diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000000..378eac25d3
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+build
diff --git a/.gitmodules b/.gitmodules
new file mode 100644
index 0000000000..12e758c23a
--- /dev/null
+++ b/.gitmodules
@@ -0,0 +1,15 @@
+[submodule "aux/bro-aux"]
+	path = aux/bro-aux
+	url = git://git.bro-ids.org/bro-aux
+[submodule "aux/binpac"]
+	path = aux/binpac
+	url = git://git.bro-ids.org/binpac
+[submodule "aux/broccoli"]
+	path = aux/broccoli
+	url = git://git.bro-ids.org/broccoli
+[submodule "aux/broctl"]
+	path = aux/broctl
+	url = git://git.bro-ids.org/broctl
+[submodule "aux/btest"]
+	path = aux/btest
+	url = git://git.bro-ids.org/btest
diff --git a/CHANGES b/CHANGES
index ef3f8c35d1..449b5c9eb4 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,415 @@
-@(#) $Id: CHANGES 7076 2010-09-13 02:42:27Z vern $
+1.6-dev.99 Fri Apr 22 22:10:03 PDT 2011
 
--+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+- Extending the connection record with a unique identifier. (Robin
+  Sommer)
+
+    type connection: record {
+        [...]
+        id: string;
+   };
+
+  These identifiers very likely unique even across independent Bro
+  runs.
+
+- Delete operator for record fields. (Robin Sommer)
+    
+  "delete x$y" now resets record field "x" back to its original state
+  if it is either &optional or has a &default. "delete" may not be
+  used with non-optional/default fields.
+
+- Fixing bug with nested record coercions. (Robin Sommer)
+
+- Fixing a do_split() bug. (Seth Hall)
+
+
+1.6-dev.94 Thu Apr 21 19:51:38 PDT 2011
+
+- Fixing generation of config.h. (Jon Siwek)
+    
+- Updates and tests for NetBIOS name BiF. (Seth Hall)
+  
+- Fixing do_split bug(), and adding a test. (Seth Hall)
+    
+- When Bro is given a PRNG seed, it now uses its own internal random
+  number generator that produces consistent results across sytems.
+  Note that this internal generator isn't very good, so it should only
+  be used for testing purpses. (Robin Sommer)
+    
+- The BTest configuration now sets the environemnt variables TZ=UTC
+  and LANG=C to ensure consistent results. (Robin Sommer)
+    
+- Logging fixes. (Robin Sommer)
+    
+1.6-dev.88 Wed Apr 20 20:43:48 PDT 2011
+
+- Implementation of Bro's new logging framework. We will document this
+  separately. (Robin Sommer)
+
+- Already defined record types can now be further extended via the
+  '+=' operator. The added fields must be either &optional or have a
+  &default value. (Robin Sommer)
+    
+  Example:
+    
+        type Foo: record {
+            a: count;
+            b: count &optional;
+        };
+    
+        redef record Foo += {
+            c: count &default=42;
+            d: count &optional;
+        };
+    
+        global f: Foo = [$a=21];
+    
+        print f;
+    
+  Output:
+   
+        [a=21, b=<uninitialized>, c=42, d=<uninitialized>]
+
+- Enabling assignment of empty vectors ("vector()"). (Robin Sommer)
+
+- Fixing attributes to allow &default attributes to be associated with
+  records fields of type tables/sets/vector. (Robin Sommer)
+    
+- '[]' is now a valid record constructor. (Robin Sommer)
+  
+- A instance of a record type A is now coercable into one of type B if
+  the fields of type A are a subset of those of type B. (Robin Sommer)
+
+- A number of bug fixes and enhancements for record/set/table/vector
+  coercion. (Robin Sommer)
+
+- Fixing a problem with records that have optional fields when used as
+  table/set indices. Addresses #367. (Robin Sommer)
+
+- Fixing an off-by-one error in join_string_vec(). (Seth Hall)
+  
+- Updating to_count() to cope with 64bit ints. (Seth Hall)
+  
+- A new BiF count_to_v4_addr() to turn a count into an IPv4 address.
+  (Seth Hall)
+
+1.6-dev.80 Mon Apr 18 14:50:54 PDT 2011
+
+- New framework for generating documentation from Bro scripts. (Jon
+  Siwek)
+
+  This includes:
+
+    - Changes to Bro's scanner/parser to facilitate automatic
+      generation of Bro policy script documentation in
+      reStructuredText format.
+
+    - New command line flags -Z/--doc-scripts to enable the new doc
+      generation mode.
+
+    - Changes to bifcl to pass comments starting with "##" through
+      into the generated .bro script.
+
+    - A "doc" build target for the top-level Makefile to first
+      generate reStructuredText for a defined set of Bro policy
+      scripts, and then run that through Sphinx to create HTML
+      documentation.
+
+1.6-dev.78 Mon Apr 18 12:52:55 PDT 2011
+
+- Adding files to CMake build targets so they show up in generated IDE
+  projects. This addresses #413. (Jon Siwek)
+    
+- Fix unnecessary config.h preprocessor (re)definitions. This
+  addresses #414. (Jon Siwek)
+
+- Updating istate tests. (Robin Sommer)
+  
+- Adding files to CMake build targets so they show up in generated IDE
+  projects.
+    
+- Adding new environment variable BRO_SEED_FILE to set the seed file
+  for the random number generator. (Robin Sommer)
+    
+1.6-dev.71 Fri Apr  1 16:06:33 PDT 2011
+
+- Removing code for the following no longer supported functionality.
+  
+    * Trace rewriting.
+    * DFA state expiration in regexp engine.
+    * Active mapping.
+    * Unused hash functions.
+
+  (Robin Sommer)
+
+- Fixing crashes when SSL is not configured correctly. (Robin Sommer)
+
+1.6-dev.66 Tue Mar 29 21:52:01 PDT 2011
+
+- Initial btest setup (Don Appleman and Robin Sommer)
+  
+- Porting the istate tests to btest (not finished) (Robin Sommer)
+
+1.6-dev.63 Mon Mar 21 16:31:15 PDT 2011
+
+- Changes to the way user-modifiable config files are installed  (Jon Siwek)
+
+    * Duplicates of the distribution's configuration files are now
+      always installed with a .example suffix
+
+    * Added --binary-package configure option to toggle configure
+      logic specific to the creation of binary packages.
+
+    * When not in binary packaging mode, `make install` never
+      overwrites existing configure files in case they've been
+      modified. The previous behavior (CMake's default) would only
+      avoid overwriting modified files if one consistently uses the
+      same build directory and doesn't reconfigure.
+
+- Fixed an issue with Mac package's pre-install script not preserving
+  ACLs. (Jon Siwek)
+
+- Minor cleanup/refactor of the make-mac/rpm-packages scripts. (Jon
+  Siwek)
+
+- Add explicit CMake check for compiler. (Jon Siwek)
+  
+- Add alternative way to set BROPATH for running bro from build/ dir.
+  (Jon Siwek)
+
+- Fixing compiler warnings (Gregor Maier)
+  
+- Remvoing leftover local variables that caused compile error on Mac
+  OS X. (Gregor Maier)
+
+1.6-dev.53 Fri Feb 25 17:03:05 PST 2011
+
+- Fixing file detector leak in remote communication module. (Scott
+  Campbell)
+
+- Updating independent-state tests to work with new setup. (Robin
+  Sommer)
+
+1.6-dev.49 Fri Feb 25 15:37:28 PST 2011
+
+- Enum IDs can have explicitly defined values. (Gregor Maier)
+
+- Extensions for the built-in function compiler, bifcl. (Gregor Maier)
+
+    * Support for policy-layer namespaces.
+    * Support for type declarations in bif files (with access them
+      from C++)
+    * Extended const declarations in bif files.
+
+  See http://bro.icir.org/devel/bif-doc for more information.
+
+1.6-dev.48 Fri Feb 25 10:53:04 PST 2011
+
+- Preliminary TCP Reassembler fix: deliver data after 2GB by disabling
+  the unused seq_to_skip feature. (Gregor Maier)
+
+1.6-dev.47 Fri Feb 25 10:40:22 PST 2011
+
+- Fixing endianess error in XDR when data is not 4-byte aligned.
+  (Gregor Maier)
+
+- Fix for Val constructor with new int64 typedefs. (Gregor Maier)
+
+- Updated fix for OS X 10.5 compile error wrt llabs(). (Gregor Maier)
+
+- Fix more compiler warning wrt printf format strings.  (Gregor Maier)
+
+1.6-dev.45 Tue Feb  8 21:28:01 PST 2011
+
+- Fixing a number of compiler warnings. (Seth Hall and Robin Sommer)
+
+1.6-dev.44 Tue Feb  8 20:11:44 PST 2011
+
+- A number of updates to the SSL analyzer, including support for new
+  ciphers; SSL extensions; and bug fixes. The analyzer does not longer
+  throw weird for exceeding a predefined cipherspec_size anymore.
+  (Seth Hall and Rmkml).
+
+- The various split*() BiFs now handle strings containing null bytes
+  correctly. (Seth Hall)
+
+- Adding new aux/btest submodule. This is a framework we will use in
+  the future for doing unit tests. (Robin Sommer)
+
+1.6-dev.41 Mon Feb  7 13:43:56 PST 2011
+
+- Smarter way to increase the parent/child pipe's socket buffer.
+  (Craig Leres).
+    
+- Fixing bug with defining bro_int_t and bro_uint_t to be 64 bits wide
+  on some platforms. (Robin Sommer)
+
+1.6-dev.39 Mon Jan 31 16:42:23 PST 2011
+
+- Login's confused messages now go through weird.bro. (Robin Sommer)
+
+1.6-dev.36 Mon Jan 31 08:45:35 PST 2011
+
+- Adding more configure options for finding dependencies, (Jon Siwek)
+
+    --with-flex=PATH       path to flex executable
+    --with-bison=PATH      path to bison executable
+    --with-perl=PATH       path to perl executable
+    --with-python=PATH     path to Python interpreter
+    --with-python-lib=PATH path to libpython
+    --with-python-inc=PATH path to Python headers
+    --with-swig=PATH       path to SWIG executable
+
+- Fixing typo in PCAPTests.cmake  (Jon Siwek)
+
+
+1.6-dev.33 Mon Jan 24 15:29:04 PST 2011
+
+- Fixing bug in SMB analyzer. (Robin Sommer)
+
+- Configure wrapper now deletes previous CMake cache (Jon Siwek)
+
+- Fix for the --with-binpac configure option. (Jon Siwek)
+
+1.6-dev.30 Thu Jan 20 16:32:43 PST 2011
+
+- Changed configure wrapper to create config.status. (Jon Siwek)
+
+1.6-dev.29 Thu Jan 20 16:29:56 PST 2011
+
+- Fixing little problem with initialization of Bro-to-Bro event
+  communication. (Christian Kreibich)
+
+
+1.6-dev.27 Thu Jan 20 13:52:25 PST 2011
+
+- Fine-tuning of the HTTP analyzer in terms of raising protocol
+  violations and interrupted transfers. (Gregor Maier)
+
+
+1.6-dev.21 Wed Jan 19 17:36:02 PST 2011
+
+- Added 4 new BiFs and a new record type for testing the entropy of
+  strings. (Seth Hall)
+
+    find_entropy(data: string): entropy_test_result
+        This is a one shot function that accepts a string and
+        returns the result of the entropy calculations.
+
+    entropy_test_init(index: any): bool
+        This and the next two functions are for calculating entropy
+        piece-wise. It only needs an index which can be any type of
+        variable. It needs to be something that uniquely identifies
+        the data stream that is currently having it's entropy
+        calculated.
+
+    entropy_test_add(index: any, data: string): bool
+        This function is used to add data into the entropy
+        calculation. It takes the index used in the function above
+        and the data that you are adding and returns true if
+        everything seemed to work, false otherwise.
+
+     entropy_test_finish(index: any): entropy_test_result
+        Calling this function indicates that all of the desired data
+        has been inserted into the entropy_test_add function and the
+        entropy should be calculated. This function *must* be called
+        in order to clean up an internal state tracking variable.
+        If this is never called on an index, it will result in a
+        memory leak.
+
+  The entropy_test_result values have several measures of the
+  entropy, but a good one to work with is the "entropy" attribute.
+  It's a double and as the value approaches 8.0 it can be considered
+  more and more random.  For example, a value of 7.832 would be
+  quite random but a value of 4.671 is not very random.
+
+1.6-dev.20 Wed Jan 19 17:30:11 PST 2011
+
+- BRO_DNS_FAKE is now listed in the --help output. (Seth Hall)
+
+
+1.6-dev.18 Wed Jan 19 16:37:13 PST 2011
+
+- Removing unnecessary expire timer from http_sessions. (Gregor
+  Maier)
+
+
+1.6-dev.16 Sat Jan 15 14:14:21 PST 2011
+
+- Updates to the build system. (Jonathan Siwek)
+
+    * ``make dist`` is now available to be used with the top-level
+      Makefile for creating source packages according to #344.
+
+    * ``make-rpm-packages`` and ``make-mac-packages`` scripts can
+      now generate binary packages according to #295.
+
+    * Additional configure options to change packaging behavior.
+
+    * OS X builds will now prefer to link static libraries of
+      optional dependencies that don't come with the vanilla
+      operating system.
+
+    * Fix for OS X 10.5 compile error dealing with the llabs()
+      function from stdlib.
+
+    * Installing as a different user than the one that
+      configured/built now works (although, a harmless error message
+      about not being able to write the install manifest may occur).
+
+
+1.6-dev.3 Wed Dec  8 04:09:38 PST 2010
+
+- Merge with Subversion repository as of r7137. Incorporated change:
+
+    * Fix for packet processing resumption when a remote Bro dies
+      during state synchronization (Robin Sommer).
+
+1.6-dev.2 Wed Dec  8 03:57:03 PST 2010
+
+- Compatibility fix for OpenSSL 1.0.0 (Christian Kreibich, Gregor
+  Maier).
+
+1.6-dev.1 Sat Nov 27 12:19:47 PST 2010
+
+- Merge with Subversion repository as of r7098. Incorporated changes:
+
+    * Rotation post-processors are now passed an additional argument
+      indicating whether Bro is terminating (Robin Sommer).
+
+    * Bro now consistently generates a file_opened event for all
+      fopen() calls. (Robin Sommer).
+
+    * You can now redefine the email_notice_to function (Robin
+      Sommer).
+
+1.6-dev.0 Fri Nov 26 13:48:11 PST 2010
+
+- The Bro source code is now developed in the new git repositories.
+  See the developer pages at http://www.bro-ids.org for more
+  information on the new development process.
+
+- Bro's build and installation setup has been moved from GNU
+  autotools to CMake. As a result of that, layout and specifics of
+  the distribution has changed significantly.
+
+- Lots of pieces have been removed from the distribution that are
+  either now unnecessary or are no longer maintained.
+
+- As part of the cleanup, a numbef of Bro configure options and
+  their corresponding functionality have been removed, including:
+
+    * --disable-select-loop
+    * --with-dag
+    * --disable-nbdns
+    * --enable-activemapping
+    * --enable-activemapping
+    * --enable-shippedpcap
+
+- The previous configure option --enable-int64 is now enabled by default,
+  and can no longer be disabled.
+
+- ClamAV support has been removed, which has been non-functional for
+  a while already.
 
 1.5.2.7 Sun Sep 12 19:39:49 PDT 2010
 
@@ -378,7 +787,7 @@
  (1) Remote communication now no longer includes location information for
  serialized objects; that removes quite a bit of redundacy from the network
  traffic.
- 
+
  (2) The new option 'remote_check_sync_consistency" disables the cross-check
  on the receiving side of &synchronized state of whether the current value
  of a variable has the value expected by the sender. Transmitting the
@@ -395,7 +804,7 @@
  we maintain *two* caches independently for these types of objects; one
  with a low turn-over one and another with a high one.  This should reduce
  CPU load on both sender and receiver sides.
- 
+
  The new scheme is only used if both communicating Bros support it; with
  older Bros, as well as with Broccoli, we continue using the old scheme.
 
@@ -589,12 +998,12 @@
 		      bro -Y 0.0.0.0:5555 netflow
 		      bro -i eth0 -Y 10.0.0.1:1234=src1 brolite netflow
 
-	  -y|--flowfile <file>[=<ident>] 
+	  -y|--flowfile <file>[=<ident>]
 
 	    Used to read from a file. You can optionally include an
 	    identifier for the source.
 
-	    Examples: 
+	    Examples:
 		      bro -y myflowfile netflow
 		      bro -y myflowfile=src1 otherflowfile=src2 netflow
 
@@ -763,7 +1172,7 @@
 
   So, to drop all sources triggering a specific notice, one can now, e.g.,
   write:
-  
+
 	redef notice_action_filters += { [Hot::SSH_Overflow] = drop_source };
 
   Related to this change, notice_info has a new field $dropped, set to
@@ -794,8 +1203,8 @@
 	   before starting the main packet loop and another one when
 	   finished. These snapshots can then be analyzed with pprof.
 
-  For more information about the perftools see 
-  
+  For more information about the perftools see
+
 	http://code.google.com/p/google-perftools
 
 - Notice tags are now generated in a pseudo-unique fashion that, with high
@@ -869,7 +1278,7 @@
 	detector tables.
 
 - When Bro serializes functions, it now does so by default using only
-  their name, rather than their full value (Robin Sommer).  This prevents 
+  their name, rather than their full value (Robin Sommer).  This prevents
   propagation of expiration functions associated with tables and sets.
   Note, currently there is no mechanism provided to switch from the
   default behavior, but the internal hooks are in place to do so.
@@ -1134,7 +1543,7 @@
 - An arbitrary tag can now be past to post-processors for log rotation
   (Robin Sommer).
 
-- Default inactivity timeouts for interactive services shortened to 
+- Default inactivity timeouts for interactive services shortened to
   1 hour (Robin Sommer).
 
 - The scanning variables distinct_{peers,ports,low_ports} are now
@@ -1447,7 +1856,7 @@
   This fixes a long-standing problem of sometimes $addl fields not showing
   up in connection summaries.
 
-- The new expressions record(...), table(...), set(...) and vector(...) 
+- The new expressions record(...), table(...), set(...) and vector(...)
   are constructors for the corresponding aggregate types (Vern Paxson).
   For example,
 
@@ -1601,7 +2010,7 @@
 - A new notice_action_filter, tally_notice_type_and_ignore, works the same
   as tally_notice_type but returns IGNORE (Robin Sommer)
 
-- Setting summary_interval == 0 disables the creation of irc-bots.summary.log 
+- Setting summary_interval == 0 disables the creation of irc-bots.summary.log
   (Robin Sommer).
 
 - If you @load foo and a directory "foo" is in your path, Bro no longer
@@ -1718,9 +2127,9 @@
 
 - Fixed using "time" values as table indices.
 
-- Added ssh to default brolite DPD configuration. 
+- Added ssh to default brolite DPD configuration.
 
-- Fixed catching up to real-time in case of lull. 
+- Fixed catching up to real-time in case of lull.
 
 - Fixed Broccoli "BRO_DATA_FORMAT_VERSION" to match version in Bro.
 
@@ -1730,11 +2139,11 @@
 
 - Added Linux tuning to brolite install script.
 
-- Modified Makefile to include broccoli/contrib. 
+- Modified Makefile to include broccoli/contrib.
 
-- Adding missing initialization to remote serializer. 
+- Adding missing initialization to remote serializer.
 
-- Minor documentation updates for reference manual and Broccoli. 
+- Minor documentation updates for reference manual and Broccoli.
 
 
 1.2 Tue Oct 17 12:09:49 PDT 2006
@@ -1953,7 +2362,7 @@
 
 	- notice_action_filters now reside in the new script
 	  notice-action-filter.bro (automatically loaded by notice.bro).
-        
+
 	- The notice actions NOTICE_ALARM_PER_CONN, NOTICE_ALARM_PER_ORIG,
 	  and NOTICE_ALARM_ONCE have been removed, as they were never
 	  actually implemented.
@@ -1973,7 +2382,7 @@
 
 - TRW analysis now skips UDP traffic because it currently treats
   all UDP connections as failures (Robin Sommer).
-     
+
 - trw.bro has been split into trw-impl.bro (the algorithm) and
   trw.bro (which simply activates the analysis), to facilitate writing
   scripts that have hooks into TRW analysis but don't presume it's
@@ -2106,7 +2515,7 @@
   (Robin Sommer).  This appears to still need some work, as now
   it generates redundant events.
 
-- Fix for initial exchange of &sync state which could lead to 
+- Fix for initial exchange of &sync state which could lead to
   referencing unknown IDs (Robin Sommer).
 
 - Fix to scan detection for differing semantics of connection compressor
@@ -2415,7 +2824,7 @@
 
 	- the new variable dump_backdoor_packets (default F) if set causes
 	  the packet that triggered the backdoor detection to be written to
-	  backdoor-packets/<tag>:<time> 
+	  backdoor-packets/<tag>:<time>
 
 	- the new variable backdoor_ignore_host_port_pairs is a set[addr, port]
 	  specify host/port combinations to ignore
@@ -2569,7 +2978,7 @@
 	- Now can ignore specific connections dynamically.
 
 	- TCP content gaps are now recognized and ADU delivery is for now
-	  stopped for such flows, unless explicitly requested. 
+	  stopped for such flows, unless explicitly requested.
 
 	- No longer logs to file in test mode.
 
@@ -2580,7 +2989,7 @@
 - Bro now performs serialization (such as when checkpointing &persistent
   tables or communicating them between Bro's) in an incremental fashion,
   intermingling transfers of large tables with ongoing packet processing
-  (Robin Sommer).  Doing so helps avoid packet drops for large items. 
+  (Robin Sommer).  Doing so helps avoid packet drops for large items.
   This has not yet been implemented for the initial handshake done
   for &synchronized items.
 
@@ -2643,7 +3052,7 @@
 
 - Notices now report current time for remotely-received notices rather
   than network time (Brian Tierney).
-  
+
 - Notices now include a tag es=<peer_description> any time a peer
   description is defined, not just for remote notices (Robin Sommer).
 
@@ -2847,9 +3256,9 @@
 
 - Bug fix for exchanging peer descriptions (Robin Sommer).
 
-- Bug fix for processing multipart-MIME HTTP messages with content-length 
+- Bug fix for processing multipart-MIME HTTP messages with content-length
   headers (Ruoming Pang).
-  
+
 - Bug fix for failing to escape "'s in HTTP server replies (Robin Sommer).
 
 - Bug fix for propagating increment operations on tables (Robin Sommer).
@@ -2863,7 +3272,7 @@
 - Bug fix for printing enum's (Christian Kreibich).
 
 - When not configured with --enable debug, Bro now still accepts (yet ignores)
-  option -B (Robin Sommer). 
+  option -B (Robin Sommer).
 
 - Serialization enhancements and fixes, including a change of the
   protocol version number (Robin Sommer).
@@ -2904,7 +3313,7 @@
 
 - Fix for connection compressor bug in tracking connection history
   (Robin Sommer).
-  
+
 - Bug fix for potential floating point exception in signature engine's
   resource-profiling code (Robin Sommer).
 
@@ -3030,7 +3439,7 @@
 	smb_get_dfs_referral(c: connection, max_referral_level: count,
 				file_name: string)
 		generated for SMB DFS referal requests
- 
+
 	dns_message(c: connection, is_orig: bool, msg: dns_msg, len: count)
 		low-level event generated for each DNS request/reponse
 
@@ -3104,7 +3513,7 @@
 - The "bif" compiler for compiling Bro built-in functions now supports
   an "enum" type (Ruoming Pang).  The syntax is:
 
-	enum dce_rpc_ptype 
+	enum dce_rpc_ptype
 	%{
 		DCE_RPC_REQUEST,
 		DCE_RPC_PING,
@@ -3113,7 +3522,7 @@
 
   which is translated to an enum declaration of "dce_rpc_ptype" in
   Bro, an EnumType* enum_dce_rpc_ptype in NetVar.{h,cc} and a C++ enum
-  BroEnum::dce_rpc_ptype {...}. 
+  BroEnum::dce_rpc_ptype {...}.
 
   One limitation is that redef's on enum types cannot be taken into
   account because the bif is parsed at compile time.
@@ -3257,7 +3666,7 @@
   specify whether to broadcast events/state received from one peer to other
   peers (Robin Sommer).  Both default to F.  Note, these options are temporary;
   they will disappear when we add a more sophisticated script-level
-  communication framework. 
+  communication framework.
 
 - Vectors can now be initialized using the syntax such as
 
@@ -3299,11 +3708,11 @@
     //      VERSION messages must be exchanged.
     //      Ends when both peers have sent VERSION.
     //  Handshake:
-    //      REQUEST_EVENTS/REQUEST_SYNC/CAPTURE_FILTER/CAPS/selected SERIALs 
+    //      REQUEST_EVENTS/REQUEST_SYNC/CAPTURE_FILTER/CAPS/selected SERIALs
     //        may be exchanged.
     //      Phase ends when both peers have sent PHASE_DONE.
     //  State synchronization:
-    //      Entered iff at least one of the peers has sent REQUEST_SYNC.    
+    //      Entered iff at least one of the peers has sent REQUEST_SYNC.
     //      The peer with the smallest runtime (incl. in VERSION msg) sends
     //        SERIAL messages comprising all of its state.
     //      Phase ends when peer sends another PHASE_DONE.
@@ -4191,7 +4600,7 @@
 - A new flag, -e, lets you specify Bro code to execute via the command
   line (Christian Kreibich).  So, for example,
 
-	bro -r mytrace.tcpdump -e 'redef traditional_conn_format = T' tcp 
+	bro -r mytrace.tcpdump -e 'redef traditional_conn_format = T' tcp
 
   will run tcp.bro on the trace "mytrace.tcpdump", but with
   traditional_conn_format redefined to be true.  Note that statements
@@ -4288,7 +4697,7 @@
 - The new "weird" type "base64_illegal_encoding" takes the place of
   some previously unstructured Base64 "weird" errors.
 
-- A tweak to ftp.bro will give it slightly more consistent results 
+- A tweak to ftp.bro will give it slightly more consistent results
   for some forms of unusual traffic.
 
 
@@ -4365,7 +4774,7 @@
 
 - The new built-ins any_set() and all_set() return true if for a given
   boolean vector any element is true or all of the elements is true
-  (Umesh Shankar).  So, for example, "any_set(x < 0)" returns T if 
+  (Umesh Shankar).  So, for example, "any_set(x < 0)" returns T if
   an element of x is less than zero.
 
 - The new built-in sort() takes a vector as an argument and sorts it
@@ -4736,7 +5145,7 @@
   current CPU load. If the load is below cpu_lower_limit (default 40%),
   the load-level is decreased.  If it's above cpu_upper_limit (default
   90%), it's increased.  (Robin Sommer)
- 
+
 - The new policy script hand-over.bro can be used for a new running
   instance of Bro to smoothly take over operation from an old instance,
   i.e., it implements hand-over of state between two Bro instances when
@@ -4922,7 +5331,7 @@
 	$priority - type must be arithmetic (count, int, double).  This
 		  is the priority associated with the match of EXPR1
 		  if $pred returns true.
-  
+
   The way the expression works is that EXPR1 is evaluated yielding a
   value V.  EXPR2 is then evaluated yielding a set of records whose
   type includes the above fields.  Bro then spins through each of the
@@ -5257,8 +5666,8 @@
   Sommer).  The format is simple, just "include" or "ignore" followed
   by the SID number:
 
-	# sid-526 BAD TRAFFIC data in TCP SYN packet 
-	ignore	526 
+	# sid-526 BAD TRAFFIC data in TCP SYN packet
+	ignore	526
 
 	# sid-623 matches a null-flags stealth scan.  Include it even
 	# if we build with -p, since it doesn't tend to generate any
@@ -5411,7 +5820,7 @@
   A new function, get_event_source(), returns a record event_source
   describing the source that raised the last event.
 
-  See doc/ssl.txt for an explanation of how to create the keys/certificates.   
+  See doc/ssl.txt for an explanation of how to create the keys/certificates.
 
 - A fledgling Gnutella analyzer has been contributed (Mark Allman).
   It generates the following events:
@@ -5439,7 +5848,7 @@
 	  redef secondary_filters += {
 		  ["tcp[13] & 7 != 0"] = rst_syn_fin_flag,
 	  }
-  
+
   will invoke rst_syn_fin_flag() anytime a TCP packet is seen for
   which the SYN/FIN/RST bits are non-zero.  The event handler will
   be passed the string "tcp[13] & 7 != 0" (so it can tell which
@@ -5497,7 +5906,7 @@
   public key; it's used to then embed a Blowfish session key.  (Robin Sommer)
 
   A new utility, aux/bdcat/bdcat ("Bro decrypt cat") can be used to decrypt
-  the files. 
+  the files.
 
 - The internal structure of TCP analysis has been significantly altered.
   Previously, TCP_Endpoint tracked endpoint state and TCP_EndpointContents
@@ -5574,7 +5983,7 @@
     const remote_peers_ssl : table[addr, port] of Peer &redef;
     [...]
     for ( [ip, p] in remote_peers_ssl )
-        connect_ssl(ip, p, remote_peers_ssl[ip, p]$retry); 
+        connect_ssl(ip, p, remote_peers_ssl[ip, p]$retry);
 
 - Checkpointing of persistent state on SIGHUP now happens via bro.init
   (Robin Sommer).  Not tested.
diff --git a/CMakeLists.txt b/CMakeLists.txt
new file mode 100644
index 0000000000..11b8454d84
--- /dev/null
+++ b/CMakeLists.txt
@@ -0,0 +1,256 @@
+project(Bro C CXX)
+
+if (NOT CMAKE_C_COMPILER)
+    message(FATAL_ERROR "Could not find prerequisite C compiler")
+endif ()
+
+if (NOT CMAKE_CXX_COMPILER)
+    message(FATAL_ERROR "Could not find prerequisite C++ compiler")
+endif ()
+
+########################################################################
+## CMake Configuration
+cmake_minimum_required(VERSION 2.6 FATAL_ERROR)
+
+# Prohibit in-source builds.
+if ("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_BINARY_DIR}")
+    message(FATAL_ERROR "In-source builds are not allowed. Please use "
+                        "./configure to choose a build directory and "
+                        "initialize the build configuration.")
+endif ()
+
+set(CMAKE_MODULE_PATH ${CMAKE_CURRENT_SOURCE_DIR}/cmake)
+
+if ("${PROJECT_SOURCE_DIR}" STREQUAL "${CMAKE_SOURCE_DIR}")
+    # uninstall target
+    configure_file("${CMAKE_CURRENT_SOURCE_DIR}/cmake/cmake_uninstall.cmake.in"
+                   "${CMAKE_CURRENT_BINARY_DIR}/cmake_uninstall.cmake"
+                    @ONLY)
+
+    add_custom_target(uninstall COMMAND
+        ${CMAKE_COMMAND} -P ${CMAKE_CURRENT_BINARY_DIR}/cmake_uninstall.cmake)
+endif ()
+
+########################################################################
+## Project/Build Configuration
+
+set(BRO_ROOT_DIR ${CMAKE_INSTALL_PREFIX})
+if (NOT POLICYDIR)
+    # set the default policy installation path (user did not specify one)
+    set(POLICYDIR ${BRO_ROOT_DIR}/share/bro)
+endif ()
+
+# sanitize the policy install directory into an absolute path
+# (CMake is confused by ~ as a representation of home directory)
+get_filename_component(POLICYDIR ${POLICYDIR} ABSOLUTE)
+
+configure_file(bro-path-dev.in ${CMAKE_CURRENT_BINARY_DIR}/bro-path-dev)
+file(WRITE ${CMAKE_CURRENT_BINARY_DIR}/bro-path-dev.sh
+     "export BROPATH=`${CMAKE_CURRENT_BINARY_DIR}/bro-path-dev`\n")
+file(WRITE ${CMAKE_CURRENT_BINARY_DIR}/bro-path-dev.csh
+     "setenv BROPATH `${CMAKE_CURRENT_BINARY_DIR}/bro-path-dev`\n")
+
+file(STRINGS "${CMAKE_CURRENT_SOURCE_DIR}/VERSION" VERSION LIMIT_COUNT 1)
+string(REPLACE "." " " version_numbers ${VERSION})
+separate_arguments(version_numbers)
+list(GET version_numbers 0 VERSION_MAJOR)
+list(GET version_numbers 1 VERSION_MINOR)
+set(VERSION_MAJ_MIN "${VERSION_MAJOR}.${VERSION_MINOR}")
+
+set(EXTRA_COMPILE_FLAGS "-Wall -Wno-unused")
+
+if (ENABLE_DEBUG)
+    set(CMAKE_BUILD_TYPE Debug)
+    set(EXTRA_COMPILE_FLAGS "${EXTRA_COMPILE_FLAGS} -DDEBUG")
+else ()
+    set(CMAKE_BUILD_TYPE RelWithDebInfo)
+endif ()
+
+# Compiler flags may already exist in CMake cache (e.g. when specifying
+# CFLAGS environment variable before running cmake for the the first time)
+set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${EXTRA_COMPILE_FLAGS}")
+set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${EXTRA_COMPILE_FLAGS}")
+
+########################################################################
+## Dependency Configuration
+
+include(MacDependencyPaths)
+include(FindRequiredPackage)
+
+# Check cache value first to avoid displaying "Found sed" messages everytime
+if (NOT SED_EXE)
+    find_program(SED_EXE sed)
+    if (NOT SED_EXE)
+        message(FATAL_ERROR "Could not find required dependency: sed")
+    else ()
+        message(STATUS "Found sed: ${SED_EXE}")
+    endif ()
+endif ()
+
+FindRequiredPackage(Perl)
+FindRequiredPackage(FLEX)
+FindRequiredPackage(BISON)
+FindRequiredPackage(PCAP)
+FindRequiredPackage(OpenSSL)
+FindRequiredPackage(BIND)
+
+if (NOT BinPAC_ROOT_DIR AND
+    EXISTS ${CMAKE_CURRENT_SOURCE_DIR}/aux/binpac/CMakeLists.txt)
+    add_subdirectory(aux/binpac)
+endif ()
+FindRequiredPackage(BinPAC)
+
+if (MISSING_PREREQS)
+    foreach (prereq ${MISSING_PREREQ_DESCS})
+        message(SEND_ERROR ${prereq})
+    endforeach ()
+    message(FATAL_ERROR "Configuration aborted due to missing prerequisites")
+endif ()
+
+include_directories(BEFORE
+                    ${PCAP_INCLUDE_DIR}
+                    ${OpenSSL_INCLUDE_DIR}
+                    ${BIND_INCLUDE_DIR}
+                    ${BinPAC_INCLUDE_DIR}
+)
+
+# Optional Dependencies
+
+set(HAVE_LIBMAGIC false)
+find_package(LibMagic)
+if (LIBMAGIC_FOUND)
+    set(HAVE_LIBMAGIC true)
+    include_directories(BEFORE ${LibMagic_INCLUDE_DIR})
+    list(APPEND OPTLIBS ${LibMagic_LIBRARY})
+endif ()
+
+set(HAVE_LIBZ false)
+find_package(ZLIB)
+if (ZLIB_FOUND)
+    set(HAVE_LIBZ true)
+    include_directories(BEFORE ${ZLIB_INCLUDE_DIR})
+    list(APPEND OPTLIBS ${ZLIB_LIBRARY})
+endif ()
+
+set(USE_GEOIP false)
+find_package(LibGeoIP)
+if (LIBGEOIP_FOUND)
+    set(USE_GEOIP true)
+    include_directories(BEFORE ${LibGeoIP_INCLUDE_DIR})
+    list(APPEND OPTLIBS ${LibGeoIP_LIBRARY})
+endif ()
+
+set(USE_PERFTOOLS false)
+if (ENABLE_PERFTOOLS)
+    find_package(GooglePerftools)
+    if (GOOGLEPERFTOOLS_FOUND)
+        set(USE_PERFTOOLS true)
+        include_directories(BEFORE ${GooglePerftools_INCLUDE_DIR})
+        list(APPEND OPTLIBS ${GooglePerftools_LIBRARIES})
+    endif ()
+endif ()
+
+########################################################################
+## System Introspection
+
+include(TestBigEndian)
+test_big_endian(WORDS_BIGENDIAN)
+
+include(OSSpecific)
+include(CheckTypes)
+include(CheckHeaders)
+include(CheckFunctions)
+include(MiscTests)
+include(PCAPTests)
+include(OpenSSLTests)
+include(CheckNameserCompat)
+
+configure_file(${CMAKE_CURRENT_SOURCE_DIR}/config.h.in
+               ${CMAKE_CURRENT_BINARY_DIR}/config.h)
+
+include_directories(${CMAKE_CURRENT_BINARY_DIR})
+
+########################################################################
+## Recurse on sub-directories
+
+add_subdirectory(src)
+add_subdirectory(policy)
+add_subdirectory(doc)
+
+include(CheckOptionalBuildSources)
+
+CheckOptionalBuildSources(aux/broctl   Broctl   INSTALL_BROCTL)
+CheckOptionalBuildSources(aux/bro-aux  Bro-Aux  INSTALL_AUX_TOOLS)
+CheckOptionalBuildSources(aux/broccoli Broccoli INSTALL_BROCCOLI)
+
+########################################################################
+## Packaging Setup
+
+if (INSTALL_BROCTL)
+    # CPack RPM Generator may not automatically detect this
+    set(CPACK_RPM_PACKAGE_REQUIRES "python >= 2.4.0")
+endif ()
+
+# If this CMake project is a sub-project of another, we will not
+# configure the generic packaging because CPack will fail in the case
+# that the parent project has already configured packaging
+if ("${PROJECT_SOURCE_DIR}" STREQUAL "${CMAKE_SOURCE_DIR}")
+    include(ConfigurePackaging)
+    ConfigurePackaging(${VERSION})
+endif ()
+
+########################################################################
+## Build Summary
+
+if (CMAKE_BUILD_TYPE)
+    string(TOUPPER ${CMAKE_BUILD_TYPE} BuildType)
+endif ()
+
+if (INSTALL_BROCTL)
+    if (STANDALONE)
+        set(BROCTL_INSTALL_MODE "standalone")
+    else ()
+        set(BROCTL_INSTALL_MODE "cluster")
+    endif ()
+else ()
+    set(BROCTL_INSTALL_MODE "false")
+endif ()
+
+message(
+    "\n====================|  Bro Build Summary  |====================="
+    "\n"
+    "\nInstall prefix:    ${CMAKE_INSTALL_PREFIX}"
+    "\nPolicy dir:        ${POLICYDIR}"
+    "\nDebug mode:        ${ENABLE_DEBUG}"
+    "\n"
+    "\nCC:                ${CMAKE_C_COMPILER}"
+    "\nCFLAGS:            ${CMAKE_C_FLAGS} ${CMAKE_C_FLAGS_${BuildType}}"
+    "\nCXX:               ${CMAKE_CXX_COMPILER}"
+    "\nCXXFLAGS:          ${CMAKE_CXX_FLAGS} ${CMAKE_CXX_FLAGS_${BuildType}}"
+    "\nCPP:               ${CMAKE_CXX_COMPILER}"
+    "\n"
+    "\nBroccoli:          ${INSTALL_BROCCOLI}"
+    "\nBroctl:            ${BROCTL_INSTALL_MODE}"
+    "\nAux. Tools:        ${INSTALL_AUX_TOOLS}"
+    "\n"
+    "\nGeoIP:             ${USE_GEOIP}"
+    "\nlibz:              ${HAVE_LIBZ}"
+    "\nlibmagic:          ${HAVE_LIBMAGIC}"
+    "\nGoogle perftools:  ${USE_PERFTOOLS}"
+    "\n"
+    "\n================================================================\n"
+)
+
+########################################################################
+## Show warning when installing user is different from the one that configured
+
+install(CODE "
+    if (NOT $ENV{USER} STREQUAL \$ENV{USER})
+        message(STATUS \"ATTENTION: Install is being performed by user \"
+                \"'\$ENV{USER}', but the build directory was configured by \"
+                \"user '$ENV{USER}'. This may result in a permissions error \"
+                \"when writing the install manifest, but you can ignore it \"
+                \"and consider the installation as successful if you don't \"
+                \"care about the install manifest.\")
+    endif ()
+")
diff --git a/COPYING b/COPYING
index f4bafa114c..f9bba2b90e 100644
--- a/COPYING
+++ b/COPYING
@@ -1,4 +1,4 @@
-Copyright (c) 1995-2008, The Regents of the University of California,
+Copyright (c) 1995-2010, The Regents of the University of California,
 through Lawrence Berkeley National Laboratory. All rights reserved.
 
 Redistribution and use in source and binary forms, with or without
@@ -31,7 +31,7 @@ POSSIBILITY OF SUCH DAMAGE.
 
 Note that some files in the Bro distribution carry their own copyright
 notices.  The above applies to the Bro scripts in policy/ (other than as
-noted below) and the source files in src/ , other than:
+noted below) and the source files in src/, other than:
 
 	policy/sigs/p0fsyn.osf
 	src/H3.h
@@ -44,6 +44,5 @@ noted below) and the source files in src/ , other than:
 	src/patricia.c
 	src/patricia.h
 
-In addition, the build components such as Makefile.in, acinclude.m4, and
-others have separate copyrights, as do a number of the elements in the
-aux/ subdirectory and in scripts/s2b/snort_rules2.2/ .
+In addition, other components, such as the build system, may have
+separate copyrights.
diff --git a/Checklist-for-Release b/Checklist-for-Release
index f5f477f766..e0d0572872 100644
--- a/Checklist-for-Release
+++ b/Checklist-for-Release
@@ -1,3 +1,6 @@
+
+TODO: Needs update. -Robin
+
 - Make sure BroV6 works.
 
 - Make sure --enable-int64 builds w/o warnings.
diff --git a/FILES.bin b/FILES.bin
deleted file mode 100644
index f0b07e4bec..0000000000
--- a/FILES.bin
+++ /dev/null
@@ -1,3 +0,0 @@
-README
-VERSION
-bro
diff --git a/INSTALL b/INSTALL
index 0e71d2bfe3..f0c59d79fb 100644
--- a/INSTALL
+++ b/INSTALL
@@ -1,104 +1,106 @@
+==============
+Installing Bro
+==============
+
+
 Prerequisites
 =============
 
 Bro relies on the following libraries and tools, which need to be installed
-before you begin with the installation:
+before you begin:
 
-    * Libpcap
-	   If libpcap is already installed on the system, by default Bro
-	   will use that one.  Otherwise, it falls back to a version shipped
-	   with the Bro distribution.
+    * A C/C++ compiler
 
-    * Flex
-	   Flex is already installed on most systems, so with luck you can
-	   skip having to install it yourself.
+    * Libpcap headers and libraries
+       Network traffic capture library
 
-    * Bison or byacc
-	   These come with many systems, but if you get errors compiling
-	   parse.y, you will need to install them.  bison is available
-	   from GNU sites such as ftp.gnu.org.
+    * Flex (Fast Lexical Analyzer)
+       Flex is already installed on most systems, so with luck you can
+       skip having to install it yourself.
+
+    * Bison (GNU Parser Generator)
+       This comes with many systems, but if you get errors compiling
+       parse.y, you will need to install it.
+
+    * Perl
+       Used only during the Bro build process
+
+    * sed
+       Used only during the Bro build process
 
     * BIND8 headers and libraries
-           These are usually already installed as well.
+       These are usually already installed as well.
 
-    * Autotools
-	   If you have checked the source out from Bro's Subversion
-	   repository, you need the autotools suite installed.  In this
-	   case, run "./autogen.sh" first right after the check out.
-	   Otherwise the installation steps below will fail.
+    * OpenSSL headers and libraries
+        For analysis of SSL certificates by the HTTP analyzer, and
+        for encrypted Bro-to-Bro communication. These are likely installed,
+        though some platforms may require installation of a 'devel' package
+         for the headers.
+
+    * CMake 2.6 or greater
+       CMake is a cross-platform, open-source build system, typically
+       not installed by default.  See http://www.cmake.org for more
+       information regarding CMake and the installation steps below for
+       how to use it to build this distribution.  CMake generates native
+       Makefiles that depend on GNU Make by default.
 
 Bro can also make uses of some optional libraries if they are found at
 installation time:
 
-    * OpenSSL
-           For analysis of SSL certificates by the HTTP analyzer, and 
-           for encrypted Bro-to-Bro communication.
-
     * Libmagic
-           For identifying file types (e.g., in FTP transfers).
-           
+      For identifying file types (e.g., in FTP transfers).
+
     * LibGeoIP
-           For geo-locating IP addresses.
-           
+       For geo-locating IP addresses.
+
     * Libz
-	   For decompressing HTTP bodies by the HTTP analyzer, and for
-	   compressed Bro-to-Bro communication.
-
-    * Endace's DAG tools:
-           For native support of Endace DAG cards.
-
+       For decompressing HTTP bodies by the HTTP analyzer, and for
+       compressed Bro-to-Bro communication.
 
 Installation
 ============
 
-To build and install into /usr/local:
+To build and install into /usr/local/bro:
 
-	> ./configure
-	> make
-	> make install
+    > ./configure
+    > cd build
+    > make
+    > make install
 
-This will install the Bro binary into /usr/local/bin/bro and the policy
-files into /usr/local/share/bro.
+This will perform an out-of-source build into a directory called
+build/, using default build options. It then installs the Bro binary
+into /usr/local/bro/bin. Depending on the Bro package you
+downloaded, there may be auxiliary tools and libraries available in
+the aux/ directory. If so, they will be installed by default as well
+if not explicitly disabled via configure options and may also have
+additional installation/configuration instructions that you can
+find in their source directories.
 
-As usual you can specify a different installation directory with
+You can specify a different installation directory with
 
-   > ./configure --prefix=<dir>".
+    > ./configure --prefix=<dir>
 
-Run "./configure --help" for more options. 
+Note that "/usr" and "/opt/bro" are standard prefixes for binary
+packages to be installed, so those are typically not good choices
+unless you are creating such a package.
 
+Run "./configure --help" for more options.
 
 Running Bro
 ===========
 
 Bro is a complex program and it takes a bit of time to get familiar
-with it.  In the following we give a few simple examples.  See
-http://www.bro-ids.org/wiki for more information.
+with it. In the following we give a few simple examples.  See the
+quickstart guide at http://www.bro-ids.org for more information; you
+can the source that in doc/quick-start.
 
-To run a policy file from /usr/local/share/bro, such as mt.bro, on a
-previously captured tcpdump save file named foo:
+For developers that wish to run Bro from the the build/ directory
+after performing "make", but without performing "make install", they
+will have to first set BROPATH to look for scripts inside the build
+directory.  Sourcing either build/bro-path-dev.sh or build/bro-path-dev.csh
+as appropriate for the current shell accomplishes this. e.g.:
 
-	bro -r foo mt.bro
-
-To run from interface le0:
-
-	bro -i le0 mt
-
-You can alternatively specify interface and scripts to load in your own
-policy file:
-
-	@load mt
-	redef interfaces = "le0";
-
-and then run
-
-    bro ./my-policy.bro
-
-You can see the BPF filter Bro will use (if not overridden) by executing
-
-	bro mt print-filter
-
-To run interactively (e.g., for playing with expression evaluation):
-
-	bro
-
-"bro -h" lists the various options.
+    > ./configure
+    > make
+    > source build/bro-path-dev.sh
+    > ./build/src/bro
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000000..863440661e
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,58 @@
+#
+# A simple static wrapper for a number of standard Makefile targets,
+# mostly just forwarding to build/Makefile. This is provided only for
+# convenience and supports only a subset of what CMake's Makefile
+# to offer. For more, execute that one directly. 
+#
+
+SOURCE=$(PWD)
+BUILD=$(SOURCE)/build
+TMP=/tmp/bro-dist.$(UID)
+BRO_V=`cat $(SOURCE)/VERSION`
+BROCCOLI_V=`cat $(SOURCE)/aux/broccoli/VERSION`
+BROCTL_V=`cat $(SOURCE)/aux/broctl/VERSION`
+
+all: configured
+	( cd $(BUILD) && make )
+
+install: configured
+	( cd $(BUILD) && make install )
+
+clean: configured
+	( cd $(BUILD) && make clean )
+	( cd $(BUILD) && make docclean && make restclean )
+
+doc: configured
+	( cd $(BUILD) && make doc )
+
+docclean: configured
+	( cd $(BUILD) && make docclean && make restclean )
+
+dist:
+	@( mkdir -p $(BUILD) && rm -rf $(TMP) && mkdir $(TMP) )
+	@cp -R $(SOURCE) $(TMP)/Bro-$(BRO_V)
+	@( cd $(TMP) && find . -name .git\* | xargs rm -rf )
+	@( cd $(TMP) && find . -name \*.swp | xargs rm -rf )
+	@( cd $(TMP) && find . -type d -name build | xargs rm -rf )
+	@( cd $(TMP) && tar -czf $(BUILD)/Bro-all-$(BRO_V).tar.gz Bro-$(BRO_V) )
+	@( cd $(TMP)/Bro-$(BRO_V)/aux && mv broccoli Broccoli-$(BROCCOLI_V) && \
+	    tar -czf $(BUILD)/Broccoli-$(BROCCOLI_V).tar.gz Broccoli-$(BROCCOLI_V) )
+	@( cd $(TMP)/Bro-$(BRO_V)/aux && mv broctl Broctl-$(BROCTL_V) && \
+	    tar -czf $(BUILD)/Broctl-$(BROCTL_V).tar.gz Broctl-$(BROCTL_V) )
+	@( cd $(TMP)/Bro-$(BRO_V)/aux && rm -rf Broctl* Broccoli* )
+	@( cd $(TMP) && tar -czf $(BUILD)/Bro-$(BRO_V).tar.gz Bro-$(BRO_V) )
+	@rm -rf $(TMP)
+	@echo "Distribution source tarballs have been compiled in $(BUILD)"
+
+bindist:
+	@( cd pkg && ( ./make-deb-packages || ./make-mac-packages || \
+	               ./make-rpm-packages ) )
+
+distclean:
+	rm -rf $(BUILD)
+
+configured:
+	@test -d $(BUILD) || ( echo "Error: No build/ directory found. Did you run configure?" && exit 1 )
+	@test -e $(BUILD)/Makefile || ( echo "Error: No build/Makefile found. Did you run configure?" && exit 1 )
+
+.PHONY : all install clean doc docclean dist bindist distclean configured
diff --git a/Makefile.am b/Makefile.am
deleted file mode 100644
index bdbdc25ef5..0000000000
--- a/Makefile.am
+++ /dev/null
@@ -1,64 +0,0 @@
-## Process this file with automake to produce Makefile.in
-
-# snag the whole linux-include directory
-EXTRA_DIST = CHANGES README VERSION shtool linux-include \
-	autogen.sh depcomp ylwrap
-
-# When running distcheck, make sure we skip building GtkDoc-based
-# documentation. This applies to Broccoli only, and needs to be
-# duplicated here because DISTCHECK_CONFIGURE_FLAGS isn't otherwise
-# noticed.
-#
-DISTCHECK_CONFIGURE_FLAGS = --disable-gtk-doc
-
-chown = @CHOWN@
-
-# aux before src so we compile the libpcap
-SUBDIRS = aux src scripts policy doc
-
-test:
-	( cd ../testing && $(MAKE) test )
-
-install-broctl:
-	$(MAKE) install
-	( cd aux/broctl && $(MAKE) install-broctl )
-
-# Deprecated. Don't use. 
-install-brolite:
-	$(MAKE) install
-	$(INSTALL) -d $(prefix)/logs
-	$(INSTALL) -d $(prefix)/archive
-	$(INSTALL) -d $(prefix)/var
-	( cd scripts && $(MAKE) install-brolite )
-	( cd aux && $(MAKE) install-brolite )
-	- @CHOWN@ -R `cat scripts/bro_user_id` ${prefix}/
-	@echo "*********************************************************"
-	@echo "Please run \"${prefix}/etc/bro.rc --start\" to start bro"
-	@echo "*********************************************************"
-
-docs:
-	( cd doc && $(MAKE) doc )
-
-doc-install:
-	( cd doc && $(MAKE) doc-install )
-
-update:
-	( cd scripts && $(MAKE) update )
-	( cd policy && $(MAKE) install )
-
-update-sigs:
-	(cd scripts && $(MAKE) update-sigs )
-
-reports:
-	( cd scripts && $(MAKE) reports )
-
-# make sure we don't leak CVS/SVN or private policy files
-dist-hook:
-	rm -rf `find $(distdir) -name CVS`
-	rm -rf `find $(distdir) -name .svn`
-	rm -rf $(distdir)/policy/local 
-
-release:
-	./autogen.sh
-	./configure
-	$(MAKE) distcheck
diff --git a/NEWS b/NEWS
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/README b/README
index 160aea36b7..66a580fa19 100644
--- a/README
+++ b/README
@@ -1,29 +1,24 @@
-This is release 1.5 of Bro, a system for detecting network intruders in
+This is release 1.6 of Bro, a system for detecting network intruders in
 real-time using passive network monitoring.
 
-Please see the file INSTALL for installation instructions and some examples
-on how to run Bro.  For more documentation, see the Bro Wiki:
+Please see the file INSTALL for installation instructions and
+pointers for getting started. For more documentation, see the
+documentation on Bro's home page:
 
-  http://www.bro-ids.org/wiki/index.php/User_Manual
+    http://www.bro-ids.org/docs
 
-Please note that this documentation is preliminary and still missing pieces.
-PDF and HTML versions of older versions of the manuals are also available
-in the doc/ directory.
-
-There's also in doc/misc/conn-logs/ a brief summary of the connection logs
-generated by the sample policy scripts (which are in policy/).
+The main parts of Bro's documentation are also available in the doc/
+directory of the distribution. (Please note that the documentation
+is still a work in progress; there will be more in future releases.)
 
 Numerous other Bro-related publications, including a paper describing the
 system, can be found at
 
-  http://www.bro-ids.org/publications.html
+    http://www.bro-ids.org/publications.html
 
-Some auxiliary scripts and utilities are available in the aux/ directory.
-Note that these are not installed by default.
-
-Send comments, etc., to the Bro mailing list, bro@bro-ids.org.  However,
-please note that you must first subscribe to the list in order to be able
-to post to it.
+Send comments, etc., to the Bro mailing list, bro@bro-ids.org.
+However, please note that you must first subscribe to the list in
+order to be able to post to it.
 
 - Vern Paxson & Robin Sommer, on behalf of the Bro development team
 
diff --git a/TODO-For-Next-Release b/TODO-For-Next-Release
deleted file mode 100644
index e8985b669e..0000000000
--- a/TODO-For-Next-Release
+++ /dev/null
@@ -1,9 +0,0 @@
-Plan for 1.6:
-	Originally, with 1.5 we were going to start working with --use-binpac
-	as the default.  However, this has been deferred pending development
-	of BinPAC++.  We might however turn on BinPAC for the SSL analyzer,
-	for which the BinPAC version is more robust.  It, though, doesn't
-	support storing certs to disk, which some folks use operationally.
-
-	Given DPD means we might not filter traffic anyway, we no longer
-	have such a good excuse for not dealing with IPv6 options.
diff --git a/VERSION b/VERSION
index dcfb77b1f4..359249d5d6 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-1.5.2.7
+1.6-dev.99
diff --git a/acinclude.m4 b/acinclude.m4
deleted file mode 100644
index b8554a299b..0000000000
--- a/acinclude.m4
+++ /dev/null
@@ -1,1007 +0,0 @@
-dnl @(#) $Id: acinclude.m4 6084 2008-08-27 16:13:23Z vern $ (LBL)
-dnl
-dnl Copyright (c) 1995, 1996, 1997, 1998, 1999, 2002, 2003
-dnl	The Regents of the University of California.  All rights reserved.
-dnl
-dnl Redistribution and use in source and binary forms, with or without
-dnl modification, are permitted provided that: (1) source code distributions
-dnl retain the above copyright notice and this paragraph in its entirety, (2)
-dnl distributions including binary code include the above copyright notice and
-dnl this paragraph in its entirety in the documentation or other materials
-dnl provided with the distribution, and (3) all advertising materials mentioning
-dnl features or use of this software display the following acknowledgement:
-dnl ``This product includes software developed by the University of California,
-dnl Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
-dnl the University nor the names of its contributors may be used to endorse
-dnl or promote products derived from this software without specific prior
-dnl written permission.
-dnl THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
-dnl WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
-dnl MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
-dnl
-dnl LBL autoconf macros
-dnl
-
-dnl
-dnl Define RETSIGTYPE and RETSIGVAL
-dnl
-dnl usage:
-dnl
-dnl	AC_LBL_TYPE_SIGNAL
-dnl
-dnl results:
-dnl
-dnl	RETSIGTYPE (defined)
-dnl	RETSIGVAL (defined)
-dnl
-AC_DEFUN([AC_LBL_TYPE_SIGNAL],
-    [[AC_BEFORE([$0], [AC_LBL_LIBPCAP])
-    AC_TYPE_SIGNAL
-    if test "$ac_cv_type_signal" = void ; then
-	    AC_DEFINE(RETSIGVAL,,[signal function return value])
-    else
-	    AC_DEFINE(RETSIGVAL,(0))
-    fi
-    case "$target_os" in
-
-    irix*)
-	    AC_DEFINE(_BSD_SIGNALS,,[irix's BSD style signals])
-	    ;;
-
-    *)
-	    dnl prefer sigset() to sigaction()
-	    AC_CHECK_FUNCS(sigset)
-	    if test $ac_cv_func_sigset = yes ; then
-		    AC_DEFINE(signal,sigset,[use sigset() instead of signal()])
-	    else
-		    AC_CHECK_FUNCS(sigaction)
-	    fi
-	    ;;
-    esac]])
-
-dnl
-dnl Determine which compiler we're using (cc or gcc)
-dnl If using gcc, determine the version number
-dnl If using cc, require that it support ansi prototypes
-dnl If using gcc, use -O2 (otherwise use -O)
-dnl If using cc, explicitly specify /usr/local/include
-dnl
-dnl usage:
-dnl
-dnl	AC_LBL_C_INIT(copt, incls)
-dnl
-dnl results:
-dnl
-dnl	$1 (copt set)
-dnl	$2 (incls set)
-dnl	CC
-dnl	LDFLAGS
-dnl	LBL_CFLAGS
-dnl
-AC_DEFUN([AC_LBL_C_INIT],
-    [AC_PREREQ(2.12)
-    AC_BEFORE([$0], [AC_PROG_CC])
-    AC_BEFORE([$0], [AC_LBL_FIXINCLUDES])
-    AC_BEFORE([$0], [AC_LBL_DEVEL])
-    AC_ARG_WITH(gcc, [  --without-gcc           don't use gcc])
-    $1="-O"
-    $2=""
-    if test "${srcdir}" != "." ; then
-	    $2='-I$(srcdir)'
-    fi
-    if test "${CFLAGS+set}" = set; then
-	    LBL_CFLAGS="$CFLAGS"
-    fi
-    if test -z "$CC" ; then
-	    case "$target_os" in
-
-	    bsdi*)
-		    AC_CHECK_PROG(SHLICC2, shlicc2, yes, no)
-		    if test $SHLICC2 = yes ; then
-			    CC=shlicc2
-			    export CC
-		    fi
-		    ;;
-	    esac
-    fi
-    if test -z "$CC" -a "$with_gcc" = no ; then
-	    CC=cc
-	    export CC
-    fi
-    AC_PROG_CC
-    if test "$GCC" != yes ; then
-	    AC_MSG_CHECKING(that $CC handles ansi prototypes)
-	    AC_CACHE_VAL(ac_cv_lbl_cc_ansi_prototypes,
-		AC_TRY_COMPILE(
-		    [#include <sys/types.h>],
-		    [int frob(int, char *)],
-		    ac_cv_lbl_cc_ansi_prototypes=yes,
-		    ac_cv_lbl_cc_ansi_prototypes=no))
-	    AC_MSG_RESULT($ac_cv_lbl_cc_ansi_prototypes)
-	    if test $ac_cv_lbl_cc_ansi_prototypes = no ; then
-		    case "$target_os" in
-
-		    hpux*)
-			    AC_MSG_CHECKING(for HP-UX ansi compiler ($CC -Aa -D_HPUX_SOURCE))
-			    savedcflags="$CFLAGS"
-			    CFLAGS="-Aa -D_HPUX_SOURCE $CFLAGS"
-			    AC_CACHE_VAL(ac_cv_lbl_cc_hpux_cc_aa,
-				AC_TRY_COMPILE(
-				    [#include <sys/types.h>],
-				    [int frob(int, char *)],
-				    ac_cv_lbl_cc_hpux_cc_aa=yes,
-				    ac_cv_lbl_cc_hpux_cc_aa=no))
-			    AC_MSG_RESULT($ac_cv_lbl_cc_hpux_cc_aa)
-			    if test $ac_cv_lbl_cc_hpux_cc_aa = no ; then
-				    AC_MSG_ERROR(see the INSTALL doc for more info)
-			    fi
-			    CFLAGS="$savedcflags"
-			    $1="-Aa $$1"
-			    AC_DEFINE(_HPUX_SOURCE,,[HP-UX ansi compiler])
-			    ;;
-
-		    *)
-			    AC_MSG_ERROR(see the INSTALL doc for more info)
-			    ;;
-		    esac
-	    fi
-	    $2="$$2 -I/usr/local/include"
-	    LDFLAGS="$LDFLAGS -L/usr/local/lib"
-
-	    case "$target_os" in
-
-	    irix*)
-		    $1="$$1 -xansi -signed -g3"
-		    ;;
-
-	    osf*)
-		    $1="$$1 -std1 -g3"
-		    ;;
-
-	    ultrix*)
-		    AC_MSG_CHECKING(that Ultrix $CC hacks const in prototypes)
-		    AC_CACHE_VAL(ac_cv_lbl_cc_const_proto,
-			AC_TRY_COMPILE(
-			    [#include <sys/types.h>],
-			    [struct a { int b; };
-			    void c(const struct a *)],
-			    ac_cv_lbl_cc_const_proto=yes,
-			    ac_cv_lbl_cc_const_proto=no))
-		    AC_MSG_RESULT($ac_cv_lbl_cc_const_proto)
-		    if test $ac_cv_lbl_cc_const_proto = no ; then
-			    AC_DEFINE(const,,[ultrix can't hack const])
-		    fi
-		    ;;
-	    esac
-    fi
-])
-
-dnl AC_LBL_ENABLE_CHECK(brov6 activemapping expire-dfa-states)
-dnl
-dnl This allows us to check for bogus configure enable/disable
-dnl command line options
-dnl
-dnl usage:
-dnl
-dnl	AC_LBL_ENABLE_CHECK(opt ...)
-dnl
-AC_DEFUN([AC_LBL_ENABLE_CHECK],
-    [set |
-	sed -n -e 's/^enable_\([[^=]]*\)=[[^=]]*$/\1/p' |
-	while read var; do
-	    ok=0
-        for o in option_checking m4_translit([$1], -, _); do
-		    if test "${o}" = "${var}" ; then
-			    ok=1
-			    break
-		    fi
-	    done
-	    if test ${ok} -eq 0 ; then
-		    # It's hard to kill configure script from subshell!
-		    AC_MSG_ERROR(unknown enable option: ${var})
-		    exit 1
-	    fi
-	done
-	if test $? -ne 0 ; then
-		exit 1
-	fi])
-
-dnl
-dnl Use pfopen.c if available and pfopen() not in standard libraries
-dnl Require libpcap
-dnl Look for libpcap in ..
-dnl Use the installed libpcap if there is no local version
-dnl
-dnl usage:
-dnl
-dnl	AC_LBL_LIBPCAP(pcapdep, incls)
-dnl
-dnl results:
-dnl
-dnl	$1 (pcapdep set)
-dnl	$2 (incls appended)
-dnl	LIBS
-dnl	LDFLAGS
-dnl	LBL_LIBS
-dnl
-AC_DEFUN([AC_LBL_LIBPCAP],
-    [AC_REQUIRE([AC_LBL_LIBRARY_NET])
-    dnl
-    dnl save a copy before locating libpcap.a
-    dnl
-    LBL_LIBS="$LIBS"
-    pfopen=/usr/examples/packetfilter/pfopen.c
-    if test -f $pfopen ; then
-	    AC_CHECK_FUNCS(pfopen)
-	    if test $ac_cv_func_pfopen = "no" ; then
-		    AC_MSG_RESULT(Using $pfopen)
-		    LIBS="$LIBS $pfopen"
-	    fi
-    fi
-    AC_MSG_CHECKING(for local pcap library)
-    libpcap=FAIL
-    lastdir=FAIL
-    dnl Since config is at the top level, .. is meaningless for subdirs, get
-    dnl the full path
-    oneup=`(cd ..; pwd)`
-    places=`ls .. | sed -e 's,/$,,' -e "s,^,$oneup/," | \
-	egrep '/libpcap-[[0-9]]*\.[[0-9]]*(\.[[0-9]]*)?([[ab]][[0-9]]*)?$'`
-    for dir in $places $oneup/libpcap libpcap ; do
-	    basedir=`echo $dir | sed -e 's/[[ab]][[0-9]]*$//'`
-	    if test $lastdir = $basedir ; then
-		    dnl skip alphas when an actual release is present
-		    continue;
-	    fi
-	    lastdir=$dir
-	    if test -r $dir/pcap.c ; then
-		    libpcap=$dir/libpcap.a
-		    d=$dir
-		    dnl continue and select the last one that exists
-	    fi
-    done
-    if test "x$libpcap" = xFAIL ; then
-	    AC_MSG_RESULT(not found)
-	    AC_CHECK_LIB(pcap, pcap_open_live, libpcap="-lpcap")
-	    unset ac_cv_lib_pcap_pcap_open_live
-	    if test "x$libpcap" = xFAIL ; then
-		    CFLAGS="$CFLAGS -I/usr/local/include"
-		    LIBS="$LIBS -L/usr/local/lib"
-		    AC_CHECK_LIB(pcap, pcap_open_live, libpcap="-lpcap")
-		    unset ac_cv_lib_pcap_pcap_open_live
-		    if test "x$libpcap" = xFAIL ; then
-			    AC_MSG_ERROR(see the INSTALL doc for more info)
-		    fi
-		    $2="$$2 -I/usr/local/include"
-	    fi
-	    LIBS="$LIBS -lpcap"
-    else
-	    $1=$libpcap
-	    $2="-I$d $$2"
-	    AC_MSG_RESULT($libpcap)
-    fi
-    if test "x$libpcap" != "x-lpcap" ; then
-      LIBS="-L$d -lpcap $LIBS"
-    fi
-
-    dnl check libpcap is modern enough for Bro (>= 0.6.1)
-    AC_CHECK_LIB(pcap, pcap_freecode)
-    if test "$ac_cv_lib_pcap_pcap_freecode" = no ; then
-	    AC_DEFINE([DONT_HAVE_LIBPCAP_PCAP_FREECODE],[],[Old libpcap versions (< 0.6.1) need defining pcap_freecode and pcap_compile_nopcap])
-    fi
-
-		dnl check pcap headers location
-    AC_MSG_CHECKING(for pcap headers)
-		pcap_header_locations="\
-			$PWD/../libpcap \
-			/usr/include \
-			/usr/include/pcap \
-			/usr/src/sys \
-			/usr/local/include \
-			/usr/local/src/libpcap \
-            $d"
-		pcap_includes=FAIL
-		for dir in $pcap_header_locations; do
-			if test -r $dir/pcap.h ; then
-				pcap_includes=$dir
-				break
-			fi
-		done
-    if test "x$pcap_includes" = xFAIL ; then
-			AC_MSG_ERROR(couldn't find pcap.h)
-    fi
-    if test "x$pcap_includes" != x/usr/include ; then
-	    AC_MSG_RESULT($pcap_includes)
-	    V_INCLS="$V_INCLS -I$pcap_includes"
-    else
-        AC_MSG_RESULT($pcap_includes)
-    fi
-
-		dnl check if pcap_compile_nopcap needs error parameter (NetBSDism)
-    if test "$ac_cv_lib_pcap_pcap_freecode" = yes ; then
-			CFLAGS="$CFLAGS -I$pcap_includes"
-			AC_MSG_CHECKING(if pcap_compile_nopcap needs error parameter)
-			AC_LINK_IFELSE(
-				[AC_LANG_PROGRAM([[
-					#include <pcap.h>
-					]], [[
-					int snaplen;
-					int linktype;
-					struct bpf_program fp;
-					int optimize;
-					bpf_u_int32 netmask;
-					char str[10];
-					snaplen = 50;
-					linktype = DLT_EN10MB;
-					optimize = 1;
-					netmask = 0L;
-					str[0] = 'i'; str[1] = 'p'; str[2] = '\0';
-					(void)pcap_compile_nopcap(snaplen, linktype, &fp, str, optimize, netmask);
-					]])],result="ok",result="wrong")
-			if test "$result" = "ok" ; then
-				AC_MSG_RESULT(not needed)
-			else
-				AC_LINK_IFELSE(
-					[AC_LANG_PROGRAM([[
-						#include <pcap.h>
-						]], [[
-						int snaplen;
-						int linktype;
-						struct bpf_program fp;
-						int optimize;
-						bpf_u_int32 netmask;
-						char str[10];
-						char error[1024];
-						snaplen = 50;
-						linktype = DLT_EN10MB;
-						optimize = 1;
-						netmask = 0L;
-						str[0] = 'i'; str[1] = 'p'; str[2] = '\0';
-						(void)pcap_compile_nopcap(snaplen, linktype, &fp, str, optimize, netmask, &error);
-						]])],result="ok",result="wrong")
-				if test "$result" = "ok" ; then
-					AC_DEFINE([LIBPCAP_PCAP_COMPILE_NOPCAP_HAS_ERROR_PARAMETER],[],
-							[Some libpcap versions use an extra parameter (error) in pcap_compile_nopcap])
-					AC_MSG_RESULT(needed)
-				else
-					AC_MSG_ERROR(don't know (weird pcap_compile_nopcap))
-				fi
-			fi
-		fi
-
-
-    case "$target_os" in
-
-    aix*)
-	    pseexe="/lib/pse.exp"
-	    AC_MSG_CHECKING(for $pseexe)
-	    if test -f $pseexe ; then
-		    AC_MSG_RESULT(yes)
-		    LIBS="$LIBS -I:$pseexe"
-	    fi
-	    ;;
-    esac])
-
-dnl
-dnl Define RETSIGTYPE and RETSIGVAL
-dnl
-dnl usage:
-dnl
-dnl	AC_LBL_TYPE_SIGNAL
-dnl
-dnl results:
-dnl
-dnl	RETSIGTYPE (defined)
-dnl	RETSIGVAL (defined)
-dnl
-AC_DEFUN([AC_LBL_TYPE_SIGNAL],
-    [AC_BEFORE([$0], [AC_LBL_LIBPCAP])
-    AC_TYPE_SIGNAL
-    if test "$ac_cv_type_signal" = void ; then
-	    AC_DEFINE(RETSIGVAL,,[signal function return value])
-    else
-	    AC_DEFINE(RETSIGVAL,(0))
-    fi
-    case "$target_os" in
-
-    irix*)
-	    AC_DEFINE(_BSD_SIGNALS,,[irix's BSD style signals])
-	    ;;
-
-    *)
-	    dnl prefer sigset() to sigaction()
-	    AC_CHECK_FUNCS(sigset)
-	    if test $ac_cv_func_sigset = yes ; then
-		    AC_DEFINE(signal,sigset,[use sigset() instead of signal()])
-	    else
-		    AC_CHECK_FUNCS(sigaction)
-	    fi
-	    ;;
-    esac])
-
-dnl
-dnl If using gcc, make sure we have ANSI ioctl definitions
-dnl
-dnl usage:
-dnl
-dnl	AC_LBL_FIXINCLUDES
-dnl
-AC_DEFUN([AC_LBL_FIXINCLUDES],
-    [if test "$GCC" = yes ; then
-	    AC_MSG_CHECKING(for ANSI ioctl definitions)
-	    AC_CACHE_VAL(ac_cv_lbl_gcc_fixincludes,
-		AC_TRY_COMPILE(
-		    [/*
-		     * This generates a "duplicate case value" when fixincludes
-		     * has not be run.
-		     */
-#		include <sys/types.h>
-#		include <sys/time.h>
-#		include <sys/ioctl.h>
-#		ifdef HAVE_SYS_IOCCOM_H
-#		include <sys/ioccom.h>
-#		endif],
-		    [switch (0) {
-		    case _IO('A', 1):;
-		    case _IO('B', 1):;
-		    }],
-		    ac_cv_lbl_gcc_fixincludes=yes,
-		    ac_cv_lbl_gcc_fixincludes=no))
-	    AC_MSG_RESULT($ac_cv_lbl_gcc_fixincludes)
-	    if test $ac_cv_lbl_gcc_fixincludes = no ; then
-		    # Don't cache failure
-		    unset ac_cv_lbl_gcc_fixincludes
-		    AC_MSG_ERROR(see the INSTALL for more info)
-	    fi
-    fi])
-
-dnl
-dnl Check for flex, default to lex
-dnl Require flex 2.4 or higher
-dnl Check for bison, default to yacc
-dnl Default to lex/yacc if both flex and bison are not available
-dnl Define the yy prefix string if using flex and bison
-dnl
-dnl usage:
-dnl
-dnl	AC_LBL_LEX_AND_YACC(lex, yacc, yyprefix)
-dnl
-dnl results:
-dnl
-dnl	$1 (lex set)
-dnl	$2 (yacc appended)
-dnl	$3 (optional flex and bison -P prefix)
-dnl
-AC_DEFUN([AC_LBL_LEX_AND_YACC],
-    [AC_ARG_WITH(flex, [  --without-flex          don't use flex])
-    AC_ARG_WITH(bison, [  --without-bison         don't use bison])
-    if test "$with_flex" = no ; then
-	    $1=lex
-    else
-	    AC_CHECK_PROGS($1, flex, lex)
-    fi
-    if test "$$1" = flex ; then
-	    # The -V flag was added in 2.4
-	    AC_MSG_CHECKING(for flex 2.4 or higher)
-	    AC_CACHE_VAL(ac_cv_lbl_flex_v24,
-		if flex -V >/dev/null 2>&1; then
-			ac_cv_lbl_flex_v24=yes
-		else
-			ac_cv_lbl_flex_v24=no
-		fi)
-	    AC_MSG_RESULT($ac_cv_lbl_flex_v24)
-	    if test $ac_cv_lbl_flex_v24 = no ; then
-		    s="2.4 or higher required"
-		    AC_MSG_WARN(ignoring obsolete flex executable ($s))
-		    $1=lex
-	    fi
-    fi
-    if test "$with_bison" = no ; then
-	    $2=yacc
-    else
-	    AC_CHECK_PROGS($2, bison, yacc)
-    fi
-    if test "$$2" = bison ; then
-	    $2="$$2 -y"
-    fi
-    if test "$$1" != lex -a "$$2" = yacc -o "$$1" = lex -a "$$2" != yacc ; then
-	    AC_MSG_WARN(don't have both flex and bison; reverting to lex/yacc)
-	    $1=lex
-	    $2=yacc
-    fi
-    if test "$$1" = flex -a -n "$3" ; then
-	    $1="$$1 -P$3"
-	    $2="$$2 -p $3"
-    fi])
-
-dnl
-dnl Checks to see if union wait is used with WEXITSTATUS()
-dnl
-dnl usage:
-dnl
-dnl	AC_LBL_UNION_WAIT
-dnl
-dnl results:
-dnl
-dnl	DECLWAITSTATUS (defined)
-dnl
-AC_DEFUN([AC_LBL_UNION_WAIT],
-    [AC_MSG_CHECKING(if union wait is used)
-    AC_CACHE_VAL(ac_cv_lbl_union_wait,
-	AC_TRY_COMPILE([
-#	include <sys/types.h>
-#	include <sys/wait.h>],
-	    [int status;
-	    u_int i = WEXITSTATUS(status);
-	    u_int j = waitpid(0, &status, 0);],
-	    ac_cv_lbl_union_wait=no,
-	    ac_cv_lbl_union_wait=yes))
-    AC_MSG_RESULT($ac_cv_lbl_union_wait)
-    if test $ac_cv_lbl_union_wait = yes ; then
-	    AC_DEFINE(DECLWAITSTATUS,union wait)
-    else
-	    AC_DEFINE(DECLWAITSTATUS,int)
-    fi])
-
-dnl
-dnl Checks to see if the sockaddr struct has the 4.4 BSD sa_len member
-dnl
-dnl usage:
-dnl
-dnl	AC_LBL_SOCKADDR_SA_LEN
-dnl
-dnl results:
-dnl
-dnl	HAVE_SOCKADDR_SA_LEN (defined)
-dnl
-AC_DEFUN([AC_LBL_SOCKADDR_SA_LEN],
-    [AC_CHECK_MEMBERS(struct sockaddr.sa_len,,,[
-#	include <sys/types.h>
-#	include <sys/socket.h>])])
-
-dnl
-dnl Makes sure socklen_t is defined
-dnl
-dnl usage:
-dnl
-dnl	AC_LBL_SOCKLEN_T
-dnl
-dnl results:
-dnl
-dnl	socklen_t (defined if missing)
-dnl
-AC_DEFUN([AC_LBL_SOCKLEN_T],
-    [AC_MSG_CHECKING(for socklen_t in sys/socket.h using $CC)
-    AC_CACHE_VAL(ac_cv_lbl_socklen_t,
-	AC_TRY_COMPILE([
-#	include "confdefs.h"
-#	include <sys/types.h>
-#	include <sys/socket.h>
-#	if STDC_HEADERS
-#	include <stdlib.h>
-#	include <stddef.h>
-#	endif],
-	[socklen_t i],
-	ac_cv_lbl_socklen_t=yes,
-	ac_cv_lbl_socklen_t=no))
-    AC_MSG_RESULT($ac_cv_lbl_socklen_t)
-    if test $ac_cv_lbl_socklen_t = no ; then
-	    AC_DEFINE(socklen_t, int, [Define socklen_t if missing])
-    fi])
-
-dnl
-dnl Checks to see if the IFF_LOOPBACK exists as a define or enum
-dnl
-dnl   (stupidly some versions of linux use an enum...)
-dnl
-dnl usage:
-dnl
-dnl	AC_LBL_IFF_LOOPBACK
-dnl
-dnl results:
-dnl
-dnl	HAVE_IFF_LOOPBACK (defined)
-dnl
-AC_DEFUN([AC_LBL_IFF_LOOPBACK],
-    [AC_MSG_CHECKING(for IFF_LOOPBACK define/enum)
-    AC_CACHE_VAL(ac_cv_lbl_have_iff_loopback,
-	AC_TRY_COMPILE([
-#	include <sys/param.h>
-#	include <sys/file.h>
-#	include <sys/ioctl.h>
-#	include <sys/socket.h>
-#	ifdef HAVE_SYS_SOCKIO_H
-#	include <sys/sockio.h>
-#	endif
-#	include <sys/time.h>
-#	include <net/if.h>
-#	include <netinet/in.h>],
-	[int i = IFF_LOOPBACK],
-	ac_cv_lbl_have_iff_loopback=yes,
-	ac_cv_lbl_have_iff_loopback=no))
-    AC_MSG_RESULT($ac_cv_lbl_have_iff_loopback)
-    if test $ac_cv_lbl_have_iff_loopback = yes ; then
-	    AC_DEFINE(HAVE_IFF_LOOPBACK,, [Have IFF_LOOPBACK define/enum])
-    fi])
-
-dnl
-dnl Checks to see if -R is used
-dnl
-dnl usage:
-dnl
-dnl	AC_LBL_HAVE_RUN_PATH
-dnl
-dnl results:
-dnl
-dnl	ac_cv_lbl_have_run_path (yes or no)
-dnl
-AC_DEFUN([AC_LBL_HAVE_RUN_PATH],
-    [AC_MSG_CHECKING(for ${CC-cc} -R)
-    AC_CACHE_VAL(ac_cv_lbl_have_run_path,
-	[echo 'main(){}' > conftest.c
-	${CC-cc} -o conftest conftest.c -R/a1/b2/c3 >conftest.out 2>&1
-	if test ! -s conftest.out ; then
-		ac_cv_lbl_have_run_path=yes
-	else
-		ac_cv_lbl_have_run_path=no
-	fi
-	rm -f conftest*])
-    AC_MSG_RESULT($ac_cv_lbl_have_run_path)
-    ])
-
-dnl
-dnl Due to the stupid way it's implemented, AC_CHECK_TYPE is nearly useless.
-dnl
-dnl usage:
-dnl
-dnl	AC_LBL_CHECK_TYPE
-dnl
-dnl results:
-dnl
-dnl	int32_t (defined)
-dnl	u_int32_t (defined)
-dnl
-AC_DEFUN([AC_LBL_CHECK_TYPE],
-    [AC_MSG_CHECKING(for $1 using $CC)
-    AC_CACHE_VAL(ac_cv_lbl_have_$1,
-	AC_TRY_COMPILE([
-#	include "confdefs.h"
-#	include <sys/types.h>
-#	if STDC_HEADERS
-#	include <stdlib.h>
-#	include <stddef.h>
-#	endif],
-	[$1 i],
-	ac_cv_lbl_have_$1=yes,
-	ac_cv_lbl_have_$1=no))
-    AC_MSG_RESULT($ac_cv_lbl_have_$1)
-    if test $ac_cv_lbl_have_$1 = no ; then
-	    AC_DEFINE($1, $2, Define $1)
-    fi])
-
-dnl
-dnl Checks to see if unaligned memory accesses fail
-dnl
-dnl usage:
-dnl
-dnl	AC_LBL_UNALIGNED_ACCESS
-dnl
-dnl results:
-dnl
-dnl	LBL_ALIGN (DEFINED)
-dnl
-AC_DEFUN([AC_LBL_UNALIGNED_ACCESS],
-    [AC_MSG_CHECKING(if unaligned accesses fail)
-    AC_CACHE_VAL(ac_cv_lbl_unaligned_fail,
-	[case "$target_cpu" in
-
-	alpha|hp*|mips|sparc)
-		ac_cv_lbl_unaligned_fail=yes
-		;;
-
-	*)
-		cat >conftest.c <<EOF
-#		include <sys/types.h>
-#		include <sys/wait.h>
-#		include <stdio.h>
-		unsigned char a[[5]] = { 1, 2, 3, 4, 5 };
-		main() {
-		unsigned int i;
-		pid_t pid;
-		int status;
-		/* avoid "core dumped" message */
-		pid = fork();
-		if (pid <  0)
-			exit(2);
-		if (pid > 0) {
-			/* parent */
-			pid = waitpid(pid, &status, 0);
-			if (pid < 0)
-				exit(3);
-			exit(!WIFEXITED(status));
-		}
-		/* child */
-		i = *(unsigned int *)&a[[1]];
-		printf("%d\n", i);
-		exit(0);
-		}
-EOF
-		${CC-cc} -o conftest $CFLAGS $CPPFLAGS $LDFLAGS \
-		    conftest.c $LIBS >/dev/null 2>&1
-		if test ! -x conftest ; then
-			dnl failed to compile for some reason
-			ac_cv_lbl_unaligned_fail=yes
-		else
-			./conftest >conftest.out
-			if test ! -s conftest.out ; then
-				ac_cv_lbl_unaligned_fail=yes
-			else
-				ac_cv_lbl_unaligned_fail=no
-			fi
-		fi
-		rm -f conftest* core core.conftest
-		;;
-	esac])
-    AC_MSG_RESULT($ac_cv_lbl_unaligned_fail)
-    if test $ac_cv_lbl_unaligned_fail = yes ; then
-	    AC_DEFINE(LBL_ALIGN)
-    fi])
-
-dnl
-dnl add all warning option to CFLAGS
-dnl
-dnl usage:
-dnl
-dnl	AC_LBL_CHECK_WALL(copt)
-dnl
-dnl results:
-dnl
-dnl	$1 (copt appended)
-dnl	ac_cv_lbl_gcc_vers
-dnl
-AC_DEFUN([AC_LBL_CHECK_WALL],
-    [ if test "$GCC" = yes ; then
-	    if test "$SHLICC2" = yes ; then
-		    ac_cv_lbl_gcc_vers=2
-		    $1="`echo $$1 | sed -e 's/-O/-O2/'`"
-	    else
-		    AC_MSG_CHECKING(gcc version)
-		    AC_CACHE_VAL(ac_cv_lbl_gcc_vers,
-			# Gag, the gcc folks keep changing the output...
-			ac_cv_lbl_gcc_vers=`$CC --version 2>&1 | \
-			    sed -e '1!d' -e 's/.* //' -e 's/\..*//'`)
-		    AC_MSG_RESULT($ac_cv_lbl_gcc_vers)
-		    if test $ac_cv_lbl_gcc_vers -gt 1 ; then
-			    $1="`echo $$1 | sed -e 's/-O/-O2/'`"
-		    fi
-	    fi
-	    if test "${LBL_CFLAGS+set}" != set; then
-		    if test "$ac_cv_prog_cc_g" = yes ; then
-			    $1="-g $$1"
-		    fi
-		    $1="$$1 -Wall"
-		    if test $ac_cv_lbl_gcc_vers -gt 1 ; then
-			    $1="$$1 -Wmissing-prototypes -Wstrict-prototypes"
-		    fi
-	    fi
-    else
-	    case "$target_os" in
-
-	    irix6*)
-		    $1="$$1 -fullwarn -n32"
-		    ;;
-
-	    *)
-		    ;;
-	    esac
-    fi])
-
-dnl
-dnl If using gcc and the file .devel exists:
-dnl	Compile with -g (if supported) and -Wall
-dnl	If using gcc 2, do extra prototype checking
-dnl	If an os prototype include exists, symlink os-proto.h to it
-dnl
-dnl usage:
-dnl
-dnl	AC_LBL_DEVEL(copt)
-dnl
-dnl results:
-dnl
-dnl	$1 (copt appended)
-dnl	HAVE_OS_PROTO_H (defined)
-dnl	os-proto.h (symlinked)
-dnl
-AC_DEFUN([AC_LBL_DEVEL],
-    [rm -f os-proto.h
-    if test "${LBL_CFLAGS+set}" = set; then
-	    $1="$$1 ${LBL_CFLAGS}"
-    fi
-    if test -f .devel ; then
-	    AC_LBL_CHECK_WALL($1)
-	    os=`echo $target_os | sed -e 's/\([[0-9]][[0-9]]*\)[[^0-9]].*$/\1/'`
-	    name="lbl/os-$os.h"
-	    if test -f $name ; then
-		    ln -s $name os-proto.h
-		    AC_DEFINE(HAVE_OS_PROTO_H,,[have os-proto.h])
-	    else
-		    AC_MSG_WARN(can't find $name)
-	    fi
-    fi])
-
-dnl
-dnl Improved version of AC_CHECK_LIB
-dnl
-dnl Thanks to John Hawkinson (jhawk@mit.edu)
-dnl
-dnl usage:
-dnl
-dnl	AC_LBL_CHECK_LIB(LIBRARY, FUNCTION [, ACTION-IF-FOUND [,
-dnl	    ACTION-IF-NOT-FOUND [, OTHER-LIBRARIES]]])
-dnl
-dnl results:
-dnl
-dnl	LIBS
-dnl
-
-define(AC_LBL_CHECK_LIB,
-[AC_MSG_CHECKING([for $2 in -l$1])
-dnl Use a cache variable name containing both the library and function name,
-dnl because the test really is for library $1 defining function $2, not
-dnl just for library $1.  Separate tests with the same $1 and different $2's
-dnl may have different results.
-ac_lib_var=`echo $1['_']$2['_']$5 | sed 'y%./+- %__p__%'`
-AC_CACHE_VAL(ac_cv_lbl_lib_$ac_lib_var,
-[ac_save_LIBS="$LIBS"
-LIBS="-l$1 $5 $LIBS"
-AC_TRY_LINK(dnl
-ifelse([$2], [main], , dnl Avoid conflicting decl of main.
-[/* Override any gcc2 internal prototype to avoid an error.  */
-]ifelse(AC_LANG, CPLUSPLUS, [#ifdef __cplusplus
-extern "C"
-#endif
-])dnl
-[/* We use char because int might match the return type of a gcc2
-    builtin and then its argument prototype would still apply.  */
-char $2();
-]),
-	    [$2()],
-	    eval "ac_cv_lbl_lib_$ac_lib_var=yes",
-	    eval "ac_cv_lbl_lib_$ac_lib_var=no")
-LIBS="$ac_save_LIBS"
-])dnl
-if eval "test \"`echo '$ac_cv_lbl_lib_'$ac_lib_var`\" = yes"; then
-  AC_MSG_RESULT(yes)
-  ifelse([$3], ,
-[changequote(, )dnl
-  ac_tr_lib=HAVE_LIB`echo $1 | sed -e 's/[^a-zA-Z0-9_]/_/g' \
-    -e 'y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/'`
-changequote([, ])dnl
-  AC_DEFINE_UNQUOTED($ac_tr_lib)
-  LIBS="-l$1 $LIBS"
-], [$3])
-else
-  AC_MSG_RESULT(no)
-ifelse([$4], , , [$4
-])dnl
-fi
-])
-
-dnl
-dnl AC_LBL_LIBRARY_NET
-dnl
-dnl This test is for network applications that need socket() and
-dnl gethostbyname() -ish functions.  Under Solaris, those applications
-dnl need to link with "-lsocket -lnsl".  Under IRIX, they need to link
-dnl with "-lnsl" but should *not* link with "-lsocket" because
-dnl libsocket.a breaks a number of things (for instance:
-dnl gethostbyname() under IRIX 5.2, and snoop sockets under most
-dnl versions of IRIX).
-dnl
-dnl Unfortunately, many application developers are not aware of this,
-dnl and mistakenly write tests that cause -lsocket to be used under
-dnl IRIX.  It is also easy to write tests that cause -lnsl to be used
-dnl under operating systems where neither are necessary (or useful),
-dnl such as SunOS 4.1.4, which uses -lnsl for TLI.
-dnl
-dnl This test exists so that every application developer does not test
-dnl this in a different, and subtly broken fashion.
-
-dnl It has been argued that this test should be broken up into two
-dnl seperate tests, one for the resolver libraries, and one for the
-dnl libraries necessary for using Sockets API. Unfortunately, the two
-dnl are carefully intertwined and allowing the autoconf user to use
-dnl them independantly potentially results in unfortunate ordering
-dnl dependancies -- as such, such component macros would have to
-dnl carefully use indirection and be aware if the other components were
-dnl executed. Since other autoconf macros do not go to this trouble,
-dnl and almost no applications use sockets without the resolver, this
-dnl complexity has not been implemented.
-dnl
-dnl The check for libresolv is in case you are attempting to link
-dnl statically and happen to have a libresolv.a lying around (and no
-dnl libnsl.a).
-dnl
-AC_DEFUN([AC_LBL_LIBRARY_NET], [
-    # Most operating systems have gethostbyname() in the default searched
-    # libraries (i.e. libc):
-    AC_CHECK_FUNC(gethostbyname, ,
-	# Some OSes (eg. Solaris) place it in libnsl:
-	AC_CHECK_LIB(nsl, gethostbyname, ,
-	    # Some strange OSes (SINIX) have it in libsocket:
-	    AC_CHECK_LIB(socket, gethostbyname, ,
-		# Unfortunately libsocket sometimes depends on libnsl.
-		# AC_CHECK_LIB's API is essentially broken so the
-		# following ugliness is necessary:
-		AC_CHECK_LIB(socket, gethostbyname,
-		    LIBS="-lsocket -lnsl $LIBS",
-		    AC_CHECK_LIB(resolv, gethostbyname),
-		    -lnsl))))
-    AC_CHECK_FUNC(socket, , AC_CHECK_LIB(socket, socket, ,
-	AC_CHECK_LIB(socket, socket, LIBS="-lsocket -lnsl $LIBS", ,
-	    -lnsl)))
-    # DLPI needs putmsg under HPUX so test for -lstr while we're at it
-    AC_CHECK_LIB(str, putmsg)
-    ])
-
-
-dnl
-dnl Checks to see if declaring syslog() and openlog() as returning int
-dnl is compatible with <syslog.h> and <stdlib.h>, or if we should not
-dnl declare them explicitly.
-dnl
-dnl usage:
-dnl
-dnl	AC_BRO_SYSLOG_INT
-dnl
-dnl results:
-dnl
-dnl	SYSLOG_INT (either defined or not defined)
-dnl
-AC_DEFUN([AC_BRO_SYSLOG_INT],
-    [AC_LANG_CPLUSPLUS
-    AC_MSG_CHECKING(if syslog returns int)
-    AC_CACHE_VAL(ac_cv_bro_syslog_int,
-	AC_TRY_COMPILE([
-#	include <stdlib.h>
-#	include <syslog.h>
-	    extern "C" {
-		int openlog(const char* ident, int logopt, int facility);
-		int syslog(int priority, const char* message_fmt, ...);
-		int closelog();
-	    }],,
-	    ac_cv_bro_syslog_int=yes,
-	    ac_cv_bro_syslog_int=no))
-    AC_MSG_RESULT($ac_cv_bro_syslog_int)
-    if test $ac_cv_bro_syslog_int = yes ; then
-	    AC_DEFINE(SYSLOG_INT,,[should we declare syslog() and openlog()])
-    fi])
-
-dnl
-dnl Checks to see if we should explicitly declare socket() and friends.
-dnl
-dnl usage:
-dnl
-dnl	AC_BRO_SOCK_DECL
-dnl
-dnl results:
-dnl
-dnl	DO_SOCK_DECL (either defined or not defined)
-dnl
-AC_DEFUN([AC_BRO_SOCK_DECL],
-    [AC_LANG_C
-    AC_MSG_CHECKING(if we should declare socket and friends)
-    AC_CACHE_VAL(ac_cv_bro_sock_decl,
-	AC_TRY_COMPILE([
-#	include <sys/types.h>
-#	include <sys/socket.h>
-	extern int socket(int, int, int);
-	extern int connect(int, const struct sockaddr *, int);
-	extern int send(int, const void *, int, int);
-	extern int recvfrom(int, void *, int, int, struct sockaddr *, int *);
-	    ],,
-	    ac_cv_bro_sock_decl=yes,
-	    ac_cv_bro_sock_decl=no))
-    AC_MSG_RESULT($ac_cv_bro_sock_decl)
-    if test $ac_cv_bro_sock_decl = yes ; then
-	    AC_DEFINE(DO_SOCK_DECL,,[should explicitly declare socket() and friends])
-    fi])
diff --git a/autogen.sh b/autogen.sh
deleted file mode 100755
index 817498c141..0000000000
--- a/autogen.sh
+++ /dev/null
@@ -1,143 +0,0 @@
-#!/bin/sh
-
-# Initialization script to set up the initial configuration files etc.
-# shtool usage inspired by the autogen script of the ferite scripting
-# language -- cheers Chris :)
-#
-# This is 'borrowed' from netdude, with minor changes for bro 
-
-BLD_ON=`./shtool echo -n -e %B`
-BLD_OFF=`./shtool echo -n -e %b`
-
-srcdir=`dirname $0`
-NAME=bro
-
-DIE=0
-
-echo
-echo "               "${BLD_ON}"BRO Build Tools Setup"${BLD_OFF}
-echo "===================================================="
-echo
-echo "Checking whether we have all tools available ..."
-
-(autoconf --version) < /dev/null > /dev/null 2>&1 || {
-  echo
-  echo ${BLD_ON}"Error"${BLD_OFF}": You must have \`autoconf' installed to."
-  echo "Download the appropriate package for your distribution,"
-  echo "or get the source tarball at ftp://ftp.gnu.org/pub/gnu/"
-  DIE=1
-}
-
-(automake --version) < /dev/null > /dev/null 2>&1 || {
-  echo
-  echo ${BLD_ON}"Error"${BLD_OFF}": You must have \`automake' installed."
-  echo "Get ftp://ftp.gnu.org/pub/gnu/automake-1.3.tar.gz"
-  echo "(or a newer version if it is available)"
-  DIE=1
-  NO_AUTOMAKE=yes
-}
-
-# if no automake, don't bother testing for aclocal
-test -n "$NO_AUTOMAKE" || (aclocal --version) < /dev/null > /dev/null 2>&1 || {
-  echo
-  echo ${BLD_ON}"Error"${BLD_OFF}": Missing \`aclocal'.  The version of \`automake'"
-  echo "installed doesn't appear recent enough."
-  echo "Get ftp://ftp.gnu.org/pub/gnu/automake-1.3.tar.gz"
-  echo "(or a newer version if it is available)"
-  DIE=1
-}
-
-if test "$DIE" -eq 1; then
-  exit 1
-fi
-
-echo "All necessary tools found."
-echo
-
-if [ -d autom4te.cache ] ; then
-    echo "Removing autom4te.cache ..."
-    rm -rf autom4te.cache
-    #echo
-    #echo ${BLD_ON}"Error"${BLD_OFF}": autom4te.cache directory exists"
-    #echo "please remove it, and rerun this script"
-    #echo 
-    #exit 1
-fi
-
-echo
-echo "running "${BLD_ON}"aclocal"${BLD_OFF}
-echo "----------------------------------------------------"
-aclocal -I . $ACLOCAL_FLAGS
-if [ $? -ne 0 ]; then
-    echo "*** ERROR($NAME), aborting."
-    exit 1
-fi
-
-echo
-echo "running "${BLD_ON}"autoheader"${BLD_OFF}
-echo "----------------------------------------------------"
-autoheader
-if [ $? -ne 0 ]; then
-    echo "*** ERROR($NAME), aborting."
-    exit 1
-fi
-
-echo
-echo "running "${BLD_ON}"automake"${BLD_OFF}
-echo "----------------------------------------------------"
-automake -a -c 
-if [ $? -ne 0 ]; then
-    echo "*** ERROR($NAME), aborting."
-    exit 1
-fi
-
-echo
-echo "running "${BLD_ON}"autoconf"${BLD_OFF}
-echo "----------------------------------------------------"
-autoconf
-if [ $? -ne 0 ]; then
-    echo "*** ERROR($NAME), aborting."
-    exit 1
-fi
-
-echo
-echo
-echo "Running aux/binpac/autogen.sh"
-echo "----------------------------------------------------"
-(cd aux/binpac/ && BROBUILD=yes ./autogen.sh)
-if [ $? -ne 0 ]; then
-    echo "*** ERROR($NAME), aborting."
-    exit 1
-fi
-
-echo
-echo
-echo "Running aux/broccoli/autogen.sh"
-echo "----------------------------------------------------"
-(cd aux/broccoli/ && BROBUILD=yes ./autogen.sh)
-if [ $? -ne 0 ]; then
-    echo "*** ERROR($NAME), aborting."
-    exit 1
-fi
-
-echo
-echo
-echo "Running aux/broctl/aux/capstats/autogen.sh"
-echo "----------------------------------------------------"
-(cd aux/broctl/aux/capstats && ./autogen.sh)
-if [ $? -ne 0 ]; then
-    echo "*** ERROR($NAME), aborting."
-    exit 1
-fi
-
-echo
-echo 
-echo "Setup finished. Now run:"
-echo
-echo "  $ "${BLD_ON}"./configure"${BLD_OFF}" (with options as needed, try --help)"
-echo
-echo "and then"
-echo
-echo "  $ "${BLD_ON}"make"${BLD_OFF}
-echo "  # "${BLD_ON}"make install"${BLD_OFF}
-echo
diff --git a/aux/Makefile.am b/aux/Makefile.am
deleted file mode 100644
index d109d7ce05..0000000000
--- a/aux/Makefile.am
+++ /dev/null
@@ -1,77 +0,0 @@
-## Process this file with automake to produce Makefile.in
-
-LIBPCAP_VER = libpcap-0.9.8
-LIBPCAP_LIB = $(LIBPCAP_VER)/libpcap.a
-
-EXTRA_DIST = README $(LIBPCAP_VER).tar.gz
-
-# if we don't have ssl, can't build bdcat
-if USE_SSL
-bdcat_dir = bdcat
-else
-bdcat_dir =
-endif
-
-# don't compile libpcap if they did a '--disable-localpcap' to configure
-if USE_LOCALPCAP
-built_srcs =  $(LIBPCAP_LIB)
-LARGE_FILE =  "-D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE"
-else
-built_srcs =  
-endif
-
-if USEV6
-PCAPARGS = --enable-ipv6
-else
-PCAPARGS = 
-endif
-
-if USE_BROCCOLI
-broccoli = broccoli
-else
-broccoli =
-endif
-
-if USE_BROCTL
-broctl = broctl
-else
-broctl =
-endif
-
-BUILT_SOURCES = $(built_srcs)
-
-SUBDIRS = adtrace binpac cf hf nftools rst scripts \
-		$(bdcat_dir) $(broccoli) $(broctl)
-
-DIST_SUBDIRS = adtrace binpac cf hf nftools rst scripts \
-		$(bdcat_dir) $(broccoli) $(broctl)
-
-clean-local:
-	rm -rf $(LIBPCAP_VER)
-
-
-$(LIBPCAP_LIB): $(top_srcdir)/aux/$(LIBPCAP_VER).tar.gz
-	@echo "Unpacking libpcap sources"
-	@gzip -d < $(top_srcdir)/aux/$(LIBPCAP_VER).tar.gz | tar xf -
-	@echo "Building libpcap"
-	( cd $(LIBPCAP_VER) && ./configure --prefix=$(prefix) $(PCAPARGS) CFLAGS=$(LARGE_FILE) && $(MAKE) )
-	@chmod -R 755 $(LIBPCAP_VER)
-
-
-# This is a hack. These are hardcoded here to mimic the previous
-# brolite installation. While these should better go into the 
-# subdirs' Makefile.am, it's not really worth the effort as 
-# we will get rid of all this at some point anyway.
-install-brolite:
-	$(INSTALL) ./hf/hf ${bindir}
-	$(INSTALL) ./hf/nf ${bindir}
-	$(INSTALL) ./hf/pf ${bindir}
-	$(INSTALL) ./cf/cf ${bindir}
-	$(INSTALL) ./rst/rst ${bindir}
-	- install -d $(prefix)/scripts/
-	$(INSTALL) ./scripts/host-to-addrs $(prefix)/scripts
-	$(INSTALL) ./scripts/bro-logchk.pl $(prefix)/scripts
-	$(INSTALL) ./scripts/host-grep $(prefix)/scripts
-	$(INSTALL) ./scripts/mvlog $(prefix)/scripts
-
-
diff --git a/aux/README b/aux/README
deleted file mode 100644
index ace78cb3a0..0000000000
--- a/aux/README
+++ /dev/null
@@ -1,61 +0,0 @@
-This directory contains handy auxiliary programs:
-
-adtrace/
-	Makefile and source for the adtrace utility. This program is used
-	in conjunction with the localnetMAC.pl perl script to compute the
-	network address that compose the internal and extern nets that bro
-	is monitoring. This program when run by itself just reads a pcap
-	(tcpcump) file and writes out the src MAC, dst MAC, src IP, dst
-	IP for each packet seen in the file. This output is processed by
-	the localnetMAC.pl script during 'make install'.
-
-bdcat/
-	A utility for decrypting encrypted Bro log files.
-
-binpac/
-	A compiler for generating protocol analyzers from high-level,
-	declarative specifications.  Used extensively for constructing
-	Bro's protocol analyzers, but capable of stand-alone use for
-	building analyzers outside of the Bro system.
-
-broccoli/
-	A C client library for interfacing programs with the Bro system.
-	Enables sending and receiving of Bro values and events.
-
-cf/
-	Makefile and source for the "cf" utility.  cf reads lines from
-	stdin and if the line begins with a number, then it assumes that
-	the number corresponds to a Unix timestamp and replaces it with
-	the corresponding local time in a readable format.  Useful for
-	running on log files.  See cf/cf.man.txt for documentation.
-
-contrib/
-	Unsupported contributions to Bro.
-
-hf/
-	The main utility in this subdirectory is hf, which translates
-	any dotted-quad (in text) appearing on stdin to the corresponding
-	DNS hostname (via a PTR lookup) on stdout.
-
-nftools/
-	Utilities for dealing with Bro's custom file format for storing
-	NetFlow records.  nfcollector reads NetFlow data from a socket
-	and writes it in Bro's format.  ftwire2bro reads NetFlow "wire"
-	format (e.g., as generated by a 'flow-export' directive) and writes
-	it in Bro's format.
-
-rst/
-	Makefile and source for the rst utility. "rst" can be invoked by
-	a Bro script to terminate an established TCP connection by forging
-	RST tear-down packets.  See terminate_connection() in conn.bro.
-
-scripts/
-	A set of utility scripts for munching on Bro connection summaries.
-
-	bro_logchk: orders and scans through FTP and HTTP logs
-	host-grep: greps a summary file for a particular host's activities
-	host-to-addrs: converts a hostname to a list of IP addresses
-	hot-report: formats a summary file in a readable fashion
-	ip-grep: returns a grep pattern for a given IP address
-	mon-report: summarizes a particular host's activity
-	mvlog: compresses and archives log files
diff --git a/aux/adtrace/Makefile.am b/aux/adtrace/Makefile.am
deleted file mode 100644
index 858a6fb362..0000000000
--- a/aux/adtrace/Makefile.am
+++ /dev/null
@@ -1,10 +0,0 @@
-## Process this file with automake to produce Makefile.in
-
-AM_CFLAGS=@V_INCLS@
-
-# Should use AM_ vars, but automake 1.5 errors out.
-#AM_LDFLAGS = @LDFLAGS@
-LDFLAGS = @LDFLAGS@
-
-noinst_PROGRAMS = adtrace
-adtrace_SOURCES = adtrace.c ether.h ethertype.h ip.h
diff --git a/aux/adtrace/adtrace.c b/aux/adtrace/adtrace.c
deleted file mode 100644
index 4c2c9e1136..0000000000
--- a/aux/adtrace/adtrace.c
+++ /dev/null
@@ -1,92 +0,0 @@
-#include <stdio.h>
-#include <unistd.h>
-#include <stdlib.h>
-#include <sys/types.h>
-#include <sys/socket.h>
-
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <pcap.h>
-
-#include "../../config.h"
-#include "ip.h"
-#include "ether.h" 
-#include "ethertype.h"
-
-pcap_t *p;
-
-const u_char*  printEAddr(const u_char* pkt, u_char* endp){
-  const struct ether_header *ep;
-  int i=0;
-  ep = (const struct ether_header*) pkt;
-
-  if (pkt+ETHER_HDRLEN > endp ||
-      ntohs(ep->ether_type) != ETHERTYPE_IP){
-    return 0;
-  }
-
-  for (i = 0; i<ETHER_ADDR_LEN; i++){
-    if (i>0) putchar(':');
-    printf("%02x", ep->ether_shost[i]);
-  }
-  putchar (' ');
-  for (i = 0; i<ETHER_ADDR_LEN; i++){
-    if (i>0) putchar(':');
-    printf("%02x", ep->ether_dhost[i]);
-  }
-  putchar(' ');
-  return (pkt+ETHER_HDRLEN);
-}
-
-void printIPAddr(const u_char* pkt, u_char* endp){
-  const struct ip* iph;
-  if (pkt+sizeof(struct ip) > endp) return;
-  iph = (const struct ip*) pkt;
-  fputs ((char*) inet_ntoa(iph->ip_src), stdout);
-  putchar(' ');
-  puts ((char*) inet_ntoa(iph->ip_dst));
-}
-
-void handler(u_char *user, const struct pcap_pkthdr *head, const u_char *packet){
-  u_char* endp;
-
-  endp =(u_char*) packet + head->caplen;
-  packet = printEAddr(packet, endp);
-  if (packet)
-    printIPAddr(packet, endp);
-}
-
-void usage(char *av[])
-{
-	fprintf(stderr,"usage: %s filename \n", av[0]);
-	exit(1);
-}
-
-int main (int argc, char *argv[])
-{
-  char *file;
-  char errbuf[PCAP_ERRBUF_SIZE];
-  u_char* pkt, endp; 
-  struct pcap_pkthdr *head;
-
-  if ( argc != 2 ) 
-	  usage(argv);
-
-  file = argv[1];
-
-  p = pcap_open_offline(file, errbuf);
-  if(p==NULL){
-    fprintf (stderr, "cannot open %s: %s\n", file, errbuf);
-    exit(2);
-  }
-  
-  if (pcap_datalink(p) != DLT_EN10MB){
-    fputs ("sorry, currently only ethernet links supported\n", stderr);
-    exit(1); //if it is not ethernet we are watching we won't have MACs
-  }
-
-  pcap_loop(p, -1, handler, NULL);
-  pcap_close(p);
-  return(0);
-}
-
diff --git a/aux/adtrace/ether.h b/aux/adtrace/ether.h
deleted file mode 100644
index 77d0377945..0000000000
--- a/aux/adtrace/ether.h
+++ /dev/null
@@ -1,59 +0,0 @@
-/* @(#) $Header$ (LBL) */
-/*
- * Copyright (c) 1982, 1986, 1993
- *	The Regents of the University of California.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- *	@(#)if_ether.h	8.3 (Berkeley) 5/2/95
- */
-
-#define	ETHERMTU	1500
-
-/*
- * The number of bytes in an ethernet (MAC) address.
- */
-#define	ETHER_ADDR_LEN		6
-
-/*
- * Structure of a DEC/Intel/Xerox or 802.3 Ethernet header.
- */
-struct	ether_header {
-	u_int8_t	ether_dhost[ETHER_ADDR_LEN];
-	u_int8_t	ether_shost[ETHER_ADDR_LEN];
-	u_int16_t	ether_type;
-};
-
-/*
- * Length of a DEC/Intel/Xerox or 802.3 Ethernet header; note that some
- * compilers may pad "struct ether_header" to a multiple of 4 bytes,
- * for example, so "sizeof (struct ether_header)" may not give the right
- * answer.
- */
-#define ETHER_HDRLEN		14
diff --git a/aux/adtrace/ethertype.h b/aux/adtrace/ethertype.h
deleted file mode 100644
index 1f6aab6776..0000000000
--- a/aux/adtrace/ethertype.h
+++ /dev/null
@@ -1,122 +0,0 @@
-/*
- * Copyright (c) 1993, 1994, 1996
- *	The Regents of the University of California.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that: (1) source code distributions
- * retain the above copyright notice and this paragraph in its entirety, (2)
- * distributions including binary code include the above copyright notice and
- * this paragraph in its entirety in the documentation or other materials
- * provided with the distribution, and (3) all advertising materials mentioning
- * features or use of this software display the following acknowledgement:
- * ``This product includes software developed by the University of California,
- * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
- * the University nor the names of its contributors may be used to endorse
- * or promote products derived from this software without specific prior
- * written permission.
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
- * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
- *
- * @(#) $Header$ (LBL)
- */
-
-/*
- * Ethernet types.
- *
- * We wrap the declarations with #ifdef, so that if a file includes
- * <netinet/if_ether.h>, which may declare some of these, we don't
- * get a bunch of complaints from the C compiler about redefinitions
- * of these values.
- *
- * We declare all of them here so that no file has to include
- * <netinet/if_ether.h> if all it needs are ETHERTYPE_ values.
- */
-
-#ifndef ETHERTYPE_PUP
-#define	ETHERTYPE_PUP		0x0200	/* PUP protocol */
-#endif
-#ifndef ETHERTYPE_IP
-#define	ETHERTYPE_IP		0x0800	/* IP protocol */
-#endif
-#ifndef ETHERTYPE_ARP
-#define ETHERTYPE_ARP		0x0806	/* Addr. resolution protocol */
-#endif
-#ifndef ETHERTYPE_REVARP
-#define ETHERTYPE_REVARP	0x8035	/* reverse Addr. resolution protocol */
-#endif
-#ifndef ETHERTYPE_NS
-#define ETHERTYPE_NS		0x0600
-#endif
-#ifndef	ETHERTYPE_SPRITE
-#define	ETHERTYPE_SPRITE	0x0500
-#endif
-#ifndef ETHERTYPE_TRAIL
-#define ETHERTYPE_TRAIL		0x1000
-#endif
-#ifndef	ETHERTYPE_MOPDL
-#define	ETHERTYPE_MOPDL		0x6001
-#endif
-#ifndef	ETHERTYPE_MOPRC
-#define	ETHERTYPE_MOPRC		0x6002
-#endif
-#ifndef	ETHERTYPE_DN
-#define	ETHERTYPE_DN		0x6003
-#endif
-#ifndef	ETHERTYPE_LAT
-#define	ETHERTYPE_LAT		0x6004
-#endif
-#ifndef ETHERTYPE_SCA
-#define ETHERTYPE_SCA		0x6007
-#endif
-#ifndef ETHERTYPE_REVARP
-#define ETHERTYPE_REVARP	0x8035
-#endif
-#ifndef	ETHERTYPE_LANBRIDGE
-#define	ETHERTYPE_LANBRIDGE	0x8038
-#endif
-#ifndef	ETHERTYPE_DECDNS
-#define	ETHERTYPE_DECDNS	0x803c
-#endif
-#ifndef	ETHERTYPE_DECDTS
-#define	ETHERTYPE_DECDTS	0x803e
-#endif
-#ifndef	ETHERTYPE_VEXP
-#define	ETHERTYPE_VEXP		0x805b
-#endif
-#ifndef	ETHERTYPE_VPROD
-#define	ETHERTYPE_VPROD		0x805c
-#endif
-#ifndef ETHERTYPE_ATALK
-#define ETHERTYPE_ATALK		0x809b
-#endif
-#ifndef ETHERTYPE_AARP
-#define ETHERTYPE_AARP		0x80f3
-#endif
-#ifndef	ETHERTYPE_8021Q
-#define	ETHERTYPE_8021Q		0x8100
-#endif
-#ifndef ETHERTYPE_IPX
-#define ETHERTYPE_IPX		0x8137
-#endif
-#ifndef ETHERTYPE_IPV6
-#define ETHERTYPE_IPV6		0x86dd
-#endif
-#ifndef ETHERTYPE_PPP
-#define	ETHERTYPE_PPP		0x880b
-#endif
-#ifndef	ETHERTYPE_MPLS
-#define	ETHERTYPE_MPLS		0x8847
-#endif
-#ifndef	ETHERTYPE_MPLS_MULTI
-#define	ETHERTYPE_MPLS_MULTI	0x8848
-#endif
-#ifndef ETHERTYPE_PPPOED
-#define ETHERTYPE_PPPOED	0x8863
-#endif
-#ifndef ETHERTYPE_PPPOES
-#define ETHERTYPE_PPPOES	0x8864
-#endif
-#ifndef	ETHERTYPE_LOOPBACK
-#define	ETHERTYPE_LOOPBACK	0x9000
-#endif
diff --git a/aux/adtrace/ip.h b/aux/adtrace/ip.h
deleted file mode 100644
index 3d930537c9..0000000000
--- a/aux/adtrace/ip.h
+++ /dev/null
@@ -1,159 +0,0 @@
-/* @(#) $Header$ (LBL) */
-/*
- * Copyright (c) 1982, 1986, 1993
- *	The Regents of the University of California.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- *	@(#)ip.h	8.2 (Berkeley) 6/1/94
- */
-
-/*
- * Definitions for internet protocol version 4.
- * Per RFC 791, September 1981.
- */
-#define	IPVERSION	4
-
-/*
- * Structure of an internet header, naked of options.
- *
- * We declare ip_len and ip_off to be short, rather than u_short
- * pragmatically since otherwise unsigned comparisons can result
- * against negative integers quite easily, and fail in subtle ways.
- */
-struct ip {
-	u_int8_t	ip_vhl;		/* header length, version */
-#define IP_V(ip)	(((ip)->ip_vhl & 0xf0) >> 4)
-#define IP_HL(ip)	((ip)->ip_vhl & 0x0f)
-	u_int8_t	ip_tos;		/* type of service */
-	u_int16_t	ip_len;		/* total length */
-	u_int16_t	ip_id;		/* identification */
-	u_int16_t	ip_off;		/* fragment offset field */
-#define	IP_DF 0x4000			/* dont fragment flag */
-#define	IP_MF 0x2000			/* more fragments flag */
-#define	IP_OFFMASK 0x1fff		/* mask for fragmenting bits */
-	u_int8_t	ip_ttl;		/* time to live */
-	u_int8_t	ip_p;		/* protocol */
-	u_int16_t	ip_sum;		/* checksum */
-	struct	in_addr ip_src,ip_dst;	/* source and dest address */
-};
-
-#define	IP_MAXPACKET	65535		/* maximum packet size */
-
-/*
- * Definitions for IP type of service (ip_tos)
- */
-#define	IPTOS_LOWDELAY		0x10
-#define	IPTOS_THROUGHPUT	0x08
-#define	IPTOS_RELIABILITY	0x04
-
-/*
- * Definitions for IP precedence (also in ip_tos) (hopefully unused)
- */
-#define	IPTOS_PREC_NETCONTROL		0xe0
-#define	IPTOS_PREC_INTERNETCONTROL	0xc0
-#define	IPTOS_PREC_CRITIC_ECP		0xa0
-#define	IPTOS_PREC_FLASHOVERRIDE	0x80
-#define	IPTOS_PREC_FLASH		0x60
-#define	IPTOS_PREC_IMMEDIATE		0x40
-#define	IPTOS_PREC_PRIORITY		0x20
-#define	IPTOS_PREC_ROUTINE		0x00
-
-/*
- * Definitions for options.
- */
-#define	IPOPT_COPIED(o)		((o)&0x80)
-#define	IPOPT_CLASS(o)		((o)&0x60)
-#define	IPOPT_NUMBER(o)		((o)&0x1f)
-
-#define	IPOPT_CONTROL		0x00
-#define	IPOPT_RESERVED1		0x20
-#define	IPOPT_DEBMEAS		0x40
-#define	IPOPT_RESERVED2		0x60
-
-#define	IPOPT_EOL		0		/* end of option list */
-#define	IPOPT_NOP		1		/* no operation */
-
-#define	IPOPT_RR		7		/* record packet route */
-#define	IPOPT_TS		68		/* timestamp */
-#define	IPOPT_SECURITY		130		/* provide s,c,h,tcc */
-#define	IPOPT_LSRR		131		/* loose source route */
-#define	IPOPT_SATID		136		/* satnet id */
-#define	IPOPT_SSRR		137		/* strict source route */
-
-/*
- * Offsets to fields in options other than EOL and NOP.
- */
-#define	IPOPT_OPTVAL		0		/* option ID */
-#define	IPOPT_OLEN		1		/* option length */
-#define IPOPT_OFFSET		2		/* offset within option */
-#define	IPOPT_MINOFF		4		/* min value of above */
-
-/*
- * Time stamp option structure.
- */
-struct	ip_timestamp {
-	u_int8_t	ipt_code;	/* IPOPT_TS */
-	u_int8_t	ipt_len;	/* size of structure (variable) */
-	u_int8_t	ipt_ptr;	/* index of current entry */
-	u_int8_t	ipt_oflwflg;	/* flags, overflow counter */
-#define IPTS_OFLW(ip)	(((ipt)->ipt_oflwflg & 0xf0) >> 4)
-#define IPTS_FLG(ip)	((ipt)->ipt_oflwflg & 0x0f)
-	union ipt_timestamp {
-		u_int32_t ipt_time[1];
-		struct	ipt_ta {
-			struct in_addr ipt_addr;
-			u_int32_t ipt_time;
-		} ipt_ta[1];
-	} ipt_timestamp;
-};
-
-/* flag bits for ipt_flg */
-#define	IPOPT_TS_TSONLY		0		/* timestamps only */
-#define	IPOPT_TS_TSANDADDR	1		/* timestamps and addresses */
-#define	IPOPT_TS_PRESPEC	3		/* specified modules only */
-
-/* bits for security (not byte swapped) */
-#define	IPOPT_SECUR_UNCLASS	0x0000
-#define	IPOPT_SECUR_CONFID	0xf135
-#define	IPOPT_SECUR_EFTO	0x789a
-#define	IPOPT_SECUR_MMMM	0xbc4d
-#define	IPOPT_SECUR_RESTR	0xaf13
-#define	IPOPT_SECUR_SECRET	0xd788
-#define	IPOPT_SECUR_TOPSECRET	0x6bc5
-
-/*
- * Internet implementation parameters.
- */
-#define	MAXTTL		255		/* maximum time to live (seconds) */
-#define	IPDEFTTL	64		/* default ttl, from RFC 1340 */
-#define	IPFRAGTTL	60		/* time to live for frags, slowhz */
-#define	IPTTLDEC	1		/* subtracted when forwarding */
-
-#define	IP_MSS		576		/* default maximum segment size */
diff --git a/aux/bdcat/Makefile.am b/aux/bdcat/Makefile.am
deleted file mode 100644
index 8a4427d3d1..0000000000
--- a/aux/bdcat/Makefile.am
+++ /dev/null
@@ -1,4 +0,0 @@
-## Process this file with automake to produce Makefile.in
-
-noinst_PROGRAMS = bdcat
-bdcat_SOURCES = bdcat.cc
diff --git a/aux/bdcat/bdcat.cc b/aux/bdcat/bdcat.cc
deleted file mode 100644
index 631f1b3801..0000000000
--- a/aux/bdcat/bdcat.cc
+++ /dev/null
@@ -1,175 +0,0 @@
-// $Id: bdcat.cc 6 2004-04-30 00:31:26Z jason $
-//
-// Decrypts Bro's log files.
-//
-// Usage: bdcat [-k file-with-secret-rsa-key] [files...]
-//
-// The key file may be alternatively set via the env variable BDCAT_KEY.
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-#include <netinet/in.h>
-
-#include "openssl/evp.h"
-#include "openssl/pem.h"
-#include "openssl/err.h"
-
-EVP_PKEY* SecKey = 0;
-EVP_CIPHER* CipherType = 0;
-
-void cryptcat(FILE* f)
-	{
-	unsigned char magic[7];
-	unsigned long secret_len;
-
-	// Read file header.
-	if ( ! (fread(&magic, 7, 1, f) &&
-		fread(&secret_len, sizeof(secret_len), 1, f)) )
-		{
-		fprintf(stderr, "can't read file header: %s\n", strerror(errno));
-		exit(1);
-		}
-
-	if ( memcmp("BROENC1", (const char*) magic, 7) != 0 )
-		{
-		fputs("not a Bro encrypted file\n", stderr);
-		exit(1);
-		}
-
-	secret_len = ntohl(secret_len);
-	int iv_len = EVP_CIPHER_iv_length(CipherType);
-	unsigned char secret[secret_len];
-	unsigned char iv[iv_len];
-
-	if ( ! (fread(&secret, secret_len, 1, f) &&
-		fread(&iv, iv_len, 1, f)) )
-		{
-		fprintf(stderr, "can't read file header: %s\n", strerror(errno));
-		exit(1);
-		}
-
-	// Decrypt data.
-	EVP_CIPHER_CTX cipher_ctx;
-	if ( ! EVP_OpenInit(&cipher_ctx, CipherType,
-				secret, secret_len, iv, SecKey) )
-		{
-		fprintf( stderr, "can't init decryption: %s\n",
-				ERR_error_string(ERR_get_error(), 0));
-		exit(1);
-		return;
-		}
-
-	int block_size = EVP_CIPHER_block_size(CipherType);
-	unsigned char buffer_in[block_size];
-	unsigned char buffer_out[block_size];
-
-	int inl, outl;
-	while ( (inl = fread(buffer_in, 1, block_size, f)) )
-		{
-		if ( ! EVP_OpenUpdate(&cipher_ctx, buffer_out,
-					&outl, buffer_in, inl) )
-			{
-			fprintf( stderr, "can't decrypt: %s\n",
-				 ERR_error_string(ERR_get_error(), 0));
-			exit(1);
-			}
-
-		if ( outl && ! fwrite(buffer_out, outl, 1, stdout) )
-			{
-			fprintf(stderr, "can't write to stdout: %s\n",
-					strerror(errno));
-			exit(1);
-			}
-		}
-
-	if ( ! EVP_OpenFinal(&cipher_ctx, buffer_out, &outl) )
-		{
-		fprintf( stderr, "can't decrypt: %s\n",
-				 ERR_error_string(ERR_get_error(), 0));
-		exit(1);
-		}
-
-	if ( outl && ! fwrite(buffer_out, outl, 1, stdout) )
-		{
-		fprintf(stderr, "can't write to stdout: %s\n", strerror(errno));
-		exit(1);
-		}
-
-	fclose(f);
-	}
-
-void Usage()
-	{
-	fprintf(stderr, "bdcat [-k <sec-key-file>] [files]\n");
-	exit(1);
-	}
-
-int main(int argc, char** argv)
-	{
-	char* keyfile = getenv("BDCAT_KEY");
-
-	// Read options.
-	char op;
-	while ( (op = getopt(argc, argv, "k:")) >= 0 )
-		{
-		if ( op == 'k' )
-			keyfile = optarg;
-		else
-			Usage();
-		}
-
-	if ( ! keyfile )
-		{
-		fputs("no keyfile given\n", stderr);
-		exit(1);
-		}
-
-	// Init crypto.
-
-	ERR_load_crypto_strings();
-	OpenSSL_add_all_algorithms();
-
-	FILE* f = fopen(keyfile, "r");
-	if ( ! f )
-		{
-		fprintf(stderr, "can't open key file %s: %s\n",
-				keyfile, strerror(errno));
-		exit(1);
-		}
-
-	SecKey = PEM_read_PrivateKey(f, 0, 0, 0);
-	if ( ! SecKey )
-		{
-		fprintf(stderr, "can't read key from %s: %s\n", keyfile,
-				ERR_error_string(ERR_get_error(), 0));
-		exit(1);
-		}
-
-	fclose(f);
-
-	// Depending on the OpenSSL version, EVP_*_cbc()
-	// returns a const or a non-const.
-	CipherType = (EVP_CIPHER*) EVP_bf_cbc();
-
-	// Decrypt the files.
-	if ( optind == argc )
-		cryptcat(stdin);
-	else
-		{
-		while ( optind < argc )
-			{
-			FILE* f = fopen(argv[optind], "r");
-			if ( ! f )
-				{
-				fprintf(stderr, "can't open %s: %s\n",
-						argv[optind], strerror(errno));
-				exit(1);
-				}
-
-			cryptcat(f);
-			++optind;
-			}
-		}
-	}
diff --git a/aux/binpac b/aux/binpac
new file mode 160000
index 0000000000..4fc13f7c69
--- /dev/null
+++ b/aux/binpac
@@ -0,0 +1 @@
+Subproject commit 4fc13f7c6987b4163609e3df7a31f38501411cb7
diff --git a/aux/binpac/AUTHORS b/aux/binpac/AUTHORS
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/aux/binpac/CHANGES b/aux/binpac/CHANGES
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/aux/binpac/COPYING b/aux/binpac/COPYING
deleted file mode 100644
index 2a9a9e934b..0000000000
--- a/aux/binpac/COPYING
+++ /dev/null
@@ -1,18 +0,0 @@
-// Copyright (c) 1995-2007
-//      The Regents of the University of California.  All rights reserved.
-//
-// Redistribution and use in source and binary forms, with or without
-// modification, are permitted provided that: (1) source code distributions
-// retain the above copyright notice and this paragraph in its entirety, (2)
-// distributions including binary code include the above copyright notice and
-// this paragraph in its entirety in the documentation or other materials
-// provided with the distribution, and (3) all advertising materials mentioning
-// features or use of this software display the following acknowledgement:
-// ``This product includes software developed by the University of California,
-// Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
-// the University nor the names of its contributors may be used to endorse
-// or promote products derived from this software without specific prior
-// written permission.
-// THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
-// WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
-// MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
diff --git a/aux/binpac/ChangeLog b/aux/binpac/ChangeLog
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/aux/binpac/INSTALL b/aux/binpac/INSTALL
deleted file mode 100644
index 095b1eb406..0000000000
--- a/aux/binpac/INSTALL
+++ /dev/null
@@ -1,231 +0,0 @@
-Installation Instructions
-*************************
-
-Copyright (C) 1994, 1995, 1996, 1999, 2000, 2001, 2002, 2004 Free
-Software Foundation, Inc.
-
-This file is free documentation; the Free Software Foundation gives
-unlimited permission to copy, distribute and modify it.
-
-Basic Installation
-==================
-
-These are generic installation instructions.
-
-   The `configure' shell script attempts to guess correct values for
-various system-dependent variables used during compilation.  It uses
-those values to create a `Makefile' in each directory of the package.
-It may also create one or more `.h' files containing system-dependent
-definitions.  Finally, it creates a shell script `config.status' that
-you can run in the future to recreate the current configuration, and a
-file `config.log' containing compiler output (useful mainly for
-debugging `configure').
-
-   It can also use an optional file (typically called `config.cache'
-and enabled with `--cache-file=config.cache' or simply `-C') that saves
-the results of its tests to speed up reconfiguring.  (Caching is
-disabled by default to prevent problems with accidental use of stale
-cache files.)
-
-   If you need to do unusual things to compile the package, please try
-to figure out how `configure' could check whether to do them, and mail
-diffs or instructions to the address given in the `README' so they can
-be considered for the next release.  If you are using the cache, and at
-some point `config.cache' contains results you don't want to keep, you
-may remove or edit it.
-
-   The file `configure.ac' (or `configure.in') is used to create
-`configure' by a program called `autoconf'.  You only need
-`configure.ac' if you want to change it or regenerate `configure' using
-a newer version of `autoconf'.
-
-The simplest way to compile this package is:
-
-  1. `cd' to the directory containing the package's source code and type
-     `./configure' to configure the package for your system.  If you're
-     using `csh' on an old version of System V, you might need to type
-     `sh ./configure' instead to prevent `csh' from trying to execute
-     `configure' itself.
-
-     Running `configure' takes awhile.  While running, it prints some
-     messages telling which features it is checking for.
-
-  2. Type `make' to compile the package.
-
-  3. Optionally, type `make check' to run any self-tests that come with
-     the package.
-
-  4. Type `make install' to install the programs and any data files and
-     documentation.
-
-  5. You can remove the program binaries and object files from the
-     source code directory by typing `make clean'.  To also remove the
-     files that `configure' created (so you can compile the package for
-     a different kind of computer), type `make distclean'.  There is
-     also a `make maintainer-clean' target, but that is intended mainly
-     for the package's developers.  If you use it, you may have to get
-     all sorts of other programs in order to regenerate files that came
-     with the distribution.
-
-Compilers and Options
-=====================
-
-Some systems require unusual options for compilation or linking that the
-`configure' script does not know about.  Run `./configure --help' for
-details on some of the pertinent environment variables.
-
-   You can give `configure' initial values for configuration parameters
-by setting variables in the command line or in the environment.  Here
-is an example:
-
-     ./configure CC=c89 CFLAGS=-O2 LIBS=-lposix
-
-   *Note Defining Variables::, for more details.
-
-Compiling For Multiple Architectures
-====================================
-
-You can compile the package for more than one kind of computer at the
-same time, by placing the object files for each architecture in their
-own directory.  To do this, you must use a version of `make' that
-supports the `VPATH' variable, such as GNU `make'.  `cd' to the
-directory where you want the object files and executables to go and run
-the `configure' script.  `configure' automatically checks for the
-source code in the directory that `configure' is in and in `..'.
-
-   If you have to use a `make' that does not support the `VPATH'
-variable, you have to compile the package for one architecture at a
-time in the source code directory.  After you have installed the
-package for one architecture, use `make distclean' before reconfiguring
-for another architecture.
-
-Installation Names
-==================
-
-By default, `make install' will install the package's files in
-`/usr/local/bin', `/usr/local/man', etc.  You can specify an
-installation prefix other than `/usr/local' by giving `configure' the
-option `--prefix=PREFIX'.
-
-   You can specify separate installation prefixes for
-architecture-specific files and architecture-independent files.  If you
-give `configure' the option `--exec-prefix=PREFIX', the package will
-use PREFIX as the prefix for installing programs and libraries.
-Documentation and other data files will still use the regular prefix.
-
-   In addition, if you use an unusual directory layout you can give
-options like `--bindir=DIR' to specify different values for particular
-kinds of files.  Run `configure --help' for a list of the directories
-you can set and what kinds of files go in them.
-
-   If the package supports it, you can cause programs to be installed
-with an extra prefix or suffix on their names by giving `configure' the
-option `--program-prefix=PREFIX' or `--program-suffix=SUFFIX'.
-
-Optional Features
-=================
-
-Some packages pay attention to `--enable-FEATURE' options to
-`configure', where FEATURE indicates an optional part of the package.
-They may also pay attention to `--with-PACKAGE' options, where PACKAGE
-is something like `gnu-as' or `x' (for the X Window System).  The
-`README' should mention any `--enable-' and `--with-' options that the
-package recognizes.
-
-   For packages that use the X Window System, `configure' can usually
-find the X include and library files automatically, but if it doesn't,
-you can use the `configure' options `--x-includes=DIR' and
-`--x-libraries=DIR' to specify their locations.
-
-Specifying the System Type
-==========================
-
-There may be some features `configure' cannot figure out automatically,
-but needs to determine by the type of machine the package will run on.
-Usually, assuming the package is built to be run on the _same_
-architectures, `configure' can figure that out, but if it prints a
-message saying it cannot guess the machine type, give it the
-`--build=TYPE' option.  TYPE can either be a short name for the system
-type, such as `sun4', or a canonical name which has the form:
-
-     CPU-COMPANY-SYSTEM
-
-where SYSTEM can have one of these forms:
-
-     OS KERNEL-OS
-
-   See the file `config.sub' for the possible values of each field.  If
-`config.sub' isn't included in this package, then this package doesn't
-need to know the machine type.
-
-   If you are _building_ compiler tools for cross-compiling, you should
-use the `--target=TYPE' option to select the type of system they will
-produce code for.
-
-   If you want to _use_ a cross compiler, that generates code for a
-platform different from the build platform, you should specify the
-"host" platform (i.e., that on which the generated programs will
-eventually be run) with `--host=TYPE'.
-
-Sharing Defaults
-================
-
-If you want to set default values for `configure' scripts to share, you
-can create a site shell script called `config.site' that gives default
-values for variables like `CC', `cache_file', and `prefix'.
-`configure' looks for `PREFIX/share/config.site' if it exists, then
-`PREFIX/etc/config.site' if it exists.  Or, you can set the
-`CONFIG_SITE' environment variable to the location of the site script.
-A warning: not all `configure' scripts look for a site script.
-
-Defining Variables
-==================
-
-Variables not defined in a site shell script can be set in the
-environment passed to `configure'.  However, some packages may run
-configure again during the build, and the customized values of these
-variables may be lost.  In order to avoid this problem, you should set
-them in the `configure' command line, using `VAR=value'.  For example:
-
-     ./configure CC=/usr/local2/bin/gcc
-
-will cause the specified gcc to be used as the C compiler (unless it is
-overridden in the site shell script).
-
-`configure' Invocation
-======================
-
-`configure' recognizes the following options to control how it operates.
-
-`--help'
-`-h'
-     Print a summary of the options to `configure', and exit.
-
-`--version'
-`-V'
-     Print the version of Autoconf used to generate the `configure'
-     script, and exit.
-
-`--cache-file=FILE'
-     Enable the cache: use and save the results of the tests in FILE,
-     traditionally `config.cache'.  FILE defaults to `/dev/null' to
-     disable caching.
-
-`--config-cache'
-`-C'
-     Alias for `--cache-file=config.cache'.
-
-`--quiet'
-`--silent'
-`-q'
-     Do not print messages saying which checks are being made.  To
-     suppress all normal output, redirect it to `/dev/null' (any error
-     messages will still be shown).
-
-`--srcdir=DIR'
-     Look for the package's source code in directory DIR.  Usually
-     `configure' can determine that directory automatically.
-
-`configure' also accepts some other, not widely useful, options.  Run
-`configure --help' for more details.
-
diff --git a/aux/binpac/Makefile.am b/aux/binpac/Makefile.am
deleted file mode 100644
index 7c93dcde5c..0000000000
--- a/aux/binpac/Makefile.am
+++ /dev/null
@@ -1,4 +0,0 @@
-## Process this file with automake to produce Makefile.in
-
-EXTRA_DIST = README VERSION CHANGES TODO depcomp shtool autogen.sh
-SUBDIRS = lib src
diff --git a/aux/binpac/NEWS b/aux/binpac/NEWS
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/aux/binpac/README b/aux/binpac/README
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/aux/binpac/TODO b/aux/binpac/TODO
deleted file mode 100644
index 4b2833f224..0000000000
--- a/aux/binpac/TODO
+++ /dev/null
@@ -1,34 +0,0 @@
-Big features
-* Variable context (xid, call in RPC)? -- no variable context
-* Helpers
-* Connection states and actions
-* Case and analyzer redef
-* &also withinput
-* Explicit analyzer context (interface + instantiation) "withcontext"
-+ Interface with C++ and Bro (events, extern, weird)
-+ Incremental input
-+ ASCII protocols
-+ Reassembly
-- Dealing with exceptions
-- Dependency analysis to save parsing time on unused fields
-- Performance measurement
-
-Small features
-* Restructure the code: break up pac.{h,cc}
-* ref counting (to keep certain structures)
-* analyzer context as a parameter of class
-* &autolength
-* find a better name for "analyzer_context" ("analcxt", "context", "analyzer") $context
-* &if
-* &autolength (now &restofdata)
-* Use vector<> instead of array<>?
-* set end_of_data when &length = ...
-- make the `default' case mandatory?
-- &inline
-- &warn and &check? (follow &if)
-- typedef?
-
-Binpac 1
-- create a namespace for each .pac file
-- type equivalence
-- byteorder() for every type?
diff --git a/aux/binpac/VERSION b/aux/binpac/VERSION
deleted file mode 100644
index 49d59571fb..0000000000
--- a/aux/binpac/VERSION
+++ /dev/null
@@ -1 +0,0 @@
-0.1
diff --git a/aux/binpac/autogen.sh b/aux/binpac/autogen.sh
deleted file mode 100755
index 4f01b6fbf2..0000000000
--- a/aux/binpac/autogen.sh
+++ /dev/null
@@ -1,114 +0,0 @@
-#!/bin/sh
-
-# Initialization script to set up the initial configuration files etc.
-# shtool usage inspired by the autogen script of the ferite scripting
-# language -- cheers Chris :)
-#
-# This is 'borrowed' from netdude, with minor changes for bro 
-
-BLD_ON=`./shtool echo -n -e %B`
-BLD_OFF=`./shtool echo -n -e %b`
-
-srcdir=`dirname $0`
-NAME=binpac
-
-DIE=0
-
-echo
-echo "              "${BLD_ON}"Binpac Build Tools Setup"${BLD_OFF}
-echo "===================================================="
-echo
-echo "Checking whether we have all tools available ..."
-
-(autoconf --version) < /dev/null > /dev/null 2>&1 || {
-  echo
-  echo ${BLD_ON}"Error"${BLD_OFF}": You must have \`autoconf' installed to."
-  echo "Download the appropriate package for your distribution,"
-  echo "or get the source tarball at ftp://ftp.gnu.org/pub/gnu/"
-  DIE=1
-}
-
-(automake --version) < /dev/null > /dev/null 2>&1 || {
-  echo
-  echo ${BLD_ON}"Error"${BLD_OFF}": You must have \`automake' installed."
-  echo "Get ftp://ftp.gnu.org/pub/gnu/automake-1.3.tar.gz"
-  echo "(or a newer version if it is available)"
-  DIE=1
-  NO_AUTOMAKE=yes
-}
-
-# if no automake, don't bother testing for aclocal
-test -n "$NO_AUTOMAKE" || (aclocal --version) < /dev/null > /dev/null 2>&1 || {
-  echo
-  echo ${BLD_ON}"Error"${BLD_OFF}": Missing \`aclocal'.  The version of \`automake'"
-  echo "installed doesn't appear recent enough."
-  echo "Get ftp://ftp.gnu.org/pub/gnu/automake-1.3.tar.gz"
-  echo "(or a newer version if it is available)"
-  DIE=1
-}
-
-if test "$DIE" -eq 1; then
-  exit 1
-fi
-
-echo "All necessary tools found."
-echo
-
-if [ -d autom4te.cache ] ; then
-    echo "Removing autom4te.cache ..."
-    rm -rf autom4te.cache
-    #echo
-    #echo ${BLD_ON}"Error"${BLD_OFF}": autom4te.cache directory exists"
-    #echo "please remove it, and rerun this script"
-    #echo 
-    #exit 1
-fi
-
-echo
-echo "running "${BLD_ON}"aclocal"${BLD_OFF}
-echo "----------------------------------------------------"
-aclocal -I . $ACLOCAL_FLAGS
-if [ $? -ne 0 ]; then
-    echo "*** ERROR($NAME), aborting."
-    exit 1
-fi
-
-echo
-echo "running "${BLD_ON}"autoheader"${BLD_OFF}
-echo "----------------------------------------------------"
-autoheader
-if [ $? -ne 0 ]; then
-    echo "*** ERROR($NAME), aborting."
-    exit 1
-fi
-
-echo
-echo "running "${BLD_ON}"automake"${BLD_OFF}
-echo "----------------------------------------------------"
-automake -a -c 
-if [ $? -ne 0 ]; then
-    echo "*** ERROR($NAME), aborting."
-    exit 1
-fi
-
-echo
-echo "running "${BLD_ON}"autoconf"${BLD_OFF}
-echo "----------------------------------------------------"
-autoconf
-if [ $? -ne 0 ]; then
-    echo "*** ERROR($NAME), aborting."
-    exit 1
-fi
-
-if ! test "x$BROBUILD" = xyes; then
-echo 
-echo "Setup finished. Now run:"
-echo
-echo "  $ "${BLD_ON}"./configure"${BLD_OFF}" (with options as needed, try --help)"
-echo
-echo "and then"
-echo
-echo "  $ "${BLD_ON}"make"${BLD_OFF}
-echo "  # "${BLD_ON}"make install"${BLD_OFF}
-echo
-fi
diff --git a/aux/binpac/configure.in b/aux/binpac/configure.in
deleted file mode 100644
index e4d4c3074a..0000000000
--- a/aux/binpac/configure.in
+++ /dev/null
@@ -1,55 +0,0 @@
-AC_INIT
-AC_CONFIG_SRCDIR([src/pac_main.cc])
-
-AC_CANONICAL_SYSTEM
-
-AC_CONFIG_AUX_DIR(.)
-AM_CONFIG_HEADER(config.h)
-AM_INIT_AUTOMAKE(binpac,  esyscmd([tr -d '\n' < VERSION]))
-
-dnl Commands for funkier shell output:
-BLD_ON=`./shtool echo -n -e %B`
-BLD_OFF=`./shtool echo -n -e %b`
-
-dnl ################################################
-dnl # Checks for programs
-dnl ################################################
-AM_PROG_LEX
-AC_PROG_YACC
-AC_PROG_CXX
-AC_PROG_RANLIB
-AC_PROG_INSTALL
-
-m4_ifdef([AC_COMPUTE_INT], [], [AC_DEFUN([AC_COMPUTE_INT], [_AC_COMPUTE_INT([$2],[$1],[$3],[$4])])])
-
-AC_COMPUTE_INT([SIZEOF_UNSIGNED_INT], [sizeof(unsigned int)])
-AC_SUBST(SIZEOF_UNSIGNED_INT)
-
-AC_ARG_ENABLE(debug,
-    [  --enable-debug          no compiler optimizations],
-    debug="yes"
-    CFLAGS="-DDEBUG `echo $CFLAGS | sed -e 's/-O2//'`"
-    CXXFLAGS="-DDEBUG `echo $CXXFLAGS | sed -e 's/-O2//'`",
-    debug="no")
-
-AC_C_BIGENDIAN(
-	AC_DEFINE(WORDS_BIGENDIAN,1,[whether words are stored with the most significant byte first])
-	dnl This is intentionally named differently so as to not collide with WORDS_BIGENDIAN
-	HOST_BIGENDIAN="#define HOST_BIGENDIAN 1"
-	AC_SUBST(HOST_BIGENDIAN))
-
-AC_CONFIG_FILES([
-Makefile 
-src/Makefile 
-lib/Makefile
-lib/binpac.h
-])
-AC_OUTPUT
-
-echo
-echo "                "${BLD_ON}"Binpac Configuration Summary"${BLD_OFF}
-echo "=========================================================="
-echo
-echo "  - Debugging enabled:      "${BLD_ON}$debug${BLD_OFF}
-echo
-exit 0
diff --git a/aux/binpac/lib/Makefile.am b/aux/binpac/lib/Makefile.am
deleted file mode 100644
index 7ff8dca88f..0000000000
--- a/aux/binpac/lib/Makefile.am
+++ /dev/null
@@ -1,8 +0,0 @@
-## Process this file with automake to produce Makefile.in
-
-noinst_LIBRARIES = libbinpac.a
-
-libbinpac_a_SOURCES = \
-	binpac_buffer.cc binpac_bytestring.cc \
-	binpac.h binpac_analyzer.h binpac_buffer.h \
-	binpac_bytestring.h binpac_exception.h binpac_regex.h
diff --git a/aux/binpac/lib/README b/aux/binpac/lib/README
deleted file mode 100644
index c57ca2ebab..0000000000
--- a/aux/binpac/lib/README
+++ /dev/null
@@ -1,3 +0,0 @@
-This directory contains a library needed by generated C++ code from
-binpac. Note that the library is not needed by the binpac compiler
-itself.
diff --git a/aux/binpac/lib/binpac.h.in b/aux/binpac/lib/binpac.h.in
deleted file mode 100644
index 920a699409..0000000000
--- a/aux/binpac/lib/binpac.h.in
+++ /dev/null
@@ -1,142 +0,0 @@
-// $Id: binpac.h,v 1.1.4.2 2006/06/02 15:13:13 rpang Exp $
-// Do not edit binpac.h, edit binpac.h.in instead!
-
-#ifndef binpac_h
-#define binpac_h
-
-#include <sys/param.h>
-
-@HOST_BIGENDIAN@
-#ifdef HOST_BIGENDIAN
-#  define HOST_BYTEORDER	bigendian
-#else
-#  define HOST_BYTEORDER	littleendian
-#endif
-
-#include <assert.h>
-#include <stdarg.h>
-#include <stdio.h>
-#include <string>
-#include <memory>
-
-#define BINPAC_ASSERT(x)	assert(x)
-
-using namespace std;
-
-namespace binpac {
-
-const int bigendian = 0;
-const int littleendian = 1;
-const int unspecified_byteorder = -1;
-
-#ifndef pac_type_defs
-#define pac_type_defs
-
-typedef char 		int8;
-typedef short 		int16;
-typedef long 		int32;
-typedef unsigned char 	uint8;
-typedef unsigned short 	uint16;
-typedef unsigned int 	uint32;
-typedef void		*nullptr;
-typedef void		*voidptr;
-typedef uint8		*byteptr;
-typedef const uint8	*const_byteptr;
-typedef const char	*const_charptr;
-
-#if @SIZEOF_UNSIGNED_INT@ != 4
-#error "unexpected size of unsigned int"
-#endif
-
-#endif /* pac_type_defs */
-
-/* Handling byte order */
-
-namespace {
-
-inline int16 pac_swap(int16 x)
-	{
-	return (x >> 8) | ((x & 0xff) << 8);
-	}
-
-inline uint16 pac_swap(uint16 x)
-	{
-	return (x >> 8) | ((x & 0xff) << 8);
-	}
-
-inline int32 pac_swap(int32 x)
-	{
-	return 	(x >> 24) | 
-		((x & 0xff0000) >> 8) | 
-		((x & 0xff00) << 8) | 
-		((x & 0xff) << 24);
-	}
-
-inline uint32 pac_swap(uint32 x)
-	{
-	return 	(x >> 24) | 
-		((x & 0xff0000) >> 8) | 
-		((x & 0xff00) << 8) | 
-		((x & 0xff) << 24);
-	}
-
-#define FixByteOrder(byteorder, x)	(byteorder == HOST_BYTEORDER ? (x) : pac_swap(x))
-
-template <class T>
-inline T UnMarshall(const u_char *data, int byteorder)
-	{
-	T result = 0;
-	for ( int i = 0; i < (int) sizeof(T); ++i )
-		result = ( result << 8 ) | 
-			data[byteorder == bigendian ? i : sizeof(T) - 1 - i];
-	return result;
-	}
-
-inline const char* do_fmt(const char* format, va_list ap)
-	{
-	static char buf[1024];
-	vsnprintf(buf, sizeof(buf), format, ap);
-	return buf;
-	}
-
-inline string strfmt(const char* format, ...)
-	{
-	va_list ap;
-	va_start(ap, format);
-	const char* r = do_fmt(format, ap);
-	va_end(ap);
-	return string(r);
-	}
-
-} // anonymous namespace
-
-#define binpac_fmt(x...) strfmt(x).c_str()
-
-class RefCount
-{
-public:
-	RefCount() 	{ count = 1; }
-	void Ref() 	{ ++count; }
-	int Unref() 	{ BINPAC_ASSERT(count > 0); return --count; }
-
-private:
-	int count;
-};
-
-namespace {
-	inline void Unref(RefCount *x)
-		{
-		if ( x && x->Unref() <= 0 )
-			delete x;
-		}
-}  // anonymous namespace
-
-} // namespace binpac
-
-#include "binpac_analyzer.h"
-#include "binpac_buffer.h"
-#include "binpac_bytestring.h"
-#include "binpac_exception.h"
-#include "binpac_regex.h"
-
-#endif /* binpac_h */
diff --git a/aux/binpac/lib/binpac_analyzer.h b/aux/binpac/lib/binpac_analyzer.h
deleted file mode 100644
index b9228da5de..0000000000
--- a/aux/binpac/lib/binpac_analyzer.h
+++ /dev/null
@@ -1,27 +0,0 @@
-#ifndef binpac_an_h
-#define binpac_an_h
-
-namespace binpac {
-
-// TODO: Add the Done() function
-
-// The interface for a connection analyzer
-class ConnectionAnalyzer {
-public:
-	virtual ~ConnectionAnalyzer() {}
-	virtual void NewData(bool is_orig,
-	                     const u_char *begin_of_data, 
-	                     const u_char *end_of_data) = 0;
-};
-
-// The interface for a flow analyzer
-class FlowAnalyzer {
-public:
-	virtual ~FlowAnalyzer() {}
-	virtual void NewData(const u_char *begin_of_data, 
-	                     const u_char *end_of_data) = 0;
-};
-
-}  // namespace binpac
-
-#endif  // binpac_an_h
diff --git a/aux/binpac/lib/binpac_buffer.cc b/aux/binpac/lib/binpac_buffer.cc
deleted file mode 100644
index 1b12b58eab..0000000000
--- a/aux/binpac/lib/binpac_buffer.cc
+++ /dev/null
@@ -1,465 +0,0 @@
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>	// for memcpy
-
-#define binpac_regex_h
-
-#include "binpac.h"
-#include "binpac_buffer.h"
-
-namespace binpac {
-
-extern double network_time();
-
-namespace {
-	const u_char CR = '\r';
-	const u_char LF = '\n';
-}
-
-FlowBuffer::FlowBuffer(LineBreakStyle linebreak_style)
-	{
-	buffer_length_ = 0;
-	buffer_ = 0;
-
-	orig_data_begin_ = 0;
-	orig_data_end_ = 0;
-
-	linebreak_style_ = linebreak_style;
-	ResetLineState();
-
-	mode_ = UNKNOWN_MODE;
-	frame_length_ = 0;
-	chunked_ = false;
-
-	data_seq_at_orig_data_end_ = 0;
-	eof_ = false;
-	have_pending_request_ = false;
-
-	buffer_n_ = 0;
-
-	NewMessage();
-	}
-
-FlowBuffer::~FlowBuffer()
-	{
-	if ( buffer_ )
-		free(buffer_);
-	}
-
-void FlowBuffer::NewMessage()
-	{
-	BINPAC_ASSERT(frame_length_ >= 0);
-
-	int bytes_to_advance = 0;
-	if ( buffer_n_ == 0 ) 
-		{
-		switch ( mode_ ) 
-			{
-			case LINE_MODE:
-				bytes_to_advance = (frame_length_ + 
-					(linebreak_style_ == STRICT_CRLF ? 
-						2 : 1));
-				break;
-			case FRAME_MODE:
-				bytes_to_advance = frame_length_;
-				break;
-			case UNKNOWN_MODE:
-				break;
-			}
-		}
-
-	orig_data_begin_ += bytes_to_advance;
-	BINPAC_ASSERT(orig_data_begin_ <= orig_data_end_);
-
-	buffer_n_ = 0;
-	message_complete_ = false;
-	}
-
-void FlowBuffer::ResetLineState()
-	{
-	switch ( linebreak_style_ )
-		{
-		case CR_OR_LF:
-			state_ = CR_OR_LF_0;
-			break;
-		case STRICT_CRLF:
-			state_ = STRICT_CRLF_0;
-			break;
-		default:
-			BINPAC_ASSERT(0);
-			break;
-		}
-	}
-
-void FlowBuffer::ExpandBuffer(int length)
-	{
-	if ( buffer_length_ >= length )
-		return;
-	// So length > 0
-	if ( length < 512 )
-		length = 512;
-	
-	if ( length < buffer_length_ * 2 )
-		length = buffer_length_ * 2;
-
-	// Allocate a new buffer and copy the existing contents
-	buffer_length_ = length;
-	u_char *new_buf = (u_char *) realloc(buffer_, buffer_length_);
-	BINPAC_ASSERT(new_buf);
-#if 0
-	u_char* new_buf = new u_char[buffer_length_];
-	if ( buffer_ && buffer_n_ > 0 )
-		memcpy(new_buf, buffer_, buffer_n_);
-	delete [] buffer_;
-#endif
-	buffer_ = new_buf;
-	}
-
-void FlowBuffer::NewLine()
-	{
-	FlowBuffer::NewMessage();
-	mode_ = LINE_MODE;
-	frame_length_ = 0;
-	chunked_ = false;
-	have_pending_request_ = true;
-	if ( state_ == FRAME_0 )
-		ResetLineState();
-	MarkOrCopyLine();
-	}
-
-void FlowBuffer::NewFrame(int frame_length, bool chunked)
-	{
-	FlowBuffer::NewMessage();
-	mode_ = FRAME_MODE;
-	frame_length_ = frame_length;
-	chunked_ = chunked;
-	have_pending_request_ = true;
-	MarkOrCopyFrame();
-	}
-
-void FlowBuffer::GrowFrame(int length)
-	{
-	BINPAC_ASSERT(frame_length_ >= 0);
-	if ( length <= frame_length_ )
-		return;
-	BINPAC_ASSERT(! chunked_ || frame_length_ == 0);
-	mode_ = FRAME_MODE;
-	frame_length_ = length;
-	MarkOrCopyFrame();
-	}
-
-void FlowBuffer::DiscardData()
-	{
-	mode_ = UNKNOWN_MODE;
-	message_complete_ = false;
-	have_pending_request_ = false;
-	orig_data_begin_ = orig_data_end_ = 0;
-
-	buffer_n_ = 0;
-	frame_length_ = 0;
-	}
-
-void FlowBuffer::set_eof()
-	{
-	// fprintf(stderr, "EOF\n");
-	eof_ = true;
-	if ( chunked_ )
-		frame_length_ = orig_data_end_ - orig_data_begin_;
-	if ( frame_length_ < 0 )
-		frame_length_ = 0;
-	}
-
-void FlowBuffer::NewData(const_byteptr begin, const_byteptr end)
-	{
-	BINPAC_ASSERT(begin <= end);
-
-	ClearPreviousData();
-
-	BINPAC_ASSERT((buffer_n_ == 0 && message_complete_) || 
-		orig_data_begin_ == orig_data_end_);
-
-	orig_data_begin_ = begin;
-	orig_data_end_ = end;
-	data_seq_at_orig_data_end_ += (end - begin);
-
-	MarkOrCopy();
-	}
-
-void FlowBuffer::MarkOrCopy()
-	{
-	if ( ! message_complete_ )
-		{
-		switch ( mode_ ) 
-			{
-			case LINE_MODE:
-				MarkOrCopyLine();
-				break;
-
-			case FRAME_MODE:
-				MarkOrCopyFrame();
-				break;
-		
-			default:
-				break;
-			}
-		}
-	}
-
-void FlowBuffer::ClearPreviousData()
-	{
-	// All previous data must have been processed or buffered already
-	if ( orig_data_begin_ < orig_data_end_ )
-		{
-		BINPAC_ASSERT(buffer_n_ == 0);
-		if ( chunked_ )
-			{
-			if ( frame_length_ > 0 )
-				{
-				frame_length_ -= 
-					(orig_data_end_ - orig_data_begin_);
-				}
-			orig_data_begin_ = orig_data_end_;
-			}
-		}
-	}
-
-void FlowBuffer::NewGap(int length)
-	{
-	ClearPreviousData();
-
-	if ( chunked_ && frame_length_ >= 0 )
-		{
-		frame_length_ -= length;
-		if ( frame_length_ < 0 )
-			frame_length_ = 0;
-		}
-
-	orig_data_begin_ = orig_data_end_ = 0;
-	MarkOrCopy();
-	}
-
-void FlowBuffer::MarkOrCopyLine()
-	{
-	switch ( linebreak_style_ )
-		{
-		case CR_OR_LF:
-			MarkOrCopyLine_CR_OR_LF();
-			break;
-		case STRICT_CRLF:
-			MarkOrCopyLine_STRICT_CRLF();
-			break;
-		default:
-			BINPAC_ASSERT(0);
-			break;
-		}
-	}
-
-/*
-Finite state automaton for CR_OR_LF:
-(!--line is complete, *--add to buffer)
-
-CR_OR_LF_0:
-	CR:	CR_OR_LF_1 !
-	LF:	CR_OR_LF_0 !
-	.:	CR_OR_LF_0 *
-
-CR_OR_LF_1:
-	CR:	CR_OR_LF_1 !
-	LF:	CR_OR_LF_0
-	.:	CR_OR_LF_0 *
-*/
-
-void FlowBuffer::MarkOrCopyLine_CR_OR_LF()
-	{
-	if ( state_ == CR_OR_LF_1 && 
-	     orig_data_begin_ < orig_data_end_ && *orig_data_begin_ == LF )
-		{
-		state_ = CR_OR_LF_0;
-		++orig_data_begin_;
-		}
-
-	const_byteptr data;
-	for ( data = orig_data_begin_; data < orig_data_end_; ++data )
-		{
-		switch ( *data )
-			{
-			case CR:
-				state_ = CR_OR_LF_1;
-				goto found_end_of_line;
-
-			case LF:
-				// state_ = CR_OR_LF_0;
-				goto found_end_of_line;
-
-			default:
-				// state_ = CR_OR_LF_0;
-				break;
-			}
-		}
-
-	AppendToBuffer(orig_data_begin_, orig_data_end_ - orig_data_begin_);
-	return;
-
-found_end_of_line:
-	if ( buffer_n_ == 0 )
-		{
-		frame_length_ = data - orig_data_begin_;
-		}
-	else
-		{
-		AppendToBuffer(orig_data_begin_, data + 1 - orig_data_begin_);
-		// But eliminate the last CR or LF
-		--buffer_n_;
-		}
-	message_complete_ = true;
-
-#if DEBUG_FLOW_BUFFER
-	fprintf(stderr, "%.6f Line complete: [%s]\n",
-		network_time(),
-		string((const char *) begin(), (const char *) end()).c_str());
-#endif
-	}
-
-/*
-Finite state automaton and STRICT_CRLF:
-(!--line is complete, *--add to buffer)
-
-STRICT_CRLF_0:
-	CR:	STRICT_CRLF_1 *
-	LF:	STRICT_CRLF_0 *
-	.:	STRICT_CRLF_0 *
-
-STRICT_CRLF_1:
-	CR:	STRICT_CRLF_1 *
-	LF:	STRICT_CRLF_0 ! (--buffer_n_)
-	.:	STRICT_CRLF_0 *
-*/
-
-void FlowBuffer::MarkOrCopyLine_STRICT_CRLF()
-	{
-	const_byteptr data;
-	for ( data = orig_data_begin_; data < orig_data_end_; ++data )
-		{
-		switch ( *data )
-			{
-			case CR:
-				state_ = STRICT_CRLF_1;
-				break;
-
-			case LF:
-				if ( state_ == STRICT_CRLF_1 )
-					{
-					state_ = STRICT_CRLF_0;
-					goto found_end_of_line;
-					}
-				break;
-
-			default:
-				state_ = STRICT_CRLF_0;
-				break;
-			}
-		}
-
-	AppendToBuffer(orig_data_begin_, orig_data_end_ - orig_data_begin_);
-	return;
-
-found_end_of_line:
-	if ( buffer_n_ == 0 )
-		{
-		frame_length_ = data - 1 - orig_data_begin_;
-		}
-	else
-		{
-		AppendToBuffer(orig_data_begin_, data + 1 - orig_data_begin_);
-		// Pop the preceding CR and LF from the buffer
-		buffer_n_ -= 2;
-		}
-
-	message_complete_ = true;
-
-#if DEBUG_FLOW_BUFFER
-	fprintf(stderr, "%.6f Line complete: [%s]\n",
-		network_time(),
-		string((const char *) begin(), (const char *) end()).c_str());
-#endif
-	}
-
-// Invariants:
-// 
-// When buffer_n_ == 0:
-// Frame = [orig_data_begin_..(orig_data_begin_ + frame_length_)]
-// 
-// When buffer_n_ > 0:
-// Frame = [0..buffer_n_][orig_data_begin_..]
-
-void FlowBuffer::MarkOrCopyFrame()
-	{
-	if ( mode_ == FRAME_MODE && state_ == CR_OR_LF_1 && 
-	     orig_data_begin_ < orig_data_end_ )
-		{
-		// Skip the lingering LF
-		if ( *orig_data_begin_ == LF )
-			{
-			++orig_data_begin_;
-			}
-		state_ = FRAME_0;
-		}
-
-	if ( buffer_n_ == 0 )
-		{
-		// If there is enough data
-		if ( frame_length_ >= 0 &&
-		     orig_data_end_ - orig_data_begin_ >= frame_length_ )
-			{
-			// Do nothing except setting the message complete flag
-			message_complete_ = true;
-			}
-		else 
-			{
-			if ( ! chunked_ )
-				{
-				AppendToBuffer(orig_data_begin_, 
-					orig_data_end_ - orig_data_begin_);
-				}
-			message_complete_ = false;
-			}
-		}
-	else
-		{
-		BINPAC_ASSERT(!chunked_);
-		int bytes_to_copy = orig_data_end_ - orig_data_begin_;
-		message_complete_ = false;
-		if ( frame_length_ >= 0 && buffer_n_ + bytes_to_copy >= frame_length_ ) 
-			{
-			bytes_to_copy = frame_length_ - buffer_n_;
-			message_complete_ = true;
-			}
-		AppendToBuffer(orig_data_begin_, bytes_to_copy);
-		}
-
-#if DEBUG_FLOW_BUFFER
-	if ( message_complete_ )
-		{
-		fprintf(stderr, "%.6f frame complete: [%s]\n",
-			network_time(),
-			string((const char *) begin(), 
-				(const char *) end()).c_str());
-		}
-#endif
-	}
-
-void FlowBuffer::AppendToBuffer(const_byteptr data, int len)
-	{
-	if ( len <= 0 )
-		return;
-
-	BINPAC_ASSERT(! chunked_);
-	ExpandBuffer(buffer_n_ + len);
-	memcpy(buffer_ + buffer_n_, data, len);
-	buffer_n_ += len;
-
-	orig_data_begin_ += len;
-	BINPAC_ASSERT(orig_data_begin_ <= orig_data_end_);
-	}
-
-}  // namespace binpac
diff --git a/aux/binpac/lib/binpac_buffer.h b/aux/binpac/lib/binpac_buffer.h
deleted file mode 100644
index 2eb197e7b9..0000000000
--- a/aux/binpac/lib/binpac_buffer.h
+++ /dev/null
@@ -1,148 +0,0 @@
-#ifndef binpac_buffer_h
-#define binpac_buffer_h
-
-#include <sys/types.h>
-#include "binpac.h"
-
-namespace binpac {
-
-class FlowBuffer {
-public:
-	enum LineBreakStyle { 
-		CR_OR_LF, 	// CR or LF or CRLF
-		STRICT_CRLF, 	// CR followed by LF
-		CR_LF_NUL,	// CR or LF or CR-LF or CR-NUL
-	};
-
-	FlowBuffer(LineBreakStyle linebreak_style = CR_OR_LF);
-	virtual ~FlowBuffer();
-
-	void NewData(const_byteptr begin, const_byteptr end);
-	void NewGap(int length);
-
-	// Discard unprocessed data
-	void DiscardData();
-
-	// Whether there is enough data for the frame
-	bool ready() const{ return message_complete_ || mode_ == UNKNOWN_MODE; }
-
-	inline const_byteptr begin() const
-		{
-		BINPAC_ASSERT(ready());
-		return ( buffer_n_ == 0 ) ? 
-			orig_data_begin_ : buffer_;
-		}
-
-	inline const_byteptr end() const
-		{
-		BINPAC_ASSERT(ready());
-		if ( buffer_n_ == 0 )
-			{
-			BINPAC_ASSERT(frame_length_ >= 0);
-			const_byteptr end = orig_data_begin_ + frame_length_;
-			BINPAC_ASSERT(end <= orig_data_end_);
-			return end;
-			}
-		else
-			return buffer_ + buffer_n_;
-		}
-
-	inline int data_length() const
-		{
-		if ( buffer_n_ > 0 ) 
-			return buffer_n_;
-
-		if ( frame_length_ < 0 ||
-		     orig_data_begin_ + frame_length_ > orig_data_end_ )
-			return orig_data_end_ - orig_data_begin_;
-		else
-			return frame_length_;
-		}
-
-	inline bool data_available() const
-	        {
-		return buffer_n_ > 0 || orig_data_end_ > orig_data_begin_;
-		}
-
-	void NewLine();
-	// A negative frame_length represents a frame till EOF
-	void NewFrame(int frame_length, bool chunked_);
-	void GrowFrame(int new_frame_length);
-
-	int data_seq() const
-		{ 
-		int data_seq_at_orig_data_begin = 
-			data_seq_at_orig_data_end_ - 
-			(orig_data_end_ - orig_data_begin_);
-		if ( buffer_n_ > 0 )
-			return data_seq_at_orig_data_begin;
-		else
-			return data_seq_at_orig_data_begin + data_length(); 
-		}
-	bool eof() const	{ return eof_; }
-	void set_eof();
-
-	bool have_pending_request() const { return have_pending_request_; }
-
-protected:
-	// Reset the buffer for a new message
-	void NewMessage();
-
-	void ClearPreviousData();
-
-	// Expand the buffer to at least <length> bytes. If there 
-	// are contents in the existing buffer, copy them to the new
-	// buffer.
-	void ExpandBuffer(int length);
-
-	// Reset line state when transit from frame mode to line mode.
-	void ResetLineState();
-
-	void AppendToBuffer(const_byteptr data, int len);
-
-	// MarkOrCopy{Line,Frame} sets message_complete_ and
-	// marks begin/end pointers if a line/frame is complete, 
-	// otherwise it clears message_complete_ and copies all 
-	// the original data to the buffer.
-	//
-	void MarkOrCopy();
-	void MarkOrCopyLine();
-	void MarkOrCopyFrame();
-
-	void MarkOrCopyLine_CR_OR_LF();
-	void MarkOrCopyLine_STRICT_CRLF();
-
-	int 	buffer_n_;		// number of bytes in the buffer
-	int 	buffer_length_;	// size of the buffer
-	u_char	*buffer_;
-	bool 	message_complete_;
-	int 	frame_length_;
-	bool	chunked_;
-	const_byteptr orig_data_begin_, orig_data_end_;
-
-	LineBreakStyle linebreak_style_;
-
-	enum {
-		UNKNOWN_MODE,
-		LINE_MODE,
-		FRAME_MODE,
-	} mode_;
-
-	enum {
-		CR_OR_LF_0,
-		CR_OR_LF_1,
-		STRICT_CRLF_0,
-		STRICT_CRLF_1,
-		FRAME_0,
-	} state_;
-
-	int 	data_seq_at_orig_data_end_;
-	bool 	eof_;
-	bool    have_pending_request_;
-};
-
-typedef FlowBuffer *flow_buffer_t;
-
-}  // namespace binpac
-
-#endif // binpac_buffer_h
diff --git a/aux/binpac/lib/binpac_bytestring.cc b/aux/binpac/lib/binpac_bytestring.cc
deleted file mode 100644
index b74fe369b1..0000000000
--- a/aux/binpac/lib/binpac_bytestring.cc
+++ /dev/null
@@ -1,24 +0,0 @@
-#define binpac_regex_h
-
-#include <stdlib.h>
-#include "binpac_bytestring.h"
-
-namespace binpac 
-{
-
-std::string std_string(bytestring const *s)
-	{
-	return std::string((const char *) s->begin(), (const char *) s->end());
-	}
-
-int bytestring_to_int(bytestring const *s)
-	{
-	return atoi((const char *) s->begin());
-	}
-
-double bytestring_to_double(bytestring const *s)
-	{
-	return atof((const char *) s->begin());
-	}
-
-}  // namespace binpac
diff --git a/aux/binpac/lib/binpac_bytestring.h b/aux/binpac/lib/binpac_bytestring.h
deleted file mode 100644
index 13d1879aed..0000000000
--- a/aux/binpac/lib/binpac_bytestring.h
+++ /dev/null
@@ -1,199 +0,0 @@
-#ifndef binpac_bytestring_h
-#define binpac_bytestring_h
-
-#include <string.h>
-#include <string>
-#include "binpac.h"
-
-namespace binpac
-{
-
-template<class T> class datastring;
-
-template <class T>
-class const_datastring
-{
-public:
-	const_datastring()
-		: begin_(0), end_(0)
-		{ 
-		}
-
-	const_datastring(T const *data, int length)
-		: begin_(data), end_(data + length)
-		{
-		}
-
-	const_datastring(const T *begin, const T *end)
-		: begin_(begin), end_(end)
-		{
-		}
-
-	const_datastring(datastring<T> const &s)
-		: begin_(s.begin()), end_(s.end())
-		{
-		}
-
-	void init(const T *data, int length)
-		{
-		begin_ = data;
-		end_ = data + length;
-		}
-
-	T const *begin() const	{ return begin_; }
-	T const *end() const	{ return end_; }
-	int length() const	{ return end_ - begin_; }
-
-	T const &operator[](int index) const
-		{
-		return begin()[index];
-		}
-
-	bool operator==(const_datastring<T> const &s)
-		{
-		if ( length() != s.length() )
-			return false;
-		return memcmp((const void *) begin(), (const void *) s.begin(),
-			sizeof(T) * length()) == 0;
-		}
-
-	void set_begin(T const *begin)	{ begin_ = begin; }
-	void set_end(T const *end)	{ end_ = end; }
-
-private:
-	T const *begin_; 
-	T const *end_;
-};
-
-typedef const_datastring<uint8>	const_bytestring;
-
-template<class T>
-class datastring
-{
-public:
-	datastring()
-		{ 
-		clear();
-		}
-
-	datastring(T *data, int len)
-		{
-		set(data, len);
-		}
-
-	datastring(T const *begin, T const *end)
-		{
-		set_const(begin, end - begin);
-		}
-
-	datastring(datastring<T> const &x)
-		: data_(x.data()), length_(x.length())
-		{
-		}
-
-	explicit datastring(const_datastring<T> const &x)
-		{
-		set_const(x.begin(), x.length());
-		}
-
-	datastring const &operator=(datastring<T> const &x)
-		{
-		BINPAC_ASSERT(!data_);
-		set(x.data(), x.length());
-		return *this;
-		}
-
-	void init(T const *begin, int length)
-		{
-		BINPAC_ASSERT(!data_);
-		set_const(begin, length);
-		}
-
-	void clear()
-		{
-		data_ = 0; length_ = 0;
-		}
-
-	void free()
-		{
-		if ( data_ )
-			delete [] data_;
-		clear();
-		}
-
-	void clone()
-		{
-		set_const(begin(), length());
-		}
-
-	datastring const &operator=(const_datastring<T> const &x)
-		{
-		BINPAC_ASSERT(!data_);
-		set_const(x.begin(), x.length());
-		return *this;
-		}
-
-	T const &operator[](int index) const
-		{
-		return begin()[index];
-		}
-
-	T *data() const		{ return data_; }
-	int length() const	{ return length_; }
-
-	T const *begin() const	{ return data_; }
-	T const *end() const	{ return data_ + length_; }
-
-private:
-	void set(T *data, int len)
-		{
-		data_ = data;
-		length_ = len;
-		}
-
-	void set_const(T const *data, int len)
-		{
-		length_ = len;
-		data_ = new T[len + 1];
-		memcpy(data_, data, sizeof(T) * len);
-		data_[len] = 0;
-		}
-
-	T * data_;
-	int length_;
-};
-
-typedef datastring<uint8> bytestring;
-
-inline const char *c_str(bytestring const &s)
-	{
-	return (const char *) s.begin();
-	}
-
-inline std::string std_str(const_bytestring const &s) 
-	{
-	return std::string((const char *) s.begin(), (const char *) s.end());
-	}
-
-inline bool operator==(bytestring const &s1, const char *s2)
-	{
-	return strcmp(c_str(s1), s2) == 0;
-	}
-
-inline void get_pointers(const_bytestring const &s, 
-		uint8 const **pbegin, uint8 const **pend)
-	{
-	*pbegin = s.begin();
-	*pend = s.end();
-	}
-
-inline void get_pointers(bytestring const *s, 
-		uint8 const **pbegin, uint8 const **pend)
-	{
-	*pbegin = s->begin();
-	*pend = s->end();
-	}
-
-} // namespace binpac
-
-#endif  // binpac_bytestring_h
diff --git a/aux/binpac/lib/binpac_exception.h b/aux/binpac/lib/binpac_exception.h
deleted file mode 100644
index 3feda3d69d..0000000000
--- a/aux/binpac/lib/binpac_exception.h
+++ /dev/null
@@ -1,112 +0,0 @@
-#ifndef binpac_exception_h
-#define binpac_exception_h
-
-namespace binpac {
-
-class Exception
-{
-public:
-	Exception(const char* m = 0)
-		: msg_("binpac exception: ")
-		{
-		if ( m )
-			append(m);
-		// abort();
-		}
-
-	void append(string m) 		{ msg_ += m; }
-	string msg() const		{ return msg_; }
-	const char* c_msg() const 	{ return msg().c_str(); }
-
-protected:
-	string msg_;
-};
-
-class ExceptionOutOfBound : public Exception
-{
-public:
-	ExceptionOutOfBound(const char* where, int len_needed, int len_given)
-		{
-		append(binpac_fmt("out_of_bound: %s: %d > %d", 
-			where, len_needed, len_given));
-		}
-};
-
-class ExceptionInvalidCase : public Exception
-{
-public:
-	ExceptionInvalidCase(const char* location, 
-			int index,
-			const char *expected)
-		: location_(location), 
-		  index_(index), 
-		  expected_(expected)
-		{
-		append(binpac_fmt("invalid case: %s: %d (%s)",
-			location, index, expected));
-		}
-
-protected:
-	const char* location_;
-	int index_;
-	string expected_;
-};
-
-class ExceptionInvalidCaseIndex : public Exception
-{
-public:
-	ExceptionInvalidCaseIndex(const char* location, 
-			int index)
-		: location_(location), 
-		  index_(index)
-		{
-		append(binpac_fmt("invalid index for case: %s: %d",
-			location, index));
-		}
-
-protected:
-	const char* location_;
-	int index_;
-};
-
-class ExceptionInvalidOffset : public Exception
-{
-public:
-	ExceptionInvalidOffset(const char* location, 
-			int min_offset, int offset)
-		: location_(location), 
-		  min_offset_(min_offset), offset_(offset)
-		{
-		append(binpac_fmt("invalid offset: %s: min_offset = %d, offset = %d",
-			location, min_offset, offset));
-		}
-
-protected:
-	const char* location_;
-	int min_offset_, offset_;
-};
-
-class ExceptionStringMismatch : public Exception
-{
-public:
-	ExceptionStringMismatch(const char* location, 
-			const char *expected, const char *actual_data)
-		{
-		append(binpac_fmt("string mismatch at %s: \nexpected pattern: \"%s\"\nactual data: \"%s\"",
-			location, expected, actual_data));
-		}
-};
-
-class ExceptionInvalidStringLength : public Exception
-{
-public:
-	ExceptionInvalidStringLength(const char* location, int len)
-		{
-		append(binpac_fmt("invalid length string: %s: %d",
-			location, len));
-		}
-};
-
-}
-
-#endif  // binpac_exception_h
diff --git a/aux/binpac/lib/binpac_regex.cc b/aux/binpac/lib/binpac_regex.cc
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/aux/binpac/lib/binpac_regex.h b/aux/binpac/lib/binpac_regex.h
deleted file mode 100644
index b41e6dbb90..0000000000
--- a/aux/binpac/lib/binpac_regex.h
+++ /dev/null
@@ -1,43 +0,0 @@
-#ifndef binpac_regex_h
-#define binpac_regex_h
-
-#include "binpac.h"
-#include "RE.h"
-
-class RE_Matcher;
-
-namespace binpac
-{
-
-class RegExMatcher {
-public:
-	RegExMatcher(const char *pattern)
-		: pattern_(pattern)
-		{
-		re_matcher_ = 0;
-		}
-
-	~RegExMatcher()
-		{
-		delete re_matcher_;
-		}
-
-	// Returns the length of longest match, or -1 on mismatch.
-	int MatchPrefix(const_byteptr data, int len)
-		{
-		if ( ! re_matcher_ )
-			{
-			re_matcher_ = new RE_Matcher(pattern_.c_str());
-			re_matcher_->Compile();
-			}
-		return re_matcher_->MatchPrefix(data, len);
-		}
-
-private:
-	string pattern_;
-	RE_Matcher *re_matcher_;
-};
-
-}  // namespace binpac
-
-#endif  // binpac_regex_h
diff --git a/aux/binpac/patches/binpac-1.patch b/aux/binpac/patches/binpac-1.patch
deleted file mode 100644
index ade4e41065..0000000000
--- a/aux/binpac/patches/binpac-1.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-diff -urN bro-1.2.1-orig/src/binpac/pac_expr.cc bro-1.2.1-ssl-binpac/src/binpac/pac_expr.cc
---- bro-1.2.1-orig/src/binpac/pac_expr.cc	2006-07-26 15:02:40.000000000 -0700
-+++ bro-1.2.1-ssl-binpac/src/binpac/pac_expr.cc	2007-05-04 14:31:11.728494000 -0700
-@@ -776,6 +776,27 @@
- 			}
- 			break;
- 
-+		case EXPR_CALLARGS:
-+		        {
-+		        mhs = 0;
-+			if ( args_ )
-+			        for ( uint i = 0; i < args_->size(); ++i )
-+				        mhs = mhs_max(mhs, args_->at(i)->MinimalHeaderSize(env));
-+			}
-+		        break;
-+		case EXPR_CASE:
-+		        {
-+		        mhs = operand_[0]->MinimalHeaderSize(env);
-+			for ( uint i = 0; i < cases_->size(); ++i )
-+			        {
-+				CaseExpr * ce = cases_->at(i);
-+				if ( ce->index() )
-+				        for ( uint j = 0; j < ce->index()->size(); ++j )
-+						mhs = mhs_max(mhs, ce->index()->at(j)->MinimalHeaderSize(env));
-+				mhs = mhs_max(mhs, ce->value()->MinimalHeaderSize(env));
-+				}
-+			}
-+			break;
- 		default:
- 			// Evaluate every operand by default
- 			mhs = 0;
diff --git a/aux/binpac/patches/binpac-2.patch b/aux/binpac/patches/binpac-2.patch
deleted file mode 100644
index 378c33027a..0000000000
--- a/aux/binpac/patches/binpac-2.patch
+++ /dev/null
@@ -1,97 +0,0 @@
-diff -urN bro-1.2.1-orig/src/binpac/pac_expr.cc bro-1.2.1-ssl-binpac/src/binpac/pac_expr.cc
---- bro-1.2.1-orig/src/binpac/pac_expr.cc	2006-07-26 15:02:40.000000000 -0700
-+++ bro-1.2.1-ssl-binpac/src/binpac/pac_expr.cc	2007-05-04 14:31:11.728494000 -0700
-@@ -245,6 +245,12 @@
- 	out_cc->println("%s %s;", 
- 	                val_type->DataTypeStr().c_str(), 
- 	                env->LValue(val_var));
-+
-+	// force evaluation of IDs appearing in case stmt
-+       operand_[0]->ForceIDEval(out_cc, env);
-+	foreach(i, CaseExprList, cases_)
-+		(*i)->value()->ForceIDEval(out_cc, env);
-+
- 	out_cc->println("switch ( %s )", operand_[0]->EvalExpr(out_cc, env));
- 
- 	out_cc->inc_indent();
-@@ -386,6 +392,49 @@
- 		}
- 	}
- 
-+void Expr::ForceIDEval(Output* out_cc, Env* env)
-+        {
-+	switch ( expr_type_ )
-+		{
-+		case EXPR_NUM:
-+		case EXPR_SIZEOF:
-+		case EXPR_OFFSETOF:
-+			break;
-+
-+		case EXPR_ID:
-+			if ( ! env->Evaluated(id_) )
-+				env->Evaluate(out_cc, id_);
-+			break;
-+
-+		case EXPR_MEMBER:
-+			operand_[0]->ForceIDEval(out_cc, env);
-+			break;
-+
-+		case EXPR_CALLARGS:
-+		        {
-+		        foreach(i, ExprList, args_)
-+			        (*i)->ForceIDEval(out_cc, env);
-+			}
-+			break;
-+
-+		case EXPR_CASE:
-+		        {
-+		        operand_[0]->ForceIDEval(out_cc, env);
-+			foreach(i, CaseExprList, cases_)
-+				(*i)->value()->ForceIDEval(out_cc, env);
-+		        }
-+			break;
-+
-+		default:
-+			// Evaluate every operand by default
-+			for ( int i = 0; i < 3; ++i )
-+				if ( operand_[i] )
-+					operand_[i]->ForceIDEval(out_cc, env);
-+			break;
-+		}
-+	}
-+
-+
- const char* Expr::EvalExpr(Output* out_cc, Env* env)
- 	{
- 	GenEval(out_cc, env);
-diff -urN bro-1.2.1-orig/src/binpac/pac_expr.h bro-1.2.1-ssl-binpac/src/binpac/pac_expr.h
---- bro-1.2.1-orig/src/binpac/pac_expr.h	2006-07-26 15:02:39.000000000 -0700
-+++ bro-1.2.1-ssl-binpac/src/binpac/pac_expr.h	2007-05-04 14:16:31.624287000 -0700
-@@ -56,6 +56,11 @@
- 	//
- 	const char *EvalExpr(Output *out, Env *env);
- 
-+	// force evaulation of IDs contained in this expression;
-+	// necessary with case expr and conditional let fields (&if)
-+	// for correct parsing of fields
-+	void ForceIDEval(Output *out_cc, Env *env);
-+
- 	// Returns the set_* function of the expression. 
- 	// The expression must be of form ID or x.ID.
- 	string SetFunc(Output *out, Env *env);
-diff -urN bro-1.2.1-orig/src/binpac/pac_let.cc bro-1.2.1-ssl-binpac/src/binpac/pac_let.cc
---- bro-1.2.1-orig/src/binpac/pac_let.cc	2006-07-26 15:02:39.000000000 -0700
-+++ bro-1.2.1-ssl-binpac/src/binpac/pac_let.cc	2007-05-04 15:32:09.695568000 -0700
-@@ -80,7 +80,12 @@
- 	if ( type_->attr_if_expr() )
- 		{
- 		// A conditional field
-+
- 		env->Evaluate(out_cc, type_->has_value_var());
-+
-+		// force evaluation of IDs contained in this expr
-+		expr()->ForceIDEval(out_cc, env);
-+
- 		out_cc->println("if ( %s )", 
- 			env->RValue(type_->has_value_var()));
- 		out_cc->inc_indent();
diff --git a/aux/binpac/patches/binpac-3.patch b/aux/binpac/patches/binpac-3.patch
deleted file mode 100644
index 9832a245b6..0000000000
--- a/aux/binpac/patches/binpac-3.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-diff -urN bro-1.2.1-orig/src/binpac/pac_let.cc bro-1.2.1-ssl-binpac/src/binpac/pac_let.cc
---- bro-1.2.1-orig/src/binpac/pac_let.cc	2006-07-26 15:02:39.000000000 -0700
-+++ bro-1.2.1-ssl-binpac/src/binpac/pac_let.cc	2007-05-04 15:32:09.695568000 -0700
-@@ -108,11 +108,6 @@
- void LetField::GenEval(Output* out_cc, Env* env)
- 	{
- 	GenParseCode(out_cc, env);
--	if ( type_->attr_if_expr() )
--		{
--		out_cc->println("BINPAC_ASSERT(%s);", 
--			env->RValue(type_->has_value_var()));
--		}
- 	}
- 
- LetDecl::LetDecl(ID *id, Type *type, Expr *expr)
-diff -urN bro-1.2.1-orig/src/binpac/pac_type.cc bro-1.2.1-ssl-binpac/src/binpac/pac_type.cc
---- bro-1.2.1-orig/src/binpac/pac_type.cc	2006-07-26 15:02:40.000000000 -0700
-+++ bro-1.2.1-ssl-binpac/src/binpac/pac_type.cc	2007-05-24 10:56:42.140658000 -0700
-@@ -316,9 +316,15 @@
- 	{
- 	if ( DefineValueVar() )
- 		{
--		out_h->println("%s %s const	{ return %s; }", 
--			DataTypeConstRefStr().c_str(), 
--			env->RValue(value_var()), lvalue());
-+		if ( attr_if_expr_ )
-+		        out_h->println("%s %s const { BINPAC_ASSERT(%s); return %s; }",
-+			        DataTypeConstRefStr().c_str(), 
-+			        env->RValue(value_var()),
-+			        env->RValue(has_value_var()), lvalue());
-+		else
-+		        out_h->println("%s %s const { return %s; }",
-+			        DataTypeConstRefStr().c_str(), 
-+			        env->RValue(value_var()), lvalue());
- 		}
- 
- 	foreach (i, FieldList, fields_)
diff --git a/aux/binpac/patches/binpac-4.patch b/aux/binpac/patches/binpac-4.patch
deleted file mode 100644
index 560fb4051b..0000000000
--- a/aux/binpac/patches/binpac-4.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -urN bro-1.2.1-orig/src/binpac/pac_record.cc bro-1.2.1-ssl-binpac/src/binpac/pac_record.cc
---- bro-1.2.1-orig/src/binpac/pac_record.cc	2006-07-26 15:02:40.000000000 -0700
-+++ bro-1.2.1-ssl-binpac/src/binpac/pac_record.cc	2007-05-08 16:13:33.373850000 -0700
-@@ -123,7 +123,7 @@
- void RecordType::DoGenParseCode(Output* out_cc, Env* env, 
- 		const DataPtr& data, int flags)
- 	{
--	if ( StaticSize(env) >= 0 )
-+	if ( !incremental_input() && StaticSize(env) >= 0 )
- 		GenBoundaryCheck(out_cc, env, data);
- 
- 	if ( incremental_parsing() )
diff --git a/aux/binpac/patches/binpac-5.patch b/aux/binpac/patches/binpac-5.patch
deleted file mode 100644
index ae31fa1711..0000000000
--- a/aux/binpac/patches/binpac-5.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-diff -urN bro-1.2.1-orig/src/binpac/pac_paramtype.cc bro-1.2.1-ssl-binpac/src/binpac/pac_paramtype.cc
---- bro-1.2.1-orig/src/binpac/pac_paramtype.cc	2006-07-26 15:02:40.000000000 -0700
-+++ bro-1.2.1-ssl-binpac/src/binpac/pac_paramtype.cc	2007-05-10 15:09:47.470104000 -0700
-@@ -208,7 +208,13 @@
- 	const char *parse_func;
- 	string parse_params;
- 
--	if ( ref_type->incremental_input() )
-+	if ( buffer_mode() == BUFFER_NOTHING )
-+	        {
-+		ASSERT(!ref_type->incremental_input());
-+		parse_func = kParseFuncWithoutBuffer;
-+		parse_params = "0, 0";
-+		}
-+	else if ( ref_type->incremental_input() )
- 		{
- 		parse_func = kParseFuncWithBuffer;
- 		parse_params = env->RValue(flow_buffer_id);
-@@ -239,15 +245,24 @@
- 
- 	if ( incremental_input() )
- 		{
--		ASSERT(parsing_complete_var());
--		out_cc->println("%s = %s;",
--			env->LValue(parsing_complete_var()),
--			call_parse_func.c_str());
--
--		// parsing_complete_var might have been already
--		// evaluated when set to false
--		if ( ! env->Evaluated(parsing_complete_var()) )
--			env->SetEvaluated(parsing_complete_var());
-+		if ( buffer_mode() == BUFFER_NOTHING )
-+		        {
-+		        out_cc->println("%s;", call_parse_func.c_str());
-+			out_cc->println("%s = true;", 
-+				env->LValue(parsing_complete_var()));
-+			}
-+		else
-+		        {
-+			ASSERT(parsing_complete_var());
-+			out_cc->println("%s = %s;",
-+				env->LValue(parsing_complete_var()),
-+				call_parse_func.c_str());
-+
-+			// parsing_complete_var might have been already
-+			// evaluated when set to false
-+			if ( ! env->Evaluated(parsing_complete_var()) )
-+			        env->SetEvaluated(parsing_complete_var());
-+			}
- 		}
- 	else
- 		{
-diff -urN bro-1.2.1-orig/src/binpac/pac_type.cc bro-1.2.1-ssl-binpac/src/binpac/pac_type.cc
---- bro-1.2.1-orig/src/binpac/pac_type.cc	2006-07-26 15:02:40.000000000 -0700
-+++ bro-1.2.1-ssl-binpac/src/binpac/pac_type.cc	2007-05-24 10:56:42.140658000 -0700
-@@ -501,8 +501,8 @@
- 
- 		if ( buffer_mode() == BUFFER_NOTHING )
- 			{
--			out_cc->println("%s = true;", 
--				env->LValue(parsing_complete_var()));
-+			// this is the empty type
-+			DoGenParseCode(out_cc, env, data, flags);
- 			}
- 		else if ( buffer_input() )
- 			{
diff --git a/aux/binpac/patches/binpac-6.patch b/aux/binpac/patches/binpac-6.patch
deleted file mode 100644
index fec16c1084..0000000000
--- a/aux/binpac/patches/binpac-6.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-diff -urN bro-1.2.1-orig/src/binpac/lib/binpac_buffer.h bro-1.2.1-ssl-binpac/src/binpac/lib/binpac_buffer.h
---- bro-1.2.1-orig/src/binpac/lib/binpac_buffer.h	2006-07-26 15:02:38.000000000 -0700
-+++ bro-1.2.1-ssl-binpac/src/binpac/lib/binpac_buffer.h	2007-05-09 16:14:54.501656000 -0700
-@@ -59,6 +59,11 @@
- 			return frame_length_;
- 		}
- 
-+	inline bool data_available() const
-+	        {
-+		return buffer_n_ > 0 || orig_data_end_ > orig_data_begin_;
-+		}
-+
- 	void NewLine();
- 	// A negative frame_length represents a frame till EOF
- 	void NewFrame(int frame_length, bool chunked_);
-diff -urN bro-1.2.1-orig/src/binpac/pac_flow.cc bro-1.2.1-ssl-binpac/src/binpac/pac_flow.cc
---- bro-1.2.1-orig/src/binpac/pac_flow.cc	2006-10-12 14:13:12.000000000 -0700
-+++ bro-1.2.1-ssl-binpac/src/binpac/pac_flow.cc	2007-05-22 16:43:55.997562000 -0700
-@@ -272,7 +272,8 @@
- 		env_->RValue(begin_of_data), 
- 		env_->RValue(end_of_data)); 
- 
--	out_cc->println("while ( true )");
-+	out_cc->println("while ( %s->data_available() )",
-+		env_->LValue(flow_buffer_id));
- 	out_cc->inc_indent();
- 	out_cc->println("{");
- 
diff --git a/aux/binpac/patches/binpac-7.patch b/aux/binpac/patches/binpac-7.patch
deleted file mode 100644
index 263f00bf2c..0000000000
--- a/aux/binpac/patches/binpac-7.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-diff -urN bro-1.2.1-orig/src/binpac/pac_type.cc bro-1.2.1-ssl-binpac/src/binpac/pac_type.cc
---- bro-1.2.1-orig/src/binpac/pac_type.cc	2006-07-26 15:02:40.000000000 -0700
-+++ bro-1.2.1-ssl-binpac/src/binpac/pac_type.cc	2007-05-24 10:56:42.140658000 -0700
-@@ -393,7 +393,7 @@
- 			break;
- 
- 		case BUFFER_BY_LENGTH:
--			if ( buffering_state_var_field_ )
-+		        if ( env->GetDataType(buffering_state_id) )
- 				{
- 				out_cc->println("if ( %s == 0 )",
- 					env->RValue(buffering_state_id));
-@@ -421,7 +421,7 @@
- 				frame_buffer_arg.c_str(),
- 				attr_chunked() ? "true" : "false");
- 
--			if ( buffering_state_var_field_ )
-+			if ( env->GetDataType(buffering_state_id) )
- 				{
- 				out_cc->println("%s = 1;",
- 					env->LValue(buffering_state_id));
diff --git a/aux/binpac/patches/binpac-8.patch b/aux/binpac/patches/binpac-8.patch
deleted file mode 100644
index b69a1676dd..0000000000
--- a/aux/binpac/patches/binpac-8.patch
+++ /dev/null
@@ -1,190 +0,0 @@
-diff -urN bro-1.2.1-orig/src/binpac/pac_analyzer.cc bro-1.2.1-ssl-binpac/src/binpac/pac_analyzer.cc
---- bro-1.2.1-orig/src/binpac/pac_analyzer.cc	2006-07-26 15:02:40.000000000 -0700
-+++ bro-1.2.1-ssl-binpac/src/binpac/pac_analyzer.cc	2007-05-22 17:00:10.091531000 -0700
-@@ -26,8 +26,9 @@
- 	helpers_ = new AnalyzerHelperList();
- 	functions_ = new FunctionList();
- 
--	constructor_helper_ = 0;
--	destructor_helper_ = 0;
-+	constructor_helpers_ = new AnalyzerHelperList();
-+	destructor_helpers_ = new AnalyzerHelperList();
-+	eof_helpers_ = new AnalyzerHelperList();
- 
- 	SetAnalyzerContext();
- 
-@@ -41,6 +42,9 @@
- 	delete_list(AnalyzerHelperList, helpers_);
- 	delete_list(FunctionList, functions_);
- 	delete_list(ParamList, params_);
-+	delete_list(AnalyzerHelperList, constructor_helpers_);
-+	delete_list(AnalyzerHelperList, destructor_helpers_);
-+	delete_list(AnalyzerHelperList, eof_helpers_);
- 	}
- 
- void AnalyzerDecl::AddElements(AnalyzerElementList *elemlist)
-@@ -75,28 +79,20 @@
- 				AnalyzerHelper *helper_elem = 
- 					(AnalyzerHelper *) elem;
- 
--				if ( helper_elem->helper_type() == 
--				     AnalyzerHelper::INIT_CODE)
--					{
--					if ( constructor_helper_ )
--						{
--						throw Exception(elem,
--							"Repeated definition of %init code");
--						}
--					constructor_helper_ = helper_elem;
-+				switch ( helper_elem->helper_type() )
-+				        {
-+					case AnalyzerHelper::INIT_CODE:
-+					        constructor_helpers_->push_back(helper_elem);
-+						break;
-+					case AnalyzerHelper::CLEANUP_CODE:
-+ 				                destructor_helpers_->push_back(helper_elem);
-+						break;
-+					case AnalyzerHelper::EOF_CODE:
-+					        eof_helpers_->push_back(helper_elem);
-+						break;
-+					default:
-+					        helpers_->push_back(helper_elem);
- 					}
--				else if ( helper_elem->helper_type() == 
--				          AnalyzerHelper::CLEANUP_CODE)
--					{
--					if ( destructor_helper_ )
--						{
--						throw Exception(elem,
--							"Repeated definition of %cleanup code");
--						}
--					destructor_helper_ = helper_elem;
--					}
--				else
--					helpers_->push_back(helper_elem);
- 				}
- 				break;
- 			case AnalyzerElement::FUNCTION:
-@@ -217,15 +213,19 @@
- void AnalyzerDecl::GenInitCode(Output *out_cc)
- 	{
- 	TypeDecl::GenInitCode(out_cc);
--	if ( constructor_helper_ )
--		constructor_helper_->GenCode(0, out_cc, this);
-+	foreach(i, AnalyzerHelperList, constructor_helpers_)
-+		{
-+		(*i)->GenCode(0, out_cc, this);
-+		}
- 	}
- 
- void AnalyzerDecl::GenCleanUpCode(Output *out_cc)
- 	{
- 	TypeDecl::GenCleanUpCode(out_cc);
--	if ( destructor_helper_ )
--		destructor_helper_->GenCode(0, out_cc, this);
-+	foreach(i, AnalyzerHelperList, destructor_helpers_)
-+		{
-+		(*i)->GenCode(0, out_cc, this);
-+		}
- 	}
- 
- void AnalyzerDecl::GenStateVarDecls(Output *out_h)
-@@ -295,6 +295,7 @@
- 			break;
- 		case INIT_CODE:
- 		case CLEANUP_CODE:
-+		case EOF_CODE:
- 			out = out_cc;
- 			break;
- 		}
-diff -urN bro-1.2.1-orig/src/binpac/pac_analyzer.h bro-1.2.1-ssl-binpac/src/binpac/pac_analyzer.h
---- bro-1.2.1-orig/src/binpac/pac_analyzer.h	2006-07-26 15:02:39.000000000 -0700
-+++ bro-1.2.1-ssl-binpac/src/binpac/pac_analyzer.h	2007-05-22 16:32:08.397926000 -0700
-@@ -76,8 +76,9 @@
- 	AnalyzerHelperList *helpers_;
- 	FunctionList *functions_;
- 
--	AnalyzerHelper *constructor_helper_;
--	AnalyzerHelper *destructor_helper_;
-+	AnalyzerHelperList *constructor_helpers_;
-+	AnalyzerHelperList *destructor_helpers_;
-+	AnalyzerHelperList *eof_helpers_;
- };
- 
- class AnalyzerElement : public Object
-@@ -117,6 +118,7 @@
- 		MEMBER_DECLS,
- 		INIT_CODE,
- 		CLEANUP_CODE,
-+		EOF_CODE,
- 	};
- 	AnalyzerHelper(Type helper_type, EmbeddedCode *code)
- 		: AnalyzerElement(HELPER),
-diff -urN bro-1.2.1-orig/src/binpac/pac_conn.cc bro-1.2.1-ssl-binpac/src/binpac/pac_conn.cc
---- bro-1.2.1-orig/src/binpac/pac_conn.cc	2006-07-26 15:02:40.000000000 -0700
-+++ bro-1.2.1-ssl-binpac/src/binpac/pac_conn.cc	2007-05-22 16:42:35.406135000 -0700
-@@ -97,6 +97,12 @@
- 	out_cc->println("%s->%s();",
- 	                env_->LValue(downflow_id),
- 	                kFlowEOF);
-+
-+	foreach(i, AnalyzerHelperList, eof_helpers_)
-+		{
-+		(*i)->GenCode(0, out_cc, this);
-+		}
-+
- 	out_cc->dec_indent();
- 	
- 	out_cc->println("}");
-diff -urN bro-1.2.1-orig/src/binpac/pac_flow.cc bro-1.2.1-ssl-binpac/src/binpac/pac_flow.cc
---- bro-1.2.1-orig/src/binpac/pac_flow.cc	2006-10-12 14:13:12.000000000 -0700
-+++ bro-1.2.1-ssl-binpac/src/binpac/pac_flow.cc	2007-05-22 16:43:55.997562000 -0700
-@@ -151,6 +151,11 @@
- 	out_cc->inc_indent();
- 	out_cc->println("{");
- 
-+	foreach(i, AnalyzerHelperList, eof_helpers_)
-+		{
-+		(*i)->GenCode(0, out_cc, this);
-+		}
-+
- 	if ( dataunit_->type() == AnalyzerDataUnit::FLOWUNIT )
- 		{
- 		out_cc->println("%s->set_eof();", 
-diff -urN bro-1.2.1-orig/src/binpac/pac_parse.yy bro-1.2.1-ssl-binpac/src/binpac/pac_parse.yy
---- bro-1.2.1-orig/src/binpac/pac_parse.yy	2006-10-12 14:13:12.000000000 -0700
-+++ bro-1.2.1-ssl-binpac/src/binpac/pac_parse.yy	2007-05-22 16:56:09.280526000 -0700
-@@ -22,7 +22,7 @@
- %token TOK_STATE TOK_ACTION TOK_WHEN TOK_HELPER 
- %token TOK_DATAUNIT TOK_FLOWDIR TOK_WITHCONTEXT
- %token TOK_LPB_EXTERN TOK_LPB_HEADER TOK_LPB_CODE 
--%token TOK_LPB_MEMBER TOK_LPB_INIT TOK_LPB_CLEANUP 
-+%token TOK_LPB_MEMBER TOK_LPB_INIT TOK_LPB_CLEANUP TOK_LPB_EOF
- %token TOK_LPB TOK_RPB 
- %token TOK_EMBEDDED_ATOM TOK_EMBEDDED_STRING
- %token TOK_PAC_VAL TOK_PAC_SET TOK_PAC_TYPE TOK_PAC_TYPEOF TOK_PAC_CONST_DEF 
-@@ -795,6 +795,10 @@
- 				{
- 				$$ = new AnalyzerHelper(AnalyzerHelper::CLEANUP_CODE, $2);
- 				}
-+		|	TOK_LPB_EOF embedded_code TOK_RPB
-+				{
-+				$$ = new AnalyzerHelper(AnalyzerHelper::EOF_CODE, $2);
-+				}
- 		|	TOK_FLOWDIR '=' tok_id optargs ';'
- 				{
- 				$$ = new AnalyzerFlow((AnalyzerFlow::Direction) $1, $3, $4);
-diff -urN bro-1.2.1-orig/src/binpac/pac_scan.ll bro-1.2.1-ssl-binpac/src/binpac/pac_scan.ll
---- bro-1.2.1-orig/src/binpac/pac_scan.ll	2006-07-26 15:02:40.000000000 -0700
-+++ bro-1.2.1-ssl-binpac/src/binpac/pac_scan.ll	2007-05-22 16:55:19.349644000 -0700
-@@ -96,6 +96,10 @@
- 				BEGIN(EC);
- 				return TOK_LPB_MEMBER;
- 				}
-+<INITIAL>"%eof{"		{
-+				BEGIN(EC);
-+				return TOK_LPB_EOF;
-+				}
- <INITIAL>"%{"			{
- 				BEGIN(EC);
- 				return TOK_LPB;
diff --git a/aux/binpac/patches/binpac-patch-doc.txt b/aux/binpac/patches/binpac-patch-doc.txt
deleted file mode 100644
index 052285eaea..0000000000
--- a/aux/binpac/patches/binpac-patch-doc.txt
+++ /dev/null
@@ -1,87 +0,0 @@
-binpac fixes
-----------------
-
-numbers of issues below correspond to the patch numbers
-
-(1) correct calculation of minimal header size in pac_expr.cc
-- problem: EXPR_CALLARGS and EXPR_CASE not considered for the calculation
-  of minimal header size
-- solution: added two cases in switch stmt of Expr::MinimalHeaderSize
-  for EXPR_CALLARGS and EXPR_CASE
-
-
-(2) ensure parsing of fields first referenced in a case expression or
-    let field with an &if attribute
-- problem: in cases where the if expression evaluates to false or the
-  proper case does not occur, fields get not parsed at all
-- solution: force evaluation of all IDs referenced in a let field with
-  if attribute or a case expression before the body of the corresponding
-  switch stmt or the if stmt
-- added public method Expr::ForceIDEval, properly called before
-  generating the code of a field with if attribute or the case expression
-
-
-(3) properly assert the use of fields with an if attribute
-- problem: the use of fields with an if attribute was not asserted in all
-  cases and asserted in the wrong way in some others due to the
-  corresponding BINPAC_ASSERT only called upon parsing the field
-- solution: perform BINPAC_ASSERT upon calling the fields accessor
-  function
-- moved BINPAC_ASSERT statement from LetField::GenEval to
-  Type::GenPubDecls
-
-
-(4) incremental input with records with a non-negative StaticSize
-- problem: incremental input with records with a StaticSize >= 0
-  cannot be performed due to necessary length attribute, leading to
-  an invalid call of GenBoundaryCheck in RecordType::DoGenParseCode
-- solution: added a check for incremental input in
-  RecordType::DoGenParseCode before calling GenBoundaryCheck
-
-
-(5) empty type with incremental input
-- problem: with an empty type and incremental input, although the
-  Parse function is created, it is never called, leading to problems,
-  if additional actions are to be performed when encountering that
-  empty type
-- solution: generate call to Parse of empty type in Type::GenParseBuffer
-
-
-(6) parsing loop in flow ParseBuffer (while(true))
-- problem: while(true) leads to problems after parsing of a type is
-  complete; at this time, it is unexpected that parsing continues, even
-  if no data is available in the flow buffer
-- solution: check if data is available before starting a new parsing
-  cycle
-- added a method data_available to FlowBuffer
-- changed while(true) in FlowDecl::GenCodeFlowUnit to
-  while(flow_buffer_->data_available())
-
-
-(7) initialization of flow buffer in CaseType with bufferable fields
-    in cases
-- problem: initialization of buffer occurs in every Parse call,
-  regardless if it was initialized before or not; initialization
-  is correct only on first such occurence
-- solution: check to buffer_state is to be created always when
-  buffering_state_id is in environment in Type::GenBufferConfig
-- changed condition from buffering_state_var_field_ to
-  env->GetDataType(buffering_state_id)
-
-
-(8) allowing init and cleanup code to be redefined, as well as addition
-    of code to FlowEOF calls in analyzer and flow
-- problem 1: when refining an analyzer or flow definition, additional
-  init and cleanup code was not allowed, if these were already defined
-  before; this leads to problems when adding new members, as these
-  cannot be initialized and destroyed properly
-- solution: allow init and cleanup code to be specified more than once
-- changed deifnitions and usage of constructor_helper and
-  destructor_helper to allow for lists of constructor and destructor
-  helpers (similar to member declarations) in pac_analyzer.h and
-  pac_analyzer.cc
-- problem 2: in some cases, it is desirable to execute code when
-  encountering the end of the input stream, which is not possible in
-  binpac
-- solution: added a %eof binpac primitive similar to %init, which adds
-  code to the FlowEOF function of an analyzer or a flow
diff --git a/aux/binpac/patches/brosslbinpacanalyzerpatches.zip b/aux/binpac/patches/brosslbinpacanalyzerpatches.zip
deleted file mode 100644
index 4d89326f71..0000000000
Binary files a/aux/binpac/patches/brosslbinpacanalyzerpatches.zip and /dev/null differ
diff --git a/aux/binpac/patches/nadi-bittorrent.patch b/aux/binpac/patches/nadi-bittorrent.patch
deleted file mode 100644
index 1ce6cc0313..0000000000
--- a/aux/binpac/patches/nadi-bittorrent.patch
+++ /dev/null
@@ -1,172 +0,0 @@
-Index: pac_type.h
-===================================================================
---- pac_type.h	(revision 4130)
-+++ pac_type.h	(working copy)
-@@ -78,12 +78,6 @@
- 	string EvalByteOrder(Output *out_cc, Env *env) const;
- 
- 	virtual string EvalMember(const ID *member_id) const;
--#if 0
--	// member_env() is used for finding a member of the type.
--	// Thus member_env() of a ParameterizedType should return 
--	// ReferredDataType()->env()
--	// virtual Env *member_env() const;
--#endif
- 
- 	// The variable defined by the type
- 	const ID *value_var() const		{ return value_var_; }
-@@ -223,6 +217,8 @@
- 
- 	virtual bool ByteOrderSensitive() const = 0;
- 
-+	bool NeedsBufferingStateVar() const;
-+
- 	void GenBufferingLoop(Output* out_cc, Env* env, int flags);
- 	void GenParseBuffer(Output* out_cc, Env* env, int flags);
- 	void GenParseCode2(Output* out_cc, Env* env, const DataPtr& data, int flags);
-Index: lib/binpac_buffer.h
-===================================================================
---- lib/binpac_buffer.h	(revision 4130)
-+++ lib/binpac_buffer.h	(working copy)
-@@ -24,18 +24,18 @@
- 	void DiscardData();
- 
- 	// Whether there is enough data for the frame
--	bool ready() const{ return message_complete_; }
-+	bool ready() const{ return message_complete_ || mode_ == UNKNOWN_MODE; }
- 
- 	inline const_byteptr begin() const
- 		{
--		BINPAC_ASSERT(message_complete_);
-+		BINPAC_ASSERT(ready());
- 		return ( buffer_n_ == 0 ) ? 
- 			orig_data_begin_ : buffer_;
- 		}
- 
- 	inline const_byteptr end() const
- 		{
--		BINPAC_ASSERT(message_complete_);
-+		BINPAC_ASSERT(ready());
- 		if ( buffer_n_ == 0 )
- 			{
- 			BINPAC_ASSERT(frame_length_ >= 0);
-Index: pac_type.cc
-===================================================================
---- pac_type.cc	(revision 4130)
-+++ pac_type.cc	(working copy)
-@@ -285,9 +285,8 @@
- 			parsing_complete_var, extern_type_bool->Clone());
- 		parsing_complete_var_field_->Prepare(env);
- 
--		if ( ( buffer_mode() == BUFFER_BY_LENGTH ||
--		       buffer_mode() == BUFFER_BY_LINE ) &&
--		       ! env->GetDataType(buffering_state_id) )
-+		if ( NeedsBufferingStateVar() && 
-+		     !env->GetDataType(buffering_state_id) )
- 			{
- 			buffering_state_var_field_ = new PrivVarField(
- 				buffering_state_id->clone(), 
-@@ -387,17 +386,17 @@
- 			break;
- 
- 		case BUFFER_BY_LENGTH:
--			if ( buffering_state_var_field_ )
--				{
--				out_cc->println("if ( %s == 0 )",
--					env->RValue(buffering_state_id));
--				out_cc->inc_indent();
--				out_cc->println("{");
--				}
-+			if ( !NeedsBufferingStateVar() )
-+				break;
- 
-+			ASSERT(env->GetDataType(buffering_state_id));
-+			out_cc->println("if ( %s == 0 )",
-+				env->RValue(buffering_state_id));
-+			out_cc->inc_indent();
-+			out_cc->println("{");
-+
- 			if ( attr_length_expr_ )
- 				{
--				// frame_buffer_arg = attr_length_expr_->EvalExpr(out_cc, env);
- 				frame_buffer_arg = strfmt("%d", InitialBufferLength());
- 				}
- 			else if ( attr_restofflow_ )
-@@ -407,7 +406,7 @@
- 				}
- 			else
- 				{
--				frame_buffer_arg = strfmt("%d", InitialBufferLength());
-+				ASSERT(0);
- 				}
- 
- 			out_cc->println("%s->NewFrame(%s, %s);",
-@@ -415,16 +414,14 @@
- 				frame_buffer_arg.c_str(),
- 				attr_chunked() ? "true" : "false");
- 
--			if ( buffering_state_var_field_ )
--				{
--				out_cc->println("%s = 1;",
--					env->LValue(buffering_state_id));
--				out_cc->println("}");
--				out_cc->dec_indent();
--				}
-+			out_cc->println("%s = 1;",
-+				env->LValue(buffering_state_id));
-+			out_cc->println("}");
-+			out_cc->dec_indent();
- 			break;
- 
- 		case BUFFER_BY_LINE:
-+			ASSERT(env->GetDataType(buffering_state_id));
- 			out_cc->println("if ( %s == 0 )",
- 				env->RValue(buffering_state_id));
- 			out_cc->inc_indent();
-@@ -890,6 +887,25 @@
- 	return ! attr_byteorder_expr() && ByteOrderSensitive(); 
- 	}
- 
-+bool Type::NeedsBufferingStateVar() const
-+	{
-+	if ( !incremental_input() )
-+		return false;
-+	switch ( buffer_mode() )
-+		{
-+		case BUFFER_NOTHING:
-+		case NOT_BUFFERABLE:
-+			return false;
-+		case BUFFER_BY_LINE:
-+			return true;
-+		case BUFFER_BY_LENGTH:
-+			return ( attr_length_expr_ || attr_restofflow_ );
-+		default:
-+			ASSERT(0);
-+			return false;
-+		}
-+	}
-+
- bool Type::DoTraverse(DataDepVisitor *visitor)
- 	{
- 	foreach (i, FieldList, fields_)
-Index: pac_flow.cc
-===================================================================
---- pac_flow.cc	(revision 4130)
-+++ pac_flow.cc	(working copy)
-@@ -224,15 +224,13 @@
- 	out_cc->println("catch ( Exception const &e )");
- 	out_cc->inc_indent();
- 	out_cc->println("{");
--	out_cc->println("DEBUG_MSG(\"%%.6f binpac exception: %%s\\n\", network_time(), e.c_msg());");
- 	GenCleanUpCode(out_cc);
- 	if ( dataunit_->type() == AnalyzerDataUnit::FLOWUNIT )
- 		{
- 		out_cc->println("%s->DiscardData();",
- 			env_->LValue(flow_buffer_id));
--		out_cc->println("BINPAC_ASSERT(!%s->ready());",
--			env_->RValue(flow_buffer_id));
- 		}
-+	out_cc->println("throw e;");
- 	out_cc->println("}");
- 	out_cc->dec_indent();
- 
diff --git a/aux/binpac/shtool b/aux/binpac/shtool
deleted file mode 100755
index 4c1a7396fd..0000000000
--- a/aux/binpac/shtool
+++ /dev/null
@@ -1,716 +0,0 @@
-#!/bin/sh
-##
-##  GNU shtool -- The GNU Portable Shell Tool
-##  Copyright (c) 1994-2000 Ralf S. Engelschall <rse@engelschall.com>
-##
-##  See http://www.gnu.org/software/shtool/ for more information.
-##  See ftp://ftp.gnu.org/gnu/shtool/ for latest version.
-##
-##  Version 1.4.9 (16-Apr-2000)
-##  Ingredients: 3/17 available modules
-##
-
-##
-##  This program is free software; you can redistribute it and/or modify
-##  it under the terms of the GNU General Public License as published by
-##  the Free Software Foundation; either version 2 of the License, or
-##  (at your option) any later version.
-##
-##  This program is distributed in the hope that it will be useful,
-##  but WITHOUT ANY WARRANTY; without even the implied warranty of
-##  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-##  General Public License for more details.
-##
-##  You should have received a copy of the GNU General Public License
-##  along with this program; if not, write to the Free Software
-##  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
-##  USA, or contact Ralf S. Engelschall <rse@engelschall.com>.
-##
-##  Notice: Given that you include this file verbatim into your own
-##  source tree, you are justified in saying that it remains separate
-##  from your package, and that this way you are simply just using GNU
-##  shtool. So, in this situation, there is no requirement that your
-##  package itself is licensed under the GNU General Public License in
-##  order to take advantage of GNU shtool.
-##
-
-##
-##  Usage: shtool [<options>] [<cmd-name> [<cmd-options>] [<cmd-args>]]
-##
-##  Available commands:
-##    echo       Print string with optional construct expansion
-##    install    Install a program, script or datafile
-##    mkdir      Make one or more directories
-##
-##  Not available commands (because module was not built-in):
-##    mdate      Pretty-print modification time of a file or dir
-##    table      Pretty-print a field-separated list as a table
-##    prop       Display progress with a running propeller
-##    move       Move files with simultaneous substitution
-##    mkln       Make link with calculation of relative paths
-##    mkshadow   Make a shadow tree through symbolic links
-##    fixperm    Fix file permissions inside a source tree
-##    tarball    Roll distribution tarballs
-##    guessos    Simple operating system guesser
-##    arx        Extended archive command
-##    slo        Separate linker options by library class
-##    scpp       Sharing C Pre-Processor
-##    version    Generate and maintain a version information file
-##    path       Deal with program paths
-##
-
-if [ $# -eq 0 ]; then
-    echo "$0:Error: invalid command line" 1>&2
-    echo "$0:Hint:  run \`$0 -h' for usage" 1>&2
-    exit 1
-fi
-if [ ".$1" = ".-h" -o ".$1" = ".--help" ]; then
-    echo "This is GNU shtool, version 1.4.9 (16-Apr-2000)"
-    echo "Copyright (c) 1994-2000 Ralf S. Engelschall <rse@engelschall.com>"
-    echo "Report bugs to <bug-shtool@gnu.org>"
-    echo ''
-    echo "Usage: shtool [<options>] [<cmd-name> [<cmd-options>] [<cmd-args>]]" 
-    echo ''
-    echo 'Available global <options>:'
-    echo '  -v, --version   display shtool version information'
-    echo '  -h, --help      display shtool usage help page (this one)'
-    echo '  -d, --debug     display shell trace information'
-    echo ''
-    echo 'Available <cmd-name> [<cmd-options>] [<cmd-args>]:'
-    echo '  echo     [-n] [-e] [<str> ...]'
-    echo '  install  [-v] [-t] [-c] [-C] [-s] [-m<mode>] [-o<owner>] [-g<group>]'
-    echo '           [-e<ext>] <file> <path>'
-    echo '  mkdir    [-t] [-f] [-p] [-m<mode>] <dir> [<dir> ...]'
-    echo ''
-    echo 'Not available <cmd-name> (because module was not built-in):'
-    echo '  mdate    [-n] [-z] [-s] [-d] [-f<str>] [-o<spec>] <path>'
-    echo '  table    [-F<sep>] [-w<width>] [-c<cols>] [-s<strip>] <str><sep><str>...'
-    echo '  prop     [-p<str>]'
-    echo '  move     [-v] [-t] [-e] [-p] <src-file> <dst-file>'
-    echo '  mkln     [-t] [-f] [-s] <src-path> [<src-path> ...] <dst-path>'
-    echo '  mkshadow [-v] [-t] [-a] <src-dir> <dst-dir>'
-    echo '  fixperm  [-v] [-t] <path> [<path> ...]'
-    echo '  tarball  [-t] [-v] [-o <tarball>] [-c <prog>] [-d <dir>] [-u'
-    echo '           <user>] [-g <group>] [-e <pattern>] <path> [<path> ...]'
-    echo '  guessos  '
-    echo '  arx      [-t] [-C<cmd>] <op> <archive> [<file> ...]'
-    echo '  slo      [-p<str>] -- -L<dir> -l<lib> [-L<dir> -l<lib> ...]'
-    echo '  scpp     [-v] [-p] [-f<filter>] [-o<ofile>] [-t<tfile>] [-M<mark>]'
-    echo '           [-D<dname>] [-C<cname>] <file> [<file> ...]'
-    echo '  version  [-l<lang>] [-n<name>] [-p<prefix>] [-s<version>] [-i<knob>]'
-    echo '           [-d<type>] <file>'
-    echo '  path     [-s] [-r] [-d] [-b] [-m] [-p<path>] <str> [<str> ...]'
-    echo ''
-    exit 0
-fi
-if [ ".$1" = ".-v" -o ".$1" = ."--version" ]; then
-    echo "GNU shtool 1.4.9 (16-Apr-2000)"
-    exit 0
-fi
-if [ ".$1" = ".-d" -o ".$1" = ."--debug" ]; then
-    shift
-    set -x
-fi
-name=`echo "$0" | sed -e 's;.*/\([^/]*\)$;\1;' -e 's;-sh$;;' -e 's;\.sh$;;'`
-case "$name" in
-    echo|install|mkdir )
-        #   implicit tool command selection
-        tool="$name"
-        ;;
-    * )
-        #   explicit tool command selection
-        tool="$1"
-        shift
-        ;;
-esac
-arg_spec=""
-opt_spec=""
-gen_tmpfile=no
-
-##
-##  DISPATCH INTO SCRIPT PROLOG
-##
-
-case $tool in
-    echo )
-        str_tool="echo"
-        str_usage="[-n] [-e] [<str> ...]"
-        arg_spec="0+"
-        opt_spec="n.e."
-        opt_n=no
-        opt_e=no
-        ;;
-    install )
-        str_tool="install"
-        str_usage="[-v] [-t] [-c] [-C] [-s] [-m<mode>] [-o<owner>] [-g<group>] [-e<ext>] <file> <path>"
-        arg_spec="2="
-        opt_spec="v.t.c.C.s.m:o:g:e:"
-        opt_v=no
-        opt_t=no
-        opt_c=no
-        opt_C=no
-        opt_s=no
-        opt_m=""
-        opt_o=""
-        opt_g=""
-        opt_e=""
-        ;;
-    mkdir )
-        str_tool="mkdir"
-        str_usage="[-t] [-f] [-p] [-m<mode>] <dir> [<dir> ...]"
-        arg_spec="1+"
-        opt_spec="t.f.p.m:"
-        opt_t=no
-        opt_f=no
-        opt_p=no
-        opt_m=""
-        ;;
-    -* )
-        echo "$0:Error: unknown option \`$tool'" 2>&1
-        echo "$0:Hint:  run \`$0 -h' for usage" 2>&1
-        exit 1
-        ;;
-    * )
-        echo "$0:Error: unknown command \`$tool'" 2>&1
-        echo "$0:Hint:  run \`$0 -h' for usage" 2>&1
-        exit 1
-        ;;
-esac
-
-##
-##  COMMON UTILITY CODE
-##
-
-#   determine name of tool
-if [ ".$tool" != . ]; then
-    #   used inside shtool script
-    toolcmd="$0 $tool"
-    toolcmdhelp="shtool $tool"
-    msgprefix="shtool:$tool"
-else
-    #   used as standalone script
-    toolcmd="$0"
-    toolcmdhelp="sh $0"
-    msgprefix="$str_tool"
-fi
-
-#   parse argument specification string
-eval `echo $arg_spec |\
-      sed -e 's/^\([0-9]*\)\([+=]\)/arg_NUMS=\1; arg_MODE=\2/'`
-
-#   parse option specification string
-eval `echo h.$opt_spec |\
-      sed -e 's/\([a-zA-Z0-9]\)\([.:+]\)/opt_MODE_\1=\2;/g'`
-
-#   interate over argument line
-opt_PREV=''
-while [ $# -gt 0 ]; do
-    #   special option stops processing
-    if [ ".$1" = ".--" ]; then
-        shift
-        break
-    fi
-
-    #   determine option and argument
-    opt_ARG_OK=no
-    if [ ".$opt_PREV" != . ]; then
-        #   merge previous seen option with argument
-        opt_OPT="$opt_PREV"
-        opt_ARG="$1"
-        opt_ARG_OK=yes
-        opt_PREV=''
-    else
-        #   split argument into option and argument
-        case "$1" in
-            -[a-zA-Z0-9]*)
-                eval `echo "x$1" |\
-                      sed -e 's/^x-\([a-zA-Z0-9]\)/opt_OPT="\1";/' \
-                          -e 's/";\(.*\)$/"; opt_ARG="\1"/'`
-                ;;
-            -[a-zA-Z0-9])
-                opt_OPT=`echo "x$1" | cut -c3-`
-                opt_ARG=''
-                ;;
-            *)
-                break
-                ;;
-        esac
-    fi
-
-    #   eat up option
-    shift
-
-    #   determine whether option needs an argument
-    eval "opt_MODE=\$opt_MODE_${opt_OPT}"
-    if [ ".$opt_ARG" = . -a ".$opt_ARG_OK" != .yes ]; then
-        if [ ".$opt_MODE" = ".:" -o ".$opt_MODE" = ".+" ]; then
-            opt_PREV="$opt_OPT"
-            continue
-        fi
-    fi
-
-    #   process option
-    case $opt_MODE in
-        '.' )
-            #   boolean option
-            eval "opt_${opt_OPT}=yes"
-            ;;
-        ':' )
-            #   option with argument (multiple occurances override)
-            eval "opt_${opt_OPT}=\"\$opt_ARG\""
-            ;;
-        '+' )
-            #   option with argument (multiple occurances append)
-            eval "opt_${opt_OPT}=\"\$opt_${opt_OPT} \$opt_ARG\""
-            ;;
-        * )
-            echo "$msgprefix:Error: unknown option: \`-$opt_OPT'" 1>&2
-            echo "$msgprefix:Hint:  run \`$toolcmdhelp -h' or \`man shtool' for details" 1>&2
-            exit 1
-            ;;
-    esac
-done
-if [ ".$opt_PREV" != . ]; then
-    echo "$msgprefix:Error: missing argument to option \`-$opt_PREV'" 1>&2
-    echo "$msgprefix:Hint:  run \`$toolcmdhelp -h' or \`man shtool' for details" 1>&2
-    exit 1
-fi
-
-#   process help option
-if [ ".$opt_h" = .yes ]; then
-    echo "Usage: $toolcmdhelp $str_usage"
-    exit 0
-fi
-
-#   complain about incorrect number of arguments
-case $arg_MODE in
-    '=' )
-        if [ $# -ne $arg_NUMS ]; then
-            echo "$msgprefix:Error: invalid number of arguments (exactly $arg_NUMS expected)" 1>&2
-            echo "$msgprefix:Hint:  run \`$toolcmd -h' or \`man shtool' for details" 1>&2
-            exit 1
-        fi
-        ;;
-    '+' )
-        if [ $# -lt $arg_NUMS ]; then
-            echo "$msgprefix:Error: invalid number of arguments (at least $arg_NUMS expected)" 1>&2
-            echo "$msgprefix:Hint:  run \`$toolcmd -h' or \`man shtool' for details" 1>&2
-            exit 1
-        fi
-        ;;
-esac
-
-#   establish a temporary file on request
-if [ ".$gen_tmpfile" = .yes ]; then
-    if [ ".$TMPDIR" != . ]; then
-        tmpdir="$TMPDIR"
-    elif [ ".$TEMPDIR" != . ]; then
-        tmpdir="$TEMPDIR"
-    else
-        tmpdir="/tmp"
-    fi
-    tmpfile="$tmpdir/.shtool.$$"
-    rm -f $tmpfile >/dev/null 2>&1
-    touch $tmpfile
-fi
-
-##
-##  DISPATCH INTO SCRIPT BODY
-##
-
-case $tool in
-
-echo )
-    ##
-    ##  echo -- Print string with optional construct expansion
-    ##  Copyright (c) 1998-2000 Ralf S. Engelschall <rse@engelschall.com>
-    ##  Originally written for WML as buildinfo
-    ##
-    
-    text="$*"
-    
-    #   check for broken escape sequence expansion
-    seo=''
-    bytes=`echo '\1' | wc -c | awk '{ printf("%s", $1); }'`
-    if [ ".$bytes" != .3 ]; then
-        bytes=`echo -E '\1' | wc -c | awk '{ printf("%s", $1); }'`
-        if [ ".$bytes" = .3 ]; then
-            seo='-E'
-        fi
-    fi
-    
-    #   check for existing -n option (to suppress newline)
-    minusn=''
-    bytes=`echo -n 123 2>/dev/null | wc -c | awk '{ printf("%s", $1); }'`
-    if [ ".$bytes" = .3 ]; then
-        minusn='-n'
-    fi
-    
-    #   determine terminal bold sequence
-    term_bold='' 
-    term_norm=''
-    if [ ".$opt_e" = .yes -a ".`echo $text | egrep '%[Bb]'`" != . ]; then
-        case $TERM in
-            #   for the most important terminal types we directly know the sequences
-            xterm|xterm*|vt220|vt220*)
-                term_bold=`awk 'BEGIN { printf("%c%c%c%c", 27, 91, 49, 109); }' </dev/null 2>/dev/null`
-                term_norm=`awk 'BEGIN { printf("%c%c%c", 27, 91, 109); }' </dev/null 2>/dev/null`
-                ;;
-            vt100|vt100*)
-                term_bold=`awk 'BEGIN { printf("%c%c%c%c%c%c", 27, 91, 49, 109, 0, 0); }' </dev/null 2>/dev/null`
-                term_norm=`awk 'BEGIN { printf("%c%c%c%c%c", 27, 91, 109, 0, 0); }' </dev/null 2>/dev/null`
-                ;;
-            #   for all others, we try to use a possibly existing `tput' or `tcout' utility
-            * )
-                paths=`echo $PATH | sed -e 's/:/ /g'`
-                for tool in tput tcout; do
-                    for dir in $paths; do
-                        if [ -r "$dir/$tool" ]; then
-                            for seq in bold md smso; do # 'smso' is last
-                                bold="`$dir/$tool $seq 2>/dev/null`"
-                                if [ ".$bold" != . ]; then
-                                    term_bold="$bold"
-                                    break
-                                fi
-                            done
-                            if [ ".$term_bold" != . ]; then
-                                for seq in sgr0 me rmso reset; do # 'reset' is last
-                                    norm="`$dir/$tool $seq 2>/dev/null`"
-                                    if [ ".$norm" != . ]; then
-                                        term_norm="$norm"
-                                        break
-                                    fi
-                                done
-                            fi
-                            break
-                        fi
-                    done
-                    if [ ".$term_bold" != . -a ".$term_norm" != . ]; then
-                        break;
-                    fi
-                done
-                ;;
-        esac
-        if [ ".$term_bold" = . -o ".$term_norm" = . ]; then
-            echo "$msgprefix:Warning: unable to determine terminal sequence for bold mode" 1>&2
-        fi
-    fi
-    
-    #   determine user name
-    username=''
-    if [ ".$opt_e" = .yes -a ".`echo $text | egrep '%[uU]'`" != . ]; then
-        username="$LOGNAME"
-        if [ ".$username" = . ]; then
-            username="$USER"
-            if [ ".$username" = . ]; then
-                username="`(whoami) 2>/dev/null |\
-                           awk '{ printf("%s", $1); }'`"
-                if [ ".$username" = . ]; then
-                    username="`(who am i) 2>/dev/null |\
-                               awk '{ printf("%s", $1); }'`"
-                    if [ ".$username" = . ]; then
-                        username='unknown'
-                    fi
-                fi
-            fi
-        fi
-    fi
-    
-    #   determine user id
-    userid=''
-    if [ ".$opt_e" = .yes -a ".`echo $text | egrep '%U'`" != . ]; then
-        userid="`(id -u) 2>/dev/null`"
-        if [ ".$userid" = . ]; then
-            str="`(id) 2>/dev/null`"
-            if [ ".`echo $str | grep '^uid[ 	]*=[ 	]*[0-9]*('`" != . ]; then
-                userid=`echo $str | sed -e 's/^uid[ 	]*=[ 	]*//' -e 's/(.*//'`
-            fi
-            if [ ".$userid" = . ]; then
-                userid=`egrep "^${username}:" /etc/passwd 2>/dev/null | \
-                        sed -e 's/[^:]*:[^:]*://' -e 's/:.*$//'`
-                if [ ".$userid" = . ]; then
-                    userid=`(ypcat passwd) 2>/dev/null |
-                            egrep "^${username}:" | \
-                            sed -e 's/[^:]*:[^:]*://' -e 's/:.*$//'`
-                    if [ ".$userid" = . ]; then
-                        userid='?'
-                    fi
-                fi
-            fi
-        fi
-    fi
-    
-    #   determine host name
-    hostname=''
-    if [ ".$opt_e" = .yes -a ".`echo $text | egrep '%h'`" != . ]; then
-        hostname="`(uname -n) 2>/dev/null |\
-                   awk '{ printf("%s", $1); }'`"
-        if [ ".$hostname" = . ]; then
-            hostname="`(hostname) 2>/dev/null |\
-                       awk '{ printf("%s", $1); }'`"
-            if [ ".$hostname" = . ]; then
-                hostname='unknown'
-            fi
-        fi
-        case $hostname in
-            *.* )
-                domainname=".`echo $hostname | cut -d. -f2-`"
-                hostname="`echo $hostname | cut -d. -f1`"
-                ;;
-        esac
-    fi
-    
-    #   determine domain name
-    domainname=''
-    if [ ".$opt_e" = .yes -a ".`echo $text | egrep '%d'`" != . ]; then
-        if [ ".$domainname" = . ]; then
-            if [ -f /etc/resolv.conf ]; then
-                domainname="`egrep '^[ 	]*domain' /etc/resolv.conf | head -1 |\
-                             sed -e 's/.*domain//' \
-                                 -e 's/^[ 	]*//' -e 's/^ *//' -e 's/^	*//' \
-                                 -e 's/^\.//' -e 's/^/./' |\
-                             awk '{ printf("%s", $1); }'`"
-                if [ ".$domainname" = . ]; then
-                    domainname="`egrep '^[ 	]*search' /etc/resolv.conf | head -1 |\
-                                 sed -e 's/.*search//' \
-                                     -e 's/^[ 	]*//' -e 's/^ *//' -e 's/^	*//' \
-                                     -e 's/ .*//' -e 's/	.*//' \
-                                     -e 's/^\.//' -e 's/^/./' |\
-                                 awk '{ printf("%s", $1); }'`"
-                fi
-            fi
-        fi
-    fi
-    
-    #   determine current time
-    time_day=''
-    time_month=''
-    time_year=''
-    time_monthname=''
-    if [ ".$opt_e" = .yes -a ".`echo $text | egrep '%[DMYm]'`" != . ]; then
-        time_day=`date '+%d'`
-        time_month=`date '+%m'`
-        time_year=`date '+%Y' 2>/dev/null`
-        if [ ".$time_year" = . ]; then
-            time_year=`date '+%y'`
-            case $time_year in
-                [5-9][0-9]) time_year="19$time_year" ;;
-                [0-4][0-9]) time_year="20$time_year" ;;
-            esac
-        fi
-        case $time_month in
-            1|01) time_monthname='Jan' ;;
-            2|02) time_monthname='Feb' ;;
-            3|03) time_monthname='Mar' ;;
-            4|04) time_monthname='Apr' ;;
-            5|05) time_monthname='May' ;;
-            6|06) time_monthname='Jun' ;;
-            7|07) time_monthname='Jul' ;;
-            8|08) time_monthname='Aug' ;;
-            9|09) time_monthname='Sep' ;;
-              10) time_monthname='Oct' ;;
-              11) time_monthname='Nov' ;;
-              12) time_monthname='Dec' ;;
-        esac
-    fi
-    
-    #   expand special ``%x'' constructs
-    if [ ".$opt_e" = .yes ]; then
-        text=`echo $seo "$text" |\
-              sed -e "s/%B/${term_bold}/g" \
-                  -e "s/%b/${term_norm}/g" \
-                  -e "s/%u/${username}/g" \
-                  -e "s/%U/${userid}/g" \
-                  -e "s/%h/${hostname}/g" \
-                  -e "s/%d/${domainname}/g" \
-                  -e "s/%D/${time_day}/g" \
-                  -e "s/%M/${time_month}/g" \
-                  -e "s/%Y/${time_year}/g" \
-                  -e "s/%m/${time_monthname}/g" 2>/dev/null`
-    fi
-    
-    #   create output
-    if [ .$opt_n = .no ]; then
-        echo $seo "$text"
-    else
-        #   the harder part: echo -n is best, because
-        #   awk may complain about some \xx sequences.
-        if [ ".$minusn" != . ]; then
-            echo $seo $minusn "$text"
-        else
-            echo dummy | awk '{ printf("%s", TEXT); }' TEXT="$text"
-        fi
-    fi
-    ;;
-
-install )
-    ##
-    ##  install -- Install a program, script or datafile
-    ##  Copyright (c) 1997-2000 Ralf S. Engelschall <rse@engelschall.com>
-    ##  Originally written for shtool
-    ##
-    
-    src="$1"
-    dst="$2"
-    
-    #  If destination is a directory, append the input filename
-    if [ -d $dst ]; then
-        dst=`echo "$dst" | sed -e 's:/$::'`
-        dstfile=`echo "$src" | sed -e 's;.*/\([^/]*\)$;\1;'`
-        dst="$dst/$dstfile"
-    fi
-    
-    #  Add a possible extension to src and dst
-    if [ ".$opt_e" != . ]; then
-        src="$src$opt_e"
-        dst="$dst$opt_e"
-    fi
-    
-    #  Check for correct arguments
-    if [ ".$src" = ".$dst" ]; then
-        echo "$msgprefix:Error: source and destination are the same" 1>&2
-        exit 1
-    fi
-    
-    #  Make a temp file name in the destination directory
-    dstdir=`echo $dst | sed -e 's;[^/]*$;;' -e 's;\(.\)/$;\1;' -e 's;^$;.;'`
-    dsttmp="$dstdir/#INST@$$#"
-    
-    #  Verbosity
-    if [ ".$opt_v" = .yes ]; then
-        echo "$src -> $dst" 1>&2
-    fi
-    
-    #  Copy or move the file name to the temp name
-    #  (because we might be not allowed to change the source)
-    if [ ".$opt_C" = .yes ]; then
-        opt_c=yes
-    fi
-    if [ ".$opt_c" = .yes ]; then
-        if [ ".$opt_t" = .yes ]; then
-            echo "cp $src $dsttmp" 1>&2
-        fi
-        cp $src $dsttmp || exit $?
-    else
-        if [ ".$opt_t" = .yes ]; then
-            echo "mv $src $dsttmp" 1>&2
-        fi
-        mv $src $dsttmp || exit $?
-    fi
-    
-    #  Adjust the target file
-    #  (we do chmod last to preserve setuid bits)
-    if [ ".$opt_s" = .yes ]; then
-        if [ ".$opt_t" = .yes ]; then
-            echo "strip $dsttmp" 1>&2
-        fi
-        strip $dsttmp || exit $?
-    fi
-    if [ ".$opt_o" != . ]; then
-        if [ ".$opt_t" = .yes ]; then
-            echo "chown $opt_o $dsttmp" 1>&2
-        fi
-        chown $opt_o $dsttmp || exit $?
-    fi
-    if [ ".$opt_g" != . ]; then
-        if [ ".$opt_t" = .yes ]; then
-            echo "chgrp $opt_g $dsttmp" 1>&2
-        fi
-        chgrp $opt_g $dsttmp || exit $?
-    fi
-    if [ ".$opt_m" != . ]; then
-        if [ ".$opt_t" = .yes ]; then
-            echo "chmod $opt_m $dsttmp" 1>&2
-        fi
-        chmod $opt_m $dsttmp || exit $?
-    fi
-    
-    #   Determine whether to do a quick install
-    #   (has to be done _after_ the strip was already done)
-    quick=no
-    if [ ".$opt_C" = .yes ]; then
-        if [ -r $dst ]; then
-            if cmp -s $src $dst; then
-                quick=yes
-            fi
-        fi
-    fi
-    
-    #   Finally install the file to the real destination
-    if [ $quick = yes ]; then
-        if [ ".$opt_t" = .yes ]; then
-            echo "rm -f $dsttmp" 1>&2
-        fi
-        rm -f $dsttmp
-    else
-        if [ ".$opt_t" = .yes ]; then
-            echo "rm -f $dst && mv $dsttmp $dst" 1>&2
-        fi
-        rm -f $dst && mv $dsttmp $dst
-    fi
-    ;;
-
-mkdir )
-    ##
-    ##  mkdir -- Make one or more directories
-    ##  Copyright (c) 1996-2000 Ralf S. Engelschall <rse@engelschall.com>
-    ##  Originally written for public domain by Noah Friedman <friedman@prep.ai.mit.edu>
-    ##  Cleaned up and enhanced for shtool
-    ##
-    
-    errstatus=0
-    for p in ${1+"$@"}; do
-        #   if the directory already exists...
-        if [ -d "$p" ]; then
-            if [ ".$opt_f" = .no ] && [ ".$opt_p" = .no ]; then
-                echo "$msgprefix:Error: directory already exists: $p" 1>&2
-                errstatus=1
-                break
-            else
-                continue
-            fi
-        fi
-        #   if the directory has to be created...
-        if [ ".$opt_p" = .no ]; then
-            if [ ".$opt_t" = .yes ]; then
-                echo "mkdir $p" 1>&2
-            fi
-            mkdir $p || errstatus=$?
-        else
-            #   the smart situation
-            set fnord `echo ":$p" |\
-                       sed -e 's/^:\//%/' \
-                           -e 's/^://' \
-                           -e 's/\// /g' \
-                           -e 's/^%/\//'`
-            shift
-            pathcomp=''
-            for d in ${1+"$@"}; do
-                pathcomp="$pathcomp$d"
-                case "$pathcomp" in
-                    -* ) pathcomp="./$pathcomp" ;;
-                esac
-                if [ ! -d "$pathcomp" ]; then
-                    if [ ".$opt_t" = .yes ]; then
-                        echo "mkdir $pathcomp" 1>&2
-                    fi
-                    mkdir $pathcomp || errstatus=$?
-                    if [ ".$opt_m" != . ]; then
-                        if [ ".$opt_t" = .yes ]; then
-                            echo "chmod $opt_m $pathcomp" 1>&2
-                        fi
-                        chmod $opt_m $pathcomp || errstatus=$?
-                    fi
-                fi
-                pathcomp="$pathcomp/"
-            done
-        fi
-    done
-    exit $errstatus
-    ;;
-
-esac
-
-exit 0
-
-##EOF##
diff --git a/aux/binpac/src/Makefile.am b/aux/binpac/src/Makefile.am
deleted file mode 100644
index 2dc2816c35..0000000000
--- a/aux/binpac/src/Makefile.am
+++ /dev/null
@@ -1,62 +0,0 @@
-## Process this file with automake to produce Makefile.in
-
-AM_YFLAGS = -d -t -v
-AM_CPPFLAGS = -W -Wall -Wno-unused
-
-noinst_PROGRAMS = binpac
-
-binpac_SOURCES = \
-	pac_scan.ll pac_parse.yy \
-	pac_action.cc \
-	pac_analyzer.cc \
-	pac_array.cc \
-	pac_attr.cc \
-	pac_btype.cc \
-	pac_case.cc \
-	pac_conn.cc \
-	pac_context.cc \
-	pac_cstr.cc \
-	pac_datadep.cc \
-	pac_dataptr.cc \
-	pac_dataunit.cc \
-	pac_decl.cc \
-	pac_embedded.cc \
-	pac_enum.cc \
-	pac_expr.cc \
-	pac_exttype.cc \
-	pac_field.cc \
-	pac_flow.cc \
-	pac_func.cc \
-	pac_id.cc \
-	pac_inputbuf.cc \
-	pac_let.cc \
-	pac_param.cc \
-	pac_paramtype.cc \
-	pac_primitive.cc \
-	pac_record.cc \
-	pac_redef.cc \
-	pac_regex.cc \
-	pac_state.cc \
-	pac_strtype.cc \
-	pac_type.cc \
-	pac_typedecl.cc \
-	pac_withinput.cc \
-	pac_output.cc pac_utils.cc pac_exception.cc \
-	pac_main.cc \
-	pac_action.h pac_analyzer.h pac_array.h pac_attr.h pac_btype.h \
-	pac_case.h pac_cclass.h pac_common.h pac_conn.h pac_context.h \
-	pac_cstr.h pac_ctype.h pac_datadep.h pac_dataptr.h pac_dataunit.h \
-	pac_dbg.h pac_decl-inl.h pac_decl.h pac_embedded.h pac_enum.h \
-	pac_exception.h pac_expr.h pac_exttype.h pac_field.h pac_flow.h \
-	pac_func.h pac_id.h pac_inputbuf.h pac_let.h pac_number.h \
-	pac_output.h pac_param.h pac_paramtype.h pac_parse.h pac_primitive.h \
-	pac_record.h pac_redef.h pac_regex.h pac_state.h pac_strtype.h \
-	pac_type.h pac_typedecl.h pac_utils.h pac_varfield.h pac_withinput.h
-
-EXTRA_DIST = pac_expr.def pac_type.def pac_externtype.def
-
-DISTCLEANFILES = pac_parse.cc pac_parse.h pac_scan.cc y.output
-
-# Manual rules below:
-
-pac_scan.o:	pac_parse.h
diff --git a/aux/binpac/src/pac_action.cc b/aux/binpac/src/pac_action.cc
deleted file mode 100644
index 0b1ac3574f..0000000000
--- a/aux/binpac/src/pac_action.cc
+++ /dev/null
@@ -1,119 +0,0 @@
-#include "pac_embedded.h"
-#include "pac_exception.h"
-#include "pac_id.h"
-#include "pac_output.h"
-#include "pac_type.h"
-#include "pac_typedecl.h"
-#include "pac_utils.h"
-
-#include "pac_action.h"
-
-AnalyzerAction::AnalyzerAction(ID *action_id, 
-	                       When when, 
-	                       ActionParam *param, 
-	                       EmbeddedCode *code)
-	: AnalyzerElement(ACTION),
-	  action_id_(action_id),
-	  when_(when),
-	  param_(param),
-	  code_(code),
-	  analyzer_(0) 
-	{
-	}
-
-AnalyzerAction::~AnalyzerAction()
-	{
-	delete action_id_;
-	delete param_;
-	delete code_;
-	}
-
-string AnalyzerAction::action_function() const
-	{
-	return strfmt("Action_%s", action_id_->Name());
-	}
-
-void AnalyzerAction::InstallHook(AnalyzerDecl *analyzer)
-	{
-	ASSERT(0);
-	analyzer_ = analyzer;
-	// param_->MainDataType()->InstallAction(this);
-	}
-
-void AnalyzerAction::GenCode(Output *out_h, Output *out_cc, AnalyzerDecl *decl)
-	{
-	Env action_func_env(decl->env(), this);
-	action_func_env.AddID(param_->id(), 
-	                      TEMP_VAR, 
-	                      param_->DataType());
-	action_func_env.SetEvaluated(param_->id());
-
-	string action_func_proto = 
-		strfmt("%s(%s)", 
-		       action_function().c_str(), 
-		       ParamDecls(&action_func_env).c_str());
-
-	out_h->println("void %s;", action_func_proto.c_str());
-
-	out_cc->println("void %s::%s", 
-	                decl->class_name().c_str(), 
-	                action_func_proto.c_str());
-	out_cc->inc_indent();
-	out_cc->println("{");
-
-	code_->GenCode(out_cc, &action_func_env);
-
-	out_cc->println("");
-	out_cc->println("}");
-	out_cc->dec_indent();
-	out_cc->println("");
-	}
-
-string AnalyzerAction::ParamDecls(Env *env) const
-	{
-	return param_->DeclStr(env);
-	}
-
-Type *ActionParam::MainDataType() const
-	{
-	// Note: this is not equal to DataType()
-	Type *main_type = TypeDecl::LookUpType(type()->type_id());
-
-	if ( ! main_type )
-		{
-		throw Exception(type()->type_id(), 
-		                "type not defined");
-		}
-
-	return main_type;
-	}
-
-Type *ActionParam::DataType() const
-	{
-	Type *main_type = MainDataType();
-
-	if ( ! type()->field_id() )
-		{
-		return main_type;
-		}
-	else
-		{
-		Type *member_type = 
-			main_type->MemberDataType(type()->field_id());
-		if ( ! member_type )
-			{
-			throw Exception(type()->field_id(),
-				fmt("cannot find member type for `%s.%s'",
-				    type()->type_id()->Name(),
-				    type()->field_id()->Name()));
-			}
-		return member_type;
-		}
-	}
-
-string ActionParam::DeclStr(Env *env) const
-	{
-	return strfmt("%s %s", 
-	              DataType()->DataTypeStr().c_str(), 
-	              env->LValue(id()));
-	}
diff --git a/aux/binpac/src/pac_action.h b/aux/binpac/src/pac_action.h
deleted file mode 100644
index df0828b823..0000000000
--- a/aux/binpac/src/pac_action.h
+++ /dev/null
@@ -1,74 +0,0 @@
-#ifndef pac_action_h
-#define pac_action_h
-
-// Classes representing analyzer actions.
-
-#include "pac_common.h"
-#include "pac_analyzer.h"
-
-class AnalyzerAction : public AnalyzerElement
-{
-public:
-	enum When { BEFORE, AFTER };
-
-	AnalyzerAction(ID *action_id, 
-	               When when, 
-	               ActionParam *param, 
-	               EmbeddedCode *code);
-
-	~AnalyzerAction();
-
-	When when() const		{ return when_; }
-	ActionParam *param() const	{ return param_; }
-	AnalyzerDecl *analyzer() const	{ return analyzer_; }
-	string action_function() const;
-
-	// Generate function prototype and code for the action
-	void GenCode(Output *out_h, Output *out_cc, AnalyzerDecl *decl);
-
-	// Install the hook at the corresponding data type parsing
-	// function to invoke the action.
-	void InstallHook(AnalyzerDecl *analyzer);
-
-private:
-	string ParamDecls(Env *env) const;
-
-	ID *action_id_;
-	When when_;
-	ActionParam *param_;
-	EmbeddedCode *code_;
-	AnalyzerDecl *analyzer_;
-};
-
-class ActionParam
-{
-public:
-	ActionParam(const ID *id, ActionParamType *type)
-		: id_(id), type_(type) {}
-
-	const ID *id() const		{ return id_; }
-	ActionParamType *type() const	{ return type_; }
-
-	Type *MainDataType() const;
-	Type *DataType() const;
-	string DeclStr(Env *env) const;
-
-private:
-	const ID *id_;
-	ActionParamType *type_;
-};
-
-class ActionParamType
-{
-public:
-	ActionParamType(const ID *type_id, const ID *field_id = 0)
-		: type_id_(type_id), field_id_(field_id) {}
-
-	const ID *type_id() const	{ return type_id_; }
-	const ID *field_id() const	{ return field_id_; }
-
-protected:
-	const ID *type_id_, *field_id_;
-};
-
-#endif  // pac_action_h
diff --git a/aux/binpac/src/pac_analyzer.cc b/aux/binpac/src/pac_analyzer.cc
deleted file mode 100644
index 0c01190a9d..0000000000
--- a/aux/binpac/src/pac_analyzer.cc
+++ /dev/null
@@ -1,358 +0,0 @@
-#include "pac_action.h"
-#include "pac_context.h"
-#include "pac_embedded.h"
-#include "pac_exception.h"
-#include "pac_expr.h"
-#include "pac_flow.h"
-#include "pac_func.h"
-#include "pac_output.h"
-#include "pac_param.h"
-#include "pac_paramtype.h"
-#include "pac_state.h"
-#include "pac_type.h"
-#include "pac_varfield.h"
-
-#include "pac_analyzer.h"
-
-AnalyzerDecl::AnalyzerDecl(ID *id, 
-                           DeclType decl_type,
-                           ParamList *params)
-	: TypeDecl(id, params, new DummyType())
-	{
-	decl_type_ = decl_type;
-
-	statevars_ = new StateVarList();
-	actions_ = new AnalyzerActionList();
-	helpers_ = new AnalyzerHelperList();
-	functions_ = new FunctionList();
-
-	constructor_helpers_ = new AnalyzerHelperList();
-	destructor_helpers_ = new AnalyzerHelperList();
-	eof_helpers_ = new AnalyzerHelperList();
-
-	SetAnalyzerContext();
-
-	env_ = 0;
-	}
-
-AnalyzerDecl::~AnalyzerDecl()
-	{
-	delete_list(StateVarList, statevars_);
-	delete_list(AnalyzerActionList, actions_);
-	delete_list(AnalyzerHelperList, helpers_);
-	delete_list(FunctionList, functions_);
-	delete_list(ParamList, params_);
-	delete_list(AnalyzerHelperList, constructor_helpers_);
-	delete_list(AnalyzerHelperList, destructor_helpers_);
-	delete_list(AnalyzerHelperList, eof_helpers_);
-	}
-
-void AnalyzerDecl::AddElements(AnalyzerElementList *elemlist)
-	{
-	ASSERT(! env_);
-	foreach(i, AnalyzerElementList, elemlist)
-		{
-		AnalyzerElement *elem = *i;
-		switch ( elem->type() )
-			{
-			case AnalyzerElement::STATE:
-				{
-				ASSERT(0);
-				AnalyzerState *state_elem = 
-					(AnalyzerState *) elem;
-				statevars_->insert(
-					statevars_->end(),
-					state_elem->statevars()->begin(),
-					state_elem->statevars()->end());
-				}
-				break;
-			case AnalyzerElement::ACTION:
-				{
-				ASSERT(0);
-				AnalyzerAction *action_elem = 
-					(AnalyzerAction *) elem;
-				actions_->push_back(action_elem);
-				}
-				break;
-			case AnalyzerElement::HELPER:
-				{
-				AnalyzerHelper *helper_elem = 
-					(AnalyzerHelper *) elem;
-
-				switch ( helper_elem->helper_type() )
-				        {
-					case AnalyzerHelper::INIT_CODE:
-					        constructor_helpers_->push_back(helper_elem);
-						break;
-					case AnalyzerHelper::CLEANUP_CODE:
- 				                destructor_helpers_->push_back(helper_elem);
-						break;
-					case AnalyzerHelper::EOF_CODE:
-					        eof_helpers_->push_back(helper_elem);
-						break;
-					default:
-					        helpers_->push_back(helper_elem);
-					}
-				}
-				break;
-			case AnalyzerElement::FUNCTION:
-				{
-				AnalyzerFunction *func_elem = 
-					(AnalyzerFunction *) elem;
-				Function *func = func_elem->function();
-				func->set_analyzer_decl(this);
-				functions_->push_back(func);
-				}
-				break;
-			case AnalyzerElement::FLOW:
-				{
-				AnalyzerFlow *flow_elem = 
-					(AnalyzerFlow *) elem;
-				ProcessFlowElement(flow_elem);
-				}
-				break;
-			case AnalyzerElement::DATAUNIT:
-				{
-				AnalyzerDataUnit *dataunit_elem = 
-					(AnalyzerDataUnit *) elem;
-				ProcessDataUnitElement(dataunit_elem);
-				}
-				break;
-			}
-		}
-	}
-
-string AnalyzerDecl::class_name() const
-	{ 
-	return id_->Name(); 
-	}
-
-void AnalyzerDecl::Prepare()
-	{
-	TypeDecl::Prepare();
-
-	ASSERT(statevars_->empty());
-	ASSERT(actions_->empty());
-
-	foreach(i, FunctionList, functions_)
-		{
-		Function *function = *i;
-		function->Prepare(env_);
-		}
-	foreach(i, StateVarList, statevars_)
-		{
-		StateVar *statevar = *i;
-		env_->AddID(statevar->id(), STATE_VAR, statevar->type());
-		}
-	foreach(i, AnalyzerActionList, actions_)
-		{
-		AnalyzerAction *action = *i;
-		action->InstallHook(this);
-		}
-	}
-
-void AnalyzerDecl::GenForwardDeclaration(Output* out_h)
-	{
-	out_h->println("class %s;", class_name().c_str());
-	foreach(i, FunctionList, functions_)
-		{
-		Function *function = *i;
-		function->GenForwardDeclaration(out_h);
-		}
-	}
-
-void AnalyzerDecl::GenActions(Output *out_h, Output *out_cc)
-	{
-	foreach(i, AnalyzerActionList, actions_)
-		{
-		(*i)->GenCode(out_h, out_cc, this);
-		}
-	}
-
-void AnalyzerDecl::GenHelpers(Output *out_h, Output *out_cc)
-	{
-	foreach(i, AnalyzerHelperList, helpers_)
-		{
-		(*i)->GenCode(out_h, out_cc, this);
-		}
-	}
-
-void AnalyzerDecl::GenPubDecls(Output *out_h, Output *out_cc)
-	{
-	TypeDecl::GenPubDecls(out_h, out_cc);
-
-	GenProcessFunc(out_h, out_cc);
-	GenGapFunc(out_h, out_cc);
-	GenEOFFunc(out_h, out_cc);
-	out_h->println("");
-
-	if ( ! functions_->empty() )
-		{
-		out_h->println("// Functions");
-		GenFunctions(out_h, out_cc);
-		out_h->println("");
-		}
-
-	// TODO: export public state variables
-	}
-
-void AnalyzerDecl::GenPrivDecls(Output *out_h, Output *out_cc)
-	{
-	TypeDecl::GenPrivDecls(out_h, out_cc);
-
-	if ( ! helpers_->empty() )
-		{
-		out_h->println("");
-		out_h->println("// Additional members");
-		GenHelpers(out_h, out_cc);
-		}
-
-	// TODO: declare state variables
-	}
-
-void AnalyzerDecl::GenInitCode(Output *out_cc)
-	{
-	TypeDecl::GenInitCode(out_cc);
-	foreach(i, AnalyzerHelperList, constructor_helpers_)
-		{
-		(*i)->GenCode(0, out_cc, this);
-		}
-	}
-
-void AnalyzerDecl::GenCleanUpCode(Output *out_cc)
-	{
-	TypeDecl::GenCleanUpCode(out_cc);
-	foreach(i, AnalyzerHelperList, destructor_helpers_)
-		{
-		(*i)->GenCode(0, out_cc, this);
-		}
-	}
-
-void AnalyzerDecl::GenStateVarDecls(Output *out_h)
-	{
-	foreach(i, StateVarList, statevars_)
-		{
-		StateVar *var = *i;
-		var->GenDecl(out_h, env_);
-		}
-	}
-
-void AnalyzerDecl::GenStateVarSetFunctions(Output *out_h)
-	{
-	foreach(i, StateVarList, statevars_)
-		{
-		StateVar *var = *i;
-		var->GenSetFunction(out_h, env_);
-		}
-	}
-
-void AnalyzerDecl::GenStateVarInitCode(Output *out_cc)
-	{
-	foreach(i, StateVarList, statevars_)
-		{
-		StateVar *var = *i;
-		var->GenInitCode(out_cc, env_);
-		}
-	}
-
-void AnalyzerDecl::GenStateVarCleanUpCode(Output *out_cc)
-	{
-	foreach(i, StateVarList, statevars_)
-		{
-		StateVar *var = *i;
-		var->GenCleanUpCode(out_cc, env_);
-		}
-	}
-
-void AnalyzerDecl::GenFunctions(Output *out_h, Output *out_cc)
-	{
-	foreach(i, FunctionList, functions_)
-		{
-		Function *function = *i;
-		function->GenCode(out_h, out_cc);
-		}
-	}
-
-AnalyzerState::~AnalyzerState()
-	{
-	// Note: do not delete elements of statevars_, because they
-	// are referenced by the AnalyzerDecl.
-	delete statevars_;
-	}
-
-AnalyzerHelper::~AnalyzerHelper()
-	{
-	delete code_;
-	}
-
-void AnalyzerHelper::GenCode(Output *out_h, Output *out_cc, AnalyzerDecl *decl)
-	{
-	Output *out = 0;
-	switch ( helper_type_ )
-		{
-		case MEMBER_DECLS:
-			out = out_h;
-			break;
-		case INIT_CODE:
-		case CLEANUP_CODE:
-		case EOF_CODE:
-			out = out_cc;
-			break;
-		}
-	ASSERT(out);
-	code()->GenCode(out, decl->env());
-	}
-
-FlowField::FlowField(ID *flow_id, ParameterizedType *flow_type)
-	: Field(FLOW_FIELD, 
-		TYPE_NOT_TO_BE_PARSED | CLASS_MEMBER | PUBLIC_READABLE, 
-		flow_id, flow_type)
-	{
-	}
-
-void FlowField::GenInitCode(Output *out_cc, Env *env)
-	{
-	type_->GenPreParsing(out_cc, env);
-	}
-
-AnalyzerFlow::AnalyzerFlow(Direction dir, ID *type_id, ExprList *params)
-	: AnalyzerElement(FLOW),
-	  dir_(dir),
-	  type_id_(type_id)
-	{
-	if ( ! params )
-		params = new ExprList();
-
-	// Add "this" to the list of params
-	params->insert(params->begin(), new Expr(this_id->clone()));
-
-	ID *flow_id = ((dir == UP) ? upflow_id : downflow_id)->clone();
-
-	ParameterizedType *flow_type = new ParameterizedType(type_id_, params);
-
-	flow_field_ = new FlowField(flow_id, flow_type);
-
-	flow_decl_ = 0;
-	}
-
-AnalyzerFlow::~AnalyzerFlow()
-	{
-	delete flow_field_;
-	}
-
-FlowDecl *AnalyzerFlow::flow_decl()
-	{
-	DEBUG_MSG("Getting flow_decl for %s\n", type_id_->Name());
-	if ( ! flow_decl_ )
-		{
-		Decl *decl = Decl::LookUpDecl(type_id_);
-		if ( decl && decl->decl_type() == Decl::FLOW )
-			flow_decl_ = static_cast<FlowDecl *>(decl);
-		if ( ! flow_decl_ )
-			{
-			throw Exception(this, 
-			                "cannot find the flow declaration");
-			}
-		}
-	return flow_decl_;
-	}
diff --git a/aux/binpac/src/pac_analyzer.h b/aux/binpac/src/pac_analyzer.h
deleted file mode 100644
index a5fd5245aa..0000000000
--- a/aux/binpac/src/pac_analyzer.h
+++ /dev/null
@@ -1,168 +0,0 @@
-#ifndef pac_analyzer_h
-#define pac_analyzer_h
-
-#include "pac_common.h"
-#include "pac_field.h"
-#include "pac_typedecl.h"
-
-class AnalyzerElement;
-class AnalyzerState;
-class AnalyzerAction;	// defined in pac_action.h
-class AnalyzerHelper;
-class AnalyzerFlow;
-class AnalyzerDataUnit;
-class AnalyzerFunction;
-class ConnDecl;
-class FlowDecl;
-typedef vector<AnalyzerHelper *> AnalyzerHelperList;
-typedef vector<Function *> FunctionList;
-
-class AnalyzerDecl : public TypeDecl
-{
-public:
-	AnalyzerDecl(ID *id, DeclType decl_type, ParamList *params);
-	~AnalyzerDecl();
-
-	void AddElements(AnalyzerElementList *elemlist);
-
-	void Prepare();
-	void GenForwardDeclaration(Output *out_h);
-	// void GenCode(Output *out_h, Output *out_cc);
-
-	void GenInitCode(Output *out_cc);
-	void GenCleanUpCode(Output *out_cc);
-
-	string class_name() const;
-	// string cookie_name() const;
-
-protected:
-	virtual void ProcessFlowElement(AnalyzerFlow *flow_elem) = 0;
-	virtual void ProcessDataUnitElement(AnalyzerDataUnit *dataunit_elem) = 0;
-
-	// Generate public/private declarations for member functions and 
-	// variables
-	void GenPubDecls(Output *out_h, Output *out_cc);
-	void GenPrivDecls(Output *out_h, Output *out_cc);
-
-	// Generate the NewData() function
-	virtual void GenProcessFunc(Output *out_h, Output *out_cc) = 0;
-
-	// Generate the NewGap() function
-	virtual void GenGapFunc(Output *out_h, Output *out_cc) = 0;
-
-	// Generate the FlowEOF() function
-	virtual void GenEOFFunc(Output *out_h, Output *out_cc) = 0;
-
-	// Generate the functions
-	void GenFunctions(Output *out_h, Output *out_cc);
-
-	// Generate the action functions
-	void GenActions(Output *out_h, Output *out_cc);
-
-	// Generate the helper code segments
-	void GenHelpers(Output *out_h, Output *out_cc);
-
-	// Generate declarations for state variables and their set functions
-	void GenStateVarDecls(Output *out_h);
-	void GenStateVarSetFunctions(Output *out_h);
-
-	// Generate code for initializing and cleaning up (including
-	// memory de-allocating) state variables
-	void GenStateVarInitCode(Output *out_cc);
-	void GenStateVarCleanUpCode(Output *out_cc);
-
-	StateVarList *statevars_;
-	AnalyzerActionList *actions_;
-	AnalyzerHelperList *helpers_;
-	FunctionList *functions_;
-
-	AnalyzerHelperList *constructor_helpers_;
-	AnalyzerHelperList *destructor_helpers_;
-	AnalyzerHelperList *eof_helpers_;
-};
-
-class AnalyzerElement : public Object
-{
-public:
-	enum ElementType { STATE, ACTION, FUNCTION, HELPER, FLOW, DATAUNIT };
-	AnalyzerElement(ElementType type)
-		: type_(type) {}
-	virtual ~AnalyzerElement() {}
-
-	ElementType type() const	{ return type_; }
-
-private:
-	ElementType type_;
-};
-
-// A collection of variables representing analyzer states.
-class AnalyzerState : public AnalyzerElement
-{
-public:
-	AnalyzerState(StateVarList *statevars)
-		: AnalyzerElement(STATE),
-		  statevars_(statevars) {}
-	~AnalyzerState();
-
-	StateVarList *statevars() const	{ return statevars_; }
-
-private:
-	StateVarList *statevars_;
-};
-
-// A collection of embedded C++ code
-class AnalyzerHelper : public AnalyzerElement
-{
-public:
-	enum Type {
-		MEMBER_DECLS,
-		INIT_CODE,
-		CLEANUP_CODE,
-		EOF_CODE,
-	};
-	AnalyzerHelper(Type helper_type, EmbeddedCode *code)
-		: AnalyzerElement(HELPER),
-		  helper_type_(helper_type), 
-		  code_(code) {}
-	~AnalyzerHelper();
-
-	Type helper_type() const	{ return helper_type_; }
-
-	void GenCode(Output *out_h, Output *out_cc, AnalyzerDecl *decl);
-
-	EmbeddedCode *code() const	{ return code_; }
-
-private:
-	Type helper_type_;
-	EmbeddedCode *code_;
-};
-
-// The type and parameters of (uni-directional) flows of a connection.
-
-class FlowField : public Field
-{
-public:
-	FlowField(ID *flow_id, ParameterizedType *flow_type);
-	void GenInitCode(Output *out, Env *env);
-};
-
-class AnalyzerFlow : public AnalyzerElement
-{
-public:
-	enum Direction { UP, DOWN };
-	AnalyzerFlow(Direction dir, ID *type_id, ExprList *params);
-	~AnalyzerFlow();
-
-	Direction dir() const		{ return dir_; }
-	FlowField *flow_field() const	{ return flow_field_; }
-
-	FlowDecl *flow_decl();
-
-private:
-	Direction dir_;
-	ID *type_id_;
-	FlowField *flow_field_;
-	FlowDecl *flow_decl_;
-};
-
-#endif  // pac_analyzer_h
diff --git a/aux/binpac/src/pac_array.cc b/aux/binpac/src/pac_array.cc
deleted file mode 100644
index 7477ba050b..0000000000
--- a/aux/binpac/src/pac_array.cc
+++ /dev/null
@@ -1,700 +0,0 @@
-#include "pac_attr.h"
-#include "pac_dataptr.h"
-#include "pac_exception.h"
-#include "pac_expr.h"
-#include "pac_exttype.h"
-#include "pac_id.h"
-#include "pac_number.h"
-#include "pac_output.h"
-#include "pac_utils.h"
-#include "pac_varfield.h"
-
-#include "pac_array.h"
-
-ArrayType::ArrayType(Type *elemtype, Expr *length)
-	: Type(ARRAY), elemtype_(elemtype), length_(length)
-	{
-	init();
-
-	switch ( elemtype_->tot() )
-		{
-		case BUILTIN:
-		case PARAMETERIZED:
-		case STRING:
-		case EXTERN:
-			break;
-
-		case ARRAY:
-		case CASE:
-		case DUMMY:
-		case EMPTY:
-		case RECORD:
-		case UNDEF:
-			ASSERT(0);
-			break;
-		}
-	}
-
-void ArrayType::init()
-	{
-	arraylength_var_field_ = 0;
-	elem_it_var_field_ = 0;
-	elem_var_field_ = 0;
-	elem_dataptr_var_field_ = 0;
-	elem_input_var_field_ = 0;
-
-	elem_dataptr_until_expr_ = 0;
-
-	end_of_array_loop_label_ = "@@@";
-
-	vector_str_ = strfmt("vector<%s>", elemtype_->DataTypeStr().c_str());
-
-	datatype_str_ = strfmt("%s *", vector_str_.c_str());
-
-	attr_generic_until_expr_ = 0;
-	attr_until_element_expr_ = 0;
-	attr_until_input_expr_ = 0;
-	}
-
-ArrayType::~ArrayType()
-	{
-	delete arraylength_var_field_;
-	delete elem_it_var_field_;
-	delete elem_var_field_;
-	delete elem_dataptr_var_field_;
-	delete elem_input_var_field_;
-
-	delete elem_dataptr_until_expr_;
-	}
-
-Type *ArrayType::DoClone() const
-	{
-	Type *elemtype = elemtype_->Clone();
-	if ( ! elemtype )
-		return 0;
-	return new ArrayType(elemtype, length_);
-	}
-
-bool ArrayType::DefineValueVar() const
-	{
-	return true;
-	}
-
-string ArrayType::DataTypeStr() const
-	{
-	return datatype_str_;
-	}
-
-Type *ArrayType::ElementDataType() const
-	{
-	return elemtype_;
-	}
-
-string ArrayType::EvalElement(const string &array, const string &index) const
-	{
-	return strfmt("(*(%s))[%s]", array.c_str(), index.c_str());
-	}
-
-const ID *ArrayType::arraylength_var() const
-	{
-	return arraylength_var_field_ ? arraylength_var_field_->id() : 0;
-	}
-
-const ID *ArrayType::elem_it_var() const
-	{
-	return elem_it_var_field_ ? elem_it_var_field_->id() : 0;
-	}
-
-const ID *ArrayType::elem_var() const
-	{
-	return elem_var_field_ ? elem_var_field_->id() : 0;
-	}
-
-const ID *ArrayType::elem_dataptr_var() const
-	{
-	return elem_dataptr_var_field_ ? elem_dataptr_var_field_->id() : 0;
-	}
-
-const ID *ArrayType::elem_input_var() const
-	{
-	return elem_input_var_field_ ? elem_input_var_field_->id() : 0;
-	}
-
-void ArrayType::ProcessAttr(Attr *a)
-	{
-	Type::ProcessAttr(a);
-
-	switch ( a->type() )
-		{
-		case ATTR_RESTOFDATA:
-			{
-			if ( elemtype_->StaticSize(env()) != 1 )
-				{
-				throw Exception(elemtype_, 
-					"&restofdata can be applied"
-					" to only byte arrays");
-				}
-			if ( length_ )
-				{
-				throw Exception(length_, 
-					"&restofdata cannot be applied"
-					" to arrays with specified length");
-				}
-			attr_restofdata_ = true;
-			// As the array automatically extends to the end of 
-			// data, we do not have to check boundary.
-			SetBoundaryChecked();
-			}
-			break;
-
-		case ATTR_RESTOFFLOW:
-			attr_restofflow_ = true;
-			// TODO: handle &restofflow
-			break;
-
-		case ATTR_UNTIL:
-			{
-			bool ref_element = a->expr()->HasReference(element_macro_id);
-			bool ref_input = a->expr()->HasReference(input_macro_id);
-			if ( ref_element && ref_input )
-				{
-				throw Exception(a->expr(), 
-					"cannot reference both $element and $input "
-					"in the same &until---please separate them.");
-				}
-
-			if ( ref_element )
-				{
-				if ( attr_until_element_expr_ )
-					{
-					throw Exception(a->expr(), 
-						"multiple &until on $element");
-					}
-				attr_until_element_expr_ = a->expr();
-				}
-			else if ( ref_input )
-				{
-				if ( attr_until_input_expr_ )
-					{
-					throw Exception(a->expr(), 
-						"multiple &until on $input");
-					}
-				attr_until_input_expr_ = a->expr();
-				}
-			else
-				{
-				if ( attr_generic_until_expr_ )
-					{
-					throw Exception(a->expr(), 
-						"multiple &until condition");
-					}
-				attr_generic_until_expr_ = a->expr();
-				}
-			}
-			break;
-
-		default:
-			break;
-		}
-	}
-
-void ArrayType::Prepare(Env *env, int flags)
-	{
-	if ( flags & TO_BE_PARSED )
-		{
-		ID *arraylength_var = new ID(fmt("%s__arraylength", value_var()->Name()));
-		ID *elem_var = new ID(fmt("%s__elem", value_var()->Name()));
-		ID *elem_it_var = new ID(fmt("%s__it", elem_var->Name()));
-
-		elem_var_field_ = 
-			new ParseVarField(Field::CLASS_MEMBER, elem_var, elemtype_);
-		AddField(elem_var_field_);
-
-		if ( incremental_parsing() )
-			{
-			arraylength_var_field_ = 
-				new PrivVarField(arraylength_var, extern_type_int->Clone());
-			elem_it_var_field_ = 
-				new PrivVarField(elem_it_var, extern_type_int->Clone());
-
-			AddField(arraylength_var_field_);
-			AddField(elem_it_var_field_);
-			}
-		else
-			{
-			arraylength_var_field_ = 
-				new TempVarField(arraylength_var, extern_type_int->Clone());
-			elem_it_var_field_ = 
-				new TempVarField(elem_it_var, extern_type_int->Clone());
-
-			arraylength_var_field_->Prepare(env);
-			elem_it_var_field_->Prepare(env);
-
-			// Add elem_dataptr_var only when not parsing incrementally
-			ID *elem_dataptr_var = 
-				new ID(fmt("%s__dataptr", elem_var->Name()));
-			elem_dataptr_var_field_ = new TempVarField(
-				elem_dataptr_var, 
-				extern_type_const_byteptr->Clone());
-			elem_dataptr_var_field_->Prepare(env);
-
-			// until(dataptr >= end_of_data)
-			elem_dataptr_until_expr_ = new Expr(
-				Expr::EXPR_GE, 
-				new Expr(elem_dataptr_var->clone()),
-				new Expr(end_of_data->clone()));
-			}
-
-		if ( attr_until_input_expr_ )
-			{
-			elemtype_->SetUntilCheck(this);
-			}
-
-		end_of_array_loop_label_ = strfmt("end_of_%s", value_var()->Name());
-		}
-
-	Type::Prepare(env, flags);
-	}
-
-void ArrayType::GenArrayLength(Output *out_cc, Env *env, const DataPtr& data)
-	{
-	if ( env->Evaluated(arraylength_var()) )
-		return;
-
-	if ( ! incremental_parsing() )
-		{
-		arraylength_var_field_->GenTempDecls(out_cc, env);
-		arraylength_var_field_->GenInitCode(out_cc, env);
-		}
-
-	if ( length_ )
-		{
-		out_cc->println("%s = %s;", 
-			env->LValue(arraylength_var()), 
-			length_->EvalExpr(out_cc, env));
-
-		env->SetEvaluated(arraylength_var());
-
-		// Check for overlong array length. We cap it at the
-		// maximum data size as we won't store more elements.
-		out_cc->println("if ( t_begin_of_data + %s > t_end_of_data + 1 )",
-			env->LValue(arraylength_var()));
-		out_cc->inc_indent();
-		out_cc->println("{");
-		out_cc->println("%s = t_end_of_data - t_begin_of_data + 1;",
-			env->LValue(arraylength_var()));
-		out_cc->println("}");
-		out_cc->dec_indent();
-		
-		// Check negative array length
-		out_cc->println("if ( %s < 0 )",
-			env->LValue(arraylength_var())); 
-		out_cc->inc_indent();
-		out_cc->println("{");
-		out_cc->println("%s = 0;",
-			env->LValue(arraylength_var())); 
-		out_cc->println("}");
-		out_cc->dec_indent();
-		}
-	else if ( attr_restofdata_ )
-		{
-		ASSERT(elemtype_->StaticSize(env) == 1);
-		out_cc->println("%s = (%s) - (%s);", 
-			env->LValue(arraylength_var()), 
-			env->RValue(end_of_data),
-			data.ptr_expr());
-		env->SetEvaluated(arraylength_var());
-		}
-	}
-
-void ArrayType::GenPubDecls(Output *out_h, Env *env)
-	{
-	Type::GenPubDecls(out_h, env);
-
-	if ( declared_as_type() )
-		{
-		out_h->println("int size() const	{ return %s ? %s->size() : 0; }",
-			env->RValue(value_var()),
-			env->RValue(value_var()));
-		out_h->println("%s operator[](int index) const { BINPAC_ASSERT(%s); return (*%s)[index]; }",
-			elemtype_->DataTypeConstRefStr().c_str(),
-			env->RValue(value_var()),
-			env->RValue(value_var()));
-		}
-	}
-
-void ArrayType::GenPrivDecls(Output *out_h, Env *env)
-	{
-	ASSERT(elem_var_field_->type() == elemtype_);
-	ASSERT(elemtype_->value_var());
-	Type::GenPrivDecls(out_h, env);
-	}
-
-void ArrayType::GenInitCode(Output *out_cc, Env *env)
-	{
-	// Do not initiate the array here
-	// out_cc->println("%s = new %s;", lvalue(), vector_str_.c_str());
-	out_cc->println("%s = 0;", lvalue());
-
-	Type::GenInitCode(out_cc, env);
-	if ( incremental_parsing() )
-		{
-		out_cc->println("%s = -1;", 
-			env->LValue(elem_it_var()));
-		}
-	}
-
-void ArrayType::GenCleanUpCode(Output *out_cc, Env *env)
-	{
-	Type::GenCleanUpCode(out_cc, env);
-	if ( elemtype_->NeedsCleanUp() )
-		{
-		if ( ! elem_var_field_ )
-			{
-			ID *elem_var = new ID(fmt("%s__elem", value_var()->Name()));
-			elem_var_field_ = 
-				new ParseVarField(
-					Field::NOT_CLASS_MEMBER, 
-					elem_var, 
-					elemtype_);
-			elem_var_field_->Prepare(env);
-			}
-
-		out_cc->println("if ( %s )", env->RValue(value_var()));
-		out_cc->inc_indent();
-		out_cc->println("{");
-
-		out_cc->println("for ( int i = 0; i < (int) %s->size(); ++i )",
-			env->RValue(value_var()));
-		out_cc->inc_indent();
-		out_cc->println("{");
-		out_cc->println("%s %s = (*%s)[i];", 
-			elemtype_->DataTypeStr().c_str(), 
-			env->LValue(elem_var()), 
-			lvalue());
-		elemtype_->GenCleanUpCode(out_cc, env);
-		out_cc->println("}");
-		out_cc->dec_indent();
-
-		out_cc->println("}");
-		out_cc->dec_indent();
-		}
-	out_cc->println("delete %s;", lvalue());
-	}
-
-string ArrayType::GenArrayInit(Output *out_cc, Env *env, bool known_array_length)
-	{
-	string array_str;
-
-	array_str = lvalue();
-	if ( incremental_parsing() )
-		{
-		out_cc->println("if ( %s < 0 )", 
-			env->LValue(elem_it_var()));
-		out_cc->inc_indent();
-		out_cc->println("{");
-		out_cc->println("// Initialize only once");
-		out_cc->println("%s = 0;", env->LValue(elem_it_var()));
-		}
-
-	out_cc->println("%s = new %s;", 
-		lvalue(), vector_str_.c_str());
-
-	if ( known_array_length )
-		{
-		out_cc->println("%s->reserve(%s);", 
-			lvalue(), env->RValue(arraylength_var()));
-		}
-
-	if ( incremental_parsing() )
-		{
-		out_cc->println("}");
-		out_cc->dec_indent();
-		}
-
-	return array_str;
-	}
-
-void ArrayType::GenElementAssignment(Output *out_cc, Env *env,
-		string const &array_str, bool use_vector)
-	{
-	// Assign the element
-	if ( ! use_vector )
-		{
-		out_cc->println("%s[%s] = %s;", 
-			array_str.c_str(), 
-			env->LValue(elem_it_var()), 
-			env->LValue(elem_var()));
-		}
-	else
-		{
-		out_cc->println("%s->push_back(%s);", 
-			array_str.c_str(), 
-			env->LValue(elem_var()));
-		}
-	}
-
-void ArrayType::DoGenParseCode(Output *out_cc, Env *env, 
-		const DataPtr& data, int flags)
-	{
-	GenArrayLength(out_cc, env, data);
-
-	// Otherwise these variables are declared as member variables
-	if ( ! incremental_parsing() )
-		{
-		// Declare and initialize temporary variables
-		elem_var_field_->GenInitCode(out_cc, env);
-		elem_it_var_field_->GenTempDecls(out_cc, env);
-		out_cc->println("%s = 0;", env->LValue(elem_it_var()));
-		env->SetEvaluated(elem_it_var());
-		}
-
-	/*
-	If the input length can be determined without parsing
-	individual elements, generate the boundary checking before
-	parsing (unless in the case of incremental parsing).
-
-	There are two cases when the input length can be determined:
-	1. The array has a static size;
-	2. The array length can be computed before parsing and
-   	each element is of constant size.
-	*/
-
-	bool compute_size_var = false;
-
-	if ( incremental_input() )
-		{
-		// Do not compute size_var on incremental input
-		compute_size_var = false;
-		
-		if ( ! incremental_parsing() &&
-		     ( StaticSize(env) >= 0 ||
-		       ( env->Evaluated(arraylength_var()) && 
-		         elemtype_->StaticSize(env) >= 0 ) ) )
-			{
-			GenBoundaryCheck(out_cc, env, data);
-			}
-		}
-	else
-		{
-		compute_size_var = AddSizeVar(out_cc, env);
-		}
-
-	bool known_array_length = env->Evaluated(arraylength_var());
-	string array_str = GenArrayInit(out_cc, env, known_array_length);
-
-	bool use_vector = true;
-
-	ASSERT(elem_it_var());
-
-	DataPtr elem_data(env, 0, 0);
-
-	if ( elem_dataptr_var() )
-		{
-		out_cc->println("const_byteptr %s = %s;", 
-			env->LValue(elem_dataptr_var()), data.ptr_expr());
-		env->SetEvaluated(elem_dataptr_var());
-
-		elem_data = DataPtr(env, elem_dataptr_var(), 0);
-		}
-
-	string for_condition = known_array_length ?
-		strfmt("%s < %s", 
-			env->LValue(elem_it_var()), 
-			env->RValue(arraylength_var())) :
-		"/* forever */";
-
-	out_cc->println("for (; %s; ++%s)", 
-		for_condition.c_str(), 
-		env->LValue(elem_it_var()));
-	out_cc->inc_indent();
-	out_cc->println("{");
-
-	if ( attr_generic_until_expr_ )
-		GenUntilCheck(out_cc, env, attr_generic_until_expr_, true);
-
-	if ( elem_dataptr_var() )
-		GenUntilCheck(out_cc, env, elem_dataptr_until_expr_, false);
-	
-	elemtype_->GenPreParsing(out_cc, env);
-	elemtype_->GenParseCode(out_cc, env, elem_data, flags);
-
-	if ( incremental_parsing() ) 
-		{
-		out_cc->println("if ( ! %s )", 
-			elemtype_->parsing_complete(env).c_str());
-		out_cc->inc_indent();
-		out_cc->println("goto %s;", kNeedMoreData);
-		out_cc->dec_indent();
-		}
-
-	GenElementAssignment(out_cc, env, array_str, use_vector);
-
-	if ( elem_dataptr_var() )
-		{
-		out_cc->println("%s += %s;", 
-			env->LValue(elem_dataptr_var()), 
-			elemtype_->DataSize(0, env, elem_data).c_str());
-		out_cc->println("BINPAC_ASSERT(%s <= %s);",
-			env->RValue(elem_dataptr_var()), 
-			env->RValue(end_of_data));
-		}
-
-	if ( attr_until_element_expr_ )
-		GenUntilCheck(out_cc, env, attr_until_element_expr_, false);
-
-	if ( elemtype_->IsPointerType() )
-		out_cc->println("%s = 0;", env->LValue(elem_var()));
-
-	out_cc->println("}");
-	out_cc->dec_indent();
-
-	out_cc->dec_indent();
-	out_cc->println("%s: ;", end_of_array_loop_label_.c_str());
-	out_cc->inc_indent();
-
-	if ( compute_size_var && elem_dataptr_var() && ! env->Evaluated(size_var()) )
-		{
-		// Compute the data size
-		out_cc->println("%s = %s - (%s);", 
-			env->LValue(size_var()),
-			env->RValue(elem_dataptr_var()),
-			data.ptr_expr());
-		env->SetEvaluated(size_var());
-		}
-	}
-
-void ArrayType::GenUntilInputCheck(Output *out_cc, Env *env)
-	{
-	ID *elem_input_var_id = new ID(
-		fmt("%s__elem_input", value_var()->Name()));
-	elem_input_var_field_ = new TempVarField(
-		elem_input_var_id, extern_type_const_bytestring->Clone());
-	elem_input_var_field_->Prepare(env);
-
-	out_cc->println("%s %s(%s, %s);", 
-		extern_type_const_bytestring->DataTypeStr().c_str(),
-		env->LValue(elem_input_var()),
-		env->RValue(begin_of_data),
-		env->RValue(end_of_data));
-	env->SetEvaluated(elem_input_var());
-
-	GenUntilCheck(out_cc, env, attr_until_input_expr_, true);
-	}
-
-void ArrayType::GenUntilCheck(Output *out_cc, Env *env, 
-		Expr *until_expr, bool delete_elem)
-	{
-	ASSERT(until_expr);
-
-	Env check_env(env, this);
-	check_env.AddMacro(element_macro_id, 
-		new Expr(elem_var()->clone()));
-	if ( elem_input_var() )
-		{
-		check_env.AddMacro(input_macro_id, 
-			new Expr(elem_input_var()->clone()));
-		}
-
-	out_cc->println("// Check &until(%s)", until_expr->orig());
-	out_cc->println("if ( %s )", 
-		until_expr->EvalExpr(out_cc, &check_env));
-	out_cc->inc_indent();
-	out_cc->println("{");
-	if ( parsing_complete_var() )
-		{
-		out_cc->println("%s = true;",
-			env->LValue(parsing_complete_var()));
-		}
-
-	if ( elemtype_->IsPointerType() )
-		{
-		if ( delete_elem )
-			elemtype_->GenCleanUpCode(out_cc, env);
-		else
-			out_cc->println("%s = 0;", env->LValue(elem_var()));
-		}
-
-	out_cc->println("goto %s;", end_of_array_loop_label_.c_str());
-	out_cc->println("}");
-	out_cc->dec_indent();
-	}
-
-void ArrayType::GenDynamicSize(Output *out_cc, Env *env,
-		const DataPtr& data)
-	{
-	ASSERT(! incremental_input());
-	DEBUG_MSG("Generating dynamic size for array `%s'\n", 
-		value_var()->Name());
-
-	int elem_w = elemtype_->StaticSize(env);
-	if ( elem_w >= 0 &&
-	     ! attr_until_element_expr_ && 
-	     ! attr_until_input_expr_ &&
-	     ( length_ || attr_restofdata_ ) )
-		{
-		// If the elements have a fixed size,
-		// we only need to compute the number of elements
-		bool compute_size_var = AddSizeVar(out_cc, env);
-		ASSERT(compute_size_var);
-		GenArrayLength(out_cc, env, data);
-		ASSERT(env->Evaluated(arraylength_var()));
-		out_cc->println("%s = %d * %s;",
-			env->LValue(size_var()), elem_w, env->RValue(arraylength_var()));
-		env->SetEvaluated(size_var());
-		}
-	else
-		{
-		// Otherwise we need parse the array dynamically
-		GenParseCode(out_cc, env, data, 0);
-		}
-	}
-
-int ArrayType::StaticSize(Env *env) const
-	{
-	int num = 0;
-
-	if ( ! length_ || ! length_->ConstFold(env, &num) )
-		return -1;
-
-	int elem_w = elemtype_->StaticSize(env);
-	if ( elem_w < 0 )
-		return -1;
-
-	DEBUG_MSG("static size of %s:%s = %d * %d\n", 
-		decl_id()->Name(), lvalue(), elem_w, num);
-
-	return num * elem_w;
-	}
-
-void ArrayType::SetBoundaryChecked()
-	{
-	Type::SetBoundaryChecked();
-	elemtype_->SetBoundaryChecked();
-	}
-
-void ArrayType::DoMarkIncrementalInput()
-	{
-	elemtype_->MarkIncrementalInput(); 
-	}
-
-bool ArrayType::RequiresAnalyzerContext()
-	{ 
-	return Type::RequiresAnalyzerContext() ||
-	       ( length_ && length_->RequiresAnalyzerContext() ) || 
-	       elemtype_->RequiresAnalyzerContext(); 
-	}
-
-bool ArrayType::DoTraverse(DataDepVisitor *visitor)
-	{ 
-	if ( ! Type::DoTraverse(visitor) )
-		return false;
-
-	if ( length_ && ! length_->Traverse(visitor) )
-		return false;
-
-	if ( ! elemtype_->Traverse(visitor) )
-		return false; 
-
-	return true;
-	}
diff --git a/aux/binpac/src/pac_array.h b/aux/binpac/src/pac_array.h
deleted file mode 100644
index 022ef2ea4a..0000000000
--- a/aux/binpac/src/pac_array.h
+++ /dev/null
@@ -1,92 +0,0 @@
-#ifndef pac_array_h
-#define pac_array_h
-
-#include "pac_common.h"
-#include "pac_type.h"
-
-// Fixed-length array and variable length sequence with an ending pattern
-
-class ArrayType : public Type
-{
-public:
-	ArrayType(Type *arg_elemtype, Expr *arg_length = 0);
-	~ArrayType();
-
-	bool DefineValueVar() const;
-	string DataTypeStr() const;
-	string DefaultValue() const	{ return "0"; }
-	Type *ElementDataType() const;
-
-	string EvalElement(const string &array, const string &index) const;
-
-	void ProcessAttr(Attr *a);
-
-	void Prepare(Env *env, int flags);
-
-	void GenPubDecls(Output *out, Env *env);
-	void GenPrivDecls(Output *out, Env *env);
-
-	void GenInitCode(Output *out, Env *env);
-	void GenCleanUpCode(Output *out, Env *env);
-
-	int StaticSize(Env *env) const;
-
-	void SetBoundaryChecked();
-	void GenUntilInputCheck(Output *out_cc, Env *env);
-
-	bool IsPointerType() const	{ return true; }
-
-protected:
-	void init();
-
-	void DoGenParseCode(Output *out, Env *env, const DataPtr& data, int flags);
-	void GenDynamicSize(Output *out, Env *env, const DataPtr& data);
-	void GenArrayLength(Output *out_cc, Env *env, const DataPtr& data);
-	string GenArrayInit(Output *out_cc, Env *env, bool known_array_length);
-	void GenElementAssignment(Output *out_cc, Env *env,
-		string const &array_str, bool use_vector);
-	void GenUntilCheck(Output *out_cc, Env *env, 
-		Expr *until_condition, bool delete_elem);
-
-	bool ByteOrderSensitive() const 
-		{ 
-		return elemtype_->RequiresByteOrder(); 
-		}
-	bool RequiresAnalyzerContext();
-
-	Type *DoClone() const;
-
-	void DoMarkIncrementalInput();
-
-	const ID *arraylength_var() const;
-	const ID *elem_it_var() const;
-	const ID *elem_var() const;
-	const ID *elem_dataptr_var() const;
-	const ID *elem_input_var() const;
-
-protected:
-	bool DoTraverse(DataDepVisitor *visitor);
-
-private:
-	Type *elemtype_;
-	Expr *length_;
-
-	string vector_str_;
-	string datatype_str_;
-	string end_of_array_loop_label_;
-
-	Field *arraylength_var_field_;
-	Field *elem_it_var_field_;
-	Field *elem_var_field_;
-	Field *elem_dataptr_var_field_;
-	Field *elem_input_var_field_;
-
-	// This does not come from &until, but is internally generated
-	Expr *elem_dataptr_until_expr_;
-
-	Expr *attr_generic_until_expr_;
-	Expr *attr_until_element_expr_;
-	Expr *attr_until_input_expr_;
-};
-
-#endif  // pac_array_h
diff --git a/aux/binpac/src/pac_attr.cc b/aux/binpac/src/pac_attr.cc
deleted file mode 100644
index cfd6263be6..0000000000
--- a/aux/binpac/src/pac_attr.cc
+++ /dev/null
@@ -1,57 +0,0 @@
-#include "pac_attr.h"
-#include "pac_expr.h"
-
-bool Attr::DoTraverse(DataDepVisitor *visitor)
-	{
-	if ( expr_ && ! expr_->Traverse(visitor) )
-		return false;
-	return true;
-	}
-
-bool Attr::RequiresAnalyzerContext() const
-	{
-	return (expr_ && expr_->RequiresAnalyzerContext());
-	}
-
-void Attr::init()
-	{
-	expr_ = 0;
-	seqend_ = 0;
-	}
-
-Attr::Attr(AttrType type)
-	: DataDepElement(DataDepElement::ATTR)
-	{
-	type_ = type;
-	init();
-	}
-
-Attr::Attr(AttrType type, Expr *expr)
-	: DataDepElement(DataDepElement::ATTR)
-	{
-	type_ = type;
-	init();
-	expr_ = expr;
-	}
-
-Attr::Attr(AttrType type, ExprList *exprlist)
-	: DataDepElement(DataDepElement::ATTR)
-	{
-	type_ = type;
-	init();
-	expr_ = new Expr(exprlist);
-	}
-
-Attr::Attr(AttrType type, SeqEnd *seqend)
-	: DataDepElement(DataDepElement::ATTR)
-	{
-	type_ = type;
-	init();
-	seqend_ = seqend;
-	}
-
-LetAttr::LetAttr(FieldList *letfields)
-	: Attr(ATTR_LET)
-	{
-	letfields_ = letfields;
-	}
diff --git a/aux/binpac/src/pac_attr.h b/aux/binpac/src/pac_attr.h
deleted file mode 100644
index 67bdbedc8d..0000000000
--- a/aux/binpac/src/pac_attr.h
+++ /dev/null
@@ -1,61 +0,0 @@
-#ifndef pac_attr_h
-#define pac_attr_h
-
-#include "pac_common.h"
-#include "pac_datadep.h"
-
-enum AttrType { 
-	ATTR_BYTEORDER, 
-	ATTR_CHECK, 
-	ATTR_CHUNKED,
-	ATTR_EXPORTSOURCEDATA,
-	ATTR_IF,
-	ATTR_LENGTH, 
-	ATTR_LET,
-	ATTR_LINEBREAKER,
-	ATTR_MULTILINE,
-	ATTR_ONELINE,
-	ATTR_REFCOUNT,
-	ATTR_REQUIRES,
-	ATTR_RESTOFDATA, 
-	ATTR_RESTOFFLOW, 
-	ATTR_TRANSIENT,
-	ATTR_UNTIL,
-};
-
-class Attr : public Object, public DataDepElement
-{
-public:
-	Attr(AttrType type);
-	Attr(AttrType type, Expr *expr);
-	Attr(AttrType type, ExprList *exprlist);
-	Attr(AttrType type, SeqEnd *seqend);
-
-	AttrType type() const 		{ return type_; }
-	Expr *expr() const		{ return expr_; }
-	SeqEnd *seqend() const		{ return seqend_; }
-
-	bool RequiresAnalyzerContext() const;
-
-protected:
-	bool DoTraverse(DataDepVisitor *visitor);
-
-protected:
-	void init();
-
-	AttrType type_;
-	Expr *expr_;
-	SeqEnd *seqend_;
-};
-
-class LetAttr : public Attr
-{
-public:
-	LetAttr(FieldList *letfields);
-	FieldList *letfields() const	{ return letfields_; }
-
-private:
-	FieldList *letfields_;
-};
-
-#endif  // pac_attr_h
diff --git a/aux/binpac/src/pac_btype.cc b/aux/binpac/src/pac_btype.cc
deleted file mode 100644
index a7df6f7bf3..0000000000
--- a/aux/binpac/src/pac_btype.cc
+++ /dev/null
@@ -1,144 +0,0 @@
-#include "pac_btype.h"
-#include "pac_dataptr.h"
-#include "pac_id.h"
-#include "pac_output.h"
-
-Type *BuiltInType::DoClone() const
-	{
-	return new BuiltInType(bit_type());
-	}
-
-bool BuiltInType::IsNumericType() const
-	{
-	BITType t = bit_type();
-	return (t == INT8 || t == INT16 || t == INT32 ||
-	        t == UINT8 || t == UINT16 || t == UINT32);
-	}
-
-bool BuiltInType::CompatibleBuiltInTypes(BuiltInType *type1, 
-	                                 BuiltInType *type2)
-	{
-	return type1->IsNumericType() && type2->IsNumericType();
-	}
-
-static const char* basic_pactype_name[] = {
-#	define TYPE_DEF(name, pactype, ctype, size)	pactype,
-#	include "pac_type.def"
-#	undef TYPE_DEF
-	0,
-};
-
-void BuiltInType::static_init()
-	{
-	for ( int bit_type = 0; basic_pactype_name[bit_type]; ++bit_type )
-		{
-		Type::AddPredefinedType(
-			basic_pactype_name[bit_type], 
-			new BuiltInType((BITType) bit_type));
-		}
-	}
-
-int BuiltInType::LookUpByName(const char* name)
-	{
-	ASSERT(0);
-	for ( int i = 0; basic_pactype_name[i]; ++i )
-		if ( strcmp(basic_pactype_name[i], name) == 0 )
-			return i;
-	return -1;
-	}
-
-static const char* basic_ctype_name[] = {
-#	define TYPE_DEF(name, pactype, ctype, size)	ctype,
-#	include "pac_type.def"
-#	undef TYPE_DEF
-	0,
-};
-
-bool BuiltInType::DefineValueVar() const
-	{
-	return bit_type_ != EMPTY;
-	}
-
-string BuiltInType::DataTypeStr() const
-	{
-	return basic_ctype_name[bit_type_];
-	}
-
-int BuiltInType::StaticSize(Env* /* env */) const
-	{
-	static const size_t basic_type_size[] = 
-		{
-#		define TYPE_DEF(name, pactype, ctype, size)	size,
-#		include "pac_type.def"
-#		undef TYPE_DEF
-		};
-
-	return basic_type_size[bit_type_];
-	}
-
-void BuiltInType::DoMarkIncrementalInput()
-	{
-	if ( bit_type_ == EMPTY )
-		return;
-	Type::DoMarkIncrementalInput();
-	}
-
-void BuiltInType::GenInitCode(Output* out_cc, Env* env)
-	{
-	if ( bit_type_ != EMPTY )
-		out_cc->println("%s = 0;", env->LValue(value_var()));
-	Type::GenInitCode(out_cc, env);
-	}
-
-void BuiltInType::GenDynamicSize(Output* out_cc, Env* env, const DataPtr& data)
-	{
-	/* should never be called */
-	ASSERT(0);
-	}
-
-void BuiltInType::DoGenParseCode(Output* out_cc, Env* env,
-		const DataPtr& data, int flags)
-	{
-	if ( bit_type_ == EMPTY )
-		return;
-
-	// There is no need to generate the size variable
-	// out_cc->println("%s = sizeof(%s);", size_var(), DataTypeStr().c_str());
-
-	GenBoundaryCheck(out_cc, env, data);
-
-	if ( anonymous_value_var() )
-		return;
-
-	switch ( bit_type_ ) 
-		{
-		case EMPTY:
-			// do nothing
-			break;
-
-		case INT8:
-		case UINT8:
-			out_cc->println("%s = *((%s const *) (%s));",
-				lvalue(), DataTypeStr().c_str(), data.ptr_expr()); 
-			break;
-		case INT16:
-		case UINT16:
-		case INT32:
-		case UINT32:
-#if 0
-			out_cc->println("%s = UnMarshall<%s>(%s, %s);",
-				lvalue(), 
-				DataTypeStr().c_str(), 
-				data.ptr_expr(),
-				EvalByteOrder(out_cc, env).c_str());
-#else
-			out_cc->println("%s = FixByteOrder(%s, *((%s const *) (%s)));",
-				lvalue(), 
-				EvalByteOrder(out_cc, env).c_str(),
-				DataTypeStr().c_str(), 
-				data.ptr_expr());
-#endif
-			break;
-		}
-	}
-
diff --git a/aux/binpac/src/pac_btype.h b/aux/binpac/src/pac_btype.h
deleted file mode 100644
index 4bdbf9390b..0000000000
--- a/aux/binpac/src/pac_btype.h
+++ /dev/null
@@ -1,52 +0,0 @@
-#ifndef pac_btype_h
-#define pac_btype_h
-
-#include "pac_type.h"
-
-class BuiltInType : public Type
-{
-public:
-	enum BITType {
-#		define TYPE_DEF(name, pactype, ctype, size)	name,
-#		include "pac_type.def"
-#		undef TYPE_DEF
-	};
-
-	static int LookUpByName(const char *name);
-
-	BuiltInType(BITType bit_type)
-		: Type(bit_type == BuiltInType::EMPTY ? Type::EMPTY : BUILTIN),
-		  bit_type_(bit_type) {}
-
-	BITType bit_type() const	{ return bit_type_; }
-
-	bool IsNumericType() const;
-
-	bool DefineValueVar() const;
-	string DataTypeStr() const;
-	string DefaultValue() const	{ return "0"; }
-
-	int StaticSize(Env *env) const;
-
-	bool IsPointerType() const	{ return false; }
-
-	bool ByteOrderSensitive() const { return StaticSize(0) >= 2; }
-
-	void GenInitCode(Output *out_cc, Env *env);
-
-	void DoMarkIncrementalInput();
-
-protected:
-	void DoGenParseCode(Output *out, Env *env, const DataPtr& data, int flags);
-	void GenDynamicSize(Output *out, Env *env, const DataPtr& data);
-	Type *DoClone() const;
-
-	BITType bit_type_;
-
-public:
-	static void static_init();
-	static bool CompatibleBuiltInTypes(BuiltInType *type1, 
-	                                   BuiltInType *type2);
-};
-
-#endif  // pac_btype_h
diff --git a/aux/binpac/src/pac_case.cc b/aux/binpac/src/pac_case.cc
deleted file mode 100644
index b809d61b6e..0000000000
--- a/aux/binpac/src/pac_case.cc
+++ /dev/null
@@ -1,391 +0,0 @@
-#include "pac_exception.h"
-#include "pac_expr.h"
-#include "pac_exttype.h"
-#include "pac_id.h"
-#include "pac_output.h"
-#include "pac_typedecl.h"
-#include "pac_utils.h"
-
-#include "pac_case.h"
-
-CaseType::CaseType(Expr* index_expr, CaseFieldList* cases)
-	: Type(CASE), index_expr_(index_expr), cases_(cases) 
-	{
-	index_var_ = 0;
-	foreach(i, CaseFieldList, cases_)
-		AddField(*i);
-	}
-
-CaseType::~CaseType()
-	{
-	delete index_var_;
-	delete index_expr_;
-	delete cases_;
-	}
-
-void CaseType::AddCaseField(CaseField *f)
-	{
-	// All fields must be added before Prepare()
-	ASSERT(!env());
-
-	AddField(f);
-	cases_->push_back(f);
-	}
-
-bool CaseType::DefineValueVar() const
-	{
-	return false;
-	}
-
-string CaseType::DataTypeStr() const
-	{
-	ASSERT(type_decl());
-	return strfmt("%s *", type_decl()->class_name().c_str());
-	}
-
-Type *CaseType::ValueType() const
-	{
-	foreach (i, CaseFieldList, cases_)
-		{
-		CaseField *c = *i;
-		return c->type();
-		}
-	ASSERT(0);
-	return 0;
-	}
-
-string CaseType::DefaultValue() const
-	{
-	return ValueType()->DefaultValue();
-	}
-
-void CaseType::Prepare(Env* env, int flags)
-	{
-	ASSERT(flags & TO_BE_PARSED);
-
-	index_var_ = new ID(fmt("%s_case_index", value_var()->Name()));
-	env->AddID(index_var_, MEMBER_VAR, extern_type_int);
-
-	// Sort the cases_ to put the default case at the end of the list
-	CaseFieldList::iterator default_case_it = 
-		cases_->end(); // to avoid warning
-	CaseField *default_case = 0;
-
-	foreach (i, CaseFieldList, cases_)
-		{
-		CaseField *c = *i;
-		if ( ! c->index() )
-			{
-			if ( default_case )
-				throw Exception(c, "duplicate default case");
-			default_case_it = i;
-			default_case = c;
-			}
-		}
-	if ( default_case )
-		{
-		cases_->erase(default_case_it);
-		cases_->push_back(default_case);
-		}
-
-	foreach (i, CaseFieldList, cases_)
-		{
-		CaseField *c = *i;
-		c->set_index_var(index_var_);
-		c->set_case_type(this);
-		}
-
-	Type::Prepare(env, flags);
-	}
-
-void CaseType::GenPrivDecls(Output* out_h, Env* env)
-	{
-	out_h->println("int %s;", env->LValue(index_var_));
-	Type::GenPrivDecls(out_h, env);
-	}
-
-void CaseType::GenPubDecls(Output* out_h, Env* env)
-	{
-	out_h->println("int %s const	{ return %s; }",
-		env->RValue(index_var_), env->LValue(index_var_));
-	Type::GenPubDecls(out_h, env);
-	}
-
-void CaseType::GenInitCode(Output* out_cc, Env* env)
-	{
-	out_cc->println("%s = -1;", env->LValue(index_var_));
-	Type::GenInitCode(out_cc, env);
-	}
-
-void CaseType::GenCleanUpCode(Output* out_cc, Env* env)
-	{
-	Type::GenCleanUpCode(out_cc, env);
-
-	env->set_in_branch(true);
-	out_cc->println("switch ( %s )", env->RValue(index_var_));
-	out_cc->inc_indent();
-	out_cc->println("{");
-	foreach (i, CaseFieldList, cases_)
-		{
-		CaseField *c = *i;
-		c->GenCleanUpCode(out_cc, env);
-		}
-	out_cc->println("}");
-	out_cc->dec_indent();
-	env->set_in_branch(false);
-	}
-
-void CaseType::DoGenParseCode(Output* out_cc, Env* env,
-		const DataPtr& data, int flags)
-	{
-	if ( StaticSize(env) >= 0 )
-		GenBoundaryCheck(out_cc, env, data);
-
-	bool compute_size_var = false;
-
-	if ( ! incremental_input() )
-		compute_size_var = AddSizeVar(out_cc, env);
-
-	out_cc->println("%s = %s;", 
-		env->LValue(index_var_), index_expr_->EvalExpr(out_cc, env));
-	env->SetEvaluated(index_var_);
-	
-	env->set_in_branch(true);
-	out_cc->println("switch ( %s )", env->RValue(index_var_));
-	out_cc->inc_indent();
-	out_cc->println("{");
-	bool has_default_case = false;
-	foreach (i, CaseFieldList, cases_)
-		{
-		CaseField *c = *i;
-		c->GenParseCode(out_cc, env, data, 
-			compute_size_var ? size_var() : 0);
-		if ( c->IsDefaultCase() )
-			has_default_case = true;
-		}
-
-	if ( ! has_default_case )
-		{
-		out_cc->println("default:");
-		out_cc->inc_indent();
-		out_cc->println("throw ExceptionInvalidCaseIndex(\"%s\", %s);", 
-			decl_id()->Name(), env->RValue(index_var_));
-		out_cc->println("break;");
-		out_cc->dec_indent();
-		}
-	out_cc->println("}");
-	out_cc->dec_indent();
-	env->set_in_branch(false);
-
-	if ( compute_size_var )
-		env->SetEvaluated(size_var());
-	}
-
-void CaseType::GenDynamicSize(Output* out_cc, Env* env,
-		const DataPtr& data)
-	{
-	GenParseCode(out_cc, env, data, 0);
-	}
-
-int CaseType::StaticSize(Env* env) const
-	{
-	int static_w = -1;
-	foreach (i, CaseFieldList, cases_)
-		{
-		CaseField *c = *i;
-		int w = c->StaticSize(env);
-		if ( w < 0 || ( static_w >= 0 && w != static_w ) )
-			return -1;
-		static_w = w;
-		}
-	return static_w;
-	}
-
-void CaseType::SetBoundaryChecked()
-	{
-	Type::SetBoundaryChecked();
-	foreach (i, CaseFieldList, cases_)
-		{
-		CaseField *c = *i;
-		c->SetBoundaryChecked();
-		}
-	}
-
-void CaseType::DoMarkIncrementalInput()
-	{
-	foreach (i, CaseFieldList, cases_)
-		{
-		CaseField *c = *i;
-		c->type()->MarkIncrementalInput();
-		}
-	}
-
-bool CaseType::ByteOrderSensitive() const
-	{
-	foreach (i, CaseFieldList, cases_)
-		{
-		CaseField *c = *i;
-		if ( c->RequiresByteOrder() )
-			return true;
-		}
-	return false;
-	}
-
-CaseField::CaseField(ExprList* index, ID* id, Type* type)
-	: Field(CASE_FIELD, 
-		TYPE_TO_BE_PARSED | CLASS_MEMBER | PUBLIC_READABLE, 
-		id, type), 
-	  index_(index)
-	{
-	ASSERT(type_);
-	type_->set_value_var(id, MEMBER_VAR);
-	case_type_ = 0;
-	}
-
-CaseField::~CaseField()
-	{
-	delete_list(ExprList, index_);
-	}
-
-void GenCaseStr(ExprList *index_list, Output *out_cc, Env *env)
-	{
-	if ( index_list )
-		{
-		foreach(i, ExprList, index_list)
-			{
-			Expr *index_expr = *i;
-			int index_const;
-			
-			if ( ! index_expr->ConstFold(env, &index_const) )
-				throw ExceptionNonConstExpr(index_expr);
-			out_cc->println("case %d:", index_const);
-			}
-		}
-	else
-		{
-		out_cc->println("default:");
-		}
-	}
-
-void CaseField::Prepare(Env* env)
-	{
-	ASSERT(index_var_);
-	Field::Prepare(env);
-	}
-
-void CaseField::GenPubDecls(Output* out_h, Env* env)
-	{
-	if ( ! ((flags_ & PUBLIC_READABLE) && (flags_ & CLASS_MEMBER)) )
-		return;
-
-	// Skip type "empty"
-	if ( type_->DataTypeStr().empty() )
-		return;
-
-	out_h->println("%s %s const",
-		type_->DataTypeConstRefStr().c_str(), env->RValue(id_));
-
-	out_h->inc_indent();
-	out_h->println("{");
-
-	if ( ! index_ )
-		out_h->println("return %s;", lvalue());
-	else
-		{
-		out_h->println("switch ( %s )", env->RValue(index_var_));
-		out_h->inc_indent();
-		out_h->println("{");
-		GenCaseStr(index_, out_h, env);
-		out_h->inc_indent();
-		out_h->println("break;  // OK");
-		out_h->dec_indent();
-
-		out_h->println("default:");
-		out_h->inc_indent();
-		out_h->println("throw ExceptionInvalidCase(\"%s\", %s, \"%s\");", 
-		               id_->LocName(), 
-		               env->RValue(index_var_), 
-		               OrigExprList(index_).c_str());
-		out_h->println("break;");
-		out_h->dec_indent();
-
-		out_h->println("}");
-		out_h->dec_indent();
-
-		out_h->println("return %s;", lvalue());
-		}
-
-	out_h->println("}");
-	out_h->dec_indent();
-	}
-
-void CaseField::GenInitCode(Output* out_cc, Env* env)
-	{
-	// GenCaseStr(index_, out_cc, env);
-	// out_cc->inc_indent();
-	// out_cc->println("{");
-	// out_cc->println("// Initialize \"%s\"", id_->Name());
-	type_->GenInitCode(out_cc, env);
-	// out_cc->println("}");
-	// out_cc->println("break;");
-	// out_cc->dec_indent();
-	}
-
-void CaseField::GenCleanUpCode(Output* out_cc, Env* env)
-	{
-	GenCaseStr(index_, out_cc, env);
-	out_cc->inc_indent();
-	out_cc->println("// Clean up \"%s\"", id_->Name());
-	out_cc->println("{");
-	if ( ! anonymous_field() )
-		type_->GenCleanUpCode(out_cc, env);
-	out_cc->println("}");
-	out_cc->println("break;");
-	out_cc->dec_indent();
-	}
-
-void CaseField::GenParseCode(Output* out_cc, Env* env, 
-		const DataPtr& data, const ID* size_var)
-	{
-	GenCaseStr(index_, out_cc, env);
-	out_cc->inc_indent();
-	out_cc->println("// Parse \"%s\"", id_->Name());
-	out_cc->println("{");
-	
-	{
-	Env case_env(env, this);
-	Env *env = &case_env;
-
-	type_->GenPreParsing(out_cc, env);
-	type_->GenParseCode(out_cc, env, data, 0);
-	if ( size_var )
-		{
-		out_cc->println("%s = %s;", 
-			env->LValue(size_var),
-			type_->DataSize(out_cc, env, data).c_str());
-		}
-	if ( type_->incremental_input() )
-		{
-		ASSERT(case_type()->parsing_complete_var());
-		out_cc->println("%s = %s;", 
-			env->LValue(case_type()->parsing_complete_var()),
-			env->RValue(type_->parsing_complete_var()));
-		}
-	out_cc->println("}");
-	}
-
-	out_cc->println("break;");
-	out_cc->dec_indent();
-	}
-
-bool CaseField::DoTraverse(DataDepVisitor *visitor)
-	{ 
-	return Field::DoTraverse(visitor) &&
-	       type()->Traverse(visitor); 
-	}
-
-bool CaseField::RequiresAnalyzerContext() const 
-	{ 
-	return Field::RequiresAnalyzerContext() ||
-	       type()->RequiresAnalyzerContext(); 
-	}
diff --git a/aux/binpac/src/pac_case.h b/aux/binpac/src/pac_case.h
deleted file mode 100644
index c9e416cfe1..0000000000
--- a/aux/binpac/src/pac_case.h
+++ /dev/null
@@ -1,99 +0,0 @@
-#ifndef pac_case_h
-#define pac_case_h
-
-#include "pac_common.h"
-#include "pac_field.h"
-#include "pac_id.h"
-#include "pac_type.h"
-
-class CaseType : public Type
-{
-public:
-	CaseType(Expr *index, CaseFieldList *cases);
-	~CaseType();
-
-	void AddCaseField(CaseField *f);
-
-	bool DefineValueVar() const;
-	string DataTypeStr() const;
-	string DefaultValue() const;
-
-	void Prepare(Env *env, int flags);
-
-	void GenPubDecls(Output *out, Env *env);
-	void GenPrivDecls(Output *out, Env *env);
-
-	void GenInitCode(Output *out, Env *env);
-	void GenCleanUpCode(Output *out, Env *env);
-
-	int StaticSize(Env *env) const;
-
-	void SetBoundaryChecked();
-
-	Type *ValueType() const;
-
-	bool IsPointerType() const	{ return ValueType()->IsPointerType(); }
-
-protected:
-	void DoGenParseCode(Output *out, Env *env, const DataPtr& data, int flags);
-	void GenDynamicSize(Output *out, Env *env, const DataPtr& data);
-	Type *DoClone() const 	{ return 0; }
-	void DoMarkIncrementalInput();
-
-	bool ByteOrderSensitive() const;
-
-	Expr *index_expr_;
-	ID *index_var_;
-	CaseFieldList *cases_;
-
-	typedef map<const ID*, CaseField*, ID_ptr_cmp> member_map_t;
-	member_map_t member_map_;
-};
-
-class CaseField : public Field
-{
-public:
-	CaseField(ExprList *index, ID *id, Type *type);
-	~CaseField();
-
-	CaseType *case_type() const	{ return case_type_; }
-	void set_case_type(CaseType *t)	{ case_type_ = t; }
-
-	ExprList *index() const		{ return index_; }
-
-	const char *lvalue() const	{ return type_->lvalue(); }
-
-	const char *CaseStr(Env *env);
-	void set_index_var(const ID *var) { index_var_ = var; }
-	
-	void Prepare(Env *env);
-
-	void GenPubDecls(Output *out, Env *env);
-
-	void GenInitCode(Output *out, Env *env);
-	void GenCleanUpCode(Output *out, Env *env);
-	void GenParseCode(Output *out, Env *env, 
-		const DataPtr& data, const ID *size_var);
-
-	int StaticSize(Env *env) const 	{ return type_->StaticSize(env); }
-
-	bool IsDefaultCase() const	{ return ! index_; }
-	void SetBoundaryChecked()	{ type_->SetBoundaryChecked(); }
-
-	bool RequiresByteOrder() const	{ return type_->RequiresByteOrder(); }
-	bool RequiresAnalyzerContext() const;
-
-protected:
-	bool DoTraverse(DataDepVisitor *visitor);
-
-protected:
-	CaseType *case_type_;
-	ExprList *index_;
-	const ID *index_var_;
-};
-
-// Generate a list of "case X:" lines from index_list. Each index
-// expression must be constant foldable.
-void GenCaseStr(ExprList *index_list, Output *out_cc, Env *env);
-
-#endif  // pac_case_h
diff --git a/aux/binpac/src/pac_cclass.h b/aux/binpac/src/pac_cclass.h
deleted file mode 100644
index 87a7595996..0000000000
--- a/aux/binpac/src/pac_cclass.h
+++ /dev/null
@@ -1,81 +0,0 @@
-#ifndef pac_cclass_h
-#define pac_cclass_h
-
-class CClass;
-class CClassMember;
-class CClassMethod;
-class CType;
-class CVariable;
-
-typedef vector<CClassMember *> CClassMemberList;
-typedef vector<CClassMethod *> CClassMethodList;
-typedef vector<CVariable *> CVariableList;
-
-#include "pac_common.h"
-
-// Represents a C++ class.
-// 
-// For now we adopt a simple model:
-// 
-// 1. All members have a protected member variable "name_" and a
-// public constant access method "name()".
-// 
-// 2. All methods are public.
-//
-// 3. We do not check repeated names.
-
-class CClass
-{
-public:
-	CClass(const string &class_name);
-
-	void AddMember(CClassMember *member);
-	void AddMethod(CClassMember *method);
-
-	void GenForwardDeclaration(Output *out_h);
-	void GenCode(Output *out_h, Output *out_cc);
-
-protected:
-	string class_name_;
-	CClassMemberList *members_;
-	CClassMethodList *methods_;
-};
-
-class CVariable
-{
-public:
-	CClassMember(const string &name, CType *type);
-
-	string name() const { return name_; }
-	CType *type() const { return type_; }
-
-protected:
-	string name_;
-	CType *type_;
-};
-
-class CClassMember
-{
-public:
-	CClassMember(CVariable *var);
-	void GenCode(Output *out_h, Output *out_cc);
-
-	string decl() const;
-
-protected:
-	CVariable *var_;
-};
-
-class CClassMethod
-{
-public:
-	CClassMethod(CVariable *var, CVariableList *params);
-
-	string decl() const;
-
-protected:
-	CVariable *var_;
-	CVariableList *params_;
-};
-
-#endif  // pac_cclass_h
diff --git a/aux/binpac/src/pac_common.h b/aux/binpac/src/pac_common.h
deleted file mode 100644
index 81e59c184e..0000000000
--- a/aux/binpac/src/pac_common.h
+++ /dev/null
@@ -1,134 +0,0 @@
-#ifndef pac_common_h
-#define pac_common_h
-
-#include "pac_utils.h"
-
-#include <vector>
-
-#include <ctype.h>
-#include <string.h>
-#include <stdlib.h>
-
-using namespace std;
-
-extern bool FLAGS_pac_debug;
-extern vector<string> FLAGS_include_directories;
-extern string input_filename;
-extern int line_number;
-
-// Definition of class Object, which is the base class for all objects
-// representing language elements -- identifiers, types, expressions,
-// etc.
-
-class Object
-{
-public:
-	Object()
-		{
-		filename = input_filename;
-		line_num = line_number;
-		location = strfmt("%s:%d", filename.c_str(), line_number);
-		}
-
-	~Object()
-		{
-		}
-
-	const char* Location() const	{ return location.c_str(); }
-
-protected:
-	string filename;
-	int line_num;
-	string location;
-};
-
-class ActionParam;
-class ActionParamType;
-class AnalyzerAction;
-class AnalyzerContextDecl;
-class AnalyzerDecl;
-class AnalyzerElement;
-class ArrayType;
-class Attr;
-class CClass;
-class CType;
-class ConstString;
-class CaseExpr;
-class CaseField;
-class ContextField;
-class DataPtr;
-class Decl;
-class EmbeddedCode;
-class Enum;
-class Env;
-class ExternType;
-class Expr;
-class Field;
-class Function;
-class InputBuffer;
-class LetDef;
-class LetField;
-class ID;
-class Number;
-class Output;
-class PacPrimitive;
-class Param;
-class ParameterizedType;
-class RecordType;
-class RecordField;
-class RecordDataField;
-class RecordPaddingField;
-class RegEx;
-class SeqEnd;
-class StateVar;
-class Type;
-class TypeDecl;
-class WithInputField;
-
-// The ID of the current declaration.
-extern const ID* current_decl_id;
-
-typedef vector<ActionParam*>		ActionParamList;
-typedef vector<AnalyzerAction*> 	AnalyzerActionList;
-typedef vector<AnalyzerElement*>	AnalyzerElementList;
-typedef vector<Attr*> 			AttrList;
-typedef vector<CaseExpr*> 		CaseExprList;
-typedef vector<CaseField*> 		CaseFieldList;
-typedef vector<ContextField*> 		ContextFieldList;
-typedef vector<Decl*> 			DeclList;
-typedef vector<Enum*>			EnumList;
-typedef vector<Expr*> 			ExprList;
-typedef vector<Field*> 			FieldList;
-typedef vector<LetField*> 		LetFieldList;
-typedef vector<Number*>			NumList;
-typedef vector<Param*> 			ParamList;
-typedef vector<RecordField*> 		RecordFieldList;
-typedef vector<StateVar*>		StateVarList;
-
-#define foreach(i, ct, pc) \
-	if ( pc ) \
-		for ( ct::iterator i = (pc)->begin(); i != (pc)->end(); ++i )
-
-#define delete_list(ct, pc) \
-	{ \
-	foreach(delete_list_i, ct, pc) 		\
-		delete *delete_list_i;		\
-	delete pc;				\
-	pc = 0;					\
-	}
-
-// Constants
-const char * const kComputeFrameLength = "compute_frame_length";
-const char * const kFlowBufferClass = "FlowBuffer";
-const char * const kFlowBufferVar = "flow_buffer";
-const char * const kFlowEOF = "FlowEOF";
-const char * const kFlowGap = "NewGap";
-const char * const kInitialBufferLengthFunc = "initial_buffer_length";
-const char * const kNeedMoreData = "need_more_data";
-const char * const kNewData = "NewData";
-const char * const kParseFuncWithBuffer = "ParseBuffer";
-const char * const kParseFuncWithoutBuffer = "Parse";
-const char * const kRefCountClass = "binpac::RefCount";
-const char * const kTypeWithLengthClass = "binpac::TypeWithLength";
-
-#endif  // pac_common_h
diff --git a/aux/binpac/src/pac_conn.cc b/aux/binpac/src/pac_conn.cc
deleted file mode 100644
index d9159cae5a..0000000000
--- a/aux/binpac/src/pac_conn.cc
+++ /dev/null
@@ -1,169 +0,0 @@
-#include "pac_analyzer.h"
-#include "pac_dataunit.h"
-#include "pac_embedded.h"
-#include "pac_exception.h"
-#include "pac_expr.h"
-#include "pac_flow.h"
-#include "pac_output.h"
-#include "pac_paramtype.h"
-#include "pac_type.h"
-
-#include "pac_conn.h"
-
-ConnDecl::ConnDecl(ID *conn_id, 
-                   ParamList *params,
-                   AnalyzerElementList *elemlist)
-	: AnalyzerDecl(conn_id, CONN, params)
-	{
-	flows_[0] = flows_[1] = 0;
-	AddElements(elemlist);
-	data_type_ = new ParameterizedType(conn_id->clone(), 0);
-	}
-
-ConnDecl::~ConnDecl()
-	{
-	delete flows_[0];
-	delete flows_[1];
-	}
-
-void ConnDecl::AddBaseClass(vector<string> *base_classes) const
-	{
-	base_classes->push_back("binpac::ConnectionAnalyzer"); 
-	} 
-
-void ConnDecl::ProcessFlowElement(AnalyzerFlow *flow_elem)
-	{
-	int flow_index;
-
-	if ( flow_elem->dir() == AnalyzerFlow::UP )
-		flow_index = 0;
-	else
-		flow_index = 1;
-
-	if ( flows_[flow_index] )
-		{
-		throw Exception(flow_elem,
-		                fmt("%sflow already defined", 
-		                    flow_index == 0 ? "up" : "down"));
-		}
-
-	flows_[flow_index] = flow_elem;
-	type_->AddField(flow_elem->flow_field());
-	}
-
-void ConnDecl::ProcessDataUnitElement(AnalyzerDataUnit *dataunit_elem)
-	{
-	throw Exception(
-		dataunit_elem, 
-		"dataunit should be defined in only a flow declaration");
-	}
-
-void ConnDecl::Prepare()
-	{
-	AnalyzerDecl::Prepare();
-
-	flows_[0]->flow_decl()->set_conn_decl(this);
-	flows_[1]->flow_decl()->set_conn_decl(this);
-	}
-
-void ConnDecl::GenPubDecls(Output *out_h, Output *out_cc)
-	{
-	AnalyzerDecl::GenPubDecls(out_h, out_cc);
-	}
-
-void ConnDecl::GenPrivDecls(Output *out_h, Output *out_cc)
-	{
-	AnalyzerDecl::GenPrivDecls(out_h, out_cc);
-	}
-
-void ConnDecl::GenEOFFunc(Output *out_h, Output *out_cc)
-	{
-	string proto = strfmt("%s(bool is_orig)", kFlowEOF);
-
-	out_h->println("void %s;", proto.c_str());
-
-	out_cc->println("void %s::%s", class_name().c_str(), proto.c_str());
-	out_cc->inc_indent();
-	out_cc->println("{");
-
-	out_cc->println("if ( is_orig )");
-	out_cc->inc_indent();
-	out_cc->println("%s->%s();",
-	                env_->LValue(upflow_id),
-	                kFlowEOF);
-	out_cc->dec_indent();
-	out_cc->println("else");
-	out_cc->inc_indent();
-	out_cc->println("%s->%s();",
-	                env_->LValue(downflow_id),
-	                kFlowEOF);
-
-	foreach(i, AnalyzerHelperList, eof_helpers_)
-		{
-		(*i)->GenCode(0, out_cc, this);
-		}
-
-	out_cc->dec_indent();
-	
-	out_cc->println("}");
-	out_cc->dec_indent();
-	out_cc->println("");
-	}
-
-void ConnDecl::GenGapFunc(Output *out_h, Output *out_cc)
-	{
-	string proto = strfmt("%s(bool is_orig, int gap_length)", kFlowGap);
-
-	out_h->println("void %s;", proto.c_str());
-
-	out_cc->println("void %s::%s", class_name().c_str(), proto.c_str());
-	out_cc->inc_indent();
-	out_cc->println("{");
-
-	out_cc->println("if ( is_orig )");
-	out_cc->inc_indent();
-	out_cc->println("%s->%s(gap_length);",
-	                env_->LValue(upflow_id),
-	                kFlowGap);
-	out_cc->dec_indent();
-	out_cc->println("else");
-	out_cc->inc_indent();
-	out_cc->println("%s->%s(gap_length);",
-	                env_->LValue(downflow_id),
-	                kFlowGap);
-	out_cc->dec_indent();
-	
-	out_cc->println("}");
-	out_cc->dec_indent();
-	out_cc->println("");
-	}
-
-void ConnDecl::GenProcessFunc(Output *out_h, Output *out_cc)
-	{
-	string proto = 
-		strfmt("%s(bool is_orig, const_byteptr begin, const_byteptr end)",
-		       kNewData);
-
-	out_h->println("void %s;", proto.c_str());
-
-	out_cc->println("void %s::%s", class_name().c_str(), proto.c_str());
-	out_cc->inc_indent();
-	out_cc->println("{");
-
-	out_cc->println("if ( is_orig )");
-	out_cc->inc_indent();
-	out_cc->println("%s->%s(begin, end);",
-	                env_->LValue(upflow_id),
-	                kNewData);
-	out_cc->dec_indent();
-	out_cc->println("else");
-	out_cc->inc_indent();
-	out_cc->println("%s->%s(begin, end);",
-	                env_->LValue(downflow_id),
-	                kNewData);
-	out_cc->dec_indent();
-	
-	out_cc->println("}");
-	out_cc->dec_indent();
-	out_cc->println("");
-	}
diff --git a/aux/binpac/src/pac_conn.h b/aux/binpac/src/pac_conn.h
deleted file mode 100644
index 0247bf7f7b..0000000000
--- a/aux/binpac/src/pac_conn.h
+++ /dev/null
@@ -1,34 +0,0 @@
-#ifndef pac_conn_h
-#define pac_conn_h
-
-#include "pac_decl.h"
-#include "pac_analyzer.h"
-
-class ConnDecl : public AnalyzerDecl
-{
-public:
-	ConnDecl(ID *conn_id, ParamList *params, AnalyzerElementList *elemlist);
-	~ConnDecl();
-
-	void Prepare();
-
-	Type* DataType() const	{ return data_type_; }
-
-protected:
-	void AddBaseClass(vector<string> *base_classes) const;
-
-	void GenProcessFunc(Output *out_h, Output *out_cc);
-	void GenGapFunc(Output *out_h, Output *out_cc);
-	void GenEOFFunc(Output *out_h, Output *out_cc);
-
-	void GenPubDecls(Output *out_h, Output *out_cc);
-	void GenPrivDecls(Output *out_h, Output *out_cc);
-
-	void ProcessFlowElement(AnalyzerFlow *flow_elem);
-	void ProcessDataUnitElement(AnalyzerDataUnit *dataunit_elem);
-
-	AnalyzerFlow *flows_[2];
-	Type *data_type_;
-};
-
-#endif  // pac_conn_h
diff --git a/aux/binpac/src/pac_context.cc b/aux/binpac/src/pac_context.cc
deleted file mode 100644
index 94e4c4ce47..0000000000
--- a/aux/binpac/src/pac_context.cc
+++ /dev/null
@@ -1,120 +0,0 @@
-#include "pac_analyzer.h"
-#include "pac_exception.h"
-#include "pac_exttype.h"
-#include "pac_flow.h"
-#include "pac_id.h"
-#include "pac_output.h"
-#include "pac_param.h"
-#include "pac_paramtype.h"
-#include "pac_type.h"
-#include "pac_utils.h"
-
-#include "pac_context.h"
-
-ContextField::ContextField(ID *id, Type *type)
-	: Field(CONTEXT_FIELD, 
-		TYPE_NOT_TO_BE_PARSED | CLASS_MEMBER | PUBLIC_READABLE, 
-		id, type)
-	{
-	}
-
-AnalyzerContextDecl *AnalyzerContextDecl::current_analyzer_context_ = 0;
-
-namespace {
-	ParamList *ContextFieldsToParams(ContextFieldList *context_fields)
-		{
-		// Convert context fields to parameters
-		ParamList *params = new ParamList();
-		foreach(i, ContextFieldList, context_fields)
-			{
-			ContextField *f = *i;
-			params->push_back(
-				new Param(f->id()->clone(), 
-				f->type()));
-			}
-		return params;
-		}
-} // namespace private
-
-AnalyzerContextDecl::AnalyzerContextDecl(
-		ID *id, 
-		ContextFieldList *context_fields)
-	: TypeDecl(new ID(fmt("Context%s", id->Name())), 
-		ContextFieldsToParams(context_fields), 
-		new DummyType())
-	{
-	context_name_id_ = id;
-	if ( current_analyzer_context_ != 0 )
-		{
-		throw Exception(this, 
-		                fmt("multiple declaration of analyzer context; "
-		                    "the previous one is `%s'",
-		                    current_analyzer_context_->id()->Name()));
-		}
-	else
-		current_analyzer_context_ = this;
-
-	context_fields_ = context_fields;
-
-	param_type_ = new ParameterizedType(id_->clone(), 0);
-
-	flow_buffer_added_ = false;
-
-	DEBUG_MSG("Context type: %s\n", param_type()->class_name().c_str());
-	}
-
-AnalyzerContextDecl::~AnalyzerContextDecl()
-	{
-	delete context_name_id_;
-	delete_list(ContextFieldList, context_fields_);
-	}
-
-void AnalyzerContextDecl::GenForwardDeclaration(Output *out_h)
-	{
-	GenNamespaceBegin(out_h);
-	TypeDecl::GenForwardDeclaration(out_h);
-	}
-
-void AnalyzerContextDecl::GenCode(Output *out_h, Output *out_cc)
-	{
-	GenNamespaceBegin(out_h);
-	GenNamespaceBegin(out_cc);
-	TypeDecl::GenCode(out_h, out_cc);
-	}
-
-void AnalyzerContextDecl::GenNamespaceBegin(Output *out) const
-	{
-	out->println("namespace %s {", context_name_id()->Name());
-	}
-
-void AnalyzerContextDecl::GenNamespaceEnd(Output *out) const
-	{
-	out->println("} // namespace %s", context_name_id()->Name());
-	}
-
-void AnalyzerContextDecl::AddFlowBuffer()
-	{
-	if ( flow_buffer_added_ )
-		return;
-
-	AddParam(new Param(
-		new ID(kFlowBufferVar), 
-		FlowDecl::flow_buffer_type()->Clone()));
-
-	flow_buffer_added_ = true;
-	}
-
-string AnalyzerContextDecl::mb_buffer(Env *env)
-	{
-	// A hack. The orthodox way would be to build an Expr of
-	// context.flow_buffer_var, and then EvalExpr.
-	return fmt("%s->%s()", 
-		env->RValue(analyzer_context_id), 
-		kFlowBufferVar);
-	}
-
-Type *DummyType::DoClone() const
-	{
-	// Fields will be copied in Type::Clone().
-	return new DummyType();
-	}
diff --git a/aux/binpac/src/pac_context.h b/aux/binpac/src/pac_context.h
deleted file mode 100644
index 29704e0b8d..0000000000
--- a/aux/binpac/src/pac_context.h
+++ /dev/null
@@ -1,97 +0,0 @@
-#ifndef pac_context_h
-#define pac_context_h
-
-#include "pac_common.h"
-#include "pac_field.h"
-#include "pac_type.h"
-#include "pac_typedecl.h"
-
-// AnalyzerContext represents a cookie that an analyzer gives to
-// parse functions of various message types. The cookie is parsed
-// to every parse function (if necessary) as parameter 'binpac_context'.
-// 
-// The members of the cookie is declared through 'analyzer' declarations,
-// such as in:
-//
-// analyzer SunRPC withcontext {
-//        connection:     RPC_Conn;
-//        flow:           RPC_Flow;
-// };      
-//
-// The cookie usually contains the connection and flow in which 
-// the message appears, and the context information can be 
-// accessed as members of the cookie, such as 
-// ``binpac_context.connection''.
-
-class ContextField : public Field
-{
-public:
-	ContextField(ID *id, Type *type);
-};
-
-class AnalyzerContextDecl : public TypeDecl
-{
-public:
-	AnalyzerContextDecl(ID *id, ContextFieldList *context_fields);
-	~AnalyzerContextDecl();
-
-	void AddFlowBuffer();
-
-	const ID *context_name_id() const { return context_name_id_; }
-
-	// The type of analyzer context as a parameter
-	ParameterizedType *param_type() const { return param_type_; }
-
-	void GenForwardDeclaration(Output *out_h);
-	void GenCode(Output *out_h, Output *out_cc);
-
-	void GenNamespaceBegin(Output *out) const;
-	void GenNamespaceEnd(Output *out) const;
-
-private:
-	ID *context_name_id_;
-	ContextFieldList *context_fields_;
-	ParameterizedType *param_type_;
-	bool flow_buffer_added_;
-
-// static members
-public:
-	static AnalyzerContextDecl *current_analyzer_context()
-		{
-		return current_analyzer_context_;
-		}
-
-	static string mb_buffer(Env *env);
-
-private:
-	static AnalyzerContextDecl *current_analyzer_context_;
-};
-
-class DummyType : public Type 
-{
-public:
-	DummyType() : Type(DUMMY) {}
-
-	bool DefineValueVar() const 	{ return false; }
-	string DataTypeStr() const 	{ ASSERT(0); return ""; }
-
-	int StaticSize(Env* env) const 	{ ASSERT(0); return -1; }
-
-	bool ByteOrderSensitive() const { return false; }
-
-	bool IsPointerType() const 	{ ASSERT(0); return false; }
-
-	void DoGenParseCode(Output* out, Env* env,
-			const DataPtr& data, int flags)
-		{ ASSERT(0); }
-
-	// Generate code for computing the dynamic size of the type
-	void GenDynamicSize(Output* out, Env* env, const DataPtr& data)
-		{ ASSERT(0); }
-
-protected:
-	Type *DoClone()	const;
-	void DoMarkIncrementalInput()		{ ASSERT(0); }
-};
-
-#endif  // pac_context_h
diff --git a/aux/binpac/src/pac_cstr.cc b/aux/binpac/src/pac_cstr.cc
deleted file mode 100644
index 2d41bf7d1b..0000000000
--- a/aux/binpac/src/pac_cstr.cc
+++ /dev/null
@@ -1,127 +0,0 @@
-#include "pac_cstr.h"
-#include "pac_dbg.h"
-#include "pac_exception.h"
-
-namespace {
-
-class EscapeException
-{
-public:
-	explicit EscapeException(const string &s)
-		{
-		msg_ = s;
-		}
-
-	const string &msg() const	{ return msg_; }
-
-private:
-	string msg_;
-};
-
-// Copied from util.cc of Bro
-int expand_escape(const char*& s)
-	{
-	switch ( *(s++) ) {
-	case 'b': return '\b';
-	case 'f': return '\f';
-	case 'n': return '\n';
-	case 'r': return '\r';
-	case 't': return '\t';
-	case 'a': return '\a';
-	case 'v': return '\v';
-
-	case '0': case '1': case '2': case '3': case '4':
-	case '5': case '6': case '7':
-		{ // \<octal>{1,3}
-		--s;	// put back the first octal digit
-		const char* start = s;
-
-		// Don't increment inside loop control
-		// because if isdigit() is a macro it might
-		// expand into multiple increments ...
-
-		// Here we define a maximum length for escape sequence
-		// to allow easy handling of string like: "^H0" as
-		// "\0100".
-
-		for ( int len = 0; len < 3 && isascii(*s) && isdigit(*s); ++s, ++len)
-			;
-
-		int result;
-		if ( sscanf(start, "%3o", &result) != 1 )
-			{
-			throw EscapeException(fmt("bad octal escape: \"%s", start));
-			result = 0;
-			}
-
-		return result;
-		}
-
-	case 'x':
-		{ /* \x<hex> */
-		const char* start = s;
-
-		// Look at most 2 characters, so that "\x0ddir" -> "^Mdir".
-		for ( int len = 0; len < 2 && isascii(*s) && isxdigit(*s);
-		      ++s, ++len)
-			;
-
-		int result;
-		if ( sscanf(start, "%2x", &result) != 1 )
-			{
-			throw EscapeException(fmt("bad hexadecimal escape: \"%s", start));
-			result = 0;
-			}
-
-		return result;
-		}
-
-	default:
-		return s[-1];
-	}
-	}
-
-}  // private namespace
-
-ConstString::ConstString(const string &s)
-	: str_(s)
-	{
-	// Copied from scan.l of Bro
-	try 
-		{
-		const char* text = str_.c_str();
-		int len = strlen(text) + 1;
-		int i = 0;
-
-		char* s = new char[len];
-
-		// Skip leading quote.
-		for ( ++text; *text; ++text )
-			{
-			if ( *text == '\\' )
-				{
-				++text;	// skip '\'
-				s[i++] = expand_escape(text);
-				--text;	// point to end of sequence
-				}
-			else
-				{
-				s[i++] = *text;
-				}
-			}
-		ASSERT(i < len);
-
-		// Get rid of trailing quote.
-		ASSERT(s[i-1] == '"');
-		s[i-1] = '\0';
-
-		unescaped_ = s;
-		delete [] s;
-		}
-	catch(EscapeException const &e)
-		{
-		// Throw again with the object
-		throw Exception(this, e.msg().c_str());
-		}
-	}
-
diff --git a/aux/binpac/src/pac_cstr.h b/aux/binpac/src/pac_cstr.h
deleted file mode 100644
index d1faaf7604..0000000000
--- a/aux/binpac/src/pac_cstr.h
+++ /dev/null
@@ -1,23 +0,0 @@
-#ifndef pac_cstr_h
-#define pac_cstr_h
-
-#include "pac_common.h"
-
-class ConstString : public Object
-{
-public:
-	ConstString(const string &s);
-
-	// The string in its escaped form, with surrounding '"'s
-	const string &str() const	{ return str_; }
-	const char *c_str() const	{ return str_.c_str(); }
-
-	// The unescaped string, without surrounding '"'s
-	const string &unescaped() const { return unescaped_; }
-
-private:
-	string str_;
-	string unescaped_;
-};
-
-#endif  // pac_cstr_h
diff --git a/aux/binpac/src/pac_ctype.cc b/aux/binpac/src/pac_ctype.cc
deleted file mode 100644
index cfde2f461b..0000000000
--- a/aux/binpac/src/pac_ctype.cc
+++ /dev/null
@@ -1,21 +0,0 @@
-#include "pac_ctype.h"
-
-string CType::DeclareInstance(const string &var) const
-	{
-	return strfmt("%s %s", name().c_str(), var.c_str());
-	}
-
-string CType::DeclareConstReference(const string &var) const
-	{
-	return strfmt("%s const &%s", name().c_str(), var.c_str());
-	}
-
-string CType::DeclareConstPointer(const string &var) const
-	{
-	return strfmt("%s const *%s", name().c_str(), var.c_str());
-	}
-
-string CType::DeclarePointer(const string &var) const
-	{
-	return strfmt("%s *%s", name().c_str(), var.c_str());
-	}
diff --git a/aux/binpac/src/pac_ctype.h b/aux/binpac/src/pac_ctype.h
deleted file mode 100644
index aebbc34d6a..0000000000
--- a/aux/binpac/src/pac_ctype.h
+++ /dev/null
@@ -1,23 +0,0 @@
-#ifndef pac_ctype_h
-#define pac_ctype_h
-
-#include "pac_common.h"
-
-// Represents a C++ type
-class CType
-{
-public:
-	CType(const string &name);
-
-	string name() const 	{ return name_; }
-
-	string DeclareInstance(const string &var) const;
-	string DeclareConstReference(const string &var) const;
-	string DeclareConstPointer(const string &var) const;
-	string DeclarePointer(const string &var) const;
-
-protected:
-	string name_;
-};
-
-#endif  // pac_ctype_h
diff --git a/aux/binpac/src/pac_datadep.cc b/aux/binpac/src/pac_datadep.cc
deleted file mode 100644
index 8c43e0e106..0000000000
--- a/aux/binpac/src/pac_datadep.cc
+++ /dev/null
@@ -1,76 +0,0 @@
-#include "pac_datadep.h"
-#include "pac_expr.h"
-#include "pac_id.h"
-#include "pac_type.h"
-
-DataDepElement::DataDepElement(DDE_Type type) 
-	: dde_type_(type), in_traversal(false)
-	{ 
-	}
-
-bool DataDepElement::Traverse(DataDepVisitor *visitor)
-	{
-	// Avoid infinite loop
-	if ( in_traversal )
-		return true;
-	if ( ! visitor->PreProcess(this) )
-		return false;
-
-	in_traversal = true;
-	bool cont = DoTraverse(visitor);
-	in_traversal = false;
-
-	if ( ! cont )
-		return false;
-	if ( ! visitor->PostProcess(this) )
-		return false;
-	return true;
-	}
-
-Expr *DataDepElement::expr()
-	{ 
-	return static_cast<Expr *>(this); 
-	}
-
-Type *DataDepElement::type()
-	{ 
-	return static_cast<Type *>(this); 
-	}
-
-bool RequiresAnalyzerContext::PreProcess(DataDepElement *element)
-	{
-	switch ( element->dde_type() ) 
-		{
-		case DataDepElement::EXPR:
-			ProcessExpr(element->expr());
-			break;
-		default:
-			break;
-		}
-
-	// Continue traversal until we know the answer is 'yes'
-	return ! requires_analyzer_context_;
-	}
-
-bool RequiresAnalyzerContext::PostProcess(DataDepElement *element)
-	{
-	return ! requires_analyzer_context_;
-	}
-
-void RequiresAnalyzerContext::ProcessExpr(Expr *expr)
-	{
-	if ( expr->expr_type() == Expr::EXPR_ID )
-		{
-		requires_analyzer_context_ = 
-			(requires_analyzer_context_ || 
-		       	 *expr->id() == *analyzer_context_id ||
-		       	 *expr->id() == *context_macro_id);
-		}
-	}
-
-bool RequiresAnalyzerContext::compute(DataDepElement *element)
-	{
-	RequiresAnalyzerContext visitor;
-	element->Traverse(&visitor);
-	return visitor.requires_analyzer_context_;
-	}
diff --git a/aux/binpac/src/pac_datadep.h b/aux/binpac/src/pac_datadep.h
deleted file mode 100644
index a45053fb01..0000000000
--- a/aux/binpac/src/pac_datadep.h
+++ /dev/null
@@ -1,71 +0,0 @@
-#ifndef pac_datadep_h
-#define pac_datadep_h
-
-// To provide a way to traverse through the data dependency graph.
-// That is, to evaluate X, what must be evaluated.
-
-#include "pac_common.h"
-#include "pac_dbg.h"
-
-class DataDepVisitor;
-
-class DataDepElement {
-public:
-	enum DDE_Type {
-		ATTR,
-		CASEEXPR,
-		EXPR,
-		FIELD,
-		INPUT_BUFFER,
-		PARAM,
-		TYPE,
-	};
-
-	DataDepElement(DDE_Type type);
-	virtual ~DataDepElement() {}
-
-	// Returns whether to continue traversal
-	bool Traverse(DataDepVisitor *visitor);
-
-	// Returns whether to continue traversal
-	virtual bool DoTraverse(DataDepVisitor *visitor) = 0;
-
-	DDE_Type dde_type() const	{ return dde_type_; }
-	Expr *expr();
-	Type *type();
-
-protected:
-	DDE_Type dde_type_;
-	bool in_traversal;
-};
-
-class DataDepVisitor {
-public:
-	virtual ~DataDepVisitor() {}
-	// Returns whether to continue traversal
-	virtual bool PreProcess(DataDepElement *element) = 0;
-	virtual bool PostProcess(DataDepElement *element) = 0;
-};
-
-class RequiresAnalyzerContext : public DataDepVisitor {
-public:
-	RequiresAnalyzerContext() : requires_analyzer_context_(false) {}
-
-	// Returns whether to continue traversal
-	bool PreProcess(DataDepElement *element);
-	bool PostProcess(DataDepElement *element);
-
-	bool requires_analyzer_context() const
-		{
-		return requires_analyzer_context_;
-		}
-
-	static bool compute(DataDepElement *element);
-
-protected:
-	void ProcessExpr(Expr *expr);
-
-	bool requires_analyzer_context_;
-};
-
-#endif // pac_datadep_h
diff --git a/aux/binpac/src/pac_dataptr.cc b/aux/binpac/src/pac_dataptr.cc
deleted file mode 100644
index beac6997cb..0000000000
--- a/aux/binpac/src/pac_dataptr.cc
+++ /dev/null
@@ -1,66 +0,0 @@
-#include "pac_exception.h"
-#include "pac_id.h"
-#include "pac_output.h"
-#include "pac_utils.h"
-
-#include "pac_dataptr.h"
-
-DataPtr::DataPtr(Env* env, const ID* id, const int offset)
-	: id_(id), offset_(offset)
-	{
-	if ( id_ )
-		{
-		if ( ! env->Evaluated(id_) )
-			throw ExceptionIDNotEvaluated(id_);
-
-		if ( offset_ == 0 )
-			ptr_expr_ = strfmt("%s", env->RValue(id_));
-		else
-			ptr_expr_ = strfmt("(%s + %d)", env->RValue(id_), offset_);
-		}
-	else
-		ptr_expr_ = "(null id)";
-	}
-
-int DataPtr::AbsOffset(const ID* base_ptr) const
-	{
-	return ( id() == base_ptr ) ? offset() : -1;
-	}
-
-char* DataPtr::AbsOffsetExpr(Env* env, const ID* base_ptr) const
-	{
-	if ( AbsOffset(base_ptr) >= 0 )
-		return nfmt("%d", offset());
-	else
-		return nfmt("(%s - %s)", ptr_expr(), env->RValue(base_ptr));
-	}
-
-void DataPtr::GenBoundaryCheck(Output* out_cc, Env* env,
-		const char* data_size, const char* data_name) const
-	{
-	ASSERT(id_);
-
-	out_cc->println("// Checking out-of-bound for \"%s\"", data_name);
-	out_cc->println("if ( %s + (%s) > %s )",
-		ptr_expr(),
-		data_size,
-		env->RValue(end_of_data));
-
-	out_cc->inc_indent(); 
-	out_cc->println("{");
-
-	char* data_offset = AbsOffsetExpr(env, begin_of_data); 
-
-	out_cc->println("// Handle out-of-bound condition");
-	out_cc->println("throw ExceptionOutOfBound(\"%s\",", data_name);
-	out_cc->println("	(%s) + (%s), ", 
-		data_offset, data_size);
-	out_cc->println("	(%s) - (%s));", 
-		env->RValue(end_of_data), env->RValue(begin_of_data));
-
-	delete [] data_offset;
-
-	out_cc->println("}");
-	out_cc->dec_indent(); 
-	}
-
diff --git a/aux/binpac/src/pac_dataptr.h b/aux/binpac/src/pac_dataptr.h
deleted file mode 100644
index 602843ff56..0000000000
--- a/aux/binpac/src/pac_dataptr.h
+++ /dev/null
@@ -1,47 +0,0 @@
-#ifndef pac_dataptr_h
-#define pac_dataptr_h
-
-#include <string>
-#include "pac_common.h"
-
-// A data pointer is represented by an data pointer variable
-// plus a constant offset.
-
-class DataPtr
-{
-public:
-	DataPtr(Env* env, const ID* arg_id, const int arg_off);
-
-	DataPtr const &operator=(DataPtr const &x)
-		{
-		id_ = x.id();
-		offset_ = x.offset();
-		ptr_expr_ = x.ptr_expr();
-
-		return *this;
-		}
-
-	const ID* id() const 	{ return id_; }
-	int offset() const 	{ return offset_; }
-
-	const char* ptr_expr() const
-		{
-		ASSERT(id_); 
-		return ptr_expr_.c_str(); 
-		}
-
-	int AbsOffset(const ID* base_ptr) const;
-	char* AbsOffsetExpr(Env* env, const ID* base_ptr) const;
-
-	void GenBoundaryCheck(Output* out, 
-                              Env* env, 
-                              const char* data_size, 
-                              const char* data_name) const;
-
-protected:
-	const ID* id_;
-	int offset_;
-	string ptr_expr_;
-};
-
-#endif  // pac_dataptr_h
diff --git a/aux/binpac/src/pac_dataunit.cc b/aux/binpac/src/pac_dataunit.cc
deleted file mode 100644
index 2b7218963d..0000000000
--- a/aux/binpac/src/pac_dataunit.cc
+++ /dev/null
@@ -1,60 +0,0 @@
-#include "pac_context.h"
-#include "pac_dataunit.h"
-#include "pac_output.h"
-#include "pac_paramtype.h"
-#include "pac_varfield.h"
-
-AnalyzerDataUnit::AnalyzerDataUnit(
-		DataUnitType type, 
-		ID *id, 
-		ExprList *type_params,
-		ExprList *context_params)
-	: AnalyzerElement(DATAUNIT),
-	  type_(type),
-	  id_(id),
-	  type_params_(type_params),
-	  context_params_(context_params) 
-	{
-	data_type_ = new ParameterizedType(id_, type_params_);
-	context_type_ = new ParameterizedType(
-		AnalyzerContextDecl::current_analyzer_context()->id()->clone(),
-		context_params_);
-
-	dataunit_var_field_ = new ParseVarField(
-		Field::CLASS_MEMBER,
-		dataunit_id->clone(),
-		data_type());
-	context_var_field_ = new PrivVarField(
-		analyzer_context_id->clone(),
-		context_type());
-	}
-
-AnalyzerDataUnit::~AnalyzerDataUnit()
-	{
-	delete dataunit_var_field_;
-	delete context_var_field_;
-	}
-
-void AnalyzerDataUnit::Prepare(Env *env)
-	{
-	dataunit_var_field_->Prepare(env);
-	context_var_field_->Prepare(env);
-	}
-
-void AnalyzerDataUnit::GenNewDataUnit(Output *out_cc, Env *env)
-	{
-	out_cc->println("%s = new %s(%s);",
-		env->LValue(dataunit_id),
-		data_type()->class_name().c_str(),
-		data_type()->EvalParameters(out_cc, env).c_str());
-	}
-
-void AnalyzerDataUnit::GenNewContext(Output *out_cc, Env *env)
-	{
-	out_cc->println("%s = new %s(%s);", 
-		env->LValue(analyzer_context_id),
-		context_type()->class_name().c_str(),
-		context_type()->EvalParameters(out_cc, env).c_str());
-	env->SetEvaluated(analyzer_context_id);
-	}
-
diff --git a/aux/binpac/src/pac_dataunit.h b/aux/binpac/src/pac_dataunit.h
deleted file mode 100644
index eb76378afa..0000000000
--- a/aux/binpac/src/pac_dataunit.h
+++ /dev/null
@@ -1,49 +0,0 @@
-#ifndef pac_dataunit_h
-#define pac_dataunit_h
-
-#include "pac_analyzer.h"
-
-// The type and parameters of input data unit of a flow. For instance, the
-// data unit of a DCE/RPC flow is DCE_RPC_PDU.
-
-class AnalyzerDataUnit : public AnalyzerElement
-{
-public:
-	enum DataUnitType { DATAGRAM, FLOWUNIT };
-	AnalyzerDataUnit(
-		DataUnitType type, 
-		ID *id, 
-		ExprList *type_params, 
-		ExprList *context_params);
-	~AnalyzerDataUnit();
-
-	void Prepare(Env *env);
-
-	// Initializes dataunit_id
-	void GenNewDataUnit(Output *out_cc, Env *env);
-	// Initializes analyzer_context_id
-	void GenNewContext(Output *out_cc, Env *env);
-
-	DataUnitType type() const		{ return type_; }
-	const ID *id() const			{ return id_; }
-	ExprList *type_params() const		{ return type_params_; }
-	ExprList *context_params() const	{ return context_params_; }
-
-	ParameterizedType *data_type() const	{ return data_type_; }
-	ParameterizedType *context_type() const	{ return context_type_; }
-
-	Field *dataunit_var_field() const	{ return dataunit_var_field_; }
-	Field *context_var_field() const	{ return context_var_field_; }
-
-private:
-	DataUnitType type_;
-	ID *id_;
-	ExprList *type_params_;
-	ExprList *context_params_;
-	ParameterizedType *data_type_;
-	ParameterizedType *context_type_;
-	Field *dataunit_var_field_;
-	Field *context_var_field_;
-};
-
-#endif // pac_dataunit_h
diff --git a/aux/binpac/src/pac_dbg.h b/aux/binpac/src/pac_dbg.h
deleted file mode 100644
index bcd87639fb..0000000000
--- a/aux/binpac/src/pac_dbg.h
+++ /dev/null
@@ -1,14 +0,0 @@
-/* $Id: pac_dbg.h 3265 2006-06-09 21:16:12Z rpang $ */
-
-#ifndef pac_dbg_h
-#define pac_dbg_h
-
-#include <assert.h>
-#include <stdio.h>
-
-extern bool FLAGS_pac_debug;
-
-#define ASSERT(x)	assert(x)
-#define DEBUG_MSG(x...)	if ( FLAGS_pac_debug ) fprintf(stderr, x)
-
-#endif /* pac_dbg_h */
diff --git a/aux/binpac/src/pac_decl-inl.h b/aux/binpac/src/pac_decl-inl.h
deleted file mode 100644
index 97c369fa9f..0000000000
--- a/aux/binpac/src/pac_decl-inl.h
+++ /dev/null
@@ -1,6 +0,0 @@
-#ifndef pac_decl_inl_h
-#define pac_decl_inl_h
-
-#include "pac_id.h"
-
-#endif  // pac_decl_inl_h
diff --git a/aux/binpac/src/pac_decl.cc b/aux/binpac/src/pac_decl.cc
deleted file mode 100644
index 3c3ae95aa9..0000000000
--- a/aux/binpac/src/pac_decl.cc
+++ /dev/null
@@ -1,191 +0,0 @@
-#include "pac_attr.h"
-#include "pac_context.h"
-#include "pac_dataptr.h"
-#include "pac_embedded.h"
-#include "pac_exception.h"
-#include "pac_expr.h"
-#include "pac_exttype.h"
-#include "pac_id.h"
-#include "pac_output.h"
-#include "pac_param.h"
-#include "pac_record.h"
-#include "pac_type.h"
-#include "pac_utils.h"
-
-#include "pac_decl.h"
-
-DeclList *Decl::decl_list_ = 0;
-Decl::DeclMap Decl::decl_map_;
-
-Decl::Decl(ID* id, DeclType decl_type)
-	: id_(id), decl_type_(decl_type), attrlist_(0)
-	{
-	decl_map_[id_] = this;
-	if ( ! decl_list_ )
-		decl_list_ = new DeclList();
-	decl_list_->push_back(this);
-
-	DEBUG_MSG("Finished Decl %s\n", id_->Name());
-
-	analyzer_context_ = 0;
-	}
-
-Decl::~Decl()
-	{
-	delete id_;
-	delete_list(AttrList, attrlist_);
-	}
-
-void Decl::AddAttrs(AttrList* attrs)
-	{
-	if ( ! attrs )
-		return;
-	if ( ! attrlist_ )
-		attrlist_ = new AttrList();
-	foreach ( i, AttrList, attrs )
-		{
-		attrlist_->push_back(*i);
-		ProcessAttr(*i);
-		}
-	}
-
-void Decl::ProcessAttr(Attr *attr)
-	{
-	throw Exception(attr, "unhandled attribute");
-	}
-
-void Decl::SetAnalyzerContext()
-	{
-	analyzer_context_ = 
-		AnalyzerContextDecl::current_analyzer_context();
-	if ( ! analyzer_context_ )
-		{
-		throw Exception(this, 
-		                "analyzer context not defined");
-		}
-	}
-
-void Decl::ProcessDecls(Output *out_h, Output *out_cc)
-	{
-	if ( ! decl_list_ )
-		return;
-
-	foreach(i, DeclList, decl_list_)
-		{
-		Decl *decl = *i;
-		current_decl_id = decl->id();
-		decl->Prepare();
-		}
-
-	foreach(i, DeclList, decl_list_)
-		{
-		Decl *decl = *i;
-		current_decl_id = decl->id();
-		decl->GenExternDeclaration(out_h);
-		}
-
-	out_h->println("namespace binpac {\n");
-	out_cc->println("namespace binpac {\n");
-
-	AnalyzerContextDecl *analyzer_context =
-		AnalyzerContextDecl::current_analyzer_context();
-
-	foreach(i, DeclList, decl_list_)
-		{
-		Decl *decl = *i;
-		current_decl_id = decl->id();
-		decl->GenForwardDeclaration(out_h);
-		}
-
-	if ( analyzer_context )
-		analyzer_context->GenNamespaceEnd(out_h);
-
-	out_h->println("");
-
-	foreach(i, DeclList, decl_list_)
-		{
-		Decl *decl = *i;
-		current_decl_id = decl->id();
-		decl->GenCode(out_h, out_cc);
-		}
-
-	if ( analyzer_context )
-		{
-		analyzer_context->GenNamespaceEnd(out_h);
-		analyzer_context->GenNamespaceEnd(out_cc);
-		}
-
-	out_h->println("}  // namespace binpac");
-	out_cc->println("}  // namespace binpac");
-	}
-
-Decl* Decl::LookUpDecl(const ID* id)
-	{
-	DeclMap::iterator it = decl_map_.find(id);
-	if ( it == decl_map_.end() )
-		return 0;
-	return it->second;
-	}
-
-int HelperDecl::helper_id_seq = 0;
-
-HelperDecl::HelperDecl(HelperType helper_type, 
-                       ID* context_id, 
-                       EmbeddedCode* code)
- 	: Decl(new ID(fmt("helper_%d", ++helper_id_seq)), HELPER), 
-	  helper_type_(helper_type),
-	  context_id_(context_id),
-	  code_(code)
-	{
-	}
-
-HelperDecl::~HelperDecl()
-	{
-	delete context_id_;
-	delete code_;
-	}
-
-void HelperDecl::Prepare()
-	{
-	// Do nothing
-	}
-
-void HelperDecl::GenExternDeclaration(Output *out_h)
-	{
-	if ( helper_type_ == EXTERN )
-		code_->GenCode(out_h, global_env());
-	}
-
-void HelperDecl::GenCode(Output *out_h, Output *out_cc)
-	{
-	Env *env = global_env();
-
-#if 0
-	if ( context_id_ )
-		{
-		Decl *decl = Decl::LookUpDecl(context_id_);
-		if ( ! decl )
-			{
-			throw Exception(context_id_, 
-			                fmt("cannot find declaration for %s", 
-			                    context_id_->Name()));
-			}
-		env = decl->env();
-		if ( ! env )
-			{
-			throw Exception(context_id_,
-			                fmt("not a type or analyzer: %s",
-			                    context_id_->Name()));
-			}
-		}
-#endif
-
-	if ( helper_type_ == HEADER )
-		code_->GenCode(out_h, env);
-	else if ( helper_type_ == CODE )
-		code_->GenCode(out_cc, env);
-	else if ( helper_type_ == EXTERN )
-		; // do nothing
-	else
-		ASSERT(0);
-	}
diff --git a/aux/binpac/src/pac_decl.h b/aux/binpac/src/pac_decl.h
deleted file mode 100644
index 6151022d20..0000000000
--- a/aux/binpac/src/pac_decl.h
+++ /dev/null
@@ -1,81 +0,0 @@
-#ifndef pac_decl_h
-#define pac_decl_h
-
-#include "pac_common.h"
-#include "pac_id.h"
-
-class Decl : public Object
-{
-public:
-	// Note: ANALYZER is not for AnalyzerDecl (which is an
-	// abstract class) , but for AnalyzerContextDecl.
-	enum DeclType { ENUM, LET, TYPE, FUNC, CONN, FLOW, ANALYZER, HELPER, REGEX };
-
-	Decl(ID *id, DeclType decl_type);
-	virtual ~Decl();
-
-	const ID *id() const		{ return id_; }
-	DeclType decl_type() const	{ return decl_type_; }
-	AnalyzerContextDecl *analyzer_context() const 
-		{ return analyzer_context_; }
-
-	// NULL except for TypeDecl or AnalyzerDecl
-	virtual Env *env() const	{ return 0; }
-
-	virtual void Prepare() = 0;
-
-	// Generate declarations out of the "binpac" namespace
-	virtual void GenExternDeclaration(Output *out_h) { /* do nothing */ }
-
-	// Generate declarations before definition of classes
-	virtual void GenForwardDeclaration(Output *out_h) = 0;
-
-	virtual void GenCode(Output *out_h, Output *out_cc) = 0;
-
-	void TakeExprList();
-	void AddAttrs(AttrList *attrlist);
-	void SetAnalyzerContext();
-
-protected:
-	virtual void ProcessAttr(Attr *a);
-
-	ID *id_;
-	DeclType decl_type_;
-	AttrList *attrlist_;
-	ExprList *expr_list_;
-	AnalyzerContextDecl *analyzer_context_;
-
-public:
-	static void ProcessDecls(Output *out_h, Output *out_cc);
-	static Decl *LookUpDecl(const ID *id);
-
-private:
-	static DeclList *decl_list_;
-	typedef map<const ID *, Decl*, ID_ptr_cmp> DeclMap;
-	static DeclMap decl_map_;
-};
-
-class HelperDecl : public Decl
-{
-public:
-	enum HelperType {
-		HEADER, CODE, EXTERN,
-	};
-	HelperDecl(HelperType type, ID *context_id, EmbeddedCode *code);
-	~HelperDecl();
-
-	void Prepare();
-	void GenExternDeclaration(Output *out_h);
-	void GenForwardDeclaration(Output *out_h) { /* do nothing */ }
-	void GenCode(Output *out_h, Output *out_cc);
-
-private:
-	HelperType helper_type_;
-	ID *context_id_;
-	ID *helper_id_;
-	EmbeddedCode *code_;
-
-	static int helper_id_seq;
-};
-
-#endif  // pac_decl_h
diff --git a/aux/binpac/src/pac_embedded.cc b/aux/binpac/src/pac_embedded.cc
deleted file mode 100644
index aca2d03a19..0000000000
--- a/aux/binpac/src/pac_embedded.cc
+++ /dev/null
@@ -1,82 +0,0 @@
-#include "pac_id.h"
-#include "pac_primitive.h"
-#include "pac_output.h"
-
-#include "pac_embedded.h"
-
-EmbeddedCodeSegment::EmbeddedCodeSegment(const string &s)
-	: s_(s), primitive_(0)
-	{
-	}
-
-EmbeddedCodeSegment::EmbeddedCodeSegment(PacPrimitive *primitive)
-	: s_(""), primitive_(primitive)
-	{
-	}
-
-EmbeddedCodeSegment::~EmbeddedCodeSegment()
-	{
-	delete primitive_;
-	}
-
-string EmbeddedCodeSegment::ToCode(Env *env)
-	{
-	if ( primitive_ &&  s_.empty() )
-		s_ = primitive_->ToCode(env);
-	return s_;
-	}
-
-EmbeddedCode::EmbeddedCode()
-	{
-	segments_ = new EmbeddedCodeSegmentList();
-	}
-
-EmbeddedCode::~EmbeddedCode()
-	{
-	delete_list(EmbeddedCodeSegmentList, segments_);
-	}
-
-void EmbeddedCode::Append(int atom)
-	{
-	current_segment_ += static_cast<char>(atom);
-	}
-
-void EmbeddedCode::Append(const char *str)
-	{
-	current_segment_ += str;
-	}
-
-void EmbeddedCode::Append(PacPrimitive *primitive)
-	{
-	if ( ! current_segment_.empty() )
-		{
-		segments_->push_back(new EmbeddedCodeSegment(current_segment_));
-		current_segment_ = "";
-		}
-	segments_->push_back(new EmbeddedCodeSegment(primitive));
-	}
-
-void EmbeddedCode::GenCode(Output *out, Env *env)
-	{
-	if ( ! current_segment_.empty() )
-		{
-		segments_->push_back(new EmbeddedCodeSegment(current_segment_));
-		current_segment_ = "";
-		}
-
-	// TODO: return to the generated file after embedded code
-	// out->print("#line %d \"%s\"\n", line_num, filename.c_str());
-
-	// Allow use of RValue for undefined ID, in which case the
-	// ID's name is used as its RValue
-	env->set_allow_undefined_id(true);
-
-	foreach(i, EmbeddedCodeSegmentList, segments_)
-		{
-		EmbeddedCodeSegment *segment = *i;
-		out->print("%s", segment->ToCode(env).c_str());
-		}
-
-	env->set_allow_undefined_id(false);
-	out->print("\n");
-	}
diff --git a/aux/binpac/src/pac_embedded.h b/aux/binpac/src/pac_embedded.h
deleted file mode 100644
index b84de746e1..0000000000
--- a/aux/binpac/src/pac_embedded.h
+++ /dev/null
@@ -1,42 +0,0 @@
-#ifndef pac_embedded_h
-#define pac_embedded_h
-
-#include "pac_common.h"
-
-class EmbeddedCodeSegment
-{
-public:
-	explicit EmbeddedCodeSegment(const string &s);
-	explicit EmbeddedCodeSegment(PacPrimitive *primitive);
-	~EmbeddedCodeSegment();
-
-	string ToCode(Env *env);
-
-private:
-	string s_;
-	PacPrimitive *primitive_;
-};
-
-typedef vector<EmbeddedCodeSegment *> EmbeddedCodeSegmentList;
-
-class EmbeddedCode : public Object
-{
-public:
-	EmbeddedCode();
-	~EmbeddedCode();
-
-	// Append a character
-	void Append(int atom);
-	void Append(const char *str);
-
-	// Append a PAC primitive
-	void Append(PacPrimitive *primitive);
-
-	void GenCode(Output *out, Env *env);
-
-private:
-	string current_segment_;
-	EmbeddedCodeSegmentList *segments_;
-};
-
-#endif  // pac_embedded_h
diff --git a/aux/binpac/src/pac_enum.cc b/aux/binpac/src/pac_enum.cc
deleted file mode 100644
index deb1711bc6..0000000000
--- a/aux/binpac/src/pac_enum.cc
+++ /dev/null
@@ -1,70 +0,0 @@
-#include "pac_exception.h"
-#include "pac_enum.h"
-#include "pac_expr.h"
-#include "pac_exttype.h"
-#include "pac_output.h"
-#include "pac_typedecl.h"
-
-Enum::Enum(ID* id, Expr* expr)
-	: id_(id), expr_(expr)
-	{
-	}
-
-Enum::~Enum()
-	{
-	delete id_;
-	delete expr_;
-	}
-
-void Enum::GenHeader(Output* out_h, int *pval)
-	{
-	ASSERT(pval);
-	if ( expr_ )
-		{
-		if ( ! expr_->ConstFold(global_env(), pval) )
-			throw ExceptionNonConstExpr(expr_);
-		out_h->println("%s = %d,", id_->Name(), *pval);
-		}
-	else
-		out_h->println("%s,", id_->Name());
-	global_env()->AddConstID(id_, *pval);
-	}
-
-EnumDecl::EnumDecl(ID *id, EnumList *enumlist)
-	: Decl(id, ENUM), enumlist_(enumlist) 
-	{
-	ID *type_id = id->clone();
-	datatype_ = new ExternType(type_id, ExternType::NUMBER);
-	extern_typedecl_ = new TypeDecl(type_id, 0, datatype_);
-	}
-
-EnumDecl::~EnumDecl()
-	{ 
-	delete_list(EnumList, enumlist_); 
-	delete extern_typedecl_;
-	}
-
-void EnumDecl::Prepare() 
-	{ 
-	// Do nothing 
-	}
-
-void EnumDecl::GenForwardDeclaration(Output *out_h)
-	{ 
-	out_h->println("enum %s {", id_->Name());
-	out_h->inc_indent();
-	int c = 0;
-	foreach(i, EnumList, enumlist_)
-		{
-		(*i)->GenHeader(out_h, &c);
-		++c;
-		}
-	out_h->dec_indent();
-	out_h->println("};");
-	}
-
-void EnumDecl::GenCode(Output* out_h, Output* /* out_cc */)
-	{
-	// Do nothing 
-	}
-
diff --git a/aux/binpac/src/pac_enum.h b/aux/binpac/src/pac_enum.h
deleted file mode 100644
index 6b255912b6..0000000000
--- a/aux/binpac/src/pac_enum.h
+++ /dev/null
@@ -1,37 +0,0 @@
-#ifndef pac_enum_h
-#define pac_enum_h
-
-#include "pac_decl.h"
-
-class Enum
-{
-public:
-	Enum(ID *id, Expr *expr = 0);
-	~Enum();
-
-	void GenHeader(Output *out_h, int *pval);
-
-private:
-	ID *id_;
-	Expr *expr_;
-};
-
-class EnumDecl : public Decl
-{
-public:
-	EnumDecl(ID *id, EnumList *enumlist);
-	~EnumDecl();
-
-	Type *DataType() const	{ return datatype_; }
-
-	void Prepare();
-	void GenForwardDeclaration(Output *out_h);
-	void GenCode(Output *out_h, Output *out_cc);
-
-private:
-	EnumList *enumlist_;
-	Type *datatype_;
-	TypeDecl *extern_typedecl_;
-};
-
-#endif // pac_enum_h
diff --git a/aux/binpac/src/pac_exception.cc b/aux/binpac/src/pac_exception.cc
deleted file mode 100644
index 462ef8e18f..0000000000
--- a/aux/binpac/src/pac_exception.cc
+++ /dev/null
@@ -1,70 +0,0 @@
-#include "pac_exception.h"
-#include "pac_expr.h"
-#include "pac_id.h"
-#include "pac_utils.h"
-
-Exception::Exception(const Object* o, const char* msg)
-	{
-	if ( o )
-		{
-		msg_ = o->Location();
-		msg_ += ": error : ";
-		}
-	if ( msg )
-		msg_ += msg;
-	if ( FLAGS_pac_debug ) 
-		{
-		DEBUG_MSG("Exception: %s\n", msg_.c_str());
-		abort();
-		}
-	}
-
-ExceptionIDNotFound::ExceptionIDNotFound(const ID* id)
-	: Exception(id), id_(id) 
-	{
-	append(fmt("`%s' undeclared", id_->Name()));
-	}
-
-ExceptionIDRedefinition::ExceptionIDRedefinition(const ID* id)
-	: Exception(id), id_(id) 
-	{
-	append(fmt("`%s' redefined", id_->Name()));
-	}
-
-ExceptionIDNotEvaluated::ExceptionIDNotEvaluated(const ID* id)
-	: Exception(id), id_(id) 
-	{
-	append(fmt("ID `%s' not evaluated before used", id->Name()));
-	}
-
-ExceptionIDNotField::ExceptionIDNotField(const ID* id)
-	: Exception(id), id_(id) 
-	{
-	append(fmt("ID `%s' is not a field", id_->Name()));
-	}
-
-ExceptionMemberNotFound::ExceptionMemberNotFound(const ID* type_id, 
-                                                 const ID *member_id)
-	: Exception(member_id), type_id_(type_id), member_id_(member_id)
-	{
-	append(fmt("type %s does not have member `%s'",
-	           type_id_->Name(), member_id_->Name()));
-	}
-
-ExceptionCyclicDependence::ExceptionCyclicDependence(const ID* id)
-	: Exception(id), id_(id) 
-	{
-	append(fmt("cyclic dependence through `%s'", id_->Name()));
-	}
-
-ExceptionPaddingError::ExceptionPaddingError(const Object* o, const char* msg)
-	: Exception(o)
-	{
-	append(msg);
-	}
-
-ExceptionNonConstExpr::ExceptionNonConstExpr(const Expr* expr)
-	: Exception(expr)
-	{
-	append(fmt("Expression `%s' is not constant", expr->orig()));
-	}
diff --git a/aux/binpac/src/pac_exception.h b/aux/binpac/src/pac_exception.h
deleted file mode 100644
index 7653ffeacc..0000000000
--- a/aux/binpac/src/pac_exception.h
+++ /dev/null
@@ -1,97 +0,0 @@
-// $Id: pac_exception.h 3225 2006-06-08 00:00:01Z vern $
-
-#ifndef pac_exception_h
-#define pac_exception_h
-
-#include <string>
-using namespace std;
-
-#include "pac_common.h"
-
-class Exception
-{
-public:
-	Exception(const Object* o, const char* msg = 0);
-
-	const char* msg() const 	{ return msg_.c_str(); }
-	void append(const char* s) 	{ msg_ += s; }
-
-private:
-	string msg_;
-};
-
-class ExceptionIDNotFound : public Exception
-{
-public:
-	ExceptionIDNotFound(const ID* id);
-	const ID* id() const { return id_; }
-
-private:
-	const ID* id_;
-};
-
-class ExceptionIDRedefinition : public Exception
-{
-public:
-	ExceptionIDRedefinition(const ID* id);
-	const ID* id() const { return id_; }
-
-private:
-	const ID* id_;
-};
-
-class ExceptionIDNotEvaluated : public Exception
-{
-public:
-	ExceptionIDNotEvaluated(const ID* id);
-	const ID* id() const { return id_; }
-
-private:
-	const ID* id_;
-};
-
-class ExceptionCyclicDependence : public Exception
-{
-public:
-	ExceptionCyclicDependence(const ID* id);
-	const ID* id() const { return id_; }
-
-private:
-	const ID* id_;
-};
-
-class ExceptionPaddingError : public Exception
-{
-public:
-	ExceptionPaddingError(const Object* o, const char* msg);
-};
-
-class ExceptionIDNotField : public Exception
-{
-public:
-	ExceptionIDNotField(const ID* id);
-	const ID* id() const { return id_; }
-
-private:
-	const ID* id_;
-};
-
-class ExceptionMemberNotFound : public Exception
-{
-public:
-	ExceptionMemberNotFound(const ID* type_id, const ID *member_id);
-
-private:
-	const ID *type_id_, *member_id_;
-};
-
-class ExceptionNonConstExpr : public Exception
-{
-public:
-	ExceptionNonConstExpr(const Expr* expr);
-
-private:
-	const Expr *expr;
-};
-
-#endif /* pac_exception_h */
diff --git a/aux/binpac/src/pac_expr.cc b/aux/binpac/src/pac_expr.cc
deleted file mode 100644
index 02303bc953..0000000000
--- a/aux/binpac/src/pac_expr.cc
+++ /dev/null
@@ -1,1041 +0,0 @@
-#include "pac_case.h"
-#include "pac_cstr.h"
-#include "pac_exception.h"
-#include "pac_expr.h"
-#include "pac_exttype.h"
-#include "pac_id.h"
-#include "pac_number.h"
-#include "pac_output.h"
-#include "pac_record.h"
-#include "pac_regex.h"
-#include "pac_strtype.h"
-#include "pac_typedecl.h"
-#include "pac_utils.h"
-
-string OrigExprList(ExprList *list)
-	{
-	bool first = true;
-	string str;
-	foreach(i, ExprList, list)
-		{
-		Expr *expr = *i;
-		if ( first )
-			first = false;
-		else
-			str += ", ";
-		str += expr->orig();
-		}
-	return str;
-	}
-
-string EvalExprList(ExprList *exprlist, Output *out, Env *env)
-	{
-	string val_list("");
-	bool first = true;
-
-	foreach(i, ExprList, exprlist)
-		{
-		if ( ! first )
-			val_list += ", ";
-		val_list += (*i)->EvalExpr(out, env);
-		first = false;
-		}
-
-	return val_list;
-	}
-
-static const char* expr_fmt[] = 
-{
-#	define EXPR_DEF(type, num_op, fmt) fmt,
-#	include "pac_expr.def"
-#	undef EXPR_DEF
-};
-
-void Expr::init()
-	{
-	id_ = 0;
-	num_ = 0;
-	cstr_ = 0;
-	regex_ = 0;
-	num_operands_ = 0;
-	operand_[0] = 0;
-	operand_[1] = 0;
-	operand_[2] = 0;
-	args_ = 0;
-	cases_ = 0;
-	}
-
-Expr::Expr(ID* arg_id)
-	: DataDepElement(EXPR)
-	{
-	init();
-	expr_type_ = EXPR_ID;
-	id_ = arg_id;
-	num_operands_ = 0;
-	orig_ = fmt("%s", id_->Name());
-	}
-
-Expr::Expr(Number* arg_num)
-	: DataDepElement(EXPR)
-	{
-	init();
-	expr_type_ = EXPR_NUM;
-	num_ = arg_num;
-	num_operands_ = 0;
-	orig_ = fmt("((int) %s)", num_->Str());
-	}
-
-Expr::Expr(ConstString *cstr)
-	: DataDepElement(EXPR)
-	{
-	init();
-	expr_type_ = EXPR_CSTR;
-	cstr_ = cstr;
-	num_operands_ = 0;
-	orig_ = cstr_->str();
-	}
-
-Expr::Expr(RegEx *regex)
-	: DataDepElement(EXPR)
-	{
-	init();
-	expr_type_ = EXPR_REGEX;
-	regex_ = regex;
-	num_operands_ = 0;
-	orig_ = fmt("/%s/", regex_->str().c_str());
-	}
-
-Expr::Expr(ExprType arg_type, Expr* op1)
-	: DataDepElement(EXPR)
-	{
-	init();
-	expr_type_ = arg_type;
-	num_operands_ = 1;
-	operand_[0] = op1;
-	orig_ = fmt(expr_fmt[expr_type_], op1->orig());
-	}
-
-Expr::Expr(ExprType arg_type, Expr* op1, Expr* op2)
-	: DataDepElement(EXPR)
-	{
-	init();
-	expr_type_ = arg_type;
-	num_operands_ = 2;
-	operand_[0] = op1;
-	operand_[1] = op2;
-	operand_[2] = 0;
-	orig_ = fmt(expr_fmt[expr_type_], op1->orig(), op2->orig());
-	}
-
-Expr::Expr(ExprType arg_type, Expr* op1, Expr* op2, Expr* op3)
-	: DataDepElement(EXPR)
-	{
-	init();
-	expr_type_ = arg_type;
-	num_operands_ = 3;
-	operand_[0] = op1;
-	operand_[1] = op2;
-	operand_[2] = op3;
-	orig_ = fmt(expr_fmt[expr_type_], op1->orig(), op2->orig(), op3->orig());
-	}
-
-Expr::Expr(ExprList *args)
-	: DataDepElement(EXPR)
-	{
-	init();
-	expr_type_ = EXPR_CALLARGS;
-	num_operands_ = -1;
-	args_ = args;
-
-	orig_ = OrigExprList(args_);
-	}
-
-Expr::Expr(Expr *index, CaseExprList *cases)
-	: DataDepElement(EXPR)
-	{
-	init();
-	expr_type_ = EXPR_CASE;
-	num_operands_ = -1;
-	operand_[0] = index;
-	cases_ = cases;
-
-	orig_ = strfmt("case %s of { ", index->orig());
-	foreach(i, CaseExprList, cases_)
-		{
-		CaseExpr *c = *i;
-		orig_ += strfmt("%s => %s; ", 
-		                OrigExprList(c->index()).c_str(), 
-		                c->value()->orig());
-		}
-	orig_ += "}";
-	}
-
-Expr::~Expr()
-	{
-	delete id_;
-	delete operand_[0];
-	delete operand_[1];
-	delete operand_[2];
-	delete_list(ExprList, args_);
-	delete_list(CaseExprList, cases_);
-	}
-
-void Expr::AddCaseExpr(CaseExpr *case_expr)
-	{
-	ASSERT(str_.empty());
-	ASSERT(expr_type_ == EXPR_CASE);
-	ASSERT(cases_);
-	cases_->push_back(case_expr);
-	}
-
-void Expr::GenStrFromFormat(Env *env)
-	{
-	// The format != "@custom@"
-	ASSERT(*expr_fmt[expr_type_] != '@');
-
-	switch ( num_operands_ )
-		{
-		case 1:
-			str_ = fmt(expr_fmt[expr_type_], 
-				operand_[0]->str());
-			break; 
-		case 2:
-			str_ = fmt(expr_fmt[expr_type_], 
-				operand_[0]->str(),
-				operand_[1]->str());
-			break; 
-		case 3:
-			str_ = fmt(expr_fmt[expr_type_], 
-				operand_[0]->str(),
-				operand_[1]->str(),
-				operand_[2]->str());
-			break; 
-		default:
-			DEBUG_MSG("num_operands_ = %d, orig = %s\n", num_operands_, orig());
-			ASSERT(0);
-			break;
-		}
-	}
-
-namespace {
-
-	RecordField *GetRecordField(const ID *id, Env *env)
-		{
-		Field* field = env->GetField(id);
-		ASSERT(field);
-		if ( field->tof() != RECORD_FIELD &&
-		     field->tof() != PADDING_FIELD )
-			throw Exception(id, "not a record field");
-		RecordField *r = static_cast<RecordField *>(field);
-		ASSERT(r);
-		return r;
-		}
-
-}  // private namespace
-
-void Expr::GenCaseEval(Output *out_cc, Env *env)
-	{
-	ASSERT(expr_type_ == EXPR_CASE);
-	ASSERT(operand_[0]);
-	ASSERT(cases_);
-
-	Type *val_type = DataType(env);
-	ID *val_var = env->AddTempID(val_type);
-
-	out_cc->println("%s %s;", 
-	                val_type->DataTypeStr().c_str(), 
-	                env->LValue(val_var));
-
-	// force evaluation of IDs appearing in case stmt
-        operand_[0]->ForceIDEval(out_cc, env);
-	foreach(i, CaseExprList, cases_)
-		(*i)->value()->ForceIDEval(out_cc, env);
-
-	out_cc->println("switch ( %s )", operand_[0]->EvalExpr(out_cc, env));
-
-	out_cc->inc_indent();
-	out_cc->println("{");
-
-	CaseExpr *default_case = 0;
-	foreach(i, CaseExprList, cases_)
-		{
-		CaseExpr *c = *i;
-		ExprList *index = c->index();
-		if ( ! index )
-			{
-			if ( default_case )
-				throw Exception(c, "duplicate default cases");
-			default_case = c;
-			}
-		else
-			{
-			GenCaseStr(index, out_cc, env);
-			out_cc->inc_indent();
-			out_cc->println("%s = %s;", 
-			                env->LValue(val_var),
-			                c->value()->EvalExpr(out_cc, env));
-			out_cc->println("break;");
-			out_cc->dec_indent();
-			}
-		}
-
-	// Generate the default case after all other cases
-	GenCaseStr(0, out_cc, env);
-	out_cc->inc_indent();
-	if ( default_case )
-		{
-		out_cc->println("%s = %s;", 
-	                	env->LValue(val_var),
-		                default_case->value()->EvalExpr(out_cc, env));
-		}
-	else
-		{
-		out_cc->println("throw ExceptionInvalidCaseIndex(\"%s\", %s);",
-			Location(), operand_[0]->EvalExpr(out_cc, env));
-		}
-	out_cc->println("break;");
-	out_cc->dec_indent();
-
-	out_cc->println("}");
-	out_cc->dec_indent();
-
-	env->SetEvaluated(val_var);
-	str_ = env->RValue(val_var);
-	}
-
-void Expr::GenEval(Output* out_cc, Env* env)
-	{
-	switch ( expr_type_ )
-		{
-		case EXPR_NUM:
-			str_ = num_->Str();
-			break;
-
-		case EXPR_ID:
-			if ( ! env->Evaluated(id_) )
-				env->Evaluate(out_cc, id_);
-			str_ = env->RValue(id_);
-			break;
-
-		case EXPR_MEMBER:
-			{
-			/*
-			For member expressions such X.Y, evaluating
-			X only is sufficient. (Actually trying to
-			evaluate Y will lead to error because Y is
-			not defined in the current environment.)
-			*/
-			operand_[0]->GenEval(out_cc, env);
-
-			Type *ty0 = operand_[0]->DataType(env);
-
-			str_ = fmt("%s%s",
-				operand_[0]->EvalExpr(out_cc, env),
-				ty0 ? 
-				ty0->EvalMember(operand_[1]->id()).c_str() :
-				fmt("->%s()", operand_[1]->id()->Name()));
-			}
-			break;
-
-		case EXPR_SUBSCRIPT:
-			{
-			operand_[0]->GenEval(out_cc, env);
-			operand_[1]->GenEval(out_cc, env);
-
-			string v0 = operand_[0]->EvalExpr(out_cc, env);
-			string v1 = operand_[1]->EvalExpr(out_cc, env);
-			
-			Type *ty0 = operand_[0]->DataType(env);
-			if ( ty0 )
-				str_ = ty0->EvalElement(v0, v1);
-			else
-				str_ = fmt("%s[%s]", v0.c_str(), v1.c_str());
-			}
-			break;
-
-		case EXPR_SIZEOF:
-			{
-			const ID *id = operand_[0]->id();
-			RecordField *rf;
-			Type *ty;
-
-			try 
-				{
-				if ( (rf = GetRecordField(id, env)) != 0 )
-					{
-					str_ = fmt("%s", rf->FieldSize(out_cc, env));
-					}
-				}
-			catch ( ExceptionIDNotFound &e )
-				{
-				if ( (ty = TypeDecl::LookUpType(id)) != 0 )
-					{
-					int ty_size = ty->StaticSize(global_env());
-					if ( ty_size >= 0 )
-						str_ = fmt("%d", ty_size);
-					else
-						throw Exception(id, "unknown size");
-					}
-				else
-					throw Exception(id, "not a record field or type");
-				}
-			}
-			break;
-
-		case EXPR_OFFSETOF:
-			{
-			const ID *id = operand_[0]->id();
-			RecordField *rf = GetRecordField(id, env);
-			str_ = fmt("%s", rf->FieldOffset(out_cc, env));
-			}
-			break;
-
-		case EXPR_CALLARGS:
-			str_ = EvalExprList(args_, out_cc, env);
-			break;
-
-		case EXPR_CASE:
-			GenCaseEval(out_cc, env);
-			break;
-
-		default:
-			// Evaluate every operand by default
-			for ( int i = 0; i < 3; ++i )
-				if ( operand_[i] )
-					operand_[i]->GenEval(out_cc, env);
-			GenStrFromFormat(env);
-			break;
-		}
-	}
-
-void Expr::ForceIDEval(Output* out_cc, Env* env)
-        {
-	switch ( expr_type_ )
-		{
-		case EXPR_NUM:
-		case EXPR_SIZEOF:
-		case EXPR_OFFSETOF:
-			break;
-
-		case EXPR_ID:
-			if ( ! env->Evaluated(id_) )
-				env->Evaluate(out_cc, id_);
-			break;
-
-		case EXPR_MEMBER:
-			operand_[0]->ForceIDEval(out_cc, env);
-			break;
-
-		case EXPR_CALLARGS:
-		        {
-		        foreach(i, ExprList, args_)
-			        (*i)->ForceIDEval(out_cc, env);
-			}
-			break;
-
-		case EXPR_CASE:
-		        {
-		        operand_[0]->ForceIDEval(out_cc, env);
-			foreach(i, CaseExprList, cases_)
-				(*i)->value()->ForceIDEval(out_cc, env);
-		        }
-			break;
-
-		default:
-			// Evaluate every operand by default
-			for ( int i = 0; i < 3; ++i )
-				if ( operand_[i] )
-					operand_[i]->ForceIDEval(out_cc, env);
-			break;
-		}
-	}
-
-
-const char* Expr::EvalExpr(Output* out_cc, Env* env)
-	{
-	GenEval(out_cc, env);
-	return str();
-	}
-
-Type *Expr::DataType(Env *env) const
-	{
-	Type *data_type;
-
-	switch ( expr_type_ )
-		{
-		case EXPR_ID:
-			data_type = env->GetDataType(id_);
-			break;
-
-		case EXPR_MEMBER:
-			{
-			// Get type of the parent
-			Type *parent_type = operand_[0]->DataType(env);
-			if ( ! parent_type )
-				return 0;
-			data_type = parent_type->MemberDataType(operand_[1]->id());
-			}
-			break;
-
-		case EXPR_SUBSCRIPT:
-			{
-			// Get type of the parent
-			Type *parent_type = operand_[0]->DataType(env);
-			data_type = parent_type->ElementDataType();
-			}
-			break;
-
-		case EXPR_PAREN:
-			data_type = operand_[0]->DataType(env);
-			break;
-
-		case EXPR_COND:
-			{
-			Type *type1 = operand_[1]->DataType(env);
-			Type *type2 = operand_[2]->DataType(env);
-			if ( ! Type::CompatibleTypes(type1, type2) )
-				{
-				throw Exception(this, 
-					fmt("type mismatch: %s vs %s",
-					    type1->DataTypeStr().c_str(),
-					    type2->DataTypeStr().c_str()));
-				}
-			data_type = type1;
-			}
-			break;
-
-		case EXPR_CALL:
-			data_type = operand_[0]->DataType(env);
-			break;
-
-		case EXPR_CASE:
-			{
-			if ( cases_ && ! cases_->empty() )
-				{
-				Type *type1 = 
-					cases_->front()->value()->DataType(env);
-				foreach(i, CaseExprList, cases_)
-					{
-					Type *type2 = 
-						(*i)->value()->DataType(env);
-					if ( ! Type::CompatibleTypes(type1, type2) )
-						{
-						throw Exception(this, 
-							fmt("type mismatch: %s vs %s",
-					    		    type1->DataTypeStr().c_str(),
-					                    type2->DataTypeStr().c_str()));
-						}
-					if ( type1 == extern_type_nullptr )
-						type1 = type2;
-					}
-				data_type = type1;
-				}
-			else
-				data_type = 0;
-			}
-			break;
-
-		case EXPR_NUM:
-		case EXPR_SIZEOF:
-		case EXPR_OFFSETOF:
-		case EXPR_NEG:
-		case EXPR_PLUS:
-		case EXPR_MINUS:
-		case EXPR_TIMES:
-		case EXPR_DIV:
-		case EXPR_MOD:
-		case EXPR_BITNOT:
-		case EXPR_BITAND:
-		case EXPR_BITOR:
-		case EXPR_BITXOR:
-		case EXPR_LSHIFT:
-		case EXPR_RSHIFT:
-		case EXPR_EQUAL:
-		case EXPR_GE:
-		case EXPR_LE:
-		case EXPR_GT:
-		case EXPR_LT:
-		case EXPR_NOT:
-		case EXPR_AND:
-		case EXPR_OR:
-			data_type = extern_type_int;
-			break;
-
-		default:
-			data_type = 0;
-			break;
-		}
-
-	return data_type;
-	}
-
-string Expr::DataTypeStr(Env *env) const
-	{
-	Type *type = DataType(env);
-
-	if ( ! type )
-		{
-		throw Exception(this, 
-		                fmt("cannot find data type for expression `%s'",
-		                    orig()));
-		}
-
-	return type->DataTypeStr();
-	}
-
-string Expr::SetFunc(Output *out, Env *env)
-	{
-	switch ( expr_type_ )
-		{
-		case EXPR_ID:
-			return set_function(id_);
-		case EXPR_MEMBER:
-			{
-			// Evaluate the parent
-			string parent_val(operand_[0]->EvalExpr(out, env));
-			return parent_val 
-				+ "->" 
-				+ set_function(operand_[1]->id());
-			}
-			break;
-		default:
-			throw Exception(this, 
-			                fmt("cannot generate set function "
-			                    "for expression `%s'", orig()));
-			break;
-		}
-	}
-
-bool Expr::ConstFold(Env* env, int* pn) const
-	{
-	switch ( expr_type_ ) 
-		{
-		case EXPR_NUM:	
-			*pn = num_->Num();
-			return true;
-		case EXPR_ID:
-			return env->GetConstant(id_, pn);
-		default:	
-			// ### FIXME: folding consts
-			return false;
-		}
-	}
-
-// TODO: build a generic data dependency extraction process
-namespace {
-
-	// Maximum of two minimal header sizes
-	int mhs_max(int h1, int h2) 
-		{
-		if ( h1 < 0 || h2 < 0 )
-			return -1;
-		else
-			{
-			// return max(h1, h2);
-			return h1 > h2 ? h1 : h2;
-			}
-		}
-			
-	// MHS required to evaluate the field
-	int mhs_letfield(Env* env, LetField* field)
-		{
-		return field->expr()->MinimalHeaderSize(env);
-		}
-
-	int mhs_recordfield(Env* env, RecordField* field)
-		{
-		int offset = field->static_offset();
-		if ( offset < 0 )  // offset cannot be statically determined
-			return -1;
-		int size = field->StaticSize(env, offset);
-		if ( size < 0 )  // size cannot be statically determined
-			return -1;
-		return offset + size;
-		}
-
-	int mhs_casefield(Env* env, CaseField* field)
-		{
-		// TODO: deal with the index
-		int size = field->StaticSize(env);
-		if ( size < 0 )  // size cannot be statically determined
-			return -1;
-		return size;
-		}
-
-	int mhs_field(Env* env, Field* field)
-		{
-		int mhs = -1;
-		switch ( field->tof() )
-			{
-			case LET_FIELD:
-				{
-				LetField *f = 
-					static_cast<LetField *>(field);
-				ASSERT(f);
-				mhs = mhs_letfield(env, f);
-				}
-				break;
-
-			case CONTEXT_FIELD:
-			case FLOW_FIELD:
-				ASSERT(0);
-				break;
-
-			case PARAM_FIELD:
-				mhs = 0;
-				break;
-
-			case RECORD_FIELD:
-			case PADDING_FIELD:
-				{
-				RecordField *f = 
-					static_cast<RecordField *>(field);
-				ASSERT(f);
-				mhs = mhs_recordfield(env, f);
-				}
-				break;
-
-			case CASE_FIELD:
-				{
-				CaseField *f = 
-					static_cast<CaseField *>(field);
-				ASSERT(f);
-				mhs = mhs_casefield(env, f);
-				}
-				break;
-
-			case PARSE_VAR_FIELD:
-			case PRIV_VAR_FIELD:
-			case PUB_VAR_FIELD:
-			case TEMP_VAR_FIELD:
-				mhs = 0;
-				break;
-
-			case WITHINPUT_FIELD:
-				{
-				// ### TODO: fix this
-				mhs = -1;
-				}
-				break;
-			}
-		return mhs;
-		}
-
-	int mhs_id(Env *env, const ID *id)
-		{
-		int mhs = -1;
-		switch ( env->GetIDType(id) ) 
-			{
-			case CONST:
-			case GLOBAL_VAR:
-			case TEMP_VAR:
-			case STATE_VAR:
-			case FUNC_ID:
-			case FUNC_PARAM:
-				mhs = 0;
-				break;
-			case MEMBER_VAR:
-			case PRIV_MEMBER_VAR:
-				{
-				Field* field = env->GetField(id);
-				if ( ! field )
-					throw ExceptionIDNotField(id);
-				mhs = mhs_field(env, field);
-				}
-				break;
-			case UNION_VAR:
-				// TODO: deal with UNION_VAR
-				mhs = -1;
-				break;
-			case MACRO:
-				{
-				Expr *e = env->GetMacro(id);
-				mhs = e->MinimalHeaderSize(env);
-				}
-				break;
-			}
-		return mhs;
-		}
-}
-
-int Expr::MinimalHeaderSize(Env *env)
-	{
-	int mhs;
-
-	switch ( expr_type_ )
-		{
-		case EXPR_NUM:
-			// Zero byte is required
-			mhs = 0;
-			break;
-
-		case EXPR_ID:
-			mhs = mhs_id(env, id_);
-			break;
-
-		case EXPR_MEMBER:
-			// TODO: this is not a tight bound because
-			// one actually does not have to parse the
-			// whole record to compute one particular
-			// field.
-			mhs = operand_[0]->MinimalHeaderSize(env);
-			break;
-
-		case EXPR_SUBSCRIPT:
-			{
-			int index;
-			Type *array_type = operand_[0]->DataType(env);
-			Type *elem_type = array_type->ElementDataType();
-			int elem_size = elem_type->StaticSize(env);
-			if ( elem_size >= 0 &&
-			     operand_[1]->ConstFold(env, &index) )
-				{
-				mhs = elem_size * index;
-				}
-			else
-				{
-				mhs = -1;
-				}
-			}
-
-		case EXPR_SIZEOF:
-			{
-			const ID* id = operand_[0]->id();
-			ASSERT(id);
-			RecordField *rf;
-			Type *ty;
-
-			if ( (rf = GetRecordField(id, env)) != 0 )
-				{
-				if ( rf->StaticSize(env, -1) >= 0 )
-					mhs = 0;
-				else
-					mhs = mhs_recordfield(env, rf);
-				}
-
-			else if ( (ty = TypeDecl::LookUpType(id)) != 0 )
-				{
-				mhs = 0;
-				}
-
-			else
-				throw Exception(id, "not a record field or type");
-			}
-			break;
-
-		case EXPR_OFFSETOF:
-			{
-			const ID* id = operand_[0]->id();
-			ASSERT(id);
-			RecordField *field = GetRecordField(id, env);
-			
-			mhs = field->static_offset();
-			if ( mhs < 0 )
-				{
-				mhs = 0;
-				// Take the MHS of the preceding (non-let) field
-				RecordField* prev_field = field->prev();
-				ASSERT(prev_field);
-				mhs = mhs_recordfield(env, prev_field);
-				}
-			}
-			break;
-
-		case EXPR_CALLARGS:
-		        {
-		        mhs = 0;
-			if ( args_ )
-			        for ( unsigned int i = 0; i < args_->size(); ++i )
-					mhs = mhs_max(mhs, (*args_)[i]->MinimalHeaderSize(env));
-			}
-		        break;
-		case EXPR_CASE:
-		        {
-		        mhs = operand_[0]->MinimalHeaderSize(env);
-			for ( unsigned int i = 0; i < cases_->size(); ++i )
-			        {
-				CaseExpr * ce = (*cases_)[i];
-				if ( ce->index() )
-				        for ( unsigned int j = 0; j < ce->index()->size(); ++j )
-						mhs = mhs_max(mhs, (*ce->index())[j]->MinimalHeaderSize(env));
-				mhs = mhs_max(mhs, ce->value()->MinimalHeaderSize(env));
-				}
-			}
-			break;
-		default:
-			// Evaluate every operand by default
-			mhs = 0;
-			for ( int i = 0; i < 3; ++i )
-				if ( operand_[i] )
-					mhs = mhs_max(mhs, operand_[i]->MinimalHeaderSize(env));
-			break;
-		}
-
-	return mhs;
-	}
-
-bool Expr::HasReference(const ID *id) const
-	{
-	switch ( expr_type_ )
-		{
-		case EXPR_ID:
-			return *id == *id_;
-
-		case EXPR_MEMBER:
-			return operand_[0]->HasReference(id);
-
-		case EXPR_CALLARGS:
-			{
-			foreach(i, ExprList, args_)
-				if ( (*i)->HasReference(id) )
-					return true;
-			}
-			return false;
-
-		case EXPR_CASE:
-			{
-			foreach(i, CaseExprList, cases_)
-				if ( (*i)->HasReference(id) )
-					return true;
-			}
-			return false;
-
-		default:
-			// Evaluate every operand by default
-			for ( int i = 0; i < 3; ++i )
-				{
-				if ( operand_[i] && 
-				     operand_[i]->HasReference(id) )
-					{
-					return true;
-					}
-				}
-			return false;
-		}
-	}
-
-bool Expr::DoTraverse(DataDepVisitor *visitor)
-	{
-	switch ( expr_type_ )
-		{
-		case EXPR_ID:
-			break;
-
-		case EXPR_MEMBER:
-			/*
-			For member expressions such X.Y, evaluating
-			X only is sufficient. (Actually trying to
-			evaluate Y will lead to error because Y is
-			not defined in the current environment.)
-			*/
-			if ( ! operand_[0]->Traverse(visitor) )
-				return false;
-			break;
-
-		case EXPR_CALLARGS:
-			{
-			foreach(i, ExprList, args_)
-				if ( ! (*i)->Traverse(visitor) )
-					return false;
-			}
-			break;
-
-		case EXPR_CASE:
-			{
-			foreach(i, CaseExprList, cases_)
-				if ( ! (*i)->Traverse(visitor) )
-					return false;
-			}
-			break;
-
-		default:
-			// Evaluate every operand by default
-			for ( int i = 0; i < 3; ++i )
-				{
-				if ( operand_[i] && 
-				     ! operand_[i]->Traverse(visitor) )
-					{
-					return false;
-					}
-				}
-			break;
-		}
-
-	return true;
-	}
-
-bool Expr::RequiresAnalyzerContext() const
-	{
-	switch ( expr_type_ )
-		{
-		case EXPR_ID:
-			return *id_ == *analyzer_context_id;
-
-		case EXPR_MEMBER:
-			/*
-			For member expressions such X.Y, evaluating
-			X only is sufficient. (Actually trying to
-			evaluate Y will lead to error because Y is
-			not defined in the current environment.)
-			*/
-			return operand_[0]->RequiresAnalyzerContext();
-
-		case EXPR_CALLARGS:
-			{
-			foreach(i, ExprList, args_)
-				if ( (*i)->RequiresAnalyzerContext() )
-					return true;
-			}
-			return false;
-
-		case EXPR_CASE:
-			{
-			foreach(i, CaseExprList, cases_)
-				if ( (*i)->RequiresAnalyzerContext() )
-					return true;
-			}
-			return false;
-
-		default:
-			// Evaluate every operand by default
-			for ( int i = 0; i < 3; ++i )
-				if ( operand_[i] && 
-				     operand_[i]->RequiresAnalyzerContext() )
-					{
-					DEBUG_MSG("'%s' requires analyzer context\n", operand_[i]->orig());
-					return true;
-					}
-			return false;
-		}
-	}
-
-CaseExpr::CaseExpr(ExprList *index, Expr *value)
-	: DataDepElement(DataDepElement::CASEEXPR), 
-	  index_(index), value_(value)
-	{
-	}
-
-CaseExpr::~CaseExpr()
-	{
-	delete_list(ExprList, index_);
-	delete value_;
-	}
-
-bool CaseExpr::DoTraverse(DataDepVisitor *visitor)
-	{
-	foreach(i, ExprList, index_)
-		if ( ! (*i)->Traverse(visitor) )
-			return false;
-	return value_->Traverse(visitor);
-	}
-
-bool CaseExpr::HasReference(const ID *id) const
-	{
-	return value_->HasReference(id);
-	}
-
-bool CaseExpr::RequiresAnalyzerContext() const
-	{
-	// index_ should evaluate to constants
-	return value_->RequiresAnalyzerContext();
-	}
diff --git a/aux/binpac/src/pac_expr.def b/aux/binpac/src/pac_expr.def
deleted file mode 100644
index d7c0319522..0000000000
--- a/aux/binpac/src/pac_expr.def
+++ /dev/null
@@ -1,34 +0,0 @@
-EXPR_DEF(EXPR_ID, 		0, "%s")
-EXPR_DEF(EXPR_NUM,		0, "%s")
-EXPR_DEF(EXPR_CSTR,		0, "%s")
-EXPR_DEF(EXPR_REGEX,		0, "REGEX(%s)")
-EXPR_DEF(EXPR_SUBSCRIPT,	2, "@element@(%s[%s])") 
-EXPR_DEF(EXPR_MEMBER,		2, "@%s->%s@") 
-EXPR_DEF(EXPR_PAREN,		1, " ( %s ) ") 
-EXPR_DEF(EXPR_CALL,		1, "%s(%s)")
-EXPR_DEF(EXPR_CALLARGS,		-1, "@custom@")
-EXPR_DEF(EXPR_SIZEOF,		1, "@sizeof(%s)@")
-EXPR_DEF(EXPR_OFFSETOF,		1, "@offsetof(%s)@")
-EXPR_DEF(EXPR_NEG,		1, "-%s") 
-EXPR_DEF(EXPR_PLUS,		2, "%s + %s")
-EXPR_DEF(EXPR_MINUS,		2, "%s - %s")
-EXPR_DEF(EXPR_TIMES,		2, "%s * %s")
-EXPR_DEF(EXPR_DIV,		2, "%s / %s")
-EXPR_DEF(EXPR_MOD,		2, "%s %% %s")
-EXPR_DEF(EXPR_BITNOT,		1, "~%s")
-EXPR_DEF(EXPR_BITAND,		2, "%s & %s")
-EXPR_DEF(EXPR_BITOR,		2, "%s | %s")
-EXPR_DEF(EXPR_BITXOR,		2, "%s ^ %s")
-EXPR_DEF(EXPR_LSHIFT,		2, "%s << %s")
-EXPR_DEF(EXPR_RSHIFT,		2, "%s >> %s")
-EXPR_DEF(EXPR_EQUAL,		2, "%s == %s")
-EXPR_DEF(EXPR_NEQ,		2, "%s != %s")
-EXPR_DEF(EXPR_GE,		2, "%s >= %s")
-EXPR_DEF(EXPR_LE,		2, "%s <= %s")
-EXPR_DEF(EXPR_GT,		2, "%s > %s")
-EXPR_DEF(EXPR_LT,		2, "%s < %s")
-EXPR_DEF(EXPR_NOT,		1, "! %s")
-EXPR_DEF(EXPR_AND,		2, "%s && %s")
-EXPR_DEF(EXPR_OR,		2, "%s || %s")
-EXPR_DEF(EXPR_COND,		3, "%s ? %s : %s")
-EXPR_DEF(EXPR_CASE,		-1, "@custom@")
diff --git a/aux/binpac/src/pac_expr.h b/aux/binpac/src/pac_expr.h
deleted file mode 100644
index be1e70c6ea..0000000000
--- a/aux/binpac/src/pac_expr.h
+++ /dev/null
@@ -1,139 +0,0 @@
-#ifndef pac_expr_h
-#define pac_expr_h
-
-#include "pac_common.h"
-#include "pac_datadep.h"
-
-class CaseExpr;
-
-class Expr : public Object, public DataDepElement
-{
-public:
-	enum ExprType {
-#		define EXPR_DEF(type, x, y) type,
-#		include "pac_expr.def"
-#		undef EXPR_DEF
-	};
-
-	void init();
-
-	Expr(ID *id);
-	Expr(Number *num);
-	Expr(ConstString *s);
-	Expr(RegEx *regex);
-	Expr(ExprList *args);	// for EXPR_CALLARGS
-	Expr(Expr *index, CaseExprList *cases);
-
-	Expr(ExprType type, Expr *op1);
-	Expr(ExprType type, Expr *op1, Expr *op2);
-	Expr(ExprType type, Expr *op1, Expr *op2, Expr *op3);
-
-	virtual ~Expr();
-
-	const char *orig() const	{ return orig_.c_str(); }
-	const ID *id() const 		{ return id_; }
-	const char *str() const		{ return str_.c_str(); }
-	ExprType expr_type() const	{ return expr_type_; }
-
-	void AddCaseExpr(CaseExpr *case_expr);
-
-	// Returns the data "type" of the expression. Here we only
-	// do a serious job for the EXPR_MEMBER and EXPR_SUBSCRIPT
-	// operators. For arithmetic operations, we fall back
-	// to "int".
-	Type *DataType(Env *env) const;
-	string DataTypeStr(Env *env) const;
-
-	// Note: EvalExpr() may generate C++ statements in order to evaluate 
-	// variables in the expression, so the following is wrong:
-	//
-	// out->print("int x = ");
-	// out->println("%s", expr->EvalExpr(out, env));
-	//
-	// While putting them together is right:
-	//
-	// out->println("int x = %s", expr->EvalExpr(out, env));
-	//
-	const char *EvalExpr(Output *out, Env *env);
-
-	// force evaulation of IDs contained in this expression;
-	// necessary with case expr and conditional let fields (&if)
-	// for correct parsing of fields
-	void ForceIDEval(Output *out_cc, Env *env);
-
-	// Returns the set_* function of the expression. 
-	// The expression must be of form ID or x.ID.
-	string SetFunc(Output *out, Env *env);
-
-	// Returns true if the expression folds to an integer
-	// constant with env, and puts the constant in *pn.
-	//
-	bool ConstFold(Env *env, int *pn) const;
-
-	// Whether id is referenced in the expression
-	bool HasReference(const ID *id) const;
-
-	// Suppose the data for type might be incomplete, what is
-	// the minimal number of bytes from data head required to
-	// compute the expression? For example, how many bytes of frame
-	// header do we need to determine the length of the frame?
-	//
-	// The parameter <env> points to the Env of a type.
-	// 
-	// Returns -1 if the number is not a constant.
-	//
-	int MinimalHeaderSize(Env *env);
-
-	// Whether evaluation of the expression requires the analyzer context
-	bool RequiresAnalyzerContext() const;
-
-protected:
-	bool DoTraverse(DataDepVisitor *visitor);
-
-private:
-	ExprType expr_type_;
-
-	int num_operands_;
-	Expr *operand_[3];
-
-	ID *id_;		// EXPR_ID
-	Number *num_;		// EXPR_NUM
-	ConstString *cstr_;	// EXPR_CSTR
-	RegEx *regex_;		// EXPR_REGEX
-	ExprList *args_;	// EXPR_CALLARGS
-	CaseExprList *cases_;	// EXPR_CASE
-
-	string str_;		// value string
-	string orig_;		// original string for debugging info
-
-	void GenStrFromFormat(Env *env);
-	void GenEval(Output *out, Env *env);
-	void GenCaseEval(Output *out_cc, Env *env);
-};
-
-string OrigExprList(ExprList *exprlist);
-string EvalExprList(ExprList *exprlist, Output *out, Env *env);
-
-// An entry of the case expression, consisting of one or more constant
-// expressions for the case index and a value expression.
-class CaseExpr : public Object, public DataDepElement
-{
-public:
-	CaseExpr(ExprList *index, Expr *value);
-	virtual ~CaseExpr();
-
-	ExprList *index() const 	{ return index_; }
-	Expr *value() const 		{ return value_; }
-
-	bool HasReference(const ID *id) const;
-	bool RequiresAnalyzerContext() const;
-
-protected:
-	bool DoTraverse(DataDepVisitor *visitor);
-
-private:
-	ExprList *index_;
-	Expr *value_;
-};
-
-#endif  // pac_expr_h
diff --git a/aux/binpac/src/pac_externtype.def b/aux/binpac/src/pac_externtype.def
deleted file mode 100644
index aeac5a51b0..0000000000
--- a/aux/binpac/src/pac_externtype.def
+++ /dev/null
@@ -1,15 +0,0 @@
-EXTERNTYPE(bool, bool, NUMBER)
-EXTERNTYPE(int, int, NUMBER)
-EXTERNTYPE(double, double, NUMBER)
-EXTERNTYPE(string, string, PLAIN)
-EXTERNTYPE(void, void, PLAIN)
-EXTERNTYPE(voidptr, void, POINTER)
-EXTERNTYPE(nullptr, nullptr, PLAIN)
-EXTERNTYPE(bytearray, bytearray, PLAIN)
-EXTERNTYPE(const_charptr, const_charptr, PLAIN)
-EXTERNTYPE(const_byteptr, const_byteptr, PLAIN)
-// EXTERNTYPE(const_byteseg, const_byteseg, PLAIN)
-EXTERNTYPE(const_bytestring, const_bytestring, PLAIN)
-// EXTERNTYPE(bytestring, bytestring, PLAIN)
-EXTERNTYPE(re_matcher, re_matcher, PLAIN)
-EXTERNTYPE(flowbuffer, FlowBuffer, POINTER)
diff --git a/aux/binpac/src/pac_exttype.cc b/aux/binpac/src/pac_exttype.cc
deleted file mode 100644
index 659d4cdc5e..0000000000
--- a/aux/binpac/src/pac_exttype.cc
+++ /dev/null
@@ -1,76 +0,0 @@
-#include "pac_exttype.h"
-#include "pac_id.h"
-#include "pac_decl.h"
-
-bool ExternType::DefineValueVar() const
-	{
-	return true;
-	}
-
-string ExternType::DataTypeStr() const
-	{ 
-	switch ( ext_type_ )
-		{
-		case PLAIN:
-		case NUMBER:
-			return id_->Name(); 
-		case POINTER:
-			return string(id_->Name()) + " *"; 
-		default:
-			ASSERT(0);
-			return "";
-		}
-	}
-
-int ExternType::StaticSize(Env* env) const
-	{
-	ASSERT(0);
-	return -1;
-	}
-
-bool ExternType::ByteOrderSensitive() const 
-	{ 
-	return false;
-	}
-
-string ExternType::EvalMember(const ID *member_id) const
-	{
-	return strfmt("%s%s", 
-		ext_type_ == POINTER ? "->" : ".",
-		member_id->Name());
-	}
-
-void ExternType::DoGenParseCode(Output* out, Env* env, const DataPtr& data, int flags)
-	{
-	ASSERT(0);
-	}
-
-void ExternType::GenDynamicSize(Output* out, Env* env, const DataPtr& data)
-	{
-	ASSERT(0);
-	}
-
-Type *ExternType::DoClone() const
-	{ 
-	return new ExternType(id_->clone(), ext_type_); 
-	}
-
-// Definitions of pre-defined external types
-
-#define EXTERNTYPE(name, ctype, exttype) ExternType *extern_type_##name = 0;
-#include "pac_externtype.def"
-#undef EXTERNTYPE
-
-void ExternType::static_init()
-	{
-	ID *id;
-	// TypeDecl *decl;
-	// decl = new TypeDecl(id, 0, extern_type_##name);
-
-#define EXTERNTYPE(name, ctype, exttype) \
-	id = new ID(#ctype); \
-	extern_type_##name = new ExternType(id, ExternType::exttype); \
-	Type::AddPredefinedType(#name, extern_type_##name); 
-#include "pac_externtype.def"
-#undef EXTERNTYPE
-	}
diff --git a/aux/binpac/src/pac_exttype.h b/aux/binpac/src/pac_exttype.h
deleted file mode 100644
index 6d81608195..0000000000
--- a/aux/binpac/src/pac_exttype.h
+++ /dev/null
@@ -1,47 +0,0 @@
-#ifndef pac_exttype_h
-#define pac_exttype_h
-
-#include "pac_type.h"
-
-// ExternType represent external C++ types that are not defined in
-// PAC specification (therefore they cannot appear in data layout
-// spefication, e.g., in a record field). The type name is copied
-// literally to the compiled code. 
-
-class ExternType : public Type
-{
-public:
-	enum EXTType { PLAIN, NUMBER, POINTER };
-	ExternType(const ID *id, EXTType ext_type)
-		: Type(EXTERN), 
-		  id_(id), 
-		  ext_type_(ext_type) {}
-
-	bool DefineValueVar() const;
-	string DataTypeStr() const;
-	int StaticSize(Env *env) const;
-	bool ByteOrderSensitive() const;
-
-	string EvalMember(const ID *member_id) const;
-	bool IsNumericType() const		{ return ext_type_ == NUMBER; }
-	bool IsPointerType() const		{ return ext_type_ == POINTER; }
-
-protected:
-	void DoGenParseCode(Output *out, Env *env, const DataPtr& data, int flags);
-	void GenDynamicSize(Output *out, Env *env, const DataPtr& data);
-
-	Type *DoClone() const;
-
-private:
-	const ID *id_;
-	EXTType ext_type_;
-
-public:
-	static void static_init();
-};
-
-#define EXTERNTYPE(name, ctype, exttype) extern ExternType *extern_type_##name;
-#include "pac_externtype.def"
-#undef EXTERNTYPE
-
-#endif  // pac_exttype_h
diff --git a/aux/binpac/src/pac_field.cc b/aux/binpac/src/pac_field.cc
deleted file mode 100644
index 0ee70e4b28..0000000000
--- a/aux/binpac/src/pac_field.cc
+++ /dev/null
@@ -1,143 +0,0 @@
-#include "pac_attr.h"
-#include "pac_common.h"
-#include "pac_exception.h"
-#include "pac_field.h"
-#include "pac_id.h"
-#include "pac_type.h"
-
-Field::Field(FieldType tof, int flags, ID *id, Type *type)
-	: DataDepElement(DataDepElement::FIELD),
-	  tof_(tof), flags_(flags), id_(id), type_(type)
-	{
-	decl_id_ = current_decl_id;
-	field_id_str_ = strfmt("%s:%s", decl_id()->Name(), id_->Name());
-	attrs_ = 0;
-	}
-
-Field::~Field()
-	{
-	delete id_;
-	delete type_;
-	delete_list(AttrList, attrs_);
-	}
-
-void Field::AddAttr(AttrList* attrs)
-	{
-	if ( ! attrs_ )
-		{
-		attrs_ = attrs;
-		}
-	else
-		{
-		attrs_->insert(attrs_->end(), attrs->begin(), attrs->end());
-		delete attrs;
-		}
-
-	foreach(i, AttrList, attrs)
-		ProcessAttr(*i);
-	}
-
-void Field::ProcessAttr(Attr *a)
-	{
-	switch ( a->type() )
-		{
-		case ATTR_IF:
-			if ( tof() != LET_FIELD &&
-			     tof() != WITHINPUT_FIELD )
-				{
-				throw Exception(a, 
-					"&if can only be applied to a "
-					"let field");
-				}
-			break;
-		default:
-			break;
-		}
-
-	if ( type_ )
-		type_->ProcessAttr(a);
-	}
-
-bool Field::anonymous_field() const
-	{
-	return type_ && type_->anonymous_value_var();
-	}
-
-int Field::ValueVarType() const
-	{
-	if ( flags_ & CLASS_MEMBER )
-		return (flags_ & PUBLIC_READABLE) ? MEMBER_VAR : PRIV_MEMBER_VAR;
-	else
-		return TEMP_VAR;
-	}
-
-void Field::Prepare(Env *env)
-	{
-	if ( type_ )
-		{
-		if ( anonymous_field() )
-			flags_ &= ~(CLASS_MEMBER | PUBLIC_READABLE);
-		if ( ! type_->persistent() )
-			flags_ &= (~PUBLIC_READABLE);
-
-		type_->set_value_var(id(), ValueVarType());
-		type_->Prepare(env, 
-			flags_ & TYPE_TO_BE_PARSED ? 
-				Type::TO_BE_PARSED : 0);
-		env->SetField(id(), this);
-		}
-	}
-
-void Field::GenPubDecls(Output* out_h, Env* env)
-	{
-	if ( type_ && (flags_ & PUBLIC_READABLE) && (flags_ & CLASS_MEMBER) )
-		type_->GenPubDecls(out_h, env);
-	}
-
-void Field::GenPrivDecls(Output* out_h, Env* env)
-	{
-	// Generate private declaration only if it is a class member
-	if ( type_ && (flags_ & CLASS_MEMBER) )
-		type_->GenPrivDecls(out_h, env);
-	}
-
-void Field::GenTempDecls(Output* out_h, Env* env)
-	{
-	// Generate temp field
-	if ( type_ && !(flags_ & CLASS_MEMBER) )
-		type_->GenPrivDecls(out_h, env);
-	}
-
-void Field::GenInitCode(Output* out_cc, Env* env)
-	{
-	if ( type_ && ! anonymous_field() )
-		type_->GenInitCode(out_cc, env);
-	}
-
-void Field::GenCleanUpCode(Output* out_cc, Env* env)
-	{
-	if ( type_ && ! anonymous_field() )
-		type_->GenCleanUpCode(out_cc, env);
-	}
-
-bool Field::DoTraverse(DataDepVisitor *visitor)
-	{
-	// Check parameterized type
-	if ( type_ && ! type_->Traverse(visitor) )
-		return false;
-	foreach(i, AttrList, attrs_)
-		if ( ! (*i)->Traverse(visitor) )
-			return false;
-	return true;
-	}
-
-bool Field::RequiresAnalyzerContext() const
-	{
-	// Check parameterized type
-	if ( type_ && type_->RequiresAnalyzerContext() )
-		return true;
-	foreach(i, AttrList, attrs_)
-		if ( (*i)->RequiresAnalyzerContext() )
-			return true;
-	return false;
-	}
diff --git a/aux/binpac/src/pac_field.h b/aux/binpac/src/pac_field.h
deleted file mode 100644
index 169c8110ec..0000000000
--- a/aux/binpac/src/pac_field.h
+++ /dev/null
@@ -1,84 +0,0 @@
-#ifndef pac_field_h
-#define pac_field_h
-
-#include "pac_common.h"
-#include "pac_datadep.h"
-
-// A "field" is a member of class.
-
-enum FieldType {
-	CASE_FIELD, 
-	CONTEXT_FIELD,
-	FLOW_FIELD,
-	LET_FIELD, 
-	PADDING_FIELD, 
-	PARAM_FIELD,
-	RECORD_FIELD, 
-	PARSE_VAR_FIELD,
-	PRIV_VAR_FIELD,
-	PUB_VAR_FIELD,
-	TEMP_VAR_FIELD,
-	WITHINPUT_FIELD,
-};
-
-class Field : public Object, public DataDepElement
-{
-public:
-	Field(FieldType tof, int flags, ID *id, Type *type);
-	// Field flags
-
-	// Whether the field will be evaluated by calling the Parse()
-	// function of the type
-	static const int TYPE_TO_BE_PARSED = 1;	
-	static const int TYPE_NOT_TO_BE_PARSED = 0;
-
-	// Whether the field is a member of the class or a temp
-	// variable
-	static const int CLASS_MEMBER = 2;
-	static const int NOT_CLASS_MEMBER = 0;
-
-	// Whether the field is public readable
-	static const int PUBLIC_READABLE = 4;
-	static const int NOT_PUBLIC_READABLE = 0;
-
-	virtual ~Field();
-
-	FieldType tof() const 	{ return tof_; }
-	const ID* id() const		{ return id_; }
-	Type *type() const		{ return type_; }
-	const ID* decl_id() const	{ return decl_id_; }
-
-	bool anonymous_field() const;
-
-	void AddAttr(AttrList* attrs);
-
-	// The field interface
-	virtual void ProcessAttr(Attr *attr);
-	virtual void Prepare(Env* env);
-
-	virtual void GenPubDecls(Output* out, Env* env);
-	virtual void GenPrivDecls(Output* out, Env* env);
-	virtual void GenTempDecls(Output* out, Env* env);
-
-	virtual void GenInitCode(Output* out, Env* env);
-	virtual void GenCleanUpCode(Output* out, Env* env);
-
-	virtual bool RequiresAnalyzerContext() const;
-
-protected:
-	int ValueVarType() const;
-	bool ToBeParsed() const;
-
-	bool DoTraverse(DataDepVisitor *visitor);
-
-protected:
-	FieldType tof_;
-	int flags_;
-	ID* id_;
-	Type *type_;
-	const ID* decl_id_;
-	string field_id_str_;
-	AttrList* attrs_;
-};
-
-#endif  // pac_field_h
diff --git a/aux/binpac/src/pac_flow.cc b/aux/binpac/src/pac_flow.cc
deleted file mode 100644
index adf574e879..0000000000
--- a/aux/binpac/src/pac_flow.cc
+++ /dev/null
@@ -1,340 +0,0 @@
-#include "pac_analyzer.h"
-#include "pac_conn.h"
-#include "pac_context.h"
-#include "pac_dataptr.h"
-#include "pac_dataunit.h"
-#include "pac_embedded.h"
-#include "pac_exception.h"
-#include "pac_expr.h"
-#include "pac_exttype.h"
-#include "pac_flow.h"
-#include "pac_output.h"
-#include "pac_param.h"
-#include "pac_paramtype.h"
-#include "pac_type.h"
-#include "pac_varfield.h"
-
-
-FlowDecl::FlowDecl(ID *id, 
-                   ParamList *params, 
-                   AnalyzerElementList *elemlist)
-	: AnalyzerDecl(id, FLOW, params)
-	{
-	dataunit_ = 0;
-	conn_decl_ = 0;
-	flow_buffer_var_field_ = 0;
-	AddElements(elemlist);
-	}
-
-FlowDecl::~FlowDecl()
-	{
-	delete flow_buffer_var_field_;
-	delete dataunit_;
-	}
-
-ParameterizedType *FlowDecl::flow_buffer_type_ = 0;
-
-ParameterizedType *FlowDecl::flow_buffer_type()
-	{
-	if ( ! flow_buffer_type_ )
-		{
-		flow_buffer_type_ = new ParameterizedType(new ID(kFlowBufferClass), 0);
-		}
-	return flow_buffer_type_;
-	}
-
-void FlowDecl::AddBaseClass(vector<string> *base_classes) const
-	{
-	base_classes->push_back("binpac::FlowAnalyzer"); 
-	} 
-
-void FlowDecl::ProcessFlowElement(AnalyzerFlow *flow_elem)
-	{
-	throw Exception(
-		flow_elem, 
-		"flow should be defined in only a connection declaration");
-	}
-
-void FlowDecl::ProcessDataUnitElement(AnalyzerDataUnit *dataunit_elem)
-	{
-	if ( dataunit_ )
-		{
-		throw Exception(dataunit_elem,
-		                "dataunit already defined");
-		}
-	dataunit_ = dataunit_elem;
-
-	if ( dataunit_->type() == AnalyzerDataUnit::FLOWUNIT )
-		{
-		dataunit_->data_type()->MarkIncrementalInput();
-
-		flow_buffer_var_field_ = new PrivVarField(
-			flow_buffer_id->clone(),
-			FlowDecl::flow_buffer_type()->Clone());
-		type_->AddField(flow_buffer_var_field_);
-
-		ASSERT(AnalyzerContextDecl::current_analyzer_context());
-		AnalyzerContextDecl::current_analyzer_context()->AddFlowBuffer();
-
-		// Add an argument to the context initiation
-		dataunit_->context_type()->AddParamArg(
-			new Expr(flow_buffer_var_field_->id()->clone()));
-		}
-	}
-
-void FlowDecl::Prepare()
-	{
-	// Add the connection parameter
-	if ( ! conn_decl_ )
-		{
-		throw Exception(this, 
-		                "no connection is not declared for the flow");
-		}
-
-	if ( ! params_ )
-		params_ = new ParamList();
-
-	params_->insert(params_->begin(),
-	                new Param(connection_id->clone(), 
-	                          conn_decl_->DataType()));
-
-	AnalyzerDecl::Prepare();
-
-	dataunit_->Prepare(env_);
-	}
-
-void FlowDecl::GenPubDecls(Output *out_h, Output *out_cc)
-	{
-	AnalyzerDecl::GenPubDecls(out_h, out_cc);
-	}
-
-void FlowDecl::GenPrivDecls(Output *out_h, Output *out_cc)
-	{
-	// Declare the data unit
-	dataunit_->dataunit_var_field()->GenPrivDecls(out_h, env_);
-
-	// Declare the analyzer context
-	dataunit_->context_var_field()->GenPrivDecls(out_h, env_);
-
-	AnalyzerDecl::GenPrivDecls(out_h, out_cc);
-	}
-
-void FlowDecl::GenInitCode(Output *out_cc)
-	{
-	AnalyzerDecl::GenInitCode(out_cc);
-
-	out_cc->println("%s = 0;",
-	                env_->LValue(dataunit_id));
-	out_cc->println("%s = 0;",
-	                env_->LValue(analyzer_context_id));
-
-	if ( dataunit_->type() == AnalyzerDataUnit::FLOWUNIT )
-		{
-		flow_buffer_var_field_->type()->GenPreParsing(out_cc, env_);
-		env_->SetEvaluated(flow_buffer_var_field_->id());
-		}
-	}
-
-void FlowDecl::GenCleanUpCode(Output *out_cc)
-	{
-	GenDeleteDataUnit(out_cc);
-	AnalyzerDecl::GenCleanUpCode(out_cc);
-	}
-
-void FlowDecl::GenEOFFunc(Output *out_h, Output *out_cc)
-	{
-	string proto = strfmt("%s()", kFlowEOF);
-
-	out_h->println("void %s;", proto.c_str());
-
-	out_cc->println("void %s::%s", class_name().c_str(), proto.c_str());
-	out_cc->inc_indent();
-	out_cc->println("{");
-
-	foreach(i, AnalyzerHelperList, eof_helpers_)
-		{
-		(*i)->GenCode(0, out_cc, this);
-		}
-
-	if ( dataunit_->type() == AnalyzerDataUnit::FLOWUNIT )
-		{
-		out_cc->println("%s->set_eof();", 
-			env_->LValue(flow_buffer_id));
-		out_cc->println("%s(0, 0);", kNewData);
-		}
-	
-	out_cc->println("}");
-	out_cc->dec_indent();
-	}
-
-void FlowDecl::GenGapFunc(Output *out_h, Output *out_cc)
-	{
-	string proto = strfmt("%s(int gap_length)", kFlowGap);
-
-	out_h->println("void %s;", proto.c_str());
-
-	out_cc->println("void %s::%s", class_name().c_str(), proto.c_str());
-	out_cc->inc_indent();
-	out_cc->println("{");
-
-	if ( dataunit_->type() == AnalyzerDataUnit::FLOWUNIT )
-		{
-		out_cc->println("%s->NewGap(gap_length);", 
-			env_->LValue(flow_buffer_id));
-		}
-	
-	out_cc->println("}");
-	out_cc->dec_indent();
-	}
-
-void FlowDecl::GenProcessFunc(Output *out_h, Output *out_cc)
-	{
-	env_->AddID(begin_of_data, TEMP_VAR, extern_type_const_byteptr);
-	env_->AddID(end_of_data, TEMP_VAR, extern_type_const_byteptr);
-
-	string proto = 
-		strfmt("%s(const_byteptr %s, const_byteptr %s)",
-			kNewData,
-			env_->LValue(begin_of_data),
-			env_->LValue(end_of_data));
-
-	out_h->println("void %s;", proto.c_str());
-
-	out_cc->println("void %s::%s", class_name().c_str(), proto.c_str());
-	out_cc->inc_indent();
-	out_cc->println("{");
-
-	out_cc->println("try");
-	out_cc->inc_indent();
-	out_cc->println("{");
-
-	env_->SetEvaluated(begin_of_data);
-	env_->SetEvaluated(end_of_data);
-
-	switch ( dataunit_->type() )
-		{
-		case AnalyzerDataUnit::DATAGRAM:
-			GenCodeDatagram(out_cc);
-			break;
-		case AnalyzerDataUnit::FLOWUNIT:
-			GenCodeFlowUnit(out_cc);
-			break;
-		default:
-			ASSERT(0);
-		}
-
-	out_cc->println("}");
-	out_cc->dec_indent();
-
-	out_cc->println("catch ( Exception const &e )");
-	out_cc->inc_indent();
-	out_cc->println("{");
-	GenCleanUpCode(out_cc);
-	if ( dataunit_->type() == AnalyzerDataUnit::FLOWUNIT )
-		{
-		out_cc->println("%s->DiscardData();",
-			env_->LValue(flow_buffer_id));
-		}
-	out_cc->println("throw e;");
-	out_cc->println("}");
-	out_cc->dec_indent();
-
-	out_cc->println("}");
-	out_cc->dec_indent();
-	out_cc->println("");
-	}
-
-void FlowDecl::GenNewDataUnit(Output *out_cc)
-	{
-	Type *unit_datatype = dataunit_->data_type();
-	// dataunit_->data_type()->GenPreParsing(out_cc, env_);
-	dataunit_->GenNewDataUnit(out_cc, env_);
-	if ( unit_datatype->buffer_input() &&
-	     unit_datatype->buffer_mode() == Type::BUFFER_BY_LENGTH )
-		{
-		out_cc->println("%s->NewFrame(0, false);", 
-			env_->LValue(flow_buffer_id));
-		}
-	dataunit_->GenNewContext(out_cc, env_);
-	}
-
-void FlowDecl::GenDeleteDataUnit(Output *out_cc)
-	{
-	// Do not just delete dataunit, because we may just want to Unref it.
-	// out_cc->println("delete %s;", env_->LValue(dataunit_id));
-	dataunit_->data_type()->GenCleanUpCode(out_cc, env_);
-	dataunit_->context_type()->GenCleanUpCode(out_cc, env_);
-	}
-
-void FlowDecl::GenCodeFlowUnit(Output *out_cc)
-	{
-	Type *unit_datatype = dataunit_->data_type();
-
-	out_cc->println("%s->NewData(%s, %s);",
-		env_->LValue(flow_buffer_id),
-		env_->RValue(begin_of_data), 
-		env_->RValue(end_of_data)); 
-
-	out_cc->println("while ( %s->data_available() && ",
-		env_->LValue(flow_buffer_id));
-	out_cc->inc_indent();
-	out_cc->println("( !%s->have_pending_request() || %s->ready() ) )",
-		env_->LValue(flow_buffer_id), env_->LValue(flow_buffer_id));
-	out_cc->println("{");
-
-	// Generate a new dataunit if necessary
-	out_cc->println("if ( ! %s )", env_->LValue(dataunit_id));
-	out_cc->inc_indent();
-	out_cc->println("{");
-	out_cc->println("BINPAC_ASSERT(!%s);", 
-		env_->LValue(analyzer_context_id));
-	GenNewDataUnit(out_cc);
-	out_cc->println("}");
-	out_cc->dec_indent();
-
-	DataPtr data(env_, 0, 0);
-	unit_datatype->GenParseCode(out_cc, env_, data, 0);
-
-	out_cc->println("if ( %s )", 
-		unit_datatype->parsing_complete(env_).c_str());
-	out_cc->inc_indent();
-	out_cc->println("{");
-	out_cc->println("// Clean up the flow unit after parsing");
-	GenDeleteDataUnit(out_cc);
-	// out_cc->println("BINPAC_ASSERT(%s == 0);", env_->LValue(dataunit_id));
-	out_cc->println("}");
-	out_cc->dec_indent();
-	out_cc->println("else");
-	out_cc->inc_indent();
-	out_cc->println("{");
-	out_cc->println("// Resume upon next input segment");
-	out_cc->println("BINPAC_ASSERT(!%s->ready());",
-		env_->RValue(flow_buffer_id));
-	out_cc->println("break;");
-	out_cc->println("}");
-	out_cc->dec_indent();
-
-	out_cc->println("}");
-	out_cc->dec_indent();
-	}
-
-void FlowDecl::GenCodeDatagram(Output *out_cc)
-	{
-	Type *unit_datatype = dataunit_->data_type();
-	GenNewDataUnit(out_cc);
-
-	string parse_params = strfmt("%s, %s", 
-		env_->RValue(begin_of_data), 
-		env_->RValue(end_of_data)); 
-
-	if ( RequiresAnalyzerContext::compute(unit_datatype) )
-		{
-		parse_params += ", ";
-		parse_params += env_->RValue(analyzer_context_id);
-		}
-
-	DataPtr dataptr(env_, begin_of_data, 0);
-	unit_datatype->GenParseCode(out_cc, env_, dataptr, 0);
-
-	GenDeleteDataUnit(out_cc);
-	}
diff --git a/aux/binpac/src/pac_flow.h b/aux/binpac/src/pac_flow.h
deleted file mode 100644
index 652f206992..0000000000
--- a/aux/binpac/src/pac_flow.h
+++ /dev/null
@@ -1,47 +0,0 @@
-#ifndef pac_flow_h
-#define pac_flow_h
-
-#include "pac_analyzer.h"
-
-class FlowDecl : public AnalyzerDecl
-{
-public:
-	FlowDecl(ID *flow_id, ParamList *params, AnalyzerElementList *elemlist);
-	~FlowDecl();
-
-	void Prepare();
-
-	void set_conn_decl(ConnDecl *c)	{ conn_decl_ = c; }
-
-	static ParameterizedType *flow_buffer_type();
-
-protected:
-	void AddBaseClass(vector<string> *base_classes) const;
-
-	void GenInitCode(Output *out_cc);
-	void GenCleanUpCode(Output *out_cc);
-	void GenProcessFunc(Output *out_h, Output *out_cc);
-	void GenEOFFunc(Output *out_h, Output *out_cc);
-	void GenGapFunc(Output *out_h, Output *out_cc);
-
-	void GenPubDecls(Output *out_h, Output *out_cc);
-	void GenPrivDecls(Output *out_h, Output *out_cc);
-
-	void ProcessFlowElement(AnalyzerFlow *flow_elem);
-	void ProcessDataUnitElement(AnalyzerDataUnit *dataunit_elem);
-
-private:
-	void GenNewDataUnit(Output *out_cc);
-	void GenDeleteDataUnit(Output *out_cc);
-	void GenCodeFlowUnit(Output *out_cc);
-	void GenCodeDatagram(Output *out_cc);
-
-	AnalyzerDataUnit *dataunit_;
-	ConnDecl *conn_decl_;
-
-	Field *flow_buffer_var_field_;
-
-	static ParameterizedType *flow_buffer_type_;
-};
-
-#endif  // pac_flow_h
diff --git a/aux/binpac/src/pac_func.cc b/aux/binpac/src/pac_func.cc
deleted file mode 100644
index 8bde6e10f6..0000000000
--- a/aux/binpac/src/pac_func.cc
+++ /dev/null
@@ -1,123 +0,0 @@
-#include "pac_embedded.h"
-#include "pac_expr.h"
-#include "pac_func.h"
-#include "pac_output.h"
-#include "pac_param.h"
-#include "pac_type.h"
-
-Function::Function(ID *id, Type *type, ParamList *params)
- 	: id_(id), type_(type), params_(params), expr_(0), code_(0)
-	{
-	analyzer_decl_ = 0;
-	env_ = 0;
-	}
-
-Function::~Function()
-	{
-	delete id_;
-	delete type_;
-	delete_list(ParamList, params_);
-	delete env_;
-	delete expr_;
-	delete code_;
-	}
-
-void Function::Prepare(Env *env)
-	{
-	env->AddID(id_, FUNC_ID, type_);
-	env->SetEvaluated(id_);
-
-	env_ = new Env(env, this);
-
-	foreach(i, ParamList, params_)
-		{
-		Param *p = *i;
-		env_->AddID(p->id(), FUNC_PARAM, p->type());
-		env_->SetEvaluated(p->id());
-		}
-	}
-
-void Function::GenForwardDeclaration(Output* out_h)
-	{
-	// Do nothing
-	}
-
-void Function::GenCode(Output* out_h, Output* out_cc)
-	{
-	out_h->println("%s %s(%s);", 
-		type_->DataTypeStr().c_str(),
-		id_->Name(),
-		ParamDecls(params_).c_str());
-
-	string class_str = "";
-	if ( analyzer_decl_ )
-		class_str = strfmt("%s::", analyzer_decl_->id()->Name());
-
-	string proto_str = strfmt("%s %s%s(%s)", 
-				type_->DataTypeStr().c_str(),
-				class_str.c_str(),
-				id_->Name(),
-				ParamDecls(params_).c_str());
-
-	ASSERT(!(expr_ && code_));
-
-	if ( expr_ )
-		{
-		out_cc->println("%s", proto_str.c_str());
-
-		out_cc->inc_indent();
-		out_cc->println("{");
-
-		out_cc->println("return static_cast<%s>(%s);", 
-			type_->DataTypeStr().c_str(),
-			expr_->EvalExpr(out_cc, env_));
-
-		out_cc->println("}");
-		out_cc->dec_indent();
-		}
-
-	else if ( code_ )
-		{
-		out_cc->println("%s", proto_str.c_str());
-
-		out_cc->inc_indent();
-		out_cc->println("{");
-
-		code_->GenCode(out_cc, env_);
-
-		out_cc->println("}");
-		out_cc->dec_indent();
-		}
-
-	out_cc->println("");
-	}
-
-FuncDecl::FuncDecl(Function *function)
-	: Decl(function->id()->clone(), FUNC), function_(function)
-	{
-	function_->Prepare(global_env());
-	}
-
-FuncDecl::~FuncDecl()
-	{
-	delete function_;
-	}
-
-void FuncDecl::Prepare()
-	{
-	}
-
-void FuncDecl::GenForwardDeclaration(Output *out_h)
-	{
-	function_->GenForwardDeclaration(out_h);
-	}
-
-void FuncDecl::GenCode(Output *out_h, Output *out_cc)
-	{
-	function_->GenCode(out_h, out_cc);
-	}
-
-AnalyzerFunction::AnalyzerFunction(Function *function)
-	: AnalyzerElement(FUNCTION), function_(function)
-	{
-	}
diff --git a/aux/binpac/src/pac_func.h b/aux/binpac/src/pac_func.h
deleted file mode 100644
index df862323bb..0000000000
--- a/aux/binpac/src/pac_func.h
+++ /dev/null
@@ -1,68 +0,0 @@
-#ifndef pac_func_h
-#define pac_func_h
-
-#include "pac_decl.h"
-#include "pac_analyzer.h"
-
-class Function : public Object
-{
-public:
-	Function(ID *id, Type *type, ParamList *params);
-	~Function();
-
-	ID *id() const			{ return id_; }
-
-	AnalyzerDecl *analyzer_decl() const { return analyzer_decl_; }
-	void set_analyzer_decl(AnalyzerDecl *decl) { analyzer_decl_ = decl; }
-
-	Expr *expr() const		{ return expr_; }
-	void set_expr(Expr *expr) 	{ expr_ = expr; }
-
-	EmbeddedCode *code() const	{ return code_; }
-	void set_code(EmbeddedCode *code) { code_ = code; }
-
-	void Prepare(Env *env);
-	void GenForwardDeclaration(Output *out_h);
-	void GenCode(Output *out_h, Output *out_cc);
-
-private:
-	Env *env_;
-
-	ID *id_;
-	Type *type_;
-	ParamList *params_;
-
-	AnalyzerDecl *analyzer_decl_;
-
-	Expr *expr_;
-	EmbeddedCode *code_;
-};
-
-class FuncDecl : public Decl
-{
-public:
-	FuncDecl(Function *function);
-	~FuncDecl();
-
-	Function *function() const	{ return function_; }
-
-	void Prepare();
-	void GenForwardDeclaration(Output *out_h);
-	void GenCode(Output *out_h, Output *out_cc);
-
-private:
-	Function *function_;
-};
-
-class AnalyzerFunction : public AnalyzerElement
-{
-public:
-	AnalyzerFunction(Function *function);
-
-	Function *function() const	{ return function_; }
-
-private:
-	Function *function_;
-};
-
-#endif // pac_func_h
diff --git a/aux/binpac/src/pac_id.cc b/aux/binpac/src/pac_id.cc
deleted file mode 100644
index 5eb7a0d985..0000000000
--- a/aux/binpac/src/pac_id.cc
+++ /dev/null
@@ -1,440 +0,0 @@
-#include "pac_exception.h"
-#include "pac_expr.h"
-#include "pac_exttype.h"
-#include "pac_field.h"
-#include "pac_id.h"
-#include "pac_type.h"
-#include "pac_utils.h"
-
-const ID *default_value_var = 0;
-const ID *null_id = 0;
-const ID *null_byteseg_id = 0;
-const ID *null_decl_id = 0;
-const ID *begin_of_data = 0;
-const ID *end_of_data = 0;
-const ID *len_of_data = 0;
-const ID *byteorder_id = 0;
-const ID *bigendian_id = 0;
-const ID *littleendian_id = 0;
-const ID *unspecified_byteorder_id = 0;
-const ID *const_true_id = 0;
-const ID *const_false_id = 0;
-const ID *analyzer_context_id = 0;
-const ID *context_macro_id = 0;
-const ID *this_id = 0;
-const ID *sourcedata_id = 0;
-const ID *connection_id = 0;
-const ID *upflow_id = 0;
-const ID *downflow_id = 0;
-const ID *dataunit_id = 0;
-const ID *flow_buffer_id = 0;
-const ID *element_macro_id = 0;
-const ID *input_macro_id = 0;
-const ID *cxt_connection_id = 0;
-const ID *cxt_flow_id = 0;
-const ID *parsing_state_id = 0;
-const ID *buffering_state_id = 0;
-
-int ID::anonymous_id_seq = 0;
-
-ID *ID::NewAnonymousID(const string &prefix)
-	{
-	ID *id = new ID(fmt("%s%03d", prefix.c_str(), ++anonymous_id_seq));
-	id->anonymous_id_ = true;
-	return id;
-	}
-
-IDRecord::IDRecord(Env *arg_env, const ID* arg_id, IDType arg_id_type)
-	: env(arg_env), id(arg_id), id_type(arg_id_type)
-	{
-	eval = 0;
-	evaluated = in_evaluation = false;
-	setfunc = "";  // except for STATE_VAR
-	switch (id_type)
-		{
-		case MEMBER_VAR:
-			rvalue = strfmt("%s()", id->Name());
-			lvalue = strfmt("%s_", id->Name());
-			break;
-		case PRIV_MEMBER_VAR:
-			rvalue = strfmt("%s_", id->Name());
-			lvalue = strfmt("%s_", id->Name());
-			break;
-		case UNION_VAR:
-			rvalue = strfmt("%s()", id->Name());
-			lvalue = strfmt("%s_", id->Name());
-			break;
-		case CONST:
-		case GLOBAL_VAR:
-			rvalue = strfmt("%s", id->Name());
-			lvalue = strfmt("%s", id->Name());
-			break;
-		case TEMP_VAR:
-			rvalue = strfmt("t_%s", id->Name());
-			lvalue = strfmt("t_%s", id->Name());
-			break;
-		case STATE_VAR:
-			rvalue = strfmt("%s()", id->Name());
-			lvalue = strfmt("%s_", id->Name());
-			break;
-		case MACRO:
-			rvalue = "@MACRO@";
-			lvalue = "@MACRO@";
-			break;
-		case FUNC_ID:
-			rvalue = strfmt("%s", id->Name());
-			lvalue = "@FUNC_ID@";
-			break;
-		case FUNC_PARAM:
-			rvalue = strfmt("%s", id->Name());
-			lvalue = "@FUNC_PARAM@";
-			break;
-		}
-	field = 0;
-	constant_set = false;
-	}
-
-IDRecord::~IDRecord()
-	{
-	}
-
-void IDRecord::SetConstant(int c)			
-	{ 
-	ASSERT(id_type == CONST);
-	constant_set = true;
-	constant = c; 
-	}
-
-bool IDRecord::GetConstant(int *pc) const
-	{ 
-	if ( constant_set ) 
-		*pc = constant;
-	return constant_set;
-	}
-
-void IDRecord::SetMacro(Expr *e)
-	{
-	ASSERT(id_type == MACRO);
-	macro = e;
-	}
-
-Expr *IDRecord::GetMacro() const
-	{
-	ASSERT(id_type == MACRO);
-	return macro;
-	}
-
-void IDRecord::SetEvaluated(bool v)
-	{
-	if ( v )
-		ASSERT(! evaluated);
-	evaluated = v;
-	}
-
-void IDRecord::Evaluate(Output* out, Env* env)	
-	{ 
-	if ( evaluated )
-		return;
-
-	if ( ! out )
-		throw ExceptionIDNotEvaluated(id);
-
-	if ( ! eval )
-		throw Exception(id, "no evaluation method");
-		
-	if ( in_evaluation )
-		throw ExceptionCyclicDependence(id);
-
-	in_evaluation = true;
-	eval->GenEval(out, env); 
-	in_evaluation = false;
-
-	evaluated = true;
-	}
-
-const char* IDRecord::RValue() const
-	{
-	if ( id_type == MACRO )
-		return macro->EvalExpr(0, env);
-
-	if ( id_type == TEMP_VAR && ! evaluated )
-		throw ExceptionIDNotEvaluated(id);
-
-	return rvalue.c_str();
-	}
-
-const char* IDRecord::LValue() const
-	{
-	ASSERT(id_type != MACRO && id_type != FUNC_ID);
-	return lvalue.c_str();
-	}
-
-Env::Env(Env* parent_env, Object* context_object)
-	: parent(parent_env), context_object_(context_object)
-	{
-	allow_undefined_id_ = false;
-	in_branch_ = false;
-	}
-
-Env::~Env()
-	{
-	for ( id_map_t::iterator it = id_map.begin(); it != id_map.end(); ++it )
-		{
-		delete it->second;
-		it->second = 0;
-		}
-	}
-
-void Env::AddID(const ID* id, IDType id_type, Type *data_type)
-	{
-	DEBUG_MSG("To add ID `%s'...\n", id->Name());
-	id_map_t::iterator it = id_map.find(id);
-	if ( it != id_map.end() )
-		{
-		DEBUG_MSG("Duplicate definition: `%s'\n", it->first->Name());
-		throw ExceptionIDRedefinition(id);
-		}
-	id_map[id] = new IDRecord(this, id, id_type);
-	// TODO: figure out when data_type must be non-NULL
-	// ASSERT(data_type);
-	SetDataType(id, data_type);
-	}
-
-void Env::AddConstID(const ID* id, const int c, Type *type)
-	{
-	if ( ! type )
-		type = extern_type_int;
-	AddID(id, CONST, type);
-	SetConstant(id, c);
-	SetEvaluated(id);  // a constant is always evaluated
-	}
-
-void Env::AddMacro(const ID *id, Expr *macro)
-	{
-	AddID(id, MACRO, macro->DataType(this));
-	SetMacro(id, macro);
-	SetEvaluated(id);
-	}
-
-ID *Env::AddTempID(Type *type)
-	{
-	ID *id = ID::NewAnonymousID("t_var_");
-	AddID(id, TEMP_VAR, type);
-	return id;
-	}
-
-IDRecord* Env::lookup(const ID* id, bool recursive, bool raise_exception) const
-	{
-	ASSERT(id);
-
-	id_map_t::const_iterator it = id_map.find(id);
-	if ( it != id_map.end() )
-		return it->second;
-
-	if ( recursive && parent )
-		return parent->lookup(id, recursive, raise_exception);
-
-	if ( raise_exception )
-		throw ExceptionIDNotFound(id);
-	else
-		return 0;
-	}
-
-IDType Env::GetIDType(const ID* id) const
-	{
-	return lookup(id, true, true)->GetType();
-	}
-
-const char* Env::RValue(const ID* id) const
-	{
-	IDRecord *r = lookup(id, true, false);
-	if ( r )
-		return r->RValue();
-	else
-		{
-		if ( allow_undefined_id() )
-			return id->Name();
-		else
-			throw ExceptionIDNotFound(id);
-		}
-	}
-
-const char* Env::LValue(const ID* id) const
-	{
-	return lookup(id, true, true)->LValue();
-	}
-
-void Env::SetEvalMethod(const ID* id, Evaluatable* eval)
-	{
-	lookup(id, true, true)->SetEvalMethod(eval);
-	}
-
-void Env::Evaluate(Output* out, const ID* id)
-	{
-	IDRecord *r = lookup(id, true, !allow_undefined_id());
-	if ( r )
-		r->Evaluate(out, this);
-	}
-
-bool Env::Evaluated(const ID* id) const
-	{
-	IDRecord *r = lookup(id, true, !allow_undefined_id());
-	if ( r )
-		return r->Evaluated();
-	else
-		// Assume undefined variables are already evaluated
-		return true;  
-	}
-
-void Env::SetEvaluated(const ID* id, bool v)
-	{
-	if ( in_branch() )
-		{
-		Field *f = GetField(id);
-		if (f && f->tof() == LET_FIELD)
-			{
-			throw Exception(
-				context_object_,
-				fmt("INTERNAL ERROR: "
-				"evaluating let field '%s' in a branch! "
-				"To work around this problem, "
-				"add '&requires(%s)' to the case type. "
-				"Sorry for the inconvenience.\n",
-				id->Name(),
-				id->Name()));
-			ASSERT(0);
-			}
-		}
-
-	IDRecord *r = lookup(id, false, false);
-	if ( r )
-		r->SetEvaluated(v);
-	else if ( parent )
-		parent->SetEvaluated(id, v);
-	else
-		throw ExceptionIDNotFound(id);
-	}
-
-void Env::SetField(const ID* id, Field* field)
-	{
-	lookup(id, false, true)->SetField(field);
-	}
-
-Field* Env::GetField(const ID* id) const
-	{
-	return lookup(id, true, true)->GetField();
-	}
-
-void Env::SetDataType(const ID* id, Type* type)
-	{
-	lookup(id, true, true)->SetDataType(type);
-	}
-
-Type* Env::GetDataType(const ID* id) const
-	{
-	IDRecord *r = lookup(id, true, false);
-	if ( r )
-		return r->GetDataType();
-	else
-		return 0;  
-	}
-
-string Env::DataTypeStr(const ID *id) const
-	{
-	Type *type = GetDataType(id);
-	if ( ! type )
-		throw Exception(id, "data type not defined");
-	return type->DataTypeStr();
-	}
-
-void Env::SetConstant(const ID* id, int constant)
-	{
-	lookup(id, false, true)->SetConstant(constant);
-	}
-
-bool Env::GetConstant(const ID* id, int* pc) const
-	{
-	ASSERT(pc);
-	// lookup without raising exception
-	IDRecord* r = lookup(id, true, false);
-	if ( r )
-		return r->GetConstant(pc);
-	else
-		return false;
-	}
-
-void Env::SetMacro(const ID* id, Expr *macro)
-	{
-	lookup(id, true, true)->SetMacro(macro);
-	}
-
-Expr* Env::GetMacro(const ID* id) const
-	{
-	return lookup(id, true, true)->GetMacro();
-	}
-
-void init_builtin_identifiers()
-	{
-	default_value_var = new ID("val");
-	null_id = new ID("NULL");
-	null_byteseg_id = new ID("null_byteseg");
-	begin_of_data = new ID("begin_of_data");
-	end_of_data = new ID("end_of_data");
-	len_of_data = new ID("length_of_data");
-	byteorder_id = new ID("byteorder");
-	bigendian_id = new ID("bigendian");
-	littleendian_id = new ID("littleendian");
-	unspecified_byteorder_id = new ID("unspecified_byteorder");
-	const_true_id = new ID("true");
-	const_false_id = new ID("false");
-	analyzer_context_id = new ID("context");
-	this_id = new ID("this");
-	sourcedata_id = new ID("sourcedata");
-	connection_id = new ID("connection");
-	upflow_id = new ID("upflow");
-	downflow_id = new ID("downflow");
-	dataunit_id = new ID("dataunit");
-	flow_buffer_id = new ID("flow_buffer");
-	element_macro_id = new ID("$element");
-	input_macro_id = new ID("$input"); 
-	context_macro_id = new ID("$context"); 
-	parsing_state_id = new ID("parsing_state");
-	buffering_state_id = new ID("buffering_state");
-
-	null_decl_id = new ID("<null-decl>");
-	current_decl_id = null_decl_id;
-	}
-
-Env* global_env()
-	{
-	static Env *the_global_env = 0;
-
-	if ( ! the_global_env )
-		{
-		the_global_env = new Env(0, 0);
-
-		// These two are defined in binpac.h, so we do not need to
-		// generate code for them.
-		the_global_env->AddConstID(bigendian_id, 0);
-		the_global_env->AddConstID(littleendian_id, 1);
-		the_global_env->AddConstID(unspecified_byteorder_id, -1);
-		the_global_env->AddConstID(const_false_id, 0);
-		the_global_env->AddConstID(const_true_id, 1);
-		// A hack for ID "this"
-		the_global_env->AddConstID(this_id, 0);
-		the_global_env->AddConstID(null_id, 0, extern_type_nullptr);
-
-#if 0
-		the_global_env->AddID(null_byteseg_id, 
-			GLOBAL_VAR, 
-			extern_type_const_byteseg);
-#endif
-		}
-
-	return the_global_env;
-	}
-
-string set_function(const ID *id)
-	{
-	return strfmt("set_%s", id->Name());
-	}
diff --git a/aux/binpac/src/pac_id.h b/aux/binpac/src/pac_id.h
deleted file mode 100644
index 6ac89687d4..0000000000
--- a/aux/binpac/src/pac_id.h
+++ /dev/null
@@ -1,246 +0,0 @@
-#ifndef pac_id_h
-#define pac_id_h
-
-#include <map>
-#include <string>
-using namespace std;
-
-#include "pac_common.h"
-#include "pac_dbg.h"
-#include "pac_utils.h"
-
-// Classes handling identifiers.
-// 
-// ID -- name and location of definition of an ID
-//
-// IDRecord -- association of an ID, its definition type (const, global, temp, 
-//   member, or union member), and its evaluation method. 
-//
-// Evaluatable -- interface for a variable or a field that needs be evaluated
-//   before referenced.
-//
-// Env -- a mapping from ID names to their L/R-value expressions and evaluation
-//   methods.
-
-enum IDType {
-	CONST,
-	GLOBAL_VAR,
-	TEMP_VAR,
-	MEMBER_VAR,
-	PRIV_MEMBER_VAR,
-	UNION_VAR,
-	STATE_VAR,
-	MACRO,
-	FUNC_ID,
-	FUNC_PARAM,
-};
-
-class ID;
-class IDRecord;
-class Env;
-class Evaluatable;
-
-class ID : public Object
-{
-public:
-	ID(const char *arg_name)
-		: name(arg_name), anonymous_id_(false)
-		{
-		locname = nfmt("%s:%s", Location(), Name());
-		}
-	~ID()
-		{
-		delete locname;
-		}
-
-	bool operator==(ID const &x) const { return name == x.Name(); }
-
-	const char *Name() const 	{ return name.c_str(); }
-	const char *LocName() const 	{ return locname; }
-	bool is_anonymous() const	{ return anonymous_id_; }
-
-	ID *clone() const		{ return new ID(Name()); }
-
-protected:
-	string name;
-	bool anonymous_id_;
-	char *locname;
-	friend class ID_ptr_cmp;
-
-public:
-	static ID *NewAnonymousID(const string &prefix);
-private:
-	static int anonymous_id_seq;
-};
-
-// A comparison operator for pointers to ID's.
-class ID_ptr_cmp
-{
-public:
-	bool operator()(const ID *const & id1, const ID *const & id2) const
-		{
-		ASSERT(id1);
-		ASSERT(id2);
-		return id1->name < id2->name;
-		}
-};
-
-class IDRecord
-{
-public:
-	IDRecord(Env *env, const ID *id, IDType id_type);
-	~IDRecord();
-
-	IDType GetType() const			{ return id_type; }
-
-	void SetDataType(Type *type) 		{ data_type = type; }
-	Type *GetDataType() const		{ return data_type; }
-
-	void SetEvalMethod(Evaluatable *arg_eval) { eval = arg_eval; }
-	void Evaluate(Output *out, Env *env);
-	void SetEvaluated(bool v);
-	bool Evaluated() const 			{ return evaluated; }
-
-	void SetField(Field *f)			{ field = f; }
-	Field *GetField() const			{ return field; }
-
-	void SetConstant(int c);			
-	bool GetConstant(int *pc) const;
-
-	void SetMacro(Expr *expr);
-	Expr *GetMacro() const;
-
-	const char * RValue() const;
-	const char * LValue() const;
-
-protected:
-	Env *env;
-	const ID *id;
-	IDType id_type;
-
-	string rvalue;
-	string lvalue;
-	string setfunc;
-
-	Type *data_type;
-
-	Field *field;
-
-	int constant;
-	bool constant_set;
-
-	Expr *macro;
-
-	bool evaluated;
-	bool in_evaluation;	// to detect cyclic dependence
-	Evaluatable *eval;
-};
-
-class Evaluatable
-{
-public:
-	virtual ~Evaluatable() {}
-	virtual void GenEval(Output *out, Env *env) = 0;
-};
-
-class Env
-{
-public:
-	Env(Env *parent_env, Object *context_object);
-	~Env();
-
-	bool allow_undefined_id() const		{ return allow_undefined_id_; }
-	void set_allow_undefined_id(bool x)	{ allow_undefined_id_ = x; }
-
-	bool in_branch() const			{ return in_branch_; }
-	void set_in_branch(bool x)		{ in_branch_ = x; }
-
-	void AddID(const ID *id, IDType id_type, Type *type);
-	void AddConstID(const ID *id, const int c, Type *type = 0);
-	void AddMacro(const ID *id, Expr *expr);
-
-	// Generate a temp ID with a unique name
-	ID *AddTempID(Type *type);
-
-	IDType GetIDType(const ID *id) const;
-	const char * RValue(const ID *id) const;
-	const char * LValue(const ID *id) const;
-	// const char *SetFunc(const ID *id) const;
-
-	// Set evaluation method for the ID
-	void SetEvalMethod(const ID *id, Evaluatable *eval);
-
-	// Evaluate the ID according to the evaluation method. It
-	// assumes the ID has an evaluation emthod. It does nothing
-	// if the ID has already been evaluated.
-	void Evaluate(Output *out, const ID *id);
-
-	// Whether the ID has already been evaluated.
-	bool Evaluated(const ID *id) const;
-
-	// Set the ID as evaluated (or not).
-	void SetEvaluated(const ID *id, bool v = true);
-
-	void SetField(const ID *id, Field *field);
-	Field *GetField(const ID *id) const;
-
-	bool GetConstant(const ID *id, int *pc) const;
-
-	Expr *GetMacro(const ID *id) const;
-
-	Type *GetDataType(const ID *id) const;
-
-	string DataTypeStr(const ID *id) const;
-
-protected:
-	IDRecord *lookup(const ID *id, 
-	                 bool recursive, 
-	                 bool raise_exception) const;
-
-	void SetDataType(const ID *id, Type *type);
-	void SetConstant(const ID *id, int constant);
-	void SetMacro(const ID *id, Expr *macro);
-
-private:
-	Env *parent;
-	Object *context_object_;
-	typedef map<const ID*, IDRecord*, ID_ptr_cmp> id_map_t;
-	id_map_t id_map;
-	bool allow_undefined_id_;
-	bool in_branch_;
-};
-
-extern const ID *default_value_var;
-extern const ID *null_id;
-extern const ID *null_byteseg_id;
-extern const ID *begin_of_data;
-extern const ID *end_of_data;
-extern const ID *len_of_data;
-extern const ID *byteorder_id;
-extern const ID *bigendian_id;
-extern const ID *littleendian_id;
-extern const ID *unspecified_byteorder_id;
-extern const ID *analyzer_context_id;
-extern const ID *context_macro_id;
-extern const ID *this_id;
-extern const ID *sourcedata_id;
-// extern const ID *sourcedata_begin_id;
-// extern const ID *sourcedata_end_id;
-extern const ID *connection_id;
-extern const ID *upflow_id;
-extern const ID *downflow_id;
-extern const ID *dataunit_id;
-extern const ID *flow_buffer_id;
-extern const ID *element_macro_id;
-extern const ID *cxt_connection_id;
-extern const ID *cxt_flow_id;
-extern const ID *input_macro_id;
-extern const ID *parsing_state_id;
-extern const ID *buffering_state_id;
-
-extern void init_builtin_identifiers();
-extern Env *global_env();
-
-extern string set_function(const ID *id);
-
-#endif // pac_id_h
diff --git a/aux/binpac/src/pac_inputbuf.cc b/aux/binpac/src/pac_inputbuf.cc
deleted file mode 100644
index 1974860693..0000000000
--- a/aux/binpac/src/pac_inputbuf.cc
+++ /dev/null
@@ -1,44 +0,0 @@
-#include "pac_expr.h"
-#include "pac_exttype.h"
-#include "pac_id.h"
-#include "pac_inputbuf.h"
-#include "pac_output.h"
-#include "pac_type.h"
-
-InputBuffer::InputBuffer(Expr *expr)
-	: DataDepElement(INPUT_BUFFER), expr_(expr)
-	{
-	}
-
-bool InputBuffer::DoTraverse(DataDepVisitor *visitor)
-	{
-	if ( expr_ && ! expr_->Traverse(visitor) )
-		return false;
-	return true;
-	}
-
-bool InputBuffer::RequiresAnalyzerContext() const
-	{
-	return expr_->RequiresAnalyzerContext();
-	}
-
-DataPtr InputBuffer::GenDataBeginEnd(Output *out_cc, Env *env)
-	{
-	env->AddID(begin_of_data, TEMP_VAR, extern_type_const_byteptr);
-	env->AddID(end_of_data, TEMP_VAR, extern_type_const_byteptr);
-
-	out_cc->println("%s %s, %s;",
-		extern_type_const_byteptr->DataTypeStr().c_str(),
-		env->LValue(begin_of_data),
-		env->LValue(end_of_data));
-
-	out_cc->println("get_pointers(%s, &%s, &%s);",
-		expr_->EvalExpr(out_cc, env),
-		env->LValue(begin_of_data),
-		env->LValue(end_of_data));
-
-	env->SetEvaluated(begin_of_data);
-	env->SetEvaluated(end_of_data);
-
-	return DataPtr(env, begin_of_data, 0);
-	}
diff --git a/aux/binpac/src/pac_inputbuf.h b/aux/binpac/src/pac_inputbuf.h
deleted file mode 100644
index f03a5193ab..0000000000
--- a/aux/binpac/src/pac_inputbuf.h
+++ /dev/null
@@ -1,24 +0,0 @@
-#ifndef pac_inputbuf_h
-#define pac_inputbuf_h
-
-#include "pac_datadep.h"
-#include "pac_dataptr.h"
-
-class Expr;
-
-class InputBuffer : public Object, public DataDepElement
-{
-public:
-	InputBuffer(Expr *expr);
-
-	bool RequiresAnalyzerContext() const;
-	DataPtr GenDataBeginEnd(Output *out_cc, Env *env);
-
-protected:
-	bool DoTraverse(DataDepVisitor *visitor);
-
-private:
-	Expr *expr_;
-};
-
-#endif // pac_inputbuf_h
diff --git a/aux/binpac/src/pac_let.cc b/aux/binpac/src/pac_let.cc
deleted file mode 100644
index ebd7caef90..0000000000
--- a/aux/binpac/src/pac_let.cc
+++ /dev/null
@@ -1,167 +0,0 @@
-#include "pac_expr.h"
-#include "pac_exttype.h"
-#include "pac_let.h"
-#include "pac_output.h"
-#include "pac_type.h"
-
-namespace {
-
-void GenLetEval(const ID *id, Expr *expr, string prefix, Output* out, Env* env)
-	{
-	if ( expr )
-		{
-		}
-	}
-
-} // private namespace
-
-LetField::LetField(ID* id, Type *type, Expr* expr)
-	: Field(LET_FIELD, 
-		TYPE_NOT_TO_BE_PARSED | CLASS_MEMBER | PUBLIC_READABLE, 
-		id, type), 
-	  expr_(expr)
-	{
-	ASSERT(expr_);
-	}
-
-LetField::~LetField()
-	{
-	delete expr_;
-	}
-
-bool LetField::DoTraverse(DataDepVisitor *visitor)
-	{ 
-	return Field::DoTraverse(visitor) &&
-	       expr()->Traverse(visitor); 
-	}
-
-bool LetField::RequiresAnalyzerContext() const 
-	{ 
-	return Field::RequiresAnalyzerContext() ||
-	       (expr() && expr()->RequiresAnalyzerContext()); 
-	}
-
-void LetField::Prepare(Env* env)
-	{
-	if ( ! type_ )
-		{
-		ASSERT(expr_);
-		type_ = expr_->DataType(env);
-		if ( type_ )
-			type_ = type_->Clone();		
-		else
-			type_ = extern_type_int->Clone();
-
-		foreach(i, AttrList, attrs_)
-			ProcessAttr(*i);
-		}
-
-	Field::Prepare(env);
-	env->SetEvalMethod(id_, this);
-	}
-
-void LetField::GenInitCode(Output* out_cc, Env* env)
-	{
-	int v;
-	if ( expr_ && expr_->ConstFold(env, &v) )
-		{
-		DEBUG_MSG("Folding const for `%s'\n", id_->Name());
-		GenEval(out_cc, env);
-		}
-	else
-		type_->GenInitCode(out_cc, env);
-	}
-
-void LetField::GenParseCode(Output* out_cc, Env* env)
-	{
-	if ( env->Evaluated(id_) )
-		return;
-
-	if ( type_->attr_if_expr() )
-		{
-		// A conditional field
-
-		env->Evaluate(out_cc, type_->has_value_var());
-
-		// force evaluation of IDs contained in this expr
-		expr()->ForceIDEval(out_cc, env);
-
-		out_cc->println("if ( %s )", 
-			env->RValue(type_->has_value_var()));
-		out_cc->inc_indent();
-		out_cc->println("{");
-		}
-
-	out_cc->println("%s = %s;", 
-		env->LValue(id_), 
-	       	expr()->EvalExpr(out_cc, env));
-	if ( ! env->Evaluated(id_) )
-		env->SetEvaluated(id_);
-
-	if ( type_->attr_if_expr() )
-		{
-		out_cc->println("}");
-		out_cc->dec_indent();
-		}
-	}
-
-void LetField::GenEval(Output* out_cc, Env* env)
-	{
-	GenParseCode(out_cc, env);
-	}
-
-LetDecl::LetDecl(ID *id, Type *type, Expr *expr)
- 	: Decl(id, LET), type_(type), expr_(expr)
-	{
-	if ( ! type_ )
-		{
-		ASSERT(expr_);
-	        type_ = expr_->DataType(global_env());
-		if ( type_ )
-			type_ = type_->Clone();		
-		else
-			type_ = extern_type_int->Clone();
-		}
-
-	Env *env = global_env();
-	int c;
-	if ( expr_ && expr_->ConstFold(env, &c) )
-		env->AddConstID(id_, c);
-	else
-		env->AddID(id_, GLOBAL_VAR, type_);
-	}
-
-LetDecl::~LetDecl()
-	{
-	delete id_;
-	delete type_;
-	delete expr_;
-	}
-
-void LetDecl::Prepare()
-	{
-	}
-
-void LetDecl::GenForwardDeclaration(Output* out_h)
-	{
-	}
-
-void LetDecl::GenCode(Output * out_h, Output *out_cc)
-	{
-	out_h->println("extern %s const %s;",
-		type_->DataTypeStr().c_str(),
-		global_env()->RValue(id_));
-	GenEval(out_cc, global_env());
-	}
-
-void LetDecl::GenEval(Output *out_cc, Env * /* env */)
-	{
-	Env *env = global_env();
-	out_cc->println("%s %s = %s;", 
-		fmt("%s const", type_->DataTypeStr().c_str()),
-		env->LValue(id_), 
-	       	expr_->EvalExpr(out_cc, env));
-
-	if ( ! env->Evaluated(id_) )
-		env->SetEvaluated(id_);
-	}
diff --git a/aux/binpac/src/pac_let.h b/aux/binpac/src/pac_let.h
deleted file mode 100644
index aba8128511..0000000000
--- a/aux/binpac/src/pac_let.h
+++ /dev/null
@@ -1,48 +0,0 @@
-#ifndef pac_let_h
-#define pac_let_h
-
-#include "pac_decl.h"
-#include "pac_field.h"
-
-class LetField : public Field, Evaluatable
-{
-public:
-	LetField(ID* arg_id, Type *type, Expr* arg_expr);
-	~LetField();
-
-	Expr *expr() const			{ return expr_; }
-
-	void Prepare(Env* env);
-
-	void GenInitCode(Output* out, Env* env);
-	void GenParseCode(Output* out, Env* env);
-	void GenEval(Output* out, Env* env);
-
-	bool RequiresAnalyzerContext() const;
-
-protected:
-	bool DoTraverse(DataDepVisitor *visitor);
-
-protected:
-	Expr* expr_;
-};
-
-class LetDecl : public Decl, Evaluatable
-{
-public:
-	LetDecl(ID *id, Type *type, Expr *expr);
-	~LetDecl();
-
-	Expr *expr() const	{ return expr_; }
-
-	void Prepare();
-	void GenForwardDeclaration(Output *out_h);
-	void GenCode(Output *out_h, Output *out_cc);
-	void GenEval(Output* out, Env* env);
-
-private:
-	Type *type_;
-	Expr *expr_;
-};
-
-#endif  // pac_let_h
diff --git a/aux/binpac/src/pac_main.cc b/aux/binpac/src/pac_main.cc
deleted file mode 100644
index 7c98e526fa..0000000000
--- a/aux/binpac/src/pac_main.cc
+++ /dev/null
@@ -1,259 +0,0 @@
-// $Id: pac_main.cc 3320 2006-06-20 21:19:33Z rpang $
-
-#include <unistd.h>
-#include <ctype.h>
-
-#include "pac_common.h"
-#include "pac_decl.h"
-#include "pac_exttype.h"
-#include "pac_id.h"
-#include "pac_output.h"
-#include "pac_parse.h"
-#include "pac_type.h"
-#include "pac_utils.h"
-#include "pac_exception.h"
-
-#ifdef HAVE_CONFIG_H
-#include "config.h"
-#endif
-
-extern int yydebug;
-extern int yyparse();
-extern void switch_to_file(FILE* fp_input);
-string input_filename;
-
-bool FLAGS_pac_debug = false;
-string FLAGS_output_directory;
-vector<string> FLAGS_include_directories;
-
-Output* header_output = 0;
-Output* source_output = 0;
-
-void add_to_include_directories(string dirs)
-	{
-	unsigned int dir_begin = 0, dir_end;
-	while ( dir_begin < dirs.length() )
-		{
-		for ( dir_end = dir_begin; dir_end < dirs.length(); ++dir_end)
-			if ( dirs[dir_end] == ':' )
-				break;
-
-		string dir = dirs.substr(dir_begin, dir_end - dir_begin);
-
-		// Add a trailing '/' if necessary
-		if ( dir.length() > 0 && *(dir.end() - 1) != '/' )
-			dir += '/';
-			
-		FLAGS_include_directories.push_back(dir);
-		dir_begin = dir_end + 1;
-		}
-	}
-
-void pac_init()
-	{
-	init_builtin_identifiers();
-	Type::init();
-	}
-
-void insert_comments(Output* out, const char* source_filename)
-	{
-	out->println("// This file is automatically generated from %s.\n",
-		source_filename);
-	}
-
-void insert_basictype_defs(Output* out)
-	{
-	out->println("#ifndef pac_type_defs");
-	out->println("#define pac_type_defs");
-	out->println("");
-	out->println("typedef char int8;");
-	out->println("typedef short int16;");
-	out->println("typedef long int32;");
-	out->println("typedef unsigned char uint8;");
-	out->println("typedef unsigned short uint16;");
-	out->println("typedef unsigned long uint32;");
-	out->println("");
-	out->println("#endif /* pac_type_defs */");
-	out->println("");
-	}
-
-void insert_byteorder_macros(Output* out)
-	{
-	out->println("#define FixByteOrder16(x)	(byteorder == HOST_BYTEORDER ? (x) : pac_swap16(x))");
-	out->println("#define FixByteOrder32(x)	(byteorder == HOST_BYTEORDER ? (x) : pac_swap32(x))");
-	out->println("");
-	}
-
-const char* to_id(const char* s)
-	{
-	static char t[1024];
-	int i;
-	for ( i = 0; s[i] && i < (int) sizeof(t) - 1; ++i )
-		t[i] = isalnum(s[i]) ? s[i] : '_';
-	if ( isdigit(t[0]) )
-		t[0] = '_'; 
-	t[i] = '\0';
-	return t;
-	}
-
-int compile(const char* filename)
-	{
-	FILE* fp_input = fopen(filename, "r");
-	if ( ! fp_input )
-		{
-		perror(fmt("Error in opening %s", filename));
-		return -1;
-		}
-	input_filename = filename;
-
-	string basename;
-
-	if ( ! FLAGS_output_directory.empty() )
-		{
-		// Strip leading directories of filename
-		const char *last_slash = strrchr(filename, '/');
-		if ( last_slash )
-			basename = last_slash + 1;
-		else
-			basename = filename;
-		basename = FLAGS_output_directory + "/" + basename;
-		}
-	else
-		basename = filename;
-
-	// If the file name ends with ".pac"
-	if ( basename.length() > 4 &&
-	     basename.substr(basename.length() - 4) == ".pac" )
-		{
-		basename = basename.substr(0, basename.length() - 4);
-		}
-
-	basename += "_pac";
-
-	DEBUG_MSG("Output file: %s.{h,cc}\n", basename.c_str());
-
-	int ret = 0;
-
-	try 
-		{
-		switch_to_file(fp_input);
-		if ( yyparse() )
-			return 1;
-
-		Output out_h(fmt("%s.h", basename.c_str()));
-		Output out_cc(fmt("%s.cc", basename.c_str()));
-
-		header_output = &out_h;
-		source_output = &out_cc;
-
-		insert_comments(&out_h, filename);
-		insert_comments(&out_cc, filename);
-
-		const char* filename_id = to_id(filename);
-
-		out_h.println("#ifndef %s_h", filename_id);
-		out_h.println("#define %s_h", filename_id);
-		out_h.println("");
-		out_h.println("#include <vector>");
-		out_h.println("");
-		out_h.println("#include \"binpac.h\"");
-		out_h.println("");
-
-		out_cc.println("#include \"%s.h\"\n", basename.c_str());
-
-		Decl::ProcessDecls(&out_h, &out_cc);
-
-		out_h.println("#endif /* %s_h */", filename_id);
-		} 
-	catch ( OutputException& e ) 
-		{
-		fprintf(stderr, "Error in compiling %s: %s\n",
-			filename, e.errmsg());
-		ret = 1;
-		}
-	catch ( Exception& e )
-		{
-		fprintf(stderr, "%s\n", e.msg());
-		exit(1);
-		}
-
-	header_output = 0;
-	source_output = 0;
-	input_filename = "";
-	fclose(fp_input);
-
-	return ret;
-	}
-
-void usage()
-	{
-#ifdef VERSION
-	fprintf(stderr, "binpac version %s\n", VERSION);
-#endif
-	fprintf(stderr, "usage: binpac [options] <pac files>\n");
-	fprintf(stderr, "     <pac files>           | pac-language input files\n");
-	fprintf(stderr, "     -d <dir>              | use given directory for compiler output\n");
-	fprintf(stderr, "     -D                    | enable debugging output\n");
-	fprintf(stderr, "     -h                    | show command line help\n");
-	fprintf(stderr, "     -I <dir>              | include <dir> in input file search path\n");
-	exit(1);
-	}
-
-int main(int argc, char* argv[])
-	{
-#ifdef HAVE_MALLOC_OPTIONS
-	extern char *malloc_options;
-#endif
-	int o;
-	while ( (o = getopt(argc, argv, "DI:d:h")) != -1 )
-		{
-		switch(o)
-			{
-			case 'D': 
-				yydebug = 1;
-				FLAGS_pac_debug = true;
-#ifdef HAVE_MALLOC_OPTIONS
-				malloc_options = "A";
-#endif
-				break;
-
-			case 'I':
-				// Add to FLAGS_include_directories
-				add_to_include_directories(optarg);
-				break;
-
-			case 'd': 
-				FLAGS_output_directory = optarg;
-				break;
-
-			case 'h':
-				usage();
-				break;
-			}
-		}
-
-	// Strip the trailing '/'s
-	while ( ! FLAGS_output_directory.empty() &&
-	        *(FLAGS_output_directory.end() - 1) == '/' )
-		{
-		FLAGS_output_directory.erase(FLAGS_output_directory.end()-1);
-		}
-
-	// Add the current directory to FLAGS_include_directories
-	add_to_include_directories(".");
-
-	pac_init();
-
-	argc -= optind;
-	argv += optind;
-	if ( argc == 0 )
-		compile("-");
-
-	int ret = 0;
-	for ( int i = 0; i < argc; ++i )
-		if ( compile(argv[i]) )
-			ret = 1;
-
-	return ret;
-	}
-
diff --git a/aux/binpac/src/pac_number.h b/aux/binpac/src/pac_number.h
deleted file mode 100644
index f923068700..0000000000
--- a/aux/binpac/src/pac_number.h
+++ /dev/null
@@ -1,21 +0,0 @@
-#ifndef pac_number_h
-#define pac_number_h
-
-#include "pac_common.h"
-
-class Number : public Object
-{
-public:
-	Number(int arg_n)
-		: s(fmt("%d", arg_n)), n(arg_n) {}
-	Number(const char* arg_s, int arg_n)
-		: s(arg_s), n(arg_n) {}
-	const char* Str() const 	{ return s.c_str(); }
-	int Num() const 		{ return n; }
-
-protected:
-	const string s;
-	const int n;
-};
-
-#endif  // pac_number_h
diff --git a/aux/binpac/src/pac_output.cc b/aux/binpac/src/pac_output.cc
deleted file mode 100644
index 404b4422cc..0000000000
--- a/aux/binpac/src/pac_output.cc
+++ /dev/null
@@ -1,61 +0,0 @@
-// $Id: pac_output.cc 3225 2006-06-08 00:00:01Z vern $
-
-#include <string.h>
-#include <errno.h>
-#include <stdarg.h>
-#include <stdio.h>
-
-#include "pac_utils.h"
-#include "pac_output.h"
-
-OutputException::OutputException(const char* arg_msg)
-	{
-	msg = arg_msg;
-	}
-
-OutputException::~OutputException()
-	{
-	}
-
-Output::Output(const char* filename)
-	{
-	fp = fopen(filename, "w");
-	if ( ! fp )
-		throw OutputException(strerror(errno));
-	indent_ = 0;
-	}
-
-Output::~Output()
-	{
-	if ( fp )
-		fclose(fp);
-	}
-
-int Output::print(const char* fmt, va_list ap)
-	{
-	int r = vfprintf(fp, fmt, ap);
-	if ( r == -1 )
-		throw OutputException(strerror(errno));
-	return r;
-	}
-
-int Output::print(const char* fmt, ...)
-	{
-	va_list ap;
-	va_start(ap, fmt);
-	return print(fmt, ap);
-	}
-
-int Output::println(const char* fmt, ...)
-	{
-	for ( int i = 0; i < indent(); ++i )
-		fprintf(fp, "\t");
-
-	int r;
-	va_list ap;
-	va_start(ap, fmt);
-	r = print(fmt, ap);
-
-	fprintf(fp, "\n");
-	return r;
-	}
diff --git a/aux/binpac/src/pac_output.h b/aux/binpac/src/pac_output.h
deleted file mode 100644
index 9911f3a2b4..0000000000
--- a/aux/binpac/src/pac_output.h
+++ /dev/null
@@ -1,42 +0,0 @@
-// $Id: pac_output.h 3225 2006-06-08 00:00:01Z vern $
-
-#ifndef pac_output_h
-#define pac_output_h
-
-#include <stdio.h>
-#include <stdarg.h>
-#include <string>
-
-using namespace std;
-
-class OutputException {
-public:
-	OutputException(const char* arg_msg);
-	~OutputException();
-	const char* errmsg() const { return msg.c_str(); }
-
-protected:
-	string msg;
-};
-
-class Output {
-public:
-	Output(const char *filename);
-	~Output();
-
-	int println(const char* fmt, ...);
-	int print(const char* fmt, ...);
-
-	int indent() const { return indent_; }
-
-	void inc_indent() { ++indent_; }
-	void dec_indent() { --indent_; }
-
-protected:
-	int print(const char* fmt, va_list ap);
-
-	FILE* fp;
-	int indent_;
-};
-
-#endif /* pac_output_h */
diff --git a/aux/binpac/src/pac_param.cc b/aux/binpac/src/pac_param.cc
deleted file mode 100644
index 21e452ee05..0000000000
--- a/aux/binpac/src/pac_param.cc
+++ /dev/null
@@ -1,70 +0,0 @@
-#include "pac_decl.h"
-#include "pac_exttype.h"
-#include "pac_field.h"
-#include "pac_id.h"
-#include "pac_output.h"
-#include "pac_type.h"
-#include "pac_utils.h"
-
-#include "pac_param.h"
-
-Param::Param(ID* id, Type *type)
-	: id_(id), type_(type)
-	{
-	if ( ! type_ )
-		type_ = extern_type_int->Clone();
-
-	decl_str_ = strfmt("%s %s", 
-	                   type_->DataTypeConstRefStr().c_str(), 
-	                   id_->Name());
-
-	param_field_ = new ParamField(this);
-	}
-
-Param::~Param()
-	{
-	}
-
-const string &Param::decl_str() const
-	{ 
-	ASSERT(!decl_str_.empty()); 
-	return decl_str_; 
-	}
-
-string ParamDecls(ParamList *params)
-	{
-	string param_decls;
-
-	int first = 1;
-	foreach (i, ParamList, params)
-			{
-			Param* p = *i;
-			const char* decl_str = p->decl_str().c_str();
-			if ( first )
-				first = 0;
-			else
-				param_decls += ", ";
-			param_decls += decl_str;
-			}
-	return param_decls;
-	}
-
-ParamField::ParamField(const Param *param)
-	: Field(PARAM_FIELD, 
-		TYPE_NOT_TO_BE_PARSED | CLASS_MEMBER | PUBLIC_READABLE,
-		param->id(), 
-		param->type())
-	{
-	}
-
-void ParamField::GenInitCode(Output *out_cc, Env *env)
-	{
-	out_cc->println("%s = %s;", 
-		env->LValue(id()), id()->Name());
-	env->SetEvaluated(id());
-	}
-
-void ParamField::GenCleanUpCode(Output* out_cc, Env* env)
-	{
-	// Do nothing
-	}
diff --git a/aux/binpac/src/pac_param.h b/aux/binpac/src/pac_param.h
deleted file mode 100644
index 5efc60fd3a..0000000000
--- a/aux/binpac/src/pac_param.h
+++ /dev/null
@@ -1,48 +0,0 @@
-#ifndef pac_param_h
-#define pac_param_h
-
-#include "pac_common.h"
-#include "pac_field.h"
-
-class Param : public Object
-{
-public:
-	Param(ID* id, Type* type); 
-	~Param();
-
-	ID *id() const			{ return id_; }
-	Type *type() const		{ return type_; }
-	const string & decl_str() const;
-	Field *param_field() const	{ return param_field_; }
-
-private:
-	ID* id_;
-	Type* type_;
-	string decl_str_;
-	Field *param_field_;
-};
-
-class ParamField : public Field
-{
-public:
-	ParamField(const Param *param);
-
-	void GenInitCode(Output *out, Env *env);
-	void GenCleanUpCode(Output* out, Env* env);
-};
-
-// Returns the string with a list of param declarations separated by ','.
-string ParamDecls(ParamList *params);
-
-#if 0
-// Generate assignments to parameters, in the form of "%s_ = %s;" % (id, id).
-void GenParamAssignments(ParamList *params, Output *out_cc, Env *env);
-
-// Generate public access methods to parameter members.
-void GenParamPubDecls(ParamList *params, Output *out_h, Env *env);
-
-// Generate private definitions of parameter members.
-void GenParamPrivDecls(ParamList *params, Output *out_h, Env *env);
-#endif
-
-#endif  // pac_param_h
diff --git a/aux/binpac/src/pac_paramtype.cc b/aux/binpac/src/pac_paramtype.cc
deleted file mode 100644
index 96e79735a3..0000000000
--- a/aux/binpac/src/pac_paramtype.cc
+++ /dev/null
@@ -1,289 +0,0 @@
-#include "pac_context.h"
-#include "pac_dataptr.h"
-#include "pac_exception.h"
-#include "pac_expr.h"
-#include "pac_output.h"
-#include "pac_paramtype.h"
-#include "pac_typedecl.h"
-
-ParameterizedType::ParameterizedType(ID* type_id, ExprList* args)
-	: Type(PARAMETERIZED), type_id_(type_id), args_(args)
-	{
-	checking_requires_analyzer_context_ = false;
-	}
-
-ParameterizedType::~ParameterizedType()
-	{
-	}
-
-string ParameterizedType::EvalMember(const ID *member_id) const
-	{
-	Type *ty = ReferredDataType(true);
-	return strfmt("->%s", ty->env()->RValue(member_id));
-	}
-
-string ParameterizedType::class_name() const
-	{ 
-	return type_id_->Name(); 
-	}
-
-Type *ParameterizedType::DoClone() const
-	{
-	return new ParameterizedType(type_id_->clone(), args_);
-	}
-
-void ParameterizedType::AddParamArg(Expr *arg)
-	{
-	args_->push_back(arg);
-	}
-
-bool ParameterizedType::DefineValueVar() const
-	{
-	return true;
-	}
-
-string ParameterizedType::DataTypeStr() const
-	{
-	return strfmt("%s *", type_id_->Name());
-	}
-
-Type *ParameterizedType::MemberDataType(const ID *member_id) const
-	{
-	Type *ref_type = TypeDecl::LookUpType(type_id_);
-	if ( ! ref_type )
-		return 0;
-	return ref_type->MemberDataType(member_id);
-	}
-
-Type *ParameterizedType::ReferredDataType(bool throw_exception) const
-	{
-	Type* type = TypeDecl::LookUpType(type_id_);
-	if ( ! type )
-		{
-		DEBUG_MSG("WARNING: cannot find referenced type for %s\n",
-			type_id_->Name());
-		if ( throw_exception )
-			throw ExceptionIDNotFound(type_id_);
-		}
-	return type;
-	}
-
-int ParameterizedType::StaticSize(Env* env) const
-	{
-	return ReferredDataType(true)->StaticSize(env);
-	}
-
-void ParameterizedType::DoMarkIncrementalInput()
-	{
-	Type *ty = ReferredDataType(true);
-
-	ty->MarkIncrementalInput();
-
-	buffer_input_ = ty->buffer_input();
-	incremental_parsing_ = ty->incremental_parsing();
-	}
-
-Type::BufferMode ParameterizedType::buffer_mode() const
-	{
-	// Note that the precedence is on attributes (&oneline or &length) 
-	// specified on the parameterized type directly than on the type
-	// declaration. 
-	//
-	// If both &oneline and &length are specified at the same place, 
-	// use &length.
-	//
-	BufferMode mode = Type::buffer_mode();
-	Type *ty = ReferredDataType(true);
-
-	if ( mode != NOT_BUFFERABLE )
-		return mode;
-	else if ( ty->BufferableByLength() )
-		return BUFFER_BY_LENGTH;
-	else if ( ty->BufferableByLine() )
-		return BUFFER_BY_LINE;
-
-	return NOT_BUFFERABLE;
-	}
-
-bool ParameterizedType::ByteOrderSensitive() const
-	{
-	return ReferredDataType(true)->RequiresByteOrder();
-	}
-
-bool ParameterizedType::DoTraverse(DataDepVisitor *visitor)
-	{
-	if ( ! Type::DoTraverse(visitor) )
-		return false;
-
-	foreach(i, ExprList, args_)
-		if ( ! (*i)->Traverse(visitor) )
-			return false;
-
-	Type *ty = ReferredDataType(false);
-	if ( ty && ! ty->Traverse(visitor) )
-		return false;
-
-	return true;
-	}
-
-bool ParameterizedType::RequiresAnalyzerContext()
-	{
-	if ( checking_requires_analyzer_context_ )
-		return false;
-	checking_requires_analyzer_context_ = true;
-
-	bool ret = false;
-	// If any argument expression refers to analyzer context
-	foreach(i, ExprList, args_)
-		if ( (*i)->RequiresAnalyzerContext() )
-			{
-			ret = true;
-			break;
-			}
-	ret = ret ||
-	      Type::RequiresAnalyzerContext();
-
-	if ( ! ret )
-		{
-		Type *ty = ReferredDataType(false);
-		if ( ty )
-	      		ret = ty->RequiresAnalyzerContext();
-		}
-
-	checking_requires_analyzer_context_ = false;
-	return ret;
-	}
-
-void ParameterizedType::GenInitCode(Output* out_cc, Env* env)
-	{
-	ASSERT(persistent());
-	out_cc->println("%s = 0;", env->LValue(value_var()));
-	Type::GenInitCode(out_cc, env);
-	}
-
-void ParameterizedType::GenCleanUpCode(Output* out_cc, Env* env)
-	{
-	Type *ty = ReferredDataType(false);
-	if ( ty && ty->attr_refcount() )
-		out_cc->println("Unref(%s);", lvalue());
-	else
-		out_cc->println("delete %s;", lvalue());
-	out_cc->println("%s = 0;", lvalue());
-	Type::GenCleanUpCode(out_cc, env);
-	}
-
-string ParameterizedType::EvalParameters(Output* out_cc, Env *env) const
-	{
-	string arg_str;
-
-	int first = 1;
-	foreach (i, ExprList, args_)
-		{
-		Expr* e = *i;
-		if ( first )
-			first = 0;
-		else
-			arg_str += ", ";
-		arg_str += e->EvalExpr(out_cc, env);
-		}
-
-	return arg_str;
-	}
-
-void ParameterizedType::GenNewInstance(Output *out_cc, Env *env)
-	{
-	out_cc->println("%s = new %s(%s);", 
-		lvalue(), 
-		type_id_->Name(), 
-		EvalParameters(out_cc, env).c_str());
-	}
-
-void ParameterizedType::DoGenParseCode(Output* out_cc, Env* env,
-		const DataPtr& data, int flags)
-	{
-	DEBUG_MSG("DoGenParseCode for %s\n", type_id_->Name());
-
-	Type *ref_type = ReferredDataType(true);
-
-	const char *parse_func;
-	string parse_params;
-
-	if ( buffer_mode() == BUFFER_NOTHING )
-	        {
-		ASSERT(!ref_type->incremental_input());
-		parse_func = kParseFuncWithoutBuffer;
-		parse_params = "0, 0";
-		}
-	else if ( ref_type->incremental_input() )
-		{
-		parse_func = kParseFuncWithBuffer;
-		parse_params = env->RValue(flow_buffer_id);
-		}
-	else
-		{
-		parse_func = kParseFuncWithoutBuffer;
-		parse_params = strfmt("%s, %s",
-			data.ptr_expr(), 
-			env->RValue(end_of_data));
-		}
-
-	if ( RequiresAnalyzerContext::compute(ref_type) )
-		{
-		parse_params += strfmt(", %s", env->RValue(analyzer_context_id));
-		}
-
-	if ( ref_type->RequiresByteOrder() )
-		{
-		env->Evaluate(out_cc, byteorder_id);
-		parse_params += strfmt(", %s", env->RValue(byteorder_id));
-		}
-
-	string call_parse_func = strfmt("%s->%s(%s)",
-			lvalue(), // parse() needs an LValue
-			parse_func,
-			parse_params.c_str());
-
-	if ( incremental_input() )
-		{
-		if ( buffer_mode() == BUFFER_NOTHING )
-		        {
-		        out_cc->println("%s;", call_parse_func.c_str());
-			out_cc->println("%s = true;", 
-				env->LValue(parsing_complete_var()));
-			}
-		else
-		        {
-			ASSERT(parsing_complete_var());
-			out_cc->println("%s = %s;",
-				env->LValue(parsing_complete_var()),
-				call_parse_func.c_str());
-
-			// parsing_complete_var might have been already
-			// evaluated when set to false
-			if ( ! env->Evaluated(parsing_complete_var()) )
-			        env->SetEvaluated(parsing_complete_var());
-			}
-		}
-	else
-		{
-		if ( AddSizeVar(out_cc, env) )
-			{
-			out_cc->println("%s = %s;", 
-				env->LValue(size_var()),
-				call_parse_func.c_str());
-			env->SetEvaluated(size_var());
-			}
-		else
-			{
-			out_cc->println("%s;", 
-				call_parse_func.c_str());
-			}
-		}
-	}
-
-void ParameterizedType::GenDynamicSize(Output* out_cc, Env* env,
-		const DataPtr& data)
-	{
-	GenParseCode(out_cc, env, data, 0);
-	}
-
diff --git a/aux/binpac/src/pac_paramtype.h b/aux/binpac/src/pac_paramtype.h
deleted file mode 100644
index 4a2ef4e1d7..0000000000
--- a/aux/binpac/src/pac_paramtype.h
+++ /dev/null
@@ -1,62 +0,0 @@
-#ifndef pac_paramtype_h
-#define pac_paramtype_h
-
-#include "pac_type.h"
-
-// An instantiated type: ID + expression list
-class ParameterizedType : public Type
-{
-public:
-	ParameterizedType(ID *type_id, ExprList *args);
-	~ParameterizedType();
-
-	Type *clone() const;
-
-	string EvalMember(const ID *member_id) const;
-	// Env *member_env() const;
-
-	void AddParamArg(Expr *arg);
-
-	bool DefineValueVar() const;
-	string DataTypeStr() const;
-	string DefaultValue() const	{ return "0"; }
-	Type *MemberDataType(const ID *member_id) const;
-
-	// "throw_exception" specifies whether to throw an exception
-	// if the referred data type is not found
-	Type *ReferredDataType(bool throw_exception) const;
-
-	void GenCleanUpCode(Output *out, Env *env);
-
-	int StaticSize(Env *env) const;
-
-	bool IsPointerType() const	{ return true; }
-
-	bool ByteOrderSensitive() const;
-	bool RequiresAnalyzerContext();
-
-	void GenInitCode(Output *out_cc, Env *env);
-
-	string class_name() const;
-	string EvalParameters(Output *out_cc, Env *env) const;
-
-	BufferMode buffer_mode() const;
-
-protected:
-	void GenNewInstance(Output *out, Env *env);
-
-	bool DoTraverse(DataDepVisitor *visitor);
-	Type *DoClone() const;
-	void DoMarkIncrementalInput();
-
-private:
-	ID *type_id_;
-	ExprList *args_;
-	char *data_type_;
-	bool checking_requires_analyzer_context_;
-
-	void DoGenParseCode(Output *out, Env *env, const DataPtr& data, int flags);
-	void GenDynamicSize(Output *out, Env *env, const DataPtr& data);
-};
-
-#endif  // pac_paramtype_h
diff --git a/aux/binpac/src/pac_parse.yy b/aux/binpac/src/pac_parse.yy
deleted file mode 100644
index 3d7f9a328f..0000000000
--- a/aux/binpac/src/pac_parse.yy
+++ /dev/null
@@ -1,1095 +0,0 @@
-/* $Id: pac_parse.yy 3225 2006-06-08 00:00:01Z vern $ */
-
-%token TOK_TYPE TOK_RECORD TOK_CASE TOK_ENUM TOK_LET TOK_FUNCTION
-%token TOK_REFINE TOK_CASEFUNC TOK_CASETYPE TOK_TYPEATTR
-%token TOK_HELPERHEADER TOK_HELPERCODE
-%token TOK_RIGHTARROW TOK_DEFAULT TOK_OF 
-%token TOK_PADDING TOK_TO TOK_ALIGN
-%token TOK_WITHINPUT
-%token TOK_INT8 TOK_INT16 TOK_INT32
-%token TOK_UINT8 TOK_UINT16 TOK_UINT32
-%token TOK_ID TOK_NUMBER TOK_REGEX TOK_STRING
-%token TOK_BEGIN_RE TOK_END_RE
-%token TOK_ATTR_ALSO
-%token TOK_ATTR_BYTEORDER TOK_ATTR_CHECK TOK_ATTR_CHUNKED 
-%token TOK_ATTR_EXPORTSOURCEDATA TOK_ATTR_IF
-%token TOK_ATTR_LENGTH TOK_ATTR_LET 
-%token TOK_ATTR_LINEBREAKER TOK_ATTR_MULTILINE TOK_ATTR_ONELINE
-%token TOK_ATTR_REFCOUNT TOK_ATTR_REQUIRES 
-%token TOK_ATTR_RESTOFDATA TOK_ATTR_RESTOFFLOW
-%token TOK_ATTR_TRANSIENT TOK_ATTR_UNTIL
-%token TOK_ANALYZER TOK_CONNECTION TOK_FLOW 
-%token TOK_STATE TOK_ACTION TOK_WHEN TOK_HELPER 
-%token TOK_DATAUNIT TOK_FLOWDIR TOK_WITHCONTEXT
-%token TOK_LPB_EXTERN TOK_LPB_HEADER TOK_LPB_CODE 
-%token TOK_LPB_MEMBER TOK_LPB_INIT TOK_LPB_CLEANUP TOK_LPB_EOF
-%token TOK_LPB TOK_RPB 
-%token TOK_EMBEDDED_ATOM TOK_EMBEDDED_STRING
-%token TOK_PAC_VAL TOK_PAC_SET TOK_PAC_TYPE TOK_PAC_TYPEOF TOK_PAC_CONST_DEF 
-%token TOK_END_PAC
-%token TOK_EXTERN
-
-%nonassoc '=' TOK_PLUSEQ
-%left ';'
-%left ','
-%left '?' ':'
-%left TOK_OR
-%left TOK_AND
-%nonassoc TOK_EQUAL TOK_NEQ TOK_LE TOK_GE '<' '>'
-%left '&' '|' '^'
-%left TOK_LSHIFT TOK_RSHIFT 
-%left '+' '-'
-%left '*' '/' '%'
-%right '~' '!'
-%right TOK_SIZEOF TOK_OFFSETOF
-%right '(' ')' '[' ']'
-%left '.'
-
-%type <actionparam> actionparam
-%type <actionparamtype> actionparamtype
-%type <aelem> sah
-%type <aelemlist> sahlist conn flow
-%type <attr> attr
-%type <attrlist> optattrs attrlist
-%type <caseexpr> caseexpr
-%type <caseexprlist> caseexprlist
-%type <casefield> casefield casefield0
-%type <casefieldlist> casefieldlist
-%type <contextfield> contextfield
-%type <contextfieldlist> analyzercontext contextfieldlist
-%type <decl> decl decl_with_attr decl_without_attr
-%type <embedded_code> embedded_code
-%type <enumlist> enumlist enumlist1
-%type <enumitem> enumitem
-%type <expr> expr caseindex optinit optlinebreaker
-%type <exprlist> exprlist optexprlist optargs
-%type <field> withinputfield letfield
-%type <fieldlist> letfieldlist
-%type <function> funcproto function
-%type <id> TOK_ID tok_id optfieldid 
-%type <input> input
-%type <num> TOK_NUMBER
-%type <pacprimitive> embedded_pac_primitive
-%type <param> param
-%type <paramlist> optparams paramlist
-%type <recordfield> recordfield recordfield0 padding 
-%type <recordfieldlist> recordfieldlist
-%type <regex> regex
-%type <statevar> statevar
-%type <statevarlist> statevarlist
-%type <str> TOK_EMBEDDED_STRING TOK_STRING TOK_REGEX
-%type <cstr> cstr
-%type <type> type type3 type2 type1 opttype
-%type <val> TOK_EMBEDDED_ATOM TOK_WHEN TOK_FLOWDIR TOK_DATAUNIT
-
-%{
-
-#include "pac_action.h"
-#include "pac_analyzer.h"
-#include "pac_array.h"
-#include "pac_attr.h"
-#include "pac_case.h"
-#include "pac_common.h"
-#include "pac_conn.h"
-#include "pac_context.h"
-#include "pac_cstr.h"
-#include "pac_dataptr.h"
-#include "pac_dataunit.h"
-#include "pac_dbg.h"
-#include "pac_decl.h"
-#include "pac_embedded.h"
-#include "pac_enum.h"
-#include "pac_exception.h"
-#include "pac_expr.h"
-#include "pac_exttype.h"
-#include "pac_flow.h"
-#include "pac_func.h"
-#include "pac_id.h"
-#include "pac_inputbuf.h"
-#include "pac_let.h"
-#include "pac_output.h"
-#include "pac_param.h"
-#include "pac_paramtype.h"
-#include "pac_primitive.h"
-#include "pac_record.h"
-#include "pac_redef.h"
-#include "pac_regex.h"
-#include "pac_state.h"
-#include "pac_strtype.h"
-#include "pac_type.h"
-#include "pac_utils.h"
-#include "pac_withinput.h"
-
-extern int yyerror(const char msg[]);
-extern int yylex();
-extern int yychar;
-extern char* yytext;
-extern int yyleng;
-extern void begin_RE();
-extern void end_RE();
-
-extern string input_filename;
-extern int line_number;
-extern Output* header_output;
-extern Output* source_output;
-
-%}
-
-%union {
-	ActionParam		*actionparam;
-	ActionParamType		*actionparamtype;
-	AnalyzerElement		*aelem;
-	AnalyzerElementList	*aelemlist;
-	Attr			*attr;
-	AttrList		*attrlist;
-	ConstString		*cstr;
-	CaseExpr		*caseexpr;
-	CaseExprList		*caseexprlist;
-	CaseField		*casefield;
-	CaseFieldList 		*casefieldlist;
-	ContextField		*contextfield;
-	ContextFieldList 	*contextfieldlist;
-	Decl			*decl;
-	EmbeddedCode		*embedded_code;
-	Enum			*enumitem;
-	EnumList		*enumlist;
-	Expr			*expr;
-	ExprList 		*exprlist;
-	Field 			*field;
-	FieldList 		*fieldlist;
-	Function		*function;
-	ID			*id;
-	InputBuffer		*input;
-	LetFieldList		*letfieldlist;
-	LetField		*letfield;
-	Number			*num;
-	PacPrimitive		*pacprimitive;
-	Param 			*param;
-	ParamList 		*paramlist;
-	RecordFieldList 	*recordfieldlist;
-	RecordField		*recordfield;
-	RegEx			*regex;
-	StateVar		*statevar;
-	StateVarList		*statevarlist;
-	const char		*str;
-	Type 			*type;
-	int			val;
-}
-
-%%
-
-decls		:	/* empty */
-				{
-				// Put initialization here
-				}
-		|	decls  decl optsemicolon
-				{
-				}
-		;
-
-decl		:	decl_with_attr optattrs
-				{
-				$$ = $1;
-				$1->AddAttrs($2);
-				}
-		|	decl_without_attr
-				{
-				$$ = $1;
-				}
-		;
-
-decl_with_attr	:	TOK_TYPE tok_id { current_decl_id = $2; } optparams '=' type
-				{
-				TypeDecl* decl = new TypeDecl($2, $4, $6);
-				$$ = decl;
-				}
-		|	TOK_LET tok_id { current_decl_id = $2; } opttype optinit
-				{
-				$$ = new LetDecl($2, $4, $5);
-				}
-		|	TOK_FUNCTION function
-				{
-				current_decl_id = $2->id();
-				$$ = new FuncDecl($2);
-				}
-		|	TOK_ENUM tok_id { current_decl_id = $2; } '{' enumlist '}'
-				{
-				$$ = new EnumDecl($2, $5);
-				}
-		|	TOK_EXTERN TOK_TYPE tok_id { current_decl_id = $3; }
-				{
-				Type *extern_type = new ExternType($3, ExternType::PLAIN);
-				$$ = new TypeDecl($3, 0, extern_type);
-				}
-		|	TOK_ANALYZER tok_id { current_decl_id = $2; } TOK_WITHCONTEXT analyzercontext
-				{
-				$$ = new AnalyzerContextDecl($2, $5);
-				}
-		|	TOK_ANALYZER tok_id { current_decl_id = $2; } optparams '{' conn '}'
-				{
-				$$ = new ConnDecl($2, $4, $6);
-				}
-		|	TOK_CONNECTION tok_id { current_decl_id = $2; } optparams '{' conn '}'
-				{
-				$$ = new ConnDecl($2, $4, $6);
-				}
-		|	TOK_FLOW tok_id { current_decl_id = $2; } optparams '{' flow '}'
-				{
-				$$ = new FlowDecl($2, $4, $6);
-				}
-		|	TOK_REFINE TOK_CASETYPE tok_id TOK_PLUSEQ '{' casefieldlist '}'
-				{
-				$$ = ProcessCaseTypeRedef($3, $6);
-				}
-		|	TOK_REFINE TOK_CASEFUNC tok_id TOK_PLUSEQ '{' caseexprlist '}'
-				{
-				$$ = ProcessCaseExprRedef($3, $6);
-				}
-		|	TOK_REFINE TOK_ANALYZER tok_id TOK_PLUSEQ '{' sahlist '}'
-				{
-				$$ = ProcessAnalyzerRedef($3, Decl::CONN, $6);
-				}
-		|	TOK_REFINE TOK_CONNECTION tok_id TOK_PLUSEQ '{' sahlist '}'
-				{
-				$$ = ProcessAnalyzerRedef($3, Decl::CONN, $6);
-				}
-		|	TOK_REFINE TOK_FLOW tok_id TOK_PLUSEQ '{' sahlist '}'
-				{
-				$$ = ProcessAnalyzerRedef($3, Decl::FLOW, $6);
-				}
-		;
-
-decl_without_attr: 	TOK_LPB_HEADER embedded_code TOK_RPB
-				{
-				$$ = new HelperDecl(HelperDecl::HEADER, 0, $2);
-				}
-		|	TOK_LPB_CODE embedded_code TOK_RPB
-				{
-				$$ = new HelperDecl(HelperDecl::CODE, 0, $2);
-				}
-		|	TOK_LPB_EXTERN embedded_code TOK_RPB
-				{
-				$$ = new HelperDecl(HelperDecl::EXTERN, 0, $2);
-				}
-		|	TOK_REFINE TOK_TYPEATTR tok_id TOK_PLUSEQ attrlist
-				{
-				$$ = ProcessTypeAttrRedef($3, $5);
-				}
-		;
-
-optsemicolon	:	/* nothing */
-		|	';'
-		;
-
-tok_id		:	TOK_ID
-				{
-				$$ = $1;
-				}
-		|	TOK_CONNECTION
-				{
-				$$ = new ID("connection");
-				}
-		|	TOK_ANALYZER
-				{
-				$$ = new ID("analyzer");
-				}
-		|	TOK_FLOW
-				{
-				$$ = new ID("flow");
-				}
-		| 	TOK_FUNCTION
-				{
-				$$ = new ID("function");
-				}
-		|	TOK_TYPE
-				{
-				$$ = new ID("type");
-				}
-		;
-
-analyzercontext :	'{' contextfieldlist '}'
-				{
-				$$ = $2;
-				}
-		;
-
-contextfieldlist:	contextfieldlist contextfield ';'
-				{
-				$1->push_back($2);
-				$$ = $1;
-				}
-		|	/* nothing */
-				{
-				$$ = new ContextFieldList();
-				}
-		;
-
-contextfield	:	tok_id ':' type1
-				{
-				$$ = new ContextField($1, $3);
-				}
-		;
-
-funcproto	:	tok_id '(' paramlist ')' ':' type2
-				{
-				$$ = new Function($1, $6, $3);
-				}
-		;
-
-function	:	funcproto '=' expr
-				{
-				$1->set_expr($3);
-				$$ = $1;
-				}
-		|	funcproto TOK_LPB embedded_code TOK_RPB
-				{
-				$1->set_code($3);
-				$$ = $1;
-				}
-		|	funcproto ';'
-				{
-				$$ = $1;
-				}
-		;
-
-optparams	:	'(' paramlist ')'
-				{
-				$$ = $2;
-				}
-		|	/* empty */
-				{
-				$$ = 0;
-				}
-		;
-
-paramlist	:	paramlist ',' param 
-				{
-				$1->push_back($3);
-				$$ = $1;
-				}
-		|	param
-				{
-				$$ = new ParamList();
-				$$->push_back($1);
-				}
-		|	/* empty */
-				{
-				$$ = new ParamList();
-				}
-		;
-
-param		:	tok_id ':' type2
-				{
-				$$ = new Param($1, $3);
-				}
-		;
-
-optinit		:	/* nothing */
-				{
-				$$ = 0;
-				}
-		|	'=' expr
-				{
-				$$ = $2;
-				}
-		;
-
-opttype		:	/* nothing */
-				{
-				$$ = 0;
-				}
-		|	':' type2
-				{
-				$$ = $2;
-				}
-		;
-
-type		: 	type3
-				{
-				$$ = $1;
-				}
-		;
-
-/* type3 is for record or type2 */
-type3		:	type2
-				{
-				$$ = $1;
-				}
-		|	TOK_RECORD '{' recordfieldlist '}'
-				{
-				$$ = new RecordType($3);
-				}
-		;
-
-/* type2 is for array or case or type1 */
-type2		:	type1
-				{
-				$$ = $1;
-				}
-		|	type1 '[' expr ']'
-				{
-				$$ = new ArrayType($1, $3);
-				}
-		|	type1 '[' ']'
-				{
-				$$ = new ArrayType($1);
-				}
-		|	TOK_CASE caseindex TOK_OF '{' casefieldlist '}'
-				{
-				$$ = new CaseType($2, $5);
-				}
-		;
-
-/* type1 is for built-in, parameterized, or string types */
-type1		: 	tok_id
-				{
-				$$ = Type::LookUpByID($1);
-				}
-		|	tok_id '(' exprlist ')'
-				{
-				$$ = new ParameterizedType($1, $3);
-				}
-		|	regex
-				{
-				$$ = new StringType($1);
-				}
-		|	cstr
-				{
-				$$ = new StringType($1);
-				}
-		;
-
-recordfieldlist	:	recordfieldlist recordfield ';'
-				{
-				$1->push_back($2);
-				$$ = $1;
-				}
-		|	/* empty */	
-				{
-				$$ = new RecordFieldList();
-				}
-		;
-
-recordfield	: 	recordfield0 optattrs
-				{
-				$1->AddAttr($2);
-				$$ = $1;
-				}
-		;
-
-recordfield0	:	optfieldid type2
-				{
-				$$ = new RecordDataField($1, $2);
-				}
-		|	padding
-				{
-				$$ = $1;
-				}
-		;
-
-padding		:	optfieldid TOK_PADDING '[' expr ']'
-				{
-				$$ = new RecordPaddingField(
-					$1, PAD_BY_LENGTH, $4);
-				}
-		|	optfieldid TOK_PADDING TOK_TO expr
-				{
-				$$ = new RecordPaddingField(
-					$1, PAD_TO_OFFSET, $4);
-				}
-		|	optfieldid TOK_PADDING TOK_ALIGN expr
-				{
-				$$ = new RecordPaddingField(
-					$1, PAD_TO_NEXT_WORD, $4);
-				}
-		;
-
-optfieldid	:	tok_id ':'
-				{
-				$$ = $1;
-				}
-		|	':'
-				{
-				$$ = ID::NewAnonymousID("anonymous_field_");
-				}
-		;
-
-caseindex	:	expr
-				{
-				$$ = $1;
-				}
-		;
-
-casefieldlist	:	casefieldlist casefield ';'
-				{
-				$1->push_back($2);
-				$$ = $1;
-				}
-		|	/* empty */	
-				{
-				$$ = new CaseFieldList();
-				}
-		;
-
-casefield	:	casefield0 optattrs
-				{
-				$1->AddAttr($2);	
-				$$ = $1;
-				}
-		;
-
-casefield0	:	exprlist TOK_RIGHTARROW tok_id ':' type2
-				{
-				$$ = new CaseField($1, $3, $5);
-				}
-		|	TOK_DEFAULT TOK_RIGHTARROW tok_id ':' type2
-				{
-				$$ = new CaseField(0, $3, $5);
-				}
-		;
-
-optexprlist	:	/* nothing */
-				{
-				$$ = 0;
-				}
-		|	exprlist
-				{
-				$$ = $1;
-				}
-		;
-
-exprlist	:	exprlist ',' expr
-				{
-				$1->push_back($3);
-				$$ = $1;
-				}
-		|	expr
-				{
-				$$ = new ExprList();
-				$$->push_back($1);
-				}
-		;
-
-expr		:	tok_id
-				{
-				$$ = new Expr($1);
-				}
-		|	TOK_NUMBER
-				{
-				$$ = new Expr($1);
-				}
-		|	expr '[' expr ']'
-				{
-				$$ = new Expr(Expr::EXPR_SUBSCRIPT, $1, $3);
-				}
-		|	expr '.' tok_id
-				{
-				$$ = new Expr(Expr::EXPR_MEMBER, $1, new Expr($3));
-				}
-		|	TOK_SIZEOF '(' tok_id ')'
-				{
-				$$ = new Expr(Expr::EXPR_SIZEOF, new Expr($3));
-				}
-		|	TOK_OFFSETOF '(' tok_id ')'
-				{
-				$$ = new Expr(Expr::EXPR_OFFSETOF, new Expr($3));
-				}
-		|	'(' expr ')'
-				{
-				$$ = new Expr(Expr::EXPR_PAREN, $2);
-				}
-		|	expr '(' optexprlist ')'
-				{
-				$$ = new Expr(Expr::EXPR_CALL, 
-				              $1, 
-				              new Expr($3));
-				}
-		|	'-' expr
-				{
-				$$ = new Expr(Expr::EXPR_NEG, $2);
-				}
-		|	expr '+' expr
-				{
-				$$ = new Expr(Expr::EXPR_PLUS, $1, $3);
-				}
-		|	expr '-' expr
-				{
-				$$ = new Expr(Expr::EXPR_MINUS, $1, $3);
-				}
-		|	expr '*' expr
-				{
-				$$ = new Expr(Expr::EXPR_TIMES, $1, $3);
-				}
-		|	expr '/' expr
-				{
-				$$ = new Expr(Expr::EXPR_DIV, $1, $3);
-				}
-		|	expr '%' expr
-				{
-				$$ = new Expr(Expr::EXPR_MOD, $1, $3);
-				}
-		|	'~' expr
-				{
-				$$ = new Expr(Expr::EXPR_BITNOT, $2);
-				}
-		|	expr '&' expr
-				{
-				$$ = new Expr(Expr::EXPR_BITAND, $1, $3);
-				}
-		|	expr '|' expr
-				{
-				$$ = new Expr(Expr::EXPR_BITOR, $1, $3);
-				}
-		|	expr '^' expr
-				{
-				$$ = new Expr(Expr::EXPR_BITXOR, $1, $3);
-				}
-		|	expr TOK_LSHIFT expr
-				{
-				$$ = new Expr(Expr::EXPR_LSHIFT, $1, $3);
-				}
-		|	expr TOK_RSHIFT expr
-				{
-				$$ = new Expr(Expr::EXPR_RSHIFT, $1, $3);
-				}
-		|	expr TOK_EQUAL expr
-				{
-				$$ = new Expr(Expr::EXPR_EQUAL, $1, $3);
-				}
-		|	expr TOK_NEQ expr
-				{
-				$$ = new Expr(Expr::EXPR_NEQ, $1, $3);
-				}
-		|	expr TOK_GE expr
-				{
-				$$ = new Expr(Expr::EXPR_GE, $1, $3);
-				}
-		|	expr TOK_LE expr
-				{
-				$$ = new Expr(Expr::EXPR_LE, $1, $3);
-				}
-		|	expr '>' expr
-				{
-				$$ = new Expr(Expr::EXPR_GT, $1, $3);
-				}
-		|	expr '<' expr
-				{
-				$$ = new Expr(Expr::EXPR_LT, $1, $3);
-				}
-		|	'!' expr
-				{
-				$$ = new Expr(Expr::EXPR_NOT, $2);
-				}
-		|	expr TOK_AND expr
-				{
-				$$ = new Expr(Expr::EXPR_AND, $1, $3);
-				}
-		|	expr TOK_OR expr
-				{
-				$$ = new Expr(Expr::EXPR_OR, $1, $3);
-				}
-		|	expr '?' expr ':' expr
-				{
-				$$ = new Expr(Expr::EXPR_COND, $1, $3, $5);
-				}
-		|	TOK_CASE expr TOK_OF '{' caseexprlist '}' 
-				{
-				$$ = new Expr($2, $5);
-				}
-		|	cstr
-				{
-				$$ = new Expr($1);
-				}
-		|	regex
-				{
-				$$ = new Expr($1);
-				}
-		;
-
-cstr		:	TOK_STRING
-				{
-				$$ = new ConstString($1);
-				}
-		;
-
-regex		: 	TOK_BEGIN_RE TOK_REGEX TOK_END_RE
-				{ 
-				$$ = new RegEx($2); 
-				}
-		;
-
-caseexprlist	:	/* nothing */
-				{
-				$$ = new CaseExprList();
-				}
-		|	caseexprlist caseexpr ';'
-				{
-				$1->push_back($2);
-				$$ = $1;
-				}
-		;
-
-caseexpr	:	exprlist TOK_RIGHTARROW expr
-				{
-				$$ = new CaseExpr($1, $3);
-				}
-		|	TOK_DEFAULT TOK_RIGHTARROW expr
-				{
-				$$ = new CaseExpr(0, $3);
-				}
-		;
-
-enumlist	: 	enumlist1
-				{
-				$$ = $1;
-				}
-		|	enumlist1 ','
-				{
-				$$ = $1;
-				}
-		;
-
-enumlist1	:	enumlist1 ',' enumitem
-				{
-				$1->push_back($3);
-				$$ = $1;
-				}
-		|	enumitem
-				{
-				$$ = new EnumList();
-				$$->push_back($1);
-				}
-		;
-
-enumitem	:	tok_id
-				{
-				$$ = new Enum($1);
-				}
-		|	tok_id '=' expr
-				{
-				$$ = new Enum($1, $3);
-				}
-		;
-
-conn		:	sahlist
-				{
-				$$ = $1;
-				}
-		;
-
-flow		:	sahlist
-				{
-				$$ = $1;
-				}
-		;
-
-/* State-Action-Helper List */
-sahlist		:	/* empty */
-				{
-				$$ = new AnalyzerElementList();
-				}
-		|	sahlist sah
-				{
-				$1->push_back($2);
-				$$ = $1;
-				}
-		;
-
-sah		:	TOK_LPB_MEMBER embedded_code TOK_RPB
-				{
-				$$ = new AnalyzerHelper(AnalyzerHelper::MEMBER_DECLS, $2);
-				}
-		|	TOK_LPB_INIT embedded_code TOK_RPB
-				{
-				$$ = new AnalyzerHelper(AnalyzerHelper::INIT_CODE, $2);
-				}
-		|	TOK_LPB_CLEANUP embedded_code TOK_RPB
-				{
-				$$ = new AnalyzerHelper(AnalyzerHelper::CLEANUP_CODE, $2);
-				}
-		|	TOK_LPB_EOF embedded_code TOK_RPB
-				{
-				$$ = new AnalyzerHelper(AnalyzerHelper::EOF_CODE, $2);
-				}
-		|	TOK_FLOWDIR '=' tok_id optargs ';'
-				{
-				$$ = new AnalyzerFlow((AnalyzerFlow::Direction) $1, $3, $4);
-				}
-		|	TOK_DATAUNIT '=' tok_id optargs TOK_WITHCONTEXT '(' optexprlist ')' ';'
-				{
-				$$ = new AnalyzerDataUnit(
-					(AnalyzerDataUnit::DataUnitType) $1, 
-					$3, 
-					$4,
-					$7);
-				}
-		|	TOK_FUNCTION function
-				{
-				$$ = new AnalyzerFunction($2);
-				}
-		|	TOK_STATE '{' statevarlist '}'
-				{
-				$$ = new AnalyzerState($3);
-				}
-		|	TOK_ACTION tok_id TOK_WHEN '(' actionparam ')' TOK_LPB embedded_code TOK_RPB
-				{
-				$$ = new AnalyzerAction($2, (AnalyzerAction::When) $3, $5, $8);
-				}
-		;
-
-statevarlist	:	/* empty */
-				{
-				$$ = new StateVarList();
-				}
-		|	statevarlist statevar ';'
-				{
-				$1->push_back($2);
-				$$ = $1;
-				}
-		;
-
-statevar	:	tok_id ':' type1
-				{
-				$$ = new StateVar($1, $3);
-				}
-		;
-
-actionparam	:	tok_id TOK_LE actionparamtype
-				{
-				$$ = new ActionParam($1, $3);
-				}
-		;
-
-actionparamtype :	tok_id
-				{
-				$$ = new ActionParamType($1);
-				}
-		|	tok_id '.' tok_id
-				{
-				$$ = new ActionParamType($1, $3);
-				}
-		;
-
-embedded_code	:	/* empty */
-				{
-				$$ = new EmbeddedCode();
-				}
-		|	embedded_code TOK_EMBEDDED_ATOM
-				{
-				$1->Append($2);
-				$$ = $1;
-				}
-		|	embedded_code TOK_EMBEDDED_STRING
-				{
-				$1->Append($2);
-				$$ = $1;
-				}
-		|	embedded_code embedded_pac_primitive
-				{
-				$1->Append($2);
-				$$ = $1;
-				}
-		;
-
-embedded_pac_primitive:	TOK_PAC_VAL expr TOK_END_PAC
-				{
-				$$ = new PPVal($2);
-				}
-		|	TOK_PAC_SET expr TOK_END_PAC
-				{
-				$$ = new PPSet($2);
-				}
-		|	TOK_PAC_TYPE expr TOK_END_PAC
-				{
-				$$ = new PPType($2);
-				}
-		|	TOK_PAC_CONST_DEF tok_id '=' expr TOK_END_PAC
-				{
-				$$ = new PPConstDef($2, $4);
-				}
-		;
-
-optargs		:	/* empty */
-				{
-				$$ = 0;
-				}
-		|	'(' optexprlist ')'
-				{
-				$$ = $2;
-				}
-		;
-
-letfieldlist	:	letfieldlist letfield ';' 
-				{
-				$1->push_back($2);
-				$$ = $1;
-				}
-		|	letfieldlist withinputfield ';'
-				{
-				$1->push_back($2);
-				$$ = $1;
-				}
-		|	/* empty */
-				{
-				$$ = new FieldList();
-				}
-		;
-
-letfield	:	tok_id opttype optinit optattrs
-				{
-				$$ = new LetField($1, $2, $3);
-				$$->AddAttr($4);
-				}
-		;
-
-withinputfield	:	tok_id ':' type1 TOK_WITHINPUT input optattrs
-				{
-				$$ = new WithInputField($1, $3, $5);
-				$$->AddAttr($6);
-				}
-		;
-
-/* There can be other forms of input */
-input		:	expr
-				{
-				$$ = new InputBuffer($1);
-				}
-		;
-
-optattrs	:	/* empty */	
-				{
-				$$ = 0;
-				}
-		|	attrlist
-				{
-				$$ = $1;
-				}
-		;
-
-attrlist	:	attrlist optcomma attr
-				{
-				if ( $3 )
-					$1->push_back($3);
-				$$ = $1;
-				}
-		|	attr
-				{
-				$$ = new AttrList();
-				if ( $1 )
-					$$->push_back($1);
-				}
-		;
-
-optcomma	:	/* nothing */
-		|	','
-		;
-
-attr		:	TOK_ATTR_BYTEORDER '=' expr
-				{
-				$$ = new Attr(ATTR_BYTEORDER, $3);
-				}
-		|	TOK_ATTR_CHECK expr 
-				{
-				$$ = new Attr(ATTR_CHECK, $2);
-				}
-		|	TOK_ATTR_CHUNKED
-				{
-				$$ = new Attr(ATTR_CHUNKED);
-				}
-		|	TOK_ATTR_EXPORTSOURCEDATA
-				{
-				$$ = new Attr(ATTR_EXPORTSOURCEDATA);
-				}
-		|	TOK_ATTR_IF expr 
-				{
-				$$ = new Attr(ATTR_IF, $2);
-				}
-		|	TOK_ATTR_LENGTH '=' expr
-				{
-				$$ = new Attr(ATTR_LENGTH, $3);
-				}
-		|	TOK_ATTR_LET '{' letfieldlist '}'
-				{
-				$$ = new LetAttr($3);
-				}
-		|	TOK_ATTR_LINEBREAKER '=' expr
-				{
-				$$ = new Attr(ATTR_LINEBREAKER, $3);
-				}
-		|	TOK_ATTR_MULTILINE '(' expr ')'
-				{
-				$$ = new Attr(ATTR_MULTILINE, $3);
-				}
-		|	TOK_ATTR_ONELINE optlinebreaker
-				{
-				$$ = new Attr(ATTR_ONELINE, $2);
-				}
-		|	TOK_ATTR_REFCOUNT
-				{
-				$$ = new Attr(ATTR_REFCOUNT);
-				}
-		|	TOK_ATTR_REQUIRES '(' optexprlist ')'
-				{
-				$$ = new Attr(ATTR_REQUIRES, $3);
-				}
-		|	TOK_ATTR_RESTOFDATA
-				{
-				$$ = new Attr(ATTR_RESTOFDATA);
-				}
-		|	TOK_ATTR_RESTOFFLOW
-				{
-				$$ = new Attr(ATTR_RESTOFFLOW);
-				}
-		|	TOK_ATTR_TRANSIENT
-				{
-				$$ = new Attr(ATTR_TRANSIENT);
-				}
-		|	TOK_ATTR_UNTIL expr
-				{
-				$$ = new Attr(ATTR_UNTIL, $2);
-				}
-		;
-
-optlinebreaker	:	/* nothing */
-				{
-				$$ = 0;
-				}
-		|	'(' expr ')'
-				{
-				$$ = $2;
-				}
-		;
-
-%%
-
-const ID* current_decl_id = 0;
-
-int yyerror(const char msg[])
-	{
-	char* msgbuf = 
-		new char[strlen(msg) + yyleng + 64];
-
-	if ( ! yychar || ! yytext || yytext[0] == '\0' )
-		sprintf(msgbuf, "%s, at end of file", msg);
-
-	else if ( yytext[0] == '\n' )
-		sprintf(msgbuf, "%s, on previous line", msg);
-
-	else
-		sprintf(msgbuf, "%s, at or near \"%s\"", msg, yytext);
-
-	/*
-	extern int column;
-	sprintf(msgbuf, "%*s\n%*s\n", column, "^", column, msg);
-	*/
-
-	if ( ! input_filename.empty() )
-		fprintf(stderr, "%s:%d: ", input_filename.c_str(), line_number);
-	else
-		fprintf(stderr, "line %d: ", line_number);
-	fprintf(stderr, "%s", msgbuf);
-	fprintf(stderr, " (yychar=%d)", yychar);
-	fprintf(stderr, "\n");
-
-	return 0;
-        }
diff --git a/aux/binpac/src/pac_primitive.cc b/aux/binpac/src/pac_primitive.cc
deleted file mode 100644
index c4893a63ed..0000000000
--- a/aux/binpac/src/pac_primitive.cc
+++ /dev/null
@@ -1,39 +0,0 @@
-#include "pac_dbg.h"
-#include "pac_expr.h"
-#include "pac_id.h"
-#include "pac_primitive.h"
-#include "pac_type.h"
-
-string PPVal::ToCode(Env *env)
-	{
-	ASSERT(expr_);
-	return string(expr_->EvalExpr(0, env));
-	}
-
-string PPSet::ToCode(Env *env)
-	{
-	ASSERT(expr_);
-	return expr_->SetFunc(0, env);
-	}
-
-string PPType::ToCode(Env *env)
-	{
-	Type *type = expr_->DataType(env);
-	if ( ! type )
-		{
-		}
-	return type->DataTypeStr();
-	}
-
-string PPConstDef::ToCode(Env *env)
-	{
-	Type *type = expr_->DataType(env);
-	env->AddID(id_, TEMP_VAR, type);
-	env->SetEvaluated(id_);
-
-	string type_str = type->DataTypeStr();
-	return strfmt("%s %s = %s", 
-	              type_str.c_str(),
-	              env->LValue(id_),
-	              expr_->EvalExpr(0, env));
-	}
diff --git a/aux/binpac/src/pac_primitive.h b/aux/binpac/src/pac_primitive.h
deleted file mode 100644
index 47d06a1e72..0000000000
--- a/aux/binpac/src/pac_primitive.h
+++ /dev/null
@@ -1,75 +0,0 @@
-#ifndef pac_primitive_h
-#define pac_primitive_h
-
-#include "pac_common.h"
-
-class PacPrimitive
-{
-public:
-	enum PrimitiveType { VAL, SET, TYPE, CONST_DEF };
-
-	explicit PacPrimitive(PrimitiveType type) : type_(type) {}
-	virtual ~PacPrimitive() {}
-
-	PrimitiveType type() const	{ return type(); }
-
-	virtual string ToCode(Env *env) = 0;
-
-private:
-	PrimitiveType type_;
-};
-
-class PPVal : public PacPrimitive
-{
-public:
-	PPVal(Expr *expr) : PacPrimitive(VAL), expr_(expr) {}
-	Expr *expr() const	{ return expr_; }
-
-	string ToCode(Env *env);
-
-private:
-	Expr *expr_;
-};
-
-class PPSet : public PacPrimitive
-{
-public:
-	PPSet(Expr *expr) : PacPrimitive(SET), expr_(expr) {}
-	Expr *expr() const	{ return expr_; }
-
-	string ToCode(Env *env);
-
-private:
-	Expr *expr_;
-};
-
-class PPType : public PacPrimitive
-{
-public:
-	PPType(Expr *expr) : PacPrimitive(TYPE), expr_(expr) {}
-	Expr *expr() const	{ return expr_; }
-
-	string ToCode(Env *env);
-
-private:
-	Expr *expr_;
-};
-
-class PPConstDef : public PacPrimitive
-{
-public:
-	PPConstDef(const ID *id, Expr *expr) 
-		: PacPrimitive(CONST_DEF), 
-		  id_(id),
-		  expr_(expr) {}
-	const ID *id() const	{ return id_; }
-	Expr *expr() const	{ return expr_; }
-
-	string ToCode(Env *env);
-
-private:
-	const ID *id_;
-	Expr *expr_;
-};
-
-#endif  // pac_primitive_h
diff --git a/aux/binpac/src/pac_record.cc b/aux/binpac/src/pac_record.cc
deleted file mode 100644
index 9875195033..0000000000
--- a/aux/binpac/src/pac_record.cc
+++ /dev/null
@@ -1,680 +0,0 @@
-#include "pac_attr.h"
-#include "pac_dataptr.h"
-#include "pac_exception.h"
-#include "pac_expr.h"
-#include "pac_exttype.h"
-#include "pac_field.h"
-#include "pac_output.h"
-#include "pac_record.h"
-#include "pac_type.h"
-#include "pac_typedecl.h"
-#include "pac_utils.h"
-#include "pac_varfield.h"
-
-
-RecordType::RecordType(RecordFieldList* record_fields)
-	: Type(RECORD)
-	{
-	// Here we assume that the type is a standalone type.
-	value_var_ = 0;
-
-	// Put all fields in fields_
-	foreach (i, RecordFieldList, record_fields)
-		AddField(*i);
-
-	// Put RecordField's in record_fields_
-	record_fields_ = record_fields;
-
-	parsing_dataptr_var_field_ = 0;
-	}
-
-RecordType::~RecordType()
-	{
-	// Do not delete_list(RecordFieldList, record_fields_)
-	// because the fields are also in fields_.
-	delete record_fields_;
-	delete parsing_dataptr_var_field_;
-	}
-
-const ID *RecordType::parsing_dataptr_var() const
-	{ 
-	return parsing_dataptr_var_field_ ?
-		parsing_dataptr_var_field_->id() : 0;
-	}
-
-bool RecordType::DefineValueVar() const
-	{
-	return false;
-	}
-
-string RecordType::DataTypeStr() const
-	{
-	ASSERT(type_decl());
-	return strfmt("%s *", type_decl()->class_name().c_str());
-	}
-
-void RecordType::Prepare(Env* env, int flags)
-	{
-	ASSERT(flags & TO_BE_PARSED);
-
-	RecordField *prev = 0;
-	int offset = 0;
-	int seq = 0;
-	foreach (i, RecordFieldList, record_fields_)
-		{
-		RecordField *f = *i;
-		f->set_record_type(this);
-		f->set_prev(prev);
-		if ( prev )
-			prev->set_next(f);
-		prev = f;
-		if ( offset >= 0 )
-			{
-			f->set_static_offset(offset);
-			int w = f->StaticSize(env, offset);
-			if ( w < 0 )
-				offset = -1;
-			else
-				offset += w;
-			}
-		++seq;
-		f->set_parsing_state_seq(seq);
-		}
-
-	if ( incremental_parsing() )
-		{
-#if 0
-		ASSERT(! parsing_state_var_field_);
-		ID *parsing_state_var_id = new ID("parsing_state");
-		parsing_state_var_field_ = new PrivVarField(
-			parsing_state_var_id, extern_type_int->Clone());
-		AddField(parsing_state_var_field_);
-
-		ID *parsing_dataptr_var_id = new ID("parsing_dataptr");
-		parsing_dataptr_var_field_ = new TempVarField(
-			parsing_dataptr_var_id, extern_type_const_byteptr->Clone());
-		parsing_dataptr_var_field_->Prepare(env);
-#endif
-		}
-
-	Type::Prepare(env, flags);
-	}
-
-void RecordType::GenPubDecls(Output* out_h, Env* env)
-	{
-	Type::GenPubDecls(out_h, env);
-	}
-
-void RecordType::GenPrivDecls(Output* out_h, Env* env)
-	{
-	Type::GenPrivDecls(out_h, env);
-	}
-
-void RecordType::GenInitCode(Output* out_cc, Env* env)
-	{
-	Type::GenInitCode(out_cc, env);
-	}
-
-void RecordType::GenCleanUpCode(Output* out_cc, Env* env)
-	{
-	Type::GenCleanUpCode(out_cc, env);
-	}
-
-void RecordType::DoGenParseCode(Output* out_cc, Env* env, 
-		const DataPtr& data, int flags)
-	{
-	  if ( !incremental_input() && StaticSize(env) >= 0 )
-		GenBoundaryCheck(out_cc, env, data);
-
-	if ( incremental_parsing() )
-		{
-		out_cc->println("switch ( %s ) {",
-			env->LValue(parsing_state_id));
-
-		out_cc->println("case 0:");
-		out_cc->inc_indent();
-		foreach (i, RecordFieldList, record_fields_)
-			{
-			RecordField *f = *i;
-			f->GenParseCode(out_cc, env);
-			out_cc->println("");
-			}
-		out_cc->println("");
-		out_cc->println("%s = true;", 
-			env->LValue(parsing_complete_var()));
-		out_cc->dec_indent();
-		out_cc->println("}");
-		}
-	else
-		{
-		ASSERT(	data.id() == begin_of_data && 
-			data.offset() == 0 );
-		foreach (i, RecordFieldList, record_fields_)
-			{
-			RecordField *f = *i;
-			f->GenParseCode(out_cc, env);
-			out_cc->println("");
-			}
-		if ( incremental_input() )
-			{
-			ASSERT(parsing_complete_var());
-			out_cc->println("%s = true;", 
-				env->LValue(parsing_complete_var()));
-			}
-		}
-
-	if ( ! incremental_input() && AddSizeVar(out_cc, env) )
-		{
-		const DataPtr& end_of_record_dataptr = 
-			record_fields_->back()->getFieldEnd(out_cc, env);
-
-		out_cc->println("%s = %s - %s;", 
-			env->LValue(size_var()), 
-			end_of_record_dataptr.ptr_expr(), 
-			env->RValue(begin_of_data));
-		env->SetEvaluated(size_var());
-		}
-
-	if ( ! boundary_checked() )
-		{
-		RecordField *last_field = record_fields_->back();
-		if ( ! last_field->BoundaryChecked() )
-			GenBoundaryCheck(out_cc, env, data);
-		}
-	}
-
-void RecordType::GenDynamicSize(Output* out_cc, Env* env,
-		const DataPtr& data)
-	{
-	GenParseCode(out_cc, env, data, 0);
-	}
-
-int RecordType::StaticSize(Env* env) const
-	{
-	int tot_w = 0;
-	foreach (i, RecordFieldList, record_fields_)
-		{
-		RecordField *f = *i;
-		int w = f->StaticSize(env, tot_w);
-		if ( w < 0 )
-			return -1;
-		tot_w += w;
-		}
-	return tot_w;
-	}
-
-void RecordType::SetBoundaryChecked()
-	{
-	Type::SetBoundaryChecked();
-	foreach (i, RecordFieldList, record_fields_)
-		{
-		RecordField *f = *i;
-		f->SetBoundaryChecked();
-		}
-	}
-
-void RecordType::DoMarkIncrementalInput()
-	{
-	foreach (i, RecordFieldList, record_fields_)
-		{
-		RecordField *f = *i;
-		f->type()->MarkIncrementalInput();
-		}
-	}
-
-bool RecordType::DoTraverse(DataDepVisitor *visitor)
-	{
-	return Type::DoTraverse(visitor);
-	}
-
-bool RecordType::ByteOrderSensitive() const
-	{
-	foreach (i, RecordFieldList, record_fields_)
-		{
-		RecordField *f = *i;
-		if ( f->RequiresByteOrder() )
-			return true;
-		}
-	return false;
-	}
-
-RecordField::RecordField(FieldType tof, ID *id, Type *type)
-	: Field(tof, 
-		TYPE_TO_BE_PARSED | CLASS_MEMBER | PUBLIC_READABLE,
-		id, type)
-	{
-	begin_of_field_dataptr = 0;
-	end_of_field_dataptr = 0;
-	field_size_expr = 0;
-	field_offset_expr = 0;
-	end_of_field_dataptr_var = 0;
-	record_type_ = 0;
-	prev_ = 0;
-	next_ = 0;
-	static_offset_ = -1;
-	boundary_checked_ = false;
-	}
-
-RecordField::~RecordField()
-	{
-	delete begin_of_field_dataptr;
-	delete end_of_field_dataptr;
-	delete [] field_size_expr;
-	delete [] field_offset_expr;
-	delete end_of_field_dataptr_var;
-	}
-
-const DataPtr& RecordField::getFieldBegin(Output* out_cc, Env* env)
-	{
-	if ( prev() )
-		return prev()->getFieldEnd(out_cc, env);
-	else
-		{
-		// The first field
-		if ( ! begin_of_field_dataptr )
-			{
-			begin_of_field_dataptr = 
-				new DataPtr(env, begin_of_data, 0);
-			}
-		return *begin_of_field_dataptr;
-		}	
-	}
-
-const DataPtr& RecordField::getFieldEnd(Output* out_cc, Env* env)
-	{
-	if ( end_of_field_dataptr )
-		return *end_of_field_dataptr;
-
-	const DataPtr& begin_ptr = getFieldBegin(out_cc, env);
-
-	if ( record_type()->incremental_parsing() )
-		{
-		ASSERT(0);
-		if ( ! end_of_field_dataptr )
-			{
-			const ID *dataptr_var = 
-				record_type()->parsing_dataptr_var();
-			ASSERT(dataptr_var);
-
-			end_of_field_dataptr = 
-				new DataPtr(env, dataptr_var, 0);
-			}
-		}
-	else
-		{
-		int field_offset;
-		if ( begin_ptr.id() == begin_of_data )
-			field_offset = begin_ptr.offset();
-		else
-			field_offset = -1;	// unknown
-			
-		int field_size = StaticSize(env, field_offset);
-		if ( field_size >= 0 ) // can be statically determinted 
-			{
-			end_of_field_dataptr = new DataPtr(
-				env,
-				begin_ptr.id(), 
-				begin_ptr.offset() + field_size);
-			}
-		else
-			{
-			// If not, we add a variable for the offset after the field
-			end_of_field_dataptr_var = new ID(
-				fmt("dataptr_after_%s", id()->Name()));
-			env->AddID(end_of_field_dataptr_var, 
-		           	TEMP_VAR, 
-		           	extern_type_const_byteptr);
-
-			GenFieldEnd(out_cc, env, begin_ptr);
-
-			end_of_field_dataptr = new DataPtr(
-				env, 
-				end_of_field_dataptr_var, 
-				0);
-			}
-		}
-
-	return *end_of_field_dataptr;
-	}
-
-const char* RecordField::FieldSize(Output* out_cc, Env* env)
-	{
-	if ( field_size_expr )
-		return field_size_expr;
-
-	const DataPtr& begin = getFieldBegin(out_cc, env);
-	const DataPtr& end = getFieldEnd(out_cc, env);
-	if ( begin.id() == end.id() )
-		field_size_expr = nfmt("%d", end.offset() - begin.offset());
-	else
-		field_size_expr = nfmt("(%s - %s)", end.ptr_expr(), begin.ptr_expr());
-	return field_size_expr;
-	}
-
-const char* RecordField::FieldOffset(Output* out_cc, Env* env)
-	{
-	if ( field_offset_expr )
-		return field_offset_expr;
-
-	const DataPtr& begin = getFieldBegin(out_cc, env);
-	if ( begin.id() == begin_of_data )
-		field_offset_expr = nfmt("%d", begin.offset());
-	else
-		field_offset_expr = nfmt("(%s - %s)", 
-			begin.ptr_expr(), env->RValue(begin_of_data));
-	return field_offset_expr;
-	}
-
-// The reasoning behind AttemptBoundaryCheck is: "If my next field
-// can check its boundary, then I don't have to check mine, and it
-// will save me a boundary-check."
-bool RecordField::AttemptBoundaryCheck(Output* out_cc, Env* env)
-	{
-	if ( boundary_checked_ )
-		return true;
-
-	// If I do not even know my size till I parse the data, my
-	// next field won't be able to check its boundary now.  
-
-	const DataPtr& begin = getFieldBegin(out_cc, env);
-	if ( StaticSize(env, begin.AbsOffset(begin_of_data)) < 0 )
-		return false;
-
-	// Now we ask the next field to check its boundary. 
-	if ( next() && next()->AttemptBoundaryCheck(out_cc, env) ) 
-		{
-		// If it works, we are all set
-		SetBoundaryChecked();
-		return true;
-		}
-	else
-		// If it fails, then I can still try to do it by myself
-		return GenBoundaryCheck(out_cc, env);
-	}
-
-RecordDataField::RecordDataField(ID* id, Type* type)
-	: RecordField(RECORD_FIELD, id, type)
-	{
-	ASSERT(type_);
-	}
-
-RecordDataField::~RecordDataField()
-	{
-	}
-
-void RecordDataField::Prepare(Env* env)
-	{
-	Field::Prepare(env);
-	env->SetEvalMethod(id_, this);
-	env->SetField(id_, this);
-	}
-
-void RecordDataField::GenParseCode(Output* out_cc, Env* env)
-	{
-	if ( env->Evaluated(id()) )
-		return;
-
-	// Always evaluate record fields in order if parsing
-	// is incremental.
-	if ( record_type()->incremental_parsing() && prev() )
-		prev()->GenParseCode(out_cc, env);
-
-	DataPtr data(env, 0, 0);
-	if ( ! record_type()->incremental_parsing() )
-		{
-		data = getFieldBegin(out_cc, env);	
-		AttemptBoundaryCheck(out_cc, env);
-		}
-
-	out_cc->println("// Parse \"%s\"", id_->Name());
-#if 0
-	out_cc->println("DEBUG_MSG(\"%%.6f Parse %s\\n\", network_time());", 
-		id_->Name());
-#endif
-	type_->GenPreParsing(out_cc, env);
-	if ( type_->incremental_input() )
-		{
-		// The enclosing record type must be incrementally parsed
-		out_cc->println("%s = %d;", 
-			env->LValue(parsing_state_id),
-			parsing_state_seq());
-		out_cc->dec_indent();
-		out_cc->println("case %d:", parsing_state_seq());
-		out_cc->inc_indent();
-		out_cc->println("{");
-		}
-
-	type_->GenParseCode(out_cc, env, data, 0);
-
-	if ( record_type()->incremental_parsing() )
-		{
-		ASSERT(type_->incremental_input());
-
-		out_cc->println("if ( ! (%s) )", 
-			type_->parsing_complete(env).c_str());
-		out_cc->inc_indent();
-		out_cc->println("goto %s;", kNeedMoreData);
-		out_cc->dec_indent();
-		}
-
-	if ( record_type()->incremental_parsing() )
-		{
-#if 0
-		const ID *dataptr_var = 
-			record_type()->parsing_dataptr_var();
-		ASSERT(dataptr_var);
-		out_cc->println("%s += (%s);",
-			env->LValue(dataptr_var),
-			type_->DataSize(out_cc, env, data).c_str());
-#endif
-		out_cc->println("}");
-		}
-
-	SetBoundaryChecked();
-	}
-
-void RecordDataField::GenEval(Output* out_cc, Env* env)
-	{
-	GenParseCode(out_cc, env);
-	}
-
-void RecordDataField::GenFieldEnd(Output* out_cc, Env* env, 
-		const DataPtr& field_begin)
-	{
-	out_cc->println("const_byteptr const %s = %s + (%s);", 
-		env->LValue(end_of_field_dataptr_var),
-		field_begin.ptr_expr(),
-		type_->DataSize(out_cc, env, field_begin).c_str());
-	env->SetEvaluated(end_of_field_dataptr_var);
-
-	out_cc->println("BINPAC_ASSERT(%s <= %s);",
-		env->RValue(end_of_field_dataptr_var),
-		env->RValue(end_of_data));
-	}
-
-void RecordDataField::SetBoundaryChecked()
-	{
-	RecordField::SetBoundaryChecked();
-	type_->SetBoundaryChecked();
-	}
-
-bool RecordDataField::GenBoundaryCheck(Output* out_cc, Env* env)
-	{
-	if ( boundary_checked_ )
-		return true;
-
-	type_->GenBoundaryCheck(out_cc, env, getFieldBegin(out_cc, env));
-
-	SetBoundaryChecked();
-	return true;
-	}
-
-bool RecordDataField::DoTraverse(DataDepVisitor *visitor)
-	{ 
-	return Field::DoTraverse(visitor);
-	}
-
-bool RecordDataField::RequiresAnalyzerContext() const 
-	{ 
-	return Field::RequiresAnalyzerContext() ||
-	       type()->RequiresAnalyzerContext(); 
-	}
-
-RecordPaddingField::RecordPaddingField(ID* id, PaddingType ptype, Expr* expr)
-	: RecordField(PADDING_FIELD, id, 0), ptype_(ptype), expr_(expr)
-	{
-	wordsize_ = -1;
-	}
-
-RecordPaddingField::~RecordPaddingField()
-	{
-	}
-
-void RecordPaddingField::Prepare(Env* env)
-	{
-	Field::Prepare(env);
-	if ( ptype_ == PAD_TO_NEXT_WORD )
-		{
-		if ( ! expr_->ConstFold(env, &wordsize_) )
-			throw ExceptionPaddingError(this, 
-				fmt("padding word size not a constant"));
-		}
-	}
-
-void RecordPaddingField::GenParseCode(Output* out_cc, Env* env)
-	{
-	// Always evaluate record fields in order if parsing
-	// is incremental.
-	if ( record_type()->incremental_parsing() && prev() )
-		prev()->GenParseCode(out_cc, env);
-	}
-
-int RecordPaddingField::StaticSize(Env* env, int offset) const
-	{
-	int length;
-	int target_offset;
-	int offset_in_word;
-
-	switch ( ptype_ )
-		{
-		case PAD_BY_LENGTH:
-			return expr_->ConstFold(env, &length) ? length : -1;
-
-		case PAD_TO_OFFSET:
-			// If the current offset cannot be statically
-			// determined, we need to Generate code to
-			// check the offset
-			if ( offset == -1 )
-				return -1;
-
-			if ( ! expr_->ConstFold(env, &target_offset) )
-				return -1;
-
-			// If both the current and target offsets
-			// can be statically computed, we can get its
-			// static size
-			if ( offset > target_offset )
-				throw ExceptionPaddingError(
-					this,
-					fmt("current offset = %d, "
-					    "target offset = %d", 
-					    offset, target_offset));
-			return target_offset - offset;
-
-		case PAD_TO_NEXT_WORD:
-			if ( offset == -1 || wordsize_ == -1 )
-				return -1;
-
-			offset_in_word = offset % wordsize_;
-			return ( offset_in_word == 0 ) ? 
-				0 : wordsize_ - offset_in_word;
-		}
-
-	return -1;
-	}
-
-void RecordPaddingField::GenFieldEnd(Output* out_cc, Env* env, const DataPtr& field_begin)
-	{
-	ASSERT(! env->Evaluated(end_of_field_dataptr_var));
-
-	char* padding_var;
-	switch ( ptype_ )
-		{
-		case PAD_BY_LENGTH:
-			out_cc->println("const_byteptr const %s = %s + (%s);",
-				env->LValue(end_of_field_dataptr_var),
-				field_begin.ptr_expr(),
-				expr_->EvalExpr(out_cc, env));
-			break;
-
-		case PAD_TO_OFFSET:
-			out_cc->println("const_byteptr %s = %s + (%s);",
-				env->LValue(end_of_field_dataptr_var),
-				env->RValue(begin_of_data),
-				expr_->EvalExpr(out_cc, env));
-			out_cc->println("if ( %s < %s )",
-				env->LValue(end_of_field_dataptr_var),
-				field_begin.ptr_expr());
-			out_cc->inc_indent();
-			out_cc->println("{");
-			out_cc->println("// throw ExceptionInvalidOffset(\"%s\", %s - %s, %s);",
-				id_->LocName(), 
-				field_begin.ptr_expr(),
-				env->RValue(begin_of_data),
-				expr_->EvalExpr(out_cc, env));
-			out_cc->println("%s = %s;", 
-				env->LValue(end_of_field_dataptr_var),
-				field_begin.ptr_expr());
-			out_cc->println("}");
-			out_cc->dec_indent();
-			break;
-
-		case PAD_TO_NEXT_WORD:
-			padding_var = nfmt("%s__size", id()->Name());
-			out_cc->println("int %s = (%s - %s) %% %d;",
-				padding_var, 
-				field_begin.ptr_expr(),
-				env->RValue(begin_of_data),
-				wordsize_);
-			out_cc->println("%s = (%s == 0) ? 0 : %d - %s;",
-				padding_var,
-				padding_var,
-				wordsize_,
-				padding_var);
-			out_cc->println("const_byteptr const %s = %s + %s;",
-				env->LValue(end_of_field_dataptr_var), 
-				field_begin.ptr_expr(),
-				padding_var);
-			delete [] padding_var;
-			break;
-		}
-
-	env->SetEvaluated(end_of_field_dataptr_var);
-	}
-
-bool RecordPaddingField::GenBoundaryCheck(Output* out_cc, Env* env)
-	{
-	if ( boundary_checked_ )
-		return true;
-
-	const DataPtr& begin = getFieldBegin(out_cc, env);
-
-	char* size;
-	int ss = StaticSize(env, begin.AbsOffset(begin_of_data));
-	ASSERT ( ss >= 0 );
- 	size = nfmt("%d", ss);
-	
-	begin.GenBoundaryCheck(out_cc, env, size, field_id_str_.c_str());
-
-	delete [] size;
-
-	SetBoundaryChecked();
-	return true;
-	}
-
-bool RecordPaddingField::DoTraverse(DataDepVisitor *visitor)
-	{ 
-	return Field::DoTraverse(visitor) && 
-	       (! expr_ || expr_->Traverse(visitor));
-	}
-
diff --git a/aux/binpac/src/pac_record.h b/aux/binpac/src/pac_record.h
deleted file mode 100644
index 04daa3a9f4..0000000000
--- a/aux/binpac/src/pac_record.h
+++ /dev/null
@@ -1,169 +0,0 @@
-#ifndef pac_record_h
-#define pac_record_h
-
-#include "pac_common.h"
-#include "pac_field.h"
-#include "pac_id.h"
-#include "pac_let.h"
-#include "pac_type.h"
-
-class RecordType : public Type
-{
-public:
-	RecordType(RecordFieldList* fields);
-	~RecordType();
-
-	bool DefineValueVar() const;
-	string DataTypeStr() const;
-
-	void Prepare(Env* env, int flags);
-
-	void GenPubDecls(Output* out, Env* env);
-	void GenPrivDecls(Output* out, Env* env);
-
-	void GenInitCode(Output* out, Env* env);
-	void GenCleanUpCode(Output* out, Env* env);
-
-	int StaticSize(Env* env) const;
-
-	void SetBoundaryChecked();
-
-	const ID *parsing_dataptr_var() const;
-
-	bool IsPointerType() const	{ ASSERT(0); return false; }
-
-protected:
-	void DoGenParseCode(Output* out, Env* env, const DataPtr& data, int flags);
-	void GenDynamicSize(Output* out, Env* env, const DataPtr& data);
-
-	Type *DoClone() const 	{ return 0; }
-
-	void DoMarkIncrementalInput();
-
-	bool DoTraverse(DataDepVisitor *visitor);
-	bool ByteOrderSensitive() const;
-
-private:
-	Field *parsing_dataptr_var_field_;
-	RecordFieldList* record_fields_;
-};
-
-// A data field of a record type. A RecordField corresponds to a
-// segment of input data, and therefore RecordField's are ordered---each
-// of them has a known previous and next field.
-
-class RecordField : public Field
-{
-public:
-	RecordField(FieldType tof, ID* id, Type *type);
-	~RecordField();
-
-	RecordType *record_type() const		{ return record_type_; }
-	void set_record_type(RecordType* ty) 	{ record_type_ = ty; }
-
-	virtual void GenParseCode(Output* out, Env* env) = 0;
-
-	RecordField* prev() const		{ return prev_; }
-	RecordField* next() const		{ return next_; }
-	void set_prev(RecordField* f) 		{ prev_ = f; }
-	void set_next(RecordField* f) 		{ next_ = f; }
-
-	int static_offset() const 		{ return static_offset_; }
-	void set_static_offset(int offset)	{ static_offset_ = offset; }
-
-	int parsing_state_seq() const		{ return parsing_state_seq_; }
-	void set_parsing_state_seq(int x) 	{ parsing_state_seq_ = x; }
-
-	virtual int StaticSize(Env* env, int offset) const = 0;
-	const char* FieldSize(Output* out, Env* env);
-	const char* FieldOffset(Output* out, Env* env);
-
-	virtual bool BoundaryChecked() const	{ return boundary_checked_; }
-	virtual void SetBoundaryChecked()	{ boundary_checked_ = true; }
-
-	virtual bool RequiresByteOrder() const = 0;
-
-	friend class RecordType;
-
-protected:
-	RecordType* record_type_;
-	RecordField* prev_;
-	RecordField* next_;
-	bool boundary_checked_;
-	int static_offset_;
-	int parsing_state_seq_;
-
-	DataPtr* begin_of_field_dataptr;
-	DataPtr* end_of_field_dataptr;
-	char* field_size_expr;
-	char* field_offset_expr;
-	ID* end_of_field_dataptr_var;
-
-	const DataPtr& getFieldBegin(Output* out_cc, Env* env);
-	const DataPtr& getFieldEnd(Output* out_cc, Env* env);
-	virtual void GenFieldEnd(Output* out, Env* env, const DataPtr& begin) = 0; 
-
-	bool AttemptBoundaryCheck(Output* out_cc, Env* env);
-	virtual bool GenBoundaryCheck(Output* out_cc, Env* env) = 0;
-};
-
-class RecordDataField : public RecordField, public Evaluatable
-{
-public:
-	RecordDataField(ID* arg_id, Type* arg_type);
-	~RecordDataField();
-
-	// Instantiates abstract class Field
-	void Prepare(Env* env);
-	void GenParseCode(Output* out, Env* env);
-
-	// Instantiates abstract class Evaluatable
-	void GenEval(Output* out, Env* env);
-
-	int StaticSize(Env* env, int) const 	{ return type()->StaticSize(env); }
-
-	void SetBoundaryChecked();
-
-	bool RequiresByteOrder() const
-		{ return type()->RequiresByteOrder(); }
-	bool RequiresAnalyzerContext() const;
-
-protected:
-	void GenFieldEnd(Output* out, Env* env, const DataPtr& begin); 
-	bool GenBoundaryCheck(Output* out_cc, Env* env);
-	bool DoTraverse(DataDepVisitor *visitor);
-};
-
-enum PaddingType { PAD_BY_LENGTH, PAD_TO_OFFSET, PAD_TO_NEXT_WORD };
-
-class RecordPaddingField : public RecordField
-{
-public:
-	RecordPaddingField(ID* id, PaddingType ptype, Expr* expr);
-	~RecordPaddingField();
-
-	void Prepare(Env* env);
-
-	void GenPubDecls(Output* out, Env* env) 	{ /* nothing */ }
-	void GenPrivDecls(Output* out, Env* env) 	{ /* nothing */ }
-
-	void GenInitCode(Output* out, Env* env) 	{ /* nothing */ }
-	void GenCleanUpCode(Output* out, Env* env)	{ /* nothing */ }
-	void GenParseCode(Output* out, Env* env);
-
-	int StaticSize(Env* env, int offset) const;
-
-	bool RequiresByteOrder() const		{ return false; }
-
-protected:
-	void GenFieldEnd(Output* out, Env* env, const DataPtr& begin); 
-	bool GenBoundaryCheck(Output* out_cc, Env* env);
-	bool DoTraverse(DataDepVisitor *visitor);
-
-private:
-	PaddingType ptype_;
-	Expr* expr_;
-	int wordsize_;
-};
-
-#endif  // pac_record_h
diff --git a/aux/binpac/src/pac_redef.cc b/aux/binpac/src/pac_redef.cc
deleted file mode 100644
index 9f09b457bd..0000000000
--- a/aux/binpac/src/pac_redef.cc
+++ /dev/null
@@ -1,173 +0,0 @@
-#include "pac_analyzer.h"
-#include "pac_case.h"
-#include "pac_exception.h"
-#include "pac_expr.h"
-#include "pac_func.h"
-#include "pac_record.h"
-#include "pac_redef.h"
-#include "pac_type.h"
-#include "pac_typedecl.h"
-
-namespace {
-
-Decl *find_decl(const ID *id)
-	{
-	Decl *decl = Decl::LookUpDecl(id);
-	if ( ! decl )
-		{
-		throw Exception(id, 
-		                fmt("cannot find declaration for %s", 
-		                    id->Name()));
-		}
-
-	return decl;
-	}
-
-}
-
-Decl *ProcessTypeRedef(const ID *id, FieldList *fieldlist)
-	{
-	Decl *decl = find_decl(id);
-
-	if ( decl->decl_type() != Decl::TYPE )
-		{
-		throw Exception(id, 
-		                fmt("not a type declaration: %s", 
-		                    id->Name()));
-		}
-
-	TypeDecl *type_decl = static_cast<TypeDecl *>(decl);
-	ASSERT(type_decl);
-	Type *type = type_decl->type();
-
-	foreach(i, FieldList, fieldlist)
-		{
-		Field *f = *i;
-
-		// One cannot change data layout in 'redef'.
-		// Only 'let' or 'action' can be added
-		if ( f->tof() == LET_FIELD ||
-		     f->tof() == WITHINPUT_FIELD )
-			{
-			type->AddField(f);
-			}
-		else if ( f->tof() == RECORD_FIELD || 
-		          f->tof() == PADDING_FIELD )
-			{
-			throw Exception(f, 
-				"cannot change data layout in redef");
-			}
-		else if ( f->tof() == CASE_FIELD )
-			{
-			throw Exception(f, 
-				"use 'redef case' adding cases");
-			}
-		}
-
-	return decl;
-	}
-
-Decl *ProcessCaseTypeRedef(const ID *id, CaseFieldList *casefieldlist)
-	{
-	Decl *decl = find_decl(id);
-
-	if ( decl->decl_type() != Decl::TYPE )
-		{
-		throw Exception(id, 
-		                fmt("not a type declaration: %s", 
-		                    id->Name()));
-		}
-
-	TypeDecl *type_decl = static_cast<TypeDecl *>(decl);
-	ASSERT(type_decl);
-
-	Type *type = type_decl->type();
-	if ( type->tot() != Type::CASE )
-		{
-		throw Exception(id, 
-		                fmt("not a case type: %s", 
-		                    id->Name()));
-		}
-
-	CaseType *casetype = static_cast<CaseType*>(type);
-	ASSERT(casetype);
-
-	foreach(i, CaseFieldList, casefieldlist)
-		{
-		CaseField *f = *i;
-		casetype->AddCaseField(f);
-		}
-
-	return decl;
-	}
-
-Decl *ProcessCaseExprRedef(const ID *id, CaseExprList *caseexprlist)
-	{
-	Decl *decl = find_decl(id);
-
-	if ( decl->decl_type() != Decl::FUNC )
-		{
-		throw Exception(id, 
-		                fmt("not a function declaration: %s", 
-		                    id->Name()));
-		}
-
-	FuncDecl *func_decl = static_cast<FuncDecl *>(decl);
-	ASSERT(func_decl);
-
-	Expr *expr = func_decl->function()->expr();
-	if ( ! expr ||expr->expr_type() != Expr::EXPR_CASE )
-		{
-		throw Exception(id, 
-		                fmt("function not defined by a case expression: %s", 
-		                    id->Name()));
-		}
-
-	foreach(i, CaseExprList, caseexprlist)
-		{
-		CaseExpr *e = *i;
-		expr->AddCaseExpr(e);
-		}
-	
-	return decl;
-	}
-
-Decl *ProcessAnalyzerRedef(const ID *id, 
-		Decl::DeclType decl_type, 
-		AnalyzerElementList *elements)
-	{
-	Decl *decl = find_decl(id);
-
-	if ( decl->decl_type() != decl_type )
-		{
-		throw Exception(id, 
-		                fmt("not a connection/flow declaration: %s", 
-		                    id->Name()));
-		}
-
-	AnalyzerDecl *analyzer_decl = static_cast<AnalyzerDecl *>(decl);
-	ASSERT(analyzer_decl);
-
-	analyzer_decl->AddElements(elements);
-
-	return decl;
-	}
-
-Decl *ProcessTypeAttrRedef(const ID *id, AttrList *attrlist)
-	{
-	Decl *decl = find_decl(id);
-
-	if ( decl->decl_type() != Decl::TYPE )
-		{
-		throw Exception(id, 
-		                fmt("not a type declaration: %s", 
-		                    id->Name()));
-		}
-
-	TypeDecl *type_decl = static_cast<TypeDecl *>(decl);
-	ASSERT(type_decl);
-
-	type_decl->AddAttrs(attrlist);
-
-	return decl;
-	}
diff --git a/aux/binpac/src/pac_redef.h b/aux/binpac/src/pac_redef.h
deleted file mode 100644
index 9a9c3030c4..0000000000
--- a/aux/binpac/src/pac_redef.h
+++ /dev/null
@@ -1,13 +0,0 @@
-#ifndef pac_redef_h
-#define pac_redef_h
-
-#include "pac_decl.h"
-
-Decl *ProcessCaseTypeRedef(const ID *id, CaseFieldList *casefieldlist);
-Decl *ProcessCaseExprRedef(const ID *id, CaseExprList *caseexprlist);
-Decl *ProcessAnalyzerRedef(const ID *id, 
-			Decl::DeclType decl_type, 
-			AnalyzerElementList *elements);
-Decl *ProcessTypeAttrRedef(const ID *id, AttrList *attrlist);
-
-#endif  // pac_redef_h
diff --git a/aux/binpac/src/pac_regex.cc b/aux/binpac/src/pac_regex.cc
deleted file mode 100644
index 6265c02876..0000000000
--- a/aux/binpac/src/pac_regex.cc
+++ /dev/null
@@ -1,82 +0,0 @@
-#include "pac_exttype.h"
-#include "pac_id.h"
-#include "pac_output.h"
-#include "pac_regex.h"
-#include "pac_type.h"
-
-// Depends on the regular expression library we are using
-const char *RegEx::kREMatcherType = "RegExMatcher";
-const char *RegEx::kMatchPrefix = "MatchPrefix";
-
-string escape_char(const string &s)
-	{
-	char buf[s.length() * 2 + 1];
-	int j = 0;
-	for ( int i = 0; i < (int) s.length(); ++i )
-		{
-		if ( s[i] == '\\' )
-			{
-			if ( i + 1 < (int) s.length() ) 
-				{
-				buf[j++] = '\\';
-				if ( s[i+1] == '/' )
-					buf[j-1] = s[++i];
-				else if ( s[i+1] == '/' || s[i+1] == '\\' || s[i+1] == '"' )
-					buf[j++] = s[++i];
-				else
-					buf[j++] = '\\';
-				}
-			}
-		else if ( s[i] == '"' )
-			{
-			buf[j++] = '\\';
-			buf[j++] = '"';
-			}
-		else
-			{
-			buf[j++] = s[i];
-			}
-		}
-
-	buf[j++] = '\0';
-
-	return string(buf);
-	}
-
-RegEx::RegEx(const string &s)
-	{
-	str_ = escape_char(s);
-	string prefix = strfmt("%s_re_", current_decl_id->Name());
-	matcher_id_ = ID::NewAnonymousID(prefix);
-	decl_ = new RegExDecl(this);
-	}
-
-RegEx::~RegEx()
-	{
-	}
-
-RegExDecl::RegExDecl(RegEx *regex)
-	: Decl(regex->matcher_id(), REGEX)
-	{
-	regex_ = regex;
-	}
-
-void RegExDecl::Prepare()
-	{
-	global_env()->AddID(id(), GLOBAL_VAR, extern_type_re_matcher);
-	}
-
-void RegExDecl::GenForwardDeclaration(Output *out_h)
-	{
-	out_h->println("extern %s %s;\n", 
-		RegEx::kREMatcherType,
-		global_env()->LValue(regex_->matcher_id()));
-	}
-
-void RegExDecl::GenCode(Output *out_h, Output *out_cc)
-	{
-	out_cc->println("%s %s(\"%s\");\n", 
-		RegEx::kREMatcherType,
-		global_env()->LValue(regex_->matcher_id()),
-		regex_->str().c_str());
-	}
diff --git a/aux/binpac/src/pac_regex.h b/aux/binpac/src/pac_regex.h
deleted file mode 100644
index 47c601b729..0000000000
--- a/aux/binpac/src/pac_regex.h
+++ /dev/null
@@ -1,41 +0,0 @@
-#ifndef pac_regex_h
-#define pac_regex_h
-
-#include "pac_common.h"
-#include "pac_decl.h"
-
-class RegExDecl;
-
-class RegEx : public Object
-{
-public:
-	RegEx(const string &str);
-	~RegEx();
-
-	const string &str() const	{ return str_; }
-	ID *matcher_id() const		{ return matcher_id_; }
-
-private:
-	string str_;
-	ID *matcher_id_;
-	RegExDecl *decl_;
-
-public:
-	static const char *kREMatcherType;
-	static const char *kMatchPrefix;
-};
-
-class RegExDecl : public Decl
-{
-public:
-	RegExDecl(RegEx *regex);
-
-	void Prepare();
-	void GenForwardDeclaration(Output *out_h); 
-	void GenCode(Output *out_h, Output *out_cc);
-
-private:
-	RegEx *regex_;
-};
-
-#endif  // pac_regex_h
diff --git a/aux/binpac/src/pac_scan.ll b/aux/binpac/src/pac_scan.ll
deleted file mode 100644
index ec435ea4ea..0000000000
--- a/aux/binpac/src/pac_scan.ll
+++ /dev/null
@@ -1,356 +0,0 @@
-%{
-// $Id: pac_scan.ll 3361 2006-07-06 18:06:49Z rpang $
-
-#include "pac_action.h"
-#include "pac_array.h"
-#include "pac_attr.h"
-#include "pac_case.h"
-#include "pac_common.h"
-#include "pac_conn.h"
-#include "pac_dataptr.h"
-#include "pac_dataunit.h"
-#include "pac_dbg.h"
-#include "pac_decl.h"
-#include "pac_exception.h"
-#include "pac_expr.h"
-#include "pac_flow.h"
-#include "pac_id.h"
-#include "pac_number.h"
-#include "pac_output.h"
-#include "pac_param.h"
-#include "pac_parse.h"
-#include "pac_record.h"
-#include "pac_type.h"
-#include "pac_utils.h"
-
-int line_number = 1;
-
-int begin_pac_primitive(int tok);
-int end_pac_primitive();
-
-int string_token(int tok)
-	{
-	yylval.str = copy_string(yytext);
-	return tok;
-	}
-
-int char_token(int tok)
-	{
-	yylval.val = yytext[0];
-	return tok;
-	}
-
-void include_file(const char *filename);
-
-%}
-
-/* EC -- embedded code state */
-/* PP -- PAC primitive state */
-/* INCL -- @include line */
-
-%s EC INCL PP RE
-
-WS	[ \t]+
-ID	[A-Za-z_][A-Za-z_0-9]*
-D	[0-9]+
-HEX	[0-9a-fA-F]+
-FILE	[A-Za-z._0-9\-]+
-ESCSEQ	(\\([^\n]|[0-7]{3}|x[[:xdigit:]]{2}))
-
-%option nounput
-
-%%
-
-<INITIAL>"%include"		{
-				BEGIN(INCL);
-				}
-
-<INCL>{WS}			/* skip whitespace */
-
-<INCL>{FILE}			{
-				BEGIN(INITIAL);
-				include_file(yytext);
-				}
-
-<INITIAL>"%extern{"		{
-				BEGIN(EC);
-				return TOK_LPB_EXTERN;
-				}
-<INITIAL>"%header{"		{
-				BEGIN(EC);
-				return TOK_LPB_HEADER;
-				}
-<INITIAL>"%code{"		{
-				BEGIN(EC);
-				return TOK_LPB_CODE;
-				}
-<INITIAL>"%init{"		{
-				BEGIN(EC);
-				return TOK_LPB_INIT;
-				}
-<INITIAL>"%cleanup{"		{
-				BEGIN(EC);
-				return TOK_LPB_CLEANUP;
-				}
-<INITIAL>"%member{"		{
-				BEGIN(EC);
-				return TOK_LPB_MEMBER;
-				}
-<INITIAL>"%eof{"		{
-				BEGIN(EC);
-				return TOK_LPB_EOF;
-				}
-<INITIAL>"%{"			{
-				BEGIN(EC);
-				return TOK_LPB;
-				}
-<EC>"%}"			{
-				BEGIN(INITIAL);
-				return TOK_RPB;
-				}
-
-<EC>"${"			return begin_pac_primitive(TOK_PAC_VAL);
-<EC>"$set{"			return begin_pac_primitive(TOK_PAC_SET); 
-<EC>"$type{"			return begin_pac_primitive(TOK_PAC_TYPE);
-<EC>"$typeof{"			return begin_pac_primitive(TOK_PAC_TYPEOF);
-<EC>"$const_def{"		return begin_pac_primitive(TOK_PAC_CONST_DEF);
-
-<EC>"//".*			return string_token(TOK_EMBEDDED_STRING);
-<EC>.				return char_token(TOK_EMBEDDED_ATOM);
-<EC>\n				{ ++line_number; return char_token(TOK_EMBEDDED_ATOM); }
-
-<PP>"}"				return end_pac_primitive();
-
-<INITIAL,PP>\n			++line_number;
-<INITIAL>#.*			/* eat comments */
-<INITIAL,PP>{WS}		/* eat whitespace */
-
-<INITIAL>"RE/"			{
-				BEGIN(RE);
-				return TOK_BEGIN_RE;
-				}
-
-<RE>([^/\\\n]|{ESCSEQ})+	return string_token(TOK_REGEX);
-
-<RE>"/"				{
-				BEGIN(INITIAL);
-				return TOK_END_RE;
-				}
-
-<RE>[\\\n]			return yytext[0];
-
-<INITIAL>analyzer		return TOK_ANALYZER;
-<INITIAL>enum			return TOK_ENUM;
-<INITIAL>extern			return TOK_EXTERN;
-<INITIAL>flow			return TOK_FLOW;
-<INITIAL>function		return TOK_FUNCTION;
-<INITIAL>let			return TOK_LET;
-<INITIAL>refine			return TOK_REFINE;
-<INITIAL>type			return TOK_TYPE;
-
-<INITIAL>align			return TOK_ALIGN;
-<INITIAL>case			return TOK_CASE;
-<INITIAL>casefunc		return TOK_CASEFUNC;
-<INITIAL>casetype		return TOK_CASETYPE;
-<INITIAL>connection		return TOK_CONNECTION;
-<INITIAL>datagram		{
-				yylval.val = AnalyzerDataUnit::DATAGRAM;
-				return TOK_DATAUNIT;
-				}
-<INITIAL>default 		return TOK_DEFAULT;
-<INITIAL>downflow		{
-				yylval.val = AnalyzerFlow::DOWN;
-				return TOK_FLOWDIR;
-				}
-<INITIAL>flowunit		{
-				yylval.val = AnalyzerDataUnit::FLOWUNIT;
-				return TOK_DATAUNIT;
-				}
-<INITIAL>of			return TOK_OF;
-<INITIAL>offsetof 		return TOK_OFFSETOF;
-<INITIAL>padding		return TOK_PADDING;
-<INITIAL>record			return TOK_RECORD;
-<INITIAL>sizeof			return TOK_SIZEOF;
-<INITIAL>to			return TOK_TO;
-<INITIAL>typeattr		return TOK_TYPEATTR;
-<INITIAL>upflow			{
-				yylval.val = AnalyzerFlow::UP;
-				return TOK_FLOWDIR;
-				}
-<INITIAL>withcontext		return TOK_WITHCONTEXT;
-<INITIAL>withinput		return TOK_WITHINPUT;
-
-<INITIAL>&also			return TOK_ATTR_ALSO;
-<INITIAL>&byteorder		return TOK_ATTR_BYTEORDER;
-<INITIAL>&check			return TOK_ATTR_CHECK;
-<INITIAL>&chunked		return TOK_ATTR_CHUNKED;
-<INITIAL>&exportsourcedata	return TOK_ATTR_EXPORTSOURCEDATA;
-<INITIAL>&if			return TOK_ATTR_IF;
-<INITIAL>&length		return TOK_ATTR_LENGTH;
-<INITIAL>&let			return TOK_ATTR_LET;
-<INITIAL>&linebreaker		return TOK_ATTR_LINEBREAKER;
-<INITIAL>&oneline		return TOK_ATTR_ONELINE;
-<INITIAL>&refcount		return TOK_ATTR_REFCOUNT;
-<INITIAL>&requires		return TOK_ATTR_REQUIRES;
-<INITIAL>&restofdata		return TOK_ATTR_RESTOFDATA;
-<INITIAL>&restofflow		return TOK_ATTR_RESTOFFLOW;
-<INITIAL>&transient		return TOK_ATTR_TRANSIENT;
-<INITIAL>&until			return TOK_ATTR_UNTIL;
-
-<INITIAL,PP>"0x"{HEX}		{
-				int n;
-				sscanf(yytext + 2, "%x", &n);
-				yylval.num = new Number(yytext, n);
-				return TOK_NUMBER;
-				}
-
-<INITIAL,PP>{D}			{
-				int n;
-				sscanf(yytext, "%d", &n);
-				yylval.num = new Number(yytext, n);
-				return TOK_NUMBER;
-				}
-
-<INITIAL,PP>{ID}		{
-				yylval.id = new ID(yytext);
-				return TOK_ID;
-				}
-
-<INITIAL>"$"{ID}		{
-				yylval.id = new ID(yytext);
-				return TOK_ID;
-				}
-
-<INITIAL>\"([^\\\n\"]|{ESCSEQ})*\" return string_token(TOK_STRING);
-
-<INITIAL,PP>"=="		return TOK_EQUAL;
-<INITIAL,PP>"!="		return TOK_NEQ;
-<INITIAL,PP>">="		return TOK_GE;
-<INITIAL,PP>"<="		return TOK_LE;
-<INITIAL,PP>"<<"		return TOK_LSHIFT;
-<INITIAL,PP>">>"		return TOK_RSHIFT;
-<INITIAL,PP>"&&"		return TOK_AND;
-<INITIAL,PP>"||"		return TOK_OR;
-<INITIAL,PP>"+="		return TOK_PLUSEQ;
-<INITIAL>"->"			return TOK_RIGHTARROW;
-
-<INITIAL,PP>[\.!%*/+\-&|\^,:;<=>?()\[\]{}~]	return yytext[0];
-
-%%
-
-void begin_RE()
-	{
-	BEGIN(RE);
-	}
-
-void end_RE()
-	{
-	BEGIN(INITIAL);
-	}
-
-// The DECL state is deprecated
-void begin_decl()
-	{
-	// BEGIN(DECL);
-	}
-
-void end_decl()
-	{
-	// BEGIN(INITIAL);
-	}
-
-int begin_pac_primitive(int tok)
-	{
-	BEGIN(PP);
-	return tok;
-	}
-
-int end_pac_primitive()
-	{
-	BEGIN(EC);
-	return TOK_END_PAC;
-	}
-
-const int MAX_INCLUDE_DEPTH = 100;
-
-struct IncludeState {
-	YY_BUFFER_STATE yystate;
-	string input_filename;
-	int line_number;
-};
-
-IncludeState include_stack[MAX_INCLUDE_DEPTH];
-int include_stack_ptr = 0;
-
-void switch_to_file(FILE *fp)
-	{
-	yy_switch_to_buffer(yy_create_buffer(fp, YY_BUF_SIZE));
-	}
-
-void switch_to_file(const char *filename)
-	{
-	if ( include_stack_ptr >= MAX_INCLUDE_DEPTH )
-		{
-		fprintf( stderr, "Includes nested too deeply" );
-		exit( 1 );
-		}
-
-	IncludeState state = 
-		{ YY_CURRENT_BUFFER, input_filename, line_number };
-	include_stack[include_stack_ptr++] = state;
-
-	FILE *fp = fopen(filename, "r");
-
-	if ( ! fp )
-		{
-		fprintf(stderr, "%s:%d: error: cannot include file \"%s\"\n", 
-			input_filename.c_str(), line_number,filename);
-		--include_stack_ptr;
-		return;
-		}
-
-	yyin = fp;
-	input_filename = string(filename);
-	line_number = 1;
-	switch_to_file(yyin);
-	fprintf(stderr, "switching to file %s\n", input_filename.c_str());
-	}
-
-void include_file(const char *filename)
-	{
-	ASSERT(filename);
-
-	string full_filename;
-	if ( filename[0] == '/' || filename[0] == '.' )
-		full_filename = filename;
-	else
-		{
-		int i;
-		for ( i = 0; i < (int) FLAGS_include_directories.size(); ++i )
-			{
-			full_filename = FLAGS_include_directories[i] + filename;
-			DEBUG_MSG("Try include file: \"%s\"\n", 
-				full_filename.c_str());
-			if ( access(full_filename.c_str(), R_OK) == 0 )
-				break;
-			}
-		if ( i >= (int) FLAGS_include_directories.size() )
-			full_filename = filename;
-		}
-
-	switch_to_file(full_filename.c_str());
-	}
-
-int yywrap()
-	{
-	yy_delete_buffer(YY_CURRENT_BUFFER);
-	--include_stack_ptr;
-	if ( include_stack_ptr < 0 )
-		return 1;
-
-	IncludeState state = include_stack[include_stack_ptr];
-	yy_switch_to_buffer(state.yystate);
-	input_filename = state.input_filename;
-	line_number = state.line_number;
-	return 0;
-	}
diff --git a/aux/binpac/src/pac_state.cc b/aux/binpac/src/pac_state.cc
deleted file mode 100644
index 83ee974391..0000000000
--- a/aux/binpac/src/pac_state.cc
+++ /dev/null
@@ -1,36 +0,0 @@
-#include "pac_id.h"
-#include "pac_output.h"
-#include "pac_type.h"
-
-#include "pac_state.h"
-
-void StateVar::GenDecl(Output *out_h, Env *env)
-	{
-	out_h->println("%s %s;", 
-		type_->DataTypeStr().c_str(), 
-		env->LValue(id_));
-	}
-
-void StateVar::GenAccessFunction(Output *out_h, Env *env)
-	{
-	out_h->println("%s %s const	{ return %s; }", 
-		type_->DataTypeConstRefStr().c_str(), 
-		env->RValue(id_), 
-		env->LValue(id_));
-	}
-
-void StateVar::GenSetFunction(Output *out_h, Env *env)
-	{
-	out_h->println("void %s(%s x) 	{ %s = x; }", 
-		set_function(id_).c_str(),
-		type_->DataTypeConstRefStr().c_str(), 
-		env->LValue(id_));
-	}
-
-void StateVar::GenInitCode(Output *out_cc, Env *env)
-	{
-	}
-
-void StateVar::GenCleanUpCode(Output *out_cc, Env *env)
-	{
-	}
diff --git a/aux/binpac/src/pac_state.h b/aux/binpac/src/pac_state.h
deleted file mode 100644
index 82bb580f47..0000000000
--- a/aux/binpac/src/pac_state.h
+++ /dev/null
@@ -1,28 +0,0 @@
-#ifndef pac_state_h
-#define pac_state_h
-
-// Classes representing analyzer states.
-
-#include "pac_common.h"
-
-class StateVar
-{
-public:
-	StateVar(ID *id, Type *type)
-		: id_(id), type_(type) {}
-
-	const ID *id() const	{ return id_; }
-	Type *type() const	{ return type_; }
-
-	void GenDecl(Output *out_h, Env *env);
-	void GenAccessFunction(Output *out_h, Env *env);
-	void GenSetFunction(Output *out_h, Env *env);
-	void GenInitCode(Output *out_cc, Env *env);
-	void GenCleanUpCode(Output *out_cc, Env *env);
-
-private:
-	ID *id_;
-	Type *type_;
-};
-
-#endif  // pac_state_h
diff --git a/aux/binpac/src/pac_strtype.cc b/aux/binpac/src/pac_strtype.cc
deleted file mode 100644
index 48e1eb5ad0..0000000000
--- a/aux/binpac/src/pac_strtype.cc
+++ /dev/null
@@ -1,425 +0,0 @@
-#include "pac_attr.h"
-#include "pac_btype.h"
-#include "pac_cstr.h"
-#include "pac_dataptr.h"
-#include "pac_exception.h"
-#include "pac_expr.h"
-#include "pac_exttype.h"
-#include "pac_id.h"
-#include "pac_output.h"
-#include "pac_regex.h"
-#include "pac_strtype.h"
-#include "pac_varfield.h"
-
-const char *StringType::kStringTypeName = "bytestring";
-const char *StringType::kConstStringTypeName = "const_bytestring";
-
-StringType::StringType(StringTypeEnum anystr)
-	: Type(STRING), type_(ANYSTR), str_(0), regex_(0)
-	{
-	ASSERT(anystr == ANYSTR);
-	init();
-	}
-
-StringType::StringType(ConstString *str)
-	: Type(STRING), type_(CSTR), str_(str), regex_(0)
-	{
-	init();
-	}
-
-StringType::StringType(RegEx *regex)
-	: Type(STRING), type_(REGEX), str_(0), regex_(regex)
-	{
-	ASSERT(regex_);
-	init();
-	}
-
-void StringType::init()
-	{
-	string_length_var_field_ = 0;
-	elem_datatype_ = new BuiltInType(BuiltInType::UINT8);
-	}
-
-StringType::~StringType()
-	{
-	// TODO: Unref for Objects
-	// Question: why Unref?
-	// 
-	// Unref(str_);
-	// Unref(regex_);
-
-	delete string_length_var_field_;
-	delete elem_datatype_;
-	}
-
-Type *StringType::DoClone() const
-	{
-	StringType *clone;
-
-	switch ( type_ )
-		{
-		case ANYSTR:
-			clone = new StringType(ANYSTR);
-			break;
-		case CSTR:
-			clone = new StringType(str_);
-			break;
-		case REGEX:
-			clone = new StringType(regex_);
-			break;
-		default:
-			ASSERT(0);
-			return 0;
-		}
-
-	return clone;
-	}
-
-bool StringType::DefineValueVar() const
-	{
-	return true;
-	}
-
-string StringType::DataTypeStr() const
-	{
-	return strfmt("%s", 
-		persistent() ? kStringTypeName : kConstStringTypeName);
-	}
-
-Type *StringType::ElementDataType() const
-	{
-	return elem_datatype_;
-	}
-
-void StringType::ProcessAttr(Attr *a)
-	{
-	Type::ProcessAttr(a);
-
-	switch ( a->type() )
-		{
-		case ATTR_CHUNKED:
-			{
-			if ( type_ != ANYSTR )
-				{
-				throw Exception(a, 
-					"&chunked can be applied"
-					" to only type bytestring");
-				}
-			attr_chunked_ = true;
-			SetBoundaryChecked();
-			}
-			break;
-
-		case ATTR_RESTOFDATA:
-			{
-			if ( type_ != ANYSTR )
-				{
-				throw Exception(a, 
-					"&restofdata can be applied"
-					" to only type bytestring");
-				}
-			attr_restofdata_ = true;
-			// As the string automatically extends to the end of 
-			// data, we do not have to check boundary.
-			SetBoundaryChecked();
-			}
-			break;
-
-		case ATTR_RESTOFFLOW:
-			{
-			if ( type_ != ANYSTR )
-				{
-				throw Exception(a, 
-					"&restofflow can be applied"
-					" to only type bytestring");
-				}
-			attr_restofflow_ = true;
-			// As the string automatically extends to the end of 
-			// flow, we do not have to check boundary.
-			SetBoundaryChecked();
-			}
-			break;
-
-		default:
-			break;
-		}
-	}
-
-void StringType::Prepare(Env* env, int flags)
-	{
-	if ( (flags & TO_BE_PARSED) && StaticSize(env) < 0 )
-		{
-		ID *string_length_var = new ID(fmt("%s_string_length", 
-			value_var() ? value_var()->Name() : "val"));
-		string_length_var_field_ = new TempVarField(
-			string_length_var, extern_type_int->Clone());
-		string_length_var_field_->Prepare(env);
-		}
-	Type::Prepare(env, flags);
-	}
-
-void StringType::GenPubDecls(Output* out_h, Env* env)
-	{
-	Type::GenPubDecls(out_h, env);
-	}
-
-void StringType::GenPrivDecls(Output* out_h, Env* env)
-	{
-	Type::GenPrivDecls(out_h, env);
-	}
-
-void StringType::GenInitCode(Output* out_cc, Env* env)
-	{
-	Type::GenInitCode(out_cc, env);
-	}
-
-void StringType::GenCleanUpCode(Output* out_cc, Env* env)
-	{
-	Type::GenCleanUpCode(out_cc, env);
-	if ( persistent() )
-		out_cc->println("%s.free();", env->LValue(value_var()));
-	}
-
-void StringType::DoMarkIncrementalInput()
-	{
-	if ( attr_restofflow_ )
-		{
-		// Do nothing
-		ASSERT(type_ == ANYSTR);
-		}
-	else
-		{
-		Type::DoMarkIncrementalInput();
-		}
-	}
-
-int StringType::StaticSize(Env* env) const
-	{
-	switch ( type_ )
-		{
-		case CSTR:
-			// Use length of the unescaped string
-			return str_->unescaped().length();
-		case REGEX:
-			// TODO: static size for a regular expression?
-		case ANYSTR:
-			return -1;
-
-		default:
-			ASSERT(0);
-			return -1;
-		}
-	}
-
-const ID *StringType::string_length_var() const
-	{
-	return string_length_var_field_ ? string_length_var_field_->id() : 0;
-	}
-
-void StringType::GenDynamicSize(Output* out_cc, Env* env,
-		const DataPtr& data)
-	{
-	ASSERT(StaticSize(env) < 0);
-	DEBUG_MSG("Generating dynamic size for string `%s'\n", 
-		value_var()->Name());
-
-	if ( env->Evaluated(string_length_var()) )
-		return;
-
-	string_length_var_field_->GenTempDecls(out_cc, env);
-
-	switch ( type_ )
-		{
-		case ANYSTR:
-			GenDynamicSizeAnyStr(out_cc, env, data);
-			break;
-		case CSTR:
-			ASSERT(0);
-			break;
-		case REGEX:
-			// TODO: static size for a regular expression?
-			GenDynamicSizeRegEx(out_cc, env, data);
-			break;
-		}
-
-	if ( ! incremental_input() && AddSizeVar(out_cc, env) )
-		{
-		out_cc->println("%s = %s;", 
-			env->LValue(size_var()),
-			env->RValue(string_length_var()));
-		env->SetEvaluated(size_var());
-		}
-	}
-
-string StringType::GenStringSize(Output* out_cc, Env* env, 
-		const DataPtr& data)
-	{
-	int static_size = StaticSize(env);
-	if ( static_size >= 0 )
-		return strfmt("%d", static_size);
-	GenDynamicSize(out_cc, env, data);
-	return env->RValue(string_length_var());
-	}
-
-void StringType::DoGenParseCode(Output* out_cc, Env* env, 
-		const DataPtr& data, int flags)
-	{
-	string str_size = GenStringSize(out_cc, env, data);
-
-	// Generate additional checking
-	switch ( type_ )
-		{
-		case CSTR:
-			GenCheckingCStr(out_cc, env, data, str_size);
-			break;
-		case REGEX:
-		case ANYSTR:
-			break;
-		}
-
-	if ( ! anonymous_value_var() )
-		{
-		// Set the value variable
-		out_cc->println("// check for negative sizes");
-		out_cc->println("if ( %s < 0 )",
-			str_size.c_str());
-		out_cc->println("throw ExceptionInvalidStringLength(\"%s\", %s);",
-			Location(), str_size.c_str());
-		out_cc->println("%s.init(%s, %s);",
-			env->LValue(value_var()),
-			data.ptr_expr(),
-			str_size.c_str());
-		}
-
-	if ( parsing_complete_var() )
-		{
-		out_cc->println("%s = true;", 
-			env->LValue(parsing_complete_var()));
-		}
-	}
-
-void StringType::GenStringMismatch(Output* out_cc, Env* env, 
-		const DataPtr& data, const char *pattern)
-	{
-	out_cc->println("throw ExceptionStringMismatch(\"%s\", %s, %s);",
-		Location(), 
-		pattern,
-		fmt("string((const char *) (%s), (const char *) %s).c_str()", 
-			data.ptr_expr(),
-			env->RValue(end_of_data)));
-	}
-
-void StringType::GenCheckingCStr(Output* out_cc, Env* env, 
-		const DataPtr& data, const string &str_size)
-	{
-	// TODO: extend it for dynamic strings
-	ASSERT(type_ == CSTR);
-
-	GenBoundaryCheck(out_cc, env, data);
-
-	string str_val = str_->str();
-
-	// Compare the string and report error on mismatch
-	out_cc->println("if ( memcmp(%s, %s, %s) != 0 )",
-		data.ptr_expr(), 
-		str_val.c_str(),
-		str_size.c_str());
-	out_cc->inc_indent();
-	out_cc->println("{");
-	GenStringMismatch(out_cc, env, data, str_val.c_str());
-	out_cc->println("}");
-	out_cc->dec_indent();
-	}
-
-void StringType::GenDynamicSizeRegEx(Output* out_cc, Env* env, 
-		const DataPtr& data)
-	{
-	// string_length_var = 
-	// 	matcher.match_prefix(
-	// 		begin,
-	//		end);
-
-	out_cc->println("%s = ",
-		env->LValue(string_length_var()));
-	out_cc->inc_indent();
-
-	out_cc->println("%s.%s(", 
-		env->RValue(regex_->matcher_id()),
-		RegEx::kMatchPrefix);
-
-	out_cc->inc_indent();
-	out_cc->println("%s,",
-		data.ptr_expr());
-	out_cc->println("%s - %s);", 
-		env->RValue(end_of_data),
-		data.ptr_expr());
-
-	out_cc->dec_indent();
-	out_cc->dec_indent();
-
-	env->SetEvaluated(string_length_var());
-
-	out_cc->println("if ( %s < 0 )", 
-		env->RValue(string_length_var()));
-	out_cc->inc_indent();
-	out_cc->println("{");
-	GenStringMismatch(out_cc, env, data, 
-		fmt("\"%s\"", regex_->str().c_str()));
-	out_cc->println("}");
-	out_cc->dec_indent();
-	}
-
-void StringType::GenDynamicSizeAnyStr(Output* out_cc, Env* env, 
-		const DataPtr& data)
-	{
-	ASSERT(type_ == ANYSTR);
-
-	if ( attr_restofdata_ || attr_oneline_ )
-		{
-		out_cc->println("%s = (%s) - (%s);", 
-			env->LValue(string_length_var()),
-			env->RValue(end_of_data),
-			data.ptr_expr());
-		}
-	else if ( attr_restofflow_ )
-		{
-		out_cc->println("%s = (%s) - (%s);", 
-			env->LValue(string_length_var()),
-			env->RValue(end_of_data),
-			data.ptr_expr());
-		}
-	else if ( attr_length_expr_ )
-		{
-		out_cc->println("%s = %s;", 
-			env->LValue(string_length_var()),
-			attr_length_expr_->EvalExpr(out_cc, env));
-		}
-	else
-		{
-		throw Exception(this,
-			"cannot determine length of bytestring");
-		}
-
-	env->SetEvaluated(string_length_var());
-	}
-
-bool StringType::DoTraverse(DataDepVisitor *visitor)
-	{ 
-	if ( ! Type::DoTraverse(visitor) )
-		return false;
-
-	switch ( type_ )
-		{
-		case ANYSTR:
-		case CSTR:
-		case REGEX:
-			break;
-		}
-
-	return true;
-	}
-
-void StringType::static_init()
-	{
-	Type::AddPredefinedType("bytestring", new StringType(ANYSTR));
-	}
diff --git a/aux/binpac/src/pac_strtype.h b/aux/binpac/src/pac_strtype.h
deleted file mode 100644
index 55b35e54ab..0000000000
--- a/aux/binpac/src/pac_strtype.h
+++ /dev/null
@@ -1,82 +0,0 @@
-#ifndef pac_strtype_h
-#define pac_strtype_h
-
-#include "pac_type.h"
-
-// TODO: question: shall we merge it with ArrayType?
-class StringType : public Type
-{
-public:
-	enum StringTypeEnum { CSTR, REGEX, ANYSTR };
-
-	explicit StringType(StringTypeEnum anystr);
-	explicit StringType(ConstString *str);
-	explicit StringType(RegEx *regex);
-	~StringType();
-
-	bool DefineValueVar() const;
-	string DataTypeStr() const;
-	string DefaultValue() const	{ return "0"; }
-	Type *ElementDataType() const;
-
-	void Prepare(Env* env, int flags);
-
-	void GenPubDecls(Output* out, Env* env);
-	void GenPrivDecls(Output* out, Env* env);
-
-	void GenInitCode(Output* out, Env* env);
-	void GenCleanUpCode(Output* out, Env* env);
-
-	void DoMarkIncrementalInput();
-
-	int StaticSize(Env* env) const;
-
-	bool IsPointerType() const	{ return false; }
-
-	void ProcessAttr(Attr *a);
-
-protected:
-	void init();
-
-	// Generate computation of size of the string and returns the string 
-	// representing a constant integer or name of the length variable.
-	string GenStringSize(Output* out_cc, Env* env, const DataPtr& data);
-
-	// Generate a string mismatch exception
-	void GenStringMismatch(Output* out_cc, Env* env, 
-		const DataPtr& data, const char *pattern);
-
-	void DoGenParseCode(Output* out, Env* env, const DataPtr& data, int flags);
-
-	void GenCheckingCStr(Output* out, Env* env, 
-		const DataPtr& data, const string &str_size);
-
-	void GenDynamicSize(Output* out, Env* env, const DataPtr& data);
-	void GenDynamicSizeAnyStr(Output* out_cc, Env* env, const DataPtr& data);
-	void GenDynamicSizeRegEx(Output* out_cc, Env* env, const DataPtr& data);
-
-	Type *DoClone() const;
-
-	// TODO: insensitive towards byte order till we support unicode
-	bool ByteOrderSensitive() const 	{ return false; }
-
-protected:
-	bool DoTraverse(DataDepVisitor *visitor);
-
-private:
-	const ID *string_length_var() const;
-
-	StringTypeEnum type_;
-	ConstString *str_;
-	RegEx *regex_;
-	Field *string_length_var_field_;
-	Type *elem_datatype_;
-
-public:
-	static void static_init();
-private:
-	static const char *kStringTypeName;
-	static const char *kConstStringTypeName;
-};
-
-#endif  // pac_strtype_h
diff --git a/aux/binpac/src/pac_type.cc b/aux/binpac/src/pac_type.cc
deleted file mode 100644
index a30295aa0e..0000000000
--- a/aux/binpac/src/pac_type.cc
+++ /dev/null
@@ -1,1137 +0,0 @@
-#include "pac_action.h"
-#include "pac_array.h"
-#include "pac_attr.h"
-#include "pac_btype.h"
-#include "pac_context.h"
-#include "pac_dataptr.h"
-#include "pac_decl.h"
-#include "pac_exception.h"
-#include "pac_expr.h"
-#include "pac_exttype.h"
-#include "pac_field.h"
-#include "pac_id.h"
-#include "pac_let.h"
-#include "pac_output.h"
-#include "pac_paramtype.h"
-#include "pac_strtype.h"
-#include "pac_type.h"
-#include "pac_utils.h"
-#include "pac_varfield.h"
-#include "pac_withinput.h"
-
-
-Type::type_map_t Type::type_map_;
-
-Type::Type(TypeType tot) 
-	: DataDepElement(DataDepElement::TYPE), tot_(tot)
-	{ 
-	type_decl_ = 0;
-	type_decl_id_ = current_decl_id;
-	declared_as_type_ = false;
-	env_ = 0;
-	value_var_ = default_value_var; 
-	ASSERT(value_var_);
-	value_var_type_ = MEMBER_VAR;
-	anonymous_value_var_ = false;
-	size_var_field_ = 0;
-	size_expr_ = 0;
-	boundary_checked_ = false;
-	parsing_complete_var_field_ = 0;
-	parsing_state_var_field_ = 0;
-	buffering_state_var_field_ = 0;
-	has_value_field_ = 0;
-
-	array_until_input_ = 0;
-
-	incremental_input_ = false;
-	buffer_input_ = false;
-	incremental_parsing_ = false;
-
-	fields_ = new FieldList();
-
-	attrs_ = new AttrList();
-	attr_byteorder_expr_ = 0;
-	attr_checks_ = new ExprList();
-	attr_chunked_ = false;
-	attr_exportsourcedata_ = false;
-	attr_if_expr_ = 0;
-	attr_length_expr_ = 0;
-	attr_letfields_ = 0;
-	attr_multiline_end_ = 0;
-	attr_oneline_ = false;
-	attr_refcount_ = false;
-	attr_requires_ = 0;
-	attr_restofdata_ = false;
-	attr_restofflow_ = false;
-	attr_transient_ = false;
-	}
-
-Type::~Type()
-	{
-	delete size_var_field_;
-	delete parsing_complete_var_field_;
-	delete parsing_state_var_field_;
-	delete buffering_state_var_field_;
-	delete has_value_field_;
-	delete [] size_expr_;
-	delete_list(FieldList, fields_);
-	delete attrs_;
-	delete attr_byteorder_expr_;
-	delete attr_if_expr_;
-	delete attr_length_expr_;
-	delete_list(ExprList, attr_checks_);
-	delete attr_requires_;
-	}
-
-Type *Type::Clone() const
-	{
-	Type *clone = DoClone();
-	if ( clone )
-		{
-		foreach(i, FieldList, fields_)
-			{
-			Field *f = *i;
-			clone->AddField(f);
-			}
-
-		foreach(i, AttrList, attrs_)
-			{
-			Attr *a = *i;
-			clone->ProcessAttr(a);
-			}
-		}
-	return clone;
-	}
-
-string Type::EvalMember(const ID *member_id) const
-	{
-	ASSERT(0);
-	return "@@@";
-	}
-
-string Type::EvalElement(const string &array, const string &index) const
-	{
-	return strfmt("%s[%s]", array.c_str(), index.c_str());
-	}
-
-const ID *Type::decl_id() const
-	{ 
-	return type_decl_id_;
-	}
-
-void Type::set_type_decl(const TypeDecl *decl, bool declared_as_type)	
-	{ 
-	type_decl_ = decl; 
-	type_decl_id_ = decl->id();
-	declared_as_type_ = declared_as_type;
-	}
-
-void Type::set_value_var(const ID* arg_id, int arg_id_type)
- 	{ 
-	value_var_ = arg_id; 
-	value_var_type_ = arg_id_type; 
-
-	if ( value_var_ )
-		anonymous_value_var_ = value_var_->is_anonymous();
-	}
-
-const ID *Type::size_var() const
-	{
-	return size_var_field_ ? size_var_field_->id() : 0;
-	}
-
-void Type::AddField(Field *f)
-	{
-	ASSERT(f);
-	fields_->push_back(f);
-	}
-
-void Type::ProcessAttr(Attr* a)
-	{
-	switch ( a->type() )
-		{
-		case ATTR_BYTEORDER:
-			attr_byteorder_expr_ = a->expr();
-			break;
-
-		case ATTR_CHECK:
-			attr_checks_->push_back(a->expr());
-			break;
-
-		case ATTR_EXPORTSOURCEDATA:
-			attr_exportsourcedata_ = true;
-			break;
-
-		case ATTR_LENGTH:
-			attr_length_expr_ = a->expr();
-			break;
-
-		case ATTR_IF:
-			attr_if_expr_ = a->expr();
-			break;
-
-		case ATTR_LET:
-			{
-			LetAttr *letattr = static_cast<LetAttr *>(a);
-			if ( ! attr_letfields_ )
-				attr_letfields_ = letattr->letfields();
-			else
-				{
-				// Append to attr_letfields_
-				attr_letfields_->insert(
-					attr_letfields_->end(),
-					letattr->letfields()->begin(),
-					letattr->letfields()->end());
-				}
-			}
-			break;
-
-		case ATTR_LINEBREAKER:
-			ASSERT(0);
-			break;
-
-		case ATTR_MULTILINE:
-			attr_multiline_end_ = a->expr();
-			break;
-
-		case ATTR_ONELINE:
-			attr_oneline_ = true;
-			break;
-
-		case ATTR_REFCOUNT:
-			attr_refcount_ = true;
-			break;
-
-		case ATTR_REQUIRES:
-			attr_requires_ = a->expr();
-			break;
-
-		case ATTR_TRANSIENT:
-			attr_transient_ = true;
-			break;
-		
-		case ATTR_CHUNKED:
-		case ATTR_UNTIL:
-		case ATTR_RESTOFDATA:
-		case ATTR_RESTOFFLOW:
-			// Ignore 
-			// ... these are processed by {
-			// {ArrayType, StringType}::ProcessAttr
-			break;
-		}
-
-	attrs_->push_back(a);
-	}
-
-string Type::EvalByteOrder(Output *out_cc, Env *env) const
-	{
-	// If &byteorder is specified for a field, rather
-	// than a type declaration, we do not add a byteorder variable
-	// to the class, but instead evaluate it directly.
-	if ( attr_byteorder_expr() && ! declared_as_type() )
-		return attr_byteorder_expr()->EvalExpr(out_cc, global_env());
-	env->Evaluate(out_cc, byteorder_id);
-	return env->RValue(byteorder_id);
-	}
-
-void Type::Prepare(Env* env, int flags)
-	{
-	env_ = env;
-	ASSERT(env_);
-
-	// The name of the value variable
-	if ( value_var() )	
-		{
-		data_id_str_ = strfmt("%s:%s", 
-			decl_id()->Name(), value_var()->Name());
-		}
-	else
-		{
-		data_id_str_ = strfmt("%s", decl_id()->Name());
-		}
-
-	if ( value_var() )
-		{
-		env_->AddID(value_var(), 
-			static_cast<IDType>(value_var_type_), 
-			this);
-		lvalue_ = strfmt("%s", env_->LValue(value_var()));
-		}
-
-	foreach(i, FieldList, attr_letfields_)
-		{
-		AddField(*i);
-		}
-
-	if ( attr_exportsourcedata_ )
-		{
-		ASSERT(flags & TO_BE_PARSED);
-		AddField(new PubVarField(sourcedata_id->clone(),
-			extern_type_const_bytestring->Clone()));
-		}
-
-	// An optional field
-	if ( attr_if_expr() )
-		{
-		ASSERT(value_var());
-		ID *has_value_id = new ID(fmt("has_%s", value_var()->Name()));
-		has_value_field_ = new LetField(has_value_id, 
-			extern_type_bool->Clone(),
-			attr_if_expr());
-		AddField(has_value_field_);
-		}
-
-	if ( incremental_input() )
-		{
-		ASSERT(flags & TO_BE_PARSED);
-		ID *parsing_complete_var = 
-			new ID(fmt("%s_parsing_complete", 
-				value_var() ? value_var()->Name() : "val"));
-		DEBUG_MSG("Adding parsing complete var: %s\n",
-			parsing_complete_var->Name());
-		parsing_complete_var_field_ = new TempVarField(
-			parsing_complete_var, extern_type_bool->Clone());
-		parsing_complete_var_field_->Prepare(env);
-
-		if ( NeedsBufferingStateVar() && 
-		       ! env->GetDataType(buffering_state_id) )
-			{
-			buffering_state_var_field_ = new PrivVarField(
-				buffering_state_id->clone(), 
-				extern_type_int->Clone());
-			AddField(buffering_state_var_field_);
-			}
-
-		if ( incremental_parsing() && tot_ == RECORD )
-			{
-			ASSERT(! parsing_state_var_field_);
-			parsing_state_var_field_ = new PrivVarField(
-				parsing_state_id->clone(), 
-				extern_type_int->Clone());
-			AddField(parsing_state_var_field_);
-			}
-		}
-
-	foreach (i, FieldList, fields_)
-		{
-		Field *f = *i;
-		f->Prepare(env);
-		}
-	}
-
-void Type::GenPubDecls(Output* out_h, Env* env)
-	{
-	if ( DefineValueVar() )
-		{
-		if ( attr_if_expr_ )
-		        out_h->println("%s %s const { BINPAC_ASSERT(%s); return %s; }",
-			        DataTypeConstRefStr().c_str(), 
-			        env->RValue(value_var()),
-			        env->RValue(has_value_var()), lvalue());
-		else
-		        out_h->println("%s %s const { return %s; }",
-			        DataTypeConstRefStr().c_str(), 
-			        env->RValue(value_var()), lvalue());
-		}
-
-	foreach (i, FieldList, fields_)
-		{
-		Field *f = *i;
-		f->GenPubDecls(out_h, env);
-		}
-	}
-
-void Type::GenPrivDecls(Output* out_h, Env* env)
-	{
-	if ( DefineValueVar() )
-		{
-		out_h->println("%s %s;", 
-			DataTypeStr().c_str(), 
-			env->LValue(value_var()));
-		}
-
-	foreach (i, FieldList, fields_)
-		{
-		Field *f = *i;
-		f->GenPrivDecls(out_h, env);
-		}
-	}
-
-void Type::GenInitCode(Output* out_cc, Env* env)
-	{
-	foreach (i, FieldList, fields_)
-		{
-		Field *f = *i;
-		f->GenInitCode(out_cc, env);
-		}
-
-	if ( parsing_state_var_field_ )
-		{
-		out_cc->println("%s = 0;", 
-			env->LValue(parsing_state_var_field_->id()));
-		}
-
-	if ( buffering_state_var_field_ )
-		{
-		out_cc->println("%s = 0;", 
-			env->LValue(buffering_state_var_field_->id()));
-		}
-	}
-
-void Type::GenCleanUpCode(Output* out_cc, Env* env)
-	{
-	foreach (i, FieldList, fields_)
-		{
-		Field *f = *i;
-		if ( f->tof() != CASE_FIELD )
-			f->GenCleanUpCode(out_cc, env);
-		}
-	}
-
-void Type::GenBufferConfiguration(Output *out_cc, Env *env)
-	{
-	ASSERT(buffer_input());
-
-	string frame_buffer_arg;
-	
-	switch ( buffer_mode() )
-		{
-		case BUFFER_NOTHING:
-			break;
-
-		case BUFFER_BY_LENGTH:
-			if ( ! NeedsBufferingStateVar() )
- 				break;
-		
-			if ( buffering_state_var_field_ )
-				{
-				out_cc->println("if ( %s == 0 )",
-					env->RValue(buffering_state_id));
-				out_cc->inc_indent();
-				out_cc->println("{");
-				}
-
-			if ( attr_length_expr_ )
-				{
-				// frame_buffer_arg = attr_length_expr_->EvalExpr(out_cc, env);
-				frame_buffer_arg = strfmt("%d", InitialBufferLength());
-				}
-			else if ( attr_restofflow_ )
-				{
-				ASSERT(attr_chunked());
-				frame_buffer_arg = "-1";
-				}
-			else
-				{
-				ASSERT(0);
-				}
-
-			out_cc->println("%s->NewFrame(%s, %s);",
-				env->LValue(flow_buffer_id),
-				frame_buffer_arg.c_str(),
-				attr_chunked() ? "true" : "false");
-
-			if ( buffering_state_var_field_ )
-				{
-				out_cc->println("%s = 1;",
-					env->LValue(buffering_state_id));
-				out_cc->println("}");
-				out_cc->dec_indent();
-				}
-			break;
-
-		case BUFFER_BY_LINE:
-			out_cc->println("if ( %s == 0 )",
-				env->RValue(buffering_state_id));
-			out_cc->inc_indent();
-			out_cc->println("{");
-
-			out_cc->println("%s->NewLine();",
-				env->LValue(flow_buffer_id));
-
-			out_cc->println("%s = 1;",
-				env->LValue(buffering_state_id));
-			out_cc->println("}");
-			out_cc->dec_indent();
-			break;
-
-		default:
-			ASSERT(0);
-			break;
-		}
-	}
-
-void Type::GenPreParsing(Output *out_cc, Env *env)
-	{
-	if ( incremental_input() && IsPointerType() )
-		{
-		out_cc->println("if ( ! %s )", env->LValue(value_var()));
-		out_cc->inc_indent();
-		out_cc->println("{");
-		GenNewInstance(out_cc, env);
-		out_cc->println("}");
-		out_cc->dec_indent();
-		}
-	else
-		GenNewInstance(out_cc, env);
-
-	if ( buffer_input() )
-		{
-		GenBufferConfiguration(out_cc, env);
-		}
-	}
-
-// Wrappers around DoGenParseCode, which does the real job
-void Type::GenParseCode(Output* out_cc, Env* env, const DataPtr& data, int flags)
-	{
-	if ( value_var() && env->Evaluated(value_var()) )
-		return;
-
-	DEBUG_MSG("GenParseCode for %s\n", data_id_str_.c_str());
-
-	if ( attr_if_expr() )
-		{
-		ASSERT(has_value_var());
-		ASSERT(env->Evaluated(has_value_var()));
-		}
-
-	if ( value_var() && anonymous_value_var() )
-		{
-		GenPrivDecls(out_cc, env);
-		GenInitCode(out_cc, env);
-		}
-
-	if ( incremental_input() )
-		{
-		parsing_complete_var_field_->GenTempDecls(out_cc, env);
-
-		out_cc->println("%s = false;", 
-			env->LValue(parsing_complete_var()));
-		env->SetEvaluated(parsing_complete_var());
-
-		if ( buffer_mode() == BUFFER_NOTHING )
-			{
-			out_cc->println("%s = true;", 
-				env->LValue(parsing_complete_var()));
-			}
-		else if ( buffer_input() )
-			{
-			if ( declared_as_type() )
-				GenParseBuffer(out_cc, env, flags);
-			else
-				GenBufferingLoop(out_cc, env, flags);
-			}
-		else
-			GenParseCode2(out_cc, env, data, flags);
-		}
-	else
-		{
-		if ( attr_length_expr_)
-			{
-			EvalLengthExpr(out_cc, env);
-
-			GenBoundaryCheck(out_cc, env, data);
-
-			out_cc->println("{");
-			out_cc->println("// Setting %s with &length", 
-				env->RValue(end_of_data)); 
-			out_cc->println("%s %s = %s + %s;",
-				extern_type_const_byteptr->DataTypeStr().c_str(),
-				env->LValue(end_of_data),
-				data.ptr_expr(),
-				EvalLengthExpr(out_cc, env).c_str());
-
-			GenParseCode2(out_cc, env, data, flags);
-
-			out_cc->println("}");
-			}
-		else
-			{
-			GenParseCode2(out_cc, env, data, flags);
-			}
-		}
-	}
-
-void Type::GenBufferingLoop(Output* out_cc, Env* env, int flags)
-	{
-	out_cc->println("while ( ! %s && %s->ready() )", 
-		env->LValue(parsing_complete_var()),
-		env->LValue(flow_buffer_id));
-
-	out_cc->inc_indent();
-	out_cc->println("{");
-
-	Env buffer_env(env, this);
-	GenParseBuffer(out_cc, &buffer_env, flags);
-
-	out_cc->println("}");
-	out_cc->dec_indent();
-	}
-
-void Type::GenParseBuffer(Output* out_cc, Env* env, int flags)
-	{
-	ASSERT(incremental_input());
-
-	const ID *data_begin;
-
-	if ( ! incremental_parsing() )
-		{
-		env->AddID(begin_of_data, TEMP_VAR, extern_type_const_byteptr);
-		env->AddID(end_of_data, TEMP_VAR, extern_type_const_byteptr);
-
-		out_cc->println("%s %s = %s->begin();",
-			env->DataTypeStr(begin_of_data).c_str(),
-			env->LValue(begin_of_data),
-			env->RValue(flow_buffer_id));
-
-		out_cc->println("%s %s = %s->end();",
-			env->DataTypeStr(end_of_data).c_str(),
-			env->LValue(end_of_data),
-			env->RValue(flow_buffer_id));
-
-		env->SetEvaluated(begin_of_data);
-		env->SetEvaluated(end_of_data);
-
-		data_begin = begin_of_data;
-		}
-	else
-		data_begin = 0;
-
-	if ( array_until_input_ )
-		{
-		if ( incremental_parsing() )
-			{
-			throw Exception(this, 
-				"cannot handle &until($input...) "
-				"for incrementally parsed type");
-			}
-		array_until_input_->GenUntilInputCheck(out_cc, env);
-		}
-
-	DataPtr data(env, data_begin, 0);
-
-	if ( attr_length_expr() )
-		{
-		ASSERT(buffer_mode() == BUFFER_BY_LENGTH);
-		out_cc->println("switch ( %s )", 
-			env->LValue(buffering_state_id));
-		out_cc->inc_indent();
-		out_cc->println("{");
-		out_cc->println("case 0:");
-		out_cc->inc_indent();
-		GenBufferConfiguration(out_cc, env);
-		out_cc->println("%s = 1;", env->LValue(buffering_state_id));
-		out_cc->println("break;");
-		out_cc->dec_indent();
-
-		out_cc->println("case 1:");
-		out_cc->inc_indent();
-
-		out_cc->println("{");
-
-		out_cc->println("%s = 2;", env->LValue(buffering_state_id));
-
-		Env frame_length_env(env, this);
-		out_cc->println("%s->GrowFrame(%s);", 
-			env->LValue(flow_buffer_id),
-			attr_length_expr_->EvalExpr(out_cc, &frame_length_env));
-		out_cc->println("}");
-		out_cc->println("break;");
-
-		out_cc->dec_indent();
-		out_cc->println("case 2:");
-		out_cc->inc_indent();
-
-		out_cc->println("BINPAC_ASSERT(%s->ready());", 
-			env->RValue(flow_buffer_id));
-		out_cc->println("if ( %s->ready() )", 
-			env->RValue(flow_buffer_id));
-		out_cc->inc_indent();
-		out_cc->println("{");
-
-		Env parse_env(env, this);
-		GenParseCode2(out_cc, &parse_env, data, 0);
-		
-		out_cc->println("BINPAC_ASSERT(%s);", 
-			parsing_complete(env).c_str());
-		out_cc->println("%s = 0;", 
-			env->LValue(buffering_state_id));
-		out_cc->println("}");
-		out_cc->dec_indent();
-
-		out_cc->println("break;");
-
-		out_cc->dec_indent();
-		out_cc->println("default:");
-		out_cc->inc_indent();
-
-		out_cc->println("BINPAC_ASSERT(%s <= 2);",
-			env->LValue(buffering_state_id));
-		out_cc->println("break;");
-		
-		out_cc->dec_indent();
-		out_cc->println("}");
-		out_cc->dec_indent();
-		}
-	else if ( attr_restofflow_ )
-		{
-		out_cc->println("BINPAC_ASSERT(%s->eof());", 
-			env->RValue(flow_buffer_id));
-		GenParseCode2(out_cc, env, data, 0);
-		}
-	else if ( buffer_mode() == BUFFER_BY_LINE )
-		{
-		GenParseCode2(out_cc, env, data, 0);
-		out_cc->println("%s = 0;", env->LValue(buffering_state_id));
-		}
-	else
-		GenParseCode2(out_cc, env, data, 0);
-	}
-
-void Type::GenParseCode2(Output* out_cc, Env* env, 
-		const DataPtr& data, int flags)
-	{
-	DEBUG_MSG("GenParseCode2 for %s\n", data_id_str_.c_str());
-
-	if ( attr_exportsourcedata_ )
-		{
-		if ( incremental_parsing() )
-			{
-			throw Exception(this, 
-				"cannot export raw data for incrementally parsed types");
-			}
-
-		out_cc->println("%s = const_bytestring(%s, %s);",
-			env->LValue(sourcedata_id),
-			data.ptr_expr(),
-			env->RValue(end_of_data));
-		env->SetEvaluated(sourcedata_id);
-	
-		GenParseCode3(out_cc, env, data, flags);
-
-		string datasize_str = DataSize(out_cc, env, data);
-		out_cc->println("%s.set_end(%s + %s);",
-			env->LValue(sourcedata_id),
-			data.ptr_expr(),
-			datasize_str.c_str());
-		}
-	else
-		{
-		GenParseCode3(out_cc, env, data, flags);
-		}
-	}
-
-void Type::GenParseCode3(Output* out_cc, Env* env, const DataPtr& data, int flags)
-	{
-	if ( attr_requires_ )
-		attr_requires_->EvalExpr(out_cc, env);
-
-	foreach(i, FieldList, fields_)
-		{
-		Field *f = *i;
-		f->GenTempDecls(out_cc, env);
-		}
-
-	DoGenParseCode(out_cc, env, data, flags);
-
-	if ( incremental_input() )
-		{
-		out_cc->println("if ( %s )", parsing_complete(env).c_str());
-		out_cc->inc_indent();
-		out_cc->println("{");
-		}
-
-	out_cc->println("// Evaluate 'let' and 'withinput' fields");
-	foreach(i, FieldList, fields_)
-		{
-		Field *f = *i;
-		if ( f->tof() == LET_FIELD )
-			{
-			LetField *lf = static_cast<LetField *>(f);
-			lf->GenParseCode(out_cc, env);
-			}
-		else if ( f->tof() == WITHINPUT_FIELD )
-			{
-			WithInputField *af = static_cast<WithInputField *>(f);
-			af->GenParseCode(out_cc, env);
-			}
-		}
-
-	if ( value_var() && anonymous_value_var() )
-		{
-		GenCleanUpCode(out_cc, env);
-		}
-
-	if ( incremental_input() )
-		{
-		out_cc->println("}");
-		out_cc->dec_indent();
-		}
-
-	if ( value_var() )
-		env->SetEvaluated(value_var());
-
-	if ( size_var() )
-		ASSERT(env->Evaluated(size_var()));
-	}
-
-Type *Type::MemberDataType(const ID *member_id) const
-	{
-	DEBUG_MSG("MemberDataType: %s::%s\n", type_decl_id_->Name(), member_id->Name());
-	ASSERT(env_);
-	env_->set_allow_undefined_id(true);
-	Type *t = env_->GetDataType(member_id);
-	env_->set_allow_undefined_id(false);
-	return t;
-	}
-
-Type *Type::ElementDataType() const
-	{
-	return 0;
-	}
-
-// Returns false if it is not necessary to add size_var
-// (it is already added or the type has a fixed size).
-bool Type::AddSizeVar(Output* out_cc, Env* env)
-	{
-	if ( size_var() )
-		{
-		DEBUG_MSG("size var `%s' already added\n", size_var()->Name());
-		ASSERT(env->Evaluated(size_var()));
-		return false;
-		}
-
-	if ( StaticSize(env) >= 0 )
-		return false;
-
-	ASSERT(! incremental_input());
-
-	ID *size_var_id = new ID(fmt("%s__size", 
-		value_var() ? value_var()->Name() : decl_id()->Name()));
-
-	DEBUG_MSG("adding size var `%s' to env %p\n", size_var_id->Name(), env);
-
-	size_var_field_ = new TempVarField(
-		size_var_id, extern_type_int->Clone());
-	size_var_field_->Prepare(env);
-	size_var_field_->GenTempDecls(out_cc, env);
-
-	return true;
-	}
-
-string Type::EvalLengthExpr(Output* out_cc, Env* env)
-	{
-	ASSERT(!incremental_input());
-	ASSERT(attr_length_expr_);
-	int static_length;
-	if ( attr_length_expr_->ConstFold(env, &static_length) )
-		return strfmt("%d", static_length);
-	// How do we make sure size_var is evaluated with attr_length_expr_?
-	if ( AddSizeVar(out_cc, env) )
-		{
-		out_cc->println("%s = %s;",
-			env->LValue(size_var()),
-			attr_length_expr_->EvalExpr(out_cc, env));
-		env->SetEvaluated(size_var());
-		}
-	return env->RValue(size_var());
-	}
-
-string Type::DataSize(Output* out_cc, Env* env, const DataPtr& data)
-	{
-	if ( attr_length_expr_ )
-		return EvalLengthExpr(out_cc, env);
-
-	int ss = StaticSize(env);
-	if ( ss >= 0 )
-		{
-		return strfmt("%d", ss);
-		}
-	else
-		{
-		if ( ! size_var() || ! env->Evaluated(size_var()) )
-			{
-			ASSERT(out_cc != 0);
-			GenDynamicSize(out_cc, env, data);
-			ASSERT(size_var());
-			}
-		return env->RValue(size_var());
-		}
-	}
-
-void Type::GenBoundaryCheck(Output* out_cc, Env* env,
-		const DataPtr& data)
-	{
-	if ( boundary_checked() )
-		return;
-
-	data.GenBoundaryCheck(out_cc, env, 
-		DataSize(out_cc, env, data).c_str(),
-		data_id_str_.c_str());
-
-	SetBoundaryChecked();
-	}
-
-bool Type::NeedsCleanUp() const
-	{
-	switch ( tot_ )
-		{
-		case EMPTY:
-		case BUILTIN:
-			return false;
-		case ARRAY:
-		case PARAMETERIZED:
-		case STRING:
-			return true;
-		default:
-			ASSERT(0);
-			return true;
-		}
-	return true;
-	}
-
-bool Type::RequiresByteOrder() const
-	{ 
-	return ! attr_byteorder_expr() && ByteOrderSensitive(); 
-	}
-
-bool Type::NeedsBufferingStateVar() const
-	{
-	if ( !incremental_input() )
-		return false;
-	switch ( buffer_mode() )
-		{
-		case BUFFER_NOTHING:
-		case NOT_BUFFERABLE:
-			return false;
-		case BUFFER_BY_LINE:
-			return true;
-		case BUFFER_BY_LENGTH:
-			return ( attr_length_expr_ || attr_restofflow_ );
-		default:
-			ASSERT(0);
-			return false;
-		}
-	}
-
-bool Type::DoTraverse(DataDepVisitor *visitor)
-	{
-	foreach (i, FieldList, fields_)
-		{
-		if ( ! (*i)->Traverse(visitor) )
-			return false;
-		}
-
-	foreach(i, AttrList, attrs_)
-		{
-		if ( ! (*i)->Traverse(visitor) )
-			return false;
-		}
-
-	return true;
-	}
-
-bool Type::RequiresAnalyzerContext()
-	{
-	ASSERT(0);
-
-	if ( buffer_input() )
-		return true;
-	
-	foreach (i, FieldList, fields_)
-		{
-		Field *f = *i;
-		if ( f->RequiresAnalyzerContext() )
-			return true;
-		}
-
-	foreach(i, AttrList, attrs_)
-		if ( (*i)->RequiresAnalyzerContext() )
-			return true;
-
-	return false;
-	}
-
-bool Type::IsEmptyType() const
-	{
-	return ( StaticSize(global_env()) == 0 );
-	}
-
-void Type::MarkIncrementalInput()
-	{
-	DEBUG_MSG("Handle incremental input for %s.%s\n", 
-		decl_id()->Name(),
-		value_var() ? value_var()->Name() : "*");
-
-	incremental_input_ = true;
-	if ( Bufferable() )
-		buffer_input_ = true;
-	else
-		{
-		incremental_parsing_ = true;
-		DoMarkIncrementalInput();
-		}
-	}
-
-void Type::DoMarkIncrementalInput()
-	{
-	throw Exception(this, "cannot handle incremental input");
-	}
-
-bool Type::BufferableByLength() const
-	{
-	// If the input is an "frame buffer" with specified length
-	return attr_length_expr_ || attr_restofflow_;
-	}
-
-bool Type::BufferableByLine() const
-	{
-	// If the input is an ASCII line;
-	return attr_oneline_;
-	}
-
-bool Type::Bufferable() const
-	{
-	// If the input is an ASCII line or an "frame buffer"
-	return IsEmptyType() || BufferableByLength() || BufferableByLine();
-	}
-
-Type::BufferMode Type::buffer_mode() const
-	{
-	if ( IsEmptyType() )
-		return BUFFER_NOTHING;
-	else if ( BufferableByLength() )
-		return BUFFER_BY_LENGTH;
-	else if ( BufferableByLine() )
-		return BUFFER_BY_LINE;
-	return NOT_BUFFERABLE;
-	}
-
-const ID *Type::parsing_complete_var() const
-	{
-	if ( parsing_complete_var_field_ )
-		return parsing_complete_var_field_->id();
-	else
-		return 0;
-	}
-
-string Type::parsing_complete(Env *env) const
-	{
-	ASSERT(parsing_complete_var());
-	return env->RValue(parsing_complete_var());
-	}
-
-const ID *Type::has_value_var() const
-	{
-	if ( has_value_field_ )
-		return has_value_field_->id();
-	else
-		return 0;
-	}
-
-int Type::InitialBufferLength() const
-	{
-	if ( ! attr_length_expr_ )
-		return 0;
-	return attr_length_expr_->MinimalHeaderSize(env());
-	}
-
-bool Type::CompatibleTypes(Type *type1, Type *type2)
-	{
-	// If we cannot deduce one of the data types, assume that
-	// they are compatible.
-	if ( ! type1 || ! type2 )
-		return true;
-
-	// We do not have enough information about extern types
-	if ( type1->tot() == EXTERN || type2->tot() == EXTERN )
-		return true;
-
-	if ( type1->tot() != type2->tot() )
-		{
-		if ( type1->IsNumericType() && type2->IsNumericType() )
-			return true;
-		else
-			return false;
-		}
-
-	switch( type1->tot() )
-		{
-		case UNDEF:
-		case EMPTY:
-			return true;
-		case BUILTIN:
-			{
-			BuiltInType *t1 = 
-				static_cast<BuiltInType *>(type1);
-			BuiltInType *t2 = 
-				static_cast<BuiltInType *>(type2);
-			return BuiltInType::CompatibleBuiltInTypes(t1, t2);
-			}
-
-		case PARAMETERIZED:
-		case RECORD:
-		case CASE:
-		case EXTERN:
-			return type1->DataTypeStr() == type2->DataTypeStr();
-			break;
-			
-		case ARRAY:
-			{
-			ArrayType *t1 = 
-				static_cast<ArrayType *>(type1);
-			ArrayType *t2 = 
-				static_cast<ArrayType *>(type2);
-			return CompatibleTypes(t1->ElementDataType(),
-			                       t2->ElementDataType());
-			}
-
-		default:
-			ASSERT(0);
-			return false;
-		}
-	}
-
-Type *Type::LookUpByID(ID *id)
-	{
-	// 1. Is it a pre-defined type?
-	string name = id->Name();
-	if ( type_map_.find(name) != type_map_.end() )
-		{
-		return type_map_[name]->Clone();
-		}
-
-	// 2. Is it a simple declared type?
-	Type *type = TypeDecl::LookUpType(id);
-	if ( type )
-		{
-		// Note: as a Type is always associated with a variable, 
-		// return a clone.
-		switch ( type->tot() )
-			{
-			case Type::BUILTIN:
-			case Type::EXTERN:
-	       		case Type::STRING:
-				return type->Clone();
-
-	       		case Type::ARRAY:
-			default:
-				break;
-			}
-		}
-
-	return new ParameterizedType(id, 0);
-	}
-
-void Type::AddPredefinedType(const string &type_name, Type *type)
-	{
-	ASSERT(type_map_.find(type_name) == type_map_.end());
-	type_map_[type_name] = type;
-	}
-
-void Type::init()
-	{
-	BuiltInType::static_init();
-	ExternType::static_init();
-	StringType::static_init();
-	}
diff --git a/aux/binpac/src/pac_type.def b/aux/binpac/src/pac_type.def
deleted file mode 100644
index 62939ec671..0000000000
--- a/aux/binpac/src/pac_type.def
+++ /dev/null
@@ -1,8 +0,0 @@
-// TYPEDEF(type_id,	pac_type,	c_type,		size)
-TYPE_DEF(INT8, 		"int8",		"int8",		1)
-TYPE_DEF(INT16,		"int16",	"int16",	2)
-TYPE_DEF(INT32,	 	"int32",	"int32",	4)
-TYPE_DEF(UINT8,		"uint8",	"uint8",	1)
-TYPE_DEF(UINT16,	"uint16",	"uint16",	2)
-TYPE_DEF(UINT32, 	"uint32",	"uint32",	4)
-TYPE_DEF(EMPTY,		"empty",	"", 		0)
diff --git a/aux/binpac/src/pac_type.h b/aux/binpac/src/pac_type.h
deleted file mode 100644
index 08252cf637..0000000000
--- a/aux/binpac/src/pac_type.h
+++ /dev/null
@@ -1,309 +0,0 @@
-#ifndef pac_type_h
-#define pac_type_h
-
-#include <map>
-using namespace std;
-
-#include "pac_common.h"
-#include "pac_datadep.h"
-#include "pac_dbg.h"
-
-class Type : public Object, public DataDepElement
-{
-public:
-	enum TypeType {
-		UNDEF = -1,
-		EMPTY,
-		BUILTIN,
-		PARAMETERIZED,
-		RECORD,
-		CASE,
-		ARRAY,
-		STRING,
-		EXTERN,
-		DUMMY,
-	};
-
-	explicit Type(TypeType tot);
-	virtual ~Type();
-
-	Type *Clone() const;
-
-	// Type of type
-	TypeType tot() const			{ return tot_; }
-
-	////////////////////////////////////////
-	// Code generation
-	virtual void Prepare(Env *env, int flags);
-
-	// Flag(s) for Prepare()
-	static const int TO_BE_PARSED = 1;
-
-	virtual void GenPubDecls(Output *out, Env *env);
-	virtual void GenPrivDecls(Output *out, Env *env);
-
-	virtual void GenInitCode(Output *out, Env *env);
-	virtual void GenCleanUpCode(Output *out, Env *env);
-
-	void GenPreParsing(Output *out, Env *env);
-	void GenParseCode(Output *out, Env *env, const DataPtr& data, int flags);
-
-	////////////////////////////////////////
-	// TODO: organize the various methods below
-
-	// The LValue string of the variable defined by the type. 
-	// For example, if the type defines a record field, the 
-	// lvalue is the member variable corresponding to the field; 
-	// if the type appears in a type decl, then the lvalue is the
-	// default value var.
-	//
-	const char *lvalue() const		{ return lvalue_.c_str(); }
-
-	// The TypeDecl that defined the type.
-	//
-	const TypeDecl *type_decl() const	{ return type_decl_; }
-	void set_type_decl(const TypeDecl *decl, bool declared_as_type);
-
-	// Returns whether the type appears in a type declaration
-	// (true) or as type specification of a field (false).
-	//
-	bool declared_as_type() const		{ return declared_as_type_; }
-
-	// The ID of the decl in which the type appear. 
-	//
-	const ID *decl_id() const;
-
-	Env *env() const			{ return env_; }
-
-	string EvalByteOrder(Output *out_cc, Env *env) const;
-
-	virtual string EvalMember(const ID *member_id) const;
-	virtual string EvalElement(const string &array, 
-	                           const string &index) const;
-
-	// The variable defined by the type
-	const ID *value_var() const		{ return value_var_; }
-	void set_value_var(const ID *arg_id, int arg_id_type);
-
-	bool anonymous_value_var() const	{ return anonymous_value_var_; }
-
-	const ID *size_var() const;
-
-	// Adds a variable to env to represent the size of this type.
-	// Returns false if we do not need a size variable (because 
-	// the type has a static size) or the size variable is already added.
-	bool AddSizeVar(Output *out, Env *env);
-
-	const ID *parsing_state_var() const;
-
-	const ID *has_value_var() const;
-
-	void AddField(Field *f);
-
-	void AddCheck(Expr *expr)		{ /* TODO */ }
-
-	virtual bool DefineValueVar() const = 0;
-
-	// Returns C++ datatype string
-	virtual string DataTypeStr() const = 0;
-
-	// Returns const reference of the C++ data type (unless the type
-	// is numeric or pointer)
-	string DataTypeConstRefStr() const
-		{
-		string data_type = DataTypeStr();
-		if ( ! IsPointerType() && ! IsNumericType() )
-			data_type += " const &";
-		return data_type;
-		}
-
-	// Returns a default value for the type
-	virtual string DefaultValue() const	
-		{ 
-		ASSERT(0); return "@@@";
-		}
-
-	// Returns the data type of the member field/case
-	virtual Type *MemberDataType(const ID *member_id) const;
-
-	// Returns the data type of the element type of an array
-	virtual Type *ElementDataType() const;
-
-	// Whether the type needs clean-up at deallocation.
-	bool NeedsCleanUp() const;
-
-	// Whether byte order must be determined before parsing the type.
-	bool RequiresByteOrder() const;
-
-	// Whether class of the type requires a parameter of analyzer context. 
-	virtual bool RequiresAnalyzerContext();
-
-	virtual bool IsPointerType() const = 0;
-	virtual bool IsNumericType() const	{ return false; }
-	bool IsEmptyType() const;
-
-	////////////////////////////////////////
-	// Attributes
-	virtual void ProcessAttr(Attr *a);
-
-	bool  attr_chunked() const		{ return attr_chunked_; }
-	Expr *attr_byteorder_expr() const	{ return attr_byteorder_expr_; }
-	Expr *attr_if_expr() const		{ return attr_if_expr_; }
-	// TODO: generate the length expression automatically.
-	Expr *attr_length_expr() const		{ return attr_length_expr_; }
-	bool  attr_refcount() const		{ return attr_refcount_; }
-	bool  attr_transient() const		{ return attr_transient_; }
-
-	// Whether the value remains valid outside the parse function
-	bool persistent() const
-		{
-		return ! attr_transient() && ! attr_chunked();
-		}
-
-	void SetUntilCheck(ArrayType *t)	{ array_until_input_ = t; }
-
-	////////////////////////////////////////
-	// Size and boundary checking
-	virtual int StaticSize(Env *env) const = 0;
-	string DataSize(Output *out, Env *env, const DataPtr& data);
-
-	bool boundary_checked() const		{ return boundary_checked_; }
-	virtual void SetBoundaryChecked() 	{ boundary_checked_ = true; }
-	void GenBoundaryCheck(Output *out, Env *env, const DataPtr& data);
-
-	////////////////////////////////////////
-	// Handling incremental input
-	// 
-	// There are two ways to handle incremental input: (1) to
-	// buffer the input before parsing; (2) to parse incrementally.
-	// 
-	// The type must be "bufferable" for (1). While for (2),
-	// each member of the type must be able to handle incremental
-	// input.
-
-	void MarkIncrementalInput();
-	virtual void DoMarkIncrementalInput();
-
-	// Whether the type may receive incremental input
-	bool incremental_input() const		{ return incremental_input_; }
-
-	// Whether parsing should also be incremental
-	bool incremental_parsing() const	{ return incremental_parsing_; }
-
-	// Whether we should buffer the input
-	bool buffer_input() const		{ return buffer_input_; }
-
-	// Whether parsing of the type is completed
-	const ID *parsing_complete_var() const;
-	string parsing_complete(Env *env) const;
-
-	// Whether the input is bufferable
-	bool Bufferable() const;
-	bool BufferableByLength() const;
-	bool BufferableByLine() const;
-
-	enum BufferMode {
-		NOT_BUFFERABLE,
-		BUFFER_NOTHING,		// for type "empty"
-		BUFFER_BY_LENGTH,
-		BUFFER_BY_LINE,
-	};
-	virtual BufferMode buffer_mode() const;
-
-	void GenBufferConfiguration(Output *out, Env *env);
-
-	int InitialBufferLength() const;
-
-protected:
-	virtual void GenNewInstance(Output *out, Env *env) {}
-
-	virtual bool ByteOrderSensitive() const = 0;
-
-	bool NeedsBufferingStateVar() const;
-
-	void GenBufferingLoop(Output* out_cc, Env* env, int flags);
-	void GenParseBuffer(Output* out_cc, Env* env, int flags);
-	void GenParseCode2(Output* out_cc, Env* env, const DataPtr& data, int flags);
-	void GenParseCode3(Output* out_cc, Env* env, const DataPtr& data, int flags);
-
-	virtual void DoGenParseCode(Output *out, Env *env,
-		const DataPtr& data, 
-		int flags) = 0;
-
-	string EvalLengthExpr(Output* out_cc, Env* env);
-
-	// Generate code for computing the dynamic size of the type
-	virtual void GenDynamicSize(Output *out, Env *env,
-		const DataPtr& data) = 0;
-
-	bool DoTraverse(DataDepVisitor *visitor);
-
-	virtual Type *DoClone() const = 0;
-
-protected:
-	TypeType tot_;
-	const TypeDecl *type_decl_;
-	bool declared_as_type_;
-	const ID *type_decl_id_;
-	Env *env_;
-
-	const ID *value_var_;
-	bool anonymous_value_var_;	// whether the ID is anonymous
-
-	string data_id_str_;
-	int value_var_type_;
-	Field *size_var_field_;
-	char *size_expr_;
-	bool boundary_checked_;
-	string lvalue_;
-	FieldList *fields_;
-
-	bool incremental_input_;
-	bool incremental_parsing_;
-	bool buffer_input_;
-
-	// A boolean variable on whether parsing of the type is completed
-	Field *parsing_complete_var_field_;
-
-	// An integer variable holding the parsing state
-	Field *parsing_state_var_field_;
-
-	Field *buffering_state_var_field_;
-
-	// The array type with &until($input...) condition, if
-	// "this" is the element type
-	ArrayType *array_until_input_;
-
-	// A "has_*" member var for fields with &if
-	LetField *has_value_field_;
-
-	// Attributes
-	AttrList *attrs_;
-
-	Expr *attr_byteorder_expr_;
-	ExprList *attr_checks_;
-	bool attr_chunked_;
-	bool attr_exportsourcedata_;
-	Expr *attr_if_expr_;
-	Expr *attr_length_expr_;
-	FieldList *attr_letfields_;
-	Expr *attr_multiline_end_;
-	bool attr_oneline_;
-	bool attr_refcount_;
-	Expr *attr_requires_;
-	bool attr_restofdata_;
-	bool attr_restofflow_;
-	bool attr_transient_;
-
-public:
-	static void init();
-	static bool CompatibleTypes(Type *type1, Type *type2);
-	static void AddPredefinedType(const string &type_name, Type *type);
-	static Type *LookUpByID(ID *id);
-
-protected:
-	typedef map<string, Type *> type_map_t;
-	static type_map_t type_map_;
-};
-
-#endif  // pac_type_h
diff --git a/aux/binpac/src/pac_typedecl.cc b/aux/binpac/src/pac_typedecl.cc
deleted file mode 100644
index c989869d20..0000000000
--- a/aux/binpac/src/pac_typedecl.cc
+++ /dev/null
@@ -1,409 +0,0 @@
-#include "pac_attr.h"
-#include "pac_context.h"
-#include "pac_dataptr.h"
-#include "pac_embedded.h"
-#include "pac_enum.h"
-#include "pac_exception.h"
-#include "pac_expr.h"
-#include "pac_exttype.h"
-#include "pac_id.h"
-#include "pac_output.h"
-#include "pac_param.h"
-#include "pac_paramtype.h"
-#include "pac_record.h"
-#include "pac_type.h"
-#include "pac_typedecl.h"
-#include "pac_utils.h"
-
-TypeDecl::TypeDecl(ID* id, ParamList* params, Type* type)
-	: Decl(id, TYPE), params_(params), type_(type)
-	{
-	env_ = 0;
-	type_->set_type_decl(this, true);
-	}
-
-TypeDecl::~TypeDecl()
-	{
-	delete env_;
-	delete type_;
-
-	delete_list(ParamList, params_);
-	}
-
-void TypeDecl::ProcessAttr(Attr* a)
-	{
-	type_->ProcessAttr(a);
-	}
-
-void TypeDecl::AddParam(Param *param)
-	{
-	// Cannot work after Prepare()
-	ASSERT(! env_);
-	params_->push_back(param);
-	}
-
-void TypeDecl::Prepare()
-	{
-	DEBUG_MSG("Preparing type %s\n", id()->Name());
-
-	if ( type_->tot() != Type::EXTERN && type_->tot() != Type::DUMMY )
-		SetAnalyzerContext();
-
-	// As a type ID can be used in the same way function is, add the
-	// id as a FUNC_ID and set it as evaluated.
-	global_env()->AddID(id(), FUNC_ID, type_);
-	global_env()->SetEvaluated(id());
-
-	env_ = new Env(global_env(), this);
-
-	foreach (i, ParamList, params_)
-		{
-		Param* p = *i;
-		// p->Prepare(env_);
-		type_->AddField(p->param_field());
-		}
-
-	if ( type_->attr_byteorder_expr() )
-		{
-		DEBUG_MSG("Adding byteorder field to %s\n",
-			id()->Name());
-		type_->AddField(new LetField(byteorder_id->clone(), 
-		                         extern_type_int, 
-		                         type_->attr_byteorder_expr()));
-		}
-
-	type_->Prepare(env_, Type::TO_BE_PARSED);
-	}
-
-string TypeDecl::class_name() const
-	{ 
-	return id_->Name(); 
-	}
-
-void TypeDecl::GenForwardDeclaration(Output* out_h)
-	{
-	// Do not generate declaration for external types
-	if ( type_->tot() == Type::EXTERN )
-		return;
-	out_h->println("class %s;", class_name().c_str());
-	}
-
-void TypeDecl::GenCode(Output* out_h, Output* out_cc)
-	{
-	// Do not generate code for external types
-	if ( type_->tot() == Type::EXTERN || type_->tot() == Type::STRING )
-		return;
-
-	fprintf(stderr, "Generating code for %s\n", class_name().c_str());
-
-	if ( RequiresAnalyzerContext::compute(type_) )
-		{
-		DEBUG_MSG("%s requires analyzer context\n", 
-			id()->Name());
-		Type *param_type = analyzer_context()->param_type();
-		env_->AddID(analyzer_context_id, TEMP_VAR, param_type);
-		env_->SetEvaluated(analyzer_context_id);
-		env_->AddMacro(context_macro_id, 
-			new Expr(analyzer_context_id->clone()));
-		}
-
-	// Add parameter "byteorder"
-	if ( type_->RequiresByteOrder() && ! type_->attr_byteorder_expr() )
-		{
-		env_->AddID(byteorder_id, TEMP_VAR, extern_type_int);
-		env_->SetEvaluated(byteorder_id);
-		}
-
-	vector<string> base_classes;
-
-	AddBaseClass(&base_classes);
-
-	if ( type_->attr_refcount() )
-		base_classes.push_back(kRefCountClass);
-
-	// The first line of class definition
-	out_h->println("");
-	out_h->print("class %s", class_name().c_str());
-	bool first = true;
-	foreach(i, vector<string>, &base_classes)
-		{
-		if ( first )
-			{
-			out_h->print(" : public %s", i->c_str());
-			first = false;
-			}
-		else
-			out_h->print(", public %s", i->c_str());
-		}
-	out_h->print("\n");
-
-	// Public members
-	out_h->println("{");
-	out_h->println("public:");
-	out_h->inc_indent();
-
-	GenConstructorFunc(out_h, out_cc);
-	GenDestructorFunc(out_h, out_cc);
-
-	if ( type_->attr_length_expr() )
-		GenInitialBufferLengthFunc(out_h, out_cc);
-
-	GenParseFunc(out_h, out_cc);
-
-	out_h->println("");
-	out_h->println("// Member access functions");
-	type_->GenPubDecls(out_h, env_);
-	out_h->println("");
-
-	GenPubDecls(out_h, out_cc);
-
-	out_h->dec_indent();
-	out_h->println("protected:");
-	out_h->inc_indent();
-
-	GenPrivDecls(out_h, out_cc);
-	type_->GenPrivDecls(out_h, env_);
-
-	out_h->dec_indent();
-	out_h->println("};\n");
-	}
-
-void TypeDecl::GenPubDecls(Output* out_h, Output *out_cc)
-	{
-	// GenParamPubDecls(params_, out_h, env_);
-	}
-
-void TypeDecl::GenPrivDecls(Output* out_h, Output *out_cc)
-	{
-	// GenParamPrivDecls(params_, out_h, env_);
-	}
-
-void TypeDecl::GenInitCode(Output *out_cc)
-	{
-	}
-
-void TypeDecl::GenCleanUpCode(Output *out_cc)
-	{
-	}
-
-void TypeDecl::GenConstructorFunc(Output* out_h, Output* out_cc)
-	{
-	string params_str = ParamDecls(params_);
-
-	string proto = 
-		strfmt("%s(%s)", class_name().c_str(), params_str.c_str());
-
-	out_h->println("%s;", proto.c_str());
-
-	out_cc->println("%s::%s", class_name().c_str(), proto.c_str());
-	out_cc->inc_indent();
-
-	out_cc->println("{");
-
-	// GenParamAssignments(params_, out_cc, env_);
-
-	type_->GenInitCode(out_cc, env_);
-	GenInitCode(out_cc);
-
-	out_cc->println("}\n");
-	out_cc->dec_indent();
-	}
-
-void TypeDecl::GenDestructorFunc(Output* out_h, Output* out_cc)
-	{
-	string proto = strfmt("~%s()", class_name().c_str());
-
-	out_h->println("%s;", proto.c_str());
-
-	out_cc->println("%s::%s", class_name().c_str(), proto.c_str());
-	out_cc->inc_indent();
-	out_cc->println("{");
-
-	GenCleanUpCode(out_cc);
-	type_->GenCleanUpCode(out_cc, env_);
-
-	out_cc->println("}\n");
-	out_cc->dec_indent();
-	}
-
-string TypeDecl::ParseFuncPrototype(Env* env)
-	{
-	const char *func_name = 0;
-	const char *return_type = 0;
-	string params;
-
-	if ( type_->incremental_input() )
-		{
-		func_name = kParseFuncWithBuffer;
-		return_type = "bool";
-		params = strfmt("flow_buffer_t %s",
-			env->LValue(flow_buffer_id));
-		}
-	else
-		{
-		func_name = kParseFuncWithoutBuffer;
-		return_type = "int";
-		params = strfmt("const_byteptr const %s, const_byteptr const %s",
-			env->LValue(begin_of_data), 
-			env->LValue(end_of_data));
-		}
-
-	if ( RequiresAnalyzerContext::compute(type_) )
-		{
-		Type *param_type = analyzer_context()->param_type();
-		params += fmt(", %s %s", 
-			param_type->DataTypeConstRefStr().c_str(),
-			env->LValue(analyzer_context_id));
-		}
-
-	// Add parameter "byteorder"
-	if ( type_->RequiresByteOrder() && ! type_->attr_byteorder_expr() )
-		{
-		params += fmt(", int %s", env->LValue(byteorder_id));
-		}
-
-	// Returns "<return type> %s<func name>(<params>)%s".
-	return strfmt("%s %%s%s(%s)%%s", 
-		return_type, func_name, params.c_str());
-	}
-
-void TypeDecl::GenParsingEnd(Output *out_cc, Env *env, const DataPtr &data)
-	{
-	string ret_val_0, ret_val_1;
-
-	if ( type_->incremental_input() )
-		{
-		ret_val_0 = type_->parsing_complete(env).c_str();
-		ret_val_1 = "false";
-		}
-	else
-		{
-		ret_val_0 = type_->DataSize(0, env, data).c_str();
-		ret_val_1 = "@@@";
-
-		out_cc->println("BINPAC_ASSERT(%s + (%s) <= %s);", 
-			env->RValue(begin_of_data),
-			ret_val_0.c_str(),
-			env->RValue(end_of_data));
-		}
-
-	if ( type_->incremental_parsing() && 
-	     ( type_->tot() == Type::RECORD || type_->tot() == Type::ARRAY ) )
-		{
-		// In which case parsing may jump to label 
-		// "need_more_data" ...
-		out_cc->println("BINPAC_ASSERT(%s);",
-			type_->parsing_complete(env).c_str());
-		out_cc->println("return %s;", ret_val_0.c_str());
-
-		out_cc->println("");
-		out_cc->dec_indent();
-		out_cc->println("%s:", kNeedMoreData);
-		out_cc->inc_indent();
-		out_cc->println("BINPAC_ASSERT(!(%s));",
-			type_->parsing_complete(env).c_str());
-		out_cc->println("return %s;", ret_val_1.c_str());
-		}
-	else if ( type_->incremental_input() )
-		{
-		out_cc->println("return %s;", ret_val_0.c_str());
-		}
-	else	
-		{
-		out_cc->println("return %s;", ret_val_0.c_str());
-		}
-	}
-
-void TypeDecl::GenParseFunc(Output* out_h, Output* out_cc)
-	{
-	if ( type_->tot() == Type::DUMMY )
-		return;
-
-	// Env within the parse function
-	Env p_func_env(env_, this);
-	Env *env = &p_func_env;
-
-	if ( type_->incremental_input() )
-		{
-		env->AddID(flow_buffer_id, TEMP_VAR, extern_type_flowbuffer);
-		env->SetEvaluated(flow_buffer_id);
-		}
-	else
-		{
-		env->AddID(begin_of_data, TEMP_VAR, extern_type_const_byteptr);
-		env->AddID(end_of_data, TEMP_VAR, extern_type_const_byteptr);
-
-		env->SetEvaluated(begin_of_data);
-		env->SetEvaluated(end_of_data);
-		}
-
-	string proto;
-	proto = ParseFuncPrototype(env);
-
-#if 0
-	if ( func_type == PARSE )
-		{
-		out_h->println("// 1. If the message is completely parsed, returns number of");
-		out_h->println("//    input bytes parsed.");
-		out_h->println("// 2. If the input is not complete but the type supports");
-		out_h->println("//    incremental input, returns number of input bytes + 1");
-		out_h->println("//    (%s - %s + 1).",
-			env->LValue(end_of_data), 
-			env->LValue(begin_of_data)); 
-		out_h->println("// 3. An exception will be thrown on error.");
-		}
-#endif
-
-	out_h->println(proto.c_str(), "", ";");
-
-	out_cc->println(proto.c_str(), fmt("%s::", class_name().c_str()), "");
-	out_cc->inc_indent();
-	out_cc->println("{");
-
-	DataPtr data(env, 0, 0);
-
-	if ( ! type_->incremental_input() )
-		data = DataPtr(env, begin_of_data, 0);
-	type_->GenParseCode(out_cc, env, data, 0);
-	GenParsingEnd(out_cc, env, data);
-
-	out_cc->println("}\n");
-	out_cc->dec_indent();
-	}
-
-void TypeDecl::GenInitialBufferLengthFunc(Output* out_h, Output* out_cc)
-	{
-	string func(kInitialBufferLengthFunc);
-
-	int init_buffer_length = type_->InitialBufferLength();
-
-	if ( init_buffer_length < 0 )  // cannot be statically determined
-		{
-		throw Exception(type()->attr_length_expr(), 
-		                fmt("cannot determine initial buffer length"
-		                    " for type %s", id_->Name()));
-		}
-
-	out_h->println("int %s() const { return %d; }", 
-	               func.c_str(),
-	               init_buffer_length);
-	}
-
-Type* TypeDecl::LookUpType(const ID *id)
-	{
-	Decl *decl = LookUpDecl(id);
-	if ( ! decl )
-		return 0;
-	switch ( decl->decl_type() )
-		{
-		case TYPE:
-		case CONN:
-		case FLOW:
-			return static_cast<TypeDecl *>(decl)->type();
-		case ENUM:
-			return static_cast<EnumDecl *>(decl)->DataType();
-		default:
-			return 0;
-		}
-	}
-
diff --git a/aux/binpac/src/pac_typedecl.h b/aux/binpac/src/pac_typedecl.h
deleted file mode 100644
index 37631af18e..0000000000
--- a/aux/binpac/src/pac_typedecl.h
+++ /dev/null
@@ -1,49 +0,0 @@
-#ifndef pac_typedecl_h
-#define pac_typedecl_h
-
-#include "pac_decl.h"
-
-class TypeDecl : public Decl
-{
-public:
-	TypeDecl(ID *arg_id, ParamList *arg_params, Type *arg_type);
-	~TypeDecl();
-	void Prepare();
-	void GenForwardDeclaration(Output *out_h);
-	void GenCode(Output *out_h, Output *out_cc);
-
-	Env *env() const	{ return env_; }
-	Type *type() const	{ return type_; }
-	string class_name() const;
-	static Type *LookUpType(const ID *id);
-
-protected:
-	void AddParam(Param *param);
-	virtual void AddBaseClass(vector<string> *base_classes) const {}
-	void ProcessAttr(Attr *a);
-
-	virtual void GenPubDecls(Output *out_h, Output *out_cc);
-	virtual void GenPrivDecls(Output *out_h, Output *out_cc);
-	virtual void GenInitCode(Output *out_cc);
-	virtual void GenCleanUpCode(Output *out_cc);
-
-	void GenConstructorFunc(Output *out_h, Output *out_cc);
-	void GenDestructorFunc(Output *out_h, Output *out_cc);
-
-	string ParseFuncPrototype(Env* env);
-	void GenParseFunc(Output *out_h, Output *out_cc);
-
-	void GenParsingEnd(Output *out_cc, Env *env, const DataPtr &data);
-
-	void GenInitialBufferLengthFunc(Output *out_h, Output *out_cc);
-
-protected:
-	Env *env_;
-
-	ParamList *params_;
-	Type *type_;
-
-	bool inherits_frame_buffer_;
-};
-
-#endif  // pac_typedecl_h
diff --git a/aux/binpac/src/pac_utils.cc b/aux/binpac/src/pac_utils.cc
deleted file mode 100644
index a9118fc256..0000000000
--- a/aux/binpac/src/pac_utils.cc
+++ /dev/null
@@ -1,43 +0,0 @@
-// $Id: pac_utils.cc 3225 2006-06-08 00:00:01Z vern $
-
-#include <stdarg.h>
-#include <string.h>
-#include <stdio.h>
-
-#include "pac_utils.h"
-
-char* copy_string(const char* s)
-        {
-        char* c = new char[strlen(s)+1];
-        strcpy(c, s);
-        return c;
-        }
-
-namespace {
-
-const char* do_fmt(const char* format, va_list ap)
-	{
-	static char buf[1024];
-	vsnprintf(buf, sizeof(buf), format, ap);
-	return buf;
-	}
-
-}
-
-string strfmt(const char* format, ...)
-	{
-	va_list ap;
-	va_start(ap, format);
-	const char* r = do_fmt(format, ap);
-	va_end(ap);
-	return string(r);
-	}
-
-char* nfmt(const char* format, ...)
-	{
-	va_list ap;
-	va_start(ap, format);
-	const char* r = do_fmt(format, ap);
-	va_end(ap);
-	return copy_string(r);
-	}
diff --git a/aux/binpac/src/pac_utils.h b/aux/binpac/src/pac_utils.h
deleted file mode 100644
index deef850245..0000000000
--- a/aux/binpac/src/pac_utils.h
+++ /dev/null
@@ -1,17 +0,0 @@
-// $Id: pac_utils.h 3225 2006-06-08 00:00:01Z vern $
-
-#ifndef pac_utils_h
-#define pac_utils_h
-
-#include <sys/types.h>
-#include <string>
-using namespace std;
-
-char* copy_string(const char* s);
-string strfmt(const char* fmt, ...);
-char* nfmt(const char* fmt, ...);
-
-// const char* fmt(const char* fmt, ...);
-#define fmt(x...) strfmt(x).c_str()
-
-#endif /* pac_utils_h */
diff --git a/aux/binpac/src/pac_varfield.cc b/aux/binpac/src/pac_varfield.cc
deleted file mode 100644
index 76f36910f6..0000000000
--- a/aux/binpac/src/pac_varfield.cc
+++ /dev/null
@@ -1,6 +0,0 @@
-#include "pac_varfield.h"
-
-void PrivVarField::Prepare(Env *env)
-	{
-	Field::Prepare(env);
-	}
diff --git a/aux/binpac/src/pac_varfield.h b/aux/binpac/src/pac_varfield.h
deleted file mode 100644
index 8fea8879f9..0000000000
--- a/aux/binpac/src/pac_varfield.h
+++ /dev/null
@@ -1,51 +0,0 @@
-#ifndef pac_varfield_h
-#define pac_varfield_h
-
-#include "pac_field.h"
-
-// A private variable evaluated with parsing
-class ParseVarField : public Field
-{
-public:
-	ParseVarField(int is_class_member, ID* id, Type *type) 
-	: Field(PARSE_VAR_FIELD, 
-		TYPE_TO_BE_PARSED | is_class_member | NOT_PUBLIC_READABLE,
-		id, type) {}
-	void GenPubDecls(Output* out, Env* env) { /* do nothing */ }
-};
-
-// A public variable
-class PubVarField : public Field
-{
-public:
-	PubVarField(ID* id, Type *type) 
-	: Field(PUB_VAR_FIELD, 
-		TYPE_NOT_TO_BE_PARSED | CLASS_MEMBER | PUBLIC_READABLE, 
-		id, type) {}
-	~PubVarField() {}
-};
-
-// A private variable
-class PrivVarField : public Field
-{
-public:
-	PrivVarField(ID* id, Type *type) 
-	: Field(PRIV_VAR_FIELD, 
-		TYPE_NOT_TO_BE_PARSED | CLASS_MEMBER | NOT_PUBLIC_READABLE, 
-		id, type) {}
-	~PrivVarField() {}
-
-	void GenPubDecls(Output* out, Env* env) { /* do nothing */ }
-};
-
-class TempVarField : public Field
-{
-public:
-	TempVarField(ID* id, Type *type) 
-	: Field(TEMP_VAR_FIELD, 
-		TYPE_NOT_TO_BE_PARSED | NOT_CLASS_MEMBER, 
-		id, type) {}
-	~TempVarField() {}
-};
-
-#endif  // pac_varfield_h
diff --git a/aux/binpac/src/pac_withinput.cc b/aux/binpac/src/pac_withinput.cc
deleted file mode 100644
index 8c39053046..0000000000
--- a/aux/binpac/src/pac_withinput.cc
+++ /dev/null
@@ -1,80 +0,0 @@
-#include "pac_withinput.h"
-#include "pac_dataptr.h"
-#include "pac_expr.h"
-#include "pac_inputbuf.h"
-#include "pac_output.h"
-#include "pac_type.h"
-
-WithInputField::WithInputField(ID* id, Type *type, InputBuffer* input)
-	: Field(WITHINPUT_FIELD, 
-		TYPE_TO_BE_PARSED | CLASS_MEMBER | PUBLIC_READABLE, 
-		id, type), 
-	  input_(input)
-	{
-	ASSERT(type_);
-	ASSERT(input_);
-	}
-
-WithInputField::~WithInputField()
-	{
-	delete input_;
-	}
-
-bool WithInputField::DoTraverse(DataDepVisitor *visitor)
-	{ 
-	return Field::DoTraverse(visitor) &&
-	       input()->Traverse(visitor); 
-	}
-
-bool WithInputField::RequiresAnalyzerContext() const 
-	{ 
-	return Field::RequiresAnalyzerContext() ||
-	       (input() && input()->RequiresAnalyzerContext()); 
-	}
-
-void WithInputField::Prepare(Env* env)
-	{
-	Field::Prepare(env);
-	env->SetEvalMethod(id_, this);
-	}
-
-void WithInputField::GenEval(Output* out_cc, Env* env)
-	{
-	GenParseCode(out_cc, env);
-	if ( type_->attr_if_expr() )
-		{
-		out_cc->println("BINPAC_ASSERT(%s);", 
-			env->RValue(type_->has_value_var()));
-		}
-	}
-	
-void WithInputField::GenParseCode(Output* out_cc, Env* env)
-	{
-	out_cc->println("// Parse \"%s\"", id_->Name());
-	if ( type_->attr_if_expr() )
-		{
-		// A conditional field
-		env->Evaluate(out_cc, type_->has_value_var());
-		out_cc->println("if ( %s )", 
-			env->RValue(type_->has_value_var()));
-		out_cc->inc_indent();
-		out_cc->println("{");
-		}
-	else
-		out_cc->println("{");
-
-	Env field_env(env, this);
-	ASSERT(! type_->incremental_input());
-	type_->GenPreParsing(out_cc, &field_env);
-	type_->GenParseCode(out_cc, &field_env, 
-		input()->GenDataBeginEnd(out_cc, &field_env),
-		0);
-
-	if ( type_->attr_if_expr() )
-		{
-		out_cc->println("}");
-		out_cc->dec_indent();
-		}
-	else
-		out_cc->println("}");
-	}
diff --git a/aux/binpac/src/pac_withinput.h b/aux/binpac/src/pac_withinput.h
deleted file mode 100644
index 18b086d61a..0000000000
--- a/aux/binpac/src/pac_withinput.h
+++ /dev/null
@@ -1,38 +0,0 @@
-#ifndef pac_withinput_h
-#define pac_withinput_h
-
-#include "pac_datadep.h"
-#include "pac_decl.h"
-#include "pac_field.h"
-
-class WithInputField : public Field, public Evaluatable
-{
-public:
-	WithInputField(ID* id, Type *type, InputBuffer* input);
-	virtual ~WithInputField();
-
-	InputBuffer *input() const	{ return input_; }
-
-	void Prepare(Env* env);
-
-	// void GenPubDecls(Output* out, Env* env);
-	// void GenPrivDecls(Output* out, Env* env);
-
-	// void GenInitCode(Output* out, Env* env);
-	// void GenCleanUpCode(Output* out, Env* env);
-
-	void GenParseCode(Output* out, Env* env);
-
-	// Instantiate the Evaluatable interface
-	void GenEval(Output* out, Env* env);
-
-	bool RequiresAnalyzerContext() const;
-
-protected:
-	bool DoTraverse(DataDepVisitor *visitor);
-
-protected:
-	InputBuffer *input_;
-};
-
-#endif  // pac_withinput_h
diff --git a/aux/bro-aux b/aux/bro-aux
new file mode 160000
index 0000000000..14a7cfe4ea
--- /dev/null
+++ b/aux/bro-aux
@@ -0,0 +1 @@
+Subproject commit 14a7cfe4ea2ff6c7f5301dcb81a869adcd6e9834
diff --git a/aux/broccoli b/aux/broccoli
new file mode 160000
index 0000000000..8843da57dc
--- /dev/null
+++ b/aux/broccoli
@@ -0,0 +1 @@
+Subproject commit 8843da57dc8aee433550727dcbd1199824ca9da4
diff --git a/aux/broccoli/AUTHORS b/aux/broccoli/AUTHORS
deleted file mode 100644
index 7167bfcffc..0000000000
--- a/aux/broccoli/AUTHORS
+++ /dev/null
@@ -1,3 +0,0 @@
-Christian Kreibich <christian AT icir.org> and various contributors,
-see ChangeLog for details.
-
diff --git a/aux/broccoli/COPYING b/aux/broccoli/COPYING
deleted file mode 100644
index 265fcf14d4..0000000000
--- a/aux/broccoli/COPYING
+++ /dev/null
@@ -1,21 +0,0 @@
-
-Broccoli is copyright (C) 2000-2009 Christian Kreibich <christian@icir.org>.
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to
-deal in the Software without restriction, including without limitation the
-rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-sell copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies of the Software and its documentation and acknowledgment shall be
-given in the documentation and software packages that this Software was
-used.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
-THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
diff --git a/aux/broccoli/ChangeLog b/aux/broccoli/ChangeLog
deleted file mode 100644
index 8d5c52cf88..0000000000
--- a/aux/broccoli/ChangeLog
+++ /dev/null
@@ -1,1547 +0,0 @@
-Broccoli Changelog
-========================================================================
-
-Tue Jan 12 12:32:12 PST 2010             Christian <christian@whoop.org>
-
-- Build warning fixes (Kevin Lo).
-
-------------------------------------------------------------------------
-
-Fri Oct  9 18:42:05 PDT 2009             Christian <christian@whoop.org>
-
-- Version bump to 1.5.
-
-------------------------------------------------------------------------
-
-Fri Sep 25 10:09:03 PDT 2009             Christian <christian@whoop.org>
-
-- Bropipe fixes: set a connection class for robustness reasons;
-  removes some C/C++ confusion (Seth Hall).
-
-------------------------------------------------------------------------
-
-Mon Jun 29 17:56:00 PDT 2009             Christian <christian@whoop.org>
-
-- SWIG bindings update.
-
-------------------------------------------------------------------------
-
-Mon Jun 29 15:29:35 PDT 2009             Christian <christian@whoop.org>
-
-- Support for sending raw serialized events via the new API function
-  bro_event_send_raw(), with much help from Matthias Vallentin.
-
-------------------------------------------------------------------------
-
-Mon Jun 29 15:20:58 PDT 2009             Christian <christian@whoop.org>
-
-- Fix for buffered data remaining in transmit buffer when calling
-  for_event_queue_flush().
-
-- Added bro_conn_get_connstats() which reports statistical information 
-  about a connection in a new dedicated structure BroConnStats. For now 
-  this is only the amount of data buffered in the rx/tx buffers.
-
-------------------------------------------------------------------------
-
-Mon Jun 29 15:18:10 PDT 2009             Christian <christian@whoop.org>
-
-- All multiprocess/-threading synchronization code has been removed.
-
-------------------------------------------------------------------------
-
-Mon Jun 29 15:10:59 PDT 2009             Christian <christian@whoop.org>
-
-- Broccoli now requires initialization before any connections may be
-  created. The reason is twofold: (i) it provides a clean method for
-  initializing relevant parts of Broccoli in multithreaded environments,
-  and (ii) it allows configuration of parts of Broccoli where the
-  normal approach via configuration files is insufficient.
-
-  For details on the initialization process, refer to the manual, but
-  generally speaking, a call to
-
-    bro_init(NULL);
-
-  at the beginning of your application is all that is required. For the
-  time being, a number of high-level API calls double-check whether you
-  have called bro_init() previously.
-
-- Broccoli now supports the callback functions OpenSSL requires for
-  thread-safe operation.  Implement those callbacks as required by your 
-  threading library, hook them into a BroCtx structure previously
-  initialized using bro_ctx_init(), and pass the structure to  
-  bro_init().  This will hook the callbacks into OpenSSL for you. 
-
-  O'Reilly's book "Network Security with OpenSSL" provides an example
-  of how to implement the callbacks.
-
-------------------------------------------------------------------------
-
-Thu Jun 25 16:46:37 PDT 2009             Christian <christian@whoop.org>
-
-- Fix to Python bindings: added required bro_init() call (Matthias
-  Vallentin).
-
-------------------------------------------------------------------------
-
-Thu May 28 10:27:30 PDT 2009             Christian <christian@whoop.org>
-
-- The BroEvMeta structure used in compact event callbacks now allows
-  access to the timestamp of event creation.
-
-------------------------------------------------------------------------
-
-Fri Mar 27 23:39:10 CET 2009             Christian <christian@whoop.org>
-
-- Fixed a memory leak triggered by bro_event_send() but actually caused
-  by lack of cleanup after an underlying string duplication. Thanks to
-  Steve Chan and Matthias Vallentin for helpful feedback.
-
-------------------------------------------------------------------------
-
-Wed Mar 25 11:26:16 CET 2009             Christian <christian@whoop.org>
-
-Formatting robustness fixes to bropipe (Steve Chan).
-
-------------------------------------------------------------------------
-
-Thu Feb 12 19:28:24 PST 2009             Christian <christian@whoop.org>
-
-- Updates to contributed bropipe command (Steve Chan):
-  - Proper parsing of default host/port.
-  - Support for "urlstring" type, which urlencodes spaces in strings
-    and other special characters.
-
-------------------------------------------------------------------------
-
-Thu Dec 11 09:37:12 PST 2008             Christian <christian@whoop.org>
-
-- Optimization: the internal slots vector of hashtables is now lazily
-  allocated when the first actual insertion happens. Since hashtables
-  are used in various places in the BroVal structures but frequently
-  remain empty, the savings are substantial. Thanks to Matthias
-  Vallentin for pointing this out.
-
-------------------------------------------------------------------------
-
-Mon Nov  3 11:07:49 PST 2008             Christian <christian@whoop.org>
-
-- Fixes for I/O deadlocking problems:
-
-  - A bug in the implementation of BRO_CFLAG_YIELD has been
-    fixed. Input processing now only yields after the
-    handshake is complete on *both* endpoints.
-
-  - When events arrive during bro_conn_connect(), it could happen
-    that deadlock ensues if no additional data are sent and
-    __bro_io_process_input() can not read new input data. It no
-    longer returns immediately in that case, and instead attempts
-    to process any available input data.
-
-------------------------------------------------------------------------
-
-Sat Oct  4 15:05:07 CEST 2008            Christian <christian@whoop.org>
-
-- Added bro_record_get_nth_name() to the API (Seth Hall).
-- make install no longer worked for documentation, apparently as part
-  of Bro's make install cleanup. This isn't quite right since gtk-doc
-  documentation is normally installed in a well-known place and 
-  Broccoli will normally need to be installed via "make install", but 
-  for now I'm leaving it uninstalled and instead provide a specific 
-  "install-docs" target for people who want documentation installed.
-- Documentation updated where missing, and rebuilt.
-- Copyright years updated.
-
-------------------------------------------------------------------------
-
-Mon Sep 22 21:34:13 CEST 2008            Christian <christian@whoop.org>
-
-- Updated broping.bro (and broping-record.bro, slightly) to explicitly 
-  declare the used event types ahead of their use.
-
-------------------------------------------------------------------------
-
-Mon Sep  8 11:30:35 CEST 2008            Christian <christian@whoop.org>
-
-- Use of caching on received objects is now disabled by default, but can
-  be enabled using the new connection flag BRO_CFLAG_CACHE.  The old
-  BRO_CFLAG_DONTCACHE is kept for backward compatibility but no longer
-  does anything. Keeping the caches between Bro instances and Broccoli
-  synchronized still needs to be implemented completely, and in the
-  meantime no caching is the safer default.  Thanks to Stephen Chan for
-  helping track this down.
-
-------------------------------------------------------------------------
-
-Wed Jul 16 01:47:16 PDT 2008             Christian <christian@whoop.org>
-
-- Python bindings for Broccoli are now provided in the bindings/python
-  subdirectory (Robin Sommer).  They are not built automatically. See 
-  the instructions in bindings/python/README for details.
-- Minor documentation setup tweaks.
-
-------------------------------------------------------------------------
-
-Thu May 15 14:05:10 PDT 2008             Christian <christian@whoop.org>
-
-Event callbacks of the "compact" type are now able to obtain start- and
-end pointers of the currently processed event in serialized form, from
-the receive buffer stored with the connection handle.
-
-------------------------------------------------------------------------
-
-Wed Feb 20 13:53:51 PST 2008             Christian <christian@whoop.org>
-
-- Fix to __bro_openssl_read(), which handled some error cases
-  reported by BIO_read() incorrectly. (Robin Sommer)
-- Clarifications to documentation of bro_conn_active() and
-  bro_conn_process_input().
-- Version bump to 1.4.0.
-
-------------------------------------------------------------------------
-
-Thu Sep 13 13:56:58 PDT 2007             Christian <christian@whoop.org>
-
-- autogen.sh now uses --force when running libtoolize, which at least
-  in some setups seems to be necessary to avoid bizarre build issues.
-  (In the particular case encountered, these looked like run-together 
-  ar and runlib invocations). Thanks to Po-Ching Lin for helping nail
-  this down.
-
-------------------------------------------------------------------------
-
-Mon Sep 10 18:17:29 PDT 2007             Christian <christian@whoop.org>
-
-- Broccoli now supports table and set container types. Have a look at
-  the bro_table_...() and bro_set_...() families of functions in
-  broccoli.h, the updated manual, and the updated broconn and brotable
-  examples in the test/ directory.
-
-------------------------------------------------------------------------
-
-Tue Sep  4 15:53:27 PDT 2007             Christian <christian@whoop.org>
-
-- Major bugfix for capabilities exchange during handshake: Broccoli did
-  not convert into NBO, causing successful event exchange to fail. :(
-  Amazingly, this means disabling cache usage per Broccoli's request
-  never worked...
-
-------------------------------------------------------------------------
-
-Tue Sep  4 12:36:53 PDT 2007             Christian <christian@whoop.org>
-
-- Changed the way compact argument passing to event callbacks works.
-  All event metadata is now represented by a single argument, a pointer
-  to a BroEvMeta structure. It contains the name of the event, the
-  number of arguments, and the arguments along with their types.
-
-  Updated documentation and broping demo accordingly.
-
-  NOTE: This introduces an API incompatibility. If you were previously
-        using the compact callback API, you will need to update your
-        code! I bumped up the library version info to 2:0:0 to signal
-        this.  
-
-- Fixed a bug in the implementation of BRO_CFLAG_YIELD and some SGML-
-  violating documentation of same.
-
-------------------------------------------------------------------------
-
-Thu Aug 16 15:24:51 CEST 2007            Christian <christian@whoop.org>
-
-- Include autogen.sh in the distribution.
-
-------------------------------------------------------------------------
-
-Sat Aug 11 04:59:35 PDT 2007                      Robin <robin@icir.org>
-	
-- New flag for Broccoli's connections: with BRO_CFLAG_YIELD,
-  bro_conn_process_input() processes at most one event at a time and then
-  returns (Robin Sommer).
-
-- The new Broccoli function bro_conn_new_socket() creates a connection
-  from an existing socket, which can then be used with listen()/accept()
-  to have Broccoli listen for incoming connections (Robin Sommer).
-	
-------------------------------------------------------------------------
-
-Fri Jul  6 18:18:05 PDT 2007             Christian <christian@whoop.org>
-
-- Bumped up the version number to 1.3. Now that Broccoli is bundled
-  with Bro, it makes sense to keep Broccoli's release version number
-  in synch with Bro's.
-- Added the automake-provided ylwrap wrapper script to the distribution.
-  This is for compatibility reasons: some automakes believe that
-  Broccoli requires ylwrap, others don't. The distcheck target however
-  needs ylwrap when it *is* required, so it's easiest to just provide
-  one. It can always be overwritten locally, should the need arise.
-
-------------------------------------------------------------------------
-
-Wed Mar  7 10:49:25 PST 2007             Christian <christian@whoop.org>
-
-- Data format version number bumped up, in sync with Bro again.
-
-------------------------------------------------------------------------
-
-Mon Dec  4 12:07:12 PST 2006             Christian <christian@whoop.org>
-
-- Updated broconn.c to new bro_record_get_named_val().
-
-------------------------------------------------------------------------
-
-Tue Nov 28 11:16:04 PST 2006             Christian <christian@whoop.org>
-
-- Run-time type information is now also available for the values stored
-  in records (previously there was only type-checking, but no way to
-  obtain the type of the vals). See the manual and API documentation of
-  the functions bro_record_get_nth_val() and bro_record_get_named_val()
-  for details.
-
-------------------------------------------------------------------------
-
-Mon Nov 27 18:38:06 PST 2006             Christian <christian@whoop.org>
-
-- Compact argument passing for event callbacks: as an alternative to the
-  argument passing style used so far for event callbacks (dubbed "expan-
-  ded"), one can now request "compressed" passing by using the
-  bro_event_registry_add_compact() variant. Instead of passing every
-  event argument as a separate pointer, compact passing provides only
-  the number of arguments, and a pointer to an array of BroEvArgs.
-  The elements of this array then provide pointers to the actual argu-
-  ments as well as pointers to the new BroValMeta metadata structure,
-  which currently contains type information about the argument.
-
-  This style is better suited for applications that don't know the type
-  of events they will have to handle at compile time, for example when
-  writing language bindings.
-
-  broping.c features example code, also see the manual for detailed
-  explanation.
-
-------------------------------------------------------------------------
-
-Mon Nov 27 16:32:52 PST 2006             Christian <christian@whoop.org>
-
-- Bumped up version to 0.9
-- I'm starting to use shared library version numbers to indicate API
-  changes. Their correspondence to the release version number will be
-  listed in VERSION.
-- Fixed a warning in bro_packet.c
-
-------------------------------------------------------------------------
-
-Mon Nov 27 16:23:46 PST 2006             Christian <christian@whoop.org>
-
-- Renamed cvs.pl to svn.pl
-- Bumped up BRO_DATA_FORMAT_VERSION to 13, to match that of Bro trunk.
-
-------------------------------------------------------------------------
-
-Mon Nov 27 16:21:28 PST 2006             Christian <christian@whoop.org>
-
-- Updating my commit script to SVN -- let's see if this works...
-
-------------------------------------------------------------------------
-
-Mon May 15 19:21:30 BST 2006             Christian <christian@whoop.org>
-
-- Correction to the explanation of bro_event_registry_add(), pointed
-  out by Robin Sommer.
-
-------------------------------------------------------------------------
-
-Mon May  8 08:14:31 PDT 2006             Christian <christian@whoop.org>
-
-- Added config.sub and config.guess versions that seem to work well with
-  MacOS X to the tree, to remove the dependency on the libtool/automake
-  versions installed on the machine where tarballs are built.
-
-- Removed -f from libtoolize invocation in autogen.sh, so we don't
-  overwrite the above.
-
-- Fixed COPYING, which wasn't actually referring to Broccoli. :)
-
-------------------------------------------------------------------------
-
-Sat May  6 20:17:32 BST 2006             Christian <christian@whoop.org>
-
-- Last-minute tweaks bring last-minute brokenness, especially when
-  configuring without --enable-debug... :(
-
-------------------------------------------------------------------------
-
-Tue May  2 13:25:31 BST 2006             Christian <christian@whoop.org>
-
-- Added generated HTML documentation to CVS, so it is guaranteed to be
-  included in tarballs generated via dist/distcheck, regardless of
-  whether GtkDoc support exists on the build system or not. 
-
-------------------------------------------------------------------------
-
-Tue May  2 02:31:39 BST 2006             Christian <christian@whoop.org>
-
-- Changed connection setup debugging output to state more clearly
-  whether an SSL or cleartext connection is attempted, as suggested
-  by Brian Tierney.
-- New configuration item /broccoli/use_ssl to enable/disable SSL
-  connections, as suggested by Jason Lee. Documentation and sample
-  configuration in broccoli.conf updated accordingly, look at the latter
-  for a quick explanation.
-- A bunch of small tweaks to get distcheck to work properly when invoked
-  from the Bro tree.
-- Other doc/Makefile.am cleanups.
-
-------------------------------------------------------------------------
-
-Sat Apr 29 19:12:07 PDT 2006             Christian <christian@whoop.org>
-
-- Fixed bogusness in docs/Makefile.am's dist-hook target. Should now
-  work much better in general, and in particular not bomb out with
-  non-GNU make.
-
-------------------------------------------------------------------------
-
-Fri Apr  7 23:52:20 BST 2006             Christian <christian@whoop.org>
-
-- Bumped up BRO_DATA_FORMAT_VERSION to 12, to match the one in Bro's
-  CVS HEAD again.
-
-------------------------------------------------------------------------
-
-Mon Mar 27 22:59:04 BST 2006             Christian <christian@whoop.org>
-
-- This should fix a memleak detected by Jim Mellander and reported with
-  a test case by Mark Dedlow.
-
-------------------------------------------------------------------------
-
-Fri Mar  3 16:40:56 GMT 2006             Christian <christian@whoop.org>
-
-- Warning for invalid permissions on ~/.broccoli.conf has been upgraded
-  from debugging output to stderr, per request from Mark Dedlow.
-- Only check validity of config file name assembled via getenv("HOME")
-  if it yields a filename different from the one assembled via the
-  passwd entry.
-
-------------------------------------------------------------------------
-
-Thu Mar  2 17:57:49 GMT 2006             Christian <christian@whoop.org>
-
-- Reintroducing file needed for distcheck.
-
-------------------------------------------------------------------------
-
-Thu Mar  2 16:27:55 GMT 2006             Christian <christian@whoop.org>
-
-- Debugging fixlet.
-
-------------------------------------------------------------------------
-
-Fri Feb  3 20:31:08 GMT 2006             Christian <christian@whoop.org>
-
-- Embarrassing debugging output fixes.
-
-------------------------------------------------------------------------
-
-Fri Jan 27 23:40:23 GMT 2006             Christian <christian@whoop.org>
-
-- Only do lock operations when there's any need for them.
-
-------------------------------------------------------------------------
-
-Fri Jan 27 18:30:06 GMT 2006             Christian <christian@whoop.org>
-
-I am *so* fired. Overlooked a very clear warning that bro_io.c:lock()
-wasn't returning a value.
-
-------------------------------------------------------------------------
-
-Wed Jan 18 10:45:33 GMT 2006             Christian <christian@whoop.org>
-
-- Fixed call trace debugging inconsistencies, this will hopefully fix a
-  case of runaway call trace indentation depth that Robin + Stefan have
-  bumped into.
-
-------------------------------------------------------------------------
-
-Wed Jan  4 16:21:07 GMT 2006             Christian <christian@whoop.org>
-
-- Documentation fixlet, pointed out by Stefan Kornexl.
-
-------------------------------------------------------------------------
-
-Thu Dec 22 00:48:20 GMT 2005             Christian <christian@whoop.org>
-
-- Attempt at a more portable detecting of [g]libtoolize. Let me know if
-  this works any better.
-
-------------------------------------------------------------------------
-
-Mon Dec 19 17:48:19 PST 2005             Christian <christian@whoop.org>
-
-- Moved brosendpkts.c and rcvpackets.bro from test/ to contrib/, i.e.,
-  out of the default build process. brosendpkts.c defines variables in
-  the middle of main(), which some compilers tolerate while others
-  don't. This should fix build issues reported by Brian Tierney.
-
-------------------------------------------------------------------------
-
-Thu Dec 15 18:38:18 GMT 2005             Christian <christian@whoop.org>
-
-Configuration tweaks to run smoothly when invoked from a Bro build.
-
-- Added AC_CONFIG_AUX_DIR(.) to make sure things are exclusively run
-  out of our tree.
-- Added flags to autogen.sh and configure.in to indicate that we're
-  part of a Bro build.
-
-------------------------------------------------------------------------
-
-Fri Dec  2 14:04:05 GMT 2005             Christian <christian@whoop.org>
-
-- Removed EXTRA_DIST for the test app policies, since they are included
-  in the tarball and installed anyway via pkgdata_DATA.
-
-------------------------------------------------------------------------
-
-Fri Dec  2 13:59:27 GMT 2005             Christian <christian@whoop.org>
-
-- Added "brosendpkts", a test program for sending pcap packets to a Bro,
-  plus the accompanying Bro policy. Contributed by Stefan Kornexl and
-  Robin Sommer, with a tiny tweak to build only when pcap support is
-  available.
-
-------------------------------------------------------------------------
-
-Wed Nov 23 11:59:03 PST 2005             Christian <christian@whoop.org>
-
-- Avoided the keyword "class" to prevent problems with using broccoli.h
-  in a C++ context. Pointed out by Stefan Kornexl.
-
-------------------------------------------------------------------------
-
-Tue Nov  8 14:10:23 PST 2005             Christian <christian@whoop.org>
-
-- Added support for connection classes, updated documentation.
-
-------------------------------------------------------------------------
-
-Mon Oct 31 19:37:55 PST 2005             Christian <christian@whoop.org>
-
-- Support for specifying type names along with values. This is done
-through a new and optional argument to bro_event_add_val(), bro_
-record_add_val(), and friends. See manual for details.
-
-- Added a test program "broenum" for demonstrating this. When running
-Bro with the provided broenum.bro policy, it sends a single event with
-an enum val to the remote Bro, which will print both numerical and
-string representations of the value. For example, broenum.bro defines
-an enum type
-
-  type enumtype: enum { ENUM1, ENUM2, ENUM3, ENUM4 };
-
-Given this,
-
-  $ broenum -n 0              yields	 Received enum val 0/ENUM1
-  $ broenum -n 1              yields	 Received enum val 1/ENUM2
-  $ broenum -n 4              yields	 Received enum val 4/<undefined>
-
-You can also test predefined enums:
-
-  $ broenum -t transport_proto -n 1
-
-yields
-
-  Received enum val 1/tcp
-
-------------------------------------------------------------------------
-
-Mon Oct 31 17:07:15 PST 2005             Christian <christian@whoop.org>
-
-Changed commit script to pass the commit message through the generated
-file via -F, instead of via -m and the command line. D'oh.
-
-------------------------------------------------------------------------
-
-Mon Oct 31 17:03:47 PST 2005             Christian <christian@whoop.org>
-
-- Support for the new abbreviated serialization format for types. Need
-to come up with a decent API for actually using this feature now.
-
-------------------------------------------------------------------------
-
-Mon Oct 31 11:25:22 PST 2005             Christian <christian@whoop.org>
-
-Several changes to handshake implementation and API(!).
-
-- Refactored the handshake code to make the multiple phases of the
-connection's initialization phase more explicit. Our own and the peer's
-handshake state are now tracked separately. conn_init_configure() takes
-care of our state machine with a separate function per phase, and
-__bro_io_process_input() handles the peer's state.
-
-- Added support for capabilities. The only capability Broccoli currently
-supports is a non-capability: it can ask the remote Bro not to use the
-serialization cache. In order to do so, pass BRO_CONN_DONTCACHE as
-a connection flag when obtaining the connection handle. Needs more
-testing.
-
-- Several API changes. Given the more complex handshake procedure that
-is in place now, the old approach of only completing the handshake half-
-way in bro_connect() so the user can requests before calling
-bro_conn_await_handshake() (or alternatively, passing
-BRO_CONN_COMPLETE_HANDSHAKE as a connection flag) is just too messy now.
-The two steps of obtaining a connection handle and establishing a
-connection have been split into separate functions, so the user can
-register event handlers in between.
-
-What was
-
- BroConn *bc = bro_connect(..., BRO_CFLAGS_NONE);
-
- bro_event_registry_add(bc,...);
- bro_event_registry_add(bc,...);
- bro_event_registry_request(bc);
-
- bro_conn_await_handshake(bc);
- /* ... */
- bro_disconnect(bc);
-
-is now
-
- BroConn *bc = bro_conn_new(..., BRO_CFLAGS_NONE);
-
- bro_event_registry_add(bc,...);
- bro_event_registry_add(bc,...);
-
- bro_conn_connect(bc);
- /* ... */
- bro_conn_delete(bc);
-
-Note that the explicit call to bro_event_registry_request() is gone as
-bro_conn_connect() will automatically request event types for which
-handlers have been installed via bro_event_registry_add(). What was
-
- BroConn *bc = bro_connect(..., BRO_CFLAGS_COMPLETE_HANDSHAKE);
- bro_disconnect(bc);
-
-is now
-
- BroConn *bc = bro_conn_new(..., BRO_CFLAGS_NONE);
- bro_conn_connect(bc);
- /* ... */
- bro_conn_delete(bc);
-
-I might add bro_conn_disconnect() in the near future. It'd allow us
-to keep a completely configured connection handle around and use it
-repeatedly for establishing connections.
-
-Sorry for the inconvenience but I really think this is a lot nicer than
-the old API. The examples and documentation have been updated accor-
-dingly.	
-
-------------------------------------------------------------------------
-
-Sat Oct 29 15:43:18 PDT 2005             Christian <christian@whoop.org>
-
-Added an optional age list to the hash table implementation. We'll
-need this to duplicate Bro's object serialization caching strategy.
-
-------------------------------------------------------------------------
-
-Fri Oct 28 15:26:55 PDT 2005             Christian <christian@whoop.org>
-
-Brothers and sisters, hallelujah! On the 27th day Christian looked at
-record vals in the Broccoli, and he saw that it was leaking like a
-sieve. So Christian ran the valgrind. On the 28th day Christian still
-looked at Broccoli, with tired eyes, ground the vals[1] a bit more,
-and he saw that it was plugged[2].
-
-Amen. :)
-
-[1] Really really bad pun. Sorry.
-[2] I get zero memleaks on broping -r -c 100 now. :)
-
-------------------------------------------------------------------------
-
-Thu Oct 27 20:02:39 PDT 2005             Christian <christian@whoop.org>
-
-First crack at reference-counted sobjects. I need reference counting
-in order to get rid of objects in the serialization cache (since they
-can contain nested objects etc -- it's nasty), which I had ignored so
-far. There are still leaks in the event transmission code, dammit. :(
-
-------------------------------------------------------------------------
-
-Thu Oct 27 15:06:10 PDT 2005             Christian <christian@whoop.org>
-
-Added my own list implementation due to suckiness of the TAILQ_xxx
-macro stuff which I never liked anyway. The problem is that elements
-of lists built using these macros can only have each member exactly
-once as the prev/next pointers are part of the structs.
-
-A few uses of TAILQ_xxx remain, these will go in the near future.
-
-------------------------------------------------------------------------
-
-Tue Oct 25 19:57:42 PDT 2005             Christian <christian@whoop.org>
-
-Partial support for enum vals, per request from Weidong. Sending enum
-vals should work, though the underlying enum types aren't fully handled
-yet.
-
-------------------------------------------------------------------------
-
-Mon Oct 24 16:31:56 PDT 2005             Christian <christian@whoop.org>
-
-TODO item: clean up generated parser/lexer files when we know we can
-regenerate them. make clean currently does not erase them, which caused
-Weidong some trouble.
-
-------------------------------------------------------------------------
-
-Fri Oct 21 17:48:51 PDT 2005             Christian <christian@whoop.org>
-
-Clarification to the manual, after a question from Weidong.
-
-------------------------------------------------------------------------
-
-Fri Oct 14 18:05:39 PDT 2005             Christian <christian@whoop.org>
-
-Transparent reconnects should work again (took all *day*, argh -- I
-totally broke it with the connection sharing stuff). Try broping while
-occasionally stopping and restarting the Bro side.
-
-Fixed a number of memleaks -- broping is now leak-free according to
-valgrind.
-
-Clarifications in the debugging output.
-
-------------------------------------------------------------------------
-
-Fri Oct 14 12:07:10 PDT 2005             Christian <christian@whoop.org>
-
-Added documentation for the new user data argument to
-bro_event_registry_add().
-
-------------------------------------------------------------------------
-
-Fri Oct 14 11:48:00 PDT 2005             Christian <christian@whoop.org>
-
-Added user data to event handler callbacks. This is necessary for
-example when using class members in C++ as callbacks since the object
-needs to be provided at the time of dereferencing. It's also easier to
-use than the existing bro_conn_{set,get}_data() mechanism.
-
-Updated documentation with more details on the broccoli-config script.
-
-------------------------------------------------------------------------
-
-Thu Oct 13 15:08:56 PDT 2005             Christian <christian@whoop.org>
-
-When supporting packets (the default), check whether pcap.h actually
-exists. This has thus far just been assumed. We don't actually use
-the library, so there's no need to test for it.
-
-------------------------------------------------------------------------
-
-Mon Oct 10 20:37:15 PDT 2005             Christian <christian@whoop.org>
-
-Changed bro_record_get_named_val() and bro_record_get_nth_val() to
-return a pointer to the queried value directly, instead of through
-a pointer argument. These arguments' type used to be void* though it
-should really be void**, but switching to void** causes lots of warnings
-with current GCCs ('dereferencing type-punned pointer will break
-strict-aliasing rules'). NULL is perfectly usable as an error indicator
-here, and thus used from now on. Updated manual, broping, and broconn
-accordingly.
-
-------------------------------------------------------------------------
-
-Tue Sep 20 17:19:58 PDT 2005             Christian <christian@whoop.org>
-
-Fixed a varargs buglet that is tolerated on Linux but not BSD. Pointed
-out by Scott Campbell.
-
-------------------------------------------------------------------------
-
-Fri Sep  9 18:48:54 PDT 2005             Christian <christian@whoop.org>
-
-Support for textual tags on packets, also an upgrade to more complex
-handshake procedure that allows for synchronization of state (Robin
-Sommer).
-
-Note: as of this change, at least Bro 1.0a2 is required.
-
-------------------------------------------------------------------------
-
-Wed Aug 10 01:36:47 BST 2005             Christian <christian@whoop.org>
-
-Fixed my insecure usage of snprintf.
-
-------------------------------------------------------------------------
-
-Tue Jul 19 10:11:49 PDT 2005             Christian <christian@whoop.org>
-
-Forgot to include broconn's policy file in the distribution.
-
-------------------------------------------------------------------------
-
-Mon Jul 18 16:34:22 PDT 2005             Christian <christian@whoop.org>
-
-Fixed a bug that caused the lookup of record fields by name to fail.
-
-------------------------------------------------------------------------
-
-Fri Jul  1 00:44:49 BST 2005             Christian <christian@whoop.org>
-
-The sequence of tests determining which config file to read from
-failed to fall back properly to the global config file in case of
-incorrect user permissions. Fixed.
-
-------------------------------------------------------------------------
-
-Mon Jun 27 19:34:56 PDT 2005             Christian <christian@whoop.org>
-
-Added bro_buf_reset() to the user-visible API.
-
-------------------------------------------------------------------------
-
-Mon Jun 27 17:58:53 PDT 2005             Christian <christian@whoop.org>
-
-When a configuration item cannot be found in the current config file
-section, a lookup is also attempted in the default section (the one
-at the top of the file, before any sections are defined). This allows
-the sections to override the default section, which is what one would
-expect.
-
-------------------------------------------------------------------------
-
-Mon Jun 27 14:43:56 PDT 2005             Christian <christian@whoop.org>
-
-Debugging output tweak. When providing the SSL cert passphrase via
-the config file, do no longer report it in the debugging output.
-
-------------------------------------------------------------------------
-
-Mon Jun 27 12:33:52 PDT 2005             Christian <christian@whoop.org>
-
-Cosmetics in the debugging output of __bro_openssl_write().
-
-------------------------------------------------------------------------
-
-Fri Jun 24 18:13:49 PDT 2005             Christian <christian@whoop.org>
-
-Added --build flag to broccoli-config. It reports various details
-about the build, for example whether debugging support was compiled in.
-
-------------------------------------------------------------------------
-
-Fri Jun 24 10:37:23 PDT 2005             Christian <christian@whoop.org>
-
-I'm adding a little test app that subscribes to a few connection
-events and prints out the fields of the received connection records,
-both for testing and code demonstration purposes. So far it has
-highlighted a bug in Bro that occurs when a remote app is a pure
-requester of events and not sending anything. Fix pending.
-
-------------------------------------------------------------------------
-
-Mon Jun 20 18:21:24 PDT 2005             Christian <christian@whoop.org>
-
-Show the names of requested events in the debugging output -- it
-had to be deciphered from the hex string which isn't that much fun.
-
-------------------------------------------------------------------------
-
-Thu Jun 16 14:02:59 PDT 2005             Christian <christian@whoop.org>
-
-Better documentation of how to extract record fields.
-
-------------------------------------------------------------------------
-
-Thu Jun 16 11:51:02 PDT 2005             Christian <christian@whoop.org>
-
-- Added bro_string_get_data() and bro_string_get_length() to avoid
-making people access BroString's internal fields directly.
-
-- Moved BroString's internal storage format to uchar*.
-
-------------------------------------------------------------------------
-
-Sun Jun 12 19:17:31 PDT 2005             Christian <christian@whoop.org>
-
-Debugging output now shows the correct function and line numbers again.
-I had accidentially moved __FUNCTION__ and __LINE__ into bro_debug.c :(
-
-------------------------------------------------------------------------
-
-Fri Jun  3 15:00:48 PDT 2005             Christian <christian@whoop.org>
-
-I broke the sanity checks for semaphore initialization when I moved
-the semaphore structures to shared memory. Fixed.
-
-------------------------------------------------------------------------
-
-Mon May 16 22:25:41 PDT 2005             Christian <christian@whoop.org>
-
-- Debugging output now goes to stderr instead of stdout. That keeps it
-out of the way if an instrumented app dups() stdout to another file
-descriptor.
-- Debugging output is now disabled by default (even when compiled in),
-so it needs to be enabled explicitly in the code or in the config file.
-
-------------------------------------------------------------------------
-
-Fri May 13 18:24:23 PDT 2005             Christian <christian@whoop.org>
-
-Synchronization fixes and minor cleanups.
-
-- Unsuccessful connection attempts to remote Bros in combination with
-connection sharing caused the caller to hang indefinitely. This should
-now be fixed, but required some fairly intricate tweaks to the locking
-constructs. Still needs more testing.
-
-- Bumped version to 0.8.
-
-------------------------------------------------------------------------
-
-Fri May  6 23:09:29 BST 2005             Christian <christian@whoop.org>
-
-This is the 0.7.1 release.
-
-------------------------------------------------------------------------
-
-Fri May  6 14:44:53 PDT 2005             Christian <christian@whoop.org>
-
-Documentation for shareable connection handles.
-
-------------------------------------------------------------------------
-
-Fri May  6 12:11:17 PDT 2005             Christian <christian@whoop.org>
-
-Build fixlets.
-
-- Don't only test for the first of the documentation extraction tools,
-but also for those used later on.
-
-- Few more signedness warnings fixed.
-
-------------------------------------------------------------------------
-
-Wed May  4 18:33:40 PDT 2005             Christian <christian@whoop.org>
-
-Fixed a whole bunch of signedness warnings reported by gcc 4 on MacOS
-10.4. Thanks to Roger for the quick reply.
-
-------------------------------------------------------------------------
-
-Wed May  4 17:41:40 PDT 2005             Christian <christian@whoop.org>
-
-Fix for a little-endian bug that I managed to introduce when testing on
-Solaris ... *sigh* :(
-
-------------------------------------------------------------------------
-
-Wed May  4 17:30:07 PDT 2005             Christian <christian@whoop.org>
-
-A number of portability fixes after testing the build on Linux, FreeBSD
-and Solaris.
-
-------------------------------------------------------------------------
-
-Mon May  2 20:17:04 PDT 2005             Christian <christian@whoop.org>
-
-Fixed an obvious bug the config file parser. I'm baffled as to how it
-could go unnoticed for so long.
-
-------------------------------------------------------------------------
-
-Mon May  2 20:11:25 PDT 2005             Christian <christian@whoop.org>
-
-Portability fixes.
-
-- Use -pthread (not -lpthread) in both the --cflags and --libs options
-to broccoli-config, if required. -lpthread does not work on BSDs, where
--pthread has different effects on the linker.
-
-- s/System V/SYSV/ in configure script output for consistency.
-
-- Bumped version to 0.7.1.
-
-It should build correctly on BSDs and Linux now. Still need to check
-whether synchronization actually works on the BSDs.
-
-------------------------------------------------------------------------
-
-Fri Apr 29 23:12:01 BST 2005             Christian <christian@whoop.org>
-
-If the configure script determines we need -lpthread, it's a good idea
-to actually reflect that in broccoli-config.
-
-------------------------------------------------------------------------
-
-Fri Apr 29 22:36:26 BST 2005             Christian <christian@whoop.org>
-
-Fix for SYSV semaphores pointed out by Craig Leres -- I completely
-forgot to test the SYSV stuff before the release. *sigh*.
-
-------------------------------------------------------------------------
-
-Thu Apr 28 13:46:57 BST 2005             Christian <christian@whoop.org>
-
-- This is the 0.7 release.
-
-------------------------------------------------------------------------
-
-Thu Apr 28 13:43:44 BST 2005             Christian <christian@whoop.org>
-
-RPM spec file fixlet.
-
-------------------------------------------------------------------------
-
-Wed Apr 27 18:04:57 BST 2005             Christian <christian@whoop.org>
-
-Preparations for the 0.7 release.
-
-------------------------------------------------------------------------
-
-Wed Mar 16 18:34:27 GMT 2005             Christian <christian@whoop.org>
-
-I think shared connections w/ SSL work. :) They key aspects are
-
-- We want to be able to use a single connection handle in arbitrary
-process/thread scenarios: in sshd, a single handle created in the
-listening process should work in all forked children (right now I'm
-created separate ones in each child, yuck), in Apache it should work
-in all servicing threads (creating a separate connection in each
-servicing thread would be far too costly), etc.
-
-- However, all SSL I/O on a single BIO must happen in the same *thread*
-according to openssl-users -- same process seems intuitive because of
-cipher streams etc; why it's per thread I don't know.
-
-The approach is now as follows: when a connection handle is marked as
-shareable, an I/O handler process is forked off during handle setup
-that processes all I/O for a single connection handle exclusively.
-Data are processed through separate tx/rx buffers that live in shared
-memory and are protected by semaphores. Additionally, a number of
-fields in the connection handle also live in shared memory so can be
-used to send back and forth messages etc. By using global semaphores as
-condition variables, rx/tx requests are dispatched to the I/O handler
-process. Therefore this should work for all multi-process/thread
-scenarios in which processes/threads are created after the connection
-handle is set up.
-
-This all is transparent when a connection is not marked shareable. The
-main optimization left to do now is to make the locking more fine-
-grained -- a throughput comparison is going to be interesting...
-
-I haven't tried transparent reconnects again; I'd presume I managed
-to break them in the process.
-
-------------------------------------------------------------------------
-
-Mon Mar 14 17:31:17 GMT 2005             Christian <christian@whoop.org>
-
-- Lots of work on shared connection handles. This is going to take a
-while to work robustly. For now steer clear of BRO_CFLAG_SHAREABLE.
-
-- Fixed wrong ordering of semaphore locks in __bro_io_msg_queue_flush().
-
-- The connection hack to work around OpenSSL's 'temporary unavailable'
-beliefs is now only used when the problem occurs, namely during
-reconnects.
-
-- Fixed a bug in the Posix version of __bro_sem_new() that prevented
-processes from creating more than one different semaphores. Doh.
-
-- Bumped BRO_DATA_FORMAT_VERSION to 9, to sync up with Bro tree.
-
-- Added __bro_sem_get(), returning the current value of a sempahore,
-with implementations for Posix + SYSV.
-
-- Lots of calltracing added.
-
-------------------------------------------------------------------------
-
-Mon Mar 14 10:24:54 GMT 2005             Christian <christian@whoop.org>
-
-Code for shared connection handles with SSL enabled. Pretty much done,
-but needs a lot of testing now.
-
-------------------------------------------------------------------------
-
-Sat Mar 12 18:13:58 GMT 2005             Christian <christian@whoop.org>
-
-Beginning of support for sharing connection handles for SSL-enabled
-connections. Since supporting this is complex, it will be optional,
-and enabled by using the new BRO_CFLAG_SHAREABLE connection flag.
-
-------------------------------------------------------------------------
-
-Fri Mar 11 14:50:23 GMT 2005             Christian <christian@whoop.org>
-
-Move to AC_PROG_LIBTOOL.
-
-------------------------------------------------------------------------
-
-Fri Mar 11 14:33:57 GMT 2005             Christian <christian@whoop.org>
-
-Portability and robustness fixes.
-
-- auto* calls in autgen.sh are now checked for success and cause the
-script to abort on error.
-- Instead of trying to figure out what libraries the various OSs need
-in order to be able to use Posix semaphors, I'm now attempting to use
-the -pthread flag directly. If that fails, we just fall back to SYSV
-semaphores.
-- All semaphore + shmem implementations are now included in the tarball,
-the point is to include them selectively in the *build*.
-- Stevens' ifdef magic for union semun doesn't work on at least OpenBSD
-so I'm using the BSD_HOST macro from config.h now.
-- Apparently AM_PROG_LIBTOOL causes some people trouble so we need to
-check how to get that working realiably :(
-
-------------------------------------------------------------------------
-
-Mon Feb 21 14:45:51 GMT 2005             Christian <christian@whoop.org>
-
-- Partial-write bugfix. When we succeed only partially in writing out
-a message, report success, not failure. Failure is handled by queuing
-the message for later transmission, but we have already sent it
-partially and the rest is still stuck in the output buffer, so if we
-queue it again, it'll get sent at least twice.
-
-I had noticed that out of 100000 events sent by 100 processes in
-parallel, typically around 100020 arrived :)
-
-------------------------------------------------------------------------
-
-Sat Feb 19 21:04:46 GMT 2005             Christian <christian@whoop.org>
-
-- Lots of synchronization work. This generally seems to work now! :) It
-required one major addition: support for shared memory. The problem is
-that if multiple threads/processes attempt to write at the same time
-and one write succeeds only partially, then *whichever* thread/process
-gets to write next needs to write out the rest before writing any new
-messages. The only alternative is to have write operations block until
-entire messages are sent, which seems dangerous from an instrumentation
-point of view. To share the remaining message data, shared memory is
-required: both the tx and rx buffers now operate in shared memory and
-are protected by semaphores. The current implementation uses SYSV shared
-memory.
-
-I think shared memory is a good idea in general; for example it could be
-used during instrumentation to get information from one corner of an app
-to another without changing the application's structure. I don't think
-we'll need  this right away, but it's nice to have a possible technique
-for it.
-
-- bro_disconnect() is now more tricky to use than before: if you use
-it in a parallel setting, you *must* call it from the same process that
-called bro_connect() and you must do so *after* all the other processes
-have finished using the connection (typically this is not hard to do, so
-I think we can live with that).
-
-The reason is that semaphores + shared memory need to be uninstalled
-specifically and I haven't yet figured out a way to automate reference
-counting so that the last thread/process using a connection could do
-this automatically. It would be very cool if the functions that are
-used for deinstallation could be asked to fail while the IPC objects are
-still in use, but that's not the case.
-
-- You can still build the whole thing without semaphores or shared mem
-and it'll work for single-threaded apps. The configure script now issues
-a warning if not all tools required for stable parallel operation can be
-found.
-
-- Added bro_event_queue_length_max() to allow applications to find out
-the maximum queue length before messages will get dropped. brohose uses
-this to wait until the queue gets half full before insisting on a flush.
-
-------------------------------------------------------------------------
-
-Fri Feb 18 17:14:40 GMT 2005             Christian <christian@whoop.org>
-
-- SYSV semaphore implementation. Configure checks are included
-and work as follows: if both Posix + SYSV semaphores are found,
-Posix are preferred, however the user can override this by passing
---disable-posix-semaphores. Semaphores are still not actually used.
-
-
-------------------------------------------------------------------------
-
-Thu Feb 17 22:24:12 GMT 2005             Christian <christian@whoop.org>
-
-- First shot at semaphore support. Checking for Posix named semaphores
-and making sure they actually work at configure time was the hardest
-part; actual semaphore code untested and still unused. No ifdefs
-anywhere :)
-
-------------------------------------------------------------------------
-
-Thu Feb 17 20:06:00 GMT 2005             Christian <christian@whoop.org>
-
-- Incompletely sent chunks are now recognized and remaining parts are
-shipped as soon as possible: repeated brohose -n 1 -e 1000 runs do not
-take out Bro any more. :)
-
-------------------------------------------------------------------------
-
-Thu Feb 17 19:21:15 GMT 2005             Christian <christian@whoop.org>
-
-- Added "brohose", which lets you hose a Bro with events by forking a
-configurable number of processes, and having each process pump out an
-event a configurable number of times as fast as possible. This is meant
-as both a stress-testing tool for the protocol as well as obviously for
-the synchronization stuff that'll go into Broccoli soon.
-
-------------------------------------------------------------------------
-
-Wed Feb 16 17:40:47 GMT 2005             Christian <christian@whoop.org>
-
-- Documentation for the configuration options for debugging output.
-
-------------------------------------------------------------------------
-
-Thu Feb 10 11:39:57 GMT 2005             Christian <christian@whoop.org>
-
-- Changed bro_event_queue_empty() to bro_event_queue_length(),
-which is more useful in general and can be used to find out
-whether the queue is empty, too.
-
-------------------------------------------------------------------------
-
-Tue Feb  8 14:45:58 GMT 2005             Christian <christian@whoop.org>
-
-- This is release 0.6.
-
-------------------------------------------------------------------------
-
-Mon Feb  7 14:54:15 GMT 2005             Christian <christian@whoop.org>
-
-- Additional byte swaps for IP addresses + subnets for compatibility
-with Bro.
-
-------------------------------------------------------------------------
-
-Sun Feb  6 23:55:07 GMT 2005             Christian <christian@whoop.org>
-
-- Debugging output can now be configured from the config file,
-using the /broccoli/debug_messages and /broccoli/debug_calltrace
-config items.
-
-------------------------------------------------------------------------
-
-Tue Feb  1 21:34:17 GMT 2005             Christian <christian@whoop.org>
-
-- During handshake, data format compatibility is now confirmed as well
-as matching protocol version.
-
-------------------------------------------------------------------------
-
-Tue Feb  1 21:04:43 GMT 2005             Christian <christian@whoop.org>
-
-- Initial commit of support for sending/receiving libpcap packets.
-Totally untested, and not documented yet. More on this once support
-for packets is committed into the Bro tree.
-
-------------------------------------------------------------------------
-
-Tue Feb  1 18:39:02 GMT 2005             Christian <christian@whoop.org>
-
-- Transparent reconnects now also work for non-SSL connections. I was
-just lucky that the SSL handshake prevented the same problem from
-occurring in the SSL-enabled case. Two fixes were necessary:
-
- 1) a separate attempt to connect to the peer that I have full control
-    over, and
- 2) a fixlet in queue management that caused the event that
-    triggers the reconnect to be sent before any handshake information
-    for the new connection, thus causing a connection teardown by the
-    Bro end because the version number was not seen at the right time.
-
-
-------------------------------------------------------------------------
-
-Mon Jan 31 19:38:36 GMT 2005             Christian <christian@whoop.org>
-
-- Fixed a few spots where D_ENTER was not balanced with D_RETURN
-- Added an int-to-string table for message types, for debugging
-- Added a flag to the connection structure that prevents reconnect
-attempts while one is already in progress
-- Made io_msg_queue() private to bro_io.c because it was only called
-from there.
-
-------------------------------------------------------------------------
-
-Fri Jan 28 12:35:03 GMT 2005             Christian <christian@whoop.org>
-
-- Changed the error semantics of in __bro_io_msg_queue() so that queuing
-a message after failure to send is not a failure. This fixes an issue
-with handshake completion that I have observed with broping across
-different machines, where events could still get lost despite explicit
-request to complete the handshake.
-
-------------------------------------------------------------------------
-
-Sun Jan 16 20:45:42 GMT 2005             Christian <christian@whoop.org>
-
-- Serialization/Unserialization for ports fixed, support for ICMP ports.
-
-------------------------------------------------------------------------
-
-Sat Jan 15 13:58:16 GMT 2005             Christian <christian@whoop.org>
-
-- Sending and receiving IP addresses and subnets was broken, fixed now.
-- Fixed a small memleak when first-time connection setup fails.
-
-------------------------------------------------------------------------
-
-Thu Jan 13 21:03:45 GMT 2005             Christian <christian@whoop.org>
-
-- When using reconnects, Broccoli will now not attempt to reconnect
-more than once every 5s.
-
-------------------------------------------------------------------------
-
-Thu Jan 13 20:43:13 GMT 2005             Christian <christian@whoop.org>
-
-- Added connection flag BRO_CFLAG_ALWAYS_QUEUE that causes events
-always to be queued in the connection's event queue regardless of
-whether the peer is currently dead or not.
-
-- Moved the test of whether the peer requested an event that is
-about to be sent or not to the point where the event actually is
-about to be sent, from the point where it is requested to be sent.
-The difference is that now an event will get silently dropped on
-the floor if after a connection outage and a reconnect, a change
-in the events requested from the peer will prevent the old queued
-events to be sent anyway, even if they are no longer requested.
-
-------------------------------------------------------------------------
-
-Wed Jan 12 20:46:10 GMT 2005             Christian <christian@whoop.org>
-
-- Added support for transparent reconnects for broken connections.
-When using BRO_CFLAG_RECONNECT, Broccoli now attempts to reconnect
-whenever a peer died and the user tries to read from or write to
-the peer. This can aways be triggered manually using
-bro_reconnect().
-
-- Added bro_conn_alive() to determine if a connection is currently
-alive or not.
-
-------------------------------------------------------------------------
-
-Tue Jan 11 17:33:51 GMT 2005             Christian <christian@whoop.org>
-
-- Added connection flags parameter to bro_connect() and
-bro_connect_str(): BRO_CFLAG_COMPLETE_HANDSHAKE completes
-the handshake right away before returning from bro_connect()/
-bro_connect_str(), and BRO_CFLAG_RECONNECT still needs to be
-implemented. Documentation updated accordingly.
-
-------------------------------------------------------------------------
-
-Sat Jan  8 21:07:30 CET 2005             Christian <christian@whoop.org>
-
-- Allow empty (or comments-only) configuration files.
-
-------------------------------------------------------------------------
-
-Sat Jan  8 20:52:56 CET 2005             Christian <christian@whoop.org>
-
-- Fixed the home directory lookup via getpwent() -- now correctly looks
-up the entry of the current effective user. Doh.
-
-- Beginning of code for connection flags to use when creating a
-connection, for example for handshake behaviour, automatic reconnection
-attempts, etc.
-
-------------------------------------------------------------------------
-
-Tue Jan  4 23:28:59 CET 2005             Christian <christian@whoop.org>
-
-- constness fixes for functions that accept values for events and
-record fields.
-
-------------------------------------------------------------------------
-
-Tue Jan  4 22:07:35 CET 2005             Christian <christian@whoop.org>
-
-- Encrpyted connections now extract as much data as possible from
-the underlying buffer by calling BIO_read() optimistically.
-
-- For encrypted connections, the passphrase for the certificate's
-private key can now be specified in the configuration file using key
-"/broccoli/host_pass".
-
-- Added support for the handshake message in the Bro protocol.
-
-- If the ca_cert or host_cert keys are found in the config file, but
-there is a problem loading the crypto files, don't attempt to connect.
-
-- Completed documentation on encrypted communication, explaining the
-use of ca-create and ca-issue.
-
-- Fixed several bugs in the handling of sections in config files.
-Matching of domain names is now case-insensitive.
-
-- The ~/.broccoli.conf file is now only used when it is readable only
-by the user owning it.
-
-- More robustness for corner cases of buffer sizes.
-
-- Fixed a bug in sending messages that consist of only a single chunk
-(like the handshake message).
-
-- The library now attempts to initialize the random number generator
-in OpenSSL from /dev/random if possible.
-
-------------------------------------------------------------------------
-
-Fri Dec 24 11:58:08 CET 2004             Christian <christian@whoop.org>
-
-- If the ca_cert or host_cert keys are found in the config file, but
-there is a problem loading the crypto files, don't attempt to connect.
-
-- Completed documentation on encrypted communication, explaining the
-use of ca-create and ca-issue.
-
-- Fixed several bugs in the handling of sections in config files.
-
-------------------------------------------------------------------------
-
-Thu Dec 23 14:33:56 GMT 2004             Christian <christian@whoop.org>
-
-- Added sections support for configuration files. Sections can be 
-declared at arbitrary points in the config file, using the same syntax
-as in OpenSSL config files. There can be a global section at the
-beginning of the file, before the first declared sections. Sections are
-selected using bro_conf_set_domain().
-
-- Support for a per-user config file in ~/.broccoli.conf. This does
-not override settings in the global config file but completely replaces
-it, i.e., when the user-specific file is found, the global one is
-ignored.
-
-- Added bro_conn_await_handshake() that blocks for limitable amount of
-time, waiting for the handshake of a new Bro connection to complete.
-This still needs some fixing, but is definitely necessary to prevent
-weird races from occurring when a client tries to use a new connection
-that has not yet been established completely.
-
-- Test applications are now linked to static libraries. This will
-hopefully keep the build more portable.
-
-- Use of LFLAGS and YFLAGS moved to AM_LFLAGS and AM_YFLAGS, given the
-warnings issued when using automake 1.9.
-
-- First shot at fixing the buffer flushing issues I see when using 
-encrypted connections.
-
-------------------------------------------------------------------------
-
-Fri Dec 10 16:31:26 GMT 2004             Christian <christian@whoop.org>
-
-- Added + fixed OpenSSL code to support encrypted communication.
-- Added OpenSSL as requirement to spec file.
-- Changed broping policies to always use the same port
-- Updated broccoli.conf: added keys for the CA's and the host's cert.
-	
-------------------------------------------------------------------------
-
-Thu Dec  9 14:59:24 GMT 2004             Christian <christian@whoop.org>
-
-- Build fixes in case documentation tools are not found
-- Documentation polishing -- only SSL setup section todo still.
-
-------------------------------------------------------------------------
-
-Thu Dec  9 00:48:05 GMT 2004             Christian <christian@whoop.org>
-
-- Final documentation passes for the 0.6 release.
-
-------------------------------------------------------------------------
-
-Mon Dec  6 17:18:55 GMT 2004             Christian <christian@whoop.org>
-
-- More documentation, explaining the data types, records, Bro policy
-configuration, started section on SSL setup (copied from Robin right
-now), and minor fixes.
-
-------------------------------------------------------------------------
-
-Mon Dec  6 15:17:05 GMT 2004             Christian <christian@whoop.org>
-
-- Added spec file for building RPMs -- seems to work
-- Aest policies are now installed in $prefix/share/broccoli
-
-------------------------------------------------------------------------
-
-Mon Dec  6 00:22:02 GMT 2004             Christian <christian@whoop.org>
-
-- Dropped the ..._raw() functions for records. These won't be used
-internally ever. Their implementation moved to bro.c, and only the high-
-level code remained in bro_record.c.
-
-- Added bro_event_set_val() to replace a val in an existing event.
-There's not much use in resending an existing event unless it is
-identical, which is not that useful. High-level code is in
-__bro_event_set_val().
-
-- Made it more clear in the comments explaining the
-bro_record_get_..._val() functions that the "result" argument must
-actually be the address of a pointer. (void * as argument type means
-that the compiler does not issue a warning when passing in, say, a
-double * -- but it would do so if we would use void **.)
-
-------------------------------------------------------------------------
-
-Sun Dec  5 22:05:53 GMT 2004             Christian <christian@whoop.org>
-
-- Updates to the cvs wrapper script: surround with date and name
-only in the ChangeLog, not in the commit message itself.
-
-------------------------------------------------------------------------
-
-Sun Dec  5 02:15:29 GMT 2004             Christian <christian@whoop.org>
-
-- Fixed a bug in __bro_val_clone(): forgot to handle BRO_INTTYPE_OTHER.
-
-- Changed --enable-debugging flag to --enable-debug, for consistency
-with the Bro tree.
-
-- Fixed bugs in several cloning implementations that didn't call the
-parent's implementation.
-
-------------------------------------------------------------------------
-
-Sun Dec  5 01:40:52 GMT 2004             Christian <christian@whoop.org>
-
-- Added __bro_event_copy() to clone events internally.
-
-- Events are now duplicated in __bro_io_event_queue() before they're
-sent so the user's event remains unaffected (and thus could be sent
-repeatedly etc).
-
-- Extensive pass over the documentation; still a good deal to do.
-
-------------------------------------------------------------------------
-
-Sat Dec  4 03:09:05 GMT 2004             Christian <christian@whoop.org>
-
-More work on documentation, much is outdated now.
-
-------------------------------------------------------------------------
-
-Sat Dec  4 02:05:30 GMT 2004             Christian <christian@whoop.org>
- 
-- Started a ChangeLog. No detailed ChangeLog information was kept
-previous to this commit.
- 
-------------------------------------------------------------------------
diff --git a/aux/broccoli/INSTALL b/aux/broccoli/INSTALL
deleted file mode 100644
index b42a17ac46..0000000000
--- a/aux/broccoli/INSTALL
+++ /dev/null
@@ -1,182 +0,0 @@
-Basic Installation
-==================
-
-   These are generic installation instructions.
-
-   The `configure' shell script attempts to guess correct values for
-various system-dependent variables used during compilation.  It uses
-those values to create a `Makefile' in each directory of the package.
-It may also create one or more `.h' files containing system-dependent
-definitions.  Finally, it creates a shell script `config.status' that
-you can run in the future to recreate the current configuration, a file
-`config.cache' that saves the results of its tests to speed up
-reconfiguring, and a file `config.log' containing compiler output
-(useful mainly for debugging `configure').
-
-   If you need to do unusual things to compile the package, please try
-to figure out how `configure' could check whether to do them, and mail
-diffs or instructions to the address given in the `README' so they can
-be considered for the next release.  If at some point `config.cache'
-contains results you don't want to keep, you may remove or edit it.
-
-   The file `configure.in' is used to create `configure' by a program
-called `autoconf'.  You only need `configure.in' if you want to change
-it or regenerate `configure' using a newer version of `autoconf'.
-
-The simplest way to compile this package is:
-
-  1. `cd' to the directory containing the package's source code and type
-     `./configure' to configure the package for your system.  If you're
-     using `csh' on an old version of System V, you might need to type
-     `sh ./configure' instead to prevent `csh' from trying to execute
-     `configure' itself.
-
-     Running `configure' takes awhile.  While running, it prints some
-     messages telling which features it is checking for.
-
-  2. Type `make' to compile the package.
-
-  3. Optionally, type `make check' to run any self-tests that come with
-     the package.
-
-  4. Type `make install' to install the programs and any data files and
-     documentation.
-
-  5. You can remove the program binaries and object files from the
-     source code directory by typing `make clean'.  To also remove the
-     files that `configure' created (so you can compile the package for
-     a different kind of computer), type `make distclean'.  There is
-     also a `make maintainer-clean' target, but that is intended mainly
-     for the package's developers.  If you use it, you may have to get
-     all sorts of other programs in order to regenerate files that came
-     with the distribution.
-
-Compilers and Options
-=====================
-
-   Some systems require unusual options for compilation or linking that
-the `configure' script does not know about.  You can give `configure'
-initial values for variables by setting them in the environment.  Using
-a Bourne-compatible shell, you can do that on the command line like
-this:
-     CC=c89 CFLAGS=-O2 LIBS=-lposix ./configure
-
-Or on systems that have the `env' program, you can do it like this:
-     env CPPFLAGS=-I/usr/local/include LDFLAGS=-s ./configure
-
-Compiling For Multiple Architectures
-====================================
-
-   You can compile the package for more than one kind of computer at the
-same time, by placing the object files for each architecture in their
-own directory.  To do this, you must use a version of `make' that
-supports the `VPATH' variable, such as GNU `make'.  `cd' to the
-directory where you want the object files and executables to go and run
-the `configure' script.  `configure' automatically checks for the
-source code in the directory that `configure' is in and in `..'.
-
-   If you have to use a `make' that does not supports the `VPATH'
-variable, you have to compile the package for one architecture at a time
-in the source code directory.  After you have installed the package for
-one architecture, use `make distclean' before reconfiguring for another
-architecture.
-
-Installation Names
-==================
-
-   By default, `make install' will install the package's files in
-`/usr/local/bin', `/usr/local/man', etc.  You can specify an
-installation prefix other than `/usr/local' by giving `configure' the
-option `--prefix=PATH'.
-
-   You can specify separate installation prefixes for
-architecture-specific files and architecture-independent files.  If you
-give `configure' the option `--exec-prefix=PATH', the package will use
-PATH as the prefix for installing programs and libraries.
-Documentation and other data files will still use the regular prefix.
-
-   In addition, if you use an unusual directory layout you can give
-options like `--bindir=PATH' to specify different values for particular
-kinds of files.  Run `configure --help' for a list of the directories
-you can set and what kinds of files go in them.
-
-   If the package supports it, you can cause programs to be installed
-with an extra prefix or suffix on their names by giving `configure' the
-option `--program-prefix=PREFIX' or `--program-suffix=SUFFIX'.
-
-Optional Features
-=================
-
-   Some packages pay attention to `--enable-FEATURE' options to
-`configure', where FEATURE indicates an optional part of the package.
-They may also pay attention to `--with-PACKAGE' options, where PACKAGE
-is something like `gnu-as' or `x' (for the X Window System).  The
-`README' should mention any `--enable-' and `--with-' options that the
-package recognizes.
-
-   For packages that use the X Window System, `configure' can usually
-find the X include and library files automatically, but if it doesn't,
-you can use the `configure' options `--x-includes=DIR' and
-`--x-libraries=DIR' to specify their locations.
-
-Specifying the System Type
-==========================
-
-   There may be some features `configure' can not figure out
-automatically, but needs to determine by the type of host the package
-will run on.  Usually `configure' can figure that out, but if it prints
-a message saying it can not guess the host type, give it the
-`--host=TYPE' option.  TYPE can either be a short name for the system
-type, such as `sun4', or a canonical name with three fields:
-     CPU-COMPANY-SYSTEM
-
-See the file `config.sub' for the possible values of each field.  If
-`config.sub' isn't included in this package, then this package doesn't
-need to know the host type.
-
-   If you are building compiler tools for cross-compiling, you can also
-use the `--target=TYPE' option to select the type of system they will
-produce code for and the `--build=TYPE' option to select the type of
-system on which you are compiling the package.
-
-Sharing Defaults
-================
-
-   If you want to set default values for `configure' scripts to share,
-you can create a site shell script called `config.site' that gives
-default values for variables like `CC', `cache_file', and `prefix'.
-`configure' looks for `PREFIX/share/config.site' if it exists, then
-`PREFIX/etc/config.site' if it exists.  Or, you can set the
-`CONFIG_SITE' environment variable to the location of the site script.
-A warning: not all `configure' scripts look for a site script.
-
-Operation Controls
-==================
-
-   `configure' recognizes the following options to control how it
-operates.
-
-`--cache-file=FILE'
-     Use and save the results of the tests in FILE instead of
-     `./config.cache'.  Set FILE to `/dev/null' to disable caching, for
-     debugging `configure'.
-
-`--help'
-     Print a summary of the options to `configure', and exit.
-
-`--quiet'
-`--silent'
-`-q'
-     Do not print messages saying which checks are being made.  To
-     suppress all normal output, redirect it to `/dev/null' (any error
-     messages will still be shown).
-
-`--srcdir=DIR'
-     Look for the package's source code in directory DIR.  Usually
-     `configure' can determine that directory automatically.
-
-`--version'
-     Print the version of Autoconf used to generate the `configure'
-     script, and exit.
-
-`configure' also accepts some other, not widely useful, options.
diff --git a/aux/broccoli/Makefile.am b/aux/broccoli/Makefile.am
deleted file mode 100644
index 0a3046a11b..0000000000
--- a/aux/broccoli/Makefile.am
+++ /dev/null
@@ -1,20 +0,0 @@
-## Process this file with automake to produce Makefile.in
-
-SUBDIRS = src test docs bindings
-
-# When running distcheck, make sure we skip building documentation.
-#
-DISTCHECK_CONFIGURE_FLAGS = --disable-gtk-doc
-
-MAINTAINERCLEANFILES = Makefile.in aclocal.m4 config.guess \
-                       config.h.in config.sub configure install-sh \
-		       ltconfig ltmain.sh missing mkinstalldirs \
-		       stamp-h.in
-
-bin_SCRIPTS = broccoli-config
-dist_sysconf_DATA = broccoli.conf
-
-EXTRA_DIST = README AUTHORS COPYING depcomp ylwrap shtool \
-	compat/sys/queue.h broccoli.spec contrib \
-	autogen.sh
-
diff --git a/aux/broccoli/NEWS b/aux/broccoli/NEWS
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/aux/broccoli/README b/aux/broccoli/README
deleted file mode 100644
index d34833c367..0000000000
--- a/aux/broccoli/README
+++ /dev/null
@@ -1,66 +0,0 @@
-
-			B  R  O  C  C  O  L  I
-
-		 The Bro Client Communications Library
-
-                        http://www.bro-ids.org
-
-________________________________________________________________________
-
-This package contains Broccoli, the Bro client communications library.
-It allows you to create client sensors for the Bro intrusion detection
-system. Broccoli can speak a good subset of the Bro communication
-protocol, in particular, it can receive Bro IDs, send and receive Bro
-events, and send and receive event requests to/from peering Bros. You
-can currently create and receive values of pure types like integers,
-counters, timestamps, IP addresses, port numbers, booleans, and strings.
-
-The library uses OpenSSL for encrypted communication. Other than that,
-the library has no other dependencies and has been tested on Linux, the
-BSDs, and Solaris. A Windows build has not currently been tried but
-is part of our future plans. If you succeed in building Broccoli on
-other platforms, let us know!
-
-To build, do the usual ./configure; make; make install routine. Here's
-a list of the current configure options:
-	
-  --enable-debug
- 
-  This one enables lots of debugging output. Be sure to disable this
-  when using the library in a production environment! The output could
-  easily end up in undersired places when the stdout of the program
-  you've instrumented is used in other ways.
-
-  --with-configfile=FILE
-  
-  Broccoli can read key/value pairs from a config file. By default it
-  is located in the etc directory of the installation root (exception:
-  when using --prefix=/usr, /etc is used instead of /usr/etc). The
-  default config file name is broccoli.conf. Using --with-configfile,
-  you can override the location and name of the config file.
-
-To use the library in other programs & configure scripts, use the
-broccoli-config script. It gives you the necessary configuration flags
-and linker flags for your system, see --cflags and --libs.
-
-The API is contained in broccoli.h and pretty well documented. A few
-usage examples can be found in the test directory, in particular, the
-broping tool can be used to test event transmission and reception. Have
-a look at the policy file broping.bro for the events that need to be
-defined at the peering Bro. Try broping -h for a look at the available
-options.
-
-Broccoli knows two kinds of version numbers: the release version number
-(as in "broccoli-x.y.tar.gz", or as shipped with Bro) and the shared
-library API version number. The former relates to changes in the tree,
-the latter to compatibility changes in the API. You can see their
-correspondence in VERSION.
-
-Comments, feedback and patches are appreciated, please send them to
-the Bro mailing list at bro(at)bro-ids.org or directly to the author at
-christian (at) icir.org.
-
-						Enjoy!
-					        --Christian.
-________________________________________________________________________
-$Id: README 4043 2007-03-01 23:15:14Z kreibich $
diff --git a/aux/broccoli/TODO b/aux/broccoli/TODO
deleted file mode 100644
index 10d875aac6..0000000000
--- a/aux/broccoli/TODO
+++ /dev/null
@@ -1,27 +0,0 @@
-- Separate method pointers (i.e., the vtable) in the various classes into
-  separate "class" structs (think klass in Gtk). Right now these waste
-  space because they're allocated with every instance, but since they're
-  not used extensively it hasn't really been worth it so far.
-
-- The init methods must be allowed to fail. Currently allocations in that
-  method can fail but this failure can not be signaled to the caller.
-
-- Add an error variable so the user has a way to figure out what happened
-  when things go wrong.
-
-- Add support for at least a small number of expressions -- needed in
-  bro_attr.[ch].
-
-- Add support for tables/sets.
-
-- Add a server-suitable API, i.e., how can one write an application that
-  listens on a given port, using Broccoli.
-
-- When configure determined that lex+yacc exist, make clean doesn't clean
-  up the generated lexer/parser C files. I presume this is because I keep
-  them all in EXTRA_DIST. Ensure make clean removes the generated files
-  when we know we can regenerate them.
-
-- There's a segfault lurking in __bro_record_get_nth_val() with records
-  that don't have all members assigned to. Investigate whether dummy
-  val approach really works or whether it's a design flaw.
diff --git a/aux/broccoli/autogen.sh b/aux/broccoli/autogen.sh
deleted file mode 100755
index ef3e9188f5..0000000000
--- a/aux/broccoli/autogen.sh
+++ /dev/null
@@ -1,131 +0,0 @@
-#!/bin/sh
-
-# Initialization script to set up the initial configuration files etc.
-# shtool usage inspired by the autogen script of the ferite scripting
-# language -- cheers Chris :)
-
-BLD_ON=`./shtool echo -n -e %B`
-BLD_OFF=`./shtool echo -n -e %b`
-
-LT=libtoolize
-DIE=0
-NAME=broccoli
-
-echo
-echo "             "${BLD_ON}"Broccoli Build Tools Setup"${BLD_OFF}
-echo "===================================================="
-echo
-echo "Checking whether we have all tools available ..."
-
-(autoconf --version) < /dev/null > /dev/null 2>&1 || {
-  echo
-  echo ${BLD_ON}"Error"${BLD_OFF}": You must have \`autoconf' installed to."
-  echo "Download the appropriate package for your distribution,"
-  echo "or get the source tarball at ftp://ftp.gnu.org/pub/gnu/"
-  DIE=1
-}
-
-($LT --version) < /dev/null > /dev/null 2>&1 || {
-  LT=glibtoolize
-
-  ($LT --version) < /dev/null > /dev/null 2>&1 || {
-    echo
-    echo ${BLD_ON}"Error"${BLD_OFF}": You must have \`libtool' installed."
-    echo "Download the appropriate package for your distribution,"
-    echo "or get the source tarball at ftp://ftp.gnu.org/pub/gnu/"
-    DIE=1
-  }
-}
-
-(automake --version) < /dev/null > /dev/null 2>&1 || {
-  echo
-  echo ${BLD_ON}"Error"${BLD_OFF}": You must have \`automake' installed."
-  echo "Get ftp://ftp.gnu.org/pub/gnu/automake-1.3.tar.gz"
-  echo "(or a newer version if it is available)"
-  DIE=1
-  NO_AUTOMAKE=yes
-}
-
-
-# if no automake, don't bother testing for aclocal
-test -n "$NO_AUTOMAKE" || (aclocal --version) < /dev/null > /dev/null 2>&1 || {
-  echo
-  echo ${BLD_ON}"Error"${BLD_OFF}": Missing \`aclocal'.  The version of \`automake'"
-  echo "installed doesn't appear recent enough."
-  echo "Get ftp://ftp.gnu.org/pub/gnu/automake-1.3.tar.gz"
-  echo "(or a newer version if it is available)"
-  DIE=1
-}
-
-if test "$DIE" -eq 1; then
-  exit 1
-fi
-
-echo "All necessary tools found."
-echo
-
-if [ -d autom4te.cache ] ; then
-    echo "Removing autom4te.cache ..."
-    rm -rf autom4te.cache
-fi
-
-echo
-echo "running "${BLD_ON}$LT${BLD_OFF}
-echo "----------------------------------------------------"
-$LT -c -f
-if [ $? -ne 0 ]; then
-    echo "*** ERROR($NAME), aborting."
-    exit 1
-fi
-
-echo
-echo "running "${BLD_ON}"aclocal"${BLD_OFF}
-echo "----------------------------------------------------"
-aclocal -I . $ACLOCAL_FLAGS
-if [ $? -ne 0 ]; then
-    echo "*** ERROR($NAME), aborting."
-    exit 1
-fi
-
-echo
-echo "running "${BLD_ON}"autoheader"${BLD_OFF}
-echo "----------------------------------------------------"
-autoheader
-if [ $? -ne 0 ]; then
-    echo "*** ERROR($NAME), aborting."
-    exit 1
-fi
-
-echo
-echo "running "${BLD_ON}"automake"${BLD_OFF}
-echo "----------------------------------------------------"
-automake -a -c
-if [ $? -ne 0 ]; then
-    echo "*** ERROR($NAME), aborting."
-    exit 1
-fi
-
-echo
-echo "running "${BLD_ON}"autoconf"${BLD_OFF}
-echo "----------------------------------------------------"
-autoconf
-if [ $? -ne 0 ]; then
-    echo "*** ERROR($NAME), aborting."
-    exit 1
-fi
-
-if ! test "x$BROBUILD" = xyes; then
-echo
-echo 
-echo "Setup finished. Now run:"
-echo
-echo "  $ "${BLD_ON}"./configure"${BLD_OFF}" (with options as needed, try --help)"
-echo
-echo "and then"
-echo
-echo "  $ "${BLD_ON}"make"${BLD_OFF}
-echo "  # "${BLD_ON}"make install"${BLD_OFF}
-echo
-echo "  (or use "${BLD_ON}"gmake"${BLD_OFF}" when make on your platform isn't GNU make)"
-echo
-fi
diff --git a/aux/broccoli/bindings/Makefile.am b/aux/broccoli/bindings/Makefile.am
deleted file mode 100644
index dfc9c49f30..0000000000
--- a/aux/broccoli/bindings/Makefile.am
+++ /dev/null
@@ -1,18 +0,0 @@
-# While recursive inclusion is possible, this would include
-# *anything* found in there, which is not what we want. --cpk
-#
-EXTRA_DIST = \
-./python/README \
-./python/README.html \
-./python/TODO \
-./python/broccoli_intern.i \
-./python/broccoli_intern.py \
-./python/broccoli_intern_wrap.c \
-./python/broccoli.py \
-./python/Makefile \
-./python/setup.py \
-./python/tests \
-./python/tests/broping.py \
-./python/tests/broping-record.py \
-./python/tests/test.bro \
-./python/tests/test.py
diff --git a/aux/broccoli/bindings/python/Makefile b/aux/broccoli/bindings/python/Makefile
deleted file mode 100644
index 35bfa53b1b..0000000000
--- a/aux/broccoli/bindings/python/Makefile
+++ /dev/null
@@ -1,18 +0,0 @@
-# $Id$
-#
-# Makefile not need to build module. Use "python setup.py install" instead.
-
-CLEAN=build broccoli_intern_wrap.c broccoli_intern.py README.html *.pyc 
-
-all : doc broccoli_intern_wrap.c
- 
-broccoli_intern_wrap.c :  broccoli_intern.i
-	swig -python -I../../src -o broccoli_intern_wrap.c broccoli_intern.i
-
-doc : README.html
-
-clean:
-	rm -rf $(CLEAN)
-
-README.html : README
-	-asciidoc -a toc -b xhtml11-custom README
diff --git a/aux/broccoli/bindings/python/README b/aux/broccoli/bindings/python/README
deleted file mode 100644
index d8b0b2f466..0000000000
--- a/aux/broccoli/bindings/python/README
+++ /dev/null
@@ -1,240 +0,0 @@
-//	-*- AsciiDoc -*-
-Python Bindings for Broccoli
-============================
-
-Overview
---------
-
-This Python module provides bindings for
-http://www.icir.org/christian/broccoli/index.html[Broccoli], Bro's
-client communication library. In general, the bindings provide the
-same functionality as Broccoli's C API. 
-
-Download
---------
-
-Since Bro 1.4, a stable version of the Python module ships as part
-of the Bro distribution in +aux/broccoli/bindings/python+. 
-
-The most current development version is part of the Bro Subversion
-repository. To get it, use:
-
-   > svn checkout http://svn.icir.org/bro/trunk/bro/aux/broccoli/bindings/python
-
-Installation
-------------
-
-Installation of the Python module is pretty straight-forward. After
-Broccoli itself has been
-http://www.icir.org/christian/broccoli/manual/c55.html[installed],
-it follows the standard installation process for Python modules:
-
-    > python setup.py install
-
-Try the following to test the installation. If you do not see any
-error message, everything should be fine:
-
-    > python -c "import broccoli"
-    > 
-
-Usage
------
-
-The following examples demonstrate how to send and receive Bro
-events in Python. 
-
-The main challenge when using Broccoli from Python is dealing with
-the data types of Bro event parameters as there is no one-to-one
-mapping between Bro's types and Python's types. The Python modules
-automatically maps between those types which both systems provide
-(such as strings) and provides a set of wrapper classes for Bro
-types which do not have a direct Python equivalent (such as IP
-addresses). 
-
-Connecting to Bro
-~~~~~~~~~~~~~~~~~
-
-The following code sets up a connection from Python to a remote Bro
-instance (or another Broccoli) and provides a connection handle for
-further communication:
-
-     from broccoli import *
-     bc = Connection("127.0.0.1:47758")
-     
-An +IOError+ will be raised if the connection cannot be established. 
-
-Sending Events
-~~~~~~~~~~~~~~
-
-Once you have a connection handle +bc+ set up as shown above, you can
-start sending events:
-
-     bc.send("foo", 5, "attack!")
-
-This sends an event called +foo+ with two parameters, +5+ and
-+attack!+. Broccoli operates asynchronously, i.e., events scheduled
-with +send()+ are not always sent out immediately but might be
-queued for later transmission. To ensure that all events get out
-(and incoming events are processed, see below), you need to call
-+bc.processInput()+ regularly.
-
-Data Types
-~~~~~~~~~~
-
-In the example above, the types of the event parameters are
-automatically derived from the corresponding Python types: the first
-parameter (+5+) has the Bro type +int+ and the second one
-(+attack!+) has Bro type +string+. 
-
-For types which do not have a Python equivalent, the +broccoli+
-module provides wrapper classes which have the same names as the
-corresponding Bro types. For example, to send an event called +bar+
-with one +addr+ argument and one +count+ argument, you can write:
-
-     bc.send("bar", addr("192.168.1.1"), count(42))
-
-The following table summarizes the available atomic types and their
-usage.
-
-.Bro vs. Python types
-[grid="all"] 
-.---------.-----------.-------------------------- 
-Bro Type   Python Type   Example
--------------------------------------------------
-addr                   +addr("192.168.1.1")+
-bool       bool        +True+
-count                  +count(42)+
-double     float       +3.14+             
-enum                   _Type currently not supported_
-int 	   int         +5+
-interval               +interval(60)+
-net                    _Type currently not supported_
-port	               +port("80/tcp")+
-string     string      +"attack!"+
-subnet                 +subnet("192.168.1.0/24")+
-time                   +time(1111111111.0)+
--------------------------------------------------
-
-The +broccoli+ module also supports sending Bro records as event
-parameters. To send a record, you first define a record type. For
-example, a Bro record type
-
-    type my_record: record {
-        a: int;
-        b: addr;
-        c: subnet;
-    };
-    
-turns into Python as
-
-    my_record = record_type("a", "b", "c")
-  
-As the example shows, Python only needs to know the attribute names
-but not their types. The types are derived automatically in the same
-way as discussed above for atomic event parameters. 
-
-Now you can instantiate a record instance of the newly defined type
-and send it out:
-
-    rec = record(my_record)
-    rec.a = 5
-    rec.b = addr("192.168.1.1")
-    rec.c = subnet("192.168.1.0/24")
-    bc.send("my_event", rec)
-    
-NOTE: The Python module does not support nested records at this
-time. 
-
-Receiving Events
-~~~~~~~~~~~~~~~~
-
-To receive events, you define a callback function having the same
-name as the event and mark it with the +event+ decorator:
-
-   @event
-   def foo(arg1, arg2):
-       print arg1, arg2    
-
-Once you start calling +bc.processInput()+ regularly (see above),
-each received +foo+ event will trigger the callback function. 
-
-By default, the event's arguments are always passed in with built-in
-Python types. For Bro types which do not have a direct Python
-equivalent (see table above), a substitute built-in type is used
-which corresponds to the type the wrapper class' constructor expects
-(see the examples in the table). For example, Bro type +addr+ is
-passed in as a string and Bro type +time+ is passed in as a float.
-
-Alternatively, you can define a _typed_ prototype for the event. If you
-do so, arguments will first be type-checked and then passed to the
-call-back with the specified type (which means instances of the
-wrapper classes for non-Python types). Example:
-
-   @event(count, addr)
-   def bar(arg1, arg2):
-       print arg1, arg2
-
-Here, +arg1+ will be an instance of the +count+ wrapper class and
-+arg2+ will be an instance of the +addr+ wrapper class. 
-
-Protoyping works similarly with built-in Python types:
-
-   @event(int, string):
-   def foo(arg1, arg2):
-       print arg1, arg2
-       
-In general, the prototype specifies the types in which the callback
-wants to receive the arguments. This actually provides support for
-simple type casts as some types support conversion to into something
-different. If for instance the event source sends an event with a
-single port argument, +@event(port)+ will pass the port as an
-instance of the +port+ wrapper class; +@event(string)+ will pass it
-as a string (e.g., +"80/tcp"+); and +@event(int)+ will pass it as an
-integer without protocol information (e.g., just +80+). If an
-argument cannot be converted into the specified type, a +TypeError+
-will be raised.
-
-To receive an event with a record parameter, the record type first
-needs to be defined, as described above. Then the type can be used
-with the +@event+ decorator in the same way as atomic types:
-
-   my_record = record_type("a", "b", "c")
-   @event(my_record)
-   def my_event(rec):
-       print rec.a, rec.b, rec.c
-
-Helper Functions
-----------------
-
-The +broccoli+ module provides one helper function: +current_time()+
-returns the current time as a float which, if necessary, can be
-wrapped into a +time+ parameter (i.e., +time(current_time()+)
-
-Examples
---------
-
-There are some example scripts in
-http://svn.icir.org/bro/branches/robin/work/aux/broccoli/bindings/python/tests/[+aux/broccoli/bindings/python/tests+]:
-
-   - http://svn.icir.org/bro/branches/robin/work/aux/broccoli/bindings/python/tests/broping.py[+broping.py+]
-   is a (simplified) Python version of Broccoli's test program
-   +broping+. Start Bro with
-   http://svn.icir.org/bro/branches/robin/work/aux/broccoli/test/broping.bro[+aux/broccoli/test/broping.bro+].
-   
-   - Similarly,
-   http://svn.icir.org/bro/branches/robin/work/aux/broccoli/bindings/python/tests/broping-record.py[+broping-record.py+]
-   is a Python version of Broccoli's +broping+ for records. Start
-   Bro with
-   http://svn.icir.org/bro/branches/robin/work/aux/broccoli/test/broping-record.bro[+aux/broccoli/test/broping-record.bro+].
-   
-   - http://svn.icir.org/bro/branches/robin/work/aux/broccoli/bindings/python/tests/test.py[+test.py+]
-   is a very ugly but comprehensive regression test and part of the
-   communication test-suite. Start Bro with
-   http://svn.icir.org/bro/branches/robin/work/aux/broccoli/bindings/python/tests/test.bro[+test.bro+].
-   
-   
-
-
-
-
-
diff --git a/aux/broccoli/bindings/python/README.html b/aux/broccoli/bindings/python/README.html
deleted file mode 100644
index d8792f8485..0000000000
--- a/aux/broccoli/bindings/python/README.html
+++ /dev/null
@@ -1,800 +0,0 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
-    "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
-<meta name="generator" content="AsciiDoc 8.2.3" />
-<style type="text/css">
-/* Debug borders */
-p, li, dt, dd, div, pre, h1, h2, h3, h4, h5, h6 {
-/*
-  border: 1px solid red;
-*/
-}
-
-body {
-  background:#ffffff;
-  margin:0;
-  padding:20px 10px;
-  font-size: small;
-  font-family: sans-serif;
-  color: #505050;
-  margin: 1em 10% 1em 10%;
-}
-
-a {
-  color: #005000;
-}
-
-a:visited {
-  color: #005000;
-}
-
-a:hover {
-  color: #002000;
-}
-
-em {
-  font-style: italic;
-}
-
-strong {
-  font-weight: bold;
-}
-
-tt {
-  color: #000000;
-}
-
-h1, h2, h3, h4, h5, h6, div#toctitle {
-  color: #227022;
-  font-family: sans-serif;
-  margin-top: 1.2em;
-  margin-bottom: 0.5em;
-  line-height: 1.3;
-  font-weight: normal;
-}
-
-h1, h2, h3, div#toctitle {
-  border-bottom: 1px solid;
-  border-color: #000000;
-}
-
-h1 {
-  font-size: x-large;
-  }
-
-h2, div#toctitle {
-  padding-top: 0.5em;
-  font-size: medium;
-}
-h3 {
-  float: left;
-  font-size: small;
-}
-h3 + * {
-  clear: left;
-}
-
-div.sectionbody {
-  font-family: sans-serif;
-  margin-left: 0;
-}
-
-hr {
-  border: 1px solid;
-}
-
-p {
-  margin-top: 0.5em;
-  margin-bottom: 0.5em;
-}
-
-pre {
-  padding: 0;
-  margin: 0;
-}
-
-span#author {
-  color: #338033;
-  font-family: sans-serif;
-  font-size: 1.1em;
-}
-span#email {
-}
-span#revision {
-  font-family: sans-serif;
-}
-
-div#footer {
-  font-family: sans-serif;
-  font-size: x-small;
-  border-top: 1px solid;
-  padding-top: 0.5em;
-  margin-top: 4.0em;
-}
-div#footer-text {
-  float: left;
-  padding-bottom: 0.5em;
-}
-div#footer-badges {
-  float: right;
-  padding-bottom: 0.5em;
-}
-
-div#preamble,
-div.tableblock, div.imageblock, div.exampleblock, div.verseblock,
-div.quoteblock, div.literalblock, div.listingblock, div.sidebarblock,
-div.admonitionblock {
-  margin-top: 1.5em;
-  margin-left: 1em;
-  margin-bottom: 1.5em;
-/*  background: #eeffcc; */
-}
-div.admonitionblock {
-  margin-top: 2.5em;
-  margin-bottom: 2.5em;
-}
-
-div.content { /* Block element content. */
-  padding: 0;
-}
-
-/* Block element titles. */
-div.title, caption.title {
-  font-family: sans-serif;
-  text-align: left;
-  margin-top: 1.0em;
-  margin-bottom: 0.5em;
-}
-div.title + * {
-  margin-top: 0;
-}
-
-td div.title:first-child {
-  margin-top: 0.0em;
-}
-div.content div.title:first-child {
-  margin-top: 0.0em;
-}
-div.content + div.title {
-  margin-top: 0.0em;
-}
-
-div.sidebarblock > div.content {
-  background: #ffffee;
-  border: 1px solid;
-  padding: 0.5em;
-}
-
-div.listingblock {
-  margin-right: 0%;
-}
-div.listingblock > div.content {
-  border: 1px solid;
-  background: #f4f4f4;
-  padding: 0.5em;
-}
-
-div.quoteblock > div.content {
-  padding-left: 2.0em;
-}
-
-div.attribution {
-  text-align: right;
-}
-
-div.verseblock + div.attribution {
-  text-align: left;
-}
-
-div.admonitionblock .icon {
-  vertical-align: top;
-  font-size: 1.1em;
-  color: #338033;
-  padding-right: 0.5em;
-}
-div.admonitionblock td.content {
-  padding-left: 0.5em;
-  border-left: 2px solid;
-}
-
-div.exampleblock > div.content {
-  border-left: 2px solid;
-  padding: 0.5em;
-}
-
-div.verseblock div.content {
-  white-space: pre;
-}
-
-div.imageblock div.content { padding-left: 0; }
-div.imageblock img { border: 1px solid ; }
-span.image img { border-style: none; }
-
-dl {
-  margin-top: 0.8em;
-  margin-bottom: 0.8em;
-}
-dt {
-  margin-top: 0.5em;
-  margin-bottom: 0;
-  font-style: italic;
-}
-dd > *:first-child {
-  margin-top: 0;
-}
-
-ul, ol {
-    list-style-position: outside;
-}
-div.olist2 ol {
-  list-style-type: lower-alpha;
-}
-
-div.tableblock > table {
-  border: 3px solid #527bbd;
-}
-
-div.addrblock > table {
-  border: 0px 0px 0px 0px;
-  border-style: none none none none;
-  padding: 0px;
-  margin: 10px;
-  color: #000000;
-}
-
-table.addrblockbg {
-  /*
-  border-top: 1px solid;
-  border-bottom: 1px solid;
-  */
-  background: #e0ffe0 ;
-  border-style: none;
-  outline-style: none;
-}
-
-thead {
-  font-family: sans-serif;
-  color: #000000;
-}
-tfoot {
-  font-weight: bold;
-  color: #000000;
-}
-
-div.hlist {
-  margin-top: 0.8em;
-  margin-bottom: 0.8em;
-}
-div.hlist td {
-  padding-bottom: 5px;
-}
-td.hlist1 {
-  vertical-align: top;
-  font-style: italic;
-  padding-right: 0.8em;
-}
-td.hlist2 {
-  vertical-align: top;
-}
-
-@media print {
-  div#footer-badges { display: none; }
-}
-
-div.toclevel1, div.toclevel2, div.toclevel3, div.toclevel4 {
-  margin-top: .5ex;
-  margin-bottom: 0;
-  margin-left: 2em;
-  line-height: 1.3;
-}
-div.toclevel1 {
-  margin-top: 1ex;
-}
-div.toclevel2 {
-  margin-left: 4em;
-}
-
-div.toclevel3 {
-  margin-left: 6em;
-}
-div.toclevel4 {
-  margin-left: 8em;
-}
-/* Workarounds for IE6's broken and incomplete CSS2. */
-
-div.sidebar-content {
-  background: #ffffee;
-  border: 1px solid silver;
-  padding: 0.5em;
-}
-div.sidebar-title, div.image-title {
-  font-family: sans-serif;
-  font-weight: bold;
-  margin-top: 0.0em;
-  margin-bottom: 0.5em;
-}
-
-div.listingblock div.content {
-  border: 1px solid silver;
-  background: #f4f4f4;
-  padding: 0.5em;
-}
-
-div.quoteblock-content {
-  padding-left: 2.0em;
-}
-
-div.exampleblock-content {
-  border-left: 2px solid silver;
-  padding-left: 0.5em;
-}
-
-/* IE6 sets dynamically generated links as visited. */
-div#toc a:visited { color: blue; }
-</style>
-<script type="text/javascript">
-/*<![CDATA[*/
-window.onload = function(){generateToc(2)}
-/* Author: Mihai Bazon, September 2002
- * http://students.infoiasi.ro/~mishoo
- *
- * Table Of Content generator
- * Version: 0.4
- *
- * Feel free to use this script under the terms of the GNU General Public
- * License, as long as you do not remove or alter this notice.
- */
-
- /* modified by Troy D. Hanson, September 2006. License: GPL */
- /* modified by Stuart Rackham, October 2006. License: GPL */
-
-function getText(el) {
-  var text = "";
-  for (var i = el.firstChild; i != null; i = i.nextSibling) {
-    if (i.nodeType == 3 /* Node.TEXT_NODE */) // IE doesn't speak constants.
-      text += i.data;
-    else if (i.firstChild != null)
-      text += getText(i);
-  }
-  return text;
-}
-
-function TocEntry(el, text, toclevel) {
-  this.element = el;
-  this.text = text;
-  this.toclevel = toclevel;
-}
-
-function tocEntries(el, toclevels) {
-  var result = new Array;
-  var re = new RegExp('[hH]([2-'+(toclevels+1)+'])');
-  // Function that scans the DOM tree for header elements (the DOM2
-  // nodeIterator API would be a better technique but not supported by all
-  // browsers).
-  var iterate = function (el) {
-    for (var i = el.firstChild; i != null; i = i.nextSibling) {
-      if (i.nodeType == 1 /* Node.ELEMENT_NODE */) {
-        var mo = re.exec(i.tagName)
-        if (mo)
-          result[result.length] = new TocEntry(i, getText(i), mo[1]-1);
-        iterate(i);
-      }
-    }
-  }
-  iterate(el);
-  return result;
-}
-
-// This function does the work. toclevels = 1..4.
-function generateToc(toclevels) {
-  var toc = document.getElementById("toc");
-  var entries = tocEntries(document.getElementsByTagName("body")[0], toclevels);
-  for (var i = 0; i < entries.length; ++i) {
-    var entry = entries[i];
-    if (entry.element.id == "")
-      entry.element.id = "toc" + i;
-    var a = document.createElement("a");
-    a.href = "#" + entry.element.id;
-    a.appendChild(document.createTextNode(entry.text));
-    var div = document.createElement("div");
-    div.appendChild(a);
-    div.className = "toclevel" + entry.toclevel;
-    toc.appendChild(div);
-  }
-}
-/*]]>*/
-</script>
-<title>Python Bindings for Broccoli</title>
-</head>
-<body>
-<div id="header">
-<h1>Python Bindings for Broccoli</h1>
-<div id="toc">
-  <div id="toctitle">Table of Contents</div>
-  <noscript><p><b>JavaScript must be enabled in your browser to display the table of contents.</b></p></noscript>
-</div>
-</div>
-<h2>Overview</h2><p/>
-<div class="sectionbody">
-<p>This Python module provides bindings for
-<a href="http://www.icir.org/christian/broccoli/index.html">Broccoli</a>, Bro's
-client communication library. In general, the bindings provide the
-same functionality as Broccoli's C API.</p>
-</div>
-<h2>Download</h2><p/>
-<div class="sectionbody">
-<p>Since Bro 1.4, a stable version of the Python module ships as part
-of the Bro distribution in <tt>aux/broccoli/bindings/python</tt>.</p>
-<p>The most current development version is part of the Bro Subversion
-repository. To get it, use:</p>
-<div class="literalblock">
-<div class="content">
-<pre><tt>&gt; svn checkout http://svn.icir.org/bro/trunk/bro/aux/broccoli/bindings/python</tt></pre>
-</div></div>
-</div>
-<h2>Installation</h2><p/>
-<div class="sectionbody">
-<p>Installation of the Python module is pretty straight-forward. After
-Broccoli itself has been
-<a href="http://www.icir.org/christian/broccoli/manual/c55.html">installed</a>,
-it follows the standard installation process for Python modules:</p>
-<div class="literalblock">
-<div class="content">
-<pre><tt>&gt; python setup.py install</tt></pre>
-</div></div>
-<p>Try the following to test the installation. If you do not see any
-error message, everything should be fine:</p>
-<div class="literalblock">
-<div class="content">
-<pre><tt>&gt; python -c "import broccoli"
-&gt;</tt></pre>
-</div></div>
-</div>
-<h2>Usage</h2><p/>
-<div class="sectionbody">
-<p>The following examples demonstrate how to send and receive Bro
-events in Python.</p>
-<p>The main challenge when using Broccoli from Python is dealing with
-the data types of Bro event parameters as there is no one-to-one
-mapping between Bro's types and Python's types. The Python modules
-automatically maps between those types which both systems provide
-(such as strings) and provides a set of wrapper classes for Bro
-types which do not have a direct Python equivalent (such as IP
-addresses).</p>
-<h3>Connecting to Bro</h3><p/>
-<p>The following code sets up a connection from Python to a remote Bro
-instance (or another Broccoli) and provides a connection handle for
-further communication:</p>
-<div class="literalblock">
-<div class="content">
-<pre><tt>from broccoli import *
-bc = Connection("127.0.0.1:47758")</tt></pre>
-</div></div>
-<p>An <tt>IOError</tt> will be raised if the connection cannot be established.</p>
-<h3>Sending Events</h3><p/>
-<p>Once you have a connection handle <tt>bc</tt> set up as shown above, you can
-start sending events:</p>
-<div class="literalblock">
-<div class="content">
-<pre><tt>bc.send("foo", 5, "attack!")</tt></pre>
-</div></div>
-<p>This sends an event called <tt>foo</tt> with two parameters, <tt>5</tt> and
-<tt>attack!</tt>. Broccoli operates asynchronously, i.e., events scheduled
-with <tt>send()</tt> are not always sent out immediately but might be
-queued for later transmission. To ensure that all events get out
-(and incoming events are processed, see below), you need to call
-<tt>bc.processInput()</tt> regularly.</p>
-<h3>Data Types</h3><p/>
-<p>In the example above, the types of the event parameters are
-automatically derived from the corresponding Python types: the first
-parameter (<tt>5</tt>) has the Bro type <tt>int</tt> and the second one
-(<tt>attack!</tt>) has Bro type <tt>string</tt>.</p>
-<p>For types which do not have a Python equivalent, the <tt>broccoli</tt>
-module provides wrapper classes which have the same names as the
-corresponding Bro types. For example, to send an event called <tt>bar</tt>
-with one <tt>addr</tt> argument and one <tt>count</tt> argument, you can write:</p>
-<div class="literalblock">
-<div class="content">
-<pre><tt>bc.send("bar", addr("192.168.1.1"), count(42))</tt></pre>
-</div></div>
-<p>The following table summarizes the available atomic types and their
-usage.</p>
-<div class="tableblock">
-<table rules="all"
-frame="hsides"
-cellspacing="0" cellpadding="4">
-<caption class="title">Table: Bro vs. Python types</caption>
-<col width="114" />
-<col width="137" />
-<col width="308" />
-<thead>
-  <tr>
-    <th align="center">
-    Bro Type
-    </th>
-    <th align="center">
-    Python Type
-    </th>
-    <th align="center">
-    Example
-    </th>
-  </tr>
-</thead>
-<tbody valign="top">
-  <tr>
-    <td align="center">
-    addr
-    </td>
-    <td align="center">
-    
-    </td>
-    <td align="center">
-    <tt>addr("192.168.1.1")</tt>
-    </td>
-  </tr>
-  <tr>
-    <td align="center">
-    bool
-    </td>
-    <td align="center">
-    bool
-    </td>
-    <td align="center">
-    <tt>True</tt>
-    </td>
-  </tr>
-  <tr>
-    <td align="center">
-    count
-    </td>
-    <td align="center">
-    
-    </td>
-    <td align="center">
-    <tt>count(42)</tt>
-    </td>
-  </tr>
-  <tr>
-    <td align="center">
-    double
-    </td>
-    <td align="center">
-    float
-    </td>
-    <td align="center">
-    <tt>3.14</tt>
-    </td>
-  </tr>
-  <tr>
-    <td align="center">
-    enum
-    </td>
-    <td align="center">
-    
-    </td>
-    <td align="center">
-    <em>Type currently not supported</em>
-    </td>
-  </tr>
-  <tr>
-    <td align="center">
-    int
-    </td>
-    <td align="center">
-    int
-    </td>
-    <td align="center">
-    <tt>5</tt>
-    </td>
-  </tr>
-  <tr>
-    <td align="center">
-    interval
-    </td>
-    <td align="center">
-    
-    </td>
-    <td align="center">
-    <tt>interval(60)</tt>
-    </td>
-  </tr>
-  <tr>
-    <td align="center">
-    net
-    </td>
-    <td align="center">
-    
-    </td>
-    <td align="center">
-    <em>Type currently not supported</em>
-    </td>
-  </tr>
-  <tr>
-    <td align="center">
-    port
-    </td>
-    <td align="center">
-    
-    </td>
-    <td align="center">
-    <tt>port("80/tcp")</tt>
-    </td>
-  </tr>
-  <tr>
-    <td align="center">
-    string
-    </td>
-    <td align="center">
-    string
-    </td>
-    <td align="center">
-    <tt>"attack!"</tt>
-    </td>
-  </tr>
-  <tr>
-    <td align="center">
-    subnet
-    </td>
-    <td align="center">
-    
-    </td>
-    <td align="center">
-    <tt>subnet("192.168.1.0/24")</tt>
-    </td>
-  </tr>
-  <tr>
-    <td align="center">
-    time
-    </td>
-    <td align="center">
-    
-    </td>
-    <td align="center">
-    <tt>time(1111111111.0)</tt>
-    </td>
-  </tr>
-</tbody>
-</table>
-</div>
-<p>The <tt>broccoli</tt> module also supports sending Bro records as event
-parameters. To send a record, you first define a record type. For
-example, a Bro record type</p>
-<div class="literalblock">
-<div class="content">
-<pre><tt>type my_record: record {
-    a: int;
-    b: addr;
-    c: subnet;
-};</tt></pre>
-</div></div>
-<p>turns into Python as</p>
-<div class="literalblock">
-<div class="content">
-<pre><tt>my_record = record_type("a", "b", "c")</tt></pre>
-</div></div>
-<p>As the example shows, Python only needs to know the attribute names
-but not their types. The types are derived automatically in the same
-way as discussed above for atomic event parameters.</p>
-<p>Now you can instantiate a record instance of the newly defined type
-and send it out:</p>
-<div class="literalblock">
-<div class="content">
-<pre><tt>rec = record(my_record)
-rec.a = 5
-rec.b = addr("192.168.1.1")
-rec.c = subnet("192.168.1.0/24")
-bc.send("my_event", rec)</tt></pre>
-</div></div>
-<div class="admonitionblock">
-<table><tr>
-<td class="icon">
-<div class="title">Note</div>
-</td>
-<td class="content">The Python module does not support nested records at this
-time.</td>
-</tr></table>
-</div>
-<h3>Receiving Events</h3><p/>
-<p>To receive events, you define a callback function having the same
-name as the event and mark it with the <tt>event</tt> decorator:</p>
-<div class="literalblock">
-<div class="content">
-<pre><tt>@event
-def foo(arg1, arg2):
-    print arg1, arg2</tt></pre>
-</div></div>
-<p>Once you start calling <tt>bc.processInput()</tt> regularly (see above),
-each received <tt>foo</tt> event will trigger the callback function.</p>
-<p>By default, the event's arguments are always passed in with built-in
-Python types. For Bro types which do not have a direct Python
-equivalent (see table above), a substitute built-in type is used
-which corresponds to the type the wrapper class' constructor expects
-(see the examples in the table). For example, Bro type <tt>addr</tt> is
-passed in as a string and Bro type <tt>time</tt> is passed in as a float.</p>
-<p>Alternatively, you can define a <em>typed</em> prototype for the event. If you
-do so, arguments will first be type-checked and then passed to the
-call-back with the specified type (which means instances of the
-wrapper classes for non-Python types). Example:</p>
-<div class="literalblock">
-<div class="content">
-<pre><tt>@event(count, addr)
-def bar(arg1, arg2):
-    print arg1, arg2</tt></pre>
-</div></div>
-<p>Here, <tt>arg1</tt> will be an instance of the <tt>count</tt> wrapper class and
-<tt>arg2</tt> will be an instance of the <tt>addr</tt> wrapper class.</p>
-<p>Protoyping works similarly with built-in Python types:</p>
-<div class="literalblock">
-<div class="content">
-<pre><tt>@event(int, string):
-def foo(arg1, arg2):
-    print arg1, arg2</tt></pre>
-</div></div>
-<p>In general, the prototype specifies the types in which the callback
-wants to receive the arguments. This actually provides support for
-simple type casts as some types support conversion to into something
-different. If for instance the event source sends an event with a
-single port argument, <tt>@event(port)</tt> will pass the port as an
-instance of the <tt>port</tt> wrapper class; <tt>@event(string)</tt> will pass it
-as a string (e.g., <tt>"80/tcp"</tt>); and <tt>@event(int)</tt> will pass it as an
-integer without protocol information (e.g., just <tt>80</tt>). If an
-argument cannot be converted into the specified type, a <tt>TypeError</tt>
-will be raised.</p>
-<p>To receive an event with a record parameter, the record type first
-needs to be defined, as described above. Then the type can be used
-with the <tt>@event</tt> decorator in the same way as atomic types:</p>
-<div class="literalblock">
-<div class="content">
-<pre><tt>my_record = record_type("a", "b", "c")
-@event(my_record)
-def my_event(rec):
-    print rec.a, rec.b, rec.c</tt></pre>
-</div></div>
-</div>
-<h2>Helper Functions</h2><p/>
-<div class="sectionbody">
-<p>The <tt>broccoli</tt> module provides one helper function: <tt>current_time()</tt>
-returns the current time as a float which, if necessary, can be
-wrapped into a <tt>time</tt> parameter (i.e., <tt>time(current_time()</tt>)</p>
-</div>
-<h2>Examples</h2><p/>
-<div class="sectionbody">
-<p>There are some example scripts in
-<a href="http://svn.icir.org/bro/branches/robin/work/aux/broccoli/bindings/python/tests/"><tt>aux/broccoli/bindings/python/tests</tt></a>:</p>
-<ul>
-<li>
-<p>
-<a href="http://svn.icir.org/bro/branches/robin/work/aux/broccoli/bindings/python/tests/broping.py"><tt>broping.py</tt></a>
-   is a (simplified) Python version of Broccoli's test program
-   <tt>broping</tt>. Start Bro with
-   <a href="http://svn.icir.org/bro/branches/robin/work/aux/broccoli/test/broping.bro"><tt>aux/broccoli/test/broping.bro</tt></a>.
-</p>
-</li>
-<li>
-<p>
-Similarly,
-   <a href="http://svn.icir.org/bro/branches/robin/work/aux/broccoli/bindings/python/tests/broping-record.py"><tt>broping-record.py</tt></a>
-   is a Python version of Broccoli's <tt>broping</tt> for records. Start
-   Bro with
-   <a href="http://svn.icir.org/bro/branches/robin/work/aux/broccoli/test/broping-record.bro"><tt>aux/broccoli/test/broping-record.bro</tt></a>.
-</p>
-</li>
-<li>
-<p>
-<a href="http://svn.icir.org/bro/branches/robin/work/aux/broccoli/bindings/python/tests/test.py"><tt>test.py</tt></a>
-   is a very ugly but comprehensive regression test and part of the
-   communication test-suite. Start Bro with
-   <a href="http://svn.icir.org/bro/branches/robin/work/aux/broccoli/bindings/python/tests/test.bro"><tt>test.bro</tt></a>.
-</p>
-</li>
-</ul>
-</div>
-<div id="footer">
-<div id="footer-text">
-<a href="http://www.icir.org/robin">Back to Homepage</a><br />
-</div>
-</div>
-</body>
-</html>
diff --git a/aux/broccoli/bindings/python/TODO b/aux/broccoli/bindings/python/TODO
deleted file mode 100644
index 0bfc98af3e..0000000000
--- a/aux/broccoli/bindings/python/TODO
+++ /dev/null
@@ -1,7 +0,0 @@
-
-- nested records are not support. 
-- type net does not work because I'm too lazy to implement the parsing ...
-- type enum disabled because there seems to be some Broccoli problem with them.
-- would be nice to have some more standard operations (+,-, etc.)
-  defined for the wrapper classes.
-- listen() not available in Python
diff --git a/aux/broccoli/bindings/python/broccoli.py b/aux/broccoli/bindings/python/broccoli.py
deleted file mode 100644
index e8992eed32..0000000000
--- a/aux/broccoli/bindings/python/broccoli.py
+++ /dev/null
@@ -1,425 +0,0 @@
-
-import socket
-import struct
-from types import FunctionType 
-
-from _broccoli_intern import *
-
-bro_init(None)
-
-##### Connection class which capsulates a Broccoli connection.
-class Connection:
-    # Connection to destination given as string "host:port"
-    def __init__(self, destination, broclass="", flags=BRO_CFLAG_RECONNECT | BRO_CFLAG_ALWAYS_QUEUE, connect=True):
-        self.bc = bro_conn_new_str(destination, flags)
-        self.destination = destination
-        if not self.bc:
-            raise IOError("cannot init Broccoli connection handle")
-        
-        self._registerHandlers()
-        
-        if broclass:
-            bro_conn_set_class(self.bc, broclass)
-        
-        if connect:
-            self.connect();
-
-    # If the instance was created with connect=False, this will trigger the connect.
-    def connect(self):
-        if not bro_conn_connect(self.bc):
-            raise IOError("cannot connect to %s" % self.destination)
-        
-    # Hand control to Broccoli's I/O loop.
-    # Returns true if the send queue is non-empty.
-    def processInput(self):
-        bro_conn_process_input(self.bc);
-        return bro_event_queue_length(self.bc) > 0
-
-    # Send an event of name with args.
-    def send(self, name, *args):
-        ev = bro_event_new(name)
-        for arg in args:
-            bro_event_add_val(ev, _getInternalVal(arg));
-            
-        bro_event_send(self.bc, ev);
-        bro_event_free(ev);
-        self.processInput()
-        
-    # Explicit subscribe
-    def subscribe(self, event_name, callback):
-        ev = event(callback)
-        bro_event_registry_add_compact(self.bc, event_name, ev);
-
-    # Register all decorated event callbacks.
-    def _registerHandlers(self):
-        for ev in _Events:
-            bro_event_registry_add_compact(self.bc, ev.__name__, ev);
-
-            
-##### Wrapped helper functions.        
-def current_time():
-    return bro_util_current_time()
-
-##### Decorator @event(val-type1, val-type2, val-type3, ...)
-
-# List of all functions declared with the @event decorator 
-# (more precisely, list of all of their wrappers; see below).
-_Events = []
-
-def event(*types):
-
-    # We wrap the event callback into a function which turns the 2-tuples (type,val)
-    # that we get from the C layer into the corresponding Python object.
-    def make_wrapper(func):
-        
-        def wrapped_f(*args):
-            
-	    new_args = []
-            
-            ptypes = types
-            if not ptypes:
-                # Allow omitting types. 
-                ptypes =  [None] *len(args)
-                
-            for (arg, type) in zip(args, ptypes):
-                # Split the 2-tuples passed to us by the C layer.
-                (btype, val) = arg
-                # Create an instance of the corresponding Python type.
-		new_args += [instantiate(btype, val, type)]
-                
-            # Finally call the callback.
-	    return func(*new_args);
-
-        # Pretend the wrapper has the name of the actual callback (rather than "wrapped_f" ...)
-	wrapped_f.func_name = func.func_name
-	
-        # Add the wrapped function to the list of events handlers.
-        global _Events
-        _Events += [wrapped_f]
-            
-        return wrapped_f
-
-    # Allow @event instead of @event()
-    if len(types) == 1 and type(types[0]) == FunctionType:
-        func = types[0]
-        types = ()
-        return make_wrapper(func)
-    
-    else:
-        return make_wrapper
-
-##### Data types
-
-# For those Bro types which do not direcly correspond to Python type, we create
-# wrapper classes. For those which do (int, float), we use the Python type directly.
-
-# Base class for our wrapper classes.
-# For atomic types, the classes here act as both type and instances. For non-atomic
-# types (i.e., records) we define separate type and instance classes below. 
-class Val:
-    # Type is the Bro type BRO_TYPE_*.
-    # Val is representation of the Val in a standard Python type. 
-    def __init__(self, type, val):
-        self.type = type
-        self.val = val
-        
-        self.__class__._bro_type = type # Doing it once would be sufficient.
-
-    def __str__(self):
-	return str(self.val)
-	
-    # Convert value into a 2-tuple (type, val) as expected by the C layer.
-    def internalVal(self):
-        return (self.type, self.val)
-    
-class count(Val):
-    def __init__(self, val):
-        Val.__init__(self, BRO_TYPE_COUNT, int(val))
-
-    @staticmethod
-    def _factory(val, dst_type):
-        v = count(val)
-        if dst_type == int or not dst_type:
-            return v.val
-        _typeCheck(dst_type, count)
-        return v
-
-class interval(Val):
-    def __init__(self, val):
-        Val.__init__(self, BRO_TYPE_INTERVAL, float(val))
-	
-    @staticmethod
-    def _factory(val, dst_type):
-        v = interval(val)
-        if dst_type == float or not dst_type:
-            return v.val
-        _typeCheck(dst_type, interval)
-        return v
-
-class time(Val):
-    def __init__(self, val):
-        Val.__init__(self, BRO_TYPE_TIME, float(val))
-	
-    @staticmethod
-    def _factory(val, dst_type):
-        v = time(val)
-        if dst_type == float or not dst_type:
-            return v.val
-        _typeCheck(dst_type, time)
-        return v
-
-class port(Val):
-    
-    protos_by_name = { "tcp": 6, "udp": 17, "icmp": 1 }
-    protos_by_num =  { 6: "tcp", 17: "udp", 1: "icmp" }
-    
-    def __init__(self, str=None, internal=None):
-        v = internal and internal or self._parse(str)
-        Val.__init__(self, BRO_TYPE_PORT, v)
-
-    def __str__(self):
-        (port, proto) = self.val
-        try:
-            return "%d/%s" % (port, self.protos_by_num[proto])
-        except IndexError:
-            return "%s/unknown" % port
-        
-    @staticmethod
-    def _factory(val, dst_type):
-        v = port(internal=val)
-        if dst_type == str or not dst_type:
-            return str(v)
-        if dst_type == int:
-            return v[0]
-        _typeCheck(dst_type, port)
-        return v
-    
-    def _parse(self, str):
-        (port, proto) = str.split("/")
-        try:
-            return (int(port), self.protos_by_name[proto.lower()])
-        except (IndexError, ValueError):
-            return (0, 0)
-        
-class addr(Val):
-    def __init__(self, str=None, internal=None):
-        v = internal and internal or self._parse(str)
-        Val.__init__(self, BRO_TYPE_IPADDR, v)
-
-    def __str__(self):
-        return socket.inet_ntoa(struct.pack('=l', self.val))
-        
-    @staticmethod
-    def _factory(val, dst_type):
-        v = addr(internal=val)
-        if dst_type == str or not dst_type:
-            return str(v)
-        _typeCheck(dst_type, addr)
-        return v
-    
-    def _parse(self, str):
-        return struct.unpack('=l',socket.inet_aton(str))[0]
-
-# Not supported at this point. Need to write a parse function.
-class net(Val):
-    def __init__(self, str=None, internal=None):
-        v = internal and internal or self._parse(str)
-        Val.__init__(self, BRO_TYPE_NET, v)
-
-    def __str__(self):
-        return "X.X.X"  # FIXME
-        
-    @staticmethod
-    def _factory(val, dst_type):
-        v = net(internal=val)
-        if dst_type == str or not dst_type:
-            return str(v)
-        _typeCheck(dst_type, net)
-        return v
-    
-    def _parse(self, str):
-        return 0   # FIXME
-
-class subnet(Val):
-    def __init__(self, str=None, internal=None):
-        v = internal and internal or self._parse(str)
-        Val.__init__(self, BRO_TYPE_SUBNET, v)
-
-    def __str__(self):
-        (net, mask) = self.val
-        return "%s/%d" % (socket.inet_ntoa(struct.pack('=l', net)), mask)
-    
-    @staticmethod
-    def _factory(val, dst_type):
-        v = subnet(internal=val)
-        if dst_type == str or not dst_type:
-            return str(v)
-        _typeCheck(dst_type, subnet)
-        return v
-    
-    def _parse(self, str):
-        (net, mask) = str.split("/")
-        return (struct.unpack('=l',socket.inet_aton(net))[0], int(mask))
-
-# Not supported at this point since Broccoli seems to have problems with
-# enums. Also need to write parse functions.
-class enum(Val):
-    def __init__(self, str=None, internal=None):
-        v = internal and internal or self._parse(str)
-        Val.__init__(self, BRO_TYPE_ENUM, v)
-
-    def __str__(self):
-        return "XXXX"  # FIXME
-        
-    @staticmethod
-    def _factory(val, dst_type):
-        v = enum(internal=val)
-        _typeCheck(dst_type, enum)
-        return v
-    
-    def _parse(self, str):
-        return 0   # FIXME
-    
-# Helper class for unset values.    
-class unknown(Val):        
-    def __init__(self):
-        Val.__init__(self, BRO_TYPE_UNKNOWN, None)
-
-# Dictionary of all defined record types.         
-RecTypes = {}
-
-# Type class for records, which maps field names to indices.
-# E.g., conn_id = record_type("orig_h", "orig_p", "resp_h", "resp_p")
-class record_type:
-    def __init__(self, *fields):
-        self.fields = fields
-	
-	global RecTypes
-        # Remember this type by its name.
-	RecTypes[self.__class__.__name__] = self
-
-    @classmethod
-    def _factory(self, vals, dst_type):
-        # FIXME: Add _typeCheck(),
-        # FIXME: For recursive records we'd need to pass the right record type
-        # here instead of none, which we don't have. How to do that?
-        
-        # Get the type.
-        rec_type = RecTypes[dst_type.__class__.__name__]
-        
-        # Init the field values.
-        vals = [instantiate(btype, val, None) for (btype, val) in vals]
-        
-	return record(rec_type, vals)
-
-# Class for record instances.
-class record(Val):
-    def __init__(self, type, vals = None):
-        Val.__init__(self, BRO_TYPE_RECORD, {})
-        
-        # Save the record's type.
-	self._type = type
-
-        if not vals:
-            # Use Nones if we didn't get any values.
-            vals = [None] * len(type.fields)
-
-        # Initialize record fields.
-        for (key, val) in zip(type.fields, vals):
-            self.val[key] = val
-                
-    def internalVal(self):
-        vals = [_getInternalVal(self.val.get(f, unknown())) for f in self._type.fields]
-        return (BRO_TYPE_RECORD, vals)
-
-    # Provide attribute access via "val.attr".
-    def __getattr__(self, key):
-        if "_type" in self.__dict__ and key in self._type.fields:
-            return self.val[key]
-        raise AttributeError
-        
-    def __setattr__(self, key, val):
-        try:
-            if key in self._type.fields:
-                self.val[key] = val
-                return
-        except AttributeError:
-            pass
-
-        # FIXME: Check that key is defined in type.
-        self.__dict__[key] = val
-
-# Helper to check whether two Python types match.
-def _typeCheck(type1, type2):
-    def typeToBro(type):
-        # Do the Python types manually.
-        if type == int:
-            return BRO_TYPE_INT;
-        if type == bool:
-            return BRO_TYPE_BOOL;
-        if type == float:
-            return BRO_TYPE_DOUBLE;
-        if type == str:
-            return BRO_TYPE_STRING;
-        return type._bro_type
-    
-    if type1 and type2 and typeToBro(type1) != typeToBro(type2):
-        raise TypeError
-
-# Helper to create the 2-tuple val.
-def _getInternalVal(arg):
-
-    if arg == None:
-        raise ValueError("uninitialized event argument")
-
-    if type(arg) == int:
-        return (BRO_TYPE_INT, arg)
-    elif type(arg) == bool:
-        return (BRO_TYPE_BOOL, arg)
-    elif type(arg) == str:
-        return(BRO_TYPE_STRING, arg)
-    elif type(arg) == float:
-        return(BRO_TYPE_DOUBLE, arg)
-    else:
-        return arg.internalVal()
-    
-# Factories for Python internal types.
-def _int_factory(val, dst_type):
-    return int(val)
-
-def _bool_factory(val, dst_type):
-    return bool(val)
-
-def _string_factory(val, dst_type):
-    return str(val)
-
-def _float_factory(val, dst_type):
-    return float(val)
-
-string = str    
-double = float
-
-# Table of factories for all supported types so that we can dynamically
-# instantiate them.
-_Factories = {
-    BRO_TYPE_INT: _int_factory,
-    BRO_TYPE_BOOL: _bool_factory,
-    BRO_TYPE_COUNT: count._factory,
-    BRO_TYPE_TIME: time._factory,
-    BRO_TYPE_INTERVAL: interval._factory,
-    BRO_TYPE_DOUBLE: _float_factory,
-    BRO_TYPE_STRING: _string_factory,
-    BRO_TYPE_PORT: port._factory,
-    BRO_TYPE_IPADDR: addr._factory,
-    BRO_TYPE_NET: net._factory,
-    BRO_TYPE_SUBNET: subnet._factory,
-    BRO_TYPE_ENUM: enum._factory,
-    BRO_TYPE_RECORD: record_type._factory,
-}
-
-def instantiate(src_type, val, dst_type):
-    return _Factories[src_type](val, dst_type)
-
-        
-
-
diff --git a/aux/broccoli/bindings/python/broccoli_intern.i b/aux/broccoli/bindings/python/broccoli_intern.i
deleted file mode 100644
index 95e7757f37..0000000000
--- a/aux/broccoli/bindings/python/broccoli_intern.i
+++ /dev/null
@@ -1,392 +0,0 @@
-// $Id$
-
-%module broccoli_intern
-%{
-// Include the header in the wrapper code.
-#include <broccoli.h>
-
-// Broccoli internal struct. Easier to copy that here than to include a bunch
-// of Broccoli's internal headers.  
-struct bro_record {
-    void *val_list;
-    int val_len;
-};
-    
-typedef BroRecord bro_record ;
-
-// Builds a 2-tuple (type, object).     
-PyObject* makeTypeTuple(int type, PyObject *val)
-{
- 	PyObject *tuple = PyTuple_New(2);
-    PyTuple_SetItem(tuple, 0, PyInt_FromLong(type));
-    PyTuple_SetItem(tuple, 1, val);
-    return tuple;
-}
-
-// Parses a 2-tuple (type, object). Return 1 on success. 
-// Borrows input's reference to object.
-int parseTypeTuple(PyObject* input, int *type, PyObject **val)
-{
-    if ( ! (PyTuple_Check(input) && PyTuple_Size(input) == 2) ) {
-		PyErr_SetString(PyExc_RuntimeError, "argument must be 2-tuple");
-		return 0;
-    }
-    
-	PyObject *ptype = PyTuple_GetItem(input, 0);
-	PyObject *pval = PyTuple_GetItem(input, 1);
-	
-	if ( ! PyInt_Check(ptype) ) {
-		PyErr_SetString(PyExc_RuntimeError, "first tuple element must be integer");
-		return 0;
-    }
-    
-    *type = PyInt_AsLong(ptype);
-    
-	if ( *type < 0 || *type > BRO_TYPE_MAX ) {
-		PyErr_SetString(PyExc_RuntimeError, "unknown type in tuple");
-		return 0;
-    }
-    
-    *val = pval;
-    return 1;
-}
-
-// Release the memory associated with the Broccoli value.
-void freeBroccoliVal(int type, void* data)
-{
-    if ( ! data )
-        return;
-    
-    switch ( type ) {
-      case BRO_TYPE_STRING:
-        free(((BroString *)data)->str_val);
-        free(data);
-        break;
-        
-      case BRO_TYPE_RECORD:
-        bro_record_free((BroRecord *)data);
-        break;
-        
-      default:
-        free(data);
-    }
-    
-}
-
-// Converts a Broccoli value into a Python object.
-PyObject* valToPyObj(int type, void* data)
-{
- 	PyObject* val = 0;
-
-	switch (type) {
-      case BRO_TYPE_BOOL:
-        val = PyBool_FromLong(*((int *)data));   
-        break;
-        
-      case BRO_TYPE_INT:
-      case BRO_TYPE_COUNT:
-      case BRO_TYPE_COUNTER:
-      case BRO_TYPE_IPADDR:
-      case BRO_TYPE_NET: {
-        val = PyInt_FromLong(*((long *)data));
-        break;
-      }
-        
-      case BRO_TYPE_DOUBLE:
-      case BRO_TYPE_TIME:
-      case BRO_TYPE_INTERVAL: {
-          val = PyFloat_FromDouble(*((double *)data));
-          break;
-      }
-        
-      case BRO_TYPE_STRING: {
-          BroString *str = (BroString*)data;
-          val = PyString_FromStringAndSize(str->str_val, str->str_len);
-          break;
-      }
-
-      case BRO_TYPE_ENUM: {
-          val = PyTuple_New(2);
-          PyTuple_SetItem(val, 0, PyBool_FromLong(*((int *)data)));
-          PyTuple_SetItem(val, 1, PyString_FromString("broccoli-doesnt-give-use-the-enum-type! :-("));
-          break;
-      }
-        
-        
-      case BRO_TYPE_PORT: {
-          BroPort *port = (BroPort*)data;
-          val = PyTuple_New(2);
-          PyTuple_SetItem(val, 0, PyInt_FromLong(port->port_num));
-          PyTuple_SetItem(val, 1, PyInt_FromLong(port->port_proto));
-          break;
-      }
-            
-      case BRO_TYPE_SUBNET: {
-          BroSubnet *subnet = (BroSubnet*)data;
-          val = PyTuple_New(2);
-          PyTuple_SetItem(val, 0, PyInt_FromLong(subnet->sn_net));
-          PyTuple_SetItem(val, 1, PyInt_FromLong(subnet->sn_width));
-          break;
-      }
-        
-      case BRO_TYPE_RECORD: { 
-          BroRecord *rec = (BroRecord*)data;
-          PyObject *fields = PyList_New(rec->val_len);
-          int i;
-          for ( i = 0; i < rec->val_len; i++ ) {
-              int type = BRO_TYPE_UNKNOWN;
-              void *data = bro_record_get_nth_val(rec, i, &type);
-              PyList_SetItem(fields, i, valToPyObj(type, data));
-          }
-          val = fields;
-          break;
-      }
-    
-      default:
-        PyErr_SetString(PyExc_RuntimeError, "unknown type");
-        return 0;
-        
-    }
-    
-    return makeTypeTuple(type, val);
-}
-    
-// Converts a Python object into Broccoli value.
-int pyObjToVal(PyObject *val, int type, const char **type_name, void** data)
-{
-	*type_name = 0;
-    *data = 0;
-
-    switch (type) {
-      case BRO_TYPE_BOOL:
-      case BRO_TYPE_INT:
-      case BRO_TYPE_COUNT:
-      case BRO_TYPE_COUNTER:
-      case BRO_TYPE_IPADDR:
-      case BRO_TYPE_NET: {
-          int* tmp = (int *)malloc(sizeof(int));
-		  *tmp = PyInt_AsLong(val);
-          *data = tmp;
-          break;
-      }
-        
-      case BRO_TYPE_DOUBLE:
-      case BRO_TYPE_TIME:
-      case BRO_TYPE_INTERVAL: {
-          double* tmp = (double *)malloc(sizeof(double));
-		  *tmp = PyFloat_AsDouble(val);
-          *data = tmp;
-          break;
-      }
-
-      case BRO_TYPE_STRING: {
-          BroString* str = (BroString *)malloc(sizeof(BroString));
-          
-          const char* tmp = PyString_AsString(val);
-          if ( ! tmp )
-              return 0;
-          
-          str->str_len = strlen(tmp);
-          str->str_val = strdup(tmp);
-          *data = str;
-          break;
-      }
-
-      case BRO_TYPE_ENUM: {
-          if ( ! (PyTuple_Check(val) && PyTuple_Size(val) == 2) ) {
-              PyErr_SetString(PyExc_RuntimeError, "enum must be 2-tuple");
-              return 0;
-          }
-          
-          int* tmp = (int *)malloc(sizeof(int));
-		  *tmp = PyInt_AsLong(PyTuple_GetItem(val, 0));
-          *data = tmp;
-          
-          const char* enum_type = PyString_AsString(PyTuple_GetItem(val, 1));
-          if ( ! enum_type )
-              return 0;
-          
-          *type_name = strdup(enum_type);
-          break;
-      }
-        
-      case BRO_TYPE_PORT: {
-          if ( ! (PyTuple_Check(val) && PyTuple_Size(val) == 2) ) {
-              PyErr_SetString(PyExc_RuntimeError, "port must be 2-tuple");
-              return 0;
-          }
-    
-          BroPort* port = (BroPort *)malloc(sizeof(BroPort));
-          port->port_num = PyInt_AsLong(PyTuple_GetItem(val, 0));
-          port->port_proto = PyInt_AsLong(PyTuple_GetItem(val, 1));
-          *data = port;
-          break;
-      }
-            
-      case BRO_TYPE_SUBNET: {
-          if ( ! (PyTuple_Check(val) && PyTuple_Size(val) == 2) ) {
-              PyErr_SetString(PyExc_RuntimeError, "subnet must be 2-tuple");
-              return 0;
-          }
-    
-          BroSubnet* subnet = (BroSubnet *)malloc(sizeof(BroSubnet));
-          subnet->sn_net = PyInt_AsLong(PyTuple_GetItem(val, 0));
-          subnet->sn_width = PyInt_AsLong(PyTuple_GetItem(val, 1));
-          *data = subnet;
-          break;
-      }
-        
-      case BRO_TYPE_RECORD: {
-          BroRecord *rec = bro_record_new();
-          int i;
-          for ( i = 0; i < PyList_Size(val); i++ ) {
-              int ftype;
-              PyObject *fval;
-              if ( ! parseTypeTuple(PyList_GetItem(val, i), &ftype, &fval) )
-                  return 0;
-                  
-              const char *ftype_name;
-              void *fdata;
-              if ( ! pyObjToVal(fval, ftype, &ftype_name, &fdata) ) 
-                  return 0;
-              
-              bro_record_add_val(rec, "<unknown>", ftype, 0, fdata);
-              freeBroccoliVal(ftype, fdata);
-          }
-          
-          *data = rec;
-          break;
-      }
-        
-      default:
-        PyErr_SetString(PyExc_RuntimeError, "unknown type");
-        return 0;
-    }
-    
-    return 1;
-}
-
-// C-level event handler for events. We register all events with this callback,
-// passing the target Python function in via data. 
-void event_callback(BroConn *bc, void *data, BroEvMeta *meta)
-{
-    PyObject *func = (PyObject*)data;
-    
-	int i;
-	PyObject *pyargs = PyTuple_New(meta->ev_numargs);
-	for ( i = 0; i < meta->ev_numargs; i++ )
-		PyTuple_SetItem(pyargs, i, valToPyObj(meta->ev_args[i].arg_type, meta->ev_args[i].arg_data));
-	
-	PyObject *result = PyObject_Call(func, pyargs, 0);
-
-    Py_DECREF(pyargs);
-    
-    if ( result )
-	    Py_DECREF(result);
-}
-
-%}
-
-// For bro_event_registry_add_compact().
-%typemap(in) (BroCompactEventFunc func, void *user_data)
-{
-    if ( ! PyFunction_Check($input) ) {
-        PyErr_SetString(PyExc_RuntimeError, "callback must be a function");
-        return NULL;
-    }
-    
-	$1 = event_callback;
-	$2 = $input;
-    Py_INCREF($input);
-}
-
-// For bro_event_add_val() and bro_record_add_val().
-%typemap(in) (int type, const char *type_name, const void *val)
-{
-    int type;
-    const char* type_name;
-    void *data;
-
-    PyObject *val;
-
-//bro_debug_messages = 1;
-//bro_debug_calltrace = 1;
-
-
-    if ( ! parseTypeTuple($input, &type, &val) )
-        return NULL;
-    
-    if ( ! pyObjToVal(val, type, &type_name, &data) )
-        return NULL;
-    
-    $1 = type;
-    $2 = type_name;
-    $3 = data;
-}
-
-%typemap(freearg) (int type, const char *type_name, const void *val)
-{
-    // Broccoli makes copies of the passed data so we need to clean up.
-    freeBroccoliVal($1, $3);
-    
-    if ( $2 )
-        free($2);
-}
-
-///// The following is a subset of broccoli.h for which we provide wrappers. 
-
-#define BRO_TYPE_UNKNOWN           0
-#define BRO_TYPE_BOOL              1
-#define BRO_TYPE_INT               2
-#define BRO_TYPE_COUNT             3
-#define BRO_TYPE_COUNTER           4
-#define BRO_TYPE_DOUBLE            5
-#define BRO_TYPE_TIME              6
-#define BRO_TYPE_INTERVAL          7
-#define BRO_TYPE_STRING            8
-#define BRO_TYPE_PATTERN           9
-#define BRO_TYPE_ENUM             10
-#define BRO_TYPE_TIMER            11
-#define BRO_TYPE_PORT             12
-#define BRO_TYPE_IPADDR           13
-#define BRO_TYPE_NET              14
-#define BRO_TYPE_SUBNET           15
-#define BRO_TYPE_ANY              16
-#define BRO_TYPE_TABLE            17
-#define BRO_TYPE_UNION            18
-#define BRO_TYPE_RECORD           19
-#define BRO_TYPE_LIST             20
-#define BRO_TYPE_FUNC             21
-#define BRO_TYPE_FILE             22
-#define BRO_TYPE_VECTOR           23
-#define BRO_TYPE_ERROR            24
-#define BRO_TYPE_PACKET           25 
-#define BRO_TYPE_SET              26
-#define BRO_TYPE_MAX              27
-#define BRO_CFLAG_NONE                      0
-#define BRO_CFLAG_RECONNECT           (1 << 0)
-#define BRO_CFLAG_ALWAYS_QUEUE        (1 << 1)
-#define BRO_CFLAG_SHAREABLE           (1 << 2)
-#define BRO_CFLAG_DONTCACHE           (1 << 3)
-#define BRO_CFLAG_YIELD               (1 << 4)
-#define BRO_CFLAG_CACHE               (1 << 5)
-
-// The exact types of these don't really matter as we're only
-// passing pointers around.
-typedef void BroCtx;
-typedef void BroConn;
-typedef void BroEvent;
-
-int            bro_init(const BroCtx *ctx);
-BroConn       *bro_conn_new_str(const char *hostname, int flags);
-void           bro_conn_set_class(BroConn *bc, const char *classname);
-int            bro_conn_connect(BroConn *bc);
-int            bro_conn_process_input(BroConn *bc);
-int            bro_event_queue_length(BroConn *bc);
-BroEvent      *bro_event_new(const char *event_name);
-void           bro_event_free(BroEvent *be);
-int            bro_event_add_val(BroEvent *be, int type, const char *type_name,const void *val);
-int            bro_event_send(BroConn *bc, BroEvent *be);
-void           bro_event_registry_add_compact(BroConn *bc, const char *event_name, BroCompactEventFunc func, void *user_data);
-double         bro_util_current_time(void);
-                          
diff --git a/aux/broccoli/bindings/python/broccoli_intern.py b/aux/broccoli/bindings/python/broccoli_intern.py
deleted file mode 100644
index 0acd03f869..0000000000
--- a/aux/broccoli/bindings/python/broccoli_intern.py
+++ /dev/null
@@ -1,99 +0,0 @@
-# This file was automatically generated by SWIG (http://www.swig.org).
-# Version 1.3.31
-#
-# Don't modify this file, modify the SWIG interface instead.
-# This file is compatible with both classic and new-style classes.
-
-import _broccoli_intern
-import new
-new_instancemethod = new.instancemethod
-try:
-    _swig_property = property
-except NameError:
-    pass # Python < 2.2 doesn't have 'property'.
-def _swig_setattr_nondynamic(self,class_type,name,value,static=1):
-    if (name == "thisown"): return self.this.own(value)
-    if (name == "this"):
-        if type(value).__name__ == 'PySwigObject':
-            self.__dict__[name] = value
-            return
-    method = class_type.__swig_setmethods__.get(name,None)
-    if method: return method(self,value)
-    if (not static) or hasattr(self,name):
-        self.__dict__[name] = value
-    else:
-        raise AttributeError("You cannot add attributes to %s" % self)
-
-def _swig_setattr(self,class_type,name,value):
-    return _swig_setattr_nondynamic(self,class_type,name,value,0)
-
-def _swig_getattr(self,class_type,name):
-    if (name == "thisown"): return self.this.own()
-    method = class_type.__swig_getmethods__.get(name,None)
-    if method: return method(self)
-    raise AttributeError,name
-
-def _swig_repr(self):
-    try: strthis = "proxy of " + self.this.__repr__()
-    except: strthis = ""
-    return "<%s.%s; %s >" % (self.__class__.__module__, self.__class__.__name__, strthis,)
-
-import types
-try:
-    _object = types.ObjectType
-    _newclass = 1
-except AttributeError:
-    class _object : pass
-    _newclass = 0
-del types
-
-
-BRO_TYPE_UNKNOWN = _broccoli_intern.BRO_TYPE_UNKNOWN
-BRO_TYPE_BOOL = _broccoli_intern.BRO_TYPE_BOOL
-BRO_TYPE_INT = _broccoli_intern.BRO_TYPE_INT
-BRO_TYPE_COUNT = _broccoli_intern.BRO_TYPE_COUNT
-BRO_TYPE_COUNTER = _broccoli_intern.BRO_TYPE_COUNTER
-BRO_TYPE_DOUBLE = _broccoli_intern.BRO_TYPE_DOUBLE
-BRO_TYPE_TIME = _broccoli_intern.BRO_TYPE_TIME
-BRO_TYPE_INTERVAL = _broccoli_intern.BRO_TYPE_INTERVAL
-BRO_TYPE_STRING = _broccoli_intern.BRO_TYPE_STRING
-BRO_TYPE_PATTERN = _broccoli_intern.BRO_TYPE_PATTERN
-BRO_TYPE_ENUM = _broccoli_intern.BRO_TYPE_ENUM
-BRO_TYPE_TIMER = _broccoli_intern.BRO_TYPE_TIMER
-BRO_TYPE_PORT = _broccoli_intern.BRO_TYPE_PORT
-BRO_TYPE_IPADDR = _broccoli_intern.BRO_TYPE_IPADDR
-BRO_TYPE_NET = _broccoli_intern.BRO_TYPE_NET
-BRO_TYPE_SUBNET = _broccoli_intern.BRO_TYPE_SUBNET
-BRO_TYPE_ANY = _broccoli_intern.BRO_TYPE_ANY
-BRO_TYPE_TABLE = _broccoli_intern.BRO_TYPE_TABLE
-BRO_TYPE_UNION = _broccoli_intern.BRO_TYPE_UNION
-BRO_TYPE_RECORD = _broccoli_intern.BRO_TYPE_RECORD
-BRO_TYPE_LIST = _broccoli_intern.BRO_TYPE_LIST
-BRO_TYPE_FUNC = _broccoli_intern.BRO_TYPE_FUNC
-BRO_TYPE_FILE = _broccoli_intern.BRO_TYPE_FILE
-BRO_TYPE_VECTOR = _broccoli_intern.BRO_TYPE_VECTOR
-BRO_TYPE_ERROR = _broccoli_intern.BRO_TYPE_ERROR
-BRO_TYPE_PACKET = _broccoli_intern.BRO_TYPE_PACKET
-BRO_TYPE_SET = _broccoli_intern.BRO_TYPE_SET
-BRO_TYPE_MAX = _broccoli_intern.BRO_TYPE_MAX
-BRO_CFLAG_NONE = _broccoli_intern.BRO_CFLAG_NONE
-BRO_CFLAG_RECONNECT = _broccoli_intern.BRO_CFLAG_RECONNECT
-BRO_CFLAG_ALWAYS_QUEUE = _broccoli_intern.BRO_CFLAG_ALWAYS_QUEUE
-BRO_CFLAG_SHAREABLE = _broccoli_intern.BRO_CFLAG_SHAREABLE
-BRO_CFLAG_DONTCACHE = _broccoli_intern.BRO_CFLAG_DONTCACHE
-BRO_CFLAG_YIELD = _broccoli_intern.BRO_CFLAG_YIELD
-BRO_CFLAG_CACHE = _broccoli_intern.BRO_CFLAG_CACHE
-bro_init = _broccoli_intern.bro_init
-bro_conn_new_str = _broccoli_intern.bro_conn_new_str
-bro_conn_set_class = _broccoli_intern.bro_conn_set_class
-bro_conn_connect = _broccoli_intern.bro_conn_connect
-bro_conn_process_input = _broccoli_intern.bro_conn_process_input
-bro_event_queue_length = _broccoli_intern.bro_event_queue_length
-bro_event_new = _broccoli_intern.bro_event_new
-bro_event_free = _broccoli_intern.bro_event_free
-bro_event_add_val = _broccoli_intern.bro_event_add_val
-bro_event_send = _broccoli_intern.bro_event_send
-bro_event_registry_add_compact = _broccoli_intern.bro_event_registry_add_compact
-bro_util_current_time = _broccoli_intern.bro_util_current_time
-
-
diff --git a/aux/broccoli/bindings/python/broccoli_intern_wrap.c b/aux/broccoli/bindings/python/broccoli_intern_wrap.c
deleted file mode 100644
index fdae51ce8c..0000000000
--- a/aux/broccoli/bindings/python/broccoli_intern_wrap.c
+++ /dev/null
@@ -1,3922 +0,0 @@
-/* ----------------------------------------------------------------------------
- * This file was automatically generated by SWIG (http://www.swig.org).
- * Version 1.3.31
- * 
- * This file is not intended to be easily readable and contains a number of 
- * coding conventions designed to improve portability and efficiency. Do not make
- * changes to this file unless you know what you are doing--modify the SWIG 
- * interface file instead. 
- * ----------------------------------------------------------------------------- */
-
-#define SWIGPYTHON
-#define SWIG_PYTHON_DIRECTOR_NO_VTABLE
-/* -----------------------------------------------------------------------------
- *  This section contains generic SWIG labels for method/variable
- *  declarations/attributes, and other compiler dependent labels.
- * ----------------------------------------------------------------------------- */
-
-/* template workaround for compilers that cannot correctly implement the C++ standard */
-#ifndef SWIGTEMPLATEDISAMBIGUATOR
-# if defined(__SUNPRO_CC)
-#   if (__SUNPRO_CC <= 0x560)
-#     define SWIGTEMPLATEDISAMBIGUATOR template
-#   else
-#     define SWIGTEMPLATEDISAMBIGUATOR 
-#   endif
-# else
-#   define SWIGTEMPLATEDISAMBIGUATOR 
-# endif
-#endif
-
-/* inline attribute */
-#ifndef SWIGINLINE
-# if defined(__cplusplus) || (defined(__GNUC__) && !defined(__STRICT_ANSI__))
-#   define SWIGINLINE inline
-# else
-#   define SWIGINLINE
-# endif
-#endif
-
-/* attribute recognised by some compilers to avoid 'unused' warnings */
-#ifndef SWIGUNUSED
-# if defined(__GNUC__)
-#   if !(defined(__cplusplus)) || (__GNUC__ > 3 || (__GNUC__ == 3 && __GNUC_MINOR__ >= 4))
-#     define SWIGUNUSED __attribute__ ((__unused__)) 
-#   else
-#     define SWIGUNUSED
-#   endif
-# elif defined(__ICC)
-#   define SWIGUNUSED __attribute__ ((__unused__)) 
-# else
-#   define SWIGUNUSED 
-# endif
-#endif
-
-#ifndef SWIGUNUSEDPARM
-# ifdef __cplusplus
-#   define SWIGUNUSEDPARM(p)
-# else
-#   define SWIGUNUSEDPARM(p) p SWIGUNUSED 
-# endif
-#endif
-
-/* internal SWIG method */
-#ifndef SWIGINTERN
-# define SWIGINTERN static SWIGUNUSED
-#endif
-
-/* internal inline SWIG method */
-#ifndef SWIGINTERNINLINE
-# define SWIGINTERNINLINE SWIGINTERN SWIGINLINE
-#endif
-
-/* exporting methods */
-#if (__GNUC__ >= 4) || (__GNUC__ == 3 && __GNUC_MINOR__ >= 4)
-#  ifndef GCC_HASCLASSVISIBILITY
-#    define GCC_HASCLASSVISIBILITY
-#  endif
-#endif
-
-#ifndef SWIGEXPORT
-# if defined(_WIN32) || defined(__WIN32__) || defined(__CYGWIN__)
-#   if defined(STATIC_LINKED)
-#     define SWIGEXPORT
-#   else
-#     define SWIGEXPORT __declspec(dllexport)
-#   endif
-# else
-#   if defined(__GNUC__) && defined(GCC_HASCLASSVISIBILITY)
-#     define SWIGEXPORT __attribute__ ((visibility("default")))
-#   else
-#     define SWIGEXPORT
-#   endif
-# endif
-#endif
-
-/* calling conventions for Windows */
-#ifndef SWIGSTDCALL
-# if defined(_WIN32) || defined(__WIN32__) || defined(__CYGWIN__)
-#   define SWIGSTDCALL __stdcall
-# else
-#   define SWIGSTDCALL
-# endif 
-#endif
-
-/* Deal with Microsoft's attempt at deprecating C standard runtime functions */
-#if !defined(SWIG_NO_CRT_SECURE_NO_DEPRECATE) && defined(_MSC_VER) && !defined(_CRT_SECURE_NO_DEPRECATE)
-# define _CRT_SECURE_NO_DEPRECATE
-#endif
-
-
-/* Python.h has to appear first */
-#include <Python.h>
-
-/* -----------------------------------------------------------------------------
- * swigrun.swg
- *
- * This file contains generic CAPI SWIG runtime support for pointer
- * type checking.
- * ----------------------------------------------------------------------------- */
-
-/* This should only be incremented when either the layout of swig_type_info changes,
-   or for whatever reason, the runtime changes incompatibly */
-#define SWIG_RUNTIME_VERSION "3"
-
-/* define SWIG_TYPE_TABLE_NAME as "SWIG_TYPE_TABLE" */
-#ifdef SWIG_TYPE_TABLE
-# define SWIG_QUOTE_STRING(x) #x
-# define SWIG_EXPAND_AND_QUOTE_STRING(x) SWIG_QUOTE_STRING(x)
-# define SWIG_TYPE_TABLE_NAME SWIG_EXPAND_AND_QUOTE_STRING(SWIG_TYPE_TABLE)
-#else
-# define SWIG_TYPE_TABLE_NAME
-#endif
-
-/*
-  You can use the SWIGRUNTIME and SWIGRUNTIMEINLINE macros for
-  creating a static or dynamic library from the swig runtime code.
-  In 99.9% of the cases, swig just needs to declare them as 'static'.
-  
-  But only do this if is strictly necessary, ie, if you have problems
-  with your compiler or so.
-*/
-
-#ifndef SWIGRUNTIME
-# define SWIGRUNTIME SWIGINTERN
-#endif
-
-#ifndef SWIGRUNTIMEINLINE
-# define SWIGRUNTIMEINLINE SWIGRUNTIME SWIGINLINE
-#endif
-
-/*  Generic buffer size */
-#ifndef SWIG_BUFFER_SIZE
-# define SWIG_BUFFER_SIZE 1024
-#endif
-
-/* Flags for pointer conversions */
-#define SWIG_POINTER_DISOWN        0x1
-
-/* Flags for new pointer objects */
-#define SWIG_POINTER_OWN           0x1
-
-
-/* 
-   Flags/methods for returning states.
-   
-   The swig conversion methods, as ConvertPtr, return and integer 
-   that tells if the conversion was successful or not. And if not,
-   an error code can be returned (see swigerrors.swg for the codes).
-   
-   Use the following macros/flags to set or process the returning
-   states.
-   
-   In old swig versions, you usually write code as:
-
-     if (SWIG_ConvertPtr(obj,vptr,ty.flags) != -1) {
-       // success code
-     } else {
-       //fail code
-     }
-
-   Now you can be more explicit as:
-
-    int res = SWIG_ConvertPtr(obj,vptr,ty.flags);
-    if (SWIG_IsOK(res)) {
-      // success code
-    } else {
-      // fail code
-    }
-
-   that seems to be the same, but now you can also do
-
-    Type *ptr;
-    int res = SWIG_ConvertPtr(obj,(void **)(&ptr),ty.flags);
-    if (SWIG_IsOK(res)) {
-      // success code
-      if (SWIG_IsNewObj(res) {
-        ...
-	delete *ptr;
-      } else {
-        ...
-      }
-    } else {
-      // fail code
-    }
-    
-   I.e., now SWIG_ConvertPtr can return new objects and you can
-   identify the case and take care of the deallocation. Of course that
-   requires also to SWIG_ConvertPtr to return new result values, as
-
-      int SWIG_ConvertPtr(obj, ptr,...) {         
-        if (<obj is ok>) {			       
-          if (<need new object>) {		       
-            *ptr = <ptr to new allocated object>; 
-            return SWIG_NEWOBJ;		       
-          } else {				       
-            *ptr = <ptr to old object>;	       
-            return SWIG_OLDOBJ;		       
-          } 				       
-        } else {				       
-          return SWIG_BADOBJ;		       
-        }					       
-      }
-
-   Of course, returning the plain '0(success)/-1(fail)' still works, but you can be
-   more explicit by returning SWIG_BADOBJ, SWIG_ERROR or any of the
-   swig errors code.
-
-   Finally, if the SWIG_CASTRANK_MODE is enabled, the result code
-   allows to return the 'cast rank', for example, if you have this
-
-       int food(double)
-       int fooi(int);
-
-   and you call
- 
-      food(1)   // cast rank '1'  (1 -> 1.0)
-      fooi(1)   // cast rank '0'
-
-   just use the SWIG_AddCast()/SWIG_CheckState()
-
-
- */
-#define SWIG_OK                    (0) 
-#define SWIG_ERROR                 (-1)
-#define SWIG_IsOK(r)               (r >= 0)
-#define SWIG_ArgError(r)           ((r != SWIG_ERROR) ? r : SWIG_TypeError)  
-
-/* The CastRankLimit says how many bits are used for the cast rank */
-#define SWIG_CASTRANKLIMIT         (1 << 8)
-/* The NewMask denotes the object was created (using new/malloc) */
-#define SWIG_NEWOBJMASK            (SWIG_CASTRANKLIMIT  << 1)
-/* The TmpMask is for in/out typemaps that use temporal objects */
-#define SWIG_TMPOBJMASK            (SWIG_NEWOBJMASK << 1)
-/* Simple returning values */
-#define SWIG_BADOBJ                (SWIG_ERROR)
-#define SWIG_OLDOBJ                (SWIG_OK)
-#define SWIG_NEWOBJ                (SWIG_OK | SWIG_NEWOBJMASK)
-#define SWIG_TMPOBJ                (SWIG_OK | SWIG_TMPOBJMASK)
-/* Check, add and del mask methods */
-#define SWIG_AddNewMask(r)         (SWIG_IsOK(r) ? (r | SWIG_NEWOBJMASK) : r)
-#define SWIG_DelNewMask(r)         (SWIG_IsOK(r) ? (r & ~SWIG_NEWOBJMASK) : r)
-#define SWIG_IsNewObj(r)           (SWIG_IsOK(r) && (r & SWIG_NEWOBJMASK))
-#define SWIG_AddTmpMask(r)         (SWIG_IsOK(r) ? (r | SWIG_TMPOBJMASK) : r)
-#define SWIG_DelTmpMask(r)         (SWIG_IsOK(r) ? (r & ~SWIG_TMPOBJMASK) : r)
-#define SWIG_IsTmpObj(r)           (SWIG_IsOK(r) && (r & SWIG_TMPOBJMASK))
-
-
-/* Cast-Rank Mode */
-#if defined(SWIG_CASTRANK_MODE)
-#  ifndef SWIG_TypeRank
-#    define SWIG_TypeRank             unsigned long
-#  endif
-#  ifndef SWIG_MAXCASTRANK            /* Default cast allowed */
-#    define SWIG_MAXCASTRANK          (2)
-#  endif
-#  define SWIG_CASTRANKMASK          ((SWIG_CASTRANKLIMIT) -1)
-#  define SWIG_CastRank(r)           (r & SWIG_CASTRANKMASK)
-SWIGINTERNINLINE int SWIG_AddCast(int r) { 
-  return SWIG_IsOK(r) ? ((SWIG_CastRank(r) < SWIG_MAXCASTRANK) ? (r + 1) : SWIG_ERROR) : r;
-}
-SWIGINTERNINLINE int SWIG_CheckState(int r) { 
-  return SWIG_IsOK(r) ? SWIG_CastRank(r) + 1 : 0; 
-}
-#else /* no cast-rank mode */
-#  define SWIG_AddCast
-#  define SWIG_CheckState(r) (SWIG_IsOK(r) ? 1 : 0)
-#endif
-
-
-
-
-#include <string.h>
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-typedef void *(*swig_converter_func)(void *);
-typedef struct swig_type_info *(*swig_dycast_func)(void **);
-
-/* Structure to store inforomation on one type */
-typedef struct swig_type_info {
-  const char             *name;			/* mangled name of this type */
-  const char             *str;			/* human readable name of this type */
-  swig_dycast_func        dcast;		/* dynamic cast function down a hierarchy */
-  struct swig_cast_info  *cast;			/* linked list of types that can cast into this type */
-  void                   *clientdata;		/* language specific type data */
-  int                    owndata;		/* flag if the structure owns the clientdata */
-} swig_type_info;
-
-/* Structure to store a type and conversion function used for casting */
-typedef struct swig_cast_info {
-  swig_type_info         *type;			/* pointer to type that is equivalent to this type */
-  swig_converter_func     converter;		/* function to cast the void pointers */
-  struct swig_cast_info  *next;			/* pointer to next cast in linked list */
-  struct swig_cast_info  *prev;			/* pointer to the previous cast */
-} swig_cast_info;
-
-/* Structure used to store module information
- * Each module generates one structure like this, and the runtime collects
- * all of these structures and stores them in a circularly linked list.*/
-typedef struct swig_module_info {
-  swig_type_info         **types;		/* Array of pointers to swig_type_info structures that are in this module */
-  size_t                 size;		        /* Number of types in this module */
-  struct swig_module_info *next;		/* Pointer to next element in circularly linked list */
-  swig_type_info         **type_initial;	/* Array of initially generated type structures */
-  swig_cast_info         **cast_initial;	/* Array of initially generated casting structures */
-  void                    *clientdata;		/* Language specific module data */
-} swig_module_info;
-
-/* 
-  Compare two type names skipping the space characters, therefore
-  "char*" == "char *" and "Class<int>" == "Class<int >", etc.
-
-  Return 0 when the two name types are equivalent, as in
-  strncmp, but skipping ' '.
-*/
-SWIGRUNTIME int
-SWIG_TypeNameComp(const char *f1, const char *l1,
-		  const char *f2, const char *l2) {
-  for (;(f1 != l1) && (f2 != l2); ++f1, ++f2) {
-    while ((*f1 == ' ') && (f1 != l1)) ++f1;
-    while ((*f2 == ' ') && (f2 != l2)) ++f2;
-    if (*f1 != *f2) return (*f1 > *f2) ? 1 : -1;
-  }
-  return (l1 - f1) - (l2 - f2);
-}
-
-/*
-  Check type equivalence in a name list like <name1>|<name2>|...
-  Return 0 if not equal, 1 if equal
-*/
-SWIGRUNTIME int
-SWIG_TypeEquiv(const char *nb, const char *tb) {
-  int equiv = 0;
-  const char* te = tb + strlen(tb);
-  const char* ne = nb;
-  while (!equiv && *ne) {
-    for (nb = ne; *ne; ++ne) {
-      if (*ne == '|') break;
-    }
-    equiv = (SWIG_TypeNameComp(nb, ne, tb, te) == 0) ? 1 : 0;
-    if (*ne) ++ne;
-  }
-  return equiv;
-}
-
-/*
-  Check type equivalence in a name list like <name1>|<name2>|...
-  Return 0 if equal, -1 if nb < tb, 1 if nb > tb
-*/
-SWIGRUNTIME int
-SWIG_TypeCompare(const char *nb, const char *tb) {
-  int equiv = 0;
-  const char* te = tb + strlen(tb);
-  const char* ne = nb;
-  while (!equiv && *ne) {
-    for (nb = ne; *ne; ++ne) {
-      if (*ne == '|') break;
-    }
-    equiv = (SWIG_TypeNameComp(nb, ne, tb, te) == 0) ? 1 : 0;
-    if (*ne) ++ne;
-  }
-  return equiv;
-}
-
-
-/* think of this as a c++ template<> or a scheme macro */
-#define SWIG_TypeCheck_Template(comparison, ty)         \
-  if (ty) {                                             \
-    swig_cast_info *iter = ty->cast;                    \
-    while (iter) {                                      \
-      if (comparison) {                                 \
-        if (iter == ty->cast) return iter;              \
-        /* Move iter to the top of the linked list */   \
-        iter->prev->next = iter->next;                  \
-        if (iter->next)                                 \
-          iter->next->prev = iter->prev;                \
-        iter->next = ty->cast;                          \
-        iter->prev = 0;                                 \
-        if (ty->cast) ty->cast->prev = iter;            \
-        ty->cast = iter;                                \
-        return iter;                                    \
-      }                                                 \
-      iter = iter->next;                                \
-    }                                                   \
-  }                                                     \
-  return 0
-
-/*
-  Check the typename
-*/
-SWIGRUNTIME swig_cast_info *
-SWIG_TypeCheck(const char *c, swig_type_info *ty) {
-  SWIG_TypeCheck_Template(strcmp(iter->type->name, c) == 0, ty);
-}
-
-/* Same as previous function, except strcmp is replaced with a pointer comparison */
-SWIGRUNTIME swig_cast_info *
-SWIG_TypeCheckStruct(swig_type_info *from, swig_type_info *into) {
-  SWIG_TypeCheck_Template(iter->type == from, into);
-}
-
-/*
-  Cast a pointer up an inheritance hierarchy
-*/
-SWIGRUNTIMEINLINE void *
-SWIG_TypeCast(swig_cast_info *ty, void *ptr) {
-  return ((!ty) || (!ty->converter)) ? ptr : (*ty->converter)(ptr);
-}
-
-/* 
-   Dynamic pointer casting. Down an inheritance hierarchy
-*/
-SWIGRUNTIME swig_type_info *
-SWIG_TypeDynamicCast(swig_type_info *ty, void **ptr) {
-  swig_type_info *lastty = ty;
-  if (!ty || !ty->dcast) return ty;
-  while (ty && (ty->dcast)) {
-    ty = (*ty->dcast)(ptr);
-    if (ty) lastty = ty;
-  }
-  return lastty;
-}
-
-/*
-  Return the name associated with this type
-*/
-SWIGRUNTIMEINLINE const char *
-SWIG_TypeName(const swig_type_info *ty) {
-  return ty->name;
-}
-
-/*
-  Return the pretty name associated with this type,
-  that is an unmangled type name in a form presentable to the user.
-*/
-SWIGRUNTIME const char *
-SWIG_TypePrettyName(const swig_type_info *type) {
-  /* The "str" field contains the equivalent pretty names of the
-     type, separated by vertical-bar characters.  We choose
-     to print the last name, as it is often (?) the most
-     specific. */
-  if (!type) return NULL;
-  if (type->str != NULL) {
-    const char *last_name = type->str;
-    const char *s;
-    for (s = type->str; *s; s++)
-      if (*s == '|') last_name = s+1;
-    return last_name;
-  }
-  else
-    return type->name;
-}
-
-/* 
-   Set the clientdata field for a type
-*/
-SWIGRUNTIME void
-SWIG_TypeClientData(swig_type_info *ti, void *clientdata) {
-  swig_cast_info *cast = ti->cast;
-  /* if (ti->clientdata == clientdata) return; */
-  ti->clientdata = clientdata;
-  
-  while (cast) {
-    if (!cast->converter) {
-      swig_type_info *tc = cast->type;
-      if (!tc->clientdata) {
-	SWIG_TypeClientData(tc, clientdata);
-      }
-    }    
-    cast = cast->next;
-  }
-}
-SWIGRUNTIME void
-SWIG_TypeNewClientData(swig_type_info *ti, void *clientdata) {
-  SWIG_TypeClientData(ti, clientdata);
-  ti->owndata = 1;
-}
-  
-/*
-  Search for a swig_type_info structure only by mangled name
-  Search is a O(log #types)
-  
-  We start searching at module start, and finish searching when start == end.  
-  Note: if start == end at the beginning of the function, we go all the way around
-  the circular list.
-*/
-SWIGRUNTIME swig_type_info *
-SWIG_MangledTypeQueryModule(swig_module_info *start, 
-                            swig_module_info *end, 
-		            const char *name) {
-  swig_module_info *iter = start;
-  do {
-    if (iter->size) {
-      register size_t l = 0;
-      register size_t r = iter->size - 1;
-      do {
-	/* since l+r >= 0, we can (>> 1) instead (/ 2) */
-	register size_t i = (l + r) >> 1; 
-	const char *iname = iter->types[i]->name;
-	if (iname) {
-	  register int compare = strcmp(name, iname);
-	  if (compare == 0) {	    
-	    return iter->types[i];
-	  } else if (compare < 0) {
-	    if (i) {
-	      r = i - 1;
-	    } else {
-	      break;
-	    }
-	  } else if (compare > 0) {
-	    l = i + 1;
-	  }
-	} else {
-	  break; /* should never happen */
-	}
-      } while (l <= r);
-    }
-    iter = iter->next;
-  } while (iter != end);
-  return 0;
-}
-
-/*
-  Search for a swig_type_info structure for either a mangled name or a human readable name.
-  It first searches the mangled names of the types, which is a O(log #types)
-  If a type is not found it then searches the human readable names, which is O(#types).
-  
-  We start searching at module start, and finish searching when start == end.  
-  Note: if start == end at the beginning of the function, we go all the way around
-  the circular list.
-*/
-SWIGRUNTIME swig_type_info *
-SWIG_TypeQueryModule(swig_module_info *start, 
-                     swig_module_info *end, 
-		     const char *name) {
-  /* STEP 1: Search the name field using binary search */
-  swig_type_info *ret = SWIG_MangledTypeQueryModule(start, end, name);
-  if (ret) {
-    return ret;
-  } else {
-    /* STEP 2: If the type hasn't been found, do a complete search
-       of the str field (the human readable name) */
-    swig_module_info *iter = start;
-    do {
-      register size_t i = 0;
-      for (; i < iter->size; ++i) {
-	if (iter->types[i]->str && (SWIG_TypeEquiv(iter->types[i]->str, name)))
-	  return iter->types[i];
-      }
-      iter = iter->next;
-    } while (iter != end);
-  }
-  
-  /* neither found a match */
-  return 0;
-}
-
-/* 
-   Pack binary data into a string
-*/
-SWIGRUNTIME char *
-SWIG_PackData(char *c, void *ptr, size_t sz) {
-  static const char hex[17] = "0123456789abcdef";
-  register const unsigned char *u = (unsigned char *) ptr;
-  register const unsigned char *eu =  u + sz;
-  for (; u != eu; ++u) {
-    register unsigned char uu = *u;
-    *(c++) = hex[(uu & 0xf0) >> 4];
-    *(c++) = hex[uu & 0xf];
-  }
-  return c;
-}
-
-/* 
-   Unpack binary data from a string
-*/
-SWIGRUNTIME const char *
-SWIG_UnpackData(const char *c, void *ptr, size_t sz) {
-  register unsigned char *u = (unsigned char *) ptr;
-  register const unsigned char *eu = u + sz;
-  for (; u != eu; ++u) {
-    register char d = *(c++);
-    register unsigned char uu;
-    if ((d >= '0') && (d <= '9'))
-      uu = ((d - '0') << 4);
-    else if ((d >= 'a') && (d <= 'f'))
-      uu = ((d - ('a'-10)) << 4);
-    else 
-      return (char *) 0;
-    d = *(c++);
-    if ((d >= '0') && (d <= '9'))
-      uu |= (d - '0');
-    else if ((d >= 'a') && (d <= 'f'))
-      uu |= (d - ('a'-10));
-    else 
-      return (char *) 0;
-    *u = uu;
-  }
-  return c;
-}
-
-/* 
-   Pack 'void *' into a string buffer.
-*/
-SWIGRUNTIME char *
-SWIG_PackVoidPtr(char *buff, void *ptr, const char *name, size_t bsz) {
-  char *r = buff;
-  if ((2*sizeof(void *) + 2) > bsz) return 0;
-  *(r++) = '_';
-  r = SWIG_PackData(r,&ptr,sizeof(void *));
-  if (strlen(name) + 1 > (bsz - (r - buff))) return 0;
-  strcpy(r,name);
-  return buff;
-}
-
-SWIGRUNTIME const char *
-SWIG_UnpackVoidPtr(const char *c, void **ptr, const char *name) {
-  if (*c != '_') {
-    if (strcmp(c,"NULL") == 0) {
-      *ptr = (void *) 0;
-      return name;
-    } else {
-      return 0;
-    }
-  }
-  return SWIG_UnpackData(++c,ptr,sizeof(void *));
-}
-
-SWIGRUNTIME char *
-SWIG_PackDataName(char *buff, void *ptr, size_t sz, const char *name, size_t bsz) {
-  char *r = buff;
-  size_t lname = (name ? strlen(name) : 0);
-  if ((2*sz + 2 + lname) > bsz) return 0;
-  *(r++) = '_';
-  r = SWIG_PackData(r,ptr,sz);
-  if (lname) {
-    strncpy(r,name,lname+1);
-  } else {
-    *r = 0;
-  }
-  return buff;
-}
-
-SWIGRUNTIME const char *
-SWIG_UnpackDataName(const char *c, void *ptr, size_t sz, const char *name) {
-  if (*c != '_') {
-    if (strcmp(c,"NULL") == 0) {
-      memset(ptr,0,sz);
-      return name;
-    } else {
-      return 0;
-    }
-  }
-  return SWIG_UnpackData(++c,ptr,sz);
-}
-
-#ifdef __cplusplus
-}
-#endif
-
-/*  Errors in SWIG */
-#define  SWIG_UnknownError    	   -1 
-#define  SWIG_IOError        	   -2 
-#define  SWIG_RuntimeError   	   -3 
-#define  SWIG_IndexError     	   -4 
-#define  SWIG_TypeError      	   -5 
-#define  SWIG_DivisionByZero 	   -6 
-#define  SWIG_OverflowError  	   -7 
-#define  SWIG_SyntaxError    	   -8 
-#define  SWIG_ValueError     	   -9 
-#define  SWIG_SystemError    	   -10
-#define  SWIG_AttributeError 	   -11
-#define  SWIG_MemoryError    	   -12 
-#define  SWIG_NullReferenceError   -13
-
-
-
-
-/* Add PyOS_snprintf for old Pythons */
-#if PY_VERSION_HEX < 0x02020000
-# if defined(_MSC_VER) || defined(__BORLANDC__) || defined(_WATCOM)
-#  define PyOS_snprintf _snprintf
-# else
-#  define PyOS_snprintf snprintf
-# endif
-#endif
-
-/* A crude PyString_FromFormat implementation for old Pythons */
-#if PY_VERSION_HEX < 0x02020000
-
-#ifndef SWIG_PYBUFFER_SIZE
-# define SWIG_PYBUFFER_SIZE 1024
-#endif
-
-static PyObject *
-PyString_FromFormat(const char *fmt, ...) {
-  va_list ap;
-  char buf[SWIG_PYBUFFER_SIZE * 2];
-  int res;
-  va_start(ap, fmt);
-  res = vsnprintf(buf, sizeof(buf), fmt, ap);
-  va_end(ap);
-  return (res < 0 || res >= (int)sizeof(buf)) ? 0 : PyString_FromString(buf);
-}
-#endif
-
-/* Add PyObject_Del for old Pythons */
-#if PY_VERSION_HEX < 0x01060000
-# define PyObject_Del(op) PyMem_DEL((op))
-#endif
-#ifndef PyObject_DEL
-# define PyObject_DEL PyObject_Del
-#endif
-
-/* A crude PyExc_StopIteration exception for old Pythons */
-#if PY_VERSION_HEX < 0x02020000
-# ifndef PyExc_StopIteration
-#  define PyExc_StopIteration PyExc_RuntimeError
-# endif
-# ifndef PyObject_GenericGetAttr
-#  define PyObject_GenericGetAttr 0
-# endif
-#endif
-/* Py_NotImplemented is defined in 2.1 and up. */
-#if PY_VERSION_HEX < 0x02010000
-# ifndef Py_NotImplemented
-#  define Py_NotImplemented PyExc_RuntimeError
-# endif
-#endif
-
-
-/* A crude PyString_AsStringAndSize implementation for old Pythons */
-#if PY_VERSION_HEX < 0x02010000
-# ifndef PyString_AsStringAndSize
-#  define PyString_AsStringAndSize(obj, s, len) {*s = PyString_AsString(obj); *len = *s ? strlen(*s) : 0;}
-# endif
-#endif
-
-/* PySequence_Size for old Pythons */
-#if PY_VERSION_HEX < 0x02000000
-# ifndef PySequence_Size
-#  define PySequence_Size PySequence_Length
-# endif
-#endif
-
-
-/* PyBool_FromLong for old Pythons */
-#if PY_VERSION_HEX < 0x02030000
-static
-PyObject *PyBool_FromLong(long ok)
-{
-  PyObject *result = ok ? Py_True : Py_False;
-  Py_INCREF(result);
-  return result;
-}
-#endif
-
-/* Py_ssize_t for old Pythons */
-/* This code is as recommended by: */
-/* http://www.python.org/dev/peps/pep-0353/#conversion-guidelines */
-#if PY_VERSION_HEX < 0x02050000 && !defined(PY_SSIZE_T_MIN)
-typedef int Py_ssize_t;
-# define PY_SSIZE_T_MAX INT_MAX
-# define PY_SSIZE_T_MIN INT_MIN
-#endif
-
-/* -----------------------------------------------------------------------------
- * error manipulation
- * ----------------------------------------------------------------------------- */
-
-SWIGRUNTIME PyObject*
-SWIG_Python_ErrorType(int code) {
-  PyObject* type = 0;
-  switch(code) {
-  case SWIG_MemoryError:
-    type = PyExc_MemoryError;
-    break;
-  case SWIG_IOError:
-    type = PyExc_IOError;
-    break;
-  case SWIG_RuntimeError:
-    type = PyExc_RuntimeError;
-    break;
-  case SWIG_IndexError:
-    type = PyExc_IndexError;
-    break;
-  case SWIG_TypeError:
-    type = PyExc_TypeError;
-    break;
-  case SWIG_DivisionByZero:
-    type = PyExc_ZeroDivisionError;
-    break;
-  case SWIG_OverflowError:
-    type = PyExc_OverflowError;
-    break;
-  case SWIG_SyntaxError:
-    type = PyExc_SyntaxError;
-    break;
-  case SWIG_ValueError:
-    type = PyExc_ValueError;
-    break;
-  case SWIG_SystemError:
-    type = PyExc_SystemError;
-    break;
-  case SWIG_AttributeError:
-    type = PyExc_AttributeError;
-    break;
-  default:
-    type = PyExc_RuntimeError;
-  }
-  return type;
-}
-
-
-SWIGRUNTIME void
-SWIG_Python_AddErrorMsg(const char* mesg)
-{
-  PyObject *type = 0;
-  PyObject *value = 0;
-  PyObject *traceback = 0;
-
-  if (PyErr_Occurred()) PyErr_Fetch(&type, &value, &traceback);
-  if (value) {
-    PyObject *old_str = PyObject_Str(value);
-    PyErr_Clear();
-    Py_XINCREF(type);
-    PyErr_Format(type, "%s %s", PyString_AsString(old_str), mesg);
-    Py_DECREF(old_str);
-    Py_DECREF(value);
-  } else {
-    PyErr_Format(PyExc_RuntimeError, mesg);
-  }
-}
-
-
-
-#if defined(SWIG_PYTHON_NO_THREADS)
-#  if defined(SWIG_PYTHON_THREADS)
-#    undef SWIG_PYTHON_THREADS
-#  endif
-#endif
-#if defined(SWIG_PYTHON_THREADS) /* Threading support is enabled */
-#  if !defined(SWIG_PYTHON_USE_GIL) && !defined(SWIG_PYTHON_NO_USE_GIL)
-#    if (PY_VERSION_HEX >= 0x02030000) /* For 2.3 or later, use the PyGILState calls */
-#      define SWIG_PYTHON_USE_GIL
-#    endif
-#  endif
-#  if defined(SWIG_PYTHON_USE_GIL) /* Use PyGILState threads calls */
-#    ifndef SWIG_PYTHON_INITIALIZE_THREADS
-#     define SWIG_PYTHON_INITIALIZE_THREADS  PyEval_InitThreads() 
-#    endif
-#    ifdef __cplusplus /* C++ code */
-       class SWIG_Python_Thread_Block {
-         bool status;
-         PyGILState_STATE state;
-       public:
-         void end() { if (status) { PyGILState_Release(state); status = false;} }
-         SWIG_Python_Thread_Block() : status(true), state(PyGILState_Ensure()) {}
-         ~SWIG_Python_Thread_Block() { end(); }
-       };
-       class SWIG_Python_Thread_Allow {
-         bool status;
-         PyThreadState *save;
-       public:
-         void end() { if (status) { PyEval_RestoreThread(save); status = false; }}
-         SWIG_Python_Thread_Allow() : status(true), save(PyEval_SaveThread()) {}
-         ~SWIG_Python_Thread_Allow() { end(); }
-       };
-#      define SWIG_PYTHON_THREAD_BEGIN_BLOCK   SWIG_Python_Thread_Block _swig_thread_block
-#      define SWIG_PYTHON_THREAD_END_BLOCK     _swig_thread_block.end()
-#      define SWIG_PYTHON_THREAD_BEGIN_ALLOW   SWIG_Python_Thread_Allow _swig_thread_allow
-#      define SWIG_PYTHON_THREAD_END_ALLOW     _swig_thread_allow.end()
-#    else /* C code */
-#      define SWIG_PYTHON_THREAD_BEGIN_BLOCK   PyGILState_STATE _swig_thread_block = PyGILState_Ensure()
-#      define SWIG_PYTHON_THREAD_END_BLOCK     PyGILState_Release(_swig_thread_block)
-#      define SWIG_PYTHON_THREAD_BEGIN_ALLOW   PyThreadState *_swig_thread_allow = PyEval_SaveThread()
-#      define SWIG_PYTHON_THREAD_END_ALLOW     PyEval_RestoreThread(_swig_thread_allow)
-#    endif
-#  else /* Old thread way, not implemented, user must provide it */
-#    if !defined(SWIG_PYTHON_INITIALIZE_THREADS)
-#      define SWIG_PYTHON_INITIALIZE_THREADS
-#    endif
-#    if !defined(SWIG_PYTHON_THREAD_BEGIN_BLOCK)
-#      define SWIG_PYTHON_THREAD_BEGIN_BLOCK
-#    endif
-#    if !defined(SWIG_PYTHON_THREAD_END_BLOCK)
-#      define SWIG_PYTHON_THREAD_END_BLOCK
-#    endif
-#    if !defined(SWIG_PYTHON_THREAD_BEGIN_ALLOW)
-#      define SWIG_PYTHON_THREAD_BEGIN_ALLOW
-#    endif
-#    if !defined(SWIG_PYTHON_THREAD_END_ALLOW)
-#      define SWIG_PYTHON_THREAD_END_ALLOW
-#    endif
-#  endif
-#else /* No thread support */
-#  define SWIG_PYTHON_INITIALIZE_THREADS
-#  define SWIG_PYTHON_THREAD_BEGIN_BLOCK
-#  define SWIG_PYTHON_THREAD_END_BLOCK
-#  define SWIG_PYTHON_THREAD_BEGIN_ALLOW
-#  define SWIG_PYTHON_THREAD_END_ALLOW
-#endif
-
-/* -----------------------------------------------------------------------------
- * Python API portion that goes into the runtime
- * ----------------------------------------------------------------------------- */
-
-#ifdef __cplusplus
-extern "C" {
-#if 0
-} /* cc-mode */
-#endif
-#endif
-
-/* -----------------------------------------------------------------------------
- * Constant declarations
- * ----------------------------------------------------------------------------- */
-
-/* Constant Types */
-#define SWIG_PY_POINTER 4
-#define SWIG_PY_BINARY  5
-
-/* Constant information structure */
-typedef struct swig_const_info {
-  int type;
-  char *name;
-  long lvalue;
-  double dvalue;
-  void   *pvalue;
-  swig_type_info **ptype;
-} swig_const_info;
-
-#ifdef __cplusplus
-#if 0
-{ /* cc-mode */
-#endif
-}
-#endif
-
-
-/* -----------------------------------------------------------------------------
- * See the LICENSE file for information on copyright, usage and redistribution
- * of SWIG, and the README file for authors - http://www.swig.org/release.html.
- *
- * pyrun.swg
- *
- * This file contains the runtime support for Python modules
- * and includes code for managing global variables and pointer
- * type checking.
- *
- * ----------------------------------------------------------------------------- */
-
-/* Common SWIG API */
-
-/* for raw pointers */
-#define SWIG_Python_ConvertPtr(obj, pptr, type, flags)  SWIG_Python_ConvertPtrAndOwn(obj, pptr, type, flags, 0)
-#define SWIG_ConvertPtr(obj, pptr, type, flags)         SWIG_Python_ConvertPtr(obj, pptr, type, flags)
-#define SWIG_ConvertPtrAndOwn(obj,pptr,type,flags,own)  SWIG_Python_ConvertPtrAndOwn(obj, pptr, type, flags, own)
-#define SWIG_NewPointerObj(ptr, type, flags)            SWIG_Python_NewPointerObj(ptr, type, flags)
-#define SWIG_CheckImplicit(ty)                          SWIG_Python_CheckImplicit(ty) 
-#define SWIG_AcquirePtr(ptr, src)                       SWIG_Python_AcquirePtr(ptr, src)
-#define swig_owntype                                    int
-
-/* for raw packed data */
-#define SWIG_ConvertPacked(obj, ptr, sz, ty)            SWIG_Python_ConvertPacked(obj, ptr, sz, ty)
-#define SWIG_NewPackedObj(ptr, sz, type)                SWIG_Python_NewPackedObj(ptr, sz, type)
-
-/* for class or struct pointers */
-#define SWIG_ConvertInstance(obj, pptr, type, flags)    SWIG_ConvertPtr(obj, pptr, type, flags)
-#define SWIG_NewInstanceObj(ptr, type, flags)           SWIG_NewPointerObj(ptr, type, flags)
-
-/* for C or C++ function pointers */
-#define SWIG_ConvertFunctionPtr(obj, pptr, type)        SWIG_Python_ConvertFunctionPtr(obj, pptr, type)
-#define SWIG_NewFunctionPtrObj(ptr, type)               SWIG_Python_NewPointerObj(ptr, type, 0)
-
-/* for C++ member pointers, ie, member methods */
-#define SWIG_ConvertMember(obj, ptr, sz, ty)            SWIG_Python_ConvertPacked(obj, ptr, sz, ty)
-#define SWIG_NewMemberObj(ptr, sz, type)                SWIG_Python_NewPackedObj(ptr, sz, type)
-
-
-/* Runtime API */
-
-#define SWIG_GetModule(clientdata)                      SWIG_Python_GetModule()
-#define SWIG_SetModule(clientdata, pointer)             SWIG_Python_SetModule(pointer)
-#define SWIG_NewClientData(obj)                         PySwigClientData_New(obj)
-
-#define SWIG_SetErrorObj                                SWIG_Python_SetErrorObj                            
-#define SWIG_SetErrorMsg                        	SWIG_Python_SetErrorMsg				   
-#define SWIG_ErrorType(code)                    	SWIG_Python_ErrorType(code)                        
-#define SWIG_Error(code, msg)            		SWIG_Python_SetErrorMsg(SWIG_ErrorType(code), msg) 
-#define SWIG_fail                        		goto fail					   
-
-
-/* Runtime API implementation */
-
-/* Error manipulation */
-
-SWIGINTERN void 
-SWIG_Python_SetErrorObj(PyObject *errtype, PyObject *obj) {
-  SWIG_PYTHON_THREAD_BEGIN_BLOCK; 
-  PyErr_SetObject(errtype, obj);
-  Py_DECREF(obj);
-  SWIG_PYTHON_THREAD_END_BLOCK;
-}
-
-SWIGINTERN void 
-SWIG_Python_SetErrorMsg(PyObject *errtype, const char *msg) {
-  SWIG_PYTHON_THREAD_BEGIN_BLOCK;
-  PyErr_SetString(errtype, (char *) msg);
-  SWIG_PYTHON_THREAD_END_BLOCK;
-}
-
-#define SWIG_Python_Raise(obj, type, desc)  SWIG_Python_SetErrorObj(SWIG_Python_ExceptionType(desc), obj)
-
-/* Set a constant value */
-
-SWIGINTERN void
-SWIG_Python_SetConstant(PyObject *d, const char *name, PyObject *obj) {   
-  PyDict_SetItemString(d, (char*) name, obj);
-  Py_DECREF(obj);                            
-}
-
-/* Append a value to the result obj */
-
-SWIGINTERN PyObject*
-SWIG_Python_AppendOutput(PyObject* result, PyObject* obj) {
-#if !defined(SWIG_PYTHON_OUTPUT_TUPLE)
-  if (!result) {
-    result = obj;
-  } else if (result == Py_None) {
-    Py_DECREF(result);
-    result = obj;
-  } else {
-    if (!PyList_Check(result)) {
-      PyObject *o2 = result;
-      result = PyList_New(1);
-      PyList_SetItem(result, 0, o2);
-    }
-    PyList_Append(result,obj);
-    Py_DECREF(obj);
-  }
-  return result;
-#else
-  PyObject*   o2;
-  PyObject*   o3;
-  if (!result) {
-    result = obj;
-  } else if (result == Py_None) {
-    Py_DECREF(result);
-    result = obj;
-  } else {
-    if (!PyTuple_Check(result)) {
-      o2 = result;
-      result = PyTuple_New(1);
-      PyTuple_SET_ITEM(result, 0, o2);
-    }
-    o3 = PyTuple_New(1);
-    PyTuple_SET_ITEM(o3, 0, obj);
-    o2 = result;
-    result = PySequence_Concat(o2, o3);
-    Py_DECREF(o2);
-    Py_DECREF(o3);
-  }
-  return result;
-#endif
-}
-
-/* Unpack the argument tuple */
-
-SWIGINTERN int
-SWIG_Python_UnpackTuple(PyObject *args, const char *name, int min, int max, PyObject **objs)
-{
-  if (!args) {
-    if (!min && !max) {
-      return 1;
-    } else {
-      PyErr_Format(PyExc_TypeError, "%s expected %s%d arguments, got none", 
-		   name, (min == max ? "" : "at least "), min);
-      return 0;
-    }
-  }  
-  if (!PyTuple_Check(args)) {
-    PyErr_SetString(PyExc_SystemError, "UnpackTuple() argument list is not a tuple");
-    return 0;
-  } else {
-    register int l = PyTuple_GET_SIZE(args);
-    if (l < min) {
-      PyErr_Format(PyExc_TypeError, "%s expected %s%d arguments, got %d", 
-		   name, (min == max ? "" : "at least "), min, l);
-      return 0;
-    } else if (l > max) {
-      PyErr_Format(PyExc_TypeError, "%s expected %s%d arguments, got %d", 
-		   name, (min == max ? "" : "at most "), max, l);
-      return 0;
-    } else {
-      register int i;
-      for (i = 0; i < l; ++i) {
-	objs[i] = PyTuple_GET_ITEM(args, i);
-      }
-      for (; l < max; ++l) {
-	objs[l] = 0;
-      }
-      return i + 1;
-    }    
-  }
-}
-
-/* A functor is a function object with one single object argument */
-#if PY_VERSION_HEX >= 0x02020000
-#define SWIG_Python_CallFunctor(functor, obj)	        PyObject_CallFunctionObjArgs(functor, obj, NULL);
-#else
-#define SWIG_Python_CallFunctor(functor, obj)	        PyObject_CallFunction(functor, "O", obj);
-#endif
-
-/*
-  Helper for static pointer initialization for both C and C++ code, for example
-  static PyObject *SWIG_STATIC_POINTER(MyVar) = NewSomething(...);
-*/
-#ifdef __cplusplus
-#define SWIG_STATIC_POINTER(var)  var
-#else
-#define SWIG_STATIC_POINTER(var)  var = 0; if (!var) var
-#endif
-
-/* -----------------------------------------------------------------------------
- * Pointer declarations
- * ----------------------------------------------------------------------------- */
-
-/* Flags for new pointer objects */
-#define SWIG_POINTER_NOSHADOW       (SWIG_POINTER_OWN      << 1)
-#define SWIG_POINTER_NEW            (SWIG_POINTER_NOSHADOW | SWIG_POINTER_OWN)
-
-#define SWIG_POINTER_IMPLICIT_CONV  (SWIG_POINTER_DISOWN   << 1)
-
-#ifdef __cplusplus
-extern "C" {
-#if 0
-} /* cc-mode */
-#endif
-#endif
-
-/*  How to access Py_None */
-#if defined(_WIN32) || defined(__WIN32__) || defined(__CYGWIN__)
-#  ifndef SWIG_PYTHON_NO_BUILD_NONE
-#    ifndef SWIG_PYTHON_BUILD_NONE
-#      define SWIG_PYTHON_BUILD_NONE
-#    endif
-#  endif
-#endif
-
-#ifdef SWIG_PYTHON_BUILD_NONE
-#  ifdef Py_None
-#   undef Py_None
-#   define Py_None SWIG_Py_None()
-#  endif
-SWIGRUNTIMEINLINE PyObject * 
-_SWIG_Py_None(void)
-{
-  PyObject *none = Py_BuildValue((char*)"");
-  Py_DECREF(none);
-  return none;
-}
-SWIGRUNTIME PyObject * 
-SWIG_Py_None(void)
-{
-  static PyObject *SWIG_STATIC_POINTER(none) = _SWIG_Py_None();
-  return none;
-}
-#endif
-
-/* The python void return value */
-
-SWIGRUNTIMEINLINE PyObject * 
-SWIG_Py_Void(void)
-{
-  PyObject *none = Py_None;
-  Py_INCREF(none);
-  return none;
-}
-
-/* PySwigClientData */
-
-typedef struct {
-  PyObject *klass;
-  PyObject *newraw;
-  PyObject *newargs;
-  PyObject *destroy;
-  int delargs;
-  int implicitconv;
-} PySwigClientData;
-
-SWIGRUNTIMEINLINE int 
-SWIG_Python_CheckImplicit(swig_type_info *ty)
-{
-  PySwigClientData *data = (PySwigClientData *)ty->clientdata;
-  return data ? data->implicitconv : 0;
-}
-
-SWIGRUNTIMEINLINE PyObject *
-SWIG_Python_ExceptionType(swig_type_info *desc) {
-  PySwigClientData *data = desc ? (PySwigClientData *) desc->clientdata : 0;
-  PyObject *klass = data ? data->klass : 0;
-  return (klass ? klass : PyExc_RuntimeError);
-}
-
-
-SWIGRUNTIME PySwigClientData * 
-PySwigClientData_New(PyObject* obj)
-{
-  if (!obj) {
-    return 0;
-  } else {
-    PySwigClientData *data = (PySwigClientData *)malloc(sizeof(PySwigClientData));
-    /* the klass element */
-    data->klass = obj;
-    Py_INCREF(data->klass);
-    /* the newraw method and newargs arguments used to create a new raw instance */
-    if (PyClass_Check(obj)) {
-      data->newraw = 0;
-      data->newargs = obj;
-      Py_INCREF(obj);
-    } else {
-#if (PY_VERSION_HEX < 0x02020000)
-      data->newraw = 0;
-#else
-      data->newraw = PyObject_GetAttrString(data->klass, (char *)"__new__");
-#endif
-      if (data->newraw) {
-	Py_INCREF(data->newraw);
-	data->newargs = PyTuple_New(1);
-	PyTuple_SetItem(data->newargs, 0, obj);
-      } else {
-	data->newargs = obj;
-      }
-      Py_INCREF(data->newargs);
-    }
-    /* the destroy method, aka as the C++ delete method */
-    data->destroy = PyObject_GetAttrString(data->klass, (char *)"__swig_destroy__");
-    if (PyErr_Occurred()) {
-      PyErr_Clear();
-      data->destroy = 0;
-    }
-    if (data->destroy) {
-      int flags;
-      Py_INCREF(data->destroy);
-      flags = PyCFunction_GET_FLAGS(data->destroy);
-#ifdef METH_O
-      data->delargs = !(flags & (METH_O));
-#else
-      data->delargs = 0;
-#endif
-    } else {
-      data->delargs = 0;
-    }
-    data->implicitconv = 0;
-    return data;
-  }
-}
-
-SWIGRUNTIME void 
-PySwigClientData_Del(PySwigClientData* data)
-{
-  Py_XDECREF(data->newraw);
-  Py_XDECREF(data->newargs);
-  Py_XDECREF(data->destroy);
-}
-
-/* =============== PySwigObject =====================*/
-
-typedef struct {
-  PyObject_HEAD
-  void *ptr;
-  swig_type_info *ty;
-  int own;
-  PyObject *next;
-} PySwigObject;
-
-SWIGRUNTIME PyObject *
-PySwigObject_long(PySwigObject *v)
-{
-  return PyLong_FromVoidPtr(v->ptr);
-}
-
-SWIGRUNTIME PyObject *
-PySwigObject_format(const char* fmt, PySwigObject *v)
-{
-  PyObject *res = NULL;
-  PyObject *args = PyTuple_New(1);
-  if (args) {
-    if (PyTuple_SetItem(args, 0, PySwigObject_long(v)) == 0) {
-      PyObject *ofmt = PyString_FromString(fmt);
-      if (ofmt) {
-	res = PyString_Format(ofmt,args);
-	Py_DECREF(ofmt);
-      }
-      Py_DECREF(args);
-    }
-  }
-  return res;
-}
-
-SWIGRUNTIME PyObject *
-PySwigObject_oct(PySwigObject *v)
-{
-  return PySwigObject_format("%o",v);
-}
-
-SWIGRUNTIME PyObject *
-PySwigObject_hex(PySwigObject *v)
-{
-  return PySwigObject_format("%x",v);
-}
-
-SWIGRUNTIME PyObject *
-#ifdef METH_NOARGS
-PySwigObject_repr(PySwigObject *v)
-#else
-PySwigObject_repr(PySwigObject *v, PyObject *args)
-#endif
-{
-  const char *name = SWIG_TypePrettyName(v->ty);
-  PyObject *hex = PySwigObject_hex(v);    
-  PyObject *repr = PyString_FromFormat("<Swig Object of type '%s' at 0x%s>", name, PyString_AsString(hex));
-  Py_DECREF(hex);
-  if (v->next) {
-#ifdef METH_NOARGS
-    PyObject *nrep = PySwigObject_repr((PySwigObject *)v->next);
-#else
-    PyObject *nrep = PySwigObject_repr((PySwigObject *)v->next, args);
-#endif
-    PyString_ConcatAndDel(&repr,nrep);
-  }
-  return repr;  
-}
-
-SWIGRUNTIME int
-PySwigObject_print(PySwigObject *v, FILE *fp, int SWIGUNUSEDPARM(flags))
-{
-#ifdef METH_NOARGS
-  PyObject *repr = PySwigObject_repr(v);
-#else
-  PyObject *repr = PySwigObject_repr(v, NULL);
-#endif
-  if (repr) {
-    fputs(PyString_AsString(repr), fp);
-    Py_DECREF(repr);
-    return 0; 
-  } else {
-    return 1; 
-  }
-}
-
-SWIGRUNTIME PyObject *
-PySwigObject_str(PySwigObject *v)
-{
-  char result[SWIG_BUFFER_SIZE];
-  return SWIG_PackVoidPtr(result, v->ptr, v->ty->name, sizeof(result)) ?
-    PyString_FromString(result) : 0;
-}
-
-SWIGRUNTIME int
-PySwigObject_compare(PySwigObject *v, PySwigObject *w)
-{
-  void *i = v->ptr;
-  void *j = w->ptr;
-  return (i < j) ? -1 : ((i > j) ? 1 : 0);
-}
-
-SWIGRUNTIME PyTypeObject* _PySwigObject_type(void);
-
-SWIGRUNTIME PyTypeObject*
-PySwigObject_type(void) {
-  static PyTypeObject *SWIG_STATIC_POINTER(type) = _PySwigObject_type();
-  return type;
-}
-
-SWIGRUNTIMEINLINE int
-PySwigObject_Check(PyObject *op) {
-  return ((op)->ob_type == PySwigObject_type())
-    || (strcmp((op)->ob_type->tp_name,"PySwigObject") == 0);
-}
-
-SWIGRUNTIME PyObject *
-PySwigObject_New(void *ptr, swig_type_info *ty, int own);
-
-SWIGRUNTIME void
-PySwigObject_dealloc(PyObject *v)
-{
-  PySwigObject *sobj = (PySwigObject *) v;
-  PyObject *next = sobj->next;
-  if (sobj->own) {
-    swig_type_info *ty = sobj->ty;
-    PySwigClientData *data = ty ? (PySwigClientData *) ty->clientdata : 0;
-    PyObject *destroy = data ? data->destroy : 0;
-    if (destroy) {
-      /* destroy is always a VARARGS method */
-      PyObject *res;
-      if (data->delargs) {
-	/* we need to create a temporal object to carry the destroy operation */
-	PyObject *tmp = PySwigObject_New(sobj->ptr, ty, 0);
-	res = SWIG_Python_CallFunctor(destroy, tmp);
-	Py_DECREF(tmp);
-      } else {
-	PyCFunction meth = PyCFunction_GET_FUNCTION(destroy);
-	PyObject *mself = PyCFunction_GET_SELF(destroy);
-	res = ((*meth)(mself, v));
-      }
-      Py_XDECREF(res);
-    } else {
-      const char *name = SWIG_TypePrettyName(ty);
-#if !defined(SWIG_PYTHON_SILENT_MEMLEAK)
-      printf("swig/python detected a memory leak of type '%s', no destructor found.\n", name);
-#endif
-    }
-  } 
-  Py_XDECREF(next);
-  PyObject_DEL(v);
-}
-
-SWIGRUNTIME PyObject* 
-PySwigObject_append(PyObject* v, PyObject* next)
-{
-  PySwigObject *sobj = (PySwigObject *) v;
-#ifndef METH_O
-  PyObject *tmp = 0;
-  if (!PyArg_ParseTuple(next,(char *)"O:append", &tmp)) return NULL;
-  next = tmp;
-#endif
-  if (!PySwigObject_Check(next)) {
-    return NULL;
-  }
-  sobj->next = next;
-  Py_INCREF(next);
-  return SWIG_Py_Void();
-}
-
-SWIGRUNTIME PyObject* 
-#ifdef METH_NOARGS
-PySwigObject_next(PyObject* v)
-#else
-PySwigObject_next(PyObject* v, PyObject *SWIGUNUSEDPARM(args))
-#endif
-{
-  PySwigObject *sobj = (PySwigObject *) v;
-  if (sobj->next) {    
-    Py_INCREF(sobj->next);
-    return sobj->next;
-  } else {
-    return SWIG_Py_Void();
-  }
-}
-
-SWIGINTERN PyObject*
-#ifdef METH_NOARGS
-PySwigObject_disown(PyObject *v)
-#else
-PySwigObject_disown(PyObject* v, PyObject *SWIGUNUSEDPARM(args))
-#endif
-{
-  PySwigObject *sobj = (PySwigObject *)v;
-  sobj->own = 0;
-  return SWIG_Py_Void();
-}
-
-SWIGINTERN PyObject*
-#ifdef METH_NOARGS
-PySwigObject_acquire(PyObject *v)
-#else
-PySwigObject_acquire(PyObject* v, PyObject *SWIGUNUSEDPARM(args))
-#endif
-{
-  PySwigObject *sobj = (PySwigObject *)v;
-  sobj->own = SWIG_POINTER_OWN;
-  return SWIG_Py_Void();
-}
-
-SWIGINTERN PyObject*
-PySwigObject_own(PyObject *v, PyObject *args)
-{
-  PyObject *val = 0;
-#if (PY_VERSION_HEX < 0x02020000)
-  if (!PyArg_ParseTuple(args,(char *)"|O:own",&val))
-#else
-  if (!PyArg_UnpackTuple(args, (char *)"own", 0, 1, &val)) 
-#endif
-    {
-      return NULL;
-    } 
-  else
-    {
-      PySwigObject *sobj = (PySwigObject *)v;
-      PyObject *obj = PyBool_FromLong(sobj->own);
-      if (val) {
-#ifdef METH_NOARGS
-	if (PyObject_IsTrue(val)) {
-	  PySwigObject_acquire(v);
-	} else {
-	  PySwigObject_disown(v);
-	}
-#else
-	if (PyObject_IsTrue(val)) {
-	  PySwigObject_acquire(v,args);
-	} else {
-	  PySwigObject_disown(v,args);
-	}
-#endif
-      } 
-      return obj;
-    }
-}
-
-#ifdef METH_O
-static PyMethodDef
-swigobject_methods[] = {
-  {(char *)"disown",  (PyCFunction)PySwigObject_disown,  METH_NOARGS,  (char *)"releases ownership of the pointer"},
-  {(char *)"acquire", (PyCFunction)PySwigObject_acquire, METH_NOARGS,  (char *)"aquires ownership of the pointer"},
-  {(char *)"own",     (PyCFunction)PySwigObject_own,     METH_VARARGS, (char *)"returns/sets ownership of the pointer"},
-  {(char *)"append",  (PyCFunction)PySwigObject_append,  METH_O,       (char *)"appends another 'this' object"},
-  {(char *)"next",    (PyCFunction)PySwigObject_next,    METH_NOARGS,  (char *)"returns the next 'this' object"},
-  {(char *)"__repr__",(PyCFunction)PySwigObject_repr,    METH_NOARGS,  (char *)"returns object representation"},
-  {0, 0, 0, 0}  
-};
-#else
-static PyMethodDef
-swigobject_methods[] = {
-  {(char *)"disown",  (PyCFunction)PySwigObject_disown,  METH_VARARGS,  (char *)"releases ownership of the pointer"},
-  {(char *)"acquire", (PyCFunction)PySwigObject_acquire, METH_VARARGS,  (char *)"aquires ownership of the pointer"},
-  {(char *)"own",     (PyCFunction)PySwigObject_own,     METH_VARARGS,  (char *)"returns/sets ownership of the pointer"},
-  {(char *)"append",  (PyCFunction)PySwigObject_append,  METH_VARARGS,  (char *)"appends another 'this' object"},
-  {(char *)"next",    (PyCFunction)PySwigObject_next,    METH_VARARGS,  (char *)"returns the next 'this' object"},
-  {(char *)"__repr__",(PyCFunction)PySwigObject_repr,   METH_VARARGS,  (char *)"returns object representation"},
-  {0, 0, 0, 0}  
-};
-#endif
-
-#if PY_VERSION_HEX < 0x02020000
-SWIGINTERN PyObject *
-PySwigObject_getattr(PySwigObject *sobj,char *name)
-{
-  return Py_FindMethod(swigobject_methods, (PyObject *)sobj, name);
-}
-#endif
-
-SWIGRUNTIME PyTypeObject*
-_PySwigObject_type(void) {
-  static char swigobject_doc[] = "Swig object carries a C/C++ instance pointer";
-  
-  static PyNumberMethods PySwigObject_as_number = {
-    (binaryfunc)0, /*nb_add*/
-    (binaryfunc)0, /*nb_subtract*/
-    (binaryfunc)0, /*nb_multiply*/
-    (binaryfunc)0, /*nb_divide*/
-    (binaryfunc)0, /*nb_remainder*/
-    (binaryfunc)0, /*nb_divmod*/
-    (ternaryfunc)0,/*nb_power*/
-    (unaryfunc)0,  /*nb_negative*/
-    (unaryfunc)0,  /*nb_positive*/
-    (unaryfunc)0,  /*nb_absolute*/
-    (inquiry)0,    /*nb_nonzero*/
-    0,		   /*nb_invert*/
-    0,		   /*nb_lshift*/
-    0,		   /*nb_rshift*/
-    0,		   /*nb_and*/
-    0,		   /*nb_xor*/
-    0,		   /*nb_or*/
-    (coercion)0,   /*nb_coerce*/
-    (unaryfunc)PySwigObject_long, /*nb_int*/
-    (unaryfunc)PySwigObject_long, /*nb_long*/
-    (unaryfunc)0,                 /*nb_float*/
-    (unaryfunc)PySwigObject_oct,  /*nb_oct*/
-    (unaryfunc)PySwigObject_hex,  /*nb_hex*/
-#if PY_VERSION_HEX >= 0x02020000
-    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 /* nb_inplace_add -> nb_inplace_true_divide */ 
-#elif PY_VERSION_HEX >= 0x02000000
-    0,0,0,0,0,0,0,0,0,0,0 /* nb_inplace_add -> nb_inplace_or */
-#endif
-  };
-
-  static PyTypeObject pyswigobject_type;  
-  static int type_init = 0;
-  if (!type_init) {
-    const PyTypeObject tmp
-      = {
-	PyObject_HEAD_INIT(NULL)
-	0,				    /* ob_size */
-	(char *)"PySwigObject",		    /* tp_name */
-	sizeof(PySwigObject),		    /* tp_basicsize */
-	0,			            /* tp_itemsize */
-	(destructor)PySwigObject_dealloc,   /* tp_dealloc */
-	(printfunc)PySwigObject_print,	    /* tp_print */
-#if PY_VERSION_HEX < 0x02020000
-	(getattrfunc)PySwigObject_getattr,  /* tp_getattr */ 
-#else
-	(getattrfunc)0,			    /* tp_getattr */ 
-#endif
-	(setattrfunc)0,			    /* tp_setattr */ 
-	(cmpfunc)PySwigObject_compare,	    /* tp_compare */ 
-	(reprfunc)PySwigObject_repr,	    /* tp_repr */    
-	&PySwigObject_as_number,	    /* tp_as_number */
-	0,				    /* tp_as_sequence */
-	0,				    /* tp_as_mapping */
-	(hashfunc)0,			    /* tp_hash */
-	(ternaryfunc)0,			    /* tp_call */
-	(reprfunc)PySwigObject_str,	    /* tp_str */
-	PyObject_GenericGetAttr,            /* tp_getattro */
-	0,				    /* tp_setattro */
-	0,		                    /* tp_as_buffer */
-	Py_TPFLAGS_DEFAULT,	            /* tp_flags */
-	swigobject_doc, 	            /* tp_doc */        
-	0,                                  /* tp_traverse */
-	0,                                  /* tp_clear */
-	0,                                  /* tp_richcompare */
-	0,                                  /* tp_weaklistoffset */
-#if PY_VERSION_HEX >= 0x02020000
-	0,                                  /* tp_iter */
-	0,                                  /* tp_iternext */
-	swigobject_methods,		    /* tp_methods */ 
-	0,			            /* tp_members */
-	0,				    /* tp_getset */	    	
-	0,			            /* tp_base */	        
-	0,				    /* tp_dict */	    	
-	0,				    /* tp_descr_get */  	
-	0,				    /* tp_descr_set */  	
-	0,				    /* tp_dictoffset */ 	
-	0,				    /* tp_init */	    	
-	0,				    /* tp_alloc */	    	
-	0,			            /* tp_new */	    	
-	0,	                            /* tp_free */	   
-        0,                                  /* tp_is_gc */  
-	0,				    /* tp_bases */   
-	0,				    /* tp_mro */
-	0,				    /* tp_cache */   
- 	0,				    /* tp_subclasses */
-	0,				    /* tp_weaklist */
-#endif
-#if PY_VERSION_HEX >= 0x02030000
-	0,                                  /* tp_del */
-#endif
-#ifdef COUNT_ALLOCS
-	0,0,0,0                             /* tp_alloc -> tp_next */
-#endif
-      };
-    pyswigobject_type = tmp;
-    pyswigobject_type.ob_type = &PyType_Type;
-    type_init = 1;
-  }
-  return &pyswigobject_type;
-}
-
-SWIGRUNTIME PyObject *
-PySwigObject_New(void *ptr, swig_type_info *ty, int own)
-{
-  PySwigObject *sobj = PyObject_NEW(PySwigObject, PySwigObject_type());
-  if (sobj) {
-    sobj->ptr  = ptr;
-    sobj->ty   = ty;
-    sobj->own  = own;
-    sobj->next = 0;
-  }
-  return (PyObject *)sobj;
-}
-
-/* -----------------------------------------------------------------------------
- * Implements a simple Swig Packed type, and use it instead of string
- * ----------------------------------------------------------------------------- */
-
-typedef struct {
-  PyObject_HEAD
-  void *pack;
-  swig_type_info *ty;
-  size_t size;
-} PySwigPacked;
-
-SWIGRUNTIME int
-PySwigPacked_print(PySwigPacked *v, FILE *fp, int SWIGUNUSEDPARM(flags))
-{
-  char result[SWIG_BUFFER_SIZE];
-  fputs("<Swig Packed ", fp); 
-  if (SWIG_PackDataName(result, v->pack, v->size, 0, sizeof(result))) {
-    fputs("at ", fp); 
-    fputs(result, fp); 
-  }
-  fputs(v->ty->name,fp); 
-  fputs(">", fp);
-  return 0; 
-}
-  
-SWIGRUNTIME PyObject *
-PySwigPacked_repr(PySwigPacked *v)
-{
-  char result[SWIG_BUFFER_SIZE];
-  if (SWIG_PackDataName(result, v->pack, v->size, 0, sizeof(result))) {
-    return PyString_FromFormat("<Swig Packed at %s%s>", result, v->ty->name);
-  } else {
-    return PyString_FromFormat("<Swig Packed %s>", v->ty->name);
-  }  
-}
-
-SWIGRUNTIME PyObject *
-PySwigPacked_str(PySwigPacked *v)
-{
-  char result[SWIG_BUFFER_SIZE];
-  if (SWIG_PackDataName(result, v->pack, v->size, 0, sizeof(result))){
-    return PyString_FromFormat("%s%s", result, v->ty->name);
-  } else {
-    return PyString_FromString(v->ty->name);
-  }  
-}
-
-SWIGRUNTIME int
-PySwigPacked_compare(PySwigPacked *v, PySwigPacked *w)
-{
-  size_t i = v->size;
-  size_t j = w->size;
-  int s = (i < j) ? -1 : ((i > j) ? 1 : 0);
-  return s ? s : strncmp((char *)v->pack, (char *)w->pack, 2*v->size);
-}
-
-SWIGRUNTIME PyTypeObject* _PySwigPacked_type(void);
-
-SWIGRUNTIME PyTypeObject*
-PySwigPacked_type(void) {
-  static PyTypeObject *SWIG_STATIC_POINTER(type) = _PySwigPacked_type();
-  return type;
-}
-
-SWIGRUNTIMEINLINE int
-PySwigPacked_Check(PyObject *op) {
-  return ((op)->ob_type == _PySwigPacked_type()) 
-    || (strcmp((op)->ob_type->tp_name,"PySwigPacked") == 0);
-}
-
-SWIGRUNTIME void
-PySwigPacked_dealloc(PyObject *v)
-{
-  if (PySwigPacked_Check(v)) {
-    PySwigPacked *sobj = (PySwigPacked *) v;
-    free(sobj->pack);
-  }
-  PyObject_DEL(v);
-}
-
-SWIGRUNTIME PyTypeObject*
-_PySwigPacked_type(void) {
-  static char swigpacked_doc[] = "Swig object carries a C/C++ instance pointer";
-  static PyTypeObject pyswigpacked_type;
-  static int type_init = 0;  
-  if (!type_init) {
-    const PyTypeObject tmp
-      = {
-	PyObject_HEAD_INIT(NULL)
-	0,				    /* ob_size */	
-	(char *)"PySwigPacked",		    /* tp_name */	
-	sizeof(PySwigPacked),		    /* tp_basicsize */	
-	0,				    /* tp_itemsize */	
-	(destructor)PySwigPacked_dealloc,   /* tp_dealloc */	
-	(printfunc)PySwigPacked_print,	    /* tp_print */   	
-	(getattrfunc)0,			    /* tp_getattr */ 	
-	(setattrfunc)0,			    /* tp_setattr */ 	
-	(cmpfunc)PySwigPacked_compare,	    /* tp_compare */ 	
-	(reprfunc)PySwigPacked_repr,	    /* tp_repr */    	
-	0,	                            /* tp_as_number */	
-	0,				    /* tp_as_sequence */
-	0,				    /* tp_as_mapping */	
-	(hashfunc)0,			    /* tp_hash */	
-	(ternaryfunc)0,			    /* tp_call */	
-	(reprfunc)PySwigPacked_str,	    /* tp_str */	
-	PyObject_GenericGetAttr,            /* tp_getattro */
-	0,				    /* tp_setattro */
-	0,		                    /* tp_as_buffer */
-	Py_TPFLAGS_DEFAULT,	            /* tp_flags */
-	swigpacked_doc, 	            /* tp_doc */
-	0,                                  /* tp_traverse */
-	0,                                  /* tp_clear */
-	0,                                  /* tp_richcompare */
-	0,                                  /* tp_weaklistoffset */
-#if PY_VERSION_HEX >= 0x02020000
-	0,                                  /* tp_iter */
-	0,                                  /* tp_iternext */
-	0,		                    /* tp_methods */ 
-	0,			            /* tp_members */
-	0,				    /* tp_getset */	    	
-	0,			            /* tp_base */	        
-	0,				    /* tp_dict */	    	
-	0,				    /* tp_descr_get */  	
-	0,				    /* tp_descr_set */  	
-	0,				    /* tp_dictoffset */ 	
-	0,				    /* tp_init */	    	
-	0,				    /* tp_alloc */	    	
-	0,			            /* tp_new */	    	
-	0, 	                            /* tp_free */	   
-        0,                                  /* tp_is_gc */  
-	0,				    /* tp_bases */   
-	0,				    /* tp_mro */
-	0,				    /* tp_cache */   
- 	0,				    /* tp_subclasses */
-	0,				    /* tp_weaklist */
-#endif
-#if PY_VERSION_HEX >= 0x02030000
-	0,                                  /* tp_del */
-#endif
-#ifdef COUNT_ALLOCS
-	0,0,0,0                             /* tp_alloc -> tp_next */
-#endif
-      };
-    pyswigpacked_type = tmp;
-    pyswigpacked_type.ob_type = &PyType_Type;
-    type_init = 1;
-  }
-  return &pyswigpacked_type;
-}
-
-SWIGRUNTIME PyObject *
-PySwigPacked_New(void *ptr, size_t size, swig_type_info *ty)
-{
-  PySwigPacked *sobj = PyObject_NEW(PySwigPacked, PySwigPacked_type());
-  if (sobj) {
-    void *pack = malloc(size);
-    if (pack) {
-      memcpy(pack, ptr, size);
-      sobj->pack = pack;
-      sobj->ty   = ty;
-      sobj->size = size;
-    } else {
-      PyObject_DEL((PyObject *) sobj);
-      sobj = 0;
-    }
-  }
-  return (PyObject *) sobj;
-}
-
-SWIGRUNTIME swig_type_info *
-PySwigPacked_UnpackData(PyObject *obj, void *ptr, size_t size)
-{
-  if (PySwigPacked_Check(obj)) {
-    PySwigPacked *sobj = (PySwigPacked *)obj;
-    if (sobj->size != size) return 0;
-    memcpy(ptr, sobj->pack, size);
-    return sobj->ty;
-  } else {
-    return 0;
-  }
-}
-
-/* -----------------------------------------------------------------------------
- * pointers/data manipulation
- * ----------------------------------------------------------------------------- */
-
-SWIGRUNTIMEINLINE PyObject *
-_SWIG_This(void)
-{
-  return PyString_FromString("this");
-}
-
-SWIGRUNTIME PyObject *
-SWIG_This(void)
-{
-  static PyObject *SWIG_STATIC_POINTER(swig_this) = _SWIG_This();
-  return swig_this;
-}
-
-/* #define SWIG_PYTHON_SLOW_GETSET_THIS */
-
-SWIGRUNTIME PySwigObject *
-SWIG_Python_GetSwigThis(PyObject *pyobj) 
-{
-  if (PySwigObject_Check(pyobj)) {
-    return (PySwigObject *) pyobj;
-  } else {
-    PyObject *obj = 0;
-#if (!defined(SWIG_PYTHON_SLOW_GETSET_THIS) && (PY_VERSION_HEX >= 0x02030000))
-    if (PyInstance_Check(pyobj)) {
-      obj = _PyInstance_Lookup(pyobj, SWIG_This());      
-    } else {
-      PyObject **dictptr = _PyObject_GetDictPtr(pyobj);
-      if (dictptr != NULL) {
-	PyObject *dict = *dictptr;
-	obj = dict ? PyDict_GetItem(dict, SWIG_This()) : 0;
-      } else {
-#ifdef PyWeakref_CheckProxy
-	if (PyWeakref_CheckProxy(pyobj)) {
-	  PyObject *wobj = PyWeakref_GET_OBJECT(pyobj);
-	  return wobj ? SWIG_Python_GetSwigThis(wobj) : 0;
-	}
-#endif
-	obj = PyObject_GetAttr(pyobj,SWIG_This());
-	if (obj) {
-	  Py_DECREF(obj);
-	} else {
-	  if (PyErr_Occurred()) PyErr_Clear();
-	  return 0;
-	}
-      }
-    }
-#else
-    obj = PyObject_GetAttr(pyobj,SWIG_This());
-    if (obj) {
-      Py_DECREF(obj);
-    } else {
-      if (PyErr_Occurred()) PyErr_Clear();
-      return 0;
-    }
-#endif
-    if (obj && !PySwigObject_Check(obj)) {
-      /* a PyObject is called 'this', try to get the 'real this'
-	 PySwigObject from it */ 
-      return SWIG_Python_GetSwigThis(obj);
-    }
-    return (PySwigObject *)obj;
-  }
-}
-
-/* Acquire a pointer value */
-
-SWIGRUNTIME int
-SWIG_Python_AcquirePtr(PyObject *obj, int own) {
-  if (own) {
-    PySwigObject *sobj = SWIG_Python_GetSwigThis(obj);
-    if (sobj) {
-      int oldown = sobj->own;
-      sobj->own = own;
-      return oldown;
-    }
-  }
-  return 0;
-}
-
-/* Convert a pointer value */
-
-SWIGRUNTIME int
-SWIG_Python_ConvertPtrAndOwn(PyObject *obj, void **ptr, swig_type_info *ty, int flags, int *own) {
-  if (!obj) return SWIG_ERROR;
-  if (obj == Py_None) {
-    if (ptr) *ptr = 0;
-    return SWIG_OK;
-  } else {
-    PySwigObject *sobj = SWIG_Python_GetSwigThis(obj);
-    while (sobj) {
-      void *vptr = sobj->ptr;
-      if (ty) {
-	swig_type_info *to = sobj->ty;
-	if (to == ty) {
-	  /* no type cast needed */
-	  if (ptr) *ptr = vptr;
-	  break;
-	} else {
-	  swig_cast_info *tc = SWIG_TypeCheck(to->name,ty);
-	  if (!tc) {
-	    sobj = (PySwigObject *)sobj->next;
-	  } else {
-	    if (ptr) *ptr = SWIG_TypeCast(tc,vptr);
-	    break;
-	  }
-	}
-      } else {
-	if (ptr) *ptr = vptr;
-	break;
-      }
-    }
-    if (sobj) {
-      if (own) *own = sobj->own;
-      if (flags & SWIG_POINTER_DISOWN) {
-	sobj->own = 0;
-      }
-      return SWIG_OK;
-    } else {
-      int res = SWIG_ERROR;
-      if (flags & SWIG_POINTER_IMPLICIT_CONV) {
-	PySwigClientData *data = ty ? (PySwigClientData *) ty->clientdata : 0;
-	if (data && !data->implicitconv) {
-	  PyObject *klass = data->klass;
-	  if (klass) {
-	    PyObject *impconv;
-	    data->implicitconv = 1; /* avoid recursion and call 'explicit' constructors*/
-	    impconv = SWIG_Python_CallFunctor(klass, obj);
-	    data->implicitconv = 0;
-	    if (PyErr_Occurred()) {
-	      PyErr_Clear();
-	      impconv = 0;
-	    }
-	    if (impconv) {
-	      PySwigObject *iobj = SWIG_Python_GetSwigThis(impconv);
-	      if (iobj) {
-		void *vptr;
-		res = SWIG_Python_ConvertPtrAndOwn((PyObject*)iobj, &vptr, ty, 0, 0);
-		if (SWIG_IsOK(res)) {
-		  if (ptr) {
-		    *ptr = vptr;
-		    /* transfer the ownership to 'ptr' */
-		    iobj->own = 0;
-		    res = SWIG_AddCast(res);
-		    res = SWIG_AddNewMask(res);
-		  } else {
-		    res = SWIG_AddCast(res);		    
-		  }
-		}
-	      }
-	      Py_DECREF(impconv);
-	    }
-	  }
-	}
-      }
-      return res;
-    }
-  }
-}
-
-/* Convert a function ptr value */
-
-SWIGRUNTIME int
-SWIG_Python_ConvertFunctionPtr(PyObject *obj, void **ptr, swig_type_info *ty) {
-  if (!PyCFunction_Check(obj)) {
-    return SWIG_ConvertPtr(obj, ptr, ty, 0);
-  } else {
-    void *vptr = 0;
-    
-    /* here we get the method pointer for callbacks */
-    const char *doc = (((PyCFunctionObject *)obj) -> m_ml -> ml_doc);
-    const char *desc = doc ? strstr(doc, "swig_ptr: ") : 0;
-    if (desc) {
-      desc = ty ? SWIG_UnpackVoidPtr(desc + 10, &vptr, ty->name) : 0;
-      if (!desc) return SWIG_ERROR;
-    }
-    if (ty) {
-      swig_cast_info *tc = SWIG_TypeCheck(desc,ty);
-      if (!tc) return SWIG_ERROR;
-      *ptr = SWIG_TypeCast(tc,vptr);
-    } else {
-      *ptr = vptr;
-    }
-    return SWIG_OK;
-  }
-}
-
-/* Convert a packed value value */
-
-SWIGRUNTIME int
-SWIG_Python_ConvertPacked(PyObject *obj, void *ptr, size_t sz, swig_type_info *ty) {
-  swig_type_info *to = PySwigPacked_UnpackData(obj, ptr, sz);
-  if (!to) return SWIG_ERROR;
-  if (ty) {
-    if (to != ty) {
-      /* check type cast? */
-      swig_cast_info *tc = SWIG_TypeCheck(to->name,ty);
-      if (!tc) return SWIG_ERROR;
-    }
-  }
-  return SWIG_OK;
-}  
-
-/* -----------------------------------------------------------------------------
- * Create a new pointer object
- * ----------------------------------------------------------------------------- */
-
-/*
-  Create a new instance object, whitout calling __init__, and set the
-  'this' attribute.
-*/
-
-SWIGRUNTIME PyObject* 
-SWIG_Python_NewShadowInstance(PySwigClientData *data, PyObject *swig_this)
-{
-#if (PY_VERSION_HEX >= 0x02020000)
-  PyObject *inst = 0;
-  PyObject *newraw = data->newraw;
-  if (newraw) {
-    inst = PyObject_Call(newraw, data->newargs, NULL);
-    if (inst) {
-#if !defined(SWIG_PYTHON_SLOW_GETSET_THIS)
-      PyObject **dictptr = _PyObject_GetDictPtr(inst);
-      if (dictptr != NULL) {
-	PyObject *dict = *dictptr;
-	if (dict == NULL) {
-	  dict = PyDict_New();
-	  *dictptr = dict;
-	  PyDict_SetItem(dict, SWIG_This(), swig_this);
-	}
-      }
-#else
-      PyObject *key = SWIG_This();
-      PyObject_SetAttr(inst, key, swig_this);
-#endif
-    }
-  } else {
-    PyObject *dict = PyDict_New();
-    PyDict_SetItem(dict, SWIG_This(), swig_this);
-    inst = PyInstance_NewRaw(data->newargs, dict);
-    Py_DECREF(dict);
-  }
-  return inst;
-#else
-#if (PY_VERSION_HEX >= 0x02010000)
-  PyObject *inst;
-  PyObject *dict = PyDict_New();
-  PyDict_SetItem(dict, SWIG_This(), swig_this);
-  inst = PyInstance_NewRaw(data->newargs, dict);
-  Py_DECREF(dict);
-  return (PyObject *) inst;
-#else
-  PyInstanceObject *inst = PyObject_NEW(PyInstanceObject, &PyInstance_Type);
-  if (inst == NULL) {
-    return NULL;
-  }
-  inst->in_class = (PyClassObject *)data->newargs;
-  Py_INCREF(inst->in_class);
-  inst->in_dict = PyDict_New();
-  if (inst->in_dict == NULL) {
-    Py_DECREF(inst);
-    return NULL;
-  }
-#ifdef Py_TPFLAGS_HAVE_WEAKREFS
-  inst->in_weakreflist = NULL;
-#endif
-#ifdef Py_TPFLAGS_GC
-  PyObject_GC_Init(inst);
-#endif
-  PyDict_SetItem(inst->in_dict, SWIG_This(), swig_this);
-  return (PyObject *) inst;
-#endif
-#endif
-}
-
-SWIGRUNTIME void
-SWIG_Python_SetSwigThis(PyObject *inst, PyObject *swig_this)
-{
- PyObject *dict;
-#if (PY_VERSION_HEX >= 0x02020000) && !defined(SWIG_PYTHON_SLOW_GETSET_THIS)
- PyObject **dictptr = _PyObject_GetDictPtr(inst);
- if (dictptr != NULL) {
-   dict = *dictptr;
-   if (dict == NULL) {
-     dict = PyDict_New();
-     *dictptr = dict;
-   }
-   PyDict_SetItem(dict, SWIG_This(), swig_this);
-   return;
- }
-#endif
- dict = PyObject_GetAttrString(inst, (char*)"__dict__");
- PyDict_SetItem(dict, SWIG_This(), swig_this);
- Py_DECREF(dict);
-} 
-
-
-SWIGINTERN PyObject *
-SWIG_Python_InitShadowInstance(PyObject *args) {
-  PyObject *obj[2];
-  if (!SWIG_Python_UnpackTuple(args,(char*)"swiginit", 2, 2, obj)) {
-    return NULL;
-  } else {
-    PySwigObject *sthis = SWIG_Python_GetSwigThis(obj[0]);
-    if (sthis) {
-      PySwigObject_append((PyObject*) sthis, obj[1]);
-    } else {
-      SWIG_Python_SetSwigThis(obj[0], obj[1]);
-    }
-    return SWIG_Py_Void();
-  }
-}
-
-/* Create a new pointer object */
-
-SWIGRUNTIME PyObject *
-SWIG_Python_NewPointerObj(void *ptr, swig_type_info *type, int flags) {
-  if (!ptr) {
-    return SWIG_Py_Void();
-  } else {
-    int own = (flags & SWIG_POINTER_OWN) ? SWIG_POINTER_OWN : 0;
-    PyObject *robj = PySwigObject_New(ptr, type, own);
-    PySwigClientData *clientdata = type ? (PySwigClientData *)(type->clientdata) : 0;
-    if (clientdata && !(flags & SWIG_POINTER_NOSHADOW)) {
-      PyObject *inst = SWIG_Python_NewShadowInstance(clientdata, robj);
-      if (inst) {
-	Py_DECREF(robj);
-	robj = inst;
-      }
-    }
-    return robj;
-  }
-}
-
-/* Create a new packed object */
-
-SWIGRUNTIMEINLINE PyObject *
-SWIG_Python_NewPackedObj(void *ptr, size_t sz, swig_type_info *type) {
-  return ptr ? PySwigPacked_New((void *) ptr, sz, type) : SWIG_Py_Void();
-}
-
-/* -----------------------------------------------------------------------------*
- *  Get type list 
- * -----------------------------------------------------------------------------*/
-
-#ifdef SWIG_LINK_RUNTIME
-void *SWIG_ReturnGlobalTypeList(void *);
-#endif
-
-SWIGRUNTIME swig_module_info *
-SWIG_Python_GetModule(void) {
-  static void *type_pointer = (void *)0;
-  /* first check if module already created */
-  if (!type_pointer) {
-#ifdef SWIG_LINK_RUNTIME
-    type_pointer = SWIG_ReturnGlobalTypeList((void *)0);
-#else
-    type_pointer = PyCObject_Import((char*)"swig_runtime_data" SWIG_RUNTIME_VERSION,
-				    (char*)"type_pointer" SWIG_TYPE_TABLE_NAME);
-    if (PyErr_Occurred()) {
-      PyErr_Clear();
-      type_pointer = (void *)0;
-    }
-#endif
-  }
-  return (swig_module_info *) type_pointer;
-}
-
-#if PY_MAJOR_VERSION < 2
-/* PyModule_AddObject function was introduced in Python 2.0.  The following function
-   is copied out of Python/modsupport.c in python version 2.3.4 */
-SWIGINTERN int
-PyModule_AddObject(PyObject *m, char *name, PyObject *o)
-{
-  PyObject *dict;
-  if (!PyModule_Check(m)) {
-    PyErr_SetString(PyExc_TypeError,
-		    "PyModule_AddObject() needs module as first arg");
-    return SWIG_ERROR;
-  }
-  if (!o) {
-    PyErr_SetString(PyExc_TypeError,
-		    "PyModule_AddObject() needs non-NULL value");
-    return SWIG_ERROR;
-  }
-  
-  dict = PyModule_GetDict(m);
-  if (dict == NULL) {
-    /* Internal error -- modules must have a dict! */
-    PyErr_Format(PyExc_SystemError, "module '%s' has no __dict__",
-		 PyModule_GetName(m));
-    return SWIG_ERROR;
-  }
-  if (PyDict_SetItemString(dict, name, o))
-    return SWIG_ERROR;
-  Py_DECREF(o);
-  return SWIG_OK;
-}
-#endif
-
-SWIGRUNTIME void
-SWIG_Python_DestroyModule(void *vptr)
-{
-  swig_module_info *swig_module = (swig_module_info *) vptr;
-  swig_type_info **types = swig_module->types;
-  size_t i;
-  for (i =0; i < swig_module->size; ++i) {
-    swig_type_info *ty = types[i];
-    if (ty->owndata) {
-      PySwigClientData *data = (PySwigClientData *) ty->clientdata;
-      if (data) PySwigClientData_Del(data);
-    }
-  }
-  Py_DECREF(SWIG_This());
-}
-
-SWIGRUNTIME void
-SWIG_Python_SetModule(swig_module_info *swig_module) {
-  static PyMethodDef swig_empty_runtime_method_table[] = { {NULL, NULL, 0, NULL} };/* Sentinel */
-
-  PyObject *module = Py_InitModule((char*)"swig_runtime_data" SWIG_RUNTIME_VERSION,
-				   swig_empty_runtime_method_table);
-  PyObject *pointer = PyCObject_FromVoidPtr((void *) swig_module, SWIG_Python_DestroyModule);
-  if (pointer && module) {
-    PyModule_AddObject(module, (char*)"type_pointer" SWIG_TYPE_TABLE_NAME, pointer);
-  } else {
-    Py_XDECREF(pointer);
-  }
-}
-
-/* The python cached type query */
-SWIGRUNTIME PyObject *
-SWIG_Python_TypeCache(void) {
-  static PyObject *SWIG_STATIC_POINTER(cache) = PyDict_New();
-  return cache;
-}
-
-SWIGRUNTIME swig_type_info *
-SWIG_Python_TypeQuery(const char *type)
-{
-  PyObject *cache = SWIG_Python_TypeCache();
-  PyObject *key = PyString_FromString(type); 
-  PyObject *obj = PyDict_GetItem(cache, key);
-  swig_type_info *descriptor;
-  if (obj) {
-    descriptor = (swig_type_info *) PyCObject_AsVoidPtr(obj);
-  } else {
-    swig_module_info *swig_module = SWIG_Python_GetModule();
-    descriptor = SWIG_TypeQueryModule(swig_module, swig_module, type);
-    if (descriptor) {
-      obj = PyCObject_FromVoidPtr(descriptor, NULL);
-      PyDict_SetItem(cache, key, obj);
-      Py_DECREF(obj);
-    }
-  }
-  Py_DECREF(key);
-  return descriptor;
-}
-
-/* 
-   For backward compatibility only
-*/
-#define SWIG_POINTER_EXCEPTION  0
-#define SWIG_arg_fail(arg)      SWIG_Python_ArgFail(arg)
-#define SWIG_MustGetPtr(p, type, argnum, flags)  SWIG_Python_MustGetPtr(p, type, argnum, flags)
-
-SWIGRUNTIME int
-SWIG_Python_AddErrMesg(const char* mesg, int infront)
-{
-  if (PyErr_Occurred()) {
-    PyObject *type = 0;
-    PyObject *value = 0;
-    PyObject *traceback = 0;
-    PyErr_Fetch(&type, &value, &traceback);
-    if (value) {
-      PyObject *old_str = PyObject_Str(value);
-      Py_XINCREF(type);
-      PyErr_Clear();
-      if (infront) {
-	PyErr_Format(type, "%s %s", mesg, PyString_AsString(old_str));
-      } else {
-	PyErr_Format(type, "%s %s", PyString_AsString(old_str), mesg);
-      }
-      Py_DECREF(old_str);
-    }
-    return 1;
-  } else {
-    return 0;
-  }
-}
-  
-SWIGRUNTIME int
-SWIG_Python_ArgFail(int argnum)
-{
-  if (PyErr_Occurred()) {
-    /* add information about failing argument */
-    char mesg[256];
-    PyOS_snprintf(mesg, sizeof(mesg), "argument number %d:", argnum);
-    return SWIG_Python_AddErrMesg(mesg, 1);
-  } else {
-    return 0;
-  }
-}
-
-SWIGRUNTIMEINLINE const char *
-PySwigObject_GetDesc(PyObject *self)
-{
-  PySwigObject *v = (PySwigObject *)self;
-  swig_type_info *ty = v ? v->ty : 0;
-  return ty ? ty->str : (char*)"";
-}
-
-SWIGRUNTIME void
-SWIG_Python_TypeError(const char *type, PyObject *obj)
-{
-  if (type) {
-#if defined(SWIG_COBJECT_TYPES)
-    if (obj && PySwigObject_Check(obj)) {
-      const char *otype = (const char *) PySwigObject_GetDesc(obj);
-      if (otype) {
-	PyErr_Format(PyExc_TypeError, "a '%s' is expected, 'PySwigObject(%s)' is received",
-		     type, otype);
-	return;
-      }
-    } else 
-#endif      
-    {
-      const char *otype = (obj ? obj->ob_type->tp_name : 0); 
-      if (otype) {
-	PyObject *str = PyObject_Str(obj);
-	const char *cstr = str ? PyString_AsString(str) : 0;
-	if (cstr) {
-	  PyErr_Format(PyExc_TypeError, "a '%s' is expected, '%s(%s)' is received",
-		       type, otype, cstr);
-	} else {
-	  PyErr_Format(PyExc_TypeError, "a '%s' is expected, '%s' is received",
-		       type, otype);
-	}
-	Py_XDECREF(str);
-	return;
-      }
-    }   
-    PyErr_Format(PyExc_TypeError, "a '%s' is expected", type);
-  } else {
-    PyErr_Format(PyExc_TypeError, "unexpected type is received");
-  }
-}
-
-
-/* Convert a pointer value, signal an exception on a type mismatch */
-SWIGRUNTIME void *
-SWIG_Python_MustGetPtr(PyObject *obj, swig_type_info *ty, int argnum, int flags) {
-  void *result;
-  if (SWIG_Python_ConvertPtr(obj, &result, ty, flags) == -1) {
-    PyErr_Clear();
-    if (flags & SWIG_POINTER_EXCEPTION) {
-      SWIG_Python_TypeError(SWIG_TypePrettyName(ty), obj);
-      SWIG_Python_ArgFail(argnum);
-    }
-  }
-  return result;
-}
-
-
-#ifdef __cplusplus
-#if 0
-{ /* cc-mode */
-#endif
-}
-#endif
-
-
-
-#define SWIG_exception_fail(code, msg) do { SWIG_Error(code, msg); SWIG_fail; } while(0) 
-
-#define SWIG_contract_assert(expr, msg) if (!(expr)) { SWIG_Error(SWIG_RuntimeError, msg); SWIG_fail; } else 
-
-
-
-/* -------- TYPES TABLE (BEGIN) -------- */
-
-#define SWIGTYPE_p_BroCompactEventFunc swig_types[0]
-#define SWIGTYPE_p_char swig_types[1]
-#define SWIGTYPE_p_void swig_types[2]
-static swig_type_info *swig_types[4];
-static swig_module_info swig_module = {swig_types, 3, 0, 0, 0, 0};
-#define SWIG_TypeQuery(name) SWIG_TypeQueryModule(&swig_module, &swig_module, name)
-#define SWIG_MangledTypeQuery(name) SWIG_MangledTypeQueryModule(&swig_module, &swig_module, name)
-
-/* -------- TYPES TABLE (END) -------- */
-
-#if (PY_VERSION_HEX <= 0x02000000)
-# if !defined(SWIG_PYTHON_CLASSIC)
-#  error "This python version requires swig to be run with the '-classic' option"
-# endif
-#endif
-
-/*-----------------------------------------------
-              @(target):= _broccoli_intern.so
-  ------------------------------------------------*/
-#define SWIG_init    init_broccoli_intern
-
-#define SWIG_name    "_broccoli_intern"
-
-#define SWIGVERSION 0x010331 
-#define SWIG_VERSION SWIGVERSION
-
-
-#define SWIG_as_voidptr(a) (void *)((const void *)(a)) 
-#define SWIG_as_voidptrptr(a) ((void)SWIG_as_voidptr(*a),(void**)(a)) 
-
-
-// Include the header in the wrapper code.
-#include <broccoli.h>
-
-// Broccoli internal struct. Easier to copy that here than to include a bunch
-// of Broccoli's internal headers.  
-struct bro_record {
-    void *val_list;
-    int val_len;
-};
-    
-typedef BroRecord bro_record ;
-
-// Builds a 2-tuple (type, object).     
-PyObject* makeTypeTuple(int type, PyObject *val)
-{
- 	PyObject *tuple = PyTuple_New(2);
-    PyTuple_SetItem(tuple, 0, PyInt_FromLong(type));
-    PyTuple_SetItem(tuple, 1, val);
-    return tuple;
-}
-
-// Parses a 2-tuple (type, object). Return 1 on success. 
-// Borrows input's reference to object.
-int parseTypeTuple(PyObject* input, int *type, PyObject **val)
-{
-    if ( ! (PyTuple_Check(input) && PyTuple_Size(input) == 2) ) {
-		PyErr_SetString(PyExc_RuntimeError, "argument must be 2-tuple");
-		return 0;
-    }
-    
-	PyObject *ptype = PyTuple_GetItem(input, 0);
-	PyObject *pval = PyTuple_GetItem(input, 1);
-	
-	if ( ! PyInt_Check(ptype) ) {
-		PyErr_SetString(PyExc_RuntimeError, "first tuple element must be integer");
-		return 0;
-    }
-    
-    *type = PyInt_AsLong(ptype);
-    
-	if ( *type < 0 || *type > BRO_TYPE_MAX ) {
-		PyErr_SetString(PyExc_RuntimeError, "unknown type in tuple");
-		return 0;
-    }
-    
-    *val = pval;
-    return 1;
-}
-
-// Release the memory associated with the Broccoli value.
-void freeBroccoliVal(int type, void* data)
-{
-    if ( ! data )
-        return;
-    
-    switch ( type ) {
-      case BRO_TYPE_STRING:
-        free(((BroString *)data)->str_val);
-        free(data);
-        break;
-        
-      case BRO_TYPE_RECORD:
-        bro_record_free((BroRecord *)data);
-        break;
-        
-      default:
-        free(data);
-    }
-    
-}
-
-// Converts a Broccoli value into a Python object.
-PyObject* valToPyObj(int type, void* data)
-{
- 	PyObject* val = 0;
-
-	switch (type) {
-      case BRO_TYPE_BOOL:
-        val = PyBool_FromLong(*((int *)data));   
-        break;
-        
-      case BRO_TYPE_INT:
-      case BRO_TYPE_COUNT:
-      case BRO_TYPE_COUNTER:
-      case BRO_TYPE_IPADDR:
-      case BRO_TYPE_NET: {
-        val = PyInt_FromLong(*((long *)data));
-        break;
-      }
-        
-      case BRO_TYPE_DOUBLE:
-      case BRO_TYPE_TIME:
-      case BRO_TYPE_INTERVAL: {
-          val = PyFloat_FromDouble(*((double *)data));
-          break;
-      }
-        
-      case BRO_TYPE_STRING: {
-          BroString *str = (BroString*)data;
-          val = PyString_FromStringAndSize(str->str_val, str->str_len);
-          break;
-      }
-
-      case BRO_TYPE_ENUM: {
-          val = PyTuple_New(2);
-          PyTuple_SetItem(val, 0, PyBool_FromLong(*((int *)data)));
-          PyTuple_SetItem(val, 1, PyString_FromString("broccoli-doesnt-give-use-the-enum-type! :-("));
-          break;
-      }
-        
-        
-      case BRO_TYPE_PORT: {
-          BroPort *port = (BroPort*)data;
-          val = PyTuple_New(2);
-          PyTuple_SetItem(val, 0, PyInt_FromLong(port->port_num));
-          PyTuple_SetItem(val, 1, PyInt_FromLong(port->port_proto));
-          break;
-      }
-            
-      case BRO_TYPE_SUBNET: {
-          BroSubnet *subnet = (BroSubnet*)data;
-          val = PyTuple_New(2);
-          PyTuple_SetItem(val, 0, PyInt_FromLong(subnet->sn_net));
-          PyTuple_SetItem(val, 1, PyInt_FromLong(subnet->sn_width));
-          break;
-      }
-        
-      case BRO_TYPE_RECORD: { 
-          BroRecord *rec = (BroRecord*)data;
-          PyObject *fields = PyList_New(rec->val_len);
-          int i;
-          for ( i = 0; i < rec->val_len; i++ ) {
-              int type = BRO_TYPE_UNKNOWN;
-              void *data = bro_record_get_nth_val(rec, i, &type);
-              PyList_SetItem(fields, i, valToPyObj(type, data));
-          }
-          val = fields;
-          break;
-      }
-    
-      default:
-        PyErr_SetString(PyExc_RuntimeError, "unknown type");
-        return 0;
-        
-    }
-    
-    return makeTypeTuple(type, val);
-}
-    
-// Converts a Python object into Broccoli value.
-int pyObjToVal(PyObject *val, int type, const char **type_name, void** data)
-{
-	*type_name = 0;
-    *data = 0;
-
-    switch (type) {
-      case BRO_TYPE_BOOL:
-      case BRO_TYPE_INT:
-      case BRO_TYPE_COUNT:
-      case BRO_TYPE_COUNTER:
-      case BRO_TYPE_IPADDR:
-      case BRO_TYPE_NET: {
-          int* tmp = (int *)malloc(sizeof(int));
-		  *tmp = PyInt_AsLong(val);
-          *data = tmp;
-          break;
-      }
-        
-      case BRO_TYPE_DOUBLE:
-      case BRO_TYPE_TIME:
-      case BRO_TYPE_INTERVAL: {
-          double* tmp = (double *)malloc(sizeof(double));
-		  *tmp = PyFloat_AsDouble(val);
-          *data = tmp;
-          break;
-      }
-
-      case BRO_TYPE_STRING: {
-          BroString* str = (BroString *)malloc(sizeof(BroString));
-          
-          const char* tmp = PyString_AsString(val);
-          if ( ! tmp )
-              return 0;
-          
-          str->str_len = strlen(tmp);
-          str->str_val = strdup(tmp);
-          *data = str;
-          break;
-      }
-
-      case BRO_TYPE_ENUM: {
-          if ( ! (PyTuple_Check(val) && PyTuple_Size(val) == 2) ) {
-              PyErr_SetString(PyExc_RuntimeError, "enum must be 2-tuple");
-              return 0;
-          }
-          
-          int* tmp = (int *)malloc(sizeof(int));
-		  *tmp = PyInt_AsLong(PyTuple_GetItem(val, 0));
-          *data = tmp;
-          
-          const char* enum_type = PyString_AsString(PyTuple_GetItem(val, 1));
-          if ( ! enum_type )
-              return 0;
-          
-          *type_name = strdup(enum_type);
-          break;
-      }
-        
-      case BRO_TYPE_PORT: {
-          if ( ! (PyTuple_Check(val) && PyTuple_Size(val) == 2) ) {
-              PyErr_SetString(PyExc_RuntimeError, "port must be 2-tuple");
-              return 0;
-          }
-    
-          BroPort* port = (BroPort *)malloc(sizeof(BroPort));
-          port->port_num = PyInt_AsLong(PyTuple_GetItem(val, 0));
-          port->port_proto = PyInt_AsLong(PyTuple_GetItem(val, 1));
-          *data = port;
-          break;
-      }
-            
-      case BRO_TYPE_SUBNET: {
-          if ( ! (PyTuple_Check(val) && PyTuple_Size(val) == 2) ) {
-              PyErr_SetString(PyExc_RuntimeError, "subnet must be 2-tuple");
-              return 0;
-          }
-    
-          BroSubnet* subnet = (BroSubnet *)malloc(sizeof(BroSubnet));
-          subnet->sn_net = PyInt_AsLong(PyTuple_GetItem(val, 0));
-          subnet->sn_width = PyInt_AsLong(PyTuple_GetItem(val, 1));
-          *data = subnet;
-          break;
-      }
-        
-      case BRO_TYPE_RECORD: {
-          BroRecord *rec = bro_record_new();
-          int i;
-          for ( i = 0; i < PyList_Size(val); i++ ) {
-              int ftype;
-              PyObject *fval;
-              if ( ! parseTypeTuple(PyList_GetItem(val, i), &ftype, &fval) )
-                  return 0;
-                  
-              const char *ftype_name;
-              void *fdata;
-              if ( ! pyObjToVal(fval, ftype, &ftype_name, &fdata) ) 
-                  return 0;
-              
-              bro_record_add_val(rec, "<unknown>", ftype, 0, fdata);
-              freeBroccoliVal(ftype, fdata);
-          }
-          
-          *data = rec;
-          break;
-      }
-        
-      default:
-        PyErr_SetString(PyExc_RuntimeError, "unknown type");
-        return 0;
-    }
-    
-    return 1;
-}
-
-// C-level event handler for events. We register all events with this callback,
-// passing the target Python function in via data. 
-void event_callback(BroConn *bc, void *data, BroEvMeta *meta)
-{
-    PyObject *func = (PyObject*)data;
-    
-	int i;
-	PyObject *pyargs = PyTuple_New(meta->ev_numargs);
-	for ( i = 0; i < meta->ev_numargs; i++ )
-		PyTuple_SetItem(pyargs, i, valToPyObj(meta->ev_args[i].arg_type, meta->ev_args[i].arg_data));
-	
-	PyObject *result = PyObject_Call(func, pyargs, 0);
-
-    Py_DECREF(pyargs);
-    
-    if ( result )
-	    Py_DECREF(result);
-}
-
-
-
-  #define SWIG_From_long   PyInt_FromLong 
-
-
-SWIGINTERNINLINE PyObject *
-SWIG_From_int  (int value)
-{    
-  return SWIG_From_long  (value);
-}
-
-
-SWIGINTERN swig_type_info*
-SWIG_pchar_descriptor(void)
-{
-  static int init = 0;
-  static swig_type_info* info = 0;
-  if (!init) {
-    info = SWIG_TypeQuery("_p_char");
-    init = 1;
-  }
-  return info;
-}
-
-
-SWIGINTERN int
-SWIG_AsCharPtrAndSize(PyObject *obj, char** cptr, size_t* psize, int *alloc)
-{
-  if (PyString_Check(obj)) {
-    char *cstr; Py_ssize_t len;
-    PyString_AsStringAndSize(obj, &cstr, &len);
-    if (cptr)  {
-      if (alloc) {
-	/* 
-	   In python the user should not be able to modify the inner
-	   string representation. To warranty that, if you define
-	   SWIG_PYTHON_SAFE_CSTRINGS, a new/copy of the python string
-	   buffer is always returned.
-
-	   The default behavior is just to return the pointer value,
-	   so, be careful.
-	*/ 
-#if defined(SWIG_PYTHON_SAFE_CSTRINGS)
-	if (*alloc != SWIG_OLDOBJ) 
-#else
-	if (*alloc == SWIG_NEWOBJ) 
-#endif
-	  {
-	    *cptr = (char *)memcpy((char *)malloc((len + 1)*sizeof(char)), cstr, sizeof(char)*(len + 1));
-	    *alloc = SWIG_NEWOBJ;
-	  }
-	else {
-	  *cptr = cstr;
-	  *alloc = SWIG_OLDOBJ;
-	}
-      } else {
-	*cptr = PyString_AsString(obj);
-      }
-    }
-    if (psize) *psize = len + 1;
-    return SWIG_OK;
-  } else {
-    swig_type_info* pchar_descriptor = SWIG_pchar_descriptor();
-    if (pchar_descriptor) {
-      void* vptr = 0;
-      if (SWIG_ConvertPtr(obj, &vptr, pchar_descriptor, 0) == SWIG_OK) {
-	if (cptr) *cptr = (char *) vptr;
-	if (psize) *psize = vptr ? (strlen((char *)vptr) + 1) : 0;
-	if (alloc) *alloc = SWIG_OLDOBJ;
-	return SWIG_OK;
-      }
-    }
-  }
-  return SWIG_TypeError;
-}
-
-
-
-
-
-#include <limits.h>
-#ifndef LLONG_MIN
-# define LLONG_MIN	LONG_LONG_MIN
-#endif
-#ifndef LLONG_MAX
-# define LLONG_MAX	LONG_LONG_MAX
-#endif
-#ifndef ULLONG_MAX
-# define ULLONG_MAX	ULONG_LONG_MAX
-#endif
-
-
-SWIGINTERN int
-SWIG_AsVal_double (PyObject *obj, double *val)
-{
-  int res = SWIG_TypeError;
-  if (PyFloat_Check(obj)) {
-    if (val) *val = PyFloat_AsDouble(obj);
-    return SWIG_OK;
-  } else if (PyInt_Check(obj)) {
-    if (val) *val = PyInt_AsLong(obj);
-    return SWIG_OK;
-  } else if (PyLong_Check(obj)) {
-    double v = PyLong_AsDouble(obj);
-    if (!PyErr_Occurred()) {
-      if (val) *val = v;
-      return SWIG_OK;
-    } else {
-      PyErr_Clear();
-    }
-  }
-#ifdef SWIG_PYTHON_CAST_MODE
-  {
-    int dispatch = 0;
-    double d = PyFloat_AsDouble(obj);
-    if (!PyErr_Occurred()) {
-      if (val) *val = d;
-      return SWIG_AddCast(SWIG_OK);
-    } else {
-      PyErr_Clear();
-    }
-    if (!dispatch) {
-      long v = PyLong_AsLong(obj);
-      if (!PyErr_Occurred()) {
-	if (val) *val = v;
-	return SWIG_AddCast(SWIG_AddCast(SWIG_OK));
-      } else {
-	PyErr_Clear();
-      }
-    }
-  }
-#endif
-  return res;
-}
-
-
-#include <float.h>
-
-
-#include <math.h>
-
-
-SWIGINTERNINLINE int
-SWIG_CanCastAsInteger(double *d, double min, double max) {
-  double x = *d;
-  if ((min <= x && x <= max)) {
-   double fx = floor(x);
-   double cx = ceil(x);
-   double rd =  ((x - fx) < 0.5) ? fx : cx; /* simple rint */
-   if ((errno == EDOM) || (errno == ERANGE)) {
-     errno = 0;
-   } else {
-     double summ, reps, diff;
-     if (rd < x) {
-       diff = x - rd;
-     } else if (rd > x) {
-       diff = rd - x;
-     } else {
-       return 1;
-     }
-     summ = rd + x;
-     reps = diff/summ;
-     if (reps < 8*DBL_EPSILON) {
-       *d = rd;
-       return 1;
-     }
-   }
-  }
-  return 0;
-}
-
-
-SWIGINTERN int
-SWIG_AsVal_long (PyObject *obj, long* val)
-{
-  if (PyInt_Check(obj)) {
-    if (val) *val = PyInt_AsLong(obj);
-    return SWIG_OK;
-  } else if (PyLong_Check(obj)) {
-    long v = PyLong_AsLong(obj);
-    if (!PyErr_Occurred()) {
-      if (val) *val = v;
-      return SWIG_OK;
-    } else {
-      PyErr_Clear();
-    }
-  }
-#ifdef SWIG_PYTHON_CAST_MODE
-  {
-    int dispatch = 0;
-    long v = PyInt_AsLong(obj);
-    if (!PyErr_Occurred()) {
-      if (val) *val = v;
-      return SWIG_AddCast(SWIG_OK);
-    } else {
-      PyErr_Clear();
-    }
-    if (!dispatch) {
-      double d;
-      int res = SWIG_AddCast(SWIG_AsVal_double (obj,&d));
-      if (SWIG_IsOK(res) && SWIG_CanCastAsInteger(&d, LONG_MIN, LONG_MAX)) {
-	if (val) *val = (long)(d);
-	return res;
-      }
-    }
-  }
-#endif
-  return SWIG_TypeError;
-}
-
-
-SWIGINTERN int
-SWIG_AsVal_int (PyObject * obj, int *val)
-{
-  long v;
-  int res = SWIG_AsVal_long (obj, &v);
-  if (SWIG_IsOK(res)) {
-    if ((v < INT_MIN || v > INT_MAX)) {
-      return SWIG_OverflowError;
-    } else {
-      if (val) *val = (int)(v);
-    }
-  }  
-  return res;
-}
-
-
-  #define SWIG_From_double   PyFloat_FromDouble 
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-SWIGINTERN PyObject *_wrap_bro_init(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
-  PyObject *resultobj = 0;
-  BroCtx *arg1 = (BroCtx *) 0 ;
-  int result;
-  int res1 ;
-  PyObject * obj0 = 0 ;
-  
-  if (!PyArg_ParseTuple(args,(char *)"O:bro_init",&obj0)) SWIG_fail;
-  res1 = SWIG_ConvertPtr(obj0,SWIG_as_voidptrptr(&arg1), 0, 0);
-  if (!SWIG_IsOK(res1)) {
-    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "bro_init" "', argument " "1"" of type '" "BroCtx const *""'"); 
-  }
-  result = (int)bro_init((void const *)arg1);
-  resultobj = SWIG_From_int((int)(result));
-  return resultobj;
-fail:
-  return NULL;
-}
-
-
-SWIGINTERN PyObject *_wrap_bro_conn_new_str(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
-  PyObject *resultobj = 0;
-  char *arg1 = (char *) 0 ;
-  int arg2 ;
-  BroConn *result = 0 ;
-  int res1 ;
-  char *buf1 = 0 ;
-  int alloc1 = 0 ;
-  int val2 ;
-  int ecode2 = 0 ;
-  PyObject * obj0 = 0 ;
-  PyObject * obj1 = 0 ;
-  
-  if (!PyArg_ParseTuple(args,(char *)"OO:bro_conn_new_str",&obj0,&obj1)) SWIG_fail;
-  res1 = SWIG_AsCharPtrAndSize(obj0, &buf1, NULL, &alloc1);
-  if (!SWIG_IsOK(res1)) {
-    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "bro_conn_new_str" "', argument " "1"" of type '" "char const *""'");
-  }
-  arg1 = (char *)(buf1);
-  ecode2 = SWIG_AsVal_int(obj1, &val2);
-  if (!SWIG_IsOK(ecode2)) {
-    SWIG_exception_fail(SWIG_ArgError(ecode2), "in method '" "bro_conn_new_str" "', argument " "2"" of type '" "int""'");
-  } 
-  arg2 = (int)(val2);
-  result = (BroConn *)bro_conn_new_str((char const *)arg1,arg2);
-  resultobj = SWIG_NewPointerObj(SWIG_as_voidptr(result), SWIGTYPE_p_void, 0 |  0 );
-  if (alloc1 == SWIG_NEWOBJ) free((char*)buf1);
-  return resultobj;
-fail:
-  if (alloc1 == SWIG_NEWOBJ) free((char*)buf1);
-  return NULL;
-}
-
-
-SWIGINTERN PyObject *_wrap_bro_conn_set_class(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
-  PyObject *resultobj = 0;
-  BroConn *arg1 = (BroConn *) 0 ;
-  char *arg2 = (char *) 0 ;
-  int res1 ;
-  int res2 ;
-  char *buf2 = 0 ;
-  int alloc2 = 0 ;
-  PyObject * obj0 = 0 ;
-  PyObject * obj1 = 0 ;
-  
-  if (!PyArg_ParseTuple(args,(char *)"OO:bro_conn_set_class",&obj0,&obj1)) SWIG_fail;
-  res1 = SWIG_ConvertPtr(obj0,SWIG_as_voidptrptr(&arg1), 0, 0);
-  if (!SWIG_IsOK(res1)) {
-    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "bro_conn_set_class" "', argument " "1"" of type '" "BroConn *""'"); 
-  }
-  res2 = SWIG_AsCharPtrAndSize(obj1, &buf2, NULL, &alloc2);
-  if (!SWIG_IsOK(res2)) {
-    SWIG_exception_fail(SWIG_ArgError(res2), "in method '" "bro_conn_set_class" "', argument " "2"" of type '" "char const *""'");
-  }
-  arg2 = (char *)(buf2);
-  bro_conn_set_class(arg1,(char const *)arg2);
-  resultobj = SWIG_Py_Void();
-  if (alloc2 == SWIG_NEWOBJ) free((char*)buf2);
-  return resultobj;
-fail:
-  if (alloc2 == SWIG_NEWOBJ) free((char*)buf2);
-  return NULL;
-}
-
-
-SWIGINTERN PyObject *_wrap_bro_conn_connect(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
-  PyObject *resultobj = 0;
-  BroConn *arg1 = (BroConn *) 0 ;
-  int result;
-  int res1 ;
-  PyObject * obj0 = 0 ;
-  
-  if (!PyArg_ParseTuple(args,(char *)"O:bro_conn_connect",&obj0)) SWIG_fail;
-  res1 = SWIG_ConvertPtr(obj0,SWIG_as_voidptrptr(&arg1), 0, 0);
-  if (!SWIG_IsOK(res1)) {
-    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "bro_conn_connect" "', argument " "1"" of type '" "BroConn *""'"); 
-  }
-  result = (int)bro_conn_connect(arg1);
-  resultobj = SWIG_From_int((int)(result));
-  return resultobj;
-fail:
-  return NULL;
-}
-
-
-SWIGINTERN PyObject *_wrap_bro_conn_process_input(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
-  PyObject *resultobj = 0;
-  BroConn *arg1 = (BroConn *) 0 ;
-  int result;
-  int res1 ;
-  PyObject * obj0 = 0 ;
-  
-  if (!PyArg_ParseTuple(args,(char *)"O:bro_conn_process_input",&obj0)) SWIG_fail;
-  res1 = SWIG_ConvertPtr(obj0,SWIG_as_voidptrptr(&arg1), 0, 0);
-  if (!SWIG_IsOK(res1)) {
-    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "bro_conn_process_input" "', argument " "1"" of type '" "BroConn *""'"); 
-  }
-  result = (int)bro_conn_process_input(arg1);
-  resultobj = SWIG_From_int((int)(result));
-  return resultobj;
-fail:
-  return NULL;
-}
-
-
-SWIGINTERN PyObject *_wrap_bro_event_queue_length(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
-  PyObject *resultobj = 0;
-  BroConn *arg1 = (BroConn *) 0 ;
-  int result;
-  int res1 ;
-  PyObject * obj0 = 0 ;
-  
-  if (!PyArg_ParseTuple(args,(char *)"O:bro_event_queue_length",&obj0)) SWIG_fail;
-  res1 = SWIG_ConvertPtr(obj0,SWIG_as_voidptrptr(&arg1), 0, 0);
-  if (!SWIG_IsOK(res1)) {
-    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "bro_event_queue_length" "', argument " "1"" of type '" "BroConn *""'"); 
-  }
-  result = (int)bro_event_queue_length(arg1);
-  resultobj = SWIG_From_int((int)(result));
-  return resultobj;
-fail:
-  return NULL;
-}
-
-
-SWIGINTERN PyObject *_wrap_bro_event_new(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
-  PyObject *resultobj = 0;
-  char *arg1 = (char *) 0 ;
-  BroEvent *result = 0 ;
-  int res1 ;
-  char *buf1 = 0 ;
-  int alloc1 = 0 ;
-  PyObject * obj0 = 0 ;
-  
-  if (!PyArg_ParseTuple(args,(char *)"O:bro_event_new",&obj0)) SWIG_fail;
-  res1 = SWIG_AsCharPtrAndSize(obj0, &buf1, NULL, &alloc1);
-  if (!SWIG_IsOK(res1)) {
-    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "bro_event_new" "', argument " "1"" of type '" "char const *""'");
-  }
-  arg1 = (char *)(buf1);
-  result = (BroEvent *)bro_event_new((char const *)arg1);
-  resultobj = SWIG_NewPointerObj(SWIG_as_voidptr(result), SWIGTYPE_p_void, 0 |  0 );
-  if (alloc1 == SWIG_NEWOBJ) free((char*)buf1);
-  return resultobj;
-fail:
-  if (alloc1 == SWIG_NEWOBJ) free((char*)buf1);
-  return NULL;
-}
-
-
-SWIGINTERN PyObject *_wrap_bro_event_free(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
-  PyObject *resultobj = 0;
-  BroEvent *arg1 = (BroEvent *) 0 ;
-  int res1 ;
-  PyObject * obj0 = 0 ;
-  
-  if (!PyArg_ParseTuple(args,(char *)"O:bro_event_free",&obj0)) SWIG_fail;
-  res1 = SWIG_ConvertPtr(obj0,SWIG_as_voidptrptr(&arg1), 0, 0);
-  if (!SWIG_IsOK(res1)) {
-    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "bro_event_free" "', argument " "1"" of type '" "BroEvent *""'"); 
-  }
-  bro_event_free(arg1);
-  resultobj = SWIG_Py_Void();
-  return resultobj;
-fail:
-  return NULL;
-}
-
-
-SWIGINTERN PyObject *_wrap_bro_event_add_val(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
-  PyObject *resultobj = 0;
-  BroEvent *arg1 = (BroEvent *) 0 ;
-  int arg2 ;
-  char *arg3 = (char *) 0 ;
-  void *arg4 = (void *) 0 ;
-  int result;
-  int res1 ;
-  PyObject * obj0 = 0 ;
-  PyObject * obj1 = 0 ;
-  
-  if (!PyArg_ParseTuple(args,(char *)"OO:bro_event_add_val",&obj0,&obj1)) SWIG_fail;
-  res1 = SWIG_ConvertPtr(obj0,SWIG_as_voidptrptr(&arg1), 0, 0);
-  if (!SWIG_IsOK(res1)) {
-    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "bro_event_add_val" "', argument " "1"" of type '" "BroEvent *""'"); 
-  }
-  {
-    int type;
-    const char* type_name;
-    void *data;
-    
-    PyObject *val;
-    
-    //bro_debug_messages = 1;
-    //bro_debug_calltrace = 1;
-    
-    
-    if ( ! parseTypeTuple(obj1, &type, &val) )
-    return NULL;
-    
-    if ( ! pyObjToVal(val, type, &type_name, &data) )
-    return NULL;
-    
-    arg2 = type;
-    arg3 = type_name;
-    arg4 = data;
-  }
-  result = (int)bro_event_add_val(arg1,arg2,(char const *)arg3,(void const *)arg4);
-  resultobj = SWIG_From_int((int)(result));
-  {
-    // Broccoli makes copies of the passed data so we need to clean up.
-    freeBroccoliVal(arg2, arg4);
-    
-    if ( arg3 )
-    free(arg3);
-  }
-  return resultobj;
-fail:
-  {
-    // Broccoli makes copies of the passed data so we need to clean up.
-    freeBroccoliVal(arg2, arg4);
-    
-    if ( arg3 )
-    free(arg3);
-  }
-  return NULL;
-}
-
-
-SWIGINTERN PyObject *_wrap_bro_event_send(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
-  PyObject *resultobj = 0;
-  BroConn *arg1 = (BroConn *) 0 ;
-  BroEvent *arg2 = (BroEvent *) 0 ;
-  int result;
-  int res1 ;
-  int res2 ;
-  PyObject * obj0 = 0 ;
-  PyObject * obj1 = 0 ;
-  
-  if (!PyArg_ParseTuple(args,(char *)"OO:bro_event_send",&obj0,&obj1)) SWIG_fail;
-  res1 = SWIG_ConvertPtr(obj0,SWIG_as_voidptrptr(&arg1), 0, 0);
-  if (!SWIG_IsOK(res1)) {
-    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "bro_event_send" "', argument " "1"" of type '" "BroConn *""'"); 
-  }
-  res2 = SWIG_ConvertPtr(obj1,SWIG_as_voidptrptr(&arg2), 0, 0);
-  if (!SWIG_IsOK(res2)) {
-    SWIG_exception_fail(SWIG_ArgError(res2), "in method '" "bro_event_send" "', argument " "2"" of type '" "BroEvent *""'"); 
-  }
-  result = (int)bro_event_send(arg1,arg2);
-  resultobj = SWIG_From_int((int)(result));
-  return resultobj;
-fail:
-  return NULL;
-}
-
-
-SWIGINTERN PyObject *_wrap_bro_event_registry_add_compact(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
-  PyObject *resultobj = 0;
-  BroConn *arg1 = (BroConn *) 0 ;
-  char *arg2 = (char *) 0 ;
-  BroCompactEventFunc arg3 ;
-  void *arg4 = (void *) 0 ;
-  int res1 ;
-  int res2 ;
-  char *buf2 = 0 ;
-  int alloc2 = 0 ;
-  PyObject * obj0 = 0 ;
-  PyObject * obj1 = 0 ;
-  PyObject * obj2 = 0 ;
-  
-  if (!PyArg_ParseTuple(args,(char *)"OOO:bro_event_registry_add_compact",&obj0,&obj1,&obj2)) SWIG_fail;
-  res1 = SWIG_ConvertPtr(obj0,SWIG_as_voidptrptr(&arg1), 0, 0);
-  if (!SWIG_IsOK(res1)) {
-    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "bro_event_registry_add_compact" "', argument " "1"" of type '" "BroConn *""'"); 
-  }
-  res2 = SWIG_AsCharPtrAndSize(obj1, &buf2, NULL, &alloc2);
-  if (!SWIG_IsOK(res2)) {
-    SWIG_exception_fail(SWIG_ArgError(res2), "in method '" "bro_event_registry_add_compact" "', argument " "2"" of type '" "char const *""'");
-  }
-  arg2 = (char *)(buf2);
-  {
-    if ( ! PyFunction_Check(obj2) ) {
-      PyErr_SetString(PyExc_RuntimeError, "callback must be a function");
-      return NULL;
-    }
-    
-    arg3 = event_callback;
-    arg4 = obj2;
-    Py_INCREF(obj2);
-  }
-  bro_event_registry_add_compact(arg1,(char const *)arg2,arg3,arg4);
-  resultobj = SWIG_Py_Void();
-  if (alloc2 == SWIG_NEWOBJ) free((char*)buf2);
-  return resultobj;
-fail:
-  if (alloc2 == SWIG_NEWOBJ) free((char*)buf2);
-  return NULL;
-}
-
-
-SWIGINTERN PyObject *_wrap_bro_util_current_time(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
-  PyObject *resultobj = 0;
-  double result;
-  
-  if (!PyArg_ParseTuple(args,(char *)":bro_util_current_time")) SWIG_fail;
-  result = (double)bro_util_current_time();
-  resultobj = SWIG_From_double((double)(result));
-  return resultobj;
-fail:
-  return NULL;
-}
-
-
-static PyMethodDef SwigMethods[] = {
-	 { (char *)"bro_init", _wrap_bro_init, METH_VARARGS, NULL},
-	 { (char *)"bro_conn_new_str", _wrap_bro_conn_new_str, METH_VARARGS, NULL},
-	 { (char *)"bro_conn_set_class", _wrap_bro_conn_set_class, METH_VARARGS, NULL},
-	 { (char *)"bro_conn_connect", _wrap_bro_conn_connect, METH_VARARGS, NULL},
-	 { (char *)"bro_conn_process_input", _wrap_bro_conn_process_input, METH_VARARGS, NULL},
-	 { (char *)"bro_event_queue_length", _wrap_bro_event_queue_length, METH_VARARGS, NULL},
-	 { (char *)"bro_event_new", _wrap_bro_event_new, METH_VARARGS, NULL},
-	 { (char *)"bro_event_free", _wrap_bro_event_free, METH_VARARGS, NULL},
-	 { (char *)"bro_event_add_val", _wrap_bro_event_add_val, METH_VARARGS, NULL},
-	 { (char *)"bro_event_send", _wrap_bro_event_send, METH_VARARGS, NULL},
-	 { (char *)"bro_event_registry_add_compact", _wrap_bro_event_registry_add_compact, METH_VARARGS, NULL},
-	 { (char *)"bro_util_current_time", _wrap_bro_util_current_time, METH_VARARGS, NULL},
-	 { NULL, NULL, 0, NULL }
-};
-
-
-/* -------- TYPE CONVERSION AND EQUIVALENCE RULES (BEGIN) -------- */
-
-static swig_type_info _swigt__p_BroCompactEventFunc = {"_p_BroCompactEventFunc", "BroCompactEventFunc *", 0, 0, (void*)0, 0};
-static swig_type_info _swigt__p_char = {"_p_char", "char *", 0, 0, (void*)0, 0};
-static swig_type_info _swigt__p_void = {"_p_void", "void *|BroEvent *", 0, 0, (void*)0, 0};
-
-static swig_type_info *swig_type_initial[] = {
-  &_swigt__p_BroCompactEventFunc,
-  &_swigt__p_char,
-  &_swigt__p_void,
-};
-
-static swig_cast_info _swigc__p_BroCompactEventFunc[] = {  {&_swigt__p_BroCompactEventFunc, 0, 0, 0},{0, 0, 0, 0}};
-static swig_cast_info _swigc__p_char[] = {  {&_swigt__p_char, 0, 0, 0},{0, 0, 0, 0}};
-static swig_cast_info _swigc__p_void[] = {  {&_swigt__p_void, 0, 0, 0},{0, 0, 0, 0}};
-
-static swig_cast_info *swig_cast_initial[] = {
-  _swigc__p_BroCompactEventFunc,
-  _swigc__p_char,
-  _swigc__p_void,
-};
-
-
-/* -------- TYPE CONVERSION AND EQUIVALENCE RULES (END) -------- */
-
-static swig_const_info swig_const_table[] = {
-{0, 0, 0, 0.0, 0, 0}};
-
-#ifdef __cplusplus
-}
-#endif
-/* -----------------------------------------------------------------------------
- * Type initialization:
- * This problem is tough by the requirement that no dynamic 
- * memory is used. Also, since swig_type_info structures store pointers to 
- * swig_cast_info structures and swig_cast_info structures store pointers back
- * to swig_type_info structures, we need some lookup code at initialization. 
- * The idea is that swig generates all the structures that are needed. 
- * The runtime then collects these partially filled structures. 
- * The SWIG_InitializeModule function takes these initial arrays out of 
- * swig_module, and does all the lookup, filling in the swig_module.types
- * array with the correct data and linking the correct swig_cast_info
- * structures together.
- *
- * The generated swig_type_info structures are assigned staticly to an initial 
- * array. We just loop through that array, and handle each type individually.
- * First we lookup if this type has been already loaded, and if so, use the
- * loaded structure instead of the generated one. Then we have to fill in the
- * cast linked list. The cast data is initially stored in something like a
- * two-dimensional array. Each row corresponds to a type (there are the same
- * number of rows as there are in the swig_type_initial array). Each entry in
- * a column is one of the swig_cast_info structures for that type.
- * The cast_initial array is actually an array of arrays, because each row has
- * a variable number of columns. So to actually build the cast linked list,
- * we find the array of casts associated with the type, and loop through it 
- * adding the casts to the list. The one last trick we need to do is making
- * sure the type pointer in the swig_cast_info struct is correct.
- *
- * First off, we lookup the cast->type name to see if it is already loaded. 
- * There are three cases to handle:
- *  1) If the cast->type has already been loaded AND the type we are adding
- *     casting info to has not been loaded (it is in this module), THEN we
- *     replace the cast->type pointer with the type pointer that has already
- *     been loaded.
- *  2) If BOTH types (the one we are adding casting info to, and the 
- *     cast->type) are loaded, THEN the cast info has already been loaded by
- *     the previous module so we just ignore it.
- *  3) Finally, if cast->type has not already been loaded, then we add that
- *     swig_cast_info to the linked list (because the cast->type) pointer will
- *     be correct.
- * ----------------------------------------------------------------------------- */
-
-#ifdef __cplusplus
-extern "C" {
-#if 0
-} /* c-mode */
-#endif
-#endif
-
-#if 0
-#define SWIGRUNTIME_DEBUG
-#endif
-
-
-SWIGRUNTIME void
-SWIG_InitializeModule(void *clientdata) {
-  size_t i;
-  swig_module_info *module_head, *iter;
-  int found;
-  
-  clientdata = clientdata;
-  
-  /* check to see if the circular list has been setup, if not, set it up */
-  if (swig_module.next==0) {
-    /* Initialize the swig_module */
-    swig_module.type_initial = swig_type_initial;
-    swig_module.cast_initial = swig_cast_initial;
-    swig_module.next = &swig_module;
-  }
-  
-  /* Try and load any already created modules */
-  module_head = SWIG_GetModule(clientdata);
-  if (!module_head) {
-    /* This is the first module loaded for this interpreter */
-    /* so set the swig module into the interpreter */
-    SWIG_SetModule(clientdata, &swig_module);
-    module_head = &swig_module;
-  } else {
-    /* the interpreter has loaded a SWIG module, but has it loaded this one? */
-    found=0;
-    iter=module_head;
-    do {
-      if (iter==&swig_module) {
-        found=1;
-        break;
-      }
-      iter=iter->next;
-    } while (iter!= module_head);
-    
-    /* if the is found in the list, then all is done and we may leave */
-    if (found) return;
-    /* otherwise we must add out module into the list */
-    swig_module.next = module_head->next;
-    module_head->next = &swig_module;
-  }
-  
-  /* Now work on filling in swig_module.types */
-#ifdef SWIGRUNTIME_DEBUG
-  printf("SWIG_InitializeModule: size %d\n", swig_module.size);
-#endif
-  for (i = 0; i < swig_module.size; ++i) {
-    swig_type_info *type = 0;
-    swig_type_info *ret;
-    swig_cast_info *cast;
-    
-#ifdef SWIGRUNTIME_DEBUG
-    printf("SWIG_InitializeModule: type %d %s\n", i, swig_module.type_initial[i]->name);
-#endif
-    
-    /* if there is another module already loaded */
-    if (swig_module.next != &swig_module) {
-      type = SWIG_MangledTypeQueryModule(swig_module.next, &swig_module, swig_module.type_initial[i]->name);
-    }
-    if (type) {
-      /* Overwrite clientdata field */
-#ifdef SWIGRUNTIME_DEBUG
-      printf("SWIG_InitializeModule: found type %s\n", type->name);
-#endif
-      if (swig_module.type_initial[i]->clientdata) {
-        type->clientdata = swig_module.type_initial[i]->clientdata;
-#ifdef SWIGRUNTIME_DEBUG
-        printf("SWIG_InitializeModule: found and overwrite type %s \n", type->name);
-#endif
-      }
-    } else {
-      type = swig_module.type_initial[i];
-    }
-    
-    /* Insert casting types */
-    cast = swig_module.cast_initial[i];
-    while (cast->type) {
-      /* Don't need to add information already in the list */
-      ret = 0;
-#ifdef SWIGRUNTIME_DEBUG
-      printf("SWIG_InitializeModule: look cast %s\n", cast->type->name);
-#endif
-      if (swig_module.next != &swig_module) {
-        ret = SWIG_MangledTypeQueryModule(swig_module.next, &swig_module, cast->type->name);
-#ifdef SWIGRUNTIME_DEBUG
-        if (ret) printf("SWIG_InitializeModule: found cast %s\n", ret->name);
-#endif
-      }
-      if (ret) {
-        if (type == swig_module.type_initial[i]) {
-#ifdef SWIGRUNTIME_DEBUG
-          printf("SWIG_InitializeModule: skip old type %s\n", ret->name);
-#endif
-          cast->type = ret;
-          ret = 0;
-        } else {
-          /* Check for casting already in the list */
-          swig_cast_info *ocast = SWIG_TypeCheck(ret->name, type);
-#ifdef SWIGRUNTIME_DEBUG
-          if (ocast) printf("SWIG_InitializeModule: skip old cast %s\n", ret->name);
-#endif
-          if (!ocast) ret = 0;
-        }
-      }
-      
-      if (!ret) {
-#ifdef SWIGRUNTIME_DEBUG
-        printf("SWIG_InitializeModule: adding cast %s\n", cast->type->name);
-#endif
-        if (type->cast) {
-          type->cast->prev = cast;
-          cast->next = type->cast;
-        }
-        type->cast = cast;
-      }
-      cast++;
-    }
-    /* Set entry in modules->types array equal to the type */
-    swig_module.types[i] = type;
-  }
-  swig_module.types[i] = 0;
-  
-#ifdef SWIGRUNTIME_DEBUG
-  printf("**** SWIG_InitializeModule: Cast List ******\n");
-  for (i = 0; i < swig_module.size; ++i) {
-    int j = 0;
-    swig_cast_info *cast = swig_module.cast_initial[i];
-    printf("SWIG_InitializeModule: type %d %s\n", i, swig_module.type_initial[i]->name);
-    while (cast->type) {
-      printf("SWIG_InitializeModule: cast type %s\n", cast->type->name);
-      cast++;
-      ++j;
-    }
-    printf("---- Total casts: %d\n",j);
-  }
-  printf("**** SWIG_InitializeModule: Cast List ******\n");
-#endif
-}
-
-/* This function will propagate the clientdata field of type to
-* any new swig_type_info structures that have been added into the list
-* of equivalent types.  It is like calling
-* SWIG_TypeClientData(type, clientdata) a second time.
-*/
-SWIGRUNTIME void
-SWIG_PropagateClientData(void) {
-  size_t i;
-  swig_cast_info *equiv;
-  static int init_run = 0;
-  
-  if (init_run) return;
-  init_run = 1;
-  
-  for (i = 0; i < swig_module.size; i++) {
-    if (swig_module.types[i]->clientdata) {
-      equiv = swig_module.types[i]->cast;
-      while (equiv) {
-        if (!equiv->converter) {
-          if (equiv->type && !equiv->type->clientdata)
-          SWIG_TypeClientData(equiv->type, swig_module.types[i]->clientdata);
-        }
-        equiv = equiv->next;
-      }
-    }
-  }
-}
-
-#ifdef __cplusplus
-#if 0
-{
-  /* c-mode */
-#endif
-}
-#endif
-
-
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-  
-  /* Python-specific SWIG API */
-#define SWIG_newvarlink()                             SWIG_Python_newvarlink()
-#define SWIG_addvarlink(p, name, get_attr, set_attr)  SWIG_Python_addvarlink(p, name, get_attr, set_attr)
-#define SWIG_InstallConstants(d, constants)           SWIG_Python_InstallConstants(d, constants)
-  
-  /* -----------------------------------------------------------------------------
-   * global variable support code.
-   * ----------------------------------------------------------------------------- */
-  
-  typedef struct swig_globalvar {
-    char       *name;                  /* Name of global variable */
-    PyObject *(*get_attr)(void);       /* Return the current value */
-    int       (*set_attr)(PyObject *); /* Set the value */
-    struct swig_globalvar *next;
-  } swig_globalvar;
-  
-  typedef struct swig_varlinkobject {
-    PyObject_HEAD
-    swig_globalvar *vars;
-  } swig_varlinkobject;
-  
-  SWIGINTERN PyObject *
-  swig_varlink_repr(swig_varlinkobject *SWIGUNUSEDPARM(v)) {
-    return PyString_FromString("<Swig global variables>");
-  }
-  
-  SWIGINTERN PyObject *
-  swig_varlink_str(swig_varlinkobject *v) {
-    PyObject *str = PyString_FromString("(");
-    swig_globalvar  *var;
-    for (var = v->vars; var; var=var->next) {
-      PyString_ConcatAndDel(&str,PyString_FromString(var->name));
-      if (var->next) PyString_ConcatAndDel(&str,PyString_FromString(", "));
-    }
-    PyString_ConcatAndDel(&str,PyString_FromString(")"));
-    return str;
-  }
-  
-  SWIGINTERN int
-  swig_varlink_print(swig_varlinkobject *v, FILE *fp, int SWIGUNUSEDPARM(flags)) {
-    PyObject *str = swig_varlink_str(v);
-    fprintf(fp,"Swig global variables ");
-    fprintf(fp,"%s\n", PyString_AsString(str));
-    Py_DECREF(str);
-    return 0;
-  }
-  
-  SWIGINTERN void
-  swig_varlink_dealloc(swig_varlinkobject *v) {
-    swig_globalvar *var = v->vars;
-    while (var) {
-      swig_globalvar *n = var->next;
-      free(var->name);
-      free(var);
-      var = n;
-    }
-  }
-  
-  SWIGINTERN PyObject *
-  swig_varlink_getattr(swig_varlinkobject *v, char *n) {
-    PyObject *res = NULL;
-    swig_globalvar *var = v->vars;
-    while (var) {
-      if (strcmp(var->name,n) == 0) {
-        res = (*var->get_attr)();
-        break;
-      }
-      var = var->next;
-    }
-    if (res == NULL && !PyErr_Occurred()) {
-      PyErr_SetString(PyExc_NameError,"Unknown C global variable");
-    }
-    return res;
-  }
-  
-  SWIGINTERN int
-  swig_varlink_setattr(swig_varlinkobject *v, char *n, PyObject *p) {
-    int res = 1;
-    swig_globalvar *var = v->vars;
-    while (var) {
-      if (strcmp(var->name,n) == 0) {
-        res = (*var->set_attr)(p);
-        break;
-      }
-      var = var->next;
-    }
-    if (res == 1 && !PyErr_Occurred()) {
-      PyErr_SetString(PyExc_NameError,"Unknown C global variable");
-    }
-    return res;
-  }
-  
-  SWIGINTERN PyTypeObject*
-  swig_varlink_type(void) {
-    static char varlink__doc__[] = "Swig var link object";
-    static PyTypeObject varlink_type;
-    static int type_init = 0;  
-    if (!type_init) {
-      const PyTypeObject tmp
-      = {
-        PyObject_HEAD_INIT(NULL)
-        0,                                  /* Number of items in variable part (ob_size) */
-        (char *)"swigvarlink",              /* Type name (tp_name) */
-        sizeof(swig_varlinkobject),         /* Basic size (tp_basicsize) */
-        0,                                  /* Itemsize (tp_itemsize) */
-        (destructor) swig_varlink_dealloc,   /* Deallocator (tp_dealloc) */ 
-        (printfunc) swig_varlink_print,     /* Print (tp_print) */
-        (getattrfunc) swig_varlink_getattr, /* get attr (tp_getattr) */
-        (setattrfunc) swig_varlink_setattr, /* Set attr (tp_setattr) */
-        0,                                  /* tp_compare */
-        (reprfunc) swig_varlink_repr,       /* tp_repr */
-        0,                                  /* tp_as_number */
-        0,                                  /* tp_as_sequence */
-        0,                                  /* tp_as_mapping */
-        0,                                  /* tp_hash */
-        0,                                  /* tp_call */
-        (reprfunc)swig_varlink_str,        /* tp_str */
-        0,                                  /* tp_getattro */
-        0,                                  /* tp_setattro */
-        0,                                  /* tp_as_buffer */
-        0,                                  /* tp_flags */
-        varlink__doc__,                     /* tp_doc */
-        0,                                  /* tp_traverse */
-        0,                                  /* tp_clear */
-        0,                                  /* tp_richcompare */
-        0,                                  /* tp_weaklistoffset */
-#if PY_VERSION_HEX >= 0x02020000
-        0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, /* tp_iter -> tp_weaklist */
-#endif
-#if PY_VERSION_HEX >= 0x02030000
-        0,                                  /* tp_del */
-#endif
-#ifdef COUNT_ALLOCS
-        0,0,0,0                             /* tp_alloc -> tp_next */
-#endif
-      };
-      varlink_type = tmp;
-      varlink_type.ob_type = &PyType_Type;
-      type_init = 1;
-    }
-    return &varlink_type;
-  }
-  
-  /* Create a variable linking object for use later */
-  SWIGINTERN PyObject *
-  SWIG_Python_newvarlink(void) {
-    swig_varlinkobject *result = PyObject_NEW(swig_varlinkobject, swig_varlink_type());
-    if (result) {
-      result->vars = 0;
-    }
-    return ((PyObject*) result);
-  }
-  
-  SWIGINTERN void 
-  SWIG_Python_addvarlink(PyObject *p, char *name, PyObject *(*get_attr)(void), int (*set_attr)(PyObject *p)) {
-    swig_varlinkobject *v = (swig_varlinkobject *) p;
-    swig_globalvar *gv = (swig_globalvar *) malloc(sizeof(swig_globalvar));
-    if (gv) {
-      size_t size = strlen(name)+1;
-      gv->name = (char *)malloc(size);
-      if (gv->name) {
-        strncpy(gv->name,name,size);
-        gv->get_attr = get_attr;
-        gv->set_attr = set_attr;
-        gv->next = v->vars;
-      }
-    }
-    v->vars = gv;
-  }
-  
-  SWIGINTERN PyObject *
-  SWIG_globals(void) {
-    static PyObject *_SWIG_globals = 0; 
-    if (!_SWIG_globals) _SWIG_globals = SWIG_newvarlink();  
-    return _SWIG_globals;
-  }
-  
-  /* -----------------------------------------------------------------------------
-   * constants/methods manipulation
-   * ----------------------------------------------------------------------------- */
-  
-  /* Install Constants */
-  SWIGINTERN void
-  SWIG_Python_InstallConstants(PyObject *d, swig_const_info constants[]) {
-    PyObject *obj = 0;
-    size_t i;
-    for (i = 0; constants[i].type; ++i) {
-      switch(constants[i].type) {
-      case SWIG_PY_POINTER:
-        obj = SWIG_NewPointerObj(constants[i].pvalue, *(constants[i]).ptype,0);
-        break;
-      case SWIG_PY_BINARY:
-        obj = SWIG_NewPackedObj(constants[i].pvalue, constants[i].lvalue, *(constants[i].ptype));
-        break;
-      default:
-        obj = 0;
-        break;
-      }
-      if (obj) {
-        PyDict_SetItemString(d, constants[i].name, obj);
-        Py_DECREF(obj);
-      }
-    }
-  }
-  
-  /* -----------------------------------------------------------------------------*/
-  /* Fix SwigMethods to carry the callback ptrs when needed */
-  /* -----------------------------------------------------------------------------*/
-  
-  SWIGINTERN void
-  SWIG_Python_FixMethods(PyMethodDef *methods,
-    swig_const_info *const_table,
-    swig_type_info **types,
-    swig_type_info **types_initial) {
-    size_t i;
-    for (i = 0; methods[i].ml_name; ++i) {
-      const char *c = methods[i].ml_doc;
-      if (c && (c = strstr(c, "swig_ptr: "))) {
-        int j;
-        swig_const_info *ci = 0;
-        const char *name = c + 10;
-        for (j = 0; const_table[j].type; ++j) {
-          if (strncmp(const_table[j].name, name, 
-              strlen(const_table[j].name)) == 0) {
-            ci = &(const_table[j]);
-            break;
-          }
-        }
-        if (ci) {
-          size_t shift = (ci->ptype) - types;
-          swig_type_info *ty = types_initial[shift];
-          size_t ldoc = (c - methods[i].ml_doc);
-          size_t lptr = strlen(ty->name)+2*sizeof(void*)+2;
-          char *ndoc = (char*)malloc(ldoc + lptr + 10);
-          if (ndoc) {
-            char *buff = ndoc;
-            void *ptr = (ci->type == SWIG_PY_POINTER) ? ci->pvalue : 0;
-            if (ptr) {
-              strncpy(buff, methods[i].ml_doc, ldoc);
-              buff += ldoc;
-              strncpy(buff, "swig_ptr: ", 10);
-              buff += 10;
-              SWIG_PackVoidPtr(buff, ptr, ty->name, lptr);
-              methods[i].ml_doc = ndoc;
-            }
-          }
-        }
-      }
-    }
-  } 
-  
-#ifdef __cplusplus
-}
-#endif
-
-/* -----------------------------------------------------------------------------*
- *  Partial Init method
- * -----------------------------------------------------------------------------*/
-
-#ifdef __cplusplus
-extern "C"
-#endif
-SWIGEXPORT void SWIG_init(void) {
-  PyObject *m, *d;
-  
-  /* Fix SwigMethods to carry the callback ptrs when needed */
-  SWIG_Python_FixMethods(SwigMethods, swig_const_table, swig_types, swig_type_initial);
-  
-  m = Py_InitModule((char *) SWIG_name, SwigMethods);
-  d = PyModule_GetDict(m);
-  
-  SWIG_InitializeModule(0);
-  SWIG_InstallConstants(d,swig_const_table);
-  
-  
-  SWIG_Python_SetConstant(d, "BRO_TYPE_UNKNOWN",SWIG_From_int((int)(0)));
-  SWIG_Python_SetConstant(d, "BRO_TYPE_BOOL",SWIG_From_int((int)(1)));
-  SWIG_Python_SetConstant(d, "BRO_TYPE_INT",SWIG_From_int((int)(2)));
-  SWIG_Python_SetConstant(d, "BRO_TYPE_COUNT",SWIG_From_int((int)(3)));
-  SWIG_Python_SetConstant(d, "BRO_TYPE_COUNTER",SWIG_From_int((int)(4)));
-  SWIG_Python_SetConstant(d, "BRO_TYPE_DOUBLE",SWIG_From_int((int)(5)));
-  SWIG_Python_SetConstant(d, "BRO_TYPE_TIME",SWIG_From_int((int)(6)));
-  SWIG_Python_SetConstant(d, "BRO_TYPE_INTERVAL",SWIG_From_int((int)(7)));
-  SWIG_Python_SetConstant(d, "BRO_TYPE_STRING",SWIG_From_int((int)(8)));
-  SWIG_Python_SetConstant(d, "BRO_TYPE_PATTERN",SWIG_From_int((int)(9)));
-  SWIG_Python_SetConstant(d, "BRO_TYPE_ENUM",SWIG_From_int((int)(10)));
-  SWIG_Python_SetConstant(d, "BRO_TYPE_TIMER",SWIG_From_int((int)(11)));
-  SWIG_Python_SetConstant(d, "BRO_TYPE_PORT",SWIG_From_int((int)(12)));
-  SWIG_Python_SetConstant(d, "BRO_TYPE_IPADDR",SWIG_From_int((int)(13)));
-  SWIG_Python_SetConstant(d, "BRO_TYPE_NET",SWIG_From_int((int)(14)));
-  SWIG_Python_SetConstant(d, "BRO_TYPE_SUBNET",SWIG_From_int((int)(15)));
-  SWIG_Python_SetConstant(d, "BRO_TYPE_ANY",SWIG_From_int((int)(16)));
-  SWIG_Python_SetConstant(d, "BRO_TYPE_TABLE",SWIG_From_int((int)(17)));
-  SWIG_Python_SetConstant(d, "BRO_TYPE_UNION",SWIG_From_int((int)(18)));
-  SWIG_Python_SetConstant(d, "BRO_TYPE_RECORD",SWIG_From_int((int)(19)));
-  SWIG_Python_SetConstant(d, "BRO_TYPE_LIST",SWIG_From_int((int)(20)));
-  SWIG_Python_SetConstant(d, "BRO_TYPE_FUNC",SWIG_From_int((int)(21)));
-  SWIG_Python_SetConstant(d, "BRO_TYPE_FILE",SWIG_From_int((int)(22)));
-  SWIG_Python_SetConstant(d, "BRO_TYPE_VECTOR",SWIG_From_int((int)(23)));
-  SWIG_Python_SetConstant(d, "BRO_TYPE_ERROR",SWIG_From_int((int)(24)));
-  SWIG_Python_SetConstant(d, "BRO_TYPE_PACKET",SWIG_From_int((int)(25)));
-  SWIG_Python_SetConstant(d, "BRO_TYPE_SET",SWIG_From_int((int)(26)));
-  SWIG_Python_SetConstant(d, "BRO_TYPE_MAX",SWIG_From_int((int)(27)));
-  SWIG_Python_SetConstant(d, "BRO_CFLAG_NONE",SWIG_From_int((int)(0)));
-  SWIG_Python_SetConstant(d, "BRO_CFLAG_RECONNECT",SWIG_From_int((int)((1 << 0))));
-  SWIG_Python_SetConstant(d, "BRO_CFLAG_ALWAYS_QUEUE",SWIG_From_int((int)((1 << 1))));
-  SWIG_Python_SetConstant(d, "BRO_CFLAG_SHAREABLE",SWIG_From_int((int)((1 << 2))));
-  SWIG_Python_SetConstant(d, "BRO_CFLAG_DONTCACHE",SWIG_From_int((int)((1 << 3))));
-  SWIG_Python_SetConstant(d, "BRO_CFLAG_YIELD",SWIG_From_int((int)((1 << 4))));
-  SWIG_Python_SetConstant(d, "BRO_CFLAG_CACHE",SWIG_From_int((int)((1 << 5))));
-}
-
diff --git a/aux/broccoli/bindings/python/setup.py b/aux/broccoli/bindings/python/setup.py
deleted file mode 100755
index 1960f22203..0000000000
--- a/aux/broccoli/bindings/python/setup.py
+++ /dev/null
@@ -1,21 +0,0 @@
-#! /usr/bin/env python
-
-import os
-import sys
-
-from distutils.core import setup, Extension
-
-setup(name="pybroccoli", 
-    version="0.1",
-    author="Robin Sommer",
-    author_email="robin@icir.org",
-    license="GPL",
-    url="http://www.icir.org/robin/pybroccoli",
-    py_modules=['broccoli'],
-    ext_modules = [ 
-        Extension("_broccoli_intern", ["broccoli_intern_wrap.c"],
-                  include_dirs=["../../src"],
-                  library_dirs=["../../src/.libs"],
-                  libraries=["broccoli"])]
-)
-
diff --git a/aux/broccoli/bindings/python/tests/broping-record.py b/aux/broccoli/bindings/python/tests/broping-record.py
deleted file mode 100755
index 305e5821ec..0000000000
--- a/aux/broccoli/bindings/python/tests/broping-record.py
+++ /dev/null
@@ -1,30 +0,0 @@
-#! /usr/bin/env python
-#
-# Use with broccoli/test/broping-record.bro.
-
-from time import sleep
-from broccoli import *
-
-ping_data = record_type("seq", "src_time")
-pong_data = record_type("seq", "src_time", "dst_time")
-
-@event(pong_data)
-def pong(data):
-    print "pong event: seq=%i, time=%f/%f s" % (data.seq, 
-        data.dst_time - data.src_time, current_time() - data.src_time)
-
-bc = Connection("127.0.0.1:47758")
-
-seq = 1
-
-while True:
-    data = record(ping_data)
-    data.seq = count(seq)
-    data.src_time = time(current_time())
-    bc.send("ping", data)
-    
-    seq += 1
-    sleep(1)
-    
-
-
diff --git a/aux/broccoli/bindings/python/tests/broping.py b/aux/broccoli/bindings/python/tests/broping.py
deleted file mode 100755
index eec1d9efb3..0000000000
--- a/aux/broccoli/bindings/python/tests/broping.py
+++ /dev/null
@@ -1,24 +0,0 @@
-#! /usr/bin/env python
-#
-# Use with broccoli/test/broping.bro.
-
-from time import sleep
-from broccoli import *
-
-@event
-def pong(src_time, dst_time, seq):
-    print "pong event: seq=%i, time=%f/%f s" % (seq, 
-        dst_time - src_time, current_time() - src_time)
-             
-bc = Connection("127.0.0.1:47758")
-
-seq = 1
-
-while True:
-    bc.send("ping", time(current_time()), count(seq))
-
-    seq += 1
-    sleep(1)
-    
-
-
diff --git a/aux/broccoli/bindings/python/tests/test.bro b/aux/broccoli/bindings/python/tests/test.bro
deleted file mode 100644
index 0bb72722b3..0000000000
--- a/aux/broccoli/bindings/python/tests/test.bro
+++ /dev/null
@@ -1,57 +0,0 @@
-
-@load listen-clear
-redef listen_port_clear    = 47758/tcp;
-
-redef Remote::destinations += {
-	["broping"] = [$host = 127.0.0.1, $events = /test1|test3/, $connect=F, $ssl=F]
-};
-
-
-### Testing atomic types.
-
-type foo: enum { CONST1, CONST2, CONST3 };
-
-# No enum currently as Broccoli has trouble receiving them.
-global test2: event(a: int, b: count, c: time, d: interval, e: bool, f: double, g: string, h: port, i: addr, j: net, k: subnet);
-global test2b: event(a: int, b: count, c: time, d: interval, e: bool, f: double, g: string, h: port, i: addr, j: net, k: subnet);
-
-event test1(a: int, b: count, c: time, d: interval, e: bool, f: double, g: string, h: port, i: addr, j: net, k: subnet)
-{
-    print "==== atomic";
-    print a;
-    print b;
-    print c;
-    print d;
-    print e;
-    print f;
-    print g;
-    print h;
-    print i;
-    print j;
-    print k;
-    
-    event test2(-4, 42, current_time(), 1min, T, 3.14, "Hurz", 12345/udp, 1.2.3.4, 10.0., 22.33.44.0/24);
-    event test2(a,b,c,d,e,f,g,h,i,j,k);
-    event test2b(a,b,c,d,e,f,g,h,i,j,k);
-}
-
-### Testing record types.
-
-type rec: record {
-    a: int;
-    b: addr;
-};
-
-global test4: event(r: rec);
-
-event test3(r: rec)
-{
-    print "==== record";
-    print r$a, r$b;
-    event test4(r);
-    
-    local r2 : rec;
-    r2$a = 99;
-    r2$b = 3.4.5.1;
-    event test4(r2);
-}
diff --git a/aux/broccoli/bindings/python/tests/test.py b/aux/broccoli/bindings/python/tests/test.py
deleted file mode 100755
index 95143708f8..0000000000
--- a/aux/broccoli/bindings/python/tests/test.py
+++ /dev/null
@@ -1,89 +0,0 @@
-#! /usr/bin/env python
-
-import time as Time
-
-from broccoli import *
-
-@event
-def test2(a,b,c,d,e,f,g,h,i,j,k):
-    global recv
-    recv += 1
-    print "==== atomic a %d ====" % recv
-    print repr(a), a
-    print repr(b), b
-    print repr(c), c
-    print repr(d), d
-    print repr(e), e
-    print repr(f), f
-    print repr(g), g
-    print repr(h), h
-    print repr(i), i
-    print repr(j), j
-    print repr(j), k
-
-# Same except with typing this time.    
-@event(int,count,time,interval,bool,double,addr,port,addr,net,subnet)
-def test2b(a,b,c,d,e,f,g,h,i,j,k):
-    print "==== atomic b %d ====" % recv
-    print repr(a), a
-    print repr(b), b
-    print repr(c), c
-    print repr(d), d
-    print repr(e), e
-    print repr(f), f
-    print repr(g), g
-    print repr(h), h
-    print repr(i), i
-    print repr(j), j
-    print repr(j), k
-    
-rec = record_type("a", "b")    
-    
-@event(rec)    
-def test4(r):
-    global recv
-    recv += 1
-    print "==== record %d ====" % recv
-    print repr(r)
-    print repr(r.a), r.a
-    print repr(r.b), r.b
-    
-bc = Connection("127.0.0.1:47758")
-
-bc.send("test1", 
-    int(-10), 
-    count(2), 
-    time(current_time()), 
-    interval(120), 
-    bool(False), 
-    double(1.5), 
-    string("Servus"), 
-    port("5555/tcp"), 
-    addr("6.7.6.5"), 
-    net("20.0."), 
-    subnet("192.168.0.0/16")
-    )
-
-recv = 0
-while True:
-    bc.processInput();
-    if recv == 2:
-        break
-    Time.sleep(1)
-
-    
-r = record(rec)
-r.a = 42;
-r.b = addr("6.6.7.7")
-
-bc.send("test3", r)
-    
-recv = 0
-while True:
-    bc.processInput();
-    if recv == 2:
-        break
-    Time.sleep(1)
-    
-    
-
diff --git a/aux/broccoli/broccoli-config.in b/aux/broccoli/broccoli-config.in
deleted file mode 100644
index 952bc82cb3..0000000000
--- a/aux/broccoli/broccoli-config.in
+++ /dev/null
@@ -1,66 +0,0 @@
-#!/bin/sh
-
-buildinfo=@BUILDINFO@
-prefix=@prefix@
-exec_prefix=@exec_prefix@
-exec_prefix_set=no
-
-usage="\
-Usage: broccoli-config [--build] [--prefix[=DIR]] [--exec-prefix[=DIR]] [--version] [--libs] [--cflags] [--config]"
-
-if test $# -eq 0; then
-      echo "${usage}" 1>&2
-      exit 1
-fi
-
-while test $# -gt 0; do
-  case "$1" in
-  -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
-  *) optarg= ;;
-  esac
-
-  case $1 in
-    --build)
-      echo $buildinfo
-      ;;
-    --prefix=*)
-      prefix=$optarg
-      if test $exec_prefix_set = no ; then
-        exec_prefix=$optarg
-      fi
-      ;;
-    --prefix)
-      echo $prefix
-      ;;
-    --exec-prefix=*)
-      exec_prefix=$optarg
-      exec_prefix_set=yes
-      ;;
-    --exec-prefix)
-      echo $exec_prefix
-      ;;
-    --version)
-      echo @VERSION@
-      ;;
-    --cflags)
-      if test @includedir@ != /usr/include ; then
-        includes=-I@includedir@
-      fi
-      echo $includes -I$prefix/include @BRO_CFLAGSADD@ -DBROCCOLI 
-      ;;
-    --libs)
-      libdirs=-L@libdir@
-      echo $libdirs -lbroccoli @BRO_LIBADD@
-      ;;
-    --config)
-      echo @BRO_SYSCONF_FILE@
-      ;;
-    *)
-      echo "${usage}" 1>&2
-      exit 1
-      ;;
-  esac
-  shift
-done
-
-exit 0
diff --git a/aux/broccoli/broccoli.conf b/aux/broccoli/broccoli.conf
deleted file mode 100644
index c067d01f49..0000000000
--- a/aux/broccoli/broccoli.conf
+++ /dev/null
@@ -1,61 +0,0 @@
-# This is the Broccoli system-wide configuration file. 
-#
-# The config file is structured into sections. The settings in each
-# section are called a domain. Each domain is identified as follows:
-#
-# [ name ]
-# 
-# where "name" is a single word consisting of alphanumeric letters
-# without whitespace. The beginning of the document can contain
-# additional settings, these comprise the default domain. It will be
-# used when bro_conf_set_domain() is never used.
-#
-# Entries are of the form <identifier> <value>, where the identifier
-# is a sequence of letters, and value can be a string (including
-# whitespace), and floating point or integer numbers. Comments start
-# with a "#" and go to the end of the line. For boolean values, you
-# may also use "yes", "on", "true", "no", "off", or "false".
-# Strings may contain whitespace, but need to be surrounded by
-# double quotes '"'.
-#
-# You can name identifiers any way you like, but to keep things
-# organized we recommend a hierarchical structure. Case matters.
-#
-# Examples:
-#
-# Foo/PeerName		mybro.securesite.com
-# Foo/PortNum		123
-# Bar/SomeFloat		1.23443543
-# Bar/SomeLongStr	"Hello World"
-#
-
-# Debugging output
-# ----------------
-#/broccoli/debug_messages	yes
-#/broccoli/debug_calltrace	yes
-
-# Encryption setup
-# ----------------
-#
-# In order to configure encrypted communications, you have to point
-# these two entries to this agent's certificate + private key and
-# the trusted CA's certificate, respectively. You can optionally
-# store the passphrase for this agent's private key in the config
-# file as well, but you should obviously only do so when the config
-# file has appropriate access restrictions. Check the manual for
-# details.
-#
-# use_ssl is the main switch to control whether the SSL settings
-# are used (yes/on/1) or not (no/false/0). When use_ssl is not
-# present, SSL is attempted if certificates are configured, other-
-# wise cleartext connections are used. When it is present and enabled,
-# then setup is aborted if certificates are not found. In no case
-# does an SSL setup ever fall back to a cleartext one.
-#
-#/broccoli/use_ssl      yes
-#/broccoli/ca_cert      <path>/ca_cert.pem
-#/broccoli/host_cert    <path>/bro_cert.pem
-#/broccoli/host_pass    foo
-
-# Your settings below
-# -------------------
diff --git a/aux/broccoli/broccoli.spec b/aux/broccoli/broccoli.spec
deleted file mode 100644
index 74a09e4ca8..0000000000
--- a/aux/broccoli/broccoli.spec
+++ /dev/null
@@ -1,69 +0,0 @@
-# This spec file creates a single relocatable RPM.
-#
-%define prefix /usr
-
-Summary: The Bro Client Communications Library
-Name: broccoli
-Version: 0.9
-Release: 1
-License: BSD
-Group: Development/Libraries
-URL: http://www.bro-ids.org
-Source: http://www.icir.org/christian/downloads/%{name}-%{version}.tar.gz
-BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-buildroot
-Packager: Christian Kreibich <christian@whoop.org> 
-Requires: openssl >= 0.9.7a
-Requires: openssl-devel >= 0.9.7a
-Prefix: %{prefix}
-
-%description
-Broccoli enables your applications to speak the Bro communication protocol,
-allowing you to compose, send, request, and receive events. You can register
-your own event handlers. You can talk to other Broccoli applications or Bro
-agents -- Bro agents cannot tell whether they are talking to another
-Bro or a Broccoli application. Communications can be SSL-encrypted. Broccoli
-turns Bro into a distributed policy-controlled event management system.
-
-%prep
-%setup -q
-# Needed for snapshot releases.
-if [ ! -f configure ]; then
-  CFLAGS="$RPM_OPT_FLAGS" ./autogen.sh --prefix=%prefix
-else
-  CFLAGS="$RPM_OPT_FLAGS" ./configure --prefix=%prefix
-fi
-
-%build
-
-if [ "$SMP" != "" ]; then
-  (make "MAKE=make -k -j $SMP"; exit 0)
-  make
-else
-  make
-fi
-
-%install
-rm -rf $RPM_BUILD_ROOT
-make prefix=$RPM_BUILD_ROOT%{prefix} sysconfdir=$RPM_BUILD_ROOT/etc install
-
-%clean
-rm -rf $RPM_BUILD_ROOT
-
-%post -p /sbin/ldconfig
-
-%postun -p /sbin/ldconfig
-
-%files
-%defattr(-,root,root,-)
-%doc AUTHORS COPYING ChangeLog NEWS README TODO
-%doc %{prefix}/share/gtk-doc/html/broccoli
-%{prefix}/lib/lib*.so.*
-%{prefix}/lib/lib*a
-%{prefix}/include/broccoli.h
-%{prefix}/bin/bro*
-%{prefix}/share/broccoli/*.bro
-/etc/broccoli.conf
-
-%changelog
-* Tue Dec  6 2004 Christian Kreibich <christian@whoop.org> 
-- Added spec file to tree.
diff --git a/aux/broccoli/compat/sys/queue.h b/aux/broccoli/compat/sys/queue.h
deleted file mode 100644
index 5b6e2a0a23..0000000000
--- a/aux/broccoli/compat/sys/queue.h
+++ /dev/null
@@ -1,241 +0,0 @@
-/*
- * Copyright (c) 1991, 1993
- *	The Regents of the University of California.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 4. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- *	@(#)queue.h	8.3 (Berkeley) 12/13/93
- */
-
-#ifndef	_SYS_QUEUE_H
-#define	_SYS_QUEUE_H 1
-
-/*
- * This file defines three types of data structures: lists, tail queues,
- * and circular queues.
- *
- * A list is headed by a single forward pointer (or an array of forward
- * pointers for a hash table header). The elements are doubly linked
- * so that an arbitrary element can be removed without a need to
- * traverse the list. New elements can be added to the list after
- * an existing element or at the head of the list. A list may only be
- * traversed in the forward direction.
- *
- * A tail queue is headed by a pair of pointers, one to the head of the
- * list and the other to the tail of the list. The elements are doubly
- * linked so that an arbitrary element can be removed without a need to
- * traverse the list. New elements can be added to the list after
- * an existing element, at the head of the list, or at the end of the
- * list. A tail queue may only be traversed in the forward direction.
- *
- * A circle queue is headed by a pair of pointers, one to the head of the
- * list and the other to the tail of the list. The elements are doubly
- * linked so that an arbitrary element can be removed without a need to
- * traverse the list. New elements can be added to the list before or after
- * an existing element, at the head of the list, or at the end of the list.
- * A circle queue may be traversed in either direction, but has a more
- * complex end of list detection.
- *
- * For details on the use of these macros, see the queue(3) manual page.
- */
-
-/*
- * List definitions.
- */
-#define LIST_HEAD(name, type)						\
-struct name {								\
-	struct type *lh_first;	/* first element */			\
-}
-
-#define LIST_ENTRY(type)						\
-struct {								\
-	struct type *le_next;	/* next element */			\
-	struct type **le_prev;	/* address of previous next element */	\
-}
-
-/*
- * List functions.
- */
-#define	LIST_INIT(head) {						\
-	(head)->lh_first = NULL;					\
-}
-
-#define LIST_INSERT_AFTER(listelm, elm, field) {			\
-	if (((elm)->field.le_next = (listelm)->field.le_next) != NULL)	\
-		(listelm)->field.le_next->field.le_prev =		\
-		    &(elm)->field.le_next;				\
-	(listelm)->field.le_next = (elm);				\
-	(elm)->field.le_prev = &(listelm)->field.le_next;		\
-}
-
-#define LIST_INSERT_HEAD(head, elm, field) {				\
-	if (((elm)->field.le_next = (head)->lh_first) != NULL)		\
-		(head)->lh_first->field.le_prev = &(elm)->field.le_next;\
-	(head)->lh_first = (elm);					\
-	(elm)->field.le_prev = &(head)->lh_first;			\
-}
-
-#define LIST_REMOVE(elm, field) {					\
-	if ((elm)->field.le_next != NULL)				\
-		(elm)->field.le_next->field.le_prev = 			\
-		    (elm)->field.le_prev;				\
-	*(elm)->field.le_prev = (elm)->field.le_next;			\
-}
-
-/*
- * Tail queue definitions.
- */
-#define TAILQ_HEAD(name, type)						\
-struct name {								\
-	struct type *tqh_first;	/* first element */			\
-	struct type **tqh_last;	/* addr of last next element */		\
-}
-
-#define TAILQ_ENTRY(type)						\
-struct {								\
-	struct type *tqe_next;	/* next element */			\
-	struct type **tqe_prev;	/* address of previous next element */	\
-}
-
-/*
- * Tail queue functions.
- */
-#define	TAILQ_INIT(head) {						\
-	(head)->tqh_first = NULL;					\
-	(head)->tqh_last = &(head)->tqh_first;				\
-}
-
-#define TAILQ_INSERT_HEAD(head, elm, field) {				\
-	if (((elm)->field.tqe_next = (head)->tqh_first) != NULL)	\
-		(elm)->field.tqe_next->field.tqe_prev =			\
-		    &(elm)->field.tqe_next;				\
-	else								\
-		(head)->tqh_last = &(elm)->field.tqe_next;		\
-	(head)->tqh_first = (elm);					\
-	(elm)->field.tqe_prev = &(head)->tqh_first;			\
-}
-
-#define TAILQ_INSERT_TAIL(head, elm, field) {				\
-	(elm)->field.tqe_next = NULL;					\
-	(elm)->field.tqe_prev = (head)->tqh_last;			\
-	*(head)->tqh_last = (elm);					\
-	(head)->tqh_last = &(elm)->field.tqe_next;			\
-}
-
-#define TAILQ_INSERT_AFTER(head, listelm, elm, field) {			\
-	if (((elm)->field.tqe_next = (listelm)->field.tqe_next) != NULL)\
-		(elm)->field.tqe_next->field.tqe_prev = 		\
-		    &(elm)->field.tqe_next;				\
-	else								\
-		(head)->tqh_last = &(elm)->field.tqe_next;		\
-	(listelm)->field.tqe_next = (elm);				\
-	(elm)->field.tqe_prev = &(listelm)->field.tqe_next;		\
-}
-
-#define TAILQ_REMOVE(head, elm, field) {				\
-	if (((elm)->field.tqe_next) != NULL)				\
-		(elm)->field.tqe_next->field.tqe_prev = 		\
-		    (elm)->field.tqe_prev;				\
-	else								\
-		(head)->tqh_last = (elm)->field.tqe_prev;		\
-	*(elm)->field.tqe_prev = (elm)->field.tqe_next;			\
-}
-
-/*
- * Circular queue definitions.
- */
-#define CIRCLEQ_HEAD(name, type)					\
-struct name {								\
-	struct type *cqh_first;		/* first element */		\
-	struct type *cqh_last;		/* last element */		\
-}
-
-#define CIRCLEQ_ENTRY(type)						\
-struct {								\
-	struct type *cqe_next;		/* next element */		\
-	struct type *cqe_prev;		/* previous element */		\
-}
-
-/*
- * Circular queue functions.
- */
-#define	CIRCLEQ_INIT(head) {						\
-	(head)->cqh_first = (void *)(head);				\
-	(head)->cqh_last = (void *)(head);				\
-}
-
-#define CIRCLEQ_INSERT_AFTER(head, listelm, elm, field) {		\
-	(elm)->field.cqe_next = (listelm)->field.cqe_next;		\
-	(elm)->field.cqe_prev = (listelm);				\
-	if ((listelm)->field.cqe_next == (void *)(head))		\
-		(head)->cqh_last = (elm);				\
-	else								\
-		(listelm)->field.cqe_next->field.cqe_prev = (elm);	\
-	(listelm)->field.cqe_next = (elm);				\
-}
-
-#define CIRCLEQ_INSERT_BEFORE(head, listelm, elm, field) {		\
-	(elm)->field.cqe_next = (listelm);				\
-	(elm)->field.cqe_prev = (listelm)->field.cqe_prev;		\
-	if ((listelm)->field.cqe_prev == (void *)(head))		\
-		(head)->cqh_first = (elm);				\
-	else								\
-		(listelm)->field.cqe_prev->field.cqe_next = (elm);	\
-	(listelm)->field.cqe_prev = (elm);				\
-}
-
-#define CIRCLEQ_INSERT_HEAD(head, elm, field) {				\
-	(elm)->field.cqe_next = (head)->cqh_first;			\
-	(elm)->field.cqe_prev = (void *)(head);				\
-	if ((head)->cqh_last == (void *)(head))				\
-		(head)->cqh_last = (elm);				\
-	else								\
-		(head)->cqh_first->field.cqe_prev = (elm);		\
-	(head)->cqh_first = (elm);					\
-}
-
-#define CIRCLEQ_INSERT_TAIL(head, elm, field) {				\
-	(elm)->field.cqe_next = (void *)(head);				\
-	(elm)->field.cqe_prev = (head)->cqh_last;			\
-	if ((head)->cqh_first == (void *)(head))			\
-		(head)->cqh_first = (elm);				\
-	else								\
-		(head)->cqh_last->field.cqe_next = (elm);		\
-	(head)->cqh_last = (elm);					\
-}
-
-#define	CIRCLEQ_REMOVE(head, elm, field) {				\
-	if ((elm)->field.cqe_next == (void *)(head))			\
-		(head)->cqh_last = (elm)->field.cqe_prev;		\
-	else								\
-		(elm)->field.cqe_next->field.cqe_prev =			\
-		    (elm)->field.cqe_prev;				\
-	if ((elm)->field.cqe_prev == (void *)(head))			\
-		(head)->cqh_first = (elm)->field.cqe_next;		\
-	else								\
-		(elm)->field.cqe_prev->field.cqe_next =			\
-		    (elm)->field.cqe_next;				\
-}
-#endif	/* sys/queue.h */
diff --git a/aux/broccoli/configure.in b/aux/broccoli/configure.in
deleted file mode 100644
index 61e07de967..0000000000
--- a/aux/broccoli/configure.in
+++ /dev/null
@@ -1,297 +0,0 @@
-dnl Process this file with autoconf to produce a configure script.
-
-AC_INIT
-AC_CONFIG_SRCDIR([src/broccoli.h.in])
-
-AC_CANONICAL_TARGET
-AC_CANONICAL_HOST
-
-AC_CONFIG_AUX_DIR(.)
-AM_CONFIG_HEADER(config.h)
-AM_INIT_AUTOMAKE(broccoli, 1.5.0)
-
-dnl Commands for funkier shell output:
-BLD_ON=`./shtool echo -n -e %B`
-BLD_OFF=`./shtool echo -n -e %b`
-
-AC_PROG_CC
-AM_PROG_CC_STDC
-AC_HEADER_STDC
-AC_PROG_INSTALL
-AM_PROG_LEX
-AC_PROG_YACC
-
-dnl According to the autobook, we need to add this extra directive
-dnl before AM_PROG_LIBTOOL to make libtool work on Windows:
-AC_LIBTOOL_WIN32_DLL
-AC_PROG_LIBTOOL
-
-
-dnl Okay, the lex and yacc checks suck big time because they
-dnl just fall back to assgning "yacc" to YACC and "lex" to LEX
-dnl (in the best case -- I even just get ":" sometimes) as a
-dnl fallback, without checking if those actually exist.
-dnl (Someone correct me if this is wrong, though I doubt it)
-dnl So in those cases, run an extra AC_PROG_CHECK to see if we
-dnl actually have them. Argh.
-have_lex=true
-have_yacc=true
-
-if test "x$YACC" = "xyacc"; then 
-   AC_PATH_PROG(have_yacc, yacc, no)
-fi
-
-if test ! "x$LEX" = "xflex"; then 
-   AC_PATH_PROG(have_lex, lex, no)
-fi
-
-AM_CONDITIONAL(HAVE_LEX_AND_YACC, test "x$have_yacc" != "xno" && test "x$have_lex" != "xno")
-
-AC_C_BIGENDIAN       
-
-AM_CONDITIONAL(SOLARIS_HOST, false)
-AM_CONDITIONAL(LINUX_HOST, false)
-AM_CONDITIONAL(BSD_HOST, false)
-AM_CONDITIONAL(APPLE_HOST, false)
-AM_CONDITIONAL(WINDOWS_HOST, false)
-
-bro_libcrypto=crypto
-bro_libssl=ssl
-
-case "$host" in
-  *-solaris*)
-    AC_DEFINE(SOLARIS_HOST, 1, [Whether this is a Solaris host])
-    AM_CONDITIONAL(SOLARIS_HOST, true)
-    BRO_LIBADD="-lsocket -lnsl"
-    ;;
-  *-linux*)
-    AC_DEFINE(LINUX_HOST, 1, [Whether this is a Linux host])
-    AM_CONDITIONAL(LINUX_HOST, true)
-    ;;
-  *bsd*)
-    AC_DEFINE(BSD_HOST, 1, [Whether this is a BSD host])
-    AM_CONDITIONAL(BSD_HOST, true)
-    ;;
-  *apple*)
-    AC_DEFINE(APPLE_HOST, 1, [Whether this is a APPLE host])
-    AM_CONDITIONAL(APPLE_HOST, true)
-    ;;
-  *-mingw32*)
-    AC_DEFINE(WINDOWS_HOST, 1, [Whether this run on Windows in a MinGW environment])
-    AM_CONDITIONAL(WINDOWS_HOST, true)
-    bro_libcrypto=eay32
-    bro_libssl=ssleay32
-    BRO_LIBADD="-lwsock32"
-    ;;
-esac
-
-AC_SUBST(BRO_LIBADD)
-AC_SUBST(BRO_CFLAGSADD)
-
-dnl ##################################################
-dnl # Check for getuid() and getpwuid().
-dnl ##################################################
-AC_CHECK_FUNCS([geteuid getpwuid])
-
-dnl ##################################################
-dnl # Check for type uint in sys/types.h
-dnl ##################################################
-AC_CHECK_TYPE([uint],,
-	      [TYPEDEF_UINT="typedef unsigned int uint;"
-	       AC_SUBST(TYPEDEF_UINT)])
-
-dnl ##################################################
-dnl # Config directory and config file:
-dnl # Define BRO_SYSCONF_DIR and BRO_SYSCONF_FILE.
-dnl ##################################################
-
-dnl Unless --disable-etc-tweak is given, we check if
-dnl the prefix is /usr, and in that case tweak sysconfdir
-dnl to /etc (nobody cares about /usr/etc really). 
-dnl Otherwise we use what's given.
-dnl
-AC_ARG_ENABLE(etc-tweak,
-	      AC_HELP_STRING([--disable-etc-tweak], [Do not tweak config file location to /etc if prefix is /usr]),
-	      etc_tweak="no",
-	      etc_tweak="yes")
-
-BRO_SYSCONF_DIR=`eval eval eval eval "echo $sysconfdir"`
-
-if test x$etc_tweak = xyes; then
-  if test "x${sysconfdir}" = 'x${prefix}/etc'; then
-    if test "x${prefix}" = "x/usr"; then
-      sysconfdir="/etc"
-      BRO_SYSCONF_DIR="$sysconfdir"
-    elif test "x${prefix}" = "xNONE"; then
-      BRO_SYSCONF_DIR="${ac_default_prefix}/etc"
-    fi
-  fi
-fi
-
-AC_DEFINE_UNQUOTED(BRO_SYSCONF_DIR, "$BRO_SYSCONF_DIR", [Configuration directory])
-AC_SUBST(BRO_SYSCONF_DIR)
-
-dnl Now derive config file name from that, or use the
-dnl requested one if provided.
-
-AC_ARG_WITH(configfile,
-	    AC_HELP_STRING([--with-configfile=FILE], [Use config file at location <FILE>]),
-	    [BRO_SYSCONF_FILE="$withval"],
-	    [BRO_SYSCONF_FILE="$BRO_SYSCONF_DIR/broccoli.conf"])
-
-AC_DEFINE_UNQUOTED(BRO_SYSCONF_FILE, "$BRO_SYSCONF_FILE", [Location of config file])
-AC_SUBST(BRO_SYSCONF_FILE)
-
-dnl ##################################################
-dnl # Packet support enable/disable switch
-dnl ##################################################
-AC_ARG_WITH(pcap-headers,
-            [  --with-pcap-headers=PATH      Add PATH to include path searched for pcap.h],
-	    CPPFLAGS="$CPPFLAGS -I$withval")
-
-AC_ARG_ENABLE(packets,
-	      AC_HELP_STRING([--disable-packets], [Do not support tx/rx of pcap packets]),
-	      packet_support="no",
-	      packet_support="yes")
-
-if test "$packet_support" = "yes"; then
-   AC_CHECK_HEADERS(pcap.h, , packet_support="no")
-   if test "$packet_support" = "yes"; then
-      BRO_PCAP_SUPPORT="#define BRO_PCAP_SUPPORT"
-   fi
-fi
-
-AM_CONDITIONAL(BRO_PCAP_SUPPORT, test "$packet_support" = "yes")
-AC_SUBST(BRO_PCAP_SUPPORT)
-
-dnl ##################################################
-dnl # Debugging enable/disable switch
-dnl ##################################################
-AC_ARG_ENABLE(debug,
-	      AC_HELP_STRING([--enable-debug], [Use debugging macros to produce helpful output (disabled by default)]),
-	      debug="yes",
-	      debug="no")
-
-if test x$debug = xyes; then
-   
-
-  AC_DEFINE_UNQUOTED(BRO_DEBUG, 1, [Enable debugging output])
-fi
-
-
-dnl ##################################################
-dnl # Check for OpenSSL.
-dnl ##################################################
-dnl
-dnl This is mostly easy, with one exception: in the MinGW
-dnl environment, instead of libcrypto we need to look for
-dnl libeay32.a, and instead of libssl we need to look for
-dnl ssleay32.a. This is with the OpenSSL for Windows package
-dnl from http://www.slproweb.com/products/Win32OpenSSL.html.
-dnl
-AC_ARG_WITH(openssl,
-            [  --with-openssl=DIR       Use OpenSSL installation in DIR],
-	    [CPPFLAGS="-I$withval/include $CPPFLAGS"
-	     LIBS="-L$withval/lib $LIBS"])
-AC_ARG_WITH(kerberos,
-            [  --with-kerberos=DIR      Use Kerberos installation in DIR],
-	    [CPPFLAGS="$CPPFLAGS -I$withval/include" ],
-	    [if test -d "/usr/kerberos"; then CPPFLAGS="$CPPFLAGS -I/usr/kerberos/include"; fi])
-
-AC_CHECK_HEADERS([openssl/ssl.h],,
-		 [AC_MSG_ERROR([cannot find openssl/ssl.h, sorry])])
-AC_CHECK_LIB($bro_libcrypto, OPENSSL_add_all_algorithms_conf,,
-	     [AC_MSG_ERROR([cannot find libcrypto, sorry])], $BRO_LIBADD)
-AC_CHECK_LIB($bro_libssl, SSL_new,,
-	     [AC_MSG_ERROR([cannot find libssl, sorry])], $BRO_LIBADD)
-
-
-dnl ##################################################
-dnl # Check for gtk-doc.
-dnl ##################################################
-
-AC_ARG_WITH(html-dir, [  --with-html-dir=PATH path to installed docs ])
-
-if test "x$with_html_dir" = "x" ; then
-  HTML_DIR='${datadir}/gtk-doc/html'
-else
-  HTML_DIR=$with_html_dir
-fi
-
-AC_SUBST(HTML_DIR)
-
-AC_CHECK_PROG(GTKDOC, gtkdoc-mkdb, true, false)
-AC_PATH_PROG(OPENJADE, openjade, no)
-
-gtk_doc_min_version_maj=0
-gtk_doc_min_version_min=6
-
-if test x$GTKDOC = xtrue -a x$OPENJADE != xno; then
-    gtk_doc_version=`gtkdoc-mkdb --version`
-    AC_MSG_CHECKING([gtk-doc version ($gtk_doc_version) >= $gtk_doc_min_version_maj.$gtk_doc_min_version_min])
-    if perl <<EOF ; then
-      exit (("$gtk_doc_version" =~ /^(\d+)\.(\d+)$/ &&
-            (("\$1" > "$gtk_doc_min_version_maj") ||
-             (("\$1" == "$gtk_doc_min_version_maj") &&
-              ("\$2" >= "$gtk_doc_min_version_min")))) ? 0 : 1);
-EOF
-      AC_MSG_RESULT(yes)
-   else
-      AC_MSG_RESULT(no)
-      GTKDOC=false
-   fi
-fi
-
-dnl Let people disable the gtk-doc stuff.
-AC_ARG_ENABLE(gtk-doc, [  --enable-gtk-doc  Use gtk-doc to build documentation [default=auto]], enable_gtk_doc="$enableval", enable_gtk_doc=auto)
-if test x$enable_gtk_doc = xauto ; then
-  if test x$GTKDOC = xtrue ; then
-    enable_gtk_doc=yes
-  else
-    enable_gtk_doc=no
-  fi
-fi
-
-AM_CONDITIONAL(ENABLE_GTK_DOC, test x$enable_gtk_doc = xyes)
-
-dnl ##################################################
-dnl # Fix build info output string for broccoli-config
-dnl ##################################################
-broc_buildinfo=`uname -n`
-broc_builddate=`date`
-broc_builddebug="Debugging support: $debug"
-BUILDINFO="\"$broc_buildinfo, $broc_builddate, $broc_builddebug\""
-AC_SUBST(BUILDINFO)
-
-AC_CONFIG_FILES([
-Makefile
-broccoli-config
-src/Makefile
-src/broccoli.h
-test/Makefile
-docs/Makefile
-docs/mkhtml
-bindings/Makefile
-])
-AC_CONFIG_COMMANDS([default],[[
-chmod +x broccoli-config
-chmod +x docs/mkhtml
-]],[[]])
-AC_OUTPUT
-
-echo  
-echo "               "${BLD_ON}"Broccoli Configuration Summary"${BLD_OFF}
-echo "=========================================================="
-echo
-echo "   - Debugging enabled:     "${BLD_ON}$debug${BLD_OFF}
-echo "   - Pcap packet support:   "${BLD_ON}$packet_support${BLD_OFF}
-echo
-if test "x$bro_build" = xno; then
-echo "  Now run:"
-echo
-echo "  $ "${BLD_ON}"make"${BLD_OFF}
-echo "  # "${BLD_ON}"make install"${BLD_OFF}
-echo
-echo "  (or use "${BLD_ON}"gmake"${BLD_OFF}" when make on your platform isn't GNU make)"
-echo
-fi
diff --git a/aux/broccoli/contrib/README b/aux/broccoli/contrib/README
deleted file mode 100644
index 28e72b8d06..0000000000
--- a/aux/broccoli/contrib/README
+++ /dev/null
@@ -1,12 +0,0 @@
-This directory contains code contributed by others, until it's clear
-where's the best place to put it.
-
-Note: given broccoli-config, the generic build command for a Broccoli
-application is
-
-  $ <compiler> -o output <source files> `broccoli-config --cflags` \
-  `broccoli-config --libs`
-
-					        --Christian.
-________________________________________________________________________
-$Id: README 2035 2005-12-20 04:16:11Z vern $
diff --git a/aux/broccoli/contrib/broclient.cc b/aux/broccoli/contrib/broclient.cc
deleted file mode 100644
index 21693b8052..0000000000
--- a/aux/broccoli/contrib/broclient.cc
+++ /dev/null
@@ -1,339 +0,0 @@
-#include <string>
-#include <vector>
-#include <iostream>
-#include <iomanip>
-#include <errno.h>
-
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-
-
-#include <broccoli.h>
-
-#ifdef HAVE_CONFIG_H
-#include <config.h>
-#endif
-
-using std::string;
-using std::vector;
-using std::cout;
-using std::cin;
-using std::cerr;
-
-string default_host = "127.0.0.1";
-string default_port = "47757";
-string host;
-string port;
-
-int count = -1;
-int seq;
-
-void
-usage(void)
-	{
-	cout << "broclient - sends events with string arguments from stdin to a running Bro\n"
-		"USAGE: broclient [-p port=47757] [host=127.0.0.1]\n"
-		"Input format (each line): event_name type=arg1 type=arg2...\n";
-	exit(0);
-	}
-
-void
-showtypes(void)
-	{
-	cout << "Legitimate event types are:\n"
-		"string, int, count, double, bool, time, \n"
-		"interval, port, addr, net, subnet\n\n"
-		"eamples: string=foo, port=23/tcp, addr=10.10.10.10, \n"
-		"net=10.10.10.0 and subnet=10.0.0.0/8\n";
-	exit(0);
-	}
-
-
-void tokenize(const string& str, vector<string>& tokens)
-	{
-	int num_tokens = 0;
-	char delim = '\0';
-
-	for ( unsigned int i = 0; i < str.length(); ++i )
-		{
-		while ( isspace(str[i]) )
-			++i;
-
-		string next_arg;
-
-		if (str[i] == '"' || str[i] == '\'')
-			{
-			delim = str[i];
-			++i;
-			}
-		else
-			delim = '\0';
-			
-
-		for ( ; str[i]; ++i )
-			{
-			if ( delim && str[i] == '\\' && 
-			     i < str.length() && str[i+1] == delim )
-				{
-				++i;
-				next_arg.push_back(str[i]);
-				}
-
-			else if ( delim && str[i] == delim )
-				{
-				++i;
-				break;
-				}
-
-			else if ( ! delim && isspace(str[i]) )
-				break;
-			else
-				next_arg.push_back(str[i]);
-			}
-
-		tokens.push_back(next_arg);
-		}
-	}
-
-
-
-int
-main(int argc, char **argv)
-	{
-	int opt, use_record = 0, debugging = 0;
-	BroConn *bc;
-	extern char *optarg;
-	extern int optind;
-
-	bro_init(NULL);
-
-	bro_debug_calltrace = 0;
-	bro_debug_messages  = 0;
-
-	host = default_host;
-	port = default_port;
-
-	while ( (opt = getopt(argc, argv, "p:dh?")) != -1)
-		{
-		switch (opt)
-			{
-			case 'd':
-				debugging++;
-
-				if (debugging == 1)
-					bro_debug_messages = 1;
-	  
-				if (debugging > 1)
-					bro_debug_calltrace = 1;
-				break;
-
-			case 'h':
-			case '?':
-				usage();
-
-			case 'p':
-				port = optarg;
-				break;
-
-			default:
-				usage();
-			}
-		}
-
-	argc -= optind;
-	argv += optind;
-
-	if (argc > 0)
-		host = argv[0];
-
-	/* Connect to Bro */
-	if (! (bc = bro_conn_new_str( (host + ":" + port).c_str(), BRO_CFLAG_NONE )))
-		{
-		cerr << "Could not obtain connection handle for Bro at " << 
-			host.c_str() << ":" << port.c_str() << "\n";
-		exit(-1);
-		}
-
-	cout << "Connecting... \n";
-	if (! bro_conn_connect(bc))
-		{
-		cout << "Could not connect to Bro.\n";
-		exit(-1);
-		}
-  
-	cout << "Handshake Complete \n";
-	/* Enter pinging loop */
-	while ( ! cin.eof() )
-		{
-		string inp;
-		vector<string> tokens;
-		cout << "Calling getline .. \n";
-		std::getline(cin, inp);
-
-		tokenize(inp, tokens);
-		if ( tokens.size() == 0 )
-			continue;
-
-		BroEvent *ev;
-
-		cout << "Calling bro_conn_process_input .. \n";
-		bro_conn_process_input(bc);
-
-		cout << "Generating Bro event \n";
-		if ( (ev = bro_event_new(tokens[0].c_str())) )
-			{
-      
-			for ( unsigned int i = 1; i < tokens.size(); ++i )
-				{
-				// this is something of a nasty hack, but it does work
-
-				string tkn,tkn_type,tkn_data;
-				char delim = '=';
-
-				tkn=tokens[i].c_str();
-				string::size_type position = tkn.find_first_of("=",0);
-
-				tkn_type = tkn.substr(0,position);
-				tkn_data = tkn.substr(position+1,tkn.length());
-
-				if ( tkn_type == "string" )
-					{
-					BroString arg;
-					bro_string_init(&arg);
-					bro_string_set(&arg, tkn_data.c_str());
-					bro_event_add_val(ev, BRO_TYPE_STRING, NULL, &arg);
-					bro_string_cleanup(&arg);
-					}
-				else if ( tkn_type == "int" )
-					{
-					int bint;
-					bint = atoi(tkn_data.c_str());
-					bro_event_add_val(ev, BRO_TYPE_INT, NULL, (int*)bint);
-					}
-				else if ( tkn_type == "count" )
-					{
-					uint32 buint;
-					buint = atoi(tkn_data.c_str());
-					bro_event_add_val(ev, BRO_TYPE_COUNT, NULL, (uint32*)buint);
-					}
-				else if ( tkn_type == "double" )
-					{
-					double bdouble;
-					char* end_s;
-					bdouble = strtod(tkn_data.c_str(),&end_s);
-					bro_event_add_val(ev, BRO_TYPE_DOUBLE, NULL, &bdouble);
-					}
-				else if ( tkn_type == "bool" )
-					{
-					int bbool=0;
-
-					if ( tkn_data == "T" || 
-						tkn_data == "TRUE" || 
-						tkn_data == "1" )
-						bbool = 1;
-					
-					bro_event_add_val(ev, BRO_TYPE_BOOL, NULL, &bbool);
-					}
-				else if ( tkn_type == "time" )
-					{
-					double btime;
-					char* end_s;
-					btime = strtod(tkn_data.c_str(),&end_s);
-					bro_event_add_val(ev, BRO_TYPE_TIME, NULL, &btime);
-					}
-				else if ( tkn_type == "interval" )
-					{
-					double binterval;
-					char* end_s;
-					binterval = strtod(tkn_data.c_str(),&end_s);
-					bro_event_add_val(ev, BRO_TYPE_INTERVAL, NULL, &binterval);
-					}
-				else if ( tkn_type == "port" )
-					{
-					BroPort BP;	
-					string port_value;
-					string::size_type port_offset;
-					int broport;
-					
-					//determine protocol type, start with tcp/udp do icmp
-					// later since the 'ports' are not as simple...
-					if ( tkn_data.find("tcp",0) <  tkn_data.length() )
-						BP.port_proto = IPPROTO_TCP;
-					else BP.port_proto = IPPROTO_UDP;
-
-					// parse out the numeric values
-					port_offset = tkn_data.find_first_of("/",0);
-					port_value = tkn_data.substr(0,port_offset);
-
-					broport = atoi(port_value.c_str());
-					BP.port_num = broport;
-
-					bro_event_add_val(ev, BRO_TYPE_PORT, NULL, &BP);
-					
-					}
-				else if ( tkn_type == "addr" )
-					{
-					uint32 badd;
-					// badd=htonl((uint32)inet_addr(tkn_data.c_str()));
-					badd=(uint32)inet_addr(tkn_data.c_str());
-
-					bro_event_add_val(ev, BRO_TYPE_IPADDR, NULL, &badd);
-					}	
-				else if ( tkn_type == "net" )
-					{
-					uint32 bnet;
-					// bnet=htonl((uint32)inet_addr(tkn_data.c_str()));
-					bnet=(uint32)inet_addr(tkn_data.c_str());
-
-					bro_event_add_val(ev, BRO_TYPE_NET, NULL, &bnet);
-					}
-				else if ( tkn_type == "subnet" )
-					{
-					// this is assuming a string that looks like
-					// "subnet=10.0.0.0/8"
-					BroSubnet BS;
-					string subnet_value;
-					string subnet_width;
-					string::size_type mask_offset;
-					uint32 sn_net, sn_width;
-
-					//parse out numeric values
-					mask_offset = tkn_data.find_first_of("/",0);
-					subnet_value = tkn_data.substr(0,mask_offset);
-					subnet_width = tkn_data.substr(mask_offset+1,tkn_data.length());
-
-					sn_net = (uint32)inet_addr(subnet_value.c_str());
-					sn_width = (uint32)atol(subnet_width.c_str());
-
-					BS.sn_net = sn_net;
-					BS.sn_width = sn_width;
-
-					bro_event_add_val(ev, BRO_TYPE_SUBNET, NULL, &BS);
-					}
-				else
-					{
-					// there is something wrong here
-					cerr << "unknown data type: " << tkn_type << "\n\n";
-					bro_event_free(ev);
-					showtypes();
-					}
-
-				}
-			
-			/* Ship it -- sends it if possible, queues it otherwise */
-		        cout << "Sending event to Bro \n";
-			if ( ! bro_event_send(bc, ev) )
-				cerr << "event could not be sent right away\n";
-
-			bro_event_free(ev);
-			}
-		}
-
-
-	/* Disconnect from Bro */
-	bro_conn_delete(bc);
-	
-	return 0;
-	}
diff --git a/aux/broccoli/contrib/bropipe.cc b/aux/broccoli/contrib/bropipe.cc
deleted file mode 100644
index e1b059f372..0000000000
--- a/aux/broccoli/contrib/bropipe.cc
+++ /dev/null
@@ -1,657 +0,0 @@
-// $Id: bropipe.cc 6940 2009-11-14 00:38:53Z robin $
-// bropipe.cc: pipe version of generic client
-// 02/04/05
-//
-// to compile:  g++ `broccoli-config --cflags` `broccoli-config --libs` -o bropipe bropipe.cc
-//
-
-
-#include <vector>
-#include <iostream>
-#include <iomanip>
-#include <errno.h>
-
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <stdio.h>
-#include <fcntl.h>
-#include <string.h>
-#include "broccoli.h"
-
-using std::string;
-using std::vector;
-using std::cout;
-using std::cin;
-using std::cerr;
-
-string default_host = "127.0.0.1";
-string default_port = "47757";
-string default_input_file = "brocsock";
-string default_log_file = "/tmp/bropipe.log";
-
-string conn_str;
-string host;
-string port;
-string input_file;
-string log_file;
-int debug;
-BroConn *bc;
-
-// The following are declarations needed for the modp_burl string decoding
-// functions. They were cribbed from the stringencoders-v3.7.0 source tree.
-// syc 1/20/09
-
-/**
- * \file
- * <pre>
- * BFASTURL.c High performance URL encoder/decoder
- * http://code.google.com/p/stringencoders/
- *
- * Copyright &copy; 2006,2007  Nick Galbreath -- nickg [at] modp [dot] com
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are
- * met:
- *
- *   Redistributions of source code must retain the above copyright
- *   notice, this list of conditions and the following disclaimer.
- *
- *   Redistributions in binary form must reproduce the above copyright
- *   notice, this list of conditions and the following disclaimer in the
- *   documentation and/or other materials provided with the distribution.
- *
- *   Neither the name of the modp.com nor the names of its
- *   contributors may be used to endorse or promote products derived from
- *   this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
- * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
- * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
- * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- *
- * This is the standard "new" BSD license:
- * http://www.opensource.org/licenses/bsd-license.php
- * </PRE>
- */
-
-static const uint32_t gsHexDecodeMap[256] = {
-256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
-256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
-256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
-256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
-  0,   1,   2,   3,   4,   5,   6,   7,   8,   9, 256, 256,
-256, 256, 256, 256, 256,  10,  11,  12,  13,  14,  15, 256,
-256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
-256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
-256,  10,  11,  12,  13,  14,  15, 256, 256, 256, 256, 256,
-256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
-256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
- 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
-256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
-256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
-256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
-256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
-256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
-256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
-256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
-256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
-256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
-256, 256, 256, 256
-};
-
-
-int modp_burl_decode(char* dest, const char* s, int len)
-{
-    uint32_t d = 0; // used for decoding %XX
-    const uint8_t* src = (const uint8_t*) s;
-    const char* deststart = dest;
-    const uint8_t* srcend = (const uint8_t*)(src + len);
-    const uint8_t* srcendloop = (const uint8_t*)(srcend - 2);
-
-    while (src < srcendloop) {
-        switch (*src) {
-        case '+':
-            *dest++ = ' ';
-            src++;
-            break;
-        case '%':
-            d = (gsHexDecodeMap[(uint32_t)(*(src + 1))] << 4) |
-                gsHexDecodeMap[(uint32_t)(*(src + 2))];
-            if (d < 256) { // if one of the hex chars is bad,  d >= 256
-                *dest = (char) d;
-                dest++;
-                src += 3;
-            } else {
-                *dest++ = '%';
-                src++;
-            }
-            break;
-        default:
-            *dest++ = *src++;
-        }
-    }
-
-    // handle last two chars
-    // dont decode "%XX"
-    while (src < srcend) {
-        switch (*src) {
-        case '+':
-            *dest++ = ' ';
-            src++;
-            break;
-        default:
-            *dest++ = *src++;
-        }
-    }
-
-    *dest = '\0';
-    return dest - deststart; // compute "strlen" of dest.
-}
-
-void usage(void)
-	{
-	cout << "bropipe - sends events with string arguments from file to a\n"
-		"	running Bro\n"
-		"USAGE: bropipe [-p port=47757] [-f input] [host=127.0.0.1[:port]] [-d]\n"
-		"Input format (each line): event_name type=arg1 type=arg2...\n";
-	exit(0);
-	}
-
-void showtypes(void)
-	{
-	cout << "Legitimate event types are:\n"
-		"	string, urlstring, int, count, double, bool, time, \n"
-		"	interval, port, addr, net, subnet\n\n"
-		"	examples: string=foo, port=23/tcp, addr=10.10.10.10, \n"
-		"	net=10.10.10.0, subnet=10.0.0.0/8\n"
-		"	urlstring is a url encoded string type - use this when\n"
-		"	whitespace can be found in the strings\n";
-	exit(0);
-	}
-
-void tokenize(const string& str, vector<string>& tokens)
-	{
-	int num_tokens = 0;
-	char delim = '\0';
- 
-	for ( unsigned int i = 0; i < str.length(); ++i ) {
-		while ( isspace(str[i]) )
-		      ++i;
- 
-		string next_arg;
- 
-		if (str[i] == '"' || str[i] == '\'')
-			{
-			delim = str[i];
-			++i;
-			}
-		else
-		delim = '\0';
- 
-		for ( ; str[i]; ++i )
-			{
-			if ( delim && str[i] == '\\' &&
-				 i < str.length() && str[i+1] == delim )
-				{
-				++i;
-				next_arg.push_back(str[i]);
-				}
-	 
-			else if ( delim && str[i] == delim )
-				{
-				++i;
-				break;
-				}
- 
-			else if ( ! delim && isspace(str[i]) )
-				break;
-			else
-				next_arg.push_back(str[i]);
-			}
- 
-		tokens.push_back(next_arg);
-		}
-	}
-
-void ntokenize(const string& str, vector<string>& inText)
-		{
-		int num_tokens = 0;
-		char delim = '\n';
-																											
-		for ( unsigned int i = 0; i < str.length(); ++i )
-				{
-				while ( isspace(str[i]) )
-				++i;
-																											
-				string next_arg;
-																											
-				if (str[i] == '"' || str[i] == '\'')
-						{
-						delim = str[i];
-						++i;
-						}
-				else
-				delim = '\n';
-																											
-				for ( ; str[i]; ++i )
-						{
-						if ( delim && str[i] == '\\' &&
-								 i < str.length() && str[i+1] == delim )
-								{
-								next_arg.push_back(str[i]);
-								++i;
-								}
-																											
-						else if ( delim && str[i] == delim )
-								{
-								break;
-								}
-																											
-						else if ( ! delim && isspace(str[i]) )
-								break;
-						else
-								next_arg.push_back(str[i]);
-						}
-								
-				inText.push_back(next_arg);
-				}
-		}
-
-
-FILE * open_input_stream()
-	{
-	FILE *fp;
-
-	if (input_file == "-") 
-		{
-		fp = stdin;
-		if (debug)
-			fprintf(stderr, "DEBUG: input is STDIN.\n");
-		}
-	else
-		{
-		if (debug)
-			fprintf(stderr, "DEBUG: try opening `%s' as input\n", input_file.c_str());
-		fp = fopen(input_file.c_str(),"r");
-	  	if (fp == NULL)
-		  	{
-			if (debug)
-				fprintf(stderr, "DEBUG: can't open, so creating pipe %s\n", input_file.c_str());
-
-			mkfifo(input_file.c_str(), S_IRUSR | S_IRGRP | S_IROTH );
-	  		fp = fopen(input_file.c_str(),"r");
-
-			if (fp==NULL) 
-				fprintf(stderr, "Failed to create pipe %s\n", input_file.c_str());
-			else
-				if (debug)
-					fprintf(stderr, "DEBUG: created and opened pipe `%s'\n", input_file.c_str());
-
-	  		}
-		}
-
-	return(fp);
-	}
-
-
-int make_connection()
-	{
-	// now connect to the bro host - on failure, try again three times
-	// the flags here are telling us to block on connect, reconnect in the
-	// event of a connection failure, and queue up events in the event of a
-	// failure to the bro host
-	//
-	// the flags have been modified to allow for connect back and event queuing
-
-	if ((bc = bro_conn_new_str(conn_str.c_str(), BRO_CFLAG_RECONNECT | BRO_CFLAG_ALWAYS_QUEUE)))
-		{
-		if (debug)
-			fprintf(stderr, "DEBUG: got BroConn handle\n");
-		}
-	else
-		{
-		fprintf(stderr, "fatal: could not get BroConn handle.\n");
-		exit(-1);
-		}
-
-        if (debug)
-	    fprintf(stderr, "DEBUG: attempt to connect to %s...", conn_str.c_str());
-
-	bro_conn_set_class(bc, "bropipe");
-
-        while (!bro_conn_connect (bc)) {
-            fprintf (stderr, "could not connect to Bro at %s:%s.\n",
-                     host.c_str (), port.c_str ());
-            fprintf (stderr, "Will try again in 5 seconds \n");
-            sleep (5);
-        }
-
-        if (debug)
-            fprintf(stderr, "DEBUG: connected\n");
-                                                
-	return(0);
-	}
-
-int main(int argc, char **argv)
-	{
-	int fd,rc,n;
-	int j;
-	int ecount=0;
-	fd_set readfds;
-	char buf[1024];
-	char *urlstr = NULL;
-	int urlstrsz = 0;
-
-	struct timeval tv;
-	FILE *fp;
-
-	int opt, use_record = 0;
-	extern char *optarg;
-	extern int optind;
-
-	bro_init(NULL);
-
-	host = default_host + ":" + default_port;
-	input_file = default_input_file;
-
-	while ( (opt = getopt(argc, argv, "l:f:p:dDh?")) != -1)
-	{
-		switch (opt)
-			{
-			case 'l':
-				log_file = optarg;				
-				break;
-
-			case 'f':
-				input_file = optarg;				
-				break;
-
-			case 'd':
-				debug++;
-				break;
- 
-			case 'D':
-				debug++; 
-				debug++;
-				break;
-
-			case 'h':
-			case '?':
-				usage();
-				break;
- 
-			case 'p':
-				port = optarg;
-				break;
- 
-			default:
-				usage();
-				break;
-			}
-	}
- 
-	argc -= optind;
-	argv += optind;
-
-	if (argc == 1) {
-	  host = argv[0];
-	  if (host.find(':') == string::npos)
-	    host += ":" + default_port;
-	}
-
-
-    if (argc > 1)
-        usage();
-        
-    // config destination connection string
-    conn_str = host;
-    if (port != "")
-        {
-        conn_str += ":"; 
-        conn_str += port;
-        }
-
-	// open input 
-	fp = open_input_stream();
-	if (fp == NULL) {
-		fprintf(stderr, "fatal: failed to get input stream\n");
-		return(1);
-	}
-
-	if (!debug || debug < 2) 
-		make_connection();
-	else 
-		if (debug)
-			fprintf(stderr, "DEBUG: not connecting to Bro (debug level >1)\n");
-
-
-
-	// socket and pipe are set up, now start processing
-	if(debug)
-		fprintf(stderr, "DEBUG: waiting for data on input stream...\n");
-
-	while(fgets(buf, sizeof(buf), fp)) 
-		{
-		ecount++;
-		string inp;
-		vector<string> inText; //text inputts within the pipe
-		vector<string> tokens;
-
-		if (debug) 
-			fprintf(stderr, "DEBUG: read event #%d: %s", ecount, buf);
-
-		if(debug >1)
-			continue;
-		
-		
-		inp = buf;
-		ntokenize(inp, inText);
-
-		BroEvent *ev;
-		bro_conn_process_input(bc);
-
-		for(j=0;j<inText.size();++j) 
-		{
-
-		tokens.clear(); // make sure that the vector is clear
-		tokenize(inText[j].c_str(), tokens);
-	        // if this line didn't tokenize to anything, skip the rest of the block
-                if ( tokens.size() == 0)
-                     continue;
-
-		if ( ev = bro_event_new(tokens[0].c_str()) )
-			{
-			for ( unsigned int i = 1; i < tokens.size(); ++i )
-				{
-				// this is something of a nasty hack, but it does work
-				string tkn,tkn_type,tkn_data;
-				char delim = '=';
- 
-				tkn=tokens[i].c_str();
-				string::size_type position = tkn.find_first_of("=",0);
- 
-				tkn_type = tkn.substr(0,position);
-				tkn_data = tkn.substr(position+1,tkn.length());
- 
-				if ( tkn_type == "string" )
-					{
-					BroString arg;
-					bro_string_init(&arg);
-					bro_string_set(&arg,tkn_data.c_str());
-					bro_event_add_val(ev, BRO_TYPE_STRING, NULL, &arg);
-					bro_string_cleanup(&arg);
-					}
-				else if (tkn_type == "urlstring")
-				        {
-					BroString arg;
-					bro_string_init(&arg);
-					int sz= strlen(tkn_data.c_str()) + 1;
-					if ( sz > urlstrsz) {
-					    if (urlstr)
-					        free( urlstr);
-					    urlstr = (char *)malloc( sz);
-					    if (urlstr == NULL) {
-					        fprintf( stderr,"Could not allocate %d bytes for url conversion buffer\n",sz);
-						return(1);
-					    }
-					    urlstrsz = sz;
-					}
-					modp_burl_decode(urlstr,tkn_data.c_str(),strlen(tkn_data.c_str()));
-					bro_string_set(&arg,urlstr);
-					bro_event_add_val(ev, BRO_TYPE_STRING, NULL, &arg);
-					bro_string_cleanup(&arg);
-					}
-					  
-				else if ( tkn_type == "int" )
-					{
-					int bint;
-					bint = atoi(tkn_data.c_str());
-					bro_event_add_val(ev, BRO_TYPE_INT, NULL, &bint);
-					}
-				else if ( tkn_type == "count" )
-					{
-					uint32 buint;
-					buint = atoi(tkn_data.c_str());
-					bro_event_add_val(ev, BRO_TYPE_COUNT, NULL, &buint);
-					}
-				else if ( tkn_type == "double" )
-					{
-					double bdouble;
-					char* end_s;
-					bdouble = strtod(tkn_data.c_str(),&end_s);
-					bro_event_add_val(ev, BRO_TYPE_DOUBLE, NULL, &bdouble);
-					}
-				else if ( tkn_type == "bool" )
-					{
-					int bbool=0;
- 
-					if ( tkn_data == "T" ||
-						tkn_data == "TRUE" ||
-						tkn_data == "1" )
-						bbool = 1;	
- 
-					bro_event_add_val(ev, BRO_TYPE_BOOL, NULL, &bbool);
-					}	
-				else if ( tkn_type == "time" )	
-					{	
-					double btime;
-					char* end_s;
-					btime = strtod(tkn_data.c_str(),&end_s);
-					bro_event_add_val(ev, BRO_TYPE_TIME, NULL, &btime);
-					}
-				else if ( tkn_type == "interval" )
-					{
-					double binterval;
-					char* end_s;
-					binterval = strtod(tkn_data.c_str(),&end_s);
-					bro_event_add_val(ev, BRO_TYPE_INTERVAL, NULL, &binterval);
-					}
-				else if ( tkn_type == "port" )
-					{
-					BroPort BP;
-					string port_value;
-					string::size_type port_offset;
-					int broport;
- 
-					//determine protocol type, start with tcp/udp do icmp
-					// later since the 'ports' are not as simple...
-					if ( tkn_data.find("tcp",0) <tkn_data.length() )
-						BP.port_proto = IPPROTO_TCP;
-					else BP.port_proto = IPPROTO_UDP;
- 
-					// parse out the numeric values
-					port_offset = tkn_data.find_first_of("/",0);
-					port_value = tkn_data.substr(0,port_offset);
- 
-					broport = atoi(port_value.c_str());
-					BP.port_num = broport;
-					bro_event_add_val(ev, BRO_TYPE_PORT, NULL, &BP);
-					}
-				else if ( tkn_type == "addr" )
-					{	
-					uint32 badd;
-					badd=(uint32)inet_addr(tkn_data.c_str());
-					//badd=htonl((uint32)inet_addr(tkn_data.c_str()));
- 
-					bro_event_add_val(ev, BRO_TYPE_IPADDR, NULL, &badd);
-					}
-				else if ( tkn_type == "net" )
-					{
-					uint32 bnet;
-					// bnet=htonl((uint32)inet_addr(tkn_data.c_str()));
-					bnet=(uint32)inet_addr(tkn_data.c_str());
- 
-					bro_event_add_val(ev, BRO_TYPE_NET, NULL, &bnet);
-					}
-				else if ( tkn_type == "subnet" )
-					{
-					// this is assuming a string that looks like
-					// "subnet=10.0.0.0/8"
-					BroSubnet BS;
-					string subnet_value;
-					string subnet_width;
-					string::size_type mask_offset;
-					uint32 sn_net, sn_width;
- 
-					//parse out numeric values
-					mask_offset = tkn_data.find_first_of("/",0);
-					subnet_value = tkn_data.substr(0,mask_offset);
-					subnet_width = tkn_data.substr(mask_offset+1,tkn_data.length());
- 
-					sn_net = (uint32)inet_addr(subnet_value.c_str());
-					sn_width = (uint32)atol(subnet_width.c_str());
- 
-					BS.sn_net = sn_net;
-					BS.sn_width = sn_width;
- 
-					bro_event_add_val(ev, BRO_TYPE_SUBNET,NULL,  &BS);
-					}
-				else
-					{
-					// there is something wrong here with the data
-					// type.  since it might be binary data, don't 
-					// punt it out.  Also showtypes() will just toss
-					// junk to the bro, so comment out.
-					cerr << "unknown data type " << tkn_type << "\n";
-					//cerr << " from -|" << inText[j].c_str() << "|-\n";
-					//showtypes();
-					}
- 
-				}
-			}
-			/* Ship it -- sends it if possible, queues it otherwise */
-			if ( !bro_conn_alive(bc) )
-				{
-				cerr << "connection bad, resetting\n";
-				make_connection();
-				}
-			//else
-			//	cerr << "connection ok!\n";
-
-
-			//bro_event_send(bc, ev);
-			if ( ! bro_event_send(bc, ev) )
-				cerr << "event could not be sent right away\n";
-
-			// now clean up after ourselves...
-			bro_event_free(ev);	
-		}			
-	}
-	fclose(fp);
-
-	if (debug)
-		fprintf(stderr, "DEBUG: End of input stream; exiting\n");
-}
-
-
diff --git a/aux/broccoli/contrib/brosendpkts.c b/aux/broccoli/contrib/brosendpkts.c
deleted file mode 100644
index 7cc4e2cf1f..0000000000
--- a/aux/broccoli/contrib/brosendpkts.c
+++ /dev/null
@@ -1,90 +0,0 @@
-/* NOTE: This file needs to be cleaned up to build with all
- * C compilers -- no variable definitions in the middle of
- * functions, etc. Conditional compilation depending on
- * whether we're using a Broccoli with or without pcap support
- * can be done with #ifdef BRO_PCAP_SUPPORT. --ck.
- */
-
-#include <string.h>
-#include <broccoli.h>
-#include <pcap.h>
-
-void usage() {
-  fprintf(stderr, "usage: brosendpkts -r file -b host:port [-t tag]\n");
-  exit(1);
-} 
-
-
-int main(int argc, char** argv) {
-  char* filename=NULL;
-  char* bro_connection=NULL;
-  char* tag="";
-
-  bro_init(NULL);
-
-  int opt;
-  while ((opt=getopt(argc, argv, "r:b:t:h?")) != -1) {
-    switch(opt) {
-    case 'r':
-      filename=strdup(optarg);
-      break;
-    case 'b':
-      bro_connection=strdup(optarg);
-      break;
-    case 't':
-      tag=strdup(optarg);
-      break;
-    case 'h':
-    case '?':
-    default:
-      usage();
-    }
-  }
-  argc -= optind;
-  argv += optind;
-
-
-  if (filename==NULL || bro_connection==NULL) usage();
-
-  BroConn *broccoli_p=bro_conn_new_str(bro_connection, BRO_CFLAG_NONE);
-  if (!broccoli_p)
-    {
-	fprintf(stderr, "can't instantiate connection object\n");
-	exit(1);
-	}
-								   
-  if (! bro_conn_connect(broccoli_p)) {
-    fprintf(stderr, "Bro connection to %s failed\n",
-	    bro_connection);
-    exit(1);
-  }
-  printf("connected to Bro %s\n", bro_connection);
-
-  char pcap_errbuf[PCAP_ERRBUF_SIZE]="";
-  pcap_t* pcap_p=pcap_open_offline(filename, pcap_errbuf);
-
-  if (!pcap_p) {
-    fprintf(stderr, "pcap eror: %s\n", pcap_errbuf);
-    exit(1);
-  }
-
-  bro_conn_set_packet_ctxt(broccoli_p, pcap_datalink(pcap_p));
-
-  const uchar* packet_p=NULL;
-  struct pcap_pkthdr pkthdr;
-  
-  int pkt_cnt=0;
-  while ((packet_p=pcap_next(pcap_p, &pkthdr))) {
-    pkt_cnt++;
-    BroPacket* broccoli_packet_p=bro_packet_new(&pkthdr, packet_p, tag);
-    bro_packet_send(broccoli_p, broccoli_packet_p);
-    bro_packet_free(broccoli_packet_p);
-  }
-
-  printf("sent %d packets\n",pkt_cnt);
-  
-  bro_conn_delete(broccoli_p);
-  printf("connection to Bro %s closed\n", bro_connection);
-
-  return 0;
-}
diff --git a/aux/broccoli/contrib/rcvpackets.bro b/aux/broccoli/contrib/rcvpackets.bro
deleted file mode 100644
index 339bf815b8..0000000000
--- a/aux/broccoli/contrib/rcvpackets.bro
+++ /dev/null
@@ -1,11 +0,0 @@
-
-@load listen-clear
-	
-redef Remote::destinations +=  {
-    ["broccoli"] = [$host=127.0.0.1, $accept_state=T, $sync=F]
-};
-	
-
-	
-	
-	
diff --git a/aux/broccoli/docs/Makefile.am b/aux/broccoli/docs/Makefile.am
deleted file mode 100644
index 9828f010e0..0000000000
--- a/aux/broccoli/docs/Makefile.am
+++ /dev/null
@@ -1,205 +0,0 @@
-## Process this file with automake to produce Makefile.in
-
-# This is a blank Makefile.am for using gtk-doc.
-# Copy this to your project's API docs directory and modify the variables to
-# suit your project. See the GTK+ Makefiles in gtk+/docs/reference for examples
-# of using the various options.
-
-# The name of the module, e.g. 'glib'.
-DOC_MODULE=broccoli
-
-# The top-level SGML file. Change it if you want.
-DOC_MAIN_SGML_FILE=$(DOC_MODULE)-manual.sgml
-
-# The directory containing the source code. Relative to $(srcdir).
-# CAUTION: this will usually be the current directory.
-# gtk-doc will search all .c & .h files beneath here for inline comments
-# documenting functions and macros.
-DOC_SOURCE_DIR=$(top_srcdir)/src
-
-# Extra options to pass to gtkdoc-scanobj or gtkdoc-scangobj.
-SCANOBJ_OPTIONS=
-
-# Extra options to supply to gtkdoc-scan.
-SCAN_OPTIONS=
-
-# Extra options to supply to gtkdoc-mkdb.
-MKDB_OPTIONS=--ignore-files=bro_lexer.c
-
-# Extra options to supply to gtkdoc-fixref.
-FIXXREF_OPTIONS=
-
-# Used for dependencies.
-HFILE_GLOB=
-CFILE_GLOB=
-
-# Header files to ignore when scanning.
-IGNORE_HFILES=
-
-# Images to copy into HTML directory.
-HTML_IMAGES = \
-	images/caution.gif \
-	images/note.gif \
-	images/warning.gif \
-	images/logo.jpg
-
-# Other HTML stuff that needs installing
-HTML_MISC = \
-	stylesheet.css
-
-# Extra SGML files that are included by $(DOC_MAIN_SGML_FILE).
-content_files =
-
-# Other files to distribute.
-extra_files = broccoli.types
-
-# CFLAGS and LDFLAGS for compiling scan program. Only needed if your app/lib
-# contains GtkObjects/GObjects and you want to document signals and properties.
-GTKDOC_CFLAGS =
-GTKDOC_LIBS =
-
-GTKDOC_CC=$(LIBTOOL) --mode=compile $(CC)
-GTKDOC_LD=$(LIBTOOL) --mode=link $(CC)
-
-# If you need to override some of the declarations, place them in the
-# $(DOC_MODULE)-overrides.txt file and uncomment the second line here.
-DOC_OVERRIDES =
-#DOC_OVERRIDES = $(DOC_MODULE)-overrides.txt
-
-# You can pass in a different stylesheet (or none, for the default look).
-STYLESHEET=stylesheet.dsl
-
-###########################################################################
-# Everything below here is generic and you shouldn't need to change it.
-###########################################################################
-
-TARGET_DIR=$(HTML_DIR)/$(DOC_MODULE)
-
-EXTRA_DIST = 				\
-	$(content_files)		\
-	$(extra_files)			\
-	$(HTML_IMAGES)			\
-	$(HTML_MISC)			\
-	$(DOC_MAIN_SGML_FILE)		\
-	$(DOC_MODULE).types		\
-	$(DOC_MODULE)-sections.txt	\
-	$(DOC_OVERRIDES)                \
-	broccoli.types			\
-	mkhtml				\
-	stylesheet.dsl
-
-DOC_STAMPS=scan-build.stamp tmpl-build.stamp sgml-build.stamp html-build.stamp \
-	   $(srcdir)/tmpl.stamp $(srcdir)/sgml.stamp $(srcdir)/html.stamp
-
-SCANOBJ_FILES = 		 \
-	$(DOC_MODULE).args 	 \
-	$(DOC_MODULE).hierarchy  \
-	$(DOC_MODULE).interfaces \
-	$(DOC_MODULE).prerequisites \
-	$(DOC_MODULE).signals
-
-if ENABLE_GTK_DOC
-all-local: html-build.stamp
-
-#### scan ####
-
-scan-build.stamp: $(HFILE_GLOB)
-	@echo '*** Scanning header files ***'
-	if grep -l '^..*$$' $(srcdir)/$(DOC_MODULE).types > /dev/null ; then \
-	    CC="$(GTKDOC_CC)" LD="$(GTKDOC_LD)" CFLAGS="$(GTKDOC_CFLAGS)" LDFLAGS="$(GTKDOC_LIBS)" gtkdoc-scanobj $(SCANOBJ_OPTIONS) --module=$(DOC_MODULE) --output-dir=$(srcdir) ; \
-	else \
-	    cd $(srcdir) ; \
-	    for i in $(SCANOBJ_FILES) ; do \
-               test -f $(srcdir)/$$i || touch $(srcdir)/$$i ; \
-	    done \
-	fi
-	cd $(srcdir) && \
-	  gtkdoc-scan --module=$(DOC_MODULE) --source-dir=$(DOC_SOURCE_DIR) --ignore-headers="$(IGNORE_HFILES)" $(SCAN_OPTIONS) $(EXTRA_HFILES)
-	touch scan-build.stamp
-
-$(DOC_MODULE)-decl.txt $(SCANOBJ_FILES): scan-build.stamp
-	@true
-
-#### templates ####
-
-tmpl-build.stamp: $(DOC_MODULE)-decl.txt $(SCANOBJ_FILES) $(DOC_MODULE)-sections.txt $(DOC_OVERRIDES)
-	@echo '*** Rebuilding template files ***'
-	cd $(srcdir) && gtkdoc-mktmpl --module=$(DOC_MODULE)
-	touch tmpl-build.stamp
-
-tmpl.stamp: tmpl-build.stamp
-	@true
-
-#### sgml ####
-
-sgml-build.stamp: tmpl.stamp $(CFILE_GLOB)
-	@echo '*** Building SGML ***'
-	cd $(srcdir) && \
-	gtkdoc-mkdb --module=$(DOC_MODULE) --source-dir=$(DOC_SOURCE_DIR) --main-sgml-file=$(DOC_MAIN_SGML_FILE) $(MKDB_OPTIONS)
-	touch sgml-build.stamp
-
-sgml.stamp: sgml-build.stamp
-	@true
-
-#### html ####
-
-html-build.stamp: sgml.stamp $(DOC_MAIN_SGML_FILE) $(content_files)
-	@echo '*** Building HTML ***'
-	test -d $(srcdir)/html || mkdir $(srcdir)/html
-	mkhtmldir=`cd $(srcdir) && pwd` && \
-	cd $(srcdir)/html && $$mkhtmldir/mkhtml $(DOC_MODULE) ../$(DOC_MAIN_SGML_FILE) $$mkhtmldir/$(STYLESHEET)
-	test "x$(HTML_MISC)" = "x" || ( cd $(srcdir) && cp $(HTML_MISC) html )
-	@echo '-- Fixing Crossreferences' 
-	cd $(srcdir) && gtkdoc-fixxref --module-dir=html --html-dir=$(HTML_DIR) $(FIXXREF_OPTIONS)
-	touch html-build.stamp
-else
-all-local:
-endif
-
-##############
-
-clean-local:
-	rm -f *~ *.bak $(SCANOBJ_FILES) *-unused.txt $(DOC_STAMPS)
-
-maintainer-clean-local: clean
-	cd $(srcdir) && rm -rf sgml html $(DOC_MODULE)-decl-list.txt $(DOC_MODULE)-decl.txt
-
-# Manual rule here, global install was removed as part of Bro's "make
-# install" cleanup for the 1.4 release. --cpk
-#
-install-docs:
-	$(mkinstalldirs) $(DESTDIR)$(TARGET_DIR)/images
-	(installfiles=`echo $(srcdir)/html/*.html`; \
-	if test "$$installfiles" = '$(srcdir)/html/*.html'; \
-	then echo '-- Nothing to install'; \
-	else \
-	  for i in $$installfiles; do \
-	    echo '-- Installing '$$i; \
-	    $(INSTALL_DATA) $$i $(DESTDIR)$(TARGET_DIR); \
-	  done; \
-	  echo '-- Installing $(srcdir)/images/'; \
-	  for i in $(HTML_IMAGES); do \
-	    $(INSTALL_DATA) $(srcdir)/$$i $(DESTDIR)$(TARGET_DIR)/images; \
-	  done; \
-	  echo '-- Installing additional files'; \
-	  for i in $(HTML_MISC); do \
-	    $(INSTALL_DATA) $(srcdir)/$$i $(DESTDIR)$(TARGET_DIR); \
-	  done; \
-	fi)
-
-uninstall-local:
-	rm -rf $(DESTDIR)$(TARGET_DIR)
-
-dist-hook:
-	mkdir -p $(distdir)/tmpl
-	mkdir -p $(distdir)/sgml
-	mkdir -p $(distdir)/html/images
-	-cp $(srcdir)/tmpl/*.sgml $(distdir)/tmpl
-	-cp $(srcdir)/sgml/*.sgml $(distdir)/sgml
-	-cp $(srcdir)/html/*.html $(distdir)/html
-	for i in $(HTML_MISC); do \
-	  cp $(srcdir)/$$i $(distdir)/html; \
-	done
-	for i in $(HTML_IMAGES); do \
-	  cp $(srcdir)/$$i $(distdir)/html/images ; \
-	done
diff --git a/aux/broccoli/docs/broccoli-manual.sgml b/aux/broccoli/docs/broccoli-manual.sgml
deleted file mode 100644
index e4c20ff491..0000000000
--- a/aux/broccoli/docs/broccoli-manual.sgml
+++ /dev/null
@@ -1,1822 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook V4.2//EN" [
-<!ENTITY bc "<function>broccoli</function>">
-<!ENTITY bcc "<filename>broccoli-config</filename>">
-<!ENTITY bc-latest-rel "1.5">
-<!ENTITY bc-header SYSTEM "sgml/broccoli.sgml">
-<!ENTITY bp "<function>broping</function>">
-]>
-<book id="index">
-  <title>Broccoli: The Bro Client Communications Library</title>
-  <bookinfo>
-    <mediaobject>
-      <imageobject>
-	<imagedata fileref="images/logo.jpg" format="jpg" align="center">
-      </imageobject>
-      <textobject>
-	<phrase>Broccoli Logo</phrase>
-      </textobject>
-    </mediaobject>
-    <abstract>
-      <para>
-	This is documentation for release <emphasis>&bc-latest-rel;</emphasis>
-	of Broccoli, compatible with Bro IDS releases of <emphasis>1.4</emphasis>
-	or newer. Broccoli is free software under terms of the BSD license as given
-	in the <link linkend="license" endterm="license.title">License</link>
-	section. This documentation is always available on the web for download
-	and online browsing at
-	<ulink url="http://www.icir.org/christian/broccoli">http://www.icir.org/christian/broccoli</ulink>.
-      </para>
-      <para>Feedback, patches and bug reports are all welcome, please
-	<ulink url="http://mailman.icsi.berkeley.edu/mailman/listinfo/bro">join the Bro mailing list</ulink>.
-      </para>
-      <para>
-	Yet Another SRG/ICIR Production &mdash;
-	<ulink url="http://www.cl.cam.ac.uk/Research/SRG">http://www.cl.cam.ac.uk/Research/SRG</ulink> &mdash;
-	<ulink url="http://www.icir.org">http://www.icir.org</ulink>
-      </para>
-    </abstract>
-  </bookinfo>
-
-  <chapter>
-    <title>Introduction</title>
-    <para>
-    Welcome! You're looking at the Broccoli manual. Thanks for reading this.
-    </para>
-    <sect1>
-      <title>What is Broccoli?</title>
-      <para>
-	Broccoli is the <emphasis>BRO</emphasis> <emphasis>C</emphasis>lient
-	<emphasis>CO</emphasis>mmunications <emphasis>LI</emphasis>brary. It allows
-	you to write applications that speak the communication protocol of the
-	<ulink url="http://www.bro-ids.org">Bro intrusion detection system</ulink>.	
-	In this document, we assume that you are familiar with the basic concepts
-	of Bro. If you need a refresher, please have a look at the
-	<ulink url="http://www.icir.org/vern/papers/bro-CN99.html">original paper</ulink>,
-	the <ulink url="http://www.bro-ids.org/Bro-user-manual/index.html">user manual</ulink>,
-	and the material on <ulink url="http://www.bro-ids.org">bro-ids.org</ulink> in general.
-      </para>      
-    </sect1>
-    <sect1>
-      <title>Why do I care?</title>
-      <para>
-        Having a single IDS on your network is good, but things become a lot more interesting
-	when you can communicate information among multiple vantage points in your network.
-	Bro agents can communicate with other Bro agents, sending and receiving events and
-	other state information. In the Bro context this is particularly interesting because
-	it means that you can build sophisticated policy-controlled distributed event
-	management systems.
-      </para>
-      <para>
-	Broccoli enters the picture when it comes to integrating components that are not
-	Bro agents themselves. Broccoli lets you create applications that can speak the Bro
-	communication protocol. You can compose, send, request, and receive events.
-	You can register your own event handlers. You can talk to other Broccoli
-	applications or Bro agents &mdash; Bro agents cannot tell whether they are talking
-	to another Bro or a Broccoli application. Broccoli allows you to integrate applications
-	of your choosing into a distributed policy-controlled event management system.
-	Broccoli is intended
-	to be portable: it should build on Linux, the BSDs, Solaris, and Windows
-	(in the <ulink url="http://www.mingw.org">MinGW</ulink> environment).
-      </para>
-      <para>
-	Unlike other distributed IDSs, Bro does not assume a strict sensor&ndash;manager
-	hierarchy in the information flow. Instead, Bro agents can request delivery of
-	arbitrary <emphasis>events</emphasis>
-	from other instances. When an event is triggered in a Bro agent, it checks
-	whether any connected agents have requested notification of this event,
-	and send a <emphasis>copy</emphasis> of the event, including the <emphasis>event arguments</emphasis>.
-	Recall that in Bro, an event handler is essentially a function defined in
-	the Bro language, and an event materializes through invocation of an event handler.
-	Each remote agent can define its own event handlers.
-      </para>
-      <para>
-        Broccoli applications will typically do one or more of the following:
-      </para>
-      <itemizedlist>	 
-	<listitem>
-	  <para>
-	   <emphasis>Configuration/Management Tasks:</emphasis> the Broccoli application
-	   is used to configure remotely running Bros without the need for a restart.
-	  </para>
-	</listitem>
-	<listitem>
-	  <para>
-	   <emphasis>Interfacing other Systems:</emphasis> the Broccoli application
-	   is used to convert Bro events to other alert/notice formats, for into
-	   syslogd entries.
-	  </para>
-	</listitem>
-	<listitem>
-	  <para>
-	   <emphasis>Host-based Sensor Feeds into Bro:</emphasis> the Broccoli
-	   application reports events based on host-based activity generated in
-	   kernel space or user space applications.
-	  </para>
-	</listitem>
-      </itemizedlist>	 
-    </sect1>
-  </chapter>
-
-  <chapter>
-    <title>Installing Broccoli</title>
-    <para>
-      The installation process will hopefully be painless: Broccoli is installed from source
-      using the usual <command>./configure &lt;options&gt; && make && make install</command>
-      routine after extraction of the tarball. Or if you're on a Linux systems supporting
-      RPMs, we provide those as well.
-    </para>
-    <para>
-      The relevant configuration options to pass to configure are:
-      <itemizedlist>	 
-	<listitem>
-	  <para><command>--prefix=&lt;DIR&gt;</command>: sets the installation root to DIR.
-	  The default is to install below <filename>/usr/local</filename>.</para>
-	</listitem>
-	<listitem>
-	  <para><command>--enable-debug</command>: enables debugging output.
-          Please refer to the <link linkend="broccoli-debugging">Broccoli debugging</link>
-	  section for details on configuring and using debugging output.
-          </para>
-	</listitem>
-	<listitem>
-	  <para><command>--with-configfile=&lt;FILE&gt;</command>: use FILE as location of configuration file.
-	  See the section on <link linkend="config-files">configuration files</link>
-	  below for more on this.
-	  </para>
-	</listitem>
-	<listitem>
-	  <para><command>--with-openssl=&lt;DIR&gt;</command>: use the OpenSSL installation below DIR.</para>
-	</listitem>
-	<listitem>
-	  <para><command>--with-kerberos=&lt;DIR&gt;</command>: use the Kerberos installation below DIR.</para>
-	</listitem>
-      </itemizedlist>
-    </para>
-    <para>
-      After installation, you'll find the library in shared and static versions in <filename>&lt;prefix&gt;/lib</filename>
-      the header file for compilation in <filename>&lt;prefix&gt;/include</filename>, and the
-      manual in HTML below <filename>&lt;prefix&gt;/share/gtk-doc/html/broccoli</filename>.      
-    </para>
-    <para>
-      When installing from source, you can get rid of the installation using <command>make uninstall</command>.
-    </para>
-  </chapter>
-  
-  <chapter>
-    <title>Using Broccoli</title>
-    <para>
-    </para>
-
-    <sect1>
-      <title>Obtaining information about your build using <filename>broccoli-config</filename></title>
-      <para>
-	Similarly to many other software packages, the Broccoli distribution
-	provides a script that you can use to obtain details about your
-	Broccoli setup. The script currently provides the following flags:
-	<itemizedlist>	 
-	  <listitem>
-	    <para><command>--build</command> prints the name of the machine the build was
-		made on, when, and whether debugging support was enabled or not.</para>
-	  </listitem>
-	  <listitem>
-	    <para><command>--prefix</command> prints the directory in the filesystem
-		below which Broccoli was installed.</para>
-	  </listitem>
-	  <listitem>
-	    <para><command>--version</command> prints the version of the distribution
-		you have installed.</para>
-	  </listitem>
-	  <listitem>
-	    <para><command>--libs</command> prints the flags to pass to the
-		linker in order to link in the Broccoli library.</para>
-	  </listitem>
-	  <listitem>
-	    <para><command>--cflags</command> prints the flags to pass to the
-		compiler in order to properly include Broccoli's header file.</para>
-	  </listitem>
-	  <listitem>
-	    <para><command>--config</command> prints the location of the system-wide
-		config file your installation will use.</para>
-	  </listitem>
-	</itemizedlist>	 
-      </para>
-      <para>
-	  The <filename>--cflags</filename> and <filename>--libs</filename> flags
-	  are the suggested way of obtaining the necessary information for integrating
-	  Broccoli into your build environment. It is generally recommended to use
-	  <filename>broccoli-config</filename> for this purpose, rather than, say,
-	  develop new <command>autoconf </command> tests. 
-          If you use the <command>autoconf</command>/<command>automake</command>
-          tools, we recommend something along the following lines for your
-	  <filename>configure</filename> script:
-      </para>      
-      <programlisting>
-<![CDATA[
-dnl ##################################################
-dnl # Check for Broccoli
-dnl ##################################################
-AC_ARG_WITH(broccoli-config,
-    AC_HELP_STRING([--with-broccoli-config=FILE], [Use given broccoli-config]),
-    [ brocfg="$withval" ],
-    [ AC_PATH_GENERIC(broccoli,,
-          brocfg="broccoli-config",
-          AC_MSG_ERROR(Cannot find Broccoli: Is broccoli-config in path? Use more fertilizer?)) ])
-
-broccoli_libs=`$brocfg --libs`
-broccoli_cflags=`$brocfg --cflags`
-AC_SUBST(broccoli_libs)
-AC_SUBST(broccoli_cflags)
-]]>
-      </programlisting>
-      <para>
-      You can then use the compiler/linker flags in your Makefile.in/ams by
-      substituting in the values accordingly, which might look as follows:
-      </para>
-      <programlisting>
-<![CDATA[
-CFLAGS = -W -Wall -g -DFOOBAR @broccoli_cflags@
-LDFLAGS = -L/usr/lib/foobar @broccoli_libs@
-]]>
-      </programlisting>
-    </sect1>
-
-    <sect1>
-      <title>Suggestions for instrumenting applications</title>
-      <para>
-          Often you will want to make existing applications Bro-aware,
-	  that is, <emphasis>instrument</emphasis> them so that they can send and
-	  receive Bro events at appropriate moments in the execution flow.
-	  This will involve modifying an existing code tree, so care needs to
-	  be taken to avoid unwanted side effects. By protecting the instrumented
-	  code with
-	  <function>#ifdef</function>/<function>#endif</function>
-	  statements you can still build the original application, using the
-	  instrumented source tree. The &bcc; script helps you in doing so because
-	  it already adds <function>-DBROCCOLI</function> to the compiler flags
-	  reported when run with the <filename>--cflags</filename> option:
-      </para>
-      <programlisting>
-<![CDATA[
-cpk25@localhost:/home/cpk25 > broccoli-config --cflags
--I/usr/local/include -I/usr/local/include -DBROCCOLI
-]]>
-      </programlisting>
-      <para>
-	  So simply surround all inserted code with a preprocessor check
-	  for <function>BROCCOLI</function> and you will be able to
-	  build the original application as soon as <function>BROCCOLI</function>
-	  is not defined.
-      </para>
-    </sect1>
-    <sect1>
-      <title>The Broccoli API</title>
-      <para>
-          Time for some code. In the code snippets below we will introduce variables
-	  whenever context requires them and not necessarily when C requires them.
-	  The library does not require calling a global initialization function.
-	  In order to make the API known, include <filename>broccoli.h</filename>:
-      </para>
-      <programlisting>
-<![CDATA[
-#ifdef BROCCOLI
-#include <broccoli.h>
-#endif
-]]>
-      </programlisting>
-      <note>
-        <para><emphasis>A note on Broccoli's memory management philosophy:</emphasis></para>
-	  <para>Broccoli generally does not release objects you allocate.
-	    The approach taken is "you clean up what you allocate."
-	</para>
-      </note>
-
-      <sect2>
-	<title>Initialization</title>
-        <para>
-	  Broccoli requires global initialization before most of its
-	  other other functions can be used. Generally, the way to
-	  initialize Broccoli is as follows:
-        </para>
-        <programlisting>
-<![CDATA[
-bro_init(NULL);
-]]>
-        </programlisting>
-        <para>
-          The argument to
-          <link linkend="bro-init"><function>bro_init()</function></link>
-          provides optional initialization context, and may be kept
-          <constant>NULL</constant> for normal use. If required, you may
-          allocate a <filename>BroCtx</filename> structure locally,
-          initialize it using
-          <link linkend="bro-ctx-init"><function>bro_ctx_init()</function></link>,
-          fill in additional values as required and and subsequently pass it to
-          <link linkend="bro-init"><function>bro_init()</function></link>:
-        </para>
-        <programlisting>
-<![CDATA[
-BroCtx ctx;
-bro_ctx_init(&ctx);
-/* Make adjustments to the context structure as required... */
-bro_init(&ctx);
-]]>
-        </programlisting>
-	<caution>
-          <para>
-          The <filename>BroCtx</filename> structure currently contains
-          a set of five different callback function pointers.  These
-          are <emphasis>required</emphasis> for thread-safe operation
-          of OpenSSL (Broccoli itself is thread-safe).  If you intend
-          to use Broccoli in a multithreaded environment, you need to
-          implement functions and register them via the
-          <filename>BroCtx</filename> structure.  The O'Reilly book
-          "Network Security with OpenSSL" by Viega et al. shows how to
-          implement these callbacks.
-          </para>
-	</caution>
-	<caution>
-	  <para>You <emphasis>must</emphasis> call
-          <link linkend="bro-init"><function>bro_init()</function></link>
-	  at the start of your application. Undefined behavior may result
-          if you don't.
-          </para>
-	</caution>
-      </sect2>
-
-      <sect2>
-	<title>Data types in Broccoli</title>
-        <para>
-	  Broccoli declares a number of data types in <filename>broccoli.h</filename> that
-	  you should know about. The more complex ones are kept opaque, while you do get
-	  access to the fields in the simpler ones. The full list is as follows:
-
-	  <itemizedlist>	 
-	    <listitem>
-	      <para>Simple signed and unsigned types: <type>int</type>, <type>uint</type>,
-	        <type>uint32</type>, <type>uint16</type> and <type>uchar</type>.</para>
-	    </listitem>
-	    <listitem>
-	      <para>Connection handles: <type>BroConn</type>, kept opaque.</para>
-	    </listitem>
-	    <listitem>
-	      <para>Bro events: <type>BroEvent</type>, kept opaque.</para>
-	    </listitem>
-	    <listitem>
-	      <para>Buffer objects: <type>BroBuf</type>, kept opaque. See the separate
-	      <link linkend="buffers">section on buffer management</link> for details.</para>
-	    </listitem>
-	    <listitem>
-	      <para>Ports: <type>BroPort</type> for network ports, defined as follows:
-	      </para>
-	      <programlisting>
-<![CDATA[
-typedef struct bro_port {
-  uint16       port_num;   /* port number in host byte order */
-  int          port_proto; /* IPPROTO_xxx */
-} BroPort;
-]]>
-              </programlisting>
-	    </listitem>
-	    <listitem>
-	      <para>Records: <type>BroRecord</type>, kept opaque. See the separate
-	      <link linkend="records">section on record handling</link> for details.</para>
-	    </listitem>
-	    <listitem>
-	      <para>Strings (character and binary): <type>BroString</type>, defined as follows:
-	      </para>
-	      <programlisting>
-<![CDATA[
-typedef struct bro_string {
-  int          str_len;
-  char        *str_val;
-} BroString;
-]]>
-              </programlisting>
-	      <para>
-	      BroStrings are mostly kept transparent for convenience; please have a look at the
-	      string API:
-<link linkend="bro-string-init"><function>bro_string_init()</function></link>,
-<link linkend="bro-string-set"><function>bro_string_set()</function></link>,
-<link linkend="bro-string-set-data"><function>bro_string_set_data()</function></link>,
-<link linkend="bro-string-copy"><function>bro_string_copy()</function></link>,
-<link linkend="bro-string-cleanup"><function>bro_string_cleanup()</function></link>, and
-<link linkend="bro-string-free"><function>bro_string_free()</function></link>.
-	      </para>
-	    </listitem>
-	    <listitem>
-	      <para>Tables: <type>BroTable</type>, kept opaque. See the separate
-	      <link linkend="tables">section on table handling</link> for details.</para>
-	    </listitem>
-	    <listitem>
-	      <para>Sets: <type>BroSet</type>, kept opaque. See the separate
-	      <link linkend="sets">section on table handling</link> for details.</para>
-	    </listitem>
-	    <listitem>
-	      <para>Subnets: <type>BroSubnet</type>, defined as follows:
-	      </para>
-	      <programlisting>
-<![CDATA[
-typedef struct bro_subnet
-{
-  uint32       sn_net;     /* IP address in network byte order */
-  uint32       sn_width;   /* Length of prefix to consider. */
-} BroSubnet;
-]]>
-              </programlisting>
-	    </listitem>
-	  </itemizedlist>
-	</para>
-      </sect2>
-
-      <sect2>
-	<title>Managing connections</title>
-        <para>
-	    You can use Broccoli to establish a connection to a remote Bro, or to create a
-	    Broccoli-enabled server application that other Bros will connect to. (This
-	    means that in principle, you can also use Broccoli purely as middleware and
-	    have multiple Broccoli applications communicate directly.)
-        </para>
-        <para>	    
-	    In order to establish a connection to a remote Bro, you first obtain a connection
-	    handle. You then use this connection handle to request events, connect to the
-	    remote Bro, send events, etc. Connection handles are pointers to <function>BroConn</function>
-	    structures, which are kept opaque. Use
-	    <link linkend="bro-conn-new"><function>bro_conn_new()</function></link> or
-	    <link linkend="bro-conn-new-str"><function>bro_conn_new_str()</function></link>
-	    to obtain a handle, depending on what parameters are more convenient for
-	    you: the former accepts the IP address and port number as separate numerical
-	    arguments, the latter uses a single string to encode both, in "hostname:port"
-	    format.
-        </para>
-        <para>
-	    To write a Broccoli-enabled server, you first need to implement the usual
-	    <function>socket()</function> / <function>bind()</function> /
-	    <function>listen()</function> / <function>accept()</function> routine.
-	    Once you have obtained a file descriptor for the new connection from <function>accept()</function>,
-	    you pass it to the third function that returns a <function>BroConn</function>
-	    handle, 
-	    <link linkend="bro-conn-new-socket"><function>bro_conn_new_socket()</function></link>.
-	    The rest of the connection handling then proceeds as in the client scenario.
-        </para>
-        <para>	    
-	    All three calls accept additional flags for fine-tuning connection behaviour.
-	    These flags are:
-	    <itemizedlist>	    
-              <listitem>
-                <para><constant>BRO_CFLAG_NONE</constant>: no functionality. Use when
-		  no flags are desired.
-		</para>
-              </listitem>
-              <listitem>
-                <para><constant>BRO_CFLAG_RECONNECT</constant>:
-		  When using this option, Broccoli will attempt to reconnect to the peer
-		  after lost connectivity transparently. Essentially whenever you try to
-		  read from or write to the peer and its connection broke down, a
-		  full reconnect including complete handshaking is attempted. You can check
-		  whether the connection to a peer is alive at any time using
-	    	  <link linkend="bro-conn-alive"><function>bro_conn_alive()</function></link>.
-		</para>
-	      </listitem> 
-              <listitem>
-                <para><constant>BRO_CFLAG_ALWAYS_QUEUE</constant>:
-		  When using this option, Broccoli will queue any events you send for
-		  later transmission when a connection is currently down. Without using this
-		  flag, any events you attempt to send while a connection is down get dropped
-		  on the floor. Note that Broccoli maintains a maximum queue size per connection
-		  so if you attempt to send lots of events while the connection is down, the
-		  oldest events may start to get dropped nonetheless. Again, you can check
-		  whether the connection is currently okay by using
-	    	  <link linkend="bro-conn-alive"><function>bro_conn_alive()</function></link>.
-		</para>
-	      </listitem> 		  
-              <listitem>
-                <para><constant>BRO_CFLAG_DONTCACHE</constant>:
-		  When using this option, Broccoli will ask the peer not to use caching on
-		  the objects it sends to us. This is the default, and the flag need not
-		  normally be used. It is kept to maintain backward compatibility.
-		</para>
-	      </listitem> 		  
-              <listitem>
-                <para><constant>BRO_CFLAG_CACHE</constant>:
-		  When using this option, Broccoli will ask the peer to use caching on
-		  the objects it sends to us. Caching is normally disabled.
-		</para>
-	      </listitem> 		  
-              <listitem>
-                <para><constant>BRO_CFLAG_YIELD</constant>: When
-                using this option,
-                <function>bro_conn_process_input()</function>
-                processes at most one event at a time and then
-                returns. 
-		</para>
-              </listitem>
-	    </itemizedlist>
-                
-        </para>
-	<para>
-	    By obtaining a connection handle, you do not also establish a connection right
-	    away. This is done using 
-	    <link linkend="bro-conn-connect"><function>bro_conn_connect()</function></link>.
-	    The main reason for this is to allow you to subscribe to events
-	    (using
-	    <link linkend="bro-event-registry-add"><function>bro_event_registry_add()</function></link>,
-	    see <link linkend="receiving-events">below</link>)
-	    before establishing the connection. Upon returning from 
-	    <link linkend="bro-conn-connect"><function>bro_conn_connect()</function></link>
-	    you are guaranteed to receive all instances of the event types you have
-	    requested, while later on during the connection some time may elapse between
-	    the issuing of a request for events and the processing of that request at the
-	    remote end.
-	    Connections are established via TCP, optionally using SSL encryption. See
-	    <link linkend="encryption">"Configuring encrypted communication"</link> below for more
-	    information on setting up enncryption.
-	    The port numbers Bro agents and Broccoli applications listen on can vary from peer
-	    to peer. 
-	</para>
-	<para>
-	    Finally, <link linkend="bro-conn-delete"><function>bro_conn_delete()</function></link>
-	    terminates a connection and releases all resources associated with it.
-	    You can create as many connections as you like, to one or more peers.
-	    You can obtain the file descriptor of a connection using
-	    <link linkend="bro-conn-get-fd"><function>bro_conn_get_fd()</function></link>.
-        </para>
-        <programlisting>
-<![CDATA[
-char host_str = "bro.yourorganization.com";
-int port      = 1234;
-struct hostent *host;
-BroConn *bc;
-
-if (! (host = gethostbyname(host_str)) ||
-    ! (host->h_addr_list[0])) {
-	/* Error handling -- could not resolve host */
-}
-
-/* In this example, we obtain a connection handle, then register event handlers,
- * and finally connect to the remote Bro.
- *
- * First obtain a connection handle:
- */
-if (! (bc = bro_conn_new((struct in_addr*) host->h_addr_list[0], htons(port), BRO_CFLAG_NONE))) {
-	/* Error handling  - could not get connection handle */
-}
-
-/* Register event handlers:
- */
-bro_event_registry_add(bc, "foo", bro_foo_handler, NULL);
-/* ... */
-
-/* Now connect to the peer:
- */
-if (! bro_conn_connect(bc)) {
-	/* Error handling - could not connect to remote Bro. */
-}
-
-/* Send and receive events ... */
-
-/* Disconnect from Bro and clean up connection */
-bro_conn_delete(bc);
-]]>
-        </programlisting>
-        <para>
-	    Or simply use the string-based version:
-	</para>
-        <programlisting>
-<![CDATA[
-char host_str = "bro.yourcompany.com:1234";
-BroConn *bc;
-
-/* In this example we don't request any events from the peer, but
- * we ask it not to use the serialization cache.
- *
- * Again, first obtain a connection handle:
- */
-if (! (bc = bro_conn_new_str(host_str, BRO_CFLAG_DONTCACHE))) {
-	/* Error handling  - could not get connection handle */
-}
-
-/* Now connect to the peer:
- */
-if (! bro_conn_connect(bc)) {
-	/* Error handling - could not connect to remote Bro. */
-}
-
-/* ... */
-]]>
-        </programlisting>
-      </sect2>
-
-      <sect2>
-	<title>Connection classes</title>
-        <para>
-	    When you want to establish connections from multiple Broccoli applications
-	    with different purposes, the peer needs a means to understand what kind of
-	    application each connection belongs to. The real meaning of "kind of application"
-	    here is "sets of event types to request", because depending on the class of
-	    an application, the peer will likey want to receive different types of events.
-	</para>
-	<para>
-	    Broccoli lets you set the class of a connection using
-	    <link linkend="bro-conn-set-class"><function>bro_conn_set_class()</function></link>.
-	    When using this feature, you need to call that function before issuing a
-	    <link linkend="bro-conn-connect"><function>bro_conn_connect()</function></link>,
-	    since the class of a connection is determined at connection startup.
-	</para>
-        <programlisting>
-<![CDATA[
-if (! (bc = bro_conn_new_str(host_str, BRO_CFLAG_DONTCACHE))) {
-	/* Error handling  - could not get connection handle */
-}
-
-/* Set class of this connection: */
-bro_conn_set_class(bc, "syslog");
-
-if (! bro_conn_connect(bc)) {
-	/* Error handling - could not connect to remote Bro. */
-}
-]]>
-        </programlisting>
-	<para>
-	    If your peer is a Bro node, you need to match the chosen connection class in
-	    the remote Bro's <function>Remote::destinations</function> configuration.
-	    See <link linkend="bro-event-config">below</link> for how to do this.
-	    Finally, in order to obtain the class of a connection as indicated by the remote side, use
-	    <link linkend="bro-conn-get-peer-class"><function>bro_conn_get_peer_class()</function></link>.
-	</para>
-      </sect2> 
-
-      <sect2>
-	<title>Composing and sending events</title>
-        <para>
-	    In order to send an event to the remote Bro agent, you first create
-	    an empty event structure with the name of the event, then add parameters
-	    to pass to the event handler at the remote agent, and then send off the
-	    event.
-        </para>
-	<note>
-	  <para>
-            <emphasis>Bro peers ignore unrequested events.</emphasis>
-          </para>
-          <para>
-	    You need to make sure that the remote Bro agent is interested in receiving
-	    the events you send. This interest is expressed in policy configuration.
-	    We'll explain this in more detail <link linkend="bro-event-config">below</link>
-	    and for now assume that our remote peer is configured to receive the
-	    events we send.
-          </para>
-	</note>
-        <para>
-	    Let's assume we want to request a report of all connections a remote
-	    Bro currently keeps state for that match a given destination port and
-	    host name and that have amassed more than a certain number of bytes.
-	    The idea is to send an event to the remote Bro that contains the
-	    query, identifiable through a request ID, and have the remote Bro
-	    answer us with <function>remote_conn</function> events
-	    containing the information we asked for. The definition of our
-	    requesting event could look as follows in the Bro policy:
-        </para>
-        <programlisting>
-<![CDATA[
-event report_conns(req_id: int, dest_host: string, dest_port: port, min_size: count);
-]]>
-        </programlisting>
-        <para>
-            First, create a new event:
-        </para>
-        <programlisting>
-<![CDATA[
-BroEvent *ev;
-
-if (! (ev = bro_event_new("report_conns"))) {
-	/* Error handling - could not allocate new event. */
-}
-]]>
-        </programlisting>
-	<para>
-	    Now we need to add parameters to the event. The sequence and types must
-	    match the event handler declaration &mdash; check the Bro policy to make
-	    sure they match. The function to use for adding parameter values is
-	    <link linkend="bro-event-add-val"><function>bro_event_add_val()</function></link>
-	    All values are passed as <emphasis>pointer arguments</emphasis> and are copied internally,
-	    so the object you're pointing to stays unmodified at all times. You clean
-	    up what you allocate. In order to indicate the type of the value passed into the
-	    function, you need to pass a numerical type identifier along as well.
-            <link linkend="table-1">Table 1</link> lists the value types that Broccoli supports along with
-	    the type identifier and data structures to point to.
-	</para>
-<table frame="sides" id="table-1">
-<title>Types, type tags, and data structures for event parameters in Broccoli</title>
-<tgroup cols="3" align="left" colsep="1" rowsep="1">
-<thead>
-<row>
-  <entry align="center">Type</entry>
-  <entry align="center">Type tag</entry>
-  <entry align="center">Data type pointed to</entry>
-</row>
-</thead>
-<tbody>
-<row>
-  <entry>Boolean</entry>
-  <entry><constant>BRO_TYPE_BOOL</constant></entry>
-  <entry><function>int</function></entry>
-</row><row>
-  <entry>Integer value</entry>
-  <entry><constant>BRO_TYPE_INT</constant></entry>
-  <entry><function>int</function></entry>
-</row><row>
-  <entry>Counter (nonnegative integers)</entry>
-  <entry><constant>BRO_TYPE_COUNT</constant></entry>
-  <entry><function>uint32</function></entry>
-</row><row>
-  <entry>Enums (enumerated values)</entry>
-  <entry><constant>BRO_TYPE_ENUM</constant></entry>
-  <entry><function>int</function> (see also the description of
-         <link linkend="bro-event-add-val"><function>bro_event_add_val()</function></link>'s
-	 <function>type_name</function> argument below)</entry>
-</row><row>
-  <entry>Floating-point number</entry>
-  <entry><constant>BRO_TYPE_DOUBLE</constant></entry>
-  <entry><function>double</function></entry>
-</row><row>
-  <entry>Timestamp</entry>
-  <entry><constant>BRO_TYPE_TIME</constant></entry>
-  <entry><function>double</function> (see also
-         <link linkend="bro-util-timeval-to-double"><function>bro_util_timeval_to_double()</function></link> and
-	 <link linkend="bro-util-current-time"><function>bro_util_current_time()</function></link>)</entry>
-</row><row>
-  <entry>Time interval</entry>
-  <entry><constant>BRO_TYPE_INTERVAL</constant></entry>
-  <entry><function>double</function></entry>
-</row><row>
-  <entry>Strings (text and binary)</entry>
-  <entry><constant>BRO_TYPE_STRING</constant></entry>
-  <entry><function>BroString</function> (see also the family of <function>bro_string_xxx()</function> functions)</entry>
-</row><row>
-  <entry>Network ports</entry>
-  <entry><constant>BRO_TYPE_PORT</constant></entry>
-  <entry><function>BroPort</function>, with the port number in host byte order</entry>
-</row><row>
-  <entry>IPv4 address</entry>
-  <entry><constant>BRO_TYPE_IPADDR</constant></entry>
-  <entry><function>uint32</function>, in network byte order</entry>
-</row><row>
-  <entry>IPv4 network</entry>
-  <entry><constant>BRO_TYPE_NET</constant></entry>
-  <entry><function>uint32</function>, in network byte order</entry>
-</row><row>
-  <entry>IPv4 subnet</entry>
-  <entry><constant>BRO_TYPE_SUBNET</constant></entry>
-  <entry><function>BroSubnet</function>, with the sn_net member in network byte order</entry>
-</row><row>
-  <entry>Record</entry>
-  <entry><constant>BRO_TYPE_RECORD</constant></entry>
-  <entry><function>BroRecord</function> (see also the family of
-	 <function>bro_record_xxx()</function> functions and their
-	  explanation below)</entry>
-</row>
-<row>
-  <entry>Table</entry>
-  <entry><constant>BRO_TYPE_TABLE</constant></entry>
-  <entry><function>BroTable</function> (see also the family of
-	 <function>bro_table_xxx()</function> functions and their
-	  explanation below)</entry>
-</row>
-<row>
-  <entry>Record</entry>
-  <entry><constant>BRO_TYPE_SET</constant></entry>
-  <entry><function>BroSet</function> (see also the family of
-	 <function>bro_set_xxx()</function> functions and their
-	  explanation below)</entry>
-</row>
-</tbody>
-</tgroup>
-</table>
-	<para>
-	    Knowing these, we can now compose a 
-	   <function>request_connections</function> event:
-        </para>
-        <programlisting>
-<![CDATA[
-BroString dest_host;
-BroPort dest_port;
-uint32 min_size;
-int req_id = 0;
-
-bro_event_add_val(ev, BRO_TYPE_INT, NULL, &req_id);
-req_id++;
-
-bro_string_set(&dest_host, "desthost.destdomain.com");
-bro_event_add_val(ev, BRO_TYPE_STRING, NULL, &dest_host);
-bro_string_cleanup(&dest_host);
-
-dest_port.dst_port = 80;
-dest_port.dst_proto = IPPROTO_TCP;
-bro_event_add_val(ev, BRO_TYPE_PORT, NULL, &dest_port);
-
-min_size = 1000;
-bro_event_add_val(ev, BRO_TYPE_COUNT, NULL, &min_size);
-]]>
-        </programlisting>
-	<para>
-	    The third argument to
-	    <link linkend="bro-event-add-val"><function>bro_event_add_val()</function></link>
-	    lets you specify a specialization of the types listed in
-	    <link linkend="table-1">Table 1</link>. This is generally not necessary
-	    except for one situationn: When using <constant>BRO_TYPE_ENUM</constant>. You currently
-	    cannot define
-	    a Bro-level enum type in Broccoli, and thus when sending an enum value, you
-	    have to specify the type of the enum along with the value. For example, in order
-	    to add an instance of enum <function>transport_type</function> defined in
-	    Bro's <filename>bro.init</filename>, you would use
-	    <programlisting>
-<![CDATA[
-int transport_proto = 2;
-/* ... */
-bro_event_add_val(ev, BRO_TYPE_ENUM, "transport_proto", &transport_proto);
-]]>
-	    </programlisting>
-	    to get the equivalent of "udp" on the remote side. The same system is used
-	    to point out type names when calling
-	    <link linkend="bro-event-set-val"><function>bro_event_set_val()</function></link>,
-	    <link linkend="bro-record-add-val"><function>bro_record_add_val()</function></link>,
-	    <link linkend="bro-record-set-nth-val"><function>bro_record_set_nth_val()</function></link>, and
-	    <link linkend="bro-record-set-named-val"><function>bro_record_set_named_val()</function></link>.
-	</para>
-	<para>
-	    All that's left to do now is to send off the event. For this, use
-	    <link linkend="bro-event-send"><function>bro_event_send()</function></link>
-	    and pass it the connection handle and the event. The function returns
-	    <constant>TRUE</constant> when the event could be sent right away or if
-	    it was queued for later delivery. <constant>FALSE</constant> is returned
-	    on error. If the event get queued, this does not indicate an error &mdash;
-	    likely the connection was just not
-	    ready to send the event at this point. Whenever you call
-	    <link linkend="bro-event-send"><function>bro_event_send()</function></link>,
-            Broccoli attempts to send as much of an existing event queue as possible.
-	    Again, the event is copied internally to make it easier for you to
-	    send the same event repeatedly. You clean up what you allocate.
-	</para>
-        <programlisting>
-<![CDATA[
-bro_event_send(bc, ev);
-bro_event_free(ev);
-]]>
-        </programlisting>
-        <para>
-	    Two other functions may be useful to you:
-	    <link linkend="bro-event-queue-length"><function>bro_event_queue_length()</function></link>
-            tells you how many events are currently queued, and 
-	    <link linkend="bro-event-queue-flush"><function>bro_event_queue_flush()</function></link>
-	    attempts to flush the current event queue and returns the number of events that do remain
-	    in the queue after the flush. <emphasis>Note:</emphasis> you do not normally need
-	    to call this function, queue flushing is attempted every time you send an event.
-        </para>
-      </sect2>
-
-      <sect2>
-	<title id="receiving-events">Receiving events</title>
-        <para>
-	  Receiving events is a little more work because you need to
-        </para>
-        <orderedlist>	 
-	  <listitem>
-	    <para>tell Broccoli what to do when requested events arrive,</para>
-	  </listitem>
-	  <listitem>
-	    <para>let the remote Bro agent know that you would like to receive those events,</para>
-	  </listitem>
-	  <listitem>
-	    <para>find a spot in the code path suitable for extracting and processing arriving events.</para>
-	  </listitem>	 
-        </orderedlist>
-	<para>
-	  Each of these steps is explained in the following sections.
-	</para>
-
-	<sect3>
-	  <title>Implementing event callbacks</title>
-	  <para>
-            When Broccoli receives an event, it tries to dispatch the event to callbacks
-	    registered for that event type. The place where callbacks get registered is
-	    called the callback registry. Any callbacks registered for the arriving
-	    event's name are invoked with the parameters shipped with the event. There
-	    are two styles of argument passing to the event callbacks.
-	    Which one is better suited depends on your application.
-	    <itemizedlist>
-              <listitem>
-		<para><emphasis>Expanded argument passing.</emphasis> Each event argument
-		  is passed via a pointer to the callback. This makes best sense when you
-		  know the type of the event and of its arguments, because it provides you
-		  immediate access to arguments as when using a normal C function.
-		</para>
-		<para>
-	    	  In order to register a callback with expanded argument passing, use
-	  	  <link linkend="bro-event-registry-add"><function>bro_event_registry_add()</function></link>
-		  and pass it the connection handle, the name of the event for which you
-	          register the callback, the callback itself that matches the signature
-	          of the <filename>BroEventFunc</filename> type, and any user data (or
-	          <constant>NULL</constant>) you want to see passed to the callback on
-	          each invocation. The callback's type is defined rather generically as follows:
-	        </para>
-                <programlisting>
-<![CDATA[
-typedef void (*BroEventFunc) (BroConn *bc, void *user_data, ...);
-]]>
-                </programlisting>
-                <para>
-                  It requires a connection handle as its first argument
-	          and a pointer to user-provided callback data as the second argument.
-                  Broccoli will pass the connection handle of the connection on which the event
-                  arrived through to the callback. <function>BroEventFunc</function>s
-	          are variadic, because each callback you provide is directly invoked with
-	          pointers to the parameters of the event, in a format directly usable in C.
-	          All you need to know is what type to point to in order to receive the
-	          parameters in the right layout. Refer to <link linkend="table-1">Table 1</link>
-	          again for a summary of those types. Record types are more involved and are
-	          addressed in more detail <link linkend="records">below</link>.
-                </para>
-	        <note>
-	          <para>Note that <emphasis>all</emphasis> parameters are passed to the
-	            callback as pointers, even elementary types such as <constant>int</constant>s
-	            that would normally be passed directly.
-		    Also note that Broccoli manages the lifecycle of event parameters
-	            and therefore you do <emphasis>not</emphasis> have to clean them up inside
-	            the event handler. 
-                  </para>
-                </note>
-                <para>
-	          Continuing our example, we will want to process the connection reports
-	          that contain the responses to our <function>report_conns</function>
-	          event. Let's assume those look as follows:
-	        </para>
-                <programlisting>
-<![CDATA[
-event remote_conn(req_id: int, conn: connection);
-]]>
-                </programlisting>
-	        <para>
-                  The reply events contain the request ID so we can associate requests
-	          with replies, and a connection record (defined in <filename>bro.init</filename>
-	          in Bro. (It'd be nicer to report all replies in a single event but we'll
-	          ignore that for now.) For this event, our callback would look like this:
-	        </para>
-                <programlisting>
-<![CDATA[
-void remote_conn_cb(BroConn *bc, void *user_data, int *req_id, BroRecord *conn);
-]]>
-                </programlisting>
-	        <para>
-	          Once more, you clean up what you allocate, and since you never allocated the
-	      	  space these arguments point to, you also don't clean them up. Finally, we register
-	      	  the callback using
-	      	  <link linkend="bro-event-registry-add"><function>bro_event_registry_add()</function></link>:	    
-		</para>
-	        <programlisting>
-<![CDATA[
-bro_event_registry_add(bc, "remote_conn", remote_conn_cb, NULL);
-]]>
-	        </programlisting>
-		<para>
-		  In this case we have no additional data to be passed into the
-		  callback, so we use <constant>NULL</constant> for the last argument.
-		  If you have multiple events you are interested in, register
-		  each one in this fashion.
-		</para>
-	      </listitem>
-	      <listitem>
-		<para><emphasis>Compact argument passing.</emphasis> This is designed for
-		  situations when you have to determine how to handle different types of
-		  events at runtime, for example when writing language bindings or when
-		  implementing generic event handlers for multiple event types.
-		  The callback is passed a connection handle and the
-		  user data as above but is only passed one additional pointer, to a
-		  <type>BroEvMeta</type> structure. This structure contains all metadata
-		  about the event, including its name, timestamp (in UTC) of creation,
-		  number of arguments, the arguments'
-		  types (via type tags as listed in <link linkend="table-1">Table 1</link>),
-		  and the arguments themselves.
-		</para>
-		<para>
-	    	  In order to register a callback with compact argument passing, use
-	  	  <link linkend="bro-event-registry-add-compact"><function>bro_event_registry_add_compact()</function></link>
-		  and pass it similar arguments as you'd use with
-	  	  <link linkend="bro-event-registry-add"><function>bro_event_registry_add()</function></link>.
-		  The callback's type is defined as follows:
-	        </para>
-                <programlisting>
-<![CDATA[
-typedef void (*BroCompactEventFunc) (BroConn *bc, void *user_data, BroEvMeta *meta);
-]]>
-                </programlisting>
-	        <note>
-	          <para>As before, Broccoli manages the lifecycle of event parameters.
-	            You do not  have to clean up the <type>BroEvMeta</type>
-		    structure or any of its contents.
-                  </para>
-                </note>
-                <para>
-		  Below is sample code for extracting the arguments form the <type>BroEvMeta</type>
-		  structure, using our running example. This is still written with the assumption
-		  that we know the types of the arguments, but note that this is not a requirement
-		  for this style of callback.
-	        </para>
-                <programlisting>
-<![CDATA[
-void remote_conn_cb(BroConn *bc, void *user_data, BroEvMeta *meta)
-{
-	int *req_id;
-	BroRecord *rec;
-
-	/* For demonstration, print out the event's name: */
-
-	printf("Handling a %s event.\n", meta->ev_name);
-
-	/* Sanity-check the number of arguments: */
-
-	if (meta->ev_numargs != 2)
-		{ /* error */ }
-
-	/* Sanity-check the argument types: */
-
-	if (meta->ev_args[0].arg_type != BRO_TYPE_INT)
-		{ /* error */ }
-
-	if (meta->ev_args[1].arg_type != BRO_TYPE_RECORD)
-		{ /* error */ }
-
-	req_id = (int *) meta->ev_args[0].arg_data;
-	rec = (BroRecord *) meta->ev_args[1].arg_data;
-
-	/* ... */
-}
-]]>
-                </programlisting>
-	        <para>
-		  Finally, register the callback using
-	      	  <link linkend="bro-event-registry-add-compact"><function>bro_event_registry_add_compact()</function></link>:	    
-		</para>
-	        <programlisting>
-<![CDATA[
-bro_event_registry_add_compact(bc, "remote_conn", remote_conn_cb, NULL);
-]]>
-	        </programlisting>
-	      </listitem>
-	    </itemizedlist>
-	  </para>
-	</sect3>
-
-	<sect3>
-	  <title id="event-request">Requesting event delivery</title>
-          <para>
-	    At this point, Broccoli knows what to do with the requested events upon
-	    arrival.  What's left to do is to let the remote Bro know that you
-	    would like to receive the events for which you registered. If you haven't
-	    yet called <link linkend="bro-conn-connect"><function>bro_conn_connect()</function></link>,
-	    then there is nothing to do, since that function will request the registered
-	    events anyway. Once connected, you can still request events. To do so, call
-	    <link linkend="bro-event-registry-request"><function>bro_event_registry_request()</function></link>:
-	  </para>
-          <programlisting>
-<![CDATA[
-bro_event_registry_request(bc);
-]]>
-          </programlisting>
-          <para>
-	    This mechanism also implies that no unrequested events will be delivered
-	    to us (and if that happened for whatever reason, the event would simply
-	    be dropped on the floor).
-	  </para>
-	  <note>
-	    <para><emphasis>Note that at the moment you cannot unrequest events, nor
-		can you request events based on predicates on the values of the
-		events' arguments.</emphasis></para>
-          </note>
-	</sect3>
-
-	<sect3>
-	  <title>Reading events from the connection handle</title>
-	  <para>
-	    At this point the remote Bro will start sending you the requested events
-	    once they are triggered. What is left to do is to read the arriving events
-	    from the connection and trigger dispatching them to the registered callbacks.
-	  </para>
-	  <para>
-	    If you are writing a new Bro-enabled application, this is easy, and you can
-	    choose among two approaches: polling explicitly via Broccoli's API, or using
-	    <function>select()</function> on the file handle associated with a <type>BroConn</type>.
-	    The former case is particularly straightforward; all you need to do is
-	    call 
-	    <link linkend="bro-conn-process-input"><function>bro_conn_process_input()</function></link>,
-	    which will go off and check if any events have arrived and if so, dispatch
-	    them accordingly. This function does not block &mdash; if no events have
-	    arrived, then the call will return immediately. For more fine-grained control
-	    over your I/O handling, you will probably want to use
-	    <link linkend="bro-conn-get-fd"><function>bro_conn_get_fd()</function></link>
-	    to obtain the file descriptor of your connection and then incorporate that
-	    in your standard <function>FD_SET</function>/<function>select()</function>
-	    code. Once you have determined that data in fact are ready to be read from
-	    the obtained file descriptor, you can then try another
-	    <link linkend="bro-conn-process-input"><function>bro_conn_process_input()</function></link>,
-	    this time knowing that it'll find something to dispatch.
-	  </para>
-	  <para>
-	    As a side note, if you don't process arriving events frequently enough,
-	    then TCP's flow control will start to slow down the sender until eventually
-	    events will queue up and be dropped at the sending end.
-	  </para>
-	</sect3>
-      </sect2>
-
-      <sect2>
-	<title id="records">Handling records</title>
-        <para>
-	  Broccoli supports record structures, i.e., types that pack a set of values
-	  together, placing each value into its own field. In Broccoli, the way you handle
-	  records is somewhat similar to events:
-	  after creating an empty record (of opaque type <type>BroRecord</type>, you can
-	  iteratively add fields and values to it. The main difference is that you must specify a
-	  field name with the value; each value in a record can be identified both by position
-	  (a numerical index starting from zero), and by field name. You can retrieve vals
-	  in a record by field index or field name. You can also reassign values.
-	  There is no explicit, IDL-style definition of record types. You define the type of
-	  a record implicitly by the sequence of field names and the sequence of the types
-	  of the values you put into the record.
-	</para>
-	<para>
-	  Note that all fields in a record must be assigned before it can be shipped.
-	</para>
-	<para>
-	  The API for record composition consists of
-	  <link linkend="bro-record-new"><function>bro_record_new()</function></link>,
-	  <link linkend="bro-record-free"><function>bro_record_free()</function></link>,
-	  <link linkend="bro-record-add-val"><function>bro_record_add_val()</function></link>,
-	  <link linkend="bro-record-set-nth-val"><function>bro_record_set_nth_val()</function></link>, and
-	  <link linkend="bro-record-set-named-val"><function>bro_record_set_named_val()</function></link>.
-	</para>
-	<para>
-	  On records that use field names, the names of individual fields can be extracted using
-	  <link linkend="bro-record-get-nth-name"><function>bro_record_get_nth_name()</function></link>.
-	  Extracting values from a record is done using
-	  <link linkend="bro-record-get-nth-val"><function>bro_record_get_nth_val()</function></link> and
-	  <link linkend="bro-record-get-named-val"><function>bro_record_get_named_val()</function></link>.
-	  The former allows numerical indexing of the fields in the record, the latter provides
-	  name-based lookups. Both need to be passed the record you want to extract a value from,
-	  the index or name of the field, and either a pointer to an <type>int</type> holding a
-	  <type>BRO_TYPE_xxx</type> value (see again <link linkend="table-1">Table 1</link> for a
-	  summary of those types) or <constant>NULL</constant>. The pointer, if not
-	  <constant>NULL</constant>, serves two purposes: type checking and type retrieval.
-	  Type checking is performed if the value of the <type>int</type> upon calling the
-	  functions is not <type>BRO_TYPE_UNKNOWN</type>. The type tag of the requested record
-	  field then has to match the type tag stored in the <type>int</type>, otherwise
-          <constant>NULL</constant> is returned. If the <type>int</type> stores <type>BRO_TYPE_UNKNOWN</type>
-          upon calling, no type-checking is performed. In <emphasis>both</emphasis> cases,
-	  the <emphasis>actual</emphasis> type of the
-	  requested record field is returned in the <type>int</type> pointed to upon
-	  return from the function. Since you have no guarantees of the type of the value
-	  upon return if you pass <constant>NULL</constant> as the <type>int</type> pointer,
-	  this is a bad idea and either <type>BRO_TYPE_UNKNOWN</type> or another type value
-	  should always be used.
-        </para>
-        <para>
-	  For example, you could extract the value of the record field "label", which
-	  we assume should be a string, in the following ways:
-	</para>
-        <programlisting>
-<![CDATA[
-BroRecord *rec = /* obtained somehow */
-BroString *string;
-int type;
-
-/* --- Example 1 --- */
-
-type = BRO_TYPE_STRING; /* Use type-checking, will not accept other type */
-
-if (! (string = bro_record_get_named_val(rec, "label", &type))) {
-	/* Error handling, either there's no field of that value,
-	 * or the value is not of BRO_TYPE_STRING. The actual
-	 * type is now stored in "type".
-	 */
-}
-
-/* --- Example 2 --- */
-
-type = BRO_TYPE_UNKNOWN; /* No type checking, just report the existant type */
-
-if (! (string = bro_record_get_named_val(rec, "label", &type))) {
-	/* Error handling, no field of that name exists. */
-}
-
-printf("The type of the value in field 'label' is %i\n", type);
-
-/* --- Example 3 --- */
-
-if (! (string = bro_record_get_named_val(rec, "label", NULL))) {
-	/* Error handling, no field of that name exists. */
-}
-
-/* We now have a value, but we can't really be sure of its type */
-
-]]>
-        </programlisting>	
-	<para>
-	  Record fields can be records, for example in the case of Bro's standard
-	  connection record type. In this case, in order to get to a nested record, you
-	  use <constant>BRO_TYPE_RECORD</constant>:
-	</para>
-        <programlisting>
-<![CDATA[
-void remote_conn_cb(BroConn *bc, int *req_id, BroRecord *conn) {
-	BroRecord *conn_id;
-	int type = BRO_TYPE_RECORD;
-	if (! (conn_id = bro_record_get_named_val(conn, "id", &type))) {
-		/* Error handling */
-	}
-}
-]]>
-        </programlisting>	
-      </sect2>
-
-      <sect2>
-	<title id="tables">Handling tables</title>
-        <para>
-	  Broccoli supports Bro-style tables, i.e., associative containers that map
-	  instances of a key type to an instance of a value type. A given key
-	  can only ever point to a single value. The key type can be
-	  <emphasis>composite</emphasis>, i.e., it may consist of an ordered
-	  sequence ofdifferent types, or it can be <emphasis>direct</emphasis>,
-	  i.e., consisting of a single type (such as an integer, a string, or
-	  a record).
-        </para>
-	<para>
-	  The API for table manipulation consists of
-	  <link linkend="bro-table-new"><function>bro_table_new()</function></link>,
-	  <link linkend="bro-table-free"><function>bro_table_free()</function></link>,
-	  <link linkend="bro-table-insert"><function>bro_table_insert()</function></link>,
-	  <link linkend="bro-table-find"><function>bro_table_find()</function></link>,
-	  <link linkend="bro-table-get-size"><function>bro_table_get_size()</function></link>,
-	  <link linkend="bro-table-get-types"><function>bro_table_get_types()</function></link>,
-	  and
-	  <link linkend="bro-table-foreach"><function>bro_table_foreach()</function></link>.
-        </para>
-	<para>
-	  Tables are handled similarly to records in that typing is determined
-	  dynamically by the initial key/value pair inserted. The resulting types
-	  can be obtained via 	
-	  <link linkend="bro-table-get-types"><function>bro_table_get_types()</function></link>.
-	  Should the types not have been determined yet, <constant>BRO_TYPE_UNKNOWN</constant>
-	  will result. Also, as with records,
-	  values inserted into the table are copied internally, and the ones passed
-	  to the insertion functions remain unaffected.
-        </para>
-	<para>
-	  In contrast to records, table entries can be iterated. By passing a function
-	  of signature 
-	  <link linkend="brotablecallback"><function>BroTableCallback()</function></link>
-	  and a pointer to data of your choosing,
-	  <link linkend="bro-table-foreach"><function>bro_table_foreach()</function></link>
-	  will invoke the given function for each key/value pair stored in the table.
-	  Return <constant>TRUE</constant> to keep the iteration going, or <constant>FALSE</constant>
-	  to stop it.
-        </para>
-	<caution><para>
-	  The main thing to know about Broccoli's tables is how to use composite key
-	  types. To avoid additional API calls, you may treat composite key types
-	  exactly as records, though you do not need to use field names when assigning
-	  elements to individual fields. So in order to insert a key/value pair, you
-	  create a record with the needed items assigned to its slots, and use this
-	  record as the key object. In order to differentiate composite index types
-	  from direct ones consisting of a single record, use <constant>BRO_TYPE_LIST</constant>
-	  as the type of the record, as opposed to <constant>BRO_TYPE_RECORD</constant>.
-	  Broccoli will then know to interpret the record
-	  as an ordered sequence of items making up a composite element, not a regular
-	  record.
-        </para></caution>
-	<para>
-	  <filename>brotable.c</filename> in the test subdirectory of the Broccoli tree
-	  contains an extensive example of using tables with composite as well as direct
-	  indexing types.
-        </para>
-      </sect2>
-
-      <sect2>
-	<title id="sets">Handling sets</title>
-        <para>
-	  Sets are essentially tables with void value types.
-	  The API for set manipulation consists of
-	  <link linkend="bro-set-new"><function>bro_set_new()</function></link>,
-	  <link linkend="bro-set-free"><function>bro_set_free()</function></link>,
-	  <link linkend="bro-set-insert"><function>bro_set_insert()</function></link>,
-	  <link linkend="bro-set-find"><function>bro_set_find()</function></link>,
-	  <link linkend="bro-set-get-size"><function>bro_set_get_size()</function></link>,
-	  <link linkend="bro-set-get-type"><function>bro_set_get_type()</function></link>,
-	  and
-	  <link linkend="bro-set-foreach"><function>bro_set_foreach()</function></link>.
-        </para>
-      </sect2>
-
-      <sect2>
-	<title>Associating data with connections</title>
-        <para>
-	    You will often find that you would like to connect data with
-	    a <filename>BroConn</filename>. Broccoli provides an API that
-	    lets you associate data items with a connection handle through
-	    a string-based key&ndash;value registry. The functions of interest
-	    are
-	    <link linkend="bro-conn-data-set"><function>bro_conn_data_set()</function></link>,
-	    <link linkend="bro-conn-data-get"><function>bro_conn_data_get()</function></link>, and
-	    <link linkend="bro-conn-data-del"><function>bro_conn_data_del()</function></link>.
-	    You need to provide a string identifier for a data item and can then use
-	    that string to register, look up, and remove the associated data item.
-	    Note that there is currently no mechanism to trigger a destructor
-	    function for registered data items when the Bro connection is terminated.
-	    You therefore need to make sure that all data items that you do
-	    not have pointers to via some other means are properly released before
-	    calling 
-	    <link linkend="bro-disconnect"><function>bro_disconnect()</function></link>.
-        </para>
-      </sect2>
-
-      <sect2>
-	<title id="config-files">Configuration files</title>
-        <para>	  
-	    Imagine you have instrumented the mother of all server applications.
-	    Building it takes forever, and every now and then you need to change
-	    some of the parameters that your Broccoli code uses, such as the host names
-	    of the Bro agents to talk to.
-	    To allow you to do this quickly, Broccoli comes with support for
-	    configuration files. All you need to do is change the settings in the
-	    file and restart the application (we're considering adding support
-	    for volatile configuration items that are read from the file every
-	    time they are requested).	  
-        </para>
-        <para>
-	    A configuration is read from a single configuration file.
-	    This file can be read from two different locations:
-	    <itemizedlist>
-              <listitem>
-                <para>The system-wide configuration file. You can obtain the location
-	          of this config file by running <filename>broccoli-config --config</filename>.
-		</para>
-              </listitem>
-              <listitem>
-                <para>Alternatively, a per-user configuration file stored in <filename>~/.broccoli.conf</filename>
-		  can be used.
-		</para>
-              </listitem>
-            </itemizedlist>
-            If a user has a configuration file in <filename>~/.broccoli.conf</filename>,
-	    it is used exclusively, otherwise the global one is used.
-         </para>
-         <caution>
-	  <para><emphasis><filename>~/.broccoli.conf</filename> will only be used if
-	    it is a regular file, not executable, and neither group nor others have
-	    any permissions on the file. That is, the file's permissions must look
-	    like <function>-rw-------</function> or <function>-r--------</function>.
-	    </emphasis></para>
-         </caution>
-         <para>
-	    In the configuration file, a "#" anywhere starts a comment that runs
-	    to the end of the line. Configuration items are specified as key-value
-	    pairs:
-        </para>
-        <programlisting>
-<![CDATA[
-# This is the Broccoli system-wide configuration file.
-#
-# Entries are of the form <identifier> <value>, where the identifier
-# is a sequence of letters, and value can be a string (including
-# whitespace), and floating point or integer numbers. Comments start
-# with a "#" and go to the end of the line. For boolean values, you
-# may also use "yes", "on", "true", "no", "off", or "false".
-# Strings may contain whitespace, but need to be surrounded by
-# double quotes '"'.
-#
-# Examples:
-#
-Foo/PeerName          mybro.securesite.com
-Foo/PortNum           123
-Bar/SomeFloat         1.23443543
-Bar/SomeLongStr       "Hello World"
-]]>
-        </programlisting>
-        <para>
-            You can also have multiple sections in your configuration. Your application can
-	    select a section as the current one, and queries for configuration settings will
-	    then only be answered with values specified in that section. A section is started
-	    by putting its name (no whitespace please) between square brackets. Configuration
-	    items positioned before the first section title are in the default domain and
-	    will be used by default.
-        </para>
-        <programlisting>
-<![CDATA[
-# This section contains all settings for myapp.
-[ myapp ]
-]]>
-        </programlisting>
-        <para>
-	    You can name identifiers any way you like, but to keep things
-	    organized it is recommended to keep a namespace hierarchy similar
-	    to the file system. In the code, you can query configuration
-	    items using
-	    <link linkend="bro-conf-get-str"><function>bro_conf_get_str()</function></link>,
-            <link linkend="bro-conf-get-int"><function>bro_conf_get_int()</function></link>, and
-            <link linkend="bro-conf-get-dbl"><function>bro_conf_get_dbl()</function></link>.
-	    You can switch between sections using 
-            <link linkend="bro-conf-set-domain"><function>bro_conf_set_domain()</function></link>.
-        </para>
-      </sect2>      
-
-      <sect2>
-	<title id="buffers">Using dynamic buffers</title>
-        <para>
-	    Broccoli provides an API for dynamically allocatable, growable, shrinkable,
-	    and consumable buffers with <function>BroBuf</function>s. You may or may
-	    not find this useful &mdash; Broccoli mainly provides this feature in
-	    <filename>broccoli.h</filename> because these buffers are used internally
-	    anyway and because they are typical case of something that people implement
-	    themselves over and over again, for example to collect a set of data before
-	    sending it through a file descriptor, etc.
-        </para>
-        <para>
-	    The buffers work as follows. The structure implementing a buffer is
-	    called BroBuf. BroBufs are initialized to a default size when created via
-	    <link linkend="bro-buf-new"><function>bro_buf_new()</function></link>,
-	    and released using 
-	    <link linkend="bro-buf-free"><function>bro_buf_free()</function></link>.
-            Each BroBuf has a content
-	    pointer that points to an arbitrary location between the start of the
-            buffer and the first byte after the last byte currently
-            used in the buffer (see buf_off in the illustration below). The content
-	    pointer can seek to arbitrary locations, and data can be copied from and
-	    into the buffer, adjusting the content pointer accordingly.
-	    You can repeatedly append data to end of the buffer's used contents using
-	    <link linkend="bro-buf-append"><function>bro_buf_append()</function></link>.	    
-        </para>
-        <programlisting>
-<![CDATA[
-
-   <---------------- allocated buffer space ------------>
-   <======== used buffer space ========>
-   ^              ^                    ^               ^                 
-   |              |                    |               |
-   `buf           `buf_ptr             `buf_off        `buf_len
-]]>
-        </programlisting>
-        <para>
-	    Have a look at the following functions for the details:
-	    <link linkend="bro-buf-new"><function>bro_buf_new()</function></link>,
-	    <link linkend="bro-buf-free"><function>bro_buf_free()</function></link>,
-	    <link linkend="bro-buf-append"><function>bro_buf_append()</function></link>,
-	    <link linkend="bro-buf-consume"><function>bro_buf_consume()</function></link>,
-	    <link linkend="bro-buf-reset"><function>bro_buf_reset()</function></link>,
-	    <link linkend="bro-buf-get"><function>bro_buf_get()</function></link>,
-	    <link linkend="bro-buf-get-end"><function>bro_buf_get_end()</function></link>,
-	    <link linkend="bro-buf-get-size"><function>bro_buf_get_size()</function></link>,
-	    <link linkend="bro-buf-get-used-size"><function>bro_buf_get_used_size()</function></link>,
-	    <link linkend="bro-buf-ptr-get"><function>bro_buf_ptr_get()</function></link>,
-	    <link linkend="bro-buf-ptr-tell"><function>bro_buf_ptr_tell()</function></link>,
-	    <link linkend="bro-buf-ptr-seek"><function>bro_buf_ptr_seek()</function></link>,
-	    <link linkend="bro-buf-ptr-check"><function>bro_buf_ptr_check()</function></link>, and
-	    <link linkend="bro-buf-ptr-read"><function>bro_buf_ptr_read()</function></link>.
-        </para>
-      </sect2>
-    </sect1>
-
-    <sect1>
-      <title id="encryption">Configuring encrypted communication</title>
-      <para>
-	Encrypted communication between Bro peers takes place over an SSL connection in
-	which both endpoints of the connection are authenticated. This requires at least
-	some PKI in the form of a certificate authority (CA) which you use to issue and sign
-	certificates for your Bro peers. To facilitate the SSL setup, each peer requires
-	three documents: a certificate signed by the CA and containing the public key, the
-	corresponding private key, and a copy of the CA's certificate.
-      </para>
-      <para>
-        The OpenSSL command line tool <command>openssl</command> can be used to create all
-	files neccessary, but its unstructured arguments and poor documentation make it
-	a pain to use and waste lots of people a lot of time<footnote><para>In other
-	documents and books on OpenSSL you will find this expressed more politely, using
-	terms such as "daunting to the uninitiated", "challenging", "complex", "intimidating".
-	</para></footnote>. Therefore, the Bro distribution comes with two scripts,
-	<command>ca-create</command> and <command>ca-issue</command>. You use the former
-	once to set up your CA, and the latter to create a certificate for each of the Bro
-	peers in your infrastructure.
-	<itemizedlist>	 
-	  <listitem>
-	    <para><command>ca-create</command> lets you choose a directory in which the
-	      CA maintains its files. If you set <varname>BRO_CA_DIR</varname> in your
-	      environment, it will be used for this purpose. After entering a passphrase
-	      for the private key of your CA, you can find the self-signed certificate
-	      of your CA in <filename>$BRO_CA_DIR/ca_cert.pem</filename>.
-	    </para>
-	  </listitem>
-	  <listitem>
-	    <para><command>ca-issue</command> first requires the directory of the CA,
-	      offering <filename>$BRO_CA_DIR</filename> if that is found. It asks you for
-	      a prefix for the certificate to be generated, for the passphrase of the
-	      private key of the CA so the new certificate can be signed, for the
-	      passphrase for the new private key, and for a few parameters that make up
-	      the "distinguished name" of the certificate. This name (i.e., the combination
-	      of all the fields you enter a value for) must be unique among all your Bro
-	      peers. Once that is done, you find a new certificate named
-	      <filename>&lt;prefix&gt;.pem</filename> in your current
-	      directory. This file actually consists of two of the three cryptographic
-	      documents mentioned above, namely the new certificate and the private key.
-              We refer to it as "certificate" for simplicity.
-	    </para>
-	  </listitem>
-	</itemizedlist>
-	In order to enable encrypted communication for your Broccoli application, you
-	need to put the CA certificate and the peer certificate in the
-	<varname>/broccoli/ca_cert</varname> and 
-	<varname>/broccoli/host_cert</varname> keys, respectively, in the configuration file.
-	To quickly enable/disable a certificate configuration, the
-	<varname>/broccoli/use_ssl</varname> key can be used.
-	<caution>
-          <para><emphasis>This is where you configure whether to use encrypted or unencrypted
-	    connections.</emphasis></para>
-          <para>If the <varname>/broccoli/use_ssl</varname> key is present and set to one of
-		"yes", "true", "on", or 1, then SSL will be used and an incorrect or
-		missing certificate configuration will cause connection attempts to fail.
-		If the key's value is one of "no", "false", "off", or 0, then in no case
-		will SSL be used and connections will always be cleartext.
-	  </para>
-          <para>If the <varname>/broccoli/use_ssl</varname> key is <emphasis>not</emphasis>
-		present, then SSL will be used if a certificate configuration is
-		found, and invalid certificates will cause the connection to fail.
-		If no certificates are configured, cleartext connections will be used.
-	  </para>
-	  <para>In no case does an SSL-enabled setup ever fall back to a cleartext one.</para>
-        </caution>
-      </para>
-      <programlisting>
-<![CDATA[
-/broccoli/use_ssl	   yes
-/broccoli/ca_cert          <path>/ca_cert.pem
-/broccoli/host_cert        <path>/bro_cert.pem
-]]>
-      </programlisting>
-      <para>
-        In a Bro policy, you need to load the <filename>listen-ssl.bro</filename> policy and
-	redef <varname>ssl_ca_certificate</varname> and <varname>ssl_private_key</varname>,
-	defined in <filename>bro.init</filename>:
-      </para>
-      <programlisting>
-<![CDATA[
-@load listen-ssl
-
-redef ssl_ca_certificate   = "<path>/ca_cert.pem";
-redef ssl_private_key      = "<path>/bro.pem";
-]]>
-      </programlisting>
-      <para>
-	By default, you will be prompted for the passphrase for the private key matching
-	the public key in your agent's certificate. Depending on your application's user
-	interface and deployment, this may be inappropriate. You can store the passphrase
-	in the config file as well, using the following identifier:
-      </para>
-      <programlisting>
-<![CDATA[
-/broccoli/host_pass        foobar
-]]>
-      </programlisting>
-      <caution>
-        <para><emphasis>Make sure that access to your configuration is restricted.</emphasis></para>
-        <para>
-	  If you provide the passphrase this way, it is obviously essential to have
-	  restrictive permissions on the configuration file. Broccoli partially enforces
-	  this. Please refer to the section on
-	  <link linkend="config-files">configuration files</link> for details.
-        </para>
-      </caution>
-    </sect1>
-
-    <sect1>
-      <title id="bro-event-config">Configuring event reception in Bro policies</title>
-      <para>
-	Before a remote Bro will accept your connection and your events, it needs to have its
-	policy configured accordingly:	  
-	<orderedlist>	 
-	  <listitem>
-	    <para>Load either <filename>listen-ssl</filename> or <filename>listen-clear</filename>,
-	      depending on whether you want to have encrypted or cleartext communication. Obviously,
-	      encrypting the event exchange is recommended and cleartext should only be used for
-	      early experimental setups. See below for details on how to set up encrypted
-	      communication via SSL.
-	    </para>
-	  </listitem>
-	  <listitem>
-	    <para>
-	      You need to find a port to use for the Bros and Broccoli applications that will
-	      listen for connections. Every such agent can use a different port, though default
-	      ports are provided in the Bro policies.
-	      To change the port the Bro agent will be listening on from its default
-	      redefine the <varname>listen_port_ssl</varname> or
-	      <varname>listen_port_clear</varname> variables from <filename>listen-clear.bro</filename>
-	      or <filename>listen-ssl.bro</filename>, respectively. Have a look at these policies as well
-	      as <filename>remote.bro</filename> for the default values. Here is the policy
-	      for the unencrypted case:
-	    </para>
-	    <programlisting>
-<![CDATA[
-@load listen-clear
-
-redef listen_port_clear = 12345/tcp;
-]]>
-            </programlisting>
-	    <para>
-	      Including the settings for the cryptographic files introduced in the previous section, 
-	      here is the encrypted one:
-	    </para>
-	    <programlisting>
-<![CDATA[
-@load listen-ssl
-
-redef listen_port_ssl = 12345/tcp;
-redef ssl_ca_certificate   = "<path>/ca_cert.pem";
-redef ssl_private_key      = "<path>/bro.pem";
-]]>
-            </programlisting>
-	  </listitem>
-	  <listitem>
-	    <para>
-	      The policy controlling which peers a Bro agent will communicate with and how this
-	      communication will happen are defined in the <varname>destinations</varname> table
-	      defined in <filename>remote.bro</filename>. This table contains entries of type
-	      <type>Destination</type>, whose members mostly provide default values so you do not
-	      need to define everything. You need to come up with a tag for the connection
-	      under which it can be found in the table (a creative one would be "broccoli"),
-	      the IP address of the peer, the pattern of names of the events the Bro will accept
-	      from you, whether you want Bro to connect to your
-	      machine on startup or not, if so, a port to connect to (defaults are
-	      <varname>default_port_ssl</varname> and <varname>default_port_clear</varname>, also
-	      defined in <filename>remote.bro</filename>), a retry timeout, whether to use SSL,
-	      and the class of a connection as set on the Broccoli side via
-	    <link linkend="bro-conn-set-class"><function>bro_conn_set_class()</function></link>.
-	    </para>
-	    <para>
-	      An example could look as follows:
-	    </para>
-	    <programlisting>
-<![CDATA[
-
-redef Remote::destinations += {
-	["broping"] = [$host = 127.0.0.1, $class="broping", $events = /ping/, $connect=F, $ssl=F]
-};
-]]>
-            </programlisting>
-	    <para>
-	      This example is taken from <filename>broping.bro</filename>, the policy the
-	      remote Bro must run when you want to use the <command>broping</command> tool
-	      explained in the <link linkend="testing">section on testing</link> below.
-	      It will allow an agent on the local host to connect and send "ping" events.
-	      Our Bro will not attempt to connect, and incoming connections will be expected
-	      in cleartext.
-	    </para>
-	  </listitem>
-	</orderedlist>
-      </para>
-    </sect1>
-
-    <sect1>
-      <title id="broccoli-debugging">Configuring debugging output</title>
-      <para>
-	  If your Broccoli installation was configured with <command>--enable-debug</command>,
-	  Broccoli will report two kinds of debugging information: (<emphasis>i</emphasis>)
-	  function call traces and
-	  (<emphasis>ii</emphasis>) individual debugging messages. Both are enabled by default, but can be adjusted
-	  in two ways.
-	  <itemizedlist>	 
-	    <listitem>
-	      <para>In the configuration file: in the appropriate section of the configuration
-	        file, you can set the keys <function>/broccoli/debug_messages</function> and
-		<function>/broccoli/debug_calltrace</function> to <function>on</function>/<function>off</function>
-		to enable/disable the corresponding output.
-	      </para>
-            </listitem>
-	    <listitem>
-	      <para>In code: you can set the variables 
-	      	<link linkend="bro-debug-calltrace"><function>bro_debug_calltrace</function></link> and
-	        <link linkend="bro-debug-messages"><function>bro_debug_messages</function></link>
-	        to 1/0 at any time to enable/disable the corresponding output.
-	      </para>
-            </listitem>
-	  </itemizedlist>	 
-      </para>
-      <para>
-	  By default, debugging output is inactive (even with debuggin support compiled in).
-	  You need to enable it explicitly either in your code by assigning 1 to 
-	  <link linkend="bro-debug-calltrace"><function>bro_debug_calltrace</function></link> and
-	  <link linkend="bro-debug-messages"><function>bro_debug_messages</function></link>,
-	  or by enabling it in the configuration file.
-      </para>
-    </sect1>
-
-    <sect1>
-      <title id="testing">Test programs</title>
-      <para>
-	  The Broccoli distribution comes with a few small test programs,
-	  located in the <filename>test/</filename> directory of the tree.
-	  The most notable one is &bp;
-	  <footnote><para>Pronunciation is said to be somewhere on the continuum between
-	  "brooping" and "burping".</para></footnote>, a mini-version of ping.
-	  It sends "ping" events to a remote Bro agent, expecting "pong" events
-	  in return. It operates in two flavours: one uses atomic types for sending
-	  information across, and the other one uses records. The Bro agent you want
-	  to ping needs to run either the <filename>broping.bro</filename> or
-	  <filename>broping-record.bro</filename> policies. You can find these
-	  in the <filename>test/</filename> directory of the source tree, and
-	  in <filename>&lt;prefix&gt/share/broccoli</filename> in the installed
-	  version. <filename>broping.bro</filename> is shown below. By default,
-	  pinging a Bro on the same machine is configured. If you want your Bro
-	  to be pinged from another machine, you need to update the
-	  <varname>destinations</varname> variable accordingly.
-      </para>
-      <programlisting>
-<![CDATA[
-@load listen-clear;
-
-global ping_log = open_log_file("ping");
-
-redef Remote::destinations += {
-	["broping"] = [$host = 127.0.0.1, $events = /ping/, $connect=F, $retry = 60 secs, $ssl=F]
-};
-
-event ping(src_time: time, seq: count)
-{
-        event pong(src_time, current_time(), seq);
-}
-
-event pong(src_time: time, dst_time: time, seq: count)
-{
-        print ping_log, fmt("ping received, seq %d, %f at src, %f at dest, one-way: %f",
-                            seq, src_time, dst_time, dst_time-src_time);
-}
-]]>
-      </programlisting>
-      <para>
-        &bp; sends ping events to Bro. Bro accepts those because they are configured
-	accordingly in the destinations table. As shown in the policy, ping events
-	trigger pong events, and &bc; requests delivery of all pong events back to it.
-	When running &bp;, you'll see something like this:
-      </para>
-      <programlisting>
-<![CDATA[
-cpk25@localhost:/home/cpk25/devel/broccoli > ./test/broping
-pong event from 127.0.0.1: seq=1, time=0.004700/1.010303 s
-pong event from 127.0.0.1: seq=2, time=0.053777/1.010266 s
-pong event from 127.0.0.1: seq=3, time=0.006435/1.010284 s
-pong event from 127.0.0.1: seq=4, time=0.020278/1.010319 s
-pong event from 127.0.0.1: seq=5, time=0.004563/1.010187 s
-pong event from 127.0.0.1: seq=6, time=0.005685/1.010393 s
-]]>
-      </programlisting>
-    </sect1>      
-  </chapter>
-  
-  <chapter id="api">
-    <title id="api.title">Broccoli API Reference</title>
-    &bc-header;
-  </chapter>
-
-  <appendix>
-    <title>Appendix</title>
-    <sect1 id="license">
-      <title id="license.title">License</title>
-      <para>
-	Copyright (C) 2004-2008 Christian Kreibich and various contributors.
-      </para>
-      <para>	
-	Permission is hereby granted, free of charge, to any person obtaining a copy
-	of this software and associated documentation files (the "Software"), to
-	deal in the Software without restriction, including without limitation the
-	rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-	sell copies of the Software, and to permit persons to whom the Software is
-	furnished to do so, subject to the following conditions:
-      </para>
-      <para>
-	The above copyright notice and this permission notice shall be included in
-	all copies of the Software and its documentation and acknowledgment shall be
-	given in the documentation and software packages that this Software was
-	used.
-      </para>
-      <para>	
-	THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-	IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-	FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
-	THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-	IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-	CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.	
-      </para>
-    </sect1>
-    <sect1 id="about">
-      <title>About this document</title>
-      <para>
-	This documentation is maintained in SGML <ulink url="http://www.docbook.org">DocBook</ulink>,
-	API documentation is extracted from the code using the
-	<ulink url="http://www.gtk.org/gtk-doc/"><command>gtk-doc</command></ulink> tools.
-      </para>
-    </sect1>
-  </appendix>
-</book>
diff --git a/aux/broccoli/docs/broccoli-sections.txt b/aux/broccoli/docs/broccoli-sections.txt
deleted file mode 100644
index 2c32d932ff..0000000000
--- a/aux/broccoli/docs/broccoli-sections.txt
+++ /dev/null
@@ -1,91 +0,0 @@
-<SECTION>
-<FILE>broccoli</FILE>
-bro_debug_calltrace
-bro_debug_messages
-BroEventFunc
-BroCompactEventFunc
-bro_conn_new
-bro_conn_new_str
-bro_conn_new_socket
-bro_conn_set_class
-bro_conn_get_peer_class
-bro_conn_connect
-bro_conn_alive
-bro_conn_delete
-bro_conn_adopt_events
-bro_conn_get_fd
-bro_conn_process_input
-bro_conn_data_set
-bro_conn_data_get
-bro_conn_data_del
-bro_event_new
-bro_event_free
-bro_event_add_val
-bro_event_set_val
-bro_event_send
-bro_event_queue_length
-bro_event_queue_flush
-bro_event_registry_add
-bro_event_registry_add_compact
-bro_event_registry_remove
-bro_event_registry_request
-bro_buf_new
-bro_buf_free
-bro_buf_append
-bro_buf_consume
-bro_buf_reset
-bro_buf_get
-bro_buf_get_end
-bro_buf_get_size
-bro_buf_get_used_size
-bro_buf_ptr_get
-bro_buf_ptr_tell
-bro_buf_ptr_seek
-bro_buf_ptr_check
-bro_buf_ptr_read
-bro_buf_ptr_write
-bro_conf_get_int
-bro_conf_get_dbl
-bro_conf_get_str
-bro_conf_set_domain
-bro_string_init
-bro_string_set
-bro_string_set_data
-bro_string_get_data
-bro_string_get_length
-bro_string_copy
-bro_string_cleanup
-bro_string_free
-bro_record_new
-bro_record_free
-bro_record_add_val
-bro_record_get_nth_val
-bro_record_get_nth_name
-bro_record_get_named_val
-bro_record_set_nth_val
-bro_record_set_named_val
-BroTableCallback
-bro_table_new
-bro_table_free
-bro_table_insert
-bro_table_find
-bro_table_get_size
-bro_table_get_types
-bro_table_foreach
-BroSetCallback
-bro_set_new
-bro_set_free
-bro_set_insert
-bro_set_find
-bro_set_get_size
-bro_set_get_type
-bro_set_foreach
-bro_conn_set_packet_ctxt
-bro_conn_get_packet_ctxt
-bro_packet_new
-bro_packet_clone
-bro_packet_free
-bro_packet_send
-bro_util_current_time
-bro_util_timeval_to_double
-</SECTION>
diff --git a/aux/broccoli/docs/broccoli.types b/aux/broccoli/docs/broccoli.types
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/aux/broccoli/docs/html/a3621.html b/aux/broccoli/docs/html/a3621.html
deleted file mode 100644
index cc9d735b8d..0000000000
--- a/aux/broccoli/docs/html/a3621.html
+++ /dev/null
@@ -1,210 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-<HTML
-><HEAD
-><TITLE
->Appendix</TITLE
-><META
-NAME="GENERATOR"
-CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
-REL="HOME"
-TITLE="Broccoli: The Bro Client Communications Library"
-HREF="index.html"><LINK
-REL="PREVIOUS"
-TITLE="broccoli"
-HREF="broccoli-broccoli.html"><LINK
-REL="STYLESHEET"
-TYPE="text/css"
-HREF="stylesheet.css"></HEAD
-><BODY
-CLASS="APPENDIX"
-BGCOLOR="#FFFFFF"
-TEXT="#000000"
-LINK="#0000FF"
-VLINK="#840084"
-ALINK="#0000FF"
-><DIV
-CLASS="NAVHEADER"
-><TABLE
-SUMMARY="Header navigation table"
-WIDTH="100%"
-BORDER="0"
-CELLPADDING="0"
-CELLSPACING="0"
-><TR
-><TH
-COLSPAN="3"
-ALIGN="center"
->Broccoli: The Bro Client Communications Library</TH
-></TR
-><TR
-><TD
-WIDTH="10%"
-ALIGN="left"
-VALIGN="bottom"
-><A
-HREF="broccoli-broccoli.html"
-ACCESSKEY="P"
->Prev</A
-></TD
-><TD
-WIDTH="80%"
-ALIGN="center"
-VALIGN="bottom"
-></TD
-><TD
-WIDTH="10%"
-ALIGN="right"
-VALIGN="bottom"
->&nbsp;</TD
-></TR
-></TABLE
-><HR
-ALIGN="LEFT"
-WIDTH="100%"></DIV
-><DIV
-CLASS="APPENDIX"
-><H1
-><A
-NAME="AEN3621"
-></A
->Appendix A. Appendix</H1
-><DIV
-CLASS="TOC"
-><DL
-><DT
-><B
->Table of Contents</B
-></DT
-><DT
->A.1. <A
-HREF="a3621.html#LICENSE"
->License</A
-></DT
-><DT
->A.2. <A
-HREF="a3621.html#ABOUT"
->About this document</A
-></DT
-></DL
-></DIV
-><BR
-CLEAR="all"><DIV
-CLASS="SECT1"
-><H1
-CLASS="SECT1"
-><A
-NAME="LICENSE"
->A.1. License</A
-></H1
-><P
->	Copyright (C) 2004-2008 Christian Kreibich and various contributors.
-      </P
-><P
->	
-	Permission is hereby granted, free of charge, to any person obtaining a copy
-	of this software and associated documentation files (the "Software"), to
-	deal in the Software without restriction, including without limitation the
-	rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-	sell copies of the Software, and to permit persons to whom the Software is
-	furnished to do so, subject to the following conditions:
-      </P
-><P
->	The above copyright notice and this permission notice shall be included in
-	all copies of the Software and its documentation and acknowledgment shall be
-	given in the documentation and software packages that this Software was
-	used.
-      </P
-><P
->	
-	THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-	IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-	FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
-	THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-	IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-	CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.	
-      </P
-></DIV
-><BR
-CLEAR="all"><DIV
-CLASS="SECT1"
-><H1
-CLASS="SECT1"
-><A
-NAME="ABOUT"
->A.2. About this document</A
-></H1
-><P
->	This documentation is maintained in SGML <A
-HREF="http://www.docbook.org"
-TARGET="_top"
->DocBook</A
->,
-	API documentation is extracted from the code using the
-	<A
-HREF="http://www.gtk.org/gtk-doc/"
-TARGET="_top"
-><B
-CLASS="COMMAND"
->gtk-doc</B
-></A
-> tools.
-      </P
-></DIV
-></DIV
-><DIV
-CLASS="NAVFOOTER"
-><HR
-ALIGN="LEFT"
-WIDTH="100%"><TABLE
-SUMMARY="Footer navigation table"
-WIDTH="100%"
-BORDER="0"
-CELLPADDING="0"
-CELLSPACING="0"
-><TR
-><TD
-WIDTH="33%"
-ALIGN="left"
-VALIGN="top"
-><A
-HREF="broccoli-broccoli.html"
-ACCESSKEY="P"
->Prev</A
-></TD
-><TD
-WIDTH="34%"
-ALIGN="center"
-VALIGN="top"
-><A
-HREF="index.html"
-ACCESSKEY="H"
->Home</A
-></TD
-><TD
-WIDTH="33%"
-ALIGN="right"
-VALIGN="top"
->&nbsp;</TD
-></TR
-><TR
-><TD
-WIDTH="33%"
-ALIGN="left"
-VALIGN="top"
->broccoli</TD
-><TD
-WIDTH="34%"
-ALIGN="center"
-VALIGN="top"
->&nbsp;</TD
-><TD
-WIDTH="33%"
-ALIGN="right"
-VALIGN="top"
->&nbsp;</TD
-></TR
-></TABLE
-></DIV
-></BODY
-></HTML
->
\ No newline at end of file
diff --git a/aux/broccoli/docs/html/api.html b/aux/broccoli/docs/html/api.html
deleted file mode 100644
index cb4a6b72e5..0000000000
--- a/aux/broccoli/docs/html/api.html
+++ /dev/null
@@ -1,139 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<HTML
-><HEAD
-><TITLE
->Broccoli API Reference</TITLE
-><META
-NAME="GENERATOR"
-CONTENT="Modular DocBook HTML Stylesheet Version 1.79"><LINK
-REL="HOME"
-TITLE="Broccoli: The Bro Client Communications Library"
-HREF="index.html"><LINK
-REL="PREVIOUS"
-TITLE="Using Broccoli"
-HREF="c84.html"><LINK
-REL="NEXT"
-TITLE="broccoli"
-HREF="broccoli-broccoli.html"><LINK
-REL="STYLESHEET"
-TYPE="text/css"
-HREF="stylesheet.css"></HEAD
-><BODY
-CLASS="CHAPTER"
-BGCOLOR="#FFFFFF"
-TEXT="#000000"
-LINK="#0000FF"
-VLINK="#840084"
-ALINK="#0000FF"
-><DIV
-CLASS="NAVHEADER"
-><TABLE
-SUMMARY="Header navigation table"
-WIDTH="100%"
-BORDER="0"
-CELLPADDING="0"
-CELLSPACING="0"
-><TR
-><TH
-COLSPAN="3"
-ALIGN="center"
->Broccoli: The Bro Client Communications Library</TH
-></TR
-><TR
-><TD
-WIDTH="10%"
-ALIGN="left"
-VALIGN="bottom"
-><A
-HREF="c84.html"
-ACCESSKEY="P"
->Prev</A
-></TD
-><TD
-WIDTH="80%"
-ALIGN="center"
-VALIGN="bottom"
-></TD
-><TD
-WIDTH="10%"
-ALIGN="right"
-VALIGN="bottom"
-><A
-HREF="broccoli-broccoli.html"
-ACCESSKEY="N"
->Next</A
-></TD
-></TR
-></TABLE
-><HR
-ALIGN="LEFT"
-WIDTH="100%"></DIV
-><DIV
-CLASS="CHAPTER"
-><H1
-><A
-NAME="API"
-></A
->Chapter 4. Broccoli API Reference</H1
-></DIV
-><DIV
-CLASS="NAVFOOTER"
-><HR
-ALIGN="LEFT"
-WIDTH="100%"><TABLE
-SUMMARY="Footer navigation table"
-WIDTH="100%"
-BORDER="0"
-CELLPADDING="0"
-CELLSPACING="0"
-><TR
-><TD
-WIDTH="33%"
-ALIGN="left"
-VALIGN="top"
-><A
-HREF="c84.html"
-ACCESSKEY="P"
->Prev</A
-></TD
-><TD
-WIDTH="34%"
-ALIGN="center"
-VALIGN="top"
-><A
-HREF="index.html"
-ACCESSKEY="H"
->Home</A
-></TD
-><TD
-WIDTH="33%"
-ALIGN="right"
-VALIGN="top"
-><A
-HREF="broccoli-broccoli.html"
-ACCESSKEY="N"
->Next</A
-></TD
-></TR
-><TR
-><TD
-WIDTH="33%"
-ALIGN="left"
-VALIGN="top"
->Using Broccoli</TD
-><TD
-WIDTH="34%"
-ALIGN="center"
-VALIGN="top"
->&nbsp;</TD
-><TD
-WIDTH="33%"
-ALIGN="right"
-VALIGN="top"
->broccoli</TD
-></TR
-></TABLE
-></DIV
-></BODY
-></HTML
->
\ No newline at end of file
diff --git a/aux/broccoli/docs/html/broccoli-broccoli.html b/aux/broccoli/docs/html/broccoli-broccoli.html
deleted file mode 100644
index 5dd659d482..0000000000
--- a/aux/broccoli/docs/html/broccoli-broccoli.html
+++ /dev/null
@@ -1,6645 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<HTML
-><HEAD
-><TITLE
->broccoli</TITLE
-><META
-NAME="GENERATOR"
-CONTENT="Modular DocBook HTML Stylesheet Version 1.79"><LINK
-REL="HOME"
-TITLE="Broccoli: The Bro Client Communications Library"
-HREF="index.html"><LINK
-REL="UP"
-TITLE="Broccoli API Reference"
-HREF="api.html"><LINK
-REL="PREVIOUS"
-TITLE="Broccoli API Reference"
-HREF="api.html"><LINK
-REL="NEXT"
-TITLE="Appendix"
-HREF="a3637.html"><LINK
-REL="STYLESHEET"
-TYPE="text/css"
-HREF="stylesheet.css"></HEAD
-><BODY
-CLASS="REFENTRY"
-BGCOLOR="#FFFFFF"
-TEXT="#000000"
-LINK="#0000FF"
-VLINK="#840084"
-ALINK="#0000FF"
-><DIV
-CLASS="NAVHEADER"
-><TABLE
-SUMMARY="Header navigation table"
-WIDTH="100%"
-BORDER="0"
-CELLPADDING="0"
-CELLSPACING="0"
-><TR
-><TH
-COLSPAN="3"
-ALIGN="center"
->Broccoli: The Bro Client Communications Library</TH
-></TR
-><TR
-><TD
-WIDTH="10%"
-ALIGN="left"
-VALIGN="bottom"
-><A
-HREF="api.html"
-ACCESSKEY="P"
->Prev</A
-></TD
-><TD
-WIDTH="80%"
-ALIGN="center"
-VALIGN="bottom"
-></TD
-><TD
-WIDTH="10%"
-ALIGN="right"
-VALIGN="bottom"
-><A
-HREF="a3637.html"
-ACCESSKEY="N"
->Next</A
-></TD
-></TR
-></TABLE
-><HR
-ALIGN="LEFT"
-WIDTH="100%"></DIV
-><H1
-><A
-NAME="BROCCOLI-BROCCOLI"
-></A
->broccoli</H1
-><DIV
-CLASS="REFNAMEDIV"
-><A
-NAME="AEN868"
-></A
-><H2
->Name</H2
->broccoli&nbsp;--&nbsp;</DIV
-><DIV
-CLASS="REFSYNOPSISDIV"
-><A
-NAME="BROCCOLI-BROCCOLI.SYNOPSIS"
-></A
-><H2
->Synopsis</H2
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="SYNOPSIS"
->extern              int <A
-HREF="broccoli-broccoli.html#BRO-DEBUG-CALLTRACE"
->bro_debug_calltrace</A
->;
-extern              int <A
-HREF="broccoli-broccoli.html#BRO-DEBUG-MESSAGES"
->bro_debug_messages</A
->;
-void                (<A
-HREF="broccoli-broccoli.html#BROEVENTFUNC"
->*BroEventFunc</A
->)                     (BroConn *bc,
-                                                         void *user_data,
-                                                         ...);
-void                (<A
-HREF="broccoli-broccoli.html#BROCOMPACTEVENTFUNC"
->*BroCompactEventFunc</A
->)              (BroConn *bc,
-                                                         void *user_data,
-                                                         BroEvMeta *meta);
-BroConn*            <A
-HREF="broccoli-broccoli.html#BRO-CONN-NEW"
->bro_conn_new</A
->                        (struct in_addr *ip_addr,
-                                                         uint16 port,
-                                                         int flags);
-BroConn*            <A
-HREF="broccoli-broccoli.html#BRO-CONN-NEW-STR"
->bro_conn_new_str</A
->                    (const char *hostname,
-                                                         int flags);
-BroConn*            <A
-HREF="broccoli-broccoli.html#BRO-CONN-NEW-SOCKET"
->bro_conn_new_socket</A
->                 (int socket,
-                                                         int flags);
-void                <A
-HREF="broccoli-broccoli.html#BRO-CONN-SET-CLASS"
->bro_conn_set_class</A
->                  (BroConn *bc,
-                                                         const char *classname);
-const char*         <A
-HREF="broccoli-broccoli.html#BRO-CONN-GET-PEER-CLASS"
->bro_conn_get_peer_class</A
->             (const BroConn *bc);
-int                 <A
-HREF="broccoli-broccoli.html#BRO-CONN-CONNECT"
->bro_conn_connect</A
->                    (BroConn *bc);
-int                 <A
-HREF="broccoli-broccoli.html#BRO-CONN-ALIVE"
->bro_conn_alive</A
->                      (const BroConn *bc);
-int                 <A
-HREF="broccoli-broccoli.html#BRO-CONN-DELETE"
->bro_conn_delete</A
->                     (BroConn *bc);
-void                <A
-HREF="broccoli-broccoli.html#BRO-CONN-ADOPT-EVENTS"
->bro_conn_adopt_events</A
->               (BroConn *src,
-                                                         BroConn *dst);
-int                 <A
-HREF="broccoli-broccoli.html#BRO-CONN-GET-FD"
->bro_conn_get_fd</A
->                     (BroConn *bc);
-int                 <A
-HREF="broccoli-broccoli.html#BRO-CONN-PROCESS-INPUT"
->bro_conn_process_input</A
->              (BroConn *bc);
-void                <A
-HREF="broccoli-broccoli.html#BRO-CONN-DATA-SET"
->bro_conn_data_set</A
->                   (BroConn *bc,
-                                                         const char *key,
-                                                         void *val);
-void*               <A
-HREF="broccoli-broccoli.html#BRO-CONN-DATA-GET"
->bro_conn_data_get</A
->                   (BroConn *bc,
-                                                         const char *key);
-void*               <A
-HREF="broccoli-broccoli.html#BRO-CONN-DATA-DEL"
->bro_conn_data_del</A
->                   (BroConn *bc,
-                                                         const char *key);
-BroEvent*           <A
-HREF="broccoli-broccoli.html#BRO-EVENT-NEW"
->bro_event_new</A
->                       (const char *event_name);
-void                <A
-HREF="broccoli-broccoli.html#BRO-EVENT-FREE"
->bro_event_free</A
->                      (BroEvent *be);
-int                 <A
-HREF="broccoli-broccoli.html#BRO-EVENT-ADD-VAL"
->bro_event_add_val</A
->                   (BroEvent *be,
-                                                         int type,
-                                                         const char *type_name,
-                                                         const void *val);
-int                 <A
-HREF="broccoli-broccoli.html#BRO-EVENT-SET-VAL"
->bro_event_set_val</A
->                   (BroEvent *be,
-                                                         int val_num,
-                                                         int type,
-                                                         const char *type_name,
-                                                         const void *val);
-int                 <A
-HREF="broccoli-broccoli.html#BRO-EVENT-SEND"
->bro_event_send</A
->                      (BroConn *bc,
-                                                         BroEvent *be);
-int                 <A
-HREF="broccoli-broccoli.html#BRO-EVENT-QUEUE-LENGTH"
->bro_event_queue_length</A
->              (BroConn *bc);
-int                 <A
-HREF="broccoli-broccoli.html#BRO-EVENT-QUEUE-FLUSH"
->bro_event_queue_flush</A
->               (BroConn *bc);
-void                <A
-HREF="broccoli-broccoli.html#BRO-EVENT-REGISTRY-ADD"
->bro_event_registry_add</A
->              (BroConn *bc,
-                                                         const char *event_name,
-                                                         <A
-HREF="broccoli-broccoli.html#BROEVENTFUNC"
->BroEventFunc</A
-> func,
-                                                         void *user_data);
-void                <A
-HREF="broccoli-broccoli.html#BRO-EVENT-REGISTRY-ADD-COMPACT"
->bro_event_registry_add_compact</A
->      (BroConn *bc,
-                                                         const char *event_name,
-                                                         <A
-HREF="broccoli-broccoli.html#BROCOMPACTEVENTFUNC"
->BroCompactEventFunc</A
-> func,
-                                                         void *user_data);
-void                <A
-HREF="broccoli-broccoli.html#BRO-EVENT-REGISTRY-REMOVE"
->bro_event_registry_remove</A
->           (BroConn *bc,
-                                                         const char *event_name);
-void                <A
-HREF="broccoli-broccoli.html#BRO-EVENT-REGISTRY-REQUEST"
->bro_event_registry_request</A
->          (BroConn *bc);
-BroBuf*             <A
-HREF="broccoli-broccoli.html#BRO-BUF-NEW"
->bro_buf_new</A
->                         (void);
-void                <A
-HREF="broccoli-broccoli.html#BRO-BUF-FREE"
->bro_buf_free</A
->                        (BroBuf *buf);
-int                 <A
-HREF="broccoli-broccoli.html#BRO-BUF-APPEND"
->bro_buf_append</A
->                      (BroBuf *buf,
-                                                         void *data,
-                                                         int data_len);
-void                <A
-HREF="broccoli-broccoli.html#BRO-BUF-CONSUME"
->bro_buf_consume</A
->                     (BroBuf *buf);
-void                <A
-HREF="broccoli-broccoli.html#BRO-BUF-RESET"
->bro_buf_reset</A
->                       (BroBuf *buf);
-uchar*              <A
-HREF="broccoli-broccoli.html#BRO-BUF-GET"
->bro_buf_get</A
->                         (BroBuf *buf);
-uchar*              <A
-HREF="broccoli-broccoli.html#BRO-BUF-GET-END"
->bro_buf_get_end</A
->                     (BroBuf *buf);
-uint                <A
-HREF="broccoli-broccoli.html#BRO-BUF-GET-SIZE"
->bro_buf_get_size</A
->                    (BroBuf *buf);
-uint                <A
-HREF="broccoli-broccoli.html#BRO-BUF-GET-USED-SIZE"
->bro_buf_get_used_size</A
->               (BroBuf *buf);
-uchar*              <A
-HREF="broccoli-broccoli.html#BRO-BUF-PTR-GET"
->bro_buf_ptr_get</A
->                     (BroBuf *buf);
-uint32              <A
-HREF="broccoli-broccoli.html#BRO-BUF-PTR-TELL"
->bro_buf_ptr_tell</A
->                    (BroBuf *buf);
-int                 <A
-HREF="broccoli-broccoli.html#BRO-BUF-PTR-SEEK"
->bro_buf_ptr_seek</A
->                    (BroBuf *buf,
-                                                         int offset,
-                                                         int whence);
-int                 <A
-HREF="broccoli-broccoli.html#BRO-BUF-PTR-CHECK"
->bro_buf_ptr_check</A
->                   (BroBuf *buf,
-                                                         int size);
-int                 <A
-HREF="broccoli-broccoli.html#BRO-BUF-PTR-READ"
->bro_buf_ptr_read</A
->                    (BroBuf *buf,
-                                                         void *data,
-                                                         int size);
-int                 <A
-HREF="broccoli-broccoli.html#BRO-BUF-PTR-WRITE"
->bro_buf_ptr_write</A
->                   (BroBuf *buf,
-                                                         void *data,
-                                                         int size);
-int                 <A
-HREF="broccoli-broccoli.html#BRO-CONF-GET-INT"
->bro_conf_get_int</A
->                    (const char *val_name,
-                                                         int *val);
-int                 <A
-HREF="broccoli-broccoli.html#BRO-CONF-GET-DBL"
->bro_conf_get_dbl</A
->                    (const char *val_name,
-                                                         double *val);
-const char*         <A
-HREF="broccoli-broccoli.html#BRO-CONF-GET-STR"
->bro_conf_get_str</A
->                    (const char *val_name);
-void                <A
-HREF="broccoli-broccoli.html#BRO-CONF-SET-DOMAIN"
->bro_conf_set_domain</A
->                 (const char *domain);
-void                <A
-HREF="broccoli-broccoli.html#BRO-STRING-INIT"
->bro_string_init</A
->                     (BroString *bs);
-int                 <A
-HREF="broccoli-broccoli.html#BRO-STRING-SET"
->bro_string_set</A
->                      (BroString *bs,
-                                                         const char *s);
-int                 <A
-HREF="broccoli-broccoli.html#BRO-STRING-SET-DATA"
->bro_string_set_data</A
->                 (BroString *bs,
-                                                         const uchar *data,
-                                                         int data_len);
-const uchar*        <A
-HREF="broccoli-broccoli.html#BRO-STRING-GET-DATA"
->bro_string_get_data</A
->                 (const BroString *bs);
-uint32              <A
-HREF="broccoli-broccoli.html#BRO-STRING-GET-LENGTH"
->bro_string_get_length</A
->               (const BroString *bs);
-BroString*          <A
-HREF="broccoli-broccoli.html#BRO-STRING-COPY"
->bro_string_copy</A
->                     (BroString *bs);
-void                <A
-HREF="broccoli-broccoli.html#BRO-STRING-CLEANUP"
->bro_string_cleanup</A
->                  (BroString *bs);
-void                <A
-HREF="broccoli-broccoli.html#BRO-STRING-FREE"
->bro_string_free</A
->                     (BroString *bs);
-BroRecord*          <A
-HREF="broccoli-broccoli.html#BRO-RECORD-NEW"
->bro_record_new</A
->                      (void);
-void                <A
-HREF="broccoli-broccoli.html#BRO-RECORD-FREE"
->bro_record_free</A
->                     (BroRecord *rec);
-int                 <A
-HREF="broccoli-broccoli.html#BRO-RECORD-ADD-VAL"
->bro_record_add_val</A
->                  (BroRecord *rec,
-                                                         const char *name,
-                                                         int type,
-                                                         const char *type_name,
-                                                         const void *val);
-void*               <A
-HREF="broccoli-broccoli.html#BRO-RECORD-GET-NTH-VAL"
->bro_record_get_nth_val</A
->              (BroRecord *rec,
-                                                         int num,
-                                                         int *type);
-const char*         <A
-HREF="broccoli-broccoli.html#BRO-RECORD-GET-NTH-NAME"
->bro_record_get_nth_name</A
->             (BroRecord *rec,
-                                                         int num);
-void*               <A
-HREF="broccoli-broccoli.html#BRO-RECORD-GET-NAMED-VAL"
->bro_record_get_named_val</A
->            (BroRecord *rec,
-                                                         const char *name,
-                                                         int *type);
-int                 <A
-HREF="broccoli-broccoli.html#BRO-RECORD-SET-NTH-VAL"
->bro_record_set_nth_val</A
->              (BroRecord *rec,
-                                                         int num,
-                                                         int type,
-                                                         const char *type_name,
-                                                         const void *val);
-int                 <A
-HREF="broccoli-broccoli.html#BRO-RECORD-SET-NAMED-VAL"
->bro_record_set_named_val</A
->            (BroRecord *rec,
-                                                         const char *name,
-                                                         int type,
-                                                         const char *type_name,
-                                                         const void *val);
-int                 (<A
-HREF="broccoli-broccoli.html#BROTABLECALLBACK"
->*BroTableCallback</A
->)                 (void *key,
-                                                         void *val,
-                                                         void *user_data);
-BroTable*           <A
-HREF="broccoli-broccoli.html#BRO-TABLE-NEW"
->bro_table_new</A
->                       (void);
-void                <A
-HREF="broccoli-broccoli.html#BRO-TABLE-FREE"
->bro_table_free</A
->                      (BroTable *tbl);
-int                 <A
-HREF="broccoli-broccoli.html#BRO-TABLE-INSERT"
->bro_table_insert</A
->                    (BroTable *tbl,
-                                                         int key_type,
-                                                         const void *key,
-                                                         int val_type,
-                                                         const void *val);
-void*               <A
-HREF="broccoli-broccoli.html#BRO-TABLE-FIND"
->bro_table_find</A
->                      (BroTable *tbl,
-                                                         const void *key);
-int                 <A
-HREF="broccoli-broccoli.html#BRO-TABLE-GET-SIZE"
->bro_table_get_size</A
->                  (BroTable *tbl);
-void                <A
-HREF="broccoli-broccoli.html#BRO-TABLE-GET-TYPES"
->bro_table_get_types</A
->                 (BroTable *tbl,
-                                                         int *key_type,
-                                                         int *val_type);
-void                <A
-HREF="broccoli-broccoli.html#BRO-TABLE-FOREACH"
->bro_table_foreach</A
->                   (BroTable *tbl,
-                                                         <A
-HREF="broccoli-broccoli.html#BROTABLECALLBACK"
->BroTableCallback</A
-> cb,
-                                                         void *user_data);
-int                 (<A
-HREF="broccoli-broccoli.html#BROSETCALLBACK"
->*BroSetCallback</A
->)                   (void *val,
-                                                         void *user_data);
-BroSet*             <A
-HREF="broccoli-broccoli.html#BRO-SET-NEW"
->bro_set_new</A
->                         (void);
-void                <A
-HREF="broccoli-broccoli.html#BRO-SET-FREE"
->bro_set_free</A
->                        (BroSet *set);
-int                 <A
-HREF="broccoli-broccoli.html#BRO-SET-INSERT"
->bro_set_insert</A
->                      (BroSet *set,
-                                                         int type,
-                                                         const void *val);
-int                 <A
-HREF="broccoli-broccoli.html#BRO-SET-FIND"
->bro_set_find</A
->                        (BroSet *set,
-                                                         const void *key);
-int                 <A
-HREF="broccoli-broccoli.html#BRO-SET-GET-SIZE"
->bro_set_get_size</A
->                    (BroSet *set);
-void                <A
-HREF="broccoli-broccoli.html#BRO-SET-GET-TYPE"
->bro_set_get_type</A
->                    (BroSet *set,
-                                                         int *type);
-void                <A
-HREF="broccoli-broccoli.html#BRO-SET-FOREACH"
->bro_set_foreach</A
->                     (BroSet *set,
-                                                         <A
-HREF="broccoli-broccoli.html#BROSETCALLBACK"
->BroSetCallback</A
-> cb,
-                                                         void *user_data);
-void                <A
-HREF="broccoli-broccoli.html#BRO-CONN-SET-PACKET-CTXT"
->bro_conn_set_packet_ctxt</A
->            (BroConn *bc,
-                                                         int link_type);
-void                <A
-HREF="broccoli-broccoli.html#BRO-CONN-GET-PACKET-CTXT"
->bro_conn_get_packet_ctxt</A
->            (BroConn *bc,
-                                                         int *link_type);
-BroPacket*          <A
-HREF="broccoli-broccoli.html#BRO-PACKET-NEW"
->bro_packet_new</A
->                      (const struct pcap_pkthdr *hdr,
-                                                         const u_char *data,
-                                                         const char *tag);
-BroPacket*          <A
-HREF="broccoli-broccoli.html#BRO-PACKET-CLONE"
->bro_packet_clone</A
->                    (const BroPacket *packet);
-void                <A
-HREF="broccoli-broccoli.html#BRO-PACKET-FREE"
->bro_packet_free</A
->                     (BroPacket *packet);
-int                 <A
-HREF="broccoli-broccoli.html#BRO-PACKET-SEND"
->bro_packet_send</A
->                     (BroConn *bc,
-                                                         BroPacket *packet);
-double              <A
-HREF="broccoli-broccoli.html#BRO-UTIL-CURRENT-TIME"
->bro_util_current_time</A
->               (void);
-double              <A
-HREF="broccoli-broccoli.html#BRO-UTIL-TIMEVAL-TO-DOUBLE"
->bro_util_timeval_to_double</A
->          (const struct timeval *tv);</PRE
-></TD
-></TR
-></TABLE
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="BROCCOLI-BROCCOLI.DESCRIPTION"
-></A
-><H2
->Description</H2
-><P
-></P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="BROCCOLI-BROCCOLI.DETAILS"
-></A
-><H2
->Details</H2
-><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-DEBUG-CALLTRACE"
-></A
-><H3
->bro_debug_calltrace</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->extern int bro_debug_calltrace;</PRE
-></TD
-></TR
-></TABLE
-><P
->If you have debugging support built in (i.e., your package was configured
-with --enable-debugging), you can enable/disable debugging output for
-call tracing by setting this to 0 (off) or 1 (on). Default is off.</P
-><P
-></P
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-DEBUG-MESSAGES"
-></A
-><H3
->bro_debug_messages</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->extern int bro_debug_messages;</PRE
-></TD
-></TR
-></TABLE
-><P
->If you have debugging support built in (i.e., your package was configured
-with --enable-debugging), you can enable/disable debugging messages
-by setting this to 0 (off) or 1 (on). Default is off.</P
-><P
-></P
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BROEVENTFUNC"
-></A
-><H3
->BroEventFunc ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->void                (*BroEventFunc)                     (BroConn *bc,
-                                                         void *user_data,
-                                                         ...);</PRE
-></TD
-></TR
-></TABLE
-><P
->This is the signature of callbacks for handling received
-Bro events, called in the argument-expanded style.  For details
-see <A
-HREF="broccoli-broccoli.html#BRO-EVENT-REGISTRY-ADD"
-><CODE
-CLASS="FUNCTION"
->bro_event_registry_add()</CODE
-></A
->.</P
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->bc</TT
->&nbsp;:</DT
-><DD
-><P
-> Bro connection handle.</P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->user_data</TT
->&nbsp;:</DT
-><DD
-><P
-> user data provided to <A
-HREF="broccoli-broccoli.html#BRO-EVENT-REGISTRY-ADD"
-><CODE
-CLASS="FUNCTION"
->bro_event_registry_add()</CODE
-></A
->.</P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->...</TT
->&nbsp;:</DT
-><DD
-><P
-> varargs.</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BROCOMPACTEVENTFUNC"
-></A
-><H3
->BroCompactEventFunc ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->void                (*BroCompactEventFunc)              (BroConn *bc,
-                                                         void *user_data,
-                                                         BroEvMeta *meta);</PRE
-></TD
-></TR
-></TABLE
-><P
->This is the signature of callbacks for handling received
-Bro events, called in the compact-argument style. For details
-see <A
-HREF="broccoli-broccoli.html#BRO-EVENT-REGISTRY-ADD-COMPACT"
-><CODE
-CLASS="FUNCTION"
->bro_event_registry_add_compact()</CODE
-></A
->.</P
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->bc</TT
->&nbsp;:</DT
-><DD
-><P
-> Bro connection handle.</P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->user_data</TT
->&nbsp;:</DT
-><DD
-><P
-> user data provided to <A
-HREF="broccoli-broccoli.html#BRO-EVENT-REGISTRY-ADD-COMPACT"
-><CODE
-CLASS="FUNCTION"
->bro_event_registry_add_compact()</CODE
-></A
->.</P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->meta</TT
->&nbsp;:</DT
-><DD
-><P
-> metadata for the event</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-CONN-NEW"
-></A
-><H3
->bro_conn_new ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->BroConn*            bro_conn_new                        (struct in_addr *ip_addr,
-                                                         uint16 port,
-                                                         int flags);</PRE
-></TD
-></TR
-></TABLE
-><P
->The function creates a new Bro connection handle for communication with
-Bro through a network. Depending on the flags passed in, the connection
-and its setup process can be adjusted. If you don't want to pass any
-flags, use <TT
-CLASS="LITERAL"
->BRO_CFLAG_NONE</TT
->.</P
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->ip_addr</TT
->&nbsp;:</DT
-><DD
-><P
-> 4-byte IP address of Bro to contact, in network byte order.</P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->port</TT
->&nbsp;:</DT
-><DD
-><P
-> port of machine at <TT
-CLASS="PARAMETER"
->ip_addr</TT
-> to contact, in network byte order.</P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->flags</TT
->&nbsp;:</DT
-><DD
-><P
-> an or-combination of the <TT
-CLASS="LITERAL"
->BRO_CONN_xxx</TT
-> flags.</P
-></DD
-><DT
-><SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->Returns</B
-></SPAN
->&nbsp;:</DT
-><DD
-><P
-> pointer to a newly allocated and initialized
-Bro connection structure. You need this structure for all
-other calls in order to identify the connection to Bro.</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-CONN-NEW-STR"
-></A
-><H3
->bro_conn_new_str ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->BroConn*            bro_conn_new_str                    (const char *hostname,
-                                                         int flags);</PRE
-></TD
-></TR
-></TABLE
-><P
->The function is identical to <A
-HREF="broccoli-broccoli.html#BRO-CONN-NEW"
-><CODE
-CLASS="FUNCTION"
->bro_conn_new()</CODE
-></A
->, but allows you to specify the
-host and port to connect to in a string as "&lt;hostname&gt;:&lt;port&gt;". <TT
-CLASS="PARAMETER"
->flags</TT
-> can
-be used to adjust the connection features and the setup process. If you don't
-want to pass any flags, use <TT
-CLASS="LITERAL"
->BRO_CFLAG_NONE</TT
->.</P
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->hostname</TT
->&nbsp;:</DT
-><DD
-><P
-> string describing the host and port to connect to.</P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->flags</TT
->&nbsp;:</DT
-><DD
-><P
-> an or-combination of the <TT
-CLASS="LITERAL"
->BRO_CONN_xxx</TT
-> flags.</P
-></DD
-><DT
-><SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->Returns</B
-></SPAN
->&nbsp;:</DT
-><DD
-><P
-> pointer to a newly allocated and initialized
-Bro connection structure. You need this structure for all
-other calls in order to identify the connection to Bro.</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-CONN-NEW-SOCKET"
-></A
-><H3
->bro_conn_new_socket ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->BroConn*            bro_conn_new_socket                 (int socket,
-                                                         int flags);</PRE
-></TD
-></TR
-></TABLE
-><P
->The function is identical to <A
-HREF="broccoli-broccoli.html#BRO-CONN-NEW"
-><CODE
-CLASS="FUNCTION"
->bro_conn_new()</CODE
-></A
->, but allows you to pass in an
-open socket to use for the communication. <TT
-CLASS="PARAMETER"
->flags</TT
-> can be used to
-adjust the connection features and the setup process. If you don't want to
-pass any flags, use <TT
-CLASS="LITERAL"
->BRO_CFLAG_NONE</TT
->.</P
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->socket</TT
->&nbsp;:</DT
-><DD
-><P
-> open socket.</P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->flags</TT
->&nbsp;:</DT
-><DD
-><P
-> an or-combination of the <TT
-CLASS="LITERAL"
->BRO_CONN_xxx</TT
-> flags.</P
-></DD
-><DT
-><SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->Returns</B
-></SPAN
->&nbsp;:</DT
-><DD
-><P
-> pointer to a newly allocated and initialized
-Bro connection structure. You need this structure for all
-other calls in order to identify the connection to Bro.</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-CONN-SET-CLASS"
-></A
-><H3
->bro_conn_set_class ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->void                bro_conn_set_class                  (BroConn *bc,
-                                                         const char *classname);</PRE
-></TD
-></TR
-></TABLE
-><P
->Broccoli connections can indicate that they belong to a certain class
-of connections, which is needed primarily if multiple Bro/Broccoli
-instances are running on the same node and connect to a single remote
-peer. You can set this class with this function, and you have to do so
-before calling <CODE
-CLASS="FUNCTION"
->bro_connect()</CODE
-> since the connection class is determined
-upon connection establishment. You remain responsible for the memory
-pointed to by <TT
-CLASS="PARAMETER"
->classname</TT
->.</P
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->bc</TT
->&nbsp;:</DT
-><DD
-><P
-> connection handle.</P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->classname</TT
->&nbsp;:</DT
-><DD
-><P
-> class identifier.</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-CONN-GET-PEER-CLASS"
-></A
-><H3
->bro_conn_get_peer_class ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->const char*         bro_conn_get_peer_class             (const BroConn *bc);</PRE
-></TD
-></TR
-></TABLE
-><P
-></P
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->bc</TT
->&nbsp;:</DT
-><DD
-><P
-> connection handle.</P
-></DD
-><DT
-><SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->Returns</B
-></SPAN
->&nbsp;:</DT
-><DD
-><P
-> a string containing the connection class indicated by the peer,
-if any, otherwise <TT
-CLASS="LITERAL"
->NULL</TT
->.</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-CONN-CONNECT"
-></A
-><H3
->bro_conn_connect ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->int                 bro_conn_connect                    (BroConn *bc);</PRE
-></TD
-></TR
-></TABLE
-><P
->The function attempts to set up and configure a connection to
-the peer configured when the connection handle was obtained.</P
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->bc</TT
->&nbsp;:</DT
-><DD
-><P
-> connection handle.</P
-></DD
-><DT
-><SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->Returns</B
-></SPAN
->&nbsp;:</DT
-><DD
-><P
-> <TT
-CLASS="LITERAL"
->TRUE</TT
-> on success, <TT
-CLASS="LITERAL"
->FALSE</TT
-> on failure.</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-CONN-ALIVE"
-></A
-><H3
->bro_conn_alive ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->int                 bro_conn_alive                      (const BroConn *bc);</PRE
-></TD
-></TR
-></TABLE
-><P
->This predicate reports whether the connection handle is currently
-usable for sending/receiving data or not, e.g. because the peer
-died. The function does not actively check and update the
-connection's state, it only reports the value of flags indicating
-its status. In particular, this means that when calling
-<A
-HREF="broccoli-broccoli.html#BRO-CONN-ALIVE"
-><CODE
-CLASS="FUNCTION"
->bro_conn_alive()</CODE
-></A
-> directly after a <CODE
-CLASS="FUNCTION"
->select()</CODE
-> on the connection's
-descriptor, <A
-HREF="broccoli-broccoli.html#BRO-CONN-ALIVE"
-><CODE
-CLASS="FUNCTION"
->bro_conn_alive()</CODE
-></A
-> may return an incorrent value. It will
-however return the correct value after a subsequent call to
-<A
-HREF="broccoli-broccoli.html#BRO-CONN-PROCESS-INPUT"
-><CODE
-CLASS="FUNCTION"
->bro_conn_process_input()</CODE
-></A
->. Also note that the connection is also
-dead after the connection handle is obtained and before
-<A
-HREF="broccoli-broccoli.html#BRO-CONN-CONNECT"
-><CODE
-CLASS="FUNCTION"
->bro_conn_connect()</CODE
-></A
-> is called.</P
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->bc</TT
->&nbsp;:</DT
-><DD
-><P
-> Bro connection handle.</P
-></DD
-><DT
-><SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->Returns</B
-></SPAN
->&nbsp;:</DT
-><DD
-><P
-> <TT
-CLASS="LITERAL"
->TRUE</TT
-> if the connection is alive, <TT
-CLASS="LITERAL"
->FALSE</TT
-> otherwise.</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-CONN-DELETE"
-></A
-><H3
->bro_conn_delete ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->int                 bro_conn_delete                     (BroConn *bc);</PRE
-></TD
-></TR
-></TABLE
-><P
->This function will terminate the given connection if necessary
-and release all resources associated with the connection handle.</P
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->bc</TT
->&nbsp;:</DT
-><DD
-><P
-> Bro connection handle</P
-></DD
-><DT
-><SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->Returns</B
-></SPAN
->&nbsp;:</DT
-><DD
-><P
-> <TT
-CLASS="LITERAL"
->FALSE</TT
-> on error, <TT
-CLASS="LITERAL"
->TRUE</TT
-> otherwise.</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-CONN-ADOPT-EVENTS"
-></A
-><H3
->bro_conn_adopt_events ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->void                bro_conn_adopt_events               (BroConn *src,
-                                                         BroConn *dst);</PRE
-></TD
-></TR
-></TABLE
-><P
->The function makes the connection identified by <TT
-CLASS="PARAMETER"
->dst</TT
-> use the same event
-mask as the one identified by <TT
-CLASS="PARAMETER"
->src</TT
->.</P
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->src</TT
->&nbsp;:</DT
-><DD
-><P
-> Bro connection handle for connection whose event list to adopt.</P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->dst</TT
->&nbsp;:</DT
-><DD
-><P
-> Bro connection handle for connection whose event list to change.</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-CONN-GET-FD"
-></A
-><H3
->bro_conn_get_fd ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->int                 bro_conn_get_fd                     (BroConn *bc);</PRE
-></TD
-></TR
-></TABLE
-><P
->If you need to know the file descriptor of the connection
-(such as when <CODE
-CLASS="FUNCTION"
->select()</CODE
->ing it etc), use this accessor function.</P
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->bc</TT
->&nbsp;:</DT
-><DD
-><P
-> Bro connection handle.</P
-></DD
-><DT
-><SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->Returns</B
-></SPAN
->&nbsp;:</DT
-><DD
-><P
-> file descriptor for connection <TT
-CLASS="PARAMETER"
->bc</TT
->, or negative value
-on error.</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-CONN-PROCESS-INPUT"
-></A
-><H3
->bro_conn_process_input ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->int                 bro_conn_process_input              (BroConn *bc);</PRE
-></TD
-></TR
-></TABLE
-><P
->The function reads all input sent to the local sensor by the
-Bro peering at the connection identified by <TT
-CLASS="PARAMETER"
->bc</TT
->. It is up
-to you to find a spot in the application you're instrumenting
-to make sure this is called. This function cannot block.
-<A
-HREF="broccoli-broccoli.html#BRO-CONN-ALIVE"
-><CODE
-CLASS="FUNCTION"
->bro_conn_alive()</CODE
-></A
-> will report the actual state of the connection
-after a call to <A
-HREF="broccoli-broccoli.html#BRO-CONN-PROCESS-INPUT"
-><CODE
-CLASS="FUNCTION"
->bro_conn_process_input()</CODE
-></A
->.</P
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->bc</TT
->&nbsp;:</DT
-><DD
-><P
-> Bro connection handle</P
-></DD
-><DT
-><SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->Returns</B
-></SPAN
->&nbsp;:</DT
-><DD
-><P
-> <TT
-CLASS="LITERAL"
->TRUE</TT
-> if any input was processed, <TT
-CLASS="LITERAL"
->FALSE</TT
-> otherwise.</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-CONN-DATA-SET"
-></A
-><H3
->bro_conn_data_set ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->void                bro_conn_data_set                   (BroConn *bc,
-                                                         const char *key,
-                                                         void *val);</PRE
-></TD
-></TR
-></TABLE
-><P
->The function stores <TT
-CLASS="PARAMETER"
->val</TT
-> under name <TT
-CLASS="PARAMETER"
->key</TT
-> in the connection handle <TT
-CLASS="PARAMETER"
->bc</TT
->.
-<TT
-CLASS="PARAMETER"
->key</TT
-> is copied internally so you do not need to duplicate it before
-passing.</P
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->bc</TT
->&nbsp;:</DT
-><DD
-><P
-> Bro connection handle.</P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->key</TT
->&nbsp;:</DT
-><DD
-><P
-> name of the data item.</P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->val</TT
->&nbsp;:</DT
-><DD
-><P
-> data item.</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-CONN-DATA-GET"
-></A
-><H3
->bro_conn_data_get ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->void*               bro_conn_data_get                   (BroConn *bc,
-                                                         const char *key);</PRE
-></TD
-></TR
-></TABLE
-><P
->The function tries to look up the data item with name <TT
-CLASS="PARAMETER"
->key</TT
-> and
-if found, returns it.</P
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->bc</TT
->&nbsp;:</DT
-><DD
-><P
-> Bro connection handle.</P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->key</TT
->&nbsp;:</DT
-><DD
-><P
-> name of the data item.</P
-></DD
-><DT
-><SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->Returns</B
-></SPAN
->&nbsp;:</DT
-><DD
-><P
-> data item if lookup was successful, <TT
-CLASS="LITERAL"
->NULL</TT
-> otherwise.</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-CONN-DATA-DEL"
-></A
-><H3
->bro_conn_data_del ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->void*               bro_conn_data_del                   (BroConn *bc,
-                                                         const char *key);</PRE
-></TD
-></TR
-></TABLE
-><P
->The function tries to remove the data item with name <TT
-CLASS="PARAMETER"
->key</TT
->.</P
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->bc</TT
->&nbsp;:</DT
-><DD
-><P
-> Bro connection handle.</P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->key</TT
->&nbsp;:</DT
-><DD
-><P
-> name of the data item.</P
-></DD
-><DT
-><SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->Returns</B
-></SPAN
->&nbsp;:</DT
-><DD
-><P
-> the removed data item if it exists, <TT
-CLASS="LITERAL"
->NULL</TT
-> otherwise.</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-EVENT-NEW"
-></A
-><H3
->bro_event_new ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->BroEvent*           bro_event_new                       (const char *event_name);</PRE
-></TD
-></TR
-></TABLE
-><P
->The function creates a new empty event with the given
-name and returns it.</P
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->event_name</TT
->&nbsp;:</DT
-><DD
-><P
-> name of the Bro event.</P
-></DD
-><DT
-><SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->Returns</B
-></SPAN
->&nbsp;:</DT
-><DD
-><P
-> new event, or <TT
-CLASS="LITERAL"
->NULL</TT
-> if allocation failed.</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-EVENT-FREE"
-></A
-><H3
->bro_event_free ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->void                bro_event_free                      (BroEvent *be);</PRE
-></TD
-></TR
-></TABLE
-><P
->The function releases all memory associated with <TT
-CLASS="PARAMETER"
->be</TT
->. Note 
-that you do NOT have to call this after sending an event.</P
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->be</TT
->&nbsp;:</DT
-><DD
-><P
-> event to release.</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-EVENT-ADD-VAL"
-></A
-><H3
->bro_event_add_val ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->int                 bro_event_add_val                   (BroEvent *be,
-                                                         int type,
-                                                         const char *type_name,
-                                                         const void *val);</PRE
-></TD
-></TR
-></TABLE
-><P
->The function adds the given <TT
-CLASS="PARAMETER"
->val</TT
-> to the argument list of
-event <TT
-CLASS="PARAMETER"
->be</TT
->. The type of <TT
-CLASS="PARAMETER"
->val</TT
-> is derived from <TT
-CLASS="PARAMETER"
->type</TT
->, and may be
-specialized to the type named <TT
-CLASS="PARAMETER"
->type_name</TT
->. If <TT
-CLASS="PARAMETER"
->type_name</TT
-> is not
-desired, use <TT
-CLASS="LITERAL"
->NULL</TT
->.</P
-><P
-><TT
-CLASS="PARAMETER"
->val</TT
-> remains the caller's responsibility and is copied internally.</P
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->be</TT
->&nbsp;:</DT
-><DD
-><P
-> event to add to.</P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->type</TT
->&nbsp;:</DT
-><DD
-><P
-> numerical type identifier (a <TT
-CLASS="LITERAL"
->BRO_TYPE_xxx</TT
-> constant).</P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->type_name</TT
->&nbsp;:</DT
-><DD
-><P
-> optional name of specialized type.</P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->val</TT
->&nbsp;:</DT
-><DD
-><P
-> value to add to event.</P
-></DD
-><DT
-><SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->Returns</B
-></SPAN
->&nbsp;:</DT
-><DD
-><P
-> <TT
-CLASS="LITERAL"
->TRUE</TT
-> if the operation was successful, <TT
-CLASS="LITERAL"
->FALSE</TT
-> otherwise.</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-EVENT-SET-VAL"
-></A
-><H3
->bro_event_set_val ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->int                 bro_event_set_val                   (BroEvent *be,
-                                                         int val_num,
-                                                         int type,
-                                                         const char *type_name,
-                                                         const void *val);</PRE
-></TD
-></TR
-></TABLE
-><P
->The function replaces whatever value is currently stored in the
-event pointed to by <TT
-CLASS="PARAMETER"
->be</TT
-> with the val specified through the <TT
-CLASS="PARAMETER"
->type</TT
-> and
-<TT
-CLASS="PARAMETER"
->val</TT
-> arguments. If the event does not currently hold enough
-values to replace one in position <TT
-CLASS="PARAMETER"
->val_num</TT
->, the function does
-nothing. If you want to indicate a type specialized from <TT
-CLASS="PARAMETER"
->type</TT
->,
-use <TT
-CLASS="PARAMETER"
->type_name</TT
-> to give its name, otherwise pass <TT
-CLASS="LITERAL"
->NULL</TT
-> for <TT
-CLASS="PARAMETER"
->type_name</TT
->.</P
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->be</TT
->&nbsp;:</DT
-><DD
-><P
-> event handle.</P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->val_num</TT
->&nbsp;:</DT
-><DD
-><P
-> number of the value to replace, starting at 0.</P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->type</TT
->&nbsp;:</DT
-><DD
-><P
-> numerical type identifier (a <TT
-CLASS="LITERAL"
->BRO_TYPE_xxx</TT
-> constant).</P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->type_name</TT
->&nbsp;:</DT
-><DD
-><P
-> optional name of specialized type.</P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->val</TT
->&nbsp;:</DT
-><DD
-><P
-> value to put in.</P
-></DD
-><DT
-><SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->Returns</B
-></SPAN
->&nbsp;:</DT
-><DD
-><P
-> <TT
-CLASS="LITERAL"
->TRUE</TT
-> if successful, <TT
-CLASS="LITERAL"
->FALSE</TT
-> on error.</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-EVENT-SEND"
-></A
-><H3
->bro_event_send ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->int                 bro_event_send                      (BroConn *bc,
-                                                         BroEvent *be);</PRE
-></TD
-></TR
-></TABLE
-><P
->The function tries to send <TT
-CLASS="PARAMETER"
->be</TT
-> to the Bro agent connected
-through <TT
-CLASS="PARAMETER"
->bc</TT
->. Regardless of the outcome, you do NOT have
-to release the event afterwards using <A
-HREF="broccoli-broccoli.html#BRO-EVENT-FREE"
-><CODE
-CLASS="FUNCTION"
->bro_event_free()</CODE
-></A
->.</P
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->bc</TT
->&nbsp;:</DT
-><DD
-><P
-> Bro connection handle</P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->be</TT
->&nbsp;:</DT
-><DD
-><P
-> event to send.</P
-></DD
-><DT
-><SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->Returns</B
-></SPAN
->&nbsp;:</DT
-><DD
-><P
-> <TT
-CLASS="LITERAL"
->TRUE</TT
-> if the event got sent or queued for later transmission,
-<TT
-CLASS="LITERAL"
->FALSE</TT
-> on error. There are no automatic repeated send attempts
-(to minimize the effect on the code that Broccoli is linked to).
-If you have to make sure that everything got sent, you have
-to try to empty the queue using <A
-HREF="broccoli-broccoli.html#BRO-EVENT-QUEUE-FLUSH"
-><CODE
-CLASS="FUNCTION"
->bro_event_queue_flush()</CODE
-></A
->, and
-also look at <CODE
-CLASS="FUNCTION"
->bro_event_queue_empty()</CODE
->.</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-EVENT-QUEUE-LENGTH"
-></A
-><H3
->bro_event_queue_length ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->int                 bro_event_queue_length              (BroConn *bc);</PRE
-></TD
-></TR
-></TABLE
-><P
->Use this function to find out how many events are currently queued
-on the client side.</P
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->bc</TT
->&nbsp;:</DT
-><DD
-><P
-> Bro connection handle</P
-></DD
-><DT
-><SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->Returns</B
-></SPAN
->&nbsp;:</DT
-><DD
-><P
-> number of items currently queued.</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-EVENT-QUEUE-FLUSH"
-></A
-><H3
->bro_event_queue_flush ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->int                 bro_event_queue_flush               (BroConn *bc);</PRE
-></TD
-></TR
-></TABLE
-><P
->The function tries to send as many queued events to the Bro
-agent as possible.</P
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->bc</TT
->&nbsp;:</DT
-><DD
-><P
-> Bro connection handle</P
-></DD
-><DT
-><SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->Returns</B
-></SPAN
->&nbsp;:</DT
-><DD
-><P
-> remaining queue length after flush.</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-EVENT-REGISTRY-ADD"
-></A
-><H3
->bro_event_registry_add ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->void                bro_event_registry_add              (BroConn *bc,
-                                                         const char *event_name,
-                                                         <A
-HREF="broccoli-broccoli.html#BROEVENTFUNC"
->BroEventFunc</A
-> func,
-                                                         void *user_data);</PRE
-></TD
-></TR
-></TABLE
-><P
->This function registers the callback <TT
-CLASS="PARAMETER"
->func</TT
-> to be invoked when events
-of name <TT
-CLASS="PARAMETER"
->event_name</TT
-> arrive on connection <TT
-CLASS="PARAMETER"
->bc</TT
->. <TT
-CLASS="PARAMETER"
->user_data</TT
-> is passed along
-to the callback, which will receive it as the second parameter. You
-need to ensure that the memory <TT
-CLASS="PARAMETER"
->user_data</TT
-> points to is valid during the
-time the callback might be invoked.</P
-><P
->Note that this function only registers the callback in the state
-associated with <TT
-CLASS="PARAMETER"
->bc</TT
->. If you use <A
-HREF="broccoli-broccoli.html#BRO-EVENT-REGISTRY-ADD"
-><CODE
-CLASS="FUNCTION"
->bro_event_registry_add()</CODE
-></A
-> and <TT
-CLASS="PARAMETER"
->bc</TT
->
-has not yet been connected via <A
-HREF="broccoli-broccoli.html#BRO-CONN-CONNECT"
-><CODE
-CLASS="FUNCTION"
->bro_conn_connect()</CODE
-></A
->, then no further
-action is required. <A
-HREF="broccoli-broccoli.html#BRO-CONN-CONNECT"
-><CODE
-CLASS="FUNCTION"
->bro_conn_connect()</CODE
-></A
-> request ant registered event types.
-If however you are requesting additional event types after the connection has
-been established, then you also need to call <A
-HREF="broccoli-broccoli.html#BRO-EVENT-REGISTRY-REQUEST"
-><CODE
-CLASS="FUNCTION"
->bro_event_registry_request()</CODE
-></A
->
-in order to signal to the peering Bro that you want to receive those events.</P
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->bc</TT
->&nbsp;:</DT
-><DD
-><P
-> Bro connection handle</P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->event_name</TT
->&nbsp;:</DT
-><DD
-><P
-> Name of events that trigger callback</P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->func</TT
->&nbsp;:</DT
-><DD
-><P
-> callback to invoke.</P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->user_data</TT
->&nbsp;:</DT
-><DD
-><P
-> user data passed through to the callback.</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-EVENT-REGISTRY-ADD-COMPACT"
-></A
-><H3
->bro_event_registry_add_compact ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->void                bro_event_registry_add_compact      (BroConn *bc,
-                                                         const char *event_name,
-                                                         <A
-HREF="broccoli-broccoli.html#BROCOMPACTEVENTFUNC"
->BroCompactEventFunc</A
-> func,
-                                                         void *user_data);</PRE
-></TD
-></TR
-></TABLE
-><P
->This function registers the callback <TT
-CLASS="PARAMETER"
->func</TT
-> to be invoked when events
-of name <TT
-CLASS="PARAMETER"
->event_name</TT
-> arrive on connection <TT
-CLASS="PARAMETER"
->bc</TT
->. <TT
-CLASS="PARAMETER"
->user_data</TT
-> is passed along
-to the callback, which will receive it as the second parameter. You
-need to ensure that the memory <TT
-CLASS="PARAMETER"
->user_data</TT
-> points to is valid during the
-time the callback might be invoked. See <A
-HREF="broccoli-broccoli.html#BRO-EVENT-REGISTRY-ADD"
-><CODE
-CLASS="FUNCTION"
->bro_event_registry_add()</CODE
-></A
-> for
-details.</P
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->bc</TT
->&nbsp;:</DT
-><DD
-><P
-> Bro connection handle</P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->event_name</TT
->&nbsp;:</DT
-><DD
-><P
-> Name of events that trigger callback</P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->func</TT
->&nbsp;:</DT
-><DD
-><P
-> callback to invoke.</P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->user_data</TT
->&nbsp;:</DT
-><DD
-><P
-> user data passed through to the callback.</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-EVENT-REGISTRY-REMOVE"
-></A
-><H3
->bro_event_registry_remove ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->void                bro_event_registry_remove           (BroConn *bc,
-                                                         const char *event_name);</PRE
-></TD
-></TR
-></TABLE
-><P
->The function removes all callbacks for event <TT
-CLASS="PARAMETER"
->event_name</TT
-> from the
-event registry for connection <TT
-CLASS="PARAMETER"
->bc</TT
->.</P
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->bc</TT
->&nbsp;:</DT
-><DD
-><P
-> Bro connection handle</P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->event_name</TT
->&nbsp;:</DT
-><DD
-><P
-> event to ignore from now on.</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-EVENT-REGISTRY-REQUEST"
-></A
-><H3
->bro_event_registry_request ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->void                bro_event_registry_request          (BroConn *bc);</PRE
-></TD
-></TR
-></TABLE
-><P
->The function requests the events you have previously requested using
-<A
-HREF="broccoli-broccoli.html#BRO-EVENT-REGISTRY-ADD"
-><CODE
-CLASS="FUNCTION"
->bro_event_registry_add()</CODE
-></A
-> from the Bro listening on <TT
-CLASS="PARAMETER"
->bc</TT
->.</P
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->bc</TT
->&nbsp;:</DT
-><DD
-><P
-> Bro connection handle</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-BUF-NEW"
-></A
-><H3
->bro_buf_new ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->BroBuf*             bro_buf_new                         (void);</PRE
-></TD
-></TR
-></TABLE
-><P
-></P
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->Returns</B
-></SPAN
->&nbsp;:</DT
-><DD
-><P
->a new buffer object, or <TT
-CLASS="LITERAL"
->NULL</TT
-> on error. Use paired with
-<A
-HREF="broccoli-broccoli.html#BRO-BUF-FREE"
-><CODE
-CLASS="FUNCTION"
->bro_buf_free()</CODE
-></A
->.</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-BUF-FREE"
-></A
-><H3
->bro_buf_free ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->void                bro_buf_free                        (BroBuf *buf);</PRE
-></TD
-></TR
-></TABLE
-><P
->The function releases all memory held by the buffer pointed
-to by <TT
-CLASS="PARAMETER"
->buf</TT
->. Use paired with <A
-HREF="broccoli-broccoli.html#BRO-BUF-NEW"
-><CODE
-CLASS="FUNCTION"
->bro_buf_new()</CODE
-></A
->.</P
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->buf</TT
->&nbsp;:</DT
-><DD
-><P
-> buffer pointer.</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-BUF-APPEND"
-></A
-><H3
->bro_buf_append ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->int                 bro_buf_append                      (BroBuf *buf,
-                                                         void *data,
-                                                         int data_len);</PRE
-></TD
-></TR
-></TABLE
-><P
->The function appends data to the end of the buffer,
-enlarging it if necessary to hold the <TT
-CLASS="PARAMETER"
->len</TT
-> new bytes.
-NOTE: it does not modify the buffer pointer. It only
-appends new data where buf_off is currently pointing
-and updates it accordingly. If you DO want the buffer
-pointer to be updated, have a look at <A
-HREF="broccoli-broccoli.html#BRO-BUF-PTR-WRITE"
-><CODE
-CLASS="FUNCTION"
->bro_buf_ptr_write()</CODE
-></A
->
-instead.</P
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->buf</TT
->&nbsp;:</DT
-><DD
-><P
-> buffer pointer.</P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->data</TT
->&nbsp;:</DT
-><DD
-><P
-> new data to append to buffer.</P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->data_len</TT
->&nbsp;:</DT
-><DD
-><P
-> size of <TT
-CLASS="PARAMETER"
->data</TT
->.</P
-></DD
-><DT
-><SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->Returns</B
-></SPAN
->&nbsp;:</DT
-><DD
-><P
-> <TT
-CLASS="LITERAL"
->TRUE</TT
-> if successful, <TT
-CLASS="LITERAL"
->FALSE</TT
-> otherwise.</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-BUF-CONSUME"
-></A
-><H3
->bro_buf_consume ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->void                bro_buf_consume                     (BroBuf *buf);</PRE
-></TD
-></TR
-></TABLE
-><P
->The function removes the buffer contents between the start
-of the buffer and the point where the buffer pointer
-currently points to. The idea is that you call <A
-HREF="broccoli-broccoli.html#BRO-BUF-PTR-READ"
-><CODE
-CLASS="FUNCTION"
->bro_buf_ptr_read()</CODE
-></A
->
-a few times to extract data from the buffer, and then
-call <A
-HREF="broccoli-broccoli.html#BRO-BUF-CONSUME"
-><CODE
-CLASS="FUNCTION"
->bro_buf_consume()</CODE
-></A
-> to signal to the buffer that the
-extracted data are no longer needed inside the buffer.</P
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->buf</TT
->&nbsp;:</DT
-><DD
-><P
-> buffer pointer.</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-BUF-RESET"
-></A
-><H3
->bro_buf_reset ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->void                bro_buf_reset                       (BroBuf *buf);</PRE
-></TD
-></TR
-></TABLE
-><P
->The function resets the buffer pointers to the beginning of the
-currently allocated buffer, i.e., it marks the buffer as empty.</P
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->buf</TT
->&nbsp;:</DT
-><DD
-><P
-> buffer pointer.</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-BUF-GET"
-></A
-><H3
->bro_buf_get ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->uchar*              bro_buf_get                         (BroBuf *buf);</PRE
-></TD
-></TR
-></TABLE
-><P
-></P
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->buf</TT
->&nbsp;:</DT
-><DD
-><P
-> buffer pointer.</P
-></DD
-><DT
-><SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->Returns</B
-></SPAN
->&nbsp;:</DT
-><DD
-><P
->the entire buffer's contents.</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-BUF-GET-END"
-></A
-><H3
->bro_buf_get_end ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->uchar*              bro_buf_get_end                     (BroBuf *buf);</PRE
-></TD
-></TR
-></TABLE
-><P
-></P
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->buf</TT
->&nbsp;:</DT
-><DD
-><P
-> buffer pointer.</P
-></DD
-><DT
-><SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->Returns</B
-></SPAN
->&nbsp;:</DT
-><DD
-><P
-> a pointer to the first byte in the
-buffer that is not currently used.</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-BUF-GET-SIZE"
-></A
-><H3
->bro_buf_get_size ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->uint                bro_buf_get_size                    (BroBuf *buf);</PRE
-></TD
-></TR
-></TABLE
-><P
-></P
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->buf</TT
->&nbsp;:</DT
-><DD
-><P
-> buffer pointer.</P
-></DD
-><DT
-><SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->Returns</B
-></SPAN
->&nbsp;:</DT
-><DD
-><P
-> the number of actual bytes allocated for the
-buffer.</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-BUF-GET-USED-SIZE"
-></A
-><H3
->bro_buf_get_used_size ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->uint                bro_buf_get_used_size               (BroBuf *buf);</PRE
-></TD
-></TR
-></TABLE
-><P
-></P
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->buf</TT
->&nbsp;:</DT
-><DD
-><P
-> buffer pointer.</P
-></DD
-><DT
-><SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->Returns</B
-></SPAN
->&nbsp;:</DT
-><DD
-><P
-> number of bytes currently used.</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-BUF-PTR-GET"
-></A
-><H3
->bro_buf_ptr_get ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->uchar*              bro_buf_ptr_get                     (BroBuf *buf);</PRE
-></TD
-></TR
-></TABLE
-><P
-></P
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->buf</TT
->&nbsp;:</DT
-><DD
-><P
-> buffer pointer.</P
-></DD
-><DT
-><SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->Returns</B
-></SPAN
->&nbsp;:</DT
-><DD
-><P
-> current buffer content pointer.</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-BUF-PTR-TELL"
-></A
-><H3
->bro_buf_ptr_tell ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->uint32              bro_buf_ptr_tell                    (BroBuf *buf);</PRE
-></TD
-></TR
-></TABLE
-><P
-></P
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->buf</TT
->&nbsp;:</DT
-><DD
-><P
-> buffer pointer.</P
-></DD
-><DT
-><SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->Returns</B
-></SPAN
->&nbsp;:</DT
-><DD
-><P
-> current offset of buffer content pointer.</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-BUF-PTR-SEEK"
-></A
-><H3
->bro_buf_ptr_seek ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->int                 bro_buf_ptr_seek                    (BroBuf *buf,
-                                                         int offset,
-                                                         int whence);</PRE
-></TD
-></TR
-></TABLE
-><P
->The function adjusts the position of <TT
-CLASS="PARAMETER"
->buf</TT
->'s content
-pointer. Call semantics are identical to <CODE
-CLASS="FUNCTION"
->fseek()</CODE
->, thus
-use <TT
-CLASS="PARAMETER"
->offset</TT
-> to indicate the offset by which to jump and
-use <TT
-CLASS="LITERAL"
->SEEK_SET</TT
->, <TT
-CLASS="LITERAL"
->SEEK_CUR</TT
->, or <TT
-CLASS="LITERAL"
->SEEK_END</TT
-> to specify the
-position relative to which to adjust.</P
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->buf</TT
->&nbsp;:</DT
-><DD
-><P
-> buffer pointer.</P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->offset</TT
->&nbsp;:</DT
-><DD
-><P
-> number of bytes by which to adjust pointer, positive or negative.</P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->whence</TT
->&nbsp;:</DT
-><DD
-><P
-> location relative to which to adjust.</P
-></DD
-><DT
-><SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->Returns</B
-></SPAN
->&nbsp;:</DT
-><DD
-><P
-> <TT
-CLASS="LITERAL"
->TRUE</TT
-> if adjustment could be made, <TT
-CLASS="LITERAL"
->FALSE</TT
->
-if not (e.g. because the offset requested is not within
-legal bounds).</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-BUF-PTR-CHECK"
-></A
-><H3
->bro_buf_ptr_check ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->int                 bro_buf_ptr_check                   (BroBuf *buf,
-                                                         int size);</PRE
-></TD
-></TR
-></TABLE
-><P
->The function checks whether <TT
-CLASS="PARAMETER"
->size</TT
-> bytes could be read from the
-buffer using <A
-HREF="broccoli-broccoli.html#BRO-BUF-PTR-READ"
-><CODE
-CLASS="FUNCTION"
->bro_buf_ptr_read()</CODE
-></A
->.</P
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->buf</TT
->&nbsp;:</DT
-><DD
-><P
-> buffer pointer.</P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->size</TT
->&nbsp;:</DT
-><DD
-><P
-> number of bytes to check for availability.</P
-></DD
-><DT
-><SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->Returns</B
-></SPAN
->&nbsp;:</DT
-><DD
-><P
-> <TT
-CLASS="LITERAL"
->TRUE</TT
-> if <TT
-CLASS="PARAMETER"
->size</TT
-> bytes can be read, <TT
-CLASS="LITERAL"
->FALSE</TT
-> if not.</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-BUF-PTR-READ"
-></A
-><H3
->bro_buf_ptr_read ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->int                 bro_buf_ptr_read                    (BroBuf *buf,
-                                                         void *data,
-                                                         int size);</PRE
-></TD
-></TR
-></TABLE
-><P
->The function copies <TT
-CLASS="PARAMETER"
->size</TT
-> bytes into <TT
-CLASS="PARAMETER"
->data</TT
-> if the buffer
-has <TT
-CLASS="PARAMETER"
->size</TT
-> bytes available from the current location of
-the buffer content pointer onward, incrementing the content
-pointer accordingly. If not, the function doesn't do anything.
-It behaves thus different from the normal <CODE
-CLASS="FUNCTION"
->read()</CODE
-> in that
-it either copies the amount requested or nothing.</P
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->buf</TT
->&nbsp;:</DT
-><DD
-><P
-> buffer pointer.</P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->data</TT
->&nbsp;:</DT
-><DD
-><P
-> destination area.</P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->size</TT
->&nbsp;:</DT
-><DD
-><P
-> number of bytes to copy into <TT
-CLASS="PARAMETER"
->data</TT
->.</P
-></DD
-><DT
-><SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->Returns</B
-></SPAN
->&nbsp;:</DT
-><DD
-><P
-> <TT
-CLASS="LITERAL"
->TRUE</TT
-> if <TT
-CLASS="PARAMETER"
->size</TT
-> bytes were copied, <TT
-CLASS="LITERAL"
->FALSE</TT
-> if not.</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-BUF-PTR-WRITE"
-></A
-><H3
->bro_buf_ptr_write ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->int                 bro_buf_ptr_write                   (BroBuf *buf,
-                                                         void *data,
-                                                         int size);</PRE
-></TD
-></TR
-></TABLE
-><P
->The function writes <TT
-CLASS="PARAMETER"
->size</TT
-> bytes of the area pointed to by <TT
-CLASS="PARAMETER"
->data</TT
->
-into the buffer <TT
-CLASS="PARAMETER"
->buf</TT
-> at the current location of its content pointer,
-adjusting the content pointer accordingly. If the buffer doesn't have
-enough space to receive <TT
-CLASS="PARAMETER"
->size</TT
-> bytes, more space is allocated.</P
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->buf</TT
->&nbsp;:</DT
-><DD
-><P
-> buffer pointer.</P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->data</TT
->&nbsp;:</DT
-><DD
-><P
-> data to write.</P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->size</TT
->&nbsp;:</DT
-><DD
-><P
-> number of bytes to copy into <TT
-CLASS="PARAMETER"
->data</TT
->.</P
-></DD
-><DT
-><SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->Returns</B
-></SPAN
->&nbsp;:</DT
-><DD
-><P
-> <TT
-CLASS="LITERAL"
->TRUE</TT
-> if <TT
-CLASS="PARAMETER"
->size</TT
-> bytes were copied, <TT
-CLASS="LITERAL"
->FALSE</TT
-> if an error
-occurred and the bytes could not be copied.</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-CONF-GET-INT"
-></A
-><H3
->bro_conf_get_int ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->int                 bro_conf_get_int                    (const char *val_name,
-                                                         int *val);</PRE
-></TD
-></TR
-></TABLE
-><P
->The function tries to find an integer item named <TT
-CLASS="PARAMETER"
->val_name</TT
-> in the
-configuration. If it is found, its value is placed into the
-int pointed to by <TT
-CLASS="PARAMETER"
->val</TT
->.</P
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->val_name</TT
->&nbsp;:</DT
-><DD
-><P
-> key name for the value.</P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->val</TT
->&nbsp;:</DT
-><DD
-><P
-> result pointer for the value.</P
-></DD
-><DT
-><SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->Returns</B
-></SPAN
->&nbsp;:</DT
-><DD
-><P
-> <TT
-CLASS="LITERAL"
->TRUE</TT
-> if <TT
-CLASS="PARAMETER"
->val_name</TT
-> was found, <TT
-CLASS="LITERAL"
->FALSE</TT
-> otherwise.</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-CONF-GET-DBL"
-></A
-><H3
->bro_conf_get_dbl ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->int                 bro_conf_get_dbl                    (const char *val_name,
-                                                         double *val);</PRE
-></TD
-></TR
-></TABLE
-><P
->The function tries to find a double float item named <TT
-CLASS="PARAMETER"
->val_name</TT
-> 
-in the configuration. If it is found, its value is placed into the
-double pointed to by <TT
-CLASS="PARAMETER"
->val</TT
->.</P
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->val_name</TT
->&nbsp;:</DT
-><DD
-><P
-> key name for the value.</P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->val</TT
->&nbsp;:</DT
-><DD
-><P
-> result pointer for the value.</P
-></DD
-><DT
-><SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->Returns</B
-></SPAN
->&nbsp;:</DT
-><DD
-><P
-> <TT
-CLASS="LITERAL"
->TRUE</TT
-> if <TT
-CLASS="PARAMETER"
->val_name</TT
-> was found, <TT
-CLASS="LITERAL"
->FALSE</TT
-> otherwise.</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-CONF-GET-STR"
-></A
-><H3
->bro_conf_get_str ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->const char*         bro_conf_get_str                    (const char *val_name);</PRE
-></TD
-></TR
-></TABLE
-><P
->The function tries to find a string item named <TT
-CLASS="PARAMETER"
->val_name</TT
-> in the
-configuration.</P
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->val_name</TT
->&nbsp;:</DT
-><DD
-><P
-> key name for the value.</P
-></DD
-><DT
-><SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->Returns</B
-></SPAN
->&nbsp;:</DT
-><DD
-><P
-> the config item if <TT
-CLASS="PARAMETER"
->val_name</TT
-> was found, <TT
-CLASS="LITERAL"
->NULL</TT
-> otherwise.
-A returned string is stored internally and not to be modified. If
-you need to keep it around, <CODE
-CLASS="FUNCTION"
->strdup()</CODE
-> it.</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-CONF-SET-DOMAIN"
-></A
-><H3
->bro_conf_set_domain ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->void                bro_conf_set_domain                 (const char *domain);</PRE
-></TD
-></TR
-></TABLE
-><P
->Broccoli's config files are divided into sections. At the beginning of
-each config file you can have an unnamed section that will be used by
-default. Case is irrelevant. By passing <TT
-CLASS="LITERAL"
->NULL</TT
-> for <TT
-CLASS="PARAMETER"
->domain</TT
->, you select
-the default domain, otherwise the one that matches <TT
-CLASS="PARAMETER"
->domain</TT
->. <TT
-CLASS="PARAMETER"
->domain</TT
-> is
-copied internally.</P
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->domain</TT
->&nbsp;:</DT
-><DD
-><P
-> name of the domain, or <TT
-CLASS="LITERAL"
->NULL</TT
->.</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-STRING-INIT"
-></A
-><H3
->bro_string_init ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->void                bro_string_init                     (BroString *bs);</PRE
-></TD
-></TR
-></TABLE
-><P
->The function initializes the BroString pointed to by <TT
-CLASS="PARAMETER"
->bs</TT
->. Use this
-function before using the members of a BroString you're using on the
-stack.</P
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->bs</TT
->&nbsp;:</DT
-><DD
-><P
-> string pointer.</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-STRING-SET"
-></A
-><H3
->bro_string_set ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->int                 bro_string_set                      (BroString *bs,
-                                                         const char *s);</PRE
-></TD
-></TR
-></TABLE
-><P
->The function initializes the BroString pointed to by <TT
-CLASS="PARAMETER"
->bs</TT
-> to the string
-given in <TT
-CLASS="PARAMETER"
->s</TT
->. <TT
-CLASS="PARAMETER"
->s</TT
->'s content is copied, so you can modify or free <TT
-CLASS="PARAMETER"
->s</TT
->
-after calling this, and you need to call <A
-HREF="broccoli-broccoli.html#BRO-STRING-CLEANUP"
-><CODE
-CLASS="FUNCTION"
->bro_string_cleanup()</CODE
-></A
-> on the
-BroString pointed to by <TT
-CLASS="PARAMETER"
->bs</TT
->.</P
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->bs</TT
->&nbsp;:</DT
-><DD
-><P
-> string pointer.</P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->s</TT
->&nbsp;:</DT
-><DD
-><P
-> C ASCII string.</P
-></DD
-><DT
-><SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->Returns</B
-></SPAN
->&nbsp;:</DT
-><DD
-><P
-> <TT
-CLASS="LITERAL"
->TRUE</TT
-> is successful, <TT
-CLASS="LITERAL"
->FALSE</TT
-> otherwise.</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-STRING-SET-DATA"
-></A
-><H3
->bro_string_set_data ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->int                 bro_string_set_data                 (BroString *bs,
-                                                         const uchar *data,
-                                                         int data_len);</PRE
-></TD
-></TR
-></TABLE
-><P
->The function initializes the BroString pointed to by <TT
-CLASS="PARAMETER"
->bs</TT
-> to <TT
-CLASS="PARAMETER"
->data_len</TT
->
-bytes starting at <TT
-CLASS="PARAMETER"
->data</TT
->. <TT
-CLASS="PARAMETER"
->data</TT
->'s content is copied, so you can modify
-or free <TT
-CLASS="PARAMETER"
->data</TT
-> after calling this.</P
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->bs</TT
->&nbsp;:</DT
-><DD
-><P
-> string pointer.</P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->data</TT
->&nbsp;:</DT
-><DD
-><P
-> arbitrary data.</P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->data_len</TT
->&nbsp;:</DT
-><DD
-><P
-> length of <TT
-CLASS="PARAMETER"
->data</TT
->.</P
-></DD
-><DT
-><SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->Returns</B
-></SPAN
->&nbsp;:</DT
-><DD
-><P
-> <TT
-CLASS="LITERAL"
->TRUE</TT
-> is successful, <TT
-CLASS="LITERAL"
->FALSE</TT
-> otherwise.</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-STRING-GET-DATA"
-></A
-><H3
->bro_string_get_data ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->const uchar*        bro_string_get_data                 (const BroString *bs);</PRE
-></TD
-></TR
-></TABLE
-><P
->The function returns a pointer to the string's internal data. You
-can copy out the string using this function in combination with
-<A
-HREF="broccoli-broccoli.html#BRO-STRING-GET-LENGTH"
-><CODE
-CLASS="FUNCTION"
->bro_string_get_length()</CODE
-></A
->, for obtaining the string's length.</P
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->bs</TT
->&nbsp;:</DT
-><DD
-><P
-> string pointer.</P
-></DD
-><DT
-><SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->Returns</B
-></SPAN
->&nbsp;:</DT
-><DD
-><P
-> pointer to string, or <TT
-CLASS="LITERAL"
->NULL</TT
-> on error.</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-STRING-GET-LENGTH"
-></A
-><H3
->bro_string_get_length ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->uint32              bro_string_get_length               (const BroString *bs);</PRE
-></TD
-></TR
-></TABLE
-><P
-></P
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->bs</TT
->&nbsp;:</DT
-><DD
-><P
-> string pointer.</P
-></DD
-><DT
-><SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->Returns</B
-></SPAN
->&nbsp;:</DT
-><DD
-><P
-> the string's length.</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-STRING-COPY"
-></A
-><H3
->bro_string_copy ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->BroString*          bro_string_copy                     (BroString *bs);</PRE
-></TD
-></TR
-></TABLE
-><P
-></P
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->bs</TT
->&nbsp;:</DT
-><DD
-><P
-> string pointer.</P
-></DD
-><DT
-><SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->Returns</B
-></SPAN
->&nbsp;:</DT
-><DD
-><P
-> a deep copy of the BroString pointed to by <TT
-CLASS="PARAMETER"
->bs</TT
->, or <TT
-CLASS="LITERAL"
->NULL</TT
-> on
-error.</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-STRING-CLEANUP"
-></A
-><H3
->bro_string_cleanup ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->void                bro_string_cleanup                  (BroString *bs);</PRE
-></TD
-></TR
-></TABLE
-><P
->This function releases all contents claimed by the BroString pointed
-to by <TT
-CLASS="PARAMETER"
->bs</TT
->, without releasing that BroString structure itself. Use
-this when manipulating a BroString on the stack, paired with
-<A
-HREF="broccoli-broccoli.html#BRO-STRING-INIT"
-><CODE
-CLASS="FUNCTION"
->bro_string_init()</CODE
-></A
->.</P
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->bs</TT
->&nbsp;:</DT
-><DD
-><P
-> string pointer.</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-STRING-FREE"
-></A
-><H3
->bro_string_free ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->void                bro_string_free                     (BroString *bs);</PRE
-></TD
-></TR
-></TABLE
-><P
->This function releases the entire BroString pointed to by <TT
-CLASS="PARAMETER"
->bs</TT
->, including
-the BroString structure itself.</P
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->bs</TT
->&nbsp;:</DT
-><DD
-><P
-> string pointer.</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-RECORD-NEW"
-></A
-><H3
->bro_record_new ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->BroRecord*          bro_record_new                      (void);</PRE
-></TD
-></TR
-></TABLE
-><P
->The function allocates and initializes a new empty record. BroRecords
-are used for adding and retrieving records vals to/from events. You
-do not have to specify a record type separately when you create a
-record. The type is defined implicitly by the sequence of types formed
-by the sequence of vals added to the record, along with the names for
-each val. See the manual for details.</P
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->Returns</B
-></SPAN
->&nbsp;:</DT
-><DD
-><P
-> a new record, or <TT
-CLASS="LITERAL"
->NULL</TT
-> on error.</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-RECORD-FREE"
-></A
-><H3
->bro_record_free ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->void                bro_record_free                     (BroRecord *rec);</PRE
-></TD
-></TR
-></TABLE
-><P
->The function releases all memory consumed by the record pointed to
-by <TT
-CLASS="PARAMETER"
->rec</TT
->.</P
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->rec</TT
->&nbsp;:</DT
-><DD
-><P
-> record handle.</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-RECORD-ADD-VAL"
-></A
-><H3
->bro_record_add_val ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->int                 bro_record_add_val                  (BroRecord *rec,
-                                                         const char *name,
-                                                         int type,
-                                                         const char *type_name,
-                                                         const void *val);</PRE
-></TD
-></TR
-></TABLE
-><P
->The function adds a new field to the record pointed to by <TT
-CLASS="PARAMETER"
->rec</TT
-> and
-assigns the value passed in to that field. The field name is given
-in <TT
-CLASS="PARAMETER"
->name</TT
->, the type of the val is given in <TT
-CLASS="PARAMETER"
->type</TT
-> and must be one of
-the <TT
-CLASS="LITERAL"
->BRO_TYPE_xxx</TT
-> constants defined in broccoli.h. The type you give
-implies what data type <TT
-CLASS="PARAMETER"
->val</TT
-> must be pointing to; see the manual for
-details. If you want to indicate a type specialized from <TT
-CLASS="PARAMETER"
->type</TT
->,
-use <TT
-CLASS="PARAMETER"
->type_name</TT
-> to give its name, otherwise pass <TT
-CLASS="LITERAL"
->NULL</TT
-> for <TT
-CLASS="PARAMETER"
->type_name</TT
->.
-It is possible to leave fields unassigned, in that case, pass in
-<TT
-CLASS="LITERAL"
->NULL</TT
-> for <TT
-CLASS="PARAMETER"
->val</TT
->.</P
-><P
-><TT
-CLASS="PARAMETER"
->val</TT
-> remains the caller's responsibility and is copied internally.</P
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->rec</TT
->&nbsp;:</DT
-><DD
-><P
-> record handle.</P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->name</TT
->&nbsp;:</DT
-><DD
-><P
-> field name of the added val.</P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->type</TT
->&nbsp;:</DT
-><DD
-><P
-> numerical type tag of the new val.</P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->type_name</TT
->&nbsp;:</DT
-><DD
-><P
-> optional name of specialized type.</P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->val</TT
->&nbsp;:</DT
-><DD
-><P
-> pointer to the new val*.</P
-></DD
-><DT
-><SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->Returns</B
-></SPAN
->&nbsp;:</DT
-><DD
-><P
-> <TT
-CLASS="LITERAL"
->TRUE</TT
-> on success, <TT
-CLASS="LITERAL"
->FALSE</TT
-> on error.</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-RECORD-GET-NTH-VAL"
-></A
-><H3
->bro_record_get_nth_val ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->void*               bro_record_get_nth_val              (BroRecord *rec,
-                                                         int num,
-                                                         int *type);</PRE
-></TD
-></TR
-></TABLE
-><P
->The function returns the <TT
-CLASS="PARAMETER"
->num</TT
->'th value of the record pointed to
-by <TT
-CLASS="PARAMETER"
->rec</TT
->, expected to be of <TT
-CLASS="PARAMETER"
->type</TT
->. The returned value is internal
-and needs to be duplicated if you want to keep it around. Upon
-return, the int pointed to by <TT
-CLASS="PARAMETER"
->type</TT
-> tells you the type of the returned
-val, as a BRO_TYPE_xxx type tag. If the int pointed to upon calling
-the function has the value BRO_TYPE_UNKNOWN, no type checking is
-performed and the value is returned. If it is any other type tag,
-its value is compared to that of the value, and if they match, the
-value is returned. Otherwise, the return value is <TT
-CLASS="LITERAL"
->NULL</TT
->. If you don't
-care about type enforcement and don't want to know the value's type,
-you may pass <TT
-CLASS="LITERAL"
->NULL</TT
-> for <TT
-CLASS="PARAMETER"
->type</TT
->.</P
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->rec</TT
->&nbsp;:</DT
-><DD
-><P
-> record handle.</P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->num</TT
->&nbsp;:</DT
-><DD
-><P
-> field index, starting from 0.</P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->type</TT
->&nbsp;:</DT
-><DD
-><P
-> value-result argument for the expected/actual type of the value.</P
-></DD
-><DT
-><SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->Returns</B
-></SPAN
->&nbsp;:</DT
-><DD
-><P
-> pointer to queried value on success, <TT
-CLASS="LITERAL"
->NULL</TT
-> on error.</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-RECORD-GET-NTH-NAME"
-></A
-><H3
->bro_record_get_nth_name ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->const char*         bro_record_get_nth_name             (BroRecord *rec,
-                                                         int num);</PRE
-></TD
-></TR
-></TABLE
-><P
->The function returns the <TT
-CLASS="PARAMETER"
->num</TT
->'th name of the record pointed to by <TT
-CLASS="PARAMETER"
->rec</TT
->.</P
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->rec</TT
->&nbsp;:</DT
-><DD
-><P
-> record handle.</P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->num</TT
->&nbsp;:</DT
-><DD
-><P
-> field index, starting from 0.</P
-></DD
-><DT
-><SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->Returns</B
-></SPAN
->&nbsp;:</DT
-><DD
-><P
-> field name on success, <TT
-CLASS="LITERAL"
->NULL</TT
-> on error.</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-RECORD-GET-NAMED-VAL"
-></A
-><H3
->bro_record_get_named_val ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->void*               bro_record_get_named_val            (BroRecord *rec,
-                                                         const char *name,
-                                                         int *type);</PRE
-></TD
-></TR
-></TABLE
-><P
->The function returns the value of the field named <TT
-CLASS="PARAMETER"
->name</TT
-> in the
-record pointed to by <TT
-CLASS="PARAMETER"
->rec</TT
->. The returned value is internal and needs
-to be duplicated if you want to keep it around. <TT
-CLASS="PARAMETER"
->type</TT
-> works as with
-<A
-HREF="broccoli-broccoli.html#BRO-RECORD-GET-NTH-VAL"
-><CODE
-CLASS="FUNCTION"
->bro_record_get_nth_val()</CODE
-></A
->, see there for more details.</P
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->rec</TT
->&nbsp;:</DT
-><DD
-><P
-> record handle.</P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->name</TT
->&nbsp;:</DT
-><DD
-><P
-> field name.</P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->type</TT
->&nbsp;:</DT
-><DD
-><P
-> value-result argument for the expected/actual type of the value.</P
-></DD
-><DT
-><SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->Returns</B
-></SPAN
->&nbsp;:</DT
-><DD
-><P
-> pointer to queried value on success, <TT
-CLASS="LITERAL"
->NULL</TT
-> on error.</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-RECORD-SET-NTH-VAL"
-></A
-><H3
->bro_record_set_nth_val ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->int                 bro_record_set_nth_val              (BroRecord *rec,
-                                                         int num,
-                                                         int type,
-                                                         const char *type_name,
-                                                         const void *val);</PRE
-></TD
-></TR
-></TABLE
-><P
->The function replaces the <TT
-CLASS="PARAMETER"
->num</TT
->'th value of the record pointed to
-by <TT
-CLASS="PARAMETER"
->rec</TT
->, expected to be of <TT
-CLASS="PARAMETER"
->type</TT
->. All values are copied internally
-so what <TT
-CLASS="PARAMETER"
->val</TT
-> points to stays unmodified. The value of <TT
-CLASS="PARAMETER"
->type</TT
-> implies
-what <TT
-CLASS="PARAMETER"
->result</TT
-> must be pointing to. See the manual for details.
-If you want to indicate a type specialized from <TT
-CLASS="PARAMETER"
->type</TT
->, use
-<TT
-CLASS="PARAMETER"
->type_name</TT
-> to give its name, otherwise pass <TT
-CLASS="LITERAL"
->NULL</TT
-> for <TT
-CLASS="PARAMETER"
->type_name</TT
->.</P
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->rec</TT
->&nbsp;:</DT
-><DD
-><P
-> record handle.</P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->num</TT
->&nbsp;:</DT
-><DD
-><P
-> field index, starting from 0.</P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->type</TT
->&nbsp;:</DT
-><DD
-><P
-> expected type of the value.</P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->type_name</TT
->&nbsp;:</DT
-><DD
-><P
-> optional name of specialized type.</P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->val</TT
->&nbsp;:</DT
-><DD
-><P
-> pointer to new val.</P
-></DD
-><DT
-><SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->Returns</B
-></SPAN
->&nbsp;:</DT
-><DD
-><P
-> <TT
-CLASS="LITERAL"
->TRUE</TT
-> on success, <TT
-CLASS="LITERAL"
->FALSE</TT
-> on error.</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-RECORD-SET-NAMED-VAL"
-></A
-><H3
->bro_record_set_named_val ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->int                 bro_record_set_named_val            (BroRecord *rec,
-                                                         const char *name,
-                                                         int type,
-                                                         const char *type_name,
-                                                         const void *val);</PRE
-></TD
-></TR
-></TABLE
-><P
->The function replaces the value named <TT
-CLASS="PARAMETER"
->name</TT
-> in the record pointed to
-by <TT
-CLASS="PARAMETER"
->rec</TT
->, expected to be of <TT
-CLASS="PARAMETER"
->type</TT
->. All values are copied internally
-so what <TT
-CLASS="PARAMETER"
->val</TT
-> points to stays unmodified. The value of <TT
-CLASS="PARAMETER"
->type</TT
-> implies
-what <TT
-CLASS="PARAMETER"
->result</TT
-> must be pointing to. See the manual for details.
-If you want to indicate a type specialized from <TT
-CLASS="PARAMETER"
->type</TT
->,
-use <TT
-CLASS="PARAMETER"
->type_name</TT
-> to give its name, otherwise pass <TT
-CLASS="LITERAL"
->NULL</TT
-> for <TT
-CLASS="PARAMETER"
->type_name</TT
->.</P
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->rec</TT
->&nbsp;:</DT
-><DD
-><P
-> record handle.</P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->name</TT
->&nbsp;:</DT
-><DD
-><P
-> field name.</P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->type</TT
->&nbsp;:</DT
-><DD
-><P
-> expected type of the value.</P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->type_name</TT
->&nbsp;:</DT
-><DD
-><P
-> optional name of specialized type.</P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->val</TT
->&nbsp;:</DT
-><DD
-><P
-> pointer to new val.</P
-></DD
-><DT
-><SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->Returns</B
-></SPAN
->&nbsp;:</DT
-><DD
-><P
-> <TT
-CLASS="LITERAL"
->TRUE</TT
-> on success, <TT
-CLASS="LITERAL"
->FALSE</TT
-> on error.</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BROTABLECALLBACK"
-></A
-><H3
->BroTableCallback ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->int                 (*BroTableCallback)                 (void *key,
-                                                         void *val,
-                                                         void *user_data);</PRE
-></TD
-></TR
-></TABLE
-><P
->This is the signature of callbacks used when iterating over all
-elements stored in a BroSet.</P
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->key</TT
->&nbsp;:</DT
-><DD
-><P
-></P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->val</TT
->&nbsp;:</DT
-><DD
-><P
-> a pointer to an element in the set.</P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->user_data</TT
->&nbsp;:</DT
-><DD
-><P
-> user data passed through.</P
-></DD
-><DT
-><SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->Returns</B
-></SPAN
->&nbsp;:</DT
-><DD
-><P
-> TRUE if iteration should continue, FALSE if done.</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-TABLE-NEW"
-></A
-><H3
->bro_table_new ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->BroTable*           bro_table_new                       (void);</PRE
-></TD
-></TR
-></TABLE
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->Returns</B
-></SPAN
->&nbsp;:</DT
-><DD
-><P
->&#13;</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-TABLE-FREE"
-></A
-><H3
->bro_table_free ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->void                bro_table_free                      (BroTable *tbl);</PRE
-></TD
-></TR
-></TABLE
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->tbl</TT
->&nbsp;:</DT
-><DD
-><P
->&#13;</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-TABLE-INSERT"
-></A
-><H3
->bro_table_insert ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->int                 bro_table_insert                    (BroTable *tbl,
-                                                         int key_type,
-                                                         const void *key,
-                                                         int val_type,
-                                                         const void *val);</PRE
-></TD
-></TR
-></TABLE
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->tbl</TT
->&nbsp;:</DT
-><DD
-><P
-></P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->key_type</TT
->&nbsp;:</DT
-><DD
-><P
-></P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->key</TT
->&nbsp;:</DT
-><DD
-><P
-></P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->val_type</TT
->&nbsp;:</DT
-><DD
-><P
-></P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->val</TT
->&nbsp;:</DT
-><DD
-><P
-></P
-></DD
-><DT
-><SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->Returns</B
-></SPAN
->&nbsp;:</DT
-><DD
-><P
->&#13;</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-TABLE-FIND"
-></A
-><H3
->bro_table_find ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->void*               bro_table_find                      (BroTable *tbl,
-                                                         const void *key);</PRE
-></TD
-></TR
-></TABLE
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->tbl</TT
->&nbsp;:</DT
-><DD
-><P
-></P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->key</TT
->&nbsp;:</DT
-><DD
-><P
-></P
-></DD
-><DT
-><SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->Returns</B
-></SPAN
->&nbsp;:</DT
-><DD
-><P
->&#13;</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-TABLE-GET-SIZE"
-></A
-><H3
->bro_table_get_size ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->int                 bro_table_get_size                  (BroTable *tbl);</PRE
-></TD
-></TR
-></TABLE
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->tbl</TT
->&nbsp;:</DT
-><DD
-><P
-></P
-></DD
-><DT
-><SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->Returns</B
-></SPAN
->&nbsp;:</DT
-><DD
-><P
->&#13;</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-TABLE-GET-TYPES"
-></A
-><H3
->bro_table_get_types ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->void                bro_table_get_types                 (BroTable *tbl,
-                                                         int *key_type,
-                                                         int *val_type);</PRE
-></TD
-></TR
-></TABLE
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->tbl</TT
->&nbsp;:</DT
-><DD
-><P
-></P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->key_type</TT
->&nbsp;:</DT
-><DD
-><P
-></P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->val_type</TT
->&nbsp;:</DT
-><DD
-><P
->&#13;</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-TABLE-FOREACH"
-></A
-><H3
->bro_table_foreach ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->void                bro_table_foreach                   (BroTable *tbl,
-                                                         <A
-HREF="broccoli-broccoli.html#BROTABLECALLBACK"
->BroTableCallback</A
-> cb,
-                                                         void *user_data);</PRE
-></TD
-></TR
-></TABLE
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->tbl</TT
->&nbsp;:</DT
-><DD
-><P
-></P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->cb</TT
->&nbsp;:</DT
-><DD
-><P
-></P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->user_data</TT
->&nbsp;:</DT
-><DD
-><P
->&#13;</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BROSETCALLBACK"
-></A
-><H3
->BroSetCallback ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->int                 (*BroSetCallback)                   (void *val,
-                                                         void *user_data);</PRE
-></TD
-></TR
-></TABLE
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->val</TT
->&nbsp;:</DT
-><DD
-><P
-></P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->user_data</TT
->&nbsp;:</DT
-><DD
-><P
-></P
-></DD
-><DT
-><SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->Returns</B
-></SPAN
->&nbsp;:</DT
-><DD
-><P
->&#13;</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-SET-NEW"
-></A
-><H3
->bro_set_new ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->BroSet*             bro_set_new                         (void);</PRE
-></TD
-></TR
-></TABLE
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->Returns</B
-></SPAN
->&nbsp;:</DT
-><DD
-><P
->&#13;</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-SET-FREE"
-></A
-><H3
->bro_set_free ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->void                bro_set_free                        (BroSet *set);</PRE
-></TD
-></TR
-></TABLE
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->set</TT
->&nbsp;:</DT
-><DD
-><P
->&#13;</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-SET-INSERT"
-></A
-><H3
->bro_set_insert ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->int                 bro_set_insert                      (BroSet *set,
-                                                         int type,
-                                                         const void *val);</PRE
-></TD
-></TR
-></TABLE
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->set</TT
->&nbsp;:</DT
-><DD
-><P
-></P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->type</TT
->&nbsp;:</DT
-><DD
-><P
-></P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->val</TT
->&nbsp;:</DT
-><DD
-><P
-></P
-></DD
-><DT
-><SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->Returns</B
-></SPAN
->&nbsp;:</DT
-><DD
-><P
->&#13;</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-SET-FIND"
-></A
-><H3
->bro_set_find ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->int                 bro_set_find                        (BroSet *set,
-                                                         const void *key);</PRE
-></TD
-></TR
-></TABLE
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->set</TT
->&nbsp;:</DT
-><DD
-><P
-></P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->key</TT
->&nbsp;:</DT
-><DD
-><P
-></P
-></DD
-><DT
-><SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->Returns</B
-></SPAN
->&nbsp;:</DT
-><DD
-><P
->&#13;</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-SET-GET-SIZE"
-></A
-><H3
->bro_set_get_size ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->int                 bro_set_get_size                    (BroSet *set);</PRE
-></TD
-></TR
-></TABLE
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->set</TT
->&nbsp;:</DT
-><DD
-><P
-></P
-></DD
-><DT
-><SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->Returns</B
-></SPAN
->&nbsp;:</DT
-><DD
-><P
->&#13;</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-SET-GET-TYPE"
-></A
-><H3
->bro_set_get_type ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->void                bro_set_get_type                    (BroSet *set,
-                                                         int *type);</PRE
-></TD
-></TR
-></TABLE
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->set</TT
->&nbsp;:</DT
-><DD
-><P
-></P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->type</TT
->&nbsp;:</DT
-><DD
-><P
->&#13;</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-SET-FOREACH"
-></A
-><H3
->bro_set_foreach ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->void                bro_set_foreach                     (BroSet *set,
-                                                         <A
-HREF="broccoli-broccoli.html#BROSETCALLBACK"
->BroSetCallback</A
-> cb,
-                                                         void *user_data);</PRE
-></TD
-></TR
-></TABLE
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->set</TT
->&nbsp;:</DT
-><DD
-><P
-></P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->cb</TT
->&nbsp;:</DT
-><DD
-><P
-></P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->user_data</TT
->&nbsp;:</DT
-><DD
-><P
->&#13;</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-CONN-SET-PACKET-CTXT"
-></A
-><H3
->bro_conn_set_packet_ctxt ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->void                bro_conn_set_packet_ctxt            (BroConn *bc,
-                                                         int link_type);</PRE
-></TD
-></TR
-></TABLE
-><P
->The function sets the packet context for <TT
-CLASS="PARAMETER"
->bc</TT
-> for future BroPackets
-handled by this connection.</P
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->bc</TT
->&nbsp;:</DT
-><DD
-><P
-> connection handle.</P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->link_type</TT
->&nbsp;:</DT
-><DD
-><P
-> libpcap DLT linklayer type.</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-CONN-GET-PACKET-CTXT"
-></A
-><H3
->bro_conn_get_packet_ctxt ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->void                bro_conn_get_packet_ctxt            (BroConn *bc,
-                                                         int *link_type);</PRE
-></TD
-></TR
-></TABLE
-><P
->The function returns <TT
-CLASS="PARAMETER"
->bc</TT
->'s current packet context through <TT
-CLASS="PARAMETER"
->link_type</TT
->.</P
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->bc</TT
->&nbsp;:</DT
-><DD
-><P
-> connection handle.</P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->link_type</TT
->&nbsp;:</DT
-><DD
-><P
-> result pointer for libpcap DLT linklayer type.</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-PACKET-NEW"
-></A
-><H3
->bro_packet_new ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->BroPacket*          bro_packet_new                      (const struct pcap_pkthdr *hdr,
-                                                         const u_char *data,
-                                                         const char *tag);</PRE
-></TD
-></TR
-></TABLE
-><P
->The function creates a new BroPacket by copying <TT
-CLASS="PARAMETER"
->hdr</TT
-> and <TT
-CLASS="PARAMETER"
->data</TT
-> internally.
-Release the resulting packet using <A
-HREF="broccoli-broccoli.html#BRO-PACKET-FREE"
-><CODE
-CLASS="FUNCTION"
->bro_packet_free()</CODE
-></A
->.</P
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->hdr</TT
->&nbsp;:</DT
-><DD
-><P
-> pointer to libpcap packet header.</P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->data</TT
->&nbsp;:</DT
-><DD
-><P
-> pointer to libpcap packet data.</P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->tag</TT
->&nbsp;:</DT
-><DD
-><P
-> pointer to ASCII tag (0 for no tag).</P
-></DD
-><DT
-><SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->Returns</B
-></SPAN
->&nbsp;:</DT
-><DD
-><P
->&#13;</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-PACKET-CLONE"
-></A
-><H3
->bro_packet_clone ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->BroPacket*          bro_packet_clone                    (const BroPacket *packet);</PRE
-></TD
-></TR
-></TABLE
-><P
-></P
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->packet</TT
->&nbsp;:</DT
-><DD
-><P
-> packet to clone.</P
-></DD
-><DT
-><SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->Returns</B
-></SPAN
->&nbsp;:</DT
-><DD
-><P
-> a copy of <TT
-CLASS="PARAMETER"
->packet</TT
->, or <TT
-CLASS="LITERAL"
->NULL</TT
-> on error.</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-PACKET-FREE"
-></A
-><H3
->bro_packet_free ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->void                bro_packet_free                     (BroPacket *packet);</PRE
-></TD
-></TR
-></TABLE
-><P
->The function releases all memory occupied by a packet previously allocated
-using <A
-HREF="broccoli-broccoli.html#BRO-PACKET-NEW"
-><CODE
-CLASS="FUNCTION"
->bro_packet_new()</CODE
-></A
->.</P
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->packet</TT
->&nbsp;:</DT
-><DD
-><P
-> packet to release.</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-PACKET-SEND"
-></A
-><H3
->bro_packet_send ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->int                 bro_packet_send                     (BroConn *bc,
-                                                         BroPacket *packet);</PRE
-></TD
-></TR
-></TABLE
-><P
->The function sends <TT
-CLASS="PARAMETER"
->packet</TT
-> to the Bro peer connected via <TT
-CLASS="PARAMETER"
->bc</TT
->.</P
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->bc</TT
->&nbsp;:</DT
-><DD
-><P
-> connection on which to send packet.</P
-></DD
-><DT
-><TT
-CLASS="PARAMETER"
->packet</TT
->&nbsp;:</DT
-><DD
-><P
-> packet to send.</P
-></DD
-><DT
-><SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->Returns</B
-></SPAN
->&nbsp;:</DT
-><DD
-><P
-> <TT
-CLASS="LITERAL"
->TRUE</TT
-> if successful, <TT
-CLASS="LITERAL"
->FALSE</TT
-> otherwise.</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-UTIL-CURRENT-TIME"
-></A
-><H3
->bro_util_current_time ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->double              bro_util_current_time               (void);</PRE
-></TD
-></TR
-></TABLE
-><P
-></P
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->Returns</B
-></SPAN
->&nbsp;:</DT
-><DD
-><P
-> the current system time as a double, in seconds, suitable
-for passing to <CODE
-CLASS="FUNCTION"
->bro_event_add_time()</CODE
->.</P
-></DD
-></DL
-></DIV
-></DIV
-><HR><DIV
-CLASS="REFSECT2"
-><A
-NAME="BRO-UTIL-TIMEVAL-TO-DOUBLE"
-></A
-><H3
->bro_util_timeval_to_double ()</H3
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->double              bro_util_timeval_to_double          (const struct timeval *tv);</PRE
-></TD
-></TR
-></TABLE
-><P
-></P
-><P
-></P
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="PARAMETER"
->tv</TT
->&nbsp;:</DT
-><DD
-><P
-> pointer to timeval structure.</P
-></DD
-><DT
-><SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->Returns</B
-></SPAN
->&nbsp;:</DT
-><DD
-><P
-> a double encoding the timestamp given in <TT
-CLASS="PARAMETER"
->tv</TT
-> in a floating
-point double, with the fraction of a second between 0.0 and 1.0.</P
-></DD
-></DL
-></DIV
-></DIV
-></DIV
-><DIV
-CLASS="NAVFOOTER"
-><HR
-ALIGN="LEFT"
-WIDTH="100%"><TABLE
-SUMMARY="Footer navigation table"
-WIDTH="100%"
-BORDER="0"
-CELLPADDING="0"
-CELLSPACING="0"
-><TR
-><TD
-WIDTH="33%"
-ALIGN="left"
-VALIGN="top"
-><A
-HREF="api.html"
-ACCESSKEY="P"
->Prev</A
-></TD
-><TD
-WIDTH="34%"
-ALIGN="center"
-VALIGN="top"
-><A
-HREF="index.html"
-ACCESSKEY="H"
->Home</A
-></TD
-><TD
-WIDTH="33%"
-ALIGN="right"
-VALIGN="top"
-><A
-HREF="a3637.html"
-ACCESSKEY="N"
->Next</A
-></TD
-></TR
-><TR
-><TD
-WIDTH="33%"
-ALIGN="left"
-VALIGN="top"
->Broccoli API Reference</TD
-><TD
-WIDTH="34%"
-ALIGN="center"
-VALIGN="top"
-><A
-HREF="api.html"
-ACCESSKEY="U"
->Up</A
-></TD
-><TD
-WIDTH="33%"
-ALIGN="right"
-VALIGN="top"
->Appendix</TD
-></TR
-></TABLE
-></DIV
-></BODY
-></HTML
->
\ No newline at end of file
diff --git a/aux/broccoli/docs/html/c20.html b/aux/broccoli/docs/html/c20.html
deleted file mode 100644
index d903a4f4f9..0000000000
--- a/aux/broccoli/docs/html/c20.html
+++ /dev/null
@@ -1,330 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<HTML
-><HEAD
-><TITLE
->Introduction</TITLE
-><META
-NAME="GENERATOR"
-CONTENT="Modular DocBook HTML Stylesheet Version 1.79"><LINK
-REL="HOME"
-TITLE="Broccoli: The Bro Client Communications Library"
-HREF="index.html"><LINK
-REL="PREVIOUS"
-TITLE="Broccoli: The Bro Client Communications Library"
-HREF="index.html"><LINK
-REL="NEXT"
-TITLE="Installing Broccoli"
-HREF="c54.html"><LINK
-REL="STYLESHEET"
-TYPE="text/css"
-HREF="stylesheet.css"></HEAD
-><BODY
-CLASS="CHAPTER"
-BGCOLOR="#FFFFFF"
-TEXT="#000000"
-LINK="#0000FF"
-VLINK="#840084"
-ALINK="#0000FF"
-><DIV
-CLASS="NAVHEADER"
-><TABLE
-SUMMARY="Header navigation table"
-WIDTH="100%"
-BORDER="0"
-CELLPADDING="0"
-CELLSPACING="0"
-><TR
-><TH
-COLSPAN="3"
-ALIGN="center"
->Broccoli: The Bro Client Communications Library</TH
-></TR
-><TR
-><TD
-WIDTH="10%"
-ALIGN="left"
-VALIGN="bottom"
-><A
-HREF="index.html"
-ACCESSKEY="P"
->Prev</A
-></TD
-><TD
-WIDTH="80%"
-ALIGN="center"
-VALIGN="bottom"
-></TD
-><TD
-WIDTH="10%"
-ALIGN="right"
-VALIGN="bottom"
-><A
-HREF="c54.html"
-ACCESSKEY="N"
->Next</A
-></TD
-></TR
-></TABLE
-><HR
-ALIGN="LEFT"
-WIDTH="100%"></DIV
-><DIV
-CLASS="CHAPTER"
-><H1
-><A
-NAME="AEN20"
-></A
->Chapter 1. Introduction</H1
-><DIV
-CLASS="TOC"
-><DL
-><DT
-><B
->Table of Contents</B
-></DT
-><DT
->1.1. <A
-HREF="c20.html#AEN23"
->What is Broccoli?</A
-></DT
-><DT
->1.2. <A
-HREF="c20.html#AEN34"
->Why do I care?</A
-></DT
-></DL
-></DIV
-><P
->    Welcome! You're looking at the Broccoli manual. Thanks for reading this.
-    </P
-><BR
-CLEAR="all"><DIV
-CLASS="SECT1"
-><H1
-CLASS="SECT1"
-><A
-NAME="AEN23"
->1.1. What is Broccoli?</A
-></H1
-><P
->	Broccoli is the <SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->BRO</B
-></SPAN
-> <SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->C</B
-></SPAN
->lient
-	<SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->CO</B
-></SPAN
->mmunications <SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->LI</B
-></SPAN
->brary. It allows
-	you to write applications that speak the communication protocol of the
-	<A
-HREF="http://www.bro-ids.org"
-TARGET="_top"
->Bro intrusion detection system</A
->.	
-	In this document, we assume that you are familiar with the basic concepts
-	of Bro. If you need a refresher, please have a look at the
-	<A
-HREF="http://www.icir.org/vern/papers/bro-CN99.html"
-TARGET="_top"
->original paper</A
->,
-	the <A
-HREF="http://www.bro-ids.org/Bro-user-manual/index.html"
-TARGET="_top"
->user manual</A
->,
-	and the material on <A
-HREF="http://www.bro-ids.org"
-TARGET="_top"
->bro-ids.org</A
-> in general.
-      </P
-></DIV
-><BR
-CLEAR="all"><DIV
-CLASS="SECT1"
-><H1
-CLASS="SECT1"
-><A
-NAME="AEN34"
->1.2. Why do I care?</A
-></H1
-><P
->        Having a single IDS on your network is good, but things become a lot more interesting
-	when you can communicate information among multiple vantage points in your network.
-	Bro agents can communicate with other Bro agents, sending and receiving events and
-	other state information. In the Bro context this is particularly interesting because
-	it means that you can build sophisticated policy-controlled distributed event
-	management systems.
-      </P
-><P
->	Broccoli enters the picture when it comes to integrating components that are not
-	Bro agents themselves. Broccoli lets you create applications that can speak the Bro
-	communication protocol. You can compose, send, request, and receive events.
-	You can register your own event handlers. You can talk to other Broccoli
-	applications or Bro agents &mdash; Bro agents cannot tell whether they are talking
-	to another Bro or a Broccoli application. Broccoli allows you to integrate applications
-	of your choosing into a distributed policy-controlled event management system.
-	Broccoli is intended
-	to be portable: it should build on Linux, the BSDs, Solaris, and Windows
-	(in the <A
-HREF="http://www.mingw.org"
-TARGET="_top"
->MinGW</A
-> environment).
-      </P
-><P
->	Unlike other distributed IDSs, Bro does not assume a strict sensor&ndash;manager
-	hierarchy in the information flow. Instead, Bro agents can request delivery of
-	arbitrary <SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->events</B
-></SPAN
->
-	from other instances. When an event is triggered in a Bro agent, it checks
-	whether any connected agents have requested notification of this event,
-	and send a <SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->copy</B
-></SPAN
-> of the event, including the <SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->event arguments</B
-></SPAN
->.
-	Recall that in Bro, an event handler is essentially a function defined in
-	the Bro language, and an event materializes through invocation of an event handler.
-	Each remote agent can define its own event handlers.
-      </P
-><P
->        Broccoli applications will typically do one or more of the following:
-      </P
-><P
-></P
-><UL
-><LI
-><P
->	   <SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->Configuration/Management Tasks:</B
-></SPAN
-> the Broccoli application
-	   is used to configure remotely running Bros without the need for a restart.
-	  </P
-></LI
-><LI
-><P
->	   <SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->Interfacing other Systems:</B
-></SPAN
-> the Broccoli application
-	   is used to convert Bro events to other alert/notice formats, for into
-	   syslogd entries.
-	  </P
-></LI
-><LI
-><P
->	   <SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->Host-based Sensor Feeds into Bro:</B
-></SPAN
-> the Broccoli
-	   application reports events based on host-based activity generated in
-	   kernel space or user space applications.
-	  </P
-></LI
-></UL
-></DIV
-></DIV
-><DIV
-CLASS="NAVFOOTER"
-><HR
-ALIGN="LEFT"
-WIDTH="100%"><TABLE
-SUMMARY="Footer navigation table"
-WIDTH="100%"
-BORDER="0"
-CELLPADDING="0"
-CELLSPACING="0"
-><TR
-><TD
-WIDTH="33%"
-ALIGN="left"
-VALIGN="top"
-><A
-HREF="index.html"
-ACCESSKEY="P"
->Prev</A
-></TD
-><TD
-WIDTH="34%"
-ALIGN="center"
-VALIGN="top"
-><A
-HREF="index.html"
-ACCESSKEY="H"
->Home</A
-></TD
-><TD
-WIDTH="33%"
-ALIGN="right"
-VALIGN="top"
-><A
-HREF="c54.html"
-ACCESSKEY="N"
->Next</A
-></TD
-></TR
-><TR
-><TD
-WIDTH="33%"
-ALIGN="left"
-VALIGN="top"
->Broccoli: The Bro Client Communications Library</TD
-><TD
-WIDTH="34%"
-ALIGN="center"
-VALIGN="top"
->&nbsp;</TD
-><TD
-WIDTH="33%"
-ALIGN="right"
-VALIGN="top"
->Installing Broccoli</TD
-></TR
-></TABLE
-></DIV
-></BODY
-></HTML
->
\ No newline at end of file
diff --git a/aux/broccoli/docs/html/c54.html b/aux/broccoli/docs/html/c54.html
deleted file mode 100644
index b80639b22c..0000000000
--- a/aux/broccoli/docs/html/c54.html
+++ /dev/null
@@ -1,227 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<HTML
-><HEAD
-><TITLE
->Installing Broccoli</TITLE
-><META
-NAME="GENERATOR"
-CONTENT="Modular DocBook HTML Stylesheet Version 1.79"><LINK
-REL="HOME"
-TITLE="Broccoli: The Bro Client Communications Library"
-HREF="index.html"><LINK
-REL="PREVIOUS"
-TITLE="Introduction"
-HREF="c20.html"><LINK
-REL="NEXT"
-TITLE="Using Broccoli"
-HREF="c84.html"><LINK
-REL="STYLESHEET"
-TYPE="text/css"
-HREF="stylesheet.css"></HEAD
-><BODY
-CLASS="CHAPTER"
-BGCOLOR="#FFFFFF"
-TEXT="#000000"
-LINK="#0000FF"
-VLINK="#840084"
-ALINK="#0000FF"
-><DIV
-CLASS="NAVHEADER"
-><TABLE
-SUMMARY="Header navigation table"
-WIDTH="100%"
-BORDER="0"
-CELLPADDING="0"
-CELLSPACING="0"
-><TR
-><TH
-COLSPAN="3"
-ALIGN="center"
->Broccoli: The Bro Client Communications Library</TH
-></TR
-><TR
-><TD
-WIDTH="10%"
-ALIGN="left"
-VALIGN="bottom"
-><A
-HREF="c20.html"
-ACCESSKEY="P"
->Prev</A
-></TD
-><TD
-WIDTH="80%"
-ALIGN="center"
-VALIGN="bottom"
-></TD
-><TD
-WIDTH="10%"
-ALIGN="right"
-VALIGN="bottom"
-><A
-HREF="c84.html"
-ACCESSKEY="N"
->Next</A
-></TD
-></TR
-></TABLE
-><HR
-ALIGN="LEFT"
-WIDTH="100%"></DIV
-><DIV
-CLASS="CHAPTER"
-><H1
-><A
-NAME="AEN54"
-></A
->Chapter 2. Installing Broccoli</H1
-><P
->      The installation process will hopefully be painless: Broccoli is installed from source
-      using the usual <B
-CLASS="COMMAND"
->./configure &lt;options&gt; &#38;&#38; make &#38;&#38; make install</B
->
-      routine after extraction of the tarball. Or if you're on a Linux systems supporting
-      RPMs, we provide those as well.
-    </P
-><P
->      The relevant configuration options to pass to configure are:
-      <P
-></P
-><UL
-><LI
-><P
-><B
-CLASS="COMMAND"
->--prefix=&lt;DIR&gt;</B
->: sets the installation root to DIR.
-	  The default is to install below <TT
-CLASS="FILENAME"
->/usr/local</TT
->.</P
-></LI
-><LI
-><P
-><B
-CLASS="COMMAND"
->--enable-debug</B
->: enables debugging output.
-          Please refer to the <A
-HREF="c84.html#AEN818"
->Broccoli debugging</A
->
-	  section for details on configuring and using debugging output.
-          </P
-></LI
-><LI
-><P
-><B
-CLASS="COMMAND"
->--with-configfile=&lt;FILE&gt;</B
->: use FILE as location of configuration file.
-	  See the section on <A
-HREF="c84.html#AEN665"
->configuration files</A
->
-	  below for more on this.
-	  </P
-></LI
-><LI
-><P
-><B
-CLASS="COMMAND"
->--with-openssl=&lt;DIR&gt;</B
->: use the OpenSSL installation below DIR.</P
-></LI
-><LI
-><P
-><B
-CLASS="COMMAND"
->--with-kerberos=&lt;DIR&gt;</B
->: use the Kerberos installation below DIR.</P
-></LI
-></UL
->
-    </P
-><P
->      After installation, you'll find the library in shared and static versions in <TT
-CLASS="FILENAME"
->&lt;prefix&gt;/lib</TT
->
-      the header file for compilation in <TT
-CLASS="FILENAME"
->&lt;prefix&gt;/include</TT
->, and the
-      manual in HTML below <TT
-CLASS="FILENAME"
->&lt;prefix&gt;/share/gtk-doc/html/broccoli</TT
->.      
-    </P
-><P
->      When installing from source, you can get rid of the installation using <B
-CLASS="COMMAND"
->make uninstall</B
->.
-    </P
-></DIV
-><DIV
-CLASS="NAVFOOTER"
-><HR
-ALIGN="LEFT"
-WIDTH="100%"><TABLE
-SUMMARY="Footer navigation table"
-WIDTH="100%"
-BORDER="0"
-CELLPADDING="0"
-CELLSPACING="0"
-><TR
-><TD
-WIDTH="33%"
-ALIGN="left"
-VALIGN="top"
-><A
-HREF="c20.html"
-ACCESSKEY="P"
->Prev</A
-></TD
-><TD
-WIDTH="34%"
-ALIGN="center"
-VALIGN="top"
-><A
-HREF="index.html"
-ACCESSKEY="H"
->Home</A
-></TD
-><TD
-WIDTH="33%"
-ALIGN="right"
-VALIGN="top"
-><A
-HREF="c84.html"
-ACCESSKEY="N"
->Next</A
-></TD
-></TR
-><TR
-><TD
-WIDTH="33%"
-ALIGN="left"
-VALIGN="top"
->Introduction</TD
-><TD
-WIDTH="34%"
-ALIGN="center"
-VALIGN="top"
->&nbsp;</TD
-><TD
-WIDTH="33%"
-ALIGN="right"
-VALIGN="top"
->Using Broccoli</TD
-></TR
-></TABLE
-></DIV
-></BODY
-></HTML
->
\ No newline at end of file
diff --git a/aux/broccoli/docs/html/c84.html b/aux/broccoli/docs/html/c84.html
deleted file mode 100644
index 66175af506..0000000000
--- a/aux/broccoli/docs/html/c84.html
+++ /dev/null
@@ -1,4038 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<HTML
-><HEAD
-><TITLE
->Using Broccoli</TITLE
-><META
-NAME="GENERATOR"
-CONTENT="Modular DocBook HTML Stylesheet Version 1.79"><LINK
-REL="HOME"
-TITLE="Broccoli: The Bro Client Communications Library"
-HREF="index.html"><LINK
-REL="PREVIOUS"
-TITLE="Installing Broccoli"
-HREF="c54.html"><LINK
-REL="NEXT"
-TITLE="Broccoli API Reference"
-HREF="api.html"><LINK
-REL="STYLESHEET"
-TYPE="text/css"
-HREF="stylesheet.css"></HEAD
-><BODY
-CLASS="CHAPTER"
-BGCOLOR="#FFFFFF"
-TEXT="#000000"
-LINK="#0000FF"
-VLINK="#840084"
-ALINK="#0000FF"
-><DIV
-CLASS="NAVHEADER"
-><TABLE
-SUMMARY="Header navigation table"
-WIDTH="100%"
-BORDER="0"
-CELLPADDING="0"
-CELLSPACING="0"
-><TR
-><TH
-COLSPAN="3"
-ALIGN="center"
->Broccoli: The Bro Client Communications Library</TH
-></TR
-><TR
-><TD
-WIDTH="10%"
-ALIGN="left"
-VALIGN="bottom"
-><A
-HREF="c54.html"
-ACCESSKEY="P"
->Prev</A
-></TD
-><TD
-WIDTH="80%"
-ALIGN="center"
-VALIGN="bottom"
-></TD
-><TD
-WIDTH="10%"
-ALIGN="right"
-VALIGN="bottom"
-><A
-HREF="api.html"
-ACCESSKEY="N"
->Next</A
-></TD
-></TR
-></TABLE
-><HR
-ALIGN="LEFT"
-WIDTH="100%"></DIV
-><DIV
-CLASS="CHAPTER"
-><H1
-><A
-NAME="AEN84"
-></A
->Chapter 3. Using Broccoli</H1
-><DIV
-CLASS="TOC"
-><DL
-><DT
-><B
->Table of Contents</B
-></DT
-><DT
->3.1. <A
-HREF="c84.html#AEN87"
->Obtaining information about your build using <TT
-CLASS="FILENAME"
->broccoli-config</TT
-></A
-></DT
-><DT
->3.2. <A
-HREF="c84.html#AEN121"
->Suggestions for instrumenting applications</A
-></DT
-><DT
->3.3. <A
-HREF="c84.html#AEN134"
->The Broccoli API</A
-></DT
-><DT
->3.4. <A
-HREF="c84.html#AEN738"
->Configuring encrypted communication</A
-></DT
-><DT
->3.5. <A
-HREF="c84.html#AEN784"
->Configuring event reception in Bro policies</A
-></DT
-><DT
->3.6. <A
-HREF="c84.html#AEN818"
->Configuring debugging output</A
-></DT
-><DT
->3.7. <A
-HREF="c84.html#AEN842"
->Test programs</A
-></DT
-></DL
-></DIV
-><P
->    </P
-><BR
-CLEAR="all"><DIV
-CLASS="SECT1"
-><H1
-CLASS="SECT1"
-><A
-NAME="AEN87"
->3.1. Obtaining information about your build using <TT
-CLASS="FILENAME"
->broccoli-config</TT
-></A
-></H1
-><P
->	Similarly to many other software packages, the Broccoli distribution
-	provides a script that you can use to obtain details about your
-	Broccoli setup. The script currently provides the following flags:
-	<P
-></P
-><UL
-><LI
-><P
-><B
-CLASS="COMMAND"
->--build</B
-> prints the name of the machine the build was
-		made on, when, and whether debugging support was enabled or not.</P
-></LI
-><LI
-><P
-><B
-CLASS="COMMAND"
->--prefix</B
-> prints the directory in the filesystem
-		below which Broccoli was installed.</P
-></LI
-><LI
-><P
-><B
-CLASS="COMMAND"
->--version</B
-> prints the version of the distribution
-		you have installed.</P
-></LI
-><LI
-><P
-><B
-CLASS="COMMAND"
->--libs</B
-> prints the flags to pass to the
-		linker in order to link in the Broccoli library.</P
-></LI
-><LI
-><P
-><B
-CLASS="COMMAND"
->--cflags</B
-> prints the flags to pass to the
-		compiler in order to properly include Broccoli's header file.</P
-></LI
-><LI
-><P
-><B
-CLASS="COMMAND"
->--config</B
-> prints the location of the system-wide
-		config file your installation will use.</P
-></LI
-></UL
->	 
-      </P
-><P
->	  The <TT
-CLASS="FILENAME"
->--cflags</TT
-> and <TT
-CLASS="FILENAME"
->--libs</TT
-> flags
-	  are the suggested way of obtaining the necessary information for integrating
-	  Broccoli into your build environment. It is generally recommended to use
-	  <TT
-CLASS="FILENAME"
->broccoli-config</TT
-> for this purpose, rather than, say,
-	  develop new <B
-CLASS="COMMAND"
->autoconf </B
-> tests. 
-          If you use the <B
-CLASS="COMMAND"
->autoconf</B
->/<B
-CLASS="COMMAND"
->automake</B
->
-          tools, we recommend something along the following lines for your
-	  <TT
-CLASS="FILENAME"
->configure</TT
-> script:
-      </P
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->dnl ##################################################
-dnl # Check for Broccoli
-dnl ##################################################
-AC_ARG_WITH(broccoli-config,
-    AC_HELP_STRING([--with-broccoli-config=FILE], [Use given broccoli-config]),
-    [ brocfg="$withval" ],
-    [ AC_PATH_GENERIC(broccoli,,
-          brocfg="broccoli-config",
-          AC_MSG_ERROR(Cannot find Broccoli: Is broccoli-config in path? Use more fertilizer?)) ])
-
-broccoli_libs=`$brocfg --libs`
-broccoli_cflags=`$brocfg --cflags`
-AC_SUBST(broccoli_libs)
-AC_SUBST(broccoli_cflags)
-      </PRE
-></TD
-></TR
-></TABLE
-><P
->      You can then use the compiler/linker flags in your Makefile.in/ams by
-      substituting in the values accordingly, which might look as follows:
-      </P
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->CFLAGS = -W -Wall -g -DFOOBAR @broccoli_cflags@
-LDFLAGS = -L/usr/lib/foobar @broccoli_libs@
-      </PRE
-></TD
-></TR
-></TABLE
-></DIV
-><BR
-CLEAR="all"><DIV
-CLASS="SECT1"
-><H1
-CLASS="SECT1"
-><A
-NAME="AEN121"
->3.2. Suggestions for instrumenting applications</A
-></H1
-><P
->          Often you will want to make existing applications Bro-aware,
-	  that is, <SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->instrument</B
-></SPAN
-> them so that they can send and
-	  receive Bro events at appropriate moments in the execution flow.
-	  This will involve modifying an existing code tree, so care needs to
-	  be taken to avoid unwanted side effects. By protecting the instrumented
-	  code with
-	  <CODE
-CLASS="FUNCTION"
->#ifdef</CODE
->/<CODE
-CLASS="FUNCTION"
->#endif</CODE
->
-	  statements you can still build the original application, using the
-	  instrumented source tree. The <TT
-CLASS="FILENAME"
->broccoli-config</TT
-> script helps you in doing so because
-	  it already adds <CODE
-CLASS="FUNCTION"
->-DBROCCOLI</CODE
-> to the compiler flags
-	  reported when run with the <TT
-CLASS="FILENAME"
->--cflags</TT
-> option:
-      </P
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->cpk25@localhost:/home/cpk25 &#62; broccoli-config --cflags
--I/usr/local/include -I/usr/local/include -DBROCCOLI
-      </PRE
-></TD
-></TR
-></TABLE
-><P
->	  So simply surround all inserted code with a preprocessor check
-	  for <CODE
-CLASS="FUNCTION"
->BROCCOLI</CODE
-> and you will be able to
-	  build the original application as soon as <CODE
-CLASS="FUNCTION"
->BROCCOLI</CODE
->
-	  is not defined.
-      </P
-></DIV
-><BR
-CLEAR="all"><DIV
-CLASS="SECT1"
-><H1
-CLASS="SECT1"
-><A
-NAME="AEN134"
->3.3. The Broccoli API</A
-></H1
-><P
->          Time for some code. In the code snippets below we will introduce variables
-	  whenever context requires them and not necessarily when C requires them.
-	  The library does not require calling a global initialization function.
-	  In order to make the API known, include <TT
-CLASS="FILENAME"
->broccoli.h</TT
->:
-      </P
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->#ifdef BROCCOLI
-#include &#60;broccoli.h&#62;
-#endif
-      </PRE
-></TD
-></TR
-></TABLE
-><DIV
-CLASS="NOTE"
-><P
-></P
-><TABLE
-CLASS="NOTE"
-WIDTH="100%"
-BORDER="0"
-><TR
-><TD
-WIDTH="25"
-ALIGN="CENTER"
-VALIGN="TOP"
-><IMG
-SRC="images/note.gif"
-HSPACE="5"
-ALT="Note"></TD
-><TD
-ALIGN="LEFT"
-VALIGN="TOP"
-><P
-><SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->A note on Broccoli's memory management philosophy:</B
-></SPAN
-></P
-><P
->Broccoli generally does not release objects you allocate.
-	    The approach taken is "you clean up what you allocate."
-	</P
-></TD
-></TR
-></TABLE
-></DIV
-><BR
-CLEAR="all"><DIV
-CLASS="SECT2"
-><H2
-CLASS="SECT2"
-><A
-NAME="AEN143"
->3.3.1. Initialization</A
-></H2
-><P
->	  Broccoli requires global initialization before most of its
-	  other other functions can be used. Generally, the way to
-	  initialize Broccoli is as follows:
-        </P
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->bro_init(NULL);
-        </PRE
-></TD
-></TR
-></TABLE
-><P
->          The argument to
-          <CODE
-CLASS="FUNCTION"
->bro_init()</CODE
->
-          provides optional initialization context, and may be kept
-          <CODE
-CLASS="CONSTANT"
->NULL</CODE
-> for normal use. If required, you may
-          allocate a <TT
-CLASS="FILENAME"
->BroCtx</TT
-> structure locally,
-          initialize it using
-          <CODE
-CLASS="FUNCTION"
->bro_ctx_init()</CODE
->,
-          fill in additional values as required and and subsequently pass it to
-          <CODE
-CLASS="FUNCTION"
->bro_init()</CODE
->:
-        </P
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->BroCtx ctx;
-bro_ctx_init(&#38;ctx);
-/* Make adjustments to the context structure as required... */
-bro_init(&#38;ctx);
-        </PRE
-></TD
-></TR
-></TABLE
-><DIV
-CLASS="CAUTION"
-><P
-></P
-><TABLE
-CLASS="CAUTION"
-WIDTH="100%"
-BORDER="0"
-><TR
-><TD
-WIDTH="25"
-ALIGN="CENTER"
-VALIGN="TOP"
-><IMG
-SRC="images/caution.gif"
-HSPACE="5"
-ALT="Caution"></TD
-><TD
-ALIGN="LEFT"
-VALIGN="TOP"
-><P
->          The <TT
-CLASS="FILENAME"
->BroCtx</TT
-> structure currently contains
-          a set of five different callback function pointers.  These
-          are <SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->required</B
-></SPAN
-> for thread-safe operation
-          of OpenSSL (Broccoli itself is thread-safe).  If you intend
-          to use Broccoli in a multithreaded environment, you need to
-          implement functions and register them via the
-          <TT
-CLASS="FILENAME"
->BroCtx</TT
-> structure.  The O'Reilly book
-          "Network Security with OpenSSL" by Viega et al. shows how to
-          implement these callbacks.
-          </P
-></TD
-></TR
-></TABLE
-></DIV
-><DIV
-CLASS="CAUTION"
-><P
-></P
-><TABLE
-CLASS="CAUTION"
-WIDTH="100%"
-BORDER="0"
-><TR
-><TD
-WIDTH="25"
-ALIGN="CENTER"
-VALIGN="TOP"
-><IMG
-SRC="images/caution.gif"
-HSPACE="5"
-ALT="Caution"></TD
-><TD
-ALIGN="LEFT"
-VALIGN="TOP"
-><P
->You <SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->must</B
-></SPAN
-> call
-          <CODE
-CLASS="FUNCTION"
->bro_init()</CODE
->
-	  at the start of your application. Undefined behavior may result
-          if you don't.
-          </P
-></TD
-></TR
-></TABLE
-></DIV
-></DIV
-><BR
-CLEAR="all"><DIV
-CLASS="SECT2"
-><H2
-CLASS="SECT2"
-><A
-NAME="AEN167"
->3.3.2. Data types in Broccoli</A
-></H2
-><P
->	  Broccoli declares a number of data types in <TT
-CLASS="FILENAME"
->broccoli.h</TT
-> that
-	  you should know about. The more complex ones are kept opaque, while you do get
-	  access to the fields in the simpler ones. The full list is as follows:
-
-	  <P
-></P
-><UL
-><LI
-><P
->Simple signed and unsigned types: <SPAN
-CLASS="TYPE"
->int</SPAN
->, <SPAN
-CLASS="TYPE"
->uint</SPAN
->,
-	        <SPAN
-CLASS="TYPE"
->uint32</SPAN
->, <SPAN
-CLASS="TYPE"
->uint16</SPAN
-> and <SPAN
-CLASS="TYPE"
->uchar</SPAN
->.</P
-></LI
-><LI
-><P
->Connection handles: <SPAN
-CLASS="TYPE"
->BroConn</SPAN
->, kept opaque.</P
-></LI
-><LI
-><P
->Bro events: <SPAN
-CLASS="TYPE"
->BroEvent</SPAN
->, kept opaque.</P
-></LI
-><LI
-><P
->Buffer objects: <SPAN
-CLASS="TYPE"
->BroBuf</SPAN
->, kept opaque. See the separate
-	      <A
-HREF="c84.html#AEN696"
->section on buffer management</A
-> for details.</P
-></LI
-><LI
-><P
->Ports: <SPAN
-CLASS="TYPE"
->BroPort</SPAN
-> for network ports, defined as follows:
-	      </P
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->typedef struct bro_port {
-  uint16       port_num;   /* port number in host byte order */
-  int          port_proto; /* IPPROTO_xxx */
-} BroPort;
-              </PRE
-></TD
-></TR
-></TABLE
-></LI
-><LI
-><P
->Records: <SPAN
-CLASS="TYPE"
->BroRecord</SPAN
->, kept opaque. See the separate
-	      <A
-HREF="c84.html#AEN554"
->section on record handling</A
-> for details.</P
-></LI
-><LI
-><P
->Strings (character and binary): <SPAN
-CLASS="TYPE"
->BroString</SPAN
->, defined as follows:
-	      </P
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->typedef struct bro_string {
-  int          str_len;
-  char        *str_val;
-} BroString;
-              </PRE
-></TD
-></TR
-></TABLE
-><P
->	      BroStrings are mostly kept transparent for convenience; please have a look at the
-	      string API:
-<A
-HREF="broccoli-broccoli.html#BRO-STRING-INIT"
-><CODE
-CLASS="FUNCTION"
->bro_string_init()</CODE
-></A
->,
-<A
-HREF="broccoli-broccoli.html#BRO-STRING-SET"
-><CODE
-CLASS="FUNCTION"
->bro_string_set()</CODE
-></A
->,
-<A
-HREF="broccoli-broccoli.html#BRO-STRING-SET-DATA"
-><CODE
-CLASS="FUNCTION"
->bro_string_set_data()</CODE
-></A
->,
-<A
-HREF="broccoli-broccoli.html#BRO-STRING-COPY"
-><CODE
-CLASS="FUNCTION"
->bro_string_copy()</CODE
-></A
->,
-<A
-HREF="broccoli-broccoli.html#BRO-STRING-CLEANUP"
-><CODE
-CLASS="FUNCTION"
->bro_string_cleanup()</CODE
-></A
->, and
-<A
-HREF="broccoli-broccoli.html#BRO-STRING-FREE"
-><CODE
-CLASS="FUNCTION"
->bro_string_free()</CODE
-></A
->.
-	      </P
-></LI
-><LI
-><P
->Tables: <SPAN
-CLASS="TYPE"
->BroTable</SPAN
->, kept opaque. See the separate
-	      <A
-HREF="c84.html#AEN599"
->section on table handling</A
-> for details.</P
-></LI
-><LI
-><P
->Sets: <SPAN
-CLASS="TYPE"
->BroSet</SPAN
->, kept opaque. See the separate
-	      <A
-HREF="c84.html#AEN636"
->section on table handling</A
-> for details.</P
-></LI
-><LI
-><P
->Subnets: <SPAN
-CLASS="TYPE"
->BroSubnet</SPAN
->, defined as follows:
-	      </P
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->typedef struct bro_subnet
-{
-  uint32       sn_net;     /* IP address in network byte order */
-  uint32       sn_width;   /* Length of prefix to consider. */
-} BroSubnet;
-              </PRE
-></TD
-></TR
-></TABLE
-></LI
-></UL
->
-	</P
-></DIV
-><BR
-CLEAR="all"><DIV
-CLASS="SECT2"
-><H2
-CLASS="SECT2"
-><A
-NAME="AEN226"
->3.3.3. Managing connections</A
-></H2
-><P
->	    You can use Broccoli to establish a connection to a remote Bro, or to create a
-	    Broccoli-enabled server application that other Bros will connect to. (This
-	    means that in principle, you can also use Broccoli purely as middleware and
-	    have multiple Broccoli applications communicate directly.)
-        </P
-><P
->	    
-	    In order to establish a connection to a remote Bro, you first obtain a connection
-	    handle. You then use this connection handle to request events, connect to the
-	    remote Bro, send events, etc. Connection handles are pointers to <CODE
-CLASS="FUNCTION"
->BroConn</CODE
->
-	    structures, which are kept opaque. Use
-	    <A
-HREF="broccoli-broccoli.html#BRO-CONN-NEW"
-><CODE
-CLASS="FUNCTION"
->bro_conn_new()</CODE
-></A
-> or
-	    <A
-HREF="broccoli-broccoli.html#BRO-CONN-NEW-STR"
-><CODE
-CLASS="FUNCTION"
->bro_conn_new_str()</CODE
-></A
->
-	    to obtain a handle, depending on what parameters are more convenient for
-	    you: the former accepts the IP address and port number as separate numerical
-	    arguments, the latter uses a single string to encode both, in "hostname:port"
-	    format.
-        </P
-><P
->	    To write a Broccoli-enabled server, you first need to implement the usual
-	    <CODE
-CLASS="FUNCTION"
->socket()</CODE
-> / <CODE
-CLASS="FUNCTION"
->bind()</CODE
-> /
-	    <CODE
-CLASS="FUNCTION"
->listen()</CODE
-> / <CODE
-CLASS="FUNCTION"
->accept()</CODE
-> routine.
-	    Once you have obtained a file descriptor for the new connection from <CODE
-CLASS="FUNCTION"
->accept()</CODE
->,
-	    you pass it to the third function that returns a <CODE
-CLASS="FUNCTION"
->BroConn</CODE
->
-	    handle, 
-	    <A
-HREF="broccoli-broccoli.html#BRO-CONN-NEW-SOCKET"
-><CODE
-CLASS="FUNCTION"
->bro_conn_new_socket()</CODE
-></A
->.
-	    The rest of the connection handling then proceeds as in the client scenario.
-        </P
-><P
->	    
-	    All three calls accept additional flags for fine-tuning connection behaviour.
-	    These flags are:
-	    <P
-></P
-><UL
-><LI
-><P
-><CODE
-CLASS="CONSTANT"
->BRO_CFLAG_NONE</CODE
->: no functionality. Use when
-		  no flags are desired.
-		</P
-></LI
-><LI
-><P
-><CODE
-CLASS="CONSTANT"
->BRO_CFLAG_RECONNECT</CODE
->:
-		  When using this option, Broccoli will attempt to reconnect to the peer
-		  after lost connectivity transparently. Essentially whenever you try to
-		  read from or write to the peer and its connection broke down, a
-		  full reconnect including complete handshaking is attempted. You can check
-		  whether the connection to a peer is alive at any time using
-	    	  <A
-HREF="broccoli-broccoli.html#BRO-CONN-ALIVE"
-><CODE
-CLASS="FUNCTION"
->bro_conn_alive()</CODE
-></A
->.
-		</P
-></LI
-><LI
-><P
-><CODE
-CLASS="CONSTANT"
->BRO_CFLAG_ALWAYS_QUEUE</CODE
->:
-		  When using this option, Broccoli will queue any events you send for
-		  later transmission when a connection is currently down. Without using this
-		  flag, any events you attempt to send while a connection is down get dropped
-		  on the floor. Note that Broccoli maintains a maximum queue size per connection
-		  so if you attempt to send lots of events while the connection is down, the
-		  oldest events may start to get dropped nonetheless. Again, you can check
-		  whether the connection is currently okay by using
-	    	  <A
-HREF="broccoli-broccoli.html#BRO-CONN-ALIVE"
-><CODE
-CLASS="FUNCTION"
->bro_conn_alive()</CODE
-></A
->.
-		</P
-></LI
-><LI
-><P
-><CODE
-CLASS="CONSTANT"
->BRO_CFLAG_DONTCACHE</CODE
->:
-		  When using this option, Broccoli will ask the peer not to use caching on
-		  the objects it sends to us. This is the default, and the flag need not
-		  normally be used. It is kept to maintain backward compatibility.
-		</P
-></LI
-><LI
-><P
-><CODE
-CLASS="CONSTANT"
->BRO_CFLAG_CACHE</CODE
->:
-		  When using this option, Broccoli will ask the peer to use caching on
-		  the objects it sends to us. Caching is normally disabled.
-		</P
-></LI
-><LI
-><P
-><CODE
-CLASS="CONSTANT"
->BRO_CFLAG_YIELD</CODE
->: When
-                using this option,
-                <CODE
-CLASS="FUNCTION"
->bro_conn_process_input()</CODE
->
-                processes at most one event at a time and then
-                returns. 
-		</P
-></LI
-></UL
->
-                
-        </P
-><P
->	    By obtaining a connection handle, you do not also establish a connection right
-	    away. This is done using 
-	    <A
-HREF="broccoli-broccoli.html#BRO-CONN-CONNECT"
-><CODE
-CLASS="FUNCTION"
->bro_conn_connect()</CODE
-></A
->.
-	    The main reason for this is to allow you to subscribe to events
-	    (using
-	    <A
-HREF="broccoli-broccoli.html#BRO-EVENT-REGISTRY-ADD"
-><CODE
-CLASS="FUNCTION"
->bro_event_registry_add()</CODE
-></A
->,
-	    see <A
-HREF="c84.html#AEN461"
->below</A
->)
-	    before establishing the connection. Upon returning from 
-	    <A
-HREF="broccoli-broccoli.html#BRO-CONN-CONNECT"
-><CODE
-CLASS="FUNCTION"
->bro_conn_connect()</CODE
-></A
->
-	    you are guaranteed to receive all instances of the event types you have
-	    requested, while later on during the connection some time may elapse between
-	    the issuing of a request for events and the processing of that request at the
-	    remote end.
-	    Connections are established via TCP, optionally using SSL encryption. See
-	    <A
-HREF="c84.html#AEN738"
->"Configuring encrypted communication"</A
-> below for more
-	    information on setting up enncryption.
-	    The port numbers Bro agents and Broccoli applications listen on can vary from peer
-	    to peer. 
-	</P
-><P
->	    Finally, <A
-HREF="broccoli-broccoli.html#BRO-CONN-DELETE"
-><CODE
-CLASS="FUNCTION"
->bro_conn_delete()</CODE
-></A
->
-	    terminates a connection and releases all resources associated with it.
-	    You can create as many connections as you like, to one or more peers.
-	    You can obtain the file descriptor of a connection using
-	    <A
-HREF="broccoli-broccoli.html#BRO-CONN-GET-FD"
-><CODE
-CLASS="FUNCTION"
->bro_conn_get_fd()</CODE
-></A
->.
-        </P
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->char host_str = "bro.yourorganization.com";
-int port      = 1234;
-struct hostent *host;
-BroConn *bc;
-
-if (! (host = gethostbyname(host_str)) ||
-    ! (host-&#62;h_addr_list[0])) {
-	/* Error handling -- could not resolve host */
-}
-
-/* In this example, we obtain a connection handle, then register event handlers,
- * and finally connect to the remote Bro.
- *
- * First obtain a connection handle:
- */
-if (! (bc = bro_conn_new((struct in_addr*) host-&#62;h_addr_list[0], htons(port), BRO_CFLAG_NONE))) {
-	/* Error handling  - could not get connection handle */
-}
-
-/* Register event handlers:
- */
-bro_event_registry_add(bc, "foo", bro_foo_handler, NULL);
-/* ... */
-
-/* Now connect to the peer:
- */
-if (! bro_conn_connect(bc)) {
-	/* Error handling - could not connect to remote Bro. */
-}
-
-/* Send and receive events ... */
-
-/* Disconnect from Bro and clean up connection */
-bro_conn_delete(bc);
-        </PRE
-></TD
-></TR
-></TABLE
-><P
->	    Or simply use the string-based version:
-	</P
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->char host_str = "bro.yourcompany.com:1234";
-BroConn *bc;
-
-/* In this example we don't request any events from the peer, but
- * we ask it not to use the serialization cache.
- *
- * Again, first obtain a connection handle:
- */
-if (! (bc = bro_conn_new_str(host_str, BRO_CFLAG_DONTCACHE))) {
-	/* Error handling  - could not get connection handle */
-}
-
-/* Now connect to the peer:
- */
-if (! bro_conn_connect(bc)) {
-	/* Error handling - could not connect to remote Bro. */
-}
-
-/* ... */
-        </PRE
-></TD
-></TR
-></TABLE
-></DIV
-><BR
-CLEAR="all"><DIV
-CLASS="SECT2"
-><H2
-CLASS="SECT2"
-><A
-NAME="AEN286"
->3.3.4. Connection classes</A
-></H2
-><P
->	    When you want to establish connections from multiple Broccoli applications
-	    with different purposes, the peer needs a means to understand what kind of
-	    application each connection belongs to. The real meaning of "kind of application"
-	    here is "sets of event types to request", because depending on the class of
-	    an application, the peer will likey want to receive different types of events.
-	</P
-><P
->	    Broccoli lets you set the class of a connection using
-	    <A
-HREF="broccoli-broccoli.html#BRO-CONN-SET-CLASS"
-><CODE
-CLASS="FUNCTION"
->bro_conn_set_class()</CODE
-></A
->.
-	    When using this feature, you need to call that function before issuing a
-	    <A
-HREF="broccoli-broccoli.html#BRO-CONN-CONNECT"
-><CODE
-CLASS="FUNCTION"
->bro_conn_connect()</CODE
-></A
->,
-	    since the class of a connection is determined at connection startup.
-	</P
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->if (! (bc = bro_conn_new_str(host_str, BRO_CFLAG_DONTCACHE))) {
-	/* Error handling  - could not get connection handle */
-}
-
-/* Set class of this connection: */
-bro_conn_set_class(bc, "syslog");
-
-if (! bro_conn_connect(bc)) {
-	/* Error handling - could not connect to remote Bro. */
-}
-        </PRE
-></TD
-></TR
-></TABLE
-><P
->	    If your peer is a Bro node, you need to match the chosen connection class in
-	    the remote Bro's <CODE
-CLASS="FUNCTION"
->Remote::destinations</CODE
-> configuration.
-	    See <A
-HREF="c84.html#AEN784"
->below</A
-> for how to do this.
-	    Finally, in order to obtain the class of a connection as indicated by the remote side, use
-	    <A
-HREF="broccoli-broccoli.html#BRO-CONN-GET-PEER-CLASS"
-><CODE
-CLASS="FUNCTION"
->bro_conn_get_peer_class()</CODE
-></A
->.
-	</P
-></DIV
-><BR
-CLEAR="all"><DIV
-CLASS="SECT2"
-><H2
-CLASS="SECT2"
-><A
-NAME="AEN300"
->3.3.5. Composing and sending events</A
-></H2
-><P
->	    In order to send an event to the remote Bro agent, you first create
-	    an empty event structure with the name of the event, then add parameters
-	    to pass to the event handler at the remote agent, and then send off the
-	    event.
-        </P
-><DIV
-CLASS="NOTE"
-><P
-></P
-><TABLE
-CLASS="NOTE"
-WIDTH="100%"
-BORDER="0"
-><TR
-><TD
-WIDTH="25"
-ALIGN="CENTER"
-VALIGN="TOP"
-><IMG
-SRC="images/note.gif"
-HSPACE="5"
-ALT="Note"></TD
-><TD
-ALIGN="LEFT"
-VALIGN="TOP"
-><P
->            <SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->Bro peers ignore unrequested events.</B
-></SPAN
->
-          </P
-><P
->	    You need to make sure that the remote Bro agent is interested in receiving
-	    the events you send. This interest is expressed in policy configuration.
-	    We'll explain this in more detail <A
-HREF="c84.html#AEN784"
->below</A
->
-	    and for now assume that our remote peer is configured to receive the
-	    events we send.
-          </P
-></TD
-></TR
-></TABLE
-></DIV
-><P
->	    Let's assume we want to request a report of all connections a remote
-	    Bro currently keeps state for that match a given destination port and
-	    host name and that have amassed more than a certain number of bytes.
-	    The idea is to send an event to the remote Bro that contains the
-	    query, identifiable through a request ID, and have the remote Bro
-	    answer us with <CODE
-CLASS="FUNCTION"
->remote_conn</CODE
-> events
-	    containing the information we asked for. The definition of our
-	    requesting event could look as follows in the Bro policy:
-        </P
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->event report_conns(req_id: int, dest_host: string, dest_port: port, min_size: count);
-        </PRE
-></TD
-></TR
-></TABLE
-><P
->            First, create a new event:
-        </P
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->BroEvent *ev;
-
-if (! (ev = bro_event_new("report_conns"))) {
-	/* Error handling - could not allocate new event. */
-}
-        </PRE
-></TD
-></TR
-></TABLE
-><P
->	    Now we need to add parameters to the event. The sequence and types must
-	    match the event handler declaration &mdash; check the Bro policy to make
-	    sure they match. The function to use for adding parameter values is
-	    <A
-HREF="broccoli-broccoli.html#BRO-EVENT-ADD-VAL"
-><CODE
-CLASS="FUNCTION"
->bro_event_add_val()</CODE
-></A
->
-	    All values are passed as <SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->pointer arguments</B
-></SPAN
-> and are copied internally,
-	    so the object you're pointing to stays unmodified at all times. You clean
-	    up what you allocate. In order to indicate the type of the value passed into the
-	    function, you need to pass a numerical type identifier along as well.
-            <A
-HREF="c84.html#TABLE-1"
->Table 1</A
-> lists the value types that Broccoli supports along with
-	    the type identifier and data structures to point to.
-	</P
-><DIV
-CLASS="TABLE"
-><A
-NAME="TABLE-1"
-></A
-><P
-><B
->Table 3-1. Types, type tags, and data structures for event parameters in Broccoli</B
-></P
-><TABLE
-BORDER="1"
-FRAME="vsides"
-RULES="all"
-CLASS="CALSTABLE"
-><COL><COL><COL><THEAD
-><TR
-><TH
-ALIGN="CENTER"
->Type</TH
-><TH
-ALIGN="CENTER"
->Type tag</TH
-><TH
-ALIGN="CENTER"
->Data type pointed to</TH
-></TR
-></THEAD
-><TBODY
-><TR
-><TD
->Boolean</TD
-><TD
-><CODE
-CLASS="CONSTANT"
->BRO_TYPE_BOOL</CODE
-></TD
-><TD
-><CODE
-CLASS="FUNCTION"
->int</CODE
-></TD
-></TR
-><TR
-><TD
->Integer value</TD
-><TD
-><CODE
-CLASS="CONSTANT"
->BRO_TYPE_INT</CODE
-></TD
-><TD
-><CODE
-CLASS="FUNCTION"
->int</CODE
-></TD
-></TR
-><TR
-><TD
->Counter (nonnegative integers)</TD
-><TD
-><CODE
-CLASS="CONSTANT"
->BRO_TYPE_COUNT</CODE
-></TD
-><TD
-><CODE
-CLASS="FUNCTION"
->uint32</CODE
-></TD
-></TR
-><TR
-><TD
->Enums (enumerated values)</TD
-><TD
-><CODE
-CLASS="CONSTANT"
->BRO_TYPE_ENUM</CODE
-></TD
-><TD
-><CODE
-CLASS="FUNCTION"
->int</CODE
-> (see also the description of
-         <A
-HREF="broccoli-broccoli.html#BRO-EVENT-ADD-VAL"
-><CODE
-CLASS="FUNCTION"
->bro_event_add_val()</CODE
-></A
->'s
-	 <CODE
-CLASS="FUNCTION"
->type_name</CODE
-> argument below)</TD
-></TR
-><TR
-><TD
->Floating-point number</TD
-><TD
-><CODE
-CLASS="CONSTANT"
->BRO_TYPE_DOUBLE</CODE
-></TD
-><TD
-><CODE
-CLASS="FUNCTION"
->double</CODE
-></TD
-></TR
-><TR
-><TD
->Timestamp</TD
-><TD
-><CODE
-CLASS="CONSTANT"
->BRO_TYPE_TIME</CODE
-></TD
-><TD
-><CODE
-CLASS="FUNCTION"
->double</CODE
-> (see also
-         <A
-HREF="broccoli-broccoli.html#BRO-UTIL-TIMEVAL-TO-DOUBLE"
-><CODE
-CLASS="FUNCTION"
->bro_util_timeval_to_double()</CODE
-></A
-> and
-	 <A
-HREF="broccoli-broccoli.html#BRO-UTIL-CURRENT-TIME"
-><CODE
-CLASS="FUNCTION"
->bro_util_current_time()</CODE
-></A
->)</TD
-></TR
-><TR
-><TD
->Time interval</TD
-><TD
-><CODE
-CLASS="CONSTANT"
->BRO_TYPE_INTERVAL</CODE
-></TD
-><TD
-><CODE
-CLASS="FUNCTION"
->double</CODE
-></TD
-></TR
-><TR
-><TD
->Strings (text and binary)</TD
-><TD
-><CODE
-CLASS="CONSTANT"
->BRO_TYPE_STRING</CODE
-></TD
-><TD
-><CODE
-CLASS="FUNCTION"
->BroString</CODE
-> (see also the family of <CODE
-CLASS="FUNCTION"
->bro_string_xxx()</CODE
-> functions)</TD
-></TR
-><TR
-><TD
->Network ports</TD
-><TD
-><CODE
-CLASS="CONSTANT"
->BRO_TYPE_PORT</CODE
-></TD
-><TD
-><CODE
-CLASS="FUNCTION"
->BroPort</CODE
->, with the port number in host byte order</TD
-></TR
-><TR
-><TD
->IPv4 address</TD
-><TD
-><CODE
-CLASS="CONSTANT"
->BRO_TYPE_IPADDR</CODE
-></TD
-><TD
-><CODE
-CLASS="FUNCTION"
->uint32</CODE
->, in network byte order</TD
-></TR
-><TR
-><TD
->IPv4 network</TD
-><TD
-><CODE
-CLASS="CONSTANT"
->BRO_TYPE_NET</CODE
-></TD
-><TD
-><CODE
-CLASS="FUNCTION"
->uint32</CODE
->, in network byte order</TD
-></TR
-><TR
-><TD
->IPv4 subnet</TD
-><TD
-><CODE
-CLASS="CONSTANT"
->BRO_TYPE_SUBNET</CODE
-></TD
-><TD
-><CODE
-CLASS="FUNCTION"
->BroSubnet</CODE
->, with the sn_net member in network byte order</TD
-></TR
-><TR
-><TD
->Record</TD
-><TD
-><CODE
-CLASS="CONSTANT"
->BRO_TYPE_RECORD</CODE
-></TD
-><TD
-><CODE
-CLASS="FUNCTION"
->BroRecord</CODE
-> (see also the family of
-	 <CODE
-CLASS="FUNCTION"
->bro_record_xxx()</CODE
-> functions and their
-	  explanation below)</TD
-></TR
-><TR
-><TD
->Table</TD
-><TD
-><CODE
-CLASS="CONSTANT"
->BRO_TYPE_TABLE</CODE
-></TD
-><TD
-><CODE
-CLASS="FUNCTION"
->BroTable</CODE
-> (see also the family of
-	 <CODE
-CLASS="FUNCTION"
->bro_table_xxx()</CODE
-> functions and their
-	  explanation below)</TD
-></TR
-><TR
-><TD
->Record</TD
-><TD
-><CODE
-CLASS="CONSTANT"
->BRO_TYPE_SET</CODE
-></TD
-><TD
-><CODE
-CLASS="FUNCTION"
->BroSet</CODE
-> (see also the family of
-	 <CODE
-CLASS="FUNCTION"
->bro_set_xxx()</CODE
-> functions and their
-	  explanation below)</TD
-></TR
-></TBODY
-></TABLE
-></DIV
-><P
->	    Knowing these, we can now compose a 
-	   <CODE
-CLASS="FUNCTION"
->request_connections</CODE
-> event:
-        </P
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->BroString dest_host;
-BroPort dest_port;
-uint32 min_size;
-int req_id = 0;
-
-bro_event_add_val(ev, BRO_TYPE_INT, NULL, &#38;req_id);
-req_id++;
-
-bro_string_set(&#38;dest_host, "desthost.destdomain.com");
-bro_event_add_val(ev, BRO_TYPE_STRING, NULL, &#38;dest_host);
-bro_string_cleanup(&#38;dest_host);
-
-dest_port.dst_port = 80;
-dest_port.dst_proto = IPPROTO_TCP;
-bro_event_add_val(ev, BRO_TYPE_PORT, NULL, &#38;dest_port);
-
-min_size = 1000;
-bro_event_add_val(ev, BRO_TYPE_COUNT, NULL, &#38;min_size);
-        </PRE
-></TD
-></TR
-></TABLE
-><P
->	    The third argument to
-	    <A
-HREF="broccoli-broccoli.html#BRO-EVENT-ADD-VAL"
-><CODE
-CLASS="FUNCTION"
->bro_event_add_val()</CODE
-></A
->
-	    lets you specify a specialization of the types listed in
-	    <A
-HREF="c84.html#TABLE-1"
->Table 1</A
->. This is generally not necessary
-	    except for one situationn: When using <CODE
-CLASS="CONSTANT"
->BRO_TYPE_ENUM</CODE
->. You currently
-	    cannot define
-	    a Bro-level enum type in Broccoli, and thus when sending an enum value, you
-	    have to specify the type of the enum along with the value. For example, in order
-	    to add an instance of enum <CODE
-CLASS="FUNCTION"
->transport_type</CODE
-> defined in
-	    Bro's <TT
-CLASS="FILENAME"
->bro.init</TT
->, you would use
-	    <TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->int transport_proto = 2;
-/* ... */
-bro_event_add_val(ev, BRO_TYPE_ENUM, "transport_proto", &#38;transport_proto);
-	    </PRE
-></TD
-></TR
-></TABLE
->
-	    to get the equivalent of "udp" on the remote side. The same system is used
-	    to point out type names when calling
-	    <A
-HREF="broccoli-broccoli.html#BRO-EVENT-SET-VAL"
-><CODE
-CLASS="FUNCTION"
->bro_event_set_val()</CODE
-></A
->,
-	    <A
-HREF="broccoli-broccoli.html#BRO-RECORD-ADD-VAL"
-><CODE
-CLASS="FUNCTION"
->bro_record_add_val()</CODE
-></A
->,
-	    <A
-HREF="broccoli-broccoli.html#BRO-RECORD-SET-NTH-VAL"
-><CODE
-CLASS="FUNCTION"
->bro_record_set_nth_val()</CODE
-></A
->, and
-	    <A
-HREF="broccoli-broccoli.html#BRO-RECORD-SET-NAMED-VAL"
-><CODE
-CLASS="FUNCTION"
->bro_record_set_named_val()</CODE
-></A
->.
-	</P
-><P
->	    All that's left to do now is to send off the event. For this, use
-	    <A
-HREF="broccoli-broccoli.html#BRO-EVENT-SEND"
-><CODE
-CLASS="FUNCTION"
->bro_event_send()</CODE
-></A
->
-	    and pass it the connection handle and the event. The function returns
-	    <CODE
-CLASS="CONSTANT"
->TRUE</CODE
-> when the event could be sent right away or if
-	    it was queued for later delivery. <CODE
-CLASS="CONSTANT"
->FALSE</CODE
-> is returned
-	    on error. If the event get queued, this does not indicate an error &mdash;
-	    likely the connection was just not
-	    ready to send the event at this point. Whenever you call
-	    <A
-HREF="broccoli-broccoli.html#BRO-EVENT-SEND"
-><CODE
-CLASS="FUNCTION"
->bro_event_send()</CODE
-></A
->,
-            Broccoli attempts to send as much of an existing event queue as possible.
-	    Again, the event is copied internally to make it easier for you to
-	    send the same event repeatedly. You clean up what you allocate.
-	</P
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->bro_event_send(bc, ev);
-bro_event_free(ev);
-        </PRE
-></TD
-></TR
-></TABLE
-><P
->	    Two other functions may be useful to you:
-	    <A
-HREF="broccoli-broccoli.html#BRO-EVENT-QUEUE-LENGTH"
-><CODE
-CLASS="FUNCTION"
->bro_event_queue_length()</CODE
-></A
->
-            tells you how many events are currently queued, and 
-	    <A
-HREF="broccoli-broccoli.html#BRO-EVENT-QUEUE-FLUSH"
-><CODE
-CLASS="FUNCTION"
->bro_event_queue_flush()</CODE
-></A
->
-	    attempts to flush the current event queue and returns the number of events that do remain
-	    in the queue after the flush. <SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->Note:</B
-></SPAN
-> you do not normally need
-	    to call this function, queue flushing is attempted every time you send an event.
-        </P
-></DIV
-><BR
-CLEAR="all"><DIV
-CLASS="SECT2"
-><H2
-CLASS="SECT2"
-><A
-NAME="AEN461"
->3.3.6. Receiving events</A
-></H2
-><P
->	  Receiving events is a little more work because you need to
-        </P
-><P
-></P
-><OL
-TYPE="1"
-><LI
-><P
->tell Broccoli what to do when requested events arrive,</P
-></LI
-><LI
-><P
->let the remote Bro agent know that you would like to receive those events,</P
-></LI
-><LI
-><P
->find a spot in the code path suitable for extracting and processing arriving events.</P
-></LI
-></OL
-><P
->	  Each of these steps is explained in the following sections.
-	</P
-><BR
-CLEAR="all"><DIV
-CLASS="SECT3"
-><H3
-CLASS="SECT3"
-><A
-NAME="AEN472"
->3.3.6.1. Implementing event callbacks</A
-></H3
-><P
->            When Broccoli receives an event, it tries to dispatch the event to callbacks
-	    registered for that event type. The place where callbacks get registered is
-	    called the callback registry. Any callbacks registered for the arriving
-	    event's name are invoked with the parameters shipped with the event. There
-	    are two styles of argument passing to the event callbacks.
-	    Which one is better suited depends on your application.
-	    <P
-></P
-><UL
-><LI
-><P
-><SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->Expanded argument passing.</B
-></SPAN
-> Each event argument
-		  is passed via a pointer to the callback. This makes best sense when you
-		  know the type of the event and of its arguments, because it provides you
-		  immediate access to arguments as when using a normal C function.
-		</P
-><P
->	    	  In order to register a callback with expanded argument passing, use
-	  	  <A
-HREF="broccoli-broccoli.html#BRO-EVENT-REGISTRY-ADD"
-><CODE
-CLASS="FUNCTION"
->bro_event_registry_add()</CODE
-></A
->
-		  and pass it the connection handle, the name of the event for which you
-	          register the callback, the callback itself that matches the signature
-	          of the <TT
-CLASS="FILENAME"
->BroEventFunc</TT
-> type, and any user data (or
-	          <CODE
-CLASS="CONSTANT"
->NULL</CODE
->) you want to see passed to the callback on
-	          each invocation. The callback's type is defined rather generically as follows:
-	        </P
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->typedef void (*BroEventFunc) (BroConn *bc, void *user_data, ...);
-                </PRE
-></TD
-></TR
-></TABLE
-><P
->                  It requires a connection handle as its first argument
-	          and a pointer to user-provided callback data as the second argument.
-                  Broccoli will pass the connection handle of the connection on which the event
-                  arrived through to the callback. <CODE
-CLASS="FUNCTION"
->BroEventFunc</CODE
->s
-	          are variadic, because each callback you provide is directly invoked with
-	          pointers to the parameters of the event, in a format directly usable in C.
-	          All you need to know is what type to point to in order to receive the
-	          parameters in the right layout. Refer to <A
-HREF="c84.html#TABLE-1"
->Table 1</A
->
-	          again for a summary of those types. Record types are more involved and are
-	          addressed in more detail <A
-HREF="c84.html#AEN554"
->below</A
->.
-                </P
-><DIV
-CLASS="NOTE"
-><P
-></P
-><TABLE
-CLASS="NOTE"
-WIDTH="90%"
-BORDER="0"
-><TR
-><TD
-WIDTH="25"
-ALIGN="CENTER"
-VALIGN="TOP"
-><IMG
-SRC="images/note.gif"
-HSPACE="5"
-ALT="Note"></TD
-><TD
-ALIGN="LEFT"
-VALIGN="TOP"
-><P
->Note that <SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->all</B
-></SPAN
-> parameters are passed to the
-	            callback as pointers, even elementary types such as <CODE
-CLASS="CONSTANT"
->int</CODE
->s
-	            that would normally be passed directly.
-		    Also note that Broccoli manages the lifecycle of event parameters
-	            and therefore you do <SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->not</B
-></SPAN
-> have to clean them up inside
-	            the event handler. 
-                  </P
-></TD
-></TR
-></TABLE
-></DIV
-><P
->	          Continuing our example, we will want to process the connection reports
-	          that contain the responses to our <CODE
-CLASS="FUNCTION"
->report_conns</CODE
->
-	          event. Let's assume those look as follows:
-	        </P
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->event remote_conn(req_id: int, conn: connection);
-                </PRE
-></TD
-></TR
-></TABLE
-><P
->                  The reply events contain the request ID so we can associate requests
-	          with replies, and a connection record (defined in <TT
-CLASS="FILENAME"
->bro.init</TT
->
-	          in Bro. (It'd be nicer to report all replies in a single event but we'll
-	          ignore that for now.) For this event, our callback would look like this:
-	        </P
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->void remote_conn_cb(BroConn *bc, void *user_data, int *req_id, BroRecord *conn);
-                </PRE
-></TD
-></TR
-></TABLE
-><P
->	          Once more, you clean up what you allocate, and since you never allocated the
-	      	  space these arguments point to, you also don't clean them up. Finally, we register
-	      	  the callback using
-	      	  <A
-HREF="broccoli-broccoli.html#BRO-EVENT-REGISTRY-ADD"
-><CODE
-CLASS="FUNCTION"
->bro_event_registry_add()</CODE
-></A
->:	    
-		</P
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->bro_event_registry_add(bc, "remote_conn", remote_conn_cb, NULL);
-	        </PRE
-></TD
-></TR
-></TABLE
-><P
->		  In this case we have no additional data to be passed into the
-		  callback, so we use <CODE
-CLASS="CONSTANT"
->NULL</CODE
-> for the last argument.
-		  If you have multiple events you are interested in, register
-		  each one in this fashion.
-		</P
-></LI
-><LI
-><P
-><SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->Compact argument passing.</B
-></SPAN
-> This is designed for
-		  situations when you have to determine how to handle different types of
-		  events at runtime, for example when writing language bindings or when
-		  implementing generic event handlers for multiple event types.
-		  The callback is passed a connection handle and the
-		  user data as above but is only passed one additional pointer, to a
-		  <SPAN
-CLASS="TYPE"
->BroEvMeta</SPAN
-> structure. This structure contains all metadata
-		  about the event, including its name, timestamp (in UTC) of creation,
-		  number of arguments, the arguments'
-		  types (via type tags as listed in <A
-HREF="c84.html#TABLE-1"
->Table 1</A
->),
-		  and the arguments themselves.
-		</P
-><P
->	    	  In order to register a callback with compact argument passing, use
-	  	  <A
-HREF="broccoli-broccoli.html#BRO-EVENT-REGISTRY-ADD-COMPACT"
-><CODE
-CLASS="FUNCTION"
->bro_event_registry_add_compact()</CODE
-></A
->
-		  and pass it similar arguments as you'd use with
-	  	  <A
-HREF="broccoli-broccoli.html#BRO-EVENT-REGISTRY-ADD"
-><CODE
-CLASS="FUNCTION"
->bro_event_registry_add()</CODE
-></A
->.
-		  The callback's type is defined as follows:
-	        </P
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->typedef void (*BroCompactEventFunc) (BroConn *bc, void *user_data, BroEvMeta *meta);
-                </PRE
-></TD
-></TR
-></TABLE
-><DIV
-CLASS="NOTE"
-><P
-></P
-><TABLE
-CLASS="NOTE"
-WIDTH="90%"
-BORDER="0"
-><TR
-><TD
-WIDTH="25"
-ALIGN="CENTER"
-VALIGN="TOP"
-><IMG
-SRC="images/note.gif"
-HSPACE="5"
-ALT="Note"></TD
-><TD
-ALIGN="LEFT"
-VALIGN="TOP"
-><P
->As before, Broccoli manages the lifecycle of event parameters.
-	            You do not  have to clean up the <SPAN
-CLASS="TYPE"
->BroEvMeta</SPAN
->
-		    structure or any of its contents.
-                  </P
-></TD
-></TR
-></TABLE
-></DIV
-><P
->		  Below is sample code for extracting the arguments form the <SPAN
-CLASS="TYPE"
->BroEvMeta</SPAN
->
-		  structure, using our running example. This is still written with the assumption
-		  that we know the types of the arguments, but note that this is not a requirement
-		  for this style of callback.
-	        </P
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->void remote_conn_cb(BroConn *bc, void *user_data, BroEvMeta *meta)
-{
-	int *req_id;
-	BroRecord *rec;
-
-	/* For demonstration, print out the event's name: */
-
-	printf("Handling a %s event.\n", meta-&#62;ev_name);
-
-	/* Sanity-check the number of arguments: */
-
-	if (meta-&#62;ev_numargs != 2)
-		{ /* error */ }
-
-	/* Sanity-check the argument types: */
-
-	if (meta-&#62;ev_args[0].arg_type != BRO_TYPE_INT)
-		{ /* error */ }
-
-	if (meta-&#62;ev_args[1].arg_type != BRO_TYPE_RECORD)
-		{ /* error */ }
-
-	req_id = (int *) meta-&#62;ev_args[0].arg_data;
-	rec = (BroRecord *) meta-&#62;ev_args[1].arg_data;
-
-	/* ... */
-}
-                </PRE
-></TD
-></TR
-></TABLE
-><P
->		  Finally, register the callback using
-	      	  <A
-HREF="broccoli-broccoli.html#BRO-EVENT-REGISTRY-ADD-COMPACT"
-><CODE
-CLASS="FUNCTION"
->bro_event_registry_add_compact()</CODE
-></A
->:	    
-		</P
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->bro_event_registry_add_compact(bc, "remote_conn", remote_conn_cb, NULL);
-	        </PRE
-></TD
-></TR
-></TABLE
-></LI
-></UL
->
-	  </P
-></DIV
-><BR
-CLEAR="all"><DIV
-CLASS="SECT3"
-><H3
-CLASS="SECT3"
-><A
-NAME="AEN527"
->3.3.6.2. Requesting event delivery</A
-></H3
-><P
->	    At this point, Broccoli knows what to do with the requested events upon
-	    arrival.  What's left to do is to let the remote Bro know that you
-	    would like to receive the events for which you registered. If you haven't
-	    yet called <A
-HREF="broccoli-broccoli.html#BRO-CONN-CONNECT"
-><CODE
-CLASS="FUNCTION"
->bro_conn_connect()</CODE
-></A
->,
-	    then there is nothing to do, since that function will request the registered
-	    events anyway. Once connected, you can still request events. To do so, call
-	    <A
-HREF="broccoli-broccoli.html#BRO-EVENT-REGISTRY-REQUEST"
-><CODE
-CLASS="FUNCTION"
->bro_event_registry_request()</CODE
-></A
->:
-	  </P
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->bro_event_registry_request(bc);
-          </PRE
-></TD
-></TR
-></TABLE
-><P
->	    This mechanism also implies that no unrequested events will be delivered
-	    to us (and if that happened for whatever reason, the event would simply
-	    be dropped on the floor).
-	  </P
-><DIV
-CLASS="NOTE"
-><P
-></P
-><TABLE
-CLASS="NOTE"
-WIDTH="100%"
-BORDER="0"
-><TR
-><TD
-WIDTH="25"
-ALIGN="CENTER"
-VALIGN="TOP"
-><IMG
-SRC="images/note.gif"
-HSPACE="5"
-ALT="Note"></TD
-><TD
-ALIGN="LEFT"
-VALIGN="TOP"
-><P
-><SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->Note that at the moment you cannot unrequest events, nor
-		can you request events based on predicates on the values of the
-		events' arguments.</B
-></SPAN
-></P
-></TD
-></TR
-></TABLE
-></DIV
-></DIV
-><BR
-CLEAR="all"><DIV
-CLASS="SECT3"
-><H3
-CLASS="SECT3"
-><A
-NAME="AEN539"
->3.3.6.3. Reading events from the connection handle</A
-></H3
-><P
->	    At this point the remote Bro will start sending you the requested events
-	    once they are triggered. What is left to do is to read the arriving events
-	    from the connection and trigger dispatching them to the registered callbacks.
-	  </P
-><P
->	    If you are writing a new Bro-enabled application, this is easy, and you can
-	    choose among two approaches: polling explicitly via Broccoli's API, or using
-	    <CODE
-CLASS="FUNCTION"
->select()</CODE
-> on the file handle associated with a <SPAN
-CLASS="TYPE"
->BroConn</SPAN
->.
-	    The former case is particularly straightforward; all you need to do is
-	    call 
-	    <A
-HREF="broccoli-broccoli.html#BRO-CONN-PROCESS-INPUT"
-><CODE
-CLASS="FUNCTION"
->bro_conn_process_input()</CODE
-></A
->,
-	    which will go off and check if any events have arrived and if so, dispatch
-	    them accordingly. This function does not block &mdash; if no events have
-	    arrived, then the call will return immediately. For more fine-grained control
-	    over your I/O handling, you will probably want to use
-	    <A
-HREF="broccoli-broccoli.html#BRO-CONN-GET-FD"
-><CODE
-CLASS="FUNCTION"
->bro_conn_get_fd()</CODE
-></A
->
-	    to obtain the file descriptor of your connection and then incorporate that
-	    in your standard <CODE
-CLASS="FUNCTION"
->FD_SET</CODE
->/<CODE
-CLASS="FUNCTION"
->select()</CODE
->
-	    code. Once you have determined that data in fact are ready to be read from
-	    the obtained file descriptor, you can then try another
-	    <A
-HREF="broccoli-broccoli.html#BRO-CONN-PROCESS-INPUT"
-><CODE
-CLASS="FUNCTION"
->bro_conn_process_input()</CODE
-></A
->,
-	    this time knowing that it'll find something to dispatch.
-	  </P
-><P
->	    As a side note, if you don't process arriving events frequently enough,
-	    then TCP's flow control will start to slow down the sender until eventually
-	    events will queue up and be dropped at the sending end.
-	  </P
-></DIV
-></DIV
-><BR
-CLEAR="all"><DIV
-CLASS="SECT2"
-><H2
-CLASS="SECT2"
-><A
-NAME="AEN554"
->3.3.7. Handling records</A
-></H2
-><P
->	  Broccoli supports record structures, i.e., types that pack a set of values
-	  together, placing each value into its own field. In Broccoli, the way you handle
-	  records is somewhat similar to events:
-	  after creating an empty record (of opaque type <SPAN
-CLASS="TYPE"
->BroRecord</SPAN
->, you can
-	  iteratively add fields and values to it. The main difference is that you must specify a
-	  field name with the value; each value in a record can be identified both by position
-	  (a numerical index starting from zero), and by field name. You can retrieve vals
-	  in a record by field index or field name. You can also reassign values.
-	  There is no explicit, IDL-style definition of record types. You define the type of
-	  a record implicitly by the sequence of field names and the sequence of the types
-	  of the values you put into the record.
-	</P
-><P
->	  Note that all fields in a record must be assigned before it can be shipped.
-	</P
-><P
->	  The API for record composition consists of
-	  <A
-HREF="broccoli-broccoli.html#BRO-RECORD-NEW"
-><CODE
-CLASS="FUNCTION"
->bro_record_new()</CODE
-></A
->,
-	  <A
-HREF="broccoli-broccoli.html#BRO-RECORD-FREE"
-><CODE
-CLASS="FUNCTION"
->bro_record_free()</CODE
-></A
->,
-	  <A
-HREF="broccoli-broccoli.html#BRO-RECORD-ADD-VAL"
-><CODE
-CLASS="FUNCTION"
->bro_record_add_val()</CODE
-></A
->,
-	  <A
-HREF="broccoli-broccoli.html#BRO-RECORD-SET-NTH-VAL"
-><CODE
-CLASS="FUNCTION"
->bro_record_set_nth_val()</CODE
-></A
->, and
-	  <A
-HREF="broccoli-broccoli.html#BRO-RECORD-SET-NAMED-VAL"
-><CODE
-CLASS="FUNCTION"
->bro_record_set_named_val()</CODE
-></A
->.
-	</P
-><P
->	  On records that use field names, the names of individual fields can be extracted using
-	  <A
-HREF="broccoli-broccoli.html#BRO-RECORD-GET-NTH-NAME"
-><CODE
-CLASS="FUNCTION"
->bro_record_get_nth_name()</CODE
-></A
->.
-	  Extracting values from a record is done using
-	  <A
-HREF="broccoli-broccoli.html#BRO-RECORD-GET-NTH-VAL"
-><CODE
-CLASS="FUNCTION"
->bro_record_get_nth_val()</CODE
-></A
-> and
-	  <A
-HREF="broccoli-broccoli.html#BRO-RECORD-GET-NAMED-VAL"
-><CODE
-CLASS="FUNCTION"
->bro_record_get_named_val()</CODE
-></A
->.
-	  The former allows numerical indexing of the fields in the record, the latter provides
-	  name-based lookups. Both need to be passed the record you want to extract a value from,
-	  the index or name of the field, and either a pointer to an <SPAN
-CLASS="TYPE"
->int</SPAN
-> holding a
-	  <SPAN
-CLASS="TYPE"
->BRO_TYPE_xxx</SPAN
-> value (see again <A
-HREF="c84.html#TABLE-1"
->Table 1</A
-> for a
-	  summary of those types) or <CODE
-CLASS="CONSTANT"
->NULL</CODE
->. The pointer, if not
-	  <CODE
-CLASS="CONSTANT"
->NULL</CODE
->, serves two purposes: type checking and type retrieval.
-	  Type checking is performed if the value of the <SPAN
-CLASS="TYPE"
->int</SPAN
-> upon calling the
-	  functions is not <SPAN
-CLASS="TYPE"
->BRO_TYPE_UNKNOWN</SPAN
->. The type tag of the requested record
-	  field then has to match the type tag stored in the <SPAN
-CLASS="TYPE"
->int</SPAN
->, otherwise
-          <CODE
-CLASS="CONSTANT"
->NULL</CODE
-> is returned. If the <SPAN
-CLASS="TYPE"
->int</SPAN
-> stores <SPAN
-CLASS="TYPE"
->BRO_TYPE_UNKNOWN</SPAN
->
-          upon calling, no type-checking is performed. In <SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->both</B
-></SPAN
-> cases,
-	  the <SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->actual</B
-></SPAN
-> type of the
-	  requested record field is returned in the <SPAN
-CLASS="TYPE"
->int</SPAN
-> pointed to upon
-	  return from the function. Since you have no guarantees of the type of the value
-	  upon return if you pass <CODE
-CLASS="CONSTANT"
->NULL</CODE
-> as the <SPAN
-CLASS="TYPE"
->int</SPAN
-> pointer,
-	  this is a bad idea and either <SPAN
-CLASS="TYPE"
->BRO_TYPE_UNKNOWN</SPAN
-> or another type value
-	  should always be used.
-        </P
-><P
->	  For example, you could extract the value of the record field "label", which
-	  we assume should be a string, in the following ways:
-	</P
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->BroRecord *rec = /* obtained somehow */
-BroString *string;
-int type;
-
-/* --- Example 1 --- */
-
-type = BRO_TYPE_STRING; /* Use type-checking, will not accept other type */
-
-if (! (string = bro_record_get_named_val(rec, "label", &#38;type))) {
-	/* Error handling, either there's no field of that value,
-	 * or the value is not of BRO_TYPE_STRING. The actual
-	 * type is now stored in "type".
-	 */
-}
-
-/* --- Example 2 --- */
-
-type = BRO_TYPE_UNKNOWN; /* No type checking, just report the existant type */
-
-if (! (string = bro_record_get_named_val(rec, "label", &#38;type))) {
-	/* Error handling, no field of that name exists. */
-}
-
-printf("The type of the value in field 'label' is %i\n", type);
-
-/* --- Example 3 --- */
-
-if (! (string = bro_record_get_named_val(rec, "label", NULL))) {
-	/* Error handling, no field of that name exists. */
-}
-
-/* We now have a value, but we can't really be sure of its type */
-
-        </PRE
-></TD
-></TR
-></TABLE
-><P
->	  Record fields can be records, for example in the case of Bro's standard
-	  connection record type. In this case, in order to get to a nested record, you
-	  use <CODE
-CLASS="CONSTANT"
->BRO_TYPE_RECORD</CODE
->:
-	</P
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->void remote_conn_cb(BroConn *bc, int *req_id, BroRecord *conn) {
-	BroRecord *conn_id;
-	int type = BRO_TYPE_RECORD;
-	if (! (conn_id = bro_record_get_named_val(conn, "id", &#38;type))) {
-		/* Error handling */
-	}
-}
-        </PRE
-></TD
-></TR
-></TABLE
-></DIV
-><BR
-CLEAR="all"><DIV
-CLASS="SECT2"
-><H2
-CLASS="SECT2"
-><A
-NAME="AEN599"
->3.3.8. Handling tables</A
-></H2
-><P
->	  Broccoli supports Bro-style tables, i.e., associative containers that map
-	  instances of a key type to an instance of a value type. A given key
-	  can only ever point to a single value. The key type can be
-	  <SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->composite</B
-></SPAN
->, i.e., it may consist of an ordered
-	  sequence ofdifferent types, or it can be <SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->direct</B
-></SPAN
->,
-	  i.e., consisting of a single type (such as an integer, a string, or
-	  a record).
-        </P
-><P
->	  The API for table manipulation consists of
-	  <A
-HREF="broccoli-broccoli.html#BRO-TABLE-NEW"
-><CODE
-CLASS="FUNCTION"
->bro_table_new()</CODE
-></A
->,
-	  <A
-HREF="broccoli-broccoli.html#BRO-TABLE-FREE"
-><CODE
-CLASS="FUNCTION"
->bro_table_free()</CODE
-></A
->,
-	  <A
-HREF="broccoli-broccoli.html#BRO-TABLE-INSERT"
-><CODE
-CLASS="FUNCTION"
->bro_table_insert()</CODE
-></A
->,
-	  <A
-HREF="broccoli-broccoli.html#BRO-TABLE-FIND"
-><CODE
-CLASS="FUNCTION"
->bro_table_find()</CODE
-></A
->,
-	  <A
-HREF="broccoli-broccoli.html#BRO-TABLE-GET-SIZE"
-><CODE
-CLASS="FUNCTION"
->bro_table_get_size()</CODE
-></A
->,
-	  <A
-HREF="broccoli-broccoli.html#BRO-TABLE-GET-TYPES"
-><CODE
-CLASS="FUNCTION"
->bro_table_get_types()</CODE
-></A
->,
-	  and
-	  <A
-HREF="broccoli-broccoli.html#BRO-TABLE-FOREACH"
-><CODE
-CLASS="FUNCTION"
->bro_table_foreach()</CODE
-></A
->.
-        </P
-><P
->	  Tables are handled similarly to records in that typing is determined
-	  dynamically by the initial key/value pair inserted. The resulting types
-	  can be obtained via 	
-	  <A
-HREF="broccoli-broccoli.html#BRO-TABLE-GET-TYPES"
-><CODE
-CLASS="FUNCTION"
->bro_table_get_types()</CODE
-></A
->.
-	  Should the types not have been determined yet, <CODE
-CLASS="CONSTANT"
->BRO_TYPE_UNKNOWN</CODE
->
-	  will result. Also, as with records,
-	  values inserted into the table are copied internally, and the ones passed
-	  to the insertion functions remain unaffected.
-        </P
-><P
->	  In contrast to records, table entries can be iterated. By passing a function
-	  of signature 
-	  <A
-HREF="broccoli-broccoli.html#BROTABLECALLBACK"
-><CODE
-CLASS="FUNCTION"
->BroTableCallback()</CODE
-></A
->
-	  and a pointer to data of your choosing,
-	  <A
-HREF="broccoli-broccoli.html#BRO-TABLE-FOREACH"
-><CODE
-CLASS="FUNCTION"
->bro_table_foreach()</CODE
-></A
->
-	  will invoke the given function for each key/value pair stored in the table.
-	  Return <CODE
-CLASS="CONSTANT"
->TRUE</CODE
-> to keep the iteration going, or <CODE
-CLASS="CONSTANT"
->FALSE</CODE
->
-	  to stop it.
-        </P
-><DIV
-CLASS="CAUTION"
-><P
-></P
-><TABLE
-CLASS="CAUTION"
-WIDTH="100%"
-BORDER="0"
-><TR
-><TD
-WIDTH="25"
-ALIGN="CENTER"
-VALIGN="TOP"
-><IMG
-SRC="images/caution.gif"
-HSPACE="5"
-ALT="Caution"></TD
-><TD
-ALIGN="LEFT"
-VALIGN="TOP"
-><P
->	  The main thing to know about Broccoli's tables is how to use composite key
-	  types. To avoid additional API calls, you may treat composite key types
-	  exactly as records, though you do not need to use field names when assigning
-	  elements to individual fields. So in order to insert a key/value pair, you
-	  create a record with the needed items assigned to its slots, and use this
-	  record as the key object. In order to differentiate composite index types
-	  from direct ones consisting of a single record, use <CODE
-CLASS="CONSTANT"
->BRO_TYPE_LIST</CODE
->
-	  as the type of the record, as opposed to <CODE
-CLASS="CONSTANT"
->BRO_TYPE_RECORD</CODE
->.
-	  Broccoli will then know to interpret the record
-	  as an ordered sequence of items making up a composite element, not a regular
-	  record.
-        </P
-></TD
-></TR
-></TABLE
-></DIV
-><P
->	  <TT
-CLASS="FILENAME"
->brotable.c</TT
-> in the test subdirectory of the Broccoli tree
-	  contains an extensive example of using tables with composite as well as direct
-	  indexing types.
-        </P
-></DIV
-><BR
-CLEAR="all"><DIV
-CLASS="SECT2"
-><H2
-CLASS="SECT2"
-><A
-NAME="AEN636"
->3.3.9. Handling sets</A
-></H2
-><P
->	  Sets are essentially tables with void value types.
-	  The API for set manipulation consists of
-	  <A
-HREF="broccoli-broccoli.html#BRO-SET-NEW"
-><CODE
-CLASS="FUNCTION"
->bro_set_new()</CODE
-></A
->,
-	  <A
-HREF="broccoli-broccoli.html#BRO-SET-FREE"
-><CODE
-CLASS="FUNCTION"
->bro_set_free()</CODE
-></A
->,
-	  <A
-HREF="broccoli-broccoli.html#BRO-SET-INSERT"
-><CODE
-CLASS="FUNCTION"
->bro_set_insert()</CODE
-></A
->,
-	  <A
-HREF="broccoli-broccoli.html#BRO-SET-FIND"
-><CODE
-CLASS="FUNCTION"
->bro_set_find()</CODE
-></A
->,
-	  <A
-HREF="broccoli-broccoli.html#BRO-SET-GET-SIZE"
-><CODE
-CLASS="FUNCTION"
->bro_set_get_size()</CODE
-></A
->,
-	  <A
-HREF="broccoli-broccoli.html#BRO-SET-GET-TYPE"
-><CODE
-CLASS="FUNCTION"
->bro_set_get_type()</CODE
-></A
->,
-	  and
-	  <A
-HREF="broccoli-broccoli.html#BRO-SET-FOREACH"
-><CODE
-CLASS="FUNCTION"
->bro_set_foreach()</CODE
-></A
->.
-        </P
-></DIV
-><BR
-CLEAR="all"><DIV
-CLASS="SECT2"
-><H2
-CLASS="SECT2"
-><A
-NAME="AEN653"
->3.3.10. Associating data with connections</A
-></H2
-><P
->	    You will often find that you would like to connect data with
-	    a <TT
-CLASS="FILENAME"
->BroConn</TT
->. Broccoli provides an API that
-	    lets you associate data items with a connection handle through
-	    a string-based key&ndash;value registry. The functions of interest
-	    are
-	    <A
-HREF="broccoli-broccoli.html#BRO-CONN-DATA-SET"
-><CODE
-CLASS="FUNCTION"
->bro_conn_data_set()</CODE
-></A
->,
-	    <A
-HREF="broccoli-broccoli.html#BRO-CONN-DATA-GET"
-><CODE
-CLASS="FUNCTION"
->bro_conn_data_get()</CODE
-></A
->, and
-	    <A
-HREF="broccoli-broccoli.html#BRO-CONN-DATA-DEL"
-><CODE
-CLASS="FUNCTION"
->bro_conn_data_del()</CODE
-></A
->.
-	    You need to provide a string identifier for a data item and can then use
-	    that string to register, look up, and remove the associated data item.
-	    Note that there is currently no mechanism to trigger a destructor
-	    function for registered data items when the Bro connection is terminated.
-	    You therefore need to make sure that all data items that you do
-	    not have pointers to via some other means are properly released before
-	    calling 
-	    <CODE
-CLASS="FUNCTION"
->bro_disconnect()</CODE
->.
-        </P
-></DIV
-><BR
-CLEAR="all"><DIV
-CLASS="SECT2"
-><H2
-CLASS="SECT2"
-><A
-NAME="AEN665"
->3.3.11. Configuration files</A
-></H2
-><P
->	  
-	    Imagine you have instrumented the mother of all server applications.
-	    Building it takes forever, and every now and then you need to change
-	    some of the parameters that your Broccoli code uses, such as the host names
-	    of the Bro agents to talk to.
-	    To allow you to do this quickly, Broccoli comes with support for
-	    configuration files. All you need to do is change the settings in the
-	    file and restart the application (we're considering adding support
-	    for volatile configuration items that are read from the file every
-	    time they are requested).	  
-        </P
-><P
->	    A configuration is read from a single configuration file.
-	    This file can be read from two different locations:
-	    <P
-></P
-><UL
-><LI
-><P
->The system-wide configuration file. You can obtain the location
-	          of this config file by running <TT
-CLASS="FILENAME"
->broccoli-config --config</TT
->.
-		</P
-></LI
-><LI
-><P
->Alternatively, a per-user configuration file stored in <TT
-CLASS="FILENAME"
->~/.broccoli.conf</TT
->
-		  can be used.
-		</P
-></LI
-></UL
->
-            If a user has a configuration file in <TT
-CLASS="FILENAME"
->~/.broccoli.conf</TT
->,
-	    it is used exclusively, otherwise the global one is used.
-         </P
-><DIV
-CLASS="CAUTION"
-><P
-></P
-><TABLE
-CLASS="CAUTION"
-WIDTH="100%"
-BORDER="0"
-><TR
-><TD
-WIDTH="25"
-ALIGN="CENTER"
-VALIGN="TOP"
-><IMG
-SRC="images/caution.gif"
-HSPACE="5"
-ALT="Caution"></TD
-><TD
-ALIGN="LEFT"
-VALIGN="TOP"
-><P
-><SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
-><TT
-CLASS="FILENAME"
->~/.broccoli.conf</TT
-> will only be used if
-	    it is a regular file, not executable, and neither group nor others have
-	    any permissions on the file. That is, the file's permissions must look
-	    like <CODE
-CLASS="FUNCTION"
->-rw-------</CODE
-> or <CODE
-CLASS="FUNCTION"
->-r--------</CODE
->.
-	    </B
-></SPAN
-></P
-></TD
-></TR
-></TABLE
-></DIV
-><P
->	    In the configuration file, a "#" anywhere starts a comment that runs
-	    to the end of the line. Configuration items are specified as key-value
-	    pairs:
-        </P
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
-># This is the Broccoli system-wide configuration file.
-#
-# Entries are of the form &#60;identifier&#62; &#60;value&#62;, where the identifier
-# is a sequence of letters, and value can be a string (including
-# whitespace), and floating point or integer numbers. Comments start
-# with a "#" and go to the end of the line. For boolean values, you
-# may also use "yes", "on", "true", "no", "off", or "false".
-# Strings may contain whitespace, but need to be surrounded by
-# double quotes '"'.
-#
-# Examples:
-#
-Foo/PeerName          mybro.securesite.com
-Foo/PortNum           123
-Bar/SomeFloat         1.23443543
-Bar/SomeLongStr       "Hello World"
-        </PRE
-></TD
-></TR
-></TABLE
-><P
->            You can also have multiple sections in your configuration. Your application can
-	    select a section as the current one, and queries for configuration settings will
-	    then only be answered with values specified in that section. A section is started
-	    by putting its name (no whitespace please) between square brackets. Configuration
-	    items positioned before the first section title are in the default domain and
-	    will be used by default.
-        </P
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
-># This section contains all settings for myapp.
-[ myapp ]
-        </PRE
-></TD
-></TR
-></TABLE
-><P
->	    You can name identifiers any way you like, but to keep things
-	    organized it is recommended to keep a namespace hierarchy similar
-	    to the file system. In the code, you can query configuration
-	    items using
-	    <A
-HREF="broccoli-broccoli.html#BRO-CONF-GET-STR"
-><CODE
-CLASS="FUNCTION"
->bro_conf_get_str()</CODE
-></A
->,
-            <A
-HREF="broccoli-broccoli.html#BRO-CONF-GET-INT"
-><CODE
-CLASS="FUNCTION"
->bro_conf_get_int()</CODE
-></A
->, and
-            <A
-HREF="broccoli-broccoli.html#BRO-CONF-GET-DBL"
-><CODE
-CLASS="FUNCTION"
->bro_conf_get_dbl()</CODE
-></A
->.
-	    You can switch between sections using 
-            <A
-HREF="broccoli-broccoli.html#BRO-CONF-SET-DOMAIN"
-><CODE
-CLASS="FUNCTION"
->bro_conf_set_domain()</CODE
-></A
->.
-        </P
-></DIV
-><BR
-CLEAR="all"><DIV
-CLASS="SECT2"
-><H2
-CLASS="SECT2"
-><A
-NAME="AEN696"
->3.3.12. Using dynamic buffers</A
-></H2
-><P
->	    Broccoli provides an API for dynamically allocatable, growable, shrinkable,
-	    and consumable buffers with <CODE
-CLASS="FUNCTION"
->BroBuf</CODE
->s. You may or may
-	    not find this useful &mdash; Broccoli mainly provides this feature in
-	    <TT
-CLASS="FILENAME"
->broccoli.h</TT
-> because these buffers are used internally
-	    anyway and because they are typical case of something that people implement
-	    themselves over and over again, for example to collect a set of data before
-	    sending it through a file descriptor, etc.
-        </P
-><P
->	    The buffers work as follows. The structure implementing a buffer is
-	    called BroBuf. BroBufs are initialized to a default size when created via
-	    <A
-HREF="broccoli-broccoli.html#BRO-BUF-NEW"
-><CODE
-CLASS="FUNCTION"
->bro_buf_new()</CODE
-></A
->,
-	    and released using 
-	    <A
-HREF="broccoli-broccoli.html#BRO-BUF-FREE"
-><CODE
-CLASS="FUNCTION"
->bro_buf_free()</CODE
-></A
->.
-            Each BroBuf has a content
-	    pointer that points to an arbitrary location between the start of the
-            buffer and the first byte after the last byte currently
-            used in the buffer (see buf_off in the illustration below). The content
-	    pointer can seek to arbitrary locations, and data can be copied from and
-	    into the buffer, adjusting the content pointer accordingly.
-	    You can repeatedly append data to end of the buffer's used contents using
-	    <A
-HREF="broccoli-broccoli.html#BRO-BUF-APPEND"
-><CODE
-CLASS="FUNCTION"
->bro_buf_append()</CODE
-></A
->.	    
-        </P
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->&#13;   &#60;---------------- allocated buffer space ------------&#62;
-   &#60;======== used buffer space ========&#62;
-   ^              ^                    ^               ^                 
-   |              |                    |               |
-   `buf           `buf_ptr             `buf_off        `buf_len
-        </PRE
-></TD
-></TR
-></TABLE
-><P
->	    Have a look at the following functions for the details:
-	    <A
-HREF="broccoli-broccoli.html#BRO-BUF-NEW"
-><CODE
-CLASS="FUNCTION"
->bro_buf_new()</CODE
-></A
->,
-	    <A
-HREF="broccoli-broccoli.html#BRO-BUF-FREE"
-><CODE
-CLASS="FUNCTION"
->bro_buf_free()</CODE
-></A
->,
-	    <A
-HREF="broccoli-broccoli.html#BRO-BUF-APPEND"
-><CODE
-CLASS="FUNCTION"
->bro_buf_append()</CODE
-></A
->,
-	    <A
-HREF="broccoli-broccoli.html#BRO-BUF-CONSUME"
-><CODE
-CLASS="FUNCTION"
->bro_buf_consume()</CODE
-></A
->,
-	    <A
-HREF="broccoli-broccoli.html#BRO-BUF-RESET"
-><CODE
-CLASS="FUNCTION"
->bro_buf_reset()</CODE
-></A
->,
-	    <A
-HREF="broccoli-broccoli.html#BRO-BUF-GET"
-><CODE
-CLASS="FUNCTION"
->bro_buf_get()</CODE
-></A
->,
-	    <A
-HREF="broccoli-broccoli.html#BRO-BUF-GET-END"
-><CODE
-CLASS="FUNCTION"
->bro_buf_get_end()</CODE
-></A
->,
-	    <A
-HREF="broccoli-broccoli.html#BRO-BUF-GET-SIZE"
-><CODE
-CLASS="FUNCTION"
->bro_buf_get_size()</CODE
-></A
->,
-	    <A
-HREF="broccoli-broccoli.html#BRO-BUF-GET-USED-SIZE"
-><CODE
-CLASS="FUNCTION"
->bro_buf_get_used_size()</CODE
-></A
->,
-	    <A
-HREF="broccoli-broccoli.html#BRO-BUF-PTR-GET"
-><CODE
-CLASS="FUNCTION"
->bro_buf_ptr_get()</CODE
-></A
->,
-	    <A
-HREF="broccoli-broccoli.html#BRO-BUF-PTR-TELL"
-><CODE
-CLASS="FUNCTION"
->bro_buf_ptr_tell()</CODE
-></A
->,
-	    <A
-HREF="broccoli-broccoli.html#BRO-BUF-PTR-SEEK"
-><CODE
-CLASS="FUNCTION"
->bro_buf_ptr_seek()</CODE
-></A
->,
-	    <A
-HREF="broccoli-broccoli.html#BRO-BUF-PTR-CHECK"
-><CODE
-CLASS="FUNCTION"
->bro_buf_ptr_check()</CODE
-></A
->, and
-	    <A
-HREF="broccoli-broccoli.html#BRO-BUF-PTR-READ"
-><CODE
-CLASS="FUNCTION"
->bro_buf_ptr_read()</CODE
-></A
->.
-        </P
-></DIV
-></DIV
-><BR
-CLEAR="all"><DIV
-CLASS="SECT1"
-><H1
-CLASS="SECT1"
-><A
-NAME="AEN738"
->3.4. Configuring encrypted communication</A
-></H1
-><P
->	Encrypted communication between Bro peers takes place over an SSL connection in
-	which both endpoints of the connection are authenticated. This requires at least
-	some PKI in the form of a certificate authority (CA) which you use to issue and sign
-	certificates for your Bro peers. To facilitate the SSL setup, each peer requires
-	three documents: a certificate signed by the CA and containing the public key, the
-	corresponding private key, and a copy of the CA's certificate.
-      </P
-><P
->        The OpenSSL command line tool <B
-CLASS="COMMAND"
->openssl</B
-> can be used to create all
-	files neccessary, but its unstructured arguments and poor documentation make it
-	a pain to use and waste lots of people a lot of time<A
-NAME="AEN743"
-HREF="#FTN.AEN743"
-><SPAN
-CLASS="footnote"
->[1]</SPAN
-></A
->. Therefore, the Bro distribution comes with two scripts,
-	<B
-CLASS="COMMAND"
->ca-create</B
-> and <B
-CLASS="COMMAND"
->ca-issue</B
->. You use the former
-	once to set up your CA, and the latter to create a certificate for each of the Bro
-	peers in your infrastructure.
-	<P
-></P
-><UL
-><LI
-><P
-><B
-CLASS="COMMAND"
->ca-create</B
-> lets you choose a directory in which the
-	      CA maintains its files. If you set <CODE
-CLASS="VARNAME"
->BRO_CA_DIR</CODE
-> in your
-	      environment, it will be used for this purpose. After entering a passphrase
-	      for the private key of your CA, you can find the self-signed certificate
-	      of your CA in <TT
-CLASS="FILENAME"
->$BRO_CA_DIR/ca_cert.pem</TT
->.
-	    </P
-></LI
-><LI
-><P
-><B
-CLASS="COMMAND"
->ca-issue</B
-> first requires the directory of the CA,
-	      offering <TT
-CLASS="FILENAME"
->$BRO_CA_DIR</TT
-> if that is found. It asks you for
-	      a prefix for the certificate to be generated, for the passphrase of the
-	      private key of the CA so the new certificate can be signed, for the
-	      passphrase for the new private key, and for a few parameters that make up
-	      the "distinguished name" of the certificate. This name (i.e., the combination
-	      of all the fields you enter a value for) must be unique among all your Bro
-	      peers. Once that is done, you find a new certificate named
-	      <TT
-CLASS="FILENAME"
->&lt;prefix&gt;.pem</TT
-> in your current
-	      directory. This file actually consists of two of the three cryptographic
-	      documents mentioned above, namely the new certificate and the private key.
-              We refer to it as "certificate" for simplicity.
-	    </P
-></LI
-></UL
->
-	In order to enable encrypted communication for your Broccoli application, you
-	need to put the CA certificate and the peer certificate in the
-	<CODE
-CLASS="VARNAME"
->/broccoli/ca_cert</CODE
-> and 
-	<CODE
-CLASS="VARNAME"
->/broccoli/host_cert</CODE
-> keys, respectively, in the configuration file.
-	To quickly enable/disable a certificate configuration, the
-	<CODE
-CLASS="VARNAME"
->/broccoli/use_ssl</CODE
-> key can be used.
-	<DIV
-CLASS="CAUTION"
-><P
-></P
-><TABLE
-CLASS="CAUTION"
-WIDTH="100%"
-BORDER="0"
-><TR
-><TD
-WIDTH="25"
-ALIGN="CENTER"
-VALIGN="TOP"
-><IMG
-SRC="images/caution.gif"
-HSPACE="5"
-ALT="Caution"></TD
-><TD
-ALIGN="LEFT"
-VALIGN="TOP"
-><P
-><SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->This is where you configure whether to use encrypted or unencrypted
-	    connections.</B
-></SPAN
-></P
-><P
->If the <CODE
-CLASS="VARNAME"
->/broccoli/use_ssl</CODE
-> key is present and set to one of
-		"yes", "true", "on", or 1, then SSL will be used and an incorrect or
-		missing certificate configuration will cause connection attempts to fail.
-		If the key's value is one of "no", "false", "off", or 0, then in no case
-		will SSL be used and connections will always be cleartext.
-	  </P
-><P
->If the <CODE
-CLASS="VARNAME"
->/broccoli/use_ssl</CODE
-> key is <SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->not</B
-></SPAN
->
-		present, then SSL will be used if a certificate configuration is
-		found, and invalid certificates will cause the connection to fail.
-		If no certificates are configured, cleartext connections will be used.
-	  </P
-><P
->In no case does an SSL-enabled setup ever fall back to a cleartext one.</P
-></TD
-></TR
-></TABLE
-></DIV
->
-      </P
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->/broccoli/use_ssl	   yes
-/broccoli/ca_cert          &#60;path&#62;/ca_cert.pem
-/broccoli/host_cert        &#60;path&#62;/bro_cert.pem
-      </PRE
-></TD
-></TR
-></TABLE
-><P
->        In a Bro policy, you need to load the <TT
-CLASS="FILENAME"
->listen-ssl.bro</TT
-> policy and
-	redef <CODE
-CLASS="VARNAME"
->ssl_ca_certificate</CODE
-> and <CODE
-CLASS="VARNAME"
->ssl_private_key</CODE
->,
-	defined in <TT
-CLASS="FILENAME"
->bro.init</TT
->:
-      </P
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->@load listen-ssl
-
-redef ssl_ca_certificate   = "&#60;path&#62;/ca_cert.pem";
-redef ssl_private_key      = "&#60;path&#62;/bro.pem";
-      </PRE
-></TD
-></TR
-></TABLE
-><P
->	By default, you will be prompted for the passphrase for the private key matching
-	the public key in your agent's certificate. Depending on your application's user
-	interface and deployment, this may be inappropriate. You can store the passphrase
-	in the config file as well, using the following identifier:
-      </P
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->/broccoli/host_pass        foobar
-      </PRE
-></TD
-></TR
-></TABLE
-><DIV
-CLASS="CAUTION"
-><P
-></P
-><TABLE
-CLASS="CAUTION"
-WIDTH="100%"
-BORDER="0"
-><TR
-><TD
-WIDTH="25"
-ALIGN="CENTER"
-VALIGN="TOP"
-><IMG
-SRC="images/caution.gif"
-HSPACE="5"
-ALT="Caution"></TD
-><TD
-ALIGN="LEFT"
-VALIGN="TOP"
-><P
-><SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->Make sure that access to your configuration is restricted.</B
-></SPAN
-></P
-><P
->	  If you provide the passphrase this way, it is obviously essential to have
-	  restrictive permissions on the configuration file. Broccoli partially enforces
-	  this. Please refer to the section on
-	  <A
-HREF="c84.html#AEN665"
->configuration files</A
-> for details.
-        </P
-></TD
-></TR
-></TABLE
-></DIV
-></DIV
-><BR
-CLEAR="all"><DIV
-CLASS="SECT1"
-><H1
-CLASS="SECT1"
-><A
-NAME="AEN784"
->3.5. Configuring event reception in Bro policies</A
-></H1
-><P
->	Before a remote Bro will accept your connection and your events, it needs to have its
-	policy configured accordingly:	  
-	<P
-></P
-><OL
-TYPE="1"
-><LI
-><P
->Load either <TT
-CLASS="FILENAME"
->listen-ssl</TT
-> or <TT
-CLASS="FILENAME"
->listen-clear</TT
->,
-	      depending on whether you want to have encrypted or cleartext communication. Obviously,
-	      encrypting the event exchange is recommended and cleartext should only be used for
-	      early experimental setups. See below for details on how to set up encrypted
-	      communication via SSL.
-	    </P
-></LI
-><LI
-><P
->	      You need to find a port to use for the Bros and Broccoli applications that will
-	      listen for connections. Every such agent can use a different port, though default
-	      ports are provided in the Bro policies.
-	      To change the port the Bro agent will be listening on from its default
-	      redefine the <CODE
-CLASS="VARNAME"
->listen_port_ssl</CODE
-> or
-	      <CODE
-CLASS="VARNAME"
->listen_port_clear</CODE
-> variables from <TT
-CLASS="FILENAME"
->listen-clear.bro</TT
->
-	      or <TT
-CLASS="FILENAME"
->listen-ssl.bro</TT
->, respectively. Have a look at these policies as well
-	      as <TT
-CLASS="FILENAME"
->remote.bro</TT
-> for the default values. Here is the policy
-	      for the unencrypted case:
-	    </P
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->@load listen-clear
-
-redef listen_port_clear = 12345/tcp;
-            </PRE
-></TD
-></TR
-></TABLE
-><P
->	      Including the settings for the cryptographic files introduced in the previous section, 
-	      here is the encrypted one:
-	    </P
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->@load listen-ssl
-
-redef listen_port_ssl = 12345/tcp;
-redef ssl_ca_certificate   = "&#60;path&#62;/ca_cert.pem";
-redef ssl_private_key      = "&#60;path&#62;/bro.pem";
-            </PRE
-></TD
-></TR
-></TABLE
-></LI
-><LI
-><P
->	      The policy controlling which peers a Bro agent will communicate with and how this
-	      communication will happen are defined in the <CODE
-CLASS="VARNAME"
->destinations</CODE
-> table
-	      defined in <TT
-CLASS="FILENAME"
->remote.bro</TT
->. This table contains entries of type
-	      <SPAN
-CLASS="TYPE"
->Destination</SPAN
->, whose members mostly provide default values so you do not
-	      need to define everything. You need to come up with a tag for the connection
-	      under which it can be found in the table (a creative one would be "broccoli"),
-	      the IP address of the peer, the pattern of names of the events the Bro will accept
-	      from you, whether you want Bro to connect to your
-	      machine on startup or not, if so, a port to connect to (defaults are
-	      <CODE
-CLASS="VARNAME"
->default_port_ssl</CODE
-> and <CODE
-CLASS="VARNAME"
->default_port_clear</CODE
->, also
-	      defined in <TT
-CLASS="FILENAME"
->remote.bro</TT
->), a retry timeout, whether to use SSL,
-	      and the class of a connection as set on the Broccoli side via
-	    <A
-HREF="broccoli-broccoli.html#BRO-CONN-SET-CLASS"
-><CODE
-CLASS="FUNCTION"
->bro_conn_set_class()</CODE
-></A
->.
-	    </P
-><P
->	      An example could look as follows:
-	    </P
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->&#13;redef Remote::destinations += {
-	["broping"] = [$host = 127.0.0.1, $class="broping", $events = /ping/, $connect=F, $ssl=F]
-};
-            </PRE
-></TD
-></TR
-></TABLE
-><P
->	      This example is taken from <TT
-CLASS="FILENAME"
->broping.bro</TT
->, the policy the
-	      remote Bro must run when you want to use the <B
-CLASS="COMMAND"
->broping</B
-> tool
-	      explained in the <A
-HREF="c84.html#AEN842"
->section on testing</A
-> below.
-	      It will allow an agent on the local host to connect and send "ping" events.
-	      Our Bro will not attempt to connect, and incoming connections will be expected
-	      in cleartext.
-	    </P
-></LI
-></OL
->
-      </P
-></DIV
-><BR
-CLEAR="all"><DIV
-CLASS="SECT1"
-><H1
-CLASS="SECT1"
-><A
-NAME="AEN818"
->3.6. Configuring debugging output</A
-></H1
-><P
->	  If your Broccoli installation was configured with <B
-CLASS="COMMAND"
->--enable-debug</B
->,
-	  Broccoli will report two kinds of debugging information: (<SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->i</B
-></SPAN
->)
-	  function call traces and
-	  (<SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->ii</B
-></SPAN
->) individual debugging messages. Both are enabled by default, but can be adjusted
-	  in two ways.
-	  <P
-></P
-><UL
-><LI
-><P
->In the configuration file: in the appropriate section of the configuration
-	        file, you can set the keys <CODE
-CLASS="FUNCTION"
->/broccoli/debug_messages</CODE
-> and
-		<CODE
-CLASS="FUNCTION"
->/broccoli/debug_calltrace</CODE
-> to <CODE
-CLASS="FUNCTION"
->on</CODE
->/<CODE
-CLASS="FUNCTION"
->off</CODE
->
-		to enable/disable the corresponding output.
-	      </P
-></LI
-><LI
-><P
->In code: you can set the variables 
-	      	<A
-HREF="broccoli-broccoli.html#BRO-DEBUG-CALLTRACE"
-><CODE
-CLASS="FUNCTION"
->bro_debug_calltrace</CODE
-></A
-> and
-	        <A
-HREF="broccoli-broccoli.html#BRO-DEBUG-MESSAGES"
-><CODE
-CLASS="FUNCTION"
->bro_debug_messages</CODE
-></A
->
-	        to 1/0 at any time to enable/disable the corresponding output.
-	      </P
-></LI
-></UL
->	 
-      </P
-><P
->	  By default, debugging output is inactive (even with debuggin support compiled in).
-	  You need to enable it explicitly either in your code by assigning 1 to 
-	  <A
-HREF="broccoli-broccoli.html#BRO-DEBUG-CALLTRACE"
-><CODE
-CLASS="FUNCTION"
->bro_debug_calltrace</CODE
-></A
-> and
-	  <A
-HREF="broccoli-broccoli.html#BRO-DEBUG-MESSAGES"
-><CODE
-CLASS="FUNCTION"
->bro_debug_messages</CODE
-></A
->,
-	  or by enabling it in the configuration file.
-      </P
-></DIV
-><BR
-CLEAR="all"><DIV
-CLASS="SECT1"
-><H1
-CLASS="SECT1"
-><A
-NAME="AEN842"
->3.7. Test programs</A
-></H1
-><P
->	  The Broccoli distribution comes with a few small test programs,
-	  located in the <TT
-CLASS="FILENAME"
->test/</TT
-> directory of the tree.
-	  The most notable one is <CODE
-CLASS="FUNCTION"
->broping</CODE
->
-	  <A
-NAME="AEN847"
-HREF="#FTN.AEN847"
-><SPAN
-CLASS="footnote"
->[2]</SPAN
-></A
->, a mini-version of ping.
-	  It sends "ping" events to a remote Bro agent, expecting "pong" events
-	  in return. It operates in two flavours: one uses atomic types for sending
-	  information across, and the other one uses records. The Bro agent you want
-	  to ping needs to run either the <TT
-CLASS="FILENAME"
->broping.bro</TT
-> or
-	  <TT
-CLASS="FILENAME"
->broping-record.bro</TT
-> policies. You can find these
-	  in the <TT
-CLASS="FILENAME"
->test/</TT
-> directory of the source tree, and
-	  in <TT
-CLASS="FILENAME"
->&lt;prefix&gt;/share/broccoli</TT
-> in the installed
-	  version. <TT
-CLASS="FILENAME"
->broping.bro</TT
-> is shown below. By default,
-	  pinging a Bro on the same machine is configured. If you want your Bro
-	  to be pinged from another machine, you need to update the
-	  <CODE
-CLASS="VARNAME"
->destinations</CODE
-> variable accordingly.
-      </P
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->@load listen-clear;
-
-global ping_log = open_log_file("ping");
-
-redef Remote::destinations += {
-	["broping"] = [$host = 127.0.0.1, $events = /ping/, $connect=F, $retry = 60 secs, $ssl=F]
-};
-
-event ping(src_time: time, seq: count)
-{
-        event pong(src_time, current_time(), seq);
-}
-
-event pong(src_time: time, dst_time: time, seq: count)
-{
-        print ping_log, fmt("ping received, seq %d, %f at src, %f at dest, one-way: %f",
-                            seq, src_time, dst_time, dst_time-src_time);
-}
-      </PRE
-></TD
-></TR
-></TABLE
-><P
->        <CODE
-CLASS="FUNCTION"
->broping</CODE
-> sends ping events to Bro. Bro accepts those because they are configured
-	accordingly in the destinations table. As shown in the policy, ping events
-	trigger pong events, and <CODE
-CLASS="FUNCTION"
->broccoli</CODE
-> requests delivery of all pong events back to it.
-	When running <CODE
-CLASS="FUNCTION"
->broping</CODE
->, you'll see something like this:
-      </P
-><TABLE
-WIDTH="100%"
-BORDER="0"
-BGCOLOR="#eaeaf0"
-><TR
-><TD
-><PRE
-CLASS="PROGRAMLISTING"
->cpk25@localhost:/home/cpk25/devel/broccoli &#62; ./test/broping
-pong event from 127.0.0.1: seq=1, time=0.004700/1.010303 s
-pong event from 127.0.0.1: seq=2, time=0.053777/1.010266 s
-pong event from 127.0.0.1: seq=3, time=0.006435/1.010284 s
-pong event from 127.0.0.1: seq=4, time=0.020278/1.010319 s
-pong event from 127.0.0.1: seq=5, time=0.004563/1.010187 s
-pong event from 127.0.0.1: seq=6, time=0.005685/1.010393 s
-      </PRE
-></TD
-></TR
-></TABLE
-></DIV
-></DIV
-><H3
-CLASS="FOOTNOTES"
->Notes</H3
-><TABLE
-BORDER="0"
-CLASS="FOOTNOTES"
-WIDTH="100%"
-><TR
-><TD
-ALIGN="LEFT"
-VALIGN="TOP"
-WIDTH="5%"
-><A
-NAME="FTN.AEN743"
-HREF="c84.html#AEN743"
-><SPAN
-CLASS="footnote"
->[1]</SPAN
-></A
-></TD
-><TD
-ALIGN="LEFT"
-VALIGN="TOP"
-WIDTH="95%"
-><P
->In other
-	documents and books on OpenSSL you will find this expressed more politely, using
-	terms such as "daunting to the uninitiated", "challenging", "complex", "intimidating".
-	</P
-></TD
-></TR
-><TR
-><TD
-ALIGN="LEFT"
-VALIGN="TOP"
-WIDTH="5%"
-><A
-NAME="FTN.AEN847"
-HREF="c84.html#AEN847"
-><SPAN
-CLASS="footnote"
->[2]</SPAN
-></A
-></TD
-><TD
-ALIGN="LEFT"
-VALIGN="TOP"
-WIDTH="95%"
-><P
->Pronunciation is said to be somewhere on the continuum between
-	  "brooping" and "burping".</P
-></TD
-></TR
-></TABLE
-><DIV
-CLASS="NAVFOOTER"
-><HR
-ALIGN="LEFT"
-WIDTH="100%"><TABLE
-SUMMARY="Footer navigation table"
-WIDTH="100%"
-BORDER="0"
-CELLPADDING="0"
-CELLSPACING="0"
-><TR
-><TD
-WIDTH="33%"
-ALIGN="left"
-VALIGN="top"
-><A
-HREF="c54.html"
-ACCESSKEY="P"
->Prev</A
-></TD
-><TD
-WIDTH="34%"
-ALIGN="center"
-VALIGN="top"
-><A
-HREF="index.html"
-ACCESSKEY="H"
->Home</A
-></TD
-><TD
-WIDTH="33%"
-ALIGN="right"
-VALIGN="top"
-><A
-HREF="api.html"
-ACCESSKEY="N"
->Next</A
-></TD
-></TR
-><TR
-><TD
-WIDTH="33%"
-ALIGN="left"
-VALIGN="top"
->Installing Broccoli</TD
-><TD
-WIDTH="34%"
-ALIGN="center"
-VALIGN="top"
->&nbsp;</TD
-><TD
-WIDTH="33%"
-ALIGN="right"
-VALIGN="top"
->Broccoli API Reference</TD
-></TR
-></TABLE
-></DIV
-></BODY
-></HTML
->
\ No newline at end of file
diff --git a/aux/broccoli/docs/html/index.html b/aux/broccoli/docs/html/index.html
deleted file mode 100644
index 75cb71912e..0000000000
--- a/aux/broccoli/docs/html/index.html
+++ /dev/null
@@ -1,331 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<HTML
-><HEAD
-><TITLE
->Broccoli: The Bro Client Communications Library</TITLE
-><META
-NAME="GENERATOR"
-CONTENT="Modular DocBook HTML Stylesheet Version 1.79"><LINK
-REL="NEXT"
-TITLE="Introduction"
-HREF="c20.html"><LINK
-REL="STYLESHEET"
-TYPE="text/css"
-HREF="stylesheet.css"></HEAD
-><BODY
-CLASS="BOOK"
-BGCOLOR="#FFFFFF"
-TEXT="#000000"
-LINK="#0000FF"
-VLINK="#840084"
-ALINK="#0000FF"
-><DIV
-CLASS="BOOK"
-><DIV
-CLASS="TITLEPAGE"
-><H1
-CLASS="TITLE"
-><A
-NAME="INDEX"
->Broccoli: The Bro Client Communications Library</A
-></H1
-><DIV
-CLASS="MEDIAOBJECT"
-><P
-><IMG
-SRC="images/logo.jpg"
-ALIGN="CENTER"></P
-></DIV
-><DIV
-><DIV
-CLASS="ABSTRACT"
-><P
-></P
-><A
-NAME="AEN9"
-></A
-><P
->	This is documentation for release <SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->1.5</B
-></SPAN
->
-	of Broccoli, compatible with Bro IDS releases of <SPAN
-CLASS="emphasis"
-><B
-CLASS="EMPHASIS"
->1.5</B
-></SPAN
->
-	or newer. Broccoli is free software under terms of the BSD license as given
-	in the <A
-HREF="a3637.html#LICENSE"
->License</A
->
-	section. This documentation is always available on the web for download
-	and online browsing at
-	<A
-HREF="http://www.icir.org/christian/broccoli"
-TARGET="_top"
->http://www.icir.org/christian/broccoli</A
->.
-      </P
-><P
->Feedback, patches and bug reports are all welcome, please
-	<A
-HREF="http://mailman.icsi.berkeley.edu/mailman/listinfo/bro"
-TARGET="_top"
->join the Bro mailing list</A
->.
-      </P
-><P
->	Yet Another SRG/ICIR Production &mdash;
-	<A
-HREF="http://www.cl.cam.ac.uk/Research/SRG"
-TARGET="_top"
->http://www.cl.cam.ac.uk/Research/SRG</A
-> &mdash;
-	<A
-HREF="http://www.icir.org"
-TARGET="_top"
->http://www.icir.org</A
->
-      </P
-><P
-></P
-></DIV
-></DIV
-></DIV
-><DIV
-CLASS="TOC"
-><DL
-><DT
-><B
->Table of Contents</B
-></DT
-><DT
->1. <A
-HREF="c20.html"
->Introduction</A
-></DT
-><DD
-><DL
-><DT
->1.1. <A
-HREF="c20.html#AEN23"
->What is Broccoli?</A
-></DT
-><DT
->1.2. <A
-HREF="c20.html#AEN34"
->Why do I care?</A
-></DT
-></DL
-></DD
-><DT
->2. <A
-HREF="c54.html"
->Installing Broccoli</A
-></DT
-><DT
->3. <A
-HREF="c84.html"
->Using Broccoli</A
-></DT
-><DD
-><DL
-><DT
->3.1. <A
-HREF="c84.html#AEN87"
->Obtaining information about your build using <TT
-CLASS="FILENAME"
->broccoli-config</TT
-></A
-></DT
-><DT
->3.2. <A
-HREF="c84.html#AEN121"
->Suggestions for instrumenting applications</A
-></DT
-><DT
->3.3. <A
-HREF="c84.html#AEN134"
->The Broccoli API</A
-></DT
-><DD
-><DL
-><DT
->3.3.1. <A
-HREF="c84.html#AEN143"
->Initialization</A
-></DT
-><DT
->3.3.2. <A
-HREF="c84.html#AEN167"
->Data types in Broccoli</A
-></DT
-><DT
->3.3.3. <A
-HREF="c84.html#AEN226"
->Managing connections</A
-></DT
-><DT
->3.3.4. <A
-HREF="c84.html#AEN286"
->Connection classes</A
-></DT
-><DT
->3.3.5. <A
-HREF="c84.html#AEN300"
->Composing and sending events</A
-></DT
-><DT
->3.3.6. <A
-HREF="c84.html#AEN461"
->Receiving events</A
-></DT
-><DT
->3.3.7. <A
-HREF="c84.html#AEN554"
->Handling records</A
-></DT
-><DT
->3.3.8. <A
-HREF="c84.html#AEN599"
->Handling tables</A
-></DT
-><DT
->3.3.9. <A
-HREF="c84.html#AEN636"
->Handling sets</A
-></DT
-><DT
->3.3.10. <A
-HREF="c84.html#AEN653"
->Associating data with connections</A
-></DT
-><DT
->3.3.11. <A
-HREF="c84.html#AEN665"
->Configuration files</A
-></DT
-><DT
->3.3.12. <A
-HREF="c84.html#AEN696"
->Using dynamic buffers</A
-></DT
-></DL
-></DD
-><DT
->3.4. <A
-HREF="c84.html#AEN738"
->Configuring encrypted communication</A
-></DT
-><DT
->3.5. <A
-HREF="c84.html#AEN784"
->Configuring event reception in Bro policies</A
-></DT
-><DT
->3.6. <A
-HREF="c84.html#AEN818"
->Configuring debugging output</A
-></DT
-><DT
->3.7. <A
-HREF="c84.html#AEN842"
->Test programs</A
-></DT
-></DL
-></DD
-><DT
->4. <A
-HREF="api.html"
->Broccoli API Reference</A
-></DT
-><DD
-><DL
-><DT
-><A
-HREF="broccoli-broccoli.html"
->broccoli</A
->&nbsp;--&nbsp;</DT
-></DL
-></DD
-><DT
->A. <A
-HREF="a3637.html"
->Appendix</A
-></DT
-><DD
-><DL
-><DT
->A.1. <A
-HREF="a3637.html#LICENSE"
->License</A
-></DT
-><DT
->A.2. <A
-HREF="a3637.html#ABOUT"
->About this document</A
-></DT
-></DL
-></DD
-></DL
-></DIV
-></DIV
-><DIV
-CLASS="NAVFOOTER"
-><HR
-ALIGN="LEFT"
-WIDTH="100%"><TABLE
-SUMMARY="Footer navigation table"
-WIDTH="100%"
-BORDER="0"
-CELLPADDING="0"
-CELLSPACING="0"
-><TR
-><TD
-WIDTH="33%"
-ALIGN="left"
-VALIGN="top"
->&nbsp;</TD
-><TD
-WIDTH="34%"
-ALIGN="center"
-VALIGN="top"
->&nbsp;</TD
-><TD
-WIDTH="33%"
-ALIGN="right"
-VALIGN="top"
-><A
-HREF="c20.html"
-ACCESSKEY="N"
->Next</A
-></TD
-></TR
-><TR
-><TD
-WIDTH="33%"
-ALIGN="left"
-VALIGN="top"
->&nbsp;</TD
-><TD
-WIDTH="34%"
-ALIGN="center"
-VALIGN="top"
->&nbsp;</TD
-><TD
-WIDTH="33%"
-ALIGN="right"
-VALIGN="top"
->Introduction</TD
-></TR
-></TABLE
-></DIV
-></BODY
-></HTML
->
diff --git a/aux/broccoli/docs/html/index.sgml b/aux/broccoli/docs/html/index.sgml
deleted file mode 100644
index fec1661891..0000000000
--- a/aux/broccoli/docs/html/index.sgml
+++ /dev/null
@@ -1 +0,0 @@
-<ANCHOR id ="BROCCOLI-BROCCOLI" href="broccoli/broccoli-broccoli.html">
diff --git a/aux/broccoli/docs/html/stylesheet.css b/aux/broccoli/docs/html/stylesheet.css
deleted file mode 100644
index be89020cf9..0000000000
--- a/aux/broccoli/docs/html/stylesheet.css
+++ /dev/null
@@ -1,30 +0,0 @@
-body          { margin-left:10px;
-		margin-right:10px;
-		margin-top:10px;
-		margin-bottom:10px;
-		color:#101010;
-                background-repeat:no-repeat;
-              }
-
-h1.title      { text-align:center; }
-.abstract     { text-align:center;
-		margin-left:100px;
-		margin-right:100px; }
-
-.caption      { margin-left:100px;
-		margin-right:100px;
-		font-style:italic; }
-
-.programlisting { font-size:12px;
-		  font-family:courier;
-		}
-
-.type 		{ font-size:12px;
-		  font-family:courier;
-		}
-
-.mediaobject  { text-align:center; }
-
-span, h1, h2, h3, h4, p, div, table { font-family:arial,helvetica; }
-
-li            { margin-bottom:10px }
diff --git a/aux/broccoli/docs/images/caution.gif b/aux/broccoli/docs/images/caution.gif
deleted file mode 100644
index cf7c80e772..0000000000
Binary files a/aux/broccoli/docs/images/caution.gif and /dev/null differ
diff --git a/aux/broccoli/docs/images/logo.jpg b/aux/broccoli/docs/images/logo.jpg
deleted file mode 100644
index 35c50f6c4d..0000000000
Binary files a/aux/broccoli/docs/images/logo.jpg and /dev/null differ
diff --git a/aux/broccoli/docs/images/note.gif b/aux/broccoli/docs/images/note.gif
deleted file mode 100644
index d731483816..0000000000
Binary files a/aux/broccoli/docs/images/note.gif and /dev/null differ
diff --git a/aux/broccoli/docs/images/warning.gif b/aux/broccoli/docs/images/warning.gif
deleted file mode 100644
index 2abc1cfb89..0000000000
Binary files a/aux/broccoli/docs/images/warning.gif and /dev/null differ
diff --git a/aux/broccoli/docs/mkhtml.in b/aux/broccoli/docs/mkhtml.in
deleted file mode 100755
index 126e3dac65..0000000000
--- a/aux/broccoli/docs/mkhtml.in
+++ /dev/null
@@ -1,35 +0,0 @@
-#!/bin/sh
-#
-# Hacked version of gtkdoc-mkhtml to allow using different stylesheets.
-
-usage="\
-Usage: mkhtml MODULE SGML_FILE STYLESHEET"
-
-if test "x$1" = "x--version"; then
-      echo "0.10"
-      exit 0
-fi
-
-if test $# -lt 2; then
-      echo "${usage}" 1>&2
-      exit 1
-fi
-
-module=$1
-document=$2
-gtkdocdir=/usr/share/gtk-doc
-
-# Delete the old index.sgml file, if it exists.
-if test -f index.sgml; then
-      rm -f index.sgml
-fi
-
-stylesheet=$gtkdocdir/gtk-doc.dsl
-if test $# -ge 3; then
-    stylesheet=$3
-fi
-
-@OPENJADE@ -t sgml -w no-idref -d $stylesheet $document
-sed s%href=\"%href=\"$module/% < index.sgml > index.sgml.tmp && mv index.sgml.tmp index.sgml
-
-echo "timestamp" > ../html.stamp
diff --git a/aux/broccoli/docs/stylesheet.css b/aux/broccoli/docs/stylesheet.css
deleted file mode 100644
index be89020cf9..0000000000
--- a/aux/broccoli/docs/stylesheet.css
+++ /dev/null
@@ -1,30 +0,0 @@
-body          { margin-left:10px;
-		margin-right:10px;
-		margin-top:10px;
-		margin-bottom:10px;
-		color:#101010;
-                background-repeat:no-repeat;
-              }
-
-h1.title      { text-align:center; }
-.abstract     { text-align:center;
-		margin-left:100px;
-		margin-right:100px; }
-
-.caption      { margin-left:100px;
-		margin-right:100px;
-		font-style:italic; }
-
-.programlisting { font-size:12px;
-		  font-family:courier;
-		}
-
-.type 		{ font-size:12px;
-		  font-family:courier;
-		}
-
-.mediaobject  { text-align:center; }
-
-span, h1, h2, h3, h4, p, div, table { font-family:arial,helvetica; }
-
-li            { margin-bottom:10px }
diff --git a/aux/broccoli/docs/stylesheet.dsl b/aux/broccoli/docs/stylesheet.dsl
deleted file mode 100644
index b1b086a0f8..0000000000
--- a/aux/broccoli/docs/stylesheet.dsl
+++ /dev/null
@@ -1,263 +0,0 @@
-<!DOCTYPE style-sheet PUBLIC "-//James Clark//DTD DSSSL Style Sheet//EN" [
-<!ENTITY dbstyle PUBLIC "-//Norman Walsh//DOCUMENT DocBook HTML Stylesheet//EN" CDATA DSSSL>
-]>
-
-<style-sheet>
-<style-specification use="docbook">
-<style-specification-body>
-
-;; These are some customizations to the standard HTML output produced by the
-;; Modular DocBook Stylesheets.
-;; I've copied parts of a few functions from the stylesheets so these should
-;; be checked occasionally to ensure they are up to date.
-;;
-;; The last check was with version 1.40 of the stylesheets.
-;; It will not work with versions < 1.19 since the $shade-verbatim-attr$
-;; function was added then. Versions 1.19 to 1.39 may be OK, if you're lucky!
-
-;;(define %generate-book-toc% #f)
-
-
-;; The email content should not line wrap in HTML, that looks ugly.
-;; (okay there shouldn't be whitespace in there but when people want
-;; to avoid an @ they can fill in all kinds of things).
-(element email 
-  ($mono-seq$ 
-   (make sequence 
-     (make element gi: "NOBR"
-	   (literal "&#60;")
-	   (make element gi: "A"
-		 attributes: (list (list "HREF" 
-					 (string-append "mailto:" 
-							(data (current-node)))))
-		 (process-children))
-	   (literal "&#62;")))))
-
-
-;; We want to have some control over how sections are split up into
-;; separate pages.
-(define (chunk-element-list)
-  (list (normalize "preface")
-        (normalize "chapter")
-        (normalize "appendix")
-        (normalize "article")
-        (normalize "glossary")
-        (normalize "bibliography")
-        (normalize "index")
-        (normalize "colophon")
-        (normalize "setindex")
-        (normalize "reference")
-        (normalize "refentry")
-        (normalize "part")
-;; Commented out to prevent splitting up every section into its own document
-;;        (normalize "sect1")
-;;        (normalize "section")
-        (normalize "book") ;; just in case nothing else matches...
-        (normalize "set")  ;; sets are definitely chunks...
-        ))
-
-
-;; If a Chapter has role="no-toc" we don't generate a table of contents.
-;; This is useful if a better contents page has been added manually, e.g. for
-;; the GTK+ Widgets & Objects page. (But it is a bit of a hack.)
-(define ($generate-chapter-toc$)
-  (not (equal? (attribute-string (normalize "role") (current-node)) "no-toc")))
-
-(define %chapter-autolabel% 
-  ;; Are chapters enumerated?
-  #t)
-
-(define %section-autolabel% 
-  ;; Are sections enumerated?
-  #t)
-
-(define %use-id-as-filename% #t)
-
-(define %html-ext% ".html")
-
-(define %shade-verbatim% #t)
-
-(define (book-titlepage-separator side)
-  (empty-sosofo))
-
-
-(define ($shade-verbatim-attr$)
-  ;; Attributes used to create a shaded verbatim environment.
-  (list
-   (list "WIDTH" "100%")
-   (list "BORDER" "0")
-   (list "BGCOLOR" "#eaeaf0")))
-
-
-;; This overrides the refsect2 definition (copied from 1.20, dbrfntry.dsl).
-;; It puts a horizontal rule before each function/struct/... description,
-;; except the first one in the refsect1.
-(element refsect2
-  (make sequence
-    (if (first-sibling?)
-	(empty-sosofo)
-	(make empty-element gi: "HR"))
-    ($block-container$)))
-
-;; Override the book declaration, so that we generate a crossreference
-;; for the book
-
-(element book 
-  (let* ((bookinfo  (select-elements (children (current-node)) (normalize "bookinfo")))
-	 (ititle   (select-elements (children bookinfo) (normalize "title")))
-	 (title    (if (node-list-empty? ititle)
-		       (select-elements (children (current-node)) (normalize "title"))
-		       (node-list-first ititle)))
-	 (nl       (titlepage-info-elements (current-node) bookinfo))
-	 (tsosofo  (with-mode head-title-mode
-		     (process-node-list title)))
-	 (dedication (select-elements (children (current-node)) (normalize "dedication"))))
-    (make sequence
-     (html-document 
-      tsosofo
-      (make element gi: "DIV"
-	    attributes: '(("CLASS" "BOOK"))
-	    (if %generate-book-titlepage%
-		(make sequence
-		  (book-titlepage nl 'recto)
-		  (book-titlepage nl 'verso))
-		(empty-sosofo))
-	    
-	    (if (node-list-empty? dedication)
-		(empty-sosofo)
-		(with-mode dedication-page-mode
-		  (process-node-list dedication)))
-	    
-	    (if (not (generate-toc-in-front))
-		(process-children)
-		(empty-sosofo))
-	    
-	    (if %generate-book-toc%
-		(build-toc (current-node) (toc-depth (current-node)))
-		(empty-sosofo))
-	    
-	    ;;	  (let loop ((gilist %generate-book-lot-list%))
-	    ;;	    (if (null? gilist)
-	    ;;		(empty-sosofo)
-	    ;;		(if (not (node-list-empty? 
-	    ;;			  (select-elements (descendants (current-node))
-	    ;;					   (car gilist))))
-	    ;;		    (make sequence
-	    ;;		      (build-lot (current-node) (car gilist))
-	    ;;		      (loop (cdr gilist)))
-	    ;;		    (loop (cdr gilist)))))
-	  
-	    (if (generate-toc-in-front)
-		(process-children)
-		(empty-sosofo))))
-     (make entity 
-       system-id: "index.sgml"
-       (with-mode generate-index-mode
-	 (process-children))))))
-
-;; Mode for generating cross references
-
-(define (process-child-elements)
-  (process-node-list
-   (node-list-map (lambda (snl)
-                    (if (equal? (node-property 'class-name snl) 'element)
-                        snl
-                        (empty-node-list)))
-                  (children (current-node)))))
-
-(mode generate-index-mode
-  (element anchor
-    (if (attribute-string "href" (current-node))
-	(empty-sosofo)
-	(make formatting-instruction data:
-	      (string-append "\less-than-sign;ANCHOR id =\""
-			     (attribute-string "id" (current-node))
-			     "\" href=\""
-			     (href-to (current-node))
-			     "\"\greater-than-sign;
-"))))
-
-  ;; We also want to be able to link to complete RefEntry.
-  (element refentry
-    (make sequence
-      (make formatting-instruction data:
-	    (string-append "\less-than-sign;ANCHOR id =\""
-			   (attribute-string "id" (current-node))
-			   "\" href=\""
-			   (href-to (current-node))
-			   "\"\greater-than-sign;
-"))
-      (process-child-elements)))
-
-  (default
-    (process-child-elements)))
-
-;; For hypertext links for which no target is found in the document, we output
-;; our own special tag which we use later to resolve cross-document links.
-(element link 
-  (let* ((target (element-with-id (attribute-string (normalize "linkend")))))
-    (if (node-list-empty? target)
-      (make element gi: "GTKDOCLINK"
-	    attributes: (list
-			 (list "HREF" (attribute-string (normalize "linkend"))))
-            (process-children))
-      (make element gi: "A"
-            attributes: (list
-                         (list "HREF" (href-to target)))
-            (process-children)))))
-
-
-
-
-(define ($section-body$)
-  (make sequence
-    (make empty-element gi: "BR"
-	  attributes: (list (list "CLEAR" "all")))
-    (make element gi: "DIV"
-	  attributes: (list (list "CLASS" (gi)))
-	  ($section-separator$)
-	  ($section-title$)
-	  (process-children))))
-
-;; We want to use a stylesheet!
-(define %css-decoration%
-  ;; Enable CSS decoration of elements
-  #t)
-(define %stylesheet%
-  ;; Name of the stylesheet to use
-  "stylesheet.css")
-
-
-;; I want my own graphics with admonitions.
-(define %admon-graphics%
-  ;; Use graphics in admonitions?
-  #t)
-(define %admon-graphics-path%
-  ;; Path to admonition graphics
-  "images/")
-
-
-;; Some stuff I really didn't like -- italics are
-;; pretty hard to read most of the time. Don't use
-;; them for parameter names and structure fields.
-(element parameter ($mono-seq$))
-(element structfield ($mono-seq$))
-
-;; And don't use italics for emphasis either, just
-;; use bold text.
-(element emphasis
-  (let* ((class (if (and (attribute-string (normalize "role"))
-			 %emphasis-propagates-style%)
-		    (attribute-string (normalize "role"))
-		    "emphasis")))
-    (make element gi: "SPAN"
-	  attributes: (list (list "CLASS" class))
-	  (if (and (attribute-string (normalize "role"))
-		   (or (equal? (attribute-string (normalize "role")) "strong")
-		       (equal? (attribute-string (normalize "role")) "bold")))
-	      ($bold-seq$) ($bold-seq$)))))
-
-</style-specification-body>
-</style-specification>
-<external-specification id="docbook" document="dbstyle">
-</style-sheet>
diff --git a/aux/broccoli/shtool b/aux/broccoli/shtool
deleted file mode 100755
index 4c1a7396fd..0000000000
--- a/aux/broccoli/shtool
+++ /dev/null
@@ -1,716 +0,0 @@
-#!/bin/sh
-##
-##  GNU shtool -- The GNU Portable Shell Tool
-##  Copyright (c) 1994-2000 Ralf S. Engelschall <rse@engelschall.com>
-##
-##  See http://www.gnu.org/software/shtool/ for more information.
-##  See ftp://ftp.gnu.org/gnu/shtool/ for latest version.
-##
-##  Version 1.4.9 (16-Apr-2000)
-##  Ingredients: 3/17 available modules
-##
-
-##
-##  This program is free software; you can redistribute it and/or modify
-##  it under the terms of the GNU General Public License as published by
-##  the Free Software Foundation; either version 2 of the License, or
-##  (at your option) any later version.
-##
-##  This program is distributed in the hope that it will be useful,
-##  but WITHOUT ANY WARRANTY; without even the implied warranty of
-##  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-##  General Public License for more details.
-##
-##  You should have received a copy of the GNU General Public License
-##  along with this program; if not, write to the Free Software
-##  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
-##  USA, or contact Ralf S. Engelschall <rse@engelschall.com>.
-##
-##  Notice: Given that you include this file verbatim into your own
-##  source tree, you are justified in saying that it remains separate
-##  from your package, and that this way you are simply just using GNU
-##  shtool. So, in this situation, there is no requirement that your
-##  package itself is licensed under the GNU General Public License in
-##  order to take advantage of GNU shtool.
-##
-
-##
-##  Usage: shtool [<options>] [<cmd-name> [<cmd-options>] [<cmd-args>]]
-##
-##  Available commands:
-##    echo       Print string with optional construct expansion
-##    install    Install a program, script or datafile
-##    mkdir      Make one or more directories
-##
-##  Not available commands (because module was not built-in):
-##    mdate      Pretty-print modification time of a file or dir
-##    table      Pretty-print a field-separated list as a table
-##    prop       Display progress with a running propeller
-##    move       Move files with simultaneous substitution
-##    mkln       Make link with calculation of relative paths
-##    mkshadow   Make a shadow tree through symbolic links
-##    fixperm    Fix file permissions inside a source tree
-##    tarball    Roll distribution tarballs
-##    guessos    Simple operating system guesser
-##    arx        Extended archive command
-##    slo        Separate linker options by library class
-##    scpp       Sharing C Pre-Processor
-##    version    Generate and maintain a version information file
-##    path       Deal with program paths
-##
-
-if [ $# -eq 0 ]; then
-    echo "$0:Error: invalid command line" 1>&2
-    echo "$0:Hint:  run \`$0 -h' for usage" 1>&2
-    exit 1
-fi
-if [ ".$1" = ".-h" -o ".$1" = ".--help" ]; then
-    echo "This is GNU shtool, version 1.4.9 (16-Apr-2000)"
-    echo "Copyright (c) 1994-2000 Ralf S. Engelschall <rse@engelschall.com>"
-    echo "Report bugs to <bug-shtool@gnu.org>"
-    echo ''
-    echo "Usage: shtool [<options>] [<cmd-name> [<cmd-options>] [<cmd-args>]]" 
-    echo ''
-    echo 'Available global <options>:'
-    echo '  -v, --version   display shtool version information'
-    echo '  -h, --help      display shtool usage help page (this one)'
-    echo '  -d, --debug     display shell trace information'
-    echo ''
-    echo 'Available <cmd-name> [<cmd-options>] [<cmd-args>]:'
-    echo '  echo     [-n] [-e] [<str> ...]'
-    echo '  install  [-v] [-t] [-c] [-C] [-s] [-m<mode>] [-o<owner>] [-g<group>]'
-    echo '           [-e<ext>] <file> <path>'
-    echo '  mkdir    [-t] [-f] [-p] [-m<mode>] <dir> [<dir> ...]'
-    echo ''
-    echo 'Not available <cmd-name> (because module was not built-in):'
-    echo '  mdate    [-n] [-z] [-s] [-d] [-f<str>] [-o<spec>] <path>'
-    echo '  table    [-F<sep>] [-w<width>] [-c<cols>] [-s<strip>] <str><sep><str>...'
-    echo '  prop     [-p<str>]'
-    echo '  move     [-v] [-t] [-e] [-p] <src-file> <dst-file>'
-    echo '  mkln     [-t] [-f] [-s] <src-path> [<src-path> ...] <dst-path>'
-    echo '  mkshadow [-v] [-t] [-a] <src-dir> <dst-dir>'
-    echo '  fixperm  [-v] [-t] <path> [<path> ...]'
-    echo '  tarball  [-t] [-v] [-o <tarball>] [-c <prog>] [-d <dir>] [-u'
-    echo '           <user>] [-g <group>] [-e <pattern>] <path> [<path> ...]'
-    echo '  guessos  '
-    echo '  arx      [-t] [-C<cmd>] <op> <archive> [<file> ...]'
-    echo '  slo      [-p<str>] -- -L<dir> -l<lib> [-L<dir> -l<lib> ...]'
-    echo '  scpp     [-v] [-p] [-f<filter>] [-o<ofile>] [-t<tfile>] [-M<mark>]'
-    echo '           [-D<dname>] [-C<cname>] <file> [<file> ...]'
-    echo '  version  [-l<lang>] [-n<name>] [-p<prefix>] [-s<version>] [-i<knob>]'
-    echo '           [-d<type>] <file>'
-    echo '  path     [-s] [-r] [-d] [-b] [-m] [-p<path>] <str> [<str> ...]'
-    echo ''
-    exit 0
-fi
-if [ ".$1" = ".-v" -o ".$1" = ."--version" ]; then
-    echo "GNU shtool 1.4.9 (16-Apr-2000)"
-    exit 0
-fi
-if [ ".$1" = ".-d" -o ".$1" = ."--debug" ]; then
-    shift
-    set -x
-fi
-name=`echo "$0" | sed -e 's;.*/\([^/]*\)$;\1;' -e 's;-sh$;;' -e 's;\.sh$;;'`
-case "$name" in
-    echo|install|mkdir )
-        #   implicit tool command selection
-        tool="$name"
-        ;;
-    * )
-        #   explicit tool command selection
-        tool="$1"
-        shift
-        ;;
-esac
-arg_spec=""
-opt_spec=""
-gen_tmpfile=no
-
-##
-##  DISPATCH INTO SCRIPT PROLOG
-##
-
-case $tool in
-    echo )
-        str_tool="echo"
-        str_usage="[-n] [-e] [<str> ...]"
-        arg_spec="0+"
-        opt_spec="n.e."
-        opt_n=no
-        opt_e=no
-        ;;
-    install )
-        str_tool="install"
-        str_usage="[-v] [-t] [-c] [-C] [-s] [-m<mode>] [-o<owner>] [-g<group>] [-e<ext>] <file> <path>"
-        arg_spec="2="
-        opt_spec="v.t.c.C.s.m:o:g:e:"
-        opt_v=no
-        opt_t=no
-        opt_c=no
-        opt_C=no
-        opt_s=no
-        opt_m=""
-        opt_o=""
-        opt_g=""
-        opt_e=""
-        ;;
-    mkdir )
-        str_tool="mkdir"
-        str_usage="[-t] [-f] [-p] [-m<mode>] <dir> [<dir> ...]"
-        arg_spec="1+"
-        opt_spec="t.f.p.m:"
-        opt_t=no
-        opt_f=no
-        opt_p=no
-        opt_m=""
-        ;;
-    -* )
-        echo "$0:Error: unknown option \`$tool'" 2>&1
-        echo "$0:Hint:  run \`$0 -h' for usage" 2>&1
-        exit 1
-        ;;
-    * )
-        echo "$0:Error: unknown command \`$tool'" 2>&1
-        echo "$0:Hint:  run \`$0 -h' for usage" 2>&1
-        exit 1
-        ;;
-esac
-
-##
-##  COMMON UTILITY CODE
-##
-
-#   determine name of tool
-if [ ".$tool" != . ]; then
-    #   used inside shtool script
-    toolcmd="$0 $tool"
-    toolcmdhelp="shtool $tool"
-    msgprefix="shtool:$tool"
-else
-    #   used as standalone script
-    toolcmd="$0"
-    toolcmdhelp="sh $0"
-    msgprefix="$str_tool"
-fi
-
-#   parse argument specification string
-eval `echo $arg_spec |\
-      sed -e 's/^\([0-9]*\)\([+=]\)/arg_NUMS=\1; arg_MODE=\2/'`
-
-#   parse option specification string
-eval `echo h.$opt_spec |\
-      sed -e 's/\([a-zA-Z0-9]\)\([.:+]\)/opt_MODE_\1=\2;/g'`
-
-#   interate over argument line
-opt_PREV=''
-while [ $# -gt 0 ]; do
-    #   special option stops processing
-    if [ ".$1" = ".--" ]; then
-        shift
-        break
-    fi
-
-    #   determine option and argument
-    opt_ARG_OK=no
-    if [ ".$opt_PREV" != . ]; then
-        #   merge previous seen option with argument
-        opt_OPT="$opt_PREV"
-        opt_ARG="$1"
-        opt_ARG_OK=yes
-        opt_PREV=''
-    else
-        #   split argument into option and argument
-        case "$1" in
-            -[a-zA-Z0-9]*)
-                eval `echo "x$1" |\
-                      sed -e 's/^x-\([a-zA-Z0-9]\)/opt_OPT="\1";/' \
-                          -e 's/";\(.*\)$/"; opt_ARG="\1"/'`
-                ;;
-            -[a-zA-Z0-9])
-                opt_OPT=`echo "x$1" | cut -c3-`
-                opt_ARG=''
-                ;;
-            *)
-                break
-                ;;
-        esac
-    fi
-
-    #   eat up option
-    shift
-
-    #   determine whether option needs an argument
-    eval "opt_MODE=\$opt_MODE_${opt_OPT}"
-    if [ ".$opt_ARG" = . -a ".$opt_ARG_OK" != .yes ]; then
-        if [ ".$opt_MODE" = ".:" -o ".$opt_MODE" = ".+" ]; then
-            opt_PREV="$opt_OPT"
-            continue
-        fi
-    fi
-
-    #   process option
-    case $opt_MODE in
-        '.' )
-            #   boolean option
-            eval "opt_${opt_OPT}=yes"
-            ;;
-        ':' )
-            #   option with argument (multiple occurances override)
-            eval "opt_${opt_OPT}=\"\$opt_ARG\""
-            ;;
-        '+' )
-            #   option with argument (multiple occurances append)
-            eval "opt_${opt_OPT}=\"\$opt_${opt_OPT} \$opt_ARG\""
-            ;;
-        * )
-            echo "$msgprefix:Error: unknown option: \`-$opt_OPT'" 1>&2
-            echo "$msgprefix:Hint:  run \`$toolcmdhelp -h' or \`man shtool' for details" 1>&2
-            exit 1
-            ;;
-    esac
-done
-if [ ".$opt_PREV" != . ]; then
-    echo "$msgprefix:Error: missing argument to option \`-$opt_PREV'" 1>&2
-    echo "$msgprefix:Hint:  run \`$toolcmdhelp -h' or \`man shtool' for details" 1>&2
-    exit 1
-fi
-
-#   process help option
-if [ ".$opt_h" = .yes ]; then
-    echo "Usage: $toolcmdhelp $str_usage"
-    exit 0
-fi
-
-#   complain about incorrect number of arguments
-case $arg_MODE in
-    '=' )
-        if [ $# -ne $arg_NUMS ]; then
-            echo "$msgprefix:Error: invalid number of arguments (exactly $arg_NUMS expected)" 1>&2
-            echo "$msgprefix:Hint:  run \`$toolcmd -h' or \`man shtool' for details" 1>&2
-            exit 1
-        fi
-        ;;
-    '+' )
-        if [ $# -lt $arg_NUMS ]; then
-            echo "$msgprefix:Error: invalid number of arguments (at least $arg_NUMS expected)" 1>&2
-            echo "$msgprefix:Hint:  run \`$toolcmd -h' or \`man shtool' for details" 1>&2
-            exit 1
-        fi
-        ;;
-esac
-
-#   establish a temporary file on request
-if [ ".$gen_tmpfile" = .yes ]; then
-    if [ ".$TMPDIR" != . ]; then
-        tmpdir="$TMPDIR"
-    elif [ ".$TEMPDIR" != . ]; then
-        tmpdir="$TEMPDIR"
-    else
-        tmpdir="/tmp"
-    fi
-    tmpfile="$tmpdir/.shtool.$$"
-    rm -f $tmpfile >/dev/null 2>&1
-    touch $tmpfile
-fi
-
-##
-##  DISPATCH INTO SCRIPT BODY
-##
-
-case $tool in
-
-echo )
-    ##
-    ##  echo -- Print string with optional construct expansion
-    ##  Copyright (c) 1998-2000 Ralf S. Engelschall <rse@engelschall.com>
-    ##  Originally written for WML as buildinfo
-    ##
-    
-    text="$*"
-    
-    #   check for broken escape sequence expansion
-    seo=''
-    bytes=`echo '\1' | wc -c | awk '{ printf("%s", $1); }'`
-    if [ ".$bytes" != .3 ]; then
-        bytes=`echo -E '\1' | wc -c | awk '{ printf("%s", $1); }'`
-        if [ ".$bytes" = .3 ]; then
-            seo='-E'
-        fi
-    fi
-    
-    #   check for existing -n option (to suppress newline)
-    minusn=''
-    bytes=`echo -n 123 2>/dev/null | wc -c | awk '{ printf("%s", $1); }'`
-    if [ ".$bytes" = .3 ]; then
-        minusn='-n'
-    fi
-    
-    #   determine terminal bold sequence
-    term_bold='' 
-    term_norm=''
-    if [ ".$opt_e" = .yes -a ".`echo $text | egrep '%[Bb]'`" != . ]; then
-        case $TERM in
-            #   for the most important terminal types we directly know the sequences
-            xterm|xterm*|vt220|vt220*)
-                term_bold=`awk 'BEGIN { printf("%c%c%c%c", 27, 91, 49, 109); }' </dev/null 2>/dev/null`
-                term_norm=`awk 'BEGIN { printf("%c%c%c", 27, 91, 109); }' </dev/null 2>/dev/null`
-                ;;
-            vt100|vt100*)
-                term_bold=`awk 'BEGIN { printf("%c%c%c%c%c%c", 27, 91, 49, 109, 0, 0); }' </dev/null 2>/dev/null`
-                term_norm=`awk 'BEGIN { printf("%c%c%c%c%c", 27, 91, 109, 0, 0); }' </dev/null 2>/dev/null`
-                ;;
-            #   for all others, we try to use a possibly existing `tput' or `tcout' utility
-            * )
-                paths=`echo $PATH | sed -e 's/:/ /g'`
-                for tool in tput tcout; do
-                    for dir in $paths; do
-                        if [ -r "$dir/$tool" ]; then
-                            for seq in bold md smso; do # 'smso' is last
-                                bold="`$dir/$tool $seq 2>/dev/null`"
-                                if [ ".$bold" != . ]; then
-                                    term_bold="$bold"
-                                    break
-                                fi
-                            done
-                            if [ ".$term_bold" != . ]; then
-                                for seq in sgr0 me rmso reset; do # 'reset' is last
-                                    norm="`$dir/$tool $seq 2>/dev/null`"
-                                    if [ ".$norm" != . ]; then
-                                        term_norm="$norm"
-                                        break
-                                    fi
-                                done
-                            fi
-                            break
-                        fi
-                    done
-                    if [ ".$term_bold" != . -a ".$term_norm" != . ]; then
-                        break;
-                    fi
-                done
-                ;;
-        esac
-        if [ ".$term_bold" = . -o ".$term_norm" = . ]; then
-            echo "$msgprefix:Warning: unable to determine terminal sequence for bold mode" 1>&2
-        fi
-    fi
-    
-    #   determine user name
-    username=''
-    if [ ".$opt_e" = .yes -a ".`echo $text | egrep '%[uU]'`" != . ]; then
-        username="$LOGNAME"
-        if [ ".$username" = . ]; then
-            username="$USER"
-            if [ ".$username" = . ]; then
-                username="`(whoami) 2>/dev/null |\
-                           awk '{ printf("%s", $1); }'`"
-                if [ ".$username" = . ]; then
-                    username="`(who am i) 2>/dev/null |\
-                               awk '{ printf("%s", $1); }'`"
-                    if [ ".$username" = . ]; then
-                        username='unknown'
-                    fi
-                fi
-            fi
-        fi
-    fi
-    
-    #   determine user id
-    userid=''
-    if [ ".$opt_e" = .yes -a ".`echo $text | egrep '%U'`" != . ]; then
-        userid="`(id -u) 2>/dev/null`"
-        if [ ".$userid" = . ]; then
-            str="`(id) 2>/dev/null`"
-            if [ ".`echo $str | grep '^uid[ 	]*=[ 	]*[0-9]*('`" != . ]; then
-                userid=`echo $str | sed -e 's/^uid[ 	]*=[ 	]*//' -e 's/(.*//'`
-            fi
-            if [ ".$userid" = . ]; then
-                userid=`egrep "^${username}:" /etc/passwd 2>/dev/null | \
-                        sed -e 's/[^:]*:[^:]*://' -e 's/:.*$//'`
-                if [ ".$userid" = . ]; then
-                    userid=`(ypcat passwd) 2>/dev/null |
-                            egrep "^${username}:" | \
-                            sed -e 's/[^:]*:[^:]*://' -e 's/:.*$//'`
-                    if [ ".$userid" = . ]; then
-                        userid='?'
-                    fi
-                fi
-            fi
-        fi
-    fi
-    
-    #   determine host name
-    hostname=''
-    if [ ".$opt_e" = .yes -a ".`echo $text | egrep '%h'`" != . ]; then
-        hostname="`(uname -n) 2>/dev/null |\
-                   awk '{ printf("%s", $1); }'`"
-        if [ ".$hostname" = . ]; then
-            hostname="`(hostname) 2>/dev/null |\
-                       awk '{ printf("%s", $1); }'`"
-            if [ ".$hostname" = . ]; then
-                hostname='unknown'
-            fi
-        fi
-        case $hostname in
-            *.* )
-                domainname=".`echo $hostname | cut -d. -f2-`"
-                hostname="`echo $hostname | cut -d. -f1`"
-                ;;
-        esac
-    fi
-    
-    #   determine domain name
-    domainname=''
-    if [ ".$opt_e" = .yes -a ".`echo $text | egrep '%d'`" != . ]; then
-        if [ ".$domainname" = . ]; then
-            if [ -f /etc/resolv.conf ]; then
-                domainname="`egrep '^[ 	]*domain' /etc/resolv.conf | head -1 |\
-                             sed -e 's/.*domain//' \
-                                 -e 's/^[ 	]*//' -e 's/^ *//' -e 's/^	*//' \
-                                 -e 's/^\.//' -e 's/^/./' |\
-                             awk '{ printf("%s", $1); }'`"
-                if [ ".$domainname" = . ]; then
-                    domainname="`egrep '^[ 	]*search' /etc/resolv.conf | head -1 |\
-                                 sed -e 's/.*search//' \
-                                     -e 's/^[ 	]*//' -e 's/^ *//' -e 's/^	*//' \
-                                     -e 's/ .*//' -e 's/	.*//' \
-                                     -e 's/^\.//' -e 's/^/./' |\
-                                 awk '{ printf("%s", $1); }'`"
-                fi
-            fi
-        fi
-    fi
-    
-    #   determine current time
-    time_day=''
-    time_month=''
-    time_year=''
-    time_monthname=''
-    if [ ".$opt_e" = .yes -a ".`echo $text | egrep '%[DMYm]'`" != . ]; then
-        time_day=`date '+%d'`
-        time_month=`date '+%m'`
-        time_year=`date '+%Y' 2>/dev/null`
-        if [ ".$time_year" = . ]; then
-            time_year=`date '+%y'`
-            case $time_year in
-                [5-9][0-9]) time_year="19$time_year" ;;
-                [0-4][0-9]) time_year="20$time_year" ;;
-            esac
-        fi
-        case $time_month in
-            1|01) time_monthname='Jan' ;;
-            2|02) time_monthname='Feb' ;;
-            3|03) time_monthname='Mar' ;;
-            4|04) time_monthname='Apr' ;;
-            5|05) time_monthname='May' ;;
-            6|06) time_monthname='Jun' ;;
-            7|07) time_monthname='Jul' ;;
-            8|08) time_monthname='Aug' ;;
-            9|09) time_monthname='Sep' ;;
-              10) time_monthname='Oct' ;;
-              11) time_monthname='Nov' ;;
-              12) time_monthname='Dec' ;;
-        esac
-    fi
-    
-    #   expand special ``%x'' constructs
-    if [ ".$opt_e" = .yes ]; then
-        text=`echo $seo "$text" |\
-              sed -e "s/%B/${term_bold}/g" \
-                  -e "s/%b/${term_norm}/g" \
-                  -e "s/%u/${username}/g" \
-                  -e "s/%U/${userid}/g" \
-                  -e "s/%h/${hostname}/g" \
-                  -e "s/%d/${domainname}/g" \
-                  -e "s/%D/${time_day}/g" \
-                  -e "s/%M/${time_month}/g" \
-                  -e "s/%Y/${time_year}/g" \
-                  -e "s/%m/${time_monthname}/g" 2>/dev/null`
-    fi
-    
-    #   create output
-    if [ .$opt_n = .no ]; then
-        echo $seo "$text"
-    else
-        #   the harder part: echo -n is best, because
-        #   awk may complain about some \xx sequences.
-        if [ ".$minusn" != . ]; then
-            echo $seo $minusn "$text"
-        else
-            echo dummy | awk '{ printf("%s", TEXT); }' TEXT="$text"
-        fi
-    fi
-    ;;
-
-install )
-    ##
-    ##  install -- Install a program, script or datafile
-    ##  Copyright (c) 1997-2000 Ralf S. Engelschall <rse@engelschall.com>
-    ##  Originally written for shtool
-    ##
-    
-    src="$1"
-    dst="$2"
-    
-    #  If destination is a directory, append the input filename
-    if [ -d $dst ]; then
-        dst=`echo "$dst" | sed -e 's:/$::'`
-        dstfile=`echo "$src" | sed -e 's;.*/\([^/]*\)$;\1;'`
-        dst="$dst/$dstfile"
-    fi
-    
-    #  Add a possible extension to src and dst
-    if [ ".$opt_e" != . ]; then
-        src="$src$opt_e"
-        dst="$dst$opt_e"
-    fi
-    
-    #  Check for correct arguments
-    if [ ".$src" = ".$dst" ]; then
-        echo "$msgprefix:Error: source and destination are the same" 1>&2
-        exit 1
-    fi
-    
-    #  Make a temp file name in the destination directory
-    dstdir=`echo $dst | sed -e 's;[^/]*$;;' -e 's;\(.\)/$;\1;' -e 's;^$;.;'`
-    dsttmp="$dstdir/#INST@$$#"
-    
-    #  Verbosity
-    if [ ".$opt_v" = .yes ]; then
-        echo "$src -> $dst" 1>&2
-    fi
-    
-    #  Copy or move the file name to the temp name
-    #  (because we might be not allowed to change the source)
-    if [ ".$opt_C" = .yes ]; then
-        opt_c=yes
-    fi
-    if [ ".$opt_c" = .yes ]; then
-        if [ ".$opt_t" = .yes ]; then
-            echo "cp $src $dsttmp" 1>&2
-        fi
-        cp $src $dsttmp || exit $?
-    else
-        if [ ".$opt_t" = .yes ]; then
-            echo "mv $src $dsttmp" 1>&2
-        fi
-        mv $src $dsttmp || exit $?
-    fi
-    
-    #  Adjust the target file
-    #  (we do chmod last to preserve setuid bits)
-    if [ ".$opt_s" = .yes ]; then
-        if [ ".$opt_t" = .yes ]; then
-            echo "strip $dsttmp" 1>&2
-        fi
-        strip $dsttmp || exit $?
-    fi
-    if [ ".$opt_o" != . ]; then
-        if [ ".$opt_t" = .yes ]; then
-            echo "chown $opt_o $dsttmp" 1>&2
-        fi
-        chown $opt_o $dsttmp || exit $?
-    fi
-    if [ ".$opt_g" != . ]; then
-        if [ ".$opt_t" = .yes ]; then
-            echo "chgrp $opt_g $dsttmp" 1>&2
-        fi
-        chgrp $opt_g $dsttmp || exit $?
-    fi
-    if [ ".$opt_m" != . ]; then
-        if [ ".$opt_t" = .yes ]; then
-            echo "chmod $opt_m $dsttmp" 1>&2
-        fi
-        chmod $opt_m $dsttmp || exit $?
-    fi
-    
-    #   Determine whether to do a quick install
-    #   (has to be done _after_ the strip was already done)
-    quick=no
-    if [ ".$opt_C" = .yes ]; then
-        if [ -r $dst ]; then
-            if cmp -s $src $dst; then
-                quick=yes
-            fi
-        fi
-    fi
-    
-    #   Finally install the file to the real destination
-    if [ $quick = yes ]; then
-        if [ ".$opt_t" = .yes ]; then
-            echo "rm -f $dsttmp" 1>&2
-        fi
-        rm -f $dsttmp
-    else
-        if [ ".$opt_t" = .yes ]; then
-            echo "rm -f $dst && mv $dsttmp $dst" 1>&2
-        fi
-        rm -f $dst && mv $dsttmp $dst
-    fi
-    ;;
-
-mkdir )
-    ##
-    ##  mkdir -- Make one or more directories
-    ##  Copyright (c) 1996-2000 Ralf S. Engelschall <rse@engelschall.com>
-    ##  Originally written for public domain by Noah Friedman <friedman@prep.ai.mit.edu>
-    ##  Cleaned up and enhanced for shtool
-    ##
-    
-    errstatus=0
-    for p in ${1+"$@"}; do
-        #   if the directory already exists...
-        if [ -d "$p" ]; then
-            if [ ".$opt_f" = .no ] && [ ".$opt_p" = .no ]; then
-                echo "$msgprefix:Error: directory already exists: $p" 1>&2
-                errstatus=1
-                break
-            else
-                continue
-            fi
-        fi
-        #   if the directory has to be created...
-        if [ ".$opt_p" = .no ]; then
-            if [ ".$opt_t" = .yes ]; then
-                echo "mkdir $p" 1>&2
-            fi
-            mkdir $p || errstatus=$?
-        else
-            #   the smart situation
-            set fnord `echo ":$p" |\
-                       sed -e 's/^:\//%/' \
-                           -e 's/^://' \
-                           -e 's/\// /g' \
-                           -e 's/^%/\//'`
-            shift
-            pathcomp=''
-            for d in ${1+"$@"}; do
-                pathcomp="$pathcomp$d"
-                case "$pathcomp" in
-                    -* ) pathcomp="./$pathcomp" ;;
-                esac
-                if [ ! -d "$pathcomp" ]; then
-                    if [ ".$opt_t" = .yes ]; then
-                        echo "mkdir $pathcomp" 1>&2
-                    fi
-                    mkdir $pathcomp || errstatus=$?
-                    if [ ".$opt_m" != . ]; then
-                        if [ ".$opt_t" = .yes ]; then
-                            echo "chmod $opt_m $pathcomp" 1>&2
-                        fi
-                        chmod $opt_m $pathcomp || errstatus=$?
-                    fi
-                fi
-                pathcomp="$pathcomp/"
-            done
-        fi
-    done
-    exit $errstatus
-    ;;
-
-esac
-
-exit 0
-
-##EOF##
diff --git a/aux/broccoli/src/Makefile.am b/aux/broccoli/src/Makefile.am
deleted file mode 100644
index 8044b37a1f..0000000000
--- a/aux/broccoli/src/Makefile.am
+++ /dev/null
@@ -1,91 +0,0 @@
-## Process this file with automake to produce Makefile.in
-
-# A list of all the files in the current directory which can be regenerated
-MAINTAINERCLEANFILES = Makefile.in Makefile
-
-# A list of everything we build locally, for distcheck.
-DISTCLEANFILES = bro_parser.c bro_parser.h bro_lexer.c
-
-# Always include the lexer and parser source and generated output in
-# the distribution, regardless of whether we have lex and yacc on
-# this system.
-#
-EXTRA_DIST = bro_parser.y bro_lexer.l bro_lexer.c bro_parser.c bro_parser.h
-
-# On Solaris, we need to specifically include networking libraries.
-# On Windows, we need to specifically include winsock. These are
-# handled through the substitution of BRO_LIBADD, which gets defined
-# according to the platform detection mechanism in the configure script.
-#
-# On Windows, we also need extra flags for the linker to build a DLL.
-# The approach taken here is described in more detail in
-# http://sources.redhat.com/autobook/autobook/autobook_253.html#SEC253
-#
-libbroccoli_la_LIBADD = @BRO_LIBADD@
-
-if WINDOWS_HOST
-libbroccoli_la_LDFLAGS = -mwindows -no-undefined -version-info 0:0:0
-else
-libbroccoli_la_LDFLAGS = -version-info 3:0:0
-endif
-
-# Optionally include support files for pcap packets
-#
-if BRO_PCAP_SUPPORT
-PACKET_FILES = bro_packet.c bro_packet.h
-else
-PACKET_FILES =
-endif
-
-# Use the parser source files when we do have lex/yacc, and the generated
-# parser code otherwise. Seeing .y/.l's triggers yacc/lex automatically.
-if HAVE_LEX_AND_YACC
-PARSER_FILES = bro_parser.y bro_lexer.l
-else
-PARSER_FILES = bro_lexer.c bro_parser.c bro_parser.h
-endif
-
-# lex/yacc flags -- those need to be defined regardless of whether
-# we have those tools because of automake bogosity.
-LEX_OUTPUT_ROOT = lex.bro
-AM_LFLAGS  = -Pbro
-AM_YFLAGS  = -d -v -p bro
-
-DEBUGFLAGS = -W -Wall -Wno-unused
-INCLUDES =  $(DEBUGFLAGS) -I$(top_srcdir)/compat
-
-# Make sure the main header file gets installed in the appropriate
-# include directory:
-include_HEADERS = broccoli.h
-
-# Most importantly, make sure we build a library out of all this.
-lib_LTLIBRARIES = libbroccoli.la
-
-# The sources. If we have lex and yacc, the .y and .l files for
-# the parser are included, otherwise the generated .c/.h's.
-libbroccoli_la_SOURCES = $(PARSER_FILES) \
-	$(PACKET_FILES) 		 \
-	broccoli.h			 \
-	bro.c				 \
-	bro_attr.c bro_attr.h		 \
-	bro_attrs.c bro_attrs.h		 \
-	bro_buf.h bro_buf.c 		 \
-	bro_config.h bro_config.c	 \
-	bro_debug.h bro_debug.c		 \
-	bro_event.h bro_event.c 	 \
-	bro_event_reg.h bro_event_reg.c  \
-	bro_hashtable.h bro_hashtable.c  \
-	bro_id.h bro_id.c		 \
-	bro_io.h bro_io.c 		 \
-	bro_list.h bro_list.c		 \
-	bro_location.h bro_location.c	 \
-	bro_object.h bro_object.c        \
-	bro_openssl.h bro_openssl.c	 \
-	bro_record.h bro_record.c	 \
-	bro_sobject.h bro_sobject.c	 \
-	bro_table.h bro_table.c          \
-	bro_type.h bro_type.c		 \
-	bro_type_decl.h bro_type_decl.c  \
-	bro_types.h			 \
-	bro_util.h bro_util.c 		 \
-	bro_val.h bro_val.c
diff --git a/aux/broccoli/src/bro.c b/aux/broccoli/src/bro.c
deleted file mode 100644
index c7e04d1315..0000000000
--- a/aux/broccoli/src/bro.c
+++ /dev/null
@@ -1,1976 +0,0 @@
-/*
-       B R O C C O L I  --  The Bro Client Communications Library
-
-Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to
-deal in the Software without restriction, including without limitation the
-rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-sell copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies of the Software and its documentation and acknowledgment shall be
-given in the documentation and software packages that this Software was
-used.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
-THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-*/
-#include <stdlib.h>
-#include <stdarg.h>
-#include <stdio.h>
-#include <sys/types.h>
-#include <sys/wait.h>
-#include <sys/time.h>
-#include <time.h>
-#include <signal.h>
-
-#ifdef __MINGW32__
-#include <winsock.h>
-#else
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <string.h>
-#include <unistd.h>
-#include <errno.h>
-#endif
-
-#if HAVE_CONFIG_H
-# include <config.h>
-#endif
-
-#include "broccoli.h"
-#include "bro_debug.h"
-#include "bro_buf.h"
-#include "bro_config.h"
-#include "bro_hashtable.h"
-#include "bro_types.h"
-#include "bro_type.h"
-#include "bro_val.h"
-#include "bro_id.h"
-#include "bro_event.h"
-#include "bro_event_reg.h"
-#include "bro_io.h"
-#include "bro_util.h"
-#include "bro_openssl.h"
-#include "bro_record.h"
-#include "bro_table.h"
-#ifdef BRO_PCAP_SUPPORT
-#include "bro_packet.h"
-#endif
-
-
-/* Don't attempt to reconnect more than once every 5 seconds: */
-#define BRO_RECONNECT_MAX_RATE   5
-
-/* Default maximum cache size. */
-#define BRO_MAX_CACHE_SIZE       1000
-
-/* Macro for putting safety brakes on some functions to ensure the
- * user is now calling bro_init() first.
- */
-#define BRO_SAFETY_CHECK init_check(__FUNCTION__);
-
-/* Pointer to BroCtx provided by the user at initialization time. */
-const BroCtx *global_ctx = NULL;
-
-/* To make MinGW happy, we provide an initialization handler for the
- * DLL if we are building on Windows.
- */
-#ifdef __MINGW32__
-int main() { return 0; }
-#endif
-
-static int
-conn_init_await(BroConn *bc, int conn_state)
-{
-  /* Wait for a maximum of 10 seconds until the connection
-   * reaches the desired state. We check every 0.2 seconds.
-   */
-  int i = 0, intervals = 10 * 5 + 1;
-
-  D_ENTER;
-
-  if (bc->state->conn_state_self == conn_state)
-    {
-      D(("Self already in requested state.\n"));
-      D_RETURN_(TRUE);
-    }
-
-  /* Set our own connection state to the requested one.
-   */
-  bc->state->conn_state_self = conn_state;
-
-  /* Wait for a while, processing the peer's input,
-   * and return as soon as we reach the desired state.
-   */
-  while (i++ < intervals)
-    {
-      struct timeval timeout;
-      timeout.tv_sec  = 0;
-      timeout.tv_usec = 200000;
-
-      if (bc->state->conn_state_peer >= conn_state)
-	D_RETURN_(TRUE);
-      
-      if (select(0, NULL, NULL, NULL, &timeout) < 0)
-	{
-	  D(("select() caused '%s'\n", strerror(errno)));
-	  D_RETURN_(FALSE);
-	}
-      
-      __bro_io_process_input(bc);      
-    }
-  
-  D_RETURN_(FALSE);
-}
-  
-static int
-conn_init_setup(BroConn *bc)
-{
-  BroBuf buf;
-  uint32 descriptor[4];
-  int result;
-
-  D_ENTER;
-   
-  descriptor[0] = htonl((uint32) BRO_PROTOCOL_VERSION);
-  descriptor[1] = htonl((uint32) BRO_MAX_CACHE_SIZE);
-  descriptor[2] = htonl((uint32) BRO_DATA_FORMAT_VERSION);
-  descriptor[3] = 0; /* Relative uptime of the process */
-
-  __bro_buf_init(&buf);
-  __bro_buf_append(&buf, descriptor, 4 * sizeof(uint32));
-
-  if (bc->class)
-    __bro_buf_append(&buf, bc->class, strlen(bc->class) + 1);
-
-  if (! __bro_io_raw_queue(bc, BRO_MSG_VERSION,
-			   __bro_buf_get(&buf),
-			   __bro_buf_get_used_size(&buf)))
-    {
-      D(("Setup data not sent to %p\n", bc));
-      __bro_buf_cleanup(&buf);
-      D_RETURN_(FALSE);
-    }
-
-  __bro_buf_cleanup(&buf);
-
-  /* This phase does NOT send PHASE_END ... */
-  
-  D(("Phase done to peer on %p, self now in HANDSHAKE stage.\n", bc));
-  result = conn_init_await(bc, BRO_CONNSTATE_HANDSHAKE);  
-  D_RETURN_(result);
-}
-
-static int
-conn_init_handshake(BroConn *bc)
-{
-  uint32 caps[3];
-  int result;
-
-  D_ENTER;
-
-  /* --- Request events, if any -------------------------------------- */
-  if (bc->ev_reg->num_handlers > 0)
-    __bro_event_reg_request(bc);
-
-  /* --- Capabilities ------------------------------------------------ */
-
-  /* We never compress at the moment. */
-
-  /* Unless user requested caching, tell peer we do not cache. Note
-   * that at the moment we never cache data we send, so this only
-   * affects received data.
-   */
-  caps[0] = 0;
-  caps[1] = 0;
-  caps[2] = 0;
-
-  caps[0] |= (bc->conn_flags & BRO_CFLAG_CACHE) ? 0 : BRO_CAP_DONTCACHE;
-
-  caps[0] = htonl(caps[0]);
-  caps[1] = htonl(caps[1]);
-  caps[2] = htonl(caps[2]);
-
-  if (! __bro_io_raw_queue(bc, BRO_MSG_CAPS,
-			   (uchar*) caps, 3 * sizeof(uint32)))
-    {
-      D(("Handshake data not sent to %p\n", bc));
-      D_RETURN_(FALSE);
-    }
-
-  /* --- End of phase ------------------------------------------------ */
-  
-  if (! __bro_io_raw_queue(bc, BRO_MSG_PHASE_DONE, NULL, 0))
-    {
-      D(("End-of-Handshake not sent to %p\n", bc));
-      D_RETURN_(FALSE);
-    }
-  
-  if (bc->state->sync_state_requested)
-    {
-      D(("Phase done to peer on %p, sync requested, self now in SYNC stage.\n", bc));
-      result = conn_init_await(bc, BRO_CONNSTATE_SYNC);  
-    }
-  else
-    {
-      D(("Phase done to peer on %p, no sync requested, self now in RUNNING stage.\n", bc));
-      result = conn_init_await(bc, BRO_CONNSTATE_RUNNING);  
-    }
-
-  D_RETURN_(result);
-}
-
-static int
-conn_init_sync(BroConn *bc)
-{
-  int result = TRUE;
-
-  D_ENTER;
-
-  /* If the peer requested synced state, we just send another phase done.
-   * Otherwise we don't do anything and immediately move to the "running"
-   * state.
-   */
-  if (bc->state->sync_state_requested)
-    {
-      if (! __bro_io_raw_queue(bc, BRO_MSG_PHASE_DONE, NULL, 0))
-	{
-	  D(("End-of-Sync not sent to %p\n", bc));
-	  D_RETURN_(FALSE);
-	}
-
-      D(("Phase done to peer on %p\n", bc));
-    }
-  
-  D(("Self now in RUNNING stage.\n"));
-  result = conn_init_await(bc, BRO_CONNSTATE_RUNNING);
-  
-  D_RETURN_(result);
-}
-
-/* This function walks lock-step with the peer through
- * the entire handshake procedure.
- */
-static int
-conn_init_configure(BroConn *bc)
-{
-  if (! conn_init_setup(bc))
-    return FALSE;
-  if (! conn_init_handshake(bc))
-    return FALSE;
-  if (! conn_init_sync(bc))
-    return FALSE;
-  
-  return TRUE;
-}
-
-static int
-conn_init(BroConn *bc)
-{
-  D_ENTER;
-
-  if (! (bc->rx_buf = __bro_buf_new()))
-    goto error_exit;
-  if (! (bc->tx_buf = __bro_buf_new()))
-    goto error_exit;
-
-  if (! (bc->state = calloc(1, sizeof(BroConnState))))
-    goto error_exit;
-  
-  bc->state->conn_state_self = BRO_CONNSTATE_SETUP;
-  bc->state->conn_state_peer = BRO_CONNSTATE_SETUP;
-
-  if (! __bro_openssl_connect(bc))
-    goto error_exit;
-
-  D_RETURN_(TRUE);
-  
- error_exit:
-  __bro_buf_free(bc->rx_buf);
-  __bro_buf_free(bc->tx_buf);
-  bc->rx_buf = NULL;
-  bc->tx_buf = NULL;
-
-  D_RETURN_(FALSE);
-}
-
-static void
-conn_free(BroConn *bc)
-{
-  D_ENTER;
-
-  __bro_openssl_shutdown(bc);
-
-  if (bc->state)
-    free(bc->state);
-
-  __bro_buf_free(bc->rx_buf);
-  __bro_buf_free(bc->tx_buf);
-  bc->rx_buf = NULL;
-  bc->tx_buf = NULL;
-
-  D_RETURN;
-}
-
-static void
-init_check(const char *func)
-{
-  if (global_ctx == NULL) {
-    fprintf(stderr,
-	    "*** Broccoli error: %s called without prior initialization.\n"
-	    "*** Initialization of the Broccoli library is now required.\n"
-	    "*** See documentation for details. Aborting.\n",
-	    func);
-    exit(-1);
-  }
-}
-
-int
-bro_init(const BroCtx* ctx)
-{
-  if (global_ctx != NULL)
-    return TRUE;
-
-  if (ctx == NULL) {
-    ctx = calloc(1, sizeof(BroCtx));
-    bro_ctx_init((BroCtx*) ctx);
-  }
-
-  global_ctx = ctx;
-  __bro_conf_init();
-  if (! __bro_openssl_init())
-    return FALSE;
-
-  return TRUE;
-}
-
-void
-bro_ctx_init(BroCtx *ctx)
-{
-  memset(ctx, 0, sizeof(BroCtx));
-}
-
-BroConn *
-bro_conn_new_str(const char *hostname, int flags)
-{
-  BroConn *bc;
-  static int counter = 0;
-  
-  BRO_SAFETY_CHECK;
-
-  D_ENTER;
-  
-  if (! hostname || !*hostname)
-    D_RETURN_(NULL);
-  
-  if (! (bc = (BroConn *) calloc(1, sizeof(BroConn))))
-    D_RETURN_(NULL);
-  
-  D(("Connecting to host %s\n", hostname));
-
-  bc->conn_flags = flags;
-  bc->id_pid = getpid();
-  bc->id_num = counter++;
-  bc->peer = strdup(hostname);
-  bc->io_cache_maxsize = BRO_MAX_CACHE_SIZE;
-  bc->socket = -1;
-
-  TAILQ_INIT(&bc->msg_queue);
-  bc->msg_queue_len = 0;
-
-  if (! (bc->ev_reg = __bro_event_reg_new()))
-    goto error_exit;
-
-  if (! (bc->io_cache = __bro_ht_new(__bro_ht_int_hash,
-				     __bro_ht_int_cmp,
-				     NULL,
-				     (BroHTFreeFunc) __bro_sobject_release,
-				     TRUE)))
-    goto error_exit;
-  
-  if (! (bc->data = __bro_ht_new(__bro_ht_str_hash,
-				 __bro_ht_str_cmp,
-				 __bro_ht_mem_free,
-				 NULL, FALSE)))
-    goto error_exit;
-  
-  if (! (bc->ev_mask = __bro_ht_new(__bro_ht_str_hash,
-				    __bro_ht_str_cmp,
-				    __bro_ht_mem_free,
-				    NULL, FALSE)))
-    goto error_exit;  
-  
-  D_RETURN_(bc);
-
- error_exit:
-  __bro_event_reg_free(bc->ev_reg);
-  __bro_ht_free(bc->ev_mask);
-  __bro_ht_free(bc->io_cache);
-  __bro_ht_free(bc->data);
-  
-  if (bc->peer)
-    free(bc->peer);
-  
-  free(bc);
-  D_RETURN_(NULL);
-}
-
-
-BroConn *
-bro_conn_new(struct in_addr *ip_addr, uint16 port, int flags)
-{
-  BroConn *bc;
-  char hostname[1024];
-
-  BRO_SAFETY_CHECK;
-
-  D_ENTER;
-  __bro_util_snprintf(hostname, 1024, "%s:%hu", inet_ntoa(*ip_addr), ntohs(port));
-  bc = bro_conn_new_str(hostname, flags);
-  D_RETURN_(bc);
-}
-
-BroConn *
-bro_conn_new_socket(int fd, int flags)
-{
-  BroConn *bc;
-
-  BRO_SAFETY_CHECK;
-
-  D_ENTER;
-
-  if ( fd < 0 )
-    D_RETURN_(NULL);
-
-  bc = bro_conn_new_str("<fd>", flags);
-  if (! bc)
-    D_RETURN_(NULL);
-
-  bc->socket = fd;
-  D_RETURN_(bc);
-}
-
-void
-bro_conn_set_class(BroConn *bc, const char *class)
-{
-  if (! bc)
-    return;
-
-  if (bc->class)
-    free(bc->class);
-
-  bc->class = strdup(class);
-}
-
-const char *
-bro_conn_get_peer_class(const BroConn *bc)
-{
-  if (! bc)
-    return NULL;
-
-  return bc->peer_class;
-}
-
-void
-bro_conn_get_connstats(const BroConn *bc, BroConnStats *cs)
-{
-  if (! bc || ! cs)
-    return;
-
-  memset(cs, 0, sizeof(BroConnStats));
-  cs->tx_buflen =  __bro_buf_get_used_size(bc->tx_buf);
-  cs->rx_buflen =  __bro_buf_get_used_size(bc->rx_buf);
-}
-
-int
-bro_conn_connect(BroConn *bc)
-{
-  D_ENTER;
-
-  if (! bc)
-    D_RETURN_(FALSE);
-
-  if ( (bc->conn_flags & BRO_CFLAG_SHAREABLE))
-    fprintf(stderr, "WARNING: BRO_CFLAG_SHAREABLE is no longer supported.\n");
-
-  if (! conn_init(bc))
-    D_RETURN_(FALSE);
-  
-  /* Handshake procedure. */
-  if (! conn_init_configure(bc))
-    D_RETURN_(FALSE);
-
-  D_RETURN_(TRUE);
-}
-
-
-int
-bro_conn_reconnect(BroConn *bc)
-{
-  BroMsg *msg, *msg_first, **msg_last;
-  int msg_queue_len;
-  time_t current_time;
-
-  D_ENTER;
-
-  if (! bc)
-    D_RETURN_(FALSE);
-
-  if (bc->state->in_reconnect)
-    D_RETURN_(FALSE);
-  
-  if ( (current_time = time(NULL)) > 0)
-    {
-      if (current_time - bc->state->last_reconnect < BRO_RECONNECT_MAX_RATE)
-	{
-	  D(("Less than %i seconds since last reconnect attempt, not reconnecting.\n",
-	     BRO_RECONNECT_MAX_RATE));
-	  D_RETURN_(FALSE);
-	}
-
-      bc->state->last_reconnect = current_time;
-    }
-  
-  D(("Attempting reconnection...\n"));
-  bc->state->in_reconnect = TRUE;
-  
-  /* NOTE: the sequencing in this function is quite tricky and very picky.
-   * Don't move things around unneccesarily ...
-   */
-  bc->state->tx_dead = bc->state->rx_dead = FALSE;
-  
-  /* Clean up the old connection state: */
-  bc->state->conn_state_self = BRO_CONNSTATE_SETUP;
-  bc->state->conn_state_peer = BRO_CONNSTATE_SETUP;
-  bc->state->sync_state_requested = FALSE;
-  
-  if (bc->bio)
-    {
-      BIO_free_all(bc->bio);
-      bc->bio = NULL;
-    }
-
-  /* Attempt to establish new connection */
-  if (! __bro_openssl_reconnect(bc))
-    goto error_return;
-
-  __bro_buf_reset(bc->rx_buf);
-  __bro_buf_reset(bc->tx_buf);
-
-  /* Only *after* we managed to connect, we clear the event mask for events
-   * the peer expects, etc. If we do this earlier and fail to connect, then future
-   * sent events never trigger a reconnect because they're never sent since
-   * they don't seem to be requested.
-   */
-
-  /* Temporarily unhook messages from the message queue so the new messages
-   * get sent right away. We hook the old ones back in below.
-   */
-  msg_first = bc->msg_queue.tqh_first;
-  msg_last  = bc->msg_queue.tqh_last;
-  msg_queue_len = bc->msg_queue_len;
-  bc->msg_queue_len = 0;
-  TAILQ_INIT(&bc->msg_queue);
-
-  __bro_ht_free(bc->ev_mask);
-
-  if (! (bc->ev_mask = __bro_ht_new(__bro_ht_str_hash,
-				    __bro_ht_str_cmp,
-				    __bro_ht_mem_free,
-				    NULL, FALSE)))				    
-    goto reset_error_return;
-
-  __bro_ht_free(bc->io_cache);
-  
-  if (! (bc->io_cache = __bro_ht_new(__bro_ht_int_hash,
-				     __bro_ht_int_cmp,
-				     NULL,
-				     (BroHTFreeFunc) __bro_sobject_release,
-				     TRUE)))
-    goto reset_error_return;
-
-  if (! conn_init_configure(bc))
-    goto reset_error_return;
-
-  /* Hook old events back in */
-  if (bc->msg_queue_len == 0)
-    bc->msg_queue.tqh_first = msg_first;
-  else
-    {
-      msg_first->msg_queue.tqe_prev = bc->msg_queue.tqh_last;
-      *bc->msg_queue.tqh_last = msg_first;
-    }
-
-  bc->msg_queue.tqh_last = msg_last;
-  bc->msg_queue_len += msg_queue_len;
-
-  D(("Reconnect completed successfully.\n"));
-  bc->state->in_reconnect = FALSE;
-  
-  D_RETURN_(TRUE);
-
- reset_error_return:
-
-  /* If the reconnect went wrong somehow, nuke the queue and
-   * place old queue contents back in.
-   */
-  while ( (msg = bc->msg_queue.tqh_first))
-    {
-      TAILQ_REMOVE(&bc->msg_queue, msg, msg_queue);
-      __bro_io_msg_free(msg);
-    }
-  
-  bc->msg_queue.tqh_first = msg_first;
-  bc->msg_queue.tqh_last = msg_last;
-  bc->msg_queue_len = msg_queue_len;
-  
- error_return:
-  bc->state->tx_dead = bc->state->rx_dead = TRUE;
-  bc->state->in_reconnect = FALSE;
-
-  D_RETURN_(FALSE);
-}
-
-
-int 
-bro_conn_delete(BroConn *bc)
-{
-  BroMsg *msg;
-
-  D_ENTER;
-
-  if (!bc || !bc->state)
-    D_RETURN_(FALSE);
-
-  if (! bc->state->tx_dead)
-    {
-      /* Try to flush command queue */
-      __bro_io_msg_queue_flush(bc);
-    }
-
-  while ( (msg = bc->msg_queue.tqh_first))
-    {
-      TAILQ_REMOVE(&bc->msg_queue, msg, msg_queue);
-      __bro_io_msg_free(msg);
-    }
-
-  __bro_ht_free(bc->ev_mask);
-  __bro_event_reg_free(bc->ev_reg);
-  __bro_ht_free(bc->io_cache);
-  __bro_ht_free(bc->data);
-
-  conn_free(bc);
-
-  if (bc->class)
-    free(bc->class);
-  if (bc->peer_class)
-    free(bc->peer_class);
-
-  if (bc->peer)
-    free(bc->peer);
-
-  free(bc);
-  D_RETURN_(TRUE);
-}
-
-
-int
-bro_conn_alive(const BroConn *bc)
-{
-  if (!bc || !bc->state)
-    return FALSE;
-
-  return (! bc->state->tx_dead && ! bc->state->rx_dead);
-}
-
-
-static int
-conn_adopt_events_cb(char *ev_name, void *data, BroHT *dst)
-{
-  char *key;
-
-  /* If the event is already reported, ignore. */
-  if (__bro_ht_get(dst, ev_name))
-    return TRUE;
-  
-  D(("Adopting event %s\n", ev_name));
-  key = strdup(ev_name);
-  __bro_ht_add(dst, key, key);
-  
-  return TRUE;
-  data = NULL;
-}
-
-void
-bro_conn_adopt_events(BroConn *src, BroConn *dst)
-{
-  D_ENTER;
-
-  if (!src || !dst)
-    D_RETURN;
-
-  __bro_ht_foreach(src->ev_mask, (BroHTCallback) conn_adopt_events_cb, dst->ev_mask);
-
-  D_RETURN;
-}
-
-
-int
-bro_conn_get_fd(BroConn *bc)
-{
-  int fd;
-
-  if (! bc || !bc->state || bc->state->tx_dead || bc->state->rx_dead || !bc->bio)
-    return -1;
-  
-#ifdef __MINGW32__
-  return 0;
-#else
-  BIO_get_fd(bc->bio, &fd);
-  return fd;
-#endif
-}
-
-
-int
-bro_conn_process_input(BroConn *bc)
-{
-  if (! bc || !bc->state || bc->state->rx_dead)
-    return FALSE;
-
-  return __bro_io_process_input(bc);
-}
-
-
-int
-bro_event_queue_length(BroConn *bc)
-{
-  if (! bc)
-    return 0;
-
-  return bc->msg_queue_len;
-}
-
-
-int
-bro_event_queue_length_max(BroConn *bc)
-{
-  return BRO_MSG_QUEUELEN_MAX;
-  bc = NULL;
-}
-
-
-int            
-bro_event_queue_flush(BroConn *bc)
-{
-  return __bro_io_msg_queue_flush(bc);
-}
-
-
-int
-bro_event_send(BroConn *bc, BroEvent *ev)
-{
-  int result;
-
-  D_ENTER;
-
-  if (! bc || !ev)
-    {
-      D(("Input error\n"));
-      D_RETURN_(FALSE);
-    }
-
-  D(("Sending event with %i args\n", __bro_list_length(ev->val_list)));
-  result = __bro_io_event_queue(bc, ev);
-  D_RETURN_(result);
-}
-
-
-int
-bro_event_send_raw(BroConn *bc, const uchar *data, int data_len)
-{
-  BroBuf *buf = NULL;
-
-  D_ENTER;
-
-  if (! bc || !data)
-    {
-      D(("Input error\n"));
-      D_RETURN_(FALSE);
-    }
-
-  if (data_len == 0)
-    {
-      D(("Nothing to send\n"));
-      D_RETURN_(TRUE);
-    }
-
-  if (! (buf = __bro_buf_new()))
-    {
-      D(("Out of memory\n"));
-      D_RETURN_(FALSE);
-    }
-      
-  __bro_buf_write_char(buf, 'e');
-  __bro_buf_write_data(buf, data, data_len);
-
-  __bro_io_rawbuf_queue(bc, BRO_MSG_SERIAL, buf);
-  __bro_io_msg_queue_flush(bc);
-
-  D_RETURN_(TRUE);
-}
-
-
-void
-bro_conn_data_set(BroConn *bc, const char *key, void *val)
-{
-  if (!bc || !key || !*key)
-    return;
-
-  __bro_ht_add(bc->data, strdup(key), val);
-}
-
-
-void *
-bro_conn_data_get(BroConn *bc, const char *key)
-{
-  if (!bc || !key || !*key)
-    return NULL;
-
-  return __bro_ht_get(bc->data, (void *) key);
-}
-
-
-void *
-bro_conn_data_del(BroConn *bc, const char *key)
-{
-  if (!bc || !key || !*key)
-    return NULL;
-  
-  return __bro_ht_del(bc->data, (void *) key);
-}
-
-
-/* ----------------------------- Bro Events -------------------------- */
-
-BroEvent *
-bro_event_new(const char *event_name)
-{
-  BroString name;
-  BroEvent *result;
-
-  bro_string_set(&name, event_name);
-  result = __bro_event_new(&name);
-  bro_string_cleanup(&name);
-
-  return result;
-}
-
-
-void
-bro_event_free(BroEvent *be)
-{
-  __bro_event_free(be);
-}
-
-
-int
-bro_event_add_val(BroEvent *be, int type, const char *type_name, const void *val)
-{
-  BroVal *v;
-
-  D_ENTER;
-
-  if (! be || ! val || type < 0 || type >= BRO_TYPE_MAX)
-    {
-      D(("Invalid input: (%p, %i, %p)\n", be, type, val));
-      D_RETURN_(FALSE);
-    }
-  
-  if (! (v = __bro_val_new_of_type(type, type_name)))
-    D_RETURN_(FALSE);
-
-  if (! __bro_val_assign(v, val))
-    {
-      __bro_sobject_release((BroSObject *) v);
-      D_RETURN_(FALSE);
-    }
-
-  __bro_event_add_val(be, v);
-
-  D_RETURN_(TRUE);
-}
-
-
-int
-bro_event_set_val(BroEvent *be, int val_num,
-		  int type, const char *type_name,
-		  const void *val)
-{
-  BroVal *v;
-  int result;
-
-  D_ENTER;
-
-  if (! be || ! val || type < 0 || type >= BRO_TYPE_MAX)
-    {
-      D(("Invalid input: (%p, %i, %p)\n", be, type, val));
-      D_RETURN_(FALSE);
-    }
-
-  if (! (v = __bro_val_new_of_type(type, type_name)))
-    D_RETURN_(FALSE);
-
-  if (! __bro_val_assign(v, val))
-    {
-      __bro_sobject_release((BroSObject *) v);
-      D_RETURN_(FALSE);
-    }
-  
-  result = __bro_event_set_val(be, val_num, v);
-  D_RETURN_(result);
-}
-
-
-void
-bro_event_registry_add(BroConn *bc,
-		       const char *event_name,
-		       BroEventFunc func,
-		       void *user_data)		       
-{
-  __bro_event_reg_add(bc, event_name, func, user_data);
-}
-
-
-void
-bro_event_registry_add_compact(BroConn *bc,
-			       const char *event_name,
-			       BroCompactEventFunc func,
-			       void *user_data)		       
-{
-  __bro_event_reg_add_compact(bc, event_name, func, user_data);
-}
-
-
-void
-bro_event_registry_remove(BroConn *bc, const char *event_name)
-{
-  __bro_event_reg_remove(bc, event_name);
-}
-
-
-void
-bro_event_registry_request(BroConn *bc)
-{
-  D_ENTER;
-  
-  if (!bc || !bc->state)
-    D_RETURN;
-
-  /* A connection that isn't up and running yet cannot request
-   * events. The handshake phase will request any registered
-   * events automatically.
-   */
-  if (bc->state->conn_state_self != BRO_CONNSTATE_RUNNING)
-    D_RETURN;
-  
-  __bro_event_reg_request(bc);
-  
-  D_RETURN;
-}
-
-
-
-/* ------------------------ Dynamic-size Buffers --------------------- */
-
-BroBuf *
-bro_buf_new(void)
-{
-  BroBuf *buf;
-
-  if (! (buf = calloc(1, sizeof(BroBuf))))
-    return NULL;
-
-  __bro_buf_init(buf);
-  return buf;
-}
-
-
-void
-bro_buf_free(BroBuf *buf)
-{
-  if (!buf)
-    return;
-
-  __bro_buf_cleanup(buf);
-  free(buf);
-}
-
-
-int
-bro_buf_append(BroBuf *buf, void *data, int data_len)
-{
-  return __bro_buf_append(buf, data, data_len);
-}
-
-
-void
-bro_buf_consume(BroBuf *buf)
-{
-  __bro_buf_consume(buf);
-}
-
-
-void
-bro_buf_reset(BroBuf *buf)
-{
-  __bro_buf_reset(buf);
-}
-
-
-uchar *
-bro_buf_get(BroBuf *buf)
-{
-  return __bro_buf_get(buf);
-}
-
-
-uchar *
-bro_buf_get_end(BroBuf *buf)
-{
-  return __bro_buf_get_end(buf);
-}
-
-
-uint
-bro_buf_get_size(BroBuf *buf)
-{
-  return __bro_buf_get_size(buf);
-}
-
-
-uint
-bro_buf_get_used_size(BroBuf *buf)
-{
-  return __bro_buf_get_used_size(buf);
-}
-
-
-uchar *
-bro_buf_ptr_get(BroBuf *buf)
-{
-  return __bro_buf_ptr_get(buf);
-}
-
-
-uint32
-bro_buf_ptr_tell(BroBuf *buf)
-{
-  return __bro_buf_ptr_tell(buf);
-}
-
-
-int
-bro_buf_ptr_seek(BroBuf *buf, int offset, int whence)
-{
-  return __bro_buf_ptr_seek(buf, offset, whence);
-}
-
-
-int
-bro_buf_ptr_check(BroBuf *buf, int size)
-{
-  return __bro_buf_ptr_check(buf, size);
-}
-
-
-int
-bro_buf_ptr_read(BroBuf *buf, void *data, int size)
-{
-  return __bro_buf_ptr_read(buf, data, size);
-}
-
-
-int
-bro_buf_ptr_write(BroBuf *buf, void *data, int size)
-{
-  return __bro_buf_ptr_write(buf, data, size);
-}
-
-
-
-/* ------------------------ Configuration Access --------------------- */
-
-void
-bro_conf_set_domain(const char *domain)
-{
-  BRO_SAFETY_CHECK;
-  __bro_conf_set_domain(domain);
-}
-
-
-int
-bro_conf_get_int(const char *val_name, int *val)
-{
-  BRO_SAFETY_CHECK;
-
-  if (! val_name || ! val)
-    return FALSE;
-
-  return __bro_conf_get_int(val_name, val);
-}
-
-
-int
-bro_conf_get_dbl(const char *val_name, double *val)
-{
-  BRO_SAFETY_CHECK;
-
-  if (! val_name || ! val)
-    return FALSE;
-
-  return __bro_conf_get_dbl(val_name, val);
-}
-
-
-const char *
-bro_conf_get_str(const char *val_name)
-{
-  BRO_SAFETY_CHECK;
-
-  if (! val_name)
-    return FALSE;
-  
-  return __bro_conf_get_str(val_name);
-}
-
-
-/* -------------------------- Record Handling ------------------------ */
-
-BroRecord *
-bro_record_new(void)
-{
-  return __bro_record_new();
-}
-
-
-void
-bro_record_free(BroRecord *rec)
-{
-  __bro_record_free(rec);
-}
-
-int
-bro_record_get_length(BroRecord *rec)
-{
-  return __bro_record_get_length(rec);
-}
-
-int
-bro_record_add_val(BroRecord *rec, const char *name,
-		   int type, const char *type_name, const void *val)
-{
-  BroVal *v;
-
-  D_ENTER;
-
-  if (! rec)
-    {
-      D(("Input error: (%p, %s, %i, %p)\n", rec, name, type, val));
-      D_RETURN_(FALSE);
-    }
-  
-  if (! (v = __bro_val_new_of_type(type, type_name)))
-    {
-      D(("Could not get val of type %i\n", type));
-      D_RETURN_(FALSE);
-    }
-  
-  if (! name)
-    name = "";
-
-  __bro_sobject_data_set((BroSObject *) v, "field", strdup(name));
-
-  if (! __bro_val_assign(v, val))
-    {
-      D(("Could not assign value to the new val.\n"));
-      __bro_sobject_release((BroSObject *) v);
-      D_RETURN_(FALSE);
-    }
-
-  __bro_record_add_val(rec, v);
-  D_RETURN_(TRUE);
-}
-
-
-const char* 
-bro_record_get_nth_name(BroRecord *rec, int num)
-{
-  const char *name;
- 
-  if ( (name = __bro_record_get_nth_name(rec, num)))
-    return name;
-
-  return NULL;
-}
- 
-
-void *
-bro_record_get_nth_val(BroRecord *rec, int num, int *type)
-{
-  BroVal *val;
-  int type_found;
-  void *result = NULL;
-
-  if (type && (*type < BRO_TYPE_UNKNOWN || *type >= BRO_TYPE_MAX))
-    {
-      D(("Invalid value for type pointer (%i)\n", *type));
-      return NULL;
-    }
-
-  if (! (val = __bro_record_get_nth_val(rec, num)))
-    return NULL;
-
-  /* Now transform the val into a form expected in *result,
-   * based on the type given in the val.
-   */
-  if (! __bro_val_get_data(val, &type_found, &result))
-    return NULL;
-  
-  if (type)
-    {
-      if (*type != BRO_TYPE_UNKNOWN && type_found != *type)
-	{
-	  D(("Type mismatch: expected type tag %i, found type tag %i\n", *type, type_found));
-	  result = NULL;
-	}
-      
-      *type = type_found;
-    }
-  
-  return result;
-}
-
-
-void *
-bro_record_get_named_val(BroRecord *rec, const char *name, int *type)
-{
-  BroVal *val;
-  int type_found;
-  void *result = NULL;
- 
-  if (type && (*type < BRO_TYPE_UNKNOWN || *type >= BRO_TYPE_MAX))
-    {
-      D(("Invalid value for type pointer (%i)\n", *type));
-      return NULL;
-    }
- 
-  if (! (val = __bro_record_get_named_val(rec, name)))
-    return NULL;
-
-  /* Now transform the val into a form expected in *result,
-   * based on the type given in the val.
-   */
-  if (! __bro_val_get_data(val, &type_found, &result))
-    return NULL;
-  
-  if (type)
-    {
-      if (*type != BRO_TYPE_UNKNOWN && type_found != *type)
-	{
-	  D(("Type mismatch: expected type tag %i for field '%s', found tag %i\n",
-	     *type, name, type_found));
-	  result = NULL;
-	}
-
-      *type = type_found;
-    }
-  
-  return result;
-}
-
-
-int
-bro_record_set_nth_val(BroRecord *rec, int num,
-		       int type, const char *type_name, const void *val)
-{
-  BroVal *v;
-  char *name;
-
-  D_ENTER;
-
-  if (! rec || num < 0 || num >= rec->val_len ||
-      type < 0 || type >= BRO_TYPE_MAX || ! val)
-    {
-      D(("Input error: (%p, %i, %i, %p)\n", rec, num, type, val));
-      D_RETURN_(FALSE);
-    }
-  
-  if (! (v = __bro_record_get_nth_val(rec, num)))
-    D_RETURN_(FALSE);
-
-  if (! (name = __bro_sobject_data_get((BroSObject *) v, "field")))
-    D_RETURN_(FALSE);
-  
-  if (! (v = __bro_val_new_of_type(type, type_name)))
-    {
-      D(("Could not get val of type %i\n", type));
-      D_RETURN_(FALSE);
-    }
-  
-  __bro_sobject_data_set((BroSObject *) v, "field", strdup(name));
-
-  if (! __bro_val_assign(v, val))
-    {
-      D(("Could not assign value to the new val.\n"));
-      __bro_sobject_release((BroSObject *) v);
-      D_RETURN_(FALSE);
-    }
-
-  __bro_record_set_nth_val(rec, num, v);
-  D_RETURN_(TRUE);
-}
-
-
-int
-bro_record_set_named_val(BroRecord *rec, const char *name,
-			 int type, const char *type_name, const void *val)
-{
-  BroVal *v;
-
-  D_ENTER;
-
-  if (! rec || ! name || !*name ||
-      type < 0 || type >= BRO_TYPE_MAX || ! val)
-    {
-      D(("Input error: (%p, %s, %i, %p)\n", rec, name, type, val));
-      D_RETURN_(FALSE);
-    }
-  
-  if (! (v = __bro_val_new_of_type(type, type_name)))
-    {
-      D(("Could not get val of type %i\n", type));
-      D_RETURN_(FALSE);
-    }
-    
-  if (! __bro_val_assign(v, val))
-    {
-      D(("Could not assign value to the new val.\n"));
-      __bro_sobject_release((BroSObject *) v);
-      D_RETURN_(FALSE);
-    }
-  
-  __bro_record_set_named_val(rec, name, v);
-  D_RETURN_(TRUE);
-}
-
-
-/* -------------------------- Tables & Sets -------------------------- */
-
-BroTable *
-bro_table_new(void)
-{
-  BroTable *tbl;
-
-  D_ENTER;
-  tbl = __bro_table_new();
-  D_RETURN_(tbl);
-}
-
-
-void
-bro_table_free(BroTable *tbl)
-{
-  D_ENTER;
-  __bro_table_free(tbl);
-  D_RETURN;
-}
-
-
-int
-bro_table_insert(BroTable *tbl,
-		 int key_type, const void *key,
-		 int val_type, const void *val)
-{
-  BroVal *vv = NULL;
-  BroListVal *lv;
-
-  D_ENTER;
-
-  if (! tbl || !key || !val)
-    D_RETURN_(FALSE);
-
-  if (tbl->tbl_key_type != BRO_TYPE_UNKNOWN &&
-      tbl->tbl_key_type != key_type)
-    {
-      D(("Type mismatch when inserting key of type %d, expecting %d\n",
-	 key_type, tbl->tbl_key_type));
-      D_RETURN_(FALSE);
-    }
-
-  tbl->tbl_key_type = key_type;
-
-  if (tbl->tbl_val_type != BRO_TYPE_UNKNOWN &&
-      tbl->tbl_val_type != val_type)
-    {
-      D(("Type mismatch when inserting val of type %d, expecting %d\n",
-	 val_type, tbl->tbl_val_type));
-      D_RETURN_(FALSE);
-    }
-
-  tbl->tbl_val_type = val_type;
-
-  /* Now need to creat BroVals out of the raw data provided.
-   * If the key_type is BRO_TYPE_LIST, it means the argument
-   * is expected to be a BroRecord and its elements will be
-   * used as elements of a list of values, as used internally
-   * by Bro. For all other BRO_TYPE_xxx values, the type is
-   * used in the obvious way.
-   */
-  lv = __bro_list_val_new();
-  
-  if (key_type == BRO_TYPE_LIST)
-    {
-      /* We need to unroll the record elements and put them
-       * all in the list val.
-       */
-      
-      BroRecord *rec = (BroRecord*) key;
-      int i;
-
-      for (i = 0; i < __bro_record_get_length(rec); i++)
-	{
-	  /* We can here leverage the fact that internally, all
-	   * elements of a BroRec are BroVals.
-	   */
-	  BroVal *v = __bro_record_get_nth_val(rec, i);
-	  BroVal *v_copy = (BroVal*) __bro_sobject_copy((BroSObject*) v);
-	  __bro_list_val_append(lv, v_copy); 
-	}
-    }
-  else
-    {
-      BroVal *kv;
-
-      /* In this case we actually need to create a BroVal from
-       * the user's raw data first.
-       */
-      if (! (kv = __bro_val_new_of_type(key_type, NULL)))
-	{
-	  D(("Could not create val of type %d\n", key_type));
-	  D_RETURN_(FALSE);
-	}
-      
-      __bro_val_assign(kv, key);
-      __bro_list_val_append(lv, kv);
-    }  
-  
-  if (val)
-    {
-      if (! (vv = __bro_val_new_of_type(val_type, NULL)))
-	{
-	  D(("Could not crate val of type %d\n", val_type));
-	  D_RETURN_(FALSE);
-	}
-      
-      __bro_val_assign(vv, val);
-    }
-
-  __bro_table_insert(tbl, (BroVal*) lv, vv);  
-  
-  D_RETURN_(TRUE);
-}
-
-
-void *
-bro_table_find(BroTable *tbl, const void *key)
-{
-  BroListVal *lv;
-  BroVal *val, *result_val;
-  void *result = NULL;
-  BroRecord *rec = NULL;
-
-  D_ENTER;
-
-  lv = __bro_list_val_new();
-
-  if (tbl->tbl_key_type == BRO_TYPE_LIST)
-    {
-      /* Need to interpret the given key as a record and hook its
-       * elements into the list. Below we unhook the list from the
-       * ListVal before releasing it.
-       */
-      rec = (BroRecord *) key;
-      lv->list = rec->val_list;
-      lv->len = rec->val_len;
-    }
-  else
-    {
-      if (! (val = __bro_val_new_of_type(tbl->tbl_key_type, NULL)))
-	{
-	  D(("Could not create val of type %d.\n", tbl->tbl_key_type));
-	  D_RETURN_(NULL);
-	}
-      
-      __bro_val_assign(val, key);
-      __bro_list_val_append(lv, val);
-    }
-  
-  if ( (result_val = __bro_table_find(tbl, (BroVal*) lv)))
-    {
-      if (! __bro_val_get_data(result_val, NULL, &result))
-	{
-	  __bro_sobject_release((BroSObject*) lv);
-	  D_RETURN_(NULL);	  
-	}
-    }
-  
-  if (rec)
-    {
-      lv->list = NULL;
-      lv->len = 0;
-    }
-
-  __bro_sobject_release((BroSObject*) lv);
-  
-  D_RETURN_(result);
-}
-
-
-int
-bro_table_get_size(BroTable *tbl)
-{
-  int result;
-
-  D_ENTER;
-  result = __bro_table_get_size(tbl);
-  D_RETURN_(result);
-}
-
-typedef struct bro_table_cb_data
-{ 
-  void *user_data;
-  BroTableCallback cb;
-  int is_set;
-} BroTableCBData;
-
-static int
-bro_table_foreach_cb(BroListVal *key, BroVal *val, BroTableCBData *data)
-{
-  int result;
-  void *key_data = NULL, *val_data = NULL;
-  BroRecord *rec = NULL;
-  
-  if (__bro_list_val_get_length(key) > 1)
-    {
-      /* Need to shrink-wrap it into a record. */
-      BroList *l;
-      rec = __bro_record_new();
-      
-      for (l = key->list; l; l = __bro_list_next(l))
-	{
-	  BroVal *tmp = (BroVal*) __bro_list_data(l);
-	  
-	  /* __bro_record_add_val() does not internally copy the added
-	   * val. Without bumping up the val's refcount, __bro_record_free()
-	   * below would possibly nuke the val when it decrements the count
-	   * by 1.
-	   */
-	  __bro_sobject_ref((BroSObject*) tmp);
-	  __bro_record_add_val(rec, tmp);
-	}
-
-      key_data = (void*) rec;
-    }
-  else
-    {
-      /* Direct passthrough. */
-      BroVal *v = __bro_list_val_get_front(key);
-      D(("Index type is atomic, type %d/%d\n",
-	 v->val_type->tag, v->val_type->internal_tag));
-    
-      if (! __bro_val_get_data(v, NULL, &key_data))
-	{
-	  D(("Failed to obtain user-suitable data representation.\n"));
-	  return TRUE;
-	}
-    }
-  
-  if (! data->is_set && ! __bro_val_get_data(val, NULL, &val_data))
-    {
-      D(("Failed to obtain user-suitable data representation.\n"));
-      result = FALSE;
-      goto return_result;
-    }
-  
-  result = data->cb(key_data, val_data, data->user_data);
-  
- return_result:
-  if (rec)
-    __bro_record_free(rec);
-  
-  return result;
-}
-
-void
-bro_table_foreach(BroTable *tbl,
-		  BroTableCallback cb,
-		  void *user_data)
-{
-  BroTableCBData data;
-
-  D_ENTER;
-
-  data.user_data = user_data;
-  data.cb = cb;
-  data.is_set = __bro_table_is_set(tbl);
-
-  __bro_table_foreach(tbl,
-		      (BroTableCallback) bro_table_foreach_cb,
-		      &data);
-  D_RETURN;
-}
-
-void
-bro_table_get_types(BroTable *tbl,
-		    int *key_type, int *val_type)
-{
-  if (! tbl)
-    return;
-
-  if (key_type)
-    *key_type = tbl->tbl_key_type;
-  if (val_type)
-    *val_type = tbl->tbl_val_type;
-}
-
-
-BroSet *
-bro_set_new(void)
-{
-  BroSet *result;
-
-  D_ENTER;
-  result = (BroSet*) __bro_table_new();
-  D_RETURN_(result);
-}
-
-void
-bro_set_free(BroSet *set)
-{
-  D_ENTER;
-  __bro_table_free((BroTable*) set);
-  D_RETURN;
-}
-
-int
-bro_set_insert(BroSet *set, int type, const void *val)
-{
-  int result;
-
-  D_ENTER;
-  
-  result = bro_table_insert((BroTable*) set,
-			    type, val,
-			    BRO_TYPE_UNKNOWN, NULL);
-  
-  D_RETURN_(result);
-}
-
-int
-bro_set_find(BroSet *set, const void *key)
-{
-  int result;
-
-  D_ENTER;
-  result = (bro_table_find((BroTable*) set, key) != NULL);
-  D_RETURN_(result);
-}
-
-int
-bro_set_get_size(BroSet *set)
-{
-  int result;
-
-  D_ENTER;
-  result = __bro_table_get_size((BroTable*) set);
-  D_RETURN_(result);
-}
-
-typedef struct bro_set_cb_data
-{ 
-  void *user_data;
-  BroSetCallback cb;
-} BroSetCBData;
-
-static int
-bro_set_foreach_cb(void *key, void *val, BroSetCBData *data)
-{
-  return data->cb(key, data->user_data);
-}
-
-void
-bro_set_foreach(BroSet *set,
-		BroSetCallback cb,
-		void *user_data)
-{
-  BroSetCBData data;
-
-  D_ENTER;
-  
-  data.user_data = user_data;
-  data.cb = cb;
-
-  bro_table_foreach((BroTable*) set,
-		    (BroTableCallback) bro_set_foreach_cb,
-		    &data);
-  
-  D_RETURN;
-}
-
-void
-bro_set_get_type(BroSet *set, int *type)
-{
-  return bro_table_get_types((BroTable*) set, type, NULL);
-}
-
-/* ------------------------------ Strings ---------------------------- */
-
-void
-bro_string_init(BroString *bs)
-{
-  if (! bs)
-    return;
-
-  memset(bs, 0, sizeof(BroString));
-}
-
-
-int
-bro_string_set(BroString *bs, const char *s)
-{
-  if (! bs || !s)
-    return FALSE;
-  
-  return bro_string_set_data(bs, (const uchar *) s, strlen(s));
-}
-
-
-int
-bro_string_set_data(BroString *bs, const uchar *data, int data_len)
-{
-  uchar *data_copy;
-  
-  if (! bs || !data || data_len < 0)
-    return FALSE;
-  
-  if (! (data_copy = malloc(data_len + 1)))
-    return FALSE;
-  
-  memcpy(data_copy, data, data_len);
-  data_copy[data_len] = '\0';
-  
-  bs->str_len = data_len;
-  bs->str_val = data_copy;
-
-  return TRUE;
-}
-
-
-const uchar   *
-bro_string_get_data(const BroString *bs)
-{
-  return bs ? bs->str_val : NULL;
-}
-
-
-uint32
-bro_string_get_length(const BroString *bs)
-{
-  return bs ? bs->str_len : 0;
-}
-
-
-BroString *
-bro_string_copy(BroString *bs)
-{
-  BroString *result;
-
-  if (! bs)
-    return NULL;
-
-  if (! (result = calloc(1, sizeof(BroString))))
-    return NULL;
-
-  bro_string_assign(bs, result);
-  return result;
-}
-
-
-void
-bro_string_assign(BroString *src, BroString *dst)
-{
-  if (! src || ! dst)
-    return;
-
-  bro_string_cleanup(dst);
-  dst->str_len = src->str_len;
-
-  if (! (dst->str_val = malloc(dst->str_len + 1)))
-    {
-      D(("Out of memory.\n"));
-      dst->str_len = 0;
-      return;
-    }
-
-  memcpy(dst->str_val, src->str_val, dst->str_len);
-  dst->str_val[dst->str_len] = '\0';
-}
-
-
-void
-bro_string_cleanup(BroString *bs)
-{
-  if (! bs)
-    return;
-
-  if (bs->str_val)
-    free(bs->str_val);
-
-  memset(bs, 0, sizeof(BroString));
-}
-
-
-void
-bro_string_free(BroString *bs)
-{
-  if (! bs)
-    return;
-
-  bro_string_cleanup(bs);
-  free(bs);
-}
-
-/* ----------------------- Pcap Packet Handling ---------------------- */
-#ifdef BRO_PCAP_SUPPORT
-
-void
-bro_conn_set_packet_ctxt(BroConn *bc, int link_type)
-{
-  if (! bc)
-    return;
-
-  bc->pcap_link_type = link_type;
-}
-
-
-void
-bro_conn_get_packet_ctxt(BroConn *bc, int *link_type)
-{
-  if (! bc)
-    return;
-
-  if (link_type)
-    *link_type = bc->pcap_link_type;
-}
-
-
-BroPacket *
-bro_packet_new(const struct pcap_pkthdr *hdr, const u_char *data, const char *tag)
-{
-  BroPacket *packet;
-
-  if (! hdr || ! data)
-    return NULL;
-
-  if (! (packet = calloc(1, sizeof(BroPacket))))
-    return NULL;
- 
-  packet->pkt_pcap_hdr = *hdr;
-  packet->pkt_tag = strdup(tag ? tag : "");
-
-  if (! (packet->pkt_data = malloc(hdr->caplen)))
-    {
-      free(packet);
-      return NULL;
-    }
-
-  memcpy((u_char *) packet->pkt_data, data, hdr->caplen);
-  return packet;
-}
-
-
-BroPacket *
-bro_packet_clone(const BroPacket *src)
-{
-  BroPacket *dst;
-  
-  if (! (dst = calloc(1, sizeof(BroPacket))))
-    return NULL;
-  
-  if (! __bro_packet_clone(dst, src))
-    {
-      bro_packet_free(dst);
-      return NULL;
-    }
-
-  return dst;
-}
-
-
-void
-bro_packet_free(BroPacket *packet)
-{
-  if (! packet)
-    return;
-
-  if (packet->pkt_data)
-    free((u_char *) packet->pkt_data);
-
-  if (packet->pkt_tag)
-    free((u_char *) packet->pkt_tag);
-
-  free(packet);
-}
-
-int
-bro_packet_send(BroConn *bc, BroPacket *packet)
-{
-  if (! bc || ! packet)
-    {
-      D(("Invalid input.\n"));
-      return FALSE;
-    }
-
-  return __bro_io_packet_queue(bc, packet);
-}
-
-#endif
-
-/* --------------------------- Miscellaneous ------------------------- */
-
-double
-bro_util_current_time(void)
-{
-  return __bro_util_get_time();
-}
-
-
-double 
-bro_util_timeval_to_double(const struct timeval *tv)
-{
-  return __bro_util_timeval_to_double(tv);
-}
-
-
-
diff --git a/aux/broccoli/src/bro_attr.c b/aux/broccoli/src/bro_attr.c
deleted file mode 100644
index ad92dfe622..0000000000
--- a/aux/broccoli/src/bro_attr.c
+++ /dev/null
@@ -1,132 +0,0 @@
-/*
-       B R O C C O L I  --  The Bro Client Communications Library
-
-Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to
-deal in the Software without restriction, including without limitation the
-rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-sell copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies of the Software and its documentation and acknowledgment shall be
-given in the documentation and software packages that this Software was
-used.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
-THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-*/
-#if HAVE_CONFIG_H
-# include <config.h>
-#endif
-
-#include <string.h>
-#include <unistd.h>
-#include <errno.h>
-#include <sys/time.h>
-
-#ifdef __EMX__
-#include <strings.h>
-#endif 
-
-#include <bro_types.h>
-#include <bro_val.h>
-#include <bro_debug.h>
-#include <bro_attr.h>
-
-
-BroAttr *
-__bro_attr_new(void)
-{
-  BroAttr *attr;
-
-  D_ENTER;
-  
-  if (! (attr = calloc(1, sizeof(BroAttr))))
-    D_RETURN_(NULL);
-  
-  D_RETURN_(attr);
-}
-
-
-BroAttr *
-__bro_attr_copy(BroAttr *attr)
-{
-  BroAttr *copy;
-
-  D_ENTER;
-
-  if (! (copy = __bro_attr_new()))
-    D_RETURN_(NULL);
-
-  if (! attr)
-    D_RETURN_(NULL);
-
-  copy->tag = attr->tag;
-  
-  /* FIXME copy->expr = __bro_sobject_copy((BroSObject *) attr->expr); */
-  
-  D_RETURN_(copy);
-}
-
-
-void
-__bro_attr_free(BroAttr *attr)
-{
-  D_ENTER;
-
-  /* FIXME __bro_expr_free(attr->expr); */
-  free(attr);
-
-  D_RETURN;
-}
-
-
-int
-__bro_attr_read(BroAttr *attr, BroConn *bc)
-{
-  char opt;
-
-  D_ENTER;
-  
-  if (! __bro_buf_read_char(bc->rx_buf, &opt))
-    D_RETURN_(FALSE);
-  if (opt)
-    {
-      /* FIXME
-      if (attr->expr)
-	__bro_expr_free(attr->expr);
-      if (! (attr->expr = (BroExpr *) __bro_sobject_unserialize(SER_IS_EXPR, buf)))
-	D_RETURN_(FALSE);
-      */
-    }
-  
-  if (! __bro_buf_read_char(bc->rx_buf, &attr->tag))
-    D_RETURN_(FALSE);
-  
-  D_RETURN_(TRUE);
-}
-
-
-int
-__bro_attr_write(BroAttr *attr, BroConn *bc)
-{
-  D_ENTER;
-  
-  if (! __bro_buf_write_char(bc->tx_buf, attr->expr ? 1 : 0))
-    D_RETURN_(FALSE);
-  if (attr->expr && ! __bro_sobject_serialize((BroSObject *) attr->expr, bc))
-    D_RETURN_(FALSE);
-  
-  if (! __bro_buf_write_char(bc->tx_buf, attr->tag))
-    D_RETURN_(FALSE);
-  
-  D_RETURN_(TRUE);
-}
diff --git a/aux/broccoli/src/bro_attr.h b/aux/broccoli/src/bro_attr.h
deleted file mode 100644
index b82756ee03..0000000000
--- a/aux/broccoli/src/bro_attr.h
+++ /dev/null
@@ -1,74 +0,0 @@
-/*
-       B R O C C O L I  --  The Bro Client Communications Library
-
-Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to
-deal in the Software without restriction, including without limitation the
-rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-sell copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies of the Software and its documentation and acknowledgment shall be
-given in the documentation and software packages that this Software was
-used.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
-THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-*/
-#ifndef broccoli_attr_h
-#define broccoli_attr_h
-
-#include <bro_object.h>
-
-/* Definitions of attribute type identifiers.
- * They must match the values of attr_tag in Bro's Attrs.h.
- */
-#define BRO_ATTR_OPTIONAL          0
-#define BRO_ATTR_DEFAULT           1
-#define BRO_ATTR_REDEF             2
-#define BRO_ATTR_ROTATE_INTERVAL   3
-#define BRO_ATTR_ROTATE_SIZE       4
-#define BRO_ATTR_ADD_FUNC          5
-#define BRO_ATTR_DEL_FUNC          6
-#define BRO_ATTR_EXPIRE_FUNC       7
-#define BRO_ATTR_EXPIRE_READ       8
-#define BRO_ATTR_EXPIRE_WRITE      9
-#define BRO_ATTR_EXPIRE_CREATE    10
-#define BRO_ATTR_PERSISTENT       11
-#define BRO_ATTR_SYNCHRONIZED     12
-#define BRO_ATTR_POSTPROCESSOR    13
-#define BRO_ATTR_ENCRYPT          14
-#define BRO_ATTR_MATCH            15
-
-typedef struct bro_expr
-{
-} BroExpr;
-
-/* NOTE: these attributes do *not* follow the inheritance approach,
- * unlike the attributes in Bro. This is because they're not currently
- * using the serialization framework like the rest of the Bro objects,
- * and all we need for Broccoli purposes is a (non-inherited) simple
- * way to read and write an attribute.
- */
-typedef struct bro_attr
-{
-  char             tag;
-  BroExpr         *expr;
-} BroAttr;
-
-BroAttr         *__bro_attr_new(void);
-BroAttr         *__bro_attr_copy(BroAttr *attr);
-void             __bro_attr_free(BroAttr *attr);
-
-int              __bro_attr_read(BroAttr *attr, BroConn *bc);
-int              __bro_attr_write(BroAttr *attr, BroConn *bc);
-
-#endif
diff --git a/aux/broccoli/src/bro_attrs.c b/aux/broccoli/src/bro_attrs.c
deleted file mode 100644
index 8ec4aafc96..0000000000
--- a/aux/broccoli/src/bro_attrs.c
+++ /dev/null
@@ -1,258 +0,0 @@
-/*
-       B R O C C O L I  --  The Bro Client Communications Library
-
-Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to
-deal in the Software without restriction, including without limitation the
-rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-sell copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies of the Software and its documentation and acknowledgment shall be
-given in the documentation and software packages that this Software was
-used.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
-THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-*/
-#if HAVE_CONFIG_H
-# include <config.h>
-#endif
-
-#include <string.h>
-#include <unistd.h>
-#include <errno.h>
-#include <sys/time.h>
-
-#ifdef __EMX__
-#include <strings.h>
-#endif 
-
-#include <bro_types.h>
-#include <bro_debug.h>
-#include <bro_attrs.h>
-#include <bro_type.h>
-
-
-BroAttrs         *
-__bro_attrs_new(void)
-{
-  BroAttrs *attrs;
-
-  D_ENTER;
-  
-  if (! (attrs = calloc(1, sizeof(BroAttrs))))
-    D_RETURN_(NULL);
-
-  __bro_attrs_init(attrs);
-  D_RETURN_(attrs);
-}
-
-
-void
-__bro_attrs_init(BroAttrs *attrs)
-{
-  BroSObject *sobj = (BroSObject *) attrs;
-
-  D_ENTER;
-
-  __bro_object_init((BroObject *) attrs);
-
-  sobj->read  = (BroSObjectRead) __bro_attrs_read;
-  sobj->write = (BroSObjectWrite) __bro_attrs_write;
-  sobj->free  = (BroSObjectFree) __bro_attrs_free;
-  sobj->clone = (BroSObjectClone) __bro_attrs_clone;
-  sobj->hash  = (BroSObjectHash) __bro_attrs_hash;
-  sobj->cmp   = (BroSObjectCmp) __bro_attrs_cmp;
-
-  sobj->type_id = SER_ATTRIBUTES;
-
-  D_RETURN;
-}
-
-
-void
-__bro_attrs_free(BroAttrs *attrs)
-{
-  uint32 i;
-
-  D_ENTER;
-
-  __bro_sobject_release((BroSObject *) attrs->type);
-  
-  for (i = 0; i < attrs->num_attrs; i++)
-    __bro_attr_free(attrs->attrs[i]);
-  free(attrs->attrs);
-  
-  __bro_object_free((BroObject *) attrs);
-  D_RETURN;
-}
-
-
-int
-__bro_attrs_read(BroAttrs *attrs, BroConn *bc)
-{
-  uint32 i;
-
-  D_ENTER;
-
-  if (! __bro_object_read((BroObject *) attrs, bc))
-    D_RETURN_(FALSE);
-
-  if (attrs->type)
-    __bro_sobject_release((BroSObject *) attrs->type);
-
-  if (! (attrs->type = (BroType *) __bro_sobject_unserialize(SER_IS_TYPE, bc)))
-    D_RETURN_(FALSE);
-
-  if (attrs->attrs)
-    {
-      for (i = 0; i < attrs->num_attrs; i++)
-	__bro_attr_free(attrs->attrs[i]);
-      free(attrs->attrs);
-    }
-
-  if (! __bro_buf_read_int(bc->rx_buf, &attrs->num_attrs))
-    D_RETURN_(FALSE);
-  
-  if (! (attrs->attrs = calloc(attrs->num_attrs, sizeof(BroAttr*))))
-    D_RETURN_(FALSE);
-  
-  for (i = 0; i < attrs->num_attrs; i++)
-    {
-      BroAttr *attr;
-      
-      if (! (attr = __bro_attr_new()))
-	D_RETURN_(FALSE);
-      
-      if (! __bro_attr_read(attr, bc))
-	D_RETURN_(FALSE);
-      
-      attrs->attrs[i] = attr;
-    }
-  
-  D_RETURN_(TRUE);
-}
-
-
-int
-__bro_attrs_write(BroAttrs *attrs, BroConn *bc)
-{
-  uint32 i;
-  
-  D_ENTER;
-
-  if (! __bro_object_write((BroObject *) attrs, bc))
-    D_RETURN_(FALSE);
-  
-  if (! __bro_sobject_serialize((BroSObject *) attrs->type, bc))
-    D_RETURN_(FALSE);
-  
-  if (! __bro_buf_write_int(bc->tx_buf, attrs->num_attrs))
-    D_RETURN_(FALSE);
-  
-  for (i = 0; i < attrs->num_attrs; i++)
-    {
-      if (! __bro_sobject_serialize((BroSObject *) attrs->attrs[i], bc))
-	D_RETURN_(FALSE);
-    }
-  
-  D_RETURN_(TRUE);
-}
-
-
-int
-__bro_attrs_clone(BroAttrs *dst, BroAttrs *src)
-{
-  uint32 i;
-
-  D_ENTER;
-
-  if (! __bro_object_clone((BroObject *) dst, (BroObject *) src))
-    D_RETURN_(FALSE);
-
-  if (src->type && ! (dst->type = (BroType *) __bro_sobject_copy((BroSObject *) dst->type)))
-    D_RETURN_(FALSE);
-
-  if (dst->attrs)
-    {
-      for (i = 0; i < dst->num_attrs; i++)
-	__bro_attr_free(dst->attrs[i]);
-      free(dst->attrs);
-    }
-
-  dst->num_attrs = src->num_attrs;
-
-  if (! (dst->attrs = calloc(dst->num_attrs, sizeof(BroAttr *))))
-    D_RETURN_(FALSE);
-  
-  for (i = 0; i < dst->num_attrs; i++)
-    {
-      if (! (dst->attrs[i] = __bro_attr_copy(src->attrs[i])))
-	D_RETURN_(FALSE);
-    }
-  
-  D_RETURN_(TRUE);
-}
-
-uint32
-__bro_attrs_hash(BroAttrs *attrs)
-{
-  uint32 result, i, shift;
-
-  D_ENTER;
-
-  if (! attrs)
-    D_RETURN_(0);
-
-  result = __bro_sobject_hash((BroSObject*) attrs->type) ^ attrs->num_attrs;
-  
-  /* Cycle through the attributes and XOR their tags, also
-   * cycling through a shifting regime shifting by 0, 8, 16,
-   * 24, 0, etc.
-   */
-  for (i = 0, shift = 0; i < attrs->num_attrs; i++, shift += 8)
-    {
-      uint32 val;
-
-      if (shift > 24)
-	shift = 0;
-      
-      val = (uint32) attrs->attrs[i]->tag;
-      result ^= val << shift;
-    }
-  
-  D_RETURN_(result);
-}
-
-int
-__bro_attrs_cmp(BroAttrs *attrs1, BroAttrs *attrs2)
-{
-  uint32 i, j;
-  
-  D_ENTER;
-  
-  if (! __bro_sobject_cmp((BroSObject*) attrs1->type, (BroSObject*) attrs2->type))
-    D_RETURN_(FALSE);
-  
-  if (attrs1->num_attrs != attrs2->num_attrs)
-    D_RETURN_(FALSE);
-  
-  for (i = 0, j = 0; i < attrs1->num_attrs && attrs2->num_attrs;
-       i++, j++)
-    {
-      if (attrs1->attrs[i]->tag != attrs2->attrs[j]->tag)
-	D_RETURN_(FALSE);
-    }
-  
-  D_RETURN_(TRUE);
-}
-
diff --git a/aux/broccoli/src/bro_attrs.h b/aux/broccoli/src/bro_attrs.h
deleted file mode 100644
index 4c221ce613..0000000000
--- a/aux/broccoli/src/bro_attrs.h
+++ /dev/null
@@ -1,51 +0,0 @@
-/*
-       B R O C C O L I  --  The Bro Client Communications Library
-
-Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to
-deal in the Software without restriction, including without limitation the
-rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-sell copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies of the Software and its documentation and acknowledgment shall be
-given in the documentation and software packages that this Software was
-used.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
-THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-*/
-#ifndef broccoli_attrs_h
-#define broccoli_attrs_h
-
-#include <bro_types.h>
-#include <bro_attr.h>
-
-typedef struct bro_attrs
-{
-  BroObject        object;
-
-  BroType         *type;
-  uint32           num_attrs;
-  BroAttr        **attrs;
-} BroAttrs;
-
-BroAttrs        *__bro_attrs_new(void);
-void             __bro_attrs_init(BroAttrs *attrs);
-void             __bro_attrs_free(BroAttrs *attrs);
-
-int              __bro_attrs_read(BroAttrs *attrs, BroConn *bc);
-int              __bro_attrs_write(BroAttrs *attrs, BroConn *bc);
-int              __bro_attrs_clone(BroAttrs *dst, BroAttrs *src);
-uint32           __bro_attrs_hash(BroAttrs *attrs);
-int              __bro_attrs_cmp(BroAttrs *attrs1, BroAttrs *attrs2);
-
-#endif
diff --git a/aux/broccoli/src/bro_buf.c b/aux/broccoli/src/bro_buf.c
deleted file mode 100644
index 4d89f108ea..0000000000
--- a/aux/broccoli/src/bro_buf.c
+++ /dev/null
@@ -1,588 +0,0 @@
-/*
-       B R O C C O L I  --  The Bro Client Communications Library
-
-Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to
-deal in the Software without restriction, including without limitation the
-rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-sell copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies of the Software and its documentation and acknowledgment shall be
-given in the documentation and software packages that this Software was
-used.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
-THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-*/
-#if HAVE_CONFIG_H
-# include <config.h>
-#endif
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <sys/types.h>
-#include <string.h>
-#include <unistd.h>
-#include <errno.h>
-
-#ifdef __EMX__
-#include <strings.h>
-#endif 
-
-#include <bro_buf.h>
-#include <bro_types.h>
-#include <bro_debug.h>
-#include <bro_util.h>
-
-#define BRO_BUF_DEFAULT   4096
-
-#ifdef BRO_DEBUG
-
-/* Use this to get detailed output of what is read --
- * useful for debugging serialization format bugs.
- */
-#define DEBUG_READS
-
-#endif
-
-#ifndef DEBUG_READS
-#  define D(x)
-#endif
-
-BroBuf *
-__bro_buf_new(void)
-{
-  BroBuf *buf;
-
-  if (! (buf = calloc(1, sizeof(BroBuf))))
-    return NULL;
-
-  __bro_buf_init(buf);
-  buf->may_grow = TRUE;
-
-  return buf;
-}
-
-BroBuf *
-__bro_buf_new_mem(u_char *mem, int mem_size)
-{
-  BroBuf *buf;
-
-  if (! mem)
-    {
-      D(("Input error.\n"));
-      return NULL;
-    }
-
-  if ((size_t) mem_size < sizeof(BroBuf) + BRO_BUF_DEFAULT)
-    {
-      D(("Given memory chunk of size %i is not big enough, need at least %i\n",
-	 mem_size, sizeof(BroBuf) + BRO_BUF_DEFAULT));
-      return NULL;
-    }
-
-  buf = (BroBuf *) mem;
-  memset(buf, 0, sizeof(BroBuf));
-
-  buf->buf = mem + sizeof(BroBuf);
-  buf->buf_len = mem_size - sizeof(BroBuf);
-  buf->may_grow = FALSE;
-
-  return buf;
-}
-
-
-void
-__bro_buf_free(BroBuf *buf)
-{
-  if (! buf)
-    return;
-  
-  __bro_buf_cleanup(buf);
-  free(buf);
-}
-
-void
-__bro_buf_init(BroBuf *buf)
-{
-  D_ENTER;
-
-  if (!buf)
-    D_RETURN;
-
-  memset(buf, 0, sizeof(BroBuf));
-  buf->buf = calloc(1, BRO_BUF_DEFAULT);
-  buf->buf_len = BRO_BUF_DEFAULT;
-
-  D_RETURN;
-}
-
-
-void     
-__bro_buf_cleanup(BroBuf *buf)
-{
-  D_ENTER;
-
-  if (!buf)
-    D_RETURN;
-
-  if (buf->buf)
-    free(buf->buf);
-
-  memset(buf, 0, sizeof(BroBuf));
-
-  D_RETURN;
-}
-
-
-int
-__bro_buf_append(BroBuf *buf, void *data, int data_len)
-{
-  if (!buf)
-    return FALSE;
-  
-  if (data_len == 0)
-    return TRUE;
-  
-  if (buf->buf_off + data_len >= buf->buf_len)
-    {
-      uchar *new_buf;
-      
-      if (! buf->may_grow)
-	{
-	  D(("Cannot expand this buffer, sorry.\n"));
-	  return FALSE;
-	}
-      
-      buf->buf_len += MAX(BRO_BUF_DEFAULT, data_len);
-      
-      D(("Reallocating buffer\n"));      
-      if (! (new_buf = realloc(buf->buf, sizeof(uchar) * buf->buf_len)))
-	{
-	  D(("Realloc'ing buffer failed.\n"));
-	  return FALSE;
-	}
-      
-      buf->buf = new_buf;
-    }
-  
-  memcpy(buf->buf + buf->buf_off, data, data_len);
-  buf->buf_off += data_len;
-
-  return TRUE;
-}
-
-
-void
-__bro_buf_consume(BroBuf *buf)
-{
-  if (!buf || buf->buf_ptr == 0)
-    return;
-
-  D(("Consuming %i bytes in buffer.\n", buf->buf_ptr));
-  memmove(buf->buf, buf->buf + buf->buf_ptr, buf->buf_len - buf->buf_ptr);
-  buf->buf_off -= buf->buf_ptr;
-  buf->buf_ptr = 0;
-}
-
-
-void
-__bro_buf_reset(BroBuf *buf)
-{
-  if (! buf)
-    return;
-  
-  buf->buf_off = buf->buf_ptr = 0;
-}
-
-
-uchar *
-__bro_buf_get(BroBuf *buf)
-{
-  if (!buf)
-    return NULL;
-
-  return buf->buf;
-}
-
-uchar *
-__bro_buf_get_end(BroBuf *buf)
-{
-  if (!buf)
-    return NULL;
-
-  return (buf->buf + buf->buf_off);
-}
-
-
-uint     
-__bro_buf_get_size(BroBuf *buf)
-{
-  if (!buf)
-    return 0;
-
-  return buf->buf_len;
-}
-
-
-uint     
-__bro_buf_get_used_size(BroBuf *buf)
-{
-  if (!buf)
-    return 0;
-
-  return buf->buf_off;
-}
-
-
-uchar *
-__bro_buf_ptr_get(BroBuf *buf)
-{
-  if (!buf)
-    return NULL;
-
-  return (buf->buf + buf->buf_ptr);
-}
-
-
-uint32
-__bro_buf_ptr_tell(BroBuf *buf)
-{
-  if (!buf)
-    return 0;
-
-  return buf->buf_ptr;
-}
-
-
-int
-__bro_buf_ptr_seek(BroBuf *buf, int offset, int whence)
-{
-  if (!buf)
-    return FALSE;
-
-  switch (whence)
-    {
-    case SEEK_SET:
-      if (offset >= 0 && (uint32) offset <= buf->buf_off)
-	{
-	  buf->buf_ptr = offset;
-	  return TRUE;
-	}
-      break;
-
-    case SEEK_CUR:
-      if ((int) buf->buf_ptr + offset >= 0 &&
-	  buf->buf_ptr + offset <= buf->buf_off)
-	{
-	  buf->buf_ptr += offset;
-	  return TRUE;
-	}
-      break;
-
-    case SEEK_END:
-      if ((int) buf->buf_off + offset >= 0 &&
-	  buf->buf_off + offset <= buf->buf_off)
-	{
-	  buf->buf_ptr = buf->buf_off + offset;
-	  return TRUE;
-	}
-      break;
-      
-    default:
-      break;
-    }
-
-  return FALSE;
-}
-
-
-int      
-__bro_buf_ptr_check(BroBuf *buf, int size)
-{
-  if (!buf || size < 0)
-    return FALSE;
-
-  if (buf->buf_ptr + size > buf->buf_off)
-    {
-      D(("Checking for %i bytes available, but have only %i\n",
-	 size, buf->buf_off - buf->buf_ptr));
-      return FALSE;
-    }
-
-  return TRUE;
-}
-
-
-int
-__bro_buf_ptr_read(BroBuf *buf, void *data, int size)
-{
-  if (size == 0)
-    return TRUE;
-
-  if (!buf || !data)
-    return FALSE;
-
-  if (! __bro_buf_ptr_check(buf, size))
-    return FALSE;
-
-  memcpy(data, buf->buf + buf->buf_ptr, size);
-  buf->buf_ptr += size;
-
-  return TRUE;
-}
-
-
-int
-__bro_buf_ptr_write(BroBuf *buf, const void *data, int size)
-{
-  if (! buf || size < 0)
-    return FALSE;
-  
-  if (size == 0)
-    return TRUE;
-  
-  if (! data)
-    {
-      D(("Input error -- data length is %i but no data given.\n", size));
-      return FALSE;
-    }
-
-  if (buf->buf_ptr + size >= buf->buf_len)
-    {
-      /* Check how much the requested amount is bigger than
-       * what we have, and add some extra buffering on top of it.
-       */
-      uchar *new_buf;
-      int inc = size - (buf->buf_off - buf->buf_ptr);
-      
-      if (! buf->may_grow)
-	{
-	  D(("Cannot expand this buffer, sorry.\n"));
-	  return FALSE;
-	}
-      
-      D(("Reallocating buffer\n"));      
-
-      if (! (new_buf = realloc(buf->buf, buf->buf_len + inc + BRO_BUF_DEFAULT)))
-	{
-	  D(("Realloc'ing buffer failed.\n"));
-	  return FALSE;
-	}
-      
-      buf->buf_len += inc + BRO_BUF_DEFAULT;
-      buf->buf = new_buf;
-    }
-  
-  memcpy(buf->buf + buf->buf_ptr, data, size);
-  buf->buf_ptr += size;
-  
-  if (buf->buf_off < buf->buf_ptr)
-    buf->buf_off = buf->buf_ptr;
-  
-  return TRUE;
-}
-
-
-
-/* I/O API below ---------------------------------------------------- */
-
-int 
-__bro_buf_read_data(BroBuf *buf, void *dest, int size)
-{
-  return __bro_buf_ptr_read(buf, dest, size);
-}
-
-
-int
-__bro_buf_read_char(BroBuf *buf, char *val)
-{
-  int result;
-  
-  result = __bro_buf_ptr_read(buf, val, sizeof(char));
-  D(("Read char: %i/0x%02x\n", *val, *val));
-  
-  return result;
-}
-
-
-int
-__bro_buf_read_string(BroBuf *buf, BroString *val)
-{
-  if (!buf || !val)
-    return FALSE;
-  
-  bro_string_init(val);
-  
-  if (! __bro_buf_read_int(buf, &val->str_len))
-    return FALSE;
-  
-  /* We create space for the string's length plus one extra byte that
-   * we use as the string terminator so things work with normal C strings.
-   */
-  if (! (val->str_val = malloc(val->str_len + 1)))
-    return FALSE;
-  
-  if (val->str_len > 0)
-    {
-      if (! (__bro_buf_ptr_read(buf, val->str_val, val->str_len)))
-	{
-	  free(val->str_val);
-	  return FALSE;
-	}
-    }
-  
-  /* Terminate the string.
-   */
-  val->str_val[val->str_len] = '\0';
-  
-  D(("Read string: '%s'\n", val->str_val));
-  return TRUE;
-}
-
-
-int
-__bro_buf_read_double(BroBuf *buf, double *d)
-{
-  if (! buf || ! d)
-    return FALSE;
-
-  if (! __bro_buf_ptr_read(buf, d, sizeof(double)))
-    return FALSE;
-  
-  *d = __bro_util_ntohd(*d);
-  D(("Read double: %f\n", *d));
-
-  return TRUE;
-}
-
-
-int
-__bro_buf_read_int(BroBuf *buf, uint32 *i)
-{
-  if (! __bro_buf_ptr_read(buf, i, sizeof(uint32)))
-    return FALSE;
-  
-  *i = ntohl(*i);
-  D(("Read int: %i/0x%08x\n", *i, *i));
-
-  return TRUE;
-}
-
-
-int
-__bro_buf_read_short(BroBuf *buf, uint16 *i)
-{
-  if (! __bro_buf_ptr_read(buf, i, sizeof(uint16)))
-    return FALSE;
-  
-  *i = ntohs(*i);
-  D(("Read short: %i/0x%04x\n", *i, *i));
-
-  return TRUE;
-}
-
-
-int
-__bro_buf_write_data(BroBuf *buf, const void *data, int size)
-{
-  return __bro_buf_ptr_write(buf, data, size);
-}
-
-
-int
-__bro_buf_write_char(BroBuf *buf, char val)
-{
-  int result;
-  
-  result = __bro_buf_ptr_write(buf, &val, sizeof(char));
-  D(("Wrote char: %i/0x%02x\n", val, val));
-  return result;
-}
-
-
-int
-__bro_buf_write_string(BroBuf *buf, BroString *val)
-{
-  int result;
-  BroString tmp_val;
-
-  if (! buf)
-    return FALSE;
-
-  if (! val)
-    {
-      tmp_val.str_val = (uchar*) "";
-      tmp_val.str_len = 0;
-      
-      val = &tmp_val;
-    }
-  
-  if (! (__bro_buf_write_int(buf, val->str_len)))
-    return FALSE;
-  
-  result = __bro_buf_write_data(buf, val->str_val, val->str_len);
-  
-  D(("Wrote string: '%s'\n", val->str_val));
-  return result;
-}
-
-
-int
-__bro_buf_write_double(BroBuf *buf, double d)
-{
-  int result;
-  double d_tmp;
-
-  if (! buf)
-    return FALSE;
-
-  d_tmp = __bro_util_htond(d);
-  result =  __bro_buf_ptr_write(buf, &d_tmp, sizeof(double));
-  D(("Wrote double: %f\n", d));
-
-  return result;
-}
-
-
-int
-__bro_buf_write_int(BroBuf *buf, uint32 i)
-{
-  int result;
-  uint32 i_tmp;
-
-  if (! buf)
-    return FALSE;
-
-  i_tmp = htonl(i);
-  result = __bro_buf_write_data(buf, &i_tmp, sizeof(uint32));
-  D(("Wrote int: %i/0x%08x\n", i, i));
-
-  return result;
-}
-
-
-int
-__bro_buf_write_short(BroBuf *buf, uint16 i)
-{
-  int result;
-  uint16 i_tmp;
-  
-  if (! buf)
-    return FALSE;
-  
-  i_tmp = htons(i);
-  result =__bro_buf_write_data(buf, &i_tmp, sizeof(uint16));
-  D(("Wrote short: %i/0x%04x\n", i, i));
-
-  return result;
-}
diff --git a/aux/broccoli/src/bro_buf.h b/aux/broccoli/src/bro_buf.h
deleted file mode 100644
index e378b9d85d..0000000000
--- a/aux/broccoli/src/bro_buf.h
+++ /dev/null
@@ -1,125 +0,0 @@
-/*
-       B R O C C O L I  --  The Bro Client Communications Library
-
-Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to
-deal in the Software without restriction, including without limitation the
-rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-sell copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies of the Software and its documentation and acknowledgment shall be
-given in the documentation and software packages that this Software was
-used.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
-THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-*/
-#ifndef broccoli_buf_h
-#define broccoli_buf_h
-
-#include <stdio.h>
-#include <broccoli.h>
-
-/*
- * BroBufs are self-allocating, seekable, and read/writable
- * buffers. You can repeatedly append data to the buffer
- * while the buffer makes sure it is large enough to handle
- * the amount requested. A buffer has a content pointer that
- * points to an arbitrary location between the start of the
- * buffer and the first byte after the last byte currently
- * used in the buffer (buf_off). The content pointer can be
- * seeked to arbitrary locations, and data can be copied from
- * the buffer, adjusting the content pointer at the same time.
- *
- * Illustration:
- *
- * <---------------- allocated buffer space ------------>
- * <======== used buffer space ========>
- * ^              ^                    ^               ^                 
- * |              |                    |               |
- * `buf           `buf_ptr             `buf_off        `buf_len
- */
-
-struct bro_buf {
-  uchar       *buf;
-  
-  /* The size of the allocated buffer BUF: */
-  uint32       buf_len;
-
-  /* The first byte in BUF after the ones occupied */
-  uint32       buf_off;
-
-  /* A pointer to a position between the start of BUF
-   * and BUF + BUF_OFF.
-   */
-  uint32       buf_ptr;
-
-  /* Flag that indicates whether or not the allocated buffer
-   * can grow or not. It can't if we require the buffer to
-   * live in a fixed amount of memory.
-   */
-  int          may_grow;
-};
-
-/* See API comments in broccoli.h for details */
-
-BroBuf  *__bro_buf_new(void);
-
-/* Creates a new buffer using a given chunk of memory. We use
- * this for example to allocate a buffer in shared memory.
- */
-BroBuf  *__bro_buf_new_mem(u_char *mem, int mem_size);
-
-void     __bro_buf_free(BroBuf *buf);
-
-/* Initializes an existing buffer structure to default values */
-void     __bro_buf_init(BroBuf *buf);
-void     __bro_buf_cleanup(BroBuf *buf);
-
-int      __bro_buf_append(BroBuf *buf, void *data, int data_len);
-void     __bro_buf_consume(BroBuf *buf);
-void     __bro_buf_reset(BroBuf *buf);
-
-uchar   *__bro_buf_get(BroBuf *buf);
-uchar   *__bro_buf_get_end(BroBuf *buf);
-uint     __bro_buf_get_size(BroBuf *buf);
-uint     __bro_buf_get_used_size(BroBuf *buf);
-uchar   *__bro_buf_ptr_get(BroBuf *buf);
-uint32   __bro_buf_ptr_tell(BroBuf *buf);
-int      __bro_buf_ptr_seek(BroBuf *buf, int offset, int whence);
-int      __bro_buf_ptr_check(BroBuf *buf, int size);
-int      __bro_buf_ptr_read(BroBuf *buf, void *data, int size);
-int      __bro_buf_ptr_write(BroBuf *buf, const void *data, int size);
-
-
-/* Buffer-based I/O API --------------------------------------------- */
-
-/* The read functions read data from the given buffer into the variables
- * pointed to by the arguments, the write functions to the opposite and
- * write the passed-in parameters into the given buffers.
- */
-
-int      __bro_buf_read_data(BroBuf *buf, void *dest, int size);
-int      __bro_buf_read_char(BroBuf *buf, char *val);
-int      __bro_buf_read_string(BroBuf *buf, BroString *val);
-int      __bro_buf_read_double(BroBuf *buf, double *d);
-int      __bro_buf_read_int(BroBuf *buf, uint32 *i);
-int      __bro_buf_read_short(BroBuf *buf, uint16 *i);
-
-int      __bro_buf_write_data(BroBuf *buf, const void *data, int size);
-int      __bro_buf_write_char(BroBuf *buf, char val);
-int      __bro_buf_write_string(BroBuf *buf, BroString *val);
-int      __bro_buf_write_double(BroBuf *buf, double d);
-int      __bro_buf_write_int(BroBuf *buf, uint32 i);
-int      __bro_buf_write_short(BroBuf *buf, uint16 i);
-
-#endif
diff --git a/aux/broccoli/src/bro_config.c b/aux/broccoli/src/bro_config.c
deleted file mode 100644
index 3edd6abc12..0000000000
--- a/aux/broccoli/src/bro_config.c
+++ /dev/null
@@ -1,492 +0,0 @@
-/*
-       B R O C C O L I  --  The Bro Client Communications Library
-
-Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to
-deal in the Software without restriction, including without limitation the
-rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-sell copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies of the Software and its documentation and acknowledgment shall be
-given in the documentation and software packages that this Software was
-used.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
-THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-*/
-#if HAVE_CONFIG_H
-# include <config.h>
-#endif
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <unistd.h>
-#include <errno.h>
-#include <pwd.h>
-#include <sys/param.h>
-#include <ctype.h>
-
-#ifdef __EMX__
-#include <strings.h>
-#endif 
-
-#include <bro_types.h>
-#include <bro_hashtable.h>
-#include <bro_debug.h>
-#include <bro_config.h>
-
-typedef enum {
-  BRO_CONF_INT,
-  BRO_CONF_DBL,
-  BRO_CONF_STR,
-  BRO_CONF_NET,
-  BRO_CONF_ERR
-} BroConfType;
-
-typedef struct bro_conf_it
-{
-  char        *ci_name;
-  BroConfType  ci_type;
-  
-  union {
-    int             ci_int;
-    double          ci_dbl;
-    char           *ci_str;
-  } ci_val;
-  
-#define ci_int ci_val.ci_int
-#define ci_dbl ci_val.ci_dbl
-#define ci_str ci_val.ci_str
-
-} BroConfIt;
-
-
-static char *config_file = BRO_SYSCONF_FILE;
-
-/* The name of the current domain, may be NULL. */
-static char  *cur_dom;
-
-/* The default domain's configuration, used when cur_dom == NULL. */
-static BroHT *default_conf;
-
-/* While parsing the configuration, we switch from domain to domain
- * as contained in the file, but leave the user's currently selected
- * domain unaffected. We point to the current domain while parsing
- * using parsing_conf, which by default is the same as default_conf.
- */
-static BroHT *parsing_conf;
-
-/* A hashtable of hashtables, indexed by domain names. The inner
- * hash tables contain BroConfIt items, indexed by strings.
- */
-static BroHT *dom_conf;
-
-extern int __bro_parse_config(const char *filename);
-
-
-static BroConfIt *
-conf_item_new(const char *name, BroConfType type, void *val)
-{
-  BroConfIt *ci;
-
-  if (! (ci = calloc(1, sizeof(BroConfIt))))
-    return NULL;
-
-  ci->ci_name = strdup(name);
-  ci->ci_type = type;
-
-  switch (type)
-    {
-    case BRO_CONF_INT:
-      ci->ci_int = *((int*) val);
-      break;
-
-    case BRO_CONF_DBL:
-      ci->ci_dbl = *((double*) val);
-      break;
-
-    case BRO_CONF_STR:
-      ci->ci_str = strdup((char *) val);
-      break;
-
-    default:
-      free(ci);
-      return NULL;
-    }
-
-  return ci;
-}
-
-static void
-conf_item_free(BroConfIt *ci)
-{
-  if (!ci)
-    return;
-
-  if (ci->ci_name)
-    free(ci->ci_name);
-  
-  if (ci->ci_type == BRO_CONF_STR)
-    {
-      memset(ci->ci_str, 0, strlen(ci->ci_str));
-      free(ci->ci_str);
-      ci->ci_str = NULL;
-    }
-  
-  free(ci);
-}
-
-static int
-conf_permissions_ok(struct stat *st)
-{
-  /* We consider the file okay if it is not a link, only
-   * the owner can read it, and the current user can open it.
-   */
-  if (S_ISREG(st->st_mode)      &&  /* regular file  */
-      (st->st_mode & S_IRUSR)   &&  /* user-readable */
-      ! (st->st_mode & S_IXUSR) &&  /* not user-exec'able (paranoia) */
-      ! (st->st_mode & S_IRWXG) &&  /* no group permissions */
-      ! (st->st_mode & S_IRWXO))    /* no other permissions */
-    {
-      if (st->st_uid == geteuid())
-	return TRUE;
-    }      
-  
-  fprintf(stderr, "Insufficient permissions for reading ~/.broccoli.conf.\n");
-  fprintf(stderr, "NOTE: ~/.broccoli.conf must be regular file and -rw-------\n");
-  return FALSE;
-}
-
-static char *
-get_passwd_home(void)
-{
-#if defined(HAVE_GETEUID) && defined(HAVE_GETPWUID)
-  struct passwd *passwd;
-  uid_t uid = geteuid();
-
-  if ( (passwd = getpwuid(uid)))
-    {
-      D(("Getting home directory from user %u's passwd entry: %s.\n", uid, passwd->pw_dir)); 
-      return strdup(passwd->pw_dir);
-    }
-#endif
-
-  return NULL;
-}
-
-
-void
-__bro_conf_init(void)
-{
-  static int deja_vu = FALSE;
-  struct stat st;    
-  char *pwd_home = NULL;
-  char home_config[MAXPATHLEN];
-  char home_config2[MAXPATHLEN];
-  int try_env = TRUE, debug_messages, debug_calltrace;
-
-  if (deja_vu)
-    return;
-
-  home_config[0] = '\0';
-  home_config2[0] = '\0';
-
-  parsing_conf = default_conf = __bro_ht_new(__bro_ht_str_hash,
-					     __bro_ht_str_cmp,
-					     NULL,
-					     (BroHTFreeFunc)conf_item_free,
-					     FALSE);
-  
-  dom_conf = __bro_ht_new(__bro_ht_str_hash,
-			  __bro_ht_str_cmp,
-			  __bro_ht_mem_free,
-			  (BroHTFreeFunc)__bro_ht_free,
-			  FALSE);
-  
-  /* Now figure out what config file to read: if the user
-   * has a ~/.broccoli.conf, use that, otherwise use the
-   * global one. We first try via the passwd entry, then
-   * fall back to using $HOME.
-   */
-  if ( (pwd_home = get_passwd_home()))
-    {
-      __bro_util_snprintf(home_config, MAXPATHLEN, "%s/.broccoli.conf", pwd_home);      
-      free(pwd_home);
-
-      if (stat(home_config, &st) == 0 && conf_permissions_ok(&st))
-	{
-	  config_file = strdup(home_config);
-	  try_env = FALSE;
-	}	
-    }
-  
-  if (try_env)
-    {
-      __bro_util_snprintf(home_config2, MAXPATHLEN, "%s/.broccoli.conf", getenv("HOME"));
-      
-      /* Only check this variant if it didn't yield the same file as the
-       * pwd-based filename.
-       */
-      if (strcmp(home_config, home_config2) &&
-	  stat(home_config2, &st) == 0 && conf_permissions_ok(&st))
-	config_file = strdup(home_config2);
-    }
-  
-  __bro_parse_config(config_file);
-  deja_vu = TRUE;
-
-  /* Read out debugging verbosity settings and assign if found. */
-  if (__bro_conf_get_int("/broccoli/debug_messages", &debug_messages))
-    bro_debug_messages = debug_messages;
-  if (__bro_conf_get_int("/broccoli/debug_calltrace", &debug_calltrace))
-    bro_debug_calltrace = debug_calltrace;
-  
-}
-
-static BroHT *
-assert_domain(void)
-{
-  BroHT *conf = default_conf;
-
-  D(("Selecting configuration domain, name is %s\n", cur_dom));
-
-  if (cur_dom && ! (conf = (BroHT *)  __bro_ht_get(dom_conf, cur_dom)))
-    {
-      D(("Allocating domain '%s'\n", cur_dom));
-      
-      conf = __bro_ht_new(__bro_ht_str_hash,
-			  __bro_ht_str_cmp,
-			  NULL,
-			  (BroHTFreeFunc)conf_item_free,
-			  FALSE);
-      
-      __bro_ht_add(dom_conf, strdup(cur_dom), conf);
-    }
-  
-  return conf;
-}
-
-
-void
-__bro_conf_set_domain(const char *new_domain)
-{
-  /* First reset to the default domain */
-  if (cur_dom)
-    free(cur_dom);
-  cur_dom = NULL;
-  
-  /* Then if given, switch to the new one. */
-  if (new_domain && *new_domain)
-    {
-      char *str;
-
-      str = cur_dom = strdup(new_domain);
-
-      while (*str != '\0')
-	{
-	  *str = tolower(*str);
-	  str++;
-	}
-      
-      D(("Configuration domain set to '%s'\n", cur_dom));
-    }
-}
-
-
-void
-__bro_conf_set_storage_domain(const char *storage_domain)
-{
-  if (! storage_domain || ! *storage_domain)
-    {
-      parsing_conf = default_conf;
-      return;
-    }
-
-  if (! (parsing_conf = (BroHT *)  __bro_ht_get(dom_conf, storage_domain)))
-    {
-      D(("Allocating domain '%s'\n", storage_domain));
-      
-      parsing_conf = __bro_ht_new(__bro_ht_str_hash,
-				  __bro_ht_str_cmp,
-				  NULL,
-				  (BroHTFreeFunc)conf_item_free,
-				  FALSE);
-      
-      __bro_ht_add(dom_conf, strdup(storage_domain), parsing_conf);
-    }
-}
-
-
-const char   *
-__bro_conf_get_domain(void)
-{
-  return cur_dom;
-}
-
-
-void
-__bro_conf_add_int(const char *val_name, int val)
-{
-  BroConfIt *ci;
-
-  if (! (ci = conf_item_new(val_name, BRO_CONF_INT, &val)))
-    return;
-
-  __bro_ht_add(parsing_conf, ci->ci_name, ci);
-}
-
-
-void
-__bro_conf_add_dbl(const char *val_name, double val)
-{
-  BroConfIt *ci;
-
-  if (! (ci = conf_item_new(val_name, BRO_CONF_DBL, &val)))
-    return;
-
-  __bro_ht_add(parsing_conf, ci->ci_name, ci);
-}
-
-
-void
-__bro_conf_add_str(const char *val_name, char *val)
-{
-  BroConfIt *ci;
-
-  if (! (ci = conf_item_new(val_name, BRO_CONF_STR, val)))
-    return;
-
-  __bro_ht_add(parsing_conf, ci->ci_name, ci);
-}
-
-
-int
-__bro_conf_get_int(const char *val_name, int *val)
-{
-  BroConfIt *ci;
-  BroHT *conf;
-
-  __bro_conf_init();
-  conf = assert_domain();
-
-  do {
-    if (! (ci = __bro_ht_get(conf, (void*) val_name)))
-      break;    
-    if (ci->ci_type != BRO_CONF_INT)
-      break;
-
-    *val = ci->ci_int;
-    return TRUE;
-
-  } while (0);
-
-  do {
-    if (! (ci = __bro_ht_get(default_conf, (void*) val_name)))
-      break;   
-    if (ci->ci_type != BRO_CONF_INT)
-      break;
-
-    *val = ci->ci_int;
-    return TRUE;
-
-  } while (0);
-
-  return FALSE;
-}
-
-
-int
-__bro_conf_get_dbl(const char *val_name, double *val)
-{
-  BroConfIt *ci;
-  BroHT *conf;
-
-  __bro_conf_init();
-  conf = assert_domain();
-
-  do {
-    if (! (ci = __bro_ht_get(conf, (void*) val_name)))
-      break;
-    if (ci->ci_type != BRO_CONF_DBL)
-      break;
-
-    *val = ci->ci_dbl;
-    return TRUE;
-  } while (0);
-
-  do {
-    if (! (ci = __bro_ht_get(default_conf, (void*) val_name)))
-      break;
-    if (ci->ci_type != BRO_CONF_DBL)
-      break;
-
-    *val = ci->ci_dbl;
-    return TRUE;
-  } while (0);
-
-  return FALSE;
-}
-
-
-const char *  
-__bro_conf_get_str(const char *val_name)
-{
-  BroConfIt *ci;
-  BroHT *conf;
-
-  __bro_conf_init();
-  conf = assert_domain();
-
-  do {
-    if (! (ci = __bro_ht_get(conf, (void*) val_name)))
-      break;
-    if (ci->ci_type != BRO_CONF_STR)
-      break;
-    
-    return ci->ci_str;
-  } while (0);
-
-  do {
-    if (! (ci = __bro_ht_get(default_conf, (void*) val_name)))
-      break;
-    if (ci->ci_type != BRO_CONF_STR)
-      break;
-    
-    return ci->ci_str;
-  } while (0);
-  
-  return NULL;
-}
-
-
-int
-__bro_conf_forget_item(const char *val_name)
-{
-  BroConfIt *ci;
-  BroHT *conf;
-
-  __bro_conf_init();
-  conf = assert_domain();
-
-  if (! (ci = __bro_ht_del(conf, (void*) val_name)))
-    {
-      if (! (ci = __bro_ht_del(default_conf, (void*) val_name)))
-	return FALSE;
-    }
-
-  conf_item_free(ci);
-  return TRUE;
-}
-
diff --git a/aux/broccoli/src/bro_config.h b/aux/broccoli/src/bro_config.h
deleted file mode 100644
index 91f22c1336..0000000000
--- a/aux/broccoli/src/bro_config.h
+++ /dev/null
@@ -1,44 +0,0 @@
-/*
-       B R O C C O L I  --  The Bro Client Communications Library
-
-Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to
-deal in the Software without restriction, including without limitation the
-rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-sell copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies of the Software and its documentation and acknowledgment shall be
-given in the documentation and software packages that this Software was
-used.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
-THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-*/
-#ifndef broccoli_config_h
-#define broccoli_config_h
-
-void          __bro_conf_init(void);
-void          __bro_conf_set_domain(const char *domain);
-void          __bro_conf_set_storage_domain(const char *domain);
-const char   *__bro_conf_get_domain(void);
-
-void          __bro_conf_add_int(const char *val_name, int val);
-void          __bro_conf_add_dbl(const char *val_name, double val);
-void          __bro_conf_add_str(const char *val_name, char *val);
-
-int           __bro_conf_get_int(const char *val_name, int *val);
-int           __bro_conf_get_dbl(const char *val_name, double *val);
-const char *  __bro_conf_get_str(const char *val_name);
-
-int           __bro_conf_forget_item(const char *val_name);
-
-#endif
diff --git a/aux/broccoli/src/bro_debug.c b/aux/broccoli/src/bro_debug.c
deleted file mode 100644
index d5162268e8..0000000000
--- a/aux/broccoli/src/bro_debug.c
+++ /dev/null
@@ -1,90 +0,0 @@
-/*
-       B R O C C O L I  --  The Bro Client Communications Library
-
-Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to
-deal in the Software without restriction, including without limitation the
-rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-sell copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies of the Software and its documentation and acknowledgment shall be
-given in the documentation and software packages that this Software was
-used.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
-THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-*/
-#ifdef HAVE_CONFIG_H
-#  include <config.h>
-#endif
-
-#include <stdio.h>
-#include <stdarg.h>
-
-#include <bro_debug.h>
-#include <bro_util.h>
-
-int bro_debug_calltrace = 0;
-int bro_debug_messages  = 0;
-
-static int calldepth = 0;
-
-static void 
-debug_whitespace(void)
-{
-  int i;
-  
-  for (i = 0; i < 2*calldepth; i++)
-    fprintf(stderr, "-");
-}
-
-
-void
-bro_debug(const char *fmt, ...)
-{
-  va_list argp;
-
-  if (bro_debug_messages)
-    {
-      va_start(argp, fmt);
-      vfprintf(stderr, fmt, argp);
-      va_end(argp);
-    }
-}
-
-
-void
-bro_debug_enter(const char *function, int line)
-{
-  if (! bro_debug_calltrace)
-    return;
-
-  fprintf(stderr, "%u ", getpid());
-  calldepth++;
-  debug_whitespace();
-  fprintf(stderr, "> %s(%i)\n", function, line);
-}
-
-
-void
-bro_debug_return(const char *function, int line)
-{
-  if (! bro_debug_calltrace)
-    return;
-
-  fprintf(stderr, "%u <", getpid());
-  debug_whitespace();
-  fprintf(stderr, " %s(%i)\n", function, line);
-  
-  if (--calldepth < 0)
-    calldepth = 0;
-}
diff --git a/aux/broccoli/src/bro_debug.h b/aux/broccoli/src/bro_debug.h
deleted file mode 100644
index cc60f5af38..0000000000
--- a/aux/broccoli/src/bro_debug.h
+++ /dev/null
@@ -1,81 +0,0 @@
-/*
-       B R O C C O L I  --  The Bro Client Communications Library
-
-Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to
-deal in the Software without restriction, including without limitation the
-rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-sell copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies of the Software and its documentation and acknowledgment shall be
-given in the documentation and software packages that this Software was
-used.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
-THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-*/
-#ifndef __broccoli_debug_h
-#define __broccoli_debug_h
-
-#include <unistd.h>
-#include <stdio.h>
-
-#include <broccoli.h>
-#include <bro_util.h>
-
-void    bro_debug_enter(const char *function, int line);
-void    bro_debug_return(const char *function, int line);
-
-#ifdef BRO_DEBUG
-
-void    bro_debug(const char *msg, ...);
-
-/**
- * D - prints debugging output
- * @x: debugging information.
- *
- * Use this macro to output debugging information. @x is
- * the content as you would pass it to printf(), including
- * braces to make the arguments appear as one argument to
- * the macro. The macro is void if BRO_DEBUG is not defined
- * at compile time.
- */
-#undef  D
-#define D(x)                  do { bro_debug("%u %f %s/%i ", getpid(), __bro_util_get_time(),  __FILE__, __LINE__); bro_debug x ; } while (0) 
-
-#undef  D_ENTER
-#define D_ENTER               bro_debug_enter(__FUNCTION__, __LINE__)
-
-#undef  D_RETURN
-#define D_RETURN              do { bro_debug_return(__FUNCTION__, __LINE__); return; } while (0)
-
-#undef  D_RETURN_
-#define D_RETURN_(x)          do { bro_debug_return(__FUNCTION__, __LINE__); return (x); } while (0)
-
-#else
-
-#undef  D
-#define D(x)  
-
-#undef  D_ENTER
-#define D_ENTER
-
-#undef  D_RETURN
-#define D_RETURN              return
-
-#undef  D_RETURN_
-#define D_RETURN_(x)          return (x)
-
-#endif /* BRO_DEBUG */
-
-#endif 
-
diff --git a/aux/broccoli/src/bro_event.c b/aux/broccoli/src/bro_event.c
deleted file mode 100644
index 45b0dc1f9f..0000000000
--- a/aux/broccoli/src/bro_event.c
+++ /dev/null
@@ -1,247 +0,0 @@
-/*
-       B R O C C O L I  --  The Bro Client Communications Library
-
-Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to
-deal in the Software without restriction, including without limitation the
-rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-sell copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies of the Software and its documentation and acknowledgment shall be
-given in the documentation and software packages that this Software was
-used.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
-THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-*/
-#if HAVE_CONFIG_H
-# include <config.h>
-#endif
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <sys/types.h>
-#include <string.h>
-#include <unistd.h>
-#include <errno.h>
-#include <sys/time.h>
-
-#ifdef __EMX__
-#include <strings.h>
-#endif 
-
-#include <bro_types.h>
-#include <bro_type.h>
-#include <bro_val.h>
-#include <bro_debug.h>
-#include <bro_event.h>
-
-BroEvent      *
-__bro_event_new(BroString *name)
-{
-  BroEvent *ev;
-
-  if (!name)
-    return NULL;
-
-  if (! (ev = calloc(1, sizeof(BroEvent))))
-    return NULL;
-
-  if (! bro_string_set_data(&(ev->name), name->str_val, name->str_len))
-    {
-      free(ev);
-      return NULL;
-    }
-
-  return ev;
-}
-
-
-void           
-__bro_event_free(BroEvent *ev)
-{
-  if (!ev)
-    return;
-
-  bro_string_cleanup(&ev->name);
-  __bro_list_free(ev->val_list, (BroFunc) __bro_sobject_release);
-  free(ev);
-}
-
-
-BroEvent      *
-__bro_event_copy(BroEvent *ev)
-{
-  BroEvent *ev_copy;
-  BroVal *val, *val_copy;
-  BroList *l;
-
-  if (! ev)
-    return NULL;
-  
-  if (! (ev_copy = __bro_event_new(&ev->name)))
-    return NULL;
-  
-  for (l = ev->val_list; l; l = __bro_list_next(l))
-    {
-      val = __bro_list_data(l);
-
-      if (! (val_copy = (BroVal *) __bro_sobject_copy((BroSObject *) val)))
-	{
-	  __bro_event_free(ev_copy);
-	  return NULL;
-	}
-      
-      __bro_event_add_val(ev_copy, val_copy);
-    }
-  
-  D(("Copied event has %i arguments.\n", __bro_list_length(ev->val_list)));
-
-  return ev_copy;
-}
-
-
-const char *
-__bro_event_get_name(BroEvent *ev)
-{
-  if (! ev)
-    return NULL;
-
-  return (const char*) ev->name.str_val;
-}
-
-
-int
-__bro_event_serialize(BroEvent *ev, BroConn *bc)
-{
-  BroVal *val;
-  BroList *l;
-
-  D_ENTER;
-
-  /* Prepare the beginning of a serialized event call --
-   * event identifier, event name plus argument description.
-   */
-  if (! __bro_buf_write_char(bc->tx_buf, 'e'))
-    D_RETURN_(FALSE);
-
-  if (! __bro_buf_write_string(bc->tx_buf, &ev->name))
-    D_RETURN_(FALSE);
-  
-  if (! __bro_buf_write_double(bc->tx_buf, __bro_util_get_time()))
-    D_RETURN_(FALSE);
-
-  if (! __bro_buf_write_int(bc->tx_buf, ev->val_len))
-    D_RETURN_(FALSE);
-    
-  /* Now serialize each remaining parameter into the buffer: */
-  D(("Serializing event parameters\n"));
-  for (l = ev->val_list; l; l = __bro_list_next(l))
-    {
-      val = __bro_list_data(l);
-
-      if (! __bro_sobject_serialize((BroSObject *) val, bc))
-	D_RETURN_(FALSE);
-
-      D(("  Serialized one argument\n"));
-    }
-
-  D_RETURN_(TRUE);
-}
-
-
-BroEvent *
-__bro_event_unserialize(BroConn *bc)
-{
-  int i;
-  BroString ev_name;
-  double ev_ts;
-  uint32 ev_args;
-  BroEvent *ev = NULL;
-  BroVal *val = NULL;
-
-  D_ENTER;
-  
-  if (! __bro_buf_read_string(bc->rx_buf, &ev_name))
-    {
-      D(("Couldn't read event name.\n"));
-      D_RETURN_(NULL);
-    }
-  
-  if (! __bro_buf_read_double(bc->rx_buf, &ev_ts))
-    {
-      D(("Couldn't read event time.\n"));
-      bro_string_cleanup(&ev_name);
-      D_RETURN_(NULL);
-    }
-  
-  if (! __bro_buf_read_int(bc->rx_buf, &ev_args))
-    {
-      D(("Couldn't read number of event arguments.\n"));
-      bro_string_cleanup(&ev_name);
-      D_RETURN_(NULL);
-    }
-  
-  D(("Reading %i arguments for event %s\n", ev_args, ev_name.str_val));
-  ev = __bro_event_new(&ev_name);
-  ev->ts = ev_ts;
-  bro_string_cleanup(&ev_name);
-  
-  for (i = 0; i < (int) ev_args; i++)
-    {
-      D(("Reading parameter %i\n", i+1));
-      if (! (val = (BroVal *) __bro_sobject_unserialize(SER_IS_VAL, bc)))
-	{
-	  D(("Couldn't read parameter val %i.\n", i+1));
-	  __bro_event_free(ev);
-	  D_RETURN_(NULL);
-	}
-      
-      __bro_event_add_val(ev, val);
-    }
-
-  D_RETURN_(ev);
-}
-
-
-void
-__bro_event_add_val(BroEvent *ev, BroVal *v)
-{
-  D_ENTER;
-  ev->val_list = __bro_list_append(ev->val_list, v);
-  ev->val_len++;
-  D_RETURN;
-}
-
-
-int
-__bro_event_set_val(BroEvent *ev, int val_num, BroVal *v)
-{
-  BroList *l;
-
-  D_ENTER;
-
-  if (val_num < 0 || val_num >= ev->val_len)
-    {
-      D(("Invalid val index: given %i, having %i elements.\n", val_num, ev->val_len));
-      D_RETURN_(FALSE);
-    }
-
-  if ( (l = __bro_list_nth(ev->val_list, val_num)))
-    {
-      BroVal *val = __bro_list_set_data(l, v);
-      __bro_sobject_release((BroSObject *) val);
-      D_RETURN_(TRUE);
-    }
-
-  D_RETURN_(FALSE);
-}
diff --git a/aux/broccoli/src/bro_event.h b/aux/broccoli/src/bro_event.h
deleted file mode 100644
index 5a65c85320..0000000000
--- a/aux/broccoli/src/bro_event.h
+++ /dev/null
@@ -1,43 +0,0 @@
-/*
-       B R O C C O L I  --  The Bro Client Communications Library
-
-Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to
-deal in the Software without restriction, including without limitation the
-rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-sell copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies of the Software and its documentation and acknowledgment shall be
-given in the documentation and software packages that this Software was
-used.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
-THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-*/
-#ifndef broccoli_event_h
-#define broccoli_event_h
-
-#include <broccoli.h>
-#include <bro_val.h>
-
-BroEvent      *__bro_event_new(BroString *name);
-void           __bro_event_free(BroEvent *be);
-BroEvent      *__bro_event_copy(BroEvent *be);
-const char    *__bro_event_get_name(BroEvent *be);
-
-int            __bro_event_serialize(BroEvent *be, BroConn *bc);
-BroEvent      *__bro_event_unserialize(BroConn *bc);
-
-void           __bro_event_add_val(BroEvent *be, BroVal *val);
-int            __bro_event_set_val(BroEvent *be, int val_num, BroVal *val);
-
-#endif
diff --git a/aux/broccoli/src/bro_event_reg.c b/aux/broccoli/src/bro_event_reg.c
deleted file mode 100644
index 67aa1b8860..0000000000
--- a/aux/broccoli/src/bro_event_reg.c
+++ /dev/null
@@ -1,643 +0,0 @@
-/*
-       B R O C C O L I  --  The Bro Client Communications Library
-
-Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to
-deal in the Software without restriction, including without limitation the
-rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-sell copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies of the Software and its documentation and acknowledgment shall be
-given in the documentation and software packages that this Software was
-used.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
-THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-*/
-#if HAVE_CONFIG_H
-# include <config.h>
-#endif
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <sys/types.h>
-#include <string.h>
-#include <unistd.h>
-#include <errno.h>
-
-#ifdef __EMX__
-#include <strings.h>
-#endif 
-
-#include <bro_types.h>
-#include <bro_event.h>
-#include <bro_debug.h>
-#include <bro_io.h>
-#include <bro_event_reg.h>
-
-typedef void (*BroEvDispatcher)(BroConn *bc, BroEventCB *cb, BroEvent *ev);
-
-#define DISPATCH_TABLE_SIZE 15
-
-/* Goes through all vals in the given event ev and extracts
- * from each val a pointer to its actual value, storing it
- * into the vals array.
- */
-static int
-event_reg_init_vals(BroEvent *ev, void **vals)
-{
-  int i;
-  BroList *l;
-  BroVal *val;
-  
-  for (i = 0, l = ev->val_list; l; i++, l = __bro_list_next(l))
-    {
-      val = __bro_list_data(l);
-      
-      if (! __bro_val_get_data(val, NULL, &(vals[i])))
-	{
-	  D(("Error during callback parameter marshaling of parameter %i\n", i));
-	  return FALSE;
-	}
-    }
-  
-  return TRUE;
-}
-
-/* Goes through all vals in the given event ev and extracts
- * from each val a pointer to its actual value and the type
- * of the val, storing it into the given BroEvArg and BroValMeta
- * structures.
- */
-static int
-event_reg_init_args(BroEvent *ev, BroEvArg *args)
-{
-  int i;
-  BroList *l;
-  BroVal *val;
-  
-  for (i = 0, l = ev->val_list; l; l = __bro_list_next(l), args++, i++)
-    {
-      val = __bro_list_data(l);
-
-      if (! __bro_val_get_data(val, &args->arg_type, &args->arg_data))
-	{
-	  D(("Error during callback parameter marshaling of parameter %i\n", i));
-	  return FALSE;
-	}
-    }
-  
-  return TRUE;
-}
-
-static void
-dispatcher_compact(BroConn *bc, BroEventCB *cb, BroEvent *ev)
-{
-  BroEvMeta meta;
-  BroEvArg *args = NULL;
-
-  memset(&meta, 0, sizeof(meta));
-
-  if (! (args = calloc(ev->val_len, sizeof(BroEvArg)))) {
-    D(("Out of memory when allocating %d BroEvArgs\n", ev->val_len));
-    return;
-  }
-  
-  meta.ev_name = (const char*) bro_string_get_data(&ev->name);
-  meta.ev_ts = ev->ts;
-  meta.ev_numargs = ev->val_len;
-  meta.ev_args = args;
-  meta.ev_start = (const uchar*) bc->rx_ev_start;
-  meta.ev_end = (const uchar*) bc->rx_ev_end;
-
-  if (! event_reg_init_args(ev, args)) {
-    free(args);
-    return;
-  }
-  
-  cb->cb_compact_func(bc, cb->cb_user_data, &meta);
-
-  free(args);
-}
-
-static void
-dispatcher0(BroConn *bc, BroEventCB *cb, BroEvent *ev)
-{
-  cb->cb_expanded_func(bc, cb->cb_user_data);
-  return; ev = 0;
-}
-
-static void
-dispatcher1(BroConn *bc, BroEventCB *cb, BroEvent *ev)
-{
-  void *vals[1];
-  
-  if (! event_reg_init_vals(ev, vals))
-    return;
-  
-  cb->cb_expanded_func(bc, cb->cb_user_data, vals[0]);
-}
-
-static void
-dispatcher2(BroConn *bc, BroEventCB *cb, BroEvent *ev)
-{
-  void *vals[2];
-  
-  if (! event_reg_init_vals(ev, vals))
-    return;
-  
-  cb->cb_expanded_func(bc, cb->cb_user_data, vals[0], vals[1]);
-}
-
-static void
-dispatcher3(BroConn *bc, BroEventCB *cb, BroEvent *ev)
-{
-  void *vals[3];
-  
-  if (! event_reg_init_vals(ev, vals))
-    return;
-  
-  cb->cb_expanded_func(bc, cb->cb_user_data, vals[0], vals[1], vals[2]);
-}
-
-static void
-dispatcher4(BroConn *bc, BroEventCB *cb, BroEvent *ev)
-{
-  void *vals[4];
-  
-  if (! event_reg_init_vals(ev, vals))
-    return;
-  
-  cb->cb_expanded_func(bc, cb->cb_user_data, vals[0], vals[1], vals[2], vals[3]);
-}
-
-static void
-dispatcher5(BroConn *bc, BroEventCB *cb, BroEvent *ev)
-{
-  void *vals[5];
-  
-  if (! event_reg_init_vals(ev, vals))
-    return;
-  
-  cb->cb_expanded_func(bc, cb->cb_user_data, vals[0], vals[1], vals[2],
-		       vals[3], vals[4]);
-}
-
-static void
-dispatcher6(BroConn *bc, BroEventCB *cb, BroEvent *ev)
-{
-  void *vals[6];
-  
-  if (! event_reg_init_vals(ev, vals))
-    return;
-  
-  cb->cb_expanded_func(bc, cb->cb_user_data, vals[0], vals[1], vals[2],
-		       vals[3], vals[4], vals[5]);
-}
-
-static void
-dispatcher7(BroConn *bc, BroEventCB *cb, BroEvent *ev)
-{
-  void *vals[7];
-  
-  if (! event_reg_init_vals(ev, vals))
-    return;
-  
-  cb->cb_expanded_func(bc, cb->cb_user_data, vals[0], vals[1], vals[2],
-		       vals[3], vals[4], vals[5], vals[6]);
-}
-
-static void
-dispatcher8(BroConn *bc, BroEventCB *cb, BroEvent *ev)
-{
-  void *vals[8];
-  
-  if (! event_reg_init_vals(ev, vals))
-    return;
-  
-  cb->cb_expanded_func(bc, cb->cb_user_data, vals[0], vals[1], vals[2],
-		       vals[3], vals[4], vals[5], vals[6], vals[7]);
-}
-
-static void
-dispatcher9(BroConn *bc, BroEventCB *cb, BroEvent *ev)
-{
-  void *vals[9];
-  
-  if (! event_reg_init_vals(ev, vals))
-    return;
-  
-  cb->cb_expanded_func(bc, cb->cb_user_data, vals[0], vals[1], vals[2],
-		       vals[3], vals[4], vals[5], vals[6], vals[7],
-		       vals[8]);
-}
-
-static void
-dispatcher10(BroConn *bc, BroEventCB *cb, BroEvent *ev)
-{
-  void *vals[10];
-  
-  if (! event_reg_init_vals(ev, vals))
-    return;
-  
-  cb->cb_expanded_func(bc, cb->cb_user_data, vals[0], vals[1], vals[2],
-		       vals[3], vals[4], vals[5], vals[6], vals[7],
-		       vals[8], vals[9]);
-}
-
-static void
-dispatcher11(BroConn *bc, BroEventCB *cb, BroEvent *ev)
-{
-  void *vals[11];
-  
-  if (! event_reg_init_vals(ev, vals))
-    return;
-  
-  cb->cb_expanded_func(bc, cb->cb_user_data, vals[0], vals[1], vals[2],
-		       vals[3], vals[4], vals[5], vals[6], vals[7],
-		       vals[8], vals[9], vals[10]);
-}
-
-static void
-dispatcher12(BroConn *bc, BroEventCB *cb, BroEvent *ev)
-{
-  void *vals[12];
-  
-  if (! event_reg_init_vals(ev, vals))
-    return;
-  
-  cb->cb_expanded_func(bc, cb->cb_user_data, vals[0], vals[1], vals[2],
-		       vals[3], vals[4], vals[5], vals[6], vals[7],
-		       vals[8], vals[9], vals[10], vals[11]);
-}
-
-static void
-dispatcher13(BroConn *bc, BroEventCB *cb, BroEvent *ev)
-{
-  void *vals[13];
-  
-  if (! event_reg_init_vals(ev, vals))
-    return;
-  
-  cb->cb_expanded_func(bc, cb->cb_user_data, vals[0], vals[1], vals[2],
-		       vals[3], vals[4], vals[5], vals[6], vals[7],
-		       vals[8], vals[9], vals[10], vals[11], vals[12]);
-}
-
-static void
-dispatcher14(BroConn *bc, BroEventCB *cb, BroEvent *ev)
-{
-  void *vals[14];
-  
-  if (! event_reg_init_vals(ev, vals))
-    return;
-  
-  cb->cb_expanded_func(bc, cb->cb_user_data, vals[0], vals[1], vals[2],
-		       vals[3], vals[4], vals[5], vals[6], vals[7],
-		       vals[8], vals[9], vals[10], vals[11], vals[12],
-	      vals[13]);
-}
-
-static void
-dispatcher15(BroConn *bc, BroEventCB *cb, BroEvent *ev)
-{
-  void *vals[15];
-  
-  if (! event_reg_init_vals(ev, vals))
-    return;
-  
-  cb->cb_expanded_func(bc, cb->cb_user_data, vals[0], vals[1], vals[2],
-		       vals[3], vals[4], vals[5], vals[6], vals[7],
-		       vals[8], vals[9], vals[10], vals[11], vals[12],
-		       vals[13], vals[14]);
-}
-
-static BroEvDispatcher disp_table[] = 
-  {
-    dispatcher0, dispatcher1, dispatcher2, dispatcher3,
-    dispatcher4, dispatcher5, dispatcher6, dispatcher7,
-    dispatcher8, dispatcher9, dispatcher10, dispatcher11,
-    dispatcher12, dispatcher13, dispatcher14, dispatcher15,
-  };
-
-static BroEventHandler*
-event_reg_handler_new(const char *ev_name)
-{
-  BroEventHandler *beh;
-
-  if (!ev_name || !*ev_name)
-    return NULL;
-
-  if (! (beh = calloc(1, sizeof(BroEventHandler))))
-    return NULL;
-
-  beh->ev_name = strdup(ev_name);
-  TAILQ_INIT(&beh->cb_list);
-  
-  return beh;
-}
-
-static void
-event_reg_handler_free(BroEventHandler *beh)
-{
-  BroEventCB *cb;
-
-  if (!beh)
-    return;
-
-  if (beh->ev_name)
-    free(beh->ev_name);
-
-  while ( (cb = beh->cb_list.tqh_first))
-    {
-      TAILQ_REMOVE(&beh->cb_list, cb, cb_list);
-      free(cb);
-    }
-  
-  free(beh);  
-}
-
-static void
-event_reg_handler_dispatch(BroConn *bc, BroEventHandler *beh, BroEvent *ev)
-{
-  BroEventCB *cb;
-
-  if (!beh || !ev)
-    return;
-
-  if (ev->val_len > DISPATCH_TABLE_SIZE)
-    return;
-
-  for (cb = beh->cb_list.tqh_first; cb; cb = cb->cb_list.tqe_next)
-    {
-      switch (cb->cb_style) {
-      case BRO_CALLBACK_EXPANDED:
-	disp_table[ev->val_len](bc, cb, ev);
-	break;
-
-      case BRO_CALLBACK_COMPACT:
-	dispatcher_compact(bc, cb, ev);
-	break;
-
-      default:
-	;
-      };
-    }
-}
-
-
-BroEventReg   *
-__bro_event_reg_new(void)
-{
-  BroEventReg *reg;
-
-  if (! (reg = calloc(1, sizeof(BroEventReg))))
-    return NULL;
-
-  TAILQ_INIT(&reg->handler_list);
-  return reg;
-}
-
-
-void
-__bro_event_reg_free(BroEventReg *reg)
-{
-  BroEventHandler *beh;
-
-  if (!reg)
-    return;
-
-  while ( (beh = reg->handler_list.tqh_first))
-    {
-      TAILQ_REMOVE(&reg->handler_list, beh, handler_list);
-      event_reg_handler_free(beh);
-    }
-
-  free(reg);
-}
-
-static void           
-event_reg_add(BroEventCB *cb, BroEventReg *reg,
-	      const char *ev_name)
-{
-  BroEventHandler *beh;
-
-  for (beh = reg->handler_list.tqh_first; beh; beh = beh->handler_list.tqe_next)
-    {
-      if (strcmp(beh->ev_name, ev_name))
-	continue;
-      
-      /* We have found a handler for this event.
-       * Add the new callback and return.
-       */
-      TAILQ_INSERT_TAIL(&beh->cb_list, cb, cb_list);      
-      reg->num_handlers++;
-      return;
-    }
-  
-  /* We don't have a handler for this event yet.
-   * Create it, add a callback for the given func,
-   * and register it.
-   */
-  if (! (beh = event_reg_handler_new(ev_name)))
-    {
-      free(cb);
-      return;
-    }
-
-  TAILQ_INSERT_TAIL(&beh->cb_list, cb, cb_list);
-  TAILQ_INSERT_TAIL(&reg->handler_list, beh, handler_list);  
-  reg->num_handlers++;
-}
-
-void           
-__bro_event_reg_add(BroConn *bc, const char *ev_name,
-		    BroEventFunc func, void *user_data)
-{
-  BroEventHandler *beh;
-  BroEventCB *cb;
-  BroEventReg *reg;
-
-  if (!bc || !ev_name || !*ev_name)
-    return;
-  if (! (reg = bc->ev_reg))
-    return;
-      
-  /* Create a new callback data structure */
-  if (! (cb = calloc(1, sizeof(BroEventCB))))
-    return;
-  
-  cb->cb_expanded_func = func;
-  cb->cb_user_data = user_data;
-  cb->cb_style = BRO_CALLBACK_EXPANDED;
-  
-  event_reg_add(cb, reg, ev_name);
-}
-
-
-void           
-__bro_event_reg_add_compact(BroConn *bc, const char *ev_name,
-			    BroCompactEventFunc func, void *user_data)
-{
-  BroEventHandler *beh;
-  BroEventCB *cb;
-  BroEventReg *reg;
-
-  if (!bc || !ev_name || !*ev_name)
-    return;
-  if (! (reg = bc->ev_reg))
-    return;
-      
-  /* Create a new callback data structure */
-  if (! (cb = calloc(1, sizeof(BroEventCB))))
-    return;
-  
-  cb->cb_compact_func = func;
-  cb->cb_user_data = user_data;
-  cb->cb_style = BRO_CALLBACK_COMPACT;
-  
-  event_reg_add(cb, reg, ev_name);
-}
-
-
-int
-__bro_event_reg_remove(BroConn *bc, const char *ev_name)
-{
-  BroEventHandler *beh;
-  BroEventReg *reg;
-
-  if (!bc || !ev_name || !*ev_name)
-    return FALSE;
-  if (! (reg = bc->ev_reg))
-    return FALSE;
-
-  for (beh = reg->handler_list.tqh_first; beh; beh = beh->handler_list.tqe_next)
-    {
-      if (strcmp(beh->ev_name, ev_name))
-	continue;
-
-      TAILQ_REMOVE(&reg->handler_list, beh, handler_list);
-      event_reg_handler_free(beh);
-      reg->num_handlers--;
-      return TRUE;
-    }
-
-  return FALSE;
-}
-
-
-int
-__bro_event_reg_request(BroConn *bc)
-{
-  BroEventReg *reg;
-  BroEventHandler *beh;
-  BroRequest *req;
-  int len = 0;
-  int result;
-  char *ptr;
-
-  D_ENTER;
-
-  if (!bc)
-    D_RETURN_(FALSE);
-  
-  if (! (reg = bc->ev_reg))
-    D_RETURN_(FALSE);
-  
-  /* Go over all handlers once, and collect the total length of
-   * all event names including terminating 0s.
-   */
-  for (beh = reg->handler_list.tqh_first; beh; beh = beh->handler_list.tqe_next)
-    len += strlen(beh->ev_name) + 1;
-
-  /* Allocate a request structure for that length */
-  if (! (req = __bro_event_request_new(len)))
-    D_RETURN_(FALSE);
-
-  /* Go through again and copy all event names into the
-   * request structure.
-   */
-  ptr = req->req_dat;
-  for (beh = reg->handler_list.tqh_first; beh; beh = beh->handler_list.tqe_next)
-    {
-      D(("Requesting event '%s'\n", beh->ev_name));
-      memcpy(ptr, beh->ev_name, strlen(beh->ev_name));
-      ptr += strlen(ptr) + 1;
-    }
-  
-  if (! __bro_io_request_queue(bc, req))
-    D_RETURN_(FALSE);
-
-  D_RETURN_(TRUE);
-}
-
-
-void
-__bro_event_reg_dispatch(BroConn *bc, BroEvent *ev)
-{
-  BroEventReg *reg;
-  BroEventHandler *beh;
-
-  D_ENTER;
-
-  if (!bc || !ev || ! (reg = bc->ev_reg))
-    {
-      D(("Input error\n"));
-      D_RETURN;
-    }
-  
-  D(("Dispatching event '%s' with %i paramaters.\n", ev->name.str_val, ev->val_len));
-
-  for (beh = reg->handler_list.tqh_first; beh; beh = beh->handler_list.tqe_next)
-    {
-      if (strcmp(__bro_event_get_name(ev), beh->ev_name) == 0)
-	event_reg_handler_dispatch(bc, beh, ev);
-    }  
-  
-  D_RETURN;
-}
-
-
-BroRequest *
-__bro_event_request_new(int len)
-{
-  BroRequest *req;
-
-  if (len <= 0)
-    return NULL;
-
-  if (! (req = calloc(1, sizeof(BroRequest))))
-    return NULL;
-
-  if (! (req->req_dat = calloc(len + 1, sizeof(char))))
-    {
-      free(req);
-      return NULL;
-    }
-  
-  req->req_len = len;
-  return req;
-}
-
-
-void
-__bro_event_request_free(BroRequest *req)
-{
-  if (! req)
-    return;
-
-  if (req->req_dat)
-    free(req->req_dat);
-  
-  free(req);
-}
-
diff --git a/aux/broccoli/src/bro_event_reg.h b/aux/broccoli/src/bro_event_reg.h
deleted file mode 100644
index e3320bb713..0000000000
--- a/aux/broccoli/src/bro_event_reg.h
+++ /dev/null
@@ -1,51 +0,0 @@
-/*
-       B R O C C O L I  --  The Bro Client Communications Library
-
-Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to
-deal in the Software without restriction, including without limitation the
-rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-sell copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies of the Software and its documentation and acknowledgment shall be
-given in the documentation and software packages that this Software was
-used.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
-THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-*/
-#ifndef broccoli_event_reg_h
-#define broccoli_event_reg_h
-
-#include <broccoli.h>
-
-BroEventReg   *__bro_event_reg_new(void);
-void           __bro_event_reg_free(BroEventReg *reg);
-
-void           __bro_event_reg_add(BroConn *bc,
-				   const char *ev_name,
-				   BroEventFunc func,
-				   void *user_data);
-
-void           __bro_event_reg_add_compact(BroConn *bc,
-					   const char *ev_name,
-					   BroCompactEventFunc func,
-					   void *user_data);
-
-int            __bro_event_reg_remove(BroConn *bc, const char *ev_name);
-int            __bro_event_reg_request(BroConn *bc);
-void           __bro_event_reg_dispatch(BroConn *bc, BroEvent *ev);
-
-BroRequest    *__bro_event_request_new(int len);
-void           __bro_event_request_free(BroRequest *req);
-
-#endif
diff --git a/aux/broccoli/src/bro_hashtable.c b/aux/broccoli/src/bro_hashtable.c
deleted file mode 100644
index a450207dcb..0000000000
--- a/aux/broccoli/src/bro_hashtable.c
+++ /dev/null
@@ -1,424 +0,0 @@
-/*
-       B R O C C O L I  --  The Bro Client Communications Library
-
-Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to
-deal in the Software without restriction, including without limitation the
-rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-sell copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies of the Software and its documentation and acknowledgment shall be
-given in the documentation and software packages that this Software was
-used.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
-THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-*/
-#if HAVE_CONFIG_H
-# include <config.h>
-#endif
-
-#include <string.h>
-#include <unistd.h>
-#include <errno.h>
-#include <sys/time.h>
-
-#ifdef __EMX__
-#include <strings.h>
-#endif 
-
-#include <bro_types.h>
-#include <bro_debug.h>
-#include <bro_list.h>
-#include <bro_hashtable.h>
-
-#define BRO_HT_NUM_SLOTS 127
-
-#ifdef BRO_DEBUG
-#define DEBUG_HTS
-#endif
-
-#ifdef DEBUG_HTS
-#  define DEBUG_HT(x) do { printf("%s/%i: ", __FILE__, __LINE__); printf x ; } while (0);
-#else
-#  define DEBUG_HT(x)
-#endif
-
-typedef struct bro_hash_item
-{
-  /* For the age list in the hashtable. We know every node will
-   * occur only once in the hashtable, and we want the items 
-   * themselves to be the nodes, so the macros are okay.
-   */
-  TAILQ_ENTRY(bro_hash_item) age_list;
-
-  void         *it_key;
-  void         *it_data;
-
-} BroHTIt;
-
-typedef TAILQ_HEAD(hi_list, bro_hash_item) BroHIList;
-
-struct bro_ht
-{
-  BroList     **ht_slots;
-  int           ht_numslots;
-  int           ht_size;
-
-  /* Age list for elements in hash table, only used if
-   * requested in __bro_ht_new(). The youngest element
-   * of the age list sits at the *tail* of the list,
-   * the oldest is at the *front*.
-   */
-  int           use_age_list;
-  BroHIList     age_list;
-
-  BroHTHashFunc ht_hash_func;
-  BroHTCmpFunc  ht_cmp_func;
-  BroHTFreeFunc ht_key_free_func;
-  BroHTFreeFunc ht_val_free_func;
-};
-
-
-BroHT *
-__bro_ht_new(BroHTHashFunc hash_func,
-	     BroHTCmpFunc cmp_func,
-	     BroHTFreeFunc key_free_func,
-	     BroHTFreeFunc val_free_func,
-	     int use_age_list)
-{
-  BroHT *ht;
-  int i;
-
-  D_ENTER;
-
-  /* It may be okay if we get no free_funcs ... */
-  if (!hash_func || !cmp_func)
-    D_RETURN_(NULL);
-
-  if (! (ht = calloc(1, sizeof(BroHT))))
-    D_RETURN_(NULL);
-
-  ht->ht_numslots = BRO_HT_NUM_SLOTS;
-  ht->ht_size = 0;
-  ht->use_age_list = use_age_list;
-  ht->ht_hash_func = hash_func;
-  ht->ht_cmp_func = cmp_func;
-  ht->ht_key_free_func = key_free_func;
-  ht->ht_val_free_func = val_free_func;
-
-  /* ht_slots is kept NULL here to avoid work on tables that are never
-   * inserted into.
-   */
-  
-  /* Initialize the age list no matter whether it'll be
-   * used or not.
-   */
-  TAILQ_INIT(&ht->age_list);
-  
-  D_RETURN_(ht);
-}
-
-
-void
-__bro_ht_free(BroHT *ht)
-{
-  BroList *l;
-  BroHTIt *it;
-  int i;
-
-  D_ENTER;
-
-  if (! ht)
-    D_RETURN;
-
-  /* Age list doesn't need cleaning up as its nodes are 
-   * entries in the regular hashtable, which are cleaned
-   * up now:
-   */
-  
-  if (ht->ht_slots == NULL)
-    {
-      free(ht);
-      D_RETURN;
-    }
-
-  for (i = 0; i < ht->ht_numslots; i++)
-    {
-      for (l = ht->ht_slots[i]; l; l = __bro_list_next(l))
-	{
-	  it = __bro_list_data(l);
-
-	  if (ht->ht_key_free_func)    
-	    ht->ht_key_free_func(it->it_key);
-
-	  if (ht->ht_val_free_func)
-	    ht->ht_val_free_func(it->it_data);
-
-	  free(it);
-	}
-      
-      __bro_list_free(ht->ht_slots[i], NULL);
-    }
-  
-  free(ht->ht_slots);
-  free(ht);
-  D_RETURN;
-}
-
-
-int
-__bro_ht_add(BroHT *ht, void *key, void *data)
-{
-  uint32 slot;
-  BroHTIt *it;
-
-  D_ENTER;
-
-  if (!ht || !key)
-    {
-      D(("Input error: (%p, %p, %p)\n", ht, key, data));
-      D_RETURN_(FALSE);
-    }
-  
-  if (! (it = calloc(1, sizeof(BroHTIt))))
-    {
-      D(("Out of memory.\n"));
-      D_RETURN_(FALSE);
-    }
-  
-  it->it_key = key;
-  it->it_data = data;
-  
-  if (ht->ht_slots == NULL)
-    {
-      if (! (ht->ht_slots = calloc(ht->ht_numslots, sizeof(BroList*))))
-	{
-	  D(("Out of memory.\n"));
-	  D_RETURN_(FALSE);
-	}
-    }
-  
-  slot = ht->ht_hash_func(key) % ht->ht_numslots;
-  ht->ht_slots[slot] = __bro_list_append(ht->ht_slots[slot], it);
-  ht->ht_size++;
-
-  if (ht->use_age_list)
-    TAILQ_INSERT_TAIL(&ht->age_list, it, age_list);
-
-  D_RETURN_(TRUE);
-}
-
-
-void *
-__bro_ht_get(BroHT *ht, const void *key)
-{
-  BroList *l;
-  BroHTIt *it;
-  uint32 slot;
-  
-  if (!ht || !key)
-    {
-      D(("Input error: (%p, %p)\n", ht, key));
-      return NULL;
-    }
-
-  if (!ht->ht_slots)
-    return NULL;
-  
-  slot = ht->ht_hash_func(key) % ht->ht_numslots;
-
-  for (l = ht->ht_slots[slot]; l; l = __bro_list_next(l))
-    {
-      it = __bro_list_data(l);
-      
-      if (ht->ht_cmp_func(it->it_key, key))
-	{
-	  if (ht->use_age_list)
-	    {
-	      TAILQ_REMOVE(&ht->age_list, it, age_list);
-	      TAILQ_INSERT_TAIL(&ht->age_list, it, age_list);
-	    }
-
-	  return it->it_data;
-	}
-    }
-
-  return NULL;
-}
-
-
-void     *
-__bro_ht_del(BroHT *ht, void *key)
-{
-  void *result;
-  BroHTIt *it;
-  BroList *l;
-  uint32 slot;
-
-  D_ENTER;
-
-  if (!ht || !key)
-    D_RETURN_(NULL);
-
-  if (!ht->ht_slots)
-    D_RETURN_(NULL);
-  
-  slot = ht->ht_hash_func(key) % ht->ht_numslots;
-  
-  for (l = ht->ht_slots[slot]; l; l = __bro_list_next(l))
-    {
-      it = __bro_list_data(l);
-
-      if (ht->ht_cmp_func(it->it_key, key))
-	{
-	  result = it->it_data;
-	  ht->ht_slots[slot] = __bro_list_remove(ht->ht_slots[slot], l);
-	  ht->ht_size--;
-	  
-	  /* Free the key if possible -- don't free the
-	   * value, as we just return that.
-	   */
-	  if (ht->ht_key_free_func)
-	    ht->ht_key_free_func(it->it_key);
-	  
-	  if (ht->use_age_list)
-	    TAILQ_REMOVE(&ht->age_list, it, age_list);
-	  
-	  free(it);
-	  
-	  D_RETURN_(result);
-	}
-    }
-  
-  D_RETURN_(NULL);
-}
-
-
-int
-__bro_ht_get_size(BroHT *ht)
-{
-  if (! ht)
-    return -1;
-
-  return ht->ht_size;
-}
-
-
-void
-__bro_ht_get_oldest(BroHT *ht, void **key, void **data)
-{
-  if (! ht || !ht->use_age_list)
-    {
-      if (key)
-	*key = NULL;
-      if (data)
-	*data = NULL;
-
-      return;
-    }
-
-  if (key)
-    *key = ht->age_list.tqh_first->it_key;
-  
-  if (data)
-    *data = ht->age_list.tqh_first->it_data;
-}
-
-
-int
-__bro_ht_evict_oldest(BroHT *ht)
-{
-  if (! ht)
-    return 0;
-  
-  if (ht->use_age_list && ht->age_list.tqh_first)
-    __bro_ht_del(ht, ht->age_list.tqh_first->it_key);
-  
-  return ht->ht_size;
-}
-
-
-void
-__bro_ht_foreach(BroHT *ht, BroHTCallback callback, void *user_data)
-{
-  BroList *l;
-  BroHTIt *it;
-  int i;
-
-  if (!ht || !callback)
-    return;
-  
-  if (!ht->ht_slots)
-    return;
-
-  for (i = 0; i < ht->ht_numslots; i++)
-    {
-      for (l = ht->ht_slots[i]; l; l = __bro_list_next(l))
-	{
-	  it = __bro_list_data(l);
-
-	  if (! callback(it->it_key, it->it_data, user_data))
-	    return;
-	}
-    }
-}
-
-
-uint32
-__bro_ht_str_hash(const void *val)
-{
-  char *val_ptr;
-  uint32 hash;
-  
-  if (!val)
-    return 0;
-
-  val_ptr = (char *) val;
-  
-  for (hash = 0; *val_ptr != '\0'; val_ptr++)
-    hash = (64 * hash + *val_ptr);
-
-  return hash;
-}
-
-
-int
-__bro_ht_str_cmp(const void *val1, const void *val2)
-{
-  if (! val1 || ! val2)
-    return FALSE;
-
-  return strcmp((char*) val1, (char*) val2) == 0;
-}
-
-
-void
-__bro_ht_mem_free(void *data)
-{
-  if (data)
-    free(data);
-}
-
-
-uint32
-__bro_ht_int_hash(const void *val)
-{
-  return (uint32)(uintptr_t) val;
-}
-
-
-int
-__bro_ht_int_cmp(const void *val1, const void *val2)
-{
-  return val1 == val2;
-}
diff --git a/aux/broccoli/src/bro_hashtable.h b/aux/broccoli/src/bro_hashtable.h
deleted file mode 100644
index b289d68768..0000000000
--- a/aux/broccoli/src/bro_hashtable.h
+++ /dev/null
@@ -1,110 +0,0 @@
-/*
-       B R O C C O L I  --  The Bro Client Communications Library
-
-Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to
-deal in the Software without restriction, including without limitation the
-rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-sell copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies of the Software and its documentation and acknowledgment shall be
-given in the documentation and software packages that this Software was
-used.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
-THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-*/
-#ifndef broccoli_ht_h
-#define broccoli_ht_h
-
-#include <broccoli.h>
-
-typedef struct bro_ht BroHT;
-
-/* Hash function -- pass something in, get integer back.
- */
-typedef uint32 (*BroHTHashFunc)(const void *data);	     
-
-/* Key comparison function -- compares two keys, returns %TRUE
- * if equal, %FALSE otherwise, NOT -1/0/1.
- */
-typedef int (*BroHTCmpFunc)(const void *key1, const void *key2);
-
-/* Destructor function, one for keys, one for values.
- */
-typedef void (*BroHTFreeFunc)(void *data);
-
-/**
- * BroHTCallback - The signature of functions used with __bro_ht_foreach()
- * @key: key of current hash table item
- * @data: value part of current hash table item.
- * @user_data: arbitrary user data passed through from __bro_ht_foreach().
- *
- * Returning %FALSE signals abortion of the loop.
- */
-typedef int (*BroHTCallback)(void *key, void *data, void *user_data);
-
-/**
- * __bro_ht_new - creates new hashtable.
- * @hash_func: hashing function to use, see BroHTHashFunc.
- * @cmp_func: element comparison function to use, see BroHTCmpFunc.
- * @key_free_func: callback for erasing key of an item, if desirable.
- * @val_free_func: callback for erasing data item itself, if desirable.
- * @use_age_list: whether to maintain an age list (%TRUE) or not (%FALSE).
- *
- * The function creates and returns a new hashtable. @key_free_func and
- * @val_free_func can be used to clean up contained elements automatically
- * as they are removed from the table. If you don't want this feature,
- * pass %NULL -- you can still iterate over all items in the table using
- * __bro_ht_foreach().
- *
- * The table can optionally maintain an age list (see
- * __bro_ht_get_oldest() and __bro_ht_evict_oldest()), pass %TRUE to
- * @use_age_list if desired.
- *
- * Returns: new table, or %NULL when out of memory.
- */
-BroHT    *__bro_ht_new(BroHTHashFunc hash_func,
-		       BroHTCmpFunc cmp_func,
-		       BroHTFreeFunc key_free_func,
-		       BroHTFreeFunc val_free_func,
-		       int use_age_list);
-
-void      __bro_ht_free(BroHT *ht);
-
-int       __bro_ht_add(BroHT *ht, void *key, void *data);
-void     *__bro_ht_get(BroHT *ht, const void *key);
-void     *__bro_ht_del(BroHT *ht, void *key);
-int       __bro_ht_get_size(BroHT *ht);
-
-void      __bro_ht_foreach(BroHT *ht, BroHTCallback cb, void *user_data);
-
-/* Returns pointers to key and value of oldest item in the table,
- * if age list is maintained. Otherwise sets both @key and @data
- * to %NULL.
- */
-void      __bro_ht_get_oldest(BroHT *ht, void **key, void **data);
-
-/* If age list is used, removes oldest element from the table
- * and returns number of items in the table after eviction.
- * If age list is not used, does nothing and returns table size.
- */
-int       __bro_ht_evict_oldest(BroHT *ht);
-
-uint32    __bro_ht_str_hash(const void *val);
-int       __bro_ht_str_cmp(const void *val1, const void *val2);
-void      __bro_ht_mem_free(void *data);
-
-uint32    __bro_ht_int_hash(const void *val);
-int       __bro_ht_int_cmp(const void *val1, const void *val2);
-
-#endif
diff --git a/aux/broccoli/src/bro_id.c b/aux/broccoli/src/bro_id.c
deleted file mode 100644
index a72b85fd59..0000000000
--- a/aux/broccoli/src/bro_id.c
+++ /dev/null
@@ -1,296 +0,0 @@
-/*
-       B R O C C O L I  --  The Bro Client Communications Library
-
-Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to
-deal in the Software without restriction, including without limitation the
-rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-sell copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies of the Software and its documentation and acknowledgment shall be
-given in the documentation and software packages that this Software was
-used.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
-THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-*/
-#if HAVE_CONFIG_H
-# include <config.h>
-#endif
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <sys/types.h>
-#include <string.h>
-#include <unistd.h>
-#include <errno.h>
-#include <sys/time.h>
-
-#ifdef __EMX__
-#include <strings.h>
-#endif 
-
-#include <bro_types.h>
-#include <bro_debug.h>
-#include <bro_id.h>
-
-BroID *
-__bro_id_new(void)
-{
-  BroID *id;
-
-  D_ENTER;
-
-  if (! (id = calloc(1, sizeof(BroID))))
-    D_RETURN_(NULL);
-
-  __bro_id_init(id);
-
-  D_RETURN_(id);
-}
-
-void
-__bro_id_init(BroID *id)
-{
-  BroSObject *sobj = (BroSObject *) id;
-
-  D_ENTER;
-
-  /* First initialize parent */
-  __bro_object_init((BroObject *) id);
-
-  /* Now hook our callbacks into the vtable */
-  sobj->read  = (BroSObjectRead) __bro_id_read;
-  sobj->write = (BroSObjectWrite) __bro_id_write;
-  sobj->free  = (BroSObjectFree) __bro_id_free;
-  sobj->clone = (BroSObjectClone) __bro_id_clone;
-  sobj->hash  = (BroSObjectHash) __bro_id_hash;
-  sobj->cmp   = (BroSObjectCmp) __bro_id_cmp;
-
-  sobj->type_id = SER_ID;
-
-  /* And finally initialize our own stuff */
-  bro_string_init(&id->name);
-  id->type = __bro_type_new();
-
-  /* For now we don't have attrs + val, these get
-   * hooked in on demand.
-   */
-  D_RETURN;
-}
-
-void
-__bro_id_free(BroID *id)
-{
-  D_ENTER;
-
-  if (!id)
-    D_RETURN;
-
-  /* First clean up our stuff */
-  bro_string_cleanup(&id->name);
-
-  __bro_sobject_release((BroSObject *) id->type);
-  __bro_sobject_release((BroSObject *) id->attrs);
-  __bro_sobject_release((BroSObject *) id->val);
-  
-  /* Then clean up parent -- will eventually call free() */
-  __bro_object_free((BroObject *) id);
-
-  D_RETURN;
-}
-
-int
-__bro_id_read(BroID *id, BroConn *bc)
-{
-  char opt;
-
-  D_ENTER;
-
-  if (! id || ! bc)
-    D_RETURN_(FALSE);
-
-  if (! __bro_object_read((BroObject *) id, bc))
-    D_RETURN_(FALSE);
-
-  if (! __bro_buf_read_string(bc->rx_buf, &id->name))
-    D_RETURN_(FALSE);
-
-  if (! __bro_buf_read_char(bc->rx_buf, &id->scope))
-    D_RETURN_(FALSE);
-
-  if (! __bro_buf_read_char(bc->rx_buf, &id->is_export))
-    D_RETURN_(FALSE);
-  if (! __bro_buf_read_int(bc->rx_buf, &id->is_const))
-    D_RETURN_(FALSE);
-  if (! __bro_buf_read_int(bc->rx_buf, &id->is_enum_const))
-    D_RETURN_(FALSE);
-  if (! __bro_buf_read_int(bc->rx_buf, &id->is_type))
-    D_RETURN_(FALSE);
-
-  if (! __bro_buf_read_int(bc->rx_buf, &id->offset))
-    D_RETURN_(FALSE);
-  
-  if (! __bro_buf_read_char(bc->rx_buf, &id->infer_return_type))
-    D_RETURN_(FALSE);
-  if (! __bro_buf_read_char(bc->rx_buf, &id->weak_ref))
-    D_RETURN_(FALSE);
-  
-  if (id->type)
-    __bro_sobject_release((BroSObject*) id->type);
-  if (! (id->type = (BroType *) __bro_sobject_unserialize(SER_IS_TYPE, bc)))
-    D_RETURN_(FALSE);
-
-  if (! __bro_buf_read_char(bc->rx_buf, &opt))
-    D_RETURN_(FALSE);
-  if (opt)
-    {
-      if (id->attrs)
-	__bro_sobject_release((BroSObject *) id->attrs);
-
-      if (! (id->attrs = (BroAttrs *) __bro_sobject_unserialize(SER_ATTRIBUTES, bc)))
-	D_RETURN_(FALSE);
-    }
-
-  if (! __bro_buf_read_char(bc->rx_buf, &opt))
-    D_RETURN_(FALSE);
-  if (opt)
-    {
-      if (id->val)
-	__bro_sobject_release((BroSObject *) id->val);
-
-      if (! (id->val = (BroVal *) __bro_sobject_unserialize(SER_IS_VAL, bc)))
-	D_RETURN_(FALSE);
-    }
-  
-  D_RETURN_(TRUE);
-}
-
-int
-__bro_id_write(BroID *id, BroConn *bc)
-{
-  D_ENTER;
-
-  if (! id || ! bc)
-    D_RETURN_(FALSE);
-
-  if (! __bro_object_write((BroObject *) id, bc))
-    D_RETURN_(FALSE);
-  
-  if (! __bro_buf_write_string(bc->tx_buf, &id->name))
-    D_RETURN_(FALSE);
-
-  if (! __bro_buf_write_char(bc->tx_buf, id->scope))
-    D_RETURN_(FALSE);
-
-  if (! __bro_buf_write_char(bc->tx_buf, id->is_export))
-    D_RETURN_(FALSE);
-  if (! __bro_buf_write_int(bc->tx_buf, id->is_const))
-    D_RETURN_(FALSE);
-  if (! __bro_buf_write_int(bc->tx_buf, id->is_enum_const))
-    D_RETURN_(FALSE);
-  if (! __bro_buf_write_int(bc->tx_buf, id->is_type))
-    D_RETURN_(FALSE);
-
-  if (! __bro_buf_write_int(bc->tx_buf, id->offset))
-    D_RETURN_(FALSE);
-  
-  if (! __bro_buf_write_char(bc->tx_buf, id->infer_return_type))
-    D_RETURN_(FALSE);
-  if (! __bro_buf_write_char(bc->tx_buf, id->weak_ref))
-    D_RETURN_(FALSE);
-  
-  if (! __bro_sobject_serialize((BroSObject *) id->type, bc))
-    D_RETURN_(FALSE);
-
-  if (! __bro_buf_write_char(bc->tx_buf, id->attrs ? 1 : 0))
-    D_RETURN_(FALSE);
-  if (id->attrs && ! __bro_sobject_serialize((BroSObject *) id->attrs, bc))
-    D_RETURN_(FALSE);
-
-  if (! __bro_buf_write_char(bc->tx_buf, id->val ? 1 : 0))
-    D_RETURN_(FALSE);
-  if (id->attrs && ! __bro_sobject_serialize((BroSObject *) id->val, bc))
-    D_RETURN_(FALSE);
-  
-  D_RETURN_(TRUE);
-}
-
-
-int
-__bro_id_clone(BroID *dst, BroID *src)
-{
-  BroString *string;
-
-  D_ENTER;
-  
-  if (! __bro_object_clone((BroObject *) dst, (BroObject *) src))
-    D_RETURN_(FALSE);
-  
-  if (! (string = bro_string_copy(&src->name)))
-    D_RETURN_(FALSE);
-  
-  dst->name = *string;
-  dst->scope = src->scope;
-  dst->is_export = src->is_export;
-  dst->is_const = src->is_const;
-  dst->is_enum_const = src->is_enum_const;
-  dst->is_type = src->is_type;
-  dst->offset = src->offset;
-  dst->infer_return_type = src->infer_return_type;
-  dst->weak_ref = src->weak_ref;
-  
-  if (src->type && ! (dst->type = (BroType *) __bro_sobject_copy((BroSObject *) src->type)))
-    D_RETURN_(FALSE);
-  
-  if (src->val && ! (dst->val = (BroVal *) __bro_sobject_copy((BroSObject *) src->val)))
-    D_RETURN_(FALSE);
-  
-  if (src->attrs && ! (dst->attrs = (BroAttrs *) __bro_sobject_copy((BroSObject *) src->attrs)))
-    D_RETURN_(FALSE);
-  
-  D_RETURN_(TRUE);
-}
-
-
-uint32
-__bro_id_hash(BroID *id)
-{
-  uint32 result = 0;
-
-  D_ENTER;
-
-  if (! id)
-    D_RETURN_(0);
-
-  result ^= __bro_ht_str_hash(id->name.str_val);
-  result ^= ((uint32) id->scope) << 8;
-  result ^= (uint32) id->is_export;
-  result ^= id->is_const;
-  result ^= id->is_enum_const;
-  result ^= id->is_type;
-  result ^= id->offset;
-  
-  D_RETURN_(result);
-}
-
-
-int
-__bro_id_cmp(BroID *id1, BroID *id2)
-{
-  D_ENTER;
-
-  if (! id1 || ! id2)
-    D_RETURN_(FALSE);
-
-  D_RETURN_(__bro_ht_str_cmp(id1->name.str_val, id2->name.str_val));
-}
diff --git a/aux/broccoli/src/bro_id.h b/aux/broccoli/src/bro_id.h
deleted file mode 100644
index fe81ed0b39..0000000000
--- a/aux/broccoli/src/bro_id.h
+++ /dev/null
@@ -1,65 +0,0 @@
-/*
-       B R O C C O L I  --  The Bro Client Communications Library
-
-Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to
-deal in the Software without restriction, including without limitation the
-rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-sell copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies of the Software and its documentation and acknowledgment shall be
-given in the documentation and software packages that this Software was
-used.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
-THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-*/
-#ifndef broccoli_id_h
-#define broccoli_id_h
-
-#include <bro_object.h>
-#include <bro_val.h>
-#include <bro_type.h>
-#include <bro_attrs.h>
-
-struct bro_id
-{
-  BroObject                    object;
-  BroString                    name;
-  char                         scope;
-
-  char                         is_export;
-  uint32                       is_const;
-  uint32                       is_enum_const;
-  uint32                       is_type;
-
-  uint32                       offset;
-
-  char                         infer_return_type;
-  char                         weak_ref;
-
-  BroType                     *type;
-  BroVal                      *val;
-  BroAttrs                    *attrs;
-};
-
-BroID         *__bro_id_new(void);
-void           __bro_id_init(BroID *id);
-void           __bro_id_free(BroID *id);
-
-int            __bro_id_write(BroID *id, BroConn *bc);
-int            __bro_id_read(BroID *id, BroConn *bc);
-int            __bro_id_clone(BroID *dst, BroID *src);
-uint32         __bro_id_hash(BroID *obj);
-int            __bro_id_cmp(BroID *obj1, BroID *obj2);
-
-#endif
diff --git a/aux/broccoli/src/bro_io.c b/aux/broccoli/src/bro_io.c
deleted file mode 100644
index 2e4ad36902..0000000000
--- a/aux/broccoli/src/bro_io.c
+++ /dev/null
@@ -1,1205 +0,0 @@
-/*
-       B R O C C O L I  --  The Bro Client Communications Library
-
-Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to
-deal in the Software without restriction, including without limitation the
-rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-sell copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies of the Software and its documentation and acknowledgment shall be
-given in the documentation and software packages that this Software was
-used.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
-THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-*/
-#if HAVE_CONFIG_H
-# include <config.h>
-#endif
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <sys/types.h>
-#include <sys/time.h>
-#include <string.h>
-#include <unistd.h>
-#include <sys/param.h>
-#include <errno.h>
-
-#ifdef __MINGW32__
-#include <winsock.h>
-#else
-#include <sys/socket.h>
-#include <netinet/in.h>
-#endif
-
-#include <bro_types.h>
-#include <bro_debug.h>
-#include <bro_buf.h>
-#include <bro_event.h>
-#include <bro_event_reg.h>
-#include <bro_util.h>
-#include <bro_type.h>
-#include <bro_val.h>
-#include <bro_io.h>
-#include <bro_id.h>
-#ifdef BRO_PCAP_SUPPORT
-#include <bro_packet.h>
-#endif
-
-/* A static array that can translate message types into strings so
- * it's clearer what's going on when debugging:
- */
-static char * msg_type_str[] = {
-  "BRO_MSG_NONE",
-  "BRO_MSG_VERSION",
-  "BRO_MSG_SERIAL",
-  "BRO_MSG_CLOSE",
-  "BRO_MSG_CLOSE_ALL",
-  "BRO_MSG_ERROR",
-  "BRO_MSG_CONNECTTO",
-  "BRO_MSG_CONNECTED",
-  "BRO_MSG_REQUEST",
-  "BRO_MSG_LISTEN",
-  "BRO_MSG_LISTEN_STOP",
-  "BRO_MSG_STATS",
-  "BRO_MSG_CAPTURE_FILTER",
-  "BRO_MSG_REQUEST_SYNC",
-  "BRO_MSG_PHASE_DONE",
-  "BRO_MSG_PING",
-  "BRO_MSG_PONG",
-  "BRO_MSG_CAPS",
-  "BRO_MSG_COMPRESS",
-};
-
-static const char *
-msg_type_2_str(int type)
-{
-  if (type < 0 || type >= BRO_MSG_MAX)
-    return "<invalid>";
-
-  return msg_type_str[type];
-}
-
-/* The maximum number of attempts we make in one go in order
- * to extract data from the pipe. It appears that OpenSSL does
- * not fully hide the record-oriented transfer and repeated
- * writes at one end also require repeated reads at the other
- * end. If anyone can confirm or deny this, please get in touch.
- */
-#define BRO_BIO_READ_ROUNDS_MAX   20
-
-/* Reading-related --------------------------------------------------- */
-
-static int
-io_read_chunk_size(BroConn *bc, uint32 *chunk_size)
-{
-  if (! __bro_buf_ptr_read(bc->rx_buf, chunk_size, sizeof(uint32)))
-    {
-      D(("Couldn't read chunk size\n"));
-      return FALSE;
-    }
-
-  *chunk_size = ntohl(*chunk_size);
-
-  if (! __bro_buf_ptr_check(bc->rx_buf, *chunk_size))
-    {
-      D(("Not all chunk data available\n"));
-      return FALSE;
-    }
-
-  D(("We have a chunk of size %i\n", *chunk_size));
-  return TRUE;
-}
-
-static int
-io_read_msg_hdr(BroConn *bc, BroMsgHeader *msg_hdr)
-{
-  if (! __bro_buf_ptr_read(bc->rx_buf, msg_hdr, sizeof(BroMsgHeader)))
-    {
-      D(("Couldn't read message header\n"));
-      return FALSE;
-    }
-  
-  msg_hdr->hdr_peer_id = ntohs(msg_hdr->hdr_peer_id);
-  
-  return TRUE;
-}
-
-static int
-io_msg_fill_rx(BroConn *bc)
-{
-  BroBuf tmp_buf;
-  int i, n, total = 0;
-
-  if (bc->state->rx_dead)
-    {
-      if (! (bc->conn_flags & BRO_CFLAG_RECONNECT))
-	return FALSE;
-      
-      D(("Connection dead and we want to reconnect ...\n"));
-      
-      if (! bro_conn_reconnect(bc))
-	return FALSE;
-    }
-  
-  for (i = 0; i < BRO_BIO_READ_ROUNDS_MAX; i++)
-    {
-      __bro_buf_init(&tmp_buf);
-
-      n = __bro_openssl_read(bc, __bro_buf_get(&tmp_buf),
-			     __bro_buf_get_size(&tmp_buf));
-      
-      if (n <= 0)
-	{
-	  __bro_buf_cleanup(&tmp_buf);      	  
-	  
-	  if (n < 0)
-	    {
-	      D(("Read returned error after %i/%i rounds and %i bytes\n",
-		 i, BRO_BIO_READ_ROUNDS_MAX, total));
-	      return -1;
-	    }
-#ifdef BRO_DEBUG
-	  if (total > 0)
-	    D(("Read %i bytes in %i/%i rounds.\n",
-	       total, i, BRO_BIO_READ_ROUNDS_MAX));
-#endif	  
-	  if (total == 0)
-	    continue;
-	  
-	  return total;
-	}
-      
-      __bro_buf_append(bc->rx_buf, __bro_buf_get(&tmp_buf), n);
-      __bro_buf_cleanup(&tmp_buf);
-      total += n;      
-    }
-  
-  D(("Read %i bytes in %i/%i rounds.\n",
-     total, i, BRO_BIO_READ_ROUNDS_MAX));
-  
-  return total;
-}
-
-
-static int
-io_skip_chunk(BroBuf *buf, uint32 buf_off, uint32 chunk_size)
-{
-  if (! buf)
-    return FALSE;
-
-  if (! __bro_buf_ptr_seek(buf, buf_off, SEEK_SET))
-    return FALSE;
-
-  /* We skip a uint32 for the chunk size and then chunk_size
-   * bytes.
-   */
-  if (! __bro_buf_ptr_seek(buf, sizeof(uint32) + chunk_size, SEEK_CUR))
-    return FALSE;
-  
-  D(("Skipping %i + %i\n", sizeof(uint32), chunk_size));
-
-  return TRUE;
-}
-
-
-static int
-io_process_serialization(BroConn *bc)
-{
-  BroVal vbuf;
-
-  D_ENTER;
-
-  if (! __bro_buf_read_char(bc->rx_buf, &vbuf.val_char))
-    {
-      D(("Couldn't read serialization type\n"));
-      D_RETURN_(FALSE);
-    }
-
-  switch (vbuf.val_char)
-    {
-    case 'e':
-      {
-	BroEvent *ev;
-
-	bc->rx_ev_start = (const char*) bro_buf_ptr_get(bc->rx_buf);
-
-	D(("Processing serialized event.\n"));
-	if (! (ev = __bro_event_unserialize(bc)))
-	  {
-	    bc->rx_ev_start = bc->rx_ev_end = NULL;
-	    D_RETURN_(FALSE);
-	  }
-
-	bc->rx_ev_end = (const char*) bro_buf_ptr_get(bc->rx_buf);	
-	__bro_event_reg_dispatch(bc, ev);
-	__bro_event_free(ev);      
-	bc->rx_ev_start = bc->rx_ev_end = NULL;
-      }
-      break;
-
-    case 'i':
-      {
-	BroID *id;
-
-	D(("Processing serialized ID.\n"));
-	if (! (id = (BroID *) __bro_sobject_unserialize(SER_IS_ID, bc)))
-	  D_RETURN_(FALSE);
-	
-	D(("ID read successfully.\n"));
-	/* Except we don't do anything with it yet. :) */
-	__bro_sobject_release((BroSObject *) id);
-      }
-      break;
-
-    case 'p':
-      {
-#ifdef BRO_PCAP_SUPPORT
-	BroPacket *packet;
-	
-	if (! (packet = __bro_packet_unserialize(bc)))
-	  D_RETURN_(FALSE);
-	
-	D(("Packet read successfully.\n"));
-	bro_packet_free(packet);
-#else
-	D_RETURN_(FALSE);
-#endif
-      }
-      break;
-
-    default:
-      /* We do not handle anything else yet -- just say
-       * we are happy and return.
-       */
-      D(("Unknown serialization of type %c\n", vbuf.val_char));
-      D_RETURN_(FALSE);
-    }
-
-  /* After a complete unserialization, we enforce the size limit
-   * of the cache. We can't do it on the go as a new object that
-   * is unserialized may still contain references to previously
-   * cached items which we might evict.
-   */
-  while (__bro_ht_get_size(bc->io_cache) > bc->io_cache_maxsize)
-    __bro_ht_evict_oldest(bc->io_cache);
-  
-  D_RETURN_(TRUE);
-}
-
-
-/* Writing-related --------------------------------------------------- */
-
-static int
-io_fill_raw(BroBuf *buf, BroBuf *data)
-{
-  return __bro_buf_write_data(buf, __bro_buf_get(data), __bro_buf_get_used_size(data));
-}
-
-
-static int
-io_fill_request(BroBuf *buf, BroRequest *req)
-{
-  return __bro_buf_write_data(buf, req->req_dat, req->req_len);
-}
-
-static int
-io_fill_msg_header(BroBuf *buf, BroMsgHeader *mh)
-{
-  mh->hdr_peer_id = htonl(mh->hdr_peer_id);
-  return __bro_buf_write_data(buf, mh, sizeof(BroMsgHeader));
-}
-
-static int
-io_msg_empty_tx(BroConn *bc)
-{
-  int n;
-  int todo;
-
-  D_ENTER;
-
-  if (bc->state->tx_dead && (bc->conn_flags & BRO_CFLAG_RECONNECT))
-    bro_conn_reconnect(bc);      
-
-  if (bc->state->tx_dead)
-    {
-      D(("Connection dead, not writing anything. Todo: %i\n", __bro_buf_get_used_size(bc->tx_buf)));
-      D_RETURN_(FALSE);
-    }
-
-  /* This function loops until the entire buffer contents
-   * are written out. This is not perfect but easier for now.
-   * Revisit this as a FIXME.
-   */
-  for ( ; ; )
-    {
-      todo = __bro_buf_get_used_size(bc->tx_buf);
-
-      if (todo == 0)
-	D_RETURN_(TRUE);
-      
-      n = __bro_openssl_write(bc, __bro_buf_get(bc->tx_buf), todo);
-      
-      /* If we couldn't write out anything at all, then we report
-       * failure.
-       */      
-      if (n < 0)
-	{
-	  D(("SSL error -- nothing written.\n"));
-	  D_RETURN_(FALSE);
-	}
-      
-      if (0 < n && n < todo)
-	{
-	  /* We have an incomplete write. Consume what we were
-	   * able to write out.
-	   */
-	  D(("*** Incomplete write: %i/%i\n", n, todo));
-	  
-	  if (! __bro_buf_ptr_seek(bc->tx_buf, n, SEEK_SET))
-	    {
-	      /* This should never happen. */
-	      D(("*** Buffer contents are screwed :(\n"));
-	      D_RETURN_(FALSE);
-	    }
-	  
-	  __bro_buf_consume(bc->tx_buf);
-	}
-      
-      D(("<<< Sent %i/%i bytes.\n", n, todo));
-      
-      if (n == todo)
-	{
-	  /* If we wrote out everything that was left, report success. */
-	  __bro_buf_reset(bc->tx_buf);
-	  D_RETURN_(TRUE);
-	}
-    }
-}
-
-static int      
-io_msg_fill_tx(BroConn *bc, BroMsg *msg)
-{
-  int result = TRUE;
-
-  D_ENTER;
-
-  if (!bc || !msg)
-    {
-      D(("Input error.\n"));
-      D_RETURN_(FALSE);
-    }
-
-  /* Check if anything is still left in the input buffer. In that case,
-   * we don't fill anything in but return right away, so the message
-   * gets queued.
-   */
-  if (__bro_buf_get_used_size(bc->tx_buf) > 0)
-    {
-      D(("Buffer not empty; not filling!\n"));
-      D_RETURN_(FALSE);
-    }
-  
-  D((">>> Attempting write of %s\n", msg_type_2_str(msg->msg_header.hdr_type)));
-
-  /* We will collect the message chunk in the connection's tx buffer.
-   * We append stuff to it as we go along and at the end write it out.
-   * When being sent, he buffer has the amount of octets to send at
-   * the beginning, so the reader knows how much is coming.
-   */
-  __bro_buf_reset(bc->tx_buf);
-
-  msg->msg_header_size = sizeof(BroMsgHeader);
-  
-  if (! __bro_buf_write_int(bc->tx_buf, msg->msg_header_size))
-    {
-      __bro_buf_reset(bc->tx_buf);
-      D_RETURN_(FALSE);
-    }
-  
-  /* Hook in the Bro message header */
-  if (! io_fill_msg_header(bc->tx_buf, &msg->msg_header))
-    {
-      __bro_buf_reset(bc->tx_buf);
-      D_RETURN_(FALSE);
-    }
-  
-  if (msg->msg_cont_type != BRO_MSG_CONT_NONE)
-    {
-      uint32 msg_size_pos, msg_size_end;
-
-      /* This starts another chunk of data (in Bro protocol speak),
-       * but here we cannot yet know how big the chunk will be.
-       * We save the offset in the buffer and return to it later,
-       * overwriting the value with the then correct one.
-       */
-      msg_size_pos = __bro_buf_get_used_size(bc->tx_buf);
-      if (! __bro_buf_write_int(bc->tx_buf, msg->msg_size))
-	{
-	  __bro_buf_reset(bc->tx_buf);
-	  D_RETURN_(FALSE);
-	}
-      
-      /* Gather the payload of the message we are about
-       * to send into the buffer BUF.
-       */
-      switch (msg->msg_cont_type)
-	{
-	case BRO_MSG_CONT_RAW:
-	  D(("Filling raw data into buffer\n"));
-	  if (! io_fill_raw(bc->tx_buf, msg->msg_cont_raw))
-	    {
-	      __bro_buf_reset(bc->tx_buf);
-	      D_RETURN_(FALSE);
-	    }
-	  break;
-	  
-	case BRO_MSG_CONT_EVENT:
-	  /* Check if the peer actually requested the event, and if not,
-	   * drop it silently (i.e., still return success).
-	   */
-	  if (! __bro_ht_get(bc->ev_mask, msg->msg_cont_ev->name.str_val))
-	    {
-	      D(("Event '%s' not requested by peer -- dropping.\n",
-		 msg->msg_cont_ev->name.str_val));
-	      __bro_buf_reset(bc->tx_buf);
-
-	      /* This is not an error but a silent drop, so we
-	       * return success.
-	       */
-	      D_RETURN_(TRUE);
-	    }
-	  
-	  D(("Filling event into buffer\n"));
-	  
-	  if (! __bro_event_serialize(msg->msg_cont_ev, bc))
-	    {
-	      D(("Error during serialization.\n"));
-	      __bro_buf_reset(bc->tx_buf);
-	      D_RETURN_(FALSE);	
-	    }
-	  break;
-	  
-	case BRO_MSG_CONT_REQUEST:
-	  D(("Filling request into buffer\n"));
-	  if (! io_fill_request(bc->tx_buf, msg->msg_cont_req))
-	    {
-	      __bro_buf_reset(bc->tx_buf);
-	      D_RETURN_(FALSE);	
-	    }
-	  break;
-
-#ifdef BRO_PCAP_SUPPORT	  
-	case BRO_MSG_CONT_PACKET:
-	  if (! __bro_packet_serialize(msg->msg_cont_packet, bc))
-	    {
-	      __bro_buf_reset(bc->tx_buf);	      
-	      D_RETURN_(FALSE);
-	    }
-	  break;
-#endif
-	default:
-	  D(("ERROR -- invalid message content code %i\n", msg->msg_cont_type));
-	  break;
-	}
-      
-      /* Now calculate length of entire transmission --
-       * we know where we wrote the uint32 containing the
-       * size of the chunk, and we know where we are now,
-       * so the length is their difference, minus the uint32
-       * itself.
-       */
-      msg_size_end = __bro_buf_get_used_size(bc->tx_buf);
-      msg->msg_size = msg_size_end - msg_size_pos - sizeof(uint32);
-      D(("Serialized message sized %i bytes.\n", msg->msg_size));
-      
-      if (! __bro_buf_ptr_seek(bc->tx_buf, msg_size_pos, SEEK_SET))
-	{
-	  D(("Cannot seek to position %u -- we're screwed.\n", msg_size_pos));
-	  __bro_buf_reset(bc->tx_buf);
-	  D_RETURN_(FALSE);
-	}
-      
-      if (! __bro_buf_write_int(bc->tx_buf, msg->msg_size))
-	{
-	  __bro_buf_reset(bc->tx_buf);
-	  D_RETURN_(FALSE);
-	}
-    }
-  
-  D_RETURN_(result);
-}
-
-
-static int
-io_msg_queue(BroConn *bc, BroMsg *msg)
-{
-  D_ENTER;
-
-  if (!bc || !msg)
-    D_RETURN_(FALSE);
-
-  /* If anything is left over in the buffer, write it out now.
-   * We don't care if it succeeds or not.
-   */
-  io_msg_empty_tx(bc);
-
-  /* If the queue is empty, try to send right away.
-   * If not, enqueue the event, and try to flush.
-   */
-  D(("Enqueing msg of type %s\n", msg_type_2_str(msg->msg_header.hdr_type)));
-
-  if (! bc->msg_queue.tqh_first)
-    {
-      D(("No queue yet.\n"));
-      if (io_msg_fill_tx(bc, msg))
-	{
-	  D(("Message serialized.\n"));
-
-	  if (io_msg_empty_tx(bc))
-	    {
-	      D(("Message sent.\n"));
-	    }
-
-	  __bro_io_msg_free(msg);
-	  bc->state->io_msg = BRO_IOMSG_WRITE;
-	  D_RETURN_(TRUE);
-	}
-    }
-  
-  if (bc->state->tx_dead && ! (bc->conn_flags & BRO_CFLAG_ALWAYS_QUEUE))
-    {
-      D(("Connection %p disconnected, and no queuing requested: dropping message.\n", bc));
-      __bro_io_msg_free(msg);
-      D_RETURN_(FALSE);
-    }
-
-  TAILQ_INSERT_TAIL(&bc->msg_queue, msg, msg_queue);
-  bc->msg_queue_len++;
-  D(("Queue length now %i\n", bc->msg_queue_len));
-  
-  __bro_io_msg_queue_flush(bc);
-
-  /* Check that the queue does not grow too big: */
-  while (bc->msg_queue_len > BRO_MSG_QUEUELEN_MAX)
-    {
-      BroMsg *msg = bc->msg_queue.tqh_first;
-
-      TAILQ_REMOVE(&bc->msg_queue, msg, msg_queue);
-      __bro_io_msg_free(msg);
-      bc->msg_queue_len--;
-      
-      D(("Dropped one message due to excess queue length, now %i\n", bc->msg_queue_len));
-    }
-  
-  D_RETURN_(TRUE);
-}
-
-
-/* Non-static stuff below: ------------------------------------------- */
-
-BroMsg *
-__bro_io_msg_new(char type, uint32 peer_id)
-{
-  static int msg_counter = 0;
-  BroMsg *msg;
-
-  if (! (msg = calloc(1, sizeof(BroMsg))))
-    return NULL;  
-  
-  msg->msg_header.hdr_type = type;
-  msg->msg_header.hdr_peer_id = peer_id;
-  msg->msg_cont_type = BRO_MSG_CONT_NONE;
-  msg->msg_num = msg_counter++;
-
-  return msg;
-}
-
-
-void
-__bro_io_msg_free(BroMsg *msg)
-{
-  if (!msg)
-    return;
-
-  switch (msg->msg_cont_type)
-    {
-    case BRO_MSG_CONT_RAW:
-      __bro_buf_free(msg->msg_cont_raw);
-      break;
-      
-    case BRO_MSG_CONT_EVENT:
-      __bro_event_free(msg->msg_cont_ev);
-      break;
-      
-    case BRO_MSG_CONT_REQUEST:
-      __bro_event_request_free(msg->msg_cont_req);
-      break;
-#ifdef BRO_PCAP_SUPPORT
-    case BRO_MSG_CONT_PACKET:
-      bro_packet_free(msg->msg_cont_packet);
-      break;
-#endif
-
-    default:
-      break;
-    }
-  
-  free(msg);
-}
-
-
-void     
-__bro_io_msg_set_cont(BroMsg *msg, int type, void *content)
-{
-  if (!msg)
-    return;
-
-  msg->msg_cont_type = type;
-
-  switch (type)
-    {
-    case BRO_MSG_CONT_RAW:
-      msg->msg_cont_raw = (BroBuf*) content;
-      D(("Setting raw buffer content for message, type now %i, buffer data: %p\n",
-	 msg->msg_cont_type, content));
-      break;
-      
-    case BRO_MSG_CONT_EVENT:
-      msg->msg_cont_ev = (BroEvent *) content;
-      D(("Setting event content for message, type now %i, event: %s\n",
-	 msg->msg_cont_type, msg->msg_cont.msg_ev->name.str_val));
-      break;
-      
-    case BRO_MSG_CONT_REQUEST:
-      msg->msg_cont_req = (BroRequest *) content;
-      D(("Setting request content for message, type now %i\n", msg->msg_cont_type));
-      break;
-
-#ifdef BRO_PCAP_SUPPORT
-    case BRO_MSG_CONT_PACKET:
-      msg->msg_cont_packet = (BroPacket *) content;
-      break;
-#endif
-
-    default:
-      msg->msg_cont_type = BRO_MSG_CONT_NONE;
-    }
-}
-
-
-int      
-__bro_io_msg_queue_flush(BroConn *bc)
-{
-  BroMsg *msg;
-  int result;
-
-  D_ENTER;
-    
-  if (! bc)
-    D_RETURN_(-1);
-  
-  for ( ; ; )
-    {
-      if (! io_msg_empty_tx(bc))
-	break;
-
-      if (! (msg = bc->msg_queue.tqh_first))
-	break;
-      
-      if (! io_msg_fill_tx(bc, msg))
-	break;
-      
-      TAILQ_REMOVE(&bc->msg_queue, msg, msg_queue);
-      __bro_io_msg_free(msg);
-      bc->msg_queue_len--;
-      
-      bc->state->io_msg = BRO_IOMSG_WRITE;
-    }
-  
-  result = bc->msg_queue_len;  
-  D_RETURN_(result);
-}
-
-
-void
-__bro_io_msg_queue_dump(BroConn *bc, const char *message)
-{
-  BroMsg *msg;
-  
-  printf("%s: connection %p, length %i\n", message, bc, bc->msg_queue_len);
-  
-  for (msg = bc->msg_queue.tqh_first; msg; msg = msg->msg_queue.tqe_next)
-    printf(" -- %s(%i)\n", msg_type_2_str(msg->msg_header.hdr_type), msg->msg_num);
-}
-
-int
-__bro_io_raw_queue(BroConn *bc, int type, uchar *data, int data_len)
-{
-  BroMsg *msg;
-  int result = FALSE;
-  
-  D_ENTER;
-
-  if (!bc)
-    D_RETURN_(FALSE);
-  
-  if (! (msg = __bro_io_msg_new(type, 0)))
-    D_RETURN_(FALSE);
-
-  if (data_len > 0)
-    {      
-      BroBuf *buf;
-
-      if (! (buf = __bro_buf_new()))
-	{
-	  __bro_io_msg_free(msg);
-	  D_RETURN_(FALSE);
-	}
-      
-      __bro_buf_append(buf, data, data_len);
-      __bro_io_msg_set_cont(msg, BRO_MSG_CONT_RAW, buf);
-    }
-
-  result = io_msg_queue(bc, msg);
-  
-  D_RETURN_(result);
-}
-
-int
-__bro_io_rawbuf_queue(BroConn *bc, int type, BroBuf *buf)
-{
-  BroMsg *msg;
-  int result = FALSE;
-  
-  D_ENTER;
-
-  if (!bc || !buf)
-    D_RETURN_(FALSE);
-  
-  if (! (msg = __bro_io_msg_new(type, 0)))
-    D_RETURN_(FALSE);
-
-  __bro_io_msg_set_cont(msg, BRO_MSG_CONT_RAW, buf);
-  result = io_msg_queue(bc, msg);
-  
-  D_RETURN_(result);
-}
-
-int
-__bro_io_event_queue(BroConn *bc, BroEvent *ev)
-{
-  BroEvent *ev_copy;
-  BroMsg *msg;
-  int result;
-
-  D_ENTER;
-
-  if (!bc)
-    D_RETURN_(FALSE);
-  
-  if (! (msg = __bro_io_msg_new(BRO_MSG_SERIAL, 0)))
-    D_RETURN_(FALSE);
-
-  if (! (ev_copy = __bro_event_copy(ev)))
-    {
-      D(("Could not clone event\n"));
-      D_RETURN_(FALSE);
-    }
-
-  __bro_io_msg_set_cont(msg, BRO_MSG_CONT_EVENT, ev_copy);
-  result = io_msg_queue(bc, msg);
-  D_RETURN_(result);  
-}
-
-int
-__bro_io_request_queue(BroConn *bc, BroRequest *req)
-{
-  BroMsg *msg;
-  int result;
-
-  D_ENTER;
-
-  if (!bc)
-    D_RETURN_(FALSE);
-
-  if (! (msg = __bro_io_msg_new(BRO_MSG_REQUEST, 0)))
-    D_RETURN_(FALSE);
-
-  __bro_io_msg_set_cont(msg, BRO_MSG_CONT_REQUEST, req);
-  result = io_msg_queue(bc, msg);
-  D_RETURN_(result);
-}
-
-#ifdef BRO_PCAP_SUPPORT
-int
-__bro_io_packet_queue(BroConn *bc, BroPacket *packet)
-{
-  BroPacket *clone;
-  BroMsg *msg;
-  int result;
-
-  D_ENTER;
-
-  if (!bc)
-    D_RETURN_(FALSE);
-
-  if (! (msg = __bro_io_msg_new(BRO_MSG_SERIAL, 0)))
-    D_RETURN_(FALSE);
-
-  if (! (clone = bro_packet_clone(packet)))
-    {
-      __bro_io_msg_free(msg);
-      D_RETURN_(FALSE);
-    }
-  
-  __bro_io_msg_set_cont(msg, BRO_MSG_CONT_PACKET, clone);
-  result = io_msg_queue(bc, msg);
-  D_RETURN_(result);
-}
-#endif
-
-int
-__bro_io_process_input(BroConn *bc)
-{
-  uint32          buf_off, chunk_size;
-  BroMsgHeader    msg_hdr;
-  int             result = FALSE;
-  
-  D_ENTER;
-  
-  /* Read all available data into receive buffer. Our socket is
-   * nonblocking so if nothing's available we'll be back right
-   * away. If nothing was read, the subsequent for loop will exit
-   * right away, so the io_msg_fill_rx() return code need not be
-   * checked here.
-   */
-  io_msg_fill_rx(bc);
-
-  /* Try to process as much in the input buffer as we can */
-  for ( ; ; )
-    {  
-      D(("----- Attempting to extract a message\n"));
-
-      /* Get the current offset of the buffer pointer to make
-       * sure we can reset to it if things go wrong.
-       */
-      buf_off = __bro_buf_ptr_tell(bc->rx_buf);
-      
-      /* Now check the buffer contents and see if there's enough
-       * for us to analyze it. Start with a uint32 for the size
-       * of the first chunk, and then the chunk itself.
-       */
-      if (! io_read_chunk_size(bc, &chunk_size))
-	goto reset_return;
-      
-      if (chunk_size != sizeof(BroMsgHeader))
-	{
-	  D(("Received chunk should be %i bytes, but is %i\n",
-	     sizeof(BroMsgHeader), chunk_size));
-	  io_skip_chunk(bc->rx_buf, buf_off, chunk_size);
-	  result = TRUE;
-	  continue;
-	}
-      
-      if (! io_read_msg_hdr(bc, &msg_hdr))
-	goto reset_return;
-      
-      switch (msg_hdr.hdr_type)
-	{
-	case BRO_MSG_REQUEST:
-	  {
-	    char *tmp = NULL, *tmp2 = NULL;
-	        
-	    D(("Received MSQ_REQUEST\n"));
-	        
-	    /* We need to read another chunk, whose data will contain
-	     * a sequence of 0-terminated strings, each one being the
-	     * name of an event that the peering Bro is interested in.
-	     */
-	    if (! io_read_chunk_size(bc, &chunk_size))
-	      goto reset_return;
-	        
-	    if (! (tmp = (char *) malloc(chunk_size * sizeof(char))))
-	      goto reset_return;
-	        
-	    if (! __bro_buf_read_data(bc->rx_buf, tmp, chunk_size))
-	      {
-		free(tmp);
-		goto reset_return;
-	      }
-	        
-	    for (tmp2 = tmp; tmp2 < tmp + chunk_size; tmp2 = tmp2 + strlen(tmp2) + 1)
-	      {
-		char *key;
-
-		if (__bro_ht_get(bc->ev_mask, tmp2))
-		  continue;
-		
-		key = strdup(tmp2);
-		__bro_ht_add(bc->ev_mask, key, key);
-		D(("Will report event '%s'\n", tmp2));
-	      }
-
-	    D(("Now reporting %i event(s).\n", __bro_ht_get_size(bc->ev_mask)));
-	    free(tmp);
-	  }
-	  break;
-	    
-	case BRO_MSG_VERSION:
-	  {
-	    uchar *data;
-	    uint32 proto_version;
-	    uint32 cache_size;
-	    uint32 data_version;
-	    uint32 runtime; /* unused */
-
-	    D(("Received MSG_VERSION\n"));
-
-	    /* We need to read another chunk for the raw data.
-	     */
-	    if (! io_read_chunk_size(bc, &chunk_size))
-	      goto reset_return;
-
-	    if (! (data = malloc(sizeof(uchar) * chunk_size)))
-	      goto reset_return;
-
-	    if (! __bro_buf_read_data(bc->rx_buf, data, chunk_size))
-	      {
-		free(data);
-		goto reset_return;
-	      }
-	        
-	    proto_version = ntohl(((uint32 *) data)[0]);
-	    cache_size    = ntohl(((uint32 *) data)[1]);
-	    data_version  = ntohl(((uint32 *) data)[2]);
-	    runtime       = ntohl(((uint32 *) data)[3]);
-
-	    /* If there are more bytes than required for the 4 uint32s
-	     * used above, it means that the peer has sent a connection class
-	     * identifier. Extract and register in the handle.
-	     */
-	    if (chunk_size > 4 * sizeof(uint32))
-	      {
-		if (bc->peer_class)
-		  free(bc->peer_class);
-		
-		bc->peer_class = strdup((char *) (data + 4 * sizeof(uint32)));
-	      }
-
-	    if (proto_version != BRO_PROTOCOL_VERSION)
-	      {
-		D(("EEEK -- we speak protocol version %i, peer speeks %i. Aborting.\n",
-		   BRO_PROTOCOL_VERSION, proto_version));		
-		__bro_openssl_shutdown(bc);
-		goto reset_return;
-	      } else {
-		D(("Protocols compatible, we speak version %i\n", BRO_PROTOCOL_VERSION));
-	      }
-	    
-	    if (data_version != 0 && data_version != BRO_DATA_FORMAT_VERSION)
-	      {
-		D(("EEEK -- we speak data format version %i, peer speeks %i. Aborting.\n",
-		   BRO_DATA_FORMAT_VERSION, data_version));		
-		__bro_openssl_shutdown(bc);
-		goto reset_return;
-	      } else {
-		D(("Data formats compatible, we speak version %i\n", BRO_DATA_FORMAT_VERSION));
-	      }
-	    
-	    bc->io_cache_maxsize = cache_size;
-	    D(("Receiver cache size set to %i entries.\n", cache_size));
-	    free(data);
-
-	    bc->state->conn_state_peer = BRO_CONNSTATE_HANDSHAKE;
-	    D(("VERSION received, on %p, peer now in HANDSHAKE stage.\n"));
-	  }
-	  break;
-	    
-	case BRO_MSG_SERIAL:
-	  {
-	    uint32 pre_serial;
-	        
-	    D(("Received MSQ_SERIAL\n"));
-	    pre_serial = __bro_buf_ptr_tell(bc->rx_buf);
-
-	    if (! io_read_chunk_size(bc, &chunk_size))
-	      goto reset_return;
-	        
-	    if (! io_process_serialization(bc))
-	      io_skip_chunk(bc->rx_buf, pre_serial, chunk_size);
-	  }
-	  break;
-	    
-	case BRO_MSG_CAPTURE_FILTER:
-	  {
-	    uint32 pre_capture;
-
-	    D(("Received MSQ_CAPTURE_FILTER\n"));
-	    pre_capture = __bro_buf_ptr_tell(bc->rx_buf);
-	        
-	    if (! io_read_chunk_size(bc, &chunk_size))
-	      goto reset_return;
-	        
-	    io_skip_chunk(bc->rx_buf, pre_capture, chunk_size);
-	  }
-	  break;
-
-	case BRO_MSG_PHASE_DONE:
-	  /* No additional content for this one. */
-	  switch (bc->state->conn_state_peer)
-	    {
-	    case BRO_CONNSTATE_HANDSHAKE:
-	      /* When we complete the handshake phase, it depends
-	       * on whether or not the peer has requested synced
-	       * state. If so, enter the sync phase, otherwise
-	       * we're up and running.
-	       */
-	      if (bc->state->sync_state_requested)
-		{
-		  bc->state->conn_state_peer = BRO_CONNSTATE_SYNC;
-		  D(("Phase done from peer on %p, sync requested, peer now in SYNC stage.\n", bc));
-		}
-	      else
-		{
-		  bc->state->conn_state_peer = BRO_CONNSTATE_RUNNING;
-		  D(("Phase done from peer on %p, no sync requested, peer now in RUNNING stage.\n", bc));
-		}
-	      break;
-
-	    case BRO_CONNSTATE_SYNC:
-	      bc->state->conn_state_peer = BRO_CONNSTATE_RUNNING;
-	      D(("Phase done from peer on %p, peer now in RUNNING stage.\n", bc));
-	      break;
-	      
-	    default:
-	      D(("Ignoring PHASE_DONE in conn state %i/%i on conn %p\n",
-		 bc->state->conn_state_self, bc->state->conn_state_peer, bc));
-	    }
-	  break;
-	  
-	case BRO_MSG_REQUEST_SYNC:
-		{   	  
-	    uchar *data;
-		
-	    D(("Received MSQ_REQUEST_SYNC, peer now in SYNC stage.\n"));
-		
-	    bc->state->sync_state_requested = 1;
-	    bc->state->conn_state_peer = BRO_CONNSTATE_SYNC;
-
-	    /* We need to read another chunk for the raw data.
-	     */
-	    if (! io_read_chunk_size(bc, &chunk_size))
-	      goto reset_return;
-
-	    if (! (data = malloc(sizeof(uchar) * chunk_size)))
-	      goto reset_return;
-
-	    if (! __bro_buf_read_data(bc->rx_buf, data, chunk_size))
-	      {
-		free(data);
-		goto reset_return;
-	      }
-	    D(("Skipping sync interpretation\n"));
-	    free(data);
-	    break;
-	  }
-	
-	
-	case BRO_MSG_CAPS:
-	  {
-	    uchar *data;
-
-	    D(("Received MSG_CAPS\n"));
-
-	    /* We need to read another chunk for the raw data.
-	     */
-	    if (! io_read_chunk_size(bc, &chunk_size))
-	      goto reset_return;
-
-	    if (! (data = malloc(sizeof(uchar) * chunk_size)))
-	      goto reset_return;
-
-	    if (! __bro_buf_read_data(bc->rx_buf, data, chunk_size))
-	      {
-		free(data);
-		goto reset_return;
-	      }
-	    D(("Skipping capabilities interpretation\n"));
-	    free(data);
-	    break;
-	  }
-
-	default:
-	  D(("Skipping unknown message type %i\n", msg_hdr.hdr_type));
-	  break;
-	}
-      
-      __bro_buf_consume(bc->rx_buf);
-      result = TRUE;
-
-      if ((bc->conn_flags & BRO_CFLAG_YIELD) &&
-	  bc->state->conn_state_self == BRO_CONNSTATE_RUNNING &&
-	  bc->state->conn_state_peer == BRO_CONNSTATE_RUNNING)	  
-	break;
-    }
-  
- reset_return:
-  __bro_buf_ptr_seek(bc->rx_buf, buf_off, SEEK_SET);
-  D_RETURN_(result);
-}
-
-
-void
-__bro_io_loop(BroConn *bc)
-{
-  D_ENTER;
-  
-  for ( ; ; )
-    {
-      D(("I/O loop iteration\n"));
-      
-      switch (bc->state->io_msg)
-	{
-	case BRO_IOMSG_STOP:
-	  D(("I/O process %u exiting by request.\n", getpid()));
-	  __bro_openssl_shutdown(bc);
-	  exit(0);
-	  
-	case BRO_IOMSG_WRITE:
-	  if (bc->state->tx_dead)
-	    break;
-
-	  if (! io_msg_empty_tx(bc))
-	    {	      
-	      D(("I/O handler %u encountered write error.\n", getpid()));
-	      __bro_openssl_shutdown(bc);
-	    }
-	  break;
-
-	case BRO_IOMSG_READ:
-	  if (bc->state->rx_dead)
-	    break;
-
-	  if (io_msg_fill_rx(bc) < 0)
-	    {
-	      D(("I/O handler %u encountered read error.\n", getpid()));
-	      __bro_openssl_shutdown(bc);
-	    }
-	  break;
-	}
-            
-      bc->state->io_msg = BRO_IOMSG_NONE;
-    }  
-}
diff --git a/aux/broccoli/src/bro_io.h b/aux/broccoli/src/bro_io.h
deleted file mode 100644
index 62b4cace38..0000000000
--- a/aux/broccoli/src/bro_io.h
+++ /dev/null
@@ -1,142 +0,0 @@
-/*
-       B R O C C O L I  --  The Bro Client Communications Library
-
-Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to
-deal in the Software without restriction, including without limitation the
-rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-sell copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies of the Software and its documentation and acknowledgment shall be
-given in the documentation and software packages that this Software was
-used.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
-THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-*/
-#ifndef broccoli_io_h
-#define broccoli_io_h
-
-#include <broccoli.h>
-#include <bro_sobject.h>
-
-/**
- * __bro_io_msg_new -- allocates a new message destined to a given peer.
- */
-BroMsg * __bro_io_msg_new(char type, uint32 peer_id);
-
-/**
- * __bro_io_msg_free -- releases message plus any data hooked into it.
- * @msg: msg to free.
- */
-void     __bro_io_msg_free(BroMsg *msg);
-
-/**
- * __bro_io_msg_set_cont -- sets the content of a message.
- * @msg: message to set content of.
- * @type: type of the message, a BRO_MSG_CONT_xxx constant.
- * @content: the content itself.
- *
- * The function sets @msg's content, of given @type, to @content.
- * Note that __bro_io_msg_free will release the data pointed to
- * by @content, depending on @type!
- */
-void     __bro_io_msg_set_cont(BroMsg *msg, int type, void *content);
-
-int      __bro_io_msg_queue_flush(BroConn *bc);
-void     __bro_io_msg_queue_dump(BroConn *bc, const char *message);
-
-/**
- * __bro_io_raw_queue -- enqueues raw data.
- * @bc: connection handle.
- * @type: type of the message, a BRO_MSG_xxx value.
- * @data: raw bytes of data
- * @data_len: length of @data.
- *
- * The function enqueues a message containing raw data for a
- * message of type @type.
- *
- * Returns: %FALSE on error, %TRUE otherwise.
- */
-int      __bro_io_raw_queue(BroConn *bc, int type,
-			    uchar *data, int data_len);
-
-/**
- * __bro_io_rawbuf_queue -- enqueues raw buffer data.
- * @bc: connection handle.
- * @type: type of the message, a BRO_MSG_xxx value.
- * @buf: buffer with payload to be enqueued.
- *
- * The function enqueues a message containing raw buffer data for a
- * message of type @type.
- *
- * NOTE: @buf's ownership is taken over by the function. You do not
- * need to clean it up, and should not expect the pointer to it to
- * remain valid.
- *
- * Returns: %FALSE on error, %TRUE otherwise.
- */
-int      __bro_io_rawbuf_queue(BroConn *bc, int type, BroBuf *buf);
-
-/**
- * __bro_io_event_queue -- enqueues an event.
- * @bc: connection handle.
- * @ev: event handle.
- *
- * The function enqueues an event for later transmission.
- *
- * Returns: %FALSE on error, %TRUE otherwise.
- */
-int      __bro_io_event_queue(BroConn *bc, BroEvent *ev);
-
-/**
- * __bro_io_request_queue -- enqueues a request.
- * @bc: connection handle.
- * @req: request handle.
- *
- * The function enqueues an request for later transmission.
- *
- * Returns: %FALSE on error, %TRUE otherwise.
- */
-int      __bro_io_request_queue(BroConn *bc, BroRequest *req);
-
-/**
- * __bro_io_packet_queue - enqueues a pcap packet.
- * @bc: connection handle.
- * @packet: pcap packet.
- *
- * The function enqueues a pcap packet wrapped via bro_packet_new()
- * for later transmission.
- *
- * Returns: %FALSE on error, %TRUE otherwise.
- */
-#ifdef BRO_PCAP_SUPPORT
-int      __bro_io_packet_queue(BroConn *bc, BroPacket *packet);
-#endif
-
-
-int      __bro_io_process_input(BroConn *bc);
-
-void     __bro_io_writer_loop(BroConn *bc);
-
-/**
- * __bro_io_loop -- performs I/O in the handler process.
- * @bc: connection handle.
- *
- * This function is the implementation of the I/O handler processes.
- * It sits in a blocking loop and depending on the request sent to it via
- * bc->state->io_msg it performs the requested I/O operation. It does not
- * return unless the connection encounters an error or teardown is requested.
- */
-void     __bro_io_loop(BroConn *bc);
-
-#endif
diff --git a/aux/broccoli/src/bro_lexer.l b/aux/broccoli/src/bro_lexer.l
deleted file mode 100644
index 0353e922e5..0000000000
--- a/aux/broccoli/src/bro_lexer.l
+++ /dev/null
@@ -1,42 +0,0 @@
-%option noyywrap
-
-%{
-#ifdef HAVE_CONFIG_H
-#include "config.h"
-#endif
-
-#include <string.h>
-#include "broccoli.h"
-#include "bro_debug.h"
-#include "bro_parser.h"
-
-int broerror(char *fmt, ...);
-#define yyerror broerror
-#define yylval brolval
-
-extern int bro_parse_lineno;
-
-%}
-
-
-%%
-[\[\]]	                 return yytext[0];
-
-yes|true|on    		 { yylval.i = 1; return BROINT; }
-no|false|off    	 { yylval.i = 0; return BROINT; }
-[ \t]+           	 ;
-[0-9]+                   { yylval.i = strtol(yytext, NULL, 10); return BROINT; }
-[0-9]+\.[0-9]+           { yylval.d = strtod(yytext, NULL); return BRODOUBLE; }
-[[:alnum:][:punct:]]+    { yylval.s = strdup(yytext); return BROWORD; }
-\".*\"                   { yylval.s = strdup(yytext+1);
-                           yylval.s[strlen(yylval.s) - 1] = '\0';
-                           return BROSTRING;
-                         }
-
-"#".*\n                  { bro_parse_lineno++; }
-"//".*\n                 { bro_parse_lineno++; }
-\n                       { bro_parse_lineno++; }
-
-.                        { D(("Syntax error: '%s'\n", yytext)); }
-
-%%
diff --git a/aux/broccoli/src/bro_list.c b/aux/broccoli/src/bro_list.c
deleted file mode 100644
index 729a6a033d..0000000000
--- a/aux/broccoli/src/bro_list.c
+++ /dev/null
@@ -1,302 +0,0 @@
-/*
-       B R O C C O L I  --  The Bro Client Communications Library
-
-Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to
-deal in the Software without restriction, including without limitation the
-rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-sell copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies of the Software and its documentation and acknowledgment shall be
-given in the documentation and software packages that this Software was
-used.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
-THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-*/
-#if HAVE_CONFIG_H
-# include <config.h>
-#endif
-#include <unistd.h>
-#include <stdio.h>
-#include <stdlib.h>
-
-#include <bro_debug.h>
-#include <bro_list.h>
-
-struct bro_list
-{
-  struct bro_list *prev;
-  struct bro_list *next;
-  void            *data;
-};
-
-
-BroList *
-__bro_list_new(void *data)
-{
-  BroList *l;
-
-  l = calloc(1, sizeof(BroList));
-  l->prev = l->next = NULL;
-  l->data = data;
-
-  return l;
-}
-
-
-void      
-__bro_list_free(BroList *l, BroFunc free_func)
-{
-  BroList *lnext;
-
-  while (l)
-    {
-      lnext = l->next;
-      if (l->data && free_func)
-	{
-	  free_func(l->data);     
-	}
-      free(l);
-      l = lnext;
-    }
-}
-
-
-BroList *
-__bro_list_head(BroList *l)
-{
-  if (!l)
-    return NULL;
-
-  while (l->prev)
-    l = l->prev;
-  
-  return l;
-}
-
-
-BroList *
-__bro_list_next(BroList *l)
-{
-  if (!l)
-    return NULL;
-
-  return l->next;
-}
-
-
-BroList *
-__bro_list_prev(BroList *l)
-{
-  if (!l)
-    return NULL;
-
-  return l->prev;
-}
-
-
-BroList *
-__bro_list_nth(BroList *l, int n)
-{
-  while (l && n > 0)
-    {
-      l = l->next;
-      n--;
-    }
-
-  return l;
-}
-
-
-int      
-__bro_list_length(BroList *l)
-{
-  int i = 0;
-
-  while (l)
-    {
-      i++;
-      l = l->next;
-    }
-
-  return i;
-}
-
-
-BroList *
-__bro_list_append(BroList *l, void *data)
-{
-  BroList *ltmp = NULL;
-  BroList *lnew = NULL;
-
-  lnew = __bro_list_new(data);
-
-  if (l)
-    {
-      ltmp = l;
-
-      while (ltmp->next)
-	ltmp = ltmp->next;
- 
-      ltmp->next = lnew;
-    }
-
-  lnew->prev = ltmp;
-  return l ? l : lnew;
-}
-
-
-BroList *
-__bro_list_prepend(BroList *l, void *data)
-{
-  BroList *lnew;
-
-  lnew = __bro_list_new(data);
-  lnew->next = l;
-
-  if (l)
-    l->prev = lnew;
-
-  return lnew;
-}
-
-
-BroList *
-__bro_list_insert(BroList *l, void *data)
-{
-  BroList *new;
-
-  /* Data item can be NULL if user wants that */
-  if (!l)
-    return NULL;
-
-  new = __bro_list_new(data);
-  new->next = l->next;
-  new->prev = l;
-  
-  l->next = new;
-
-  if (new->next)
-    new->next->prev = l;
-  
-  return new;
-}
-
-
-BroList *
-__bro_list_remove(BroList *l, BroList *item)
-{
-  BroList *prev;
-  BroList *next;
-
-  if (!l)
-    return NULL;
-
-  prev = item->prev;
-  next = item->next;
-  free(item);
-
-  /* first item */
-  if (!prev)
-    {
-      if (!next)
-	return NULL;
-      else
-	{
-	  next->prev = NULL;
-	  return next;
-	}
-    }
-
-  /* last item */
-  if (!next)
-    {
-      if (!prev)
-	return l;
-      else
-	{
-	  prev->next = NULL;
-	  return l;
-	}      
-    }
-
-  /* middle item */
-  prev->next = next;
-  next->prev = prev;
-
-  return l;
-}
-
-
-void     *
-__bro_list_data(BroList *l)
-{
-  if (!l)
-    return NULL;
-
-  return l->data;
-}
-
-
-void    *
-__bro_list_set_data(BroList *l, void *data)
-{
-  void *result;
-
-  if (!l)
-    return NULL;
-
-  result = l->data;
-  l->data = data;
-
-  return result;
-}
-
-
-BroList *
-__bro_list_move_to_front(BroList *l, BroList *item)
-{
-  BroList *prev;
-  BroList *next;
-
-  if (!l || !item)
-    return NULL;
-
-  prev = item->prev;
-  next = item->next;
-
-  /* first item already */
-  if (!prev)
-    return l;
-
-  /* last item */
-  if (!next)
-    {
-      prev->next = NULL;
-      item->prev = NULL;
-      item->next = l;
-      l->prev = item;
-
-      return item;
-    }      
-
-  /* middle item */
-  prev->next = next;
-  next->prev = prev;
-
-  item->next = l;
-  item->prev = NULL;
-  l->prev = item;
-
-  return item;
-}
diff --git a/aux/broccoli/src/bro_list.h b/aux/broccoli/src/bro_list.h
deleted file mode 100644
index 84479425cb..0000000000
--- a/aux/broccoli/src/bro_list.h
+++ /dev/null
@@ -1,94 +0,0 @@
-/*
-       B R O C C O L I  --  The Bro Client Communications Library
-
-Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to
-deal in the Software without restriction, including without limitation the
-rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-sell copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies of the Software and its documentation and acknowledgment shall be
-given in the documentation and software packages that this Software was
-used.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
-THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-*/
-#ifndef broccoli_list_h
-#define broccoli_list_h
-
-typedef struct bro_list BroList;
-typedef void(*BroFunc) (void *data);
-
-/* Create new list with data item.
- */
-BroList *__bro_list_new(void *data);
-
-/* Erase entire list, applying free_func to each item
- * in order to free it. Pass %NULL for free_func if no-op
- * is desired.
- */
-void     __bro_list_free(BroList *l, BroFunc free_func);
-
-/* Given list element, returns the head of list by
- * walking back to it.
- */
-BroList *__bro_list_head(BroList *l);
-
-/* Next/prev items. */
-BroList *__bro_list_next(BroList *l);
-BroList *__bro_list_prev(BroList *l);
-
-/* Returns nth list member, starting at 0, or NULL if not found.
- */
-BroList *__bro_list_nth(BroList *l, int n);
-
-/* Returns length of list, or 0 on error.
- */
-int      __bro_list_length(BroList *l);
-
-/* Appends item to end of list and returns pointer to
- * the list. NOTE: O(N) runtime. Try to use
- * __bro_list_prepend() or track last list
- * element in case lists contain more than a handful
- * of elements.
- */
-BroList *__bro_list_append(BroList *l, void *data);
-
-/* Prepends item and returns pointer to it.
- */
-BroList *__bro_list_prepend(BroList *l, void *data);
-
-/* Inserts new node for @data after @l.
- * Returns pointer to new item.
- */
-BroList *__bro_list_insert(BroList *l, void *data);
-
-/* Removes a node and returns a pointer to the first
- * element of the resulting list.
- */
-BroList *__bro_list_remove(BroList *l, BroList *ll);
-
-/* List node data element accessor.
- */
-void    *__bro_list_data(BroList *l);
-
-/* Set data of list node, return old ones.
- */
-void    *__bro_list_set_data(BroList *l, void *data);
-
-/* Moves an item to the front of the list. For implementing
- * MRU/LRU schemes.
- */
-BroList *__bro_list_move_to_front(BroList *l, BroList *item);
-
-#endif
diff --git a/aux/broccoli/src/bro_location.c b/aux/broccoli/src/bro_location.c
deleted file mode 100644
index 38f342f815..0000000000
--- a/aux/broccoli/src/bro_location.c
+++ /dev/null
@@ -1,212 +0,0 @@
-/*
-       B R O C C O L I  --  The Bro Client Communications Library
-
-Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to
-deal in the Software without restriction, including without limitation the
-rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-sell copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies of the Software and its documentation and acknowledgment shall be
-given in the documentation and software packages that this Software was
-used.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
-THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-*/
-#if HAVE_CONFIG_H
-# include <config.h>
-#endif
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <sys/types.h>
-#include <string.h>
-#include <unistd.h>
-#include <errno.h>
-#include <sys/time.h>
-
-#ifdef __EMX__
-#include <strings.h>
-#endif 
-
-#include <bro_debug.h>
-#include <bro_location.h>
-
-BroLoc      *
-__bro_loc_new(void)
-{
-  BroLoc *loc;
-
-  D_ENTER;
-
-  if (! (loc = calloc(1, sizeof(BroLoc)))) {
-    D_RETURN_(NULL);
-  }
-
-  __bro_loc_init(loc);
-  
-  D_RETURN_(loc);
-}
-
-
-void
-__bro_loc_init(BroLoc *loc)
-{
-  BroSObject *sobj = (BroSObject *) loc;
-
-  D_ENTER;
-
-  __bro_sobject_init(sobj);
-
-  sobj->read  = (BroSObjectRead) __bro_loc_read;
-  sobj->write = (BroSObjectWrite)__bro_loc_write;
-  sobj->free  = (BroSObjectFree) __bro_loc_free;
-  sobj->clone = (BroSObjectClone) __bro_loc_clone;
-  sobj->hash  = (BroSObjectHash) __bro_loc_hash;
-  sobj->cmp   = (BroSObjectCmp) __bro_loc_cmp;
-  
-  sobj->type_id = SER_LOCATION;
-  bro_string_init(&loc->filename);
-
-  D_RETURN;
-}
-
-
-void
-__bro_loc_free(BroLoc *loc)
-{
-  D_ENTER;
-
-  if (! loc)
-    D_RETURN;
-
-  bro_string_cleanup(&loc->filename);
-  __bro_sobject_free((BroSObject *) loc);
-
-  D_RETURN;
-}
-
-
-int
-__bro_loc_read(BroLoc *loc, BroConn *bc)
-{
-  D_ENTER;
-  
-  if (! loc || ! bc)
-    D_RETURN_(FALSE);
-  
-  if (! __bro_sobject_read((BroSObject *) loc, bc))
-    D_RETURN_(FALSE);
-
-  if (! __bro_buf_read_string(bc->rx_buf, &loc->filename))
-    D_RETURN_(FALSE);  
-  if (! __bro_buf_read_int(bc->rx_buf, &loc->first_line))
-    D_RETURN_(FALSE);
-  if (! __bro_buf_read_int(bc->rx_buf, &loc->last_line))
-    D_RETURN_(FALSE);
-  if (! __bro_buf_read_int(bc->rx_buf, &loc->first_column))
-    D_RETURN_(FALSE);
-  if (! __bro_buf_read_int(bc->rx_buf, &loc->last_column))
-    D_RETURN_(FALSE);
-  
-  D_RETURN_(TRUE);
-}
-
-
-int
-__bro_loc_write(BroLoc *loc, BroConn *bc)
-{
-  D_ENTER;
-
-  if (! loc || ! bc)
-    D_RETURN_(FALSE);
-  
-  if (! __bro_sobject_write((BroSObject *) loc, bc))
-    D_RETURN_(FALSE);
-
-  if (! __bro_buf_write_string(bc->tx_buf, &loc->filename))
-    D_RETURN_(FALSE);
-  if (! __bro_buf_write_int(bc->tx_buf, loc->first_line))
-    D_RETURN_(FALSE);  
-  if (! __bro_buf_write_int(bc->tx_buf, loc->last_line))
-    D_RETURN_(FALSE);
-  if (! __bro_buf_write_int(bc->tx_buf, loc->first_column))
-    D_RETURN_(FALSE);
-  if (! __bro_buf_write_int(bc->tx_buf, loc->last_column))
-    D_RETURN_(FALSE);
-
-  D_RETURN_(TRUE);
-}
-
-
-int
-__bro_loc_clone(BroLoc *dst, BroLoc *src)
-{
-  BroString *string;
-
-  D_ENTER;
-
-  if (! __bro_sobject_clone((BroSObject *) dst, (BroSObject *) src))
-    D_RETURN_(FALSE);
-  
-  if (! (string = bro_string_copy(&src->filename)))
-    D_RETURN_(FALSE);
-  
-  dst->filename = *string;
-  dst->first_line = src->first_line;
-  dst->last_line = src->last_line;
-  dst->first_column = src->first_column;
-  dst->last_column = src->last_column;
-  
-  D_RETURN_(TRUE);
-}
-
-
-uint32
-__bro_loc_hash(BroLoc *loc)
-{
-  uint32 result;
-
-  D_ENTER;
-
-  if (! loc)
-    D_RETURN_(0);
-
-  result = __bro_ht_str_hash(loc->filename.str_val);
-  result ^= loc->first_line;
-  result ^= loc->last_line;
-  result ^= loc->first_column;
-  result ^= loc->last_column;
-
-  D_RETURN_(result);
-
-}
-
-
-int
-__bro_loc_cmp(BroLoc *loc1, BroLoc *loc2)
-{
-  D_ENTER;
-
-  if (! __bro_ht_str_cmp(loc1->filename.str_val, loc2->filename.str_val))
-    D_RETURN_(FALSE);
-  
-  if (loc1->first_line != loc2->first_line ||
-      loc1->last_line != loc2->last_line ||
-      loc1->first_column < loc2->first_column ||
-      loc1->last_column < loc2->last_column ||
-      loc1->last_column > loc2->last_column)
-    D_RETURN_(FALSE);
-  
-  D_RETURN_(TRUE);
-}
diff --git a/aux/broccoli/src/bro_location.h b/aux/broccoli/src/bro_location.h
deleted file mode 100644
index 4843a31299..0000000000
--- a/aux/broccoli/src/bro_location.h
+++ /dev/null
@@ -1,56 +0,0 @@
-/*
-       B R O C C O L I  --  The Bro Client Communications Library
-
-Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to
-deal in the Software without restriction, including without limitation the
-rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-sell copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies of the Software and its documentation and acknowledgment shall be
-given in the documentation and software packages that this Software was
-used.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
-THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-*/
-#ifndef broccoli_location_h
-#define broccoli_location_h
-
-#include <bro_types.h>
-#include <bro_sobject.h>
-
-typedef struct bro_loc BroLoc;
-
-struct bro_loc
-{
-  BroSObject       sobject;
-  
-  BroString        filename;
-  uint32           first_line;
-  uint32           last_line;
-  uint32           first_column;
-  uint32           last_column;
-};
-
-BroLoc          *__bro_loc_new(void);
-void             __bro_loc_init(BroLoc *loc);
-void             __bro_loc_free(BroLoc *loc);
-
-int              __bro_loc_read(BroLoc *loc, BroConn *bc);
-int              __bro_loc_write(BroLoc *loc, BroConn *bc);
-int              __bro_loc_clone(BroLoc *dst, BroLoc *src);
-
-uint32           __bro_loc_hash(BroLoc *loc);
-int              __bro_loc_cmp(BroLoc *loc1, BroLoc *loc2);
-
-#endif
diff --git a/aux/broccoli/src/bro_object.c b/aux/broccoli/src/bro_object.c
deleted file mode 100644
index f388c80984..0000000000
--- a/aux/broccoli/src/bro_object.c
+++ /dev/null
@@ -1,183 +0,0 @@
-/*
-       B R O C C O L I  --  The Bro Client Communications Library
-
-Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to
-deal in the Software without restriction, including without limitation the
-rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-sell copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies of the Software and its documentation and acknowledgment shall be
-given in the documentation and software packages that this Software was
-used.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
-THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-*/
-#if HAVE_CONFIG_H
-# include <config.h>
-#endif
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <sys/types.h>
-#include <string.h>
-#include <unistd.h>
-#include <errno.h>
-#include <sys/time.h>
-
-#ifdef __EMX__
-#include <strings.h>
-#endif 
-
-#include <bro_debug.h>
-#include <bro_location.h>
-#include <bro_object.h>
-
-BroObject      *
-__bro_object_new(void)
-{
-  BroObject *obj;
-
-  D_ENTER;
-
-  if (! (obj = calloc(1, sizeof(BroObject))))
-    D_RETURN_(NULL);
-
-  __bro_object_init(obj);
-
-  D_RETURN_(obj);
-}
-
-void
-__bro_object_init(BroObject *obj)
-{
-  BroSObject *sobj = (BroSObject *) obj;
-
-  D_ENTER;
-
-  __bro_sobject_init(sobj);
-
-  sobj->read  = (BroSObjectRead) __bro_object_read;
-  sobj->write = (BroSObjectWrite)__bro_object_write;
-  sobj->free  = (BroSObjectFree) __bro_object_free;
-  sobj->clone = (BroSObjectClone) __bro_object_clone;
-  sobj->hash  = (BroSObjectHash) __bro_object_hash;
-  sobj->cmp   = (BroSObjectCmp) __bro_object_cmp;
-  
-  D_RETURN;
-}
-
-void
-__bro_object_free(BroObject *obj)
-{
-  D_ENTER;
-
-  if (! obj)
-    D_RETURN;
-  
-  __bro_sobject_release((BroSObject *) obj->loc);
-  __bro_sobject_free((BroSObject *) obj);
-  
-  D_RETURN;
-}
-
-
-int
-__bro_object_read(BroObject *obj, BroConn *bc)
-{
-  char opt;
-
-  D_ENTER;
-
-  if (! __bro_sobject_read((BroSObject *) obj, bc))
-    D_RETURN_(FALSE);
-    
-  if (! __bro_buf_read_char(bc->rx_buf, &opt))
-    D_RETURN_(FALSE);
-  if (opt)
-    {
-      if (! (obj->loc = (BroLoc *) __bro_sobject_unserialize(SER_LOCATION, bc)))
-	D_RETURN_(FALSE);      
-    }
-
-  D_RETURN_(TRUE);
-}
-
-
-int
-__bro_object_write(BroObject *obj, BroConn *bc)
-{
-  D_ENTER;
-  
-  if (! __bro_sobject_write((BroSObject *) obj, bc))
-    D_RETURN_(FALSE);
-  
-  if (! __bro_buf_write_char(bc->tx_buf, obj->loc ? 1 : 0))
-    D_RETURN_(FALSE);
-
-  if (obj->loc && ! __bro_sobject_serialize((BroSObject *) obj->loc, bc))
-    D_RETURN_(FALSE);
-  
-  D_RETURN_(TRUE);
-}
-
-
-int
-__bro_object_clone(BroObject *dst, BroObject *src)
-{
-  D_ENTER;
-  
-  if (! __bro_sobject_clone((BroSObject *) dst, (BroSObject *) src))
-    {
-      D(("Cloning parent failed.\n"));
-      D_RETURN_(FALSE);
-    }
-  
-  if (src->loc && ! (dst->loc = (BroLoc *) __bro_sobject_copy((BroSObject *) src->loc)))
-    {
-      D(("Cloning location failed.\n"));
-      D_RETURN_(FALSE);
-    }
-  
-  D_RETURN_(TRUE);
-}
-
-
-uint32
-__bro_object_hash(BroObject *obj)
-{
-  uint32 result;
-  
-  D_ENTER;
-
-  if (! obj)
-    D_RETURN_(0);
-  
-  result = __bro_sobject_hash((BroSObject *) obj);
-  result ^= __bro_loc_hash(obj->loc);
-
-  D_RETURN_(result);
-
-}
-
-
-int
-__bro_object_cmp(BroObject *obj1, BroObject *obj2)
-{
-  D_ENTER;
-  
-  if (! obj1 || ! obj2)
-    D_RETURN_(FALSE);
-  
-  D_RETURN_(__bro_loc_cmp(obj1->loc, obj2->loc));
-}
diff --git a/aux/broccoli/src/bro_object.h b/aux/broccoli/src/bro_object.h
deleted file mode 100644
index b5fdca6b8b..0000000000
--- a/aux/broccoli/src/bro_object.h
+++ /dev/null
@@ -1,51 +0,0 @@
-/*
-       B R O C C O L I  --  The Bro Client Communications Library
-
-Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to
-deal in the Software without restriction, including without limitation the
-rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-sell copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies of the Software and its documentation and acknowledgment shall be
-given in the documentation and software packages that this Software was
-used.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
-THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-*/
-#ifndef broccoli_object_h
-#define broccoli_object_h
-
-#include <bro_location.h>
-#include <bro_sobject.h>
-
-typedef struct bro_object
-{
-  /* See comments in bro_sobject.h for how Broccoli models
-   * classes, objects, and inheritance. --cpk
-   */
-  BroSObject       sobject;
-  BroLoc          *loc;
-} BroObject;
-
-BroObject       *__bro_object_new(void);
-void             __bro_object_init(BroObject *obj);
-void             __bro_object_free(BroObject *obj);
-
-int              __bro_object_read(BroObject *obj, BroConn *bc);
-int              __bro_object_write(BroObject *obj, BroConn *bc);
-int              __bro_object_clone(BroObject *dst, BroObject *src);
-uint32           __bro_object_hash(BroObject *obj);
-int              __bro_object_cmp(BroObject *obj1, BroObject *obj2);
-
-#endif
diff --git a/aux/broccoli/src/bro_openssl.c b/aux/broccoli/src/bro_openssl.c
deleted file mode 100644
index cd1fbccfe5..0000000000
--- a/aux/broccoli/src/bro_openssl.c
+++ /dev/null
@@ -1,730 +0,0 @@
-/*
-       B R O C C O L I  --  The Bro Client Communications Library
-
-Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to
-deal in the Software without restriction, including without limitation the
-rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-sell copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies of the Software and its documentation and acknowledgment shall be
-given in the documentation and software packages that this Software was
-used.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
-THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-*/
-#if HAVE_CONFIG_H
-# include <config.h>
-#endif
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/stat.h>
-#include <unistd.h>
-#include <errno.h>
-#include <string.h>
-#include <strings.h>
-#include <signal.h>
-#include <netdb.h>
-
-#ifdef __MINGW32__
-#include <winsock.h>
-#else
-#include <fcntl.h>
-#include <sys/socket.h>
-#include <arpa/inet.h>
-#include <sys/un.h>
-#include <netinet/in.h>
-#endif
-
-#ifdef __EMX__
-#include <sys/select.h>
-#endif 
-
-#include <openssl/bio.h>
-#include <openssl/err.h>
-#include <openssl/rand.h>
-#include <openssl/ssl.h>
-#include <openssl/x509v3.h>
-
-#include <broccoli.h>
-#include <bro_types.h>
-#include <bro_debug.h>
-#include <bro_config.h>
-#include <bro_openssl.h>
-
-/* PLEASE NOTE: this file deals with handling I/O through OpenSSL in
- * an unencrypted and an encrypted fashion. There are no ifdefs for one
- * mode or the other, because using OpenSSL connection abstraction helps
- * portability so we always use OpenSSL, even when not encryting traffic.
- *
- * Encryption is automatically attempted if the certificate files can be
- * read from configuration items "/broccoli/host_cert" and "/broccoli/ca_cert".
- * (Note that when Bro peers communicate over an encrypted channel, they
- * both need to certify themselves).
- *
- * Much of the code here is from the O'Reilly book on OpenSSL, by Viega,
- * Messier, and Chandra. However the problem with their example application
- * is that they use SSL_read/SSL_write, thus losing the transparency of
- * the generic BIO_... functions regarding the use of encryption (we do
- * allow for plaintext communication as well). Since I don't want to write
- * duplicate code for the encrypted and unencrypted traffic, I use the
- * approach given in man BIO_f_ssl(3), which uses BIO_new_ssl_connect()
- * so I can still speak into a BIO at all times. In the case of no encryption,
- * it'll simply be a regular BIO.
- *
- * We currently do not support the following:
- * - ephemeral keying.
- * - session caching.
- *
- * I haven't specifically looked at whether this code supports session
- * renegotiation.
- */
-
-/* Broccoli initialization context; defined in bro.c. */
-extern const BroCtx *global_ctx;
-
-/* The connection creation context. If this context is NULL,
- * it means we are not using encryption.
- */
-static SSL_CTX *ctx = NULL;
-
-#ifdef BRO_DEBUG
-static void
-print_errors(void)
-{
-  if (bro_debug_messages)
-    {
-      D(("OpenSSL error dump:\n"));
-      if (ERR_peek_error() == 0)
-	fprintf(stdout, "--> %s\n", strerror(errno));
-      else
-	ERR_print_errors_fp(stdout);
-    }
-}
-#else
-#define print_errors()
-#endif
-
-
-static int
-verify_cb(int ok, X509_STORE_CTX *store)
-{
-  char data[256];
-  int depth, err;
-  X509 *cert;
-
-  if (ok)
-    return ok;
-
-  cert = X509_STORE_CTX_get_current_cert(store);
-  depth = X509_STORE_CTX_get_error_depth(store);
-  err = X509_STORE_CTX_get_error(store);
-  
-  D(("Handshake failure: verification problem at depth %i:\n", depth));
-  X509_NAME_oneline(X509_get_issuer_name(cert), data, 256);
-  D(("  issuer  = %s\n", data));
-  X509_NAME_oneline(X509_get_subject_name(cert), data, 256);
-  D(("  subject = %s\n", data));
-  D(("  error code %i: %s\n", err, X509_verify_cert_error_string(err)));
-  
-  return ok;
-}
-
-
-static int
-prng_init_file(char *file)
-{
-  struct stat st;
-  int fd, flags, i;
-  uchar buf[1024];
-  
-  /* Check if file  is available, and try to seed the PRNG
-   * from it. If things fail, do nothing and rely on OpenSSL to
-   * initialize from /dev/urandom.
-   */
-  
-  if (stat(file, &st) != 0)
-    {
-      D(("%s does not exist, not seeding from it.\n", file));
-      return FALSE;
-    }
-    
-  /* Now we need to figure out how much entropy the device
-   * can provide. We try to read 1K, and accept if it can
-   * read at least 256 bytes.
-   */
-  if ( (fd = open(file, O_RDONLY)) < 0)
-    {
-      D(("Could not read from %s.\n", file));
-      return FALSE;
-    }
-    
-  if ( (flags = fcntl(fd, F_GETFL, 0)) < 0)
-    {
-      D(("can't obtain socket flags: %s", strerror(errno)));
-      close(fd);
-      return FALSE;
-    }
-  
-  if ( fcntl(fd, F_SETFL, flags|O_NONBLOCK) < 0 )
-    {
-      D(("can't set fd to non-blocking: %s.", strerror(errno)));
-      close(fd);
-      return FALSE;
-    }
-    
-  if ( (i = read(fd, buf, 1024)) < 256)
-    {
-      D(("Could only read %i bytes from %s, not enough.\n", i, file));
-      close(fd);
-      return FALSE;
-    }
-  
-  D(("Seeding PRNG from %s, using %i bytes.\n", file, i));
-  close(fd);
-  RAND_seed(buf, i);
-  
-  return TRUE;
-}
-
-
-
-static void
-prng_init(void)
-{
-  static int deja_vu = FALSE;
-  
-  if (deja_vu)
-    return;
-  
-  if (prng_init_file("/dev/random"))
-    {
-      deja_vu = TRUE;
-      return;
-    }
-
-  if (prng_init_file("/dev/urandom"))
-    {
-      deja_vu = TRUE;
-      return;
-    }
-  
-  D(("*** CAUTION: Unable to initialize random number generator ***\n"));
-}
-
-
-static int
-pem_passwd_cb(char *buf, int size, int rwflag, void *pass)
-{
-  /* Note that if |pass| < size, the remainder in buf will be
-   * zero-padded by strncpy().
-   */
-  strncpy(buf, (char *) pass, size);
-  buf[size - 1] = '\0';
-
-  return strlen(buf);
-  rwflag = 0;
-}
-
-int
-__bro_openssl_init(void)
-{
-  static int deja_vu = FALSE;
-  int use_ssl = FALSE;
-  const char *our_cert, *our_pass, *ca_cert;
-  
-  D_ENTER;
-
-  if (deja_vu)
-    D_RETURN_(TRUE);
-
-  deja_vu = TRUE;
-
-  /* I hope these should go before SSL_library_init() -- not even the
-   * O'Reilly book is clear on that. :( --cpk
-   */
-  if (global_ctx)
-    {
-      if (global_ctx->id_func)
-	CRYPTO_set_id_callback(global_ctx->id_func);
-      if (global_ctx->lock_func)
-	CRYPTO_set_locking_callback(global_ctx->lock_func);
-      if (global_ctx->dl_create_func)
-	CRYPTO_set_dynlock_create_callback(global_ctx->dl_create_func);
-      if (global_ctx->dl_lock_func)
-	CRYPTO_set_dynlock_lock_callback(global_ctx->dl_lock_func);
-      if (global_ctx->dl_free_func)
-	CRYPTO_set_dynlock_destroy_callback(global_ctx->dl_free_func);
-    }
-  
-  SSL_library_init();
-  prng_init();
-  
-#ifdef BRO_DEBUG
-  D(("Loading OpenSSL error strings for debugging\n"));
-  SSL_load_error_strings();
-#endif
-
-  if (__bro_conf_get_int("/broccoli/use_ssl", &use_ssl) && ! use_ssl)
-    {
-      D(("SSL disabled in configuration, not using SSL.\n"));
-      D_RETURN_(TRUE);
-    }
-
-  if (! (our_cert = __bro_conf_get_str("/broccoli/host_cert")))
-    {
-      if (use_ssl)
-	{
-	  D(("SSL requested but host certificate not given -- aborting.\n"));
-	  D_RETURN_(FALSE);
-	}
-      else
-	{
-	  D(("use_ssl not used and host certificate not given -- not using SSL.\n"));
-	  D_RETURN_(TRUE);
-	}
-    }
-
-  /* At this point we either haven't seen use_ssl but a host_cert, or
-   * we have seen use_ssl and it is set to true. Either way, we attempt
-   * to set up an SSL connection now and abort if this fails in any way.
-   */
-
-  if (! (ctx = SSL_CTX_new(SSLv3_method())))
-    D_RETURN_(FALSE);
-  
-  /* We expect things to be stored in PEM format, which means that we
-   * can store multiple entities in one file. In this case, our own
-   * certificate is expected to be stored along with the private key
-   * in the file pointed to by preference setting /broccoli/certificate.
-   *
-   * See page 121 in O'Reilly's OpenSSL book for details.
-   */
-  if (SSL_CTX_use_certificate_chain_file(ctx, our_cert) != 1)
-    {
-      D(("Error loading certificate from '%s'.\n", our_cert));
-      goto error_return;
-    }
-  
-  if ( (our_pass = __bro_conf_get_str("/broccoli/host_pass")))
-    {
-      D(("Host passphrase given in config file, not prompting for input.\n"));
-      SSL_CTX_set_default_passwd_cb(ctx, pem_passwd_cb);
-      SSL_CTX_set_default_passwd_cb_userdata(ctx, (void *) our_pass);
-    }
-  
-  if (SSL_CTX_use_PrivateKey_file(ctx, our_cert, SSL_FILETYPE_PEM) != 1)
-    {
-      D(("SSL used but error loading private key from '%s' -- aborting.\n", our_cert));
-      goto error_return;
-    }
-  
-  /* We should not need the passphrase, if existant, ever again.
-   * Therefore we erase it from memory now.
-   */
-  if (our_pass)
-    {
-      our_pass = NULL;
-      __bro_conf_forget_item("/broccoli/host_pass");
-    }
-
-  /* For validation purposes, our trusted CA's certificate will
-   * be needed as well:
-   */
-  if (! (ca_cert = __bro_conf_get_str("/broccoli/ca_cert")))
-    {
-      D(("SSL used but CA certificate not given -- aborting."));
-      goto error_return;
-    }
-  
-  if (! SSL_CTX_load_verify_locations(ctx, ca_cert, 0))
-    {
-      D(("SSL used but CA certificate could not be loaded -- aborting\n"));
-      goto error_return;
-    }
-  
-  /* Only use real ciphers.
-   */
-  if (! SSL_CTX_set_cipher_list(ctx, "HIGH"))
-    {
-      D(("SSL used but can't set cipher list -- aborting\n"));
-      goto error_return;
-    }
-  
-  /* We require certificates from all communication peers, regardless of
-   * whether we're the "server" or "client" (these concepts are blurred in our
-   * case anyway). In order to be able to give better error feedback, we
-   * add our own verification filter callback, "verify_cb".
-   */
-  SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
-		     verify_cb);
-  
-  D(("SSL setup successful.\n"));
-  D_RETURN_(TRUE);
-  
- error_return:
-  SSL_CTX_free(ctx);
-  ctx = NULL;
-  D_RETURN_(FALSE);
-}
-
-int
-__bro_openssl_rand_bytes(u_char *buf, int num)
-{
-  if (! buf || num <= 0)
-    return FALSE;
-
-  /* Make sure PRNG is initialized; has effect only once. */
-  prng_init();
-
-  if (RAND_bytes(buf, num) > 0)
-    return TRUE;
-  
-  RAND_pseudo_bytes(buf, num);
-  return TRUE;
-}
-
-
-int
-__bro_openssl_encrypted(void)
-{
-  return ctx != NULL;
-}
-
-static int
-openssl_connect_impl(BIO *bio, int with_hack)
-{
-  int sockfd, port;
-  struct sockaddr_in addr;
-  char *hostname, *colon;
-  struct hostent *he;
- 
-  /* Okay, I must ask you not to scream now. All the rest of this function
-   * is to make sure that we detect whether the peer is listening or not.
-   * OpenSSL sometimes considers failure to connect() a temporary problem
-   * and I cannot figure out a way to force it to give up when connection
-   * establishment fails. So we establish our own connection and tear it
-   * down right away in case we succeeded. Unfortunately I cannot seem to
-   * figure out a way to just make OpenSSL use the existing connection
-   * either. It's such a mess.
-   */
-
-  /* In the encrypted case we do not have this problem, since the handshake
-   * here is a real one that only succeeds when the remote side answers.
-   */
-  if (ctx)
-    return BIO_do_connect(bio);
-  
-  if (! with_hack)
-    return 1;
-
-  /* I've found BIO_get_conn_...() to be broken even after calling
-   * BIO_do_connect() first, so I'm just doing this whole crap here
-   * manually to get to hostname and port.
-   */
-  if (! (hostname = strdup(BIO_get_conn_hostname(bio))))
-    {
-      D(("Out of memory.\n"));
-      return 0;
-    }
-
-  if (! (colon = strchr(hostname, ':')))
-    {
-      free(hostname);
-      return 0;
-    }
-
-  *colon = '\0';
-  port = atoi(colon + 1);
-  D(("OpenSSL kludge: manual connection to %s:%s\n", hostname, colon+1));
-  
-  if (! (he = gethostbyname(hostname)))
-    {
-      D(("gethostbyname() failed.\n"));
-      free(hostname);
-      return 0;
-    }
-  
-  free(hostname);
-  
-  if (he->h_addr_list[0] == NULL)
-    {
-      D(("Could not resolve hostname.\n"));
-      return 0;
-    }
-  
-  if ( (sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
-    {
-      D(("Could not create socket: %s\n", strerror(errno)));   
-      return 0;
-    }
-  
-  bzero(&addr, sizeof(struct sockaddr_in));
-  addr.sin_family = AF_INET;
-  addr.sin_port = htons(port);
-  addr.sin_addr = *((struct in_addr *) he->h_addr_list[0]);
-
-  if (connect(sockfd, (struct sockaddr *) &addr, sizeof(struct sockaddr_in)) != 0)
-    goto error_return;
-
-  close(sockfd);
-  return 1;
-
- error_return:
-  D(("Connection error: %s\n", strerror(errno)));
-  close(sockfd);
-  return 0;
-}
-
-
-static int
-openssl_connect(BroConn *bc, int with_hack)
-{
- int flags;
-  BIO *bio = NULL;
-
-  D_ENTER;
-
-  if (! bc || ! bc->peer || ! *(bc->peer))
-    D_RETURN_(FALSE);
-  
-  /* Make sure OpenSSL is initialised -- this has effect only once */
-  if (! __bro_openssl_init())
-    D_RETURN_(FALSE);
-
-  /* If we got a socket, we wrap it into a BIO and are done. */
-  if (bc->socket >= 0)
-    {
-      if (! (bio = BIO_new_socket(bc->socket, BIO_CLOSE)))
-	{
-	  D(("Error creating connection BIO from socket.\n"));
-	  goto err_return;
-	}
-
-      if ( (flags = fcntl(bc->socket, F_GETFL, 0)) < 0)
-	{
-	  D(("Error getting socket flags.\n"));
-	  goto err_return;
-	}
-	
-	if ( fcntl(bc->socket, F_SETFL, flags|O_NONBLOCK) < 0 )
-	{
-	  D(("Error setting socket to non-blocking.\n"));
-	  goto err_return;
-	}
-	
-	/* Don't know whether this is needed but it does not hurt either. 
-	 * It is however not sufficient to just call this; we manually need to
-	 * set the socket to non-blocking as done above. */
-	BIO_set_nbio(bio, 1);
-
-	bc->bio = bio;
-	D(("Connection created from externally provided socket.\n"));
-	D_RETURN_(TRUE);
-    }
-
-  /* If we managed to set up a context object, we use encryption. */
-  if (ctx)
-    {
-      if (! (bio = BIO_new_ssl_connect(ctx)))
-	{
-	  D(("Error creating SSL connection BIO.\n"));
-	  goto err_return;
-	}
-
-      BIO_set_conn_hostname(bio, bc->peer);
-    }
-  else
-    {
-      if (! (bio = BIO_new_connect(bc->peer)))
-	{
-	  D(("Error creating non-SSL connection BIO.\n"));
-	  goto err_return;
-	}
-    }
-
-  /* BIO_set_nbio's manpage says we need to set nonblocking before
-   * connecting.
-   */
-  BIO_set_nbio(bio, 1);
-
-  /* This is not exactly elegant but we want to make sure we only
-   * return once the potential SSL handshake is complete.
-   */
-  for ( ; ; )
-    {
-      if (openssl_connect_impl(bio, with_hack) > 0)
-	break;    
-
-      if ( ! BIO_should_retry(bio))
-	{
-	  D(("Error connecting to peer.\n"));
-	  goto err_return;
-	}
-    }
-  
-  bc->bio = bio;
-  D(("Connection established successfully.\n"));
-
-  D_RETURN_(TRUE);
-
- err_return:
-
-  print_errors();
-
-#ifdef BRO_DEBUG
-  if (ctx)
-    D(("--- SSL CONNECTION SETUP FAILED. ---"));
-  else
-    D(("--- CLEARTEXT CONNECTION SETUP FAILED. ---"));
-#endif  
-
-  if (bio)
-    BIO_free_all(bio);
-  
-  bc->state->rx_dead = bc->state->tx_dead = TRUE;
-  bc->bio = NULL;
-  D_RETURN_(FALSE);
-}
-
-
-int
-__bro_openssl_connect(BroConn *bc)
-{
-  return openssl_connect(bc, FALSE);
-}
-
-int
-__bro_openssl_reconnect(BroConn *bc)
-{
-  return openssl_connect(bc, TRUE);
-}
-
-
-void
-__bro_openssl_shutdown(BroConn *bc)
-{
-  if (!bc || !bc->bio)
-    return;
-  
-  if (getpid() != bc->id_pid)
-    return;
-  
-  if (bc->state->rx_dead)
-    return;
-  
-  bc->state->rx_dead = bc->state->tx_dead = TRUE;
-  
-  BIO_flush(bc->bio);
-  BIO_free_all(bc->bio);
-  bc->bio = NULL;
-}
-
-
-int       
-__bro_openssl_read(BroConn *bc, uchar *buf, uint buf_size)
-{
-  int n;
-
-  D_ENTER;
-  
-  /* It's important here to use <= for comparison, since, as the
-   * invaluable O'Reilly OpenSSL book reports, "for each of the four
-   * reading and writing functions, a 0 or -1 return value may or may
-   * not necessarily indicate that an error has occurred." This may or
-   * may not necessarily be indicative of the incredible PITA that
-   * OpenSSL is. --cpk
-   */
-  if ( (n = BIO_read(bc->bio, buf, buf_size)) <= 0)
-    {
-      if (BIO_should_retry(bc->bio))
-	D_RETURN_(0);
-      
-      __bro_openssl_shutdown(bc);
-      D(("Connection closed, BIO_read() returned %i.\n", n));      
-      print_errors();
-      D_RETURN_(-1);
-    }
-    
-  D_RETURN_(n);
-}
-
-
-int
-__bro_openssl_write(BroConn *bc, uchar *buf, uint buf_size)
-{
-  int n;
-  void *old_sig;
-  
-  D_ENTER;
-  
-#ifdef BRO_DEBUG
-  if (bro_debug_messages)
-    {
-      unsigned int i = 0;
-      int last_hex = 0;
-
-      D(("Sending %u bytes: ", buf_size));
- 
-      for (i = 0; i < buf_size; i++)
-	{
-	  if (buf[i] >= 32 && buf[i] <= 126)
-	    {
-	      printf("%s%c", last_hex ? " " : "", buf[i]);
-	      last_hex = 0;
-	    }
-	  else
-	    {
-	      printf(" 0x%.2x", buf[i]);
-	      last_hex = 1;
-	    }
-	}
-      printf("\n");
-    }
-#endif
-
-  /* We may get a SIGPIPE if we write to a connection whose peer
-   * died. Since we don't know the application context in which
-   * we're running, we temporarily set the SIGPIPE handler to our
-   * own and then set it back to the old one after we wrote.
-   */
-  old_sig = signal(SIGPIPE, SIG_IGN);
-  
-  n = BIO_write(bc->bio, buf, buf_size);
-  
-  if (n <= 0)
-    {
-      if (BIO_should_retry(bc->bio))
-	{
-	  n = 0;
-	  goto error_return;
-	}
-
-      print_errors();
-      __bro_openssl_shutdown(bc);
-      D(("Connection closed.\n"));
-      n = -1;
-    }
-  
-  BIO_flush(bc->bio);
-
- error_return:
-  
-  if (old_sig != SIG_ERR)
-    signal(SIGPIPE, old_sig);
-  
-  D_RETURN_(n);
-}
diff --git a/aux/broccoli/src/bro_openssl.h b/aux/broccoli/src/bro_openssl.h
deleted file mode 100644
index 0a450e9d46..0000000000
--- a/aux/broccoli/src/bro_openssl.h
+++ /dev/null
@@ -1,57 +0,0 @@
-/*
-       B R O C C O L I  --  The Bro Client Communications Library
-
-Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to
-deal in the Software without restriction, including without limitation the
-rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-sell copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies of the Software and its documentation and acknowledgment shall be
-given in the documentation and software packages that this Software was
-used.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
-THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-*/
-#ifndef broccoli_openssl_h
-#define broccoli_openssl_h
-
-#include <broccoli.h>
-
-int       __bro_openssl_init(void);
-int       __bro_openssl_encrypted(void);
-int       __bro_openssl_rand_bytes(u_char *buf, int num);
-
-int       __bro_openssl_connect(BroConn *bc);
-
-/* Like __bro_openssl_connect, but uses gross manual-connect hack to make
- * sure peer is actually available.
- */
-int       __bro_openssl_reconnect(BroConn *bc);
-
-void      __bro_openssl_shutdown(BroConn *bc);
-
-int       __bro_openssl_read(BroConn *bc, uchar *buf, uint buf_size);
-
-/**
- * __bro_openssl_write - writes a chunk of data to the connection.
- * @bc: Bro connection handle.
- * @buf: buffer of data to write.
- * @buf_size: size of buffer pointed to by @buf.
- *
- * Returns: value < 0 on error, 1 if all data was written, 0
- * otherwise (*no* data being written).
- */
-int       __bro_openssl_write(BroConn *bc, uchar *buf, uint buf_size);
-
-#endif
diff --git a/aux/broccoli/src/bro_packet.c b/aux/broccoli/src/bro_packet.c
deleted file mode 100644
index da6d484a88..0000000000
--- a/aux/broccoli/src/bro_packet.c
+++ /dev/null
@@ -1,201 +0,0 @@
-/*
-       B R O C C O L I  --  The Bro Client Communications Library
-
-Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to
-deal in the Software without restriction, including without limitation the
-rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-sell copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies of the Software and its documentation and acknowledgment shall be
-given in the documentation and software packages that this Software was
-used.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
-THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-*/
-#if HAVE_CONFIG_H
-# include <config.h>
-#endif
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <sys/types.h>
-#include <string.h>
-#include <unistd.h>
-#include <errno.h>
-#include <sys/time.h>
-
-#ifdef __EMX__
-#include <strings.h>
-#endif 
-
-#include <bro_types.h>
-#include <bro_debug.h>
-#include <bro_packet.h>
-
-
-static int
-packet_get_link_header_size(int dl)
-{
-  switch (dl)
-    {
-    case DLT_NULL:
-      return 4;
-      
-    case DLT_EN10MB:
-      return 14;
-      
-    case DLT_FDDI:
-      return 13 + 8;
-#ifdef LINUX_HOST      
-    case DLT_LINUX_SLL:
-      return 16;
-#endif
-    case DLT_RAW:
-      return 0;
-    }
-  
-  D(("WARNING: unknown DLT type %i encountered.\n", dl));
-  return -1;
-}
-
-
-BroPacket     *
-__bro_packet_unserialize(BroConn *bc)
-{
-  BroPacket *packet;
-
-  if (! (packet = calloc(1, sizeof(BroPacket))))
-    return NULL;
-
-  if (! __bro_packet_read(packet, bc))
-    {
-      bro_packet_free(packet);
-      return NULL;
-    }
-
-  return packet;
-}
-
-
-int
-__bro_packet_serialize(BroPacket *packet, BroConn *bc)
-{
-  D_ENTER;
-
-  /* Prepare the beginning of a serialized packet.
-   */
-  if (! __bro_buf_write_char(bc->tx_buf, 'p'))
-    D_RETURN_(FALSE);
-
-  if (! __bro_packet_write(packet, bc))
-    D_RETURN_(FALSE);
-
-  D_RETURN_(TRUE);
-}
-
-
-int
-__bro_packet_read(BroPacket *packet, BroConn *bc)
-{
-  BroString packet_data;
-  BroString packet_tag;
-  uint32 tv_sec, tv_usec, len, pcap_link_type;
-  
-  D_ENTER;
-  
-  if (! packet || ! bc)
-    D_RETURN_(FALSE);
-  
-  packet->pkt_link_type = bc->pcap_link_type;
-  packet->pkt_hdr_size  = packet_get_link_header_size(bc->pcap_link_type);
-
-  if (! __bro_buf_read_int(bc->rx_buf, &tv_sec))
-    D_RETURN_(FALSE);
-  if (! __bro_buf_read_int(bc->rx_buf, &tv_usec))
-    D_RETURN_(FALSE);
-  if (! __bro_buf_read_int(bc->rx_buf, &len))
-    D_RETURN_(FALSE);
-  if (! __bro_buf_read_int(bc->rx_buf, &pcap_link_type))
-    D_RETURN_(FALSE);
-  if (! __bro_buf_read_string(bc->rx_buf, &packet_tag))
-    D_RETURN_(FALSE);
-  if (! __bro_buf_read_string(bc->rx_buf, &packet_data))
-    D_RETURN_(FALSE);
-  
-  packet->pkt_pcap_hdr.ts.tv_sec = tv_sec;
-  packet->pkt_pcap_hdr.ts.tv_usec = tv_usec;
-  packet->pkt_pcap_hdr.len = len;
-  packet->pkt_pcap_hdr.caplen = packet_data.str_len;
-  packet->pkt_link_type = pcap_link_type;
-  packet->pkt_data = (const u_char *) packet_data.str_val;
-  packet->pkt_tag = (const char *) packet_tag.str_val;
-  packet->pkt_time = bro_util_current_time();
-  
-  D_RETURN_(TRUE);
-}
-
-int
-__bro_packet_write(BroPacket *packet, BroConn *bc)
-{
-  BroString packet_data;
-  BroString packet_tag;
-  
-  D_ENTER;
-  
-  if (! packet || ! bc)
-    D_RETURN_(FALSE);
-  
-  if (! __bro_buf_write_int(bc->tx_buf, (uint32)packet->pkt_pcap_hdr.ts.tv_sec))
-    D_RETURN_(FALSE);
-  if (! __bro_buf_write_int(bc->tx_buf, (uint32)packet->pkt_pcap_hdr.ts.tv_usec))
-    D_RETURN_(FALSE);
-  if (! __bro_buf_write_int(bc->tx_buf, (uint32)packet->pkt_pcap_hdr.len))
-    D_RETURN_(FALSE);
-  if (! __bro_buf_write_int(bc->tx_buf, (uint32)bc->pcap_link_type))
-    D_RETURN_(FALSE);
-
-  bro_string_init(&packet_tag);
-  packet_tag.str_len = strlen(packet->pkt_tag);
-  packet_tag.str_val = (u_char *) packet->pkt_tag;
-
-  if (! __bro_buf_write_string(bc->tx_buf, &packet_tag))
-    D_RETURN_(FALSE);
-
-  bro_string_init(&packet_data);
-  packet_data.str_len = packet->pkt_pcap_hdr.caplen;
-  packet_data.str_val = (u_char *) packet->pkt_data;
-
-  if (! __bro_buf_write_string(bc->tx_buf, &packet_data))
-    D_RETURN_(FALSE);
-    
-  D_RETURN_(TRUE);
-}
-
-
-int
-__bro_packet_clone(BroPacket *dst, const BroPacket *src)
-{
-  D_ENTER;
-  
-  *dst = *src;
-  
-  if (! (dst->pkt_tag = strdup(src->pkt_tag)))
-    D_RETURN_(FALSE);
-
-  if (! (dst->pkt_data = malloc(src->pkt_pcap_hdr.caplen)))
-    D_RETURN_(FALSE);
-
-  memcpy((u_char *) dst->pkt_data, src->pkt_data, src->pkt_pcap_hdr.caplen);
-  D_RETURN_(TRUE);
-}
diff --git a/aux/broccoli/src/bro_packet.h b/aux/broccoli/src/bro_packet.h
deleted file mode 100644
index 138a5bf477..0000000000
--- a/aux/broccoli/src/bro_packet.h
+++ /dev/null
@@ -1,36 +0,0 @@
-/*
-       B R O C C O L I  --  The Bro Client Communications Library
-
-Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to
-deal in the Software without restriction, including without limitation the
-rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-sell copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies of the Software and its documentation and acknowledgment shall be
-given in the documentation and software packages that this Software was
-used.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
-THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-*/
-#ifndef broccoli_packet_h
-#define broccoli_packet_h
-
-BroPacket     *__bro_packet_unserialize(BroConn *bc);
-int            __bro_packet_serialize(BroPacket *packet, BroConn *bc);
-
-int            __bro_packet_read(BroPacket *packet, BroConn *bc);
-int            __bro_packet_write(BroPacket *packet, BroConn *bc);
-int            __bro_packet_clone(BroPacket *dst, const BroPacket *src);
-
-#endif
diff --git a/aux/broccoli/src/bro_parser.y b/aux/broccoli/src/bro_parser.y
deleted file mode 100644
index 67811ce53d..0000000000
--- a/aux/broccoli/src/bro_parser.y
+++ /dev/null
@@ -1,124 +0,0 @@
-%{
-
-#ifdef HAVE_CONFIG_H
-#include "config.h"
-#endif
-
-#include <unistd.h>
-#include <stdlib.h>
-#include <stdarg.h>
-#include <string.h>
-#include <stdio.h>
-#include <errno.h>
-
-#include "bro_debug.h"
-#include "bro_config.h"
-
-int brolex(void);
-int broparse(void);
-int broerror(char *, ...);
-
-#define yylex brolex
-#define yyparse broparse
-#define yyerror broerror
-
-int bro_parse_errors = 0;
-int bro_parse_lineno = 0;
-const char *bro_parse_filename = NULL;
- 
-%}
-
-%union {
-  int   i;
-  char *s;
-  double d;
-}
-
-%token <i> BROINT
-%token <s> BROWORD BROSTRING
-%token <d> BRODOUBLE
-
-%%
-configfile:
-	   | options
-           ;
-options:     option
-           | options option
-           ;
-
-option:      domain
-           | intopt
-           | stringopt
-           | floatopt
-           ;
-
-intopt:      BROWORD BROINT	{ __bro_conf_add_int($1, $2);
-				  free($1);
-				}
-           ;
-
-stringopt:   BROWORD BROSTRING  { __bro_conf_add_str($1, $2);
-                                  free($1); free($2);
-				}
-	   | BROWORD BROWORD    { __bro_conf_add_str($1, $2);
-                                  free($1); free($2);
-				}
-           ;
-
-floatopt:    BROWORD BRODOUBLE	{ __bro_conf_add_dbl($1, $2);
-				  free($1);
-				}
-           ;
-
-domain:      '[' BROWORD ']'	{ __bro_conf_set_storage_domain($2);
-				  free($2); 
-				}
-           ;
-%%
-
-int
-yyerror(char *fmt, ...)
-{
-  va_list ap;
-  bro_parse_errors++;
-  
-#ifdef BRO_DEBUG
-  va_start(ap, fmt);
-  fprintf(stderr, "%s:%d: ", bro_parse_filename, bro_parse_lineno);
-  vfprintf(stderr, fmt, ap);
-  fprintf(stderr, "\n");
-  va_end(ap);
-#endif
-  return 0;
-}
-
-int
-__bro_parse_config(const char *filename)
-{
-  const char *domain;
-  extern FILE *broin;
-
-  /* Save the current config domain */
-  if ( (domain = __bro_conf_get_domain()))
-    domain = strdup(domain);
-  
-  D(("Parsing configuration from '%s'.\n", filename));
-
-  if (! (broin = fopen(filename, "r")))
-    {
-      D(("Error opening config file %s: %s\n", filename, strerror(errno)));
-      return -1;
-    }
-  
-  bro_parse_lineno = 1;
-  bro_parse_filename = filename;
-  bro_parse_errors = 0;
-
-  yyparse();
-  fclose(broin);
-
-  /* Reset the config domain to the original one. */
-  __bro_conf_set_domain(domain);
-  
-  return (bro_parse_errors ? -1 : 0);
-}
diff --git a/aux/broccoli/src/bro_record.c b/aux/broccoli/src/bro_record.c
deleted file mode 100644
index 032773a028..0000000000
--- a/aux/broccoli/src/bro_record.c
+++ /dev/null
@@ -1,349 +0,0 @@
-/*
-       B R O C C O L I  --  The Bro Client Communications Library
-
-Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to
-deal in the Software without restriction, including without limitation the
-rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-sell copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies of the Software and its documentation and acknowledgment shall be
-given in the documentation and software packages that this Software was
-used.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
-THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-*/
-#if HAVE_CONFIG_H
-# include <config.h>
-#endif
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <sys/types.h>
-#include <string.h>
-#include <unistd.h>
-#include <errno.h>
-
-#ifdef __EMX__
-#include <strings.h>
-#endif 
-
-#include <bro_types.h>
-#include <bro_io.h>
-#include <bro_debug.h>
-#include <bro_val.h>
-#include <bro_record.h>
-
-
-BroRecord *
-__bro_record_new(void)
-{
-  BroRecord *rec;
-
-  if (! (rec = calloc(1, sizeof(BroRecord))))
-    return NULL;
-
-  return rec;
-}
-
-
-void
-__bro_record_free(BroRecord *rec)
-{
-  BroList *l;
-
-  if (! rec)
-    return;
-
-  for (l = rec->val_list; l; l = __bro_list_next(l))
-    {
-      char *field;
-      BroSObject *obj = __bro_list_data(l);
-      
-      if ( (field = __bro_sobject_data_del(obj, "field")))
-	free(field);
-      
-      __bro_sobject_release(obj);
-    }
-  
-  __bro_list_free(rec->val_list, NULL);
-  free(rec);
-}
-
-int
-__bro_record_get_length(BroRecord *rec)
-{
-  D_ENTER;
-
-  if (! rec)
-    D_RETURN_(0);
-
-  D_RETURN_(rec->val_len);
-}
-
-BroRecord     *
-__bro_record_copy(BroRecord *rec)
-{
-  BroList *l;
-  BroVal *val, *val_copy;
-  BroRecord *copy;
-
-  D_ENTER;
-  
-  if (! rec)
-    D_RETURN_(NULL);
-  
-  if (! (copy = __bro_record_new()))
-    D_RETURN_(NULL);
-
-  for (l = rec->val_list; l; l = __bro_list_next(l))
-    {
-      char *field;
-      
-      val = __bro_list_data(l);
-      
-      /* Check if it's an assigned val or not */
-      if (! val->val_type)
-	{
-	  D(("Error: unassigned val in record.\n"));
-	  goto error_return;
-	}
-      
-      if (! (val_copy = (BroVal *) __bro_sobject_copy((BroSObject *) val)))
-	goto error_return;
-      
-#ifdef BRO_DEBUG
-      if (! val_copy->val_type)
-	D(("WARNING -- typeless val duplicated as %p, original %p had type %p\n",
-	   val_copy, val, val->val_type));
-#endif
-      if (! (field = __bro_sobject_data_get((BroSObject *) val, "field")))
-	{
-	  D(("Val %p in record %p doesn't have a field name.\n", val, rec));
-	  goto error_return;
-	}
-            
-      __bro_sobject_data_set((BroSObject *) val_copy, "field", strdup(field));      
-      __bro_record_add_val(copy, val_copy);
-    }
-  
-  D_RETURN_(copy);
-  
- error_return:
-  __bro_record_free(copy);
-  D_RETURN_(NULL);
-}
-
-
-void
-__bro_record_add_val(BroRecord *rec, BroVal *val)
-{
-  if (! rec || ! val)
-    return;
-  
-  rec->val_list = __bro_list_append(rec->val_list, val);
-  rec->val_len++;
-}
-
-
-BroVal *
-__bro_record_get_nth_val(BroRecord *rec, int num)
-{
-  BroList *l;
-  
-  if (! rec || num < 0 || num >= rec->val_len)
-    return NULL;
-
-  if( (l = __bro_list_nth(rec->val_list, num)))
-    return __bro_list_data(l);
-  
-  return NULL;
-}
-
-
-const char *
-__bro_record_get_nth_name(BroRecord *rec, int num)
-{
-  BroList *l;
-
-  if (! rec || num < 0 || num >= rec->val_len)
-    return NULL;
-
-  if( (l = __bro_list_nth(rec->val_list, num)))
-    return __bro_sobject_data_get((BroSObject *) __bro_list_data(l), "field");
-  
-  return NULL;
-}
-
-
-BroVal *
-__bro_record_get_named_val(BroRecord *rec, const char *name)
-{
-  BroList *l;
-  BroVal *val;
-  
-  if (! rec || ! name || ! *name)
-    return NULL;
-  
-  for (l = rec->val_list; l; l = __bro_list_next(l))
-    {
-      char *val_name;
-      
-      val = __bro_list_data(l);
-      val_name = __bro_sobject_data_get((BroSObject *) val, "field");
-      
-      if (val_name && ! strcmp(val_name, name))
-	return val;
-    }
-  
-  return NULL;
-}
-
-
-int
-__bro_record_set_nth_val(BroRecord *rec, int num, BroVal *v)
-{
-  BroVal *val;
-  BroList *l;
-  
-  if (! rec || num < 0 || num >= rec->val_len || ! v)
-    return FALSE;
-  
-  if ( (l = __bro_list_nth(rec->val_list, num)))
-    {
-      val = __bro_list_set_data(l, v);
-      __bro_sobject_release((BroSObject *) val);	  
-      return TRUE;
-    }
-  
-  return FALSE;
-}
-
-
-int
-__bro_record_set_nth_name(BroRecord *rec, int num, const char *name)
-{  
-  BroVal *val;
-  BroList *l;
-
-  if (! rec || num < 0 || num >= rec->val_len || ! name)
-    return FALSE;
-
-  if ( (l = __bro_list_nth(rec->val_list, num)))
-    {
-      char *val_name;
-
-      val = __bro_list_data(l);
-      val_name = __bro_sobject_data_del((BroSObject *) val, "field");
-      if (val_name)
-	free(val_name);
-
-      __bro_sobject_data_set((BroSObject *) val, "field", strdup(name));
-      return TRUE;
-    }
-
-  return FALSE;
-}
-
-
-int
-__bro_record_set_named_val(BroRecord *rec, const char *name, BroVal *v)
-{
-  BroVal *val;
-  BroList *l;
-  
-  if (! rec || ! name || !*name || ! v)
-    return FALSE;
-
-  for (l = rec->val_list; l; l = __bro_list_next(l))
-    {
-      char *val_name;
-      
-      val = __bro_list_data(l);
-      val_name = __bro_sobject_data_get((BroSObject *) val, "field");
-      
-      if (val_name && ! strcmp(val_name, name))
-	{
-	  /* We're about to delete the old val, make sure it doesn't have
-	   * the name tag associated with it.
-	   */
-	  __bro_sobject_data_del((BroSObject *) val, "field");
-	  free(val_name);
-
-	  /* If the new val has a name tag, likewise delete it.
-	   */
-	  if ( (val_name = __bro_sobject_data_del((BroSObject *) val, "field")))
-	    free(val_name);
-
-	  /* Set the new val's name tag
-	   */
-	  __bro_sobject_data_set((BroSObject *) v, "field", strdup(name));
-
-	  __bro_list_set_data(l, v);
-	  __bro_sobject_release((BroSObject *) val);	  
-
-	  return TRUE;
-	}
-    }
-  
-  return FALSE;
-}
-
-uint32
-__bro_record_hash(BroRecord *rec)
-{
-  uint32 result;
-  BroList *l;
-  
-  D_ENTER;
-  
-  if (! rec)
-    D_RETURN_(0);
-  
-  result = rec->val_len;
-  
-  for (l = rec->val_list; l; l = __bro_list_next(l))
-    result ^= __bro_sobject_hash((BroSObject*) __bro_list_data(l));
-
-  D_RETURN_(result);
-}
-
-int
-__bro_record_cmp(BroRecord *rec1, BroRecord *rec2)
-{
-  BroList *l1, *l2;
-
-  D_ENTER;
-
-  if (! rec1 || ! rec2)
-    D_RETURN_(FALSE);
-
-  if (rec1->val_len != rec2->val_len)
-    D_RETURN_(FALSE);
-
-  for (l1 = rec1->val_list, l2 = rec2->val_list; l1 && l2;
-       l1 = __bro_list_next(l1), l2 = __bro_list_next(l2))
-    {
-      if (! __bro_sobject_cmp((BroSObject*) __bro_list_data(l1),
-			      (BroSObject*) __bro_list_data(l2)))
-	D_RETURN_(FALSE);
-    }
-
-  if (l1 || l2)
-    {
-      D(("WARNING -- value list inconsistency.\n"));
-      D_RETURN_(FALSE);
-    }
-  
-  D_RETURN_(TRUE);
-}
diff --git a/aux/broccoli/src/bro_record.h b/aux/broccoli/src/bro_record.h
deleted file mode 100644
index 41bef26678..0000000000
--- a/aux/broccoli/src/bro_record.h
+++ /dev/null
@@ -1,62 +0,0 @@
-/*
-       B R O C C O L I  --  The Bro Client Communications Library
-
-Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to
-deal in the Software without restriction, including without limitation the
-rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-sell copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies of the Software and its documentation and acknowledgment shall be
-given in the documentation and software packages that this Software was
-used.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
-THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-*/
-#ifndef broccoli_record_h
-#define broccoli_record_h
-
-#include <broccoli.h>
-#include <bro_types.h>
-
-/* Typedef is in broccoli.h because the users need to know it -- we keep
- * it opaque for them though by defining it here.
- */
-struct bro_record
-{
-  BroList                     *val_list;
-  int                          val_len;
-};
-
-BroRecord     *__bro_record_new(void);
-void           __bro_record_free(BroRecord *rec);
-BroRecord     *__bro_record_copy(BroRecord *rec);
-int            __bro_record_get_length(BroRecord *rec);
-
-/* Adds the given val as a new field and adopts ownership,
- * i.e, the value is not duplicated internally.
- */
-void           __bro_record_add_val(BroRecord *rec, BroVal *val);
-
-BroVal        *__bro_record_get_nth_val(BroRecord *rec, int num);
-const char    *__bro_record_get_nth_name(BroRecord *rec, int num);
-BroVal        *__bro_record_get_named_val(BroRecord *rec, const char *name);
-
-int            __bro_record_set_nth_val(BroRecord *rec, int num, BroVal *val);
-int            __bro_record_set_nth_name(BroRecord *rec, int num, const char *name);
-int            __bro_record_set_named_val(BroRecord *rec, const char *name, BroVal *val);
-
-uint32         __bro_record_hash(BroRecord *rec);
-int            __bro_record_cmp(BroRecord *rec1, BroRecord *rec2);
-
-#endif
diff --git a/aux/broccoli/src/bro_sem.h b/aux/broccoli/src/bro_sem.h
deleted file mode 100644
index d061429649..0000000000
--- a/aux/broccoli/src/bro_sem.h
+++ /dev/null
@@ -1,106 +0,0 @@
-/*
-       B R O C C O L I  --  The Bro Client Communications Library
-
-Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to
-deal in the Software without restriction, including without limitation the
-rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-sell copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies of the Software and its documentation and acknowledgment shall be
-given in the documentation and software packages that this Software was
-used.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
-THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-*/
-#ifndef broccoli_sem_h
-#define broccoli_sem_h
-
-#include <broccoli.h>
-
-typedef struct bro_sem_impl BroSemImpl;
-
-typedef struct bro_sem {
-  int          sem_blocked;
-  BroSemImpl  *sem_impl;
-} BroSem;
-
-/* Broccoli semaphore abstractions.
- * ================================
- *
- * Semaphores are created with __bro_sem_new() and released with
- * __bro_sem_free(). Before being used they have to be
- * __bro_sem_attach()ed and after using them __bro_sem_detach()ed.
- *
- * Semaphores are initalized to 0.
- *
- * All functions can be called with NULL parameters, for robustness.
- */
-
-int     __bro_sem_init(BroSem *sem, const BroConn *bc);
-void    __bro_sem_cleanup(BroSem *sem);
-
-int     __bro_sem_attach(BroSem *sem);
-int     __bro_sem_detach(BroSem *sem);
-
-/**
- * __bro_sem_decr - decreases semaphore.
- * @sem: semaphore.
- *
- * The function decreases the value of the semaphore by one, returning
- * if the initial value was greater than 0, and blocking otherwise.
- * 
- * Returns: %TRUE on success, %FALSE otherwise.
- */
-int     __bro_sem_decr(BroSem *sem);
-
-
-/**
- * __bro_sem_trydecr - decreases semaphore, but never blocks
- * @sem: semaphore.
- *
- * The function decreases the value of the semaphore by one, returning
- * if the initial value was greater than 0. If the semaphore is
- * currently locked, the function returns %FALSE immediately.
- * 
- * Returns: %TRUE on success, %FALSE otherwise.
- */
-int     __bro_sem_trydecr(BroSem *sem);
-
-
-/**
- * __bro_sem_incr - increases semaphore.
- * @sem: semaphore.
- *
- * The function increases the value of the semaphore by 1.
- *
- * Returns: %TRUE on success, %FALSE otherwise.
- */
-int     __bro_sem_incr(BroSem *sem);
-
-
-/**
- * __bro_sem_get - returns current value of sempahore.
- * @sem: semaphore.
- * @result: result pointer.
- *
- * The function returns the current value of the semaphore through
- * the @result pointer.
- *
- * Returns: %TRUE on success, %FALSE otherwise.
- */
-int     __bro_sem_get(BroSem *sem, int *result);
-
-int     __bro_sem_get_blocked(BroSem *sem, int *result);
-
-#endif
diff --git a/aux/broccoli/src/bro_sem_none.c b/aux/broccoli/src/bro_sem_none.c
deleted file mode 100644
index e805f96aab..0000000000
--- a/aux/broccoli/src/bro_sem_none.c
+++ /dev/null
@@ -1,76 +0,0 @@
-/*
-       B R O C C O L I  --  The Bro Client Communications Library
-
-Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to
-deal in the Software without restriction, including without limitation the
-rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-sell copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies of the Software and its documentation and acknowledgment shall be
-given in the documentation and software packages that this Software was
-used.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
-THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-*/
-#if HAVE_CONFIG_H
-# include <config.h>
-#endif
-
-#include <bro_sem.h>
-
-struct bro_sem { };
-
-BroSem *
-__bro_sem_new(const BroConn *bc)
-{
-  bc = NULL;
-  return NULL;
-}
-
-
-void
-__bro_sem_free(BroSem *sem)
-{
-  sem = NULL;
-}
-
-
-int
-__bro_sem_attach(BroSem *sem)
-{
-  return TRUE;
-  sem = NULL;
-}
-
-
-int
-__bro_sem_detach(BroSem *sem)
-{
-  return TRUE;
-  sem = NULL;
-}
-
-
-int
-__bro_sem_decr(BroSem *sem)
-{
-  sem = NULL;
-}
-
-
-int
-__bro_sem_incr(BroSem *sem)
-{
-  sem = NULL;
-}
diff --git a/aux/broccoli/src/bro_sem_posix.c b/aux/broccoli/src/bro_sem_posix.c
deleted file mode 100644
index d1bf8486ea..0000000000
--- a/aux/broccoli/src/bro_sem_posix.c
+++ /dev/null
@@ -1,213 +0,0 @@
-/*
-       B R O C C O L I  --  The Bro Client Communications Library
-
-Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to
-deal in the Software without restriction, including without limitation the
-rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-sell copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies of the Software and its documentation and acknowledgment shall be
-given in the documentation and software packages that this Software was
-used.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
-THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-*/
-#if HAVE_CONFIG_H
-# include <config.h>
-#endif
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <sys/time.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <string.h>
-#include <fcntl.h>
-#include <semaphore.h>
-#include <errno.h>
-
-#ifdef __EMX__
-#include <strings.h>
-#endif 
-
-#include <bro_debug.h>
-#include <bro_util.h>
-#include <bro_types.h>
-#include <bro_sem.h>
-
-struct bro_sem_impl { 
-  char    *name;
-  sem_t   *sem;
-};
-
-int
-__bro_sem_init(BroSem *sem, const BroConn *bc)
-{
-  static int counter = 0;
-  char sem_name[512]; 
-  
-  D_ENTER;
-  
-  if (! sem || ! bc)
-    D_RETURN_(FALSE);
-  
-  memset(sem, 0, sizeof(BroSem));
-  
-  if (! (sem->sem_impl = calloc(1, sizeof(BroSemImpl))))
-    D_RETURN_(FALSE);
-  
-  __bro_util_snprintf(sem_name, 512, "/broccoli-%u-%i-%i", bc->id_pid, bc->id_num, counter++);
-  sem->sem_impl->name = strdup(sem_name);
-  sem->sem_impl->sem = sem_open(sem_name, O_CREAT, S_IRWXU, 1);
-  
-  if (sem->sem_impl->sem == SEM_FAILED)
-    {
-      if (sem->sem_impl->name)
-	free(sem->sem_impl->name);
-      
-      free(sem->sem_impl);
-      
-      D(("POSIX semaphore creation failed: %s\n", strerror(errno)));
-      D_RETURN_(FALSE);
-    }
-  
-  D_RETURN_(TRUE);
-}
-
-
-void
-__bro_sem_cleanup(BroSem *sem)
-{
-  D_ENTER;
-  
-  if (! sem || ! sem->sem_impl)
-    D_RETURN;
-  
-  sem_unlink(sem->sem_impl->name);
-  
-  free(sem->sem_impl->name);
-  free(sem->sem_impl);
-  memset(sem, 0, sizeof(BroSem));
-  
-  D_RETURN;
-}
-
-
-int
-__bro_sem_attach(BroSem *sem)
-{
-  /* Unused in Posix. */
-  return TRUE;
-  sem = NULL;
-}
-
-
-int
-__bro_sem_detach(BroSem *sem)
-{
-  if (! sem || ! sem->sem_impl)
-    return FALSE;
-
-  sem_close(sem->sem_impl->sem);
-  return TRUE;
-}
-
-
-int
-__bro_sem_decr(BroSem *sem)
-{
-  D_ENTER;
-  
-  if (! sem || ! sem->sem_impl)
-    D_RETURN_(FALSE);
-
-  sem->sem_blocked++;
-
-  if (sem_wait(sem->sem_impl->sem) < 0)
-    {
-      D(("sem_wait() error: %s\n", strerror(errno)));
-      sem->sem_blocked--;
-      D_RETURN_(FALSE);
-    }
-  
-  sem->sem_blocked--;
-  D_RETURN_(TRUE);
-}
-
-
-int
-__bro_sem_trydecr(BroSem *sem)
-{
-  if (! sem || ! sem->sem_impl)
-    return FALSE;
-
-  sem->sem_blocked++;
-
-  if (sem_trywait(sem->sem_impl->sem) < 0)
-    {
-      sem->sem_blocked--;
-
-      if (errno == EAGAIN)
-	return FALSE;
-
-      D(("sem_wait() error: %s\n", strerror(errno)));
-      return FALSE;
-    }
-  
-  sem->sem_blocked--;
-  return TRUE;
-}
-
-
-int
-__bro_sem_incr(BroSem *sem)
-{
-  D_ENTER;
-
-  if (! sem || ! sem->sem_impl)
-    D_RETURN_(FALSE);
-
-  if (sem_post(sem->sem_impl->sem) < 0)
-    {
-      D(("sem_post() error: %s\n", strerror(errno)));
-      D_RETURN_(FALSE);
-    }
-  
-  D_RETURN_(TRUE);
-}
-
-
-int
-__bro_sem_get(BroSem *sem, int *result)
-{
-  if (! sem || ! sem->sem_impl || ! result)
-    return FALSE;
-
-  if (! sem_getvalue(sem->sem_impl->sem, result))
-    return FALSE;
-  
-  return TRUE;
-}
-
-
-int
-__bro_sem_get_blocked(BroSem *sem, int *result)
-{
-  if (! sem || ! sem->sem_impl || ! result)
-    return FALSE;
-
-  *result = sem->sem_blocked;
-
-  return TRUE;
-}
diff --git a/aux/broccoli/src/bro_sem_sysv.c b/aux/broccoli/src/bro_sem_sysv.c
deleted file mode 100644
index 0c13d30373..0000000000
--- a/aux/broccoli/src/bro_sem_sysv.c
+++ /dev/null
@@ -1,255 +0,0 @@
-/*
-       B R O C C O L I  --  The Bro Client Communications Library
-
-Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to
-deal in the Software without restriction, including without limitation the
-rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-sell copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies of the Software and its documentation and acknowledgment shall be
-given in the documentation and software packages that this Software was
-used.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
-THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-*/
-#if HAVE_CONFIG_H
-# include <config.h>
-#endif
-
-#include <stdlib.h>
-#include <sys/types.h>
-#include <sys/ipc.h>
-#include <sys/sem.h>
-#include <sys/stat.h>
-#include <errno.h>
-#include <string.h>
-
-#include <bro_debug.h>
-#include <bro_util.h>
-#include <bro_openssl.h>
-#include <bro_sem.h>
-
-#define BRO_SEM_ATTEMPTS_MAX 50
-
-#ifdef SEM_R
-#define BRO_SEMFLAGS SEM_A|SEM_R
-#else
-#define BRO_SEMFLAGS S_IRWXU
-#endif
-
-/* It's not my fault -- blame the standards and deviating
- * implementations for this goop. :(
- */
-#if defined(BSD_HOST) && ! defined(__NetBSD__)
-/* union semun is defined by including <sys/sem.h> */
-#else
-/* according to X/OPEN we have to define it ourselves */
-union semun {
-  int val;                  /* value for SETVAL */
-  struct semid_ds *buf;     /* buffer for IPC_STAT, IPC_SET */
-  unsigned short *array;    /* array for GETALL, SETALL */
-  /* Linux specific part: */
-  struct seminfo *__buf;    /* buffer for IPC_INFO */
-};
-#endif
-
-
-struct bro_sem_impl { 
-  int      sem_id;
-};
-
-
-int
-__bro_sem_init(BroSem *sem, const BroConn *bc)
-{
-  int sem_id = -1;
-  union semun arg;
-
-  D_ENTER;
-
-  if (! sem || ! sem->sem_impl)
-    D_RETURN_(FALSE);
-
-  memset(sem, 0, sizeof(BroSem));
-
-  /* Attempt to allocate the semaphore set */
-  if ( (sem_id = semget(IPC_PRIVATE, 1, IPC_CREAT|IPC_EXCL|BRO_SEMFLAGS)) < 0)
-    {
-      D(("semget error: %s\n", strerror(errno)));
-      D_RETURN_(FALSE);
-    }
-  
-  /* Initialize the semaphore. Note: I'm not 100% sure whether this
-   * code is prone to the race condition that Stevens describes on
-   * p. 284 of UNP Vol 2 (IPC). It would likely be safer to take
-   * precautions, this is a FIXME.
-   */
-  arg.val = 1;
-  if (semctl(sem_id, 0, SETVAL, arg) < 0)
-    {
-      D(("semctl failed: %s\n", strerror(errno)));
-      D_RETURN_(FALSE);
-    }
-  
-  if (! (sem->sem_impl = calloc(1, sizeof(BroSemImpl))))
-    D_RETURN_(FALSE);
-  
-  sem->sem_impl->sem_id = sem_id;
-  
-  D_RETURN_(TRUE);
-  bc = NULL;
-}
-
-
-void
-__bro_sem_cleanup(BroSem *sem)
-{
-  D_ENTER;
-
-  if (! sem || ! sem->sem_impl)
-    D_RETURN;
-  
-  if (semctl(sem->sem_impl->sem_id, 0, IPC_RMID) < 0)
-    {
-      D(("semctl could not remove semaphore: %s.\n", strerror(errno)));
-    }
-  
-  free(sem->sem_impl);
-  memset(sem, 0, sizeof(BroSem));
-  D_RETURN;
-}
-
-
-int
-__bro_sem_attach(BroSem *sem)
-{
-  /* Unused in SYSV. */
-  return TRUE;
-  sem = NULL;
-}
-
-
-int
-__bro_sem_detach(BroSem *sem)
-{
-  /* Unused in SYSV. */
-  return TRUE;
-  sem = NULL;
-}
-
-
-int
-__bro_sem_decr(BroSem *sem)
-{
-  struct sembuf opt;
-
-  if (! sem || ! sem->sem_impl)
-    return FALSE;
-
-  /* This hopefully does the following atomically:
-   * 
-   * (1) block until the semaphore's value becomes >= 1
-   * (2) subtracts 1 from the semaphore's value (i.e., sets it to 0)
-   * (3) wakes up thread.
-   *
-   * This is how I parse Stevens UNP Vol 2 (IPC), p. 287.
-   */
-  opt.sem_num =  0;
-  opt.sem_op  = -1;
-  opt.sem_flg =  0;
-  sem->sem_blocked++;
-
-  if (semop(sem->sem_impl->sem_id, &opt, 1) < 0)
-    {
-      sem->sem_blocked--;
-      return FALSE;
-    }
-  
-  sem->sem_blocked--;
-  return TRUE;
-}
-
-
-int
-__bro_sem_trydecr(BroSem *sem)
-{
-  struct sembuf opt;
-
-  if (! sem || ! sem->sem_impl)
-    return FALSE;
-
-  opt.sem_num =  0;
-  opt.sem_op  = -1;
-  opt.sem_flg =  IPC_NOWAIT;
-  sem->sem_blocked++;
-
-  if (semop(sem->sem_impl->sem_id, &opt, 1) < 0)
-    {
-      sem->sem_blocked--;
-      return FALSE;
-    }
-
-  sem->sem_blocked--;
-  return TRUE;
-}
-
-
-int
-__bro_sem_incr(BroSem *sem)
-{
-  struct sembuf opt;
-  
-  if (! sem || ! sem->sem_impl)
-    return FALSE;
-  
-  /* Add one to the semaphore's value. That one should
-   * be easy ...
-   */
-  opt.sem_num =  0;
-  opt.sem_op  =  1;
-  opt.sem_flg =  0;
-  
-  if (semop(sem->sem_impl->sem_id, &opt, 1) < 0)
-    return FALSE;
-  
-  return TRUE;
-}
-
-
-int
-__bro_sem_get(BroSem *sem, int *result)
-{
-  if (! sem || ! sem->sem_impl || ! result)
-    return FALSE;
-  
-  if (semctl(sem->sem_impl->sem_id, 0, GETVAL, result) < 0)
-    {
-      D(("semctl failed: %s\n", strerror(errno)));
-      return FALSE;
-    }
-  
-  return TRUE;
-}
-
-
-int
-__bro_sem_get_blocked(BroSem *sem, int *result)
-{
-  if (! sem || ! sem->sem_impl || ! result)
-    return FALSE;
-  
-  *result = sem->sem_blocked;
-  
-  return TRUE;
-}
diff --git a/aux/broccoli/src/bro_shm.h b/aux/broccoli/src/bro_shm.h
deleted file mode 100644
index 0d5590e3a8..0000000000
--- a/aux/broccoli/src/bro_shm.h
+++ /dev/null
@@ -1,43 +0,0 @@
-/*
-       B R O C C O L I  --  The Bro Client Communications Library
-
-Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to
-deal in the Software without restriction, including without limitation the
-rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-sell copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies of the Software and its documentation and acknowledgment shall be
-given in the documentation and software packages that this Software was
-used.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
-THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-*/
-#ifndef broccoli_shm_h
-#define broccoli_shm_h
-
-#include <stdlib.h>
-#include <broccoli.h>
-
-typedef struct bro_shared_mem BroSharedMem;
-
-BroSharedMem  *__bro_shm_new(int size);
-void           __bro_shm_free(BroSharedMem *shm);
-
-int            __bro_shm_attach(BroSharedMem *shm);
-int            __bro_shm_detach(BroSharedMem *shm);
-
-void          *__bro_shm_get_mem(const BroSharedMem *shm);
-int            __bro_shm_get_size(const BroSharedMem *shm);
-
-#endif
diff --git a/aux/broccoli/src/bro_shm_none.c b/aux/broccoli/src/bro_shm_none.c
deleted file mode 100644
index da49307b41..0000000000
--- a/aux/broccoli/src/bro_shm_none.c
+++ /dev/null
@@ -1,103 +0,0 @@
-/*
-       B R O C C O L I  --  The Bro Client Communications Library
-
-Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to
-deal in the Software without restriction, including without limitation the
-rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-sell copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies of the Software and its documentation and acknowledgment shall be
-given in the documentation and software packages that this Software was
-used.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
-THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-*/
-#if HAVE_CONFIG_H
-# include <config.h>
-#endif
-
-#include <bro_shm.h>
-
-struct bro_shared_mem {
-  void    *mem;
-  int      mem_size;
-};
-
-BroSharedMem  *
-__bro_shm_new(int size)
-{
-  BroSharedMem *shm;
-
-  if (size <= 0)
-    return NULL;
-
-  if (! (shm = calloc(1, sizeof(BroSharedMem))))
-    return NULL;
-  
-  if (! (shm->mem = malloc(size)))
-    {
-      free(shm);
-      return NULL;
-    }
-
-  shm->mem_size = size;
-
-  return shm;
-}
-
-
-void
-__bro_shm_free(BroSharedMem *shm)
-{
-  if (! shm)
-    return;
-
-  if (shm->mem)
-    free(shm->mem);
-
-  free(shm);
-}
-
-
-void *
-__bro_shm_get_mem(const BroSharedMem *shm)
-{
-  if (! shm)
-    return NULL;
-
-  return shm->mem;
-}
-
-
-int
-__bro_shm_get_size(const BroSharedMem *shm)
-{
-  return shm->mem_size;
-}
-
-
-int
-__bro_shm_attach(BroSharedMem *shm)
-{
-  return TRUE; 
-  shm = NULL;
-}
-
-
-int
-__bro_shm_detach(BroSharedMem *shm)
-{
-  return TRUE;
-  shm = NULL;
-}
diff --git a/aux/broccoli/src/bro_shm_sysv.c b/aux/broccoli/src/bro_shm_sysv.c
deleted file mode 100644
index 294c300258..0000000000
--- a/aux/broccoli/src/bro_shm_sysv.c
+++ /dev/null
@@ -1,135 +0,0 @@
-/*
-       B R O C C O L I  --  The Bro Client Communications Library
-
-Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to
-deal in the Software without restriction, including without limitation the
-rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-sell copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies of the Software and its documentation and acknowledgment shall be
-given in the documentation and software packages that this Software was
-used.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
-THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-*/
-#if HAVE_CONFIG_H
-# include <config.h>
-#endif
-
-#include <stdlib.h>
-#include <sys/types.h>
-#include <sys/ipc.h>
-#include <sys/stat.h>
-#include <sys/shm.h>
-#include <errno.h>
-#include <string.h>
-
-#include <bro_debug.h>
-#include <bro_shm.h>
-
-struct bro_shared_mem {
-  int      shm_id;
-  int      shm_size;
-  void    *shm_mem;
-
-  int      shm_attached;
-};
-
-BroSharedMem  *
-__bro_shm_new(int size)
-{
-  int shm_id;
-  BroSharedMem *shm;
-
-  if (size <= 0)
-    return NULL;
-
-  if ( (shm_id = shmget(IPC_PRIVATE,size,  IPC_CREAT|IPC_EXCL|S_IRWXU)) < 0)
-    {
-      D(("shmget error: %s\n", strerror(errno)));
-      return NULL;
-    }
-  
-  if (! (shm = calloc(1, sizeof(BroSharedMem))))
-    return NULL;
-  
-  shm->shm_id = shm_id;
-  shm->shm_size = size;
-
-  return shm;
-}
-
-
-void
-__bro_shm_free(BroSharedMem *shm)
-{
-  if (! shm)
-    return;
-
-  shmctl(shm->shm_id, IPC_RMID, NULL);
-  free(shm);
-}
-
-
-void *
-__bro_shm_get_mem(const BroSharedMem *shm)
-{
-  if (! shm || ! shm->shm_attached)
-    return NULL;
-  
-  return shm->shm_mem;
-}
-
-
-int
-__bro_shm_get_size(const BroSharedMem *shm)
-{
-  return shm->shm_size;
-}
-
-
-
-int
-__bro_shm_attach(BroSharedMem *shm)
-{
-  if (! shm)
-    return FALSE;
-
-  shm->shm_mem = shmat(shm->shm_id, NULL, 0);
-  
-  if ((int) shm->shm_mem == -1)
-    {
-      D(("shmat problem: %s.\n", strerror(errno)));
-      return FALSE;
-    }
-
-  shm->shm_attached = TRUE;
-  return TRUE;
-}
-
-
-int
-__bro_shm_detach(BroSharedMem *shm)
-{
-  if (! shm || ! shm->shm_attached)
-    return FALSE;
-
-  if (shmdt(shm->shm_mem) < 0)
-    {
-      D(("shmdt problem: %s.\n", strerror(errno)));
-      return FALSE;
-    }
- 
-  return TRUE;
-}
diff --git a/aux/broccoli/src/bro_sobject.c b/aux/broccoli/src/bro_sobject.c
deleted file mode 100644
index c995cbb270..0000000000
--- a/aux/broccoli/src/bro_sobject.c
+++ /dev/null
@@ -1,519 +0,0 @@
-/*
-       B R O C C O L I  --  The Bro Client Communications Library
-
-Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to
-deal in the Software without restriction, including without limitation the
-rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-sell copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies of the Software and its documentation and acknowledgment shall be
-given in the documentation and software packages that this Software was
-used.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
-THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-*/
-#if HAVE_CONFIG_H
-# include <config.h>
-#endif
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <sys/types.h>
-#include <string.h>
-#include <unistd.h>
-#include <errno.h>
-#include <sys/time.h>
-
-#ifdef __EMX__
-#include <strings.h>
-#endif 
-
-#include <bro_debug.h>
-#include <bro_attr.h>
-#include <bro_attrs.h>
-#include <bro_id.h>
-#include <bro_location.h>
-#include <bro_object.h>
-#include <bro_type.h>
-#include <bro_val.h>
-#include <bro_sobject.h>
-
-static uint32 __bro_sobject_hash_impl(BroSObject *obj);
-static int    __bro_sobject_cmp_impl(BroSObject *obj1, BroSObject *obj2);
-
-/* Factory for object instances -- essentially a mapping from a type ID
- * to a function taking no arguments and returning an object derived
- * from BroSObject.
- */
-typedef struct bro_obj_factory_entry
-{
-  uint16       type_id;
-  BroSObject  *(* create)(void);
-} BroObjFactoryEntry;
-
-static BroObjFactoryEntry obj_factories[] = {
-  { SER_OBJ,              (BroSObjectNew) __bro_object_new },
-  { SER_VAL,              (BroSObjectNew) __bro_val_new },
-  { SER_INTERVAL_VAL,     (BroSObjectNew) __bro_val_new },
-  { SER_PORT_VAL,         (BroSObjectNew) __bro_val_new },
-  { SER_ADDR_VAL,         (BroSObjectNew) __bro_val_new },
-  { SER_SUBNET_VAL,       (BroSObjectNew) __bro_val_new },
-  { SER_NET_VAL,          (BroSObjectNew) __bro_val_new },
-  { SER_STRING_VAL,       (BroSObjectNew) __bro_val_new },
-  { SER_ENUM_VAL,         (BroSObjectNew) __bro_val_new },
-  { SER_LIST_VAL,         (BroSObjectNew) __bro_list_val_new },
-  { SER_MUTABLE_VAL,      (BroSObjectNew) __bro_mutable_val_new },
-  { SER_RECORD_VAL,       (BroSObjectNew) __bro_record_val_new },
-  { SER_TABLE_VAL,        (BroSObjectNew) __bro_table_val_new },
-
-  { SER_TYPE,             (BroSObjectNew) __bro_type_new },
-  { SER_TYPE_LIST,        (BroSObjectNew) __bro_type_list_new },
-  { SER_RECORD_TYPE,      (BroSObjectNew) __bro_record_type_new },
-  { SER_INDEX_TYPE,       (BroSObjectNew) __bro_index_type_new },
-  { SER_TABLE_TYPE,       (BroSObjectNew) __bro_table_type_new },
-  { SER_SET_TYPE,         (BroSObjectNew) __bro_set_type_new },
-  { SER_ATTRIBUTES,       (BroSObjectNew) __bro_attrs_new },
-  { SER_ID,               (BroSObjectNew) __bro_id_new },
-  { SER_LOCATION,         (BroSObjectNew) __bro_loc_new },
-};
-
-
-BroSObject *
-__bro_sobject_create(uint16 type_id)
-{
-  int i, num_factories;
-
-  D_ENTER;
-
-  num_factories = sizeof(obj_factories) / sizeof(BroObjFactoryEntry);
-  
-  for (i = 0; i < num_factories; i++)
-    {
-      if (obj_factories[i].type_id == type_id && obj_factories[i].create)
-	{
-	  BroSObject *result = obj_factories[i].create();
-	  D_RETURN_(result);
-	}
-    }
-  
-  D(("Creation of object type 0x%04x failed.\n", type_id));
-  D_RETURN_(NULL);
-}
-
-
-void
-__bro_sobject_release(BroSObject *obj)
-{
-  D_ENTER;
-
-  if (! obj)
-    D_RETURN;
-
-  obj->ref_count--;
-
-  if (obj->ref_count > 0)
-    {
-      D(("Object %p has non-zero refcount, not releasing\n", obj));
-      D_RETURN;
-    }
-
-  if (obj->free)
-    obj->free(obj);
-  
-  D_RETURN;
-}
-
-
-void
-__bro_sobject_ref(BroSObject *obj)
-{
-  obj->ref_count++;
-}
-
-
-BroSObject      *
-__bro_sobject_copy(BroSObject *obj)
-{
-  BroSObject *clone;
-  
-  D_ENTER;
-  
-  if (! obj)
-    D_RETURN_(NULL);
-  
-  if (! (clone = __bro_sobject_create(obj->type_id)))
-    D_RETURN_(NULL);
-  
-  if (clone->clone)
-    clone->clone(clone, obj);
-  
-  D_RETURN_(clone);
-}
-
-
-BroSObject      *
-__bro_sobject_new(void)
-{
-  BroSObject *obj;
-
-  D_ENTER;
-  
-  if (! (obj = calloc(1, sizeof(BroSObject))))
-    D_RETURN_(NULL);
-  
-  __bro_sobject_init(obj);
-    
-  D_RETURN_(obj);
-}
-
-void
-__bro_sobject_init(BroSObject *obj)
-{
-  D_ENTER;
-  
-  obj->ref_count = 1;
-
-  if (! (obj->data = __bro_ht_new(__bro_ht_str_hash,
-				  __bro_ht_str_cmp,
-				  __bro_ht_mem_free,
-				  NULL,
-				  FALSE)))
-    {
-      D(("Out of memory.\n"));
-      /* FIXME -- add return value to initializer methods. */
-    }
-  
-  obj->read  = __bro_sobject_read;
-  obj->write = __bro_sobject_write;
-  obj->free  = __bro_sobject_free;
-  obj->clone = __bro_sobject_clone;
-  obj->hash  = __bro_sobject_hash_impl;
-  obj->cmp   = __bro_sobject_cmp_impl;
-
-  D_RETURN;
-}
-
-void
-__bro_sobject_free(BroSObject *obj)
-{
-  D_ENTER;
-
-  if (! obj)
-    D_RETURN;
-
-  __bro_ht_free(obj->data);
-  free(obj);
-
-  D_RETURN;
-}
-
-
-int
-__bro_sobject_clone(BroSObject *dst, BroSObject *src)
-{
-  D_ENTER;
-  
-  dst->perm_id = src->perm_id;
-  dst->type_id = src->type_id; /* Should aready be set, but what the heck .. */
-  dst->ref_count = 1;
- 
-  /* We don't clone the contents of the data hashtable -- 
-   * actually we can't right now ...
-   */
- 
-  D_RETURN_(TRUE);
-}
-
-
-static uint32
-__bro_sobject_hash_impl(BroSObject *obj)
-{
-  uint32 result;
-  
-  D_ENTER;
-  
-  if (! obj)
-    D_RETURN_(0);
-  
-  result = obj->perm_id ^ (uint32) obj->type_id;
-  
-  D_RETURN_(result);
-}
-
-
-static int
-__bro_sobject_cmp_impl(BroSObject *obj1, BroSObject *obj2)
-{
-  D_ENTER;
-  
-  if (! obj1 || ! obj2)
-    D_RETURN_(FALSE);
-  
-  if (obj1->perm_id != obj2->perm_id)
-    D_RETURN_(FALSE);
-  
-  D_RETURN_(TRUE);
-}
-
-
-uint32
-__bro_sobject_hash(BroSObject *obj)
-{
-  D_ENTER;
-
-  if (! obj)
-    D_RETURN_(0);
-
-  D_RETURN_(obj->hash(obj));
-}
-
-int
-__bro_sobject_cmp(BroSObject *obj1, BroSObject *obj2)
-{
-  D_ENTER;
-
-  if (! obj1 || !obj2)
-    D_RETURN_(FALSE);
-
-  D_RETURN_(obj1->cmp(obj1, obj2));
-}
-
-
-int
-__bro_sobject_serialize(BroSObject *obj, BroConn *bc)
-{
-  char full_obj;
-
-  D_ENTER;
-
-  if (! obj || !bc)
-    D_RETURN_(FALSE);
-
-  /* Special case for types: they indicate at the very beginning
-   * whether they're transferred in their entirety or just via
-   * their name (in which case we can't do much at the moment).
-   */
-  if ( (obj->type_id & SER_TYPE_MASK) == SER_IS_TYPE)
-    {      
-      BroType *type = (BroType *) obj;
-      
-      D(("Serializing type %X as type\n", obj->type_id));
-
-      if (! __bro_buf_write_char(bc->tx_buf, type->is_complete))
-	D_RETURN_(FALSE);
-      
-      if (! type->is_complete)
-	{
-	  if (! __bro_buf_write_string(bc->tx_buf, &type->type_name))
-	    D_RETURN_(FALSE);
-	  
-	  D(("Type sent by type-name '%s' only.\n", bro_string_get_data(&type->type_name)));
-	  D_RETURN_(TRUE);
-	}
-    }
-  
-  /* FIXME: for now we never use the serialization cache when sending. */
-  full_obj = 1;
-  
-  if (! __bro_buf_write_char(bc->tx_buf, full_obj))
-    D_RETURN_(FALSE);
-  if (! __bro_buf_write_int(bc->tx_buf, obj->perm_id))
-    D_RETURN_(FALSE);
-
-  if (! obj->write(obj, bc))
-    D_RETURN_(FALSE);
-  
-  D_RETURN_(TRUE);
-}
-
-
-BroSObject      *
-__bro_sobject_unserialize(uint16 type_id_wanted, BroConn *bc)
-{
-  BroSObject *obj;
-  char full_obj;
-  uint32 perm_id;
-  uint16 type_id;
-
-  D_ENTER;
-
-  if (! bc)
-    D_RETURN_(NULL);
-  
-  /* Same special case for types as in __bro_sobject_serialize().
-   */
-  if ( (type_id_wanted & SER_TYPE_MASK) == SER_IS_TYPE)
-    {
-      D(("Unserializing a type, checking for name-only format.\n"));
-
-      if (! __bro_buf_read_char(bc->rx_buf, &full_obj))
-	D_RETURN_(NULL);
-
-      if (! full_obj)
-	{
-	  BroString tmp;
-	  bro_string_init(&tmp);
-	  
-	  /* We only get the name. */
-	  if (! __bro_buf_read_string(bc->rx_buf, &tmp))
-	    D_RETURN_(FALSE);
-	  
-	  /* We don't really have a namespace in which we can now
-	   * look up the type, so there's not much we can do!
-	   */
-	  D(("Received name-only type '%s', reporting failure.\n",
-	     bro_string_get_data(&tmp)));
-	  D_RETURN_(FALSE);
-	}
-    }
-  
-  if (! __bro_buf_read_char(bc->rx_buf, &full_obj))
-    D_RETURN_(NULL);
-  
-  if (! __bro_buf_read_int(bc->rx_buf, &perm_id))
-    D_RETURN_(NULL);
-
-  if (! full_obj)
-    {
-#ifdef BRO_DEBUG
-      if (! (bc->conn_flags & BRO_CFLAG_CACHE))
-	D(("WARNING: no caching requested, yet peer sends cached data.\n"));
-#endif
-      if (! (obj = __bro_ht_get(bc->io_cache, (void *)(uintptr_t)  perm_id)))
-	{
-	  D(("Cache inconsistency: cache should contain object %i\n", perm_id));
-	  D_RETURN_(NULL);
-	}
-      
-      __bro_sobject_ref(obj);
-
-      D(("Returning object %i/%p from cache.\n", perm_id, obj));
-      D_RETURN_(obj);
-    }
- 
-  if (! __bro_buf_read_short(bc->rx_buf, &type_id))
-    D_RETURN_(NULL);
-  
-  /* Now check if the stuff that's arriving is actually an
-   * instance of the type we'd like to see -- we can only do
-   * primitive checking for inherited types (when we want to
-   * know that it's a type, say, but we cannot know what exact
-   * kind of type) -- so we just check whether all the bits set
-   * in both type id's match:
-   */
-  if ((type_id_wanted & SER_TYPE_MASK) != (type_id & SER_TYPE_MASK))
-    {
-      D(("Type mismatch in serialization: wanted %04x, got %04x.\n",
-	 type_id_wanted, type_id));
-      D_RETURN_(NULL);
-    }
-  
-  if (! (obj = __bro_sobject_create(type_id)))
-    D_RETURN_(NULL);
-  
-  /* Polymorphism: depending on the constructor of the object,
-   * this call will start from the bottom of the hierarchy and
-   * read members in step by step, so by the time we return
-   * from this function the object is fully unserialized.
-   */
-  if (! obj->read(obj, bc))
-    {
-      D(("Reading object %i of type 0x%04x FAILED.\n", perm_id, type_id));
-      __bro_sobject_release(obj);
-      D_RETURN_(NULL);
-    }
-
-  /* If we have asked the peer to use caching,
-   * make sure the object is in the cache:
-   */
-  if ( (bc->conn_flags & BRO_CFLAG_CACHE) &&
-       ! __bro_ht_get(bc->io_cache, (void *)(uintptr_t) perm_id))
-    {
-      D(("Storing object %i in cache.\n", perm_id));
-      __bro_ht_add(bc->io_cache, (void *)(uintptr_t) perm_id, obj);
-      obj->perm_id = perm_id;
-      __bro_sobject_ref(obj);
-    }
-
-  D(("Object %i of type 0x%04x unserialized successfully.\n", perm_id, type_id));
-  D_RETURN_(obj);
-}
-
-
-int
-__bro_sobject_read(BroSObject *obj, BroConn *bc)
-{
-  D_ENTER;
-  D_RETURN_(TRUE);
-
-  obj = NULL;
-  bc = NULL;
-}
-
-
-int
-__bro_sobject_write(BroSObject *obj, BroConn *bc)
-{
-  D_ENTER;
-  
-  if (! __bro_buf_write_short(bc->tx_buf, obj->type_id))
-    D_RETURN_(FALSE);
-  
-  D_RETURN_(TRUE);
-}
-
-
-void
-__bro_sobject_data_set(BroSObject *obj, const char *key, void *val)
-{
-  D_ENTER;
-
-  if (! obj || ! key || ! *key)
-    D_RETURN;
-
-  __bro_ht_add(obj->data, strdup(key), val);
-  /* D(("Setting data item '%s' in object %p\n", key, obj)); */
-
-  D_RETURN;
-}
-
-
-void *
-__bro_sobject_data_get(BroSObject *obj, const char *key)
-{
-  void *result;
-
-  if (! obj || ! key || ! *key)
-    return NULL;
-
-  result = __bro_ht_get(obj->data, (void *) key);
-  /* D(("Retrieving data item '%s' from object %p yields %p\n", key, obj, result)); */
-  return result;
-}
-
-
-void *
-__bro_sobject_data_del(BroSObject *obj, const char *key)
-{
-  void *result;
-  
-  D_ENTER;
-  
-  if (! obj || ! key || ! *key)
-    D_RETURN_(NULL);
-  
-  result = __bro_ht_del(obj->data, (void *) key);
-  /* D(("Removing data item '%s' from object %p yields %p\n", key, obj, result)); */
-  D_RETURN_(result);
-}
diff --git a/aux/broccoli/src/bro_sobject.h b/aux/broccoli/src/bro_sobject.h
deleted file mode 100644
index c633fb2177..0000000000
--- a/aux/broccoli/src/bro_sobject.h
+++ /dev/null
@@ -1,263 +0,0 @@
-/*
-       B R O C C O L I  --  The Bro Client Communications Library
-
-Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to
-deal in the Software without restriction, including without limitation the
-rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-sell copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies of the Software and its documentation and acknowledgment shall be
-given in the documentation and software packages that this Software was
-used.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
-THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-*/
-#ifndef broccoli_serial_object_h
-#define broccoli_serial_object_h
-
-#include <broccoli.h>
-#include <bro_types.h>
-
-/* A whole bunch of definitons taken straight out of Bro and run through cpp :)
- * These are type tags -- see explanation in SerialTypes.h in the Bro tree. We use
- * these tags to map to the default constructor implementation for an
- * object upon unserialization.
- */
-#define SER_TYPE_MASK                 0xff00
-#define SER_NONE                      0
-
-
-/* "Abstract" parent classes, not used directly */
-#define SER_IS_OBJ                    0x8000
-#define SER_IS_CONNECTION            (0x0100 | SER_IS_OBJ)
-#define SER_IS_TIMER                  0x0200
-#define SER_IS_TCP_ENDPOINT           0x0300
-#define SER_IS_TCP_ANALYZER          (0x0400 | SER_IS_OBJ)
-#define SER_IS_TCP_ENDPOINT_ANALYZER (0x0500 | SER_IS_OBJ)
-#define SER_IS_TCP_CONTENTS           0x0600
-#define SER_IS_REASSEMBLER            0x0700
-#define SER_IS_VAL                   (0x0800 | SER_IS_OBJ)
-#define SER_IS_EXPR                  (0x0900 | SER_IS_OBJ)
-#define SER_IS_TYPE                  (0x0a00 | SER_IS_OBJ)
-#define SER_IS_STMT                  (0x0b00 | SER_IS_OBJ)
-#define SER_IS_ATTRIBUTES            (0x0c00 | SER_IS_OBJ)
-#define SER_IS_EVENT_HANDLER          0x0d00
-#define SER_IS_FILE                  (0x0e00 | SER_IS_OBJ)
-#define SER_IS_FUNC                  (0x0f00 | SER_IS_OBJ)
-#define SER_IS_ID                    (0x1000 | SER_IS_OBJ)
-#define SER_IS_STATE_ACCESS           0x1100
-#define SER_IS_CASE                  (0x1200 | SER_IS_OBJ)
-#define SER_IS_LOCATION               0x1300
-#define SER_IS_RE_MATCHER             0x1400
-
-/* Usable derivations */
-#define SER_OBJ                      (1  | SER_IS_OBJ)
-#define SER_VAL                      (1  | SER_IS_VAL)
-#define SER_INTERVAL_VAL             (2  | SER_IS_VAL)
-#define SER_PORT_VAL                 (3  | SER_IS_VAL)
-#define SER_ADDR_VAL                 (4  | SER_IS_VAL)
-#define SER_NET_VAL                  (5  | SER_IS_VAL)
-#define SER_SUBNET_VAL               (6  | SER_IS_VAL)
-#define SER_STRING_VAL               (7  | SER_IS_VAL)
-#define SER_PATTERN_VAL              (8  | SER_IS_VAL)
-#define SER_LIST_VAL                 (9  | SER_IS_VAL)
-#define SER_TABLE_VAL                (10 | SER_IS_VAL)
-#define SER_RECORD_VAL               (11 | SER_IS_VAL)
-#define SER_ENUM_VAL                 (12 | SER_IS_VAL)
-#define SER_VECTOR_VAL               (13 | SER_IS_VAL)
-#define SER_MUTABLE_VAL              (14 | SER_IS_VAL)
-
-#define SER_EXPR                     (1  | SER_IS_EXPR)
-#define SER_NAME_EXPR                (2  | SER_IS_EXPR)
-#define SER_CONST_EXPR               (3  | SER_IS_EXPR)
-#define SER_UNARY_EXPR               (4  | SER_IS_EXPR)
-#define SER_BINARY_EXPR              (5  | SER_IS_EXPR)
-#define SER_INCR_EXPR                (6  | SER_IS_EXPR)
-#define SER_NOT_EXPR                 (7  | SER_IS_EXPR)
-#define SER_POS_EXPR                 (8  | SER_IS_EXPR)
-#define SER_NEG_EXPR                 (9  | SER_IS_EXPR)
-#define SER_ADD_EXPR                 (10 | SER_IS_EXPR)
-#define SER_SUB_EXPR                 (11 | SER_IS_EXPR)
-#define SER_TIMES_EXPR               (12 | SER_IS_EXPR)
-#define SER_DIVIDE_EXPR              (13 | SER_IS_EXPR)
-#define SER_MOD_EXPR                 (14 | SER_IS_EXPR)
-#define SER_BOOL_EXPR                (15 | SER_IS_EXPR)
-#define SER_EQ_EXPR                  (16 | SER_IS_EXPR)
-#define SER_REL_EXPR                 (17 | SER_IS_EXPR)
-#define SER_COND_EXPR                (18 | SER_IS_EXPR)
-#define SER_REF_EXPR                 (19 | SER_IS_EXPR)
-#define SER_ASSIGN_EXPR              (20 | SER_IS_EXPR)
-#define SER_INDEX_EXPR               (21 | SER_IS_EXPR)
-#define SER_FIELD_EXPR               (22 | SER_IS_EXPR)
-#define SER_HAS_FIELD_EXPR           (23 | SER_IS_EXPR)
-#define SER_RECORD_CONSTRUCTOR_EXPR  (24 | SER_IS_EXPR)
-#define SER_FIELD_ASSIGN_EXPR        (25 | SER_IS_EXPR)
-#define SER_RECORD_MATCH_EXPR        (26 | SER_IS_EXPR)
-#define SER_ARITH_COERCE_EXPR        (27 | SER_IS_EXPR)
-#define SER_RECORD_COERCE_EXPR       (28 | SER_IS_EXPR)
-#define SER_FLATTEN_EXPR             (29 | SER_IS_EXPR)
-#define SER_SCHEDULE_EXPR            (30 | SER_IS_EXPR)
-#define SER_IN_EXPR                  (31 | SER_IS_EXPR)
-#define SER_CALL_EXPR                (32 | SER_IS_EXPR)
-#define SER_EVENT_EXPR               (33 | SER_IS_EXPR)
-#define SER_LIST_EXPR                (34 | SER_IS_EXPR)
-#define SER_RECORD_ASSIGN_EXPR       (35 | SER_IS_EXPR)
-
-#define SER_TYPE                     (1  | SER_IS_TYPE)
-#define SER_TYPE_LIST                (2  | SER_IS_TYPE)
-#define SER_INDEX_TYPE               (3  | SER_IS_TYPE)
-#define SER_TABLE_TYPE               (4  | SER_IS_TYPE)
-#define SER_SET_TYPE                 (5  | SER_IS_TYPE)
-#define SER_FUNC_TYPE                (6  | SER_IS_TYPE)
-#define SER_RECORD_TYPE              (7  | SER_IS_TYPE)
-#define SER_SUBNET_TYPE              (8  | SER_IS_TYPE)
-#define SER_FILE_TYPE                (9  | SER_IS_TYPE)
-#define SER_ENUM_TYPE                (10 | SER_IS_TYPE)
-#define SER_VECTOR_TYPE              (11 | SER_IS_TYPE)
-
-#define SER_ATTRIBUTES               (1  | SER_IS_ATTRIBUTES)
-
-#define SER_EVENT_HANDLER            (1  | SER_IS_EVENT_HANDLER)
-#define SER_FILE                     (1  | SER_IS_FILE)
-
-#define SER_FUNC                     (1  | SER_IS_FUNC)
-#define SER_BRO_FUNC                 (2  | SER_IS_FUNC)
-#define SER_DEBUG_FUNC               (3  | SER_IS_FUNC)
-#define SER_BUILTIN_FUNC             (4  | SER_IS_FUNC)
-
-#define SER_ID                       (1  | SER_IS_ID)
-#define SER_STATE_ACCESS             (1  | SER_IS_STATE_ACCESS)
-#define SER_CASE                     (1  | SER_IS_CASE)
-#define SER_LOCATION                 (1  | SER_IS_LOCATION)
-#define SER_RE_MATCHER               (1  | SER_IS_RE_MATCHER)
-
-typedef struct bro_serial_object BroSObject;
-
-typedef BroSObject *(* BroSObjectNew) (void);
-
-/* Signatures for all functions which we virtualize. */
-typedef int (* BroSObjectRead) (BroSObject *obj, BroConn *bc);
-typedef int (* BroSObjectWrite) (BroSObject *obj, BroConn *bc);
-typedef void (* BroSObjectFree) (BroSObject *obj);
-typedef int (* BroSObjectClone) (BroSObject *dst, BroSObject *src);
-typedef uint32 (* BroSObjectHash) (BroSObject *obj);
-typedef int (* BroSObjectCmp) (BroSObject *obj1, BroSObject *obj2);
-
-/* BroSObjects are the base "class" of objects that can be serialized.
- * They mirror SerialObj in Bro. The way Broccoli realizes classes,
- * objects, and inheritance is as follows:
- *
- * (1) There is no distinction between classes and the objects that
- *     are created from them. That means that each object carries with
- *     it all the function pointers needed to implement polymorphism.
- *     Yes, this wastes space, but for now I don't think it wastes
- *     enough to justify the additional complexity of explicit-class,
- *     Gtk-style object orientation in C.
- *
- * (2) Currently, the only virtualized functions are the ones defined
- *     in BroSObject below, though this may change in the future.
- *     These functions implement reading/writing from/to a buffer,
- *     cleanup, cloning, hashing to a uint32, and strcmp()-style
- *     instance comparison.
- *
- *     Implementations of these functions need to work in typical OO
- *     fashion, i.e., they may need to call the implementation of the
- *     parent "class" explicitly. This is the case for the (un)seriali-
- *     zation functions (which need to read/write all elements of the
- *     inheritance chain. It is not the case for the virtual ..._hash()
- *     and ..._cmp() implementations, which usually define equality
- *     and the computed hash value exclusively from the most derived
- *     type's values.
- *
- * (3) Instances of BroSObject are usually created either by
- *     unserializing them from a buffer (via __bro_sobject_unserialize())
- *     or by specialized "constructors" in inherited classes. The
- *     main constructor of this sort if __bro_val_new_of_type(), which
- *     initializes BroVals with correct type information.
- *     
- *     Instances of BroSObject are to be deallocated via
- *     __bro_sobject_release(). Since BroSObjects may be referenced
- *     in multiple locations (the serialization cache being a main
- *     example), you must not explicitly release the memory associated
- *     with a BroSObject but let the BroSObject implementation decide
- *     when to do so.
- */
-struct bro_serial_object
-{
-  /* The value by which the object is identified in the
-   * serialization cache.
-   */
-  uint32           perm_id;
-
-  /* One of the SER_xxx values above to identify the type
-   * of object upon (un)serialization.
-   */
-  uint16           type_id;
-
-  /* Reference count, used for unserialized objects that
-   * sit in the connection's serialization cache and may
-   * be referenced by multiple SObjects.
-   */
-  int              ref_count;
-
-  /* Storage for arbitrary user data:
-   */
-  BroHT           *data;
-
-  BroSObjectRead   read;
-  BroSObjectWrite  write;
-  BroSObjectFree   free;
-  BroSObjectClone  clone;
-  BroSObjectHash   hash;
-  BroSObjectCmp    cmp;
-};
-
-BroSObject      *__bro_sobject_create(uint16 type_id);
-void             __bro_sobject_release(BroSObject *obj);
-void             __bro_sobject_ref(BroSObject *obj);
-BroSObject      *__bro_sobject_copy(BroSObject *obj);
-
-BroSObject      *__bro_sobject_new(void);
-
-void             __bro_sobject_init(BroSObject *obj);
-void             __bro_sobject_free(BroSObject *obj);
-
-/* We need the connection handle for the next two and not just
- * a buffer because we might need the cache associated with the
- * connection.
- */
-int              __bro_sobject_serialize(BroSObject *obj, BroConn *bc);
-BroSObject      *__bro_sobject_unserialize(uint16 type_id, BroConn *bc);
-
-/* Hash a SObject or compare them. These are the virtualized
- * functions -- the actual implementation of these functions
- * for SObjects themselves are static in bro_sobject.c.
- */
-uint32           __bro_sobject_hash(BroSObject *obj);
-int              __bro_sobject_cmp(BroSObject *obj1, BroSObject *obj2);
-
-int              __bro_sobject_read(BroSObject *obj, BroConn *bc);
-int              __bro_sobject_write(BroSObject *obj, BroConn *bc);
-int              __bro_sobject_clone(BroSObject *dst, BroSObject *src);
-
-/* Our base class has a facility for associating arbitrary stuff
- * with each instance. Make sure to clean up the associated items
- * before releasing the instance, because the object doesn't know
- * how to do this.
- */
-void             __bro_sobject_data_set(BroSObject *obj, const char *key, void *val);
-void            *__bro_sobject_data_get(BroSObject *obj, const char *key);
-void            *__bro_sobject_data_del(BroSObject *obj, const char *key);
-
-#endif
diff --git a/aux/broccoli/src/bro_table.c b/aux/broccoli/src/bro_table.c
deleted file mode 100644
index 1197e27e1e..0000000000
--- a/aux/broccoli/src/bro_table.c
+++ /dev/null
@@ -1,227 +0,0 @@
-/*
-       B R O C C O L I  --  The Bro Client Communications Library
-
-Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to
-deal in the Software without restriction, including without limitation the
-rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-sell copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies of the Software and its documentation and acknowledgment shall be
-given in the documentation and software packages that this Software was
-used.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
-THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-*/
-#if HAVE_CONFIG_H
-# include <config.h>
-#endif
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <sys/types.h>
-#include <string.h>
-#include <unistd.h>
-#include <errno.h>
-
-#ifdef __EMX__
-#include <strings.h>
-#endif 
-
-#include <bro_types.h>
-#include <bro_io.h>
-#include <bro_debug.h>
-#include <bro_val.h>
-#include <bro_table.h>
-
-
-BroTable *
-__bro_table_new(void)
-{
-  BroTable *tbl;
-
-  if (! (tbl = calloc(1, sizeof(BroTable))))
-    return NULL;
-
-  tbl->tbl_impl = __bro_ht_new((BroHTHashFunc) __bro_table_hash_key,
-			       (BroHTCmpFunc) __bro_table_cmp_key,
-			       (BroHTFreeFunc) __bro_sobject_release,
-			       (BroHTFreeFunc) __bro_sobject_release, FALSE);
-
-  if (! tbl->tbl_impl)
-    {
-      free(tbl);
-      return NULL;
-    }
-  
-  return tbl;
-}
-
-void
-__bro_table_free(BroTable *tbl)
-{
-  if (! tbl)
-    return;
-
-  __bro_ht_free(tbl->tbl_impl);
-  free(tbl);
-}
-
-static int __bro_table_copy_cb(BroVal *key, BroVal *val, BroTable *dest)
-{
-  __bro_table_insert(dest, key, val);
-  return TRUE; /* Continue the iteration */
-}
-
-BroTable *
-__bro_table_copy(BroTable *tbl)
-{
-  BroVal *val, *val_copy;
-  BroTable *copy;
-
-  if (! tbl)
-    return NULL;
-  
-  if (! (copy = __bro_table_new()))
-    return NULL;
-  
-  __bro_ht_foreach(tbl->tbl_impl,
-		   (BroHTCallback) __bro_table_copy_cb,
-		   (void *) copy);
-  
-  return copy;
-}
-
-void
-__bro_table_insert(BroTable *tbl, BroVal *key, BroVal *val)
-{
-  if (! tbl || ! key) /* NULL for val is okay -- that's a set. */
-    return;
-  
-  __bro_ht_add(tbl->tbl_impl, key, val);  
-}
-
-BroVal *
-__bro_table_find(BroTable *tbl, const BroVal *key)
-{
-  if (! tbl || ! key)
-    return NULL;
-
-  return __bro_ht_get(tbl->tbl_impl, key);
-}
-
-int
-__bro_table_get_size(BroTable *tbl)
-{
-  if (! tbl)
-    return -1;
-  
-  return __bro_ht_get_size(tbl->tbl_impl);
-}
-
-void
-__bro_table_foreach(BroTable *tbl, BroTableCallback cb, void *user_data)
-{
-  if (! tbl || ! cb)
-    return;
-
-  __bro_ht_foreach(tbl->tbl_impl, cb, user_data);
-}
-
-int
-__bro_table_is_set(BroTable *tbl)
-{
-  return tbl->tbl_val_type == BRO_TYPE_UNKNOWN;
-}
-
-uint32
-__bro_table_hash_key(BroVal *key)
-{
-  return ((BroSObject *) key)->hash((BroSObject *) key);
-}
-
-int
-__bro_table_cmp_key(BroVal *val1, BroVal *val2)
-{
-  BroSObject *obj1 = (BroSObject *) val1;
-  BroSObject *obj2 = (BroSObject *) val2;
-
-  return obj1->cmp(obj1, obj2);
-}
-
-static int
-__bro_table_hash_cb(BroVal *key, BroVal *val, int *result)
-{
-  *result ^= __bro_sobject_hash((BroSObject*) key);
-  *result ^= __bro_sobject_hash((BroSObject*) val);
-  return TRUE;
-}
-
-uint32
-__bro_table_hash(BroTable *tbl)
-{
-  uint32 result;
-  
-  D_ENTER;
-  
-  if (! tbl)
-    D_RETURN_(0);
-  
-  result = __bro_ht_get_size(tbl->tbl_impl);
-  
-  __bro_ht_foreach(tbl->tbl_impl, (BroHTCallback) __bro_table_hash_cb, &result);
-  
-  D_RETURN_(result);
-}
-
-typedef struct bro_table_cmp
-{
-  BroHT *table;
-  int result;
-} BroTableCmp;
-
-static int
-__bro_table_cmp_cb(BroVal *key, BroVal *val, BroTableCmp *cmp)
-{
-  BroVal *val2 = __bro_ht_get(cmp->table, key);
-
-  if (! val2)
-    goto no_luck;
-  
-  if (! __bro_sobject_cmp((BroSObject*) val, (BroSObject*) val2))
-    goto no_luck;
-
-  return TRUE;
-
- no_luck:  
-  cmp->result = FALSE;
-  return FALSE;
-}
-
-int
-__bro_table_cmp(BroTable *tbl1, BroTable *tbl2)
-{
-  BroTableCmp cmp;
-
-  D_ENTER;
-
-  cmp.table = tbl2->tbl_impl;
-  cmp.result = TRUE;
-  
-  if (__bro_ht_get_size(tbl1->tbl_impl) != __bro_ht_get_size(tbl2->tbl_impl))
-    D_RETURN_(FALSE);
-
-  __bro_ht_foreach(tbl1->tbl_impl, (BroHTCallback) __bro_table_cmp_cb, &cmp);
-
-  D_RETURN_(TRUE);
-}
diff --git a/aux/broccoli/src/bro_table.h b/aux/broccoli/src/bro_table.h
deleted file mode 100644
index d12e629d31..0000000000
--- a/aux/broccoli/src/bro_table.h
+++ /dev/null
@@ -1,72 +0,0 @@
-/*
-       B R O C C O L I  --  The Bro Client Communications Library
-
-Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to
-deal in the Software without restriction, including without limitation the
-rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-sell copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies of the Software and its documentation and acknowledgment shall be
-given in the documentation and software packages that this Software was
-used.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
-THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-*/
-#ifndef broccoli_table_h
-#define broccoli_table_h
-
-#include <broccoli.h>
-#include <bro_types.h>
-#include <bro_hashtable.h>
-
-/* BroTable is the table type we export to the user. It relies
- * on BroHTs for the implementation.
- *
- * Related typedefs are in broccoli.h because the users need
- * to know them -- we keep the definition opaque here.
- */
-struct bro_table
-{
-  /* The underlying hashtable */
-  BroHT   *tbl_impl;
-  int tbl_key_type, tbl_val_type;
-};
-
-BroTable      *__bro_table_new(void);
-void           __bro_table_free(BroTable *tbl);
-BroTable      *__bro_table_copy(BroTable *tbl);
-
-/* Inserts the given key-val pair and adopts ownership,
- * i.e., the values are not duplicated internally.
- */
-void           __bro_table_insert(BroTable *tbl, BroVal *key, BroVal *val);
-
-BroVal        *__bro_table_find(BroTable *tbl, const BroVal *key);
-int            __bro_table_get_size(BroTable *tbl);
-
-void           __bro_table_foreach(BroTable *tbl, BroTableCallback cb, void *user_data);
-
-/* Sets are just tables that have no meaningful values associated
- * with the keys. As long as a table's tbl_val_type remains unknown,
- * a table is in fact a set.
- */
-int            __bro_table_is_set(BroTable *tbl);
-
-uint32         __bro_table_hash_key(BroVal *key);
-int            __bro_table_cmp_key(BroVal *val1, BroVal *val2);
-
-uint32         __bro_table_hash(BroTable *tbl);
-int            __bro_table_cmp(BroTable *tbl1, BroTable *tbl2);
-
-#endif
diff --git a/aux/broccoli/src/bro_type.c b/aux/broccoli/src/bro_type.c
deleted file mode 100644
index 0d87693719..0000000000
--- a/aux/broccoli/src/bro_type.c
+++ /dev/null
@@ -1,1303 +0,0 @@
-/*
-       B R O C C O L I  --  The Bro Client Communications Library
-
-Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to
-deal in the Software without restriction, including without limitation the
-rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-sell copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies of the Software and its documentation and acknowledgment shall be
-given in the documentation and software packages that this Software was
-used.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
-THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-*/
-#if HAVE_CONFIG_H
-# include <config.h>
-#endif
-
-#include <string.h>
-#include <unistd.h>
-#include <errno.h>
-#include <sys/time.h>
-
-#ifdef __EMX__
-#include <strings.h>
-#endif 
-
-#include <bro_types.h>
-#include <bro_val.h>
-#include <bro_debug.h>
-#include <bro_object.h>
-#include <bro_type_decl.h>
-#include <bro_type.h>
-
-/* The virtual implementations of BroSObject's functions are
- * kept static in this module, and so are the ..._init() methods
- * not currently needed by other, derived classes.
- */
-
-static void         __bro_type_init(BroType *type);
-static void         __bro_type_free(BroType *type);
-static int          __bro_type_read(BroType *type, BroConn *bc);
-static int          __bro_type_write(BroType *type, BroConn *bc);
-static int          __bro_type_clone(BroType *dst, BroType *src);
-static uint32       __bro_type_hash(BroType *type);
-static int          __bro_type_cmp(BroType *type1, BroType *type2);
-
-static void         __bro_type_list_init(BroTypeList *tl);
-static void         __bro_type_list_free(BroTypeList *tl);
-static int          __bro_type_list_read(BroTypeList *tl, BroConn *bc);
-static int          __bro_type_list_write(BroTypeList *tl, BroConn *bc);
-static int          __bro_type_list_clone(BroTypeList *dst, BroTypeList *src);
-static uint32       __bro_type_list_hash(BroTypeList *tl);
-static int          __bro_type_list_cmp(BroTypeList *tl1, BroTypeList *tl2);
-
-static void         __bro_record_type_init(BroRecordType *rt);
-static void         __bro_record_type_free(BroRecordType *rt);
-static int          __bro_record_type_read(BroRecordType *rt, BroConn *bc);
-static int          __bro_record_type_write(BroRecordType *rt, BroConn *bc);
-static int          __bro_record_type_clone(BroRecordType *dst, BroRecordType *src);
-static uint32       __bro_record_type_hash(BroRecordType *rt);
-static int          __bro_record_type_cmp(BroRecordType *rt1, BroRecordType *rt2);
-
-static void         __bro_index_type_init(BroIndexType *it);
-static void         __bro_index_type_free(BroIndexType *it);
-static int          __bro_index_type_read(BroIndexType *it, BroConn *bc);
-static int          __bro_index_type_write(BroIndexType *it, BroConn *bc);
-static int          __bro_index_type_clone(BroIndexType *dst, BroIndexType *src);
-static uint32       __bro_index_type_hash(BroIndexType *it);
-static int          __bro_index_type_cmp(BroIndexType *it1, BroIndexType *it2);
-
-static void         __bro_table_type_init(BroTableType *tt);
-static void         __bro_table_type_free(BroTableType *tt);
-static int          __bro_table_type_read(BroTableType *tt, BroConn *bc);
-static int          __bro_table_type_write(BroTableType *tt, BroConn *bc);
-static int          __bro_table_type_clone(BroTableType *dst, BroTableType *src);
-static uint32       __bro_table_type_hash(BroTableType *tt);
-static int          __bro_table_type_cmp(BroTableType *tt1, BroTableType *tt2);
-
-static void         __bro_set_type_init(BroSetType *st);
-static void         __bro_set_type_free(BroSetType *st);
-static int          __bro_set_type_read(BroSetType *st, BroConn *bc);
-static int          __bro_set_type_write(BroSetType *st, BroConn *bc);
-static int          __bro_set_type_clone(BroSetType *dst, BroSetType *src);
-static uint32       __bro_set_type_hash(BroSetType *st);
-static int          __bro_set_type_cmp(BroSetType *st1, BroSetType *st2);
-
-
-BroType *
-__bro_type_new(void)
-{
-  BroType *type;
-
-  D_ENTER;
-
-  if (! (type = calloc(1, sizeof(BroType))))
-    D_RETURN_(NULL);
-
-  __bro_type_init(type);
-
-  D_RETURN_(type);
-}
-
-
-BroType *
-__bro_type_new_of_type(int type_tag, const char *type_name)
-{
-  BroType *type = NULL;
-  int internal_tag;
-  char is_nbo = 0;
-  
-  D_ENTER;
-  
-  switch (type_tag)
-    {
-    case BRO_TYPE_BOOL:
-    case BRO_TYPE_INT:
-    case BRO_TYPE_ENUM:
-      internal_tag = BRO_INTTYPE_INT;
-      break;
-      
-    case BRO_TYPE_COUNT:
-    case BRO_TYPE_COUNTER:
-      internal_tag = BRO_INTTYPE_UNSIGNED;
-      break;
-      
-    case BRO_TYPE_PORT:
-      internal_tag = BRO_INTTYPE_UNSIGNED;
-      is_nbo = 1;
-      break;
-      
-    case BRO_TYPE_DOUBLE:
-    case BRO_TYPE_TIME:
-    case BRO_TYPE_INTERVAL:
-      internal_tag = BRO_INTTYPE_DOUBLE;
-      break;
-      
-    case BRO_TYPE_STRING:
-      internal_tag = BRO_INTTYPE_STRING;
-      break;
-      
-    case BRO_TYPE_IPADDR:
-    case BRO_TYPE_NET:
-      internal_tag = BRO_INTTYPE_IPADDR;
-      break;
-      
-    case BRO_TYPE_SUBNET:
-      internal_tag = BRO_INTTYPE_SUBNET;
-      break;
-      
-    case BRO_TYPE_PATTERN:
-    case BRO_TYPE_TIMER:
-    case BRO_TYPE_ANY:
-    case BRO_TYPE_UNION:
-    case BRO_TYPE_LIST:      
-    case BRO_TYPE_FUNC:
-    case BRO_TYPE_FILE:
-    case BRO_TYPE_VECTOR:
-      internal_tag = BRO_INTTYPE_OTHER;
-      break;
-
-    case BRO_TYPE_TABLE:
-      if (! (type = (BroType *) __bro_table_type_new()))
-	D_RETURN_(NULL);
-      
-      internal_tag = BRO_INTTYPE_OTHER;
-      break;
-      
-    case BRO_TYPE_RECORD:
-      if (! (type = (BroType *) __bro_record_type_new()))
-	D_RETURN_(NULL);
-      
-      internal_tag = BRO_INTTYPE_OTHER;
-      break;
-      
-    case BRO_TYPE_SET:
-      if (! (type = (BroType *) __bro_set_type_new()))
-	D_RETURN_(NULL);
-
-      internal_tag = BRO_INTTYPE_OTHER;
-      break;
-
-    case BRO_TYPE_ERROR:
-    default:
-      internal_tag = BRO_INTTYPE_ERROR;
-    }
-
-  if (! type)
-    {
-      if (! (type = __bro_type_new()))
-	D_RETURN_(NULL);
-    }
- 
-  type->tag          = type_tag;
-  type->internal_tag = internal_tag;
-  type->is_nbo       = is_nbo;
-  type->is_complete  = TRUE;
-  
-  if (type_name)
-    {
-      type->is_complete = FALSE;
-      bro_string_set(&type->type_name, type_name);
-    }
-
-  D_RETURN_(type);
-}
-
-
-static void
-__bro_type_init(BroType *type)
-{
-  BroSObject *sobj = (BroSObject *) type;
-
-  D_ENTER;
-
-  __bro_object_init((BroObject *) type);
-
-  sobj->read  = (BroSObjectRead) __bro_type_read;
-  sobj->write = (BroSObjectWrite) __bro_type_write;
-  sobj->free  = (BroSObjectFree) __bro_type_free;
-  sobj->clone = (BroSObjectClone) __bro_type_clone;
-  sobj->hash  = (BroSObjectHash) __bro_type_hash;
-  sobj->cmp   = (BroSObjectCmp) __bro_type_cmp;
-
-  sobj->type_id = SER_TYPE;
-
-  bro_string_init(&type->type_name);
-  type->is_complete = TRUE;
-
-  D_RETURN;
-}
-
-
-static void
-__bro_type_free(BroType *type)
-{
-  D_ENTER;
-  bro_string_cleanup(&type->type_name);
-  __bro_sobject_release((BroSObject *) type->attrs_type);
-  __bro_object_free((BroObject *) type);
-  D_RETURN;
-}
-
-
-static int
-__bro_type_read(BroType *type, BroConn *bc)
-{
-  char opt;
-  
-  D_ENTER;
-
-  if (! __bro_object_read((BroObject *) type, bc))
-    D_RETURN_(FALSE);
-
-  if (! __bro_buf_read_char(bc->rx_buf, &type->tag))
-    D_RETURN_(FALSE);
-  if (! __bro_buf_read_char(bc->rx_buf, &type->internal_tag))
-    D_RETURN_(FALSE);
-
-  if (! __bro_buf_read_char(bc->rx_buf, &type->is_nbo))
-    D_RETURN_(FALSE);
-  if (! __bro_buf_read_char(bc->rx_buf, &type->is_base_type))
-    D_RETURN_(FALSE);
-  if (! __bro_buf_read_char(bc->rx_buf, &type->is_global_attrs_type))
-    D_RETURN_(FALSE);
-
-  if (! __bro_buf_read_char(bc->rx_buf, &opt))
-    D_RETURN_(FALSE);
-  if (opt)
-    {
-      if (type->attrs_type)
-	__bro_sobject_release((BroSObject *) type->attrs_type);
-      
-      if (! (type->attrs_type = (BroRecordType *)
-	     __bro_sobject_unserialize(SER_RECORD_TYPE, bc)))
-	D_RETURN_(FALSE);
-    }
-
-  D_RETURN_(TRUE);
-}
-
-
-static int
-__bro_type_write(BroType *type, BroConn *bc)
-{
-  D_ENTER;
-
-   if (! __bro_object_write((BroObject *) type, bc))
-    D_RETURN_(FALSE);
-
-  if (! __bro_buf_write_char(bc->tx_buf, type->tag))
-    D_RETURN_(FALSE);
-  if (! __bro_buf_write_char(bc->tx_buf, type->internal_tag))
-    D_RETURN_(FALSE);
-
-  if (! __bro_buf_write_char(bc->tx_buf, type->is_nbo))
-    D_RETURN_(FALSE);
-  if (! __bro_buf_write_char(bc->tx_buf, type->is_base_type))
-    D_RETURN_(FALSE);
-  if (! __bro_buf_write_char(bc->tx_buf, type->is_global_attrs_type))
-    D_RETURN_(FALSE);
-
-  if (! __bro_buf_write_char(bc->tx_buf, type->attrs_type ? 1 : 0))
-    D_RETURN_(FALSE);
-  
-  if (type->attrs_type && ! __bro_sobject_serialize((BroSObject *) type->attrs_type, bc))
-    D_RETURN_(FALSE);
-  
-  D_RETURN_(TRUE);
-}
-
-
-static int
-__bro_type_clone(BroType *dst, BroType *src)
-{
-  D_ENTER;
-
-  if (! __bro_object_clone((BroObject *) dst, (BroObject *) src))
-    D_RETURN_(FALSE);
-
-  dst->tag = src->tag;
-  dst->internal_tag = src->internal_tag;
-  dst->is_nbo = src->is_nbo;
-  dst->is_base_type = src->is_base_type;
-  dst->is_global_attrs_type = src->is_global_attrs_type;
-  dst->is_complete = src->is_complete;
-  bro_string_set(&dst->type_name, (const char *) bro_string_get_data(&src->type_name));
-
-  if (src->attrs_type &&
-      ! (dst->attrs_type = (BroRecordType *) __bro_sobject_copy((BroSObject *) src->attrs_type)))
-    D_RETURN_(FALSE);
-
-  D_RETURN_(TRUE);
-}
-
-
-static uint32
-__bro_type_hash(BroType *type)
-{
-  uint32 result;
-
-  D_ENTER;
-
-  if (! type)
-    D_RETURN_(0);
-
-  result = __bro_ht_str_hash(type->type_name.str_val);
-  result ^= (uint32) type->tag;
-  result ^= ((uint32) type->internal_tag) << 8;
-  result ^= ((uint32) type->is_nbo) << 8;
-  result ^= ((uint32) type->is_base_type) << 8;
-  result ^= (uint32) type->is_global_attrs_type;
-  result ^= ((uint32) type->is_complete) << 8;
-
-  D_RETURN_(result);
-
-}
-
-
-static int
-__bro_type_cmp(BroType *type1, BroType *type2)
-{
-  int result;
-
-  D_ENTER;
- 
-  if (! type1 || ! type2)
-    D_RETURN_(FALSE);
-
-  if (type1->type_name.str_val && type2->type_name.str_val &&
-      ! __bro_ht_str_cmp(type1->type_name.str_val, type2->type_name.str_val))
-    D_RETURN_(FALSE);
-  
-  if (type1->tag != type2->tag ||
-      type1->internal_tag != type2->internal_tag ||
-      type1->is_nbo != type2->is_nbo ||
-      type1->is_base_type != type2->is_base_type ||
-      type1->is_global_attrs_type != type2->is_global_attrs_type ||
-      type1->is_complete != type2->is_complete)
-    D_RETURN_(FALSE);
-
-  D_RETURN_(TRUE);
-
-}
-
-BroTypeList *
-__bro_type_list_new(void)
-{
-  BroTypeList *tl;
-
-  D_ENTER;
-
-  if (! (tl = calloc(1, sizeof(BroTypeList))))
-    D_RETURN_(NULL);
-
-  __bro_type_list_init(tl);
-
-  D_RETURN_(tl);
-}
-
-
-static void
-__bro_type_list_init(BroTypeList *tl)
-{
-  BroSObject *sobj = (BroSObject *) tl;
-
-  D_ENTER;
-  
-  __bro_type_init((BroType *) tl);
-  
-  sobj->read  = (BroSObjectRead) __bro_type_list_read;
-  sobj->write = (BroSObjectWrite) __bro_type_list_write;
-  sobj->free  = (BroSObjectFree) __bro_type_list_free;
-  sobj->clone = (BroSObjectClone) __bro_type_list_clone;
-  sobj->hash  = (BroSObjectHash) __bro_type_list_hash;
-  sobj->cmp   = (BroSObjectCmp) __bro_type_list_cmp;  
-
-  sobj->type_id = SER_TYPE_LIST;
-
-  tl->types = NULL;
-
-  D_RETURN;
-}
-
-
-static void
-__bro_type_list_free(BroTypeList *tl)
-{
-  D_ENTER;
-
-  __bro_list_free(tl->types, (BroFunc) __bro_sobject_release);
-  __bro_sobject_release((BroSObject *) tl->pure_type);  
-  __bro_type_free((BroType *) tl);
-  
-  D_RETURN;
-}
-
-
-static int
-__bro_type_list_read(BroTypeList *tl, BroConn *bc)
-{
-  char opt;
-  uint32 i;
-
-  D_ENTER;
-
-  if (! __bro_type_read((BroType *) tl, bc))
-    D_RETURN_(FALSE);
-  
-  if (! __bro_buf_read_char(bc->rx_buf, &opt))
-    D_RETURN_(FALSE);
-  
-  /* Clean out old optional pure type */
-  if (tl->pure_type)
-    __bro_sobject_release((BroSObject *) tl->pure_type);
-  
-  if (opt)
-    {
-      if (! (tl->pure_type = (BroType *) __bro_sobject_unserialize(SER_IS_TYPE, bc)))
-	D_RETURN_(FALSE);
-    }
-  
-  if (! __bro_buf_read_int(bc->rx_buf, &tl->num_types))
-    D_RETURN_(FALSE);
-  
-  if (tl->num_types > 0)
-    {
-      for (i = 0; i < tl->num_types; i++)
-	{
-	  BroType *type;
-	  
-	  if (! (type = (BroType *) __bro_sobject_unserialize(SER_IS_TYPE, bc)))
-	    D_RETURN_(FALSE);
-	  
-	  tl->types = __bro_list_append(tl->types, type);
-	}
-    }
-  
-  D_RETURN_(TRUE);
-}
-
-
-static int
-__bro_type_list_write(BroTypeList *tl, BroConn *bc)
-{
-  BroList *l;
-
-  D_ENTER;
-
-  if (! __bro_type_write((BroType *) tl, bc))
-    D_RETURN_(FALSE);
-  
-  if (! __bro_buf_write_char(bc->tx_buf, tl->pure_type ? 1 : 0))
-    D_RETURN_(FALSE);
-  
-  if (tl->pure_type && ! __bro_sobject_serialize((BroSObject *) tl->pure_type, bc))
-    D_RETURN_(FALSE);
-
-  if (! __bro_buf_write_int(bc->tx_buf, tl->num_types))
-    D_RETURN_(FALSE);
-
-  for (l = tl->types; l; l = __bro_list_next(l))
-    {
-      if (! __bro_sobject_serialize((BroSObject *) __bro_list_data(l), bc))
-	D_RETURN_(FALSE);
-    }
-  
-  D_RETURN_(TRUE);
-}
-
-
-static int
-__bro_type_list_clone(BroTypeList *dst, BroTypeList *src)
-{
-  BroList *l;
-  BroType *type;
-
-  D_ENTER;
-
-  if (! __bro_type_clone((BroType *) dst, (BroType *) src))
-    D_RETURN_(FALSE);
-
-  dst->num_types = src->num_types;
-
-  if (dst->types)
-    __bro_list_free(dst->types, (BroFunc) __bro_sobject_release);
-
-  dst->types = NULL;
-  
-  for (l = src->types; l; l = __bro_list_next(l))
-    {
-      BroType *type_copy;
-
-      type = __bro_list_data(l);
-      
-      if (! (type_copy = (BroType *) __bro_sobject_copy((BroSObject *) type)))
-	D_RETURN_(FALSE);
-
-      dst->types = __bro_list_append(dst->types, type_copy);
-    }
-  
-  if (src->pure_type && ! (dst->pure_type = (BroType *) __bro_sobject_copy((BroSObject *) src->pure_type)))
-    D_RETURN_(FALSE);
-  
-  D_RETURN_(TRUE);
-}
-
-
-static uint32
-__bro_type_list_hash(BroTypeList *tl)
-{
-  uint32 result;
-  BroList *l;
-
-  D_ENTER;
-
-  if (! tl)
-    D_RETURN_(0);
-
-  result = tl->num_types;
-  result ^= __bro_sobject_hash((BroSObject*) tl->pure_type);
-  
-  for (l = tl->types; l; l = __bro_list_next(l))
-    result ^= __bro_sobject_hash((BroSObject*) __bro_list_data(l));
-  
-  D_RETURN_(result);
-}
-
-
-static int
-__bro_type_list_cmp(BroTypeList *tl1, BroTypeList *tl2)
-{
-  BroList *l1, *l2;
-
-  D_ENTER;
-
-  if (! tl1 || ! tl2)
-    D_RETURN_(FALSE);
-  
-  if (tl1->num_types != tl2->num_types ||
-      ! __bro_sobject_cmp((BroSObject*) tl1->pure_type,
-			  (BroSObject*) tl2->pure_type))
-    D_RETURN_(FALSE);
-  
-  for (l1 = tl1->types, l2 = tl2->types; l1 && l2;
-       l1 = __bro_list_next(l1), l2 = __bro_list_next(l2))
-    {
-      if (! __bro_sobject_cmp((BroSObject*) __bro_list_data(l1),
-			      (BroSObject*) __bro_list_data(l2)))
-	D_RETURN_(FALSE);
-    }
-  
-  if (l1 || l2) D_RETURN_(FALSE);
-  
-  D_RETURN_(TRUE);
-}
-
-
-BroRecordType *
-__bro_record_type_new(void)
-{
-  BroRecordType *rt;
-  
-  D_ENTER;
-  
-  if (! (rt = calloc(1, sizeof(BroRecordType))))
-    D_RETURN_(NULL);
-  
-  __bro_record_type_init(rt);
-
-  D_RETURN_(rt);
-}
-
-
-static void
-__bro_record_type_init(BroRecordType *rt)
-{
-  BroSObject *sobj = (BroSObject *) rt;
-
-  D_ENTER;
-  
-  __bro_type_init((BroType *) rt);
-  
-  sobj->read  = (BroSObjectRead) __bro_record_type_read;
-  sobj->write = (BroSObjectWrite) __bro_record_type_write;
-  sobj->free  = (BroSObjectFree) __bro_record_type_free;
-  sobj->clone = (BroSObjectClone) __bro_record_type_clone;
-  sobj->hash  = (BroSObjectHash) __bro_record_type_hash;
-  sobj->cmp   = (BroSObjectCmp) __bro_record_type_cmp;
-  
-  sobj->type_id = SER_RECORD_TYPE;
-  
-  D_RETURN;
-}
-
-
-static void
-__bro_record_type_free(BroRecordType *rt)
-{
-  D_ENTER;
-  
-  __bro_sobject_release((BroSObject *) rt->base);
-  __bro_list_free(rt->type_decls, (BroFunc) __bro_type_decl_free);
-  __bro_type_free((BroType *) rt);
-  
-  D_RETURN;
-}
-
-
-void
-__bro_record_type_add_type(BroRecordType *rt, const char *field, BroType *type)
-{
-  BroTypeDecl *td;
-  
-  D_ENTER;
-  
-  if (! rt || ! type)
-    D_RETURN;
-  
-  if (! (td = __bro_type_decl_new()))
-    D_RETURN;
-
-  if (! (td->type = (BroType *) __bro_sobject_copy((BroSObject *) type)))
-    {
-      D(("Cloning of type failed.\n"));
-      __bro_type_decl_free(td);
-      D_RETURN;
-    }
-  
-  if (! bro_string_set(&td->id, field))
-    {
-      __bro_type_decl_free(td);
-      D_RETURN;
-    }
-  
-  rt->type_decls = __bro_list_append(rt->type_decls, td);
-  rt->num_fields++;
-  rt->num_types++;
-  D_RETURN;
-}
-
-
-const char *
-__bro_record_type_get_nth_field(BroRecordType *rt, int num)
-{
-  BroList *l;
-  
-  if (! rt || num < 0 || (uint) num >= rt->num_fields)
-    return NULL;
-  
-  if( (l = __bro_list_nth(rt->type_decls, num)))
-    {
-      BroTypeDecl *td = __bro_list_data(l);
-      return (const char *) td->id.str_val;
-    }
-  
-  return NULL;
-}
-
-
-static int
-__bro_record_type_read(BroRecordType *rt, BroConn *bc)
-{
-  uint32 i;
-  char opt;
-
-  D_ENTER;
-
-  if (! __bro_type_read((BroType *) rt, bc))
-    D_RETURN_(FALSE);
-
-  /* Read type declarations */
-
-  rt->type_decls = NULL;
-  rt->num_fields = 0;
-  rt->num_types = 0;
-
-  if (! __bro_buf_read_int(bc->rx_buf, &rt->num_fields))
-    D_RETURN_(FALSE);
-
-  if (! __bro_buf_read_char(bc->rx_buf, &opt))
-    D_RETURN_(FALSE);
-  if (opt)
-    {
-      if (! __bro_buf_read_int(bc->rx_buf, &rt->num_types))
-	D_RETURN_(FALSE);
-      
-      if (rt->num_types > 0)
-	{
-	  for (i = 0; i < rt->num_types; i++)
-	    {
-	      BroTypeDecl *td;
-	      
-	      if (! (td = __bro_type_decl_new()))
-		D_RETURN_(FALSE);
-	      
-	      if (! __bro_type_decl_read(td, bc))
-		D_RETURN_(FALSE);
-
-	      rt->type_decls = __bro_list_append(rt->type_decls, td);
-	    }
-	}
-    }
-
-  /* Read optional base */
-
-  __bro_sobject_release((BroSObject *) rt->base);
-  rt->base = NULL;
-  
-  if (! __bro_buf_read_char(bc->rx_buf, &opt))
-    D_RETURN_(FALSE);
-  if (opt)
-    {
-      if (! (rt->base = (BroTypeList *) __bro_sobject_unserialize(SER_TYPE_LIST, bc)))
-	D_RETURN_(FALSE);
-    }
-  
-  D_RETURN_(TRUE);
-}
-
-
-static int
-__bro_record_type_write(BroRecordType *rt, BroConn *bc)
-{
-  BroList *l;
-
-  D_ENTER;
-
-  if (! __bro_type_write((BroType *) rt, bc))
-    D_RETURN_(FALSE);
-
-  if (! __bro_buf_write_int(bc->tx_buf, rt->num_fields))
-    D_RETURN_(FALSE);
-
-  if (! __bro_buf_write_char(bc->tx_buf, rt->type_decls ? 1 : 0))
-    D_RETURN_(FALSE);
-  
-  if (! __bro_buf_write_int(bc->tx_buf, rt->num_types))
-    D_RETURN_(FALSE);
-  
-  for (l = rt->type_decls; l; l = __bro_list_next(l))
-    {
-      BroTypeDecl *td = __bro_list_data(l);
-      
-      if (! __bro_type_decl_write(td, bc))
-	D_RETURN_(FALSE);
-    }
-  
-  if (! __bro_buf_write_char(bc->tx_buf, rt->base ? 1 : 0))
-    D_RETURN_(FALSE);
-  
-  if (rt->base && ! __bro_sobject_serialize((BroSObject *) rt->base, bc))
-    D_RETURN_(FALSE);
-  
-  D_RETURN_(TRUE);
-}
-
-
-static int
-__bro_record_type_clone(BroRecordType *dst, BroRecordType *src)
-{
-  BroList *l;
-
-  D_ENTER;
-
-  if (! __bro_type_clone((BroType *) dst, (BroType *) src))
-    D_RETURN_(FALSE);
-  
-  if (src->base && ! (dst->base = (BroTypeList *) __bro_sobject_copy((BroSObject *) src->base)))
-    D_RETURN_(FALSE);
-  
-  dst->num_fields = src->num_fields;
-  dst->num_types = src->num_types;
-  
-  for (l = src->type_decls; l; l = __bro_list_next(l))
-    {
-      BroTypeDecl *td = __bro_list_data(l);
-      BroTypeDecl *td_copy = __bro_type_decl_copy(td);
-      
-      if (! td_copy)
-	D_RETURN_(FALSE);
- 
-      dst->type_decls = __bro_list_append(dst->type_decls, td_copy);
-    }
-  
-  D_RETURN_(TRUE);
-}
-
-
-static uint32
-__bro_record_type_hash(BroRecordType *rt)
-{
-  uint32 result;
-  BroList *l;
-
-  D_ENTER;
-
-  if (! rt)
-    D_RETURN_(0);
-
-  result = __bro_type_list_hash(rt->base);
-  result ^= rt->num_fields;
-  result ^= rt->num_types << 16;
-  
-  for (l = rt->type_decls; l; l = __bro_list_next(l))
-    result ^= __bro_type_decl_hash((BroTypeDecl*) __bro_list_data(l));
-
-  D_RETURN_(result);
-}
-
-
-static int
-__bro_record_type_cmp(BroRecordType *rt1, BroRecordType *rt2)
-{
-  BroList *l1, *l2;
-
-  D_ENTER;
-
-  if (! rt1 || ! rt2)
-    D_RETURN_(FALSE);
-  
-  if (rt1->num_fields != rt2->num_fields ||
-      rt1->num_types != rt2->num_types ||
-      ! __bro_type_list_cmp(rt1->base, rt2->base))
-    D_RETURN_(FALSE);
-  
-  for (l1 = rt1->type_decls, l2 = rt2->type_decls; l1 && l2;
-       l1 = __bro_list_next(l1), l2 = __bro_list_next(l2))
-    {
-      if (! __bro_type_decl_cmp((BroTypeDecl*) __bro_list_data(l1),
-				(BroTypeDecl*) __bro_list_data(l2)))
-	D_RETURN_(FALSE);
-    }
-  
-  if (l1 || l2)
-    D_RETURN_(FALSE);
-  
-  D_RETURN_(TRUE);
-}
-
-
-BroIndexType *
-__bro_index_type_new(void)
-{
-  BroIndexType *it;
-  
-  D_ENTER;
-  
-  if (! (it = calloc(1, sizeof(BroIndexType))))
-    D_RETURN_(NULL);
-  
-  __bro_index_type_init(it);
-
-  D_RETURN_(it);
-}
-
-static void
-__bro_index_type_init(BroIndexType *it)
-{
-  BroSObject *sobj = (BroSObject *) it;
-
-  D_ENTER;
-  
-  __bro_type_init((BroType *) it);
-  
-  sobj->read  = (BroSObjectRead) __bro_index_type_read;
-  sobj->write = (BroSObjectWrite) __bro_index_type_write;
-  sobj->free  = (BroSObjectFree) __bro_index_type_free;
-  sobj->clone = (BroSObjectClone) __bro_index_type_clone;
-  sobj->hash  = (BroSObjectHash) __bro_index_type_hash;
-  sobj->cmp   = (BroSObjectCmp) __bro_index_type_cmp;
-  
-  sobj->type_id = SER_INDEX_TYPE;
-  
-  D_RETURN;
-}
-
-static void
-__bro_index_type_free(BroIndexType *it)
-{
-  D_ENTER;
-  
-  __bro_sobject_release((BroSObject *) it->indices);
-  __bro_sobject_release((BroSObject *) it->yield_type);
-  __bro_type_free((BroType *) it);
-  
-  D_RETURN;
-}
-
-void
-__bro_index_type_set_indices(BroIndexType *it, BroTypeList *indices)
-{
-  BroTypeList *tl;
-
-  D_ENTER;
-
-  if (! it || ! indices)
-    D_RETURN;
-
-  if (! (tl = __bro_type_list_new()))
-    D_RETURN;
-
-  if (! __bro_type_list_clone(tl, indices))
-    {
-      __bro_type_list_free(tl);
-      D_RETURN;
-    }
-
-  it->indices = tl;
-
-  D_RETURN;
-}
-
-void
-__bro_index_type_set_yield_type(BroIndexType *it, BroType *yield_type)
-{
-  D_ENTER;
-  
-  if (! it || ! yield_type)
-    D_RETURN;
-  
-  if (! (it->yield_type = (BroType *) __bro_sobject_copy((BroSObject *) yield_type)))
-    D_RETURN;
-  
-  D_RETURN;
-}
-
-static int
-__bro_index_type_read(BroIndexType *it, BroConn *bc)
-{
-  char opt;
-
-  D_ENTER;
-
-  if (! __bro_type_read((BroType *) it, bc))
-    D_RETURN_(FALSE);
-
-  if (! __bro_buf_read_char(bc->rx_buf, &opt))
-    D_RETURN_(FALSE);
-  if (opt)
-    {
-      if (! (it->yield_type = (BroType *) __bro_sobject_unserialize(SER_TYPE, bc)))
-	D_RETURN_(FALSE);
-    }
-  
-  if (! (it->indices = (BroTypeList *) __bro_sobject_unserialize(SER_TYPE_LIST, bc)))
-    D_RETURN_(FALSE);
-
-  D_RETURN_(TRUE);  
-}
-
-static int
-__bro_index_type_write(BroIndexType *it, BroConn *bc)
-{
-  D_ENTER;
-
-  if (! __bro_type_write((BroType *) it, bc))
-    D_RETURN_(FALSE);
-
-  if (! __bro_buf_write_char(bc->tx_buf, it->yield_type ? 1 : 0))
-    D_RETURN_(FALSE);
-
-  if (it->yield_type && ! __bro_sobject_serialize((BroSObject *) it->yield_type, bc))
-    D_RETURN_(FALSE);
-  
-  if (! __bro_sobject_serialize((BroSObject *) it->indices, bc))
-    D_RETURN_(FALSE);
-  
-  D_RETURN_(TRUE);
-}
-
-static int
-__bro_index_type_clone(BroIndexType *dst, BroIndexType *src)
-{
-  D_ENTER;
-
-  if (! __bro_type_clone((BroType *) dst, (BroType *) src))
-    D_RETURN_(FALSE);
-
-  if (src->yield_type && ! (dst->yield_type = (BroType *) __bro_sobject_copy((BroSObject *) src->yield_type)))
-    D_RETURN_(FALSE);
-
-  if (! (dst->indices = (BroTypeList *) __bro_sobject_copy((BroSObject *) src->indices)))
-    D_RETURN_(FALSE);
-
-  D_RETURN_(TRUE);
-}
-
-static uint32
-__bro_index_type_hash(BroIndexType *it)
-{
-  uint32 result;
-
-  D_ENTER;
-
-  if (! it)
-    D_RETURN_(0);
-
-  result = __bro_type_list_hash(it->indices);
-  result ^= __bro_sobject_hash((BroSObject*) it->yield_type);
-
-  D_RETURN_(result);
-}
-
-static int
-__bro_index_type_cmp(BroIndexType *it1, BroIndexType *it2)
-{
-  D_ENTER;
-
-  if (! it1 || ! it2)
-    D_RETURN_(FALSE);
-
-  if (! __bro_type_list_cmp(it1->indices, it2->indices) ||
-      ! __bro_sobject_cmp((BroSObject*) it1->yield_type,
-			  (BroSObject*) it2->yield_type))
-    D_RETURN_(FALSE);
-  
-  D_RETURN_(TRUE);
-}
-
-
-BroTableType *
-__bro_table_type_new(void)
-{
-  BroTableType *tt;
-  
-  D_ENTER;
-  
-  if (! (tt = calloc(1, sizeof(BroTableType))))
-    D_RETURN_(NULL);
-  
-  __bro_table_type_init(tt);
-
-  D_RETURN_(tt);
-}
-
-static void
-__bro_table_type_init(BroTableType *tt)
-{
-  BroSObject *sobj = (BroSObject *) tt;
-
-  D_ENTER;
-  
-  __bro_index_type_init((BroIndexType *) tt); 
-
-  sobj->read  = (BroSObjectRead) __bro_table_type_read;
-  sobj->write = (BroSObjectWrite) __bro_table_type_write;
-  sobj->free  = (BroSObjectFree) __bro_table_type_free;
-  sobj->clone = (BroSObjectClone) __bro_table_type_clone;
-  sobj->hash  = (BroSObjectHash) __bro_table_type_hash;
-  sobj->cmp   = (BroSObjectCmp) __bro_table_type_cmp;
-  
-  sobj->type_id = SER_TABLE_TYPE;
-  
-  D_RETURN;
-}
-
-static void
-__bro_table_type_free(BroTableType *tt)
-{
-  D_ENTER;
-  __bro_index_type_free((BroIndexType *) tt);  
-  D_RETURN;
-}
-
-static int
-__bro_table_type_read(BroTableType *tt, BroConn *bc)
-{
-  D_ENTER;
-  
-  if (! __bro_index_type_read((BroIndexType *) tt, bc))
-    D_RETURN_(FALSE);
-
-  D_RETURN_(TRUE);
-}
-
-static int
-__bro_table_type_write(BroTableType *tt, BroConn *bc)
-{
-  D_ENTER;
-
-  if (! __bro_index_type_write((BroIndexType *) tt, bc))
-    D_RETURN_(FALSE);
-
-  D_RETURN_(TRUE);
-}
-
-static int
-__bro_table_type_clone(BroTableType *dst, BroTableType *src)
-{
-  D_ENTER;
-  
-  if (! __bro_index_type_clone((BroIndexType *) dst, (BroIndexType *) src))
-    D_RETURN_(FALSE);
-  
-  D_RETURN_(TRUE);
-}
-
-static uint32
-__bro_table_type_hash(BroTableType *tt)
-{
-  uint32 result;
-
-  D_ENTER;
-  result = __bro_index_type_hash((BroIndexType*) tt);
-  D_RETURN_(result);
-}
-
-static int
-__bro_table_type_cmp(BroTableType *tt1, BroTableType *tt2)
-{
-  D_ENTER;
-  
-  if (! tt1 || ! tt2)
-    D_RETURN_(FALSE);
-
-  D_RETURN_(__bro_index_type_cmp((BroIndexType*) tt1,
-				 (BroIndexType*) tt2));
-}
-
-
-BroSetType *
-__bro_set_type_new(void)
-{
-  BroSetType *st;
-  
-  D_ENTER;
-  
-  if (! (st = calloc(1, sizeof(BroSetType))))
-    D_RETURN_(NULL);
-  
-  __bro_set_type_init(st);
-  
-  D_RETURN_(st);
-}
-
-static void
-__bro_set_type_init(BroSetType *st)
-{
-  BroSObject *sobj = (BroSObject *) st;
-
-  D_ENTER;
-  
-  __bro_table_type_init((BroTableType *) st); 
-  
-  sobj->read  = (BroSObjectRead) __bro_set_type_read;
-  sobj->write = (BroSObjectWrite) __bro_set_type_write;
-  sobj->free  = (BroSObjectFree) __bro_set_type_free;
-  sobj->clone = (BroSObjectClone) __bro_set_type_clone;
-  sobj->hash  = (BroSObjectHash) __bro_set_type_hash;
-  sobj->cmp   = (BroSObjectCmp) __bro_set_type_cmp;
-  
-  sobj->type_id = SER_SET_TYPE;
-  
-  D_RETURN;
-}
-
-static void
-__bro_set_type_free(BroSetType *st)
-{
-  D_ENTER;  
-  __bro_table_type_free((BroTableType *) st);  
-  D_RETURN;
-}
-
-static int
-__bro_set_type_read(BroSetType *st, BroConn *bc)
-{
-  char opt;
-
-  D_ENTER;
-  
-  if (! __bro_table_type_read((BroTableType *) st, bc))
-    D_RETURN_(FALSE);
-
-  /* To allow unambiguous differentiation between tables and sets,
-   * we set the type tag to set here, in divergence of Bro's
-   * internal procedure.
-   */
-  ((BroType*) st)->tag = BRO_TYPE_SET;
-
-  if (! __bro_buf_read_char(bc->rx_buf, &opt))
-    D_RETURN_(FALSE);
-  if (opt)
-    {
-      D(("Error: expressions are not yet supported. Sorry.\n"));
-      D_RETURN_(FALSE);
-    }
-  
-  D_RETURN_(TRUE);
-}
-
-static int
-__bro_set_type_write(BroSetType *st, BroConn *bc)
-{
-  int ret;
-
-  D_ENTER;
-
-  /* Compatibility hack for Bro: its type tags don't differentiate
-   * between sets and tables (they always indicate table types), so
-   * we must ensure here that we do appear as a table type.
-   */
-  ((BroType*) st)->tag = BRO_TYPE_TABLE;  
-  ret = __bro_table_type_write((BroTableType *) st, bc);
-  ((BroType*) st)->tag = BRO_TYPE_SET;  
-  
-  if (! ret)
-    D_RETURN_(FALSE);
-  
-  /* We never send expressions. */
-  if (! __bro_buf_write_char(bc->tx_buf, FALSE))
-    D_RETURN_(FALSE);
-  
-  D_RETURN_(TRUE);
-}
-
-static int
-__bro_set_type_clone(BroSetType *dst, BroSetType *src)
-{
-  D_ENTER;
-  
-  if (! __bro_table_type_clone((BroTableType *) dst, (BroTableType *) src))
-    D_RETURN_(FALSE);
-  
-  D_RETURN_(TRUE);
-}
-
-static uint32
-__bro_set_type_hash(BroSetType *st)
-{
-  uint32 result;
-
-  D_ENTER;
-  result = __bro_table_type_hash((BroTableType*) st);
-  D_RETURN_(result);
-}
-
-static int
-__bro_set_type_cmp(BroSetType *st1, BroSetType *st2)
-{
-  int result;
-
-  D_ENTER;
-  
-  if (! st1 || ! st2)
-    D_RETURN_(FALSE);
-  
-  result = __bro_table_type_cmp((BroTableType*) st1,
-				(BroTableType*) st2);;
-  D_RETURN_(result);
-}
diff --git a/aux/broccoli/src/bro_type.h b/aux/broccoli/src/bro_type.h
deleted file mode 100644
index c8c92c4b6f..0000000000
--- a/aux/broccoli/src/bro_type.h
+++ /dev/null
@@ -1,124 +0,0 @@
-/*
-       B R O C C O L I  --  The Bro Client Communications Library
-
-Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to
-deal in the Software without restriction, including without limitation the
-rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-sell copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies of the Software and its documentation and acknowledgment shall be
-given in the documentation and software packages that this Software was
-used.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
-THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-*/
-#ifndef broccoli_type_h
-#define broccoli_type_h
-
-#include <bro_attrs.h>
-#include <bro_object.h>
-
-/* Internal types used to represent a Bro type.
- * Taken from Type.h.
- */
-#define BRO_INTTYPE_INT            1
-#define BRO_INTTYPE_UNSIGNED       2
-#define BRO_INTTYPE_DOUBLE         3
-#define BRO_INTTYPE_STRING         4
-#define BRO_INTTYPE_IPADDR         5
-#define BRO_INTTYPE_SUBNET         6
-#define BRO_INTTYPE_OTHER          7
-#define BRO_INTTYPE_ERROR          8
-
-/* typedefs are in bro_types.h */
-
-struct bro_type
-{
-  BroObject        object;
-
-  char             tag;
-  char             internal_tag;
-
-  char             is_nbo;
-  char             is_base_type;
-  char             is_global_attrs_type;
-  
-  /* Whether or not this is a complete type object or
-   * just the name of type. In the latter case, type_name
-   * (below) will contain the name of the type.
-   */
-  char             is_complete;
-
-  BroString        type_name;
-
-  BroRecordType   *attrs_type;
-};
-
-struct bro_type_list
-{
-  BroType          type;
-
-  uint32           num_types;
-  BroList         *types;
-  BroType         *pure_type;
-};
-
-struct bro_record_type
-{
-  BroType          type;
-
-  BroTypeList     *base;
-  uint32           num_fields;
-
-  uint32           num_types;
-  BroList         *type_decls;
-};
-
-struct bro_index_type
-{
-  BroType          type;
-
-  BroTypeList     *indices;
-  BroType         *yield_type; /* optional */
-};
-
-struct bro_table_type
-{
-  BroIndexType     type;
-};
-
-struct bro_set_type
-{
-  BroTableType     type;
-};
-
-BroType         *__bro_type_new(void);
-BroType         *__bro_type_new_of_type(int type, const char *type_name);
-void             __bro_type_set_incomplete_impl(BroType *type, const BroString *type_name);
-
-BroTypeList     *__bro_type_list_new(void);
-
-BroRecordType   *__bro_record_type_new(void);
-void             __bro_record_type_add_type(BroRecordType *rt, const char *field, BroType *type);
-const char      *__bro_record_type_get_nth_field(BroRecordType *rt, int num);
-
-BroIndexType    *__bro_index_type_new(void);
-void             __bro_index_type_set_indices(BroIndexType *it, BroTypeList *indices);
-void             __bro_index_tye_set_yield_type(BroIndexType *it, BroType *yield_type);
-
-BroTableType    *__bro_table_type_new(void);
-
-BroSetType      *__bro_set_type_new();
-
-#endif
diff --git a/aux/broccoli/src/bro_type_decl.c b/aux/broccoli/src/bro_type_decl.c
deleted file mode 100644
index 2c061ef875..0000000000
--- a/aux/broccoli/src/bro_type_decl.c
+++ /dev/null
@@ -1,196 +0,0 @@
-/*
-       B R O C C O L I  --  The Bro Client Communications Library
-
-Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to
-deal in the Software without restriction, including without limitation the
-rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-sell copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies of the Software and its documentation and acknowledgment shall be
-given in the documentation and software packages that this Software was
-used.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
-THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-*/
-#if HAVE_CONFIG_H
-# include <config.h>
-#endif
-
-#include <bro_debug.h>
-#include <bro_type_decl.h>
-
-BroTypeDecl *
-__bro_type_decl_new(void)
-{
-  BroTypeDecl *td;
-
-  D_ENTER;
-
-  if (! (td = calloc(1, sizeof(BroTypeDecl))))
-    D_RETURN_(NULL);
-
-  D_RETURN_(td);
-}
-
-
-BroTypeDecl     *
-__bro_type_decl_copy(BroTypeDecl *td)
-{
-  BroTypeDecl *copy;
-
-  D_ENTER;
-
-  if (! td)
-    D_RETURN_(NULL);
-
-  if (! (copy = __bro_type_decl_new()))
-    D_RETURN_(NULL);
-
-  if (td->attrs && ! (copy->attrs = (BroAttrs *) __bro_sobject_copy((BroSObject *) td->attrs)))
-    goto error_result;
-
-  if (td->type && ! (copy->type = (BroType *) __bro_sobject_copy((BroSObject *) td->type)))
-    goto error_result;
-  
-  if (! (bro_string_set_data(&copy->id,
-			     bro_string_get_data(&td->id),
-			     bro_string_get_length(&td->id))))
-    goto error_result;
-  
-  D_RETURN_(copy);
-  
- error_result:
-  __bro_type_decl_free(copy);
-  D_RETURN_(NULL);
-}
-
-
-void
-__bro_type_decl_free(BroTypeDecl *td)
-{
-  D_ENTER;
-
-  if (! td)
-    D_RETURN;
-  
-  __bro_sobject_release((BroSObject *) td->type);
-  __bro_sobject_release((BroSObject *) td->attrs);
-  bro_string_cleanup(&td->id);
-  free(td);
-  
-  D_RETURN;
-}
-
-
-int
-__bro_type_decl_read(BroTypeDecl *td, BroConn *bc)
-{
-  char opt;
-
-  D_ENTER;
-
-  if (! td || !bc)
-    D_RETURN_(FALSE);
-
-  /* Read an optional BroAttrs */
-
-  if (td->attrs)
-    __bro_sobject_release((BroSObject *) td->attrs);
-  td->attrs = NULL;
-
-  if (! __bro_buf_read_char(bc->rx_buf, &opt))
-    D_RETURN_(FALSE);
-  if (opt)
-    {
-      if (! (td->attrs = (BroAttrs *) __bro_sobject_unserialize(SER_ATTRIBUTES, bc)))
-	D_RETURN_(FALSE);
-    }
-
-  /* Read a type */
-
-  if (td->type)
-    __bro_sobject_release((BroSObject *) td->type);
-  td->type = NULL;
-
-  if (! (td->type = (BroType *) __bro_sobject_unserialize(SER_IS_TYPE, bc)))
-    D_RETURN_(FALSE);
-
-  /* Read ID name string */
-  
-  bro_string_cleanup(&td->id);
-  if (! __bro_buf_read_string(bc->rx_buf, &td->id))
-    D_RETURN_(FALSE);
-
-  D_RETURN_(TRUE);
-}
-
-
-int
-__bro_type_decl_write(BroTypeDecl *td, BroConn *bc)
-{
-  D_ENTER;
-
-  if (! td || !bc)
-    D_RETURN_(FALSE);
-
-  if (! __bro_buf_write_char(bc->tx_buf, td->attrs ? 1 : 0))
-    D_RETURN_(FALSE);
-
-  if (td->attrs && ! __bro_sobject_serialize((BroSObject *) td->attrs, bc))
-    D_RETURN_(FALSE);
-  
-  if (! __bro_sobject_serialize((BroSObject *) td->type, bc))
-    D_RETURN_(FALSE);
-
-  if (! __bro_buf_write_string(bc->tx_buf, &td->id))
-    D_RETURN_(FALSE);
-  
-  D_RETURN_(TRUE);
-}
-
-
-uint32
-__bro_type_decl_hash(BroTypeDecl *td)
-{
-  uint32 result;
-
-  D_ENTER;
-
-  if (! td)
-    D_RETURN_(0);
-
-  result = __bro_ht_str_hash(td->id.str_val);
-  result ^= __bro_sobject_hash((BroSObject*) td->attrs);
-  result ^= __bro_sobject_hash((BroSObject*) td->type);
-
-  D_RETURN_(result);
-}
-
-
-int
-__bro_type_decl_cmp(BroTypeDecl *td1, BroTypeDecl *td2)
-{
-  D_ENTER;
-
-  if (! td1 || ! td2)
-    D_RETURN_(FALSE);
-
-  if (! __bro_sobject_cmp((BroSObject*) td1->attrs, (BroSObject*) td2->attrs) ||
-      ! __bro_sobject_cmp((BroSObject*) td1->type, (BroSObject*) td2->type))
-    D_RETURN_(FALSE);  
-  
-  D_RETURN_(TRUE);
-}
-
-
diff --git a/aux/broccoli/src/bro_type_decl.h b/aux/broccoli/src/bro_type_decl.h
deleted file mode 100644
index 8c579e5ed4..0000000000
--- a/aux/broccoli/src/bro_type_decl.h
+++ /dev/null
@@ -1,53 +0,0 @@
-/*
-       B R O C C O L I  --  The Bro Client Communications Library
-
-Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to
-deal in the Software without restriction, including without limitation the
-rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-sell copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies of the Software and its documentation and acknowledgment shall be
-given in the documentation and software packages that this Software was
-used.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
-THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-*/
-#ifndef broccoli_type_decl_h
-#define broccoli_type_decl_h
-
-#include <bro_attrs.h>
-#include <bro_type.h>
-
-/* BroTypeDecls live outside the inheritance chain and are currently
- * only of interest for bro_type.c. The function names only resemble
- * the virtualized ones for easier integration with the virtualized
- * code.
- */
-
-typedef struct bro_type_decl
-{
-  BroAttrs        *attrs;
-  BroType         *type;
-  BroString        id;
-} BroTypeDecl;
-
-BroTypeDecl *__bro_type_decl_new(void);
-BroTypeDecl *__bro_type_decl_copy(BroTypeDecl *td);
-void         __bro_type_decl_free(BroTypeDecl *td);
-int          __bro_type_decl_read(BroTypeDecl *td, BroConn *bc);
-int          __bro_type_decl_write(BroTypeDecl *td, BroConn *bc);
-uint32       __bro_type_decl_hash(BroTypeDecl *td);
-int          __bro_type_decl_cmp(BroTypeDecl *td1, BroTypeDecl *td2);
-
-#endif
diff --git a/aux/broccoli/src/bro_types.h b/aux/broccoli/src/bro_types.h
deleted file mode 100644
index 847125413b..0000000000
--- a/aux/broccoli/src/bro_types.h
+++ /dev/null
@@ -1,414 +0,0 @@
-/*
-       B R O C C O L I  --  The Bro Client Communications Library
-
-Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to
-deal in the Software without restriction, including without limitation the
-rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-sell copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies of the Software and its documentation and acknowledgment shall be
-given in the documentation and software packages that this Software was
-used.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
-THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-*/
-#ifndef broccoli_types_h
-#define broccoli_types_h
-
-#include <sys/queue.h>
-#include <openssl/bio.h>
-
-#include <broccoli.h>
-#include <bro_buf.h>
-#include <bro_hashtable.h>
-#include <bro_list.h>
-#include <bro_openssl.h>
-
-/* Protocol version */
-#define BRO_PROTOCOL_VERSION       0x06
-
-/* Data format version */
-#define BRO_DATA_FORMAT_VERSION    18
-
-/* The maximum number of messages we queue before we start
- * dropping messages. Might be worth moving this to the
- * config file.
- *
- * FIXME: this should become configurable via the config file.
- *
- */
-#define BRO_MSG_QUEUELEN_MAX      1000
-
-/* Message codes, taken from RemoteSerializer.cc.
- * Don't know why the hex -- 0a-0f seem to be missing.
- * Doesn't really matter though.
- */
-#define BRO_MSG_NONE               0x00
-#define BRO_MSG_VERSION            0x01
-#define BRO_MSG_SERIAL             0x02
-#define BRO_MSG_CLOSE              0x03
-#define BRO_MSG_CLOSE_ALL          0x04
-#define BRO_MSG_ERROR              0x05
-#define BRO_MSG_CONNECTTO          0x06
-#define BRO_MSG_CONNECTED          0x07
-#define BRO_MSG_REQUEST            0x08
-#define BRO_MSG_LISTEN             0x09
-#define BRO_MSG_LISTEN_STOP        0x0a
-#define BRO_MSG_STATS              0x0b
-#define BRO_MSG_CAPTURE_FILTER     0x0c
-#define BRO_MSG_REQUEST_SYNC       0x0d
-#define BRO_MSG_PHASE_DONE         0x0e
-#define BRO_MSG_PING               0x0f
-#define BRO_MSG_PONG               0x10
-#define BRO_MSG_CAPS               0x11
-#define BRO_MSG_COMPRESS           0x12
-#define BRO_MSG_MAX                0x13
-
-/* State of the handshake of a connection. Both sides
- * can be in the handshake phase or have finished it.
- */
-#define BRO_CONNSTATE_SETUP        0 /* Version numbers, cache size...*/
-#define BRO_CONNSTATE_HANDSHAKE    1 /* Event request, capabilities... */
-#define BRO_CONNSTATE_SYNC         2 /* State synchronization */
-#define BRO_CONNSTATE_RUNNING      3 /* Up and running. */
-
-/* Capabilities we might have.
- */
-#define BRO_CAP_COMPRESS           1
-#define BRO_CAP_DONTCACHE          2
-
-/* Message payload types -- these do not
- * respond to anything inside Bro and are
- * used only locally.
- */
-#define BRO_MSG_CONT_NONE          0
-#define BRO_MSG_CONT_RAW           1 /* BroBufs, for strings, integer arrays, etc */
-#define BRO_MSG_CONT_EVENT         2 /* Events */
-#define BRO_MSG_CONT_REQUEST       3 /* Requests for events etc */
-#define BRO_MSG_CONT_PACKET        4 /* Pcap packets */
-
-/* Messages between master process and I/O handler in
- * shared connections case.
- */
-#define BRO_IOMSG_NONE             0
-#define BRO_IOMSG_STOP             1
-#define BRO_IOMSG_READ             2
-#define BRO_IOMSG_WRITE            3
-
-/* Event handler callback invocation styles
- */
-#define BRO_CALLBACK_EXPANDED      0 /* Each argument passed separately */
-#define BRO_CALLBACK_COMPACT       1 /* All arguments passed as a single BroEvArg* */
-
-typedef struct bro_type BroType;
-typedef struct bro_type_list BroTypeList;
-typedef struct bro_record_type BroRecordType;
-typedef struct bro_index_type BroIndexType;
-typedef struct bro_table_type BroTableType;
-typedef struct bro_set_type BroSetType;
-
-typedef struct bro_id BroID;
-typedef struct bro_val BroVal;
-typedef struct bro_list_val BroListVal;
-typedef struct bro_mutable_val BroMutableVal;
-typedef struct bro_record_val BroRecordVal;
-typedef struct bro_table_val BroTableVal;
-
-typedef struct bro_msg_header BroMsgHeader;
-typedef struct bro_msg BroMsg;
-typedef struct bro_event_reg BroEventReg;
-typedef struct bro_event_handler BroEventHandler;
-typedef struct bro_event_cb BroEventCB;
-typedef struct bro_request BroRequest;
-
-/* General per-connection state information that we keep in a separate
- * structure so we can put it into shared memory if required. This is
- * a remnant from older code, but seems to make sense to preserve.
- */
-typedef struct bro_conn_state
-{
-  /* Whether we are currently attempting a reconnect. Used to make
-   * sure we do not attempt reconnects while we are attempting a 
-   * reconnect. :)
-   */
-  int                          in_reconnect;
-  
-  /* Timestamp of the last reconnection attempt of this connection. */
-  time_t                       last_reconnect;
-  
-  
-  /* Flags declaring whether or not individual transmission
-   * directions have shut down (e.g., because of an error).
-   */
-  int                          tx_dead;
-  int                          rx_dead;
-
-  /* State of the connection, for ourselves and the peer.
-   * Connections go through a 
-   *
-   *   (1) setup
-   *   (2) handshake
-   *   (3) state synchronization
-   *   (4) normal operation
-   *
-   * lifecycle, of which phase 3 is optional.
-   */
-  int                          conn_state_self;
-  int                          conn_state_peer;
-
-  /* True if the other side has requested synchronized state. Then
-   * there is an additional phase in the communication. 
-   */
-  int                          sync_state_requested;
-
-  /* Messages for I/O handler. Only used in shared connection case. */
-  int                          io_msg;
-
-  /* If != 0, ID of writer process for messages in the tx buffer. */
-  pid_t                        io_pid;
-  
-} BroConnState;
-
-
-/* The most important structure: Bro connection handles.
- * =====================================================
- */
-struct bro_conn
-{
-  /* Flags set for this connection at creation time by the user.
-   */
-  int                          conn_flags;
-  
-  /* Two numerical values used for creating identifiers based on
-   * connection handles.
-   */
-  pid_t                        id_pid;
-  int                          id_num;
-
-  /* The peer we connect to, in <host>:<ip> format */
-  char                        *peer;
-
-  /* The class of this connection. It's just an (optional) string.
-   * If set, gets sent in the setup phase of the connection's
-   * configuration.
-   */
-  char                        *class;
-
-  /* A similar class identifier, if sent by the remote side. */
-  char                        *peer_class;
-
-  /* OpenSSL I/O buffer for communication regardless of whether
-   * we're using encryption or not.
-   */
-  BIO                         *bio;
-
-  /* Incoming data are buffered in the following buffer
-   * structure. Each time data arrive, Broccoli checks
-   * whether there's enough data in the buffer to do
-   * anything useful with in, in which case those data
-   * are consumed and make room for more input.
-   *
-   * The main purpose of the buffer is to disconnect
-   * the arrival of data from the time of processing
-   * because we want to avoid blocking of the instrumented
-   * application by all means.
-   *
-   * Note that the buffers are used in the code directly
-   * as rx_buf/tx_buf, but may actually live in the shared
-   * memory segments pointed to by rx_buf_shm/tx_buf_shm.
-   */
-  BroBuf                      *rx_buf;
-
-  /* Fields to mark the currently processed event in the
-   * input buffer if event is currently processed, NULLs
-   * otherwise:
-   */
-  const char                  *rx_ev_start;
-  const char                  *rx_ev_end;
-
-  /* Similar buffer for outgoing data:
-   */
-  BroBuf                      *tx_buf;
-
-  /* A message queue plus its length counter for messages
-   * that we haven't yet sent to the peer.
-   */
-  TAILQ_HEAD(mqueue, bro_msg)  msg_queue;
-  uint                         msg_queue_len;
-
-  /* A hashtable of all the names of events the peer accepts
-   * from us.
-   */
-  BroHT                       *ev_mask;
-
-  /* We maintain an event handler registry per conection:
-   * these registries define callbacks for events that we
-   * receive and at the same time can be using to request
-   * event delivery from the peering Bro agent.
-   */
-  BroEventReg                 *ev_reg;
-
-  /* Serialization data are cached when they will be
-   * repeated identically. To handle this, there's a per-
-   * connection cache implemented as a hash table:
-   */
-  BroHT                       *io_cache;
-
-  /* Size limit for io_cache. *Must* match MAX_CACHE_SIZE
-   * value defined in Bro's RemoteSerialier.cc.
-   */
-  int                          io_cache_maxsize;
-
-  /* Storage for arbitrary user data:
-   */
-  BroHT                       *data;
-
-#ifdef BRO_PCAP_SUPPORT
-  uint32                       pcap_link_type;
-#endif
-
-  /* General connection state */
-  BroConnState                *state;
-
-  /* Externally provided socket to be used for connection. */
-  int                         socket;
-};
-
-struct bro_msg_header
-{
-  char                         hdr_type;
-  uint32                       hdr_peer_id;
-};
-
-struct bro_msg
-{
-  /* Messages get queued inside BroConns.
-   * These are the list pointers for that.
-   */
-  TAILQ_ENTRY(bro_msg)         msg_queue;
-  uint32                       msg_size;
-  
-  /* Header of the message, a CMsg in Bro.
-   */
-  struct bro_msg_header        msg_header;
-
-  /* A counter for identifying this message. Not used otherwise. */
-  int                          msg_num;
-
-  /* We know the header size, but we need to store it
-   * somewhere when we send the message. We use this:
-   */
-  uint32                       msg_header_size;
-
-  /* A BRO_MSG_CONT_xxx value to identify the type of
-   * data in the union below. This is easier to use than
-   * using the type field in the message header all the time.
-   */
-  char                         msg_cont_type; 
-
-  union {
-    BroBuf                    *msg_raw;
-    BroEvent                  *msg_ev;
-    BroRequest                *msg_req;
-#ifdef BRO_PCAP_SUPPORT
-    BroPacket                 *msg_packet;
-#endif
-  } msg_cont;
-
-#define msg_cont_raw     msg_cont.msg_raw
-#define msg_cont_ev      msg_cont.msg_ev
-#define msg_cont_req     msg_cont.msg_req
-#define msg_cont_packet  msg_cont.msg_packet
-};
-
-struct bro_event
-{
-  /* Name of the event, as listed in event.bif.
-   */
-  BroString                    name;
-  
-  /* Timestamp (seconds since epoch) of creation of event.
-   */
-  double                       ts;
-
-  /* A list of values to pass to the event, plus the
-   * length of the list.
-   */
-  BroList                     *val_list;
-  int                          val_len;
-};
-
-
-struct bro_request
-{
-  int                          req_len;
-  char                        *req_dat;
-};
-
-/* The Bro event registry:
- * =======================
- *
- * Each Bro connection handle contains a BroEventReg structure.
- * In it, a list of BroEventHandlers registered. Each
- * handler represents one particular type of event that can
- * be received, and contains a list of BroEventCBs. Each of
- * those represents one actual callback performed when an
- * event for the handler is received (similarly to Bro, Broccoli
- * can have multiple event handlers for a single event type).
- *
- * Since the number and type of each event will vary, the callback
- * mechanism becomes a little tricky. When an event is received,
- * its parameters are deserialized accordingly. The registered
- * callbacks are then called with POINTERS to all these values --
- * since the size of a pointer is always the same no matter what
- * it's pointing to, we can in fact call the callbacks with
- * pointers to all these arguments. The number of parameters is
- * currently limited to a maximum of 15. If you need that many,
- * chances are you'll forget one anyway ;)
- */
-
-struct bro_event_cb
-{
-  TAILQ_ENTRY(bro_event_cb)    cb_list;
-
-  /* One of the various styles of callbacks,
-   * identified by cb_style below.
-   */
-  union {
-    BroEventFunc               cb_expd;  
-    BroCompactEventFunc        cb_comp;  
-  } cb_func;
-
-#define cb_expanded_func       cb_func.cb_expd
-#define cb_compact_func        cb_func.cb_comp
-
-  void                        *cb_user_data;
-  int                          cb_style; /* A BRO_CALLBACK_xxx value */
-};
-
-struct bro_event_handler
-{
-  char                        *ev_name;
-
-  TAILQ_ENTRY(bro_event_handler) handler_list;
-  TAILQ_HEAD(cblist, bro_event_cb) cb_list;
-};
-
-struct bro_event_reg
-{
-  TAILQ_HEAD(hlist, bro_event_handler) handler_list;
-  int                          num_handlers;
-};
-
-#endif 
diff --git a/aux/broccoli/src/bro_util.c b/aux/broccoli/src/bro_util.c
deleted file mode 100644
index 1bd1240799..0000000000
--- a/aux/broccoli/src/bro_util.c
+++ /dev/null
@@ -1,131 +0,0 @@
-/*
-       B R O C C O L I  --  The Bro Client Communications Library
-
-Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to
-deal in the Software without restriction, including without limitation the
-rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-sell copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies of the Software and its documentation and acknowledgment shall be
-given in the documentation and software packages that this Software was
-used.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
-THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-*/
-#if HAVE_CONFIG_H
-# include <config.h>
-#endif
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <stdarg.h>
-#include <sys/time.h>
-
-#ifdef __EMX__
-#include <strings.h>
-#endif 
-
-#include <bro_util.h>
-
-#ifdef __MINGW32__
-
-/* MinGW does not define a gettimeofday so we need to roll our own.
- * This one is largely following 
- * http://lists.gnu.org/archive/html/bug-gnu-chess/2004-01/msg00020.html
- */
-
-static int
-gettimeofday(struct timeval* p, void* tz /* IGNORED */){
-  union {
-    long long ns100; /*time since 1 Jan 1601 in 100ns units */
-    FILETIME ft;
-  } _now;
-  
-  GetSystemTimeAsFileTime( &(_now.ft) );
-  p->tv_usec=(long)((_now.ns100 / 10LL) % 1000000LL );
-  p->tv_sec= (long)((_now.ns100-(116444736000000000LL))/10000000LL);
-  return 0;
-}
-#endif
-
-
-int
-__bro_util_snprintf(char *str, size_t size, const char *format, ...)
-{
-  int result;
-  va_list al;
-  va_start(al, format);
-  result = vsnprintf(str, size, format, al);
-  va_end(al);
-  str[size-1] = '\0';
-  
-  return result;
-}
-
-void
-__bro_util_fill_subnet(BroSubnet *sn, uint32 net, uint32 width)
-{
-  if (! sn)
-    return;
-
-  sn->sn_net = net;
-  sn->sn_width = width;
-}
-
-
-double
-__bro_util_get_time(void)
-{
-  struct timeval tv;
-  
-  if (gettimeofday(&tv, 0) < 0)
-    return 0.0;
-  
-  return __bro_util_timeval_to_double(&tv);
-}
-
-
-double
-__bro_util_timeval_to_double(const struct timeval *tv)
-{
-  if (! tv)
-    return 0.0;
-
-  return ((double) tv->tv_sec) + ((double) tv->tv_usec) / 1000000;
-}
-
-#ifndef WORDS_BIGENDIAN
-double
-__bro_util_htond(double d)
-{
-  /* Should work as long as doubles have an even length */
-  int i, dsize;
-  double tmp;
-  char* src = (char*) &d;
-  char* dst = (char*) &tmp;
-  
-  dsize = sizeof(d) - 1;
-  
-  for (i = 0; i <= dsize; i++)
-    dst[i] = src[dsize - i];
-  
-  return tmp;
-}
-
-double
-__bro_util_ntohd(double d)
-{
-  return __bro_util_htond(d);
-}
-#endif
diff --git a/aux/broccoli/src/bro_util.h b/aux/broccoli/src/bro_util.h
deleted file mode 100644
index 4d56454230..0000000000
--- a/aux/broccoli/src/bro_util.h
+++ /dev/null
@@ -1,58 +0,0 @@
-/*
-       B R O C C O L I  --  The Bro Client Communications Library
-
-Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to
-deal in the Software without restriction, including without limitation the
-rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-sell copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies of the Software and its documentation and acknowledgment shall be
-given in the documentation and software packages that this Software was
-used.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
-THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-*/
-#ifndef broccoli_util_h
-#define broccoli_util_h
-
-#include <broccoli.h>
-
-#if HAVE_CONFIG_H
-# include <config.h>
-#endif
-
-#ifndef MIN
-#define MIN(a,b) (((a)<(b))?(a):(b))
-#endif
-#ifndef MAX
-#define	MAX(a,b) (((a)>(b))?(a):(b))
-#endif
-
-int      __bro_util_snprintf(char *str, size_t size, const char *format, ...);
-
-void     __bro_util_fill_subnet(BroSubnet *sn, uint32 net, uint32 width);
-
-double   __bro_util_get_time(void);
-
-double   __bro_util_timeval_to_double(const struct timeval *tv);
-
-#ifdef WORDS_BIGENDIAN
-#define  __bro_util_ntohd(x) x
-#define  __bro_util_htond(x) x
-#else
-double   __bro_util_htond(double d);
-double   __bro_util_ntohd(double d);
-#endif
-
-#endif
diff --git a/aux/broccoli/src/bro_val.c b/aux/broccoli/src/bro_val.c
deleted file mode 100644
index 33502a3337..0000000000
--- a/aux/broccoli/src/bro_val.c
+++ /dev/null
@@ -1,1863 +0,0 @@
-/*
-       B R O C C O L I  --  The Bro Client Communications Library
-
-Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to
-deal in the Software without restriction, including without limitation the
-rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-sell copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies of the Software and its documentation and acknowledgment shall be
-given in the documentation and software packages that this Software was
-used.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
-THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-*/
-#if HAVE_CONFIG_H
-# include <config.h>
-#endif
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <sys/types.h>
-#include <string.h>
-#include <unistd.h>
-#include <errno.h>
-#include <sys/time.h>
-
-#ifdef __EMX__
-#include <strings.h>
-#endif 
-
-#include <bro_types.h>
-#include <bro_type.h>
-#include <bro_io.h>
-#include <bro_debug.h>
-#include <bro_val.h>
-#include <bro_record.h>
-#include <bro_table.h>
-
-/* The virtual implementations of BroSObject's functions are
- * kept static in this module, and so are the ..._init() methods
- * not currently needed by other, derived classes.
- */
-static void             __bro_val_init(BroVal *val);
-static void             __bro_val_free(BroVal *val);
-static int              __bro_val_read(BroVal *val, BroConn *bc);
-static int              __bro_val_write(BroVal *val, BroConn *bc);
-static int              __bro_val_clone(BroVal *dst, BroVal *src);
-static uint32           __bro_val_hash(BroVal *val);
-static int              __bro_val_cmp(BroVal *val1, BroVal *val2);
-static void            *__bro_val_get(BroVal *val);
-
-static void             __bro_list_val_init(BroListVal *lv);
-static void             __bro_list_val_free(BroListVal *lv);
-static int              __bro_list_val_read(BroListVal *lv, BroConn *bc);
-static int              __bro_list_val_write(BroListVal *lv, BroConn *bc);
-static int              __bro_list_val_clone(BroListVal *dst, BroListVal *src);
-static uint32           __bro_list_val_hash(BroListVal *lv);
-static int              __bro_list_val_cmp(BroListVal *lv1, BroListVal *lv2);
-static BroList         *__bro_list_val_get(BroListVal *lv);
-
-static void             __bro_mutable_val_init(BroMutableVal *mv);
-static void             __bro_mutable_val_free(BroMutableVal *mv);
-static int              __bro_mutable_val_read(BroMutableVal *mv, BroConn *bc);
-static int              __bro_mutable_val_write(BroMutableVal *mv, BroConn *bc);
-static int              __bro_mutable_val_clone(BroMutableVal *dst, BroMutableVal *src);
-static uint32           __bro_mutable_val_hash(BroMutableVal *mv);
-static int              __bro_mutable_val_cmp(BroMutableVal *mv1, BroMutableVal *mv2);
-
-static void             __bro_record_val_init(BroRecordVal *rv);
-static void             __bro_record_val_free(BroRecordVal *rv);
-static int              __bro_record_val_read(BroRecordVal *rv, BroConn *bc);
-static int              __bro_record_val_write(BroRecordVal *rv, BroConn *bc);
-static int              __bro_record_val_clone(BroRecordVal *dst, BroRecordVal *src);
-static uint32           __bro_record_val_hash(BroRecordVal *rv);
-static int              __bro_record_val_cmp(BroRecordVal *rv1, BroRecordVal *rv2);
-static void            *__bro_record_val_get(BroRecordVal *rv);
-
-static void             __bro_table_val_init(BroTableVal *tv);
-static void             __bro_table_val_free(BroTableVal *tv);
-static int              __bro_table_val_read(BroTableVal *tv, BroConn *bc);
-static int              __bro_table_val_write(BroTableVal *tv, BroConn *bc);
-static int              __bro_table_val_clone(BroTableVal *dst, BroTableVal *src);
-static uint32           __bro_table_val_hash(BroTableVal *tv);
-static int              __bro_table_val_cmp(BroTableVal *tv1, BroTableVal *tv2);
-static void            *__bro_table_val_get(BroTableVal *tv);
-
-BroVal *
-__bro_val_new(void)
-{
-  BroVal *val;
-
-  D_ENTER;
-
-  if (! (val = calloc(1, sizeof(BroVal))))
-    D_RETURN_(NULL);
-
-  __bro_val_init(val);
-
-  D_RETURN_(val);
-}
-
-
-BroVal *
-__bro_val_new_of_type(int type, const char *type_name)
-{
-  BroVal *val;
-
-  D_ENTER;
-
-  switch (type)
-    {
-    case BRO_TYPE_BOOL:
-    case BRO_TYPE_INT:
-    case BRO_TYPE_COUNT:
-    case BRO_TYPE_COUNTER:
-    case BRO_TYPE_DOUBLE:
-    case BRO_TYPE_TIME:
-    case BRO_TYPE_INTERVAL:
-    case BRO_TYPE_STRING:
-    case BRO_TYPE_TIMER:
-    case BRO_TYPE_PORT:
-    case BRO_TYPE_IPADDR:
-    case BRO_TYPE_NET:
-    case BRO_TYPE_SUBNET:
-    case BRO_TYPE_ENUM:
-      if (! (val = __bro_val_new()))
-	D_RETURN_(NULL);
-      break;
-      
-    case BRO_TYPE_SET:
-      /* A hack -- sets are table vals, but have set type,
-       * at least while Bro still has SetType.
-       */
-    case BRO_TYPE_TABLE:
-      if (! (val = (BroVal *) __bro_table_val_new()))
-	D_RETURN_(NULL);
-      break;
-
-    case BRO_TYPE_RECORD:
-      if (! (val = (BroVal *) __bro_record_val_new()))
-	D_RETURN_(NULL);
-      break;
-      
-    case BRO_TYPE_PATTERN:
-    case BRO_TYPE_ANY:
-    case BRO_TYPE_UNION:
-    case BRO_TYPE_LIST:
-    case BRO_TYPE_FUNC:
-    case BRO_TYPE_FILE:
-    case BRO_TYPE_VECTOR:
-    case BRO_TYPE_ERROR:
-    default:
-      D(("Unsupported value type %i\n", type));
-      D_RETURN_(NULL);
-    }
-  
-  if (! (val->val_type = __bro_type_new_of_type(type, type_name)))
-    {
-      __bro_val_free(val);
-      D_RETURN_(NULL);
-    }
-  
-  D_RETURN_(val);
-}
-
-
-int
-__bro_val_assign(BroVal *val, const void *data)
-{
-  D_ENTER;
-
-  if (! val)
-    {
-      D(("Input error: (%p, %p)\n", val, data));
-      D_RETURN_(FALSE);
-    }
-  
-  if (! data)
-    {
-      if (val->val_type)
-	{
-	  __bro_sobject_release((BroSObject *) val->val_type);
-	  val->val_type = NULL;
-	}
-
-      D(("Marked val %p as unassigned.\n", val));
-      D_RETURN_(TRUE);
-    }
-
-
-  /* If we intend to assign data to the val, it must have a type. */
-  if (! val->val_type)
-    {
-      D(("Cannot assign to val without a type.\n"));
-      D_RETURN_(FALSE);
-    }
-
-  switch (val->val_type->tag)
-    {
-    case BRO_TYPE_BOOL:
-      {
-	int tmp = *((int *) data);
-	val->val.char_val = (tmp != 0 ? 1 : 0);
-      }
-      break;
-
-    case BRO_TYPE_INT:
-    case BRO_TYPE_COUNT:
-    case BRO_TYPE_COUNTER:
-    case BRO_TYPE_ENUM:
-      val->val_int = *((int *) data);
-      break;
-
-    case BRO_TYPE_DOUBLE:
-    case BRO_TYPE_TIME:
-    case BRO_TYPE_INTERVAL:
-      val->val_double = *((double *) data);
-      break;
-
-    case BRO_TYPE_STRING:
-      {
-	BroString *str = (BroString *) data;
-	bro_string_set_data(&val->val_str, str->str_val, str->str_len);
-      }
-      break;
-      
-    case BRO_TYPE_PORT:
-      {
-	BroPort *tmp = (BroPort *) data;
-	
-	if (tmp->port_proto != IPPROTO_TCP &&
-	    tmp->port_proto != IPPROTO_UDP &&
-	    tmp->port_proto != IPPROTO_ICMP)
-	  {
-	    __bro_sobject_release((BroSObject *) data);
-	    D_RETURN_(FALSE);
-	  }
-	
-	val->val_port = *tmp;
-      }
-      break;
-      
-    case BRO_TYPE_IPADDR:
-    case BRO_TYPE_NET:
-      val->val_int = *((uint32 *) data);
-      break;
-      
-    case BRO_TYPE_SUBNET:
-      val->val_subnet = *((BroSubnet *) data);
-      break;
-      
-    case BRO_TYPE_RECORD:
-      {
-	BroList *l;
-	BroVal *tmp_val;
-	BroRecordVal *rv = (BroRecordVal *) val;
-	BroRecord *rec = (BroRecord *) data;
-	
-	if (rv->rec)
-	  __bro_record_free(rv->rec);
-	
-	rv->rec = __bro_record_copy(rec);
-
-	/* Record vals also have a record type, copy that: */
-	for (l = rec->val_list; l; l = __bro_list_next(l))
-	  {
-	    char *field;
-	    
-	    tmp_val = __bro_list_data(l);
-	    
-	    if (! tmp_val->val_type)
-	      {
-		D(("Cannot create record type component from val without type.\n"));
-		D_RETURN_(FALSE);
-	      }
-	    
-	    if (! (field = __bro_sobject_data_get((BroSObject *) tmp_val, "field")))
-	      {
-		D(("Val in record doesn't have field name associated with it.\n"));
-		D_RETURN_(FALSE);
-	      }
-	    
-	    __bro_record_type_add_type((BroRecordType *) val->val_type, field, tmp_val->val_type);;
-	  }
-      }
-      break;
-      
-    case BRO_TYPE_TABLE:
-      {
-	BroTableVal *tv = (BroTableVal *) val;
-	BroTable *table = (BroTable *) data;
-	
-	if (tv->table)
-	  __bro_table_free(tv->table);
-	
-	tv->table = __bro_table_copy(table);
-
-	/* XXX need to create the appropriate content in (BroTableType*) val->val_type! */
-      }
-      break;
-
-    case BRO_TYPE_PATTERN:
-    case BRO_TYPE_TIMER:
-    case BRO_TYPE_ANY:
-    case BRO_TYPE_UNION:
-    case BRO_TYPE_LIST:
-    case BRO_TYPE_FUNC:
-    case BRO_TYPE_FILE:
-    case BRO_TYPE_VECTOR:
-    case BRO_TYPE_ERROR:
-      D(("Type %i currently unsupported.\n", val->val_type->tag));
-      D_RETURN_(FALSE);
-      
-    default:
-      D(("Unknown type identifier %i\n", val->val_type->tag));
-      D_RETURN_(FALSE);
-    }
-
-  D_RETURN_(TRUE);
-}
-
-
-static void
-__bro_val_init(BroVal *val)
-{
-  BroSObject *sobj = (BroSObject *) val;
-
-  D_ENTER;
-  
-  __bro_object_init((BroObject *) val);
-  
-  sobj->read  = (BroSObjectRead) __bro_val_read;
-  sobj->write = (BroSObjectWrite) __bro_val_write;
-  sobj->free  = (BroSObjectFree) __bro_val_free;
-  sobj->clone = (BroSObjectClone) __bro_val_clone;
-  sobj->hash  = (BroSObjectHash) __bro_val_hash;
-  sobj->cmp   = (BroSObjectCmp) __bro_val_cmp;
-
-  /* Note: we don't know yet what type_id we'll be using since
-   * that will depend on the type object hooked into this val.
-   * We take care of that when we're serializing this val out
-   * in that case.
-   */
-  sobj->type_id = SER_VAL;
-
-  val->get_data = __bro_val_get;
-
-  D_RETURN;
-}
-
-
-static void
-__bro_val_free(BroVal *val)
-{
-  D_ENTER;
-
-  /* If there is no type in the val, then it's unassigned and
-   * hence there won't be anything to clean up anyway.
-   */
-  if (val->val_type)
-    {
-      switch (val->val_type->tag)
-	{
-	case BRO_TYPE_STRING:
-	  bro_string_cleanup(&val->val_str);
-	  break;
-	  
-	default:
-	  /* Nothing to do */
-	  break;
-	}
-    }
-  
-  __bro_sobject_release((BroSObject *) val->val_type);
-  __bro_object_free((BroObject *) val);
-
-  D_RETURN;
-}
-
-
-int
-__bro_val_get_type_num(const BroVal *val)
-{
-  if (! val)
-    return 0;
-
-  return val->val_type->tag;
-}
-
-
-int
-__bro_val_get_data(BroVal *val, int *type, void **data)
-{
-  if (! val || ! data)
-    return FALSE;
-
-  if (! val->get_data)
-    return FALSE;
-
-  if (type && val->val_type)
-    *type = val->val_type->tag;
-  
-  *data = val->get_data(val);
-  return TRUE;
-}
-
-
-static int
-__bro_val_read(BroVal *val, BroConn *bc)
-{
-  char opt;
-  uint32 tmp;
-
-  D_ENTER;
-
-  if (! val || !bc)
-    D_RETURN_(FALSE);
-
-  if (! __bro_object_read((BroObject *) val, bc))
-    D_RETURN_(FALSE);
-
-  /* Read type */
-
-  if (val->val_type)
-    {
-      __bro_sobject_release((BroSObject *) val->val_type);
-      val->val_type = NULL;
-    }
-
-  if (! (val->val_type = (BroType *) __bro_sobject_unserialize(SER_IS_TYPE, bc)))
-    D_RETURN_(FALSE);
-
-  D(("Type in val has type tags %i/%i\n",
-     val->val_type->tag, val->val_type->internal_tag));
-     
-  /* Read optional Attributes */
-  
-  if (val->val_attrs)
-    {
-      __bro_sobject_release((BroSObject *) val->val_attrs);
-      val->val_attrs = NULL;
-    }
-
-  if (! __bro_buf_read_char(bc->rx_buf, &opt))
-    D_RETURN_(FALSE);
-  if (opt)
-    {
-      if (! (val->val_attrs = (BroRecordVal *) __bro_sobject_unserialize(SER_RECORD_VAL, bc)))
-	D_RETURN_(FALSE);
-    }
-  
-  switch (val->val_type->internal_tag)
-    {
-    case BRO_INTTYPE_INT:
-    case BRO_INTTYPE_UNSIGNED:
-      /* Hack for ports */
-      if (val->val_type->tag == BRO_TYPE_PORT)
-	{
-	  if (! __bro_buf_read_int(bc->rx_buf, &tmp))
-	    D_RETURN_(FALSE);
-	  
-	  if ( (tmp & 0xf0000) == 0x10000 )
-	    val->val_port.port_proto = IPPROTO_TCP;
-	  else if ( (tmp & 0xf0000) == 0x20000 )
-	    val->val_port.port_proto = IPPROTO_UDP;
-	  else if ( (tmp & 0xf0000) == 0x30000 )
-	    val->val_port.port_proto = IPPROTO_ICMP;
-	    
-	  val->val_port.port_num = (tmp & 0xFFFF);
-	}
-      else
-	{
-	  if (! __bro_buf_read_int(bc->rx_buf, &val->val_int))
-	    D_RETURN_(FALSE);
-	}
-      break;
-      
-    case BRO_INTTYPE_DOUBLE:
-      if (! __bro_buf_read_double(bc->rx_buf, &val->val_double))
-	D_RETURN_(FALSE);
-      break;
-      
-    case BRO_INTTYPE_STRING:
-      if (! __bro_buf_read_string(bc->rx_buf, &val->val_str))
-	D_RETURN_(FALSE);
-      break;
-
-    case BRO_INTTYPE_IPADDR:
-      if (! __bro_buf_read_int(bc->rx_buf, &tmp))
-	D_RETURN_(FALSE);
-      
-      if (tmp != 1)
-	{
-	  D(("We don't handle IPv6 addresses yet.\n"));
-	  D_RETURN_(FALSE);
-	}
-      
-      if (! __bro_buf_read_int(bc->rx_buf, &val->val_int))
-	D_RETURN_(FALSE);
-
-      val->val_int = ntohl(val->val_int);
-      break;
-
-    case BRO_INTTYPE_SUBNET:
-      if (! __bro_buf_read_int(bc->rx_buf, &tmp))
-	D_RETURN_(FALSE);
-      
-      if (tmp != 1)
-	{
-	  D(("We don't handle IPv6 addresses yet.\n"));
-	  D_RETURN_(FALSE);
-	}
-
-      if (! __bro_buf_read_int(bc->rx_buf, &val->val_subnet.sn_net))
-	D_RETURN_(FALSE);
-      val->val_subnet.sn_net = ntohl(val->val_subnet.sn_net);
-
-      if (! __bro_buf_read_int(bc->rx_buf, &val->val_subnet.sn_width))
-	D_RETURN_(FALSE);
-      break;
-
-    case BRO_INTTYPE_OTHER:
-      /* See Val.cc around 165 -- these are handled by derived classes.
-       * We only make sure here it's not functions and not files.
-       */
-      if (val->val_type->tag != BRO_TYPE_FUNC &&
-	  val->val_type->tag != BRO_TYPE_FILE)
-	break;
-      
-      /* Otherwise fall through to warning. */
-
-    default:
-      D(("Unsupported internal type tag: %i\n", val->val_type->internal_tag));
-      D_RETURN_(FALSE);
-    }
-  
-  D_RETURN_(TRUE);
-}
-
-
-static int
-__bro_val_write(BroVal *val, BroConn *bc)
-{
-  BroType *type;
-  BroSObject *obj;
-
-  D_ENTER;
-  
-  if (! val || !bc)
-    D_RETURN_(FALSE);
-
-  /* We need to make sure that the BroSObject at the root has the
-   * correct type_id (a SER_xxx value). This depends on the type object
-   * so map the type tag of that object to a SER_xxx value:
-   */
-  if (! val->val_type)
-    {
-      D(("Val %p doesn't have a type.\n", val));
-      D_RETURN_(FALSE);
-    }
-
-  type = (BroType *) val->val_type;
-  obj  = (BroSObject *) val;
-  
-  switch (type->tag)
-    {
-    case BRO_TYPE_BOOL:
-    case BRO_TYPE_INT:
-    case BRO_TYPE_COUNT:
-    case BRO_TYPE_COUNTER:
-    case BRO_TYPE_STRING:
-    case BRO_TYPE_DOUBLE:
-    case BRO_TYPE_TIME:
-      obj->type_id = SER_VAL;
-      break;
-
-    case BRO_TYPE_ENUM:
-      obj->type_id = SER_ENUM_VAL;
-      break;
-
-    case BRO_TYPE_PORT:
-      obj->type_id = SER_PORT_VAL;
-      break;
-      
-    case BRO_TYPE_INTERVAL:
-      obj->type_id = SER_INTERVAL_VAL;
-      break;
-      
-    case BRO_TYPE_IPADDR:
-      obj->type_id = SER_ADDR_VAL;
-      break;
-      
-    case BRO_TYPE_NET:
-      obj->type_id = SER_NET_VAL;
-      break;
-      
-    case BRO_TYPE_SUBNET:
-      obj->type_id = SER_SUBNET_VAL;
-      break;
-
-    case BRO_TYPE_RECORD:
-      obj->type_id = SER_RECORD_VAL;
-      break;
-      
-    default:
-      D(("Val %p's type unhandled: type tag is %i.\n", val, type->tag));
-      D_RETURN_(FALSE);
-    }
-
-  if (! __bro_object_write((BroObject *) val, bc))
-    D_RETURN_(FALSE);
-
-  if (! __bro_sobject_serialize((BroSObject *) val->val_type, bc))
-    D_RETURN_(FALSE);
-
-  if (! __bro_buf_write_char(bc->tx_buf, val->val_attrs ? 1 : 0))
-    D_RETURN_(FALSE);
-  
-  if (val->val_attrs && ! __bro_sobject_serialize((BroSObject *) val->val_attrs, bc))
-    D_RETURN_(FALSE);
-  
-  switch (val->val_type->internal_tag)
-    {
-    case BRO_INTTYPE_INT:
-    case BRO_INTTYPE_UNSIGNED:
-      /* Hack for ports */
-      if (val->val_type->tag == BRO_TYPE_PORT)
-	{
-	  int tmp = val->val_port.port_num;
-	  
-	  if (val->val_port.port_proto == IPPROTO_TCP)
-	    tmp |= 0x10000;
-	  else if (val->val_port.port_proto == IPPROTO_UDP)
-	    tmp |= 0x20000;
-      else if (val->val_port.port_proto == IPPROTO_ICMP)
-	    tmp |= 0x30000;
-
-	  if (! __bro_buf_write_int(bc->tx_buf, tmp))
-	    D_RETURN_(FALSE);
-	}
-      else
-	{
-	  if (! __bro_buf_write_int(bc->tx_buf, val->val_int))
-	    D_RETURN_(FALSE);
-	}
-      break;
-      
-    case BRO_INTTYPE_DOUBLE:
-      if (! __bro_buf_write_double(bc->tx_buf, val->val_double))
-	D_RETURN_(FALSE);
-      break;
-      
-    case BRO_INTTYPE_STRING:
-      if (! __bro_buf_write_string(bc->tx_buf, &val->val_str))
-	D_RETURN_(FALSE);
-      break;
-
-    case BRO_INTTYPE_IPADDR:
-      if (! __bro_buf_write_int(bc->tx_buf, 1))
-	D_RETURN_(FALSE);
-      if (! __bro_buf_write_int(bc->tx_buf, htonl(val->val_int)))
-	D_RETURN_(FALSE);
-      break;
-
-    case BRO_INTTYPE_SUBNET:
-      if (! __bro_buf_write_int(bc->tx_buf, 1))
-	D_RETURN_(FALSE);
-      if (! __bro_buf_write_int(bc->tx_buf, htonl(val->val_subnet.sn_net)))
-	D_RETURN_(FALSE);
-      if (! __bro_buf_write_int(bc->tx_buf, val->val_subnet.sn_width))
-	D_RETURN_(FALSE);
-      break;
-
-    case BRO_INTTYPE_OTHER:
-      /* That's fine, will be handled in derived classes
-       * like __bro_record_val_write().
-       */
-      break;
-      
-    default:
-      D(("Unknown internal type tag: %i\n", val->val_type->internal_tag));
-      D_RETURN_(FALSE);
-    }  
-  
-  D_RETURN_(TRUE);
-}
-
-static int
-__bro_val_clone(BroVal *dst, BroVal *src)
-{
-  D_ENTER;
-  
-  if (! __bro_object_clone((BroObject *) dst, (BroObject *) src))
-    {
-      D(("Cloning parent failed.\n"));
-      D_RETURN_(FALSE);
-    }
-
-  if (src->val_type &&
-      ! (dst->val_type = (BroType *) __bro_sobject_copy((BroSObject *) src->val_type)))
-    {
-      D(("Cloning type failed.\n"));
-      D_RETURN_(FALSE);      
-    }
-  
-  if (src->val_attrs &&
-      ! (dst->val_attrs = (BroRecordVal *) __bro_sobject_copy((BroSObject *) src->val_attrs)))
-    {
-      D(("Cloning attributes failed.\n"));
-      D_RETURN_(FALSE);
-    }
-
-  switch (dst->val_type->internal_tag)
-    {
-    case BRO_INTTYPE_INT:
-    case BRO_INTTYPE_UNSIGNED:
-    case BRO_INTTYPE_IPADDR:
-      /* Hack for ports */
-      if (src->val_type->tag == BRO_TYPE_PORT)
-	dst->val_port = src->val_port;
-      else
-	dst->val_int = src->val_int;
-      break;
-      
-    case BRO_INTTYPE_DOUBLE:
-      dst->val_double = src->val_double;
-      break;
-      
-    case BRO_INTTYPE_STRING:
-      bro_string_assign(&src->val_str, &dst->val_str);
-      break;
-
-    case BRO_INTTYPE_SUBNET:
-      dst->val_subnet = src->val_subnet;
-      break;
-
-    case BRO_INTTYPE_OTHER:
-      /* That's okay, handled in subtype */
-      break;
-      
-    default:
-      D(("Unknown internal type tag: %i\n", dst->val_type->internal_tag));
-      D_RETURN_(FALSE);
-    }  
-  
-  D_RETURN_(TRUE);
-}
-
-static uint32
-__bro_val_hash(BroVal *val)
-{
-  uint32 result;
-
-  D_ENTER;
-
-  if (! val)
-    D_RETURN_(0);
-
-  result = __bro_sobject_hash((BroSObject*) val->val_type);
-  
-  switch (val->val_type->internal_tag)
-    {
-    case BRO_INTTYPE_INT:
-    case BRO_INTTYPE_UNSIGNED:
-    case BRO_INTTYPE_IPADDR:
-      result ^= val->val_int;
-      break;
-      
-    case BRO_INTTYPE_DOUBLE:
-      result ^= (uint32) val->val_double;
-      break;
-      
-    case BRO_INTTYPE_STRING:
-      result ^= __bro_ht_str_hash(val->val_str.str_val);
-      break;
-      
-    case BRO_INTTYPE_SUBNET:
-      result ^= val->val_subnet.sn_net;
-      result ^= val->val_subnet.sn_width;
-      break;
-
-    case BRO_INTTYPE_OTHER:
-      D(("WARNING -- __bro_val_hash() invoked on derived type.\n"));
-      break;
-      
-    default:
-      D(("Unknown internal type tag: %i\n", val->val_type->internal_tag));
-      break;
-    }  
-
-  D_RETURN_(result);
-}
-
-static int
-__bro_val_cmp(BroVal *val1, BroVal *val2)
-{
-  D_ENTER;
-  
-  if (! val1 || ! val2)
-    D_RETURN_(FALSE);
-
-  if (! __bro_sobject_cmp((BroSObject*) val1->val_type,
-			  (BroSObject*) val2->val_type))
-    D_RETURN_(FALSE);
-  
-  switch (val1->val_type->internal_tag)
-    {
-    case BRO_INTTYPE_INT:
-    case BRO_INTTYPE_UNSIGNED:
-    case BRO_INTTYPE_IPADDR:
-      if (val1->val_int != val2->val_int)
-	D_RETURN_(FALSE);
-      break;
-      
-    case BRO_INTTYPE_DOUBLE:
-      if (val1->val_double != val2->val_double)
-	D_RETURN_(FALSE);
-      break;
-      
-    case BRO_INTTYPE_STRING:
-      if (! __bro_ht_str_cmp(val1->val_str.str_val, val2->val_str.str_val))
-	D_RETURN_(FALSE);
-      break;
-      
-    case BRO_INTTYPE_SUBNET:
-      if (val1->val_subnet.sn_net != val2->val_subnet.sn_net ||
-	  val1->val_subnet.sn_width != val2->val_subnet.sn_width)
-	D_RETURN_(FALSE);
-      break;
-
-    case BRO_INTTYPE_OTHER:
-      D(("WARNING -- __bro_val_cmp() invoked on derived type.\n"));
-      break;
-      
-    default:
-      D(("Unknown internal type tag: %i\n", val1->val_type->internal_tag));
-      break;
-    }  
-  
-  D_RETURN_(TRUE);
-}
-
-static void *
-__bro_val_get(BroVal *val)
-{
-  /* Following the comments in broccoli.h, we return atomic values
-   * as copies into *result, and complex types (i.e., structs) have
-   * all members assigned to point to internal values so the user
-   * does not have to clean up the returned value. The user can 
-   * still keep those values around if necessary by copying them.
-   */
-  if (! val->val_type)
-    {
-      D(("No type in val %p\n", val));
-      return NULL;
-    }
-  
-   switch (val->val_type->tag)    
-    {
-    case BRO_TYPE_BOOL:
-    case BRO_TYPE_INT:
-    case BRO_TYPE_ENUM:
-    case BRO_TYPE_COUNT:
-    case BRO_TYPE_COUNTER:
-    case BRO_TYPE_IPADDR:
-    case BRO_TYPE_NET:
-      return &val->val_int;
-      
-    case BRO_TYPE_PORT:
-      return &val->val_port;
-      
-    case BRO_TYPE_DOUBLE:
-    case BRO_TYPE_TIME:
-    case BRO_TYPE_INTERVAL:
-      return &val->val_double;
-      
-    case BRO_TYPE_STRING:
-      return &val->val_str;
-      
-    case BRO_TYPE_SUBNET:
-      return &val->val_subnet;
-      
-    case BRO_TYPE_RECORD:
-      D(("WARNING: Inheritance broken -- record types should not be handled here.\n"));
-      return NULL;
-
-    case BRO_TYPE_TABLE:
-      D(("WARNING: Inheritance broken -- table types should not be handled here.\n"));
-      return NULL;
-      
-    default:
-      D(("Type %i currently not extractable.\n", val->val_type->tag));
-    }
-   
-   return NULL;
-}
-
-
-BroListVal *
-__bro_list_val_new(void)
-{
-  BroListVal *val;
-
-  D_ENTER;
-
-  if (! (val = calloc(1, sizeof(BroListVal))))
-    D_RETURN_(NULL);
-
-  __bro_list_val_init(val);
-  
-  D_RETURN_(val);
-}
-
-static void
-__bro_list_val_init(BroListVal *lv)
-{
-  BroSObject *sobj = (BroSObject *) lv;
-  BroVal *val = (BroVal *) lv;
-  
-  D_ENTER;
-  
-  __bro_val_init((BroVal *) lv);
-  
-  sobj->read  = (BroSObjectRead) __bro_list_val_read;
-  sobj->write = (BroSObjectWrite) __bro_list_val_write;
-  sobj->free  = (BroSObjectFree) __bro_list_val_free;
-  sobj->clone = (BroSObjectClone) __bro_list_val_clone;
-  sobj->hash  = (BroSObjectHash) __bro_list_val_hash;
-  sobj->cmp   = (BroSObjectCmp) __bro_list_val_cmp;
-  
-  sobj->type_id = SER_LIST_VAL;
-
-  val->get_data = (BroValAccessor) __bro_list_val_get;
-
-  D_RETURN;
-}
-
-static void
-__bro_list_val_free(BroListVal *lv)
-{
-  D_ENTER;
-  
-  if (! lv)
-    D_RETURN;
-  
-  __bro_list_free(lv->list, (BroFunc) __bro_sobject_release);
-  __bro_val_free((BroVal *) lv);
-  
-  D_RETURN;
-}
-
-static int
-__bro_list_val_read(BroListVal *lv, BroConn *bc)
-{
-  int i;
-  uint32 ui;
-
-  D_ENTER;
-  
-  if (! __bro_val_read((BroVal *) lv, bc))
-    D_RETURN_(FALSE);
-  
-  __bro_list_free(lv->list, (BroFunc) __bro_sobject_release);
-  lv->list = NULL;
-  
-  if (! __bro_buf_read_char(bc->rx_buf, &lv->type_tag))
-    goto error_return;
-  if (! __bro_buf_read_int(bc->rx_buf, &ui))
-    goto error_return;
-  
-  lv->len = (int) ui;
-
-  for (i = 0; i < lv->len; i++)
-    {
-      BroVal *val;
-      
-      if (! (val = (BroVal *) __bro_sobject_unserialize(SER_IS_VAL, bc)))
-	goto error_return;
-      
-      lv->list = __bro_list_append(lv->list, val);
-    }
-  
-  D_RETURN_(TRUE);
-  
- error_return:
-  __bro_list_free(lv->list, (BroFunc) __bro_sobject_release);
-  lv->list = NULL;
-  D_RETURN_(FALSE);
-}
-
-static int
-__bro_list_val_write(BroListVal *lv, BroConn *bc)
-{
-  BroList *l;
-  
-  D_ENTER;
-  
-  if (! __bro_val_write((BroVal *) lv, bc))
-    D_RETURN_(FALSE);
-  
-  if (! __bro_buf_write_char(bc->tx_buf, lv->type_tag))
-    D_RETURN_(FALSE);
-  
-  if (! __bro_buf_write_int(bc->tx_buf, lv->len))
-    D_RETURN_(FALSE);
-  
-  for (l = lv->list; l; l = __bro_list_next(l))
-    {
-      BroVal *val = __bro_list_data(l);
-      
-      if (! __bro_sobject_serialize((BroSObject *) val, bc))
-	D_RETURN_(FALSE);
-    }
-  
-  D_RETURN_(TRUE);
-}
-
-static int
-__bro_list_val_clone(BroListVal *dst, BroListVal *src)
-{
-  BroList *l;
-
-  D_ENTER;
-
-  if (! __bro_val_clone((BroVal *) dst, (BroVal *) src))
-    D_RETURN_(FALSE);
-
-  dst->type_tag = src->type_tag;
-  dst->len = src->len;
-  
-  if (dst->list)
-    {
-      __bro_list_free(dst->list, (BroFunc) __bro_sobject_release);
-      dst->list = NULL;
-    }
-
-  for (l = src->list; l; l = __bro_list_next(l))
-    dst->list = __bro_list_append(dst->list, __bro_sobject_copy(__bro_list_data(l)));
-  
-  D_RETURN_(TRUE);
-}
-
-static uint32
-__bro_list_val_hash(BroListVal *lv)
-{
-  uint32 result;
-  BroList *l;
-
-  D_ENTER;
-  
-  if (! lv)
-    D_RETURN_(0);
-  
-  result = lv->len ^ lv->type_tag;
-  
-  for (l = lv->list; l; l = __bro_list_next(l))
-    result ^= __bro_sobject_hash((BroSObject *) __bro_list_data(l));
-  
-  D_RETURN_(result);
-}
-
-static int
-__bro_list_val_cmp(BroListVal *lv1, BroListVal *lv2)
-{
-  BroList *l1, *l2;
-
-  D_ENTER;
-  
-  if (! lv1 || ! lv2)
-    D_RETURN_(FALSE);
-
-  if (lv1->len != lv2->len ||
-      lv1->type_tag != lv2->type_tag)    
-    D_RETURN_(FALSE);
-      
-  for (l1 = lv1->list, l2 = lv2->list; l1 && l2;
-       l1 = __bro_list_next(l1), l2 = __bro_list_next(l2))
-    {
-      if (! __bro_sobject_cmp((BroSObject*) __bro_list_data(l1),
-			      (BroSObject*) __bro_list_data(l2)))
-	D_RETURN_(FALSE);
-    }
-
-  if (l1 || l2)
-    {
-      D(("WARNING -- list length inconsistency.\n"));
-      D_RETURN_(FALSE);
-    }
-  
-  D_RETURN_(TRUE);
-}
-
-static BroList *
-__bro_list_val_get(BroListVal *lv)
-{
-  D_ENTER;
-  D_RETURN_(lv->list);
-}
-
-void
-__bro_list_val_append(BroListVal *lv, BroVal *val)
-{
-  D_ENTER;
-
-  if (! lv || ! val)
-    D_RETURN;
-
-  lv->list = __bro_list_append(lv->list, val);
-  lv->len++;
-
-  D_RETURN;
-}
-
-BroVal *
-__bro_list_val_pop_front(BroListVal *lv)
-{
-  BroVal *result;
-  BroList *l;
-
-  D_ENTER;
-
-  if (! lv)
-    D_RETURN_(NULL);
-  
-  l = lv->list;
-  lv->list = __bro_list_remove(lv->list, lv->list);
-  
-  result = (BroVal*) __bro_list_data(l);
-  __bro_list_free(l, NULL);
-  
-  D_RETURN_(result);
-}
-
-BroVal *
-__bro_list_val_get_front(BroListVal *lv)
-{
-  BroVal *result;
-  BroList *l;
-
-  D_ENTER;
-
-  if (! lv)
-    D_RETURN_(NULL);
-  
-  D_RETURN_((BroVal*) __bro_list_data(lv->list));
-}
-
-int
-__bro_list_val_get_length(BroListVal *lv)
-{
-  D_ENTER;
-  
-  if (! lv)
-    D_RETURN_(0);
-  
-  D_RETURN_(lv->len);
-}
-
-
-
-BroMutableVal *
-__bro_mutable_val_new(void)
-{
-  BroMutableVal *val;
-
-  D_ENTER;
-
-  if (! (val = calloc(1, sizeof(BroMutableVal))))
-    D_RETURN_(NULL);
-
-  __bro_mutable_val_init(val);
-
-  D_RETURN_(val);
-}
-
-
-static void
-__bro_mutable_val_init(BroMutableVal *mv)
-{
-  BroSObject *sobj = (BroSObject *) mv;
-  
-  D_ENTER;
-  
-  __bro_val_init((BroVal *) mv);
-  
-  sobj->read  = (BroSObjectRead) __bro_mutable_val_read;
-  sobj->write = (BroSObjectWrite) __bro_mutable_val_write;
-  sobj->free  = (BroSObjectFree) __bro_mutable_val_free;
-  sobj->clone = (BroSObjectClone) __bro_mutable_val_clone;
-  sobj->hash  = (BroSObjectHash) __bro_mutable_val_hash;
-  sobj->cmp   = (BroSObjectCmp) __bro_mutable_val_cmp;
-  
-  sobj->type_id = SER_MUTABLE_VAL;
-
-  /* BroMutableVal inherits __bro_val_get and doesn't override it. */
-
-  D_RETURN;
-}
-
-
-static void
-__bro_mutable_val_free(BroMutableVal *mv)
-{
-  D_ENTER;
-  
-  __bro_sobject_release((BroSObject *) mv->id);
-  __bro_val_free((BroVal *) mv);
-  
-  D_RETURN;
-}
-
-
-static int
-__bro_mutable_val_read(BroMutableVal *mv, BroConn *bc)
-{
-  BroString tmp;
-
-  D_ENTER;
-
-  bro_string_init(&tmp);
-
-  if (! __bro_val_read((BroVal *) mv, bc))
-    D_RETURN_(FALSE);
-
-  if (! __bro_buf_read_char(bc->rx_buf, &mv->props))
-    D_RETURN_(FALSE);
-
-  if (! __bro_buf_read_string(bc->rx_buf, &tmp))
-    D_RETURN_(FALSE);
-
-  /* FIXME: now need to obtain real BroID from that name */
-  bro_string_cleanup(&tmp);
-
-  D_RETURN_(TRUE);
-}
-
-
-static int
-__bro_mutable_val_write(BroMutableVal *mv, BroConn *bc)
-{
-  D_ENTER;
-  
-  if (! __bro_val_write((BroVal *) mv, bc))
-    D_RETURN_(FALSE);
-  
-  if (! __bro_buf_write_char(bc->tx_buf, mv->props))
-    D_RETURN_(FALSE);
-  
-  if (! __bro_buf_write_string(bc->tx_buf, (mv->id ? &mv->id->name : NULL)))
-    D_RETURN_(FALSE);
-  
-  D_RETURN_(TRUE);
-}
-
-
-static int
-__bro_mutable_val_clone(BroMutableVal *dst, BroMutableVal *src)
-{
-  D_ENTER;
-  
-  if (! __bro_val_clone((BroVal *) dst, (BroVal *) src))
-    D_RETURN_(FALSE);
-  
-  if (src->id && ! (dst->id = (BroID *) __bro_sobject_copy((BroSObject *) src->id)))
-    D_RETURN_(FALSE);
-  
-  src->props = dst->props;
-  
-  D_RETURN_(TRUE);
-}
-
-
-static uint32
-__bro_mutable_val_hash(BroMutableVal *mv)
-{
-  uint32 result;
-
-  D_ENTER;
-
-  if (! mv)
-    D_RETURN_(0);
-
-  result = __bro_id_hash(mv->id) ^ mv->props;
-
-  D_RETURN_(result);
-}
-
-
-static int
-__bro_mutable_val_cmp(BroMutableVal *mv1, BroMutableVal *mv2)
-{
-  D_ENTER;
-
-  if (! mv1 || ! mv2)
-    D_RETURN_(FALSE);
-
-  if (! __bro_id_cmp(mv1->id, mv2->id))
-    D_RETURN_(FALSE);
-
-  if (mv1->props != mv2->props)
-    D_RETURN_(FALSE);
-
-  D_RETURN_(TRUE);
-}
-
-
-BroRecordVal *
-__bro_record_val_new(void)
-{
-  BroRecordVal *val;
-
-  D_ENTER;
-
-  if (! (val = calloc(1, sizeof(BroRecordVal))))
-    D_RETURN_(NULL);
-
-  __bro_record_val_init(val);
-
-  D_RETURN_(val);
-}
-
-
-static void
-__bro_record_val_init(BroRecordVal *rv)
-{
-  BroSObject *sobj = (BroSObject *) rv;
-  BroVal *val = (BroVal *) rv;
-
-  D_ENTER;
-  
-  __bro_mutable_val_init((BroMutableVal *) rv);
-  
-  sobj->read  = (BroSObjectRead) __bro_record_val_read;
-  sobj->write = (BroSObjectWrite) __bro_record_val_write;
-  sobj->free  = (BroSObjectFree) __bro_record_val_free;
-  sobj->clone = (BroSObjectClone) __bro_record_val_clone;
-  sobj->hash  = (BroSObjectHash) __bro_record_val_hash;
-  sobj->cmp   = (BroSObjectCmp) __bro_record_val_cmp;
-
-  sobj->type_id = SER_RECORD_VAL;
-
-  val->get_data = (BroValAccessor) __bro_record_val_get;
-  
-  D_RETURN;
-}
-
-
-static void
-__bro_record_val_free(BroRecordVal *rv)
-{
-  D_ENTER;
-
-  if (! rv)
-    D_RETURN;
-  
-  __bro_record_free(rv->rec);
-  __bro_mutable_val_free((BroMutableVal *) rv);
-
-  D_RETURN;
-}
-
-
-static int
-__bro_record_val_read(BroRecordVal *rv, BroConn *bc)
-{
-  char opt;
-  uint32 i, len;
-  BroVal *val;
-  
-  D_ENTER;
-  
-  if (! __bro_mutable_val_read((BroMutableVal *) rv, bc))
-    D_RETURN_(FALSE);
-
-  /* Clean out old vals, if any */
-  __bro_record_free(rv->rec);
-  
-  if (! (rv->rec = __bro_record_new()))
-    D_RETURN_(FALSE);
-  
-  /* Read in new vals */
-
-  if (! __bro_buf_read_int(bc->rx_buf, &len))
-    goto error_return;
-  
-  for (i = 0; i < len; i++)
-    {
-      const char *field_name;
-      BroVal *rv_val   = (BroVal *) rv;
-      BroType *rv_type = rv_val->val_type;
-
-      D(("Reading val %i/%i into record %p of val %p\n",
-	 i+1, len, rv->rec, rv));
-
-      if (! __bro_buf_read_char(bc->rx_buf, &opt))
-	goto error_return;
-      
-      if (opt)
-	{
-	  if (! (val = (BroVal *) __bro_sobject_unserialize(SER_IS_VAL, bc)))
-	    {
-	      D(("WARNING -- unserializing record element failed.\n"));
-	      goto error_return;
-	    }
-	}
-      else
-	{
-	  /* We need an empty val if none was given in order to maintain
-	   * a chain of vals nonetheless -- the missing type in this new
-	   * val indicates that it is an unassigned val.
-	   */
-	  D(("WARNING -- unassigned val.\n"));
-	  if (! (val = __bro_val_new()))
-	    goto error_return;
-	}
-      
-      __bro_record_add_val(rv->rec, val);
-      
-      if (! (field_name = __bro_record_type_get_nth_field((BroRecordType *) rv_type, i)))
-	{
-	  D(("WARNING -- record type field %i has no name.\n", i));
-	  goto error_return;
-	}
-
-      __bro_record_set_nth_name(rv->rec, i, field_name);
-    }
-  
-  D_RETURN_(TRUE);
-
- error_return:
-  __bro_record_free(rv->rec);
-  rv->rec = NULL;
-  D_RETURN_(FALSE);
-}
-
-
-static int
-__bro_record_val_write(BroRecordVal *rv, BroConn *bc)
-{
-  BroList *l;
-  BroVal *val;
-  int i;
-
-  D_ENTER;
-
-  if (! __bro_mutable_val_write((BroMutableVal *) rv, bc))
-    D_RETURN_(FALSE);
-  
-  if (! __bro_buf_write_int(bc->tx_buf, rv->rec->val_len))
-    D_RETURN_(FALSE);
-  
-  if (! rv->rec && rv->rec->val_len > 0)
-    D_RETURN_(FALSE);
-  
-  D(("Writing out %i vals in record %p.\n", rv->rec->val_len, rv->rec));
-
-  for (i = 0, l = rv->rec->val_list; l; i++, l = __bro_list_next(l))
-    {
-      val = __bro_list_data(l);
-      
-      D(("Val %i/%p's type: %p\n", i, val, val->val_type));
-      
-      if (! __bro_buf_write_char(bc->tx_buf, (val->val_type ? 1 :0)))
-	D_RETURN_(FALSE);
-      
-      if (val->val_type)
-	{	  
-	  if (! __bro_sobject_serialize((BroSObject *) val, bc))
-	    D_RETURN_(FALSE);
-	}
-    }
-  
-  D_RETURN_(TRUE);
-}
-
-
-static int
-__bro_record_val_clone(BroRecordVal *dst, BroRecordVal *src)
-{
-  D_ENTER;
-  
-  if (! __bro_mutable_val_clone((BroMutableVal *) dst, (BroMutableVal *) src))
-    D_RETURN_(FALSE);
-  
-  if (src->rec && ! (dst->rec = __bro_record_copy(src->rec)))
-    D_RETURN_(FALSE);
-  
-  D_RETURN_(TRUE);
-}
-
-
-static uint32
-__bro_record_val_hash(BroRecordVal *rv)
-{
-  uint32 result;
-  
-  D_ENTER;
-  
-  if (! rv)
-    D_RETURN_(0);
-
-  result = __bro_record_hash(rv->rec);
-
-  D_RETURN_(result);
-
-}
-
-
-static int
-__bro_record_val_cmp(BroRecordVal *rv1, BroRecordVal *rv2)
-{
-  D_ENTER;
-
-  if (! rv1 || ! rv2)
-    D_RETURN_(FALSE);
-  
-  if (! __bro_record_cmp(rv1->rec, rv2->rec))
-    D_RETURN_(FALSE);
-
-  D_RETURN_(TRUE);
-
-}
-
-
-static void *
-__bro_record_val_get(BroRecordVal *rv)
-{
-  return rv->rec;
-}
-
-
-BroTableVal *
-__bro_table_val_new(void)
-{
-  BroTableVal *val;
-
-  D_ENTER;
-  
-  if (! (val = calloc(1, sizeof(BroTableVal))))
-    D_RETURN_(NULL);
-
-  __bro_table_val_init(val);
-  
-  D_RETURN_(val);
-}
-
-static void
-__bro_table_val_init(BroTableVal *tbl)
-{
-  BroSObject *sobj = (BroSObject *) tbl;
-  BroVal *val = (BroVal *) tbl;
-
-  D_ENTER;
-  
-  __bro_mutable_val_init((BroMutableVal *) tbl);
-  
-  sobj->read  = (BroSObjectRead) __bro_table_val_read;
-  sobj->write = (BroSObjectWrite) __bro_table_val_write;
-  sobj->free  = (BroSObjectFree) __bro_table_val_free;
-  sobj->clone = (BroSObjectClone) __bro_table_val_clone;
-  sobj->hash  = (BroSObjectHash) __bro_table_val_hash;
-  sobj->cmp   = (BroSObjectCmp) __bro_table_val_cmp;
-  
-  sobj->type_id = SER_TABLE_VAL;
-  
-  val->get_data = (BroValAccessor) __bro_table_val_get;  
-
-  D_RETURN;
-}
-
-static void
-__bro_table_val_free(BroTableVal *tbl)
-{
-  D_ENTER;
-  
-  if (! tbl)
-    D_RETURN;
-  
-  __bro_table_free(tbl->table);
-  __bro_mutable_val_free((BroMutableVal *) tbl);
-  
-  D_RETURN;
-}
-
-static int
-__bro_table_val_read(BroTableVal *tbl, BroConn *bc)
-{
-  double d;
-  char opt;
-  int num_keys = 0, num_vals = 0;
-
-  D_ENTER;
-  
-  if (! __bro_mutable_val_read((BroMutableVal *) tbl, bc))
-    D_RETURN_(FALSE);
-  
-  /* Clean out old vals, if any */
-  __bro_table_free(tbl->table);
-  
-  if (! (tbl->table = __bro_table_new()))
-    D_RETURN_(FALSE);
-  
-  /* expire_time, currently unused */
-  if (! __bro_buf_read_double(bc->rx_buf, &d))
-    goto error_return;
-
-  if (! __bro_buf_read_char(bc->rx_buf, &opt))
-    goto error_return;
-  if (opt)
-    {
-      if (! (tbl->attrs = (BroAttrs *) __bro_sobject_unserialize(SER_ATTRIBUTES, bc)))
-	{
-	  D(("WARNING -- unserializing table attributes failed.\n"));
-	  goto error_return;
-	}
-    }
-  
-  if (! __bro_buf_read_char(bc->rx_buf, &opt))
-    goto error_return;
-  if (opt)
-    {
-      D(("WARNING -- cannot unserialize expression, try to use table without expiration expression.\n"));
-      goto error_return;
-    }
-
-  /* Table entries are next: */
-  for ( ; ; )
-    {
-      BroType *type;
-      BroListVal *keys = NULL;
-      BroVal *val = NULL;
-      BroIndexType *itype = NULL;
-      int i, len, key_type = 0, val_type = 0;
-      double d;
-
-      if (! __bro_buf_read_char(bc->rx_buf, &opt))
-	goto error_return;
-
-      /* End of set members is announced if opt is 0: */
-      if (! opt)
-	break;
-
-      if (! (keys = (BroListVal *) __bro_sobject_unserialize(SER_LIST_VAL, bc)))
-	goto error_return;
-
-      /* If this isn't a set, we have a value associated with the keys too. */
-      type = ((BroVal *) tbl)->val_type;
-      itype = (BroIndexType*) type;
-      num_vals++;
-
-      if (itype->yield_type)
-	{
-	  if (! (val = (BroVal *) __bro_sobject_unserialize(SER_IS_VAL, bc)))
-	    goto error_return;
-
-	  val_type = val->val_type->tag;
-	  num_keys++;
-	}
-
-      /* If the key is a composite, we report BRO_TYPE_LIST to the user,
-       * so the user can access the individual values via a record. If
-       * the key is atomic, we extract its type and use it directly.
-       */
-
-      if (keys->len > 1)
-	key_type = BRO_TYPE_LIST;
-      else if (keys->len == 1)
-	key_type = __bro_list_val_get_front(keys)->val_type->tag;
-      else
-	goto error_return;
-      
-      if (tbl->table->tbl_key_type != BRO_TYPE_UNKNOWN &&
-	  tbl->table->tbl_key_type != key_type)
-	{
-	  D(("Type mismatch when unserializing key of type %d, expecting %d\n",
-	     key_type, tbl->table->tbl_key_type));
-	  goto error_return;
-	}
-
-      tbl->table->tbl_key_type = key_type;
-      
-      if (tbl->table->tbl_val_type != BRO_TYPE_UNKNOWN &&
-	  tbl->table->tbl_val_type != val_type)
-	{
-	  D(("Type mismatch when unserializing val of type %d, expecting %d\n",
-	     val_type, tbl->table->tbl_val_type));
-	  goto error_return;
-	}
-
-      tbl->table->tbl_val_type = val_type;	
-      
-      /* Eat two doubles -- one for the last access time and
-       * one for when the item is supposed to expire.
-       * XXX: currently unimplemented.
-       */
-      if (! __bro_buf_read_double(bc->rx_buf, &d) ||
-	  ! __bro_buf_read_double(bc->rx_buf, &d))
-	goto error_return;
-
-      /* The key type of a BroTable is always a BroListVal, even
-       * though it might well have only a single element.
-       *
-       * Since we just unserialized it, we pass on ownership of
-       * both key and value to the table.
-       */
-      __bro_table_insert(tbl->table, (BroVal*) keys, val);
-    }
-
-  D_RETURN_(TRUE);
-
- error_return:
-  __bro_table_free(tbl->table);
-  tbl->table = NULL;
-  D_RETURN_(FALSE);
-}
-
-static int
-__bro_table_val_write_cb_direct(BroVal *key, BroVal *val, BroConn *bc)
-{
-  if (! __bro_sobject_serialize((BroSObject *) key, bc))
-    return FALSE;
-  
-  if (val && ! __bro_sobject_serialize((BroSObject *) val, bc))
-    return FALSE;
-  
-  return TRUE;
-}
-
-static int
-__bro_table_val_write_cb_unpack(BroVal *key, BroRecordVal *val, BroConn *bc)
-{
-  BroRecord *rec = val->rec;
-  BroListVal *lv = __bro_list_val_new();
-  
-  /* Just hook the list into the list val, we unhook below. */
-  lv->list = rec->val_list;
-  lv->len = rec->val_len;
-  
-  if (! __bro_sobject_serialize((BroSObject *) lv, bc))
-    goto error_return;
-  
-  if (val && ! __bro_sobject_serialize((BroSObject *) val, bc))
-    goto error_return;
-  
-  lv->list = NULL;
-  __bro_list_val_free(lv);
-  
-  return TRUE;
-
- error_return:
-  lv->list = NULL;
-  __bro_list_val_free(lv);
-  return FALSE;
-}
-
-static int
-__bro_table_val_write(BroTableVal *tbl, BroConn *bc)
-{
-  double d = 0;
-  char opt = 0;
-
-  D_ENTER;
-
-  if (! __bro_mutable_val_write((BroMutableVal *) tbl, bc))
-    D_RETURN_(FALSE);
-
-  if (! __bro_buf_write_double(bc->tx_buf, d))
-    D_RETURN_(FALSE);
-
-  /* XXX For now we neever send any attributes, nor an expire expr */
-  if (! __bro_buf_write_char(bc->tx_buf, opt))
-    D_RETURN_(FALSE);
-  if (! __bro_buf_write_char(bc->tx_buf, opt))
-    D_RETURN_(FALSE);
-
-  /* How we iterate depends on whether the index type is atomic or not.
-   * If atomic, we use __bro_table_val_write_cb_direct(), otherwise
-   * we use ..._unpack(), which converts the elements of the RecordVal
-   * into a ListVal before sending.
-   */
-  if (__bro_table_val_has_atomic_key(tbl))
-    __bro_table_foreach(tbl->table, (BroTableCallback) __bro_table_val_write_cb_direct, bc);
-  else
-    __bro_table_foreach(tbl->table, (BroTableCallback) __bro_table_val_write_cb_unpack, bc);
-
-  D_RETURN_(TRUE);
-}
-
-static int
-__bro_table_val_clone(BroTableVal *dst, BroTableVal *src)
-{
-  D_ENTER;
-
-  if (! __bro_mutable_val_clone((BroMutableVal *) dst, (BroMutableVal *) src))
-    D_RETURN_(FALSE);
-
-  if (src->table && ! (dst->table = __bro_table_copy(src->table)))
-    D_RETURN_(FALSE);
-  
-  D_RETURN_(TRUE);
-}
-
-static uint32
-__bro_table_val_hash(BroTableVal *tv)
-{
-  uint32 result;
-
-  D_ENTER;
-  
-  if (! tv)
-    D_RETURN_(0);
-  
-  result = __bro_sobject_hash((BroSObject*) tv->table_type);
-  result ^= __bro_sobject_hash((BroSObject*) tv->attrs);
-  result ^= __bro_table_hash(tv->table);
-  
-  D_RETURN_(result);
-
-}
-
-static int
-__bro_table_val_cmp(BroTableVal *tv1, BroTableVal *tv2)
-{
-  D_ENTER;
-
-  if (! tv1 || ! tv2)
-    D_RETURN_(FALSE);
-
-  if (! __bro_sobject_cmp((BroSObject*) tv1->table_type,
-			  (BroSObject*) tv2->table_type))
-    D_RETURN_(FALSE);
-  
-  if (! __bro_table_cmp(tv1->table, tv2->table))
-    D_RETURN_(FALSE);
-  
-  D_RETURN_(TRUE);
-}
-
-static void *
-__bro_table_val_get(BroTableVal *tbl)
-{
-  return tbl->table;
-}
-
-int
-__bro_table_val_has_atomic_key(BroTableVal *tbl)
-{
-  if (! tbl || ! tbl->table_type) 
-    return FALSE;
-
-  return ((BroIndexType *) tbl->table_type)->indices->num_types == 1;
-}
diff --git a/aux/broccoli/src/bro_val.h b/aux/broccoli/src/bro_val.h
deleted file mode 100644
index 46a758e910..0000000000
--- a/aux/broccoli/src/bro_val.h
+++ /dev/null
@@ -1,147 +0,0 @@
-/*
-       B R O C C O L I  --  The Bro Client Communications Library
-
-Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to
-deal in the Software without restriction, including without limitation the
-rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-sell copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies of the Software and its documentation and acknowledgment shall be
-given in the documentation and software packages that this Software was
-used.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
-THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-*/
-#ifndef broccoli_val_h
-#define broccoli_val_h
-
-#include <broccoli.h>
-#include <bro_types.h>
-#include <bro_util.h>
-#include <bro_id.h>
-#include <bro_attrs.h>
-
-typedef void *(* BroValAccessor) (BroVal *val);
-
-struct bro_val
-{
-  BroObject                    object;
-
-  /* A class method for accessing the data contained by
-   * a val:
-   */
-  BroValAccessor               get_data;
-  
-  /* The full type object of this val -- this also yields
-   * what member of the union is used below (unless we're
-   * inside a derived type and store our data elsewhere).
-   * If val_type is NULL, it means we're dealing with an
-   * unassigned val.
-   */
-  BroType                     *val_type;
-  
-  BroRecordVal                *val_attrs;
-
-  union {
-    char                       char_val;
-    uint32                     int_val;
-    double                     double_val;
-    BroPort                    port_val;
-    BroString                  str_val;
-    BroSubnet                  subnet_val;
-  } val;
-
-#define val_char               val.char_val
-#define val_int                val.int_val
-#define val_double             val.double_val
-#define val_port               val.port_val
-#define val_str                val.str_val
-#define val_strlen             val.str_val.str_len
-#define val_subnet             val.subnet_val
-};
-
-struct bro_list_val
-{
-  BroVal                       val;
-
-  char                         type_tag;
-  int                          len;
-
-  BroList                     *list;
-};
-
-struct bro_mutable_val
-{
-  BroVal                       val;
-
-  BroID                       *id;
-  char                         props;
-};
-
-#define BRO_VAL_PROP_PERS      0x01
-#define BRO_VAL_PROP_SYNC      0x02
-
-struct bro_record_val
-{
-  BroMutableVal                mutable;
-  
-  /* We don't use the full record val when interacting
-   * with the user, but only what's really necessary.
-   */
-  BroRecord                   *rec;
-};
-
-struct bro_table_val
-{
-  BroMutableVal                mutable;
-
-  BroTableType                *table_type;
-  BroAttrs                    *attrs;
-  
-  BroTable                    *table;
-};
-
-
-BroVal          *__bro_val_new(void);
-BroVal          *__bro_val_new_of_type(int type, const char *type_name);
-int              __bro_val_assign(BroVal *val, const void *data);
-
-/* Returns a pointer to the val's data depending on its type.
- * Type is returned through *type if provided.
- */
-int              __bro_val_get_data(BroVal *val, int *type, void **data);
-int              __bro_val_get_type_num(const BroVal *val);
-
-BroListVal      *__bro_list_val_new(void);
-
-/* Append a val to the list. This does not duplicate, so adopts the
- * given val.
- */
-void             __bro_list_val_append(BroListVal *lv, BroVal *val);
-
-/* Removes the first value from the list and returns it. */
-BroVal          *__bro_list_val_pop_front(BroListVal *lv);
-
-/* Only returns the first value from the list. */
-BroVal          *__bro_list_val_get_front(BroListVal *lv);
-int              __bro_list_val_get_length(BroListVal *lv);
-
-BroMutableVal   *__bro_mutable_val_new(void);
-
-BroRecordVal    *__bro_record_val_new(void);
-
-BroTableVal     *__bro_table_val_new(void);
-int              __bro_table_val_has_atomic_key(BroTableVal *tv);
-
-#endif
diff --git a/aux/broccoli/src/broccoli.h.in b/aux/broccoli/src/broccoli.h.in
deleted file mode 100644
index f56f33957a..0000000000
--- a/aux/broccoli/src/broccoli.h.in
+++ /dev/null
@@ -1,1418 +0,0 @@
-/*
-       B R O C C O L I  --  The Bro Client Communications Library
-
-Copyright (C) 2004-2007 Christian Kreibich <christian (at) icir.org>
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to
-deal in the Software without restriction, including without limitation the
-rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-sell copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies of the Software and its documentation and acknowledgment shall be
-given in the documentation and software packages that this Software was
-used.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
-THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-*/
-#ifndef broccoli_h
-#define broccoli_h
-
-#include <unistd.h>
-#include <sys/types.h>
-#include <stdlib.h>
-#ifdef __MINGW32__
-#include <winsock.h>
-#else
-#include <netinet/in.h>
-#endif
-#include <openssl/crypto.h>
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * bro_debug_calltrace - Debugging output switch for call tracing.
- *
- * If you have debugging support built in (i.e., your package was configured
- * with --enable-debugging), you can enable/disable debugging output for
- * call tracing by setting this to 0 (off) or 1 (on). Default is off.
- */
-extern int bro_debug_calltrace;
-
-/**
- * bro_debug_messages - Output switch for debugging messages.
- *
- * If you have debugging support built in (i.e., your package was configured
- * with --enable-debugging), you can enable/disable debugging messages
- * by setting this to 0 (off) or 1 (on). Default is off.
- */
-extern int bro_debug_messages;
-
-#ifndef	FALSE
-#define	FALSE	(0)
-#endif
-
-#ifndef	TRUE
-#define	TRUE	(!FALSE)
-#endif
-
-/* Numeric values of Bro type identifiers, corresponding
- * to the values of the TypeTag enum in Bro's Type.h. Use
- * these values with bro_event_add_val(), bro_record_add_val(),
- * bro_record_get_nth_val() and bro_record_get_named_val().
- *
- * BRO_TYPE_UNKNOWN is not used in the data exchange,
- * see bro_record_get_{nth,named}_val() for its use.
- */
-#define BRO_TYPE_UNKNOWN           0
-#define BRO_TYPE_BOOL              1
-#define BRO_TYPE_INT               2
-#define BRO_TYPE_COUNT             3
-#define BRO_TYPE_COUNTER           4
-#define BRO_TYPE_DOUBLE            5
-#define BRO_TYPE_TIME              6
-#define BRO_TYPE_INTERVAL          7
-#define BRO_TYPE_STRING            8
-#define BRO_TYPE_PATTERN           9
-#define BRO_TYPE_ENUM             10
-#define BRO_TYPE_TIMER            11
-#define BRO_TYPE_PORT             12
-#define BRO_TYPE_IPADDR           13
-#define BRO_TYPE_NET              14
-#define BRO_TYPE_SUBNET           15
-#define BRO_TYPE_ANY              16
-#define BRO_TYPE_TABLE            17
-#define BRO_TYPE_UNION            18
-#define BRO_TYPE_RECORD           19
-#define BRO_TYPE_LIST             20
-#define BRO_TYPE_FUNC             21
-#define BRO_TYPE_FILE             22
-#define BRO_TYPE_VECTOR           23
-#define BRO_TYPE_ERROR            24
-#define BRO_TYPE_PACKET           25 /* CAUTION -- not defined in Bro! */
-#define BRO_TYPE_SET              26 /* ----------- (ditto) ---------- */
-#define BRO_TYPE_MAX              27
-
-/* Flags for new connections, to pass to bro_conn_new()
- * and bro_conn_new_str(). See manual for details.
- */
-#define BRO_CFLAG_NONE                      0
-#define BRO_CFLAG_RECONNECT           (1 << 0) /* Attempt transparent reconnects */
-#define BRO_CFLAG_ALWAYS_QUEUE        (1 << 1) /* Queue events sent while disconnected */
-#define BRO_CFLAG_SHAREABLE           (1 << 2) /* DO NOT USE -- no longer supported */
-#define BRO_CFLAG_DONTCACHE           (1 << 3) /* Ask peer not to use I/O cache (default) */
-#define BRO_CFLAG_YIELD               (1 << 4) /* Process just one event at a time */
-#define BRO_CFLAG_CACHE               (1 << 5) /* Ask per to use I/O cache */
-
-
-/* ---------------------------- Typedefs ----------------------------- */
-
-@TYPEDEF_UINT@
-typedef unsigned int   uint32;
-typedef unsigned short uint16;
-typedef unsigned char  uchar;
-
-typedef struct bro_conn BroConn;
-typedef struct bro_event BroEvent;
-typedef struct bro_buf BroBuf;
-typedef struct bro_record BroRecord;
-typedef struct bro_table BroTable;
-typedef struct bro_table BroSet;
-typedef struct bro_ev_meta BroEvMeta;
-typedef struct bro_packet BroPacket;
-
-/* ----------------------- Callback Signatures ----------------------- */
-
-/**
- * BroEventFunc - The signature of expanded event callbacks.
- * @bc: Bro connection handle.
- * @user_data: user data provided to bro_event_registry_add().
- * @...: varargs.
- *
- * This is the signature of callbacks for handling received
- * Bro events, called in the argument-expanded style.  For details
- * see bro_event_registry_add().
- */
-typedef void (*BroEventFunc) (BroConn *bc, void *user_data, ...);
-
-/**
- * BroCompactEventFunc - The signature of compact event callbacks.
- * @bc: Bro connection handle.
- * @user_data: user data provided to bro_event_registry_add_compact().
- * @meta: metadata for the event
- *
- * This is the signature of callbacks for handling received
- * Bro events, called in the compact-argument style. For details
- * see bro_event_registry_add_compact().
- */
-typedef void (*BroCompactEventFunc) (BroConn *bc, void *user_data, BroEvMeta *meta);
-
-typedef void (*BroPacketFunc) (BroConn *bc, void *user_data,
-			       const BroPacket *packet);
-
-/**
- * OpenSSL_lockfunc - locking function for OpenSSL thread safeness.
- * @mode: acquire nth lock if (mode & CRYPTO_LOCK) is true, release otherwise.
- * @n: lock index. You need to support at least CRYPTO_num_locks().
- * @file: file from which OpenSSL invokes the callback.
- * @line: line in file from which OpenSSL invokes the callback.
- *
- * If you are using Broccoli in a multithreaded environment, you need
- * to use bro_init() with a BroCtx structure and use it to point at an
- * implementation of this callback. Refer to pages 74ff in O'Reilly's
- * OpenSSL book (by Viega et al.) for details. You could also look at 
- * 
- *   http://www.openssl.org/support/faq.html#PROG1
- *   http://www.openssl.org/docs/crypto/threads.html
- *
- * but you will only curse OpenSSL even more than you already do after
- * reading those.
- */
-typedef void (*OpenSSL_lock_func) (int mode, int n, const char *file, int line);
-
-/**
- * OpenSSL_thread_id_func - thread ID function for OpenSSL thread safeness.
- * @id: target pointer into which the current thread's numeric ID must be written.
- * 
- * Please refer to pages 74ff in O'Reilly's OpenSSL book, and also see
- * the comments for OpenSSL_lockfunc.
- */
-typedef unsigned long (*OpenSSL_thread_id_func) (void);
-
-
-/**
- * OpenSSL_dynlock_create_func - allocator for dynamic locks, for OpenSSL thread safeness.
- * @file: file from which OpenSSL invokes the callback.
- * @line: line in file from which OpenSSL invokes the callback.
- * 
- * Please refer to pages 74ff in O'Reilly's OpenSSL book, and also see
- * the comments for OpenSSL_lockfunc().
- */
-typedef struct CRYPTO_dynlock_value* (*OpenSSL_dynlock_create_func) (const char *file, int line);
-
-/**
- * OpenSSL_dynlock_lock_func - lock/unlock dynamic locks, for OpenSSL thread safeness.
- * @mode: acquire nth lock if (mode & CRYPTO_LOCK) is true, release otherwise.
- * @mutex: lock to lock/unlock.
- * @file: file from which OpenSSL invokes the callback.
- * @line: line in file from which OpenSSL invokes the callback.
- * 
- * Please refer to pages 74ff in O'Reilly's OpenSSL book, and also see
- * the comments for OpenSSL_lockfunc().
- */
-typedef void (*OpenSSL_dynlock_lock_func) (int mode, struct CRYPTO_dynlock_value *mutex,
-					   const char *file, int line);
-
-/**
- * OpenSSL_dynlock_free_func - dynamic lock deallocator, for OpenSSL thread safeness.
- * @mutex: lock to deallocate.
- * @file: file from which OpenSSL invokes the callback.
- * @line: line in file from which OpenSSL invokes the callback.
- * 
- * Please refer to pages 74ff in O'Reilly's OpenSSL book, and also see
- * the comments for OpenSSL_lockfunc().
- */
-typedef void (*OpenSSL_dynlock_free_func) (struct CRYPTO_dynlock_value *mutex,
-					   const char *file, int line);
-
-
-/* ---------------------------- Structures --------------------------- */
-
-
-/* Initialization context for the Broccoli library. */
-typedef struct bro_ctx {
-  OpenSSL_lock_func lock_func;
-  OpenSSL_thread_id_func id_func;
-  OpenSSL_dynlock_create_func dl_create_func;
-  OpenSSL_dynlock_lock_func dl_lock_func;
-  OpenSSL_dynlock_free_func dl_free_func;
-} BroCtx;
-
-/* Statistical properties of a given connection. */
-typedef struct bro_conn_stats {
-  int tx_buflen; // Number of bytes to process in output buffer.
-  int rx_buflen; // Number of bytes to process in input buffer.
-} BroConnStats;
-
-/* BroStrings are used to access string parameters in received events.
- */
-typedef struct bro_string {
-  uint32       str_len;
-  uchar       *str_val;
-} BroString;
-
-/* Ports in Broccoli do not only consist of a number but also indicate
- * whether they are TCP or UDP.
- */
-typedef struct bro_port {
-  uint16       port_num;   /* port number in host byte order */
-  int          port_proto; /* IPPROTO_xxx */
-} BroPort;
-
-/* Subnets are a 4-byte address with a prefix width in bits.
- */
-typedef struct bro_subnet
-{
-  uint32       sn_net;     /* IP address in network byte order */
-  uint32       sn_width;   /* Length of prefix to consider. */
-} BroSubnet;
-
-/* Encapsulation of arguments passed to an event callback,
- * for the compact style of argument passing.
- */
-typedef struct bro_ev_arg
-{
-  void        *arg_data;   /* Pointer to the actual event argument */
-  int          arg_type;   /* A BRO_TYPE_xxx constant */
-} BroEvArg;
-
-/* Metadata for an event, passed to callbacks of the BroCompactEventFunc
- * prototype.
- */
-struct bro_ev_meta
-{
-  const char  *ev_name;    /* The name of the event */
-  double       ev_ts;      /* Timestamp of event, taken from BroEvent itself */
-  int          ev_numargs; /* How many arguments are passed */
-  BroEvArg    *ev_args;    /* Array of BroEvArgs, one for each argument */
-  const uchar *ev_start;   /* Start and end pointers to serialized version */
-  const uchar *ev_end;     /* of currently processed event. */
-};
-
-@BRO_PCAP_SUPPORT@
-#ifdef BRO_PCAP_SUPPORT
-#include <pcap.h>
-
-/* Broccoli can send and receive pcap-captured packets, wrapped into
- * the following structure:
- */
-struct bro_packet
-{
-  double       pkt_time;
-  uint32       pkt_hdr_size;
-  uint32       pkt_link_type;
-  
-  struct pcap_pkthdr  pkt_pcap_hdr;
-  const u_char       *pkt_data;
-  const char         *pkt_tag;
-
-};
-
-#endif
-
-/* ============================ API ================================== */
-
-/* -------------------------- Initialization ------------------------- */
-
-/**
- * bro_init - Initializes the library.
- * @ctx: pointer to a BroCtx structure.
- *
- * The function initializes the library. It MUST be called before
- * anything else in Broccoli. Specific initialization context may be
- * provided using a BroCtx structure pointed to by ctx. It may be
- * omitted by passing %NULL, for default values. See bro_init_ctx() for
- * initialization of the context structure to default values.
- *
- * Returns: %TRUE if initialization succeeded, %FALSE otherwise.
- */
-int            bro_init(const BroCtx *ctx);
-
-
-/**
- * bro_ctx_init - Initializes initialization context to default values.
- * @ctx: pointer to a BroCtx structure.
- */
-void           bro_ctx_init(BroCtx *ctx);
-
-
-/* ----------------------- Connection Handling ----------------------- */
-
-/**
- * bro_conn_new - Creates and returns a handle for a connection to a remote Bro.
- * @ip_addr: 4-byte IP address of Bro to contact, in network byte order.
- * @port: port of machine at @ip_addr to contact, in network byte order.
- * @flags: an or-combination of the %BRO_CONN_xxx flags.
- *
- * The function creates a new Bro connection handle for communication with
- * Bro through a network. Depending on the flags passed in, the connection
- * and its setup process can be adjusted. If you don't want to pass any
- * flags, use %BRO_CFLAG_NONE.
- *
- * Returns: pointer to a newly allocated and initialized
- * Bro connection structure. You need this structure for all
- * other calls in order to identify the connection to Bro.
- */
-BroConn       *bro_conn_new(struct in_addr *ip_addr, uint16 port, int flags);
-
-
-/**
- * bro_conn_new_str - Same as bro_conn_new(), but accepts strings for hostname and port.
- * @hostname: string describing the host and port to connect to.
- * @flags: an or-combination of the %BRO_CONN_xxx flags.
- *
- * The function is identical to bro_conn_new(), but allows you to specify the
- * host and port to connect to in a string as "<hostname>:<port>". @flags can
- * be used to adjust the connection features and the setup process. If you don't
- * want to pass any flags, use %BRO_CFLAG_NONE.
- *
- * Returns: pointer to a newly allocated and initialized
- * Bro connection structure. You need this structure for all
- * other calls in order to identify the connection to Bro.
- */
-BroConn       *bro_conn_new_str(const char *hostname, int flags);
-
-/**
- * bro_conn_new_socket - Same as bro_conn_new(), but uses existing socket.
- * @socket: open socket.
- * @flags: an or-combination of the %BRO_CONN_xxx flags.
- *
- * The function is identical to bro_conn_new(), but allows you to pass in an
- * open socket to use for the communication. @flags can be used to
- * adjust the connection features and the setup process. If you don't want to
- * pass any flags, use %BRO_CFLAG_NONE.
- *
- * Returns: pointer to a newly allocated and initialized
- * Bro connection structure. You need this structure for all
- * other calls in order to identify the connection to Bro.
- */
-BroConn       *bro_conn_new_socket(int socket, int flags);
-
-/**
- * bro_conn_set_class - Sets a connection's class identifier.
- * @bc: connection handle.
- * @classname: class identifier.
- *
- * Broccoli connections can indicate that they belong to a certain class
- * of connections, which is needed primarily if multiple Bro/Broccoli
- * instances are running on the same node and connect to a single remote
- * peer. You can set this class with this function, and you have to do so
- * before calling bro_connect() since the connection class is determined
- * upon connection establishment. You remain responsible for the memory
- * pointed to by @classname.
- */
-void           bro_conn_set_class(BroConn *bc, const char *classname);
-
-/**
- * bro_conn_get_peer_class - Reports connection class indicated by peer.	
- * @bc: connection handle.
- *
- * Returns: a string containing the connection class indicated by the peer,
- * if any, otherwise %NULL.
- */
-const char    *bro_conn_get_peer_class(const BroConn *bc);
-
-
-/**
- * bro_conn_get_connstats - Reports connection properties.
- * @bc: connection handle.
- * @cs: BroConnStats handle.
- * 
- * The function fills the BroConnStats structure provided via @cs with
- * information about the given connection.
- */
-void           bro_conn_get_connstats(const BroConn *bc, BroConnStats *cs);
-
-
-/**
- * bro_conn_connect - Establish connection to peer.
- * @bc: connection handle.
- *
- * The function attempts to set up and configure a connection to
- * the peer configured when the connection handle was obtained.
- *
- * Returns: %TRUE on success, %FALSE on failure.
- */
-int            bro_conn_connect(BroConn *bc);
-
-
-/**
- * bro_conn_reconnect - Drop the current connection and reconnect, reusing all settings.
- * @bc: Bro connection handle.
- *
- * The functions drops the current connection identified by @bc and attempts to
- * establish a new one with all the settings associated with @bc, including full
- * handshake completion.
- *
- * Returns: %TRUE if successful, %FALSE otherwise. No matter what the outcome,
- * you can continue to use @bc as normal (e.g. you have to release it using
- * bro_conn_delete()).
- */
-int            bro_conn_reconnect(BroConn *bc);
-
-
-/**
- * bro_conn_delete - terminates and releases connection.
- * @bc: Bro connection handle
- *
- * This function will terminate the given connection if necessary
- * and release all resources associated with the connection handle.
- * 
- *
- * Returns: %FALSE on error, %TRUE otherwise.
- */
-int            bro_conn_delete(BroConn *bc);
-
-
-/**
- * bro_conn_alive - Reports whether a connection is currently alive or has died.
- * @bc: Bro connection handle.
- 
- * This predicate reports whether the connection handle is currently
- * usable for sending/receiving data or not, e.g. because the peer
- * died. The function does not actively check and update the
- * connection's state, it only reports the value of flags indicating
- * its status. In particular, this means that when calling
- * bro_conn_alive() directly after a select() on the connection's
- * descriptor, bro_conn_alive() may return an incorrent value. It will
- * however return the correct value after a subsequent call to
- * bro_conn_process_input(). Also note that the connection is also
- * dead after the connection handle is obtained and before
- * bro_conn_connect() is called.
- * 
- * Returns: %TRUE if the connection is alive, %FALSE otherwise.
- */
-int            bro_conn_alive(const BroConn *bc);
-
-
-/**
- * bro_conn_adopt_events - Makes one connection send out the same events as another.
- * @src: Bro connection handle for connection whose event list to adopt.
- * @dst: Bro connection handle for connection whose event list to change.
- *
- * The function makes the connection identified by @dst use the same event
- * mask as the one identified by @src.
- */
-void           bro_conn_adopt_events(BroConn *src, BroConn *dst);
-
-
-/**
- * bro_conn_get_fd - Returns file descriptor of a Bro connection.
- * @bc: Bro connection handle.
- *
- * If you need to know the file descriptor of the connection
- * (such as when select()ing it etc), use this accessor function.
- *
- * Returns: file descriptor for connection @bc, or negative value
- * on error.
- */
-int            bro_conn_get_fd(BroConn *bc);
-
-
-/**
- * bro_conn_process_input - Processes input sent to the sensor by Bro.
- * @bc: Bro connection handle
- *
- * The function reads all input sent to the local sensor by the
- * Bro peering at the connection identified by @bc. It is up
- * to you to find a spot in the application you're instrumenting
- * to make sure this is called. This function cannot block.
- * bro_conn_alive() will report the actual state of the connection
- * after a call to bro_conn_process_input().
- *
- * Returns: %TRUE if any input was processed, %FALSE otherwise.
- */
-int            bro_conn_process_input(BroConn *bc);
-
-
-/* ---------------------- Connection data storage -------------------- */
-
-/* Connection handles come with a faciity to store and retrieve
- * arbitrary data items. Use the following functions to store,
- * query, and remove items from a connection handle.
- */
-
-/**
- * bro_conn_data_set - Puts a data item into the registry.
- * @bc: Bro connection handle.
- * @key: name of the data item.
- * @val: data item.
- *
- * The function stores @val under name @key in the connection handle @bc.
- * @key is copied internally so you do not need to duplicate it before
- * passing.
- */
-void           bro_conn_data_set(BroConn *bc, const char *key, void *val);
-
-
-/**
- * bro_conn_data_get - Looks up a data item.
- * @bc: Bro connection handle.
- * @key: name of the data item.
- *
- * The function tries to look up the data item with name @key and
- * if found, returns it.
- * 
- * Returns: data item if lookup was successful, %NULL otherwise.
- */
-void          *bro_conn_data_get(BroConn *bc, const char *key);
-
-
-/**
- * bro_conn_data_del - Removes a data item.
- * @bc: Bro connection handle.
- * @key: name of the data item.
- *
- * The function tries to remove the data item with name @key.
- * 
- * Returns: the removed data item if it exists, %NULL otherwise.
- */
-void          *bro_conn_data_del(BroConn *bc, const char *key);
-
-
-/* ----------------------------- Bro Events -------------------------- */
-
-/**
- * bro_event_new - Creates a new empty event with a given name.
- * @event_name: name of the Bro event.
- *
- * The function creates a new empty event with the given
- * name and returns it.
- *
- * Returns: new event, or %NULL if allocation failed.
- */
-BroEvent      *bro_event_new(const char *event_name);
-
-
-/**
- * bro_event_free - Releases all memory associated with an event.
- * @be: event to release.
- *
- * The function releases all memory associated with @be. Note 
- * that you do NOT have to call this after sending an event.
- */
-void           bro_event_free(BroEvent *be);
-
-
-/**
- * bro_event_add_val - Adds a parameter to an event.
- * @be: event to add to.
- * @type: numerical type identifier (a %BRO_TYPE_xxx constant).
- * @type_name: optional name of specialized type.
- * @val: value to add to event.
- *
- * The function adds the given @val to the argument list of
- * event @be. The type of @val is derived from @type, and may be
- * specialized to the type named @type_name. If @type_name is not
- * desired, use %NULL.
- *
- * @val remains the caller's responsibility and is copied internally.
- *
- * Returns: %TRUE if the operation was successful, %FALSE otherwise.
- */
-int            bro_event_add_val(BroEvent *be, int type,
-				 const char *type_name,const void *val);
-
-
-/**
- * bro_event_set_val - Replace a value in an event.
- * @be: event handle.
- * @val_num: number of the value to replace, starting at 0.
- * @type: numerical type identifier (a %BRO_TYPE_xxx constant).
- * @type_name: optional name of specialized type.
- * @val: value to put in.
- *
- * The function replaces whatever value is currently stored in the
- * event pointed to by @be with the val specified through the @type and
- * @val arguments. If the event does not currently hold enough
- * values to replace one in position @val_num, the function does
- * nothing. If you want to indicate a type specialized from @type,
- * use @type_name to give its name, otherwise pass %NULL for @type_name.
- *
- * Returns: %TRUE if successful, %FALSE on error.
- */
-int            bro_event_set_val(BroEvent *be, int val_num,
-				 int type, const char *type_name,
-				 const void *val);
-
-/**
- * bro_event_send - Tries to send an event to a Bro agent.
- * @bc: Bro connection handle
- * @be: event to send.
- *
- * The function tries to send @be to the Bro agent connected
- * through @bc. Regardless of the outcome, you do NOT have
- * to release the event afterwards using bro_event_free().
- * 
- * Returns: %TRUE if the event got sent or queued for later transmission,
- * %FALSE on error. There are no automatic repeated send attempts
- * (to minimize the effect on the code that Broccoli is linked to).
- * If you have to make sure that everything got sent, you have
- * to try to empty the queue using bro_event_queue_flush(), and
- * also look at bro_event_queue_empty().
- */
-int            bro_event_send(BroConn *bc, BroEvent *be);
-	
-
-/**
- * bro_event_send_raw - Enqueues a serialized event directly into a connection's send buffer.
- * @bc: Bro connection handle
- * @data: pointer to serialized event data.
- * @data_len: length of buffer pointed to by @data.
- *
- * The function enqueues the given event data into @bc's transmit buffer.
- * @data_len bytes at @data must correspond to a single event.
- *
- * Returns: %TRUE if successful, %FALSE on error.
- */
-int            bro_event_send_raw(BroConn *bc, const uchar *data, int data_len);
-
-
-/**
- * bro_event_queue_length - Returns current queue length.
- * @bc: Bro connection handle
- *
- * Use this function to find out how many events are currently queued
- * on the client side.
- *
- * Returns: number of items currently queued.
- */
-int            bro_event_queue_length(BroConn *bc);
-
-
-/**
- * bro_event_queue_length_max - Returns maximum queue length.
- * @bc: Bro connection handle
- *
- * Use this function to find out how many events can be queued before
- * events start to get dropped.
- *
- * Returns: maximum possible queue size.
- */
-int            bro_event_queue_length_max(BroConn *bc);
-
-
-/**
- * bro_event_queue_flush - Tries to flush the send queue of a connection.
- * @bc: Bro connection handle
- *
- * The function tries to send as many queued events to the Bro
- * agent as possible.
- *
- * Returns: remaining queue length after flush.
- */
-int            bro_event_queue_flush(BroConn *bc);
-
-
-/* ------------------------ Bro Event Callbacks ---------------------- */
-
-/**
- * bro_event_registry_add - Adds an expanded-argument event callback to the event registry.
- * @bc: Bro connection handle
- * @event_name: Name of events that trigger callback
- * @func: callback to invoke.
- * @user_data: user data passed through to the callback.
- *
- * This function registers the callback @func to be invoked when events
- * of name @event_name arrive on connection @bc. @user_data is passed along
- * to the callback, which will receive it as the second parameter. You
- * need to ensure that the memory @user_data points to is valid during the
- * time the callback might be invoked.
- *
- * Note that this function only registers the callback in the state
- * associated with @bc. If you use bro_event_registry_add() and @bc
- * has not yet been connected via bro_conn_connect(), then no further
- * action is required. bro_conn_connect() request ant registered event types.
- * If however you are requesting additional event types after the connection has
- * been established, then you also need to call bro_event_registry_request()
- * in order to signal to the peering Bro that you want to receive those events.
- */
-void           bro_event_registry_add(BroConn *bc,
-				      const char *event_name,
-				      BroEventFunc func,
-				      void *user_data);
-
-/**
- * bro_event_registry_add_compact - Adds a compact-argument event callback to the event registry.
- * @bc: Bro connection handle
- * @event_name: Name of events that trigger callback
- * @func: callback to invoke.
- * @user_data: user data passed through to the callback.
- *
- * This function registers the callback @func to be invoked when events
- * of name @event_name arrive on connection @bc. @user_data is passed along
- * to the callback, which will receive it as the second parameter. You
- * need to ensure that the memory @user_data points to is valid during the
- * time the callback might be invoked. See bro_event_registry_add() for
- * details.
- */
-void           bro_event_registry_add_compact(BroConn *bc,
-					      const char *event_name,
-					      BroCompactEventFunc func,
-					      void *user_data);
-
-/**
- * bro_event_registry_remove - Removes an event handler.
- * @bc: Bro connection handle
- * @event_name: event to ignore from now on.
- *
- * The function removes all callbacks for event @event_name from the
- * event registry for connection @bc.
- */
-void           bro_event_registry_remove(BroConn *bc, const char *event_name);
-
-/**
- * bro_event_registry_request - Notifies peering Bro to send events.
- * @bc: Bro connection handle
- *
- * The function requests the events you have previously requested using
- * bro_event_registry_add() from the Bro listening on @bc.
- */
-void           bro_event_registry_request(BroConn *bc);
-
-
-
-/* ------------------------ Dynamic-size Buffers --------------------- */
-
-/**
- * bro_buf_new - Creates a new buffer object.
- *
- * Returns a new buffer object, or %NULL on error. Use paired with
- * bro_buf_free().
- */
-BroBuf        *bro_buf_new(void);
-
-/**
- * bro_buf_free - Releases a dynamically allocated buffer object.
- * @buf: buffer pointer.
- *
- * The function releases all memory held by the buffer pointed
- * to by @buf. Use paired with bro_buf_new().
- */
-void           bro_buf_free(BroBuf *buf);
-
-/**
- * bro_buf_append - appends data to the end of the buffer.
- * @buf: buffer pointer.
- * @data: new data to append to buffer.
- * @data_len: size of @data.
- *
- * The function appends data to the end of the buffer,
- * enlarging it if necessary to hold the @len new bytes.
- * NOTE: it does not modify the buffer pointer. It only
- * appends new data where buf_off is currently pointing
- * and updates it accordingly. If you DO want the buffer
- * pointer to be updated, have a look at bro_buf_ptr_write()
- * instead.
- *
- * Returns: %TRUE if successful, %FALSE otherwise.
- */
-int            bro_buf_append(BroBuf *buf, void *data, int data_len);
-
-
-/**
- * bro_buf_consume - shrinks the buffer.
- * @buf: buffer pointer.
- *
- * The function removes the buffer contents between the start
- * of the buffer and the point where the buffer pointer
- * currently points to. The idea is that you call bro_buf_ptr_read()
- * a few times to extract data from the buffer, and then
- * call bro_buf_consume() to signal to the buffer that the
- * extracted data are no longer needed inside the buffer.
- */
-void           bro_buf_consume(BroBuf *buf);
-
-
-/**
- * bro_buf_reset - resets the buffer.
- * @buf: buffer pointer.
- *
- * The function resets the buffer pointers to the beginning of the
- * currently allocated buffer, i.e., it marks the buffer as empty.
- */
-void           bro_buf_reset(BroBuf *buf);
-
-
-/**
- * bro_buf_get - Returns pointer to actual start of buffer.
- * @buf: buffer pointer.
- *
- * Returns the entire buffer's contents.
- */
-uchar         *bro_buf_get(BroBuf *buf);
-
-
-/**
- * bro_buf_get_end - Returns pointer to the end of the buffer.
- * @buf: buffer pointer.
- *
- * Returns: a pointer to the first byte in the
- * buffer that is not currently used.
- */ 
-uchar         *bro_buf_get_end(BroBuf *buf);
-
-
-/**
- * bro_buf_get_size - Returns number of bytes allocated for buffer.
- * @buf: buffer pointer.
- *
- * Returns: the number of actual bytes allocated for the
- * buffer.
- */
-uint           bro_buf_get_size(BroBuf *buf);
-
-
-/**
- * bro_buf_get_used_size - Returns number of bytes currently used.
- * @buf: buffer pointer.
- *
- * Returns: number of bytes currently used.
- */
-uint           bro_buf_get_used_size(BroBuf *buf);
-
-
-/**
- * bro_buf_ptr_get - Returns current buffer content pointer.
- * @buf: buffer pointer.
- *
- * Returns: current buffer content pointer.
- */
-uchar         *bro_buf_ptr_get(BroBuf *buf);
-
-
-/**
- * bro_buf_ptr_tell - Returns current offset of buffer content pointer.
- * @buf: buffer pointer.
- *
- * Returns: current offset of buffer content pointer.
- */
-uint32         bro_buf_ptr_tell(BroBuf *buf);
-
-
-/**
- * bro_buf_ptr_seek - Adjusts buffer content pointer.
- * @buf: buffer pointer.
- * @offset: number of bytes by which to adjust pointer, positive or negative.
- * @whence: location relative to which to adjust.
- *
- * The function adjusts the position of @buf's content
- * pointer. Call semantics are identical to fseek(), thus
- * use @offset to indicate the offset by which to jump and
- * use %SEEK_SET, %SEEK_CUR, or %SEEK_END to specify the
- * position relative to which to adjust.
- *
- * Returns: %TRUE if adjustment could be made, %FALSE
- * if not (e.g. because the offset requested is not within
- * legal bounds).
- */
-int            bro_buf_ptr_seek(BroBuf *buf, int offset, int whence);
-
-
-/** 
- * bro_buf_ptr_check - Checks whether a number of bytes can be read.
- * @buf: buffer pointer.
- * @size: number of bytes to check for availability.
- *
- * The function checks whether @size bytes could be read from the
- * buffer using bro_buf_ptr_read().
- *
- * Returns: %TRUE if @size bytes can be read, %FALSE if not.
- */
-int            bro_buf_ptr_check(BroBuf *buf, int size);
-
-
-/**
- * bro_buf_ptr_read - Extracts a number of bytes from buffer.
- * @buf: buffer pointer.
- * @data: destination area.
- * @size: number of bytes to copy into @data.
- *
- * The function copies @size bytes into @data if the buffer
- * has @size bytes available from the current location of
- * the buffer content pointer onward, incrementing the content
- * pointer accordingly. If not, the function doesn't do anything.
- * It behaves thus different from the normal read() in that
- * it either copies the amount requested or nothing.
- * 
- * Returns: %TRUE if @size bytes were copied, %FALSE if not.
- */
-int            bro_buf_ptr_read(BroBuf *buf, void *data, int size);
-
-/**
- * bro_buf_ptr_write - Writes a number of bytes into buffer.
- * @buf: buffer pointer.
- * @data: data to write.
- * @size: number of bytes to copy into @data.
- *
- * The function writes @size bytes of the area pointed to by @data
- * into the buffer @buf at the current location of its content pointer,
- * adjusting the content pointer accordingly. If the buffer doesn't have
- * enough space to receive @size bytes, more space is allocated.
- *
- * Returns: %TRUE if @size bytes were copied, %FALSE if an error
- * occurred and the bytes could not be copied.
- */
-int            bro_buf_ptr_write(BroBuf *buf, void *data, int size);
-
-
-/* ------------------------ Configuration Access --------------------- */
-
-/**
- * bro_conf_set_domain - Sets the current domain to use in a config file.
- * @domain: name of the domain, or %NULL.
- *
- * Broccoli's config files are divided into sections. At the beginning of
- * each config file you can have an unnamed section that will be used by
- * default. Case is irrelevant. By passing %NULL for @domain, you select
- * the default domain, otherwise the one that matches @domain. @domain is
- * copied internally.
- */
-void           bro_conf_set_domain(const char *domain);
-
-
-/**
- * bro_conf_get_int - Retrieves an integer from the configuration
- * @val_name: key name for the value.
- * @val: result pointer for the value.
- *
- * The function tries to find an integer item named @val_name in the
- * configuration. If it is found, its value is placed into the
- * int pointed to by @val.
- *
- * Returns: %TRUE if @val_name was found, %FALSE otherwise.
- */
-int            bro_conf_get_int(const char *val_name, int *val);
-
-
-/**
- * bro_conf_get_dbl - Retrieves a double float from the configuration
- * @val_name: key name for the value.
- * @val: result pointer for the value.
- *
- * The function tries to find a double float item named @val_name 
- * in the configuration. If it is found, its value is placed into the
- * double pointed to by @val.
- *
- * Returns: %TRUE if @val_name was found, %FALSE otherwise.
- */
-int            bro_conf_get_dbl(const char *val_name, double *val);
-
-
-/**
- * bro_conf_get_str - Retrieves an integer from the configuration
- * @val_name: key name for the value.
- *
- * The function tries to find a string item named @val_name in the
- * configuration.
- *
- * Returns: the config item if @val_name was found, %NULL otherwise.
- * A returned string is stored internally and not to be modified. If
- * you need to keep it around, strdup() it.
- */
-const char    *bro_conf_get_str(const char *val_name);
-
-
-
-/* ------------------------------ Strings ---------------------------- */
-
-/**
- * bro_string_init - Initializes an existing string structure.
- * @bs: string pointer.
- *
- * The function initializes the BroString pointed to by @bs. Use this
- * function before using the members of a BroString you're using on the
- * stack.
- */
-void           bro_string_init(BroString *bs);
-
-/**
- * bro_string_set - Sets a BroString's contents.
- * @bs: string pointer.
- * @s: C ASCII string.
- *
- * The function initializes the BroString pointed to by @bs to the string
- * given in @s. @s's content is copied, so you can modify or free @s
- * after calling this, and you need to call bro_string_cleanup() on the
- * BroString pointed to by @bs.
- *
- * Returns: %TRUE is successful, %FALSE otherwise.
- */
-int            bro_string_set(BroString *bs, const char *s);
-
-/**
- * bro_string_set_data - Sets a BroString's contents.
- * @bs: string pointer.
- * @data: arbitrary data.
- * @data_len: length of @data.
- *
- * The function initializes the BroString pointed to by @bs to @data_len
- * bytes starting at @data. @data's content is copied, so you can modify
- * or free @data after calling this.
- *
- * Returns: %TRUE is successful, %FALSE otherwise.
- */
-int            bro_string_set_data(BroString *bs, const uchar *data, int data_len);
-
-/**
- * bro_string_get_data - Returns pointer to the string data.
- * @bs: string pointer.
- *
- * The function returns a pointer to the string's internal data. You
- * can copy out the string using this function in combination with
- * bro_string_get_length(), for obtaining the string's length.
- *
- * Returns: pointer to string, or %NULL on error.
- */
-const uchar   *bro_string_get_data(const BroString *bs);
-
-/**
- * bro_string_get_length - Returns string's length.
- * @bs: string pointer.
- *
- * Returns: the string's length.
- */
-uint32         bro_string_get_length(const BroString *bs);
-  
-/**
- * bro_string_copy - Duplicates a BroString.
- * @bs: string pointer.
- *
- * Returns: a deep copy of the BroString pointed to by @bs, or %NULL on
- * error.
- */
-BroString     *bro_string_copy(BroString *bs);
-
-/**
- * bro_string_assign - Duplicates a BroString's content, assigning it to an existing one.
- * @src: source string.
- * @dst: target string.
- *
- * Copies the string content pointed to by @src into the existing
- * BroString pointed to by @dst. bro_string_cleanup() is called on
- * @dst before the assignment.
- */
-void           bro_string_assign(BroString *src, BroString *dst);
-
-/**
- * bro_string_cleanup - Cleans up existing BroString.
- * @bs: string pointer.
- *
- * This function releases all contents claimed by the BroString pointed
- * to by @bs, without releasing that BroString structure itself. Use
- * this when manipulating a BroString on the stack, paired with
- * bro_string_init().
- */
-void           bro_string_cleanup(BroString *bs);
-
-/**
- * bro_string_free - Cleans up dynamically allocated BroString.
- * @bs: string pointer.
- * 
- * This function releases the entire BroString pointed to by @bs, including
- * the BroString structure itself.
- */
-void           bro_string_free(BroString *bs);
-
-
-/* -------------------------- Record Handling ------------------------ */
-
-/**
- * bro_record_new - Creates a new record.
- *
- * The function allocates and initializes a new empty record. BroRecords
- * are used for adding and retrieving records vals to/from events. You
- * do not have to specify a record type separately when you create a
- * record. The type is defined implicitly by the sequence of types formed
- * by the sequence of vals added to the record, along with the names for
- * each val. See the manual for details.
- *
- * Returns: a new record, or %NULL on error.
- */
-BroRecord     *bro_record_new(void);
-
-/**
- * bro_record_free - Releases a record.
- * @rec: record handle.
- *
- * The function releases all memory consumed by the record pointed to
- * by @rec.
- */
-void           bro_record_free(BroRecord *rec);
- 
-/**
- * bro_record_get_length - Returns number of fields in record.
- * @rec: record handle.
- *
- * Returns the number of fields in the record.
- */
-int            bro_record_get_length(BroRecord *rec);
-
-/**
- * bro_record_add_val - Adds a val to a record.
- * @rec: record handle.
- * @name: field name of the added val.
- * @type: numerical type tag of the new val.
- * @type_name: optional name of specialized type.
- * @val: pointer to the new val*.
- *
- * The function adds a new field to the record pointed to by @rec and
- * assigns the value passed in to that field. The field name is given
- * in @name, the type of the val is given in @type and must be one of
- * the %BRO_TYPE_xxx constants defined in broccoli.h. The type you give
- * implies what data type @val must be pointing to; see the manual for
- * details. If you want to indicate a type specialized from @type,
- * use @type_name to give its name, otherwise pass %NULL for @type_name.
- * It is possible to leave fields unassigned, in that case, pass in
- * %NULL for @val.
- *
- * @val remains the caller's responsibility and is copied internally.
- *
- * Returns: %TRUE on success, %FALSE on error.
- */
-int            bro_record_add_val(BroRecord *rec, const char *name,
-				  int type, const char *type_name,
-				  const void *val);
-
-/**
- * bro_record_get_nth_val - Retrieves a val from a record by field index.
- * @rec: record handle.
- * @num: field index, starting from 0.
- * @type: value-result argument for the expected/actual type of the value.
- *
- * The function returns the @num'th value of the record pointed to
- * by @rec, expected to be of @type. The returned value is internal
- * and needs to be duplicated if you want to keep it around. Upon
- * return, the int pointed to by @type tells you the type of the returned
- * val, as a BRO_TYPE_xxx type tag. If the int pointed to upon calling
- * the function has the value BRO_TYPE_UNKNOWN, no type checking is
- * performed and the value is returned. If it is any other type tag,
- * its value is compared to that of the value, and if they match, the
- * value is returned. Otherwise, the return value is %NULL. If you don't
- * care about type enforcement and don't want to know the value's type,
- * you may pass %NULL for @type.
- *
- * Returns: pointer to queried value on success, %NULL on error.
- */
-void*          bro_record_get_nth_val(BroRecord *rec, int num, int *type);
-
-
-/**
- * bro_record_get_nth_name - Retrieves a name from a record by field index.
- * @rec: record handle.
- * @num: field index, starting from 0.
- *
- * The function returns the @num'th name of the record pointed to by @rec. 
- *
- * Returns: field name on success, %NULL on error.
- */
-const char*    bro_record_get_nth_name(BroRecord *rec, int num);
-
-
-/**
- * bro_record_get_named_val - Retrieves a val from a record by field name.
- * @rec: record handle.
- * @name: field name.
- * @type: value-result argument for the expected/actual type of the value.
- *
- * The function returns the value of the field named @name in the
- * record pointed to by @rec. The returned value is internal and needs
- * to be duplicated if you want to keep it around. @type works as with
- * bro_record_get_nth_val(), see there for more details.
- *
- * Returns: pointer to queried value on success, %NULL on error.
- */
-void*          bro_record_get_named_val(BroRecord *rec, const char *name, int *type);
-
-
-/**
- * bro_record_set_nth_val - Replaces a val in a record, identified by field index.
- * @rec: record handle.
- * @num: field index, starting from 0.
- * @type: expected type of the value.
- * @type_name: optional name of specialized type.
- * @val: pointer to new val.
- *
- * The function replaces the @num'th value of the record pointed to
- * by @rec, expected to be of @type. All values are copied internally
- * so what @val points to stays unmodified. The value of @type implies
- * what @result must be pointing to. See the manual for details.
- * If you want to indicate a type specialized from @type, use
- * @type_name to give its name, otherwise pass %NULL for @type_name.
- *
- * Returns: %TRUE on success, %FALSE on error.
- */
-int            bro_record_set_nth_val(BroRecord *rec, int num,
-				      int type, const char *type_name,
-				      const void *val);
-
-/**
- * bro_record_set_named_val - Replaces a val in a record, identified by name.
- * @rec: record handle.
- * @name: field name.
- * @type: expected type of the value.
- * @type_name: optional name of specialized type.
- * @val: pointer to new val.
- *
- * The function replaces the value named @name in the record pointed to
- * by @rec, expected to be of @type. All values are copied internally
- * so what @val points to stays unmodified. The value of @type implies
- * what @result must be pointing to. See the manual for details.
- * If you want to indicate a type specialized from @type,
- * use @type_name to give its name, otherwise pass %NULL for @type_name.
- *
- * Returns: %TRUE on success, %FALSE on error.
- */
-int            bro_record_set_named_val(BroRecord *rec, const char *name,
-					int type, const char *type_name,
-					const void *val);
-
-
-/* -------------------------- Tables & Sets -------------------------- */
-
-/**
- * BroTableCallback - The signature of callbacks for iterating over tables.
- * @key: a pointer to the key of a key-value pair.
- * @val: a pointer to @key's corresponding value.
- * @user_data: user data passed through.
- *
- * This is the signature of callbacks used when iterating over all
- * elements stored in a BroTable.
- *
- * Returns: TRUE if iteration should continue, FALSE if done.
- */
-typedef int (*BroTableCallback) (void *key, void *val, void *user_data);
-
-
-BroTable      *bro_table_new(void);
-void           bro_table_free(BroTable *tbl);
-
-int            bro_table_insert(BroTable *tbl,
-				int key_type, const void *key,
-				int val_type, const void *val);
-
-void          *bro_table_find(BroTable *tbl, const void *key);
-
-int            bro_table_get_size(BroTable *tbl);
-
-void           bro_table_foreach(BroTable *tbl, BroTableCallback cb,
-				 void *user_data);
-
-void           bro_table_get_types(BroTable *tbl,
-				   int *key_type, int *val_type);
-
-
-/**
- * BroTableCallback - The signature of callbacks for iterating over sets.
- * @val: a pointer to an element in the set.
- * @user_data: user data passed through.
- *
- * This is the signature of callbacks used when iterating over all
- * elements stored in a BroSet.
- *
- * Returns: TRUE if iteration should continue, FALSE if done.
- */
-typedef int (*BroSetCallback) (void *val, void *user_data);
-
-BroSet        *bro_set_new(void);
-void           bro_set_free(BroSet *set);
-
-int            bro_set_insert(BroSet *set, int type, const void *val);
-
-int            bro_set_find(BroSet *set, const void *key);
-
-int            bro_set_get_size(BroSet *set);
-
-void           bro_set_foreach(BroSet *set, BroSetCallback cb,
-			       void *user_data);
-
-void           bro_set_get_type(BroSet *set, int *type);
-
-	
-/* ----------------------- Pcap Packet Handling ---------------------- */
-#ifdef BRO_PCAP_SUPPORT
-
-/**
- * bro_conn_set_packet_ctxt - Sets current packet context for connection.
- * @bc: connection handle.
- * @link_type: libpcap DLT linklayer type.
- * 
- * The function sets the packet context for @bc for future BroPackets
- * handled by this connection.
- */
-void           bro_conn_set_packet_ctxt(BroConn *bc, int link_type);
-
-/**
- * bro_conn_get_packet_ctxt - Gets current packet context for connection.
- * @bc: connection handle.
- * @link_type: result pointer for libpcap DLT linklayer type.
- * 
- * The function returns @bc's current packet context through @link_type.
- */
-void           bro_conn_get_packet_ctxt(BroConn *bc, int *link_type);
-
-/** 
- * bro_packet_new - Creates new packet.
- * @hdr: pointer to libpcap packet header.
- * @data: pointer to libpcap packet data.
- * @tag: pointer to ASCII tag (0 for no tag).
- * 
- * The function creates a new BroPacket by copying @hdr and @data internally.
- * Release the resulting packet using bro_packet_free().
- */
-BroPacket     *bro_packet_new(const struct pcap_pkthdr *hdr, const u_char *data, const char* tag);
-
-/**
- * bro_packet_clone - Clones a packet.
- * @packet: packet to clone.
- *
- * Returns: a copy of @packet, or %NULL on error.
- */
-BroPacket     *bro_packet_clone(const BroPacket *packet);
-
-/**
- * bro_packet_free - Releases a packet.
- * @packet: packet to release.
- * 
- * The function releases all memory occupied by a packet previously allocated
- * using bro_packet_new().
- */
-void           bro_packet_free(BroPacket *packet);
-
-/**
- * bro_packet_send - Sends a packet over a given connection.
- * @bc: connection on which to send packet.
- * @packet: packet to send.
- *
- * The function sends @packet to the Bro peer connected via @bc.
- *
- * Returns: %TRUE if successful, %FALSE otherwise.
- */
-int            bro_packet_send(BroConn *bc, BroPacket *packet);
-
-#endif
-
-/* --------------------------- Miscellaneous ------------------------- */
-
-/**
- * bro_util_current_time - Gets current time
- * 
- * Returns: the current system time as a double, in seconds, suitable
- * for passing to bro_event_add_time().
- */
-double         bro_util_current_time(void);
-
-/**
- * bro_util_timeval_to_double - Converts timeval struct to double.
- * @tv: pointer to timeval structure.
- *
- * Returns: a double encoding the timestamp given in @tv in a floating
- * point double, with the fraction of a second between 0.0 and 1.0.
- */
-double         bro_util_timeval_to_double(const struct timeval *tv);
-  
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/aux/broccoli/svn.pl b/aux/broccoli/svn.pl
deleted file mode 100755
index 581593f615..0000000000
--- a/aux/broccoli/svn.pl
+++ /dev/null
@@ -1,183 +0,0 @@
-#!/usr/bin/perl -w
-
-# CVS/SVN wrapper script that maintains a nice ChangeLog for us.
-# Heavily hacked & cleaned up, originally based upon a script
-# that was once used in the Enlightenment project.
-
-use strict;
-use FileHandle;
-
-
-# Prototypes
-#_______________________________________________________________________
-
-sub create_changelog;
-sub validate_commit_message;
-sub create_commit_message;
-sub setup_username_translation;
-sub update_changelog;
-sub check_parameters;
-
-
-# Globals
-#_______________________________________________________________________
-my %names;
-my ($date, $author);
-
-# Formats
-#_______________________________________________________________________
-format ENTRY =
-@<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< @>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
-$date, $author
-.
-    
-    
-# Subroutines
-#_______________________________________________________________________
-    
-sub setup_username_translation {
-    
-    $names{"kreibich"} = "Christian <christian\@whoop.org>";
-    $names{"cpk25"} = "Christian <christian\@whoop.org>";    
-    $names{"christian"} = "Christian <christian\@whoop.org>";    
-}
-
-
-
-sub create_changelog {
-    
-    my $cl = "ChangeLog";
-    my $num_lines;
-    my $wc;
-    my @lines;
-    my @commitlines;
-    my $line;
-    
-    print "Updating the ChangeLog with your entry.\n";
-    
-    if (open CHANGELOG, $cl) {
-	@lines = <CHANGELOG>;
-	close CHANGELOG;
-	
-	shift (@lines);
-	shift (@lines);
-    }  
-    
-    
-    open CHANGELOG, ">$cl";
-    print CHANGELOG <<eof;
-Broccoli Changelog
-========================================================================
-
-eof
-
-    if (open COMMITLOG, "CommitLog") {
-	@commitlines = <COMMITLOG>;
-	close COMMITLOG;
-    }  
-    
-    CHANGELOG->format_name("ENTRY");
-    $date   = `date`;
-    $author = $names{$ENV{USER}};
-    write CHANGELOG;
-    CHANGELOG->format_name();
-    print CHANGELOG "\n";
-    print CHANGELOG @commitlines;
-    print CHANGELOG "\n------------------------------------------------------------------------\n";
-    print CHANGELOG @lines;
-    close CHANGELOG;
-}
-
-sub create_commit_message {
-    
-    print "Please create a log message for the ChangeLog.\n";
-    
-    if (open COMMITLOG, ">CommitLog") {
-	print COMMITLOG "-" x 72;
-	print COMMITLOG "\n";
-	close COMMITLOG;
-    }  
-
-    if($ENV{EDITOR}) {
-	system("$ENV{EDITOR} CommitLog");
-    } else {
-	system("vi CommitLog");
-    }
-}
-
-
-sub update_changelog {
-  
-    my @ARGV2;
-    
-    @ARGV2 = @ARGV;
-    $ARGV2[0] = "update";
-  
-    print "Force updating ChangeLog\n";
-    unlink "ChangeLog";
-    system("svn update ChangeLog");
-}
-
-
-sub check_parameters {
-
-    if (scalar(@ARGV) < 1) {
-	print "USAGE: cvs.pl <comands> <files>\n";
-	exit (0);
-    }
-}
-
-# Main Program
-#_______________________________________________________________________
-
-check_parameters();
-setup_username_translation();
-
-if (($ARGV[0] =~ /com/) || ($ARGV[0] =~ /ci/)) {
-    my @ARGV2;
-    
-    create_commit_message();
-    update_changelog();
-    
-    $ARGV[0] .= " -F CommitLog";
-    @ARGV2 = @ARGV;
-    $ARGV2[0] = "update";
-    
-    print "Updating the files you are committing.\n";
-    system("svn @ARGV2 2>&1 |tee errors");
-    
-    if (open ERRORS, "errors") {
-
-	while(<ERRORS>) {
-
-	    if (/conflicts during merge/) {
-		print "There are one or more conflicts,\n" .
-		      "Please resolve and try again.\n";
-		unlink "errors" if(-f "errors");
-		exit(0);
-	    }
-	}
-	
-	close ERRORS;
-    }
-    
-    unlink "errors" if(-f "errors");    
-    create_changelog();
-    
-    if($#ARGV >= 1) {
-
-	my $found;
-	
-	$found = 0;
-
-	foreach(@ARGV) {
-	    $found = 1 if(/ChangeLog$/);
-	}
-
-	push @ARGV, "ChangeLog" if(! $found);
-    }
-}
-
-print "svn @ARGV\n";
-system("svn @ARGV");
-print "Finished.\n"
diff --git a/aux/broccoli/test/Makefile.am b/aux/broccoli/test/Makefile.am
deleted file mode 100644
index a41709e187..0000000000
--- a/aux/broccoli/test/Makefile.am
+++ /dev/null
@@ -1,29 +0,0 @@
-## Process this file with automake to produce Makefile.in
-
-# A list of all the files in the current directory which can be regenerated
-MAINTAINERCLEANFILES = Makefile.in Makefile dummysensor
-
-INCLUDES = -I$(top_srcdir)/src -W -Wall -Wno-unused
-
-if BRO_PCAP_SUPPORT
-PCAP_TESTS =
-else
-PCAP_TESTS = 
-endif
-
-noinst_PROGRAMS = broping broconn brohose broconftest broenum brotable $(PCAP_TESTS)
-
-LDADD = $(top_builddir)/src/.libs/libbroccoli.a @BRO_LIBADD@
-
-broping_SOURCES = broping.c
-broconn_SOURCES = broconn.c
-brohose_SOURCES = brohose.c
-broenum_SOURCES = broenum.c
-broconftest_SOURCES = broconftest.c
-brotable_SOURCES = brotable.c
-
-# don't install any of this stuff
-#install-binPROGRAMS:
-#uninstall-binPROGRAMS:
-
-EXTRA_DIST = broping.bro brohose.bro broenum.bro broping-record.bro broconn.bro
diff --git a/aux/broccoli/test/broconftest.c b/aux/broccoli/test/broconftest.c
deleted file mode 100644
index d221d59968..0000000000
--- a/aux/broccoli/test/broconftest.c
+++ /dev/null
@@ -1,50 +0,0 @@
-/*
-       B R O C C O L I  --  The Bro Client Communications Library
-
-Copyright (C) 2004-2007 Christian Kreibich <christian (at) icir.org>
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to
-deal in the Software without restriction, including without limitation the
-rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-sell copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies of the Software and its documentation and acknowledgment shall be
-given in the documentation and software packages that this Software was
-used.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
-THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-*/
-#include <stdio.h>
-#include <stdlib.h>
-
-#include <broccoli.h>
-
-#ifdef HAVE_CONFIG_H
-#include <config.h>
-#endif
-
-int
-main(int argc, char **argv)
-{
-  int i;
-  const char *s;
-
-  bro_init(NULL);
-
-  if ( (s = bro_conf_get_str("PeerName")))
-    printf("PeerName: %s\n", s);
-
-  if (bro_conf_get_int("PeerPort", &i))
-    printf("PeerPort: %i\n", i);
-  
-  return 0;
-}
diff --git a/aux/broccoli/test/broconn.bro b/aux/broccoli/test/broconn.bro
deleted file mode 100644
index 37540df01b..0000000000
--- a/aux/broccoli/test/broconn.bro
+++ /dev/null
@@ -1,50 +0,0 @@
-# Depending on whether you want to use encryption or not,
-# include "listen-clear" or "listen-ssl":
-#
-# @load listen-ssl
-@load listen-clear
-@load conn
-@load dpd
-
-# Let's make sure we use the same port no matter whether we use encryption or not:
-#
-@ifdef (listen_port_clear)
-redef listen_port_clear    = 47758/tcp;
-@endif
-
-# If we're using encrypted communication, redef the SSL port and hook in
-# the necessary certificates:
-#
-@ifdef (listen_port_ssl)
-redef listen_port_ssl      = 47758/tcp;
-redef ssl_ca_certificate   = "<path>/ca_cert.pem";
-redef ssl_private_key      = "<path>/bro.pem";
-@endif
-
-redef Remote::destinations += {
-	["broconn"] = [$host = 127.0.0.1, $connect=F, $ssl=F]
-};
-
-redef dpd_conn_logs = T;
-
-function services_to_string(ss: string_set): string
-{
-	local result = "";
-
-	for (s in ss)
-	    result = fmt("%s %s", result, s);
-	
-	return result;
-}
-
-event new_connection(c: connection)
-{
-	print fmt("new_connection: %s, services:%s",
-	          id_string(c$id), services_to_string(c$service));
-}
-
-event connection_finished(c: connection)
-{
-	print fmt("connection_finished: %s, services:%s",
-	          id_string(c$id), services_to_string(c$service));
-}
diff --git a/aux/broccoli/test/broconn.c b/aux/broccoli/test/broconn.c
deleted file mode 100644
index dea050870d..0000000000
--- a/aux/broccoli/test/broconn.c
+++ /dev/null
@@ -1,354 +0,0 @@
-/*
-       B R O C C O L I  --  The Bro Client Communications Library
-
-Copyright (C) 2004-2007 Christian Kreibich <christian (at) icir.org>
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to
-deal in the Software without restriction, including without limitation the
-rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-sell copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies of the Software and its documentation and acknowledgment shall be
-given in the documentation and software packages that this Software was
-used.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
-THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-*/
-#include <sys/types.h>
-#include <sys/time.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <time.h>
-#include <errno.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <string.h>
-
-#include <broccoli.h>
-
-#ifdef HAVE_CONFIG_H
-#include <config.h>
-#endif
-
-char *host_default = "127.0.0.1";
-char *port_default = "47758";
-char *host_str;
-char *port_str;
-
-int count = -1;
-int seq;
-
-static void
-usage(void)
-{
-  printf("broconn - dumps arriving connection events to console.\n"
-	 "USAGE: broconn [-h|-?] [-d] [-p port] host\n");
-  exit(0);
-}
-
-/* Snippet from Bro policies containing relevant record types:
-
-type connection: record {
-	id: conn_id;
-	orig: endpoint;
-	resp: endpoint;
-	start_time: time;
-	duration: interval;
-	service: string;
-	addl: string;
-	hot: count;
-};
-
-type conn_id: record {
-	orig_h: addr;
-	orig_p: port;
-	resp_h: addr;
-	resp_p: port;
-};
-
-type endpoint: record {
-	size: count;
-	state: count;
-};
-
-*/
-
-static int
-services_print_cb(BroString *service, void *user_data)
-{
-  printf("'%s' ", service->str_val);
-  
-  return TRUE;
-  user_data = NULL;
-}
-
-static void
-conn_generic(BroConn *bc, BroRecord *conn)
-{
-  BroRecord *id, *orig, *resp;
-  BroSet *services;
-  BroString *addl;
-  BroPort *port;
-  uint32 *addr, *size, *state;
-  double *start_time, *duration;
-  struct in_addr ip;
-  int type = BRO_TYPE_RECORD;
-
-  if (! (id = bro_record_get_named_val(conn, "id", &type)))
-    {
-      printf("[Error obtaining 'id' member from connection record.]\n");
-      return;
-    }
-
-  if (! (orig = bro_record_get_named_val(conn, "orig", &type)))
-    {
-      printf("[Error obtaining 'orig' member from connection record.]\n");
-      return;
-    }
-
-  if (! (resp = bro_record_get_named_val(conn, "resp", &type)))
-    {
-      printf("[Error obtaining 'orig' member from connection record.]\n");
-      return;
-    }
-  
-  type = BRO_TYPE_IPADDR;
-
-  if (! (addr = bro_record_get_named_val(id, "orig_h", &type)))
-    {
-      printf("[Error obtaining 'orig_h' member from connection ID record.]\n");
-      return;
-    }
-
-  type = BRO_TYPE_PORT;
-
-  if (! (port = bro_record_get_named_val(id, "orig_p", &type)))
-    {
-      printf("[Error obtaining 'orig_p' member from connection ID record.]\n");
-      return;
-    }
-
-  type = BRO_TYPE_COUNT;
-
-  if (! (size = bro_record_get_named_val(orig, "size", &type)))
-    {
-      printf("[Error obtaining 'size' member from orig endpoint record.]\n");
-      return;
-    }
-
-  if (! (state = bro_record_get_named_val(orig, "state", &type)))
-    {
-      printf("[Error obtaining 'state' member from orig endpoint record.]\n");
-      return;
-    }
-
-  ip.s_addr = *addr;
-  printf("%s/%u [%u/%u] -> ", inet_ntoa(ip), port->port_num, *size, *state);
-  type = BRO_TYPE_IPADDR;
-
-  if (! (addr = bro_record_get_named_val(id, "resp_h", &type)))
-    {
-      printf("[Error obtaining 'resp_h' member from connection ID record.]\n");
-      return;
-    }
-
-  type = BRO_TYPE_PORT;
-
-  if (! (port = bro_record_get_named_val(id, "resp_p", &type)))
-    {
-      printf("[Error obtaining 'resp_p' member from connection ID record.]\n");
-      return;
-    }
-
-  type = BRO_TYPE_COUNT;
-
-  if (! (size = bro_record_get_named_val(resp, "size", &type)))
-    {
-      printf("[Error obtaining 'size' member from orig endpoint record.]\n");
-      return;
-    }
-
-  if (! (state = bro_record_get_named_val(resp, "state", &type)))
-    {
-      printf("[Error obtaining 'state' member from orig endpoint record.]\n");
-      return;
-    }
-
-  ip.s_addr = *addr;
-  printf("%s/%u [%u/%u], ", inet_ntoa(ip), port->port_num, *size, *state);
-  type = BRO_TYPE_TIME;
-
-  if (! (start_time = bro_record_get_named_val(conn, "start_time", &type)))
-    {
-      printf("[Error obtaining 'start_time' member from connection record.]\n");
-      return;
-    }
-
-  type = BRO_TYPE_INTERVAL;
-
-  if (! (duration = bro_record_get_named_val(conn, "duration", &type)))
-    {
-      printf("[Error obtaining 'duration' member from connection record.]\n");
-      return;
-    }
-
-  type = BRO_TYPE_SET;
-
-  services = bro_record_get_named_val(conn, "service", &type);
-
-  type = BRO_TYPE_STRING;
-  
-  if (! (addl = bro_record_get_named_val(conn, "addl", &type)))
-    {
-      printf("[Error obtaining 'addl' member from connection record.]\n");
-      return;
-    }
-  
-  printf("start: %f, duration: %f, addl: '%s', ",
-	 *start_time, *duration, addl->str_val);
-  
-  if (services)
-    {
-      int type;
-
-      bro_set_get_type(services, &type);
-
-      printf("%i services (type check: %d) ",
-	     bro_set_get_size(services), type);
-	     
-      if (bro_set_get_size(services) > 0)
-	bro_set_foreach(services, (BroSetCallback) services_print_cb, NULL);
-    }
-  else
-    printf("no services listed");
-  
-  printf("\n");
-}
-
-static void
-conn_new(BroConn *bc, void *data, BroRecord *conn)
-{
-  printf("new_connection: ");
-  conn_generic(bc, conn);
-  data = NULL;
-}
-
-static void
-conn_fin(BroConn *bc, void *data, BroRecord *conn)
-{
-  printf("connection_finished: ");
-  conn_generic(bc, conn);
-  data = NULL;
-}
-
-
-int
-main(int argc, char **argv)
-{
-  int opt, port, fd, debugging = 0;
-  BroConn *bc;
-  extern char *optarg;
-  extern int optind;
-  char hostname[512];
-  fd_set fd_read;
-
-  bro_init(NULL);
-
-  host_str = host_default;
-  port_str = port_default;
-
-  bro_debug_calltrace = 0;
-  bro_debug_messages  = 0;
-
-  while ( (opt = getopt(argc, argv, "c:p:dh?r")) != -1)
-    {
-      switch (opt)
-	{
-	case 'd':
-	  debugging++;
-
-	  if (debugging == 1)
-	    bro_debug_messages = 1;
-	  
-	  if (debugging > 1)
-	    bro_debug_calltrace = 1;
-	  break;
-
-	case 'h':
-	case '?':
-	  usage();
-
-	case 'p':
-	  port_str = optarg;
-	  break;
-
-	default:
-	  usage();
-	}
-    }
-
-  argc -= optind;
-  argv += optind;
-
-  if (argc > 0)
-    host_str = argv[0];
-
-  port = strtol(port_str, NULL, 0);
-  if (errno == ERANGE)
-    {
-      printf("Please provide a port number with -p.\n");
-      exit(-1);
-    }
-
-  snprintf(hostname, 512, "%s:%s", host_str, port_str);
-  
-  /* Connect to Bro */
-  if (! (bc = bro_conn_new_str(hostname, BRO_CFLAG_RECONNECT | BRO_CFLAG_ALWAYS_QUEUE)))
-    {
-      printf("Couldn't get Bro connection handle.\n");
-      exit(-1);
-    }
-  
-  /* Request a few event types and have the corresponding callbacks
-   * called when they arrive. The callback mechanism automatically figures out
-   * the number of arguments and invokes the callback accordingly.
-   */
-  bro_event_registry_add(bc, "new_connection", (BroEventFunc) conn_new, NULL);
-  bro_event_registry_add(bc, "connection_finished", (BroEventFunc) conn_fin, NULL);
- 
-  if (! bro_conn_connect(bc))
-    {
-      printf("Could not connect to Bro at %s:%s.\n", host_str, port_str);
-      exit(-1);
-    }
-  
-  /* Sit and wait for events */
-  fd = bro_conn_get_fd(bc);
-
-  for ( ; ; )
-    {
-      FD_ZERO(&fd_read);
-      FD_SET(fd, &fd_read);
-      
-      if (select(fd + 1, &fd_read, NULL, NULL, NULL) <= 0)
-	break;
-      
-      bro_conn_process_input(bc);
-    }
-  
-  /* Disconnect from Bro and release state. */
-  bro_conn_delete(bc);
-
-  return 0;
-}
diff --git a/aux/broccoli/test/broenum.bro b/aux/broccoli/test/broenum.bro
deleted file mode 100644
index fd4d55fc4f..0000000000
--- a/aux/broccoli/test/broenum.bro
+++ /dev/null
@@ -1,33 +0,0 @@
-# Depending on whether you want to use encryption or not,
-# include "listen-clear" or "listen-ssl":
-#
-# @load listen-ssl
-@load listen-clear
-
-# Let's make sure we use the same port no matter whether we use encryption or not:
-#
-@ifdef (listen_port_clear)
-redef listen_port_clear    = 47758/tcp;
-@endif
-
-# If we're using encrypted communication, redef the SSL port and hook in
-# the necessary certificates:
-#
-@ifdef (listen_port_ssl)
-redef listen_port_ssl      = 47758/tcp;
-redef ssl_ca_certificate   = "<path>/ca_cert.pem";
-redef ssl_private_key      = "<path>/bro.pem";
-@endif
-
-module enumtest;
-
-type enumtype: enum { ENUM1, ENUM2, ENUM3, ENUM4 };
-
-redef Remote::destinations += {
-	["broenum"] = [$host = 127.0.0.1, $events = /enumtest/, $connect=F, $ssl=F]
-};
-
-event enumtest(e: enumtype)
-	{
-	print fmt("Received enum val %d/%s", e, e);
-	}
diff --git a/aux/broccoli/test/broenum.c b/aux/broccoli/test/broenum.c
deleted file mode 100644
index a450dbfcb1..0000000000
--- a/aux/broccoli/test/broenum.c
+++ /dev/null
@@ -1,171 +0,0 @@
-/*
-       B R O C C O L I  --  The Bro Client Communications Library
-
-Copyright (C) 2004-2007 Christian Kreibich <christian (at) icir.org>
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to
-deal in the Software without restriction, including without limitation the
-rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-sell copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies of the Software and its documentation and acknowledgment shall be
-given in the documentation and software packages that this Software was
-used.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
-THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-*/
-#include <sys/types.h>
-#include <sys/time.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <time.h>
-#include <errno.h>
-
-#include <broccoli.h>
-
-#ifdef HAVE_CONFIG_H
-#include <config.h>
-#endif
-
-char *host_default = "127.0.0.1";
-char *port_default = "47758";
-char *host_str;
-char *port_str;
-
-char *type = "enumtest::enumtype";
-
-static void
-usage(void)
-{
-  printf("broenum - sends enum vals to a Bro node, printing the corresponding\n"
-	 "string value on the Bro side.\n"
-	 "USAGE: broping [-h|-?] [-d] [-p port] [-t type] [-n num] host\n");
-  exit(0);
-}
-
-int
-main(int argc, char **argv)
-{
-  int opt, port, debugging = 0;
-  BroConn *bc;
-  BroEvent *ev;
-  extern char *optarg;
-  extern int optind;
-  char hostname[512];
-  int enumval;
-
-  bro_init(NULL);
-
-  host_str = host_default;
-  port_str = port_default;
-
-  bro_debug_calltrace = 0;
-  bro_debug_messages  = 0;
-
-  while ( (opt = getopt(argc, argv, "t:n:p:dh?")) != -1)
-    {
-      switch (opt)
-	{
-	case 'd':
-	  debugging++;
-
-	  if (debugging == 1)
-	    bro_debug_messages = 1;
-	  
-	  if (debugging > 1)
-	    bro_debug_calltrace = 1;
-	  break;
-
-	case 'h':
-	case '?':
-	  usage();
-
-	case 't':
-	  type = optarg;
-	  break;
-
-	case 'n':
-	  enumval = strtol(optarg, NULL, 0);
-	  if (errno == ERANGE)
-	    {
-	      printf("Please provide an integer to -n.\n");
-	      exit(-1);
-	    }
-	  break;
-	  
-	case 'p':
-	  port_str = optarg;
-	  break;
-
-	default:
-	  usage();
-	}
-    }
-
-  argc -= optind;
-  argv += optind;
-
-  if (argc > 0)
-    host_str = argv[0];
-
-  port = strtol(port_str, NULL, 0);
-  if (errno == ERANGE)
-    {
-      printf("Please provide a port number with -p.\n");
-      exit(-1);
-    }
-
-  if (!type)
-    usage();
-
-  printf("Sending enum val %i to remote peer.\n", enumval);
-
-  snprintf(hostname, 512, "%s:%s", host_str, port_str);
-  
-  /* Connect to Bro */
-  if (! (bc = bro_conn_new_str(hostname, BRO_CFLAG_NONE)))
-    {
-      printf("Could not get Bro connection handle.\n");
-      exit(-1);
-    }
-  
-  if (! bro_conn_connect(bc))
-    {
-      printf("Could not connect to Bro at %s:%s.\n", host_str, port_str);
-      exit(-1);
-    }
-    
-  /* Create empty "ping" event */
-  if (! (ev = bro_event_new("enumtest")))
-    {
-      printf("Couldn't create event structure.\n");
-      exit(-1);
-    }
-
-  /* We send the given number as an instance of an enum type defined
-   * in the remote Bro's policy:
-   */
-  bro_event_add_val(ev, BRO_TYPE_ENUM, type, &enumval);
-	      
-  /* Ship it -- sends it if possible, queues it otherwise */
-  bro_event_send(bc, ev);
-  bro_event_free(ev);
-  
-  /* Make sure we sent the thing. */
-  while (bro_event_queue_length(bc) > 0)
-    bro_event_queue_flush(bc);
-
-  /* Disconnect from Bro and release state. */
-  bro_conn_delete(bc);
-  
-  return 0;
-}
diff --git a/aux/broccoli/test/brohose.bro b/aux/broccoli/test/brohose.bro
deleted file mode 100644
index a2081bb70c..0000000000
--- a/aux/broccoli/test/brohose.bro
+++ /dev/null
@@ -1,30 +0,0 @@
-# Depending on whether you want to use encryption or not,
-# include "listen-clear" or "listen-ssl":
-#
-# @load listen-ssl
-@load listen-clear
-
-global brohose_log = open_log_file("brohose");
-
-# Let's make sure we use the same port no matter whether we use encryption or not:
-#
-@ifdef (listen_port_clear)
-redef listen_port_clear    = 47758/tcp;
-@endif
-
-# If we're using encrypted communication, redef the SSL port and hook in
-# the necessary certificates:
-#
-@ifdef (listen_port_ssl)
-redef listen_port_ssl      = 47758/tcp;
-redef ssl_ca_certificate   = "<path>/ca_cert.pem";
-redef ssl_private_key      = "<path>/bro.pem";
-@endif
-
-redef Remote::destinations += {
-	["brohose"] = [$host = 127.0.0.1, $events = /brohose/, $connect=F, $ssl=F]
-};
-
-event brohose(id: string) {
-	print brohose_log, fmt("%s %s", id, current_time());
-}
diff --git a/aux/broccoli/test/brohose.c b/aux/broccoli/test/brohose.c
deleted file mode 100644
index b1c79adedb..0000000000
--- a/aux/broccoli/test/brohose.c
+++ /dev/null
@@ -1,236 +0,0 @@
-/*
-       B R O C C O L I  --  The Bro Client Communications Library
-
-Copyright (C) 2004-2007 Christian Kreibich <christian (at) icir.org>
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to
-deal in the Software without restriction, including without limitation the
-rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-sell copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies of the Software and its documentation and acknowledgment shall be
-given in the documentation and software packages that this Software was
-used.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
-THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-*/
-#include <sys/types.h>
-#include <sys/time.h>
-#include <sys/wait.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <time.h>
-#include <errno.h>
-#include <unistd.h>
-
-#include <broccoli.h>
-
-#ifdef HAVE_CONFIG_H
-#include <config.h>
-#endif
-
-char *host_default = "127.0.0.1";
-char *port_default = "47758";
-char *host_str;
-char *port_str;
-
-int num_procs  = 10;
-int num_events = 1000;
-int seq;
-
-static void
-usage(void)
-{
-  printf("brohose - sends events to a Bro node from multiple processes in parallel.\n"
-	 "USAGE: brohose [-h|-?] [-n <# processes>] [-e <# events>] [-p port] host\n"
-	 "  -h|?                 this message\n"
-	 "  -n  <# processes>    number of processes to use (10)\n"
-	 "  -e  <# events>       number of events per process (1000)\n"
-	 "  -p <port>            port to contact\n"
-	 "  host                 host to contanct\n\n");
-  exit(0);
-}
-
-static void
-hose_away(BroConn *bc)
-{
-  BroEvent *ev;
-  BroString str;
-  int i;
-  pid_t pid = getpid();
-  char msg[1024];
-
-  printf("++ child %u\n", pid);
-  
-  for (i = 0; i < num_events; i++)
-    {
-      /* Create empty "ping" event */
-      if (! (ev = bro_event_new("brohose")))
-	{
-	  printf("**** EEEEK\n");
-	  bro_conn_delete(bc);
-	  return;
-	}
-
-      snprintf(msg, 1024, "%u-%i-%i", pid, i, bro_event_queue_length(bc));
-      bro_string_set(&str, msg);
-      bro_event_add_val(ev, BRO_TYPE_STRING, NULL, &str);
-      
-      /* Ship it -- sends it if possible, queues it otherwise */
-      bro_event_send(bc, ev);
-
-      bro_event_free(ev);
-      bro_string_cleanup(&str);
-      
-      if (bro_event_queue_length(bc) > bro_event_queue_length_max(bc) / 2)
-	{
-	  while (bro_event_queue_length(bc) > 0)
-	    bro_event_queue_flush(bc);
-	}
-    }
-
-  while (bro_event_queue_length(bc) > 0)
-    bro_event_queue_flush(bc);
-
-  printf("-- child %u, %i queued\n", pid, bro_event_queue_length(bc));
-  bro_conn_delete(bc);
-}
-
-
-int
-main(int argc, char **argv)
-{
-  int i, opt, port, debugging = 0;
-  BroConn *bc;
-  extern char *optarg;
-  extern int optind;
-  char hostname[512];
-  
-  bro_init(NULL);
-
-  host_str = host_default;
-  port_str = port_default;
-
-  bro_debug_calltrace = 0;
-  bro_debug_messages  = 0;
-
-  while ( (opt = getopt(argc, argv, "n:e:p:dh?")) != -1)
-    {
-      switch (opt)
-	{
-	case 'd':
-	  debugging++;
-
-	  if (debugging == 1)
-	    bro_debug_messages = 1;
-	  
-	  if (debugging > 1)
-	    bro_debug_calltrace = 1;
-	  break;
-	  
-	case 'h':
-	case '?':
-	  usage();
-	  
-	case 'n':
-	  num_procs = strtol(optarg, NULL, 0);
-	  if (errno == ERANGE || num_procs < 1 || num_procs > 100)
-	    {
-	      printf("Please restrict the number of processes to 1-100.\n");
-	      exit(-1);
-	    }
-	  break;
-	  
-	case 'e':
-	  num_events = strtol(optarg, NULL, 0);
-	  if (errno == ERANGE || num_events < 1 || num_events > 10000)
-	    {
-	      printf("Please restrict the number of events to 1-10,000..\n");
-	      exit(-1);
-	    }
-	  break;
-	  
-	case 'p':
-	  port_str = optarg;
-	  break;
-	  
-	default:
-	  usage();
-	}
-    }
-  
-  argc -= optind;
-  argv += optind;
-
-  if (argc > 0)
-    host_str = argv[0];
-
-  port = strtol(port_str, NULL, 0);
-  if (errno == ERANGE)
-    {
-      printf("Please provide a port number with -p.\n");
-      exit(-1);
-    }
-
-  snprintf(hostname, 512, "%s:%s", host_str, port_str);
-
-  printf("Will attempt to send %i events from %i processes, to %s\n",
-	 num_events, num_procs, hostname);
-  
-  /* Connect to Bro */
-  if (! (bc = bro_conn_new_str(hostname, BRO_CFLAG_SHAREABLE)))
-    {
-      printf("Couldn't get Bro connection handle.\n");
-      exit(-1);
-    }
-
-  if (! bro_conn_connect(bc))
-    {
-      printf("Could not connect to Bro at %s:%s.\n", host_str, port_str);
-      exit(-1);
-    }
-
-  for (i = 0; i < num_procs; i++)
-    {
-      int pid = fork();
-      
-      if (pid < 0)
-	{
-	  printf("Couldn't fork children, aborting.\n");
-	  exit(-1);
-	}
-      
-      if (pid == 0)
-	{
-	  hose_away(bc);
-	  exit(0);
-	}
-    }
-
-  while (i > 0)
-    {
-      int status;
-
-      wait(&status);
-      i--;
-    }
-
-  
-  /* Disconnect from Bro -- this will keep the copies in the children
-   * working but reduce the reference count of the underlying socket so
-   * that eventually it is really closed.
-   */
-  bro_conn_delete(bc);
-  printf("Exiting ...\n");
-
-  return 0;
-}
diff --git a/aux/broccoli/test/broping-record.bro b/aux/broccoli/test/broping-record.bro
deleted file mode 100644
index 3a4370fa1e..0000000000
--- a/aux/broccoli/test/broping-record.bro
+++ /dev/null
@@ -1,59 +0,0 @@
-# Depending on whether you want to use encryption or not,
-# include "listen-clear" or "listen-ssl":
-#
-# @load listen-ssl
-@load listen-clear
-
-global ping_log = open_log_file("ping");
-
-# Let's make sure we use the same port no matter whether we use encryption or not:
-#
-@ifdef (listen_port_clear)
-redef listen_port_clear    = 47758/tcp;
-@endif
-
-# If we're using encrypted communication, redef the SSL port and hook in
-# the necessary certificates:
-#
-@ifdef (listen_port_ssl)
-redef listen_port_ssl      = 47758/tcp;
-redef ssl_ca_certificate   = "<path>/ca_cert.pem";
-redef ssl_private_key      = "<path>/bro.pem";
-@endif
-
-redef Remote::destinations += {
-	["broping"] = [$host = 127.0.0.1, $events = /ping/, $connect=F, $ssl=F]
-};
-
-type ping_data: record {
-	seq: count;
-	src_time: time;
-};
-
-type pong_data: record {
-	seq: count;
-	src_time: time;
-	dst_time: time;
-};
-
-# global pdata: pong_data;
-
-global ping: event(data: ping_data);
-global pong: event(data: pong_data);
-
-event ping(data: ping_data)
-        {
-	local pdata: pong_data;
-	
-	pdata$seq      = data$seq;
-	pdata$src_time = data$src_time;
-	pdata$dst_time = current_time();
-
-        event pong(pdata);
-        }
-
-event pong(data: pong_data)
-        {
-        print ping_log, fmt("ping received, seq %d, %f at src, %f at dest, one-way: %f",
-                            data$seq, data$src_time, data$dst_time, data$dst_time - data$src_time);
-        }
diff --git a/aux/broccoli/test/broping.bro b/aux/broccoli/test/broping.bro
deleted file mode 100644
index 86e7f2d52e..0000000000
--- a/aux/broccoli/test/broping.bro
+++ /dev/null
@@ -1,40 +0,0 @@
-# Depending on whether you want to use encryption or not,
-# include "listen-clear" or "listen-ssl":
-#
-# @load listen-ssl
-@load listen-clear
-
-global ping_log = open_log_file("ping");
-
-# Let's make sure we use the same port no matter whether we use encryption or not:
-#
-@ifdef (listen_port_clear)
-redef listen_port_clear    = 47758/tcp;
-@endif
-
-# If we're using encrypted communication, redef the SSL port and hook in
-# the necessary certificates:
-#
-@ifdef (listen_port_ssl)
-redef listen_port_ssl      = 47758/tcp;
-redef ssl_ca_certificate   = "<path>/ca_cert.pem";
-redef ssl_private_key      = "<path>/bro.pem";
-@endif
-
-global ping: event(src_time: time, seq: count);
-global pong: event(src_time: time, dst_time: time, seq: count);
-
-redef Remote::destinations += {
-	["broping"] = [$host = 127.0.0.1, $events = /ping/, $connect=F, $ssl=F]
-};
-
-event ping(src_time: time, seq: count)
-        {
-        event pong(src_time, current_time(), seq);
-        }
-
-event pong(src_time: time, dst_time: time, seq: count)
-        {
-        print ping_log, fmt("ping received, seq %d, %f at src, %f at dest, one-way: %f",
-                            seq, src_time, dst_time, dst_time-src_time);
-        }
diff --git a/aux/broccoli/test/broping.c b/aux/broccoli/test/broping.c
deleted file mode 100644
index c3ccf4d57e..0000000000
--- a/aux/broccoli/test/broping.c
+++ /dev/null
@@ -1,456 +0,0 @@
-/*
-       B R O C C O L I  --  The Bro Client Communications Library
-
-Copyright (C) 2004-2007 Christian Kreibich <christian (at) icir.org>
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to
-deal in the Software without restriction, including without limitation the
-rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-sell copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies of the Software and its documentation and acknowledgment shall be
-given in the documentation and software packages that this Software was
-used.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
-THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-*/
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <sys/wait.h>
-#include <sys/time.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <time.h>
-#include <errno.h>
-#include <string.h>
-
-#include <broccoli.h>
-
-#ifdef HAVE_CONFIG_H
-#include <config.h>
-#endif
-
-char *host_default = "127.0.0.1";
-char *port_default = "47758";
-char *host_str;
-char *port_str;
-
-int count = -1;
-int seq;
-
-static void
-usage(void)
-{
-  printf("broping - sends ping events to a Bro agent, expecting pong events.\n"
-	 "USAGE: broping [-h|-?] [-d] [-l] [-r] [-c num] [-p port] host\n"
-	 "   -h|-?       This message.\n"
-	 "   -d          Enable debugging (only useful if configured with --enable-debug).\n"
-	 "   -r          Use record types to transfer data.\n"
-	 "   -C          Use compact callback argument passing.\n"
-	 "   -c <num>    Number of events to send.\n"
-	 "   -p <port>   Port on <host> to contact.\n");
-
-  exit(0);
-}
-
-
-static void
-bro_pong(BroConn *conn, void *data, double *src_time, double *dst_time, uint32 *seq)
-{
-  double now = bro_util_current_time();
-
-  printf("pong event from %s: seq=%i, time=%f/%f s\n",
-	 host_str, *seq, *dst_time - *src_time,
-	 now - *src_time);
-
-  conn = NULL;
-  data = NULL;
-}
-
-static void
-bro_pong_record(BroConn *conn, void *data, BroRecord *rec)
-{
-  double now = bro_util_current_time();
-  double *src_time, *dst_time;
-  uint32 *seq;
-  int type = BRO_TYPE_COUNT;
-
-  if (! (seq = bro_record_get_nth_val(rec, 0, &type)))
-    {
-      printf("Error getting sequence count from event, got type %i\n", type);
-      return;
-    }
-
-  type = BRO_TYPE_TIME;
-
-  if (! (src_time = bro_record_get_nth_val(rec, 1, &type)))
-    {
-      printf("Error getting src time from event, got type %i.\n", type);
-      return;
-    }
-
-  type = BRO_TYPE_TIME;
-  
-  if (! (dst_time = bro_record_get_nth_val(rec, 2, &type)))
-    {
-      printf("Error getting dst time from event, got type %i\n", type);
-      return;
-    }
-
-  printf("pong event from %s: seq=%i, time=%f/%f s\n",
-	 host_str, *seq, *dst_time - *src_time,
-	 now - *src_time);
-  
-  conn = NULL;
-  data = NULL;
-}
-
-static void
-bro_pong_compact(BroConn *conn, void *data, BroEvMeta *meta)
-{
-  double *src_time;
-  double *dst_time;
-  uint32 *seq;
-  
-  /* Sanity-check arguments: */
-
-  if (strcmp(meta->ev_name, "pong") != 0)
-    {
-      printf("Event should be 'pong', is '%s', error.\n",
-	     meta->ev_name);
-      return;
-    }
-
-  if (meta->ev_numargs != 3)
-    {
-      printf("Pong event should have 3 arguments, has %d, error.\n",
-	     meta->ev_numargs);
-      return;
-    }
-
-  if (meta->ev_args[0].arg_type != BRO_TYPE_TIME)
-    {
-      printf("Type of first argument should be %i, is %i, error.\n",
-	     BRO_TYPE_TIME, meta->ev_args[0].arg_type);
-      return;
-    }
-
-  if (meta->ev_args[1].arg_type != BRO_TYPE_TIME)
-    {
-      printf("Type of second argument should be %i, is %i, error.\n",
-	     BRO_TYPE_TIME, meta->ev_args[1].arg_type);
-      return;
-    }
-
-  if (meta->ev_args[2].arg_type != BRO_TYPE_COUNT)
-    {
-      printf("Type of third argument should be %i, is %i, error.\n",
-	     BRO_TYPE_COUNT, meta->ev_args[2].arg_type);
-      return;
-    }
-
-  src_time = (double *) meta->ev_args[0].arg_data;
-  dst_time = (double *) meta->ev_args[1].arg_data;
-  seq = (uint32 *) meta->ev_args[2].arg_data;
-  
-  bro_pong(conn, data, src_time, dst_time, seq);
-}
-
-static void
-bro_pong_compact_record(BroConn *conn, void *data, BroEvMeta *meta)
-{
-  BroRecord *rec;
-
-  /* Sanity-check argument type: */
-
-  if (strcmp(meta->ev_name, "pong") != 0)
-    {
-      printf("Event should be 'pong', is '%s', error.\n",
-	     meta->ev_name);
-      return;
-    }
-
-  if (meta->ev_numargs != 1)
-    {
-      printf("Pong event should have 1 argument, has %d, error.\n",
-	     meta->ev_numargs);
-      return;
-    }
-
-  if (meta->ev_args[0].arg_type != BRO_TYPE_RECORD)
-    {
-      printf("Type of argument should be %i, is %i, error.\n",
-	     BRO_TYPE_RECORD, meta->ev_args[0].arg_type);
-      return;
-    }
-  
-  rec = (BroRecord *) meta->ev_args[0].arg_data;
-  
-  bro_pong_record(conn, data, rec);
-}
-
-BroConn*
-start_listen(int port)
-{
-  int fd = 0;
-  struct sockaddr_in server;
-  struct sockaddr_in client;
-  socklen_t len = sizeof(client);
-  fd_set fds;
-  const int turn_on = 1;
-  BroConn *bc = 0;
-
-  fd = socket(PF_INET, SOCK_STREAM, 0);
-  if ( fd < 0 )  
-	{
-	printf("can't create listen socket: %s\n", strerror(errno));
-	exit(-1);
-	}
-
-  // Set SO_REUSEADDR.
-  if ( setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &turn_on, sizeof(turn_on)) < 0 )
-	{
-	printf("can't set SO_REUSEADDR: %s\n", strerror(errno));
-	exit(-1);
-	}
-
-  bzero(&server, sizeof(server));
-  server.sin_family = AF_INET;
-  server.sin_port = htons(port);
-  server.sin_addr.s_addr = 0;
-
-  if ( bind(fd, (struct sockaddr*) &server, sizeof(server)) < 0 )
-	{
-	printf("can't bind to port %d: %s\n", port, strerror(errno));
-	exit(-1);
-	}
-
-  if ( listen(fd, 50) < 0 )
-	{
-	printf("can't listen: %s\n", strerror(errno));
-	exit(-1);
-	}
-
-   FD_ZERO(&fds);
-   FD_SET(fd, &fds);
-
-  if ( select(fd + 1, &fds, &fds, &fds, 0) < 0 )
-	{
-	printf("can't select: %s\n", strerror(errno));
-	exit(-1);
-	}
-	
-  fd = accept(fd, (struct sockaddr*) &client, &len);
-  if ( fd < 0 )
-	{
-	printf("can't accept: %s\n", strerror(errno));
-	exit(-1);
-	}
-
-  bc = bro_conn_new_socket(fd, BRO_CFLAG_ALWAYS_QUEUE);
-  if ( ! bc )
-	{
-	printf("can't create connection form fd\n");
-	exit(-1);
-	}
-
-  return bc;
-}
-
-int
-main(int argc, char **argv)
-{
-  int opt, port, use_record = 0, use_compact = 0, debugging = 0, listen = 0;
-  BroConn *bc;
-  extern char *optarg;
-  extern int optind;
-  char hostname[512];
-  int fd = -1;
-
-  bro_init(NULL);
-
-  host_str = host_default;
-  port_str = port_default;
-
-  bro_debug_calltrace = 0;
-  bro_debug_messages  = 0;
-
-  while ( (opt = getopt(argc, argv, "Cc:p:dh?lr")) != -1)
-    {
-      switch (opt)
-	{
-	case 'd':
-	  debugging++;
-
-	  if (debugging == 1)
-	    bro_debug_messages = 1;
-	  
-	  if (debugging > 1)
-	    bro_debug_calltrace = 1;
-	  break;
-	
-	case 'l':
-	  listen = 1;
-	  break;
-
-	case 'h':
-	case '?':
-	  usage();
-
-	case 'c':
-	  count = strtol(optarg, NULL, 0);
-	  if (errno == ERANGE || count < 1)
-	    {
-	      printf("Please provide an integer to -c.\n");
-	      exit(-1);
-	    }
-	  break;
-	  
-	case 'p':
-	  port_str = optarg;
-	  break;
-
-	case 'r':
-	  use_record = 1;
-	  break;
-
-	case 'C':
-	  use_compact = 1;
-	  break;
-
-	default:
-	  usage();
-	}
-    }
-
-  argc -= optind;
-  argv += optind;
-
-  if (argc > 0)
-    host_str = argv[0];
-
-  /*
-  if (! (host = gethostbyname(host_str)) ||
-      ! (host->h_addr_list[0]))
-    {
-      printf("Could not resolve host %s\n", host_str);
-      exit(-1);
-    }
-  */
-
-  port = strtol(port_str, NULL, 0);
-  if (errno == ERANGE)
-    {
-      printf("Please provide a port number with -p.\n");
-      exit(-1);
-    }
-
-  snprintf(hostname, 512, "%s:%s", host_str, port_str);
-
-
-  if ( listen )
-	bc  = start_listen(port);
-
-  /* Connect to Bro */
-  else if (! (bc = bro_conn_new_str(hostname, BRO_CFLAG_RECONNECT | BRO_CFLAG_ALWAYS_QUEUE)))
-    {
-      printf("Could not get Bro connection handle.\n");
-      exit(-1);
-    }
-  
-  /* Request "pong" events, and have bro_pong called when they
-   * arrive. The callback mechanism automatically figures out
-   * the number of arguments and invokes the callback accordingly.
-   * Use record-based callback if -r option was given, and compact
-   * argument passing if -C was provided.
-   */
-  if (use_compact)
-    {
-      if (use_record)
-	bro_event_registry_add_compact(bc, "pong", (BroCompactEventFunc)
-				       bro_pong_compact_record, NULL);
-      else
-	bro_event_registry_add_compact(bc, "pong", (BroCompactEventFunc)
-				       bro_pong_compact, NULL);
-    }
-  else
-    {
-      if (use_record)
-	bro_event_registry_add(bc, "pong", (BroEventFunc) bro_pong_record, NULL);
-      else
-	bro_event_registry_add(bc, "pong", (BroEventFunc) bro_pong, NULL);
-    }
-  
-  if (! bro_conn_connect(bc))
-    {
-      printf("Could not connect to Bro at %s:%s.\n", host_str, port_str);
-      exit(-1);
-    }
-  
-  /* Enter pinging loop */
-  for ( ; ; )
-    {
-      BroEvent *ev;
-      
-      bro_conn_process_input(bc);
-
-      if (count > 0 && seq == count)
-	break;
-      
-      /* Create empty "ping" event */
-      if ( (ev = bro_event_new("ping")))
-	{
-	  double timestamp = bro_util_current_time();
-
-	  if (use_record)
-	    {
-	      /* Create a record with the sequence number as first
-	       * element of type counter, and the second element the
-	       * current time:
-	       */
-	      BroRecord *rec = bro_record_new();
-	      
-	      bro_record_add_val(rec, "seq", BRO_TYPE_COUNT, NULL, &seq);
-	      bro_record_add_val(rec, "src_time", BRO_TYPE_TIME, NULL, &timestamp);
-	      
-	      bro_event_add_val(ev, BRO_TYPE_RECORD, NULL, rec);
-	      
-	      bro_record_free(rec);
-	    }
-	  else
-	    {
-	      /* Add a timestamp to it: */
-	      bro_event_add_val(ev, BRO_TYPE_TIME, NULL, &timestamp);
-	      
-	      /* Add the sequence counter: */
-	      bro_event_add_val(ev, BRO_TYPE_COUNT, NULL, &seq);
-	    }
-
-	  seq++;
-
-	  /* Ship it -- sends it if possible, queues it otherwise */
-	  bro_event_send(bc, ev);
-	  bro_event_free(ev);
-	}
-
-#ifdef __MINGW32__
-      sleep(1000);
-#else
-      sleep(1);
-#endif
-    }
-
-  /* Disconnect from Bro and release state. */
-  bro_conn_delete(bc);
-
-  return 0;
-}
diff --git a/aux/broccoli/test/brotable.c b/aux/broccoli/test/brotable.c
deleted file mode 100644
index 4249472477..0000000000
--- a/aux/broccoli/test/brotable.c
+++ /dev/null
@@ -1,328 +0,0 @@
-/*
-       B R O C C O L I  --  The Bro Client Communications Library
-
-Copyright (C) 2004-2007 Christian Kreibich <christian (at) icir.org>
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to
-deal in the Software without restriction, including without limitation the
-rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-sell copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies of the Software and its documentation and acknowledgment shall be
-given in the documentation and software packages that this Software was
-used.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
-THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-*/
-#include <sys/types.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <time.h>
-#include <errno.h>
-#include <string.h>
-
-#include <broccoli.h>
-
-#ifdef HAVE_CONFIG_H
-#include <config.h>
-#endif
-
-void
-print_val(void *val, int type)
-{
-  char br_open = '[';
-  char br_close = ']';
-
-  if (! val)
-    {
-      printf("NULL");
-      return;
-    }
-
-  switch (type) {
-  case BRO_TYPE_BOOL:
-    printf("%s", *((int*) val) == 0 ? "false" : "true");
-    break;
-
-  case BRO_TYPE_INT:
-    printf("%i", *((int*) val));
-    break;
-
-  case BRO_TYPE_DOUBLE:
-    printf("%f", *((double*) val));
-    break;
-
-  case BRO_TYPE_STRING:
-    printf("'%s'", bro_string_get_data((BroString*) val));
-    break;
-
-  case BRO_TYPE_LIST:
-    /* This means that we're dealing with a composite indexing type.
-     * Except for this differing type code, treatment is exactly as
-     * with a record:
-     */
-    br_open = '{';
-    br_close = '}';
-    
-    /* Fall through */
-    
-  case BRO_TYPE_RECORD:
-    {
-      void *item;
-      int i, type;
-      BroRecord *rec = (BroRecord*) val;
-      
-      printf("%c", br_open);
-      
-      for (i = 0; i < bro_record_get_length(rec); i++)
-	{
-	  /* We don't want to enforce typechecking of the
-	   * queried value, so we use BRO_TYPE_UNKNOWN.
-	   */
-	  type = BRO_TYPE_UNKNOWN;
-	  item = bro_record_get_nth_val(rec, i, &type);
-	  print_val(item, type);
-	  
-	  if (i + 1 < bro_record_get_length(rec))
-	    printf(", ");
-	}      
-      
-      printf("%c", br_close);
-    }
-    break;
-        
-  default:    
-    printf("<unimplemented %d>", type);
-  }
-}
-
-int
-table_it_cb(void *key, void *val, BroTable *table)
-{
-  int key_type, val_type;
-
-  bro_table_get_types(table, &key_type, &val_type);
-  
-  print_val(key, key_type);
-  printf(" -> ");
-  print_val(val, val_type);
-  printf("\n");
-
-  return TRUE;
-}
-
-int
-main(int argc, char **argv)
-{
-  int opt, debugging = 0;
-
-  /* A few tables with different atomic indexing/yield types: */
-  BroTable *int_to_str;
-  BroTable *str_to_double;
-  
-  /* A table with a composite indexing type: */
-  BroTable *int_str_double_to_int;
-
-  /* Placeholders for the stuff we insert/retrieve: */
-  BroString str, *str_ptr;
-  BroRecord *rec;
-  int i, i2, *i_ptr;
-  double d, *d_ptr;
-  
-  while ( (opt = getopt(argc, argv, "c:p:dh?r")) != -1)
-    {
-      switch (opt)
-	{
-	case 'd':
-	  debugging++;
-	  
-	  if (debugging == 1)
-	    bro_debug_messages = 1;
-	  
-	  if (debugging > 1)
-	    bro_debug_calltrace = 1;
-	  break;
-	  
-	default:
-	  break;
-	}
-    }
-
-  /* ---- Mandatory initialization ------------------------------------- */
-  bro_init(NULL);
-
-  /* ---- int -> string ------------------------------------------------ */
-
-  printf("int_to_str table dump:\n");
-  printf("----------------------\n");
-
-  int_to_str = bro_table_new();
-
-  i = 10;
-  bro_string_set(&str, "foo");  
-  bro_table_insert(int_to_str, BRO_TYPE_INT, &i, BRO_TYPE_STRING, &str);
-  bro_string_cleanup(&str);
-
-  i = 20;
-  bro_string_set(&str, "bar");  
-  bro_table_insert(int_to_str, BRO_TYPE_INT, &i, BRO_TYPE_STRING, &str);
-  bro_string_cleanup(&str);
-
-  i = 30;
-  bro_string_set(&str, "baz");  
-  bro_table_insert(int_to_str, BRO_TYPE_INT, &i, BRO_TYPE_STRING, &str);
-  bro_string_cleanup(&str);
-
-  bro_table_foreach(int_to_str, (BroTableCallback) table_it_cb, int_to_str);
-  
-  printf("\ntest lookup: ");
-  i = 20;
-  str_ptr = (BroString*) bro_table_find(int_to_str, &i);
-  
-  print_val(&i, BRO_TYPE_INT);
-  printf(" -> ");
-  print_val(str_ptr, BRO_TYPE_STRING);
-  printf("\n\n");
-
-  bro_table_free(int_to_str);
-
-
-  /* ---- string -> double --------------------------------------------- */
-  
-  printf("str_to_double table dump:\n");
-  printf("-------------------------\n");
-
-  str_to_double = bro_table_new();
-
-  d = 1.1;
-  bro_string_set(&str, "foo");  
-  bro_table_insert(str_to_double, BRO_TYPE_STRING, &str, BRO_TYPE_DOUBLE, &d);
-  bro_string_cleanup(&str);
-
-  d = 2.2;
-  bro_string_set(&str, "bar");  
-  bro_table_insert(str_to_double, BRO_TYPE_STRING, &str, BRO_TYPE_DOUBLE, &d);
-  bro_string_cleanup(&str);
-  
-  d = 3.3;
-  bro_string_set(&str, "baz");  
-  bro_table_insert(str_to_double, BRO_TYPE_STRING, &str, BRO_TYPE_DOUBLE, &d);
-  bro_string_cleanup(&str);
-  
-  bro_table_foreach(str_to_double, (BroTableCallback) table_it_cb, str_to_double);
-  
-  printf("\ntest lookup: ");
-  bro_string_set(&str, "bar");  
-  d_ptr = (double*) bro_table_find(str_to_double, &str);
-  
-  print_val(&str, BRO_TYPE_STRING);
-  printf(" -> ");
-  print_val(d_ptr, BRO_TYPE_DOUBLE);
-  printf("\n\n");
-  
-  bro_string_cleanup(&str);
-  
-  bro_table_free(str_to_double);
-
-
-  /* ---- {int, string, double} -> int --------------------------------- */
-  
-  printf("int_str_double_to_int table dump:\n");
-  printf("---------------------------------\n");
-
-  int_str_double_to_int = bro_table_new();
-
-  /* -- first element -- */
-
-  i = 1;
-  d = 1.1;
-  bro_string_set(&str, "foo");  
-  i2 = 10;
-
-  /* You may pass NULL as the field name, but then of course looking
-   * up elements by field name will not work in case you need it.
-   */
-  rec = bro_record_new();
-  bro_record_add_val(rec, NULL, BRO_TYPE_INT, NULL, &i);
-  bro_record_add_val(rec, NULL, BRO_TYPE_STRING, NULL, &str);
-  bro_record_add_val(rec, NULL, BRO_TYPE_DOUBLE, NULL, &d);
-  bro_table_insert(int_str_double_to_int, BRO_TYPE_LIST, rec, BRO_TYPE_INT, &i2);
-
-  bro_string_cleanup(&str);
-  bro_record_free(rec);
-
-  /* -- second element -- */
-
-  i = 2;
-  d = 2.2;
-  bro_string_set(&str, "bar");  
-  i2 = 20;
-
-  /* You may pass NULL as the field name, but then of course looking
-   * up elements by field name will not work in case you need it.
-   */
-  rec = bro_record_new();
-  bro_record_add_val(rec, NULL, BRO_TYPE_INT, NULL, &i);
-  bro_record_add_val(rec, NULL, BRO_TYPE_STRING, NULL, &str);
-  bro_record_add_val(rec, NULL, BRO_TYPE_DOUBLE, NULL, &d);
-  bro_table_insert(int_str_double_to_int, BRO_TYPE_LIST, rec, BRO_TYPE_INT, &i2);
-
-  bro_string_cleanup(&str);
-  bro_record_free(rec);
-
-  /* -- third element -- */
-
-  i = 3;
-  d = 3.3;
-  bro_string_set(&str, "baz");  
-  i2 = 30;
-
-  /* You may pass NULL as the field name, but then of course looking
-   * up elements by field name will not work in case you need it.
-   */
-  rec = bro_record_new();
-  bro_record_add_val(rec, NULL, BRO_TYPE_INT, NULL, &i);
-  bro_record_add_val(rec, NULL, BRO_TYPE_STRING, NULL, &str);
-  bro_record_add_val(rec, NULL, BRO_TYPE_DOUBLE, NULL, &d);
-  bro_table_insert(int_str_double_to_int, BRO_TYPE_LIST, rec, BRO_TYPE_INT, &i2);
-
-  bro_string_cleanup(&str);
-  bro_record_free(rec);
-  
-  bro_table_foreach(int_str_double_to_int, (BroTableCallback) table_it_cb, int_str_double_to_int);
-
-  printf("\ntest lookup: ");
-
-  i = 2;
-  d = 2.2;
-  bro_string_set(&str, "bar");  
-
-  rec = bro_record_new();
-  bro_record_add_val(rec, NULL, BRO_TYPE_INT, NULL, &i);
-  bro_record_add_val(rec, NULL, BRO_TYPE_STRING, NULL, &str);
-  bro_record_add_val(rec, NULL, BRO_TYPE_DOUBLE, NULL, &d);
-  
-  i_ptr = (int*) bro_table_find(int_str_double_to_int, rec);
-  
-  print_val(rec, BRO_TYPE_LIST);
-  printf(" -> ");
-  print_val(i_ptr, BRO_TYPE_INT);
-  printf("\n\n");
-  
-  bro_string_cleanup(&str);
-  bro_record_free(rec);
-  
-  bro_table_free(int_str_double_to_int);
-
-  return 0;
-}
diff --git a/aux/broccoli/test/dummysensor.c b/aux/broccoli/test/dummysensor.c
deleted file mode 100644
index aff40e8006..0000000000
--- a/aux/broccoli/test/dummysensor.c
+++ /dev/null
@@ -1,91 +0,0 @@
-#include <sys/types.h>
-#include <sys/time.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <time.h>
-#include <errno.h>
-
-#include <broccoli.h>
-
-#ifdef HAVE_CONFIG_H
-#include <config.h>
-#endif
-
-char *ip_default   = "127.0.0.1";
-char *port_default = "47756";
-
-int
-main(int argc, char **argv)
-{
-  char *ip_str = ip_default;
-  char *port_str = port_default;
-  int port;
-  struct in_addr ipaddr;
-  BroConn *bc;
-  BroEvent *ev;
-  int i;
-
-  if (argc >= 2)
-    ip_str = argv[1];
-  if (argc >= 3)
-    port_str = argv[2];
-    
-  if (inet_pton(AF_INET, ip_str, &ipaddr) <= 0)
-    {
-      printf("Please provide an IP address to contact as first argument.\n");
-      exit(-1);
-    }
-
-  port = strtol(port_str, NULL, 0);
-  if (errno == ERANGE)
-    {
-      printf("Please provide a port number as second argument.\n");
-      exit(-1);
-    }
-
-  bro_init(NULL);
-
-  printf("Opening connection.\n");
-  if (! (bc = bro_connect_remote(0x0000, &ipaddr, port)))
-    {
-      printf("Couldn't connect.\n");
-      exit(-1);
-    }
-  
-  sleep(1);
-  bro_conn_process_input(bc);
-
-  sleep(5);
-  bro_conn_process_input(bc);
-
-  /*
-  if ( (ev = bro_event_new("bar")))
-    {
-      bro_event_add_string(ev, "hello world");
-
-      if (bro_event_send(bc, ev))
-	printf("Bro test event sent.\n");
-      else
-	printf("Bro test event queued.\n");
-    }
-
-  if ( (ev = bro_event_new("foo")))
-    {
-      bro_event_add_string(ev, "hello world");
-
-      if (bro_event_send(bc, ev))
-	printf("Bro test event sent.\n");
-      else
-	printf("Bro test event queued.\n");
-    }
-  */
-  sleep(2);
-
-  printf("Disconnecting.\n");
-  bro_disconnect(bc);
-
-  return 0;
-}
diff --git a/aux/broccoli/ylwrap b/aux/broccoli/ylwrap
deleted file mode 100755
index 102bd893f7..0000000000
--- a/aux/broccoli/ylwrap
+++ /dev/null
@@ -1,223 +0,0 @@
-#! /bin/sh
-# ylwrap - wrapper for lex/yacc invocations.
-
-scriptversion=2005-05-14.22
-
-# Copyright (C) 1996, 1997, 1998, 1999, 2001, 2002, 2003, 2004, 2005
-#   Free Software Foundation, Inc.
-#
-# Written by Tom Tromey <tromey@cygnus.com>.
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2, or (at your option)
-# any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
-# 02110-1301, USA.
-
-# As a special exception to the GNU General Public License, if you
-# distribute this file as part of a program that contains a
-# configuration script generated by Autoconf, you may include it under
-# the same distribution terms that you use for the rest of that program.
-
-# This file is maintained in Automake, please report
-# bugs to <bug-automake@gnu.org> or send patches to
-# <automake-patches@gnu.org>.
-
-case "$1" in
-  '')
-    echo "$0: No files given.  Try \`$0 --help' for more information." 1>&2
-    exit 1
-    ;;
-  --basedir)
-    basedir=$2
-    shift 2
-    ;;
-  -h|--h*)
-    cat <<\EOF
-Usage: ylwrap [--help|--version] INPUT [OUTPUT DESIRED]... -- PROGRAM [ARGS]...
-
-Wrapper for lex/yacc invocations, renaming files as desired.
-
-  INPUT is the input file
-  OUTPUT is one file PROG generates
-  DESIRED is the file we actually want instead of OUTPUT
-  PROGRAM is program to run
-  ARGS are passed to PROG
-
-Any number of OUTPUT,DESIRED pairs may be used.
-
-Report bugs to <bug-automake@gnu.org>.
-EOF
-    exit $?
-    ;;
-  -v|--v*)
-    echo "ylwrap $scriptversion"
-    exit $?
-    ;;
-esac
-
-
-# The input.
-input="$1"
-shift
-case "$input" in
-  [\\/]* | ?:[\\/]*)
-    # Absolute path; do nothing.
-    ;;
-  *)
-    # Relative path.  Make it absolute.
-    input="`pwd`/$input"
-    ;;
-esac
-
-pairlist=
-while test "$#" -ne 0; do
-  if test "$1" = "--"; then
-    shift
-    break
-  fi
-  pairlist="$pairlist $1"
-  shift
-done
-
-# The program to run.
-prog="$1"
-shift
-# Make any relative path in $prog absolute.
-case "$prog" in
-  [\\/]* | ?:[\\/]*) ;;
-  *[\\/]*) prog="`pwd`/$prog" ;;
-esac
-
-# FIXME: add hostname here for parallel makes that run commands on
-# other machines.  But that might take us over the 14-char limit.
-dirname=ylwrap$$
-trap "cd `pwd`; rm -rf $dirname > /dev/null 2>&1" 1 2 3 15
-mkdir $dirname || exit 1
-
-cd $dirname
-
-case $# in
-  0) $prog "$input" ;;
-  *) $prog "$@" "$input" ;;
-esac
-ret=$?
-
-if test $ret -eq 0; then
-  set X $pairlist
-  shift
-  first=yes
-  # Since DOS filename conventions don't allow two dots,
-  # the DOS version of Bison writes out y_tab.c instead of y.tab.c
-  # and y_tab.h instead of y.tab.h. Test to see if this is the case.
-  y_tab_nodot="no"
-  if test -f y_tab.c || test -f y_tab.h; then
-    y_tab_nodot="yes"
-  fi
-
-  # The directory holding the input.
-  input_dir=`echo "$input" | sed -e 's,\([\\/]\)[^\\/]*$,\1,'`
-  # Quote $INPUT_DIR so we can use it in a regexp.
-  # FIXME: really we should care about more than `.' and `\'.
-  input_rx=`echo "$input_dir" | sed 's,\\\\,\\\\\\\\,g;s,\\.,\\\\.,g'`
-
-  while test "$#" -ne 0; do
-    from="$1"
-    # Handle y_tab.c and y_tab.h output by DOS
-    if test $y_tab_nodot = "yes"; then
-      if test $from = "y.tab.c"; then
-    	from="y_tab.c"
-      else
-    	if test $from = "y.tab.h"; then
-    	  from="y_tab.h"
-    	fi
-      fi
-    fi
-    if test -f "$from"; then
-      # If $2 is an absolute path name, then just use that,
-      # otherwise prepend `../'.
-      case "$2" in
-    	[\\/]* | ?:[\\/]*) target="$2";;
-    	*) target="../$2";;
-      esac
-
-      # We do not want to overwrite a header file if it hasn't
-      # changed.  This avoid useless recompilations.  However the
-      # parser itself (the first file) should always be updated,
-      # because it is the destination of the .y.c rule in the
-      # Makefile.  Divert the output of all other files to a temporary
-      # file so we can compare them to existing versions.
-      if test $first = no; then
-	realtarget="$target"
-	target="tmp-`echo $target | sed s/.*[\\/]//g`"
-      fi
-      # Edit out `#line' or `#' directives.
-      #
-      # We don't want the resulting debug information to point at
-      # an absolute srcdir; it is better for it to just mention the
-      # .y file with no path.
-      #
-      # We want to use the real output file name, not yy.lex.c for
-      # instance.
-      #
-      # We want the include guards to be adjusted too.
-      FROM=`echo "$from" | sed \
-            -e 'y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/'\
-            -e 's/[^ABCDEFGHIJKLMNOPQRSTUVWXYZ]/_/g'`
-      TARGET=`echo "$2" | sed \
-            -e 'y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/'\
-            -e 's/[^ABCDEFGHIJKLMNOPQRSTUVWXYZ]/_/g'`
-
-      sed -e "/^#/!b" -e "s,$input_rx,," -e "s,$from,$2," \
-          -e "s,$FROM,$TARGET," "$from" >"$target" || ret=$?
-
-      # Check whether header files must be updated.
-      if test $first = no; then
-	if test -f "$realtarget" && cmp -s "$realtarget" "$target"; then
-	  echo "$2" is unchanged
-	  rm -f "$target"
-	else
-          echo updating "$2"
-          mv -f "$target" "$realtarget"
-        fi
-      fi
-    else
-      # A missing file is only an error for the first file.  This
-      # is a blatant hack to let us support using "yacc -d".  If -d
-      # is not specified, we don't want an error when the header
-      # file is "missing".
-      if test $first = yes; then
-        ret=1
-      fi
-    fi
-    shift
-    shift
-    first=no
-  done
-else
-  ret=$?
-fi
-
-# Remove the directory.
-cd ..
-rm -rf $dirname
-
-exit $ret
-
-# Local Variables:
-# mode: shell-script
-# sh-indentation: 2
-# eval: (add-hook 'write-file-hooks 'time-stamp)
-# time-stamp-start: "scriptversion="
-# time-stamp-format: "%:y-%02m-%02d.%02H"
-# time-stamp-end: "$"
-# End:
diff --git a/aux/broctl b/aux/broctl
new file mode 160000
index 0000000000..ad9528f679
--- /dev/null
+++ b/aux/broctl
@@ -0,0 +1 @@
+Subproject commit ad9528f6795f104db8ec2f1425fc0b69d77ab92d
diff --git a/aux/broctl/BroControl/__init__.py b/aux/broctl/BroControl/__init__.py
deleted file mode 100644
index 4f3d61a5d8..0000000000
--- a/aux/broctl/BroControl/__init__.py
+++ /dev/null
@@ -1,3 +0,0 @@
-# $Id: __init__.py 6811 2009-07-06 20:41:10Z robin $
-#
-# Intentionally empty.
diff --git a/aux/broctl/BroControl/config.py b/aux/broctl/BroControl/config.py
deleted file mode 100644
index 86b4bfd2e2..0000000000
--- a/aux/broctl/BroControl/config.py
+++ /dev/null
@@ -1,513 +0,0 @@
-#! /usr/bin/env python
-#
-# $Id: config.py 6948 2009-12-03 20:59:41Z robin $
-#
-# Functions to read and access the broctl configuration.
-
-import os
-import sys
-import socket
-import imp
-import re
-
-import ConfigParser
-
-import options
-import execute
-import util
-
-# One broctl node. 
-class Node:
-
-    # Valid tags in nodes file. The values will be stored 
-    # in attributes of the same name.
-    _tags = { "type": 1, "host": 1, "interface": 1, "aux_scripts": 1, "brobase": 1, "ether": 1 }
-
-    def __init__(self, tag):
-        self.tag = tag
-
-    def __str__(self):
-        def fmt(v):
-            if type(v) == type([]):
-                v = ",".join(v)
-            return v
-
-        return ("%15s - " % self.tag) + " ".join(["%s=%s" % (k, fmt(self.__dict__[k])) for k in sorted(self.__dict__.keys())])
-
-    # Returns the working directory for this node. 
-    def cwd(self):
-        return os.path.join(Config.spooldir, self.tag)
-
-    # Stores the nodes process ID. 
-    def setPID(self, pid):
-        Config._setState("%s-pid" % self.tag, str(pid))
-
-    # Returns the stored process ID.
-    def getPID(self):
-        t = "%s-pid" % self.tag
-        if t in Config.state:
-            return Config.state[t]
-        return None
-
-    # Unsets the stored process ID.
-    def clearPID(self):
-        Config._setState("%s-pid" % self.tag, "")
-
-    # Mark node as having terminated unexpectedly.
-    def setCrashed(self):
-        Config._setState("%s-crashed" % self.tag, "1")
-
-    # Unsets the flag for unexpected termination.
-    def clearCrashed(self):
-        Config._setState("%s-crashed" % self.tag, "0")
-
-    # Returns true if node has terminated unexpectedly.
-    def hasCrashed(self):
-        t = "%s-crashed" % self.tag
-        return t in Config.state and Config.state[t] == "1"
-
-    # Set the Bro port this node is using.
-    def setPort(self, port):
-        Config._setState("%s-port" % self.tag, str(port))
-
-    # Get the Bro port this node is using.
-    def getPort(self):
-        t = "%s-port" % self.tag
-        return t in Config.state and int(Config.state[t]) or -1
-
-# Class managing types of analysis. 
-class Analysis:
-    def __init__(self, cfgfile):
-
-        self.types = {}
-        cnt = 0
-
-        if not os.path.exists(cfgfile):
-            if Installing:
-                return
-
-            util.error("analysis configuration %s does not exist" % cfgfile)
-
-        for line in open(cfgfile):
-            cnt += 1
-            line = line.strip()
-            if not line or line.startswith("#"): 
-                continue
-
-            f = line.split()
-            if len(f) < 2:
-                util.warn("cannot parse line %d in %s" % (cnt, cfgfile))
-                continue
-
-            type = f[0]
-            mechanism = f[1]
-            descr = ""
-            if len(f) > 2:
-                descr = " ".join(f[2:])
-
-            self.types[type] = (mechanism, descr)
-
-    # Returns true if we know this kind of analysis.
-    def isValid(self, type):
-        return type in self.types
-
-    # Returns true if type is enabled.
-    # Default is yes if we haven't disabled it.
-    def isEnabled(self, type):
-        tag = "analysis-%s" % type
-        try:
-            return int(Config.state[tag]) != 0
-        except KeyError:
-            return True
-
-    # Enable/disable type.
-    def toggle(self, type, enable=True):
-        tag = "analysis-%s" % type
-        if enable:
-            try:
-                del Config.state[tag]
-            except KeyError:
-                pass
-        else:
-            Config.state[tag] = 0
-
-    # Returns tuples (type, status, mechanism, descr) of all known analysis types.
-    # 'type' is tag for analysis.
-    # 'status' is True if analysis is activated.
-    # 'mechanism' gives the method how to control the analysis within Bro (see etc/analysis.dat).
-    # 'descr' is textual dscription for the kind of analysis.
-    def all(self):
-        result = []
-        keys = self.types.keys()
-        keys.sort()
-        for type in keys:
-            (mechanism, descr) = self.types[type]
-            result += [(type, self.isEnabled(type), mechanism, descr)]
-        return result
-
-# Class storing the broctl configuration.
-#
-# This class provides access to four types of configuration/state:
-#
-# - the global broctl configuration from broctl.cfg
-# - the node configuration from nodes.cfg
-# - dynamic state variables which are kept across restarts in spool/broctl.dat
-# - types of analysis which can be toggled via the shell
-
-Config = None # Globally accessible instance of Configuration.
-Installing = False
-BroBase = None
-MakeDestDir = None
-
-class Configuration:    
-    def __init__(self, config, basedir, distdir, version, standalone):
-        global Config
-        global Installing
-
-        Config = self
-
-        if "BROCTL_INSTALL" in os.environ:
-            Installing = True
-            
-            global BroBase
-            BroBase = basedir
-            
-            if "MAKE_DESTDIR" in os.environ:
-                global MakeDestDir
-                MakeDestDir = os.environ["MAKE_DESTDIR"]
-
-        self.config = {}
-        self.state = {}
-
-        # Read broctl.cfg.
-        self.config = self._readConfig(os.path.join(basedir, config))
-
-        # Set defaults for options we get passed in.
-        self._setOption("brobase", basedir)
-        self._setOption("distdir", distdir)
-        self._setOption("version", version)
-        self._setOption("standalone", standalone and "1" or "0")
-		
-		# Initialize options.
-        for opt in options.options:
-            if not opt.dontinit:
-                self._setOption(opt.name.lower(), opt.default)
-		
-		# Set defaults for options we derive dynamically.
-		self._setOption("mailto", "%s" % os.getenv("USER"))
-		self._setOption("mailfrom", "Big Brother <bro@%s>" % socket.gethostname())
-		self._setOption("home", os.getenv("HOME"))
-		self._setOption("mailalarmsto", self.config["mailto"]) 
-		
-        # Determine operating system.
-        (success, output) = execute.captureCmd("uname")
-        if not success:
-            util.error("cannot run uname")
-        self._setOption("os", output[0].lower().strip())
-
-        # Find the time command (should be a GNU time for best results).
-        (success, output) = execute.captureCmd("which time")
-        self._setOption("time", output[0].lower().strip())
-		
-        # Read nodes.cfg and broctl.dat.
-        self._readNodes()
-        self.readState()
-
-        # Setup the kinds of analyses which we support.
-        self._analysis = Analysis(self.analysiscfg)
-
-        # Make sure cron flag is cleared.
-        self.config["cron"] = "0"
-
-    # Provides access to the configuration options via the dereference operator.
-    # Lookups the attribute in broctl.cfg first, then in the dynamic variables from broctl.dat.
-    # Defaults to empty string for unknown options.
-    def __getattr__(self, attr):
-        if attr in self.config:
-            return self.config[attr]
-        if attr in self.state:
-            return self.state[attr]
-        return ""
-
-    # Returns True if attribute is defined.
-    def hasAttr(self, attr):
-        if attr in self.config:
-            return True
-        if attr in self.state:
-            return True
-        return False
-
-    # Returns a list of all broctl.cfg entries.
-    # Includes dynamic variables if dynamic is true.
-    def options(self, dynamic=True):
-        if dynamic:
-            return self.config.items() + self.state.items()
-        else:
-            return self.config.items()
-
-    # Returns a list of Nodes. 
-    # - If tag is "global" or "all", all Nodes are returned if "expand_all" is true.
-    #     If "expand_all" is false, returns an empty list in this case.
-    # - If tag is "proxies" or "proxy", all proxy Nodes are returned.
-    # - If tag is "workers" or "worker", all worker Nodes are returned.
-    # - If tag is "manager", the manager Node is returned.
-    def nodes(self, tag=None, expand_all=True):
-        nodes = []
-        type = None
-
-        if tag == "cluster" or tag == "all":
-            if not expand_all:
-                return []
-
-            tag = None
-
-        if tag == "proxies":
-            tag = "proxy"
-
-        if tag == "workers":
-            tag = "worker"
-
-        if ("scripts-%s" % tag) in self.config:
-            type = tag
-
-        for n in self.nodelist.values():
-
-            if type:
-                if type == n.type:
-                    nodes += [n]
-
-            elif tag == n.tag or not tag:
-                nodes += [n]
-
-        nodes.sort(key=lambda n: (n.type, n.tag))
-
-        if not nodes and tag == "manager":
-            nodes = self.nodes("standalone")
-
-        return nodes
-
-    # Returns the manager Node.
-    def manager(self):
-        n = self.nodes("manager")
-        if n:
-            return n[0]
-        n = self.nodes("standalone")
-        if n:
-            return n[0]
-        return None
-
-    # Returns a list of nodes which is a subset of the result a similar call to
-    # nodes() would yield but within which each host appears only once.
-    def hosts(self, tag = None):
-        hosts = {}
-        for node in self.nodes(tag):
-            if not node.host in hosts:
-                hosts[node.host] = node
-
-        return hosts.values()
-
-    # Replace all occurences of "${option}", with option being either
-    # broctl.cfg option or a dynamic variable, with the corresponding value. 
-    # Defaults to replacement with the empty string for unknown options.
-    def subst(self, str, make_dest=True):
-        while True:
-            m = re.search(r"(\$\{([A-Za-z]+)(:([^}]+))?\})", str)
-            if not m:
-                
-                # This is a hack to support make's DESTDIR: if the env variable
-                # MAKE_DESTDIR is set, and the string we return starts with  our
-                # installation prefix, we prepend the var's content. This it not
-                # totally perfect but should do the trick.
-                if Installing and MakeDestDir and MakeDestDir != "":
-                    
-                    if make_dest and str.startswith(BroBase):
-                        str = MakeDestDir + str
-
-                    if not make_dest:
-                        str = str.replace(MakeDestDir, "")
-                    
-                return str
-
-            key = m.group(2).lower()
-            if self.hasAttr(key):
-                value = self.__getattr__(key)
-            else:
-                value = m.group(4)
-
-            if not value:
-                value = ""
-
-            str = str[0:m.start(1)] + value + str[m.end(1):]
-
-    # Returns instance of class Analysis. 
-    def analysis(self):
-        return self._analysis
-
-    # Parse nodes.cfg.
-    def _readNodes(self):
-        self.nodelist = {}
-        config = ConfigParser.SafeConfigParser()
-        if not config.read(self.nodecfg) and not Installing:
-            util.error("cannot read '%s'" % self.nodecfg)
-
-        manager = False
-        proxy = False
-        standalone = False
-
-        file = self.nodecfg
-
-        counts = {}
-        for sec in config.sections():
-
-            node = Node(sec)
-            self.nodelist[sec] = node
-
-            for (key, val) in config.items(sec):
-                if not key in Node._tags:
-                    util.warn("%s: unknown key '%s' in section '%s'" % (file, key, sec))
-                    continue
-
-                if key == "type":
-                    # We determine which types are valid by checking for having an
-                    # option specifying which scripts to use for it.
-                    cfg = "scripts-%s" % val 
-                    if not cfg  in self.config:
-                        util.error("%s: unknown type '%s' in section '%s'" % (file, val, sec))
-
-                    self.nodelist[sec].scripts = self.config[cfg].split()
-
-                    if val == "manager":
-                        if manager:
-                            util.error("only one manager can be defined")
-                        manager = True
-
-                    if val == "proxy":
-                        proxy = True
-
-                    if val == "standalone":
-                        standalone = True
-
-                node.__dict__[key] = val
-
-            try:
-                node.addr = socket.gethostbyname(node.host)
-            except AttributeError:
-                util.error("%s: no host given in section '%s'" % (file, sec))
-            except socket.gaierror, e:
-                util.error("%s: unknown host '%s' in section '%s' [%s]" % (file, node.host, sec, e.args[1]))
-
-            # Each node gets a number unique across its type.
-            type = self.nodelist[sec].type
-            try: 
-                counts[type] += 1
-            except KeyError:
-                counts[type] = 1
-
-            node.count = counts[type]
-
-        if self.nodelist:
-
-            if not standalone:
-                if not manager:
-                    util.error("%s: no manager defined" % file)
-
-                if not proxy:
-                    util.error("%s: no proxy defined" % file)
-
-            else:
-                if len(self.nodelist) > 1:
-                    util.error("%s: more than one node defined in stand-alone setup" % file)
-
-        for n in self.nodelist.values():
-            if n.type == "manager":
-                if not execute.isLocal(n):
-                    util.error("script must be run on manager node")
-
-                if n.addr == "127.0.0.1" and n.type != "standalone":
-                    util.error("cannot use localhost/127.0.0.1 for manager host in nodes configuration")
-
-
-    # Parses broctl.cfg and returns a dictionary of all entries. 
-    def _readConfig(self, file):
-        config = {}
-        try:
-            for line in open(file):
-
-                line = line.strip()
-                if not line or line.startswith("#"):
-                    continue
-
-                args = line.split("=")
-                if len(args) != 2:
-                    util.error("%s: syntax error '%s'" % (file, line))
-
-                (key, val) = args
-                key = key.strip().lower()
-                val = val.strip()
-
-                config[key] = val
-
-        except IOError, e:
-            if not Installing:
-                util.error("cannot read '%s'" % file)
-
-        return config
-
-    # Initialize a global option if not already set.
-    def _setOption(self, val, key):
-        if not val in self.config:
-            self.config[val] = self.subst(key)
-
-    # Set a dynamic state variable.
-    def _setState(self, val, key):
-        self.state[val] = key
-
-    # Read dynamic state variables from {$spooldir}/broctl.dat .
-    def readState(self):
-        self.state = self._readConfig(self.statefile)
-
-    # Write the dynamic state variables into {$spooldir}/broctl.dat .
-    def writeState(self):
-        try:
-            out = open(self.statefile, "w")
-        except IOError:
-            if not Installing:
-                util.warn("can't write '%s'" % self.statefile)
-            return
-
-        print >>out, "# Automatically generated. Do not edit.\n"
-
-        for (key, val) in self.state.items():
-            print >>out, "%s = %s" % (key, self.subst(str(val), make_dest=False))
-
-    # Runs Bro to get its version numbers.
-    def determineBroVersion(self):
-        version = None
-        bro = os.path.join(self.distdir, "src/bro")
-        if execute.exists(None, bro):
-            (success, output) = execute.captureCmd("%s -v 2>&1" % bro)
-            if success:
-                version = output[0]
-
-        if not version:
-            # Ok if it's already set. 
-            if "broversion" in self.state:
-                return
-
-            util.error("cannot find Bro binary to determine version")
-
-        m = re.search(".* version ([^ ]*).*$", version)
-        if not m:
-            util.error("cannot determine Bro version [%s]" % version.strip())
-
-        version = m.group(1)
-        if version.endswith("-debug"):
-            version = version[:-6]
-
-        self.state["broversion"] = version
-        self.state["bro"] = self.subst("${bindir}/bro")
-
-    # Returns true if we're running via "make install"
-    def installing(self):
-        return Installing
-
diff --git a/aux/broctl/BroControl/control.py b/aux/broctl/BroControl/control.py
deleted file mode 100644
index fe4b94b9e1..0000000000
--- a/aux/broctl/BroControl/control.py
+++ /dev/null
@@ -1,1059 +0,0 @@
-#! /usr/bin/env python
-#
-# $Id: control.py 6948 2009-12-03 20:59:41Z robin $
-#
-# Functions to control the nodes' operations.
-
-import os
-import sys
-import glob
-import fileinput
-import time
-import tempfile
-import re
-
-import execute
-import util
-import config
-import cron
-import install
-
-# Convert a number into a string with a unit (e.g., 1024 into "1M").
-def prettyPrintVal(val):
-    for (prefix, unit, factor) in (("", "G", 1024*1024*1024), ("", "M", 1024*1024), ("", "K", 1024), (" ", "", 0)):
-        if val >= factor:
-            return "%s%3.0f%s" % (prefix, val / factor, unit)
-    return val # Should not happen
-
-# Checks multiple nodes in parallel and returns list of tuples (node, isrunning). 
-def isRunning(nodes, setcrashed=True):
-
-    results = []
-    cmds = []
-
-    for node in nodes:
-        pid = node.getPID()
-        if not pid:
-            results += [(node, False)]
-            continue
-
-        cmds += [(node, "check-pid", [pid])]
-
-    for (node, success, output) in execute.runHelperParallel(cmds):
-
-        # If we cannot connect to the host at all, we filter it out because
-        # the process might actually still be running but we can't tell.
-        if output == None:
-            util.warn("cannot connect to %s" % node.tag)
-            continue
-
-        results += [(node, success)]
-
-        if not success:
-            if setcrashed:
-                # Grmpf. It crashed. 
-                node.clearPID();
-                node.setCrashed()
-
-    return results
-
-# Waits for the nodes' Bro processes to reach the given status. 
-def waitForBros(nodes, status, timeout, ensurerunning):
-
-    # If ensurerunning is true, process must still be running.
-    if ensurerunning:
-        running = isRunning(nodes)
-    else:
-        running = [(node, True) for node in nodes]
-
-    results = []
-
-    # Determine set of nodes still to check.
-    todo = {}
-    for (node, isrunning) in running:
-        if isrunning:
-            todo[node.tag] = node 
-        else:
-            results += [(node, False)]
-
-    points = False
-    while True:
-
-        # Determine  whether process is still running. We need to do this
-        # before we get the state to avoid a race condition.
-        running = isRunning(todo.values(), setcrashed=False)
-
-        # Check nodes' .status file
-        cmds = []
-        for node in todo.values():
-            cmds += [(node, "cat-file", ["%s/.status" % node.cwd()])]
-
-        for (node, success, output) in execute.runHelperParallel(cmds):
-            if success:
-                try:
-                    (stat, loc) = output[0].split()
-                    if status in stat:
-                        # Status reached. Cool.
-                        del todo[node.tag]
-                        results += [(node, True)]
-                except IndexError:
-                    # Something's wrong. We give up on that node.
-                    del todo[node.tag]
-                    results += [(node, False)]
-
-        for (node, isrunning) in running:
-            if node.tag in todo and not isrunning:
-                # Alright, a dead node's status will not change anymore.
-                del todo[node.tag]
-                results += [(node, False)]
-
-        if len(todo) == 0:
-            # All done.
-            break
-
-        # Wait a bit before we start over.
-        time.sleep(1)
-
-        # Timeout reached?
-        timeout -= 1
-        if timeout <= 0:
-            break
-
-        util.output("%d " % len(todo), nl=False)
-        points = True
-
-    for node in todo.values():
-        # These did time-out.
-        results += [(node, False)]
-
-    if points:
-        util.output("%d " % len(todo))
-
-    return results
-
-# Build the Bro parameters for the given node. Include
-# script for live operation if live is true.
-def _makeBroParams(node, live):
-    args = []
-
-    if live:
-        try:
-            args += ["-i %s " % node.interface]
-        except AttributeError:
-            pass
-
-        if config.Config.savetraces == "1":
-            args += ["-w trace.pcap"]
-
-        args += ["-U .status"]
-
-    args += ["-p broctl"]
-
-    if node.type != "standalone":
-        args += ["-p cluster"]
-    else:
-        args += ["-p standalone"]
-
-    for p in config.Config.prefixes.split(":"):
-        args += ["-p %s" % p]
-
-    args += ["-p %s" % node.tag]         
-        
-    args += node.scripts
-
-    if live:
-        args += ["broctl-live"]
-    else:
-        args += ["broctl-check"]
-
-    if node.type == "worker" or node.type == "proxy":
-        args += config.Config.sitepolicyworker.split()
-        args += config.Config.auxscriptsworker.split()
-
-    if node.type == "manager":
-        args += config.Config.sitepolicymanager.split()
-        args += config.Config.auxscriptsmanager.split()
-
-    if node.type == "standalone":
-        args += config.Config.sitepolicystandalone.split()
-        args += config.Config.auxscriptsstandalone.split()
-
-    if "aux_scripts" in node.__dict__:
-        args += [node.aux_scripts]
-
-    args += ["analysis-policy"]
-
-    if config.Config.broargs:
-        args += [config.Config.broargs]
-
-#   args += ["-B comm,serial"]
-
-    return args
-
-# Build the environment variable for the given node. 
-def _makeEnvParam(node):
-    env = ""
-    env = "BRO_%s=%s" % (node.type.upper(), str(node.count))
-
-    return env
-
-# Do a "post-terminate crash" for the given nodes.
-def _makeCrashReports(nodes):
-    cmds = []
-    for node in nodes:
-        cmds += [(node, "run-cmd",  [os.path.join(config.Config.scriptsdir, "post-terminate"), node.cwd(),  "crash"])]
-
-    for (node, success, output) in execute.runHelperParallel(cmds):
-        if not success:
-            util.output("cannot run post-terminate for %s" % node.tag)
-        else:
-            util.sendMail("Crash report from %s" % node.tag, "\n".join(output))
-
-        node.clearCrashed()
-
-# Starts the given nodes. Returns true if all nodes were successfully started.
-def _startNodes(nodes):
-
-    result = True
-
-    filtered = []
-    # Ignore nodes which are still running.
-    for (node, isrunning) in isRunning(nodes):
-        if not isrunning: 
-            filtered += [node]
-            util.output("starting %s ..." % node.tag)
-        else:
-            util.output("%s still running" % node.tag)
-
-    nodes = filtered
-
-    # Generate crash report for any crashed nodes.
-    crashed = [node for node in nodes if node.hasCrashed()]
-    _makeCrashReports(crashed)
-
-    # Make working directories.
-    dirs = [(node, node.cwd()) for node in nodes]
-    nodes = []
-    for (node, success) in execute.mkdirs(dirs):
-        if success:
-            nodes += [node]
-        else:
-            util.output("cannot create working directory for %s" % node.tag)
-            result = False
-
-    # Start Bro process.
-    cmds = []
-    envs = []
-    for node in nodes:
-        cmds += [(node, "start", [node.cwd()] + _makeBroParams(node, True))]
-        envs += [_makeEnvParam(node)]
-
-    nodes = []
-    for (node, success, output) in execute.runHelperParallel(cmds, envs=envs):
-        if success:
-            nodes += [node]
-            node.setPID(int(output[0]))
-        else:
-            util.output("cannot start %s" % node.tag)
-            result = False
-
-    # Check whether processes did indeed start up.
-    hanging = []
-    running = []
-
-    for (node, success) in waitForBros(nodes, "RUNNING", 3, True):
-        if success:
-            running += [node]
-        else:
-            hanging += [node]
-
-    # It can happen that Bro hangs in DNS lookups at startup
-    # which can take a while. At this point we already know
-    # that the process has been started (waitForBro ensures that). 
-    # If by now there is not a TERMINATED status, we assume that it
-    # is doing fine and will move on to RUNNING once DNS is done.
-    for (node, success) in waitForBros(hanging, "TERMINATED", 0, False):
-        if success:
-            util.output("%s terminated immediately after starting; check output with \"diag\"" % node.tag)
-            node.clearPID()
-            result = False
-        else:
-            util.output("(%s still initializing)" % node.tag)
-            running += [node]
-
-    for node in running:
-        cron.logAction(node, "started")
-
-    return result
-
-# Start Bro processes on nodes if not already running.
-def start(nodes):
-
-    if len(nodes) > 0:
-        # User picked nodes to start.
-        _startNodes(nodes)
-        return
-
-    # Start all nodes. Do it in the order manager, proxies, workers. 
-    if not _startNodes(config.Config.nodes("manager")):
-        return
-
-    if not _startNodes(config.Config.nodes("proxies")):
-        return
-
-    if not _startNodes(config.Config.nodes("workers")):
-        return
-
-def _stopNodes(nodes):
-
-    running = []
-
-    # Check for crashed nodes. 
-    for (node, isrunning) in isRunning(nodes):
-        if isrunning: 
-            running += [node]
-            util.output("stopping %s ..." % node.tag)
-        else:
-            if node.hasCrashed():
-                _makeCrashReports([node])
-                util.output("%s not running (was crashed)" % node.tag)
-            else:
-                util.output("%s not running" % node.tag)
-
-    # Helper function to stop nodes with given signal. 
-    def stop(nodes, signal):
-        cmds = []
-        for node in nodes:
-            cmds += [(node, "stop", [node.getPID(), str(signal)])] 
-
-        return execute.runHelperParallel(cmds)
-
-    # Stop nodes.
-    for (node, success, output) in stop(running, 15):
-        if not success:
-            util.output("failed to send stop signal to %s" % node.tag)
-
-    if running:
-        time.sleep(1)
-
-    # Check whether they terminated.
-    terminated = []
-    kill = []
-    for (node, success) in waitForBros(running, "TERMINATED", 60, False):
-        if not success:
-            # Check whether it crashed during shutdown ...
-            result = isRunning([node])
-            for (node, isrunning) in result:
-                if isrunning:
-                    util.output("%s did not terminate ... killing ..." % node.tag)
-                    kill += [node]
-                else:
-                    # crashed flag is set by isRunning().
-                    util.output("%s crashed during shutdown" % node.tag)
-
-    if len(kill):
-        # Kill those which did not terminate gracefully.
-        stop(kill, 9)
-        # Given them a bit to disappear.
-        time.sleep(5) 
-
-    # Check which are still running. We check all nodes to be on the safe side
-    # and give them a bit more time to finally disappear.
-    timeout = 10
-
-    todo = {}
-    for node in running:
-        todo[node.tag] = node
-
-    while True:
-
-        running = isRunning(todo.values(), setcrashed=False)
-
-        for (node, isrunning) in running:
-            if node.tag in todo and not isrunning:
-                # Alright, it's gone. 
-                del todo[node.tag]
-                terminated += [node]
-
-        if len(todo) == 0:
-            # All done.
-            break
-
-        # Wait a bit before we start over.
-
-        if timeout <= 0:
-            break
-
-        time.sleep(1)
-        timeout -= 1
-
-    # Do post-terminate cleanup for those which terminated gracefully.
-    cleanup = [node for node in terminated if not node.hasCrashed()]
-
-    cmds = []
-    for node in cleanup:
-        cmds += [(node, "run-cmd",  [os.path.join(config.Config.scriptsdir, "post-terminate"), node.cwd()])] 
-
-    for (node, success, output) in execute.runHelperParallel(cmds):
-        if not success:
-            util.output("cannot run post-terminate for %s" % node.tag)
-            cron.logAction(node, "stopped (failed)")
-        else:
-            cron.logAction(node, "stopped")
-
-        node.clearPID()
-        node.clearCrashed()
-
-# Stop Bro processes on nodes.
-def stop(nodes):
-
-    if len(nodes) > 0:
-        # User picked nodes to stop.
-        _stopNodes(nodes)
-        return
-
-    # Start all nodes. Do it in the order workers, proxies, manager. 
-    _stopNodes(config.Config.nodes("workers"))
-    _stopNodes(config.Config.nodes("proxies"))
-    _stopNodes(config.Config.nodes("manager"))
-
-# First stop, then start Bro processes on nodes. 
-def restart(nodes, clean):
-
-    if len(nodes) > 0:
-        all_nodes = nodes
-    else:
-        all_nodes = config.Config.nodes()
-
-    util.output("stopping ...")
-    if len(nodes) > 0:
-        # User picked nodes to restart.
-        _stopNodes(nodes)
-    else:
-        stop([])
-
-    if clean:
-        # Can't delete the tmp here because log archival might still be going on there in the background.
-        cleanup(all_nodes, False)
-
-        util.output("checking configuration ...")
-        if not checkConfigs(all_nodes):
-            return 
-
-        util.output("installing ...")
-        install.install(False, False)
-
-    util.output("starting ...")
-    if len(nodes) > 0:
-        _startNodes(nodes)
-    else:
-        start([])
-
-# Output status summary for nodes. 
-def status(nodes):
-
-    util.output("%-10s %-10s %-10s %-13s %-6s %-6s %-20s " % ("Name",  "Type", "Host", "Status", "Pid", "Peers", "Started"))
-
-    all = isRunning(nodes)
-    running = []
-
-    cmds1 = []
-    cmds2 = []
-    for (node, isrunning) in all:
-        if isrunning:
-            running += [node]
-            cmds1 += [(node, "cat-file", ["%s/.startup" % node.cwd()])]
-            cmds2 += [(node, "cat-file", ["%s/.status" % node.cwd()])]
-
-    startups = execute.runHelperParallel(cmds1)
-    statuses = execute.runHelperParallel(cmds2)
-
-    startups = dict([(n.tag, success and util.fmttime(output[0]) or "???") for (n, success, output) in startups])
-    statuses = dict([(n.tag, success and output[0].split()[0].lower() or "???") for (n, success, output) in statuses])
-
-    peers = {}
-    nodes = [n for n in running if statuses[n.tag] == "running"]
-    for (node, success, args) in _queryPeerStatus(nodes):
-        if success:
-            peers[node.tag] = []
-            for f in args[0].split():
-                (key, val) = f.split("=")
-                if key == "peer" and val != "":
-                    peers[node.tag] += [val]
-        else:
-            peers[node.tag] = None
-
-    for (node, isrunning) in all:
-
-        util.output("%-10s " % node.tag, nl=False)
-        util.output("%-10s %-10s " % (node.type, node.host), nl=False)
-
-        if isrunning:
-            util.output("%-13s " % statuses[node.tag], nl=False)
-
-        elif node.hasCrashed():
-            util.output("%-13s " % "crashed", nl=False)
-        else:
-            util.output("%-13s " % "stopped", nl=False)
-
-        if isrunning:
-            util.output("%-6s " % node.getPID(), nl=False)
-
-            if node.tag in peers and peers[node.tag] != None:
-                util.output("%-6d " % len(peers[node.tag]), nl=False)
-            else: 
-                util.output("%-6s " % "???", nl=False)
-
-            util.output("%-8s  " % startups[node.tag], nl=False)
-
-        util.output()
-
-# Outputs state of remote connections for host.     
-
-
-# Helper for getting top output.
-#
-# Returns tuples of the form (node, error, vals) where  'error' is None if we 
-# were able to get the data or otherwise a string with an  error message; 
-# in case there's no error, 'vals' is a list of dicts which map tags to their values.
-#
-# Tags are "pid", "proc", "vsize", "rss", "cpu", and "cmd".
-#
-# We do all the stuff in parallel across all nodes which is why this looks 
-# a bit confusing ...
-def getTopOutput(nodes):
-
-    results = []
-    cmds = []
-
-    running = isRunning(nodes)
-
-    # Get all the PIDs first.
-
-    pids = {}
-    parents = {}
-
-    for (node, isrunning) in running:
-        if isrunning:
-            pid = node.getPID()
-            pids[node.tag] = [int(pid)]
-            parents[node.tag] = pid
-
-            cmds += [(node, "get-childs", [pid])]
-        else:
-            results += [(node, "not running", [{}])]
-            continue
-
-    if not cmds:
-        return results
-
-    for (node, success, output) in execute.runHelperParallel(cmds):
-
-        if not success:
-            results += [(node, "cannot get child pids", [{}])]
-            continue
-
-        pids[node.tag] += [int(line) for line in output]
-
-    cmds = []
-
-    # Now run top.
-    for node in nodes: # Do the loop again to keep the order.
-        if not node.tag in pids:
-            continue
-
-        cmds += [(node, "top", [])]
-
-    if not cmds:
-        return results
-
-    for (node, success, output) in execute.runHelperParallel(cmds):
-
-        if not success:
-            results += [(node, "cannot get top output", [{}])]
-
-        procs = [line.split() for line in output if int(line.split()[0]) in pids[node.tag]]
-
-        if not procs:
-            # It can happen that on the meantime the process is not there anymore.
-            results += [(node, "not running", [{}])]
-            continue
-
-        vals = []
-
-        for p in procs:
-            d = {}
-            d["pid"] = int(p[0])
-            d["proc"] = (p[0] == parents[node.tag] and "parent" or "child") 
-            d["vsize"] = int(p[1])
-            d["rss"] = int(p[2])
-            d["cpu"] = p[3]
-            d["cmd"] = " ".join(p[4:])
-            vals += [d]
-
-        results += [(node, None, vals)]
-
-    return results
-
-# Produce a top-like output for node's processes.
-# If hdr is true, output column headers first. 
-def top(nodes):
-
-    util.output("%-10s %-10s %-10s %-8s %-8s %-8s %-8s %-8s %-8s" % ("Name", "Type", "Node", "Pid", "Proc", "VSize", "Rss", "Cpu", "Cmd"))
-
-    for (node, error, vals) in getTopOutput(nodes):
-
-        if not error:
-            for d in vals:
-                util.output("%-10s " % node.tag, nl=False)
-                util.output("%-10s " % node.type, nl=False)
-                util.output("%-10s " % node.host, nl=False)
-                util.output("%-8s " % d["pid"], nl=False)
-                util.output("%-8s " % d["proc"], nl=False)
-                util.output("%-8s " % prettyPrintVal(d["vsize"]), nl=False)
-                util.output("%-8s " % prettyPrintVal(d["rss"]), nl=False)
-                util.output("%-8s " % ("%s%%" % d["cpu"]), nl=False)
-                util.output("%-8s " % d["cmd"], nl=False)
-                util.output()
-        else:
-            util.output("%-10s " % node.tag, nl=False)
-            util.output("%-8s " % node.type, nl=False)
-            util.output("%-8s " % node.host, nl=False)
-            util.output("<%s> " % error, nl=False)
-            util.output()
-
-def _doCheckConfig(nodes, installed, list_scripts, fullpaths):
-
-    ok = True
-
-    manager = config.Config.manager()
-
-    all = [(node, os.path.join(config.Config.tmpdir, "check-config-%s" % node.tag)) for node in nodes]
-
-    nodes = []
-    for (node, cwd) in all:
-        if os.path.isdir(cwd):
-            if not execute.rmdir(config.Config.manager(), cwd):
-                util.output("cannot remove directory %s on manager" % cwd)
-                continue
-
-        if not execute.mkdir(config.Config.manager(), cwd):
-            util.output("cannot create directory %s on manager" % cwd)
-            continue
-
-        nodes += [(node, cwd)]
-
-    cmds = []
-    for (node, cwd) in nodes:
-
-        env = ""
-        if node.type == "worker" or node.type == "proxy":
-            env = "BRO_%s=%s" % (node.type.upper(), str(node.count))
-
-        dashl = list_scripts and ["-l"] or []
-
-        broargs =  " ".join(dashl + _makeBroParams(node, False)) + " terminate"
-        installed_policies = installed and "1" or "0"
-
-        cmd = os.path.join(config.Config.scriptsdir, "check-config") + " %s %s %s" % (installed_policies, cwd, broargs)
-
-        cmds += [((node, cwd), cmd, env, None)]
-
-    for ((node, cwd), success, output) in execute.runLocalCmdsParallel(cmds):
-
-        if not list_scripts:
-
-            if success:
-                util.output("%s is ok." % node.tag)
-            else:
-                ok = False
-                util.output("%s failed." % node.tag)
-                for line in output:
-                    util.output("   %s" % line)
-
-        else:
-            util.output(node.tag)
-            for line in output:
-                if line.find("loading") >= 0:
-
-                    line = line.replace("loading ", "")
-                    if not fullpaths:
-                        line = re.sub("\S+/", "", line)
-
-                    util.output("   %s" % line)
-
-            if not success:
-                ok = False
-                util.output("%s failed to load all scripts correctly." % node.tag)
-
-        execute.rmdir(manager, cwd)
-
-    return ok
-
-# Check the configuration for nodes without installing first.
-def checkConfigs(nodes):
-    return _doCheckConfig(nodes, False, False, False)
-
-# Extracts the list of loaded scripts from the -l output. 
-def listScripts(nodes, paths, check):
-    _doCheckConfig(nodes, not check, True, paths)
-
-# Report diagostics for node (e.g., stderr output).
-def crashDiag(node):
-
-    util.output("[%s]" % node.tag)
-
-    if not execute.isdir(node, node.cwd()):
-        util.output("No work dir found\n")
-        return
-
-    (rc, output) = execute.runHelper(node, "run-cmd",  [os.path.join(config.Config.scriptsdir, "crash-diag"), node.cwd()])
-    if not rc:
-        util.output("cannot run crash-diag for %s" % node.tag)
-        return
-
-    for line in output:
-        util.output(line)
-
-# Clean up the working directory for nodes (flushes state). 
-# If cleantmp is true, also wipes ${tmpdir}; this is done
-# even when the node is still running.
-def cleanup(nodes, cleantmp=False):
-    util.output("cleaning up nodes ...")
-    result = isRunning(nodes)
-    running =    [node for (node, on) in result if on]
-    notrunning = [node for (node, on) in result if not on]
-
-    execute.rmdirs([(n, n.cwd()) for n in notrunning])
-    execute.mkdirs([(n, n.cwd()) for n in notrunning])
-
-    for node in notrunning:
-        node.clearCrashed();
-
-    for node in running:
-        util.output("   %s is still running, not cleaning work directory" % node.tag)
-
-    if cleantmp:
-        execute.rmdirs([(n, config.Config.tmpdir) for n in running + notrunning])
-        execute.mkdirs([(n, config.Config.tmpdir) for n in running + notrunning])
-
-# Attach gdb to the main Bro processes on the given nodes.    
-def attachGdb(nodes):
-    running = isRunning(nodes)
-
-    cmds = []
-    for (node, isrunning) in running:
-        if isrunning:
-            cmds += [(node, "gdb-attach", ["gdb-%s" % node.tag, config.Config.bro, node.getPID()])]
-
-    results = execute.runHelperParallel(cmds)
-    for (node, success, output) in results:
-        if success:
-            util.output("gdb attached on %s" % node.tag)
-        else:
-            util.output("cannot attach gdb on %s: %s" % node.tag, output)
-
-# Helper for getting capstats output.
-#
-# Returns tuples of the form (node, error, vals) where  'error' is None if we 
-# were able to get the data or otherwise a string with an error message; 
-# in case there's no error, 'vals' maps tags to their values.
-#
-# Tags are those as returned by capstats on the command-line
-#
-# We do all the stuff in parallel across all nodes which is why this looks 
-# a bit confusing ...
-
-# Gather capstats from interfaces.
-def getCapstatsOutput(nodes, interval):
-
-    if not config.Config.capstats:
-        if config.Config.cron == "0":
-            util.warn("do not have capstats binary available")
-        return []
-
-    results = []
-    cmds = []
-
-    hosts = {}
-    for node in nodes:
-        try:
-            hosts[(node.addr, node.interface)] = node
-        except AttributeError:
-            continue
-
-    for (addr, interface) in hosts.keys():
-        node = hosts[addr, interface]
-
-        capstats = [config.Config.capstats, "-i", interface, "-I", str(interval), "-n", "1"]
-
-# Unfinished feature: only consider a particular MAC. Works here for capstats
-# but Bro config is not adapted currently so we disable it for now. 
-#        try:
-#            capstats += ["-f", "\\'", "ether dst %s" % node.ether, "\\'"]
-#        except AttributeError:
-#            pass
-
-        cmds += [(node, "run-cmd", capstats)]
-
-    outputs = execute.runHelperParallel(cmds) 
-
-    for (node, success, output) in outputs:
-
-        if not success:
-            results += [(node, "%s: cannot execute capstats" % node.tag, {})]
-            continue
-
-        fields = output[0].split()
-        vals = { }
-
-        try:
-            for field in fields[1:]:
-                (key, val) = field.split("=")
-                vals[key] = float(val)
-
-            results += [(node, None, vals)]
-
-        except ValueError:
-            results += [(node, "%s: unexpected capstats output: %s" % (node.tag, output[0]), {})]
-
-    return results
-
-# Get current statistics from cFlow. 
-#
-# Returns dict of the form port->(cum-pkts, cum-bytes). 
-#
-# Returns None if we can't run the helper sucessfully.
-def getCFlowStatus():
-    (success, output) = execute.runLocalCmd(os.path.join(config.Config.scriptsdir, "cflow-stats"))
-    if not success or not output:
-        util.warn("failed to run cflow-stats")
-        return None
-
-    vals = {}
-
-    for line in output:
-        try:
-            (port, pps, bps, pkts, bytes) = line.split()
-            vals[port] = (float(pkts), float(bytes))
-        except ValueError:
-            # Probably an error message because we can't connect. 
-            util.warn("failed to get cFlow statistics: %s" % line)
-            return None
-
-    return vals
-
-# Calculates the differences between to getCFlowStatus() calls. 
-# Returns tuples in the same form as getCapstatsOutput() does.
-def calculateCFlowRate(start, stop, interval):
-    diffs = [(port, stop[port][0] - start[port][0], (stop[port][1] - start[port][1])) for port in start.keys() if port in stop]
-
-    rates = []
-    for (port, pkts, bytes) in diffs:
-        vals = { "kpps": "%.1f" % (pkts / 1e3 / interval) }
-        if start[port][1] >= 0:
-            vals["mbps"] = "%.1f" % (bytes * 8 / 1e6 / interval)
-
-        rates += [(port, None, vals)]
-
-    return rates
-
-def capstats(nodes, interval):
-
-    def output(tag, data):
-        util.output("\n%-12s %-10s %-10s (%ds average)" % (tag, "kpps", "mbps", interval))
-        util.output("-" * 30)
-
-        for (port, error, vals) in data:
-
-            if error:
-                util.output(error)
-                continue
-
-            util.output("%-12s " % port, nl=False)
-
-            if not error:
-                util.output("%-10s " % vals["kpps"], nl=False)
-                if "mbps" in vals:
-                    util.output("%-10s " % vals["mbps"], nl=False)
-                util.output()
-            else:
-                util.output("<%s> " % error)
-
-    have_cflow = config.Config.cflowaddress and config.Config.cflowuser and config.Config.cflowpassword
-    have_capstats = config.Config.capstats
-
-    if not have_cflow and not have_capstats:
-        util.warn("do not have capstats binary available")
-        return
-
-    if have_cflow:
-        cflow_start = getCFlowStatus()
-
-    if have_capstats:
-        capstats = [(node.tag, error, vals) for (node, error, vals) in getCapstatsOutput(nodes, interval)]
-
-    else:
-        time.sleep(interval)
-
-    if have_cflow:
-        cflow_stop = getCFlowStatus()
-
-    if have_capstats:    
-        output("Interface", sorted(capstats))
-
-    if have_cflow and cflow_start and cflow_stop:
-        diffs = calculateCFlowRate(cflow_start, cflow_stop, interval)
-        output("cFlow Port", sorted(diffs))
-
-# Update the configuration of a running instance on the fly.     
-def update(nodes):
-
-    running = isRunning(nodes)
-
-    cmds = []
-    for (node, isrunning) in running:
-        if isrunning:
-            env = _makeEnvParam(node)
-            env += " BRO_DNS_FAKE=1"
-            args = " ".join(_makeBroParams(node, False))
-            cmds += [(node.tag, os.path.join(config.Config.scriptsdir, "update") + " %s %s" % (node.tag.replace("worker-", "w"), args), env, None)]
-            util.output("updating %s ..." % node.tag)
-
-    results = execute.runLocalCmdsParallel(cmds)
-
-    for (tag, success, output) in results:
-        if not success:
-            util.output("could not update %s: %s" % (tag, output))
-        else:
-            util.output("%s: %s" % (tag, output[0]))
-
-# Enable/disable types of analysis.
-def toggleAnalysis(types, enable=True):
-
-    ana = config.Config.analysis()
-
-    for t in types:
-        if ana.isValid(t.lower()):
-            ana.toggle(t.lower(), enable)
-        else:
-            util.output("unknown analysis type '%s'" % t)
-
-
-# Print summary of analysis status.
-def showAnalysis():
-    for (tag, status, mechanism, descr) in config.Config.analysis().all():
-        print "%15s is %s  -  %s" % (tag, (status and "enabled " or "disabled"), descr)
-
-# Gets disk space on all volumes relevant to broctl installation.
-# Returns dict which for each node has a list of tuples (fs, total, used, avail).
-def getDf(nodes):
-
-    dirs = ("logdir", "bindir", "helperdir", "cfgdir", "spooldir", "policydir", "libdir", "tmpdir", "staticdir", "scriptsdir")
-
-    df = {}
-    for node in nodes:
-        df[node.tag] = {}
-
-    for dir in dirs:
-        path = config.Config.config[dir]
-
-        cmds = []
-        for node in nodes:
-            cmds += [(node, "df", [path])]
-
-        results = execute.runHelperParallel(cmds)
-
-        for (node, success, output) in results:
-            if success:
-                fields = output[0].split()
-
-                # Ignore NFS mounted volumes.
-                if fields[0].find(":") < 0:
-                    df[node.tag][fields[0]] = fields
-
-
-    result = {}
-    for node in df:
-        result[node] = df[node].values()
-
-    return result 
-
-def df(nodes):
-
-    util.output("%10s  %15s  %-5s  %-5s  %-5s" % ("", "", "total", "avail", "capacity"))
-
-    for (node, dfs) in getDf(nodes).items():
-        for df in dfs:
-            total = float(df[1])
-            used = float(df[2])
-            avail = float(df[3])
-            perc = used * 100.0 / (used + avail)
-
-            util.output("%10s  %15s  %-5s  %-5s  %-5.1f%%" % (node, df[0], 
-                prettyPrintVal(total), 
-                prettyPrintVal(avail), perc))
-
-
-def printID(nodes, id):
-    running = isRunning(nodes)
-
-    events = []
-    for (node, isrunning) in running:
-        if isrunning:
-            events += [(node, "request_id", [id], "request_id_response")]
-
-    results = execute.sendEventsParallel(events)
-
-    for (node, success, args) in results:
-        if success:
-            print "%10s   %s = %s" % (node.tag, args[0], args[1])
-        else:
-            print "%10s   <error: %s>" % (node.tag, args)
-
-def _queryPeerStatus(nodes):
-    running = isRunning(nodes)
-
-    events = []
-    for (node, isrunning) in running:
-        if isrunning:
-            events += [(node, "get_peer_status", [], "get_peer_status_response")]
-
-    return execute.sendEventsParallel(events)
-
-def _queryNetStats(nodes):
-    running = isRunning(nodes)
-
-    events = []
-    for (node, isrunning) in running:
-        if isrunning:
-            events += [(node, "get_net_stats", [], "get_net_stats_response")]
-
-    return execute.sendEventsParallel(events)
-
-def peerStatus(nodes):
-    for (node, success, args) in _queryPeerStatus(nodes):
-        if success:
-            print "%10s\n%s" % (node.tag, args[0])
-        else:
-            print "%10s   <error: %s>" % (node.tag, args)
-
-def netStats(nodes):
-    for (node, success, args) in _queryNetStats(nodes):
-        if success:
-            print "%10s: %s" % (node.tag, args[0]),
-        else:
-            print "%10s: <error: %s>" % (node.tag, args)
-
-def executeCmd(nodes, cmd):
-
-    for special in "|'\"":
-        cmd = cmd.replace(special, "\\" + special)
-
-    cmds = [(n, "run-cmd", [cmd]) for n in nodes]
-
-    for (node, success, output) in execute.runHelperParallel(cmds):
-      util.output("[%s] %s\n> %s" % (node.host, (success and " " or "error"), "\n> ".join(output)))
-
-
-
diff --git a/aux/broctl/BroControl/cron.py b/aux/broctl/BroControl/cron.py
deleted file mode 100644
index 8e77ba6509..0000000000
--- a/aux/broctl/BroControl/cron.py
+++ /dev/null
@@ -1,242 +0,0 @@
-#! /usr/bin/env python
-#
-# $Id: cron.py 6813 2009-07-07 18:54:12Z robin $
-#
-# Tasks which are to be done on a regular basis from cron.
-
-import os
-import sys
-
-import util
-import config
-import execute
-import control
-import time
-import shutil
-
-# Triggers all activity which is to be done regularly via cron.
-def doCron():
-
-    if config.Config.cronenabled == "0":
-        return
-
-    if not util.lock():
-        return
-
-    util.bufferOutput()
-    config.Config.config["cron"] = "1"  # Flag to indicate that we're running from cron.
-
-    # Check whether nodes are still running an restart if neccessary.
-    for (node, isrunning) in control.isRunning(config.Config.nodes()):
-        if not isrunning and node.hasCrashed():
-            control.start([node])
-
-    # Check for dead hosts.
-    _checkHosts()
-
-    # Generate statistics. 
-    _logStats(5)
-
-    # Check available disk space.
-    _checkDiskSpace()
-
-    # Expire old log files.
-    _expireLogs()
-
-    # Update the HTTP stats directory. 
-    _updateHTTPStats()
-
-    # Run external command if we have one.
-    if config.Config.croncmd:
-        execute.runLocalCmd(config.Config.croncmd)
-
-    # Mail potential output.
-    output = util.getBufferedOutput()
-    if output:
-        util.sendMail("cron: " + output.split("\n")[0], output)
-
-    config.Config.config["cron"] = "0"
-
-    util.unlock()
-
-def logAction(node, action):
-    t = time.time()
-    out = open(config.Config.statslog, "a")
-    print >>out, t, node.tag, "action", action
-    out.close()
-
-def _logStats(interval):
-
-    nodes = config.Config.nodes()
-    top = control.getTopOutput(nodes)
-
-    have_cflow = config.Config.cflowaddress and config.Config.cflowuser and config.Config.cflowpassword
-    have_capstats = config.Config.capstats
-    cflow_start = cflow_end = None
-    capstats = []
-    cflow_rates = []
-
-    if have_cflow:
-        cflow_start = control.getCFlowStatus()
-
-    if have_capstats:
-        capstats = control.getCapstatsOutput(nodes, interval)
-    elif have_cflow:
-        time.sleep(interval)
-
-    if have_cflow:
-        cflow_end = control.getCFlowStatus()
-        if cflow_start and cflow_end:
-            cflow_rates = control.calculateCFlowRate(cflow_start, cflow_end, interval)
-
-    t = time.time()
-
-    out = open(config.Config.statslog, "a")
-
-    for (node, error, vals) in top:
-        if not error:
-            for proc in vals:
-                type = proc["proc"]
-                for (val, key) in proc.items():
-                    if val != "proc":
-                        print >>out, t, node.tag, type, val, key
-        else:
-            print >>out, t, node.tag, "error", "error", error
-
-    for (node, error, vals) in capstats:
-        if not error:
-            for (key, val) in vals.items():
-                # Report if we don't see packets on an interface.
-                tag = "lastpkts-%s" % node.tag
-
-                if key == "pkts":
-                    if tag in config.Config.state:
-                        last = float(config.Config.state[tag])
-                    else:
-                        last = -1.0
-
-                    if float(val) == 0.0 and last != 0.0:
-                        util.output("%s is not seeing any packets on interface %s" % (node.host, node.interface))
-
-                    if float(val) != 0.0 and last == 0.0:
-                        util.output("%s is seeing packets again on interface %s" % (node.host, node.interface))
-
-                    config.Config._setState(tag, val)
-
-                print >>out, t, node.tag, "interface", key, val
-
-        else:
-            print >>out, t, node.tag, "error", "error", error
-
-    for (port, error, vals) in cflow_rates:
-        if not error:
-            for (key, val) in vals.items():
-                print >>out, t, "cflow", port.lower(), key, val
-
-    out.close()
-
-def _checkDiskSpace():
-
-    minspace = float(config.Config.mindiskspace)
-    if minspace == 0.0:
-        return
-
-    for (node, dfs) in control.getDf(config.Config.nodes()).items():
-        for df in dfs:
-            fs = df[0]
-            total = float(df[1])
-            used = float(df[2])
-            avail = float(df[3])
-            perc = used * 100.0 / (used + avail)
-            key = "disk-space-%s%s" % (node, fs.replace("/", "-"))
-
-            if perc > 100 - minspace:
-                try:
-                    if float(config.Config.state[key]) > 100 - minspace:
-                        # Already reported.
-                        continue
-                except KeyError:
-                    pass
-
-                util.output("Disk space low on %s:%s - %.1f%% used." % (node, fs, perc))
-
-            config.Config.state[key] = "%.1f" % perc
-
-def _expireLogs():
-
-    i = int(config.Config.logexpireinterval)
-
-    if not i:
-        return
-
-    (success, output) = execute.runLocalCmd(os.path.join(config.Config.scriptsdir, "expire-logs"))
-
-    if not success:
-        util.output("error running expire-logs\n\n")
-        util.output(output)
-
-def _checkHosts():
-
-    for node in config.Config.hosts():
-
-        tag = "alive-%s" % node.host
-        alive = execute.isAlive(node.addr) and "1" or "0"
-
-        if tag in config.Config.state:
-            previous = config.Config.state[tag]
-
-            if alive != previous:
-                util.output("host %s %s" % (node.host, alive == "1" and "up" or "down"))
-
-        config.Config._setState(tag, alive)
-
-def _getProfLogs():        
-
-    dir = config.Config.statsdir
-    if not os.path.exists(dir):
-        os.mkdir(dir)
-
-    if not os.path.exists(dir) or not os.path.isdir(dir):
-        util.output("cannot create directory %s" % dir)
-        return
-
-    cmds = []
-
-    for node in config.Config.hosts():
-        cmd = os.path.join(config.Config.scriptsdir, "get-prof-log") + " %s %s %s/prof.log" % (node.tag, node.host, node.cwd())
-        cmds += [(node, cmd, [], None)]
-
-    for (node, success, output) in execute.runLocalCmdsParallel(cmds):
-        if not success:
-            util.output("cannot get prof.log from %s" % node.tag)
-
-def _updateHTTPStats():
-
-    # Get the prof.logs.
-    _getProfLogs()
-
-    # Copy stats.dat.
-    shutil.copy(config.Config.statslog, config.Config.statsdir)
-
-    # Creat meta file. 
-    meta = open(os.path.join(config.Config.statsdir, "meta.dat"), "w")
-    for node in config.Config.hosts():
-        print >>meta, "node", node.tag, node.type, node.host
-
-    print >>meta, "time", time.asctime()
-    print >>meta, "version", config.Config.version
-
-    try:
-        print >>meta, "os", execute.captureCmd("uname -a")[1][0]
-    except IndexError:
-        print >>meta, "os <error>"
-
-    try:
-        print >>meta, "host", execute.captureCmd("hostname")[1][0]
-    except IndexError:
-        print >>meta, "host <error>"
-
-    meta.close()
-
-
-
diff --git a/aux/broctl/BroControl/execute.py b/aux/broctl/BroControl/execute.py
deleted file mode 100644
index 23e16c8f2a..0000000000
--- a/aux/broctl/BroControl/execute.py
+++ /dev/null
@@ -1,545 +0,0 @@
-# $Id: execute.py 6956 2009-12-14 22:01:17Z robin $
-#
-# These modules provides a set of functions to execute actions on a host.
-# If the host is local, it's done direcly; if it's remote we log in via SSH. 
-
-import os
-import sys
-import socket
-import shutil
-import re
-import util
-import time
-import subprocess
-
-import config
-
-haveBroccoli = True
-
-try:
-    import broccoli
-except ImportError:
-    haveBroccoli = False
-
-LocalAddrs = None 
-
-# Wrapper around subprocess.POpen()
-def popen(cmdline, stderr_to_stdout=False):
-    stderr = None
-    if stderr_to_stdout:
-        stderr = subprocess.STDOUT
-
-    # os.setid makes sure that the child process doesn't receive our CTRL-Cs.
-    proc = subprocess.Popen([cmdline], stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=stderr, 
-                            close_fds=True, shell=True, preexec_fn=os.setsid)
-    # Compatibility with older popen4.
-    proc.tochild = proc.stdin
-    proc.fromchild = proc.stdout
-
-    return proc
-
-# Returns true if given node corresponds to the host we're running on.
-def isLocal(node):
-    global LocalAddrs 
-    if not LocalAddrs:
-        (success, output) = runLocalCmd(os.path.join(config.Config.scriptsdir, "local-interfaces"))
-        if not success:
-            if not config.Config.installing():
-                util.warn("cannot get list of local IP addresses")
-
-            try:
-                # This does not work for multi-homed hosts.
-                LocalAddrs = [socket.gethostbyname(socket.gethostname()), "127.0.0.1"]
-            except:
-                LocalAddrs = ["127.0.0.1"]
-        else:
-            LocalAddrs = [line.strip() for line in output]
-
-        util.debug(1, "Local IPs: %s" % ",".join(LocalAddrs))
-
-    return not node or node.host == "localhost" or node.addr in LocalAddrs
-
-# Takes list of (node, dir) pairs and ensures the directories exist on the nodes' host.
-# Returns list of (node, sucess) pairs.
-def mkdirs(dirs):
-
-    results = []
-    cmds = []
-    fullcmds = []
-
-    for (node, dir) in dirs:
-        # We make local directories directly. 
-        if isLocal(node):
-            if not exists(node, dir):
-                util.debug(1, "%-10s %s" % ("[local]", "mkdir %s" % dir))
-                os.mkdir(dir)
-
-            results += [(node, True)]
-
-        else:
-            cmds += [(node, [], [])]
-                # Need to be careful here as our helper scripts may not be installed yet. 
-            fullcmds += [("test -d %s || mkdir %s 2>/dev/null; echo $?; echo ~~~" % (dir, dir))]
-
-    for (node, success, output) in runHelperParallel(cmds, fullcmds=fullcmds):
-        results += [(node, success)]
-
-    return results
-
-# Takes list of (node, dir) pairs and ensures the directories exist on the nodes' host.
-# Returns list of (node, sucess) pairs.
-def mkdir(node, dir):
-    return mkdirs([(node, dir)])[0][1]
-
-def rmdirs(dirs):
-    results = []
-    cmds = []
-
-    for (node, dir) in dirs:
-        # We remove local directories directly. 
-        if isLocal(node):
-            (success, output) = captureCmd("rm -rf %s" % dir)
-            results += [(node, success)]
-        else:
-            cmds += [(node, "rmdir", [dir])]
-
-    for (node, success, output) in runHelperParallel(cmds):
-        results += [(node, success)]
-
-    return results
-
-# Removes the directory on the host if it's there.
-def rmdir(node, dir):
-    return rmdirs([(node, dir)])[0][1]
-
-# Returns true if the path exists on the host.
-def exists(host, path):
-    if isLocal(host):
-        return os.path.lexists(path)
-    else:
-        (success, output) = runHelper(host, "exists", [path])
-        return success
-
-# Returns true if the path exists and refers to a file on the host.
-def isfile(host, path):
-    if isLocal(host):
-        return os.path.isfile(path)
-    else:
-        util.error("isfile() not yet supported for remote hosts")
-
-# Returns true if the path exists and refers to a directory on the host.
-def isdir(host, path):
-    if isLocal(host):
-        return os.path.isdir(path)
-    else:
-        (success, output) = runHelper(host, "is-dir", [path])
-        return success
-
-# Copies src to dst, preserving permission bits.
-# Works for files and directories (non-recursive).
-def install(host, src, dst):
-    if isLocal(host):
-        if not exists(host, src):
-            util.output("file does not exist: %s" % src)
-            return False
-
-        if os.path.isfile(dst):
-            os.remove(dst)
-
-        util.debug(1, "cp %s %s" % (src, dst))
-        shutil.copy2(src, dst)
-        return True
-    else:
-        util.error("install() not yet supported for remote hosts")
-        return False
-
-# rsyns paths from localhost to destination hosts. 
-def sync(nodes, paths):
-
-    cmds = []
-    for n in nodes:
-        args = ["-a", "--delete", "--rsh=\"ssh -o ConnectTimeout=30\""]
-        dst = ["%s:%s/" % (n.host, config.Config.brobase)]
-        args += paths + dst
-        cmdline = "rsync %s" % " ".join(args)
-        cmds += [(n, cmdline, "", None)]
-
-    for (id, success, output) in runLocalCmdsParallel(cmds):
-        if not success:
-            util.warn("error rsyncing to %s: %s" % (id.host, output))
-
-# Checks whether the given host is alive.    
-_deadHosts = {}
-
-def isAlive(host):
-
-    if host in _deadHosts:
-        return False
-
-    (success, output) = runLocalCmd(os.path.join(config.Config.scriptsdir, "is-alive") + " " + host)
-
-    if not success and not config.Config.cron == "1":
-        _deadHosts[host] = True
-        util.warn("host %s is not alive" % host)
-
-    return success
-
-# Runs command locally and returns tuple (success, output)
-# with success being true if the command terminated with exit code 0, 
-# and output being the combinded stdout/stderr output of the command. 
-def captureCmd(cmd, env = "", input = None):
-
-    cmdline = env + " " + cmd
-    util.debug(1, "%-10s %s" % ("[local]", cmdline))
-
-    proc = popen(cmdline, stderr_to_stdout=True)
-
-    if input:
-        print >>proc.tochild, input
-        proc.tochild.close()
-
-    rc = proc.wait()
-    output = [line.strip() for line in proc.fromchild]
-
-    util.debug(1, "%-10s exit code %d" % ("[local]", os.WEXITSTATUS(rc)))
-    for line in output:
-        util.debug(2, "           > %s" % line)
-
-    return (os.WIFEXITED(rc) and os.WEXITSTATUS(rc) == 0, output)
-
-## FIXME: Replace "captureCmd" with "runLocalCmd".
-
-# Runs command locally and returns tuple (success, output)
-# with success being true if the command terminated with exit code 0, 
-# and output being the combinded stdout/stderr output of the command. 
-def runLocalCmd(cmd, env = "", input=None):
-    proc = _runLocalCmdInit("single", cmd, env, input)
-    if not proc:
-        return (False, [])
-
-    return _runLocalCmdWait(proc)
-
-# Same as above but runs a set of local commands in parallel.
-# Cmds is a list of (id, cmd, envs, input) tuples, where id is 
-# an arbitrary cookie identifying each command.
-# Returns a list of (id, success, output) tuples.
-# 'output' is None (vs. []) if we couldn't connect to host.
-def runLocalCmdsParallel(cmds):
-
-    results = []
-    running = []
-
-    for (id, cmd, envs, input) in cmds:
-        proc = _runLocalCmdInit(id, cmd, envs, input)
-        if proc:
-            running += [(id, proc)]
-        else:
-            results += [(id, False, None)]
-
-    for (id, proc) in running:
-        status  = _runLocalCmdWait(proc)
-        if status:
-            (success, output) = status
-            results += [(id, success, output)]
-        else:
-            results += [(id, False, None)]
-
-    return results
-
-def _runLocalCmdInit(id, cmd, env, input):
-
-    if not env:
-        env = ""
-
-    cmdline = env + " " + cmd
-    util.debug(1, "%-10s %s" % ("[local]", cmdline))
-
-    proc = popen(cmdline, stderr_to_stdout=True)
-
-    if input:
-        print >>proc.tochild, input
-
-    proc.tochild.close()
-    return proc
-
-def stripNL(str):
-    if len(str) == 0 or str[-1] != "\n":
-        return str
-
-    return str[0:-1]
-
-def _runLocalCmdWait(proc):
-
-    rc = proc.wait()
-    output = [stripNL(line) for line in proc.fromchild]
-
-    util.debug(1, "%-10s exit code %d" % ("[local]", os.WEXITSTATUS(rc)))
-    for line in output:
-        util.debug(2, "           > %s" % line)
-
-    return (os.WIFEXITED(rc) and os.WEXITSTATUS(rc) == 0, output)
-
-# Runs a helper script from bin/helpers, according to the helper
-# protocol. 
-# If fullcmd is given, this is the exact & complete command line (incl. paths). 
-# Otherwise, cmd is just the helper's name (wo/ path) and args are the 
-# arguments. Env is an optional enviroment variable of the form
-# "key=val". Return value as for captureCmd().
-# 'output' is None (vs. []) if we couldn't connect to host.
-def runHelper(host, cmd=None, args=None, fullcmd=None, env = ""):
-    util.disableSignals()
-    try:
-        status = _runHelperInit(host, cmd, args, fullcmd, env)
-        if not status:
-            return (False, None)
-
-        status = _runHelperWait(status)
-        if not status:
-            return (False, None)
-
-        return status
-
-    finally:
-        util.enableSignals()
-
-# Same as above but runs commands on a set of hosts in parallel.
-# Cmds is a list of (node, cmd, args) tuples.
-# Fullcmds, if given, is a parallel list of full command lines. 
-# Envs, if given, is a parallel list of env variables.
-# Returns a list of (node, success, output) tuples.
-# 'output' is None (vs. []) if we couldn't connect to host.
-def runHelperParallel(cmds, fullcmds = None, envs = None):
-
-    util.disableSignals()
-
-    try:
-        results = []
-        running = []
-
-        for (node, cmd, args) in cmds:
-
-            if fullcmds:
-                fullcmd = fullcmds[0]
-                fullcmds = fullcmds[1:]
-            else:
-                fullcmd = ""
-
-            if envs:
-                env = envs[0]
-                envs = envs[1:]
-            else:
-                env = ""
-
-            status = _runHelperInit(node, cmd, args, fullcmd, env)
-            if status:
-                running += [node]
-            else:
-                results += [(node, False, None)]
-
-        for node in running:
-            status =  _runHelperWait(node)
-            if status:
-                (success, output) = status
-                results += [(node, success, output)]
-            else:
-                results += [(node, False, None)]
-
-        return results
-
-    finally:
-        util.enableSignals()
-
-# Helpers for running helpers. 
-#
-# We keep the SSH sessions open across calls to runHelper.
-Connections = {}
-WhoAmI = None
-
-# FIXME: This is an ugly hack. The __del__ method produces
-# strange unhandled exceptions in the child at termination
-# of the main process. Not sure if disabling the cleanup
-# altogether is a good thing but right now that's the 
-# only fix I can come up with.
-def _emptyDel(self):
-    pass
-subprocess.Popen.__del__ = _emptyDel
-
-def _getConnection(host):
-
-    global WhoAmI
-    if not WhoAmI:
-        (success, output) = captureCmd("whoami")
-        if not success:
-            util.error("can't get 'whoami'")
-        WhoAmI = output[0]
-
-    if not host:
-        host = config.Config.manager()
-
-    if host.tag in Connections:
-        p = Connections[host.tag]
-        if p.poll() != None:
-            # Terminated.
-            global _deadHosts
-            _deadHosts[host.host] = True
-            util.warn("connection to %s broke" % host.host)
-            return None
-
-        return (p.stdin, p.stdout)
-
-    if isLocal(host):
-        cmdline = "sh"
-    else:
-        # Check whether host is alive. 
-        if not isAlive(host.host):
-            return None
-
-        cmdline = "ssh -o ConnectTimeout=30 -l %s %s sh" % (WhoAmI, host.host)
-
-    util.debug(1, "%-10s %s" % ("[local]", cmdline))
-
-    try:
-        p = popen(cmdline)
-    except OSError, e:
-        util.warn("cannot login into %s [IOError: %s]" % (host.host, e))
-        return None
-
-    Connections[host.tag] = p
-    return (p.stdin, p.stdout)
-
-def _runHelperInit(host, cmd, args, fullcmd, env):
-
-    c = _getConnection(host)
-    if not c:
-        return None
-
-    (stdin, stdout) = c
-
-    if not fullcmd:
-        cmdline = "%s %s %s" % (env, os.path.join(config.Config.helperdir, cmd), " ".join(args))
-    else:
-        cmdline = fullcmd
-
-    util.debug(1, "%-10s %s" % (("[%s]" % host.host), cmdline))
-    print >>stdin, cmdline
-    stdin.flush()
-
-    return host
-
-def _runHelperWait(host):
-    output = []
-    while True:
-
-        c = _getConnection(host)
-        if not c:
-            return None
-
-        (stdin, stdout) = c
-
-        line = stdout.readline().strip()
-        if line == "~~~":
-            break
-        output += [line]
-
-    try:
-        rc = int(output[0])
-    except ValueError:
-        util.warn("cannot parse exit code from helper on %s: %s" % (host.host, output[0]))
-        rc = 1
-
-    util.debug(1, "%-10s exit code %d" % (("[%s]" % host.host), rc))
-
-    for line in output:
-        util.debug(2, "           > %s" % line)
-
-    return (rc == 0, output[1:])
-
-# Broccoli communication with running nodes.
-
-# Sends event  to a set of nodes in parallel.
-#
-# events is a list of tuples of the form (node, event, args, result_event).
-#   node:    the destination node.
-#   event:   the name of the event to send (node that receiver must subscribe to it as well).
-#   args:    a list of event args; each arg must be a data type understood by the Broccoli module.
-#   result_event: name of a event the node sends back. None if no event is sent back.
-#
-# Returns a list of tuples (node, success, results_args).
-#   If success is True, result_args is a list of arguments as shipped with the result event, 
-#   or [] if no result_event was specified.
-#   If success is False, results_args is a string with an error message.
-
-def sendEventsParallel(events):
-
-    results = []
-    sent = []
-
-    for (node, event, args, result_event) in events:
-
-        if not haveBroccoli:
-            results += [(node, False, "no Python bindings for Broccoli installed")]
-            continue
-
-        (success, bc) = _sendEventInit(node, event, args, result_event)
-        if success and result_event:
-            sent += [(node, result_event, bc)]
-        else:
-            results += [(node, success, bc)]
-
-    for (node, result_event, bc) in sent:
-        (success, result_args) = _sendEventWait(node, result_event, bc)
-        results += [(node, success, result_args)]
-
-    return results
-
-def _sendEventInit(node, event, args, result_event):
-
-    try:
-        bc = broccoli.Connection("%s:%d" % (node.addr, node.getPort()), broclass="update", 
-                                 flags=broccoli.BRO_CFLAG_ALWAYS_QUEUE, connect=False)
-        bc.subscribe(result_event, _event_callback(bc))
-        bc.got_result = False
-        bc.connect()
-    except IOError, e:
-        util.debug(1, "%-10s broccoli: cannot connect" % (("[%s]" % node.tag)))
-        return (False, str(e))
-
-    util.debug(1, "%-10s broccoli: %s(%s)" % (("[%s]" % node.tag), event, ", ".join(args)))
-    bc.send(event, *args)
-    return (True, bc)
-
-def _sendEventWait(node, result_event, bc):
-    # Wait until we have sent the event out. 
-    cnt = 0
-    while bc.processInput():
-        time.sleep(1)
-
-        cnt += 1
-        if cnt > 10:
-            util.debug(1, "%-10s broccoli: timeout during send" % (("[%s]" % node.tag)))
-            return (False, "time-out")
-
-    if not result_event:
-        return (True, [])
-
-    # Wait for reply event.
-    cnt = 0
-    bc.processInput();
-    while not bc.got_result:
-        time.sleep(1)
-        bc.processInput();
-
-        cnt += 1
-        if cnt > 10:
-            util.debug(1, "%-10s broccoli: timeout during receive" % (("[%s]" % node.tag)))
-            return (False, "time-out")
-
-    util.debug(1, "%-10s broccoli: %s(%s)" % (("[%s]" % node.tag), result_event, ", ".join(bc.result_args)))
-    return (True, bc.result_args)
-
-def _event_callback(bc):
-    def save_results(*args):
-        bc.got_result = True
-        bc.result_args = args
-    return save_results
-
diff --git a/aux/broctl/BroControl/install.py b/aux/broctl/BroControl/install.py
deleted file mode 100644
index 77bf36603d..0000000000
--- a/aux/broctl/BroControl/install.py
+++ /dev/null
@@ -1,556 +0,0 @@
-#! /usr/bin/env python
-#
-# $Id: install.py 6948 2009-12-03 20:59:41Z robin $
-#
-# Functions to install files on all nodes. 
-
-import os
-import sys
-import glob
-import fileinput
-
-import util
-import execute
-import config
-
-# In all paths given in this file, ${<option>} will replaced with the value of the
-# corresponding configuration option.
-
-# Directories to be created on the manager. Each entry is a pair (path, clean)
-# in which 'clean' is a boolean indicating if True that the path is to be
-# deleted first before it is freshly installed. 
-Dirs = [
-    ("${brobase}", False),
-    ("${brobase}/share", False),
-    ("${staticdir}", True),
-    ("${logdir}", False),
-    ("${bindir}", False),
-    ("${scriptsdir}", False),
-    ("${postprocdir}", False),
-    ("${templatedir}", False),
-    ("${helperdir}", False),
-    ("${cfgdir}", False),
-
-    ("${policydir}", False),
-    ("${defsitepolicypath}", False),
-    ("${policydirsiteinstall}", True),
-    ("${policydirsiteinstallauto}", True),
-    ("${policydirbroctl}", True),
-
-    ("${spooldir}", False),
-    ("${tmpdir}", False),
-    ("${libdir}", False),
-    ("${libdirinternal}", False),
-    ("${libdirinternal}/BroControl", False),
-    ]    
-
-# Additional directories to be createdin development mode.     
-DirsDev = [
-     ("${policydir}/sigs", False),
-     ("${policydir}/time-machine", False),
-     ("${policydir}/xquery", False),
-    ]
-
-# List of files to be installed on the manager. Each entry is a pair
-# (src, dst, replace). 'src' must be a file (globs are ok). 
-# If replace is False, existing files will not be overwritten.
-# If source ends in ".in", it's passed through option substitution and
-# installed without the postfix.
-#
-# Note: all files ending in *.in will be copied first into ${templatedir}, and
-# then from there into their final destination in substitized form. 
-Targets = [ 
-    ("${distdir}/aux/broctl/bin/broctl", "${bindir}", True),
-    ("${distdir}/aux/broctl/aux/trace-summary/trace-summary", "${bindir}", True),
-    ("${distdir}/aux/broctl/aux/capstats/capstats", "${bindir}", True),
-    ("${distdir}/aux/broctl/BroControl/*.py", "${libdirinternal}/BroControl", True),
-    ("${distdir}/aux/broctl/policy/*.bro", "${policydir}/broctl", True),
-    ("${distdir}/aux/broctl/etc/analysis.dat", "${cfgdir}", True),
-    ("${distdir}/aux/broctl/bin/run-bro.in", "${scriptsdir}", True),
-    ("${distdir}/aux/broctl/bin/check-config.in", "${scriptsdir}", True),
-    ("${distdir}/aux/broctl/bin/archive-log.in", "${scriptsdir}", True),
-    ("${distdir}/aux/broctl/bin/delete-log", "${scriptsdir}", True),
-    ("${distdir}/aux/broctl/bin/expire-logs.in", "${scriptsdir}", True),
-    ("${distdir}/aux/broctl/bin/post-terminate.in", "${scriptsdir}", True),
-    ("${distdir}/aux/broctl/bin/crash-diag.in", "${scriptsdir}", True),
-    ("${distdir}/aux/broctl/bin/send-mail.in", "${scriptsdir}", True),
-    ("${distdir}/aux/broctl/bin/mail-alarm.in", "${scriptsdir}", True),
-    ("${distdir}/aux/broctl/bin/update.in", "${scriptsdir}", True),
-    ("${distdir}/aux/broctl/bin/remove-log", "${scriptsdir}", True),
-    ("${distdir}/aux/broctl/bin/is-alive.in", "${scriptsdir}", True),
-    ("${distdir}/aux/broctl/bin/local-interfaces", "${scriptsdir}", True),
-    ("${distdir}/aux/broctl/bin/cflow-stats.in", "${scriptsdir}", True),
-    ("${distdir}/aux/broctl/bin/get-prof-log.in", "${scriptsdir}", True),
-    ("${distdir}/aux/broctl/bin/mail-contents.in", "${scriptsdir}", True),
-    ("${distdir}/aux/broctl/bin/helpers/start.in", "${helperdir}", True),
-    ("${distdir}/aux/broctl/bin/helpers/stop", "${helperdir}", True),
-    ("${distdir}/aux/broctl/bin/helpers/check-pid", "${helperdir}", True),
-    ("${distdir}/aux/broctl/bin/helpers/top.in", "${helperdir}", True),
-    ("${distdir}/aux/broctl/bin/helpers/get-childs", "${helperdir}", True),
-    ("${distdir}/aux/broctl/bin/helpers/df.in", "${helperdir}", True),
-    ("${distdir}/aux/broctl/bin/helpers/cat-file", "${helperdir}", True),
-    ("${distdir}/aux/broctl/bin/helpers/run-cmd", "${helperdir}", True),
-    ("${distdir}/aux/broctl/bin/helpers/to-bytes.awk", "${helperdir}", True),
-    ("${distdir}/aux/broctl/bin/helpers/rmdir", "${helperdir}", True),
-    ("${distdir}/aux/broctl/bin/helpers/is-dir", "${helperdir}", True),
-    ("${distdir}/aux/broctl/bin/helpers/exists", "${helperdir}", True),  
-    ("${distdir}/aux/broctl/bin/postprocessors/summarize-connections.in", "${postprocdir}", True),
-    ("${distdir}/aux/broctl/bin/postprocessors/mail-log.in", "${postprocdir}", True),
-    ("${distdir}/aux/broctl/.python-build/lib/_broccoli_intern.so", "${libdirinternal}", True),
-    ("${distdir}/aux/broctl/.python-build/lib/broccoli.py", "${libdirinternal}", True),
-    ("${distdir}/aux/broctl/.python-build/lib/_SubnetTree.so", "${libdirinternal}", True),
-    ("${distdir}/aux/broctl/.python-build/lib/SubnetTree.py", "${libdirinternal}", True),
-]
-
-# Additional list of files only copied when in development mode. 
-TargetsDev = [
-    # Note that the paths here should match with match Bro's "make install" is
-    # doing.
-    ("${distdir}/src/bro", "${bindir}/bro", True),
-    ("${distdir}/policy/*.bro", "${policydir}", True),
-    ("${distdir}/policy/bro.init", "${policydir}", True),
-    ("${distdir}/policy/sigs/*.sig", "${policydir}/sigs", True),
-    ("${distdir}/policy/time-machine/*.bro", "${policydir}/time-machine", True),
-    ("${distdir}/policy/xquery/*.xq", "${policydir}/xquery", True),
-    ("${distdir}/aux/broccoli/src/.libs/lib*", "${libdir}", True),
-]
-
-# Do not complain if these source files do no exist.
-OptionalTargets = [
-    ("${distdir}/aux/cf/cf", "${bindir}", True),
-    ("${distdir}/aux/hf/hf", "${bindir}", True),
-]
-
-# Diretories/files in form (path, mirror) which are synced from the manager to all nodes. 
-# If 'mirror' is true, the path is fully mirrored recursively, otherwise the 
-# directory is just created.
-Syncs = [
-    ("${brobase}", False),
-    ("${brobase}/share", True),
-    ("${cfgdir}", True),
-    ("${libdir}", True),
-    ("${bindir}", True),
-    # ("${policydir}", True),
-    # ("${staticdir}", True),
-    ("${logdir}", False),
-    ("${spooldir}", False),
-    ("${tmpdir}", False),
-    ];    
-
-def _canonTarget(file, dst):
-    manager = config.Config.manager()
-    if execute.isdir(manager, dst):
-        target = os.path.join(dst, os.path.basename(file))
-    else:
-        target = dst
-
-    subst = False
-    if target.endswith(".in"):
-        target = target[:-3]
-        subst = True
-
-    if file.endswith(".in"):
-        subst = True
-
-    return (target, subst)
-
-# Performs the complete broctl installion process.
-# 
-# If local_only is True, nothing is propagated to other nodes.
-# If make_install is True, the install adapts for usage from a "make install",
-# i.e., it will copy all the static files form the broctl distribution; if
-# False, it will perform the "broctl install" command which only updates
-# dynamically generated files plus the site policy. In development mode,
-# "make_install" is always overridden to be True.
-def install(local_only, make_install):
-    if config.Config.devmode == "1":
-        make_install = True
-
-    config.Config.determineBroVersion()
-
-    manager = config.Config.manager()
-
-    # Delete previously installed policy files to not mix things up.
-    policies = [config.Config.policydirsiteinstall, config.Config.policydirsiteinstallauto]
-
-    if make_install:
-        policies += [config.Config.subst("${policydir}/broctl")]
-
-    for p in policies:
-        if os.path.isdir(p):
-            util.output("removing old policies in %s ..." % p, False)
-            execute.rmdir(manager, p)
-            util.output(" done.")
-
-
-    util.output("creating policy directories ...", False)
-    for p in policies:
-        execute.mkdir(manager, p)
-    util.output(" done.")
-
-    custom = [(os.path.expanduser(file), "${bindir}", True, False) for file in config.Config.custominstallbin.split()]
-    pp = [(os.path.expanduser(file), "${postprocdir}", True, False) for file in config.Config.auxpostprocessors.split()]
-
-    targets = Targets
-    if config.Config.devmode == "1":
-        targets += TargetsDev
-
-    mandatory = [(src, dst, replace, False) for (src, dst, replace) in targets]
-    optional  = [(src, dst, replace, True) for (src, dst, replace) in OptionalTargets]
-
-    if config.Config.standalone == "0":
-        mandatory += [("${distdir}/aux/broctl/etc/node.cfg.cluster.in", "${cfgdir}/node.cfg.example", False, False)]
-        mandatory += [("${distdir}/aux/broctl/etc/broctl.cfg.cluster.in", "${cfgdir}/broctl.cfg.example", False, False)]
-        mandatory += [("${distdir}/aux/broctl/etc/networks.cfg.in", "${cfgdir}/networks.cfg.example", False, True)]
-        mandatory += [("${distdir}/aux/broctl/policy/local/cluster.local-manager.bro-template", "${defsitepolicypath}/local-manager.bro", False, True)]
-        mandatory += [("${distdir}/aux/broctl/policy/local/cluster.local-worker.bro-template", "${defsitepolicypath}/local-worker.bro", False, True)]
-        mandatory += [("${distdir}/aux/broctl/policy/local/cluster.local.bro-template", "${defsitepolicypath}/local.bro", False, True)]
-    else:
-        mandatory += [("${distdir}/aux/broctl/etc/node.cfg.standalone.in", "${cfgdir}/node.cfg", False, False)]
-        mandatory += [("${distdir}/aux/broctl/etc/broctl.cfg.standalone.in", "${cfgdir}/broctl.cfg", False, False)]
-        mandatory += [("${distdir}/aux/broctl/etc/networks.cfg.in", "${cfgdir}/networks.cfg", False, True)]
-        mandatory += [("${distdir}/aux/broctl/policy/local/standalone.local.bro-template", "${defsitepolicypath}/local.bro", False, True)]
-
-    all_targets = mandatory + optional + custom + pp
-
-    if make_install:
-        util.output("creating installation directories ...", False)
-        # Install the static parts of the broctl distribution. 
-        dirs = Dirs
-        if config.Config.devmode == "1":
-            dirs += DirsDev
-
-        for (dir, clean) in dirs:
-            dir = config.Config.subst(dir)
-            if clean:
-                execute.rmdir(manager, dir)
-
-            execute.mkdir(manager, dir)
-
-        util.output(" done.")
-
-        # Copy files.
-        util.output("installing files ...", False)
-
-        for (src, dst, replace, optional) in all_targets:
-            src = config.Config.subst(src)
-            dst = config.Config.subst(dst)
-
-            files = glob.glob(src)
-            if not files and not optional: 
-                util.warn("file does not exist: %s" % src)
-                continue
-
-            for file in files:
-                (target, subst) = _canonTarget(file, dst)
-
-                if not replace and execute.exists(manager, target):
-                    continue
-
-                if subst:
-                    # Installation copies to template directory only.
-                    # Substitution will be performed later. 
-                    target = config.Config.templatedir
-
-                if not execute.install(manager, file, target):
-                    continue
-
-        if manager:
-            if not execute.mkdir(manager, manager.cwd()):
-                util.warn("cannot create %s on manager" % manager.cwd())
-
-        util.output(" done.")
-
-    # Processing the templates by substitung all variables.
-    for (src, dst, replace, optional) in all_targets:
-        # Doesn't work with globs!
-
-        src = config.Config.subst(src)
-        dst = config.Config.subst(dst)
-        file = os.path.join(config.Config.templatedir, os.path.basename(src))
-
-        if not execute.exists(manager, file):
-            continue
-
-        (target, subst) = _canonTarget(file, dst)
-
-        assert subst
-
-        if not replace and execute.exists(manager, target):
-            continue
-
-        if not execute.install(manager, file, target):
-            continue
-
-        for line in fileinput.input(target, inplace=1):
-            print config.Config.subst(line, make_dest=False),
-        fileinput.close()
-
-    # Install local site policy.
-
-    if config.Config.sitepolicypath:
-        util.output("installing site policies ...", False)
-        dst = config.Config.policydirsiteinstall
-        for dir in config.Config.sitepolicypath.split(":"):
-            dir = config.Config.subst(dir)
-            for file in glob.glob(os.path.join(dir, "*")):
-                if execute.isfile(manager, file):
-                    execute.install(manager, file, dst)
-        util.output(" done.")
-
-    if not config.Config.nodes():
-        if config.Config.standalone == "0":
-            return
-
-        # The standalone installs default configs. Start over to read those.
-        util.output("[second install pass]")
-        os.system(config.Config.subst("${bindir}/broctl install"))
-        config.Config.readState()
-        config.Config._readNodes()
-        return
-
-    makeLayout()
-    makeAnalysisPolicy()
-    makeLocalNetworks()
-
-    current = config.Config.subst(os.path.join(config.Config.logdir, "current"), make_dest=False)
-    if not execute.exists(manager, current):
-        try:
-            os.symlink(manager.cwd(), current)
-        except (IOError, OSError), e:
-            util.warn("cannot link %s to %s: %s" % (manager.cwd(), current, e))
-
-    if local_only:
-        return
-
-    # Sync to clients.
-    util.output("updating nodes ... ", False)
-
-    hosts = {}
-    nodes = []
-
-    for n in config.Config.nodes():
-        # Make sure we do each host only once.
-        if n.host in hosts:
-            continue
-
-        hosts[n.host] = 1
-
-        if n == manager:
-            continue
-
-        if not execute.isAlive(n.addr):
-            continue
-
-        nodes += [n]
-
-    if config.Config.havenfs != "1":
-        # Non-NFS, need to explicitly synchronize.
-        dirs = []
-        for dir in [config.Config.subst(dir) for (dir, mirror) in Syncs if not mirror]:
-            dirs += [(n, dir) for n in nodes]
-
-        for (node, success) in execute.mkdirs(dirs):
-            if not success:
-                util.warn("cannot create directory %s on %s" % (dir, node.tag))
-
-        paths = [config.Config.subst(dir) for (dir, mirror) in Syncs if mirror]                
-        execute.sync(nodes, paths)
-        util.output("done.")
-
-        # Note: the old code created $brobase explicitly but it seems the loop above should 
-        # already take care of that.
-
-    else:
-        # NFS. We only need to take care of the spool/log directoryies.
-        paths = [config.Config.spooldir]
-        paths += [config.Config.logdir]
-
-        dirs = []
-        for dir in paths:
-            dirs += [(n, dir) for n in nodes]
-
-        for (node, success) in execute.mkdirs(dirs):
-            if not success:
-                util.warn("cannot create directory on %s" % (dir, node.tag))
-        util.output("done.")
-
-# Create Bro-side broctl configuration broctl-layout.bro.        
-
-port = -1
-
-def makeLayout():
-    def nextPort(node):
-        global port
-        port += 1
-        node.setPort(port)
-        return port
-
-    global port
-    port = 47759
-    manager = config.Config.manager()
-
-    if not manager:
-        return
-
-    util.output("generating broctl-layout.bro ...", False)
-
-    out = open(os.path.join(config.Config.policydirsiteinstallauto, "broctl-layout.bro"), "w")
-    print >>out, "# Automatically generated. Do not edit.\n"
-    print >>out, "redef BroCtl::manager = [$ip = %s, $p=%s/tcp, $tag=\"%s\"];\n" % (manager.addr, nextPort(manager), manager.tag);
-
-    proxies = config.Config.nodes("proxy")
-    print >>out, "redef BroCtl::proxies = {"
-    for p in proxies:
-        tag = p.tag.replace("proxy-", "p")
-        print >>out, "\t[%d] = [$ip = %s, $p=%s/tcp, $tag=\"%s\"]," % (p.count, p.addr, nextPort(p), tag)
-    print >>out, "};\n"
-
-    workers = config.Config.nodes("worker")
-    print >>out, "redef BroCtl::workers = {"
-    for s in workers:
-        tag = s.tag.replace("worker-", "w")
-        p = s.count % len(proxies) + 1
-        print >>out, "\t[%d] = [$ip = %s, $p=%s/tcp, $tag=\"%s\", $interface=\"%s\", $proxy=BroCtl::proxies[%d]]," % (s.count, s.addr, nextPort(s), tag, s.interface, p)
-    print >>out, "};\n"
-
-    print >>out, "redef BroCtl::log_dir = \"%s\";\n" % config.Config.subst(config.Config.logdir, make_dest=False)
-	
-    # Activate time-machine support if configured.
-    if config.Config.timemachinehost:
-        print >>out, "redef BroCtl::tm_host = %s;\n" % config.Config.timemachinehost
-        print >>out, "redef BroCtl::tm_port = %s;\n" % config.Config.timemachineport
-        print >>out
-
-    util.output(" done.")
-
-# Create Bro script to enable the selected types of analysis.
-def makeAnalysisPolicy():
-    manager = config.Config.manager()
-
-    if not manager:
-        return
-
-    util.output("generating analysis-policy.bro ...", False)
-
-    out = open(os.path.join(config.Config.policydirsiteinstallauto, "analysis-policy.bro"), "w")
-    print >>out, "# Automatically generated. Do not edit.\n"
-
-    disabled_event_groups = []
-    booleans = []
-    warns = []
-
-    analysis = config.Config.analysis()
-    redo = False
-
-    for (type, state, mechanisms, descr) in analysis.all():
-
-        for mechanism in mechanisms.split(","):
-
-            try:
-                i = mechanism.index(":")
-                scheme = mechanism[0:i]
-                arg = mechanism[i+1:]
-            except ValueError:
-                util.warn("error in %s: ignoring mechanism %s" % (config.Config.analysiscfg, mechanism))
-                continue
-
-            if scheme == "events":
-                # Default is on so only need to record those which are disabled.
-                if not state:
-                    disabled_event_groups += [type]
-
-            elif scheme == "bool":
-                booleans += [(arg, state)]
-
-            elif scheme == "bool-inv":
-                booleans += [(arg, not state)]
-
-            elif scheme == "disable":
-                if state:
-                    continue
-
-                if not analysis.isValid(arg):
-                    util.warn("error in %s: unknown type '%s'" % (config.Config.analysiscfg, arg))
-                    continue
-
-                if analysis.isEnabled(arg):
-                    warns += ["disabled analysis %s (depends on %s)" % (arg, type)]
-                    analysis.toggle(arg, False)
-                    redo = True
-
-            else:
-                util.warn("error in %s: ignoring unknown mechanism scheme %s" % (config.Config.analysiscfg, scheme))
-                continue
-
-    if disabled_event_groups:
-        print >>out, "redef AnalysisGroups::disabled_groups = {"
-        for g in disabled_event_groups:
-            print >>out, "\t\"%s\"," % g
-        print >>out, "};\n"
-
-    for (var, val) in booleans:
-        print >>out, "@ifdef ( %s )" % var
-        print >>out, "redef %s = %s;" % (var, val and "T" or "F");
-        print >>out, "@endif\n" 
-    print >>out, "\n"
-
-    out.close()
-
-    util.output(" done.")
-
-    for w in warns:
-        util.warn(w)
-
-    if redo:
-        # Second pass.
-        makeAnalysisPolicy()
-
-# Reads in a list of networks from file.
-def readNetworks(file):
-
-    nets = []
-
-    for line in open(file):
-        line = line.strip()
-        if not line or line.startswith("#"):
-            continue
-
-        fields = line.split()
-        nets += [(fields[0], " ".join(fields[1:]))]
-
-    return nets
-
-
-# Create Bro script which contains a list of local networks. 
-def makeLocalNetworks():
-
-    netcfg = config.Config.localnetscfg
-
-    if not os.path.exists(netcfg):
-        if not config.Installing:
-            util.warn("list of local networks does not exist in %s" % netcfg)
-        return
-
-    util.output("generating local-networks.bro ...", False)
-
-    out = open(os.path.join(config.Config.policydirsiteinstallauto, "local-networks.bro"), "w")
-    print >>out, "# Automatically generated. Do not edit.\n"
-
-    netcfg = config.Config.localnetscfg
-
-    if os.path.exists(netcfg):
-        nets = readNetworks(netcfg)
-
-        print >>out, "redef local_nets = {"
-        for (cidr, tag) in nets:
-            print >>out, "\t%s," % cidr,
-            if tag != "":
-                print >>out, "\t# %s" % tag,
-            print >>out
-        print >>out, "};\n"
-
-    util.output(" done.")
-
-
-
diff --git a/aux/broctl/BroControl/options.py b/aux/broctl/BroControl/options.py
deleted file mode 100644
index e07cdfc704..0000000000
--- a/aux/broctl/BroControl/options.py
+++ /dev/null
@@ -1,251 +0,0 @@
-# $Id: options.py 6813 2009-07-07 18:54:12Z robin $
-#
-# Configuration options. 
-#
-# If started directly, will print option reference documentation.
-
-class Option:
-
-    # Options category.
-    USER = 1       # Standard user-configurable option.
-    INTERNAL = 2   # internal, don't expose to user. 
-    AUTOMATIC = 3  # Set automatically, unlikely to be changed.
-
-    def __init__(self, name, default, type, category, dontinit, description):
-        self.name = name
-        self.default = default
-        self.type = type
-        self.dontinit = dontinit
-        self.category = category
-        self.description = description
-
-options = [
-    # User options.
-    Option("Debug", "0", "bool", Option.USER, False, 
-           "Enable extensive debugging output in spool/debug.log."),
-
-    Option("HaveNFS", "0", "bool", Option.USER, False, 
-           "True if shared files are mounted across all nodes via NFS (see FAQ)."),
-    Option("SaveTraces", "0", "bool", Option.USER, False,
-           "True to let backends capture short-term traces via '-w'. These are not archived but might be helpful for debugging."),
-    Option("DevMode", "0", "bool", Option.USER, False,
-           "Enable development mode, which changes how things are installed by the _install_ command."),
-
-    Option("LogDir", "${BroBase}/logs", "string", Option.USER, False,
-           "Directory for archived log files."),
-
-    Option("SendMail", "1", "bool", Option.USER, False,
-           "True if shell may send mails."),
-    Option("MailSubjectPrefix", "[Bro]", "string", Option.USER, False,
-           "General Subject prefix for broctl-generated mails."),
-    Option("MailAlarmPrefix", "ALERT:", "string", Option.USER, False,
-           "Subject prefix for individual alerts triggered by NOTICE_EMAIL."),
-    Option("MailReplyTo", "", "string", Option.USER, False,
-           "Reply-to address for broctl-generated mails."),
-    Option("MailTo", "<user>", "string", Option.USER, True,
-           "Destination address for broctl-generated non-alarm mails. Default is to use the same address as +MailTo+."),
-    Option("MailAlarmsTo", "${MailTo}", "string", Option.USER, True,
-           "Destination address for broctl-generated alarm mails."),
-    Option("MailFrom", "Big Brother <bro@localhost>", "string", Option.USER, True,
-           "Originator address for broctl-generated mails."),
-
-    Option("MailAlarms", "1", "bool", Option.USER, False,
-           "True if Bro should send mails for NOTICE_EMAIL alerts."),
-    Option("MinDiskSpace", "5", "int", Option.USER, False,
-           "Percentage of minimum disk space available before warning is mailed."),
-    Option("LogExpireInterval", "30", "int", Option.USER, False,
-           "Number of days log files are kept."),
-    Option("BroArgs", "", "string", Option.USER, False,
-           "Additional arguments to pass to Bro on the command-line."),
-    Option("MemLimit", "unlimited", "string", Option.USER, False,
-           "Maximum amount of memory for Bro processes to use (in KB, or the string 'unlimited')."),
-
-    Option("TimeFmt", "%d %b %H:%M:%S", "string", Option.USER, False,
-           "Format string to print data/time specifications (see 'man strftime')."),
-
-    Option("Prefixes", "local", "string", Option.USER, False,
-           "Additional script prefixes for Bro, separated by colons. Use this instead of @prefix."),
-
-    Option("AuxScriptsManager", "", "string", Option.USER, False,
-           "Additional Bro scripts loaded on the manager, separated by spaces."),
-    Option("AuxScriptsWorker", "", "string", Option.USER, False,
-           "Additional Bro scripts loaded on the workers, separated by spaces."),
-    Option("AuxScriptsStandalone", "", "string", Option.USER, False,
-           "Additional Bro scripts loaded on a standalone Brothe manage, separated by spaces."),
-
-    Option("AuxPostProcessors", "", "string", Option.USER, False,
-           "Additional log postprocessors, with paths separated by spaces."),
-
-    Option("SitePolicyManager", "local-manager.bro", "string", Option.USER, False,
-           "Local policy file for manager."),
-    Option("SitePolicyWorker", "local-worker.bro", "string", Option.USER, False,
-           "Local policy file for workers."),
-    Option("SitePolicyStandalone", "local.bro", "string", Option.USER, False,
-           "Local policy file for standalone Bro."),
-
-    Option("CustomInstallBin", "", "string", Option.USER, False,
-           "Additional executables to be installed into ${BinDir}, including full path and separated by spaces."),
-
-    Option("CronCmd", "", "string", Option.USER, False,
-           "A custom command to run everytime the cron command has finished."),
-
-    Option("CFlowAddr", "", "string", Option.USER, False,
-           "If a cFlow load-balander is used, the address of the device (format: <ip>:<port>)."),
-    Option("CFlowUser", "", "string", Option.USER, False,
-           "If a cFlow load-balander is used, the user name for accessing its configuration interface."),
-    Option("CFlowPassword", "", "string", Option.USER, False,
-           "If a cFlow load-balander is used, the password for accessing its configuration interface."),
-		   
-    Option("TimeMachineHost", "", "string", Option.USER, False,
-           "If the manager should connect to a Time Machine, the address of the host it is running on."),
-    Option("TimeMachinePort", "47757/tcp", "string", Option.USER, False,
-           "If the manager should connect to a Time Machine, the port it is running on (in Bro syntax, e.g., +47757/tcp+."),
-		
-    # Automatically set.
-    Option("BroBase", "", "string", Option.AUTOMATIC, True, 
-           "Base path of broctl installation on all nodes."),
-    Option("DistDir", "", "string", Option.AUTOMATIC, True, 
-           "Path to Bro distribution directory."),
-    Option("Version", "", "string", Option.AUTOMATIC, True, 
-           "Version of the broctl."),
-    Option("StandAlone", "0", "bool", Option.AUTOMATIC, True, 
-           "True if running in stand-alone mode (see elsewhere)."),
-    Option("OS", "", "string", Option.AUTOMATIC, True, 
-           "Name of operation systems as reported by uname."),
-    Option("Time", "", "string", Option.AUTOMATIC, True, 
-           "Path to time binary."),
-
-    Option("HaveBroccoli", "", "bool", Option.AUTOMATIC, False,
-           "True if Broccoli interface is available."),
-
-    Option("BinDir", "${BroBase}/bin", "string", Option.AUTOMATIC, False,
-           "Directory for executable files."),
-    Option("ScriptsDir", "${BroBase}/share/broctl/scripts", "string", Option.AUTOMATIC, False,
-           "Directory for executable scripts shipping as part of broctl."),
-    Option("PostProcDir", "${BroBase}/share/broctl/scripts/postprocessors", "string", Option.AUTOMATIC, False,
-           "Directory for log postprocessors."),
-    Option("HelperDir", "${BroBase}/share/broctl/scripts/helpers", "string", Option.AUTOMATIC, False,
-           "Directory for broctl helper scripts."),
-    Option("CfgDir", "${BroBase}/etc", "string", Option.AUTOMATIC, False,
-           "Directory for configuration files."),
-    Option("SpoolDir", "${BroBase}/spool", "string", Option.AUTOMATIC, False,
-           "Directory for run-time data."),
-    Option("PolicyDir", "${BroBase}/share/bro", "string", Option.AUTOMATIC, False,
-           "Directory for standard policy files."),
-    Option("StaticDir", "${BroBase}/share/broctl", "string", Option.AUTOMATIC, False,
-           "Directory for static, arch-independent files."),
-    Option("TemplateDir", "${BroBase}/share/broctl/templates", "string", Option.AUTOMATIC, False,
-           "Directory where the *.in templates are copied into."),
-
-    Option("LibDir", "${BroBase}/lib", "string", Option.AUTOMATIC, False,
-           "Directory for library files."),
-    Option("LibDirInternal", "${BroBase}/lib/broctl", "string", Option.AUTOMATIC, False,
-           "Directory for broctl-specific library files."),
-    Option("TmpDir", "${SpoolDir}/tmp", "string", Option.AUTOMATIC, False,
-           "Directory for temporary data."),
-    Option("TmpExecDir", "${SpoolDir}/tmp", "string", Option.AUTOMATIC, False,
-           "Directory where binaries are copied before execution."),
-    Option("StatsDir", "${LogDir}/stats", "string", Option.AUTOMATIC, False,
-           "Directory where statistics are kepts."),
-
-    Option("TraceSummary", "${bindir}/trace-summary", "string", Option.AUTOMATIC, False, 
-           "Path to trace-summary script; empty if not available."),
-    Option("Capstats", "${bindir}/capstats", "string", Option.AUTOMATIC, False, 
-           "Path to capstats binary; empty if not available."),
-
-    Option("NodeCfg", "${CfgDir}/node.cfg", "string", Option.AUTOMATIC, False,
-           "Node configuration file."),
-    Option("LocalNetsCfg", "${CfgDir}/networks.cfg", "string", Option.AUTOMATIC, False,
-           "File definining the local networks."),
-    Option("AnalysisCfg", "${CfgDir}/analysis.dat", "string", Option.AUTOMATIC, False,
-           "Configuration file defining types of analysis which can be toggled on-the-fly."),
-    Option("StateFile", "${SpoolDir}/broctl.dat", "string", Option.AUTOMATIC, False,
-           "File storing the current broctl state."),
-    Option("LockFile", "${SpoolDir}/lock", "string", Option.AUTOMATIC, False,
-           "Lock file preventing concurrent shell operations."),
-
-    Option("DebugLog", "${SpoolDir}/debug.log", "string", Option.AUTOMATIC, False,
-           "Log file for debugging information."),
-    Option("StatsLog", "${SpoolDir}/stats.log", "string", Option.AUTOMATIC, False,
-           "Log file for statistics."),
-
-    Option("SitePolicyPath", "${PolicyDir}/site", "string", Option.USER, False,
-           "Directories to search for local policy files, separated by colons."),           
-
-    Option("DefSitePolicyPath", "${PolicyDir}/site", "string", Option.INTERNAL, False,
-           "Default directory to search for local policy files."),           
-
-    Option("PolicyDirSiteInstall", "${PolicyDir}/.site", "string", Option.AUTOMATIC, False,
-           "Directory where the shell copies local policy scripts when installing."),
-    Option("PolicyDirSiteInstallAuto", "${PolicyDir}/.site/auto", "string", Option.AUTOMATIC, False,
-           "Directory where the shell copies auto-generated local policy scripts when installing."),
-    Option("PolicyDirBroCtl", "${PolicyDir}/broctl", "string", Option.AUTOMATIC, False,
-           "Directory where the shell copies the additional broctl policy scripts when installing."),
-
-    Option("Scripts-Manager", "cluster-manager", "string", Option.AUTOMATIC, False,
-           "Bro scripts loaded on the manager, separated by spaces."),
-    Option("Scripts-Worker", "cluster-worker", "string", Option.AUTOMATIC, False,
-           "Bro scripts loaded on the workers, separated by spaces."),
-    Option("Scripts-Proxy", "cluster-proxy", "string", Option.AUTOMATIC, False,
-           "Bro scripts loaded on the proxies, separated by spaces."),
-    Option("Scripts-Standalone", "standalone", "string", Option.AUTOMATIC, False,
-           "Bro scripts loaded on a standalone Bro, separated by spaces."),
-
-    # Internal, not documented. 
-    Option("SigInt", "0", "bool", Option.INTERNAL, False,
-           "True if SIGINT has been received."),
-
-    Option("Cron-Enabled", "1", "bool", Option.INTERNAL, False,
-           "True if cron command is enabled; if False, cron is silently ignored."),
-
-    Option("Home", "", "string", Option.INTERNAL, False, 
-           "User's home directory."),
-
-    Option("Cron", "0", "bool", Option.INTERNAL, False,
-           "True if we running from the cron command."),
-
-
-]
-
-def printOptions(cat):
-
-    for opt in sorted(options, key=lambda o: o.name):
-
-        if opt.category != cat:
-            continue
-
-        default = ""
-
-        if not opt.type:
-            print >>sys.stderr, "no type given for", opt.name
-
-        if opt.default and opt.type == "string":
-            opt.default = '"%s"' % opt.default
-
-        if not opt.default and opt.type == "string":
-            opt.default = "_empty_"      
-			
-        if opt.default:
-            default = ", default %s" % opt.default
-
-        default = default.replace("{", "\\{")
-        description = opt.description.replace("{", "\\{")    
-
-        print "[[opt_%s]] *%s* (%s%s)::\n%s" % (opt.name, opt.name, opt.type, default, description)
-
-
-if __name__ == '__main__':
-
-    print "// Automatically generated. Do not edit."
-    print
-    print "User Options"
-    print "~~~~~~~~~~~~"
-
-    printOptions(Option.USER)
-
-    print
-    print "Internal Options"
-    print "~~~~~~~~~~~~~~~~"
-    print
-
-    printOptions(Option.AUTOMATIC)
diff --git a/aux/broctl/BroControl/util.py b/aux/broctl/BroControl/util.py
deleted file mode 100644
index 4af1440659..0000000000
--- a/aux/broctl/BroControl/util.py
+++ /dev/null
@@ -1,283 +0,0 @@
-#! /usr/bin/env python
-#
-# $Id: util.py 6956 2009-12-14 22:01:17Z robin $
-
-import os
-import sys
-import socket
-import imp
-import re
-import time
-import tempfile
-import signal
-import StringIO
-import tty
-import termios
-import select
-import curses
-import atexit
-
-import config
-import execute
-
-def fmttime(t):
-    return time.strftime(config.Config.timefmt, time.localtime(float(t)))
-
-Buffer = None
-
-def bufferOutput():
-    global Buffer
-    Buffer = StringIO.StringIO()
-
-def getBufferedOutput():
-    global Buffer
-    buffer = Buffer.getvalue()
-    Buffer.close()
-    Buffer = None
-    return buffer
-
-def output(msg = "", nl = True):
-
-    debug(1, "[output] %s %s" % (msg, (not nl) and "..." or ""))
-
-    if Buffer:
-        out = Buffer
-    else:
-        out = sys.stderr
-
-    out.write(msg)
-    if nl:
-        out.write("\n")
-
-def error(msg):
-    output("error: %s" % msg)
-    sys.exit(1)
-
-def warn(msg):
-    output("warning: %s" % msg)
-
-DebugOut = None    
-
-def debug(msglevel, msg):
-    global DebugOut
-
-    try:
-        level = int(config.Config.debug)
-    except ValueError:
-        level = 0
-
-    if level < msglevel:
-        return
-
-    if not DebugOut:
-        try:
-            DebugOut = open(config.Config.debuglog, "a")
-        except IOError:
-            # During the initial install, tmpdir hasn't been setup yet. So we
-            # fall back to current dir.
-            DebugOut = open("debug.log", "a")
-
-    print >>DebugOut, time.strftime(config.Config.timefmt, time.localtime(time.time())), msg
-    DebugOut.flush()
-
-def sendMail(subject, body):
-    cmd = "%s '%s'" % (os.path.join(config.Config.scriptsdir, "send-mail"), subject)
-    (success, output) = execute.captureCmd(cmd, "", body)
-    if not success:
-        warn("cannot send mail")
-
-lockCount = 0        
-
-def _breakLock():
-    try:
-        # Check whether lock is stale.
-        pid = open(config.Config.lockfile, "r").readline().strip()
-        (success, output) = execute.runHelper(config.Config.manager(), "check-pid", args=[pid])
-        if success:
-            # Process still exissts.
-            return False
-
-        # Break lock.
-        warn("removing stale lock")
-        os.unlink(config.Config.lockfile)
-        return True
-
-    except IOError:
-        return False
-
-def _aquireLock():
-    if not config.Config.manager() or config.Installing:
-        # Initial install.
-        return True
-
-    pid = str(os.getpid())
-    tmpfile = config.Config.lockfile + "." + pid
-
-    try:
-        try:
-            # This should be NFS-safe.
-            f = open(tmpfile, "w")
-            print >>f, pid
-            f.close()
-
-            n = os.stat(tmpfile)[3]
-            os.link(tmpfile, config.Config.lockfile)
-            m = os.stat(tmpfile)[3]
-
-            if n == m-1:
-                return True
-
-            # File is locked.
-            if _breakLock():
-                return _aquireLock()
-
-        except OSError, e:
-            # File is already locked.
-            if _breakLock():
-                return _aquireLock()
-
-        except IOError, e:
-            if not config.Config.installing():
-                error("cannot aquire lock: %s" % e)
-                return False
-            else:
-                # The spool directory may not exist yet so we 
-                # silently ignore the failed lock.
-                return True
-
-    finally:
-        try:
-            os.unlink(tmpfile)
-        except OSError:
-            pass
-        except IOError: 
-            pass
-
-    return False
-
-def _releaseLock():
-    try:
-        os.unlink(config.Config.lockfile)
-    except OSError, e:
-        if not config.Config.installing():
-            warn("cannot remove lock file: %s" % e)
-
-def lock():
-    global lockCount
-
-    if lockCount > 0:
-        # Already locked.
-        lockCount += 1
-        return True
-
-    if not _aquireLock():
-        
-        if config.Config.cron == "1":
-            do_output = 0
-        else:
-            do_output = 2
-            
-        if do_ouput:
-            output("waiting for lock ...", nl=False)
-
-        count = 0
-        while not _aquireLock():
-            if do_output:
-                output(".", nl=False)
-            time.sleep(1)
-
-            count += 1
-            if count > 30:
-                output("cannot get lock") # always output this one.
-                return False
-
-        if do_output:
-            output(" ok")
-
-    lockCount = 1
-    return True
-
-def unlock():
-    global lockCount
-
-    if lockCount == 0:
-        error("mismatched lock/unlock")
-
-    if lockCount > 1:
-        # Still locked.
-        lockCount -= 1
-        return
-
-    _releaseLock()
-
-    lockCount = 0
-
-# Keyboard interrupt handler.
-def sigIntHandler(signum, frame):
-    config.Config.config["sigint"] = "1" 
-
-def enableSignals():
-    signal.signal(signal.SIGINT, sigIntHandler)
-
-def disableSignals():
-    signal.signal(signal.SIGINT, signal.SIG_IGN)
-
-
-# Curses functions
-
-_Stdscr = None
-
-def _finishCurses():
-    curses.nocbreak(); 
-    curses.echo()
-    curses.endwin()
-
-def _initCurses():
-    global _Stdscr
-    atexit.register(_finishCurses)
-    _Stdscr = curses.initscr()
-
-def enterCurses():    
-    if not _Stdscr:
-        _initCurses()
-
-    curses.cbreak()
-    curses.noecho()
-    _Stdscr.nodelay(1)
-    
-    signal.signal(signal.SIGWINCH, signal.SIG_IGN)
-
-def leaveCurses():
-    curses.reset_shell_mode()
-    signal.signal(signal.SIGWINCH, signal.SIG_DFL)
-
-# Check non-blockingly for a key press and returns it, or return None if no
-# key is found. enter/leaveCurses must surround the getc() call.
-def getCh():
-    ch = _Stdscr.getch()
-
-    if ch < 0:
-        return None
-
-    return chr(ch)
-
-def clearScreen():
-    if not _Stdscr:
-        _initCurses()
-
-    _Stdscr.clear()
-
-def printLines(lines):
-    y = 0
-    for line in lines.split("\n"):
-        try:
-            _Stdscr.insnstr(y, 0, line, len(line))
-        except:
-            pass
-        y += 1
-        
-    try:
-        _Stdscr.insnstr(y, 0, "", 0)
-    except:
-        pass
-
diff --git a/aux/broctl/Makefile.in b/aux/broctl/Makefile.in
deleted file mode 100644
index 15248155d7..0000000000
--- a/aux/broctl/Makefile.in
+++ /dev/null
@@ -1,70 +0,0 @@
-# $Id: Makefile.in 6952 2009-12-05 00:23:47Z robin $
-
-VPATH = $BROCTLSRC
-
-# capstats will be handled separately. 
-DIST_IGNORE = config.status aux/capstats
-
-all: pybroccoli pysubnettree capstats config.status
-
-config.status: $BROCTLSRC/bin/broctl.in $BROCTLSRC/Makefile.in $BROCTLSRC/VERSION
-	./config.status
-
-install:
-
-install-broctl: 
-	MAKE_DESTDIR=$(DESTDIR) ./bin/make-wrapper install --make
-
-install-local: 
-	MAKE_DESTDIR=$(DESTDIR) ./bin/make-wrapper install --local
-
-print-config:
-	./bin/make-wrapper config
-
-clean:
-	rm -f BroControl/*.pyc
-	rm -rf .python-build
-	( cd aux/capstats && ${MAKE} clean)
-
-distclean:
-	rm -f config.status Makefile bin/broctl bin/make-wrapper
-	rm -f BroControl/*.pyc
-	rm -rf .python-build
-	( cd aux/capstats && ${MAKE} distclean)
-	rm -rf aux/capstats/capstats-* 
-    
-distdir:
-	@test x"$(distdir)" != x"" || ( echo error: 'make dist' must be called from top-level Makefile && exit 1 )
-	rm -f .exclude
-	for i in $(DIST_IGNORE); do echo $$i >>.exclude; done;
-	find . -regex '.*/\.svn' | sed 's#^\./##g' >>.exclude
-	tar cf - -X .exclude * | ( cd $(distdir) && tar xf - )
-	rm -f .exclude
-
-	mkdir $(distdir)/aux/capstats; 
-	( cd aux/capstats; unset MAKEFLAGS; distdir="" top_distdir="" make distdir; ) 
-	( cd aux/capstats/capstats-* && tar cf - . ) | ( cd $(distdir)/aux/capstats && tar xf - ); 
-
-doc:
-	python BroControl/options.py >README.options
-	python ./bin/broctl --print-doc >README.cmds
-	asciidoc --unsafe -a toc -a no-homepage-link -b xhtml11-custom README
-
-pybroccoli:
-	@echo broctl: building Python bindings for Broccoli ...        
-	( cd $BRODIST/aux/broccoli/bindings/python \
-      && CFLAGS="-I$BRODIST/aux/broccoli/src" LDFLAGS="-L$BROBUILD/aux/broccoli/src/.libs" python setup.py build -b $BROCTLBUILD/.python-build )
-	@( cd $BROCTLBUILD/.python-build && test -e lib || ln -s lib.* lib )	
-
-pysubnettree:
-	@echo broctl: building pysubnettree Python module ...        
-	@( cd $BRODIST/aux/broctl/aux/pysubnettree \
-      && python setup.py build -b $BROCTLBUILD/.python-build )
-
-capstats:
-	@echo broctl: building capstats ...        
-	@( cd $BROCTLBUILD/aux/capstats && ${MAKE} )
-
-## Make distcheck happy.
-EMPTY_AUTOMAKE_TARGETS = dvi pdf ps info html tags ctags install-data install-exec uninstall install-dvi install-html install-info install-ps install-pdf installdirs check installcheck mostlyclean maintainer-clean tags ctags
-$(EMPTY_AUTOMAKE_TARGETS):
diff --git a/aux/broctl/README b/aux/broctl/README
deleted file mode 100644
index 0a838da2f1..0000000000
--- a/aux/broctl/README
+++ /dev/null
@@ -1,450 +0,0 @@
-//	-*- AsciiDoc -*-
-//
-// $Id: README 6948 2009-12-03 20:59:41Z robin $
-//
-// FIXME: This needs asciidoc 8.2.x plus some custom config files.
-
-BroControl
-===========
-Robin Sommer
-:email: robin@icir.org
-
-This document summarizes installation and use of _BroControl_,
-Bro's interactive shell for operating Bro installations. _Bro
-Control_ has two modes of operation: a _stand-alone_ mode for
-managing a traditional, single-system Bro setup; and a _cluster_
-mode for maintaining a multi-system setup of coordinated Bro
-instances load-balancing the work across a set of independent
-machines. Below, we describe the installation process separately for
-the two modes. Once installed, the operation is pretty similar for
-both types; just keep in mind that if this documents refers to
-"nodes" and you're in a stand-alone setup, there's is only a single
-one and no worker/proxies.)
-
-Prerequisites
--------------
-
-Running _BroControl_ requires the following prerequisites:
-
-  - A Unix system. FreeBSD, Linux, and MacOS are supported and
-  should work out of the box. Note however that FreeBSD usually sees
-  more testing as it is Bro's primary development platform.  Other
-  Unix systems will quite likely require some tweaking. Note that in
-  a cluster setup, all systems must be running exactly the _same_
-  operating system.
-
-  - A version of _Python_ >= 2.4. 
-
-  - A _bash_ (note in particular, that on FreeBSD, _bash_ is not
-  installed by default). 
-
-NOTE: If you're using a development version, you might need to apply
-a patch to Bro. Please xref:devversion[see below].
-
-Installing a Stand-alone Bro
-----------------------------
-
-This is the default installation. Configure and compile Bro as
-usual, specifying the target installation path as ``prefix`` (we use
-+/usr/local/bro+ as an example):
-
-  > cd /path/to/bro/source/distribution
-  > ./configure --prefix=/usr/local/bro
-  > make
-
-- Install _BroControl_:
-
-  > make install-broctl
-
-  (This includes the standard "make install".)
-
-- Add +<prefix>/bin+ to your +PATH+.
-
-- The installation installs three configuration files which you
-  should edit:
-
-  * +etc/broctl.cfg+ is the overall _BroControl_ configuration.
-  Initially, you probably only need to edit the email address for
-  mails sent by the framework; that's the +MailTo+ line. 
-
-  * In +etc/nodes.cfg+, you need to specify the network interface
-  Bro is to monitor; that's the +interface+ line. 
-
-  * In +etc/networks.cfg+, list all the networks which Bro should
-  consider as local to the monitored enviroment. 
-
-- Once you have updated these files, install the modified
-  configuration:
-
-  > broctl install
-
-- Some tasks need to be run on a regular basis. Insert a line like
-this into your crontab:
-
-  0-59/5 * * * * /usr/local/bro/bin/broctl cron
-
-- Finally, you can start Bro:
-
-  > broctl start
-
-Installing a Bro Cluster
-------------------------
-
-A _Bro Cluster_ is a set of systems jointly analyzing the traffic of
-a network link in a coordinated fashion. _BroControl_ is able to
-operate such a setup from a central manager system pretty much
-transparently, hiding much of the complexity of the multi-machine
-installation. 
-
-A cluster consists of four types of components:
-
-  1. One or more frontends.
-       Frontends load-balance the traffic across a set of worker
-       machines.
-
-  2. Worker nodes.
-       Workers are doing the actual analysis, with each seeing a
-       slice of the overall traffic as splitted up by the frontends.
-
-  3. One or more proxies.
-       Proxies relay the communication between worker nodes.
-
-  4. One manager.
-       The manager provides the cluster's user-interface for
-       controlling and logging. During operation, the user only
-       interacts with the manager; this is where _BroControl_ is
-       running.
-
-See http:///www.icir.org/robin/papers/raid07.pdf[this RAID Paper]
-for more information about the general cluster architecture. This
-document focusses on the installation of manager, workers, and the
-proxies. See <somewhere different> for a discussion of how to setup
-a frontend. If not otherwise stated, in the following we use the
-terms "manager", "worker", and "proxy" to refer to Bro instances,
-not to physical machines; rather, we use the term "node" to refer to
-physical machines. There may be multiple Bro instances running on
-the same node. For example, it's possible to run a proxy on the same
-node as the manager is operating on. 
-
-In the following, as an example setup, we will assume that our
-cluster consists of four nodes (not counting the frontend). The host
-names of the systems will be +host1+, +host2+, +host3+, and +host4+.
-We will configure the cluster so that +host1+ runs the manager and
-the (only) proxy, and +host{2,3,4}+ are each running one worker.
-This is a typical setup, which will work well for many sites.
-
-When installing a cluster, in addition to the prerequisites
-mentioned above, you need to
-
-  - have the same user account set up on all nodes. On the worker
-  nodes, this user must have access to target network interface in
-  promiscious mode. +ssh+ access from the manager node to this user
-  account must be setup on all machines, and must work without
-  asking for a password/passphrase.
-
-  - have some storage available on all nodes under the same path,
-  which we will call the cluster's _prefix_ path. In the following,
-  we will use +/usr/local/bro+ as an example. The Bro user must
-  be able to either create this directory or, where it already
-  exists, must have write permission inside this directory on all
-  nodes.
-
-  - have +ssh+ and +rdist+ installed. 
-
-With all prerequisites in place, as the Bro user, perform the
-following steps to install a Bro cluster:
-
-- Configure and compile the Bro distribution using the cluster's
-  prefix path as +--prefix+ +--prefix+, and selecting cluster
-  operation with the +--enable-cluster+ option:
-
-  > cd /path/to/bro/source/distribution
-  > ./configure --prefix=/usr/local/bro --enable-cluster
-  > make
-
-- Install _BroControl_:
-
-  > make install-broctl
-
-  (This includes the standard +make install+.)
-
-- Add +<prefix>/bin+ to your +PATH+.
-
-- Create a cluster configuration file. There is an example provided,
-which you can edit according to the instructions in the file:
-
-  > cd /usr/local/bro
-  > cp etc/broctl.cfg.example etc/broctl.cfg
-  > vi etc/broctl.cfg
-
-- Create a node configuration file to define where manager, workers,
-  and proxies are to run. There is again an example, which defines
-  the example scenario described above and can be edited as needed:
-
-  > cd /usr/local/bro
-  > cp etc/node.cfg.example etc/node.cfg
-  > vi etc/node.cfg
-
-- Create a network configuration file that lists all of the networks
-  which the cluster should consider as local to the monitored
-  enviroment. Once, again the installation installs a template for
-  editing:
-
-  > cd /usr/local/bro
-  > cp etc/networks.cfg.example etc/networks.cfg
-  > vi etc/networks.cfg
-
-- Install workers and proxies using _BroControl_:
-
-  > broctl install
-+ 
-This installation process uses +ssh+ and +rdist+ to copy the
-configuration over to the remote machines so, as described above,
-you need to ensure that logging in via SSH works before the install will
-succeed. 
-
-- Some tasks need to be run on a regular basis. On the manager node,
-insert a line like this into the crontab of the user running the
-cluster.
-
-  0-59/5 * * * * <prefix>/bin/broctl cron
-
-- Finally, you can start the cluster:
-
-  > broctl start
-
-Getting Started
----------------
-
-_BroControl_ is an interactive interface to the cluster which
-allows you to, e.g., start/stop the monitoring or update its
-configuration. It is started with the +broctl+ script and then
-expects commands on its command-line (alternatively, +broctl+ can
-also be started with a single command directly on the shell's
-command line):
-
-  > cluster
-  Welcome to BroControl 0.2
-
-  Type "help" for help.
-
-  [BroControl] >
-
-As the message says, type xref:cmd_help[+help+] to see a list of all
-commands. We will now briefly summarize the most important commands.
-A full reference follows link:cmd_reference[below]. 
-
-Once +broctl.cfg+ and +node.cfg+ are set up as described above, the
-monitoring can be started with the xref:cmd_start[+start+] command.
-In the cluster setup, this will successively start manager, proxies,
-and workers. The xref:cmd_status[+status+] command should then show
-all nodes as operating. To stop the monitoring, issue the
-xref:cmd_stop[+stop+] command. xref:cmd_exit[+exit+] leaves the
-shell. 
-
-On the manager system (and on the standalone system), you find the
-current set of (aggregated) logs in +logs/current+ (which is a
-symlink to the corresponding spool directory.) The workers and
-proxies log into +spool/proxy/+ and +spool/<worker-name>/+,
-respectively. The manager/stand-alone logs are archived in +logs/+,
-by default once a day. Logs files of workers and proxies are
-discarded at the same rotation interval.
-
-Whenenver the _BroControl_ configuration is modified in any way
-(including changes to configuration files and site-specific policy
-scripts), xref:cmd_install[+install+] installs the new version. _No
-changes will take effect until xref:cmd_install[+install+] is run_.
-Before you run xref:cmd_install[+install+], xref:cmd_check[+check+]
-can be used to check for any potential erros in the new
-configuration, e.g., typos in scripts. If xref:cmd_check[+check+]
-does not report any problems, doing xref:cmd_install[+install+] will
-pretty likely not break anything. 
-
-Note that generally configuration changes only take effect after a
-restart of the affected nodes. The xref:cmd_restart[+restart+]
-command triggers this. Some changes however can be put into effect
-on-the-fly without restarting any of the nodes by using the
-xref:cmd_update[+update+] command (again only after doing
-xref:cmd_install[+install+] first). Such dynamic updates work with
-all changes done via the xref:cmd_analysis[+analysis+] command (see
-below) as well as generally with all policy which only modify global
-variables declared as _redefinable_ (i.e., with Bro's _&redef_
-attribute).
-
-Generally, site-specific tuning needs to be done with local policy
-scripts, as in any Bro setup. This is described
-link:site_tuning[below]. Some general types of analysis can however
-be enabled/disabled via the xref:cmd_analysis[+analysis+] command.
-
-_BroControl_ provides various options to control the behaviour of the
-setup. These options can be set by editing +etc/broctl.cfg+. The
-xref:cmd_config[+config+] command gives list of all options with
-their current values. A list of the most important options also
-follows link:cmd_reference[below].
-
-Site-specific Customization
----------------------------
-[[site_tuning]]
-
-You'll most likely want to adapt the Bro policy to the local
-environment. While some types of analysis can be customized via the
-xref:cmd_analysis[+analysis+] command, much of the more specific
-tuning requires writing local policy files. 
-
-By default, it is assumed that you put site-specific policy scripts
-into the +share/bro/site+ directory. To change the location of site
-policies, set the option xref:opt_SitePolicyPath[+SitePolicyPath+]
-in +broctl.cfg+ to a different path.
-
-During the initial install, sample policy scripts are installed in
-+share/bro/site+, which you can edit as appropiate. In the stand-alone
-setup, this is just a single file called +local.bro+. In the cluster
-setup, there are three: +local-manager.bro+ and +local-worker.bro+
-are loaded by the manager and the workers (plus proxies),
-respectively. In turn, both of these load +local.bro+, which
-contains all configuration code shared by all nodes. If in doubt,
-put your customizations into +local.bro+ so that all nodes see it.
-If you want to change which local scripts are loaded by the nodes,
-you can set xref:opt_SitePolicyManager[+SitePolicyManager+] for the
-manager and xref:opt_SitePolicyWorker[+SitePolicyWorker+] for the
-workers.
-
-In the cluster setup, the main exception to putting everything into
-+local.bro+ is notice filtering, which should be done only on the
-manager. The example +local-manager.bro+ comes with an example setup
-to configure notice policy and notice actions. You should to adapt
-thiese to the local environment.
-
-In general, all of _BroControl_'s policy scripts are loaded before any
-site-specific policy so that you can redefine any of the defaults
-locally. The xref:cmd_scripts[+scripts+] shows precisely which
-policy scripts get loaded by a node; that can be very helpful for
-debugging. 
-
-Please note that enabling a particular kind of analysis via the
-xref:cmd_analysis[+analysis+] command only has an effect if the
-corresponding Bro scripts are loaded by the local site policy in
-+local.bro+. 
-
-It is also possible to add additional scripts to individual nodes
-only. This works by setting the option +aux_scripts+ for the
-corresponding node(s) in +etc/nodes.cfg+. For example, one could add
-a script +experimental.bro+ to a single worker for trying out new
-experimental code.
-
-Command Reference
------------------
-[[cmd_reference]]
-
-The following summary lists all commands supported by _BroControl_. All
-commands may be either entered interactively or specificed on the
-shell's command line. If not specified otherwise, commands taking
-_[<nodes>]_ as arguments apply their action either to the given set
-of nodes, or to all nodes if none is given.
-
-include::README.cmds[]
-
-Option Reference
-----------------
-
-This section summarizes the options that can be set in 
-+etc/broctl.cfg+ for customizing the behaviour of _BroControl_. Usually,
-one only needs to change the "user options", which are listed first.
-The "internal options" are, as the name suggests, primarily used
-internally and set automatically. They are documented here only for
-reference.
-
-include::README.options[]
-
-Miscellanous
-------------
-
-Mails
-~~~~~
-
-_BroControl_ sents four types of mails to the address given in +MailTo+:
-
-1. When logs are rotated (per default once a day), a list of all
-   alerts during the last rotation interval is sent. This can be
-   disabled by setting +MailAlarms=0+.
-
-2. When the +cron+ command noticies that a node has crashed, it
-   restarts it and sends a notification. It may also send a more
-   detailed crash report containing information about the crash. 
-
-3. NOTICES with a notice action of +NOTICE_EMAIL+; see the Bro
-   documentation for how to configure NOTICE priorities. 
-
-4. If link:trace_summary[+trace-summary+] is installed, a
-   traffic summary is sent each rotation interval. 
-
-Performance Analysis 
-~~~~~~~~~~~~~~~~~~~~
-
-_TODO_: +broctl cron+ logs a number of statistics, which can be
-analyzed/plotted for understanding the cluster's run-time behaviour.
-
-
-Questions and Answers
----------------------
-
-Can I use an NFS-mounted partition as the cluster's base directory to avoid the +rsync+'ing???  
-    Yes. xref:opt_BroBase[+BroBase+] can be on an NFS partition.
-    Configure and install the shell as usual with
-    +--prefix=<BroBase>+. Then add xref:opt_HaveNFS[HaveNFS]=1+ and
-    +SpoolDir=<spath>+ to +etc/broctl.cfg+, where +<spath>+ is a
-    path on the local disks of the nodes; +<spath>+ will be used for
-    all non-shared data (make sure that the parent directory exists
-    and is writable on all nodes!). Then run xref:cmd_install[+make
-    install-broctl+] again. Finally, you can remove
-    +<BroBase>/spool+ (or link it to <spath>). In addition, you
-    might want to keep the log files locally on the nodes as well by
-    setting xref:opt_LogDir[+LogDir+]+ to a non-NFS directory. (Only
-    the manager's logs will be kept permanently, the logs of
-    workers/proxies are discarded upon rotation.)
-
-When I'm using the xref:Standalone[standalone mode], do I still need to have +ssh+ and +rsync+ installed and configured???
-    No. The standalone performs all operations directly on the local
-    file system.
-
-What do I need to do when the something in the Bro distribution changes???
-    Just re-run +make broctl-install+. It will reinstall
-    all the files from the distribution, except for any of the
-    template files, as they might have been edited. 
-+
-In addition, _BroControl_ has a "development mode", which makes
-installation easier if distribution files change frequently
-(e.g., becayse you're working from SVN). Development mode
-activated by adding +DevMode=1+ to +etc/broctl.cfg+. Once done,
-_BroControl_'s +install+ command will also install all the files
-from the distribution, just as +make broctl-install+ does. Note
-that you obviously need to keep the distribution around to have
-this work. 
-+
-Note for folks who have used the old "cluster shell": the
-development mode corresponds to the old default behaviour, which
-worked with any +make install-broctl+.
-
-After a Bro crash, the timestamps of the archived log files sometimes seem to be wrong???
-   When Bro crashes, broctl archives the log files produced so far
-   at the normal location. However, for some files it can't (easily)
-   determine the right timestamps to put into the filename. This
-   affects in particular those log files that are not rotated on
-   regular basis (e.g., +stdout.log+, +prof.log+); their filenames
-   will indicate as their start time the point when all the other
-   files were _rotated_ most recently. In addition, for all log
-   files, after a crash the start/end times indicated by the file
-   names might be off a few seconds. 
-
-[[devversion]]Anything special to consider when using development versions???
-   If you are using a _development version_, _BroControl_ might
-   require patching Bro itself to work correctly. A "development
-   version" is defined as anything you have downloaded from Bro's
-   Subversion repository (as opposed to downloading a release
-   tar-ball). If so, see if there's a file called
-   +aux/broctl/patch-bro.diff+. If there is, apply it as follows
-   before you proceed with any of the steps below:
-+
-   > cd /path/to/bro/source/distribution
-   > patch -p0 <aux/broctl/patch-bro.diff
-   > ./autogen.sh
diff --git a/aux/broctl/README.cmds b/aux/broctl/README.cmds
deleted file mode 100644
index 64e9842991..0000000000
--- a/aux/broctl/README.cmds
+++ /dev/null
@@ -1,249 +0,0 @@
-// Automatically generated. Do not edit.
-
-
-[[cmd_analysis]] *analysis _enable|disable <type>_*::
-
-This command enables or disables certain kinds of analysis without the
-need for doing any changes to Bro scripts. Currently, the analyses
-shown in the table below can be controlled (in parentheses the
-corresponding Bro scripts; the effect of enabling/disabling is similar
-to loading or not loading these scripts, respectively). The list might
-be extended in the future. Any changes performed via this command are
-applied by xref:cmd_update[+update+] and therefore do not require a
-restart of the nodes.
-+
-[format="dsv",frame="none",grid="all",border="0",separator="|"]
-.10`20~
-Type          | Description
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-dns           | DNS analysis (+dns.bro+)
-ftp           | FTP analysis (+ftp.bro+)
-http-body     | HTTP body analysis (+http-body.bro+).
-http-request  | Client-side HTTP analysis only (+http-request.bro+)
-http-reply    | Client- and server-side HTTP analysis (+http-request.bro+/+http-reply.bro+)
-http-header   | HTTP header analysis (+http-headers.bro+)
-scan          | Scan detection (+scan.bro+)
-smtp          | SMTP analysis (+smtp.bro+)
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-
-
-[[cmd_attachgdb]] *attachgdb _[<nodes>]_*::
-
-Primarily for debugging, the command attaches a _gdb_ to the main Bro
-process on the given nodes.
-
-
-[[cmd_capstats]] *capstats _[<interval>] [<nodes>]_*::
-
-Determines the current load on the network interfaces monitored by
-each of the given worker nodes. The load is measured over the
-specified interval (in seconds), or by default over 10 seconds. This
-command uses the http://www.icir.org/robin/capstats[capstats] tool,
-which is installed along with +broctl+.
-
-(Note: When using a CFlow and the CFlow command line utility is
-installed as well, the +capstats+ command can also query the device
-for port statistics. _TODO_: document how to set this up.)
-
-
-[[cmd_check]] *check _[<nodes>]_*::
-
-Verifies a modified configuration in terms of syntactical correctness
-(most importantly correct syntax in policy scripts). This command
-should be executed for each configuration change _before_
-xref:cmd_install[+install+] is used to put the change into place. Note
-that +check+ is the only command which operates correctly without a
-former xref:cmd_install[+install+] command; +check+ uses the policy
-files as found in xref:opt_SitePolicyPath[+SitePolicyPath+] to make
-sure they compile correctly. If they do, xref:cmd_install[+install+]
-will then copy them over to an internal place from where the nodes
-will read them at the next xref:cmd_start[+start+]. This approach
-ensures that new errors in a policy scripts will not affect currently
-running nodes, even when one or more of them needs to be restarted.
-
-
-[[cmd_cleanup]] *cleanup _[--all] [<nodes>]_*::
-
-Clears the nodes' spool directories (if they are not running
-currently). This implies that their persistent state is flushed. Nodes
-that were crashed are reset into _stopped_ state. If +--all+ is
-specified, this command also removes the content of the node's
-xref:opt_TmpDir[+TmpDir+], in particular deleteing any data
-potentially saved there for reference from previous crashes.
-Generally, if you want to reset the installation back into a clean
-state, you can first xref:cmd_stop[+stop+] all nodes, then execute
-+cleanup --all+, and finally xref:cmd_start[+start+] all nodes
-again.
-
-
-[[cmd_config]] *config *::
-Prints all configuration options with their current values.
-
-
-[[cmd_cron]] *cron _[<nodes>]_*::
-
-As the name implies, this command should be executed regularly via
-_cron_, as described xref:Installation[above]. It performs a set of
-maintainance tasks, including the logging of various statistical
-information, expiring old log files, checking for dead hosts, and
-restarting nodes which terminated unexpectedly.  While not intended
-for interactive use, no harm will be caused by executing the command
-manually: all the maintainance tasks will then just be performed one
-more time.
-
-
-[[cmd_df]] *df _[<nodes>]_*::
-
-Reports the amount of disk space available on the nodes. Shows only
-paths relevant to the broctl installation.
-
-
-[[cmd_diag]] *diag _[<nodes>]_*::
-
-If a node has terminated unexpectedly, this command prints a (somewhat
-cryptic) summary of its final state including excerpts of any
-stdout/stderr output, resource usage, and also a stack backtrace if a
-core dump is found. The same information is sent out via mail when a
-node is found to have crashed (the "crash report"). While the
-information is mainly intended for debugging, it can also help to find
-misconfigurations (which are usually, but not always, caught by the
-xref:cmd_check[+check+] command).
-
-
-[[cmd_exec]] *exec _<command line>_*::
-
-Executes the given Unix shell command line on all nodes configured to
-run at least one Bro instance. This is handy to quickly perform an
-action across all systems.
-
-
-[[cmd_exit]] *exit *::
-Terminates the shell.
-
-
-[[cmd_help]] *help *::
-Prints a brief summary of all commands understood by the shell.
-
-
-[[cmd_install]] *install *::
-
-
-Reinstalls the given nodes, including all configuration files and
-local policy scripts.  This command must be executed after _all_
-changes to any part of the broctl configuration, otherwise the
-modifications will not take effect. Usually all nodes should be
-reinstalled at the same time, as any inconsistencies between them will
-lead to strange effects. Before executing +install+, it is recommended
-to verify the configuration with xref:cmd_check[+check+].
-
-
-[[cmd_netstats]] *netstats _[<nodes>]_*::
-
-Queries each of the nodes for their current counts of captured and
-dropped packets.
-
-
-[[cmd_nodes]] *nodes *::
-Prints a list of all configured nodes.
-
-
-[[cmd_peerstatus]] *peerstatus _[<nodes>]_*::
-
-Primarily for debugging, +peerstatus+ reports statistics about the
-network connections cluster nodes are using to communicate with other
-nodes.
-
-
-[[cmd_print]] *print _<id> [<nodes>]_*::
-
-Reports the _current_ live value of the given Bro script ID on all of
-the specified nodes (which obviously must be running). This can for
-example be useful to (1) check that policy scripts are working as
-expected, or (2) confirm that configuration changes have in fact been
-applied.  Note that IDs defined inside a Bro namespace must be
-prefixed with +<namespace>::+ (e.g., +print SSH::did_ssh_version+ to
-print the corresponding table from +ssh.bro+.)
-
-
-[[cmd_quit]] *quit *::
-Terminates the shell.
-
-
-[[cmd_restart]] *restart _[--clean] [<nodes>]_*::
-
-Restarts the given nodes, or all nodes if none are specified. The
-effect is the same as first executing xref:cmd_stop[+stop+] followed
-by a xref:cmd_start[+start+], giving the same nodes in both cases.
-This command is most useful to activate any changes made to Bro policy
-scripts (after running xref:cmd_install[+install+] first). Note that a
-subset of policy changes can also be installed on the fly via the
-xref:cmd_updatel[+update+], without requiring a restart.
-
-If +--clean+ is given, the installation is reset into a clean state
-before restarting. More precisely, a +restart --clean+ turns into the
-command sequence xref:cmd_stop[+stop+], xref:cmd_cleanup[+cleanup
---all+], xref:cmd_check[+check+], xref:cmd_install[+install+], and
-xref:cmd_start[+start+].
-
-
-
-[[cmd_scripts]] *scripts _[-p|-c] [<nodes>]_*::
-
-Primarily for debugging Bro configurations, the +script+ command lists
-all the Bro scripts loaded by each of the nodes in the order as they
-will be parsed by the node at startup. If +-p+ is given, all scripts
-are listed with their full paths. If +-c+ is given, the command
-operates as xref:cmd_check::[+check+] does: it reads the policy files
-from their _original_ location, not the copies installed by
-xref:cmd_install[+install+]. The latter option is useful to check a
-not yet installed configuration.
-
-
-[[cmd_start]] *start _[<nodes>]_*::
-
-Starts the given nodes, or all nodes if none are specified. Nodes
-already running are left untouched.
-
-
-
-[[cmd_status]] *status _[<nodes>]_*::
-
-Prints the current status of the given nodes.
-
-
-[[cmd_stop]] *stop _[<nodes>]_*::
-
-Stops the given nodes, or all nodes if none are specified. Nodes not
-running are left untouched.
-
-
-
-[[cmd_top]] *top _[<nodes>]_*::
-
-For each of the nodes, prints the status of the two Bro
-processes (parent process and child process) in a _top_-like
-format, including CPU usage and memory consumption. If
-executed interactively, the display is updated frequently
-until key +q+ is pressed. If invoked non-interactively, the
-status is printed only once.
-
-
-[[cmd_update]] *update _[<nodes>]_*::
-
-After a change to Bro policy scripts, this command updates the Bro
-processes on the given nodes _while they are running_ (i.e., without
-requiring a xref:cmd_restart[+restart+]). However, such dynamic
-updates work only for a _subset_ of Bro's full configuration. The
-following changes can be applied on the fly: (1) The value of all
-script variables defined as +&redef+ can be changed; and (2) all
-configuration changes performed via the xref:cmd_analysis[+analysis+]
-command can be put into effect. More extensive script changes are not
-possible during runtime and always require a restart; if you change
-more than just the values of +&redef+ variables and still issue
-+update+, the results are undefined and can lead to crashes. Also note
-that before running +update+, you still need to do an
-xref:cmd_install[+install+] (preferably after
-xref:cmd_install[+check+]), as otherwise +update+ will not see the
-changes and resend the old configuration.
-
diff --git a/aux/broctl/README.html b/aux/broctl/README.html
deleted file mode 100644
index 1ec7ed060b..0000000000
--- a/aux/broctl/README.html
+++ /dev/null
@@ -1,1986 +0,0 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
-    "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
-<meta name="generator" content="AsciiDoc 8.2.7" />
-<style type="text/css">
-/* Debug borders */
-p, li, dt, dd, div, pre, h1, h2, h3, h4, h5, h6 {
-/*
-  border: 1px solid red;
-
-  margin: 1.8em 10% 1.8em 10%;
-
-*/
-}
-
-body {
-  background:#ffffff;
-  padding: 20px 10px;
-  font-size: 90%;
-  font-family: sans-serif;
-  color: #505050;
-  margin: 2em 10% 2em 10%;
-  line-height: 1.4em;
-}
-
-a {
-  color: #005000;
-}
-
-a:visited {
-  color: #005000;
-}
-
-a:hover {
-  color: #002000;
-}
-
-em {
-  font-style: italic;
-}
-
-strong {
-  font-weight: bold;
-}
-
-tt {
-  color: #000000;
-}
-
-h1, h2, h3, h4, h5, h6, div#toctitle {
-  color: #227022;
-  font-family: sans-serif;
-  margin-top: 1.2em;
-  margin-bottom: 0.5em;
-  line-height: 1.3;
-  font-weight: normal;
-}
-
-h1, h2, h3, div#toctitle {
-  border-bottom: 1px solid;
-  border-color: #000000;
-}
-
-h1 {
-  font-size: 150%;
-  }
-
-h2, div#toctitle {
-  padding-top: 0.5em;
-  font-size: 120%;
-}
-h3 {
-  float: left;
-  font-size: 100%;
-}
-h3 + * {
-  clear: left;
-}
-
-div.sectionbody {
-  font-family: sans-serif;
-  margin-left: 0;
-}
-
-hr {
-  border: 1px solid;
-}
-
-p {
-  margin-top: 0.5em;
-  margin-bottom: 0.5em;
-}
-
-pre {
-  padding: 0;
-  margin: 0;
-}
-
-span#author {
-  color: #338033;
-  font-family: sans-serif;
-  font-size: 100%;
-}
-span#email {
-}
-span#revision {
-  font-family: sans-serif;
-}
-
-div#footer {
-  font-family: sans-serif;
-  font-size: 70%;
-  border-top: 1px solid;
-  padding-top: 0.5em;
-  margin-top: 4.0em;
-}
-div#footer-text {
-  float: left;
-  padding-bottom: 0.5em;
-}
-div#footer-badges {
-  float: right;
-  padding-bottom: 0.5em;
-}
-
-div#preamble,
-div.tableblock, div.imageblock, div.exampleblock, div.verseblock,
-div.quoteblock, div.literalblock, div.listingblock, div.sidebarblock,
-div.admonitionblock {
-  margin-top: 1.1em;
-  margin-left: 1em;
-  margin-bottom: 1.1em;
-/*  background: #eeffcc; */
-}
-div.admonitionblock {
-  margin-top: 2.5em;
-  margin-bottom: 2.5em;
-}
-
-div.content { /* Block element content. */
-  padding: 0;
-}
-
-/* Block element titles. */
-div.title, caption.title {
-  font-family: sans-serif;
-  text-align: left;
-  margin-top: 1.0em;
-  margin-bottom: 0.5em;
-}
-div.title + * {
-  margin-top: 0;
-}
-
-td div.title:first-child {
-  margin-top: 0.0em;
-}
-div.content div.title:first-child {
-  margin-top: 0.0em;
-}
-div.content + div.title {
-  margin-top: 0.0em;
-}
-
-div.sidebarblock > div.content {
-  background: #ffffee;
-  border: 1px solid;
-  padding: 0.5em;
-}
-
-div.listingblock {
-  margin-right: 0%;
-}
-div.listingblock > div.content {
-  border: 1px solid;
-  background: #f4f4f4;
-  padding: 0.5em;
-}
-
-div.quoteblock > div.content {
-  padding-left: 2.0em;
-}
-
-div.attribution {
-  text-align: right;
-}
-
-div.verseblock + div.attribution {
-  text-align: left;
-}
-
-div.admonitionblock .icon {
-  vertical-align: top;
-  font-size: 100%;
-  color: #338033;
-  padding-right: 0.5em;
-}
-div.admonitionblock td.content {
-  padding-left: 0.5em;
-  border-left: 2px solid;
-}
-
-div.exampleblock > div.content {
-  border-left: 2px solid;
-  padding: 0.5em;
-}
-
-div.verseblock div.content {
-  white-space: pre;
-}
-
-div.imageblock div.content { padding-left: 0; }
-div.imageblock img { border: 1px solid ; }
-span.image img { border-style: none; }
-
-dl {
-  margin-top: 0.8em;
-  margin-bottom: 0.8em;
-}
-dt {
-  margin-top: 0.5em;
-  margin-bottom: 0;
-  font-style: italic;
-}
-dd > *:first-child {
-  margin-top: 0;
-}
-
-ul, ol {
-    list-style-position: outside;
-}
-ol.olist2 {
-  list-style-type: lower-alpha;
-}
-
-div.tableblock > table {
-  border: 1px solid #527bbd;
-}
-
-div.addrblock > table {
-  border: 0px 0px 0px 0px;
-  border-style: none none none none;
-  padding: 0px;
-  margin: 10px;
-  color: #000000;
-}
-
-table.addrblockbg {
-  /*
-  border-top: 1px solid;
-  border-bottom: 1px solid;
-  */
-  background: #e0ffe0 ;
-  border-style: none;
-  outline-style: none;
-}
-
-thead {
-  font-family: sans-serif;
-  color: #000000;
-}
-tfoot {
-  font-weight: bold;
-  color: #000000;
-}
-
-div.hlist {
-  margin-top: 0.8em;
-  margin-bottom: 0.8em;
-}
-div.hlist td {
-  padding-bottom: 5px;
-}
-td.hlist1 {
-  vertical-align: top;
-  font-style: italic;
-  padding-right: 0.8em;
-}
-td.hlist2 {
-  vertical-align: top;
-}
-
-@media print {
-  div#footer-badges { display: none; }
-}
-
-div.toclevel1, div.toclevel2, div.toclevel3, div.toclevel4 {
-  margin-top: .5ex;
-  margin-bottom: 0;
-  margin-left: 2em;
-  line-height: 1.3;
-}
-div.toclevel1 {
-  margin-top: 1ex;
-}
-div.toclevel2 {
-  margin-left: 4em;
-}
-
-div.toclevel3 {
-  margin-left: 6em;
-}
-div.toclevel4 {
-  margin-left: 8em;
-}
-/* Workarounds for IE6's broken and incomplete CSS2. */
-
-div.sidebar-content {
-  background: #ffffee;
-  border-top: 1px solid silver;
-  border-bottom: 1px solid silver;
-  padding: 0.5em;
-}
-div.sidebar-title, div.image-title {
-  font-family: sans-serif;
-  font-weight: bold;
-  margin-top: 0.0em;
-  margin-bottom: 0.5em;
-}
-
-div.listingblock div.content {
-  border: 1px solid silver;
-  background: #f4f4f4;
-  padding: 0.5em;
-}
-
-div.quoteblock-content {
-  padding-left: 2.0em;
-}
-
-div.exampleblock-content {
-  border-left: 2px solid silver;
-  padding-left: 0.5em;
-}
-
-/* IE6 sets dynamically generated links as visited. */
-div#toc a:visited { color: blue; }
-</style>
-<script type="text/javascript">
-/*<![CDATA[*/
-window.onload = function(){generateToc(2)}
-/* Author: Mihai Bazon, September 2002
- * http://students.infoiasi.ro/~mishoo
- *
- * Table Of Content generator
- * Version: 0.4
- *
- * Feel free to use this script under the terms of the GNU General Public
- * License, as long as you do not remove or alter this notice.
- */
-
- /* modified by Troy D. Hanson, September 2006. License: GPL */
- /* modified by Stuart Rackham, October 2006. License: GPL */
-
-function getText(el) {
-  var text = "";
-  for (var i = el.firstChild; i != null; i = i.nextSibling) {
-    if (i.nodeType == 3 /* Node.TEXT_NODE */) // IE doesn't speak constants.
-      text += i.data;
-    else if (i.firstChild != null)
-      text += getText(i);
-  }
-  return text;
-}
-
-function TocEntry(el, text, toclevel) {
-  this.element = el;
-  this.text = text;
-  this.toclevel = toclevel;
-}
-
-function tocEntries(el, toclevels) {
-  var result = new Array;
-  var re = new RegExp('[hH]([2-'+(toclevels+1)+'])');
-  // Function that scans the DOM tree for header elements (the DOM2
-  // nodeIterator API would be a better technique but not supported by all
-  // browsers).
-  var iterate = function (el) {
-    for (var i = el.firstChild; i != null; i = i.nextSibling) {
-      if (i.nodeType == 1 /* Node.ELEMENT_NODE */) {
-        var mo = re.exec(i.tagName)
-        if (mo)
-          result[result.length] = new TocEntry(i, getText(i), mo[1]-1);
-        iterate(i);
-      }
-    }
-  }
-  iterate(el);
-  return result;
-}
-
-// This function does the work. toclevels = 1..4.
-function generateToc(toclevels) {
-  var toc = document.getElementById("toc");
-  var entries = tocEntries(document.getElementsByTagName("body")[0], toclevels);
-  for (var i = 0; i < entries.length; ++i) {
-    var entry = entries[i];
-    if (entry.element.id == "")
-      entry.element.id = "toc" + i;
-    var a = document.createElement("a");
-    a.href = "#" + entry.element.id;
-    a.appendChild(document.createTextNode(entry.text));
-    var div = document.createElement("div");
-    div.appendChild(a);
-    div.className = "toclevel" + entry.toclevel;
-    toc.appendChild(div);
-  }
-  if (entries.length == 0)
-    document.getElementById("header").removeChild(toc);
-}
-/*]]>*/
-</script>
-<title>BroControl</title>
-</head>
-<body>
-<div id="header">
-<h1>BroControl</h1>
-<span id="author">Robin Sommer</span><br />
-<span id="email"><tt>&lt;<a href="mailto:robin@icir.org">robin@icir.org</a>&gt;</tt></span><br />
-<div id="toc">
-  <div id="toctitle">Table of Contents</div>
-  <noscript><p><b>JavaScript must be enabled in your browser to display the table of contents.</b></p></noscript>
-</div>
-</div>
-<div id="preamble">
-<div class="sectionbody">
-<p>This document summarizes installation and use of <em>BroControl</em>,
-Bro's interactive shell for operating Bro installations. <em>Bro
-Control</em> has two modes of operation: a <em>stand-alone</em> mode for
-managing a traditional, single-system Bro setup; and a <em>cluster</em>
-mode for maintaining a multi-system setup of coordinated Bro
-instances load-balancing the work across a set of independent
-machines. Below, we describe the installation process separately for
-the two modes. Once installed, the operation is pretty similar for
-both types; just keep in mind that if this documents refers to
-"nodes" and you're in a stand-alone setup, there's is only a single
-one and no worker/proxies.)</p>
-</div>
-</div>
-<h2><a id="_prerequisites"></a>Prerequisites</h2><p/>
-<div class="sectionbody">
-<p>Running <em>BroControl</em> requires the following prerequisites:</p>
-<ul>
-<li>
-<p>
-A Unix system. FreeBSD, Linux, and MacOS are supported and
-  should work out of the box. Note however that FreeBSD usually sees
-  more testing as it is Bro's primary development platform.  Other
-  Unix systems will quite likely require some tweaking. Note that in
-  a cluster setup, all systems must be running exactly the <em>same</em>
-  operating system.
-</p>
-</li>
-<li>
-<p>
-A version of <em>Python</em> &gt;= 2.4.
-</p>
-</li>
-<li>
-<p>
-A <em>bash</em> (note in particular, that on FreeBSD, <em>bash</em> is not
-  installed by default).
-</p>
-</li>
-</ul>
-<div class="admonitionblock">
-<table><tr>
-<td class="icon">
-<div class="title">Note</div>
-</td>
-<td class="content">If you're using a development version, you might need to apply
-a patch to Bro. Please <a href="#devversion">see below</a>.</td>
-</tr></table>
-</div>
-</div>
-<h2><a id="_installing_a_stand_alone_bro"></a>Installing a Stand-alone Bro</h2><p/>
-<div class="sectionbody">
-<p>This is the default installation. Configure and compile Bro as
-usual, specifying the target installation path as <tt>`prefix</tt>` (we use
-<tt>/usr/local/bro</tt> as an example):</p>
-<div class="literalblock">
-<div class="content">
-<pre><tt>&gt; cd /path/to/bro/source/distribution
-&gt; ./configure --prefix=/usr/local/bro
-&gt; make</tt></pre>
-</div></div>
-<ul>
-<li>
-<p>
-Install <em>BroControl</em>:
-</p>
-<div class="literalblock">
-<div class="content">
-<pre><tt>&gt; make install-broctl</tt></pre>
-</div></div>
-<div class="literalblock">
-<div class="content">
-<pre><tt>(This includes the standard "make install".)</tt></pre>
-</div></div>
-</li>
-<li>
-<p>
-Add <tt>&lt;prefix&gt;/bin</tt> to your <tt>PATH</tt>.
-</p>
-</li>
-<li>
-<p>
-The installation installs three configuration files which you
-  should edit:
-</p>
-<ul>
-<li>
-<p>
-<tt>etc/broctl.cfg</tt> is the overall <em>BroControl</em> configuration.
-  Initially, you probably only need to edit the email address for
-  mails sent by the framework; that's the <tt>MailTo</tt> line.
-</p>
-</li>
-<li>
-<p>
-In <tt>etc/nodes.cfg</tt>, you need to specify the network interface
-  Bro is to monitor; that's the <tt>interface</tt> line.
-</p>
-</li>
-<li>
-<p>
-In <tt>etc/networks.cfg</tt>, list all the networks which Bro should
-  consider as local to the monitored enviroment.
-</p>
-</li>
-</ul>
-</li>
-<li>
-<p>
-Once you have updated these files, install the modified
-  configuration:
-</p>
-<div class="literalblock">
-<div class="content">
-<pre><tt>&gt; broctl install</tt></pre>
-</div></div>
-</li>
-<li>
-<p>
-Some tasks need to be run on a regular basis. Insert a line like
-this into your crontab:
-</p>
-<div class="literalblock">
-<div class="content">
-<pre><tt>0-59/5 * * * * /usr/local/bro/bin/broctl cron</tt></pre>
-</div></div>
-</li>
-<li>
-<p>
-Finally, you can start Bro:
-</p>
-<div class="literalblock">
-<div class="content">
-<pre><tt>&gt; broctl start</tt></pre>
-</div></div>
-</li>
-</ul>
-</div>
-<h2><a id="_installing_a_bro_cluster"></a>Installing a Bro Cluster</h2><p/>
-<div class="sectionbody">
-<p>A <em>Bro Cluster</em> is a set of systems jointly analyzing the traffic of
-a network link in a coordinated fashion. <em>BroControl</em> is able to
-operate such a setup from a central manager system pretty much
-transparently, hiding much of the complexity of the multi-machine
-installation.</p>
-<p>A cluster consists of four types of components:</p>
-<ol>
-<li>
-<p>
-One or more frontends.
-       Frontends load-balance the traffic across a set of worker
-       machines.
-</p>
-</li>
-<li>
-<p>
-Worker nodes.
-       Workers are doing the actual analysis, with each seeing a
-       slice of the overall traffic as splitted up by the frontends.
-</p>
-</li>
-<li>
-<p>
-One or more proxies.
-       Proxies relay the communication between worker nodes.
-</p>
-</li>
-<li>
-<p>
-One manager.
-       The manager provides the cluster's user-interface for
-       controlling and logging. During operation, the user only
-       interacts with the manager; this is where <em>BroControl</em> is
-       running.
-</p>
-</li>
-</ol>
-<p>See <a href="http:///www.icir.org/robin/papers/raid07.pdf">this RAID Paper</a>
-for more information about the general cluster architecture. This
-document focusses on the installation of manager, workers, and the
-proxies. See &lt;somewhere different&gt; for a discussion of how to setup
-a frontend. If not otherwise stated, in the following we use the
-terms "manager", "worker", and "proxy" to refer to Bro instances,
-not to physical machines; rather, we use the term "node" to refer to
-physical machines. There may be multiple Bro instances running on
-the same node. For example, it's possible to run a proxy on the same
-node as the manager is operating on.</p>
-<p>In the following, as an example setup, we will assume that our
-cluster consists of four nodes (not counting the frontend). The host
-names of the systems will be <tt>host1</tt>, <tt>host2</tt>, <tt>host3</tt>, and <tt>host4</tt>.
-We will configure the cluster so that <tt>host1</tt> runs the manager and
-the (only) proxy, and <tt>host{2,3,4}</tt> are each running one worker.
-This is a typical setup, which will work well for many sites.</p>
-<p>When installing a cluster, in addition to the prerequisites
-mentioned above, you need to</p>
-<ul>
-<li>
-<p>
-have the same user account set up on all nodes. On the worker
-  nodes, this user must have access to target network interface in
-  promiscious mode. <tt>ssh</tt> access from the manager node to this user
-  account must be setup on all machines, and must work without
-  asking for a password/passphrase.
-</p>
-</li>
-<li>
-<p>
-have some storage available on all nodes under the same path,
-  which we will call the cluster's <em>prefix</em> path. In the following,
-  we will use <tt>/usr/local/bro</tt> as an example. The Bro user must
-  be able to either create this directory or, where it already
-  exists, must have write permission inside this directory on all
-  nodes.
-</p>
-</li>
-<li>
-<p>
-have <tt>ssh</tt> and <tt>rdist</tt> installed.
-</p>
-</li>
-</ul>
-<p>With all prerequisites in place, as the Bro user, perform the
-following steps to install a Bro cluster:</p>
-<ul>
-<li>
-<p>
-Configure and compile the Bro distribution using the cluster's
-  prefix path as <tt>&#8212;prefix</tt> <tt>&#8212;prefix</tt>, and selecting cluster
-  operation with the <tt>&#8212;enable-cluster</tt> option:
-</p>
-<div class="literalblock">
-<div class="content">
-<pre><tt>&gt; cd /path/to/bro/source/distribution
-&gt; ./configure --prefix=/usr/local/bro --enable-cluster
-&gt; make</tt></pre>
-</div></div>
-</li>
-<li>
-<p>
-Install <em>BroControl</em>:
-</p>
-<div class="literalblock">
-<div class="content">
-<pre><tt>&gt; make install-broctl</tt></pre>
-</div></div>
-<div class="literalblock">
-<div class="content">
-<pre><tt>(This includes the standard +make install+.)</tt></pre>
-</div></div>
-</li>
-<li>
-<p>
-Add <tt>&lt;prefix&gt;/bin</tt> to your <tt>PATH</tt>.
-</p>
-</li>
-<li>
-<p>
-Create a cluster configuration file. There is an example provided,
-which you can edit according to the instructions in the file:
-</p>
-<div class="literalblock">
-<div class="content">
-<pre><tt>&gt; cd /usr/local/bro
-&gt; cp etc/broctl.cfg.example etc/broctl.cfg
-&gt; vi etc/broctl.cfg</tt></pre>
-</div></div>
-</li>
-<li>
-<p>
-Create a node configuration file to define where manager, workers,
-  and proxies are to run. There is again an example, which defines
-  the example scenario described above and can be edited as needed:
-</p>
-<div class="literalblock">
-<div class="content">
-<pre><tt>&gt; cd /usr/local/bro
-&gt; cp etc/node.cfg.example etc/node.cfg
-&gt; vi etc/node.cfg</tt></pre>
-</div></div>
-</li>
-<li>
-<p>
-Create a network configuration file that lists all of the networks
-  which the cluster should consider as local to the monitored
-  enviroment. Once, again the installation installs a template for
-  editing:
-</p>
-<div class="literalblock">
-<div class="content">
-<pre><tt>&gt; cd /usr/local/bro
-&gt; cp etc/networks.cfg.example etc/networks.cfg
-&gt; vi etc/networks.cfg</tt></pre>
-</div></div>
-</li>
-<li>
-<p>
-Install workers and proxies using <em>BroControl</em>:
-</p>
-<div class="literalblock">
-<div class="content">
-<pre><tt>&gt; broctl install</tt></pre>
-</div></div>
-<p>This installation process uses <tt>ssh</tt> and <tt>rdist</tt> to copy the
-configuration over to the remote machines so, as described above,
-you need to ensure that logging in via SSH works before the install will
-succeed.</p>
-</li>
-<li>
-<p>
-Some tasks need to be run on a regular basis. On the manager node,
-insert a line like this into the crontab of the user running the
-cluster.
-</p>
-<div class="literalblock">
-<div class="content">
-<pre><tt>0-59/5 * * * * &lt;prefix&gt;/bin/broctl cron</tt></pre>
-</div></div>
-</li>
-<li>
-<p>
-Finally, you can start the cluster:
-</p>
-<div class="literalblock">
-<div class="content">
-<pre><tt>&gt; broctl start</tt></pre>
-</div></div>
-</li>
-</ul>
-</div>
-<h2><a id="_getting_started"></a>Getting Started</h2><p/>
-<div class="sectionbody">
-<p><em>BroControl</em> is an interactive interface to the cluster which
-allows you to, e.g., start/stop the monitoring or update its
-configuration. It is started with the <tt>broctl</tt> script and then
-expects commands on its command-line (alternatively, <tt>broctl</tt> can
-also be started with a single command directly on the shell's
-command line):</p>
-<div class="literalblock">
-<div class="content">
-<pre><tt>&gt; cluster
-Welcome to BroControl 0.2</tt></pre>
-</div></div>
-<div class="literalblock">
-<div class="content">
-<pre><tt>Type "help" for help.</tt></pre>
-</div></div>
-<div class="literalblock">
-<div class="content">
-<pre><tt>[BroControl] &gt;</tt></pre>
-</div></div>
-<p>As the message says, type <a href="#cmd_help"><tt>help</tt></a> to see a list of all
-commands. We will now briefly summarize the most important commands.
-A full reference follows <a href="cmd_reference">below</a>.</p>
-<p>Once <tt>broctl.cfg</tt> and <tt>node.cfg</tt> are set up as described above, the
-monitoring can be started with the <a href="#cmd_start"><tt>start</tt></a> command.
-In the cluster setup, this will successively start manager, proxies,
-and workers. The <a href="#cmd_status"><tt>status</tt></a> command should then show
-all nodes as operating. To stop the monitoring, issue the
-<a href="#cmd_stop"><tt>stop</tt></a> command. <a href="#cmd_exit"><tt>exit</tt></a> leaves the
-shell.</p>
-<p>On the manager system (and on the standalone system), you find the
-current set of (aggregated) logs in <tt>logs/current</tt> (which is a
-symlink to the corresponding spool directory.) The workers and
-proxies log into <tt>spool/proxy/</tt> and <tt>spool/&lt;worker-name&gt;/</tt>,
-respectively. The manager/stand-alone logs are archived in <tt>logs/</tt>,
-by default once a day. Logs files of workers and proxies are
-discarded at the same rotation interval.</p>
-<p>Whenenver the <em>BroControl</em> configuration is modified in any way
-(including changes to configuration files and site-specific policy
-scripts), <a href="#cmd_install"><tt>install</tt></a> installs the new version. <em>No
-changes will take effect until <a href="#cmd_install"><tt>install</tt></a> is run</em>.
-Before you run <a href="#cmd_install"><tt>install</tt></a>, <a href="#cmd_check"><tt>check</tt></a>
-can be used to check for any potential erros in the new
-configuration, e.g., typos in scripts. If <a href="#cmd_check"><tt>check</tt></a>
-does not report any problems, doing <a href="#cmd_install"><tt>install</tt></a> will
-pretty likely not break anything.</p>
-<p>Note that generally configuration changes only take effect after a
-restart of the affected nodes. The <a href="#cmd_restart"><tt>restart</tt></a>
-command triggers this. Some changes however can be put into effect
-on-the-fly without restarting any of the nodes by using the
-<a href="#cmd_update"><tt>update</tt></a> command (again only after doing
-<a href="#cmd_install"><tt>install</tt></a> first). Such dynamic updates work with
-all changes done via the <a href="#cmd_analysis"><tt>analysis</tt></a> command (see
-below) as well as generally with all policy which only modify global
-variables declared as <em>redefinable</em> (i.e., with Bro's <em>&amp;redef</em>
-attribute).</p>
-<p>Generally, site-specific tuning needs to be done with local policy
-scripts, as in any Bro setup. This is described
-<a href="site_tuning">below</a>. Some general types of analysis can however
-be enabled/disabled via the <a href="#cmd_analysis"><tt>analysis</tt></a> command.</p>
-<p><em>BroControl</em> provides various options to control the behaviour of the
-setup. These options can be set by editing <tt>etc/broctl.cfg</tt>. The
-<a href="#cmd_config"><tt>config</tt></a> command gives list of all options with
-their current values. A list of the most important options also
-follows <a href="cmd_reference">below</a>.</p>
-</div>
-<h2><a id="_site_specific_customization"></a>Site-specific Customization</h2><p/>
-<div class="sectionbody">
-<p><a id="site_tuning"></a>You'll most likely want to adapt the Bro policy to the local
-environment. While some types of analysis can be customized via the
-<a href="#cmd_analysis"><tt>analysis</tt></a> command, much of the more specific
-tuning requires writing local policy files.</p>
-<p>By default, it is assumed that you put site-specific policy scripts
-into the <tt>share/bro/site</tt> directory. To change the location of site
-policies, set the option <a href="#opt_SitePolicyPath"><tt>SitePolicyPath</tt></a>
-in <tt>broctl.cfg</tt> to a different path.</p>
-<p>During the initial install, sample policy scripts are installed in
-<tt>share/bro/site</tt>, which you can edit as appropiate. In the stand-alone
-setup, this is just a single file called <tt>local.bro</tt>. In the cluster
-setup, there are three: <tt>local-manager.bro</tt> and <tt>local-worker.bro</tt>
-are loaded by the manager and the workers (plus proxies),
-respectively. In turn, both of these load <tt>local.bro</tt>, which
-contains all configuration code shared by all nodes. If in doubt,
-put your customizations into <tt>local.bro</tt> so that all nodes see it.
-If you want to change which local scripts are loaded by the nodes,
-you can set <a href="#opt_SitePolicyManager"><tt>SitePolicyManager</tt></a> for the
-manager and <a href="#opt_SitePolicyWorker"><tt>SitePolicyWorker</tt></a> for the
-workers.</p>
-<p>In the cluster setup, the main exception to putting everything into
-<tt>local.bro</tt> is notice filtering, which should be done only on the
-manager. The example <tt>local-manager.bro</tt> comes with an example setup
-to configure notice policy and notice actions. You should to adapt
-thiese to the local environment.</p>
-<p>In general, all of <em>BroControl</em>'s policy scripts are loaded before any
-site-specific policy so that you can redefine any of the defaults
-locally. The <a href="#cmd_scripts"><tt>scripts</tt></a> shows precisely which
-policy scripts get loaded by a node; that can be very helpful for
-debugging.</p>
-<p>Please note that enabling a particular kind of analysis via the
-<a href="#cmd_analysis"><tt>analysis</tt></a> command only has an effect if the
-corresponding Bro scripts are loaded by the local site policy in
-<tt>local.bro</tt>.</p>
-<p>It is also possible to add additional scripts to individual nodes
-only. This works by setting the option <tt>aux_scripts</tt> for the
-corresponding node(s) in <tt>etc/nodes.cfg</tt>. For example, one could add
-a script <tt>experimental.bro</tt> to a single worker for trying out new
-experimental code.</p>
-</div>
-<h2><a id="_command_reference"></a>Command Reference</h2><p/>
-<div class="sectionbody">
-<p><a id="cmd_reference"></a>The following summary lists all commands supported by <em>BroControl</em>. All
-commands may be either entered interactively or specificed on the
-shell's command line. If not specified otherwise, commands taking
-<em>[&lt;nodes&gt;]</em> as arguments apply their action either to the given set
-of nodes, or to all nodes if none is given.</p>
-<dl>
-<dt>
-<a id="cmd_analysis"></a> <strong>analysis <em>enable|disable &lt;type&gt;</em></strong>
-</dt>
-<dd>
-<p>
-This command enables or disables certain kinds of analysis without the
-need for doing any changes to Bro scripts. Currently, the analyses
-shown in the table below can be controlled (in parentheses the
-corresponding Bro scripts; the effect of enabling/disabling is similar
-to loading or not loading these scripts, respectively). The list might
-be extended in the future. Any changes performed via this command are
-applied by <a href="#cmd_update"><tt>update</tt></a> and therefore do not require a
-restart of the nodes.
-</p>
-<div class="tableblock">
-<table rules="all"
-frame="void"
-cellspacing="0" cellpadding="4">
-<col width="266" />
-<col width="533" />
-<thead>
-  <tr>
-    <th align="center">
-    Type
-    </th>
-    <th align="left">
-    Description
-    </th>
-  </tr>
-</thead>
-<tbody valign="top">
-  <tr>
-    <td align="center">
-    dns
-    </td>
-    <td align="left">
-    DNS analysis (<tt>dns.bro</tt>)
-    </td>
-  </tr>
-  <tr>
-    <td align="center">
-    ftp
-    </td>
-    <td align="left">
-    FTP analysis (<tt>ftp.bro</tt>)
-    </td>
-  </tr>
-  <tr>
-    <td align="center">
-    http-body
-    </td>
-    <td align="left">
-    HTTP body analysis (<tt>http-body.bro</tt>).
-    </td>
-  </tr>
-  <tr>
-    <td align="center">
-    http-request
-    </td>
-    <td align="left">
-    Client-side HTTP analysis only (<tt>http-request.bro</tt>)
-    </td>
-  </tr>
-  <tr>
-    <td align="center">
-    http-reply
-    </td>
-    <td align="left">
-    Client- and server-side HTTP analysis (<tt>http-request.bro</tt>/<tt>http-reply.bro</tt>)
-    </td>
-  </tr>
-  <tr>
-    <td align="center">
-    http-header
-    </td>
-    <td align="left">
-    HTTP header analysis (<tt>http-headers.bro</tt>)
-    </td>
-  </tr>
-  <tr>
-    <td align="center">
-    scan
-    </td>
-    <td align="left">
-    Scan detection (<tt>scan.bro</tt>)
-    </td>
-  </tr>
-  <tr>
-    <td align="center">
-    smtp
-    </td>
-    <td align="left">
-    SMTP analysis (<tt>smtp.bro</tt>)
-    </td>
-  </tr>
-</tbody>
-</table>
-</div>
-</dd>
-<dt>
-<a id="cmd_attachgdb"></a> <strong>attachgdb <em>[&lt;nodes&gt;]</em></strong>
-</dt>
-<dd>
-<p>
-Primarily for debugging, the command attaches a <em>gdb</em> to the main Bro
-process on the given nodes.
-</p>
-</dd>
-<dt>
-<a id="cmd_capstats"></a> <strong>capstats <em>[&lt;interval&gt;] [&lt;nodes&gt;]</em></strong>
-</dt>
-<dd>
-<p>
-Determines the current load on the network interfaces monitored by
-each of the given worker nodes. The load is measured over the
-specified interval (in seconds), or by default over 10 seconds. This
-command uses the <a href="http://www.icir.org/robin/capstats">capstats</a> tool,
-which is installed along with <tt>broctl</tt>.
-</p>
-</dd>
-</dl>
-<p>(Note: When using a CFlow and the CFlow command line utility is
-installed as well, the <tt>capstats</tt> command can also query the device
-for port statistics. <em>TODO</em>: document how to set this up.)</p>
-<dl>
-<dt>
-<a id="cmd_check"></a> <strong>check <em>[&lt;nodes&gt;]</em></strong>
-</dt>
-<dd>
-<p>
-Verifies a modified configuration in terms of syntactical correctness
-(most importantly correct syntax in policy scripts). This command
-should be executed for each configuration change <em>before</em>
-<a href="#cmd_install"><tt>install</tt></a> is used to put the change into place. Note
-that <tt>check</tt> is the only command which operates correctly without a
-former <a href="#cmd_install"><tt>install</tt></a> command; <tt>check</tt> uses the policy
-files as found in <a href="#opt_SitePolicyPath"><tt>SitePolicyPath</tt></a> to make
-sure they compile correctly. If they do, <a href="#cmd_install"><tt>install</tt></a>
-will then copy them over to an internal place from where the nodes
-will read them at the next <a href="#cmd_start"><tt>start</tt></a>. This approach
-ensures that new errors in a policy scripts will not affect currently
-running nodes, even when one or more of them needs to be restarted.
-</p>
-</dd>
-<dt>
-<a id="cmd_cleanup"></a> <strong>cleanup <em>[&#8212;all] [&lt;nodes&gt;]</em></strong>
-</dt>
-<dd>
-<p>
-Clears the nodes' spool directories (if they are not running
-currently). This implies that their persistent state is flushed. Nodes
-that were crashed are reset into <em>stopped</em> state. If <tt>&#8212;all</tt> is
-specified, this command also removes the content of the node's
-<a href="#opt_TmpDir"><tt>TmpDir</tt></a>, in particular deleteing any data
-potentially saved there for reference from previous crashes.
-Generally, if you want to reset the installation back into a clean
-state, you can first <a href="#cmd_stop"><tt>stop</tt></a> all nodes, then execute
-<tt>cleanup &#8212;all</tt>, and finally <a href="#cmd_start"><tt>start</tt></a> all nodes
-again.
-</p>
-</dd>
-<dt>
-<a id="cmd_config"></a> <strong>config </strong>
-</dt>
-<dd>
-<p>
-Prints all configuration options with their current values.
-</p>
-</dd>
-<dt>
-<a id="cmd_cron"></a> <strong>cron <em>[&lt;nodes&gt;]</em></strong>
-</dt>
-<dd>
-<p>
-As the name implies, this command should be executed regularly via
-<em>cron</em>, as described <a href="#Installation">above</a>. It performs a set of
-maintainance tasks, including the logging of various statistical
-information, expiring old log files, checking for dead hosts, and
-restarting nodes which terminated unexpectedly.  While not intended
-for interactive use, no harm will be caused by executing the command
-manually: all the maintainance tasks will then just be performed one
-more time.
-</p>
-</dd>
-<dt>
-<a id="cmd_df"></a> <strong>df <em>[&lt;nodes&gt;]</em></strong>
-</dt>
-<dd>
-<p>
-Reports the amount of disk space available on the nodes. Shows only
-paths relevant to the broctl installation.
-</p>
-</dd>
-<dt>
-<a id="cmd_diag"></a> <strong>diag <em>[&lt;nodes&gt;]</em></strong>
-</dt>
-<dd>
-<p>
-If a node has terminated unexpectedly, this command prints a (somewhat
-cryptic) summary of its final state including excerpts of any
-stdout/stderr output, resource usage, and also a stack backtrace if a
-core dump is found. The same information is sent out via mail when a
-node is found to have crashed (the "crash report"). While the
-information is mainly intended for debugging, it can also help to find
-misconfigurations (which are usually, but not always, caught by the
-<a href="#cmd_check"><tt>check</tt></a> command).
-</p>
-</dd>
-<dt>
-<a id="cmd_exec"></a> <strong>exec <em>&lt;command line&gt;</em></strong>
-</dt>
-<dd>
-<p>
-Executes the given Unix shell command line on all nodes configured to
-run at least one Bro instance. This is handy to quickly perform an
-action across all systems.
-</p>
-</dd>
-<dt>
-<a id="cmd_exit"></a> <strong>exit </strong>
-</dt>
-<dd>
-<p>
-Terminates the shell.
-</p>
-</dd>
-<dt>
-<a id="cmd_help"></a> <strong>help </strong>
-</dt>
-<dd>
-<p>
-Prints a brief summary of all commands understood by the shell.
-</p>
-</dd>
-<dt>
-<a id="cmd_install"></a> <strong>install </strong>
-</dt>
-<dd>
-<p>
-Reinstalls the given nodes, including all configuration files and
-local policy scripts.  This command must be executed after <em>all</em>
-changes to any part of the broctl configuration, otherwise the
-modifications will not take effect. Usually all nodes should be
-reinstalled at the same time, as any inconsistencies between them will
-lead to strange effects. Before executing <tt>install</tt>, it is recommended
-to verify the configuration with <a href="#cmd_check"><tt>check</tt></a>.
-</p>
-</dd>
-<dt>
-<a id="cmd_netstats"></a> <strong>netstats <em>[&lt;nodes&gt;]</em></strong>
-</dt>
-<dd>
-<p>
-Queries each of the nodes for their current counts of captured and
-dropped packets.
-</p>
-</dd>
-<dt>
-<a id="cmd_nodes"></a> <strong>nodes </strong>
-</dt>
-<dd>
-<p>
-Prints a list of all configured nodes.
-</p>
-</dd>
-<dt>
-<a id="cmd_peerstatus"></a> <strong>peerstatus <em>[&lt;nodes&gt;]</em></strong>
-</dt>
-<dd>
-<p>
-Primarily for debugging, <tt>peerstatus</tt> reports statistics about the
-network connections cluster nodes are using to communicate with other
-nodes.
-</p>
-</dd>
-<dt>
-<a id="cmd_print"></a> <strong>print <em>&lt;id&gt; [&lt;nodes&gt;]</em></strong>
-</dt>
-<dd>
-<p>
-Reports the <em>current</em> live value of the given Bro script ID on all of
-the specified nodes (which obviously must be running). This can for
-example be useful to (1) check that policy scripts are working as
-expected, or (2) confirm that configuration changes have in fact been
-applied.  Note that IDs defined inside a Bro namespace must be
-prefixed with <tt>&lt;namespace&gt;::</tt> (e.g., <tt>print SSH::did_ssh_version</tt> to
-print the corresponding table from <tt>ssh.bro</tt>.)
-</p>
-</dd>
-<dt>
-<a id="cmd_quit"></a> <strong>quit </strong>
-</dt>
-<dd>
-<p>
-Terminates the shell.
-</p>
-</dd>
-<dt>
-<a id="cmd_restart"></a> <strong>restart <em>[&#8212;clean] [&lt;nodes&gt;]</em></strong>
-</dt>
-<dd>
-<p>
-Restarts the given nodes, or all nodes if none are specified. The
-effect is the same as first executing <a href="#cmd_stop"><tt>stop</tt></a> followed
-by a <a href="#cmd_start"><tt>start</tt></a>, giving the same nodes in both cases.
-This command is most useful to activate any changes made to Bro policy
-scripts (after running <a href="#cmd_install"><tt>install</tt></a> first). Note that a
-subset of policy changes can also be installed on the fly via the
-<a href="#cmd_updatel"><tt>update</tt></a>, without requiring a restart.
-</p>
-</dd>
-</dl>
-<p>If <tt>&#8212;clean</tt> is given, the installation is reset into a clean state
-before restarting. More precisely, a <tt>restart &#8212;clean</tt> turns into the
-command sequence <a href="#cmd_stop"><tt>stop</tt></a>, <a href="#cmd_cleanup"><tt>cleanup
-&#8212;all</tt></a>, <a href="#cmd_check"><tt>check</tt></a>, <a href="#cmd_install"><tt>install</tt></a>, and
-<a href="#cmd_start"><tt>start</tt></a>.</p>
-<dl>
-<dt>
-<a id="cmd_scripts"></a> <strong>scripts <em>[-p|-c] [&lt;nodes&gt;]</em></strong>
-</dt>
-<dd>
-<p>
-Primarily for debugging Bro configurations, the <tt>script</tt> command lists
-all the Bro scripts loaded by each of the nodes in the order as they
-will be parsed by the node at startup. If <tt>-p</tt> is given, all scripts
-are listed with their full paths. If <tt>-c</tt> is given, the command
-operates as <a href="#cmd_check::"><tt>check</tt></a> does: it reads the policy files
-from their <em>original</em> location, not the copies installed by
-<a href="#cmd_install"><tt>install</tt></a>. The latter option is useful to check a
-not yet installed configuration.
-</p>
-</dd>
-<dt>
-<a id="cmd_start"></a> <strong>start <em>[&lt;nodes&gt;]</em></strong>
-</dt>
-<dd>
-<p>
-Starts the given nodes, or all nodes if none are specified. Nodes
-already running are left untouched.
-</p>
-</dd>
-<dt>
-<a id="cmd_status"></a> <strong>status <em>[&lt;nodes&gt;]</em></strong>
-</dt>
-<dd>
-<p>
-Prints the current status of the given nodes.
-</p>
-</dd>
-<dt>
-<a id="cmd_stop"></a> <strong>stop <em>[&lt;nodes&gt;]</em></strong>
-</dt>
-<dd>
-<p>
-Stops the given nodes, or all nodes if none are specified. Nodes not
-running are left untouched.
-</p>
-</dd>
-<dt>
-<a id="cmd_top"></a> <strong>top <em>[&lt;nodes&gt;]</em></strong>
-</dt>
-<dd>
-<p>
-For each of the nodes, prints the status of the two Bro
-processes (parent process and child process) in a <em>top</em>-like
-format, including CPU usage and memory consumption. If
-executed interactively, the display is updated frequently
-until key <tt>q</tt> is pressed. If invoked non-interactively, the
-status is printed only once.
-</p>
-</dd>
-<dt>
-<a id="cmd_update"></a> <strong>update <em>[&lt;nodes&gt;]</em></strong>
-</dt>
-<dd>
-<p>
-After a change to Bro policy scripts, this command updates the Bro
-processes on the given nodes <em>while they are running</em> (i.e., without
-requiring a <a href="#cmd_restart"><tt>restart</tt></a>). However, such dynamic
-updates work only for a <em>subset</em> of Bro's full configuration. The
-following changes can be applied on the fly: (1) The value of all
-script variables defined as <tt>&amp;redef</tt> can be changed; and (2) all
-configuration changes performed via the <a href="#cmd_analysis"><tt>analysis</tt></a>
-command can be put into effect. More extensive script changes are not
-possible during runtime and always require a restart; if you change
-more than just the values of <tt>&amp;redef</tt> variables and still issue
-<tt>update</tt>, the results are undefined and can lead to crashes. Also note
-that before running <tt>update</tt>, you still need to do an
-<a href="#cmd_install"><tt>install</tt></a> (preferably after
-<a href="#cmd_install"><tt>check</tt></a>), as otherwise <tt>update</tt> will not see the
-changes and resend the old configuration.
-</p>
-</dd>
-</dl>
-</div>
-<h2><a id="_option_reference"></a>Option Reference</h2><p/>
-<div class="sectionbody">
-<p>This section summarizes the options that can be set in
-<tt>etc/broctl.cfg</tt> for customizing the behaviour of <em>BroControl</em>. Usually,
-one only needs to change the "user options", which are listed first.
-The "internal options" are, as the name suggests, primarily used
-internally and set automatically. They are documented here only for
-reference.</p>
-<h3><a id="_user_options"></a>User Options</h3><p/>
-<dl>
-<dt>
-<a id="opt_AuxPostProcessors"></a> <strong>AuxPostProcessors</strong> (string, default <em>empty</em>)
-</dt>
-<dd>
-<p>
-Additional log postprocessors, with paths separated by spaces.
-</p>
-</dd>
-<dt>
-<a id="opt_AuxScriptsManager"></a> <strong>AuxScriptsManager</strong> (string, default <em>empty</em>)
-</dt>
-<dd>
-<p>
-Additional Bro scripts loaded on the manager, separated by spaces.
-</p>
-</dd>
-<dt>
-<a id="opt_AuxScriptsStandalone"></a> <strong>AuxScriptsStandalone</strong> (string, default <em>empty</em>)
-</dt>
-<dd>
-<p>
-Additional Bro scripts loaded on a standalone Brothe manage, separated by spaces.
-</p>
-</dd>
-<dt>
-<a id="opt_AuxScriptsWorker"></a> <strong>AuxScriptsWorker</strong> (string, default <em>empty</em>)
-</dt>
-<dd>
-<p>
-Additional Bro scripts loaded on the workers, separated by spaces.
-</p>
-</dd>
-<dt>
-<a id="opt_BroArgs"></a> <strong>BroArgs</strong> (string, default <em>empty</em>)
-</dt>
-<dd>
-<p>
-Additional arguments to pass to Bro on the command-line.
-</p>
-</dd>
-<dt>
-<a id="opt_CFlowAddr"></a> <strong>CFlowAddr</strong> (string, default <em>empty</em>)
-</dt>
-<dd>
-<p>
-If a cFlow load-balander is used, the address of the device (format: &lt;ip&gt;:&lt;port&gt;).
-</p>
-</dd>
-<dt>
-<a id="opt_CFlowPassword"></a> <strong>CFlowPassword</strong> (string, default <em>empty</em>)
-</dt>
-<dd>
-<p>
-If a cFlow load-balander is used, the password for accessing its configuration interface.
-</p>
-</dd>
-<dt>
-<a id="opt_CFlowUser"></a> <strong>CFlowUser</strong> (string, default <em>empty</em>)
-</dt>
-<dd>
-<p>
-If a cFlow load-balander is used, the user name for accessing its configuration interface.
-</p>
-</dd>
-<dt>
-<a id="opt_CronCmd"></a> <strong>CronCmd</strong> (string, default <em>empty</em>)
-</dt>
-<dd>
-<p>
-A custom command to run everytime the cron command has finished.
-</p>
-</dd>
-<dt>
-<a id="opt_CustomInstallBin"></a> <strong>CustomInstallBin</strong> (string, default <em>empty</em>)
-</dt>
-<dd>
-<p>
-Additional executables to be installed into ${BinDir}, including full path and separated by spaces.
-</p>
-</dd>
-<dt>
-<a id="opt_Debug"></a> <strong>Debug</strong> (bool, default 0)
-</dt>
-<dd>
-<p>
-Enable extensive debugging output in spool/debug.log.
-</p>
-</dd>
-<dt>
-<a id="opt_DevMode"></a> <strong>DevMode</strong> (bool, default 0)
-</dt>
-<dd>
-<p>
-Enable development mode, which changes how things are installed by the <em>install</em> command.
-</p>
-</dd>
-<dt>
-<a id="opt_HaveNFS"></a> <strong>HaveNFS</strong> (bool, default 0)
-</dt>
-<dd>
-<p>
-True if shared files are mounted across all nodes via NFS (see FAQ).
-</p>
-</dd>
-<dt>
-<a id="opt_LogDir"></a> <strong>LogDir</strong> (string, default "${BroBase}/logs")
-</dt>
-<dd>
-<p>
-Directory for archived log files.
-</p>
-</dd>
-<dt>
-<a id="opt_LogExpireInterval"></a> <strong>LogExpireInterval</strong> (int, default 30)
-</dt>
-<dd>
-<p>
-Number of days log files are kept.
-</p>
-</dd>
-<dt>
-<a id="opt_MailAlarmPrefix"></a> <strong>MailAlarmPrefix</strong> (string, default "ALERT:")
-</dt>
-<dd>
-<p>
-Subject prefix for individual alerts triggered by NOTICE_EMAIL.
-</p>
-</dd>
-<dt>
-<a id="opt_MailAlarms"></a> <strong>MailAlarms</strong> (bool, default 1)
-</dt>
-<dd>
-<p>
-True if Bro should send mails for NOTICE_EMAIL alerts.
-</p>
-</dd>
-<dt>
-<a id="opt_MailAlarmsTo"></a> <strong>MailAlarmsTo</strong> (string, default "${MailTo}")
-</dt>
-<dd>
-<p>
-Destination address for broctl-generated alarm mails.
-</p>
-</dd>
-<dt>
-<a id="opt_MailFrom"></a> <strong>MailFrom</strong> (string, default "Big Brother &lt;&gt;")
-</dt>
-<dd>
-<p>
-Originator address for broctl-generated mails.
-</p>
-</dd>
-<dt>
-<a id="opt_MailReplyTo"></a> <strong>MailReplyTo</strong> (string, default <em>empty</em>)
-</dt>
-<dd>
-<p>
-Reply-to address for broctl-generated mails.
-</p>
-</dd>
-<dt>
-<a id="opt_MailSubjectPrefix"></a> <strong>MailSubjectPrefix</strong> (string, default "[Bro]")
-</dt>
-<dd>
-<p>
-General Subject prefix for broctl-generated mails.
-</p>
-</dd>
-<dt>
-<a id="opt_MailTo"></a> <strong>MailTo</strong> (string, default "&lt;user&gt;")
-</dt>
-<dd>
-<p>
-Destination address for broctl-generated non-alarm mails. Default is to use the same address as <tt>MailTo</tt>.
-</p>
-</dd>
-<dt>
-<a id="opt_MemLimit"></a> <strong>MemLimit</strong> (string, default "unlimited")
-</dt>
-<dd>
-<p>
-Maximum amount of memory for Bro processes to use (in KB, or the string <em>unlimited</em>).
-</p>
-</dd>
-<dt>
-<a id="opt_MinDiskSpace"></a> <strong>MinDiskSpace</strong> (int, default 5)
-</dt>
-<dd>
-<p>
-Percentage of minimum disk space available before warning is mailed.
-</p>
-</dd>
-<dt>
-<a id="opt_Prefixes"></a> <strong>Prefixes</strong> (string, default "local")
-</dt>
-<dd>
-<p>
-Additional script prefixes for Bro, separated by colons. Use this instead of @prefix.
-</p>
-</dd>
-<dt>
-<a id="opt_SaveTraces"></a> <strong>SaveTraces</strong> (bool, default 0)
-</dt>
-<dd>
-<p>
-True to let backends capture short-term traces via <em>-w</em>. These are not archived but might be helpful for debugging.
-</p>
-</dd>
-<dt>
-<a id="opt_SendMail"></a> <strong>SendMail</strong> (bool, default 1)
-</dt>
-<dd>
-<p>
-True if shell may send mails.
-</p>
-</dd>
-<dt>
-<a id="opt_SitePolicyManager"></a> <strong>SitePolicyManager</strong> (string, default "local-manager.bro")
-</dt>
-<dd>
-<p>
-Local policy file for manager.
-</p>
-</dd>
-<dt>
-<a id="opt_SitePolicyPath"></a> <strong>SitePolicyPath</strong> (string, default "${PolicyDir}/site")
-</dt>
-<dd>
-<p>
-Directories to search for local policy files, separated by colons.
-</p>
-</dd>
-<dt>
-<a id="opt_SitePolicyStandalone"></a> <strong>SitePolicyStandalone</strong> (string, default "local.bro")
-</dt>
-<dd>
-<p>
-Local policy file for standalone Bro.
-</p>
-</dd>
-<dt>
-<a id="opt_SitePolicyWorker"></a> <strong>SitePolicyWorker</strong> (string, default "local-worker.bro")
-</dt>
-<dd>
-<p>
-Local policy file for workers.
-</p>
-</dd>
-<dt>
-<a id="opt_TimeFmt"></a> <strong>TimeFmt</strong> (string, default "%d %b %H:%M:%S")
-</dt>
-<dd>
-<p>
-Format string to print data/time specifications (see <em>man strftime</em>).
-</p>
-</dd>
-<dt>
-<a id="opt_TimeMachineHost"></a> <strong>TimeMachineHost</strong> (string, default <em>empty</em>)
-</dt>
-<dd>
-<p>
-If the manager should connect to a Time Machine, the address of the host it is running on.
-</p>
-</dd>
-<dt>
-<a id="opt_TimeMachinePort"></a> <strong>TimeMachinePort</strong> (string, default "47757/tcp")
-</dt>
-<dd>
-<p>
-If the manager should connect to a Time Machine, the port it is running on (in Bro syntax, e.g., <tt>47757/tcp</tt>.
-</p>
-</dd>
-</dl>
-<h3><a id="_internal_options"></a>Internal Options</h3><p/>
-<dl>
-<dt>
-<a id="opt_AnalysisCfg"></a> <strong>AnalysisCfg</strong> (string, default "${CfgDir}/analysis.dat")
-</dt>
-<dd>
-<p>
-Configuration file defining types of analysis which can be toggled on-the-fly.
-</p>
-</dd>
-<dt>
-<a id="opt_BinDir"></a> <strong>BinDir</strong> (string, default "${BroBase}/bin")
-</dt>
-<dd>
-<p>
-Directory for executable files.
-</p>
-</dd>
-<dt>
-<a id="opt_BroBase"></a> <strong>BroBase</strong> (string, default <em>empty</em>)
-</dt>
-<dd>
-<p>
-Base path of broctl installation on all nodes.
-</p>
-</dd>
-<dt>
-<a id="opt_Capstats"></a> <strong>Capstats</strong> (string, default "${bindir}/capstats")
-</dt>
-<dd>
-<p>
-Path to capstats binary; empty if not available.
-</p>
-</dd>
-<dt>
-<a id="opt_CfgDir"></a> <strong>CfgDir</strong> (string, default "${BroBase}/etc")
-</dt>
-<dd>
-<p>
-Directory for configuration files.
-</p>
-</dd>
-<dt>
-<a id="opt_DebugLog"></a> <strong>DebugLog</strong> (string, default "${SpoolDir}/debug.log")
-</dt>
-<dd>
-<p>
-Log file for debugging information.
-</p>
-</dd>
-<dt>
-<a id="opt_DistDir"></a> <strong>DistDir</strong> (string, default <em>empty</em>)
-</dt>
-<dd>
-<p>
-Path to Bro distribution directory.
-</p>
-</dd>
-<dt>
-<a id="opt_HaveBroccoli"></a> <strong>HaveBroccoli</strong> (bool)
-</dt>
-<dd>
-<p>
-True if Broccoli interface is available.
-</p>
-</dd>
-<dt>
-<a id="opt_HelperDir"></a> <strong>HelperDir</strong> (string, default "${BroBase}/share/broctl/scripts/helpers")
-</dt>
-<dd>
-<p>
-Directory for broctl helper scripts.
-</p>
-</dd>
-<dt>
-<a id="opt_LibDir"></a> <strong>LibDir</strong> (string, default "${BroBase}/lib")
-</dt>
-<dd>
-<p>
-Directory for library files.
-</p>
-</dd>
-<dt>
-<a id="opt_LibDirInternal"></a> <strong>LibDirInternal</strong> (string, default "${BroBase}/lib/broctl")
-</dt>
-<dd>
-<p>
-Directory for broctl-specific library files.
-</p>
-</dd>
-<dt>
-<a id="opt_LocalNetsCfg"></a> <strong>LocalNetsCfg</strong> (string, default "${CfgDir}/networks.cfg")
-</dt>
-<dd>
-<p>
-File definining the local networks.
-</p>
-</dd>
-<dt>
-<a id="opt_LockFile"></a> <strong>LockFile</strong> (string, default "${SpoolDir}/lock")
-</dt>
-<dd>
-<p>
-Lock file preventing concurrent shell operations.
-</p>
-</dd>
-<dt>
-<a id="opt_NodeCfg"></a> <strong>NodeCfg</strong> (string, default "${CfgDir}/node.cfg")
-</dt>
-<dd>
-<p>
-Node configuration file.
-</p>
-</dd>
-<dt>
-<a id="opt_OS"></a> <strong>OS</strong> (string, default <em>empty</em>)
-</dt>
-<dd>
-<p>
-Name of operation systems as reported by uname.
-</p>
-</dd>
-<dt>
-<a id="opt_PolicyDir"></a> <strong>PolicyDir</strong> (string, default "${BroBase}/share/bro")
-</dt>
-<dd>
-<p>
-Directory for standard policy files.
-</p>
-</dd>
-<dt>
-<a id="opt_PolicyDirBroCtl"></a> <strong>PolicyDirBroCtl</strong> (string, default "${PolicyDir}/broctl")
-</dt>
-<dd>
-<p>
-Directory where the shell copies the additional broctl policy scripts when installing.
-</p>
-</dd>
-<dt>
-<a id="opt_PolicyDirSiteInstall"></a> <strong>PolicyDirSiteInstall</strong> (string, default "${PolicyDir}/.site")
-</dt>
-<dd>
-<p>
-Directory where the shell copies local policy scripts when installing.
-</p>
-</dd>
-<dt>
-<a id="opt_PolicyDirSiteInstallAuto"></a> <strong>PolicyDirSiteInstallAuto</strong> (string, default "${PolicyDir}/.site/auto")
-</dt>
-<dd>
-<p>
-Directory where the shell copies auto-generated local policy scripts when installing.
-</p>
-</dd>
-<dt>
-<a id="opt_PostProcDir"></a> <strong>PostProcDir</strong> (string, default "${BroBase}/share/broctl/scripts/postprocessors")
-</dt>
-<dd>
-<p>
-Directory for log postprocessors.
-</p>
-</dd>
-<dt>
-<a id="opt_Scripts-Manager"></a> <strong>Scripts-Manager</strong> (string, default "cluster-manager")
-</dt>
-<dd>
-<p>
-Bro scripts loaded on the manager, separated by spaces.
-</p>
-</dd>
-<dt>
-<a id="opt_Scripts-Proxy"></a> <strong>Scripts-Proxy</strong> (string, default "cluster-proxy")
-</dt>
-<dd>
-<p>
-Bro scripts loaded on the proxies, separated by spaces.
-</p>
-</dd>
-<dt>
-<a id="opt_Scripts-Standalone"></a> <strong>Scripts-Standalone</strong> (string, default "standalone")
-</dt>
-<dd>
-<p>
-Bro scripts loaded on a standalone Bro, separated by spaces.
-</p>
-</dd>
-<dt>
-<a id="opt_Scripts-Worker"></a> <strong>Scripts-Worker</strong> (string, default "cluster-worker")
-</dt>
-<dd>
-<p>
-Bro scripts loaded on the workers, separated by spaces.
-</p>
-</dd>
-<dt>
-<a id="opt_ScriptsDir"></a> <strong>ScriptsDir</strong> (string, default "${BroBase}/share/broctl/scripts")
-</dt>
-<dd>
-<p>
-Directory for executable scripts shipping as part of broctl.
-</p>
-</dd>
-<dt>
-<a id="opt_SpoolDir"></a> <strong>SpoolDir</strong> (string, default "${BroBase}/spool")
-</dt>
-<dd>
-<p>
-Directory for run-time data.
-</p>
-</dd>
-<dt>
-<a id="opt_StandAlone"></a> <strong>StandAlone</strong> (bool, default 0)
-</dt>
-<dd>
-<p>
-True if running in stand-alone mode (see elsewhere).
-</p>
-</dd>
-<dt>
-<a id="opt_StateFile"></a> <strong>StateFile</strong> (string, default "${SpoolDir}/broctl.dat")
-</dt>
-<dd>
-<p>
-File storing the current broctl state.
-</p>
-</dd>
-<dt>
-<a id="opt_StaticDir"></a> <strong>StaticDir</strong> (string, default "${BroBase}/share/broctl")
-</dt>
-<dd>
-<p>
-Directory for static, arch-independent files.
-</p>
-</dd>
-<dt>
-<a id="opt_StatsDir"></a> <strong>StatsDir</strong> (string, default "${LogDir}/stats")
-</dt>
-<dd>
-<p>
-Directory where statistics are kepts.
-</p>
-</dd>
-<dt>
-<a id="opt_StatsLog"></a> <strong>StatsLog</strong> (string, default "${SpoolDir}/stats.log")
-</dt>
-<dd>
-<p>
-Log file for statistics.
-</p>
-</dd>
-<dt>
-<a id="opt_TemplateDir"></a> <strong>TemplateDir</strong> (string, default "${BroBase}/share/broctl/templates")
-</dt>
-<dd>
-<p>
-Directory where the *.in templates are copied into.
-</p>
-</dd>
-<dt>
-<a id="opt_Time"></a> <strong>Time</strong> (string, default <em>empty</em>)
-</dt>
-<dd>
-<p>
-Path to time binary.
-</p>
-</dd>
-<dt>
-<a id="opt_TmpDir"></a> <strong>TmpDir</strong> (string, default "${SpoolDir}/tmp")
-</dt>
-<dd>
-<p>
-Directory for temporary data.
-</p>
-</dd>
-<dt>
-<a id="opt_TmpExecDir"></a> <strong>TmpExecDir</strong> (string, default "${SpoolDir}/tmp")
-</dt>
-<dd>
-<p>
-Directory where binaries are copied before execution.
-</p>
-</dd>
-<dt>
-<a id="opt_TraceSummary"></a> <strong>TraceSummary</strong> (string, default "${bindir}/trace-summary")
-</dt>
-<dd>
-<p>
-Path to trace-summary script; empty if not available.
-</p>
-</dd>
-<dt>
-<a id="opt_Version"></a> <strong>Version</strong> (string, default <em>empty</em>)
-</dt>
-<dd>
-<p>
-Version of the broctl.
-</p>
-</dd>
-</dl>
-</div>
-<h2><a id="_miscellanous"></a>Miscellanous</h2><p/>
-<div class="sectionbody">
-<h3><a id="_mails"></a>Mails</h3><p/>
-<p><em>BroControl</em> sents four types of mails to the address given in <tt>MailTo</tt>:</p>
-<ol>
-<li>
-<p>
-When logs are rotated (per default once a day), a list of all
-   alerts during the last rotation interval is sent. This can be
-   disabled by setting <tt>MailAlarms=0</tt>.
-</p>
-</li>
-<li>
-<p>
-When the <tt>cron</tt> command noticies that a node has crashed, it
-   restarts it and sends a notification. It may also send a more
-   detailed crash report containing information about the crash.
-</p>
-</li>
-<li>
-<p>
-NOTICES with a notice action of <tt>NOTICE_EMAIL</tt>; see the Bro
-   documentation for how to configure NOTICE priorities.
-</p>
-</li>
-<li>
-<p>
-If <a href="trace_summary"><tt>trace-summary</tt></a> is installed, a
-   traffic summary is sent each rotation interval.
-</p>
-</li>
-</ol>
-<h3><a id="_performance_analysis"></a>Performance Analysis</h3><p/>
-<p><em>TODO</em>: <tt>broctl cron</tt> logs a number of statistics, which can be
-analyzed/plotted for understanding the cluster's run-time behaviour.</p>
-</div>
-<h2><a id="_questions_and_answers"></a>Questions and Answers</h2><p/>
-<div class="sectionbody">
-<ol>
-<li>
-<p><em>
-Can I use an NFS-mounted partition as the cluster's base directory to avoid the <tt>rsync</tt>'ing?
-</em></p>
-<p>
-    Yes. <a href="#opt_BroBase"><tt>BroBase</tt></a> can be on an NFS partition.
-    Configure and install the shell as usual with
-    <tt>&#8212;prefix=&lt;BroBase&gt;</tt>. Then add <a href="#opt_HaveNFS">HaveNFS</a>=1+ and
-    <tt>SpoolDir=&lt;spath&gt;</tt> to <tt>etc/broctl.cfg</tt>, where <tt>&lt;spath&gt;</tt> is a
-    path on the local disks of the nodes; <tt>&lt;spath&gt;</tt> will be used for
-    all non-shared data (make sure that the parent directory exists
-    and is writable on all nodes!). Then run <a href="#cmd_install"><tt>make
-    install-broctl</tt></a> again. Finally, you can remove
-    <tt>&lt;BroBase&gt;/spool</tt> (or link it to &lt;spath&gt;). In addition, you
-    might want to keep the log files locally on the nodes as well by
-    setting <a href="#opt_LogDir"><tt>LogDir</tt></a>+ to a non-NFS directory. (Only
-    the manager's logs will be kept permanently, the logs of
-    workers/proxies are discarded upon rotation.)
-</p>
-</li>
-<li>
-<p><em>
-When I'm using the <a href="#Standalone">standalone mode</a>, do I still need to have <tt>ssh</tt> and <tt>rsync</tt> installed and configured?
-</em></p>
-<p>
-    No. The standalone performs all operations directly on the local
-    file system.
-</p>
-</li>
-<li>
-<p><em>
-What do I need to do when the something in the Bro distribution changes?
-</em></p>
-<p>
-    Just re-run <tt>make broctl-install</tt>. It will reinstall
-    all the files from the distribution, except for any of the
-    template files, as they might have been edited.
-</p>
-<p>In addition, <em>BroControl</em> has a "development mode", which makes
-installation easier if distribution files change frequently
-(e.g., becayse you're working from SVN). Development mode
-activated by adding <tt>DevMode=1</tt> to <tt>etc/broctl.cfg</tt>. Once done,
-<em>BroControl</em>'s <tt>install</tt> command will also install all the files
-from the distribution, just as <tt>make broctl-install</tt> does. Note
-that you obviously need to keep the distribution around to have
-this work.</p>
-<p>Note for folks who have used the old "cluster shell": the
-development mode corresponds to the old default behaviour, which
-worked with any <tt>make install-broctl</tt>.</p>
-</li>
-<li>
-<p><em>
-After a Bro crash, the timestamps of the archived log files sometimes seem to be wrong?
-</em></p>
-<p>
-   When Bro crashes, broctl archives the log files produced so far
-   at the normal location. However, for some files it can't (easily)
-   determine the right timestamps to put into the filename. This
-   affects in particular those log files that are not rotated on
-   regular basis (e.g., <tt>stdout.log</tt>, <tt>prof.log</tt>); their filenames
-   will indicate as their start time the point when all the other
-   files were <em>rotated</em> most recently. In addition, for all log
-   files, after a crash the start/end times indicated by the file
-   names might be off a few seconds.
-</p>
-</li>
-<li>
-<p><em>
-<a id="devversion"></a>Anything special to consider when using development versions?
-</em></p>
-<p>
-   If you are using a <em>development version</em>, <em>BroControl</em> might
-   require patching Bro itself to work correctly. A "development
-   version" is defined as anything you have downloaded from Bro's
-   Subversion repository (as opposed to downloading a release
-   tar-ball). If so, see if there's a file called
-   <tt>aux/broctl/patch-bro.diff</tt>. If there is, apply it as follows
-   before you proceed with any of the steps below:
-</p>
-<div class="literalblock">
-<div class="content">
-<pre><tt>&gt; cd /path/to/bro/source/distribution
-&gt; patch -p0 &lt;aux/broctl/patch-bro.diff
-&gt; ./autogen.sh</tt></pre>
-</div></div>
-</li>
-</ol>
-</div>
-<div id="footer">
-<div id="footer-text">
-Last modified at 2009-12-03 12:58:36 PDT - Robin Sommer
-</div>
-</div>
-</body>
-</html>
diff --git a/aux/broctl/README.options b/aux/broctl/README.options
deleted file mode 100644
index 7b0baf233e..0000000000
--- a/aux/broctl/README.options
+++ /dev/null
@@ -1,150 +0,0 @@
-// Automatically generated. Do not edit.
-
-User Options
-~~~~~~~~~~~~
-[[opt_AuxPostProcessors]] *AuxPostProcessors* (string, default _empty_)::
-Additional log postprocessors, with paths separated by spaces.
-[[opt_AuxScriptsManager]] *AuxScriptsManager* (string, default _empty_)::
-Additional Bro scripts loaded on the manager, separated by spaces.
-[[opt_AuxScriptsStandalone]] *AuxScriptsStandalone* (string, default _empty_)::
-Additional Bro scripts loaded on a standalone Brothe manage, separated by spaces.
-[[opt_AuxScriptsWorker]] *AuxScriptsWorker* (string, default _empty_)::
-Additional Bro scripts loaded on the workers, separated by spaces.
-[[opt_BroArgs]] *BroArgs* (string, default _empty_)::
-Additional arguments to pass to Bro on the command-line.
-[[opt_CFlowAddr]] *CFlowAddr* (string, default _empty_)::
-If a cFlow load-balander is used, the address of the device (format: <ip>:<port>).
-[[opt_CFlowPassword]] *CFlowPassword* (string, default _empty_)::
-If a cFlow load-balander is used, the password for accessing its configuration interface.
-[[opt_CFlowUser]] *CFlowUser* (string, default _empty_)::
-If a cFlow load-balander is used, the user name for accessing its configuration interface.
-[[opt_CronCmd]] *CronCmd* (string, default _empty_)::
-A custom command to run everytime the cron command has finished.
-[[opt_CustomInstallBin]] *CustomInstallBin* (string, default _empty_)::
-Additional executables to be installed into $\{BinDir}, including full path and separated by spaces.
-[[opt_Debug]] *Debug* (bool, default 0)::
-Enable extensive debugging output in spool/debug.log.
-[[opt_DevMode]] *DevMode* (bool, default 0)::
-Enable development mode, which changes how things are installed by the _install_ command.
-[[opt_HaveNFS]] *HaveNFS* (bool, default 0)::
-True if shared files are mounted across all nodes via NFS (see FAQ).
-[[opt_LogDir]] *LogDir* (string, default "$\{BroBase}/logs")::
-Directory for archived log files.
-[[opt_LogExpireInterval]] *LogExpireInterval* (int, default 30)::
-Number of days log files are kept.
-[[opt_MailAlarmPrefix]] *MailAlarmPrefix* (string, default "ALERT:")::
-Subject prefix for individual alerts triggered by NOTICE_EMAIL.
-[[opt_MailAlarms]] *MailAlarms* (bool, default 1)::
-True if Bro should send mails for NOTICE_EMAIL alerts.
-[[opt_MailAlarmsTo]] *MailAlarmsTo* (string, default "$\{MailTo}")::
-Destination address for broctl-generated alarm mails.
-[[opt_MailFrom]] *MailFrom* (string, default "Big Brother <bro@localhost>")::
-Originator address for broctl-generated mails.
-[[opt_MailReplyTo]] *MailReplyTo* (string, default _empty_)::
-Reply-to address for broctl-generated mails.
-[[opt_MailSubjectPrefix]] *MailSubjectPrefix* (string, default "[Bro]")::
-General Subject prefix for broctl-generated mails.
-[[opt_MailTo]] *MailTo* (string, default "<user>")::
-Destination address for broctl-generated non-alarm mails. Default is to use the same address as +MailTo+.
-[[opt_MemLimit]] *MemLimit* (string, default "unlimited")::
-Maximum amount of memory for Bro processes to use (in KB, or the string 'unlimited').
-[[opt_MinDiskSpace]] *MinDiskSpace* (int, default 5)::
-Percentage of minimum disk space available before warning is mailed.
-[[opt_Prefixes]] *Prefixes* (string, default "local")::
-Additional script prefixes for Bro, separated by colons. Use this instead of @prefix.
-[[opt_SaveTraces]] *SaveTraces* (bool, default 0)::
-True to let backends capture short-term traces via '-w'. These are not archived but might be helpful for debugging.
-[[opt_SendMail]] *SendMail* (bool, default 1)::
-True if shell may send mails.
-[[opt_SitePolicyManager]] *SitePolicyManager* (string, default "local-manager.bro")::
-Local policy file for manager.
-[[opt_SitePolicyPath]] *SitePolicyPath* (string, default "$\{PolicyDir}/site")::
-Directories to search for local policy files, separated by colons.
-[[opt_SitePolicyStandalone]] *SitePolicyStandalone* (string, default "local.bro")::
-Local policy file for standalone Bro.
-[[opt_SitePolicyWorker]] *SitePolicyWorker* (string, default "local-worker.bro")::
-Local policy file for workers.
-[[opt_TimeFmt]] *TimeFmt* (string, default "%d %b %H:%M:%S")::
-Format string to print data/time specifications (see 'man strftime').
-[[opt_TimeMachineHost]] *TimeMachineHost* (string, default _empty_)::
-If the manager should connect to a Time Machine, the address of the host it is running on.
-[[opt_TimeMachinePort]] *TimeMachinePort* (string, default "47757/tcp")::
-If the manager should connect to a Time Machine, the port it is running on (in Bro syntax, e.g., +47757/tcp+.
-
-Internal Options
-~~~~~~~~~~~~~~~~
-
-[[opt_AnalysisCfg]] *AnalysisCfg* (string, default "$\{CfgDir}/analysis.dat")::
-Configuration file defining types of analysis which can be toggled on-the-fly.
-[[opt_BinDir]] *BinDir* (string, default "$\{BroBase}/bin")::
-Directory for executable files.
-[[opt_BroBase]] *BroBase* (string, default _empty_)::
-Base path of broctl installation on all nodes.
-[[opt_Capstats]] *Capstats* (string, default "$\{bindir}/capstats")::
-Path to capstats binary; empty if not available.
-[[opt_CfgDir]] *CfgDir* (string, default "$\{BroBase}/etc")::
-Directory for configuration files.
-[[opt_DebugLog]] *DebugLog* (string, default "$\{SpoolDir}/debug.log")::
-Log file for debugging information.
-[[opt_DistDir]] *DistDir* (string, default _empty_)::
-Path to Bro distribution directory.
-[[opt_HaveBroccoli]] *HaveBroccoli* (bool)::
-True if Broccoli interface is available.
-[[opt_HelperDir]] *HelperDir* (string, default "$\{BroBase}/share/broctl/scripts/helpers")::
-Directory for broctl helper scripts.
-[[opt_LibDir]] *LibDir* (string, default "$\{BroBase}/lib")::
-Directory for library files.
-[[opt_LibDirInternal]] *LibDirInternal* (string, default "$\{BroBase}/lib/broctl")::
-Directory for broctl-specific library files.
-[[opt_LocalNetsCfg]] *LocalNetsCfg* (string, default "$\{CfgDir}/networks.cfg")::
-File definining the local networks.
-[[opt_LockFile]] *LockFile* (string, default "$\{SpoolDir}/lock")::
-Lock file preventing concurrent shell operations.
-[[opt_NodeCfg]] *NodeCfg* (string, default "$\{CfgDir}/node.cfg")::
-Node configuration file.
-[[opt_OS]] *OS* (string, default _empty_)::
-Name of operation systems as reported by uname.
-[[opt_PolicyDir]] *PolicyDir* (string, default "$\{BroBase}/share/bro")::
-Directory for standard policy files.
-[[opt_PolicyDirBroCtl]] *PolicyDirBroCtl* (string, default "$\{PolicyDir}/broctl")::
-Directory where the shell copies the additional broctl policy scripts when installing.
-[[opt_PolicyDirSiteInstall]] *PolicyDirSiteInstall* (string, default "$\{PolicyDir}/.site")::
-Directory where the shell copies local policy scripts when installing.
-[[opt_PolicyDirSiteInstallAuto]] *PolicyDirSiteInstallAuto* (string, default "$\{PolicyDir}/.site/auto")::
-Directory where the shell copies auto-generated local policy scripts when installing.
-[[opt_PostProcDir]] *PostProcDir* (string, default "$\{BroBase}/share/broctl/scripts/postprocessors")::
-Directory for log postprocessors.
-[[opt_Scripts-Manager]] *Scripts-Manager* (string, default "cluster-manager")::
-Bro scripts loaded on the manager, separated by spaces.
-[[opt_Scripts-Proxy]] *Scripts-Proxy* (string, default "cluster-proxy")::
-Bro scripts loaded on the proxies, separated by spaces.
-[[opt_Scripts-Standalone]] *Scripts-Standalone* (string, default "standalone")::
-Bro scripts loaded on a standalone Bro, separated by spaces.
-[[opt_Scripts-Worker]] *Scripts-Worker* (string, default "cluster-worker")::
-Bro scripts loaded on the workers, separated by spaces.
-[[opt_ScriptsDir]] *ScriptsDir* (string, default "$\{BroBase}/share/broctl/scripts")::
-Directory for executable scripts shipping as part of broctl.
-[[opt_SpoolDir]] *SpoolDir* (string, default "$\{BroBase}/spool")::
-Directory for run-time data.
-[[opt_StandAlone]] *StandAlone* (bool, default 0)::
-True if running in stand-alone mode (see elsewhere).
-[[opt_StateFile]] *StateFile* (string, default "$\{SpoolDir}/broctl.dat")::
-File storing the current broctl state.
-[[opt_StaticDir]] *StaticDir* (string, default "$\{BroBase}/share/broctl")::
-Directory for static, arch-independent files.
-[[opt_StatsDir]] *StatsDir* (string, default "$\{LogDir}/stats")::
-Directory where statistics are kepts.
-[[opt_StatsLog]] *StatsLog* (string, default "$\{SpoolDir}/stats.log")::
-Log file for statistics.
-[[opt_TemplateDir]] *TemplateDir* (string, default "$\{BroBase}/share/broctl/templates")::
-Directory where the *.in templates are copied into.
-[[opt_Time]] *Time* (string, default _empty_)::
-Path to time binary.
-[[opt_TmpDir]] *TmpDir* (string, default "$\{SpoolDir}/tmp")::
-Directory for temporary data.
-[[opt_TmpExecDir]] *TmpExecDir* (string, default "$\{SpoolDir}/tmp")::
-Directory where binaries are copied before execution.
-[[opt_TraceSummary]] *TraceSummary* (string, default "$\{bindir}/trace-summary")::
-Path to trace-summary script; empty if not available.
-[[opt_Version]] *Version* (string, default _empty_)::
-Version of the broctl.
diff --git a/aux/broctl/TODO b/aux/broctl/TODO
deleted file mode 100644
index 982bbdf5ee..0000000000
--- a/aux/broctl/TODO
+++ /dev/null
@@ -1,21 +0,0 @@
-# $Id: TODO 6813 2009-07-07 18:54:12Z robin $
-
-Shell
-
-   - Unify argument handling for shell's commmands
-
-Bro config
-
-   - Make sessions IDs shorter
-
-Known bugs:
-
-   - We sometimes don't get the return events for
-   Broccoli-communication. Not sure where the problem is.
-
-   - Proxy reports wrong number of peer with "status" if multiple
-   worker sare running on the same box.
-
-   - bin/helpers/* should be more robust against unexpected output. 
-
-
diff --git a/aux/broctl/VERSION b/aux/broctl/VERSION
deleted file mode 100644
index be58634173..0000000000
--- a/aux/broctl/VERSION
+++ /dev/null
@@ -1 +0,0 @@
-0.3
diff --git a/aux/broctl/aux/capstats/AUTHORS b/aux/broctl/aux/capstats/AUTHORS
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/aux/broctl/aux/capstats/COPYING b/aux/broctl/aux/capstats/COPYING
deleted file mode 100644
index 03a48c452f..0000000000
--- a/aux/broctl/aux/capstats/COPYING
+++ /dev/null
@@ -1,35 +0,0 @@
-
-Copyright (c) 2007-2009, Robin Sommer
-
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions
-are met:
-
-    * Redistributions of source code must retain the above copyright
-      notice, this list of conditions and the following disclaimer.
-      
-    * Redistributions in binary form must reproduce the above
-      copyright notice, this list of conditions and the following
-      disclaimer in the documentation and/or other materials provided
-      with the distribution.
-      
-    * Neither the name of the International Computer Science
-      Institute nor the names of its contributors may be used to
-      endorse or promote products derived from this software without
-      specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
-FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
-INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
-BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
-ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGE.
-
diff --git a/aux/broctl/aux/capstats/ChangeLog b/aux/broctl/aux/capstats/ChangeLog
deleted file mode 100644
index a195537d86..0000000000
--- a/aux/broctl/aux/capstats/ChangeLog
+++ /dev/null
@@ -1 +0,0 @@
-See README.
diff --git a/aux/broctl/aux/capstats/INSTALL b/aux/broctl/aux/capstats/INSTALL
deleted file mode 100644
index b42a17ac46..0000000000
--- a/aux/broctl/aux/capstats/INSTALL
+++ /dev/null
@@ -1,182 +0,0 @@
-Basic Installation
-==================
-
-   These are generic installation instructions.
-
-   The `configure' shell script attempts to guess correct values for
-various system-dependent variables used during compilation.  It uses
-those values to create a `Makefile' in each directory of the package.
-It may also create one or more `.h' files containing system-dependent
-definitions.  Finally, it creates a shell script `config.status' that
-you can run in the future to recreate the current configuration, a file
-`config.cache' that saves the results of its tests to speed up
-reconfiguring, and a file `config.log' containing compiler output
-(useful mainly for debugging `configure').
-
-   If you need to do unusual things to compile the package, please try
-to figure out how `configure' could check whether to do them, and mail
-diffs or instructions to the address given in the `README' so they can
-be considered for the next release.  If at some point `config.cache'
-contains results you don't want to keep, you may remove or edit it.
-
-   The file `configure.in' is used to create `configure' by a program
-called `autoconf'.  You only need `configure.in' if you want to change
-it or regenerate `configure' using a newer version of `autoconf'.
-
-The simplest way to compile this package is:
-
-  1. `cd' to the directory containing the package's source code and type
-     `./configure' to configure the package for your system.  If you're
-     using `csh' on an old version of System V, you might need to type
-     `sh ./configure' instead to prevent `csh' from trying to execute
-     `configure' itself.
-
-     Running `configure' takes awhile.  While running, it prints some
-     messages telling which features it is checking for.
-
-  2. Type `make' to compile the package.
-
-  3. Optionally, type `make check' to run any self-tests that come with
-     the package.
-
-  4. Type `make install' to install the programs and any data files and
-     documentation.
-
-  5. You can remove the program binaries and object files from the
-     source code directory by typing `make clean'.  To also remove the
-     files that `configure' created (so you can compile the package for
-     a different kind of computer), type `make distclean'.  There is
-     also a `make maintainer-clean' target, but that is intended mainly
-     for the package's developers.  If you use it, you may have to get
-     all sorts of other programs in order to regenerate files that came
-     with the distribution.
-
-Compilers and Options
-=====================
-
-   Some systems require unusual options for compilation or linking that
-the `configure' script does not know about.  You can give `configure'
-initial values for variables by setting them in the environment.  Using
-a Bourne-compatible shell, you can do that on the command line like
-this:
-     CC=c89 CFLAGS=-O2 LIBS=-lposix ./configure
-
-Or on systems that have the `env' program, you can do it like this:
-     env CPPFLAGS=-I/usr/local/include LDFLAGS=-s ./configure
-
-Compiling For Multiple Architectures
-====================================
-
-   You can compile the package for more than one kind of computer at the
-same time, by placing the object files for each architecture in their
-own directory.  To do this, you must use a version of `make' that
-supports the `VPATH' variable, such as GNU `make'.  `cd' to the
-directory where you want the object files and executables to go and run
-the `configure' script.  `configure' automatically checks for the
-source code in the directory that `configure' is in and in `..'.
-
-   If you have to use a `make' that does not supports the `VPATH'
-variable, you have to compile the package for one architecture at a time
-in the source code directory.  After you have installed the package for
-one architecture, use `make distclean' before reconfiguring for another
-architecture.
-
-Installation Names
-==================
-
-   By default, `make install' will install the package's files in
-`/usr/local/bin', `/usr/local/man', etc.  You can specify an
-installation prefix other than `/usr/local' by giving `configure' the
-option `--prefix=PATH'.
-
-   You can specify separate installation prefixes for
-architecture-specific files and architecture-independent files.  If you
-give `configure' the option `--exec-prefix=PATH', the package will use
-PATH as the prefix for installing programs and libraries.
-Documentation and other data files will still use the regular prefix.
-
-   In addition, if you use an unusual directory layout you can give
-options like `--bindir=PATH' to specify different values for particular
-kinds of files.  Run `configure --help' for a list of the directories
-you can set and what kinds of files go in them.
-
-   If the package supports it, you can cause programs to be installed
-with an extra prefix or suffix on their names by giving `configure' the
-option `--program-prefix=PREFIX' or `--program-suffix=SUFFIX'.
-
-Optional Features
-=================
-
-   Some packages pay attention to `--enable-FEATURE' options to
-`configure', where FEATURE indicates an optional part of the package.
-They may also pay attention to `--with-PACKAGE' options, where PACKAGE
-is something like `gnu-as' or `x' (for the X Window System).  The
-`README' should mention any `--enable-' and `--with-' options that the
-package recognizes.
-
-   For packages that use the X Window System, `configure' can usually
-find the X include and library files automatically, but if it doesn't,
-you can use the `configure' options `--x-includes=DIR' and
-`--x-libraries=DIR' to specify their locations.
-
-Specifying the System Type
-==========================
-
-   There may be some features `configure' can not figure out
-automatically, but needs to determine by the type of host the package
-will run on.  Usually `configure' can figure that out, but if it prints
-a message saying it can not guess the host type, give it the
-`--host=TYPE' option.  TYPE can either be a short name for the system
-type, such as `sun4', or a canonical name with three fields:
-     CPU-COMPANY-SYSTEM
-
-See the file `config.sub' for the possible values of each field.  If
-`config.sub' isn't included in this package, then this package doesn't
-need to know the host type.
-
-   If you are building compiler tools for cross-compiling, you can also
-use the `--target=TYPE' option to select the type of system they will
-produce code for and the `--build=TYPE' option to select the type of
-system on which you are compiling the package.
-
-Sharing Defaults
-================
-
-   If you want to set default values for `configure' scripts to share,
-you can create a site shell script called `config.site' that gives
-default values for variables like `CC', `cache_file', and `prefix'.
-`configure' looks for `PREFIX/share/config.site' if it exists, then
-`PREFIX/etc/config.site' if it exists.  Or, you can set the
-`CONFIG_SITE' environment variable to the location of the site script.
-A warning: not all `configure' scripts look for a site script.
-
-Operation Controls
-==================
-
-   `configure' recognizes the following options to control how it
-operates.
-
-`--cache-file=FILE'
-     Use and save the results of the tests in FILE instead of
-     `./config.cache'.  Set FILE to `/dev/null' to disable caching, for
-     debugging `configure'.
-
-`--help'
-     Print a summary of the options to `configure', and exit.
-
-`--quiet'
-`--silent'
-`-q'
-     Do not print messages saying which checks are being made.  To
-     suppress all normal output, redirect it to `/dev/null' (any error
-     messages will still be shown).
-
-`--srcdir=DIR'
-     Look for the package's source code in directory DIR.  Usually
-     `configure' can determine that directory automatically.
-
-`--version'
-     Print the version of Autoconf used to generate the `configure'
-     script, and exit.
-
-`configure' also accepts some other, not widely useful, options.
diff --git a/aux/broctl/aux/capstats/Makefile.am b/aux/broctl/aux/capstats/Makefile.am
deleted file mode 100644
index 68359269fa..0000000000
--- a/aux/broctl/aux/capstats/Makefile.am
+++ /dev/null
@@ -1,17 +0,0 @@
-
-EXTRA_DIST = autogen.sh VERSION README.html
-
-bin_PROGRAMS = capstats
-
-capstats_SOURCES = capstats.cc version.cc
-capstats_INCLUDES = -I/usr/local
-capstats_LDFLAGS = -L/usr/local
-capstats_LDADD = -lpcap 
-
-version.cc: VERSION
-	@rm -f $@
-	sed -e 's/.*/char Version[] = "&";/' VERSION > $@
-                        
-doc: 
-	-asciidoc --unsafe -a toc -b xhtml11-custom README
-    
diff --git a/aux/broctl/aux/capstats/NEWS b/aux/broctl/aux/capstats/NEWS
deleted file mode 100644
index a195537d86..0000000000
--- a/aux/broctl/aux/capstats/NEWS
+++ /dev/null
@@ -1 +0,0 @@
-See README.
diff --git a/aux/broctl/aux/capstats/README b/aux/broctl/aux/capstats/README
deleted file mode 100644
index 13857bd46a..0000000000
--- a/aux/broctl/aux/capstats/README
+++ /dev/null
@@ -1,69 +0,0 @@
-//	-*- AsciiDoc -*-
-capstats - A quick hack to get some NIC statistics.
-===================================================
-
-Overview
---------
-
-+capstats+ is a quick hack to get some statistics about the current
-load on a network interface, using either
-http://www.tcpdump.org[libpcap] or the native interface for
-http:///www.endace.com[Endace's] DAG cards. It reports statistics
-per time interval and/or for the tool's total run-time.
-
-Here's an example output with output in one-second intervals until +CTRL-C+ is hit:
-
-    >capstats -i nve0 -I 1
-    1186620936.890567 pkts=12747 kpps=12.6 kbytes=10807 mbps=87.5 nic_pkts=12822 nic_drops=0 u=960 t=11705 i=58 o=24 nonip=0
-    1186620937.901490 pkts=13558 kpps=13.4 kbytes=11329 mbps=91.8 nic_pkts=13613 nic_drops=0 u=1795 t=24339 i=119 o=52 nonip=0
-    1186620938.912399 pkts=14771 kpps=14.6 kbytes=13659 mbps=110.7 nic_pkts=14781 nic_drops=0 u=2626 t=38154 i=185 o=111 nonip=0
-    1186620939.012446 pkts=1332 kpps=13.3 kbytes=1129 mbps=92.6 nic_pkts=1367 nic_drops=0 u=2715 t=39387 i=194 o=112 nonip=0
-    === Total 
-    1186620939.012483 pkts=42408 kpps=13.5 kbytes=36925 mbps=96.5 nic_pkts=1 nic_drops=0 u=2715 t=39387 i=194 o=112 nonip=0
-
-Each line starts with a timestamp and the other fields are:
-    
-    pkts:: Absolute number of packets seen by +capstats+ during interval.
-    kpps:: Number of packets per second.
-    kbytes:: Absolute number of KBytes during interval.
-    mbps:: Mbits/sec.
-    nic_pkts:: Number of packets as reported by +libpcap+'s +pcap_stats()+ (may not match _pkts_)
-    nic_drops:: Number of packet drops as reported by +libpcap+'s +pcap_stats()+.
-    u:: Number of UDP packets.
-    t:: Number of TCP packets.
-    i:: Number of ICMP packets.
-    nonip:: Number of non-IP packets.
-    
-A list of all options:
-
-    capstats [Options] -i interface
-    
-       -i| --interface <interface>    Listen on interface
-       -d| --dag                      Use native DAG API
-       -f| --filter <filter>          BPF filter
-       -I| --interval <secs>          Stats logging interval
-       -l| --syslog                   Use syslog rather than print to stderr
-       -n| --number <count>           Stop after outputting <number> intervals
-       -N| --select                   Use select() for live pcap (for testing only)
-       -S| --size <size>              Verify packets to have given <size>
-       -s| --snaplen <size>           Use pcap snaplen <size>
-       -v| --version                  Print version and exit
-       -w| --write <filename>         Write packets to file
-
-Download
---------
-
-Download http://www.icir.org/robin/capstats/capstats-0.12.tar.gz[+capstats-0.12.tar.gz+]
-
-Installation
-------------
-
-   > ./configure
-   > make install
-   
-+capstats+ has been tested on Linux and FreeBSD.    
-    
-    
-
-
-
diff --git a/aux/broctl/aux/capstats/README.html b/aux/broctl/aux/capstats/README.html
deleted file mode 100644
index 8b5dd758a0..0000000000
--- a/aux/broctl/aux/capstats/README.html
+++ /dev/null
@@ -1,564 +0,0 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
-    "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
-<meta name="generator" content="AsciiDoc 8.2.7" />
-<style type="text/css">
-/* Debug borders */
-p, li, dt, dd, div, pre, h1, h2, h3, h4, h5, h6 {
-/*
-  border: 1px solid red;
-
-  margin: 1.8em 10% 1.8em 10%;
-
-*/
-}
-
-body {
-  background:#ffffff;
-  padding: 20px 10px;
-  font-size: 90%;
-  font-family: sans-serif;
-  color: #505050;
-  margin: 2em 10% 2em 10%;
-  line-height: 1.4em;
-}
-
-a {
-  color: #005000;
-}
-
-a:visited {
-  color: #005000;
-}
-
-a:hover {
-  color: #002000;
-}
-
-em {
-  font-style: italic;
-}
-
-strong {
-  font-weight: bold;
-}
-
-tt {
-  color: #000000;
-}
-
-h1, h2, h3, h4, h5, h6, div#toctitle {
-  color: #227022;
-  font-family: sans-serif;
-  margin-top: 1.2em;
-  margin-bottom: 0.5em;
-  line-height: 1.3;
-  font-weight: normal;
-}
-
-h1, h2, h3, div#toctitle {
-  border-bottom: 1px solid;
-  border-color: #000000;
-}
-
-h1 {
-  font-size: 150%;
-  }
-
-h2, div#toctitle {
-  padding-top: 0.5em;
-  font-size: 120%;
-}
-h3 {
-  float: left;
-  font-size: 100%;
-}
-h3 + * {
-  clear: left;
-}
-
-div.sectionbody {
-  font-family: sans-serif;
-  margin-left: 0;
-}
-
-hr {
-  border: 1px solid;
-}
-
-p {
-  margin-top: 0.5em;
-  margin-bottom: 0.5em;
-}
-
-pre {
-  padding: 0;
-  margin: 0;
-}
-
-span#author {
-  color: #338033;
-  font-family: sans-serif;
-  font-size: 100%;
-}
-span#email {
-}
-span#revision {
-  font-family: sans-serif;
-}
-
-div#footer {
-  font-family: sans-serif;
-  font-size: 70%;
-  border-top: 1px solid;
-  padding-top: 0.5em;
-  margin-top: 4.0em;
-}
-div#footer-text {
-  float: left;
-  padding-bottom: 0.5em;
-}
-div#footer-badges {
-  float: right;
-  padding-bottom: 0.5em;
-}
-
-div#preamble,
-div.tableblock, div.imageblock, div.exampleblock, div.verseblock,
-div.quoteblock, div.literalblock, div.listingblock, div.sidebarblock,
-div.admonitionblock {
-  margin-top: 1.1em;
-  margin-left: 1em;
-  margin-bottom: 1.1em;
-/*  background: #eeffcc; */
-}
-div.admonitionblock {
-  margin-top: 2.5em;
-  margin-bottom: 2.5em;
-}
-
-div.content { /* Block element content. */
-  padding: 0;
-}
-
-/* Block element titles. */
-div.title, caption.title {
-  font-family: sans-serif;
-  text-align: left;
-  margin-top: 1.0em;
-  margin-bottom: 0.5em;
-}
-div.title + * {
-  margin-top: 0;
-}
-
-td div.title:first-child {
-  margin-top: 0.0em;
-}
-div.content div.title:first-child {
-  margin-top: 0.0em;
-}
-div.content + div.title {
-  margin-top: 0.0em;
-}
-
-div.sidebarblock > div.content {
-  background: #ffffee;
-  border: 1px solid;
-  padding: 0.5em;
-}
-
-div.listingblock {
-  margin-right: 0%;
-}
-div.listingblock > div.content {
-  border: 1px solid;
-  background: #f4f4f4;
-  padding: 0.5em;
-}
-
-div.quoteblock > div.content {
-  padding-left: 2.0em;
-}
-
-div.attribution {
-  text-align: right;
-}
-
-div.verseblock + div.attribution {
-  text-align: left;
-}
-
-div.admonitionblock .icon {
-  vertical-align: top;
-  font-size: 100%;
-  color: #338033;
-  padding-right: 0.5em;
-}
-div.admonitionblock td.content {
-  padding-left: 0.5em;
-  border-left: 2px solid;
-}
-
-div.exampleblock > div.content {
-  border-left: 2px solid;
-  padding: 0.5em;
-}
-
-div.verseblock div.content {
-  white-space: pre;
-}
-
-div.imageblock div.content { padding-left: 0; }
-div.imageblock img { border: 1px solid ; }
-span.image img { border-style: none; }
-
-dl {
-  margin-top: 0.8em;
-  margin-bottom: 0.8em;
-}
-dt {
-  margin-top: 0.5em;
-  margin-bottom: 0;
-  font-style: italic;
-}
-dd > *:first-child {
-  margin-top: 0;
-}
-
-ul, ol {
-    list-style-position: outside;
-}
-ol.olist2 {
-  list-style-type: lower-alpha;
-}
-
-div.tableblock > table {
-  border: 1px solid #527bbd;
-}
-
-div.addrblock > table {
-  border: 0px 0px 0px 0px;
-  border-style: none none none none;
-  padding: 0px;
-  margin: 10px;
-  color: #000000;
-}
-
-table.addrblockbg {
-  /*
-  border-top: 1px solid;
-  border-bottom: 1px solid;
-  */
-  background: #e0ffe0 ;
-  border-style: none;
-  outline-style: none;
-}
-
-thead {
-  font-family: sans-serif;
-  color: #000000;
-}
-tfoot {
-  font-weight: bold;
-  color: #000000;
-}
-
-div.hlist {
-  margin-top: 0.8em;
-  margin-bottom: 0.8em;
-}
-div.hlist td {
-  padding-bottom: 5px;
-}
-td.hlist1 {
-  vertical-align: top;
-  font-style: italic;
-  padding-right: 0.8em;
-}
-td.hlist2 {
-  vertical-align: top;
-}
-
-@media print {
-  div#footer-badges { display: none; }
-}
-
-div.toclevel1, div.toclevel2, div.toclevel3, div.toclevel4 {
-  margin-top: .5ex;
-  margin-bottom: 0;
-  margin-left: 2em;
-  line-height: 1.3;
-}
-div.toclevel1 {
-  margin-top: 1ex;
-}
-div.toclevel2 {
-  margin-left: 4em;
-}
-
-div.toclevel3 {
-  margin-left: 6em;
-}
-div.toclevel4 {
-  margin-left: 8em;
-}
-/* Workarounds for IE6's broken and incomplete CSS2. */
-
-div.sidebar-content {
-  background: #ffffee;
-  border: 1px solid silver;
-  padding: 0.5em;
-}
-div.sidebar-title, div.image-title {
-  font-family: sans-serif;
-  font-weight: bold;
-  margin-top: 0.0em;
-  margin-bottom: 0.5em;
-}
-
-div.listingblock div.content {
-  border: 1px solid silver;
-  background: #f4f4f4;
-  padding: 0.5em;
-}
-
-div.quoteblock-content {
-  padding-left: 2.0em;
-}
-
-div.exampleblock-content {
-  border-left: 2px solid silver;
-  padding-left: 0.5em;
-}
-
-/* IE6 sets dynamically generated links as visited. */
-div#toc a:visited { color: blue; }
-</style>
-<script type="text/javascript">
-/*<![CDATA[*/
-window.onload = function(){generateToc(2)}
-/* Author: Mihai Bazon, September 2002
- * http://students.infoiasi.ro/~mishoo
- *
- * Table Of Content generator
- * Version: 0.4
- *
- * Feel free to use this script under the terms of the GNU General Public
- * License, as long as you do not remove or alter this notice.
- */
-
- /* modified by Troy D. Hanson, September 2006. License: GPL */
- /* modified by Stuart Rackham, October 2006. License: GPL */
-
-function getText(el) {
-  var text = "";
-  for (var i = el.firstChild; i != null; i = i.nextSibling) {
-    if (i.nodeType == 3 /* Node.TEXT_NODE */) // IE doesn't speak constants.
-      text += i.data;
-    else if (i.firstChild != null)
-      text += getText(i);
-  }
-  return text;
-}
-
-function TocEntry(el, text, toclevel) {
-  this.element = el;
-  this.text = text;
-  this.toclevel = toclevel;
-}
-
-function tocEntries(el, toclevels) {
-  var result = new Array;
-  var re = new RegExp('[hH]([2-'+(toclevels+1)+'])');
-  // Function that scans the DOM tree for header elements (the DOM2
-  // nodeIterator API would be a better technique but not supported by all
-  // browsers).
-  var iterate = function (el) {
-    for (var i = el.firstChild; i != null; i = i.nextSibling) {
-      if (i.nodeType == 1 /* Node.ELEMENT_NODE */) {
-        var mo = re.exec(i.tagName)
-        if (mo)
-          result[result.length] = new TocEntry(i, getText(i), mo[1]-1);
-        iterate(i);
-      }
-    }
-  }
-  iterate(el);
-  return result;
-}
-
-// This function does the work. toclevels = 1..4.
-function generateToc(toclevels) {
-  var toc = document.getElementById("toc");
-  var entries = tocEntries(document.getElementsByTagName("body")[0], toclevels);
-  for (var i = 0; i < entries.length; ++i) {
-    var entry = entries[i];
-    if (entry.element.id == "")
-      entry.element.id = "toc" + i;
-    var a = document.createElement("a");
-    a.href = "#" + entry.element.id;
-    a.appendChild(document.createTextNode(entry.text));
-    var div = document.createElement("div");
-    div.appendChild(a);
-    div.className = "toclevel" + entry.toclevel;
-    toc.appendChild(div);
-  }
-  if (entries.length == 0)
-    document.getElementById("header").removeChild(toc);
-}
-/*]]>*/
-</script>
-<title>capstats - A quick hack to get some NIC statistics.</title>
-</head>
-<body>
-<div id="header">
-<h1>capstats - A quick hack to get some NIC statistics.</h1>
-<div id="toc">
-  <div id="toctitle">Table of Contents</div>
-  <noscript><p><b>JavaScript must be enabled in your browser to display the table of contents.</b></p></noscript>
-</div>
-</div>
-<h2><a id="_overview"></a>Overview</h2><p/>
-<div class="sectionbody">
-<p><tt>capstats</tt> is a quick hack to get some statistics about the current
-load on a network interface, using either
-<a href="http://www.tcpdump.org">libpcap</a> or the native interface for
-<a href="http:///www.endace.com">Endace's</a> DAG cards. It reports statistics
-per time interval and/or for the tool's total run-time.</p>
-<p>Here's an example output with output in one-second intervals until <tt>CTRL-C</tt> is hit:</p>
-<div class="literalblock">
-<div class="content">
-<pre><tt>&gt;capstats -i nve0 -I 1
-1186620936.890567 pkts=12747 kpps=12.6 kbytes=10807 mbps=87.5 nic_pkts=12822 nic_drops=0 u=960 t=11705 i=58 o=24 nonip=0
-1186620937.901490 pkts=13558 kpps=13.4 kbytes=11329 mbps=91.8 nic_pkts=13613 nic_drops=0 u=1795 t=24339 i=119 o=52 nonip=0
-1186620938.912399 pkts=14771 kpps=14.6 kbytes=13659 mbps=110.7 nic_pkts=14781 nic_drops=0 u=2626 t=38154 i=185 o=111 nonip=0
-1186620939.012446 pkts=1332 kpps=13.3 kbytes=1129 mbps=92.6 nic_pkts=1367 nic_drops=0 u=2715 t=39387 i=194 o=112 nonip=0
-=== Total
-1186620939.012483 pkts=42408 kpps=13.5 kbytes=36925 mbps=96.5 nic_pkts=1 nic_drops=0 u=2715 t=39387 i=194 o=112 nonip=0</tt></pre>
-</div></div>
-<p>Each line starts with a timestamp and the other fields are:</p>
-<div class="hlist"><table>
-<tr>
-<td class="hlist1">
-pkts
-</td>
-<td class="hlist2">
-Absolute number of packets seen by <tt>capstats</tt> during interval.
-</td>
-</tr>
-<tr>
-<td class="hlist1">
-kpps
-</td>
-<td class="hlist2">
-Number of packets per second.
-</td>
-</tr>
-<tr>
-<td class="hlist1">
-kbytes
-</td>
-<td class="hlist2">
-Absolute number of KBytes during interval.
-</td>
-</tr>
-<tr>
-<td class="hlist1">
-mbps
-</td>
-<td class="hlist2">
-Mbits/sec.
-</td>
-</tr>
-<tr>
-<td class="hlist1">
-nic_pkts
-</td>
-<td class="hlist2">
-Number of packets as reported by <tt>libpcap</tt>'s <tt>pcap_stats()</tt> (may not match <em>pkts</em>)
-</td>
-</tr>
-<tr>
-<td class="hlist1">
-nic_drops
-</td>
-<td class="hlist2">
-Number of packet drops as reported by <tt>libpcap</tt>'s <tt>pcap_stats()</tt>.
-</td>
-</tr>
-<tr>
-<td class="hlist1">
-u
-</td>
-<td class="hlist2">
-Number of UDP packets.
-</td>
-</tr>
-<tr>
-<td class="hlist1">
-t
-</td>
-<td class="hlist2">
-Number of TCP packets.
-</td>
-</tr>
-<tr>
-<td class="hlist1">
-i
-</td>
-<td class="hlist2">
-Number of ICMP packets.
-</td>
-</tr>
-<tr>
-<td class="hlist1">
-nonip
-</td>
-<td class="hlist2">
-Number of non-IP packets.
-</td>
-</tr>
-</table></div>
-<p>A list of all options:</p>
-<div class="literalblock">
-<div class="content">
-<pre><tt>capstats [Options] -i interface</tt></pre>
-</div></div>
-<div class="literalblock">
-<div class="content">
-<pre><tt>-i| --interface &lt;interface&gt;    Listen on interface
--d| --dag                      Use native DAG API
--f| --filter &lt;filter&gt;          BPF filter
--I| --interval &lt;secs&gt;          Stats logging interval
--l| --syslog                   Use syslog rather than print to stderr
--n| --number &lt;count&gt;           Stop after outputting &lt;number&gt; intervals
--N| --select                   Use select() for live pcap (for testing only)
--S| --size &lt;size&gt;              Verify packets to have given &lt;size&gt;
--s| --snaplen &lt;size&gt;           Use pcap snaplen &lt;size&gt;
--v| --version                  Print version and exit
--w| --write &lt;filename&gt;         Write packets to file</tt></pre>
-</div></div>
-</div>
-<h2><a id="_download"></a>Download</h2><p/>
-<div class="sectionbody">
-<p>Download <a href="http://www.icir.org/robin/capstats/capstats-0.12.tar.gz"><tt>capstats-0.12.tar.gz</tt></a></p>
-</div>
-<h2><a id="_installation"></a>Installation</h2><p/>
-<div class="sectionbody">
-<div class="literalblock">
-<div class="content">
-<pre><tt>&gt; ./configure
-&gt; make install</tt></pre>
-</div></div>
-<p><tt>capstats</tt> has been tested on Linux and FreeBSD.</p>
-</div>
-<div id="footer">
-<div id="footer-text">
-<a href="http://www.icir.org/robin">Back to Homepage</a><br />
-</div>
-</div>
-</body>
-</html>
diff --git a/aux/broctl/aux/capstats/VERSION b/aux/broctl/aux/capstats/VERSION
deleted file mode 100644
index fe5c3f69a3..0000000000
--- a/aux/broctl/aux/capstats/VERSION
+++ /dev/null
@@ -1 +0,0 @@
-0.12pre
diff --git a/aux/broctl/aux/capstats/autogen.sh b/aux/broctl/aux/capstats/autogen.sh
deleted file mode 100755
index 29891b7e38..0000000000
--- a/aux/broctl/aux/capstats/autogen.sh
+++ /dev/null
@@ -1,9 +0,0 @@
-touch NEWS README AUTHORS ChangeLog
-
-rm -rf autom4te.cache aclocal.m4
-
-aclocal
-autoheader
-autoconf 
-automake -a
-
diff --git a/aux/broctl/aux/capstats/capstats.cc b/aux/broctl/aux/capstats/capstats.cc
deleted file mode 100644
index b38bf9a3f7..0000000000
--- a/aux/broctl/aux/capstats/capstats.cc
+++ /dev/null
@@ -1,610 +0,0 @@
-// $Id: capstats.cc 6813 2009-07-07 18:54:12Z robin $
-// 
-// Counts captured packets. 
-// 
-// Robin Sommer <robin@icir.org>
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <stdarg.h>
-#include <getopt.h>
-#include <string.h>
-#include <pcap.h>
-#include <errno.h>
-#include <net/ethernet.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#include <signal.h>
-#include <unistd.h>
-#include <time.h>
-#include <iostream>
-#include <syslog.h>
-
-#include "config.h"
-
-extern char Version[];
-
-#ifdef USE_DAG
-# include <dagapi.h>
-// Length of ERF Header before Ethernet header.
-# define DAG_ETH_ERFLEN 18
-# define EXTRA_WINDOW_SIZE (4 * 1024 * 1024)
-#endif 
-
-bool CheckPayload = false;
-bool WritePackets = false;
-bool CheckSize = false;
-bool UseDag = false;
-bool UseSyslog = false;
-const char *Filter;
-const char *Interface = 0;
-const char *OutputFile = 0;
-int Interval = 0;
-int Payload = 0;
-int SnapLen = 8192;
-int NumberInts = 0;
-int UseSelect = false;
-unsigned int Size = 0;
-pcap_dumper_t *Dumper;
-
-bool GotBreak = false;
-bool GotAlarm = false;
-
-double current_time();
-
-struct Stats {
-    unsigned long packets;
-    unsigned long bytes;
-    unsigned long size_mismatches;
-    unsigned long payload_mismatches;
-    unsigned long dag_drops;
-    unsigned long dag_all;
-    unsigned long proto[256];
-    unsigned long non_ip;
-    double start;
-
-    Stats() { clear(); }
-
-    void clear() {
-        memset(proto, sizeof(proto), 0);
-        packets = bytes = size_mismatches = payload_mismatches = non_ip = 0;
-        dag_drops = dag_all = 0;
-        start = current_time();
-    }
-};
-
-Stats Total;
-Stats Current;
-
-unsigned long HdrSize = 14; // Ethernet
-
-pcap_t* Pcap = 0;
-struct bpf_program* Bpf = 0;
-int Dag = -1;
-
-const char* fmt_log(const char* prefix, const char* fmt, va_list ap)
-{
-    const int SIZE = 32768;
-    static char buffer[SIZE];
-    int n = 0;
-
-    n += snprintf(buffer + n, SIZE - n, "%s: ", prefix);
-	n += vsnprintf(buffer + n, SIZE - n, fmt, ap);
-
-    strcat(buffer + n, "\n");
-
-    return buffer;
-}
-
-void logMsg(const char* msg)
-{
-    if (UseSyslog) 
-        syslog(LOG_NOTICE, "%s", msg);
-    else 
-        fprintf(stderr, "%.6f %s\n", current_time(), msg);
-}
-
-void error(const char* fmt, ...)
-{
-    va_list ap;
-    va_start(ap, fmt);
-    const char* msg = fmt_log("error", fmt, ap);
-    va_end(ap);
-    fputs(msg, stdout);
-    exit(1);
-}
-
-double current_time()
-{
-    struct timeval tv;
-    if ( gettimeofday(&tv, 0) < 0 )
-        error("gettimeofday failed in current_time()");
-
-    return double(tv.tv_sec) + double(tv.tv_usec) / 1e6;
-}
-
-void setFilter()
-{
-    Bpf = new bpf_program;
-
-    if ( pcap_compile(Pcap, Bpf, (char*)Filter, 1, 0) < 0 )
-        error("can't compile %s: %s", Filter, pcap_geterr(Pcap));
-
-    if ( pcap_setfilter(Pcap, Bpf) < 0 ) 
-        error("can't set filter: %s", pcap_geterr(Pcap));
-}
-
-void pcapOpen()
-{
-    static char errbuf[PCAP_ERRBUF_SIZE];
-
-    Pcap = pcap_open_live((char *)Interface, SnapLen, 1, UseSelect ? 1 : 10, errbuf);
-
-    if ( ! Pcap )
-        error("%s", errbuf);
-
-#ifdef HAVE_LINUX
-    // Copied from Bro (we generally mimic how Bro is doing non-blocking i/o.)   
-    //    We use the smallest time-out possible to return almost immediately if
-    //    no packets are available. (We can't use set_nonblocking() as it's
-    //    broken on FreeBSD: even when select() indicates that we can read
-    //    something, we may get nothing if the store buffer hasn't filled up
-    //    yet.)
-	if ( pcap_setnonblock(Pcap, 1, errbuf) < 0 )
-        error("%s", errbuf);
-#endif
-
-	int dl = pcap_datalink(Pcap);
-    if ( dl != DLT_EN10MB )
-		error("unknown data link type 0x%x", dl);
-
-    if ( Filter )
-        setFilter();
-}
-
-bool pcapNext(const u_char **pkt, unsigned int *size)
-{
-    struct pcap_pkthdr* hdr;
-    const u_char* data;
-    int result;
-
-    if ( UseSelect ) {
-        int fd = pcap_fileno(Pcap);
-
-        struct timeval timeout;
-        timeout.tv_sec = 0;
-        timeout.tv_usec = 0;
-
-        fd_set fd_read;
-        FD_ZERO(&fd_read);
-        FD_SET(fd, &fd_read);
-
-        if ( select(fd + 1, &fd_read, 0, 0, &timeout) <= 0 ) {
-            // Wait a bit to allow packets to arrive for next time.
-            // This might look a bit odd (i.e., we could use a larger timeout 
-            // right away) but we try to mimic the way Bro operates.
-            struct timeval timeout;
-            timeout.tv_sec = 0;
-            timeout.tv_usec = 20;
-            select(0, 0, 0, 0, &timeout);
-            return false;
-        }
-    }
-
-    result = pcap_next_ex(Pcap, &hdr, &data);
-
-    if ( result < 0 )
-        error("no more input");
-
-    if ( result == 0 )
-        return false;
-
-    *pkt = data;
-    *size = hdr->caplen;
-
-    if ( WritePackets )
-        pcap_dump((u_char*) Dumper, hdr, data);
-
-    return true;
-}
-
-void pcapStats(unsigned int* pkts, unsigned int* drops)
-{
-    static pcap_stat stats;
-    if ( pcap_stats(Pcap, &stats) < 0 )
-        error("can't get pcap stats");
-
-#ifdef HAVE_LINUX
-	// Linux clears its counters each time.
-    if ( pkts )
-        *pkts = stats.ps_recv;
-
-    if ( drops )
-        *drops = stats.ps_drop;
-#else   
-    static pcap_stat *last_stats = 0;
-
-    if ( ! last_stats ) {
-        last_stats = new pcap_stat;
-        last_stats->ps_recv = 0;
-        last_stats->ps_drop = 0;
-    }
-
-    if ( pkts )
-        *pkts = stats.ps_recv - last_stats->ps_recv;
-
-    if ( drops )
-        *drops = stats.ps_drop - last_stats->ps_drop;
-
-    *last_stats = stats;
-#endif
-}
-
-void pcapClose()
-{
-    pcap_close(Pcap);
-}
-
-void dagOpen()
-{
-#ifdef USE_DAG
-	Dag = dag_open((char*)Interface);
-	if ( Dag < 0 )
-		error("can't open dag interface %s", Interface);
-
-	int dag_recordtype = dag_linktype(Dag);
-	if ( dag_recordtype < TYPE_MIN || dag_recordtype > TYPE_MAX )
-		error("dag_linktype");
-
-	if ( dag_recordtype != TYPE_ETH )
-		error("unsupported DAG link type 0x%x", dag_recordtype);
-
-	// long= is needed to prevent the DAG card from truncating jumbo frames.
-	const char* dag_configure_string = "slen=1500 varlen long=1500";
-
-	if ( dag_configure(Dag, (char*)dag_configure_string) < 0 )
-		error("dag_configure");
-
-	if ( dag_attach_stream(Dag, 0, 0, EXTRA_WINDOW_SIZE) < 0 )
-		error("dag_attach_stream");
-
-	if ( dag_start_stream(Dag, 0) < 0 )
-		error("dag_start_stream");
-
-    // We open a dummy pcap file to get access to pcap data structures.
-	Pcap = pcap_open_dead(DLT_EN10MB, 1500);
-	if ( ! Pcap )
-		error("pcap_open_dead");
-
-    if ( Filter )
-        setFilter();
-
-#endif    
-}
-
-bool dagNext(const u_char **pkt, unsigned int *size)
-{
-#ifdef USE_DAG
-    struct bpf_insn* fcode = 0;
-
-    if ( Filter ) {
-        fcode = Bpf->bf_insns;
-        if ( ! fcode )
-            error("filter code not valid when extracting DAG packet");
-    }
-
-    dag_record_t* r = (dag_record_t*) dag_rx_stream_next_record(Dag, 0);
-
-    if ( ! r ) {
-        if ( errno == EAGAIN )
-            // Dry.
-            return false;
-
-        error("dag_rx_stream_next_record: %s", strerror(errno));
-    }
-
-    *size = ntohs(r->rlen) - DAG_ETH_ERFLEN;
-    *pkt = (const u_char*) r->rec.eth.dst;
-    Current.dag_drops += ntohs(r->lctr);
-    Total.dag_drops += ntohs(r->lctr);
-
-    if ( fcode && ! bpf_filter(fcode, (u_char*) *pkt, *size, *size) )
-        return false;
-
-    return true;
-
-#else
-    return false;
-#endif    
-}
-
-void dagStats(unsigned int* pkts, unsigned int* drops, const Stats& s)
-{
-    *pkts = s.dag_all;
-    *drops = s.dag_drops;
-}
-
-void dagClose()
-{
-#ifdef USE_DAG
-    dag_stop_stream(Dag, 0);
-    dag_detach_stream(Dag, 0);
-    dag_close(Dag);
-#endif 
-}
-
-void reportStats(const Stats& s)
-{
-    unsigned int pkts = 0, drops = 0;
-    const int SIZE = 32768;
-    static char buffer[SIZE];
-    int n = 0;
-    int i;
-    unsigned long proto_other = 0;
-
-    if ( UseDag )
-        dagStats(&pkts, &drops, s);
-    else
-        pcapStats(&pkts, &drops);
-
-    double dt = current_time() - s.start;
-
-    double pps = s.packets / dt;
-    double mbps = s.bytes / dt * 8 / 1000 / 1000;
-
-    n += snprintf(buffer+n, SIZE-n, "pkts=%lu kpps=%.1f kbytes=%lu mbps=%.1f nic_pkts=%u nic_drops=%u",
-            s.packets, pps / 1000,
-            s.bytes / 1024, mbps,
-            pkts, drops);
-
-    for ( i=0; i<256; i++ )
-        if ( i != IPPROTO_UDP && i != IPPROTO_TCP && i != IPPROTO_ICMP )
-            proto_other += s.proto[i];
-
-    n += snprintf(buffer+n, SIZE-n, " u=%lu t=%lu i=%lu o=%lu nonip=%lu",
-                  s.proto[IPPROTO_UDP], s.proto[IPPROTO_TCP], s.proto[IPPROTO_ICMP], proto_other, s.non_ip);
-
-    if ( CheckSize )
-        n += snprintf(buffer+n, SIZE-n, " size_mism=%lu", s.size_mismatches);
-
-    if ( CheckPayload )
-        n += snprintf(buffer+n, SIZE-n, " payload_mism=%lu", s.size_mismatches);
-
-    logMsg(buffer);
-
-    Current.clear();
-}
-
-void alarmHandler(int signo)
-{
-    GotAlarm = true;
-}
-
-void scheduleAlarm()
-{
-    GotAlarm = false;
-    if ( Interval ) {
-        signal(SIGALRM, alarmHandler);
-        alarm(Interval);
-    }
-}
-
-void mainLoop()
-{
-    while ( ! GotBreak ) {        
-
-        if ( GotAlarm ) {
-            reportStats(Current);
-            scheduleAlarm();
-
-            if ( NumberInts == 1 )
-                exit(0);
-
-            if ( NumberInts )
-                NumberInts--;
-        }
-
-        bool result;
-        unsigned int size;
-        const u_char* pkt;
-        const struct ip *ip;
-        const struct ether_header *eh;
-
-        if ( UseDag )
-            result = dagNext(&pkt, &size);
-        else
-            result = pcapNext(&pkt, &size);
-
-        if ( ! result )
-            continue;
-
-        eh = (struct ether_header*)pkt;
-        if ( ntohs(eh->ether_type) == ETHERTYPE_IP ) {
-            ip = (struct ip*)(pkt + HdrSize);
-            ++Current.proto[ip->ip_p];
-            ++Total.proto[ip->ip_p];
-        }
-        else {
-            ++Current.non_ip;
-            ++Total.non_ip;
-        }
-
-        size -= HdrSize;
-        pkt += HdrSize;
-
-        ++Current.packets;
-        ++Total.packets;
-        Current.bytes += size;
-        Total.bytes += size;
-
-        if ( CheckSize )
-            if ( size != Size ) {
-                ++Current.size_mismatches;
-                ++Total.size_mismatches;
-            }
-
-        if ( CheckPayload )
-            for ( unsigned int i = 0; i < size; i++ ) {
-                if ( pkt[i] != Payload ) {
-                    ++Current.payload_mismatches;
-                    ++Total.payload_mismatches;
-                    break;
-                }
-            }
-
-    }
-}
-
-void breakHandler(int signo)
-{
-    GotBreak = true;
-}
-
-void usage()
-{
-    printf("capstats [Options] -i interface\n"
-           "\n"
-           "  -i| --interface <interface>    Listen on interface\n"
-           "  -d| --dag                      Use native DAG API\n"
-           "  -f| --filter <filter>          BPF filter\n"
-           "  -I| --interval <secs>          Stats logging interval\n"
-           "  -l| --syslog                   Use syslog rather than print to stderr\n"
-           "  -n| --number <count>           Stop after outputting <number> intervals\n"
-           "  -N| --select                   Use select() for live pcap (for testing only)\n"
-           "  -S| --size <size>              Verify packets to have given <size>\n"
-           "  -s| --snaplen <size>           Use pcap snaplen = <size>\n"
-           "  -v| --version                  Print version and exit\n"
-           "  -w| --write <filename>         Write packets to file\n"
-           "\n");
-
-    exit(1);
-}
-
-static struct option long_options[] = {
-    {"dag", no_argument, 0, 'd'},
-    {"filter", required_argument, 0, 'f'},
-    {"interface", required_argument, 0, 'i'},
-    {"interval", required_argument, 0, 'I'},
-    {"number", required_argument, 0, 'n'},
-    {"select", no_argument, 0, 'N'},
-    {"syslog", no_argument, 0, 'l'},
-    {"payload", required_argument, 0, 'p'},
-    {"size", required_argument, 0, 'S'},
-    {"snaplen", required_argument, 0, 's'},
-    {"version", no_argument, 0, 'v'},
-    {"write", required_argument, 0, 's'},
-    {0, 0, 0, 0}
-};
-
-int main(int argc, char **argv)
-{
-    while (1) {
-        char c = getopt_long (argc, argv, "df:i:I:n:Nps:lvw:S:", long_options, 0);
-
-        if ( c == -1 )
-            break;
-
-        switch ( c ) {
-          case 'd':
-            UseDag = true;
-            break;
-
-          case 'f':
-            Filter = optarg;
-            break;
-
-          case 'i':
-            Interface = optarg;
-            break;
-
-          case 'I':
-            Interval = atoi(optarg);
-            break;
-
-          case 'l':
-            UseSyslog = true;
-            break;
-
-          case 'n':
-            NumberInts = atoi(optarg);
-            break;
-
-          case 'N':
-            UseSelect = true;
-            break;
-
-          case 'p':
-            CheckPayload = true;
-            Payload = atoi(optarg);
-            break;
-
-          case 'S':
-            CheckSize = true;
-            Size = atoi(optarg);
-            break;
-
-          case 's':
-            SnapLen = atoi(optarg);
-            break;
-
-          case 'w':
-            OutputFile = optarg;
-            WritePackets = true;
-            break;
-
-          case 'v':
-            fprintf(stderr, "capstats %s\n", Version);
-            exit(0);
-            break;
-
-          default:
-            usage();
-        }
-    }
-
-    if ( optind != argc )
-        usage();
-
-    if ( ! Interface )
-        error("no interface given");
-
-    openlog("capstats", LOG_PID, LOG_NOTICE);
-    syslog(LOG_NOTICE, "starting if=%s interval=%d filter=%s", Interface, Interval, Filter);
-
-    if ( UseDag ) 
-        dagOpen();
-    else 
-        pcapOpen();
-
-    if ( WritePackets ) {
-        Dumper = pcap_dump_open(Pcap, OutputFile);
-        if (not Dumper) 
-            error("can't open pcap dump file: %s", pcap_geterr(Pcap));
-    }
-
-    signal(SIGINT, breakHandler);
-    signal(SIGTERM, breakHandler);
-    scheduleAlarm();
-
-    pcapStats(0, 0);
-    mainLoop();  
-
-    reportStats(Current);
-    logMsg("\n=== Total\n");
-    reportStats(Total);
-
-    if ( UseDag ) 
-        dagClose();
-    else 
-        pcapClose();
-
-    if ( Dumper ) 
-        pcap_dump_close(Dumper);
-
-    syslog(LOG_NOTICE, "exiting...");
-    return 0;
-    }
-
-
-
diff --git a/aux/broctl/aux/capstats/configure.ac b/aux/broctl/aux/capstats/configure.ac
deleted file mode 100644
index b87bd78ebc..0000000000
--- a/aux/broctl/aux/capstats/configure.ac
+++ /dev/null
@@ -1,78 +0,0 @@
-#                                               -*- Autoconf -*-
-# Process this file with autoconf to produce a configure script.
-
-AC_PREREQ(2.59)
-AC_INIT(capstats, esyscmd([tr -d '\n' < VERSION]), robin@icir.org)
-AM_INIT_AUTOMAKE
-
-AC_CONFIG_SRCDIR([capstats.cc])
-AM_CONFIG_HEADER([config.h])
-
-# Checks for programs.
-AC_PROG_CXX
-AC_PROG_CC
-
-AC_ARG_WITH(dag,
-       [  --with-dag=PATH         path to the DAG library (for native support for Endace Tech.'s DAG monitoring cards)],
-        if test "$withval" != "no" -a "$withval" != "NO"; then
-                use_dag=yes
-                DAGPATH="$withval"
-                LDFLAGS="${LDFLAGS} -L${DAGPATH}/lib "
-                V_INCLS="${V_INCLS} -I${DAGPATH}/include"
-        else
-                use_dag=no
-        fi
-        )
-
-# Checks for libraries.
-AC_CHECK_LIB([pcap], [dag_open])
-
-# Checks for header files.
-AC_HEADER_STDC
-AC_CHECK_HEADERS([netinet/in.h stdlib.h string.h syslog.h unistd.h])
-
-# Checks for typedefs, structures, and compiler characteristics.
-AC_HEADER_STDBOOL
-AC_C_CONST
-AC_HEADER_TIME
-
-# Checks for library functions.
-AC_FUNC_ERROR_AT_LINE
-AC_TYPE_SIGNAL
-AC_CHECK_FUNCS([alarm gettimeofday memset strerror])
-
-# Check for OS.
-case "$target_os" in
-linux*)
-        AC_DEFINE(HAVE_LINUX,,[We are on a Linux system])
-        ;;
-esac
-
-dnl ################################################
-dnl # Endace DAG support
-dnl ################################################
-
-if test "$use_dag" != "no" -a "$use_dag" != "NO"; then
-        AC_CHECK_LIB(dag, dag_open, use_dag=yes, use_dag=no)
-        AC_CHECK_HEADER(pcap.h,,use_dag=no)
-
-        if test "$use_dag" = "yes"; then
-                  AC_DEFINE(USE_DAG,,[Include Endace DAG support])
-                  LIBS="${LIBS} -ldag"
-        fi
-else
-        use_dag=no
-fi
-dnl #################################################
-
-AC_CONFIG_FILES([Makefile])
-AC_OUTPUT
-
-echo  
-echo "           Capstats Configuration Summary"
-echo "=========================================================="
-echo
-echo Configuration Summary:
-echo "  - DAG support: "$use_dag
-echo
-
diff --git a/aux/broctl/aux/pysubnettree/LICENSE b/aux/broctl/aux/pysubnettree/LICENSE
deleted file mode 100644
index 03a48c452f..0000000000
--- a/aux/broctl/aux/pysubnettree/LICENSE
+++ /dev/null
@@ -1,35 +0,0 @@
-
-Copyright (c) 2007-2009, Robin Sommer
-
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions
-are met:
-
-    * Redistributions of source code must retain the above copyright
-      notice, this list of conditions and the following disclaimer.
-      
-    * Redistributions in binary form must reproduce the above
-      copyright notice, this list of conditions and the following
-      disclaimer in the documentation and/or other materials provided
-      with the distribution.
-      
-    * Neither the name of the International Computer Science
-      Institute nor the names of its contributors may be used to
-      endorse or promote products derived from this software without
-      specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
-FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
-INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
-BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
-ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGE.
-
diff --git a/aux/broctl/aux/pysubnettree/Makefile b/aux/broctl/aux/pysubnettree/Makefile
deleted file mode 100644
index e3db026b4b..0000000000
--- a/aux/broctl/aux/pysubnettree/Makefile
+++ /dev/null
@@ -1,34 +0,0 @@
-# $Id: Makefile 6811 2009-07-06 20:41:10Z robin $
-#
-# Makefile not needed to build module. Use "python setup.py install" instead.
-#
-# This Makefile generates the SWIG wrappers and the documentation.
-
-VERSION=0.12
-
-DISTFILES=LICENSE Makefile README README.html SubnetTree.cc SubnetTree.h \
-	SubnetTree.i SubnetTree.py SubnetTree_wrap.cc patricia.c patricia.h setup.py test.py
-
-CLEAN=build SubnetTree_wrap.cc SubnetTree.py README.html *.pyc 
-
-TGZ=pysubnettree-$(VERSION)
-
-all: SubnetTree_wrap.cpp README.html
-
-SubnetTree_wrap.cpp SubnetTree.py: SubnetTree.i SubnetTree.h
-	swig -c++ -python -o SubnetTree_wrap.cc SubnetTree.i
-
-doc: README.html
-
-README.html : README
-	-asciidoc -a toc -b xhtml11-custom README
-
-clean:
-	rm -rf $(CLEAN)
-
-dist:
-	@rm -rf $(TGZ)
-	@mkdir $(TGZ)
-	@cp -rp $(DISTFILES) $(TGZ)
-	tar czvf $(TGZ).tar.gz $(TGZ)
-	@rm -rf $(TGZ)    
diff --git a/aux/broctl/aux/pysubnettree/README b/aux/broctl/aux/pysubnettree/README
deleted file mode 100644
index a6c0525730..0000000000
--- a/aux/broctl/aux/pysubnettree/README
+++ /dev/null
@@ -1,87 +0,0 @@
-//	-*- AsciiDoc -*-
-PySubnetTree - A Python Module for CIDR Lookups.
-================================================
-
-Overview
---------
-
-The PySubnetTree package provides a Python data structure
-+SubnetTree+ which maps subnets given in
-http://tools.ietf.org/html/rfc4632[CIDR] notation to Python
-objects. Lookups are performed by longest-prefix matching. 
-
-Simple example which associates CIDR prefixes with strings:
-
-    >>> import SubnetTree
-    >>> t = SubnetTree.SubnetTree()
-    >>> t["10.1.0.0/16"] = "Network 1"
-    >>> t["10.1.42.0/24"] = "Network 1, Subnet 42"
-    >>> t["10.2.0.0/16"] = "Network 2"
-    >>> print t["10.1.42.1"]
-    Network 1, Subnet 42
-    >>> print t["10.1.43.1"]
-    Network 1
-    >>> print "10.1.42.1" in t
-    True
-    >>> print "10.1.43.1" in t
-    True
-    >>> print "10.20.1.1" in t
-    False
-    >>> print t["10.20.1.1"]
-    Traceback (most recent call last):
-      File "<stdin>", line 1, in <module>
-      File "SubnetTree.py", line 67, in __getitem__
-        def __getitem__(*args): return _SubnetTree.SubnetTree___getitem__(*args)
-    KeyError: '10.20.1.1'
-
-
-CIDR prefixes are given as strings. Single addresses can
-alternatively also be passed in as integers as, e.g., returned by
-http://docs.python.org/lib/module-socket.html#l2h-3657[+socket.inet_aton+].
-
-A SubnetTree also provides methods +insert(prefix,object=None)+ for insertion
-of prefixes (+object+ can be skipped to use the tree like a set), and
-+remove(prefix)+ for removing entries (+remove+ performs an _exact_ match
-rather than longest-prefix). 
-
-Internally, the CIDR prefixes of a +SubnetTree+ are managed by a
-Patricia tree data structure and lookups are therefore efficient
-even for large number of prefixes.
-
-PySubnetTree comes with BSD license.
-
-Version History
----------------
-
-*Version 0.12*:: Better error handling. In particular, using None as
-an index now raises an IndexError.
-
-*Version 0.11*:: License changed from GPL to BSD-style.
-
-*Version 0.1*:: Initial release.
-
-Download
---------
-
-Download http://www.icir.org/robin/pysubnettree/pysubnettree-0.12.tar.gz[+pysubnettree-0.12.tar.gz+].
-
-Prerequisites
--------------
-
-This packages requires Python 2.4 or newer.
-
-Installation
-------------
-
-Installation is pretty simple:
-
-   > python setup.py install
-   
-   
-   
-   
-    
-    
-
-
-
diff --git a/aux/broctl/aux/pysubnettree/README.html b/aux/broctl/aux/pysubnettree/README.html
deleted file mode 100644
index ebd85cd2e7..0000000000
--- a/aux/broctl/aux/pysubnettree/README.html
+++ /dev/null
@@ -1,514 +0,0 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
-    "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
-<meta name="generator" content="AsciiDoc 8.2.3" />
-<style type="text/css">
-/* Debug borders */
-p, li, dt, dd, div, pre, h1, h2, h3, h4, h5, h6 {
-/*
-  border: 1px solid red;
-*/
-}
-
-body {
-  background:#ffffff;
-  margin:0;
-  padding:20px 10px;
-  font-size: small;
-  font-family: sans-serif;
-  color: #505050;
-  margin: 1em 10% 1em 10%;
-}
-
-a {
-  color: #005000;
-}
-
-a:visited {
-  color: #005000;
-}
-
-a:hover {
-  color: #002000;
-}
-
-em {
-  font-style: italic;
-}
-
-strong {
-  font-weight: bold;
-}
-
-tt {
-  color: #000000;
-}
-
-h1, h2, h3, h4, h5, h6, div#toctitle {
-  color: #227022;
-  font-family: sans-serif;
-  margin-top: 1.2em;
-  margin-bottom: 0.5em;
-  line-height: 1.3;
-  font-weight: normal;
-}
-
-h1, h2, h3, div#toctitle {
-  border-bottom: 1px solid;
-  border-color: #000000;
-}
-
-h1 {
-  font-size: x-large;
-  }
-
-h2, div#toctitle {
-  padding-top: 0.5em;
-  font-size: medium;
-}
-h3 {
-  float: left;
-  font-size: small;
-}
-h3 + * {
-  clear: left;
-}
-
-div.sectionbody {
-  font-family: sans-serif;
-  margin-left: 0;
-}
-
-hr {
-  border: 1px solid;
-}
-
-p {
-  margin-top: 0.5em;
-  margin-bottom: 0.5em;
-}
-
-pre {
-  padding: 0;
-  margin: 0;
-}
-
-span#author {
-  color: #338033;
-  font-family: sans-serif;
-  font-size: 1.1em;
-}
-span#email {
-}
-span#revision {
-  font-family: sans-serif;
-}
-
-div#footer {
-  font-family: sans-serif;
-  font-size: x-small;
-  border-top: 1px solid;
-  padding-top: 0.5em;
-  margin-top: 4.0em;
-}
-div#footer-text {
-  float: left;
-  padding-bottom: 0.5em;
-}
-div#footer-badges {
-  float: right;
-  padding-bottom: 0.5em;
-}
-
-div#preamble,
-div.tableblock, div.imageblock, div.exampleblock, div.verseblock,
-div.quoteblock, div.literalblock, div.listingblock, div.sidebarblock,
-div.admonitionblock {
-  margin-top: 1.5em;
-  margin-left: 1em;
-  margin-bottom: 1.5em;
-/*  background: #eeffcc; */
-}
-div.admonitionblock {
-  margin-top: 2.5em;
-  margin-bottom: 2.5em;
-}
-
-div.content { /* Block element content. */
-  padding: 0;
-}
-
-/* Block element titles. */
-div.title, caption.title {
-  font-family: sans-serif;
-  text-align: left;
-  margin-top: 1.0em;
-  margin-bottom: 0.5em;
-}
-div.title + * {
-  margin-top: 0;
-}
-
-td div.title:first-child {
-  margin-top: 0.0em;
-}
-div.content div.title:first-child {
-  margin-top: 0.0em;
-}
-div.content + div.title {
-  margin-top: 0.0em;
-}
-
-div.sidebarblock > div.content {
-  background: #ffffee;
-  border: 1px solid;
-  padding: 0.5em;
-}
-
-div.listingblock {
-  margin-right: 0%;
-}
-div.listingblock > div.content {
-  border: 1px solid;
-  background: #f4f4f4;
-  padding: 0.5em;
-}
-
-div.quoteblock > div.content {
-  padding-left: 2.0em;
-}
-
-div.attribution {
-  text-align: right;
-}
-
-div.verseblock + div.attribution {
-  text-align: left;
-}
-
-div.admonitionblock .icon {
-  vertical-align: top;
-  font-size: 1.1em;
-  color: #338033;
-  padding-right: 0.5em;
-}
-div.admonitionblock td.content {
-  padding-left: 0.5em;
-  border-left: 2px solid;
-}
-
-div.exampleblock > div.content {
-  border-left: 2px solid;
-  padding: 0.5em;
-}
-
-div.verseblock div.content {
-  white-space: pre;
-}
-
-div.imageblock div.content { padding-left: 0; }
-div.imageblock img { border: 1px solid ; }
-span.image img { border-style: none; }
-
-dl {
-  margin-top: 0.8em;
-  margin-bottom: 0.8em;
-}
-dt {
-  margin-top: 0.5em;
-  margin-bottom: 0;
-  font-style: italic;
-}
-dd > *:first-child {
-  margin-top: 0;
-}
-
-ul, ol {
-    list-style-position: outside;
-}
-div.olist2 ol {
-  list-style-type: lower-alpha;
-}
-
-div.tableblock > table {
-  border: 3px solid #527bbd;
-}
-
-div.addrblock > table {
-  border: 0px 0px 0px 0px;
-  border-style: none none none none;
-  padding: 0px;
-  margin: 10px;
-  color: #000000;
-}
-
-table.addrblockbg {
-  /*
-  border-top: 1px solid;
-  border-bottom: 1px solid;
-  */
-  background: #e0ffe0 ;
-  border-style: none;
-  outline-style: none;
-}
-
-thead {
-  font-family: sans-serif;
-  color: #000000;
-}
-tfoot {
-  font-weight: bold;
-  color: #000000;
-}
-
-div.hlist {
-  margin-top: 0.8em;
-  margin-bottom: 0.8em;
-}
-div.hlist td {
-  padding-bottom: 5px;
-}
-td.hlist1 {
-  vertical-align: top;
-  font-style: italic;
-  padding-right: 0.8em;
-}
-td.hlist2 {
-  vertical-align: top;
-}
-
-@media print {
-  div#footer-badges { display: none; }
-}
-
-div.toclevel1, div.toclevel2, div.toclevel3, div.toclevel4 {
-  margin-top: .5ex;
-  margin-bottom: 0;
-  margin-left: 2em;
-  line-height: 1.3;
-}
-div.toclevel1 {
-  margin-top: 1ex;
-}
-div.toclevel2 {
-  margin-left: 4em;
-}
-
-div.toclevel3 {
-  margin-left: 6em;
-}
-div.toclevel4 {
-  margin-left: 8em;
-}
-/* Workarounds for IE6's broken and incomplete CSS2. */
-
-div.sidebar-content {
-  background: #ffffee;
-  border: 1px solid silver;
-  padding: 0.5em;
-}
-div.sidebar-title, div.image-title {
-  font-family: sans-serif;
-  font-weight: bold;
-  margin-top: 0.0em;
-  margin-bottom: 0.5em;
-}
-
-div.listingblock div.content {
-  border: 1px solid silver;
-  background: #f4f4f4;
-  padding: 0.5em;
-}
-
-div.quoteblock-content {
-  padding-left: 2.0em;
-}
-
-div.exampleblock-content {
-  border-left: 2px solid silver;
-  padding-left: 0.5em;
-}
-
-/* IE6 sets dynamically generated links as visited. */
-div#toc a:visited { color: blue; }
-</style>
-<script type="text/javascript">
-/*<![CDATA[*/
-window.onload = function(){generateToc(2)}
-/* Author: Mihai Bazon, September 2002
- * http://students.infoiasi.ro/~mishoo
- *
- * Table Of Content generator
- * Version: 0.4
- *
- * Feel free to use this script under the terms of the GNU General Public
- * License, as long as you do not remove or alter this notice.
- */
-
- /* modified by Troy D. Hanson, September 2006. License: GPL */
- /* modified by Stuart Rackham, October 2006. License: GPL */
-
-function getText(el) {
-  var text = "";
-  for (var i = el.firstChild; i != null; i = i.nextSibling) {
-    if (i.nodeType == 3 /* Node.TEXT_NODE */) // IE doesn't speak constants.
-      text += i.data;
-    else if (i.firstChild != null)
-      text += getText(i);
-  }
-  return text;
-}
-
-function TocEntry(el, text, toclevel) {
-  this.element = el;
-  this.text = text;
-  this.toclevel = toclevel;
-}
-
-function tocEntries(el, toclevels) {
-  var result = new Array;
-  var re = new RegExp('[hH]([2-'+(toclevels+1)+'])');
-  // Function that scans the DOM tree for header elements (the DOM2
-  // nodeIterator API would be a better technique but not supported by all
-  // browsers).
-  var iterate = function (el) {
-    for (var i = el.firstChild; i != null; i = i.nextSibling) {
-      if (i.nodeType == 1 /* Node.ELEMENT_NODE */) {
-        var mo = re.exec(i.tagName)
-        if (mo)
-          result[result.length] = new TocEntry(i, getText(i), mo[1]-1);
-        iterate(i);
-      }
-    }
-  }
-  iterate(el);
-  return result;
-}
-
-// This function does the work. toclevels = 1..4.
-function generateToc(toclevels) {
-  var toc = document.getElementById("toc");
-  var entries = tocEntries(document.getElementsByTagName("body")[0], toclevels);
-  for (var i = 0; i < entries.length; ++i) {
-    var entry = entries[i];
-    if (entry.element.id == "")
-      entry.element.id = "toc" + i;
-    var a = document.createElement("a");
-    a.href = "#" + entry.element.id;
-    a.appendChild(document.createTextNode(entry.text));
-    var div = document.createElement("div");
-    div.appendChild(a);
-    div.className = "toclevel" + entry.toclevel;
-    toc.appendChild(div);
-  }
-}
-/*]]>*/
-</script>
-<title>PySubnetTree - A Python Module for CIDR Lookups.</title>
-</head>
-<body>
-<div id="header">
-<h1>PySubnetTree - A Python Module for CIDR Lookups.</h1>
-<div id="toc">
-  <div id="toctitle">Table of Contents</div>
-  <noscript><p><b>JavaScript must be enabled in your browser to display the table of contents.</b></p></noscript>
-</div>
-</div>
-<h2>Overview</h2><p/>
-<div class="sectionbody">
-<p>The PySubnetTree package provides a Python data structure
-<tt>SubnetTree</tt> which maps subnets given in
-<a href="http://tools.ietf.org/html/rfc4632">CIDR</a> notation to Python
-objects. Lookups are performed by longest-prefix matching.</p>
-<p>Simple example which associates CIDR prefixes with strings:</p>
-<div class="literalblock">
-<div class="content">
-<pre><tt>&gt;&gt;&gt; import SubnetTree
-&gt;&gt;&gt; t = SubnetTree.SubnetTree()
-&gt;&gt;&gt; t["10.1.0.0/16"] = "Network 1"
-&gt;&gt;&gt; t["10.1.42.0/24"] = "Network 1, Subnet 42"
-&gt;&gt;&gt; t["10.2.0.0/16"] = "Network 2"
-&gt;&gt;&gt; print t["10.1.42.1"]
-Network 1, Subnet 42
-&gt;&gt;&gt; print t["10.1.43.1"]
-Network 1
-&gt;&gt;&gt; print "10.1.42.1" in t
-True
-&gt;&gt;&gt; print "10.1.43.1" in t
-True
-&gt;&gt;&gt; print "10.20.1.1" in t
-False
-&gt;&gt;&gt; print t["10.20.1.1"]
-Traceback (most recent call last):
-  File "&lt;stdin&gt;", line 1, in &lt;module&gt;
-  File "SubnetTree.py", line 67, in __getitem__
-    def __getitem__(*args): return _SubnetTree.SubnetTree___getitem__(*args)
-KeyError: '10.20.1.1'</tt></pre>
-</div></div>
-<p>CIDR prefixes are given as strings. Single addresses can
-alternatively also be passed in as integers as, e.g., returned by
-<a href="http://docs.python.org/lib/module-socket.html#l2h-3657"><tt>socket.inet_aton</tt></a>.</p>
-<p>A SubnetTree also provides methods <tt>insert(prefix,object=None)</tt> for insertion
-of prefixes (<tt>object</tt> can be skipped to use the tree like a set), and
-<tt>remove(prefix)</tt> for removing entries (<tt>remove</tt> performs an <em>exact</em> match
-rather than longest-prefix).</p>
-<p>Internally, the CIDR prefixes of a <tt>SubnetTree</tt> are managed by a
-Patricia tree data structure and lookups are therefore efficient
-even for large number of prefixes.</p>
-<p>PySubnetTree comes with BSD license.</p>
-</div>
-<h2>Version History</h2><p/>
-<div class="sectionbody">
-<div class="hlist"><table>
-<tr>
-<td class="hlist1">
-<strong>Version 0.12</strong>
-</td>
-<td class="hlist2">
-Better error handling. In particular, using None as
-an index now raises an IndexError.
-</td>
-</tr>
-<tr>
-<td class="hlist1">
-<strong>Version 0.11</strong>
-</td>
-<td class="hlist2">
-License changed from GPL to BSD-style.
-</td>
-</tr>
-<tr>
-<td class="hlist1">
-<strong>Version 0.1</strong>
-</td>
-<td class="hlist2">
-Initial release.
-</td>
-</tr>
-</table></div>
-</div>
-<h2>Download</h2><p/>
-<div class="sectionbody">
-<p>Download <a href="http://www.icir.org/robin/pysubnettree/pysubnettree-0.12.tar.gz"><tt>pysubnettree-0.12.tar.gz</tt></a>.</p>
-</div>
-<h2>Prerequisites</h2><p/>
-<div class="sectionbody">
-<p>This packages requires Python 2.4 or newer.</p>
-</div>
-<h2>Installation</h2><p/>
-<div class="sectionbody">
-<p>Installation is pretty simple:</p>
-<div class="literalblock">
-<div class="content">
-<pre><tt>&gt; python setup.py install</tt></pre>
-</div></div>
-</div>
-<div id="footer">
-<div id="footer-text">
-<a href="http://www.icir.org/robin">Back to Homepage</a><br />
-</div>
-</div>
-</body>
-</html>
diff --git a/aux/broctl/aux/pysubnettree/SubnetTree.cc b/aux/broctl/aux/pysubnettree/SubnetTree.cc
deleted file mode 100644
index ae61ed3e76..0000000000
--- a/aux/broctl/aux/pysubnettree/SubnetTree.cc
+++ /dev/null
@@ -1,155 +0,0 @@
-// $Id: SubnetTree.cc 6813 2009-07-07 18:54:12Z robin $
-
-#include <memory.h>
-#include <stdlib.h>
-#include <stdio.h>
-#include <arpa/inet.h>
-
-#include "SubnetTree.h"
-
-static PyObject* dummy = Py_BuildValue("s", "<dummy string>");
-
-inline static prefix_t* make_prefix(unsigned long addr, int width)
-	{
-	prefix_t* subnet = new prefix_t;
-
-	memcpy(&subnet->add.sin, &addr, sizeof(subnet->add.sin)) ;
-	subnet->family = AF_INET;
-	subnet->bitlen = width;
-	subnet->ref_count = 1;
-
-	return subnet;
-	}
-
-inline static bool parse_cidr(const char *cidr, unsigned long *subnet, unsigned short *mask)
-{
-    static char buffer[32];
-    struct in_addr addr;
-
-    if ( ! cidr )
-        return false;
-
-    const char *s = strchr(cidr, '/');
-    if ( s ) {
-        int len = s - cidr < 32 ? s - cidr : 31;
-        memcpy(buffer, cidr, len);
-        buffer[len] = '\0';
-        *mask = atoi(s+1);
-        s = buffer;
-    }
-    else {
-        s = cidr;
-        *mask = 32;
-    }
-
-    if ( ! inet_aton(const_cast<char *>(s), &addr) )
-        return false;
-
-    *subnet = addr.s_addr;
-
-    return true;
-
-}
-
-SubnetTree::SubnetTree()
-{
-    tree = New_Patricia(128);
-}
-
-SubnetTree::~SubnetTree()
-{
-    Destroy_Patricia(tree, 0);
-}
-
-bool SubnetTree::insert(const char *cidr, PyObject* data) 
-{
-    unsigned long subnet;
-    unsigned short mask;
-
-    if ( ! parse_cidr(cidr, &subnet, &mask) )
-        return false;
-
-    return insert(subnet, mask, data);
-}
-
-bool SubnetTree::insert(unsigned long subnet, unsigned short mask, PyObject* data)
-{
-	prefix_t* sn = make_prefix(subnet, mask);
-	patricia_node_t* node = patricia_lookup(tree, sn);
-	Deref_Prefix(sn);
-
-	if ( ! node ) {
-        fprintf(stderr, "Cannot create node in patricia tree");
-        return false;
-    }
-
-    if ( ! data )
-        data = dummy;
-
-    Py_INCREF(data);
-	node->data = data;
-
-	return true;
-}
-
-bool SubnetTree::remove(const char *cidr)
-{
-    unsigned long subnet;
-    unsigned short mask;
-
-    if ( ! parse_cidr(cidr, &subnet, &mask) )
-        return false;
-
-    return remove(subnet, mask);
-}
-
-bool SubnetTree::remove(unsigned long addr, unsigned short mask)
-{                                      /*  */
-	prefix_t* subnet = make_prefix(addr, mask);
-	patricia_node_t* node = patricia_search_exact(tree, subnet);
-	Deref_Prefix(subnet);
-
-	if ( ! node )
-		return false;
-
-    PyObject* data = (PyObject*)node->data;
-    Py_DECREF(data);
-
-	patricia_remove(tree, node);
-
-	return data != dummy;
-}
-
-PyObject* SubnetTree::lookup(const char *cidr, int size) const
-{
-    struct in_addr a;
-
-    if ( ! cidr )
-        return false;
-
-    // If it's a 4-byte string, it's probably a host address packed with
-    // socket.inet_aton().
-    if ( size == 4 )
-        return lookup(*((unsigned long *)cidr));
-
-    if ( ! inet_aton(cidr, &a) )
-        return false;
-
-    return lookup(a.s_addr);
-}
-
-PyObject* SubnetTree::lookup(unsigned long addr) const
-{
-	prefix_t* subnet = make_prefix(addr, 32);
-	patricia_node_t* node =	patricia_search_best(tree, subnet);
-	Deref_Prefix(subnet);
-
-    if ( ! node )
-        return 0;
-
-    PyObject* data = (PyObject*)node->data;
-
-    Py_INCREF(data);
-    return data;
-}
-
diff --git a/aux/broctl/aux/pysubnettree/SubnetTree.h b/aux/broctl/aux/pysubnettree/SubnetTree.h
deleted file mode 100644
index 01e4e236be..0000000000
--- a/aux/broctl/aux/pysubnettree/SubnetTree.h
+++ /dev/null
@@ -1,109 +0,0 @@
-// $Id: SubnetTree.h 6813 2009-07-07 18:54:12Z robin $
-
-extern "C" {
-#include "Python.h"
-#include "patricia.h"
-}
-
-#ifdef SWIG
-// If a function is supposed to accept 4-byte tuples as packet by
-// socket.inet_aton(), it needs to accept strings which contain 0s.
-// Therefore, we need a size parameter.
-%apply (char *STRING, int LENGTH) { (char *cidr, int size) };
-#endif
-
-class SubnetTree
-{
-public:
-   SubnetTree();
-   ~SubnetTree();
-
-   bool insert(const char *cidr, PyObject* data = 0);
-   bool insert(unsigned long subnet, unsigned short mask, PyObject* data = 0);
-
-   bool remove(const char *cidr);
-   bool remove(unsigned long subnet, unsigned short mask);
-
-   PyObject* lookup(const char *cidr, int size) const;
-   PyObject* lookup(unsigned long addr) const;
-
-#ifndef SWIG   
-   bool operator[](const char* addr) const { return lookup(addr, strlen(addr)); }
-   bool operator[](unsigned long addr) const { return lookup(addr); }
-#else
-   %extend {
-       PyObject* __contains__(char *cidr, int size) 
-       {
-           if ( ! cidr ) {
-               PyErr_SetString(PyExc_TypeError, "index must be string");
-               return 0;
-           }
-
-           PyObject* obj = self->lookup(cidr, size);
-           if ( obj )
-               Py_DECREF(obj);
-
-           if ( obj != 0 )
-               Py_RETURN_TRUE;
-           else
-               Py_RETURN_FALSE;
-       }
-
-       bool __contains__(unsigned long addr) 
-       {
-           return self->lookup(addr);
-       }
-
-       PyObject* __getitem__(char *cidr, int size) 
-       {
-           if ( ! cidr ) {
-               PyErr_SetString(PyExc_TypeError, "index must be string");
-               return 0;
-           }
-
-           PyObject* data = self->lookup(cidr, size);
-           if ( ! data ) {
-               PyErr_SetString(PyExc_KeyError, cidr ? cidr : "None");
-               return 0;
-           }
-
-           return data;
-       }
-
-       PyObject*  __setitem__(const char* cidr, PyObject* data) 
-       {
-           if ( ! cidr ) {
-               PyErr_SetString(PyExc_TypeError, "index must be string");
-               return 0; 
-           }
-
-           if ( ! self->insert(cidr, data) ) {
-               PyErr_SetString(PyExc_IndexError, "cannot insert network");
-               return 0;
-           }
-
-           return PyInt_FromLong(1);
-       }
-
-       PyObject* __delitem__(const char* cidr) 
-       {
-           if ( ! cidr ) {
-               PyErr_SetString(PyExc_TypeError, "index must be string");
-               return 0; 
-           }
-
-           if ( ! self->remove(cidr) ) {
-               PyErr_SetString(PyExc_IndexError, "cannot remove network");
-               return 0;
-           }
-
-           return PyInt_FromLong(1);
-       }
-
-   }
-#endif   
-
-private:
-   patricia_tree_t* tree;
-
-};
diff --git a/aux/broctl/aux/pysubnettree/SubnetTree.i b/aux/broctl/aux/pysubnettree/SubnetTree.i
deleted file mode 100644
index 289a92fe2f..0000000000
--- a/aux/broctl/aux/pysubnettree/SubnetTree.i
+++ /dev/null
@@ -1,8 +0,0 @@
-
-%module SubnetTree
-%{
-  #include "SubnetTree.h"
-%}
-      
-%include "SubnetTree.h"
- 
diff --git a/aux/broctl/aux/pysubnettree/SubnetTree.py b/aux/broctl/aux/pysubnettree/SubnetTree.py
deleted file mode 100644
index 307d1d61c0..0000000000
--- a/aux/broctl/aux/pysubnettree/SubnetTree.py
+++ /dev/null
@@ -1,74 +0,0 @@
-# This file was automatically generated by SWIG (http://www.swig.org).
-# Version 1.3.31
-#
-# Don't modify this file, modify the SWIG interface instead.
-# This file is compatible with both classic and new-style classes.
-
-import _SubnetTree
-import new
-new_instancemethod = new.instancemethod
-try:
-    _swig_property = property
-except NameError:
-    pass # Python < 2.2 doesn't have 'property'.
-def _swig_setattr_nondynamic(self,class_type,name,value,static=1):
-    if (name == "thisown"): return self.this.own(value)
-    if (name == "this"):
-        if type(value).__name__ == 'PySwigObject':
-            self.__dict__[name] = value
-            return
-    method = class_type.__swig_setmethods__.get(name,None)
-    if method: return method(self,value)
-    if (not static) or hasattr(self,name):
-        self.__dict__[name] = value
-    else:
-        raise AttributeError("You cannot add attributes to %s" % self)
-
-def _swig_setattr(self,class_type,name,value):
-    return _swig_setattr_nondynamic(self,class_type,name,value,0)
-
-def _swig_getattr(self,class_type,name):
-    if (name == "thisown"): return self.this.own()
-    method = class_type.__swig_getmethods__.get(name,None)
-    if method: return method(self)
-    raise AttributeError,name
-
-def _swig_repr(self):
-    try: strthis = "proxy of " + self.this.__repr__()
-    except: strthis = ""
-    return "<%s.%s; %s >" % (self.__class__.__module__, self.__class__.__name__, strthis,)
-
-import types
-try:
-    _object = types.ObjectType
-    _newclass = 1
-except AttributeError:
-    class _object : pass
-    _newclass = 0
-del types
-
-
-class SubnetTree(_object):
-    __swig_setmethods__ = {}
-    __setattr__ = lambda self, name, value: _swig_setattr(self, SubnetTree, name, value)
-    __swig_getmethods__ = {}
-    __getattr__ = lambda self, name: _swig_getattr(self, SubnetTree, name)
-    __repr__ = _swig_repr
-    def __init__(self, *args): 
-        this = _SubnetTree.new_SubnetTree(*args)
-        try: self.this.append(this)
-        except: self.this = this
-    __swig_destroy__ = _SubnetTree.delete_SubnetTree
-    __del__ = lambda self : None;
-    def insert(*args): return _SubnetTree.SubnetTree_insert(*args)
-    def remove(*args): return _SubnetTree.SubnetTree_remove(*args)
-    def lookup(*args): return _SubnetTree.SubnetTree_lookup(*args)
-    def __contains__(*args): return _SubnetTree.SubnetTree___contains__(*args)
-    def __getitem__(*args): return _SubnetTree.SubnetTree___getitem__(*args)
-    def __setitem__(*args): return _SubnetTree.SubnetTree___setitem__(*args)
-    def __delitem__(*args): return _SubnetTree.SubnetTree___delitem__(*args)
-SubnetTree_swigregister = _SubnetTree.SubnetTree_swigregister
-SubnetTree_swigregister(SubnetTree)
-
-
-
diff --git a/aux/broctl/aux/pysubnettree/SubnetTree_wrap.cc b/aux/broctl/aux/pysubnettree/SubnetTree_wrap.cc
deleted file mode 100644
index 489d50e52d..0000000000
--- a/aux/broctl/aux/pysubnettree/SubnetTree_wrap.cc
+++ /dev/null
@@ -1,4225 +0,0 @@
-/* ----------------------------------------------------------------------------
- * This file was automatically generated by SWIG (http://www.swig.org).
- * Version 1.3.31
- * 
- * This file is not intended to be easily readable and contains a number of 
- * coding conventions designed to improve portability and efficiency. Do not make
- * changes to this file unless you know what you are doing--modify the SWIG 
- * interface file instead. 
- * ----------------------------------------------------------------------------- */
-
-#define SWIGPYTHON
-#define SWIG_PYTHON_DIRECTOR_NO_VTABLE
-
-#ifdef __cplusplus
-template<class T> class SwigValueWrapper {
-    T *tt;
-public:
-    SwigValueWrapper() : tt(0) { }
-    SwigValueWrapper(const SwigValueWrapper<T>& rhs) : tt(new T(*rhs.tt)) { }
-    SwigValueWrapper(const T& t) : tt(new T(t)) { }
-    ~SwigValueWrapper() { delete tt; } 
-    SwigValueWrapper& operator=(const T& t) { delete tt; tt = new T(t); return *this; }
-    operator T&() const { return *tt; }
-    T *operator&() { return tt; }
-private:
-    SwigValueWrapper& operator=(const SwigValueWrapper<T>& rhs);
-};
-#endif
-
-/* -----------------------------------------------------------------------------
- *  This section contains generic SWIG labels for method/variable
- *  declarations/attributes, and other compiler dependent labels.
- * ----------------------------------------------------------------------------- */
-
-/* template workaround for compilers that cannot correctly implement the C++ standard */
-#ifndef SWIGTEMPLATEDISAMBIGUATOR
-# if defined(__SUNPRO_CC)
-#   if (__SUNPRO_CC <= 0x560)
-#     define SWIGTEMPLATEDISAMBIGUATOR template
-#   else
-#     define SWIGTEMPLATEDISAMBIGUATOR 
-#   endif
-# else
-#   define SWIGTEMPLATEDISAMBIGUATOR 
-# endif
-#endif
-
-/* inline attribute */
-#ifndef SWIGINLINE
-# if defined(__cplusplus) || (defined(__GNUC__) && !defined(__STRICT_ANSI__))
-#   define SWIGINLINE inline
-# else
-#   define SWIGINLINE
-# endif
-#endif
-
-/* attribute recognised by some compilers to avoid 'unused' warnings */
-#ifndef SWIGUNUSED
-# if defined(__GNUC__)
-#   if !(defined(__cplusplus)) || (__GNUC__ > 3 || (__GNUC__ == 3 && __GNUC_MINOR__ >= 4))
-#     define SWIGUNUSED __attribute__ ((__unused__)) 
-#   else
-#     define SWIGUNUSED
-#   endif
-# elif defined(__ICC)
-#   define SWIGUNUSED __attribute__ ((__unused__)) 
-# else
-#   define SWIGUNUSED 
-# endif
-#endif
-
-#ifndef SWIGUNUSEDPARM
-# ifdef __cplusplus
-#   define SWIGUNUSEDPARM(p)
-# else
-#   define SWIGUNUSEDPARM(p) p SWIGUNUSED 
-# endif
-#endif
-
-/* internal SWIG method */
-#ifndef SWIGINTERN
-# define SWIGINTERN static SWIGUNUSED
-#endif
-
-/* internal inline SWIG method */
-#ifndef SWIGINTERNINLINE
-# define SWIGINTERNINLINE SWIGINTERN SWIGINLINE
-#endif
-
-/* exporting methods */
-#if (__GNUC__ >= 4) || (__GNUC__ == 3 && __GNUC_MINOR__ >= 4)
-#  ifndef GCC_HASCLASSVISIBILITY
-#    define GCC_HASCLASSVISIBILITY
-#  endif
-#endif
-
-#ifndef SWIGEXPORT
-# if defined(_WIN32) || defined(__WIN32__) || defined(__CYGWIN__)
-#   if defined(STATIC_LINKED)
-#     define SWIGEXPORT
-#   else
-#     define SWIGEXPORT __declspec(dllexport)
-#   endif
-# else
-#   if defined(__GNUC__) && defined(GCC_HASCLASSVISIBILITY)
-#     define SWIGEXPORT __attribute__ ((visibility("default")))
-#   else
-#     define SWIGEXPORT
-#   endif
-# endif
-#endif
-
-/* calling conventions for Windows */
-#ifndef SWIGSTDCALL
-# if defined(_WIN32) || defined(__WIN32__) || defined(__CYGWIN__)
-#   define SWIGSTDCALL __stdcall
-# else
-#   define SWIGSTDCALL
-# endif 
-#endif
-
-/* Deal with Microsoft's attempt at deprecating C standard runtime functions */
-#if !defined(SWIG_NO_CRT_SECURE_NO_DEPRECATE) && defined(_MSC_VER) && !defined(_CRT_SECURE_NO_DEPRECATE)
-# define _CRT_SECURE_NO_DEPRECATE
-#endif
-
-
-/* Python.h has to appear first */
-#include <Python.h>
-
-/* -----------------------------------------------------------------------------
- * swigrun.swg
- *
- * This file contains generic CAPI SWIG runtime support for pointer
- * type checking.
- * ----------------------------------------------------------------------------- */
-
-/* This should only be incremented when either the layout of swig_type_info changes,
-   or for whatever reason, the runtime changes incompatibly */
-#define SWIG_RUNTIME_VERSION "3"
-
-/* define SWIG_TYPE_TABLE_NAME as "SWIG_TYPE_TABLE" */
-#ifdef SWIG_TYPE_TABLE
-# define SWIG_QUOTE_STRING(x) #x
-# define SWIG_EXPAND_AND_QUOTE_STRING(x) SWIG_QUOTE_STRING(x)
-# define SWIG_TYPE_TABLE_NAME SWIG_EXPAND_AND_QUOTE_STRING(SWIG_TYPE_TABLE)
-#else
-# define SWIG_TYPE_TABLE_NAME
-#endif
-
-/*
-  You can use the SWIGRUNTIME and SWIGRUNTIMEINLINE macros for
-  creating a static or dynamic library from the swig runtime code.
-  In 99.9% of the cases, swig just needs to declare them as 'static'.
-  
-  But only do this if is strictly necessary, ie, if you have problems
-  with your compiler or so.
-*/
-
-#ifndef SWIGRUNTIME
-# define SWIGRUNTIME SWIGINTERN
-#endif
-
-#ifndef SWIGRUNTIMEINLINE
-# define SWIGRUNTIMEINLINE SWIGRUNTIME SWIGINLINE
-#endif
-
-/*  Generic buffer size */
-#ifndef SWIG_BUFFER_SIZE
-# define SWIG_BUFFER_SIZE 1024
-#endif
-
-/* Flags for pointer conversions */
-#define SWIG_POINTER_DISOWN        0x1
-
-/* Flags for new pointer objects */
-#define SWIG_POINTER_OWN           0x1
-
-
-/* 
-   Flags/methods for returning states.
-   
-   The swig conversion methods, as ConvertPtr, return and integer 
-   that tells if the conversion was successful or not. And if not,
-   an error code can be returned (see swigerrors.swg for the codes).
-   
-   Use the following macros/flags to set or process the returning
-   states.
-   
-   In old swig versions, you usually write code as:
-
-     if (SWIG_ConvertPtr(obj,vptr,ty.flags) != -1) {
-       // success code
-     } else {
-       //fail code
-     }
-
-   Now you can be more explicit as:
-
-    int res = SWIG_ConvertPtr(obj,vptr,ty.flags);
-    if (SWIG_IsOK(res)) {
-      // success code
-    } else {
-      // fail code
-    }
-
-   that seems to be the same, but now you can also do
-
-    Type *ptr;
-    int res = SWIG_ConvertPtr(obj,(void **)(&ptr),ty.flags);
-    if (SWIG_IsOK(res)) {
-      // success code
-      if (SWIG_IsNewObj(res) {
-        ...
-	delete *ptr;
-      } else {
-        ...
-      }
-    } else {
-      // fail code
-    }
-    
-   I.e., now SWIG_ConvertPtr can return new objects and you can
-   identify the case and take care of the deallocation. Of course that
-   requires also to SWIG_ConvertPtr to return new result values, as
-
-      int SWIG_ConvertPtr(obj, ptr,...) {         
-        if (<obj is ok>) {			       
-          if (<need new object>) {		       
-            *ptr = <ptr to new allocated object>; 
-            return SWIG_NEWOBJ;		       
-          } else {				       
-            *ptr = <ptr to old object>;	       
-            return SWIG_OLDOBJ;		       
-          } 				       
-        } else {				       
-          return SWIG_BADOBJ;		       
-        }					       
-      }
-
-   Of course, returning the plain '0(success)/-1(fail)' still works, but you can be
-   more explicit by returning SWIG_BADOBJ, SWIG_ERROR or any of the
-   swig errors code.
-
-   Finally, if the SWIG_CASTRANK_MODE is enabled, the result code
-   allows to return the 'cast rank', for example, if you have this
-
-       int food(double)
-       int fooi(int);
-
-   and you call
- 
-      food(1)   // cast rank '1'  (1 -> 1.0)
-      fooi(1)   // cast rank '0'
-
-   just use the SWIG_AddCast()/SWIG_CheckState()
-
-
- */
-#define SWIG_OK                    (0) 
-#define SWIG_ERROR                 (-1)
-#define SWIG_IsOK(r)               (r >= 0)
-#define SWIG_ArgError(r)           ((r != SWIG_ERROR) ? r : SWIG_TypeError)  
-
-/* The CastRankLimit says how many bits are used for the cast rank */
-#define SWIG_CASTRANKLIMIT         (1 << 8)
-/* The NewMask denotes the object was created (using new/malloc) */
-#define SWIG_NEWOBJMASK            (SWIG_CASTRANKLIMIT  << 1)
-/* The TmpMask is for in/out typemaps that use temporal objects */
-#define SWIG_TMPOBJMASK            (SWIG_NEWOBJMASK << 1)
-/* Simple returning values */
-#define SWIG_BADOBJ                (SWIG_ERROR)
-#define SWIG_OLDOBJ                (SWIG_OK)
-#define SWIG_NEWOBJ                (SWIG_OK | SWIG_NEWOBJMASK)
-#define SWIG_TMPOBJ                (SWIG_OK | SWIG_TMPOBJMASK)
-/* Check, add and del mask methods */
-#define SWIG_AddNewMask(r)         (SWIG_IsOK(r) ? (r | SWIG_NEWOBJMASK) : r)
-#define SWIG_DelNewMask(r)         (SWIG_IsOK(r) ? (r & ~SWIG_NEWOBJMASK) : r)
-#define SWIG_IsNewObj(r)           (SWIG_IsOK(r) && (r & SWIG_NEWOBJMASK))
-#define SWIG_AddTmpMask(r)         (SWIG_IsOK(r) ? (r | SWIG_TMPOBJMASK) : r)
-#define SWIG_DelTmpMask(r)         (SWIG_IsOK(r) ? (r & ~SWIG_TMPOBJMASK) : r)
-#define SWIG_IsTmpObj(r)           (SWIG_IsOK(r) && (r & SWIG_TMPOBJMASK))
-
-
-/* Cast-Rank Mode */
-#if defined(SWIG_CASTRANK_MODE)
-#  ifndef SWIG_TypeRank
-#    define SWIG_TypeRank             unsigned long
-#  endif
-#  ifndef SWIG_MAXCASTRANK            /* Default cast allowed */
-#    define SWIG_MAXCASTRANK          (2)
-#  endif
-#  define SWIG_CASTRANKMASK          ((SWIG_CASTRANKLIMIT) -1)
-#  define SWIG_CastRank(r)           (r & SWIG_CASTRANKMASK)
-SWIGINTERNINLINE int SWIG_AddCast(int r) { 
-  return SWIG_IsOK(r) ? ((SWIG_CastRank(r) < SWIG_MAXCASTRANK) ? (r + 1) : SWIG_ERROR) : r;
-}
-SWIGINTERNINLINE int SWIG_CheckState(int r) { 
-  return SWIG_IsOK(r) ? SWIG_CastRank(r) + 1 : 0; 
-}
-#else /* no cast-rank mode */
-#  define SWIG_AddCast
-#  define SWIG_CheckState(r) (SWIG_IsOK(r) ? 1 : 0)
-#endif
-
-
-
-
-#include <string.h>
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-typedef void *(*swig_converter_func)(void *);
-typedef struct swig_type_info *(*swig_dycast_func)(void **);
-
-/* Structure to store inforomation on one type */
-typedef struct swig_type_info {
-  const char             *name;			/* mangled name of this type */
-  const char             *str;			/* human readable name of this type */
-  swig_dycast_func        dcast;		/* dynamic cast function down a hierarchy */
-  struct swig_cast_info  *cast;			/* linked list of types that can cast into this type */
-  void                   *clientdata;		/* language specific type data */
-  int                    owndata;		/* flag if the structure owns the clientdata */
-} swig_type_info;
-
-/* Structure to store a type and conversion function used for casting */
-typedef struct swig_cast_info {
-  swig_type_info         *type;			/* pointer to type that is equivalent to this type */
-  swig_converter_func     converter;		/* function to cast the void pointers */
-  struct swig_cast_info  *next;			/* pointer to next cast in linked list */
-  struct swig_cast_info  *prev;			/* pointer to the previous cast */
-} swig_cast_info;
-
-/* Structure used to store module information
- * Each module generates one structure like this, and the runtime collects
- * all of these structures and stores them in a circularly linked list.*/
-typedef struct swig_module_info {
-  swig_type_info         **types;		/* Array of pointers to swig_type_info structures that are in this module */
-  size_t                 size;		        /* Number of types in this module */
-  struct swig_module_info *next;		/* Pointer to next element in circularly linked list */
-  swig_type_info         **type_initial;	/* Array of initially generated type structures */
-  swig_cast_info         **cast_initial;	/* Array of initially generated casting structures */
-  void                    *clientdata;		/* Language specific module data */
-} swig_module_info;
-
-/* 
-  Compare two type names skipping the space characters, therefore
-  "char*" == "char *" and "Class<int>" == "Class<int >", etc.
-
-  Return 0 when the two name types are equivalent, as in
-  strncmp, but skipping ' '.
-*/
-SWIGRUNTIME int
-SWIG_TypeNameComp(const char *f1, const char *l1,
-		  const char *f2, const char *l2) {
-  for (;(f1 != l1) && (f2 != l2); ++f1, ++f2) {
-    while ((*f1 == ' ') && (f1 != l1)) ++f1;
-    while ((*f2 == ' ') && (f2 != l2)) ++f2;
-    if (*f1 != *f2) return (*f1 > *f2) ? 1 : -1;
-  }
-  return (l1 - f1) - (l2 - f2);
-}
-
-/*
-  Check type equivalence in a name list like <name1>|<name2>|...
-  Return 0 if not equal, 1 if equal
-*/
-SWIGRUNTIME int
-SWIG_TypeEquiv(const char *nb, const char *tb) {
-  int equiv = 0;
-  const char* te = tb + strlen(tb);
-  const char* ne = nb;
-  while (!equiv && *ne) {
-    for (nb = ne; *ne; ++ne) {
-      if (*ne == '|') break;
-    }
-    equiv = (SWIG_TypeNameComp(nb, ne, tb, te) == 0) ? 1 : 0;
-    if (*ne) ++ne;
-  }
-  return equiv;
-}
-
-/*
-  Check type equivalence in a name list like <name1>|<name2>|...
-  Return 0 if equal, -1 if nb < tb, 1 if nb > tb
-*/
-SWIGRUNTIME int
-SWIG_TypeCompare(const char *nb, const char *tb) {
-  int equiv = 0;
-  const char* te = tb + strlen(tb);
-  const char* ne = nb;
-  while (!equiv && *ne) {
-    for (nb = ne; *ne; ++ne) {
-      if (*ne == '|') break;
-    }
-    equiv = (SWIG_TypeNameComp(nb, ne, tb, te) == 0) ? 1 : 0;
-    if (*ne) ++ne;
-  }
-  return equiv;
-}
-
-
-/* think of this as a c++ template<> or a scheme macro */
-#define SWIG_TypeCheck_Template(comparison, ty)         \
-  if (ty) {                                             \
-    swig_cast_info *iter = ty->cast;                    \
-    while (iter) {                                      \
-      if (comparison) {                                 \
-        if (iter == ty->cast) return iter;              \
-        /* Move iter to the top of the linked list */   \
-        iter->prev->next = iter->next;                  \
-        if (iter->next)                                 \
-          iter->next->prev = iter->prev;                \
-        iter->next = ty->cast;                          \
-        iter->prev = 0;                                 \
-        if (ty->cast) ty->cast->prev = iter;            \
-        ty->cast = iter;                                \
-        return iter;                                    \
-      }                                                 \
-      iter = iter->next;                                \
-    }                                                   \
-  }                                                     \
-  return 0
-
-/*
-  Check the typename
-*/
-SWIGRUNTIME swig_cast_info *
-SWIG_TypeCheck(const char *c, swig_type_info *ty) {
-  SWIG_TypeCheck_Template(strcmp(iter->type->name, c) == 0, ty);
-}
-
-/* Same as previous function, except strcmp is replaced with a pointer comparison */
-SWIGRUNTIME swig_cast_info *
-SWIG_TypeCheckStruct(swig_type_info *from, swig_type_info *into) {
-  SWIG_TypeCheck_Template(iter->type == from, into);
-}
-
-/*
-  Cast a pointer up an inheritance hierarchy
-*/
-SWIGRUNTIMEINLINE void *
-SWIG_TypeCast(swig_cast_info *ty, void *ptr) {
-  return ((!ty) || (!ty->converter)) ? ptr : (*ty->converter)(ptr);
-}
-
-/* 
-   Dynamic pointer casting. Down an inheritance hierarchy
-*/
-SWIGRUNTIME swig_type_info *
-SWIG_TypeDynamicCast(swig_type_info *ty, void **ptr) {
-  swig_type_info *lastty = ty;
-  if (!ty || !ty->dcast) return ty;
-  while (ty && (ty->dcast)) {
-    ty = (*ty->dcast)(ptr);
-    if (ty) lastty = ty;
-  }
-  return lastty;
-}
-
-/*
-  Return the name associated with this type
-*/
-SWIGRUNTIMEINLINE const char *
-SWIG_TypeName(const swig_type_info *ty) {
-  return ty->name;
-}
-
-/*
-  Return the pretty name associated with this type,
-  that is an unmangled type name in a form presentable to the user.
-*/
-SWIGRUNTIME const char *
-SWIG_TypePrettyName(const swig_type_info *type) {
-  /* The "str" field contains the equivalent pretty names of the
-     type, separated by vertical-bar characters.  We choose
-     to print the last name, as it is often (?) the most
-     specific. */
-  if (!type) return NULL;
-  if (type->str != NULL) {
-    const char *last_name = type->str;
-    const char *s;
-    for (s = type->str; *s; s++)
-      if (*s == '|') last_name = s+1;
-    return last_name;
-  }
-  else
-    return type->name;
-}
-
-/* 
-   Set the clientdata field for a type
-*/
-SWIGRUNTIME void
-SWIG_TypeClientData(swig_type_info *ti, void *clientdata) {
-  swig_cast_info *cast = ti->cast;
-  /* if (ti->clientdata == clientdata) return; */
-  ti->clientdata = clientdata;
-  
-  while (cast) {
-    if (!cast->converter) {
-      swig_type_info *tc = cast->type;
-      if (!tc->clientdata) {
-	SWIG_TypeClientData(tc, clientdata);
-      }
-    }    
-    cast = cast->next;
-  }
-}
-SWIGRUNTIME void
-SWIG_TypeNewClientData(swig_type_info *ti, void *clientdata) {
-  SWIG_TypeClientData(ti, clientdata);
-  ti->owndata = 1;
-}
-  
-/*
-  Search for a swig_type_info structure only by mangled name
-  Search is a O(log #types)
-  
-  We start searching at module start, and finish searching when start == end.  
-  Note: if start == end at the beginning of the function, we go all the way around
-  the circular list.
-*/
-SWIGRUNTIME swig_type_info *
-SWIG_MangledTypeQueryModule(swig_module_info *start, 
-                            swig_module_info *end, 
-		            const char *name) {
-  swig_module_info *iter = start;
-  do {
-    if (iter->size) {
-      register size_t l = 0;
-      register size_t r = iter->size - 1;
-      do {
-	/* since l+r >= 0, we can (>> 1) instead (/ 2) */
-	register size_t i = (l + r) >> 1; 
-	const char *iname = iter->types[i]->name;
-	if (iname) {
-	  register int compare = strcmp(name, iname);
-	  if (compare == 0) {	    
-	    return iter->types[i];
-	  } else if (compare < 0) {
-	    if (i) {
-	      r = i - 1;
-	    } else {
-	      break;
-	    }
-	  } else if (compare > 0) {
-	    l = i + 1;
-	  }
-	} else {
-	  break; /* should never happen */
-	}
-      } while (l <= r);
-    }
-    iter = iter->next;
-  } while (iter != end);
-  return 0;
-}
-
-/*
-  Search for a swig_type_info structure for either a mangled name or a human readable name.
-  It first searches the mangled names of the types, which is a O(log #types)
-  If a type is not found it then searches the human readable names, which is O(#types).
-  
-  We start searching at module start, and finish searching when start == end.  
-  Note: if start == end at the beginning of the function, we go all the way around
-  the circular list.
-*/
-SWIGRUNTIME swig_type_info *
-SWIG_TypeQueryModule(swig_module_info *start, 
-                     swig_module_info *end, 
-		     const char *name) {
-  /* STEP 1: Search the name field using binary search */
-  swig_type_info *ret = SWIG_MangledTypeQueryModule(start, end, name);
-  if (ret) {
-    return ret;
-  } else {
-    /* STEP 2: If the type hasn't been found, do a complete search
-       of the str field (the human readable name) */
-    swig_module_info *iter = start;
-    do {
-      register size_t i = 0;
-      for (; i < iter->size; ++i) {
-	if (iter->types[i]->str && (SWIG_TypeEquiv(iter->types[i]->str, name)))
-	  return iter->types[i];
-      }
-      iter = iter->next;
-    } while (iter != end);
-  }
-  
-  /* neither found a match */
-  return 0;
-}
-
-/* 
-   Pack binary data into a string
-*/
-SWIGRUNTIME char *
-SWIG_PackData(char *c, void *ptr, size_t sz) {
-  static const char hex[17] = "0123456789abcdef";
-  register const unsigned char *u = (unsigned char *) ptr;
-  register const unsigned char *eu =  u + sz;
-  for (; u != eu; ++u) {
-    register unsigned char uu = *u;
-    *(c++) = hex[(uu & 0xf0) >> 4];
-    *(c++) = hex[uu & 0xf];
-  }
-  return c;
-}
-
-/* 
-   Unpack binary data from a string
-*/
-SWIGRUNTIME const char *
-SWIG_UnpackData(const char *c, void *ptr, size_t sz) {
-  register unsigned char *u = (unsigned char *) ptr;
-  register const unsigned char *eu = u + sz;
-  for (; u != eu; ++u) {
-    register char d = *(c++);
-    register unsigned char uu;
-    if ((d >= '0') && (d <= '9'))
-      uu = ((d - '0') << 4);
-    else if ((d >= 'a') && (d <= 'f'))
-      uu = ((d - ('a'-10)) << 4);
-    else 
-      return (char *) 0;
-    d = *(c++);
-    if ((d >= '0') && (d <= '9'))
-      uu |= (d - '0');
-    else if ((d >= 'a') && (d <= 'f'))
-      uu |= (d - ('a'-10));
-    else 
-      return (char *) 0;
-    *u = uu;
-  }
-  return c;
-}
-
-/* 
-   Pack 'void *' into a string buffer.
-*/
-SWIGRUNTIME char *
-SWIG_PackVoidPtr(char *buff, void *ptr, const char *name, size_t bsz) {
-  char *r = buff;
-  if ((2*sizeof(void *) + 2) > bsz) return 0;
-  *(r++) = '_';
-  r = SWIG_PackData(r,&ptr,sizeof(void *));
-  if (strlen(name) + 1 > (bsz - (r - buff))) return 0;
-  strcpy(r,name);
-  return buff;
-}
-
-SWIGRUNTIME const char *
-SWIG_UnpackVoidPtr(const char *c, void **ptr, const char *name) {
-  if (*c != '_') {
-    if (strcmp(c,"NULL") == 0) {
-      *ptr = (void *) 0;
-      return name;
-    } else {
-      return 0;
-    }
-  }
-  return SWIG_UnpackData(++c,ptr,sizeof(void *));
-}
-
-SWIGRUNTIME char *
-SWIG_PackDataName(char *buff, void *ptr, size_t sz, const char *name, size_t bsz) {
-  char *r = buff;
-  size_t lname = (name ? strlen(name) : 0);
-  if ((2*sz + 2 + lname) > bsz) return 0;
-  *(r++) = '_';
-  r = SWIG_PackData(r,ptr,sz);
-  if (lname) {
-    strncpy(r,name,lname+1);
-  } else {
-    *r = 0;
-  }
-  return buff;
-}
-
-SWIGRUNTIME const char *
-SWIG_UnpackDataName(const char *c, void *ptr, size_t sz, const char *name) {
-  if (*c != '_') {
-    if (strcmp(c,"NULL") == 0) {
-      memset(ptr,0,sz);
-      return name;
-    } else {
-      return 0;
-    }
-  }
-  return SWIG_UnpackData(++c,ptr,sz);
-}
-
-#ifdef __cplusplus
-}
-#endif
-
-/*  Errors in SWIG */
-#define  SWIG_UnknownError    	   -1 
-#define  SWIG_IOError        	   -2 
-#define  SWIG_RuntimeError   	   -3 
-#define  SWIG_IndexError     	   -4 
-#define  SWIG_TypeError      	   -5 
-#define  SWIG_DivisionByZero 	   -6 
-#define  SWIG_OverflowError  	   -7 
-#define  SWIG_SyntaxError    	   -8 
-#define  SWIG_ValueError     	   -9 
-#define  SWIG_SystemError    	   -10
-#define  SWIG_AttributeError 	   -11
-#define  SWIG_MemoryError    	   -12 
-#define  SWIG_NullReferenceError   -13
-
-
-
-
-/* Add PyOS_snprintf for old Pythons */
-#if PY_VERSION_HEX < 0x02020000
-# if defined(_MSC_VER) || defined(__BORLANDC__) || defined(_WATCOM)
-#  define PyOS_snprintf _snprintf
-# else
-#  define PyOS_snprintf snprintf
-# endif
-#endif
-
-/* A crude PyString_FromFormat implementation for old Pythons */
-#if PY_VERSION_HEX < 0x02020000
-
-#ifndef SWIG_PYBUFFER_SIZE
-# define SWIG_PYBUFFER_SIZE 1024
-#endif
-
-static PyObject *
-PyString_FromFormat(const char *fmt, ...) {
-  va_list ap;
-  char buf[SWIG_PYBUFFER_SIZE * 2];
-  int res;
-  va_start(ap, fmt);
-  res = vsnprintf(buf, sizeof(buf), fmt, ap);
-  va_end(ap);
-  return (res < 0 || res >= (int)sizeof(buf)) ? 0 : PyString_FromString(buf);
-}
-#endif
-
-/* Add PyObject_Del for old Pythons */
-#if PY_VERSION_HEX < 0x01060000
-# define PyObject_Del(op) PyMem_DEL((op))
-#endif
-#ifndef PyObject_DEL
-# define PyObject_DEL PyObject_Del
-#endif
-
-/* A crude PyExc_StopIteration exception for old Pythons */
-#if PY_VERSION_HEX < 0x02020000
-# ifndef PyExc_StopIteration
-#  define PyExc_StopIteration PyExc_RuntimeError
-# endif
-# ifndef PyObject_GenericGetAttr
-#  define PyObject_GenericGetAttr 0
-# endif
-#endif
-/* Py_NotImplemented is defined in 2.1 and up. */
-#if PY_VERSION_HEX < 0x02010000
-# ifndef Py_NotImplemented
-#  define Py_NotImplemented PyExc_RuntimeError
-# endif
-#endif
-
-
-/* A crude PyString_AsStringAndSize implementation for old Pythons */
-#if PY_VERSION_HEX < 0x02010000
-# ifndef PyString_AsStringAndSize
-#  define PyString_AsStringAndSize(obj, s, len) {*s = PyString_AsString(obj); *len = *s ? strlen(*s) : 0;}
-# endif
-#endif
-
-/* PySequence_Size for old Pythons */
-#if PY_VERSION_HEX < 0x02000000
-# ifndef PySequence_Size
-#  define PySequence_Size PySequence_Length
-# endif
-#endif
-
-
-/* PyBool_FromLong for old Pythons */
-#if PY_VERSION_HEX < 0x02030000
-static
-PyObject *PyBool_FromLong(long ok)
-{
-  PyObject *result = ok ? Py_True : Py_False;
-  Py_INCREF(result);
-  return result;
-}
-#endif
-
-/* Py_ssize_t for old Pythons */
-/* This code is as recommended by: */
-/* http://www.python.org/dev/peps/pep-0353/#conversion-guidelines */
-#if PY_VERSION_HEX < 0x02050000 && !defined(PY_SSIZE_T_MIN)
-typedef int Py_ssize_t;
-# define PY_SSIZE_T_MAX INT_MAX
-# define PY_SSIZE_T_MIN INT_MIN
-#endif
-
-/* -----------------------------------------------------------------------------
- * error manipulation
- * ----------------------------------------------------------------------------- */
-
-SWIGRUNTIME PyObject*
-SWIG_Python_ErrorType(int code) {
-  PyObject* type = 0;
-  switch(code) {
-  case SWIG_MemoryError:
-    type = PyExc_MemoryError;
-    break;
-  case SWIG_IOError:
-    type = PyExc_IOError;
-    break;
-  case SWIG_RuntimeError:
-    type = PyExc_RuntimeError;
-    break;
-  case SWIG_IndexError:
-    type = PyExc_IndexError;
-    break;
-  case SWIG_TypeError:
-    type = PyExc_TypeError;
-    break;
-  case SWIG_DivisionByZero:
-    type = PyExc_ZeroDivisionError;
-    break;
-  case SWIG_OverflowError:
-    type = PyExc_OverflowError;
-    break;
-  case SWIG_SyntaxError:
-    type = PyExc_SyntaxError;
-    break;
-  case SWIG_ValueError:
-    type = PyExc_ValueError;
-    break;
-  case SWIG_SystemError:
-    type = PyExc_SystemError;
-    break;
-  case SWIG_AttributeError:
-    type = PyExc_AttributeError;
-    break;
-  default:
-    type = PyExc_RuntimeError;
-  }
-  return type;
-}
-
-
-SWIGRUNTIME void
-SWIG_Python_AddErrorMsg(const char* mesg)
-{
-  PyObject *type = 0;
-  PyObject *value = 0;
-  PyObject *traceback = 0;
-
-  if (PyErr_Occurred()) PyErr_Fetch(&type, &value, &traceback);
-  if (value) {
-    PyObject *old_str = PyObject_Str(value);
-    PyErr_Clear();
-    Py_XINCREF(type);
-    PyErr_Format(type, "%s %s", PyString_AsString(old_str), mesg);
-    Py_DECREF(old_str);
-    Py_DECREF(value);
-  } else {
-    PyErr_Format(PyExc_RuntimeError, mesg);
-  }
-}
-
-
-
-#if defined(SWIG_PYTHON_NO_THREADS)
-#  if defined(SWIG_PYTHON_THREADS)
-#    undef SWIG_PYTHON_THREADS
-#  endif
-#endif
-#if defined(SWIG_PYTHON_THREADS) /* Threading support is enabled */
-#  if !defined(SWIG_PYTHON_USE_GIL) && !defined(SWIG_PYTHON_NO_USE_GIL)
-#    if (PY_VERSION_HEX >= 0x02030000) /* For 2.3 or later, use the PyGILState calls */
-#      define SWIG_PYTHON_USE_GIL
-#    endif
-#  endif
-#  if defined(SWIG_PYTHON_USE_GIL) /* Use PyGILState threads calls */
-#    ifndef SWIG_PYTHON_INITIALIZE_THREADS
-#     define SWIG_PYTHON_INITIALIZE_THREADS  PyEval_InitThreads() 
-#    endif
-#    ifdef __cplusplus /* C++ code */
-       class SWIG_Python_Thread_Block {
-         bool status;
-         PyGILState_STATE state;
-       public:
-         void end() { if (status) { PyGILState_Release(state); status = false;} }
-         SWIG_Python_Thread_Block() : status(true), state(PyGILState_Ensure()) {}
-         ~SWIG_Python_Thread_Block() { end(); }
-       };
-       class SWIG_Python_Thread_Allow {
-         bool status;
-         PyThreadState *save;
-       public:
-         void end() { if (status) { PyEval_RestoreThread(save); status = false; }}
-         SWIG_Python_Thread_Allow() : status(true), save(PyEval_SaveThread()) {}
-         ~SWIG_Python_Thread_Allow() { end(); }
-       };
-#      define SWIG_PYTHON_THREAD_BEGIN_BLOCK   SWIG_Python_Thread_Block _swig_thread_block
-#      define SWIG_PYTHON_THREAD_END_BLOCK     _swig_thread_block.end()
-#      define SWIG_PYTHON_THREAD_BEGIN_ALLOW   SWIG_Python_Thread_Allow _swig_thread_allow
-#      define SWIG_PYTHON_THREAD_END_ALLOW     _swig_thread_allow.end()
-#    else /* C code */
-#      define SWIG_PYTHON_THREAD_BEGIN_BLOCK   PyGILState_STATE _swig_thread_block = PyGILState_Ensure()
-#      define SWIG_PYTHON_THREAD_END_BLOCK     PyGILState_Release(_swig_thread_block)
-#      define SWIG_PYTHON_THREAD_BEGIN_ALLOW   PyThreadState *_swig_thread_allow = PyEval_SaveThread()
-#      define SWIG_PYTHON_THREAD_END_ALLOW     PyEval_RestoreThread(_swig_thread_allow)
-#    endif
-#  else /* Old thread way, not implemented, user must provide it */
-#    if !defined(SWIG_PYTHON_INITIALIZE_THREADS)
-#      define SWIG_PYTHON_INITIALIZE_THREADS
-#    endif
-#    if !defined(SWIG_PYTHON_THREAD_BEGIN_BLOCK)
-#      define SWIG_PYTHON_THREAD_BEGIN_BLOCK
-#    endif
-#    if !defined(SWIG_PYTHON_THREAD_END_BLOCK)
-#      define SWIG_PYTHON_THREAD_END_BLOCK
-#    endif
-#    if !defined(SWIG_PYTHON_THREAD_BEGIN_ALLOW)
-#      define SWIG_PYTHON_THREAD_BEGIN_ALLOW
-#    endif
-#    if !defined(SWIG_PYTHON_THREAD_END_ALLOW)
-#      define SWIG_PYTHON_THREAD_END_ALLOW
-#    endif
-#  endif
-#else /* No thread support */
-#  define SWIG_PYTHON_INITIALIZE_THREADS
-#  define SWIG_PYTHON_THREAD_BEGIN_BLOCK
-#  define SWIG_PYTHON_THREAD_END_BLOCK
-#  define SWIG_PYTHON_THREAD_BEGIN_ALLOW
-#  define SWIG_PYTHON_THREAD_END_ALLOW
-#endif
-
-/* -----------------------------------------------------------------------------
- * Python API portion that goes into the runtime
- * ----------------------------------------------------------------------------- */
-
-#ifdef __cplusplus
-extern "C" {
-#if 0
-} /* cc-mode */
-#endif
-#endif
-
-/* -----------------------------------------------------------------------------
- * Constant declarations
- * ----------------------------------------------------------------------------- */
-
-/* Constant Types */
-#define SWIG_PY_POINTER 4
-#define SWIG_PY_BINARY  5
-
-/* Constant information structure */
-typedef struct swig_const_info {
-  int type;
-  char *name;
-  long lvalue;
-  double dvalue;
-  void   *pvalue;
-  swig_type_info **ptype;
-} swig_const_info;
-
-#ifdef __cplusplus
-#if 0
-{ /* cc-mode */
-#endif
-}
-#endif
-
-
-/* -----------------------------------------------------------------------------
- * See the LICENSE file for information on copyright, usage and redistribution
- * of SWIG, and the README file for authors - http://www.swig.org/release.html.
- *
- * pyrun.swg
- *
- * This file contains the runtime support for Python modules
- * and includes code for managing global variables and pointer
- * type checking.
- *
- * ----------------------------------------------------------------------------- */
-
-/* Common SWIG API */
-
-/* for raw pointers */
-#define SWIG_Python_ConvertPtr(obj, pptr, type, flags)  SWIG_Python_ConvertPtrAndOwn(obj, pptr, type, flags, 0)
-#define SWIG_ConvertPtr(obj, pptr, type, flags)         SWIG_Python_ConvertPtr(obj, pptr, type, flags)
-#define SWIG_ConvertPtrAndOwn(obj,pptr,type,flags,own)  SWIG_Python_ConvertPtrAndOwn(obj, pptr, type, flags, own)
-#define SWIG_NewPointerObj(ptr, type, flags)            SWIG_Python_NewPointerObj(ptr, type, flags)
-#define SWIG_CheckImplicit(ty)                          SWIG_Python_CheckImplicit(ty) 
-#define SWIG_AcquirePtr(ptr, src)                       SWIG_Python_AcquirePtr(ptr, src)
-#define swig_owntype                                    int
-
-/* for raw packed data */
-#define SWIG_ConvertPacked(obj, ptr, sz, ty)            SWIG_Python_ConvertPacked(obj, ptr, sz, ty)
-#define SWIG_NewPackedObj(ptr, sz, type)                SWIG_Python_NewPackedObj(ptr, sz, type)
-
-/* for class or struct pointers */
-#define SWIG_ConvertInstance(obj, pptr, type, flags)    SWIG_ConvertPtr(obj, pptr, type, flags)
-#define SWIG_NewInstanceObj(ptr, type, flags)           SWIG_NewPointerObj(ptr, type, flags)
-
-/* for C or C++ function pointers */
-#define SWIG_ConvertFunctionPtr(obj, pptr, type)        SWIG_Python_ConvertFunctionPtr(obj, pptr, type)
-#define SWIG_NewFunctionPtrObj(ptr, type)               SWIG_Python_NewPointerObj(ptr, type, 0)
-
-/* for C++ member pointers, ie, member methods */
-#define SWIG_ConvertMember(obj, ptr, sz, ty)            SWIG_Python_ConvertPacked(obj, ptr, sz, ty)
-#define SWIG_NewMemberObj(ptr, sz, type)                SWIG_Python_NewPackedObj(ptr, sz, type)
-
-
-/* Runtime API */
-
-#define SWIG_GetModule(clientdata)                      SWIG_Python_GetModule()
-#define SWIG_SetModule(clientdata, pointer)             SWIG_Python_SetModule(pointer)
-#define SWIG_NewClientData(obj)                         PySwigClientData_New(obj)
-
-#define SWIG_SetErrorObj                                SWIG_Python_SetErrorObj                            
-#define SWIG_SetErrorMsg                        	SWIG_Python_SetErrorMsg				   
-#define SWIG_ErrorType(code)                    	SWIG_Python_ErrorType(code)                        
-#define SWIG_Error(code, msg)            		SWIG_Python_SetErrorMsg(SWIG_ErrorType(code), msg) 
-#define SWIG_fail                        		goto fail					   
-
-
-/* Runtime API implementation */
-
-/* Error manipulation */
-
-SWIGINTERN void 
-SWIG_Python_SetErrorObj(PyObject *errtype, PyObject *obj) {
-  SWIG_PYTHON_THREAD_BEGIN_BLOCK; 
-  PyErr_SetObject(errtype, obj);
-  Py_DECREF(obj);
-  SWIG_PYTHON_THREAD_END_BLOCK;
-}
-
-SWIGINTERN void 
-SWIG_Python_SetErrorMsg(PyObject *errtype, const char *msg) {
-  SWIG_PYTHON_THREAD_BEGIN_BLOCK;
-  PyErr_SetString(errtype, (char *) msg);
-  SWIG_PYTHON_THREAD_END_BLOCK;
-}
-
-#define SWIG_Python_Raise(obj, type, desc)  SWIG_Python_SetErrorObj(SWIG_Python_ExceptionType(desc), obj)
-
-/* Set a constant value */
-
-SWIGINTERN void
-SWIG_Python_SetConstant(PyObject *d, const char *name, PyObject *obj) {   
-  PyDict_SetItemString(d, (char*) name, obj);
-  Py_DECREF(obj);                            
-}
-
-/* Append a value to the result obj */
-
-SWIGINTERN PyObject*
-SWIG_Python_AppendOutput(PyObject* result, PyObject* obj) {
-#if !defined(SWIG_PYTHON_OUTPUT_TUPLE)
-  if (!result) {
-    result = obj;
-  } else if (result == Py_None) {
-    Py_DECREF(result);
-    result = obj;
-  } else {
-    if (!PyList_Check(result)) {
-      PyObject *o2 = result;
-      result = PyList_New(1);
-      PyList_SetItem(result, 0, o2);
-    }
-    PyList_Append(result,obj);
-    Py_DECREF(obj);
-  }
-  return result;
-#else
-  PyObject*   o2;
-  PyObject*   o3;
-  if (!result) {
-    result = obj;
-  } else if (result == Py_None) {
-    Py_DECREF(result);
-    result = obj;
-  } else {
-    if (!PyTuple_Check(result)) {
-      o2 = result;
-      result = PyTuple_New(1);
-      PyTuple_SET_ITEM(result, 0, o2);
-    }
-    o3 = PyTuple_New(1);
-    PyTuple_SET_ITEM(o3, 0, obj);
-    o2 = result;
-    result = PySequence_Concat(o2, o3);
-    Py_DECREF(o2);
-    Py_DECREF(o3);
-  }
-  return result;
-#endif
-}
-
-/* Unpack the argument tuple */
-
-SWIGINTERN int
-SWIG_Python_UnpackTuple(PyObject *args, const char *name, int min, int max, PyObject **objs)
-{
-  if (!args) {
-    if (!min && !max) {
-      return 1;
-    } else {
-      PyErr_Format(PyExc_TypeError, "%s expected %s%d arguments, got none", 
-		   name, (min == max ? "" : "at least "), min);
-      return 0;
-    }
-  }  
-  if (!PyTuple_Check(args)) {
-    PyErr_SetString(PyExc_SystemError, "UnpackTuple() argument list is not a tuple");
-    return 0;
-  } else {
-    register int l = PyTuple_GET_SIZE(args);
-    if (l < min) {
-      PyErr_Format(PyExc_TypeError, "%s expected %s%d arguments, got %d", 
-		   name, (min == max ? "" : "at least "), min, l);
-      return 0;
-    } else if (l > max) {
-      PyErr_Format(PyExc_TypeError, "%s expected %s%d arguments, got %d", 
-		   name, (min == max ? "" : "at most "), max, l);
-      return 0;
-    } else {
-      register int i;
-      for (i = 0; i < l; ++i) {
-	objs[i] = PyTuple_GET_ITEM(args, i);
-      }
-      for (; l < max; ++l) {
-	objs[l] = 0;
-      }
-      return i + 1;
-    }    
-  }
-}
-
-/* A functor is a function object with one single object argument */
-#if PY_VERSION_HEX >= 0x02020000
-#define SWIG_Python_CallFunctor(functor, obj)	        PyObject_CallFunctionObjArgs(functor, obj, NULL);
-#else
-#define SWIG_Python_CallFunctor(functor, obj)	        PyObject_CallFunction(functor, "O", obj);
-#endif
-
-/*
-  Helper for static pointer initialization for both C and C++ code, for example
-  static PyObject *SWIG_STATIC_POINTER(MyVar) = NewSomething(...);
-*/
-#ifdef __cplusplus
-#define SWIG_STATIC_POINTER(var)  var
-#else
-#define SWIG_STATIC_POINTER(var)  var = 0; if (!var) var
-#endif
-
-/* -----------------------------------------------------------------------------
- * Pointer declarations
- * ----------------------------------------------------------------------------- */
-
-/* Flags for new pointer objects */
-#define SWIG_POINTER_NOSHADOW       (SWIG_POINTER_OWN      << 1)
-#define SWIG_POINTER_NEW            (SWIG_POINTER_NOSHADOW | SWIG_POINTER_OWN)
-
-#define SWIG_POINTER_IMPLICIT_CONV  (SWIG_POINTER_DISOWN   << 1)
-
-#ifdef __cplusplus
-extern "C" {
-#if 0
-} /* cc-mode */
-#endif
-#endif
-
-/*  How to access Py_None */
-#if defined(_WIN32) || defined(__WIN32__) || defined(__CYGWIN__)
-#  ifndef SWIG_PYTHON_NO_BUILD_NONE
-#    ifndef SWIG_PYTHON_BUILD_NONE
-#      define SWIG_PYTHON_BUILD_NONE
-#    endif
-#  endif
-#endif
-
-#ifdef SWIG_PYTHON_BUILD_NONE
-#  ifdef Py_None
-#   undef Py_None
-#   define Py_None SWIG_Py_None()
-#  endif
-SWIGRUNTIMEINLINE PyObject * 
-_SWIG_Py_None(void)
-{
-  PyObject *none = Py_BuildValue((char*)"");
-  Py_DECREF(none);
-  return none;
-}
-SWIGRUNTIME PyObject * 
-SWIG_Py_None(void)
-{
-  static PyObject *SWIG_STATIC_POINTER(none) = _SWIG_Py_None();
-  return none;
-}
-#endif
-
-/* The python void return value */
-
-SWIGRUNTIMEINLINE PyObject * 
-SWIG_Py_Void(void)
-{
-  PyObject *none = Py_None;
-  Py_INCREF(none);
-  return none;
-}
-
-/* PySwigClientData */
-
-typedef struct {
-  PyObject *klass;
-  PyObject *newraw;
-  PyObject *newargs;
-  PyObject *destroy;
-  int delargs;
-  int implicitconv;
-} PySwigClientData;
-
-SWIGRUNTIMEINLINE int 
-SWIG_Python_CheckImplicit(swig_type_info *ty)
-{
-  PySwigClientData *data = (PySwigClientData *)ty->clientdata;
-  return data ? data->implicitconv : 0;
-}
-
-SWIGRUNTIMEINLINE PyObject *
-SWIG_Python_ExceptionType(swig_type_info *desc) {
-  PySwigClientData *data = desc ? (PySwigClientData *) desc->clientdata : 0;
-  PyObject *klass = data ? data->klass : 0;
-  return (klass ? klass : PyExc_RuntimeError);
-}
-
-
-SWIGRUNTIME PySwigClientData * 
-PySwigClientData_New(PyObject* obj)
-{
-  if (!obj) {
-    return 0;
-  } else {
-    PySwigClientData *data = (PySwigClientData *)malloc(sizeof(PySwigClientData));
-    /* the klass element */
-    data->klass = obj;
-    Py_INCREF(data->klass);
-    /* the newraw method and newargs arguments used to create a new raw instance */
-    if (PyClass_Check(obj)) {
-      data->newraw = 0;
-      data->newargs = obj;
-      Py_INCREF(obj);
-    } else {
-#if (PY_VERSION_HEX < 0x02020000)
-      data->newraw = 0;
-#else
-      data->newraw = PyObject_GetAttrString(data->klass, (char *)"__new__");
-#endif
-      if (data->newraw) {
-	Py_INCREF(data->newraw);
-	data->newargs = PyTuple_New(1);
-	PyTuple_SetItem(data->newargs, 0, obj);
-      } else {
-	data->newargs = obj;
-      }
-      Py_INCREF(data->newargs);
-    }
-    /* the destroy method, aka as the C++ delete method */
-    data->destroy = PyObject_GetAttrString(data->klass, (char *)"__swig_destroy__");
-    if (PyErr_Occurred()) {
-      PyErr_Clear();
-      data->destroy = 0;
-    }
-    if (data->destroy) {
-      int flags;
-      Py_INCREF(data->destroy);
-      flags = PyCFunction_GET_FLAGS(data->destroy);
-#ifdef METH_O
-      data->delargs = !(flags & (METH_O));
-#else
-      data->delargs = 0;
-#endif
-    } else {
-      data->delargs = 0;
-    }
-    data->implicitconv = 0;
-    return data;
-  }
-}
-
-SWIGRUNTIME void 
-PySwigClientData_Del(PySwigClientData* data)
-{
-  Py_XDECREF(data->newraw);
-  Py_XDECREF(data->newargs);
-  Py_XDECREF(data->destroy);
-}
-
-/* =============== PySwigObject =====================*/
-
-typedef struct {
-  PyObject_HEAD
-  void *ptr;
-  swig_type_info *ty;
-  int own;
-  PyObject *next;
-} PySwigObject;
-
-SWIGRUNTIME PyObject *
-PySwigObject_long(PySwigObject *v)
-{
-  return PyLong_FromVoidPtr(v->ptr);
-}
-
-SWIGRUNTIME PyObject *
-PySwigObject_format(const char* fmt, PySwigObject *v)
-{
-  PyObject *res = NULL;
-  PyObject *args = PyTuple_New(1);
-  if (args) {
-    if (PyTuple_SetItem(args, 0, PySwigObject_long(v)) == 0) {
-      PyObject *ofmt = PyString_FromString(fmt);
-      if (ofmt) {
-	res = PyString_Format(ofmt,args);
-	Py_DECREF(ofmt);
-      }
-      Py_DECREF(args);
-    }
-  }
-  return res;
-}
-
-SWIGRUNTIME PyObject *
-PySwigObject_oct(PySwigObject *v)
-{
-  return PySwigObject_format("%o",v);
-}
-
-SWIGRUNTIME PyObject *
-PySwigObject_hex(PySwigObject *v)
-{
-  return PySwigObject_format("%x",v);
-}
-
-SWIGRUNTIME PyObject *
-#ifdef METH_NOARGS
-PySwigObject_repr(PySwigObject *v)
-#else
-PySwigObject_repr(PySwigObject *v, PyObject *args)
-#endif
-{
-  const char *name = SWIG_TypePrettyName(v->ty);
-  PyObject *hex = PySwigObject_hex(v);    
-  PyObject *repr = PyString_FromFormat("<Swig Object of type '%s' at 0x%s>", name, PyString_AsString(hex));
-  Py_DECREF(hex);
-  if (v->next) {
-#ifdef METH_NOARGS
-    PyObject *nrep = PySwigObject_repr((PySwigObject *)v->next);
-#else
-    PyObject *nrep = PySwigObject_repr((PySwigObject *)v->next, args);
-#endif
-    PyString_ConcatAndDel(&repr,nrep);
-  }
-  return repr;  
-}
-
-SWIGRUNTIME int
-PySwigObject_print(PySwigObject *v, FILE *fp, int SWIGUNUSEDPARM(flags))
-{
-#ifdef METH_NOARGS
-  PyObject *repr = PySwigObject_repr(v);
-#else
-  PyObject *repr = PySwigObject_repr(v, NULL);
-#endif
-  if (repr) {
-    fputs(PyString_AsString(repr), fp);
-    Py_DECREF(repr);
-    return 0; 
-  } else {
-    return 1; 
-  }
-}
-
-SWIGRUNTIME PyObject *
-PySwigObject_str(PySwigObject *v)
-{
-  char result[SWIG_BUFFER_SIZE];
-  return SWIG_PackVoidPtr(result, v->ptr, v->ty->name, sizeof(result)) ?
-    PyString_FromString(result) : 0;
-}
-
-SWIGRUNTIME int
-PySwigObject_compare(PySwigObject *v, PySwigObject *w)
-{
-  void *i = v->ptr;
-  void *j = w->ptr;
-  return (i < j) ? -1 : ((i > j) ? 1 : 0);
-}
-
-SWIGRUNTIME PyTypeObject* _PySwigObject_type(void);
-
-SWIGRUNTIME PyTypeObject*
-PySwigObject_type(void) {
-  static PyTypeObject *SWIG_STATIC_POINTER(type) = _PySwigObject_type();
-  return type;
-}
-
-SWIGRUNTIMEINLINE int
-PySwigObject_Check(PyObject *op) {
-  return ((op)->ob_type == PySwigObject_type())
-    || (strcmp((op)->ob_type->tp_name,"PySwigObject") == 0);
-}
-
-SWIGRUNTIME PyObject *
-PySwigObject_New(void *ptr, swig_type_info *ty, int own);
-
-SWIGRUNTIME void
-PySwigObject_dealloc(PyObject *v)
-{
-  PySwigObject *sobj = (PySwigObject *) v;
-  PyObject *next = sobj->next;
-  if (sobj->own) {
-    swig_type_info *ty = sobj->ty;
-    PySwigClientData *data = ty ? (PySwigClientData *) ty->clientdata : 0;
-    PyObject *destroy = data ? data->destroy : 0;
-    if (destroy) {
-      /* destroy is always a VARARGS method */
-      PyObject *res;
-      if (data->delargs) {
-	/* we need to create a temporal object to carry the destroy operation */
-	PyObject *tmp = PySwigObject_New(sobj->ptr, ty, 0);
-	res = SWIG_Python_CallFunctor(destroy, tmp);
-	Py_DECREF(tmp);
-      } else {
-	PyCFunction meth = PyCFunction_GET_FUNCTION(destroy);
-	PyObject *mself = PyCFunction_GET_SELF(destroy);
-	res = ((*meth)(mself, v));
-      }
-      Py_XDECREF(res);
-    } else {
-      const char *name = SWIG_TypePrettyName(ty);
-#if !defined(SWIG_PYTHON_SILENT_MEMLEAK)
-      printf("swig/python detected a memory leak of type '%s', no destructor found.\n", name);
-#endif
-    }
-  } 
-  Py_XDECREF(next);
-  PyObject_DEL(v);
-}
-
-SWIGRUNTIME PyObject* 
-PySwigObject_append(PyObject* v, PyObject* next)
-{
-  PySwigObject *sobj = (PySwigObject *) v;
-#ifndef METH_O
-  PyObject *tmp = 0;
-  if (!PyArg_ParseTuple(next,(char *)"O:append", &tmp)) return NULL;
-  next = tmp;
-#endif
-  if (!PySwigObject_Check(next)) {
-    return NULL;
-  }
-  sobj->next = next;
-  Py_INCREF(next);
-  return SWIG_Py_Void();
-}
-
-SWIGRUNTIME PyObject* 
-#ifdef METH_NOARGS
-PySwigObject_next(PyObject* v)
-#else
-PySwigObject_next(PyObject* v, PyObject *SWIGUNUSEDPARM(args))
-#endif
-{
-  PySwigObject *sobj = (PySwigObject *) v;
-  if (sobj->next) {    
-    Py_INCREF(sobj->next);
-    return sobj->next;
-  } else {
-    return SWIG_Py_Void();
-  }
-}
-
-SWIGINTERN PyObject*
-#ifdef METH_NOARGS
-PySwigObject_disown(PyObject *v)
-#else
-PySwigObject_disown(PyObject* v, PyObject *SWIGUNUSEDPARM(args))
-#endif
-{
-  PySwigObject *sobj = (PySwigObject *)v;
-  sobj->own = 0;
-  return SWIG_Py_Void();
-}
-
-SWIGINTERN PyObject*
-#ifdef METH_NOARGS
-PySwigObject_acquire(PyObject *v)
-#else
-PySwigObject_acquire(PyObject* v, PyObject *SWIGUNUSEDPARM(args))
-#endif
-{
-  PySwigObject *sobj = (PySwigObject *)v;
-  sobj->own = SWIG_POINTER_OWN;
-  return SWIG_Py_Void();
-}
-
-SWIGINTERN PyObject*
-PySwigObject_own(PyObject *v, PyObject *args)
-{
-  PyObject *val = 0;
-#if (PY_VERSION_HEX < 0x02020000)
-  if (!PyArg_ParseTuple(args,(char *)"|O:own",&val))
-#else
-  if (!PyArg_UnpackTuple(args, (char *)"own", 0, 1, &val)) 
-#endif
-    {
-      return NULL;
-    } 
-  else
-    {
-      PySwigObject *sobj = (PySwigObject *)v;
-      PyObject *obj = PyBool_FromLong(sobj->own);
-      if (val) {
-#ifdef METH_NOARGS
-	if (PyObject_IsTrue(val)) {
-	  PySwigObject_acquire(v);
-	} else {
-	  PySwigObject_disown(v);
-	}
-#else
-	if (PyObject_IsTrue(val)) {
-	  PySwigObject_acquire(v,args);
-	} else {
-	  PySwigObject_disown(v,args);
-	}
-#endif
-      } 
-      return obj;
-    }
-}
-
-#ifdef METH_O
-static PyMethodDef
-swigobject_methods[] = {
-  {(char *)"disown",  (PyCFunction)PySwigObject_disown,  METH_NOARGS,  (char *)"releases ownership of the pointer"},
-  {(char *)"acquire", (PyCFunction)PySwigObject_acquire, METH_NOARGS,  (char *)"aquires ownership of the pointer"},
-  {(char *)"own",     (PyCFunction)PySwigObject_own,     METH_VARARGS, (char *)"returns/sets ownership of the pointer"},
-  {(char *)"append",  (PyCFunction)PySwigObject_append,  METH_O,       (char *)"appends another 'this' object"},
-  {(char *)"next",    (PyCFunction)PySwigObject_next,    METH_NOARGS,  (char *)"returns the next 'this' object"},
-  {(char *)"__repr__",(PyCFunction)PySwigObject_repr,    METH_NOARGS,  (char *)"returns object representation"},
-  {0, 0, 0, 0}  
-};
-#else
-static PyMethodDef
-swigobject_methods[] = {
-  {(char *)"disown",  (PyCFunction)PySwigObject_disown,  METH_VARARGS,  (char *)"releases ownership of the pointer"},
-  {(char *)"acquire", (PyCFunction)PySwigObject_acquire, METH_VARARGS,  (char *)"aquires ownership of the pointer"},
-  {(char *)"own",     (PyCFunction)PySwigObject_own,     METH_VARARGS,  (char *)"returns/sets ownership of the pointer"},
-  {(char *)"append",  (PyCFunction)PySwigObject_append,  METH_VARARGS,  (char *)"appends another 'this' object"},
-  {(char *)"next",    (PyCFunction)PySwigObject_next,    METH_VARARGS,  (char *)"returns the next 'this' object"},
-  {(char *)"__repr__",(PyCFunction)PySwigObject_repr,   METH_VARARGS,  (char *)"returns object representation"},
-  {0, 0, 0, 0}  
-};
-#endif
-
-#if PY_VERSION_HEX < 0x02020000
-SWIGINTERN PyObject *
-PySwigObject_getattr(PySwigObject *sobj,char *name)
-{
-  return Py_FindMethod(swigobject_methods, (PyObject *)sobj, name);
-}
-#endif
-
-SWIGRUNTIME PyTypeObject*
-_PySwigObject_type(void) {
-  static char swigobject_doc[] = "Swig object carries a C/C++ instance pointer";
-  
-  static PyNumberMethods PySwigObject_as_number = {
-    (binaryfunc)0, /*nb_add*/
-    (binaryfunc)0, /*nb_subtract*/
-    (binaryfunc)0, /*nb_multiply*/
-    (binaryfunc)0, /*nb_divide*/
-    (binaryfunc)0, /*nb_remainder*/
-    (binaryfunc)0, /*nb_divmod*/
-    (ternaryfunc)0,/*nb_power*/
-    (unaryfunc)0,  /*nb_negative*/
-    (unaryfunc)0,  /*nb_positive*/
-    (unaryfunc)0,  /*nb_absolute*/
-    (inquiry)0,    /*nb_nonzero*/
-    0,		   /*nb_invert*/
-    0,		   /*nb_lshift*/
-    0,		   /*nb_rshift*/
-    0,		   /*nb_and*/
-    0,		   /*nb_xor*/
-    0,		   /*nb_or*/
-    (coercion)0,   /*nb_coerce*/
-    (unaryfunc)PySwigObject_long, /*nb_int*/
-    (unaryfunc)PySwigObject_long, /*nb_long*/
-    (unaryfunc)0,                 /*nb_float*/
-    (unaryfunc)PySwigObject_oct,  /*nb_oct*/
-    (unaryfunc)PySwigObject_hex,  /*nb_hex*/
-#if PY_VERSION_HEX >= 0x02020000
-    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 /* nb_inplace_add -> nb_inplace_true_divide */ 
-#elif PY_VERSION_HEX >= 0x02000000
-    0,0,0,0,0,0,0,0,0,0,0 /* nb_inplace_add -> nb_inplace_or */
-#endif
-  };
-
-  static PyTypeObject pyswigobject_type;  
-  static int type_init = 0;
-  if (!type_init) {
-    const PyTypeObject tmp
-      = {
-	PyObject_HEAD_INIT(NULL)
-	0,				    /* ob_size */
-	(char *)"PySwigObject",		    /* tp_name */
-	sizeof(PySwigObject),		    /* tp_basicsize */
-	0,			            /* tp_itemsize */
-	(destructor)PySwigObject_dealloc,   /* tp_dealloc */
-	(printfunc)PySwigObject_print,	    /* tp_print */
-#if PY_VERSION_HEX < 0x02020000
-	(getattrfunc)PySwigObject_getattr,  /* tp_getattr */ 
-#else
-	(getattrfunc)0,			    /* tp_getattr */ 
-#endif
-	(setattrfunc)0,			    /* tp_setattr */ 
-	(cmpfunc)PySwigObject_compare,	    /* tp_compare */ 
-	(reprfunc)PySwigObject_repr,	    /* tp_repr */    
-	&PySwigObject_as_number,	    /* tp_as_number */
-	0,				    /* tp_as_sequence */
-	0,				    /* tp_as_mapping */
-	(hashfunc)0,			    /* tp_hash */
-	(ternaryfunc)0,			    /* tp_call */
-	(reprfunc)PySwigObject_str,	    /* tp_str */
-	PyObject_GenericGetAttr,            /* tp_getattro */
-	0,				    /* tp_setattro */
-	0,		                    /* tp_as_buffer */
-	Py_TPFLAGS_DEFAULT,	            /* tp_flags */
-	swigobject_doc, 	            /* tp_doc */        
-	0,                                  /* tp_traverse */
-	0,                                  /* tp_clear */
-	0,                                  /* tp_richcompare */
-	0,                                  /* tp_weaklistoffset */
-#if PY_VERSION_HEX >= 0x02020000
-	0,                                  /* tp_iter */
-	0,                                  /* tp_iternext */
-	swigobject_methods,		    /* tp_methods */ 
-	0,			            /* tp_members */
-	0,				    /* tp_getset */	    	
-	0,			            /* tp_base */	        
-	0,				    /* tp_dict */	    	
-	0,				    /* tp_descr_get */  	
-	0,				    /* tp_descr_set */  	
-	0,				    /* tp_dictoffset */ 	
-	0,				    /* tp_init */	    	
-	0,				    /* tp_alloc */	    	
-	0,			            /* tp_new */	    	
-	0,	                            /* tp_free */	   
-        0,                                  /* tp_is_gc */  
-	0,				    /* tp_bases */   
-	0,				    /* tp_mro */
-	0,				    /* tp_cache */   
- 	0,				    /* tp_subclasses */
-	0,				    /* tp_weaklist */
-#endif
-#if PY_VERSION_HEX >= 0x02030000
-	0,                                  /* tp_del */
-#endif
-#ifdef COUNT_ALLOCS
-	0,0,0,0                             /* tp_alloc -> tp_next */
-#endif
-      };
-    pyswigobject_type = tmp;
-    pyswigobject_type.ob_type = &PyType_Type;
-    type_init = 1;
-  }
-  return &pyswigobject_type;
-}
-
-SWIGRUNTIME PyObject *
-PySwigObject_New(void *ptr, swig_type_info *ty, int own)
-{
-  PySwigObject *sobj = PyObject_NEW(PySwigObject, PySwigObject_type());
-  if (sobj) {
-    sobj->ptr  = ptr;
-    sobj->ty   = ty;
-    sobj->own  = own;
-    sobj->next = 0;
-  }
-  return (PyObject *)sobj;
-}
-
-/* -----------------------------------------------------------------------------
- * Implements a simple Swig Packed type, and use it instead of string
- * ----------------------------------------------------------------------------- */
-
-typedef struct {
-  PyObject_HEAD
-  void *pack;
-  swig_type_info *ty;
-  size_t size;
-} PySwigPacked;
-
-SWIGRUNTIME int
-PySwigPacked_print(PySwigPacked *v, FILE *fp, int SWIGUNUSEDPARM(flags))
-{
-  char result[SWIG_BUFFER_SIZE];
-  fputs("<Swig Packed ", fp); 
-  if (SWIG_PackDataName(result, v->pack, v->size, 0, sizeof(result))) {
-    fputs("at ", fp); 
-    fputs(result, fp); 
-  }
-  fputs(v->ty->name,fp); 
-  fputs(">", fp);
-  return 0; 
-}
-  
-SWIGRUNTIME PyObject *
-PySwigPacked_repr(PySwigPacked *v)
-{
-  char result[SWIG_BUFFER_SIZE];
-  if (SWIG_PackDataName(result, v->pack, v->size, 0, sizeof(result))) {
-    return PyString_FromFormat("<Swig Packed at %s%s>", result, v->ty->name);
-  } else {
-    return PyString_FromFormat("<Swig Packed %s>", v->ty->name);
-  }  
-}
-
-SWIGRUNTIME PyObject *
-PySwigPacked_str(PySwigPacked *v)
-{
-  char result[SWIG_BUFFER_SIZE];
-  if (SWIG_PackDataName(result, v->pack, v->size, 0, sizeof(result))){
-    return PyString_FromFormat("%s%s", result, v->ty->name);
-  } else {
-    return PyString_FromString(v->ty->name);
-  }  
-}
-
-SWIGRUNTIME int
-PySwigPacked_compare(PySwigPacked *v, PySwigPacked *w)
-{
-  size_t i = v->size;
-  size_t j = w->size;
-  int s = (i < j) ? -1 : ((i > j) ? 1 : 0);
-  return s ? s : strncmp((char *)v->pack, (char *)w->pack, 2*v->size);
-}
-
-SWIGRUNTIME PyTypeObject* _PySwigPacked_type(void);
-
-SWIGRUNTIME PyTypeObject*
-PySwigPacked_type(void) {
-  static PyTypeObject *SWIG_STATIC_POINTER(type) = _PySwigPacked_type();
-  return type;
-}
-
-SWIGRUNTIMEINLINE int
-PySwigPacked_Check(PyObject *op) {
-  return ((op)->ob_type == _PySwigPacked_type()) 
-    || (strcmp((op)->ob_type->tp_name,"PySwigPacked") == 0);
-}
-
-SWIGRUNTIME void
-PySwigPacked_dealloc(PyObject *v)
-{
-  if (PySwigPacked_Check(v)) {
-    PySwigPacked *sobj = (PySwigPacked *) v;
-    free(sobj->pack);
-  }
-  PyObject_DEL(v);
-}
-
-SWIGRUNTIME PyTypeObject*
-_PySwigPacked_type(void) {
-  static char swigpacked_doc[] = "Swig object carries a C/C++ instance pointer";
-  static PyTypeObject pyswigpacked_type;
-  static int type_init = 0;  
-  if (!type_init) {
-    const PyTypeObject tmp
-      = {
-	PyObject_HEAD_INIT(NULL)
-	0,				    /* ob_size */	
-	(char *)"PySwigPacked",		    /* tp_name */	
-	sizeof(PySwigPacked),		    /* tp_basicsize */	
-	0,				    /* tp_itemsize */	
-	(destructor)PySwigPacked_dealloc,   /* tp_dealloc */	
-	(printfunc)PySwigPacked_print,	    /* tp_print */   	
-	(getattrfunc)0,			    /* tp_getattr */ 	
-	(setattrfunc)0,			    /* tp_setattr */ 	
-	(cmpfunc)PySwigPacked_compare,	    /* tp_compare */ 	
-	(reprfunc)PySwigPacked_repr,	    /* tp_repr */    	
-	0,	                            /* tp_as_number */	
-	0,				    /* tp_as_sequence */
-	0,				    /* tp_as_mapping */	
-	(hashfunc)0,			    /* tp_hash */	
-	(ternaryfunc)0,			    /* tp_call */	
-	(reprfunc)PySwigPacked_str,	    /* tp_str */	
-	PyObject_GenericGetAttr,            /* tp_getattro */
-	0,				    /* tp_setattro */
-	0,		                    /* tp_as_buffer */
-	Py_TPFLAGS_DEFAULT,	            /* tp_flags */
-	swigpacked_doc, 	            /* tp_doc */
-	0,                                  /* tp_traverse */
-	0,                                  /* tp_clear */
-	0,                                  /* tp_richcompare */
-	0,                                  /* tp_weaklistoffset */
-#if PY_VERSION_HEX >= 0x02020000
-	0,                                  /* tp_iter */
-	0,                                  /* tp_iternext */
-	0,		                    /* tp_methods */ 
-	0,			            /* tp_members */
-	0,				    /* tp_getset */	    	
-	0,			            /* tp_base */	        
-	0,				    /* tp_dict */	    	
-	0,				    /* tp_descr_get */  	
-	0,				    /* tp_descr_set */  	
-	0,				    /* tp_dictoffset */ 	
-	0,				    /* tp_init */	    	
-	0,				    /* tp_alloc */	    	
-	0,			            /* tp_new */	    	
-	0, 	                            /* tp_free */	   
-        0,                                  /* tp_is_gc */  
-	0,				    /* tp_bases */   
-	0,				    /* tp_mro */
-	0,				    /* tp_cache */   
- 	0,				    /* tp_subclasses */
-	0,				    /* tp_weaklist */
-#endif
-#if PY_VERSION_HEX >= 0x02030000
-	0,                                  /* tp_del */
-#endif
-#ifdef COUNT_ALLOCS
-	0,0,0,0                             /* tp_alloc -> tp_next */
-#endif
-      };
-    pyswigpacked_type = tmp;
-    pyswigpacked_type.ob_type = &PyType_Type;
-    type_init = 1;
-  }
-  return &pyswigpacked_type;
-}
-
-SWIGRUNTIME PyObject *
-PySwigPacked_New(void *ptr, size_t size, swig_type_info *ty)
-{
-  PySwigPacked *sobj = PyObject_NEW(PySwigPacked, PySwigPacked_type());
-  if (sobj) {
-    void *pack = malloc(size);
-    if (pack) {
-      memcpy(pack, ptr, size);
-      sobj->pack = pack;
-      sobj->ty   = ty;
-      sobj->size = size;
-    } else {
-      PyObject_DEL((PyObject *) sobj);
-      sobj = 0;
-    }
-  }
-  return (PyObject *) sobj;
-}
-
-SWIGRUNTIME swig_type_info *
-PySwigPacked_UnpackData(PyObject *obj, void *ptr, size_t size)
-{
-  if (PySwigPacked_Check(obj)) {
-    PySwigPacked *sobj = (PySwigPacked *)obj;
-    if (sobj->size != size) return 0;
-    memcpy(ptr, sobj->pack, size);
-    return sobj->ty;
-  } else {
-    return 0;
-  }
-}
-
-/* -----------------------------------------------------------------------------
- * pointers/data manipulation
- * ----------------------------------------------------------------------------- */
-
-SWIGRUNTIMEINLINE PyObject *
-_SWIG_This(void)
-{
-  return PyString_FromString("this");
-}
-
-SWIGRUNTIME PyObject *
-SWIG_This(void)
-{
-  static PyObject *SWIG_STATIC_POINTER(swig_this) = _SWIG_This();
-  return swig_this;
-}
-
-/* #define SWIG_PYTHON_SLOW_GETSET_THIS */
-
-SWIGRUNTIME PySwigObject *
-SWIG_Python_GetSwigThis(PyObject *pyobj) 
-{
-  if (PySwigObject_Check(pyobj)) {
-    return (PySwigObject *) pyobj;
-  } else {
-    PyObject *obj = 0;
-#if (!defined(SWIG_PYTHON_SLOW_GETSET_THIS) && (PY_VERSION_HEX >= 0x02030000))
-    if (PyInstance_Check(pyobj)) {
-      obj = _PyInstance_Lookup(pyobj, SWIG_This());      
-    } else {
-      PyObject **dictptr = _PyObject_GetDictPtr(pyobj);
-      if (dictptr != NULL) {
-	PyObject *dict = *dictptr;
-	obj = dict ? PyDict_GetItem(dict, SWIG_This()) : 0;
-      } else {
-#ifdef PyWeakref_CheckProxy
-	if (PyWeakref_CheckProxy(pyobj)) {
-	  PyObject *wobj = PyWeakref_GET_OBJECT(pyobj);
-	  return wobj ? SWIG_Python_GetSwigThis(wobj) : 0;
-	}
-#endif
-	obj = PyObject_GetAttr(pyobj,SWIG_This());
-	if (obj) {
-	  Py_DECREF(obj);
-	} else {
-	  if (PyErr_Occurred()) PyErr_Clear();
-	  return 0;
-	}
-      }
-    }
-#else
-    obj = PyObject_GetAttr(pyobj,SWIG_This());
-    if (obj) {
-      Py_DECREF(obj);
-    } else {
-      if (PyErr_Occurred()) PyErr_Clear();
-      return 0;
-    }
-#endif
-    if (obj && !PySwigObject_Check(obj)) {
-      /* a PyObject is called 'this', try to get the 'real this'
-	 PySwigObject from it */ 
-      return SWIG_Python_GetSwigThis(obj);
-    }
-    return (PySwigObject *)obj;
-  }
-}
-
-/* Acquire a pointer value */
-
-SWIGRUNTIME int
-SWIG_Python_AcquirePtr(PyObject *obj, int own) {
-  if (own) {
-    PySwigObject *sobj = SWIG_Python_GetSwigThis(obj);
-    if (sobj) {
-      int oldown = sobj->own;
-      sobj->own = own;
-      return oldown;
-    }
-  }
-  return 0;
-}
-
-/* Convert a pointer value */
-
-SWIGRUNTIME int
-SWIG_Python_ConvertPtrAndOwn(PyObject *obj, void **ptr, swig_type_info *ty, int flags, int *own) {
-  if (!obj) return SWIG_ERROR;
-  if (obj == Py_None) {
-    if (ptr) *ptr = 0;
-    return SWIG_OK;
-  } else {
-    PySwigObject *sobj = SWIG_Python_GetSwigThis(obj);
-    while (sobj) {
-      void *vptr = sobj->ptr;
-      if (ty) {
-	swig_type_info *to = sobj->ty;
-	if (to == ty) {
-	  /* no type cast needed */
-	  if (ptr) *ptr = vptr;
-	  break;
-	} else {
-	  swig_cast_info *tc = SWIG_TypeCheck(to->name,ty);
-	  if (!tc) {
-	    sobj = (PySwigObject *)sobj->next;
-	  } else {
-	    if (ptr) *ptr = SWIG_TypeCast(tc,vptr);
-	    break;
-	  }
-	}
-      } else {
-	if (ptr) *ptr = vptr;
-	break;
-      }
-    }
-    if (sobj) {
-      if (own) *own = sobj->own;
-      if (flags & SWIG_POINTER_DISOWN) {
-	sobj->own = 0;
-      }
-      return SWIG_OK;
-    } else {
-      int res = SWIG_ERROR;
-      if (flags & SWIG_POINTER_IMPLICIT_CONV) {
-	PySwigClientData *data = ty ? (PySwigClientData *) ty->clientdata : 0;
-	if (data && !data->implicitconv) {
-	  PyObject *klass = data->klass;
-	  if (klass) {
-	    PyObject *impconv;
-	    data->implicitconv = 1; /* avoid recursion and call 'explicit' constructors*/
-	    impconv = SWIG_Python_CallFunctor(klass, obj);
-	    data->implicitconv = 0;
-	    if (PyErr_Occurred()) {
-	      PyErr_Clear();
-	      impconv = 0;
-	    }
-	    if (impconv) {
-	      PySwigObject *iobj = SWIG_Python_GetSwigThis(impconv);
-	      if (iobj) {
-		void *vptr;
-		res = SWIG_Python_ConvertPtrAndOwn((PyObject*)iobj, &vptr, ty, 0, 0);
-		if (SWIG_IsOK(res)) {
-		  if (ptr) {
-		    *ptr = vptr;
-		    /* transfer the ownership to 'ptr' */
-		    iobj->own = 0;
-		    res = SWIG_AddCast(res);
-		    res = SWIG_AddNewMask(res);
-		  } else {
-		    res = SWIG_AddCast(res);		    
-		  }
-		}
-	      }
-	      Py_DECREF(impconv);
-	    }
-	  }
-	}
-      }
-      return res;
-    }
-  }
-}
-
-/* Convert a function ptr value */
-
-SWIGRUNTIME int
-SWIG_Python_ConvertFunctionPtr(PyObject *obj, void **ptr, swig_type_info *ty) {
-  if (!PyCFunction_Check(obj)) {
-    return SWIG_ConvertPtr(obj, ptr, ty, 0);
-  } else {
-    void *vptr = 0;
-    
-    /* here we get the method pointer for callbacks */
-    const char *doc = (((PyCFunctionObject *)obj) -> m_ml -> ml_doc);
-    const char *desc = doc ? strstr(doc, "swig_ptr: ") : 0;
-    if (desc) {
-      desc = ty ? SWIG_UnpackVoidPtr(desc + 10, &vptr, ty->name) : 0;
-      if (!desc) return SWIG_ERROR;
-    }
-    if (ty) {
-      swig_cast_info *tc = SWIG_TypeCheck(desc,ty);
-      if (!tc) return SWIG_ERROR;
-      *ptr = SWIG_TypeCast(tc,vptr);
-    } else {
-      *ptr = vptr;
-    }
-    return SWIG_OK;
-  }
-}
-
-/* Convert a packed value value */
-
-SWIGRUNTIME int
-SWIG_Python_ConvertPacked(PyObject *obj, void *ptr, size_t sz, swig_type_info *ty) {
-  swig_type_info *to = PySwigPacked_UnpackData(obj, ptr, sz);
-  if (!to) return SWIG_ERROR;
-  if (ty) {
-    if (to != ty) {
-      /* check type cast? */
-      swig_cast_info *tc = SWIG_TypeCheck(to->name,ty);
-      if (!tc) return SWIG_ERROR;
-    }
-  }
-  return SWIG_OK;
-}  
-
-/* -----------------------------------------------------------------------------
- * Create a new pointer object
- * ----------------------------------------------------------------------------- */
-
-/*
-  Create a new instance object, whitout calling __init__, and set the
-  'this' attribute.
-*/
-
-SWIGRUNTIME PyObject* 
-SWIG_Python_NewShadowInstance(PySwigClientData *data, PyObject *swig_this)
-{
-#if (PY_VERSION_HEX >= 0x02020000)
-  PyObject *inst = 0;
-  PyObject *newraw = data->newraw;
-  if (newraw) {
-    inst = PyObject_Call(newraw, data->newargs, NULL);
-    if (inst) {
-#if !defined(SWIG_PYTHON_SLOW_GETSET_THIS)
-      PyObject **dictptr = _PyObject_GetDictPtr(inst);
-      if (dictptr != NULL) {
-	PyObject *dict = *dictptr;
-	if (dict == NULL) {
-	  dict = PyDict_New();
-	  *dictptr = dict;
-	  PyDict_SetItem(dict, SWIG_This(), swig_this);
-	}
-      }
-#else
-      PyObject *key = SWIG_This();
-      PyObject_SetAttr(inst, key, swig_this);
-#endif
-    }
-  } else {
-    PyObject *dict = PyDict_New();
-    PyDict_SetItem(dict, SWIG_This(), swig_this);
-    inst = PyInstance_NewRaw(data->newargs, dict);
-    Py_DECREF(dict);
-  }
-  return inst;
-#else
-#if (PY_VERSION_HEX >= 0x02010000)
-  PyObject *inst;
-  PyObject *dict = PyDict_New();
-  PyDict_SetItem(dict, SWIG_This(), swig_this);
-  inst = PyInstance_NewRaw(data->newargs, dict);
-  Py_DECREF(dict);
-  return (PyObject *) inst;
-#else
-  PyInstanceObject *inst = PyObject_NEW(PyInstanceObject, &PyInstance_Type);
-  if (inst == NULL) {
-    return NULL;
-  }
-  inst->in_class = (PyClassObject *)data->newargs;
-  Py_INCREF(inst->in_class);
-  inst->in_dict = PyDict_New();
-  if (inst->in_dict == NULL) {
-    Py_DECREF(inst);
-    return NULL;
-  }
-#ifdef Py_TPFLAGS_HAVE_WEAKREFS
-  inst->in_weakreflist = NULL;
-#endif
-#ifdef Py_TPFLAGS_GC
-  PyObject_GC_Init(inst);
-#endif
-  PyDict_SetItem(inst->in_dict, SWIG_This(), swig_this);
-  return (PyObject *) inst;
-#endif
-#endif
-}
-
-SWIGRUNTIME void
-SWIG_Python_SetSwigThis(PyObject *inst, PyObject *swig_this)
-{
- PyObject *dict;
-#if (PY_VERSION_HEX >= 0x02020000) && !defined(SWIG_PYTHON_SLOW_GETSET_THIS)
- PyObject **dictptr = _PyObject_GetDictPtr(inst);
- if (dictptr != NULL) {
-   dict = *dictptr;
-   if (dict == NULL) {
-     dict = PyDict_New();
-     *dictptr = dict;
-   }
-   PyDict_SetItem(dict, SWIG_This(), swig_this);
-   return;
- }
-#endif
- dict = PyObject_GetAttrString(inst, (char*)"__dict__");
- PyDict_SetItem(dict, SWIG_This(), swig_this);
- Py_DECREF(dict);
-} 
-
-
-SWIGINTERN PyObject *
-SWIG_Python_InitShadowInstance(PyObject *args) {
-  PyObject *obj[2];
-  if (!SWIG_Python_UnpackTuple(args,(char*)"swiginit", 2, 2, obj)) {
-    return NULL;
-  } else {
-    PySwigObject *sthis = SWIG_Python_GetSwigThis(obj[0]);
-    if (sthis) {
-      PySwigObject_append((PyObject*) sthis, obj[1]);
-    } else {
-      SWIG_Python_SetSwigThis(obj[0], obj[1]);
-    }
-    return SWIG_Py_Void();
-  }
-}
-
-/* Create a new pointer object */
-
-SWIGRUNTIME PyObject *
-SWIG_Python_NewPointerObj(void *ptr, swig_type_info *type, int flags) {
-  if (!ptr) {
-    return SWIG_Py_Void();
-  } else {
-    int own = (flags & SWIG_POINTER_OWN) ? SWIG_POINTER_OWN : 0;
-    PyObject *robj = PySwigObject_New(ptr, type, own);
-    PySwigClientData *clientdata = type ? (PySwigClientData *)(type->clientdata) : 0;
-    if (clientdata && !(flags & SWIG_POINTER_NOSHADOW)) {
-      PyObject *inst = SWIG_Python_NewShadowInstance(clientdata, robj);
-      if (inst) {
-	Py_DECREF(robj);
-	robj = inst;
-      }
-    }
-    return robj;
-  }
-}
-
-/* Create a new packed object */
-
-SWIGRUNTIMEINLINE PyObject *
-SWIG_Python_NewPackedObj(void *ptr, size_t sz, swig_type_info *type) {
-  return ptr ? PySwigPacked_New((void *) ptr, sz, type) : SWIG_Py_Void();
-}
-
-/* -----------------------------------------------------------------------------*
- *  Get type list 
- * -----------------------------------------------------------------------------*/
-
-#ifdef SWIG_LINK_RUNTIME
-void *SWIG_ReturnGlobalTypeList(void *);
-#endif
-
-SWIGRUNTIME swig_module_info *
-SWIG_Python_GetModule(void) {
-  static void *type_pointer = (void *)0;
-  /* first check if module already created */
-  if (!type_pointer) {
-#ifdef SWIG_LINK_RUNTIME
-    type_pointer = SWIG_ReturnGlobalTypeList((void *)0);
-#else
-    type_pointer = PyCObject_Import((char*)"swig_runtime_data" SWIG_RUNTIME_VERSION,
-				    (char*)"type_pointer" SWIG_TYPE_TABLE_NAME);
-    if (PyErr_Occurred()) {
-      PyErr_Clear();
-      type_pointer = (void *)0;
-    }
-#endif
-  }
-  return (swig_module_info *) type_pointer;
-}
-
-#if PY_MAJOR_VERSION < 2
-/* PyModule_AddObject function was introduced in Python 2.0.  The following function
-   is copied out of Python/modsupport.c in python version 2.3.4 */
-SWIGINTERN int
-PyModule_AddObject(PyObject *m, char *name, PyObject *o)
-{
-  PyObject *dict;
-  if (!PyModule_Check(m)) {
-    PyErr_SetString(PyExc_TypeError,
-		    "PyModule_AddObject() needs module as first arg");
-    return SWIG_ERROR;
-  }
-  if (!o) {
-    PyErr_SetString(PyExc_TypeError,
-		    "PyModule_AddObject() needs non-NULL value");
-    return SWIG_ERROR;
-  }
-  
-  dict = PyModule_GetDict(m);
-  if (dict == NULL) {
-    /* Internal error -- modules must have a dict! */
-    PyErr_Format(PyExc_SystemError, "module '%s' has no __dict__",
-		 PyModule_GetName(m));
-    return SWIG_ERROR;
-  }
-  if (PyDict_SetItemString(dict, name, o))
-    return SWIG_ERROR;
-  Py_DECREF(o);
-  return SWIG_OK;
-}
-#endif
-
-SWIGRUNTIME void
-SWIG_Python_DestroyModule(void *vptr)
-{
-  swig_module_info *swig_module = (swig_module_info *) vptr;
-  swig_type_info **types = swig_module->types;
-  size_t i;
-  for (i =0; i < swig_module->size; ++i) {
-    swig_type_info *ty = types[i];
-    if (ty->owndata) {
-      PySwigClientData *data = (PySwigClientData *) ty->clientdata;
-      if (data) PySwigClientData_Del(data);
-    }
-  }
-  Py_DECREF(SWIG_This());
-}
-
-SWIGRUNTIME void
-SWIG_Python_SetModule(swig_module_info *swig_module) {
-  static PyMethodDef swig_empty_runtime_method_table[] = { {NULL, NULL, 0, NULL} };/* Sentinel */
-
-  PyObject *module = Py_InitModule((char*)"swig_runtime_data" SWIG_RUNTIME_VERSION,
-				   swig_empty_runtime_method_table);
-  PyObject *pointer = PyCObject_FromVoidPtr((void *) swig_module, SWIG_Python_DestroyModule);
-  if (pointer && module) {
-    PyModule_AddObject(module, (char*)"type_pointer" SWIG_TYPE_TABLE_NAME, pointer);
-  } else {
-    Py_XDECREF(pointer);
-  }
-}
-
-/* The python cached type query */
-SWIGRUNTIME PyObject *
-SWIG_Python_TypeCache(void) {
-  static PyObject *SWIG_STATIC_POINTER(cache) = PyDict_New();
-  return cache;
-}
-
-SWIGRUNTIME swig_type_info *
-SWIG_Python_TypeQuery(const char *type)
-{
-  PyObject *cache = SWIG_Python_TypeCache();
-  PyObject *key = PyString_FromString(type); 
-  PyObject *obj = PyDict_GetItem(cache, key);
-  swig_type_info *descriptor;
-  if (obj) {
-    descriptor = (swig_type_info *) PyCObject_AsVoidPtr(obj);
-  } else {
-    swig_module_info *swig_module = SWIG_Python_GetModule();
-    descriptor = SWIG_TypeQueryModule(swig_module, swig_module, type);
-    if (descriptor) {
-      obj = PyCObject_FromVoidPtr(descriptor, NULL);
-      PyDict_SetItem(cache, key, obj);
-      Py_DECREF(obj);
-    }
-  }
-  Py_DECREF(key);
-  return descriptor;
-}
-
-/* 
-   For backward compatibility only
-*/
-#define SWIG_POINTER_EXCEPTION  0
-#define SWIG_arg_fail(arg)      SWIG_Python_ArgFail(arg)
-#define SWIG_MustGetPtr(p, type, argnum, flags)  SWIG_Python_MustGetPtr(p, type, argnum, flags)
-
-SWIGRUNTIME int
-SWIG_Python_AddErrMesg(const char* mesg, int infront)
-{
-  if (PyErr_Occurred()) {
-    PyObject *type = 0;
-    PyObject *value = 0;
-    PyObject *traceback = 0;
-    PyErr_Fetch(&type, &value, &traceback);
-    if (value) {
-      PyObject *old_str = PyObject_Str(value);
-      Py_XINCREF(type);
-      PyErr_Clear();
-      if (infront) {
-	PyErr_Format(type, "%s %s", mesg, PyString_AsString(old_str));
-      } else {
-	PyErr_Format(type, "%s %s", PyString_AsString(old_str), mesg);
-      }
-      Py_DECREF(old_str);
-    }
-    return 1;
-  } else {
-    return 0;
-  }
-}
-  
-SWIGRUNTIME int
-SWIG_Python_ArgFail(int argnum)
-{
-  if (PyErr_Occurred()) {
-    /* add information about failing argument */
-    char mesg[256];
-    PyOS_snprintf(mesg, sizeof(mesg), "argument number %d:", argnum);
-    return SWIG_Python_AddErrMesg(mesg, 1);
-  } else {
-    return 0;
-  }
-}
-
-SWIGRUNTIMEINLINE const char *
-PySwigObject_GetDesc(PyObject *self)
-{
-  PySwigObject *v = (PySwigObject *)self;
-  swig_type_info *ty = v ? v->ty : 0;
-  return ty ? ty->str : (char*)"";
-}
-
-SWIGRUNTIME void
-SWIG_Python_TypeError(const char *type, PyObject *obj)
-{
-  if (type) {
-#if defined(SWIG_COBJECT_TYPES)
-    if (obj && PySwigObject_Check(obj)) {
-      const char *otype = (const char *) PySwigObject_GetDesc(obj);
-      if (otype) {
-	PyErr_Format(PyExc_TypeError, "a '%s' is expected, 'PySwigObject(%s)' is received",
-		     type, otype);
-	return;
-      }
-    } else 
-#endif      
-    {
-      const char *otype = (obj ? obj->ob_type->tp_name : 0); 
-      if (otype) {
-	PyObject *str = PyObject_Str(obj);
-	const char *cstr = str ? PyString_AsString(str) : 0;
-	if (cstr) {
-	  PyErr_Format(PyExc_TypeError, "a '%s' is expected, '%s(%s)' is received",
-		       type, otype, cstr);
-	} else {
-	  PyErr_Format(PyExc_TypeError, "a '%s' is expected, '%s' is received",
-		       type, otype);
-	}
-	Py_XDECREF(str);
-	return;
-      }
-    }   
-    PyErr_Format(PyExc_TypeError, "a '%s' is expected", type);
-  } else {
-    PyErr_Format(PyExc_TypeError, "unexpected type is received");
-  }
-}
-
-
-/* Convert a pointer value, signal an exception on a type mismatch */
-SWIGRUNTIME void *
-SWIG_Python_MustGetPtr(PyObject *obj, swig_type_info *ty, int argnum, int flags) {
-  void *result;
-  if (SWIG_Python_ConvertPtr(obj, &result, ty, flags) == -1) {
-    PyErr_Clear();
-    if (flags & SWIG_POINTER_EXCEPTION) {
-      SWIG_Python_TypeError(SWIG_TypePrettyName(ty), obj);
-      SWIG_Python_ArgFail(argnum);
-    }
-  }
-  return result;
-}
-
-
-#ifdef __cplusplus
-#if 0
-{ /* cc-mode */
-#endif
-}
-#endif
-
-
-
-#define SWIG_exception_fail(code, msg) do { SWIG_Error(code, msg); SWIG_fail; } while(0) 
-
-#define SWIG_contract_assert(expr, msg) if (!(expr)) { SWIG_Error(SWIG_RuntimeError, msg); SWIG_fail; } else 
-
-
-
-/* -------- TYPES TABLE (BEGIN) -------- */
-
-#define SWIGTYPE_p_SubnetTree swig_types[0]
-#define SWIGTYPE_p_char swig_types[1]
-static swig_type_info *swig_types[3];
-static swig_module_info swig_module = {swig_types, 2, 0, 0, 0, 0};
-#define SWIG_TypeQuery(name) SWIG_TypeQueryModule(&swig_module, &swig_module, name)
-#define SWIG_MangledTypeQuery(name) SWIG_MangledTypeQueryModule(&swig_module, &swig_module, name)
-
-/* -------- TYPES TABLE (END) -------- */
-
-#if (PY_VERSION_HEX <= 0x02000000)
-# if !defined(SWIG_PYTHON_CLASSIC)
-#  error "This python version requires swig to be run with the '-classic' option"
-# endif
-#endif
-
-/*-----------------------------------------------
-              @(target):= _SubnetTree.so
-  ------------------------------------------------*/
-#define SWIG_init    init_SubnetTree
-
-#define SWIG_name    "_SubnetTree"
-
-#define SWIGVERSION 0x010331 
-#define SWIG_VERSION SWIGVERSION
-
-
-#define SWIG_as_voidptr(a) const_cast< void * >(static_cast< const void * >(a)) 
-#define SWIG_as_voidptrptr(a) ((void)SWIG_as_voidptr(*a),reinterpret_cast< void** >(a)) 
-
-
-#include <stdexcept>
-
-
-namespace swig {
-  class PyObject_ptr {
-  protected:
-    PyObject *_obj;
-
-  public:
-    PyObject_ptr() :_obj(0)
-    {
-    }
-
-    PyObject_ptr(const PyObject_ptr& item) : _obj(item._obj)
-    {
-      Py_XINCREF(_obj);      
-    }
-    
-    PyObject_ptr(PyObject *obj, bool initial_ref = true) :_obj(obj)
-    {
-      if (initial_ref) Py_XINCREF(_obj);
-    }
-    
-    PyObject_ptr & operator=(const PyObject_ptr& item) 
-    {
-      Py_XINCREF(item._obj);
-      Py_XDECREF(_obj);
-      _obj = item._obj;
-      return *this;      
-    }
-    
-    ~PyObject_ptr() 
-    {
-      Py_XDECREF(_obj);
-    }
-    
-    operator PyObject *() const
-    {
-      return _obj;
-    }
-
-    PyObject *operator->() const
-    {
-      return _obj;
-    }
-  };
-}
-
-
-namespace swig {
-  struct PyObject_var : PyObject_ptr {
-    PyObject_var(PyObject* obj = 0) : PyObject_ptr(obj, false) { }
-    
-    PyObject_var & operator = (PyObject* obj)
-    {
-      Py_XDECREF(_obj);
-      _obj = obj;
-      return *this;      
-    }
-  };
-}
-
-
-  #include "SubnetTree.h"
-
-
-SWIGINTERN swig_type_info*
-SWIG_pchar_descriptor(void)
-{
-  static int init = 0;
-  static swig_type_info* info = 0;
-  if (!init) {
-    info = SWIG_TypeQuery("_p_char");
-    init = 1;
-  }
-  return info;
-}
-
-
-SWIGINTERN int
-SWIG_AsCharPtrAndSize(PyObject *obj, char** cptr, size_t* psize, int *alloc)
-{
-  if (PyString_Check(obj)) {
-    char *cstr; Py_ssize_t len;
-    PyString_AsStringAndSize(obj, &cstr, &len);
-    if (cptr)  {
-      if (alloc) {
-	/* 
-	   In python the user should not be able to modify the inner
-	   string representation. To warranty that, if you define
-	   SWIG_PYTHON_SAFE_CSTRINGS, a new/copy of the python string
-	   buffer is always returned.
-
-	   The default behavior is just to return the pointer value,
-	   so, be careful.
-	*/ 
-#if defined(SWIG_PYTHON_SAFE_CSTRINGS)
-	if (*alloc != SWIG_OLDOBJ) 
-#else
-	if (*alloc == SWIG_NEWOBJ) 
-#endif
-	  {
-	    *cptr = reinterpret_cast< char* >(memcpy((new char[len + 1]), cstr, sizeof(char)*(len + 1)));
-	    *alloc = SWIG_NEWOBJ;
-	  }
-	else {
-	  *cptr = cstr;
-	  *alloc = SWIG_OLDOBJ;
-	}
-      } else {
-	*cptr = PyString_AsString(obj);
-      }
-    }
-    if (psize) *psize = len + 1;
-    return SWIG_OK;
-  } else {
-    swig_type_info* pchar_descriptor = SWIG_pchar_descriptor();
-    if (pchar_descriptor) {
-      void* vptr = 0;
-      if (SWIG_ConvertPtr(obj, &vptr, pchar_descriptor, 0) == SWIG_OK) {
-	if (cptr) *cptr = (char *) vptr;
-	if (psize) *psize = vptr ? (strlen((char *)vptr) + 1) : 0;
-	if (alloc) *alloc = SWIG_OLDOBJ;
-	return SWIG_OK;
-      }
-    }
-  }
-  return SWIG_TypeError;
-}
-
-
-
-
-
-SWIGINTERNINLINE PyObject*
-  SWIG_From_bool  (bool value)
-{
-  return PyBool_FromLong(value ? 1 : 0);
-}
-
-
-SWIGINTERN int
-SWIG_AsVal_double (PyObject *obj, double *val)
-{
-  int res = SWIG_TypeError;
-  if (PyFloat_Check(obj)) {
-    if (val) *val = PyFloat_AsDouble(obj);
-    return SWIG_OK;
-  } else if (PyInt_Check(obj)) {
-    if (val) *val = PyInt_AsLong(obj);
-    return SWIG_OK;
-  } else if (PyLong_Check(obj)) {
-    double v = PyLong_AsDouble(obj);
-    if (!PyErr_Occurred()) {
-      if (val) *val = v;
-      return SWIG_OK;
-    } else {
-      PyErr_Clear();
-    }
-  }
-#ifdef SWIG_PYTHON_CAST_MODE
-  {
-    int dispatch = 0;
-    double d = PyFloat_AsDouble(obj);
-    if (!PyErr_Occurred()) {
-      if (val) *val = d;
-      return SWIG_AddCast(SWIG_OK);
-    } else {
-      PyErr_Clear();
-    }
-    if (!dispatch) {
-      long v = PyLong_AsLong(obj);
-      if (!PyErr_Occurred()) {
-	if (val) *val = v;
-	return SWIG_AddCast(SWIG_AddCast(SWIG_OK));
-      } else {
-	PyErr_Clear();
-      }
-    }
-  }
-#endif
-  return res;
-}
-
-
-#include <float.h>
-
-
-#include <math.h>
-
-
-SWIGINTERNINLINE int
-SWIG_CanCastAsInteger(double *d, double min, double max) {
-  double x = *d;
-  if ((min <= x && x <= max)) {
-   double fx = floor(x);
-   double cx = ceil(x);
-   double rd =  ((x - fx) < 0.5) ? fx : cx; /* simple rint */
-   if ((errno == EDOM) || (errno == ERANGE)) {
-     errno = 0;
-   } else {
-     double summ, reps, diff;
-     if (rd < x) {
-       diff = x - rd;
-     } else if (rd > x) {
-       diff = rd - x;
-     } else {
-       return 1;
-     }
-     summ = rd + x;
-     reps = diff/summ;
-     if (reps < 8*DBL_EPSILON) {
-       *d = rd;
-       return 1;
-     }
-   }
-  }
-  return 0;
-}
-
-
-SWIGINTERN int
-SWIG_AsVal_unsigned_SS_long (PyObject *obj, unsigned long *val) 
-{
-  if (PyInt_Check(obj)) {
-    long v = PyInt_AsLong(obj);
-    if (v >= 0) {
-      if (val) *val = v;
-      return SWIG_OK;
-    } else {
-      return SWIG_OverflowError;
-    }
-  } else if (PyLong_Check(obj)) {
-    unsigned long v = PyLong_AsUnsignedLong(obj);
-    if (!PyErr_Occurred()) {
-      if (val) *val = v;
-      return SWIG_OK;
-    } else {
-      PyErr_Clear();
-    }
-  }
-#ifdef SWIG_PYTHON_CAST_MODE
-  {
-    int dispatch = 0;
-    unsigned long v = PyLong_AsUnsignedLong(obj);
-    if (!PyErr_Occurred()) {
-      if (val) *val = v;
-      return SWIG_AddCast(SWIG_OK);
-    } else {
-      PyErr_Clear();
-    }
-    if (!dispatch) {
-      double d;
-      int res = SWIG_AddCast(SWIG_AsVal_double (obj,&d));
-      if (SWIG_IsOK(res) && SWIG_CanCastAsInteger(&d, 0, ULONG_MAX)) {
-	if (val) *val = (unsigned long)(d);
-	return res;
-      }
-    }
-  }
-#endif
-  return SWIG_TypeError;
-}
-
-
-#include <limits.h>
-#ifndef LLONG_MIN
-# define LLONG_MIN	LONG_LONG_MIN
-#endif
-#ifndef LLONG_MAX
-# define LLONG_MAX	LONG_LONG_MAX
-#endif
-#ifndef ULLONG_MAX
-# define ULLONG_MAX	ULONG_LONG_MAX
-#endif
-
-
-SWIGINTERN int
-SWIG_AsVal_unsigned_SS_short (PyObject * obj, unsigned short *val)
-{
-  unsigned long v;
-  int res = SWIG_AsVal_unsigned_SS_long (obj, &v);
-  if (SWIG_IsOK(res)) {
-    if ((v > USHRT_MAX)) {
-      return SWIG_OverflowError;
-    } else {
-      if (val) *val = static_cast< unsigned short >(v);
-    }
-  }  
-  return res;
-}
-
-
-SWIGINTERN int
-SWIG_AsVal_long (PyObject *obj, long* val)
-{
-  if (PyInt_Check(obj)) {
-    if (val) *val = PyInt_AsLong(obj);
-    return SWIG_OK;
-  } else if (PyLong_Check(obj)) {
-    long v = PyLong_AsLong(obj);
-    if (!PyErr_Occurred()) {
-      if (val) *val = v;
-      return SWIG_OK;
-    } else {
-      PyErr_Clear();
-    }
-  }
-#ifdef SWIG_PYTHON_CAST_MODE
-  {
-    int dispatch = 0;
-    long v = PyInt_AsLong(obj);
-    if (!PyErr_Occurred()) {
-      if (val) *val = v;
-      return SWIG_AddCast(SWIG_OK);
-    } else {
-      PyErr_Clear();
-    }
-    if (!dispatch) {
-      double d;
-      int res = SWIG_AddCast(SWIG_AsVal_double (obj,&d));
-      if (SWIG_IsOK(res) && SWIG_CanCastAsInteger(&d, LONG_MIN, LONG_MAX)) {
-	if (val) *val = (long)(d);
-	return res;
-      }
-    }
-  }
-#endif
-  return SWIG_TypeError;
-}
-
-
-SWIGINTERN int
-SWIG_AsVal_int (PyObject * obj, int *val)
-{
-  long v;
-  int res = SWIG_AsVal_long (obj, &v);
-  if (SWIG_IsOK(res)) {
-    if ((v < INT_MIN || v > INT_MAX)) {
-      return SWIG_OverflowError;
-    } else {
-      if (val) *val = static_cast< int >(v);
-    }
-  }  
-  return res;
-}
-
-SWIGINTERN PyObject *SubnetTree___contains____SWIG_0(SubnetTree *self,char *cidr,int size){
-           if ( ! cidr ) {
-               PyErr_SetString(PyExc_TypeError, "index must be string");
-               return 0;
-           }
-               
-           PyObject* obj = self->lookup(cidr, size);
-           if ( obj )
-               Py_DECREF(obj);
-           
-           if ( obj != 0 )
-               Py_RETURN_TRUE;
-           else
-               Py_RETURN_FALSE;
-       }
-SWIGINTERN bool SubnetTree___contains____SWIG_1(SubnetTree *self,unsigned long addr){
-           return self->lookup(addr);
-       }
-SWIGINTERN PyObject *SubnetTree___getitem__(SubnetTree *self,char *cidr,int size){
-           if ( ! cidr ) {
-               PyErr_SetString(PyExc_TypeError, "index must be string");
-               return 0;
-           }
-           
-           PyObject* data = self->lookup(cidr, size);
-           if ( ! data ) {
-               PyErr_SetString(PyExc_KeyError, cidr ? cidr : "None");
-               return 0;
-           }
-           
-           return data;
-       }
-SWIGINTERN PyObject *SubnetTree___setitem__(SubnetTree *self,char const *cidr,PyObject *data){
-           if ( ! cidr ) {
-               PyErr_SetString(PyExc_TypeError, "index must be string");
-               return 0; 
-           }
-           
-           if ( ! self->insert(cidr, data) ) {
-               PyErr_SetString(PyExc_IndexError, "cannot insert network");
-               return 0;
-           }
-           
-           return PyInt_FromLong(1);
-       }
-SWIGINTERN PyObject *SubnetTree___delitem__(SubnetTree *self,char const *cidr){
-           if ( ! cidr ) {
-               PyErr_SetString(PyExc_TypeError, "index must be string");
-               return 0; 
-           }
-           
-           if ( ! self->remove(cidr) ) {
-               PyErr_SetString(PyExc_IndexError, "cannot remove network");
-               return 0;
-           }
-           
-           return PyInt_FromLong(1);
-       }
-#ifdef __cplusplus
-extern "C" {
-#endif
-SWIGINTERN PyObject *_wrap_new_SubnetTree(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
-  PyObject *resultobj = 0;
-  SubnetTree *result = 0 ;
-  
-  if (!PyArg_ParseTuple(args,(char *)":new_SubnetTree")) SWIG_fail;
-  result = (SubnetTree *)new SubnetTree();
-  resultobj = SWIG_NewPointerObj(SWIG_as_voidptr(result), SWIGTYPE_p_SubnetTree, SWIG_POINTER_NEW |  0 );
-  return resultobj;
-fail:
-  return NULL;
-}
-
-
-SWIGINTERN PyObject *_wrap_delete_SubnetTree(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
-  PyObject *resultobj = 0;
-  SubnetTree *arg1 = (SubnetTree *) 0 ;
-  void *argp1 = 0 ;
-  int res1 = 0 ;
-  PyObject * obj0 = 0 ;
-  
-  if (!PyArg_ParseTuple(args,(char *)"O:delete_SubnetTree",&obj0)) SWIG_fail;
-  res1 = SWIG_ConvertPtr(obj0, &argp1,SWIGTYPE_p_SubnetTree, SWIG_POINTER_DISOWN |  0 );
-  if (!SWIG_IsOK(res1)) {
-    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "delete_SubnetTree" "', argument " "1"" of type '" "SubnetTree *""'"); 
-  }
-  arg1 = reinterpret_cast< SubnetTree * >(argp1);
-  delete arg1;
-  
-  resultobj = SWIG_Py_Void();
-  return resultobj;
-fail:
-  return NULL;
-}
-
-
-SWIGINTERN PyObject *_wrap_SubnetTree_insert__SWIG_0(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
-  PyObject *resultobj = 0;
-  SubnetTree *arg1 = (SubnetTree *) 0 ;
-  char *arg2 = (char *) 0 ;
-  PyObject *arg3 = (PyObject *) 0 ;
-  bool result;
-  void *argp1 = 0 ;
-  int res1 = 0 ;
-  int res2 ;
-  char *buf2 = 0 ;
-  int alloc2 = 0 ;
-  PyObject * obj0 = 0 ;
-  PyObject * obj1 = 0 ;
-  PyObject * obj2 = 0 ;
-  
-  if (!PyArg_ParseTuple(args,(char *)"OOO:SubnetTree_insert",&obj0,&obj1,&obj2)) SWIG_fail;
-  res1 = SWIG_ConvertPtr(obj0, &argp1,SWIGTYPE_p_SubnetTree, 0 |  0 );
-  if (!SWIG_IsOK(res1)) {
-    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "SubnetTree_insert" "', argument " "1"" of type '" "SubnetTree *""'"); 
-  }
-  arg1 = reinterpret_cast< SubnetTree * >(argp1);
-  res2 = SWIG_AsCharPtrAndSize(obj1, &buf2, NULL, &alloc2);
-  if (!SWIG_IsOK(res2)) {
-    SWIG_exception_fail(SWIG_ArgError(res2), "in method '" "SubnetTree_insert" "', argument " "2"" of type '" "char const *""'");
-  }
-  arg2 = reinterpret_cast< char * >(buf2);
-  arg3 = obj2;
-  result = (bool)(arg1)->insert((char const *)arg2,arg3);
-  resultobj = SWIG_From_bool(static_cast< bool >(result));
-  if (alloc2 == SWIG_NEWOBJ) delete[] buf2;
-  return resultobj;
-fail:
-  if (alloc2 == SWIG_NEWOBJ) delete[] buf2;
-  return NULL;
-}
-
-
-SWIGINTERN PyObject *_wrap_SubnetTree_insert__SWIG_1(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
-  PyObject *resultobj = 0;
-  SubnetTree *arg1 = (SubnetTree *) 0 ;
-  char *arg2 = (char *) 0 ;
-  bool result;
-  void *argp1 = 0 ;
-  int res1 = 0 ;
-  int res2 ;
-  char *buf2 = 0 ;
-  int alloc2 = 0 ;
-  PyObject * obj0 = 0 ;
-  PyObject * obj1 = 0 ;
-  
-  if (!PyArg_ParseTuple(args,(char *)"OO:SubnetTree_insert",&obj0,&obj1)) SWIG_fail;
-  res1 = SWIG_ConvertPtr(obj0, &argp1,SWIGTYPE_p_SubnetTree, 0 |  0 );
-  if (!SWIG_IsOK(res1)) {
-    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "SubnetTree_insert" "', argument " "1"" of type '" "SubnetTree *""'"); 
-  }
-  arg1 = reinterpret_cast< SubnetTree * >(argp1);
-  res2 = SWIG_AsCharPtrAndSize(obj1, &buf2, NULL, &alloc2);
-  if (!SWIG_IsOK(res2)) {
-    SWIG_exception_fail(SWIG_ArgError(res2), "in method '" "SubnetTree_insert" "', argument " "2"" of type '" "char const *""'");
-  }
-  arg2 = reinterpret_cast< char * >(buf2);
-  result = (bool)(arg1)->insert((char const *)arg2);
-  resultobj = SWIG_From_bool(static_cast< bool >(result));
-  if (alloc2 == SWIG_NEWOBJ) delete[] buf2;
-  return resultobj;
-fail:
-  if (alloc2 == SWIG_NEWOBJ) delete[] buf2;
-  return NULL;
-}
-
-
-SWIGINTERN PyObject *_wrap_SubnetTree_insert__SWIG_2(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
-  PyObject *resultobj = 0;
-  SubnetTree *arg1 = (SubnetTree *) 0 ;
-  unsigned long arg2 ;
-  unsigned short arg3 ;
-  PyObject *arg4 = (PyObject *) 0 ;
-  bool result;
-  void *argp1 = 0 ;
-  int res1 = 0 ;
-  unsigned long val2 ;
-  int ecode2 = 0 ;
-  unsigned short val3 ;
-  int ecode3 = 0 ;
-  PyObject * obj0 = 0 ;
-  PyObject * obj1 = 0 ;
-  PyObject * obj2 = 0 ;
-  PyObject * obj3 = 0 ;
-  
-  if (!PyArg_ParseTuple(args,(char *)"OOOO:SubnetTree_insert",&obj0,&obj1,&obj2,&obj3)) SWIG_fail;
-  res1 = SWIG_ConvertPtr(obj0, &argp1,SWIGTYPE_p_SubnetTree, 0 |  0 );
-  if (!SWIG_IsOK(res1)) {
-    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "SubnetTree_insert" "', argument " "1"" of type '" "SubnetTree *""'"); 
-  }
-  arg1 = reinterpret_cast< SubnetTree * >(argp1);
-  ecode2 = SWIG_AsVal_unsigned_SS_long(obj1, &val2);
-  if (!SWIG_IsOK(ecode2)) {
-    SWIG_exception_fail(SWIG_ArgError(ecode2), "in method '" "SubnetTree_insert" "', argument " "2"" of type '" "unsigned long""'");
-  } 
-  arg2 = static_cast< unsigned long >(val2);
-  ecode3 = SWIG_AsVal_unsigned_SS_short(obj2, &val3);
-  if (!SWIG_IsOK(ecode3)) {
-    SWIG_exception_fail(SWIG_ArgError(ecode3), "in method '" "SubnetTree_insert" "', argument " "3"" of type '" "unsigned short""'");
-  } 
-  arg3 = static_cast< unsigned short >(val3);
-  arg4 = obj3;
-  result = (bool)(arg1)->insert(arg2,arg3,arg4);
-  resultobj = SWIG_From_bool(static_cast< bool >(result));
-  return resultobj;
-fail:
-  return NULL;
-}
-
-
-SWIGINTERN PyObject *_wrap_SubnetTree_insert__SWIG_3(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
-  PyObject *resultobj = 0;
-  SubnetTree *arg1 = (SubnetTree *) 0 ;
-  unsigned long arg2 ;
-  unsigned short arg3 ;
-  bool result;
-  void *argp1 = 0 ;
-  int res1 = 0 ;
-  unsigned long val2 ;
-  int ecode2 = 0 ;
-  unsigned short val3 ;
-  int ecode3 = 0 ;
-  PyObject * obj0 = 0 ;
-  PyObject * obj1 = 0 ;
-  PyObject * obj2 = 0 ;
-  
-  if (!PyArg_ParseTuple(args,(char *)"OOO:SubnetTree_insert",&obj0,&obj1,&obj2)) SWIG_fail;
-  res1 = SWIG_ConvertPtr(obj0, &argp1,SWIGTYPE_p_SubnetTree, 0 |  0 );
-  if (!SWIG_IsOK(res1)) {
-    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "SubnetTree_insert" "', argument " "1"" of type '" "SubnetTree *""'"); 
-  }
-  arg1 = reinterpret_cast< SubnetTree * >(argp1);
-  ecode2 = SWIG_AsVal_unsigned_SS_long(obj1, &val2);
-  if (!SWIG_IsOK(ecode2)) {
-    SWIG_exception_fail(SWIG_ArgError(ecode2), "in method '" "SubnetTree_insert" "', argument " "2"" of type '" "unsigned long""'");
-  } 
-  arg2 = static_cast< unsigned long >(val2);
-  ecode3 = SWIG_AsVal_unsigned_SS_short(obj2, &val3);
-  if (!SWIG_IsOK(ecode3)) {
-    SWIG_exception_fail(SWIG_ArgError(ecode3), "in method '" "SubnetTree_insert" "', argument " "3"" of type '" "unsigned short""'");
-  } 
-  arg3 = static_cast< unsigned short >(val3);
-  result = (bool)(arg1)->insert(arg2,arg3);
-  resultobj = SWIG_From_bool(static_cast< bool >(result));
-  return resultobj;
-fail:
-  return NULL;
-}
-
-
-SWIGINTERN PyObject *_wrap_SubnetTree_insert(PyObject *self, PyObject *args) {
-  int argc;
-  PyObject *argv[5];
-  int ii;
-  
-  if (!PyTuple_Check(args)) SWIG_fail;
-  argc = PyObject_Length(args);
-  for (ii = 0; (ii < argc) && (ii < 4); ii++) {
-    argv[ii] = PyTuple_GET_ITEM(args,ii);
-  }
-  if (argc == 2) {
-    int _v;
-    void *vptr = 0;
-    int res = SWIG_ConvertPtr(argv[0], &vptr, SWIGTYPE_p_SubnetTree, 0);
-    _v = SWIG_CheckState(res);
-    if (_v) {
-      int res = SWIG_AsCharPtrAndSize(argv[1], 0, NULL, 0);
-      _v = SWIG_CheckState(res);
-      if (_v) {
-        return _wrap_SubnetTree_insert__SWIG_1(self, args);
-      }
-    }
-  }
-  if (argc == 3) {
-    int _v;
-    void *vptr = 0;
-    int res = SWIG_ConvertPtr(argv[0], &vptr, SWIGTYPE_p_SubnetTree, 0);
-    _v = SWIG_CheckState(res);
-    if (_v) {
-      {
-        int res = SWIG_AsVal_unsigned_SS_long(argv[1], NULL);
-        _v = SWIG_CheckState(res);
-      }
-      if (_v) {
-        {
-          int res = SWIG_AsVal_unsigned_SS_short(argv[2], NULL);
-          _v = SWIG_CheckState(res);
-        }
-        if (_v) {
-          return _wrap_SubnetTree_insert__SWIG_3(self, args);
-        }
-      }
-    }
-  }
-  if (argc == 3) {
-    int _v;
-    void *vptr = 0;
-    int res = SWIG_ConvertPtr(argv[0], &vptr, SWIGTYPE_p_SubnetTree, 0);
-    _v = SWIG_CheckState(res);
-    if (_v) {
-      int res = SWIG_AsCharPtrAndSize(argv[1], 0, NULL, 0);
-      _v = SWIG_CheckState(res);
-      if (_v) {
-        _v = (argv[2] != 0);
-        if (_v) {
-          return _wrap_SubnetTree_insert__SWIG_0(self, args);
-        }
-      }
-    }
-  }
-  if (argc == 4) {
-    int _v;
-    void *vptr = 0;
-    int res = SWIG_ConvertPtr(argv[0], &vptr, SWIGTYPE_p_SubnetTree, 0);
-    _v = SWIG_CheckState(res);
-    if (_v) {
-      {
-        int res = SWIG_AsVal_unsigned_SS_long(argv[1], NULL);
-        _v = SWIG_CheckState(res);
-      }
-      if (_v) {
-        {
-          int res = SWIG_AsVal_unsigned_SS_short(argv[2], NULL);
-          _v = SWIG_CheckState(res);
-        }
-        if (_v) {
-          _v = (argv[3] != 0);
-          if (_v) {
-            return _wrap_SubnetTree_insert__SWIG_2(self, args);
-          }
-        }
-      }
-    }
-  }
-  
-fail:
-  SWIG_SetErrorMsg(PyExc_NotImplementedError,"Wrong number of arguments for overloaded function 'SubnetTree_insert'.\n  Possible C/C++ prototypes are:\n    insert(char const *,PyObject *)\n    insert(char const *)\n    insert(unsigned long,unsigned short,PyObject *)\n    insert(unsigned long,unsigned short)\n");
-  return NULL;
-}
-
-
-SWIGINTERN PyObject *_wrap_SubnetTree_remove__SWIG_0(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
-  PyObject *resultobj = 0;
-  SubnetTree *arg1 = (SubnetTree *) 0 ;
-  char *arg2 = (char *) 0 ;
-  bool result;
-  void *argp1 = 0 ;
-  int res1 = 0 ;
-  int res2 ;
-  char *buf2 = 0 ;
-  int alloc2 = 0 ;
-  PyObject * obj0 = 0 ;
-  PyObject * obj1 = 0 ;
-  
-  if (!PyArg_ParseTuple(args,(char *)"OO:SubnetTree_remove",&obj0,&obj1)) SWIG_fail;
-  res1 = SWIG_ConvertPtr(obj0, &argp1,SWIGTYPE_p_SubnetTree, 0 |  0 );
-  if (!SWIG_IsOK(res1)) {
-    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "SubnetTree_remove" "', argument " "1"" of type '" "SubnetTree *""'"); 
-  }
-  arg1 = reinterpret_cast< SubnetTree * >(argp1);
-  res2 = SWIG_AsCharPtrAndSize(obj1, &buf2, NULL, &alloc2);
-  if (!SWIG_IsOK(res2)) {
-    SWIG_exception_fail(SWIG_ArgError(res2), "in method '" "SubnetTree_remove" "', argument " "2"" of type '" "char const *""'");
-  }
-  arg2 = reinterpret_cast< char * >(buf2);
-  result = (bool)(arg1)->remove((char const *)arg2);
-  resultobj = SWIG_From_bool(static_cast< bool >(result));
-  if (alloc2 == SWIG_NEWOBJ) delete[] buf2;
-  return resultobj;
-fail:
-  if (alloc2 == SWIG_NEWOBJ) delete[] buf2;
-  return NULL;
-}
-
-
-SWIGINTERN PyObject *_wrap_SubnetTree_remove__SWIG_1(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
-  PyObject *resultobj = 0;
-  SubnetTree *arg1 = (SubnetTree *) 0 ;
-  unsigned long arg2 ;
-  unsigned short arg3 ;
-  bool result;
-  void *argp1 = 0 ;
-  int res1 = 0 ;
-  unsigned long val2 ;
-  int ecode2 = 0 ;
-  unsigned short val3 ;
-  int ecode3 = 0 ;
-  PyObject * obj0 = 0 ;
-  PyObject * obj1 = 0 ;
-  PyObject * obj2 = 0 ;
-  
-  if (!PyArg_ParseTuple(args,(char *)"OOO:SubnetTree_remove",&obj0,&obj1,&obj2)) SWIG_fail;
-  res1 = SWIG_ConvertPtr(obj0, &argp1,SWIGTYPE_p_SubnetTree, 0 |  0 );
-  if (!SWIG_IsOK(res1)) {
-    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "SubnetTree_remove" "', argument " "1"" of type '" "SubnetTree *""'"); 
-  }
-  arg1 = reinterpret_cast< SubnetTree * >(argp1);
-  ecode2 = SWIG_AsVal_unsigned_SS_long(obj1, &val2);
-  if (!SWIG_IsOK(ecode2)) {
-    SWIG_exception_fail(SWIG_ArgError(ecode2), "in method '" "SubnetTree_remove" "', argument " "2"" of type '" "unsigned long""'");
-  } 
-  arg2 = static_cast< unsigned long >(val2);
-  ecode3 = SWIG_AsVal_unsigned_SS_short(obj2, &val3);
-  if (!SWIG_IsOK(ecode3)) {
-    SWIG_exception_fail(SWIG_ArgError(ecode3), "in method '" "SubnetTree_remove" "', argument " "3"" of type '" "unsigned short""'");
-  } 
-  arg3 = static_cast< unsigned short >(val3);
-  result = (bool)(arg1)->remove(arg2,arg3);
-  resultobj = SWIG_From_bool(static_cast< bool >(result));
-  return resultobj;
-fail:
-  return NULL;
-}
-
-
-SWIGINTERN PyObject *_wrap_SubnetTree_remove(PyObject *self, PyObject *args) {
-  int argc;
-  PyObject *argv[4];
-  int ii;
-  
-  if (!PyTuple_Check(args)) SWIG_fail;
-  argc = PyObject_Length(args);
-  for (ii = 0; (ii < argc) && (ii < 3); ii++) {
-    argv[ii] = PyTuple_GET_ITEM(args,ii);
-  }
-  if (argc == 2) {
-    int _v;
-    void *vptr = 0;
-    int res = SWIG_ConvertPtr(argv[0], &vptr, SWIGTYPE_p_SubnetTree, 0);
-    _v = SWIG_CheckState(res);
-    if (_v) {
-      int res = SWIG_AsCharPtrAndSize(argv[1], 0, NULL, 0);
-      _v = SWIG_CheckState(res);
-      if (_v) {
-        return _wrap_SubnetTree_remove__SWIG_0(self, args);
-      }
-    }
-  }
-  if (argc == 3) {
-    int _v;
-    void *vptr = 0;
-    int res = SWIG_ConvertPtr(argv[0], &vptr, SWIGTYPE_p_SubnetTree, 0);
-    _v = SWIG_CheckState(res);
-    if (_v) {
-      {
-        int res = SWIG_AsVal_unsigned_SS_long(argv[1], NULL);
-        _v = SWIG_CheckState(res);
-      }
-      if (_v) {
-        {
-          int res = SWIG_AsVal_unsigned_SS_short(argv[2], NULL);
-          _v = SWIG_CheckState(res);
-        }
-        if (_v) {
-          return _wrap_SubnetTree_remove__SWIG_1(self, args);
-        }
-      }
-    }
-  }
-  
-fail:
-  SWIG_SetErrorMsg(PyExc_NotImplementedError,"Wrong number of arguments for overloaded function 'SubnetTree_remove'.\n  Possible C/C++ prototypes are:\n    remove(char const *)\n    remove(unsigned long,unsigned short)\n");
-  return NULL;
-}
-
-
-SWIGINTERN PyObject *_wrap_SubnetTree_lookup__SWIG_0(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
-  PyObject *resultobj = 0;
-  SubnetTree *arg1 = (SubnetTree *) 0 ;
-  char *arg2 = (char *) 0 ;
-  int arg3 ;
-  PyObject *result = 0 ;
-  void *argp1 = 0 ;
-  int res1 = 0 ;
-  int res2 ;
-  char *buf2 = 0 ;
-  int alloc2 = 0 ;
-  int val3 ;
-  int ecode3 = 0 ;
-  PyObject * obj0 = 0 ;
-  PyObject * obj1 = 0 ;
-  PyObject * obj2 = 0 ;
-  
-  if (!PyArg_ParseTuple(args,(char *)"OOO:SubnetTree_lookup",&obj0,&obj1,&obj2)) SWIG_fail;
-  res1 = SWIG_ConvertPtr(obj0, &argp1,SWIGTYPE_p_SubnetTree, 0 |  0 );
-  if (!SWIG_IsOK(res1)) {
-    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "SubnetTree_lookup" "', argument " "1"" of type '" "SubnetTree const *""'"); 
-  }
-  arg1 = reinterpret_cast< SubnetTree * >(argp1);
-  res2 = SWIG_AsCharPtrAndSize(obj1, &buf2, NULL, &alloc2);
-  if (!SWIG_IsOK(res2)) {
-    SWIG_exception_fail(SWIG_ArgError(res2), "in method '" "SubnetTree_lookup" "', argument " "2"" of type '" "char const *""'");
-  }
-  arg2 = reinterpret_cast< char * >(buf2);
-  ecode3 = SWIG_AsVal_int(obj2, &val3);
-  if (!SWIG_IsOK(ecode3)) {
-    SWIG_exception_fail(SWIG_ArgError(ecode3), "in method '" "SubnetTree_lookup" "', argument " "3"" of type '" "int""'");
-  } 
-  arg3 = static_cast< int >(val3);
-  result = (PyObject *)((SubnetTree const *)arg1)->lookup((char const *)arg2,arg3);
-  resultobj = result;
-  if (alloc2 == SWIG_NEWOBJ) delete[] buf2;
-  return resultobj;
-fail:
-  if (alloc2 == SWIG_NEWOBJ) delete[] buf2;
-  return NULL;
-}
-
-
-SWIGINTERN PyObject *_wrap_SubnetTree_lookup__SWIG_1(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
-  PyObject *resultobj = 0;
-  SubnetTree *arg1 = (SubnetTree *) 0 ;
-  unsigned long arg2 ;
-  PyObject *result = 0 ;
-  void *argp1 = 0 ;
-  int res1 = 0 ;
-  unsigned long val2 ;
-  int ecode2 = 0 ;
-  PyObject * obj0 = 0 ;
-  PyObject * obj1 = 0 ;
-  
-  if (!PyArg_ParseTuple(args,(char *)"OO:SubnetTree_lookup",&obj0,&obj1)) SWIG_fail;
-  res1 = SWIG_ConvertPtr(obj0, &argp1,SWIGTYPE_p_SubnetTree, 0 |  0 );
-  if (!SWIG_IsOK(res1)) {
-    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "SubnetTree_lookup" "', argument " "1"" of type '" "SubnetTree const *""'"); 
-  }
-  arg1 = reinterpret_cast< SubnetTree * >(argp1);
-  ecode2 = SWIG_AsVal_unsigned_SS_long(obj1, &val2);
-  if (!SWIG_IsOK(ecode2)) {
-    SWIG_exception_fail(SWIG_ArgError(ecode2), "in method '" "SubnetTree_lookup" "', argument " "2"" of type '" "unsigned long""'");
-  } 
-  arg2 = static_cast< unsigned long >(val2);
-  result = (PyObject *)((SubnetTree const *)arg1)->lookup(arg2);
-  resultobj = result;
-  return resultobj;
-fail:
-  return NULL;
-}
-
-
-SWIGINTERN PyObject *_wrap_SubnetTree_lookup(PyObject *self, PyObject *args) {
-  int argc;
-  PyObject *argv[4];
-  int ii;
-  
-  if (!PyTuple_Check(args)) SWIG_fail;
-  argc = PyObject_Length(args);
-  for (ii = 0; (ii < argc) && (ii < 3); ii++) {
-    argv[ii] = PyTuple_GET_ITEM(args,ii);
-  }
-  if (argc == 2) {
-    int _v;
-    void *vptr = 0;
-    int res = SWIG_ConvertPtr(argv[0], &vptr, SWIGTYPE_p_SubnetTree, 0);
-    _v = SWIG_CheckState(res);
-    if (_v) {
-      {
-        int res = SWIG_AsVal_unsigned_SS_long(argv[1], NULL);
-        _v = SWIG_CheckState(res);
-      }
-      if (_v) {
-        return _wrap_SubnetTree_lookup__SWIG_1(self, args);
-      }
-    }
-  }
-  if (argc == 3) {
-    int _v;
-    void *vptr = 0;
-    int res = SWIG_ConvertPtr(argv[0], &vptr, SWIGTYPE_p_SubnetTree, 0);
-    _v = SWIG_CheckState(res);
-    if (_v) {
-      int res = SWIG_AsCharPtrAndSize(argv[1], 0, NULL, 0);
-      _v = SWIG_CheckState(res);
-      if (_v) {
-        {
-          int res = SWIG_AsVal_int(argv[2], NULL);
-          _v = SWIG_CheckState(res);
-        }
-        if (_v) {
-          return _wrap_SubnetTree_lookup__SWIG_0(self, args);
-        }
-      }
-    }
-  }
-  
-fail:
-  SWIG_SetErrorMsg(PyExc_NotImplementedError,"Wrong number of arguments for overloaded function 'SubnetTree_lookup'.\n  Possible C/C++ prototypes are:\n    lookup(char const *,int)\n    lookup(unsigned long)\n");
-  return NULL;
-}
-
-
-SWIGINTERN PyObject *_wrap_SubnetTree___contains____SWIG_0(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
-  PyObject *resultobj = 0;
-  SubnetTree *arg1 = (SubnetTree *) 0 ;
-  char *arg2 = (char *) 0 ;
-  int arg3 ;
-  PyObject *result = 0 ;
-  void *argp1 = 0 ;
-  int res1 = 0 ;
-  int res2 ;
-  char *buf2 = 0 ;
-  size_t size2 = 0 ;
-  int alloc2 = 0 ;
-  PyObject * obj0 = 0 ;
-  PyObject * obj1 = 0 ;
-  
-  if (!PyArg_ParseTuple(args,(char *)"OO:SubnetTree___contains__",&obj0,&obj1)) SWIG_fail;
-  res1 = SWIG_ConvertPtr(obj0, &argp1,SWIGTYPE_p_SubnetTree, 0 |  0 );
-  if (!SWIG_IsOK(res1)) {
-    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "SubnetTree___contains__" "', argument " "1"" of type '" "SubnetTree *""'"); 
-  }
-  arg1 = reinterpret_cast< SubnetTree * >(argp1);
-  res2 = SWIG_AsCharPtrAndSize(obj1, &buf2, &size2, &alloc2);
-  if (!SWIG_IsOK(res2)) {
-    SWIG_exception_fail(SWIG_ArgError(res2), "in method '" "SubnetTree___contains__" "', argument " "2"" of type '" "char *""'");
-  }  
-  arg2 = reinterpret_cast< char * >(buf2);
-  arg3 = static_cast< int >(size2 - 1);
-  result = (PyObject *)SubnetTree___contains____SWIG_0(arg1,arg2,arg3);
-  resultobj = result;
-  if (alloc2 == SWIG_NEWOBJ) delete[] buf2;
-  return resultobj;
-fail:
-  if (alloc2 == SWIG_NEWOBJ) delete[] buf2;
-  return NULL;
-}
-
-
-SWIGINTERN PyObject *_wrap_SubnetTree___contains____SWIG_1(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
-  PyObject *resultobj = 0;
-  SubnetTree *arg1 = (SubnetTree *) 0 ;
-  unsigned long arg2 ;
-  bool result;
-  void *argp1 = 0 ;
-  int res1 = 0 ;
-  unsigned long val2 ;
-  int ecode2 = 0 ;
-  PyObject * obj0 = 0 ;
-  PyObject * obj1 = 0 ;
-  
-  if (!PyArg_ParseTuple(args,(char *)"OO:SubnetTree___contains__",&obj0,&obj1)) SWIG_fail;
-  res1 = SWIG_ConvertPtr(obj0, &argp1,SWIGTYPE_p_SubnetTree, 0 |  0 );
-  if (!SWIG_IsOK(res1)) {
-    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "SubnetTree___contains__" "', argument " "1"" of type '" "SubnetTree *""'"); 
-  }
-  arg1 = reinterpret_cast< SubnetTree * >(argp1);
-  ecode2 = SWIG_AsVal_unsigned_SS_long(obj1, &val2);
-  if (!SWIG_IsOK(ecode2)) {
-    SWIG_exception_fail(SWIG_ArgError(ecode2), "in method '" "SubnetTree___contains__" "', argument " "2"" of type '" "unsigned long""'");
-  } 
-  arg2 = static_cast< unsigned long >(val2);
-  result = (bool)SubnetTree___contains____SWIG_1(arg1,arg2);
-  resultobj = SWIG_From_bool(static_cast< bool >(result));
-  return resultobj;
-fail:
-  return NULL;
-}
-
-
-SWIGINTERN PyObject *_wrap_SubnetTree___contains__(PyObject *self, PyObject *args) {
-  int argc;
-  PyObject *argv[3];
-  int ii;
-  
-  if (!PyTuple_Check(args)) SWIG_fail;
-  argc = PyObject_Length(args);
-  for (ii = 0; (ii < argc) && (ii < 2); ii++) {
-    argv[ii] = PyTuple_GET_ITEM(args,ii);
-  }
-  if (argc == 2) {
-    int _v;
-    void *vptr = 0;
-    int res = SWIG_ConvertPtr(argv[0], &vptr, SWIGTYPE_p_SubnetTree, 0);
-    _v = SWIG_CheckState(res);
-    if (_v) {
-      {
-        int res = SWIG_AsVal_unsigned_SS_long(argv[1], NULL);
-        _v = SWIG_CheckState(res);
-      }
-      if (_v) {
-        return _wrap_SubnetTree___contains____SWIG_1(self, args);
-      }
-    }
-  }
-  if (argc == 2) {
-    int _v;
-    void *vptr = 0;
-    int res = SWIG_ConvertPtr(argv[0], &vptr, SWIGTYPE_p_SubnetTree, 0);
-    _v = SWIG_CheckState(res);
-    if (_v) {
-      int res = SWIG_AsCharPtrAndSize(argv[1], 0, NULL, 0);
-      _v = SWIG_CheckState(res);
-      if (_v) {
-        if (argc <= 2) {
-          return _wrap_SubnetTree___contains____SWIG_0(self, args);
-        }
-        {
-          int res = SWIG_AsVal_int(argv[2], NULL);
-          _v = SWIG_CheckState(res);
-        }
-        if (_v) {
-          return _wrap_SubnetTree___contains____SWIG_0(self, args);
-        }
-      }
-    }
-  }
-  
-fail:
-  SWIG_SetErrorMsg(PyExc_NotImplementedError,"Wrong number of arguments for overloaded function 'SubnetTree___contains__'.\n  Possible C/C++ prototypes are:\n    __contains__(char *,int)\n    __contains__(unsigned long)\n");
-  return NULL;
-}
-
-
-SWIGINTERN PyObject *_wrap_SubnetTree___getitem__(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
-  PyObject *resultobj = 0;
-  SubnetTree *arg1 = (SubnetTree *) 0 ;
-  char *arg2 = (char *) 0 ;
-  int arg3 ;
-  PyObject *result = 0 ;
-  void *argp1 = 0 ;
-  int res1 = 0 ;
-  int res2 ;
-  char *buf2 = 0 ;
-  size_t size2 = 0 ;
-  int alloc2 = 0 ;
-  PyObject * obj0 = 0 ;
-  PyObject * obj1 = 0 ;
-  
-  if (!PyArg_ParseTuple(args,(char *)"OO:SubnetTree___getitem__",&obj0,&obj1)) SWIG_fail;
-  res1 = SWIG_ConvertPtr(obj0, &argp1,SWIGTYPE_p_SubnetTree, 0 |  0 );
-  if (!SWIG_IsOK(res1)) {
-    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "SubnetTree___getitem__" "', argument " "1"" of type '" "SubnetTree *""'"); 
-  }
-  arg1 = reinterpret_cast< SubnetTree * >(argp1);
-  res2 = SWIG_AsCharPtrAndSize(obj1, &buf2, &size2, &alloc2);
-  if (!SWIG_IsOK(res2)) {
-    SWIG_exception_fail(SWIG_ArgError(res2), "in method '" "SubnetTree___getitem__" "', argument " "2"" of type '" "char *""'");
-  }  
-  arg2 = reinterpret_cast< char * >(buf2);
-  arg3 = static_cast< int >(size2 - 1);
-  result = (PyObject *)SubnetTree___getitem__(arg1,arg2,arg3);
-  resultobj = result;
-  if (alloc2 == SWIG_NEWOBJ) delete[] buf2;
-  return resultobj;
-fail:
-  if (alloc2 == SWIG_NEWOBJ) delete[] buf2;
-  return NULL;
-}
-
-
-SWIGINTERN PyObject *_wrap_SubnetTree___setitem__(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
-  PyObject *resultobj = 0;
-  SubnetTree *arg1 = (SubnetTree *) 0 ;
-  char *arg2 = (char *) 0 ;
-  PyObject *arg3 = (PyObject *) 0 ;
-  PyObject *result = 0 ;
-  void *argp1 = 0 ;
-  int res1 = 0 ;
-  int res2 ;
-  char *buf2 = 0 ;
-  int alloc2 = 0 ;
-  PyObject * obj0 = 0 ;
-  PyObject * obj1 = 0 ;
-  PyObject * obj2 = 0 ;
-  
-  if (!PyArg_ParseTuple(args,(char *)"OOO:SubnetTree___setitem__",&obj0,&obj1,&obj2)) SWIG_fail;
-  res1 = SWIG_ConvertPtr(obj0, &argp1,SWIGTYPE_p_SubnetTree, 0 |  0 );
-  if (!SWIG_IsOK(res1)) {
-    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "SubnetTree___setitem__" "', argument " "1"" of type '" "SubnetTree *""'"); 
-  }
-  arg1 = reinterpret_cast< SubnetTree * >(argp1);
-  res2 = SWIG_AsCharPtrAndSize(obj1, &buf2, NULL, &alloc2);
-  if (!SWIG_IsOK(res2)) {
-    SWIG_exception_fail(SWIG_ArgError(res2), "in method '" "SubnetTree___setitem__" "', argument " "2"" of type '" "char const *""'");
-  }
-  arg2 = reinterpret_cast< char * >(buf2);
-  arg3 = obj2;
-  result = (PyObject *)SubnetTree___setitem__(arg1,(char const *)arg2,arg3);
-  resultobj = result;
-  if (alloc2 == SWIG_NEWOBJ) delete[] buf2;
-  return resultobj;
-fail:
-  if (alloc2 == SWIG_NEWOBJ) delete[] buf2;
-  return NULL;
-}
-
-
-SWIGINTERN PyObject *_wrap_SubnetTree___delitem__(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
-  PyObject *resultobj = 0;
-  SubnetTree *arg1 = (SubnetTree *) 0 ;
-  char *arg2 = (char *) 0 ;
-  PyObject *result = 0 ;
-  void *argp1 = 0 ;
-  int res1 = 0 ;
-  int res2 ;
-  char *buf2 = 0 ;
-  int alloc2 = 0 ;
-  PyObject * obj0 = 0 ;
-  PyObject * obj1 = 0 ;
-  
-  if (!PyArg_ParseTuple(args,(char *)"OO:SubnetTree___delitem__",&obj0,&obj1)) SWIG_fail;
-  res1 = SWIG_ConvertPtr(obj0, &argp1,SWIGTYPE_p_SubnetTree, 0 |  0 );
-  if (!SWIG_IsOK(res1)) {
-    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "SubnetTree___delitem__" "', argument " "1"" of type '" "SubnetTree *""'"); 
-  }
-  arg1 = reinterpret_cast< SubnetTree * >(argp1);
-  res2 = SWIG_AsCharPtrAndSize(obj1, &buf2, NULL, &alloc2);
-  if (!SWIG_IsOK(res2)) {
-    SWIG_exception_fail(SWIG_ArgError(res2), "in method '" "SubnetTree___delitem__" "', argument " "2"" of type '" "char const *""'");
-  }
-  arg2 = reinterpret_cast< char * >(buf2);
-  result = (PyObject *)SubnetTree___delitem__(arg1,(char const *)arg2);
-  resultobj = result;
-  if (alloc2 == SWIG_NEWOBJ) delete[] buf2;
-  return resultobj;
-fail:
-  if (alloc2 == SWIG_NEWOBJ) delete[] buf2;
-  return NULL;
-}
-
-
-SWIGINTERN PyObject *SubnetTree_swigregister(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
-  PyObject *obj;
-  if (!PyArg_ParseTuple(args,(char*)"O|swigregister", &obj)) return NULL;
-  SWIG_TypeNewClientData(SWIGTYPE_p_SubnetTree, SWIG_NewClientData(obj));
-  return SWIG_Py_Void();
-}
-
-static PyMethodDef SwigMethods[] = {
-	 { (char *)"new_SubnetTree", _wrap_new_SubnetTree, METH_VARARGS, NULL},
-	 { (char *)"delete_SubnetTree", _wrap_delete_SubnetTree, METH_VARARGS, NULL},
-	 { (char *)"SubnetTree_insert", _wrap_SubnetTree_insert, METH_VARARGS, NULL},
-	 { (char *)"SubnetTree_remove", _wrap_SubnetTree_remove, METH_VARARGS, NULL},
-	 { (char *)"SubnetTree_lookup", _wrap_SubnetTree_lookup, METH_VARARGS, NULL},
-	 { (char *)"SubnetTree___contains__", _wrap_SubnetTree___contains__, METH_VARARGS, NULL},
-	 { (char *)"SubnetTree___getitem__", _wrap_SubnetTree___getitem__, METH_VARARGS, NULL},
-	 { (char *)"SubnetTree___setitem__", _wrap_SubnetTree___setitem__, METH_VARARGS, NULL},
-	 { (char *)"SubnetTree___delitem__", _wrap_SubnetTree___delitem__, METH_VARARGS, NULL},
-	 { (char *)"SubnetTree_swigregister", SubnetTree_swigregister, METH_VARARGS, NULL},
-	 { NULL, NULL, 0, NULL }
-};
-
-
-/* -------- TYPE CONVERSION AND EQUIVALENCE RULES (BEGIN) -------- */
-
-static swig_type_info _swigt__p_SubnetTree = {"_p_SubnetTree", "SubnetTree *", 0, 0, (void*)0, 0};
-static swig_type_info _swigt__p_char = {"_p_char", "char *", 0, 0, (void*)0, 0};
-
-static swig_type_info *swig_type_initial[] = {
-  &_swigt__p_SubnetTree,
-  &_swigt__p_char,
-};
-
-static swig_cast_info _swigc__p_SubnetTree[] = {  {&_swigt__p_SubnetTree, 0, 0, 0},{0, 0, 0, 0}};
-static swig_cast_info _swigc__p_char[] = {  {&_swigt__p_char, 0, 0, 0},{0, 0, 0, 0}};
-
-static swig_cast_info *swig_cast_initial[] = {
-  _swigc__p_SubnetTree,
-  _swigc__p_char,
-};
-
-
-/* -------- TYPE CONVERSION AND EQUIVALENCE RULES (END) -------- */
-
-static swig_const_info swig_const_table[] = {
-{0, 0, 0, 0.0, 0, 0}};
-
-#ifdef __cplusplus
-}
-#endif
-/* -----------------------------------------------------------------------------
- * Type initialization:
- * This problem is tough by the requirement that no dynamic 
- * memory is used. Also, since swig_type_info structures store pointers to 
- * swig_cast_info structures and swig_cast_info structures store pointers back
- * to swig_type_info structures, we need some lookup code at initialization. 
- * The idea is that swig generates all the structures that are needed. 
- * The runtime then collects these partially filled structures. 
- * The SWIG_InitializeModule function takes these initial arrays out of 
- * swig_module, and does all the lookup, filling in the swig_module.types
- * array with the correct data and linking the correct swig_cast_info
- * structures together.
- *
- * The generated swig_type_info structures are assigned staticly to an initial 
- * array. We just loop through that array, and handle each type individually.
- * First we lookup if this type has been already loaded, and if so, use the
- * loaded structure instead of the generated one. Then we have to fill in the
- * cast linked list. The cast data is initially stored in something like a
- * two-dimensional array. Each row corresponds to a type (there are the same
- * number of rows as there are in the swig_type_initial array). Each entry in
- * a column is one of the swig_cast_info structures for that type.
- * The cast_initial array is actually an array of arrays, because each row has
- * a variable number of columns. So to actually build the cast linked list,
- * we find the array of casts associated with the type, and loop through it 
- * adding the casts to the list. The one last trick we need to do is making
- * sure the type pointer in the swig_cast_info struct is correct.
- *
- * First off, we lookup the cast->type name to see if it is already loaded. 
- * There are three cases to handle:
- *  1) If the cast->type has already been loaded AND the type we are adding
- *     casting info to has not been loaded (it is in this module), THEN we
- *     replace the cast->type pointer with the type pointer that has already
- *     been loaded.
- *  2) If BOTH types (the one we are adding casting info to, and the 
- *     cast->type) are loaded, THEN the cast info has already been loaded by
- *     the previous module so we just ignore it.
- *  3) Finally, if cast->type has not already been loaded, then we add that
- *     swig_cast_info to the linked list (because the cast->type) pointer will
- *     be correct.
- * ----------------------------------------------------------------------------- */
-
-#ifdef __cplusplus
-extern "C" {
-#if 0
-} /* c-mode */
-#endif
-#endif
-
-#if 0
-#define SWIGRUNTIME_DEBUG
-#endif
-
-
-SWIGRUNTIME void
-SWIG_InitializeModule(void *clientdata) {
-  size_t i;
-  swig_module_info *module_head, *iter;
-  int found;
-  
-  clientdata = clientdata;
-  
-  /* check to see if the circular list has been setup, if not, set it up */
-  if (swig_module.next==0) {
-    /* Initialize the swig_module */
-    swig_module.type_initial = swig_type_initial;
-    swig_module.cast_initial = swig_cast_initial;
-    swig_module.next = &swig_module;
-  }
-  
-  /* Try and load any already created modules */
-  module_head = SWIG_GetModule(clientdata);
-  if (!module_head) {
-    /* This is the first module loaded for this interpreter */
-    /* so set the swig module into the interpreter */
-    SWIG_SetModule(clientdata, &swig_module);
-    module_head = &swig_module;
-  } else {
-    /* the interpreter has loaded a SWIG module, but has it loaded this one? */
-    found=0;
-    iter=module_head;
-    do {
-      if (iter==&swig_module) {
-        found=1;
-        break;
-      }
-      iter=iter->next;
-    } while (iter!= module_head);
-    
-    /* if the is found in the list, then all is done and we may leave */
-    if (found) return;
-    /* otherwise we must add out module into the list */
-    swig_module.next = module_head->next;
-    module_head->next = &swig_module;
-  }
-  
-  /* Now work on filling in swig_module.types */
-#ifdef SWIGRUNTIME_DEBUG
-  printf("SWIG_InitializeModule: size %d\n", swig_module.size);
-#endif
-  for (i = 0; i < swig_module.size; ++i) {
-    swig_type_info *type = 0;
-    swig_type_info *ret;
-    swig_cast_info *cast;
-    
-#ifdef SWIGRUNTIME_DEBUG
-    printf("SWIG_InitializeModule: type %d %s\n", i, swig_module.type_initial[i]->name);
-#endif
-    
-    /* if there is another module already loaded */
-    if (swig_module.next != &swig_module) {
-      type = SWIG_MangledTypeQueryModule(swig_module.next, &swig_module, swig_module.type_initial[i]->name);
-    }
-    if (type) {
-      /* Overwrite clientdata field */
-#ifdef SWIGRUNTIME_DEBUG
-      printf("SWIG_InitializeModule: found type %s\n", type->name);
-#endif
-      if (swig_module.type_initial[i]->clientdata) {
-        type->clientdata = swig_module.type_initial[i]->clientdata;
-#ifdef SWIGRUNTIME_DEBUG
-        printf("SWIG_InitializeModule: found and overwrite type %s \n", type->name);
-#endif
-      }
-    } else {
-      type = swig_module.type_initial[i];
-    }
-    
-    /* Insert casting types */
-    cast = swig_module.cast_initial[i];
-    while (cast->type) {
-      /* Don't need to add information already in the list */
-      ret = 0;
-#ifdef SWIGRUNTIME_DEBUG
-      printf("SWIG_InitializeModule: look cast %s\n", cast->type->name);
-#endif
-      if (swig_module.next != &swig_module) {
-        ret = SWIG_MangledTypeQueryModule(swig_module.next, &swig_module, cast->type->name);
-#ifdef SWIGRUNTIME_DEBUG
-        if (ret) printf("SWIG_InitializeModule: found cast %s\n", ret->name);
-#endif
-      }
-      if (ret) {
-        if (type == swig_module.type_initial[i]) {
-#ifdef SWIGRUNTIME_DEBUG
-          printf("SWIG_InitializeModule: skip old type %s\n", ret->name);
-#endif
-          cast->type = ret;
-          ret = 0;
-        } else {
-          /* Check for casting already in the list */
-          swig_cast_info *ocast = SWIG_TypeCheck(ret->name, type);
-#ifdef SWIGRUNTIME_DEBUG
-          if (ocast) printf("SWIG_InitializeModule: skip old cast %s\n", ret->name);
-#endif
-          if (!ocast) ret = 0;
-        }
-      }
-      
-      if (!ret) {
-#ifdef SWIGRUNTIME_DEBUG
-        printf("SWIG_InitializeModule: adding cast %s\n", cast->type->name);
-#endif
-        if (type->cast) {
-          type->cast->prev = cast;
-          cast->next = type->cast;
-        }
-        type->cast = cast;
-      }
-      cast++;
-    }
-    /* Set entry in modules->types array equal to the type */
-    swig_module.types[i] = type;
-  }
-  swig_module.types[i] = 0;
-  
-#ifdef SWIGRUNTIME_DEBUG
-  printf("**** SWIG_InitializeModule: Cast List ******\n");
-  for (i = 0; i < swig_module.size; ++i) {
-    int j = 0;
-    swig_cast_info *cast = swig_module.cast_initial[i];
-    printf("SWIG_InitializeModule: type %d %s\n", i, swig_module.type_initial[i]->name);
-    while (cast->type) {
-      printf("SWIG_InitializeModule: cast type %s\n", cast->type->name);
-      cast++;
-      ++j;
-    }
-    printf("---- Total casts: %d\n",j);
-  }
-  printf("**** SWIG_InitializeModule: Cast List ******\n");
-#endif
-}
-
-/* This function will propagate the clientdata field of type to
-* any new swig_type_info structures that have been added into the list
-* of equivalent types.  It is like calling
-* SWIG_TypeClientData(type, clientdata) a second time.
-*/
-SWIGRUNTIME void
-SWIG_PropagateClientData(void) {
-  size_t i;
-  swig_cast_info *equiv;
-  static int init_run = 0;
-  
-  if (init_run) return;
-  init_run = 1;
-  
-  for (i = 0; i < swig_module.size; i++) {
-    if (swig_module.types[i]->clientdata) {
-      equiv = swig_module.types[i]->cast;
-      while (equiv) {
-        if (!equiv->converter) {
-          if (equiv->type && !equiv->type->clientdata)
-          SWIG_TypeClientData(equiv->type, swig_module.types[i]->clientdata);
-        }
-        equiv = equiv->next;
-      }
-    }
-  }
-}
-
-#ifdef __cplusplus
-#if 0
-{
-  /* c-mode */
-#endif
-}
-#endif
-
-
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-  
-  /* Python-specific SWIG API */
-#define SWIG_newvarlink()                             SWIG_Python_newvarlink()
-#define SWIG_addvarlink(p, name, get_attr, set_attr)  SWIG_Python_addvarlink(p, name, get_attr, set_attr)
-#define SWIG_InstallConstants(d, constants)           SWIG_Python_InstallConstants(d, constants)
-  
-  /* -----------------------------------------------------------------------------
-   * global variable support code.
-   * ----------------------------------------------------------------------------- */
-  
-  typedef struct swig_globalvar {
-    char       *name;                  /* Name of global variable */
-    PyObject *(*get_attr)(void);       /* Return the current value */
-    int       (*set_attr)(PyObject *); /* Set the value */
-    struct swig_globalvar *next;
-  } swig_globalvar;
-  
-  typedef struct swig_varlinkobject {
-    PyObject_HEAD
-    swig_globalvar *vars;
-  } swig_varlinkobject;
-  
-  SWIGINTERN PyObject *
-  swig_varlink_repr(swig_varlinkobject *SWIGUNUSEDPARM(v)) {
-    return PyString_FromString("<Swig global variables>");
-  }
-  
-  SWIGINTERN PyObject *
-  swig_varlink_str(swig_varlinkobject *v) {
-    PyObject *str = PyString_FromString("(");
-    swig_globalvar  *var;
-    for (var = v->vars; var; var=var->next) {
-      PyString_ConcatAndDel(&str,PyString_FromString(var->name));
-      if (var->next) PyString_ConcatAndDel(&str,PyString_FromString(", "));
-    }
-    PyString_ConcatAndDel(&str,PyString_FromString(")"));
-    return str;
-  }
-  
-  SWIGINTERN int
-  swig_varlink_print(swig_varlinkobject *v, FILE *fp, int SWIGUNUSEDPARM(flags)) {
-    PyObject *str = swig_varlink_str(v);
-    fprintf(fp,"Swig global variables ");
-    fprintf(fp,"%s\n", PyString_AsString(str));
-    Py_DECREF(str);
-    return 0;
-  }
-  
-  SWIGINTERN void
-  swig_varlink_dealloc(swig_varlinkobject *v) {
-    swig_globalvar *var = v->vars;
-    while (var) {
-      swig_globalvar *n = var->next;
-      free(var->name);
-      free(var);
-      var = n;
-    }
-  }
-  
-  SWIGINTERN PyObject *
-  swig_varlink_getattr(swig_varlinkobject *v, char *n) {
-    PyObject *res = NULL;
-    swig_globalvar *var = v->vars;
-    while (var) {
-      if (strcmp(var->name,n) == 0) {
-        res = (*var->get_attr)();
-        break;
-      }
-      var = var->next;
-    }
-    if (res == NULL && !PyErr_Occurred()) {
-      PyErr_SetString(PyExc_NameError,"Unknown C global variable");
-    }
-    return res;
-  }
-  
-  SWIGINTERN int
-  swig_varlink_setattr(swig_varlinkobject *v, char *n, PyObject *p) {
-    int res = 1;
-    swig_globalvar *var = v->vars;
-    while (var) {
-      if (strcmp(var->name,n) == 0) {
-        res = (*var->set_attr)(p);
-        break;
-      }
-      var = var->next;
-    }
-    if (res == 1 && !PyErr_Occurred()) {
-      PyErr_SetString(PyExc_NameError,"Unknown C global variable");
-    }
-    return res;
-  }
-  
-  SWIGINTERN PyTypeObject*
-  swig_varlink_type(void) {
-    static char varlink__doc__[] = "Swig var link object";
-    static PyTypeObject varlink_type;
-    static int type_init = 0;  
-    if (!type_init) {
-      const PyTypeObject tmp
-      = {
-        PyObject_HEAD_INIT(NULL)
-        0,                                  /* Number of items in variable part (ob_size) */
-        (char *)"swigvarlink",              /* Type name (tp_name) */
-        sizeof(swig_varlinkobject),         /* Basic size (tp_basicsize) */
-        0,                                  /* Itemsize (tp_itemsize) */
-        (destructor) swig_varlink_dealloc,   /* Deallocator (tp_dealloc) */ 
-        (printfunc) swig_varlink_print,     /* Print (tp_print) */
-        (getattrfunc) swig_varlink_getattr, /* get attr (tp_getattr) */
-        (setattrfunc) swig_varlink_setattr, /* Set attr (tp_setattr) */
-        0,                                  /* tp_compare */
-        (reprfunc) swig_varlink_repr,       /* tp_repr */
-        0,                                  /* tp_as_number */
-        0,                                  /* tp_as_sequence */
-        0,                                  /* tp_as_mapping */
-        0,                                  /* tp_hash */
-        0,                                  /* tp_call */
-        (reprfunc)swig_varlink_str,        /* tp_str */
-        0,                                  /* tp_getattro */
-        0,                                  /* tp_setattro */
-        0,                                  /* tp_as_buffer */
-        0,                                  /* tp_flags */
-        varlink__doc__,                     /* tp_doc */
-        0,                                  /* tp_traverse */
-        0,                                  /* tp_clear */
-        0,                                  /* tp_richcompare */
-        0,                                  /* tp_weaklistoffset */
-#if PY_VERSION_HEX >= 0x02020000
-        0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, /* tp_iter -> tp_weaklist */
-#endif
-#if PY_VERSION_HEX >= 0x02030000
-        0,                                  /* tp_del */
-#endif
-#ifdef COUNT_ALLOCS
-        0,0,0,0                             /* tp_alloc -> tp_next */
-#endif
-      };
-      varlink_type = tmp;
-      varlink_type.ob_type = &PyType_Type;
-      type_init = 1;
-    }
-    return &varlink_type;
-  }
-  
-  /* Create a variable linking object for use later */
-  SWIGINTERN PyObject *
-  SWIG_Python_newvarlink(void) {
-    swig_varlinkobject *result = PyObject_NEW(swig_varlinkobject, swig_varlink_type());
-    if (result) {
-      result->vars = 0;
-    }
-    return ((PyObject*) result);
-  }
-  
-  SWIGINTERN void 
-  SWIG_Python_addvarlink(PyObject *p, char *name, PyObject *(*get_attr)(void), int (*set_attr)(PyObject *p)) {
-    swig_varlinkobject *v = (swig_varlinkobject *) p;
-    swig_globalvar *gv = (swig_globalvar *) malloc(sizeof(swig_globalvar));
-    if (gv) {
-      size_t size = strlen(name)+1;
-      gv->name = (char *)malloc(size);
-      if (gv->name) {
-        strncpy(gv->name,name,size);
-        gv->get_attr = get_attr;
-        gv->set_attr = set_attr;
-        gv->next = v->vars;
-      }
-    }
-    v->vars = gv;
-  }
-  
-  SWIGINTERN PyObject *
-  SWIG_globals(void) {
-    static PyObject *_SWIG_globals = 0; 
-    if (!_SWIG_globals) _SWIG_globals = SWIG_newvarlink();  
-    return _SWIG_globals;
-  }
-  
-  /* -----------------------------------------------------------------------------
-   * constants/methods manipulation
-   * ----------------------------------------------------------------------------- */
-  
-  /* Install Constants */
-  SWIGINTERN void
-  SWIG_Python_InstallConstants(PyObject *d, swig_const_info constants[]) {
-    PyObject *obj = 0;
-    size_t i;
-    for (i = 0; constants[i].type; ++i) {
-      switch(constants[i].type) {
-      case SWIG_PY_POINTER:
-        obj = SWIG_NewPointerObj(constants[i].pvalue, *(constants[i]).ptype,0);
-        break;
-      case SWIG_PY_BINARY:
-        obj = SWIG_NewPackedObj(constants[i].pvalue, constants[i].lvalue, *(constants[i].ptype));
-        break;
-      default:
-        obj = 0;
-        break;
-      }
-      if (obj) {
-        PyDict_SetItemString(d, constants[i].name, obj);
-        Py_DECREF(obj);
-      }
-    }
-  }
-  
-  /* -----------------------------------------------------------------------------*/
-  /* Fix SwigMethods to carry the callback ptrs when needed */
-  /* -----------------------------------------------------------------------------*/
-  
-  SWIGINTERN void
-  SWIG_Python_FixMethods(PyMethodDef *methods,
-    swig_const_info *const_table,
-    swig_type_info **types,
-    swig_type_info **types_initial) {
-    size_t i;
-    for (i = 0; methods[i].ml_name; ++i) {
-      const char *c = methods[i].ml_doc;
-      if (c && (c = strstr(c, "swig_ptr: "))) {
-        int j;
-        swig_const_info *ci = 0;
-        const char *name = c + 10;
-        for (j = 0; const_table[j].type; ++j) {
-          if (strncmp(const_table[j].name, name, 
-              strlen(const_table[j].name)) == 0) {
-            ci = &(const_table[j]);
-            break;
-          }
-        }
-        if (ci) {
-          size_t shift = (ci->ptype) - types;
-          swig_type_info *ty = types_initial[shift];
-          size_t ldoc = (c - methods[i].ml_doc);
-          size_t lptr = strlen(ty->name)+2*sizeof(void*)+2;
-          char *ndoc = (char*)malloc(ldoc + lptr + 10);
-          if (ndoc) {
-            char *buff = ndoc;
-            void *ptr = (ci->type == SWIG_PY_POINTER) ? ci->pvalue : 0;
-            if (ptr) {
-              strncpy(buff, methods[i].ml_doc, ldoc);
-              buff += ldoc;
-              strncpy(buff, "swig_ptr: ", 10);
-              buff += 10;
-              SWIG_PackVoidPtr(buff, ptr, ty->name, lptr);
-              methods[i].ml_doc = ndoc;
-            }
-          }
-        }
-      }
-    }
-  } 
-  
-#ifdef __cplusplus
-}
-#endif
-
-/* -----------------------------------------------------------------------------*
- *  Partial Init method
- * -----------------------------------------------------------------------------*/
-
-#ifdef __cplusplus
-extern "C"
-#endif
-SWIGEXPORT void SWIG_init(void) {
-  PyObject *m, *d;
-  
-  /* Fix SwigMethods to carry the callback ptrs when needed */
-  SWIG_Python_FixMethods(SwigMethods, swig_const_table, swig_types, swig_type_initial);
-  
-  m = Py_InitModule((char *) SWIG_name, SwigMethods);
-  d = PyModule_GetDict(m);
-  
-  SWIG_InitializeModule(0);
-  SWIG_InstallConstants(d,swig_const_table);
-  
-  
-}
-
diff --git a/aux/broctl/aux/pysubnettree/patricia.c b/aux/broctl/aux/pysubnettree/patricia.c
deleted file mode 100644
index 6d7b272182..0000000000
--- a/aux/broctl/aux/pysubnettree/patricia.c
+++ /dev/null
@@ -1,1051 +0,0 @@
-/*
- * $Id: patricia.c 6811 2009-07-06 20:41:10Z robin $
- * Dave Plonka <plonka@doit.wisc.edu>
- *
- * This product includes software developed by the University of Michigan,
- * Merit Network, Inc., and their contributors. 
- *
- * This file had been called "radix.c" in the MRT sources.
- *
- * I renamed it to "patricia.c" since it's not an implementation of a general
- * radix trie.  Also I pulled in various requirements from "prefix.c" and
- * "demo.c" so that it could be used as a standalone API.
- */
-
-/* From copyright.txt:
- * 
- * Copyright (c) 1997, 1998, 1999
- * 
- * 
- * The Regents of the University of Michigan ("The Regents") and Merit Network,
- * Inc.  All rights reserved.
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- * 1.  Redistributions of source code must retain the above 
- *     copyright notice, this list of conditions and the 
- *     following disclaimer.
- * 2.  Redistributions in binary form must reproduce the above 
- *     copyright notice, this list of conditions and the 
- *     following disclaimer in the documentation and/or other 
- *     materials provided with the distribution.
- * 3.  All advertising materials mentioning features or use of 
- *     this software must display the following acknowledgement:  
- * This product includes software developed by the University of Michigan, Merit
- * Network, Inc., and their contributors. 
- * 4.  Neither the name of the University, Merit Network, nor the
- *     names of their contributors may be used to endorse or 
- *     promote products derived from this software without 
- *     specific prior written permission.
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS "AS IS" AND ANY
- * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY
- * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
- * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.  
- */
-
-static char copyright[] =
-"This product includes software developed by the University of Michigan, Merit"
-"Network, Inc., and their contributors.";
-
-#include <assert.h> /* assert */
-#include <ctype.h> /* isdigit */
-#include <errno.h> /* errno */
-#include <math.h> /* sin */
-#include <stddef.h> /* NULL */
-#include <stdio.h> /* sprintf, fprintf, stderr */
-#include <stdlib.h> /* free, atol, calloc */
-#include <string.h> /* memcpy, strchr, strlen */
-#include <arpa/inet.h> /* for inet_addr */
-#include <sys/types.h> /* for u_short, etc. */
-
-#include "patricia.h"
-
-#define Delete free
-
-/* { from prefix.c */
-
-/* prefix_tochar
- * convert prefix information to bytes
- */
-u_char *
-prefix_tochar (prefix_t * prefix)
-{
-    if (prefix == NULL)
-	return (NULL);
-
-    return ((u_char *) & prefix->add.sin);
-}
-
-int 
-comp_with_mask (void *addr, void *dest, u_int mask)
-{
-
-    if ( /* mask/8 == 0 || */ memcmp (addr, dest, mask / 8) == 0) {
-	int n = mask / 8;
-	int m = ((-1) << (8 - (mask % 8)));
-
-	if (mask % 8 == 0 || (((u_char *)addr)[n] & m) == (((u_char *)dest)[n] & m))
-	    return (1);
-    }
-    return (0);
-}
-
-/* inet_pton substitute implementation
- * Uses inet_addr to convert an IP address in dotted decimal notation into 
- * unsigned long and copies the result to dst.
- * Only supports AF_INET.  Follows standard error return conventions of 
- * inet_pton.
- */
-int
-local_inet_pton (int af, const char *src, void *dst)
-{
-    u_long result;  
-
-    if (af == AF_INET) {
-	result = inet_addr(src);
-	if (result == -1)
-	    return 0;
-	else {
-			memcpy (dst, &result, 4);
-	    return 1;
-		}
-	}
-#ifdef NT
-#ifdef HAVE_IPV6
-	else if (af == AF_INET6) {
-		struct in6_addr Address;
-		return (inet6_addr(src, &Address));
-	}
-#endif /* HAVE_IPV6 */
-#endif /* NT */
-#ifndef NT
-    else {
-
-	errno = EAFNOSUPPORT;
-	return -1;
-    }
-#endif /* NT */
-}
-
-/* this allows imcomplete prefix */
-int
-my_inet_pton (int af, const char *src, void *dst)
-{
-    if (af == AF_INET) {
-        int i, c, val;
-        u_char xp[4] = {0, 0, 0, 0};
-
-        for (i = 0; ; i++) {
-	    c = *src++;
-	    if (!isdigit (c))
-		return (-1);
-	    val = 0;
-	    do {
-		val = val * 10 + c - '0';
-		if (val > 255)
-		    return (0);
-		c = *src++;
-	    } while (c && isdigit (c));
-            xp[i] = val;
-	    if (c == '\0')
-		break;
-            if (c != '.')
-                return (0);
-	    if (i >= 3)
-		return (0);
-        }
-	memcpy (dst, xp, 4);
-        return (1);
-#ifdef HAVE_IPV6
-    } else if (af == AF_INET6) {
-        return (local_inet_pton (af, src, dst));
-#endif /* HAVE_IPV6 */
-    } else {
-#ifndef NT
-	errno = EAFNOSUPPORT;
-#endif /* NT */
-	return -1;
-    }
-}
-
-/* 
- * convert prefix information to ascii string with length
- * thread safe and (almost) re-entrant implementation
- */
-char *
-prefix_toa2x (prefix_t *prefix, char *buff, int with_len)
-{
-    if (prefix == NULL)
-	return ("(Null)");
-    assert (prefix->ref_count >= 0);
-    if (buff == NULL) {
-
-        struct buffer {
-            char buffs[16][48+5];
-            u_int i;
-        } *buffp;
-
-#    if 0
-	THREAD_SPECIFIC_DATA (struct buffer, buffp, 1);
-#    else
-        { /* for scope only */
-	   static struct buffer local_buff;
-           buffp = &local_buff;
-	}
-#    endif
-	if (buffp == NULL) {
-	    /* XXX should we report an error? */
-	    return (NULL);
-	}
-
-	buff = buffp->buffs[buffp->i++%16];
-    }
-    if (prefix->family == AF_INET) {
-	u_char *a;
-	assert (prefix->bitlen <= 32);
-	a = prefix_touchar (prefix);
-	if (with_len) {
-	    sprintf (buff, "%d.%d.%d.%d/%d", a[0], a[1], a[2], a[3],
-		     prefix->bitlen);
-	}
-	else {
-	    sprintf (buff, "%d.%d.%d.%d", a[0], a[1], a[2], a[3]);
-	}
-	return (buff);
-    }
-#ifdef HAVE_IPV6
-    else if (prefix->family == AF_INET6) {
-	char *r;
-	r = (char *) inet_ntop (AF_INET6, &prefix->add.sin6, buff, 48 /* a guess value */ );
-	if (r && with_len) {
-	    assert (prefix->bitlen <= 128);
-	    sprintf (buff + strlen (buff), "/%d", prefix->bitlen);
-	}
-	return (buff);
-    }
-#endif /* HAVE_IPV6 */
-    else
-	return (NULL);
-}
-
-/* prefix_toa2
- * convert prefix information to ascii string
- */
-char *
-prefix_toa2 (prefix_t *prefix, char *buff)
-{
-    return (prefix_toa2x (prefix, buff, 0));
-}
-
-/* prefix_toa
- */
-char *
-prefix_toa (prefix_t * prefix)
-{
-    return (prefix_toa2 (prefix, (char *) NULL));
-}
-
-prefix_t *
-New_Prefix2 (int family, void *dest, int bitlen, prefix_t *prefix)
-{
-    int dynamic_allocated = 0;
-    int default_bitlen = 32;
-
-#ifdef HAVE_IPV6
-    if (family == AF_INET6) {
-        default_bitlen = 128;
-	if (prefix == NULL) {
-            prefix = calloc(1, sizeof (prefix6_t));
-	    dynamic_allocated++;
-	}
-	memcpy (&prefix->add.sin6, dest, 16);
-    }
-    else
-#endif /* HAVE_IPV6 */
-    if (family == AF_INET) {
-		if (prefix == NULL) {
-#ifndef NT
-            prefix = calloc(1, sizeof (prefix4_t));
-#else
-			//for some reason, compiler is getting
-			//prefix4_t size incorrect on NT
-			prefix = calloc(1, sizeof (prefix_t)); 
-#endif /* NT */
-		
-			dynamic_allocated++;
-		}
-		memcpy (&prefix->add.sin, dest, 4);
-    }
-    else {
-        return (NULL);
-    }
-
-    prefix->bitlen = (bitlen >= 0)? bitlen: default_bitlen;
-    prefix->family = family;
-    prefix->ref_count = 0;
-    if (dynamic_allocated) {
-        prefix->ref_count++;
-   }
-/* fprintf(stderr, "[C %s, %d]\n", prefix_toa (prefix), prefix->ref_count); */
-    return (prefix);
-}
-
-prefix_t *
-New_Prefix (int family, void *dest, int bitlen)
-{
-    return (New_Prefix2 (family, dest, bitlen, NULL));
-}
-
-/* ascii2prefix
- */
-prefix_t *
-ascii2prefix (int family, char *string)
-{
-    u_long bitlen, maxbitlen = 0;
-    char *cp;
-    struct in_addr sin;
-#ifdef HAVE_IPV6
-    struct in6_addr sin6;
-#endif /* HAVE_IPV6 */
-    int result;
-    char save[MAXLINE];
-
-    if (string == NULL)
-		return (NULL);
-
-    /* easy way to handle both families */
-    if (family == 0) {
-       family = AF_INET;
-#ifdef HAVE_IPV6
-       if (strchr (string, ':')) family = AF_INET6;
-#endif /* HAVE_IPV6 */
-    }
-
-    if (family == AF_INET) {
-		maxbitlen = 32;
-    }
-#ifdef HAVE_IPV6
-    else if (family == AF_INET6) {
-		maxbitlen = 128;
-    }
-#endif /* HAVE_IPV6 */
-
-    if ((cp = strchr (string, '/')) != NULL) {
-		bitlen = atol (cp + 1);
-		/* *cp = '\0'; */
-		/* copy the string to save. Avoid destroying the string */
-		assert (cp - string < MAXLINE);
-		memcpy (save, string, cp - string);
-		save[cp - string] = '\0';
-		string = save;
-		if (bitlen < 0 || bitlen > maxbitlen)
-			bitlen = maxbitlen;
-		}
-		else {
-			bitlen = maxbitlen;
-		}
-
-		if (family == AF_INET) {
-			if ((result = my_inet_pton (AF_INET, string, &sin)) <= 0)
-				return (NULL);
-			return (New_Prefix (AF_INET, &sin, bitlen));
-		}
-
-#ifdef HAVE_IPV6
-		else if (family == AF_INET6) {
-// Get rid of this with next IPv6 upgrade
-#if defined(NT) && !defined(HAVE_INET_NTOP)
-			inet6_addr(string, &sin6);
-			return (New_Prefix (AF_INET6, &sin6, bitlen));
-#else
-			if ((result = local_inet_pton (AF_INET6, string, &sin6)) <= 0)
-				return (NULL);
-#endif /* NT */
-			return (New_Prefix (AF_INET6, &sin6, bitlen));
-		}
-#endif /* HAVE_IPV6 */
-		else
-			return (NULL);
-}
-
-prefix_t *
-Ref_Prefix (prefix_t * prefix)
-{
-    if (prefix == NULL)
-	return (NULL);
-    if (prefix->ref_count == 0) {
-	/* make a copy in case of a static prefix */
-        return (New_Prefix2 (prefix->family, &prefix->add, prefix->bitlen, NULL));
-    }
-    prefix->ref_count++;
-/* fprintf(stderr, "[A %s, %d]\n", prefix_toa (prefix), prefix->ref_count); */
-    return (prefix);
-}
-
-void 
-Deref_Prefix (prefix_t * prefix)
-{
-    if (prefix == NULL)
-	return;
-    /* for secure programming, raise an assert. no static prefix can call this */
-    assert (prefix->ref_count > 0);
-
-    prefix->ref_count--;
-    assert (prefix->ref_count >= 0);
-    if (prefix->ref_count <= 0) {
-	Delete (prefix);
-	return;
-    }
-}
-
-/* } */
-
-/* #define PATRICIA_DEBUG 1 */
-
-static int num_active_patricia = 0;
-
-/* these routines support continuous mask only */
-
-patricia_tree_t *
-New_Patricia (int maxbits)
-{
-    patricia_tree_t *patricia = calloc(1, sizeof *patricia);
-
-    patricia->maxbits = maxbits;
-    patricia->head = NULL;
-    patricia->num_active_node = 0;
-    assert (maxbits <= PATRICIA_MAXBITS); /* XXX */
-    num_active_patricia++;
-    return (patricia);
-}
-
-
-/*
- * if func is supplied, it will be called as func(node->data)
- * before deleting the node
- */
-
-void
-Clear_Patricia (patricia_tree_t *patricia, void_fn_t func)
-{
-    assert (patricia);
-    if (patricia->head) {
-
-        patricia_node_t *Xstack[PATRICIA_MAXBITS+1];
-        patricia_node_t **Xsp = Xstack;
-        patricia_node_t *Xrn = patricia->head;
-
-        while (Xrn) {
-            patricia_node_t *l = Xrn->l;
-            patricia_node_t *r = Xrn->r;
-
-    	    if (Xrn->prefix) {
-		Deref_Prefix (Xrn->prefix);
-		if (Xrn->data && func)
-	    	    func (Xrn->data);
-    	    }
-    	    else {
-		assert (Xrn->data == NULL);
-    	    }
-    	    Delete (Xrn);
-	    patricia->num_active_node--;
-
-            if (l) {
-                if (r) {
-                    *Xsp++ = r;
-                }
-                Xrn = l;
-            } else if (r) {
-                Xrn = r;
-            } else if (Xsp != Xstack) {
-                Xrn = *(--Xsp);
-            } else {
-                Xrn = (patricia_node_t *) 0;
-            }
-        }
-    }
-    assert (patricia->num_active_node == 0);
-    /* Delete (patricia); */
-}
-
-
-void
-Destroy_Patricia (patricia_tree_t *patricia, void_fn_t func)
-{
-    Clear_Patricia (patricia, func);
-    Delete (patricia);
-    num_active_patricia--;
-}
-
-
-/*
- * if func is supplied, it will be called as func(node->prefix, node->data)
- */
-
-void
-patricia_process (patricia_tree_t *patricia, void_fn_t func)
-{
-    patricia_node_t *node;
-    assert (func);
-
-    PATRICIA_WALK (patricia->head, node) {
-	func (node->prefix, node->data);
-    } PATRICIA_WALK_END;
-}
-
-
-patricia_node_t *
-patricia_search_exact (patricia_tree_t *patricia, prefix_t *prefix)
-{
-    patricia_node_t *node;
-    u_char *addr;
-    u_int bitlen;
-
-    assert (patricia);
-    assert (prefix);
-    assert (prefix->bitlen <= patricia->maxbits);
-
-    if (patricia->head == NULL)
-	return (NULL);
-
-    node = patricia->head;
-    addr = prefix_touchar (prefix);
-    bitlen = prefix->bitlen;
-
-    while (node->bit < bitlen) {
-
-	if (BIT_TEST (addr[node->bit >> 3], 0x80 >> (node->bit & 0x07))) {
-#ifdef PATRICIA_DEBUG
-	    if (node->prefix)
-    	        fprintf (stderr, "patricia_search_exact: take right %s/%d\n", 
-	                 prefix_toa (node->prefix), node->prefix->bitlen);
-	    else
-    	        fprintf (stderr, "patricia_search_exact: take right at %d\n", 
-			 node->bit);
-#endif /* PATRICIA_DEBUG */
-	    node = node->r;
-	}
-	else {
-#ifdef PATRICIA_DEBUG
-	    if (node->prefix)
-    	        fprintf (stderr, "patricia_search_exact: take left %s/%d\n", 
-	                 prefix_toa (node->prefix), node->prefix->bitlen);
-	    else
-    	        fprintf (stderr, "patricia_search_exact: take left at %d\n", 
-			 node->bit);
-#endif /* PATRICIA_DEBUG */
-	    node = node->l;
-	}
-
-	if (node == NULL)
-	    return (NULL);
-    }
-
-#ifdef PATRICIA_DEBUG
-    if (node->prefix)
-        fprintf (stderr, "patricia_search_exact: stop at %s/%d\n", 
-	         prefix_toa (node->prefix), node->prefix->bitlen);
-    else
-        fprintf (stderr, "patricia_search_exact: stop at %d\n", node->bit);
-#endif /* PATRICIA_DEBUG */
-    if (node->bit > bitlen || node->prefix == NULL)
-	return (NULL);
-    assert (node->bit == bitlen);
-    assert (node->bit == node->prefix->bitlen);
-    if (comp_with_mask (prefix_tochar (node->prefix), prefix_tochar (prefix),
-			bitlen)) {
-#ifdef PATRICIA_DEBUG
-        fprintf (stderr, "patricia_search_exact: found %s/%d\n", 
-	         prefix_toa (node->prefix), node->prefix->bitlen);
-#endif /* PATRICIA_DEBUG */
-	return (node);
-    }
-    return (NULL);
-}
-
-
-/* if inclusive != 0, "best" may be the given prefix itself */
-patricia_node_t *
-patricia_search_best2 (patricia_tree_t *patricia, prefix_t *prefix, int inclusive)
-{
-    patricia_node_t *node;
-    patricia_node_t *stack[PATRICIA_MAXBITS + 1];
-    u_char *addr;
-    u_int bitlen;
-    int cnt = 0;
-
-    assert (patricia);
-    assert (prefix);
-    assert (prefix->bitlen <= patricia->maxbits);
-
-    if (patricia->head == NULL)
-	return (NULL);
-
-    node = patricia->head;
-    addr = prefix_touchar (prefix);
-    bitlen = prefix->bitlen;
-
-    while (node->bit < bitlen) {
-
-	if (node->prefix) {
-#ifdef PATRICIA_DEBUG
-            fprintf (stderr, "patricia_search_best: push %s/%d\n", 
-	             prefix_toa (node->prefix), node->prefix->bitlen);
-#endif /* PATRICIA_DEBUG */
-	    stack[cnt++] = node;
-	}
-
-	if (BIT_TEST (addr[node->bit >> 3], 0x80 >> (node->bit & 0x07))) {
-#ifdef PATRICIA_DEBUG
-	    if (node->prefix)
-    	        fprintf (stderr, "patricia_search_best: take right %s/%d\n", 
-	                 prefix_toa (node->prefix), node->prefix->bitlen);
-	    else
-    	        fprintf (stderr, "patricia_search_best: take right at %d\n", 
-			 node->bit);
-#endif /* PATRICIA_DEBUG */
-	    node = node->r;
-	}
-	else {
-#ifdef PATRICIA_DEBUG
-	    if (node->prefix)
-    	        fprintf (stderr, "patricia_search_best: take left %s/%d\n", 
-	                 prefix_toa (node->prefix), node->prefix->bitlen);
-	    else
-    	        fprintf (stderr, "patricia_search_best: take left at %d\n", 
-			 node->bit);
-#endif /* PATRICIA_DEBUG */
-	    node = node->l;
-	}
-
-	if (node == NULL)
-	    break;
-    }
-
-    if (inclusive && node && node->prefix)
-	stack[cnt++] = node;
-
-#ifdef PATRICIA_DEBUG
-    if (node == NULL)
-        fprintf (stderr, "patricia_search_best: stop at null\n");
-    else if (node->prefix)
-        fprintf (stderr, "patricia_search_best: stop at %s/%d\n", 
-	         prefix_toa (node->prefix), node->prefix->bitlen);
-    else
-        fprintf (stderr, "patricia_search_best: stop at %d\n", node->bit);
-#endif /* PATRICIA_DEBUG */
-
-    if (cnt <= 0)
-	return (NULL);
-
-    while (--cnt >= 0) {
-	node = stack[cnt];
-#ifdef PATRICIA_DEBUG
-        fprintf (stderr, "patricia_search_best: pop %s/%d\n", 
-	         prefix_toa (node->prefix), node->prefix->bitlen);
-#endif /* PATRICIA_DEBUG */
-	if (comp_with_mask (prefix_tochar (node->prefix), 
-			    prefix_tochar (prefix),
-			    node->prefix->bitlen)) {
-#ifdef PATRICIA_DEBUG
-            fprintf (stderr, "patricia_search_best: found %s/%d\n", 
-	             prefix_toa (node->prefix), node->prefix->bitlen);
-#endif /* PATRICIA_DEBUG */
-	    return (node);
-	}
-    }
-    return (NULL);
-}
-
-
-patricia_node_t *
-patricia_search_best (patricia_tree_t *patricia, prefix_t *prefix)
-{
-    return (patricia_search_best2 (patricia, prefix, 1));
-}
-
-
-patricia_node_t *
-patricia_lookup (patricia_tree_t *patricia, prefix_t *prefix)
-{
-    patricia_node_t *node, *new_node, *parent, *glue;
-    u_char *addr, *test_addr;
-    u_int bitlen, check_bit, differ_bit;
-    int i, j, r;
-
-    assert (patricia);
-    assert (prefix);
-    assert (prefix->bitlen <= patricia->maxbits);
-
-    if (patricia->head == NULL) {
-	node = calloc(1, sizeof *node);
-	node->bit = prefix->bitlen;
-	node->prefix = Ref_Prefix (prefix);
-	node->parent = NULL;
-	node->l = node->r = NULL;
-	node->data = NULL;
-	patricia->head = node;
-#ifdef PATRICIA_DEBUG
-	fprintf (stderr, "patricia_lookup: new_node #0 %s/%d (head)\n", 
-		 prefix_toa (prefix), prefix->bitlen);
-#endif /* PATRICIA_DEBUG */
-	patricia->num_active_node++;
-	return (node);
-    }
-
-    addr = prefix_touchar (prefix);
-    bitlen = prefix->bitlen;
-    node = patricia->head;
-
-    while (node->bit < bitlen || node->prefix == NULL) {
-
-	if (node->bit < patricia->maxbits &&
-	    BIT_TEST (addr[node->bit >> 3], 0x80 >> (node->bit & 0x07))) {
-	    if (node->r == NULL)
-		break;
-#ifdef PATRICIA_DEBUG
-	    if (node->prefix)
-    	        fprintf (stderr, "patricia_lookup: take right %s/%d\n", 
-	                 prefix_toa (node->prefix), node->prefix->bitlen);
-	    else
-    	        fprintf (stderr, "patricia_lookup: take right at %d\n", node->bit);
-#endif /* PATRICIA_DEBUG */
-	    node = node->r;
-	}
-	else {
-	    if (node->l == NULL)
-		break;
-#ifdef PATRICIA_DEBUG
-	    if (node->prefix)
-    	        fprintf (stderr, "patricia_lookup: take left %s/%d\n", 
-	             prefix_toa (node->prefix), node->prefix->bitlen);
-	    else
-    	        fprintf (stderr, "patricia_lookup: take left at %d\n", node->bit);
-#endif /* PATRICIA_DEBUG */
-	    node = node->l;
-	}
-
-	assert (node);
-    }
-
-    assert (node->prefix);
-#ifdef PATRICIA_DEBUG
-    fprintf (stderr, "patricia_lookup: stop at %s/%d\n", 
-	     prefix_toa (node->prefix), node->prefix->bitlen);
-#endif /* PATRICIA_DEBUG */
-
-    test_addr = prefix_touchar (node->prefix);
-    /* find the first bit different */
-    check_bit = (node->bit < bitlen)? node->bit: bitlen;
-    differ_bit = 0;
-    for (i = 0; i*8 < check_bit; i++) {
-	if ((r = (addr[i] ^ test_addr[i])) == 0) {
-	    differ_bit = (i + 1) * 8;
-	    continue;
-	}
-	/* I know the better way, but for now */
-	for (j = 0; j < 8; j++) {
-	    if (BIT_TEST (r, (0x80 >> j)))
-		break;
-	}
-	/* must be found */
-	assert (j < 8);
-	differ_bit = i * 8 + j;
-	break;
-    }
-    if (differ_bit > check_bit)
-	differ_bit = check_bit;
-#ifdef PATRICIA_DEBUG
-    fprintf (stderr, "patricia_lookup: differ_bit %d\n", differ_bit);
-#endif /* PATRICIA_DEBUG */
-
-    parent = node->parent;
-    while (parent && parent->bit >= differ_bit) {
-	node = parent;
-	parent = node->parent;
-#ifdef PATRICIA_DEBUG
-	if (node->prefix)
-            fprintf (stderr, "patricia_lookup: up to %s/%d\n", 
-	             prefix_toa (node->prefix), node->prefix->bitlen);
-	else
-            fprintf (stderr, "patricia_lookup: up to %d\n", node->bit);
-#endif /* PATRICIA_DEBUG */
-    }
-
-    if (differ_bit == bitlen && node->bit == bitlen) {
-	if (node->prefix) {
-#ifdef PATRICIA_DEBUG 
-    	    fprintf (stderr, "patricia_lookup: found %s/%d\n", 
-		     prefix_toa (node->prefix), node->prefix->bitlen);
-#endif /* PATRICIA_DEBUG */
-	    return (node);
-	}
-	node->prefix = Ref_Prefix (prefix);
-#ifdef PATRICIA_DEBUG
-	fprintf (stderr, "patricia_lookup: new node #1 %s/%d (glue mod)\n",
-		 prefix_toa (prefix), prefix->bitlen);
-#endif /* PATRICIA_DEBUG */
-	assert (node->data == NULL);
-	return (node);
-    }
-
-    new_node = calloc(1, sizeof *new_node);
-    new_node->bit = prefix->bitlen;
-    new_node->prefix = Ref_Prefix (prefix);
-    new_node->parent = NULL;
-    new_node->l = new_node->r = NULL;
-    new_node->data = NULL;
-    patricia->num_active_node++;
-
-    if (node->bit == differ_bit) {
-	new_node->parent = node;
-	if (node->bit < patricia->maxbits &&
-	    BIT_TEST (addr[node->bit >> 3], 0x80 >> (node->bit & 0x07))) {
-	    assert (node->r == NULL);
-	    node->r = new_node;
-	}
-	else {
-	    assert (node->l == NULL);
-	    node->l = new_node;
-	}
-#ifdef PATRICIA_DEBUG
-	fprintf (stderr, "patricia_lookup: new_node #2 %s/%d (child)\n", 
-		 prefix_toa (prefix), prefix->bitlen);
-#endif /* PATRICIA_DEBUG */
-	return (new_node);
-    }
-
-    if (bitlen == differ_bit) {
-	if (bitlen < patricia->maxbits &&
-	    BIT_TEST (test_addr[bitlen >> 3], 0x80 >> (bitlen & 0x07))) {
-	    new_node->r = node;
-	}
-	else {
-	    new_node->l = node;
-	}
-	new_node->parent = node->parent;
-	if (node->parent == NULL) {
-	    assert (patricia->head == node);
-	    patricia->head = new_node;
-	}
-	else if (node->parent->r == node) {
-	    node->parent->r = new_node;
-	}
-	else {
-	    node->parent->l = new_node;
-	}
-	node->parent = new_node;
-#ifdef PATRICIA_DEBUG
-	fprintf (stderr, "patricia_lookup: new_node #3 %s/%d (parent)\n", 
-		 prefix_toa (prefix), prefix->bitlen);
-#endif /* PATRICIA_DEBUG */
-    }
-    else {
-        glue = calloc(1, sizeof *glue);
-        glue->bit = differ_bit;
-        glue->prefix = NULL;
-        glue->parent = node->parent;
-        glue->data = NULL;
-        patricia->num_active_node++;
-	if (differ_bit < patricia->maxbits &&
-	    BIT_TEST (addr[differ_bit >> 3], 0x80 >> (differ_bit & 0x07))) {
-	    glue->r = new_node;
-	    glue->l = node;
-	}
-	else {
-	    glue->r = node;
-	    glue->l = new_node;
-	}
-	new_node->parent = glue;
-
-	if (node->parent == NULL) {
-	    assert (patricia->head == node);
-	    patricia->head = glue;
-	}
-	else if (node->parent->r == node) {
-	    node->parent->r = glue;
-	}
-	else {
-	    node->parent->l = glue;
-	}
-	node->parent = glue;
-#ifdef PATRICIA_DEBUG
-	fprintf (stderr, "patricia_lookup: new_node #4 %s/%d (glue+node)\n", 
-		 prefix_toa (prefix), prefix->bitlen);
-#endif /* PATRICIA_DEBUG */
-    }
-    return (new_node);
-}
-
-
-void
-patricia_remove (patricia_tree_t *patricia, patricia_node_t *node)
-{
-    patricia_node_t *parent, *child;
-
-    assert (patricia);
-    assert (node);
-
-    if (node->r && node->l) {
-#ifdef PATRICIA_DEBUG
-	fprintf (stderr, "patricia_remove: #0 %s/%d (r & l)\n", 
-		 prefix_toa (node->prefix), node->prefix->bitlen);
-#endif /* PATRICIA_DEBUG */
-	
-	/* this might be a placeholder node -- have to check and make sure
-	 * there is a prefix aossciated with it ! */
-	if (node->prefix != NULL) 
-	  Deref_Prefix (node->prefix);
-	node->prefix = NULL;
-	/* Also I needed to clear data pointer -- masaki */
-	node->data = NULL;
-	return;
-    }
-
-    if (node->r == NULL && node->l == NULL) {
-#ifdef PATRICIA_DEBUG
-	fprintf (stderr, "patricia_remove: #1 %s/%d (!r & !l)\n", 
-		 prefix_toa (node->prefix), node->prefix->bitlen);
-#endif /* PATRICIA_DEBUG */
-	parent = node->parent;
-	Deref_Prefix (node->prefix);
-	Delete (node);
-        patricia->num_active_node--;
-
-	if (parent == NULL) {
-	    assert (patricia->head == node);
-	    patricia->head = NULL;
-	    return;
-	}
-
-	if (parent->r == node) {
-	    parent->r = NULL;
-	    child = parent->l;
-	}
-	else {
-	    assert (parent->l == node);
-	    parent->l = NULL;
-	    child = parent->r;
-	}
-
-	if (parent->prefix)
-	    return;
-
-	/* we need to remove parent too */
-
-	if (parent->parent == NULL) {
-	    assert (patricia->head == parent);
-	    patricia->head = child;
-	}
-	else if (parent->parent->r == parent) {
-	    parent->parent->r = child;
-	}
-	else {
-	    assert (parent->parent->l == parent);
-	    parent->parent->l = child;
-	}
-	child->parent = parent->parent;
-	Delete (parent);
-        patricia->num_active_node--;
-	return;
-    }
-
-#ifdef PATRICIA_DEBUG
-    fprintf (stderr, "patricia_remove: #2 %s/%d (r ^ l)\n", 
-	     prefix_toa (node->prefix), node->prefix->bitlen);
-#endif /* PATRICIA_DEBUG */
-    if (node->r) {
-	child = node->r;
-    }
-    else {
-	assert (node->l);
-	child = node->l;
-    }
-    parent = node->parent;
-    child->parent = parent;
-
-    Deref_Prefix (node->prefix);
-    Delete (node);
-    patricia->num_active_node--;
-
-    if (parent == NULL) {
-	assert (patricia->head == node);
-	patricia->head = child;
-	return;
-    }
-
-    if (parent->r == node) {
-	parent->r = child;
-    }
-    else {
-        assert (parent->l == node);
-	parent->l = child;
-    }
-}
-
-/* { from demo.c */
-
-patricia_node_t *
-make_and_lookup (patricia_tree_t *tree, char *string)
-{
-    prefix_t *prefix;
-    patricia_node_t *node;
-
-    prefix = ascii2prefix (AF_INET, string);
-    printf ("make_and_lookup: %s/%d\n", prefix_toa (prefix), prefix->bitlen);
-    node = patricia_lookup (tree, prefix);
-    Deref_Prefix (prefix);
-    return (node);
-}
-
-patricia_node_t *
-try_search_exact (patricia_tree_t *tree, char *string)
-{
-    prefix_t *prefix;
-    patricia_node_t *node;
-
-    prefix = ascii2prefix (AF_INET, string);
-    printf ("try_search_exact: %s/%d\n", prefix_toa (prefix), prefix->bitlen);
-    if ((node = patricia_search_exact (tree, prefix)) == NULL) {
-        printf ("try_search_exact: not found\n");
-    }
-    else {
-        printf ("try_search_exact: %s/%d found\n", 
-	        prefix_toa (node->prefix), node->prefix->bitlen);
-    }
-    Deref_Prefix (prefix);
-    return (node);
-}
-
-void
-lookup_then_remove (patricia_tree_t *tree, char *string)
-{
-    patricia_node_t *node;
-
-    if ((node = try_search_exact (tree, string)))
-        patricia_remove (tree, node);
-}
-
-patricia_node_t *
-try_search_best (patricia_tree_t *tree, char *string)
-{
-    prefix_t *prefix;
-    patricia_node_t *node;
-
-    prefix = ascii2prefix (AF_INET, string);
-    printf ("try_search_best: %s/%d\n", prefix_toa (prefix), prefix->bitlen);
-    if ((node = patricia_search_best (tree, prefix)) == NULL)
-        printf ("try_search_best: not found\n");
-    else
-        printf ("try_search_best: %s/%d found\n", 
-	        prefix_toa (node->prefix), node->prefix->bitlen);
-    Deref_Prefix (prefix);
-    return 0; // [RS] What is supposed to be returned here?
- }
-
-/* } */
diff --git a/aux/broctl/aux/pysubnettree/patricia.h b/aux/broctl/aux/pysubnettree/patricia.h
deleted file mode 100644
index ef7c5bf89f..0000000000
--- a/aux/broctl/aux/pysubnettree/patricia.h
+++ /dev/null
@@ -1,179 +0,0 @@
-/*
- * $Id: patricia.h 6811 2009-07-06 20:41:10Z robin $
- * Dave Plonka <plonka@doit.wisc.edu>
- *
- * This product includes software developed by the University of Michigan,
- * Merit Network, Inc., and their contributors. 
- *
- * This file had been called "radix.h" in the MRT sources.
- *
- * I renamed it to "patricia.h" since it's not an implementation of a general
- * radix trie.  Also, pulled in various requirements from "mrt.h" and added
- * some other things it could be used as a standalone API.
- */
-
-/* From copyright.txt:
- * 
- * Copyright (c) 1997, 1998, 1999
- * 
- * 
- * The Regents of the University of Michigan ("The Regents") and Merit Network,
- * Inc.  All rights reserved.
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- * 1.  Redistributions of source code must retain the above 
- *     copyright notice, this list of conditions and the 
- *     following disclaimer.
- * 2.  Redistributions in binary form must reproduce the above 
- *     copyright notice, this list of conditions and the 
- *     following disclaimer in the documentation and/or other 
- *     materials provided with the distribution.
- * 3.  All advertising materials mentioning features or use of 
- *     this software must display the following acknowledgement:  
- * This product includes software developed by the University of Michigan, Merit
- * Network, Inc., and their contributors. 
- * 4.  Neither the name of the University, Merit Network, nor the
- *     names of their contributors may be used to endorse or 
- *     promote products derived from this software without 
- *     specific prior written permission.
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS "AS IS" AND ANY
- * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY
- * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
- * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.  
- */
-
-#ifndef _PATRICIA_H
-#define _PATRICIA_H
-
-#include <sys/types.h>
-
-/* typedef unsigned int u_int; */
-typedef void (*void_fn_t)();
-/* { from defs.h */
-#define prefix_touchar(prefix) ((u_char *)&(prefix)->add.sin)
-#define MAXLINE 1024
-#define BIT_TEST(f, b)  ((f) & (b))
-/* } */
-
-#define addroute make_and_lookup
-
-#include <netinet/in.h> /* for struct in_addr */
-
-#include <sys/socket.h> /* for AF_INET */
-
-/* { from mrt.h */
-
-typedef struct _prefix4_t {
-    u_short family;		/* AF_INET | AF_INET6 */
-    u_short bitlen;		/* same as mask? */
-    int ref_count;		/* reference count */
-    struct in_addr sin;
-} prefix4_t;
-
-typedef struct _prefix_t {
-    u_short family;		/* AF_INET | AF_INET6 */
-    u_short bitlen;		/* same as mask? */
-    int ref_count;		/* reference count */
-    union {
-		struct in_addr sin;
-#ifdef HAVE_IPV6
-		struct in6_addr sin6;
-#endif /* IPV6 */
-    } add;
-} prefix_t;
-
-/* } */
-
-typedef struct _patricia_node_t {
-   u_int bit;			/* flag if this node used */
-   prefix_t *prefix;		/* who we are in patricia tree */
-   struct _patricia_node_t *l, *r;	/* left and right children */
-   struct _patricia_node_t *parent;/* may be used */
-   void *data;			/* pointer to data */
-   void	*user1;			/* pointer to usr data (ex. route flap info) */
-} patricia_node_t;
-
-typedef struct _patricia_tree_t {
-   patricia_node_t 	*head;
-   u_int		maxbits;	/* for IP, 32 bit addresses */
-   int num_active_node;		/* for debug purpose */
-} patricia_tree_t;
-
-
-patricia_node_t *patricia_search_exact (patricia_tree_t *patricia, prefix_t *prefix);
-patricia_node_t *patricia_search_best (patricia_tree_t *patricia, prefix_t *prefix);
-patricia_node_t * patricia_search_best2 (patricia_tree_t *patricia, prefix_t *prefix, 
-				   int inclusive);
-patricia_node_t *patricia_lookup (patricia_tree_t *patricia, prefix_t *prefix);
-void patricia_remove (patricia_tree_t *patricia, patricia_node_t *node);
-patricia_tree_t *New_Patricia (int maxbits);
-void Clear_Patricia (patricia_tree_t *patricia, void_fn_t func);
-void Destroy_Patricia (patricia_tree_t *patricia, void_fn_t func);
-void patricia_process (patricia_tree_t *patricia, void_fn_t func);
-
-void Deref_Prefix (prefix_t * prefix);
-
-/* { from demo.c */
-
-prefix_t *
-ascii2prefix (int family, char *string);
-
-patricia_node_t *
-make_and_lookup (patricia_tree_t *tree, char *string);
-
-/* } */
-
-#define PATRICIA_MAXBITS 128
-#define PATRICIA_NBIT(x)        (0x80 >> ((x) & 0x7f))
-#define PATRICIA_NBYTE(x)       ((x) >> 3)
-
-#define PATRICIA_DATA_GET(node, type) (type *)((node)->data)
-#define PATRICIA_DATA_SET(node, value) ((node)->data = (void *)(value))
-
-#define PATRICIA_WALK(Xhead, Xnode) \
-    do { \
-        patricia_node_t *Xstack[PATRICIA_MAXBITS+1]; \
-        patricia_node_t **Xsp = Xstack; \
-        patricia_node_t *Xrn = (Xhead); \
-        while ((Xnode = Xrn)) { \
-            if (Xnode->prefix)
-
-#define PATRICIA_WALK_ALL(Xhead, Xnode) \
-do { \
-        patricia_node_t *Xstack[PATRICIA_MAXBITS+1]; \
-        patricia_node_t **Xsp = Xstack; \
-        patricia_node_t *Xrn = (Xhead); \
-        while ((Xnode = Xrn)) { \
-	    if (1)
-
-#define PATRICIA_WALK_BREAK { \
-	    if (Xsp != Xstack) { \
-		Xrn = *(--Xsp); \
-	     } else { \
-		Xrn = (patricia_node_t *) 0; \
-	    } \
-	    continue; }
-
-#define PATRICIA_WALK_END \
-            if (Xrn->l) { \
-                if (Xrn->r) { \
-                    *Xsp++ = Xrn->r; \
-                } \
-                Xrn = Xrn->l; \
-            } else if (Xrn->r) { \
-                Xrn = Xrn->r; \
-            } else if (Xsp != Xstack) { \
-                Xrn = *(--Xsp); \
-            } else { \
-                Xrn = (patricia_node_t *) 0; \
-            } \
-        } \
-    } while (0)
-
-#endif /* _PATRICIA_H */
diff --git a/aux/broctl/aux/pysubnettree/setup.py b/aux/broctl/aux/pysubnettree/setup.py
deleted file mode 100644
index d0b697d490..0000000000
--- a/aux/broctl/aux/pysubnettree/setup.py
+++ /dev/null
@@ -1,18 +0,0 @@
-#! /usr/bin/env python
-
-import sys
-
-from distutils.core import setup, Extension
-
-setup(name="pysubnettree", 
-    version="0.12",
-    author="Robin Sommer",
-    author_email="robin@icir.org",
-    license="BSD",
-    url="http://www.icir.org/robin/pysubnettree",
-    py_modules=['SubnetTree'],
-    ext_modules = [ 
-        Extension("_SubnetTree", ["SubnetTree.cc", "patricia.c", "SubnetTree_wrap.cc"]), 
-        ] 
-)
-
diff --git a/aux/broctl/aux/pysubnettree/test.py b/aux/broctl/aux/pysubnettree/test.py
deleted file mode 100644
index 0642c755d1..0000000000
--- a/aux/broctl/aux/pysubnettree/test.py
+++ /dev/null
@@ -1,86 +0,0 @@
-#! /usr/bin/env python
-
-import socket
-import SubnetTree
-
-t = SubnetTree.SubnetTree()
-
-t.insert("1.2.3.4/16")
-
-if "1.2.3.255" in t:
-    print "yes [correct]"
-else:
-    print "no [incorrect]"
-
-if socket.inet_aton("1.2.3.255") in t:
-    print "yes [correct]"
-else:
-    print "no [incorrect]"
-    
-if "1.3.3.255" in t:
-    print "yes [correct]"
-else:
-    print "no [correct]"
-
-if socket.inet_aton("1.3.3.255") in t:
-    print "yes [correct]"
-else:
-    print "no [correct]"
-    
-if socket.inet_aton("0.1.2.3") in t:
-    print "yes [incorrect]"
-else:
-    print "no [correct]"
-
-t["4.3.2.1/8"] = "indexing works [correct]"
-print t["4.3.255.255"]
-
-try:
-    print t["42.42.42.42"],
-    print "[incorect]"
-except KeyError:
-    print "catching lookup failure [correct]"
-
-del t["4.3.2.1/8"]
-
-try:
-    print t["4.3.2.1/8"],
-    print "[incorect]"
-except KeyError:
-    print "del works [correct]"
-
-try:
-    t["a.b.c.d/error"] = 5
-except IndexError:
-    print "catching parsing errors [correct]"
-
-try:
-    print None in t,
-    print "should not be printed [incorrect]"
-except TypeError:
-    print "catching None lookup [correct]"
-    
-try:    
-    t[None] = "should fail"   
-    print "should not be printed [incorrect]"
-except TypeError:
-    print "catching None assignment [correct]"
-    
-try: 
-    print t[None], 
-    print "should not be printed [incorrect]"
-except TypeError:
-    print "catching None access [correct]"
-
-try: 
-    del t[None],
-    print "should not be printed [incorrect]"
-except TypeError:
-    print "catching None delete [correct]"
-
-try: 
-    print t[42],
-    print "should not be printed [incorrect]"
-except TypeError:
-    print "catching integer lookup [correct]"
-
diff --git a/aux/broctl/aux/trace-summary/CHANGES b/aux/broctl/aux/trace-summary/CHANGES
deleted file mode 100644
index 683fcec38e..0000000000
--- a/aux/broctl/aux/trace-summary/CHANGES
+++ /dev/null
@@ -1,4 +0,0 @@
-
-0.6  -  License changed to BSD-style. 
-
-0.5  -  First release.
diff --git a/aux/broctl/aux/trace-summary/COPYING b/aux/broctl/aux/trace-summary/COPYING
deleted file mode 100644
index 03a48c452f..0000000000
--- a/aux/broctl/aux/trace-summary/COPYING
+++ /dev/null
@@ -1,35 +0,0 @@
-
-Copyright (c) 2007-2009, Robin Sommer
-
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions
-are met:
-
-    * Redistributions of source code must retain the above copyright
-      notice, this list of conditions and the following disclaimer.
-      
-    * Redistributions in binary form must reproduce the above
-      copyright notice, this list of conditions and the following
-      disclaimer in the documentation and/or other materials provided
-      with the distribution.
-      
-    * Neither the name of the International Computer Science
-      Institute nor the names of its contributors may be used to
-      endorse or promote products derived from this software without
-      specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
-FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
-INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
-BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
-ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGE.
-
diff --git a/aux/broctl/aux/trace-summary/Makefile b/aux/broctl/aux/trace-summary/Makefile
deleted file mode 100644
index 2cca32cb62..0000000000
--- a/aux/broctl/aux/trace-summary/Makefile
+++ /dev/null
@@ -1,19 +0,0 @@
-
-DISTFILES = README README.html COPYING CHANGES Makefile trace-summary 
-
-VERSION=$(shell grep ^Version trace-summary | awk 'BEGIN{IFS="[= ]}"}{print $$3}')
-DISTDIR=trace-summary-$(VERSION)
-
-doc: README.html
-
-README.html: README
-	asciidoc -a toc -b xhtml11-custom README
-    
-dist: doc
-	rm -rf $(DISTDIR)
-	mkdir $(DISTDIR)
-	cp $(DISTFILES) $(DISTDIR)
-	tar czvf $(DISTDIR).tgz $(DISTDIR)
-	rm -rf $(DISTDIR)
-	     
-
diff --git a/aux/broctl/aux/trace-summary/README b/aux/broctl/aux/trace-summary/README
deleted file mode 100644
index bcfa4e1672..0000000000
--- a/aux/broctl/aux/trace-summary/README
+++ /dev/null
@@ -1,129 +0,0 @@
-//	-*- AsciiDoc -*-
-trace-summary - Generating network traffic summaries.
-=====================================================
-
-Overview
---------
-
-+trace-summary+ is a Python script which generates break-downs of
-network traffic, including lists of the top hosts, protocols, ports,
-etc. Optionally, it can generate output separately for incoming vs.
-outgoing traffic, per subnet, and per time-interval.
-
-The script reads both packet traces in
-http://www.tcpdump.org[+libpcap+] format and connection logs 
-produced by the http://www.bro-ids.org[Bro] network intrusion
-detection system. 
-
-Here are two example outputs in the most basic form (note that IP
-addresses are 'anonymized'). The first is from a packet trace and
-the second from a Bro connection log:
-
-
- >== Total === 2005-01-06-14-23-33 - 2005-01-06-15-23-43
-   - Bytes 918.3m - Payload 846.3m - Pkts 1.8m - Frags   0.9% - MBit/s      1.9 - 
-     Ports        | Sources                   | Destinations              | Protocols |
-     80     33.8% | 131.243.89.214       8.5% | 131.243.89.214       7.7% | 6   76.0% | 
-     22     16.7% | 128.3.2.102          6.2% | 128.3.2.102          5.4% | 17  23.3% | 
-     11001  12.4% | 204.116.120.26       4.8% | 131.243.89.4         4.8% | 1    0.5% | 
-     2049   10.7% | 128.3.161.32         3.6% | 131.243.88.227       3.6% |           | 
-     1023   10.6% | 131.243.89.4         3.5% | 204.116.120.26       3.4% |           | 
-     993     8.2% | 128.3.164.194        2.7% | 131.243.89.64        3.1% |           | 
-     1049    8.1% | 128.3.164.15         2.4% | 128.3.164.229        2.9% |           | 
-     524     6.6% | 128.55.82.146        2.4% | 131.243.89.155       2.5% |           | 
-     33305   4.5% | 131.243.88.227       2.3% | 128.3.161.32         2.3% |           | 
-     1085    3.7% | 131.243.89.155       2.3% | 128.55.82.146        2.1% |           | 
-
-
- >== Total === 2005-01-06-14-23-33 - 2005-01-06-15-23-42
-   - Connections 43.4k - Payload 398.4m - 
-     Ports        | Sources                   | Destinations              | Services           | Protocols | States        |
-     80     21.7% | 207.240.215.71       3.0% | 239.255.255.253      8.0% | other        51.0% | 17  55.8% | S0      46.2% | 
-     427    13.0% | 131.243.91.71        2.2% | 131.243.91.255       4.0% | http         21.7% | 6   36.4% | SF      30.1% | 
-     443     3.8% | 128.3.161.76         1.7% | 131.243.89.138       2.1% | i-echo        7.3% | 1    7.7% | OTH      7.8% | 
-     138     3.7% | 131.243.90.138       1.6% | 255.255.255.255      1.7% | https         3.8% |           | RSTO     5.8% | 
-     515     2.4% | 131.243.88.159       1.6% | 128.3.97.204         1.5% | nb-dgm        3.7% |           | SHR      4.4% | 
-     11001   2.3% | 131.243.88.202       1.4% | 131.243.88.107       1.1% | printer       2.4% |           | REJ      3.0% | 
-     53      1.9% | 131.243.89.250       1.4% | 117.72.94.10         1.1% | dns           1.9% |           | S1       1.0% | 
-     161     1.6% | 131.243.89.80        1.3% | 131.243.88.64        1.1% | snmp          1.6% |           | RSTR     0.9% | 
-     137     1.4% | 131.243.90.52        1.3% | 131.243.88.159       1.1% | nb-ns         1.4% |           | SH       0.3% | 
-     2222    1.1% | 128.3.161.252        1.2% | 131.243.91.92        1.1% | ntp           1.0% |           | RSTRH    0.2% | 
-
-
-Download
---------
-
-Download http://www.icir.org/robin/trace-summary-0.5.tar.gz[+trace-summary-0.5.tar.gz+]
-
-Prerequisites
--------------
-
-* This script requires Python 2.4 or newer.
-
-* It also requires the installation of
-  - the http://www.icir.org/robin/pysubnettree[+pysubnettree+] Python module, and
-  - Eddie Kohler's http://www.cs.ucla.edu/~kohler/ipsumdump[+ipsumdump+] 
-
-Installation
-------------
-
-Simply copy the script into some directory which is in your +PATH+.
-
-Usage
------
-
-The general usage is 
-
-   trace-summary [options] [input-file]
-
-Per default, it assumes the +input-file+ to be a +libpcap+ trace
-file. If it is a Bro connection log, use +-c+. If +input-file+ is
-not given, the script reads from stdin. It writes its output to
-stdout. 
-
-Options
-~~~~~~~
-
-There are a bunch of options. The most important ones summmarized
-below. Run +trace-summary \--help+ to see the full list including
-some more estoric ones. 
-
-*-c*::         Input is a Bro connection log instead of a +libpcap+ trace
-               file.
-
-*-b*::         Counts all percentages in bytes rather than number of
-               packets/connections.
-       
-*-E <file>*::  Gives a file which contains a list of networks to
-               ignore for the analysis. The file must contain one
-               network per line, where each network is of the CIDR
-               form +a.b.c.d/mask+. Empty lines and lines starting
-               with a "#" are ignored. 
-
-*-i <duration>*:: Creates totals for each time interval of the given
-                  length (default is seconds; add "+m+" for minutes
-                  and "+h+" for hours). Use +-v+ if you also want to
-                  see the breakdowns for each interval.
-
-*-l <file>*::  Generates separate summaries for incoming and outgoing
-               traffic. +<file>+ is a file which contains a list of
-               networks to be considered local. Format as for +-E+.
-               
-*-n <n>*:: Show top n entries in each break-down.
-               Default is 10.
-              
-*-r*::         Resolves hostnames in the output.       
-
-*-s <n>*::     Gives the sample factor if the input has been sampled.
-
-*-S <n>*::     Sample input with the given factor; less accurate but
-               faster and saves memory.
-
-*-m*::         Does skip memory-expensive statistics.
-
-*-v*::         Generates full break-downs for each time interval. 
-               Requires +-i+.
-    
-
-
-
diff --git a/aux/broctl/aux/trace-summary/README.html b/aux/broctl/aux/trace-summary/README.html
deleted file mode 100644
index 8e6c6b59e3..0000000000
--- a/aux/broctl/aux/trace-summary/README.html
+++ /dev/null
@@ -1,592 +0,0 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
-    "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
-<meta name="generator" content="AsciiDoc 8.2.2" />
-<style type="text/css">
-/* Debug borders */
-p, li, dt, dd, div, pre, h1, h2, h3, h4, h5, h6 {
-/*
-  border: 1px solid red;
-*/
-}
-
-body {
-  margin: 1em 5% 1em 5%;
-}
-
-a {
-  color: blue;
-  text-decoration: underline;
-}
-a:visited {
-  color: fuchsia;
-}
-
-em {
-  font-style: italic;
-}
-
-strong {
-  font-weight: bold;
-}
-
-tt {
-  color: navy;
-}
-
-h1, h2, h3, h4, h5, h6 {
-  color: #527bbd;
-  font-family: sans-serif;
-  margin-top: 1.2em;
-  margin-bottom: 0.5em;
-  line-height: 1.3;
-}
-
-h1 {
-  border-bottom: 2px solid silver;
-}
-h2 {
-  border-bottom: 2px solid silver;
-  padding-top: 0.5em;
-}
-
-div.sectionbody {
-  font-family: serif;
-  margin-left: 0;
-}
-
-hr {
-  border: 1px solid silver;
-}
-
-p {
-  margin-top: 0.5em;
-  margin-bottom: 0.5em;
-}
-
-pre {
-  padding: 0;
-  margin: 0;
-}
-
-span#author {
-  color: #527bbd;
-  font-family: sans-serif;
-  font-weight: bold;
-  font-size: 1.1em;
-}
-span#email {
-}
-span#revision {
-  font-family: sans-serif;
-}
-
-div#footer {
-  font-family: sans-serif;
-  font-size: small;
-  border-top: 2px solid silver;
-  padding-top: 0.5em;
-  margin-top: 4.0em;
-}
-div#footer-text {
-  line-height: 1.3;
-  float: left;
-  padding-bottom: 0.5em;
-}
-div#footer-badges {
-  float: right;
-  padding-bottom: 0.5em;
-}
-
-div#preamble,
-div.tableblock, div.imageblock, div.exampleblock, div.verseblock,
-div.quoteblock, div.literalblock, div.listingblock, div.sidebarblock,
-div.admonitionblock {
-  margin-right: 10%;
-  margin-top: 1.5em;
-  margin-bottom: 1.5em;
-}
-div.admonitionblock {
-  margin-top: 2.5em;
-  margin-bottom: 2.5em;
-}
-
-div.content { /* Block element content. */
-  padding: 0;
-}
-
-/* Block element titles. */
-div.title, caption.title {
-  font-family: sans-serif;
-  font-weight: bold;
-  text-align: left;
-  margin-top: 1.0em;
-  margin-bottom: 0.5em;
-}
-div.title + * {
-  margin-top: 0;
-}
-
-td div.title:first-child {
-  margin-top: 0.0em;
-}
-div.content div.title:first-child {
-  margin-top: 0.0em;
-}
-div.content + div.title {
-  margin-top: 0.0em;
-}
-
-div.sidebarblock > div.content {
-  background: #ffffee;
-  border: 1px solid silver;
-  padding: 0.5em;
-}
-
-div.listingblock {
-  margin-right: 0%;
-}
-div.listingblock > div.content {
-  border: 1px solid silver;
-  background: #f4f4f4;
-  padding: 0.5em;
-}
-
-div.quoteblock > div.content {
-  padding-left: 2.0em;
-}
-
-div.attribution {
-  text-align: right;
-}
-div.verseblock + div.attribution {
-  text-align: left;
-}
-
-div.admonitionblock .icon {
-  vertical-align: top;
-  font-size: 1.1em;
-  font-weight: bold;
-  text-decoration: underline;
-  color: #527bbd;
-  padding-right: 0.5em;
-}
-div.admonitionblock td.content {
-  padding-left: 0.5em;
-  border-left: 2px solid silver;
-}
-
-div.exampleblock > div.content {
-  border-left: 2px solid silver;
-  padding: 0.5em;
-}
-
-div.verseblock div.content {
-  white-space: pre;
-}
-
-div.imageblock div.content { padding-left: 0; }
-div.imageblock img { border: 1px solid silver; }
-span.image img { border-style: none; }
-
-dl {
-  margin-top: 0.8em;
-  margin-bottom: 0.8em;
-}
-dt {
-  margin-top: 0.5em;
-  margin-bottom: 0;
-  font-style: italic;
-}
-dd > *:first-child {
-  margin-top: 0;
-}
-
-ul, ol {
-    list-style-position: outside;
-}
-ol.olist2 {
-  list-style-type: lower-alpha;
-}
-
-div.tableblock > table {
-  border: 3px solid #527bbd;
-}
-thead {
-  font-family: sans-serif;
-  font-weight: bold;
-}
-tfoot {
-  font-weight: bold;
-}
-
-div.hlist {
-  margin-top: 0.8em;
-  margin-bottom: 0.8em;
-}
-div.hlist td {
-  padding-bottom: 5px;
-}
-td.hlist1 {
-  vertical-align: top;
-  font-style: italic;
-  padding-right: 0.8em;
-}
-td.hlist2 {
-  vertical-align: top;
-}
-
-@media print {
-  div#footer-badges { display: none; }
-}
-
-div#toctitle {
-  color: #527bbd;
-  font-family: sans-serif;
-  font-size: 1.1em;
-  font-weight: bold;
-  margin-top: 1.0em;
-  margin-bottom: 0.1em;
-}
-
-div.toclevel1, div.toclevel2, div.toclevel3, div.toclevel4 {
-  margin-top: 0;
-  margin-bottom: 0;
-}
-div.toclevel2 {
-  margin-left: 2em;
-  font-size: 0.9em;
-}
-div.toclevel3 {
-  margin-left: 4em;
-  font-size: 0.9em;
-}
-div.toclevel4 {
-  margin-left: 6em;
-  font-size: 0.9em;
-}
-/* Workarounds for IE6's broken and incomplete CSS2. */
-
-div.sidebar-content {
-  background: #ffffee;
-  border: 1px solid silver;
-  padding: 0.5em;
-}
-div.sidebar-title, div.image-title {
-  font-family: sans-serif;
-  font-weight: bold;
-  margin-top: 0.0em;
-  margin-bottom: 0.5em;
-}
-
-div.listingblock div.content {
-  border: 1px solid silver;
-  background: #f4f4f4;
-  padding: 0.5em;
-}
-
-div.quoteblock-content {
-  padding-left: 2.0em;
-}
-
-div.exampleblock-content {
-  border-left: 2px solid silver;
-  padding-left: 0.5em;
-}
-
-/* IE6 sets dynamically generated links as visited. */
-div#toc a:visited { color: blue; }
-</style>
-<script type="text/javascript">
-/*<![CDATA[*/
-window.onload = function(){generateToc(2)}
-/* Author: Mihai Bazon, September 2002
- * http://students.infoiasi.ro/~mishoo
- *
- * Table Of Content generator
- * Version: 0.4
- *
- * Feel free to use this script under the terms of the GNU General Public
- * License, as long as you do not remove or alter this notice.
- */
-
- /* modified by Troy D. Hanson, September 2006. License: GPL */
- /* modified by Stuart Rackham, October 2006. License: GPL */
-
-function getText(el) {
-  var text = "";
-  for (var i = el.firstChild; i != null; i = i.nextSibling) {
-    if (i.nodeType == 3 /* Node.TEXT_NODE */) // IE doesn't speak constants.
-      text += i.data;
-    else if (i.firstChild != null)
-      text += getText(i);
-  }
-  return text;
-}
-
-function TocEntry(el, text, toclevel) {
-  this.element = el;
-  this.text = text;
-  this.toclevel = toclevel;
-}
-
-function tocEntries(el, toclevels) {
-  var result = new Array;
-  var re = new RegExp('[hH]([2-'+(toclevels+1)+'])');
-  // Function that scans the DOM tree for header elements (the DOM2
-  // nodeIterator API would be a better technique but not supported by all
-  // browsers).
-  var iterate = function (el) {
-    for (var i = el.firstChild; i != null; i = i.nextSibling) {
-      if (i.nodeType == 1 /* Node.ELEMENT_NODE */) {
-        var mo = re.exec(i.tagName)
-        if (mo)
-          result[result.length] = new TocEntry(i, getText(i), mo[1]-1);
-        iterate(i);
-      }
-    }
-  }
-  iterate(el);
-  return result;
-}
-
-// This function does the work. toclevels = 1..4.
-function generateToc(toclevels) {
-  var toc = document.getElementById("toc");
-  var entries = tocEntries(document.getElementsByTagName("body")[0], toclevels);
-  for (var i = 0; i < entries.length; ++i) {
-    var entry = entries[i];
-    if (entry.element.id == "")
-      entry.element.id = "toc" + i;
-    var a = document.createElement("a");
-    a.href = "#" + entry.element.id;
-    a.appendChild(document.createTextNode(entry.text));
-    var div = document.createElement("div");
-    div.appendChild(a);
-    div.className = "toclevel" + entry.toclevel;
-    toc.appendChild(div);
-  }
-}
-/*]]>*/
-</script>
-<title>trace-summary - Generating network traffic summaries.</title>
-</head>
-<body>
-<div id="header">
-<h1>trace-summary - Generating network traffic summaries.</h1>
-<div id="toc">
-  <div id="toctitle">Table of Contents</div>
-  <noscript><p><b>JavaScript must be enabled in your browser to display the table of contents.</b></p></noscript>
-</div>
-</div>
-<h2>Overview</h2>
-<div class="sectionbody">
-<p><tt>trace-summary</tt> is a Python script which generates break-downs of
-network traffic, including lists of the top hosts, protocols, ports,
-etc. Optionally, it can generate output separately for incoming vs.
-outgoing traffic, per subnet, and per time-interval.</p>
-<p>The script reads both packet traces in
-<a href="http://www.tcpdump.org"><tt>libpcap</tt></a> format and connection logs
-produced by the <a href="http://www.bro-ids.org">Bro</a> network intrusion
-detection system.</p>
-<p>Here are two example outputs in the most basic form (note that IP
-addresses are <em>anonymized</em>). The first is from a packet trace and
-the second from a Bro connection log:</p>
-<div class="literalblock">
-<div class="content">
-<pre><tt>&gt;== Total === 2005-01-06-14-23-33 - 2005-01-06-15-23-43
-  - Bytes 918.3m - Payload 846.3m - Pkts 1.8m - Frags   0.9% - MBit/s      1.9 -
-    Ports        | Sources                   | Destinations              | Protocols |
-    80     33.8% | 131.243.89.214       8.5% | 131.243.89.214       7.7% | 6   76.0% |
-    22     16.7% | 128.3.2.102          6.2% | 128.3.2.102          5.4% | 17  23.3% |
-    11001  12.4% | 204.116.120.26       4.8% | 131.243.89.4         4.8% | 1    0.5% |
-    2049   10.7% | 128.3.161.32         3.6% | 131.243.88.227       3.6% |           |
-    1023   10.6% | 131.243.89.4         3.5% | 204.116.120.26       3.4% |           |
-    993     8.2% | 128.3.164.194        2.7% | 131.243.89.64        3.1% |           |
-    1049    8.1% | 128.3.164.15         2.4% | 128.3.164.229        2.9% |           |
-    524     6.6% | 128.55.82.146        2.4% | 131.243.89.155       2.5% |           |
-    33305   4.5% | 131.243.88.227       2.3% | 128.3.161.32         2.3% |           |
-    1085    3.7% | 131.243.89.155       2.3% | 128.55.82.146        2.1% |           |</tt></pre>
-</div></div>
-<div class="literalblock">
-<div class="content">
-<pre><tt>&gt;== Total === 2005-01-06-14-23-33 - 2005-01-06-15-23-42
-  - Connections 43.4k - Payload 398.4m -
-    Ports        | Sources                   | Destinations              | Services           | Protocols | States        |
-    80     21.7% | 207.240.215.71       3.0% | 239.255.255.253      8.0% | other        51.0% | 17  55.8% | S0      46.2% |
-    427    13.0% | 131.243.91.71        2.2% | 131.243.91.255       4.0% | http         21.7% | 6   36.4% | SF      30.1% |
-    443     3.8% | 128.3.161.76         1.7% | 131.243.89.138       2.1% | i-echo        7.3% | 1    7.7% | OTH      7.8% |
-    138     3.7% | 131.243.90.138       1.6% | 255.255.255.255      1.7% | https         3.8% |           | RSTO     5.8% |
-    515     2.4% | 131.243.88.159       1.6% | 128.3.97.204         1.5% | nb-dgm        3.7% |           | SHR      4.4% |
-    11001   2.3% | 131.243.88.202       1.4% | 131.243.88.107       1.1% | printer       2.4% |           | REJ      3.0% |
-    53      1.9% | 131.243.89.250       1.4% | 117.72.94.10         1.1% | dns           1.9% |           | S1       1.0% |
-    161     1.6% | 131.243.89.80        1.3% | 131.243.88.64        1.1% | snmp          1.6% |           | RSTR     0.9% |
-    137     1.4% | 131.243.90.52        1.3% | 131.243.88.159       1.1% | nb-ns         1.4% |           | SH       0.3% |
-    2222    1.1% | 128.3.161.252        1.2% | 131.243.91.92        1.1% | ntp           1.0% |           | RSTRH    0.2% |</tt></pre>
-</div></div>
-</div>
-<h2>Download</h2>
-<div class="sectionbody">
-<p>Download <a href="http://www.icir.org/robin/trace-summary-0.5.tar.gz"><tt>trace-summary-0.5.tar.gz</tt></a></p>
-</div>
-<h2>Prerequisites</h2>
-<div class="sectionbody">
-<ul>
-<li>
-<p>
-This script requires Python 2.4 or newer.
-</p>
-</li>
-<li>
-<p>
-It also requires the installation of
-</p>
-<ul>
-<li>
-<p>
-the <a href="http://www.icir.org/robin/pysubnettree"><tt>pysubnettree</tt></a> Python module, and
-</p>
-</li>
-<li>
-<p>
-Eddie Kohler's <a href="http://www.cs.ucla.edu/~kohler/ipsumdump"><tt>ipsumdump</tt></a>
-</p>
-</li>
-</ul>
-</li>
-</ul>
-</div>
-<h2>Installation</h2>
-<div class="sectionbody">
-<p>Simply copy the script into some directory which is in your <tt>PATH</tt>.</p>
-</div>
-<h2>Usage</h2>
-<div class="sectionbody">
-<p>The general usage is</p>
-<div class="literalblock">
-<div class="content">
-<pre><tt>trace-summary [options] [input-file]</tt></pre>
-</div></div>
-<p>Per default, it assumes the <tt>input-file</tt> to be a <tt>libpcap</tt> trace
-file. If it is a Bro connection log, use <tt>-c</tt>. If <tt>input-file</tt> is
-not given, the script reads from stdin. It writes its output to
-stdout.</p>
-<h3>Options</h3>
-<p>There are a bunch of options. The most important ones summmarized
-below. Run <tt>trace-summary --help</tt> to see the full list including
-some more estoric ones.</p>
-<div class="hlist"><table>
-<tr>
-<td class="hlist1">
-<strong>-c</strong>
-</td>
-<td class="hlist2">
-Input is a Bro connection log instead of a <tt>libpcap</tt> trace
-               file.
-</td>
-</tr>
-<tr>
-<td class="hlist1">
-<strong>-b</strong>
-</td>
-<td class="hlist2">
-Counts all percentages in bytes rather than number of
-               packets/connections.
-</td>
-</tr>
-<tr>
-<td class="hlist1">
-<strong>-E &lt;file&gt;</strong>
-</td>
-<td class="hlist2">
-Gives a file which contains a list of networks to
-               ignore for the analysis. The file must contain one
-               network per line, where each network is of the CIDR
-               form <tt>a.b.c.d/mask</tt>. Empty lines and lines starting
-               with a "#" are ignored.
-</td>
-</tr>
-<tr>
-<td class="hlist1">
-<strong>-i &lt;duration&gt;</strong>
-</td>
-<td class="hlist2">
-Creates totals for each time interval of the given
-                  length (default is seconds; add "<tt>m</tt>" for minutes
-                  and "<tt>h</tt>" for hours). Use <tt>-v</tt> if you also want to
-                  see the breakdowns for each interval.
-</td>
-</tr>
-<tr>
-<td class="hlist1">
-<strong>-l &lt;file&gt;</strong>
-</td>
-<td class="hlist2">
-Generates separate summaries for incoming and outgoing
-               traffic. <tt>&lt;file&gt;</tt> is a file which contains a list of
-               networks to be considered local. Format as for <tt>-E</tt>.
-</td>
-</tr>
-<tr>
-<td class="hlist1">
-<strong>-n &lt;n&gt;</strong>
-</td>
-<td class="hlist2">
-Show top n entries in each break-down.
-               Default is 10.
-</td>
-</tr>
-<tr>
-<td class="hlist1">
-<strong>-r</strong>
-</td>
-<td class="hlist2">
-Resolves hostnames in the output.
-</td>
-</tr>
-<tr>
-<td class="hlist1">
-<strong>-s &lt;n&gt;</strong>
-</td>
-<td class="hlist2">
-Gives the sample factor if the input has been sampled.
-</td>
-</tr>
-<tr>
-<td class="hlist1">
-<strong>-S &lt;n&gt;</strong>
-</td>
-<td class="hlist2">
-Sample input with the given factor; less accurate but
-               faster and saves memory.
-</td>
-</tr>
-<tr>
-<td class="hlist1">
-<strong>-m</strong>
-</td>
-<td class="hlist2">
-Does skip memory-expensive statistics.
-</td>
-</tr>
-<tr>
-<td class="hlist1">
-<strong>-v</strong>
-</td>
-<td class="hlist2">
-Generates full break-downs for each time interval.
-               Requires <tt>-i</tt>.
-</td>
-</tr>
-</table></div>
-</div>
-<div id="footer">
-<div id="footer-text">
-<a href="http://www.icir.org/robin">Back to Homepage</a><br />
-12-Nov-2007 15:23:04 PDT - Robin Sommer
-</div>
-</div>
-</body>
-</html>
diff --git a/aux/broctl/aux/trace-summary/trace-summary b/aux/broctl/aux/trace-summary/trace-summary
deleted file mode 100755
index 12ac9bf167..0000000000
--- a/aux/broctl/aux/trace-summary/trace-summary
+++ /dev/null
@@ -1,884 +0,0 @@
-#! /usr/bin/env python
-
-import os
-import time
-import sys
-import socket
-import signal
-import posix
-import errno
-import resource
-import optparse
-import random
-
-Version = 0.6
-
-random.seed()
-
-import SubnetTree
-
-class IntervalUpdate:
-    pass
-
-class IntervalList:
-    def __init__(self):
-        self.ints = []
-        self.start = -1
-
-    def finish(self):
-        for i in self.ints:
-            if i:
-                i.start += self.start
-                i.end += self.start
-                i.applySampleFactor()
-            
-    def writeR(self, file, top_ports):
-        file = open(file, "w")
-        Interval.makeRHeader(file, top_ports)
-        next_start = self.start
-        
-        for i in self.ints:
-            if i:
-                i.formatForR(file, top_ports)
-                next_start = i.end
-            else:
-                empty = Interval()
-                empty.start = next_start
-                empty.end = next_start + Options.ilen
-                empty.formatForR(file, top_ports)
-                next_start = empty.end
-            
-class Interval:
-    def __init__(self):
-        self.start = 1e20
-        self.end = 0
-        self.bytes = 0
-        self.payload = 0
-        self.pkts = 0
-        self.frags = 0
-        self.updates = 0
-        self.ports = {}
-        self.prots = {}
-        self.servs = {}
-        self.srcs = {}
-        self.dsts = {}
-        self.states = {}
-
-    def update(self, iupdate, adjusttime=True):
-
-        self.updates += 1
-        self.pkts += iupdate.pkts
-        self.bytes += iupdate.bytes
-        self.payload += iupdate.payload
-        self.frags += iupdate.frags
-
-        if Options.bytes:
-            incr = iupdate.bytes
-        else:
-            incr = 1
-
-        # For packets, we need to look at the source port, too.
-        if not Options.conns:
-            if ( iupdate.src_port < 1024 ) or \
-                ( not Ports and not Options.save_mem ) or \
-                ( Ports and iupdate.src_port in Ports ) or \
-                Options.storeports:
-                try:
-                    self.ports[iupdate.src_port] += incr
-                except KeyError:
-                    self.ports[iupdate.src_port] = incr
-
-        if ( iupdate.dst_port < 1024 ) or \
-            ( not Ports and not Options.save_mem ) or \
-            ( Ports and iupdate.dst_port in Ports ) or \
-            Options.storeports:
-            try:
-                self.ports[iupdate.dst_port] += incr
-            except KeyError:
-                self.ports[iupdate.dst_port] = incr
-            
-        try:
-            self.prots[iupdate.prot] += incr
-        except KeyError:
-            self.prots[iupdate.prot] = incr
-
-        try:
-            self.servs[iupdate.service] += incr
-        except KeyError:
-            self.servs[iupdate.service] = incr
-            
-        try:
-            self.states[iupdate.state] += incr
-        except KeyError:
-            self.states[iupdate.state] = incr
-
-        if adjusttime:
-            if iupdate.start < self.start:
-                self.start = iupdate.start
-
-            if iupdate.end > self.end:
-                self.end = iupdate.end
-            
-        if not Options.save_mem and not Options.R:
-            try:
-                self.srcs[iupdate.src_ip] += incr
-            except KeyError:
-                self.srcs[iupdate.src_ip] = incr
-            
-            try:
-                self.dsts[iupdate.dst_ip] += incr
-            except KeyError:
-                self.dsts[iupdate.dst_ip] = incr
-
-    def applySampleFactor(self):
-        if Options.factor == 1:
-            return
-
-        self.bytes *= Options.factor
-        self.payload *= Options.factor
-        self.pkts *= Options.factor
-        self.frags *= Options.factor
-        self.updates *= Options.factor
-        
-        for i in self.ports.keys():
-             self.ports[i] *= Options.factor
-        for i in self.prots.keys():
-             self.prots[i] *= Options.factor
-        for i in self.servs.keys():
-             self.servs[i] *= Options.factor
-        for i in self.srcs.keys():
-             self.srcs[i] *= Options.factor
-        for i in self.dsts.keys():
-             self.dsts[i] *= Options.factor
-        for i in self.states.keys():
-             self.states[i] *= Options.factor
-                
-    def format(self, conns=False, title=""):
-        def fmt(tag, count, total=-1, sep=" - "):
-            if total >= 0:
-                try:
-                    return "%s %5.1f%%%s" % (tag, (float(count) / total) * 100, sep)
-                except ZeroDivisionError:
-                    return "%s (??%%)%s" % (tag, sep)
-                        
-            return "%s %s%s" % (tag, formatVal(count), sep)
-
-        s = "\n>== %s === %s - %s\n   - " % (title, isoTime(self.start), isoTime(self.end))
-
-        if not conns:
-            # Information for packet traces.
-            s += fmt("Bytes", self.bytes) + \
-                 fmt("Payload", self.payload) + \
-                 fmt("Pkts", self.pkts) + \
-                 fmt("Frags", self.frags, self.pkts)
-                 
-            try:
-                mbit = self.bytes * 8 / 1024.0 / 1024.0 / (self.end - self.start)
-            except ZeroDivisionError:
-                mbit = 0
-            
-            s += "MBit/s %8.1f - " % mbit
-                 
-        else:
-            # Information for connection summaries.
-            s += fmt("Connections", self.pkts) + \
-                 fmt("Payload", self.payload)
-        
-        if Options.verbose:    
-            ports = topx(self.ports)
-            srcs = topx(self.srcs)
-            dsts = topx(self.dsts)
-            prots = topx(self.prots)
-            servs = topx(self.servs)
-
-            servs = map(lambda (count, svc): (count, svc.replace("icmp-", "i-").replace("netbios", "nb")), servs)
-            
-            s += "\n     %-5s        | %-18s        | %-18s        | %-18s | %1s |" \
-                % ("Ports", "Sources", "Destinations", "Services", "Protocols") 
-
-            if conns:
-                s += " States        |"
-                states = (topx(self.states),6)
-            else:
-                states = ({},0)
-
-            s += "\n"
-                
-            addrs = []
-            
-            for i in range(Options.topx):
-                
-                s += "     "
-                
-                for (dict, length) in ((ports, 5), (srcs, 18), (dsts, 18), (servs,11), (prots,2), states): 
-                    try:
-                        item = None
-                        if dict == srcs or dict == dsts:
-                            item = socket.inet_ntoa(dict[i][1])
-                            if Options.resolve:
-                                addrs += [dict[i][1]]
-                                item += "#%d" % len(addrs)
-                        else:
-                            item = str(dict[i][1])
-                        
-                        s += fmt("%-*s" % (length, item), dict[i][0], (Options.bytes and self.bytes or self.pkts), sep=" | ") 
-                    except:
-                        s += " " * length + "        | "
-
-                s += "\n"
-                
-            if Options.resolve:
-                s += "\n        "
-                for i in range(1, len(addrs)+1):
-                    s +=  "#%d=%s  " % (i, gethostbyaddr(socket.inet_ntoa(addrs[i-1])))
-                    if i % 3 == 0:
-                        s += "\n        "
-                        
-            s += "\n"
-
-                
-        return s
-
-    def makeRHeader(f, top_ports):
-        print >>f, "start end count bytes payload frags srcs dsts prot.tcp prot.udp prot.icmp",
-        print >>f, " ".join(["state.%s" % s.lower() for s in States]),
-        print >>f, " ".join(["top.port.%d" % (i+1) for i in range(0,Options.topx)]),
-        print >>f, " ".join(["port.%d" % i for i in range(0,1024)]),
-        if not Options.save_mem:
-            print >>f, " ".join(["port.%d" % p[1] for p in top_ports if p[1] >= 1024]),
-        print >>f
-        
-    makeRHeader = staticmethod(makeRHeader)     
-    
-    def formatForR(self, f, top_ports):
-        print >>f, self.start, self.end, self.pkts, self.bytes, self.payload, self.frags,
-        print >>f, len(self.srcs), len(self.dsts),
-        print >>f, self.prots.get(6, 0), self.prots.get(17, 0), self.prots.get(1, 0),
-        print >>f, " ".join([str(self.states.get(i, 0)) for i in States]),
-        print >>f, " ".join([str(p[1]) for p in topx(self.ports, True)]),
-        print >>f, " ".join([str(self.ports.get(i, 0)) for i in range(0,1024)]),
-        if not Options.save_mem:
-            print >>f, " ".join([str(self.ports.get(p[1], 0)) for p in top_ports if p[1] >= 1024]),
-        print >>f
-            
-        
-    def __str__(self):
-        return self.format(True)
-
-def topx(dict, fill_if_empty=False):
-    top = map(lambda (val, count): (count, val), dict.items())
-    top.sort()
-    top.reverse()
-
-     # Filter out zero vals.
-    top = [(val, count) for (val, count) in top if count != 0]
-    
-    if fill_if_empty and len(top) < Options.topx:
-        top += [(0,0)] * Options.topx
-
-    return top[:Options.topx]
-    
-def findInterval(time, intervals):
-    
-    if intervals.start < 0:
-        intervals.start = int(time / Options.ilen) * Options.ilen
-   
-    i = (time - intervals.start) / Options.ilen
-    idx = int(i)
-
-    # Interval may be earlier than current start
-    if i < 0:
-        
-        if float(idx) != i:
-            # minus 1 since we will multiply by -1
-            idx = idx - 1
-            
-        idx *= -1
-        
-        for j in intervals.ints:
-            if j:
-                j.start += Options.ilen * idx
-                j.end += Options.ilen * idx
-        
-        intervals.ints = ([None] * idx) + intervals.ints
-        intervals.start = int(time / Options.ilen) * Options.ilen
-        first = time
-        idx = 0
-            
-    # Interval may be later than current end
-    while idx >= len(intervals.ints):
-        intervals.ints += [None]
-        
-    if not intervals.ints[idx]:
-        interv = Interval()
-        interv.start = float(idx * Options.ilen)
-        interv.end =  float((idx+1) * Options.ilen)
-        intervals.ints[idx] = interv
-        return interv
-
-    return intervals.ints[idx]
-
-def isoTime(t):
-    if t == 1e20 or t == 0:
-        return "N/A"
-    return time.strftime("%Y-%m-%d-%H-%M-%S", time.localtime(t))    
-
-def readPcap(file):
-    global Total
-    global Incoming
-    global Outgoing
-    
-    for line in os.popen("ipsumdump -r %s --timestamp --src --dst --sport --dport --length --protocol --fragment --payload-length -Q" % file):
-
-        if line.startswith("!"):
-            continue
-
-        if Options.sample > 0 and random.random() > Options.sample:
-            return
-        
-        f = line.split()
-        time = float(f[0])
-
-        if time < Options.mintime or time > Options.maxtime:
-            continue
-        
-        if Options.chema:
-            if f[6] != "T" or f[9] == "0":
-                continue
-        
-        if Options.tcp and f[6] != "T":
-            continue
-
-        if Options.udp and f[6] != "U":
-            continue
-        
-        iupdate = IntervalUpdate()
-        iupdate.pkts = 1
-        iupdate.bytes = int(f[5])
-        iupdate.payload = int(f[8])       
-        iupdate.service = ""
-        
-        try:
-            iupdate.src_ip = socket.inet_aton(f[1])
-        except socket.error:
-            iupdate.src_ip = socket.inet_aton("0.0.0.0")
-            
-        if iupdate.src_ip in ExcludeNets:
-            continue
-        
-        try:
-            iupdate.src_port = int(f[3])
-        except:
-            iupdate.src_port = 0
-            
-        try:
-            iupdate.dst_ip = socket.inet_aton(f[2])
-        except socket.error:
-            iupdate.dst_ip = socket.inet_aton("0.0.0.0")
-            
-        if iupdate.dst_ip in ExcludeNets:
-            continue
-        
-        try:
-            iupdate.dst_port = int(f[4])
-        except:
-            iupdate.dst_port = 0
-            
-        try:
-            iupdate.prot = Protocols[f[6]]
-        except KeyError:
-            iupdate.prot = 0
-        iupdate.state = 0
-        iupdate.start = time
-        iupdate.end = time
-
-        if f[7] != ".":
-            iupdate.frags = 1
-        else:
-            iupdate.frags = 0
-
-        if Options.external:
-            if iupdate.src_ip in LocalNetsIntervals and iupdate.dst_ip in LocalNetsIntervals:
-                continue
-            
-        Total.update(iupdate)
-
-        if Options.ilen > 0:
-            interval = findInterval(time, TotalIntervals)
-            interval.update(iupdate, adjusttime=False)
-        
-        if Options.localnets:
-            try:
-                LocalNetsIntervals[iupdate.src_ip].update(iupdate)
-                Outgoing.update(iupdate)
-                if Options.ilen > 0:
-                    interval = findInterval(time, OutgoingIntervals)
-                    interval.update(iupdate, adjusttime=False)
-            except KeyError:
-                try:
-                    LocalNetsIntervals[iupdate.dst_ip].update(iupdate)
-                    Incoming.update(iupdate)
-                    if Options.ilen > 0:
-                        interval = findInterval(time, IncomingIntervals)
-                        interval.update(iupdate, adjusttime=False)
-                except KeyError:
-                    global NonLocalCount
-                    NonLocalCount += 1
-                    if NonLocalCount < Options.topx:
-                        NonLocalConns[(iupdate.src_ip, iupdate.dst_ip)] = 1
-        
-Protocols = { "T": 6, "tcp": 6, "U": 17, "udp": 17, "I": 1, "icmp": 1 }
-States = ["OTH", "REJ", "RSTO", "RSTOS0", "RSTR", "RSTRH", "S0", "S1", "S2", "S3", "SF", "SH", "SHR"]    
-
-def readConnSummaries(file):
-    while True:
-        try:
-            for line in open(file):
-                parseConnLine(line)
-        except IOError, e:
-            if e.errno == errno.EINTR or e.errno == errno.EAGAIN:
-                continue
-            
-            print >>sys.stderr, e 
-            
-        return
-    
-    
-def parseConnLine(line):
-    global Total
-    global Incoming
-    global Outgoing
-    
-    global LastOutputTime, BaseTime
-    
-    if Options.sample > 0 and random.random() > Options.sample:
-        return
-    
-    f = line.split()
-
-    if len(f) < 11: # 11 is ok for icmp
-        print >>sys.stderr, "Ignoring corrupt line: '%s'" % line.strip()
-        return
-    
-    try:
-        time = float(f[0])
-    except ValueError:
-        print >>sys.stderr, "Invalid starting time %s" % f[0]
-        return
-
-    if f[1] != "?":
-        try:
-            duration = float(f[1])
-        except:
-            print >>sys.stderr, "Invalid starting time %s" % f[0]
-            return
-    else:
-        duration = 0;
-        
-    if time < Options.mintime or (time + duration) > Options.maxtime:
-        return
-    
-    if Options.tcp and f[7] != "tcp":
-        return
-
-    if Options.udp and f[7] != "udp":
-        return
-    
-    if not BaseTime:
-        BaseTime = time
-        LastOutputTime = time
-    
-    if time - LastOutputTime > 3600:
-        # print >>sys.stderr, "%d hours processed" % int((time - BaseTime) / 3600)
-        LastOutputTime = time
-    
-    try:
-        iupdate = IntervalUpdate()
-        iupdate.pkts = 1 # no. connections
-        
-        try:
-            bytes_orig = int(f[8])
-        except:
-            bytes_orig = 0
-            
-        try:
-            bytes_resp = int(f[9])
-        except:
-            bytes_resp = 0
-            
-        iupdate.bytes = bytes_orig + bytes_resp;
-        iupdate.src_ip = socket.inet_aton(f[2])
-        if iupdate.src_ip in ExcludeNets:
-            return
-        iupdate.src_port = int(f[5])
-        iupdate.dst_ip = socket.inet_aton(f[3])
-        if iupdate.dst_ip in ExcludeNets:
-            return
-        iupdate.dst_port = int(f[6])
-        iupdate.prot = Protocols[f[7]]
-
-        iupdate.service = f[4]
-        if iupdate.service[-1] == "?":
-            iupdate.service = iupdate.service[:-1]
-        iupdate.frags = 0
-        iupdate.state = f[10]
-        iupdate.start = time
-        
-    except LookupError:
-        print >>sys.stderr, "Ignoring corrupt line: '%s'" % line.strip()
-        return
-        
-    try:
-        iupdate.end = time + float(f[1])
-    except ValueError:
-        iupdate.end = time
-
-    try:
-        payload_orig = int(f[8])
-        
-        if duration and payload_orig * 8 / (1024 * 1024 * duration) > 700:
-            # Bandwith exceed due to Bro bug.
-            print >>sys.stderr, "%.6f originator exceeds bandwith" % time
-            payload_orig = 0
-            
-    except ValueError:
-        payload_orig = 0
-
-    try:
-        payload_resp = int(f[9])
-        
-        if duration and  payload_resp * 8 / (1024 * 1024 * duration) > 700:
-            # Bandwith exceed due to Bro bug.
-            print >>sys.stderr, "%.6f responder exceeds bandwith" % time
-            payload_resp = 0
-            
-    except ValueError:
-        payload_resp = 0
-        
-    iupdate.payload = payload_orig + payload_resp
-    
-    if Options.external:
-        if iupdate.src_ip in LocalNetsIntervals and iupdate.dst_ip in LocalNetsIntervals:
-            return
-    
-    Total.update(iupdate)
-
-    if Options.ilen > 0:
-        interval = findInterval(time, TotalIntervals)
-        interval.update(iupdate, adjusttime=False)
-    
-    if Options.localnets:
-        
-        try:
-            LocalNetsIntervals[iupdate.src_ip].update(iupdate)
-            Outgoing.update(iupdate)
-            if Options.ilen > 0:
-                interval = findInterval(time, OutgoingIntervals)
-                interval.update(iupdate, adjusttime=False)
-        except KeyError:
-            try:
-                LocalNetsIntervals[iupdate.dst_ip].update(iupdate)
-                Incoming.update(iupdate)
-                if Options.ilen > 0:
-                    interval = findInterval(time, IncomingIntervals)
-                    interval.update(iupdate, adjusttime=False)
-            except KeyError:
-                global NonLocalCount
-                NonLocalCount += 1
-                if NonLocalCount < Options.topx:
-                    NonLocalConns[(iupdate.src_ip, iupdate.dst_ip)] = 1
-
-Cache = {}
-
-def gethostbyaddr( ip, timeout = 5, default = "<???>" ):
-
-    try:
-        return Cache[ip]
-    except LookupError:
-        pass
-    
-    host = default
-    ( pin, pout ) = os.pipe()
-
-    pid = os.fork()
-    
-    if not pid:
-        # Child
-        os.close( pin )
-        try:
-            host = socket.gethostbyaddr( ip )[0]
-        except socket.herror:
-            pass
-        os.write( pout, host )
-        posix._exit(127)
-        
-    #Parent 
-    os.close( pout )
-    
-    signal.signal( signal.SIGALRM, lambda sig, frame: os.kill( pid, signal.SIGKILL ) )
-    signal.alarm( timeout )
-
-    try:
-        os.waitpid( pid, 0 )
-        host = os.read( pin, 8192 )
-    except OSError:
-        pass
-
-    signal.alarm( 0 )
-    
-    os.close( pin )
-    
-    Cache[ip] = host;
-    
-    return host
-
-def formatVal(val):
-    for (prefix, unit, factor) in (("", "g", 1e9), ("", "m", 1e6), ("", "k", 1e3), (" ", "", 1e0)):
-        if val >= factor:
-            return "%s%3.1f%s" % (prefix, val / factor, unit)
-    return val # Should not happen
-
-def readNetworks(file):
-    
-    nets = []
-    
-    for line in open(file):
-        line = line.strip()
-        if not line or line.startswith("#"):
-            continue
-        
-        fields = line.split()
-        nets += [(fields[0], " ".join(fields[1:]))]
-
-    return nets
-
-####### Main
-
-Total = Interval()
-Incoming = Interval()
-Outgoing = Interval()
-
-TotalIntervals = IntervalList()
-IncomingIntervals = IntervalList()
-OutgoingIntervals = IntervalList()
-
-BaseTime = None
-LastOutputTime = None
-
-LocalNets = {}
-LocalNetsIntervals = SubnetTree.SubnetTree()
-NonLocalConns = {}
-NonLocalCount = 0
-
-Ports = None
-
-ExcludeNets = SubnetTree.SubnetTree()
-
-optparser = optparse.OptionParser(usage="%prog [options] <pcap-file>|<conn-summaries>", version=Version)
-optparser.add_option("-b", "--bytes", action="store_true", dest="bytes", default=False,
-                     help="count fractions in terms of bytes rather than packets/connections")
-optparser.add_option("-c", "--conn-summaries", action="store_true", dest="conns", default=False, 
-                     help="input file contains Bro connection summaries")
-optparser.add_option("-C", "--chema", action="store_true", dest="chema", default=False,
-                     help="for packets: include only TCP, ignore when seq==0")
-optparser.add_option("-e", "--external", action="store_true", dest="external", default=False, 
-                     help="ignore strictly internal traffic")
-optparser.add_option("-E", "--exclude-nets", action="store", type="string", dest="excludenets", default=None, 
-                     help="excludes CIDRs in file from analysis")
-optparser.add_option("-i", "--intervals", action="store", type="string", dest="ilen", default="0", 
-                     help="create summaries for time intervals of given length")
-optparser.add_option("-l", "--local-nets", action="store", type="string", dest="localnets", default=None, 
-                     help="differentiate in/out based on CIDRs in file")
-optparser.add_option("-n", "--topn", action="store", type="int", dest="topx", default=10, 
-                     help="show top <n>")
-optparser.add_option("-p", "--ports", action="store", type="string", dest="ports", default=None, 
-                     help="include only ports listed in file")
-optparser.add_option("-P", "--write-ports", action="store", type="string", dest="storeports", default=None, 
-                     help="write top total/incoming/outgoing ports into files ")
-optparser.add_option("-r", "--resolve-host-names", action="store_true", dest="resolve", default=False, 
-                     help="resolve host names")
-optparser.add_option("-R", "--R", action="store", type="string", dest="R", default=None, metavar="tag",
-                     help="write output suitable for R into files <tag.*>")
-optparser.add_option("-s", "--sample-factor", action="store", type="int", dest="factor", default=1,
-                     help="sample factor of input")
-optparser.add_option("-S", "--do-sample", action="store", type="float", dest="sample", default=-1.0,
-                     help="sample input with probability (0.0 < prob < 1.0)")
-optparser.add_option("-m", "--save-mem", action="store_true", dest="save_mem", default=False, 
-                     help="do not make memory-expensive statistics")
-optparser.add_option("-t", "--tcp", action="store_true", dest="tcp", default=False, 
-                     help="include only TCP")
-optparser.add_option("-u", "--udp", action="store_true", dest="udp", default=False, 
-                     help="include only UDP")
-optparser.add_option("-U", "--min-time", action="store", type="string", dest="mintime", default=None,
-                     help="minimum time in ISO format (e.g. 2005-12-31-23-59-00)")
-optparser.add_option("-v", "--verbose", action="store_true", dest="verbose", default=False, 
-                     help="show top-n for every interval")
-optparser.add_option("-V", "--max-time", action="store", type="string", dest="maxtime", default=None,
-                     help="maximum time in ISO format")
-                     
-(Options, args) = optparser.parse_args()
-
-if len(args) > 2:
-    optparser.error("Wrong number of arguments")
-
-file = "-"
-    
-if len(args) > 0:
-    file = args[0]
-
-if Options.external and not Options.localnets:
-    print >>sys.stderr, "Need -l for -e."
-    sys.exit(1)
-    
-# Make per-interval summaries.    
-if Options.ilen:
-    if Options.ilen.endswith("m"):
-        Options.ilen = int(Options.ilen[:-1]) * 60
-    elif Options.ilen.endswith("h"):
-        Options.ilen = int(Options.ilen[:-1]) * 60 * 60
-    else:
-        Options.ilen = int(Options.ilen)
-
-# Read local networks.
-if Options.localnets:
-    
-    for (net, txt) in readNetworks(Options.localnets): 
-        try:
-            i = Interval()
-            LocalNetsIntervals[net] = i
-            LocalNets[net] = (txt, i)
-        except KeyError:
-            print >>sys.stderr, "Can't parse local network '%s'" % net
-
-# Read networks to exclude.
-if Options.excludenets:
-    for (net, txt) in readNetworks(Options.excludenets): 
-        try:
-            ExcludeNets[net] = txt
-        except KeyError:
-            print >>sys.stderr, "Can't parse exclude network '%s'" % net
-
-# Read ports file.
-if Options.ports:
-    Ports = {}
-    for line in open(Options.ports):
-        Ports[int(line.strip())] = 1
-            
-# Parse time-range if given.
-if Options.mintime:
-    Options.mintime = time.mktime(time.strptime(Options.mintime, "%Y-%m-%d-%H-%M-%S"))
-else:
-    Options.mintime = 0
-
-if Options.maxtime:
-    Options.maxtime = time.mktime(time.strptime(Options.maxtime, "%Y-%m-%d-%H-%M-%S"))
-else:
-    Options.maxtime = 1e20
-
-if Options.sample > 0:
-    Options.factor = 1.0 / Options.sample
-    
-if file == "-":
-    file = "/dev/stdin"
-    
-try:    
-    if Options.conns:
-        readConnSummaries(file)
-    else:
-        readPcap(file)
-except KeyboardInterrupt:
-    pass
-
-TotalIntervals.finish()
-IncomingIntervals.finish()
-OutgoingIntervals.finish()
-
-Total.applySampleFactor()
-Incoming.applySampleFactor()
-Outgoing.applySampleFactor()
-
-unique = {}
-for (count, port) in topx(Total.ports) + topx(Incoming.ports) + topx(Outgoing.ports):
-    unique[port] = (count, port)
-    
-top_ports = unique.values()
-
-if Options.storeports:
-    f = open(Options.storeports, "w")
-    for p in top_ports:
-        print >>f, p[1]
-
-if Options.R:
-    file = open(Options.R + ".dat", "w")
-
-    print >>file, "tag", 
-    Interval.makeRHeader(file, top_ports)
-    print >>file, "total",
-    Total.formatForR(file, top_ports)
-
-    print >>file, "incoming",
-    Incoming.formatForR(file, top_ports)
-    print >>file, "outgoing",
-    Outgoing.formatForR(file, top_ports)
-
-    for (net, data) in LocalNets.items():    
-        
-        (txt, i) = data
-        
-        if i.updates:
-            print >>file, net.replace(" ", "_"),
-            i.start += TotalIntervals.start
-            i.end += TotalIntervals.start
-            i.applySampleFactor()
-            i.formatForR(file, top_ports)
-    
-    TotalIntervals.writeR(Options.R + ".total.dat", top_ports)
-    IncomingIntervals.writeR(Options.R + ".incoming.dat", top_ports)
-    OutgoingIntervals.writeR(Options.R + ".outgoing.dat", top_ports)
-                
-    sys.exit(0)
-
-for i in TotalIntervals.ints:
-    if i:
-        print i.format(conns=Options.conns)
-    
-Options.verbose = True
-        
-print Total.format(conns=Options.conns, title="Total")
-
-locals = LocalNets.keys()    
-
-if locals:
-
-    type = "packets"
-    if Options.conns:
-        type = "connections"
-
-    locals.sort(lambda x,y: LocalNets[y][1].pkts - LocalNets[x][1].pkts)    
-
-    print "\n>== Top %d local networks by number of %s\n" % (Options.topx, type)
-        
-    for i in range(min(len(locals), Options.topx)):
-        print "    %2d %5s  %-16s %s " % (i+1, formatVal(LocalNets[locals[i]][1].pkts), locals[i], LocalNets[locals[i]][0])
-    print 
-
-    if len(NonLocalConns):
-        print "\n>== %d %s did not have any local address. Here are the first %d:\n" % (NonLocalCount, type, Options.topx)
-    
-        for (src,dst) in NonLocalConns.keys():
-            print "    %s <-> %s" % (socket.inet_ntoa(src), socket.inet_ntoa(dst))
-    
-if Options.localnets:
-    print Incoming.format(conns=Options.conns, title="Incoming")
-    print Outgoing.format(conns=Options.conns, title="Outgoing")
-        
-for net in locals:        
-    (txt, i) = LocalNets[net]
-
-    if i.updates:
-#        i.start += TotalIntervals.start
-#        i.end += TotalIntervals.start
-        i.applySampleFactor()
-        print i.format(conns=Options.conns, title=net + " " + txt)
-
-print "First: %16s (%.6f) Last: %s %.6f" % (isoTime(Total.start), Total.start, isoTime(Total.end), Total.end)
diff --git a/aux/broctl/bin/archive-log.in b/aux/broctl/bin/archive-log.in
deleted file mode 100755
index 6647617da6..0000000000
--- a/aux/broctl/bin/archive-log.in
+++ /dev/null
@@ -1,59 +0,0 @@
-#! /usr/bin/env bash
-#
-# $Id: archive-log.in 6860 2009-08-14 19:01:47Z robin $
-#
-# Bro postprocessor script to archive log files. 
-# 
-# archive-log <rotated-file-name> <base-name> <timestamp-when-opened> <timestamp-when-closed> [<tag>]
-
-base=${logdir}
-
-delete=1
-if [ "$1" == "-c" ]; then
-    delete=0
-    shift
-fi
-
-# Record time of last rotation.
-date +%y-%m-%d_%H.%M.%S >.rotate # Bro default format when rotating files.
-
-# We do not keep the logs for workers/proxies.
-if [ -e .worker -o -e .proxy ]; then
-    test $delete = 0 || rm -rf $1
-    exit 0
-fi
-
-# Build archive name
-day=`echo $3 | sed 's/_.*$//'`
-from=`echo $3 | sed 's/^.*_//' | sed 's/\./:/g'`
-to=`echo $4 | sed 's/^.*._//' | sed 's/\./:/g'`
-century=`date +%Y | sed 's/..$//g'`
-day="$century$day"
-
-if [ ! -d "$base/$day" ]; then
-    mkdir "$base/$day" 2>/dev/null
-fi    
-
-#if [ $# == 5 ]; then
-#    dest="$base/$day/$5.$2.$from-$to.gz"
-#else
-    dest="$base/$day/$2.$from-$to.gz"
-#fi
-
-# Run other postprocessors. 
-for pp in ${postprocdir}/*; do
-    nice $pp $@ 
-done
-
-if [ -e $1 ]; then
-   nice gzip -9 <$1 >$dest 2>/dev/null 
-fi   
-
-if [ "$?" == "0" ]; then
-    if [ "$delete" == "1" ]; then 
-        rm -rf $1
-    else
-        # Only delete if too large (>100MB).
-        find $1 -size +104857600c -delete
-    fi
-fi
diff --git a/aux/broctl/bin/broctl.in b/aux/broctl/bin/broctl.in
deleted file mode 100755
index 792f6aea33..0000000000
--- a/aux/broctl/bin/broctl.in
+++ /dev/null
@@ -1,731 +0,0 @@
-#! /usr/bin/env python
-#
-# $Id: broctl.in 6948 2009-12-03 20:59:41Z robin $
-#
-# The Bro Control interactive shell.
-
-import os
-import sys
-import cmd
-import readline
-import time
-import signal
-import platform
-
-# Base directory of broctl installation.
-# $PREFIX is replaced by 'configure'.
-try:
-    BroBase = os.path.abspath(os.getenv("BROBASE"))
-except AttributeError:
-    BroBase = "$PREFIX"
-
-# Base directory of Bro distribution.              
-# $BRODIST is replaced by 'configure'.
-try:
-    BroDist = os.path.abspath(os.getenv("BRODIST"))
-except AttributeError:
-    BroDist = "$BRODIST"
-
-# Version of the broctl distribution.
-# $VERSION is replaced by 'configure'.
-Version = "$VERSION"
-
-# True if we do a stand-alone install. 
-# $STANDALONE is replaced by 'configure'.
-StandAlone = $STANDALONE
-
-# Adjust the PYTHONPATH. (If we're installing the make-wrapper will have already
-# set it correctly.)
-if not "BROCTL_INSTALL" in os.environ:
-    sys.path = [os.path.join(BroBase, "lib/broctl")] + sys.path
-
-# We need to add the directory of the Broccoli library files
-# to the linker's runtime search path. This is hack which 
-# restarts the script with the new environment. 
-ldpath = "LD_LIBRARY_PATH"
-if platform.system() == "Darwin":
-    ldpath = "DYLD_LIBRARY_PATH"
-
-old = os.environ.get(ldpath)
-dir = os.path.join(BroBase, "lib")
-if not old or not dir in old:
-    if old:
-        path = "%s:%s" % (dir, old)
-    else:
-        path = dir
-    os.environ[ldpath] = path
-    os.execv(sys.argv[0], sys.argv)
-
-## End of library hack.
-
-# Turns nodes arguments into a list of node names. 
-def nodeArgs(args, expand_all=True):
-    if not args:
-        args = "all"
-
-    nodes = []
-
-    for arg in args.split():
-        h = Config.nodes(arg, expand_all)
-        if not h and arg != "all":
-            util.output("unknown node '%s'" % arg)
-            return (False, [])
-
-        nodes += h
-
-    return (True, nodes)
-
-# Main command loop.
-class BroCtlCmdLoop(cmd.Cmd):
-
-    def __init__(self):
-        cmd.Cmd.__init__(self)
-        self.prompt = "[BroControl] > "
-
-    def output(self, text):
-        self.stdout.write(text)
-        self.stdout.write("\n")
-
-    def error(self, str):
-        self.output("Error: %s" % str)
-
-    def syntax(self, args):
-        self.output("Syntax error: %s" % args)
-
-    def lock(self):
-        if not util.lock():
-            sys.exit(1)
-
-        self._locked = True
-        Config.readState()
-        config.Config.config["sigint"] = "0" 
-
-    def precmd(self, line):
-        util.debug(1, "%-10s %s" % ("[command]", line))
-        self._locked = False
-        return line
-
-    def postcmd(self, stop, line):  
-        Config.writeState()
-        if self._locked:
-            util.unlock()
-            self._locked = False
-
-        util.debug(1, "%-10s %s" % ("[command]", "done"))
-        return stop
-
-    def do_EOF(self, args):
-        return True
-
-    def do_exit(self, args):
-        """Terminates the shell."""
-        return True
-
-    def do_quit(self, args):
-        """Terminates the shell."""
-        return True
-
-    def do_nodes(self, args):
-        """Prints a list of all configured nodes."""
-        if args:
-            self.syntax(args)
-            return
-
-        self.lock()
-        for n in Config.nodes():
-            print n
-
-    def do_config(self, args):
-        """Prints all configuration options with their current values."""
-        if args:
-            self.syntax(args)
-            return
-
-        for (key, val) in sorted(Config.options()):
-            print "%s = %s" % (key, val)
-
-    def do_install(self, args): 
-        """
-
-        Reinstalls the given nodes, including all configuration files and
-        local policy scripts.  This command must be executed after _all_
-        changes to any part of the broctl configuration, otherwise the
-        modifications will not take effect. Usually all nodes should be
-        reinstalled at the same time, as any inconsistencies between them will
-        lead to strange effects. Before executing +install+, it is recommended
-        to verify the configuration with xref:cmd_check[+check+]."""
-
-        local = False
-        make = False
-
-        for arg in args.split():
-            if arg == "--local":
-                local = True
-            elif arg == "--make":
-                make = True
-            else:
-                self.syntax(args)
-                return
-
-        self.lock()
-        install.install(local, make)
-
-    def do_start(self, args):
-        """- [<nodes>]
-
-        Starts the given nodes, or all nodes if none are specified. Nodes
-        already running are left untouched.
-        """ 
-
-        self.lock()
-        (success, nodes) = nodeArgs(args, expand_all=False) 
-        if success: 
-            control.start(nodes)
-
-    def do_stop(self, args):
-        """- [<nodes>]
-
-        Stops the given nodes, or all nodes if none are specified. Nodes not
-        running are left untouched.
-        """ 
-        self.lock()
-        (success, nodes) = nodeArgs(args, expand_all=False)
-        if success:
-            control.stop(nodes)
-
-    def do_restart(self, args):
-        """- [--clean] [<nodes>]
-
-        Restarts the given nodes, or all nodes if none are specified. The
-        effect is the same as first executing xref:cmd_stop[+stop+] followed
-        by a xref:cmd_start[+start+], giving the same nodes in both cases.
-        This command is most useful to activate any changes made to Bro policy
-        scripts (after running xref:cmd_install[+install+] first). Note that a
-        subset of policy changes can also be installed on the fly via the
-        xref:cmd_updatel[+update+], without requiring a restart.
-
-        If +--clean+ is given, the installation is reset into a clean state
-        before restarting. More precisely, a +restart --clean+ turns into the
-        command sequence xref:cmd_stop[+stop+], xref:cmd_cleanup[+cleanup
-        --all+], xref:cmd_check[+check+], xref:cmd_install[+install+], and
-        xref:cmd_start[+start+].
-        """
-
-        clean = False
-        try:
-            if args.startswith("--clean"):
-                args = args[7:]
-                clean = True
-        except IndexError:
-            pass
-
-        self.lock()
-        (success, nodes) = nodeArgs(args, expand_all=False)
-        if success:
-            control.restart(nodes, clean)
-
-    def do_status(self, args):
-        """- [<nodes>]
-
-        Prints the current status of the given nodes."""
-
-        self.lock()
-        (success, nodes) = nodeArgs(args)
-        if success:
-            control.status(nodes)
-
-    def _do_top_once(self, args):
-        if util.lock():
-            Config.readState() # May have changed by cron in the meantime.
-            (success, nodes) = nodeArgs(args)
-            if success:
-                control.top(nodes)
-            util.unlock()
-
-    def do_top(self, args):
-        """- [<nodes>]
-
-        For each of the nodes, prints the status of the two Bro
-        processes (parent process and child process) in a _top_-like
-        format, including CPU usage and memory consumption. If
-        executed interactively, the display is updated frequently
-        until key +q+ is pressed. If invoked non-interactively, the
-        status is printed only once.""" 
-
-        self.lock()
-
-        if not Interactive:
-            self._do_top_once(args)
-            return
-
-        util.unlock()
-
-        util.enterCurses()
-        util.clearScreen()
-
-        count = 0
-
-        while config.Config.sigint != "1" and util.getCh() != "q":
-            if count % 10 == 0:
-                util.bufferOutput()
-                self._do_top_once(args)
-                lines = util.getBufferedOutput()
-                util.clearScreen()
-                util.printLines(lines)
-            time.sleep(.1)
-            count += 1
-
-        util.leaveCurses()
-
-        if not util.lock():
-            sys.exit(1)
-
-    def do_diag(self, args):
-        """- [<nodes>]
-
-        If a node has terminated unexpectedly, this command prints a (somewhat
-        cryptic) summary of its final state including excerpts of any
-        stdout/stderr output, resource usage, and also a stack backtrace if a
-        core dump is found. The same information is sent out via mail when a
-        node is found to have crashed (the "crash report"). While the
-        information is mainly intended for debugging, it can also help to find
-        misconfigurations (which are usually, but not always, caught by the
-        xref:cmd_check[+check+] command).""" 
-
-        self.lock()
-        (success, nodes) = nodeArgs(args)
-        if not success:
-            return 
-
-        for h in nodes:
-            control.crashDiag(h)
-
-    def do_attachgdb(self, args):
-        """- [<nodes>]
-
-        Primarily for debugging, the command attaches a _gdb_ to the main Bro
-        process on the given nodes. """ 
-
-        self.lock()
-        (success, nodes) = nodeArgs(args)
-        if success:
-            control.attachGdb(nodes)
-
-    def do_cron(self, args):
-        """- [<nodes>]
-
-        As the name implies, this command should be executed regularly via
-        _cron_, as described xref:Installation[above]. It performs a set of
-        maintainance tasks, including the logging of various statistical
-        information, expiring old log files, checking for dead hosts, and
-        restarting nodes which terminated unexpectedly.  While not intended
-        for interactive use, no harm will be caused by executing the command 
-        manually: all the maintainance tasks will then just be performed one
-        more time."""
-
-        self.lock()
-
-        if len(args) > 0:
-            if args == "enable":
-                config.Config._setState("cronenabled", "1")
-                util.output("cron enabled")
-            elif args == "disable":
-                config.Config._setState("cronenabled", "0")
-                util.output("cron disabled")
-            elif args == "?":
-                util.output("cron " + (config.Config.cronenabled == "1"  and "enabled" or "disabled"))
-            else:
-                util.output("wrong cron argument")
-            return
-
-        cron.doCron()
-
-    def do_check(self, args):
-        """- [<nodes>]
-
-        Verifies a modified configuration in terms of syntactical correctness
-        (most importantly correct syntax in policy scripts). This command
-        should be executed for each configuration change _before_
-        xref:cmd_install[+install+] is used to put the change into place. Note
-        that +check+ is the only command which operates correctly without a
-        former xref:cmd_install[+install+] command; +check+ uses the policy
-        files as found in xref:opt_SitePolicyPath[+SitePolicyPath+] to make
-        sure they compile correctly. If they do, xref:cmd_install[+install+]
-        will then copy them over to an internal place from where the nodes
-        will read them at the next xref:cmd_start[+start+]. This approach
-        ensures that new errors in a policy scripts will not affect currently
-        running nodes, even when one or more of them needs to be restarted."""
-
-        self.lock()
-        (success, nodes) = nodeArgs(args)
-        if success:
-            control.checkConfigs(nodes)
-
-    def do_cleanup(self, args):
-        """- [--all] [<nodes>]
-
-        Clears the nodes' spool directories (if they are not running
-        currently). This implies that their persistent state is flushed. Nodes
-        that were crashed are reset into _stopped_ state. If +--all+ is
-        specified, this command also removes the content of the node's
-        xref:opt_TmpDir[+TmpDir+], in particular deleteing any data
-        potentially saved there for reference from previous crashes.
-        Generally, if you want to reset the installation back into a clean
-        state, you can first xref:cmd_stop[+stop+] all nodes, then execute
-        +cleanup --all+, and finally xref:cmd_start[+start+] all nodes
-        again.""" 
-
-        cleantmp = False
-        try:
-            if args.startswith("--all"):
-                args = args[5:]
-                cleantmp = True
-        except IndexError:
-            pass
-
-        self.lock()
-        (success, nodes) = nodeArgs(args)
-        if not success:
-            return 
-
-        control.cleanup(nodes, cleantmp)
-
-    def do_capstats(self, args):
-        """- [<interval>] [<nodes>]
-
-        Determines the current load on the network interfaces monitored by
-        each of the given worker nodes. The load is measured over the
-        specified interval (in seconds), or by default over 10 seconds. This
-        command uses the http://www.icir.org/robin/capstats[capstats] tool,
-        which is installed along with +broctl+.
-
-        (Note: When using a CFlow and the CFlow command line utility is
-        installed as well, the +capstats+ command can also query the device
-        for port statistics. _TODO_: document how to set this up.)"""
-
-        interval = 10
-        args = args.split()
-
-        try:
-            interval = max(1, int(args[-1]))
-            args = args[0:-1]
-        except ValueError:
-            pass
-        except IndexError:
-            pass
-
-        args = " ".join(args)
-
-        self.lock()
-        (success, nodes) = nodeArgs(args)
-        if success:
-            control.capstats(nodes, interval)
-
-    def do_update(self, args):
-        """- [<nodes>]
-
-        After a change to Bro policy scripts, this command updates the Bro
-        processes on the given nodes _while they are running_ (i.e., without
-        requiring a xref:cmd_restart[+restart+]). However, such dynamic
-        updates work only for a _subset_ of Bro's full configuration. The
-        following changes can be applied on the fly: (1) The value of all
-        script variables defined as +&redef+ can be changed; and (2) all
-        configuration changes performed via the xref:cmd_analysis[+analysis+]
-        command can be put into effect. More extensive script changes are not
-        possible during runtime and always require a restart; if you change
-        more than just the values of +&redef+ variables and still issue
-        +update+, the results are undefined and can lead to crashes. Also note
-        that before running +update+, you still need to do an
-        xref:cmd_install[+install+] (preferably after
-        xref:cmd_install[+check+]), as otherwise +update+ will not see the
-        changes and resend the old configuration.  """
-
-        self.lock()
-        (success, nodes) = nodeArgs(args)
-        if success:
-            control.update(nodes)
-
-    def do_analysis(self, args):
-        """- enable|disable <type>
-
-        This command enables or disables certain kinds of analysis without the
-        need for doing any changes to Bro scripts. Currently, the analyses
-        shown in the table below can be controlled (in parentheses the
-        corresponding Bro scripts; the effect of enabling/disabling is similar
-        to loading or not loading these scripts, respectively). The list might
-        be extended in the future. Any changes performed via this command are
-        applied by xref:cmd_update[+update+] and therefore do not require a
-        restart of the nodes. 
-        +
-        [format="dsv",frame="none",grid="all",border="0",separator="|"]
-        .10`20~
-        Type          | Description
-        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-        dns           | DNS analysis (+dns.bro+)
-        ftp           | FTP analysis (+ftp.bro+)
-        http-body     | HTTP body analysis (+http-body.bro+). 
-        http-request  | Client-side HTTP analysis only (+http-request.bro+)
-        http-reply    | Client- and server-side HTTP analysis (+http-request.bro+/+http-reply.bro+)
-        http-header   | HTTP header analysis (+http-headers.bro+)
-        scan          | Scan detection (+scan.bro+)
-        smtp          | SMTP analysis (+smtp.bro+)
-        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-        """
-
-        self.lock()
-        args = args.split()
-
-        if len(args) > 1:
-            if args[0].lower() == "enable":
-                control.toggleAnalysis(args[1:], True)
-
-            elif args[0].lower() == "disable":
-                control.toggleAnalysis(args[1:], False)
-
-            else:
-                self.syntax("'enable' or 'disable' expected")
-                return
-
-        control.showAnalysis()
-
-    def do_df(self, args):
-        """- [<nodes>]
-
-        Reports the amount of disk space available on the nodes. Shows only
-        paths relevant to the broctl installation."""
-
-        self.lock()
-        (success, nodes) = nodeArgs(args)
-        if success:
-            control.df(nodes)
-
-    def do_print(self, args):
-        """- <id> [<nodes>]
-
-        Reports the _current_ live value of the given Bro script ID on all of
-        the specified nodes (which obviously must be running). This can for
-        example be useful to (1) check that policy scripts are working as
-        expected, or (2) confirm that configuration changes have in fact been
-        applied.  Note that IDs defined inside a Bro namespace must be
-        prefixed with +<namespace>::+ (e.g., +print SSH::did_ssh_version+ to
-        print the corresponding table from +ssh.bro+.)"""
-
-        self.lock()
-        args = args.split()
-        try:
-            id = args[0]
-
-            (success, nodes) = nodeArgs(" ".join(args[1:]))
-            if success:
-                control.printID(nodes, id)
-        except IndexError:
-            self.syntax("no id to print given")
-
-    def do_peerstatus(self, args):
-        """- [<nodes>]
-		
-		Primarily for debugging, +peerstatus+ reports statistics about the
-        network connections cluster nodes are using to communicate with other
-        nodes."""
-
-        self.lock()
-        (success, nodes) = nodeArgs(args)
-        if success:
-            control.peerStatus(nodes)
-
-    def do_netstats(self, args):
-        """- [<nodes>]
-		
-		Queries each of the nodes for their current counts of captured and
-        dropped packets."""
-		
-        if not args:
-            if config.Config.standalone:
-                args = "standalone"
-            else:
-                args = "workers"
-
-        self.lock()
-        (success, nodes) = nodeArgs(args)
-        if success:
-            control.netStats(nodes)
-
-    def do_exec(self, args):
-        """- <command line>
-		
-		Executes the given Unix shell command line on all nodes configured to
-        run at least one Bro instance. This is handy to quickly perform an
-        action across all systems."""
-		
-        self.lock()
-        control.executeCmd(Config.nodes(), args)
-
-    def do_scripts(self, args):
-        """- [-p|-c] [<nodes>]
-		
-		Primarily for debugging Bro configurations, the +script+ command lists
-        all the Bro scripts loaded by each of the nodes in the order as they
-        will be parsed by the node at startup. If +-p+ is given, all scripts
-        are listed with their full paths. If +-c+ is given, the command
-        operates as xref:cmd_check::[+check+] does: it reads the policy files
-        from their _original_ location, not the copies installed by
-        xref:cmd_install[+install+]. The latter option is useful to check a
-        not yet installed configuration."""
-		
-        paths = False
-        check = False
-
-        args = args.split()
-
-        try:
-            while args[0].startswith("-"):
-
-                opt = args[0]
-
-                if opt == "-p":
-                    # Show full paths.
-                    paths = True
-                elif opt == "-c":
-                    # Check non-installed policies.
-                    check = True
-                else:
-                    self.syntax("unknown option %s" % args[0])
-                    return
-
-                args = args[1:]
-
-        except IndexError:
-            pass
-
-        args = " ".join(args)
-
-        self.lock()
-        (success, nodes) = nodeArgs(args)
-        if success:
-            control.listScripts(nodes, paths, check)
-
-    def completedefault(self, text, line, begidx, endidx):
-        # Commands taken a "<nodes>" argument.
-        nodes_cmds = ["check", "cleanup", "df", "diag", "restart", "start", "status", "stop", "top", "update", "attachgdb", "peerstatus", "list-scripts"], 
-
-        args = line.split()
-
-        if not args or not args[0] in nodes_cmds:
-            return []
-
-        nodes = ["manager", "workers", "proxies", "all"] + [n.tag for n in Config.nodes()]
-
-        return [n for n in nodes if n.startswith(text)]
-
-    # Prints the command's docstring in a form suitable for direct inclusion
-    # into the documentation.
-    def printReference(self):
-        print "// Automatically generated. Do not edit."
-        print 
-
-        cmds = []
-
-        for i in self.__class__.__dict__:
-            doc = self.__class__.__dict__[i].__doc__
-            if i.startswith("do_") and doc:
-                cmds += [(i[3:], doc)]
-
-        cmds.sort()
-
-        for (cmd, doc) in cmds:
-            if doc.startswith("- "):
-                # First line are arguments.
-                doc = doc.split("\n")
-                args = doc[0][2:]
-                doc = "\n".join(doc[1:])
-            else:
-                args = ""
-
-            if args:
-                args = ("_%s_" % args)
-            else:
-                args = ""
-
-            output = ""
-            for line in doc.split("\n"):
-                line = line.strip()
-                output += line + "\n"
-
-            print 
-            print "[[cmd_%s]] *%s %s*::" % (cmd, cmd, args)
-            print output
-
-    def do_help(self, args):
-        """Prints a brief summary of all commands understood by the shell."""
-        self.output(
-"""
-BroControl Version %s
-
-   analysis [enable/disable ...] - print or enable/disable types of analysis 
-   capstats <nodes> [secs]       - report interface statistics (needs capstats)
-   check <nodes>                 - check configuration before installing it
-   cleanup [--all] <nodes>       - delete working dirs on nodes (flushes state)
-   config                        - print broctl configuration
-   cron                          - perform jobs intended to run from cron
-   cron enable|disable|?         - enable/disable \"cron\" jobs
-   df                            - print nodes' current disk usage 
-   diag <nodes>                  - output diagnostics for nodes
-   exec <shell cmd>              - execute shell command on all nodes
-   exit                          - exit shell
-   install                       - update broctl installation/configuration
-   netstats                      - print nodes' current packet counters
-   nodes                         - print node configuration
-   print <id> <nodes>            - print current values of script variable at nodes
-   peerstatus <nodes>            - print current status of nodes' remote connections
-   quit                          - exit shell
-   restart [--clean] <nodes>     - stop and then restart processing
-   scripts [-p|-c] <nodes>       - Lists the Bro scripts the nodes will be loading
-   start <nodes>                 - start processing 
-   status <nodes>                - summarize node status              
-   stop <nodes>                  - stop processing 
-   update <nodes>                - update configuration of nodes on the fly
-   top <nodes>                   - show Bro processes ala top
-
-See Bro Control's Wiki page for more information:
-
-    http://www.bro-ids.org/wiki/index.php/BroControl
-
-Send questions to the Bro mailing list at bro@bro-ids.org.
-   """ % Version)
-
-# Hidden command to print the command documentation.   
-if len(sys.argv) == 2 and sys.argv[1] == "--print-doc":
-    loop = BroCtlCmdLoop()
-    loop.printReference()
-    sys.exit(0)
-
-# Here so that we don't need the PYTHONPATH to be setup for --print-doc.    
-from BroControl import util
-from BroControl import config
-from BroControl import execute
-from BroControl import install
-from BroControl import control
-from BroControl import cron
-from BroControl.config import Config
-
-Config = config.Configuration("etc/broctl.cfg", BroBase, BroDist, Version, StandAlone)
-
-util.enableSignals()
-
-loop = BroCtlCmdLoop()
-
-try:
-    os.chdir(Config.brobase)
-except:
-    pass
-
-if len(sys.argv) > 1:
-    Interactive = False
-    line = " ".join(sys.argv[1:])
-    loop.precmd(line)
-    loop.onecmd(line)
-    loop.postcmd(False, line)
-else:
-    Interactive = True
-    loop.cmdloop("\nWelcome to BroControl %s\n\nType \"help\" for help.\n" % Version)
-
diff --git a/aux/broctl/bin/cflow-stats.in b/aux/broctl/bin/cflow-stats.in
deleted file mode 100755
index 1b9c07f95b..0000000000
--- a/aux/broctl/bin/cflow-stats.in
+++ /dev/null
@@ -1,23 +0,0 @@
-#! /usr/bin/env bash
-#
-# $Id: cflow-stats.in 6811 2009-07-06 20:41:10Z robin $
-#
-# Print cpacket stats in format:
-#
-# port pkts/sec bits/sec cum-pkts cum-bytes (-1 where not available)
-
-cflowcmd=`which cFlowCmd`
-
-if [ "$cflowcmd" == "" ]; then
-   exit 1
-fi   
-
-host=${cflowaddress}
-user=${cflowuser}
-pw=${cflowpassword}
-
-cFlowCmd $host $user:$pw list -m -p --format="rb rp cb cp" \
-         | awk '/^mac_/   {print substr($1, 0, length($1) - 1), $3, -1, $4, -1} 
-                /defmac/  {print "Fall-back", $3, -1, $4, -1;} 
-                /Receive/ {print "In", $4, $3, $6, $5}
-                /Transmit/{print "Out", $4, $3, $6, $5}'
diff --git a/aux/broctl/bin/check-config.in b/aux/broctl/bin/check-config.in
deleted file mode 100755
index c4eed8456f..0000000000
--- a/aux/broctl/bin/check-config.in
+++ /dev/null
@@ -1,39 +0,0 @@
-#! /usr/bin/env bash
-#
-# $Id: check-config.in 6860 2009-08-14 19:01:47Z robin $
-#
-# Just check Bro's configuration for errors.
-#
-# check_config <installed_policies_flag> <dir-to-set-as-cwd> <Bro parameters>
-
-if [ "$1" == "1" ]; then
-   policies=${policydir}
-   export BROPATH=${policydirsiteinstallauto}:${policydirsiteinstall}:$policies:$policies/sigs:$policies/time-machine:$policies/broctl:$policies/xquery
-elif [ "${devmode}" == "0" ]; then
-   policies=${policydir}
-   export BROPATH=${policydirsiteinstallauto}:${sitepolicypath}:$policies:$policies/sigs:$policies/time-machine:$policies/broctl:$policies/xquery
-else
-   policies=${distdir}/policy
-   export BROPATH=${policydirsiteinstallauto}:${sitepolicypath}:$policies:$policies/sigs:$policies/time-machine:${distdir}/aux/broctl/policy:$policies/xquery
-fi
-
-shift 
-
-cd $1
-shift
-
-export PATH=${bindir}:${scriptsdir}:$PATH
-
-echo $@ >.cmdline
-
-if [ "${devmode}" == "0" ]; then
-    ${bro} $@
-else
-    ${distdir}/src/bro $@ 
-fi
-
-exit $?
-
-
-
-
diff --git a/aux/broctl/bin/crash-diag.in b/aux/broctl/bin/crash-diag.in
deleted file mode 100755
index d944747e99..0000000000
--- a/aux/broctl/bin/crash-diag.in
+++ /dev/null
@@ -1,56 +0,0 @@
-#! /usr/bin/env bash
-#
-# $Id: crash-diag.in 6811 2009-07-06 20:41:10Z robin $
-#
-# crash-diag <cwd>
-
-(
-
-cd $1
-
-if [ -e stderr.log ]; then
-   echo ==== stderr.log 
-   tail -30 stderr.log 
-else
-   echo ==== No stderr.log.
-fi
-
-if [ -e stdout.log ]; then
-   echo ==== stdout.log 
-   tail -30 stdout.log 
-else
-   echo ==== No stdout.log.
-fi
-
-echo
-
-if [ -e .status ]; then
-   echo ==== .status
-   tail -30 .status
-else
-   echo ==== No .status.
-fi
-
-echo
-
-if [ -e prof.log ]; then
-   echo ==== prof.log 
-   tail -30 prof.log 
-else
-   echo ==== No prof.log.
-fi
-
-echo
-
-core=`ls -t *core* 2>&1`
-
-for c in $core; do 
-   if [ -e $c ]; then
-      echo $c
-      echo "bt" | gdb --batch -x /dev/stdin ${bro} $c
-   fi
-done
-
-) >.crash-diag.log
-
-cat .crash-diag.log
diff --git a/aux/broctl/bin/delete-log b/aux/broctl/bin/delete-log
deleted file mode 100755
index 109c9cf450..0000000000
--- a/aux/broctl/bin/delete-log
+++ /dev/null
@@ -1,10 +0,0 @@
-#! /usr/bin/env bash
-#
-# $Id: delete-log 6811 2009-07-06 20:41:10Z robin $
-#
-# Bro postprocessor script to archive log files. 
-# 
-# archive-log <rotated-file-name> <base-name> <timestamp-when-opened> <timestamp-when-closed> [<tag>]
-
-rm -rf $1
-
diff --git a/aux/broctl/bin/expire-logs.in b/aux/broctl/bin/expire-logs.in
deleted file mode 100755
index 08e145cb8f..0000000000
--- a/aux/broctl/bin/expire-logs.in
+++ /dev/null
@@ -1,26 +0,0 @@
-#! /usr/bin/env bash
-#
-# $Id: expire-logs.in 6860 2009-08-14 19:01:47Z robin $
-#
-# Delete logs older than ${log_expire_interval} days.
-
-base=${logdir}/
-
-file_pattern='.*/[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]/.*$'
-dir_pattern='.*/[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]$'
-
-exclude=""
-if [ "${keeplogs}" != "" ]; then
-   for name in ${keeplogs}; do
-      exclude="$exclude -not -name $name"
-   done
-fi   
-
-# Remove old files.
-find $base -type f -regex $file_pattern -mtime +${logexpireinterval} $exclude -delete 2>/dev/null
-rc=$?
-
-# Remove now empty directories (will fail for non-empty dirs).
-find $base -type d -regex $dir_pattern -exec rmdir '{}' ';' 2>/dev/null 
-
-exit $rc
diff --git a/aux/broctl/bin/extract-strictly-local-conns b/aux/broctl/bin/extract-strictly-local-conns
deleted file mode 100755
index 4f3b5e0af1..0000000000
--- a/aux/broctl/bin/extract-strictly-local-conns
+++ /dev/null
@@ -1,40 +0,0 @@
-#! /usr/bin/env python
-#
-# $Id: extract-strictly-local-conns 6813 2009-07-07 18:54:12Z robin $
-#
-
-import sys
-
-import SubnetTree
-
-def readNetworks(file):
-
-    nets = SubnetTree.SubnetTree()
-
-    for line in open(file):
-        line = line.strip()
-        if not line or line.startswith("#"):
-            continue
-
-        fields = line.split()
-        cidr = fields[0]
-        descr = " ".join(fields[1:])
-
-        try:
-            nets[cidr] = descr
-        except KeyError:
-            print >>sys.stderr, "cannot parse network specification '%s'" % cidr
-
-
-    return nets
-
-if len(sys.argv) != 2:
-    print >>sys.stderr, "usage: %s networks.cfg <conn.log" % sys.argv[0]
-    sys.exit(1)
-
-nets = readNetworks(sys.argv[1])
-
-for line in sys.stdin:
-    m = line.split()
-    if m[2] in nets and m[3] in nets:
-        print line,
diff --git a/aux/broctl/bin/get-prof-log.in b/aux/broctl/bin/get-prof-log.in
deleted file mode 100755
index 7576813118..0000000000
--- a/aux/broctl/bin/get-prof-log.in
+++ /dev/null
@@ -1,26 +0,0 @@
-#! /usr/bin/env bash
-#
-# $Id: get-prof-log.in 6811 2009-07-06 20:41:10Z robin $
-#
-# Copies $3/prof.log from the node $1, running on host $2, to the manager 
-
-tag=$1
-host=$2
-path=$3
-
-dstbase=${statsdir}/prof.$tag
-tmp=$dstbase.$$.log.tmp
-
-# Ignore errors.
-scp $host:$path $tmp >/dev/null 2>&1
-
-if [ -e $tmp ]; then
-   # Rename the file to use the first non-zero timestamp in the filename. 
-   ts=`awk '$1 > 0 {print $1; exit(0); }' <$tmp`
-   if [ "$ts" != "" ]; then
-       mv $tmp $dstbase.$ts.log
-   fi
-fi
-
-
-
diff --git a/aux/broctl/bin/helpers/cat-file b/aux/broctl/bin/helpers/cat-file
deleted file mode 100755
index 2aab375fb7..0000000000
--- a/aux/broctl/bin/helpers/cat-file
+++ /dev/null
@@ -1,14 +0,0 @@
-#! /usr/bin/env bash
-#
-# $Id: cat-file 6811 2009-07-06 20:41:10Z robin $
-#
-# cat-file <file>
-
-if [ -f $1 ]; then
-   echo 0
-   cat $1
-else
-   echo 1
-fi   
-
-echo ~~~
diff --git a/aux/broctl/bin/helpers/check-pid b/aux/broctl/bin/helpers/check-pid
deleted file mode 100755
index 1991c503ca..0000000000
--- a/aux/broctl/bin/helpers/check-pid
+++ /dev/null
@@ -1,19 +0,0 @@
-#! /usr/bin/env bash
-#
-# $Id: check-pid 6811 2009-07-06 20:41:10Z robin $
-#
-#  check-pid <pid> 
-
-( ps aux | awk '{print $2}' | grep -v check-pid | grep -v grep | grep -q "^$1$" )  2>/dev/null
-
-if [ $? = 0 ]; then
-   echo 0
-else
-   echo 1
-fi
-
-echo ~~~
-
-
-
-
diff --git a/aux/broctl/bin/helpers/df.in b/aux/broctl/bin/helpers/df.in
deleted file mode 100755
index 553ae39ca1..0000000000
--- a/aux/broctl/bin/helpers/df.in
+++ /dev/null
@@ -1,11 +0,0 @@
-#! /usr/bin/env bash
-#
-# $Id: df.in 6811 2009-07-06 20:41:10Z robin $
-#
-# df <path>
-#
-# Returns:  <fs> <fs-size> <fs-used> <fs-avail>
-
-echo 0
-df -h $1 | awk '{print $1, $2, $3, $4}' | tail -1 | awk -f ${helperdir}/to-bytes.awk
-echo ~~~
diff --git a/aux/broctl/bin/helpers/exists b/aux/broctl/bin/helpers/exists
deleted file mode 100755
index 9f60841e69..0000000000
--- a/aux/broctl/bin/helpers/exists
+++ /dev/null
@@ -1,13 +0,0 @@
-#! /usr/bin/env bash
-#
-# $Id: exists 6811 2009-07-06 20:41:10Z robin $
-#
-# exists <path>
-
-if [ -e $1 ]; then
-   echo 0
-else
-   echo 1
-fi   
-
-echo ~~~
diff --git a/aux/broctl/bin/helpers/gdb-attach.in b/aux/broctl/bin/helpers/gdb-attach.in
deleted file mode 100755
index f1c4a6e35a..0000000000
--- a/aux/broctl/bin/helpers/gdb-attach.in
+++ /dev/null
@@ -1,17 +0,0 @@
-#! /usr/bin/env bash
-#
-# $Id: gdb-attach.in 6811 2009-07-06 20:41:10Z robin $
-#
-# gdb-attach <screen-session-name> <binary> <pid>
-
-session=$1
-binary=$2
-pid=$3
-
-cmds=${tmpdir}/gdb.cmd
-echo "continue" >$cmds
-
-echo 0
-screen -s $session -X quit >/dev/null 2>&1 
-screen -dmS $session gdb -x $cmds $binary $pid
-echo ~~~
diff --git a/aux/broctl/bin/helpers/get-childs b/aux/broctl/bin/helpers/get-childs
deleted file mode 100755
index be4b38774c..0000000000
--- a/aux/broctl/bin/helpers/get-childs
+++ /dev/null
@@ -1,12 +0,0 @@
-#! /usr/bin/env bash
-#
-# $Id: get-childs 6811 2009-07-06 20:41:10Z robin $
-#
-#  get-childs <pid> 
-
-echo 0
-ps ax -o pid,ppid | awk -v pid=$1 '$2==pid {print $1}'
-echo ~~~
-
-
-
diff --git a/aux/broctl/bin/helpers/is-alive b/aux/broctl/bin/helpers/is-alive
deleted file mode 100755
index e69de29bb2..0000000000
diff --git a/aux/broctl/bin/helpers/is-dir b/aux/broctl/bin/helpers/is-dir
deleted file mode 100755
index 0d8d1a9349..0000000000
--- a/aux/broctl/bin/helpers/is-dir
+++ /dev/null
@@ -1,13 +0,0 @@
-#! /usr/bin/env bash
-#
-# $Id: is-dir 6811 2009-07-06 20:41:10Z robin $
-#
-# is-dir <path>
-
-if [ -d $1 ]; then
-   echo 0
-else
-   echo 1
-fi   
-
-echo ~~~
diff --git a/aux/broctl/bin/helpers/rmdir b/aux/broctl/bin/helpers/rmdir
deleted file mode 100755
index 0ca542fe19..0000000000
--- a/aux/broctl/bin/helpers/rmdir
+++ /dev/null
@@ -1,14 +0,0 @@
-#! /usr/bin/env bash
-#
-# $Id: rmdir 6811 2009-07-06 20:41:10Z robin $
-#
-# rmdir <dir>
-
-if [ -d $1 ]; then
-   rm -rf $1 
-   echo $?
-else
-   echo 0
-fi   
-
-echo ~~~
diff --git a/aux/broctl/bin/helpers/run-cmd b/aux/broctl/bin/helpers/run-cmd
deleted file mode 100755
index c70b1e38e3..0000000000
--- a/aux/broctl/bin/helpers/run-cmd
+++ /dev/null
@@ -1,9 +0,0 @@
-#! /usr/bin/env bash
-#
-# $Id: run-cmd 6811 2009-07-06 20:41:10Z robin $
-#
-#  run-cmd <cmd> 
-
-echo 0     # Fix me. Should be real return code.
-eval $@ 2>&1
-echo ~~~
diff --git a/aux/broctl/bin/helpers/run-cmd.in b/aux/broctl/bin/helpers/run-cmd.in
deleted file mode 100755
index f4571a08a2..0000000000
--- a/aux/broctl/bin/helpers/run-cmd.in
+++ /dev/null
@@ -1,35 +0,0 @@
-#! /usr/bin/env bash
-#
-# $Id: run-cmd.in 6811 2009-07-06 20:41:10Z robin $
-#
-#  run-cmd [options] <cmd> 
-#
-#  -t 	time command
-#  -b   run in background
-
-time=""
-background=0
-
-while [ "$#" -gt "0" ]; do
-      case $1 in
-            -t) 
-                time=${time}
-                ;;
-            -b) background=1
-                ;;
-            *)
-              	break
-                ;;
-      esac
-      shift
-done                                                                                                                                                                              esac
-
-echo time, $time
-echo bg, $background
-echo rest, $@
-
-exit
-
-echo 0     # Fix me. Should be real return code.
-eval $@ 2>&1
-echo ~~~
diff --git a/aux/broctl/bin/helpers/start.in b/aux/broctl/bin/helpers/start.in
deleted file mode 100755
index be2cc9c431..0000000000
--- a/aux/broctl/bin/helpers/start.in
+++ /dev/null
@@ -1,23 +0,0 @@
-#! /usr/bin/env bash
-#
-# $Id: start.in 6811 2009-07-06 20:41:10Z robin $
-#
-#  start <cwd> <Bro args>
-
-cd $1 2>/dev/null
-shift 
-
-rm -f .pid
-
-nohup ${scriptsdir}/run-bro $@ >stdout.log 2>stderr.log &
-
-while [ ! -e .pid ]; do
-   sleep 1
-done
-
-echo 0
-cat .pid
-echo ~~~
-
-
-
diff --git a/aux/broctl/bin/helpers/stop b/aux/broctl/bin/helpers/stop
deleted file mode 100755
index 8ca9143946..0000000000
--- a/aux/broctl/bin/helpers/stop
+++ /dev/null
@@ -1,13 +0,0 @@
-#! /usr/bin/env bash
-#
-# $Id: stop 6811 2009-07-06 20:41:10Z robin $
-#
-#  stop <pid> <signal>
-
-kill -$2 $1 >/dev/null 2>&1 
-echo 0
-echo ~~~
-
-
-
-
diff --git a/aux/broctl/bin/helpers/to-bytes.awk b/aux/broctl/bin/helpers/to-bytes.awk
deleted file mode 100644
index 4b22539d65..0000000000
--- a/aux/broctl/bin/helpers/to-bytes.awk
+++ /dev/null
@@ -1,16 +0,0 @@
-# $Id: to-bytes.awk 6811 2009-07-06 20:41:10Z robin $
-
-# Converts strings such as 12K, 42M, etc. into bytes.
-
-{
-    for ( i = 1; i <= NF; i++) {
-	    if ( match($i, "^(-?[0-9.]+)By?$") ){ $i = substr($i, RSTART, RLENGTH-1); }
- 	    else if ( match($i, "^(-?[0-9.]+)Ki?$") ){ $i = substr($i, RSTART, RLENGTH-1) * 1024; }
-	    else if ( match($i, "^(-?[0-9.]+)Mi?$") ){ $i = substr($i, RSTART, RLENGTH-1) * 1024 * 1024; }
-	    else if ( match($i, "^(-?[0-9.]+)Gi?$") ){ $i = substr($i, RSTART, RLENGTH-1) * 1024 * 1024 * 1024; }
-	    else if ( match($i, "^(-?[0-9.]+)Te?$") ){ $i = substr($i, RSTART, RLENGTH-1) * 1024 * 1024 * 1024 * 1024; }
-	    printf("%s ", $i);
-	}
-
-    print ""; 
-}
diff --git a/aux/broctl/bin/helpers/top.in b/aux/broctl/bin/helpers/top.in
deleted file mode 100755
index ee05932011..0000000000
--- a/aux/broctl/bin/helpers/top.in
+++ /dev/null
@@ -1,29 +0,0 @@
-#! /usr/bin/env bash
-#
-# $Id: top.in 6811 2009-07-06 20:41:10Z robin $
-#
-#  top 
-#
-#  Outputs one line per active process as follows:
-# 
-#           <pid> <vsize bytes> <rss in bytes> <%cpu> <cmdline>
-
-cmd_linux='top -b -n 1 | awk "/^ *[0-9]+ /{printf(\"%d %dK %dK %d %s\\n\", \$1, \$5, \$6, \$9, \$12)}"'
-cmd_freebsd='top -u -b all | awk "/^ *[0-9]+ /{printf(\"%d %s %s %d %s\\n\", \$1, \$6, \$7, \$11, \$12)}"'
-cmd_freebsd_nonsmp='top -u -b all | awk "/^ *[0-9]+ /{printf(\"%d %s %s %d %s\\n\", \$1, \$6, \$7, \$10, \$11)}"'
-cmd_darwin='top -l 1 | awk "/^ *[0-9]+ /{printf(\"%d %dK %dK %d %s\\n\", \$1, \$11, \$10, \$3, \$2)}"'
-cmd_netbsd='top -b -u  | awk "/^ *[0-9]+ /{printf(\"%d %s %s %d %s\\n\", \$1, \$5, \$6, \$10, \$11)}"'
-
-cmd="$cmd_${os}"
-
-if [ "${os}" == "freebsd" ]; then
-   # Top's output looks different on non-SMP FreeBSD machines.
-   top -u -b all | grep -q "STATE  C   TIME" || cmd="$cmd_freebsd_nonsmp"
-fi
-
-unset LINES
-unset COLUMNS
-
-echo 0
-eval $cmd | awk -f ${helperdir}/to-bytes.awk
-echo ~~~
diff --git a/aux/broctl/bin/is-alive b/aux/broctl/bin/is-alive
deleted file mode 100755
index e69de29bb2..0000000000
diff --git a/aux/broctl/bin/is-alive.in b/aux/broctl/bin/is-alive.in
deleted file mode 100755
index ef2bb705da..0000000000
--- a/aux/broctl/bin/is-alive.in
+++ /dev/null
@@ -1,16 +0,0 @@
-#! /usr/bin/env bash
-#
-# $Id: is-alive.in 6811 2009-07-06 20:41:10Z robin $
-#
-# is-alive <host>
-
-cmd_linux='ping -c 1 -W 1'
-cmd_bsd='ping -q -t 1 -o'
-
-if [ "${os}" == "linux" ]; then
-   cmd=$cmd_linux
-else
-   cmd=$cmd_bsd
-fi
-
-$cmd $1 >/dev/null 2>&1
diff --git a/aux/broctl/bin/local-interfaces b/aux/broctl/bin/local-interfaces
deleted file mode 100755
index a3e6d66607..0000000000
--- a/aux/broctl/bin/local-interfaces
+++ /dev/null
@@ -1,9 +0,0 @@
-#! /usr/bin/env bash
-#
-# $Id: local-interfaces 6811 2009-07-06 20:41:10Z robin $
-#
-# Returns a list of the IP addresses associated with local interfaces.
-
-# Tested with Linux, FreeBSD and MacOS.
-# TODO: Not sure if this is sufficient for IPv6 addresses.
-ifconfig -a | sed -n 's/.*inet6\{0,1\} \(addr: *\)\{0,1\}\([^ ]*\).*/\2/gp'
diff --git a/aux/broctl/bin/mail-alarm.in b/aux/broctl/bin/mail-alarm.in
deleted file mode 100755
index 10f3d42440..0000000000
--- a/aux/broctl/bin/mail-alarm.in
+++ /dev/null
@@ -1,33 +0,0 @@
-#! /usr/bin/env bash
-#
-# $Id: mail-alarm.in 6811 2009-07-06 20:41:10Z robin $
-#
-# Mails out individual Bro alerts. 
-# Intended to be used as a Bro mail_script (see notice.bro), which
-# means that we will be called as /bin/mail would, i.e., 
-#
-# 		-s "[Bro Alarm] <notice_type>" <mail_dest>
-#
-
-subject="<No subject>"
-
-while getopts s: opt; do
-    case "$opt" in
-	    s) subject="$OPTARG";;
-	esac
-done
-
-shift $(($OPTIND - 1))
-
-# Remove Bro's subject prefix and insert our own.
-subject=`echo $subject | sed 's/\[Bro Alarm\] */${mailalarmprefix} /g'`
-
-# If the the destination given by Bro is "_broctl_default_", we use our 
-# configured address.
-if [ "$1" = "_broctl_default_" ]; then 
-    ${scriptsdir}/send-mail "$subject" "${mailalarmsto}"
-else
-    ${scriptsdir}/send-mail "$subject" "$1"
-fi 
-
-
diff --git a/aux/broctl/bin/mail-contents.in b/aux/broctl/bin/mail-contents.in
deleted file mode 100755
index ba0fec226b..0000000000
--- a/aux/broctl/bin/mail-contents.in
+++ /dev/null
@@ -1,34 +0,0 @@
-#! /usr/bin/env bash
-#
-# $Id: mail-contents.in 6811 2009-07-06 20:41:10Z robin $
-#
-# mail-proto-violations 
-#
-# Gets its arguments via the environment. 
-
-tmp=${tmpdir}/`basename $0`.$$.tmp
-maxlen=8192
-
-function printData
-{
-   addr="$1"
-   name="$2"
-   file="$3"
-
-   title="$addr ($name)" 
-   echo >>$tmp
-   echo "> ---- $title ----------------------------" >>$tmp
-   echo >>$tmp
-   hexdump -e '60/ "%_c" "\n"' -n $maxlen $file >>$tmp 
-   rm -f $file
-}
-
-echo $BRO_ARG_BODY | sed 's/@@/\
-/g' >$tmp
-
-printData "$BRO_ARG_ORIG_H" "$BRO_ARG_ORIG_NAME" "$BRO_ARG_CONTENTS_ORIG"
-printData "$BRO_ARG_RESP_H" "$BRO_ARG_RESP_NAME" "$BRO_ARG_CONTENTS_RESP"
-
-${scriptsdir}/send-mail "$BRO_ARG_SUBJECT" $BRO_ARG_MAIL_DEST <$tmp 
-
-rm -f $tmp
diff --git a/aux/broctl/bin/make-plots.r b/aux/broctl/bin/make-plots.r
deleted file mode 100644
index cabef158df..0000000000
--- a/aux/broctl/bin/make-plots.r
+++ /dev/null
@@ -1,232 +0,0 @@
-
-# $Id: make-plots.r 6813 2009-07-07 18:54:12Z robin $
-
-# Text & pch scaling.
-scale.cex		<- 1.4 
-scale.cex.lab	<- 1.4
-scale.cex.legend <- 1.0
-
-# Parameters for nicer plotting
-sample <- 10
-num <- 50 
-shift <- 0
-
-plotLoad <- function(tag, host, key, style, factor=1)
-{                       
-    file <- paste(tag, ".", host, ".dat", sep="")
-    data <- read.table(file, header=TRUE)
-    print(file)
-
-    times <- data$time
-    vals  <- data[[key]] / factor
-
-	l <- xy.coords(times, vals)
-    l$x = l$x[seq(1, length(l$x), by=sample)]
-	l$y = l$y[seq(1, length(l$y), by=sample)]
-	p <- seq(1 + shift * length(l$x) / num, length(l$x), length=num)
-	lines(l$x, l$y, col=style)
-	points(l$x[p], l$y[p], col=style, pch=style)
-}
-
-plotSeries <- function(tag, hosts, type, factor=1)
-{
-   	style <- 1
-    labels <- c()
-    for ( i in seq(1, length(hosts)) ) {
-        plotLoad(tag, hosts[i], type, style, factor=factor)
-        style <- style + 1
-        labels <- c(labels, hosts[i])
-        }
-
-    lsize <- length(labels)
-    cornerLegend(legend=labels, col=c(1:lsize), lty=1, pch=c(1:lsize), corner=2, cex=scale.cex.legend, ncol=5)
-    dev.off()
-}
-
-
-plotScale <- function(file, tag, host, ymax, title, xlab, ylab)
-{
- 	postscript(file, paper="special", width=11, height=6.5)    
-    par(cex=1.3)
-    file <- paste(tag, ".", host, ".dat", sep="")
-    data <- read.table(file, header=TRUE)
-
-    times <- data$time
-
- 	timeplot(c(min(times), max(times)), c(0, ymax), type="n", xlab=xlab, ylab=ylab, timezone=7, main=title)
-}
-
-########## Stolen from Holger #######################
-
-weekdays<-c("Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat")
-weekdaysLong<-c("Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday")
-
-time2str<-function(unixt, timezone=1)
-{
-	t<-timestamp(unixt, timezone)
-	s<-weekdays[t[1]+1]
-	s<-paste(s, t[2], sep=" ")
-	s<-paste(s, sprintf("%02g", t[3]), sep=":")
-	s
-}
-
-timeticks <- function (start, end, tickdist=NULL, labeldist=NULL, offset=1, timezone=1)
-{
-	if(identical(tickdist,NULL)) 
-		tickdist<-timetickdist(start, end)
-	if(identical(labeldist, NULL)) 
-		labeldist<-tickdist
-	pos<-start-1
-	res=list(ticks=c(), labels=c())
-	while(pos < end)
-	{
-		pos<-nexttick(pos, tickdist, offset)
-		if(pos<=end)
-		{
-			res$ticks<-c(res$ticks, pos)
-			if (identical((pos+offset*3600)%%labeldist,0)) 
-				res$labels<-c(res$labels, time2str(pos, timezone=offset)) 
-			else 
-				res$labels<-c(res$labels, " ")
-
-		}
-	}
-	res
-}
-
-nexttick <- function (cur, dist, offset=1) 
-{
-	nextt <- cur
-	curTZ = cur+offset*3600
-	if (identical(curTZ%%dist,0)) 
-		nextt <- cur+dist 
-	else 
-		nextt <- cur+(dist-(curTZ%%dist))
-
-	nextt
-}
-
-timetickdist <- function (start, end)
-{
-  d <- end-start
-  tickdist <- 3600*24
-  if (d<=3600*24*7) tickdist<-3600*12
-  if (d<=3600*24*3) tickdist<-3600*6
-  if (d<=3600*24) tickdist<-3600*2
-  if (d<=3600*12) tickdist<-3600
-  if (d<=3600) tickdist<-15*60
-  tickdist
-}
-
-cet <- function (unixt)
-{
-	timestamp(unixt, 1)
-}
-
-timestamp<-function (unixt, offset)
-{
-	unixt<-floor(unixt)
-	secs<-unixt%%60
-	unixt<-unixt%/%60
-	mins<-unixt%%60
-	unixt<-(unixt%/%60) + offset
-	hrs<-unixt%%24
-	unixt<-unixt%/%24
-	days<-(unixt-3)%%7 
-	c(days,hrs,mins,secs)
-}
-
-timeaxis <- function(xrange, offset=1, labels=T, timezone=1)
-{
-	t <- timeticks(xrange[1], xrange[2], offset=offset, timezone=timezone)
-	if (labels) 
-		axis(1, at=t$ticks, labels=t$labels)
-	else 
-		axis(1, at=t$ticks, labels=F)
-}
-
-timeplot <- function(x, y, offset=1, labels=T, timezone=1, ...)
-{
-	plot(x, y, axes=F, ...)
-	box()
-	axis(2)
-	timeaxis(range(x), offset, labels, timezone=timezone)
-}
-
-cornerLegend<-function(corner = 1, xoffs=0, yoffs=0, ...) {
-	xalign = 0
-		yalign = 0
-		smoothf=c(1,1)
-		if (corner == 1){
-			corner<-c(par()$usr[1], par()$usr[3])
-				xalign = 0
-				yalign = 0
-		}else if (corner == 2){
-			corner<-c(par()$usr[1], par()$usr[4])
-				xalign = 0
-				yalign = 1
-				smoothf=c(1,-1)
-		}else if (corner == 3){
-			corner<-c(par()$usr[2], par()$usr[4])
-				xalign = 1
-				yalign = 1
-				smoothf= c(-1,-1)
-		}else{
-			corner<-c(par()$usr[2], par()$usr[3])
-				xalign = 1
-				yalign = 0
-				smoothf = c(-1,1)
-		}
-
-	cat(corner, "\n")
-
-		smooth<-c(0,0)
-		if(par("xlog")){
-			corner[1]<-10^corner[1]
-				smooth[1]<-0
-		}else{
-			smooth[1]<-(par("usr")[2]-par("usr")[1])/50
-		}
-	if(par("ylog")){
-		corner[2]<-10^corner[2]
-			smooth[2]<-(10^par("usr")[4]-10^par("usr")[3])/-50
-	}else{
-		smooth[2]<-(par("usr")[4]-par("usr")[3])/50
-	}
-	smooth<-smooth*smoothf
-		cat (smooth, "\n")
-		legend(x=corner[1]+smooth[1]+xoffs, y=corner[2]+smooth[2]+yoffs, xjust=xalign, yjust=yalign, ...)
-}
-
-########## End of Stolen from Holger #######################
-
-# Interface statistics
-
-hosts <- read.table("interface.hosts.dat", header=TRUE, as.is=TRUE)$name
-plotScale("bandwith.eps", "interface", hosts[1], 500, "Bandwidth", "Time", "Mbps")
-plotSeries("interface", hosts, "mbps")
-
-# CPU Load Child Process
-
-hosts <- read.table("child.hosts.dat", header=TRUE, as.is=TRUE)$name
-plotScale("cpu-child.eps", "child", hosts[1], 120, "CPU Load - Child Process", "Time", "Load")
-plotSeries("child", hosts, "cpu")
-
-# CPU Load Parent Process
-
-hosts <- read.table("parent.hosts.dat", header=TRUE, as.is=TRUE)$name
-plotScale("cpu-parent.eps", "parent", hosts[1], 120, "CPU Load - Parent Process", "Time", "Load")
-plotSeries("parent", hosts, "cpu")
-
-# Memory Parent Process
-
-hosts <- read.table("parent.hosts.dat", header=TRUE, as.is=TRUE)$name
-plotScale("mem-parent.eps", "parent", hosts[1], 2, "Memory - Parent Process", "Time", "GBytes")
-plotSeries("parent", hosts, "vsize", factor=1024*1024*1024)
-
-# Memory Child Process
-
-hosts <- read.table("child.hosts.dat", header=TRUE, as.is=TRUE)$name
-plotScale("mem-child.eps", "child", hosts[1], 2, "Memory - Child Process", "Time", "GBytes")
-plotSeries("child", hosts, "vsize", factor=1024*1024*1024)
-
diff --git a/aux/broctl/bin/make-wrapper.in b/aux/broctl/bin/make-wrapper.in
deleted file mode 100755
index e6f4003639..0000000000
--- a/aux/broctl/bin/make-wrapper.in
+++ /dev/null
@@ -1,14 +0,0 @@
-#! /usr/bin/env bash
-#
-# $Id: make-wrapper.in 6811 2009-07-06 20:41:10Z robin $
-#
-# Wrapper to call the broctl script from the Makefile, settting
-# some environment variables first.
-
-export BROBASE=$PREFIX
-export BRODIST=$BRODIST
-
-export BROCTL_INSTALL=1
-export PYTHONPATH=$BRODIST/aux/broctl:$PYTHONPATH
-
-./bin/broctl $@
diff --git a/aux/broctl/bin/post-terminate.in b/aux/broctl/bin/post-terminate.in
deleted file mode 100755
index 8040086700..0000000000
--- a/aux/broctl/bin/post-terminate.in
+++ /dev/null
@@ -1,77 +0,0 @@
-#! /usr/bin/env bash 
-#
-# $Id: post-terminate.in 6813 2009-07-07 18:54:12Z robin $
-#
-# Cleans-up after termination.
-#
-# post-terminate <dir> [crash]
-#
-# If $2 is "crash", then the scripts assumes that Bro crashed and will return
-# information about the crash on stdout which is suitable for mailing to the user. 
-
-dir=$1
-
-crash=0
-if [ "$2" == "crash" ]; then
-   crash=1
-fi   
-
-if [ ! -d $dir ]; then
-   echo No $dir
-   exit
-fi
-
-date=`date +%Y-%m-%d-%H-%M-%S`
-tmp=${tmpdir}/post-terminate-$date-$$
-
-if [ "$crash" = "1" ]; then
-   cd $1
-   ${scriptsdir}/crash-diag $dir
-   tmp=$tmp-crash
-   archive_flags="-c" # Don't delete log files in work dir.
-fi    
-
-if [ ! -d ${tmpdir} ]; then 
-   mkdir ${tmpdir} 
-fi
-
-mv $dir $tmp 2>/dev/null
-
-mkdir $dir 2>/dev/null
-
-if [ -d $tmp/.state ]; then
-   mv $tmp/.state $dir 2>/dev/null
-fi   
-
-cd $tmp
-
-if [ "$crash" = "1" ]; then
-   tmpbro=${tmpexecdir}/`basename ${bro}`
-   cp $tmpbro .
-fi
-
-# Run post-processors manually. 
-
-if [ ! -f .startup ]; then
-   echo No .startup
-   exit
-fi
-
-end=`date +%y-%m-%d_%H.%M.%S`
-start=`cat .startup | tail -1`
-if [ "$crash" = "1" -a -e .rotate ]; then
-   start=`cat .rotate | tail -1`
-fi   
-
-#if [ -e .peer_description ]; then
-#   tag=`cat .peer_description | tail -1`
-#fi   
-
-( for i in *.log; do
-    if [ -s $i ]; then
-       ${scriptsdir}/archive-log $archive_flags $i $i $start $end $tag >/dev/null &
-    fi
-  done && wait && if [ "$crash" = "0" ]; then rm -rf $tmp; fi ) &
-
-
-
diff --git a/aux/broctl/bin/postprocessors/mail-log.in b/aux/broctl/bin/postprocessors/mail-log.in
deleted file mode 100755
index 5865cdcede..0000000000
--- a/aux/broctl/bin/postprocessors/mail-log.in
+++ /dev/null
@@ -1,35 +0,0 @@
-#! /usr/bin/env bash
-#
-# $Id: mail-log.in 6811 2009-07-06 20:41:10Z robin $
-#
-# Formats Bro's mail.log, archives, encrypts and mails it (if requested).
-#
-# It's called as a Bro postprocessor so its arguments are:
-# 	   mail-log <logfile> <basename> <timestamp-when-opened> <timestamp-when-closed> [<tag>]
-
-if [ "$2" != "mail.log" ]; then
-   exit 0
-fi
-
-log=$1
-base=$2
-open=$3
-close=$4
-tag=$5
-
-# Do nothing if log is empty
-if [ ! -s $log ]; then
-    rm -f $log
-    exit 0;
-fi
-
-# Build subject 
-start=`echo $open | sed 's/^..-..-.._//' | sed 's/\./:/g'`
-end=`echo $close | sed 's/^..-..-.._//' | sed 's/\./:/g'`
-subject="Log from $start-$end"
-
-# Mail it.
-if [ "${mailalarms}" == "1" ]; then
-   ${scriptsdir}/send-mail "$subject" "${mailalarmsto}" <$log
-fi
-
diff --git a/aux/broctl/bin/postprocessors/summarize-connections.in b/aux/broctl/bin/postprocessors/summarize-connections.in
deleted file mode 100755
index 0aef658dc2..0000000000
--- a/aux/broctl/bin/postprocessors/summarize-connections.in
+++ /dev/null
@@ -1,54 +0,0 @@
-#! /usr/bin/env bash
-#
-# $Id: summarize-connections.in 6813 2009-07-07 18:54:12Z robin $
-#
-# Bro postprocessor script to summarize connection summaries. 
-#
-# Needs trace-summary script.
-#
-# summarize-conns <rotated-file-name> <base-name> <timestamp-when-opened> <timestamp-when-closed> [<tag>]
-
-if [ "$2" != "conn.log" ]; then
-   exit 0
-fi
-
-summary_options="-c -r"
-
-# If we're a cluster installation, we assume we have lots of traffic and activate sampling.
-if [ "${standalone}" != "0" ]; then
-   summary_options="$summary_options -S 0.01" 
-fi    
-
-if [ -e ${localnetscfg} ]; then
-   summary_options="$summary_options -l ${localnetscfg}"
-fi
-
-input=$1
-open=$3
-close=$4
-
-output=conn-summary.log
-
-# GNU's time can do memory as well.
-export TIME="%E real, %U user, %S sys, %KK total memory"
-
-if [ "${tracesummary}" != "" ]; then
-   # Build subject 
-   start=`echo $open | sed 's/^..-..-.._//' | sed 's/\./:/g'`
-   end=`echo $close | sed 's/^..-..-.._//' | sed 's/\./:/g'`
-   subject="Connection summary from $start-$end"
-
-   LIMIT=${memlimit:1572864}
-   ulimit -m $LIMIT
-   ulimit -v $LIMIT
-
-   export PYTHONPATH=${libdirinternal}:$PYTHONPATH
-   nice ${time} ${tracesummary} $summary_options $input 2>&1 | grep -v "exceeds bandwith" >$output
-
-   ${scriptsdir}/send-mail "$subject" <$output
-   ${scriptsdir}/archive-log $output $output $3 $4 $5
-fi   
-
-
-
-
diff --git a/aux/broctl/bin/reformat-stats b/aux/broctl/bin/reformat-stats
deleted file mode 100755
index 04dba1cf12..0000000000
--- a/aux/broctl/bin/reformat-stats
+++ /dev/null
@@ -1,128 +0,0 @@
-#! /usr/bin/env python
-#
-# $Id: reformat-stats 6813 2009-07-07 18:54:12Z robin $
-#
-# Turns spool/stats.log into a format more something suitable for R.
-#
-# reformat-stats <stats.log> <dst-dir>
-#
-# Existing data in dst-dir will be deleted.
-
-import sys
-import math
-import os
-
-def filterOutput(tag, host):
-    os.system("cat %s/%s.dat | egrep '%s|^ *time' >%s/%s.%s.dat" % (Dest, tag, host, Dest, tag, host))
-
-def makeOutput(file, tag):
-
-    out = open("%s/%s.dat" % (Dest, tag), "w")
-
-    hosts = {}
-    data = {}
-    keys = {}
-
-    for line in open(file):
-
-        f = line.split()
-        if f[3] == "error": 
-            continue
-
-        try:
-            (time, host, t, key, val)  = f
-        except ValueError:
-            try:
-                (time, host, t, key)  = f
-                val = "-"
-            except ValueError:
-                print >>sys.stderr, "cannot parse '%s'" % line
-                continue
-
-        if t != tag:
-            continue
-
-        hosts[host] = 1
-
-        time = math.floor(float(time))
-        val = val
-
-        if not time in data:
-            data[time] = {}
-
-        interval = data[time]
-
-        if not host in interval:
-            interval[host] = {}
-
-        vals = interval[host]
-        vals[key] = val
-        keys[key] = 1
-
-    intervals = data.keys()
-    intervals.sort()
-
-    keys = keys.keys()
-
-    print >>out, "%10s %10s" % ("time", "node"),
-    for k in keys:
-        print >>out, "%10s" % k,
-    print >>out
-
-    for t in intervals:
-
-        itv = data[t]
-
-        idxs = itv.keys()
-        idxs.sort()
-
-        for idx in idxs:
-
-            vals = itv[idx]
-
-            print >>out, "%10.0f %10s" % (t, idx),
-
-            for k in keys:
-                if k in vals:
-                    print >>out, "%10s" % vals[k],
-                else:
-                    print >>out, "%10s" % "-",
-
-            print >>out
-
-    out.close()
-
-    hosts = hosts.keys()
-    hosts.sort()
-    for host in hosts:
-        filterOutput(tag, host)
-
-    hostlist = open("%s/%s.hosts.dat" % (Dest, tag), "w")
-    print >>hostlist, "name";
-    for host in hosts:
-        print >>hostlist, host;
-
-
-if len(sys.argv) != 3:
-    print "Usage: reformat-stats <stats.log> <dst-dir>"
-    print "Existing data in <dst-dir> will be deleted!"
-    sys.exit(1)
-
-Dest = sys.argv[2]
-
-os.system("rm -rf %s" % Dest)
-os.mkdir(Dest)
-
-for tag in ["parent", "child", "interface"]:
-    makeOutput(sys.argv[1], tag)
-
-
-
-
-
-
-
-
-
-
-
diff --git a/aux/broctl/bin/remove-log b/aux/broctl/bin/remove-log
deleted file mode 100755
index 3bb17a9a45..0000000000
--- a/aux/broctl/bin/remove-log
+++ /dev/null
@@ -1,9 +0,0 @@
-#! /usr/bin/env bash
-#
-# $Id: remove-log 6811 2009-07-06 20:41:10Z robin $
-#
-# This script can be used as a Bro log postprocessor to simply *delete* 
-# the files after rotation.
-
-rm $1
-
diff --git a/aux/broctl/bin/run-bro.in b/aux/broctl/bin/run-bro.in
deleted file mode 100755
index d95a8dadf6..0000000000
--- a/aux/broctl/bin/run-bro.in
+++ /dev/null
@@ -1,75 +0,0 @@
-#! /usr/bin/env bash
-#
-# $Id: run-bro.in 6860 2009-08-14 19:01:47Z robin $
-#
-# Wrapper script around the actual Bro invocation. 
-#
-# run-bro is automatically generated from run-bro.in. Edit only the latter!
-
-export PATH=${bindir}:${scriptsdir}:$PATH
-
-policies=${policydir}
-export BROPATH=${policydirsiteinstallauto}:${policydirsiteinstall}:$policies:$policies/sigs:$policies/time-machine:$policies/broctl:$policies/xquery
-
-if test `uname` == "FreeBSD" && uname -r | grep -q "^[456]"; then
-   export MALLOC_OPTIONS="HR" # Helps performance on FreeBSD < 7
-fi
-
-child=""
-
-trap sig_handler 0
-
-function sig_handler
-{
-    if [ "$child" != "" ]; then
-        kill -15 $child 2>/dev/null
-        echo KILLED 1>&2
-    fi;
-
-    if [ ! -e .pid ]; then
-       echo -1 >.pid
-    fi
-}
-
-LIMIT=${memlimit:1572864}
-ulimit -m $LIMIT
-ulimit -d $LIMIT
-ulimit -v $LIMIT
-ulimit -c unlimited
-
-echo $@ >.cmdline
-
-date +%s >.startup
-date >>.startup
-date +%y-%m-%d_%H.%M.%S >>.startup # Bro default format when rotating files. 
-
-if [ "$BRO_WORKER" != "" ]; then
-   touch .worker
-elif [ "$BRO_PROXY" != "" ]; then
-   touch .proxy
-elif [ "$BRO_MANAGER" != "" ]; then
-   touch .manager
-elif [ "$BRO_STANDALONE" != "" ]; then
-   touch .standalone
-else
-   echo "None of the environment variables BRO_{MANAGER,PROXY,WORKER,STANDALONE} set." 1>&2
-   echo -1 >.pid
-   exit 1
-fi
-
-# ulimit -a
-# echo 
-
-tmpbro=${tmpexecdir}/`basename ${bro}`
-
-rm -f $tmpbro
-cp -p ${bro} $tmpbro
-sleep 1
-nohup $tmpbro $@ &
-
-child=$!
-
-echo $child >.pid
-wait $child
-child=""
-
diff --git a/aux/broctl/bin/send-mail.in b/aux/broctl/bin/send-mail.in
deleted file mode 100755
index 6f857859af..0000000000
--- a/aux/broctl/bin/send-mail.in
+++ /dev/null
@@ -1,53 +0,0 @@
-#! /usr/bin/env bash
-#
-# $Id: send-mail.in 6811 2009-07-06 20:41:10Z robin $
-#
-# Usage: send-mail subject [destination] <txt
-#
-# Sends stdin per mail to recipients, adding some common headers/footers
-
-if [ "${sendmail}" != "1" ]; then
-   exit 0
-fi
-
-if [ $# -lt 1 -o $# -gt 2 ]; then
-   echo Wrong usage.
-   exit 1
-fi
-
-from="${mailfrom}"
-replyto="${replyto}"
-subject="${mailsubjectprefix} $1"
-
-if [ $# = 2 ]; then
-   to=$2
-else
-   to="${mailto}"
-fi
-
-tmp=${tmpdir}/mail.$$.tmp
-
-rm -f $tmp
-touch $tmp
-
-echo From: $from >>$tmp
-echo Subject: $subject >>$tmp
-echo To: $to >>$tmp
-echo User-Agent: Bro Control ${version} >>$tmp
-
-if [ "$replyto" != "" ]; then
-   echo Reply-To: $replyto >>$tmp
-fi
-
-echo >>$tmp
-
-cat >>$tmp
-
-cat >>$tmp <<EOF
-
--- 
-[Automatically generated.]
-
-EOF
-
-sendmail -t -oi <$tmp && rm -f $tmp
diff --git a/aux/broctl/bin/update.in b/aux/broctl/bin/update.in
deleted file mode 100755
index eaaef3d5a0..0000000000
--- a/aux/broctl/bin/update.in
+++ /dev/null
@@ -1,29 +0,0 @@
-#! /usr/bin/env bash
-#
-# $Id: update.in 6860 2009-08-14 19:01:47Z robin $
-#
-# update <destination> <Bro args>
-
-dst=$1
-shift
-args=$@
-
-# Creating temporary working directory.
-dir=${tmpdir}/update-$1-$$
-rm -rf $dir
-mkdir $dir
-cd $dir
-
-export PATH=${bindir}:${scriptsdir}:$PATH
-
-policies=${policydir}
-export BROPATH=${policydirsiteinstallauto}:${policydirsiteinstall}:$policies:$policies/sigs:$policies/time-machine:$policies/broctl:$policies/xquery
-
-${bro} "SendConfig::dst=$dst-update" $args send-config >out.log 2>&1
-rc=$?
-
-cat out.log | egrep -v "warning: no such host|received termination signal"
-rm -rf $dir
-
-exit $rc
-
diff --git a/aux/broctl/configure b/aux/broctl/configure
deleted file mode 100755
index 2391b0b36b..0000000000
--- a/aux/broctl/configure
+++ /dev/null
@@ -1,157 +0,0 @@
-#! /usr/bin/env python
-#
-# $Id: configure 6952 2009-12-05 00:23:47Z robin $
-
-import os
-import os.path
-import sys
-import stat
-import subprocess
-
-Prefix = "/usr/local/bro"  # match Bro's default.
-BroDist = os.path.abspath("../..")
-BroCtlSrc = os.path.join(BroDist, "aux/broctl")
-BroBuild = BroDist
-BroCtlBuild = os.path.join(BroDist, "aux/broctl")
-StandAlone = False
-
-def usage():
-    print """
-Usage: ./configure [--prefix=<dir>] [--brodist=<dir>] [--standalone]
-
-     --prefix=<dir>    Base directory for cluster installation [Default: %s]
-     --brodist=<dir>   Base directory of Bro distribution      [Default: %s]
-
-     --standalone      Do a non-cluster, one-Bro-only installation
-""" % (Prefix, BroDist)
-    sys.exit(1)
-
-args = {}
-for arg in sys.argv[1:]:
-    try:
-        m = arg.find("=")
-        if m >= 0: 
-            opt = arg[0:m].strip()
-	    val = arg[m+1:].strip()
-        else:
-            opt = arg.strip()
-            val = None
-
-        if opt == "--prefix" and val:
-            if val != "NONE":
-                Prefix = os.path.abspath(val)
-                
-        elif opt == "--brodist" and val:
-            BroDist = os.path.abspath(val)
-            BroCtlSrc = os.path.join(BroDist, "aux/broctl")
-            
-        elif opt == "--builddir" and val:
-            BroCtlBuild = os.path.abspath(val)
-            BroBuild = os.path.abspath(os.path.join(BroCtlBuild, "../.."))
-                    
-        elif opt == "--standalone":
-            StandAlone = True
-        else:
-            usage()
-
-        args[opt] = val
-
-    except ValueError:
-        usage()
-
-Version = open(os.path.join(BroDist, "aux/broctl/VERSION")).readline().strip()
-
-try:
-    p = subprocess.Popen("svnversion", stdin=subprocess.PIPE, stdout=subprocess.PIPE, close_fds=True)
-    (stdin, stdout) = (p.stdin, p.stdout)
-    stdin.close()
-    svnversion = stdout.readline().split()[0]
-    if svnversion != "exported":
-        Version += " [r%s]" % svnversion
-except:
-    pass
-        
-bin = os.path.join(BroCtlBuild, "bin")        
-if not os.path.exists(bin):
-    os.mkdir(bin)
-        
-# Create Makefile, bin/broctl and bin/make-env by replacing configuration variables.
-for file in ("Makefile", "bin/broctl", "bin/make-wrapper"):
-
-    src = os.path.join(BroDist, "aux/broctl/%s.in" % file)
-    dst = os.path.join(BroCtlBuild, file)
-
-    try:
-        os.unlink(dst)
-    except OSError:
-        pass
-
-    out = open(dst, "w")
-    
-    for line in open(src):
-        line = line.replace("$PREFIX", Prefix)
-        line = line.replace("$BRODIST", BroDist)
-        line = line.replace("$BROBUILD", BroBuild)
-        line = line.replace("$BROCTLBUILD", BroCtlBuild)
-        line = line.replace("$BROCTLSRC", BroCtlSrc)
-        line = line.replace("$STANDALONE", StandAlone and "True" or "False")
-        line = line.replace("$VERSION", Version)
-        print >>out, line, 
-
-    # Copy the mode of the source file but remove write permission 
-    # to prevent accidental modifications.
-    mode = os.stat(src).st_mode
-    os.chmod(dst, mode &~ 0222)
-
-    print "Created %s." % file
-
-# Create config.status.
-status = os.path.join(BroCtlBuild, "config.status")
-out = open(status, "w")
-print >>out, """#! /bin/sh
-# Generated by configure.
-# Run this file to recreate the current configuration.
-echo Recreating configuration.
-echo
-
-if [ -e ./BroControl ]; then
-    configure=./configure
-    args["--brodist"] = "../../"
-else
-    configure=%s/configure
-fi
-
-$configure %s && exit
-""" % (BroCtlSrc, " ".join(["%s=%s" % (k, v) for (k, v) in args.items()]))
-
-os.chmod(status, 0750)
-
-# Done.
-
-print """
-            Bro Control Configuration Summary
-==========================================================
-
-   Installation directory:      %s
-   Bro distribution:            %s
-   Bro build directory:         %s
-   Bro Control distribution:    %s
-   Bro Control build directory: %s
-   
-   Standalone installation:     %s
-
-""" % (Prefix, BroDist, BroBuild, BroCtlSrc, BroCtlBuild, (StandAlone and "yes" or "no"))
-
-
-
-
-
-
-
-
-
-
-
-
-
-
diff --git a/aux/broctl/etc/analysis.dat b/aux/broctl/etc/analysis.dat
deleted file mode 100644
index 03911b7371..0000000000
--- a/aux/broctl/etc/analysis.dat
+++ /dev/null
@@ -1,28 +0,0 @@
-# $Id: analysis.dat 6811 2009-07-06 20:41:10Z robin $
-#
-# Types of analysis which we can enable/disable via the cluster shell. 
-#
-# Format: <tag>  <mechanism>   <descr>
-#
-#   tag: 	   The name used to reference the type within the shell.
-#   mechanism: How we can enable/disable the analysis. Currently defined:
-#
-#                  bool:<global>         <global> is a Bro script-level boolean
-#                                        which enables the analysis if true.
-#                 
-#                  bool-inv:<global>     <global> is a Bro script-level boolean
-#                                        which enables the analysis if *false*.
-#                  events:<tag>          <tag> is the name of a Bro event group 
-#                                        which corresponds to the analysis.
-#                  disable:<tag>		 If disabled, also disable analysis <tag>
-
-dns                events:dns            DNS analysis
-ftp                events:ftp            FTP analysis
-smtp               events:smtp           SMTP analysis
-
-http-request       events:http-request,disable:http-reply,disable:http-header,disable:http-body   Client-side HTTP analysis
-http-reply         events:http-reply,bool:HTTP::process_HTTP_replies                              Server-side HTTP analysis 
-http-body          events:http-body,bool:HTTP::process_HTTP_data                                  Analysis of HTTP bodies
-http-header        events:http-header                                                             Analysis of HTTP headers         
-
-scan               bool-inv:Scan::suppress_scan_checks                                            Scan detection
diff --git a/aux/broctl/etc/broctl.cfg.cluster.in b/aux/broctl/etc/broctl.cfg.cluster.in
deleted file mode 100644
index dd19c8e57d..0000000000
--- a/aux/broctl/etc/broctl.cfg.cluster.in
+++ /dev/null
@@ -1,27 +0,0 @@
-# $Id: broctl.cfg.cluster.in 6811 2009-07-06 20:41:10Z robin $
-#
-# Global cluster configuration file. 
-#
-
-# Directories with local policies which are to be installed in addition
-# to the distribution's scripts. ':' separates multiple directories.
-#
-SitePolicyPath = ${policydir}/site
-
-# Top-level script file for local manager policy.
-#
-SitePolicyManager = local-manager
-
-# Top-level script file for local worker policy.
-#
-SitePolicyWorker = local-worker
-
-# Local script prefixes (use this instead of the @prefix statement.)
-# Multiple prefixes are separated by a colon.
-Prefixes = local
-
-# Sends all mails to this address.
-MailTo = root@localhost
-
-# Logs debug information into spool/debug.log
-Debug = 1
diff --git a/aux/broctl/etc/broctl.cfg.standalone.in b/aux/broctl/etc/broctl.cfg.standalone.in
deleted file mode 100644
index a255c05e84..0000000000
--- a/aux/broctl/etc/broctl.cfg.standalone.in
+++ /dev/null
@@ -1,22 +0,0 @@
-# $Id: broctl.cfg.standalone.in 6811 2009-07-06 20:41:10Z robin $
-#
-# Global configuration file for a non-cluster, single-instance setup.
-#
-
-# Directories with local policies which are to be installed in addition
-# to the distribution's scripts. ':' separates multiple directories.
-#
-SitePolicyPath = ${policydir}/site
-
-# Top-level script file for local policy.
-SitePolicyStandalone = local
-
-# Local script prefixes (use this instead of the @prefix statement.)
-# Multiple prefixes are separated by a colon.
-Prefixes = local
-
-# Sends all mails to this address.
-MailTo = root@localhost
-
-# Logs debug information into spool/debug.log
-Debug = 1
diff --git a/aux/broctl/etc/networks.cfg.in b/aux/broctl/etc/networks.cfg.in
deleted file mode 100644
index aeeb1337fb..0000000000
--- a/aux/broctl/etc/networks.cfg.in
+++ /dev/null
@@ -1,7 +0,0 @@
-# $Id: networks.cfg.in 6811 2009-07-06 20:41:10Z robin $
-#
-# List of local networks in CIDR notation, optionally followed by a descriptive tag.
-# 
-
-10.0.0.0/8          Private IP space 
-192.168.0.0/16      Private IP space
diff --git a/aux/broctl/etc/node.cfg.cluster.in b/aux/broctl/etc/node.cfg.cluster.in
deleted file mode 100644
index 82c28a3c74..0000000000
--- a/aux/broctl/etc/node.cfg.cluster.in
+++ /dev/null
@@ -1,27 +0,0 @@
-# $Id: node.cfg.cluster.in 6811 2009-07-06 20:41:10Z robin $
-#
-# Node configuration
-#
-
-[manager]
-type=manager
-host=host1
-
-[proxy-1]
-type=proxy
-host=host1
-
-[worker-1]
-type=worker
-host=host2
-interface=em0
-
-[worker-2]
-type=worker
-host=host3
-interface=em0
-
-[worker-3]
-type=worker
-host=host4
-interface=em0
diff --git a/aux/broctl/etc/node.cfg.standalone.in b/aux/broctl/etc/node.cfg.standalone.in
deleted file mode 100644
index 2d62dbb462..0000000000
--- a/aux/broctl/etc/node.cfg.standalone.in
+++ /dev/null
@@ -1,9 +0,0 @@
-# $Id: node.cfg.standalone.in 6811 2009-07-06 20:41:10Z robin $
-#
-# Node configuration for a non-cluster, single-instance setup.
-#
-
-[bro]
-type=standalone
-host=localhost
-interface=em0
diff --git a/aux/broctl/policy/analysis-groups.bro b/aux/broctl/policy/analysis-groups.bro
deleted file mode 100644
index 3ec6ea01d1..0000000000
--- a/aux/broctl/policy/analysis-groups.bro
+++ /dev/null
@@ -1,46 +0,0 @@
-# $Id: analysis-groups.bro 6813 2009-07-07 18:54:12Z robin $
-#
-# This script allows to selectively enable/disable event groups. No events will be
-# raised for all memmbers of a disabled event group.
-
-module AnalysisGroups;
-
-export 
-	{
-	# By default, all event groups are enabled. We disable all groups in this table.
-	const disabled_groups: set[string] &redef; # = { "ftp" }
-
-	# When the table above gets modified during run-time, calling this function
-	# will put the changes into effect.
-	global update: function();
-	}
-
-# Set to remember all groups which were disabled by the last update().
-global currently_disabled: set[string];
-
-function update()
-	{
-	# Reenable those which are not to be disabled anymore.
-	for ( g in currently_disabled )
-		if ( g !in disabled_groups )
-			enable_event_group(g);
-	
-	# Disable those which are not already.
-	for ( g in disabled_groups )
-		if ( g !in currently_disabled )
-			disable_event_group(g);
-	
-	currently_disabled = copy(disabled_groups);
-	}
-
-event bro_init()
-	{
-	update();
-	}
-
-
-
-
-
-
-
diff --git a/aux/broctl/policy/broctl-check.bro b/aux/broctl/policy/broctl-check.bro
deleted file mode 100644
index c064a8b59a..0000000000
--- a/aux/broctl/policy/broctl-check.bro
+++ /dev/null
@@ -1,10 +0,0 @@
-# $Id: broctl-check.bro 6811 2009-07-06 20:41:10Z robin $
-#
-# Only loaded when checking configuration, not when running live.
-
-@load rotate-logs
-
-redef RotateLogs::rotate_on_shutdown=F;
-
-	
-		
diff --git a/aux/broctl/policy/broctl-events.bro b/aux/broctl/policy/broctl-events.bro
deleted file mode 100644
index d75efe848e..0000000000
--- a/aux/broctl/policy/broctl-events.bro
+++ /dev/null
@@ -1,79 +0,0 @@
-# $Id: broctl-events.bro 6903 2009-09-04 23:34:56Z robin $
-#
-# Events which are sent by broctl.
-
-module BroCtl;
-
-global sh_log = open_log_file("broctl") &disable_print_hook;
-
-event bro_init()
-	{
-	set_buf(sh_log, F);
-	}
-
-# Request the value of an ID. 
-# (This is copied from remote-print-id-reply.bro for completeness here.)
-event request_id_response(id: string, val: string)
-	{
-	print sh_log, fmt("%.6f raised event request_id_response(%s, %s)", network_time(), id, val);
-	}
-
-event request_id(id: string)
-	{
-	print sh_log, fmt("%.6f got event request_id(%s)", network_time(), id);
-
-	local val = lookup_ID(id);
-	event request_id_response(id, fmt("%s", val));
-	}
-
-@load remote
-
-# Returns the current communication status (one line per connected peer).
-event get_peer_status_response(s: string)
-	{
-	print sh_log, fmt("%.6f raised event get_peer_status(%s)", network_time(), s);
-	}
-
-event get_peer_status()
-	{
-	print sh_log, fmt("%.6f got event get_peer_status()", network_time());
-	
-	local status = "";
-	
-	for ( p in Remote::destinations )
-		{
-		local peer = Remote::destinations[p];
-		if ( ! peer$connected )
-			next;
-		
-		status += fmt("peer=%s host=%s events_in=? events_out=? ops_in=? ops_out=? bytes_in=? bytes_out=?\n",
-					  peer$peer$descr, peer$host);
-		}
-	
-	event get_peer_status_response(status);
-	}
-
-# Returns net_stats.
-
-global last_cstat: net_stats;
-global last_cstat_time: time;
-
-event net_stats_update(t: time, ns: net_stats)
-	{
-	last_cstat = ns;
-	last_cstat_time = t;
-	}
-
-event get_net_stats_response(s: string)
-	{
-	print sh_log, fmt("%.6f raised event get_net_stats_response(%s)", network_time(), s);
-	}
-
-event get_net_stats()
-	{
-	local reply = fmt("%.6f recvd=%d dropped=%d link=%d\n", last_cstat_time, 
-				  last_cstat$pkts_recvd, last_cstat$pkts_dropped, last_cstat$pkts_link);
-	event get_net_stats_response(reply);
-	}
-
-
diff --git a/aux/broctl/policy/broctl-live.bro b/aux/broctl/policy/broctl-live.bro
deleted file mode 100644
index be34c6d46f..0000000000
--- a/aux/broctl/policy/broctl-live.bro
+++ /dev/null
@@ -1,6 +0,0 @@
-# $Id: broctl-live.bro 6811 2009-07-06 20:41:10Z robin $
-#
-# Only loaded when running live, not when just checking configuration.
-
-	
-		
diff --git a/aux/broctl/policy/broctl.bro b/aux/broctl/policy/broctl.bro
deleted file mode 100644
index 7539cd6c4f..0000000000
--- a/aux/broctl/policy/broctl.bro
+++ /dev/null
@@ -1,96 +0,0 @@
-# $Id: broctl.bro 6811 2009-07-06 20:41:10Z robin $
-#
-# Data structures to define the three types of nodes (workers, proxies, and manager).
-
-const BROCTL = T;
-
-const WORKER = to_count(getenv("BRO_WORKER")) &redef;
-const PROXY = to_count(getenv("BRO_PROXY")) &redef;
-const MANAGER = to_count(getenv("BRO_MANAGER")) &redef;
-const STANDALONE = to_count(getenv("BRO_STANDALONE")) &redef;
-
-const env_var_missing = (WORKER == 0 && PROXY == 0 && MANAGER == 0 && STANDALONE == 0);
-
-# Make sure we have some reasonable values because these are actually
-# used before we get a chance to abort.
-redef WORKER = WORKER > 0 ? WORKER : 1;
-redef PROXY = PROXY > 0 ? PROXY : 1;
-redef MANAGER = MANAGER > 0 ? MANAGER : 1;
-
-@load cluster-by-addrs
-@load remote-update
-@load checkpoint 
-
-# FIXME: Load them here to work around a namespace bug.
-@load conn
-@load port-name
-	
-module BroCtl;
-
-export {
-	# Events which are sent by the broctl when dynamically connecting to a
-	# running instance. 
-	const update_events = /.*(configuration_update|request_id|get_peer_status|get_net_stats).*/;
-
-    # The following options are configured from broctl-layout.bro.
-
-	# Directory where broctl is archiving logs. 
-	const log_dir = "/not/set" &redef;
-
-	# Host where TM is running or 0.0.0.0 if none. 
-	const tm_host = 0.0.0.0 &redef;
-
-	# Host where TM is running or 0.0.0.0 if none. 
-	const tm_port = 47757/tcp &redef;
-
-}
-
-# PROXY record.
-type pnode: record {
-	ip: addr;                       
-	p: port;                        
-	tag: string;
-};
-
-# WORKER record.
-type snode: record {
-    ip: addr;                       
-	p: port;                        
-	interface: string &optional;    
-	proxy: pnode;                   # proxy ip this worker uses
-	tag: string;
-};
-
-# MANAGER record.
-type mnode: record {
-    ip: addr;                       
-	p: port;                        
-	tag: string;
-};
-
-export {
-	global manager: mnode &redef;
-    global proxies: table[count] of pnode &redef;
-    global workers: table[count] of snode &redef;
-}
-
-@load broctl-layout
-	
-event bro_init()
-	{
-	if ( env_var_missing )
-		{
-		print "None of the broctl environment variables BRO_{MANAGER,WORKER,PROXY} set, aborting.";
-		terminate();
-		}
-	
-	local descr = open(".peer_description");
-	print descr, peer_description;
-	}
-
-@load broctl-events
-
-# Change some defaults.
-	
-redef enable_syslog = F;
-redef check_for_unused_event_handlers = F;
diff --git a/aux/broctl/policy/broctl.checkpoint.bro b/aux/broctl/policy/broctl.checkpoint.bro
deleted file mode 100644
index be10f52ce7..0000000000
--- a/aux/broctl/policy/broctl.checkpoint.bro
+++ /dev/null
@@ -1,3 +0,0 @@
-# $Id: broctl.checkpoint.bro 6811 2009-07-06 20:41:10Z robin $
-
-redef state_checkpoint_interval = 0 min;
diff --git a/aux/broctl/policy/broctl.conn.bro b/aux/broctl/policy/broctl.conn.bro
deleted file mode 100644
index 4465282d61..0000000000
--- a/aux/broctl/policy/broctl.conn.bro
+++ /dev/null
@@ -1,3 +0,0 @@
-# $Id: broctl.conn.bro 6811 2009-07-06 20:41:10Z robin $
-
-redef dpd_conn_logs = T;
diff --git a/aux/broctl/policy/broctl.remote.bro b/aux/broctl/policy/broctl.remote.bro
deleted file mode 100644
index b2d8e8d8eb..0000000000
--- a/aux/broctl/policy/broctl.remote.bro
+++ /dev/null
@@ -1,11 +0,0 @@
-# $Id: broctl.remote.bro 6811 2009-07-06 20:41:10Z robin $
-
-@load broctl
-
-# Configure Time Machine.
-event bro_init()
-	{
-	if ( BroCtl::tm_host != 0.0.0.0 )
-		Remote::destinations["time-machine"] = [$host=BroCtl::tm_host, $p=BroCtl::tm_port, $connect=T, $retry=1min];
-	}
-
diff --git a/aux/broctl/policy/broctl.site.bro b/aux/broctl/policy/broctl.site.bro
deleted file mode 100644
index 7f60cd6da1..0000000000
--- a/aux/broctl/policy/broctl.site.bro
+++ /dev/null
@@ -1,3 +0,0 @@
-# $Id: broctl.site.bro 6811 2009-07-06 20:41:10Z robin $
-
-@load local-networks
diff --git a/aux/broctl/policy/broctl.tm-contents.bro b/aux/broctl/policy/broctl.tm-contents.bro
deleted file mode 100644
index 1307043663..0000000000
--- a/aux/broctl/policy/broctl.tm-contents.bro
+++ /dev/null
@@ -1,5 +0,0 @@
-# $Id: broctl.tm-contents.bro 6811 2009-07-06 20:41:10Z robin $
-
-@load broctl
-
-redef TimeMachine::contents_dir = BroCtl::log_dir + "/tm-contents";
diff --git a/aux/broctl/policy/capture-unknown-protocols.bro b/aux/broctl/policy/capture-unknown-protocols.bro
deleted file mode 100644
index b824382223..0000000000
--- a/aux/broctl/policy/capture-unknown-protocols.bro
+++ /dev/null
@@ -1,95 +0,0 @@
-# $Id: capture-unknown-protocols.bro 6811 2009-07-06 20:41:10Z robin $
-#
-# Capture the content of connections running a "foreign" protocol 
-# on a well-known port.
-
-module CaptureProtocolViolations;
-	
-@load site
-@load tm-mail-contents
-	
-export {
-	# We capture contents only for this subset of analyzers.
-	const analyzers: set[AnalyzerTag] = 
-		{ ANALYZER_SSH, ANALYZER_FTP, ANALYZER_SMTP, ANALYZER_POP3 } &redef;
-
-	# If true, capture only outgoing connections.
-	const outbound_only = F &redef;	
-
-	global mail_proto_violation: function(c: connection, atype: count, reason: string, destination: string);
-}
-
-global reported: set[addr,addr,count] &read_expire = 24hr &persistent;
-
-type violation_info: record {
-	atype: count;
-	reason: string;
-	start: time;
-	service: string;
-	destination: string;
-};
-
-# We postpone the mail until the connection is done so that we
-# can determine the real service.
-global conn_expire_func: function(t: table[conn_id] of violation_info, id: conn_id): interval;
-global mail_when_done: table[conn_id] of violation_info &create_expire=5mins &expire_func=conn_expire_func;
-
-function end_of_connection(id: conn_id)
-	{
-	local info = mail_when_done[id];
-	delete mail_when_done[id];
-	
-	local aname = analyzer_name(info$atype);
-
-	local service = info$service;
-	
-	if ( service != "other" )
-		service = to_upper(service);
-
-	local subject = fmt("%s -> %s: %s protocol on %s port %s",
-						id$orig_h, id$resp_h, service, aname, id$resp_p);
-	
-	local body = fmt("> %D %s@@@@Not %s: %s", info$start, id_string(id), aname, info$reason);
-	
-	TimeMachine::mail_contents(id, info$start, fmt("proto-violation.%s", aname), subject, body, info$destination);
-	}
-
-function conn_expire_func(t: table[conn_id] of violation_info, id: conn_id): interval
-	{
-	end_of_connection(id);
-	print "conn_expire_func", id;
-	return 0secs;
-	}
-
-event connection_state_remove(c: connection)
-	{
-	local id=c$id;
-	
-	if ( id !in mail_when_done )
-		return;
-	
-	mail_when_done[id]$service = determine_service(c);
-	
-	end_of_connection(c$id);
-	}
-
-function mail_proto_violation(c: connection, atype: count, reason: string, destination: string)
-	{
-	if ( [c$id$orig_h, c$id$resp_h, atype] in reported )
-		return;
-	
-	# Interesting analyzer?
-	if ( atype !in analyzers )
-		return;
-
-	# Outbound connection?
-	if ( outbound_only && is_local_addr(c$id$resp_h) )
-		return;
-	
-	# Well-known port?
-	if ( atype !in dpd_config || c$id$resp_p !in dpd_config[atype]$ports )
-		return;
-
-	mail_when_done[c$id] = [$atype=atype, $reason=reason, $destination=destination, $service=determine_service(c), $start=c$start_time];
-	add reported[c$id$orig_h, c$id$resp_h, atype];
-	}
diff --git a/aux/broctl/policy/cluster-addrs.anon.bro b/aux/broctl/policy/cluster-addrs.anon.bro
deleted file mode 100644
index f091669b7c..0000000000
--- a/aux/broctl/policy/cluster-addrs.anon.bro
+++ /dev/null
@@ -1,3 +0,0 @@
-# $Id: cluster-addrs.anon.bro 6811 2009-07-06 20:41:10Z robin $
-
-redef ip_anon_mapping &synchronized;
diff --git a/aux/broctl/policy/cluster-addrs.blaster.bro b/aux/broctl/policy/cluster-addrs.blaster.bro
deleted file mode 100644
index c08c4569af..0000000000
--- a/aux/broctl/policy/cluster-addrs.blaster.bro
+++ /dev/null
@@ -1,4 +0,0 @@
-# $Id: cluster-addrs.blaster.bro 6811 2009-07-06 20:41:10Z robin $
-
-redef w32b_scanned &persistent &synchronized;
-redef w32b_reported &persistent &synchronized &read_expire = 7 days;
diff --git a/aux/broctl/policy/cluster-addrs.bro b/aux/broctl/policy/cluster-addrs.bro
deleted file mode 100644
index 42fde63a27..0000000000
--- a/aux/broctl/policy/cluster-addrs.bro
+++ /dev/null
@@ -1,5 +0,0 @@
-# $Id: cluster-addrs.bro 6811 2009-07-06 20:41:10Z robin $
-#
-# Cluster config for load-distribution based on a (src,dst) hash.
-
-@prefixes += cluster-addrs
diff --git a/aux/broctl/policy/cluster-addrs.conn.bro b/aux/broctl/policy/cluster-addrs.conn.bro
deleted file mode 100644
index d12d1c60ac..0000000000
--- a/aux/broctl/policy/cluster-addrs.conn.bro
+++ /dev/null
@@ -1,3 +0,0 @@
-# $Id: cluster-addrs.conn.bro 6811 2009-07-06 20:41:10Z robin $
-
-redef RPC_server_map &persistent &synchronized &read_expire = 7 days;
diff --git a/aux/broctl/policy/cluster-addrs.ftp-cmd-arg.bro b/aux/broctl/policy/cluster-addrs.ftp-cmd-arg.bro
deleted file mode 100644
index b6901f049f..0000000000
--- a/aux/broctl/policy/cluster-addrs.ftp-cmd-arg.bro
+++ /dev/null
@@ -1,3 +0,0 @@
-# $Id: cluster-addrs.ftp-cmd-arg.bro 6811 2009-07-06 20:41:10Z robin $
-
-redef ftp_unexpected_cmd_reply &persistent &synchronized &read_expire = 1 day;
diff --git a/aux/broctl/policy/cluster-addrs.ftp.bro b/aux/broctl/policy/cluster-addrs.ftp.bro
deleted file mode 100644
index 3b6afc1da3..0000000000
--- a/aux/broctl/policy/cluster-addrs.ftp.bro
+++ /dev/null
@@ -1,4 +0,0 @@
-# $Id: cluster-addrs.ftp.bro 6811 2009-07-06 20:41:10Z robin $
-
-redef ftp_first_seen_cmds &persistent &synchronized;
-redef ftp_unlisted_cmds &persistent &synchronized;
diff --git a/aux/broctl/policy/cluster-addrs.hot.bro b/aux/broctl/policy/cluster-addrs.hot.bro
deleted file mode 100644
index 4a050f6a20..0000000000
--- a/aux/broctl/policy/cluster-addrs.hot.bro
+++ /dev/null
@@ -1,3 +0,0 @@
-# $Id: cluster-addrs.hot.bro 6811 2009-07-06 20:41:10Z robin $
-
-redef ssh_notice_hosts &persistent &synchronized &create_expire = 7 days;
diff --git a/aux/broctl/policy/cluster-addrs.icmp.bro b/aux/broctl/policy/cluster-addrs.icmp.bro
deleted file mode 100644
index b7b20851f5..0000000000
--- a/aux/broctl/policy/cluster-addrs.icmp.bro
+++ /dev/null
@@ -1,4 +0,0 @@
-# $Id: cluster-addrs.icmp.bro 6811 2009-07-06 20:41:10Z robin $
-
-redef conn_pair &persistent &synchronized;
-
diff --git a/aux/broctl/policy/cluster-addrs.irc.bro b/aux/broctl/policy/cluster-addrs.irc.bro
deleted file mode 100644
index 47cab169e8..0000000000
--- a/aux/broctl/policy/cluster-addrs.irc.bro
+++ /dev/null
@@ -1,4 +0,0 @@
-# $Id: cluster-addrs.irc.bro 6811 2009-07-06 20:41:10Z robin $
-
-redef active_users &persistent &synchronized;
-redef active_channels &persistent &synchronized;
diff --git a/aux/broctl/policy/cluster-addrs.pop3.bro b/aux/broctl/policy/cluster-addrs.pop3.bro
deleted file mode 100644
index e61fdf498e..0000000000
--- a/aux/broctl/policy/cluster-addrs.pop3.bro
+++ /dev/null
@@ -1,3 +0,0 @@
-# $Id: cluster-addrs.pop3.bro 6811 2009-07-06 20:41:10Z robin $
-
-redef pop_connection_weirds &persistent &synchronized;
diff --git a/aux/broctl/policy/cluster-addrs.portmapper.bro b/aux/broctl/policy/cluster-addrs.portmapper.bro
deleted file mode 100644
index 667f140417..0000000000
--- a/aux/broctl/policy/cluster-addrs.portmapper.bro
+++ /dev/null
@@ -1,4 +0,0 @@
-# $Id: cluster-addrs.portmapper.bro 6811 2009-07-06 20:41:10Z robin $
-
-redef suppress_pm_log &persistent &synchronized &read_expire = 1 day
-	&synchronized;
diff --git a/aux/broctl/policy/cluster-addrs.proxy.bro b/aux/broctl/policy/cluster-addrs.proxy.bro
deleted file mode 100644
index a50fa6c00a..0000000000
--- a/aux/broctl/policy/cluster-addrs.proxy.bro
+++ /dev/null
@@ -1,4 +0,0 @@
-# $Id: cluster-addrs.proxy.bro 6811 2009-07-06 20:41:10Z robin $
-
-redef found_proxies &synchronized &persistent;
-redef requests &synchronized;
diff --git a/aux/broctl/policy/cluster-addrs.scan.bro b/aux/broctl/policy/cluster-addrs.scan.bro
deleted file mode 100644
index 765c2c0e72..0000000000
--- a/aux/broctl/policy/cluster-addrs.scan.bro
+++ /dev/null
@@ -1,20 +0,0 @@
-# $Id: cluster-addrs.scan.bro 6811 2009-07-06 20:41:10Z robin $
-
-# Backscatter.
-redef distinct_backscatter_peers &persistent &synchronized;
-
-# Address scans
-redef distinct_peers &persistent &synchronized;
-
-# Logins.
-redef accounts_tried &persistent &synchronized;
-
-## These tables are used to keep track of whether a threshold has been reached.
-redef shut_down_thresh_reached  &persistent &synchronized;
-redef rb_idx  &persistent &synchronized;
-redef rps_idx  &persistent &synchronized;
-redef rops_idx  &persistent &synchronized;
-redef rpts_idx  &persistent &synchronized;
-redef rat_idx  &persistent &synchronized;
-redef rrat_idx  &persistent &synchronized;
-
diff --git a/aux/broctl/policy/cluster-addrs.smtp-relay.bro b/aux/broctl/policy/cluster-addrs.smtp-relay.bro
deleted file mode 100644
index 908515a010..0000000000
--- a/aux/broctl/policy/cluster-addrs.smtp-relay.bro
+++ /dev/null
@@ -1,6 +0,0 @@
-# $Id: cluster-addrs.smtp-relay.bro 6811 2009-07-06 20:41:10Z robin $
-
-redef smtp_relay_table &persistent &synchronized;
-redef smtp_session_by_recipient &persistent &synchronized;
-redef smtp_session_by_message_id &persistent &synchronized;
-redef smtp_session_by_content_hash &persistent &synchronized;
diff --git a/aux/broctl/policy/cluster-addrs.ssh.bro b/aux/broctl/policy/cluster-addrs.ssh.bro
deleted file mode 100644
index 36174087e7..0000000000
--- a/aux/broctl/policy/cluster-addrs.ssh.bro
+++ /dev/null
@@ -1,3 +0,0 @@
-# $Id: cluster-addrs.ssh.bro 6811 2009-07-06 20:41:10Z robin $
-
-redef did_ssh_version &persistent &synchronized;
diff --git a/aux/broctl/policy/cluster-addrs.tftp.bro b/aux/broctl/policy/cluster-addrs.tftp.bro
deleted file mode 100644
index 52363b0aa2..0000000000
--- a/aux/broctl/policy/cluster-addrs.tftp.bro
+++ /dev/null
@@ -1,3 +0,0 @@
-# $Id: cluster-addrs.tftp.bro 6811 2009-07-06 20:41:10Z robin $
-
-redef tftp_notice_count &persistent &synchronized;
diff --git a/aux/broctl/policy/cluster-addrs.weird.bro b/aux/broctl/policy/cluster-addrs.weird.bro
deleted file mode 100644
index 66819d4298..0000000000
--- a/aux/broctl/policy/cluster-addrs.weird.bro
+++ /dev/null
@@ -1,7 +0,0 @@
-# $Id: cluster-addrs.weird.bro 6811 2009-07-06 20:41:10Z robin $
-
-# Synchronizing the weird stuff is not really worth the trouble.
-# It can be a lot, and it's only there to suppress duplicate messages.
-# As we will put some infrastructure in place for filtering duplicates
-# on the master anyway, we can live without that.
-
diff --git a/aux/broctl/policy/cluster-addrs.worm.bro b/aux/broctl/policy/cluster-addrs.worm.bro
deleted file mode 100644
index db98715874..0000000000
--- a/aux/broctl/policy/cluster-addrs.worm.bro
+++ /dev/null
@@ -1,4 +0,0 @@
-# $Id: cluster-addrs.worm.bro 6811 2009-07-06 20:41:10Z robin $
-
-redef worm_list &persistent &synchronized;
-redef worm_type_list &persistent &synchronized;
diff --git a/aux/broctl/policy/cluster-by-addrs.bro b/aux/broctl/policy/cluster-by-addrs.bro
deleted file mode 100644
index 9080da49cf..0000000000
--- a/aux/broctl/policy/cluster-by-addrs.bro
+++ /dev/null
@@ -1,5 +0,0 @@
-# $Id: cluster-by-addrs.bro 6811 2009-07-06 20:41:10Z robin $
-#
-# Cluster config for load-distribution based on a (src,dst) hash.
-
-@prefixes += cluster-addrs
diff --git a/aux/broctl/policy/cluster-by-conns.bro b/aux/broctl/policy/cluster-by-conns.bro
deleted file mode 100644
index 61b813b780..0000000000
--- a/aux/broctl/policy/cluster-by-conns.bro
+++ /dev/null
@@ -1,7 +0,0 @@
-# $Id: cluster-by-conns.bro 6811 2009-07-06 20:41:10Z robin $
-
-redef distinct_ports &persistent &synchronized;
-redef distinct_low_ports &persistent &synchronized;
-redef possible_scan_sources &persistent &synchronized;
-redef scan_triples &persistent &synchronized;
-
diff --git a/aux/broctl/policy/cluster-conns.ftp.bro b/aux/broctl/policy/cluster-conns.ftp.bro
deleted file mode 100644
index b6046f2a6a..0000000000
--- a/aux/broctl/policy/cluster-conns.ftp.bro
+++ /dev/null
@@ -1,3 +0,0 @@
-# $Id: cluster-conns.ftp.bro 6811 2009-07-06 20:41:10Z robin $
-
-redef ftp_data_expected &persistent &synchronized;
diff --git a/aux/broctl/policy/cluster-conns.portmapper.bro b/aux/broctl/policy/cluster-conns.portmapper.bro
deleted file mode 100644
index 5d754b9bcb..0000000000
--- a/aux/broctl/policy/cluster-conns.portmapper.bro
+++ /dev/null
@@ -1,3 +0,0 @@
-# $Id: cluster-conns.portmapper.bro 6811 2009-07-06 20:41:10Z robin $
-
-redef did_pm_log &persistent &synchronized &read_expire = 1 day &synchronized;
diff --git a/aux/broctl/policy/cluster-conns.scan.bro b/aux/broctl/policy/cluster-conns.scan.bro
deleted file mode 100644
index 389393d7fe..0000000000
--- a/aux/broctl/policy/cluster-conns.scan.bro
+++ /dev/null
@@ -1,7 +0,0 @@
-# $Id: cluster-conns.scan.bro 6811 2009-07-06 20:41:10Z robin $
-
-# Port scans
-redef distinct_ports &persistent &synchronized;
-redef distinct_low_ports &persistent &synchronized;
-redef possible_scan_sources &persistent &synchronized;
-redef scan_triples &persistent &synchronized;
diff --git a/aux/broctl/policy/cluster-manager.bro b/aux/broctl/policy/cluster-manager.bro
deleted file mode 100644
index 6b93dc6d3a..0000000000
--- a/aux/broctl/policy/cluster-manager.bro
+++ /dev/null
@@ -1,44 +0,0 @@
-# $Id: cluster-manager.bro 6860 2009-08-14 19:01:47Z robin $
-#
-# Cluster manager configuration.
-
-@prefixes += cluster-manager
-
-@load broctl
-@load filter-duplicates
-@load notice
-@load remote
-@load rotate-logs
-@load mail-alarms
-	
-# Since we don't capture, don't bother with this.
-@unload print-filter
-
-# Remote-print policy hooks into print() fucntion on remote hosts,
-# and gets a copy to print to local files.
-@load remote-print
-
-# This grabs the remote peers (workers) and saves some status info
-# to a local peer_status.log.
-@load save-peer-status
-	
-# We have to listen of course... 
-@load listen-clear
-redef listen_port_clear = BroCtl::manager$p;
-
-# The cluster manager does not capture.
-redef interfaces = "";
-
-# Give us a name. 
-redef peer_description = BroCtl::manager$tag;
-
-# Reraise remote notices locally.
-event notice_action(n: notice_info, action: NoticeAction)
-	{
-	if ( is_remote_event() && FilterDuplicates::is_new(n) )
-		NOTICE(n);
-	}
-
-redef FilterDuplicates::filters += {
-	[Drop::AddressSeenAgain] = FilterDuplicates::match_src,
-};
diff --git a/aux/broctl/policy/cluster-manager.detect-protocols.bro b/aux/broctl/policy/cluster-manager.detect-protocols.bro
deleted file mode 100644
index 2e09fe8866..0000000000
--- a/aux/broctl/policy/cluster-manager.detect-protocols.bro
+++ /dev/null
@@ -1,6 +0,0 @@
-# $Id: cluster-manager.detect-protocols.bro 6811 2009-07-06 20:41:10Z robin $
-
-redef FilterDuplicates::filters += {
-    [ServerFound] = FilterDuplicates::match_src_port
-};
-
diff --git a/aux/broctl/policy/cluster-manager.drop.bro b/aux/broctl/policy/cluster-manager.drop.bro
deleted file mode 100644
index e058abe5e5..0000000000
--- a/aux/broctl/policy/cluster-manager.drop.bro
+++ /dev/null
@@ -1,42 +0,0 @@
-# $Id$
-
-# These will be generated by the workers.
-event Drop::address_seen_again(a: addr)
-	{
-	if ( ! use_catch_release )
-		return;
-	
-	if ( a !in drop_info )
-		# Never dropped.
-		return;
-	
-	local di = drop_info[a];
-	if ( is_dropped(a) )
-		# Still dropped.
-		return;
-	
-	NOTICE([$note=AddressSeenAgain, $src=a,
-			$msg=fmt("%s seen again after release", a)]);
-	}
-
-# $Id$
-
-# These will be generated by the workers.
-event Drop::address_seen_again(a: addr)
-	{
-	if ( ! use_catch_release )
-		return;
-	
-	if ( a !in drop_info )
-		# Never dropped.
-		return;
-	
-	local di = drop_info[a];
-	if ( is_dropped(a) )
-		# Still dropped.
-		return;
-	
-	NOTICE([$note=AddressSeenAgain, $src=a,
-			$msg=fmt("%s seen again after release", a)]);
-	}
-
diff --git a/aux/broctl/policy/cluster-manager.icmp.bro b/aux/broctl/policy/cluster-manager.icmp.bro
deleted file mode 100644
index a5ed72e8a1..0000000000
--- a/aux/broctl/policy/cluster-manager.icmp.bro
+++ /dev/null
@@ -1,12 +0,0 @@
-# $Id: cluster-manager.scan.bro 6740 2009-06-12 17:59:44Z robin $
-
-redef FilterDuplicates::filters += {
-    [ICMPAddressScan] = FilterDuplicates::match_src_num
-};
-	
-# $Id: cluster-manager.scan.bro 6740 2009-06-12 17:59:44Z robin $
-
-redef FilterDuplicates::filters += {
-    [ICMPAddressScan] = FilterDuplicates::match_src_num
-};
-	
diff --git a/aux/broctl/policy/cluster-manager.mail-alarms.bro b/aux/broctl/policy/cluster-manager.mail-alarms.bro
deleted file mode 100644
index 6c02a61ef2..0000000000
--- a/aux/broctl/policy/cluster-manager.mail-alarms.bro
+++ /dev/null
@@ -1,5 +0,0 @@
-# $Id: cluster-manager.mail-alarms.bro 6811 2009-07-06 20:41:10Z robin $
-
-@load rotate-logs
-
-redef MailAlarms::output &rotate_interval = 12hrs;
diff --git a/aux/broctl/policy/cluster-manager.notice.bro b/aux/broctl/policy/cluster-manager.notice.bro
deleted file mode 100644
index 000a2bf846..0000000000
--- a/aux/broctl/policy/cluster-manager.notice.bro
+++ /dev/null
@@ -1,8 +0,0 @@
-# $Id: cluster-manager.notice.bro 6811 2009-07-06 20:41:10Z robin $
-
-redef mail_script = "mail-alarm";
-redef mail_dest = "_broctl_default_"; # Will be replace by mail script.  
-
-# These don't get cleared because we're not seeing the actual connections. 	
-redef notice_tags &read_expire = 2hrs;
-
diff --git a/aux/broctl/policy/cluster-manager.remote.bro b/aux/broctl/policy/cluster-manager.remote.bro
deleted file mode 100644
index b665fb6536..0000000000
--- a/aux/broctl/policy/cluster-manager.remote.bro
+++ /dev/null
@@ -1,34 +0,0 @@
-# $Id: cluster-manager.remote.bro 6860 2009-08-14 19:01:47Z robin $
-#
-# This is the MANAGER remote configuration.
-#
-# The manager is passive (the workers connect to us), and once connected
-# the manager registers for the events on the workers that are needed
-# to get the desired data from the workers.
-
-@load broctl
-
-const cluster_events = /.*(print_hook|notice_action|TimeMachine::command|Drop::).*/;
-
-event bro_init() 
-{
-	# Set up remote dests for WORKERS based on central cluster config.
-	for ( n in BroCtl::workers ) 
-		Remote::destinations[fmt("w%d", n)]
-			= [$host=BroCtl::workers[n]$ip, $connect=F, $sync=F, $class=BroCtl::workers[n]$tag, $events=cluster_events];
-
-	# Set up remote dests for PROXIES, just to get ResourceStats.
-	for ( n in BroCtl::proxies ) 
-		Remote::destinations[fmt("p%d", n)]
-			= [$host=BroCtl::proxies[n]$ip, $connect=F, $sync=F, $class=BroCtl::proxies[n]$tag, $events=/.*(notice_action).*/ ];
-
-	# Connections from the manager for configuration updates.
-	Remote::destinations["update"] 
-		=  [$host = BroCtl::manager$ip, $p=BroCtl::manager$p, $sync=F, $events=BroCtl::update_events, $class="update"];
-
-	# Configure Time Machine.
-	if ( BroCtl::tm_host != 0.0.0.0 )
-		Remote::destinations["time-machine"] = [$host=BroCtl::tm_host, $p=BroCtl::tm_port, $connect=T, $retry=1min];
-}
-
-
diff --git a/aux/broctl/policy/cluster-manager.rotate-logs.bro b/aux/broctl/policy/cluster-manager.rotate-logs.bro
deleted file mode 100644
index 807c4a46fe..0000000000
--- a/aux/broctl/policy/cluster-manager.rotate-logs.bro
+++ /dev/null
@@ -1,7 +0,0 @@
-# $Id: cluster-manager.rotate-logs.bro 6811 2009-07-06 20:41:10Z robin $
-
-redef log_rotate_interval = 24hrs;
-redef log_rotate_base_time = "0:00";
-redef RotateLogs::default_postprocessor = "archive-log";
-
-redef conn_file &rotate_interval = 12hrs;
diff --git a/aux/broctl/policy/cluster-manager.scan.bro b/aux/broctl/policy/cluster-manager.scan.bro
deleted file mode 100644
index d469228742..0000000000
--- a/aux/broctl/policy/cluster-manager.scan.bro
+++ /dev/null
@@ -1,16 +0,0 @@
-# $Id: cluster-manager.scan.bro 6811 2009-07-06 20:41:10Z robin $
-
-redef FilterDuplicates::filters += {
-    [AddressScan] = FilterDuplicates::match_src_num,
-    [PortScan] = FilterDuplicates::match_src_num,
-    [PasswordGuessing] = FilterDuplicates::match_src_num,
-	
-    [ScanSummary] = FilterDuplicates::match_src,
-    [PortScanSummary] = FilterDuplicates::match_src,
-    [LowPortScanSummary] = FilterDuplicates::match_src,
-    [BackscatterSeen] = FilterDuplicates::match_src,
-    [Landmine] = FilterDuplicates::match_src,
-    [ShutdownThresh] = FilterDuplicates::match_src,
-    [LowPortTrolling] = FilterDuplicates::match_src
-};
-
diff --git a/aux/broctl/policy/cluster-manager.time-machine.bro b/aux/broctl/policy/cluster-manager.time-machine.bro
deleted file mode 100644
index 418919e58f..0000000000
--- a/aux/broctl/policy/cluster-manager.time-machine.bro
+++ /dev/null
@@ -1,13 +0,0 @@
-# $Id: cluster-manager.time-machine.bro 6811 2009-07-06 20:41:10Z robin $
-#
-# Relays TM commands received from the workers  to a TM connected to the 
-# manager. Note that potential responses from the TM will go to the manager 
-# and are *not* be propapated back to the workers.
-
-event TimeMachine::command(cmd: string)
-       {
-       if ( is_remote_event() )
-               event TimeMachine::command(cmd);
-       }
-
-
diff --git a/aux/broctl/policy/cluster-proxy.bro b/aux/broctl/policy/cluster-proxy.bro
deleted file mode 100644
index 5680a34fa9..0000000000
--- a/aux/broctl/policy/cluster-proxy.bro
+++ /dev/null
@@ -1,28 +0,0 @@
-# $Id: cluster-proxy.bro 6811 2009-07-06 20:41:10Z robin $
-#
-# Common PROXY config.
-
-@prefixes += cluster-proxy
-
-@load broctl
-@load remote
-@load rotate-logs
-	
-# Since we don't capture, don't bother with this.
-@unload print-filter
-	
-# Communications. 
-@load listen-clear
-redef listen_port_clear = BroCtl::proxies[PROXY]$p;
-
-# No packet capture on proxy.
-redef interfaces = "";
-
-# The proxy only syncs state; does not forward events.
-redef forward_remote_events = F;
-redef forward_remote_state_changes = T;
-
-# Set our name.
-redef peer_description = BroCtl::proxies[PROXY]$tag;
-
-
diff --git a/aux/broctl/policy/cluster-proxy.notice.bro b/aux/broctl/policy/cluster-proxy.notice.bro
deleted file mode 100644
index fc90e207b6..0000000000
--- a/aux/broctl/policy/cluster-proxy.notice.bro
+++ /dev/null
@@ -1,4 +0,0 @@
-# $Id: cluster-proxy.notice.bro 6811 2009-07-06 20:41:10Z robin $
-
-# Expire these.
-redef notice_tags &read_expire = 30 mins;
diff --git a/aux/broctl/policy/cluster-proxy.remote.bro b/aux/broctl/policy/cluster-proxy.remote.bro
deleted file mode 100644
index 5d0bc378a5..0000000000
--- a/aux/broctl/policy/cluster-proxy.remote.bro
+++ /dev/null
@@ -1,33 +0,0 @@
-# $Id: cluster-proxy.remote.bro 6811 2009-07-06 20:41:10Z robin $
-
-event bro_init() 
-	{
-	# Set up worker connections.
-	for ( n in BroCtl::workers ) 
-		# We set up Bro to accept connection from all nodes, even those which 
-		# won't connect to us. It's easier this way. :-)
-		Remote::destinations[fmt("w%d", n)]
- 			= [$host=BroCtl::workers[n]$ip, $connect=F, $sync=T, $auth=T, $class="proxy"];
-
-	# Set up proxy connections. Each proxy connects to the next in line, and 
-	# accepts connections from the previous one. 
-	# (This is not ideal for setups with many proxies but we will quite 
-	# unlikely have those.)
-	# FIXME: Once we're using multiple proxies, we should also figure out some $class scheme ...
-
-	if ( PROXY > 1 )
-		Remote::destinations[fmt("p%d", PROXY-1)]
-			= [$host=BroCtl::proxies[PROXY-1]$ip, $p=BroCtl::proxies[PROXY-1]$p, $connect=F, $auth=T, $sync=T];
-
-	if ( PROXY < |BroCtl::proxies| )
-		Remote::destinations[fmt("p%d", PROXY+1)]
-			= [$host=BroCtl::proxies[PROXY+1]$ip, $p=BroCtl::proxies[PROXY+1]$p, $connect=T, $auth=F, $sync=T, $retry=1mins];
-
-	# Finally the manager, to send it status updates.
-	Remote::destinations["manager"] = 
-		[$host=BroCtl::manager$ip, $p=BroCtl::manager$p, $connect=T, $sync=F, $retry=1mins, $class=BroCtl::proxies[PROXY]$tag];
-
-	# Connections from the manager for configuration updates.
-	Remote::destinations["update"] 
-		=  [$host = BroCtl::manager$ip, $p=BroCtl::manager$p, $sync=F, $events=BroCtl::update_events, $class="update"];
-	}
diff --git a/aux/broctl/policy/cluster-proxy.rotate-logs.bro b/aux/broctl/policy/cluster-proxy.rotate-logs.bro
deleted file mode 100644
index 796127c3e9..0000000000
--- a/aux/broctl/policy/cluster-proxy.rotate-logs.bro
+++ /dev/null
@@ -1,5 +0,0 @@
-# $Id: cluster-proxy.rotate-logs.bro 6811 2009-07-06 20:41:10Z robin $
-
-redef log_rotate_interval = 24 hrs;
-redef log_rotate_base_time = "0:00";
-redef RotateLogs::default_postprocessor = "delete-log";
diff --git a/aux/broctl/policy/cluster-proxy.scan.bro b/aux/broctl/policy/cluster-proxy.scan.bro
deleted file mode 100644
index b75c8bfcb2..0000000000
--- a/aux/broctl/policy/cluster-proxy.scan.bro
+++ /dev/null
@@ -1,10 +0,0 @@
-# $Id: cluster-proxy.scan.bro 6811 2009-07-06 20:41:10Z robin $
-
-# If scan is loaded, don't locally record ScanSummary events.
-# this is special in the way that it is implemented, in that these
-# events would be generated on a proxy.
-
-redef notice_action_filters += {
-        [ScanSummary] = ignore_notice,
-};
-
diff --git a/aux/broctl/policy/cluster-worker.alarm.bro b/aux/broctl/policy/cluster-worker.alarm.bro
deleted file mode 100644
index 546a3b97b9..0000000000
--- a/aux/broctl/policy/cluster-worker.alarm.bro
+++ /dev/null
@@ -1,8 +0,0 @@
-# $Id: cluster-worker.alarm.bro 6811 2009-07-06 20:41:10Z robin $
-#
-# In the cluster worker node, we forward the NOTICE events to the manager, and all 
-# reasonable alarms are NOTICES these days, so there is no need to replicate
-# the local node's alarm file to the manager node.  Ergo, we disable remote
-# printing on the alarm file.
-
-redef bro_alarm_file &disable_print_hook;
diff --git a/aux/broctl/policy/cluster-worker.bro b/aux/broctl/policy/cluster-worker.bro
deleted file mode 100644
index bee08bb971..0000000000
--- a/aux/broctl/policy/cluster-worker.bro
+++ /dev/null
@@ -1,28 +0,0 @@
-# $Id: cluster-worker.bro 6811 2009-07-06 20:41:10Z robin $
-#
-# This is the cluster WORKER top-level policy for configuration settings that are 
-# common to all worker node (as everything currently is except setting WORKER id).
-
-@prefixes += cluster-worker
-
-@load broctl
-@load remote
-@load rotate-logs
-
-@load trim-trace-file	
-
-@load analysis-groups
-	
-# Set up communications for updating workers.
-@load listen-clear
-
-redef listen_port_clear = BroCtl::workers[WORKER]$p;
-
-# Give us a name.
-redef peer_description = BroCtl::workers[WORKER]$tag;
-
-# Don't do any local logging.
-redef suppress_local_output = T;
-
-# Record all packets into trace file.
-redef record_all_packets = T;
diff --git a/aux/broctl/policy/cluster-worker.checkpoint.bro b/aux/broctl/policy/cluster-worker.checkpoint.bro
deleted file mode 100644
index 606cff289f..0000000000
--- a/aux/broctl/policy/cluster-worker.checkpoint.bro
+++ /dev/null
@@ -1,3 +0,0 @@
-# $Id: cluster-worker.checkpoint.bro 6811 2009-07-06 20:41:10Z robin $
-
-# redef state_checkpoint_interval = 15 min &redef;
diff --git a/aux/broctl/policy/cluster-worker.cluster-live.bro b/aux/broctl/policy/cluster-worker.cluster-live.bro
deleted file mode 100644
index 015201ee60..0000000000
--- a/aux/broctl/policy/cluster-worker.cluster-live.bro
+++ /dev/null
@@ -1,8 +0,0 @@
-# $Id: cluster-worker.cluster-live.bro 6811 2009-07-06 20:41:10Z robin $
-#
-# Only loaded when running live, not when just checking configuration.
-
-@load print-filter
-	
-redef PrintFilter::terminate_bro = F; 
-redef PrintFilter::to_file = T; 
diff --git a/aux/broctl/policy/cluster-worker.drop.bro b/aux/broctl/policy/cluster-worker.drop.bro
deleted file mode 100644
index a2645511ee..0000000000
--- a/aux/broctl/policy/cluster-worker.drop.bro
+++ /dev/null
@@ -1,36 +0,0 @@
-# $Id$
-
-# The cluster manager will inform us with these events if he's interested in
-# further connection attempts from that source.
-
-global watch_addr_table: set[addr] &read_expire=7days &persistent;
-
-global address_seen_again: event(a: addr);
-
-event address_restored(a: addr)
-	{
-	add watch_addr_table[a];
-	}
-
-event address_dropped(a: addr)
-	{
-	delete watch_addr_table[a];
-	}
-
-event address_cleared(a: addr)
-	{
-	delete watch_addr_table[a];
-	}
-
-# We need to forward the new connection attempt.
-event new_connection(c: connection)
-	{
-	local a = c$id$orig_h;
-	if ( a in watch_addr_table )
-		{
-		event Drop::address_seen_again(a);
-		delete watch_addr_table[a];
-		}
-	}
-
-
diff --git a/aux/broctl/policy/cluster-worker.irc-bot.bro b/aux/broctl/policy/cluster-worker.irc-bot.bro
deleted file mode 100644
index 5a295d545f..0000000000
--- a/aux/broctl/policy/cluster-worker.irc-bot.bro
+++ /dev/null
@@ -1,3 +0,0 @@
-# $Id: cluster-worker.irc-bot.bro 6811 2009-07-06 20:41:10Z robin $
-
-redef IrcBot::summary_interval = 0 min;
diff --git a/aux/broctl/policy/cluster-worker.notice.bro b/aux/broctl/policy/cluster-worker.notice.bro
deleted file mode 100644
index 9de6554253..0000000000
--- a/aux/broctl/policy/cluster-worker.notice.bro
+++ /dev/null
@@ -1,5 +0,0 @@
-# $Id: cluster-worker.notice.bro 6811 2009-07-06 20:41:10Z robin $
-
-# We forward the notice events, so don't (also) remote print them.
-redef notice_file &disable_print_hook;
-
diff --git a/aux/broctl/policy/cluster-worker.remote.bro b/aux/broctl/policy/cluster-worker.remote.bro
deleted file mode 100644
index b7d6a440d0..0000000000
--- a/aux/broctl/policy/cluster-worker.remote.bro
+++ /dev/null
@@ -1,21 +0,0 @@
-# $Id: cluster-worker.remote.bro 6860 2009-08-14 19:01:47Z robin $
-#
-# Remote config for cluster analysis WORKERS.
-
-# Do not copy the worker's remote.log to the manager
-redef Remote::rm_log &disable_print_hook;
-
-const manager_events = /.*(Drop::).*/;
-
-# The worker initiates connection to manager and proxy, but need no events from them.
-# (the manager and the proxy register for events from us workers)
-redef Remote::destinations += {
-	["manager"] = [$host=BroCtl::manager$ip, $p=BroCtl::manager$p, $events=manager_events,
-			$connect=T, $sync=F, $retry=1mins, $class=BroCtl::workers[WORKER]$tag],
-	["proxy"] = [$host=BroCtl::workers[WORKER]$proxy$ip, 
-			$p=BroCtl::workers[WORKER]$proxy$p, $connect=T, 
-				 $sync=T, $retry=1mins, $class="proxy"],
-
-	["update"] = [$host=BroCtl::manager$ip, $sync=F, $events=BroCtl::update_events, $class="update"]
-	};
-
diff --git a/aux/broctl/policy/cluster-worker.rotate-logs.bro b/aux/broctl/policy/cluster-worker.rotate-logs.bro
deleted file mode 100644
index 9e69f1c097..0000000000
--- a/aux/broctl/policy/cluster-worker.rotate-logs.bro
+++ /dev/null
@@ -1,5 +0,0 @@
-# $Id: cluster-worker.rotate-logs.bro 6811 2009-07-06 20:41:10Z robin $
-
-redef log_rotate_interval = 24 hrs;
-redef log_rotate_base_time = "0:00";
-redef RotateLogs::default_postprocessor = "delete-log";
diff --git a/aux/broctl/policy/cluster-worker.time-machine.bro b/aux/broctl/policy/cluster-worker.time-machine.bro
deleted file mode 100644
index cb5fd10dff..0000000000
--- a/aux/broctl/policy/cluster-worker.time-machine.bro
+++ /dev/null
@@ -1,6 +0,0 @@
-# $Id: cluster-worker.time-machine.bro 6811 2009-07-06 20:41:10Z robin $
-#
-# We connect the TM to the manager which relays (and logs) commands so we
-# do not propagate the worker's TM logs.
-
-redef TimeMachine::logfile &disable_print_hook;
diff --git a/aux/broctl/policy/cluster-worker.weird.bro b/aux/broctl/policy/cluster-worker.weird.bro
deleted file mode 100644
index bebb41e60f..0000000000
--- a/aux/broctl/policy/cluster-worker.weird.bro
+++ /dev/null
@@ -1,17 +0,0 @@
-# $Id: cluster-worker.weird.bro 6811 2009-07-06 20:41:10Z robin $
-#
-# Important weird events are forwarded via NOTICE mechanism,
-# so we are not remote printing the worker weird.log.
-# (If one is never going to look at the worker weird log, it could be
-# suppressed with a local notice policy).
-
-redef Weird::weird_file &disable_print_hook;
-
-redef notice_action_filters += 
-	{
-	# Not worth forwarding as they can generate a lot of load
-	# if the machines gets really busy.
-	[Weird::ContentGap] = ignore_notice,
-	[Weird::AckAboveHole] = ignore_notice
-	};
-
diff --git a/aux/broctl/policy/cluster.detect-protocols.bro b/aux/broctl/policy/cluster.detect-protocols.bro
deleted file mode 100644
index 2cb71efc91..0000000000
--- a/aux/broctl/policy/cluster.detect-protocols.bro
+++ /dev/null
@@ -1,4 +0,0 @@
-# $Id: cluster.detect-protocols.bro 6811 2009-07-06 20:41:10Z robin $
-
-# There are so many HTTP servers out there that this consumes too much memory.
-redef ProtocolDetector::suppress_servers = { ANALYZER_HTTP };
diff --git a/aux/broctl/policy/cluster.dns.bro b/aux/broctl/policy/cluster.dns.bro
deleted file mode 100644
index f30770466e..0000000000
--- a/aux/broctl/policy/cluster.dns.bro
+++ /dev/null
@@ -1,5 +0,0 @@
-# $Id: cluster.dns.bro 6811 2009-07-06 20:41:10Z robin $
-
-redef DNS::dns_sessions  &read_expire = 5 mins;
-redef DNS::hostile_domain_list = {};
-redef DNS::logging = F;
diff --git a/aux/broctl/policy/cluster.icmp.bro b/aux/broctl/policy/cluster.icmp.bro
deleted file mode 100644
index 4d6fbba816..0000000000
--- a/aux/broctl/policy/cluster.icmp.bro
+++ /dev/null
@@ -1,5 +0,0 @@
-# $Id: cluster.icmp.bro 6811 2009-07-06 20:41:10Z robin $
-
-redef ICMP::detect_scans = F; ###
-redef ICMP::log_details = F;
-
diff --git a/aux/broctl/policy/cluster.irc.bro b/aux/broctl/policy/cluster.irc.bro
deleted file mode 100644
index 9e96bfc6a9..0000000000
--- a/aux/broctl/policy/cluster.irc.bro
+++ /dev/null
@@ -1,3 +0,0 @@
-# $Id: cluster.irc.bro 6811 2009-07-06 20:41:10Z robin $
-
-redef active_users &read_expire= 1hr;
diff --git a/aux/broctl/policy/cluster.notice.bro b/aux/broctl/policy/cluster.notice.bro
deleted file mode 100644
index 5f1a1a59ab..0000000000
--- a/aux/broctl/policy/cluster.notice.bro
+++ /dev/null
@@ -1,3 +0,0 @@
-# $Id: cluster.notice.bro 6811 2009-07-06 20:41:10Z robin $
-
-redef use_tagging = T;	
diff --git a/aux/broctl/policy/cluster.rotate-logs.bro b/aux/broctl/policy/cluster.rotate-logs.bro
deleted file mode 100644
index 3fed946a22..0000000000
--- a/aux/broctl/policy/cluster.rotate-logs.bro
+++ /dev/null
@@ -1,3 +0,0 @@
-# $Id: cluster.rotate-logs.bro 6811 2009-07-06 20:41:10Z robin $
-
-redef RotateLogs::tag = peer_description;
diff --git a/aux/broctl/policy/cluster.scan.bro b/aux/broctl/policy/cluster.scan.bro
deleted file mode 100644
index 75a310681d..0000000000
--- a/aux/broctl/policy/cluster.scan.bro
+++ /dev/null
@@ -1,13 +0,0 @@
-# $Id: cluster.scan.bro 6860 2009-08-14 19:01:47Z robin $
-
-redef addr_scan_trigger = 3;  
-redef ignore_scanners_threshold = 500; 
-
-redef pre_distinct_peers &read_expire = 12hrs;
-
-redef distinct_backscatter_peers &read_expire = 30mins;
-redef distinct_peers &read_expire = 30mins;
-redef distinct_ports &read_expire = 30mins;
-redef distinct_low_ports &read_expire = 30mins;
-redef possible_scan_sources &read_expire = 30mins;
-
diff --git a/aux/broctl/policy/cluster.trw.bro b/aux/broctl/policy/cluster.trw.bro
deleted file mode 100644
index e8c41262c2..0000000000
--- a/aux/broctl/policy/cluster.trw.bro
+++ /dev/null
@@ -1,7 +0,0 @@
-# $Id: cluster.trw.bro 6811 2009-07-06 20:41:10Z robin $
-
-redef TRW::target_false_positive_prob = 0.000001;
-redef TRW::failed_locals &write_expire = 15 mins;
-redef TRW::successful_locals &write_expire = 15 mins;
-redef TRW::num_scanned_locals &write_expire = 15 mins;
-redef TRW::lambda &write_expire = 15 mins;
diff --git a/aux/broctl/policy/filter-duplicates.bro b/aux/broctl/policy/filter-duplicates.bro
deleted file mode 100644
index 44eb188a1d..0000000000
--- a/aux/broctl/policy/filter-duplicates.bro
+++ /dev/null
@@ -1,86 +0,0 @@
-# $Id: filter-duplicates.bro 6868 2009-08-17 04:18:02Z robin $
-#
-# Script to filter out duplicate alarms reported by multiple backends. 
-
-module FilterDuplicates;
-
-@load notice
-
-export {
-	const log_duplicates = T &redef;
-
-	# Returns false if this notice is a duplicate of another notice 
-	# we have seen before; if log_duplicates is true, it also logs
-	# it into "notice.duplicates.log". Return true if we have not 
-	# seen it before.
-	global is_new: function(n: notice_info) : bool;
-
-	# Per default, a Notice is assumed to be unique. The following table
-	# defines functions finding duplicates on a per-notice bases. These 
-	# functions will be called with two instances of their notice type, and 
-	# must return T if they consider the two to be equal.
-	global filters: table[Notice] of function(n: notice_info): string &redef;
-
-	# Some predefined functions that can be used with the filters table.
-    
-		# Filters by matching source addresses.    
-	global match_src: function(n: notice_info) : string;
-		# Filters by matching source addresses and the number attributes.
-	global match_src_num: function(n: notice_info) : string;
-		# Filters by matching source addresses and the port attributes.
-	global match_src_port: function(n: notice_info) : string;
-}
-
-function match_src(n: notice_info) : string
-	{
-	local src = n?$src ? fmt("%s", n$src) : "";
-	return fmt("%s#%s", n$note, src);
-	}
-
-function match_src_num(n: notice_info) : string
-	{
-	local src = n?$src ? fmt("%s", n$src) : "";
-	local num = n?$src ? fmt("%d", n$n) : "";
-	return fmt("%s#%s#%s", n$note, src, num);
-	}
-
-function match_src_port(n: notice_info) : string
-	{
-	local src = n?$src ? fmt("%s", n$src) : "";
-	local p = n?$p ? fmt("%d", n$p) : "";
-	return fmt("%s#%s#%s", n$note, src, p);
-	}
-
-global dupl_log: file;
-
-event bro_init()
-	{
-	if ( log_duplicates )
-		dupl_log = open_log_file( "notice-duplicates" );
-	}
-
-global notices: set[string] &read_expire = 2mins;
-
-function is_new(n: notice_info) : bool
-	{
-	local idx = n$note;
-	
-	if ( idx !in filters )
-		# No filtering for this notice type.
-		return T;
-	
-	local key = filters[idx](n);
-	
-	if ( key in notices ) 
-		{
-		# A duplicate.
-		if ( log_duplicates )
-			print dupl_log, build_notice_info_string_tagged(n);
-	
-		return F;
-		}
-
-	# New one.
-	add notices[key];
-	return T;
-	}
diff --git a/aux/broctl/policy/local/cluster.local-manager.bro-template b/aux/broctl/policy/local/cluster.local-manager.bro-template
deleted file mode 100644
index 1a0fbf0fae..0000000000
--- a/aux/broctl/policy/local/cluster.local-manager.bro-template
+++ /dev/null
@@ -1,49 +0,0 @@
-# $Id: cluster.local-manager.bro-template 6811 2009-07-06 20:41:10Z robin $
-#
-# Local site policy loaded only by the manager. 
-# 
-# This template comes with a sample notice policy which you will
-# almost certainly want to adapt to your environment. 
-
-@load local 
-	
-redef notice_action_filters +=
-    {
-	# These are all very common.
-	[Weird::ContentGap] = tally_notice_type_and_ignore,
-	[Weird::AckAboveHole] = tally_notice_type_and_ignore,
-	[Weird::RetransmissionInconsistency] = tally_notice_type_and_ignore,
-	[Drop::AddressDropIgnored] = ignore_notice,
-	[Drop::AddressDropped] = ignore_notice,
-	[Weird::WeirdActivity] = file_local_bro_notices,
-	[DroppedPackets] = file_notice,
-	[TerminateConnection::TerminatingConnectionIgnored] = notice_alarm_per_orig,
-	[ProtocolDetector::ProtocolFound] = file_notice,
-	[ProtocolDetector::ServerFound] = file_if_remote,
-	[DynDisable::ProtocolViolation] = file_notice,
-	};
-
-redef Weird::weird_action += {
-	["window_recision"] = Weird::WEIRD_FILE,
-	["RST_with_data"] = Weird::WEIRD_FILE,
-	["line_terminated_with_single_CR"] = Weird::WEIRD_FILE,
-	["line_terminated_with_single_LF"] = Weird::WEIRD_FILE,
-	["spontaneous_RST"] = Weird::WEIRD_FILE,
-	["spontaneous_FIN"] = Weird::WEIRD_FILE,
-	["data_before_established"] = Weird::WEIRD_FILE,
-	["unsolicited_SYN_response"] = Weird::WEIRD_FILE,
-	["inappropriate_FIN"] = Weird::WEIRD_FILE,
-	["possible_split_routing"] = Weird::WEIRD_FILE,
-	["connection_originator_SYN_ack"] = Weird::WEIRD_FILE,
-	["fragment_inconsistency"] = Weird::WEIRD_NOTICE_PER_ORIG,
-	["fragment_size_inconsistency"] = Weird::WEIRD_NOTICE_PER_ORIG,
-	["fragment_overlap"] = Weird::WEIRD_NOTICE_PER_ORIG,
-	["ICMP-unreachable for wrong state"] = Weird::WEIRD_NOTICE_PER_ORIG,
-	["corrupt_tcp_options"] = Weird::WEIRD_NOTICE_PER_ORIG,
-};
-	
-
-
-
-
-	
diff --git a/aux/broctl/policy/local/cluster.local-worker.bro-template b/aux/broctl/policy/local/cluster.local-worker.bro-template
deleted file mode 100644
index d9cf66a007..0000000000
--- a/aux/broctl/policy/local/cluster.local-worker.bro-template
+++ /dev/null
@@ -1,6 +0,0 @@
-# $Id: cluster.local-worker.bro-template 6811 2009-07-06 20:41:10Z robin $
-#
-# Local site policy loaded only by the workers (and the proxy).
-
-@load local
-
diff --git a/aux/broctl/policy/local/cluster.local.bro-template b/aux/broctl/policy/local/cluster.local.bro-template
deleted file mode 100644
index 6cf6ddde57..0000000000
--- a/aux/broctl/policy/local/cluster.local.bro-template
+++ /dev/null
@@ -1,52 +0,0 @@
-# $Id: cluster.local.bro-template 6813 2009-07-07 18:54:12Z robin $
-#
-# Template for local site policy loaded manager and workers.
-# Customize as appropiate. 
-#
-# This file contains the main site policy. If in doubt, put any customizations
-# here or into a file loaded by this script. (The main exception to this rule
-# is all notice-filtering; see site-manager.bro). 
-#
-# Also note that enabling a particular kind of analysis via the cluster's 
-# "analysis command" only has an effect if the corresponding scripts are
-# loaded by this site policy. 
-
-@load alarm
-@load notice
-@load weird
-
-@load dpd
-@load detect-protocols
-@load detect-protocols-http
-@load dyn-disable
-@load inactivity        
-
-@load dns
-@load dns-lookup
-@load finger
-@load frag
-@load ftp
-@load icmp
-@load hot
-@load http-request
-@load http-reply
-@load ident
-@load irc   
-@load irc-bot
-@load login
-@load ntp
-@load pop3
-@load portmapper  
-@load scan
-@load smtp
-@load ssh
-@load ssl  
-@load synflood
-@load tcp
-@load tftp
-@load udp
-@load worm
-
-# Uncomment for profiling resource usage.
-# @load profiling 
-# redef expensive_profiling_multiple = 20;
diff --git a/aux/broctl/policy/local/standalone.local.bro-template b/aux/broctl/policy/local/standalone.local.bro-template
deleted file mode 100644
index 777e669d1e..0000000000
--- a/aux/broctl/policy/local/standalone.local.bro-template
+++ /dev/null
@@ -1,93 +0,0 @@
-# $Id: standalone.local.bro-template 6811 2009-07-06 20:41:10Z robin $
-#
-# Template for local site policy. Customize as appropiate. 
-#
-# (Note that enabling a particular kind of analysis via the cluster's 
-# "analysis command" only has an effect if the corresponding scripts are
-# loaded by this site policy.)
-
-@load alarm
-@load notice
-@load weird
-
-@load dpd
-@load detect-protocols
-@load detect-protocols-http
-@load dyn-disable
-@load inactivity        
-
-# Uncomment for profiling resource usage.
-# @load profiling 
-# redef expensive_profiling_multiple = 20;
-	
-@load dns
-@load dns-lookup
-@load finger
-@load frag
-@load ftp
-@load icmp
-@load hot
-@load http-request
-@load http-reply
-@load ident
-@load irc   
-@load irc-bot
-@load login
-@load ntp
-@load pop3
-@load portmapper  
-@load scan
-@load smtp
-@load ssh
-@load ssl  # Buggy?
-@load synflood
-@load tcp
-@load tftp
-@load udp
-@load worm
-
-# If you want to monitor locally generated traffic and your system
-# offloads checksum computation to the NIC (like Mac OS tends do),
-# you might want to disable Bro's checksum checking. 
-#
-# redef ignore_checksums = T;
-
-# Sample notice policy which you will almost certainly want 
-# to adapt to your environment. 
-	
-redef notice_action_filters +=
-    {
-	# These are all very common.
-	[Weird::ContentGap] = tally_notice_type_and_ignore,
-	[Weird::AckAboveHole] = tally_notice_type_and_ignore,
-	[Weird::RetransmissionInconsistency] = tally_notice_type_and_ignore,
-	[Drop::AddressDropIgnored] = ignore_notice,
-	[Drop::AddressDropped] = ignore_notice,
-	[Weird::WeirdActivity] = file_local_bro_notices,
-	[DroppedPackets] = file_notice,
-	[TerminateConnection::TerminatingConnectionIgnored] = notice_alarm_per_orig,
-	[ProtocolDetector::ProtocolFound] = file_notice,
-	[ProtocolDetector::ServerFound] = file_if_remote,
-	[DynDisable::ProtocolViolation] = file_notice,
-	};
-
-redef Weird::weird_action += {
-	["window_recision"] = Weird::WEIRD_FILE,
-	["RST_with_data"] = Weird::WEIRD_FILE,
-	["line_terminated_with_single_CR"] = Weird::WEIRD_FILE,
-	["line_terminated_with_single_LF"] = Weird::WEIRD_FILE,
-	["spontaneous_RST"] = Weird::WEIRD_FILE,
-	["spontaneous_FIN"] = Weird::WEIRD_FILE,
-	["data_before_established"] = Weird::WEIRD_FILE,
-	["unsolicited_SYN_response"] = Weird::WEIRD_FILE,
-	["inappropriate_FIN"] = Weird::WEIRD_FILE,
-	["possible_split_routing"] = Weird::WEIRD_FILE,
-	["connection_originator_SYN_ack"] = Weird::WEIRD_FILE,
-	["fragment_inconsistency"] = Weird::WEIRD_NOTICE_PER_ORIG,
-	["fragment_size_inconsistency"] = Weird::WEIRD_NOTICE_PER_ORIG,
-	["fragment_overlap"] = Weird::WEIRD_NOTICE_PER_ORIG,
-	["ICMP-unreachable for wrong state"] = Weird::WEIRD_NOTICE_PER_ORIG,
-	["corrupt_tcp_options"] = Weird::WEIRD_NOTICE_PER_ORIG,
-};
-	
-	
diff --git a/aux/broctl/policy/mail-alarms.bro b/aux/broctl/policy/mail-alarms.bro
deleted file mode 100644
index 645bea4f3d..0000000000
--- a/aux/broctl/policy/mail-alarms.bro
+++ /dev/null
@@ -1,117 +0,0 @@
-# $Id: mail-alarms.bro 6811 2009-07-06 20:41:10Z robin $
-#
-# Script to prettify alarms into a form suitable for mailing out.
-# Output is written to mail.log which can be mailed out via post-processor.
-
-@load site
-@load notice
-
-module MailAlarms;
-
-export 	{
-	# If non-empty, we include only the given Notices into mail.
-	global include_only: set[Notice] &redef;
-
-	# If one of these networks is involved, we mark the entry with a quote 
-	# symbol (i.e., ">"). Many mailers flag such lines in some fashion.
-	global flag_nets: set[subnet] &redef;
-
-	# Skip the notice types for the mails.
-	global ignore: set[Notice] &redef;
-
-	global output = open_log_file( "mail" );
-	}
-
-function do_msg(line1: string, line2: string, line3: string, host: addr, name: string)
-	{
-	if ( host != 0.0.0.0 )
-		name = fmt("%s = %s", host, name);
-	
-	print output, cat(line1, name);
-	print output, line2;
-	if ( line3 != "" )
-		print output, line3;
-	}
-
-function message(msg: string, flag: bool, host: addr, n: notice_info)
-	{
-	if ( length(include_only) > 0 && n$note !in include_only )
-		return;
-	
-	local location = "";
-
-	if ( host != 0.0.0.0 )
-		location =  is_local_addr(host) ? "(L)" : "(R)";
-	
-	local line1 = fmt(">%s %D %s %s ", (flag ? ">" : " "), network_time(), n$note, location);
-	local line2 = fmt("   %s", msg);   
-	local line3 = "";
-
-	if ( n?$captured )
-		line3 = fmt("   [TM: %s]", n$captured);
-
-	if ( host == 0.0.0.0 )
-		{
-		do_msg(line1, line2, line3, 0.0.0.0, "");
-		return;
-		}
-	
-	when ( local name = lookup_addr(host) )
-		{
-		do_msg(line1, line2, line3, host, name);
-		}
-	timeout 5secs
-		{
-		do_msg(line1, line2, line3, host, "(dns timeout)");
-		}
-	}
-
-event bro_init()
-    {
-    set_buf( output, F );
-    }
-
-event notice_alarm(n: notice_info, action: NoticeAction) &priority = -10
-	{
-	if ( is_remote_event() )
-		return;
-
-	if ( n$note in ignore )
-		return;
-	
-	local pdescr = "local";
-	
-	if ( n?$src_peer )
-		pdescr = n$src_peer?$descr ? n$src_peer$descr : fmt("%s", n$src_peer$host);
-
-	local msg = fmt( "<%s> %s%s", pdescr, n$msg, n?$sub ? cat( " ", n$sub ) : "" );
-
-	local orig = 0.0.0.0;
-	local resp = 0.0.0.0;
-	local host = 0.0.0.0;
-
-	if ( n?$src )
-		orig = host = n$src;
-
-	if ( n?$conn )
-		{
-		orig = n$conn$id$orig_h;
-		resp = n$conn$id$resp_h;
-		}
-
-	else if ( n?$id )
-		{
-		orig = n$id$orig_h;
-		resp = n$id$resp_h;
-		}
-
-	if ( host == 0.0.0.0 )
-		host = orig; 
-
-	local flag = F;
-	if ( orig in flag_nets || resp in flag_nets )
-		flag = T;
-
-	message(msg, flag, host, n);
-	}
-
diff --git a/aux/broctl/policy/remote-update.bro b/aux/broctl/policy/remote-update.bro
deleted file mode 100644
index 9a76050bf4..0000000000
--- a/aux/broctl/policy/remote-update.bro
+++ /dev/null
@@ -1,16 +0,0 @@
-# $Id: remote-update.bro 6811 2009-07-06 20:41:10Z robin $
-#
-# Code to be executed when we're dynamically updated on the fly. 
-
-@load analysis-groups
-
-module RemoteUpdate;
-
-event configuration_update()
-	{
-	if ( ! is_remote_event() )
-		return;
-	
-	AnalysisGroups::update();
-	event remote_log(REMOTE_LOG_INFO, REMOTE_SRC_SCRIPT, "configuration updated");
-	}
diff --git a/aux/broctl/policy/send-config.bro b/aux/broctl/policy/send-config.bro
deleted file mode 100644
index 9b51cc3d0c..0000000000
--- a/aux/broctl/policy/send-config.bro
+++ /dev/null
@@ -1,94 +0,0 @@
-# $Id: send-config.bro 6813 2009-07-07 18:54:12Z robin $
-#
-# Sends the current values of all &redef'able globals to a remote Bro
-# and then terminates processing.
-#
-# Intended to be used from the command line as in:
-#
-# bro SendConfig::dst=<dst> <scripts> send-config
-
-module SendConfig;
-
-@load remote
-
-export {
-    const dst = "<no-destination-given>" &redef;
-}
-
-const ignore_ids = { "Remote::destinations", "SendConfig::dst" };
-
-event terminate_event()
-	{
-	terminate_communication();
-	}
-
-event remote_connection_handshake_done(p: event_peer)
-	{
-	local peer = Remote::destinations[dst];
-
-	if ( peer$host != p$host )
-		return;
-
-	# Send all &redef'able globals to peer.
-	local globals = global_ids();
-    local cnt = 0;
-	for ( id in globals )
-		{
-        if ( id in ignore_ids )
-			next;
-
-		local t = globals[id];
-		
-		if ( ! t$redefinable )
-			next;
-
-		send_id(p, id);
-		++cnt;
-		}
-
-	print fmt("sent %d IDs", cnt);
-
-	# Signal configuration update to peer.
-	event configuration_update();
-	
-	# We can't terminate the communication right away here since the 
-	# event configuration_update is only queued but not send at this
-	# point. Therefore we raise another events which will trigger 
-	# termination only after the previous has been raised.
-	event terminate_event();
-	}
-
-function make_dest(tag: string, ip: addr, p: port)
-	{
-	Remote::destinations[fmt("%s-update", tag)] 
-		= [$host=ip, $p=p, $sync=F, $class="update"];
-	}
-
-# This handler is executed after the other bro_inits() so that we can
-# actually delete all previous destinations and fill the table ourselves.
-event bro_init() &priority=-1
-	{
-	clear_table(Remote::destinations);
-
-	for ( n in BroCtl::workers ) 
-		make_dest(BroCtl::workers[n]$tag, BroCtl::workers[n]$ip, BroCtl::workers[n]$p);
-
-	for ( n in BroCtl::proxies ) 
-		make_dest(BroCtl::proxies[n]$tag, BroCtl::proxies[n]$ip, BroCtl::proxies[n]$p);
-
-	make_dest(BroCtl::manager$tag, BroCtl::manager$ip, BroCtl::manager$p);
-	}
-
-event bro_init() &priority=-2
-	{
-	if ( dst !in Remote::destinations )
-		{
-		print fmt("unknown destination %s", dst);
-		terminate();
-		return;
-		}
-
-	Remote::connect_peer(dst);
-	}
-
-
diff --git a/aux/broctl/policy/standalone.bro b/aux/broctl/policy/standalone.bro
deleted file mode 100644
index d3eaf73305..0000000000
--- a/aux/broctl/policy/standalone.bro
+++ /dev/null
@@ -1,32 +0,0 @@
-# $Id: standalone.bro 6860 2009-08-14 19:01:47Z robin $
-#
-# Configuration for a standalone system.
-
-@load site
-
-@unload cluster-by-addrs
-@unload cluster-by-conns
-
-@load broctl
-@load notice
-@load remote
-@load rotate-logs
-@load mail-alarms
-	
-@load trim-trace-file	
-@load analysis-groups
-	
-# Even a stand-alone system has to listen so that we can do remote updates.
-@load listen-clear
-redef listen_port_clear = BroCtl::manager$p;
-
-# Give us a name. 
-redef peer_description = "bro";
-
-# Record all packets into trace file.
-redef record_all_packets = T;
-
-@load notice
-
-
-
diff --git a/aux/broctl/policy/standalone.checkpoint.bro b/aux/broctl/policy/standalone.checkpoint.bro
deleted file mode 100644
index 618cb87e6b..0000000000
--- a/aux/broctl/policy/standalone.checkpoint.bro
+++ /dev/null
@@ -1,3 +0,0 @@
-# $Id: standalone.checkpoint.bro 6811 2009-07-06 20:41:10Z robin $
-
-redef state_checkpoint_interval = 15 min &redef;
diff --git a/aux/broctl/policy/standalone.irc-bot.bro b/aux/broctl/policy/standalone.irc-bot.bro
deleted file mode 100644
index 5eabe8601e..0000000000
--- a/aux/broctl/policy/standalone.irc-bot.bro
+++ /dev/null
@@ -1,3 +0,0 @@
-# $Id: standalone.irc-bot.bro 6811 2009-07-06 20:41:10Z robin $
-
-redef IrcBot::summary_interval = 0 min;
diff --git a/aux/broctl/policy/standalone.mail-alarms.bro b/aux/broctl/policy/standalone.mail-alarms.bro
deleted file mode 100644
index 27e7833b9a..0000000000
--- a/aux/broctl/policy/standalone.mail-alarms.bro
+++ /dev/null
@@ -1,5 +0,0 @@
-# $Id: standalone.mail-alarms.bro 6811 2009-07-06 20:41:10Z robin $
-
-@load rotate-logs
-
-redef MailAlarms::output &rotate_interval = 12hrs;
diff --git a/aux/broctl/policy/standalone.notice.bro b/aux/broctl/policy/standalone.notice.bro
deleted file mode 100644
index 939be5bf10..0000000000
--- a/aux/broctl/policy/standalone.notice.bro
+++ /dev/null
@@ -1,7 +0,0 @@
-# $Id: standalone.notice.bro 6811 2009-07-06 20:41:10Z robin $
-
-redef mail_script = "mail-alarm";
-redef mail_dest = "_broctl_default_"; # Will be replaced by mail script.  
-
-redef use_tagging = T;	
-
diff --git a/aux/broctl/policy/standalone.remote.bro b/aux/broctl/policy/standalone.remote.bro
deleted file mode 100644
index c43aeee9c3..0000000000
--- a/aux/broctl/policy/standalone.remote.bro
+++ /dev/null
@@ -1,19 +0,0 @@
-# $Id: standalone.remote.bro 6860 2009-08-14 19:01:47Z robin $
-#
-# We only need to accept update connections from the shell.
-# 
-
-@load broctl
-
-event bro_init() 
-{
-	# Connections from the manager for configuration updates.
-	Remote::destinations["update"] 
-		=  [$host = BroCtl::manager$ip, $p=BroCtl::manager$p, $sync=F, $events=BroCtl::update_events, $class="update"];
-
-	# Configure Time Machine.
-	if ( BroCtl::tm_host != 0.0.0.0 )
-		Remote::destinations["time-machine"] = [$host=BroCtl::tm_host, $p=BroCtl::tm_port, $connect=T, $retry=1min];
-}
-
-
diff --git a/aux/broctl/policy/standalone.rotate-logs.bro b/aux/broctl/policy/standalone.rotate-logs.bro
deleted file mode 100644
index c4ff279775..0000000000
--- a/aux/broctl/policy/standalone.rotate-logs.bro
+++ /dev/null
@@ -1,9 +0,0 @@
-# $Id: standalone.rotate-logs.bro 6811 2009-07-06 20:41:10Z robin $
-
-@load mail-alarms
-
-redef log_rotate_interval = 24hrs;
-redef log_rotate_base_time = "0:00";
-redef RotateLogs::default_postprocessor = "archive-log";
-
-redef conn_file &rotate_interval = 12hrs;
diff --git a/aux/broctl/policy/terminate.bro b/aux/broctl/policy/terminate.bro
deleted file mode 100644
index b6cf0e2d98..0000000000
--- a/aux/broctl/policy/terminate.bro
+++ /dev/null
@@ -1,11 +0,0 @@
-# $Id: terminate.bro 6811 2009-07-06 20:41:10Z robin $
-#
-# Just terminate Bro after it parsed its configuration.
-
-event bro_init() &priority = -10
-{
-	terminate();
-}
-
-
-
diff --git a/aux/broctl/policy/tm-mail-contents.bro b/aux/broctl/policy/tm-mail-contents.bro
deleted file mode 100644
index 56554be586..0000000000
--- a/aux/broctl/policy/tm-mail-contents.bro
+++ /dev/null
@@ -1,69 +0,0 @@
-# $Id: tm-mail-contents.bro 6811 2009-07-06 20:41:10Z robin $
-
-@load tm-contents
-
-module TimeMachine;
-
-export {
-
-	# Extracts the contents of the connection from the time-machine
-	# and mails it out with the specified subject and body prefix. 
-	# Also asks the TM to store a copy of the connection's packets
-	# under with given filename prefix. If the mail address is empty,
-	# the default is taken.
-	
-	global mail_contents:
-		function(id: conn_id, start: time, filename_prefix: string, 
-				 subject: string, body_prefix: string, email: string);
-}
-
-type mail_info: record {
-	subject: string;
-	body: string;
-	email: string;
-	};
-
-global conns: table[conn_id] of mail_info;
-
-function mail_contents(id: conn_id, start: time, filename_prefix: string, subject: string, body_prefix: string, email: string)
-	{
-	TimeMachine::save_contents_id(filename_prefix, id, start, F, "mail-contents-save");
-		
-	local idstr = fmt("%s.%d-%s.%d", id$orig_h, id$orig_p, id$resp_h, id$resp_p);
-	local fname = fmt("%s.%s", filename_prefix, idstr);
-	TimeMachine::capture_connection_id(fname, id, start, F, "mail-contents-capture");
-
-	body_prefix += fmt("@@@@Time Machine trace: %s@@", fname);
-	
-	conns[id] = [$subject=subject, $body=body_prefix, $email=email];
-	}
-
-
-event TimeMachine::contents_saved(c: connection, orig_file: string, resp_file: string)
-	{
-	if ( c$id !in conns )
-		return;
-
-	local ci = conns[c$id];
-	delete conns[c$id];
-	
-	when ( (local orig = lookup_addr(c$id$orig_h)) && 
-		   (local resp = lookup_addr(c$id$resp_h)) )
-		{
-		# Set arguments for script.
-		local args: table[string] of string;
-		args["contents_orig"] = orig_file;
-		args["contents_resp"] = resp_file;
-		args["orig_h"] = fmt("%s", c$id$orig_h);
-		args["resp_h"] = fmt("%s", c$id$resp_h);
-		args["orig_name"] = orig;
-		args["resp_name"] = resp;
-		args["subject"] = ci$subject;
-		args["body"] = ci$body;
-		args["mail_dest"] = ci$email;
-		
-		system_env("mail-contents", args);
-		}
-	}
-
-	
diff --git a/aux/broctl/policy/trim-trace-file.bro b/aux/broctl/policy/trim-trace-file.bro
deleted file mode 100644
index 716ef63c1a..0000000000
--- a/aux/broctl/policy/trim-trace-file.bro
+++ /dev/null
@@ -1,39 +0,0 @@
-# $Id: trim-trace-file.bro 6811 2009-07-06 20:41:10Z robin $
-#
-# Deletes the -w tracefile at regular intervals and starts from scratch. Separate 
-# from rotate-logs.bro because we might want to have a shorter rotation interval 
-# for this one due to its size.
-#
-# FIXME: Still, we eventually want to merge this with rotate-logs.bro by
-# allowing per-file intervals for aux files. 
-
-module TrimTraceFile;
-
-export {
-	const trim_interval = 10 mins &redef;
-	}
-
-global first_trim = T;
-
-event trim_tracefile()
-	{
-	if ( bro_is_terminating() || trace_output_file == "" )
-		return;
-
-	if ( ! first_trim )
-		{
-		local info = rotate_file_by_name(trace_output_file);
-		if ( info$old_name != "" )
-			system(fmt("/bin/rm %s", info$new_name));
-		}
-
-	first_trim = F;
-	schedule trim_interval { trim_tracefile() };
-	}
-
-event bro_init()
-	{
-	if ( trim_interval != 0 secs )
-		schedule trim_interval { trim_tracefile() };
-	}
-
diff --git a/aux/btest b/aux/btest
new file mode 160000
index 0000000000..f096c0e408
--- /dev/null
+++ b/aux/btest
@@ -0,0 +1 @@
+Subproject commit f096c0e4088f2d92743e0c28077f086dff216cce
diff --git a/aux/cf/Makefile.am b/aux/cf/Makefile.am
deleted file mode 100644
index 9f77c90020..0000000000
--- a/aux/cf/Makefile.am
+++ /dev/null
@@ -1,5 +0,0 @@
-## Process this file with automake to produce Makefile.in
-
-noinst_PROGRAMS = cf
-cf_CFLAGS = -I$(top_srcdir)/src -I../src/ -I../../src
-cf_SOURCES = cf.c version.c 
diff --git a/aux/cf/cf.1 b/aux/cf/cf.1
deleted file mode 100755
index 1f4808cfd5..0000000000
--- a/aux/cf/cf.1
+++ /dev/null
@@ -1,133 +0,0 @@
-.\"	@(#) $Id: cf.1 2410 2005-12-27 00:58:20Z vern $ (LBL)
-.\"
-.\" Copyright (c) 2004
-.\"     The Regents of the University of California.  All rights reserved.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that: (1) source code distributions
-.\" retain the above copyright notice and this paragraph in its entirety, (2)
-.\" distributions including binary code include the above copyright notice and
-.\" this paragraph in its entirety in the documentation or other materials
-.\" provided with the distribution, and (3) all advertising materials mentioning
-.\" features or use of this software display the following acknowledgement:
-.\" ``This product includes software developed by the University of California,
-.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
-.\" the University nor the names of its contributors may be used to endorse
-.\" or promote products derived from this software without specific prior
-.\" written permission.
-.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
-.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
-.TH CF 1 "December 20, 2005"
-.UC 4
-.SH NAME
-cf -  unix time to formated time and date filter
-.SH SYNOPSIS
-.B cf
-[
-.B -f fmt
-] [
-.B -lpsu
-] [
-.I file ...
-]
-.SH DESCRIPTION
-This filter reads the named files (or from stdin if there are none)
-and replaces numeric timestamps found at the beginning of each line
-with a formated time and date time and date. For example:
-.LP
-.RS
-.na
-.nh
-\% echo '1074558944 default format' | cf
-.br  
-Jan 19 16:35:44 default format
-.ad
-.hy
-.RE
-
-The default format is '%b\ %e\ %H:%M:%S'. The
-.B \-l
-flag appends the year ('%Y') to the default format. There are two
-ways to specify a custom format; one is with the
-.B \-f
-flag. The other is to set the
-.B CFTIMEFMT
-environment variable. Finally, using an empty format with the
-.B \-f
-flag causes
-.B cf
-to revert to its default format.
-Note that the
-.B \-f
-and
-.B \-l
-flags override the
-.B CFTIMEFMT
-environment variable.
-.SH OPTIONS
-.LP
-.TP
-.B \-f fmt
-Specify a strftime(1) format string. For example:
-.LP
-.RS
-.RS
-.na
-.nh
-% echo '1074558944 custom format' | \\
-    cf -f '%Y-%m-%d\ %H:%M:%S'
-.br  
-2004-01-19 16:35:44 custom format
-.ad
-.hy
-.RE
-.LP
-.RE
-.TP
-.B \-l
-Use the long format (which includes the year). For example:
-.LP
-.RS
-.RS
-.na
-.nh
-% echo '1074558944 long format' | cf -l
-.br  
-Jan 19 16:35:44 2004 long format
-.ad
-.hy
-.RE
-.RE
-.TP
-.B \-p
-Preserve sub-second timestamp info. For example:
-.LP
-.RS
-.RS
-.na
-.nh
-% echo '1100980501.867105 preserve format' | cf -p
-.br  
-Nov 20 11:55:01.867105 preserve format
-.ad
-.hy
-.RE
-.RE
-.TP
-.B \-s
-Do strict checking of the timestamp. The number is only considered
-to be a valid timestamp and converted if it 9 or more characters
-long and contains one or less dots.
-.TP
-.B \-u
-Format using UTC (Coordinated Universal) instead of local time.
-.LP
-.SH "SEE ALSO"
-.na
-.nh
-hf(1), strftime(3)
-.ad
-.hy
-.\" .SH BUGS
diff --git a/aux/cf/cf.c b/aux/cf/cf.c
deleted file mode 100755
index 00e46f4b41..0000000000
--- a/aux/cf/cf.c
+++ /dev/null
@@ -1,189 +0,0 @@
-/*
- * Copyright (c) 1991, 1994, 1995, 1996, 1998, 1999, 2001, 2004
- *	The Regents of the University of California.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that: (1) source code distributions
- * retain the above copyright notice and this paragraph in its entirety, (2)
- * distributions including binary code include the above copyright notice and
- * this paragraph in its entirety in the documentation or other materials
- * provided with the distribution, and (3) all advertising materials mentioning
- * features or use of this software display the following acknowledgement:
- * ``This product includes software developed by the University of California,
- * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
- * the University nor the names of its contributors may be used to endorse
- * or promote products derived from this software without specific prior
- * written permission.
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
- * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
- */
-
-#ifndef lint
-static const char copyright[] =
-    "@(#) Copyright (c) 1991, 1994, 1995, 1996, 1998, 1999, 2001, 2004\n\
-The Regents of the University of California.  All rights reserved.\n";
-static const char rcsid[] =
-    "@(#) $Id: cf.c 5857 2008-06-26 23:00:03Z vern $ (LBL)";
-#endif
-
-#include <sys/types.h>
-
-#include <ctype.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <time.h>
-#include <unistd.h>
-
-static char *argv0;
-
-extern char *optarg;
-extern int optind, opterr;
-
-int preserve = 0;
-int strict = 0;
-int utc = 0;
-char *sfmt = "%b %e %H:%M:%S";
-char *lfmt = "%b %e %H:%M:%S %Y";
-char *fmt;
-
-/* Forwards */
-int main(int, char **);
-void doone(FILE *, FILE *);
-void usage(void);
-
-int
-main(argc, argv)
-	int argc;
-	char **argv;
-{
-	register char *cp;
-	register int status, didany, op;
-	FILE *f;
-	int targc;
-	char **targv;
-
-	if ((cp = strrchr(argv[0], '/')) != NULL)
-		argv0 = cp + 1;
-	else
-		argv0 = argv[0];
-
-	/* Set default format */
-	if ((fmt = getenv("CFTIMEFMT")) == NULL)
-		fmt = sfmt;
-
-	opterr = 0;
-	while ((op = getopt(argc, argv, "f:lpsu")) != EOF)
-		switch (op) {
-
-		case 'f':
-			if (*optarg == '\0')
-				fmt = sfmt;
-			else
-				fmt = optarg;
-			break;
-
-		case 'l':
-			fmt = lfmt;
-			break;
-
-		case 'p':
-			++preserve;
-			break;
-
-		case 's':
-			++strict;
-			break;
-
-		case 'u':
-			++utc;
-			break;
-
-		default:
-			usage();
-			/* NOTREACHED */
-		}
-	targc = argc - optind;
-	targv = &argv[optind];
-
-	status = 0;
-	didany = 0;
-	while (targc > 0) {
-		f = fopen(*targv, "r");
-		if (f) {
-			doone(f, stdout);
-			(void) fclose(f);
-		} else {
-			(void) fprintf(stderr, "%s: fopen: ", argv0);
-			perror(*targv);
-			status |= 1;
-		}
-		--targc;
-		++targv;
-		++didany;
-	}
-	if (!didany)
-		doone(stdin, stdout);
-	exit(status);
-}
-
-void
-doone(fin, fout)
-	FILE *fin, *fout;
-{
-	time_t ts;
-	register char *bp, *dotbp;
-	register struct tm *tp;
-	register int dot_count;
-	char buf[1024];
-	char tstr[128] = "";
-	static time_t lastts = 0;
-
-	while (fgets(buf, sizeof(buf), fin)) {
-		bp = buf;
-		dotbp = NULL;
-		if (isdigit(*bp)) {
-			ts = atol(bp);
-			++bp;
-			dot_count = 0;
-			while (isdigit(*bp) || *bp == '.') {
-				if (*bp == '.') {
-					dotbp = bp;
-					++dot_count;
-				}
-				++bp;
-			}
-			if (strict && (bp - buf < 9 || dot_count > 1 ||
-			    (bp - buf > 10 && dot_count != 1))) {
-				/* Doesn't look like a genuine timestamp -
-				 * skip it.
-				 */
-				fputs(buf, fout);
-				continue;
-			}
-			if (lastts != ts) {
-				if (!utc)
-					tp = localtime(&ts);
-				else
-					tp = gmtime(&ts);
-				(void)strftime(tstr, sizeof(tstr), fmt, tp);
-				lastts = ts;
-			}
-			fputs(tstr, fout);
-			if (preserve && dotbp != NULL)
-				bp = dotbp;
-		}
-		fputs(bp, fout);
-	}
-}
-
-void
-usage()
-{
-	extern char version[];
-
-	(void)fprintf(stderr, "%s version %s\n", argv0, version);
-	(void)fprintf(stderr, "usage: %s [-f fmt] [-lpsu] [file ...]\n", argv0);
-	exit(1);
-}
diff --git a/aux/cf/gnuc.h b/aux/cf/gnuc.h
deleted file mode 100755
index deba3e6fef..0000000000
--- a/aux/cf/gnuc.h
+++ /dev/null
@@ -1,43 +0,0 @@
-/* @(#) $Header$ (LBL) */
-
-/* Define __P() macro, if necessary */
-#ifndef __P
-#if __STDC__
-#define __P(protos) protos
-#else
-#define __P(protos) ()
-#endif
-#endif
-
-/* inline foo */
-#ifdef __GNUC__
-#define inline __inline
-#else
-#define inline
-#endif
-
-/*
- * Handle new and old "dead" routine prototypes
- *
- * For example:
- *
- *	__dead void foo(void) __attribute__((volatile));
- *
- */
-#ifdef __GNUC__
-#ifndef __dead
-#define __dead volatile
-#endif
-#if __GNUC__ < 2  || (__GNUC__ == 2 && __GNUC_MINOR__ < 5)
-#ifndef __attribute__
-#define __attribute__(args)
-#endif
-#endif
-#else
-#ifndef __dead
-#define __dead
-#endif
-#ifndef __attribute__
-#define __attribute__(args)
-#endif
-#endif
diff --git a/aux/cf/version.c b/aux/cf/version.c
deleted file mode 100644
index 076ba4f713..0000000000
--- a/aux/cf/version.c
+++ /dev/null
@@ -1 +0,0 @@
-char version[] = "1.2";
diff --git a/aux/contrib/README b/aux/contrib/README
deleted file mode 100644
index fbba44b3b2..0000000000
--- a/aux/contrib/README
+++ /dev/null
@@ -1,8 +0,0 @@
-This directory contains unsupported contributions to Bro.  If you have
-something to contribute to this directory please send it to us.
-
-policy/
-	miscellaneous .bro policy file you might find useful
-
-scripts/
-	miscellaneous support scripts, alternate report formats, etc.
diff --git a/aux/contrib/policy/README b/aux/contrib/policy/README
deleted file mode 100644
index 5c63fd5017..0000000000
--- a/aux/contrib/policy/README
+++ /dev/null
@@ -1,8 +0,0 @@
-Contents of this directory:
-
-syslog.bro: Bro analyzer for broccoli-based syslog data
-
-user-check.bro: Bro analyzer for syslog-based user data (bad usernames, etc.)
-
-client-heartbeat.bro: Generate heartbeat events and send to other Bro's
-server-heartbeat.bro: Generate alarm if don't receive a heartbeat event
diff --git a/aux/contrib/policy/client-heartbeat.bro b/aux/contrib/policy/client-heartbeat.bro
deleted file mode 100644
index 36b1f81540..0000000000
--- a/aux/contrib/policy/client-heartbeat.bro
+++ /dev/null
@@ -1,55 +0,0 @@
-# client-heartbeat.bro
-# Send heartbeat events to a remote server
-# $Id: client-heartbeat.bro,v 1.3 2007/02/26 07:03:20 jason Exp $
-
-# load remote communications
-@load remote
-
-global bro_heartbeat_interval = 15 min &redef;
-
-# heartbeat server (ip address)
-global bro_heartbeat_server: addr = 127.0.0.1 &redef;
-
-# name of this host (optional, its not used)
-global myhostname = "foo.example.com" &redef; 
-global myip = 127.0.0.1 &redef; 
-
-######################################################################
-# Shouldn't need to modifiy anything below this
-# (Unless your not using SSL, then you will)
-######################################################################
-
-# who to 'heartbeat' to (i.e. the heartbeat server)
-# usually hostname-service (i.e. host.lbl.gov-syslog)
-redef Remote::destinations += { 
- 	["server-heartbeat"] = [$host=bro_heartbeat_server, 
- 		$retry=60 sec, $connect=T, $ssl=F],
- };
-
-# do nothing in the client
-event heartbeat_event( ts: double, myip: addr, hostname: string )
-    {
-    # intentionally left empty
-    }
-
-
-# call heartbeat_event and schedule ourselves to run again
-event send_heartbeat_event()
-	{
-	local hb_host = fmt ("%s", get_event_peer());
-    # NOT USED
-    local foo: double = 0.0;
-	event heartbeat_event( foo, myip, myhostname );
-	schedule bro_heartbeat_interval  { send_heartbeat_event() };
-	}
-
-# stick us in the queue to run
-event bro_init()
-	{
-# waiting till gethostname is put into production bro.bif
-#	if myhostname == "")
-#	{
-#		myhostname = gethostname();
-#	}
-	schedule bro_heartbeat_interval { send_heartbeat_event() };
-	}
diff --git a/aux/contrib/policy/server-heartbeat.bro b/aux/contrib/policy/server-heartbeat.bro
deleted file mode 100644
index 852f270fb1..0000000000
--- a/aux/contrib/policy/server-heartbeat.bro
+++ /dev/null
@@ -1,92 +0,0 @@
-# heartbeat-server.bro
-# Listen for remote heartbeat events
-# $Id: server-heartbeat.bro,v 1.6 2007/02/26 07:03:20 jason Exp $
-
-# To use this analyzer, be sure to redef Remote::destinations 
-# and probably mail_dest too.
-
-# start listening for remote hosts
-@load listen-clear
-
-# how long till 'lost' messages are genterated
-global max_timeout = 30 min &redef;
-
-# how often to bug about missing servers (60minutes)
-global report_nag_time = 1 hr &redef;
-
-# how many times to do this for? (0 forever)
-global report_nag_times: count = 0 &redef;
-
-#################################################
-# shouldn't need to modifiy anything below here #
-#################################################
-# setup our Notice type
-redef enum Notice += { LostHeartBeat } ;
-
-global report_missing_heartbeat: 
-    function(t: table[string] of count, idx: string) : interval;
-
-global reported_address_heartbeat: table[string] of count &default=0 
-    &create_expire = report_nag_time &expire_func = report_missing_heartbeat;
-
-# function called when a monitored stream times-out
-global lost_heartbeat:
-        function(t: table[string] of event_peer, idx: string) : interval;
-
-# table holding who we are monitoring (cache peer for use in notice)
-global heartbeats : table[string] of event_peer &write_expire = max_timeout &expire_func = lost_heartbeat;
-
-# send email if we expire an entry in the table
-function lost_heartbeat(t: table[string] of event_peer, idx: string): interval
-{
-    NOTICE([$note=LostHeartBeat, $src_peer=heartbeats[idx], 
-    	$msg=fmt("Lost heartbeat from %s", idx) ]);
-
-    # pop him into the report table
-    reported_address_heartbeat[idx]= report_nag_times;
-
-    return 0 sec;
-}
-
-# send email if this server is *still* down
-function report_missing_heartbeat(t: table[string] of count, idx: string): interval
-{
-    # if he is back, just let this entry expire
-    if (idx in heartbeats)
-    {
-    	return 0 secs;
-    }
-
-    NOTICE([$note=LostHeartBeat, 
-        $msg=fmt("Still missing heartbeat from %s", idx) ]);
-
-    # pop him back into the report table
-    local times: count;
-    times = reported_address_heartbeat[idx];
-
-    # if he has time left put him back
-    if ( times > 1 ) 
-        reported_address_heartbeat[idx] = times - 1;
-    # if he is set to 0, keep him forever
-    else if  (times == 0 )
-        reported_address_heartbeat[idx] = 0;
-
-    # not exactly sure why, but ....
-    return 60 sec;
-}
-
-
-# update table that we recieved a msg
-event heartbeat_event( ts:double, orig_h:addr, info:string )
-    {
-    local hb_peer = get_event_peer();
-    local hb_host = fmt("%s", hb_peer$host);
-
-    print fmt("got heartbeat from %s", orig_h) ;
-
-    # use this one if you want to be notified if the service
-    # went down and came back up on a differnt port
-    #local hb_host = fmt("%s:%s", hb_peer$host, hb_peer$p);
-    heartbeats[hb_host] = hb_peer;
-
-    }
diff --git a/aux/contrib/policy/syslog.bro b/aux/contrib/policy/syslog.bro
deleted file mode 100644
index 3f479812eb..0000000000
--- a/aux/contrib/policy/syslog.bro
+++ /dev/null
@@ -1,418 +0,0 @@
-# general syslog analyzer 0.3
-#
-# NOTES:
-# - for now, all IP addresses need to be expressed in IPv4 notation here or it will end up 
-#   looking like 255.255.255.255
-
-@load listen-clear
-@load listen-ssl
-@load user-check
-
-# put something like this in hostname.bro file
-#redef Remote::destinations += {
-#        ["syslog"] = [$host = 10.0.0.1, $events = /.*/, $connect=F, $retry = 60 secs, $ssl=T],
-#};
-
-
-# list of notices
-redef enum Notice += {
-	LoginFail, 		# too many failed attempt to a given dest
-	LoginFailSrc, 		# num failed logins from source IP exceeds thresh
-	LoginFailPair,		# num failed logins from IP pair exceeds thresh
-	LoginFailAccount,	# num failed accounts from IP->IP exceeds thresh
-	LoginFailAccountPair,	# num failed accounts from IP->account@IP exceeds thresh
-	LoginFailDict,		# num failed authentications for IP->account@IP exceeds thresh
-	LoginAfterFail,		# succ login after a series of bad from source IP
-};
-
-global syslog = open_log_file("syslog") &redef;
-
-
-# overall design is as follows:
-#
-# SIP --->table[DIPs] of login_record for each SIP<->DIP
-#     --->count of total failed logins for SIP
-#     --->count of total failed accounts for SIP
-#     access cluster data fia the cluster.bro script since it can
-#     deal better with the general notion.  
-#
-# data will be stored in two tables, one holding global data for the source IP,
-# the other holding origIP<->respIP information.  There is likely as better
-# way to go about this.
-
-# list of ssh auth_strings to ignore; 
-#  gssapi-with-mic: ssh sometimes tries, this, fails, and they
-#     uses pass phrase to log in. Dont count this type of failure for now
-#     (may need to revisit this later if every see attack using this)
-const skip_auth_strings =     {"gssapi-with-mic", } &redef;
-
-### config data ###
-const dest_num_fail_logins =     25;	# to a single dest
-const source_num_fail_logins =   20;	# across all hosts, from a single source
-const source_num_fail_accounts = 20;	# 
-const pair_num_fail_logins =     25;	# applies to single IP<->IP sets
-const pair_num_fail_accounts =   20;	#
-
-const single_account_fail =      25;	# threshold for a single IP -> account@IP fail
-					# works also as dictionary threshold on a single account
-
-### end config data ###
-
-### data structs ###
-	# IP<->IP record
-	type pair_record: record {
-		total_logins: count &default=0;		# failed login count in total
-		total_accounts: count &default=0;	# total count of accounts seen
-		accounts: table[string] of count;	# running count per unique account
-		#peer: set[count];			# event_peer$id for distributed analysis
-	};
-
-	# source record
-	type source_record: record {
-		stotal_logins: count &default=0;
-		stotal_accounts: count &default=0;
-	};
-
-# table for source data
-global source_list: table[addr] of source_record &write_expire  = 24 hr;
-
-# table for pair data
-global pair_list: table[addr,addr] of pair_record &write_expire  = 24 hr;
-
-global dests : table[addr] of count &write_expire = 1 hr; 
-
-### end data structs, config and control
-
-### begin functions and events ###
-
-# for the following events, the existance test takes place since
-# there is a chance that the postponed_ssh_login has removed the account
-# as a problem.  See that event for more information and complaining...
-
-event login_fail_src(ts:double, orig_h:addr)
-	{
-	# Here we look for the total number of failed accounts assosciated with
-	# a source IP.
-
-	# make sure the problem still exists for the host
-	if ( orig_h in source_list )
-		{
-		local srec: source_record = source_list[orig_h];
-
-		if ( srec$stotal_logins >= source_num_fail_logins )
-			NOTICE([$note=LoginFailSrc, $src=orig_h,
-				$msg=fmt("%s Exceeded %d failed logins to multiple hosts",
-					orig_h, source_num_fail_logins)]);
-		}
-	}
-
-event login_fail_account(ts:double, orig_h:addr, account:string)
-	{
-	# Here we look at the total number of unique failed accounts assosciated
-	# with a given source IP.
-
-	# make sure the problem still exists for the host
-	if ( orig_h in source_list )
-		{
-		local srec: source_record = source_list[orig_h];
-
-		if ( srec$stotal_accounts >= source_num_fail_accounts )
-			NOTICE([$note=LoginFailAccount, $src=orig_h,
-				$msg=fmt("%s has %s different account attempts to multiple hosts ",
-					orig_h, source_num_fail_accounts)]);
-		}
-	}
-
-event login_fail_pair(ts:double, orig_h:addr, resp_h:addr, account:string)
-	{
-	# Here we look at the number of failed logins for a pair of IP addresses.
-
-	# make sure the problem still exists for the host
-	if ( [orig_h, resp_h] in pair_list )
-		{
-		local prec: pair_record = pair_list[orig_h, resp_h];
-
-		if ( prec$total_logins >= pair_num_fail_logins )
-			NOTICE([$note=LoginFailPair, $src=orig_h, $dst=resp_h,
-				 $msg=fmt("%s -> %s Exceeded %s failed logins for %s",
-				orig_h, resp_h, prec$total_logins, account)]);
-
-		}
-	}
-
-event login_fail_account_pair(ts:double, orig_h:addr, resp_h:addr, account:string)
-	{
-	# Here we look at the number of failed accounts per IP pair.
-
-	if ( [orig_h, resp_h] in pair_list )
-		{
-		local prec: pair_record = pair_list[orig_h, resp_h];
-
-		if ( prec$total_logins >= pair_num_fail_accounts )
-			NOTICE([$note=LoginFailAccountPair, $src=orig_h, $dst=resp_h,
-				$msg=fmt("%s -> %s Exceeded %s failed accounts",
-				orig_h, resp_h, prec$total_accounts)]);
-		}
-	}
-
-event login_fail_dict(ts:double, orig_h:addr, resp_h:addr, account:string)
-	{
-	# Here we look at the number of times an account has failed for a given IP
-	# pair.  This is looking in particular for dictionary attacks
-
-	if ( [orig_h, resp_h] in pair_list )
-		{
-		local prec: pair_record = pair_list[orig_h, resp_h];
-		
-		# make sure that the account is still there
-		if ( account in prec$accounts )
-			{
-			if ( prec$accounts[account] >= single_account_fail )
-				# *finally* we are able to send the notice.  seems
-				# like a lot of work...
-				NOTICE([$note=LoginFailDict, $src=orig_h, $dst=resp_h,
-					$msg=fmt("%s -> %s@%s Exceeded %s failed tries",
-						orig_h, account, resp_h, prec$accounts[account])]);
-			}
-		} # end pair check
-	}
-
-
-event ssh_login(ts:double, orig_h:addr, resp_h:addr, account:string, auth_type:string)
-	{
-        print syslog, fmt("%.1f ssh_login %s -> %s@%s  %s", ts, orig_h, account, resp_h, auth_type);
-
-	local prec: pair_record;
-
-	# run a basic check on the user
-	check_user(ts, orig_h, resp_h, account, auth_type);
-
-	if ( [orig_h,resp_h] in pair_list )
-		{
-		# we have seen the pair, have we seen the account?
-		prec = pair_list[orig_h, resp_h];
-		
-		if ( account in prec$accounts )
-			{
-			# there is a history of failure, check threshold.  Also skip the
-			# informational accounts since there is a great deal of noise with them
-			if ( (prec$accounts[account] == single_account_fail) && (!informational_user(account)) )
-				{
-				NOTICE([$note=LoginAfterFail, $src=orig_h, $dst=resp_h,
-					$msg=fmt("%s -> %s@%s user login after %s failed logins ",
-						orig_h, account, resp_h, single_account_fail)]);
-				}
-			}
-		}	
-	else
-		{
-		# add new pair list
-		local tmp_accounts: table[string] of count;
-		tmp_accounts[account] = 1;
-		
-		prec$total_logins = 1;
-		prec$total_accounts = 1;
-		prec$accounts = tmp_accounts;
-
-		pair_list[orig_h, resp_h] = prec;
-		}
-
-	} # end ssh_ok_login
-
-event ssh_fail_login(ts:double, orig_h:addr, resp_h:addr, account:string, auth_type:string)
-	{
-	local prec: pair_record;
-	local srec: source_record;
-
-	print syslog, fmt("%.1f ssh_fail_login %s -> %s@%s  %s", ts, orig_h, account, resp_h, auth_type);
-
-        if (auth_type in skip_auth_strings )
-        {
-	        print syslog, fmt("ignoring ssh_fail: %s", auth_type);
-		return;
-        }
-
-	# run a basic check on the user
-	check_user(ts, orig_h, resp_h, account, "ssh_fail");
-
-	# there are a number of accounts that are infrastructural in nature
-	# and used internally.  We skip them for now even though this is 
-	# probably not such a good idea
-
-	# include local addrs too and see what happens
-	#if ( (!is_local_addr(orig_h)) && (!informational_user(account)) )
-
-	if ( (!informational_user(account)) )
-		{
-		# look at dest 
-		if ( resp_h !in dests )
-		    dests[resp_h] = 0;
-	        ++dests[resp_h];
-
-		if (dests[resp_h] == dest_num_fail_logins)
-			NOTICE([$note=LoginFail, $src=orig_h, $dst=resp_h,
-				$msg=fmt("Exceeded %d failed logins from %s to %s",
-					dest_num_fail_logins, orig_h, resp_h)]);
-
-		if ( orig_h !in source_list )
-			{ # add a new record
-			srec$stotal_logins = 1;
-			srec$stotal_accounts = 1;
-
-			source_list[orig_h] = srec;
-			}
-		else
-			{	
-			srec = source_list[orig_h];
-
-			# schedule an event to trigger the notice to provide an opportunity
-			# to correct for pam running thorough 'false negatives'
-			if ( ++srec$stotal_logins == source_num_fail_logins )
-				schedule 10 sec { login_fail_src(ts, orig_h) };
-
-			# for the time being this is being commented out ...
-			#if ( ++srec$stotal_accounts == source_num_fail_accounts ) 
-			#	schedule 10 sec { login_fail_account(ts, orig_h, account) };
-			}
-
-		# look at pair
-		if ( [orig_h, resp_h] !in pair_list )
-			{
-			local tmp_accounts: table[string] of count; 
-			tmp_accounts[account] = 1;
-
-			prec$total_logins = 1;
-			prec$total_accounts = 1;
-			prec$accounts = tmp_accounts;
-
-			}
-		else
-			{
-			prec = pair_list[orig_h, resp_h];
-
-			# this is a gross evaluation of the total login failures between two hosts
-			# which is really the sum of all failures - accounts single or multiple
-			if ( ++prec$total_logins == pair_num_fail_logins )
-				schedule 10 sec 
-					{ 
-					login_fail_pair(ts, orig_h, resp_h, account) 
-					};
-		
-			# have we seen the account before?
-			if ( account !in prec$accounts )
-				{
-				prec$accounts[account] = 1;
-
-				# look for multiple failures for many accounts: increment since this is new
-				if ( ++prec$total_accounts == pair_num_fail_accounts )
-					schedule 10 sec 
-						{ 
-						login_fail_account_pair(ts, orig_h, resp_h, account) 
-						};
-				}
-			else
-				{
-				# look for multiple failures for a single account
-				if ( ++prec$accounts[account] == single_account_fail )
-					schedule 10 sec 
-						{ 
-						login_fail_dict(ts, orig_h, resp_h, account) 
-						}; 
-				}
-			}
-
-			# update data
-		        #print "syslog: ssh_fail, updating source_list and pair_list ", srec, prec;
-			source_list[orig_h] = srec;
-			pair_list[orig_h, resp_h] = prec;
-
-		} # end initial internal/user filter
-			
-	}
-
-event postponed_ssh_login(ts:double, orig_h:addr, resp_h:addr, account:string, auth_type:string)
-	{
-	# This abomination is a result of a login passing through pam and ssh sending
-	# sperious 'failed' messages with the final successful login message.
-	# Here we intercept the data before the scheduled NOTICE event and change it back. 
-	# This is a prime example of how to introduce race conditions into code, but for the time 
-	# being I have nothing better.
-
-	print syslog, fmt("%.1f postponed_ssh_login %s -> %s@%s  %s", ts, orig_h, account, resp_h, auth_type);
-
-	# this code is almost the same as above except that we are removing values (which introduces 
-	# more testing).
-	local prec: pair_record;
-	local srec: source_record;
-	local delta: count = 2; # ammount to decrement 
-
-	# look at source, skip if record does not exist
-	if ( orig_h in source_list )
-		{	
-		srec = source_list[orig_h];
-
-		if ( (srec$stotal_logins - delta) >= 0 ) 
-			srec$stotal_logins = srec$stotal_logins - delta;
-
-		if ( (srec$stotal_accounts - delta) >= 0 )
-			srec$stotal_accounts = srec$stotal_logins - delta;
-		}
-
-	# look at pair, again skipping unknown sessions (throw weird?)
-	if ( [orig_h, resp_h] in pair_list )
-		{
-		prec = pair_list[orig_h, resp_h];
-
-		if ( (prec$total_logins - delta) >= 0 ) 
-			prec$total_logins = prec$total_logins - delta;
-		
-		if ( (prec$total_accounts - delta) >= 0 )
-			prec$total_accounts = prec$total_logins - delta;
-
-		if ( account in prec$accounts )
-			{
-			if ( (prec$accounts[account] - delta) >= 0 )  
-				prec$accounts[account] = prec$accounts[account] - delta;
-			}
-		} # end pair check
-
-		source_list[orig_h] = srec;
-		pair_list[orig_h, resp_h] = prec;
-
-
-	} # end of postpend
-
-# really want both users, waiting for fix..
-#event failed_su(ts:double, orig_h:addr, user:string, user2:string)
-event failed_su(ts:double, orig_h:addr, user:string)
-{
-        #print syslog, fmt("%.1f failed_su %s %s", ts, orig_h, user, user2 );
-        print syslog, fmt("%.1f failed_su %s %s", ts, orig_h, user);
-	# should generate a notice if too many of these
-}
-
-event successful_su (ts:double, orig_h:addr, logname: string, user:string  )
-{
-        print syslog, fmt("%.1f sucussful_su %s %s to %s", ts, orig_h, logname, user );
-}
-
-event failed_sudo (ts:double, orig_h:addr, user:string )
-{
-        print syslog, fmt("%.1f failed_sudo %s@%s", ts, user, orig_h );
-	# should generate a notice if too many of these
-}
-
-event successful_sudo (ts:double, orig_h:addr, user:string, command:string)
-{
-        print syslog, fmt("%.1f sucussful_sudo %s@%s %s", ts, user, orig_h, command );
-}
-
-#other syslog events: Grid stuff
-#"gateInit double=$time addr=$runhost addr=$reqhost count=$p \n";
-#"gateUser addr=$runhost count=$p2 string=$IDFields[9]\n";
-#"gateService addr=$runhost count=$p2 string=$srvFields[8]\n";
-#"gateLocalUser addr=$runhost count=$p2 string=$LUFields [10] string=$LUFields[6]\n";
-#"gateLocalUID addr=$runhost count=$p2 count=$LUFields[10] string=$LUFields[6]\n";
-#print "gateLocalGID addr=$runhost count=$p2 count=$GUFields[9]\n";
-
-
diff --git a/aux/contrib/policy/user-check.bro b/aux/contrib/policy/user-check.bro
deleted file mode 100644
index c3d929ba89..0000000000
--- a/aux/contrib/policy/user-check.bro
+++ /dev/null
@@ -1,82 +0,0 @@
-# version 0.1
-# script to make detailed decisions about user logins
-#
-# there are three levels of interest - 
-# 	informational : general interest (say root) for account use
-# 	suspicious : specific accounts that you do not
-# 	   expect to see and should know (such as 'lp')
-#	dead_man_walkin : accounts that may represent former employies 
-#	   or known bad entities.
-#
-# the choice to differentiate between the second and third may be gratuitious...
-#
-#
-
-redef enum Notice += {
-	SuspiciousUser,		# a user is seen that should not normally be there
-	ForbiddenUser,	        # known bad user account, more dangerous than suspicous
-	SensitiveRemoteLogin,        # root ssh connection from remote host
-};
-
-global check_dead_man_walkin = T &redef; 
-global check_user_list = T &redef;
-global check_remote_access_accounts = T &redef;
-
-# this one not finished: might want to flag these someday
-const information_accounts = { "operator", } &redef;
-
-const suspicious_accounts = { "lp", "toor", "admin", "test", "r00t", "bash", } &redef;
-
-const forbidden_accounts = { "", } &redef;
-
-# this is for accounts that you do not want logging in remotely 
-const no_remote_accounts = { "root", "system", "operator", } &redef; 
-
-function informational_user(user: string) : bool
-	{
-	if ( user in information_accounts )
-		return T;
-
-	return F;
-	}
-
-function check_user(ts:double, orig_h:addr, resp_h:addr, account:string, auth_type:string) : bool
-	{
-
-	# compare provided user with a list of potential bad accounts
-	# see note above about hot-ids: this provides a little better 
-	# flexability for general checking
-	#
-
-        #print "checking user: ", account;
-
-	if ( check_dead_man_walkin && account in forbidden_accounts )
-		{
-		NOTICE([$note=ForbiddenUser,
-			$msg=fmt("%s -> %s@%s forbidden user login",
-				 orig_h, account, resp_h)]);
-
-		return T;
-		}
-
-	if ( check_user_list && account in suspicious_accounts )
-		{
-		NOTICE([$note=SuspiciousUser,
-			$msg=fmt("%s -> %s@%s suspicious user login",
-				orig_h, account, resp_h)]);
-		return T;
-		}
-
-	if ( check_remote_access_accounts && account in no_remote_accounts 
-			&& !is_local_addr(orig_h) && auth_type != "ssh_fail" )
-		{
-		NOTICE([$note=SensitiveRemoteLogin,
-			$msg=fmt("%s -> %s@%s successful sensitive remote login",
-				orig_h, account, resp_h)]);
-		return T;
-		}
-
-	return F;
-		
-	}
-
diff --git a/aux/contrib/scripts/README b/aux/contrib/scripts/README
deleted file mode 100644
index 1b3c47ea7a..0000000000
--- a/aux/contrib/scripts/README
+++ /dev/null
@@ -1,5 +0,0 @@
-Contents of this directory:
-
-syslog2broccoli.py: converts syslog data to Broccoli events
-
-bro_report.py: alternate report script
diff --git a/aux/contrib/scripts/bro_report.py b/aux/contrib/scripts/bro_report.py
deleted file mode 100644
index f56f760dc0..0000000000
--- a/aux/contrib/scripts/bro_report.py
+++ /dev/null
@@ -1,553 +0,0 @@
-#!/usr/bin/env python
-#
-# Alternate script to generate a report using the alarm and 
-#    conn files for a given day. 
-# Notes: My experience is that everyone has their own ideas on what
-#   Bro reports should look like, so rather than try to please 
-#   everyone, we'd like to include several sample report scripts, and
-#   encourage people to generate their own script based on the 
-#   sample scripts. This is one such example. If you have your
-#   own script to contribute, please email to the Bro team.
-#
-# Brian Tierney, LBL
-#
-# input: date of report, bro.cfg file, and bro/site/local.site.bro file
-# output: a report emailed address specified
-#
-
-__doc__="""
-   Usage: bro_report.py [-s start_time -e end_time] [-x] -m email_address 
-	default start/end time = 24 period ending now
-	date format = YYYY-MM-DD-HH-mm
-	[-y] put connection logs at the end of the report 
-"""
-
-# TO DO:
-#  add ability to use report_alarms instead of ignore_alarms
-#  add non-html option (for Vern :-) )
-#  add css for more formatting options
-#
-
-import os, time, sys, datetime, socket, getopt, glob, re 
-
-# initialize globals
-
-# set this for your preferences
-ignore_alarms = ["AddressScan", "PortScan", "ScanSummary", "AddressDropped"]
-# not yet implemented
-report_alarms = []
-
-brohome = os.getenv("BROHOME")
-if brohome == None:
-    brohome = "/usr/local/bro" # try using this
-
-path = "%s/logs" % brohome
-cf = "%s/bin/cf" % brohome 
-hf = "%s/bin/hf -l" % brohome 
-# this program uses mutt to send email with attachment
-# Note: probably want to add something like this to your .muttrc file
-#    set from="bro@brohost.mysite.org"
-# There is probably a more standard way to make this work...
-
-mutt = "/usr/local/bin/mutt"
-bro_local_nets = "%s/site/local.site.bro" % brohome
-
-use_mtime = 1  # if set, use file modification time to find alarm files,
-#conn_reports_at_end = 0  # set if want all connection info at end of the report 
-########################################################
-#		otherwise use file name
-
-
-
-def get_file_names(start_time, end_time):
-    """
-     using stat, get a list of all files modified on a given date
-    """
-
-    global alarm_file_list
-    global conn_file_list
-
-    print "looking for alarms between %s and %s " % (time.ctime(start_time), time.ctime(end_time))
-    alarm_file_list = []
-    if use_mtime:
-        globstring = "%s/alarm*" % (path)
-        alarm_files = glob.glob(globstring)
-        cnt = 0
-        for afile in alarm_files:
-            st = os.stat(afile)
-            ctime = st[8]
-            mtime = st[9]
-            if (mtime >= start_time or ctime >= start_time) and (mtime <= end_time or ctime >= end_time):
-                alarm_file_list.append(afile)
-                cnt += 1
-    else:
-        rdate = time.strftime("%y-%m-%d", time.localtime(start_time))
-        globstring = "%s/alarm*%s*" % (path,rdate)
-        alarm_files = glob.glob(globstring)
-        cnt = 0
-        for afile in alarm_files:
-            alarm_file_list.append(afile)
-            cnt += 1
-
-    #print "Using this list of alarm files: ", alarm_file_list
-
-    conn_file_list = []
-    globstring = "%s/conn*" % (path)
-    conn_files = glob.glob(globstring)
-    for cfile in conn_files:
-        st = os.stat(cfile)
-        ctime = st[8]
-        mtime = st[9]
-        #if mtime >= start_time and mtime <= end_time:
-        if (mtime >= start_time or ctime >= start_time) and (mtime <= end_time or ctime >= end_time):
-            conn_file_list.append(cfile)
-
-    #print "Using this list of conn files: ", conn_file_list
-    return cnt
-
-########################################################
-
-def get_time(sdate):
-    """
-	take command line arg and generate time
-     """
-
-    if len(sdate.split("-")) == 3:
-        yr,mn,dy  = sdate.split("-")
-        stime = (int(yr), int(mn), int(dy), 0, 0, 0, 0, 0, -1)
-    elif len(sdate.split("-")) == 4:
-        yr,mn,dy,hr  = sdate.split("-")
-        stime = (int(yr), int(mn), int(dy), int(hr), 0, 0, 0, 0, -1)
-    elif len(sdate.split("-")) == 5:
-        try:
-            yr,mn,dy,hr,min  = sdate.split("-")
-        except:
-            print "Error parsing date: ", sdate
-            usage()
-        stime = (int(yr), int(mn), int(dy), int(hr), int(min), 0, 0, 0, -1)
-    else:
-        print "Invalid data format"
-        usage()
-    rtime = time.mktime(stime)
-
-    return rtime
-
-########################################################
-
-def get_site_name(broConfig):
-
-    f = open(broConfig)
-    lines = f.readlines()
-    site_name = "Default"
-    for line in lines:
-        if line.startswith("BRO_SITE_NAME"):
-            site_name = line.split("=")[1]
-            site_name = site_name.replace('"','')
-    # no way to pass this directly to mutt, need to put in .muttrc instead
-    #if line.startswith("BRO_EMAIL_FROM"):
-    #    mail_from = line.split("=")[1]
-    #    mail_from = site_name.replace('"','')
-
-    return site_name
-
-########################################################
-def get_local_nets(localnets):
-    """
-    reads Bro local.site.bro file to get a list of local networks
-    """
-
-    # this ugly thing will match IP addresses
-    regexp = re.compile("([01]?\d\d?|2[0-4]\d|25[0-5])\.([01]?\d\d?|2[0-4]\d|25[0-5])\.([01]?\d\d?|2[0-4]\d|25[0 -5])\.([01]?\d\d?|2[0-4]\d|25[0-5])")
-
-    f = open(localnets)
-    lines = f.readlines()
-
-    local_nets = []
-    if len(lines) > 0: 
-        for line in lines:
-            fields = line.split()
-            if len(fields) > 0 and not fields[0].startswith("#"):  # skip comment lines
-                #print fields
-                for f in fields:
-                    match = regexp.match(f)
-                    if match:
-                        t = f.split("/")
-                        local_nets.append(t[0])
-    else:
-        print "Bro local nets not found. Exiting. "
-        sys.exit(-1)
-
-    return local_nets
-
-########################################################
-
-def get_local_host(ip1,ip2,sh,dh,local_nets):
-    """
-	based on contents of bro site file, determine which host is local
-    """
-    local_host = ""
-    if ip2 != "none":
-        #print "debug:", ip1, ip2, sh, dh, local_nets
-        # HACK Alert: this will only work for /16 and /24 networks
-        for net in local_nets:
-            if net.split(".")[2] == "0":  # assume class B
-                ipa = "%s.%s.0.0" % (ip1.split(".")[0] , ip1.split(".")[1] ) 
-                ipb = "%s.%s.0.0" % (ip2.split(".")[0] , ip2.split(".")[1] ) 
-            else: # assume class C
-                ipa = "%s.%s.%s.0" % (ip1.split(".")[0] , ip1.split(".")[1], ip1.split(".")[2] ) 
-                ipb = "%s.%s.%s.0" % (ip2.split(".")[0] , ip2.split(".")[1], ip2.split(".")[2] ) 
-
-            if ipa == net: 
-                local_host = sh
-                break
-            if ipb == net: 
-                local_host = dh
-                break
-    else:
-        local_host = sh
-    #print "   found local host: ", local_host
-
-    if local_host == "":  # sometimes see packets not on either net!
-        local_host = "host from unknown subnet!"
-    return local_host
-
-########################################################
-
-def create_alarm_info(aline, start_time, end_time):
-    """
-	create log info record from alarm message
-    """
-
-    # assume tagged alarm file; trick to parse correctly
-    if aline[:2] != "t=":   # if line does not start with "t=", continue
-        print "Warning: not a tagged alarm: ", aline
-	return []
-    reformated_alarm = [t.replace('~',' ') for t in aline.replace('\\ ','~').split()]
-    ip1 = ip2 = sp = dp =  "none"
-    alarm = msg = tm = tag = ""
-    for s in reformated_alarm:
-        field = s.split("=")
-        if field[0] == "sa":
-            ip1 = field[1]
-        if field[0] == "sp":
-            sp = field[1]
-        if field[0] == "da":
-            ip2 = field[1]
-        if field[0] == "dp":
-            dp = field[1]
-        if field[0] == "t":
-            try:
-                utime = float(field[1]) # unix-style time in seconds
-            except:
-                print "Error, unknown alarm format ", reformated_alarm
-                return []
-            if utime < start_time or utime > end_time:
-                return []
-            tm = time.ctime(float(field[1]))
-        if field[0] == "no":
-            alarm = field[1]
-        if field[0] == "tag":
-            tag = field[1]
-        if field[0] == "msg":
-            msg = field[1]
-            msg = msg.replace('\\ ', ' ')
-    # end for
-
-    if alarm in ignore_alarms:  # skip if wrong type of alarm
-        return []
-
-    if tag == "": 
-        tag = "missing tag"
-        print "Warning: Alarm tag not found: ", reformated_alarm
-    #return [] # only continue for tagged alarms
-
-    # look up src/dst addresses
-    sh = [""]
-    dh = [""]
-    try:
-        sh = socket.gethostbyaddr(ip1);
-    except:
-        sh[0] = ip1
-    try:
-        dh = socket.gethostbyaddr(ip2);
-    except:
-        dh[0] = ip2
-    #print "hostnames: %s = %s; %s = %s" % (ip1, sh[0], ip2, dh[0])
-
-    # save all useful info from this alarm
-    alarm_info = [alarm, tm, ip1, sp, sh[0], ip2, dp, dh[0], msg, tag, 0]
-
-    #print "alarm info: ", alarm_info
-    return alarm_info
-
-########################################################
-
-def load_alarms(start_time, end_time):
-    """
-	load alarms from alarm log files into alarm_list 
-    """
-
-    # fills in alarm_list and host_list data structure
-
-    global alarm_list 
-    global host_list 
-
-    alarm_list = []
-    host_list = []
-
-    report_date = time.strftime("%y-%m-%d", time.localtime(end_time))
-    yr, mn, dy = report_date.split("-")
-
-    cnt = 0
-    for afile in alarm_file_list:
-        print "opening file:", afile
-        fd = open(afile)
-
-        # first read through entire alarm file and create list of hosts involved.
-        done = 0
-        while not done:
-            try:
-                tl = fd.readline()
-            except Exception, E:
-                print E
-                done = 1
-                continue
-            #print "read line: ",tl
-
-            if len(tl) == 0:
-                done = 1
-                #print "end of file"
-                continue
-
-            alarm_info = create_alarm_info(tl,start_time, end_time)
-            if alarm_info != []:
-                cnt += 1
-                #only add if this alarm for this host pair has not been seen before
-                alarm_exists = 0
-                for curr_alarm_info in alarm_list:
-                    alarm,tm,ip1,sp,shost,ip2,dp,dhost,msg,tag,a_cnt = curr_alarm_info
-                    if alarm  == alarm_info[0] and ip1 == alarm_info[2] and ip2 == alarm_info[5]:
-                        curr_alarm_info[10] += 1   # increment count
-                        alarm_exists = 1
-                if not alarm_exists:
-                    alarm_list.append(alarm_info)
-
-                # figure out which host is local and add to host_list[]
-                local_host = get_local_host(alarm_info[2], alarm_info[5], alarm_info[4], alarm_info[7], local_nets)
-                if local_host not in host_list:
-                    print "Adding to host list: ", local_host
-                    host_list.append(local_host)
-
-    #print host_list
-    #print alarm_list
-    print "Found %d alarms in this time period " % cnt
-    return cnt
-
-######################################################################
-def print_alarm(alarminfo,out):
-    """ Formats and outputs the alarms
-    """
-
-    alarm,tm,ip1,sp,sh,ip2,dp,dh,msg,tag,a_cnt = alarminfo
-
-    out.write ('<table border="0" cellspacing="2" cellpadding="2"> \n <tr> \n')
-    out.write ('<td><div align="right"><strong> ')
-    # reformat alarm and write to file in a more readable format
-    alarm_string =  '<strong>%s</strong>: <td> %s </td> </tr> \n <tr align="left"> <td align="right"> source: </td> <td align="left"> %s </td> <td> %s </td> <td> port = %s </td> </tr> \n <tr align="left"> <td align="right"> dest: </td> <td align="left"> %s </td> <td> %s </td> <td> port = %s </td> </tr> \n <tr> <td align="right"> alarm message: </td> <td colspan= 3 align="left"> %s %s </td> </tr> </table> \n' % (alarm, tm, ip1, sh, sp, ip2, dh, dp, msg, tag) 
-    out.write(alarm_string)
-    if a_cnt > 1:
-        out.write("<ul>%d instances of this alarm for this host pair </ul>" % a_cnt)
-
-    out.write ("<p> \n")
-
-######################################################################
-def print_connections(connfiles,ip,tag,out):
-    """ Formats and outputs the connection logs
-     """
-
-    # there must be a clever way to do this with the pipes module, but this will work for now
-    # only include connections that have state SF or S1 (should also include RSTO)
-
-    cmd = "grep -h ' %s ' %s | grep -e 'SF' -e 'S1' -e 'RSTO' | grep -A 10 -B 5 '%s$' | %s | %s > %s" % (ip, connfiles, tag, cf, hf, "/tmp/bro-report.tmp")
-    print "running program: ", cmd
-    os.system(cmd)       
-    f = open("/tmp/bro-report.tmp")
-    lines = f.readlines()  # read entire file
-
-    if len(lines) > 0:
-        out.write ('\n <table border="0" cellspacing="2" cellpadding="2"> \n')
-        out.write('<tr align="right"><td colspan= 3> Time </td> <td> Duration </td><td> Src host </td><td> Dst host </td> <td> Service </td> <td> Src port </td> <td> Dst port </td> <td> Prot </td> <td> Bytes sent </td><td> Bytes rcv </td> <td> State </td><td> Flag </td><td> Tag </td> </tr>')
-
-        for line in lines:
-            fields = line.split()
-            out.write('<tr align="right">')
-            for f in fields:
-                out.write("<td> %s </td>" % f)
-            out.write("</tr>")
-        out.write("</table> \n ")
-
-    else:
-        out.write ("<ul> No suscessful connections found. </ul> \n")
-
-    out.write ("<hr>\n")
-
-
-######################################################################
-def usage(m=None):
-    """This just prints the doc string for the whole program.
-    """
-    if m: print "Error: %s" % m
-    print __doc__
-    sys.exit()
-
-########################################################
-
-def main():
-    """
-	parse opts, collect alarms, generate report
-    """
-
-    global local_nets 
-    global report_date
-    global conn_reports_at_end 
-    conn_reports_at_end = 0
-
-    try:    
-        options,prog_args = getopt.getopt(sys.argv[1:],'hxys:e:m:')
-    except getopt.GetoptError, E:       
-        usage(E)
-
-    do_today = 0
-    report_date = sdate = edate = dest = ""
-    for opt,val in options:
-        if opt == '-s':
-            sdate = val
-        elif opt == '-e':
-            edate = val
-        elif opt == '-m':
-            dest = val
-        elif opt == '-y':
-            conn_reports_at_end = 1 
-        else:
-            usage()
-
-    if dest == "":
-        print "Missing email address for report"
-        usage()
-
-    if sdate == "":
-        # set defauts
-        end_time = time.time()
-        start_time = end_time - (24 * 60 * 60)  # number of seconds in 1 day
-    else:
-        # if start/stop times given at the command line, convert them to Unix time
-        if sdate != "":
-            start_time = get_time(sdate)
-            if edate == "":  # if not specified, add 24 hrs
-                end_time = start_time + (24 * 60 * 60) 
-        if edate != "":
-            end_time = get_time(edate)
-            if sdate == "":  # if not specified, subtract 24 hrs
-                start_time = end_time + (24 * 60 * 60) 
-        else:
-            end_time = start_time + (24 * 60 * 60)  # number of seconds in 1 day
-
-    #print "start time: %f, %s " % (start_time, time.ctime(start_time))
-    #print "end time: %f, %s " % (end_time, time.ctime(end_time))
-
-    outfile = "%s/reports/bro.report.%d.html" % (brohome, os.getpid())
-    out = open(outfile, 'w') 
-
-    if conn_reports_at_end:   # open file to save all conn information, then cat to report at the end
-        outfile_conn = "%s/reports/bro.report.%d.tmp" % (brohome, os.getpid())
-        out_conn = open(outfile_conn, 'w') 
-
-    rstart = time.strftime("%y-%m-%d %H:%M", time.localtime(start_time))
-    rend = time.strftime("%y-%m-%d %H:%M", time.localtime(end_time))
-
-    if get_file_names(start_time, end_time) <= 0:
-        print "No alarms found for time specified"
-        out.write ("<HTML><HEAD><TITLE> Bro Report %s to %s </TITLE></HEAD>\n" % (rstart, rend ) )
-        out.write ("<BODY><p> Bro Report %s-%s <p> \n"  % (rstart, rend ) )
-        out.write ("<BODY><p><p> No alarms found for time specified \n </BODY></HTML>"  )
-        sys.exit(0)
-
-    connfiles = ""
-    for connfile in conn_file_list:  # build single string with all names in it
-        connfiles += "%s " % connfile
-    #print "connfiles ", connfiles
-
-    site_name = get_site_name("%s/etc/bro.cfg" % brohome)
-    local_nets = get_local_nets(bro_local_nets)
-    cnt = load_alarms(start_time, end_time)
-
-    out.write ("<HTML><HEAD><TITLE> Bro Report %s-%s </TITLE></HEAD>\n" % (rstart, rend ) )
-    out.write ("<BODY>")
-    out.write ("<p> Bro Report: %s-%s \n" % (rstart, rend ) )
-    out.write ("<p> Total Number of Alarms: %d \n " % cnt)
-    if cnt > 0:
-        out.write ("<br> List of %s hosts with Alarms in this report: \n <ul> " % site_name)
-
-        # now loop through alarm_list and generate report
-        for host in host_list:
-            out.write ("  <p> <strong> %s </strong>" % (host))
-        out.write ("</ul> <p> <hr> \n")
-    else:
-        print "No Alarms found"
-
-    for alarm in alarm_list:
-        #print alarm
-        print_alarm(alarm,out)
-        tag = alarm[9]
-
-        if conn_reports_at_end:   
-            taglink = "#alarm%s" % (tag)
-            out.write ('\n <ul> <a href="%s"> Successful Connections</a> just before and after this alarm </ul> <p>\n' % taglink)
-        else:
-            out.write ("Successful Connections just before and after this alarm: \n\n <p> \n" )
-
-        print "searching conn files '%s' for tag %s " % ( connfiles, tag)
-
-        if conn_reports_at_end:   
-            out_conn.write('<P><A name="%s"></A>\n' % taglink.strip("#"))
-
-        if len(connfiles) > 0:
-            if conn_reports_at_end:   
-                out_conn.write ('\n <p> \n Successful Connections just before and after alarm %s  <p>\n' % tag)
-                print_connections(connfiles, alarm[2], tag, out_conn )
-            else:
-                print_connections(connfiles, alarm[2], tag, out )
-
-    if conn_reports_at_end and cnt > 0:   
-        out.write ("<hr> \n")
-        out.write ("<p> Connection Summary Information \n" )
-        out_conn.close()
-        out.close()
-        cmd = "cat %s >> %s " % (outfile_conn, outfile)
-        print "Running command: ", cmd
-        os.system(cmd)       
-        # next reopen the file
-        out = open(outfile, 'a')  
-
-    out.write ("</body></html> \n")
-    out.close()
-
-    # done building report, now send it
-
-    #cmd = "/usr/bin/Mail -s 'Bro Report: %s' %s < %s" % (tm, dest, outfile)
-    # mail does not handle HTML attachments, so use mutt instead
-    cmd = "%s -s 'Bro Report from %s: %s to %s ' -a %s %s < /dev/null" % (mutt, socket.gethostname(), rstart, rend, outfile, dest)
-    print "running program: ", cmd
-    os.system(cmd)       
-
-    try:
-        os.remove("/tmp/bro-report.tmp")
-    #os.remove(outfile)
-    except:
-        pass
-
-    sys.exit(0)
-
-######################################################################
-if __name__ == '__main__': main()
-
diff --git a/aux/contrib/scripts/syslog2broccoli.py b/aux/contrib/scripts/syslog2broccoli.py
deleted file mode 100644
index 294486cb9f..0000000000
--- a/aux/contrib/scripts/syslog2broccoli.py
+++ /dev/null
@@ -1,600 +0,0 @@
-#! /usr/bin/env python
-#
-# this script finds the end of the syslog file, and then watches
-#  for new events to send to Bro.  Actually they are reformatted
-#  as Broccoli events, and written to stdout. Then some other
-#  process can send them to Bro.
-#
-# started as a perl script from unknon source
-# modified for syslog parsing by Scott Campbell
-# more options added by Brian Tierney
-#
-# CHANGELOG: started 07/07/05
-# fixed IPv6 support in sshd login analysis
-# 07/12/05 change logic in ssh deny parsing to only look at what
-#          we want rather than reverse.
-#
-"""
-script that looks at interesting entries in a syslog file
-and print out information in a format that broccoli understands
-"""
-import optparse, logging, re, time
-import select, socket, sys, threading
-
-RE_SSH = re.compile(r"[\w,\s,\W]*sshd") 
-RE_SSH_ACCEPT = re.compile(r"[\w,\s,\W]*Accept")
-# all Failures; leads to false possitives
-# RE_SSH_FAIL = re.compile(r"[\w,\s,\W]*Failed")
-# just failed passwords
-RE_SSH_FAIL = re.compile(r"[\w,\s,\W]*Failed[\s]*password")
-RE_SSH_FAIL_ILLEGAL_USER = re.compile(r"[\w,\s,\W]*illegal[\s]*user|[\w,\s,\W]*invalid[\s]*user")
-RE_SSH_EXCLUDE = re.compile(r"[\w,\s,\W]*com\.apple\.SecurityServer")
-
-# only do failures for now
-
-RE_SUDO = re.compile(r"[\w,\s,\W]*sudo[\w,\s,\W]+failure|[\w,\s,\W]*sudo[\w,\s,\W]+incorrect password attempts")
-RE_SUDO_FORMAT1 = re.compile(r"[\w,\s,\W]*sudo[\w,\s,\W]+failure")
-RE_SUDO_FORMAT2 = re.compile(r"[\w,\s,\W]*sudo[\w,\s,\W]+incorrect password attempts") 
-
-RE_SU_SUCCESS = re.compile(r"[\w,\s\W]*su: \(|[\w,\s,\W]*su: SU |[\w,\s,\W]*su[\w,s,\W]+session opened") 
-RE_SU_FORMAT1 = re.compile(r"[\w,\s,\W]*session opened for user [\w,\W]+ by [\w,\W]+")        
-RE_SU_FORMAT2 = re.compile(r"[\w,\s,\W]*su:[\s]*\(to [\w]+\) [\w]+")        
-RE_SU_FORMAT3 = re.compile(r"[\w,\s,\W]*su: SU")        
-
-
-RE_SU_FAIL = re.compile(r"[\w,\s\W]* BAD SU |[\w,\s,\W]* FAILED SU |[\w,\s,\W]*su[\w,\s,\W]*authentication failure") 
-RE_SU_FAIL_FORMAT1 = re.compile(r"[\w,\s,\W]*authentication failure")
-RE_SU_FAIL_FORMAT2 = re.compile(r"[\w,\s,\W]*FAILED SU")
-RE_SU_FAIL_FORMAT3 = re.compile(r"[\w,\s,\W]*BAD SU")
-
-RE_GRID = re.compile(r"[\w,\s\W]* GRAM")
-RE_GRID_AUTHORIZE_LOCALUSER = re.compile(r"[\w,\s,\W]* Authorized as local user")
-RE_GRID_AUTHORIZE_LOCALUID = re.compile(r"[\w,\s,\W]* Authorized as local uid:")
-RE_GRID_AUTHORIZE_LOCALGID = re.compile(r"[\w,\s,\W]* and local gid:")
-RE_GRID_AUTHENTICATE = re.compile(r"[\w,\s,\W]* Authenticated globus user:")
-RE_GRID_CONNECT = re.compile(r"[\w,\s,\W]* Got connection ")
-RE_GRID_SERVICE = re.compile(r"[\w,\s,\W]* Requested service: ")
-RE_GRID_INFO = re.compile(r"[\w,\s,W]*gridinfo")
-
-# not done: generate Bro event for these too
-RE_NEWUSER = re.compile(r"[\w,\s,\W]*new user:[\w,\s,\W]+useradd")
-
-# not done: generate Bro event for user root sending mail to yahoo, gmail, hotmail, aol, etc.
-#	(maybe even any .com ?)
-RE_ROOT_EMAIL = re.compile(r"[\w,\s,\W]*sendmail[\w,\s,\W]+root[\w,\s,\W]+to `[\w,\s,\W]+\.com")
-
-
-class HeartBeatThread(threading.Thread):
-    """
-    HeartBeat class that inherits from Python Thread class 
-    """
-    def __init__(self, sleep_seconds): 
-        threading.Thread.__init__(self)
-        self._sleeptime = sleep_seconds 
-
-    def run(self):
-        """
-        Sends out a heartbeat event, then goes to sleep for 15 minutes
-        """
-        addr = socket.gethostbyname(socket.gethostname())
-        heartbeat_string = "Syslog_daemon_heartbeat"
-        while True: 
-            time_double = time.time()
-            print "heartbeat_event double=%d addr=%s string=%s" % (time_double, addr, heartbeat_string)
-            time.sleep(self._sleeptime) 
-
-def time_conversion(month, date, clocktime):
-    """
-    Convert time string to double, need to handle the
-    year field
-    """ 
-    year = time.asctime().split()[-1:][0] 
-    time_str = " ".join((month, date, clocktime, year)) 
-    try:
-        time_tuple = time.strptime(time_str, "%b %d %H:%M:%S %Y")
-    except:
-        log.error( "time.strptime error converting %s" % time_str )
-        return 0.0
-    time_double = time.mktime(time_tuple) 
-    return time_double
-    
-def check_ip(ip):
-    """
-	Covert hostname to IP if necessary, and check if valid IP
-    """
-
-    try:
-        ip = socket.gethostbyname(ip)
-    except:
-        log.error( "Error converting %s to an IP " % ip )
-        return ""
-
-    # if passed in something that looked like an IP, gethostbyname might not return an error, so best to check
-    try:
-        ips = ip.split('.')
-    except:
-        log.error("Error spliting IP into components: %s" % ip)
-        return ""
-
-    if len(ips) == 4:
-        if int(ips[0]) < 256 and int(ips[1]) < 256 and int(ips[2]) < 256 and int(ips[3]) < 256:
-            return ip
-        else:
-            return ""
-    else:
-        return ""
-
-def find_user(fields):
-    """
-    Find the user in a list of fields where user is the name in user=name
-    """
-    user = "unknown"
-    for f in fields: 
-        try:
-            user1, user2 = f.split('=')
-            if user1 == 'user' or user1 == 'ruser':
-                if user2 != "": 
-                    return user2
-        except: 
-            pass 
-    return user 
-
-def parse_ssh(line, line_cnt): 
-    """
-    print out the ssh fields into the broccoli format
-
-    Note: still needs to handle odd syslog formats, such as (double set of timestamps):
-      Jan  1 00:03:44 127.0.0.1 2005-12-31 21:51:10.163447500 isthiswhatyouwant.jay.lbl.gov sshd[] PAM: Authentication failure for ldoolitt from astound-69-42-20-231.ca.astound.net
-
-    There are many different formats, but the following seem fairly consistant:
-        for username
-        from hostname
-     so look for works "for" and "from", and then take the fields after that
-
-    """ 
-    
-    fields = line.split() 
-    time_double = time_conversion(fields[0], fields[1], fields[2]) 
-    # look for 'from' hostname
-    n = 0
-    from_ip = ""
-    for f in fields:
-        if f == "from":
-            from_ip = fields[n+1]
-            break
-        n += 1
-
-    # check for valid IP (some look like this: "::ffff:128.3.60.86")
-    ipf = from_ip.split(':')
-    if len(ipf) > 1:
-        ip = ipf[len(ipf) - 1]
-    else:
-        ip = ipf[0]
-
-    # verify that this is a valid IP address
-    ip = check_ip(ip)
-    lh_ip = check_ip(fields[3])
-
-    success = False
-    failed = False
-    auth_type = "unknown"
-    username = "unknown"
-
-    if RE_SSH_ACCEPT.match(line):
-        success = True
-        try:
-            auth_index = fields.index('Accepted')
-            username_index = fields.index('for')
-        except ValueError:
-            log.error( "Error: sshd line with unknown format: line %d,%s" % (line_cnt, line))
-            return 
-            
-        auth_type = fields[auth_index +1] 
-        username = fields[username_index +1]
-
-    if RE_SSH_FAIL.match(line) and not RE_SSH_EXCLUDE.match(line): 
-        failed = True 
-        try:
-            auth_index = fields.index('Failed')
-            username_index = fields.index('for') 
-        except ValueError:
-            log.error( "Error: sshd line with unknown format: line %d,%s" % (line_cnt, line))
-            return 
-        
-        auth_type = fields[auth_index + 1] 
-        if RE_SSH_FAIL_ILLEGAL_USER.match(line):
-            username = fields[username_index +3] 
-        else:
-            username = fields[username_index +1]
-    
-    if ip and lh_ip:
-        if success: 
-            print "ssh_login double=%d addr=%s addr=%s string=%s string=%s" % (time_double, ip, lh_ip, username, auth_type)
-           
-        if failed:
-            print "ssh_fail_login double=%d addr=%s addr=%s string=%s string=%s" % (time_double, ip, lh_ip, username, auth_type)
-           
-    else:
-        log.error( "Error: sshd line with unknown format: line %d" % (line_cnt))
- 
-  
-def parse_sudo(line):
-    """
-    print out the sudo fields in the broccoli format 
-    Supports these formats
-        1. host sudo(pam_unix)[5835]: authentication failure; logname=user uid=0 euid=0 tty=pts/4 ruser= rhost=  user=user
-        2. host sudo:    user: 3 incorrect password attempts ;
-        TTY=pts/11 ; PWD=directory COMMAND=/bin/ls
-
-    """ 
-    
-    fields = line.split()
-    time_double = time_conversion(fields[0], fields[1], fields[2]) 
-
-    # look for user
-    user = "unknown" 
-    if RE_SUDO_FORMAT1.match(line): 
-        user = find_user(fields)        
-        
-    if RE_SUDO_FORMAT2.match(line): 
-        user = fields[5] 
-
-    if user == "":
-        user = "unknown" 
-
-    # check if need to convert to IP addr
-    lh_ip = check_ip(fields[3])
-
-    if user == "unknown":
-        log.debug("unhandled user in next line" )
-        log.debug(line)
-    
-    print "failed_sudo double=%d addr=%s string=%s " % (time_double, lh_ip, user )
-
-def parse_su_success(line, line_cnt):
-    """
-    print out the su fields in the broccoli format
-
-    This one is hard because there are MANY formats used for this, including: 
-        This function handles these 3 formats
-        1. session opened for user by user
-        2. (to root) user
-        3. su: SU 
-        
-        user to root
-        'su root' succeeded for user 
-
-        Not quite done: does not always correctly find logname or username
-    """
-    fields = line.split()
-    time_double = time_conversion(fields[0], fields[1], fields[2]) 
-    logname = "unknown"
-    user = "unknown" 
-     
-    if RE_SU_FORMAT1.match(line): 
-        try:
-            index = fields.index('user')
-        except ValueError:
-            log.error( "Error: su line with unknown format: line %d,%s" % (line_cnt, line))
-            return 
-            
-        logname = fields[index +1] 
-        user = fields[index +3] 
-    
-    if RE_SU_FORMAT2.match(line): 
-        logname = fields[6].rstrip(')')
-        user = fields[7]
-    
-    if RE_SU_FORMAT3.match(line): 
-        try:
-            index = fields.index('SU')
-        except ValueError:
-            log.error( "Error: su line with unknown format: line %d,%s" % (line_cnt, line))
-            return 
-        
-        user = fields[index +1] 
-
-    if user == "unknown": 
-        log.debug("unhandled case on line: %d " % line_cnt)
-        log.debug(line)
-    lh_ip = check_ip(fields[3])
-    print "successful_su double=%d addr=%s string=%s string=%s" % (time_double, lh_ip, logname, user) 
-     
-
-def parse_su_fail(line, line_cnt):
-    """
-    print out the su fields in the broccoli format
-    This one is hard because there are MANY formats used for this, including:
-        authentication failure; 
-        logname=user uid=uid euid=0 tty= ruser=jason rhost=  user=root
-        
-        We match this case only
-        1. BAD SU user to root
-        These cases are not handled
-        FAILED SU (to root) user
-        'su root' failed for user 
-    """
-    fields = line.split() 
-    time_double = time_conversion(fields[0], fields[1], fields[2]) 
-    user = "unknown"
-    
-    if RE_SU_FAIL_FORMAT1.match(line):
-        user = find_user(fields) 
-    
-    if RE_SU_FAIL_FORMAT2.match(line): 
-        fail_test1 = False
-        fail_test2 = False
-        try:
-            index = fields.index('to') 
-        except:
-            fail_test1 = True
-        try:
-            index = fields.index('(to') 
-        except:    
-            fail_test2 = True 
-        
-        if fail_test1 and fail_test2:
-            log.error("su fail: -to- not found: line %d" % line_cnt)
-        else: 
-            user = fields[index +1]
-    
-    if RE_SU_FAIL_FORMAT3.match(line): 
-        try:
-            index = fields.index('to') 
-            user = fields[index - 1]
-        except:
-            log.error("su fail: -to- not found: line %d " % line_cnt)
-        
-    if user == "":
-        user = "unknown" 
-
-    if user == "unknown":
-        log.debug("unhandled case on line %d" % line_cnt)
-        log.debug(line)
-
-    lh_ip = check_ip(fields[3])
-
-    print "failed_su double=%d addr=%s string=%s" % (time_double, lh_ip, user) 
-
-def parse_gate(line, line_cnt):
-    """
-    print out the globus fields in the broccoli format
-
-    Not finished
-    """
-    fields = line.split() 
-    time_double = time_conversion(fields[0], fields[1], fields[2]) 
-    
-    if RE_GRID_AUTHORIZE_LOCALUSER.match(line): 
-        gate_ip = check_ip(fields[3])
-        pid = fields[5].strip("gatekeeper[]:") 
-        user = fields[10]
-        print "gatekeeper_local_user addr=%s count=%s string=%s string=Authorized" % (gate_ip, pid, user) 
-        
-    elif RE_GRID_AUTHORIZE_LOCALUID.match(line):
-        gate_ip = check_ip(fields[3])
-        pid = fields[5].strip("gatekeeper[]:")
-        uid = fields[10]
-        print "gatekeeper_local_uid addr=%s count=%s string=%s string=Authorized" % (gate_ip, pid, uid)
-    elif RE_GRID_AUTHORIZE_LOCALGID.match(line):
-        gate_ip = check_ip(fields[3])
-        pid = fields[5].strip("gatekeeper[]:")
-        gid = fields[9]
-        print "gatekeeper_local_uid addr=%s count=%s string=%s string=Authorized" % (gate_ip, pid, gid)
-    elif RE_GRID_AUTHENTICATE.match(line):
-        print "authenticate"
-        gate_ip = check_ip(fields[3])
-        pid = fields[5].strip("gatekeeper[]:")
-        dn = " ".join(fields[9:])
-        print "gatekeeper_auth_user addr=%s count=%s string=%s string=Authorized" % (gate_ip, pid, dn) 
-    elif RE_GRID_CONNECT.match(line): 
-        gate_ip = check_ip(fields[3])
-        src_ip = check_ip(fields[8])
-        pid = fields[5].strip("gatekeeper[]:")
-        print "gateekeeper_connect double=%d addr=%s addr=%s count=%s" % (time_double, gate_ip, src_ip, pid) 
-    elif RE_GRID_SERVICE.match(line): 
-        gate_ip = check_ip(fields[3]) 
-        pid = fields[5].strip("gatekeeper[]:")
-        service = fields[8]
-        print "gatekeeper_service double=%d addr=%s count=%s string=%s" % (time_double, gate_ip, pid, service) 
-  
-    else:
-        log.debug("unhandled case on line %d" % line_cnt)
-        log.debug(line)
-    
-    
-    
-
-    
-
-    
-
-def parse_newuser(line):
-    """
-    print out the newuser fields in the broccoli format
-
-    Not finished
-    """
-    fields = line.split() 
-    time_double = time_conversion(fields[0], fields[1], fields[2]) 
-    lh_ip = check_ip(fields[3])
-
-    #print "new_user double=%d addr=%s string=%s" % (time_double, lh_ip, user) 
-
-def parse_root_email(line):
-    """
-    print out the root email fields in the broccoli format
-
-    Not finished
-    """
-    fields = line.split() 
-    time_double = time_conversion(fields[0], fields[1], fields[2]) 
-    lh_ip = check_ip(fields[3])
-
-    #print "root_email double=%d addr=%s addr=%s" % (time_double, lh_ip, ip) 
-
-
-
-def log_parse(syslog_file, opts):
-    """
-    Continually parse the log file, and print information to stdout
-    """
-
-    line_cnt = 0
-    done = 0
-    if opts.begin_tail or opts.begin:
-        tail = 0
-    else:
-        tail = 1
-
-    day = int(time.strftime("%d")) # day that program is started
-    today = time.strftime("%Y-%m-%d") 
-
-    while not done:
-        try:  
-            line = syslog_file.readline()
-        except Exception, E:
-            log.error ("Error reading file. Possibly log file was rotated, so try to reopen " )
-            syslog_file.close() 
-            fname = "%s/all-%s" % (opts.path, today)
-            try:
-                syslog_file = open(fname) 
-            except:
-                log.error( "Error opening syslog file %s " % (fname))
-                sys.exit(-1)
-
-        if len(line) == 0 and opts.begin: # if not tailing the file
-            done = 1
-            log.debug ("End of file. Num lines = %d. Exiting" % line_cnt)
-            sys.exit(1);
- 
-        if len(line) == 0 and opts.begin_tail and tail == 0:
-            tail = 1   # start tailing the file
-            log.debug ("Reached End of file, now tailing the file") 
-
-        line_cnt += 1
-        if not (line_cnt % 50000):
-            log.debug ("Processed %d lines" % line_cnt)
-
-
-	try:
-           if RE_SSH.match(line) and ( RE_SSH_ACCEPT.match(line) or RE_SSH_FAIL.match(line) ):
-               parse_ssh(line, line_cnt) 
-             
-           elif RE_SUDO.match(line):
-               parse_sudo(line) 
-             
-           elif RE_SU_SUCCESS.match(line):
-               parse_su_success(line, line_cnt)
- 
-           elif RE_SU_FAIL.match(line):
-               parse_su_fail(line, line_cnt)
-
-           elif RE_GRID.match(line):
-               parse_gate(line, line_cnt) 
-
-           elif RE_NEWUSER.match(line):
-               parse_newuser(line.split()) 
-
-           elif RE_ROOT_EMAIL.match(line):
-               parse_root_email(line.split()) 
-
-           else:
-               #This outputs too much information, this should be turned
-               #on if we set verbose to the next level
-               #log.debug("Not matching line: %s" % line)
-               pass 
-
-        except:
-            log.error ("Error parsing log file. Corrupt log entry: %s" % line )
-	    continue
-
-        sys.stdout.flush()
-
-        if tail: # go slow if tailing the file
-            select.select([], [], [], .01) 
-            # if tailing the file and path is set, 
-            #need to roll over to a new file at midnight
-            if opts.path:
-                check_day = int(time.strftime("%d"))
-                if day != check_day:
-                    # new day, so open new file
-                    syslog_file.close() 
-                    today = time.strftime("%Y-%m-%d") 
-                    fname = "%s/all-%s" % (opts.path, today)
-                    log.debug( "New Day, so opening new syslog file: %s " % (fname))
-                    try:
-                        syslog_file = open(fname) 
-                    except:
-                        log.error( "Error opening syslog file %s " % (fname))
-                        sys.exit(-1)
-                    day = check_day 
-                    line_cnt = 0
-
- 
-def log_open(opts):
-    """
-    open the logfile at the beginning or end
-    depending on the command line arguments
-    """
-    global log
-    logging.basicConfig()
-    log = logging.getLogger("sys2broccoli")
-
-    if opts.verbose:
-        log.setLevel(logging.DEBUG)
-    else:
-        log.setLevel(logging.NOTSET) 
-    
-    if opts.path and opts.start_date: 
-        fname = "%s/all-%s" % (opts.path, opts.start_date)
-    else:
-        fname = opts.syslog_file
-    
-    try:
-        syslog_file = open(fname) 
-    except:
-        log.error( "Error opening syslog file %s " % (fname))
-        sys.exit(-1)
-
-    if opts.begin or opts.begin_tail:
-        log.debug("Will start at the beginning of the file.")    
-    else:
-        syslog_file.seek(0, 2)
-
-    log_parse(syslog_file, opts)        
-            
-         
-
-def main():
-    """
-    Read in the command line arguments, then open the log
-    """
-    parser = optparse.OptionParser()
-    begin_help = """Start at the begining of the syslog file,
-                    and exit when get to the end""" 
-    parser.add_option("-b", action="store_true", dest="begin", 
-                      help=begin_help, default=False)
-    begin_tail_help = """Start at the begining of the syslog file, 
-                         and tail the file when get to the end""" 
-    parser.add_option("-B", action="store_true", dest="begin_tail", 
-                     help=begin_tail_help, default=False)
-    parser.add_option("-v", "--verbose", action="store_true", dest="verbose", 
-                      help="be more verbose", default=False)
-    parser.add_option("-f", "--file", action="store", dest="syslog_file", 
-                      help="Location of the syslog file.", 
-                      default="/var/log/syslog")
-    # these are for use on syslog.lbl.gov
-    parser.add_option("-d", "--dir", action="store", dest="path", 
-                      help="Directory of the archived syslog files.")
-    parser.add_option("-t", "--date", action="store", dest="start_date", 
-                      help="Date of file to process.", default=False)
-    opts, args = parser.parse_args()
-    heartbeat = HeartBeatThread(900)
-    heartbeat.setDaemon(True)
-    heartbeat.start() 
-    log_open(opts) 
-    
-
-
-if __name__ == "__main__": main()
diff --git a/aux/hf/Makefile.am b/aux/hf/Makefile.am
deleted file mode 100755
index 2e127f5084..0000000000
--- a/aux/hf/Makefile.am
+++ /dev/null
@@ -1,16 +0,0 @@
-DISTCLEANFILES = hf.c nf.c pf.c
-
-noinst_PROGRAMS = hf nf pf
-
-#LEX = @V_LEX@
-
-#.l.c:
-#	$(LEX) $(srcdir)/$*.l ; rm -f $@ ; mv lex.yy.c $@
-
-if USE_NBDNS
-dns_srcs = nb_dns.c
-endif
-
-hf_SOURCES = hf.l setsignal.c version.c nb_dns.h setsignal.h gnuc.h $(dns_srcs) 
-nf_SOURCES = nf.l setsignal.c 
-pf_SOURCES = pf.l setsignal.c 
diff --git a/aux/hf/VERSION b/aux/hf/VERSION
deleted file mode 100755
index f71668fbd8..0000000000
--- a/aux/hf/VERSION
+++ /dev/null
@@ -1 +0,0 @@
-1.0a10
diff --git a/aux/hf/gnuc.h b/aux/hf/gnuc.h
deleted file mode 100755
index deba3e6fef..0000000000
--- a/aux/hf/gnuc.h
+++ /dev/null
@@ -1,43 +0,0 @@
-/* @(#) $Header$ (LBL) */
-
-/* Define __P() macro, if necessary */
-#ifndef __P
-#if __STDC__
-#define __P(protos) protos
-#else
-#define __P(protos) ()
-#endif
-#endif
-
-/* inline foo */
-#ifdef __GNUC__
-#define inline __inline
-#else
-#define inline
-#endif
-
-/*
- * Handle new and old "dead" routine prototypes
- *
- * For example:
- *
- *	__dead void foo(void) __attribute__((volatile));
- *
- */
-#ifdef __GNUC__
-#ifndef __dead
-#define __dead volatile
-#endif
-#if __GNUC__ < 2  || (__GNUC__ == 2 && __GNUC_MINOR__ < 5)
-#ifndef __attribute__
-#define __attribute__(args)
-#endif
-#endif
-#else
-#ifndef __dead
-#define __dead
-#endif
-#ifndef __attribute__
-#define __attribute__(args)
-#endif
-#endif
diff --git a/aux/hf/hf.l b/aux/hf/hf.l
deleted file mode 100755
index d5ef9198c4..0000000000
--- a/aux/hf/hf.l
+++ /dev/null
@@ -1,950 +0,0 @@
-N              [0-9]
-O              ({N}{1,3})
-
-C              [0-9A-Fa-f]
-H              ({C}{1,4})
-
-    #include "config.h"
-    #include <sys/types.h>
-    #include <sys/socket.h>
-    #include <sys/time.h>
-    #include <sys/stat.h>
-
-    #include <netinet/in.h>
-
-    #include <arpa/inet.h>
-
-    #ifdef NEED_NAMESER_COMPAT_H
-        #include <arpa/nameser_compat.h>
-    #else
-        #include <arpa/nameser.h>
-    #endif
-
-    #ifndef NS_MAXDNAME
-	    #define NS_MAXDNAME 1025
-    #endif
-    #ifndef NS_INADDRSZ
-	    #define NS_INADDRSZ 4
-    #endif
-    #ifndef NS_IN6ADDRSZ
-	    #define NS_IN6ADDRSZ 16
-    #endif
-
-    #include <ctype.h>
-    #include <errno.h>
-    #ifdef HAVE_MEMORY_H
-    #include <memory.h>
-    #endif
-    #include <netdb.h>
-    #include <resolv.h>
-    #include <setjmp.h>
-    #include <signal.h>
-    #include <stdio.h>
-    #include <string.h>
-    #include <unistd.h>
-
-    #include "gnuc.h"
-    #ifdef HAVE_OS_PROTO_H
-    #include "os-proto.h"
-    #endif
-
-    #include "setsignal.h"
-    #include "nb_dns.h"
-
-    #undef yywrap
-    #ifdef FLEX_SCANNER
-    #define YY_NO_UNPUT
-    #endif
-    int yywrap(void);
-    int yylex(void);
-    void convert(const char *, int);
-
-    #ifdef HAVE_ASYNC_DNS
-    #define ECHO \
-	if (!lookup_pass) { (void) fwrite( yytext, yyleng, 1, yyout ); }
-    int lookup_pass;		/* true if lookup only */
-    #endif
-    int linemode;		/* convert at most one entry per line */
-    int triedone;
-
-%%
-
-
-::{O}(\.{O}){3}		convert(yytext, 1);
-{O}(\.{O}){3}		convert(yytext, 0);
-
-{H}(:{H}){7}		convert(yytext, 1);
-{H}:(:{H}){1,6}		convert(yytext, 1);
-({H}:){2}(:{H}){1,5}	convert(yytext, 1);
-({H}:){3}(:{H}){1,4}	convert(yytext, 1);
-({H}:){4}(:{H}){1,3}	convert(yytext, 1);
-({H}:){5}(:{H}){1,2}	convert(yytext, 1);
-({H}:){6}:{H}		convert(yytext, 1);
-
-({O}\.){1,3}		ECHO;		/* anti-backtrack */
-{O}((\.{O}){1,2})	ECHO;		/* anti-backtrack */
-
-{N}+			ECHO;
-[^0-9\n]+		ECHO;
-[^0-9\n]+\n		{
-			ECHO;
-			triedone = 0;
-			}
-
-\n			{
-			ECHO;
-			triedone = 0;
-			}
-
-%%
-
-/*
- * Copyright (c) 1989, 1990, 1991, 1992, 1993, 1994, 1996, 1998, 1999, 2000, 2001, 2002, 2004
- *	The Regents of the University of California.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that: (1) source code distributions
- * retain the above copyright notice and this paragraph in its entirety, (2)
- * distributions including binary code include the above copyright notice and
- * this paragraph in its entirety in the documentation or other materials
- * provided with the distribution, and (3) all advertising materials mentioning
- * features or use of this software display the following acknowledgement:
- * ``This product includes software developed by the University of California,
- * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
- * the University nor the names of its contributors may be used to endorse
- * or promote products derived from this software without specific prior
- * written permission.
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
- * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
- */
-
-#ifndef lint
-static const char copyright[] =
-    "@(#) Copyright (c) 1989, 1990, 1991, 1992, 1993, 1994, 1996, 1998, 1999, 2000, 2001, 2002, 2004\n\
-The Regents of the University of California.  All rights reserved.\n";
-static const char rcsid[] =
-    "@(#) $Id: hf.l 1420 2005-09-29 22:25:14Z vern $ (LBL)";
-#endif
-
-
-#define HSIZE 8192		/* must be a power of two */
-
-struct htable {
-	char addr[NS_IN6ADDRSZ];
-	int af;			/* address family */
-	int alen;
-	int state;
-	char *name;		/* overloaded variable */
-	struct htable *next;
-} htable[HSIZE];
-
-#define STATE_FREE	0	/* not in use */
-#define STATE_RAW	1	/* couldn't translate */
-#define STATE_SENTPTR	2
-#define STATE_HAVEPTR	3
-#define STATE_SENTA	4
-#define STATE_HAVEA	5
-
-int strip = 1;			/* strip local domain when possible */
-int lcase = 1;			/* force lowercase */
-int shortdomain;		/* strip entire domain */
-int printboth;			/* print both addr & name */
-#ifdef HAVE_ASYNC_DNS
-int asyncdns;			/* 2 pass async dns hack */
-int numasync;			/* number of outstanding async requests */
-int asyncfd;
-#endif
-int networknumber;		/* convert to network numbers */
-int check;			/* check PTR's against A records */
-#ifdef DEBUG
-int debug = 0;
-#endif
-
-int tmo;			/* seconds to wait for a answer from the dns */
-int doingdns;			/* true if we're waiting for the nameserver */
-jmp_buf alrmenv;		/* longjmp() buffer */
-
-char *prog;
-
-char domain[64];		/* current domain name (including '.') */
-int domainlen;			/* length of domain name */
-
-char azero[NS_IN6ADDRSZ];
-
-#ifdef HAVE_ASYNC_DNS
-struct nb_dns_info *nd;
-#endif
-
-int targc;
-char **targv;
-
-extern char *optarg;
-extern int optind, opterr;
-
-/* ANSI C defines this */
-#ifndef __STDC__
-extern char *malloc();
-#endif
-
-/* Forwards */
-char *a2h(const char *, int, int);
-char *addr2host(const char *, int, int);
-#ifdef HAVE_ASYNC_DNS
-void asyncreap(int);
-#endif
-struct htable *cacheaddr(const char *, int, int, int, const char *);
-#ifdef DEBUG
-void dump(void);
-#endif
-int getdomain(void);
-struct htable *hash(const char *, int, int);
-#ifdef HAVE_ASYNC_DNS
-int ispipe(FILE *);
-#endif
-struct htable *lookupaddr(const char *, int, int);
-int main(int, char **);
-void massagename(char *);
-RETSIGTYPE timeout(int);
-void usage(void);
-
-int
-main(argc, argv)
-	int argc;
-	char **argv;
-{
-	register char *cp;
-	register int op;
-#ifdef HAVE_ASYNC_DNS
-	char errstr[NB_DNS_ERRSIZE];
-#endif
-
-	if ((cp = strrchr(argv[0], '/')) != NULL)
-		prog = cp + 1;
-	else
-		prog = argv[0];
-
-	opterr = 0;
-	while ((op = getopt(argc, argv, "1abcdilnNt:")) != EOF)
-		switch (op) {
-
-		case '1':
-			++linemode;
-			break;
-
-		case 'a':
-#ifdef HAVE_ASYNC_DNS
-			++asyncdns;
-#else
-			fprintf(stderr,
-			    "%s: warning: -a not supported; ignored\n", prog);
-#endif
-			break;
-
-		case 'b':
-			++printboth;
-			break;
-
-		case 'c':
-			++check;
-			break;
-
-#ifdef DEBUG
-		case 'd':
-			++debug;
-			break;
-#endif
-
-		case 'i':
-			lcase = 0;
-			break;
-
-		case 'l':
-			strip = 0;
-			break;
-
-		case 'n':
-#ifdef notdef
-			++networknumber;
-#else
-			fprintf(stderr, "%s: -n not currently impemented\n",
-			    prog);
-			exit(1);
-#endif
-			break;
-
-		case 'N':
-			++shortdomain;
-			break;
-
-		case 't':
-			tmo = atoi(optarg);
-			if (tmo <= 0)
-				usage();
-			break;
-
-		default:
-			usage();
-		}
-
-#ifdef HAVE_ASYNC_DNS
-	if (asyncdns) {
-		nd = nb_dns_init(errstr);
-		if (nd == NULL) {
-			fprintf(stderr, "%s: nb_dns_init: %s\n", prog, errstr);
-			exit(1);
-		}
-		asyncfd = nb_dns_fd(nd);
-		/* If no explicit timeout, use resolver retransmit */
-		if (tmo == 0)
-			tmo = _res.retrans;
-	}
-#endif
-
-	/* Figure out our domain, if necessary */
-	if (!strip || shortdomain || !getdomain())
-		domain[0] = '\0';
-
-	/* Up number of retries, we really want answers */
-	_res.retry = 20;
-
-	/* Don't search, we'll use only FQDNs */
-	_res.options &= ~RES_DNSRCH;
-
-	/* Setup alarm catcher if -t */
-#ifdef HAVE_ASYNC_DNS
-	if (!asyncdns)
-#endif
-		if (tmo > 0)
-			(void)setsignal(SIGALRM, timeout);
-
-	/* Let yywrap() figure out if there are any arguments to open */
-	targc = argc - optind;
-	targv = &argv[optind];
-	yyin = NULL;
-	(void)yywrap();
-
-	/* Process file opened by yywrap() or stdin if no arguments */
-	if (yyin) {
-#ifdef HAVE_ASYNC_DNS
-		/* XXX depends on the type of stdin */
-		/* XXX can we do a test rewind? */
-#ifdef notdef
-		if (asyncdns && yyin == stdin)
-			fprintf(stderr,
-			    "%s: warning: can't use -a on stdin\n", prog);
-#endif
-#endif
-		yylex();
-	}
-
-#ifdef DEBUG
-	if (debug) {
-		fflush(stdout);
-		dump();
-	}
-#endif
-	exit(0);
-}
-
-int
-yywrap()
-{
-	register char *file;
-	static int didany = 0;
-
-	/* Close file, if necessary */
-	if (yyin) {
-#ifdef HAVE_ASYNC_DNS
-		if (asyncdns) {
-			if (lookup_pass) {
-				if (fseek(yyin, 0L, SEEK_SET) < 0) {
-					fprintf(stderr,
-					    "%s: fseek/rewind: %s\n",
-					    prog, strerror(errno));
-					exit(1);
-				}
-				yyrestart(yyin);
-				lookup_pass = 0;
-				asyncreap(1);
-				return (0);
-			}
-			numasync = 0;
-		}
-#endif
-		if (yyin != stdin)
-			(void)fclose(yyin);
-		yyin = NULL;
-	}
-
-	/* Spin through arguments until we run out or successfully open one */
-	while (targc > 0) {
-		file = targv[0];
-		--targc;
-		++targv;
-		++didany;
-		if ((yyin = fopen(file, "r")) != NULL) {
-#ifdef HAVE_ASYNC_DNS
-			if (asyncdns)
-				lookup_pass = 1;
-#endif
-			return (0);
-		}
-		perror(file);
-	}
-	if (!didany) {
-		yyin = stdin;
-#ifdef HAVE_ASYNC_DNS
-		if (asyncdns) {
-			if (ispipe(yyin)) {
-				fprintf(stderr,
-				    "%s: warning: can't use -a on a pipe\n",
-				    prog);
-				asyncdns = 0;
-			} else
-				lookup_pass = 1;
-		}
-#endif
-	}
-	return (1);
-}
-
-int
-getdomain()
-{
-	register char *cp;
-	register struct hostent *hp;
-	char host[128];
-
-	if (gethostname(host, sizeof(host) - 1) < 0)
-		return (0);
-	if ((cp = strchr(host, '.')) == NULL) {
-		/* Not already canonical */
-		if (tmo > 0)
-			alarm(tmo);
-		doingdns = 1;
-		if (setjmp(alrmenv))
-			return (0);
-		hp = gethostbyname(host);
-		doingdns = 0;
-		if (hp == NULL)
-			return (0);
-		if ((cp = strchr(hp->h_name, '.')) == NULL)
-			return (0);
-	}
-	(void)strncpy(domain, cp, sizeof(domain));
-	domain[sizeof(domain) - 1] = '\0';
-	if (lcase)
-		for (cp = domain; *cp; ++cp)
-			if (isupper((int)*cp))
-				*cp = tolower(*cp);
-	domainlen = strlen(domain);
-	return (1);
-}
-
-RETSIGTYPE
-timeout(int signo)
-{
-
-	if (doingdns) {
-		doingdns = 0;
-		longjmp(alrmenv, 1);
-	}
-	return RETSIGVAL;
-}
-
-/* Convert address to hostname via the dns */
-char *
-a2h(register const char *ap, register int alen, register int af)
-{
-	register char **pp;
-	register size_t len;
-	static struct hostent *hp;
-	static char *host = NULL;
-	static size_t hostlen = 0;
-
-	/* Look up the PTR */
-	if (tmo > 0)
-		alarm(tmo);
-	doingdns = 1;
-	if (setjmp(alrmenv))
-		return (NULL);
-	hp = gethostbyaddr(ap, alen, af);
-	doingdns = 0;
-	if (hp == NULL)
-		return (NULL);
-
-	len = strlen(hp->h_name) + 1;
-	if (hostlen < len) {
-		if (len < 132)
-			len = 132;
-		if (host == NULL)
-			host = malloc(len);
-		else
-			host = realloc(host, len);
-		if (host == NULL) {
-			hostlen = 0;
-			return (NULL);
-		}
-		hostlen = len;
-	}
-	(void)strcpy(host, hp->h_name);
-
-	/* Done if we aren't checking */
-	if (!check)
-		return (host);
-
-#ifndef HAVE_GETHOSTBYNAME2
-	if (af != AF_INET)
-		return (NULL);
-#endif
-
-	/* Check PTR against the A record */
-	if (tmo > 0)
-		alarm(tmo);
-	doingdns = 1;
-	if (setjmp(alrmenv))
-		return (NULL);
-#ifdef HAVE_GETHOSTBYNAME2
-	hp = gethostbyname2(host, af);
-#else
-	hp = gethostbyname(host);
-#endif
-	doingdns = 0;
-	if (hp == NULL)
-		return (NULL);
-	if (af != hp->h_addrtype)
-		return (NULL);
-
-	/* Spin through ip addresses looking for a match */
-	for (pp = hp->h_addr_list; *pp != NULL; ++pp)
-		if (memcmp(ap, *pp, alen) == 0)
-			return (host);
-
-	return (NULL);
-}
-
-/* Convert address to hostname via the cache and/or dns */
-char *
-addr2host(register const char *ap, register int alen, register int af)
-{
-	register int state;
-	register char *host;
-	register struct htable *p;
-
-	/* First look in hash table */
-	p = lookupaddr(ap, alen, af);
-	if (p != NULL)
-		return (p->name);
-
-	/* Lookup this host */
-	host = a2h(ap, alen, af);
-	state = STATE_RAW;
-	if (host != NULL) {
-		if (check)
-			state = STATE_HAVEA;
-		else
-			state = STATE_HAVEPTR;
-		massagename(host);
-	}
-
-	p = cacheaddr(ap, state, alen, af, host);
-	if (p != NULL)
-		return (p->name);
-
-	return (host);
-}
-
-/* Look hash table entry for address */
-struct htable *
-lookupaddr(register const char *ap, register int alen, register int af)
-{
-	register struct htable *p;
-
-	for (p = hash(ap, alen, af); p != NULL; p = p->next)
-		if (p->af == af && memcmp(p->addr, ap, alen) == 0)
-			return (p);
-	return (NULL);
-}
-
-void
-massagename(register char *name)
-{
-	register char *cp;
-
-	if (shortdomain) {
-		/* Throw away entire domain */
-		cp = strchr(name, '.');
-		if (cp)
-			*cp = '\0';
-	} else if (strip && *domain != '\0') {
-		/* Strip the local domain */
-		cp = name + strlen(name) - domainlen;
-		if (cp > name && strcasecmp(cp, domain) == 0)
-			*cp = '\0';
-	}
-	if (lcase)
-		for (cp = name; *cp; ++cp)
-			if (isupper((int)*cp))
-				*cp = tolower(*cp);
-}
-
-struct htable *
-cacheaddr(register const char *ap, register int state, register int alen,
-    register int af, register const char *host)
-{
-	register struct htable *p, *p2;
-
-	/* Don't cache zero */
-	if (memcmp(ap, azero, alen) == 0)
-		return (NULL);
-
-	/* Look for existing slot in hash table */
-	for (p = hash(ap, alen, af); p != NULL; p = p->next)
-		if (p->state != STATE_FREE &&
-		    p->af == af &&
-		    memcmp(p->addr, ap, alen) == 0)
-			break;
-
-	/* Allocate a new slot */
-	if (p == NULL) {
-		p = hash(ap, alen, af);
-		if (p->state != STATE_FREE) {
-			/* Handle the collision */
-			p2 = (struct htable *)malloc(sizeof(struct htable));
-			/* Lose, lose */
-			if (p2 == NULL)
-				return (NULL);
-			memset((char *)p2, 0, sizeof(struct htable));
-			p2->next = p->next;
-			p->next = p2;
-			p = p2;
-		}
-	}
-
-	/* Install new host */
-	memmove(p->addr, ap, alen);
-	p->alen = alen;
-	p->af = af;
-	if (host != NULL)
-		p->name = strdup(host);
-	if (state != 0)
-		p->state = state;
-	if (p->state == STATE_FREE)
-		abort();
-
-	/* Return answer entry */
-	return (p);
-}
-
-#ifdef DEBUG
-void
-dump()
-{
-	register char *cp;
-	register int i, j, n, d;
-	register struct htable *p, *p2;
-	char buf[132];
-
-	d = n = 0;
-	for (p = htable, i = 0; i < HSIZE; ++p, ++i)
-		if (p->name) {
-			++n;
-			j = 0;
-			for (p2 = p; p2; p2 = p2->next) {
-				if ((cp = p2->name) == NULL)
-					cp = "<nil>";
-				else if (cp == (char *)1)
-					cp = "<raw>";
-				(void)fprintf(stderr, "%4d:%d ", i, j);
-				if (inet_ntop(p2->af, p2->addr,
-				    buf, sizeof(buf)) == NULL)
-					(void)fprintf(stderr, "?");
-				else
-					(void)fprintf(stderr, "%s", buf);
-				switch (p2->state) {
-
-				case STATE_HAVEA:
-					(void)fprintf(stderr, " HAVEA");
-					break;
-
-				case STATE_HAVEPTR:
-					(void)fprintf(stderr, " HAVEPTR");
-					break;
-
-				case STATE_SENTPTR:
-					(void)fprintf(stderr, " SENTPTR");
-					break;
-
-				case STATE_RAW:
-					(void)fprintf(stderr, " RAW");
-					break;
-
-				default:
-					(void)fprintf(stderr, " #%d",
-					    p2->state);
-					break;
-				}
-				(void)fprintf(stderr, " \"%s\"\n", cp);
-				++d;
-				++j;
-			}
-		}
-	d -= n;
-	(void)fprintf(stderr, "%d entries (%d dynamically linked)\n", n, d);
-}
-#endif
-
-#ifdef HAVE_ASYNC_DNS
-void
-asyncreap(register int ateof)
-{
-	register char *host;
-	register int n;
-	register char **pp;
-	register struct htable *p;
-	register struct nb_dns_result *nr;
-	register struct hostent *hp;
-	fd_set fds;
-	struct timeval to;
-	char errstr[NB_DNS_ERRSIZE];
-	struct nb_dns_result xxxnr;
-
-	nr = &xxxnr;
-	memset(nr, 0, sizeof(*nr));
-	while (numasync > 0) {
-		FD_ZERO(&fds);
-		FD_SET(asyncfd, &fds);
-		/* If we're not at EOF, just poll */
-		if (!ateof) {
-			to.tv_sec = 0;
-			to.tv_usec = 0;
-		} else {
-			to.tv_sec = tmo;
-			to.tv_usec = 0;
-		}
-		n = select(asyncfd + 1, &fds, NULL, NULL, &to);
-		if (n < 0) {
-			fprintf(stderr, "%s: select: %s\n",
-			    prog, strerror(errno));
-			exit(1);
-		}
-
-		/* Done if timed out */
-		if (n == 0)
-			break;
-
-		n = nb_dns_activity(nd, nr, errstr);
-		if (n < 0) {
-			fprintf(stderr, "%s: nb_dns_activity: %s\n",
-			    prog, errstr);
-			exit(1);
-		}
-
-		/* Bail if reply doesn't match any current queries */
-		if (n == 0)
-			continue;
-
-		/* Decrement outstanding request counter */
-		--numasync;
-
-		/* Bail if not a good answer */
-		if (nr->host_errno != NETDB_SUCCESS)
-			continue;
-
-		/* Bail if no hostname (probably shouldn't happen) */
-		hp = nr->hostent;
-		host = hp->h_name;
-		if (host == NULL)
-			continue;
-
-		/* Recover hash table pointer */
-		p = (struct htable *)nr->cookie;
-
-		switch (p->state) {
-
-		case STATE_SENTPTR:
-			/* Are we done? */
-			if (!check) {
-				p->state = STATE_HAVEPTR;
-				break;
-			}
-
-			/* Now look up the A record */
-			if (nb_dns_host_request2(nd, host, p->af,
-			    (void *)p, errstr) < 0) {
-				fprintf(stderr, "%s: nb_dns_host_request: %s\n",
-				    prog, errstr);
-				p->state = STATE_RAW;
-				free(p->name);
-				p->name = NULL;
-				break;
-			}
-
-			/* Cache the fact that we're looking */
-			++numasync;
-			p->state = STATE_SENTA;
-			break;
-
-		case STATE_SENTA:
-			/* Check A against our address */
-			if (p->af != hp->h_addrtype) {
-				p->state = STATE_RAW;
-				free(p->name);
-				p->name = NULL;
-				break;
-			}
-
-			/* Spin through ip addresses looking for a match */
-			for (pp = hp->h_addr_list; *pp != NULL; ++pp)
-				if (memcmp(p->addr, *pp, p->alen) == 0)
-					break;
-
-			if (pp == NULL) {
-				p->state = STATE_RAW;
-				free(p->name);
-				p->name = NULL;
-				break;
-			}
-			p->state = STATE_HAVEA;
-			break;
-
-		default:
-			abort();
-		}
-		massagename(host);
-		if (p->name != NULL)
-			abort();
-		if (host != NULL)
-			p->name = strdup(host);
-	}
-}
-#endif
-
-void
-convert(register const char *str, register int isv6)
-{
-	register char *host;
-	register int alen;
-	register int af;
-#ifdef HAVE_ASYNC_DNS
-	register struct htable *p;
-	char errstr[NB_DNS_ERRSIZE];
-	static int num = 0;
-#endif
-	char addr[NS_IN6ADDRSZ];
-
-	if (isv6) {
-#ifdef AF_INET6
-		af = AF_INET6;
-		alen = NS_IN6ADDRSZ;
-#else
-#ifdef HAVE_ASYNC_DNS
-		if (!asyncdns || !lookup_pass)
-#endif
-			fputs(str, stdout);
-		return;
-#endif
-	} else {
-		af = AF_INET;
-		alen = NS_INADDRSZ;
-	}
-
-#ifdef HAVE_ASYNC_DNS
-	if (asyncdns && lookup_pass) {
-		if (inet_pton(af, str, addr) != 1)
-			return;
-
-		/* Done if already in hash table */
-		if (lookupaddr(addr, alen, af) != NULL)
-			return;
-
-		p = cacheaddr(addr, STATE_SENTPTR, alen, af, NULL);
-		if (p == NULL)
-			return;
-
-		if (nb_dns_addr_request2(nd, addr, af,
-		    (void *)p, errstr) >= 0) {
-			/* Cache the fact that we're looking */
-			++numasync;
-			++num;
-		} else
-			fprintf(stderr, "%s: nb_dns_host_request: %s\n",
-			    prog, errstr);
-		/* reap replies after we send a number of queries */
-		if (num > 10) {
-			asyncreap(0);
-			num = 0;
-		}
-		return;
-	}
-#endif
-
-	if (linemode && triedone) {
-		fputs(str, stdout);
-		return;
-	}
-	++triedone;
-
-	if (inet_pton(af, str, addr) == 1) {
-		host = addr2host(addr, alen, af);
-		if (host != NULL) {
-			fputs(host, stdout);
-			if (printboth) {
-				putchar('(');
-				fputs(str, stdout);
-				putchar(')');
-			}
-			return;
-		}
-	}
-	fputs(str, stdout);
-}
-
-struct htable *
-hash(register const char *ap, register int alen, register int af)
-{
-	u_int32_t h;
-
-	switch (alen) {
-
-	case NS_INADDRSZ:
-		memmove(&h, ap, sizeof(h));
-		break;
-
-	case NS_IN6ADDRSZ:
-		memmove(&h, ap + NS_IN6ADDRSZ - sizeof(h), sizeof(h));
-		break;
-
-	default:
-		abort();
-	}
-	return (&htable[h & (HSIZE - 1)]);
-}
-
-#ifdef HAVE_ASYNC_DNS
-int
-ispipe(FILE *f)
-{
-	struct stat sbuf;
-
-	if (fstat(fileno(f), &sbuf) < 0) {
-		fprintf(stderr, "%s: fstat: %s\n", prog, strerror(errno));
-		exit(1);
-	}
-	if ((sbuf.st_mode & S_IFMT) != S_IFREG)
-		return (1);
-	return (0);
-}
-#endif
-
-void
-usage()
-{
-	extern char version[];
-
-	(void)fprintf(stderr, "Version %s\n", version);
-	(void)fprintf(stderr, "usage: %s [-1abcdilN] [-t secs] [file ...]\n",
-	    prog);
-	exit(1);
-}
diff --git a/aux/hf/nb_dns.c b/aux/hf/nb_dns.c
deleted file mode 100755
index 283bcde1a3..0000000000
--- a/aux/hf/nb_dns.c
+++ /dev/null
@@ -1,612 +0,0 @@
-/*
- * See the file "COPYING" in the main distribution directory for copyright.
- */
-#ifndef lint
-static const char rcsid[] =
-    "@(#) $Id: nb_dns.c 7074 2010-09-13 01:52:50Z vern $ (LBL)";
-#endif
-/*
- * nb_dns - non-blocking dns routines
- *
- * This version works with BIND 9
- *
- * Note: The code here is way more complicated than it should be but
- * although the interface to send requests is public, the routine to
- * crack reply buffers is private.
- */
-
-#include "config.h"			/* must appear before first ifdef */
-
-#include <sys/types.h>
-#include <sys/socket.h>
-
-#include <netinet/in.h>
-
-#include <arpa/inet.h>
-#include <arpa/nameser.h>
-#ifdef NEED_NAMESER_COMPAT_H
-#include <arpa/nameser_compat.h>
-#endif
-
-#include <errno.h>
-#ifdef HAVE_MEMORY_H
-#include <memory.h>
-#endif
-#include <netdb.h>
-#include <resolv.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-
-#ifdef notdef
-#include "gnuc.h"
-#ifdef HAVE_OS_PROTO_H
-#include "os-proto.h"
-#endif
-#endif
-
-#include "nb_dns.h"
-
-#if PACKETSZ > 1024
-#define MAXPACKET	PACKETSZ
-#else
-#define MAXPACKET	1024
-#endif
-
-#ifdef DO_SOCK_DECL
-extern int socket(int, int, int);
-extern int connect(int, const struct sockaddr *, int);
-extern int send(int, const void *, int, int);
-extern int recvfrom(int, void *, int, int, struct sockaddr *, int *);
-#endif
-
-/* Private data */
-struct nb_dns_entry {
-	struct nb_dns_entry *next;
-	char name[NS_MAXDNAME + 1];
-	int qtype;			/* query type */
-	int atype;			/* address family */
-	int asize;			/* address size */
-	u_short id;
-	void *cookie;
-};
-
-#ifndef MAXALIASES
-#define MAXALIASES	35
-#endif
-#ifndef MAXADDRS
-#define MAXADDRS	35
-#endif
-
-struct nb_dns_hostent {
-	struct hostent hostent;
-	int numaliases;
-	int numaddrs;
-	char *host_aliases[MAXALIASES + 1];
-	char *h_addr_ptrs[MAXADDRS + 1];
-	char hostbuf[8 * 1024];
-};
-
-struct nb_dns_info {
-	int s;				/* Resolver file descriptor */
-	struct sockaddr_in server;	/* server address to bind to */
-	struct nb_dns_entry *list;	/* outstanding requests */
-	struct nb_dns_hostent dns_hostent;
-};
-
-/* Forwards */
-static int _nb_dns_mkquery(struct nb_dns_info *, const char *, int, int,
-    void *, char *);
-static int _nb_dns_cmpsockaddr(struct sockaddr *, struct sockaddr *, char *);
-
-static char *
-my_strerror(int errnum)
-{
-#if HAVE_STRERROR
-	extern char *strerror(int);
-	return strerror(errnum);
-#else
-	static char errnum_buf[32];
-	snprintf(errnum_buf, sizeof(errnum_buf), "errno %d", errnum);
-	return errnum_buf;
-#endif
-}
-
-struct nb_dns_info *
-nb_dns_init(char *errstr)
-{
-	register struct nb_dns_info *nd;
-
-	nd = (struct nb_dns_info *)malloc(sizeof(*nd));
-	if (nd == NULL) {
-		snprintf(errstr, NB_DNS_ERRSIZE, "nb_dns_init: malloc(): %s",
-		    my_strerror(errno));
-		return (NULL);
-	}
-	memset(nd, 0, sizeof(*nd));
-	nd->s = -1;
-
-	/* XXX should be able to init static hostent struct some other way */
-	(void)gethostbyname("localhost.");
-
-	if ((_res.options & RES_INIT) == 0 && res_init() == -1) {
-		snprintf(errstr, NB_DNS_ERRSIZE, "res_init() failed");
-		free(nd);
-		return (NULL);
-	}
-	nd->s = socket(PF_INET, SOCK_DGRAM, 0);
-	if (nd->s < 0) {
-		snprintf(errstr, NB_DNS_ERRSIZE, "socket(): %s",
-		    my_strerror(errno));
-		free(nd);
-		return (NULL);
-	}
-
-	/* XXX should use resolver config */
-	nd->server = _res.nsaddr_list[0];
-
-	if (connect(nd->s, (struct sockaddr *)&nd->server,
-	    sizeof(struct sockaddr)) < 0) {
-		snprintf(errstr, NB_DNS_ERRSIZE, "connect(%s): %s",
-		    inet_ntoa(nd->server.sin_addr), my_strerror(errno));
-		close(nd->s);
-		free(nd);
-		return (NULL);
-	}
-
-	return (nd);
-}
-
-void
-nb_dns_finish(struct nb_dns_info *nd)
-{
-	register struct nb_dns_entry *ne, *ne2;
-
-	ne = nd->list;
-	while (ne != NULL) {
-		ne2 = ne;
-		ne = ne->next;
-		free(ne2);
-	}
-	close(nd->s);
-	free(nd);
-}
-
-int
-nb_dns_fd(struct nb_dns_info *nd)
-{
-
-	return (nd->s);
-}
-
-static int
-_nb_dns_cmpsockaddr(register struct sockaddr *sa1,
-    register struct sockaddr *sa2, register char *errstr)
-{
-	register struct sockaddr_in *sin1, *sin2;
-#ifdef AF_INET6
-	register struct sockaddr_in6 *sin6a, *sin6b;
-#endif
-	static const char serr[] = "answer from wrong nameserver (%d)";
-
-	if (sa1->sa_family != sa1->sa_family) {
-		snprintf(errstr, NB_DNS_ERRSIZE, serr, 1);
-		return (-1);
-	}
-	switch (sa1->sa_family) {
-
-	case AF_INET:
-		sin1 = (struct sockaddr_in *)sa1;
-		sin2 = (struct sockaddr_in *)sa2;
-		if (sin1->sin_port != sin2->sin_port) {
-			snprintf(errstr, NB_DNS_ERRSIZE, serr, 2);
-			return (-1);
-		}
-		if (sin1->sin_addr.s_addr != sin2->sin_addr.s_addr) {
-			snprintf(errstr, NB_DNS_ERRSIZE, serr, 3);
-			return (-1);
-		}
-		break;
-
-#ifdef AF_INET6
-	case AF_INET6:
-		sin6a = (struct sockaddr_in6 *)sa1;
-		sin6b = (struct sockaddr_in6 *)sa2;
-		if (sin6a->sin6_port != sin6b->sin6_port) {
-			snprintf(errstr, NB_DNS_ERRSIZE, serr, 2);
-			return (-1);
-		}
-		if (memcmp(&sin6a->sin6_addr, &sin6b->sin6_addr,
-		    sizeof(sin6a->sin6_addr)) != 0) {
-			snprintf(errstr, NB_DNS_ERRSIZE, serr, 3);
-			return (-1);
-		}
-		break;
-#endif
-
-	default:
-		snprintf(errstr, NB_DNS_ERRSIZE, serr, 4);
-		return (-1);
-	}
-	return (0);
-}
-
-static int
-_nb_dns_mkquery(register struct nb_dns_info *nd, register const char *name,
-    register int atype, register int qtype, register void * cookie,
-    register char *errstr)
-{
-	register struct nb_dns_entry *ne;
-	register HEADER *hp;
-	register int n;
-	u_long msg[MAXPACKET / sizeof(u_long)];
-
-	/* Allocate an entry */
-	ne = (struct nb_dns_entry *)malloc(sizeof(*ne));
-	if (ne == NULL) {
-		snprintf(errstr, NB_DNS_ERRSIZE, "malloc(): %s",
-		    my_strerror(errno));
-		return (-1);
-	}
-	memset(ne, 0, sizeof(*ne));
-	strncpy(ne->name, name, sizeof(ne->name));
-	ne->name[sizeof(ne->name) - 1] = '\0';
-	ne->qtype = qtype;
-	ne->atype = atype;
-	switch (atype) {
-
-	case AF_INET:
-		ne->asize = NS_INADDRSZ;
-		break;
-
-#ifdef AF_INET6
-	case AF_INET6:
-		ne->asize = NS_IN6ADDRSZ;
-		break;
-#endif
-
-	default:
-		snprintf(errstr, NB_DNS_ERRSIZE,
-		    "_nb_dns_mkquery: bad family %d", atype);
-		return (-1);
-	}
-
-	/* Build the request */
-	n = res_mkquery(
-	    ns_o_query,			/* op code (query) */
-	    name,			/* domain name */
-	    ns_c_in,			/* query class (internet) */
-	    qtype,			/* query type */
-	    NULL,			/* data */
-	    0,				/* length of data */
-	    NULL,			/* new rr */
-	    (u_char *)msg,		/* buffer */
-	    sizeof(msg));		/* size of buffer */
-	if (n < 0) {
-		snprintf(errstr, NB_DNS_ERRSIZE, "res_mkquery() failed");
-		free(ne);
-		return (-1);
-	}
-
-	hp = (HEADER *)msg;
-	ne->id = htons(hp->id);
-
-	if (send(nd->s, (char *)msg, n, 0) != n) {
-		snprintf(errstr, NB_DNS_ERRSIZE, "send(): %s",
-		    my_strerror(errno));
-		free(ne);
-		return (-1);
-	}
-
-	ne->next = nd->list;
-	ne->cookie = cookie;
-	nd->list = ne;
-
-	return(0);
-}
-
-int
-nb_dns_host_request(register struct nb_dns_info *nd, register const char *name,
-    register void *cookie, register char *errstr)
-{
-
-	return (nb_dns_host_request2(nd, name, AF_INET, cookie, errstr));
-}
-
-int
-nb_dns_host_request2(register struct nb_dns_info *nd, register const char *name,
-    register int af, register void *cookie, register char *errstr)
-{
-	register int qtype;
-
-	switch (af) {
-
-	case AF_INET:
-		qtype = T_A;
-		break;
-
-#ifdef AF_INET6
-	case AF_INET6:
-		qtype = T_AAAA;
-		break;
-#endif
-
-	default:
-		snprintf(errstr, NB_DNS_ERRSIZE,
-		    "nb_dns_host_request2(): uknown address family %d", af);
-		return (-1);
-	}
-	return (_nb_dns_mkquery(nd, name, af, qtype, cookie, errstr));
-}
-
-int
-nb_dns_addr_request(register struct nb_dns_info *nd, nb_uint32_t addr,
-    register void *cookie, register char *errstr)
-{
-
-	return (nb_dns_addr_request2(nd, (char *)&addr, AF_INET,
-	    cookie, errstr));
-}
-
-int
-nb_dns_addr_request2(register struct nb_dns_info *nd, char *addrp,
-    register int af, register void *cookie, register char *errstr)
-{
-#ifdef AF_INET6
-	register char *cp;
-	register int n, i;
-	register size_t size;
-#endif
-	register u_char *uaddr;
-	char name[NS_MAXDNAME + 1];
-
-	switch (af) {
-
-	case AF_INET:
-		uaddr = (u_char *)addrp;
-		snprintf(name, sizeof(name), "%u.%u.%u.%u.in-addr.arpa",
-		    (uaddr[3] & 0xff),
-		    (uaddr[2] & 0xff),
-		    (uaddr[1] & 0xff),
-		    (uaddr[0] & 0xff));
-		break;
-
-#ifdef AF_INET6
-	case AF_INET6:
-		uaddr = (u_char *)addrp;
-		cp = name;
-		size = sizeof(name);
-		for (n = NS_IN6ADDRSZ - 1; n >= 0; --n) {
-			snprintf(cp, size, "%x.%x.",
-			    (uaddr[n] & 0xf),
-			    (uaddr[n] >> 4) & 0xf);
-			i = strlen(cp);
-			size -= i;
-			cp += i;
-		}
-		snprintf(cp, size, "ip6.int");
-		break;
-#endif
-
-	default:
-		snprintf(errstr, NB_DNS_ERRSIZE,
-		    "nb_dns_addr_request2(): uknown address family %d", af);
-		return (-1);
-	}
-
-	return (_nb_dns_mkquery(nd, name, af, T_PTR, cookie, errstr));
-}
-
-int
-nb_dns_abort_request(struct nb_dns_info *nd, void *cookie)
-{
-	register struct nb_dns_entry *ne, *lastne;
-
-	/* Try to find this request on the outstanding request list */
-	lastne = NULL;
-	for (ne = nd->list; ne != NULL; ne = ne->next) {
-		if (ne->cookie == cookie)
-			break;
-		lastne = ne;
-	}
-
-	/* Not a currently pending request */
-	if (ne == NULL)
-		return (-1);
-
-	/* Unlink this entry */
-	if (lastne == NULL)
-		nd->list = ne->next;
-	else
-		lastne->next = ne->next;
-	ne->next = NULL;
-
-	return (0);
-}
-
-/* Returns 1 with an answer, 0 when reply was old, -1 on fatal errors */
-int
-nb_dns_activity(struct nb_dns_info *nd, struct nb_dns_result *nr, char *errstr)
-{
-	register int msglen, qtype, atype, n, i;
-	register struct nb_dns_entry *ne, *lastne;
-	socklen_t fromlen;
-	struct sockaddr from;
-	u_long msg[MAXPACKET / sizeof(u_long)];
-	register char *bp, *ep;
-	register char **ap, **hap;
-	register u_int16_t id;
-	register const u_char *rdata;
-	register struct hostent *he;
-	register size_t rdlen;
-	ns_msg handle;
-	ns_rr rr;
-
-	/* This comes from the second half of do_query() */
-	fromlen = sizeof(from);
-	msglen = recvfrom(nd->s, (char *)msg, sizeof(msg), 0, &from, &fromlen);
-	if (msglen <= 0) {
-		snprintf(errstr, NB_DNS_ERRSIZE, "recvfrom(): %s",
-		    my_strerror(errno));
-		return (-1);
-	}
-	if (msglen < HFIXEDSZ) {
-		snprintf(errstr, NB_DNS_ERRSIZE, "recvfrom(): undersized: %d",
-		    msglen);
-		return (-1);
-	}
-	if (ns_initparse((u_char *)msg, msglen, &handle) < 0) {
-		snprintf(errstr, NB_DNS_ERRSIZE, "ns_initparse(): %s",
-		    my_strerror(errno));
-		nr->host_errno = NO_RECOVERY;
-		return (-1);
-	}
-
-	/* RES_INSECURE1 style check */
-	if (_nb_dns_cmpsockaddr((struct sockaddr *)&nd->server, &from,
-	    errstr) < 0) {
-		nr->host_errno = NO_RECOVERY;
-		return (-1);
-	}
-
-	/* Search for this request */
-	lastne = NULL;
-	id = ns_msg_id(handle);
-	for (ne = nd->list; ne != NULL; ne = ne->next) {
-		if (ne->id == id)
-			break;
-		lastne = ne;
-	}
-
-	/* Not an answer to a question we care about anymore */
-	if (ne == NULL)
-		return (0);
-
-	/* Unlink this entry */
-	if (lastne == NULL)
-		nd->list = ne->next;
-	else
-		lastne->next = ne->next;
-	ne->next = NULL;
-
-	/* RES_INSECURE2 style check */
-	/* XXX not implemented */
-
-	/* Initialize result struct */
-	memset(nr, 0, sizeof(*nr));
-	nr->cookie = ne->cookie;
-	qtype = ne->qtype;
-
-	/* Deal with various errors */
-	switch (ns_msg_getflag(handle, ns_f_rcode)) {
-
-	case ns_r_nxdomain:
-		nr->host_errno = HOST_NOT_FOUND;
-		free(ne);
-		return (1);
-
-	case ns_r_servfail:
-		nr->host_errno = TRY_AGAIN;
-		free(ne);
-		return (1);
-
-	case ns_r_noerror:
-		break;
-
-	case ns_r_formerr:
-	case ns_r_notimpl:
-	case ns_r_refused:
-	default:
-		nr->host_errno = NO_RECOVERY;
-		free(ne);
-		return (1);
-	}
-
-	/* Loop through records in packet */
-	memset(&rr, 0, sizeof(rr));
-	memset(&nd->dns_hostent, 0, sizeof(nd->dns_hostent));
-	he = &nd->dns_hostent.hostent;
-	/* XXX no support for aliases */
-	he->h_aliases = nd->dns_hostent.host_aliases;
-	he->h_addr_list = nd->dns_hostent.h_addr_ptrs;
-	he->h_addrtype = ne->atype;
-	he->h_length = ne->asize;
-	free(ne);
-
-	bp = nd->dns_hostent.hostbuf;
-	ep = bp + sizeof(nd->dns_hostent.hostbuf);
-	hap = he->h_addr_list;
-	ap = he->h_aliases;
-
-	for (i = 0; i < ns_msg_count(handle, ns_s_an); i++) {
-		/* Parse next record */
-		if (ns_parserr(&handle, ns_s_an, i, &rr) < 0) {
-			if (errno != ENODEV) {
-				nr->host_errno = NO_RECOVERY;
-				return (1);
-			}
-			/* All done */
-			break;
-		}
-
-		/* Ignore records that don't answer our query (e.g. CNAMEs) */
-		atype = ns_rr_type(rr);
-		if (atype != qtype)
-			continue;
-
-		rdata = ns_rr_rdata(rr);
-		rdlen = ns_rr_rdlen(rr);
-		switch (atype) {
-
-		case T_A:
-		case T_AAAA:
-			if (rdlen != (unsigned int) he->h_length) {
-				snprintf(errstr, NB_DNS_ERRSIZE,
-				    "nb_dns_activity(): bad rdlen %d",
-				    (int) rdlen);
-				nr->host_errno = NO_RECOVERY;
-				return (-1);
-			}
-
-			if (bp + rdlen >= ep) {
-				snprintf(errstr, NB_DNS_ERRSIZE,
-				    "nb_dns_activity(): overflow 1");
-				nr->host_errno = NO_RECOVERY;
-				return (-1);
-			}
-			if (nd->dns_hostent.numaddrs + 1 >= MAXADDRS) {
-				snprintf(errstr, NB_DNS_ERRSIZE,
-				    "nb_dns_activity(): overflow 2");
-				nr->host_errno = NO_RECOVERY;
-				return (-1);
-			}
-			memcpy(bp, rdata, rdlen);
-			*hap++ = bp;
-			bp += rdlen;
-			++nd->dns_hostent.numaddrs;
-
-			/* Keep looking for more A records */
-			break;
-
-		case T_PTR:
-			n = dn_expand((const u_char *)msg,
-			    (const u_char *)msg + msglen, rdata, bp, ep - bp);
-			if (n < 0) {
-				/* XXX return -1 here ??? */
-				nr->host_errno = NO_RECOVERY;
-				return (1);
-			}
-			he->h_name = bp;
-			/* XXX check for overflow */
-			bp += n;		/* returned len includes EOS */
-
-			/* "Find first satisfactory answer" */
-			nr->hostent = he;
-			return (1);
-		}
-	}
-
-	nr->hostent = he;
-	return (1);
-}
diff --git a/aux/hf/nb_dns.h b/aux/hf/nb_dns.h
deleted file mode 100755
index 8a5a140c07..0000000000
--- a/aux/hf/nb_dns.h
+++ /dev/null
@@ -1,52 +0,0 @@
-/* @(#) $Id: nb_dns.h 909 2004-12-09 04:27:10Z jason $ (LBL)
- *
- * Copyright (c) 2000, 2002
- *	The Regents of the University of California.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that: (1) source code distributions
- * retain the above copyright notice and this paragraph in its entirety, (2)
- * distributions including binary code include the above copyright notice and
- * this paragraph in its entirety in the documentation or other materials
- * provided with the distribution, and (3) all advertising materials mentioning
- * features or use of this software display the following acknowledgement:
- * ``This product includes software developed by the University of California,
- * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
- * the University nor the names of its contributors may be used to endorse
- * or promote products derived from this software without specific prior
- * written permission.
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
- * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
- */
-
-/* Private data */
-struct nb_dns_info;
-
-/* Public data */
-struct nb_dns_result {
-	void *cookie;
-	int host_errno;
-	struct hostent *hostent;
-};
-
-typedef unsigned int nb_uint32_t;
-
-/* Public routines */
-struct nb_dns_info *nb_dns_init(char *);
-void nb_dns_finish(struct nb_dns_info *);
-
-int nb_dns_fd(struct nb_dns_info *);
-
-int nb_dns_host_request(struct nb_dns_info *, const char *, void *, char *);
-int nb_dns_host_request2(struct nb_dns_info *, const char *, int,
-    void *, char *);
-
-int nb_dns_addr_request(struct nb_dns_info *, nb_uint32_t, void *, char *);
-int nb_dns_addr_request2(struct nb_dns_info *, char *, int, void *, char *);
-
-int nb_dns_abort_request(struct nb_dns_info *, void *);
-
-int nb_dns_activity(struct nb_dns_info *, struct nb_dns_result *, char *);
-
-#define NB_DNS_ERRSIZE 256
diff --git a/aux/hf/nf.l b/aux/hf/nf.l
deleted file mode 100755
index 485c6160d2..0000000000
--- a/aux/hf/nf.l
+++ /dev/null
@@ -1,312 +0,0 @@
-N              [0-9]
-O              ({N}{1,3})
-
-    #include <sys/types.h>
-    #include <sys/socket.h>
-
-    #include <netinet/in.h>
-
-    #include <arpa/inet.h>
-    #include <arpa/nameser.h>
-
-    #include <ctype.h>
-    #ifdef HAVE_MEMORY_H
-    #include <memory.h>
-    #endif
-    #include <netdb.h>
-    #include <resolv.h>
-    #include <stdio.h>
-    #include <string.h>
-    #include <unistd.h>
-
-    #include "gnuc.h"
-    #ifdef HAVE_OS_PROTO_H
-    #include "os-proto.h"
-    #endif
-
-    #undef yywrap
-    #ifdef FLEX_SCANNER
-    #define YY_NO_UNPUT
-    #endif
-    int yywrap(void);
-    int yylex(void);
-    char *addr2host(char *);
-    void convert(char *);
-    int pad;
-
-%%
-
-{O}\.{O}\.{O}\.{O}	convert(yytext);
-{O}\.{O}\.{O}		if (pad) {
-				char buf[256];
-				strcpy(buf, yytext);
-				strcat(buf, ".0");
-				convert(buf);
-			} else {
-				ECHO;
-			}
-{O}\.{O}		if (pad) {
-				char buf[256];
-				strcpy(buf, yytext);
-				strcat(buf, ".0.0");
-				convert(buf);
-			} else {
-				ECHO;
-			}
-{O}			if (pad) {
-				char buf[256];
-				strcpy(buf, yytext);
-				strcat(buf, ".0.0.0");
-				convert(buf);
-			} else {
-				ECHO;
-			}
-
-{N}+			ECHO;
-[^0-9\n]+		ECHO;
-[^0-9\n]+\n		ECHO;
-
-%%
-
-/*
- * Copyright (c) 1990, 1991, 1996, 1999, 2000, 2004
- *	The Regents of the University of California.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that: (1) source code distributions
- * retain the above copyright notice and this paragraph in its entirety, (2)
- * distributions including binary code include the above copyright notice and
- * this paragraph in its entirety in the documentation or other materials
- * provided with the distribution, and (3) all advertising materials mentioning
- * features or use of this software display the following acknowledgement:
- * ``This product includes software developed by the University of California,
- * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
- * the University nor the names of its contributors may be used to endorse
- * or promote products derived from this software without specific prior
- * written permission.
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
- * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
- */
-
-#ifndef lint
-static const char copyright[] =
-    "@(#) Copyright (c) 1990, 1991, 1996, 1999, 2000, 2004\n\
-The Regents of the University of California.  All rights reserved.\n";
-static const char rcsid[] =
-    "@(#) $Id: nf.l 909 2004-12-09 04:27:10Z jason $ (LBL)";
-#endif
-
-#define HSIZE 2048		/* must be a power of two */
-
-struct htable {
-	u_int addr;
-	char *name;
-	struct htable *next;
-} htable[HSIZE];
-
-int lcase = 1;			/* force lowercase */
-int printboth = 0;
-#ifdef DEBUG
-int debug = 0;
-#endif
-
-int targc;
-char **targv;
-
-extern char *optarg;
-extern int optind, opterr;
-
-/* Forwards */
-int main(int, char **);
-#ifdef DEBUG
-void dump(void);
-#endif
-
-int
-main(argc, argv)
-	int argc;
-	char **argv;
-{
-	register char *cp;
-	register int op;
-	char *argv0;
-
-	if ((cp = strrchr(argv[0], '/')) != NULL)
-		argv0 = cp + 1;
-	else
-		argv0 = argv[0];
-
-	opterr = 0;
-	while ((op = getopt(argc, argv, "dibp")) != EOF)
-		switch (op) {
-
-#ifdef DEBUG
-		case 'd':
-			++debug;
-			break;
-#endif
-
-		case 'i':
-			lcase = 0;
-			break;
-
-		case 'p':
-			pad = 1;
-			break;
-
-		case 'b':
-			printboth = 1;
-			break;
-
-		default:
-			(void)fprintf(stderr, "usage: %s [-dibp] [file ...]\n",
-			    argv0);
-			exit(1);
-			/* NOTREACHED */
-		}
-
-	setnetent(1);
-
-	/* Let yywrap() figure out if there are any arguments to open */
-	targc = argc - optind;
-	targv = &argv[optind];
-	yyin = 0;
-	(void)yywrap();
-
-	/* Process file opened by yywrap() or stdin if no arguments */
-	if (yyin)
-		yylex();
-
-#ifdef DEBUG
-	if (debug) {
-		fflush(stdout);
-		dump();
-	}
-#endif
-	exit(0);
-}
-
-int
-yywrap()
-{
-	register char *file;
-	static int didany = 0;
-
-	/* Close file, if necessary */
-	if (yyin && yyin != stdin) {
-		(void)fclose(yyin);
-		yyin = 0;
-	}
-
-	/* Spin through arguments until we run out or successfully open one */
-	while (targc > 0) {
-		file = targv[0];
-		--targc;
-		++targv;
-		++didany;
-		if ((yyin = fopen(file, "r")) != NULL)
-			return(0);
-		else
-			perror(file);
-	}
-	if (!didany)
-		yyin = stdin;
-	return(1);
-}
-
-void
-convert(str)
-	char *str;
-{
-	fputs(addr2host(str), stdout);
-	if (printboth) {
-		putchar('(');
-		fputs(str, stdout);
-		putchar(')');
-	}
-}
-
-char *
-addr2host(str)
-	char *str;
-{
-	register u_long addr, net;
-	register char *cp, *host;
-	register struct netent *hp;
-	register struct htable *p, *p2;
-	struct in_addr ia;
-
-	addr = inet_addr(str);
-
-	/* First check if we already know about it */
-	for (p = &htable[addr & (HSIZE - 1)]; p; p = p->next)
-		if (p->addr == addr && p->name)
-			return(p->name);
-
-	/* Try to lookup this net */
-	ia.s_addr = addr;
-	net = inet_netof(ia);
-	if ((hp = getnetbyaddr(net, AF_INET)) != NULL)
-		host = hp->n_name;
-	else
-		host = inet_ntoa(ia);
-
-	if (lcase)
-		for (cp = host; *cp; ++cp)
-			if (isupper(*cp))
-				*cp = tolower(*cp);
-
-	/* Malloc space for new hostname */
-	cp = malloc((u_int) strlen(host) + 1);
-	if (cp == 0)
-		return(host);
-
-	/* Find slot in hash table */
-	p = &htable[addr & (HSIZE - 1)];
-	if (p->name) {
-		/* Handle the collision */
-		p2 = (struct htable *)malloc(sizeof(struct htable));
-		if (p2 == 0) {
-			/* Lose, lose */
-			free(cp);
-			return(host);
-		}
-		memset((char *)p2, 0, sizeof(struct htable));
-		p2->next = p->next;
-		p->next = p2;
-		p = p2;
-	}
-
-	/* Install new host */
-	p->addr = addr;
-	p->name = strcpy(cp, host);
-
-	/* Return answer */
-	return(p->name);
-}
-
-#ifdef DEBUG
-void
-dump()
-{
-	register int i, j, n, d;
-	register struct htable *p, *p2;
-
-	d = n = 0;
-	for (p = htable, i = 0; i < HSIZE; ++p, ++i)
-		if (p->name) {
-			++n;
-			j = 0;
-			for (p2 = p; p2; p2 = p2->next) {
-				(void)fprintf(stderr,
-				    "%4d:%d 0x%08x \"%s\"\n", i, j,
-				    p2->addr, p2->name ? p2->name : "<nil>");
-				++d;
-				++j;
-			}
-		}
-	d -= n;
-	(void)fprintf(stderr, "%d entries (%d dynamically linked)\n", n, d);
-}
-#endif
diff --git a/aux/hf/pf.l b/aux/hf/pf.l
deleted file mode 100755
index 734e43a7ec..0000000000
--- a/aux/hf/pf.l
+++ /dev/null
@@ -1,196 +0,0 @@
-N              [0-9]
-
-    #include <sys/types.h>
-
-    #include <netdb.h>
-    #include <string.h>
-    #include <unistd.h>
-
-    #include "gnuc.h"
-    #ifdef HAVE_OS_PROTO_H
-    #include "os-proto.h"
-    #endif
-
-    #undef yywrap
-    #ifdef FLEX_SCANNER
-    #define YY_NO_UNPUT
-    #endif
-    int yywrap(void);
-    int yylex(void);
-    void convert(char *);
-
-%%
-
-"["{N}+"]"		convert(yytext);
-[^0-9[\]\n]+\n?		ECHO;
-.|\n			ECHO;
-
-%%
-
-/*
- * Copyright (c) 1990, 1991, 1996, 1999, 2000, 2004
- *	The Regents of the University of California.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that: (1) source code distributions
- * retain the above copyright notice and this paragraph in its entirety, (2)
- * distributions including binary code include the above copyright notice and
- * this paragraph in its entirety in the documentation or other materials
- * provided with the distribution, and (3) all advertising materials mentioning
- * features or use of this software display the following acknowledgement:
- * ``This product includes software developed by the University of California,
- * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
- * the University nor the names of its contributors may be used to endorse
- * or promote products derived from this software without specific prior
- * written permission.
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
- * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
- */
-
-#ifndef lint
-static const char copyright[] =
-    "@(#) Copyright (c) 1990, 1991, 1996, 1999, 2000, 2004\n\
-The Regents of the University of California.  All rights reserved.\n";
-static const char rcsid[] =
-    "@(#) $Id: pf.l 909 2004-12-09 04:27:10Z jason $ (LBL)";
-#endif
-
-#ifdef DEBUG
-int debug = 0;
-#endif
-
-#define MAX_PORT_NUM 65535
-char *port_to_name[MAX_PORT_NUM+1];
-
-int targc;
-char **targv;
-
-extern char *optarg;
-extern int optind, opterr;
-
-/* Forwards */
-int main(int, char **);
-char *dup_string(char *);
-void portinit(void);
-
-int
-main(argc, argv)
-	int argc;
-	char **argv;
-{
-	register char *cp;
-	register int op;
-	char *argv0;
-
-	if ((cp = strrchr(argv[0], '/')) != NULL)
-		argv0 = cp + 1;
-	else
-		argv0 = argv[0];
-
-	opterr = 0;
-	while ((op = getopt(argc, argv, "d")) != EOF)
-		switch (op) {
-
-#ifdef DEBUG
-		case 'd':
-			++debug;
-			break;
-#endif
-
-		default:
-			(void)fprintf(stderr, "usage: %s [-d] [file ...]\n",
-			    argv0);
-			exit(1);
-			/* NOTREACHED */
-		}
-
-	/* Let yywrap() figure out if there are any arguments to open */
-	targc = argc - optind;
-	targv = &argv[optind];
-	yyin = 0;
-	(void)yywrap();
-
-	portinit();
-
-	/* Process file opened by yywrap() or stdin if no arguments */
-	if (yyin)
-		yylex();
-
-#ifdef DEBUG
-	if (debug) {
-		register int i;
-		for (i=0; i <= MAX_PORT_NUM; ++i)
-			if (port_to_name[i])
-				fprintf(stderr, "[%d]\t%s\n", i,
-				    port_to_name[i]);
-	}
-#endif	/* DEBUG */
-	exit(0);
-}
-
-int
-yywrap()
-{
-	register char *file;
-	static int didany = 0;
-
-	/* Close file, if necessary */
-	if (yyin && yyin != stdin) {
-		(void)fclose(yyin);
-		yyin = 0;
-	}
-
-	/* Spin through arguments until we run out or successfully open one */
-	while (targc > 0) {
-		file = targv[0];
-		--targc;
-		++targv;
-		++didany;
-		if ((yyin = fopen(file, "r")) != NULL)
-			return(0);
-		else
-			perror(file);
-	}
-	if (!didany)
-		yyin = stdin;
-	return(1);
-}
-
-char *
-dup_string(src)
-	char *src;
-{
-	char *dst;
-
-	dst = malloc(strlen(src)+1);
-	if (dst)
-		strcpy(dst, src);
-	return dst;
-}
-
-void
-convert(str)
-	char *str;
-{
-	register int port;
-
-	port = atoi(str+1);
-	if (port >= 0 && port <= MAX_PORT_NUM && port_to_name[port] != 0)
-		str = port_to_name[port];
-	fputs(str, stdout);
-}
-
-void
-portinit()
-{
-	struct servent *sp;
-
-	while ((sp = getservent()) != 0) {
-		if (port_to_name[sp->s_port] == 0 ||
-		    sp->s_proto[0] == 't')
-			port_to_name[sp->s_port] = dup_string(sp->s_name);
-	}
-	endservent();
-
-}
diff --git a/aux/hf/setsignal.c b/aux/hf/setsignal.c
deleted file mode 100755
index 9711ebef49..0000000000
--- a/aux/hf/setsignal.c
+++ /dev/null
@@ -1,82 +0,0 @@
-/*
- * Copyright (c) 1997
- *	The Regents of the University of California.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that: (1) source code distributions
- * retain the above copyright notice and this paragraph in its entirety, (2)
- * distributions including binary code include the above copyright notice and
- * this paragraph in its entirety in the documentation or other materials
- * provided with the distribution, and (3) all advertising materials mentioning
- * features or use of this software display the following acknowledgement:
- * ``This product includes software developed by the University of California,
- * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
- * the University nor the names of its contributors may be used to endorse
- * or promote products derived from this software without specific prior
- * written permission.
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
- * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
- */
-
-#ifndef lint
-static const char rcsid[] =
-    "@(#) $Header$ (LBL)";
-#endif
-
-#ifdef HAVE_CONFIG_H
-#include "config.h"
-#endif
-
-#include <sys/types.h>
-
-#ifdef HAVE_MEMORY_H
-#include <memory.h>
-#endif
-#include <signal.h>
-#ifdef HAVE_SIGACTION
-#include <string.h>
-#endif
-
-#include "gnuc.h"
-#ifdef HAVE_OS_PROTO_H
-#include "os-proto.h"
-#endif
-
-#include "setsignal.h"
-
-/*
- * An os independent signal() with BSD semantics, e.g. the signal
- * catcher is restored following service of the signal.
- *
- * When sigset() is available, signal() has SYSV semantics and sigset()
- * has BSD semantics and call interface. Unfortunately, Linux does not
- * have sigset() so we use the more complicated sigaction() interface
- * there.
- *
- * Did I mention that signals suck?
- */
-RETSIGTYPE
-(*setsignal (int sig, RETSIGTYPE (*func)(int)))(int)
-{
-#ifdef HAVE_SIGACTION
-	struct sigaction old, new;
-
-	memset(&new, 0, sizeof(new));
-	new.sa_handler = func;
-#ifdef SA_RESTART
-	new.sa_flags |= SA_RESTART;
-#endif
-	if (sigaction(sig, &new, &old) < 0)
-		return (SIG_ERR);
-	return (old.sa_handler);
-
-#else
-#ifdef HAVE_SIGSET
-	return (sigset(sig, func));
-#else
-	return (signal(sig, func));
-#endif
-#endif
-}
-
diff --git a/aux/hf/setsignal.h b/aux/hf/setsignal.h
deleted file mode 100755
index 6df239f2d3..0000000000
--- a/aux/hf/setsignal.h
+++ /dev/null
@@ -1,27 +0,0 @@
-/*
- * Copyright (c) 1997
- *	The Regents of the University of California.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that: (1) source code distributions
- * retain the above copyright notice and this paragraph in its entirety, (2)
- * distributions including binary code include the above copyright notice and
- * this paragraph in its entirety in the documentation or other materials
- * provided with the distribution, and (3) all advertising materials mentioning
- * features or use of this software display the following acknowledgement:
- * ``This product includes software developed by the University of California,
- * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
- * the University nor the names of its contributors may be used to endorse
- * or promote products derived from this software without specific prior
- * written permission.
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
- * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
- *
- * @(#) $Header$ (LBL)
- */
-#ifndef setsignal_h
-#define setsignal_h
-
-RETSIGTYPE (*setsignal(int, RETSIGTYPE (*)(int)))(int);
-#endif
diff --git a/aux/hf/strerror.c b/aux/hf/strerror.c
deleted file mode 100755
index d330a6523e..0000000000
--- a/aux/hf/strerror.c
+++ /dev/null
@@ -1,75 +0,0 @@
-/*
- * Copyright (c) 1988, 1993
- *	The Regents of the University of California.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char sccsid[] = "@(#)strerror.c	8.1 (Berkeley) 6/4/93";
-#endif /* LIBC_SCCS and not lint */
-
-#include <sys/types.h>
-
-#include <string.h>
-
-#include "gnuc.h"
-#ifdef HAVE_OS_PROTO_H
-#include "os-proto.h"
-#endif
-
-char *
-strerror(num)
-	int num;
-{
-	extern int sys_nerr;
-	extern char *sys_errlist[];
-#define	UPREFIX	"Unknown error: "
-	static char ebuf[40] = UPREFIX;		/* 64-bit number + slop */
-	register unsigned int errnum;
-	register char *p, *t;
-	char tmp[40];
-
-	errnum = num;				/* convert to unsigned */
-	if (errnum < sys_nerr)
-		return(sys_errlist[errnum]);
-
-	/* Do this by hand, so we don't include stdio(3). */
-	t = tmp;
-	do {
-		*t++ = "0123456789"[errnum % 10];
-	} while (errnum /= 10);
-	for (p = ebuf + sizeof(UPREFIX) - 1;;) {
-		*p++ = *--t;
-		if (t <= tmp)
-			break;
-	}
-	*p = '\0';
-	return(ebuf);
-}
diff --git a/aux/hf/version.c b/aux/hf/version.c
deleted file mode 100644
index 1b09c66cdd..0000000000
--- a/aux/hf/version.c
+++ /dev/null
@@ -1 +0,0 @@
-char version[] = "1.0a10";
diff --git a/aux/libpcap-0.7.2.tar.gz b/aux/libpcap-0.7.2.tar.gz
deleted file mode 100644
index 435880ccf7..0000000000
Binary files a/aux/libpcap-0.7.2.tar.gz and /dev/null differ
diff --git a/aux/libpcap-0.8.3.tar.gz b/aux/libpcap-0.8.3.tar.gz
deleted file mode 100644
index 54ef183f4b..0000000000
Binary files a/aux/libpcap-0.8.3.tar.gz and /dev/null differ
diff --git a/aux/libpcap-0.9.8.tar.gz b/aux/libpcap-0.9.8.tar.gz
deleted file mode 100644
index 14344a44dd..0000000000
Binary files a/aux/libpcap-0.9.8.tar.gz and /dev/null differ
diff --git a/aux/nftools/Makefile.am b/aux/nftools/Makefile.am
deleted file mode 100644
index 4b2ace77d7..0000000000
--- a/aux/nftools/Makefile.am
+++ /dev/null
@@ -1,5 +0,0 @@
-
-noinst_PROGRAMS = ftwire2bro nfcollector
-
-ftwire2bro_SOURCES = ftwire2bro.c nfcommon.h
-nfcollector_SOURCES = nfcollector.c nfcommon.h
diff --git a/aux/nftools/ftwire2bro.c b/aux/nftools/ftwire2bro.c
deleted file mode 100644
index c277e23096..0000000000
--- a/aux/nftools/ftwire2bro.c
+++ /dev/null
@@ -1,94 +0,0 @@
-/* $Id:$ */
-/* Written by Bernhard Ager (2007). */
-/* Works only with NFv5. */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-
-#include "nfcommon.h"
-
-void leave (int errlvl, const char *msg) {
-  fprintf (stderr, "%s", msg);
-  exit (errlvl);
-}
-
-void usage () {
-  puts ("Converts NetFlow v5 files in 'wire' format to bro format.\n"
-	"A flow-tools file can be converted to 'wire' format with\n"
-	"        flow-export -f 4\n"
-	"Note this is a hack: The network time is calculated from the\n"
-        "export time and an optional offset; the exporter is set statically.\n"
-	"Usage: ftwire2bro [-e <exporter_ip> [-t <offset>]\n"
-	"       <exporter_ip> defaults to 0.0.0.0, <offset> defaults to 0.0\n"
-	"       data is read from stdin and written to stdout");
-}
-
-size_t pdusize(NFv5Header hdr) {
-  return sizeof(hdr)+ntohs(hdr.count)*V5_RECORD_SIZE;
-}
-
-int main (int argc, char** argv) {
-  int opt;
-  struct in_addr exporter = {0};
-  double offset = 0.0;
-  FlowFileSrcPDUHeader ffphdr;
-  NFv5PDU v5pdu;
-  unsigned short count;
-
-  while ((opt = getopt (argc, argv, "e:t:h")) >= 0) {
-    switch (opt) {
-    case 'e':
-      if (! inet_aton (optarg, &exporter)) {
-	fprintf (stderr, "could not convert exporter_ip: '%s'\n", optarg);
-	exit (1);
-      }
-      break;
-    case 't':
-      offset = atof(optarg);
-      break;
-    case 'h':
-      usage();
-      exit (0);
-    default:
-/*       fprintf (stderr, "Unknown option: %c\n", optopt); */
-      exit(1);
-    }
-  }
-
-  while (1) {
-    if (fread (&(v5pdu.header), sizeof (NFv5Header), 1, stdin) == 0) {
-      if (feof(stdin))
-	break;
-      leave (1, "Could not read header\n");
-    }
-
-    count = ntohs (v5pdu.header.count);
-    if (ntohs(v5pdu.header.version) != 5)
-      leave (1, "Header indicates flow not in version 5 format\n");
-    if (count > V5_RECORD_MAXCOUNT) {
-      fprintf (stderr, "header indicates too many records: %d\n", 
-	       count);
-      exit (1);
-    }
-    
-    if (fread (v5pdu.records, sizeof(NFv5Record), count, stdin) < count)
-      leave (1, "Could not read enough records from stdin\n");
-
-    ffphdr.network_time = ntohl(v5pdu.header.unix_secs) + 
-                          ntohl(v5pdu.header.unix_nsecs)/1e9 + offset;
-    ffphdr.pdu_length = pdusize(v5pdu.header);
-    ffphdr.ipaddr = exporter.s_addr;
-
-    if (fwrite (&ffphdr, sizeof(ffphdr), 1, stdout) == 0)
-      leave (1, "Could not write ffpheader\n");
-    if (fwrite (&v5pdu, ffphdr.pdu_length, 1, stdout) == 0)
-      leave (1, "Could not write netflow PDU\n");
-  }
-
-  return 0;
-}
diff --git a/aux/nftools/nfcollector.c b/aux/nftools/nfcollector.c
deleted file mode 100644
index 0b80983f8c..0000000000
--- a/aux/nftools/nfcollector.c
+++ /dev/null
@@ -1,83 +0,0 @@
-/* $Id;$ */
-/* Written by Bernhard Ager (2007). */
-
-#include <unistd.h>
-#include <stdio.h>
-#include <string.h>
-#include <unistd.h>
-#include <sys/socket.h>
-#include <stdlib.h>
-#include <fcntl.h>
-#include <sys/time.h>
-#include <netinet/in.h>
-
-#include "nfcommon.h"
-
-void pleave (int errlvl, const char *msg) {
-  perror (msg);
-  exit (errlvl);
-}
-
-void usage () {
-  puts ("collects NetFlow data and writes it to a file (or stdout)\n"
-	"       such that Bro can read the NetFlow dump file.\n"
-	"  Usage: nfcollector [-p <port>] [-o <outputfile>]\n"
-	"       port defaults to 1234, outputfile defaults to stdout");
-}
-
-int main (int argc, char** argv) {
-  int opt;
-  int s = -1;
-  char *outfile = NULL;
-  int outfd = 1; // default to stdout
-  struct timeval tv;
-  struct sockaddr_in sa = { .sin_family = AF_INET, 
-			    .sin_port = htons(1234),
-			    .sin_addr = {0} };
-  struct sockaddr_in from;
-  socklen_t fromlen;
-  FlowFilePDU ffp;
-
-  while ((opt = getopt (argc, argv, "p:o:h")) >= 0) {
-    switch (opt) {
-    case 'o':
-      outfile = malloc (strlen(optarg) + 1);
-      strcpy (outfile, optarg);
-      break;
-    case 'p':
-      sa.sin_port = htons(atoi(optarg));
-      break;
-    case 'h':
-      usage();
-      exit (0);
-    default:
-      fprintf (stderr, "Unknown option: %c\n", optopt);
-    }
-  }
-
-  if ((s = socket (PF_INET, SOCK_DGRAM, 0)) < 0)
-    pleave(1, "opening socket");
-
-  if (bind (s, (struct sockaddr*) &sa, sizeof (sa)) < 0)
-    pleave (1, "bind");
-
-  if (outfile && (outfd = open (outfile, O_TRUNC|O_WRONLY|O_CREAT, 0666)) < 0)
-    pleave (1, "open");
-
-  while (1) {
-    fromlen = sizeof (from);
-    if ((ffp.header.pdu_length = recvfrom(s, ffp.data, MAX_PKT_SIZE, 0, (struct sockaddr*)&from, &fromlen)) < 0)
-      pleave (1, "recvfrom");
-    if (gettimeofday(&tv, NULL) == 0)
-      ffp.header.network_time = tv.tv_sec + tv.tv_usec / 1000000.;
-    else {
-      ffp.header.network_time = -1.;
-      perror ("gettimeofday");
-    }
-
-    ffp.header.ipaddr = from.sin_addr.s_addr;
-    write (outfd, &ffp, ffp.header.pdu_length + sizeof (FlowFileSrcPDUHeader));
-  }
-
-  return 0;
-}
diff --git a/aux/nftools/nfcommon.h b/aux/nftools/nfcommon.h
deleted file mode 100644
index fd91d1341c..0000000000
--- a/aux/nftools/nfcommon.h
+++ /dev/null
@@ -1,45 +0,0 @@
-/* $Id:$ */
-/* Written by Bernhard Ager (2007). */
-/* For now this only works with IPv4. */
-
-#include "../../config.h"
-
-/* Enough for NFv5 - how about the others? */
-#define MAX_PKT_SIZE 8192
-
-/* from FlowSrc.h */
-typedef struct {
-  double network_time;
-  int pdu_length;
-  u_int32_t ipaddr;
-} FlowFileSrcPDUHeader;
-
-typedef struct {
-  u_int16_t version;
-  u_int16_t count;
-  u_int32_t sysuptime;
-  u_int32_t unix_secs;
-  u_int32_t unix_nsecs;
-  u_int32_t flow_seq;
-  u_int8_t  eng_type;
-  u_int8_t  eng_id;
-  u_int16_t sample_int;
-} NFv5Header;
-
-#define V5_RECORD_SIZE 48
-#define V5_RECORD_MAXCOUNT 30
-
-typedef struct {
-  char data[V5_RECORD_SIZE];
-} NFv5Record;
-
-typedef struct {
-  NFv5Header header;
-  NFv5Record records[V5_RECORD_MAXCOUNT];
-} NFv5PDU;
-
-/* TODO: replace char data[] by NFv5PDU pdu*/
-typedef struct {
-  FlowFileSrcPDUHeader header;
-  char data [MAX_PKT_SIZE];
-} FlowFilePDU;
diff --git a/aux/rst/Makefile.am b/aux/rst/Makefile.am
deleted file mode 100644
index b56859335f..0000000000
--- a/aux/rst/Makefile.am
+++ /dev/null
@@ -1,4 +0,0 @@
-## Process this file with automake to produce Makefile.in
-
-noinst_PROGRAMS = rst
-rst_SOURCES = rst.c
diff --git a/aux/rst/rst.c b/aux/rst/rst.c
deleted file mode 100644
index 8dca07bb7f..0000000000
--- a/aux/rst/rst.c
+++ /dev/null
@@ -1,380 +0,0 @@
-/* $Id: rst.c 7073 2010-09-13 00:45:02Z vern $ */
-
-/* Derived from traceroute, which has the following copyright:
- *
- * Copyright (c) 1999, 2002
- *	The Regents of the University of California.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that: (1) source code distributions
- * retain the above copyright notice and this paragraph in its entirety, (2)
- * distributions including binary code include the above copyright notice and
- * this paragraph in its entirety in the documentation or other materials
- * provided with the distribution, and (3) all advertising materials mentioning
- * features or use of this software display the following acknowledgement:
- * ``This product includes software developed by the University of California,
- * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
- * the University nor the names of its contributors may be used to endorse
- * or promote products derived from this software without specific prior
- * written permission.
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
- * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
- */
-#ifndef lint
-static const char copyright[] =
-    "@(#) Copyright (c) 1999, 2002\nThe Regents of the University of California.  All rights reserved.\n";
-static const char rcsid[] =
-    "@(#) $Id: rst.c 7073 2010-09-13 00:45:02Z vern $ (LBL)";
-#endif
-
-/* need this due to linux's funny idea of a tcphdr */
-#if defined(__linux__)
-#define _BSD_SOURCE
-#endif
-
-#include <sys/types.h>
-#include <sys/socket.h>
-
-#include <netinet/in_systm.h>
-#include <netinet/in.h>
-#include <netinet/ip.h>
-#include <netinet/tcp.h>
-
-#include <arpa/inet.h>
-
-#include <errno.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-
-#include "../../config.h"
-
-/* Forwards */
-void gripe(const char *, const char *);
-void pgripe(const char *);
-u_short in_cksum(register u_short *, register int);
-int ones_complement_checksum(const void *, int, u_int32_t);
-int tcp_checksum(const struct ip *, const struct tcphdr *, int);
-void send_pkt(int, struct in_addr, int, u_int32_t, struct in_addr,
-    int, u_int32_t, int, int, int, int, const char *);
-void terminate(int, const char *, int, u_int32_t, const char *,
-    int, u_int32_t, int, int, int, int, const char *);
-void usage(void);
-int main(int, char **);
-
-const char *prog_name;
-
-void gripe(const char *fmt, const char *arg)
-{
-	fprintf(stderr, "%s: ", prog_name);
-	fprintf(stderr, fmt, arg);
-	fprintf(stderr, "\n");
-}
-
-void pgripe(const char *msg)
-{
-	fprintf(stderr, "%s: %s (%s)\n", prog_name, msg, strerror(errno));
-	exit(1);
-}
-
-/*
- * Checksum routine for Internet Protocol family headers (C Version)
- */
-u_short
-in_cksum(register u_short *addr, register int len)
-{
-	register int nleft = len;
-	register u_short *w = addr;
-	register u_short answer;
-	register int sum = 0;
-
-	/*
-	 *  Our algorithm is simple, using a 32 bit accumulator (sum),
-	 *  we add sequential 16 bit words to it, and at the end, fold
-	 *  back all the carry bits from the top 16 bits into the lower
-	 *  16 bits.
-	 */
-	while (nleft > 1)  {
-		sum += *w++;
-		nleft -= 2;
-	}
-
-	/* mop up an odd byte, if necessary */
-	if (nleft == 1)
-		sum += *(u_char *)w;
-
-	/*
-	 * add back carry outs from top 16 bits to low 16 bits
-	 */
-	sum = (sum >> 16) + (sum & 0xffff);	/* add hi 16 to low 16 */
-	sum += (sum >> 16);			/* add carry */
-	answer = ~sum;				/* truncate to 16 bits */
-	return (answer);
-}
-
-// - adapted from tcpdump
-// Returns the ones-complement checksum of a chunk of b short-aligned bytes.
-int ones_complement_checksum(const void *p, int b, u_int32_t sum)
-{
-	const u_short *sp = (u_short *) p;	// better be aligned!
-
-	b /= 2;	// convert to count of short's
-
-	/* No need for endian conversions. */
-	while ( --b >= 0 )
-		sum += *sp++;
-
-	while ( sum > 0xffff )
-		sum = (sum & 0xffff) + (sum >> 16);
-
-	return sum;
-}
-
-int tcp_checksum(const struct ip *ip, const struct tcphdr *tp, int len)
-{
-	int tcp_len = tp->th_off * 4 + len;
-	u_int32_t sum, addl_pseudo;
-
-	if ( len % 2 == 1 )
-		// Add in pad byte.
-		sum = htons(((const u_char*) tp)[tcp_len - 1] << 8);
-	else
-		sum = 0;
-
-	sum = ones_complement_checksum((void*) &ip->ip_src.s_addr, 4, sum);
-	sum = ones_complement_checksum((void*) &ip->ip_dst.s_addr, 4, sum);
-
-	addl_pseudo = (htons(IPPROTO_TCP) << 16) | htons((unsigned short) tcp_len);
-
-	sum = ones_complement_checksum((void*) &addl_pseudo, 4, sum);
-	sum = ones_complement_checksum((void*) tp, tcp_len, sum);
-
-	return sum;
-}
-
-void send_pkt(int s, struct in_addr from, int from_port, u_int32_t from_seq,
-		struct in_addr to, int to_port, u_int32_t to_seq,
-		int size, int redundancy, int delay, int flags,
-		const char *inject)
-{
-	int cc;
-	int pktlen = 40 + size;
-	const int max_injection_size = 4096;
-	char *pkt = malloc(pktlen + max_injection_size + 1024 /* slop */);
-	struct ip *ip = (struct ip *) pkt;
-	struct tcphdr *tcp = (struct tcphdr *) &pkt[20];
-
-	if ( ! pkt )
-		pgripe("couldn't malloc memory");
-
-	if ( inject && *inject ) {
-		size = strlen(inject);
-
-		if ( size > max_injection_size )
-			gripe("injection text too large%s", "");
-
-		pktlen = 40 + size;
-	}
-
-	memset(pkt, 0, pktlen);
-
-	ip->ip_v = IPVERSION;
-	ip->ip_len = pktlen;	/* on FreeBSD, don't use htons(); YMMV */
-	ip->ip_off = 0;
-	ip->ip_src = from;
-	ip->ip_dst = to;
-	ip->ip_hl = 5;
-	ip->ip_p = IPPROTO_TCP;
-	ip->ip_ttl = 255;
-	ip->ip_id = 0;
-
-	ip->ip_sum = in_cksum((u_short *) ip, sizeof(*ip));
-
-	if (ip->ip_sum == 0)
-		ip->ip_sum = 0xffff;
-
-	tcp->th_sport = htons(from_port);
-	tcp->th_dport = htons(to_port);
-	tcp->th_seq = htonl(from_seq);
-	tcp->th_ack = htonl(to_seq);
-	tcp->th_off = 5;
-	tcp->th_flags = flags;
-	tcp->th_win = 0;
-	tcp->th_urp = 0;
-	tcp->th_sum = 0;
-
-	if ( inject && *inject ) {
-		char *payload = &pkt[40];
-		strcpy(payload, inject);
-
-	} else if ( size > 0 )
-		{
-		const char *fill_string =
-			(inject && *inject) ? inject : "BRO-RST\n";
-		char *payload = &pkt[40];
-		int n = strlen(fill_string);
-		int i;
-		for ( i = size; i > n + 1; i -= n )
-			{
-			strcpy(payload, fill_string);
-			payload += n;
-			}
-
-		for ( ; i > 0; --i )
-			*(payload++) = '\n';
-		}
-
-	tcp->th_sum = ~tcp_checksum(ip, tcp, size);
-
-	while ( redundancy-- > 0 )
-		{
-		cc = send(s, (char *) ip, pktlen, 0);
-		if (cc < 0 || cc != pktlen)
-			pgripe("problem in sendto()");
-		usleep(delay * 1000);
-		}
-
-	free(pkt);
-}
-
-void terminate(int s, const char *from_addr, int from_port, u_int32_t from_seq,
-		const char *to_addr, int to_port, u_int32_t to_seq,
-		int num, int redundancy, int stride, int delay,
-		const char *inject)
-{
-	struct sockaddr where_from, where_to;
-	struct sockaddr_in *from = (struct sockaddr_in *) &where_from;
-	struct sockaddr_in *to = (struct sockaddr_in *) &where_to;
-
-	memset(from, 0, sizeof(*from));
-	memset(to, 0, sizeof(*to));
-#ifdef SIN_LEN
-	from->sin_len = to->sin_len = sizeof(*to);
-#endif /* SIN_LEN */
-	from->sin_family = to->sin_family = AF_INET;
-
-	if ( inet_aton(from_addr, (struct in_addr *) &from->sin_addr) == 0 )
-		gripe("bad from address %s", from_addr);
-	if ( inet_aton(to_addr, (struct in_addr *) &to->sin_addr) == 0 )
-		gripe("bad to address %s", to_addr);
-
-	if ( connect(s, &where_to, sizeof(where_to)) < 0 )
-		pgripe("can't connect");
-
-	while ( num-- > 0 )
-		{
-		send_pkt(s, from->sin_addr, from_port, from_seq,
-			to->sin_addr, to_port, to_seq, 0, redundancy, delay,
-			(*inject ? 0 : TH_RST) | TH_ACK, inject);
-
-		if ( num > 0 && stride > 1 )
-			send_pkt(s, from->sin_addr, from_port, from_seq,
-				to->sin_addr, to_port, to_seq, stride,
-				redundancy, delay, TH_ACK, inject);
-
-		from_seq += stride;
-		}
-}
-
-void usage()
-{
-	fprintf(stderr, "%s [-R] [-I text-to-inject] [-d delay-msec] [-n num] [-r redundancy] [-s stride] from_addr from_port from_seq to_addr to_port to_seq\n", prog_name);
-	exit(0);
-}
-
-int main(int argc, char **argv)
-{
-	extern char* optarg;
-	extern int optind, opterr;
-	const char *from_addr, *to_addr;
-	char inject[8192];
-	int from_port, to_port;
-	u_int32_t from_seq, to_seq;
-	int delay = 0.0;
-	int redundancy = 1;
-	int num = 1;
-	int stride = 1;
-	int reverse = 0;
-	int s;
-	int on = 1;
-	int op;
-
-	prog_name = argv[0];
-
-	opterr = 0;
-
-	inject[0] = 0;
-
-	while ( (op = getopt(argc, argv, "RI:d:n:r:s:")) != EOF )
-		switch ( op ) {
-		case 'R':
-			reverse = 1;
-			break;
-
-		case 'I':
-			{
-			char *ap = optarg;
-			char *ip;
-			for ( ip = inject; *ap; ++ip, ++ap ) {
-				if ( ap[0] == '\\' && ap[1] == 'n' )
-					*ip = '\n', ++ap;
-				else
-					*ip = *ap;
-			}
-			}
-			break;
-
-		case 'd':
-			delay = atoi(optarg);
-			break;
-
-		case 'n':
-			num = atoi(optarg);
-			break;
-
-		case 'r':
-			redundancy = atoi(optarg);
-			break;
-
-		case 's':
-			stride = atoi(optarg);
-			break;
-
-		default:
-			usage();
-			break;
-		}
-
-	if ( argc - optind != 6 )
-		usage();
-
-	s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
-	if ( s < 0 )
-		pgripe("couldn't create raw socket");
-
-	setuid(getuid());
-
-	if (setsockopt(s, 0, IP_HDRINCL, (char *) &on, sizeof(on)) < 0)
-		pgripe("can't turn on IP_HDRINCL");
-
-	from_addr = argv[optind++];
-	from_port = atoi(argv[optind++]);
-	from_seq = strtoul(argv[optind++], 0, 10);
-
-	to_addr = argv[optind++];
-	to_port = atoi(argv[optind++]);
-	to_seq = strtoul(argv[optind++], 0, 10);
-
-	if ( reverse )
-		terminate(s, to_addr, to_port, to_seq,
-			from_addr, from_port, from_seq,
-			num, redundancy, stride, delay, inject);
-	else
-		terminate(s, from_addr, from_port, from_seq,
-			to_addr, to_port, to_seq,
-			num, redundancy, stride, delay, inject);
-
-	return 0;
-}
diff --git a/aux/scripts/Makefile.am b/aux/scripts/Makefile.am
deleted file mode 100644
index c0a7ebb1b1..0000000000
--- a/aux/scripts/Makefile.am
+++ /dev/null
@@ -1,3 +0,0 @@
-## Process this file with automake to produce Makefile.in
-
-EXTRA_DIST = hot-report mon-report ip-grep ca-create ca-issue bro-logchk.pl host-to-addrs mvlog host-grep lock_file
diff --git a/aux/scripts/bro-logchk.pl b/aux/scripts/bro-logchk.pl
deleted file mode 100755
index f711feab29..0000000000
--- a/aux/scripts/bro-logchk.pl
+++ /dev/null
@@ -1,197 +0,0 @@
-#!/usr/bin/perl
-
-# Written by:
-#     James J. Barlow <jbarlow@ncsa.uiuc.edu>
-#     June 2002
-#
-# Orders and scans through bro http and ftp logs.
-
-use Getopt::Std;
-use Socket;
-
-# Get the options on the command line
-getopts('DFHdshra:f:x:');
-
-# Check for invalid options or help option
-if ($opt_h || ($opt_a && $opt_x) || (($opt_s || $opt_d) && !$opt_a) ||
-   ($opt_F && $opt_H) || !($opt_F || $opt_H)) {
-    &Usage;
-}
-
-# Read file
-if ($opt_f) {
-    open(INFILE, "$opt_f") || die "Can't open $opt_f: $!\n";
-} else {
-    &Usage;
-}
-
-$max = 0;
-
-while (<INFILE>) {
-
-    # is it the start of a connection
-    if (check_start_conn()) {
-
-        # Set to resolve IP address if $opt_r.
-        $resolve = 1;
-
-        # Do we want a specific IP address
-        if ($opt_a) {
-            if ((($source EQ $opt_a) && !$opt_d) || (($dest EQ $opt_a) && !$opt_s)) {
-                # Yes, push connection number on list
-                push @ipconlist, $conn;
-            } else {
-                $resolve = 0; # don't try to resolve IP address
-            }
-        }
-
-        # Do we want to exclude an IP address
-        if ($opt_x) {
-            # Check if ipaddr is not excluded address
-            if (($source NE $opt_x) && ($dest NE $opt_x)) {
-                # if not push connection number on list
-                push @ipconlist, $conn;
-            } else {
-                $resolve = 0; # don't try to resolve IP address
-            }
-        }
-
-        # set max connection number
-        $max = $conn if ($max < $conn);
-
-        # Do we want to try and resolve IP addresses
-        if ($opt_r && $resolve) {
-            # get source and dest hostnames from IP addresses
-            $sname = gethostbyaddr(inet_aton($source), AF_INET);
-            # set source name to IP address if not resolvable
-            if (!$sname) {
-                $sname = $source;
-            }
-            $dname = gethostbyaddr(inet_aton($dest), AF_INET);
-            # set destination name to IP address if not resolvable
-            if (!$dname) {
-                $dname = $dest;
-            }
-        } else {
-            $sname = $source;
-            $dname = $dest;
-        }
-
-        # Get timestamp
-        $time = localtime($secs);
-
-        # push connection 
-        push @{$connlist[$conn]}, "$time - $conn  ${sname}${source_port} > $dname";
-        print "$time - $conn  ${sname}${source_port} > $dname\n" if $opt_D;
-        next;
-    }
-
-    # is it a request
-    if (check_request()) {
-
-        # set max connection number
-        $max = $conn if ($max < $conn);
-
-        push @{$connlist[$conn]}, "${time}${conn}  $request";
-        print "${time}${conn}  $request\n" if $opt_D;
-        next;
-    }
-
-    print "Unrecognized line: $_";
-}
-
-for ($i=1;$i<=$max;$i++) {
-    # skip connections not on list if we want specific addrs
-    # or are excluding addresses
-    if ($opt_a || $opt_x) {
-        next if !(grep /^$i$/, @ipconlist);
-    }
-    # print connections
-    foreach $entry (@{$connlist[$i]}) {
-        print "$entry\n";
-    }
-}
-
-close(INFILE);
-
-
-sub check_start_conn {
-
-    $valid_conn = 0;
-
-    # http connection?
-    if ($opt_H) {
-        if ((m/^(\d+)\s+%(\d+)\s+start\s+(\S+)\s+>\s+(\S+)/) ||
-            (m/^(\d+)\.\d+\s+%(\d+)\s+start\s+(\S+)\s+>\s+(\S+)/)) {
-            $secs = $1;
-            $conn = $2;
-            $source = $3;
-            $dest = $4;
-            chomp($dest);
-            $source_port = "";
-            $valid_conn = 1;
-        }
-    # ftp connection?
-    } elsif ($opt_F) {
-        if ((m/^(\d+)\s+#(\d+)\s+(\S+)\/(\d+)\s+>\s+(\S+)\/ftp start/) ||
-            (m/^(\d+)\.\d+\s+#(\d+)\s+(\S+)\/(\d+)\s+>\s+(\S+)\/ftp start/)) {
-            $secs = $1;
-            $conn = $2;
-            $source = $3;
-            $source_port = "/$4";
-            $dest = $5;
-            $valid_conn = 1;
-        }
-    }
-
-    return $valid_conn;
-}
-
-sub check_request {
-
-    $valid_request = 0;
-
-    if ($opt_H) {
-        if (m/^%(\d+)\s+\S+\s+(.*)/) {
-            $conn = $1;
-            $request = "GET $2";
-            chomp($request);
-            $time = "";
-            $valid_conn = 1;
-        }
-    } elsif ($opt_F) {
-        if (m/^(\d+)\.\d+ #(\d+) (.*)/) {
-            $time = localtime($1)." - ";
-            $conn = $2;
-            $request = $3;
-            chomp($request);
-            $valid_conn = 1;
-        }
-    }
-
-    return $valid_conn;
-}
-
-
-#
-# Usage
-#
-# Prints out usage for script.
-             
-sub Usage {
-    print "Usage:\n";
-    print "   bro-logchk.pl -[hrDFHds] -f filename -a ipaddr -x ipaddr\n";
-    print "       -h          print this usage information\n";
-    print "       -F          using ftp log\n";
-    print "       -H          using http log\n";
-    print "       -r          try to resolve IP addresses to hostnames\n";
-    print "       -f file     log file to parse\n";
-    print "       -a ipaddr   only output connections from this address\n";
-    print "       -s          only want matching source address (used with -a option)\n";
-    print "       -d          only want matching destination address (used with -a option)\n";
-    print "       -D          debug option\n";
-    print "       -x ipaddr   exclude connections from this address\n";
-    print "\n";
-    exit;
-}
-
diff --git a/aux/scripts/ca-create b/aux/scripts/ca-create
deleted file mode 100755
index f9cb5e13e8..0000000000
--- a/aux/scripts/ca-create
+++ /dev/null
@@ -1,148 +0,0 @@
-#! /bin/sh
-
-######################################################################
-# prompt for input for a variable
-# $1 name of var
-# $2 defualt value
-# $3 prompt string (if empty get from config file )
-bro_config_input()
-{
-    if [ -z $1 ] ; then
-        name=""
-    else
-        name=$1
-    fi
-    
-    if [ -z $2 ] ; then
-        default=""
-    else
-        default=$2
-    fi
-
-    if [ -z "$3" ] ; then 
-        prompt=""
-    else
-        prompt=$3
-    fi
-
-    #empty it out
-    RESP=
-    desc=$prompt
-    
-    while [ -z "$RESP" ]; do
-        echo -n "$desc [$default]: " >&0
-        read RESP
-
-        case "$RESP" in 
-            [Yy]|[Yy][Ee][Ss]) ret="YES"; RESP="YES";;
-            [Nn]|[Nn][Oo] ) ret="NO"; RESP="NO" ;;
-            "") ret=$default ; RESP="$default" ;;
-            *) ret=$RESP;;
-        esac
-    done
-
-    # set back the value
-    eval $1=\$ret
-    eval $name=\$ret
-    return 1
-}
-
-
-echo "Creating SSL certificate authority"
-echo "----------------------------------"
-echo
-
-dir=$HOME
-
-if [ "x$BRO_CA_DIR" != "x" ]; then
-    dir=$BRO_CA_DIR
-fi
-
-bro_config_input "dir" $dir "Directory for CA setup"
-
-mkdir -p $dir
-if [ $? -ne 0 ]; then
-	echo "Couldn't create directory $dir."
-	exit 1
-fi
-
-mkdir -p $dir/certs $dir/private
-chmod g-rwx,o-rwx $dir/private
-echo '01' > $dir/serial
-touch $dir/issued.txt
-
-echo "- Directory structure created in directory $dir"
-
-cat - > $dir/openssl.cfg << _EOF
-# OpenSSL config file for Root CA
-#
-
-# Global variable so it can be used everywhere:
-dir                = $dir
-
-[ ca ]
-default_ca = bro_ca
-
-[ bro_ca ]
-certificate        = \$dir/ca_cert.pem
-database           = \$dir/issued.txt
-new_certs_dir      = \$dir/certs
-private_key        = \$dir/private/ca_key.pem
-serial             = \$dir/serial
-
-# Number of days before CRLs are published
-default_crl_days   = 7
-
-# Number of days a certificate will be valud
-default_days       = 365
-
-# Digest used to sign issued certificates
-default_md         = sha1
-
-# Policy for distinguished name in certificate requests
-policy             = bro_policy
-x509_extensions    = cert_exts
-
-
-[ bro_policy ]
-commonName         = supplied
-emailAddress       = optional
-
-[ cert_exts ]
-# Certificates we hand out must not be used as CA certificates
-basicConstraints     = CA:false
-
-[ req ]
-default_bits       = 2048 # Private key length
-
-default_keyfile    = \$dir/private/ca_key.pem
-default_md         = sha1
-
-# Don't ask for distinguished name, use what's given below:
-prompt             = no
-distinguished_name = root_ca_dist_name
-
-x509_extensions    = root_ca_exts
-
-[ root_ca_dist_name ]
-commonName         = Bro Root Certification Authority
-
-[ root_ca_exts ]
-basicConstraints   = CA:true
-
-_EOF
-
-echo "- OpenSSL config file created at $dir/openssl.cfg"
-echo
-echo "I will now generate the CA's certificate. You will be asked to"
-echo "enter the password for the CA's private key."
-echo
-openssl req -config $dir/openssl.cfg -x509 -new -out $dir/ca_cert.pem -outform PEM
-
-if [ $? -ne 0 ]; then
-	echo "Couldn't create root certificate."
-	exit 1
-fi
-
-echo "- Root certificate created successfully"
-echo "- Done."
diff --git a/aux/scripts/ca-issue b/aux/scripts/ca-issue
deleted file mode 100755
index 6bac0bd1eb..0000000000
--- a/aux/scripts/ca-issue
+++ /dev/null
@@ -1,112 +0,0 @@
-#! /bin/sh
-
-######################################################################
-# prompt for input for a variable
-# $1 name of var
-# $2 defualt value
-# $3 prompt string (if empty get from config file )
-bro_config_input()
-{
-    if [ -z $1 ] ; then
-        name=""
-    else
-        name=$1
-    fi
-    
-    if [ -z $2 ] ; then
-        default=""
-    else
-        default=$2
-    fi
-
-    if [ -z "$3" ] ; then 
-        prompt=""
-    else
-        prompt=$3
-    fi
-
-    #empty it out
-    RESP=
-    desc=$prompt
-    
-    while [ -z "$RESP" ]; do
-        echo -n "$desc [$default]: " >&0
-        read RESP
-
-        case "$RESP" in 
-            [Yy]|[Yy][Ee][Ss]) ret="YES"; RESP="YES";;
-            [Nn]|[Nn][Oo] ) ret="NO"; RESP="NO" ;;
-            "") ret=$default ; RESP="$default" ;;
-            *) ret=$RESP;;
-        esac
-    done
-
-    # set back the value
-    eval $1=\$ret
-    eval $name=\$ret
-    return 1
-}
-
-
-echo "Issuing SSL certificate"
-echo "-----------------------"
-echo
-
-dir=$HOME
-
-if [ "x$BRO_CA_DIR" != "x" ]; then
-    dir=$BRO_CA_DIR
-fi
-
-bro_config_input "dir" $dir "CA installation directory"
-
-
-if [ ! -r $dir/openssl.cfg ]; then
-    echo "Could not find config file for root CA in $BRO_CA_DIR/openssl.cfg"
-    exit 1
-fi
-
-prefix=bro
-bro_config_input "prefix" $prefix "Prefix for the generated certificate request and private key"
-
-if [ "x$OPENSSL_CONF" = "x$BRO_CA_DIR/openssl.cfg" ]; then
-    OPENSSL_CONF=
-    echo "*Not* using $BRO_CA_DIR/openssl.cfg as configuration file"
-fi
-
-echo
-echo "I will now generate a certificate request. You will be asked"
-echo "for a passphrase with which the private key will be encrypted."
-echo "You will also be asked for a challenge phrase stored in the"
-echo "certificate request, which is ignored by OpenSSL."
-echo
-openssl req -newkey rsa:1024 -days 730 -nodes -keyout ${prefix}_key.pem -keyform PEM -out ${prefix}_req.pem
-
-if [ $? -ne 0 ]; then
-	echo "Couldn't create certificate request."
-	exit 1
-fi
-
-echo "- Certificate request created in ${prefix}_req.pem, with private key in ${prefix}_key.pem"
-echo
-echo "Issuing certificate using ${prefix}_req.pem"
-openssl ca -config $BRO_CA_DIR/openssl.cfg -days 730 -in ${prefix}_req.pem -notext -out ${prefix}_cert.pem
-
-if [ $? -ne 0 ]; then
-	echo "Couldn't create certificate. Make sure the parameters"
-	echo "of the certificate request are unique."
-	exit 1
-fi
-
-echo
-echo "- Certificate created in ${prefix}_cert.pem"
-
-cat ${prefix}_key.pem ${prefix}_cert.pem > ${prefix}.pem
-rm ${prefix}_key.pem ${prefix}_cert.pem ${prefix}_req.pem
-echo "- Created host certificate and key configuration in $prefix.pem"
-echo
-echo "Now configure your Bro agent to use"
-echo " * CA certificate $dir/ca_cert.pem"
-echo " * Host certificate $prefix.pem"
-echo
-echo "- Done."
diff --git a/aux/scripts/host-grep b/aux/scripts/host-grep
deleted file mode 100755
index 1aa62ad279..0000000000
--- a/aux/scripts/host-grep
+++ /dev/null
@@ -1,29 +0,0 @@
-#! /bin/csh -f
-#
-# Greps a Bro connection summary file on stdin for the given hosts.  Usage:
-#
-#	host-grep [-a] host ...
-#
-# If -a is specified then we only want lines with *all* of the listed hosts.
-
-if ( "$1" == "-a" ) then
-	shift
-	if ( "$2" != "" ) then
-		# More than one host, recurse.
-		set h1 = $1
-		shift
-		host-grep $h1 | host-grep -a $*
-		exit
-	else
-		# Just one host, fall through.
-	endif
-endif
-
-# Thank you csh, for your totally busted sense of command composition
-# and error propagation.
-set sheesh=`ip-grep $*`
-if ( $status != 0 ) then
-	exit 1
-endif
-
-grep -E " $sheesh "
diff --git a/aux/scripts/host-to-addrs b/aux/scripts/host-to-addrs
deleted file mode 100755
index ed0b615c01..0000000000
--- a/aux/scripts/host-to-addrs
+++ /dev/null
@@ -1,47 +0,0 @@
-#! /bin/sh -e
-#
-# Returns a list of IP addresses associated with hostname $1.
-
-sheesh=`dig +noauthor +noaddit $1 a |
-
-awk '
-BEGIN	{
-	name = "'$1'"
-
-	if ( name ~ /^[0-9][0-9]*\.[0-9][0-9]*/ )
-		# An address, not a name.
-		print name
-
-	name = name "."
-	}
-
-/^;; ANSWER/	{
-	getline
-
-	# First reduce CNAMEs.
-	while ( $4 == "CNAME" )
-		{
-		name = $5
-		getline
-		}
-
-	# Now pick off the addresses.
-	while ( $1 == name )
-		{
-		print $5
-		getline
-		}
-
-	++num_answers
-	}
-
-END	{
-	if ( num_answers == 0 )
-		{
-		print "no DNS answers to query for", name	>"/dev/stderr"
-		exit 1;
-		}
-	}
-'`
-
-echo "$sheesh" | sort -u
diff --git a/aux/scripts/hot-report b/aux/scripts/hot-report
deleted file mode 100755
index 2e8b5b7ab6..0000000000
--- a/aux/scripts/hot-report
+++ /dev/null
@@ -1,160 +0,0 @@
-#! /bin/sh
-#
-# Generate readable output from a Bro connection summary file.  If the
-# -n flag is given, then the input is not run through hf to convert addresses
-# to hostnames, otherwise it is.  If -x is given, then exact sizes and times
-# are reported, otherwise approximate.
-#
-# Requires the hf and cf utilities.  See doc/conn-logs for a summary of
-# the mnemonics used to indicate different connection states.
-
-if [ "$1" = "-n" ]
-then
-	shift
-	HF="cat" export HF
-	exec $0 "$@"
-fi
-
-if [ "$1" = "-x" ]
-then
-	shift
-	EXACT=1 export EXACT
-	exec $0 "$@"
-fi
-
-usage="usage: hot-report [-n -x] [file ...]"
-
-if [ ! "$HF" ]
-then
-	HF="hf -cl -t 15"
-fi
-
-if [ ! "$EXACT" ]
-then
-	EXACT=0
-fi
-
-$HF $* | cf |
-mawk '
-BEGIN	{
-	interactive["telnet"] = interactive["login"] = interative["klogin"] = 1
-	version_probe["smtp"] = 1
-
-	no_flag["www"] = no_flag["gopher"] = no_flag["smtp"] = 1
-	no_flag["www?"] = no_flag["www??"] = no_flag["gopher?"] = 1
-	no_flag["http"] = no_flag["http?"] = no_flag["http??"] = 1
-	no_flag["https"] = 1
-
-	no_rej["finger"] = no_rej["time"] = no_rej["daytime"] = 1
-	no_rej["nntp"] = no_rej["auth"] = 1
-	}
-
-	{
-	state = $10
-	if ( state == "REJ" )
-		marker = "["
-	else if ( state ~ /S0/ )
-		marker = "}"
-	else if ( state ~ /RSTR/ )
-		marker = state ~ /H/ ? "<[" : ">["
-	else if ( state ~ /RSTO/ )
-		marker = ">]"
-	else if ( state ~ /SHR/ )
-		marker = "<h"
-	else
-		marker = ">"
-
-	osize = size($6, state)
-	rsize = size($7, state)
-	dur = duration($4, state)
-
-	proto = $5
-
-	time = $1 " " ($2 "") " " $3
-
-	if ( $11 ~ /L/ )
-		{
-		ohost = $8
-		rhost = $9
-		}
-	else
-		{
-		ohost = $9
-		rhost = $8
-		}
-
-	status = ""
-	if ( NF > 11 )
-		{ # Collect additional status
-		for ( i = 12; i <= NF; ++i )
-			status = status " " $i
-		}
-
-	flag_it = flag(proto, $4+0, $6+0, $7+0, state)
-
-	printf("%-15s %s%s%s %s %s/%s%s%s%s\n", time, flag_it ? "*" : " ",
-		ohost, osize, marker, rhost, proto, rsize, dur, status)
-	}
-
-# Returns true if a connection should be flagged (represents successful
-# and sensitive activity), false otherwise
-function flag(proto, dur, osize, rsize, state)
-	{
-	if ( proto in interactive )
-		return osize > 200 || rsize > 1000 || dur > 300
-
-	if ( proto in version_probe && (osize == 0 || osize == 6) )
-		return 1
-
-	if ( proto in no_rej && (state == "REJ" || state == "S0") )
-		return 0
-
-	if ( proto ~ /^ftpdata-/ || proto ~ /^ftp-data/ )
-		return 0
-
-	return ! (proto in no_flag)
-	}
-
-function size(bytes, state)
-	{
-	if ( state == "S0" )
-		return ""
-
-	if ( state == "REJ" )
-		return ""
-
-	if ( bytes == "?" )
-		s = "?"
-
-	else if ( '$EXACT' )
-		s = sprintf("%db", bytes)
-
-	else if ( bytes < 1000 )
-		s = sprintf("%.1fkb", bytes / 1000)
-
-	else
-		s = sprintf("%.0fkb", bytes / 1000)
-
-	return " " s
-	}
-
-function duration(t, state)
-	{
-	if ( t == "?" )
-		return " " t
-
-	if ( state == "S0" || state == "S1" || state == "REJ" )
-		return ""
-
-	if ( '$EXACT' )
-		s = sprintf("%.1fs", t)
-
-	else if ( t < 60 )
-		s = sprintf("%.1fm", t / 60)
-
-	else
-		s = sprintf("%.0fm", t / 60)
-
-	return " " s
-	}
-'
diff --git a/aux/scripts/ip-grep b/aux/scripts/ip-grep
deleted file mode 100755
index 8f34d6040f..0000000000
--- a/aux/scripts/ip-grep
+++ /dev/null
@@ -1,9 +0,0 @@
-#! /bin/sh
-#
-# Returns a grep pattern for matching the IP addresses of the given hosts.
-# Note that generally when using the pattern you should surround it with
-# some form of anchoring, such as blanks, to avoid false hits.
-
-sheesh=`(for i do host-to-addrs $i; done)`
-if [ "$sheesh" = "" ]; then exit 1; fi;
-echo "$sheesh" | xargs | sed 's/\./\\./g;s/ /|/g;s/.*/(&)/'
diff --git a/aux/scripts/lock_file b/aux/scripts/lock_file
deleted file mode 100755
index 718b6c04c6..0000000000
--- a/aux/scripts/lock_file
+++ /dev/null
@@ -1,70 +0,0 @@
-#! /bin/sh
-# Inspired by http://members.toast.net/art.ross/rute/node24.html
-
-TAG=default
-CMD=
-
-help() {
-    echo "USAGE: lock_file (lock|unlock) [<tag>]"
-    echo
-    echo "lock_file locks or unlocks a lock file, for synchronization"
-    echo "across multiple processes. The lock command will block until"
-    echo "the lock can be obtained, upon which it exits with code 0."
-    echo "The exit code will be 1 on failures, and 2 on input error."
-    echo "You can use different tags for different locks."
-}
-
-while test "x$1" != "x"; do
-    case "$1" in 
-	"-h"|"--help"|"-help"|"-?"|"help")
-	    help
-	    exit 0
-	    ;;
-	"lock")
-	    CMD=lock
-	    shift 1
-	    ;;
-	"unlock")
-	    CMD=unlock
-	    shift 1
-	    ;;
-	*)
-	    TAG="$1"
-	    shift 1
-	    ;;
-    esac
-done
-
-TEMPFILE="/tmp/lock_${TAG}.$$"
-LOCKFILE="/tmp/lock_${TAG}.lock"
-
-if test "${CMD}" = "lock"; then
-
-    { echo $$ > $TEMPFILE; } >/dev/null 2>&1 || {
-	echo "You don't have permission to access `dirname $TEMPFILE`"
-	exit 1
-    }
-
-    while true; do
-	ln $TEMPFILE $LOCKFILE >/dev/null 2>&1 && {
-	    rm -f $TEMPFILE
-	    exit 0;
-	}
-
-	if test -e "$LOCKFILE"; then
-	    kill -0 `cat $LOCKFILE` >/dev/null 2>&1 || {
-		echo "Removing stale lock file"
-		rm -f $LOCKFILE
-	    }
-	fi
-	
-	sleep 1
-    done
-fi
-
-if test "${CMD}" = "unlock"; then
-    rm -f $LOCKFILE && exit 0
-    exit 1
-fi
-
-exit 2
diff --git a/aux/scripts/mon-report b/aux/scripts/mon-report
deleted file mode 100755
index 0b39819362..0000000000
--- a/aux/scripts/mon-report
+++ /dev/null
@@ -1,79 +0,0 @@
-#! /bin/csh -f
-#
-# Given Bro connection summary files, reports on the activities of
-# particular host(s) or net(s).
-#
-# mon-report [-n] [-t] [-x] h1 [-a h2] file ...
-#
-# reports on all connections involving host "h1", or "h1" and "h2" if -a
-# specified.  -n means that h1 and h2 should be interpreted as IP addresses
-# (either host or network) instead of hostnames.  -t means to write to stdout
-# the raw trace file instead of the hot report.  -x is passed along to
-# hot-report to specify exact byte counts and durations (unless -t is given).
-
-set usage = "mon-report [-n] [-t] [-x] h1 [-a h2] file ..."
-set GREP = "grep -E"
-
-if ( "$1" == "-n" ) then
-	setenv REPORT_NET
-	shift
-	mon-report $*
-	exit
-endif
-
-if ( "$1" == "-t" ) then
-	setenv REPORT_TO_STDOUT
-	shift
-	mon-report $*
-	exit
-endif
-
-if ( "$1" == "-x" ) then
-	setenv EXACT
-	shift
-	mon-report $*
-	exit
-endif
-
-if ( "$1" == "" ) then
-	echo "$usage"
-	exit
-endif
-
-set h1=$1
-shift
-
-set h2
-if ( "$1" == "-a" ) then
-	shift
-	if ( "$1" == "" ) then
-		echo "$usage"
-		exit
-	endif
-	setenv H2
-	set h2=$1
-	shift
-endif
-
-if ( $?REPORT_TO_STDOUT ) then
-	set out="cat"
-else
-	if ( $?EXACT ) then
-		set out="hot-report -x"
-	else
-		set out="hot-report"
-	endif
-endif
-
-if ( $?REPORT_NET ) then
-	if ( $?H2 ) then
-		cat $* | $GREP " `echo $h1 | sed 's/\./\\./g;s/ /|/g'`[. ]" | \
-			 $GREP " `echo $h2 | sed 's/\./\\./g;s/ /|/g'`[. ]" | \
-			 sort -n | $out
-	else
-		cat $* | $GREP " `echo $h1 | sed 's/\./\\./g;s/ /|/g'`[. ]" | \
-			 sort -n | $out
-	endif
-else
-	cat $* | host-grep -a $h1 $h2 | sort -n | $out
-endif
diff --git a/aux/scripts/mvlog b/aux/scripts/mvlog
deleted file mode 100755
index 6136744dec..0000000000
--- a/aux/scripts/mvlog
+++ /dev/null
@@ -1,58 +0,0 @@
-#! /usr/bin/env bash
-#
-# This script may be used as a postprocessor for Bro's log files to
-# automatically compress and archive them.
-# 
-# Example use: 
-#
-#     1. Add two lines to your Bro configuration:
-#
-#              redef log_rotate_interval = 6 hrs &redef;
-#              redef log_postprocessor = "mvlog";
-#
-#     2. Put the script into your PATH.
-#
-#     3. Define an environment variable BROBASE giving 
-#        a base directory to store the archived logs in.
-#
-#     Now Bro rotates log files every six hours, gzips them
-#     and moves them into directories $BROBASE/logs/<date>/
-#
-# General usage (this is how Bro calls all postprocessors):
-#
-#     mvlog <rotated-file-name> <base-name> <timestamp-when-opened> <timestamp-when-closed>
-#
-# Example of how Bro may call the script: 
-#
-#     mvlog alert.log.28799.1069381104 alert.log 03-11-21_03.18.18 03-11-21_04.0.24
-
-if [ "$BROBASE" == "" ]; then
-   echo BROBASE not set.
-   exit 1
-fi   
-
-# Base of archive.
-BASE="$BROBASE/logs"
-
-# Build archive name
-DAY=`echo $3 | sed 's/_.*$//'`
-FROM=`echo $3 | sed 's/^.*_//' | sed 's/\./:/g'`
-TO=`echo $4 | sed 's/^.*._//' | sed 's/\./:/g'`
-
-CENTURY=`date +%Y | sed 's/..$//g'`
-DAY="$CENTURY$DAY"
-
-DEST="$BASE/$DAY/$2.$FROM-$TO"
-
-# Create archive sub-dir if not existent.
-
-if [ ! -d "$BASE" ]; then
-    mkdir "$BASE"
-fi    
-
-if [ ! -d "$BASE/$DAY" ]; then
-    mkdir "$BASE/$DAY"
-fi    
-
-# Zip it and move into archive.
-nice gzip -6 <$1 >$DEST.gz && rm $1
diff --git a/bro-path-dev.in b/bro-path-dev.in
new file mode 100755
index 0000000000..394462924d
--- /dev/null
+++ b/bro-path-dev.in
@@ -0,0 +1,21 @@
+#!/bin/sh
+# After configured by CMake, this file prints the absolute path to policy
+# files that come with the source distributions of Bro and Broctl as well
+# as policy files that are generated by the BIF compiler at compile time
+#
+# The intended use of this script is to make it easier to run Bro from
+# the build directory, avoiding the need to install it.  This could be
+# done like:
+#
+#     BROPATH=`./bro-path-dev` ./src/bro
+#
+
+broPolicies=${PROJECT_SOURCE_DIR}/policy:${PROJECT_SOURCE_DIR}/policy/sigs:${PROJECT_SOURCE_DIR}/policy/time-machine
+
+broGenPolicies=${CMAKE_BINARY_DIR}/src
+
+broctlPolicies=${PROJECT_SOURCE_DIR}/aux/broctl/policy:${CMAKE_BINARY_DIR}/aux/broctl/policy/local
+
+installedPolicies=${POLICYDIR}:${POLICYDIR}/sigs:${POLICYDIR}/time-machine:${POLICYDIR}/site
+
+echo .:$broPolicies:$broGenPolicies:$broctlPolicies
diff --git a/cmake/ChangeMacInstallNames.cmake b/cmake/ChangeMacInstallNames.cmake
new file mode 100644
index 0000000000..1e7370d3e7
--- /dev/null
+++ b/cmake/ChangeMacInstallNames.cmake
@@ -0,0 +1,87 @@
+# Calling this macro with the name of a list variable will modify that
+# list such that any third party libraries that do not come with a
+# vanilla Mac OS X system will be replaced by an adjusted library that
+# has an install_name relative to the location of any executable that
+# links to it.
+#
+# Also, it will schedule the modified libraries for installation in a
+# 'support_libs' subdirectory of the CMAKE_INSTALL_PREFIX.
+#
+# The case of third party libraries depending on other third party
+# libraries is currently not handled by this macro.
+#
+# Ex.
+#
+# set(libs /usr/lib/libz.dylib
+#             /usr/lib/libssl.dylib
+#             /usr/local/lib/libmagic.dylib
+#             /usr/local/lib/libGeoIP.dylib
+#             /usr/local/lib/somestaticlib.a)
+#
+# include(ChangeMacInstallNames)
+# ChangeMacInstallNames(libs)
+#
+# Should result in ${libs} containing:
+#             /usr/lib/libz.dylib
+#             /usr/lib/libssl.dylib
+#             ${CMAKE_BINARY_DIR}/darwin_support_libs/libmagic.dylib
+#             ${CMAKE_BINARY_DIR}/darwin_support_libs/libGeoIP.dylib
+#             /usr/local/lib/somestaticlib.a
+#
+# such that we can now do:
+#
+# add_executable(some_exe ${srcs})
+# target_link_libraries(some_exe ${libs})
+#
+# Any binary packages created from such a build should be self-contained
+# and provide working installs on vanilla OS X systems.
+
+macro(ChangeMacInstallNames libListVar)
+    if (APPLE)
+        find_program(INSTALL_NAME_TOOL install_name_tool)
+
+        set(MAC_INSTALL_NAME_DEPS)
+        set(SUPPORT_BIN_DIR ${CMAKE_BINARY_DIR}/darwin_support_libs)
+        set(SUPPORT_INSTALL_DIR support_libs)
+
+        file(MAKE_DIRECTORY ${SUPPORT_BIN_DIR})
+
+        foreach (_lib ${${libListVar}})
+            # only care about install_name for shared libraries that are
+            # not shipped in Apple's vanilla OS X installs
+            string(REGEX MATCH ^/usr/lib/* apple_provided_lib ${_lib})
+            string(REGEX MATCH dylib$ is_shared_lib ${_lib})
+
+            if (NOT apple_provided_lib AND is_shared_lib)
+                get_filename_component(_libname ${_lib} NAME)
+                set(_adjustedLib ${SUPPORT_BIN_DIR}/${_libname})
+                set(_tmpLib
+                    ${CMAKE_BINARY_DIR}${CMAKE_FILES_DIRECTORY}/${_libname})
+
+                # make a tempory copy so we can adjust permissions
+                configure_file(${_lib} ${_tmpLib} COPYONLY)
+
+                # copy to build directory with correct write permissions
+                file(COPY ${_tmpLib}
+                    DESTINATION ${SUPPORT_BIN_DIR}
+                    FILE_PERMISSIONS OWNER_READ OWNER_WRITE
+                                     GROUP_READ WORLD_READ)
+
+                # remove the old library from the list provided as macro
+                # argument and add the new library with modified install_name
+                list(REMOVE_ITEM ${libListVar} ${_lib})
+                list(APPEND ${libListVar} ${_adjustedLib})
+
+                # update the install target to install the third party libs
+                # with modified install_name
+                install(FILES ${_adjustedLib}
+                    DESTINATION ${SUPPORT_INSTALL_DIR})
+
+                # perform the install_name change
+                execute_process(COMMAND install_name_tool -id
+                    @executable_path/../${SUPPORT_INSTALL_DIR}/${_libname}
+                    ${_adjustedLib})
+            endif ()
+        endforeach ()
+    endif ()
+endmacro()
diff --git a/cmake/CheckFunctions.cmake b/cmake/CheckFunctions.cmake
new file mode 100644
index 0000000000..e378ef237b
--- /dev/null
+++ b/cmake/CheckFunctions.cmake
@@ -0,0 +1,12 @@
+include(CheckFunctionExists)
+
+check_function_exists(getopt_long HAVE_GETOPT_LONG)
+check_function_exists(mallinfo HAVE_MALLINFO)
+check_function_exists(strcasestr HAVE_STRCASESTR)
+check_function_exists(strerror HAVE_STRERROR)
+check_function_exists(strsep HAVE_STRSEP)
+check_function_exists(sigset HAVE_SIGSET)
+
+if (NOT HAVE_SIGSET)
+    check_function_exists(sigaction HAVE_SIGACTION)
+endif ()
diff --git a/cmake/CheckHeaders.cmake b/cmake/CheckHeaders.cmake
new file mode 100644
index 0000000000..ff206679d2
--- /dev/null
+++ b/cmake/CheckHeaders.cmake
@@ -0,0 +1,28 @@
+include(CheckIncludeFiles)
+include(CheckStructHasMember)
+
+check_include_files(getopt.h HAVE_GETOPT_H)
+check_include_files(magic.h HAVE_MAGIC_H)
+check_include_files(memory.h HAVE_MEMORY_H)
+check_include_files("sys/socket.h;netinet/in.h;net/if.h;netinet/if_ether.h"
+                    HAVE_NETINET_IF_ETHER_H)
+check_include_files("sys/socket.h;netinet/in.h;net/if.h;netinet/ip6.h"
+                    HAVE_NETINET_IP6_H)
+check_include_files("sys/socket.h;net/if.h;net/ethernet.h" HAVE_NET_ETHERNET_H)
+check_include_files(sys/ethernet.h HAVE_SYS_ETHERNET_H)
+check_include_files(sys/time.h HAVE_SYS_TIME_H)
+check_include_files("time.h;sys/time.h" TIME_WITH_SYS_TIME)
+check_include_files(os-proto.h HAVE_OS_PROTO_H)
+
+check_struct_has_member(HISTORY_STATE entries "stdio.h;readline/readline.h"
+                        HAVE_READLINE_HISTORY_ENTRIES)
+check_include_files("stdio.h;readline/readline.h" HAVE_READLINE_READLINE_H)
+check_include_files("stdio.h;readline/history.h" HAVE_READLINE_HISTORY_H)
+
+if (HAVE_READLINE_READLINE_H AND
+    HAVE_READLINE_HISTORY_H AND
+    HAVE_READLINE_HISTORY_ENTRIES)
+    set(HAVE_READLINE true)
+endif ()
+
+check_struct_has_member("struct sockaddr_in" sin_len "netinet/in.h" SIN_LEN)
diff --git a/cmake/CheckNameserCompat.cmake b/cmake/CheckNameserCompat.cmake
new file mode 100644
index 0000000000..1a71411f1b
--- /dev/null
+++ b/cmake/CheckNameserCompat.cmake
@@ -0,0 +1,21 @@
+include(CheckCSourceCompiles)
+
+# Check whether the namser compatibility header is required
+# This can be the case on the Darwin platform
+
+check_c_source_compiles("
+    #include <arpa/nameser.h>
+    int main() { HEADER *hdr; int d = NS_IN6ADDRSZ; return 0; }"
+    have_nameser_header)
+
+if (NOT have_nameser_header)
+    check_c_source_compiles("
+        #include <arpa/nameser.h>
+        #include <arpa/nameser_compat.h>
+        int main() { HEADER *hdr; int d = NS_IN6ADDRSZ; return 0; }"
+        NEED_NAMESER_COMPAT_H)
+    if (NOT NEED_NAMESER_COMPAT_H)
+        message(FATAL_ERROR
+            "Asynchronous DNS support compatibility check failed.")
+    endif ()
+endif ()
diff --git a/cmake/CheckOptionalBuildSources.cmake b/cmake/CheckOptionalBuildSources.cmake
new file mode 100644
index 0000000000..f901d432f6
--- /dev/null
+++ b/cmake/CheckOptionalBuildSources.cmake
@@ -0,0 +1,21 @@
+# A macro that checks whether optional sources exist and if they do, they
+# are added to the build/install process, else a warning is issued
+#
+#         _dir: the subdir of the current source dir in which the optional
+#               sources are located
+# _packageName: a string that identifies the package
+#     _varName: name of the variable indicating whether package is scheduled
+#               to be installed
+
+macro(CheckOptionalBuildSources _dir _packageName _varName)
+    if (${_varName})
+        if (EXISTS ${CMAKE_CURRENT_SOURCE_DIR}/${_dir}/CMakeLists.txt)
+            add_subdirectory(${_dir})
+        else ()
+            message(WARNING "${_packageName} source code does not exist in "
+                            "${CMAKE_CURRENT_SOURCE_DIR}/${_dir} "
+                            "so it will not be built or installed")
+            set(${_varName} false)
+        endif ()
+    endif ()
+endmacro(CheckOptionalBuildSources)
diff --git a/cmake/CheckTypes.cmake b/cmake/CheckTypes.cmake
new file mode 100644
index 0000000000..1fab29e3f8
--- /dev/null
+++ b/cmake/CheckTypes.cmake
@@ -0,0 +1,31 @@
+include(CheckTypeSize)
+
+check_type_size("long int" SIZEOF_LONG_INT)
+check_type_size("long long" SIZEOF_LONG_LONG)
+check_type_size("void *" SIZEOF_VOID_P)
+
+# checks existence of ${_type}, and if it does not, sets CMake variable ${_var}
+# to alternative type, ${_alt_type}
+macro(CheckType _type _alt_type _var)
+    # don't perform check if we have a result from a previous CMake run
+    if (NOT HAVE_${_var})
+        check_type_size(${_type} ${_var})
+        if (NOT ${_var})
+            set(${_var} ${_alt_type})
+        else ()
+            unset(${_var})
+            unset(${_var} CACHE)
+        endif ()
+    endif ()
+endmacro(CheckType _type _alt_type _var)
+
+set(CMAKE_EXTRA_INCLUDE_FILES sys/types.h)
+CheckType(int32_t   int     int32_t)
+CheckType(u_int32_t u_int   u_int32_t)
+CheckType(u_int16_t u_short u_int16_t)
+CheckType(u_int8_t  u_char  u_int8_t)
+set(CMAKE_EXTRA_INCLUDE_FILES)
+
+set(CMAKE_EXTRA_INCLUDE_FILES sys/socket.h)
+CheckType(socklen_t int     socklen_t)
+set(CMAKE_EXTRA_INCLUDE_FILES)
diff --git a/cmake/ConfigurePackaging.cmake b/cmake/ConfigurePackaging.cmake
new file mode 100644
index 0000000000..6d7cb3d76f
--- /dev/null
+++ b/cmake/ConfigurePackaging.cmake
@@ -0,0 +1,238 @@
+# A collection of macros to assist in configuring CMake/Cpack
+# source and binary packaging
+
+# Sets CPack version variables by splitting the first macro argument
+# using "." as a delimiter.  If the length of the split list is
+# greater than 2, all remaining elements are tacked on to the patch
+# level version.  Not that the version set by the macro is internal
+# to binary packaging, the file name of our package will reflect the
+# exact version number.
+macro(SetPackageVersion _version)
+    string(REPLACE "." " " version_numbers ${_version})
+    separate_arguments(version_numbers)
+
+    list(GET version_numbers 0 CPACK_PACKAGE_VERSION_MAJOR)
+    list(REMOVE_AT version_numbers 0)
+    list(GET version_numbers 0 CPACK_PACKAGE_VERSION_MINOR)
+    list(REMOVE_AT version_numbers 0)
+    list(LENGTH version_numbers version_length)
+
+    while (version_length GREATER 0)
+        list(GET version_numbers 0 patch_level)
+        if (CPACK_PACKAGE_VERSION_PATCH)
+            set(CPACK_PACKAGE_VERSION_PATCH
+                "${CPACK_PACKAGE_VERSION_PATCH}.${patch_level}")
+        else ()
+            set(CPACK_PACKAGE_VERSION_PATCH ${patch_level})
+        endif ()
+        list(REMOVE_AT version_numbers 0)
+        list(LENGTH version_numbers version_length)
+    endwhile ()
+
+    if (APPLE)
+        # Mac PackageMaker package requires only numbers in the versioning
+        string(REGEX REPLACE "[_a-zA-Z-]" "" CPACK_PACKAGE_VERSION_MAJOR
+               ${CPACK_PACKAGE_VERSION_MAJOR})
+        string(REGEX REPLACE "[_a-zA-Z-]" "" CPACK_PACKAGE_VERSION_MINOR
+               ${CPACK_PACKAGE_VERSION_MINOR})
+        if (CPACK_PACKAGE_VERSION_PATCH)
+            string(REGEX REPLACE "[_a-zA-Z-]" "" CPACK_PACKAGE_VERSION_PATCH
+                   ${CPACK_PACKAGE_VERSION_PATCH})
+        endif ()
+    endif ()
+
+    if (${CMAKE_SYSTEM_NAME} MATCHES "Linux")
+        # RPM version accepts letters, but not dashes.
+        string(REGEX REPLACE "[-]" "" CPACK_PACKAGE_VERSION_MAJOR
+               ${CPACK_PACKAGE_VERSION_MAJOR})
+        string(REGEX REPLACE "[-]" "" CPACK_PACKAGE_VERSION_MINOR
+               ${CPACK_PACKAGE_VERSION_MINOR})
+        if (CPACK_PACKAGE_VERSION_PATCH)
+            string(REGEX REPLACE "[-]" "" CPACK_PACKAGE_VERSION_PATCH
+                   ${CPACK_PACKAGE_VERSION_PATCH})
+        endif ()
+    endif ()
+
+    # Minimum supported OS X version
+    set(CPACK_OSX_PACKAGE_VERSION 10.5)
+endmacro(SetPackageVersion)
+
+# Sets the list of desired package types to be created by the make
+# package target.  A .tar.gz is only made for source packages, and 
+# binary pacakage format depends on the operating system:
+#
+# Darwin - PackageMaker
+# Linux - RPM if the platform has rpmbuild installed
+#         DEB if the platform has dpkg-shlibdeps installed
+#
+# CPACK_GENERATOR is set by this macro
+# CPACK_SOURCE_GENERATOR is set by this macro
+macro(SetPackageGenerators)
+    set(CPACK_SOURCE_GENERATOR TGZ)
+    #set(CPACK_GENERATOR TGZ)
+    if (APPLE)
+        list(APPEND CPACK_GENERATOR PackageMaker)
+    elseif (${CMAKE_SYSTEM_NAME} MATCHES "Linux")
+        find_program(RPMBUILD_EXE rpmbuild)
+        find_program(DPKGSHLIB_EXE dpkg-shlibdeps)
+        if (RPMBUILD_EXE)
+            set(CPACK_GENERATOR ${CPACK_GENERATOR} RPM)
+        endif ()
+        if (DPKGSHLIB_EXE)
+            set(CPACK_GENERATOR ${CPACK_GENERATOR} DEB)
+            set(CPACK_DEBIAN_PACKAGE_SHLIBDEPS true)
+        endif ()
+    endif ()
+endmacro(SetPackageGenerators)
+
+# Sets CPACK_PACKAGE_FILE_NAME in the following format:
+#
+# <project_name>-<version>-<OS/platform>-<arch>
+#
+# and CPACK_SOURCE_PACKAGE_FILE_NAME as:
+#
+# <project_name>-<version>
+macro(SetPackageFileName _version)
+    if (PACKAGE_NAME_PREFIX)
+        set(CPACK_PACKAGE_FILE_NAME "${PACKAGE_NAME_PREFIX}-${_version}")
+        set(CPACK_SOURCE_PACKAGE_FILE_NAME "${PACKAGE_NAME_PREFIX}-${_version}")
+    else ()
+        set(CPACK_PACKAGE_FILE_NAME "${CMAKE_PROJECT_NAME}-${_version}")
+        set(CPACK_SOURCE_PACKAGE_FILE_NAME "${CMAKE_PROJECT_NAME}-${_version}")
+    endif ()
+
+    set(CPACK_PACKAGE_FILE_NAME
+        "${CPACK_PACKAGE_FILE_NAME}-${CMAKE_SYSTEM_NAME}")
+
+    if (APPLE)
+        # Only Intel-based Macs are supported.  CMAKE_SYSTEM_PROCESSOR may
+        # return the confusing 'i386' if running a 32-bit kernel, but chances
+        # are the binary is x86_64 (or more generally 'Intel') compatible.
+        set(arch "Intel")
+    else ()
+        set (arch ${CMAKE_SYSTEM_PROCESSOR})
+    endif ()
+
+    set(CPACK_PACKAGE_FILE_NAME "${CPACK_PACKAGE_FILE_NAME}-${arch}")
+endmacro(SetPackageFileName)
+
+# Sets up binary package metadata
+macro(SetPackageMetadata)
+    set(CPACK_PACKAGE_VENDOR "Lawrence Berkeley National Laboratory")
+    set(CPACK_PACKAGE_CONTACT "info@bro-ids.org")
+    set(CPACK_PACKAGE_DESCRIPTION_SUMMARY
+        "The Bro Network Intrusion Detection System")
+
+    # CPack may enforce file name extensions for certain package generators
+    configure_file(${CMAKE_CURRENT_SOURCE_DIR}/README
+                   ${CMAKE_CURRENT_BINARY_DIR}/README.txt
+                    COPYONLY)
+    configure_file(${CMAKE_CURRENT_SOURCE_DIR}/COPYING
+                   ${CMAKE_CURRENT_BINARY_DIR}/COPYING.txt
+                    COPYONLY)
+    configure_file(${CMAKE_CURRENT_SOURCE_DIR}/cmake/MAC_PACKAGE_INTRO
+                   ${CMAKE_CURRENT_BINARY_DIR}/MAC_PACKAGE_INTRO.txt)
+
+    set(CPACK_PACKAGE_DESCRIPTION_FILE ${CMAKE_CURRENT_BINARY_DIR}/README.txt)
+    set(CPACK_RESOURCE_FILE_LICENSE ${CMAKE_CURRENT_BINARY_DIR}/COPYING.txt)
+    set(CPACK_RESOURCE_FILE_README ${CMAKE_CURRENT_BINARY_DIR}/README.txt)
+    set(CPACK_RESOURCE_FILE_WELCOME
+        ${CMAKE_CURRENT_BINARY_DIR}/MAC_PACKAGE_INTRO.txt)
+
+    set(CPACK_RPM_PACKAGE_LICENSE "BSD")
+endmacro(SetPackageMetadata)
+
+# Sets pre and post install scripts for PackageMaker packages.
+# The main functionality that such scripts offer is a way to make backups
+# of "configuration" files that a user may have modified.
+# Note that RPMs already have a robust mechanism for dealing with
+# user-modified files, so we do not need this additional functionality
+macro(SetPackageInstallScripts VERSION)
+
+    if (INSTALLED_CONFIG_FILES)
+        # Remove duplicates from the list of installed config files
+        separate_arguments(INSTALLED_CONFIG_FILES)
+        list(REMOVE_DUPLICATES INSTALLED_CONFIG_FILES)
+        # Space delimit the list again
+        foreach (_file ${INSTALLED_CONFIG_FILES})
+            set(_tmp "${_tmp} ${_file}")
+        endforeach ()
+        set(INSTALLED_CONFIG_FILES "${_tmp}" CACHE STRING "" FORCE)
+    endif ()
+
+    if (${CMAKE_SYSTEM_NAME} MATCHES "Linux")
+        # DEB packages can automatically handle configuration files
+        # if provided in a "conffiles" file in the packaging
+        set(conffiles_file ${CMAKE_CURRENT_BINARY_DIR}/conffiles)
+        if (INSTALLED_CONFIG_FILES)
+            string(REPLACE " " ";" conffiles ${INSTALLED_CONFIG_FILES})
+        endif ()
+        file(WRITE ${conffiles_file} "")
+        foreach (_file ${conffiles})
+            file(APPEND ${conffiles_file} "${_file}\n")
+        endforeach ()
+
+        list(APPEND CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA
+            ${CMAKE_CURRENT_BINARY_DIR}/conffiles)
+
+        # RPMs don't need any explicit direction regarding config files.
+
+        # Leaving the set of installed config files empty will just
+        # bypass the logic in the default pre/post install scripts and let
+        # the RPMs/DEBs do their own thing (regarding backups, etc.)
+        # when upgrading packages.
+        set(INSTALLED_CONFIG_FILES "")
+    endif ()
+
+    if (EXISTS ${CMAKE_CURRENT_SOURCE_DIR}/cmake/package_preinstall.sh.in)
+        configure_file(
+            ${CMAKE_CURRENT_SOURCE_DIR}/cmake/package_preinstall.sh.in
+            ${CMAKE_CURRENT_BINARY_DIR}/package_preinstall.sh
+            @ONLY)
+        configure_file(
+            ${CMAKE_CURRENT_SOURCE_DIR}/cmake/package_preinstall.sh.in
+            ${CMAKE_CURRENT_BINARY_DIR}/preinst
+            @ONLY)
+        set(CPACK_PREFLIGHT_SCRIPT
+            ${CMAKE_CURRENT_BINARY_DIR}/package_preinstall.sh)
+        set(CPACK_RPM_PRE_INSTALL_SCRIPT_FILE
+            ${CMAKE_CURRENT_BINARY_DIR}/package_preinstall.sh)
+        list(APPEND CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA
+            ${CMAKE_CURRENT_BINARY_DIR}/preinst)
+    endif ()
+
+    if (EXISTS ${CMAKE_CURRENT_SOURCE_DIR}/cmake/package_postupgrade.sh.in)
+        configure_file(
+            ${CMAKE_CURRENT_SOURCE_DIR}/cmake/package_postupgrade.sh.in
+            ${CMAKE_CURRENT_BINARY_DIR}/package_postupgrade.sh
+            @ONLY)
+        configure_file(
+            ${CMAKE_CURRENT_SOURCE_DIR}/cmake/package_postupgrade.sh.in
+            ${CMAKE_CURRENT_BINARY_DIR}/postinst
+            @ONLY)
+        set(CPACK_POSTUPGRADE_SCRIPT
+            ${CMAKE_CURRENT_BINARY_DIR}/package_postupgrade.sh)
+        set(CPACK_RPM_POST_INSTALL_SCRIPT_FILE
+            ${CMAKE_CURRENT_BINARY_DIR}/package_postupgrade.sh)
+        list(APPEND CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA
+            ${CMAKE_CURRENT_BINARY_DIR}/postinst)
+    endif ()
+endmacro(SetPackageInstallScripts)
+
+# Main macro to configure all the packaging options
+macro(ConfigurePackaging _version)
+    SetPackageVersion(${_version})
+    SetPackageGenerators()
+    SetPackageFileName(${_version})
+    SetPackageMetadata()
+    SetPackageInstallScripts(${_version})
+
+    set(CPACK_SET_DESTDIR true)
+    set(CPACK_PACKAGING_INSTALL_PREFIX ${CMAKE_INSTALL_PREFIX})
+
+    # add default files/directories to ignore for source package
+    # user may specify others via configure script
+    list(APPEND CPACK_SOURCE_IGNORE_FILES ${CMAKE_BINARY_DIR} ".git")
+
+    include(CPack)
+endmacro(ConfigurePackaging)
diff --git a/cmake/FindBIND.cmake b/cmake/FindBIND.cmake
new file mode 100644
index 0000000000..4cbc481ae6
--- /dev/null
+++ b/cmake/FindBIND.cmake
@@ -0,0 +1,101 @@
+# - Try to find libpcap include dirs and libraries 
+#
+# Usage of this module as follows:
+#
+#     find_package(BIND)
+#
+# Variables used by this module, they can change the default behaviour and need
+# to be set before calling find_package:
+#
+#  BIND_ROOT_DIR             Set this variable to the root installation of BIND
+#                            if the module has problems finding the proper
+#                            installation path.
+#
+# Variables defined by this module:
+#
+#  BIND_FOUND                System has BIND, include and library dirs found
+#  BIND_INCLUDE_DIR          The BIND include directories. 
+#  BIND_LIBRARY              The BIND library (if any) required for
+#                            ns_inittab and res_mkquery symbols
+
+find_path(BIND_ROOT_DIR
+    NAMES include/resolv.h
+)
+
+find_path(BIND_INCLUDE_DIR
+    NAMES resolv.h
+    HINTS ${BIND_ROOT_DIR}/include
+)
+
+if (${CMAKE_SYSTEM_NAME} MATCHES "Linux")
+    # the static resolv library is preferred because
+    # on some systems, the ns_initparse symbol is not
+    # exported in the shared library (strangely)
+    # see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=291609
+    set(bind_libs none libresolv.a resolv bind)
+else ()
+    set(bind_libs none resolv bind)
+endif ()
+
+include(CheckCSourceCompiles)
+
+# Find which library has the res_mkquery and ns_initparse symbols
+set(CMAKE_REQUIRED_INCLUDES ${BIND_INCLUDE_DIR})
+foreach (bindlib ${bind_libs})
+    if (NOT ${bindlib} MATCHES "none")
+        find_library(BIND_LIBRARY
+            NAMES ${bindlib}
+            HINTS ${BIND_ROOT_DIR}/lib
+        )
+    endif ()
+
+    set(CMAKE_REQUIRED_LIBRARIES ${BIND_LIBRARY})
+
+    check_c_source_compiles("
+        #include <arpa/nameser.h>
+        int main() {
+            ns_initparse(0, 0, 0);
+            return 0;
+        }
+" ns_initparse_works_${bindlib})
+
+    check_c_source_compiles("
+        #include <sys/types.h>
+        #include <sys/socket.h>
+        #include <netinet/in.h>
+        #include <arpa/nameser.h>
+        #include <resolv.h>
+        int main() {
+            int (*p)() = res_mkquery;
+        }
+" res_mkquery_works_${bindlib})
+
+    set(CMAKE_REQUIRED_LIBRARIES)
+
+    if (ns_initparse_works_${bindlib} AND res_mkquery_works_${bindlib})
+        break ()
+    else ()
+        set(BIND_LIBRARY BIND_LIBRARY-NOTFOUND)
+    endif ()
+endforeach ()
+set(CMAKE_REQUIRED_INCLUDES)
+
+include(FindPackageHandleStandardArgs)
+
+if (ns_initparse_works_none AND res_mkquery_works_none)
+    # system does not require linking to a BIND library
+    find_package_handle_standard_args(BIND DEFAULT_MSG
+        BIND_INCLUDE_DIR
+    )
+else ()
+    find_package_handle_standard_args(BIND DEFAULT_MSG
+        BIND_LIBRARY
+        BIND_INCLUDE_DIR
+    )
+endif ()
+
+mark_as_advanced(
+    BIND_ROOT_DIR
+    BIND_LIBRARY
+    BIND_INCLUDE_DIR
+)
diff --git a/cmake/FindBISON.cmake b/cmake/FindBISON.cmake
new file mode 100644
index 0000000000..3f6d11d04f
--- /dev/null
+++ b/cmake/FindBISON.cmake
@@ -0,0 +1,221 @@
+# - Find bison executable and provides macros to generate custom build rules
+# The module defines the following variables:
+#
+#  BISON_EXECUTABLE - path to the bison program
+#  BISON_VERSION - version of bison
+#  BISON_FOUND - true if the program was found
+#
+# If bison is found, the module defines the macros:
+#  BISON_TARGET(<Name> <YaccInput> <CodeOutput> [VERBOSE <file>]
+#              [COMPILE_FLAGS <string>] [HEADER <FILE>])
+# which will create  a custom rule to generate  a parser. <YaccInput> is
+# the path to  a yacc file. <CodeOutput> is the name  of the source file
+# generated by bison.  A header file containing the token  list is  also
+# generated according to bison's -d option by default  or if the  HEADER
+# option is used, the argument is passed to  bison's --defines option to
+# specify output file.  If COMPILE_FLAGS option is specified,  the  next
+# parameter is  added in the bison  command line.  if  VERBOSE option is
+# specified, <file> is created  and contains verbose descriptions of the
+# grammar and parser. The macro defines a set of variables:
+#  BISON_${Name}_DEFINED - true is the macro ran successfully
+#  BISON_${Name}_INPUT - The input source file, an alias for <YaccInput>
+#  BISON_${Name}_OUTPUT_SOURCE - The source file generated by bison
+#  BISON_${Name}_OUTPUT_HEADER - The header file generated by bison
+#  BISON_${Name}_OUTPUTS - The sources files generated by bison
+#  BISON_${Name}_COMPILE_FLAGS - Options used in the bison command line
+#
+#  ====================================================================
+#  Example:
+#
+#   find_package(BISON)
+#   BISON_TARGET(MyParser parser.y ${CMAKE_CURRENT_BINARY_DIR}/parser.cpp)
+#   add_executable(Foo main.cpp ${BISON_MyParser_OUTPUTS})
+#  ====================================================================
+
+#=============================================================================
+# Copyright 2009 Kitware, Inc.
+# Copyright 2006 Tristan Carel
+# Modified 2010 by Jon Siwek, adding HEADER option
+#
+# Distributed under the OSI-approved BSD License (the "License"):
+# CMake - Cross Platform Makefile Generator
+# Copyright 2000-2009 Kitware, Inc., Insight Software Consortium
+# All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# * Redistributions of source code must retain the above copyright
+#   notice, this list of conditions and the following disclaimer.
+#
+# * Redistributions in binary form must reproduce the above copyright
+#   notice, this list of conditions and the following disclaimer in the
+#   documentation and/or other materials provided with the distribution.
+#
+# * Neither the names of Kitware, Inc., the Insight Software Consortium,
+#   nor the names of their contributors may be used to endorse or promote
+#   products derived from this software without specific prior written
+#   permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+# This software is distributed WITHOUT ANY WARRANTY; without even the
+# implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+# See the License for more information.
+#=============================================================================
+
+FIND_PROGRAM(BISON_EXECUTABLE bison DOC "path to the bison executable")
+MARK_AS_ADVANCED(BISON_EXECUTABLE)
+
+IF(BISON_EXECUTABLE)
+
+  EXECUTE_PROCESS(COMMAND ${BISON_EXECUTABLE} --version
+    OUTPUT_VARIABLE BISON_version_output
+    ERROR_VARIABLE BISON_version_error
+    RESULT_VARIABLE BISON_version_result
+    OUTPUT_STRIP_TRAILING_WHITESPACE)
+  IF(NOT ${BISON_version_result} EQUAL 0)
+    MESSAGE(SEND_ERROR "Command \"${BISON_EXECUTABLE} --version\" failed with output:\n${BISON_version_error}")
+  ELSE()
+    STRING(REGEX REPLACE "^bison \\(GNU Bison\\) ([^\n]+)\n.*" "\\1"
+      BISON_VERSION "${BISON_version_output}")
+  ENDIF()
+
+  # internal macro
+  MACRO(BISON_TARGET_option_verbose Name BisonOutput filename)
+    LIST(APPEND BISON_TARGET_cmdopt "--verbose")
+    GET_FILENAME_COMPONENT(BISON_TARGET_output_path "${BisonOutput}" PATH)
+    GET_FILENAME_COMPONENT(BISON_TARGET_output_name "${BisonOutput}" NAME_WE)
+    ADD_CUSTOM_COMMAND(OUTPUT ${filename}
+      COMMAND ${CMAKE_COMMAND}
+      ARGS -E copy
+      "${BISON_TARGET_output_path}/${BISON_TARGET_output_name}.output"
+      "${filename}"
+      DEPENDS
+      "${BISON_TARGET_output_path}/${BISON_TARGET_output_name}.output"
+      COMMENT "[BISON][${Name}] Copying bison verbose table to ${filename}"
+      WORKING_DIRECTORY ${CMAKE_SOURCE_DIR})
+    SET(BISON_${Name}_VERBOSE_FILE ${filename})
+    LIST(APPEND BISON_TARGET_extraoutputs
+      "${BISON_TARGET_output_path}/${BISON_TARGET_output_name}.output")
+  ENDMACRO(BISON_TARGET_option_verbose)
+
+  # internal macro
+  MACRO(BISON_TARGET_option_extraopts Options)
+    SET(BISON_TARGET_extraopts "${Options}")
+    SEPARATE_ARGUMENTS(BISON_TARGET_extraopts)
+    LIST(APPEND BISON_TARGET_cmdopt ${BISON_TARGET_extraopts})
+  ENDMACRO(BISON_TARGET_option_extraopts)
+
+  #============================================================
+  # BISON_TARGET (public macro)
+  #============================================================
+  #
+  MACRO(BISON_TARGET Name BisonInput BisonOutput)
+    SET(BISON_TARGET_output_header "")
+    #SET(BISON_TARGET_command_opt "")
+    SET(BISON_TARGET_cmdopt "")
+    SET(BISON_TARGET_outputs "${BisonOutput}")
+    IF(NOT ${ARGC} EQUAL 3 AND
+       NOT ${ARGC} EQUAL 5 AND
+       NOT ${ARGC} EQUAL 7 AND
+       NOT ${ARGC} EQUAL 9)
+      MESSAGE(SEND_ERROR "Usage")
+    ELSE()
+      # Parsing parameters
+      IF(${ARGC} GREATER 5 OR ${ARGC} EQUAL 5)
+        IF("${ARGV3}" STREQUAL "VERBOSE")
+          BISON_TARGET_option_verbose(${Name} ${BisonOutput} "${ARGV4}")
+        ENDIF()
+        IF("${ARGV3}" STREQUAL "COMPILE_FLAGS")
+          BISON_TARGET_option_extraopts("${ARGV4}")
+        ENDIF()
+        IF("${ARGV3}" STREQUAL "HEADER")
+          set(BISON_TARGET_output_header "${ARGV4}")
+        ENDIF()
+      ENDIF()
+
+      IF(${ARGC} GREATER 7 OR ${ARGC} EQUAL 7)
+        IF("${ARGV5}" STREQUAL "VERBOSE")
+          BISON_TARGET_option_verbose(${Name} ${BisonOutput} "${ARGV6}")
+        ENDIF()
+      
+        IF("${ARGV5}" STREQUAL "COMPILE_FLAGS")
+          BISON_TARGET_option_extraopts("${ARGV6}")
+        ENDIF()
+
+        IF("${ARGV5}" STREQUAL "HEADER")
+          set(BISON_TARGET_output_header "${ARGV6}")
+        ENDIF()
+      ENDIF()
+
+      IF(${ARGC} EQUAL 9)
+        IF("${ARGV7}" STREQUAL "VERBOSE")
+          BISON_TARGET_option_verbose(${Name} ${BisonOutput} "${ARGV8}")
+        ENDIF()
+      
+        IF("${ARGV7}" STREQUAL "COMPILE_FLAGS")
+          BISON_TARGET_option_extraopts("${ARGV8}")
+        ENDIF()
+
+        IF("${ARGV7}" STREQUAL "HEADER")
+          set(BISON_TARGET_output_header "${ARGV8}")
+        ENDIF()
+      ENDIF()
+
+      IF(BISON_TARGET_output_header)
+          # Header's name passed in as argument to be used in --defines option
+          LIST(APPEND BISON_TARGET_cmdopt
+               "--defines=${BISON_TARGET_output_header}")
+          set(BISON_${Name}_OUTPUT_HEADER ${BISON_TARGET_output_header})
+      ELSE()
+          # Header's name generated by bison (see option -d)
+          LIST(APPEND BISON_TARGET_cmdopt "-d")
+          STRING(REGEX REPLACE "^(.*)(\\.[^.]*)$" "\\2" _fileext "${ARGV2}")
+          STRING(REPLACE "c" "h" _fileext ${_fileext})
+          STRING(REGEX REPLACE "^(.*)(\\.[^.]*)$" "\\1${_fileext}" 
+              BISON_${Name}_OUTPUT_HEADER "${ARGV2}")
+      ENDIF()
+
+      LIST(APPEND BISON_TARGET_outputs "${BISON_${Name}_OUTPUT_HEADER}")
+        
+      ADD_CUSTOM_COMMAND(OUTPUT ${BISON_TARGET_outputs}
+        ${BISON_TARGET_extraoutputs}
+        COMMAND ${BISON_EXECUTABLE}
+        ARGS ${BISON_TARGET_cmdopt} -o ${ARGV2} ${ARGV1}
+        DEPENDS ${ARGV1}
+        COMMENT "[BISON][${Name}] Building parser with bison ${BISON_VERSION}"
+        WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR})
+    
+      # define target variables
+      SET(BISON_${Name}_DEFINED TRUE)
+      SET(BISON_${Name}_INPUT ${ARGV1})
+      SET(BISON_${Name}_OUTPUTS ${BISON_TARGET_outputs})
+      SET(BISON_${Name}_COMPILE_FLAGS ${BISON_TARGET_cmdopt})
+      SET(BISON_${Name}_OUTPUT_SOURCE "${BisonOutput}")
+
+    ENDIF(NOT ${ARGC} EQUAL 3 AND
+          NOT ${ARGC} EQUAL 5 AND
+          NOT ${ARGC} EQUAL 7 AND
+          NOT ${ARGC} EQUAL 9)
+  ENDMACRO(BISON_TARGET)
+  #
+  #============================================================
+
+ENDIF(BISON_EXECUTABLE)
+
+INCLUDE(FindPackageHandleStandardArgs)
+FIND_PACKAGE_HANDLE_STANDARD_ARGS(BISON DEFAULT_MSG BISON_EXECUTABLE)
+
+# FindBISON.cmake ends here
diff --git a/cmake/FindBinPAC.cmake b/cmake/FindBinPAC.cmake
new file mode 100644
index 0000000000..5cd1697bb3
--- /dev/null
+++ b/cmake/FindBinPAC.cmake
@@ -0,0 +1,53 @@
+# - Try to find BinPAC binary and library
+#
+# Usage of this module as follows:
+#
+#     find_package(BinPAC)
+#
+# Variables used by this module, they can change the default behaviour and need
+# to be set before calling find_package:
+#
+#  BinPAC_ROOT_DIR           Set this variable to the root installation of
+#                            BinPAC if the module has problems finding the
+#                            proper installation path.
+#
+# Variables defined by this module:
+#
+#  BINPAC_FOUND              System has BinPAC binary and library
+#  BinPAC_EXE                The binpac executable
+#  BinPAC_LIBRARY            The libbinpac.a library
+#  BinPAC_INCLUDE_DIR        The binpac headers
+
+# look for BinPAC in standard locations or user-provided root
+find_path(BinPAC_ROOT_DIR
+    NAMES include/binpac.h
+)
+
+find_file(BinPAC_EXE
+    NAMES binpac
+    HINTS ${BinPAC_ROOT_DIR}/bin
+)
+
+find_library(BinPAC_LIBRARY
+    NAMES libbinpac.a
+    HINTS ${BinPAC_ROOT_DIR}/lib
+)
+
+find_path(BinPAC_INCLUDE_DIR
+    NAMES binpac.h
+    HINTS ${BinPAC_ROOT_DIR}/include
+)
+
+include(FindPackageHandleStandardArgs)
+find_package_handle_standard_args(BinPAC DEFAULT_MSG
+    BinPAC_EXE
+    BinPAC_LIBRARY
+    BinPAC_INCLUDE_DIR
+)
+
+mark_as_advanced(
+    BinPAC_ROOT_DIR
+    BinPAC_EXE
+    BinPAC_LIBRARY
+    BinPAC_INCLUDE_DIR
+)
diff --git a/cmake/FindFLEX.cmake b/cmake/FindFLEX.cmake
new file mode 100644
index 0000000000..c56e8edad8
--- /dev/null
+++ b/cmake/FindFLEX.cmake
@@ -0,0 +1,179 @@
+# - Find flex executable and provides a macro to generate custom build rules
+#
+# The module defines the following variables:
+#  FLEX_FOUND - true is flex executable is found
+#  FLEX_EXECUTABLE - the path to the flex executable
+#  FLEX_VERSION - the version of flex
+#  FLEX_LIBRARIES - The flex libraries
+#
+# The minimum required version of flex can be specified using the
+# standard syntax, e.g. FIND_PACKAGE(FLEX 2.5.13)
+#
+#
+# If flex is found on the system, the module provides the macro:
+#  FLEX_TARGET(Name FlexInput FlexOutput [COMPILE_FLAGS <string>])
+# which creates a custom command  to generate the <FlexOutput> file from
+# the <FlexInput> file.  If  COMPILE_FLAGS option is specified, the next
+# parameter is added to the flex  command line. Name is an alias used to
+# get  details of  this custom  command.  Indeed the  macro defines  the
+# following variables:
+#  FLEX_${Name}_DEFINED - true is the macro ran successfully
+#  FLEX_${Name}_OUTPUTS - the source file generated by the custom rule, an
+#  alias for FlexOutput
+#  FLEX_${Name}_INPUT - the flex source file, an alias for ${FlexInput}
+#
+# Flex scanners oftenly use tokens  defined by Bison: the code generated
+# by Flex  depends of the header  generated by Bison.   This module also
+# defines a macro:
+#  ADD_FLEX_BISON_DEPENDENCY(FlexTarget BisonTarget)
+# which  adds the  required dependency  between a  scanner and  a parser
+# where  <FlexTarget>  and <BisonTarget>  are  the  first parameters  of
+# respectively FLEX_TARGET and BISON_TARGET macros.
+#
+#  ====================================================================
+#  Example:
+#
+#   find_package(BISON)
+#   find_package(FLEX)
+#
+#   BISON_TARGET(MyParser parser.y ${CMAKE_CURRENT_BINARY_DIR}/parser.cpp
+#   FLEX_TARGET(MyScanner lexer.l  ${CMAKE_CURRENT_BIANRY_DIR}/lexer.cpp)
+#   ADD_FLEX_BISON_DEPENDENCY(MyScanner MyParser)
+#
+#   include_directories(${CMAKE_CURRENT_BINARY_DIR})
+#   add_executable(Foo
+#      Foo.cc
+#      ${BISON_MyParser_OUTPUTS}
+#      ${FLEX_MyScanner_OUTPUTS}
+#   )
+#  ====================================================================
+
+#=============================================================================
+# Copyright 2009 Kitware, Inc.
+# Copyright 2006 Tristan Carel
+# Modified 2010 by Jon Siwek, backporting for CMake 2.6 compat
+#
+# Distributed under the OSI-approved BSD License (the "License"):
+# CMake - Cross Platform Makefile Generator
+# Copyright 2000-2009 Kitware, Inc., Insight Software Consortium
+# All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# * Redistributions of source code must retain the above copyright
+#   notice, this list of conditions and the following disclaimer.
+#
+# * Redistributions in binary form must reproduce the above copyright
+#   notice, this list of conditions and the following disclaimer in the
+#   documentation and/or other materials provided with the distribution.
+#
+# * Neither the names of Kitware, Inc., the Insight Software Consortium,
+#   nor the names of their contributors may be used to endorse or promote
+#   products derived from this software without specific prior written
+#   permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+# This software is distributed WITHOUT ANY WARRANTY; without even the
+# implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+# See the License for more information.
+#=============================================================================
+
+FIND_PROGRAM(FLEX_EXECUTABLE flex DOC "path to the flex executable")
+MARK_AS_ADVANCED(FLEX_EXECUTABLE)
+
+FIND_LIBRARY(FL_LIBRARY NAMES fl
+  DOC "path to the fl library")
+MARK_AS_ADVANCED(FL_LIBRARY)
+SET(FLEX_LIBRARIES ${FL_LIBRARY})
+
+IF(FLEX_EXECUTABLE)
+
+  EXECUTE_PROCESS(COMMAND ${FLEX_EXECUTABLE} --version
+    OUTPUT_VARIABLE FLEX_version_output
+    ERROR_VARIABLE FLEX_version_error
+    RESULT_VARIABLE FLEX_version_result
+    OUTPUT_STRIP_TRAILING_WHITESPACE)
+  IF(NOT ${FLEX_version_result} EQUAL 0)
+    IF(FLEX_FIND_REQUIRED)
+      MESSAGE(SEND_ERROR "Command \"${FLEX_EXECUTABLE} --version\" failed with output:\n${FLEX_version_output}\n${FLEX_version_error}")
+    ELSE()
+      MESSAGE("Command \"${FLEX_EXECUTABLE} --version\" failed with output:\n${FLEX_version_output}\n${FLEX_version_error}\nFLEX_VERSION will not be available")
+    ENDIF()
+  ELSE()
+    STRING(REGEX REPLACE "^flex (.*)$" "\\1"
+      FLEX_VERSION "${FLEX_version_output}")
+  ENDIF()
+
+  #============================================================
+  # FLEX_TARGET (public macro)
+  #============================================================
+  #
+  MACRO(FLEX_TARGET Name Input Output)
+    SET(FLEX_TARGET_usage "FLEX_TARGET(<Name> <Input> <Output> [COMPILE_FLAGS <string>]")
+    IF(${ARGC} GREATER 3)
+      IF(${ARGC} EQUAL 5)
+        IF("${ARGV3}" STREQUAL "COMPILE_FLAGS")
+          SET(FLEX_EXECUTABLE_opts  "${ARGV4}")
+          SEPARATE_ARGUMENTS(FLEX_EXECUTABLE_opts)
+        ELSE()
+          MESSAGE(SEND_ERROR ${FLEX_TARGET_usage})
+        ENDIF()
+      ELSE()
+        MESSAGE(SEND_ERROR ${FLEX_TARGET_usage})
+      ENDIF()
+    ENDIF()
+
+    ADD_CUSTOM_COMMAND(OUTPUT ${Output}
+      COMMAND ${FLEX_EXECUTABLE}
+      ARGS ${FLEX_EXECUTABLE_opts} -o${Output} ${Input}
+      DEPENDS ${Input}
+      COMMENT "[FLEX][${Name}] Building scanner with flex ${FLEX_VERSION}"
+      WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR})
+
+    SET(FLEX_${Name}_DEFINED TRUE)
+    SET(FLEX_${Name}_OUTPUTS ${Output})
+    SET(FLEX_${Name}_INPUT ${Input})
+    SET(FLEX_${Name}_COMPILE_FLAGS ${FLEX_EXECUTABLE_opts})
+  ENDMACRO(FLEX_TARGET)
+  #============================================================
+
+
+  #============================================================
+  # ADD_FLEX_BISON_DEPENDENCY (public macro)
+  #============================================================
+  #
+  MACRO(ADD_FLEX_BISON_DEPENDENCY FlexTarget BisonTarget)
+
+    IF(NOT FLEX_${FlexTarget}_OUTPUTS)
+      MESSAGE(SEND_ERROR "Flex target `${FlexTarget}' does not exists.")
+    ENDIF()
+
+    IF(NOT BISON_${BisonTarget}_OUTPUT_HEADER)
+      MESSAGE(SEND_ERROR "Bison target `${BisonTarget}' does not exists.")
+    ENDIF()
+
+    SET_SOURCE_FILES_PROPERTIES(${FLEX_${FlexTarget}_OUTPUTS}
+      PROPERTIES OBJECT_DEPENDS ${BISON_${BisonTarget}_OUTPUT_HEADER})
+  ENDMACRO(ADD_FLEX_BISON_DEPENDENCY)
+  #============================================================
+
+ENDIF(FLEX_EXECUTABLE)
+
+INCLUDE(FindPackageHandleStandardArgs)
+FIND_PACKAGE_HANDLE_STANDARD_ARGS(FLEX FLEX_EXECUTABLE
+                                       FLEX_VERSION)
+
+# FindFLEX.cmake ends here
diff --git a/cmake/FindGooglePerftools.cmake b/cmake/FindGooglePerftools.cmake
new file mode 100644
index 0000000000..7ddd5a532e
--- /dev/null
+++ b/cmake/FindGooglePerftools.cmake
@@ -0,0 +1,44 @@
+# - Try to find GooglePerftools headers and libraries
+#
+# Usage of this module as follows:
+#
+#     find_package(GooglePerftools)
+#
+# Variables used by this module, they can change the default behaviour and need
+# to be set before calling find_package:
+#
+#  GooglePerftools_ROOT_DIR  Set this variable to the root installation of
+#                            GooglePerftools if the module has problems finding 
+#                            the proper installation path.
+#
+# Variables defined by this module:
+#
+#  GOOGLEPERFTOOLS_FOUND              System has GooglePerftools libs/headers
+#  GooglePerftools_LIBRARIES          The GooglePerftools libraries
+#  GooglePerftools_INCLUDE_DIR        The location of GooglePerftools headers
+
+find_path(GooglePerftools_ROOT_DIR
+    NAMES include/google/heap-profiler.h
+)
+
+find_library(GooglePerftools_LIBRARIES
+    NAMES tcmalloc
+    HINTS ${GooglePerftools_ROOT_DIR}/lib
+)
+
+find_path(GooglePerftools_INCLUDE_DIR
+    NAMES google/heap-profiler.h
+    HINTS ${GooglePerftools_ROOT_DIR}/include
+)
+
+include(FindPackageHandleStandardArgs)
+find_package_handle_standard_args(GooglePerftools DEFAULT_MSG
+    GooglePerftools_LIBRARIES
+    GooglePerftools_INCLUDE_DIR
+)
+
+mark_as_advanced(
+    GooglePerftools_ROOT_DIR
+    GooglePerftools_LIBRARIES
+    GooglePerftools_INCLUDE_DIR
+)
diff --git a/cmake/FindLibGeoIP.cmake b/cmake/FindLibGeoIP.cmake
new file mode 100644
index 0000000000..618dba6463
--- /dev/null
+++ b/cmake/FindLibGeoIP.cmake
@@ -0,0 +1,52 @@
+# - Try to find GeoIP headers and libraries
+#
+# Usage of this module as follows:
+#
+#     find_package(LibGeoIP)
+#
+# Variables used by this module, they can change the default behaviour and need
+# to be set before calling find_package:
+#
+#  LibGeoIP_ROOT_DIR         Set this variable to the root installation of
+#                            libGeoIP if the module has problems finding the
+#                            proper installation path.
+#
+# Variables defined by this module:
+#
+#  LIBGEOIP_FOUND              System has GeoIP libraries and headers
+#  LibGeoIP_LIBRARY            The GeoIP library
+#  LibGeoIP_INCLUDE_DIR        The location of GeoIP headers
+
+find_path(LibGeoIP_ROOT_DIR
+    NAMES include/GeoIPCity.h
+)
+
+if (${CMAKE_SYSTEM_NAME} MATCHES "Darwin")
+    # the static version of the library is preferred on OS X for the
+    # purposes of making packages (libGeoIP doesn't ship w/ OS X)
+    set(libgeoip_names libGeoIp.a GeoIP)
+else ()
+    set(libgeoip_names GeoIP)
+endif ()
+
+find_library(LibGeoIP_LIBRARY
+    NAMES ${libgeoip_names}
+    HINTS ${LibGeoIP_ROOT_DIR}/lib
+)
+
+find_path(LibGeoIP_INCLUDE_DIR
+    NAMES GeoIPCity.h
+    HINTS ${LibGeoIP_ROOT_DIR}/include
+)
+
+include(FindPackageHandleStandardArgs)
+find_package_handle_standard_args(LibGeoIP DEFAULT_MSG
+    LibGeoIP_LIBRARY
+    LibGeoIP_INCLUDE_DIR
+)
+
+mark_as_advanced(
+    LibGeoIP_ROOT_DIR
+    LibGeoIP_LIBRARY
+    LibGeoIP_INCLUDE_DIR
+)
diff --git a/cmake/FindLibMagic.cmake b/cmake/FindLibMagic.cmake
new file mode 100644
index 0000000000..23cc7efe39
--- /dev/null
+++ b/cmake/FindLibMagic.cmake
@@ -0,0 +1,52 @@
+# - Try to find libmagic header and library
+#
+# Usage of this module as follows:
+#
+#     find_package(LibMagic)
+#
+# Variables used by this module, they can change the default behaviour and need
+# to be set before calling find_package:
+#
+#  LibMagic_ROOT_DIR         Set this variable to the root installation of
+#                            libmagic if the module has problems finding the
+#                            proper installation path.
+#
+# Variables defined by this module:
+#
+#  LIBMAGIC_FOUND              System has libmagic and magic.h
+#  LibMagic_LIBRARY            The libmagic library
+#  LibMagic_INCLUDE_DIR        The location of magic.h
+
+find_path(LibMagic_ROOT_DIR
+    NAMES include/magic.h
+)
+
+if (${CMAKE_SYSTEM_NAME} MATCHES "Darwin")
+    # the static version of the library is preferred on OS X for the
+    # purposes of making packages (libmagic doesn't ship w/ OS X)
+    set(libmagic_names libmagic.a magic)
+else ()
+    set(libmagic_names magic)
+endif ()
+
+find_library(LibMagic_LIBRARY
+    NAMES ${libmagic_names}
+    HINTS ${LibMagic_ROOT_DIR}/lib
+)
+
+find_path(LibMagic_INCLUDE_DIR
+    NAMES magic.h
+    HINTS ${LibMagic_ROOT_DIR}/include
+)
+
+include(FindPackageHandleStandardArgs)
+find_package_handle_standard_args(LibMagic DEFAULT_MSG
+    LibMagic_LIBRARY
+    LibMagic_INCLUDE_DIR
+)
+
+mark_as_advanced(
+    LibMagic_ROOT_DIR
+    LibMagic_LIBRARY
+    LibMagic_INCLUDE_DIR
+)
diff --git a/cmake/FindOpenSSL.cmake b/cmake/FindOpenSSL.cmake
new file mode 100644
index 0000000000..599a846f0a
--- /dev/null
+++ b/cmake/FindOpenSSL.cmake
@@ -0,0 +1,56 @@
+# - Try to find openssl include dirs and libraries 
+#
+# Usage of this module as follows:
+#
+#     find_package(OpenSSL)
+#
+# Variables used by this module, they can change the default behaviour and need
+# to be set before calling find_package:
+#
+#  OpenSSL_ROOT_DIR          Set this variable to the root installation of
+#                            openssl if the module has problems finding the
+#                            proper installation path.
+#
+# Variables defined by this module:
+#
+#  OPENSSL_FOUND             System has openssl, include and library dirs found
+#  OpenSSL_INCLUDE_DIR       The openssl include directories. 
+#  OpenSSL_LIBRARIES         The openssl libraries.
+#  OpenSSL_CYRPTO_LIBRARY    The openssl crypto library.
+#  OpenSSL_SSL_LIBRARY       The openssl ssl library.
+
+find_path(OpenSSL_ROOT_DIR
+    NAMES include/openssl/ssl.h
+)
+
+find_path(OpenSSL_INCLUDE_DIR
+    NAMES openssl/ssl.h
+    HINTS ${OpenSSL_ROOT_DIR}/include
+)
+
+find_library(OpenSSL_SSL_LIBRARY
+    NAMES ssl ssleay32 ssleay32MD
+    HINTS ${OpenSSL_ROOT_DIR}/lib
+)
+
+find_library(OpenSSL_CRYPTO_LIBRARY
+    NAMES crypto
+    HINTS ${OpenSSL_ROOT_DIR}/lib
+)
+
+set(OpenSSL_LIBRARIES ${OpenSSL_SSL_LIBRARY} ${OpenSSL_CRYPTO_LIBRARY}
+    CACHE STRING "OpenSSL SSL and crypto libraries" FORCE)
+
+include(FindPackageHandleStandardArgs)
+find_package_handle_standard_args(OpenSSL DEFAULT_MSG
+    OpenSSL_LIBRARIES
+    OpenSSL_INCLUDE_DIR
+)
+
+mark_as_advanced(
+    OpenSSL_ROOT_DIR
+    OpenSSL_INCLUDE_DIR
+    OpenSSL_LIBRARIES
+    OpenSSL_CRYPTO_LIBRARY
+    OpenSSL_SSL_LIBRARY
+)
diff --git a/cmake/FindPCAP.cmake b/cmake/FindPCAP.cmake
new file mode 100644
index 0000000000..61ce602821
--- /dev/null
+++ b/cmake/FindPCAP.cmake
@@ -0,0 +1,44 @@
+# - Try to find libpcap include dirs and libraries 
+#
+# Usage of this module as follows:
+#
+#     find_package(PCAP)
+#
+# Variables used by this module, they can change the default behaviour and need
+# to be set before calling find_package:
+#
+#  PCAP_ROOT_DIR             Set this variable to the root installation of
+#                            libpcap if the module has problems finding the
+#                            proper installation path.
+#
+# Variables defined by this module:
+#
+#  PCAP_FOUND                System has libpcap, include and library dirs found
+#  PCAP_INCLUDE_DIR          The libpcap include directories. 
+#  PCAP_LIBRARY              The libpcap library.
+
+find_path(PCAP_ROOT_DIR
+    NAMES include/pcap.h
+)
+
+find_path(PCAP_INCLUDE_DIR
+    NAMES pcap.h
+    HINTS ${PCAP_ROOT_DIR}/include
+)
+
+find_library(PCAP_LIBRARY
+    NAMES pcap
+    HINTS ${PCAP_ROOT_DIR}/lib
+)
+
+include(FindPackageHandleStandardArgs)
+find_package_handle_standard_args(PCAP DEFAULT_MSG
+    PCAP_LIBRARY
+    PCAP_INCLUDE_DIR
+)
+
+mark_as_advanced(
+    PCAP_ROOT_DIR
+    PCAP_INCLUDE_DIR
+    PCAP_LIBRARY
+)
diff --git a/cmake/FindRequiredPackage.cmake b/cmake/FindRequiredPackage.cmake
new file mode 100644
index 0000000000..ff76b646cc
--- /dev/null
+++ b/cmake/FindRequiredPackage.cmake
@@ -0,0 +1,44 @@
+# A wrapper macro around the standard CMake find_package macro that
+# facilitates displaying better error messages by default, or even
+# accepting custom error messages on a per package basis.
+#
+# If a package is not found, then the MISSING_PREREQS variable gets
+# set to true and either a default or custom error message appended
+# to MISSING_PREREQ_DESCS.
+#
+# The caller can use these variables to display a list of any missing
+# packages and abort the build/configuration if there were any.
+# 
+# Use as follows:
+#
+# include(FindRequiredPackage)
+# FindRequiredPackage(Perl)
+# FindRequiredPackage(FLEX "You need to install flex (Fast Lexical Analyzer)")
+#
+# if (MISSING_PREREQS)
+#    foreach (prereq ${MISSING_PREREQ_DESCS})
+#        message(SEND_ERROR ${prereq})
+#    endforeach ()
+#    message(FATAL_ERROR "Configuration aborted due to missing prerequisites")
+# endif ()
+
+macro(FindRequiredPackage packageName)
+    find_package(${packageName})
+    string(TOUPPER ${packageName} canonPackageName)
+    if (NOT ${canonPackageName}_FOUND)
+        set(MISSING_PREREQS true)
+
+        set(customDesc)
+        foreach (descArg ${ARGN})
+            set(customDesc "${customDesc} ${descArg}")
+        endforeach ()
+
+        if (customDesc)
+            # append the custom error message that was provided as an argument
+            list(APPEND MISSING_PREREQ_DESCS ${customDesc})
+        else ()
+            list(APPEND MISSING_PREREQ_DESCS
+                 " Could not find prerequisite package '${packageName}'")
+        endif ()
+    endif ()
+endmacro(FindRequiredPackage)
diff --git a/cmake/InstallClobberImmune.cmake b/cmake/InstallClobberImmune.cmake
new file mode 100644
index 0000000000..77da312ef2
--- /dev/null
+++ b/cmake/InstallClobberImmune.cmake
@@ -0,0 +1,20 @@
+# Determines at `make install` time if a file, typically a configuration
+# file placed in $PREFIX/etc, shouldn't be installed to prevent overwrite
+# of an existing file.
+#
+# _srcfile: the file to install
+# _dstfile: the absolute file name after installation
+
+macro(InstallClobberImmune _srcfile _dstfile)
+    install(CODE "
+        if (EXISTS ${_dstfile})
+            message(STATUS \"Skipping: ${_dstfile} (already exists)\")
+        else ()
+            message(STATUS \"Installing: ${_dstfile}\")
+            # install() is not scriptable within install(), and
+            # configure_file() is the next best thing
+            configure_file(${_srcfile} ${_dstfile} COPY_ONLY)
+            # TODO: create additional install_manifest files?
+        endif ()
+    ")
+endmacro(InstallClobberImmune)
diff --git a/cmake/InstallPackageConfigFile.cmake b/cmake/InstallPackageConfigFile.cmake
new file mode 100644
index 0000000000..65a1724ea4
--- /dev/null
+++ b/cmake/InstallPackageConfigFile.cmake
@@ -0,0 +1,39 @@
+include(InstallClobberImmune)
+
+# This macro can be used to install configuration files which
+# users are expected to modify after installation.  It will:
+#
+#   - Always install one version of the file with a .example suffix
+#   - If binary packaging is enabled:
+#     Install the file in the typical CMake fashion, but append to the
+#     INSTALLED_CONFIG_FILES cache variable for use with the Mac package's
+#     pre/post install scripts
+#   - If binary packaging is not enabled:
+#     Install the script in a way such that it will check at `make install`
+#     time whether the file does not exist.  See InstallClobberImmune.cmake
+#
+#   _srcfile: the absolute path to the file to install
+#   _dstdir: absolute path to the directory in which to install the file
+#   _dstfilename: how to (re)name the file inside _dstdir
+
+macro(InstallPackageConfigFile _srcfile _dstdir _dstfilename)
+    set(_dstfile ${_dstdir}/${_dstfilename})
+
+    # Always install the latest version of the file renamed as an example
+    install(FILES ${_srcfile} DESTINATION ${_dstdir}
+            RENAME ${_dstfilename}.example)
+
+    if (BINARY_PACKAGING_MODE)
+        # If packaging mode is enabled, always install the distribution's
+        # version of the file.  The Mac package's pre/post install scripts
+        # or native functionality of RPMs will take care of not clobbering it.
+        install(FILES ${_srcfile} DESTINATION ${_dstdir} RENAME ${_dstfilename})
+        # This cache variable is what the Mac package pre/post install scripts
+        # use to avoid clobbering user-modified config files
+        set(INSTALLED_CONFIG_FILES
+            "${INSTALLED_CONFIG_FILES} ${_dstfile}" CACHE STRING "" FORCE)
+    else ()
+        # Have `make install` check at run time whether the file does not exist
+        InstallClobberImmune(${_srcfile} ${_dstfile})
+    endif ()
+endmacro(InstallPackageConfigFile)
diff --git a/cmake/MAC_PACKAGE_INTRO b/cmake/MAC_PACKAGE_INTRO
new file mode 100644
index 0000000000..ef37e62a1a
--- /dev/null
+++ b/cmake/MAC_PACKAGE_INTRO
@@ -0,0 +1,20 @@
+This package will install @CMAKE_PROJECT_NAME@ into the following location:
+
+    @CMAKE_INSTALL_PREFIX@
+
+You may choose to update your PATH environment variable:
+
+    # For Bash
+    export PATH=@CMAKE_INSTALL_PREFIX@/bin:$PATH
+
+    # For CSH
+    setenv PATH @CMAKE_INSTALL_PREFIX@/bin:$PATH
+ 
+If you have more than one volume, please choose the install
+destination as the one that contains the root filesystem.
+
+If you have existing configuration files that are modified or
+otherwise different from the version included in the package,
+this installer will attempt to prevent overwirting them,
+but its also advisable to make your own backups of important
+files before proceeding.
diff --git a/cmake/MacDependencyPaths.cmake b/cmake/MacDependencyPaths.cmake
new file mode 100644
index 0000000000..9a8c6efc6a
--- /dev/null
+++ b/cmake/MacDependencyPaths.cmake
@@ -0,0 +1,10 @@
+if (NOT _MAC_DEPENDENCY_PATHS)
+set(_MAC_DEPENDENCY_PATHS)
+    # As of CMake 2.8.3, Fink and MacPorts search paths are appended to the
+    # default search prefix paths, but the nicer thing would be if they are
+    # prepended to the default, so that is fixed here.
+    if (APPLE) 
+        list(INSERT CMAKE_SYSTEM_PREFIX_PATH 0 /opt/local) # MacPorts
+        list(INSERT CMAKE_SYSTEM_PREFIX_PATH 0 /sw)        # Fink
+    endif ()
+endif ()
diff --git a/cmake/MiscTests.cmake b/cmake/MiscTests.cmake
new file mode 100644
index 0000000000..da46dd83d7
--- /dev/null
+++ b/cmake/MiscTests.cmake
@@ -0,0 +1,34 @@
+include(CheckCXXSourceCompiles)
+include(CheckCSourceCompiles)
+
+# This autoconf variable is obsolete; it's portable to assume C89 and signal
+# handlers returning void
+set(RETSIGTYPE "void")
+set(RETSIGVAL "")
+
+check_c_source_compiles("
+    #include <sys/types.h>
+    #include <sys/socket.h>
+    extern int socket(int, int, int);
+    extern int connect(int, const struct sockaddr *, int);
+    extern int send(int, const void *, int, int);
+    extern int recvfrom(int, void *, int, int, struct sockaddr *, int *);
+    int main() { return 0; }
+" DO_SOCK_DECL)
+if (DO_SOCK_DECL)
+    message(STATUS "socket() and friends need explicit declaration")
+endif ()
+
+check_cxx_source_compiles("
+    #include <stdlib.h>
+    #include <syslog.h>
+    extern \"C\" {
+        int openlog(const char* ident, int logopt, int facility);
+        int syslog(int priority, const char* message_fmt, ...);
+        int closelog();
+    }
+    int main() { return 0; }
+" SYSLOG_INT)
+if (SYSLOG_INT)
+    message(STATUS "syslog prototypes need declaration")
+endif ()
diff --git a/cmake/OSSpecific.cmake b/cmake/OSSpecific.cmake
new file mode 100644
index 0000000000..03788813c3
--- /dev/null
+++ b/cmake/OSSpecific.cmake
@@ -0,0 +1,66 @@
+if (${CMAKE_SYSTEM_NAME} MATCHES "FreeBSD")
+    # alternate malloc is faster for FreeBSD, but needs more testing
+    # need to add way to set this from the command line
+    set(USE_NMALLOC true)
+
+elseif (${CMAKE_SYSTEM_NAME} MATCHES "OpenBSD")
+    set(USE_NMALLOC true)
+
+elseif (${CMAKE_SYSTEM_NAME} MATCHES "Darwin")
+
+elseif (${CMAKE_SYSTEM_NAME} MATCHES "Linux")
+    set(HAVE_LINUX true)
+
+elseif (${CMAKE_SYSTEM_NAME} MATCHES "Solaris")
+    set(SOCKET_LIBS nsl socket)
+
+elseif (${CMAKE_SYSTEM_NAME} MATCHES "osf")
+    # Workaround ip_hl vs. ip_vhl problem in netinet/ip.h
+    add_definitions(-D__STDC__=2)
+
+elseif (${CMAKE_SYSTEM_NAME} MATCHES "irix")
+    list(APPEND CMAKE_C_FLAGS -xansi -signed -g3)
+    list(APPEND CMAKE_CXX_FLAGS -xansi -signed -g3)
+
+elseif (${CMAKE_SYSTEM_NAME} MATCHES "ultrix")
+    list(APPEND CMAKE_C_FLAGS -std1 -g3)
+    list(APPEND CMAKE_CXX_FLAGS -std1 -g3)
+    include(CheckCSourceCompiles)
+    check_c_source_compiles("
+        #include <sys/types.h>
+        int main() {
+            void c(const struct a *);
+            return 0;
+        }
+    " have_ultrix_const)
+    if (NOT have_ultrix_const)
+        set(NEED_ULTRIX_CONST_HACK true)
+    endif ()
+
+elseif (${CMAKE_SYSTEM_NAME} MATCHES "hpux" OR
+        ${CMAKE_SYSTEM_NAME} MATCHES "HP-UX")
+    include(CheckCSourceCompiles)
+    set(CMAKE_REQUIRED_FLAGS -Aa)
+    set(CMAKE_REQUIRED_DEFINITIONS -D_HPUX_SOURCE)
+    check_c_source_compiles("
+        #include <sys/types.h>
+        int main() {
+            int frob(int, char *);
+            return 0;
+        }
+    " have_ansi_prototypes)
+    set(CMAKE_REQUIRED_FLAGS)
+    set(CMAKE_REQUIRED_DEFINITIONS)
+
+    if (have_ansi_prototypes)
+        add_definitions(-D_HPUX_SOURCE)
+        list(APPEND CMAKE_C_FLAGS -Aa)
+        list(APPEND CMAKE_CXX_FLAGS -Aa)
+    endif ()
+
+    if (NOT have_ansi_prototypes)
+        message(FATAL_ERROR "Can't get HPUX compiler to handle ANSI prototypes")
+    endif ()
+endif ()
+
+
diff --git a/cmake/OpenSSLTests.cmake b/cmake/OpenSSLTests.cmake
new file mode 100644
index 0000000000..1b418135e4
--- /dev/null
+++ b/cmake/OpenSSLTests.cmake
@@ -0,0 +1,72 @@
+include(CheckCSourceCompiles)
+include(CheckCXXSourceCompiles)
+
+set(CMAKE_REQUIRED_LIBRARIES ${OpenSSL_LIBRARIES})
+set(CMAKE_REQUIRED_INCLUDES ${OpenSSL_INCLUDE_DIR})
+
+check_c_source_compiles("
+    #include <openssl/ssl.h>
+    int main() { return 0; }
+" including_ssl_h_works)
+
+if (NOT including_ssl_h_works)
+    # On Red Hat we may need to include Kerberos header.
+    set(CMAKE_REQUIRED_INCLUDES ${OpenSSL_INCLUDE_DIR} /usr/kerberos/include)
+    check_c_source_compiles("
+        #include <krb5.h>
+        #include <openssl/ssl.h>
+        int main() { return 0; }
+    " NEED_KRB5_H)
+    set(CMAKE_REQUIRED_INCLUDES ${OpenSSL_INCLUDE_DIR})
+    if (NOT NEED_KRB5_H)
+        message(FATAL_ERROR
+            "OpenSSL test failure.  See CmakeError.log for details.")
+    else ()
+        message(STATUS "OpenSSL requires Kerberos header")
+        include_directories("/usr/kerberos/include")
+    endif ()
+endif ()
+
+# check for OPENSSL_add_all_algorithms_conf function
+# and thus OpenSSL >= v0.9.7
+check_c_source_compiles("
+    #include <openssl/evp.h>
+    int main() {
+        OPENSSL_add_all_algorithms_conf();
+        return 0;
+    }
+" openssl_greater_than_0_9_7)
+
+if (NOT openssl_greater_than_0_9_7)
+    message(FATAL_ERROR "OpenSSL >= v0.9.7 required")
+endif ()
+
+check_cxx_source_compiles("
+#include <openssl/x509.h>
+    int main() {
+        const unsigned char** cpp = 0;
+        X509** x =0;
+        d2i_X509(x, cpp, 0);
+        return 0;
+    }
+" OPENSSL_D2I_X509_USES_CONST_CHAR)
+
+if (NOT OPENSSL_D2I_X509_USES_CONST_CHAR)
+    # double check that it compiles without const
+    check_cxx_source_compiles("
+        #include <openssl/x509.h>
+        int main() {
+            unsigned char** cpp = 0;
+            X509** x =0;
+            d2i_X509(x, cpp, 0);
+            return 0;
+        }
+        " OPENSSL_D2I_X509_USES_CHAR)
+    if (NOT OPENSSL_D2I_X509_USES_CHAR)
+        message(FATAL_ERROR
+            "Can't determine if openssl_d2i_x509() takes const char parameter")
+    endif ()
+endif ()
+
+set(CMAKE_REQUIRED_INCLUDES)
+set(CMAKE_REQUIRED_LIBRARIES)
diff --git a/cmake/PCAPTests.cmake b/cmake/PCAPTests.cmake
new file mode 100644
index 0000000000..1b62d3ab57
--- /dev/null
+++ b/cmake/PCAPTests.cmake
@@ -0,0 +1,63 @@
+include(CheckFunctionExists)
+include(CheckCSourceCompiles)
+include(CheckIncludeFiles)
+
+set(CMAKE_REQUIRED_INCLUDES ${PCAP_INCLUDE_DIR})
+set(CMAKE_REQUIRED_LIBRARIES ${PCAP_LIBRARY})
+
+check_include_files(pcap-int.h HAVE_PCAP_INT_H)
+
+check_function_exists(pcap_freecode HAVE_LIBPCAP_PCAP_FREECODE)
+if (NOT HAVE_LIBPCAP_PCAP_FREECODE)
+    set(DONT_HAVE_LIBPCAP_PCAP_FREECODE true)
+    message(STATUS "No implementation for pcap_freecode()")
+endif ()
+
+check_c_source_compiles("
+#include <pcap.h>
+int main () {
+    int snaplen;
+    int linktype;
+    struct bpf_program fp;
+    int optimize;
+    bpf_u_int32 netmask;
+    char str[10];
+    char error[1024];
+    snaplen = 50;
+    linktype = DLT_EN10MB;
+    optimize = 1;
+    netmask = 0L;
+    str[0] = 'i'; str[1] = 'p'; str[2] = '\\\\0';
+    (void)pcap_compile_nopcap(
+        snaplen, linktype, &fp, str, optimize, netmask, &error);
+    return 0;
+}
+" LIBPCAP_PCAP_COMPILE_NOPCAP_HAS_ERROR_PARAMETER)
+if (NOT LIBPCAP_PCAP_COMPILE_NOPCAP_HAS_ERROR_PARAMETER)
+    # double check
+    check_c_source_compiles("
+#include <pcap.h>
+int main () {
+    int snaplen;
+    int linktype;
+    struct bpf_program fp;
+    int optimize;
+    bpf_u_int32 netmask;
+    char str[10];
+    snaplen = 50;
+    linktype = DLT_EN10MB;
+    optimize = 1;
+    netmask = 0L;
+    str[0] = 'i'; str[1] = 'p'; str[2] = '\\\\0';
+    (void)pcap_compile_nopcap(snaplen, linktype, &fp, str, optimize, netmask);
+    return 0;
+}
+" LIBPCAP_PCAP_COMPILE_NOPCAP_NO_ERROR_PARAMETER)
+    if (NOT LIBPCAP_PCAP_COMPILE_NOPCAP_NO_ERROR_PARAMETER)
+        message(FATAL_ERROR
+            "Can't determine if pcap_compile_nopcap takes an error parameter")
+    endif ()
+endif ()
+
+set(CMAKE_REQUIRED_INCLUDES)
+set(CMAKE_REQUIRED_LIBRARIES)
diff --git a/cmake/cmake_uninstall.cmake.in b/cmake/cmake_uninstall.cmake.in
new file mode 100644
index 0000000000..bed4da63d3
--- /dev/null
+++ b/cmake/cmake_uninstall.cmake.in
@@ -0,0 +1,35 @@
+function(uninstall_manifest manifestPath)
+    file(READ "${manifestPath}" files)
+    string(REGEX REPLACE "\n" ";" files "${files}")
+    foreach (file ${files})
+        set(fileName $ENV{DESTDIR}${file})
+
+        if (EXISTS "${fileName}" OR IS_SYMLINK "${fileName}")
+            message(STATUS "Uninstalling: ${fileName}")
+
+            execute_process(
+                COMMAND "@CMAKE_COMMAND@" -E remove "${fileName}"
+                OUTPUT_VARIABLE rm_out
+                RESULT_VARIABLE rm_retval
+            )
+
+            if (NOT ${rm_retval} EQUAL 0)
+                message(FATAL_ERROR "Problem when removing: ${fileName}")
+            endif ()
+        else ()
+            message(STATUS "Does not exist: ${fileName}")
+        endif ()
+
+    endforeach ()
+endfunction(uninstall_manifest)
+
+file(GLOB install_manifests @CMAKE_CURRENT_BINARY_DIR@/install_manifest*.txt)
+
+if (install_manifests)
+    foreach (manifest ${install_manifests})
+        uninstall_manifest(${manifest})
+    endforeach ()
+else ()
+    message(FATAL_ERROR "Cannot find any install manifests in: "
+                        "\"@CMAKE_CURRENT_BINARY_DIR@/install_manifest*.txt\"")
+endif ()
diff --git a/cmake/package_postupgrade.sh.in b/cmake/package_postupgrade.sh.in
new file mode 100755
index 0000000000..4e199d005c
--- /dev/null
+++ b/cmake/package_postupgrade.sh.in
@@ -0,0 +1,60 @@
+#!/bin/sh
+
+# This script is meant to be used by binary packages post-installation.
+# Variables between @ symbols are replaced by CMake at configure time.
+
+backupNamesFile=/tmp/bro_install_backups
+version=@VERSION@
+sampleFiles=""
+
+# check whether it's safe to remove backup configuration files that
+# the most recent package install created
+
+if [ -e ${backupNamesFile} ]; then
+    backupFileList=`cat ${backupNamesFile}`
+
+    for backupFile in ${backupFileList}; do
+        origFileName=`echo ${backupFile} | sed 's/\(.*\)\..*/\1/'`
+
+        diff ${origFileName} ${backupFile} > /dev/null 2>&1
+
+        if [ $? -eq 0 ]; then
+            # if the installed version and the backup version don't differ
+            # then we can remove the backup version
+            rm ${backupFile}
+        else
+            # The backup file differs from the newly installed version,
+            # since we can't tell if the backup version has been modified
+            # by the user, we should restore it to its original location
+            # and rename the new version appropriately.
+
+            sampleFiles="${sampleFiles}\n${origFileName}.example"
+
+            mv ${backupFile} ${origFileName}
+        fi
+
+    done
+
+    rm ${backupNamesFile}
+fi
+
+if [ -n "${sampleFiles}" ]; then
+# Use some apple script to display a message to user
+/usr/bin/osascript << EOF
+    tell application "System Events"
+        activate
+        display alert "Existing configuration files differ from the ones that would be installed by this package.  To avoid overwriting configuration which you may have modified, the following new config files have been installed:\n${sampleFiles}\n\nIf you have previously modified configuration files, please make sure that they are still compatible, else you should update your config files to the new versions."
+    end tell
+EOF
+fi
+
+# Set up world writeable spool and logs directory for broctl, making sure
+# to set the sticky bit so that unprivileged users can't rename/remove files.
+# (CMake/CPack is supposed to install them, but has problems with empty dirs)
+if [ -n "@EMPTY_WORLD_DIRS@" ]; then
+    for dir in "@EMPTY_WORLD_DIRS@"; do
+        mkdir -p ${dir}
+        chmod 777 ${dir}
+        chmod +t ${dir}
+    done
+fi
diff --git a/cmake/package_preinstall.sh.in b/cmake/package_preinstall.sh.in
new file mode 100755
index 0000000000..749b01fdfc
--- /dev/null
+++ b/cmake/package_preinstall.sh.in
@@ -0,0 +1,34 @@
+#!/bin/sh
+
+# This script is meant to be used by binary packages pre-installation.
+# Variables between @ symbols are replaced by CMake at configure time.
+
+configFiles="@INSTALLED_CONFIG_FILES@"
+backupNamesFile=/tmp/bro_install_backups
+
+# Checks if a config file exists in a default location and makes a backup
+# so that a modified version is not clobbered
+backupFile () {
+    origFile="$1"
+
+    if [ -e ${origFile} ]; then
+        # choose a file suffix that doesn't already exist
+        ver=1
+        while [ -e ${origFile}.${ver} ]; do
+            ver=$(( ver + 1 ))
+        done
+
+        backupFile=${origFile}.${ver}
+
+        cp -p ${origFile} ${backupFile}
+
+        # the post upgrade script will check whether the installed
+        # config file actually differs from existing version
+        # and delete unnecessary backups
+        echo "${backupFile}" >> ${backupNamesFile}
+    fi
+}
+
+for file in ${configFiles}; do
+    backupFile "${file}"
+done
diff --git a/compile b/compile
deleted file mode 100755
index a81e000ae1..0000000000
--- a/compile
+++ /dev/null
@@ -1,136 +0,0 @@
-#! /bin/sh
-# Wrapper for compilers which do not understand `-c -o'.
-
-scriptversion=2003-11-09.00
-
-# Copyright (C) 1999, 2000, 2003 Free Software Foundation, Inc.
-# Written by Tom Tromey <tromey@cygnus.com>.
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2, or (at your option)
-# any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
-
-# As a special exception to the GNU General Public License, if you
-# distribute this file as part of a program that contains a
-# configuration script generated by Autoconf, you may include it under
-# the same distribution terms that you use for the rest of that program.
-
-# This file is maintained in Automake, please report
-# bugs to <bug-automake@gnu.org> or send patches to
-# <automake-patches@gnu.org>.
-
-case $1 in
-  '')
-     echo "$0: No command.  Try \`$0 --help' for more information." 1>&2
-     exit 1;
-     ;;
-  -h | --h*)
-    cat <<\EOF
-Usage: compile [--help] [--version] PROGRAM [ARGS]
-
-Wrapper for compilers which do not understand `-c -o'.
-Remove `-o dest.o' from ARGS, run PROGRAM with the remaining
-arguments, and rename the output as expected.
-
-If you are trying to build a whole package this is not the
-right script to run: please start by reading the file `INSTALL'.
-
-Report bugs to <bug-automake@gnu.org>.
-EOF
-    exit 0
-    ;;
-  -v | --v*)
-    echo "compile $scriptversion"
-    exit 0
-    ;;
-esac
-
-
-prog=$1
-shift
-
-ofile=
-cfile=
-args=
-while test $# -gt 0; do
-  case "$1" in
-    -o)
-      # configure might choose to run compile as `compile cc -o foo foo.c'.
-      # So we do something ugly here.
-      ofile=$2
-      shift
-      case "$ofile" in
-	*.o | *.obj)
-	  ;;
-	*)
-	  args="$args -o $ofile"
-	  ofile=
-	  ;;
-      esac
-       ;;
-    *.c)
-      cfile=$1
-      args="$args $1"
-      ;;
-    *)
-      args="$args $1"
-      ;;
-  esac
-  shift
-done
-
-if test -z "$ofile" || test -z "$cfile"; then
-  # If no `-o' option was seen then we might have been invoked from a
-  # pattern rule where we don't need one.  That is ok -- this is a
-  # normal compilation that the losing compiler can handle.  If no
-  # `.c' file was seen then we are probably linking.  That is also
-  # ok.
-  exec "$prog" $args
-fi
-
-# Name of file we expect compiler to create.
-cofile=`echo $cfile | sed -e 's|^.*/||' -e 's/\.c$/.o/'`
-
-# Create the lock directory.
-# Note: use `[/.-]' here to ensure that we don't use the same name
-# that we are using for the .o file.  Also, base the name on the expected
-# object file name, since that is what matters with a parallel build.
-lockdir=`echo $cofile | sed -e 's|[/.-]|_|g'`.d
-while true; do
-  if mkdir $lockdir > /dev/null 2>&1; then
-    break
-  fi
-  sleep 1
-done
-# FIXME: race condition here if user kills between mkdir and trap.
-trap "rmdir $lockdir; exit 1" 1 2 15
-
-# Run the compile.
-"$prog" $args
-status=$?
-
-if test -f "$cofile"; then
-  mv "$cofile" "$ofile"
-fi
-
-rmdir $lockdir
-exit $status
-
-# Local Variables:
-# mode: shell-script
-# sh-indentation: 2
-# eval: (add-hook 'write-file-hooks 'time-stamp)
-# time-stamp-start: "scriptversion="
-# time-stamp-format: "%:y-%02m-%02d.%02H"
-# time-stamp-end: "$"
-# End:
diff --git a/config.guess b/config.guess
deleted file mode 100755
index 6bdac8d7b6..0000000000
--- a/config.guess
+++ /dev/null
@@ -1,1388 +0,0 @@
-#! /bin/sh
-# Attempt to guess a canonical system name.
-#   Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
-#   2000, 2001, 2002, 2003 Free Software Foundation, Inc.
-
-timestamp='2003-05-09'
-
-# This file is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-# General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
-#
-# As a special exception to the GNU General Public License, if you
-# distribute this file as part of a program that contains a
-# configuration script generated by Autoconf, you may include it under
-# the same distribution terms that you use for the rest of that program.
-
-# Originally written by Per Bothner <per@bothner.com>.
-# Please send patches to <config-patches@gnu.org>.  Submit a context
-# diff and a properly formatted ChangeLog entry.
-#
-# This script attempts to guess a canonical system name similar to
-# config.sub.  If it succeeds, it prints the system name on stdout, and
-# exits with 0.  Otherwise, it exits with 1.
-#
-# The plan is that this can be called by configure scripts if you
-# don't specify an explicit build system type.
-
-me=`echo "$0" | sed -e 's,.*/,,'`
-
-usage="\
-Usage: $0 [OPTION]
-
-Output the configuration name of the system \`$me' is run on.
-
-Operation modes:
-  -h, --help         print this help, then exit
-  -t, --time-stamp   print date of last modification, then exit
-  -v, --version      print version number, then exit
-
-Report bugs and patches to <config-patches@gnu.org>."
-
-version="\
-GNU config.guess ($timestamp)
-
-Originally written by Per Bothner.
-Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001
-Free Software Foundation, Inc.
-
-This is free software; see the source for copying conditions.  There is NO
-warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
-
-help="
-Try \`$me --help' for more information."
-
-# Parse command line
-while test $# -gt 0 ; do
-  case $1 in
-    --time-stamp | --time* | -t )
-       echo "$timestamp" ; exit 0 ;;
-    --version | -v )
-       echo "$version" ; exit 0 ;;
-    --help | --h* | -h )
-       echo "$usage"; exit 0 ;;
-    -- )     # Stop option processing
-       shift; break ;;
-    - )	# Use stdin as input.
-       break ;;
-    -* )
-       echo "$me: invalid option $1$help" >&2
-       exit 1 ;;
-    * )
-       break ;;
-  esac
-done
-
-if test $# != 0; then
-  echo "$me: too many arguments$help" >&2
-  exit 1
-fi
-
-trap 'exit 1' 1 2 15
-
-# CC_FOR_BUILD -- compiler used by this script. Note that the use of a
-# compiler to aid in system detection is discouraged as it requires
-# temporary files to be created and, as you can see below, it is a
-# headache to deal with in a portable fashion.
-
-# Historically, `CC_FOR_BUILD' used to be named `HOST_CC'. We still
-# use `HOST_CC' if defined, but it is deprecated.
-
-# Portable tmp directory creation inspired by the Autoconf team.
-
-set_cc_for_build='
-trap "exitcode=\$?; (rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null) && exit \$exitcode" 0 ;
-trap "rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null; exit 1" 1 2 13 15 ;
-: ${TMPDIR=/tmp} ;
- { tmp=`(umask 077 && mktemp -d -q "$TMPDIR/cgXXXXXX") 2>/dev/null` && test -n "$tmp" && test -d "$tmp" ; } ||
- { test -n "$RANDOM" && tmp=$TMPDIR/cg$$-$RANDOM && (umask 077 && mkdir $tmp) ; } ||
- { echo "$me: cannot create a temporary directory in $TMPDIR" >&2 ; exit 1 ; } ;
-dummy=$tmp/dummy ;
-tmpfiles="$dummy.c $dummy.o $dummy.rel $dummy" ;
-case $CC_FOR_BUILD,$HOST_CC,$CC in
- ,,)    echo "int x;" > $dummy.c ;
-	for c in cc gcc c89 c99 ; do
-	  if ($c -c -o $dummy.o $dummy.c) >/dev/null 2>&1 ; then
-	     CC_FOR_BUILD="$c"; break ;
-	  fi ;
-	done ;
-	if test x"$CC_FOR_BUILD" = x ; then
-	  CC_FOR_BUILD=no_compiler_found ;
-	fi
-	;;
- ,,*)   CC_FOR_BUILD=$CC ;;
- ,*,*)  CC_FOR_BUILD=$HOST_CC ;;
-esac ;'
-
-# This is needed to find uname on a Pyramid OSx when run in the BSD universe.
-# (ghazi@noc.rutgers.edu 1994-08-24)
-if (test -f /.attbin/uname) >/dev/null 2>&1 ; then
-	PATH=$PATH:/.attbin ; export PATH
-fi
-
-UNAME_MACHINE=`(uname -m) 2>/dev/null` || UNAME_MACHINE=unknown
-UNAME_RELEASE=`(uname -r) 2>/dev/null` || UNAME_RELEASE=unknown
-UNAME_SYSTEM=`(uname -s) 2>/dev/null`  || UNAME_SYSTEM=unknown
-UNAME_VERSION=`(uname -v) 2>/dev/null` || UNAME_VERSION=unknown
-
-# Note: order is significant - the case branches are not exclusive.
-
-case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
-    *:NetBSD:*:*)
-	# NetBSD (nbsd) targets should (where applicable) match one or
-	# more of the tupples: *-*-netbsdelf*, *-*-netbsdaout*,
-	# *-*-netbsdecoff* and *-*-netbsd*.  For targets that recently
-	# switched to ELF, *-*-netbsd* would select the old
-	# object file format.  This provides both forward
-	# compatibility and a consistent mechanism for selecting the
-	# object file format.
-	#
-	# Note: NetBSD doesn't particularly care about the vendor
-	# portion of the name.  We always set it to "unknown".
-	sysctl="sysctl -n hw.machine_arch"
-	UNAME_MACHINE_ARCH=`(/sbin/$sysctl 2>/dev/null || \
-	    /usr/sbin/$sysctl 2>/dev/null || echo unknown)`
-	case "${UNAME_MACHINE_ARCH}" in
-	    armeb) machine=armeb-unknown ;;
-	    arm*) machine=arm-unknown ;;
-	    sh3el) machine=shl-unknown ;;
-	    sh3eb) machine=sh-unknown ;;
-	    *) machine=${UNAME_MACHINE_ARCH}-unknown ;;
-	esac
-	# The Operating System including object format, if it has switched
-	# to ELF recently, or will in the future.
-	case "${UNAME_MACHINE_ARCH}" in
-	    arm*|i386|m68k|ns32k|sh3*|sparc|vax)
-		eval $set_cc_for_build
-		if echo __ELF__ | $CC_FOR_BUILD -E - 2>/dev/null \
-			| grep __ELF__ >/dev/null
-		then
-		    # Once all utilities can be ECOFF (netbsdecoff) or a.out (netbsdaout).
-		    # Return netbsd for either.  FIX?
-		    os=netbsd
-		else
-		    os=netbsdelf
-		fi
-		;;
-	    *)
-	        os=netbsd
-		;;
-	esac
-	# The OS release
-	# Debian GNU/NetBSD machines have a different userland, and
-	# thus, need a distinct triplet. However, they do not need
-	# kernel version information, so it can be replaced with a
-	# suitable tag, in the style of linux-gnu.
-	case "${UNAME_VERSION}" in
-	    Debian*)
-		release='-gnu'
-		;;
-	    *)
-		release=`echo ${UNAME_RELEASE}|sed -e 's/[-_].*/\./'`
-		;;
-	esac
-	# Since CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM:
-	# contains redundant information, the shorter form:
-	# CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used.
-	echo "${machine}-${os}${release}"
-	exit 0 ;;
-    amiga:OpenBSD:*:*)
-	echo m68k-unknown-openbsd${UNAME_RELEASE}
-	exit 0 ;;
-    arc:OpenBSD:*:*)
-	echo mipsel-unknown-openbsd${UNAME_RELEASE}
-	exit 0 ;;
-    hp300:OpenBSD:*:*)
-	echo m68k-unknown-openbsd${UNAME_RELEASE}
-	exit 0 ;;
-    mac68k:OpenBSD:*:*)
-	echo m68k-unknown-openbsd${UNAME_RELEASE}
-	exit 0 ;;
-    macppc:OpenBSD:*:*)
-	echo powerpc-unknown-openbsd${UNAME_RELEASE}
-	exit 0 ;;
-    mvme68k:OpenBSD:*:*)
-	echo m68k-unknown-openbsd${UNAME_RELEASE}
-	exit 0 ;;
-    mvme88k:OpenBSD:*:*)
-	echo m88k-unknown-openbsd${UNAME_RELEASE}
-	exit 0 ;;
-    mvmeppc:OpenBSD:*:*)
-	echo powerpc-unknown-openbsd${UNAME_RELEASE}
-	exit 0 ;;
-    pmax:OpenBSD:*:*)
-	echo mipsel-unknown-openbsd${UNAME_RELEASE}
-	exit 0 ;;
-    sgi:OpenBSD:*:*)
-	echo mipseb-unknown-openbsd${UNAME_RELEASE}
-	exit 0 ;;
-    sun3:OpenBSD:*:*)
-	echo m68k-unknown-openbsd${UNAME_RELEASE}
-	exit 0 ;;
-    wgrisc:OpenBSD:*:*)
-	echo mipsel-unknown-openbsd${UNAME_RELEASE}
-	exit 0 ;;
-    *:OpenBSD:*:*)
-	echo ${UNAME_MACHINE}-unknown-openbsd${UNAME_RELEASE}
-	exit 0 ;;
-    alpha:OSF1:*:*)
-	if test $UNAME_RELEASE = "V4.0"; then
-		UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $3}'`
-	fi
-	# According to Compaq, /usr/sbin/psrinfo has been available on
-	# OSF/1 and Tru64 systems produced since 1995.  I hope that
-	# covers most systems running today.  This code pipes the CPU
-	# types through head -n 1, so we only detect the type of CPU 0.
-	ALPHA_CPU_TYPE=`/usr/sbin/psrinfo -v | sed -n -e 's/^  The alpha \(.*\) processor.*$/\1/p' | head -n 1`
-	case "$ALPHA_CPU_TYPE" in
-	    "EV4 (21064)")
-		UNAME_MACHINE="alpha" ;;
-	    "EV4.5 (21064)")
-		UNAME_MACHINE="alpha" ;;
-	    "LCA4 (21066/21068)")
-		UNAME_MACHINE="alpha" ;;
-	    "EV5 (21164)")
-		UNAME_MACHINE="alphaev5" ;;
-	    "EV5.6 (21164A)")
-		UNAME_MACHINE="alphaev56" ;;
-	    "EV5.6 (21164PC)")
-		UNAME_MACHINE="alphapca56" ;;
-	    "EV5.7 (21164PC)")
-		UNAME_MACHINE="alphapca57" ;;
-	    "EV6 (21264)")
-		UNAME_MACHINE="alphaev6" ;;
-	    "EV6.7 (21264A)")
-		UNAME_MACHINE="alphaev67" ;;
-	    "EV6.8CB (21264C)")
-		UNAME_MACHINE="alphaev68" ;;
-	    "EV6.8AL (21264B)")
-		UNAME_MACHINE="alphaev68" ;;
-	    "EV6.8CX (21264D)")
-		UNAME_MACHINE="alphaev68" ;;
-	    "EV6.9A (21264/EV69A)")
-		UNAME_MACHINE="alphaev69" ;;
-	    "EV7 (21364)")
-		UNAME_MACHINE="alphaev7" ;;
-	    "EV7.9 (21364A)")
-		UNAME_MACHINE="alphaev79" ;;
-	esac
-	# A Vn.n version is a released version.
-	# A Tn.n version is a released field test version.
-	# A Xn.n version is an unreleased experimental baselevel.
-	# 1.2 uses "1.2" for uname -r.
-	echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[VTX]//' | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'`
-	exit 0 ;;
-    Alpha\ *:Windows_NT*:*)
-	# How do we know it's Interix rather than the generic POSIX subsystem?
-	# Should we change UNAME_MACHINE based on the output of uname instead
-	# of the specific Alpha model?
-	echo alpha-pc-interix
-	exit 0 ;;
-    21064:Windows_NT:50:3)
-	echo alpha-dec-winnt3.5
-	exit 0 ;;
-    Amiga*:UNIX_System_V:4.0:*)
-	echo m68k-unknown-sysv4
-	exit 0;;
-    *:[Aa]miga[Oo][Ss]:*:*)
-	echo ${UNAME_MACHINE}-unknown-amigaos
-	exit 0 ;;
-    *:[Mm]orph[Oo][Ss]:*:*)
-	echo ${UNAME_MACHINE}-unknown-morphos
-	exit 0 ;;
-    *:OS/390:*:*)
-	echo i370-ibm-openedition
-	exit 0 ;;
-    arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*)
-	echo arm-acorn-riscix${UNAME_RELEASE}
-	exit 0;;
-    SR2?01:HI-UX/MPP:*:* | SR8000:HI-UX/MPP:*:*)
-	echo hppa1.1-hitachi-hiuxmpp
-	exit 0;;
-    Pyramid*:OSx*:*:* | MIS*:OSx*:*:* | MIS*:SMP_DC-OSx*:*:*)
-	# akee@wpdis03.wpafb.af.mil (Earle F. Ake) contributed MIS and NILE.
-	if test "`(/bin/universe) 2>/dev/null`" = att ; then
-		echo pyramid-pyramid-sysv3
-	else
-		echo pyramid-pyramid-bsd
-	fi
-	exit 0 ;;
-    NILE*:*:*:dcosx)
-	echo pyramid-pyramid-svr4
-	exit 0 ;;
-    DRS?6000:UNIX_SV:4.2*:7*)
-	case `/usr/bin/uname -p` in
-	    sparc) echo sparc-icl-nx7 && exit 0 ;;
-	esac ;;
-    sun4H:SunOS:5.*:*)
-	echo sparc-hal-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
-	exit 0 ;;
-    sun4*:SunOS:5.*:* | tadpole*:SunOS:5.*:*)
-	echo sparc-sun-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
-	exit 0 ;;
-    i86pc:SunOS:5.*:*)
-	echo i386-pc-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
-	exit 0 ;;
-    sun4*:SunOS:6*:*)
-	# According to config.sub, this is the proper way to canonicalize
-	# SunOS6.  Hard to guess exactly what SunOS6 will be like, but
-	# it's likely to be more like Solaris than SunOS4.
-	echo sparc-sun-solaris3`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
-	exit 0 ;;
-    sun4*:SunOS:*:*)
-	case "`/usr/bin/arch -k`" in
-	    Series*|S4*)
-		UNAME_RELEASE=`uname -v`
-		;;
-	esac
-	# Japanese Language versions have a version number like `4.1.3-JL'.
-	echo sparc-sun-sunos`echo ${UNAME_RELEASE}|sed -e 's/-/_/'`
-	exit 0 ;;
-    sun3*:SunOS:*:*)
-	echo m68k-sun-sunos${UNAME_RELEASE}
-	exit 0 ;;
-    sun*:*:4.2BSD:*)
-	UNAME_RELEASE=`(sed 1q /etc/motd | awk '{print substr($5,1,3)}') 2>/dev/null`
-	test "x${UNAME_RELEASE}" = "x" && UNAME_RELEASE=3
-	case "`/bin/arch`" in
-	    sun3)
-		echo m68k-sun-sunos${UNAME_RELEASE}
-		;;
-	    sun4)
-		echo sparc-sun-sunos${UNAME_RELEASE}
-		;;
-	esac
-	exit 0 ;;
-    aushp:SunOS:*:*)
-	echo sparc-auspex-sunos${UNAME_RELEASE}
-	exit 0 ;;
-    # The situation for MiNT is a little confusing.  The machine name
-    # can be virtually everything (everything which is not
-    # "atarist" or "atariste" at least should have a processor
-    # > m68000).  The system name ranges from "MiNT" over "FreeMiNT"
-    # to the lowercase version "mint" (or "freemint").  Finally
-    # the system name "TOS" denotes a system which is actually not
-    # MiNT.  But MiNT is downward compatible to TOS, so this should
-    # be no problem.
-    atarist[e]:*MiNT:*:* | atarist[e]:*mint:*:* | atarist[e]:*TOS:*:*)
-        echo m68k-atari-mint${UNAME_RELEASE}
-	exit 0 ;;
-    atari*:*MiNT:*:* | atari*:*mint:*:* | atarist[e]:*TOS:*:*)
-	echo m68k-atari-mint${UNAME_RELEASE}
-        exit 0 ;;
-    *falcon*:*MiNT:*:* | *falcon*:*mint:*:* | *falcon*:*TOS:*:*)
-        echo m68k-atari-mint${UNAME_RELEASE}
-	exit 0 ;;
-    milan*:*MiNT:*:* | milan*:*mint:*:* | *milan*:*TOS:*:*)
-        echo m68k-milan-mint${UNAME_RELEASE}
-        exit 0 ;;
-    hades*:*MiNT:*:* | hades*:*mint:*:* | *hades*:*TOS:*:*)
-        echo m68k-hades-mint${UNAME_RELEASE}
-        exit 0 ;;
-    *:*MiNT:*:* | *:*mint:*:* | *:*TOS:*:*)
-        echo m68k-unknown-mint${UNAME_RELEASE}
-        exit 0 ;;
-    powerpc:machten:*:*)
-	echo powerpc-apple-machten${UNAME_RELEASE}
-	exit 0 ;;
-    RISC*:Mach:*:*)
-	echo mips-dec-mach_bsd4.3
-	exit 0 ;;
-    RISC*:ULTRIX:*:*)
-	echo mips-dec-ultrix${UNAME_RELEASE}
-	exit 0 ;;
-    VAX*:ULTRIX*:*:*)
-	echo vax-dec-ultrix${UNAME_RELEASE}
-	exit 0 ;;
-    2020:CLIX:*:* | 2430:CLIX:*:*)
-	echo clipper-intergraph-clix${UNAME_RELEASE}
-	exit 0 ;;
-    mips:*:*:UMIPS | mips:*:*:RISCos)
-	eval $set_cc_for_build
-	sed 's/^	//' << EOF >$dummy.c
-#ifdef __cplusplus
-#include <stdio.h>  /* for printf() prototype */
-	int main (int argc, char *argv[]) {
-#else
-	int main (argc, argv) int argc; char *argv[]; {
-#endif
-	#if defined (host_mips) && defined (MIPSEB)
-	#if defined (SYSTYPE_SYSV)
-	  printf ("mips-mips-riscos%ssysv\n", argv[1]); exit (0);
-	#endif
-	#if defined (SYSTYPE_SVR4)
-	  printf ("mips-mips-riscos%ssvr4\n", argv[1]); exit (0);
-	#endif
-	#if defined (SYSTYPE_BSD43) || defined(SYSTYPE_BSD)
-	  printf ("mips-mips-riscos%sbsd\n", argv[1]); exit (0);
-	#endif
-	#endif
-	  exit (-1);
-	}
-EOF
-	$CC_FOR_BUILD -o $dummy $dummy.c \
-	  && $dummy `echo "${UNAME_RELEASE}" | sed -n 's/\([0-9]*\).*/\1/p'` \
-	  && exit 0
-	echo mips-mips-riscos${UNAME_RELEASE}
-	exit 0 ;;
-    Motorola:PowerMAX_OS:*:*)
-	echo powerpc-motorola-powermax
-	exit 0 ;;
-    Motorola:*:4.3:PL8-*)
-	echo powerpc-harris-powermax
-	exit 0 ;;
-    Night_Hawk:*:*:PowerMAX_OS | Synergy:PowerMAX_OS:*:*)
-	echo powerpc-harris-powermax
-	exit 0 ;;
-    Night_Hawk:Power_UNIX:*:*)
-	echo powerpc-harris-powerunix
-	exit 0 ;;
-    m88k:CX/UX:7*:*)
-	echo m88k-harris-cxux7
-	exit 0 ;;
-    m88k:*:4*:R4*)
-	echo m88k-motorola-sysv4
-	exit 0 ;;
-    m88k:*:3*:R3*)
-	echo m88k-motorola-sysv3
-	exit 0 ;;
-    AViiON:dgux:*:*)
-        # DG/UX returns AViiON for all architectures
-        UNAME_PROCESSOR=`/usr/bin/uname -p`
-	if [ $UNAME_PROCESSOR = mc88100 ] || [ $UNAME_PROCESSOR = mc88110 ]
-	then
-	    if [ ${TARGET_BINARY_INTERFACE}x = m88kdguxelfx ] || \
-	       [ ${TARGET_BINARY_INTERFACE}x = x ]
-	    then
-		echo m88k-dg-dgux${UNAME_RELEASE}
-	    else
-		echo m88k-dg-dguxbcs${UNAME_RELEASE}
-	    fi
-	else
-	    echo i586-dg-dgux${UNAME_RELEASE}
-	fi
- 	exit 0 ;;
-    M88*:DolphinOS:*:*)	# DolphinOS (SVR3)
-	echo m88k-dolphin-sysv3
-	exit 0 ;;
-    M88*:*:R3*:*)
-	# Delta 88k system running SVR3
-	echo m88k-motorola-sysv3
-	exit 0 ;;
-    XD88*:*:*:*) # Tektronix XD88 system running UTekV (SVR3)
-	echo m88k-tektronix-sysv3
-	exit 0 ;;
-    Tek43[0-9][0-9]:UTek:*:*) # Tektronix 4300 system running UTek (BSD)
-	echo m68k-tektronix-bsd
-	exit 0 ;;
-    *:IRIX*:*:*)
-	echo mips-sgi-irix`echo ${UNAME_RELEASE}|sed -e 's/-/_/g'`
-	exit 0 ;;
-    ????????:AIX?:[12].1:2)   # AIX 2.2.1 or AIX 2.1.1 is RT/PC AIX.
-	echo romp-ibm-aix      # uname -m gives an 8 hex-code CPU id
-	exit 0 ;;              # Note that: echo "'`uname -s`'" gives 'AIX '
-    i*86:AIX:*:*)
-	echo i386-ibm-aix
-	exit 0 ;;
-    ia64:AIX:*:*)
-	if [ -x /usr/bin/oslevel ] ; then
-		IBM_REV=`/usr/bin/oslevel`
-	else
-		IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE}
-	fi
-	echo ${UNAME_MACHINE}-ibm-aix${IBM_REV}
-	exit 0 ;;
-    *:AIX:2:3)
-	if grep bos325 /usr/include/stdio.h >/dev/null 2>&1; then
-		eval $set_cc_for_build
-		sed 's/^		//' << EOF >$dummy.c
-		#include <sys/systemcfg.h>
-
-		main()
-			{
-			if (!__power_pc())
-				exit(1);
-			puts("powerpc-ibm-aix3.2.5");
-			exit(0);
-			}
-EOF
-		$CC_FOR_BUILD -o $dummy $dummy.c && $dummy && exit 0
-		echo rs6000-ibm-aix3.2.5
-	elif grep bos324 /usr/include/stdio.h >/dev/null 2>&1; then
-		echo rs6000-ibm-aix3.2.4
-	else
-		echo rs6000-ibm-aix3.2
-	fi
-	exit 0 ;;
-    *:AIX:*:[45])
-	IBM_CPU_ID=`/usr/sbin/lsdev -C -c processor -S available | sed 1q | awk '{ print $1 }'`
-	if /usr/sbin/lsattr -El ${IBM_CPU_ID} | grep ' POWER' >/dev/null 2>&1; then
-		IBM_ARCH=rs6000
-	else
-		IBM_ARCH=powerpc
-	fi
-	if [ -x /usr/bin/oslevel ] ; then
-		IBM_REV=`/usr/bin/oslevel`
-	else
-		IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE}
-	fi
-	echo ${IBM_ARCH}-ibm-aix${IBM_REV}
-	exit 0 ;;
-    *:AIX:*:*)
-	echo rs6000-ibm-aix
-	exit 0 ;;
-    ibmrt:4.4BSD:*|romp-ibm:BSD:*)
-	echo romp-ibm-bsd4.4
-	exit 0 ;;
-    ibmrt:*BSD:*|romp-ibm:BSD:*)            # covers RT/PC BSD and
-	echo romp-ibm-bsd${UNAME_RELEASE}   # 4.3 with uname added to
-	exit 0 ;;                           # report: romp-ibm BSD 4.3
-    *:BOSX:*:*)
-	echo rs6000-bull-bosx
-	exit 0 ;;
-    DPX/2?00:B.O.S.:*:*)
-	echo m68k-bull-sysv3
-	exit 0 ;;
-    9000/[34]??:4.3bsd:1.*:*)
-	echo m68k-hp-bsd
-	exit 0 ;;
-    hp300:4.4BSD:*:* | 9000/[34]??:4.3bsd:2.*:*)
-	echo m68k-hp-bsd4.4
-	exit 0 ;;
-    9000/[34678]??:HP-UX:*:*)
-	HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'`
-	case "${UNAME_MACHINE}" in
-	    9000/31? )            HP_ARCH=m68000 ;;
-	    9000/[34]?? )         HP_ARCH=m68k ;;
-	    9000/[678][0-9][0-9])
-		if [ -x /usr/bin/getconf ]; then
-		    sc_cpu_version=`/usr/bin/getconf SC_CPU_VERSION 2>/dev/null`
-                    sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null`
-                    case "${sc_cpu_version}" in
-                      523) HP_ARCH="hppa1.0" ;; # CPU_PA_RISC1_0
-                      528) HP_ARCH="hppa1.1" ;; # CPU_PA_RISC1_1
-                      532)                      # CPU_PA_RISC2_0
-                        case "${sc_kernel_bits}" in
-                          32) HP_ARCH="hppa2.0n" ;;
-                          64) HP_ARCH="hppa2.0w" ;;
-			  '') HP_ARCH="hppa2.0" ;;   # HP-UX 10.20
-                        esac ;;
-                    esac
-		fi
-		if [ "${HP_ARCH}" = "" ]; then
-		    eval $set_cc_for_build
-		    sed 's/^              //' << EOF >$dummy.c
-
-              #define _HPUX_SOURCE
-              #include <stdlib.h>
-              #include <unistd.h>
-
-              int main ()
-              {
-              #if defined(_SC_KERNEL_BITS)
-                  long bits = sysconf(_SC_KERNEL_BITS);
-              #endif
-                  long cpu  = sysconf (_SC_CPU_VERSION);
-
-                  switch (cpu)
-              	{
-              	case CPU_PA_RISC1_0: puts ("hppa1.0"); break;
-              	case CPU_PA_RISC1_1: puts ("hppa1.1"); break;
-              	case CPU_PA_RISC2_0:
-              #if defined(_SC_KERNEL_BITS)
-              	    switch (bits)
-              		{
-              		case 64: puts ("hppa2.0w"); break;
-              		case 32: puts ("hppa2.0n"); break;
-              		default: puts ("hppa2.0"); break;
-              		} break;
-              #else  /* !defined(_SC_KERNEL_BITS) */
-              	    puts ("hppa2.0"); break;
-              #endif
-              	default: puts ("hppa1.0"); break;
-              	}
-                  exit (0);
-              }
-EOF
-		    (CCOPTS= $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy`
-		    test -z "$HP_ARCH" && HP_ARCH=hppa
-		fi ;;
-	esac
-	if [ ${HP_ARCH} = "hppa2.0w" ]
-	then
-	    # avoid double evaluation of $set_cc_for_build
-	    test -n "$CC_FOR_BUILD" || eval $set_cc_for_build
-	    if echo __LP64__ | (CCOPTS= $CC_FOR_BUILD -E -) | grep __LP64__ >/dev/null
-	    then
-		HP_ARCH="hppa2.0w"
-	    else
-		HP_ARCH="hppa64"
-	    fi
-	fi
-	echo ${HP_ARCH}-hp-hpux${HPUX_REV}
-	exit 0 ;;
-    ia64:HP-UX:*:*)
-	HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'`
-	echo ia64-hp-hpux${HPUX_REV}
-	exit 0 ;;
-    3050*:HI-UX:*:*)
-	eval $set_cc_for_build
-	sed 's/^	//' << EOF >$dummy.c
-	#include <unistd.h>
-	int
-	main ()
-	{
-	  long cpu = sysconf (_SC_CPU_VERSION);
-	  /* The order matters, because CPU_IS_HP_MC68K erroneously returns
-	     true for CPU_PA_RISC1_0.  CPU_IS_PA_RISC returns correct
-	     results, however.  */
-	  if (CPU_IS_PA_RISC (cpu))
-	    {
-	      switch (cpu)
-		{
-		  case CPU_PA_RISC1_0: puts ("hppa1.0-hitachi-hiuxwe2"); break;
-		  case CPU_PA_RISC1_1: puts ("hppa1.1-hitachi-hiuxwe2"); break;
-		  case CPU_PA_RISC2_0: puts ("hppa2.0-hitachi-hiuxwe2"); break;
-		  default: puts ("hppa-hitachi-hiuxwe2"); break;
-		}
-	    }
-	  else if (CPU_IS_HP_MC68K (cpu))
-	    puts ("m68k-hitachi-hiuxwe2");
-	  else puts ("unknown-hitachi-hiuxwe2");
-	  exit (0);
-	}
-EOF
-	$CC_FOR_BUILD -o $dummy $dummy.c && $dummy && exit 0
-	echo unknown-hitachi-hiuxwe2
-	exit 0 ;;
-    9000/7??:4.3bsd:*:* | 9000/8?[79]:4.3bsd:*:* )
-	echo hppa1.1-hp-bsd
-	exit 0 ;;
-    9000/8??:4.3bsd:*:*)
-	echo hppa1.0-hp-bsd
-	exit 0 ;;
-    *9??*:MPE/iX:*:* | *3000*:MPE/iX:*:*)
-	echo hppa1.0-hp-mpeix
-	exit 0 ;;
-    hp7??:OSF1:*:* | hp8?[79]:OSF1:*:* )
-	echo hppa1.1-hp-osf
-	exit 0 ;;
-    hp8??:OSF1:*:*)
-	echo hppa1.0-hp-osf
-	exit 0 ;;
-    i*86:OSF1:*:*)
-	if [ -x /usr/sbin/sysversion ] ; then
-	    echo ${UNAME_MACHINE}-unknown-osf1mk
-	else
-	    echo ${UNAME_MACHINE}-unknown-osf1
-	fi
-	exit 0 ;;
-    parisc*:Lites*:*:*)
-	echo hppa1.1-hp-lites
-	exit 0 ;;
-    C1*:ConvexOS:*:* | convex:ConvexOS:C1*:*)
-	echo c1-convex-bsd
-        exit 0 ;;
-    C2*:ConvexOS:*:* | convex:ConvexOS:C2*:*)
-	if getsysinfo -f scalar_acc
-	then echo c32-convex-bsd
-	else echo c2-convex-bsd
-	fi
-        exit 0 ;;
-    C34*:ConvexOS:*:* | convex:ConvexOS:C34*:*)
-	echo c34-convex-bsd
-        exit 0 ;;
-    C38*:ConvexOS:*:* | convex:ConvexOS:C38*:*)
-	echo c38-convex-bsd
-        exit 0 ;;
-    C4*:ConvexOS:*:* | convex:ConvexOS:C4*:*)
-	echo c4-convex-bsd
-        exit 0 ;;
-    CRAY*Y-MP:*:*:*)
-	echo ymp-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
-	exit 0 ;;
-    CRAY*[A-Z]90:*:*:*)
-	echo ${UNAME_MACHINE}-cray-unicos${UNAME_RELEASE} \
-	| sed -e 's/CRAY.*\([A-Z]90\)/\1/' \
-	      -e y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/ \
-	      -e 's/\.[^.]*$/.X/'
-	exit 0 ;;
-    CRAY*TS:*:*:*)
-	echo t90-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
-	exit 0 ;;
-    CRAY*T3E:*:*:*)
-	echo alphaev5-cray-unicosmk${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
-	exit 0 ;;
-    CRAY*SV1:*:*:*)
-	echo sv1-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
-	exit 0 ;;
-    *:UNICOS/mp:*:*)
-	echo nv1-cray-unicosmp${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' 
-	exit 0 ;;
-    F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*)
-	FUJITSU_PROC=`uname -m | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'`
-        FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'`
-        FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'`
-        echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
-        exit 0 ;;
-    i*86:BSD/386:*:* | i*86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*)
-	echo ${UNAME_MACHINE}-pc-bsdi${UNAME_RELEASE}
-	exit 0 ;;
-    sparc*:BSD/OS:*:*)
-	echo sparc-unknown-bsdi${UNAME_RELEASE}
-	exit 0 ;;
-    *:BSD/OS:*:*)
-	echo ${UNAME_MACHINE}-unknown-bsdi${UNAME_RELEASE}
-	exit 0 ;;
-    *:FreeBSD:*:*|*:GNU/FreeBSD:*:*)
-	# Determine whether the default compiler uses glibc.
-	eval $set_cc_for_build
-	sed 's/^	//' << EOF >$dummy.c
-	#include <features.h>
-	#if __GLIBC__ >= 2
-	LIBC=gnu
-	#else
-	LIBC=
-	#endif
-EOF
-	eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^LIBC=`
-	echo ${UNAME_MACHINE}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`${LIBC:+-$LIBC}
-	exit 0 ;;
-    i*:CYGWIN*:*)
-	echo ${UNAME_MACHINE}-pc-cygwin
-	exit 0 ;;
-    i*:MINGW*:*)
-	echo ${UNAME_MACHINE}-pc-mingw32
-	exit 0 ;;
-    i*:PW*:*)
-	echo ${UNAME_MACHINE}-pc-pw32
-	exit 0 ;;
-    x86:Interix*:3*)
-	echo i586-pc-interix3
-	exit 0 ;;
-    [345]86:Windows_95:* | [345]86:Windows_98:* | [345]86:Windows_NT:*)
-	echo i${UNAME_MACHINE}-pc-mks
-	exit 0 ;;
-    i*:Windows_NT*:* | Pentium*:Windows_NT*:*)
-	# How do we know it's Interix rather than the generic POSIX subsystem?
-	# It also conflicts with pre-2.0 versions of AT&T UWIN. Should we
-	# UNAME_MACHINE based on the output of uname instead of i386?
-	echo i586-pc-interix
-	exit 0 ;;
-    i*:UWIN*:*)
-	echo ${UNAME_MACHINE}-pc-uwin
-	exit 0 ;;
-    p*:CYGWIN*:*)
-	echo powerpcle-unknown-cygwin
-	exit 0 ;;
-    prep*:SunOS:5.*:*)
-	echo powerpcle-unknown-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
-	exit 0 ;;
-    *:GNU:*:*)
-	echo `echo ${UNAME_MACHINE}|sed -e 's,[-/].*$,,'`-unknown-gnu`echo ${UNAME_RELEASE}|sed -e 's,/.*$,,'`
-	exit 0 ;;
-    i*86:Minix:*:*)
-	echo ${UNAME_MACHINE}-pc-minix
-	exit 0 ;;
-    arm*:Linux:*:*)
-	echo ${UNAME_MACHINE}-unknown-linux-gnu
-	exit 0 ;;
-    ia64:Linux:*:*)
-	echo ${UNAME_MACHINE}-unknown-linux-gnu
-	exit 0 ;;
-    m68*:Linux:*:*)
-	echo ${UNAME_MACHINE}-unknown-linux-gnu
-	exit 0 ;;
-    mips:Linux:*:*)
-	eval $set_cc_for_build
-	sed 's/^	//' << EOF >$dummy.c
-	#undef CPU
-	#undef mips
-	#undef mipsel
-	#if defined(__MIPSEL__) || defined(__MIPSEL) || defined(_MIPSEL) || defined(MIPSEL)
-	CPU=mipsel
-	#else
-	#if defined(__MIPSEB__) || defined(__MIPSEB) || defined(_MIPSEB) || defined(MIPSEB)
-	CPU=mips
-	#else
-	CPU=
-	#endif
-	#endif
-EOF
-	eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^CPU=`
-	test x"${CPU}" != x && echo "${CPU}-unknown-linux-gnu" && exit 0
-	;;
-    mips64:Linux:*:*)
-	eval $set_cc_for_build
-	sed 's/^	//' << EOF >$dummy.c
-	#undef CPU
-	#undef mips64
-	#undef mips64el
-	#if defined(__MIPSEL__) || defined(__MIPSEL) || defined(_MIPSEL) || defined(MIPSEL)
-	CPU=mips64el
-	#else
-	#if defined(__MIPSEB__) || defined(__MIPSEB) || defined(_MIPSEB) || defined(MIPSEB)
-	CPU=mips64
-	#else
-	CPU=
-	#endif
-	#endif
-EOF
-	eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^CPU=`
-	test x"${CPU}" != x && echo "${CPU}-unknown-linux-gnu" && exit 0
-	;;
-    ppc:Linux:*:*)
-	echo powerpc-unknown-linux-gnu
-	exit 0 ;;
-    ppc64:Linux:*:*)
-	echo powerpc64-unknown-linux-gnu
-	exit 0 ;;
-    alpha:Linux:*:*)
-	case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in
-	  EV5)   UNAME_MACHINE=alphaev5 ;;
-	  EV56)  UNAME_MACHINE=alphaev56 ;;
-	  PCA56) UNAME_MACHINE=alphapca56 ;;
-	  PCA57) UNAME_MACHINE=alphapca56 ;;
-	  EV6)   UNAME_MACHINE=alphaev6 ;;
-	  EV67)  UNAME_MACHINE=alphaev67 ;;
-	  EV68*) UNAME_MACHINE=alphaev68 ;;
-        esac
-	objdump --private-headers /bin/sh | grep ld.so.1 >/dev/null
-	if test "$?" = 0 ; then LIBC="libc1" ; else LIBC="" ; fi
-	echo ${UNAME_MACHINE}-unknown-linux-gnu${LIBC}
-	exit 0 ;;
-    parisc:Linux:*:* | hppa:Linux:*:*)
-	# Look for CPU level
-	case `grep '^cpu[^a-z]*:' /proc/cpuinfo 2>/dev/null | cut -d' ' -f2` in
-	  PA7*) echo hppa1.1-unknown-linux-gnu ;;
-	  PA8*) echo hppa2.0-unknown-linux-gnu ;;
-	  *)    echo hppa-unknown-linux-gnu ;;
-	esac
-	exit 0 ;;
-    parisc64:Linux:*:* | hppa64:Linux:*:*)
-	echo hppa64-unknown-linux-gnu
-	exit 0 ;;
-    s390:Linux:*:* | s390x:Linux:*:*)
-	echo ${UNAME_MACHINE}-ibm-linux
-	exit 0 ;;
-    sh*:Linux:*:*)
-	echo ${UNAME_MACHINE}-unknown-linux-gnu
-	exit 0 ;;
-    sparc:Linux:*:* | sparc64:Linux:*:*)
-	echo ${UNAME_MACHINE}-unknown-linux-gnu
-	exit 0 ;;
-    x86_64:Linux:*:*)
-	echo x86_64-unknown-linux-gnu
-	exit 0 ;;
-    i*86:Linux:*:*)
-	# The BFD linker knows what the default object file format is, so
-	# first see if it will tell us. cd to the root directory to prevent
-	# problems with other programs or directories called `ld' in the path.
-	# Set LC_ALL=C to ensure ld outputs messages in English.
-	ld_supported_targets=`cd /; LC_ALL=C ld --help 2>&1 \
-			 | sed -ne '/supported targets:/!d
-				    s/[ 	][ 	]*/ /g
-				    s/.*supported targets: *//
-				    s/ .*//
-				    p'`
-        case "$ld_supported_targets" in
-	  elf32-i386)
-		TENTATIVE="${UNAME_MACHINE}-pc-linux-gnu"
-		;;
-	  a.out-i386-linux)
-		echo "${UNAME_MACHINE}-pc-linux-gnuaout"
-		exit 0 ;;
-	  coff-i386)
-		echo "${UNAME_MACHINE}-pc-linux-gnucoff"
-		exit 0 ;;
-	  "")
-		# Either a pre-BFD a.out linker (linux-gnuoldld) or
-		# one that does not give us useful --help.
-		echo "${UNAME_MACHINE}-pc-linux-gnuoldld"
-		exit 0 ;;
-	esac
-	# Determine whether the default compiler is a.out or elf
-	eval $set_cc_for_build
-	sed 's/^	//' << EOF >$dummy.c
-	#include <features.h>
-	#ifdef __ELF__
-	# ifdef __GLIBC__
-	#  if __GLIBC__ >= 2
-	LIBC=gnu
-	#  else
-	LIBC=gnulibc1
-	#  endif
-	# else
-	LIBC=gnulibc1
-	# endif
-	#else
-	#ifdef __INTEL_COMPILER
-	LIBC=gnu
-	#else
-	LIBC=gnuaout
-	#endif
-	#endif
-EOF
-	eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^LIBC=`
-	test x"${LIBC}" != x && echo "${UNAME_MACHINE}-pc-linux-${LIBC}" && exit 0
-	test x"${TENTATIVE}" != x && echo "${TENTATIVE}" && exit 0
-	;;
-    i*86:DYNIX/ptx:4*:*)
-	# ptx 4.0 does uname -s correctly, with DYNIX/ptx in there.
-	# earlier versions are messed up and put the nodename in both
-	# sysname and nodename.
-	echo i386-sequent-sysv4
-	exit 0 ;;
-    i*86:UNIX_SV:4.2MP:2.*)
-        # Unixware is an offshoot of SVR4, but it has its own version
-        # number series starting with 2...
-        # I am not positive that other SVR4 systems won't match this,
-	# I just have to hope.  -- rms.
-        # Use sysv4.2uw... so that sysv4* matches it.
-	echo ${UNAME_MACHINE}-pc-sysv4.2uw${UNAME_VERSION}
-	exit 0 ;;
-    i*86:OS/2:*:*)
-	# If we were able to find `uname', then EMX Unix compatibility
-	# is probably installed.
-	echo ${UNAME_MACHINE}-pc-os2-emx
-	exit 0 ;;
-    i*86:XTS-300:*:STOP)
-	echo ${UNAME_MACHINE}-unknown-stop
-	exit 0 ;;
-    i*86:atheos:*:*)
-	echo ${UNAME_MACHINE}-unknown-atheos
-	exit 0 ;;
-    i*86:LynxOS:2.*:* | i*86:LynxOS:3.[01]*:* | i*86:LynxOS:4.0*:*)
-	echo i386-unknown-lynxos${UNAME_RELEASE}
-	exit 0 ;;
-    i*86:*DOS:*:*)
-	echo ${UNAME_MACHINE}-pc-msdosdjgpp
-	exit 0 ;;
-    i*86:*:4.*:* | i*86:SYSTEM_V:4.*:*)
-	UNAME_REL=`echo ${UNAME_RELEASE} | sed 's/\/MP$//'`
-	if grep Novell /usr/include/link.h >/dev/null 2>/dev/null; then
-		echo ${UNAME_MACHINE}-univel-sysv${UNAME_REL}
-	else
-		echo ${UNAME_MACHINE}-pc-sysv${UNAME_REL}
-	fi
-	exit 0 ;;
-    i*86:*:5:[78]*)
-	case `/bin/uname -X | grep "^Machine"` in
-	    *486*)	     UNAME_MACHINE=i486 ;;
-	    *Pentium)	     UNAME_MACHINE=i586 ;;
-	    *Pent*|*Celeron) UNAME_MACHINE=i686 ;;
-	esac
-	echo ${UNAME_MACHINE}-unknown-sysv${UNAME_RELEASE}${UNAME_SYSTEM}${UNAME_VERSION}
-	exit 0 ;;
-    i*86:*:3.2:*)
-	if test -f /usr/options/cb.name; then
-		UNAME_REL=`sed -n 's/.*Version //p' </usr/options/cb.name`
-		echo ${UNAME_MACHINE}-pc-isc$UNAME_REL
-	elif /bin/uname -X 2>/dev/null >/dev/null ; then
-		UNAME_REL=`(/bin/uname -X|grep Release|sed -e 's/.*= //')`
-		(/bin/uname -X|grep i80486 >/dev/null) && UNAME_MACHINE=i486
-		(/bin/uname -X|grep '^Machine.*Pentium' >/dev/null) \
-			&& UNAME_MACHINE=i586
-		(/bin/uname -X|grep '^Machine.*Pent *II' >/dev/null) \
-			&& UNAME_MACHINE=i686
-		(/bin/uname -X|grep '^Machine.*Pentium Pro' >/dev/null) \
-			&& UNAME_MACHINE=i686
-		echo ${UNAME_MACHINE}-pc-sco$UNAME_REL
-	else
-		echo ${UNAME_MACHINE}-pc-sysv32
-	fi
-	exit 0 ;;
-    pc:*:*:*)
-	# Left here for compatibility:
-        # uname -m prints for DJGPP always 'pc', but it prints nothing about
-        # the processor, so we play safe by assuming i386.
-	echo i386-pc-msdosdjgpp
-        exit 0 ;;
-    Intel:Mach:3*:*)
-	echo i386-pc-mach3
-	exit 0 ;;
-    paragon:*:*:*)
-	echo i860-intel-osf1
-	exit 0 ;;
-    i860:*:4.*:*) # i860-SVR4
-	if grep Stardent /usr/include/sys/uadmin.h >/dev/null 2>&1 ; then
-	  echo i860-stardent-sysv${UNAME_RELEASE} # Stardent Vistra i860-SVR4
-	else # Add other i860-SVR4 vendors below as they are discovered.
-	  echo i860-unknown-sysv${UNAME_RELEASE}  # Unknown i860-SVR4
-	fi
-	exit 0 ;;
-    mini*:CTIX:SYS*5:*)
-	# "miniframe"
-	echo m68010-convergent-sysv
-	exit 0 ;;
-    mc68k:UNIX:SYSTEM5:3.51m)
-	echo m68k-convergent-sysv
-	exit 0 ;;
-    M680?0:D-NIX:5.3:*)
-	echo m68k-diab-dnix
-	exit 0 ;;
-    M68*:*:R3V[567]*:*)
-	test -r /sysV68 && echo 'm68k-motorola-sysv' && exit 0 ;;
-    3[34]??:*:4.0:3.0 | 3[34]??A:*:4.0:3.0 | 3[34]??,*:*:4.0:3.0 | 3[34]??/*:*:4.0:3.0 | 4400:*:4.0:3.0 | 4850:*:4.0:3.0 | SKA40:*:4.0:3.0 | SDS2:*:4.0:3.0 | SHG2:*:4.0:3.0)
-	OS_REL=''
-	test -r /etc/.relid \
-	&& OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid`
-	/bin/uname -p 2>/dev/null | grep 86 >/dev/null \
-	  && echo i486-ncr-sysv4.3${OS_REL} && exit 0
-	/bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \
-	  && echo i586-ncr-sysv4.3${OS_REL} && exit 0 ;;
-    3[34]??:*:4.0:* | 3[34]??,*:*:4.0:*)
-        /bin/uname -p 2>/dev/null | grep 86 >/dev/null \
-          && echo i486-ncr-sysv4 && exit 0 ;;
-    m68*:LynxOS:2.*:* | m68*:LynxOS:3.0*:*)
-	echo m68k-unknown-lynxos${UNAME_RELEASE}
-	exit 0 ;;
-    mc68030:UNIX_System_V:4.*:*)
-	echo m68k-atari-sysv4
-	exit 0 ;;
-    TSUNAMI:LynxOS:2.*:*)
-	echo sparc-unknown-lynxos${UNAME_RELEASE}
-	exit 0 ;;
-    rs6000:LynxOS:2.*:*)
-	echo rs6000-unknown-lynxos${UNAME_RELEASE}
-	exit 0 ;;
-    PowerPC:LynxOS:2.*:* | PowerPC:LynxOS:3.[01]*:* | PowerPC:LynxOS:4.0*:*)
-	echo powerpc-unknown-lynxos${UNAME_RELEASE}
-	exit 0 ;;
-    SM[BE]S:UNIX_SV:*:*)
-	echo mips-dde-sysv${UNAME_RELEASE}
-	exit 0 ;;
-    RM*:ReliantUNIX-*:*:*)
-	echo mips-sni-sysv4
-	exit 0 ;;
-    RM*:SINIX-*:*:*)
-	echo mips-sni-sysv4
-	exit 0 ;;
-    *:SINIX-*:*:*)
-	if uname -p 2>/dev/null >/dev/null ; then
-		UNAME_MACHINE=`(uname -p) 2>/dev/null`
-		echo ${UNAME_MACHINE}-sni-sysv4
-	else
-		echo ns32k-sni-sysv
-	fi
-	exit 0 ;;
-    PENTIUM:*:4.0*:*) # Unisys `ClearPath HMP IX 4000' SVR4/MP effort
-                      # says <Richard.M.Bartel@ccMail.Census.GOV>
-        echo i586-unisys-sysv4
-        exit 0 ;;
-    *:UNIX_System_V:4*:FTX*)
-	# From Gerald Hewes <hewes@openmarket.com>.
-	# How about differentiating between stratus architectures? -djm
-	echo hppa1.1-stratus-sysv4
-	exit 0 ;;
-    *:*:*:FTX*)
-	# From seanf@swdc.stratus.com.
-	echo i860-stratus-sysv4
-	exit 0 ;;
-    *:VOS:*:*)
-	# From Paul.Green@stratus.com.
-	echo hppa1.1-stratus-vos
-	exit 0 ;;
-    mc68*:A/UX:*:*)
-	echo m68k-apple-aux${UNAME_RELEASE}
-	exit 0 ;;
-    news*:NEWS-OS:6*:*)
-	echo mips-sony-newsos6
-	exit 0 ;;
-    R[34]000:*System_V*:*:* | R4000:UNIX_SYSV:*:* | R*000:UNIX_SV:*:*)
-	if [ -d /usr/nec ]; then
-	        echo mips-nec-sysv${UNAME_RELEASE}
-	else
-	        echo mips-unknown-sysv${UNAME_RELEASE}
-	fi
-        exit 0 ;;
-    BeBox:BeOS:*:*)	# BeOS running on hardware made by Be, PPC only.
-	echo powerpc-be-beos
-	exit 0 ;;
-    BeMac:BeOS:*:*)	# BeOS running on Mac or Mac clone, PPC only.
-	echo powerpc-apple-beos
-	exit 0 ;;
-    BePC:BeOS:*:*)	# BeOS running on Intel PC compatible.
-	echo i586-pc-beos
-	exit 0 ;;
-    SX-4:SUPER-UX:*:*)
-	echo sx4-nec-superux${UNAME_RELEASE}
-	exit 0 ;;
-    SX-5:SUPER-UX:*:*)
-	echo sx5-nec-superux${UNAME_RELEASE}
-	exit 0 ;;
-    SX-6:SUPER-UX:*:*)
-	echo sx6-nec-superux${UNAME_RELEASE}
-	exit 0 ;;
-    Power*:Rhapsody:*:*)
-	echo powerpc-apple-rhapsody${UNAME_RELEASE}
-	exit 0 ;;
-    *:Rhapsody:*:*)
-	echo ${UNAME_MACHINE}-apple-rhapsody${UNAME_RELEASE}
-	exit 0 ;;
-    *:Darwin:*:*)
-	case `uname -p` in
-	    *86) UNAME_PROCESSOR=i686 ;;
-	    powerpc) UNAME_PROCESSOR=powerpc ;;
-	esac
-	echo ${UNAME_PROCESSOR}-apple-darwin${UNAME_RELEASE}
-	exit 0 ;;
-    *:procnto*:*:* | *:QNX:[0123456789]*:*)
-	UNAME_PROCESSOR=`uname -p`
-	if test "$UNAME_PROCESSOR" = "x86"; then
-		UNAME_PROCESSOR=i386
-		UNAME_MACHINE=pc
-	fi
-	echo ${UNAME_PROCESSOR}-${UNAME_MACHINE}-nto-qnx${UNAME_RELEASE}
-	exit 0 ;;
-    *:QNX:*:4*)
-	echo i386-pc-qnx
-	exit 0 ;;
-    NSR-[DGKLNPTVW]:NONSTOP_KERNEL:*:*)
-	echo nsr-tandem-nsk${UNAME_RELEASE}
-	exit 0 ;;
-    *:NonStop-UX:*:*)
-	echo mips-compaq-nonstopux
-	exit 0 ;;
-    BS2000:POSIX*:*:*)
-	echo bs2000-siemens-sysv
-	exit 0 ;;
-    DS/*:UNIX_System_V:*:*)
-	echo ${UNAME_MACHINE}-${UNAME_SYSTEM}-${UNAME_RELEASE}
-	exit 0 ;;
-    *:Plan9:*:*)
-	# "uname -m" is not consistent, so use $cputype instead. 386
-	# is converted to i386 for consistency with other x86
-	# operating systems.
-	if test "$cputype" = "386"; then
-	    UNAME_MACHINE=i386
-	else
-	    UNAME_MACHINE="$cputype"
-	fi
-	echo ${UNAME_MACHINE}-unknown-plan9
-	exit 0 ;;
-    *:TOPS-10:*:*)
-	echo pdp10-unknown-tops10
-	exit 0 ;;
-    *:TENEX:*:*)
-	echo pdp10-unknown-tenex
-	exit 0 ;;
-    KS10:TOPS-20:*:* | KL10:TOPS-20:*:* | TYPE4:TOPS-20:*:*)
-	echo pdp10-dec-tops20
-	exit 0 ;;
-    XKL-1:TOPS-20:*:* | TYPE5:TOPS-20:*:*)
-	echo pdp10-xkl-tops20
-	exit 0 ;;
-    *:TOPS-20:*:*)
-	echo pdp10-unknown-tops20
-	exit 0 ;;
-    *:ITS:*:*)
-	echo pdp10-unknown-its
-	exit 0 ;;
-esac
-
-#echo '(No uname command or uname output not recognized.)' 1>&2
-#echo "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" 1>&2
-
-eval $set_cc_for_build
-cat >$dummy.c <<EOF
-#ifdef _SEQUENT_
-# include <sys/types.h>
-# include <sys/utsname.h>
-#endif
-main ()
-{
-#if defined (sony)
-#if defined (MIPSEB)
-  /* BFD wants "bsd" instead of "newsos".  Perhaps BFD should be changed,
-     I don't know....  */
-  printf ("mips-sony-bsd\n"); exit (0);
-#else
-#include <sys/param.h>
-  printf ("m68k-sony-newsos%s\n",
-#ifdef NEWSOS4
-          "4"
-#else
-	  ""
-#endif
-         ); exit (0);
-#endif
-#endif
-
-#if defined (__arm) && defined (__acorn) && defined (__unix)
-  printf ("arm-acorn-riscix"); exit (0);
-#endif
-
-#if defined (hp300) && !defined (hpux)
-  printf ("m68k-hp-bsd\n"); exit (0);
-#endif
-
-#if defined (NeXT)
-#if !defined (__ARCHITECTURE__)
-#define __ARCHITECTURE__ "m68k"
-#endif
-  int version;
-  version=`(hostinfo | sed -n 's/.*NeXT Mach \([0-9]*\).*/\1/p') 2>/dev/null`;
-  if (version < 4)
-    printf ("%s-next-nextstep%d\n", __ARCHITECTURE__, version);
-  else
-    printf ("%s-next-openstep%d\n", __ARCHITECTURE__, version);
-  exit (0);
-#endif
-
-#if defined (MULTIMAX) || defined (n16)
-#if defined (UMAXV)
-  printf ("ns32k-encore-sysv\n"); exit (0);
-#else
-#if defined (CMU)
-  printf ("ns32k-encore-mach\n"); exit (0);
-#else
-  printf ("ns32k-encore-bsd\n"); exit (0);
-#endif
-#endif
-#endif
-
-#if defined (__386BSD__)
-  printf ("i386-pc-bsd\n"); exit (0);
-#endif
-
-#if defined (sequent)
-#if defined (i386)
-  printf ("i386-sequent-dynix\n"); exit (0);
-#endif
-#if defined (ns32000)
-  printf ("ns32k-sequent-dynix\n"); exit (0);
-#endif
-#endif
-
-#if defined (_SEQUENT_)
-    struct utsname un;
-
-    uname(&un);
-
-    if (strncmp(un.version, "V2", 2) == 0) {
-	printf ("i386-sequent-ptx2\n"); exit (0);
-    }
-    if (strncmp(un.version, "V1", 2) == 0) { /* XXX is V1 correct? */
-	printf ("i386-sequent-ptx1\n"); exit (0);
-    }
-    printf ("i386-sequent-ptx\n"); exit (0);
-
-#endif
-
-#if defined (vax)
-# if !defined (ultrix)
-#  include <sys/param.h>
-#  if defined (BSD)
-#   if BSD == 43
-      printf ("vax-dec-bsd4.3\n"); exit (0);
-#   else
-#    if BSD == 199006
-      printf ("vax-dec-bsd4.3reno\n"); exit (0);
-#    else
-      printf ("vax-dec-bsd\n"); exit (0);
-#    endif
-#   endif
-#  else
-    printf ("vax-dec-bsd\n"); exit (0);
-#  endif
-# else
-    printf ("vax-dec-ultrix\n"); exit (0);
-# endif
-#endif
-
-#if defined (alliant) && defined (i860)
-  printf ("i860-alliant-bsd\n"); exit (0);
-#endif
-
-  exit (1);
-}
-EOF
-
-$CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null && $dummy && exit 0
-
-# Apollos put the system type in the environment.
-
-test -d /usr/apollo && { echo ${ISP}-apollo-${SYSTYPE}; exit 0; }
-
-# Convex versions that predate uname can use getsysinfo(1)
-
-if [ -x /usr/convex/getsysinfo ]
-then
-    case `getsysinfo -f cpu_type` in
-    c1*)
-	echo c1-convex-bsd
-	exit 0 ;;
-    c2*)
-	if getsysinfo -f scalar_acc
-	then echo c32-convex-bsd
-	else echo c2-convex-bsd
-	fi
-	exit 0 ;;
-    c34*)
-	echo c34-convex-bsd
-	exit 0 ;;
-    c38*)
-	echo c38-convex-bsd
-	exit 0 ;;
-    c4*)
-	echo c4-convex-bsd
-	exit 0 ;;
-    esac
-fi
-
-cat >&2 <<EOF
-$0: unable to guess system type
-
-This script, last modified $timestamp, has failed to recognize
-the operating system you are using. It is advised that you
-download the most up to date version of the config scripts from
-
-    ftp://ftp.gnu.org/pub/gnu/config/
-
-If the version you run ($0) is already up to date, please
-send the following data and any information you think might be
-pertinent to <config-patches@gnu.org> in order to provide the needed
-information to handle your system.
-
-config.guess timestamp = $timestamp
-
-uname -m = `(uname -m) 2>/dev/null || echo unknown`
-uname -r = `(uname -r) 2>/dev/null || echo unknown`
-uname -s = `(uname -s) 2>/dev/null || echo unknown`
-uname -v = `(uname -v) 2>/dev/null || echo unknown`
-
-/usr/bin/uname -p = `(/usr/bin/uname -p) 2>/dev/null`
-/bin/uname -X     = `(/bin/uname -X) 2>/dev/null`
-
-hostinfo               = `(hostinfo) 2>/dev/null`
-/bin/universe          = `(/bin/universe) 2>/dev/null`
-/usr/bin/arch -k       = `(/usr/bin/arch -k) 2>/dev/null`
-/bin/arch              = `(/bin/arch) 2>/dev/null`
-/usr/bin/oslevel       = `(/usr/bin/oslevel) 2>/dev/null`
-/usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null`
-
-UNAME_MACHINE = ${UNAME_MACHINE}
-UNAME_RELEASE = ${UNAME_RELEASE}
-UNAME_SYSTEM  = ${UNAME_SYSTEM}
-UNAME_VERSION = ${UNAME_VERSION}
-EOF
-
-exit 1
-
-# Local variables:
-# eval: (add-hook 'write-file-hooks 'time-stamp)
-# time-stamp-start: "timestamp='"
-# time-stamp-format: "%:y-%02m-%02d"
-# time-stamp-end: "'"
-# End:
diff --git a/config.h.in b/config.h.in
new file mode 100644
index 0000000000..2820875b78
--- /dev/null
+++ b/config.h.in
@@ -0,0 +1,150 @@
+/* enable IPV6 processing */
+#cmakedefine BROv6
+
+/* Old libpcap versions (< 0.6.1) need defining pcap_freecode and
+   pcap_compile_nopcap */
+#cmakedefine DONT_HAVE_LIBPCAP_PCAP_FREECODE
+
+/* should explicitly declare socket() and friends */
+#cmakedefine DO_SOCK_DECL
+
+/* Define if you have the <getopt.h> header file. */
+#cmakedefine HAVE_GETOPT_H
+
+/* Define if you have the `getopt_long' function. */
+#cmakedefine HAVE_GETOPT_LONG
+
+/* Define if you have the `magic' library (-lmagic). */
+#cmakedefine HAVE_LIBMAGIC
+
+/* Define if you have the `z' library (-lz). */
+#cmakedefine HAVE_LIBZ
+
+/* We are on a Linux system */
+#cmakedefine HAVE_LINUX
+
+/* Define if you have the <magic.h> header file. */
+#cmakedefine HAVE_MAGIC_H
+
+/* Define if you have the `mallinfo' function. */
+#cmakedefine HAVE_MALLINFO
+
+/* Define if you have the <memory.h> header file. */
+#cmakedefine HAVE_MEMORY_H
+
+/* Define if you have the <netinet/if_ether.h> header file. */
+#cmakedefine HAVE_NETINET_IF_ETHER_H
+
+/* Define if you have the <netinet/ip6.h> header file. */
+#cmakedefine HAVE_NETINET_IP6_H
+
+/* Define if you have the <net/ethernet.h> header file. */
+#cmakedefine HAVE_NET_ETHERNET_H
+
+/* We are on a OpenBSD system */
+#cmakedefine HAVE_OPENBSD
+
+/* have os-proto.h */
+#cmakedefine HAVE_OS_PROTO_H
+
+/* Define if you have the <pcap-int.h> header file. */
+#cmakedefine HAVE_PCAP_INT_H
+
+/* line editing & history powers */
+#cmakedefine HAVE_READLINE
+
+/* Define if you have the `sigaction' function, but not `sigset'. */
+#cmakedefine HAVE_SIGACTION
+
+/* Define if you have the `sigset' function. */
+#cmakedefine HAVE_SIGSET
+
+/* Define if you have the `strcasestr' function. */
+#cmakedefine HAVE_STRCASESTR
+
+/* Define if you have the `strerror' function. */
+#cmakedefine HAVE_STRERROR
+
+/* Define if you have the `strsep' function. */
+#cmakedefine HAVE_STRSEP
+
+/* Define if you have the <sys/ethernet.h> header file. */
+#cmakedefine HAVE_SYS_ETHERNET_H
+
+/* Some libpcap versions use an extra parameter (error) in pcap_compile_nopcap
+   */
+#cmakedefine LIBPCAP_PCAP_COMPILE_NOPCAP_HAS_ERROR_PARAMETER
+
+/* Include krb5.h */
+#cmakedefine NEED_KRB5_H
+
+/* Compatibility for Darwin */
+#cmakedefine NEED_NAMESER_COMPAT_H
+
+/* d2i_x509 uses const char** */
+#cmakedefine OPENSSL_D2I_X509_USES_CONST_CHAR
+
+/* Define as the return type of signal handlers (`int' or `void'). */
+#define RETSIGTYPE @RETSIGTYPE@
+
+/* signal function return value */
+#define RETSIGVAL @RETSIGVAL@
+
+/* have sin_len field in sockaddr_in */
+#cmakedefine SIN_LEN
+
+/* The size of `long int', as computed by sizeof. */
+#define SIZEOF_LONG_INT @SIZEOF_LONG_INT@
+
+/* The size of `long long', as computed by sizeof. */
+#define SIZEOF_LONG_LONG @SIZEOF_LONG_LONG@
+
+/* The size of `void *', as computed by sizeof. */
+#define SIZEOF_VOID_P @SIZEOF_VOID_P@
+
+/* should we declare syslog() and openlog() */
+#cmakedefine SYSLOG_INT
+
+/* Define if you have <sys/time.h> */
+#cmakedefine HAVE_SYS_TIME_H
+
+/* Define if you can safely include both <sys/time.h> and <time.h>. */
+#cmakedefine TIME_WITH_SYS_TIME
+
+/* GeoIP geographic lookup functionality */
+#cmakedefine USE_GEOIP
+
+/* Use Google's perftools */
+#cmakedefine USE_PERFTOOLS
+
+/* Version number of package */
+#define VERSION "@VERSION@"
+
+/* whether words are stored with the most significant byte first */
+#cmakedefine WORDS_BIGENDIAN
+
+/* ultrix can't hack const */
+#cmakedefine NEED_ULTRIX_CONST_HACK
+#ifdef NEED_ULTRIX_CONST_HACK
+#define const
+#endif
+
+/* Define int32_t */
+#cmakedefine int32_t @int32_t@
+
+/* use sigset() instead of signal() */
+#ifdef HAVE_SIGSET
+#define signal sigset
+#endif
+
+/* define to int if socklen_t not available */
+#cmakedefine socklen_t @socklen_t@
+
+/* Define u_int16_t */
+#cmakedefine u_int16_t @u_int16_t@
+
+/* Define u_int32_t */
+#cmakedefine u_int32_t @u_int32_t@
+
+/* Define u_int8_t */
+#cmakedefine u_int8_t @u_int8_t@
diff --git a/config.sub b/config.sub
deleted file mode 100755
index fe4f1edf3c..0000000000
--- a/config.sub
+++ /dev/null
@@ -1,1492 +0,0 @@
-#! /bin/sh
-# Configuration validation subroutine script.
-#   Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
-#   2000, 2001, 2002, 2003 Free Software Foundation, Inc.
-
-timestamp='2003-05-09'
-
-# This file is (in principle) common to ALL GNU software.
-# The presence of a machine in this file suggests that SOME GNU software
-# can handle that machine.  It does not imply ALL GNU software can.
-#
-# This file is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place - Suite 330,
-# Boston, MA 02111-1307, USA.
-
-# As a special exception to the GNU General Public License, if you
-# distribute this file as part of a program that contains a
-# configuration script generated by Autoconf, you may include it under
-# the same distribution terms that you use for the rest of that program.
-
-# Please send patches to <config-patches@gnu.org>.  Submit a context
-# diff and a properly formatted ChangeLog entry.
-#
-# Configuration subroutine to validate and canonicalize a configuration type.
-# Supply the specified configuration type as an argument.
-# If it is invalid, we print an error message on stderr and exit with code 1.
-# Otherwise, we print the canonical config type on stdout and succeed.
-
-# This file is supposed to be the same for all GNU packages
-# and recognize all the CPU types, system types and aliases
-# that are meaningful with *any* GNU software.
-# Each package is responsible for reporting which valid configurations
-# it does not support.  The user should be able to distinguish
-# a failure to support a valid configuration from a meaningless
-# configuration.
-
-# The goal of this file is to map all the various variations of a given
-# machine specification into a single specification in the form:
-#	CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM
-# or in some cases, the newer four-part form:
-#	CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM
-# It is wrong to echo any other type of specification.
-
-me=`echo "$0" | sed -e 's,.*/,,'`
-
-usage="\
-Usage: $0 [OPTION] CPU-MFR-OPSYS
-       $0 [OPTION] ALIAS
-
-Canonicalize a configuration name.
-
-Operation modes:
-  -h, --help         print this help, then exit
-  -t, --time-stamp   print date of last modification, then exit
-  -v, --version      print version number, then exit
-
-Report bugs and patches to <config-patches@gnu.org>."
-
-version="\
-GNU config.sub ($timestamp)
-
-Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001
-Free Software Foundation, Inc.
-
-This is free software; see the source for copying conditions.  There is NO
-warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
-
-help="
-Try \`$me --help' for more information."
-
-# Parse command line
-while test $# -gt 0 ; do
-  case $1 in
-    --time-stamp | --time* | -t )
-       echo "$timestamp" ; exit 0 ;;
-    --version | -v )
-       echo "$version" ; exit 0 ;;
-    --help | --h* | -h )
-       echo "$usage"; exit 0 ;;
-    -- )     # Stop option processing
-       shift; break ;;
-    - )	# Use stdin as input.
-       break ;;
-    -* )
-       echo "$me: invalid option $1$help"
-       exit 1 ;;
-
-    *local*)
-       # First pass through any local machine types.
-       echo $1
-       exit 0;;
-
-    * )
-       break ;;
-  esac
-done
-
-case $# in
- 0) echo "$me: missing argument$help" >&2
-    exit 1;;
- 1) ;;
- *) echo "$me: too many arguments$help" >&2
-    exit 1;;
-esac
-
-# Separate what the user gave into CPU-COMPANY and OS or KERNEL-OS (if any).
-# Here we must recognize all the valid KERNEL-OS combinations.
-maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'`
-case $maybe_os in
-  nto-qnx* | linux-gnu* | freebsd*-gnu* | netbsd*-gnu* | storm-chaos* | os2-emx* | rtmk-nova*)
-    os=-$maybe_os
-    basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`
-    ;;
-  *)
-    basic_machine=`echo $1 | sed 's/-[^-]*$//'`
-    if [ $basic_machine != $1 ]
-    then os=`echo $1 | sed 's/.*-/-/'`
-    else os=; fi
-    ;;
-esac
-
-### Let's recognize common machines as not being operating systems so
-### that things like config.sub decstation-3100 work.  We also
-### recognize some manufacturers as not being operating systems, so we
-### can provide default operating systems below.
-case $os in
-	-sun*os*)
-		# Prevent following clause from handling this invalid input.
-		;;
-	-dec* | -mips* | -sequent* | -encore* | -pc532* | -sgi* | -sony* | \
-	-att* | -7300* | -3300* | -delta* | -motorola* | -sun[234]* | \
-	-unicom* | -ibm* | -next | -hp | -isi* | -apollo | -altos* | \
-	-convergent* | -ncr* | -news | -32* | -3600* | -3100* | -hitachi* |\
-	-c[123]* | -convex* | -sun | -crds | -omron* | -dg | -ultra | -tti* | \
-	-harris | -dolphin | -highlevel | -gould | -cbm | -ns | -masscomp | \
-	-apple | -axis)
-		os=
-		basic_machine=$1
-		;;
-	-sim | -cisco | -oki | -wec | -winbond)
-		os=
-		basic_machine=$1
-		;;
-	-scout)
-		;;
-	-wrs)
-		os=-vxworks
-		basic_machine=$1
-		;;
-	-chorusos*)
-		os=-chorusos
-		basic_machine=$1
-		;;
- 	-chorusrdb)
- 		os=-chorusrdb
-		basic_machine=$1
- 		;;
-	-hiux*)
-		os=-hiuxwe2
-		;;
-	-sco5)
-		os=-sco3.2v5
-		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
-		;;
-	-sco4)
-		os=-sco3.2v4
-		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
-		;;
-	-sco3.2.[4-9]*)
-		os=`echo $os | sed -e 's/sco3.2./sco3.2v/'`
-		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
-		;;
-	-sco3.2v[4-9]*)
-		# Don't forget version if it is 3.2v4 or newer.
-		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
-		;;
-	-sco*)
-		os=-sco3.2v2
-		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
-		;;
-	-udk*)
-		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
-		;;
-	-isc)
-		os=-isc2.2
-		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
-		;;
-	-clix*)
-		basic_machine=clipper-intergraph
-		;;
-	-isc*)
-		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
-		;;
-	-lynx*)
-		os=-lynxos
-		;;
-	-ptx*)
-		basic_machine=`echo $1 | sed -e 's/86-.*/86-sequent/'`
-		;;
-	-windowsnt*)
-		os=`echo $os | sed -e 's/windowsnt/winnt/'`
-		;;
-	-psos*)
-		os=-psos
-		;;
-	-mint | -mint[0-9]*)
-		basic_machine=m68k-atari
-		os=-mint
-		;;
-esac
-
-# Decode aliases for certain CPU-COMPANY combinations.
-case $basic_machine in
-	# Recognize the basic CPU types without company name.
-	# Some are omitted here because they have special meanings below.
-	1750a | 580 \
-	| a29k \
-	| alpha | alphaev[4-8] | alphaev56 | alphaev6[78] | alphapca5[67] \
-	| alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] | alpha64pca5[67] \
-	| arc | arm | arm[bl]e | arme[lb] | armv[2345] | armv[345][lb] | avr \
-	| clipper \
-	| d10v | d30v | dlx | dsp16xx \
-	| fr30 | frv \
-	| h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \
-	| i370 | i860 | i960 | ia64 \
-	| ip2k \
-	| m32r | m68000 | m68k | m88k | mcore \
-	| mips | mipsbe | mipseb | mipsel | mipsle \
-	| mips16 \
-	| mips64 | mips64el \
-	| mips64vr | mips64vrel \
-	| mips64orion | mips64orionel \
-	| mips64vr4100 | mips64vr4100el \
-	| mips64vr4300 | mips64vr4300el \
-	| mips64vr5000 | mips64vr5000el \
-	| mipsisa32 | mipsisa32el \
-	| mipsisa32r2 | mipsisa32r2el \
-	| mipsisa64 | mipsisa64el \
-	| mipsisa64sb1 | mipsisa64sb1el \
-	| mipsisa64sr71k | mipsisa64sr71kel \
-	| mipstx39 | mipstx39el \
-	| mn10200 | mn10300 \
-	| msp430 \
-	| ns16k | ns32k \
-	| openrisc | or32 \
-	| pdp10 | pdp11 | pj | pjl \
-	| powerpc | powerpc64 | powerpc64le | powerpcle | ppcbe \
-	| pyramid \
-	| sh | sh[1234] | sh[23]e | sh[34]eb | shbe | shle | sh[1234]le | sh3ele \
-	| sh64 | sh64le \
-	| sparc | sparc64 | sparc86x | sparclet | sparclite | sparcv9 | sparcv9b \
-	| strongarm \
-	| tahoe | thumb | tic80 | tron \
-	| v850 | v850e \
-	| we32k \
-	| x86 | xscale | xstormy16 | xtensa \
-	| z8k)
-		basic_machine=$basic_machine-unknown
-		;;
-	m6811 | m68hc11 | m6812 | m68hc12)
-		# Motorola 68HC11/12.
-		basic_machine=$basic_machine-unknown
-		os=-none
-		;;
-	m88110 | m680[12346]0 | m683?2 | m68360 | m5200 | v70 | w65 | z8k)
-		;;
-
-	# We use `pc' rather than `unknown'
-	# because (1) that's what they normally are, and
-	# (2) the word "unknown" tends to confuse beginning users.
-	i*86 | x86_64)
-	  basic_machine=$basic_machine-pc
-	  ;;
-	# Object if more than one company name word.
-	*-*-*)
-		echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2
-		exit 1
-		;;
-	# Recognize the basic CPU types with company name.
-	580-* \
-	| a29k-* \
-	| alpha-* | alphaev[4-8]-* | alphaev56-* | alphaev6[78]-* \
-	| alpha64-* | alpha64ev[4-8]-* | alpha64ev56-* | alpha64ev6[78]-* \
-	| alphapca5[67]-* | alpha64pca5[67]-* | arc-* \
-	| arm-*  | armbe-* | armle-* | armeb-* | armv*-* \
-	| avr-* \
-	| bs2000-* \
-	| c[123]* | c30-* | [cjt]90-* | c4x-* | c54x-* | c55x-* | c6x-* \
-	| clipper-* | cydra-* \
-	| d10v-* | d30v-* | dlx-* \
-	| elxsi-* \
-	| f30[01]-* | f700-* | fr30-* | frv-* | fx80-* \
-	| h8300-* | h8500-* \
-	| hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \
-	| i*86-* | i860-* | i960-* | ia64-* \
-	| ip2k-* \
-	| m32r-* \
-	| m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \
-	| m88110-* | m88k-* | mcore-* \
-	| mips-* | mipsbe-* | mipseb-* | mipsel-* | mipsle-* \
-	| mips16-* \
-	| mips64-* | mips64el-* \
-	| mips64vr-* | mips64vrel-* \
-	| mips64orion-* | mips64orionel-* \
-	| mips64vr4100-* | mips64vr4100el-* \
-	| mips64vr4300-* | mips64vr4300el-* \
-	| mips64vr5000-* | mips64vr5000el-* \
-	| mipsisa32-* | mipsisa32el-* \
-	| mipsisa32r2-* | mipsisa32r2el-* \
-	| mipsisa64-* | mipsisa64el-* \
-	| mipsisa64sb1-* | mipsisa64sb1el-* \
-	| mipsisa64sr71k-* | mipsisa64sr71kel-* \
-	| mipstx39-* | mipstx39el-* \
-	| msp430-* \
-	| none-* | np1-* | nv1-* | ns16k-* | ns32k-* \
-	| orion-* \
-	| pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \
-	| powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* | ppcbe-* \
-	| pyramid-* \
-	| romp-* | rs6000-* \
-	| sh-* | sh[1234]-* | sh[23]e-* | sh[34]eb-* | shbe-* \
-	| shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \
-	| sparc-* | sparc64-* | sparc86x-* | sparclet-* | sparclite-* \
-	| sparcv9-* | sparcv9b-* | strongarm-* | sv1-* | sx?-* \
-	| tahoe-* | thumb-* \
-	| tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \
-	| tron-* \
-	| v850-* | v850e-* | vax-* \
-	| we32k-* \
-	| x86-* | x86_64-* | xps100-* | xscale-* | xstormy16-* \
-	| xtensa-* \
-	| ymp-* \
-	| z8k-*)
-		;;
-	# Recognize the various machine names and aliases which stand
-	# for a CPU type and a company and sometimes even an OS.
-	386bsd)
-		basic_machine=i386-unknown
-		os=-bsd
-		;;
-	3b1 | 7300 | 7300-att | att-7300 | pc7300 | safari | unixpc)
-		basic_machine=m68000-att
-		;;
-	3b*)
-		basic_machine=we32k-att
-		;;
-	a29khif)
-		basic_machine=a29k-amd
-		os=-udi
-		;;
-	adobe68k)
-		basic_machine=m68010-adobe
-		os=-scout
-		;;
-	alliant | fx80)
-		basic_machine=fx80-alliant
-		;;
-	altos | altos3068)
-		basic_machine=m68k-altos
-		;;
-	am29k)
-		basic_machine=a29k-none
-		os=-bsd
-		;;
-	amd64)
-		basic_machine=x86_64-pc
-		;;
-	amdahl)
-		basic_machine=580-amdahl
-		os=-sysv
-		;;
-	amiga | amiga-*)
-		basic_machine=m68k-unknown
-		;;
-	amigaos | amigados)
-		basic_machine=m68k-unknown
-		os=-amigaos
-		;;
-	amigaunix | amix)
-		basic_machine=m68k-unknown
-		os=-sysv4
-		;;
-	apollo68)
-		basic_machine=m68k-apollo
-		os=-sysv
-		;;
-	apollo68bsd)
-		basic_machine=m68k-apollo
-		os=-bsd
-		;;
-	aux)
-		basic_machine=m68k-apple
-		os=-aux
-		;;
-	balance)
-		basic_machine=ns32k-sequent
-		os=-dynix
-		;;
-	c90)
-		basic_machine=c90-cray
-		os=-unicos
-		;;
-	convex-c1)
-		basic_machine=c1-convex
-		os=-bsd
-		;;
-	convex-c2)
-		basic_machine=c2-convex
-		os=-bsd
-		;;
-	convex-c32)
-		basic_machine=c32-convex
-		os=-bsd
-		;;
-	convex-c34)
-		basic_machine=c34-convex
-		os=-bsd
-		;;
-	convex-c38)
-		basic_machine=c38-convex
-		os=-bsd
-		;;
-	cray | j90)
-		basic_machine=j90-cray
-		os=-unicos
-		;;
-	crds | unos)
-		basic_machine=m68k-crds
-		;;
-	cris | cris-* | etrax*)
-		basic_machine=cris-axis
-		;;
-	da30 | da30-*)
-		basic_machine=m68k-da30
-		;;
-	decstation | decstation-3100 | pmax | pmax-* | pmin | dec3100 | decstatn)
-		basic_machine=mips-dec
-		;;
-	decsystem10* | dec10*)
-		basic_machine=pdp10-dec
-		os=-tops10
-		;;
-	decsystem20* | dec20*)
-		basic_machine=pdp10-dec
-		os=-tops20
-		;;
-	delta | 3300 | motorola-3300 | motorola-delta \
-	      | 3300-motorola | delta-motorola)
-		basic_machine=m68k-motorola
-		;;
-	delta88)
-		basic_machine=m88k-motorola
-		os=-sysv3
-		;;
-	dpx20 | dpx20-*)
-		basic_machine=rs6000-bull
-		os=-bosx
-		;;
-	dpx2* | dpx2*-bull)
-		basic_machine=m68k-bull
-		os=-sysv3
-		;;
-	ebmon29k)
-		basic_machine=a29k-amd
-		os=-ebmon
-		;;
-	elxsi)
-		basic_machine=elxsi-elxsi
-		os=-bsd
-		;;
-	encore | umax | mmax)
-		basic_machine=ns32k-encore
-		;;
-	es1800 | OSE68k | ose68k | ose | OSE)
-		basic_machine=m68k-ericsson
-		os=-ose
-		;;
-	fx2800)
-		basic_machine=i860-alliant
-		;;
-	genix)
-		basic_machine=ns32k-ns
-		;;
-	gmicro)
-		basic_machine=tron-gmicro
-		os=-sysv
-		;;
-	go32)
-		basic_machine=i386-pc
-		os=-go32
-		;;
-	h3050r* | hiux*)
-		basic_machine=hppa1.1-hitachi
-		os=-hiuxwe2
-		;;
-	h8300hms)
-		basic_machine=h8300-hitachi
-		os=-hms
-		;;
-	h8300xray)
-		basic_machine=h8300-hitachi
-		os=-xray
-		;;
-	h8500hms)
-		basic_machine=h8500-hitachi
-		os=-hms
-		;;
-	harris)
-		basic_machine=m88k-harris
-		os=-sysv3
-		;;
-	hp300-*)
-		basic_machine=m68k-hp
-		;;
-	hp300bsd)
-		basic_machine=m68k-hp
-		os=-bsd
-		;;
-	hp300hpux)
-		basic_machine=m68k-hp
-		os=-hpux
-		;;
-	hp3k9[0-9][0-9] | hp9[0-9][0-9])
-		basic_machine=hppa1.0-hp
-		;;
-	hp9k2[0-9][0-9] | hp9k31[0-9])
-		basic_machine=m68000-hp
-		;;
-	hp9k3[2-9][0-9])
-		basic_machine=m68k-hp
-		;;
-	hp9k6[0-9][0-9] | hp6[0-9][0-9])
-		basic_machine=hppa1.0-hp
-		;;
-	hp9k7[0-79][0-9] | hp7[0-79][0-9])
-		basic_machine=hppa1.1-hp
-		;;
-	hp9k78[0-9] | hp78[0-9])
-		# FIXME: really hppa2.0-hp
-		basic_machine=hppa1.1-hp
-		;;
-	hp9k8[67]1 | hp8[67]1 | hp9k80[24] | hp80[24] | hp9k8[78]9 | hp8[78]9 | hp9k893 | hp893)
-		# FIXME: really hppa2.0-hp
-		basic_machine=hppa1.1-hp
-		;;
-	hp9k8[0-9][13679] | hp8[0-9][13679])
-		basic_machine=hppa1.1-hp
-		;;
-	hp9k8[0-9][0-9] | hp8[0-9][0-9])
-		basic_machine=hppa1.0-hp
-		;;
-	hppa-next)
-		os=-nextstep3
-		;;
-	hppaosf)
-		basic_machine=hppa1.1-hp
-		os=-osf
-		;;
-	hppro)
-		basic_machine=hppa1.1-hp
-		os=-proelf
-		;;
-	i370-ibm* | ibm*)
-		basic_machine=i370-ibm
-		;;
-# I'm not sure what "Sysv32" means.  Should this be sysv3.2?
-	i*86v32)
-		basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
-		os=-sysv32
-		;;
-	i*86v4*)
-		basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
-		os=-sysv4
-		;;
-	i*86v)
-		basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
-		os=-sysv
-		;;
-	i*86sol2)
-		basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
-		os=-solaris2
-		;;
-	i386mach)
-		basic_machine=i386-mach
-		os=-mach
-		;;
-	i386-vsta | vsta)
-		basic_machine=i386-unknown
-		os=-vsta
-		;;
-	iris | iris4d)
-		basic_machine=mips-sgi
-		case $os in
-		    -irix*)
-			;;
-		    *)
-			os=-irix4
-			;;
-		esac
-		;;
-	isi68 | isi)
-		basic_machine=m68k-isi
-		os=-sysv
-		;;
-	m88k-omron*)
-		basic_machine=m88k-omron
-		;;
-	magnum | m3230)
-		basic_machine=mips-mips
-		os=-sysv
-		;;
-	merlin)
-		basic_machine=ns32k-utek
-		os=-sysv
-		;;
-	mingw32)
-		basic_machine=i386-pc
-		os=-mingw32
-		;;
-	miniframe)
-		basic_machine=m68000-convergent
-		;;
-	*mint | -mint[0-9]* | *MiNT | *MiNT[0-9]*)
-		basic_machine=m68k-atari
-		os=-mint
-		;;
-	mips3*-*)
-		basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`
-		;;
-	mips3*)
-		basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`-unknown
-		;;
-	mmix*)
-		basic_machine=mmix-knuth
-		os=-mmixware
-		;;
-	monitor)
-		basic_machine=m68k-rom68k
-		os=-coff
-		;;
-	morphos)
-		basic_machine=powerpc-unknown
-		os=-morphos
-		;;
-	msdos)
-		basic_machine=i386-pc
-		os=-msdos
-		;;
-	mvs)
-		basic_machine=i370-ibm
-		os=-mvs
-		;;
-	ncr3000)
-		basic_machine=i486-ncr
-		os=-sysv4
-		;;
-	netbsd386)
-		basic_machine=i386-unknown
-		os=-netbsd
-		;;
-	netwinder)
-		basic_machine=armv4l-rebel
-		os=-linux
-		;;
-	news | news700 | news800 | news900)
-		basic_machine=m68k-sony
-		os=-newsos
-		;;
-	news1000)
-		basic_machine=m68030-sony
-		os=-newsos
-		;;
-	news-3600 | risc-news)
-		basic_machine=mips-sony
-		os=-newsos
-		;;
-	necv70)
-		basic_machine=v70-nec
-		os=-sysv
-		;;
-	next | m*-next )
-		basic_machine=m68k-next
-		case $os in
-		    -nextstep* )
-			;;
-		    -ns2*)
-		      os=-nextstep2
-			;;
-		    *)
-		      os=-nextstep3
-			;;
-		esac
-		;;
-	nh3000)
-		basic_machine=m68k-harris
-		os=-cxux
-		;;
-	nh[45]000)
-		basic_machine=m88k-harris
-		os=-cxux
-		;;
-	nindy960)
-		basic_machine=i960-intel
-		os=-nindy
-		;;
-	mon960)
-		basic_machine=i960-intel
-		os=-mon960
-		;;
-	nonstopux)
-		basic_machine=mips-compaq
-		os=-nonstopux
-		;;
-	np1)
-		basic_machine=np1-gould
-		;;
-	nv1)
-		basic_machine=nv1-cray
-		os=-unicosmp
-		;;
-	nsr-tandem)
-		basic_machine=nsr-tandem
-		;;
-	op50n-* | op60c-*)
-		basic_machine=hppa1.1-oki
-		os=-proelf
-		;;
-	or32 | or32-*)
-		basic_machine=or32-unknown
-		os=-coff
-		;;
-	OSE68000 | ose68000)
-		basic_machine=m68000-ericsson
-		os=-ose
-		;;
-	os68k)
-		basic_machine=m68k-none
-		os=-os68k
-		;;
-	pa-hitachi)
-		basic_machine=hppa1.1-hitachi
-		os=-hiuxwe2
-		;;
-	paragon)
-		basic_machine=i860-intel
-		os=-osf
-		;;
-	pbd)
-		basic_machine=sparc-tti
-		;;
-	pbb)
-		basic_machine=m68k-tti
-		;;
-	pc532 | pc532-*)
-		basic_machine=ns32k-pc532
-		;;
-	pentium | p5 | k5 | k6 | nexgen | viac3)
-		basic_machine=i586-pc
-		;;
-	pentiumpro | p6 | 6x86 | athlon | athlon_*)
-		basic_machine=i686-pc
-		;;
-	pentiumii | pentium2)
-		basic_machine=i686-pc
-		;;
-	pentium-* | p5-* | k5-* | k6-* | nexgen-* | viac3-*)
-		basic_machine=i586-`echo $basic_machine | sed 's/^[^-]*-//'`
-		;;
-	pentiumpro-* | p6-* | 6x86-* | athlon-*)
-		basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'`
-		;;
-	pentiumii-* | pentium2-*)
-		basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'`
-		;;
-	pn)
-		basic_machine=pn-gould
-		;;
-	power)	basic_machine=power-ibm
-		;;
-	ppc)	basic_machine=powerpc-unknown
-		;;
-	ppc-*)	basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'`
-		;;
-	ppcle | powerpclittle | ppc-le | powerpc-little)
-		basic_machine=powerpcle-unknown
-		;;
-	ppcle-* | powerpclittle-*)
-		basic_machine=powerpcle-`echo $basic_machine | sed 's/^[^-]*-//'`
-		;;
-	ppc64)	basic_machine=powerpc64-unknown
-		;;
-	ppc64-*) basic_machine=powerpc64-`echo $basic_machine | sed 's/^[^-]*-//'`
-		;;
-	ppc64le | powerpc64little | ppc64-le | powerpc64-little)
-		basic_machine=powerpc64le-unknown
-		;;
-	ppc64le-* | powerpc64little-*)
-		basic_machine=powerpc64le-`echo $basic_machine | sed 's/^[^-]*-//'`
-		;;
-	ps2)
-		basic_machine=i386-ibm
-		;;
-	pw32)
-		basic_machine=i586-unknown
-		os=-pw32
-		;;
-	rom68k)
-		basic_machine=m68k-rom68k
-		os=-coff
-		;;
-	rm[46]00)
-		basic_machine=mips-siemens
-		;;
-	rtpc | rtpc-*)
-		basic_machine=romp-ibm
-		;;
-	s390 | s390-*)
-		basic_machine=s390-ibm
-		;;
-	s390x | s390x-*)
-		basic_machine=s390x-ibm
-		;;
-	sa29200)
-		basic_machine=a29k-amd
-		os=-udi
-		;;
-	sb1)
-		basic_machine=mipsisa64sb1-unknown
-		;;
-	sb1el)
-		basic_machine=mipsisa64sb1el-unknown
-		;;
-	sequent)
-		basic_machine=i386-sequent
-		;;
-	sh)
-		basic_machine=sh-hitachi
-		os=-hms
-		;;
-	sparclite-wrs | simso-wrs)
-		basic_machine=sparclite-wrs
-		os=-vxworks
-		;;
-	sps7)
-		basic_machine=m68k-bull
-		os=-sysv2
-		;;
-	spur)
-		basic_machine=spur-unknown
-		;;
-	st2000)
-		basic_machine=m68k-tandem
-		;;
-	stratus)
-		basic_machine=i860-stratus
-		os=-sysv4
-		;;
-	sun2)
-		basic_machine=m68000-sun
-		;;
-	sun2os3)
-		basic_machine=m68000-sun
-		os=-sunos3
-		;;
-	sun2os4)
-		basic_machine=m68000-sun
-		os=-sunos4
-		;;
-	sun3os3)
-		basic_machine=m68k-sun
-		os=-sunos3
-		;;
-	sun3os4)
-		basic_machine=m68k-sun
-		os=-sunos4
-		;;
-	sun4os3)
-		basic_machine=sparc-sun
-		os=-sunos3
-		;;
-	sun4os4)
-		basic_machine=sparc-sun
-		os=-sunos4
-		;;
-	sun4sol2)
-		basic_machine=sparc-sun
-		os=-solaris2
-		;;
-	sun3 | sun3-*)
-		basic_machine=m68k-sun
-		;;
-	sun4)
-		basic_machine=sparc-sun
-		;;
-	sun386 | sun386i | roadrunner)
-		basic_machine=i386-sun
-		;;
-	sv1)
-		basic_machine=sv1-cray
-		os=-unicos
-		;;
-	symmetry)
-		basic_machine=i386-sequent
-		os=-dynix
-		;;
-	t3e)
-		basic_machine=alphaev5-cray
-		os=-unicos
-		;;
-	t90)
-		basic_machine=t90-cray
-		os=-unicos
-		;;
-        tic4x | c4x*)
-		basic_machine=tic4x-unknown
-		os=-coff
-		;;
-	tic54x | c54x*)
-		basic_machine=tic54x-unknown
-		os=-coff
-		;;
-	tic55x | c55x*)
-		basic_machine=tic55x-unknown
-		os=-coff
-		;;
-	tic6x | c6x*)
-		basic_machine=tic6x-unknown
-		os=-coff
-		;;
-	tx39)
-		basic_machine=mipstx39-unknown
-		;;
-	tx39el)
-		basic_machine=mipstx39el-unknown
-		;;
-	toad1)
-		basic_machine=pdp10-xkl
-		os=-tops20
-		;;
-	tower | tower-32)
-		basic_machine=m68k-ncr
-		;;
-	udi29k)
-		basic_machine=a29k-amd
-		os=-udi
-		;;
-	ultra3)
-		basic_machine=a29k-nyu
-		os=-sym1
-		;;
-	v810 | necv810)
-		basic_machine=v810-nec
-		os=-none
-		;;
-	vaxv)
-		basic_machine=vax-dec
-		os=-sysv
-		;;
-	vms)
-		basic_machine=vax-dec
-		os=-vms
-		;;
-	vpp*|vx|vx-*)
-		basic_machine=f301-fujitsu
-		;;
-	vxworks960)
-		basic_machine=i960-wrs
-		os=-vxworks
-		;;
-	vxworks68)
-		basic_machine=m68k-wrs
-		os=-vxworks
-		;;
-	vxworks29k)
-		basic_machine=a29k-wrs
-		os=-vxworks
-		;;
-	w65*)
-		basic_machine=w65-wdc
-		os=-none
-		;;
-	w89k-*)
-		basic_machine=hppa1.1-winbond
-		os=-proelf
-		;;
-	xps | xps100)
-		basic_machine=xps100-honeywell
-		;;
-	ymp)
-		basic_machine=ymp-cray
-		os=-unicos
-		;;
-	z8k-*-coff)
-		basic_machine=z8k-unknown
-		os=-sim
-		;;
-	none)
-		basic_machine=none-none
-		os=-none
-		;;
-
-# Here we handle the default manufacturer of certain CPU types.  It is in
-# some cases the only manufacturer, in others, it is the most popular.
-	w89k)
-		basic_machine=hppa1.1-winbond
-		;;
-	op50n)
-		basic_machine=hppa1.1-oki
-		;;
-	op60c)
-		basic_machine=hppa1.1-oki
-		;;
-	romp)
-		basic_machine=romp-ibm
-		;;
-	rs6000)
-		basic_machine=rs6000-ibm
-		;;
-	vax)
-		basic_machine=vax-dec
-		;;
-	pdp10)
-		# there are many clones, so DEC is not a safe bet
-		basic_machine=pdp10-unknown
-		;;
-	pdp11)
-		basic_machine=pdp11-dec
-		;;
-	we32k)
-		basic_machine=we32k-att
-		;;
-	sh3 | sh4 | sh[34]eb | sh[1234]le | sh[23]ele)
-		basic_machine=sh-unknown
-		;;
-	sh64)
-		basic_machine=sh64-unknown
-		;;
-	sparc | sparcv9 | sparcv9b)
-		basic_machine=sparc-sun
-		;;
-	cydra)
-		basic_machine=cydra-cydrome
-		;;
-	orion)
-		basic_machine=orion-highlevel
-		;;
-	orion105)
-		basic_machine=clipper-highlevel
-		;;
-	mac | mpw | mac-mpw)
-		basic_machine=m68k-apple
-		;;
-	pmac | pmac-mpw)
-		basic_machine=powerpc-apple
-		;;
-	*-unknown)
-		# Make sure to match an already-canonicalized machine name.
-		;;
-	*)
-		echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2
-		exit 1
-		;;
-esac
-
-# Here we canonicalize certain aliases for manufacturers.
-case $basic_machine in
-	*-digital*)
-		basic_machine=`echo $basic_machine | sed 's/digital.*/dec/'`
-		;;
-	*-commodore*)
-		basic_machine=`echo $basic_machine | sed 's/commodore.*/cbm/'`
-		;;
-	*)
-		;;
-esac
-
-# Decode manufacturer-specific aliases for certain operating systems.
-
-if [ x"$os" != x"" ]
-then
-case $os in
-        # First match some system type aliases
-        # that might get confused with valid system types.
-	# -solaris* is a basic system type, with this one exception.
-	-solaris1 | -solaris1.*)
-		os=`echo $os | sed -e 's|solaris1|sunos4|'`
-		;;
-	-solaris)
-		os=-solaris2
-		;;
-	-svr4*)
-		os=-sysv4
-		;;
-	-unixware*)
-		os=-sysv4.2uw
-		;;
-	-gnu/linux*)
-		os=`echo $os | sed -e 's|gnu/linux|linux-gnu|'`
-		;;
-	# First accept the basic system types.
-	# The portable systems comes first.
-	# Each alternative MUST END IN A *, to match a version number.
-	# -sysv* is not here because it comes later, after sysvr4.
-	-gnu* | -bsd* | -mach* | -minix* | -genix* | -ultrix* | -irix* \
-	      | -*vms* | -sco* | -esix* | -isc* | -aix* | -sunos | -sunos[34]*\
-	      | -hpux* | -unos* | -osf* | -luna* | -dgux* | -solaris* | -sym* \
-	      | -amigaos* | -amigados* | -msdos* | -newsos* | -unicos* | -aof* \
-	      | -aos* \
-	      | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \
-	      | -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \
-	      | -hiux* | -386bsd* | -netbsd* | -openbsd* | -freebsd* | -riscix* \
-	      | -lynxos* | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \
-	      | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \
-	      | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \
-	      | -chorusos* | -chorusrdb* \
-	      | -cygwin* | -pe* | -psos* | -moss* | -proelf* | -rtems* \
-	      | -mingw32* | -linux-gnu* | -uxpv* | -beos* | -mpeix* | -udk* \
-	      | -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \
-	      | -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \
-	      | -storm-chaos* | -tops10* | -tenex* | -tops20* | -its* \
-	      | -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \
-	      | -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \
-	      | -powermax* | -dnix*)
-	# Remember, each alternative MUST END IN *, to match a version number.
-		;;
-	-qnx*)
-		case $basic_machine in
-		    x86-* | i*86-*)
-			;;
-		    *)
-			os=-nto$os
-			;;
-		esac
-		;;
-	-nto-qnx*)
-		;;
-	-nto*)
-		os=`echo $os | sed -e 's|nto|nto-qnx|'`
-		;;
-	-sim | -es1800* | -hms* | -xray | -os68k* | -none* | -v88r* \
-	      | -windows* | -osx | -abug | -netware* | -os9* | -beos* \
-	      | -macos* | -mpw* | -magic* | -mmixware* | -mon960* | -lnews*)
-		;;
-	-mac*)
-		os=`echo $os | sed -e 's|mac|macos|'`
-		;;
-	-linux*)
-		os=`echo $os | sed -e 's|linux|linux-gnu|'`
-		;;
-	-sunos5*)
-		os=`echo $os | sed -e 's|sunos5|solaris2|'`
-		;;
-	-sunos6*)
-		os=`echo $os | sed -e 's|sunos6|solaris3|'`
-		;;
-	-opened*)
-		os=-openedition
-		;;
-	-wince*)
-		os=-wince
-		;;
-	-osfrose*)
-		os=-osfrose
-		;;
-	-osf*)
-		os=-osf
-		;;
-	-utek*)
-		os=-bsd
-		;;
-	-dynix*)
-		os=-bsd
-		;;
-	-acis*)
-		os=-aos
-		;;
-	-atheos*)
-		os=-atheos
-		;;
-	-386bsd)
-		os=-bsd
-		;;
-	-ctix* | -uts*)
-		os=-sysv
-		;;
-	-nova*)
-		os=-rtmk-nova
-		;;
-	-ns2 )
-		os=-nextstep2
-		;;
-	-nsk*)
-		os=-nsk
-		;;
-	# Preserve the version number of sinix5.
-	-sinix5.*)
-		os=`echo $os | sed -e 's|sinix|sysv|'`
-		;;
-	-sinix*)
-		os=-sysv4
-		;;
-	-triton*)
-		os=-sysv3
-		;;
-	-oss*)
-		os=-sysv3
-		;;
-	-svr4)
-		os=-sysv4
-		;;
-	-svr3)
-		os=-sysv3
-		;;
-	-sysvr4)
-		os=-sysv4
-		;;
-	# This must come after -sysvr4.
-	-sysv*)
-		;;
-	-ose*)
-		os=-ose
-		;;
-	-es1800*)
-		os=-ose
-		;;
-	-xenix)
-		os=-xenix
-		;;
-	-*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*)
-		os=-mint
-		;;
-	-aros*)
-		os=-aros
-		;;
-	-kaos*)
-		os=-kaos
-		;;
-	-none)
-		;;
-	*)
-		# Get rid of the `-' at the beginning of $os.
-		os=`echo $os | sed 's/[^-]*-//'`
-		echo Invalid configuration \`$1\': system \`$os\' not recognized 1>&2
-		exit 1
-		;;
-esac
-else
-
-# Here we handle the default operating systems that come with various machines.
-# The value should be what the vendor currently ships out the door with their
-# machine or put another way, the most popular os provided with the machine.
-
-# Note that if you're going to try to match "-MANUFACTURER" here (say,
-# "-sun"), then you have to tell the case statement up towards the top
-# that MANUFACTURER isn't an operating system.  Otherwise, code above
-# will signal an error saying that MANUFACTURER isn't an operating
-# system, and we'll never get to this point.
-
-case $basic_machine in
-	*-acorn)
-		os=-riscix1.2
-		;;
-	arm*-rebel)
-		os=-linux
-		;;
-	arm*-semi)
-		os=-aout
-		;;
-	# This must come before the *-dec entry.
-	pdp10-*)
-		os=-tops20
-		;;
-	pdp11-*)
-		os=-none
-		;;
-	*-dec | vax-*)
-		os=-ultrix4.2
-		;;
-	m68*-apollo)
-		os=-domain
-		;;
-	i386-sun)
-		os=-sunos4.0.2
-		;;
-	m68000-sun)
-		os=-sunos3
-		# This also exists in the configure program, but was not the
-		# default.
-		# os=-sunos4
-		;;
-	m68*-cisco)
-		os=-aout
-		;;
-	mips*-cisco)
-		os=-elf
-		;;
-	mips*-*)
-		os=-elf
-		;;
-	or32-*)
-		os=-coff
-		;;
-	*-tti)	# must be before sparc entry or we get the wrong os.
-		os=-sysv3
-		;;
-	sparc-* | *-sun)
-		os=-sunos4.1.1
-		;;
-	*-be)
-		os=-beos
-		;;
-	*-ibm)
-		os=-aix
-		;;
-	*-wec)
-		os=-proelf
-		;;
-	*-winbond)
-		os=-proelf
-		;;
-	*-oki)
-		os=-proelf
-		;;
-	*-hp)
-		os=-hpux
-		;;
-	*-hitachi)
-		os=-hiux
-		;;
-	i860-* | *-att | *-ncr | *-altos | *-motorola | *-convergent)
-		os=-sysv
-		;;
-	*-cbm)
-		os=-amigaos
-		;;
-	*-dg)
-		os=-dgux
-		;;
-	*-dolphin)
-		os=-sysv3
-		;;
-	m68k-ccur)
-		os=-rtu
-		;;
-	m88k-omron*)
-		os=-luna
-		;;
-	*-next )
-		os=-nextstep
-		;;
-	*-sequent)
-		os=-ptx
-		;;
-	*-crds)
-		os=-unos
-		;;
-	*-ns)
-		os=-genix
-		;;
-	i370-*)
-		os=-mvs
-		;;
-	*-next)
-		os=-nextstep3
-		;;
-	*-gould)
-		os=-sysv
-		;;
-	*-highlevel)
-		os=-bsd
-		;;
-	*-encore)
-		os=-bsd
-		;;
-	*-sgi)
-		os=-irix
-		;;
-	*-siemens)
-		os=-sysv4
-		;;
-	*-masscomp)
-		os=-rtu
-		;;
-	f30[01]-fujitsu | f700-fujitsu)
-		os=-uxpv
-		;;
-	*-rom68k)
-		os=-coff
-		;;
-	*-*bug)
-		os=-coff
-		;;
-	*-apple)
-		os=-macos
-		;;
-	*-atari*)
-		os=-mint
-		;;
-	*)
-		os=-none
-		;;
-esac
-fi
-
-# Here we handle the case where we know the os, and the CPU type, but not the
-# manufacturer.  We pick the logical manufacturer.
-vendor=unknown
-case $basic_machine in
-	*-unknown)
-		case $os in
-			-riscix*)
-				vendor=acorn
-				;;
-			-sunos*)
-				vendor=sun
-				;;
-			-aix*)
-				vendor=ibm
-				;;
-			-beos*)
-				vendor=be
-				;;
-			-hpux*)
-				vendor=hp
-				;;
-			-mpeix*)
-				vendor=hp
-				;;
-			-hiux*)
-				vendor=hitachi
-				;;
-			-unos*)
-				vendor=crds
-				;;
-			-dgux*)
-				vendor=dg
-				;;
-			-luna*)
-				vendor=omron
-				;;
-			-genix*)
-				vendor=ns
-				;;
-			-mvs* | -opened*)
-				vendor=ibm
-				;;
-			-ptx*)
-				vendor=sequent
-				;;
-			-vxsim* | -vxworks* | -windiss*)
-				vendor=wrs
-				;;
-			-aux*)
-				vendor=apple
-				;;
-			-hms*)
-				vendor=hitachi
-				;;
-			-mpw* | -macos*)
-				vendor=apple
-				;;
-			-*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*)
-				vendor=atari
-				;;
-			-vos*)
-				vendor=stratus
-				;;
-		esac
-		basic_machine=`echo $basic_machine | sed "s/unknown/$vendor/"`
-		;;
-esac
-
-echo $basic_machine$os
-exit 0
-
-# Local variables:
-# eval: (add-hook 'write-file-hooks 'time-stamp)
-# time-stamp-start: "timestamp='"
-# time-stamp-format: "%:y-%02m-%02d"
-# time-stamp-end: "'"
-# End:
diff --git a/configure b/configure
new file mode 100755
index 0000000000..864e3e4803
--- /dev/null
+++ b/configure
@@ -0,0 +1,246 @@
+#!/bin/sh
+# Convenience wrapper for easily viewing/setting options that
+# the project's CMake scripts will recognize
+
+command="$0 $*"
+
+# check for `cmake` command
+type cmake > /dev/null 2>&1 || {
+    echo "\
+This package requires CMake, please install it first, then you may
+use this configure script to access CMake equivalent functionality.\
+" >&2;
+    exit 1;
+}
+
+usage="\
+Usage: $0 [OPTION]... [VAR=VALUE]...
+
+  Build Options:
+    --builddir=DIR         place build files in directory [build]
+    --generator=GENERATOR  CMake generator to use (see cmake --help)
+
+  Installation Directories:
+    --prefix=PREFIX        installation directory [/usr/local/bro]
+    --policydir=PATH       policy file installation directory
+                           [PREFIX/share/bro]
+
+  Optional Features:
+    --enable-debug         compile in debugging mode
+    --enable-brov6         enable IPv6 processing
+    --enable-perftools     use Google's perftools
+    --enable-cluster       install Broctl configured for cluster operation
+                           (overridden by --disable-broctl)
+    --disable-broccoli     don't build or install the Broccoli library
+    --disable-broctl       don't install Broctl
+    --disable-auxtools     don't build or install auxilliary tools
+
+  Required Packages in Non-Standard Locations:
+    --with-openssl=PATH    path to OpenSSL install root
+    --with-bind=PATH       path to BIND install root
+    --with-pcap=PATH       path to libpcap install root
+    --with-binpac=PATH     path to BinPAC install root
+    --with-flex=PATH       path to flex executable
+    --with-bison=PATH      path to bison executable
+    --with-perl=PATH       path to perl executable
+
+  Optional Packages in Non-Standard Locations:
+    --with-libmagic=PATH   path to libmagic install root
+    --with-geoip=PATH      path to the libGeoIP install root
+    --with-perftools=PATH  path to Google Perftools install root
+    --with-python=PATH     path to Python interpreter
+    --with-python-lib=PATH path to libpython
+    --with-python-inc=PATH path to Python headers
+    --with-swig=PATH       path to SWIG executable
+
+  Packaging Options (for developers):
+    --binary-package       toggle special logic for binary packaging
+    --ignore-dirs=PATHS    paths to ignore when creating source package
+                           (semicolon delimited and quoted when multiple)
+    --pkg-name-prefix=NAME use the given name as the package prefix instead
+                           of the default CMake project name
+    --osx-sysroot=PATH     path to the OS X SDK to compile against
+    --osx-min-version=VER  minimum OS X version (the deployment target)
+
+  Influential Environment Variables (only on first invocation
+  per build directory):
+    CC                     C compiler command
+    CFLAGS                 C compiler flags
+    CXX                    C++ compiler command
+    CXXFLAGS               C++ compiler flags
+"
+
+sourcedir="$( cd "$( dirname "$0" )" && pwd )"
+
+# Function to append a CMake cache entry definition to the
+# CMakeCacheEntries variable
+#   $1 is the cache entry variable name
+#   $2 is the cache entry variable type
+#   $3 is the cache entry variable value
+append_cache_entry () {
+    CMakeCacheEntries="$CMakeCacheEntries -D $1:$2=$3"
+}
+
+# set defaults
+builddir=build
+CMakeCacheEntries=""
+append_cache_entry CMAKE_INSTALL_PREFIX PATH   /usr/local/bro
+append_cache_entry BRO_ROOT_DIR         PATH   /usr/local/bro
+append_cache_entry PY_MOD_INSTALL_DIR   PATH   /usr/local/bro/lib/broctl
+append_cache_entry POLICYDIR            STRING /usr/local/bro/share/bro
+append_cache_entry ENABLE_DEBUG         BOOL   false
+append_cache_entry BROv6                BOOL   false
+append_cache_entry ENABLE_PERFTOOLS     BOOL   false
+append_cache_entry BinPAC_SKIP_INSTALL  BOOL   true
+append_cache_entry BUILD_SHARED_LIBS    BOOL   true
+append_cache_entry INSTALL_AUX_TOOLS    BOOL   true
+append_cache_entry INSTALL_BROCCOLI     BOOL   true
+append_cache_entry INSTALL_BROCTL       BOOL   true
+append_cache_entry STANDALONE           BOOL   true
+append_cache_entry CPACK_SOURCE_IGNORE_FILES STRING
+
+# parse arguments
+while [ $# -ne 0 ]; do
+    case "$1" in
+        -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
+        *) optarg= ;;
+    esac
+
+    case "$1" in
+        --help|-h)
+            echo "${usage}" 1>&2
+            exit 1
+            ;;
+        --builddir=*)
+            builddir=$optarg
+            ;;
+        --generator=*)
+            CMakeGenerator="$optarg"
+            ;;
+        --prefix=*)
+            append_cache_entry CMAKE_INSTALL_PREFIX PATH   $optarg
+            append_cache_entry BRO_ROOT_DIR         PATH   $optarg
+            append_cache_entry PY_MOD_INSTALL_DIR   PATH   $optarg/lib/broctl
+            if [ "$user_set_policydir" != "true" ]; then
+                append_cache_entry POLICYDIR        STRING $optarg/share/bro
+            fi
+            ;;
+        --policydir=*)
+            append_cache_entry POLICYDIR            STRING $optarg
+            user_set_policydir="true"
+            ;;
+        --enable-debug)
+            append_cache_entry ENABLE_DEBUG         BOOL   true
+            ;;
+        --enable-brov6)
+            append_cache_entry BROv6                BOOL   true
+            ;;
+        --enable-perftools)
+            append_cache_entry ENABLE_PERFTOOLS     BOOL   true
+            ;;
+        --disable-broccoli)
+            append_cache_entry INSTALL_BROCCOLI     BOOL   false
+            ;;
+        --disable-broctl)
+            append_cache_entry INSTALL_BROCTL       BOOL   false
+            user_disabled_broctl="true"
+            ;;
+        --enable-cluster)
+            if [ "$user_disabled_broctl" != "true" ]; then
+                append_cache_entry STANDALONE       BOOL   false
+            fi
+            ;;
+        --disable-auxtools)
+            append_cache_entry INSTALL_AUX_TOOLS    BOOL   false
+            ;;
+        --with-openssl=*)
+            append_cache_entry OpenSSL_ROOT_DIR PATH $optarg
+            ;;
+        --with-bind=*)
+            append_cache_entry BIND_ROOT_DIR PATH $optarg
+            ;;
+        --with-pcap=*)
+            append_cache_entry PCAP_ROOT_DIR PATH $optarg
+            ;;
+        --with-binpac=*)
+            append_cache_entry BinPAC_ROOT_DIR PATH $optarg
+            ;;
+        --with-flex=*)
+            append_cache_entry FLEX_EXECUTABLE PATH $optarg
+            ;;
+        --with-bison=*)
+            append_cache_entry BISON_EXECUTABLE PATH $optarg
+            ;;
+        --with-perl=*)
+            append_cache_entry PERL_EXECUTABLE PATH $optarg
+            ;;
+        --with-libmagic=*)
+            append_cache_entry LibMagic_ROOT_DIR PATH $optarg
+            ;;
+        --with-geoip=*)
+            append_cache_entry LibGeoIP_ROOT_DIR PATH $optarg
+            ;;
+        --with-perftools=*)
+            append_cache_entry GooglePerftools_ROOT_DIR PATH $optarg
+            ;;
+        --with-python=*)
+            append_cache_entry PYTHON_EXECUTABLE    PATH    $optarg
+            ;;
+        --with-python-lib=*)
+            append_cache_entry PYTHON_LIBRARY       PATH    $optarg
+            ;;
+        --with-python-inc=*)
+            append_cache_entry PYTHON_INCLUDE_DIR   PATH    $optarg
+            append_cache_entry PYTHON_INCLUDE_PATH  PATH    $optarg
+            ;;
+        --with-swig=*)
+            append_cache_entry SWIG_EXECUTABLE      PATH    $optarg
+            ;;
+        --binary-package)
+            append_cache_entry BINARY_PACKAGING_MODE BOOL true
+            ;;
+        --ignore-dirs=*)
+            append_cache_entry CPACK_SOURCE_IGNORE_FILES STRING $optarg
+            ;;
+        --pkg-name-prefix=*)
+            append_cache_entry PACKAGE_NAME_PREFIX STRING $optarg
+            ;;
+        --osx-sysroot=*)
+            append_cache_entry CMAKE_OSX_SYSROOT PATH $optarg
+            ;;
+        --osx-min-version=*)
+            append_cache_entry CMAKE_OSX_DEPLOYMENT_TARGET STRING $optarg
+            ;;
+        *)
+            echo "Invalid option '$1'.  Try $0 --help to see available options."
+            exit 1
+            ;;
+    esac
+    shift
+done
+
+if [ -d $builddir ]; then
+    # If build directory exists, check if it has a CMake cache
+    if [ -f $builddir/CMakeCache.txt ]; then
+        # If the CMake cache exists, delete it so that this configuration
+        # is not tainted by a previous one
+        rm -f $builddir/CMakeCache.txt
+    fi
+else
+    # Create build directory
+    mkdir -p $builddir
+fi
+
+echo "Build Directory : $builddir"
+echo "Source Directory: $sourcedir"
+cd $builddir
+
+if [ -n "$CMakeGenerator" ]; then
+    cmake -G "$CMakeGenerator" $CMakeCacheEntries $sourcedir
+else
+    cmake $CMakeCacheEntries $sourcedir
+fi
+
+echo "# This is the command used to configure this build" > config.status
+echo $command >> config.status
+chmod u+x config.status
diff --git a/configure.in b/configure.in
deleted file mode 100644
index 16c1113a3a..0000000000
--- a/configure.in
+++ /dev/null
@@ -1,964 +0,0 @@
-dnl @(#) $Id: configure.in 6960 2009-12-19 06:22:16Z vern $ (LBL)
-dnl
-dnl Copyright (c) 1997, 1998, 2001, 2002
-dnl	The Regents of the University of California.  All rights reserved.
-dnl
-dnl Process this file with autoconf to produce a configure script.
-dnl
-
-## broken versioning stuff
-##m4_include([version.m4])
-##AC_INIT([bro], VERSION_NUMBER)
-
-## NOTICE: this sets the version at the autoconf time, not
-## at configure time, so it may be out of date!
-
-## start of changes for different versions of automake/conf
-
-# this will work with automake 1.8.5
-dnl AC_INIT(bro, esyscmd([tr -d '\n' < VERSION]))
-dnl AC_CONFIG_SRCDIR(src/Active.cc)
-dnl AC_CANONICAL_SYSTEM
-dnl AM_INIT_AUTOMAKE
-dnl AC_CONFIG_HEADER(config.h)
-dnl AC_LBL_C_INIT(V_CCOPT, V_INCLS)
-dnl AC_PROG_LEX
-
-## This should work with automake 1.6
-AC_INIT(src/Active.cc)
-AC_CANONICAL_SYSTEM
-#AM_INIT_AUTOMAKE(bro, 0.1.0)
-AM_INIT_AUTOMAKE(bro,  esyscmd([tr -d '\n' < VERSION]))
-AM_CONFIG_HEADER(config.h)
-AC_LBL_C_INIT(V_CCOPT, V_INCLS)
-AM_PROG_LEX
-
-## end of changes for versions of automake/conf
-
-dnl Commands for funkier shell output:
-BLD_ON=`./shtool echo -n -e %B`
-BLD_OFF=`./shtool echo -n -e %b`
-
-# We should install everything in /usr/local/bro{bin,lib,policy,etc}
-AC_PREFIX_DEFAULT(/usr/local/bro)
-
-dnl ################################################
-dnl # Checks for programs
-dnl ################################################
-AC_PROG_YACC
-AC_PROG_CXX
-AC_PROG_INSTALL
-AC_PROG_MAKE_SET
-AC_PROG_RANLIB
-AC_CHECK_PROGS(COMPRESS, gzip, compress)
-
-AM_CONDITIONAL(USEV6, false)
-
-AC_ARG_ENABLE(brov6,
-    [  --enable-brov6          enable IPV6 processing],
-    AC_DEFINE(BROv6,,[enable IPV6 processing])
-    AM_CONDITIONAL(USEV6,true))
-AC_ARG_ENABLE(int64,
-    [  --enable-int64          enable use of int64 (long long) for integers],
-    AC_DEFINE(USE_INT64,1,[enable use of 64-bit integers]))
-AC_ARG_ENABLE(activemapping,
-    [  --enable-activemapping  enable active mapping processing],
-    AC_DEFINE(ACTIVE_MAPPING,,[Enable active mapping processing]))
-AC_ARG_ENABLE(expire-dfa-states,
-    [  --enable-expire-dfa-states enable DFA state expiration],
-    AC_DEFINE(EXPIRE_DFA_STATES,,[Enable DFA state expiration]))
-
-AC_ARG_ENABLE(debug,
-    [  --enable-debug          no compiler optimizations],
-    debug="yes"
-    V_CCOPT="-g -DDEBUG"
-    CFLAGS="-DDEBUG `echo $CFLAGS | sed -e 's/-O2//'`"
-    CPPFLAGS="-DDEBUG `echo $CPPFLAGS | sed -e 's/-O2//'`"
-    CXXFLAGS="-DDEBUG `echo $CXXFLAGS | sed -e 's/-O2//'`",
-    debug="no")
-
-AC_ARG_ENABLE(select-loop,
-    [  --disable-select-loop   disable select-based main loop],
-    check_select_loop=no,
-    check_select_loop=yes)
-
-AC_ARG_ENABLE(perftools,
-    [  --enable-perftools      use Google's perftools],
-    use_perftools=yes,
-    use_perftools=no)
-
-AC_ARG_WITH(openssl,
-    [  --with-openssl=PATH     path to OpenSSL (needed for SSL analyzer and secure communication)],
-	if test "$withval" != "no" -a "$withval" != "NO"; then
-		use_openssl=yes
-		OPENSSL="$withval"
-		LDFLAGS="${LDFLAGS} -L${OPENSSL}/lib "
-		V_INCLS="${V_INCLS} -I${OPENSSL}/include"
-		CXXFLAGS="${CXXFLAGS} -I${OPENSSL}/include"
-	else
-		use_openssl=no
-	fi
-	)
-
-AC_ARG_ENABLE(shippedpcap, 
-              [  --enable-shippedpcap  use the shipped version of libpcap ],
-              [ if test "$enableval" = yes; then 
-                    use_shippedpcap=yes
-               else
-                   use_shippedpcap=no 
-               fi ],
-               [ use_shippedpcap=no ])
-
-AC_ARG_WITH(perl,     [  --with-perl=PATH        path/name of the Perl interpreter],
-            PERL=$withval, PERL=${PERL:-})
-
-AC_ARG_WITH(dag,
-	[  --with-dag=PATH         path to the DAG library (for native support for Endace Tech.'s DAG monitoring cards)],
-	if test "$withval" != "no" -a "$withval" != "NO"; then
-		use_dag=yes
-		DAGPATH="$withval"
-		LDFLAGS="${LDFLAGS} -L${DAGPATH}/lib "
-		V_INCLS="${V_INCLS} -I${DAGPATH}/include"
-	else
-		use_dag=no
-	fi
-	)
-
-AC_ARG_WITH(binpac,
-	[  --with-binpac=PATH	   path to a binpac executable for compiling analyzer code],
-	BINPAC="$withval")
-
-AC_ARG_ENABLE(nbdns,
-              AC_HELP_STRING([--disable-nbdns], [Disable non-blocking DNS support]),
-              nbdns="no", nbdns="yes")
-
-AC_LBL_ENABLE_CHECK([activemapping binpac broccoli brov6 debug \
-	expire-dfa-states gtk-doc int64 openssl perftools perl \
-	select-loop shippedpcap broctl cluster nbdns])
-
-dnl ################################################
-dnl # OpenSSL
-dnl ################################################
-
-if test "$use_openssl" != "no" -a "$use_openssl" != "NO"; then
-    saved_libs="${LIBS}"
-   	AC_CHECK_LIB(crypto, OPENSSL_add_all_algorithms_conf,
-   	   	LIBS="${LDFLAGS} -lcrypto"
-   	   	AC_CHECK_LIB(ssl, SSL_new,, AC_MSG_ERROR([Can't find SSL library]))
-   	   	LIBS="${LDFLAGS} -lssl"
-       	use_openssl=yes,
-        use_openssl=no
-        )
-    LIBS="${saved_libs}"
-else
-	use_openssl=no
-fi
-
-if test "$use_openssl" != "no"; then
-   saved_cflags="${CFLAGS}"
-   CFLAGS="${CFLAGS} -I${OPENSSL}/include"
-   AC_CHECK_DECL(OPENSSL_add_all_algorithms_conf,, 
-      use_openssl=no,
-      [#include <openssl/evp.h>])
-   CFLAGS="${saved_cflags}"
-fi
-
-if test "$use_openssl" = "yes"; then
-   # On Red Hat we may need to include Kerberos header.
-   # (CHECK_HEADER doesn't work here)
-   saved_cflags="${CFLAGS}"
-   CFLAGS="${CFLAGS} -I${OPENSSL}/include"
-   AC_COMPILE_IFELSE([#include <openssl/ssl.h>],,
-      CFLAGS="${CFLAGS} -I/usr/kerberos/include"
-      AC_CHECK_HEADER(krb5.h, 
-         V_INCLS="${V_INCLS} -I/usr/kerberos/include"
-         AC_DEFINE(NEED_KRB5_H,,[Include krb5.h]),
-         use_openssl=no
-         AC_MSG_WARN([Can't compile OpenSSL test; disabling OpenSSL.]);
-         ,
-         [#include <krb5.h>
-         #include <openssl/ssl.h>]
-         )   
-   CFLAGS="${saved_cflags}"
-   )
-fi
-
-# Check for version >= 0.9.7
-if test "$use_openssl" = "yes"; then
-   saved_libs="${LIBS}"
-   LIBS="${LIBS} -lssl -lcrypto"
-   AC_MSG_CHECKING([for OpenSSL >= 0.9.7])
-   AC_LINK_IFELSE(AC_LANG_PROGRAM([[#include <openssl/evp.h>]], [[OPENSSL_add_all_algorithms_conf();]]),
-      AC_MSG_RESULT(yes)
-      use_openssl=yes,
-      AC_MSG_RESULT(no)
-      use_openssl=no)
-   LIBS="${saved_libs}"
-fi
-
-AM_CONDITIONAL(USE_OPENSSL, false)
-if test "$use_openssl" = "yes"; then
-      AM_CONDITIONAL(USE_OPENSSL, true)
-      AC_DEFINE(USE_OPENSSL,,[Use OpenSSL])
-      LIBS="${LIBS} -lssl -lcrypto"
-fi
-
-# A test to see whether d2i_X509() uses const for the u_char**
-# argument. Since one cannot just cast a u_char** to a const one
-# (http://parashift.com/c++-faq-lite/const-correctness.html#faq-18.17)
-# we test and then force a u_char** cast only when needed.
-#
-if test "$use_openssl" = "yes"; then
-  AC_MSG_CHECKING([whether d2i_X509() uses a const unsigned char**])
-  AC_LANG_PUSH([C++])
-  AC_COMPILE_IFELSE(
-    AC_LANG_PROGRAM([[#include <openssl/x509.h>]],
-                    [[const unsigned char** cpp = 0;
-		      X509** x = 0; d2i_X509(x, cpp, 0);]]),
-    AC_DEFINE(OPENSSL_D2I_X509_USES_CONST_CHAR,,[d2i_x509 uses const char**])
-    AC_MSG_RESULT(yes),
-    AC_MSG_RESULT(no))
-  AC_LANG_POP([C++])
-fi
-
-# do we use ssl?
-AM_CONDITIONAL(USE_SSL, test "$use_openssl" = "yes")
-
-
-dnl ################################################
-dnl # Check for Perl executable
-dnl ################################################
-if test -n "$PERL"; then
-  if echo "$PERL" | grep '^/' >/dev/null; then
-    AC_MSG_CHECKING(for $PERL)
-    if test -s "$PERL"; then
-      AC_MSG_RESULT(yes)
-    else
-      AC_MSG_RESULT(no)
-      PERL='none'
-    fi
-  else
-    find_perl="$PERL"
-    PERL=''
-  fi
-fi
-
-dnl if there is no perl, go find one!
-if test -z "$PERL"; then
-  AC_PATH_PROGS(PERL,perl5 perl,,/usr/local/bin:/opt/local/bin:/usr/bin::.)
-fi
-
-dnl if we still can't find it, warn them
-if test -z "$PERL"; then
-   AC_MSG_WARN([Cannot find perl; please use --with-perl=/path/to/perl option.])
-else
-   dnl this seems backwards to me .....? but works
-   if ${PERL} -e 'exit ($] >= 5.006001)' > /dev/null 2>&1; then
-     AC_MSG_WARN([Bad perl version, need perl 5.6.1 or higher.; please use --with-perl=/path/to/perl option.])
-   fi
-fi
-
-AC_SUBST(PERL)
-
-dnl ################################################
-dnl # Check for chown binary
-dnl ################################################
-AC_PATH_PROG(CHOWN, chown, ,
-             [/usr/sbin:/bin:/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin])
-AC_SUBST(CHOWN)
-
-dnl ################################################
-dnl # OS-specific hacks and tweaks
-dnl ################################################
-
-AC_LBL_DEVEL(V_CCOPT)
-AM_CONDITIONAL(USE_NMALLOC, false)
-
-dnl Our resolver tests below include an absolute libray location.
-dnl This is its default, it may be changed for some OSs.
-bro_absolute_libresolv="/usr/lib/libresolv.a"
-
-case "$target_os" in
-
-freebsd*)
-	# alternate malloc is faster for FreeBSD, but needs more testing
-	# need to add way to set this from the command line
-	AM_CONDITIONAL(USE_NMALLOC, true)
-	;;
-
-darwin*)
-	AC_MSG_CHECKING([if we need to include arpa/nameser_compat.h])
-	AC_COMPILE_IFELSE(AC_LANG_PROGRAM([[#include <arpa/nameser.h>]], [[HEADER *hdr; int d = NS_IN6ADDRSZ;]]), bro_ns_header_defined=yes, bro_ns_header_defined=no)
-	# if the header is found, we don't need compatibility
-	if test "x$bro_ns_header_defined" = xyes; then
-	   AC_MSG_RESULT(no)
-	else
-	   AC_DEFINE(NEED_NAMESER_COMPAT_H,,[Compatibility for Darwin])
-	   AC_MSG_RESULT(yes)
-	fi
-	# Support for MacPorts and Fink package-management.
-	test -d /opt/local/lib && LDFLAGS="${LDFLAGS} -L/opt/local/lib"
-	test -d /sw/lib && LDFLAGS="${LDFLAGS} -L/sw/lib"
-	V_INCLS="${V_INCLS} -I/opt/local/include -I/sw/include"
-	CXXFLAGS="${CXXFLAGS} -I/opt/local/include -I/sw/include"
-	;;
-
-openbsd*)
-	AM_CONDITIONAL(USE_NMALLOC, true)
-	AC_DEFINE(HAVE_OPENBSD,,[We are on a OpenBSD system])
-	LDFLAGS="${LDFLAGS} -L/usr/local/lib"
-	V_INCLS="${V_INCLS} -I/usr/local/include"
-	CXXFLAGS="${CXXFLAGS} -I/usr/local/include"
-	;;
-
-linux*)
-	V_INCLS="$V_INCLS -I\${top_srcdir}/linux-include"
-	AC_DEFINE(HAVE_LINUX,,[We are on a Linux system])
-	AC_MSG_CHECKING(Linux kernel version)
-	AC_CACHE_VAL(ac_cv_linux_vers,
-	    ac_cv_linux_vers=`uname -r 2>&1 | \
-		sed -n -e '$s/.* //' -e '$s/\..*//p'`)
-	AC_MSG_RESULT($ac_cv_linux_vers)
-	if test $ac_cv_linux_vers -lt 2 ; then
-            AC_MSG_ERROR(version 2 or higher required; see the INSTALL doc for more info)
-	fi
-        if test "a$build_cpu" = "ax86_64"; then
-           bro_absolute_libresolv="/usr/lib64/libresolv.a"
-        fi
-	;;
-
-solaris*)
-	LIBS="${LIBS} -lnsl -lsocket"
-	;;
-
-osf*)
-	dnl Workaround around ip_hl vs. ip_vhl problem in netinet/ip.h
-	V_CCOPT="$V_CCOPT -D__STDC__=2"
-esac
-
-dnl ################################################
-dnl # Enable large file support for all platforms.
-dnl # Can be disabled with --disable-largefile
-dnl ################################################
-AC_SYS_LARGEFILE
-
-dnl ################################################
-dnl # Checks for types and header files.
-dnl ################################################
-AC_HEADER_STDC
-AC_LBL_TYPE_SIGNAL
-AC_LBL_CHECK_TYPE(int32_t, int)
-AC_LBL_CHECK_TYPE(u_int32_t, u_int)
-AC_LBL_CHECK_TYPE(u_int16_t, u_short)
-AC_LBL_CHECK_TYPE(u_int8_t, u_char)
-AC_HEADER_TIME
-
-AC_CHECK_HEADERS(memory.h netinet/in.h socket.h getopt.h)
-AC_CHECK_HEADERS(net/ethernet.h netinet/ether.h netinet/if_ether.h sys/ethernet.h,,,
-    [#include <sys/types.h>
-    #include <sys/socket.h>
-    #include <netinet/in.h>
-    #include <net/if.h>])
-
-AC_CHECK_HEADERS(netinet/ip6.h,,,
-    [#include <sys/types.h>
-    #include <sys/socket.h>
-    #include <netinet/in.h>
-    #include <net/if.h>])
-
-AC_DEFUN([AC_C_SOCKLEN_T],
-[AC_CACHE_CHECK(for socklen_t, ac_cv_c_socklen_t,
-[
-  AC_TRY_COMPILE([
-    #include <sys/types.h>
-    #include <sys/socket.h>
-  ],[
-    socklen_t foo;
-  ],[
-    ac_cv_c_socklen_t=yes
-  ],[
-    ac_cv_c_socklen_t=no
-  ])
-])
-if test $ac_cv_c_socklen_t = no; then
-  AC_DEFINE(socklen_t, int, [define to int if socklen_t not available])
-fi
-])
-
-AC_C_SOCKLEN_T
-
-AC_BRO_SYSLOG_INT
-AC_BRO_SOCK_DECL
-
-dnl ################################################
-dnl # PCAP stuff.
-dnl ################################################
-
-# ensure we are either YES or NO
-if test "$use_shippedpcap" = "no" ; then
-    pcap_local="NO"
-    pcapmsg="system-provided"
-    AM_CONDITIONAL(USE_LOCALPCAP, false)
-else
-    pcap_local="YES"
-    pcapmsg="shipped with Bro"
-    AM_CONDITIONAL(USE_LOCALPCAP, true)
-fi
-
-# if not using local version, find one on the system
-if test "$pcap_local" = "NO"; then
-    AC_LBL_LIBPCAP(V_PCAPDEP, V_INCLS)
-    CPPFLAGS="$CPPFLAGS $V_INCLS"
-    AC_CHECK_HEADERS(pcap-int.h)
-    AC_CHECK_FUNCS(bpf_set_bufsize)
-    dnl ################################################
-    dnl # Check whether pcap provides pcap_version
-    dnl ################################################
-    AC_MSG_CHECKING([for pcap_version in libpcap])
-    AC_LINK_IFELSE(
-     AC_LANG_PROGRAM([extern char pcap_version[];], [puts(pcap_version);]),
-      AC_MSG_RESULT(yes)
-      AC_DEFINE(PCAP_VERSION_STRING,,[Have a version string in libpcap]),
-      AC_MSG_RESULT(no))
-    dnl ################################################
-    dnl # Check whether linking to pcap works 
-    dnl ################################################
-    AC_CHECK_LIB(pcap, main, , AC_MSG_ERROR([Bro requires pcap - install from aux/ if necessary.]))
-else
-    # we have to define the abilites of the local pcap
-    # as it hasn't been unpacked/configured/installed
-    # yet and we can't query it.
-    AC_DEFINE(HAVE_PCAP_INT_H, 1, [Define to 1 if you have the <pcap-int.h> header file.])
-    AC_DEFINE(HAVE_BPF_SET_BUFSIZE, 0, [Define to 1 if you have the bpf_set_bufsize function.])
-    AC_DEFINE(PCAP_VERSION_STRING, 1, [Have a version string in libpcap])
-    AC_DEFINE(HAVE_LIBPCAP, 1, [Define to 1 if you have the pcap library (-lpcap).])
-fi
-
-dnl AC_CHECK_HEADERS(pcap-int.h)
-dnl AC_CHECK_FUNCS(bpf_set_bufsize)
-
-dnl ################################################
-dnl # STL compatibility tests.
-dnl ################################################
-
-dnl # Whether basic_string<> requires additional
-dnl # definitions for char_traits. In that case, we
-dnl # fall back to vector.
-dnl #
-AC_MSG_CHECKING([if char_traits defines all methods])
-AC_LANG_PUSH([C++])
-AC_LINK_IFELSE(
-  AC_LANG_PROGRAM([[
-#include <string>
-using namespace std;
-class Foo { };
-]], [[
-char_traits<Foo*> foo;
-Foo f;
-Foo *fp;
-foo.assign(&fp, 10, &f);]]),
-  AC_MSG_RESULT([yes])
-  basic_string_works=yes,
-  AC_MSG_RESULT([no])
-  basic_string_works=no
-  AC_DEFINE(BASIC_STRING_BROKEN,,[basic_string not usable with non-char template arg]))
-AC_LANG_POP([C++])
-
-dnl ################################################
-dnl # Include the Broccoli tree in aux/broccoli in
-dnl # the setup, unless specifically disabled.
-dnl ################################################
-AC_ARG_ENABLE(broccoli,
-	      AC_HELP_STRING([--disable-broccoli], [Do not build/package Broccoli]),
-	      broccoli="no", broccoli="yes")
-
-AM_CONDITIONAL(USE_BROCCOLI, test "x$broccoli" = xyes)
-if test "x$broccoli" = xyes; then
-   AC_CONFIG_SUBDIRS(aux/broccoli)
-fi
-
-dnl ################################################
-dnl # Include the broctl tree in aux/broctl into
-dnl # the setup, unless specifically disabled. 
-dnl # Per default, we configure it in standalone mode;
-dnl # if --enable-cluster is given, we switch to 
-dnl # cluster mode.
-dnl ################################################
-AC_ARG_ENABLE(broctl,
-	      AC_HELP_STRING([--disable-broctl], [Do not build/package broctl framework]),
-	      broctl=$enableval, broctl="yes")
-
-AC_ARG_ENABLE(cluster,
-	      AC_HELP_STRING([--enable-cluster], [Configure broctl for cluster usage]),
-	      cluster=$enableval, cluster="no")
-
-dnl ################################################
-dnl # Include the Binpac tree in aux/binpac in the
-dnl # build, unless the user selected another binpac
-dnl # via --with-binpac=.
-dnl ################################################
-if test "$BINPAC" = ""; then
-   AC_CONFIG_SUBDIRS(aux/binpac)
-   BINPAC="\${top_builddir}/aux/binpac/src/binpac"
-   binpacmsg="shipped with Bro"
-else # Check (somewhat) whether the binpac given is valid
-   AC_MSG_CHECKING([whether given binpac is executable])
-   if test -x "$BINPAC"; then
-      AC_MSG_RESULT(yes)
-   else
-      AC_MSG_RESULT(no)
-      echo "Please check whether $BINPAC is correct."
-      exit 1
-   fi
-   binpacmsg="$BINPAC"
-fi
-
-AC_SUBST(BINPAC)
-
-dnl ################################################
-dnl # DNS resolver checks.
-dnl ################################################
-dnl
-dnl Check whether our arpa/nameser.h provides type ns_msg.
-dnl If not, we disable nonblocking DNS lookups.
-dnl We assume worst case first and improve on it below.
-AM_CONDITIONAL(USE_NBDNS, false)
-
-dnl Add potential header locations to path
-if test -d /usr/local/include/bind; then
-   CFLAGS="$CFLAGS -I/usr/local/include/bind"
-fi
-
-AC_CHECK_TYPE(ns_msg, bro_check_nb_dns=yes, bro_check_nb_dns=no, [#include <arpa/nameser.h>])
-
-if test $bro_check_nb_dns = no; then
-   AC_MSG_NOTICE([Nonblocking DNS disabled.])
-   use_nb_dns=no
-else
-   dnl We will check for ns_initparse and res_mkquery using a number
-   dnl of resolver library variations, a list of which we build up now.
-   bro_resolver_options="none -lresolv ${bro_absolute_libresolv} -lbind"
-
-   save_cflags="$CFLAGS"
-   save_ldflags="$LDFLAGS"
-   save_libs="$LIBS"
-
-   dnl Okay now try to link both symbols with each of the resolver
-   dnl location variants.  As soon as one works, we're happy.
-   for res in $bro_resolver_options; do
-
-      AC_MSG_CHECKING([for ns_inittab/res_mkquery with resolver '$res'])
-
-      dnl "none" just means "try without any additional flags".
-      if test "$res" = "none"; then
-	 res=""
-      fi
-
-      CFLAGS="${save_cflags}"
-      LDFLAGS="${save_ldflags}"
-      LIBS="${save_libs} $res"
-
-      dnl In the generic -lbind case, we check for the existence
-      dnl of a number of directories and add them to the relevant
-      dnl paths.
-      dnl
-      if test "$res" = "-lbind"; then
-	 if test -d /usr/local/bind/lib; then
-	    LDFLAGS="$LDFLAGS -L/usr/local/bind/lib"
-	 fi
-
-	 if test -d /usr/local/lib; then
-	    LDFLAGS="$LDFLAGS -L/usr/local/lib"
-	 fi
-      fi
-
-      bro_ns_initparse_works=no
-      bro_res_mkquery_works=no
-
-      AC_LINK_IFELSE(AC_LANG_PROGRAM([[#include <arpa/nameser.h>]],
-				      [[ns_initparse(0,0,0);]]),
-		     bro_ns_initparse_works=yes)
-
-      AC_LINK_IFELSE(AC_LANG_PROGRAM([[
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/nameser.h>
-#include <resolv.h>]],
-[[int (*p)() = res_mkquery]]), bro_res_mkquery_works=yes)
-
-      if test $bro_ns_initparse_works = yes && test $bro_res_mkquery_works = yes && test $nbdns = yes; then
-         AC_MSG_RESULT(yes)
-	 AC_MSG_NOTICE([Nonblocking DNS enabled.])
-
-	 dnl Make sure that nb_dns.o is linked in.
-	 NBDNS="nb_dns.o"
-	 AC_SUBST(NBDNS)
-
-	 AM_CONDITIONAL(USE_NBDNS, true)
-	 AC_DEFINE(HAVE_NB_DNS,,[async dns support])
-	 use_nb_dns=yes
-	 break
-      else
-         AC_MSG_RESULT(no)
-      fi
-   done
-
-   if test "x$NBDNS" != "xnb_dns.o"; then
-      AC_MSG_NOTICE([Nonblocking DNS disabled.])
-      use_nb_dns=no
-      CFLAGS="${save_cflags}"
-      LDFLAGS="${save_ldflags}"
-      LIBS="${save_libs}"
-   fi
-fi
-
-dnl ################################################
-dnl # Checks for library functions.
-dnl ################################################
-
-AC_FUNC_MEMCMP
-AC_FUNC_STRFTIME
-AC_CHECK_FUNCS(strerror strsep strcasestr mallinfo getopt_long)
-AC_SEARCH_LIBS(inet_aton, resolv)
-
-# We use deflatePrime() to make sure that zlib is recent enough.
-AC_CHECK_LIB(z, deflatePrime)
-
-# Libmagic
-have_libmagic=yes
-AC_CHECK_HEADERS([magic.h],,have_libmagic=no)
-AC_CHECK_LIB(magic,magic_open,,have_libmagic=no)
-
-# Libclamav
-# have_libclamav=yes
-# AC_CHECK_HEADERS([clamav.h],,have_libclamav=no)
-# AC_CHECK_LIB(clamav,cl_retdbdir,,have_libclamav=no)
-
-# Libclamav is broken because of changed API.
-have_libclamav=no
-
-if test "$have_libclamav" = "yes"; then
-   AC_DEFINE(USE_LIBCLAMAV,,[Use libclamav])
-fi
-
-# LibGeoIP
-have_libgeoip=yes
-AC_CHECK_HEADERS([GeoIPCity.h],,have_libgeoip=no)
-if test "$have_libgeoip" = "yes"; then
-  AC_CHECK_LIB(GeoIP,GeoIP_open_type,,have_libgeoip=no)
-fi
-if test "$have_libgeoip" = "yes"; then
-  AC_DEFINE(USE_GEOIP,,[GeoIP geographic lookup functionality])
-fi
-
-dnl ################################################
-dnl # Terminal library support
-dnl ################################################
-
-bro_have_termlibrary=no
-
-dnl 1) Check if termcap is available
-AC_CHECK_LIB(termcap, tgetnum, 
-    [AC_CHECK_HEADERS([termcap.h term.h], 
-        LIBS="${LIBS} -ltermcap"
-        bro_have_termlibrary=yes)])
-
-dnl 2) Check if curses is available instaed
-if test "$bro_have_termlibrary" = no; then
-    AC_CHECK_LIB(curses, tgetnum, 
-        [AC_CHECK_HEADERS([curses.h term.h], 
-            LIBS="${LIBS} -lcurses"
-            bro_have_termlibrary=yes)])
-fi
-
-dnl 3) Check for ncurses as a final resort
-if test "$bro_have_termlibrary" = no; then
-    AC_CHECK_LIB(ncurses, tgetnum, 
-        [AC_CHECK_HEADERS([ncurses.h curses.h term.h], 
-            LIBS="${LIBS} -lncurses"
-            bro_have_termlibrary=yes)])
-fi
-
-if test "$bro_have_termlibrary" != yes; then
-    AC_MSG_RESULT(no)
-    AC_MSG_ERROR([No terminal emulation library found! Consider installing termcap, curses, or ncurses.])
-else
-    AC_MSG_RESULT(yes)
-fi
-
-dnl Check whether we have readline and history libraries
-AC_CHECK_HEADER([readline/readline.h], bro_readline=yes)
-AC_CHECK_HEADER([readline/history.h], bro_history=yes)
-AC_CHECK_LIB(readline, using_history,, bro_libreadline=no)
-
-if test "$bro_history" = yes; then
-   AC_CHECK_MEMBER([HISTORY_STATE.entries],
-                   [bro_history_entries=yes], [],
-                   [#include <stdio.h>
-                    #include <readline/history.h>])
-fi
-
-if test "$bro_readline" = yes -a \
-   "$bro_history" = yes -a \
-   "$bro_libreadline" != no -a \
-   "$bro_history_entries" = yes; then
-   AC_DEFINE(HAVE_READLINE,1,[line editing & history powers])
-fi 
-
-AC_C_BIGENDIAN(
-	AC_DEFINE(WORDS_BIGENDIAN,1,[whether words are stored with the most significant byte first])
-	dnl This is intentionally named differently so as to not collide with WORDS_BIGENDIAN
-	HOST_BIGENDIAN="#define HOST_BIGENDIAN 1"
-	AC_SUBST(HOST_BIGENDIAN))
-
-AC_CHECK_TYPES([union semun, struct sembuf],[],[],
-[#include <sys/types.h>
-#include <sys/sem.h>
-])
-
-# see if we have sin_len 
-AC_CHECK_MEMBER(struct sockaddr_in.sin_len,
-  [AC_DEFINE(SIN_LEN,,[have sin_len field in sockaddr_in])],,
-  [ 
-#if HAVE_SYS_TYPES_H
-# include <sys/types.h>
-#endif
-#if HAVE_SYS_SOCKET_H
-# include <sys/socket.h>
-#endif
-#if HAVE_NETINET_IN_H
-# include <netinet/in.h>
-#endif
-])
-
-AC_CHECK_SIZEOF(long long)
-AC_CHECK_SIZEOF(long int)
-AC_CHECK_SIZEOF(void *)
-
-# Per default we do not use the select-based main loop. We activate it only if
-#  (i) the user requests it
-# (ii) we know the OS to support selectable pcap fds
-use_select_loop=no
-
-if test $check_select_loop = yes; then
-	case "$target_os" in
-
-	linux*)
-		# Linux should support selectable at least since 2.2 (not sure
-		# about earlier versions)
-		AC_MSG_CHECKING(Linux kernel version support selectable fds)
-		AC_CACHE_VAL(ac_cv_linux_major_vers,
-		    ac_cv_linux_major_vers=`uname -r 2>&1 | \
-			sed 's/-.*$//g' | awk -v FS='.' '{print $1}'`)
-		AC_CACHE_VAL(ac_cv_linux_minor_vers,
-		    ac_cv_linux_minor_vers=`uname -r 2>&1 | \
-			sed 's/-.*$//g' | awk -v FS='.' '{print $2}'`)
-
-	    linux_version=`expr $ac_cv_linux_major_vers '*' 10 '+' $ac_cv_linux_minor_vers`
-		if test $linux_version -gt 21; then
-			use_select_loop=yes
-	        AC_MSG_RESULT($ac_cv_linux_major_vers.$ac_cv_linux_minor_vers is ok)
-		else
-	        AC_MSG_RESULT($ac_cv_linux_major_vers.$ac_cv_linux_minor_vers is too old)
-	    fi
-		;;
-
-	freebsd*)
-		# FreeBSD supports selectable fds correctly since 4.6.
-		AC_MSG_CHECKING(FreeBSD kernel version support selectable fds)
-		AC_CACHE_VAL(ac_cv_freebsd_major_vers,
-		    ac_cv_freebsd_major_vers=`uname -r 2>&1 | \
-			sed 's/-.*$//g' | awk -v FS='.' '{print $1}'`)
-		AC_CACHE_VAL(ac_cv_freebsd_minor_vers,
-		    ac_cv_freebsd_minor_vers=`uname -r 2>&1 | \
-			sed 's/-.*$//g' | awk -v FS='.' '{print $2}'`)
-
-	    freebsd_version=`expr $ac_cv_freebsd_major_vers '*' 10 '+' $ac_cv_freebsd_minor_vers`
-		if test $freebsd_version -gt 45; then
-			use_select_loop=yes
-	        AC_MSG_RESULT($ac_cv_freebsd_major_vers.$ac_cv_freebsd_minor_vers is ok)
-		else
-	        AC_MSG_RESULT($ac_cv_freebsd_major_vers X $ac_cv_freebsd_minor_vers is too old)
-		fi
-		;;
-
-	esac
-fi
-
-if test "$use_select_loop" = "yes"; then
-	AC_DEFINE(USE_SELECT_LOOP,,[Use select-based main loop])
-fi
-
-dnl ################################################
-dnl # Endace DAG support
-dnl ################################################
-
-if test "$use_dag" != "no" -a "$use_dag" != "NO"; then
-	AC_CHECK_LIB(dag, dag_open, use_dag=yes, use_dag=no)
-	AC_CHECK_HEADER(pcap.h,,use_dag=no)
-
-	if test "$use_dag" = "yes"; then
-		  AC_DEFINE(USE_DAG,,[Include Endace DAG support])
-		  LIBS="${LIBS} -ldag"
-		  AC_SUBST(WANT_DAG_OBJ, "\$(DAG_OBJ)")
-	else
-		  AC_SUBST(WANT_DAG_OBJ, "")
-	fi
-else
-	use_dag=no
-fi
-
-dnl ################################################
-dnl # If configured with --enable-perftools, look for
-dnl # Google's perftools to do heap checking.
-dnl ################################################
-
-if test "$use_perftools" != "no" -a "$use_perftools" != "NO"; then
-	AC_LANG_PUSH(C++)
-	saved_libs="${LIBS}"
-	LIBS="${LIBS} -ltcmalloc -lpthread"
-	AC_TRY_LINK([#include <google/heap-checker.h>],
-		[HeapLeakChecker heap_checker("test");],
-		[use_perftools="yes"],[use_perftools="no"])
-	LIBS="${saved_libs}"
-	AC_LANG_POP([C++])
-
-	if test "$use_perftools" = "yes"; then
-		AC_DEFINE(USE_PERFTOOLS,,[Use Google's perftools])
-		LIBS="${LIBS} -ltcmalloc -lpthread"
-	fi
-fi
-
-###############################
-# Configure broctl. 
-###############################
-
-# Need Python >= 2.4.
-have_python=no
-AC_PATH_TOOL(pybin, python, "")
-if test "x$pybin" != x -a "x$broctl" = xyes; then
-	AC_MSG_CHECKING([for Python >= 2.4])
-	AC_CACHE_VAL(ac_cv_python_major_vers,
-		ac_cv_python_major_vers=`python -V 2>&1 | \
-			sed 's/^Python //g' | awk -v FS='.' '{print $1}'`)
-	AC_CACHE_VAL(ac_cv_python_minor_vers,
-		ac_cv_python_minor_vers=`python -V 2>&1 | \
-			sed 's/^Python //g' | awk -v FS='.' '{print $2}'`)
-
-	pyversion=`expr $ac_cv_python_major_vers '*' 10 '+' $ac_cv_python_minor_vers`
-	if test $pyversion -ge 24; then
-		AC_MSG_RESULT([yes])
-		have_python=yes
-    fi
-    
-    AC_CHECK_PROG(have_python, python-config, $have_python, no)
-
-    if test "x$have_python" != xyes; then
-        AC_MSG_RESULT([no, disabling broctl])
-    fi
-fi    
-
-if test "x$have_python" != xyes; then
-    broctl=no
-fi
-
-AM_CONDITIONAL(USE_BROCTL, test "x$broctl" = xyes)
-
-if test "x$broctl" = xyes; then
-   if test "x$cluster" = xno; then
-       standalone="--standalone"
-   fi
-   echo "=== configuring in aux/broctl"
-
-   test -d aux || mkdir aux
-   test -d aux/broctl || mkdir aux/broctl
-   
-   ${srcdir}/aux/broctl/configure --prefix=${prefix} --builddir=`pwd`/aux/broctl --brodist=${srcdir} ${standalone}
-   
-   AC_CONFIG_SUBDIRS([aux/broctl/aux/capstats])
-fi   
-
-if test "$use_xqilla" = "yes"; then
-	LIBS="${LIBS} -lxqilla"
-fi
-
-# grab the hostname
-BROHOST=`hostname 2>/dev/null` || `uname -n 2>/dev/null`
-AC_SUBST(BROHOST)
-
-dnl Setup pcap path just before creating files, this way tests won't fail
-dnl with 'can't find libpcap' when we use the local pcap which hasn't 
-dnl been unpacked yet
-
-if test "$pcap_local" = "YES"; then
-    LIBS="-L\${top_srcdir}/aux/libpcap-0.9.8 -lpcap $LIBS"
-    V_INCLS="$V_INCLS -I\${top_builddir}/aux/libpcap-0.9.8"
-fi
-
-AC_SUBST(V_CCOPT)
-AC_SUBST(V_INCLS)
-AC_SUBST(LDFLAGS)
-
-
-dnl AC_SUBST(V_PCAPDEP) dnl (libpcap dependancies -- not used)
-AC_OUTPUT([Makefile 
-           src/Makefile 
-           doc/Makefile 
-           doc/ref-manual/Makefile 
-           doc/quick-start/Makefile
-           doc/user-manual/Makefile 
-           aux/adtrace/Makefile
-           aux/cf/Makefile
-           aux/hf/Makefile
-           aux/nftools/Makefile
-           aux/scripts/Makefile
-           aux/bdcat/Makefile
-           aux/rst/Makefile
-           aux/Makefile
-           policy/Makefile
-           policy/sigs/Makefile
-           policy/time-machine/Makefile
-           scripts/Makefile
-           scripts/bro_config
-           scripts/bro.rc
-           scripts/localnetMAC.pl
-           scripts/s2b/Makefile
-           scripts/s2b/bro-include/Makefile
-           scripts/s2b/example_bro_files/Makefile
-           scripts/s2b/etc/Makefile
-           scripts/s2b/bin/Makefile
-           scripts/s2b/pm/Makefile
-           scripts/s2b/snort_rules2.2/Makefile
-           ],
-           [chmod +x scripts/bro_config
-           chmod +x scripts/localnetMAC.pl]
-           )
-
-if test "$use_openssl" != "yes"; then
-    OPENSSL=""
-#else
-#   AC_OUTPUT(aux/bdcat/Makefile)
-fi
-
-echo
-echo "                  "${BLD_ON}"Bro Configuration Summary"${BLD_OFF}
-echo "=========================================================="
-echo
-echo "  - Debugging enabled:      "${BLD_ON}$debug${BLD_OFF}
-echo "  - OpenSSL support:        "${BLD_ON}$use_openssl $OPENSSL${BLD_OFF}
-echo "  - Non-blocking main loop: "${BLD_ON}$use_select_loop${BLD_OFF}
-echo "  - Non-blocking resolver:  "${BLD_ON}$use_nb_dns${BLD_OFF}
-echo "  - Installation prefix:    "${BLD_ON}$prefix${BLD_OFF}
-echo "  - Perl interpreter:       "${BLD_ON}$PERL${BLD_OFF}
-echo "  - Using basic_string:     "${BLD_ON}$basic_string_works${BLD_OFF}
-echo "  - Using libmagic:         "${BLD_ON}$have_libmagic${BLD_OFF}
-# echo "  - Using libclamav:        "${BLD_ON}$have_libclamav${BLD_OFF}
-echo "  - Using perftools:        "${BLD_ON}$use_perftools${BLD_OFF}
-echo "  - Binpac used:            "${BLD_ON}$binpacmsg${BLD_OFF}
-echo "  - Using libGeoIP:         "${BLD_ON}$have_libgeoip${BLD_OFF}
-echo "  - Enabled broctl:         "${BLD_ON}$broctl${BLD_OFF}
-echo "  - Enabled cluster:        "${BLD_ON}$cluster${BLD_OFF}
-echo "  - Pcap used:              "${BLD_ON}$pcapmsg${BLD_OFF}
-echo
-exit 0
diff --git a/depcomp b/depcomp
deleted file mode 100755
index 25bdb18892..0000000000
--- a/depcomp
+++ /dev/null
@@ -1,526 +0,0 @@
-#! /bin/sh
-# depcomp - compile a program generating dependencies as side-effects
-
-scriptversion=2004-04-25.13
-
-# Copyright (C) 1999, 2000, 2003, 2004 Free Software Foundation, Inc.
-
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2, or (at your option)
-# any later version.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
-# 02111-1307, USA.
-
-# As a special exception to the GNU General Public License, if you
-# distribute this file as part of a program that contains a
-# configuration script generated by Autoconf, you may include it under
-# the same distribution terms that you use for the rest of that program.
-
-# Originally written by Alexandre Oliva <oliva@dcc.unicamp.br>.
-
-case $1 in
-  '')
-     echo "$0: No command.  Try \`$0 --help' for more information." 1>&2
-     exit 1;
-     ;;
-  -h | --h*)
-    cat <<\EOF
-Usage: depcomp [--help] [--version] PROGRAM [ARGS]
-
-Run PROGRAMS ARGS to compile a file, generating dependencies
-as side-effects.
-
-Environment variables:
-  depmode     Dependency tracking mode.
-  source      Source file read by `PROGRAMS ARGS'.
-  object      Object file output by `PROGRAMS ARGS'.
-  depfile     Dependency file to output.
-  tmpdepfile  Temporary file to use when outputing dependencies.
-  libtool     Whether libtool is used (yes/no).
-
-Report bugs to <bug-automake@gnu.org>.
-EOF
-    exit 0
-    ;;
-  -v | --v*)
-    echo "depcomp $scriptversion"
-    exit 0
-    ;;
-esac
-
-if test -z "$depmode" || test -z "$source" || test -z "$object"; then
-  echo "depcomp: Variables source, object and depmode must be set" 1>&2
-  exit 1
-fi
-# `libtool' can also be set to `yes' or `no'.
-
-if test -z "$depfile"; then
-   base=`echo "$object" | sed -e 's,^.*/,,' -e 's,\.\([^.]*\)$,.P\1,'`
-   dir=`echo "$object" | sed 's,/.*$,/,'`
-   if test "$dir" = "$object"; then
-      dir=
-   fi
-   # FIXME: should be _deps on DOS.
-   depfile="$dir.deps/$base"
-fi
-
-tmpdepfile=${tmpdepfile-`echo "$depfile" | sed 's/\.\([^.]*\)$/.T\1/'`}
-
-rm -f "$tmpdepfile"
-
-# Some modes work just like other modes, but use different flags.  We
-# parameterize here, but still list the modes in the big case below,
-# to make depend.m4 easier to write.  Note that we *cannot* use a case
-# here, because this file can only contain one case statement.
-if test "$depmode" = hp; then
-  # HP compiler uses -M and no extra arg.
-  gccflag=-M
-  depmode=gcc
-fi
-
-if test "$depmode" = dashXmstdout; then
-   # This is just like dashmstdout with a different argument.
-   dashmflag=-xM
-   depmode=dashmstdout
-fi
-
-case "$depmode" in
-gcc3)
-## gcc 3 implements dependency tracking that does exactly what
-## we want.  Yay!  Note: for some reason libtool 1.4 doesn't like
-## it if -MD -MP comes after the -MF stuff.  Hmm.
-  "$@" -MT "$object" -MD -MP -MF "$tmpdepfile"
-  stat=$?
-  if test $stat -eq 0; then :
-  else
-    rm -f "$tmpdepfile"
-    exit $stat
-  fi
-  mv "$tmpdepfile" "$depfile"
-  ;;
-
-gcc)
-## There are various ways to get dependency output from gcc.  Here's
-## why we pick this rather obscure method:
-## - Don't want to use -MD because we'd like the dependencies to end
-##   up in a subdir.  Having to rename by hand is ugly.
-##   (We might end up doing this anyway to support other compilers.)
-## - The DEPENDENCIES_OUTPUT environment variable makes gcc act like
-##   -MM, not -M (despite what the docs say).
-## - Using -M directly means running the compiler twice (even worse
-##   than renaming).
-  if test -z "$gccflag"; then
-    gccflag=-MD,
-  fi
-  "$@" -Wp,"$gccflag$tmpdepfile"
-  stat=$?
-  if test $stat -eq 0; then :
-  else
-    rm -f "$tmpdepfile"
-    exit $stat
-  fi
-  rm -f "$depfile"
-  echo "$object : \\" > "$depfile"
-  alpha=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
-## The second -e expression handles DOS-style file names with drive letters.
-  sed -e 's/^[^:]*: / /' \
-      -e 's/^['$alpha']:\/[^:]*: / /' < "$tmpdepfile" >> "$depfile"
-## This next piece of magic avoids the `deleted header file' problem.
-## The problem is that when a header file which appears in a .P file
-## is deleted, the dependency causes make to die (because there is
-## typically no way to rebuild the header).  We avoid this by adding
-## dummy dependencies for each header file.  Too bad gcc doesn't do
-## this for us directly.
-  tr ' ' '
-' < "$tmpdepfile" |
-## Some versions of gcc put a space before the `:'.  On the theory
-## that the space means something, we add a space to the output as
-## well.
-## Some versions of the HPUX 10.20 sed can't process this invocation
-## correctly.  Breaking it into two sed invocations is a workaround.
-    sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' | sed -e 's/$/ :/' >> "$depfile"
-  rm -f "$tmpdepfile"
-  ;;
-
-hp)
-  # This case exists only to let depend.m4 do its work.  It works by
-  # looking at the text of this script.  This case will never be run,
-  # since it is checked for above.
-  exit 1
-  ;;
-
-sgi)
-  if test "$libtool" = yes; then
-    "$@" "-Wp,-MDupdate,$tmpdepfile"
-  else
-    "$@" -MDupdate "$tmpdepfile"
-  fi
-  stat=$?
-  if test $stat -eq 0; then :
-  else
-    rm -f "$tmpdepfile"
-    exit $stat
-  fi
-  rm -f "$depfile"
-
-  if test -f "$tmpdepfile"; then  # yes, the sourcefile depend on other files
-    echo "$object : \\" > "$depfile"
-
-    # Clip off the initial element (the dependent).  Don't try to be
-    # clever and replace this with sed code, as IRIX sed won't handle
-    # lines with more than a fixed number of characters (4096 in
-    # IRIX 6.2 sed, 8192 in IRIX 6.5).  We also remove comment lines;
-    # the IRIX cc adds comments like `#:fec' to the end of the
-    # dependency line.
-    tr ' ' '
-' < "$tmpdepfile" \
-    | sed -e 's/^.*\.o://' -e 's/#.*$//' -e '/^$/ d' | \
-    tr '
-' ' ' >> $depfile
-    echo >> $depfile
-
-    # The second pass generates a dummy entry for each header file.
-    tr ' ' '
-' < "$tmpdepfile" \
-   | sed -e 's/^.*\.o://' -e 's/#.*$//' -e '/^$/ d' -e 's/$/:/' \
-   >> $depfile
-  else
-    # The sourcefile does not contain any dependencies, so just
-    # store a dummy comment line, to avoid errors with the Makefile
-    # "include basename.Plo" scheme.
-    echo "#dummy" > "$depfile"
-  fi
-  rm -f "$tmpdepfile"
-  ;;
-
-aix)
-  # The C for AIX Compiler uses -M and outputs the dependencies
-  # in a .u file.  In older versions, this file always lives in the
-  # current directory.  Also, the AIX compiler puts `$object:' at the
-  # start of each line; $object doesn't have directory information.
-  # Version 6 uses the directory in both cases.
-  stripped=`echo "$object" | sed 's/\(.*\)\..*$/\1/'`
-  tmpdepfile="$stripped.u"
-  if test "$libtool" = yes; then
-    "$@" -Wc,-M
-  else
-    "$@" -M
-  fi
-  stat=$?
-
-  if test -f "$tmpdepfile"; then :
-  else
-    stripped=`echo "$stripped" | sed 's,^.*/,,'`
-    tmpdepfile="$stripped.u"
-  fi
-
-  if test $stat -eq 0; then :
-  else
-    rm -f "$tmpdepfile"
-    exit $stat
-  fi
-
-  if test -f "$tmpdepfile"; then
-    outname="$stripped.o"
-    # Each line is of the form `foo.o: dependent.h'.
-    # Do two passes, one to just change these to
-    # `$object: dependent.h' and one to simply `dependent.h:'.
-    sed -e "s,^$outname:,$object :," < "$tmpdepfile" > "$depfile"
-    sed -e "s,^$outname: \(.*\)$,\1:," < "$tmpdepfile" >> "$depfile"
-  else
-    # The sourcefile does not contain any dependencies, so just
-    # store a dummy comment line, to avoid errors with the Makefile
-    # "include basename.Plo" scheme.
-    echo "#dummy" > "$depfile"
-  fi
-  rm -f "$tmpdepfile"
-  ;;
-
-icc)
-  # Intel's C compiler understands `-MD -MF file'.  However on
-  #    icc -MD -MF foo.d -c -o sub/foo.o sub/foo.c
-  # ICC 7.0 will fill foo.d with something like
-  #    foo.o: sub/foo.c
-  #    foo.o: sub/foo.h
-  # which is wrong.  We want:
-  #    sub/foo.o: sub/foo.c
-  #    sub/foo.o: sub/foo.h
-  #    sub/foo.c:
-  #    sub/foo.h:
-  # ICC 7.1 will output
-  #    foo.o: sub/foo.c sub/foo.h
-  # and will wrap long lines using \ :
-  #    foo.o: sub/foo.c ... \
-  #     sub/foo.h ... \
-  #     ...
-
-  "$@" -MD -MF "$tmpdepfile"
-  stat=$?
-  if test $stat -eq 0; then :
-  else
-    rm -f "$tmpdepfile"
-    exit $stat
-  fi
-  rm -f "$depfile"
-  # Each line is of the form `foo.o: dependent.h',
-  # or `foo.o: dep1.h dep2.h \', or ` dep3.h dep4.h \'.
-  # Do two passes, one to just change these to
-  # `$object: dependent.h' and one to simply `dependent.h:'.
-  sed "s,^[^:]*:,$object :," < "$tmpdepfile" > "$depfile"
-  # Some versions of the HPUX 10.20 sed can't process this invocation
-  # correctly.  Breaking it into two sed invocations is a workaround.
-  sed 's,^[^:]*: \(.*\)$,\1,;s/^\\$//;/^$/d;/:$/d' < "$tmpdepfile" |
-    sed -e 's/$/ :/' >> "$depfile"
-  rm -f "$tmpdepfile"
-  ;;
-
-tru64)
-   # The Tru64 compiler uses -MD to generate dependencies as a side
-   # effect.  `cc -MD -o foo.o ...' puts the dependencies into `foo.o.d'.
-   # At least on Alpha/Redhat 6.1, Compaq CCC V6.2-504 seems to put
-   # dependencies in `foo.d' instead, so we check for that too.
-   # Subdirectories are respected.
-   dir=`echo "$object" | sed -e 's|/[^/]*$|/|'`
-   test "x$dir" = "x$object" && dir=
-   base=`echo "$object" | sed -e 's|^.*/||' -e 's/\.o$//' -e 's/\.lo$//'`
-
-   if test "$libtool" = yes; then
-      # Dependencies are output in .lo.d with libtool 1.4.
-      # They are output in .o.d with libtool 1.5.
-      tmpdepfile1="$dir.libs/$base.lo.d"
-      tmpdepfile2="$dir.libs/$base.o.d"
-      tmpdepfile3="$dir.libs/$base.d"
-      "$@" -Wc,-MD
-   else
-      tmpdepfile1="$dir$base.o.d"
-      tmpdepfile2="$dir$base.d"
-      tmpdepfile3="$dir$base.d"
-      "$@" -MD
-   fi
-
-   stat=$?
-   if test $stat -eq 0; then :
-   else
-      rm -f "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3"
-      exit $stat
-   fi
-
-   if test -f "$tmpdepfile1"; then
-      tmpdepfile="$tmpdepfile1"
-   elif test -f "$tmpdepfile2"; then
-      tmpdepfile="$tmpdepfile2"
-   else
-      tmpdepfile="$tmpdepfile3"
-   fi
-   if test -f "$tmpdepfile"; then
-      sed -e "s,^.*\.[a-z]*:,$object:," < "$tmpdepfile" > "$depfile"
-      # That's a tab and a space in the [].
-      sed -e 's,^.*\.[a-z]*:[	 ]*,,' -e 's,$,:,' < "$tmpdepfile" >> "$depfile"
-   else
-      echo "#dummy" > "$depfile"
-   fi
-   rm -f "$tmpdepfile"
-   ;;
-
-#nosideeffect)
-  # This comment above is used by automake to tell side-effect
-  # dependency tracking mechanisms from slower ones.
-
-dashmstdout)
-  # Important note: in order to support this mode, a compiler *must*
-  # always write the preprocessed file to stdout, regardless of -o.
-  "$@" || exit $?
-
-  # Remove the call to Libtool.
-  if test "$libtool" = yes; then
-    while test $1 != '--mode=compile'; do
-      shift
-    done
-    shift
-  fi
-
-  # Remove `-o $object'.
-  IFS=" "
-  for arg
-  do
-    case $arg in
-    -o)
-      shift
-      ;;
-    $object)
-      shift
-      ;;
-    *)
-      set fnord "$@" "$arg"
-      shift # fnord
-      shift # $arg
-      ;;
-    esac
-  done
-
-  test -z "$dashmflag" && dashmflag=-M
-  # Require at least two characters before searching for `:'
-  # in the target name.  This is to cope with DOS-style filenames:
-  # a dependency such as `c:/foo/bar' could be seen as target `c' otherwise.
-  "$@" $dashmflag |
-    sed 's:^[  ]*[^: ][^:][^:]*\:[    ]*:'"$object"'\: :' > "$tmpdepfile"
-  rm -f "$depfile"
-  cat < "$tmpdepfile" > "$depfile"
-  tr ' ' '
-' < "$tmpdepfile" | \
-## Some versions of the HPUX 10.20 sed can't process this invocation
-## correctly.  Breaking it into two sed invocations is a workaround.
-    sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' | sed -e 's/$/ :/' >> "$depfile"
-  rm -f "$tmpdepfile"
-  ;;
-
-dashXmstdout)
-  # This case only exists to satisfy depend.m4.  It is never actually
-  # run, as this mode is specially recognized in the preamble.
-  exit 1
-  ;;
-
-makedepend)
-  "$@" || exit $?
-  # Remove any Libtool call
-  if test "$libtool" = yes; then
-    while test $1 != '--mode=compile'; do
-      shift
-    done
-    shift
-  fi
-  # X makedepend
-  shift
-  cleared=no
-  for arg in "$@"; do
-    case $cleared in
-    no)
-      set ""; shift
-      cleared=yes ;;
-    esac
-    case "$arg" in
-    -D*|-I*)
-      set fnord "$@" "$arg"; shift ;;
-    # Strip any option that makedepend may not understand.  Remove
-    # the object too, otherwise makedepend will parse it as a source file.
-    -*|$object)
-      ;;
-    *)
-      set fnord "$@" "$arg"; shift ;;
-    esac
-  done
-  obj_suffix="`echo $object | sed 's/^.*\././'`"
-  touch "$tmpdepfile"
-  ${MAKEDEPEND-makedepend} -o"$obj_suffix" -f"$tmpdepfile" "$@"
-  rm -f "$depfile"
-  cat < "$tmpdepfile" > "$depfile"
-  sed '1,2d' "$tmpdepfile" | tr ' ' '
-' | \
-## Some versions of the HPUX 10.20 sed can't process this invocation
-## correctly.  Breaking it into two sed invocations is a workaround.
-    sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' | sed -e 's/$/ :/' >> "$depfile"
-  rm -f "$tmpdepfile" "$tmpdepfile".bak
-  ;;
-
-cpp)
-  # Important note: in order to support this mode, a compiler *must*
-  # always write the preprocessed file to stdout.
-  "$@" || exit $?
-
-  # Remove the call to Libtool.
-  if test "$libtool" = yes; then
-    while test $1 != '--mode=compile'; do
-      shift
-    done
-    shift
-  fi
-
-  # Remove `-o $object'.
-  IFS=" "
-  for arg
-  do
-    case $arg in
-    -o)
-      shift
-      ;;
-    $object)
-      shift
-      ;;
-    *)
-      set fnord "$@" "$arg"
-      shift # fnord
-      shift # $arg
-      ;;
-    esac
-  done
-
-  "$@" -E |
-    sed -n '/^# [0-9][0-9]* "\([^"]*\)".*/ s:: \1 \\:p' |
-    sed '$ s: \\$::' > "$tmpdepfile"
-  rm -f "$depfile"
-  echo "$object : \\" > "$depfile"
-  cat < "$tmpdepfile" >> "$depfile"
-  sed < "$tmpdepfile" '/^$/d;s/^ //;s/ \\$//;s/$/ :/' >> "$depfile"
-  rm -f "$tmpdepfile"
-  ;;
-
-msvisualcpp)
-  # Important note: in order to support this mode, a compiler *must*
-  # always write the preprocessed file to stdout, regardless of -o,
-  # because we must use -o when running libtool.
-  "$@" || exit $?
-  IFS=" "
-  for arg
-  do
-    case "$arg" in
-    "-Gm"|"/Gm"|"-Gi"|"/Gi"|"-ZI"|"/ZI")
-	set fnord "$@"
-	shift
-	shift
-	;;
-    *)
-	set fnord "$@" "$arg"
-	shift
-	shift
-	;;
-    esac
-  done
-  "$@" -E |
-  sed -n '/^#line [0-9][0-9]* "\([^"]*\)"/ s::echo "`cygpath -u \\"\1\\"`":p' | sort | uniq > "$tmpdepfile"
-  rm -f "$depfile"
-  echo "$object : \\" > "$depfile"
-  . "$tmpdepfile" | sed 's% %\\ %g' | sed -n '/^\(.*\)$/ s::	\1 \\:p' >> "$depfile"
-  echo "	" >> "$depfile"
-  . "$tmpdepfile" | sed 's% %\\ %g' | sed -n '/^\(.*\)$/ s::\1\::p' >> "$depfile"
-  rm -f "$tmpdepfile"
-  ;;
-
-none)
-  exec "$@"
-  ;;
-
-*)
-  echo "Unknown depmode $depmode" 1>&2
-  exit 1
-  ;;
-esac
-
-exit 0
-
-# Local Variables:
-# mode: shell-script
-# sh-indentation: 2
-# eval: (add-hook 'write-file-hooks 'time-stamp)
-# time-stamp-start: "scriptversion="
-# time-stamp-format: "%:y-%02m-%02d.%02H"
-# time-stamp-end: "$"
-# End:
diff --git a/doc/CMakeLists.txt b/doc/CMakeLists.txt
new file mode 100644
index 0000000000..e2c3f25f4e
--- /dev/null
+++ b/doc/CMakeLists.txt
@@ -0,0 +1 @@
+add_subdirectory(scripts)
diff --git a/doc/Makefile.am b/doc/Makefile.am
deleted file mode 100644
index 2842129441..0000000000
--- a/doc/Makefile.am
+++ /dev/null
@@ -1,9 +0,0 @@
-EXTRA_DIST = README.txt
-SUBDIRS = ref-manual quick-start user-manual
-
-doc:
-	@echo "Build Bro Documentation (html and pdf)"
-	for d in $(SUBDIRS); do \
-		( cd $$d && $(MAKE) $@ ); \
-	done
-
diff --git a/doc/README b/doc/README
new file mode 100644
index 0000000000..1333ed77b7
--- /dev/null
+++ b/doc/README
@@ -0,0 +1 @@
+TODO
diff --git a/doc/README.txt b/doc/README.txt
deleted file mode 100644
index 6b0a6b70c7..0000000000
--- a/doc/README.txt
+++ /dev/null
@@ -1,14 +0,0 @@
-
-The current documentation is in the following directories:
-
-quick-start/ 
-user-manual/ 
-ref-manual/  
-
-To build html and pdf version of the documents, 'makeinfo' and 'texi2dvi', part
-of the GNU texinfo package, version 4.7 or higher is required.
-
-Pre-built (and probably more current) versions of the documentation 
-are available at:
-	http://www.bro-ids.org/manuals.html
- 
diff --git a/doc/misc/conn-logs b/doc/misc/conn-logs
deleted file mode 100644
index 88c156e261..0000000000
--- a/doc/misc/conn-logs
+++ /dev/null
@@ -1,82 +0,0 @@
-TCP connection logs are generated by tcp.bro.  The summaries are written
-to stdout, one line per connection:
-
-	start-time duration protocol orig-bytes resp-bytes \
-	local-addr remote-addr state flags additional
-
-	start-time: timestamp of when the connection's first packet was
-		observed
-
-	duration: time until connection finished, in seconds, or '?' if
-		not determined
-
-	protocol: TCP protocol, if well-known port; or portmapper request
-
-	orig-bytes: total bytes sent by originator.  Computed from difference
-		between starting and ending sequence numbers, so sometimes
-		wrong (if wrong, the values tend to be erroneously large)
-
-	resp-bytes: same for bytes sent by connection responder
-
-	local-addr: IP address of local end of connection
-	remote-addr: IP address of remote end of connection
-		Note that these would make more sense as originator/responder,
-		but for historical reasons they're defined in terms of
-		"local" and "remote", where "local" is specified by the
-		"local_nets" set in hot.bro.  To pull out the originator
-		and responder addresses requires looking at the "flags"
-		field to see whether the connection originated locally.
-
-	state: final connection state (see below)
-
-	flags: some characteristics of the connection.  The most important is
-		the 'L' flag, which if present indicates that the connection
-		was initiated by the local address (see above); otherwise
-		it was initiated by the remote address.
-
-	additional: protocol-specific additional information, such as the FTP
-		session identifier, telnet user name, finger request, or
-		portmapper results.
-
-The scripts "hot-report" and "mon-report" (in the aux/scripts/ directory) 
-generate readable versions of these connection summaries.  They include
-a mnemonic indicating the connection's state.  Here is the list of
-abbreviations used:
-
-	Symbol	Name	Meaning
-	------	-------	-------------------
-	}	S0	Initial SYN seen, no reply seen ("unanswered")
-	>	S1	Initial SYN handshake seen ("established")
-
-	>	SF	Established and normal FIN handshake seen
-			for termination.  Note that this is the same
-			symbol as for state S1.  You can tell the two
-			apart because for S1 there will not be any
-			byte counts, while for SF there will be.
-
-	[	REJ	Initial SYN elicited RST in reply ("rejected")
-
-	}2	S2	Established and FIN from originator only seen
-	}3	S3	Established and FIN from responder only seen
-
-	>]	RSTO	Established, originator sent a RST to terminate
-	>[	RSTR	Established, responder sent a RST to terminate
-
-	}]	RSTOS0	Originator sent a SYN followed by a RST,
-			we never saw a SYN ack from the responder
-	<[	RSTRH	Responder sent a SYN ack followed by a RST,
-			we never saw a SYN from the originator
-
-	>h	SH	Originator sent a SYN followed by a FIN,
-			we never saw a SYN ack from the responder
-			(so "half" open)
-	<h	SHR	Responder sent a SYN ack followed by a FIN,
-			we never saw a SYN from the originator
-
-	?>?	OTH	No SYN seen, just midstream traffic
-
-The sundry weird states can arise from broken TCPs, but also from split
-routing in which Bro just sees one side of a connection.
-
-For UDP, if we see a request but no reply, that's state S0 ("}"); a request
-followed by a reply is SF (">"); and a reply but no request is SHR ("<h").
diff --git a/doc/misc/ssl.txt b/doc/misc/ssl.txt
deleted file mode 100644
index dd8e1c11c9..0000000000
--- a/doc/misc/ssl.txt
+++ /dev/null
@@ -1,49 +0,0 @@
-
-How to create certificates to authorize Bro's SSL connections
-=============================================================
-
-- Create a global CA key/certificate once:
-
-  * Create some directory to store the CA stuff, and create
-  	a few things there:
-
-	    mkdir <ca-dir>
-		cd <ca-dir>
-  		mkdir private newcerts cert crl
-		chmod 700 private
-		touch index.txt
-		echo 01 >serial
-		cp bro/openssl.conf .
-
-  * Create a private CA key:
-   	    openssl genrsa -des3 -out private/ca_key.pem
-
-  * Self-sign it:
-  		openssl req -new -x509 -key private/ca_key.pem -out ca_cert.pem -days 1095
-
-- For each Bro:
-
-  * Create a private key (w/o password):
-  		openssl genrsa -out bro_key.pem
-
-  * Create a certification request:
-  		openssl req -new -key bro_key.pem -out bro.csr
-
-  * Create a certificate using the CA key:
-  		openssl ca -config openssl.cnf -in bro.csr -out bro_cert.pem
-
-  * Verify that the certicate is ok:
-  		openssl verify  -CAfile ca_cert.pem bro_cert.pem
-
-  * Concat Bro key and certificate:
-  		cat bro_key.pem bro_cert.pem >bro.pem
-
-  * Copy this and the CA certificate to the IDS machine:
-  		 scp bro.pem ca_cert.pem ids:...
-
-  * Redef Bro's variables to point to the files:
-  		 redef ssl_ca_certificate = "...../ca_cert.pem";
-  		 redef ssl_private_key = "...../bro.pem";
-
-  * Remove the unnecessary stuff:
-  		 rm bro_key.pem bro.csr bro_cert.pem bro.pem
diff --git a/doc/old/manual-src.tar.gz b/doc/old/manual-src.tar.gz
deleted file mode 100644
index 0e959c40a9..0000000000
Binary files a/doc/old/manual-src.tar.gz and /dev/null differ
diff --git a/doc/old/manual.pdf b/doc/old/manual.pdf
deleted file mode 100644
index b2e945acd5..0000000000
Binary files a/doc/old/manual.pdf and /dev/null differ
diff --git a/doc/old/manual/WARNINGS b/doc/old/manual/WARNINGS
deleted file mode 100644
index 41ac2abf00..0000000000
--- a/doc/old/manual/WARNINGS
+++ /dev/null
@@ -1,60 +0,0 @@
-
-The manual.aux file was not found, so sections will not be numbered 
-and cross-references will be shown as icons.
-
-There is no author for this document.
-
-? brace missing for \emph
-
-? brace missing for \index
-couldn't convert character bb into available encodings
-
- ...set $ACCENT_IMAGES  to get an image 
-couldn't convert character cring into available encodings
-couldn't convert character tt into available encodings
-
-No number for "Differenttypesofdirectionsfor<TT>set_contents_file</TT>"
-
-No number for "<TT>print-filter</TT>printsoutthe<TT>tcpdump</TT>filteryourBroscriptwoulduseandthenexits."
-
-No number for "Definitionofthe<TT>net_stats</TT>record."
-
-No number for "Definitionof<TT>conn_id</TT>and<TT>connection</TT>records."
-
-No number for "TCPandUDPconnectionstates,asstoredinan<TT>endpoint</TT>record."
-
-No number for "Summariesofconnectionstates,asreportedin<TT>red</TT>files."
-
-No number for "Differentconnectionstatestousewhencalling<TT>check_hot</TT>."
-
-No number for "Sampledefinitionof<TT>log_hook</TT>"
-
-No number for "Definitionofthe<TT>dns_mapping</TT>record."
-
-No number for "Definitionofthe<TT>ftp_session_info</TT>record"
-
-No number for "ExampleofFTPlogfileentriesforasingleFTPsession."
-
-No number for "ExampleofHTTPlogfileentriesforasingleHTTPsession."
-
-No number for "Differenttypesofconfusionthat<TT>login</TT>analyzercanreport."
-
-No number for "TypesofcallstotheRPCportmapperservice."
-
-No number for "TypesofRPCstatuscodes."
-
-No number for "<TT>endpoint_stats</TT>fieldsforsummarizingconnectionendpointstatistics,alloftype<TT>count</TT>."
-
-No number for "Possibleactionstotakeforsignaturesmatches.<I>signatures-log</I>defaultsto<TT>open_log_file(;SPMquot;signatures;SPMquot;)</TT>."
-
-No number for "Definitionofthe<TT>x509</TT>record"
-
-No number for "Definitionofthe<TT>ssl_connection_info</TT>record"
-
-No number for "ExampleofSSLlogfilewithasingleSSLsession."
-
-No number for "Differenttypesofpossibleactionstotakefor``weird''events."
-
-No number for "Definitionofthe<TT>signature_state</TT>record."
-
-Failed to convert image /tmp/l2h6233/image052.ps
diff --git a/doc/old/manual/images.aux b/doc/old/manual/images.aux
deleted file mode 100644
index f23e54680b..0000000000
--- a/doc/old/manual/images.aux
+++ /dev/null
@@ -1 +0,0 @@
-\relax 
diff --git a/doc/old/manual/images.idx b/doc/old/manual/images.idx
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/doc/old/manual/images.log b/doc/old/manual/images.log
deleted file mode 100644
index b1ffb1e95c..0000000000
--- a/doc/old/manual/images.log
+++ /dev/null
@@ -1,607 +0,0 @@
-This is TeX, Version 3.14159 (Web2C 7.3.1) (format=latex 2001.8.15)  21 MAR 2004 07:20
-**./images.tex
-(./images.tex
-LaTeX2e <1999/12/01> patch level 1
-Babel <v3.6Z> and hyphenation patterns for american, french, german, ngerman, n
-ohyphenation, loaded.
-
-(/usr/local/share/texmf/tex/latex/base/report.cls
-Document Class: report 1999/09/10 v1.4a Standard LaTeX document class
-(/usr/local/share/texmf/tex/latex/base/size10.clo
-File: size10.clo 1999/09/10 v1.4a Standard LaTeX file (size option)
-)
-\c@part=\count79
-\c@chapter=\count80
-\c@section=\count81
-\c@subsection=\count82
-\c@subsubsection=\count83
-\c@paragraph=\count84
-\c@subparagraph=\count85
-\c@figure=\count86
-\c@table=\count87
-\abovecaptionskip=\skip41
-\belowcaptionskip=\skip42
-\bibindent=\dimen102
-) (/usr/local/share/texmf/tex/latex/base/ifthen.sty
-Package: ifthen 1999/09/10 v1.1b Standard LaTeX ifthen package (DPC)
-) (/usr/local/share/texmf/tex/latex/base/makeidx.sty
-Package: makeidx 1999/09/17 v1.0l Standard LaTeX package
-) (/usr/local/share/texmf/tex/latex/psnfss/times.sty
-Package: times 1999/03/29 PSNFSS v.7.2 Times font as default roman : S Rahtz
-) (/usr/local/share/texmf/tex/generic/misc/psfig.sty
-\@unused=\write3
-\ps@stream=\read1
-\p@intvaluex=\dimen103
-\p@intvaluey=\dimen104
-psfig/tex 1.10-dvips
-) (/home/jaguar/u0/vern/latex2html/texinputs/html.sty
-Package: html 1999/07/19 v1.38 hypertext commands for latex2html (nd, hws, rrm)
-
-\c@lpart=\count88
-\c@lchapter=\count89
-\c@lsection=\count90
-\c@lsubsection=\count91
-\c@lsubsubsection=\count92
-\c@lparagraph=\count93
-\c@lsubparagraph=\count94
-\c@lsubsubparagraph=\count95
-\ptrfile=\write4
-)
-\@indexfile=\write5
-\openout5 = `images.idx'.
-
-Writing index file images.idx
-(/usr/local/share/texmf/tex/latex/graphics/color.sty
-Package: color 1999/02/16 v1.0i Standard LaTeX Color (DPC)
-(/usr/local/share/texmf/tex/latex/config/color.cfg)
-Package color Info: Driver file: dvips.def on input line 125.
-(/usr/local/share/texmf/tex/latex/graphics/dvips.def
-File: dvips.def 1999/02/16 v3.0i Driver-dependant file (DPC,SPQR)
-) (/usr/local/share/texmf/tex/latex/graphics/dvipsnam.def
-File: dvipsnam.def 1999/02/16 v3.0i Driver-dependant file (DPC,SPQR)
-)) (/usr/local/share/texmf/tex/latex/base/inputenc.sty
-Package: inputenc 1999/09/17 v0.992 Input encoding file 
-(/usr/local/share/texmf/tex/latex/base/latin1.def
-File: latin1.def 1999/09/17 v0.992 Input encoding file 
-))
-\sizebox=\box26
-\lthtmlwrite=\write6
-No file images.aux.
-\openout1 = `images.aux'.
-
-LaTeX Font Info:    Checking defaults for OML/cmm/m/it on input line 334.
-LaTeX Font Info:    ... okay on input line 334.
-LaTeX Font Info:    Checking defaults for T1/cmr/m/n on input line 334.
-LaTeX Font Info:    ... okay on input line 334.
-LaTeX Font Info:    Checking defaults for OT1/cmr/m/n on input line 334.
-LaTeX Font Info:    ... okay on input line 334.
-LaTeX Font Info:    Checking defaults for OMS/cmsy/m/n on input line 334.
-LaTeX Font Info:    ... okay on input line 334.
-LaTeX Font Info:    Checking defaults for OMX/cmex/m/n on input line 334.
-LaTeX Font Info:    ... okay on input line 334.
-LaTeX Font Info:    Checking defaults for U/cmr/m/n on input line 334.
-LaTeX Font Info:    ... okay on input line 334.
-LaTeX Font Info:    Try loading font information for OT1+ptm on input line 334.
-
-(/usr/local/share/texmf/tex/latex/psnfss/ot1ptm.fd
-File: ot1ptm.fd 1998/07/06 Fontinst v1.800 font definitions for OT1/ptm.
-)
-
-latex2htmlLength hsize=349.0pt
-
-latex2htmlLength vsize=633.0pt
-
-latex2htmlLength hoffset=0.0pt
-
-latex2htmlLength voffset=0.0pt
-
-latex2htmlLength topmargin=0.0pt
-
-latex2htmlLength topskip=0.00003pt
-
-latex2htmlLength headheight=0.0pt
-
-latex2htmlLength headsep=0.0pt
-
-latex2htmlLength parskip=0.0pt plus 1.0pt
-
-latex2htmlLength oddsidemargin=-10.84006pt
-
-latex2htmlLength evensidemargin=-10.84006pt
-
-LaTeX Font Info:    External font `cmex10' loaded for size
-(Font)              <7> on input line 399.
-LaTeX Font Info:    External font `cmex10' loaded for size
-(Font)              <5> on input line 399.
-l2hSize :tex2html_wrap_inline5436:6.74997pt::0.0pt::13.00003pt.
-[1
-
-
-
-]
-l2hSize :tex2html_wrap_inline5438:6.74997pt::0.0pt::8.00003pt.
-[2
-
-
-]
-l2hSize :tex2html_wrap_inline5440:6.83331pt::0.0pt::73.23354pt.
-[3
-
-
-]
-l2hSize :tex2html_wrap_inline5442:6.83331pt::0.0pt::15.04518pt.
-[4
-
-
-]
-l2hSize :tex2html_wrap_inline5444:8.14003pt::0.0pt::13.9723pt.
-[5
-
-
-]
-l2hSize :tex2html_wrap_inline5446:8.14003pt::0.0pt::13.9723pt.
-[6
-
-
-]
-l2hSize :tex2html_wrap_inline5448:8.14003pt::0.0pt::9.98618pt.
-[7
-
-
-]
-l2hSize :tex2html_wrap_inline5450:6.83331pt::0.0pt::41.50558pt.
-[8
-
-
-]
-l2hSize :tex2html_wrap_inline5452:6.83331pt::0.0pt::59.23058pt.
-[9
-
-
-]
-l2hSize :tex2html_wrap_inline5454:6.83331pt::0.0pt::16.67014pt.
-[10
-
-
-]
-l2hSize :tex2html_wrap_inline5456:7.96227pt::0.0pt::7.13895pt.
-[11
-
-
-]
-l2hSize :tex2html_wrap_inline5458:6.88586pt::0.0pt::5.09726pt.
-[12
-
-
-]
-l2hSize :tex2html_wrap_inline8536:7.24997pt::7.24997pt::4.98616pt.
-[13
-
-
-]
-l2hSize :tex2html_wrap_inline8540:7.24997pt::7.24997pt::4.98616pt.
-[14
-
-
-]
-l2hSize :tex2html_wrap_inline8614:7.24997pt::7.24997pt::4.98616pt.
-[15
-
-
-]
-l2hSize :tex2html_wrap_inline16373:7.24997pt::7.24997pt::21.05557pt.
-[16
-
-
-]
-l2hSize :tex2html_wrap_inline16375:6.74997pt::0.0pt::9.28017pt.
-[17
-
-
-]
-l2hSize :tex2html_wrap_inline16379:6.74997pt::0.0pt::6.50238pt.
-[18
-
-
-]
-l2hSize :tex2html_wrap_inline16393:6.94444pt::0.0pt::6.26161pt.
-[19
-
-
-]
-LaTeX Font Info:    Try loading font information for OT1+pcr on input line 614.
-
-(/usr/local/share/texmf/tex/latex/psnfss/ot1pcr.fd
-File: ot1pcr.fd 1998/07/06 Fontinst v1.800 font definitions for OT1/pcr.
-)
-Overfull \hbox (59.0pt too wide) in paragraph at lines 631--631
-[]        \OT1/pcr/m/n/10 print fmt("(%s) and (%s)", capture_filter, restrict_f
-ilter);[] 
- []
-
-l2hSize :figure22361:203.09998pt::0.0pt::349.0pt.
-[20
-
-
-]
-Overfull \hbox (41.0pt too wide) in paragraph at lines 647--647
-[]    \OT1/pcr/m/n/10 pkts_recvd: count;       # Number of packets received so 
-far.[] 
- []
-
-
-Overfull \hbox (59.0pt too wide) in paragraph at lines 647--647
-[]    \OT1/pcr/m/n/10 pkts_dropped: count;     # Number of packets *reported* d
-ropped.[] 
- []
-
-
-Overfull \hbox (83.0pt too wide) in paragraph at lines 647--647
-[]    \OT1/pcr/m/n/10 interface_drops: count;  # Number of drops reported by in
-terface(s).[] 
- []
-
-l2hSize :figure22485:83.09998pt::0.0pt::349.0pt.
-[21
-
-
-]
-Overfull \hbox (29.0pt too wide) in paragraph at lines 680--680
-[]    \OT1/pcr/m/n/10 id: conn_id;        # Originator/responder addresses/port
-s.[] 
- []
-
-
-Overfull \hbox (71.0pt too wide) in paragraph at lines 680--680
-[]    \OT1/pcr/m/n/10 duration: interval; # How long it was active (or has been
- so far).[] 
- []
-
-
-Overfull \hbox (95.0pt too wide) in paragraph at lines 680--680
-[]    \OT1/pcr/m/n/10 service: string;    # The service we associate with it (e
-.g., "http").[] 
- []
-
-
-Overfull \hbox (59.0pt too wide) in paragraph at lines 680--680
-[]    \OT1/pcr/m/n/10 addl: string;       # Additional information associated w
-ith it.[] 
- []
-
-
-Overfull \hbox (71.0pt too wide) in paragraph at lines 680--680
-[]    \OT1/pcr/m/n/10 hot: count;         # How many times we've marked it as s
-ensitive.[] 
- []
-
-l2hSize :figure22528:275.09998pt::0.0pt::349.0pt.
-[22
-
-
-]
-l2hSize :tex2html_wrap_inline31877:6.83331pt::0.0pt::8.00005pt.
-[23
-
-
-]
-l2hSize :tex2html_wrap_inline31879:6.83331pt::0.0pt::8.58684pt.
-[24
-
-
-]
-l2hSize :tex2html_wrap_inline31899:7.33331pt::7.33331pt::12.53233pt.
-[25
-
-
-]
-l2hSize :tex2html_wrap_inline31901:7.33331pt::7.33331pt::12.51337pt.
-[26
-
-
-]
-l2hSize :tex2html_wrap_inline31903:7.33331pt::7.33331pt::11.0695pt.
-[27
-
-
-]
-l2hSize :tex2html_wrap_inline31905:7.33331pt::7.33331pt::12.4283pt.
-[28
-
-
-]
-l2hSize :tex2html_wrap_inline31927:7.33331pt::7.33331pt::12.44727pt.
-[29
-
-
-]
-l2hSize :tex2html_wrap_inline31937:7.33331pt::7.33331pt::11.0792pt.
-[30
-
-
-]
-l2hSize :tex2html_wrap_inline31941:7.33331pt::7.33331pt::11.06023pt.
-[31
-
-
-]
-l2hSize :tex2html_wrap_inline31943:6.83331pt::0.0pt::9.05698pt.
-[32
-
-
-]
-l2hSize :tex2html_wrap_inline31957:7.33331pt::7.33331pt::11.36739pt.
-[33
-
-
-]
-l2hSize :tex2html_wrap_inline31961:7.33331pt::7.33331pt::11.34842pt.
-[34
-
-
-]
-l2hSize :tex2html_wrap_inline31971:7.24997pt::7.24997pt::5.53128pt.
-[35
-
-
-]
-l2hSize :figure23775:263.09998pt::0.0pt::349.0pt.
-[36
-
-
-]
-Overfull \hbox (35.0pt too wide) in paragraph at lines 830--830
-[]    \OT1/pcr/m/n/10 req_host: string;     # The hostname in the request, if a
-ny.[] 
- []
-
-
-Overfull \hbox (29.0pt too wide) in paragraph at lines 830--830
-[]    \OT1/pcr/m/n/10 req_addr: addr;       # The address in the request, if an
-y.[] 
- []
-
-
-Overfull \hbox (59.0pt too wide) in paragraph at lines 830--830
-[]    \OT1/pcr/m/n/10 hostname: string;     # The hostname in the answer, or "<
-none>".[] 
- []
-
-
-Overfull \hbox (35.0pt too wide) in paragraph at lines 830--830
-[]    \OT1/pcr/m/n/10 addrs: set[addr];     # The addresses in the answer, if a
-ny.[] 
- []
-
-l2hSize :figure23860:131.09998pt::0.0pt::349.0pt.
-[37
-
-
-]
-Overfull \hbox (41.0pt too wide) in paragraph at lines 858--858
-[]    \OT1/pcr/m/n/10 id: count;              # unique number associated w/ ses
-sion[] 
- []
-
-
-Overfull \hbox (71.0pt too wide) in paragraph at lines 858--858
-[]    \OT1/pcr/m/n/10 log_if_not_denied: bool;        # unless code 530 on repl
-y, log it[] 
- []
-
-
-Overfull \hbox (71.0pt too wide) in paragraph at lines 858--858
-[]    \OT1/pcr/m/n/10 log_if_not_unavail: bool;       # unless code 550 on repl
-y, log it[] 
- []
-
-l2hSize :figure24088:131.09998pt::0.0pt::349.0pt.
-[38
-
-
-]
-Overfull \hbox (35.0pt too wide) in paragraph at lines 877--877
-[]\OT1/pcr/m/n/10 972499885.784104 #26 131.243.70.68/1899 > 64.55.26.206/ftp st
-art[] 
- []
-
-
-Overfull \hbox (5.0pt too wide) in paragraph at lines 877--877
-[]\OT1/pcr/m/n/10 972499886.685046 #26 response (220 tuvok.ooc.com FTP server[]
- 
- []
-
-
-Overfull \hbox (23.0pt too wide) in paragraph at lines 877--877
-[]    \OT1/pcr/m/n/10 (Version wu-2.6.0(1) Fri Jun 23 09:17:44 EDT 2000) ready.
-)[] 
- []
-
-
-Overfull \hbox (41.0pt too wide) in paragraph at lines 877--877
-[]\OT1/pcr/m/n/10 972499889.493020 #26 SIZE /pub/OB/4.0/JOB-4.0.3.zip (213 1675
-597)[] 
- []
-
-
-Overfull \hbox (65.0pt too wide) in paragraph at lines 877--877
-[]\OT1/pcr/m/n/10 972499890.135706 #26 *RETR /pub/OB/4.0/JOB-4.0.3.zip, ABOR (c
-omplete)[] 
- []
-
-
-Overfull \hbox (11.0pt too wide) in paragraph at lines 877--877
-[]\OT1/pcr/m/n/10 972500055.491045 #26 response (225 ABOR command successful.)[
-] 
- []
-
-l2hSize :figure24192:119.53992pt::0.0pt::349.0pt.
-[39
-
-
-]
-l2hSize :figure24357:83.53992pt::0.0pt::349.0pt.
-[40
-
-
-]
-l2hSize :tex2html_wrap_inline31983:7.24997pt::7.24997pt::16.05556pt.
-[41
-
-
-]
-l2hSize :tex2html_wrap_inline31987:7.24997pt::7.24997pt::26.05559pt.
-[42
-
-
-]
-l2hSize :tex2html_wrap_inline31989:7.24997pt::7.24997pt::31.0556pt.
-[43
-
-
-]
-l2hSize :tex2html_wrap_inline31991:7.24997pt::7.24997pt::8.27783pt.
-[44
-
-
-]
-l2hSize :figure25695:59.09998pt::0.0pt::349.0pt.
-[45
-
-
-]
-Overfull \hbox (29.0pt too wide) in paragraph at lines 970--970
-[]    \OT1/pcr/m/n/10 id: count;                      # the log identifier numb
-er[] 
- []
-
-
-Overfull \hbox (29.0pt too wide) in paragraph at lines 970--970
-[]    \OT1/pcr/m/n/10 connection_id: conn_id;         # IP connection informati
-on[] 
- []
-
-
-Overfull \hbox (83.0pt too wide) in paragraph at lines 970--970
-[]    \OT1/pcr/m/n/10 version: count;                 # version associated with
- connection[] 
- []
-
-
-Overfull \hbox (59.0pt too wide) in paragraph at lines 970--970
-[]    \OT1/pcr/m/n/10 id_index: string;               # index for associated se
-ssionID[] 
- []
-
-
-Overfull \hbox (131.0pt too wide) in paragraph at lines 970--970
-[]    \OT1/pcr/m/n/10 handshake_cipher: count;        # cipher suite client and
- server agreed upon[] 
- []
-
-l2hSize :figure25707:119.09998pt::0.0pt::349.0pt.
-[46
-
-
-]
-Overfull \hbox (59.0pt too wide) in paragraph at lines 992--992
-[]\OT1/pcr/m/n/10 1046778101.534846 #1 192.168.0.98/32988 > 213.61.126.124/http
-s start[] 
- []
-
-
-Overfull \hbox (2135.0pt too wide) in paragraph at lines 992--992
-[]\OT1/pcr/m/n/10 1046778101.534846 #1 cipher suites: SSLv3x_RSA_WITH_RC4_128_M
-D5 (0x4), SSLv3x_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (0xFEFF), SSLv3x_RSA_WITH_3DES_
-EDE_CBC_SHA (0xA), SSLv3x_RSA_FIPS_WITH_DES_CBC_SHA (0xFEFE), SSLv3x_RSA_WITH_D
-ES_CBC_SHA(0x9), SSLv3x_RSA_EXPORT1024_WITH_RC4_56_SHA (0x64), SSLv3x_RSA_EXPOR
-T1024_WITH_DES_CBC_SHA (0x62), SSLv3x_RSA_EXPORT_WITH_RC4_40_MD5 (0x3), SSLv3x_
-RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x6),[] 
- []
-
-
-Overfull \hbox (65.0pt too wide) in paragraph at lines 992--992
-[]\OT1/pcr/m/n/10 1046778101.753356 #1 cipher suite: SSLv3x_RSA_WITH_RC4_128_MD
-5 (0x4),[] 
- []
-
-
-Overfull \hbox (749.0pt too wide) in paragraph at lines 992--992
-[]\OT1/pcr/m/n/10 1046778101.762601 #1 X.509 server issuer: /C=DE/ST=Hamburg/L=
-Hamburg/O=TC TrustCenter for Security in Data Networks GmbH/OU=TC TrustCenter C
-lass 3 CA/Email=certificate@trustcenter.de,[] 
- []
-
-
-Overfull \hbox (521.0pt too wide) in paragraph at lines 992--992
-[]\OT1/pcr/m/n/10 1046778101.762601 #1 X.509 server subject: /C=DE/ST=Berlin/O=
-Lehmanns Fachbuchhandlung GmbH/OU=Zentrale EDV/CN=www.jfl.de/Email=admin@lehman
-ns.de[] 
- []
-
-
-Overfull \hbox (257.0pt too wide) in paragraph at lines 992--992
-[]\OT1/pcr/m/n/10 1046778101.894567 #1 handshake finished, version 3.1, cipher 
-suite: SSLv3x_RSA_WITH_RC4_128_MD5 (0x4)[] 
- []
-
-l2hSize :figure25794:155.25494pt::0.0pt::349.0pt.
-[47
-
-
-]
-l2hSize :tex2html_wrap_inline31993:7.31989pt::7.31989pt::51.61522pt.
-[48
-
-
-]
-Overfull \hbox (41.0pt too wide) in paragraph at lines 1037--1037
-[]    \OT1/pcr/m/n/10 is_orig: bool;       # True if current endpoint is origin
-ator[] 
- []
-
-
-Overfull \hbox (95.0pt too wide) in paragraph at lines 1037--1037
-[]    \OT1/pcr/m/n/10 payload_size: count; # Payload size of the first pkt of c
-urr. endpoint[] 
- []
-
-l2hSize :figure39539:83.09998pt::0.0pt::349.0pt.
-[49
-
-
-]
-l2hSize :tex2html_wrap_inline39988:6.83331pt::0.0pt::9.625pt.
-[50
-
-
-]
-l2hSize :tex2html_wrap_inline39992:7.33331pt::7.33331pt::17.4028pt.
-[51
-
-
-] (/home/jaguar/u0/vern/bro/bro-doc/index.tex (/home/jaguar/u0/vern/bro/bro-doc
-/doc.ind
-LaTeX Font Info:    Font shape `OT1/ptm/bx/n' in size <24.88> not available
-(Font)              Font shape `OT1/ptm/b/n' tried instead on input line 1.
-LaTeX Font Info:    Font shape `OT1/pcr/m/it' in size <10> not available
-(Font)              Font shape `OT1/pcr/m/sl' tried instead on input line 1539.
-
-! TeX capacity exceeded, sorry [main memory size=263001].
-\par ...@m \@noitemerr {\@@par }\fi \else {\@@par 
-                                                  }\fi 
-l.2843     \subitem
-                    reading, 17
-If you really absolutely need more capacity,
-you can ask a wizard to enlarge me.
-
- 
-Here is how much of TeX's memory you used:
- 1313 strings out of 10901
- 15527 string characters out of 72380
- 263001 words of memory out of 263001
- 4278 multiletter control sequences out of 10000+0
- 6696 words of font info for 23 fonts, out of 400000 for 1000
- 14 hyphenation exceptions out of 1000
- 23i,5n,19p,429b,425s stack positions out of 300i,100n,500p,50000b,4000s
-Output written on images.dvi (51 pages, 17976 bytes).
diff --git a/doc/old/manual/images.pl b/doc/old/manual/images.pl
deleted file mode 100644
index d419b8ea7a..0000000000
--- a/doc/old/manual/images.pl
+++ /dev/null
@@ -1,332 +0,0 @@
-# LaTeX2HTML 2002-2 (1.70)
-# Associate images original text with physical files.
-
-
-$key = q/B;MSF=1.6;AAT/;
-$cached_env_img{$key} = q|<IMG
- WIDTH="19" HEIGHT="18" ALIGN="BOTTOM" BORDER="0"
- SRC="|."$dir".q|img24.gif"
- ALT="$B$">|; 
-
-$key = q/A_i;MSF=1.6;AAT/;
-$cached_env_img{$key} = q|<IMG
- WIDTH="29" HEIGHT="18" ALIGN="BOTTOM" BORDER="0"
- SRC="|."$dir".q|img4.gif"
- ALT="$A\_i$">|; 
-
-$key = q/ge1024;MSF=1.6;AAT/;
-$cached_env_img{$key} = q|<IMG
- WIDTH="55" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
- SRC="|."$dir".q|img43.gif"
- ALT="$\ge 1024$">|; 
-
-$key = q/2^{24};MSF=1.6;AAT/;
-$cached_env_img{$key} = q|<IMG
- WIDTH="27" HEIGHT="20" ALIGN="BOTTOM" BORDER="0"
- SRC="|."$dir".q|img5.gif"
- ALT="$2^{24}$">|; 
-
-$key = q/S_{o};MSF=1.6;AAT/;
-$cached_env_img{$key} = q|<IMG
- WIDTH="23" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
- SRC="|."$dir".q|img30.gif"
- ALT="$S_{o}$">|; 
-
-$key = q/ge256;MSF=1.6;AAT/;
-$cached_env_img{$key} = q|<IMG
- WIDTH="47" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
- SRC="|."$dir".q|img42.gif"
- ALT="$\ge 256$">|; 
-
-$key = q/pmN;MSF=1.6;AAT/;
-$cached_env_img{$key} = q|<IMG
- WIDTH="33" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
- SRC="|."$dir".q|img51.gif"
- ALT="$\pm N$">|; 
-
-$key = q/{figure}preform{<verbatim_mark>verbatim312#preform{{{{figure};FSF=1.6;AAT/;
-$cached_env_img{$key} = q|<IMG
- WIDTH="645" HEIGHT="185" BORDER="0"
- SRC="|."$dir".q|img37.gif"
- ALT="\begin{figure}\begin{verbatim}type dns_mapping: record {
-creation_time: time;...
-... set[addr];  ...">|; 
-
-$key = q/_{2};MSF=1.6;AAT/;
-$cached_env_img{$key} = q|<IMG
- WIDTH="13" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
- SRC="|."$dir".q|img13.gif"
- ALT="$_{2}$">|; 
-
-$key = q/N_1{{tt{.}N_2{{tt{.};MSF=1.6;AAT/;
-$cached_env_img{$key} = q|<IMG
- WIDTH="71" HEIGHT="18" ALIGN="BOTTOM" BORDER="0"
- SRC="|."$dir".q|img8.gif"
- ALT="$N\_1 {\tt .} N\_2 {\tt .}$">|; 
-
-$key = q/{figure}preform{<verbatim_mark>verbatim338#preform{{{{figure};FSF=1.6;AAT/;
-$cached_env_img{$key} = q|<IMG
- WIDTH="763" HEIGHT="166" BORDER="0"
- SRC="|."$dir".q|img46.gif"
- ALT="\begin{figure}\begin{verbatim}type ssl_connection_info: record {
-id: count;  ...">|; 
-
-$key = q/A_{l};MSF=1.6;AAT/;
-$cached_env_img{$key} = q|<IMG
- WIDTH="23" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
- SRC="|."$dir".q|img27.gif"
- ALT="$A_{l}$">|; 
-
-$key = q/{figure}preform{<verbatim_mark>verbatim345#preform{{{{figure};FSF=1.6;AAT/;
-$cached_env_img{$key} = q|<IMG
- WIDTH="705" HEIGHT="109" BORDER="0"
- SRC="|."$dir".q|img49.gif"
- ALT="\begin{figure}\begin{verbatim}type signature_state: record {
-id: string;  ...">|; 
-
-$key = q/ge;MSF=1.6;AAT/;
-$cached_env_img{$key} = q|<IMG
- WIDTH="18" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
- SRC="|."$dir".q|img44.gif"
- ALT="$\ge$">|; 
-
-$key = q/{figure}preform{<verbatim_mark>verbatim298#preform{{{{figure};FSF=1.6;AAT/;
-$cached_env_img{$key} = q|<IMG
- WIDTH="644" HEIGHT="299" BORDER="0"
- SRC="|."$dir".q|img20.gif"
- ALT="\begin{figure}\begin{verbatim}event bro_init()
-{
-if ( restrict_filter == '''...
-...%s)'', capture_filter, restrict_filter);exit();
-}\end{verbatim}
-\end{figure}">|; 
-
-$key = q/S_{r};MSF=1.6;AAT/;
-$cached_env_img{$key} = q|<IMG
- WIDTH="23" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
- SRC="|."$dir".q|img31.gif"
- ALT="$S_{r}$">|; 
-
-$key = q/P_{o};MSF=1.6;AAT/;
-$cached_env_img{$key} = q|<IMG
- WIDTH="23" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
- SRC="|."$dir".q|img33.gif"
- ALT="$P_{o}$">|; 
-
-$key = q/2^8;MSF=1.6;AAT/;
-$cached_env_img{$key} = q|<IMG
- WIDTH="21" HEIGHT="20" ALIGN="BOTTOM" BORDER="0"
- SRC="|."$dir".q|img7.gif"
- ALT="$2^8$">|; 
-
-$key = q/A_{o};MSF=1.6;AAT/;
-$cached_env_img{$key} = q|<IMG
- WIDTH="25" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
- SRC="|."$dir".q|img29.gif"
- ALT="$A_{o}$">|; 
-
-$key = q/p;MSF=1.6;AAT/;
-$cached_env_img{$key} = q|<IMG
- WIDTH="14" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
- SRC="|."$dir".q|img35.gif"
- ALT="$p$">|; 
-
-$key = q/D;MSF=1.6;AAT/;
-$cached_env_img{$key} = q|<IMG
- WIDTH="20" HEIGHT="18" ALIGN="BOTTOM" BORDER="0"
- SRC="|."$dir".q|img32.gif"
- ALT="$D$">|; 
-
-$key = q/_{1};MSF=1.6;AAT/;
-$cached_env_img{$key} = q|<IMG
- WIDTH="13" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
- SRC="|."$dir".q|img14.gif"
- ALT="$_{1}$">|; 
-
-$key = q/N;MSF=1.6;AAT/;
-$cached_env_img{$key} = q|<IMG
- WIDTH="21" HEIGHT="18" ALIGN="BOTTOM" BORDER="0"
- SRC="|."$dir".q|img50.gif"
- ALT="$N$">|; 
-
-$key = q/~tilde{~}~~~;MSF=1.6;AAT/;
-$cached_env_img{$key} = q|<IMG
- WIDTH="26" HEIGHT="18" ALIGN="BOTTOM" BORDER="0"
- SRC="|."$dir".q|img1.gif"
- ALT="$&nbsp;\tilde{&nbsp;}&nbsp;&nbsp;&nbsp;$">|; 
-
-$key = q/P_{r};MSF=1.6;AAT/;
-$cached_env_img{$key} = q|<IMG
- WIDTH="23" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
- SRC="|."$dir".q|img34.gif"
- ALT="$P_{r}$">|; 
-
-$key = q/A_{r};MSF=1.6;AAT/;
-$cached_env_img{$key} = q|<IMG
- WIDTH="25" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
- SRC="|."$dir".q|img28.gif"
- ALT="$A_{r}$">|; 
-
-$key = q/N_i;MSF=1.6;AAT/;
-$cached_env_img{$key} = q|<IMG
- WIDTH="32" HEIGHT="18" ALIGN="BOTTOM" BORDER="0"
- SRC="|."$dir".q|img10.gif"
- ALT="$N\_i$">|; 
-
-$key = q/B_{o};MSF=1.6;AAT/;
-$cached_env_img{$key} = q|<IMG
- WIDTH="25" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
- SRC="|."$dir".q|img25.gif"
- ALT="$B_{o}$">|; 
-
-$key = q/2cdotmbox{MSL}=4;MSF=1.6;AAT/;
-$cached_env_img{$key} = q|<IMG
- WIDTH="87" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
- SRC="|."$dir".q|img48.gif"
- ALT="$2 \cdot \mbox{MSL} = 4$">|; 
-
-$key = q/{figure}preform{<verbatim_mark>verbatim300#preform{{{{figure};FSF=1.6;AAT/;
-$cached_env_img{$key} = q|<IMG
- WIDTH="703" HEIGHT="414" BORDER="0"
- SRC="|."$dir".q|img22.gif"
- ALT="\begin{figure}\begin{verbatim}type conn_id: record {
-orig_h: addr;  ...">|; 
-
-$key = q/{figure}preform{<verbatim_mark>verbatim319#preform{{{{figure};FSF=1.6;AAT/;
-$cached_env_img{$key} = q|<IMG
- WIDTH="551" HEIGHT="109" BORDER="0"
- SRC="|."$dir".q|img40.gif"
- ALT="\begin{figure}\begin{verbatim}972482763.371224 %1596 start 200.241.229.80 &gt; 13...
-...g/movies/off.gif
-%1596 GET /vfrog/new.frog.small.gif
-\end{verbatim}
-\end{figure}">|; 
-
-$key = q/{figure}preform{<verbatim_mark>verbatim317#preform{{{{figure};FSF=1.6;AAT/;
-$cached_env_img{$key} = q|<IMG
- WIDTH="652" HEIGHT="167" BORDER="0"
- SRC="|."$dir".q|img39.gif"
- ALT="\begin{figure}\begin{verbatim}972499885.784104  ...">|; 
-
-$key = q/{figure}preform{<verbatim_mark>verbatim315#preform{{{{figure};FSF=1.6;AAT/;
-$cached_env_img{$key} = q|<IMG
- WIDTH="667" HEIGHT="185" BORDER="0"
- SRC="|."$dir".q|img38.gif"
- ALT="\begin{figure}\begin{verbatim}type ftp_session_info: record {
-id: count;  ...">|; 
-
-$key = q/{figure}preform{<verbatim_mark>verbatim311#preform{{{{figure};FSF=1.6;AAT/;
-$cached_env_img{$key} = q|<IMG
- WIDTH="514" HEIGHT="394" BORDER="0"
- SRC="|."$dir".q|img36.gif"
- ALT="\begin{figure}\begin{verbatim}global msg_count: table[string] of count &amp;defaul...
-... schedule +5 min { log_summary(msg) };return F;
-}\end{verbatim}
-\end{figure}">|; 
-
-$key = q/{figure}preform{<verbatim_mark>verbatim339#preform{{{{figure};FSF=1.6;AAT/;
-$cached_env_img{$key} = q|<IMG
- WIDTH="3949" HEIGHT="223" BORDER="0"
- SRC="|."$dir".q|img47.gif"
- ALT="\begin{figure}\begin{verbatim}1046778101.534846  ...">|; 
-
-$key = q/{figure}preform{<verbatim_mark>verbatim337#preform{{{{figure};FSF=1.6;AAT/;
-$cached_env_img{$key} = q|<IMG
- WIDTH="515" HEIGHT="70" BORDER="0"
- SRC="|."$dir".q|img45.gif"
- ALT="\begin{figure}\begin{verbatim}type x509: record {
-issuer: string;  ...">|; 
-
-$key = q/^*;MSF=1.6;AAT/;
-$cached_env_img{$key} = q|<IMG
- WIDTH="13" HEIGHT="18" ALIGN="BOTTOM" BORDER="0"
- SRC="|."$dir".q|img12.gif"
- ALT="$^*$">|; 
-
-$key = q/{figure}preform{<verbatim_mark>verbatim299#preform{{{{figure};FSF=1.6;AAT/;
-$cached_env_img{$key} = q|<IMG
- WIDTH="684" HEIGHT="109" BORDER="0"
- SRC="|."$dir".q|img21.gif"
- ALT="\begin{figure}\begin{verbatim}type net_stats: record {
-...">|; 
-
-$key = q/h;MSF=1.6;AAT/;
-$cached_env_img{$key} = q|<IMG
- WIDTH="15" HEIGHT="18" ALIGN="BOTTOM" BORDER="0"
- SRC="|."$dir".q|img19.gif"
- ALT="$h$">|; 
-
-$key = q/B_{r};MSF=1.6;AAT/;
-$cached_env_img{$key} = q|<IMG
- WIDTH="25" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
- SRC="|."$dir".q|img26.gif"
- ALT="$B_{r}$">|; 
-
-$key = q/m;MSF=1.6;AAT/;
-$cached_env_img{$key} = q|<IMG
- WIDTH="20" HEIGHT="18" ALIGN="BOTTOM" BORDER="0"
- SRC="|."$dir".q|img17.gif"
- ALT="$m$">|; 
-
-$key = q/le2;MSF=1.6;AAT/;
-$cached_env_img{$key} = q|<IMG
- WIDTH="31" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
- SRC="|."$dir".q|img41.gif"
- ALT="$\le 2$">|; 
-
-$key = q/2^{16};MSF=1.6;AAT/;
-$cached_env_img{$key} = q|<IMG
- WIDTH="27" HEIGHT="20" ALIGN="BOTTOM" BORDER="0"
- SRC="|."$dir".q|img6.gif"
- ALT="$2^{16}$">|; 
-
-$key = q/le26;MSF=1.6;AAT/;
-$cached_env_img{$key} = q|<IMG
- WIDTH="39" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
- SRC="|."$dir".q|img16.gif"
- ALT="$\le 26$">|; 
-
-$key = q/A;MSF=1.6;AAT/;
-$cached_env_img{$key} = q|<IMG
- WIDTH="18" HEIGHT="18" ALIGN="BOTTOM" BORDER="0"
- SRC="|."$dir".q|img23.gif"
- ALT="$A$">|; 
-
-$key = q/A_1{{tt{.}A_2{{tt{.}A_3{{tt{.}A_4;MSF=1.6;AAT/;
-$cached_env_img{$key} = q|<IMG
- WIDTH="122" HEIGHT="18" ALIGN="BOTTOM" BORDER="0"
- SRC="|."$dir".q|img3.gif"
- ALT="$A\_1 {\tt .} A\_2 {\tt .} A\_3 {\tt .} A\_4$">|; 
-
-$key = q/_{3};MSF=1.6;AAT/;
-$cached_env_img{$key} = q|<IMG
- WIDTH="13" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
- SRC="|."$dir".q|img15.gif"
- ALT="$_{3}$">|; 
-
-$key = q/^+;MSF=1.6;AAT/;
-$cached_env_img{$key} = q|<IMG
- WIDTH="17" HEIGHT="20" ALIGN="BOTTOM" BORDER="0"
- SRC="|."$dir".q|img11.gif"
- ALT="$^+$">|; 
-
-$key = q/N_1{{tt{.}N_2{{tt{.}N_3;MSF=1.6;AAT/;
-$cached_env_img{$key} = q|<IMG
- WIDTH="99" HEIGHT="18" ALIGN="BOTTOM" BORDER="0"
- SRC="|."$dir".q|img9.gif"
- ALT="$N\_1 {\tt .} N\_2 {\tt .} N\_3 $">|; 
-
-$key = q/tilde{~}~~;MSF=1.6;AAT/;
-$cached_env_img{$key} = q|<IMG
- WIDTH="18" HEIGHT="18" ALIGN="BOTTOM" BORDER="0"
- SRC="|."$dir".q|img2.gif"
- ALT="$\tilde{&nbsp;}&nbsp;&nbsp;$">|; 
-
-$key = q/n;MSF=1.6;AAT/;
-$cached_env_img{$key} = q|<IMG
- WIDTH="16" HEIGHT="18" ALIGN="BOTTOM" BORDER="0"
- SRC="|."$dir".q|img18.gif"
- ALT="$n$">|; 
-
-1;
-
diff --git a/doc/old/manual/images.tex b/doc/old/manual/images.tex
deleted file mode 100644
index ea01ededfa..0000000000
--- a/doc/old/manual/images.tex
+++ /dev/null
@@ -1,1104 +0,0 @@
-\batchmode
-
-
-\documentclass[twoside]{report}
-\RequirePackage{ifthen}
-
-
-
-
-\frenchspacing
-
-
-\sloppy
-
-
-\usepackage{makeidx}
-\usepackage{times}
-\usepackage{psfig}
-\usepackage{html}
-
-
-\textwidth=6.5in
-\oddsidemargin=-0.15in
-\evensidemargin=-0.15in
-
-
-\title{
-	The {\em Bro} 0.8 User Manual
-}
-
-%
-\providecommand{\note}[1]{\emph{Note: #1}}%
-\providecommand{\privatenote}[1]{}%
-\providecommand{\updateme}[1]{#1}%
-\providecommand{\unlikeC}[1]{\emph{Unlike with C,} #1}%
-\providecommand{\deficiency}[1]{\emph{Deficiency: #1}}%
-\providecommand{\fixme}[1]{\emph{Fix me: #1}} 
-
-%
-\providecommand{\xref}[1]{\hyperref{\S~\ref{#1}}{}{}{#1}}%
-\providecommand{\pxref}[1]{(\hyperref{\S~\ref{#1}}{}{}{#1})}%
-\providecommand{\cxref}[1]{\hyperref{Chapter~\ref{#1}}{}{}{#1}}%
-\providecommand{\link}[2]{\hyperref{#1}{}{}{#2}}%
-\providecommand{\lab}[2]{\label{#1}{#2}}%
-\providecommand{\labsectchapter}[2]{\chapter{#2 #1}}%
-\providecommand{\labsectsection}[2]{\section{#2 #1}}%
-\providecommand{\labsectsubsection}[2]{\subsection{#2 #1}}%
-\providecommand{\labsectsubsubsection}[2]{\subsubsection{#2 #1}}%
-\providecommand{\itemwithextra}[3]{\item[{\tt #1#3}]}%
-\providecommand{\optsyntax}[1]{{\emph{[} \texttt{#1} \emph{]}}}%
-\providecommand{\nl}{} 
-
-%
-\providecommand{\itemwithtype}[2]{\item[{\tt #1 : #2}]} 
-
-%
-\providecommand{\f}[1]{Figure~\ref{#1}}%
-\providecommand{\tbl}[1]{Table~\ref{#1}}%
-\providecommand{\percent}{{{\tt \%}}}%
-\providecommand{\hash}{{{\tt \#}}}%
-\providecommand{\caret}{{{\tt \^}}}%
-\providecommand{\load}{{{\tt @load}{ }}}%
-\providecommand{\loadx}{{{\tt @load}}}%
-\providecommand{\prefix}{{{\tt @prefix}{ }}}%
-\providecommand{\prefixx}{{{\tt @prefix}}}%
-\providecommand{\void}{void} 
-
-%
-\providecommand{\kludge}{{\tt \mbox{\hspace{0.01in}}~}} 
-
-%
-\providecommand{\indplain}[2]{\index{#1 #2}\index{#2s!#1}{#1}}%
-\providecommand{\indtt}[2]{\index{#1 #2@{\protect\tt #1} #2}\index{#2s}\index{#2s!#1@{\tt #1}}{{\tt #1}}}%
-\providecommand{\indttbang}[2]{\index{#1@{\tt #1}}\index{#1!#2@#2}{{\tt #1}}}%
-\providecommand{\indttparen}[2]{\index{#1 #2@{\protect\tt (#1)} #2}\index{#2s}\index{#2s!#1@{\tt (#1)}}{{\tt (#1)}}}%
-\providecommand{\indttnotext}[2]{\index{#1 #2@{\protect\tt #1} #2}\index{#2s}\index{#2s!#1@{\tt #1}}}%
-\providecommand{\indttnotexttwo}[3]{\index{#1 #2 #3@{\protect\tt #1 #2} #3}\index{#2 #3@{\tt #2} #3}\index{#2 #3!#1@{\tt #1}}}%
-\providecommand{\indttzero}[1]{\index{#1@{\protect\tt #1}}{{\tt #1}}}%
-\providecommand{\indtttwo}[3]{\index{#2@{\protect\tt #1} #3}\index{#3s}\index{#3s!#2@{\tt #1}}}%
-\providecommand{\itemindtt}[2]{\index{#1 #2@{\protect\tt #1} #2}\index{#2s}\index{#2s!#1@{\tt #1}}\item[{\tt #1}]}%
-\providecommand{\indttbegin}[2]{\index{#1 #2@{\protect\tt #1} #2|(}\index{#2s}\index{#2s!#1@{\tt #1}|(}{\tt #1}}%
-\providecommand{\indttend}[2]{\index{#1 #2@{\protect\tt #1} #2|)}\index{#2s}\index{#2s!#1@{\tt #1}|)}{\tt #1}} 
-
-%
-\providecommand{\opind}[1]{\index{#1 operator@{\protect\tt #1} operator}\index{operators!{\protect\tt #1}}}%
-\providecommand{\indopone}[2]{\index{#1 #2@{\protect\tt #1} #2}\index{operators!{\protect\tt #1}}}%
-\providecommand{\indoponekey}[3]{\index{#3@{\protect\tt #1} #2}\index{operators!{\protect\tt #1}}}%
-\providecommand{\indoptwo}[2]{\index{#1 #2@{\protect\tt #1\protect\ } #2}\index{operators!{\protect\tt #1}}} 
-
-%
-\providecommand{\keyind}[1]{\index{#1 keyword@{\protect\tt #1} keyword}\index{keywords!{\protect\tt #1}}} 
-
-%
-\providecommand{\indevent}[2]{\index{#1 event@{\protect\tt #1} event}\index{events!{\protect\tt #1}}\label{#2-event}{{\tt #1}}}%
-\providecommand{\itemindevent}[2]{\index{#1 event@{\protect\tt #1} event}\index{events!{\protect\tt #1}}\label{#2-event}{\item[{\tt #1}]}}%
-\providecommand{\indeventnolabel}[1]{\index{#1 event@{\protect\tt #1} event}\index{events!{\protect\tt #1}}}%
-\providecommand{\indeventtype}[3]{\index{#1 event@{\protect\tt #1} event}\index{events!{\protect\tt #1}}\label{#2-event}{\item[{\tt \tt #1 (#3)}]}}%
-\providecommand{\indeventtypenolabel}[2]{\index{#1 event@{\protect\tt #1} event}\index{events!{\protect\tt #1}}\item[{\tt \tt #1 (#2)}]}%
-\providecommand{\xrefevent}[2]{\hyperref{\tt #1}{}{}{#2-event}}%
-\providecommand{\xrefindevent}[2]{\index{#1 event@{\protect\tt #1} event}\index{events!{\protect\tt #1}}\hyperref{\tt #1}{}{}{#2-event}} 
-
-%
-\providecommand{\indenvnotext}[1]{\index{#1 environment variable@{\protect\tt \$#1} environment variable}\index{environment variables!#1@{\tt \$#1}}}%
-\providecommand{\indenv}[2]{\index{#1 environment variable@{\protect\tt \$#1} environment variable}\index{environment variables!#1@{\tt \$#1}}\label{#2-env}{{\tt \$#1}}}%
-\providecommand{\itemindenv}[2]{\index{#1 environment variable@{\protect\tt \$#1} environment variable}\index{environment variables!#1@{\tt \$#1}}\label{#2-env}{\item[{\tt \$#1}]} }%
-\providecommand{\xrefenv}[2]{\hyperref{\tt \$#1}{}{}{#2-env}} 
-
-%
-\providecommand{\analyzer}[1]{{\tt #1}}%
-\providecommand{\indanalyzer}[2]{\index{#1 analyzer@{\protect\tt #1} analyzer}\index{analyzers!{\protect \tt #1}}\label{#2-analyzer-module}{{\tt #1}}}%
-\providecommand{\indanalyzernolabel}[1]{{\index{#1 analyzer@{\protect\tt #1} analyzer}\index{analyzers!{\protect \tt #1}}{\tt #1}}}%
-\providecommand{\xrefanalyzer}[2]{\hyperref{\tt #1}{}{}{#2-analyzer-module}} 
-
-%
-\providecommand{\module}[1]{{\tt #1}}%
-\providecommand{\indmodule}[2]{\index{#1 module@{\protect\tt #1} module}\index{modules!{\protect \tt #1}}\label{#2-analyzer-module}{{\tt #1}}}%
-\providecommand{\xrefmodule}[2]{\hyperref{\tt #1}{}{}{#2-analyzer-module}} 
-
-%
-\providecommand{\indfunc}[2]{\index{#1 function@{\protect\tt #1} function}\index{functions!{\protect \tt #1}}\label{#2-func}{{\tt #1}}}%
-\providecommand{\itemindfunc}[3]{\index{#1 function@{\protect\tt #1} function}\index{functions!{\protect \tt #1}}\label{#2-func}{\item[{\tt \tt #1\tt #3 }]}}%
-\providecommand{\indfuncnolabel}[2]{\index{#1 function@{\protect\tt #1} function}\index{functions!{\protect \tt #1}}{\tt #1}}%
-\providecommand{\xreffunc}[2]{\hyperref{\tt #1}{}{}{#2-func}}%
-\providecommand{\xrefindfunc}[2]{\index{#1 function@{\protect\tt #1} function}\index{functions!{\protect \tt #1}}\hyperref{\tt #1}{}{}{#2-func}}%
-\providecommand{\xreffuncnott}[2]{\hyperref{\S~\ref{#2-func}}{}{}{#2-func}} 
-
-%
-\providecommand{\xreflog}[1]{\hyperref{\tt #1}{}{}{#1-log}} 
-
-%
-\providecommand{\itemindstmtemph}[1]{\index{#1 statement@{\protect\emph{#1}} statement}\index{statements!{\protect\emph{#1}}}\label{#1-stmt}{\item[{\emph{#1}}]}}%
-\providecommand{\itemindstmttt}[1]{\index{#1 statement@{\protect\tt #1} statement}\index{statements!{\protect\tt #1}}\label{#1-stmt}{\item[{\tt #1}]}}%
-\providecommand{\itemindstmttttwo}[2]{\index{#1 statement@{\protect\tt #1} statement}\index{#2 statement@{\protect\tt #2} statement}\index{statements!{\protect\tt #1}}\index{statements!{\protect\tt #2}}\label{#1-stmt}\label{#2-stmt}{\item[{\tt #1}, {\tt #2}]}}%
-\providecommand{\xrefstmt}[2]{\hyperref{\tt #1}{}{}{#2-stmt}} 
-
-%
-\providecommand{\itemindexpremph}[1]{\index{#1 expression@{\protect\emph{#1}} expression}\index{expressions!{\protect\emph{#1}}}\label{#1-expr}{\item[{\emph{#1}}]}}%
-\providecommand{\itemindexprtt}[1]{\index{#1 expression@{\protect\tt #1} expression}\index{expressions!{\protect\tt #1}}\label{#1-expr}{\item[{\tt #1}]}}%
-\providecommand{\itemindexprtttwo}[2]{\index{#1 expressions@{\protect\tt #1} expressions}\index{#2 expressions@{\protect\tt #2} expressions}\index{expressions!{\protect\tt #1}}\index{expressions!{\protect\tt #2}}\label{#1-expr}\label{#2-expr}{\item[{\tt #1}, {\tt #2}]}}%
-\providecommand{\itemindexpremphtwo}[2]{\index{#1 expressions@{\protect\em #1} expressions}\index{#2 expressions@{\protect\em #2} expressions}\index{expressions!{\protect\em #1}}\index{expressions!{\protect\em #2}}\label{#1-expr}\label{#2-expr}{\item[{\em #1}, {\em #2}]}}%
-\providecommand{\itemindexprtttwonott}[2]{\index{#1 expressions@{#1} expressions}\index{#2 expressions@{#2} expressions}\index{expressions!{#1}}\index{expressions!{#2}}\label{#1-expr}\label{#2-expr}{\item[{#1}, {#2}]}}%
-\providecommand{\xrefexpr}[2]{\hyperref{\tt #1}{}{}{#2-expr}} 
-
-%
-\providecommand{\indfield}[4]{\index{#1@{\tt #1}}\index{#1!#3@{\tt #3} field}\index{#3 record@{\tt #3} record}\label{#4-#2-field}{\item[{\tt #1}]}}%
-\providecommand{\xreffield}[3]{\hyperref{\tt #1}{}{}{#3-#2-field}}%
-\providecommand{\xrefscript}[2]{\hyperref{\tt #1}{}{}{#2-script}} 
-
-%
-\providecommand{\indvar}[1]{\index{#1 variable@{\protect\tt #1} variable}\index{variables!{\protect \tt #1}}{\tt #1}}%
-\providecommand{\indvartype}[3]{\index{#1 variable@{\protect\tt #1} variable}\index{variables!{\protect \tt #1}}\label{#2-var}{\item[{\tt \tt #1 : #3}]}}%
-\providecommand{\indvarbegin}[1]{\index{#1 variable@{\tt #1} variable|(}\index{variables!{\protect \tt #1}|(}}%
-\providecommand{\indvarend}[1]{\index{#1 variable@{\tt #1} variable|)}\index{variables!{\protect \tt #1}|)}}%
-\providecommand{\xrefvar}[2]{\hyperref{\tt #1}{}{}{#2-var}}%
-\providecommand{\xrefvarnott}[2]{\hyperref{\S~\ref{#2-var}}{}{}{#2-var}}%
-\providecommand{\pxrefvarnott}[2]{(\hyperref{\S~\ref{#2-var}}{}{}{#2-var})} 
-
-%
-\providecommand{\xreftype}[2]{\hyperref{\tt #1}{}{}{#2-type}} 
-
-%
-\providecommand{\indattr}[2]{\index{#1 attribute@{\protect\tt \&#1} attribute}\index{attributes!#1@{\tt \&#1}}\label{#2-attr}{{\tt \&#1}}}%
-\providecommand{\indattrnotext}[1]{\index{#1 attribute@{\protect\tt \&#1} attribute}\index{attributes!#1@{\tt \&#1}}}%
-\providecommand{\itemindattr}[2]{\index{#1 attribute@{\protect\tt \&#1} attribute}\index{attributes!#1@{\tt \&#1}}\label{#2-attr}{\item[{\tt \&#1}]} }%
-\providecommand{\xrefattr}[2]{\hyperref{\tt \&#1}{}{}{#2-attr}} 
-
-%
-\providecommand{\indintvar}[1]{\index{#1 internal variable@{\protect\tt #1} internal variable}\index{internal variables!{\protect \tt #1}}{\tt #1}} 
-
-%
-\providecommand{\indformat}[1]{\index{#1 format@{\protect\tt #1} format}\index{format!#1@{\tt #1}}\item[#1]}%
-\providecommand{\indformatnoitem}[1]{\index{#1 format@{\protect\tt #1} format}\index{format!#1@{\tt #1}}} 
-
-%
-\providecommand{\indweird}[2]{\index{#1 (``weird'' event)@{\protect\tt #1} (``weird'' event)}\index{weird event@``weird'' event}\index{weird event!#1@{\protect \tt #1}}\label{#2-weird}{\item[{\tt #1}]}} 
-
-%
-\providecommand{\indextext}[2]{\index{#1 (#2)@{\protect\tt "#1"} (#2)}\index{#2s}\index{#2s!#1@{\tt "#1"}}{\tt "#1"}}%
-\providecommand{\indexmsg}[1]{\index{#1@{\protect\tt "#1"}}\index{message!{\protect \tt "#1"}}} 
-
-%
-\providecommand{\indfatal}[1]{\index{#1!fatal run-time error}\index{fatal run-time error!#1}\index{run-time error!#1}}%
-\providecommand{\indruntime}[1]{\index{#1!run-time error}\index{run-time error!#1}} 
-
-%
-\providecommand{\indglobalnotext}[1]{{\index{#1 global variable@{\protect\tt #1} global variable}}{\index{global variables!{\protect\tt #1}}}}%
-\providecommand{\indglobal}[1]{{\index{#1 global variable@{\protect\tt #1} global variable}}{\index{global variables!{\protect\tt #1}}}{\tt #1}} 
-
-%
-\providecommand{\indpredefvar}[3]{\index{#1 variable@{\protect\tt #1} variable}\index{predefined variables!{\protect \tt #1}}\index{variables!{\protect \tt #1}}\label{#2-global}{\item[{\tt \tt #1 : #3}]}} 
-
-%
-\providecommand{\xrefglobal}[2]{\hyperref{\tt #1}{}{}{#2-global}}%
-\providecommand{\xrefglobalind}[2]{\hyperref{\tt #1}{}{}{#2-global}{\index{#1 global variable@{\protect\tt #1} global variable}}{\index{global variables!{\protect\tt #1}}}} 
-
-%
-\providecommand{\indlibrary}[2]{{\index{#1 library@{\protect\em #1} library}}{\index{libraries!{\protect\em #1}}}{\index{libraries!{\protect\em #1}}}\label{#2-library}{{\em #1}}}%
-\providecommand{\xreflibrary}[2]{\hyperref{\emph{#1}}{}{}{#2-library}} 
-
-%
-\providecommand{\indutility}[2]{{\index{#1 utility program@{\protect\em #1} utility program}}{\index{programs!{\protect\em #1}}}{\index{utility programs!{\protect\em #1}}}\label{#2-utility}{{\em #1}}}%
-\providecommand{\xrefutility}[2]{\hyperref{\emph{#1}}{}{}{#2-utility}} 
-
-%
-\providecommand{\mkflagind}[1]{\index{#1 flag@{\protect\tt -#1} flag}\index{flags!{\protect \tt -#1}}\index{Bro!flags!{\protect \tt -#1}}}%
-\providecommand{\indflag}[1]{\index{#1 flag@{\protect\tt -#1} flag}\index{flags!{\protect \tt -#1}}\index{Bro!flags!{\protect \tt -#1}}\label{flag-#1}{\item[{\tt -#1}]}}%
-\providecommand{\indflagnoitem}[1]{\index{#1 flag@{\protect\tt -#1} flag}\index{flags!{\protect \tt -#1}}\index{Bro!flags!{\protect \tt -#1}}{\tt -#1}}%
-\providecommand{\indflagtwo}[2]{\index{#1 flag@{\protect\tt -#1} flag}\index{flags!{\protect \tt -#1}}\index{Bro!flags!{\protect \tt -#1}}\label{flag-#1}{\item[{\tt \tt -#1 \emph{#2}}] \\}}%
-\providecommand{\xrefflag}[1]{\hyperref{\tt #1}{}{}{flag#1}} 
-
-%
-\providecommand{\indpredeffunc}[3]{\index{#1 function@{\tt #1} function}\index{predefined functions!{\protect \tt #1}}\index{functions!{\protect \tt #1}}\label{#2-func}{\item[{\tt \tt #1 #3}]}}%
-\providecommand{\indpredeffuncnolab}[2]{\index{#1 predefined function@{\tt #1} predefined function}\index{predefined functions!{\protect \tt #1}}\index{functions!{\protect \tt #1}}\item[{\tt \tt #1 #2}]} 
-
-%
-\providecommand{\indtype}[1]{\index{#1@{\protect\tt #1}|see{types, {\protect\tt #1}}}} 
-
-%
-\providecommand{\indconfig}[2]{\index{#1 configuration option@{\tt {--}#1} configuration option}\index{configuration options!{\tt {--}#1}}\label{#2-config}{{\tt {--}#1}}}%
-\providecommand{\xrefconfig}[2]{\hyperref{\tt {--}#1}{}{}{#2-config}} 
-
-%
-\providecommand{\addindextocentry}{\addcontentsline{toc}{chapter}{\protect\numberline{Index}{}}} 
-
-%
-\providecommand{\indsigattr}[1]{\item[\tt #1]} 
-
-
-\makeindex
-
-
-
-
-\usepackage[dvips]{color}
-
-
-\pagecolor[gray]{.7}
-
-\usepackage[latin1]{inputenc}
-
-
-
-\makeatletter
-
-\makeatletter
-\count@=\the\catcode`\_ \catcode`\_=8 
-\newenvironment{tex2html_wrap}{}{}%
-\catcode`\<=12\catcode`\_=\count@
-\newcommand{\providedcommand}[1]{\expandafter\providecommand\csname #1\endcsname}%
-\newcommand{\renewedcommand}[1]{\expandafter\providecommand\csname #1\endcsname{}%
-  \expandafter\renewcommand\csname #1\endcsname}%
-\newcommand{\newedenvironment}[1]{\newenvironment{#1}{}{}\renewenvironment{#1}}%
-\let\newedcommand\renewedcommand
-\let\renewedenvironment\newedenvironment
-\makeatother
-\let\mathon=$
-\let\mathoff=$
-\ifx\AtBeginDocument\undefined \newcommand{\AtBeginDocument}[1]{}\fi
-\newbox\sizebox
-\setlength{\hoffset}{0pt}\setlength{\voffset}{0pt}
-\addtolength{\textheight}{\footskip}\setlength{\footskip}{0pt}
-\addtolength{\textheight}{\topmargin}\setlength{\topmargin}{0pt}
-\addtolength{\textheight}{\headheight}\setlength{\headheight}{0pt}
-\addtolength{\textheight}{\headsep}\setlength{\headsep}{0pt}
-\setlength{\textwidth}{349pt}
-\newwrite\lthtmlwrite
-\makeatletter
-\let\realnormalsize=\normalsize
-\global\topskip=2sp
-\def\preveqno{}\let\real@float=\@float \let\realend@float=\end@float
-\def\@float{\let\@savefreelist\@freelist\real@float}
-\def\liih@math{\ifmmode$\else\bad@math\fi}
-\def\end@float{\realend@float\global\let\@freelist\@savefreelist}
-\let\real@dbflt=\@dbflt \let\end@dblfloat=\end@float
-\let\@largefloatcheck=\relax
-\let\if@boxedmulticols=\iftrue
-\def\@dbflt{\let\@savefreelist\@freelist\real@dbflt}
-\def\adjustnormalsize{\def\normalsize{\mathsurround=0pt \realnormalsize
- \parindent=0pt\abovedisplayskip=0pt\belowdisplayskip=0pt}%
- \def\phantompar{\csname par\endcsname}\normalsize}%
-\def\lthtmltypeout#1{{\let\protect\string \immediate\write\lthtmlwrite{#1}}}%
-\newcommand\lthtmlhboxmathA{\adjustnormalsize\setbox\sizebox=\hbox\bgroup\kern.05em }%
-\newcommand\lthtmlhboxmathB{\adjustnormalsize\setbox\sizebox=\hbox to\hsize\bgroup\hfill }%
-\newcommand\lthtmlvboxmathA{\adjustnormalsize\setbox\sizebox=\vbox\bgroup %
- \let\ifinner=\iffalse \let\)\liih@math }%
-\newcommand\lthtmlboxmathZ{\@next\next\@currlist{}{\def\next{\voidb@x}}%
- \expandafter\box\next\egroup}%
-\newcommand\lthtmlmathtype[1]{\gdef\lthtmlmathenv{#1}}%
-\newcommand\lthtmllogmath{\lthtmltypeout{l2hSize %
-:\lthtmlmathenv:\the\ht\sizebox::\the\dp\sizebox::\the\wd\sizebox.\preveqno}}%
-\newcommand\lthtmlfigureA[1]{\let\@savefreelist\@freelist
-       \lthtmlmathtype{#1}\lthtmlvboxmathA}%
-\newcommand\lthtmlpictureA{\bgroup\catcode`\_=8 \lthtmlpictureB}%
-\newcommand\lthtmlpictureB[1]{\lthtmlmathtype{#1}\egroup
-       \let\@savefreelist\@freelist \lthtmlhboxmathB}%
-\newcommand\lthtmlpictureZ[1]{\hfill\lthtmlfigureZ}%
-\newcommand\lthtmlfigureZ{\lthtmlboxmathZ\lthtmllogmath\copy\sizebox
-       \global\let\@freelist\@savefreelist}%
-\newcommand\lthtmldisplayA{\bgroup\catcode`\_=8 \lthtmldisplayAi}%
-\newcommand\lthtmldisplayAi[1]{\lthtmlmathtype{#1}\egroup\lthtmlvboxmathA}%
-\newcommand\lthtmldisplayB[1]{\edef\preveqno{(\theequation)}%
-  \lthtmldisplayA{#1}\let\@eqnnum\relax}%
-\newcommand\lthtmldisplayZ{\lthtmlboxmathZ\lthtmllogmath\lthtmlsetmath}%
-\newcommand\lthtmlinlinemathA{\bgroup\catcode`\_=8 \lthtmlinlinemathB}
-\newcommand\lthtmlinlinemathB[1]{\lthtmlmathtype{#1}\egroup\lthtmlhboxmathA
-  \vrule height1.5ex width0pt }%
-\newcommand\lthtmlinlineA{\bgroup\catcode`\_=8 \lthtmlinlineB}%
-\newcommand\lthtmlinlineB[1]{\lthtmlmathtype{#1}\egroup\lthtmlhboxmathA}%
-\newcommand\lthtmlinlineZ{\egroup\expandafter\ifdim\dp\sizebox>0pt %
-  \expandafter\centerinlinemath\fi\lthtmllogmath\lthtmlsetinline}
-\newcommand\lthtmlinlinemathZ{\egroup\expandafter\ifdim\dp\sizebox>0pt %
-  \expandafter\centerinlinemath\fi\lthtmllogmath\lthtmlsetmath}
-\newcommand\lthtmlindisplaymathZ{\egroup %
-  \centerinlinemath\lthtmllogmath\lthtmlsetmath}
-\def\lthtmlsetinline{\hbox{\vrule width.1em \vtop{\vbox{%
-  \kern.1em\copy\sizebox}\ifdim\dp\sizebox>0pt\kern.1em\else\kern.3pt\fi
-  \ifdim\hsize>\wd\sizebox \hrule depth1pt\fi}}}
-\def\lthtmlsetmath{\hbox{\vrule width.1em\kern-.05em\vtop{\vbox{%
-  \kern.1em\kern0.8 pt\hbox{\hglue.17em\copy\sizebox\hglue0.8 pt}}\kern.3pt%
-  \ifdim\dp\sizebox>0pt\kern.1em\fi \kern0.8 pt%
-  \ifdim\hsize>\wd\sizebox \hrule depth1pt\fi}}}
-\def\centerinlinemath{%
-  \dimen1=\ifdim\ht\sizebox<\dp\sizebox \dp\sizebox\else\ht\sizebox\fi
-  \advance\dimen1by.5pt \vrule width0pt height\dimen1 depth\dimen1 
- \dp\sizebox=\dimen1\ht\sizebox=\dimen1\relax}
-
-\def\lthtmlcheckvsize{\ifdim\ht\sizebox<\vsize 
-  \ifdim\wd\sizebox<\hsize\expandafter\hfill\fi \expandafter\vfill
-  \else\expandafter\vss\fi}%
-\providecommand{\selectlanguage}[1]{}%
-\makeatletter \tracingstats = 1 
-
-
-\begin{document}
-\pagestyle{empty}\thispagestyle{empty}\lthtmltypeout{}%
-\lthtmltypeout{latex2htmlLength hsize=\the\hsize}\lthtmltypeout{}%
-\lthtmltypeout{latex2htmlLength vsize=\the\vsize}\lthtmltypeout{}%
-\lthtmltypeout{latex2htmlLength hoffset=\the\hoffset}\lthtmltypeout{}%
-\lthtmltypeout{latex2htmlLength voffset=\the\voffset}\lthtmltypeout{}%
-\lthtmltypeout{latex2htmlLength topmargin=\the\topmargin}\lthtmltypeout{}%
-\lthtmltypeout{latex2htmlLength topskip=\the\topskip}\lthtmltypeout{}%
-\lthtmltypeout{latex2htmlLength headheight=\the\headheight}\lthtmltypeout{}%
-\lthtmltypeout{latex2htmlLength headsep=\the\headsep}\lthtmltypeout{}%
-\lthtmltypeout{latex2htmlLength parskip=\the\parskip}\lthtmltypeout{}%
-\lthtmltypeout{latex2htmlLength oddsidemargin=\the\oddsidemargin}\lthtmltypeout{}%
-\makeatletter
-\if@twoside\lthtmltypeout{latex2htmlLength evensidemargin=\the\evensidemargin}%
-\else\lthtmltypeout{latex2htmlLength evensidemargin=\the\oddsidemargin}\fi%
-\lthtmltypeout{}%
-\makeatother
-\setcounter{page}{1}
-\onecolumn
-
-% !!! IMAGES START HERE !!!
-
-\stepcounter{chapter}
-\stepcounter{chapter}
-\stepcounter{section}
-\stepcounter{subsection}
-\stepcounter{subsubsection}
-\stepcounter{subsubsection}
-\stepcounter{subsubsection}
-\stepcounter{subsubsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsubsection}
-\stepcounter{subsubsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsubsection}
-\stepcounter{subsubsection}
-\stepcounter{section}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{chapter}
-\stepcounter{section}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{section}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{section}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{section}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsubsection}
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline5436}%
-$~\tilde{~}~~~$%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline5438}%
-$\tilde{~}~~$%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-\stepcounter{subsubsection}
-\stepcounter{section}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsubsection}
-\stepcounter{subsubsection}
-\stepcounter{subsubsection}
-\stepcounter{subsubsection}
-\stepcounter{subsubsection}
-\stepcounter{subsubsection}
-\stepcounter{section}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{section}
-\stepcounter{subsection}
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline5440}%
-$A\_1 {\tt .} A\_2 {\tt .} A\_3 {\tt .} A\_4$%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline5442}%
-$A\_i$%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-\stepcounter{subsection}
-\stepcounter{section}
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline5444}%
-$2^{24}$%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline5446}%
-$2^{16}$%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline5448}%
-$2^8$%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-\stepcounter{subsection}
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline5450}%
-$N\_1 {\tt .} N\_2 {\tt .}$%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline5452}%
-$N\_1 {\tt .} N\_2 {\tt .} N\_3 $%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline5454}%
-$N\_i$%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-\stepcounter{subsection}
-\stepcounter{section}
-\stepcounter{subsection}
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline5456}%
-$^+$%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline5458}%
-$^*$%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{section}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{chapter}
-\stepcounter{section}
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline8536}%
-$_{2}$%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline8540}%
-$_{1}$%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-\stepcounter{section}
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline8614}%
-$_{3}$%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-\stepcounter{chapter}
-\stepcounter{section}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-
-%
-\providecommand{\constmsg}{\\NOTE: This variable is {\tt const}, 
-so may only be changed via {\tt redef}.}%
-
-\stepcounter{chapter}
-\stepcounter{section}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{section}
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline16373}%
-$\le 26$%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline16375}%
-$m$%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline16379}%
-$n$%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline16393}%
-$h$%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{chapter}
-\stepcounter{section}
-\stepcounter{subsection}
-\stepcounter{subsection}
-{\newpage\clearpage
-\lthtmlfigureA{figure22361}%
-\begin{figure}\begin{verbatim}
-
-event bro_init()
-    {
-    if ( restrict_filter == "" && capture_filter == "" )
-        print "tcp or not tcp";  # Capture everything.
-
-    else if ( restrict_filter == "" )
-        print capture_filter;
-
-    else if ( capture_filter == "" )
-        print restrict_filter;
-
-    else
-        print fmt("(%s) and (%s)", capture_filter, restrict_filter);
-
-    exit();
-    }\end{verbatim}
-
-\end{figure}%
-\lthtmlfigureZ
-\lthtmlcheckvsize\clearpage}
-
-\stepcounter{section}
-{\newpage\clearpage
-\lthtmlfigureA{figure22485}%
-\begin{figure}\begin{verbatim}
-
-type net_stats: record {
-    # All counts are cumulative.
-    pkts_recvd: count;       # Number of packets received so far.
-    pkts_dropped: count;     # Number of packets *reported* dropped.
-    interface_drops: count;  # Number of drops reported by interface(s).
-};\end{verbatim}
-
-\end{figure}%
-\lthtmlfigureZ
-\lthtmlcheckvsize\clearpage}
-
-\stepcounter{section}
-\stepcounter{subsection}
-{\newpage\clearpage
-\lthtmlfigureA{figure22528}%
-\begin{figure}\begin{verbatim}
-
-type conn_id: record {
-    orig_h: addr;  # Address of originating host.
-    orig_p: port;  # Port used by originator.
-    resp_h: addr;  # Address of responding host.
-    resp_p: port;  # Port used by responder.
-};
-
-type endpoint: record {
-    size: count;  # Bytes sent by this endpoint so far.
-    state: count; # The endpoint's current state.
-};
-
-type connection: record {
-    id: conn_id;        # Originator/responder addresses/ports.
-    orig: endpoint;     # Endpoint info for originator.
-    resp: endpoint;     # Endpoint info for responder.
-    start_time: time;   # When the connection began.
-    duration: interval; # How long it was active (or has been so far).
-    service: string;    # The service we associate with it (e.g., "http").
-    addl: string;       # Additional information associated with it.
-    hot: count;         # How many times we've marked it as sensitive.
-};\end{verbatim}
-
-\end{figure}%
-\lthtmlfigureZ
-\lthtmlcheckvsize\clearpage}
-
-\stepcounter{subsection}
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline31877}%
-$A$%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline31879}%
-$B$%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline31899}%
-$B_{o}$%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline31901}%
-$B_{r}$%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline31903}%
-$A_{l}$%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline31905}%
-$A_{r}$%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-\stepcounter{subsection}
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline31927}%
-$A_{o}$%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline31937}%
-$S_{o}$%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline31941}%
-$S_{r}$%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline31943}%
-$D$%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline31957}%
-$P_{o}$%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline31961}%
-$P_{r}$%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline31971}%
-$p$%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-\stepcounter{section}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{section}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{section}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-{\newpage\clearpage
-\lthtmlfigureA{figure23775}%
-\begin{figure}\begin{verbatim}
-
-global msg_count: table[string] of count &default = 0;
-
-event log_summary(msg: string)
-    {
-    log fmt("(%s) %d times", msg, msg_count[msg]);
-    }
-
-function log_hook(msg: string): bool
-    {
-    if ( ++msg_count[msg] == 1 )
-        # First time we've seen this message - log it.
-        return T;
-
-    if ( msg_count[msg] == 5 )
-        # We've seen it five times, enough to be worth
-        # summarizing.  Do so five minutes from now,
-        # for whatever total we've seen by then.
-        schedule +5 min { log_summary(msg) };
-
-    return F;
-    }\end{verbatim}
-
-\end{figure}%
-\lthtmlfigureZ
-\lthtmlcheckvsize\clearpage}
-
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{subsection}
-{\newpage\clearpage
-\lthtmlfigureA{figure23860}%
-\begin{figure}\begin{verbatim}
-
-type dns_mapping: record {
-    creation_time: time;  # When the mapping was created.
-
-    req_host: string;     # The hostname in the request, if any.
-    req_addr: addr;       # The address in the request, if any.
-
-    valid: bool;          # Whether we received an answer.
-    hostname: string;     # The hostname in the answer, or "<none>".
-    addrs: set[addr];     # The addresses in the answer, if any.
-};\end{verbatim}
-
-\end{figure}%
-\lthtmlfigureZ
-\lthtmlcheckvsize\clearpage}
-
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{section}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{subsection}
-{\newpage\clearpage
-\lthtmlfigureA{figure24088}%
-\begin{figure}\begin{verbatim}
-
-type ftp_session_info: record {
-    id: count;              # unique number associated w/ session
-    user: string;           # username, if determined
-    request: string;        # pending request or requests
-    num_requests: count;    # count of pending requests
-    request_t: time;        # time of request
-    log_if_not_denied: bool;        # unless code 530 on reply, log it
-    log_if_not_unavail: bool;       # unless code 550 on reply, log it
-    log_it: bool;           # if true, log the request(s)
-};\end{verbatim}
-
-\end{figure}%
-\lthtmlfigureZ
-\lthtmlcheckvsize\clearpage}
-
-\stepcounter{subsection}
-{\newpage\clearpage
-\lthtmlfigureA{figure24192}%
-\begin{figure}\begin{verbatim}
-
-972499885.784104 #26 131.243.70.68/1899 > 64.55.26.206/ftp start
-972499886.685046 #26 response (220 tuvok.ooc.com FTP server
-    (Version wu-2.6.0(1) Fri Jun 23 09:17:44 EDT 2000) ready.)
-972499886.686025 #26 USER anonymous/IEUser@ (logged in)
-972499887.850621 #26 TYPE I (ok)
-972499888.421741 #26 PASV (227 64.55.26.206/2427)
-972499889.493020 #26 SIZE /pub/OB/4.0/JOB-4.0.3.zip (213 1675597)
-972499890.135706 #26 *RETR /pub/OB/4.0/JOB-4.0.3.zip, ABOR (complete)
-972500055.491045 #26 response (225 ABOR command successful.)\end{verbatim}
-
-\end{figure}%
-\lthtmlfigureZ
-\lthtmlcheckvsize\clearpage}
-
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{section}
-\stepcounter{subsection}
-{\newpage\clearpage
-\lthtmlfigureA{figure24357}%
-\begin{figure}\begin{verbatim}
-
-972482763.371224 %1596 start 200.241.229.80 > 131.243.2.12
-%1596 GET /ITG.hm.pg.docs/dissect/portuguese/dissect.html
-%1596 GET /vfrog/bottom.icon.gif
-%1596 GET /vfrog/top.icon.gif
-%1596 GET /vfrog/movies/off.gif
-%1596 GET /vfrog/new.frog.small.gif
-\end{verbatim}
-
-\end{figure}%
-\lthtmlfigureZ
-\lthtmlcheckvsize\clearpage}
-
-\stepcounter{subsection}
-\stepcounter{section}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{section}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline31983}%
-$\le 2$%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline31987}%
-$\ge 256$%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline31989}%
-$\ge 1024$%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-\stepcounter{section}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline31991}%
-$\ge$%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{subsection}
-{\newpage\clearpage
-\lthtmlfigureA{figure25695}%
-\begin{figure}\begin{verbatim}
-
-type x509: record {
-    issuer:  string; # issuer name of the certificate
-    subject: string; # subject name of the certificate
-};\end{verbatim}
-
-\end{figure}%
-\lthtmlfigureZ
-\lthtmlcheckvsize\clearpage}
-
-\stepcounter{subsection}
-{\newpage\clearpage
-\lthtmlfigureA{figure25707}%
-\begin{figure}\begin{verbatim}
-
-type ssl_connection_info: record {
-    id: count;                      # the log identifier number
-    connection_id: conn_id;         # IP connection information
-    version: count;                 # version associated with connection
-    client_cert: x509;
-    server_cert: x509;
-    id_index: string;               # index for associated sessionID
-    handshake_cipher: count;        # cipher suite client and server agreed upon
-};\end{verbatim}
-
-\end{figure}%
-\lthtmlfigureZ
-\lthtmlcheckvsize\clearpage}
-
-\stepcounter{subsection}
-{\newpage\clearpage
-\lthtmlfigureA{figure25794}%
-\begin{figure}\begin{verbatim}
-
-1046778101.534846 #1 192.168.0.98/32988 > 213.61.126.124/https start
-1046778101.534846 #1 connection attempt version: 3.1
-1046778101.534846 #1 cipher suites: SSLv3x_RSA_WITH_RC4_128_MD5 (0x4), SSLv3x_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (0xFEFF), SSLv3x_RSA_WITH_3DES_EDE_CBC_SHA (0xA), SSLv3x_RSA_FIPS_WITH_DES_CBC_SHA (0xFEFE), SSLv3x_RSA_WITH_DES_CBC_SHA(0x9), SSLv3x_RSA_EXPORT1024_WITH_RC4_56_SHA (0x64), SSLv3x_RSA_EXPORT1024_WITH_DES_CBC_SHA (0x62), SSLv3x_RSA_EXPORT_WITH_RC4_40_MD5 (0x3), SSLv3x_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x6),
-1046778101.753356 #1 server reply, version: 3.1
-1046778101.753356 #1 cipher suite: SSLv3x_RSA_WITH_RC4_128_MD5 (0x4),
-1046778101.762601 #1 X.509 server issuer: /C=DE/ST=Hamburg/L=Hamburg/O=TC TrustCenter for Security in Data Networks GmbH/OU=TC TrustCenter Class 3 CA/Email=certificate@trustcenter.de,
-1046778101.762601 #1 X.509 server subject: /C=DE/ST=Berlin/O=Lehmanns Fachbuchhandlung GmbH/OU=Zentrale EDV/CN=www.jfl.de/Email=admin@lehmanns.de
-1046778101.894567 #1 handshake finished, version 3.1, cipher suite: SSLv3x_RSA_WITH_RC4_128_MD5 (0x4)
-1046778104.877207 #1 finish
----
-Used cipher-suites statistics:
-SSLv3x_RSA_WITH_RC4_128_MD5 (0x4): 1\end{verbatim}
-
-\end{figure}%
-\lthtmlfigureZ
-\lthtmlcheckvsize\clearpage}
-
-\stepcounter{subsection}
-\stepcounter{section}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline31993}%
-$2 \cdot \mbox{MSL} = 4$%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{chapter}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{subsection}
-\stepcounter{subsubsection}
-\stepcounter{subsubsection}
-\stepcounter{subsubsection}
-\stepcounter{subsubsection}
-{\newpage\clearpage
-\lthtmlfigureA{figure39539}%
-\begin{figure}            \begin{verbatim}
-
-type signature_state: record {
-    id: string;          # ID of the signature
-    conn: connection;    # Current connection
-    is_orig: bool;       # True if current endpoint is originator
-    payload_size: count; # Payload size of the first pkt of curr. endpoint
-    };\end{verbatim}
-
-            
-        \end{figure}%
-\lthtmlfigureZ
-\lthtmlcheckvsize\clearpage}
-
-\stepcounter{subsection}
-\stepcounter{section}
-\stepcounter{chapter}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline39988}%
-$N$%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline39992}%
-$\pm N$%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-\stepcounter{chapter}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-{\newpage\clearpage
-\lthtmlfigureA{center42103}%
-\begin{center}\vbox{\input{index.tex}
-}\end{center}%
-\lthtmlfigureZ
-\lthtmlcheckvsize\clearpage}
-
-
-\end{document}
diff --git a/doc/old/manual/img1.gif b/doc/old/manual/img1.gif
deleted file mode 100644
index 0223c17338..0000000000
Binary files a/doc/old/manual/img1.gif and /dev/null differ
diff --git a/doc/old/manual/img10.gif b/doc/old/manual/img10.gif
deleted file mode 100644
index 427749b200..0000000000
Binary files a/doc/old/manual/img10.gif and /dev/null differ
diff --git a/doc/old/manual/img11.gif b/doc/old/manual/img11.gif
deleted file mode 100644
index 8c06e38f4f..0000000000
Binary files a/doc/old/manual/img11.gif and /dev/null differ
diff --git a/doc/old/manual/img12.gif b/doc/old/manual/img12.gif
deleted file mode 100644
index 7555544ec5..0000000000
Binary files a/doc/old/manual/img12.gif and /dev/null differ
diff --git a/doc/old/manual/img13.gif b/doc/old/manual/img13.gif
deleted file mode 100644
index e96a66a481..0000000000
Binary files a/doc/old/manual/img13.gif and /dev/null differ
diff --git a/doc/old/manual/img14.gif b/doc/old/manual/img14.gif
deleted file mode 100644
index 5a93808349..0000000000
Binary files a/doc/old/manual/img14.gif and /dev/null differ
diff --git a/doc/old/manual/img15.gif b/doc/old/manual/img15.gif
deleted file mode 100644
index 7a9ad3b96c..0000000000
Binary files a/doc/old/manual/img15.gif and /dev/null differ
diff --git a/doc/old/manual/img16.gif b/doc/old/manual/img16.gif
deleted file mode 100644
index b52710213a..0000000000
Binary files a/doc/old/manual/img16.gif and /dev/null differ
diff --git a/doc/old/manual/img17.gif b/doc/old/manual/img17.gif
deleted file mode 100644
index c827cd1997..0000000000
Binary files a/doc/old/manual/img17.gif and /dev/null differ
diff --git a/doc/old/manual/img18.gif b/doc/old/manual/img18.gif
deleted file mode 100644
index 94fc1b7cbf..0000000000
Binary files a/doc/old/manual/img18.gif and /dev/null differ
diff --git a/doc/old/manual/img19.gif b/doc/old/manual/img19.gif
deleted file mode 100644
index bfce4a140d..0000000000
Binary files a/doc/old/manual/img19.gif and /dev/null differ
diff --git a/doc/old/manual/img2.gif b/doc/old/manual/img2.gif
deleted file mode 100644
index a1c67ed462..0000000000
Binary files a/doc/old/manual/img2.gif and /dev/null differ
diff --git a/doc/old/manual/img20.gif b/doc/old/manual/img20.gif
deleted file mode 100644
index 8f14da3376..0000000000
Binary files a/doc/old/manual/img20.gif and /dev/null differ
diff --git a/doc/old/manual/img21.gif b/doc/old/manual/img21.gif
deleted file mode 100644
index 0351618325..0000000000
Binary files a/doc/old/manual/img21.gif and /dev/null differ
diff --git a/doc/old/manual/img22.gif b/doc/old/manual/img22.gif
deleted file mode 100644
index bbd0b4f8a8..0000000000
Binary files a/doc/old/manual/img22.gif and /dev/null differ
diff --git a/doc/old/manual/img23.gif b/doc/old/manual/img23.gif
deleted file mode 100644
index 280d924c1c..0000000000
Binary files a/doc/old/manual/img23.gif and /dev/null differ
diff --git a/doc/old/manual/img24.gif b/doc/old/manual/img24.gif
deleted file mode 100644
index 7f4e0e7f12..0000000000
Binary files a/doc/old/manual/img24.gif and /dev/null differ
diff --git a/doc/old/manual/img25.gif b/doc/old/manual/img25.gif
deleted file mode 100644
index 8aa47363f5..0000000000
Binary files a/doc/old/manual/img25.gif and /dev/null differ
diff --git a/doc/old/manual/img26.gif b/doc/old/manual/img26.gif
deleted file mode 100644
index f1941a65d2..0000000000
Binary files a/doc/old/manual/img26.gif and /dev/null differ
diff --git a/doc/old/manual/img27.gif b/doc/old/manual/img27.gif
deleted file mode 100644
index b419999213..0000000000
Binary files a/doc/old/manual/img27.gif and /dev/null differ
diff --git a/doc/old/manual/img28.gif b/doc/old/manual/img28.gif
deleted file mode 100644
index 3212cf87f0..0000000000
Binary files a/doc/old/manual/img28.gif and /dev/null differ
diff --git a/doc/old/manual/img29.gif b/doc/old/manual/img29.gif
deleted file mode 100644
index 48c80016d5..0000000000
Binary files a/doc/old/manual/img29.gif and /dev/null differ
diff --git a/doc/old/manual/img3.gif b/doc/old/manual/img3.gif
deleted file mode 100644
index e620bb6822..0000000000
Binary files a/doc/old/manual/img3.gif and /dev/null differ
diff --git a/doc/old/manual/img30.gif b/doc/old/manual/img30.gif
deleted file mode 100644
index 33713b6a16..0000000000
Binary files a/doc/old/manual/img30.gif and /dev/null differ
diff --git a/doc/old/manual/img31.gif b/doc/old/manual/img31.gif
deleted file mode 100644
index 943f8a10bc..0000000000
Binary files a/doc/old/manual/img31.gif and /dev/null differ
diff --git a/doc/old/manual/img32.gif b/doc/old/manual/img32.gif
deleted file mode 100644
index 3b2228a5b3..0000000000
Binary files a/doc/old/manual/img32.gif and /dev/null differ
diff --git a/doc/old/manual/img33.gif b/doc/old/manual/img33.gif
deleted file mode 100644
index a6d458dd59..0000000000
Binary files a/doc/old/manual/img33.gif and /dev/null differ
diff --git a/doc/old/manual/img34.gif b/doc/old/manual/img34.gif
deleted file mode 100644
index 8d1959f6f7..0000000000
Binary files a/doc/old/manual/img34.gif and /dev/null differ
diff --git a/doc/old/manual/img35.gif b/doc/old/manual/img35.gif
deleted file mode 100644
index ab7db612f9..0000000000
Binary files a/doc/old/manual/img35.gif and /dev/null differ
diff --git a/doc/old/manual/img36.gif b/doc/old/manual/img36.gif
deleted file mode 100644
index a44fb49895..0000000000
Binary files a/doc/old/manual/img36.gif and /dev/null differ
diff --git a/doc/old/manual/img37.gif b/doc/old/manual/img37.gif
deleted file mode 100644
index bb04e6c790..0000000000
Binary files a/doc/old/manual/img37.gif and /dev/null differ
diff --git a/doc/old/manual/img38.gif b/doc/old/manual/img38.gif
deleted file mode 100644
index 802eb22a71..0000000000
Binary files a/doc/old/manual/img38.gif and /dev/null differ
diff --git a/doc/old/manual/img39.gif b/doc/old/manual/img39.gif
deleted file mode 100644
index 490e8c748c..0000000000
Binary files a/doc/old/manual/img39.gif and /dev/null differ
diff --git a/doc/old/manual/img4.gif b/doc/old/manual/img4.gif
deleted file mode 100644
index dfd4c3db1f..0000000000
Binary files a/doc/old/manual/img4.gif and /dev/null differ
diff --git a/doc/old/manual/img40.gif b/doc/old/manual/img40.gif
deleted file mode 100644
index b077d4b603..0000000000
Binary files a/doc/old/manual/img40.gif and /dev/null differ
diff --git a/doc/old/manual/img41.gif b/doc/old/manual/img41.gif
deleted file mode 100644
index 5e8e4cd56a..0000000000
Binary files a/doc/old/manual/img41.gif and /dev/null differ
diff --git a/doc/old/manual/img42.gif b/doc/old/manual/img42.gif
deleted file mode 100644
index 2460bbcbc6..0000000000
Binary files a/doc/old/manual/img42.gif and /dev/null differ
diff --git a/doc/old/manual/img43.gif b/doc/old/manual/img43.gif
deleted file mode 100644
index 9600430261..0000000000
Binary files a/doc/old/manual/img43.gif and /dev/null differ
diff --git a/doc/old/manual/img44.gif b/doc/old/manual/img44.gif
deleted file mode 100644
index 5a976f9f3f..0000000000
Binary files a/doc/old/manual/img44.gif and /dev/null differ
diff --git a/doc/old/manual/img45.gif b/doc/old/manual/img45.gif
deleted file mode 100644
index 1473999c89..0000000000
Binary files a/doc/old/manual/img45.gif and /dev/null differ
diff --git a/doc/old/manual/img46.gif b/doc/old/manual/img46.gif
deleted file mode 100644
index 11d39cbe0c..0000000000
Binary files a/doc/old/manual/img46.gif and /dev/null differ
diff --git a/doc/old/manual/img47.gif b/doc/old/manual/img47.gif
deleted file mode 100644
index 689f2bfe53..0000000000
Binary files a/doc/old/manual/img47.gif and /dev/null differ
diff --git a/doc/old/manual/img48.gif b/doc/old/manual/img48.gif
deleted file mode 100644
index 15317ea977..0000000000
Binary files a/doc/old/manual/img48.gif and /dev/null differ
diff --git a/doc/old/manual/img49.gif b/doc/old/manual/img49.gif
deleted file mode 100644
index 5b41f026ae..0000000000
Binary files a/doc/old/manual/img49.gif and /dev/null differ
diff --git a/doc/old/manual/img5.gif b/doc/old/manual/img5.gif
deleted file mode 100644
index d6e4587a50..0000000000
Binary files a/doc/old/manual/img5.gif and /dev/null differ
diff --git a/doc/old/manual/img50.gif b/doc/old/manual/img50.gif
deleted file mode 100644
index 61b654af90..0000000000
Binary files a/doc/old/manual/img50.gif and /dev/null differ
diff --git a/doc/old/manual/img51.gif b/doc/old/manual/img51.gif
deleted file mode 100644
index 16e570fe0c..0000000000
Binary files a/doc/old/manual/img51.gif and /dev/null differ
diff --git a/doc/old/manual/img6.gif b/doc/old/manual/img6.gif
deleted file mode 100644
index e92fc18acd..0000000000
Binary files a/doc/old/manual/img6.gif and /dev/null differ
diff --git a/doc/old/manual/img7.gif b/doc/old/manual/img7.gif
deleted file mode 100644
index 424994a0c6..0000000000
Binary files a/doc/old/manual/img7.gif and /dev/null differ
diff --git a/doc/old/manual/img8.gif b/doc/old/manual/img8.gif
deleted file mode 100644
index 95e3b29fc0..0000000000
Binary files a/doc/old/manual/img8.gif and /dev/null differ
diff --git a/doc/old/manual/img9.gif b/doc/old/manual/img9.gif
deleted file mode 100644
index b5af385015..0000000000
Binary files a/doc/old/manual/img9.gif and /dev/null differ
diff --git a/doc/old/manual/internals.pl b/doc/old/manual/internals.pl
deleted file mode 100644
index 1e5e6add77..0000000000
--- a/doc/old/manual/internals.pl
+++ /dev/null
@@ -1,3978 +0,0 @@
-# LaTeX2HTML 2002-2 (1.70)
-# Associate internals original text with physical files.
-
-
-$key = q/process-HTTP-data-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-connection-info-version-field/;
-$ref_files{$key} = "$dir".q|node57.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/network-interfaces/;
-$ref_files{$key} = "$dir".q|node6.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/signal-handling/;
-$ref_files{$key} = "$dir".q|node36.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/stp-ratio-thresh-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/stp-idle-min-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/sigs-deps/;
-$ref_files{$key} = "$dir".q|node66.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/http-request-event/;
-$ref_files{$key} = "$dir".q|node51.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/pm-attempt-set-event/;
-$ref_files{$key} = "$dir".q|node54.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/allow-spoof-services-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-hot-cmds-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-log-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/spontaneous-FIN-weird/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/USER-env/;
-$ref_files{$key} = "$dir".q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/skip-authentication-var/;
-$ref_files{$key} = "$dir".q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/allow-services-pairs-var/;
-$ref_files{$key} = "$dir".q|node39.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/RPC-okay-nets-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/mask-addr-func/;
-$ref_files{$key} = "$dir".q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/connection-record-func/;
-$ref_files{$key} = "$dir".q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/fig:signature-state/;
-$ref_files{$key} = "$dir".q|node66.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/for-stmt/;
-$ref_files{$key} = "$dir".q|node27.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/fragment-size-inconsistency-weird/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/site-analyzer-module/;
-$ref_files{$key} = "$dir".q|node38.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/exit-func/;
-$ref_files{$key} = "$dir".q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/forbidden-id-patterns-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/bad-SYN-ack-weird/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/Land-attack-weird/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/skip-scan-nets-16-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/active-connection-reuse-weird/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/smtp-legal-cmds-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/local-stmt/;
-$ref_files{$key} = "$dir".q|node27.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-data-expected-session-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/set-record-packets-func/;
-$ref_files{$key} = "$dir".q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/forbidden-ids-var/;
-$ref_files{$key} = "$dir".q|node49.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/hot-login-func/;
-$ref_files{$key} = "$dir".q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/var-redef/;
-$ref_files{$key} = "$dir".q|node30.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/endpoint-state-field/;
-$ref_files{$key} = "$dir".q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/logical-operators/;
-$ref_files{$key} = "$dir".q|node10.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/allow-PTR-scans-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/UDP-datagram-length-mismatch-weird/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/always-hot-login-ids-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/record-index/;
-$ref_files{$key} = "$dir".q|node20.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/address-type/;
-$ref_files{$key} = "$dir".q|node17.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/connection-attempt-event/;
-$ref_files{$key} = "$dir".q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/RST-storm-weird/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/NULs-allowed-in-strings/;
-$ref_files{$key} = "$dir".q|node13.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/cross-product-init/;
-$ref_files{$key} = "$dir".q|node20.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/analyzer-portmapper/;
-$ref_files{$key} = "$dir".q|node54.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/tcp-SYN-ack-ok-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/remote-code-red-response-pgm-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-max-keystroke-pkt-size-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-standard-ports-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/pm-request-func/;
-$ref_files{$key} = "$dir".q|node54.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/login-analyzer-module/;
-$ref_files{$key} = "$dir".q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/relay-log-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/connection-partial-close-event/;
-$ref_files{$key} = "$dir".q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/skip-remote-sensitive-URIs-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/fig:ssl-log/;
-$ref_files{$key} = "$dir".q|node57.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/debugger-overview/;
-$ref_files{$key} = "$dir".q|node69.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/RPC-do-not-complain-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/print-filter-analyzer-module/;
-$ref_files{$key} = "$dir".q|node35.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/debugger/;
-$ref_files{$key} = "$dir".q|node68.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/debugger-example/;
-$ref_files{$key} = "$dir".q|node70.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/get-resp-seq-func/;
-$ref_files{$key} = "$dir".q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/return-stmt/;
-$ref_files{$key} = "$dir".q|node27.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/num-distinct-ports-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/add-interface-func/;
-$ref_files{$key} = "$dir".q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/scan-analyzer-module/;
-$ref_files{$key} = "$dir".q|node40.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/module-hot-ids/;
-$ref_files{$key} = "$dir".q|node49.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/bad-TCP-checksum-weird/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/partial-finger-request-weird/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/temporal-types/;
-$ref_files{$key} = "$dir".q|node15.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/active-conn-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ignore-checksums-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/dns-mapping-addrs-field/;
-$ref_files{$key} = "$dir".q|node46.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/allow-service-pairs-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/udp-did-summary-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/neighbor-nets-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ack-above-hole-event/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/determine-service-func/;
-$ref_files{$key} = "$dir".q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/did-sigconns-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/record-decl/;
-$ref_files{$key} = "$dir".q|node19.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/bad-RPC-program-weird/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/relational-expr/;
-$ref_files{$key} = "$dir".q|node28.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/connection-finished-event/;
-$ref_files{$key} = "$dir".q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/max-count-func/;
-$ref_files{$key} = "$dir".q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/dns-analyzer-module/;
-$ref_files{$key} = "$dir".q|node46.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-guest-ids-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/connection-type/;
-$ref_files{$key} = "$dir".q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/module-frag/;
-$ref_files{$key} = "$dir".q|node48.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/have-skip-remote-sensitive-URIs-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/SYN-after-partial-weird/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/num-distinct-peers-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/backdoor-min-normal-line-ratio-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/log-stmt/;
-$ref_files{$key} = "$dir".q|node27.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/backdoor-stat-backoff-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-log/;
-$ref_files{$key} = "$dir".q|node50.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/full-input-trouble-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/hot-telnet-orig-ports-var/;
-$ref_files{$key} = "$dir".q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-hot-guest-files-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/check-relay-4-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/debugger-reference/;
-$ref_files{$key} = "$dir".q|node73.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/rlogin-conns-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/bad-ident-request-weird/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/sigs-content/;
-$ref_files{$key} = "$dir".q|node66.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/to-lower-func/;
-$ref_files{$key} = "$dir".q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/finger-request-event/;
-$ref_files{$key} = "$dir".q|node47.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/partial-ident-request-weird/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/RPC-okay-var/;
-$ref_files{$key} = "$dir".q|node54.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/mixing-numerics/;
-$ref_files{$key} = "$dir".q|node11.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/net-weird-event/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/analyzers/;
-$ref_files{$key} = "$dir".q|node34.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/weird-do-not-ignore-repeats-var/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/rule-file-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/interfaces-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/connection-established-event/;
-$ref_files{$key} = "$dir".q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/blank-in-HTTP-request-weird/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/tcp-session-timer-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/cite_tls-56/;
-$ref_files{$key} = "$dir".q|node106.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/_-library/;
-$ref_files{$key} = "$dir".q|node6.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/open-for-append-func/;
-$ref_files{$key} = "$dir".q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/skip-scan-nets-24-var/;
-$ref_files{$key} = "$dir".q|node40.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/attrs/;
-$ref_files{$key} = "$dir".q|node30.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/code-red-log-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/partial-connection/;
-$ref_files{$key} = "$dir".q|node86.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/input-trouble-var/;
-$ref_files{$key} = "$dir".q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/backdoor-analyzer-module/;
-$ref_files{$key} = "$dir".q|node62.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/horiz-scan-thresholds-var/;
-$ref_files{$key} = "$dir".q|node56.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/logical-negation/;
-$ref_files{$key} = "$dir".q|node10.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/dns-interesting-changes-var/;
-$ref_files{$key} = "$dir".q|node46.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/constant-expr/;
-$ref_files{$key} = "$dir".q|node28.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/hot-terminal-types-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/red-log/;
-$ref_files{$key} = "$dir".q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/router-prompts-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/NFS-world-servers-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/sigs-snort2bro/;
-$ref_files{$key} = "$dir".q|node67.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/module-mt/;
-$ref_files{$key} = "$dir".q|node42.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/cite_RFC-NFS2/;
-$ref_files{$key} = "$dir".q|node106.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/cite_RFC-NFS3/;
-$ref_files{$key} = "$dir".q|node106.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/RPC-dump-okay-var/;
-$ref_files{$key} = "$dir".q|node54.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/bad-UDP-checksum-weird/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/equality-expr/;
-$ref_files{$key} = "$dir".q|node28.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/net-constants/;
-$ref_files{$key} = "$dir".q|node18.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/SYN-seq-jump-weird/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/partial-connection-ok-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/non-backdoor-prompts-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/weird-analyzer-module/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-min-bytes-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/backdoor-log-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/rewrite-finger-trace-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/null-stmt/;
-$ref_files{$key} = "$dir".q|node27.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/restrict-filter-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/scan-dropping/;
-$ref_files{$key} = "$dir".q|node84.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/is-forbidden-id-func/;
-$ref_files{$key} = "$dir".q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/skip-further-processing-func/;
-$ref_files{$key} = "$dir".q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/max-request-length-var/;
-$ref_files{$key} = "$dir".q|node47.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/pm-bad-port-event/;
-$ref_files{$key} = "$dir".q|node54.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-connection-info-id-field/;
-$ref_files{$key} = "$dir".q|node57.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/dns-mapping-name-changed-event/;
-$ref_files{$key} = "$dir".q|node46.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/net-type/;
-$ref_files{$key} = "$dir".q|node18.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/num-dns-sessions-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/arithmetic-expr/;
-$ref_files{$key} = "$dir".q|node28.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-conn-alert-event/;
-$ref_files{$key} = "$dir".q|node57.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/field-test-op/;
-$ref_files{$key} = "$dir".q|node28.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/gtld-servers-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/sensitive-URIs-var/;
-$ref_files{$key} = "$dir".q|node51.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/pm-request-getport-event/;
-$ref_files{$key} = "$dir".q|node54.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/sigs-overview/;
-$ref_files{$key} = "$dir".q|node65.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/address-constants/;
-$ref_files{$key} = "$dir".q|node17.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/hot-ssh-orig-ports-var/;
-$ref_files{$key} = "$dir".q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/hot-conns-reported-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/packet-drops/;
-$ref_files{$key} = "$dir".q|node87.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/connection-half-finished-event/;
-$ref_files{$key} = "$dir".q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/http-log-file/;
-$ref_files{$key} = "$dir".q|node51.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/flag-successful-service-var/;
-$ref_files{$key} = "$dir".q|node39.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/flag-successful-inbound-service-var/;
-$ref_files{$key} = "$dir".q|node39.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/temporal-constants/;
-$ref_files{$key} = "$dir".q|node15.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/heartbeat-interval-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/distinct-answered-PTR-requests-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/restrict-filter/;
-$ref_files{$key} = "$dir".q|node35.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/last-stat-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/login-confused/;
-$ref_files{$key} = "$dir".q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/internally-truncated-header-weird/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-stat-backoff-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/byte-len-func/;
-$ref_files{$key} = "$dir".q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/conn-stats-event/;
-$ref_files{$key} = "$dir".q|node55.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/cite_ssl-aes/;
-$ref_files{$key} = "$dir".q|node106.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/skip-scan-sources-var/;
-$ref_files{$key} = "$dir".q|node40.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/bad-ICMP-checksum-weird/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/baroque-SYN-weird/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/tcp-connection-linger-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-request-event/;
-$ref_files{$key} = "$dir".q|node50.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/unsolicited-SYN-response-weird/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/set-login-state-func/;
-$ref_files{$key} = "$dir".q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/rewriting-http-trace-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/pm-request-dump-event/;
-$ref_files{$key} = "$dir".q|node54.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/event-handlers/;
-$ref_files{$key} = "$dir".q|node24.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/authentication-accepted-event/;
-$ref_files{$key} = "$dir".q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/frag-analyzer-module/;
-$ref_files{$key} = "$dir".q|node48.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/http-log/;
-$ref_files{$key} = "$dir".q|node51.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/edited-input-trouble-var/;
-$ref_files{$key} = "$dir".q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/inappropriate-FIN-weird/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/string-constants/;
-$ref_files{$key} = "$dir".q|node13.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/sub-bytes-func/;
-$ref_files{$key} = "$dir".q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/non-ASCII-hosts-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-connection-info-handshake-cipher-field/;
-$ref_files{$key} = "$dir".q|node57.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/tbl:portmapper/;
-$ref_files{$key} = "$dir".q|node54.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/report-accounts-tried-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/hot-login-ids-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/root-servers-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/udp-req-count-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/patterns/;
-$ref_files{$key} = "$dir".q|node14.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/distinct-ports-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/FIN-storm-weird/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/analyzer-icmp/;
-$ref_files{$key} = "$dir".q|node59.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/NFS-world-servers-var/;
-$ref_files{$key} = "$dir".q|node54.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/table-del/;
-$ref_files{$key} = "$dir".q|node20.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/reading-live-traffic-func/;
-$ref_files{$key} = "$dir".q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/set-contents-file-func/;
-$ref_files{$key} = "$dir".q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/check-relay-3-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/id-string-func/;
-$ref_files{$key} = "$dir".q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/fig:net-stats/;
-$ref_files{$key} = "$dir".q|node36.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/weird-action-var/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/clean-func/;
-$ref_files{$key} = "$dir".q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/conn-weird-event/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/neighbor-marker/;
-$ref_files{$key} = "$dir".q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/T-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/possible-port-scan-thresh-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/backdoor-prompts-var/;
-$ref_files{$key} = "$dir".q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/cite_rfc-pop3/;
-$ref_files{$key} = "$dir".q|node106.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/login-sessions-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/module-port-name/;
-$ref_files{$key} = "$dir".q|node41.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/write-expire-attr/;
-$ref_files{$key} = "$dir".q|node20.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/always-hot-ids-var/;
-$ref_files{$key} = "$dir".q|node49.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/hot-dst-24nets-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/login-prompts-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/dns-mapping-altered-event/;
-$ref_files{$key} = "$dir".q|node46.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/RPC-rexmit-inconsistency-weird/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/timer-management/;
-$ref_files{$key} = "$dir".q|node81.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/var-init/;
-$ref_files{$key} = "$dir".q|node30.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/event-stmt/;
-$ref_files{$key} = "$dir".q|node27.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/dns-cache/;
-$ref_files{$key} = "$dir".q|node46.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/distinct-rejected-PTR-requests-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/active-conn-var/;
-$ref_files{$key} = "$dir".q|node44.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/kazaa-sig-disabled-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/distinct-peers-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/anonymous_function-expr/;
-$ref_files{$key} = "$dir".q|node28.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/analyzer-filters/;
-$ref_files{$key} = "$dir".q|node35.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/possible-port-scan-thresh-var/;
-$ref_files{$key} = "$dir".q|node40.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/demux-analyzer-module/;
-$ref_files{$key} = "$dir".q|node45.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/module-log/;
-$ref_files{$key} = "$dir".q|node43.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/truncated-header-weird/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/code-red-list2-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/conn-id/;
-$ref_files{$key} = "$dir".q|node19.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-min-normal-line-ratio-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/capture-filter-var/;
-$ref_files{$key} = "$dir".q|node35.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/module-ssh-stepping/;
-$ref_files{$key} = "$dir".q|node61.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-conn-established-event/;
-$ref_files{$key} = "$dir".q|node57.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/check-spoof-func/;
-$ref_files{$key} = "$dir".q|node39.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/active-file-func/;
-$ref_files{$key} = "$dir".q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/hot-ids-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/record_constructor-expr/;
-$ref_files{$key} = "$dir".q|node28.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-conn-attempt-event/;
-$ref_files{$key} = "$dir".q|node57.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/module-active/;
-$ref_files{$key} = "$dir".q|node44.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/possible-scan-sources-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-max-interarrival-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-verify-certificates-var/;
-$ref_files{$key} = "$dir".q|node57.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/router-prompts-var/;
-$ref_files{$key} = "$dir".q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/addl-web-var/;
-$ref_files{$key} = "$dir".q|node40.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/account-tried-event/;
-$ref_files{$key} = "$dir".q|node40.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/portmapper-analyzer-module/;
-$ref_files{$key} = "$dir".q|node54.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/hot-ids-var/;
-$ref_files{$key} = "$dir".q|node49.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/port-names-var/;
-$ref_files{$key} = "$dir".q|node41.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/bro-log-file-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/report-weird-orig-func/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/stp-demux-disabled-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/fmt-func/;
-$ref_files{$key} = "$dir".q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/dns-sessions-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/predefineds-string/;
-$ref_files{$key} = "$dir".q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-min-gamma-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/login-failure-msgs-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/skip-clear-ssh-reports-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/SYN-with-data-weird/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/same-local-net-is-spoof-var/;
-$ref_files{$key} = "$dir".q|node39.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/check-scan-func/;
-$ref_files{$key} = "$dir".q|node40.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/login-failure-event/;
-$ref_files{$key} = "$dir".q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/inconsistent-option-event/;
-$ref_files{$key} = "$dir".q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/fragment-inconsistency-weird/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/rlogin-sig-disabled-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/data-before-established-weird/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/inserting-tables-into-tables/;
-$ref_files{$key} = "$dir".q|node90.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-stat-period-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/variable-expr/;
-$ref_files{$key} = "$dir".q|node28.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/fig:http-log-eg/;
-$ref_files{$key} = "$dir".q|node51.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/dns-mapping-unverified-event/;
-$ref_files{$key} = "$dir".q|node46.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/detected-stones-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/cite_RFC1122/;
-$ref_files{$key} = "$dir".q|node106.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/if-stmt/;
-$ref_files{$key} = "$dir".q|node27.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/tag-to-conn-map-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/refinement/;
-$ref_files{$key} = "$dir".q|node79.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/gnutella-sig-disabled-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/napster-sig-disabled-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/tcp-analyzer-module/;
-$ref_files{$key} = "$dir".q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-compare-cipherspecs-var/;
-$ref_files{$key} = "$dir".q|node57.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/functions/;
-$ref_files{$key} = "$dir".q|node23.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/conn-functions/;
-$ref_files{$key} = "$dir".q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/cite_tlsv1/;
-$ref_files{$key} = "$dir".q|node106.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/backdoor-demux-skip-tags-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/cite_rfc-ident/;
-$ref_files{$key} = "$dir".q|node106.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/connection-rejected-event/;
-$ref_files{$key} = "$dir".q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/bad-rlogin-prolog-weird/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/discarder-check-ip-func/;
-$ref_files{$key} = "$dir".q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/pm-attempt-null-event/;
-$ref_files{$key} = "$dir".q|node54.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-store-certificates-var/;
-$ref_files{$key} = "$dir".q|node57.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/cite_pcap/;
-$ref_files{$key} = "$dir".q|node106.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-log-file/;
-$ref_files{$key} = "$dir".q|node50.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/non-backdoor-prompts-var/;
-$ref_files{$key} = "$dir".q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/backdoor-ignore-src-addrs-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-store-cert-path-var/;
-$ref_files{$key} = "$dir".q|node57.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/repeated-SYN-with-ack-weird/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/tbl:conn-file-states/;
-$ref_files{$key} = "$dir".q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/mt-analyzer-module/;
-$ref_files{$key} = "$dir".q|node42.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/dns-mapping-valid-field/;
-$ref_files{$key} = "$dir".q|node46.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/login-confused-text-event/;
-$ref_files{$key} = "$dir".q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/variables/;
-$ref_files{$key} = "$dir".q|node29.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/net-done-event/;
-$ref_files{$key} = "$dir".q|node36.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/type-conversion/;
-$ref_files{$key} = "$dir".q|node9.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/login-non-failure-msgs-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/check-hot-func/;
-$ref_files{$key} = "$dir".q|node39.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/dns-mapping-new-name-event/;
-$ref_files{$key} = "$dir".q|node46.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-sig-disabled-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/dns-mapping-lost-name-event/;
-$ref_files{$key} = "$dir".q|node46.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/tcp-match-undelivered-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/num-backscatter-peers-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/software-table-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/cf-utility/;
-$ref_files{$key} = "$dir".q|node7.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/simultaneous-open-weird/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/discarder-check-tcp-func/;
-$ref_files{$key} = "$dir".q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/demuxed-conn-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/skip-accounts-tried-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/excessive-line-event/;
-$ref_files{$key} = "$dir".q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-min-interarrival-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/smtp-sensitive-cmds-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/backdoor-min-7bit-ascii-ratio-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/udp-rep-count-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/flush-all-func/;
-$ref_files{$key} = "$dir".q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/fig:log-hook/;
-$ref_files{$key} = "$dir".q|node43.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/tcp-storm-thresh-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/split-routing/;
-$ref_files{$key} = "$dir".q|node83.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/flag-successful-inbound-service-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/analyzer-stepping/;
-$ref_files{$key} = "$dir".q|node60.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/table-attr/;
-$ref_files{$key} = "$dir".q|node20.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-ssh-len-disabled-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/analyzer-activation/;
-$ref_files{$key} = "$dir".q|node35.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/expression-stmt/;
-$ref_files{$key} = "$dir".q|node27.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/SYN-after-close-weird/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/code-red-list1-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/local-24-nets-var/;
-$ref_files{$key} = "$dir".q|node38.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/edit-func/;
-$ref_files{$key} = "$dir".q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/in-operator/;
-$ref_files{$key} = "$dir".q|node28.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/smtp-relay-table-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/pm-request-callit-event/;
-$ref_files{$key} = "$dir".q|node54.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/output-trouble-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/contains-string-func/;
-$ref_files{$key} = "$dir".q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/multiple-RPCs-weird/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/membership-expr/;
-$ref_files{$key} = "$dir".q|node28.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/http-abstract-max-length-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/suppress-scan-checks-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/fragment-protocol-inconsistency-weird/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/todo/;
-$ref_files{$key} = "$dir".q|node74.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/allow-services-to-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/non-ASCII-hosts-var/;
-$ref_files{$key} = "$dir".q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ssh-len-conns-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/done-with-network-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-session-info-num-requests-field/;
-$ref_files{$key} = "$dir".q|node50.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/arith-operators/;
-$ref_files{$key} = "$dir".q|node11.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/num-scan-triples-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/last-stat-time-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/NFS-services-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/record-connection-func/;
-$ref_files{$key} = "$dir".q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/backdoor-prompts-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/trace-log/;
-$ref_files{$key} = "$dir".q|node76.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/has-signature-matched-func/;
-$ref_files{$key} = "$dir".q|node56.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/service-name-func/;
-$ref_files{$key} = "$dir".q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/skip-scan-nets-24-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/var-scope/;
-$ref_files{$key} = "$dir".q|node30.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/fig:ftp-log-eg/;
-$ref_files{$key} = "$dir".q|node50.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/distinct-PTR-requests-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/http-log-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/signature-analyzer-module/;
-$ref_files{$key} = "$dir".q|node56.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/okay-to-lookup-sensitive-hosts-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/weird-log-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/sensitive-lookup-hosts-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/getting-started/;
-$ref_files{$key} = "$dir".q|node5.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/weird-action-filters-var/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/statements/;
-$ref_files{$key} = "$dir".q|node26.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/record-constructors/;
-$ref_files{$key} = "$dir".q|node28.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/BRO-ID-env/;
-$ref_files{$key} = "$dir".q|node43.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/always-hot-ids-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/weird-do-not-ignore-repeats-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/icmp-flows-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/max-interval-func/;
-$ref_files{$key} = "$dir".q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/conn-events/;
-$ref_files{$key} = "$dir".q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/http-analyzer-module/;
-$ref_files{$key} = "$dir".q|node51.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/check-info-expanded-line-field/;
-$ref_files{$key} = "$dir".q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/analyzer-analy/;
-$ref_files{$key} = "$dir".q|node55.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/have-stats-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/var-mod/;
-$ref_files{$key} = "$dir".q|node30.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/suppress-pm-log-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/last-type/;
-$ref_files{$key} = "$dir".q|node25.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/weird-log/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/hf-utility/;
-$ref_files{$key} = "$dir".q|node7.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/is-hot-id-func/;
-$ref_files{$key} = "$dir".q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/dns-log-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/edit-and-check-line-func/;
-$ref_files{$key} = "$dir".q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/data-after-reset-weird/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/spontaneous-RST-weird/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/sensitive-post-URIs-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/worm-log-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/policy-script-events/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/connection-service-field/;
-$ref_files{$key} = "$dir".q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/RPC-okay-services-var/;
-$ref_files{$key} = "$dir".q|node54.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-min-alpha-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/repeated-SYN-reply-wo-ack-weird/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/hot-dsts-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/skip-scan-sources-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/sigs-context/;
-$ref_files{$key} = "$dir".q|node66.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/hot-src-24nets-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/pm-request-unset-event/;
-$ref_files{$key} = "$dir".q|node54.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/software-ident-by-major-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/bro-log-file-var/;
-$ref_files{$key} = "$dir".q|node43.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/udp-reply-event/;
-$ref_files{$key} = "$dir".q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/x509-trusted-cert-path-var/;
-$ref_files{$key} = "$dir".q|node57.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/never-shut-down-var/;
-$ref_files{$key} = "$dir".q|node40.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ident-request-event/;
-$ref_files{$key} = "$dir".q|node52.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/BROPATH-env/;
-$ref_files{$key} = "$dir".q|node6.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/full-id-string-func/;
-$ref_files{$key} = "$dir".q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/neighbor-16-nets-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/port-name-analyzer-module/;
-$ref_files{$key} = "$dir".q|node41.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/module-dns/;
-$ref_files{$key} = "$dir".q|node46.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/hot-dsts-var/;
-$ref_files{$key} = "$dir".q|node39.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/bad-pm-port-weird/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/shut-down-all-scans-var/;
-$ref_files{$key} = "$dir".q|node40.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/sigs-language/;
-$ref_files{$key} = "$dir".q|node66.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/bibliography/;
-$ref_files{$key} = "$dir".q|node105.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/neighbor-addresses/;
-$ref_files{$key} = "$dir".q|node38.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/NFS-services-var/;
-$ref_files{$key} = "$dir".q|node54.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/local-mail-addr-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/udp-analyzer-module/;
-$ref_files{$key} = "$dir".q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/http-proxy-sig-disabled-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/bad-HTTP-reply-weird/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/debugger-notes/;
-$ref_files{$key} = "$dir".q|node72.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/have-FTP-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/first-type/;
-$ref_files{$key} = "$dir".q|node10.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/delete-func-attr/;
-$ref_files{$key} = "$dir".q|node30.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/did-ssh-version-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-min-num-lines-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/worm-list-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/local-16-nets-var/;
-$ref_files{$key} = "$dir".q|node38.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/tcp-storm-interarrival-thresh-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/shallow-copy/;
-$ref_files{$key} = "$dir".q|node19.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/skip-logins-to-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/site-info/;
-$ref_files{$key} = "$dir".q|node38.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/any-RPC-okay-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/parse-ftp-port-func/;
-$ref_files{$key} = "$dir".q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/positivation-expr/;
-$ref_files{$key} = "$dir".q|node28.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/cite_rfc-ftp/;
-$ref_files{$key} = "$dir".q|node106.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/mime-log-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/stp-scale-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/report-weird-func/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/hostnames-vs-addresses/;
-$ref_files{$key} = "$dir".q|node93.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/pattern-matching-ops/;
-$ref_files{$key} = "$dir".q|node14.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/SYN-inside-connection-weird/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/anonymize-ip-addr-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/conn-weird-addl-event/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/forbidden-ids-if-no-password-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/pm-check-getport-func/;
-$ref_files{$key} = "$dir".q|node54.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/TCP-christmas-weird/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/tcp-attempt-delayv-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/analyzer-ident/;
-$ref_files{$key} = "$dir".q|node52.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/conn-analyzer-module/;
-$ref_files{$key} = "$dir".q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/bad-option-event/;
-$ref_files{$key} = "$dir".q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/cite_rfc-rpc/;
-$ref_files{$key} = "$dir".q|node106.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/scan-triples-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/analy-conn/;
-$ref_files{$key} = "$dir".q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/demux-conn-func/;
-$ref_files{$key} = "$dir".q|node45.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/udp-conn/;
-$ref_files{$key} = "$dir".q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/non-analyzed-lifetime-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/always-hot-login-ids-var/;
-$ref_files{$key} = "$dir".q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/cite_bro-usenix-98/;
-$ref_files{$key} = "$dir".q|node106.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/suppress-pm-log-var/;
-$ref_files{$key} = "$dir".q|node54.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ssh-sig-disabled-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/intro/;
-$ref_files{$key} = "$dir".q|node4.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/pm-request-set-event/;
-$ref_files{$key} = "$dir".q|node54.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/tbl:login-confusion/;
-$ref_files{$key} = "$dir".q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/display-pairs-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/cite_sslv30/;
-$ref_files{$key} = "$dir".q|node106.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ssh-min-ssh-pkts-ratio-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/SYN-after-reset-weird/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/skip-unexpected-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/cite_bro-comp-networks-99/;
-$ref_files{$key} = "$dir".q|node106.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-session-info-log-if-not-unavail-field/;
-$ref_files{$key} = "$dir".q|node50.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-session-info-request-field/;
-$ref_files{$key} = "$dir".q|node50.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/open-log-file-func/;
-$ref_files{$key} = "$dir".q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/fragment-with-DF-weird/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/report-peer-scan-var/;
-$ref_files{$key} = "$dir".q|node40.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/bro-done-event/;
-$ref_files{$key} = "$dir".q|node36.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/backdoor-min-num-lines-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/connection-originator-SYN-ack-weird/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/login-success-event/;
-$ref_files{$key} = "$dir".q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/login-terminal-event/;
-$ref_files{$key} = "$dir".q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/tables/;
-$ref_files{$key} = "$dir".q|node20.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-session-info-id-field/;
-$ref_files{$key} = "$dir".q|node50.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/allow-services-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/signatures/;
-$ref_files{$key} = "$dir".q|node64.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/telnet-sig-3byte-conns-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/default-attr/;
-$ref_files{$key} = "$dir".q|node20.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/always-hot-ids/;
-$ref_files{$key} = "$dir".q|node49.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/is-tcp-port-func/;
-$ref_files{$key} = "$dir".q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/process-HTTP-replies-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/sigs-conditions/;
-$ref_files{$key} = "$dir".q|node66.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/analyzer-load/;
-$ref_files{$key} = "$dir".q|node35.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/bad-RPC-weird/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-excessive-filename-trunc-len-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/log-hot-conn-func/;
-$ref_files{$key} = "$dir".q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-guest-ids-var/;
-$ref_files{$key} = "$dir".q|node50.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/analyzer-backdoor/;
-$ref_files{$key} = "$dir".q|node62.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-hot-files-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/root-backdoor-sig-disabled-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/flow-weird-event/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/max-double-func/;
-$ref_files{$key} = "$dir".q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/alert-file-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/allow-16-net-pairs-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/terminate-connection-func/;
-$ref_files{$key} = "$dir".q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/capture-filter/;
-$ref_files{$key} = "$dir".q|node35.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/hot-dst-24nets-var/;
-$ref_files{$key} = "$dir".q|node39.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/skip-unexpected-net-var/;
-$ref_files{$key} = "$dir".q|node50.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/NULs-run-time/;
-$ref_files{$key} = "$dir".q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/reference/;
-$ref_files{$key} = "$dir".q|node73.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/RPC-server-map-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-min-ssh-pkts-ratio-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-skip-hot-var/;
-$ref_files{$key} = "$dir".q|node50.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/is-login-conn-func/;
-$ref_files{$key} = "$dir".q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/local-24-nets-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/analyzer-ftp/;
-$ref_files{$key} = "$dir".q|node50.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/tbl:sigs-modactions/;
-$ref_files{$key} = "$dir".q|node56.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/forbidden-id-patterns-var/;
-$ref_files{$key} = "$dir".q|node49.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/backdoor-min-bytes-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-store-key-material-var/;
-$ref_files{$key} = "$dir".q|node57.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/break-stmt/;
-$ref_files{$key} = "$dir".q|node27.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/parenthesized-expr/;
-$ref_files{$key} = "$dir".q|node28.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/alert-action-filters-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-conn-server-reply-event/;
-$ref_files{$key} = "$dir".q|node57.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/global-stmts/;
-$ref_files{$key} = "$dir".q|node89.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/conn-id-orig-h-field/;
-$ref_files{$key} = "$dir".q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/network-time-func/;
-$ref_files{$key} = "$dir".q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/dns-session-timeout-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/mkdir-func/;
-$ref_files{$key} = "$dir".q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/analyzer-login/;
-$ref_files{$key} = "$dir".q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/bad-option-termination-event/;
-$ref_files{$key} = "$dir".q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/decrement-expr/;
-$ref_files{$key} = "$dir".q|node28.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/weird-ignore-host-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-connection-info-connection-id-field/;
-$ref_files{$key} = "$dir".q|node57.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-max-cipherspec-size-var/;
-$ref_files{$key} = "$dir".q|node57.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/min-interval-func/;
-$ref_files{$key} = "$dir".q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/set-type/;
-$ref_files{$key} = "$dir".q|node21.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/cite_ssl-fips/;
-$ref_files{$key} = "$dir".q|node106.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/preserved-net-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/backdoor-demux-disabled-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/dns-mapping-valid-event/;
-$ref_files{$key} = "$dir".q|node46.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/sensitive-post-URIs-var/;
-$ref_files{$key} = "$dir".q|node51.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/login-prompts-var/;
-$ref_files{$key} = "$dir".q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/read-expire-attr/;
-$ref_files{$key} = "$dir".q|node20.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/skip-unexpected-var/;
-$ref_files{$key} = "$dir".q|node50.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-min-num-pkts-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/differences/;
-$ref_files{$key} = "$dir".q|node100.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/cite_rfc-telnet/;
-$ref_files{$key} = "$dir".q|node106.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/analyzer-hot/;
-$ref_files{$key} = "$dir".q|node39.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/smtp-sessions-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/rlogin-sig-1byte-disabled-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/log-analyzer-module/;
-$ref_files{$key} = "$dir".q|node43.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/port-constants/;
-$ref_files{$key} = "$dir".q|node16.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/output-trouble-var/;
-$ref_files{$key} = "$dir".q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/RPC-okay-nets-var/;
-$ref_files{$key} = "$dir".q|node54.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/keystroke-editing/;
-$ref_files{$key} = "$dir".q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/hot-names-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/neighbor-nets-var/;
-$ref_files{$key} = "$dir".q|node38.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/rpc-programs-var/;
-$ref_files{$key} = "$dir".q|node54.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/rpc-prog-func/;
-$ref_files{$key} = "$dir".q|node54.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/local-16-nets-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/max-timer-expires-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/http-sessions-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/tbl:endpoint-stats/;
-$ref_files{$key} = "$dir".q|node55.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/pattern-constants/;
-$ref_files{$key} = "$dir".q|node14.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/allow-16-net-pairs-var/;
-$ref_files{$key} = "$dir".q|node39.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/login-output-line-event/;
-$ref_files{$key} = "$dir".q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/vert-scan-thresholds-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/port-ops/;
-$ref_files{$key} = "$dir".q|node16.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/hot-analyzer-module/;
-$ref_files{$key} = "$dir".q|node39.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/numeric-constants/;
-$ref_files{$key} = "$dir".q|node11.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/endpoint-size-field/;
-$ref_files{$key} = "$dir".q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/active-analyzer-module/;
-$ref_files{$key} = "$dir".q|node44.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/excessively-large-fragment-weird/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/local-nets-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/assignment-expr/;
-$ref_files{$key} = "$dir".q|node28.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/pm-attempt-unset-event/;
-$ref_files{$key} = "$dir".q|node54.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/bad-IP-checksum-weird/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/smtp-hot-cmds-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/multiple-HTTP-request-elements-weird/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/worm-URIs-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/telnet-sig-conns-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-log-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/dns-mapping-creation-time-field/;
-$ref_files{$key} = "$dir".q|node46.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/icmp-analyzer-module/;
-$ref_files{$key} = "$dir".q|node59.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/negation-expr/;
-$ref_files{$key} = "$dir".q|node28.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/FIN-after-reset-weird/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/report-backscatter-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/var-type/;
-$ref_files{$key} = "$dir".q|node30.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/backdoor-annotate-standard-ports-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/cite_ptacek98/;
-$ref_files{$key} = "$dir".q|node106.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/system-func/;
-$ref_files{$key} = "$dir".q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/length-func/;
-$ref_files{$key} = "$dir".q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/inactivity-timeout-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/fig:ftp-session-info/;
-$ref_files{$key} = "$dir".q|node50.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/demux/;
-$ref_files{$key} = "$dir".q|node91.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/weird-action-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/icmp-conn/;
-$ref_files{$key} = "$dir".q|node59.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/include-HTTP-abstract-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/cite_bpf/;
-$ref_files{$key} = "$dir".q|node106.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/bro-proc-events/;
-$ref_files{$key} = "$dir".q|node36.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/sig-actions-var/;
-$ref_files{$key} = "$dir".q|node56.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/hot-ident-ids-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/get-orig-seq-func/;
-$ref_files{$key} = "$dir".q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/telnet-sig-3byte-disabled-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/RPC-okay-services-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/module-demux/;
-$ref_files{$key} = "$dir".q|node45.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/horiz-scan-thresholds-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/flag-rejected-service-var/;
-$ref_files{$key} = "$dir".q|node39.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-hot-guest-files-var/;
-$ref_files{$key} = "$dir".q|node50.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/address-ops/;
-$ref_files{$key} = "$dir".q|node17.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ident-analyzer-module/;
-$ref_files{$key} = "$dir".q|node52.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ident-reply-event/;
-$ref_files{$key} = "$dir".q|node52.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/num-accounts-tried-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/var-attr/;
-$ref_files{$key} = "$dir".q|node30.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/flag-successful-service-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/report-weird-conn-func/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/cite_sslv2/;
-$ref_files{$key} = "$dir".q|node106.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/tftp-alert-count-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/pm-activity-func/;
-$ref_files{$key} = "$dir".q|node54.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/bad-TCP-header-len-weird/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/skip-services-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/redef/;
-$ref_files{$key} = "$dir".q|node79.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/smtp-log-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/port-type/;
-$ref_files{$key} = "$dir".q|node16.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/pattern_matching-expr/;
-$ref_files{$key} = "$dir".q|node28.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/forbidden-ids-if-no-password-var/;
-$ref_files{$key} = "$dir".q|node49.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/redef-attr/;
-$ref_files{$key} = "$dir".q|node30.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/edit-and-check-user-func/;
-$ref_files{$key} = "$dir".q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/cat-func/;
-$ref_files{$key} = "$dir".q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/local-nets-var/;
-$ref_files{$key} = "$dir".q|node38.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/log-file-name-func/;
-$ref_files{$key} = "$dir".q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/tcp-reset-delay-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/partial-connection-event/;
-$ref_files{$key} = "$dir".q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/debugger-usage/;
-$ref_files{$key} = "$dir".q|node71.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/create-expire-attr/;
-$ref_files{$key} = "$dir".q|node20.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/add-stmt/;
-$ref_files{$key} = "$dir".q|node27.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-certificate-event/;
-$ref_files{$key} = "$dir".q|node57.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/conn-id-resp-h-field/;
-$ref_files{$key} = "$dir".q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/rule-actions-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/records/;
-$ref_files{$key} = "$dir".q|node19.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/hot-report-script/;
-$ref_files{$key} = "$dir".q|node94.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/stp-common-host-thresh-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/hot-ident-exceptions-var/;
-$ref_files{$key} = "$dir".q|node52.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/partial-ftp-request-weird/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/excessive-ntp-request-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/skip-accounts-tried-var/;
-$ref_files{$key} = "$dir".q|node40.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/can-drop-connectivity-var/;
-$ref_files{$key} = "$dir".q|node40.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/connection-addl-field/;
-$ref_files{$key} = "$dir".q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/index-expr/;
-$ref_files{$key} = "$dir".q|node28.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/getenv-func/;
-$ref_files{$key} = "$dir".q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/dns-mapping-req-host-field/;
-$ref_files{$key} = "$dir".q|node46.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/activating-encryption-event/;
-$ref_files{$key} = "$dir".q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/pm-attempt-dump-event/;
-$ref_files{$key} = "$dir".q|node54.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/truncated-IP-weird/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/add-func-attr/;
-$ref_files{$key} = "$dir".q|node30.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/BRO-PREFIXES-env/;
-$ref_files{$key} = "$dir".q|node6.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/cite_rfc-xdr/;
-$ref_files{$key} = "$dir".q|node106.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/hot-srcs-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-session-info-user-field/;
-$ref_files{$key} = "$dir".q|node50.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/cite_rfc-ssh/;
-$ref_files{$key} = "$dir".q|node106.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/shut-down-thresh-var/;
-$ref_files{$key} = "$dir".q|node40.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/unpaired-RPC-response-weird/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/active-connection-func/;
-$ref_files{$key} = "$dir".q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/rewrite-ident-trace-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/hot-src-24nets-var/;
-$ref_files{$key} = "$dir".q|node39.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/demux-dir-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/tbl:conn-record-states/;
-$ref_files{$key} = "$dir".q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/port-names-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/backdoor-ignore-dst-addrs-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/hot-ident-exceptions-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/conditional-expr/;
-$ref_files{$key} = "$dir".q|node28.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/backdoor-stat-period-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/delete-stmt/;
-$ref_files{$key} = "$dir".q|node27.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/HTTP-version-mismatch-weird/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/get-login-state-func/;
-$ref_files{$key} = "$dir".q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/vert-scan-thresholds-var/;
-$ref_files{$key} = "$dir".q|node56.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/tbl:contents-dir/;
-$ref_files{$key} = "$dir".q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/preserved-subnet-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/cite_x509/;
-$ref_files{$key} = "$dir".q|node106.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/precedence/;
-$ref_files{$key} = "$dir".q|node85.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/close-func/;
-$ref_files{$key} = "$dir".q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-connection-info-server-cert-field/;
-$ref_files{$key} = "$dir".q|node57.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/allow-services-var/;
-$ref_files{$key} = "$dir".q|node39.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/backscatter-ports-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/tbl:portmapper-status/;
-$ref_files{$key} = "$dir".q|node54.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/fig:conn-record/;
-$ref_files{$key} = "$dir".q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/bro-signal-event/;
-$ref_files{$key} = "$dir".q|node36.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/omit-rewrite-place-holder-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/report-remote-accounts-tried-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/max-finger-request-len-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-demux-disabled-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/RST-with-data-weird/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ssh-log-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-reply-event/;
-$ref_files{$key} = "$dir".q|node50.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/finger-analyzer-module/;
-$ref_files{$key} = "$dir".q|node47.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/parse-ftp-pasv-func/;
-$ref_files{$key} = "$dir".q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/public-ident-user-ids-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/analyzer-scan/;
-$ref_files{$key} = "$dir".q|node40.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/fig:x509/;
-$ref_files{$key} = "$dir".q|node57.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/hostnames/;
-$ref_files{$key} = "$dir".q|node17.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/const-stmt/;
-$ref_files{$key} = "$dir".q|node27.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/hot-login-ids-var/;
-$ref_files{$key} = "$dir".q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/distinct-backscatter-peers-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/temporal-ops/;
-$ref_files{$key} = "$dir".q|node15.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/table-access/;
-$ref_files{$key} = "$dir".q|node20.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/dns-mapping-req-addr-field/;
-$ref_files{$key} = "$dir".q|node46.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/scope_of_local_variables/;
-$ref_files{$key} = "$dir".q|node27.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/account-tried/;
-$ref_files{$key} = "$dir".q|node40.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/RPC-okay-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/allow-pairs-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/report-rejected-PTR-factor-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/bad-HTTP-version-weird/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-min-duration-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/compound-stmt/;
-$ref_files{$key} = "$dir".q|node27.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/conn-state-func/;
-$ref_files{$key} = "$dir".q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/rlogin-id-okay-if-no-password-exposed-var/;
-$ref_files{$key} = "$dir".q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-skip-hot-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/tbl:weird-action/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/field-attrs/;
-$ref_files{$key} = "$dir".q|node19.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/pm-attempt-getport-event/;
-$ref_files{$key} = "$dir".q|node54.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/public-ident-systems-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/capture-filter-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/finger-reply-event/;
-$ref_files{$key} = "$dir".q|node47.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/login-failure-msgs-var/;
-$ref_files{$key} = "$dir".q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/timer-expiration/;
-$ref_files{$key} = "$dir".q|node28.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/bad-ident-reply-weird/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/record-dollar/;
-$ref_files{$key} = "$dir".q|node19.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/excessively-small-fragment-weird/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/tcp-close-delay-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/possible-split-routing-weird/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/stepping-analyzer-module/;
-$ref_files{$key} = "$dir".q|node60.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/log-HTTP-data-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/rewriting-smtp-trace-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-not-actually-hot-files-var/;
-$ref_files{$key} = "$dir".q|node50.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-connection-info-client-cert-field/;
-$ref_files{$key} = "$dir".q|node57.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/smtp-session-by-message-id-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/terminate-successful-inbound-service-var/;
-$ref_files{$key} = "$dir".q|node39.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/current-time-func/;
-$ref_files{$key} = "$dir".q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/did-stone-summary-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/RPC-dump-okay-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/function_call-expr/;
-$ref_files{$key} = "$dir".q|node28.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/incompletely-captured-fragment-weird/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/analyzer-ssl/;
-$ref_files{$key} = "$dir".q|node57.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/next-stmt/;
-$ref_files{$key} = "$dir".q|node27.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/local-addresses/;
-$ref_files{$key} = "$dir".q|node38.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/analyzer-interconn/;
-$ref_files{$key} = "$dir".q|node63.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/http-sig-disabled-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/actually-rejected-PTR-anno-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/anon-log-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/authentication-rejected-event/;
-$ref_files{$key} = "$dir".q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/rel-operators/;
-$ref_files{$key} = "$dir".q|node11.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/full-output-trouble-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/backdoor-ignore-ports-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/flag-F/;
-$ref_files{$key} = "$dir".q|node6.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/rlogin-text-after-rejected-weird/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/bro-init-file/;
-$ref_files{$key} = "$dir".q|node92.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/local-code-red-response-pgm-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/accounts-tried-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/shut-down-scans-var/;
-$ref_files{$key} = "$dir".q|node40.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/open-func/;
-$ref_files{$key} = "$dir".q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/process-smtp-relay-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/flag-O/;
-$ref_files{$key} = "$dir".q|node6.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/flag-P/;
-$ref_files{$key} = "$dir".q|node6.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/login-success-msgs-var/;
-$ref_files{$key} = "$dir".q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/to-upper-func/;
-$ref_files{$key} = "$dir".q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/NUL-in-line-weird/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/stp-random-pair-thresh-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/sensitive-URIs-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/pending-data-when-closed-weird/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/add-tcpdump-filter-func/;
-$ref_files{$key} = "$dir".q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/report-peer-scan-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/flag-W/;
-$ref_files{$key} = "$dir".q|node6.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/conn-size-func/;
-$ref_files{$key} = "$dir".q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-analyzer-module/;
-$ref_files{$key} = "$dir".q|node50.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/worm-type-list-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/print-stmt/;
-$ref_files{$key} = "$dir".q|node27.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/net-stats-update-event/;
-$ref_files{$key} = "$dir".q|node36.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/report-port-scan-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-default-pkt-size-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/filtering/;
-$ref_files{$key} = "$dir".q|node35.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/conn-record/;
-$ref_files{$key} = "$dir".q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/pm-request-null-event/;
-$ref_files{$key} = "$dir".q|node54.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-analyze-certificates-var/;
-$ref_files{$key} = "$dir".q|node57.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/cite_rfc-http-1-0/;
-$ref_files{$key} = "$dir".q|node106.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/flag-f/;
-$ref_files{$key} = "$dir".q|node6.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/cite_RFC791/;
-$ref_files{$key} = "$dir".q|node106.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/cite_rfc-http-1-1/;
-$ref_files{$key} = "$dir".q|node106.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-session-info-log-it-field/;
-$ref_files{$key} = "$dir".q|node50.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/flag-h/;
-$ref_files{$key} = "$dir".q|node6.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/cite_RFC793/;
-$ref_files{$key} = "$dir".q|node106.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/flag-i/;
-$ref_files{$key} = "$dir".q|node6.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/skip-authentication-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/tbl:check-hot-states/;
-$ref_files{$key} = "$dir".q|node39.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/flag-p/;
-$ref_files{$key} = "$dir".q|node6.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/terminate-successful-inbound-service-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/weird-ignore-host-var/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ntp-session-timeout-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/flag-r/;
-$ref_files{$key} = "$dir".q|node6.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/neighbor-24-nets-var/;
-$ref_files{$key} = "$dir".q|node38.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/flag-s/;
-$ref_files{$key} = "$dir".q|node6.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/analy-analyzer-module/;
-$ref_files{$key} = "$dir".q|node55.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ident-request-addendum-weird/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/flag-v/;
-$ref_files{$key} = "$dir".q|node6.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/flag-w/;
-$ref_files{$key} = "$dir".q|node6.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/originator-RPC-reply-weird/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ident-error-event/;
-$ref_files{$key} = "$dir".q|node52.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/fig:print-filter/;
-$ref_files{$key} = "$dir".q|node35.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/report-outbound-peer-scan-var/;
-$ref_files{$key} = "$dir".q|node40.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/flag-rejected-service-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/sigs-actions/;
-$ref_files{$key} = "$dir".q|node66.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/cite_RFC2373/;
-$ref_files{$key} = "$dir".q|node106.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/cite_RFC1644/;
-$ref_files{$key} = "$dir".q|node106.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/rpc-programs-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/have-SMTP-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/tcp-reassembler-ports-orig-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/values-types-constants/;
-$ref_files{$key} = "$dir".q|node8.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/to-net-func/;
-$ref_files{$key} = "$dir".q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/hot-names-var/;
-$ref_files{$key} = "$dir".q|node47.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/record-assign/;
-$ref_files{$key} = "$dir".q|node19.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/table-assign/;
-$ref_files{$key} = "$dir".q|node20.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/notes/;
-$ref_files{$key} = "$dir".q|node72.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/enable-brov6-config/;
-$ref_files{$key} = "$dir".q|node6.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/partial-RPC-weird/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/rexmit-inconsistency-event/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/software-file-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/hot-terminal-types-var/;
-$ref_files{$key} = "$dir".q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/predefineds-time/;
-$ref_files{$key} = "$dir".q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-excessive-filename-len-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-ignore-invalid-PORT-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/connection-reset-event/;
-$ref_files{$key} = "$dir".q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/is-ftp-data-conn-func/;
-$ref_files{$key} = "$dir".q|node50.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/sigs-header/;
-$ref_files{$key} = "$dir".q|node66.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/report-remote-accounts-tried-var/;
-$ref_files{$key} = "$dir".q|node40.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/conn-id-orig-p-field/;
-$ref_files{$key} = "$dir".q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/mime-sessions-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/hot-ids-analyzer-module/;
-$ref_files{$key} = "$dir".q|node49.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/event_scheduling-expr/;
-$ref_files{$key} = "$dir".q|node28.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/allow-excessive-ntp-requests-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/discarders/;
-$ref_files{$key} = "$dir".q|node99.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-connection-info-id-index-field/;
-$ref_files{$key} = "$dir".q|node57.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/tcp-partial-close-delay-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-session-info-request-t-field/;
-$ref_files{$key} = "$dir".q|node50.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/connection-hot-field/;
-$ref_files{$key} = "$dir".q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/rpc-timeout-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/login-input-line-event/;
-$ref_files{$key} = "$dir".q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/authentication-skipped-event/;
-$ref_files{$key} = "$dir".q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/load-directive/;
-$ref_files{$key} = "$dir".q|node88.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/cite_rfc-rlogin/;
-$ref_files{$key} = "$dir".q|node106.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/table-expire-interval-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/discarder-maxlen-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/smtp-session-by-recipient-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/endpoint-id-func/;
-$ref_files{$key} = "$dir".q|node41.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-log-file/;
-$ref_files{$key} = "$dir".q|node57.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/net-ops/;
-$ref_files{$key} = "$dir".q|node18.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/connection-start-time-field/;
-$ref_files{$key} = "$dir".q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/discarder-check-udp-func/;
-$ref_files{$key} = "$dir".q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/record_field_access-expr/;
-$ref_files{$key} = "$dir".q|node28.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/login-timeouts-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/input-wait-for-output-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/skip-outbound-services-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/skip-outbound-services-var/;
-$ref_files{$key} = "$dir".q|node40.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-ignore-privileged-PASVs-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/login-success-msgs-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/analyzer-http/;
-$ref_files{$key} = "$dir".q|node51.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/HTTP-unknown-method-weird/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/excess-RPC-weird/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/min-double-func/;
-$ref_files{$key} = "$dir".q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/pm-attempt-callit-event/;
-$ref_files{$key} = "$dir".q|node54.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/set-buf-func/;
-$ref_files{$key} = "$dir".q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/step-log-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/forbidden-ids-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/login-non-failure-msgs-var/;
-$ref_files{$key} = "$dir".q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/discarder-check-icmp-func/;
-$ref_files{$key} = "$dir".q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/edited-input-trouble-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-min-7bit-ascii-ratio-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/backdoor-standard-ports-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/excessive-RPC-len-weird/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/smtp-session-by-content-hash-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/pm-attempt-func/;
-$ref_files{$key} = "$dir".q|node54.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/fig:ssl-connection-info/;
-$ref_files{$key} = "$dir".q|node57.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/increment-expr/;
-$ref_files{$key} = "$dir".q|node28.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/table-decl/;
-$ref_files{$key} = "$dir".q|node20.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/direct-login-prompts-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/play-back/;
-$ref_files{$key} = "$dir".q|node98.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/signature-match-event/;
-$ref_files{$key} = "$dir".q|node56.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/cite_rfc-finger/;
-$ref_files{$key} = "$dir".q|node106.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/tcp-reassembler-ports-resp-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/log-hook-func/;
-$ref_files{$key} = "$dir".q|node43.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/analyzer-signature/;
-$ref_files{$key} = "$dir".q|node56.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/predefineds/;
-$ref_files{$key} = "$dir".q|node31.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-ignore-standard-ports-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/conn-tag-info-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-data-expected-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/weird-action-filters-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-hot-files-var/;
-$ref_files{$key} = "$dir".q|node50.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/FIN-advanced-last-seq-weird/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/cite_rfc-x11/;
-$ref_files{$key} = "$dir".q|node106.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ssh-min-num-pkts-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/addl-web-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/login-confused-event/;
-$ref_files{$key} = "$dir".q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/expire-func-attr/;
-$ref_files{$key} = "$dir".q|node20.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/dns-mapping-hostname-field/;
-$ref_files{$key} = "$dir".q|node46.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/conn-summaries/;
-$ref_files{$key} = "$dir".q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/neighbor-16-nets-var/;
-$ref_files{$key} = "$dir".q|node38.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/allow-pairs-var/;
-$ref_files{$key} = "$dir".q|node39.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/stp-delta-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/udp-request-event/;
-$ref_files{$key} = "$dir".q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/any-RPC-okay-var/;
-$ref_files{$key} = "$dir".q|node54.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/responder-RPC-call-weird/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/cite_rfc-telnet-options/;
-$ref_files{$key} = "$dir".q|node106.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/record-constants/;
-$ref_files{$key} = "$dir".q|node19.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/table-init/;
-$ref_files{$key} = "$dir".q|node20.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/telnet-sig-disabled-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/skip-unexpected-net-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-conn-weak-event/;
-$ref_files{$key} = "$dir".q|node57.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/logical-expr/;
-$ref_files{$key} = "$dir".q|node28.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/new-connection-event/;
-$ref_files{$key} = "$dir".q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/allow-spoof-services-var/;
-$ref_files{$key} = "$dir".q|node39.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/direct-login-prompts-var/;
-$ref_files{$key} = "$dir".q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-conn-reused-event/;
-$ref_files{$key} = "$dir".q|node57.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/min-count-func/;
-$ref_files{$key} = "$dir".q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/type-inference/;
-$ref_files{$key} = "$dir".q|node30.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/syn-fin-filtering/;
-$ref_files{$key} = "$dir".q|node82.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/allow-services-to-var/;
-$ref_files{$key} = "$dir".q|node39.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/fig:dns-mapping/;
-$ref_files{$key} = "$dir".q|node46.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/skip-logins-to-var/;
-$ref_files{$key} = "$dir".q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/hot-srcs-var/;
-$ref_files{$key} = "$dir".q|node39.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/report-accounts-tried-var/;
-$ref_files{$key} = "$dir".q|node40.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/SSL-analyzer-module/;
-$ref_files{$key} = "$dir".q|node57.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/root-backdoor-sig-conns-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/partial-portmapper-request-weird/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/connection-pending-event/;
-$ref_files{$key} = "$dir".q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/did-PTR-scan-event-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/report-outbound-peer-scan-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/prefixes/;
-$ref_files{$key} = "$dir".q|node75.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/record_field_test-expr/;
-$ref_files{$key} = "$dir".q|node28.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/function-call-expr/;
-$ref_files{$key} = "$dir".q|node28.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/report-rejected-PTR-thresh-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/premature-connection-reuse-weird/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-conns-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/login-timeouts-var/;
-$ref_files{$key} = "$dir".q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/conn-id-resp-p-field/;
-$ref_files{$key} = "$dir".q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-session-info-log-if-not-denied-field/;
-$ref_files{$key} = "$dir".q|node50.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-log/;
-$ref_files{$key} = "$dir".q|node57.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/analyzer-finger/;
-$ref_files{$key} = "$dir".q|node47.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-certificate-seen-event/;
-$ref_files{$key} = "$dir".q|node57.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/watchdog-interval-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/write-file/;
-$ref_files{$key} = "$dir".q|node76.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/hot-telnet-orig-ports-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/edit-and-check-password-func/;
-$ref_files{$key} = "$dir".q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/boolean-constants/;
-$ref_files{$key} = "$dir".q|node10.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/fragment-overlap-weird/;
-$ref_files{$key} = "$dir".q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/is-local-addr-func/;
-$ref_files{$key} = "$dir".q|node38.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/hot-ident-ids-var/;
-$ref_files{$key} = "$dir".q|node52.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/maintain-http-sessions-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-sessions-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/tcp-SYN-timeout-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/connection-duration-field/;
-$ref_files{$key} = "$dir".q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/rlogin-id-okay-if-no-password-exposed-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/same-local-net-is-spoof-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/input-trouble-global/;
-$ref_files{$key} = "$dir".q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/drop-address-func/;
-$ref_files{$key} = "$dir".q|node40.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/bro-init-event/;
-$ref_files{$key} = "$dir".q|node36.html|; 
-$noresave{$key} = "$nosave";
-
-1;
-
diff --git a/doc/old/manual/labels.pl b/doc/old/manual/labels.pl
deleted file mode 100644
index 866938d0e3..0000000000
--- a/doc/old/manual/labels.pl
+++ /dev/null
@@ -1,3985 +0,0 @@
-# LaTeX2HTML 2002-2 (1.70)
-# Associate labels original text with physical files.
-
-
-$key = q/process-HTTP-data-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-connection-info-version-field/;
-$external_labels{$key} = "$URL/" . q|node57.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/network-interfaces/;
-$external_labels{$key} = "$URL/" . q|node6.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/signal-handling/;
-$external_labels{$key} = "$URL/" . q|node36.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/stp-ratio-thresh-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/stp-idle-min-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/sigs-deps/;
-$external_labels{$key} = "$URL/" . q|node66.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/http-request-event/;
-$external_labels{$key} = "$URL/" . q|node51.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/pm-attempt-set-event/;
-$external_labels{$key} = "$URL/" . q|node54.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/allow-spoof-services-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-hot-cmds-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-log-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/spontaneous-FIN-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/USER-env/;
-$external_labels{$key} = "$URL/" . q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/skip-authentication-var/;
-$external_labels{$key} = "$URL/" . q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/allow-services-pairs-var/;
-$external_labels{$key} = "$URL/" . q|node39.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/RPC-okay-nets-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/mask-addr-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/connection-record-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/fig:signature-state/;
-$external_labels{$key} = "$URL/" . q|node66.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/for-stmt/;
-$external_labels{$key} = "$URL/" . q|node27.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/fragment-size-inconsistency-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/site-analyzer-module/;
-$external_labels{$key} = "$URL/" . q|node38.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/exit-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/forbidden-id-patterns-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/bad-SYN-ack-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/Land-attack-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/skip-scan-nets-16-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/active-connection-reuse-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/smtp-legal-cmds-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/local-stmt/;
-$external_labels{$key} = "$URL/" . q|node27.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-data-expected-session-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/set-record-packets-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/forbidden-ids-var/;
-$external_labels{$key} = "$URL/" . q|node49.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/hot-login-func/;
-$external_labels{$key} = "$URL/" . q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/var-redef/;
-$external_labels{$key} = "$URL/" . q|node30.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/endpoint-state-field/;
-$external_labels{$key} = "$URL/" . q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/logical-operators/;
-$external_labels{$key} = "$URL/" . q|node10.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/allow-PTR-scans-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/UDP-datagram-length-mismatch-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/always-hot-login-ids-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/record-index/;
-$external_labels{$key} = "$URL/" . q|node20.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/address-type/;
-$external_labels{$key} = "$URL/" . q|node17.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/connection-attempt-event/;
-$external_labels{$key} = "$URL/" . q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/RST-storm-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/NULs-allowed-in-strings/;
-$external_labels{$key} = "$URL/" . q|node13.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/cross-product-init/;
-$external_labels{$key} = "$URL/" . q|node20.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/analyzer-portmapper/;
-$external_labels{$key} = "$URL/" . q|node54.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/tcp-SYN-ack-ok-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/remote-code-red-response-pgm-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-max-keystroke-pkt-size-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-standard-ports-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/pm-request-func/;
-$external_labels{$key} = "$URL/" . q|node54.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/login-analyzer-module/;
-$external_labels{$key} = "$URL/" . q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/relay-log-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/connection-partial-close-event/;
-$external_labels{$key} = "$URL/" . q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/skip-remote-sensitive-URIs-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/fig:ssl-log/;
-$external_labels{$key} = "$URL/" . q|node57.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/debugger-overview/;
-$external_labels{$key} = "$URL/" . q|node69.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/RPC-do-not-complain-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/print-filter-analyzer-module/;
-$external_labels{$key} = "$URL/" . q|node35.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/debugger/;
-$external_labels{$key} = "$URL/" . q|node68.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/debugger-example/;
-$external_labels{$key} = "$URL/" . q|node70.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/get-resp-seq-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/return-stmt/;
-$external_labels{$key} = "$URL/" . q|node27.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/num-distinct-ports-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/add-interface-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/scan-analyzer-module/;
-$external_labels{$key} = "$URL/" . q|node40.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/module-hot-ids/;
-$external_labels{$key} = "$URL/" . q|node49.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/bad-TCP-checksum-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/partial-finger-request-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/temporal-types/;
-$external_labels{$key} = "$URL/" . q|node15.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/active-conn-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ignore-checksums-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/dns-mapping-addrs-field/;
-$external_labels{$key} = "$URL/" . q|node46.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/allow-service-pairs-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/udp-did-summary-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/neighbor-nets-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ack-above-hole-event/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/determine-service-func/;
-$external_labels{$key} = "$URL/" . q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/did-sigconns-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/record-decl/;
-$external_labels{$key} = "$URL/" . q|node19.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/bad-RPC-program-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/relational-expr/;
-$external_labels{$key} = "$URL/" . q|node28.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/connection-finished-event/;
-$external_labels{$key} = "$URL/" . q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/max-count-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/dns-analyzer-module/;
-$external_labels{$key} = "$URL/" . q|node46.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-guest-ids-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/connection-type/;
-$external_labels{$key} = "$URL/" . q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/module-frag/;
-$external_labels{$key} = "$URL/" . q|node48.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/have-skip-remote-sensitive-URIs-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/SYN-after-partial-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/num-distinct-peers-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/backdoor-min-normal-line-ratio-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/log-stmt/;
-$external_labels{$key} = "$URL/" . q|node27.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/backdoor-stat-backoff-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-log/;
-$external_labels{$key} = "$URL/" . q|node50.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/full-input-trouble-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/hot-telnet-orig-ports-var/;
-$external_labels{$key} = "$URL/" . q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-hot-guest-files-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/check-relay-4-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/debugger-reference/;
-$external_labels{$key} = "$URL/" . q|node73.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/rlogin-conns-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/bad-ident-request-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/sigs-content/;
-$external_labels{$key} = "$URL/" . q|node66.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/to-lower-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/finger-request-event/;
-$external_labels{$key} = "$URL/" . q|node47.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/partial-ident-request-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/RPC-okay-var/;
-$external_labels{$key} = "$URL/" . q|node54.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/mixing-numerics/;
-$external_labels{$key} = "$URL/" . q|node11.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/net-weird-event/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/analyzers/;
-$external_labels{$key} = "$URL/" . q|node34.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/weird-do-not-ignore-repeats-var/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/rule-file-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/interfaces-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/connection-established-event/;
-$external_labels{$key} = "$URL/" . q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/blank-in-HTTP-request-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/tcp-session-timer-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/cite_tls-56/;
-$external_labels{$key} = "$URL/" . q|node106.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/_-library/;
-$external_labels{$key} = "$URL/" . q|node6.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/open-for-append-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/skip-scan-nets-24-var/;
-$external_labels{$key} = "$URL/" . q|node40.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/attrs/;
-$external_labels{$key} = "$URL/" . q|node30.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/code-red-log-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/partial-connection/;
-$external_labels{$key} = "$URL/" . q|node86.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/input-trouble-var/;
-$external_labels{$key} = "$URL/" . q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/backdoor-analyzer-module/;
-$external_labels{$key} = "$URL/" . q|node62.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/horiz-scan-thresholds-var/;
-$external_labels{$key} = "$URL/" . q|node56.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/logical-negation/;
-$external_labels{$key} = "$URL/" . q|node10.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/dns-interesting-changes-var/;
-$external_labels{$key} = "$URL/" . q|node46.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/constant-expr/;
-$external_labels{$key} = "$URL/" . q|node28.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/hot-terminal-types-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/red-log/;
-$external_labels{$key} = "$URL/" . q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/router-prompts-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/NFS-world-servers-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/sigs-snort2bro/;
-$external_labels{$key} = "$URL/" . q|node67.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/module-mt/;
-$external_labels{$key} = "$URL/" . q|node42.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/cite_RFC-NFS2/;
-$external_labels{$key} = "$URL/" . q|node106.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/cite_RFC-NFS3/;
-$external_labels{$key} = "$URL/" . q|node106.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/RPC-dump-okay-var/;
-$external_labels{$key} = "$URL/" . q|node54.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/bad-UDP-checksum-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/equality-expr/;
-$external_labels{$key} = "$URL/" . q|node28.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/net-constants/;
-$external_labels{$key} = "$URL/" . q|node18.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/SYN-seq-jump-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/partial-connection-ok-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/non-backdoor-prompts-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/weird-analyzer-module/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-min-bytes-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/backdoor-log-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/rewrite-finger-trace-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/null-stmt/;
-$external_labels{$key} = "$URL/" . q|node27.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/restrict-filter-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/scan-dropping/;
-$external_labels{$key} = "$URL/" . q|node84.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/is-forbidden-id-func/;
-$external_labels{$key} = "$URL/" . q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/skip-further-processing-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/max-request-length-var/;
-$external_labels{$key} = "$URL/" . q|node47.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/pm-bad-port-event/;
-$external_labels{$key} = "$URL/" . q|node54.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-connection-info-id-field/;
-$external_labels{$key} = "$URL/" . q|node57.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/dns-mapping-name-changed-event/;
-$external_labels{$key} = "$URL/" . q|node46.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/net-type/;
-$external_labels{$key} = "$URL/" . q|node18.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/num-dns-sessions-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/arithmetic-expr/;
-$external_labels{$key} = "$URL/" . q|node28.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-conn-alert-event/;
-$external_labels{$key} = "$URL/" . q|node57.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/field-test-op/;
-$external_labels{$key} = "$URL/" . q|node28.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/gtld-servers-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/sensitive-URIs-var/;
-$external_labels{$key} = "$URL/" . q|node51.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/pm-request-getport-event/;
-$external_labels{$key} = "$URL/" . q|node54.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/sigs-overview/;
-$external_labels{$key} = "$URL/" . q|node65.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/address-constants/;
-$external_labels{$key} = "$URL/" . q|node17.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/hot-ssh-orig-ports-var/;
-$external_labels{$key} = "$URL/" . q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/hot-conns-reported-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/packet-drops/;
-$external_labels{$key} = "$URL/" . q|node87.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/connection-half-finished-event/;
-$external_labels{$key} = "$URL/" . q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/http-log-file/;
-$external_labels{$key} = "$URL/" . q|node51.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/flag-successful-service-var/;
-$external_labels{$key} = "$URL/" . q|node39.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/flag-successful-inbound-service-var/;
-$external_labels{$key} = "$URL/" . q|node39.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/temporal-constants/;
-$external_labels{$key} = "$URL/" . q|node15.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/heartbeat-interval-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/distinct-answered-PTR-requests-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/restrict-filter/;
-$external_labels{$key} = "$URL/" . q|node35.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/last-stat-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/login-confused/;
-$external_labels{$key} = "$URL/" . q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/internally-truncated-header-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-stat-backoff-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/byte-len-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/conn-stats-event/;
-$external_labels{$key} = "$URL/" . q|node55.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/cite_ssl-aes/;
-$external_labels{$key} = "$URL/" . q|node106.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/skip-scan-sources-var/;
-$external_labels{$key} = "$URL/" . q|node40.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/bad-ICMP-checksum-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/baroque-SYN-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/tcp-connection-linger-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-request-event/;
-$external_labels{$key} = "$URL/" . q|node50.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/unsolicited-SYN-response-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/set-login-state-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/rewriting-http-trace-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/pm-request-dump-event/;
-$external_labels{$key} = "$URL/" . q|node54.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/event-handlers/;
-$external_labels{$key} = "$URL/" . q|node24.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/authentication-accepted-event/;
-$external_labels{$key} = "$URL/" . q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/frag-analyzer-module/;
-$external_labels{$key} = "$URL/" . q|node48.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/http-log/;
-$external_labels{$key} = "$URL/" . q|node51.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/edited-input-trouble-var/;
-$external_labels{$key} = "$URL/" . q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/inappropriate-FIN-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/string-constants/;
-$external_labels{$key} = "$URL/" . q|node13.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/sub-bytes-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/non-ASCII-hosts-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-connection-info-handshake-cipher-field/;
-$external_labels{$key} = "$URL/" . q|node57.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/tbl:portmapper/;
-$external_labels{$key} = "$URL/" . q|node54.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/report-accounts-tried-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/hot-login-ids-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/root-servers-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/udp-req-count-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/patterns/;
-$external_labels{$key} = "$URL/" . q|node14.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/distinct-ports-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/FIN-storm-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/analyzer-icmp/;
-$external_labels{$key} = "$URL/" . q|node59.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/NFS-world-servers-var/;
-$external_labels{$key} = "$URL/" . q|node54.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/table-del/;
-$external_labels{$key} = "$URL/" . q|node20.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/reading-live-traffic-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/set-contents-file-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/check-relay-3-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/id-string-func/;
-$external_labels{$key} = "$URL/" . q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/fig:net-stats/;
-$external_labels{$key} = "$URL/" . q|node36.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/weird-action-var/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/clean-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/conn-weird-event/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/neighbor-marker/;
-$external_labels{$key} = "$URL/" . q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/T-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/possible-port-scan-thresh-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/backdoor-prompts-var/;
-$external_labels{$key} = "$URL/" . q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/cite_rfc-pop3/;
-$external_labels{$key} = "$URL/" . q|node106.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/login-sessions-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/module-port-name/;
-$external_labels{$key} = "$URL/" . q|node41.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/write-expire-attr/;
-$external_labels{$key} = "$URL/" . q|node20.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/always-hot-ids-var/;
-$external_labels{$key} = "$URL/" . q|node49.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/hot-dst-24nets-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/login-prompts-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/dns-mapping-altered-event/;
-$external_labels{$key} = "$URL/" . q|node46.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/RPC-rexmit-inconsistency-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/timer-management/;
-$external_labels{$key} = "$URL/" . q|node81.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/var-init/;
-$external_labels{$key} = "$URL/" . q|node30.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/event-stmt/;
-$external_labels{$key} = "$URL/" . q|node27.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/dns-cache/;
-$external_labels{$key} = "$URL/" . q|node46.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/distinct-rejected-PTR-requests-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/active-conn-var/;
-$external_labels{$key} = "$URL/" . q|node44.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/kazaa-sig-disabled-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/distinct-peers-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/anonymous_function-expr/;
-$external_labels{$key} = "$URL/" . q|node28.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/analyzer-filters/;
-$external_labels{$key} = "$URL/" . q|node35.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/possible-port-scan-thresh-var/;
-$external_labels{$key} = "$URL/" . q|node40.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/demux-analyzer-module/;
-$external_labels{$key} = "$URL/" . q|node45.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/module-log/;
-$external_labels{$key} = "$URL/" . q|node43.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/truncated-header-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/code-red-list2-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/conn-id/;
-$external_labels{$key} = "$URL/" . q|node19.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-min-normal-line-ratio-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/capture-filter-var/;
-$external_labels{$key} = "$URL/" . q|node35.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/module-ssh-stepping/;
-$external_labels{$key} = "$URL/" . q|node61.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-conn-established-event/;
-$external_labels{$key} = "$URL/" . q|node57.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/check-spoof-func/;
-$external_labels{$key} = "$URL/" . q|node39.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/active-file-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/hot-ids-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/record_constructor-expr/;
-$external_labels{$key} = "$URL/" . q|node28.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-conn-attempt-event/;
-$external_labels{$key} = "$URL/" . q|node57.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/module-active/;
-$external_labels{$key} = "$URL/" . q|node44.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/possible-scan-sources-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-max-interarrival-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-verify-certificates-var/;
-$external_labels{$key} = "$URL/" . q|node57.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/router-prompts-var/;
-$external_labels{$key} = "$URL/" . q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/addl-web-var/;
-$external_labels{$key} = "$URL/" . q|node40.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/account-tried-event/;
-$external_labels{$key} = "$URL/" . q|node40.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/portmapper-analyzer-module/;
-$external_labels{$key} = "$URL/" . q|node54.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/hot-ids-var/;
-$external_labels{$key} = "$URL/" . q|node49.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/port-names-var/;
-$external_labels{$key} = "$URL/" . q|node41.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/bro-log-file-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/report-weird-orig-func/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/stp-demux-disabled-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/fmt-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/dns-sessions-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/predefineds-string/;
-$external_labels{$key} = "$URL/" . q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-min-gamma-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/login-failure-msgs-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/skip-clear-ssh-reports-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/SYN-with-data-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/same-local-net-is-spoof-var/;
-$external_labels{$key} = "$URL/" . q|node39.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/check-scan-func/;
-$external_labels{$key} = "$URL/" . q|node40.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/login-failure-event/;
-$external_labels{$key} = "$URL/" . q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/inconsistent-option-event/;
-$external_labels{$key} = "$URL/" . q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/fragment-inconsistency-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/rlogin-sig-disabled-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/data-before-established-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/inserting-tables-into-tables/;
-$external_labels{$key} = "$URL/" . q|node90.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-stat-period-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/variable-expr/;
-$external_labels{$key} = "$URL/" . q|node28.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/fig:http-log-eg/;
-$external_labels{$key} = "$URL/" . q|node51.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/dns-mapping-unverified-event/;
-$external_labels{$key} = "$URL/" . q|node46.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/detected-stones-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/cite_RFC1122/;
-$external_labels{$key} = "$URL/" . q|node106.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/if-stmt/;
-$external_labels{$key} = "$URL/" . q|node27.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/tag-to-conn-map-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/refinement/;
-$external_labels{$key} = "$URL/" . q|node79.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/gnutella-sig-disabled-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/napster-sig-disabled-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/tcp-analyzer-module/;
-$external_labels{$key} = "$URL/" . q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-compare-cipherspecs-var/;
-$external_labels{$key} = "$URL/" . q|node57.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/functions/;
-$external_labels{$key} = "$URL/" . q|node23.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/conn-functions/;
-$external_labels{$key} = "$URL/" . q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/cite_tlsv1/;
-$external_labels{$key} = "$URL/" . q|node106.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/backdoor-demux-skip-tags-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/cite_rfc-ident/;
-$external_labels{$key} = "$URL/" . q|node106.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/connection-rejected-event/;
-$external_labels{$key} = "$URL/" . q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/bad-rlogin-prolog-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/discarder-check-ip-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/pm-attempt-null-event/;
-$external_labels{$key} = "$URL/" . q|node54.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-store-certificates-var/;
-$external_labels{$key} = "$URL/" . q|node57.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/cite_pcap/;
-$external_labels{$key} = "$URL/" . q|node106.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-log-file/;
-$external_labels{$key} = "$URL/" . q|node50.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/non-backdoor-prompts-var/;
-$external_labels{$key} = "$URL/" . q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/backdoor-ignore-src-addrs-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-store-cert-path-var/;
-$external_labels{$key} = "$URL/" . q|node57.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/repeated-SYN-with-ack-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/tbl:conn-file-states/;
-$external_labels{$key} = "$URL/" . q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/mt-analyzer-module/;
-$external_labels{$key} = "$URL/" . q|node42.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/dns-mapping-valid-field/;
-$external_labels{$key} = "$URL/" . q|node46.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/login-confused-text-event/;
-$external_labels{$key} = "$URL/" . q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/variables/;
-$external_labels{$key} = "$URL/" . q|node29.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/net-done-event/;
-$external_labels{$key} = "$URL/" . q|node36.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/type-conversion/;
-$external_labels{$key} = "$URL/" . q|node9.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/login-non-failure-msgs-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/check-hot-func/;
-$external_labels{$key} = "$URL/" . q|node39.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/dns-mapping-new-name-event/;
-$external_labels{$key} = "$URL/" . q|node46.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-sig-disabled-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/dns-mapping-lost-name-event/;
-$external_labels{$key} = "$URL/" . q|node46.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/tcp-match-undelivered-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/num-backscatter-peers-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/software-table-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/cf-utility/;
-$external_labels{$key} = "$URL/" . q|node7.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/simultaneous-open-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/discarder-check-tcp-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/demuxed-conn-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/skip-accounts-tried-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/excessive-line-event/;
-$external_labels{$key} = "$URL/" . q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-min-interarrival-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/smtp-sensitive-cmds-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/backdoor-min-7bit-ascii-ratio-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/udp-rep-count-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/flush-all-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/fig:log-hook/;
-$external_labels{$key} = "$URL/" . q|node43.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/tcp-storm-thresh-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/split-routing/;
-$external_labels{$key} = "$URL/" . q|node83.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/flag-successful-inbound-service-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/analyzer-stepping/;
-$external_labels{$key} = "$URL/" . q|node60.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/table-attr/;
-$external_labels{$key} = "$URL/" . q|node20.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-ssh-len-disabled-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/analyzer-activation/;
-$external_labels{$key} = "$URL/" . q|node35.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/expression-stmt/;
-$external_labels{$key} = "$URL/" . q|node27.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/SYN-after-close-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/code-red-list1-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/local-24-nets-var/;
-$external_labels{$key} = "$URL/" . q|node38.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/edit-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/in-operator/;
-$external_labels{$key} = "$URL/" . q|node28.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/smtp-relay-table-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/pm-request-callit-event/;
-$external_labels{$key} = "$URL/" . q|node54.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/output-trouble-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/contains-string-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/multiple-RPCs-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/membership-expr/;
-$external_labels{$key} = "$URL/" . q|node28.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/http-abstract-max-length-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/suppress-scan-checks-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/fragment-protocol-inconsistency-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/todo/;
-$external_labels{$key} = "$URL/" . q|node74.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/allow-services-to-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/non-ASCII-hosts-var/;
-$external_labels{$key} = "$URL/" . q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ssh-len-conns-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/done-with-network-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-session-info-num-requests-field/;
-$external_labels{$key} = "$URL/" . q|node50.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/arith-operators/;
-$external_labels{$key} = "$URL/" . q|node11.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/num-scan-triples-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/last-stat-time-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/NFS-services-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/record-connection-func/;
-$external_labels{$key} = "$URL/" . q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/backdoor-prompts-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/trace-log/;
-$external_labels{$key} = "$URL/" . q|node76.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/has-signature-matched-func/;
-$external_labels{$key} = "$URL/" . q|node56.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/service-name-func/;
-$external_labels{$key} = "$URL/" . q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/skip-scan-nets-24-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/var-scope/;
-$external_labels{$key} = "$URL/" . q|node30.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/fig:ftp-log-eg/;
-$external_labels{$key} = "$URL/" . q|node50.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/distinct-PTR-requests-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/http-log-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/signature-analyzer-module/;
-$external_labels{$key} = "$URL/" . q|node56.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/okay-to-lookup-sensitive-hosts-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/weird-log-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/sensitive-lookup-hosts-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/getting-started/;
-$external_labels{$key} = "$URL/" . q|node5.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/weird-action-filters-var/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/statements/;
-$external_labels{$key} = "$URL/" . q|node26.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/record-constructors/;
-$external_labels{$key} = "$URL/" . q|node28.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/BRO-ID-env/;
-$external_labels{$key} = "$URL/" . q|node43.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/always-hot-ids-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/weird-do-not-ignore-repeats-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/icmp-flows-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/max-interval-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/conn-events/;
-$external_labels{$key} = "$URL/" . q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/http-analyzer-module/;
-$external_labels{$key} = "$URL/" . q|node51.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/check-info-expanded-line-field/;
-$external_labels{$key} = "$URL/" . q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/analyzer-analy/;
-$external_labels{$key} = "$URL/" . q|node55.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/have-stats-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/var-mod/;
-$external_labels{$key} = "$URL/" . q|node30.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/suppress-pm-log-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/last-type/;
-$external_labels{$key} = "$URL/" . q|node25.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/weird-log/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/hf-utility/;
-$external_labels{$key} = "$URL/" . q|node7.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/is-hot-id-func/;
-$external_labels{$key} = "$URL/" . q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/dns-log-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/edit-and-check-line-func/;
-$external_labels{$key} = "$URL/" . q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/data-after-reset-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/spontaneous-RST-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/sensitive-post-URIs-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/worm-log-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/policy-script-events/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/connection-service-field/;
-$external_labels{$key} = "$URL/" . q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/RPC-okay-services-var/;
-$external_labels{$key} = "$URL/" . q|node54.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-min-alpha-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/repeated-SYN-reply-wo-ack-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/hot-dsts-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/skip-scan-sources-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/sigs-context/;
-$external_labels{$key} = "$URL/" . q|node66.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/hot-src-24nets-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/pm-request-unset-event/;
-$external_labels{$key} = "$URL/" . q|node54.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/software-ident-by-major-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/bro-log-file-var/;
-$external_labels{$key} = "$URL/" . q|node43.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/udp-reply-event/;
-$external_labels{$key} = "$URL/" . q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/x509-trusted-cert-path-var/;
-$external_labels{$key} = "$URL/" . q|node57.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/never-shut-down-var/;
-$external_labels{$key} = "$URL/" . q|node40.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ident-request-event/;
-$external_labels{$key} = "$URL/" . q|node52.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/BROPATH-env/;
-$external_labels{$key} = "$URL/" . q|node6.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/full-id-string-func/;
-$external_labels{$key} = "$URL/" . q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/neighbor-16-nets-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/port-name-analyzer-module/;
-$external_labels{$key} = "$URL/" . q|node41.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/module-dns/;
-$external_labels{$key} = "$URL/" . q|node46.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/hot-dsts-var/;
-$external_labels{$key} = "$URL/" . q|node39.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/bad-pm-port-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/shut-down-all-scans-var/;
-$external_labels{$key} = "$URL/" . q|node40.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/sigs-language/;
-$external_labels{$key} = "$URL/" . q|node66.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/bibliography/;
-$external_labels{$key} = "$URL/" . q|node105.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/neighbor-addresses/;
-$external_labels{$key} = "$URL/" . q|node38.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/NFS-services-var/;
-$external_labels{$key} = "$URL/" . q|node54.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/local-mail-addr-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/udp-analyzer-module/;
-$external_labels{$key} = "$URL/" . q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/http-proxy-sig-disabled-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/bad-HTTP-reply-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/debugger-notes/;
-$external_labels{$key} = "$URL/" . q|node72.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/have-FTP-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/first-type/;
-$external_labels{$key} = "$URL/" . q|node10.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/delete-func-attr/;
-$external_labels{$key} = "$URL/" . q|node30.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/did-ssh-version-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-min-num-lines-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/worm-list-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/local-16-nets-var/;
-$external_labels{$key} = "$URL/" . q|node38.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/tcp-storm-interarrival-thresh-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/shallow-copy/;
-$external_labels{$key} = "$URL/" . q|node19.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/skip-logins-to-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/site-info/;
-$external_labels{$key} = "$URL/" . q|node38.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/any-RPC-okay-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/parse-ftp-port-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/positivation-expr/;
-$external_labels{$key} = "$URL/" . q|node28.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/cite_rfc-ftp/;
-$external_labels{$key} = "$URL/" . q|node106.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/mime-log-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/stp-scale-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/report-weird-func/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/hostnames-vs-addresses/;
-$external_labels{$key} = "$URL/" . q|node93.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/pattern-matching-ops/;
-$external_labels{$key} = "$URL/" . q|node14.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/SYN-inside-connection-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/anonymize-ip-addr-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/conn-weird-addl-event/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/forbidden-ids-if-no-password-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/pm-check-getport-func/;
-$external_labels{$key} = "$URL/" . q|node54.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/TCP-christmas-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/tcp-attempt-delayv-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/analyzer-ident/;
-$external_labels{$key} = "$URL/" . q|node52.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/conn-analyzer-module/;
-$external_labels{$key} = "$URL/" . q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/bad-option-event/;
-$external_labels{$key} = "$URL/" . q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/cite_rfc-rpc/;
-$external_labels{$key} = "$URL/" . q|node106.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/scan-triples-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/analy-conn/;
-$external_labels{$key} = "$URL/" . q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/demux-conn-func/;
-$external_labels{$key} = "$URL/" . q|node45.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/udp-conn/;
-$external_labels{$key} = "$URL/" . q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/non-analyzed-lifetime-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/always-hot-login-ids-var/;
-$external_labels{$key} = "$URL/" . q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/cite_bro-usenix-98/;
-$external_labels{$key} = "$URL/" . q|node106.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/suppress-pm-log-var/;
-$external_labels{$key} = "$URL/" . q|node54.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ssh-sig-disabled-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/intro/;
-$external_labels{$key} = "$URL/" . q|node4.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/pm-request-set-event/;
-$external_labels{$key} = "$URL/" . q|node54.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/tbl:login-confusion/;
-$external_labels{$key} = "$URL/" . q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/display-pairs-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/cite_sslv30/;
-$external_labels{$key} = "$URL/" . q|node106.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ssh-min-ssh-pkts-ratio-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/SYN-after-reset-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/skip-unexpected-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/cite_bro-comp-networks-99/;
-$external_labels{$key} = "$URL/" . q|node106.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-session-info-log-if-not-unavail-field/;
-$external_labels{$key} = "$URL/" . q|node50.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-session-info-request-field/;
-$external_labels{$key} = "$URL/" . q|node50.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/open-log-file-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/fragment-with-DF-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/report-peer-scan-var/;
-$external_labels{$key} = "$URL/" . q|node40.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/bro-done-event/;
-$external_labels{$key} = "$URL/" . q|node36.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/backdoor-min-num-lines-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/connection-originator-SYN-ack-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/login-success-event/;
-$external_labels{$key} = "$URL/" . q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/login-terminal-event/;
-$external_labels{$key} = "$URL/" . q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/tables/;
-$external_labels{$key} = "$URL/" . q|node20.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-session-info-id-field/;
-$external_labels{$key} = "$URL/" . q|node50.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/allow-services-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/signatures/;
-$external_labels{$key} = "$URL/" . q|node64.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/telnet-sig-3byte-conns-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/default-attr/;
-$external_labels{$key} = "$URL/" . q|node20.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/always-hot-ids/;
-$external_labels{$key} = "$URL/" . q|node49.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/is-tcp-port-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/process-HTTP-replies-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/sigs-conditions/;
-$external_labels{$key} = "$URL/" . q|node66.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/analyzer-load/;
-$external_labels{$key} = "$URL/" . q|node35.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/bad-RPC-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-excessive-filename-trunc-len-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/log-hot-conn-func/;
-$external_labels{$key} = "$URL/" . q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-guest-ids-var/;
-$external_labels{$key} = "$URL/" . q|node50.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/analyzer-backdoor/;
-$external_labels{$key} = "$URL/" . q|node62.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-hot-files-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/root-backdoor-sig-disabled-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/flow-weird-event/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/max-double-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/alert-file-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/allow-16-net-pairs-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/terminate-connection-func/;
-$external_labels{$key} = "$URL/" . q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/capture-filter/;
-$external_labels{$key} = "$URL/" . q|node35.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/hot-dst-24nets-var/;
-$external_labels{$key} = "$URL/" . q|node39.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/skip-unexpected-net-var/;
-$external_labels{$key} = "$URL/" . q|node50.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/NULs-run-time/;
-$external_labels{$key} = "$URL/" . q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/reference/;
-$external_labels{$key} = "$URL/" . q|node73.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/RPC-server-map-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-min-ssh-pkts-ratio-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-skip-hot-var/;
-$external_labels{$key} = "$URL/" . q|node50.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/is-login-conn-func/;
-$external_labels{$key} = "$URL/" . q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/local-24-nets-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/analyzer-ftp/;
-$external_labels{$key} = "$URL/" . q|node50.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/tbl:sigs-modactions/;
-$external_labels{$key} = "$URL/" . q|node56.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/forbidden-id-patterns-var/;
-$external_labels{$key} = "$URL/" . q|node49.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/backdoor-min-bytes-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-store-key-material-var/;
-$external_labels{$key} = "$URL/" . q|node57.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/break-stmt/;
-$external_labels{$key} = "$URL/" . q|node27.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/parenthesized-expr/;
-$external_labels{$key} = "$URL/" . q|node28.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/alert-action-filters-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-conn-server-reply-event/;
-$external_labels{$key} = "$URL/" . q|node57.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/global-stmts/;
-$external_labels{$key} = "$URL/" . q|node89.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/conn-id-orig-h-field/;
-$external_labels{$key} = "$URL/" . q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/network-time-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/dns-session-timeout-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/mkdir-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/analyzer-login/;
-$external_labels{$key} = "$URL/" . q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/bad-option-termination-event/;
-$external_labels{$key} = "$URL/" . q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/decrement-expr/;
-$external_labels{$key} = "$URL/" . q|node28.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/weird-ignore-host-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-connection-info-connection-id-field/;
-$external_labels{$key} = "$URL/" . q|node57.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-max-cipherspec-size-var/;
-$external_labels{$key} = "$URL/" . q|node57.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/min-interval-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/set-type/;
-$external_labels{$key} = "$URL/" . q|node21.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/cite_ssl-fips/;
-$external_labels{$key} = "$URL/" . q|node106.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/preserved-net-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/backdoor-demux-disabled-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/dns-mapping-valid-event/;
-$external_labels{$key} = "$URL/" . q|node46.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/sensitive-post-URIs-var/;
-$external_labels{$key} = "$URL/" . q|node51.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/login-prompts-var/;
-$external_labels{$key} = "$URL/" . q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/read-expire-attr/;
-$external_labels{$key} = "$URL/" . q|node20.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/skip-unexpected-var/;
-$external_labels{$key} = "$URL/" . q|node50.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-min-num-pkts-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/differences/;
-$external_labels{$key} = "$URL/" . q|node100.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/cite_rfc-telnet/;
-$external_labels{$key} = "$URL/" . q|node106.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/analyzer-hot/;
-$external_labels{$key} = "$URL/" . q|node39.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/smtp-sessions-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/rlogin-sig-1byte-disabled-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/log-analyzer-module/;
-$external_labels{$key} = "$URL/" . q|node43.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/port-constants/;
-$external_labels{$key} = "$URL/" . q|node16.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/output-trouble-var/;
-$external_labels{$key} = "$URL/" . q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/RPC-okay-nets-var/;
-$external_labels{$key} = "$URL/" . q|node54.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/keystroke-editing/;
-$external_labels{$key} = "$URL/" . q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/hot-names-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/neighbor-nets-var/;
-$external_labels{$key} = "$URL/" . q|node38.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/rpc-programs-var/;
-$external_labels{$key} = "$URL/" . q|node54.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/rpc-prog-func/;
-$external_labels{$key} = "$URL/" . q|node54.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/local-16-nets-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/max-timer-expires-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/http-sessions-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/tbl:endpoint-stats/;
-$external_labels{$key} = "$URL/" . q|node55.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/pattern-constants/;
-$external_labels{$key} = "$URL/" . q|node14.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/allow-16-net-pairs-var/;
-$external_labels{$key} = "$URL/" . q|node39.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/login-output-line-event/;
-$external_labels{$key} = "$URL/" . q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/vert-scan-thresholds-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/port-ops/;
-$external_labels{$key} = "$URL/" . q|node16.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/hot-analyzer-module/;
-$external_labels{$key} = "$URL/" . q|node39.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/numeric-constants/;
-$external_labels{$key} = "$URL/" . q|node11.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/endpoint-size-field/;
-$external_labels{$key} = "$URL/" . q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/active-analyzer-module/;
-$external_labels{$key} = "$URL/" . q|node44.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/excessively-large-fragment-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/local-nets-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/assignment-expr/;
-$external_labels{$key} = "$URL/" . q|node28.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/pm-attempt-unset-event/;
-$external_labels{$key} = "$URL/" . q|node54.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/bad-IP-checksum-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/smtp-hot-cmds-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/multiple-HTTP-request-elements-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/worm-URIs-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/telnet-sig-conns-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-log-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/dns-mapping-creation-time-field/;
-$external_labels{$key} = "$URL/" . q|node46.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/icmp-analyzer-module/;
-$external_labels{$key} = "$URL/" . q|node59.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/negation-expr/;
-$external_labels{$key} = "$URL/" . q|node28.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/FIN-after-reset-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/report-backscatter-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/var-type/;
-$external_labels{$key} = "$URL/" . q|node30.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/backdoor-annotate-standard-ports-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/cite_ptacek98/;
-$external_labels{$key} = "$URL/" . q|node106.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/system-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/length-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/inactivity-timeout-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/fig:ftp-session-info/;
-$external_labels{$key} = "$URL/" . q|node50.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/demux/;
-$external_labels{$key} = "$URL/" . q|node91.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/weird-action-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/icmp-conn/;
-$external_labels{$key} = "$URL/" . q|node59.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/include-HTTP-abstract-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/cite_bpf/;
-$external_labels{$key} = "$URL/" . q|node106.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/bro-proc-events/;
-$external_labels{$key} = "$URL/" . q|node36.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/sig-actions-var/;
-$external_labels{$key} = "$URL/" . q|node56.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/hot-ident-ids-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/get-orig-seq-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/telnet-sig-3byte-disabled-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/RPC-okay-services-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/module-demux/;
-$external_labels{$key} = "$URL/" . q|node45.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/horiz-scan-thresholds-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/flag-rejected-service-var/;
-$external_labels{$key} = "$URL/" . q|node39.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-hot-guest-files-var/;
-$external_labels{$key} = "$URL/" . q|node50.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/address-ops/;
-$external_labels{$key} = "$URL/" . q|node17.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ident-analyzer-module/;
-$external_labels{$key} = "$URL/" . q|node52.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ident-reply-event/;
-$external_labels{$key} = "$URL/" . q|node52.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/num-accounts-tried-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/var-attr/;
-$external_labels{$key} = "$URL/" . q|node30.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/flag-successful-service-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/report-weird-conn-func/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/cite_sslv2/;
-$external_labels{$key} = "$URL/" . q|node106.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/tftp-alert-count-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/pm-activity-func/;
-$external_labels{$key} = "$URL/" . q|node54.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/bad-TCP-header-len-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/skip-services-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/redef/;
-$external_labels{$key} = "$URL/" . q|node79.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/smtp-log-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/port-type/;
-$external_labels{$key} = "$URL/" . q|node16.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/pattern_matching-expr/;
-$external_labels{$key} = "$URL/" . q|node28.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/forbidden-ids-if-no-password-var/;
-$external_labels{$key} = "$URL/" . q|node49.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/redef-attr/;
-$external_labels{$key} = "$URL/" . q|node30.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/edit-and-check-user-func/;
-$external_labels{$key} = "$URL/" . q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/cat-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/local-nets-var/;
-$external_labels{$key} = "$URL/" . q|node38.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/log-file-name-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/tcp-reset-delay-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/partial-connection-event/;
-$external_labels{$key} = "$URL/" . q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/debugger-usage/;
-$external_labels{$key} = "$URL/" . q|node71.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/create-expire-attr/;
-$external_labels{$key} = "$URL/" . q|node20.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/add-stmt/;
-$external_labels{$key} = "$URL/" . q|node27.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-certificate-event/;
-$external_labels{$key} = "$URL/" . q|node57.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/conn-id-resp-h-field/;
-$external_labels{$key} = "$URL/" . q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/rule-actions-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/records/;
-$external_labels{$key} = "$URL/" . q|node19.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/hot-report-script/;
-$external_labels{$key} = "$URL/" . q|node94.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/stp-common-host-thresh-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/hot-ident-exceptions-var/;
-$external_labels{$key} = "$URL/" . q|node52.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/partial-ftp-request-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/excessive-ntp-request-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/skip-accounts-tried-var/;
-$external_labels{$key} = "$URL/" . q|node40.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/can-drop-connectivity-var/;
-$external_labels{$key} = "$URL/" . q|node40.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/connection-addl-field/;
-$external_labels{$key} = "$URL/" . q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/index-expr/;
-$external_labels{$key} = "$URL/" . q|node28.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/getenv-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/dns-mapping-req-host-field/;
-$external_labels{$key} = "$URL/" . q|node46.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/activating-encryption-event/;
-$external_labels{$key} = "$URL/" . q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/pm-attempt-dump-event/;
-$external_labels{$key} = "$URL/" . q|node54.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/truncated-IP-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/add-func-attr/;
-$external_labels{$key} = "$URL/" . q|node30.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/BRO-PREFIXES-env/;
-$external_labels{$key} = "$URL/" . q|node6.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/cite_rfc-xdr/;
-$external_labels{$key} = "$URL/" . q|node106.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/hot-srcs-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-session-info-user-field/;
-$external_labels{$key} = "$URL/" . q|node50.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/cite_rfc-ssh/;
-$external_labels{$key} = "$URL/" . q|node106.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/shut-down-thresh-var/;
-$external_labels{$key} = "$URL/" . q|node40.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/unpaired-RPC-response-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/active-connection-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/rewrite-ident-trace-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/hot-src-24nets-var/;
-$external_labels{$key} = "$URL/" . q|node39.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/demux-dir-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/tbl:conn-record-states/;
-$external_labels{$key} = "$URL/" . q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/port-names-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/backdoor-ignore-dst-addrs-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/hot-ident-exceptions-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/conditional-expr/;
-$external_labels{$key} = "$URL/" . q|node28.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/backdoor-stat-period-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/delete-stmt/;
-$external_labels{$key} = "$URL/" . q|node27.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/HTTP-version-mismatch-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/get-login-state-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/vert-scan-thresholds-var/;
-$external_labels{$key} = "$URL/" . q|node56.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/tbl:contents-dir/;
-$external_labels{$key} = "$URL/" . q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/preserved-subnet-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/cite_x509/;
-$external_labels{$key} = "$URL/" . q|node106.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/precedence/;
-$external_labels{$key} = "$URL/" . q|node85.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/close-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-connection-info-server-cert-field/;
-$external_labels{$key} = "$URL/" . q|node57.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/allow-services-var/;
-$external_labels{$key} = "$URL/" . q|node39.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/backscatter-ports-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/tbl:portmapper-status/;
-$external_labels{$key} = "$URL/" . q|node54.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/fig:conn-record/;
-$external_labels{$key} = "$URL/" . q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/bro-signal-event/;
-$external_labels{$key} = "$URL/" . q|node36.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/omit-rewrite-place-holder-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/report-remote-accounts-tried-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/max-finger-request-len-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-demux-disabled-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/RST-with-data-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ssh-log-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-reply-event/;
-$external_labels{$key} = "$URL/" . q|node50.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/finger-analyzer-module/;
-$external_labels{$key} = "$URL/" . q|node47.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/parse-ftp-pasv-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/public-ident-user-ids-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/analyzer-scan/;
-$external_labels{$key} = "$URL/" . q|node40.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/fig:x509/;
-$external_labels{$key} = "$URL/" . q|node57.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/hostnames/;
-$external_labels{$key} = "$URL/" . q|node17.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/const-stmt/;
-$external_labels{$key} = "$URL/" . q|node27.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/hot-login-ids-var/;
-$external_labels{$key} = "$URL/" . q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/distinct-backscatter-peers-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/temporal-ops/;
-$external_labels{$key} = "$URL/" . q|node15.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/table-access/;
-$external_labels{$key} = "$URL/" . q|node20.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/dns-mapping-req-addr-field/;
-$external_labels{$key} = "$URL/" . q|node46.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/scope_of_local_variables/;
-$external_labels{$key} = "$URL/" . q|node27.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/account-tried/;
-$external_labels{$key} = "$URL/" . q|node40.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/RPC-okay-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/allow-pairs-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/report-rejected-PTR-factor-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/bad-HTTP-version-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-min-duration-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/compound-stmt/;
-$external_labels{$key} = "$URL/" . q|node27.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/conn-state-func/;
-$external_labels{$key} = "$URL/" . q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/rlogin-id-okay-if-no-password-exposed-var/;
-$external_labels{$key} = "$URL/" . q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-skip-hot-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/tbl:weird-action/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/field-attrs/;
-$external_labels{$key} = "$URL/" . q|node19.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/pm-attempt-getport-event/;
-$external_labels{$key} = "$URL/" . q|node54.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/public-ident-systems-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/capture-filter-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/finger-reply-event/;
-$external_labels{$key} = "$URL/" . q|node47.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/login-failure-msgs-var/;
-$external_labels{$key} = "$URL/" . q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/timer-expiration/;
-$external_labels{$key} = "$URL/" . q|node28.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/bad-ident-reply-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/record-dollar/;
-$external_labels{$key} = "$URL/" . q|node19.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/excessively-small-fragment-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/tcp-close-delay-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/possible-split-routing-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/stepping-analyzer-module/;
-$external_labels{$key} = "$URL/" . q|node60.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/log-HTTP-data-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/rewriting-smtp-trace-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-not-actually-hot-files-var/;
-$external_labels{$key} = "$URL/" . q|node50.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-connection-info-client-cert-field/;
-$external_labels{$key} = "$URL/" . q|node57.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/smtp-session-by-message-id-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/terminate-successful-inbound-service-var/;
-$external_labels{$key} = "$URL/" . q|node39.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/current-time-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/did-stone-summary-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/RPC-dump-okay-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/function_call-expr/;
-$external_labels{$key} = "$URL/" . q|node28.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/incompletely-captured-fragment-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/analyzer-ssl/;
-$external_labels{$key} = "$URL/" . q|node57.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/next-stmt/;
-$external_labels{$key} = "$URL/" . q|node27.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/local-addresses/;
-$external_labels{$key} = "$URL/" . q|node38.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/analyzer-interconn/;
-$external_labels{$key} = "$URL/" . q|node63.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/http-sig-disabled-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/actually-rejected-PTR-anno-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/anon-log-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/authentication-rejected-event/;
-$external_labels{$key} = "$URL/" . q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/rel-operators/;
-$external_labels{$key} = "$URL/" . q|node11.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/full-output-trouble-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/backdoor-ignore-ports-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/flag-F/;
-$external_labels{$key} = "$URL/" . q|node6.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/rlogin-text-after-rejected-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/bro-init-file/;
-$external_labels{$key} = "$URL/" . q|node92.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/local-code-red-response-pgm-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/accounts-tried-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/shut-down-scans-var/;
-$external_labels{$key} = "$URL/" . q|node40.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/open-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/process-smtp-relay-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/flag-O/;
-$external_labels{$key} = "$URL/" . q|node6.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/flag-P/;
-$external_labels{$key} = "$URL/" . q|node6.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/login-success-msgs-var/;
-$external_labels{$key} = "$URL/" . q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/to-upper-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/NUL-in-line-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/stp-random-pair-thresh-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/sensitive-URIs-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/pending-data-when-closed-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/add-tcpdump-filter-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/report-peer-scan-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/flag-W/;
-$external_labels{$key} = "$URL/" . q|node6.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/conn-size-func/;
-$external_labels{$key} = "$URL/" . q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-analyzer-module/;
-$external_labels{$key} = "$URL/" . q|node50.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/worm-type-list-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/print-stmt/;
-$external_labels{$key} = "$URL/" . q|node27.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/net-stats-update-event/;
-$external_labels{$key} = "$URL/" . q|node36.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/report-port-scan-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-default-pkt-size-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/filtering/;
-$external_labels{$key} = "$URL/" . q|node35.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/conn-record/;
-$external_labels{$key} = "$URL/" . q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/pm-request-null-event/;
-$external_labels{$key} = "$URL/" . q|node54.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-analyze-certificates-var/;
-$external_labels{$key} = "$URL/" . q|node57.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/cite_rfc-http-1-0/;
-$external_labels{$key} = "$URL/" . q|node106.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/flag-f/;
-$external_labels{$key} = "$URL/" . q|node6.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/cite_RFC791/;
-$external_labels{$key} = "$URL/" . q|node106.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/cite_rfc-http-1-1/;
-$external_labels{$key} = "$URL/" . q|node106.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-session-info-log-it-field/;
-$external_labels{$key} = "$URL/" . q|node50.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/flag-h/;
-$external_labels{$key} = "$URL/" . q|node6.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/cite_RFC793/;
-$external_labels{$key} = "$URL/" . q|node106.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/flag-i/;
-$external_labels{$key} = "$URL/" . q|node6.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/skip-authentication-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/tbl:check-hot-states/;
-$external_labels{$key} = "$URL/" . q|node39.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/flag-p/;
-$external_labels{$key} = "$URL/" . q|node6.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/terminate-successful-inbound-service-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/weird-ignore-host-var/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ntp-session-timeout-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/flag-r/;
-$external_labels{$key} = "$URL/" . q|node6.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/neighbor-24-nets-var/;
-$external_labels{$key} = "$URL/" . q|node38.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/flag-s/;
-$external_labels{$key} = "$URL/" . q|node6.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/analy-analyzer-module/;
-$external_labels{$key} = "$URL/" . q|node55.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ident-request-addendum-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/flag-v/;
-$external_labels{$key} = "$URL/" . q|node6.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/flag-w/;
-$external_labels{$key} = "$URL/" . q|node6.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/originator-RPC-reply-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ident-error-event/;
-$external_labels{$key} = "$URL/" . q|node52.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/fig:print-filter/;
-$external_labels{$key} = "$URL/" . q|node35.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/report-outbound-peer-scan-var/;
-$external_labels{$key} = "$URL/" . q|node40.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/flag-rejected-service-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/sigs-actions/;
-$external_labels{$key} = "$URL/" . q|node66.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/cite_RFC2373/;
-$external_labels{$key} = "$URL/" . q|node106.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/cite_RFC1644/;
-$external_labels{$key} = "$URL/" . q|node106.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/rpc-programs-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/have-SMTP-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/tcp-reassembler-ports-orig-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/values-types-constants/;
-$external_labels{$key} = "$URL/" . q|node8.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/to-net-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/hot-names-var/;
-$external_labels{$key} = "$URL/" . q|node47.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/record-assign/;
-$external_labels{$key} = "$URL/" . q|node19.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/table-assign/;
-$external_labels{$key} = "$URL/" . q|node20.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/notes/;
-$external_labels{$key} = "$URL/" . q|node72.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/enable-brov6-config/;
-$external_labels{$key} = "$URL/" . q|node6.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/partial-RPC-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/rexmit-inconsistency-event/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/software-file-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/hot-terminal-types-var/;
-$external_labels{$key} = "$URL/" . q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/predefineds-time/;
-$external_labels{$key} = "$URL/" . q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-excessive-filename-len-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-ignore-invalid-PORT-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/connection-reset-event/;
-$external_labels{$key} = "$URL/" . q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/is-ftp-data-conn-func/;
-$external_labels{$key} = "$URL/" . q|node50.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/sigs-header/;
-$external_labels{$key} = "$URL/" . q|node66.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/report-remote-accounts-tried-var/;
-$external_labels{$key} = "$URL/" . q|node40.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/conn-id-orig-p-field/;
-$external_labels{$key} = "$URL/" . q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/mime-sessions-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/hot-ids-analyzer-module/;
-$external_labels{$key} = "$URL/" . q|node49.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/event_scheduling-expr/;
-$external_labels{$key} = "$URL/" . q|node28.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/allow-excessive-ntp-requests-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/discarders/;
-$external_labels{$key} = "$URL/" . q|node99.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-connection-info-id-index-field/;
-$external_labels{$key} = "$URL/" . q|node57.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/tcp-partial-close-delay-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-session-info-request-t-field/;
-$external_labels{$key} = "$URL/" . q|node50.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/connection-hot-field/;
-$external_labels{$key} = "$URL/" . q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/rpc-timeout-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/login-input-line-event/;
-$external_labels{$key} = "$URL/" . q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/authentication-skipped-event/;
-$external_labels{$key} = "$URL/" . q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/load-directive/;
-$external_labels{$key} = "$URL/" . q|node88.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/cite_rfc-rlogin/;
-$external_labels{$key} = "$URL/" . q|node106.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/table-expire-interval-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/discarder-maxlen-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/smtp-session-by-recipient-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/endpoint-id-func/;
-$external_labels{$key} = "$URL/" . q|node41.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-log-file/;
-$external_labels{$key} = "$URL/" . q|node57.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/net-ops/;
-$external_labels{$key} = "$URL/" . q|node18.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/connection-start-time-field/;
-$external_labels{$key} = "$URL/" . q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/discarder-check-udp-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/record_field_access-expr/;
-$external_labels{$key} = "$URL/" . q|node28.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/login-timeouts-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/input-wait-for-output-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/skip-outbound-services-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/skip-outbound-services-var/;
-$external_labels{$key} = "$URL/" . q|node40.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-ignore-privileged-PASVs-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/login-success-msgs-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/analyzer-http/;
-$external_labels{$key} = "$URL/" . q|node51.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/HTTP-unknown-method-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/excess-RPC-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/min-double-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/pm-attempt-callit-event/;
-$external_labels{$key} = "$URL/" . q|node54.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/set-buf-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/step-log-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/forbidden-ids-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/login-non-failure-msgs-var/;
-$external_labels{$key} = "$URL/" . q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/discarder-check-icmp-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/edited-input-trouble-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-min-7bit-ascii-ratio-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/backdoor-standard-ports-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/excessive-RPC-len-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/smtp-session-by-content-hash-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/pm-attempt-func/;
-$external_labels{$key} = "$URL/" . q|node54.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/fig:ssl-connection-info/;
-$external_labels{$key} = "$URL/" . q|node57.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/increment-expr/;
-$external_labels{$key} = "$URL/" . q|node28.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/table-decl/;
-$external_labels{$key} = "$URL/" . q|node20.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/direct-login-prompts-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/play-back/;
-$external_labels{$key} = "$URL/" . q|node98.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/signature-match-event/;
-$external_labels{$key} = "$URL/" . q|node56.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/cite_rfc-finger/;
-$external_labels{$key} = "$URL/" . q|node106.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/tcp-reassembler-ports-resp-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/log-hook-func/;
-$external_labels{$key} = "$URL/" . q|node43.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/analyzer-signature/;
-$external_labels{$key} = "$URL/" . q|node56.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/predefineds/;
-$external_labels{$key} = "$URL/" . q|node31.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-ignore-standard-ports-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/conn-tag-info-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-data-expected-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/weird-action-filters-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-hot-files-var/;
-$external_labels{$key} = "$URL/" . q|node50.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/FIN-advanced-last-seq-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/cite_rfc-x11/;
-$external_labels{$key} = "$URL/" . q|node106.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ssh-min-num-pkts-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/addl-web-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/login-confused-event/;
-$external_labels{$key} = "$URL/" . q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/expire-func-attr/;
-$external_labels{$key} = "$URL/" . q|node20.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/dns-mapping-hostname-field/;
-$external_labels{$key} = "$URL/" . q|node46.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/conn-summaries/;
-$external_labels{$key} = "$URL/" . q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/neighbor-16-nets-var/;
-$external_labels{$key} = "$URL/" . q|node38.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/allow-pairs-var/;
-$external_labels{$key} = "$URL/" . q|node39.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/stp-delta-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/udp-request-event/;
-$external_labels{$key} = "$URL/" . q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/any-RPC-okay-var/;
-$external_labels{$key} = "$URL/" . q|node54.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/responder-RPC-call-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/cite_rfc-telnet-options/;
-$external_labels{$key} = "$URL/" . q|node106.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/record-constants/;
-$external_labels{$key} = "$URL/" . q|node19.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/table-init/;
-$external_labels{$key} = "$URL/" . q|node20.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/telnet-sig-disabled-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/skip-unexpected-net-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-conn-weak-event/;
-$external_labels{$key} = "$URL/" . q|node57.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/logical-expr/;
-$external_labels{$key} = "$URL/" . q|node28.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/new-connection-event/;
-$external_labels{$key} = "$URL/" . q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/allow-spoof-services-var/;
-$external_labels{$key} = "$URL/" . q|node39.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/direct-login-prompts-var/;
-$external_labels{$key} = "$URL/" . q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-conn-reused-event/;
-$external_labels{$key} = "$URL/" . q|node57.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/min-count-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/type-inference/;
-$external_labels{$key} = "$URL/" . q|node30.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/syn-fin-filtering/;
-$external_labels{$key} = "$URL/" . q|node82.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/allow-services-to-var/;
-$external_labels{$key} = "$URL/" . q|node39.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/fig:dns-mapping/;
-$external_labels{$key} = "$URL/" . q|node46.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/skip-logins-to-var/;
-$external_labels{$key} = "$URL/" . q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/hot-srcs-var/;
-$external_labels{$key} = "$URL/" . q|node39.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/report-accounts-tried-var/;
-$external_labels{$key} = "$URL/" . q|node40.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/SSL-analyzer-module/;
-$external_labels{$key} = "$URL/" . q|node57.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/root-backdoor-sig-conns-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/partial-portmapper-request-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/connection-pending-event/;
-$external_labels{$key} = "$URL/" . q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/did-PTR-scan-event-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/report-outbound-peer-scan-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/prefixes/;
-$external_labels{$key} = "$URL/" . q|node75.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/record_field_test-expr/;
-$external_labels{$key} = "$URL/" . q|node28.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/function-call-expr/;
-$external_labels{$key} = "$URL/" . q|node28.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/report-rejected-PTR-thresh-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/premature-connection-reuse-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-conns-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/login-timeouts-var/;
-$external_labels{$key} = "$URL/" . q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/conn-id-resp-p-field/;
-$external_labels{$key} = "$URL/" . q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-session-info-log-if-not-denied-field/;
-$external_labels{$key} = "$URL/" . q|node50.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-log/;
-$external_labels{$key} = "$URL/" . q|node57.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/analyzer-finger/;
-$external_labels{$key} = "$URL/" . q|node47.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-certificate-seen-event/;
-$external_labels{$key} = "$URL/" . q|node57.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/watchdog-interval-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/write-file/;
-$external_labels{$key} = "$URL/" . q|node76.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/hot-telnet-orig-ports-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/edit-and-check-password-func/;
-$external_labels{$key} = "$URL/" . q|node53.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/boolean-constants/;
-$external_labels{$key} = "$URL/" . q|node10.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/fragment-overlap-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/is-local-addr-func/;
-$external_labels{$key} = "$URL/" . q|node38.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/hot-ident-ids-var/;
-$external_labels{$key} = "$URL/" . q|node52.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/maintain-http-sessions-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-sessions-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/tcp-SYN-timeout-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/connection-duration-field/;
-$external_labels{$key} = "$URL/" . q|node37.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/rlogin-id-okay-if-no-password-exposed-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/same-local-net-is-spoof-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/input-trouble-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/drop-address-func/;
-$external_labels{$key} = "$URL/" . q|node40.html|; 
-$noresave{$key} = "$nosave";
-
-$key = q/bro-init-event/;
-$external_labels{$key} = "$URL/" . q|node36.html|; 
-$noresave{$key} = "$nosave";
-
-1;
-
-
-# LaTeX2HTML 2002-2 (1.70)
-# labels from external_latex_labels array.
-
-
-1;
-
diff --git a/doc/old/manual/manual.css b/doc/old/manual/manual.css
deleted file mode 100644
index d1824aff42..0000000000
--- a/doc/old/manual/manual.css
+++ /dev/null
@@ -1,30 +0,0 @@
-/* Century Schoolbook font is very similar to Computer Modern Math: cmmi */
-.MATH    { font-family: "Century Schoolbook", serif; }
-.MATH I  { font-family: "Century Schoolbook", serif; font-style: italic }
-.BOLDMATH { font-family: "Century Schoolbook", serif; font-weight: bold }
-
-/* implement both fixed-size and relative sizes */
-SMALL.XTINY		{ font-size : xx-small }
-SMALL.TINY		{ font-size : x-small  }
-SMALL.SCRIPTSIZE	{ font-size : smaller  }
-SMALL.FOOTNOTESIZE	{ font-size : small    }
-SMALL.SMALL		{  }
-BIG.LARGE		{  }
-BIG.XLARGE		{ font-size : large    }
-BIG.XXLARGE		{ font-size : x-large  }
-BIG.HUGE		{ font-size : larger   }
-BIG.XHUGE		{ font-size : xx-large }
-
-/* heading styles */
-H1		{  }
-H2		{  }
-H3		{  }
-H4		{  }
-H5		{  }
-
-/* mathematics styles */
-DIV.displaymath		{ }	/* math displays */
-TD.eqno			{ }	/* equation-number cells */
-
-
-/* document-specific styles come next */
diff --git a/doc/pubs/bro-CN99.ps b/doc/pubs/bro-CN99.ps
deleted file mode 100644
index 8ae2db3b4b..0000000000
--- a/doc/pubs/bro-CN99.ps
+++ /dev/null
@@ -1,5025 +0,0 @@
-%!PS-Adobe-2.0
-%%Creator: dvipsk 5.58f Copyright 1986, 1994 Radical Eye Software
-%%Title: bro.dvi
-%%Pages: 22
-%%PageOrder: Ascend
-%%BoundingBox: 0 0 612 792
-%%DocumentFonts: Times-Roman Times-Bold Times-Italic Courier
-%%+ Courier-Oblique
-%%EndComments
-%DVIPSCommandLine: dvips bro.dvi
-%DVIPSParameters: dpi=600, compressed, comments removed
-%DVIPSSource:  TeX output 2000.02.22:0012
-%%BeginProcSet: texc.pro
-/TeXDict 250 dict def TeXDict begin /N{def}def /B{bind def}N /S{exch}N
-/X{S N}B /TR{translate}N /isls false N /vsize 11 72 mul N /hsize 8.5 72
-mul N /landplus90{false}def /@rigin{isls{[0 landplus90{1 -1}{-1 1}
-ifelse 0 0 0]concat}if 72 Resolution div 72 VResolution div neg scale
-isls{landplus90{VResolution 72 div vsize mul 0 exch}{Resolution -72 div
-hsize mul 0}ifelse TR}if Resolution VResolution vsize -72 div 1 add mul
-TR[matrix currentmatrix{dup dup round sub abs 0.00001 lt{round}if}
-forall round exch round exch]setmatrix}N /@landscape{/isls true N}B
-/@manualfeed{statusdict /manualfeed true put}B /@copies{/#copies X}B
-/FMat[1 0 0 -1 0 0]N /FBB[0 0 0 0]N /nn 0 N /IE 0 N /ctr 0 N /df-tail{
-/nn 8 dict N nn begin /FontType 3 N /FontMatrix fntrx N /FontBBox FBB N
-string /base X array /BitMaps X /BuildChar{CharBuilder}N /Encoding IE N
-end dup{/foo setfont}2 array copy cvx N load 0 nn put /ctr 0 N[}B /df{
-/sf 1 N /fntrx FMat N df-tail}B /dfs{div /sf X /fntrx[sf 0 0 sf neg 0 0]
-N df-tail}B /E{pop nn dup definefont setfont}B /ch-width{ch-data dup
-length 5 sub get}B /ch-height{ch-data dup length 4 sub get}B /ch-xoff{
-128 ch-data dup length 3 sub get sub}B /ch-yoff{ch-data dup length 2 sub
-get 127 sub}B /ch-dx{ch-data dup length 1 sub get}B /ch-image{ch-data
-dup type /stringtype ne{ctr get /ctr ctr 1 add N}if}B /id 0 N /rw 0 N
-/rc 0 N /gp 0 N /cp 0 N /G 0 N /sf 0 N /CharBuilder{save 3 1 roll S dup
-/base get 2 index get S /BitMaps get S get /ch-data X pop /ctr 0 N ch-dx
-0 ch-xoff ch-yoff ch-height sub ch-xoff ch-width add ch-yoff
-setcachedevice ch-width ch-height true[1 0 0 -1 -.1 ch-xoff sub ch-yoff
-.1 sub]/id ch-image N /rw ch-width 7 add 8 idiv string N /rc 0 N /gp 0 N
-/cp 0 N{rc 0 ne{rc 1 sub /rc X rw}{G}ifelse}imagemask restore}B /G{{id
-gp get /gp gp 1 add N dup 18 mod S 18 idiv pl S get exec}loop}B /adv{cp
-add /cp X}B /chg{rw cp id gp 4 index getinterval putinterval dup gp add
-/gp X adv}B /nd{/cp 0 N rw exit}B /lsh{rw cp 2 copy get dup 0 eq{pop 1}{
-dup 255 eq{pop 254}{dup dup add 255 and S 1 and or}ifelse}ifelse put 1
-adv}B /rsh{rw cp 2 copy get dup 0 eq{pop 128}{dup 255 eq{pop 127}{dup 2
-idiv S 128 and or}ifelse}ifelse put 1 adv}B /clr{rw cp 2 index string
-putinterval adv}B /set{rw cp fillstr 0 4 index getinterval putinterval
-adv}B /fillstr 18 string 0 1 17{2 copy 255 put pop}for N /pl[{adv 1 chg}
-{adv 1 chg nd}{1 add chg}{1 add chg nd}{adv lsh}{adv lsh nd}{adv rsh}{
-adv rsh nd}{1 add adv}{/rc X nd}{1 add set}{1 add clr}{adv 2 chg}{adv 2
-chg nd}{pop nd}]dup{bind pop}forall N /D{/cc X dup type /stringtype ne{]
-}if nn /base get cc ctr put nn /BitMaps get S ctr S sf 1 ne{dup dup
-length 1 sub dup 2 index S get sf div put}if put /ctr ctr 1 add N}B /I{
-cc 1 add D}B /bop{userdict /bop-hook known{bop-hook}if /SI save N @rigin
-0 0 moveto /V matrix currentmatrix dup 1 get dup mul exch 0 get dup mul
-add .99 lt{/QV}{/RV}ifelse load def pop pop}N /eop{SI restore userdict
-/eop-hook known{eop-hook}if showpage}N /@start{userdict /start-hook
-known{start-hook}if pop /VResolution X /Resolution X 1000 div /DVImag X
-/IE 256 array N 0 1 255{IE S 1 string dup 0 3 index put cvn put}for
-65781.76 div /vsize X 65781.76 div /hsize X}N /p{show}N /RMat[1 0 0 -1 0
-0]N /BDot 260 string N /rulex 0 N /ruley 0 N /v{/ruley X /rulex X V}B /V
-{}B /RV statusdict begin /product where{pop product dup length 7 ge{0 7
-getinterval dup(Display)eq exch 0 4 getinterval(NeXT)eq or}{pop false}
-ifelse}{false}ifelse end{{gsave TR -.1 .1 TR 1 1 scale rulex ruley false
-RMat{BDot}imagemask grestore}}{{gsave TR -.1 .1 TR rulex ruley scale 1 1
-false RMat{BDot}imagemask grestore}}ifelse B /QV{gsave newpath transform
-round exch round exch itransform moveto rulex 0 rlineto 0 ruley neg
-rlineto rulex neg 0 rlineto fill grestore}B /a{moveto}B /delta 0 N /tail
-{dup /delta X 0 rmoveto}B /M{S p delta add tail}B /b{S p tail}B /c{-4 M}
-B /d{-3 M}B /e{-2 M}B /f{-1 M}B /g{0 M}B /h{1 M}B /i{2 M}B /j{3 M}B /k{
-4 M}B /w{0 rmoveto}B /l{p -4 w}B /m{p -3 w}B /n{p -2 w}B /o{p -1 w}B /q{
-p 1 w}B /r{p 2 w}B /s{p 3 w}B /t{p 4 w}B /x{0 S rmoveto}B /y{3 2 roll p
-a}B /bos{/SS save N}B /eos{SS restore}B end
-%%EndProcSet
-%%BeginFont: Times-Roman
-% @psencodingfile{
-%   author = "P. MacKay, Alan Jeffrey, S. Rahtz, K. Berry, B. Horn",
-%   version = "0.2",
-%   date = "7 September 94",
-%   filename = "8r.enc",
-%   email = "kb@cs.umb.edu",
-%   address = "135 Center Hill Rd. // Plymouth, MA 02360",
-%   codetable = "ISO/ASCII",
-%   checksum = "xx",
-%   docstring = "Encoding for TrueType or Type 1 fonts to be used with TeX."
-% }
-% 
-% Idea is to have all the characters normally included in Type 1 fonts
-% available for typesetting. This is effectively the characters in Adobe
-% Standard Encoding + ISO Latin 1 + extra characters from Lucida.
-% 
-% Character code assignments were made as follows:
-% 
-% (1) the Windows ANSI characters are in their Windows ANSI positions,
-% because Windows users cannot easily reencode the fonts, and it makes
-% no difference on other systems. The only Windows ANSI characters not
-% available are those that make no sense for typesetting -- rubout
-% (127 decimal), nobreakspace (160), softhyphen (173).
-% 
-% (2) The caron and dotlessi characters are in the positions used by
-% Y&Y for their modified ATM encoding.
-% 
-% (3) Remaining characters are assigned arbitrarily to the first few
-% positions.
-% 
-% (4) (Y&Y) Lucida Bright includes some extra text characters; in the
-% hopes that other PostScript fonts, perhaps created for public
-% consumption, will include them, they are included starting at 0x10.
-% 
-% (5) Remaining positions left undefined are for use in (hopefully)
-% upward-compatible revisions, if someday more characters are generally
-% available in the Type 1 fonts.
-% 
-% Ligatures are omitted, since this encoding is intended for use at the
-% driver end. Including ligatures and kerns would make the TFM files
-% much larger, to no particular purpose. If someone actually wants to
-% typeset in this encoding, they can pick a different name, and regenerate
-% the fonts.
- 
-/TeXBase1Encoding [
-% 0x00 (encoded characters from Adobe Standard not in Windows 3.1)
-  /breve /dotaccent /fi /fl
-  /fraction /hungarumlaut /Lslash /lslash
-  /ogonek /ring /tilde /minus
-  % These are the only two remaining unencoded characters, so may as
-  % well include them.
-  /Zcaron /zcaron /.notdef /.notdef
-% 0x10 (TeX characters from, e.g., Lucida Bright)
- /dotlessj /ff /ffi /ffl /.notdef /.notdef /.notdef /.notdef
- /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef
-% 0x20 (ASCII begins)
- /space /exclam /quotedbl /numbersign
- /dollar /percent /ampersand /quotesingle
- /parenleft /parenright /asterisk /plus /comma /hyphen /period /slash
-% 0x30
- /zero /one /two /three /four /five /six /seven
- /eight /nine /colon /semicolon /less /equal /greater /question
-% 0x40
- /at /A /B /C /D /E /F /G /H /I /J /K /L /M /N /O
-% 0x50
- /P /Q /R /S /T /U /V /W
- /X /Y /Z /bracketleft /backslash /bracketright /asciicircum /underscore
-% 0x60
- /grave /a /b /c /d /e /f /g /h /i /j /k /l /m /n /o
-% 0x70
- /p /q /r /s /t /u /v /w
- /x /y /z /braceleft /bar /braceright /asciitilde
- /.notdef % rubout; ASCII ends
-% 0x80
- /.notdef /.notdef /quotesinglbase /florin
- /quotedblbase /ellipsis /dagger /daggerdbl
- /circumflex /perthousand /Scaron /guilsinglleft
- /OE
- /caron % Y&Y
- /.notdef
- /.notdef
-% 0x90
- /.notdef /quoteleft /quoteright /quotedblleft
- /quotedblright /bullet /endash /emdash
- /tildeaccent /trademark /scaron /guilsinglright
- /oe
- /dotlessi % Y&Y
- /.notdef
- /Ydieresis
-% 0xA0
- /.notdef % nobreakspace
- /exclamdown /cent /sterling
- /currency /yen /brokenbar /section
- /dieresis /copyright /ordfeminine /guillemotleft
- /logicalnot
- /hyphen % Y&Y (also at 45); Windows' softhyphen
- /registered
- /macron
-% 0xD0
- /degree /plusminus /twosuperior /threesuperior
- /acute /mu /paragraph /periodcentered
- /cedilla /onesuperior /ordmasculine /guillemotright
- /onequarter /onehalf /threequarters /questiondown
-% 0xC0
- /Agrave /Aacute /Acircumflex /Atilde /Adieresis /Aring /AE /Ccedilla
- /Egrave /Eacute /Ecircumflex /Edieresis
- /Igrave /Iacute /Icircumflex /Idieresis
-% 0xD0
- /Eth /Ntilde /Ograve /Oacute
- /Ocircumflex /Otilde /Odieresis /multiply
- /Oslash /Ugrave /Uacute /Ucircumflex
- /Udieresis /Yacute /Thorn /germandbls
-% 0xE0
- /agrave /aacute /acircumflex /atilde
- /adieresis /aring /ae /ccedilla
- /egrave /eacute /ecircumflex /edieresis
- /igrave /iacute /icircumflex /idieresis
-% 0xF0
- /eth /ntilde /ograve /oacute
- /ocircumflex /otilde /odieresis /divide
- /oslash /ugrave /uacute /ucircumflex
- /udieresis /yacute /thorn /ydieresis
-] def
-%%EndFont
-%%BeginProcSet: texps.pro
-TeXDict begin /rf{findfont dup length 1 add dict begin{1 index /FID ne 2
-index /UniqueID ne and{def}{pop pop}ifelse}forall[1 index 0 6 -1 roll
-exec 0 exch 5 -1 roll VResolution Resolution div mul neg 0 0]/Metrics
-exch def dict begin Encoding{exch dup type /integertype ne{pop pop 1 sub
-dup 0 le{pop}{[}ifelse}{FontMatrix 0 get div Metrics 0 get div def}
-ifelse}forall Metrics /Metrics currentdict end def[2 index currentdict
-end definefont 3 -1 roll makefont /setfont load]cvx def}def
-/ObliqueSlant{dup sin S cos div neg}B /SlantFont{4 index mul add}def
-/ExtendFont{3 -1 roll mul exch}def /ReEncodeFont{/Encoding exch def}def
-end
-%%EndProcSet
-%%BeginProcSet: special.pro
-TeXDict begin /SDict 200 dict N SDict begin /@SpecialDefaults{/hs 612 N
-/vs 792 N /ho 0 N /vo 0 N /hsc 1 N /vsc 1 N /ang 0 N /CLIP 0 N /rwiSeen
-false N /rhiSeen false N /letter{}N /note{}N /a4{}N /legal{}N}B
-/@scaleunit 100 N /@hscale{@scaleunit div /hsc X}B /@vscale{@scaleunit
-div /vsc X}B /@hsize{/hs X /CLIP 1 N}B /@vsize{/vs X /CLIP 1 N}B /@clip{
-/CLIP 2 N}B /@hoffset{/ho X}B /@voffset{/vo X}B /@angle{/ang X}B /@rwi{
-10 div /rwi X /rwiSeen true N}B /@rhi{10 div /rhi X /rhiSeen true N}B
-/@llx{/llx X}B /@lly{/lly X}B /@urx{/urx X}B /@ury{/ury X}B /magscale
-true def end /@MacSetUp{userdict /md known{userdict /md get type
-/dicttype eq{userdict begin md length 10 add md maxlength ge{/md md dup
-length 20 add dict copy def}if end md begin /letter{}N /note{}N /legal{}
-N /od{txpose 1 0 mtx defaultmatrix dtransform S atan/pa X newpath
-clippath mark{transform{itransform moveto}}{transform{itransform lineto}
-}{6 -2 roll transform 6 -2 roll transform 6 -2 roll transform{
-itransform 6 2 roll itransform 6 2 roll itransform 6 2 roll curveto}}{{
-closepath}}pathforall newpath counttomark array astore /gc xdf pop ct 39
-0 put 10 fz 0 fs 2 F/|______Courier fnt invertflag{PaintBlack}if}N
-/txpose{pxs pys scale ppr aload pop por{noflips{pop S neg S TR pop 1 -1
-scale}if xflip yflip and{pop S neg S TR 180 rotate 1 -1 scale ppr 3 get
-ppr 1 get neg sub neg ppr 2 get ppr 0 get neg sub neg TR}if xflip yflip
-not and{pop S neg S TR pop 180 rotate ppr 3 get ppr 1 get neg sub neg 0
-TR}if yflip xflip not and{ppr 1 get neg ppr 0 get neg TR}if}{noflips{TR
-pop pop 270 rotate 1 -1 scale}if xflip yflip and{TR pop pop 90 rotate 1
--1 scale ppr 3 get ppr 1 get neg sub neg ppr 2 get ppr 0 get neg sub neg
-TR}if xflip yflip not and{TR pop pop 90 rotate ppr 3 get ppr 1 get neg
-sub neg 0 TR}if yflip xflip not and{TR pop pop 270 rotate ppr 2 get ppr
-0 get neg sub neg 0 S TR}if}ifelse scaleby96{ppr aload pop 4 -1 roll add
-2 div 3 1 roll add 2 div 2 copy TR .96 dup scale neg S neg S TR}if}N /cp
-{pop pop showpage pm restore}N end}if}if}N /normalscale{Resolution 72
-div VResolution 72 div neg scale magscale{DVImag dup scale}if 0 setgray}
-N /psfts{S 65781.76 div N}N /startTexFig{/psf$SavedState save N userdict
-maxlength dict begin /magscale true def normalscale currentpoint TR
-/psf$ury psfts /psf$urx psfts /psf$lly psfts /psf$llx psfts /psf$y psfts
-/psf$x psfts currentpoint /psf$cy X /psf$cx X /psf$sx psf$x psf$urx
-psf$llx sub div N /psf$sy psf$y psf$ury psf$lly sub div N psf$sx psf$sy
-scale psf$cx psf$sx div psf$llx sub psf$cy psf$sy div psf$ury sub TR
-/showpage{}N /erasepage{}N /copypage{}N /p 3 def @MacSetUp}N /doclip{
-psf$llx psf$lly psf$urx psf$ury currentpoint 6 2 roll newpath 4 copy 4 2
-roll moveto 6 -1 roll S lineto S lineto S lineto closepath clip newpath
-moveto}N /endTexFig{end psf$SavedState restore}N /@beginspecial{SDict
-begin /SpecialSave save N gsave normalscale currentpoint TR
-@SpecialDefaults count /ocount X /dcount countdictstack N}N /@setspecial
-{CLIP 1 eq{newpath 0 0 moveto hs 0 rlineto 0 vs rlineto hs neg 0 rlineto
-closepath clip}if ho vo TR hsc vsc scale ang rotate rwiSeen{rwi urx llx
-sub div rhiSeen{rhi ury lly sub div}{dup}ifelse scale llx neg lly neg TR
-}{rhiSeen{rhi ury lly sub div dup scale llx neg lly neg TR}if}ifelse
-CLIP 2 eq{newpath llx lly moveto urx lly lineto urx ury lineto llx ury
-lineto closepath clip}if /showpage{}N /erasepage{}N /copypage{}N newpath
-}N /@endspecial{count ocount sub{pop}repeat countdictstack dcount sub{
-end}repeat grestore SpecialSave restore end}N /@defspecial{SDict begin}
-N /@fedspecial{end}B /li{lineto}B /rl{rlineto}B /rc{rcurveto}B /np{
-/SaveX currentpoint /SaveY X N 1 setlinecap newpath}N /st{stroke SaveX
-SaveY moveto}N /fil{fill SaveX SaveY moveto}N /ellipse{/endangle X
-/startangle X /yrad X /xrad X /savematrix matrix currentmatrix N TR xrad
-yrad scale 0 0 1 startangle endangle arc savematrix setmatrix}N end
-%%EndProcSet
-TeXDict begin 40258431 52099146 1000 600 600 (bro.dvi)
-@start /Fa 171[36 6[52 77[{TeXBase1Encoding ReEncodeFont}2
-58.333336 /Times-Roman rf /Fb 172[50 6[50 6[50 50 1[50
-66[{TeXBase1Encoding ReEncodeFont}5 83.333336 /Courier-Oblique
-rf /Fc 6 112 df<146014E0EB01C0EB0380EB0700130E131E5B5BA25B485AA2485AA212
-075B120F90C7FCA25A121EA2123EA35AA65AB2127CA67EA3121EA2121F7EA27F12077F12
-03A26C7EA26C7E1378A27F7F130E7FEB0380EB01C0EB00E01460135278BD20>40
-D<12C07E12707E7E7E120F6C7E6C7EA26C7E6C7EA21378A2137C133C133E131EA2131F7F
-A21480A3EB07C0A6EB03E0B2EB07C0A6EB0F80A31400A25B131EA2133E133C137C1378A2
-5BA2485A485AA2485A48C7FC120E5A5A5A5A5A13527CBD20>I<EB01C013031307131F13
-FFB5FCA2131F1200B3B3A8497E007FB512F0A31C3879B72A>49 D<ED03F090390FF00FF8
-90393FFC3C3C9039F81F707C3901F00FE03903E007C03A07C003E010000FECF000A24848
-6C7EA86C6C485AA200075C6C6C485A6D485A6D48C7FC38073FFC38060FF0000EC9FCA412
-0FA213C06CB512C015F86C14FE6CECFF804815C03A0F80007FE048C7EA0FF0003E140348
-140116F8481400A56C1401007C15F06CEC03E0003F1407D80F80EB0F80D807E0EB3F0039
-01FC01FC39007FFFF0010790C7FC26387EA52A>103 D<EA03F012FFA3120F1203B3B3AD
-487EB512C0A3123A7EB917>108 D<EB03FE90380FFF8090383E03E09038F800F8484813
-7C48487F48487F4848EB0F80001F15C090C712074815E0A2007EEC03F0A400FE15F8A900
-7E15F0A2007F14076C15E0A26C6CEB0FC0000F15806D131F6C6CEB3F006C6C137EC66C13
-F890387E03F090381FFFC0D903FEC7FC25277EA52A>111 D E /Fd
-141[72 2[72 44[72 66[{TeXBase1Encoding ReEncodeFont}3
-119.999947 /Courier rf /Fe 2 67 df<4B7E1503150782150F151FA2153FA2156F15
-CF82EC0187140315071406140E140C02187FA2EC30031460A214C013011480D903007F91
-B5FC5B90380C0001A25B13380130805B01E013005B12011203000F4A7ED8FFF890381FFF
-E0A22B2A7DA932>65 D<013FB512F816FF903A01FC001FC04AEB07E0EE03F001031401A2
-4A14F8A2130717F04A130317E0010F1407EE0FC04AEB1F80EE7E00011F495A91B512F0A2
-91388001FC013FEB007E8291C7EA1F80160F4915C0A2137EA213FEEE1F805BEE3F000001
-153E16FE49EB01F84B5A0003EC1FC0B7C7FC15F82D287DA732>I
-E /Ff 130[40 40 40 40 40 40 40 40 40 40 40 40 40 40 40
-40 40 40 40 1[40 40 40 40 40 40 40 40 40 1[40 1[40 40
-40 1[40 1[40 40 40 40 40 40 40 40 40 40 1[40 2[40 40
-1[40 40 40 40 40 40 1[40 40 40 1[40 40 40 40 40 40 40
-40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40
-40 40 33[{TeXBase1Encoding ReEncodeFont}82 66.666664
-/Courier rf /Fg 143[60 3[60 2[60 5[60 60 60 97[{
-TeXBase1Encoding ReEncodeFont}6 100.000000 /Courier rf
-/Fh 134[50 2[50 55 33 39 44 1[55 50 55 83 28 55 1[28
-55 50 33 44 55 44 55 50 6[66 3[72 1[66 55 72 1[61 78
-1[94 3[39 2[61 66 72 72 11[50 50 50 50 50 50 50 2[25
-46[{TeXBase1Encoding ReEncodeFont}42 100.000000 /Times-Bold
-rf /Fi 4 121 df<EB0FE0EB7FFC497E0003EBFF804814C04814E04814F04814F8A24814
-FCA3B612FEA86C14FCA36C14F8A26C14F06C14E06C14C06C1480C6EBFE006D5AEB0FE01F
-207BA42A>15 D<EC01F8140FEC3F80ECFC00495A495A495AA2130F5CB3A7131F5C133F49
-C7FC13FEEA03F8EA7FE048C8FCEA7FE0EA03F8EA00FE137F6D7E131F80130FB3A7801307
-A26D7E6D7E6D7EEC3F80EC0FF814011D537ABD2A>102 D<12FCEAFFC0EA07F0EA01FCEA
-007E7F80131F80130FB3A7801307806D7E6D7EEB007EEC1FF0EC07F8EC1FF0EC7E00495A
-495A495A5C130F5CB3A7131F5C133F91C7FC137E485AEA07F0EAFFC000FCC8FC1D537ABD
-2A>I<137E3801FFC03807C1E0380F0070001E1338003E131C48130C141E147E5AA3143C
-1400A3127CA37E121E7E6C7E6C7EEA00F013FCEA03FF380F8780381F01E0003E13F0EB00
-F848137CA200FC133E5A141FA6127C143F6C133EA26C137CEA0F80000713F83801E1F038
-00FFC0EB3F00130FEB03C0EB01E0EB00F01478147C143EA3141FA3123C127EA3143E1278
-12300038137C6C13786C13F0380783E03803FF8038007E00184C7ABA25>120
-D E /Fj 9 113 df<121C127FEAFF80A5EA7F00121C0909798817>58
-D<1760177017F01601A21603A21607160FA24C7EA216331673166316C3A2ED0183A2ED03
-03150683150C160115181530A21560A215C014011580DA03007FA202061300140E140C5C
-021FB5FC5CA20260C7FC5C83495A8349C8FC1306A25BA25B13385B01F01680487E000716
-FFB56C013F13FF5EA2383C7DBB3E>65 D<0103B77E4916F018FC903B0007F80003FE4BEB
-00FFF07F80020FED3FC0181F4B15E0A2141FA25DA2143F19C04B143F1980027F157F1900
-92C812FE4D5A4A4A5AEF0FF04AEC1FC005FFC7FC49B612FC5F02FCC7B4FCEF3FC00103ED
-0FE0717E5C717E1307844A1401A2130F17035CA2131F4D5A5C4D5A133F4D5A4A4A5A4D5A
-017F4BC7FC4C5A91C7EA07FC49EC3FF0B812C094C8FC16F83B397DB83F>I<902603FFF8
-91381FFFF8496D5CA2D90007030113006FEC007C02061678DA0EFF157081020C6D1460A2
-DA1C3F15E0705CEC181F82023815016F6C5C1430150702706D1303030392C7FC02607FA2
-DAE0015C701306ECC0008201016E130EEF800C5C163F0103EDC01C041F131891C713E016
-0F49EDF03818300106140717F8010E02031370EFFC60130CEE01FE011C16E004005B0118
-15FF177F1338600130153FA20170151F95C8FC01F081EA07FCB512E01706A245397DB843
->78 D<4BB4FC031F13F09238FE01FC913903F0007EDA07C0EB1F80DA1F80EB0FC0023EC7
-EA07E002FCEC03F0495A4948EC01F8495A4948EC00FC495A49C912FE49167E13FE49167F
-1201485AA2485AA2120F5B001F17FFA2485AA34848ED01FEA400FFEE03FC90C9FCA2EF07
-F8A2EF0FF0A218E0171F18C0EF3F806C167F180017FE4C5A6C6C5D1603001F4B5A6D4A5A
-000FED1F806C6C4AC7FC6D147E0003EC01F8D801FC495AD8007EEB0FC090263F807FC8FC
-903807FFF801001380383D7CBA3F>I<0003B812FEA25A903AF8003FC00101C091388000
-7E4848163C90C7007F141C121E001C92C7FCA2485CA200305C007017180060130112E048
-5CA21403C716005DA21407A25DA2140FA25DA2141FA25DA2143FA25DA2147FA292C9FCA2
-5CA25CA21301A25CA21303A25CEB0FFC003FB6FC5AA237397EB831>84
-D<EB03F0EA01FFA3EA00075CA3130F5CA3131F5CA3133F91C8FCA35B017EEB07C0ED1FF0
-ED783801FEEBE0F89039FC01C1FCEC0383EC07070001130ED9F81C13F891383803F09138
-7001E0000349C7FCEBF1C0EBF38001F7C8FCEA07FEA2EBFFE0EBE7F8380FE0FEEBC07F6E
-7E141F001F80D9800F1330A21670003F011F136001001380A216E04815C0007E1481020F
-1380158300FE903807870048EB03FE0038EB00F8263B7CB92B>107
-D<D803E0137F3A07F801FFE03A0E3C0781F03A1C3E1E00F826383F387F00305B4A137C00
-705B00605BA200E090C712FC485A137EA20000140101FE5C5BA2150300015D5B15075E12
-0349010F133016C0031F13700007ED80605B17E0EE00C0000F15014915801603EE070000
-1FEC0F0E49EB07FC0007C7EA01F02C267EA432>110 D<90390F8003F090391FE00FFC90
-3939F03C1F903A70F8700F80903AE0FDE007C09038C0FF80030013E00001491303018015
-F05CEA038113015CA2D800031407A25CA20107140FA24A14E0A2010F141F17C05CEE3F80
-131FEE7F004A137E16FE013F5C6E485A4B5A6E485A90397F700F80DA383FC7FC90387E1F
-FCEC07E001FEC9FCA25BA21201A25BA21203A25B1207B512C0A32C3583A42A>112
-D E /Fk 5 54 df<13E01201120712FF12F91201B3A7487EB512C0A212217AA01E>49
-D<EA01FC3807FF80381C0FC0383003E0386001F0EB00F812F86C13FCA2147C1278003013
-FCC7FC14F8A2EB01F0EB03E014C0EB0780EB0F00131E13385B5B3801C00CEA0380380600
-185A5A383FFFF85AB512F0A216217CA01E>I<13FF000313C0380F03E0381C00F014F800
-3E13FC147CA2001E13FC120CC712F8A2EB01F0EB03E0EB0FC03801FF00A2380003E0EB00
-F01478147C143E143F1230127812FCA2143E48137E0060137C003813F8381E03F0380FFF
-C00001130018227DA01E>I<14E01301A213031307A2130D131D13391331136113E113C1
-EA01811203EA07011206120C121C12181230127012E0B6FCA2380001E0A6EB03F0EB3FFF
-A218227DA11E>I<00101330381E01F0381FFFE014C01480EBFE00EA1BF00018C7FCA513
-FE381BFF80381F03C0381C01E0381800F014F8C71278A2147CA21230127812F8A2147848
-13F8006013F0387001E01238381E07803807FF00EA01F816227CA01E>I
-E /Fl 133[37 42 42 60 42 46 28 32 37 1[46 42 46 69 23
-46 1[23 46 42 28 37 46 37 46 42 11[60 55 46 60 1[51 65
-60 78 1[65 1[32 65 2[55 60 60 1[60 18[21 28 21 47 40[46
-2[{TeXBase1Encoding ReEncodeFont}44 83.333336 /Times-Bold
-rf /Fm 131[50 1[50 50 50 50 50 50 50 50 50 50 50 50 50
-50 50 50 50 50 50 50 50 50 50 50 50 50 3[50 50 50 3[50
-50 50 50 50 50 1[50 50 50 1[50 1[50 50 50 1[50 50 50
-50 50 50 1[50 50 50 50 1[50 1[50 50 50 50 1[50 50 50
-50 50 50 50 50 50 50 50 50 1[50 50 50 2[50 33[{
-TeXBase1Encoding ReEncodeFont}74 83.333336 /Courier rf
-/Fn 5 54 df<13381378EA01F8121F12FE12E01200B3AB487EB512F8A215267BA521>49
-D<13FF000313E0380E03F0381800F848137C48137E00787F12FC6CEB1F80A4127CC7FC15
-005C143E147E147C5C495A495A5C495A010EC7FC5B5B903870018013E0EA018039030003
-0012065A001FB5FC5A485BB5FCA219267DA521>I<13FF000313E0380F01F8381C007C00
-30137E003C133E007E133FA4123CC7123E147E147C5C495AEB07E03801FF8091C7FC3800
-01E06D7E147C80143F801580A21238127C12FEA21500485B0078133E00705B6C5B381F01
-F03807FFC0C690C7FC19277DA521>I<1438A2147814F81301A2130313071306130C131C
-131813301370136013C012011380EA03005A120E120C121C5A12305A12E0B612E0A2C7EA
-F800A7497E90383FFFE0A21B277EA621>I<0018130C001F137CEBFFF85C5C1480D819FC
-C7FC0018C8FCA7137F3819FFE0381F81F0381E0078001C7F0018133EC7FC80A21580A212
-30127C12FCA3150012F00060133E127000305B001C5B380F03E03803FFC0C648C7FC1927
-7DA521>I E /Fo 136[44 1[33 18 26 26 1[33 33 1[48 1[29
-5[29 22[44 10[44 67[{TeXBase1Encoding ReEncodeFont}12
-66.666664 /Times-Italic rf /Fp 104[66 33 1[29 29 25[33
-33 48 33 33 18 26 22 33 33 33 33 52 18 33 1[18 33 33
-22 29 33 29 33 29 3[22 1[22 41 1[48 63 1[48 41 37 44
-1[37 48 48 59 41 1[26 22 48 1[37 41 48 44 44 48 6[18
-33 33 33 33 33 33 33 33 33 33 1[17 22 17 2[22 22 22 35[37
-37 2[{TeXBase1Encoding ReEncodeFont}70 66.666664 /Times-Roman
-rf /Fq 1 4 df<136013701360A20040132000E0137038F861F0387E67E0381FFF803807
-FE00EA00F0EA07FE381FFF80387E67E038F861F038E060700040132000001300A2137013
-6014157B9620>3 D E /Fr 134[37 37 55 37 42 23 32 32 42
-42 42 42 60 23 37 1[23 42 42 23 37 42 37 42 42 8[51 69
-1[60 46 42 51 1[51 60 55 69 46 2[28 60 60 51 51 1[55
-1[51 6[28 42 1[42 3[42 1[42 1[23 21 28 3[28 28 28 35[42
-3[{TeXBase1Encoding ReEncodeFont}54 83.333336 /Times-Italic
-rf /Fs 104[83 42 1[37 37 24[37 42 42 60 42 42 23 32 28
-42 42 42 42 65 23 42 23 23 42 42 28 37 42 37 42 37 3[28
-1[28 51 60 60 78 60 60 51 46 55 60 46 60 60 74 51 60
-32 28 60 60 46 51 60 55 55 60 5[23 23 42 42 42 42 42
-42 42 42 42 42 23 21 28 21 47 1[28 28 28 1[69 3[28 29[46
-46 2[{TeXBase1Encoding ReEncodeFont}82 83.333336 /Times-Roman
-rf /Ft 134[60 60 86 1[66 40 47 53 1[66 60 66 100 33 66
-1[33 66 60 40 53 66 53 66 60 12[80 66 86 8[47 2[73 80
-3[86 6[40 60 60 60 60 60 60 60 60 60 3[40 42[66 2[{
-TeXBase1Encoding ReEncodeFont}41 119.999947 /Times-Bold
-rf /Fu 1 4 df<130C131EA50060EB01800078130739FC0C0FC0007FEB3F80393F8C7F00
-3807CCF83801FFE038007F80011EC7FCEB7F803801FFE03807CCF8383F8C7F397F0C3F80
-00FCEB0FC039781E078000601301000090C7FCA5130C1A1D7C9E23>3
-D E /Fv 134[50 50 72 50 1[28 39 33 2[50 50 1[28 50 1[28
-50 50 33 44 50 44 50 44 10[72 1[61 55 66 1[55 1[72 1[61
-2[33 5[66 66 72 92 17[25 1[25 5[78 38[{TeXBase1Encoding ReEncodeFont}35
-100.000000 /Times-Roman rf /Fw 134[72 1[104 1[72 40 56
-48 2[72 72 112 40 72 1[40 1[72 48 64 72 64 1[64 12[88
-80 96 3[104 4[48 4[104 1[96 104 6[40 12[48 45[{
-TeXBase1Encoding ReEncodeFont}28 144.000000 /Times-Roman
-rf end
-%%EndProlog
-%%BeginSetup
-%%Feature: *Resolution 600dpi
-TeXDict begin
-
-%%EndSetup
-%%Page: 1 1
-1 0 bop 180 161 a Fw(Bro:)43 b(A)36 b(System)e(for)h(Detecting)f(Netw)o
-(ork)f(Intruders)h(in)i(Real-T)-5 b(ime)1700 402 y Fv(V)-11
-b(ern)25 b(P)o(axson)854 634 y(La)o(wrence)h(Berk)o(ele)o(y)f(National)
-f(Laboratory)-6 b(,)24 b(Berk)o(ele)o(y)-6 b(,)24 b(CA)3045
-598 y Fu(\003)1878 751 y Fv(and)792 867 y(A)-11 b(T&T)24
-b(Center)i(for)f(Internet)g(Research)h(at)f(ICSI,)h(Berk)o(ele)o(y)-6
-b(,)24 b(CA)1650 983 y(v)o(ern@aciri.or)n(g)-150 1309
-y Ft(Abstract)-150 1498 y Fs(W)-7 b(e)36 b(describe)f(Bro,)k(a)c
-(stand-alone)f(system)h(for)g(detecting)f(net-)-150 1598
-y(w)o(ork)c(intruders)f(in)i(real-time)e(by)h(passi)n(v)o(ely)g
-(monitoring)e(a)j(net-)-150 1698 y(w)o(ork)23 b(link)g(o)o(v)o(er)g
-(which)g(the)g(intruder')-5 b(s)23 b(traf)n(\002c)g(transits.)36
-b(W)-7 b(e)24 b(gi)n(v)o(e)-150 1797 y(an)c(o)o(v)o(ervie)n(w)e(of)h
-(the)h(system')-5 b(s)20 b(design,)f(which)h(emphasizes)f(high-)-150
-1897 y(speed)30 b(\(FDDI-rate\))f(monitoring,)i(real-time)f
-(noti\002cation,)i(clear)-150 1996 y(separation)18 b(between)g
-(mechanism)g(and)h(polic)o(y)-5 b(,)18 b(and)g(e)o(xtensibility)-5
-b(.)-150 2096 y(T)e(o)21 b(achie)n(v)o(e)f(these)h(ends,)g(Bro)g(is)h
-(di)n(vided)d(into)i(an)g(\223e)n(v)o(ent)f(engine\224)-150
-2196 y(that)e(reduces)f(a)h(k)o(ernel-\002ltered)e(netw)o(ork)g(traf)n
-(\002c)i(stream)f(into)h(a)g(se-)-150 2295 y(ries)27
-b(of)f(higher)n(-le)n(v)o(el)f(e)n(v)o(ents,)i(and)f(a)h(\223polic)o(y)
-f(script)g(interpreter\224)-150 2395 y(that)33 b(interprets)g(e)n(v)o
-(ent)f(handlers)g(written)h(in)h(a)f(specialized)g(lan-)-150
-2495 y(guage)17 b(used)g(to)h(e)o(xpress)g(a)g(site')-5
-b(s)19 b(security)e(polic)o(y)-5 b(.)23 b(Ev)o(ent)17
-b(handlers)-150 2594 y(can)24 b(update)f(state)i(information,)e
-(synthesize)h(ne)n(w)g(e)n(v)o(ents,)g(record)-150 2694
-y(information)e(to)i(disk,)g(and)g(generate)e(real-time)i
-(noti\002cations)f(via)-150 2793 y Fr(syslo)o(g)p Fs(.)62
-b(W)-7 b(e)34 b(also)f(discuss)g(a)g(number)d(of)j(attacks)f(that)h
-(attempt)-150 2893 y(to)25 b(sub)o(v)o(ert)f(passi)n(v)o(e)h
-(monitoring)e(systems)j(and)f(defenses)f(against)-150
-2993 y(these,)k(and)f(gi)n(v)o(e)f(particulars)f(of)i(ho)n(w)f(Bro)h
-(analyzes)f(the)h(six)g(ap-)-150 3092 y(plications)22
-b(inte)o(grated)e(into)i(it)h(so)g(f)o(ar:)29 b(Finger)m(,)22
-b(FTP)-9 b(,)22 b(Portmapper)m(,)-150 3192 y(Ident,)d(T)-6
-b(elnet)20 b(and)f(Rlogin.)24 b(The)c(system)g(is)h(publicly)d(a)n(v)n
-(ailable)h(in)-150 3292 y(source)g(code)h(form.)-150
-3584 y Ft(1)119 b(Intr)n(oduction)-150 3774 y Fs(W)m(ith)31
-b(gro)n(wing)f(Internet)g(connecti)n(vity)f(comes)i(gro)n(wing)e(oppor)
-n(-)-150 3873 y(tunities)j(for)e(attack)o(ers)i(to)f(illicitly)h
-(access)h(computers)c(o)o(v)o(er)i(the)-150 3973 y(netw)o(ork.)51
-b(The)29 b(problem)e(of)i(detecting)f(such)h(attacks)g(is)h(termed)-150
-4073 y Fr(network)19 b(intrusion)f(detection)p Fs(,)g(a)h(relati)n(v)o
-(ely)f(ne)n(w)g(area)h(of)f(security)-150 4172 y(research)29
-b([MHL94)n(].)53 b(W)-7 b(e)31 b(can)e(di)n(vide)g(these)h(systems)g
-(into)f(tw)o(o)-150 4272 y(types,)h(those)f(that)g(rely)f(on)g(audit)g
-(information)f(gathered)f(by)j(the)-150 4372 y(hosts)19
-b(in)h(the)f(netw)o(ork)e(the)o(y)i(are)g(trying)f(to)h(protect,)f(and)
-h(those)f(that)-150 4471 y(operate)24 b(\223stand-alone\224)f(by)h
-(observing)f(netw)o(ork)h(traf)n(\002c)h(directly)-5
-b(,)-150 4571 y(and)23 b(passi)n(v)o(ely)-5 b(,)23 b(using)g(a)h(pack)o
-(et)f(\002lter)-5 b(.)36 b(There)23 b(is)i(also)f(increasing)-150
-4670 y(interest)29 b(in)f(b)n(uilding)f(hybrid)g(systems)i(that)g
-(combine)e(these)h(tw)o(o)-150 4770 y(approaches)18 b([Ax99)n(].)p
--150 4850 801 4 v -66 4903 a Fq(\003)-30 4927 y Fp(This)f(paper)h
-(appears)h(in)f Fo(Computer)g(Networks)p Fp(,)h(31\(23\22624\),)f(pp.)g
-(2435\2262463,)-150 5006 y(14)i(Dec.)h(1999.)31 b(This)20
-b(w)o(ork)g(w)o(as)h(supported)h(by)e(the)h(Director)m(,)i(Of)n(\002ce)
-e(of)f(Ener)o(gy)-150 5085 y(Research,)k(Of)n(\002ce)e(of)f
-(Computational)k(and)d(T)-5 b(echnology)23 b(Research,)h(Mathemati-)
--150 5163 y(cal,)17 b(Information,)i(and)e(Computational)j(Sciences)f
-(Di)n(vision)f(of)f(the)g(United)h(States)-150 5242 y(Department)k(of)f
-(Ener)o(gy)f(under)h(Contract)i(No.)c(DE-A)m(C03-76SF00098.)32
-b(An)20 b(ear)o(-)-150 5321 y(lier)j(v)o(ersion)g(of)f(this)g(paper)h
-(appeared)h(in)e(the)h(Proceedings)h(of)e(the)g(7th)h(USENIX)-150
-5400 y(Security)c(Symposium,)e(San)g(Antonio,)h(TX,)d(January)k(1998.)
-2132 1309 y Fs(In)25 b(this)h(paper)e(we)i(focus)f(on)g(the)g(problem)f
-(of)h(b)n(uilding)f(stand-)2049 1408 y(alone)15 b(systems,)i(which)e
-(we)h(will)h(term)e(\223monitors.)-6 b(\224)22 b(Though)14
-b(mon-)2049 1508 y(itors)28 b(necessarily)g(f)o(ace)g(the)g(dif)n
-(\002culties)g(of)g(more)g(limited)g(infor)n(-)2049 1607
-y(mation)35 b(than)g(systems)h(with)f(access)h(to)g(audit)f(trails,)40
-b(monitors)2049 1707 y(also)26 b(gain)f(the)g(major)g(bene\002t)h(that)
-f(the)o(y)g(can)h(be)f(added)g(to)h(a)g(net-)2049 1807
-y(w)o(ork)k(without)g(requiring)e(an)o(y)i(changes)f(to)i(the)f(hosts.)
-56 b(F)o(or)30 b(our)2049 1906 y(purposes\227monitoring)22
-b(a)k(collection)f(of)h(se)n(v)o(eral)g(thousand)e(het-)2049
-2006 y(erogeneous,)17 b(di)n(v)o(ersely-administered)f(hosts\227this)k
-(adv)n(antage)e(is)2049 2106 y(immense.)2132 2211 y(Our)34
-b(monitoring)e(system)j(is)h(called)e(Bro)h(\(an)f(Orwellian)g(re-)2049
-2311 y(minder)f(that)h(monitoring)e(comes)i(hand)f(in)i(hand)e(with)h
-(the)g(po-)2049 2410 y(tential)48 b(for)f(pri)n(v)n(ac)o(y)e
-(violations\).)106 b(A)48 b(number)e(of)h(commer)n(-)2049
-2510 y(cial)35 b(products)d(e)o(xist)j(that)f(do)g(what)g(Bro)g(does,)k
-(generally)32 b(with)2049 2609 y(much)f(more)g(sophisticated)g(interf)o
-(aces)g(and)g(management)f(soft-)2049 2709 y(w)o(are)f([In99)n(,)h(T)-7
-b(o99)n(,)30 b(Ci99],)2900 2679 y Fn(1)2968 2709 y Fs(and)f(lar)o(ger)f
-(\223attack)h(signature\224)f(li-)2049 2809 y(braries.)51
-b(T)-7 b(o)29 b(our)f(kno)n(wledge,)h(ho)n(we)n(v)o(er)m(,)g(there)g
-(are)g(no)f(detailed)2049 2908 y(accounts)c(in)h(the)h(netw)o(ork)d
-(security)i(literature)f(of)h(ho)n(w)g(monitors)2049
-3008 y(can)f(be)h(b)n(uilt.)38 b(Furthermore,)23 b(monitors)g(can)i(be)
-f(susceptible)g(to)h(a)2049 3108 y(number)j(of)h(attacks)h(aimed)f(at)h
-(sub)o(v)o(erting)d(the)j(monitoring;)i(we)2049 3207
-y(belie)n(v)o(e)19 b(the)i(attacks)f(we)h(discuss)f(here)g(ha)n(v)o(e)g
-(not)g(been)g(pre)n(viously)2049 3307 y(described)g(in)i(the)g
-(literature.)29 b(Thus,)21 b(the)h(contrib)n(ution)d(of)j(this)g(pa-)
-2049 3406 y(per)h(is)i(not)e(at)h(heart)f(a)h(no)o(v)o(el)e(idea)h
-(\(though)f(we)i(belie)n(v)o(ed)e(it)i(no)o(v)o(el)2049
-3506 y(when)30 b(we)h(undertook)c(the)k(project,)h(in)e(1995\),)h(b)n
-(ut)g(rather)e(a)i(de-)2049 3606 y(tailed)i(o)o(v)o(ervie)n(w)d(of)i
-(some)h(e)o(xperiences)e(with)h(b)n(uilding)g(such)g(a)2049
-3705 y(system.)2132 3811 y(Prior)16 b(to)g(de)n(v)o(eloping)e(Bro,)j
-(we)f(had)g(signi\002cant)g(operational)e(e)o(x-)2049
-3910 y(perience)20 b(with)i(a)g(simpler)g(system)f(based)h(on)f(of)n
-(f-line)f(analysis)i(of)2049 4010 y Fm(tcpdump)29 b Fs([JLM89)o(])h
-(trace)f(\002les.)55 b(Out)30 b(of)g(this)g(e)o(xperience)e(we)2049
-4110 y(formulated)18 b(a)j(number)d(of)i(design)f(goals)i(and)e
-(requirements:)2049 4315 y Fl(High-speed,)h(lar)o(ge)g(v)o(olume)g
-(monitoring)40 b Fs(F)o(or)69 b(our)f(en)m(viron-)2215
-4415 y(ment,)20 b(we)h(vie)n(w)f(the)h(greatest)f(source)g(of)g
-(threats)h(as)g(e)o(xternal)2215 4515 y(hosts)28 b(connecting)d(to)j
-(our)f(hosts)g(o)o(v)o(er)f(the)i(Internet.)46 b(Since)2215
-4614 y(the)28 b(netw)o(ork)f(we)i(w)o(ant)f(to)g(protect)g(has)g(a)h
-(single)f(link)f(con-)2215 4714 y(necting)e(it)i(to)g(the)f(remainder)f
-(of)h(the)g(Internet)f(\(a)h(\223DMZ\224\),)2215 4814
-y(we)42 b(can)f(economically)f(monitor)g(our)h(greatest)g(potential)
-2215 4913 y(source)23 b(of)g(attacks)g(by)g(passi)n(v)o(ely)f(w)o
-(atching)h(the)g(DMZ)g(link.)p 2049 5007 V 2134 5061
-a Fk(1)2169 5085 y Fp(Or)18 b(at)h(least)h(appear)m(,)h(according)g(to)
-e(their)h(product)g(literature,)i(to)d(do)g(the)h(same)2049
-5163 y(things\227we)f(do)e(not)g(ha)o(v)o(e)h(direct)h(e)o(xperience)h
-(with)e(an)o(y)f(of)g(these)h(products.)2115 5242 y(A)h(some)n(what)i
-(dif)n(ferent)h(sort)d(of)g(product,)i(the)f(\223Netw)o(ork)h(Flight)g
-(Recorder)m(,)-5 b(\224)23 b(is)2049 5321 y(described)d(in)e([RLSSL)-5
-b(W97)o(],)17 b(though)i(it)f(is)g(no)n(w)f(increasingly)k(used)d(for)g
-(intrusion)2049 5400 y(detection)i([Ne99)q(].)1929 5649
-y Fs(1)p eop
-%%Page: 2 2
-2 1 bop 16 -104 a Fs(Ho)n(we)n(v)o(er)m(,)22 b(the)i(link)f(is)h(an)g
-(FDDI)g(ring,)f(so)h(to)g(monitor)e(it)i(re-)16 -5 y(quires)g(a)h
-(system)g(that)f(can)h(capture)e(traf)n(\002c)h(at)h(speeds)g(of)f(up)
-16 95 y(to)c(100)g(Mbps.)-150 266 y Fl(No)g(pack)o(et)g(\002lter)h(dr)o
-(ops)41 b Fs(If)25 b(an)h(application)e(using)h(a)h(pack)o(et)f(\002l-)
-16 366 y(ter)20 b(cannot)e(consume)g(pack)o(ets)h(as)i(quickly)d(as)i
-(the)o(y)f(arri)n(v)o(e)f(on)16 466 y(the)25 b(monitored)d(link,)j
-(then)f(the)h(\002lter)g(will)g(b)n(uf)n(fer)e(the)i(pack-)16
-565 y(ets)g(for)g(later)f(consumption.)36 b(Ho)n(we)n(v)o(er)m(,)24
-b(e)n(v)o(entually)e(the)j(\002l-)16 665 y(ter)30 b(will)g(run)e(out)h
-(of)h(b)n(uf)n(fer)m(,)f(at)h(which)f(point)g(it)h Fr(dr)l(ops)f
-Fs(an)o(y)16 765 y(further)i(pack)o(ets)g(that)h(arri)n(v)o(e.)60
-b(From)31 b(a)i(security)e(monitor)n(-)16 864 y(ing)25
-b(perspecti)n(v)o(e,)h(drops)e(can)i(completely)e(defeat)h(the)h(mon-)
-16 964 y(itoring,)41 b(since)c(the)h(missing)g(pack)o(ets)f(might)g
-(contain)f(e)o(x-)16 1063 y(actly)24 b(the)g(interesting)f(traf)n
-(\002c)h(that)g(identi\002es)g(a)g(netw)o(ork)f(in-)16
-1163 y(truder)-5 b(.)27 b(Gi)n(v)o(en)21 b(our)f(\002rst)i(design)f
-(requirement\227high-speed)16 1263 y(monitoring\227then)c(a)n(v)n
-(oiding)i(pack)o(et)h(\002lter)h(drops)f(becomes)16 1362
-y(another)f(strong)g(requirement.)16 1498 y(It)25 b(is)h(sometimes)f
-(tempting)f(to)h(dismiss)g(a)h(problem)d(such)i(as)16
-1598 y(pack)o(et)h(\002lter)h(drops)e(with)i(an)f(ar)o(gument)e(that)i
-(it)h(is)h(unlik)o(ely)16 1697 y(a)e(traf)n(\002c)g(spik)o(e)f(will)i
-(occur)d(at)i(the)g(same)g(time)g(as)g(an)g(attack)16
-1797 y(happens)j(to)h(be)g(underw)o(ay)-5 b(.)52 b(This)31
-b(ar)o(gument,)f(ho)n(we)n(v)o(er)m(,)g(is)16 1896 y(completely)e
-(undermined)f(if)j(we)h(assume)e(that)h(an)g(attack)o(er)16
-1996 y(might,)35 b(in)e(parallel)f(with)h(a)h(break-in)d(attempt,)k
-Fr(attac)n(k)e(the)16 2096 y(monitor)20 b(itself)33 b
-Fs(\(see)20 b(belo)n(w\).)-150 2267 y Fl(Real-time)g(noti\002cation)39
-b Fs(One)50 b(of)f(our)g(main)g(dissatisf)o(actions)16
-2367 y(with)31 b(our)e(initial)i(of)n(f-line)e(system)h(w)o(as)h(the)g
-(lengthy)d(delay)16 2467 y(incurred)33 b(before)h(detecting)g(an)h
-(attack.)69 b(If)35 b(an)g(attack,)j(or)16 2566 y(an)25
-b(attempted)f(attack,)h(is)h(detected)e(quickly)-5 b(,)24
-b(then)g(it)i(can)f(be)16 2666 y(much)c(easier)h(to)g(trace)g(back)f
-(the)h(attack)o(er)f(\(for)g(e)o(xample,)g(by)16 2765
-y(telephoning)d(the)i(site)h(from)d(which)i(the)o(y)f(are)h(coming\),)e
-(min-)16 2865 y(imize)35 b(damage,)i(pre)n(v)o(ent)c(further)g
-(break-ins,)k(and)d(initiate)16 2965 y(full)28 b(recording)d(of)j(all)h
-(of)e(the)h(attack)o(er')-5 b(s)28 b(netw)o(ork)f(acti)n(vity)-5
-b(.)16 3064 y(Therefore,)24 b(one)h(of)g(our)f(requirements)g(for)g
-(Bro)h(w)o(as)i(that)e(it)16 3164 y(detect)i(attacks)g(in)g(real-time.)
-44 b(This)27 b(is)g(not)g(to)g(discount)f(the)16 3264
-y(enormous)e(utility)i(of)f(k)o(eeping)f(e)o(xtensi)n(v)o(e,)i
-(permanent)e(logs)16 3363 y(of)g(netw)o(ork)e(acti)n(vity)i(for)f
-(later)h(analysis.)36 b(In)m(v)n(ariably)-5 b(,)21 b(when)16
-3463 y(we)28 b(ha)n(v)o(e)e(suf)n(fered)g(a)h(break-in,)g(we)h(turn)e
-(to)i(these)f(logs)g(for)16 3562 y(retrospecti)n(v)o(e)20
-b(damage)g(assessment,)i(sometimes)f(searching)16 3662
-y(back)f(a)g(number)f(of)g(months.)-150 3834 y Fl(Mechanism)i(separate)
-f(fr)o(om)f(policy)41 b Fs(Sound)h(softw)o(are)g(design)16
-3933 y(often)29 b(stresses)j(constructing)c(a)i(clear)g(separation)f
-(between)16 4033 y(mechanism)g(and)i(polic)o(y;)k(done)29
-b(properly)-5 b(,)31 b(this)g(b)n(uys)f(both)16 4133
-y(simplicity)f(and)g(\003e)o(xibility)-5 b(.)53 b(The)29
-b(problems)f(f)o(aced)h(by)g(our)16 4232 y(system)19
-b(particularly)d(bene\002t)i(from)g(separating)f(the)h(tw)o(o:)25
-b(be-)16 4332 y(cause)32 b(we)f(ha)n(v)o(e)g(a)h(f)o(airly)f(high)g(v)n
-(olume)g(of)g(traf)n(\002c)g(to)h(deal)16 4431 y(with,)i(we)d(need)f
-(to)h(be)g(able)f(to)h(easily)h(trade-of)n(f)c(at)k(dif)n(fer)n(-)16
-4531 y(ent)19 b(times)g(ho)n(w)g(we)g(\002lter)m(,)g(inspect)g(and)f
-(respond)f(to)i(dif)n(ferent)16 4631 y(types)d(of)h(traf)n(\002c.)23
-b(If)16 b(we)h(hardwired)e(these)h(responses)g(into)h(the)16
-4730 y(system,)j(then)g(these)g(changes)g(w)o(ould)f(be)h(cumbersome)e
-(\(and)16 4830 y(error)n(-prone\))f(to)j(mak)o(e.)-150
-5001 y Fl(Extensible)42 b Fs(Because)27 b(there)h(are)f(an)h(enormous)e
-(number)g(of)h(dif-)16 5101 y(ferent)39 b(netw)o(ork)g(attacks,)45
-b(with)40 b(who)g(kno)n(ws)f(ho)n(w)h(man)o(y)16 5201
-y(w)o(aiting)32 b(to)h(be)g(disco)o(v)o(ered,)g(the)f(system)h(clearly)
-f(must)h(be)16 5300 y(designed)17 b(in)h(order)f(to)h(mak)o(e)g(it)h
-(easy)f(to)g(add)g(to)g(it)h(kno)n(wledge)16 5400 y(of)25
-b(ne)n(w)g(types)f(of)h(attacks.)40 b(In)24 b(addition,)h(while)g(our)f
-(system)2215 -104 y(is)e(a)f(research)f(project,)g(it)i(is)g(at)g(the)f
-(same)g(time)g(a)g(production)2215 -5 y(system)30 b(that)h(plays)f(a)g
-(signi\002cant)g(role)f(in)i(our)e(daily)h(secu-)2215
-95 y(rity)h(operations.)56 b(Consequently)-5 b(,)31 b(we)g(need)f(to)i
-(be)f(able)f(to)2215 194 y(upgrade)18 b(it)j(in)f(small,)h(easily)f
-(deb)n(ugged)e(increments.)2049 394 y Fl(A)-8 b(v)o(oid)20
-b(simple)h(mistak)o(es)42 b Fs(Of)19 b(course,)g(we)g(al)o(w)o(ays)h(w)
-o(ant)f(to)h(a)n(v)n(oid)2215 493 y(mistak)o(es.)36 b(Ho)n(we)n(v)o(er)
-m(,)23 b(here)g(we)i(mean)e(that)h(we)g(particularly)2215
-593 y(desire)k(that)g(the)g(w)o(ay)g(that)g(a)h(site)g(de\002nes)f(its)
-h(security)e(pol-)2215 693 y(ic)o(y)22 b(be)g(both)f(clear)h(and)f(as)i
-(error)n(-free)c(as)k(possible.)30 b(\(F)o(or)21 b(e)o(x-)2215
-792 y(ample,)j(we)g(w)o(ould)f(not)g(consider)f(e)o(xpressing)g(the)i
-(polic)o(y)e(in)2215 892 y(C)f(code)f(as)h(meeting)e(these)h(goals.\))
-2049 1091 y Fl(The)h(monitor)f(will)h(be)g(attack)o(ed)40
-b Fs(W)-7 b(e)18 b(must)f(assume)h(that)f(attack-)2215
-1191 y(ers)30 b(will)h(\(e)n(v)o(entually\))c(ha)n(v)o(e)i(full)h(kno)n
-(wledge)e(of)h(the)h(tech-)2215 1290 y(niques)j(used)g(by)g(the)h
-(monitor)m(,)g(and)f(access)h(to)g(its)g(source)2215
-1390 y(code,)29 b(and)f(will)h(use)g(this)g(kno)n(wledge)d(in)i
-(attempts)h(to)f(sub-)2215 1490 y(v)o(ert)c(or)h(o)o(v)o(erwhelm)d(the)
-j(monitor)e(so)i(that)g(it)g(f)o(ails)h(to)f(detect)2215
-1589 y(the)18 b(attack)o(er')-5 b(s)17 b(break-in)f(acti)n(vity)-5
-b(.)23 b(This)18 b(assumption)f(signi\002-)2215 1689
-y(cantly)f(complicates)g(the)h(design)f(of)h(the)g(monitor;)f(b)n(ut)h
-(f)o(ailing)2215 1788 y(to)j(address)g(it)h(is)g(to)g(b)n(uild)e(a)i
-(house)e(of)h(cards.)2215 1938 y(W)-7 b(e)22 b(do,)f(ho)n(we)n(v)o(er)m
-(,)e(allo)n(w)i(one)g(further)f(assumption,)g(namely)2215
-2038 y(that)34 b Fr(the)f(monitor)h(will)g(only)f(be)h(attac)n(k)o(ed)f
-(fr)l(om)h(one)f(end)p Fs(.)2215 2137 y(That)c(is,)k(gi)n(v)o(en)28
-b(a)i(netw)o(ork)f(connection)e(between)i(hosts)h Fj(A)2215
-2237 y Fs(and)21 b Fj(B)t Fs(,)h(we)g(assume)f(that)g(at)h(most)g(one)e
-(of)h Fj(A)i Fs(or)e Fj(B)26 b Fs(has)21 b(been)2215
-2336 y(compromised)k(and)i(might)g(try)h(to)g(attack)f(the)h(monitor)m
-(,)g(b)n(ut)2215 2436 y(not)c(both.)37 b(This)25 b(assumption)e
-(greatly)h(aids)g(in)h(dealing)e(with)2215 2536 y(the)29
-b(problem)d(of)i(attacks)h(on)f(the)h(monitor)m(,)f(since)h(it)g(means)
-2215 2635 y(that)g Fr(we)i(can)d(trust)j(one)d(of)i(the)f(endpoints)f
-Fs(\(though)f(we)j(do)2215 2735 y(not)20 b(kno)n(w)f(which\).)2215
-2884 y(In)26 b(addition,)g(we)g(note)f(that)i(this)f(second)f
-(assumption)g(costs)2215 2984 y(us)17 b(virtually)e(nothing.)22
-b(If,)17 b(indeed,)f(both)g Fj(A)h Fs(and)f Fj(B)21 b
-Fs(ha)n(v)o(e)16 b(been)2215 3084 y(compromised,)28 b(then)g(the)h
-(attack)o(er)g(can)f(establish)h(intricate)2215 3183
-y(co)o(v)o(ert)19 b(channels)g(between)h(the)g(tw)o(o.)25
-b(These)20 b(can)g(be)g(immea-)2215 3283 y(surably)27
-b(hard)g(to)i(detect,)h(depending)25 b(on)j(ho)n(w)g(de)n(vious)f(the)
-2215 3383 y(channel)18 b(is;)i(that)f(our)e(system)i(f)o(ails)h(to)f
-(do)f(so)h(only)f(means)g(we)2215 3482 y(gi)n(v)o(e)h(up)h(on)g
-(something)f(e)o(xtremely)f(dif)n(\002cult)i(an)o(yw)o(ay)-5
-b(.)2132 3698 y(A)28 b(\002nal)g(important)f(point)g(concerns)f(the)i
-(broader)e(conte)o(xt)g(for)2049 3798 y(our)20 b(monitoring)e(system.)
-27 b(Our)21 b(site)g(is)h(engaged)c(in)j(basic,)g(unclas-)2049
-3897 y(si\002ed)k(research.)37 b(The)24 b(consequences)f(of)h(a)h
-(break-in)e(are)h(usually)2049 3997 y(limited)31 b(to)g(\(potentially)f
-(signi\002cant\))g(e)o(xpenditure)e(in)k(lost)f(time)2049
-4097 y(and)d(re-securing)e(the)j(compromised)d(machines,)j(and)f
-(perhaps)f(a)2049 4196 y(tarnished)20 b(public)g(image)h(depending)d
-(on)j(the)g(subsequent)f(actions)2049 4296 y(of)g(the)g(attack)o(ers.)
-25 b(Thus,)20 b(while)g(we)h(v)o(ery)e(much)h(aim)g(to)g(minimize)2049
-4395 y(break-in)d(acti)n(vity)-5 b(,)19 b(we)g(do)g(not)f(try)h(to)h
-(achie)n(v)o(e)e(\223airtight\224)g(security)-5 b(.)2049
-4495 y(W)e(e)18 b(instead)f(emphasize)f(monitoring)f(o)o(v)o(er)h
-(blocking)f(when)i(possi-)2049 4595 y(ble.)31 b(Ob)o(viously)-5
-b(,)20 b(other)h(sites)j(may)d(ha)n(v)o(e)h(quite)g(dif)n(ferent)e
-(security)2049 4694 y(priorities,)f(which)h(we)h(do)e(not)h(claim)g(to)
-h(address.)2132 4802 y(In)i(the)h(remainder)e(of)h(this)h(paper)f(we)h
-(discuss)g(ho)n(w)f(the)g(design)2049 4902 y(of)d(Bro)h(attempts)f(to)h
-(meet)f(these)h(goals)f(and)g(constraints.)25 b(First,)c(in)2049
-5001 y Fi(x)d Fs(2)g(we)g(gi)n(v)o(e)e(an)i(o)o(v)o(ervie)n(w)d(of)j
-(the)f(structure)g(of)g(the)h(whole)f(system.)2049 5101
-y Fi(x)23 b Fs(3)f(presents)g(the)h(specialized)f Fm(Bro)g
-Fs(language)f(used)h(to)g(e)o(xpress)g(a)2049 5201 y(site')-5
-b(s)21 b(security)e(polic)o(y)-5 b(.)23 b(W)-7 b(e)20
-b(turn)f(in)h Fi(x)g Fs(4)f(to)h(the)g(details)f(of)h(ho)n(w)f(the)2049
-5300 y(system)29 b(is)h(currently)e(implemented.)49 b
-Fi(x)30 b Fs(5)f(discusses)h(attacks)f(on)2049 5400 y(the)23
-b(monitoring)e(system.)33 b Fi(x)24 b Fs(6)f(looks)f(at)i(the)f
-(specialized)g(analysis)1929 5649 y(2)p eop
-%%Page: 3 3
-3 2 bop 175 -187 a
- 10656645 18968821 0 0 33285570 59269365 startTexFig
- 175 -187 a
-%%BeginDocument: structure.eps
-%Magnification: 1.00
-/$F2psDict 200 dict def
-$F2psDict begin
-$F2psDict /mtrx matrix put
-/col-1 {0 setgray} bind def
-/col0 {0.000 0.000 0.000 srgb} bind def
-/col1 {0.000 0.000 1.000 srgb} bind def
-/col2 {0.000 1.000 0.000 srgb} bind def
-/col3 {0.000 1.000 1.000 srgb} bind def
-/col4 {1.000 0.000 0.000 srgb} bind def
-/col5 {1.000 0.000 1.000 srgb} bind def
-/col6 {1.000 1.000 0.000 srgb} bind def
-/col7 {1.000 1.000 1.000 srgb} bind def
-/col8 {0.000 0.000 0.560 srgb} bind def
-/col9 {0.000 0.000 0.690 srgb} bind def
-/col10 {0.000 0.000 0.820 srgb} bind def
-/col11 {0.530 0.810 1.000 srgb} bind def
-/col12 {0.000 0.560 0.000 srgb} bind def
-/col13 {0.000 0.690 0.000 srgb} bind def
-/col14 {0.000 0.820 0.000 srgb} bind def
-/col15 {0.000 0.560 0.560 srgb} bind def
-/col16 {0.000 0.690 0.690 srgb} bind def
-/col17 {0.000 0.820 0.820 srgb} bind def
-/col18 {0.560 0.000 0.000 srgb} bind def
-/col19 {0.690 0.000 0.000 srgb} bind def
-/col20 {0.820 0.000 0.000 srgb} bind def
-/col21 {0.560 0.000 0.560 srgb} bind def
-/col22 {0.690 0.000 0.690 srgb} bind def
-/col23 {0.820 0.000 0.820 srgb} bind def
-/col24 {0.500 0.190 0.000 srgb} bind def
-/col25 {0.630 0.250 0.000 srgb} bind def
-/col26 {0.750 0.380 0.000 srgb} bind def
-/col27 {1.000 0.500 0.500 srgb} bind def
-/col28 {1.000 0.630 0.630 srgb} bind def
-/col29 {1.000 0.750 0.750 srgb} bind def
-/col30 {1.000 0.880 0.880 srgb} bind def
-/col31 {1.000 0.840 0.000 srgb} bind def
-
-end
-save
--142.0 971.0 translate
-1 -1 scale
-
-/cp {closepath} bind def
-/ef {eofill} bind def
-/gr {grestore} bind def
-/gs {gsave} bind def
-/sa {save} bind def
-/rs {restore} bind def
-/l {lineto} bind def
-/m {moveto} bind def
-/rm {rmoveto} bind def
-/n {newpath} bind def
-/s {stroke} bind def
-/sh {show} bind def
-/slc {setlinecap} bind def
-/slj {setlinejoin} bind def
-/slw {setlinewidth} bind def
-/srgb {setrgbcolor} bind def
-/rot {rotate} bind def
-/sc {scale} bind def
-/sd {setdash} bind def
-/ff {findfont} bind def
-/sf {setfont} bind def
-/scf {scalefont} bind def
-/sw {stringwidth} bind def
-/tr {translate} bind def
-/tnt {dup dup currentrgbcolor
-  4 -2 roll dup 1 exch sub 3 -1 roll mul add
-  4 -2 roll dup 1 exch sub 3 -1 roll mul add
-  4 -2 roll dup 1 exch sub 3 -1 roll mul add srgb}
-  bind def
-/shd {dup dup currentrgbcolor 4 -2 roll mul 4 -2 roll mul
-  4 -2 roll mul srgb} bind def
-/$F2psBegin {$F2psDict begin /$F2psEnteredState save def} def
-/$F2psEnd {$F2psEnteredState restore end} def
-
-$F2psBegin
-10 setmiterlimit
-n 0 79200 m 0 0 l 61200 0 l 61200 79200 l cp clip
- 0.06000 0.06000 sc
-7.500 slw
-% Polyline
-n 2385 5385 m 10785 5385 l 10785 3585 l 2385 3585 l cp gs col-1 s gr 
-% Polyline
-n 2385 8940 m 10785 8940 l 10785 7140 l 2385 7140 l cp gs col-1 s gr 
-60.000 slw
-% Polyline
-gs  clippath
-6435 13410 m 6585 12690 l 6735 13410 l 6735 12480 l 6435 12480 l  cp clip
-n 6585 14355 m 6585 12555 l gs col7 0.95 shd ef gr gs col-1 s gr gr
-
-% arrowhead
-n 6435 13410 m 6585 12690 l 6735 13410 l 6585 13290 l 6435 13410 l  cp gs 0.00 setgray ef gr  col-1 s
-7.500 slw
-% Polyline
-n 2385 12555 m 10785 12555 l 10785 10755 l 2385 10755 l cp gs col-1 s gr 
-45.000 slw
-% Polyline
-gs  clippath
-6465 9624 m 6585 9048 l 6705 9624 l 6705 8880 l 6465 8880 l  cp clip
-n 6585 10740 m 6585 8940 l gs col7 0.95 shd ef gr gs col-1 s gr gr
-
-% arrowhead
-n 6465 9624 m 6585 9048 l 6705 9624 l 6585 9528 l 6465 9624 l  cp gs 0.00 setgray ef gr  col-1 s
-30.000 slw
-% Polyline
-gs  clippath
-6495 5898 m 6585 5466 l 6675 5898 l 6675 5340 l 6495 5340 l  cp clip
-n 6585 7185 m 6585 5385 l gs col7 0.95 shd ef gr gs col-1 s gr gr
-
-% arrowhead
-n 6495 5898 m 6585 5466 l 6675 5898 l 6585 5826 l 6495 5898 l  cp gs 0.00 setgray ef gr  col-1 s
-15.000 slw
-% Polyline
-gs  clippath
-6540 1542 m 6600 1254 l 6660 1542 l 6660 1170 l 6540 1170 l  cp clip
-n 6600 3600 m 6600 1200 l gs col7 0.95 shd ef gr gs col-1 s gr gr
-
-% arrowhead
-n 6540 1542 m 6600 1254 l 6660 1542 l 6600 1494 l 6540 1542 l  cp gs 0.00 setgray ef gr  col-1 s
-% Polyline
- [100.0] 0 sd
-gs  clippath
-3060 10506 m 3000 10746 l 2940 10506 l 2940 10830 l 3060 10830 l  cp clip
-n 3000 9000 m 3000 10800 l gs col7 0.95 shd ef gr gs col-1 s gr gr
- [] 0 sd
-% arrowhead
-n 3060 10506 m 3000 10746 l 2940 10506 l 3000 10506 l 3060 10506 l  cp gs col7 1.00 shd ef gr  col-1 s
-% Polyline
- [100.0] 0 sd
-gs  clippath
-3060 6906 m 3000 7146 l 2940 6906 l 2940 7230 l 3060 7230 l  cp clip
-n 3000 5400 m 3000 7200 l gs col7 0.95 shd ef gr gs col-1 s gr gr
- [] 0 sd
-% arrowhead
-n 3060 6906 m 3000 7146 l 2940 6906 l 3000 6906 l 3060 6906 l  cp gs col7 1.00 shd ef gr  col-1 s
-% Polyline
- [100.0] 0 sd
-gs  clippath
-3060 3306 m 3000 3546 l 2940 3306 l 2940 3630 l 3060 3630 l  cp clip
-n 3000 1200 m 3000 3600 l gs col7 0.95 shd ef gr gs col-1 s gr gr
- [] 0 sd
-% arrowhead
-n 3060 3306 m 3000 3546 l 2940 3306 l 3000 3306 l 3060 3306 l  cp gs col7 1.00 shd ef gr  col-1 s
-7.500 slw
-% Polyline
-n 2385 14355 m 10785 14355 l 10785 16155 l 2385 16155 l cp gs col7 0.50 shd ef gr gs col-1 s gr 
-/Helvetica-Bold ff 540.00 scf sf
-5520 15442 m
-gs 1 -1 sc (Network) col-1 sh gr
-/Helvetica ff 360.00 scf sf
-6885 6405 m
-gs 1 -1 sc (Event stream) col-1 sh gr
-/Helvetica ff 360.00 scf sf
-6855 2835 m
-gs 1 -1 sc (Record to disk) col-1 sh gr
-/Helvetica ff 360.00 scf sf
-6825 2265 m
-gs 1 -1 sc (Real-time notification) col-1 sh gr
-/Helvetica ff 360.00 scf sf
-6885 9960 m
-gs 1 -1 sc (Filtered packet stream) col-1 sh gr
-/Times-Bold ff 540.00 scf sf
-6615 8220 m
-gs 1 -1 sc (Event Engine) dup sw pop 2 div neg 0 rm  col-1 sh gr
-/Helvetica ff 360.00 scf sf
-3210 2505 m
-gs 1 -1 sc (Policy script) col-1 sh gr
-/Helvetica ff 360.00 scf sf
-3210 6405 m
-gs 1 -1 sc (Event control) col-1 sh gr
-/Helvetica ff 360.00 scf sf
-3210 10005 m
-gs 1 -1 sc (Tcpdump filter) col-1 sh gr
-/Helvetica ff 360.00 scf sf
-6885 13575 m
-gs 1 -1 sc (Packet stream) col-1 sh gr
-/Times-Bold ff 540.00 scf sf
-6615 4665 m
-gs 1 -1 sc (Policy Script Interpreter) dup sw pop 2 div neg 0 rm  col-1 sh gr
-/Courier-Bold ff 540.00 scf sf
-6615 11835 m
-gs 1 -1 sc (libpcap) dup sw pop 2 div neg 0 rm  col-1 sh gr
-$F2psEnd
-rs
-%%EndDocument
-
- endTexFig
- 220 2398 a Fs(Figure)19 b(1:)25 b(Structure)20 b(of)f(the)i(Bro)f
-(system)-150 2675 y(Bro)d(does)h(for)e(six)i(Internet)e(applications:)
-23 b(FTP)-9 b(,)17 b(Finger)m(,)g(Portmap-)-150 2775
-y(per)m(,)22 b(Ident,)g(T)-6 b(elnet)22 b(and)g(Rlogin.)31
-b Fi(x)23 b Fs(7)g(gi)n(v)o(es)f(the)g(status)h(of)f(the)h(im-)-150
-2874 y(plementation)i(and)i(our)g(e)o(xperiences)e(with)j(it,)h
-(including)d(a)h(brief)-150 2974 y(assessment)d(of)g(its)g
-(performance.)33 b Fi(x)24 b Fs(8)g(of)n(fers)e(some)i(thoughts)e(on)
--150 3074 y(future)28 b(directions.)51 b(Finally)-5 b(,)30
-b(an)f(Appendix)e(illustrates)j(ho)n(w)f(the)-150 3173
-y(dif)n(ferent)21 b(elements)h(of)g(the)g(system)h(come)e(together)g
-(for)h(monitor)n(-)-150 3273 y(ing)e(Finger)f(traf)n(\002c.)-150
-3580 y Ft(2)119 b(Structur)n(e)31 b(of)f(the)g(system)-150
-3775 y Fs(Bro)e(is)g(conceptually)e(di)n(vided)g(into)h(an)h(\223e)n(v)
-o(ent)f(engine\224)f(that)i(re-)-150 3874 y(duces)15
-b(a)g(stream)h(of)f(\(\002ltered\))f(pack)o(ets)h(to)g(a)h(stream)f(of)
-g(higher)n(-le)n(v)o(el)-150 3974 y(netw)o(ork)i(e)n(v)o(ents,)i(and)f
-(an)g(interpreter)f(for)h(a)h(specialized)f(language)-150
-4074 y(that)25 b(is)i(used)e(to)g(e)o(xpress)g(a)h(site')-5
-b(s)26 b(security)f(polic)o(y)-5 b(.)39 b(More)25 b(gener)n(-)-150
-4173 y(ally)-5 b(,)20 b(the)g(system)h(is)g(structured)e(in)i(layers,)f
-(as)h(sho)n(wn)e(in)i(Figure)f(1.)-150 4273 y(The)26
-b(lo)n(wer)n(-most)f(layers)h(process)g(the)h(greatest)f(v)n(olume)f
-(of)h(data,)-150 4373 y(and)20 b(hence)f(must)i(limit)g(the)f(w)o(ork)g
-(performed)d(to)k(a)g(minimum.)j(As)-150 4472 y(we)i(go)g(higher)e(up)h
-(through)f(the)i(layers,)g(the)g(data)g(stream)g(dimin-)-150
-4572 y(ishes,)g(allo)n(wing)d(for)g(more)h(processing)f(per)g(data)h
-(item.)38 b(This)24 b(ba-)-150 4671 y(sic)h(design)f(re\003ects)h(the)g
-(need)f(to)h(conserv)o(e)e(processing)g(as)j(much)-150
-4771 y(as)i(possible,)h(in)f(order)e(to)i(meet)f(the)h(goals)f(of)h
-(monitoring)d(high-)-150 4871 y(speed,)20 b(lar)o(ge)f(v)n(olume)g
-(traf)n(\002c)h(\003o)n(ws)g(without)g(dropping)d(pack)o(ets.)-150
-5135 y Fh(2.1)99 b Fg(libpcap)-150 5300 y Fs(From)18
-b(the)h(perspecti)n(v)o(e)f(of)g(the)h(rest)h(of)f(the)g(system,)g
-(just)g(abo)o(v)o(e)f(the)-150 5400 y(netw)o(ork)24 b(itself)i(is)g
-Fm(libpcap)e Fs([MLJ94)n(],)j(the)e(pack)o(et-capture)d(li-)2049
--104 y(brary)j(used)h(by)g Fm(tcpdump)f Fs([JLM89)o(].)43
-b(Using)26 b Fm(libpcap)f Fs(gains)2049 -5 y(signi\002cant)34
-b(adv)n(antages:)51 b(it)35 b(isolates)g(Bro)f(from)f(details)i(of)f
-(the)2049 95 y(netw)o(ork)k(link)g(technology)f(\(Ethernet,)42
-b(FDDI,)d(SLIP)-9 b(,)39 b(etc.\);)48 b(it)2049 194 y(greatly)21
-b(aids)h(in)g(porting)f(Bro)g(to)i(dif)n(ferent)d(Unix)h(v)n(ariants)g
-(\(which)2049 294 y(also)28 b(mak)o(es)f(it)h(easier)f(to)h(upgrade)d
-(to)j(f)o(aster)f(hardw)o(are)f(as)i(it)g(be-)2049 394
-y(comes)34 b(a)n(v)n(ailable\);)41 b(and)34 b(it)h(means)f(that)g(Bro)h
-(can)f(also)h(operate)2049 493 y(on)c Fm(tcpdump)f Fs(sa)n(v)o(e)h
-(\002les,)k(making)29 b(of)n(f-line)h(de)n(v)o(elopment)e(and)2049
-593 y(analysis)20 b(easy)-5 b(.)2132 693 y(Another)24
-b(major)g(adv)n(antage)f(of)h Fm(libpcap)h Fs(is)g(that)g(if)h(the)f
-(host)2049 792 y(operating)41 b(system)i(pro)o(vides)e(a)i(suf)n
-(\002ciently)e(po)n(werful)g(k)o(ernel)2049 892 y(pack)o(et)32
-b(\002lter)m(,)k(such)d(as)h(BPF)g([MJ93)o(],)i(then)d
-Fm(libpcap)f Fs(do)n(wn-)2049 992 y(loads)18 b(the)f(\002lter)h(used)g
-(to)g(reduce)e(the)i(traf)n(\002c)f(into)h(the)g(k)o(ernel.)23
-b(Con-)2049 1091 y(sequently)-5 b(,)17 b(rather)g(than)h(ha)n(ving)g
-(to)g(haul)g(e)n(v)o(ery)f(pack)o(et)h(up)g(to)h(user)n(-)2049
-1191 y(le)n(v)o(el)30 b(merely)f(so)i(the)f(majority)f(can)h(be)g
-(discarded)f(\(if)h(the)g(\002lter)2049 1291 y(accepts)e(only)g(a)h
-(small)f(proportion)e(of)i(the)g(traf)n(\002c\),)i(the)e(rejected)2049
-1390 y(pack)o(ets)d(can)f(instead)h(be)g(discarded)e(in)i(the)g(k)o
-(ernel,)g(without)f(suf-)2049 1490 y(fering)i(a)i(conte)o(xt)e(switch)h
-(or)g(data)h(cop)o(ying.)44 b(W)m(inno)n(wing)26 b(do)n(wn)2049
-1589 y(the)c(pack)o(et)g(stream)g(as)h(soon)f(as)g(possible)g(greatly)g
-(abets)g(monitor)n(-)2049 1689 y(ing)e(at)h(high)e(speeds)h(without)f
-(losing)h(pack)o(ets.)2132 1789 y(The)26 b(k)o(e)o(y)g(to)h(pack)o(et)f
-(\002ltering)g(is,)j(of)d(course,)h(judicious)e(selec-)2049
-1889 y(tion)e(of)f(which)g(pack)o(ets)h(to)g(k)o(eep)f(and)h(which)f
-(to)h(discard.)32 b(F)o(or)23 b(the)2049 1988 y(application)17
-b(protocols)f(that)j(Bro)f(kno)n(ws)f(about,)h(it)h(captures)e(e)n(v)o
-(ery)2049 2088 y(pack)o(et,)25 b(so)g(it)g(can)f(analyze)g(ho)n(w)g
-(the)g(application)f(is)j(being)d(used.)2049 2187 y(In)d
-Fm(tcpdump)p Fs(')-5 b(s)20 b(\002ltering)f(language,)g(this)h(looks)g
-(lik)o(e:)2208 2351 y Ff(port)40 b(finger)f(or)g(port)g(ftp)h(or)f(tcp)
-h(port)f(113)g(or)2208 2430 y(port)h(telnet)f(or)g(port)g(login)h(or)f
-(port)g(111)2049 2613 y Fs(That)34 b(is,)k(the)c(\002lter)h(accepts)f
-(an)o(y)f(TCP)i(pack)o(ets)f(with)g(a)g(source)2049 2713
-y(or)g(destination)f(port)g(of)h(79)g(\(Finger\),)i(21)d(\(FTP\),)h
-(113)f(\(Ident\),)2049 2813 y(23)18 b(\(T)-6 b(elnet\),)17
-b(513)g(\(Rlogin\),)g(and)h(an)o(y)f(TCP)i(or)f(UDP)h(pack)o(ets)e
-(with)2049 2912 y(a)g(source)f(or)g(destination)f(port)h(of)g(111)g
-(\(Portmapper\).)21 b(In)16 b(addition,)2049 3012 y(Bro)k(uses:)2208
-3175 y Ff(tcp[13])39 b(&)h(7)g(!=)f(0)2049 3359 y Fs(to)19
-b(capture)f(an)o(y)g(TCP)i(pack)o(ets)e(with)h(the)g(SYN,)g(FIN,)g(or)g
-(RST)g(con-)2049 3458 y(trol)i(bits)g(set.)27 b(These)21
-b(pack)o(ets)f(delimit)h(the)f(be)o(ginning)f(\(SYN\))h(and)2049
-3558 y(end)f(\(FIN)g(or)h(RST\))g(of)f(each)g(TCP)i(connection.)h
-(Because)e(TCP/IP)2049 3658 y(pack)o(et)i(headers)g(contain)f
-(considerable)g(information)f(about)i(each)2049 3757
-y(TCP)36 b(connection,)i(from)c(just)i(these)g(control)e(pack)o(ets)i
-(one)f(can)2049 3857 y(e)o(xtract)30 b(connection)e(start)j(time,)j
-(duration,)d(participating)e(hosts,)2049 3957 y(ports)15
-b(\(and)g(hence,)g(generally)-5 b(,)15 b(the)g(application)f
-(protocol\),)h(and)g(the)2049 4056 y(number)24 b(of)h(bytes)h(sent)g
-(in)f(each)h(direction.)40 b(Thus,)26 b(by)f(capturing)2049
-4156 y(on)f(the)g(order)f(of)i(only)e(4)h(pack)o(ets)h(\(the)f(tw)o(o)g
-(initial)h(SYN)g(pack)o(ets)2049 4255 y(e)o(xchanged,)30
-b(and)g(the)g(\002nal)h(tw)o(o)g(FIN)f(pack)o(ets)g(e)o(xchanged\),)g
-(we)2049 4355 y(can)c(determine)f(a)i(great)f(deal)g(about)g(a)h
-(connection)d(e)n(v)o(en)h(though)2049 4455 y(we)c(\002lter)f(out)g
-(all)h(of)f(its)h(data)f(pack)o(ets.)2132 4555 y(The)g(\002nal)g
-(\002lter)h(we)f(use)h(is:)2208 4718 y Ff(ip[6:2])39
-b(&)h(0x3fff)f(!=)g(0)2049 4902 y Fs(which)f(captures)g(IP)i
-(fragments,)i(necessary)c(for)g(sound)g(traf)n(\002c)2049
-5001 y(analysis,)21 b(and)g(also)g(to)h(protect)e(against)h(particular)
-e(attacks)j(on)f(the)2049 5101 y(monitoring)d(system)i
-Fi(x)h Fs(5.3.)2132 5201 y(When)j(using)f(a)i(pack)o(et)e(\002lter)m(,)
-i(one)e(must)h(also)g(choose)f(a)i Fr(snap-)2049 5300
-y(shot)37 b(length)p Fs(,)j(which)c(determines)g(ho)n(w)h(much)f(of)g
-(each)h(pack)o(et)2049 5400 y(should)20 b(be)g(captured.)25
-b(F)o(or)20 b(e)o(xample,)f(by)h(def)o(ault)g Fm(tcpdump)g
-Fs(uses)1929 5649 y(3)p eop
-%%Page: 4 4
-4 3 bop -150 -104 a Fs(a)20 b(snapshot)e(length)g(of)h(68)g(bytes,)g
-(which)f(suf)n(\002ces)i(to)f(capture)f(link-)-150 -5
-y(layer)g(and)g(TCP/IP)i(headers,)e(b)n(ut)h(generally)e(discards)h
-(most)h(of)g(the)-150 95 y(data)j(in)h(the)f(pack)o(et.)32
-b(The)22 b(smaller)g(the)h(snapshot)e(length,)h(the)g(less)-150
-194 y(data)e(per)f(accepted)g(pack)o(et)g(needs)h(to)g(copied)e(up)i
-(to)g(the)g(user)n(-le)n(v)o(el)-150 294 y(by)29 b(the)g(pack)o(et)g
-(\002lter)m(,)i(which)d(aids)i(in)f(accelerating)f(pack)o(et)h(pro-)
--150 394 y(cessing)j(and)g(a)n(v)n(oiding)f(loss.)61
-b(On)32 b(the)g(other)f(hand,)j(to)e(analyze)-150 493
-y(connections)14 b(at)i(the)g(application)e(le)n(v)o(el,)i(Bro)g
-(requires)f(the)h(full)g(data)-150 593 y(contents)25
-b(of)h(each)g(pack)o(et.)42 b(Consequently)-5 b(,)25
-b(it)i(sets)g(the)f(snapshot)-150 693 y(length)19 b(to)i(capture)e
-(entire)h(pack)o(ets.)-150 945 y Fh(2.2)99 b(Ev)o(ent)26
-b(engine)-150 1105 y Fs(The)21 b(resulting)g(\002ltered)g(pack)o(et)g
-(stream)h(is)g(then)g(handed)e(up)h(to)h(the)-150 1205
-y(ne)o(xt)g(layer)m(,)g(the)h(Bro)g(\223e)n(v)o(ent)f(engine.)-6
-b(\224)32 b(This)22 b(layer)h(\002rst)g(performs)-150
-1305 y(se)n(v)o(eral)d(inte)o(grity)g(checks)h(to)g(assure)g(that)g
-(the)g(pack)o(et)f(headers)h(are)-150 1404 y(well-formed,)d(including)g
-(v)o(erifying)f(the)j(IP)h(header)d(checksum.)24 b(If)-150
-1504 y(these)e(checks)g(f)o(ail,)h(then)e(Bro)h(generates)g(an)g(e)n(v)
-o(ent)f(indicating)g(the)-150 1604 y(problem)h(and)h(discards)h(the)f
-(pack)o(et.)35 b(It)24 b(is)h(also)f(at)g(this)g(point)f(that)-150
-1703 y(Bro)29 b(reassembles)g(IP)h(fragments)d(so)j(it)g(can)f(then)f
-(analyze)g(com-)-150 1803 y(plete)20 b(IP)h(datagrams.)-67
-1905 y(If)37 b(the)h(checks)f(succeed,)k(then)c(the)g(e)n(v)o(ent)g
-(engine)f(looks)h(up)-150 2005 y(the)f(connection)f(state)i(associated)
-f(with)g(the)h(tuple)f(of)g(the)g(tw)o(o)-150 2104 y(IP)30
-b(addresses)g(and)f(the)h(tw)o(o)g(TCP)h(or)f(UDP)g(port)f(numbers,)i
-(cre-)-150 2204 y(ating)22 b(ne)n(w)g(state)i(if)f(none)e(already)g(e)o
-(xists.)33 b(It)23 b(then)f(dispatches)g(the)-150 2304
-y(pack)o(et)32 b(to)g(a)h(handler)e(for)h(the)g(corresponding)d
-(connection)h(\(de-)-150 2403 y(scribed)24 b(shortly\).)35
-b(Bro)25 b(maintains)e(a)i Fm(tcpdump)e Fs(trace)i(\002le)f(asso-)-150
-2503 y(ciated)i(with)g(the)f(traf)n(\002c)h(it)g(sees.)43
-b(The)25 b(connection)f(handler)g(indi-)-150 2603 y(cates)17
-b(upon)f(return)f(whether)h(the)h(engine)f(should)g(record)f(the)i
-(entire)-150 2702 y(pack)o(et)j(to)h(the)f(trace)h(\002le,)g(just)g
-(its)h(header)m(,)c(or)j(nothing)e(at)i(all.)26 b(This)-150
-2802 y(triage)f(trades)g(of)n(f)f(the)h(completeness)f(of)h(the)g(traf)
-n(\002c)g(trace)g(v)o(ersus)-150 2901 y(its)h(size)g(and)f(time)h
-(spent)f(generating)e(the)i(trace.)41 b(Generally)-5
-b(,)24 b(Bro)-150 3001 y(records)f(full)h(pack)o(ets)g(if)h(it)g
-(analyzed)e(the)h(entire)g(pack)o(et;)i(just)f(the)-150
-3101 y(header)16 b(if)h(it)h(only)e(analyzed)f(the)i(pack)o(et)f(for)h
-(SYN/FIN/RST)g(com-)-150 3200 y(putations;)j(and)h(skips)g(recording)e
-(the)h(pack)o(et)h(if)g(it)h(did)e(not)h(do)f(an)o(y)-150
-3300 y(processing)f(on)h(it.)-67 3402 y(W)-7 b(e)25 b(no)n(w)e(gi)n(v)o
-(e)g(an)h(o)o(v)o(ervie)n(w)e(of)h(general)g(processing)f(done)h(for)
--150 3502 y(TCP)28 b(and)f(UDP)h(pack)o(ets.)46 b(In)27
-b(both)g(cases,)i(the)f(processing)e(ends)-150 3601 y(with)j(in)m(v)n
-(oking)d(a)j(handler)e(to)i(process)f(the)g(data)g(payload)f(of)i(the)
--150 3701 y(pack)o(et.)24 b(F)o(or)c(applications)e(kno)n(wn)g(to)i
-(Bro,)g(this)g(results)g(in)g(further)-150 3801 y(analysis,)g(as)g
-(discussed)f(in)h Fi(x)g Fs(6.)25 b(F)o(or)19 b(other)g(applications,)g
-(analysis)-150 3900 y(ends)h(at)h(this)f(point.)-67 4003
-y Fl(TCP)41 b(pr)o(ocessing)o(.)87 b Fs(F)o(or)40 b(each)h(TCP)g(pack)o
-(et,)k(the)c(connec-)-150 4102 y(tion)25 b(handler)e(\(a)i(C++)h
-(virtual)e(function\))f(v)o(eri\002es)i(that)g(the)g(entire)-150
-4202 y(TCP)c(header)e(is)j(present)d(and)h(v)n(alidates)g(the)h(TCP)g
-(checksum)e(o)o(v)o(er)-150 4301 y(the)30 b(pack)o(et)g(header)f(and)h
-(payload.)53 b(If)30 b(successful,)j(it)e(then)e(tests)-150
-4401 y(whether)23 b(the)g(TCP)i(header)e(includes)g(an)o(y)g(of)g(the)h
-(SYN/FIN/RST)-150 4501 y(control)35 b(\003ags,)41 b(and)36
-b(if)h(so)g(adjusts)g(the)f(connection')-5 b(s)35 b(state)j(ac-)-150
-4600 y(cordingly)-5 b(.)46 b(Finally)-5 b(,)29 b(it)f(processes)g(an)o
-(y)f(data)h(ackno)n(wledgement)-150 4700 y(present)23
-b(in)h(the)f(header)m(,)g(and)g(then)g(in)m(v)n(ok)o(es)f(a)i(handler)e
-(to)i(process)-150 4800 y(the)c(payload)f(data,)h(if)g(an)o(y)-5
-b(.)-67 4902 y(Dif)n(ferent)28 b(changes)g(in)i(the)f(connection')-5
-b(s)28 b(state)i(generate)e(dif-)-150 5001 y(ferent)42
-b(e)n(v)o(ents.)93 b(When)43 b(the)g(initial)h(SYN)g(pack)o(et)e
-(requesting)-150 5101 y(a)37 b(connection)e(is)j(seen,)j(the)c(e)n(v)o
-(ent)f(engine)g(schedules)g(a)i(timer)-150 5201 y(for)i
-Fj(T)52 b Fs(seconds)40 b(in)g(the)h(future)e(\(presently)-5
-b(,)43 b(\002)n(v)o(e)e(minutes\);)49 b(if)-150 5300
-y(the)h(timer)g(e)o(xpires)g(and)f(the)i(connection)d(has)i(not)g
-(changed)-150 5400 y(state,)23 b(then)e(the)h(engine)f(generates)g(a)h
-Fm(connection)p 1479 5400 25 4 v 28 w(attempt)2049 -104
-y Fs(e)n(v)o(ent.)125 b(If)54 b(before)f(that)h(time,)62
-b(ho)n(we)n(v)o(er)m(,)e(the)54 b(other)f(con-)2049 -5
-y(nection)g(endpoint)f(replies)h(with)h(a)g(correct)f(SYN)h(ackno)n(w-)
-2049 95 y(ledgement)35 b(pack)o(et,)k(then)d(the)g(engine)f
-(immediately)g(generates)2049 194 y(a)44 b Fm(connection)p
-2635 194 V 28 w(established)e Fs(e)n(v)o(ent,)48 b(and)42
-b(cancels)i(the)2049 294 y(connection)49 b(attempt)i(timer)-5
-b(.)118 b(On)51 b(the)g(other)g(hand,)57 b(if)52 b(the)2049
-394 y(endpoint)c(replies)h(with)h(a)g(RST)g(pack)o(et,)57
-b(then)49 b(the)g(connec-)2049 493 y(tion)38 b(attempt)g(has)h(been)e
-(rejected,)42 b(and)c(the)g(engine)g(generates)2049 593
-y Fm(connection)p 2554 593 V 28 w(rejected)p Fs(.)47
-b(Similarly)-5 b(,)28 b(if)h(a)f(connection)d(ter)n(-)2049
-693 y(minates)31 b(via)g(a)h(normal)e(FIN)i(e)o(xchange,)f(then)g(the)g
-(engine)f(gen-)2049 792 y(erates)23 b Fm(connection)p
-2771 792 V 28 w(finished)p Fs(.)34 b(It)23 b(also)h(generates)e(se)n(v)
-o(eral)2049 892 y(other)f(e)n(v)o(ents)g(re\003ecting)g(more)g(unusual)
-g(w)o(ays)h(in)g(which)f(connec-)2049 991 y(tions)f(can)g(terminate.)
-2132 1099 y Fl(UDP)j(pr)o(ocessing)o(.)34 b Fs(UDP)24
-b(processing)e(is)i(similar)f(b)n(ut)h(simpler)m(,)2049
-1199 y(since)k(there)f(is)h(no)f(connection)f(state,)k(e)o(xcept)c(in)i
-(one)f(re)o(gard.)45 b(If)2049 1299 y(host)16 b Fj(A)g
-Fs(sends)g(a)g(UDP)g(pack)o(et)f(to)h(host)g Fj(B)k Fs(with)c(a)g
-(source)f(port)g(of)g Fj(p)3996 1311 y Fe(A)2049 1398
-y Fs(and)k(a)h(destination)e(port)h(of)g Fj(p)2915 1410
-y Fe(B)2972 1398 y Fs(,)h(then)f(Bro)h(considers)e Fj(A)i
-Fs(as)h(ha)n(ving)2049 1498 y(initiated)16 b(a)h(\223request\224)e(to)i
-Fj(B)t Fs(,)g(and)f(establishes)h(pseudo-connection)2049
-1597 y(state)27 b(associated)g(with)f(that)h(request.)43
-b(If)27 b Fj(B)k Fs(subsequently)25 b(sends)2049 1697
-y(a)31 b(UDP)g(pack)o(et)e(to)i Fj(A)g Fs(with)f(a)h(source)e(port)h
-(of)g Fj(p)3549 1709 y Fe(B)3636 1697 y Fs(and)g(destina-)2049
-1797 y(tion)d Fj(p)2248 1809 y Fe(A)2302 1797 y Fs(,)j(then)e(Bro)f
-(considers)g(this)i(pack)o(et)e(to)h(re\003ect)f(a)i(\223reply\224)2049
-1896 y(to)23 b(the)f(request.)32 b(The)22 b(handlers)g(\(virtual)f
-(functions\))g(for)h(the)h(UDP)2049 1996 y(payload)j(data)i(can)f(then)
-g(readily)g(distinguish)g(between)g(requests)2049 2096
-y(and)22 b(replies)g(for)g(the)g(usual)h(case)g(when)e(UDP)i(traf)n
-(\002c)f(follo)n(ws)g(that)2049 2195 y(pattern.)43 b(The)26
-b(def)o(ault)g(handlers)f(for)h(UDP)h(requests)f(and)g(replies)2049
-2295 y(simply)20 b(generate)f Fm(udp)p 2753 2295 V 29
-w(request)h Fs(and)f Fm(udp)p 3442 2295 V 30 w(reply)g
-Fs(e)n(v)o(ents.)2049 2578 y Fh(2.3)124 b(P)n(olicy)24
-b(script)h(inter)o(pr)n(eter)2049 2749 y Fs(After)30
-b(the)g(e)n(v)o(ent)f(engine)g(has)h(\002nished)g(processing)f(a)h
-(pack)o(et,)i(it)2049 2849 y(then)h(checks)g(whether)f(the)h
-(processing)f(generated)g(an)o(y)g(e)n(v)o(ents.)2049
-2948 y(\(These)26 b(are)h(k)o(ept)f(on)g(a)h(FIFO)g(queue.\))43
-b(If)27 b(so,)h(it)g(processes)e(each)2049 3048 y(e)n(v)o(ent)h(until)h
-(the)f(queue)g(is)i(empty)-5 b(,)28 b(as)h(described)d(belo)n(w)-5
-b(.)47 b(It)28 b(also)2049 3148 y(checks)19 b(whether)f(an)o(y)h(timer)
-g(e)n(v)o(ents)g(ha)n(v)o(e)g(e)o(xpired,)e(and)i(if)h(so)g(pro-)2049
-3247 y(cesses)h(them,)f(too)g(\(see)g Fi(x)h Fs(4)f(for)g(more)f(on)h
-(timer)g(e)o(xpiration\).)3882 3217 y Fn(2)2132 3355
-y Fs(A)d(k)o(e)o(y)e(f)o(acet)i(of)f(Bro')-5 b(s)17 b(design)e(is)i
-(the)g(clear)f(distinction)f(between)2049 3455 y(the)33
-b(generation)d(of)j(e)n(v)o(ents)e(v)o(ersus)i(what)f(to)h(do)f(in)h
-(response)e(to)2049 3554 y(the)26 b(e)n(v)o(ents.)40
-b(These)26 b(are)g(sho)n(wn)f(as)h(separate)f(box)o(es)g(in)h(Figure)f
-(1,)2049 3654 y(and)18 b(this)h(structure)f(re\003ects)g(the)h
-(separation)e(between)h(mechanism)2049 3754 y(and)25
-b(polic)o(y)g(discussed)g(in)h Fi(x)h Fs(1.)42 b(The)25
-b(\223polic)o(y)g(script)g(interpreter\224)2049 3853
-y(e)o(x)o(ecutes)17 b(scripts)h(written)g(in)g(the)g(specialized)f
-Fm(Bro)h Fs(language)e(\(de-)2049 3953 y(tailed)h(in)h
-Fi(x)g Fs(3\).)24 b(These)17 b(scripts)h(specify)f(e)n(v)o(ent)f
-(handlers,)h(which)g(are)2049 4052 y(essentially)26 b(identical)f(to)h
-(Bro)g(functions)e(e)o(xcept)h(that)h(the)o(y)f(don')o(t)2049
-4152 y(return)19 b(a)i(v)n(alue.)k(F)o(or)20 b(each)g(e)n(v)o(ent)f
-(passed)i(to)f(the)h(interpreter)m(,)d(it)j(re-)2049
-4252 y(trie)n(v)o(es)g(the)h(\(semi-\)compiled)d(code)i(for)g(the)g
-(corresponding)d(han-)2049 4351 y(dler)m(,)28 b(binds)e(the)h(v)n
-(alues)f(of)h(the)f(e)n(v)o(ents)h(to)f(the)h(ar)o(guments)e(of)i(the)p
-2049 4455 801 4 v 2134 4509 a Fk(2)2169 4532 y Fp(There)e(is)f(a)h
-(subtle)h(design)g(decision)g(in)m(v)o(olv)o(ed)h(with)e(processing)i
-(all)e(of)g(the)2049 4611 y(generated)g(e)n(v)o(ents)f(before)g
-(proceeding)h(to)e(read)g(the)g(ne)o(xt)g(pack)o(et.)39
-b(W)-5 b(e)22 b(might)h(be)2049 4690 y(tempted)f(to)e(defer)h(e)n(v)o
-(ent)h(processing)g(until)g(a)e(period)h(of)g(relati)n(v)o(ely)j(light)
-d(acti)n(vity)l(,)2049 4769 y(to)g(aid)g(the)g(engine)h(with)f(k)o
-(eeping)i(up)d(during)h(periods)h(of)e(hea)o(vy)h(load.)32
-b(Ho)n(we)n(v)o(er)m(,)2049 4848 y(doing)24 b(so)f(can)h(lead)h(to)f
-(races:)35 b(the)24 b(\223e)n(v)o(ent)h(control\224)h(arro)n(w)e(in)g
-(Figure)g(1)f(re\003ects)2049 4927 y(the)e(f)o(act)h(that)g(the)f
-(polic)o(y)h(script)g(can,)f(to)g(a)g(limited)h(de)o(gree,)h
-(manipulate)g(the)e(con-)2049 5006 y(nection)h(state)f(maintained)i
-(inside)e(the)f(engine.)31 b(If)19 b(e)n(v)o(ent)j(processing)f(is)f
-(deferred,)2049 5085 y(then)k(such)f(control)h(may)f(happen)h(after)g
-(the)f(connection)j(state)e(has)f(already)i(been)2049
-5163 y(changed)20 b(due)f(to)f(more)g(recently-recei)n(v)o(ed)24
-b(traf)n(\002c.)h(So,)18 b(to)g(ensure)h(that)g(e)n(v)o(ent)h(pro-)2049
-5242 y(cessing)e(al)o(w)o(ays)i(re\003ects)e(fresh)g(data,)g(and)g
-(does)g(not)g(inadv)o(ertently)j(lead)e(to)e(incon-)2049
-5321 y(sistent)k(connection)i(state,)e(we)f(process)h(e)n(v)o(ents)g
-(immediately)l(,)h(before)f(mo)o(ving)g(on)2049 5400
-y(to)c(ne)n(wly-arri)n(v)o(ed)k(netw)o(ork)e(traf)n(\002c.)1929
-5649 y Fs(4)p eop
-%%Page: 5 5
-5 4 bop -150 -104 a Fs(handler)m(,)23 b(and)h(interprets)g(the)g(code.)
-37 b(This)25 b(code)e(in)i(turn)e(can)i(e)o(x)o(e-)-150
--5 y(cute)19 b(arbitrary)e(Bro)i(scripting)f(commands,)f(including)h
-(generating)-150 95 y(ne)n(w)27 b(e)n(v)o(ents,)h(logging)e(real-time)g
-(noti\002cations)g(\(using)h(the)g(Unix)-150 194 y Fr(syslo)o(g)d
-Fs(function\),)e(recording)g(data)h(to)h(disk,)g(or)g(modifying)d
-(inter)n(-)-150 294 y(nal)k(state)g(for)f(access)i(by)e(subsequently)f
-(in)m(v)n(ok)o(ed)g(e)n(v)o(ent)h(handlers)-150 394 y(\(or)c(by)f(the)i
-(e)n(v)o(ent)e(engine)g(itself\).)-67 497 y(Finally)-5
-b(,)41 b(along)c(with)g(separating)g(mechanism)f(from)g(polic)o(y)-5
-b(,)-150 597 y(Bro')g(s)23 b(emphasis)g(on)f(asynchronous)e(e)n(v)o
-(ents)i(as)i(the)f(link)f(between)-150 696 y(the)c(e)n(v)o(ent)f
-(engine)g(and)h(the)g(polic)o(y)e(script)i(interpreter)f(b)n(uys)h(a)g
-(great)-150 796 y(deal)28 b(in)f(terms)h(of)f(e)o(xtensibility)-5
-b(.)46 b(Adding)26 b(ne)n(w)i(functionality)d(to)-150
-896 y(Bro)e(generally)f(consists)i(of)f(adding)e(a)j(ne)n(w)f(protocol)
-e(analyzer)h(to)-150 995 y(the)e(e)n(v)o(ent)f(engine)g(and)h(then)g
-(writing)f(ne)n(w)h(e)n(v)o(ent)f(handlers)g(for)h(the)-150
-1095 y(e)n(v)o(ents)27 b(generated)f(by)h(the)h(analyzer)-5
-b(.)46 b(Neither)27 b(the)h(analyzer)e(nor)-150 1194
-y(the)g(e)n(v)o(ent)f(handlers)g(tend)h(to)g(ha)n(v)o(e)g(much)f(o)o(v)
-o(erlap)f(with)i(e)o(xisting)-150 1294 y(functionality)-5
-b(,)16 b(so)k(for)e(the)h(most)f(part)h(we)g(can)g(a)n(v)n(oid)f(the)h
-(subtle)g(in-)-150 1394 y(teractions)25 b(between)g(loosely)g(coupled)f
-(modules)h(that)h(can)f(easily)-150 1493 y(lead)20 b(to)g(maintenance)f
-(headaches)g(and)g(b)n(uggy)g(programs.)-150 1794 y Ft(3)119
-b(The)31 b Fd(Bro)e Ft(language)-150 1987 y Fs(As)21
-b(discussed)g(abo)o(v)o(e,)d(we)j(e)o(xpress)f(security)g(policies)h
-(in)f(terms)h(of)-150 2086 y(scripts)i(written)g(in)g(the)g
-(specialized)f Fm(Bro)h Fs(language.)31 b(In)23 b(this)g(sec-)-150
-2186 y(tion)18 b(we)g(gi)n(v)o(e)f(an)g(o)o(v)o(ervie)n(w)f(of)h(the)h
-(language')-5 b(s)17 b(features.)23 b(The)17 b(aim)-150
-2285 y(is)25 b(to)g(con)m(v)o(e)o(y)d(the)i(\003a)n(v)n(or)h(of)f(the)g
-(language,)g(rather)f(than)h(describe)-150 2385 y(it)d(precisely)-5
-b(.)-67 2488 y(Our)23 b(goal)f(of)h(\223a)n(v)n(oid)g(simple)g(mistak)o
-(es\224)g(\()p Fi(x)g Fs(1\),)h(while)f(perhaps)-150
-2588 y(sounding)28 b(trite,)k(in)e(f)o(act)g(hea)n(vily)g(in\003uenced)
-e(the)i(design)f(of)h(the)-150 2688 y Fm(Bro)24 b Fs(language.)35
-b(Because)24 b(intrusion)f(detection)g(can)h(form)f(a)h(cor)n(-)-150
-2787 y(nerstone)18 b(of)i(the)f(security)g(measures)g(a)n(v)n(ailable)g
-(to)h(a)g(site,)g(we)g(v)o(ery)-150 2887 y(much)26 b(w)o(ant)g(our)g
-(polic)o(y)f(scripts)i(to)g(beha)n(v)o(e)e(as)j(e)o(xpected.)42
-b(From)-150 2987 y(our)20 b(o)n(wn)h(e)o(xperience,)e(a)j(big)f(step)g
-(to)n(w)o(ards)g(a)n(v)n(oiding)f(surprises)h(is)-150
-3086 y(to)d(use)g(a)g(strongly)f(typed)g(language)f(that)i(detects)g
-(typing)e(inconsis-)-150 3186 y(tencies)21 b(at)h(compile-time,)e(and)g
-(that)i(guarantees)e(that)h(all)h(v)n(ariable)-150 3285
-y(references)h(at)i(run-time)d(will)j(be)f(to)h(v)n(alid)f(v)n(alues.)
-36 b(Furthermore,)-150 3385 y(we)26 b(ha)n(v)o(e)e(come)h(to)g
-(appreciate)f(the)h(bene\002ts)g(of)g(domain-speci\002c)-150
-3485 y(languages,)32 b(that)f(is,)j(languages)29 b(tailored)h(for)g(a)h
-(particular)e(task.)-150 3584 y(Ha)n(ving)c(cobbled)f(together)g(our)h
-(\002rst)h(monitoring)d(system)j(out)f(of)-150 3684 y
-Fm(tcpdump)p Fs(,)30 b Fm(awk)p Fs(,)h(and)d(shell)h(scripts,)i(we)e
-(thirsted)f(for)g(w)o(ays)h(to)-150 3784 y(deal)j(directly)g(with)h
-(hostnames,)h(IP)f(addresses,)i(port)c(numbers,)-150
-3883 y(and)20 b(the)g(lik)o(e,)g(rather)f(than)h(de)n(vising)f(ASCII)h
-(pseudo-equi)n(v)n(alents.)-150 3983 y(By)c(making)e(these)h(sorts)g
-(of)g(entities)h(\002rst-class)g(v)n(alues)f(in)g Fm(Bro)p
-Fs(,)h(we)-150 4082 y(both)k(increase)g(the)h(ease)g(of)g(e)o
-(xpression)e(of)n(fered)g(by)h(the)h(language)-150 4182
-y(and,)h(due)f(to)h(strong)f(typing,)g(catch)h(errors)f(\(such)g(as)i
-(comparing)c(a)-150 4282 y(port)h(to)g(an)g(IP)h(address\))e(that)h
-(might)g(otherwise)f(slip)i(by)-5 b(.)-150 4540 y Fh(3.1)99
-b(Data)25 b(types)g(and)h(constants)-150 4703 y Fl(Atomic)d(types.)35
-b Fm(Bro)23 b Fs(supports)f(se)n(v)o(eral)h(types)g(f)o(amiliar)g(to)g
-(users)-150 4802 y(of)32 b(traditional)g(languages:)48
-b Fm(bool)32 b Fs(for)g(booleans,)i Fm(int)f Fs(for)f(in-)-150
-4902 y(te)o(gers,)25 b Fm(count)f Fs(for)g(non-ne)o(gati)n(v)o(e)d
-(inte)o(gers)j(\(\223unsigned\224)e(in)j(C\),)-150 5001
-y Fm(double)k Fs(for)g(double-precision)d(\003oating)j(point,)i(and)e
-Fm(string)-150 5101 y Fs(for)18 b(a)h(series)g(of)f(bytes.)24
-b(The)19 b(\002rst)g(four)e(of)h(these)h(\(all)g(b)n(ut)f
-Fm(string)p Fs(\))-150 5201 y(are)h(termed)g Fr(arithmetic)g
-Fs(types,)g(and)g(mixing)f(them)h(in)h(e)o(xpressions)-150
-5300 y(promotes)35 b Fm(bool)h Fs(to)h Fm(count)p Fs(,)i
-Fm(count)d Fs(to)h Fm(int)p Fs(,)j(and)c Fm(int)g Fs(to)-150
-5400 y Fm(double)p Fs(.)2132 -104 y Fm(Bro)e Fs(pro)o(vides)d
-Fm(T)j Fs(and)f Fm(F)h Fs(as)g Fm(bool)g Fs(constants)f(for)g(true)g
-(and)2049 -5 y(f)o(alse;)38 b(a)33 b(series)f(of)g(digits)g(for)g
-Fm(count)f Fs(constants;)38 b(and)31 b(C-style)2049 95
-y(constants)20 b(for)f Fm(double)h Fs(and)g Fm(string)p
-Fs(.)2132 194 y(Unlik)o(e)27 b(in)g(C,)g(ho)n(we)n(v)o(er)m(,)f
-Fm(Bro)h Fs(strings)g(are)g(represented)e(inter)n(-)2049
-294 y(nally)j(as)g(a)h(count)e(and)g(a)i(v)o(ector)d(of)i(bytes,)i
-(rather)d(than)g(a)i(NUL-)2049 394 y(terminated)24 b(series)j(of)e
-(bytes.)41 b(This)26 b(dif)n(ference)d(is)k(important)d(be-)2049
-493 y(cause)34 b(NULs)g(can)g(easily)g(be)g(introduced)d(into)j
-(strings)f(deri)n(v)o(ed)2049 593 y(from)22 b(netw)o(ork)f(traf)n
-(\002c,)i(either)f(by)h(the)f(nature)g(of)h(the)f(application,)2049
-693 y(inadv)o(ertently)-5 b(,)35 b(or)f(maliciously)g(by)g(an)g(attack)
-o(er)g(attempting)f(to)2049 792 y(sub)o(v)o(ert)21 b(the)i(monitor)-5
-b(.)30 b(An)23 b(e)o(xample)e(of)h(the)h(latter)g(is)g(sending)f(the)
-2049 892 y(follo)n(wing)d(to)h(an)g(FTP)h(serv)o(er:)2208
-1043 y Ff(USER)40 b(nice\\0USER)e(root)2049 1216 y Fs(where)20
-b(\223)p Fm(\\0)p Fs(\224)g(represents)f(a)i(NUL.)f(Depending)f(on)h
-(ho)n(w)f(it)i(is)h(writ-)2049 1315 y(ten,)33 b(the)e(FTP)h
-(application)d(recei)n(ving)h(this)h(te)o(xt)g(might)f(well)i(in-)2049
-1415 y(terpret)i(it)h(as)h(tw)o(o)f(separate)f(commands,)j(\223)p
-Fm(USER)49 b(nice)p Fs(\224)34 b(fol-)2049 1515 y(lo)n(wed)d(by)g(\223)
-p Fm(USER)49 b(root)p Fs(\224.)58 b(But)32 b(if)g(the)g(monitoring)d
-(program)2049 1614 y(uses)18 b(NUL-terminated)c(strings,)k(then)e(it)i
-(will)g(ef)n(fecti)n(v)o(ely)d(see)i(only)2049 1714 y(\223)p
-Fm(USER)49 b(nice)p Fs(\224)27 b(and)h(ha)n(v)o(e)f(no)h(opportunity)c
-(to)k(detect)g(the)g(sub-)2049 1813 y(v)o(ersi)n(v)o(e)19
-b(action.)2132 1913 y(Similarly)-5 b(,)22 b(it)h(is)h(important)c(that)
-j(when)f(Bro)g(logs)h(such)f(strings,)2049 2013 y(or)33
-b(prints)g(them)f(as)i(te)o(xt)f(to)g(a)h(\002le,)i(that)e(it)f(e)o
-(xpands)f(embedded)2049 2112 y(NULs)19 b(into)g(visible)f(escape)h
-(sequences)f(to)h(\003ag)f(their)h(appearance.)2132 2212
-y Fm(Bro)44 b Fs(also)f(includes)g(a)h(number)e(of)h(non-traditional)e
-(types,)2049 2312 y(geared)35 b(to)n(w)o(ards)h(its)i(speci\002c)f
-(problem)d(domain.)73 b(A)37 b(v)n(alue)f(of)2049 2411
-y(type)23 b Fm(time)h Fs(re\003ects)g(an)g(absolute)f(time,)i(and)e
-Fm(interval)g Fs(a)h(dif-)2049 2511 y(ference)35 b(in)h(time.)74
-b(Subtracting)34 b(tw)o(o)j Fm(time)f Fs(v)n(alues)g(yields)g(an)2049
-2610 y Fm(interval)p Fs(;)17 b(adding)e(or)h(subtracting)f(an)i
-Fm(interval)e Fs(to)i(a)g Fm(time)2049 2710 y Fs(yields)25
-b(a)h Fm(time)p Fs(;)j(adding)24 b(tw)o(o)i Fm(time)f
-Fs(v)n(alues)g(is)i(an)e(error)-5 b(.)40 b(There)2049
-2810 y(are)24 b(presently)e(no)i Fm(time)f Fs(constants,)h(b)n(ut)g
-Fm(interval)f Fs(constants)2049 2909 y(can)33 b(be)h(speci\002ed)f
-(using)g(a)h(numeric)f(\(possibly)f(\003oating-point\))2049
-3009 y(v)n(alue)i(follo)n(wed)f(by)h(a)g(unit)h(of)f(time,)j(such)e(as)
-g(\223)p Fm(30)49 b(min)p Fs(\224)34 b(for)2049 3109
-y(thirty)20 b(minutes.)2132 3208 y(The)k Fm(port)g Fs(type)g
-(corresponds)e(to)i(a)h(TCP)g(or)e(UDP)i(port)f(num-)2049
-3308 y(ber)-5 b(.)24 b(TCP)18 b(and)e(UDP)h(ports)g(are)g(distinct.)23
-b(Thus,)17 b(a)h(v)n(ariable)d(of)i(type)2049 3407 y
-Fm(port)j Fs(can)g(hold)f(either)h(a)h(TCP)g(or)f(a)g(UDP)h(port,)f(b)n
-(ut)g(at)g(an)o(y)g(gi)n(v)o(en)2049 3507 y(time)g(it)h(is)g(holding)e
-(e)o(xactly)g(one)h(of)g(these.)2132 3607 y(There)29
-b(are)h(tw)o(o)h(forms)e(of)h Fm(port)g Fs(constants.)55
-b(The)30 b(\002rst)g(con-)2049 3706 y(sists)h(of)f(an)g(unsigned)e
-(inte)o(ger)h(follo)n(wed)f(by)i(either)f(\223)p Fm(/tcp)p
-Fs(\224)h(or)2049 3806 y(\223)p Fm(/udp)p Fs(.)-6 b(\224)46
-b(So,)28 b(for)f(e)o(xample,)g(\223)p Fm(80/tcp)p Fs(\224)g
-(corresponds)d(to)k(TCP)2049 3906 y(port)c(80)h(\(the)f(HTTP)h
-(protocol)e(used)i(by)f(the)h(W)-7 b(orld)25 b(W)m(ide)f(W)-7
-b(eb\).)2049 4005 y(The)39 b(second)e(form)h(of)h(constant)f(is)i
-(speci\002ed)e(using)h(a)g(prede-)2049 4105 y(\002ned)28
-b(identi\002er)m(,)i(such)e(as)i(\223)p Fm(http)p Fs(\224,)g(equi)n(v)n
-(alent)d(to)h(\223)p Fm(80/tcp)p Fs(.)-6 b(\224)2049
-4204 y(Originally)h(,)15 b(we)h(w)o(ould)g(look)f(up)g
-(otherwise-unde\002ned)e(identi\002ers)2049 4304 y(using)33
-b(the)h Fr(g)o(etservbyname)e Fs(library)g(routine.)64
-b(Ho)n(we)n(v)o(er)m(,)35 b(doing)2049 4404 y(so)e(not)f(only)f(runs)h
-(into)h(dif)n(\002culties)f(when)f(a)i(single)g(name)e(lik)o(e)2049
-4503 y(\223)p Fm(domain)p Fs(\224)g(has)h(both)f(TCP)i(and)e(UDP)h
-(de\002nitions,)i(b)n(ut,)g(more)2049 4603 y(fundamentally)-5
-b(,)27 b(erodes)h(portability)e(because)i(a)h Fr(g)o(etservbyname)2049
-4703 y Fs(service)e(name)h(kno)n(wn)e(on)h(one)h(system)f(might)h(well)
-g(be)g(missing)2049 4802 y(from)17 b(another)g(system,)h(rendering)e
-(in)m(v)n(alid)h(an)o(y)g Fm(Bro)h Fs(scripts)h(writ-)2049
-4902 y(ten)h(using)g(the)g(service)g(name.)2132 5001
-y(V)-9 b(alues)20 b(of)g(type)g Fm(port)g Fs(may)g(be)g(compared)e(for)
-i(equality)f(or)h(or)n(-)2049 5101 y(dering)31 b(\(for)g(e)o(xample,)j
-(\223)p Fm(20/tcp)48 b(<)i(telnet)p Fs(\224)31 b(yields)i(true\),)2049
-5201 y(b)n(ut)20 b(otherwise)g(cannot)f(be)h(operated)f(on.)2132
-5300 y(Another)j(netw)o(orking)f(type)i(pro)o(vided)e(by)i
-Fm(Bro)g Fs(is)h Fm(addr)p Fs(,)g(cor)n(-)2049 5400 y(responding)29
-b(to)j(an)f(IP)h(address.)59 b(These)31 b(are)h(represented)e(inter)n
-(-)1929 5649 y(5)p eop
-%%Page: 6 6
-6 5 bop -150 -104 a Fs(nally)17 b(as)h(unsigned,)e(32-bit)g(inte)o
-(gers,)h(b)n(ut)g(in)h Fm(Bro)f Fs(scripts)h(the)f(only)-150
--5 y(operations)26 b(that)h(can)g(be)g(performed)d(on)j(them)f(are)h
-(comparisons)-150 95 y(for)e(equality)g(or)h(inequality)e(\(also,)j(a)f
-(b)n(uilt-in)f(function)f(pro)o(vides)-150 194 y(masking,)19
-b(as)h(discussed)g(belo)n(w\).)k(Constants)c(of)g(type)f
-Fm(addr)h Fs(ha)n(v)o(e)-150 294 y(the)g(f)o(amiliar)g(\223dotted)f
-(quad\224)g(format,)g Fj(A)1064 306 y Fn(1)1102 294 y
-Fj(:A)1187 306 y Fn(2)1224 294 y Fj(:A)1309 306 y Fn(3)1347
-294 y Fj(:A)1432 306 y Fn(4)1469 294 y Fs(.)-67 394 y(More)37
-b(interesting)g(are)g Fr(hostname)f Fs(constants.)77
-b(There)37 b(is)h(no)-150 493 y Fm(Bro)45 b Fs(type)f(corresponding)d
-(to)j(Internet)g(hostnames,)49 b(because)-150 593 y(hostnames)26
-b(can)g(correspond)e(to)j(multiple)f(IP)h(addresses,)g(so)g(one)-150
-693 y(quickly)34 b(runs)g(into)h(ambiguities)f(if)h(comparing)d(one)j
-(hostname)-150 792 y(with)h(another)-5 b(.)71 b Fm(Bro)36
-b Fs(does,)j(ho)n(we)n(v)o(er)m(,)e(support)e(hostnames)g(as)-150
-892 y(constants.)81 b(An)o(y)38 b(series)i(of)e(tw)o(o)i(or)e(more)h
-(identi\002ers)f(delim-)-150 991 y(ited)c(by)f(dots)h(forms)f(a)i
-(hostname)d(constant,)37 b(so,)g(for)c(e)o(xample,)-150
-1091 y(\223)p Fm(lbl.gov)p Fs(\224)23 b(and)h(\223)p
-Fm(www.microsoft.com)p Fs(\224)d(are)j(both)f(host-)-150
-1191 y(name)f(constants)g(\(the)h(latter)m(,)g(as)g(of)f(this)i
-(writing,)e(corresponds)e(to)-150 1290 y(6)27 b(distinct)g(IP)h
-(addresses\).)44 b(The)27 b(v)n(alue)f(of)h(a)g(hostname)f(constant)
--150 1390 y(is)21 b(a)g Fm(list)g Fs(of)f Fm(addr)g Fs(containing)f
-(one)h(or)g(more)g(elements.)26 b(These)-150 1490 y(lists)21
-b(cannot)e(be)g(used)h(in)g Fm(Bro)f Fs(e)o(xpressions;)g(b)n(ut)h(the)
-o(y)f(play)g(a)h(cen-)-150 1589 y(tral)27 b(role)f(in)h(initializing)f
-Fm(Bro)h(table)p Fs(')-5 b(s)26 b(and)g Fm(set)p Fs(')-5
-b(s,)29 b(discussed)-150 1689 y(in)20 b Fi(x)h Fs(3.3)f(belo)n(w)-5
-b(.)-67 1788 y Fl(Aggr)o(egate)22 b(types.)38 b Fm(Bro)24
-b Fs(also)h(supports)e(a)i(number)e(of)h(aggre-)-150
-1888 y(gate)j(types.)46 b(A)28 b Fm(record)f Fs(is)h(a)g(collection)e
-(of)h(elements)g(of)g(arbi-)-150 1988 y(trary)19 b(type.)25
-b(F)o(or)19 b(e)o(xample,)f(the)i(prede\002ned)e Fm(conn)p
-1370 1988 25 4 v 29 w(id)j Fs(type,)e(used)-150 2087
-y(to)f(hold)g(connection)e(identi\002ers,)i(is)i(de\002ned)d(in)h(the)h
-Fm(Bro)f Fs(run-time)-150 2187 y(initialization)i(\002le)g(as:)9
-2339 y Ff(type)40 b(conn_id:)e(record)h({)169 2418 y(orig_h:)g(addr;)
-169 2497 y(orig_p:)g(port;)169 2576 y(resp_h:)g(addr;)169
-2655 y(resp_p:)g(port;)9 2734 y(};)-150 2907 y Fs(The)27
-b Fm(orig)p 212 2907 V 29 w(h)h Fs(and)f Fm(resp)p 667
-2907 V 29 w(h)h Fs(elements)f(\(or)g(\223\002elds\224\))g(ha)n(v)o(e)g
-(type)-150 3006 y Fm(addr)e Fs(and)g(hold)g(the)h(connection)d
-(originator')-5 b(s)24 b(and)h(responder')-5 b(s)-150
-3106 y(IP)21 b(addresses.)26 b(Similarly)-5 b(,)20 b
-Fm(orig)p 862 3106 V 29 w(p)h Fs(and)f Fm(resp)p 1303
-3106 V 29 w(p)h Fs(hold)f(the)h(orig-)-150 3205 y(inator)g(and)f
-(responder)f(ports.)28 b(Record)21 b(\002elds)h(are)f(accessed)g(using)
--150 3305 y(the)f(\223)p Fm($)p Fs(\224)g(operator)-5
-b(.)-67 3405 y(F)o(or)20 b(specifying)e(security)i(policies,)f(a)i
-(particularly)d(useful)i Fm(Bro)-150 3504 y Fs(type)26
-b(is)i Fm(table)p Fs(.)44 b Fm(Bro)26 b Fs(tables)h(ha)n(v)o(e)f(tw)o
-(o)h(components,)f(a)h(set)h(of)-150 3604 y Fr(indices)c
-Fs(and)g(a)h Fr(yield)g(type)p Fs(.)37 b(The)24 b(indices)h(may)f(be)g
-(of)g(an)o(y)g(atomic)-150 3704 y(\(non-aggre)o(gate\))c(type,)25
-b(and/or)e(an)o(y)h Fm(record)g Fs(types)h(that,)g(when)-150
-3803 y(\(recursi)n(v)o(ely\))i(e)o(xpanded)g(into)i(all)h(of)f(their)g
-(elements,)i(are)e(com-)-150 3903 y(prised)h(of)h(only)f(atomic)h
-(types.)57 b(\(Thus,)32 b Fm(Bro)f Fs(tables)g(pro)o(vide)e(a)-150
-4002 y(form)19 b(of)h(associati)n(v)o(e)g(array)-5 b(.\))23
-b(So,)d(for)g(e)o(xample,)9 4155 y Ff(table[port])39
-b(of)g(string)-150 4307 y Fs(can)20 b(be)g(inde)o(x)o(ed)e(by)i(a)h
-Fm(port)f Fs(v)n(alue,)f(yielding)g(a)h Fm(string)p Fs(,)g(and:)9
-4445 y Ff(table[conn_id])38 b(of)i(ftp_session_info)-150
-4603 y Fs(is)34 b(inde)o(x)o(ed)c(by)i(a)h Fm(conn)p
-623 4603 V 30 w(id)f Fs(record\227or)m(,)h(equi)n(v)n(alently)-5
-b(,)33 b(by)g(an)-150 4703 y Fm(addr)p Fs(,)42 b(a)d
-Fm(port)p Fs(,)j(another)36 b Fm(addr)p Fs(,)43 b(and)37
-b(another)g Fm(port)p Fs(\227and)-150 4802 y(yields)20
-b(an)g Fm(ftp)p 323 4802 V 30 w(session)p 703 4802 V
-28 w(info)g Fs(record)f(as)i(a)f(result.)-67 4902 y(Closely)i(related)e
-(to)i Fm(table)e Fs(types)h(are)h Fm(set)f Fs(types.)28
-b(These)21 b(are)-150 5001 y(simply)d Fm(table)f Fs(types)h(that)h(do)e
-(not)h(yield)g(a)g(v)n(alue.)24 b(Their)17 b(purpose)-150
-5101 y(is)j(to)f(maintain)f(collections)h(of)g(tuples,)g(e)o(xpressed)e
-(in)j(terms)f(of)g(the)-150 5201 y(set')-5 b(s)18 b(indices.)23
-b(The)16 b(e)o(xamples)f(in)i Fi(x)g Fs(3.3)f(clarify)f(ho)n(w)h(this)h
-(is)g(useful.)-67 5300 y(Another)27 b(aggre)o(gate)e(type)i(supported)f
-(is)j Fm(file)p Fs(.)48 b(Support)26 b(for)-150 5400
-y(\002les)d(is)g(presently)d(crude:)28 b(a)22 b(script)g(can)g(open)f
-(\002les)h(for)g(writing)f(or)2049 -104 y(appending,)j(and)g(can)h
-(pass)h(the)g(resulting)e Fm(file)h Fs(v)n(ariable)f(to)i(the)2049
--5 y Fm(print)e Fs(command)f(to)i(specify)f(where)g(it)i(should)e
-(write,)i(b)n(ut)e(that)2049 95 y(is)j(all.)42 b(Also,)27
-b(these)f(\002les)h(are)f(simple)f(ASCII.)h(In)g(the)f(future,)h(we)
-2049 194 y(plan)g(to)h(e)o(xtend)f(\002les)i(to)f(support)e(reading,)i
-(ASCII)g(parsing,)g(and)2049 294 y(binary)19 b(\(typed\))f(reading)h
-(and)h(writing.)2132 394 y(Finally)-5 b(,)24 b(abo)o(v)o(e)d(we)j
-(alluded)f(to)h(the)f Fm(list)g Fs(type,)h(which)f(holds)2049
-493 y(zero)e(or)g(more)g(instances)h(of)f(a)h(v)n(alue.)28
-b(Currently)-5 b(,)20 b(this)i(type)f(is)i(not)2049 593
-y(directly)c(a)n(v)n(ailable)g(to)h(the)g Fm(Bro)f Fs(script)h(writer)m
-(,)f(other)g(than)g(implic-)2049 693 y(itly)k(when)e(using)h
-Fr(hostname)f Fs(constants.)30 b(Since)22 b(its)i(present)d(use)i(is)
-2049 792 y(primarily)g(internal)h(to)g(the)h(script)f(interpreter)f
-(\(when)g(initializing)2049 892 y(v)n(ariables,)c(per)h
-Fi(x)h Fs(3.3\),)e(we)h(do)g(not)g(describe)f(it)i(further)-5
-b(.)2132 991 y Fl(Regular)44 b(expr)o(essions.)99 b Fs(The)45
-b(last)g(b)n(uilt-in)f Fm(Bro)h Fs(type)g(is)2049 1091
-y Fm(pattern)p Fs(.)51 b(P)o(atterns)29 b(are)g(Unix-style)f(re)o
-(gular)g(e)o(xpressions;)k(in)2049 1191 y(particular)m(,)22
-b(the)h(syntax)f(used)h(by)g(the)g Fr(\003e)n(x)g Fs(utility)g([P)o
-(a96)n(].)34 b(P)o(attern)2049 1290 y(constants)20 b(are)g(enclosed)f
-(by)h Fm(/)g Fs(delimiters.)25 b(F)o(or)20 b(e)o(xample:)2208
-1435 y Ff(/sync|lp|uucp|operator|ezsetup|4dgifts/)2049
-1600 y Fs(is)k(a)f(pattern)f(that)i(matches)e(a)i(number)d(of)i(common)
-e(def)o(ault)h(Unix)2049 1700 y(accounts.)2132 1800 y(Presently)-5
-b(,)20 b(only)h(tw)o(o)g(operations)f(are)h(allo)n(wed)f(on)h(pattern)f
-(v)n(al-)2049 1899 y(ues:)25 b(assignment,)18 b(and)h(testing)g(to)h
-(see)f(whether)g(the)g(pattern)f(v)n(alue)2049 1999 y(matches)i(a)g(gi)
-n(v)o(en)f(string)h(\(discussed)g(belo)n(w\).)2049 2233
-y Fh(3.2)99 b(Operators)2049 2389 y Fm(Bro)27 b Fs(pro)o(vides)e(a)j
-(number)d(of)i(C-lik)o(e)g(operators)f(\()p Fm(+)p Fs(,)j
-Fm(-)p Fs(,)g Fm(*)p Fs(,)f Fm(/)p Fs(,)h Fm(\045)p Fs(,)2049
-2489 y Fm(!)p Fs(,)g Fm(&&)p Fs(,)f Fm(||)p Fs(,)h Fm(?:)p
-Fs(,)f(relationals)e(lik)o(e)h Fm(<=)p Fs(\))g(with)g(which)f(we)i
-(assume)2049 2588 y(the)e(reader)f(is)i(f)o(amiliar)m(,)f(and)g(will)h
-(not)e(detail)h(here.)42 b(Assignment)2049 2688 y(is)28
-b(done)e(using)h Fm(=)p Fs(,)i(table)e(and)f(set)i(inde)o(xing)d(with)i
-Fm([])p Fs(,)i(and)e(func-)2049 2787 y(tion)19 b(in)m(v)n(ocation)f
-(and)h(e)n(v)o(ent)g(generation)e(with)j Fm(\(\))p Fs(.)25
-b(Numeric)18 b(v)n(ari-)2049 2887 y(ables)35 b(can)g(be)f(incremented)f
-(and)h(decremented)f(using)h Fm(++)h Fs(and)2049 2987
-y Fm(--)p Fs(.)i(Record)23 b(\002elds)i(are)f(accessed)g(using)g
-Fm($)p Fs(,)h(to)f(a)n(v)n(oid)g(ambiguity)2049 3086
-y(with)30 b Fr(hostname)f Fs(constants.)54 b(Assignment)30
-b(of)f(aggre)o(gate)f(v)n(alues)2049 3186 y(is)h Fr(shallow)p
-Fs(\227the)e(ne)n(wly-assigned)e(v)n(ariable)i(refers)g(to)h(the)f
-(same)2049 3286 y(aggre)o(gate)20 b(v)n(alue)h(as)i(the)f(right-hand)d
-(side)j(of)g(the)g(assignment)f(e)o(x-)2049 3385 y(pression.)52
-b(This)30 b(choice)f(w)o(as)h(made)f(to)h(f)o(acilitate)f(performance;)
-2049 3485 y(we)e(ha)n(v)o(e)f(not)g(yet)h(been)f(bitten)g(by)h(the)f
-(semantics)h(\(which)f(dif)n(fer)2049 3585 y(from)21
-b(C\).)i(W)-7 b(e)24 b(may)d(in)i(the)f(future)g(add)f(a)i
-Fm(copy)f Fs(operator)f(to)h(con-)2049 3684 y(struct)e(\223deep\224)f
-(copies.)2132 3784 y(From)30 b(the)g(perspecti)n(v)o(e)e(of)i(C,)g(the)
-g(only)g(no)o(v)o(el)e(operators)h(are)2049 3883 y Fm(in)f
-Fs(and)e Fm(!in)p Fs(.)47 b(These)27 b(in\002x)g(operators)f(yield)h
-Fm(bool)g Fs(v)n(alues)g(de-)2049 3983 y(pending)16 b(on)h(whether)g
-(or)g(not)h(a)g(gi)n(v)o(en)e(inde)o(x)h(is)h(in)g(a)g(gi)n(v)o(en)f
-Fm(table)2049 4083 y Fs(or)k Fm(set)p Fs(.)26 b(F)o(or)21
-b(e)o(xample,)e(if)i Fm(sensitive)p 3322 4083 V 29 w(services)f
-Fs(is)h(a)h Fm(set)2049 4182 y Fs(inde)o(x)o(ed)c(by)i(a)h(single)f
-Fm(port)p Fs(,)f(then)2208 4327 y Ff(23/tcp)39 b(in)h
-(sensitive_services)2049 4492 y Fs(returns)20 b(true)g(if)h(the)g(set)h
-(has)f(an)g(element)f(corresponding)d(to)k(an)g(in-)2049
-4592 y(de)o(x)c(of)h(TCP)h(port)f(23,)g(f)o(alse)g(if)h(it)g(does)f
-(not)g(ha)n(v)o(e)f(such)h(an)g(element.)2049 4692 y(Similarly)-5
-b(,)25 b(if)f Fm(RPC)p 2630 4692 V 30 w(okay)g Fs(is)i(a)e
-Fm(set)h Fs(\(or)f Fm(table)p Fs(\))g(inde)o(x)o(ed)e(by)i(a)2049
-4791 y(source)30 b(address,)i(a)f(destination)e(address,)k(and)d(an)g
-(RPC)i(service)2049 4891 y(number)18 b(\(a)j Fm(count)p
-Fs(\),)e(then)2129 5035 y Ff([src_addr,)38 b(dst_addr,)h(serv])g(in)g
-(RPC_okay)2049 5201 y Fs(yields)34 b(true)f(if)h(the)g(gi)n(v)o(en)e
-(ordered)g(triple)h(is)i(present)e(as)h(an)g(in-)2049
-5300 y(de)o(x)26 b(into)h Fm(RPC)p 2507 5300 V 30 w(okay)p
-Fs(.)45 b(The)27 b Fm(!in)g Fs(operator)f(simply)g(returns)h(the)2049
-5400 y(boolean)19 b(ne)o(gation)f(of)i(the)g Fm(in)g
-Fs(operator)-5 b(.)1929 5649 y(6)p eop
-%%Page: 7 7
-7 6 bop -67 -104 a Fs(Presently)-5 b(,)17 b(inde)o(xing)e(a)j(table)g
-(or)f(set)h(with)g(a)g(v)n(alue)f(that)h(does)f(not)-150
--5 y(correspond)24 b(to)i(one)g(of)g(its)h(elements)f(leads)g(to)h(a)g
-(run-time)d(error)m(,)-150 95 y(so)d(such)g(operations)e(need)h(to)h
-(be)g(preceded)e(by)h Fm(in)h Fs(tests.)28 b(W)-7 b(e)22
-b(\002nd)-150 194 y(this)g(not)f(entirely)f(satisfying,)h(and)g(plan)f
-(to)i(add)f(a)g(mechanism)f(for)-150 294 y(optionally)28
-b(specifying)g(the)h(action)g(to)h(tak)o(e)f(in)h(such)f(cases)h(on)f
-(a)-150 394 y(per)n(-table)19 b(basis.)-67 498 y(Another)26
-b(use)h(of)f(the)h Fm(in)g Fs(and)g Fm(!in)g Fs(operators)e(is)j(for)e
-(re)o(gular)n(-)-150 598 y(e)o(xpression)19 b(pattern)g(matching.)k(F)o
-(or)d(e)o(xample,)-70 785 y Ff(filename)38 b(in)i(/rootkit-1\\.[5-8]/)
--150 987 y Fs(yields)20 b(true)h(if)g(the)f(v)n(alue)g(of)g(the)h(e)o
-(xpression)e Fm(filename)g Fs(\(which)-150 1087 y(must)26
-b(ha)n(v)o(e)g(type)g Fm(string)p Fs(\))f(matches)h(an)o(y)f(of)h
-Fm(rootkit-1.5)p Fs(,)-150 1187 y Fm(rootkit-1.6)p Fs(,)18
-b Fm(rootkit-1.7)p Fs(,)h(or)h Fm(rootkit-1.8)p Fs(.)-67
-1291 y(Finally)-5 b(,)33 b Fm(Bro)d Fs(includes)h(a)g(number)e(of)h
-(prede\002ned)f(functions)-150 1391 y(to)46 b(perform)e(operations)g
-(not)i(directly)f(a)n(v)n(ailable)h(in)g(the)g(lan-)-150
-1490 y(guage.)27 b(Some)21 b(of)g(the)g(more)f(interesting:)27
-b Fm(fmt)21 b Fs(pro)o(vides)e Fr(sprintf)12 b Fs(-)-150
-1590 y(style)26 b(formatting)d(for)i(use)g(in)h(printing)d(or)i
-(manipulating)f(strings;)-150 1690 y Fm(edit)j Fs(returns)f(a)i(cop)o
-(y)e(of)h(a)g(string)g(that)g(has)g(been)g(edited)f(using)-150
-1789 y(the)i(gi)n(v)o(en)f(editing)h(characters)f(\(currently)f(it)j
-(only)f(kno)n(ws)g(about)-150 1889 y(single-character)44
-b(deletions\);)57 b Fm(mask)p 1041 1889 25 4 v 29 w(addr)46
-b Fs(tak)o(es)g(an)g Fm(addr)-150 1989 y Fs(and)31 b(returns)f(another)
-g Fm(addr)g Fs(corresponding)e(to)j(its)i(top)d Fj(n)i
-Fs(bits;)-150 2088 y Fm(open)43 b Fs(and)g Fm(close)g
-Fs(manipulate)f Fm(file)p Fs(s;)55 b Fm(network)p 1628
-2088 V 29 w(time)-150 2188 y Fs(returns)62 b(the)h(timestamp)g(of)g
-(the)g(most)g(recently)f(recei)n(v)o(ed)-150 2287 y(pack)o(et;)29
-b Fm(getenv)d Fs(pro)o(vides)e(access)j(to)g(en)m(vironment)c(v)n
-(ariables;)-150 2387 y Fm(skip)p 55 2387 V 29 w(further)p
-434 2387 V 29 w(processing)e Fs(marks)h(a)h(connection)e(as)i(not)-150
-2487 y(requiring)d(an)o(y)h(further)f(analysis;)j Fm(set)p
-1035 2487 V 29 w(record)p 1364 2487 V 29 w(packets)e
-Fs(in-)-150 2586 y(structs)38 b(the)f(e)n(v)o(ent)f(engine)g(whether)g
-(or)h(not)g(to)h(record)d(an)o(y)i(of)-150 2686 y(a)j(connection')-5
-b(s)38 b(future)g(pack)o(ets)h(\(though)e(SYN/FIN/RST)k(are)-150
-2786 y(al)o(w)o(ays)c(recorded\);)43 b Fm(set)p 658 2786
-V 29 w(contents)p 1087 2786 V 29 w(file)36 b Fs(speci\002es)i(a)f
-(\002le)-150 2885 y(to)k(which)f(Bro)h(records)f(the)h(connection')-5
-b(s)39 b(reassembled)h(byte)-150 2985 y(stream;)46 b
-Fm(system)36 b Fs(e)o(x)o(ecutes)h(a)g(string)g(as)h(a)g(Unix)f(shell)g
-(com-)-150 3084 y(mand;)25 b(and)e Fm(parse)p 483 3084
-V 29 w(ftp)p 662 3084 V 30 w(port)g Fs(tak)o(es)i(an)e(FTP)i(\223POR)-5
-b(T\224)24 b(com-)-150 3184 y(mand)g(and)h(returns)g(a)g
-Fm(record)g Fs(with)h(the)f(corresponding)d Fm(addr)-150
-3284 y Fs(and)e Fm(port)p Fs(.)-150 3549 y Fh(3.3)99
-b(V)-9 b(ariables)-150 3714 y Fm(Bro)28 b Fs(supports)f(tw)o(o)h(le)n
-(v)o(els)g(of)f(scoping:)40 b(local)27 b(to)h(a)h(function)d(or)-150
-3813 y(e)n(v)o(ent)31 b(handler)m(,)i(and)e(global)g(to)h(the)g(entire)
-f Fm(Bro)h Fs(script.)60 b(Expe-)-150 3913 y(rience)28
-b(has)h(already)f(sho)n(wn)g(that)i(we)f(w)o(ould)f(bene\002t)g(by)h
-(adding)-150 4013 y(a)37 b(third,)i(intermediate)c(le)n(v)o(el)h(of)g
-(scoping,)j(perhaps)c(as)i(part)f(of)-150 4112 y(a)f(\223module\224)d
-(or)j(\223object\224)e(f)o(acility)-5 b(,)37 b(or)d(e)n(v)o(en)g(as)h
-(simple)f(as)h(C')-5 b(s)-150 4212 y Fm(static)33 b Fs(scoping.)65
-b(Local)33 b(v)n(ariables)g(are)h(declared)e(using)i(the)-150
-4312 y(k)o(e)o(yw)o(ord)20 b Fm(local)p Fs(,)i(and)f(the)h
-(declarations)f(must)g(come)h(inside)g(the)-150 4411
-y(body)c(of)i(a)g(function)e(or)h(e)n(v)o(ent)g(handler)-5
-b(.)24 b(There)19 b(is)i(no)e(requirement)-150 4511 y(to)31
-b(declare)f(v)n(ariables)g(at)i(the)f(be)o(ginning)d(of)j(the)g
-(function.)55 b(The)-150 4610 y(scope)21 b(of)h(the)g(v)n(ariable)e
-(ranges)h(from)g(the)h(point)f(of)g(declaration)f(to)-150
-4710 y(the)j(end)e(of)i(the)f(body)-5 b(.)30 b(Global)22
-b(v)n(ariables)g(are)g(declared)g(using)g(the)-150 4810
-y(k)o(e)o(yw)o(ord)28 b Fm(global)h Fs(and)g(the)g(declarations)g(must)
-g(come)g(outside)-150 4909 y(of)g(an)o(y)f(function)g(bodies.)51
-b(F)o(or)29 b(either)f(type)h(of)g(declaration,)h(the)-150
-5009 y(k)o(e)o(yw)o(ord)17 b(can)h(be)g(replaced)f(instead)i(by)f
-Fm(const)p Fs(,)g(which)g(indicates)-150 5109 y(that)i(the)g(v)n
-(ariable')-5 b(s)20 b(v)n(alue)f(is)j(constant)d(and)h(cannot)f(be)h
-(changed.)-67 5213 y(Syntactically)-5 b(,)19 b(a)h(v)n(ariable)f
-(declaration)g(looks)h(lik)o(e:)-150 5400 y Ff({class})39
-b({identifier})f([':')h({type}])g(['=')g({init}])2049
--104 y Fs(That)29 b(is,)j(a)d(class)h(\()p Fm(local)e
-Fs(or)h Fm(global)g Fs(scope,)h(or)f(the)g Fm(const)2049
--5 y Fs(quali\002er\),)21 b(the)h(name)f(of)h(the)f(v)n(ariable,)g(an)h
-(optional)f(type,)g(and)h(an)2049 95 y(optional)k(initialization)g(v)n
-(alue.)45 b(One)27 b(of)g(the)g(latter)g(tw)o(o)h(must)f(be)2049
-194 y(speci\002ed.)43 b(If)26 b(both)f(are,)i(then)f(naturally)f(the)h
-(type)g(of)f(the)i(initial-)2049 294 y(ization)22 b(much)g(agree)g
-(with)h(the)f(speci\002ed)g(type.)32 b(If)23 b(only)e(a)i(type)g(is)
-2049 394 y(gi)n(v)o(en,)e(then)g(the)h(v)n(ariable)f(is)i(mark)o(ed)d
-(as)j(not)e(ha)n(ving)g(a)h(v)n(alue)f(yet;)2049 493
-y(attempting)f(to)i(access)h(its)f(v)n(alue)f(before)g(\002rst)h
-(setting)g(it)g(results)g(in)2049 593 y(a)f(run-time)d(error)-5
-b(.)2132 694 y(If)23 b(only)f(an)g(initializer)h(is)h(speci\002ed,)f
-(then)f(Bro)h(infers)f(the)h(v)n(ari-)2049 793 y(able')-5
-b(s)19 b(type)g(from)f(the)h(form)f(of)h(the)g(initializer)-5
-b(.)25 b(This)19 b(pro)o(v)o(es)f(quite)2049 893 y(con)m(v)o(enient,)i
-(as)j(does)f(the)g(ease)h(with)f(which)g(comple)o(x)f(tables)h(and)2049
-993 y(sets)f(can)f(be)g(initialized.)25 b(F)o(or)20 b(e)o(xample,)2049
-1160 y Ff(const)39 b(IRC)h(=)f({)h(6666/tcp,)e(6667/tcp,)h(6668/tcp)g
-(};)2049 1348 y Fs(infers)20 b(a)g(type)g(of)g Fm(set[port])f
-Fs(for)h Fm(IRC)p Fs(,)g(while:)2049 1515 y Ff(const)39
-b(ftp_serv)g(=)g({)h(ftp.lbl.gov,)e(www.lbl.gov)g(};)2049
-1703 y Fs(infers)33 b(a)h(type)g(of)f Fm(set[addr])f
-Fs(for)i Fm(ftp)p 3393 1703 V 29 w(serv)p Fs(,)i(and)e(initial-)2049
-1802 y(izes)i(it)g(to)g(consist)f(of)g(the)h(IP)f(addresses)g(for)g
-Fm(ftp.lbl.gov)2049 1902 y Fs(and)30 b Fm(www.lbl.gov)p
-Fs(,)i(which,)g(as)g(noted)d(abo)o(v)o(e,)j(may)e(encom-)2049
-2001 y(pass)22 b(more)e(than)h(tw)o(o)h(addresses.)28
-b(Bro)21 b(infers)g(compound)e(indices)2049 2101 y(by)h(use)g(of)g
-Fm([])g Fs(notation:)2049 2269 y Ff(const)39 b(allowed_services)f(=)h
-({)2169 2348 y([ftp.lbl.gov,)e(ftp],)j([ftp.lbl.gov,)d(smtp],)2169
-2427 y([ftp.lbl.gov,)g(ident],)i([ftp.lbl.gov,)f(20/tcp],)2169
-2505 y([www.lbl.gov,)f(ftp],)j([www.lbl.gov,)d(smtp],)2169
-2584 y([www.lbl.gov,)g(ident],)i([www.lbl.gov,)f(20/tcp],)2169
-2663 y([nntp.lbl.gov,)f(nntp])2049 2742 y(};)2049 2929
-y Fs(results)25 b(in)g Fm(allowed)p 2736 2929 V 29 w(services)f
-Fs(ha)n(ving)f(type)i Fm(set[addr,)2049 3029 y(port])p
-Fs(.)47 b(Here)28 b(again,)g(the)g Fr(hostname)f Fs(constants)g(may)h
-(result)f(in)2049 3129 y(more)20 b(than)f(one)h(IP)h(address.)k(An)o(y)
-19 b(time)i(Bro)f(encounters)f(a)i Fm(list)2049 3228
-y Fs(of)33 b(v)n(alues)g(in)h(an)g(initialization,)h(it)g(replicates)e
-(the)g(correspond-)2049 3328 y(ing)22 b(inde)o(x.)31
-b(Furthermore,)21 b(one)h(can)g(e)o(xplicitly)g(introduce)e(lists)k(in)
-2049 3427 y(initializers)h(by)f(enclosing)f(a)i(series)g(of)f(v)n
-(alues)g(\(with)g(compatible)2049 3527 y(types\))c(in)g
-Fm([])p Fs(')-5 b(s,)21 b(so)f(the)g(abo)o(v)o(e)f(could)g(be)h
-(written:)2049 3695 y Ff(const)39 b(allowed_services:)e(set[addr,)i
-(port])g(=)h({)2169 3774 y([ftp.lbl.gov,)d([ftp,)j(smtp,)f(ident,)g
-(20/tcp]],)2169 3852 y([www.lbl.gov,)e([ftp,)j(smtp,)f(ident,)g
-(20/tcp]],)2169 3931 y([nntp.lbl.gov,)e(nntp])2049 4010
-y(};)2049 4198 y Fs(The)18 b(only)f(cost)i(of)f(such)g(an)g
-(initialization)g(is)h(that)f(Bro')-5 b(s)19 b(algorithm)2049
-4297 y(for)k(inferring)e(the)i(v)n(ariable')-5 b(s)23
-b(type)g(from)f(its)i(initializer)f(currently)2049 4397
-y(gets)17 b(confused)d(by)i(these)h(embedded)d(lists,)k(so)f(the)f
-(type)g(no)n(w)g(needs)2049 4496 y(to)k(be)g(e)o(xplicitly)g(supplied,)
-f(as)h(sho)n(wn.)2132 4597 y(In)h(addition,)e(an)o(y)h(pre)n
-(viously-de\002ned)d(global)j(v)n(ariable)g(can)h(be)2049
-4697 y(used)j(in)h(the)f(initialization)g(of)g(a)h(subsequent)e(global)
-h(v)n(ariable.)37 b(If)2049 4796 y(the)19 b(v)n(ariable)f(used)g(in)h
-(this)h(f)o(ashion)e(is)i(a)f Fm(set)p Fs(,)g(then)f(its)i(indices)f
-(are)2049 4896 y(e)o(xpanded)e(as)j(if)f(enclosed)g(in)g(their)g(o)n
-(wn)g(list.)26 b(So)20 b(the)f(abo)o(v)o(e)f(could)2049
-4996 y(be)i(further)f(simpli\002ed)h(to:)2049 5163 y
-Ff(const)39 b(allowed_services:)e(set[addr,)i(port])g(=)h({)2169
-5242 y([ftp_serv,)e([ftp,)h(smtp,)g(ident,)g(20/tcp]],)2169
-5321 y([nntp.lbl.gov,)e(nntp])2049 5400 y(};)1929 5649
-y Fs(7)p eop
-%%Page: 8 8
-8 7 bop -150 -104 a Fs(Initializing)17 b Fm(table)g Fs(v)n(alues)g
-(looks)g(v)o(ery)g(similar)m(,)g(with)h(the)g(dif)n(fer)n(-)-150
--5 y(ence)h(that)g(a)h Fm(table)f Fs(initializer)g(includes)f(a)i
-Fr(yield)h Fs(v)n(alue,)e(too.)24 b(F)o(or)-150 95 y(e)o(xample:)-150
-257 y Ff(global)39 b(port_names)f(=)i({)-30 336 y([7/tcp])e(=)i
-("echo",)-30 415 y([9/tcp])e(=)i("discard",)-30 493 y([11/tcp])e(=)i
-("systat",)-30 572 y(...)-150 651 y(};)-150 834 y Fs(which)20
-b(infers)f(a)i(type)f(of)g Fm(table[port])47 b(of)j(string)p
-Fs(.)-67 934 y(W)-7 b(e)35 b(\002nd)e(that)h(these)g(forms)f(of)g
-(initialization)g(shorthand)f(are)-150 1033 y(much)k(more)g(than)g
-(syntactic)h(sugar)-5 b(.)74 b(Because)37 b(the)o(y)f(allo)n(w)h(us)
--150 1133 y(to)29 b(de\002ne)g(lar)o(ge)f(tables)i(in)f(a)g(succinct)g
-(f)o(ashion,)i(by)d(referring)f(to)-150 1232 y(pre)n(viously-de\002ned)
-16 b(objects)j(and)g(by)h(concisely)e(capturing)g(forms)-150
-1332 y(of)i(replication)e(in)j(the)f(table,)g(we)g(can)g(specify)f
-(intricate)h(polic)o(y)f(re-)-150 1432 y(lationships)31
-b(in)g(a)h(f)o(ashion)e(that')-5 b(s)32 b(both)e(easy)i(to)f(write)h
-(and)e(easy)-150 1531 y(to)d(v)o(erify)-5 b(.)41 b(Certainly)-5
-b(,)27 b(we)g(w)o(ould)f(prefer)f(the)h(\002nal)h(de\002nition)e(of)
--150 1631 y Fm(allowed)p 205 1631 25 4 v 29 w(services)g
-Fs(abo)o(v)o(e)f(to)i(an)o(y)g(of)f(its)i(predecessors,)f(in)-150
-1731 y(terms)20 b(of)g(kno)n(wing)e(e)o(xactly)i(what)g(the)g(set)h
-(consists)g(of.)-67 1830 y(Along)39 b(with)h(clarity)f(and)g
-(conciseness,)44 b(another)38 b(important)-150 1930 y(adv)n(antage)31
-b(of)h Fm(Bro)p Fs(')-5 b(s)33 b(emphasis)f(on)g(tables)g(and)g(sets)i
-(is)f(speed.)-150 2030 y(Consider)c(the)h(common)d(problem)h(of)i
-(attempting)e(to)i(determine)-150 2129 y(whether)18 b(access)h(is)h
-(allo)n(wed)e(to)h(service)g Fm(S)g Fs(of)g(host)f Fm(H)p
-Fs(.)h(Rather)g(than)-150 2229 y(using)h(\(conceptually\):)-150
-2391 y Ff(if)40 b(\()f(H)h(==)g(ftp.lbl.gov)e(||)h(H)h(==)g
-(www.lbl.gov)e(\))9 2470 y(if)i(\()g(S)f(==)h(ftp)f(||)h(S)g(==)f(smtp)
-g(||)h(...)f(\))-150 2549 y(else)g(if)h(\()g(H)f(==)h(nntp.lbl.gov)e
-(\))9 2627 y(if)i(\()g(S)f(==)h(nntp)f(\))-150 2706 y(...)-150
-2889 y Fs(we)21 b(can)f(simply)f(use:)-150 3051 y Ff(if)40
-b(\()f([S,)h(H])f(in)h(allowed_services)d(\))49 3130
-y(...)j(it's)f(okay)g(...)-150 3313 y Fs(The)23 b Fm(in)h
-Fs(operation)d(translates)j(into)f(a)h(single)f(hash)g(table)h(lookup,)
--150 3412 y(a)n(v)n(oiding)17 b(the)i(cascaded)f Fm(if)p
-Fs(')-5 b(s)19 b(and)f(clearly)g(sho)n(wing)g(the)h(intent)f(of)-150
-3512 y(the)i(test.)-150 3750 y Fh(3.4)99 b(Statements)-150
-3906 y Fm(Bro)26 b Fs(currently)e(supports)h(only)g(a)i(modest)e(group)
-f(of)i(statements,)-150 4005 y(which)g(we)i(ha)n(v)o(e)e(so)h(f)o(ar)g
-(found)e(suf)n(\002cient.)45 b(Along)26 b(with)h(C-style)-150
-4105 y Fm(if)17 b Fs(and)g Fm(return)g Fs(and)g(e)o(xpression)e(e)n(v)n
-(aluation,)h(other)g(statements)-150 4204 y(are:)38 b
-Fm(print)27 b Fs(a)g(list)h(of)e(e)o(xpressions)g(to)g(a)i
-Fm(file)e Fs(\()p Fr(stdout)i Fs(by)e(de-)-150 4304 y(f)o(ault\);)f
-Fm(log)e Fs(a)h(list)h(of)e(e)o(xpressions;)h Fm(add)g
-Fs(an)f(element)g(to)h(a)f Fm(set)p Fs(;)-150 4404 y
-Fm(delete)g Fs(an)h(element)f(from)g(a)h Fm(set)g Fs(or)f(a)i
-Fm(table)p Fs(;)g(and)e Fm(event)p Fs(,)-150 4503 y(which)d(generates)f
-(a)i(ne)n(w)f(e)n(v)o(ent.)-67 4603 y(In)h(particular)m(,)e(the)h
-(language)g(does)g(not)h(support)e(looping)g(using)-150
-4703 y(a)27 b Fm(for)p Fs(-style)g(construct.)43 b(W)-7
-b(e)28 b(are)f(w)o(ary)g(of)f(loops)h(in)g(e)n(v)o(ent)e(han-)-150
-4802 y(dlers)33 b(because)f(the)o(y)f(can)i(lead)f(to)h(arbitrarily)e
-(lar)o(ge)h(processing)-150 4902 y(delays,)c(which)e(in)h(turn)f(could)
-g(lead)g(to)h(pack)o(et)g(\002lter)g(drops.)43 b(W)-7
-b(e)-150 5001 y(w)o(anted)23 b(to)g(see)h(whether)e(we)i(could)e(still)
-i(adequately)e(e)o(xpress)g(se-)-150 5101 y(curity)g(policies)g(in)g
-Fm(Bro)g Fs(without)g(resorting)f(to)i(loops;)f(if)h(so,)g(then)-150
-5201 y(we)17 b(ha)n(v)o(e)e(some)h(con\002dence)f(that)h(e)n(v)o(ery)f
-(e)n(v)o(ent)g(is)i(handled)e(quickly)-5 b(.)-150 5300
-y(So)23 b(f)o(ar)m(,)g(this)g(e)o(xperiment)e(has)i(been)f(successful.)
-33 b(Looping)21 b(is)i(still)-150 5400 y(possible)29
-b(via)g(recursion)f(\(either)g(functions)g(calling)h(themselv)o(es,)
-2049 -104 y(or)23 b(e)n(v)o(ent)g(handlers)f(generating)g(their)h(o)n
-(wn)g(e)n(v)o(ents\),)h(b)n(ut)f(we)h(ha)n(v)o(e)2049
--5 y(not)c(found)e(a)j(need)e(to)i(resort)f(to)g(it.)2132
-96 y(Lik)o(e)i(in)h(C,)g(we)g(can)f(group)f(sets)j(of)e(statements)g
-(into)g Fr(bloc)n(ks)h Fs(by)2049 196 y(enclosing)c(them)h(within)g
-Fi(fg)p Fs(')-5 b(s.)25 b(Function)19 b(de\002nitions)g(look)g(lik)o
-(e:)2049 367 y Ff(function)39 b(endpoint_id\(h:)e(addr,)j(p:)f(port\):)
-g(string)2169 445 y({)2169 524 y(if)g(\()h(p)g(in)f(port_names)f(\))
-2288 603 y(return)h(fmt\("\045s/\045s",)f(h,)i(port_names[p]\);)2169
-682 y(else)2288 761 y(return)f(fmt\("\045s/\045d",)f(h,)i(p\);)2169
-840 y(})2049 1029 y Fs(Ev)o(ent)63 b(handler)f(de\002nitions)h(look)f
-(the)i(same)g(e)o(xcept)e(that)2049 1129 y Fm(function)18
-b Fs(is)i(replaced)d(by)i Fm(event)f Fs(and)g(the)o(y)g(cannot)g
-(specify)g(a)2049 1229 y(return)h(type.)24 b(See)d(Appendix)d(A)j(for)f
-(an)g(e)o(xample.)2132 1330 y(Functions)f(are)i(in)m(v)n(ok)o(ed)d(the)
-j(usual)f(w)o(ay)-5 b(,)20 b(as)h(e)o(xpressions)e(spec-)2049
-1430 y(i\002ed)28 b(by)f(the)g(function')-5 b(s)26 b(name)h(follo)n
-(wed)f(by)h(its)i(ar)o(guments)c(en-)2049 1529 y(closed)d(within)f
-(parentheses.)29 b(Ev)o(ents)21 b(are)h(generated)e(in)i(a)g(similar)
-2049 1629 y(f)o(ashion,)31 b(e)o(xcept)d(using)h(the)g(k)o(e)o(yw)o
-(ord)f Fm(event)h Fs(before)f(the)h(han-)2049 1728 y(dler')-5
-b(s)30 b(name)g(and)f(ar)o(gument)f(list.)56 b(Since)31
-b(e)n(v)o(ents)e(do)h(not)g(return)2049 1828 y(v)n(alues)17
-b(\(the)o(y)f(can')o(t,)h(since)g(the)o(y)g(are)g(processed)f
-(asynchronously\),)2049 1928 y(e)n(v)o(ent)g(generation)e(is)k(a)e
-(statement)h(in)f Fm(Bro)h Fs(and)f(not)g(an)g(e)o(xpression.)2132
-2029 y Fm(Bro)22 b Fs(also)f(allo)n(ws)h(\223global\224)f(statements)g
-(that)h(are)f(not)h(part)f(of)g(a)2049 2129 y(function)15
-b(or)i(e)n(v)o(ent)f(handler)f(de\002nition.)23 b(These)16
-b(are)h(e)o(x)o(ecuted)e(after)2049 2228 y(parsing)30
-b(the)g(full)h(script,)i(and)d(can)h(of)g(course)f(in)m(v)n(ok)o(e)f
-(functions)2049 2328 y(or)e(generate)e(e)n(v)o(ents.)45
-b(The)26 b(e)n(v)o(ent)g(engine)g(also)h(generates)f(e)n(v)o(ents)2049
-2427 y(during)21 b(dif)n(ferent)f(phases)j(of)f(its)h(operation:)28
-b Fm(bro)p 3555 2427 V 29 w(init)22 b Fs(when)g(it)2049
-2527 y(is)27 b(about)f(to)g(be)o(gin)f(operation,)h Fm(bro)p
-3162 2527 V 29 w(done)g Fs(when)g(it)h(is)g(about)e(to)2049
-2627 y(terminate,)18 b(and)f Fm(bro)p 2696 2627 V 30
-w(signal)h Fs(when)f(it)j(recei)n(v)o(es)d(a)i(Unix)f(signal.)2132
-2728 y(One)32 b(dif)n(ference)e(between)h(de\002ning)g(functions)f(and)
-i(de\002ning)2049 2828 y(e)n(v)o(ent)24 b(handlers)f(is)i(that)g
-Fm(Bro)f Fs(allo)n(ws)h(multiple,)f(dif)n(ferent)f(de\002ni-)2049
-2927 y(tions)j(for)g(a)h(gi)n(v)o(en)e(e)n(v)o(ent)h(handler)-5
-b(.)42 b(Whene)n(v)o(er)25 b(an)i(e)n(v)o(ent)e(is)i(gen-)2049
-3027 y(erated,)f(each)f(instance)h(of)f(a)h(handler)e(is)j(in)m(v)n(ok)
-o(ed)c(in)j(turn)f(\(in)h(the)2049 3127 y(order)g(the)o(y)h(appear)f
-(in)h(the)h(script\).)46 b(So,)29 b(for)e(e)o(xample,)g(dif)n(ferent)
-2049 3226 y(\(conceptual\))f(modules)i(can)g(each)g(de\002ne)g
-Fm(bro)p 3516 3226 V 29 w(init)h Fs(handlers)2049 3326
-y(to)23 b(tak)o(e)f(care)g(of)h(their)f(initialization.)31
-b(W)-7 b(e)24 b(\002nd)e(this)h(considerably)2049 3425
-y(simpli\002es)17 b(the)g(task)h(of)e(creating)g(modular)f(sets)j(of)f
-(e)n(v)o(ent)f(handlers,)2049 3525 y(b)n(ut)21 b(we)h(anticipate)f
-(requiring)e(greater)i(control)f(in)h(the)h(future)e(o)o(v)o(er)2049
-3625 y(the)g(e)o(xact)g(order)f(in)h(which)g Fm(Bro)g
-Fs(in)m(v)n(ok)o(es)f(multiple)h(handlers.)2049 3914
-y Ft(4)119 b(Implementation)30 b(issues)2049 4103 y Fs(W)-7
-b(e)24 b(implemented)c(the)j(Bro)g(e)n(v)o(ent)e(engine)h(and)g(script)
-g(interpreter)2049 4203 y(in)35 b(C++,)k(currently)33
-b(about)g(27,000)g(lines.)69 b(In)34 b(this)i(section)e(we)2049
-4302 y(discuss)40 b(some)f(of)g(the)g(signi\002cant)g(implementation)e
-(decisions)2049 4402 y(and)29 b(tradeof)n(fs.)53 b(W)-7
-b(e)31 b(defer)e(to)h Fi(x)g Fs(5)g(discussion)f(of)h(ho)n(w)f(Bro)h
-(de-)2049 4502 y(fends)i(against)f(attacks)h(on)g(the)g(monitoring)e
-(system,)35 b(and)d(post-)2049 4601 y(pone)23 b(application-speci\002c)
-f(issues)k(until)e Fi(x)g Fs(6,)i(as)f(that)f(discussion)2049
-4701 y(bene\002ts)c(from)f(notions)g(de)n(v)o(eloped)f(in)i
-Fi(x)h Fs(5.)2132 4802 y Fl(Use)26 b(of)f(C++.)41 b Fs(Our)25
-b(use)g(of)g(C++)h(w)o(as)g(moti)n(v)n(ated)d(by)i(our)g(suc-)2049
-4902 y(cessful)33 b(e)o(xperience)d(with)j(using)f(it)h(for)f
-(implementing)e(another)2049 5001 y(e)n(v)o(ent-oriented)j(script)j
-(interpreter)m(,)i(the)e(Glish)g(\223softw)o(are)f(b)n(us\224)2049
-5101 y([PS93)o(].)29 b(F)o(or)21 b(Bro,)h(this)g(has)f(been)g(a)h
-(clear)f(success.)29 b(Class)23 b(hierar)n(-)2049 5201
-y(chies)g(map)f(well)i(to)e(protocol)f(layers,)i(which)g(then)f
-(simpli\002es)h(e)o(x-)2049 5300 y(tending)e(the)i(e)n(v)o(ent)e
-(engine)h(and)g(script)g(interpreter)-5 b(.)31 b(W)-7
-b(e)24 b(ha)n(v)o(e)e(not)2049 5400 y(percei)n(v)o(ed)17
-b(an)o(y)h(performance)e(problems)i(related)g(to)i(the)f(choice)f(of)
-1929 5649 y(8)p eop
-%%Page: 9 9
-9 8 bop -150 -104 a Fs(C++;)19 b(the)e(choice)g(of)g(interpreting)e(v)o
-(ersus)i(compiling)f(\(see)i(belo)n(w\))-150 -5 y(is)j(clearly)f(a)g
-(more)g(dominant)e(ef)n(fect.)-67 99 y Fl(Single-thr)o(eaded)k(design.)
-37 b Fs(Since)23 b(e)n(v)o(ent)g(handling)f(lies)i(at)h(the)-150
-199 y(heart)20 b(of)g(the)g(system,)h(it)g(is)g(natural)f(to)g
-(consider)f(a)i(multi-threaded)-150 298 y(design,)e(with)h(one)f
-(thread)g(per)h(acti)n(v)o(e)f(e)n(v)o(ent)g(handler)-5
-b(.)24 b(W)-7 b(e)21 b(ha)n(v)o(e)e(so)-150 398 y(f)o(ar)25
-b(resisted)g(this)g(approach,)e(because)h(of)h(concerns)e(that)i(it)h
-(could)-150 498 y(lead)20 b(to)g(subtle)h(race)e(conditions)g(in)i
-Fm(Bro)f Fs(scripts.)-67 602 y(An)25 b(important)f(consequence)e(of)j
-(a)h(single-threaded)c(design)j(is)-150 701 y(that)j(the)g(system)g
-(must)g(be)g(careful)f(before)g(initiating)g(an)o(y)g(acti)n(v-)-150
-801 y(ity)h(that)g(may)f(potentially)f(block)h(w)o(aiting)h(for)f(a)h
-(resource,)g(lead-)-150 900 y(ing)d(to)h(pack)o(et)f(\002lter)h(drops)e
-(as)j(the)e(engine)g(f)o(ails)h(to)g(consume)e(in-)-150
-1000 y(coming)g(traf)n(\002c.)41 b(A)26 b(particular)e(concern)g(is)i
-(performing)d(Domain)-150 1100 y(Name)18 b(System)h(\(DNS\))f(lookups,)
-f(which)h(can)g(tak)o(e)g(man)o(y)f(seconds)-150 1199
-y(to)24 b(complete)e(or)i(time)g(out.)35 b(Currently)-5
-b(,)22 b(Bro)i(only)f(performs)f(such)-150 1299 y(lookups)k(when)h
-(parsing)g(its)i(input)e(\002le,)j(b)n(ut)e(we)g(w)o(ant)g(in)f(the)h
-(fu-)-150 1399 y(ture)19 b(to)g(be)f(able)h(to)g(mak)o(e)f(address)h
-(and)f(hostname)g(translations)g(on)-150 1498 y(the)23
-b(\003y)-5 b(,)22 b(both)g(to)h(generate)e(clearer)h(messages,)h(and)f
-(to)h(detect)g(cer)n(-)-150 1598 y(tain)17 b(types)f(of)h(attacks.)24
-b(Consequently)-5 b(,)15 b(Bro)i(includes)f(customized)-150
-1697 y(non-blocking)d(DNS)18 b(routines)e(that)i(perform)d(DNS)j
-(lookups)d(asyn-)-150 1797 y(chronously)-5 b(.)-67 1901
-y(W)e(e)22 b(may)e(yet)h(adopt)f(a)h(multi-threaded)d(design.)26
-b(A)c(more)e(lik)o(ely)-150 2001 y(possibility)42 b(is)h(e)n(v)n
-(olving)e(Bro)h(to)n(w)o(ards)g(a)h(distrib)n(uted)e(design,)-150
-2100 y(in)28 b(which)f(loosely-coupled,)f(multiple)h(Bro')-5
-b(s)29 b(on)e(separate)g(hosts)-150 2200 y(monitor)17
-b(the)h(same)g(netw)o(ork)f(link.)24 b(Each)18 b(Bro)g(w)o(ould)f(w)o
-(atch)i(a)f(dif-)-150 2299 y(ferent)k(type)f(of)i(traf)n(\002c)f
-(\(e.g.,)f(HTTP)i(or)f(NFS\))h(and)f(communicate)-150
-2399 y(only)c(at)h(a)g(high)e(le)n(v)o(el,)i(to)f(con)m(v)o(e)o(y)e
-(current)i(threat)g(information.)1732 2369 y Fn(3)1791
-2399 y Fs(A)-150 2499 y(further)i(e)o(xtension)f(of)i(this)h(notion)e
-(is)i(a)g(more)e(general)g(distrib)n(uted)-150 2598 y(design,)25
-b(in)f(which)g(multiple)g(Bro')-5 b(s)25 b(w)o(atch)g(multiple)f
-(links,)h(parti-)-150 2698 y(tioning)i(the)h(monitoring)d(w)o(orkload;)
-30 b(and)e(also)g(interacting)e(with)-150 2798 y(host-based)18
-b(agents.)24 b(Others)19 b(ha)n(v)o(e)g(recently)f(also)i(be)o(gun)d
-(pursuing)-150 2897 y(distrib)n(uted)i(architectures)g([Ci99)o(,)i
-(In99)n(].)-67 3001 y Fl(Managing)27 b(timers.)49 b Fs(Bro)28
-b(uses)g(numerous)e(timers)i(internally)-150 3101 y(for)18
-b(operations)g(such)g(as)i(timing)f(out)f(a)i(connection)c
-(establishment)-150 3200 y(attempt.)57 b(It)31 b(sometimes)g(has)g
-(thousands)e(of)i(timers)g(pending)e(at)-150 3300 y(a)g(gi)n(v)o(en)f
-(moment.)50 b(Consequently)-5 b(,)29 b(it)h(is)g(important)d(that)i
-(timers)-150 3400 y(be)j(v)o(ery)g(lightweight:)49 b(quick)31
-b(to)i(set)g(and)f(to)h(e)o(xpire.)60 b(Our)33 b(ini-)-150
-3499 y(tial)f(implementation)e(used)h(a)h(single)f(priority)g(heap,)i
-(which)e(we)-150 3599 y(found)d(attracti)n(v)o(e)h(since)h(insert)g
-(and)f(delete)h(operations)e(both)h(re-)-150 3699 y(quire)19
-b(only)f Fj(O)r Fc(\(log)q(\()p Fj(N)9 b Fc(\)\))21 b
-Fs(time)f(if)f(the)h(heap)f(contains)f Fj(N)29 b Fs(elements.)-150
-3798 y(Ho)n(we)n(v)o(er)m(,)22 b(we)i(found)e(that)h(when)g(the)h(heap)
-f(gro)n(ws)f(quite)i(lar)o(ge\227)-150 3898 y(such)29
-b(as)g(during)f(a)h(hostile)g(port)f(scan)h(that)g(creates)g(hundreds)e
-(of)-150 3997 y(ne)n(w)d(connections)e(each)i(second\227then)e(this)i
-(o)o(v)o(erhead)e(becomes)-150 4097 y(signi\002cant.)43
-b(Consequently)-5 b(,)25 b(we)i(percei)n(v)o(ed)d(a)j(need)e(to)i
-(redesign)-150 4197 y(timers)21 b(to)g(bring)e(the)i(o)o(v)o(erhead)d
-(closer)i(to)h Fj(O)r Fc(\(1\))p Fs(.)28 b(T)-7 b(o)21
-b(achie)n(v)o(e)e(this,)-150 4296 y(Bro)h(no)n(w)g(uses)h(\223calendar)
-d(queues\224)i(instead)g([Br88)n(].)-67 4400 y(A)36 b(related)e(issue)i
-(with)f(managing)e(timers)j(concerns)d(e)o(xactly)-150
-4500 y(when)15 b(to)i(e)o(xpire)e(timers.)23 b(Bro)16
-b(deri)n(v)o(es)g(its)h(notion)d(of)i(time)h(from)e(the)-150
-4599 y(timestamps)28 b(pro)o(vided)d(by)j Fm(libpcap)g
-Fs(with)g(each)g(pack)o(et)f(it)i(de-)-150 4699 y(li)n(v)o(ers.)d
-(Whene)n(v)o(er)19 b(this)i(clock)f(adv)n(ances)g(to)h(a)g(time)g
-(later)f(than)h(the)-150 4799 y(\002rst)e(element)e(on)g(the)h(timer)g
-(queue,)e(Bro)i(be)o(gins)f(remo)o(ving)e(timers)-150
-4898 y(from)27 b(the)h(queue)f(and)g(processing)g(their)g(e)o
-(xpiration,)h(continuing)-150 4998 y(until)22 b(the)h(queue)e(is)i
-(empty)f(or)g(its)i(\002rst)f(element)f(has)g(a)h(timestamp)p
--150 5086 801 4 v -65 5140 a Fk(3)-30 5163 y Fp(Some)c(systems,)g(such)
-g(as)g(DIDS)g(and)h(CSM,)e(orchestrate)23 b(multiple)e(monitors)-150
-5242 y(w)o(atching)g(multiple)f(netw)o(ork)h(links,)e(in)g(order)g(to)g
-(track)h(users)e(as)h(the)o(y)g(mo)o(v)o(e)g(from)-150
-5321 y(machine)d(to)e(machine)i([MHL94,)d(WFP96].)19
-b(These)c(dif)n(fer)g(from)f(what)g(we)h(en)m(vision)-150
-5400 y(for)i(Bro)g(in)h(that)g(the)o(y)g(require)g(each)h(host)e(in)g
-(the)h(netw)o(ork)h(to)e(run)g(a)g(monitor)l(.)2049 -104
-y Fs(later)29 b(than)f(the)h(current)f(time.)51 b(This)29
-b(approach)d(is)k(\003a)o(wed,)g(ho)n(w-)2049 -5 y(e)n(v)o(er)m(,)i
-(because)e(in)g(some)h(situations\227such)e(as)j(port)e(scans\227the)
-2049 95 y(e)n(v)o(ent)23 b(engine)g(may)g(\002nd)h(it)g(needs)g(to)g(e)
-o(xpire)e(hundreds)g(of)h(timers)2049 194 y(that)29 b(ha)n(v)o(e)e
-(suddenly)g(become)g(due,)j(because)e(the)g(clock)g(has)h(ad-)2049
-294 y(v)n(anced)d(by)h(a)h(lar)o(ge)e(amount)g(due)h(to)g(a)h(lull)g
-(in)f(incoming)f(traf)n(\002c.)2049 394 y(W)-7 b(e)23
-b(a)n(v)n(oid)f(incurring)f(a)h(lar)o(ge)g(processing)f(spik)o(e)h(in)g
-(this)h(situation)2049 493 y(by)e(placing)f(an)h(upper)f(limit)i
-Fj(k)j Fs(on)c(the)g(number)f(of)h(timers)g(e)o(xpired)2049
-593 y(for)16 b(an)o(y)g(single)g(adv)n(ance)f(of)i(the)f(clock.)24
-b(Doing)15 b(so)i(trades)g(of)n(f)f(timer)2049 693 y(e)o(xactness)j
-(for)h(spreading)e(out)h(load.)25 b(Since)20 b(we)g(do)f(not)h(percei)n
-(v)o(e)e(a)2049 792 y(requirement)e(for)i(precise)h(timers,)g(this)g
-(is)h(an)e(acceptable)g(compro-)2049 892 y(mise.)2132
-996 y Fl(Implementing)28 b(r)o(egular)f(expr)o(essions.)47
-b Fs(Bro)28 b(uses)g(a)g(custom)2049 1095 y(re)o(gular)n(-e)o
-(xpression)e(matching)i(library)-5 b(,)30 b(rather)e(than)h(reusing)g
-(an)2049 1195 y(e)o(xisting)d(one,)i(for)f(tw)o(o)g(reasons.)46
-b(First,)29 b(we)e(were)g(unable)f(to)i(lo-)2049 1294
-y(cate)33 b(a)h(high)e(performance)f(re)o(gular)g(e)o(xpression)h
-(library)g(with)h(a)2049 1394 y(redistrib)n(ution)25
-b(license)h(we)h(found)e(acceptable.)43 b(In)26 b(addition,)h(in-)2049
-1494 y(trusion)20 b(detection)f(pattern-matching)e(dif)n(fers)j(from)f
-(more)h(typical)2049 1593 y(te)o(xt)g(matching)f(in)h(tw)o(o)h(w)o
-(ays.)2132 1697 y(First,)26 b(we)g(w)o(ant)e(the)h(ability)g(to)g
-(match)f(te)o(xt)g(piecemeal,)h(so)g(we)2049 1797 y(can)19
-b(feed)f(the)h(matcher)e(ne)n(w)i(chunks)e(of)i(te)o(xt)g(as)g(the)o(y)
-f(arri)n(v)o(e,)g(with-)2049 1896 y(out)23 b(ha)n(ving)g(to)h
-(construct)f(a)h(cop)o(y)f(of)g(the)h(entire)f(string)g(to)h(match.)
-2049 1996 y(Second,)31 b(we)e(anticipate)g(matching)f(sets)j(of)e
-(patterns)g(and)g(w)o(ant-)2049 2096 y(ing)g(to)h(kno)n(w)f(which)g
-(subset)h(were)f(matched)g(by)g(a)h(gi)n(v)o(en)e(set)j(of)2049
-2195 y(te)o(xt,)26 b(and)f(for)g(performance)e(reasons)i(we)h(w)o(ant)g
-(to)f(do)h(the)f(match)2049 2295 y(with)20 b(a)f(single)h(\002nite)f
-(automaton)f(rather)g(than)h(trying)f(each)h(pattern)2049
-2395 y(sequentially)-5 b(.)2132 2498 y(Since)22 b(we)h(had)f(e)o
-(xperience)e(writing)h(a)i(high)e(performance)f(re)o(g-)2049
-2598 y(ular)28 b(e)o(xpression)e(compiler)h([P)o(a96)n(],)j(and)e(one)f
-(that)h(already)f(sup-)2049 2698 y(ported)22 b(the)i(second)e(of)h(the)
-h(abo)o(v)o(e)d(requirements,)h(we)i(decided)e(to)2049
-2797 y(tak)o(e)f(that)g(compiler)f(and)g(reimplement)f(it)j(in)f(C++)g
-(to)g(\002t)h(into)f(Bro.)2049 2897 y(Doing)k(so)h(w)o(as)g(actually)f
-(considerably)e(easier)j(than)f(anticipated,)2049 2996
-y(and)30 b(the)g(only)g(remaining)f(piece)h(for)g(supporting)e(the)i
-(abo)o(v)o(e)f(re-)2049 3096 y(quirements)19 b(no)n(w)g(is)i(the)f
-(corresponding)d(Bro)j(interpreter)f(modi\002-)2049 3196
-y(cations.)2132 3300 y(One)24 b(\002nal)h(f)o(acet)f(of)g(implementing)
-e(re)o(gular)h(e)o(xpressions)f(con-)2049 3399 y(cerns)36
-b(caching:)55 b(we)36 b(emplo)o(y)f(a)h(lar)o(ge)f(number)f(of)h
-(patterns)g(in)2049 3499 y(our)29 b(analysis)g(\(particularly)f(for)h
-(scanning)f(interacti)n(v)o(e)g(sessions,)2049 3598 y(as)33
-b(discussed)f(in)g Fi(x)h Fs(6.5\).)60 b(These)32 b(can)g(tak)o(e)g(a)h
-(lar)o(ge)e(amount)g(of)2049 3698 y(CPU)24 b(time)e(\(minutes\))g(to)h
-(compile,)f(which)g(is)h(problematic)e(when)2049 3798
-y(we)j(w)o(ant)f(to)h(start)g(up)f(the)g(monitor)f(quickly)-5
-b(.)33 b(Consequently)-5 b(,)21 b(Bro)2049 3897 y(maintains)36
-b(a)g(cache)g(of)g(pre)n(viously-compiled)c(re)o(gular)j(e)o(xpres-)
-2049 3997 y(sions,)d(and)d(if)h(called)f(upon)f(to)i(compile)f(one)g
-(that)g(is)i(already)d(in)2049 4097 y(the)j(cache,)j(simply)d(loads)g
-(the)g(compiled)f(v)o(ersion,)i(taking)f(v)o(ery)2049
-4196 y(little)21 b(time.)2132 4300 y Fl(Inter)o(pr)o(eting)g(vs.)31
-b(compiling)o(.)g Fs(Presently)-5 b(,)21 b(Bro)h(interprets)g(the)2049
-4400 y(polic)o(y)j(script:)38 b(that)27 b(is,)i(it)e(parses)g(the)f
-(script)h(into)f(a)h(tree)g(of)f(C++)2049 4499 y(objects)i(that)h
-(re\003ect)f(an)g(abstract)g(syntax)g(tree)g(\(AST\),)g(and)g(then)2049
-4599 y(e)o(x)o(ecutes)i(portions)g(of)h(the)g(tree)g(as)h(needed)e(by)h
-(in)m(v)n(oking)e(a)j(vir)n(-)2049 4698 y(tual)27 b(e)n(v)n(aluation)f
-(method)f(at)j(the)f(root)f(of)h(a)h(gi)n(v)o(en)d(subtree.)45
-b(This)2049 4798 y(method)17 b(in)h(turn)g(recursi)n(v)o(ely)e(in)m(v)n
-(ok)o(es)i(e)n(v)n(aluation)e(methods)i(on)g(its)2049
-4898 y(children.)2132 5001 y(Such)32 b(a)g(design)g(has)g(the)g
-(virtues)g(of)g(simplicity)g(and)f(ease)i(of)2049 5101
-y(deb)n(ugging,)24 b(b)n(ut)h(comes)g(at)h(the)f(cost)h(of)f
-(considerable)e(o)o(v)o(erhead.)2049 5201 y(From)h(its)h(inception,)f
-(we)h(intended)e Fm(Bro)h Fs(to)h(readily)e(admit)h(com-)2049
-5300 y(pilation)29 b(to)h(a)f(lo)n(w-le)n(v)o(el)g(virtual)g(machine.)
-51 b(Ex)o(ecution)28 b(pro\002les)2049 5400 y(of)h(the)f(current)g
-(implementation)f(indicate)h(that)h(the)g(interpreti)n(v)o(e)1929
-5649 y(9)p eop
-%%Page: 10 10
-10 9 bop -150 -104 a Fs(o)o(v)o(erhead)17 b(is)j(indeed)e
-(signi\002cant,)h(so)h(we)g(anticipate)f(de)n(v)o(eloping)d(a)-150
--5 y(compiler)23 b(and)h(optimizer)-5 b(.)36 b(\(The)23
-b(current)g(interpreter)g(does)h(some)-150 95 y(simple)40
-b(constant)f(folding)g(and)g(peephole)g(optimization)f(when)-150
-194 y(b)n(uilding)19 b(the)h(AST)-6 b(,)20 b(b)n(ut)g(no)g(more.\))-67
-298 y(Using)25 b(an)f(interpreter)f(also)i(inadv)o(ertently)d
-(introduced)g(an)j(im-)-150 398 y(plementation)k(problem.)55
-b(By)31 b(structuring)e(the)i(interpreter)e(such)-150
-497 y(that)23 b(it)h(recursi)n(v)o(ely)d(in)m(v)n(ok)o(es)h(virtual)g
-(e)n(v)n(aluation)f(methods)h(on)h(the)-150 597 y(AST)-6
-b(,)23 b(we)h(wind)e(up)h(intricately)f(tying)h(the)g
-Fm(Bro)g Fs(e)n(v)n(aluation)e(stack)-150 697 y(with)i(the)h(C++)f
-(run-time)f(stack.)34 b(Consequently)-5 b(,)22 b(we)h(cannot)f(eas-)
--150 796 y(ily)f(b)n(undle)e(up)h(a)h Fm(Bro)f Fs(function')-5
-b(s)19 b(e)o(x)o(ecution)f(state)j(into)f(a)h(closure)-150
-896 y(to)i(e)o(x)o(ecute)f(at)i(some)f(later)g(point)f(in)i(time.)34
-b(Y)-8 b(et)23 b(we)h(w)o(ould)e(lik)o(e)h(to)-150 996
-y(ha)n(v)o(e)g(this)g(functionality)-5 b(,)21 b(so)j
-Fm(Bro)f Fs(scripts)g(ha)n(v)o(e)g(timers)g(a)n(v)n(ailable)-150
-1095 y(to)e(them;)f(the)h(semantics)f(of)h(these)f(timers)h(are)g(to)f
-(e)o(x)o(ecute)g(a)h(block)-150 1195 y(of)k(statements)h(when)f(a)i
-(timer)e(e)o(xpires,)h(including)e(access)j(to)f(the)-150
-1294 y(local)j(v)n(ariables)g(of)g(the)h(function)e(or)h(e)n(v)o(ent)f
-(handler)g(scheduling)-150 1394 y(the)23 b(timer)-5 b(.)35
-b(Therefore,)22 b(adding)g(timers)h(to)h Fm(Bro)f Fs(will)h(require)e
-(at)i(a)-150 1494 y(minimum)g(implementing)g(an)i(e)o(x)o(ecution)d
-(stack)j(for)f Fm(Bro)h Fs(scripts)-150 1593 y(separate)20
-b(from)f(that)h(of)g(the)g(interpreter)-5 b(.)-67 1697
-y Fl(Checkpointing)o(.)30 b Fs(W)-7 b(e)23 b(run)e(Bro)h(continuously)e
-(to)i(monitor)e(our)-150 1797 y(DMZ)d(netw)o(ork.)22
-b(Ho)n(we)n(v)o(er)m(,)16 b(we)h(need)f(to)h(periodically)e(checkpoint)
--150 1896 y(its)24 b(operation,)e(both)h(to)g(reclaim)g(memory)f(tied)h
-(up)g(in)g(remember)n(-)-150 1996 y(ing)16 b(state)h(for)f
-(long-dormant)d(connections)h(\(because)h(we)i(don')o(t)e(yet)-150
-2096 y(ha)n(v)o(e)j(timers)i(in)f(the)g(scripting)f(language;)g(see)h
-(abo)o(v)o(e\),)e(and)i(to)g(col-)-150 2195 y(lect)i(a)f(snapshot)f
-(for)h(archi)n(ving)e(and)h(of)n(f-line)g(analysis)h(\(discussed)-150
-2295 y(belo)n(w\).)-67 2399 y(Checkpointing)15 b(is)j(currently)e(a)i
-(three-stage)e(process.)24 b(First,)18 b(we)-150 2498
-y(run)27 b(a)g(ne)n(w)h(instance)f(of)g(Bro)g(that)h(parses)f(the)g
-(polic)o(y)g(script)g(and)-150 2598 y(resolv)o(es)d(all)h(of)f(the)g
-(DNS)h(names)f(in)h(it.)38 b(Because)24 b(we)h(ha)n(v)o(e)f(non-)-150
-2698 y(blocking)e(DNS)j(routines,)f(Bro)h(can)f(perform)e(a)j(lar)o(ge)
-e(number)g(of)-150 2797 y(lookups)30 b(in)h(parallel,)i(as)f(well)f(as)
-h(timing)f(out)f(lookup)g(attempts)-150 2897 y(whene)n(v)o(er)c(it)i
-(chooses.)47 b(F)o(or)27 b(each)h(lookup,)f(it)i(compares)d(the)i(re-)
--150 2996 y(sults)e(with)e(an)o(y)g(it)i(may)e(ha)n(v)o(e)g(pre)n
-(viously)f(cached)g(and)i(generates)-150 3096 y(corresponding)19
-b(e)n(v)o(ents)k(\(mapping)d(v)n(alid,)j(mapping)e(un)m(v)o(eri\002ed)f
-(if)-150 3196 y(it)25 b(had)e(to)i(time)f(out)g(the)g(lookup,)f(or)h
-(mapping)e(changed\).)35 b(It)24 b(then)-150 3295 y(updates)19
-b(the)i(DNS)f(cache)g(\002le)h(and)f(e)o(xits.)-67 3399
-y(In)25 b(the)h(second)e(stage,)j(we)f(run)e(another)g(instance)h(of)g
-(Bro,)i(this)-150 3499 y(time)j(specifying)e(that)i(it)g(should)e(only)
-h(consult)g(the)h(DNS)g(cache)-150 3598 y(and)15 b(not)g(perform)f
-(lookups.)21 b(Because)16 b(it)g(w)o(orks)f(directly)g(out)g(of)h(the)
--150 3698 y(cache,)27 b(it)g(starts)g(v)o(ery)e(quickly)-5
-b(.)42 b(After)26 b(w)o(aiting)g(a)h(short)f(interv)n(al,)-150
-3798 y(we)k(then)e(send)h(a)h(signal)f(to)g(the)g(long-running)c(Bro)30
-b(telling)f(it)g(to)-150 3897 y(terminate.)24 b(When)c(it)h(e)o(xits,)f
-(the)g(checkpointing)d(is)22 b(complete.)-67 4001 y(W)-7
-b(e)31 b(\002nd)f(the)g(checkpointing)d(de\002cient)j(in)g(tw)o(o)h(w)o
-(ays.)55 b(First,)-150 4101 y(it)26 b(w)o(ould)f(be)h(simpler)f(to)h
-(coordinate)e(a)i(checkpoint)d(if)j(a)g(ne)n(w)g(in-)-150
-4200 y(stance)33 b(of)g(Bro)g(could)f(directly)g(signal)h(an)g(old)g
-(instance)g(to)g(an-)-150 4300 y(nounce)20 b(that)h(it)i(is)f(ready)f
-(to)g(tak)o(e)h(o)o(v)o(er)e(monitoring.)27 b(Second,)20
-b(and)-150 4400 y(more)25 b(important,)g(currently)f(no)h(state)i
-(survi)n(v)o(es)d(the)i(checkpoint-)-150 4499 y(ing.)43
-b(In)26 b(particular)m(,)h(if)f(the)h(older)e(Bro)i(has)f(identi\002ed)
-g(some)g(sus-)-150 4599 y(pect)f(acti)n(vity)g(and)g(is)i(w)o(atching)e
-(it)h(particularly)e(closely)h(\(say)-5 b(,)26 b(by)-150
-4698 y(recording)16 b(all)i(of)g(its)h(pack)o(ets\),)f(this)h
-(information)c(is)k(lost)g(when)f(the)-150 4798 y(ne)n(w)i(Bro)g(tak)o
-(es)h(o)o(v)o(er)-5 b(.)24 b(Clearly)-5 b(,)19 b(we)i(need)e(to)i
-(\002x)f(this.)-67 4902 y Fl(Off-line)30 b(analysis.)56
-b Fs(As)31 b(mentioned)e(abo)o(v)o(e,)i(one)f(reason)g(for)-150
-5001 y(checkpointing)j(the)i(system)h(is)h(to)f(f)o(acilitate)g(of)n
-(f-line)e(analysis.)-150 5101 y(The)24 b(\002rst)i(step)f(of)f(this)h
-(analysis)g(is)g(to)g(cop)o(y)f(the)g Fm(libpcap)g Fs(sa)n(v)o(e)-150
-5201 y(\002le)k(and)g(an)o(y)e(\002les)j(generated)d(by)h(the)h(polic)o
-(y)f(script)h(to)f(an)h(anal-)-150 5300 y(ysis)h(machine.)46
-b(Our)28 b(polic)o(y)f(script)h(generates)f(six)h(such)g(\002les:)41
-b(a)-150 5400 y(summary)24 b(of)h(all)h(connection)d(acti)n(vity)-5
-b(,)25 b(including)f(starting)h(time,)2049 -104 y(duration,)c(size)i
-(in)f(each)g(direction,)f(protocol,)g(IP)h(addresses,)g(con-)2049
--5 y(nection)i(state,)j(and)e(an)o(y)f(additional)g(information)f
-(\(such)i(as)h(user)n(-)2049 95 y(name,)21 b(when)g(identi\002ed\);)h
-(a)g(summary)e(of)h(the)h(netw)o(ork)e(interf)o(ace)2049
-194 y(and)30 b(pack)o(et)g(\002lter)i(statistics;)37
-b(a)31 b(list)h(of)f(all)g(generated)e(log)i(mes-)2049
-294 y(sages;)f(summaries)c(of)g(Finger)f(and)h(FTP)h(commands;)h(and)e
-(a)g(list)2049 394 y(of)20 b(all)h(unusual)e(netw)o(orking)f(e)n(v)o
-(ents.)2132 498 y(Re)o(garding)k(this)j(last,)h(the)e(e)n(v)o(ent)g
-(engine)f(identi\002es)i(more)e(than)2049 598 y(70)17
-b(dif)n(ferent)f(types)h(of)g(unusual)f(beha)n(vior)m(,)f(such)j(as)g
-(incorrect)d(con-)2049 697 y(nection)h(initiations)h(and)f
-(terminations,)g(checksum)g(errors,)g(pack)o(et)2049
-797 y(length)h(mismatches,)h(and)f(protocol)f(violations.)24
-b(F)o(or)17 b(each,)h(it)g(gen-)2049 896 y(erates)g(a)h
-Fm(conn)p 2522 896 25 4 v 29 w(weird)f Fs(or)g Fm(net)p
-3057 896 V 29 w(weird)g Fs(e)n(v)o(ent,)f(identifying)g(the)2049
-996 y(beha)n(vior)25 b(with)j(a)f(prede\002ned)e(string.)46
-b(Our)26 b(polic)o(y)g(script)i(uses)f(a)2049 1096 y
-Fm(table[string])47 b(of)j(count)19 b Fs(to)h(map)f(these)h(strings)f
-(to)h(one)2049 1195 y(of)j(\223ignore,)-6 b(\224)22 b(\223\002le,)-6
-b(\224)24 b(\223log)e(al)o(w)o(ays,)-6 b(\224)24 b(\223log)f(once)f
-(per)h(connection,)-6 b(\224)2049 1295 y(and)26 b(\223log)f(once)h(per)
-g(originating)e(source)h(address,)-6 b(\224)27 b(meaning)e(ig-)2049
-1395 y(nore)e(the)i(beha)n(vior)e(entirely)-5 b(,)23
-b(record)g(it)i(to)g(the)f(anomaly)f(\002le,)j(log)2049
-1494 y(it)f(\(real-time)f(noti\002cation\))f(and)h(record)f(it)j(to)f
-(the)f(\002le,)i(and)f(log)f(it)2049 1594 y(b)n(ut)i(only)g(the)g
-(\002rst)h(time)f(it)h(occurs)f(for)f(the)i(gi)n(v)o(en)e(connection)f
-(or)2049 1693 y(the)16 b(gi)n(v)o(en)e(source)i(address.)23
-b(Some)15 b(anomalies)g(pro)o(v)o(e)f(surprisingly)2049
-1793 y(common,)j(and)i(on)g(a)g(typical)g(day)g(the)g(anomaly)e(\002le)
-j(contains)f(se)n(v-)2049 1893 y(eral)k(thousand)e(entries,)j(e)n(v)o
-(en)e(though)f(our)i(script)g(suppresses)f(du-)2049 1992
-y(plicate)h(messages.)32 b(\(See)23 b Fi(x)g Fs(7.3)f(belo)n(w)g(for)g
-(further)f(discussion)h(of)2049 2092 y(anomalies.\))2132
-2196 y(All)i(of)e(the)h(copied)f(\002les)h(thus)g(form)f(an)h(archi)n
-(v)n(al)f(record)f(of)i(the)2049 2296 y(day')-5 b(s)17
-b(traf)n(\002c.)23 b(W)-7 b(e)18 b(k)o(eep)e(these)h(\002les)h
-(inde\002nitely)-5 b(.)22 b(The)o(y)16 b(can)g(pro)o(v)o(e)2049
-2395 y(in)m(v)n(aluable)28 b(when)i(we)h(disco)o(v)o(er)e(a)h(break-in)
-f(that)h(\002rst)i(occurred)2049 2495 y(weeks)19 b(or)f(months)g(in)h
-(the)g(past.)25 b(In)18 b(addition,)g(once)g(we)h(ha)n(v)o(e)f(iden-)
-2049 2595 y(ti\002ed)25 b(an)f(attacking)g(site,)i(we)f(can)f(run)g(it)
-h(through)e(the)h(archi)n(v)o(e)f(to)2049 2694 y(\002nd)c(an)o(y)f
-(other)h(hosts)g(it)h(may)f(ha)n(v)o(e)g(attack)o(ed)f(that)i(the)f
-(monitoring)2049 2794 y(f)o(ailed)j(to)g(detect)g(\(for)f(e)o(xample,)g
-(the)h(attack)o(er)f(has)i(obtained)d(a)i(list)2049 2894
-y(of)e(passw)o(ords)g(using)f(a)i(passw)o(ord-snif)n(fer\).)2132
-2998 y(Finally)-5 b(,)28 b(the)f(of)n(f-line)f(analysis)h(generates)f
-(a)i(traf)n(\002c)f(summary)2049 3097 y(highlighting)14
-b(the)i(b)n(usiest)h(hosts)f(and)g(gi)n(ving)e(the)j(v)n(olume)e
-(\(number)2049 3197 y(of)23 b(connections)e(and)i(bytes)g
-(transferred\))e(due)i(to)h(dif)n(ferent)d(appli-)2049
-3297 y(cations.)27 b(As)22 b(of)f(this)g(writing,)g(on)f(a)i(typical)e
-(day)h(our)f(site)i(engages)2049 3396 y(in)k(about)e(1,200,000)f
-(connections)g(transferring)h(40)h(GB)i(of)e(data.)2049
-3496 y(The)e(great)g(majority)g(\(75\22680\045\))e(of)i(the)h
-(connections)e(are)h(HTTP;)2049 3596 y(the)28 b(highest)f(byte)g(v)n
-(olume)f(comes)h(from)g(HTTP)-9 b(,)27 b(FTP)h(data,)h(and)2049
-3695 y(sometimes)20 b(the)g(NFS)h(netw)o(ork)e(\002le)i(system.)2049
-4001 y Ft(5)119 b(Attacks)30 b(on)g(the)g(monitor)2049
-4195 y Fs(In)21 b(this)i(section)e(we)h(discuss)g(the)g(dif)n(\002cult)
-f(problem)f(of)h(defending)2049 4295 y(the)h(monitor)f(against)h
-(attacks)h(upon)e(itself.)32 b(W)-7 b(e)24 b(defer)d(discussion)2049
-4394 y(of)26 b(Bro')-5 b(s)27 b(application-speci\002c)d(processing)h
-(until)h(after)g(this)h(sec-)2049 4494 y(tion,)c(because)g(elements)g
-(of)g(that)g(processing)f(re\003ect)h(attempts)g(to)2049
-4594 y(defeat)d(the)g(types)g(of)g(attacks)g(we)h(describe)e(here.)2132
-4698 y(As)28 b(discussed)f(in)g Fi(x)g Fs(1,)i(we)e(assume)g(that)h
-(such)e(attack)o(ers)h(ha)n(v)o(e)2049 4798 y(full)c(access)g(to)h(the)
-f(monitor')-5 b(s)21 b(algorithms)h(and)h(source)f(code;)i(b)n(ut)2049
-4897 y(also)e(that)f(the)o(y)g(ha)n(v)o(e)g(control)f(o)o(v)o(er)g
-(only)h(one)g(of)g(the)h(tw)o(o)f(connec-)2049 4997 y(tion)g
-(endpoints.)26 b(In)21 b(addition,)f(we)i(assume)f(that)g(the)h(crack)o
-(er)e(does)2049 5096 y Fr(not)f Fs(ha)n(v)o(e)e(access)h(to)g(the)g
-Fm(Bro)f Fs(polic)o(y)g(script,)h(which)f(each)g(site)i(will)2049
-5196 y(ha)n(v)o(e)h(customized,)e(and)i(should)f(k)o(eep)h(well)g
-(protected.)2132 5300 y(While)c(pre)n(vious)f(w)o(ork)g(has)h
-(addressed)f(the)h(general)f(problem)f(of)2049 5400 y(testing)29
-b(intrusion)g(detection)f(systems)i([PZCMO96)o(],)h(this)f(w)o(ork)1908
-5649 y(10)p eop
-%%Page: 11 11
-11 10 bop -150 -104 a Fs(has)19 b(focused)e(on)h(correctness)f(of)h
-(the)g(system)h(in)f(terms)h(of)f(whether)-150 -5 y(it)23
-b(does)f(indeed)f(recognize)f(the)j(attacks)f(claimed.)30
-b(T)-7 b(o)22 b(our)g(kno)n(wl-)-150 95 y(edge,)i(the)h(\002rst)g
-(discussion)f(in)g(the)g(literature)g(speci\002cally)g(aimed)-150
-194 y(at)16 b(the)f(problem)e(of)i(attack)o(ers)g(sub)o(v)o(erting)e(a)
-j(netw)o(ork)e(intrusion)g(de-)-150 294 y(tection)24
-b(system)h(w)o(as)h(the)f(concurrent)d(publication)h(of)i(the)g
-(earlier)-150 394 y(v)o(ersion)16 b(of)h(this)h(paper)e([P)o(a98)o(])i
-(and)e(that)i(of)f(Ptacek)g(and)g(Ne)n(wsham)-150 493
-y([PN98)o(].)-67 595 y(The)34 b(second)f(of)h(these)g(is)h(the)f(more)g
-(thorough,)g(being)f(com-)-150 695 y(pletely)17 b(de)n(v)n(oted)f(to)h
-(the)g(topic.)24 b(The)17 b(authors)f(consider)g(three)h(types)-150
-794 y(of)i(attacks,)g(\223insertion,)-6 b(\224)18 b(in)h(which)g(the)g
-(attack)o(er)f(attempts)h(to)g(mis-)-150 894 y(lead)32
-b(the)h(monitor)e(into)h(accepting)f(traf)n(\002c)i(that)f(the)h
-(destination)-150 994 y(end-system)24 b(rejects;)j(\223e)n(v)n(asion,)
--6 b(\224)25 b(in)g(which)f(the)h(monitor)e(f)o(ails)i(to)-150
-1093 y(accept)31 b(traf)n(\002c)g(that)h(the)f(end-system)f(does)h(in)h
-(f)o(act)f(accept;)37 b(and)-150 1193 y(denial-of-service,)28
-b(in)i(which)f(the)g(attack)o(er)g(attempts)g(to)h(e)o(xploit)-150
-1293 y(a)21 b(monitor')-5 b(s)20 b(proacti)n(v)o(e)f(mechanisms)h
-(\(such)h(as)g(terminating)e(con-)-150 1392 y(nections)i(belonging)f
-(to)i(an)g(apparent)e(attack\))i(in)g(order)e(to)i(disrupt)-150
-1492 y(le)o(gitimate)e(uses)g(of)g(the)g(netw)o(ork.)-67
-1594 y(F)o(or)k(our)f(purposes,)h(ho)n(we)n(v)o(er)m(,)e(we)j(use)f(a)h
-(dif)n(ferent)d(attack)i(tax-)-150 1693 y(onomy)-5 b(,)34
-b(because)f(we)h(focus)e(on)h(designing)f(monitors)g(to)i(resist)-150
-1793 y(these)18 b(attacks.)25 b(W)-7 b(e)19 b(classify)g(netw)o(ork)e
-(monitor)g(attacks)h(into)g(three)-150 1893 y(cate)o(gories:)31
-b Fr(o)o(verload)p Fs(,)23 b Fr(cr)o(ash)p Fs(,)h(and)f
-Fr(subterfug)o(e)p Fs(.)35 b(The)23 b(remainder)-150
-1992 y(of)17 b(this)g(section)g(de\002nes)g(each)f(cate)o(gory)f(and)i
-(brie\003y)f(discusses)i(the)-150 2092 y(de)o(gree)h(to)h(which)g(Bro)g
-(meets)g(that)h(class)g(of)f(threat.)-150 2342 y Fh(5.1)99
-b(Ov)o(erload)25 b(attacks)-150 2502 y Fs(W)-7 b(e)24
-b(term)e(an)g(attack)h(as)g(an)f Fr(o)o(verload)i Fs(if)f(the)f(goal)g
-(of)h(the)f(attack)h(is)-150 2601 y(to)f(o)o(v)o(erb)n(urden)d(the)j
-(monitor)f(to)h(the)g(point)g(where)f(it)i(f)o(ails)g(to)f(k)o(eep)-150
-2701 y(up)h(with)g(the)g(data)g(stream)g(it)g(must)h(process.)32
-b(The)23 b(attack)g(has)g(tw)o(o)-150 2801 y(phases,)k(the)g(\002rst)f
-(in)h(which)e(the)i(attack)o(er)e(dri)n(v)o(es)h(the)g(monitor)e(to)
--150 2900 y(the)i(point)f(of)h(o)o(v)o(erload,)f(and)h(the)g(second)f
-(in)h(which)g(the)g(attack)o(er)-150 3000 y(attempts)c(a)h(netw)o(ork)e
-(intrusion.)30 b(The)22 b(monitor)f(w)o(ould)h(ordinarily)-150
-3100 y(detect)i(this)g(second)f(phase,)h(b)n(ut)f(f)o(ails)i(to)f(do)f
-(so\227or)g(at)h(least)h(f)o(ails)-150 3199 y(to)20 b(do)f(so)h(with)g
-(some)g(non-ne)o(gligible)c(probability\227because)g(it)21
-b(is)-150 3299 y(no)27 b(longer)e(tracking)h(all)h(of)g(the)g(data)g
-(necessary)f(to)h(detect)g(e)n(v)o(ery)-150 3398 y(current)19
-b(threat.)-67 3500 y(It)40 b(is)g(this)g(last)h(consideration,)h(that)e
-(the)f(attack)g(might)g(still)-150 3600 y(be)30 b(detected)e(because)h
-(the)h(monitor)e(w)o(as)j(not)e(suf)n(\002ciently)g(o)o(v)o(er)n(-)-150
-3700 y(whelmed,)18 b(that)g(complicates)g(the)g(use)h(of)f(o)o(v)o
-(erload)e(attacks;)j(so,)g(in)-150 3799 y(turn,)d(this)i(pro)o(vides)d
-(a)i(defensi)n(v)o(e)e(strate)o(gy)-5 b(,)16 b(namely)f(to)i(lea)n(v)o
-(e)g(some)-150 3899 y(doubt)i(as)i(to)f(the)g(e)o(xact)g(po)n(wer)f
-(and)h(typical)g(load)f(of)h(the)g(monitor)-5 b(.)-67
-4001 y(Another)19 b(defensi)n(v)o(e)g(strate)o(gy)g(is)j(for)d(the)i
-(monitor)e(to)h Fr(shed)g(load)-150 4100 y Fs(when)26
-b(it)h(becomes)f(unduly)f(stressed)i(\(see)f([CT94)o(])h(for)f(a)h
-(discus-)-150 4200 y(sion)f(of)g(shedding)f(load)h(in)g(a)h(dif)n
-(ferent)e(conte)o(xt\).)41 b(F)o(or)26 b(e)o(xample,)-150
-4300 y(the)21 b(monitor)f(might)h(decide)f(to)i(cease)f(to)h(capture)e
-(HTTP)h(pack)o(ets,)-150 4399 y(as)26 b(these)g(form)e(a)i(high)e
-(proportion)f(of)i(the)g(traf)n(\002c.)40 b(Of)26 b(course,)f(if)-150
-4499 y(the)31 b(attack)o(er)f(kno)n(ws)h(the)g(form)f(of)g
-(load-shedding)e(used)j(by)g(the)-150 4598 y(monitor)m(,)24
-b(then)h(the)o(y)f(can)h(e)o(xploit)f(its)i(consequent)d(blindness)h
-(and)-150 4698 y(launch)19 b(a)i(no)n(w-undetected)c(attack.)-67
-4800 y(F)o(or)29 b(Bro)g(in)h(particular)m(,)f(to)h(de)n(v)o(elop)d(an)
-i(o)o(v)o(erload)e(attack)i(one)-150 4900 y(might)16
-b(be)o(gin)g(by)g(inspecting)g(Figure)g(1)h(to)g(see)h(ho)n(w)e(to)h
-(increase)g(the)-150 4999 y(data)22 b(\003o)n(w)-5 b(.)32
-b(One)23 b(step)g(is)g(to)g(send)f(pack)o(ets)h(that)f(match)h(the)f
-(pack)o(et)-150 5099 y(\002lter;)35 b(another)m(,)30
-b(pack)o(et)f(streams)h(that)g(in)g(turn)f(generate)f(e)n(v)o(ents;)
--150 5198 y(and)20 b(a)g(third,)g(e)n(v)o(ents)f(that)h(lead)h(to)f
-(logging)e(or)i(recording)e(to)i(disk.)-67 5300 y(The)55
-b(\002rst)h(of)f(these)g(is)h(particularly)e(easy)-5
-b(,)63 b(because)55 b(the)-150 5400 y Fm(libpcap)26 b
-Fs(\002lter)i(used)f(by)g(Bro)g(is)h(\002x)o(ed.)45 b(One)27
-b(defense)f(against)2049 -104 y(it)32 b(is)g(to)f(use)g(a)g(hardw)o
-(are)f(platform)f(with)i(suf)n(\002cient)g(processing)2049
--5 y(po)n(wer)23 b(to)h(k)o(eep)g(up)f(with)h(a)h(high)e(v)n(olume)g
-(of)h(\002ltered)g(traf)n(\002c,)g(and)2049 95 y(it)c(w)o(as)h(this)f
-(consideration)e(that)i(lead)g(to)f(our)g(elaborating)f(the)i(goal)2049
-194 y(of)f(\223no)h(pack)o(et)f(\002lter)h(drops\224)e(in)i
-Fi(x)g Fs(1.)25 b(The)19 b(second)g(le)n(v)o(el)h(of)f(attack,)2049
-294 y(causing)h(the)i(engine)e(to)h(generate)f(a)h(lar)o(ge)g(v)n
-(olume)f(of)h(e)n(v)o(ents,)f(is)i(a)2049 394 y(bit)d(more)f(dif)n
-(\002cult)g(to)h(achie)n(v)o(e)f(because)g(Bro)h(e)n(v)o(ents)f(are)h
-(designed)2049 493 y(to)30 b(be)g(lightweight.)53 b(It)30
-b(is)h(only)e(the)h(e)n(v)o(ents)g(for)f(which)g(the)h(pol-)2049
-593 y(ic)o(y)24 b(speci\002es)g(quite)g(a)g(bit)h(of)f(w)o(ork)f(that)h
-(pro)o(vide)e(much)h(le)n(v)o(erage)2049 693 y(for)31
-b(an)h(attack)f(at)i(this)f(le)n(v)o(el,)i(and)d(we)i(do)e
-Fr(not)i Fs(assume)f(that)g(the)2049 792 y(attack)o(er)24
-b(has)i(access)f(to)g(the)g(polic)o(y)f(scripts.)39 b(This)25
-b(same)h(consid-)2049 892 y(eration)20 b(mak)o(es)i(an)f(attack)g(at)h
-(the)f(\002nal)h(le)n(v)o(el\227ele)n(v)n(ating)d(the)i(log-)2049
-991 y(ging)27 b(or)g(recording)e(rate\227dif)n(\002cult,)j(because)f
-(the)h(attack)o(er)f(does)2049 1091 y(not)20 b(necessarily)f(kno)n(w)h
-(which)f(e)n(v)o(ents)h(lead)g(to)g(logging.)2132 1193
-y(Finally)-5 b(,)55 b(to)49 b(help)f(defend)f(against)h(o)o(v)o(erload)
-e(attacks,)56 b(the)2049 1293 y(e)n(v)o(ent)18 b(engine)g(periodically)
-g(generates)g(a)i Fm(net)p 3448 1293 25 4 v 29 w(stats)p
-3727 1293 V 29 w(update)2049 1393 y Fs(e)n(v)o(ent.)59
-b(The)31 b(v)n(alue)g(of)g(this)i(e)n(v)o(ent)d(gi)n(v)o(es)i(the)f
-(number)f(of)i(pack-)2049 1492 y(ets)24 b(recei)n(v)o(ed,)f(the)g
-(number)f(dropped)f(by)i(the)h(pack)o(et)f(\002lter)g(due)g(to)2049
-1592 y(insuf)n(\002cient)h(b)n(uf)n(fer)m(,)g(and)g(the)h(number)e
-(reported)h(dropped)e(by)j(the)2049 1691 y(netw)o(ork)18
-b(interf)o(ace)g(because)g(the)h(k)o(ernel)f(f)o(ailed)g(to)h(consume)f
-(them)2049 1791 y(quickly)27 b(enough.)48 b(Thus,)30
-b Fm(Bro)f Fs(scripts)g(at)g(least)h(ha)n(v)o(e)e(some)g(ba-)2049
-1891 y(sic)g(information)d(a)n(v)n(ailable)i(to)h(them)f(to)h
-(determine)e(whether)h(the)2049 1990 y(monitor)19 b(is)i(becoming)d(o)o
-(v)o(erloaded.)2049 2243 y Fh(5.2)99 b(Crash)25 b(attacks)2049
-2403 y Fr(Cr)o(ash)30 b Fs(attacks)f(aim)g(to)h(knock)d(the)j(monitor)d
-(completely)h(out)h(of)2049 2503 y(action)17 b(by)h(causing)f(it)i(to)f
-(either)f(f)o(ault)h(or)g(run)f(out)h(of)g(resources.)23
-b(As)2049 2603 y(with)e(an)g(o)o(v)o(erload)d(attack,)j(the)g(crash)g
-(attack)f(has)i(tw)o(o)f(phases,)g(the)2049 2702 y(\002rst)27
-b(during)d(which)i(the)g(attack)o(er)f(crashes)h(the)h(monitor)m(,)e
-(and)h(the)2049 2802 y(second)19 b(during)g(which)g(the)o(y)h(then)g
-(proceed)e(with)j(an)f(intrusion.)2132 2904 y(Crash)25
-b(attacks)g(can)g(be)f(much)g(more)g(subtle)h(than)f(o)o(v)o(erload)e
-(at-)2049 3004 y(tacks,)32 b(though.)52 b(By)30 b(careful)f(source)g
-(code)g(analysis,)j(it)e(may)g(be)2049 3103 y(possible)g(to)g(\002nd)g
-(a)h(series)f(of)g(pack)o(ets,)i(or)e(e)n(v)o(en)f(just)i(one,)h(that,)
-2049 3203 y(when)18 b(recei)n(v)o(ed)f(by)h(the)h(monitor)m(,)e(causes)
-i(it)g(to)g(f)o(ault)g(due)f(to)g(a)h(cod-)2049 3303
-y(ing)h(error)-5 b(.)24 b(The)c(ef)n(fect)g(can)g(be)g(immediate)f(and)
-h(violent.)2132 3405 y(W)-7 b(e)29 b(can)e(perhaps)f(defend)g(against)g
-(this)i(form)f(of)g(crash)g(attack)2049 3504 y(by)22
-b(careful)g(coding)g(and)g(testing.)33 b(Another)21 b(type)i(of)f
-(crash)h(attack,)2049 3604 y(harder)15 b(to)j(defend)d(against,)i(is)g
-(one)g(that)g(causes)g(the)g(monitor)e(to)i(e)o(x-)2049
-3704 y(haust)f(its)h(a)n(v)n(ailable)e(resources:)23
-b(dynamic)14 b(memory)g(or)i(disk)g(space.)2049 3803
-y(Ev)o(en)28 b(if)i(the)f(monitor)f(has)h(no)g(memory)f(leaks,)j(it)f
-(still)h(needs)d(to)2049 3903 y(maintain)21 b(state)h(for)g(an)o(y)e
-(acti)n(v)o(e)i(traf)n(\002c.)29 b(Therefore,)20 b(one)h(attack)h(is)
-2049 4003 y(to)d(create)f(traf)n(\002c)h(that)g(consumes)f(a)h(lar)o
-(ge)f(amount)f(of)i(state.)25 b(When)2049 4102 y Fm(Bro)k
-Fs(supports)f(timers)h(for)g(polic)o(y)e(scripts,)32
-b(this)d(attack)g(will)h(be-)2049 4202 y(come)23 b(more)g(dif)n
-(\002cult,)h(because)f(it)h(will)h(be)e(harder)g(to)h(predict)f(the)
-2049 4301 y(necessary)k(le)n(v)o(el)g(of)h(bogus)f(traf)n(\002c.)47
-b(Attacks)28 b(on)f(disk)h(space)g(are)2049 4401 y(lik)o(e)n(wise)33
-b(dif)n(\002cult,)h(unless)f(one)f(kno)n(ws)f(the)h(a)n(v)n(ailable)g
-(disk)h(ca-)2049 4501 y(pacity)-5 b(.)39 b(In)25 b(addition,)g(the)g
-(monitor)f(might)g(continue)g(to)h(run)g(e)n(v)o(en)2049
-4600 y(with)j(no)g(disk)g(space)g(a)n(v)n(ailable,)h(sacri\002cing)f
-(an)g(archi)n(v)n(al)f(record)2049 4700 y(b)n(ut)20 b(still)h
-(producing)c(real-time)i(noti\002cations,)g(so)h(a)g(disk)g(space)f
-(at-)2049 4800 y(tack)h(might)g(f)o(ail)g(to)h(mask)f(a)g(follo)n(w-on)
-e(attack.)2132 4902 y(Bro)30 b(pro)o(vides)e(tw)o(o)i(features)f(to)g
-(aid)h(with)g(defending)d(against)2049 5001 y(crash)k(attacks.)57
-b(First,)34 b(the)d(e)n(v)o(ent)f(engine)f(maintains)i(a)g(\223w)o
-(atch-)2049 5101 y(dog\224)23 b(timer)i(that)f(e)o(xpires)g(e)n(v)o
-(ery)f Fj(T)36 b Fs(seconds.)i(\(This)24 b(timer)g(is)i(not)2049
-5201 y(a)c(Bro)g(internal)f(timer)m(,)h(b)n(ut)g(rather)f(a)h(Unix)g
-(\223alarm.)-6 b(\224\))29 b(Upon)21 b(e)o(xpi-)2049
-5300 y(ration,)d(the)g(w)o(atchdog)g(handler)f(checks)h(to)g(see)h
-(whether)f(the)g(e)n(v)o(ent)2049 5400 y(engine)28 b(has)i(f)o(ailed)f
-(to)g(\002nish)h(processing)e(the)h(pack)o(et)g(\(and)f(sub-)1908
-5649 y(11)p eop
-%%Page: 12 12
-12 11 bop -150 -104 a Fs(sequent)24 b(e)n(v)o(ents\))h(it)g(w)o(as)h(w)
-o(orking)e(on)h Fj(T)36 b Fs(seconds)25 b(before.)38
-b(If)25 b(so,)-150 -5 y(then)16 b(the)g(w)o(atchdog)f(presumes)g(that)h
-(the)h(engine)e(is)i(in)f(some)h(sort)f(of)-150 95 y(processing)24
-b(jam)h(\(perhaps)e(due)i(to)g(a)g(coding)f(error)m(,)g(perhaps)g(due)
--150 194 y(to)i(e)o(xcessi)n(v)o(e)f(time)h(spent)g(managing)d(o)o(v)o
-(erb)n(urdened)f(resources\),)-150 294 y(and)d(terminates)f(the)h
-(monitor)f(process)h(\(\002rst)g(logging)f(this)i(f)o(act,)f(of)-150
-394 y(course,)g(and)h(generating)e(a)j(core)e(image)h(for)f(later)i
-(analysis\).)-67 496 y(This)d(feature)g(might)f(not)h(seem)h
-(particularly)d(useful,)i(e)o(xcept)f(for)-150 596 y(the)28
-b(f)o(act)h(that)g(it)g(is)g(coupled)e(with)i(a)g(second)e(feature:)41
-b(the)29 b(script)-150 695 y(that)d(runs)f(Bro)g(also)h(detects)g(if)f
-(it)i(e)n(v)o(er)d(unduly)g(e)o(xits,)j(and,)f(if)f(so,)-150
-795 y(logs)e(this)g(f)o(act)f(and)h(e)o(x)o(ecutes)e(a)i(cop)o(y)f(of)g
-Fm(tcpdump)g Fs(that)h(records)-150 894 y(the)d(same)g(traf)n(\002c)g
-(that)g(the)g(monitor)e(w)o(ould)i(ha)n(v)o(e)f(captured.)k(Thus,)-150
-994 y(crash)k(attacks)h(are)g(\(1\))f(logged,)h(and)f(\(2\))g(do)h(not)
-f(allo)n(w)h(a)g(subse-)-150 1094 y(quent)18 b(intrusion)g(attempt)h
-(to)g(go)f(unrecorded,)e(only)j(to)g(e)n(v)n(ade)f(real-)-150
-1193 y(time)26 b(detection.)42 b(Ho)n(we)n(v)o(er)m(,)25
-b(there)h(is)h(a)g(windo)n(w)e(of)h(opportunity)-150
-1293 y(between)i(the)g(time)h(when)f(the)h(Bro)g(monitor)e(crashes)h
-(and)g(when)-150 1393 y Fm(tcpdump)21 b Fs(runs.)29 b(If)22
-b(an)f(attack)o(er)h(can)f(predict)g(e)o(xactly)g(when)g(this)-150
-1492 y(windo)n(w)i(occurs,)h(then)f(the)o(y)g(can)h(still)h(e)n(v)n
-(ade)e(detection.)35 b(But)24 b(de-)-150 1592 y(termining)g(the)h
-(windo)n(w)g(is)h(dif)n(\002cult)f(without)g(kno)n(wledge)e(of)j(the)
--150 1691 y(e)o(xact)h(con\002guration)f(of)h(the)h(monitoring)e
-(system.)48 b(One)28 b(w)o(ay)g(of)-150 1791 y(closing)21
-b(this)g(windo)n(w)f(is)j(to)e(emplo)o(y)f(a)h(second,)g(\223shado)n
-(w\224)f(moni-)-150 1891 y(toring)d(machine)g(that)h(simply)g(records)f
-(to)h(disk)g(the)g(same)g(traf)n(\002c)g(as)-150 1990
-y(the)i(Bro)g(monitor)f(inspects.)-150 2243 y Fh(5.3)99
-b(Subterfuge)27 b(attacks)-150 2403 y Fs(In)j(a)h Fr(subterfug)o(e)e
-Fs(attack,)k(an)d(attack)o(er)g(attempts)g(to)g(mislead)h(the)-150
-2503 y(monitor)26 b(as)i(to)g(the)f(meaning)f(of)h(the)g(traf)n(\002c)h
-(it)g(analyzes.)46 b(These)-150 2603 y(attacks)30 b(are)g(particularly)
-e(dif)n(\002cult)i(to)g(defend)f(against,)i(because)-150
-2702 y(\(1\))26 b(unlik)o(e)g(o)o(v)o(erload)e(and)i(crash)h(attacks,)h
-(if)f(successful)f(the)o(y)g(do)-150 2802 y(not)e(lea)n(v)o(e)g(an)o(y)
-f(traces)i(that)f(the)o(y)f(ha)n(v)o(e)h(occurred,)f(and)h(\(2\))f(the)
-h(at-)-150 2901 y(tacks)32 b(can)f(be)g(quite)g(subtle.)59
-b(Access)32 b(to)g(the)f(monitor')-5 b(s)30 b(source)-150
-3001 y(code)20 b(particularly)e(aids)i(with)h(de)n(vising)e(subterfuge)
-f(attacks.)-67 3103 y(W)-7 b(e)33 b(brie\003y)f(discussed)g(an)g(e)o
-(xample)e(of)i(a)h(subterfuge)d(attack)-150 3203 y(in)24
-b Fi(x)g Fs(3.1,)g(in)g(which)f(the)h(attack)o(er)g(sends)f(te)o(xt)h
-(with)g(an)g(embedded)-150 3303 y(NUL)d(in)g(the)f(hope)g(that)h(the)f
-(monitor)f(will)j(miss)f(the)g(te)o(xt)f(after)h(the)-150
-3402 y(NUL.)c(Another)g(form)f(of)h(subterfuge)f(attack)h(is)i(using)e
-(fragmented)-150 3502 y(IP)24 b(datagrams)e(in)h(an)h(attempt)f(to)g
-(elude)g(monitors)f(that)i(f)o(ail)f(to)h(re-)-150 3601
-y(assemble)d(IP)h(fragments)e(\(an)h(attack)g(well-kno)n(wn)e(to)j(the)
-f(\002re)n(w)o(all)-150 3701 y(community)-5 b(,)14 b(and)h(one)g(we)i
-(ha)n(v)o(e)e(increasingly)f(detected)h(in)h(our)f(on-)-150
-3801 y(going)k(operation)f(of)i(Bro\).)k(The)c(k)o(e)o(y)g(principle)e
-(is)j(to)g(\002nd)e(a)i(traf)n(\002c)-150 3900 y(pattern)f(interpreted)
-f(by)h(the)h(monitor)e(in)i(a)g(dif)n(ferent)e(f)o(ashion)h(than)-150
-4000 y(by)25 b(the)h(recei)n(ving)f(endpoint,)g(and)g(then)g(to)h(le)n
-(v)o(erage)f(this)h(into)g(an)-150 4100 y(insertion)19
-b(or)h(e)n(v)n(asion)f(attack,)h(as)h(discussed)f(abo)o(v)o(e.)-67
-4202 y(T)-7 b(o)23 b(thw)o(art)f(subterfuge)e(attacks,)j(as)g(we)f(de)n
-(v)o(eloped)e(Bro)j(we)f(at-)-150 4301 y(tempted)d(at)i(each)f(stage)h
-(to)f(analyze)f(the)i(e)o(xplicit)e(and)h(implicit)g(as-)-150
-4401 y(sumptions)h(made)g(by)h(the)f(system,)i(and)e(ho)n(w)-5
-b(,)21 b(by)h(violating)e(them,)-150 4501 y(an)31 b(attack)g(might)f
-(successfully)g(elude)h(detection.)56 b(This)31 b(can)g(be)-150
-4600 y(a)26 b(dif)n(\002cult)g(process,)h(though,)e(and)g(we)i(mak)o(e)
-e(no)h(claims)g(to)g(ha)n(v)o(e)-150 4700 y(found)17
-b(them)h(all!)25 b(In)19 b(the)g(remainder)d(of)j(this)g(section,)g(we)
-g(focus)f(on)-150 4800 y(subterfuge)k(attacks)i(on)g(the)g(inte)o
-(grity)f(of)h(the)g(byte)g(stream)g(moni-)-150 4899 y(tored)e(for)h(a)g
-(TCP)h(connection.)31 b(Then,)23 b(in)g Fi(x)g Fs(6.5,)g(we)g(look)g
-(at)g(sub-)-150 4999 y(terfuge)c(attacks)h(aimed)g(at)h(hiding)d(k)o(e)
-o(yw)o(ords)h(in)h(interacti)n(v)o(e)f(te)o(xt.)-67 5101
-y(T)-7 b(o)27 b(analyze)f(a)h(TCP)g(connection)e(at)i(the)f
-(application)g(le)n(v)o(el)g(re-)-150 5201 y(quires)17
-b(e)o(xtracting)f(the)i(payload)e(data)h(from)f(each)i(TCP)g(pack)o(et)
-f(and)-150 5300 y(reassembling)j(it)h(into)g(its)h(proper)d(sequence.)
-26 b(W)-7 b(e)22 b(no)n(w)e(consider)g(a)-150 5400 y(spectrum)k(of)i
-(approaches)d(to)j(this)g(problem,)e(ranging)g(from)g(sim-)2049
--104 y(plest)d(and)e(easiest)i(to)g(defeat,)e(to)h(increasingly)f
-(resilient.)2132 -1 y(Scanning)28 b(the)h(data)h(in)f(indi)n(vidual)f
-(pack)o(ets)h(without)g(remem-)2049 99 y(bering)20 b(an)o(y)h
-(connection)f(state,)i(while)g(easiest,)h(ob)o(viously)c(suf)n(fers)
-2049 199 y(from)24 b(major)g(problems:)33 b(an)o(y)24
-b(time)g(the)h(te)o(xt)g(of)f(interest)h(happens)2049
-298 y(to)e(straddle)g(the)g(boundary)d(between)i(the)h(end)f(of)h(one)g
-(pack)o(et)f(and)2049 398 y(the)g(be)o(ginning)d(of)i(the)h(ne)o(xt,)f
-(the)g(te)o(xt)h(will)g(go)g(unobserv)o(ed.)k(Such)2049
-497 y(a)e(split)f(can)g(happen)e(simply)i(by)g(accident,)g(and)f
-(certainly)g(by)h(ma-)2049 597 y(licious)d(intent.)2132
-701 y(Some)48 b(systems)h(address)f(this)h(problem)e(by)h(remembering)
-2049 801 y(pre)n(viously-seen)16 b(te)o(xt)j(up)f(to)h(a)h(certain)e
-(de)o(gree)f(\(perhaps)h(from)g(the)2049 900 y(be)o(ginning)25
-b(of)i(the)g(current)g(line\).)46 b(This)28 b(approach)d(f)o(ails)j(as)
-g(soon)2049 1000 y(as)g(a)g(sequence)e(\223hole\224)h(appears:)39
-b(that)28 b(is,)i(an)o(y)c(time)i(a)g(pack)o(et)f(is)2049
-1099 y(missing\227due)d(to)i(loss)g(or)g(out-of-order)21
-b(deli)n(v)o(ery\227then)i(the)j(re-)2049 1199 y(sulting)g
-(discontinuity)f(in)i(the)f(data)h(stream)f(again)g(can)g(mask)h(the)
-2049 1299 y(presence)19 b(of)h(k)o(e)o(y)g(te)o(xt)g(that)g(is)h(only)e
-(partially)h(present.)2132 1402 y(The)i(ne)o(xt)h(step)g(is)g(to)g
-(fully)g(reassemble)f(the)h(TCP)g(data)g(stream,)2049
-1502 y(based)c(on)g(the)g(sequence)g(numbers)f(associated)h(with)g
-(each)g(pack)o(et.)2049 1602 y(Doing)42 b(so)h(requires)e(maintaining)g
-(a)i(list)h(of)e(contiguous)f(data)2049 1701 y(blocks)27
-b(recei)n(v)o(ed)f(so)i(f)o(ar)m(,)h(and)e(\002tting)g(the)h(data)g
-(from)e(ne)n(w)i(pack-)2049 1801 y(ets)23 b(into)e(the)h(blocks,)g(mer)
-o(ging)e(no)n(w-adjacent)f(blocks)j(when)f(pos-)2049
-1901 y(sible.)26 b(At)21 b(an)o(y)e(gi)n(v)o(en)h(moment,)f(one)g(can)i
-(then)e(scan)i(the)f(te)o(xt)h(from)2049 2000 y(the)28
-b(be)o(ginning)e(of)i(the)h(connection)d(to)i(the)h(highest)e
-(in-sequence)2049 2100 y(byte)20 b(recei)n(v)o(ed.)2132
-2204 y(Unless)54 b(we)g(are)f(careful,)60 b(e)n(v)o(en)53
-b(k)o(eeping)f(track)h(of)g(non-)2049 2303 y(contiguous)31
-b(data)i(blocks)g(does)g(not)g(suf)n(\002ce)g(to)h(pre)n(v)o(ent)d(a)j
-(TCP)2049 2403 y(subterfuge)29 b(attack.)57 b(The)31
-b(k)o(e)o(y)f(observ)n(ation)f(is)j(that)f(an)g(attack)o(er)2049
-2502 y(can)20 b(manipulate)e(the)i(pack)o(ets)f(their)h(TCP)g(sends)g
-(so)g(that)g(the)g(mon-)2049 2602 y(itor)i(sees)i(a)f(particular)e
-(pack)o(et,)i(b)n(ut)f(the)h(endpoint)e(does)h(not.)32
-b(One)2049 2702 y(w)o(ay)h(of)g(doing)f(so)h(is)h(to)g(transmit)f(the)g
-(pack)o(et)f(with)i(an)f(in)m(v)n(alid)2049 2801 y(TCP)23
-b(checksum.)31 b(\(This)23 b(particular)e(attack)i(can)f(be)h(dealt)f
-(with)h(by)2049 2901 y(checksumming)g(e)n(v)o(ery)g(pack)o(et,)j(and)f
-(discarding)f(those)h(that)g(f)o(ail;)2049 3001 y(a)e(monitor)d(needs)i
-(to)h(do)e(this)i(an)o(yw)o(ay)e(so)i(that)f(it)h(correctly)e(tracks)
-2049 3100 y(the)30 b(endpoint')-5 b(s)29 b(state)i(in)f(the)g(presence)
-f(of)h(honest)g(data)g(corrup-)2049 3200 y(tion)18 b(errors,)g(which)g
-(are)g(not)g(particularly)f(rare)g([P)o(a97a)o(].\))24
-b(Another)2049 3300 y(w)o(ay)18 b(is)g(to)g(launch)e(the)i(pack)o(et)f
-(with)g(an)h(IP)g(\223T)m(ime)f(T)-7 b(o)18 b(Li)n(v)o(e\224)f(\(TTL\))
-2049 3399 y(\002eld)22 b(suf)n(\002cient)f(to)g(carry)g(the)g(pack)o
-(et)g(past)h(the)f(monitoring)f(point,)2049 3499 y(b)n(ut)30
-b(insuf)n(\002cient)f(to)h(carry)g(it)g(all)h(the)f(w)o(ay)g(to)g(the)g
-(endpoint.)53 b(\(If)2049 3598 y(the)28 b(site)h(has)f(a)g(comple)o(x)e
-(topology)-5 b(,)27 b(it)i(may)e(be)h(dif)n(\002cult)f(for)h(the)2049
-3698 y(monitor)19 b(to)h(detect)g(this)h(attack.\))j(A)d(third)e(w)o
-(ay)i(becomes)e(possible)2049 3798 y(if)27 b(the)f(\002nal)h(path)f(to)
-h(the)g(attack)o(ed)f(endpoint)e(happens)h(to)i(ha)n(v)o(e)f(a)2049
-3897 y(smaller)21 b(Maximum)f(T)m(ransmission)g(Unit)h(\(MTU\))g(than)f
-(the)h(Inter)n(-)2049 3997 y(net)c(path)f(from)g(the)h(attack)o(er')-5
-b(s)17 b(host)g(to)g(the)g(monitoring)e(point.)23 b(The)2049
-4097 y(attack)o(er)c(then)h(sends)g(a)g(pack)o(et)g(with)g(a)g(size)h
-(e)o(xceeding)d(this)j(MTU)2049 4196 y(and)c(with)h(the)g(IP)g
-(\223Don')o(t)e(Fragment\224)g(header)h(bit)g(set.)25
-b(This)18 b(pack)o(et)2049 4296 y(will)25 b(then)f(transit)g(past)h
-(the)f(monitoring)e(point,)i(b)n(ut)h(be)f(discarded)2049
-4395 y(by)c(the)g(router)f(at)i(the)f(point)f(where)h(the)g(MTU)g
-(narro)n(ws.)2132 4499 y(By)28 b(manipulating)e(pack)o(ets)i(in)g(this)
-h(f)o(ashion,)f(an)g(attack)o(er)g(can)2049 4599 y(send)38
-b(innocuous)f(te)o(xt)h(for)g(the)h(bene\002t)f(of)g(the)h(monitor)m(,)
-i(such)2049 4698 y(as)27 b(\223)p Fm(USER)49 b(nice)p
-Fs(\224,)26 b(and)g(then)f(retransmit)g(\(using)g(the)h(same)g(se-)2049
-4798 y(quence)d(numbers\))g(attack)i(te)o(xt)f(\(\223)p
-Fm(USER)49 b(root)p Fs(\224\),)24 b(this)i(time)e(al-)2049
-4898 y(lo)n(wing)k(the)i(pack)o(ets)f(to)g(tra)n(v)o(erse)g(all)h(the)f
-(w)o(ay)h(to)f(the)h(endpoint.)2049 4997 y(If)19 b(the)h(monitor)e
-(simply)h(discards)g(retransmitted)g(data)g(without)g(in-)2049
-5097 y(specting)k(it,)j(then)d(it)i(will)g(mistak)o(enly)e(belie)n(v)o
-(e)g(that)h(the)g(endpoint)2049 5197 y(recei)n(v)o(ed)19
-b(the)h(innocuous)e(te)o(xt,)i(and)f(f)o(ail)i(to)f(detect)g(the)g
-(attack.)2132 5300 y(Figure)29 b(2)h(illustrates)g(this)g(attack.)53
-b(Here,)32 b(the)d(attack)o(er)h(sends)2049 5400 y(the)19
-b(te)o(xt)g(\223)p Fm(USER)p Fs(\224)g(with)g(an)g(initial)h(TTL)e(of)h
-(20)g(hops,)g(co)o(v)o(ering)d(se-)1908 5649 y(12)p eop
-%%Page: 13 13
-13 12 bop -125 -187 a
- 15392931 10313261 5788794 18945146 34930114 38613893 startTexFig
- -125 -187 a
-%%BeginDocument: evasion.idraw
-
-/arrowhead {
-0 begin
-transform originalCTM itransform
-/taily exch def
-/tailx exch def
-transform originalCTM itransform
-/tipy exch def
-/tipx exch def
-/dy tipy taily sub def
-/dx tipx tailx sub def
-/angle dx 0 ne dy 0 ne or { dy dx atan } { 90 } ifelse def
-gsave
-originalCTM setmatrix
-tipx tipy translate
-angle rotate
-newpath
-arrowHeight neg arrowWidth 2 div moveto
-0 0 lineto
-arrowHeight neg arrowWidth 2 div neg lineto
-patternNone not {
-originalCTM setmatrix
-/padtip arrowHeight 2 exp 0.25 arrowWidth 2 exp mul add sqrt brushWidth mul
-arrowWidth div def
-/padtail brushWidth 2 div def
-tipx tipy translate
-angle rotate
-padtip 0 translate
-arrowHeight padtip add padtail add arrowHeight div dup scale
-arrowheadpath
-ifill
-} if
-brushNone not {
-originalCTM setmatrix
-tipx tipy translate
-angle rotate
-arrowheadpath
-istroke
-} if
-grestore
-end
-} dup 0 9 dict put def
-
-/arrowheadpath {
-newpath
-arrowHeight neg arrowWidth 2 div moveto
-0 0 lineto
-arrowHeight neg arrowWidth 2 div neg lineto
-} def
-
-/leftarrow {
-0 begin
-y exch get /taily exch def
-x exch get /tailx exch def
-y exch get /tipy exch def
-x exch get /tipx exch def
-brushLeftArrow { tipx tipy tailx taily arrowhead } if
-end
-} dup 0 4 dict put def
-
-/rightarrow {
-0 begin
-y exch get /tipy exch def
-x exch get /tipx exch def
-y exch get /taily exch def
-x exch get /tailx exch def
-brushRightArrow { tipx tipy tailx taily arrowhead } if
-end
-} dup 0 4 dict put def
-
-
-/arrowHeight 8 def
-/arrowWidth 4 def
-
-/IdrawDict 54 dict def
-IdrawDict begin
-
-/reencodeISO {
-dup dup findfont dup length dict begin
-{ 1 index /FID ne { def }{ pop pop } ifelse } forall
-/Encoding ISOLatin1Encoding def
-currentdict end definefont
-} def
-
-/ISOLatin1Encoding [
-/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
-/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
-/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
-/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
-/space/exclam/quotedbl/numbersign/dollar/percent/ampersand/quoteright
-/parenleft/parenright/asterisk/plus/comma/minus/period/slash
-/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon
-/less/equal/greater/question/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N
-/O/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/backslash/bracketright
-/asciicircum/underscore/quoteleft/a/b/c/d/e/f/g/h/i/j/k/l/m
-/n/o/p/q/r/s/t/u/v/w/x/y/z/braceleft/bar/braceright/asciitilde
-/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
-/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
-/.notdef/dotlessi/grave/acute/circumflex/tilde/macron/breve
-/dotaccent/dieresis/.notdef/ring/cedilla/.notdef/hungarumlaut
-/ogonek/caron/space/exclamdown/cent/sterling/currency/yen/brokenbar
-/section/dieresis/copyright/ordfeminine/guillemotleft/logicalnot
-/hyphen/registered/macron/degree/plusminus/twosuperior/threesuperior
-/acute/mu/paragraph/periodcentered/cedilla/onesuperior/ordmasculine
-/guillemotright/onequarter/onehalf/threequarters/questiondown
-/Agrave/Aacute/Acircumflex/Atilde/Adieresis/Aring/AE/Ccedilla
-/Egrave/Eacute/Ecircumflex/Edieresis/Igrave/Iacute/Icircumflex
-/Idieresis/Eth/Ntilde/Ograve/Oacute/Ocircumflex/Otilde/Odieresis
-/multiply/Oslash/Ugrave/Uacute/Ucircumflex/Udieresis/Yacute
-/Thorn/germandbls/agrave/aacute/acircumflex/atilde/adieresis
-/aring/ae/ccedilla/egrave/eacute/ecircumflex/edieresis/igrave
-/iacute/icircumflex/idieresis/eth/ntilde/ograve/oacute/ocircumflex
-/otilde/odieresis/divide/oslash/ugrave/uacute/ucircumflex/udieresis
-/yacute/thorn/ydieresis
-] def
-/Helvetica-Bold reencodeISO def
-/Times-Roman reencodeISO def
-/Courier-Bold reencodeISO def
-/Helvetica-Oblique reencodeISO def
-
-/none null def
-/numGraphicParameters 17 def
-/stringLimit 65535 def
-
-/Begin {
-save
-numGraphicParameters dict begin
-} def
-
-/End {
-end
-restore
-} def
-
-/SetB {
-dup type /nulltype eq {
-pop
-false /brushRightArrow idef
-false /brushLeftArrow idef
-true /brushNone idef
-} {
-/brushDashOffset idef
-/brushDashArray idef
-0 ne /brushRightArrow idef
-0 ne /brushLeftArrow idef
-/brushWidth idef
-false /brushNone idef
-} ifelse
-} def
-
-/SetCFg {
-/fgblue idef
-/fggreen idef
-/fgred idef
-} def
-
-/SetCBg {
-/bgblue idef
-/bggreen idef
-/bgred idef
-} def
-
-/SetF {
-/printSize idef
-/printFont idef
-} def
-
-/SetP {
-dup type /nulltype eq {
-pop true /patternNone idef
-} {
-dup -1 eq {
-/patternGrayLevel idef
-/patternString idef
-} {
-/patternGrayLevel idef
-} ifelse
-false /patternNone idef
-} ifelse
-} def
-
-/BSpl {
-0 begin
-storexyn
-newpath
-n 1 gt {
-0 0 0 0 0 0 1 1 true subspline
-n 2 gt {
-0 0 0 0 1 1 2 2 false subspline
-1 1 n 3 sub {
-/i exch def
-i 1 sub dup i dup i 1 add dup i 2 add dup false subspline
-} for
-n 3 sub dup n 2 sub dup n 1 sub dup 2 copy false subspline
-} if
-n 2 sub dup n 1 sub dup 2 copy 2 copy false subspline
-patternNone not brushLeftArrow not brushRightArrow not and and { ifill } if
-brushNone not { istroke } if
-0 0 1 1 leftarrow
-n 2 sub dup n 1 sub dup rightarrow
-} if
-end
-} dup 0 4 dict put def
-
-/Circ {
-newpath
-0 360 arc
-patternNone not { ifill } if
-brushNone not { istroke } if
-} def
-
-/CBSpl {
-0 begin
-dup 2 gt {
-storexyn
-newpath
-n 1 sub dup 0 0 1 1 2 2 true subspline
-1 1 n 3 sub {
-/i exch def
-i 1 sub dup i dup i 1 add dup i 2 add dup false subspline
-} for
-n 3 sub dup n 2 sub dup n 1 sub dup 0 0 false subspline
-n 2 sub dup n 1 sub dup 0 0 1 1 false subspline
-patternNone not { ifill } if
-brushNone not { istroke } if
-} {
-Poly
-} ifelse
-end
-} dup 0 4 dict put def
-
-/Elli {
-0 begin
-newpath
-4 2 roll
-translate
-scale
-0 0 1 0 360 arc
-patternNone not { ifill } if
-brushNone not { istroke } if
-end
-} dup 0 1 dict put def
-
-/Line {
-0 begin
-2 storexyn
-newpath
-x 0 get y 0 get moveto
-x 1 get y 1 get lineto
-brushNone not { istroke } if
-0 0 1 1 leftarrow
-0 0 1 1 rightarrow
-end
-} dup 0 4 dict put def
-
-/MLine {
-0 begin
-storexyn
-newpath
-n 1 gt {
-x 0 get y 0 get moveto
-1 1 n 1 sub {
-/i exch def
-x i get y i get lineto
-} for
-patternNone not brushLeftArrow not brushRightArrow not and and { ifill } if
-brushNone not { istroke } if
-0 0 1 1 leftarrow
-n 2 sub dup n 1 sub dup rightarrow
-} if
-end
-} dup 0 4 dict put def
-
-/Poly {
-3 1 roll
-newpath
-moveto
--1 add
-{ lineto } repeat
-closepath
-patternNone not { ifill } if
-brushNone not { istroke } if
-} def
-
-/Rect {
-0 begin
-/t exch def
-/r exch def
-/b exch def
-/l exch def
-newpath
-l b moveto
-l t lineto
-r t lineto
-r b lineto
-closepath
-patternNone not { ifill } if
-brushNone not { istroke } if
-end
-} dup 0 4 dict put def
-
-/Text {
-ishow
-} def
-
-/idef {
-dup where { pop pop pop } { exch def } ifelse
-} def
-
-/ifill {
-0 begin
-gsave
-patternGrayLevel -1 ne {
-fgred bgred fgred sub patternGrayLevel mul add
-fggreen bggreen fggreen sub patternGrayLevel mul add
-fgblue bgblue fgblue sub patternGrayLevel mul add setrgbcolor
-eofill
-} {
-eoclip
-originalCTM setmatrix
-pathbbox /t exch def /r exch def /b exch def /l exch def
-/w r l sub ceiling cvi def
-/h t b sub ceiling cvi def
-/imageByteWidth w 8 div ceiling cvi def
-/imageHeight h def
-bgred bggreen bgblue setrgbcolor
-eofill
-fgred fggreen fgblue setrgbcolor
-w 0 gt h 0 gt and {
-l w add b translate w neg h scale
-w h true [w 0 0 h neg 0 h] { patternproc } imagemask
-} if
-} ifelse
-grestore
-end
-} dup 0 8 dict put def
-
-/istroke {
-gsave
-brushDashOffset -1 eq {
-[] 0 setdash
-1 setgray
-} {
-brushDashArray brushDashOffset setdash
-fgred fggreen fgblue setrgbcolor
-} ifelse
-brushWidth setlinewidth
-originalCTM setmatrix
-stroke
-grestore
-} def
-
-/ishow {
-0 begin
-gsave
-fgred fggreen fgblue setrgbcolor
-/fontDict printFont printSize scalefont dup setfont def
-/descender fontDict begin 0 [FontBBox] 1 get FontMatrix end
-transform exch pop def
-/vertoffset 1 printSize sub descender sub def {
-0 vertoffset moveto show
-/vertoffset vertoffset printSize sub def
-} forall
-grestore
-end
-} dup 0 3 dict put def
-/patternproc {
-0 begin
-/patternByteLength patternString length def
-/patternHeight patternByteLength 8 mul sqrt cvi def
-/patternWidth patternHeight def
-/patternByteWidth patternWidth 8 idiv def
-/imageByteMaxLength imageByteWidth imageHeight mul
-stringLimit patternByteWidth sub min def
-/imageMaxHeight imageByteMaxLength imageByteWidth idiv patternHeight idiv
-patternHeight mul patternHeight max def
-/imageHeight imageHeight imageMaxHeight sub store
-/imageString imageByteWidth imageMaxHeight mul patternByteWidth add string def
-0 1 imageMaxHeight 1 sub {
-/y exch def
-/patternRow y patternByteWidth mul patternByteLength mod def
-/patternRowString patternString patternRow patternByteWidth getinterval def
-/imageRow y imageByteWidth mul def
-0 patternByteWidth imageByteWidth 1 sub {
-/x exch def
-imageString imageRow x add patternRowString putinterval
-} for
-} for
-imageString
-end
-} dup 0 12 dict put def
-
-/min {
-dup 3 2 roll dup 4 3 roll lt { exch } if pop
-} def
-
-/max {
-dup 3 2 roll dup 4 3 roll gt { exch } if pop
-} def
-
-/midpoint {
-0 begin
-/y1 exch def
-/x1 exch def
-/y0 exch def
-/x0 exch def
-x0 x1 add 2 div
-y0 y1 add 2 div
-end
-} dup 0 4 dict put def
-
-/thirdpoint {
-0 begin
-/y1 exch def
-/x1 exch def
-/y0 exch def
-/x0 exch def
-x0 2 mul x1 add 3 div
-y0 2 mul y1 add 3 div
-end
-} dup 0 4 dict put def
-
-/subspline {
-0 begin
-/movetoNeeded exch def
-y exch get /y3 exch def
-x exch get /x3 exch def
-y exch get /y2 exch def
-x exch get /x2 exch def
-y exch get /y1 exch def
-x exch get /x1 exch def
-y exch get /y0 exch def
-x exch get /x0 exch def
-x1 y1 x2 y2 thirdpoint
-/p1y exch def
-/p1x exch def
-x2 y2 x1 y1 thirdpoint
-/p2y exch def
-/p2x exch def
-x1 y1 x0 y0 thirdpoint
-p1x p1y midpoint
-/p0y exch def
-/p0x exch def
-x2 y2 x3 y3 thirdpoint
-p2x p2y midpoint
-/p3y exch def
-/p3x exch def
-movetoNeeded { p0x p0y moveto } if
-p1x p1y p2x p2y p3x p3y curveto
-end
-} dup 0 17 dict put def
-
-/storexyn {
-/n exch def
-/y n array def
-/x n array def
-n 1 sub -1 0 {
-/i exch def
-y i 3 2 roll put
-x i 3 2 roll put
-} for
-} def
-
-/SSten {
-fgred fggreen fgblue setrgbcolor
-dup true exch 1 0 0 -1 0 6 -1 roll matrix astore
-} def
-
-/FSten {
-dup 3 -1 roll dup 4 1 roll exch
-newpath
-0 0 moveto
-dup 0 exch lineto
-exch dup 3 1 roll exch lineto
-0 lineto
-closepath
-bgred bggreen bgblue setrgbcolor
-eofill
-SSten
-} def
-
-/Rast {
-exch dup 3 1 roll 1 0 0 -1 0 6 -1 roll matrix astore
-} def
-
-
-%I Idraw 10 Grid 3 3 
-
-
-Begin
-%I b u
-%I cfg u
-%I cbg u
-%I f u
-%I p u
-%I t
-[ 0.955325 0 0 0.955325 0 0 ] concat
-/originalCTM matrix currentmatrix def
-
-Begin %I Line
-%I b 65520
-0 0 0 [12 4] 0 SetB
-%I cfg Black
-0 0 0 SetCFg
-%I cbg White
-1 1 1 SetCBg
-none SetP %I p n
-%I t
-[ 1 -0 -0 1 117 149 ] concat
-%I
-228 226 228 451 Line
-%I 1
-End
-
-Begin %I Line
-%I b 65535
-0 0 0 [] 0 SetB
-%I cfg Black
-0 0 0 SetCFg
-%I cbg White
-1 1 1 SetCBg
-none SetP %I p n
-%I t
-[ 1 -0 -0 1 117 149 ] concat
-%I
-213 211 228 181 Line
-%I 1
-End
-
-Begin %I Line
-%I b 65535
-0 0 0 [] 0 SetB
-%I cfg Black
-0 0 0 SetCFg
-%I cbg White
-1 1 1 SetCBg
-%I p
-0 SetP
-%I t
-[ 1 -0 -0 1 117 149 ] concat
-%I
-228 181 243 211 Line
-%I 1
-End
-
-Begin %I Text
-%I cfg Black
-0 0 0 SetCFg
-%I f -*-helvetica-bold-r-normal-*-14-*-*-*-*-*-*-*
-Helvetica-Bold 14 SetF
-%I t
-[ 1 0 0 1 322 317 ] concat
-%I
-[
-(Monitor)
-] Text
-End
-
-Begin %I Text
-%I cfg Black
-0 0 0 SetCFg
-%I f -*-times-medium-r-normal-*-12-*-*-*-*-*-*-*
-Times-Roman 12 SetF
-%I t
-[ 0.92 0 0 0.92 355.92 609.68 ] concat
-%I
-[
-(\(10 hops\))
-] Text
-End
-
-Begin %I Text
-%I cfg Black
-0 0 0 SetCFg
-%I f -*-times-medium-r-normal-*-12-*-*-*-*-*-*-*
-Times-Roman 12 SetF
-%I t
-[ 1 0 0 1 473 580 ] concat
-%I
-[
-(\(18 hops\))
-] Text
-End
-
-Begin %I Rect
-%I b 65535
-1 0 0 [] 0 SetB
-%I cfg Black
-0 0 0 SetCFg
-%I cbg White
-1 1 1 SetCBg
-none SetP %I p n
-%I t
-[ 1 0 0 1 58.25 112.5 ] concat
-%I
-105 437 146 462 Rect
-End
-
-Begin %I Text
-%I cfg Black
-0 0 0 SetCFg
-%I f -*-courier-bold-r-normal-*-12-*-*-*-*-*-*-*
-Courier-Bold 12 SetF
-%I t
-[ 1 0 0 1 170.25 566.5 ] concat
-%I
-[
-(USER)
-] Text
-End
-
-Begin %I Text
-%I cfg Black
-0 0 0 SetCFg
-%I f -*-times-medium-r-normal-*-12-*-*-*-*-*-*-*
-Times-Roman 12 SetF
-%I t
-[ 1 0 0 1 145 590 ] concat
-%I
-[
-(seq= 6 ... 9)
-] Text
-End
-
-Begin %I Text
-%I cfg Black
-0 0 0 SetCFg
-%I f -*-times-medium-r-normal-*-12-*-*-*-*-*-*-*
-Times-Roman 12 SetF
-%I t
-[ 1 0 0 1 129.25 566.5 ] concat
-%I
-[
-(ttl=20)
-] Text
-End
-
-Begin %I Rect
-%I b 65535
-1 0 0 [] 0 SetB
-%I cfg Black
-0 0 0 SetCFg
-%I cbg White
-1 1 1 SetCBg
-none SetP %I p n
-%I t
-[ 1 0 0 1 103.25 67.5 ] concat
-%I
-105 437 146 462 Rect
-End
-
-Begin %I Text
-%I cfg Black
-0 0 0 SetCFg
-%I f -*-times-medium-r-normal-*-12-*-*-*-*-*-*-*
-Times-Roman 12 SetF
-%I t
-[ 1 0 0 1 173.25 522 ] concat
-%I
-[
-(ttl=12)
-] Text
-End
-
-Begin %I Text
-%I cfg Black
-0 0 0 SetCFg
-%I f -*-times-medium-r-normal-*-12-*-*-*-*-*-*-*
-Times-Roman 12 SetF
-%I t
-[ 1 0 0 1 211 545 ] concat
-%I
-[
-(10 .. 13)
-] Text
-End
-
-Begin %I Text
-%I cfg Black
-0 0 0 SetCFg
-%I f -*-courier-bold-r-normal-*-12-*-*-*-*-*-*-*
-Courier-Bold 12 SetF
-%I t
-[ 1 0 0 1 215.25 521.5 ] concat
-%I
-[
-(nice)
-] Text
-End
-
-Begin %I Rect
-%I b 65535
-1 0 0 [] 0 SetB
-%I cfg Black
-0 0 0 SetCFg
-%I cbg White
-1 1 1 SetCBg
-none SetP %I p n
-%I t
-[ 1 0 0 1 103.25 8.50003 ] concat
-%I
-105 437 146 462 Rect
-End
-
-Begin %I Text
-%I cfg Black
-0 0 0 SetCFg
-%I f -*-times-medium-r-normal-*-12-*-*-*-*-*-*-*
-Times-Roman 12 SetF
-%I t
-[ 1 0 0 1 211 486 ] concat
-%I
-[
-(10 .. 13)
-] Text
-End
-
-Begin %I Text
-%I cfg Black
-0 0 0 SetCFg
-%I f -*-times-medium-r-normal-*-12-*-*-*-*-*-*-*
-Times-Roman 12 SetF
-%I t
-[ 1 0 0 1 173.25 463 ] concat
-%I
-[
-(ttl=20)
-] Text
-End
-
-Begin %I Text
-%I cfg Black
-0 0 0 SetCFg
-%I f -*-courier-bold-r-normal-*-12-*-*-*-*-*-*-*
-Courier-Bold 12 SetF
-%I t
-[ 1 0 0 1 215.25 463 ] concat
-%I
-[
-(root)
-] Text
-End
-
-Begin %I Line
-%I b 65535
-2 0 1 [] 0 SetB
-%I cfg Black
-0 0 0 SetCFg
-%I cbg White
-1 1 1 SetCBg
-none SetP %I p n
-%I t
-[ 1 -0 -0 1 172.25 248.5 ] concat
-%I
-88 211 308 212 Line
-%I 1
-End
-
-Begin %I Line
-%I b 65535
-2 0 1 [] 0 SetB
-%I cfg Black
-0 0 0 SetCFg
-%I cbg White
-1 1 1 SetCBg
-none SetP %I p n
-%I t
-[ 1 -0 -0 1 169.25 246.5 ] concat
-%I
-93 271 206 272 Line
-%I 1
-End
-
-Begin %I Pict
-%I b u
-%I cfg u
-%I cbg u
-%I f u
-%I p u
-%I t
-[ 1 0 0 1 5 0.5 ] concat
-
-Begin %I Pict
-%I b u
-%I cfg u
-%I cbg u
-%I f -*-times-medium-r-normal-*-12-*-*-*-*-*-*-*
-Times-Roman 12 SetF
-%I p u
-%I t
-[ 0.214567 0 0 0.214567 300.249 408.973 ] concat
-
-Begin %I Line
-%I b 65535
-0 0 0 [] 0 SetB
-%I cfg Black
-0 0 0 SetCFg
-%I cbg White
-1 1 1 SetCBg
-none SetP %I p n
-%I t
-[ 0.125 -0 -0 0.125 346 477.5 ] concat
-%I
-329 115 40 403 Line
-%I 8
-End
-
-Begin %I Line
-%I b 65535
-0 0 0 [] 0 SetB
-%I cfg Black
-0 0 0 SetCFg
-%I cbg White
-1 1 1 SetCBg
-none SetP %I p n
-%I t
-[ 0.125 -0 -0 0.125 346 477.5 ] concat
-%I
-41 115 329 403 Line
-%I 8
-End
-
-End %I eop
-
-Begin %I Text
-%I cfg Black
-0 0 0 SetCFg
-%I f -*-times-medium-r-normal-*-12-*-*-*-*-*-*-*
-Times-Roman 12 SetF
-%I t
-[ 1 0 0 1 374.75 510.25 ] concat
-%I
-[
-(ttl expires)
-] Text
-End
-
-End %I eop
-
-Begin %I Rect
-%I b 65535
-0 0 0 [] 0 SetB
-%I cfg Black
-0 0 0 SetCFg
-%I cbg White
-1 1 1 SetCBg
-none SetP %I p n
-%I t
-[ 1.7938 0 0 0.865636 184.784 -12.9233 ] concat
-%I
-105 437 146 462 Rect
-End
-
-Begin %I Text
-%I cfg Black
-0 0 0 SetCFg
-%I f -*-courier-bold-r-normal-*-12-*-*-*-*-*-*-*
-Courier-Bold 12 SetF
-%I t
-[ 1 0 0 1 378.906 380.68 ] concat
-%I
-[
-(USER nice)
-] Text
-End
-
-Begin %I Line
-%I b 65535
-0 0 0 [] 0 SetB
-%I cfg Black
-0 0 0 SetCFg
-%I cbg White
-1 1 1 SetCBg
-none SetP %I p n
-%I t
-[ 1 -0 -0 1 118.906 247.18 ] concat
-%I
-291 118 291 140 Line
-%I 1
-End
-
-Begin %I Rect
-%I b 65535
-0 0 0 [] 0 SetB
-%I cfg Black
-0 0 0 SetCFg
-%I cbg White
-1 1 1 SetCBg
-none SetP %I p n
-%I t
-[ 1.7938 0 0 0.865636 184.784 -38.4233 ] concat
-%I
-105 437 146 462 Rect
-End
-
-Begin %I Line
-%I b 65535
-0 0 0 [] 0 SetB
-%I cfg Black
-0 0 0 SetCFg
-%I cbg White
-1 1 1 SetCBg
-none SetP %I p n
-%I t
-[ 1 0 0 1 118.906 221.68 ] concat
-%I
-291 118 291 140 Line
-%I 1
-End
-
-Begin %I Text
-%I cfg Black
-0 0 0 SetCFg
-%I f -*-courier-bold-r-normal-*-12-*-*-*-*-*-*-*
-Courier-Bold 12 SetF
-%I t
-[ 1 0 0 1 378.906 355.18 ] concat
-%I
-[
-(USER root)
-] Text
-End
-
-Begin %I Text
-%I cfg Black
-0 0 0 SetCFg
-%I f -*-helvetica-medium-o-normal-*-14-*-*-*-*-*-*-*
-Helvetica-Oblique 14 SetF
-%I t
-[ 1 0 0 1 453 382 ] concat
-%I
-[
-(?)
-] Text
-End
-
-Begin %I Text
-%I cfg Black
-0 0 0 SetCFg
-%I f -*-helvetica-medium-o-normal-*-14-*-*-*-*-*-*-*
-Helvetica-Oblique 14 SetF
-%I t
-[ 1 0 0 1 453 357 ] concat
-%I
-[
-(?)
-] Text
-End
-
-Begin %I Rect
-%I b 65535
-0 0 0 [] 0 SetB
-%I cfg Black
-0 0 0 SetCFg
-%I cbg White
-1 1 1 SetCBg
-none SetP %I p n
-%I t
-[ 1.7938 0 0 0.865636 292.284 104.577 ] concat
-%I
-105 437 146 462 Rect
-End
-
-Begin %I Line
-%I b 65535
-0 0 0 [] 0 SetB
-%I cfg Black
-0 0 0 SetCFg
-%I cbg White
-1 1 1 SetCBg
-none SetP %I p n
-%I t
-[ 1 0 0 1 226.406 364.68 ] concat
-%I
-291 118 291 140 Line
-%I 1
-End
-
-Begin %I Text
-%I cfg Black
-0 0 0 SetCFg
-%I f -*-courier-bold-r-normal-*-12-*-*-*-*-*-*-*
-Courier-Bold 12 SetF
-%I t
-[ 1 0 0 1 486.406 498.18 ] concat
-%I
-[
-(USER root)
-] Text
-End
-
-Begin %I Line
-%I b 65535
-2 0 1 [] 0 SetB
-%I cfg Black
-0 0 0 SetCFg
-%I cbg White
-1 1 1 SetCBg
-none SetP %I p n
-%I t
-[ 0.5 -0 -0 0.5 338.25 314.5 ] concat
-%I
--246 496 287 494 Line
-%I 2
-End
-
-Begin %I Pict
-%I b u
-%I cfg u
-%I cbg u
-%I f u
-%I p u
-%I t
-[ 1 0 0 1 6 32 ] concat
-
-Begin %I Text
-%I cfg Black
-0 0 0 SetCFg
-%I f -*-helvetica-bold-r-normal-*-14-*-*-*-*-*-*-*
-Helvetica-Bold 14 SetF
-%I t
-[ 1 0 0 1 477 493 ] concat
-%I
-[
-(Victim)
-] Text
-End
-
-Begin %I Text
-%I cfg Black
-0 0 0 SetCFg
-%I f -*-helvetica-bold-r-normal-*-14-*-*-*-*-*-*-*
-Helvetica-Bold 14 SetF
-%I t
-[ 1 0 0 1 89 494 ] concat
-%I
-[
-(Attacker)
-] Text
-End
-
-End %I eop
-
-Begin %I BSpl
-%I b 65535
-0 0 0 [] 0 SetB
-%I cfg Black
-0 0 0 SetCFg
-%I cbg White
-1 1 1 SetCBg
-none SetP %I p n
-%I t
-[ 0.25 -0 -0 0.25 313.75 281.5 ] concat
-%I 3
-89 266
-126 302
-160 267
-3 BSpl
-%I 4
-End
-
-Begin %I BSpl
-%I b 65535
-0 0 0 [] 0 SetB
-%I cfg Black
-0 0 0 SetCFg
-%I cbg White
-1 1 1 SetCBg
-%I p
-0 SetP
-%I t
-[ 0.25 -0 -0 0.25 313.75 281.5 ] concat
-%I 3
-106 279
-125 269
-145 282
-3 BSpl
-%I 4
-End
-
-Begin %I BSpl
-%I b 65535
-0 0 0 [] 0 SetB
-%I cfg Black
-0 0 0 SetCFg
-%I cbg White
-1 1 1 SetCBg
-%I p
-0 SetP
-%I t
-[ 0.25 -0 -0 0.25 313.75 281.5 ] concat
-%I 3
-145 281
-125 291
-106 281
-3 BSpl
-%I 4
-End
-
-End %I eop
-
-showpage
-
-
-end
-%%EndDocument
-
- endTexFig
- -150 1302 a Fs(Figure)19 b(2:)24 b(A)c(TTL-based)e(e)n(v)n(asion)g
-(attack)h(on)g(an)g(intrusion)f(detec-)-150 1401 y(tion)i(system)-150
-1691 y(quence)27 b(numbers)f(6)i(through)e(9)i(in)g(the)g(TCP)h(data)e
-(stream.)48 b(It)29 b(is)-150 1791 y(18)f(hops)h(to)g(the)g(victim)f
-(and)h(10)f(hops)g(to)h(the)g(monitor)m(,)g(so)g(both)-150
-1890 y(see)g(this)g(te)o(xt)g(and)f(accept)g(it.)51 b(The)29
-b(attack)o(er)f(ne)o(xt)g(transmits)h(the)-150 1990 y(te)o(xt)g(\223)p
-Fm(nice)p Fs(\224)f(co)o(v)o(ering)f(the)i(ne)o(xt)f(consecuti)n(v)o(e)
-f(span)i(of)f(the)h(se-)-150 2090 y(quence)34 b(space,)40
-b(10)35 b(through)e(13,)39 b(b)n(ut)d(with)g(an)f(initial)h(TTL)g(of)
--150 2189 y(only)19 b(12,)f(which)h(suf)n(\002ces)h(for)f(the)g(pack)o
-(et)g(to)g(tra)n(v)o(el)h(past)f(the)h(mon-)-150 2289
-y(itor)m(,)35 b(b)n(ut)e(not)g(all)g(the)g(w)o(ay)g(to)g(the)g(victim.)
-62 b(Hence,)36 b(the)d(moni-)-150 2388 y(tor)28 b(sees)h(this)g(te)o
-(xt)f(b)n(ut)g(the)g(victim)g(does)g(not.)49 b(The)28
-b(attack)o(er)g(the)-150 2488 y(sends)e(the)g(te)o(xt)g(\223)p
-Fm(root)p Fs(\224)g(with)g(the)g(same)g(sequence)f(numbers)g(as)-150
-2588 y(\223)p Fm(nice)p Fs(\224,)20 b(b)n(ut)h(this)g(time)g(with)g
-(enough)d(TTL)j(to)f(reach)g(the)h(victim.)-150 2687
-y(The)26 b(victim)f(will)i(thus)f(only)f(see)h(the)g(te)o(xt)g(\223)p
-Fm(USER)p Fs(\224)f(follo)n(wed)g(by)-150 2787 y(\223)p
-Fm(root)p Fs(\224,)d(while)h(the)f(monitor)f(will)i(see)g(tw)o(o)g(v)o
-(ersions)e(of)h(the)h(te)o(xt)-150 2887 y(for)17 b(sequence)g(numbers)f
-(10)i(through)d(13,)j(and)f(will)i(ha)n(v)o(e)e(to)h(decide)-150
-2986 y(which)i(to)h(assume)f(w)o(as)i(also)f(recei)n(v)o(ed)e(by)h(the)
-g(victim)h(\(if,)f(indeed,)-150 3086 y(it)e(e)n(v)o(en)f(detects)h
-(that)g(the)f(data)h(stream)f(includes)g(an)h(inconsistenc)o(y)-5
-b(,)-150 3185 y(which)25 b(requires)f(e)o(xtra)h(w)o(ork)f(on)h(the)h
-(monitor')-5 b(s)24 b(part\).)40 b(While)25 b(in)-150
-3285 y(this)c(case)g(by)f(inspecting)f(the)h(TTLs)h(it)g
-Fr(may)f Fs(be)g(able)g(to)h(determine)-150 3385 y(which)c(of)g(the)g
-(tw)o(o)g(v)o(ersions)g(the)g(victim)g(will)h(ha)n(v)o(e)e(seen,)i
-(there)f(are)-150 3484 y(man)o(y)28 b(other)g(w)o(ays)h(\(windo)n(w)e
-(checks,)j(the)f(MTU)g(attack)f(abo)o(v)o(e,)-150 3584
-y(checksums,)e(ackno)n(wledgement)c(sequence)j(number)f(checks\))h(of)
--150 3684 y(subtly)31 b(af)n(fecting)g(header)g(\002elds)h(such)g(that)
-g(the)g(victim)f(will)i(re-)-150 3783 y(ject)21 b(one)f(or)g(the)g
-(other)g(of)g(the)g(tw)o(o)h(v)o(ersions.)j(Fundamentally)-5
-b(,)18 b(the)-150 3883 y(monitor)j(cannot)h(con\002dently)f(kno)n(w)h
-(which)h(of)f(the)h(tw)o(o)h(v)o(ersions)-150 3982 y(to)c(accept.)-67
-4093 y(A)27 b(partial)g(defense)e(against)h(this)h(attack)g(is)h(that)e
-(when)g(we)h(ob-)-150 4193 y(serv)o(e)j(a)h(retransmitted)e(pack)o(et)h
-(\(one)f(with)i(data)f(that)g(wholly)g(or)-150 4293 y(partially)21
-b(o)o(v)o(erlaps)g(pre)n(viously-seen)e(data\),)j(we)g(compare)f(it)h
-(with)-150 4392 y(an)o(y)f(data)g(it)i(o)o(v)o(erlaps,)d(and)h(sound)g
-(an)g(alarm)h(\(or)m(,)f(for)g(Bro,)h(gener)n(-)-150
-4492 y(ate)k(an)g(e)n(v)o(ent\))f(if)h(the)o(y)f(disagree.)41
-b(A)27 b(properly-functioning)20 b(TCP)-150 4592 y(will)31
-b(al)o(w)o(ays)f(retransmit)f(the)h(same)g(data)f(as)i(originally)d
-(sent,)k(so)-150 4691 y(an)o(y)23 b(disagreement)f(is)j(either)f(due)f
-(to)h(a)h(brok)o(en)d(TCP)-9 b(,)24 b(undetected)-150
-4791 y(data)19 b(corruption)d(\(i.e.,)j(corruption)e(the)i(checksum)e
-(f)o(ails)j(to)f(catch\),)-150 4890 y(or)h(an)g(attack.)-67
-5001 y(W)-7 b(e)28 b(ha)n(v)o(e)e(ar)o(gued)f(that)i(the)g(monitor)e
-(must)i(retain)f(a)h(record)f(of)-150 5101 y(pre)n(viously)34
-b(transmitted)i(data,)k(both)35 b(in-sequence)g(and)g(out-of-)-150
-5201 y(sequence.)30 b(The)22 b(question)f(no)n(w)g(arises)i(as)g(to)f
-(ho)n(w)g(long)g(the)g(mon-)-150 5300 y(itor)f(must)g(k)o(eep)g(this)g
-(data)g(around.)26 b(If)21 b(it)h(k)o(eeps)e(it)i(for)f(the)g(lifetime)
--150 5400 y(of)d(the)h(connection,)d(then)i(it)i(may)e(require)f
-(prodigious)f(amounts)i(of)2049 -104 y(memory)25 b(an)o(y)g(time)i(it)g
-(happens)e(upon)g(a)h(particularly)f(lar)o(ge)g(con-)2049
--5 y(nection;)i(these)e(are)g(not)g(infrequent)e([P)o(a94)n(].)40
-b(W)-7 b(e)26 b(instead)f(w)o(ould)2049 95 y(lik)o(e)31
-b(to)g(discard)f(data)h(blocks)f(as)h(soon)g(as)g(possible,)i(to)e
-(reclaim)2049 194 y(the)g(associated)g(memory)-5 b(.)55
-b(Clearly)-5 b(,)33 b(we)f(cannot)d(safely)i(discard)2049
-294 y(blocks)17 b(abo)o(v)o(e)f(a)j(sequencing)c(hole,)j(as)h(we)f
-(then)f(lose)h(the)g(opportu-)2049 394 y(nity)i(to)h(scan)f(the)h(te)o
-(xt)f(that)h(crosses)g(from)e(the)i(sequence)e(hole)h(into)2049
-493 y(the)h(block.)28 b(But)22 b(we)g(w)o(ould)e(lik)o(e)i(to)g
-(determine)e(when)g(it)i(is)h(safe)e(to)2049 593 y(discard)f
-(in-sequence)e(data.)2132 698 y(Here)i(we)h(can)f(mak)o(e)g(use)h(of)f
-(our)f(assumption)g(that)i(the)f(attack)o(er)2049 798
-y(controls)j(only)f(one)h(of)h(the)f(connection)f(endpoints.)33
-b(Suppose)23 b(the)2049 897 y(stream)30 b(of)g(interest)g(\003o)n(ws)g
-(from)f(host)h Fj(A)h Fs(to)f(host)g Fj(B)t Fs(.)55 b(If)29
-b(the)h(at-)2049 997 y(tack)o(er)i(controls)g Fj(B)t
-Fs(,)k(then)c(the)o(y)g(are)g(unable)g(to)g(manipulate)g(the)2049
-1097 y(data)21 b(pack)o(ets)g(in)h(a)g(subterfuge)d(attack,)i(so)h(we)g
-(can)f(safely)g(discard)2049 1196 y(the)h(data)h(once)e(it)i(is)g
-(in-sequence)e(and)h(we)g(ha)n(v)o(e)g(had)g(an)g(opportu-)2049
-1296 y(nity)e(to)h(analyze)e(it.)26 b(On)21 b(the)f(other)g(hand,)f(if)
-h(the)o(y)g(control)f Fj(A)p Fs(,)i(then,)2049 1395 y(from)i(our)f
-(assumption,)h(an)o(y)g(traf)n(\002c)h(we)g(see)g(from)e
-Fj(B)29 b Fs(re\003ects)24 b(the)2049 1495 y(correct)16
-b(functioning)f(of)i(its)i(TCP)f(\(this)f(assumes)h(that)f(we)h(use)g
-(anti-)2049 1595 y(spoo\002ng)f(\002lters)j(so)f(that)g(the)g(attack)o
-(er)f(cannot)g(for)o(ge)f(bogus)h(traf)n(\002c)2049 1694
-y(purportedly)g(coming)h(from)h Fj(B)t Fs(\).)27 b(In)21
-b(particular)m(,)e(we)i(can)f(trust)h(that)2049 1794
-y(if)f(we)g(see)h(an)f(ackno)n(wledgement)c(from)j Fj(B)24
-b Fs(for)c(sequence)e(number)2049 1894 y Fj(n)p Fs(,)26
-b(then)e(indeed)f Fj(B)29 b Fs(has)c(recei)n(v)o(ed)e(all)i(data)g(in)f
-(sequence)g(up)g(to)g Fj(n)p Fs(.)2049 1993 y(At)d(this)f(point,)g
-Fj(B)t Fs(')-5 b(s)21 b(TCP)g(will)g(deli)n(v)o(er)m(,)d(or)i(has)h
-(already)e(deli)n(v)o(ered,)2049 2093 y(this)24 b(data)f(to)h(the)f
-(application)f(running)f(on)i Fj(B)t Fs(.)35 b(In)23
-b(particular)m(,)f Fj(B)t Fs(')-5 b(s)2049 2192 y(TCP)31
-b(cannot)e(accept)h(an)o(y)f(retransmitted)g(data)h(belo)n(w)g
-(sequence)2049 2292 y Fj(n)p Fs(,)24 b(as)g(it)f(has)h(already)e
-(indicated)g(it)h(has)h(no)e(more)h(interest)g(in)g(such)2049
-2392 y(data.)h(Therefore,)15 b(when)h(the)i(monitor)d(sees)j(an)f
-(ackno)n(wledgement)2049 2491 y(for)k Fj(n)p Fs(,)h(it)g(can)f(safely)h
-(release)f(an)o(y)g(memory)f(associated)h(with)h(data)2049
-2591 y(up)e(to)g(sequence)f Fj(n)p Fs(.)2132 2696 y(While)d(this)g
-(defense)e(w)o(orks)h(for)g(detecting)f(this)i(general)f(class)h(of)
-2049 2796 y(insertion)k(attacks,)h(it)h(suf)n(fers)e(from)g(f)o(alse)h
-(positi)n(v)o(es,)f(as)i(discussed)2049 2895 y(in)e Fi(x)h
-Fs(7.3)f(belo)n(w)-5 b(.)2132 3000 y(Finally)g(,)33 b(we)f(note)e(a)i
-(general)e(defense)h(against)f(certain)h(types)2049 3100
-y(of)22 b(subterfuge)e(attacks,)i(which)f(we)h(term)g(\223bifurcating)e
-(analysis.)-6 b(\224)2049 3200 y(The)23 b(idea)g(is)h(that)f(when)g
-(the)g(monitor)e(cannot)h(determine)g(ho)n(w)h(an)2049
-3299 y(endpoint)15 b(will)j(interpret)e(some)h(netw)o(ork)f(traf)n
-(\002c)g(\(such)h(as)h(whether)2049 3399 y(it)25 b(will)h(accept)e
-Fm(USER)49 b(nice)25 b Fs(or)f Fm(USER)49 b(root)p Fs(\),)25
-b(it)g(forms)f(mul-)2049 3499 y(tiple)c(threads)g(of)g(analysis,)g(e)o
-(xamining)e(each)i(of)g(the)g(possibilities.)2049 3598
-y(W)-7 b(e)25 b(note)d(one)h(e)o(xample)f(of)h(doing)g(so)g(in)h
-Fi(x)g Fs(6.5)e(belo)n(w)h(in)h(our)e(dis-)2049 3698
-y(cussion)e(of)g(analyzing)e(T)-6 b(elnet)20 b(and)g(Rlogin)g(traf)n
-(\002c.)2049 4008 y Ft(6)119 b(A)m(pplication-speci\002c)33
-b(pr)n(ocessing)2049 4204 y Fs(W)-7 b(e)21 b(\002nish)g(our)e(o)o(v)o
-(ervie)n(w)f(of)i(Bro)g(with)g(a)h(discussion)e(of)h(the)g(addi-)2049
-4304 y(tional)j(processing)f(it)i(does)g(for)e(the)i(six)g
-(applications)e(it)i(currently)2049 4404 y(kno)n(ws)33
-b(about:)51 b(Finger)m(,)36 b(FTP)-9 b(,)33 b(Portmapper)m(,)i(Ident,)h
-(T)-6 b(elnet)33 b(and)2049 4503 y(Rlogin.)e(Admittedly)21
-b(these)h(are)g(just)h(a)g(small)f(portion)f(of)h(the)g(dif-)2049
-4603 y(ferent)g(Internet)g(applications)g(used)g(in)h(attacks,)h(and)e
-(Bro')-5 b(s)24 b(ef)n(fec-)2049 4703 y(ti)n(v)o(eness)e(will)h
-(bene\002t)g(greatly)e(as)i(more)f(are)g(added.)31 b(F)o(ortunately)-5
-b(,)2049 4802 y(we)34 b(ha)n(v)o(e)f(in)h(general)f(found)f(that)i(the)
-g(system)g(meets)g(our)f(goal)2049 4902 y(of)f(e)o(xtensibility)e(\()p
-Fi(x)j Fs(1\),)h(and)d(adding)g(ne)n(w)h(applications)e(to)i(Bro)2049
-5001 y(is\227other)j(than)f(the)i(sometimes)f(major)f(headache)g(of)h
-(rob)n(ustly)2049 5101 y(interpreting)d(the)j(application)e(protocol)f
-(itself\227quite)i(straight-)2049 5201 y(forw)o(ard,)d(a)f(matter)g(of)
-g(deri)n(ving)e(a)i(C++)h(class)g(to)f(analyze)f(each)2049
-5300 y(connection')-5 b(s)18 b(traf)n(\002c,)h(and)g(de)n(vising)g(a)h
-(set)g(of)f(e)n(v)o(ents)g(correspond-)2049 5400 y(ing)h(to)g
-(signi\002cant)g(elements)g(of)g(the)g(application.)1908
-5649 y(13)p eop
-%%Page: 14 14
-14 13 bop -150 -104 a Fh(6.1)99 b(Finger)-150 51 y Fs(The)33
-b(\002rst)i(of)e(the)h(applications)f(is)h(the)g(Finger)f(\223User)h
-(Informa-)-150 151 y(tion\224)22 b(service)f([Zi91)o(].)30
-b(Structurally)-5 b(,)20 b(Finger)h(is)i(v)o(ery)e(simple:)29
-b(the)-150 250 y(connection)i(originator)f(sends)j(a)g(single)g(line,)i
-(terminated)d(by)g(a)-150 350 y(carriage-return)20 b(line-feed,)i
-(specifying)f(the)i(user)g(for)f(which)g(the)o(y)-150
-450 y(request)28 b(information.)50 b(An)29 b(optional)f(\003ag)h
-(requests)g(\223full\224)g(\(v)o(er)n(-)-150 549 y(bose\))g(output.)54
-b(The)29 b(responder)f(returns)h(whate)n(v)o(er)g(information)-150
-649 y(it)c(deems)f(appropriate)f(in)h(multiple)g(lines)h(of)f(te)o(xt,)
-i(after)e(which)g(it)-150 749 y(closes)d(the)f(connection.)-67
-848 y(Bro)37 b(generates)f(a)h Fm(finger)p 825 848 25
-4 v 28 w(request)f Fs(e)n(v)o(ent)g(whene)n(v)o(er)f(it)-150
-948 y(monitors)18 b(a)i(complete)e(Finger)h(request.)24
-b(A)c(handler)e(for)h(this)g(e)n(v)o(ent)-150 1047 y(looks)h(lik)o(e:)
--150 1191 y Ff(event)39 b(finger_request\(c:)e(connection,)687
-1270 y(user:)i(string,)g(full:)g(bool\))-150 1435 y Fs(Our)18
-b(site')-5 b(s)20 b(polic)o(y)d(for)h(Finger)g(requests)g(includes)g
-(testing)g(for)g(pos-)-150 1534 y(sible)j(b)n(uf)n(fer)n(-o)o(v)o
-(er\003o)n(w)16 b(attacks)21 b(and)e(checking)g(the)h(user)g(against)g
-(a)-150 1634 y(list)27 b(of)e(sensiti)n(v)o(e)h(user)g(ID')-5
-b(s,)27 b(such)f(as)g(pri)n(vile)o(ged)e(accounts.)41
-b(See)-150 1734 y(Appendix)26 b(A)i(for)f(a)h(discussion)f(of)h(ho)n(w)
-f(the)h(Finger)f(analysis)h(is)-150 1833 y(inte)o(grated)19
-b(into)g(Bro.)-67 1933 y(Bro)h(generates)g(an)g(analogous)e
-Fm(finger)p 1174 1933 V 29 w(reply)i Fs(e)n(v)o(ent:)-150
-2077 y Ff(event)39 b(finger_reply\(c:)f(connection,)607
-2155 y(reply_line:)g(string\))-150 2320 y Fs(for)20 b(each)f(line)i(of)
-f(the)g(reply)f(from)g(the)i(Finger)e(serv)o(er)-5 b(.)-67
-2420 y(A)19 b(\002nal)g(note:)24 b(if)19 b(the)f(e)n(v)o(ent)g(engine)f
-(\002nds)i(that)g(the)f(polic)o(y)g(script)-150 2519
-y(does)29 b(not)g(de\002ne)f(a)i Fm(finger)p 772 2519
-V 29 w(request)e Fs(or)h Fm(finger)p 1578 2519 V 29 w(reply)-150
-2619 y Fs(handler)m(,)19 b(then)h(it)h(does)f(not)g(bother)f(creating)h
-(Finger)n(-speci\002c)f(ana-)-150 2719 y(lyzers)j(for)g(ne)n(w)g
-(Finger)g(connections.)30 b(In)22 b(general,)g(the)g(e)n(v)o(ent)g(en-)
--150 2818 y(gine)g(tries)i(to)f(determine)e(as)j(early)f(as)g(possible)
-g(whether)f(the)h(user)-150 2918 y(has)c(de\002ned)f(a)h(particular)e
-(handler)m(,)g(and,)i(if)g(not,)f(a)n(v)n(oids)h(undertak-)-150
-3017 y(ing)29 b(the)g(w)o(ork)f(associated)h(with)h(generating)d(the)i
-(corresponding)-150 3117 y(e)n(v)o(ent.)-150 3351 y Fh(6.2)99
-b(FTP)-150 3507 y Fs(The)30 b(File)h(T)m(ransfer)f(Protocol)f([PR85)o
-(])i(is)g(much)f(more)f(comple)o(x)-150 3607 y(than)h(the)g(Finger)f
-(protocol;)k(it)e(also,)h(ho)n(we)n(v)o(er)m(,)e(is)h(highly)e(struc-)
--150 3706 y(tured)34 b(and)g(easy)h(to)g(parse,)j(so)d(interpreting)e
-(an)h(FTP)i(dialog)e(is)-150 3806 y(straight-forw)o(ard.)-67
-3906 y(F)o(or)28 b(FTP)h(requests,)i(Bro)d(parses)h(each)f(line)h(sent)
-g(by)f(the)g(con-)-150 4005 y(nection)22 b(originator)e(into)j(a)g
-(command)e(\(\002rst)i(w)o(ord\))f(and)g(an)g(ar)o(gu-)-150
-4105 y(ment)28 b(\(the)g(remainder\),)f(splitting)h(the)h(tw)o(o)f(at)h
-(the)f(\002rst)h(instance)-150 4204 y(of)f(whitespace)f(it)i(\002nds,)h
-(and)e(con)m(v)o(erting)d(the)j(command)e(to)i(up-)-150
-4304 y(percase)20 b(\(to)g(circumv)o(ent)e(problems)g(such)i(as)h(a)g
-(polic)o(y)e(script)h(test-)-150 4404 y(ing)i(for)g(\223store)g
-(\002le\224)h(commands)e(as)i Fm(STOR)f Fs(or)h Fm(stor)p
-Fs(,)f(and)g(an)g(at-)-150 4503 y(tack)o(er)j(instead)g(sending)f
-Fm(stOR)p Fs(,)g(which)h(the)g(remote)g(FTP)g(serv)o(er)-150
-4603 y(will)32 b(happily)e(accept\).)57 b(It)31 b(then)g(generates)f
-(an)h Fm(ftp)p 1478 4603 V 29 w(request)-150 4703 y Fs(e)n(v)o(ent)24
-b(with)h(these)g(and)f(the)h(corresponding)c(connection)i(as)i(ar)o
-(gu-)-150 4802 y(ments.)-67 4902 y(FTP)20 b(replies)f(be)o(gin)g(with)g
-(a)h(status)g(code)f(\(a)h(number\),)d(follo)n(wed)-150
-5001 y(by)f(an)o(y)g(accompan)o(ying)d(te)o(xt.)23 b(Replies)18
-b(also)e(can)h(indicate)f(whether)-150 5101 y(the)o(y)24
-b(continue)f(to)i(another)e(line.)38 b(Accordingly)-5
-b(,)23 b(for)h(each)g(line)h(of)-150 5201 y(reply)31
-b(the)i(e)n(v)o(ent)e(engine)g(generates)g(an)h Fm(ftp)p
-1263 5201 V 29 w(reply)g Fs(with)h(the)-150 5300 y(code,)25
-b(the)f(te)o(xt,)h(a)g(\003ag)g(indicating)e(continuation,)g(and)h(the)
-h(corre-)-150 5400 y(sponding)18 b(connection)g(as)j(ar)o(guments.)2132
--104 y(As)35 b(f)o(ar)f(as)h(the)f(e)n(v)o(ent)f(engine)g(is)i
-(concerned,)g(that')-5 b(s)34 b(it\227100)2049 -5 y(lines)18
-b(of)g(straight-forw)o(ard)d(C++.)24 b(What)19 b(is)f(interesting)f
-(about)g(FTP)2049 95 y(is)32 b(that)f(all)h(the)f(remaining)f(w)o(ork)g
-(can)h(be)g(done)f(in)i Fm(Bro)f Fs(\(about)2049 194
-y(400)d(lines)g(for)g(our)g(site\).)50 b(The)29 b Fm(ftp)p
-3182 194 V 29 w(request)f Fs(handler)f(k)o(eeps)2049
-294 y(track)k(of)f(distinct)i(FTP)f(sessions,)k(pulls)c(out)f
-(usernames)g(to)i(test)2049 394 y(against)26 b(a)h(list)g(of)g(sensiti)
-n(v)o(e)f(ID')-5 b(s)27 b(\(and)f(to)g(annotate)g(the)g(connec-)2049
-493 y(tion')-5 b(s)24 b(general)f(summary\),)g(and,)h(for)f(an)o(y)g
-(FTP)i(request)e(that)h(ma-)2049 593 y(nipulates)29 b(a)i(\002le,)i
-(checks)c(for)h(access)g(to)h(sensiti)n(v)o(e)e(\002les.)56
-b(Some)2049 693 y(of)23 b(these)g(checks)g(depend)e(on)i(conte)o(xt;)h
-(for)e(e)o(xample,)h(a)g(guest)g(\(or)2049 792 y(\223anon)o
-(ymous\224\))i(user)k(should)f(not)g(attempt)g(to)h(manipulate)f(user)n
-(-)2049 892 y(con\002guration)18 b(\002les,)i(while)h(for)e(other)h
-(users)g(doing)f(so)h(is)h(\002ne.)2132 998 y(One)f(subtlety)h(in)f
-(the)h(FTP)g(analysis)g(is)g(being)f(careful)g(to)g(main-)2049
-1097 y(tain)32 b(a)h(notion)d(of)i(\223current)f(requests)g(a)o(w)o
-(aiting)h(replies,)-6 b(\224)34 b(rather)2049 1197 y(than)f(just)h
-(\223the)f(most)g(recently)g(seen)g(request.)-6 b(\224)64
-b(Doing)33 b(so)g(cir)n(-)2049 1297 y(cumv)o(ents)23
-b(an)h(attack)h(in)f(which)g(the)h(attack)o(er)e(pipelines)h(multiple)
-2049 1396 y(requests\227rather)g(than)h(issuing)g(a)h(single)g(request)
-e(at)i(a)g(time)g(and)2049 1496 y(a)o(w)o(aiting)18 b(its)i
-(response\227and)c(confuses)i(the)h(monitor)e(as)i(to)g(which)2049
-1595 y(replies)h(go)g(with)g(which)g(requests.)2132 1701
-y(A)g(\002nal)g(analysis)f(step)h(for)f Fm(ftp)p 3093
-1701 V 29 w(request)g Fs(e)n(v)o(ents)g(is)h(to)g(parse)2049
-1801 y(an)o(y)i Fm(PORT)g Fs(request)g(to)h(e)o(xtract)f(the)g
-(hostname)g(and)g(TCP)h(port)f(as-)2049 1901 y(sociated)f(with)g(an)h
-(upcoming)c(transfer)-5 b(.)28 b(\(The)21 b(FTP)h(protocol)d(uses)2049
-2000 y(multiple)28 b(TCP)i(connections,)f(one)g(for)f(the)h(control)f
-(information)2049 2100 y(such)g(as)h(user)f(requests,)i(and)e(others,)h
-(dynamically)e(created,)i(for)2049 2199 y(each)34 b(data)f(transfer)-5
-b(.\))65 b(This)34 b(is)h(an)f(important)e(step,)38 b(because)33
-b(it)2049 2299 y(enables)27 b(the)g(script)g(to)g(tell)h(which)e
-(subsequent)g(connections)f(be-)2049 2399 y(long)h(to)g(this)i(FTP)f
-(session)g(and)f(which)g(do)g(not.)44 b(A)27 b(site')-5
-b(s)28 b(polic)o(y)2049 2498 y(might)d(allo)n(w)h(FTP)g(access)h(to)f
-(particular)e(serv)o(ers,)j(b)n(ut)e(an)o(y)g(other)2049
-2598 y(access)f(to)f(those)g(serv)o(ers)f(merits)i(an)f(alarm;)h(b)n
-(ut)f(without)g(parsing)2049 2698 y(the)c Fm(PORT)h Fs(request,)e(it)j
-(can)e(be)g(impossible)g(to)h(distinguish)e(a)i(le)o(git-)2049
-2797 y(imate)j(FTP)g(data)f(transfer)g(connection)f(from)g(an)i
-(illicit,)h(non-FTP)2049 2897 y(connection.)54 b(Consequently)-5
-b(,)30 b(the)h(script)f(k)o(eeps)h(track)f(of)g(pend-)2049
-2996 y(ing)23 b(data)h(transfer)e(connections,)g(and)h(when)g(it)h
-(encounters)e(them,)2049 3096 y(marks)g(them)g(as)h Fm(ftp-data)f
-Fs(applications,)f(e)n(v)o(en)g(if)i(the)o(y)f(do)g(not)2049
-3196 y(use)j(the)g(well-kno)n(wn)e(port)i(associated)g(with)g(such)f
-(transfers)h(\(the)2049 3295 y(standard)19 b(does)h(not)g(require)f
-(them)g(to)i(do)f(so\).)2132 3401 y(W)-7 b(e)18 b(also)f(note)f(that,)h
-(in)g(addition)f(to)g(correctly)g(identifying)e(FTP-)2049
-3501 y(related)30 b(traf)n(\002c,)i(parsing)d Fm(PORT)h
-Fs(requests)g(mak)o(es)g(it)h(possible)e(to)2049 3600
-y(detect)e(\223FTP)h(bounce\224)d(attacks.)47 b(In)27
-b(these)g(attacks,)i(a)f(malicious)2049 3700 y(FTP)j(client)g
-(instructs)g(an)g(FTP)g(serv)o(er)g(to)g(open)e(a)j(data)e(transfer)
-2049 3800 y(connection)f(not)i(back)f(to)i(it,)i(b)n(ut)d(to)h(a)f
-(third,)i(victim)e(site.)59 b(The)2049 3899 y(client)25
-b(can)f(thus)h(manipulate)e(the)h(serv)o(er)g(into)h(uploading)d(data)i
-(to)2049 3999 y(an)e(arbitrary)e(service)h(on)h(the)g(victim)f(site,)i
-(or)f(to)g(ef)n(fecti)n(v)o(ely)e(port-)2049 4099 y(scan)h(the)g
-(victim)g(site)h(\(which)e(the)h(client)g(does)g(by)g(using)f(multiple)
-2049 4198 y(bogus)30 b Fm(PORT)g Fs(requests)h(and)f(observing)f(the)i
-(completion)e(status)2049 4298 y(of)20 b(subsequent)f(data-transfer)g
-(requests\).)25 b(Our)20 b(script)h(\003ags)g Fm(PORT)2049
-4397 y Fs(requests)d(that)g(attempt)f(an)o(y)h(redirection)e(of)h(the)h
-(data)g(transfer)f(con-)2049 4497 y(nection.)23 b(Interestingly)-5
-b(,)16 b(we)j(added)e(this)i(check)e(mostly)h(because)g(it)2049
-4597 y(w)o(as)e(easy)g(to)g(do)f(so;)j(months)d(later)m(,)h(we)g
-(monitored)d(the)j(\002rst)g(of)g(se)n(v-)2049 4696 y(eral)22
-b(subsequent)e(FTP)i(bounce)e(attacks.)30 b(This)22 b(form)f(of)g
-(serendip-)2049 4796 y(itous)h(disco)o(v)o(ery)e(of)h(an)h
-(unanticipated)e(type)h(of)h(attack)g(ar)o(gues)e(for)2049
-4896 y(emplo)o(ying)c(a)j(general)f(principle)f(of)h(\223sanity)h
-(checking\224)d(the)j(mon-)2049 4995 y(itored)25 b(traf)n(\002c)g(as)h
-(much)e(as)i(possible.)40 b(F)o(or)25 b(a)h(dif)n(\002culty)e(with)i
-(this)2049 5095 y(principle,)19 b(ho)n(we)n(v)o(er)m(,)e(see)k
-Fi(x)g Fs(7.3.)2132 5201 y(F)o(or)26 b Fm(ftp)p 2428
-5201 V 29 w(reply)f Fs(e)n(v)o(ents,)i(most)f(of)g(the)g(w)o(ork)f(is)i
-(simply)e(for)n(-)2049 5300 y(matting)h(a)i(succinct)e(one-line)g
-(summary)g(of)h(the)g(request)f(and)h(its)2049 5400 y(result)f(for)f
-(recording)e(in)i(the)h(FTP)g(acti)n(vity)f(log.)41 b(In)25
-b(addition,)h(an)1908 5649 y(14)p eop
-%%Page: 15 15
-15 14 bop -150 -104 a Fs(FTP)19 b Fm(PASV)f Fs(request)g(has)g(a)h
-(structure)f(similar)g(to)h(a)f Fm(PORT)g Fs(request,)-150
--5 y(e)o(xcept)c(that)i(the)f(FTP)h(serv)o(er)f(instead)g(of)g(the)g
-(client)g(determines)g(the)-150 95 y(speci\002cs)22 b(of)g(the)f
-(subsequent)f(data)i(transfer)f(connection.)27 b(Conse-)-150
-194 y(quently)h(our)g(script)h(subjects)g Fm(PASV)g Fs(replies)g(to)g
-(the)g(same)g(anal-)-150 294 y(ysis)f(as)h Fm(PORT)e
-Fs(requests.)47 b(Finally)-5 b(,)28 b(there)f(is)i(nothing)d(to)h(pre)n
-(v)o(ent)-150 394 y(a)f Fr(dif)o(fer)m(ent)g Fs(remote)e(host)i(from)e
-(connecting)f(to)j(the)f(data)g(transfer)-150 493 y(port)c(of)n(fered)f
-(by)i(a)g(serv)o(er)f(via)h(a)g Fm(PASV)g Fs(reply)-5
-b(.)29 b(It)22 b(may)g(be)f(hard)g(to)-150 593 y(see)i(why)e(this)i
-(might)f(actually)f(occur)m(,)h(b)n(ut)g(putting)f(in)h(a)h(test)g(for)
-f(it)-150 693 y(is)k(simple)f(\(unfortunately)-5 b(,)21
-b(there)k(are)g(some)f(f)o(alse)h(alarms)g(due)f(to)-150
-792 y(multi-homed)17 b(clients;)j(we)f(use)h(heuristics)f(to)g(reduce)f
-(these\);)h(and,)-150 892 y(indeed,)32 b(se)n(v)o(eral)d(months)h
-(after)g(adding)f(it,)k(it)f(triggered,)f(due)e(to)-150
-991 y(an)18 b(attack)o(er)g(using)g(3-w)o(ay)f(FTP)i(as)g(\(e)n
-(vidently\))d(a)j(w)o(ay)f(to)h(disguise)-150 1091 y(their)d(trail,)i
-(another)d(serendipitous)g(result)i(of)g(the)f(sanity-checking)-150
-1191 y(principle.)-150 1587 y Fh(6.3)99 b(P)n(ortmapper)-150
-1798 y Fs(Man)o(y)26 b(services)h(based)g(on)g(Remote)g(Procedure)e
-(Call)k(\(RPC;)f(de-)-150 1897 y(\002ned)16 b(in)g([Sr95a)o(]\))g(do)f
-(not)h(listen)h(for)e(requests)h(on)g(a)h(\223well-kno)n(wn\224)-150
-1997 y(port,)k(b)n(ut)g(rather)g(pick)g(an)g(arbitrary)f(port)h(when)f
-(initialized.)29 b(The)o(y)-150 2096 y(then)22 b(re)o(gister)g(this)h
-(port)f(with)h(a)g(Portmapper)d(service)j(running)d(on)-150
-2196 y(the)32 b(same)h(machine.)60 b(Only)32 b(the)g(Portmapper)e
-(needs)i(to)g(run)g(on)-150 2296 y(a)24 b(well-kno)n(wn)e(port;)j(when)
-f(clients)g(w)o(ant)g(access)g(to)g(the)g(service,)-150
-2395 y(the)o(y)16 b(\002rst)i(contact)f(the)g(Portmapper)m(,)e(and)h
-(it)i(tells)g(them)f(which)f(port)-150 2495 y(the)o(y)24
-b(should)g(then)g(contact)g(in)h(order)e(to)i(reach)f(the)g(service.)38
-b(This)-150 2595 y(second)25 b(port)g(may)g(be)h(for)f(TCP)h(or)g(UDP)g
-(access)g(\(depending)d(on)-150 2694 y(which)d(of)g(these)g(the)g
-(client)g(requests)g(from)f(the)i(Portmapper\).)-67 2823
-y(Thus,)c(by)h(monitoring)d(Portmapper)g(traf)n(\002c,)j(we)g(can)f
-(detect)g(an)o(y)-150 2922 y(attempted)e(access)i(to)g(a)f(number)f(of)
-h(sensiti)n(v)o(e)g(RPC)i(services,)f(such)-150 3022
-y(as)j(NFS)h(and)e(YP)-9 b(,)19 b(e)o(xcept)g(in)g(cases)i(where)e(the)
-g(attack)o(er)g(learns)h(the)-150 3122 y(port)g(for)f(those)h(services)
-g(some)g(other)g(w)o(ay)g(\(e.g.,)f(port-scanning\).)-67
-3250 y(The)39 b(Portmapper)e(service)i(is)h(itself)g(b)n(uilt)g(on)e
-(top)h(of)g(RPC,)-150 3350 y(which)29 b(in)i(turn)e(uses)h(the)g(XDR)h
-(External)e(Data)h(Representation)-150 3449 y(Standard)23
-b([Sr95b)n(].)36 b(Furthermore,)23 b(one)g(can)h(use)g(RPC)i(on)d(top)h
-(of)-150 3549 y(either)f(TCP)i(or)e(UDP)-9 b(,)24 b(and)f(typically)g
-(the)h(Portmapper)e(listens)i(on)-150 3649 y(both)30
-b(a)i(well-kno)n(wn)d(TCP)j(port)e(and)h(a)g(well-kno)n(wn)f(UDP)h
-(port)-150 3748 y(\(both)21 b(are)h(port)f(111\).)29
-b(Consequently)-5 b(,)20 b(adding)g(Portmapper)g(anal-)-150
-3848 y(ysis)29 b(to)g(Bro)f(required)f(adding)g(a)i(generic)e(RPC)j
-(analyzer)m(,)f(TCP-)-150 3947 y(and)22 b(UDP-speci\002c)h(analyzers)f
-(to)h(unwrap)e(the)i(dif)n(ferent)e(w)o(ays)i(in)-150
-4047 y(which)34 b(RPCs)i(are)e(embedded)e(in)i(TCP)h(and)f(UDP)g(pack)o
-(ets,)k(an)-150 4147 y(XDR)21 b(analyzer)m(,)d(and)i(a)h(Portmapper)n
-(-speci\002c)c(analyzer)-5 b(.)-67 4275 y(This)32 b(last)g(generates)f
-(six)h(pairs)f(of)g(e)n(v)o(ents,)j(one)d(for)g(each)g(re-)-150
-4375 y(quest)23 b(and)f(reply)g(for)h(the)g(six)g(actions)g(the)g
-(Portmapper)e(supports:)-150 4474 y(a)27 b(null)f(call;)j(add)d(a)h
-(binding)d(between)h(a)i(service)f(and)g(a)g(port;)j(re-)-150
-4574 y(mo)o(v)o(e)21 b(a)h(binding;)f(look)h(up)f(a)i(binding;)e(dump)g
-(the)h(entire)g(table)g(of)-150 4674 y(bindings;)c(and)f(both)h(look)f
-(up)h(a)g(service)g(and)g(call)g(it)h(directly)f(with-)-150
-4773 y(out)h(requiring)f(a)i(second)e(connection.)23
-b(\(This)c(last)i(is)f(a)g(monitoring)-150 4873 y(headache)i(because)g
-(it)i(means)f(an)o(y)f(RPC)j(service)e(can)g(potentially)-150
-4973 y(be)d(accessed)g(directly)g(through)e(a)i(Portmapper)e
-(connection.\))-67 5101 y(Our)37 b(polic)o(y)f(script)i(for)f
-(Portmapper)e(traf)n(\002c)i(again)g(is)h(f)o(airly)-150
-5201 y(lar)o(ge,)i(more)d(than)g(300)f(lines.)76 b(Most)38
-b(of)f(this)h(concerns)e(what)-150 5300 y(Portmapper)17
-b(requests)j(we)g(allo)n(w)f(between)g(which)g(pairs)g(of)h(hosts,)-150
-5400 y(particularly)e(for)i(NFS)h(access.)2049 -104 y
-Fh(6.4)99 b(Ident)2049 63 y Fs(The)27 b(Identi\002cation)e(Protocol)h
-(\(\223ident\224\))g(is)i(used)e(to)i(query)d(hosts)2049
-162 y(for)34 b(the)h(user)g(identity)f(associated)h(with)g(an)g(acti)n
-(v)o(e)g(connection)2049 262 y([S-J93)o(].)52 b(The)29
-b(request)f(is)i(of)f(the)g(form)f(\223)p Fr(r)m(emote-port)i
-Fm(:)43 b Fr(local-)2049 361 y(port)q Fs(\224.)c(If)24
-b(host)h Fj(A)h Fs(sends)e(such)h(a)g(request)f(to)h(the)g(ident)f
-(serv)o(er)g(on)2049 461 y(host)19 b Fj(B)t Fs(,)g(then)f(the)h
-(request)f(is)h(asking)f(for)g(the)h(identi\002cation)e(of)i(the)2049
-561 y(user)i(on)g(host)h Fj(B)k Fs(who)21 b(has)g(a)h(connection)e
-(from)g(host)h Fj(B)t Fs(')-5 b(s)23 b Fr(r)m(emote-)2049
-660 y(port)c Fs(to)e(host)h Fj(A)p Fs(')-5 b(s)18 b Fr(local-port)p
-Fs(.)23 b(The)17 b(reply)g(identi\002es)g(the)g(operating)2049
-760 y(system,)25 b(perhaps)d(a)i(language)f(encoding,)f(and)h(a)h
-(username)f(\(or)g(a)2049 860 y(\223cookie\224)h(that)h(does)g(not)f
-(directly)h(re)n(v)o(eal)f(the)h(username)f(b)n(ut)h(can)2049
-959 y(be)d(used)f(subsequently)f(by)h(an)h(administrator)e(of)h(host)h
-Fj(B)27 b Fs(to)21 b(iden-)2049 1059 y(tify)f(the)g(user\).)2132
-1164 y(Bro)44 b(generates)f(three)g(e)n(v)o(ents,)49
-b Fm(ident)p 3404 1164 25 4 v 28 w(request)p Fs(,)g(which)2049
-1264 y(identi\002es)54 b(the)h Fr(r)m(emote-port)g Fs(and)f
-Fr(local-port)g Fs(in)h(a)f(request,)2049 1364 y Fm(ident)p
-2304 1364 V 29 w(reply)p Fs(,)33 b(which)d(includes)g(the)g(username)g
-(and)g(the)g(op-)2049 1463 y(erating)i(system,)k(and)d
-Fm(ident)p 3010 1463 V 29 w(error)p Fs(,)j(for)c(when)g(the)h(remote)
-2049 1563 y(serv)o(er)22 b(declares)g(that)h(the)g(ident)g(request)f(w)
-o(as)i(in)m(v)n(alid.)32 b(Our)22 b(site')-5 b(s)2049
-1663 y(polic)o(y)24 b(scripts)i(check)f(the)h(username)e(against)h(a)h
-(list)g(of)g(sensiti)n(v)o(e)2049 1762 y(user)16 b(ID')-5
-b(s)17 b(\(such)f(as)i(\223)p Fm(rewt)p Fs(\224,)e(a)h(name)f(commonly)
-e(used)j(for)f(back-)2049 1862 y(door)j(\223root\224)g(accounts\),)g
-(and)g(annotates)h(the)g(corresponding)c(con-)2049 1961
-y(nection)j(record)g(with)h(the)h(username.)2049 2232
-y Fh(6.5)99 b(T)-9 b(elnet)26 b(and)g(Rlogin)2049 2399
-y Fs(The)38 b(\002nal)h(applications)e(currently)f(b)n(uilt)j(into)f
-(Bro)g(are)h(T)-6 b(elnet)2049 2499 y(and)29 b(Rlogin,)h(services)g
-(for)e(remote)h(interacti)n(v)o(e)e(access)j([PR83a)o(,)2049
-2598 y(Ka91)o(].)42 b(There)25 b(are)h(se)n(v)o(eral)f(signi\002cant)g
-(dif)n(\002culties)h(with)g(moni-)2049 2698 y(toring)21
-b(interacti)n(v)o(e)g(traf)n(\002c.)30 b(The)21 b(\002rst)i(is)g(that,)
-f(unlik)o(e)g(FTP)-9 b(,)22 b(T)-6 b(elnet)2049 2798
-y(and)17 b(Rlogin)g(traf)n(\002c)h(is)g(virtually)f(unstructured.)k
-(There)c(are)h(no)f(nice)2049 2897 y(\223)p Fm(USER)49
-b(xyz)p Fs(\224)29 b(directi)n(v)o(es)f(that)i(mak)o(e)f(it)h(tri)n
-(vial)f(to)g(identify)g(the)2049 2997 y(account)c(associated)g(with)h
-(the)g(acti)n(vity;)j(instead,)e(one)e(must)h(em-)2049
-3097 y(plo)o(y)f(a)g(series)h(of)f(heuristics.)40 b(\(The)24
-b(Rlogin)h(protocol)f(includes)g(a)2049 3196 y(mechanism)g(for)g
-(specifying)g(an)h(initial)g(username,)g(b)n(ut)g(does)g(not)2049
-3296 y(include)15 b(a)h(mechanism)f(for)g(indicating)g(that)h(the)g
-(username)e(w)o(as)j(re-)2049 3395 y(jected,)j(so)g(the)g(situation)g
-(is)h(virtually)e(identical)g(to)h(that)g(for)g(T)-6
-b(elnet)2049 3495 y(in)17 b(which)g(the)g(initial)g(name)g(is)h
-(presumably)d(the)i(\002rst)h(te)o(xt)f(typed)f(by)2049
-3595 y(the)21 b(user)-5 b(.\))27 b(This)21 b(problem)e(mak)o(es)h
-(interacti)n(v)o(e)g(traf)n(\002c)g(particularly)2049
-3694 y(susceptible)g(to)h(subterfuge)e(attacks,)i(since)g(if)g(the)g
-(heuristics)f(ha)n(v)o(e)2049 3794 y(holes,)g(an)g(attack)o(er)g(can)g
-(slip)g(through)e(them)i(undetected.)2132 3900 y(There)35
-b(are)i(tw)o(o)f(parts)g(to)h(the)f(analysis:)58 b(determining)34
-b(user)n(-)2049 3999 y(names)22 b(in)g(a)h(rob)n(ust)f(f)o(ashion,)f
-(and)h(scanning)f(interacti)n(v)o(e)g(sessions)2049 4099
-y(for)j(strings)g(re\003ecting)f(questionable)g(acti)n(vity)-5
-b(.)36 b(W)-7 b(e)25 b(discuss)g(each)2049 4198 y(in)31
-b(turn.)55 b(Because)30 b(of)h(the)f(close)h(similarities)g(between)f
-(analyz-)2049 4298 y(ing)f(T)-6 b(elnet)30 b(and)f(Rlogin)g(sessions,)k
-(Bro)d(combines)e(them)i(into)f(a)2049 4398 y(generic)21
-b(\223Login\224)f(analyzer)m(,)g(which)h(is)i(the)e(term)h(we)g(use)f
-(for)g(both)2049 4497 y(in)f(the)h(remainder)d(of)i(the)g(section.)2132
-4603 y Fl(Recognizing)29 b(the)h(authentication)e(dialog)o(.)53
-b Fs(The)30 b(\002rst)h(f)o(acet)2049 4703 y(of)26 b(analyzing)f(Login)
-g(acti)n(vity)h(is)h(to)f(accurately)f(track)h(the)g(initial)2049
-4802 y(authentication)f(dialog)i(and)f(e)o(xtract)h(from)f(it)i(the)f
-(usernames)f(as-)2049 4902 y(sociated)c(with)h(both)f(login)g(f)o
-(ailures)h(and)f(successes.)33 b(Initially)22 b(we)2049
-5001 y(attempted)e(to)h(b)n(uild)g(a)g(state)h(machine)e(that)h(w)o
-(ould)g(track)f(the)h(v)n(ari-)2049 5101 y(ous)e(authentication)f
-(steps:)25 b(w)o(aiting)20 b(for)e(the)i(username,)e(scanning)2049
-5201 y(the)29 b(login)f(prompt)f(\(this)h(comes)h(after)f(the)h
-(username,)g(since)g(the)2049 5300 y(processing)22 b(is)i
-(line-oriented,)e(and)h(the)g(full,)h(ne)n(wline-terminated)2049
-5400 y(prompt)34 b(line)h(does)g(not)g(appear)f(until)h(after)g(the)g
-(username)f(has)1908 5649 y(15)p eop
-%%Page: 16 16
-16 15 bop -150 -104 a Fs(been)24 b(entered\),)g(w)o(aiting)h(for)f(the)
-g(passw)o(ord,)h(scanning)f(the)g(pass-)-150 -5 y(w)o(ord)34
-b(prompt,)i(and)f(then)f(looking)f(for)h(an)g(indication)g(that)h(the)
--150 95 y(passw)o(ord)29 b(w)o(as)j(rejected)d(\(in)h(which)g(case)g
-(the)h(process)e(repeats\))-150 194 y(or)f(accepted.)48
-b(This)29 b(approach,)e(though,)i(founders)d(on)i(the)g(great)-150
-294 y(v)n(ariety)21 b(of)i(authentication)d(dialogs)i(used)g(by)g(dif)n
-(ferent)e(operating)-150 394 y(systems,)25 b(some)e(of)g(which)h
-(sometimes)f(do)g(not)g(prompt)f(for)h(pass-)-150 493
-y(w)o(ords,)k(or)f(re-prompt)e(for)h(passw)o(ords)h(rather)g(than)f
-(login)h(names)-150 593 y(after)34 b(a)g(passw)o(ord)f(f)o(ailure,)k
-(or)d(utilize)g(tw)o(o)g(steps)h(of)e(passw)o(ord)-150
-693 y(authentication,)20 b(or)h(e)o(xtract)g(usernames)f(from)h(en)m
-(vironment)d(v)n(ari-)-150 792 y(ables,)25 b(and)e(so)h(on.)35
-b(W)-7 b(e)25 b(instead)f(use)g(a)g(simpler)g(approach,)e(based)-150
-892 y(on)h(associating)f(particular)g(strings)h(\(such)f(as)i(\223P)o
-(assw)o(ord:\224\))29 b(with)-150 991 y(particular)g(information,)i
-(and)f(not)g(attempting)f(to)h(track)g(the)h(au-)-150
-1091 y(thentication)16 b(states)j(e)o(xplicitly)-5 b(.)22
-b(It)c(w)o(orks)f(well,)h(although)e(not)h(per)n(-)-150
-1191 y(fectly)-5 b(,)19 b(and)h(its)h(w)o(orkings)e(are)h(certainly)f
-(easier)i(to)f(follo)n(w)-5 b(.)-67 1297 y(The)40 b(Login)e(analyzer)h
-(generates)g Fm(login)p 1272 1297 25 4 v 29 w(success)g
-Fs(upon)-150 1396 y(determining)51 b(that)h(a)i(user)e(has)h
-(successfully)g(authenticated,)-150 1496 y Fm(login)p
-105 1496 V 29 w(failure)40 b Fs(when)g(a)h(user')-5 b(s)41
-b(attempt)g(to)g(authenticate)-150 1595 y(f)o(ails,)18
-b Fm(authentication)p 736 1595 V 27 w(skipped)e Fs(if)g(it)i
-(recognizes)d(the)h(au-)-150 1695 y(thentication)28 b(dialog)h(as)i
-(one)e(speci\002ed)g(by)h(the)f(polic)o(y)g(script)h(as)-150
-1795 y(not)17 b(requiring)f(further)g(analysis,)h(and)g
-Fm(login)p 1240 1795 V 29 w(confused)g Fs(if)h(the)-150
-1894 y(analyzer)f(becomes)g(confused)f(re)o(garding)g(the)i
-(authentication)e(dia-)-150 1994 y(log.)24 b(\(This)19
-b(last)g(could,)f(for)g(e)o(xample,)g(trigger)f(full-pack)o(et)g
-(record-)-150 2094 y(ing)j(of)g(the)g(subsequent)f(session,)h(for)g
-(later)g(manual)f(analysis.\))-67 2199 y Fl(T)-6 b(ype-ahead.)28
-b Fs(A)22 b(basic)g(dif)n(\002culty)e(that)i(complicates)f(the)g(anal-)
--150 2299 y(ysis)j(is)g(type-ahead.)32 b(W)-7 b(e)24
-b(cannot)f(rely)g(on)f(the)i(most-recently)d(en-)-150
-2399 y(tered)h(string)g(as)i(corresponding)19 b(to)k(the)f(current)g
-(prompt)f(line.)32 b(In-)-150 2498 y(stead,)24 b(we)f(k)o(eep)f(track)h
-(of)g(user)f(input)h(lines)g(separately)-5 b(,)22 b(and)g(con-)-150
-2598 y(sume)27 b(them)h(as)g(we)g(observ)o(e)e(dif)n(ferent)g(prompts.)
-46 b(F)o(or)27 b(e)o(xample,)-150 2698 y(if)20 b(the)g(analyzer)f
-(scans)h(\223P)o(assw)o(ord:\224,)f(then)g(it)i(associates)g(with)f
-(the)-150 2797 y(prompt)15 b(the)i(\002rst)h(unread)d(line)i(in)g(the)g
-(user)g(type-ahead)d(b)n(uf)n(fer)m(,)i(and)-150 2897
-y(consumes)21 b(that)i(line.)31 b(The)22 b(hazard)f(of)h(this)h
-(approach)d(is)j(if)f(the)h(lo-)-150 2996 y(gin)h(serv)o(er)f(e)n(v)o
-(er)h(\003ushes)g(the)g(type-ahead)e(b)n(uf)n(fer)h(\(due)h(to)g(part)g
-(of)-150 3096 y(its)f(authentication)c(dialog,)j(or)f(upon)f(an)i(e)o
-(xplicit)f(signal)h(from)f(the)-150 3196 y(user\),)h(then)g(if)g(the)h
-(monitor)d(misses)k(this)e(f)o(act)h(it)g(will)g(become)e(out)-150
-3295 y(of)29 b(sync.)50 b(This)29 b(opens)f(the)h(monitor)e(to)i(a)g
-(subterfuge)e(attack,)j(in)-150 3395 y(which)c(an)h(attack)o(er)f
-(passes)h(of)n(f)f(an)h(innocuous)d(string)i(as)i(a)f(user)n(-)-150
-3495 y(name,)20 b(and)g(the)h(polic)o(y)f(script)g(in)h(turn)f(f)o
-(ails)i(to)f(recognize)e(that)i(the)-150 3594 y(attack)o(er)16
-b(in)h(f)o(act)f(has)h(authenticated)e(as)i(a)g(pri)n(vile)o(ged)d
-(user)-5 b(.)24 b(One)16 b(\002x)-150 3694 y(to)21 b(this)h
-(problem\227re\003ecting)c(a)j(strate)o(gy)f(we)i(adopt)e(for)g(the)h
-(more)-150 3793 y(general)g(\223k)o(e)o(ystrok)o(e)f(editing\224)g
-(problem)g(discussed)i(belo)n(w\227is)f(to)-150 3893
-y(test)29 b Fr(both)f Fs(usernames)f(and)h(passw)o(ords)g(against)g(an)
-o(y)f(list)j(of)e(sen-)-150 3993 y(siti)n(v)o(e)d(usernames,)h(an)f(e)o
-(xample)f(of)h(the)g(\223bifurcation\224)e(approach)-150
-4092 y(discussed)d(in)g Fi(x)h Fs(5.3)f(abo)o(v)o(e.)-67
-4198 y(Unless)37 b(we)f(are)g(careful,)j(type-ahead)34
-b(also)i(opens)g(the)g(door)-150 4298 y(to)28 b(another)e(subterfuge)g
-(attack.)47 b(F)o(or)27 b(e)o(xample,)h(an)g(attack)o(er)f(can)-150
-4397 y(type-ahead)41 b(the)i(string)g(\223P)o(assw)o(ord:\224,)48
-b(which,)g(when)43 b(echoed)-150 4497 y(by)49 b(the)g(login)f(serv)o
-(er)m(,)55 b(w)o(ould)49 b(be)g(interpreted)e(by)i(the)g(ana-)-150
-4597 y(lyzer)26 b(as)i(corresponding)23 b(to)k(a)g(passw)o(ord)g
-(prompt,)f(when)g(in)h(f)o(act)-150 4696 y(the)40 b(dialog)f(is)i(in)f
-(a)h(dif)n(ferent)d(state.)85 b(The)40 b(analyzer)f(defends)-150
-4796 y(against)32 b(these)i(attacks)f(by)f(checking)g(each)h
-(typed-ahead)d(string)-150 4896 y(against)16 b(the)g(dif)n(ferent)f
-(dialog)g(strings)h(it)h(kno)n(ws)f(about,)g(generating)-150
-4995 y Fm(possible)p 255 4995 V 28 w(login)p 533 4995
-V 29 w(ploy)k Fs(upon)f(a)i(match.)-67 5101 y Fl(K)n(eystr)o(ok)o(e)14
-b(editing)o(.)23 b Fs(Usernames)15 b(can)g(also)h(become)e(disguised)
--150 5201 y(due)21 b(to)g(use)g(of)g(k)o(e)o(ystrok)o(e)e(editing.)27
-b(F)o(or)21 b(e)o(xample,)e(we)j(w)o(ould)e(lik)o(e)-150
-5300 y(to)29 b(recognize)d(that)j(\223)p Fm(rb<)p Fb(DEL)q
-Fm(>oot)p Fs(\224)e(does)h(indeed)f(correspond)-150 5400
-y(to)22 b(a)g(username)e(of)h Fm(root)p Fs(,)h(assuming)f(that)g
-Fm(<)p Fb(DEL)q Fm(>)g Fs(is)h(the)g(single-)2049 -104
-y(character)k(deletion)f(operator)-5 b(.)44 b(W)-7 b(e)28
-b(\002nd)e(this)h(assumption,)g(ho)n(w-)2049 -5 y(e)n(v)o(er)m(,)d
-(problematic,)g(since)h(some)f(systems)h(use)g Fm(<)p
-Fb(DEL)q Fm(>)f Fs(and)g(oth-)2049 95 y(ers)30 b(use)g
-Fm(<)p Fb(BS)t Fm(>)p Fs(.)52 b(W)-7 b(e)31 b(address)e(this)h(problem)
-e(by)h(applying)e(both)2049 194 y(forms)h(of)h(editing)f(to)g
-(usernames,)i(yielding)e(possibly)g(three)g(dif-)2049
-294 y(ferent)21 b(strings,)g(each)g(of)h(which)f(the)g(script)h(then)f
-(assesses)i(in)e(turn.)2049 394 y(So,)29 b(for)d(e)o(xample,)i(the)f
-(string)g(\223)p Fm(rob<)p Fb(DEL)q Fm(><)p Fb(BS)t Fm(><)p
-Fb(BS)t Fm(>ot)p Fs(\224)d(is)2049 493 y(tested)19 b(both)g(directly)-5
-b(,)18 b(as)h(\223)p Fm(ro<)p Fb(BS)t Fm(><)p Fb(BS)t
-Fm(>ot)p Fs(\224,)f(and)g(as)i(\223)p Fm(root)p Fs(\224.)2049
-593 y(This)f(is)h(another)e(e)o(xample)f(of)i(using)f(bifurcation)f(to)
-i(address)g(anal-)2049 693 y(ysis)i(ambiguities.)2132
-898 y(Editing)35 b(is)h(not)f(limited)h(to)f(deleting)g(indi)n(vidual)f
-(characters,)2049 998 y(ho)n(we)n(v)o(er)-5 b(.)65 b(Some)34
-b(systems)g(support)f(deleting)g(entire)h(w)o(ords)g(or)2049
-1097 y(lines;)24 b(others)d(allo)n(w)i(access)g(to)f(pre)n
-(viously-typed)c(lines)23 b(using)f(an)2049 1197 y(escape)f(sequence.)
-26 b(W)-7 b(ord)21 b(and)g(line)g(deletion)f(do)h(not)f(allo)n(w)h(an)g
-(at-)2049 1297 y(tack)o(er)d(to)g(hide)f(their)h(username,)f(if)h
-(tests)h(for)f(sensiti)n(v)o(e)g(usernames)2049 1396
-y(check)k(for)g(an)o(y)g(embedded)e(occurrence)g(of)j(the)f(username)g
-(within)2049 1496 y(the)35 b(input)f(te)o(xt.)68 b(\223History\224)35
-b(access)g(to)g(pre)n(vious)e(te)o(xt)i(is)g(more)2049
-1595 y(problematic;)28 b(presently)-5 b(,)27 b(the)g(analyzer)e
-(recognizes)h(one)g(operat-)2049 1695 y(ing)18 b(system)g(that)g
-(supports)f(this)h(\(VMS\))g(and,)f(for)h(it)g(only)-5
-b(,)17 b(e)o(xpands)2049 1795 y(the)j(escape)g(sequence)f(into)h(the)g
-(te)o(xt)g(of)g(the)h(pre)n(vious)d(line.)2132 2000 y
-Fl(T)-8 b(elnet)42 b(options.)88 b Fs(The)41 b(T)-6 b(elnet)42
-b(protocol)d(supports)h(a)i(rich,)2049 2100 y(comple)o(x)37
-b(mechanism)h(for)g(e)o(xchanging)e(options)i(between)h(the)2049
-2199 y(client)d(and)g(serv)o(er)g([PR83b)o(])g(\(there)g(are)g(more)g
-(than)g(50)g(RFCs)2049 2299 y(discussing)27 b(dif)n(ferent)e(T)-6
-b(elnet)28 b(options\).)45 b(Unhappily)-5 b(,)26 b(we)i(cannot)2049
-2399 y(ignore)j(the)i(possible)g(presence)e(of)i(these)f(options)g(in)h
-(our)f(anal-)2049 2498 y(ysis,)j(because)c(an)h(attack)o(er)f(can)h
-(embed)e(one)h(in)h(the)g(middle)f(of)2049 2598 y(te)o(xt)d(the)o(y)g
-(transmit)g(in)h(order)e(to)i(disguise)f(their)g(intent\227for)f(e)o
-(x-)2049 2698 y(ample,)33 b(\223)p Fm(ro<)p Fr(option)p
-Fm(>ot)p Fs(\224.)55 b(The)31 b(T)-6 b(elnet)31 b(serv)o(er)f(will)i
-(dutifully)2049 2797 y(strip)25 b(out)f(the)h(option)e(before)g
-(passing)i(along)e(the)i(remaining)e(te)o(xt)2049 2897
-y(to)h(the)f(authentication)f(system.)35 b(W)-7 b(e)25
-b(must)e(do)g(the)h(same.)35 b(On)24 b(the)2049 2996
-y(other)30 b(hand,)j(parsing)e(options)f(also)i(yields)f(some)g
-(bene\002ts:)47 b(we)2049 3096 y(can)20 b(detect)g(connections)e(that)i
-(successfully)f(ne)o(gotiate)g(to)h(encrypt)2049 3196
-y(the)29 b(data)h(session,)h(and)e(skip)h(subsequent)d(analysis)j
-(\(rather)e(than)2049 3295 y(generating)16 b Fm(login)p
-2673 3295 V 29 w(confused)h Fs(e)n(v)o(ents\),)g(as)i(well)f(as)h
-(analyzing)2049 3395 y(options)j(used)g(for)g(authentication)e(\(for)i
-(e)o(xample,)f(K)n(erberos\))g(and)2049 3495 y(to)27
-b(transmit)f(the)g(user')-5 b(s)27 b(en)m(vironment)c(v)n(ariables)j
-(\(some)g(systems)2049 3594 y(use)j Fm($USER)e Fs(as)j(the)e(def)o
-(ault)f(username)g(during)g(subsequent)g(au-)2049 3694
-y(thentication\).)2132 3899 y Fl(Scanning)h(the)g(session)h(contents.)
-47 b Fs(The)27 b(last)i(form)d(of)i(Login)2049 3999 y(analysis,)c(and)g
-(in)f(our)g(e)o(xperience)f(f)o(ar)h(and)h(a)o(w)o(ay)f(the)h(most)f
-(po)n(w-)2049 4099 y(erful)18 b(for)h(detecting)f(break-ins,)f(is)j
-(looking)d(at)j(the)f(contents)f(of)h(the)2049 4198 y(lines)h(sent)g
-(by)g(the)g(user)g(\()p Fm(login)p 3048 4198 V 28 w(input)p
-3326 4198 V 29 w(line)g Fs(e)n(v)o(ents\))f(and)g(by)2049
-4298 y(the)h(remote)g(serv)o(er)f(\()p Fm(login)p 2928
-4298 V 28 w(output)p 3256 4298 V 29 w(line)p Fs(\).)2132
-4503 y(F)o(or)33 b(input)f(lines,)37 b(some)c(of)f(the)h(patterns)g(we)
-g(search)g(for)g(are)2049 4603 y(the)39 b(string)g(\223)p
-Fm(eggdrop)p Fs(\224)g(\(an)g(Internet)f(Relay)i(Chat)f(tool)g(that)
-2049 4703 y(man)o(y)34 b(attack)o(ers)i(install)g(upon)e(a)i
-(break-in\),)h(\223)p Fm(loadmodule)p Fs(\224)2049 4802
-y(and)24 b(\223)p Fm(/bin/eject)p Fs(\224)f(\(used)h(in)g(b)n(uf)n(fer)
-f(o)o(v)o(er\003o)n(w)g(attacks\),)i(and)2049 4902 y(access)34
-b(to)g(hidden)f(directories)f(with)i(names)g(lik)o(e)g(\223)p
-Fm(...)p Fs(\224.)65 b(F)o(or)2049 5001 y(output)29 b(lines,)j(we)e
-(look)f(for)g(\223)p Fm(ls)p Fs(\224)h(output)f(sho)n(wing)f
-(setuid-root)2049 5101 y(v)o(ersions)f(of)h(command-line)d
-(interpreters)i(lik)o(e)h Fr(csh)p Fs(,)i(and)e(strings)2049
-5201 y(lik)o(e)67 b(\223)p Fm(Jumping)48 b(to)i(address)p
-Fs(\224)66 b(and)g(\223)p Fm(Log)49 b(started)2049 5300
-y(at)p Fs(\224)24 b(which)f(correspond)d(to)k(popular)e(b)n(uf)n(fer)n
-(-o)o(v)o(er\003o)n(w)d(and)k(pass-)2049 5400 y(w)o(ord)d(snif)n(fer)f
-(tools,)h(respecti)n(v)o(ely)-5 b(.)1908 5649 y(16)p
-eop
-%%Page: 17 17
-17 16 bop -150 -104 a Fh(6.6)124 b(Scan)26 b(detection)-150
-70 y Fs(W)-7 b(e)34 b(\002nish)f(with)g(a)h(discussion)e(of)h
-(detecting)e(port)i(and)f(address)-150 170 y(scanning.)22
-b(While)17 b(not,)g(strictly)f(speaking,)g(a)h(form)e(of)h
-(application-)-150 269 y(speci\002c)29 b(processing,)g(we)f(ha)n(v)o(e)
-g(deferred)f(discussion)h(until)g(no)n(w)-150 369 y(so)21
-b(we)h(can)f(refer)f(to)h(the)g(pre)n(viously-de)n(v)o(eloped)16
-b(concepts)k(of)g(Bro)-150 469 y(language)e(mechanisms)i(and)f(attacks)
-i(on)e(the)i(monitor)-5 b(.)-67 578 y(Scan)18 b(detection)e(is)j(all)f
-(done)e(at)i(the)g(polic)o(y)e(script)i(le)n(v)o(el,)f(so)h(sites)-150
-678 y(may)j(of)g(course)g(tailor)g(the)g(detection)f(ho)n(we)n(v)o(er)g
-(the)o(y)g(wish.)29 b(Ho)n(w-)-150 777 y(e)n(v)o(er)m(,)h(the)g(basic)f
-(approach)e(we)j(use)g(is)g(to)f(maintain)g(pairs)g(of)g(ta-)-150
-877 y(bles.)38 b(F)o(or)24 b(detecting)f(address)h(scanning,)g(the)g
-(\002rst)h(of)f(the)h(pair)f(of)-150 977 y(tables,)39
-b Fm(distinct)p 509 977 25 4 v 28 w(peers)p Fs(,)f(is)e(a)f
-Fm(table[addr,)48 b(addr])-150 1076 y(of)h(bool)p Fs(.)67
-b(W)-7 b(e)36 b(inde)o(x)d(it)i(using)e(the)h(source)g(and)g
-(destination)-150 1176 y(address)26 b(of)g(each)h(ne)n(wly-attempted)d
-(connection.)42 b(If)26 b(the)h(pair)f(of)-150 1276 y(addresses)32
-b(is)h(not)e(in)i(the)f(table,)i(then)e(we)g(add)g(them)f(to)h(the)g
-(ta-)-150 1375 y(ble,)23 b(and)f(increment)f Fm(num)p
-649 1375 V 29 w(distinct)p 1078 1375 V 28 w(peers)p Fs(,)i(a)f
-(correspond-)-150 1475 y(ing)k Fm(table[addr])48 b(of)h(count)p
-Fs(.)42 b(This)27 b(second)e(table)h(k)o(eeps)-150 1574
-y(track)j(for)f(each)h(source)f(address)h(the)g(number)e(of)i(distinct)
-h(desti-)-150 1674 y(nation)e(addresses)h(to)g(which)f(it)i(has)f
-(attempted)f(to)h(connect.)50 b(As)-150 1774 y(that)19
-b(number)e(crosses)j(dif)n(ferent)d(thresholds,)h(the)h(script)h
-(generates)-150 1873 y(a)26 b(series)h(of)e(real-time)h
-(noti\002cations)f(indicating)f(that)i(an)g(address)-150
-1973 y(scan)31 b(is)h(underw)o(ay)-5 b(.)55 b(It)32 b(can)e(of)h
-(course)g(tak)o(e)g(additional)e(action,)-150 2073 y(too,)e(such)e(as)h
-(in)m(v)n(oking)e(via)i Fm(system\(\))e Fs(a)j(script)e(that)h(remo)o
-(v)o(es)-150 2172 y(the)20 b(attacking)f(site')-5 b(s)22
-b(connecti)n(vity)c(to)i(the)g(local)h(site)g(\()p Fi(x)f
-Fs(8\).)-67 2282 y(W)-7 b(e)60 b(detect)f(port)f(scanning)f(in)i(a)g
-(similar)g(f)o(ashion,)68 b(us-)-150 2381 y(ing)51 b
-Fm(distinct)p 413 2381 V 28 w(ports)p Fs(,)59 b(a)52
-b Fm(table[addr,)47 b(port])i(of)-150 2481 y(bool)24
-b Fs(inde)o(x)o(ed)e(by)i(source)g(address)g(and)g(destination)f(port)h
-(num-)-150 2581 y(ber)m(,)32 b(and)f(a)g(companion)d(table)j
-Fm(num)p 975 2581 V 29 w(distinct)p 1404 2581 V 28 w(ports)p
-Fs(,)i(and)-150 2680 y(again)28 b(generate)f(noti\002cations)h(as)h
-(the)g(distinct)f(port)g(count)g(for)g(a)-150 2780 y(gi)n(v)o(en)19
-b(address)h(crosses)g(dif)n(ferent)f(thresholds.)-67
-2889 y(Note)24 b(that)h(this)g(approach)d(does)i(not)h(ha)n(v)o(e)e(an)
-o(y)h(restrictions)g(on)-150 2989 y(the)j Fr(or)m(der)i
-Fs(in)e(which)f(addresses)h(or)f(ports)h(are)g(scanned,)g(nor)f(an)o(y)
--150 3089 y(particular)14 b(requirements)f(for)i(ho)n(w)f(quickly)g
-(the)o(y)h(are)g(scanned.)22 b(By)-150 3188 y(remo)o(ving)h(these)i
-(sorts)h(of)f(restrictions,)h(we)f(can)g(detect)g(not)g(only)-150
-3288 y(simple)30 b(brute-force)c(scans,)33 b(b)n(ut)c(also)h(some)f
-(forms)g(of)h(\223stealth\224)-150 3388 y(scanning,)19
-b(in)h(which)f(the)i(scan)f(is)h(done)e(slo)n(wly)h(across)g(a)h
-(random-)-150 3487 y(ized)f(list)h(of)f(addresses.)-67
-3597 y(There)c(are)h(tw)o(o)g(problems)e(with)i(the)g(approach,)e(ho)n
-(we)n(v)o(er)-5 b(.)22 b(First,)-150 3696 y(while)29
-b(the)g(abo)o(v)o(e)f(steps)h(do)g(indeed)f(detect)h(scanning)f(acti)n
-(vities,)-150 3796 y(the)o(y)17 b(also)h(generate)f(f)o(alse)h(hits,)g
-(because)g(some)f(services)h(naturally)-150 3896 y(result)25
-b(in)h(a)g(single)f(source)f(contacting)g(multiple)h(destination)f(ad-)
--150 3995 y(dresses)32 b(\(for)e(e)o(xample,)j(a)f(single)f(client)g
-(sur\002ng)g(multiple)g(W)-7 b(eb)-150 4095 y(serv)o(ers\),)36
-b(or)d(contacting)f(multiple)g(ports)h(on)g(the)h(same)f(remote)-150
-4195 y(host)24 b(\(an)g(FTP)g(serv)o(er)g(running)e(on)h(a)i
-(non-standard)c(port,)j(so)g(Bro)-150 4294 y(does)k(not)f(kno)n(w)g(to)
-i(track)e(its)i(POR)-5 b(T/P)d(ASV)30 b(directi)n(v)o(es)d(in)h(order)
--150 4394 y(to)j(associate)h(connections)d(on)h(ephemeral)g(ports)h
-(with)g(the)g(FTP)-150 4493 y(session\).)c(W)-7 b(e)22
-b(can)f(generally)f(deal)g(with)h(this)h(problem,)d(ho)n(we)n(v)o(er)m
-(,)-150 4593 y(by)e(introducing)e(some)j(additional)e(polic)o(y)h
-(elements)g(in)h(our)f(script,)-150 4693 y(such)25 b(as)g(a)h(list)g
-(of)f(services)g(which)f(we)h(should)f(ignore)g(when)g(up-)-150
-4792 y(dating)19 b(the)i(tables)f(to)g(re\003ect)h(ne)n(wly)e
-(attempted)g(connections.)-67 4902 y(The)28 b(second)f(dif)n(\002culty)
-f(concerns)h(consumption)e(of)j(memory)-5 b(.)-150 5001
-y(Depending)37 b(on)i(a)h(site')-5 b(s)41 b(traf)n(\002c)e(patterns,)44
-b(the)39 b(scan-detection)-150 5101 y(tables)j(can)g(gro)n(w)f(quite)g
-(lar)o(ge.)89 b(The)o(y)40 b(can)i(especially)f(gro)n(w)-150
-5201 y(lar)o(ge)34 b(if)i(an)f(attack)o(er)g(deliberately)f(tar)o(gets)
-h(them)g(as)h(a)g(w)o(ay)f(to)-150 5300 y(attempt)44
-b(to)g(compromise)e(the)i(monitor)f(via)h(an)g(o)o(v)o(erload)d(at-)
--150 5400 y(tack.)64 b(One)33 b(solution)g(for)g(addressing)f(this)h
-(problem)f(w)o(ould)h(be)2049 -104 y(to)c(introduce)e(the)j(notion)d
-(of)i(associating)g(timers)g(with)g(table)g(el-)2049
--5 y(ements.)60 b(W)m(ith)32 b(such)g(a)g(mechanism,)i(we)e(could,)i
-(for)d(e)o(xample,)2049 95 y(o)o(v)o(er)i(time)h(remo)o(v)o(e)e
-(elements)i(from)f Fm(distinct)p 3623 95 V 28 w(peers)h
-Fs(and)2049 194 y Fm(num)p 2204 194 V 29 w(distinct)p
-2633 194 V 29 w(peers)p Fs(.)73 b(Doing)36 b(so,)k(ho)n(we)n(v)o(er)m
-(,)e(trades)e(of)n(f)2049 294 y(reco)o(v)o(ering)22 b(resources)i
-(\(and)g(thus)h(impairing)e(an)i(attack)o(er')-5 b(s)25
-b(abil-)2049 394 y(ity)g(to)g(launch)f(an)h(o)o(v)o(erload)d(attack\))i
-(with)h(f)o(ailing)g(to)g(detect)f(slo)n(w)2049 493 y(stealth)d(scans.)
-2132 595 y(See)k Fi(x)g Fs(7.1)f(belo)n(w)f(for)h(a)h(brief)f
-(discussion)g(of)g(our)f(e)o(xperiences)2049 695 y(with)d
-(scan-detection.)2049 990 y Ft(7)119 b(Status)30 b(and)h(Experiences)
-2049 1180 y Fs(Bro)26 b(has)g(operated)f(continuously)e(since)k(April)e
-(1996)g(as)i(an)f(inte-)2049 1280 y(gral)i(part)g(of)h(our)e(site')-5
-b(s)30 b(security)e(system.)50 b(It)29 b(initially)f(included)2049
-1379 y(only)d(general)g(TCP/IP)i(analysis;)j(as)d(time)f(permitted,)g
-(we)h(added)2049 1479 y(the)c(additional)f(modules)g(discussed)g(in)i
-Fi(x)f Fs(6,)h(and)e(we)h(plan)g(to)g(add)2049 1579 y(man)o(y)h(more.)
-39 b(In)25 b(this)g(section)g(we)g(sk)o(etch)g(its)i(current)c(status)j
-(and)2049 1678 y(our)19 b(e)o(xperiences)g(with)h(operating)e(it.)2049
-1930 y Fh(7.1)99 b(Implementation)26 b(status)2049 2091
-y Fs(Presently)-5 b(,)26 b(the)g(implementation)d(is)j(about)f(27,000)f
-(lines)i(of)f(C++)2049 2190 y(and)e(another)f(3,200)g(lines)i(of)g
-Fm(Bro)f Fs(\(about)g(2,700)f(lines)i(of)f(which)2049
-2290 y(are)38 b(\223boilerplate\224)f(not)g(speci\002c)i(to)f(our)f
-(site\).)80 b(It)38 b(runs)g(under)2049 2389 y(Digital)33
-b(Unix,)h(FreeBSD,)f(Linux,)h(and)e(Solaris)h(operating)d(sys-)2049
-2489 y(tems.)57 b(W)-7 b(e)32 b(use)f(the)g Fr(autoconf)41
-b Fs(auto-con\002guration)27 b(tool)k(as)g(our)2049 2589
-y(main)20 b(mechanism)f(for)g(abetting)h(portability)-5
-b(.)2132 2691 y(Bro)58 b(is)h(publicly)d(a)n(v)n(ailable)i(in)g
-(source-code)d(form)i(\(see)2049 2791 y Fr(http://www-nr)m(g)o(.ee)o
-(.lbl.go)o(v/br)l(o-info.html)19 b Fs(for)k(release)i(informa-)2049
-2890 y(tion\),)34 b(though)d(the)h(current)f(release)h(is)h(of)f
-(\223alpha\224)f(quality)g(and)2049 2990 y(includes)19
-b(only)h(v)o(ery)f(limited)h(documentation.)2132 3092
-y(W)-7 b(e)32 b(hope)d(that)i(it)g(will)g(both)f(bene\002t)g(the)g
-(community)e(and)i(in)2049 3192 y(turn)22 b(bene\002t)h(from)e
-(community)g(ef)n(forts)h(to)h(enhance)e(it.)34 b(W)-7
-b(e)24 b(ha)n(v)o(e)2049 3291 y(set)c(up)f(a)g(mailing)g(list)h(for)f
-(discussion\227see)g(the)g(abo)o(v)o(e)e(W)-7 b(eb)20
-b(page)2049 3391 y(for)g(subscription)e(information.)2132
-3493 y(In)29 b(our)f(on-going)e(operations,)j(Bro)g(generates)f(about)f
-(85)i(MB)2049 3593 y(of)22 b(connection)f(summaries)h(each)h(day)-5
-b(,)22 b(and)g(around)f(40)h(real-time)2049 3692 y(noti\002cations,)28
-b(though)e(this)i(\002gure)f(v)n(aries)h(greatly)-5 b(.)45
-b(While)29 b(most)2049 3792 y(of)e(the)h(noti\002cations)e(are)i
-(innocuous)d(\(and)i(if)h(we)g(were)f(not)g(also)2049
-3892 y(de)n(v)o(elopers)21 b(of)h(the)h(system,)g(we)g(w)o(ould)g
-(suppress)f(these\),)h(we)g(not)2049 3991 y(infrequently)k(also)j
-(detect)f(break-in)f(attempts,)j(and)e(we)h(a)n(v)o(erage)2049
-4091 y(4\2265)15 b(address)h(and)f(port)g(scans)i(each)e(day)-5
-b(.)23 b(Operation)15 b(of)g(the)h(system)2049 4191 y(has)33
-b(resulted)f(so)g(f)o(ar)h(in)f(4,000)f(email)i(messages,)i(150)d
-(incident)2049 4290 y(reports)f(\002led)g(with)h(CIA)m(C)g(and)f(CER)-5
-b(T)f(,)32 b(a)g(number)d(of)j(accounts)2049 4390 y(deacti)n(v)n(ated)
-24 b(by)i(other)f(sites,)k(and)c(a)h(couple)f(incidents)h(in)m(v)n
-(olving)2049 4489 y(la)o(w)20 b(enforcement.)2049 4741
-y Fh(7.2)124 b(P)n(erf)n(ormance)2049 4902 y Fs(The)22
-b(system)h(generally)f(operates)g(without)g(incurring)e(an)o(y)i(pack)o
-(et)2049 5001 y(drops.)50 b(The)29 b(FDDI)g(ring)f(it)i(runs)f(on)f(is)
-i(f)o(airly)f(hea)n(vily)f(utilized:)2049 5101 y(a)e(January)-5
-b(,)26 b(1999)f(trace)h(of)f(a)i(14:30-15:30)22 b(b)n(usy)k(hour)f
-(re\003ects)h(a)2049 5201 y(traf)n(\002c)j(le)n(v)o(el)g(of)g(11,900)e
-(pack)o(ets/sec)i(\(34)g(Mbps\))f(sustained)h(for)2049
-5300 y(the)17 b(full)f(hour)m(,)g(with)h(peaks)f(of)h(18,000)e(pack)o
-(ets/sec.)23 b(Ho)n(we)n(v)o(er)m(,)16 b(the)2049 5400
-y(pack)o(et)i(\002lter)h(discards)f(a)h(great)f(deal)g(of)h(this,)g
-(both)e(due)h(to)h(\002ltering)1908 5649 y(17)p eop
-%%Page: 18 18
-18 17 bop -150 -104 a Fs(primarily)30 b(on)g(SYN,)i(FIN,)f(or)g(RST)h
-(control)e(bits,)k(and)c(because)-150 -5 y(only)f(about)g(20\045)g(of)g
-(the)h(traf)n(\002c)f(belongs)g(to)h(netw)o(orks)e(that)i(we)-150
-95 y(routinely)d(monitor)g(\(the)i(link)f(is)i(shared)e(with)h(a)g(lar)
-o(ge)f(neighbor)-150 194 y(institution\).)-67 296 y(T)-7
-b(o)24 b(test)h(the)f(system)g(under)e(stress,)k(we)e(ran)g(it)g(for)g
-(a)g(40)f(minute)-150 396 y(period)g(without)h(the)g(\223interesting)g
-(netw)o(orks\224)f(\002lter)m(,)j(resulting)d(in)-150
-495 y(a)j(much)e(higher)f(fraction)h(of)h(traf)n(\002c)g(accepted)f(by)
-h(the)g(pack)o(et)f(\002l-)-150 595 y(ter)-5 b(.)31 b(During)20
-b(this)j(period,)d(the)i(\002lter)h(accepted)d(an)i(a)n(v)o(erage)f(of)
-g(730)-150 694 y(pack)o(ets/sec,)36 b(with)d(peaks)g(o)o(v)o(er)e
-(1,200)h(pack)o(ets/sec,)j(and)e(with-)-150 794 y(out)20
-b(dropping)e(an)o(y)i(pack)o(ets.)25 b(The)c(monitor)e(system)h(uses)i
-(stripped)-150 894 y(disks)d(and)f(lar)o(ge)f(BPF)j(pack)o(et)e(b)n(uf)
-n(fers)f([RLSSL)-6 b(W97)o(])19 b(to)g(impro)o(v)o(e)-150
-993 y(performance.)-150 1242 y Fh(7.3)124 b(Crud)26 b(seen)f(on)h(a)e
-(DMZ)-150 1401 y Fs(An)k(important)e(and)h(sobering)g(aspect)g(of)h
-(our)f(operational)f(e)o(xpe-)-150 1501 y(rience)21 b(with)h(Bro)f(w)o
-(as)i(the)e(realization)g(of)g(ho)n(w)g(frequently)-5
-b(,)19 b(when)-150 1600 y(monitoring)c(a)j(lar)o(ge)f(v)n(olume)f(of)h
-(netw)o(ork)g(traf)n(\002c,)g(le)o(gitimate)g(\(i.e.,)-150
-1700 y(non-attacking\))23 b(traf)n(\002c)j(e)o(xhibits)f(abnormal)g
-(beha)n(vior)-5 b(.)42 b(W)-7 b(e)27 b(ha)n(v)o(e)-150
-1800 y(observ)o(ed)18 b(all)j(of)f(the)g(follo)n(wing:)-67
-1972 y Fi(\017)41 b Fs(\223Storms\224)23 b(of)g(10,000)f(FIN)h(or)h
-(RST)g(pack)o(ets,)g(in)f(which)g(due)16 2071 y(to)h(a)f(protocol)f
-(implementation)f(error)h(tw)o(o)i(hosts)g(e)o(xchange)16
-2171 y(FIN)d(or)e(RST)i(pack)o(ets)f(e)o(xtremely)f(rapidly)-5
-b(.)-67 2345 y Fi(\017)41 b Fs(Storms)20 b(due)g(to)g(foggy)f(days.)887
-2315 y Fn(4)-67 2519 y Fi(\017)41 b Fs(\223Pri)n(v)n(ate\224)19
-b(Internet)g(addresses)g([Re96)o(])h(leaking)f(out)g(into)h(the)16
-2618 y(public)39 b(Internet.)81 b(These)39 b(addresses)g(are)h
-(inherently)d(un-)16 2718 y(routable,)21 b(and)g(should)g(ne)n(v)o(er)g
-(be)h(used)g(by)f(a)i(public)e(Internet)16 2817 y(connection.)-67
-2991 y Fi(\017)41 b Fs(SYN)22 b(pack)o(ets)f(with)g(the)h(\223Ur)o
-(gent\224)d(bit)j(set.)29 b(F)o(or)21 b(SYN)h(pack-)16
-3091 y(ets,)f(setting)f(\223ur)o(gent\224)e(does)i(not)g(mak)o(e)g(an)o
-(y)g(sense,)g(since)h(the)16 3191 y(connection)c(is)k(not)e(yet)h
-(established)f(and)g(hence)g(cannot)f(pos-)16 3290 y(sibly)24
-b(ha)n(v)o(e)g(ur)o(gent)f(data)h(to)h(send.)37 b(Such)24
-b(pack)o(ets)g(are)g(prob-)16 3390 y(lematic,)e(ho)n(we)n(v)o(er)m(,)e
-(because)h(some)h(\002re)n(w)o(alls)g(and)g(monitors)16
-3489 y(that)29 b(are)g(not)f(carefully)f(coded)h(look)g(for)g(the)h(be)
-o(ginning)d(of)16 3589 y(connections)17 b(to)h(be)g(indicated)g(by)f
-(the)i(TCP)g(\223\003ags\224)f(\002eld)h(be-)16 3689
-y(ing)e(equal)h(to)f(the)h(SYN)g(\003ag,)g(rather)f(than)h(simply)f(ha)
-n(ving)g(the)16 3788 y(SYN)k(\003ag)g(set.)27 b(When)20
-b(the)h(Ur)o(gent)e(bit)i(is)g(set,)g(the)g(\002eld)f(is)i(no)16
-3888 y(longer)d Fr(equal)g Fs(to)i(the)f(SYN)h(\003ag.)-67
-4062 y Fi(\017)41 b Fs(TCPs)28 b(that)f(when)f(retransmitting)f(data)h
-(can)h(send)f(dif)n(ferent)16 4161 y(data)32 b(for)f(the)h(same)g
-(sequence)e(numbers)h(as)h(the)o(y)f(sent)i(the)16 4261
-y(\002rst)21 b(time.)-67 4435 y Fi(\017)41 b Fs(TCPs)18
-b(that)f(sometimes)f(ackno)n(wledge)e(receipt)i(of)g(data)h(ne)n(v)o
-(er)16 4535 y(sent.)-67 4708 y Fi(\017)41 b Fs(IP)20
-b(fragments)f(in)h(which)g(the)g(initial)g(fragment)e(is)j(v)o(ery)e
-(small)16 4808 y(and)24 b(the)g(\002nal)g(fragment)e(is)j(lar)o(ge.)36
-b(Such)23 b(fragments)g(can)h(be)16 4908 y(used)33 b(to)g(attempt)f(to)
-h(circumv)o(ent)e(\002re)n(w)o(alls)i(and)g(monitors)16
-5007 y(that)20 b(do)g(not)g(do)g(fragment)e(reassembly)-5
-b(.)p -150 5086 801 4 v -65 5140 a Fk(4)-30 5163 y Fp(One)20
-b(of)g(the)g(routers)h(on)f(our)g(DMZ)f(has)h(a)g(micro)n(w)o(a)o(v)o
-(e)i(link)f(to)f(a)g(peer)h(on)f(the)-150 5242 y(other)15
-b(side)g(of)f(San)g(Francisco)i(Bay)l(.)k(On)14 b(foggy)g(days,)h(this)
-g(link)g(sometimes)g(\223\003aps,)-5 b(\224)-150 5321
-y(leading)20 b(to)f(routing)g(loops)g(on)f(the)h(DMZ)e(in)i(which)g
-(sets)f(of)g(pack)o(ets)j(enter)e(routing)-150 5400 y(loops)f(and)f
-(cross)g(the)h(DMZ)e(10')l(s)h(or)g(100')l(s)h(of)f(times,)g(until)h
-(their)h(TTLs)c(e)o(xpire.)2132 -104 y Fi(\017)41 b Fs(Fragments)30
-b(with)h(the)g(\223Don')o(t)f(Fragment\224)g(bit)h(set.)58
-b(While)2215 -5 y(allo)n(wed)26 b(by)g(the)g(IP)h(standard,)g(it)g(is)h
-(dif)n(\002cult)d(to)i(en)m(vision)e(a)2215 95 y(situation)k(in)g
-(which)g(such)g(fragments)e(can)i(be)h(le)o(gitimately)2215
-194 y(constructed,)e(yet)f(we)h(do)f(indeed)g(see)h(them)f(on)h
-(clearly)f(in-)2215 294 y(nocuous)19 b(traf)n(\002c.)2132
-467 y Fi(\017)41 b Fs(Ov)o(erlapping)31 b(fragments,)36
-b(in)e(which)g(the)g(end)f(of)h(the)g(\002rst)2215 567
-y(fragment)21 b(is)j(common)d(with)i(the)g(be)o(ginning)d(of)j(the)g
-(second.)2215 666 y(Such)h(fragments)f(are)i(also)f(used)g(for)g
-(\223teardrop\224)f(denial-of-)2215 766 y(service)d(attacks.)2132
-939 y Fi(\017)41 b Fs(Ov)o(erlapping)36 b(fragments)g(for)i(which)f
-(the)i(tw)o(o)f(fragments)2215 1039 y(disagree)19 b(on)h(the)g
-(contents)g(of)g(the)g(o)o(v)o(erlapped)d(re)o(gion.)2049
-1210 y(W)-7 b(e)22 b(recount)d(these)i(pathologies)e(not)h(simply)g
-(because)g(it)i(is)f(some-)2049 1310 y(what)27 b(f)o(ascinating)g(to)g
-(see)h(what)f(a)h(broad)e(range)g(of)h(beha)n(vior)f(we)2049
-1410 y(can)i(observ)o(e)e(in)i(real)g(netw)o(ork)f(traf)n(\002c;)k(b)n
-(ut)d(also)g(for)g(the)g(impor)n(-)2049 1509 y(tant)33
-b(reason)g(that)g Fr(many)g(of)g(these)h(patholo)o(gies)d(look)i(very)h
-(sim-)2049 1609 y(ilar)i(to)f(g)o(enuine)f(attac)n(ks)p
-Fs(.)70 b(Thus,)38 b(the)d(di)n(v)o(ersity)f(of)h(le)o(gitimate)2049
-1708 y(netw)o(ork)28 b(traf)n(\002c,)j(including)c(the)i
-(implementation)e(errors)h(some-)2049 1808 y(times)22
-b(re\003ected)g(within)f(it,)i(leads)f(to)g(a)h(v)o(ery)d(real)i
-(problem)e(for)i(in-)2049 1908 y(trusion)h(detection,)g(namely)f
-(discerning)g(in)h(some)h(circumstances)2049 2007 y(between)k(a)i(true)
-f(attack)g(v)o(ersus)g(an)g(innocuous)e(implementation)2049
-2107 y(error)-5 b(.)46 b(F)o(or)27 b(e)o(xample,)g(it)i(can)e(be)g(e)o
-(xtremely)f(dif)n(\002cult)h(to)g(discern)2049 2207 y(between)18
-b(the)h(\223)p Fm(USER)49 b(nice)p Fs(\224)19 b(/)h(\223)p
-Fm(USER)49 b(root)p Fs(\224)18 b(subterfuge)f(at-)2049
-2306 y(tack)28 b(discussed)g(in)g Fi(x)g Fs(5.3,)h(and)e(a)i(brok)o(en)
-d(TCP)j(implementation)2049 2406 y(that)k(sometimes)f(retransmits)h
-(dif)n(ferent)e(te)o(xt)h(than)h(it)g(originally)2049
-2505 y(sent.)58 b(More)30 b(generally)-5 b(,)32 b(we)g(cannot)e(rely)g
-(on)h(\223clearly\224)f(brok)o(en)2049 2605 y(protocol)22
-b(beha)n(vior)g(as)i(de\002nitely)f(indicating)f(an)h(attack\227it)h(v)
-o(ery)2049 2705 y(well)f(may)f(simply)g(re\003ect)h(the)f(operation)f
-(of)h(an)g(incorrect)f(imple-)2049 2804 y(mentation)e(of)h(that)g
-(protocol.)2132 2906 y(W)-7 b(e)17 b(\002nish)g(our)e(discussion)h(by)f
-(noting)g(a)i(situation)f(that)g(does)g(not)2049 3005
-y(re\003ect)j(a)g(protocol)e(implementation)f(error)m(,)i(b)n(ut)g
-(rather)g(a)h(common)2049 3105 y(real-w)o(orld)14 b(problem,)g(one)h
-(that)h(greatly)f(complicates)f(monitoring.)2132 3206
-y(If)27 b(e)n(v)o(er)f(a)h(site')-5 b(s)29 b(netw)o(ork)c(topology)g
-(includes)h(multiple)h(paths)2049 3306 y(from)19 b(the)h(site)h(to)g
-(the)f(remainder)e(of)i(the)g(Internet,)f(then)g(the)i(moni-)2049
-3406 y(tor)g(may)f(observ)o(e)f(only)h(one)g(direction)g(of)g(a)i
-(connection,)c(because)2049 3505 y(the)27 b(traf)n(\002c)f(for)g(the)g
-(other)g(direction)f(transits)i(an)g(alternate)f(route.)2049
-3605 y(W)-7 b(e)35 b(term)f(this)h(situation)f(\223split)h(routing.)-6
-b(\224)65 b(\(In)34 b(the)g(Internet)f(at)2049 3705 y(lar)o(ge,)20
-b(asymmetric)g(routing)f(is)j(quite)f(common,)e(and)i(so)g(there)g(are)
-2049 3804 y(numerous)32 b(monitoring)f(points)j(that)g(suf)n(fer)f
-(from)g(split)h(routing)2049 3904 y([P)o(a97b)n(].)53
-b(Indi)n(vidual)27 b(sites,)33 b(ho)n(we)n(v)o(er)m(,)c(often)g(ha)n(v)
-o(e)f(full)i(control)2049 4003 y(o)o(v)o(er)19 b(whether)g(the)o(y)h
-(ha)n(v)o(e)g(multiple)f(Internet)g(connections.)24 b(Some)2049
-4103 y(pursue)e(multiple)g(connections)f(in)i(order)e(to)i(pro)o(vide)e
-(redundanc)o(y)2049 4203 y(in)f(their)g(connecti)n(vity)e(to)j(protect)
-e(against)h(occasional)f(outages.\))2132 4304 y(Split)28
-b(routing)d(can,)k(of)e(course,)g(lead)h(to)f(the)g(monitor)f(missing)
-2049 4404 y(attacks)e(entirely)f(because)g(it)h(ne)n(v)o(er)f(sees)h
-(the)g(traf)n(\002c)f(correspond-)2049 4503 y(ing)h(to)g(the)f(attack.)
-36 b(Ev)o(en)23 b(if)h(a)g(site)h(runs)f(multiple)f(monitors,)g(one)
-2049 4603 y(per)e(Internet)f(link,)i(a)f(subtle)h(problem)d(remains:)28
-b(the)21 b(split)h(routing)2049 4703 y(can)16 b(defeat)f(precautions)g
-(tak)o(en)g(by)h(the)g(monitor)f(because)g(it)i(can)f(no)2049
-4802 y(longer)f(assume)g(that)h(it)h(sees)g(traf)n(\002c)e(from)g(at)i
-(least)f(one)f(trustw)o(orthy)2049 4902 y(endpoint)22
-b(for)h(each)g(connection.)33 b(So,)24 b(for)f(e)o(xample,)g(the)g
-(monitor)2049 5001 y(loses)i(the)g(ability)g(to)g(determine)e(when)h
-(it)i(can)e(safely)h(discard)f(in-)2049 5101 y(sequence)i(data.)45
-b(Consequently)-5 b(,)26 b(unless)h(the)g(multiple)f(monitors)2049
-5201 y(communicate)19 b(with)j(one)e(another)g(concerning)f(connection)
-g(state,)2049 5300 y(an)g(attack)o(er)f(who)g(disco)o(v)o(ers)g(a)h
-(split-route)e(can)i(e)o(xploit)f(it)h(to)g(elude)2049
-5400 y(the)h(monitor)-5 b(.)1908 5649 y(18)p eop
-%%Page: 19 19
-19 18 bop -67 -104 a Fs(F)o(ortunately)-5 b(,)37 b(split)f(routing)e
-(is)j(at)f(least)g(easy)g(to)g(detect,)j(be-)-150 -5
-y(cause)32 b(the)g(monitor)e(observ)o(es)h(a)h(connection)e
-(transmitting)g(uni-)-150 95 y(directional)d(traf)n(\002c)h(without)f
-(ha)n(ving)g(\002rst)i(completed)e(the)h(initial)-150
-194 y(three-w)o(ay)17 b(SYN)h(handshak)o(e.)23 b(Whene)n(v)o(er)16
-b(Bro)i(detects)g(split)h(rout-)-150 294 y(ing,)h(it)h(generates)e(an)h
-(e)n(v)o(ent)f(announcing)e(the)j(problem.)-150 569 y
-Ft(8)119 b(Futur)n(e)31 b(dir)n(ections)-150 755 y Fs(In)16
-b(addition)g(to)g(de)n(v)o(eloping)e(more)i(application)f(analysis)i
-(modules,)-150 854 y(we)42 b(see)h(a)f(number)e(of)h(a)n(v)o(enues)g
-(for)g(future)g(w)o(ork.)89 b(As)42 b(dis-)-150 954 y(cussed)36
-b(abo)o(v)o(e,)h(compiling)e Fm(Bro)g Fs(scripts)h(and,)j(especially)-5
-b(,)39 b(de-)-150 1054 y(vising)f(mechanisms)f(to)h(distrib)n(ute)f
-(monitoring)f(across)i(multi-)-150 1153 y(ple)e(hosts)f(of)n(fer)g(the)
-g(promise)g(of)g(increasing)g(monitoring)e(per)n(-)-150
-1253 y(formance.)39 b(W)-7 b(e)27 b(are)e(also)h(v)o(ery)f(interested)g
-(in)g(e)o(xtending)f(BPF)i(to)-150 1353 y(better)c(support)e
-(monitoring,)g(such)i(as)h(adding)e(lookup)f(tables)i(and)-150
-1452 y(v)n(ariable-length)17 b(snapshots.)-67 1552 y(Another)f
-(interesting)g(direction)g(is)i(adding)e(\223teeth\224)h(to)g(the)h
-(mon-)-150 1651 y(itoring)i(in)h(the)f(form)g(of)h(acti)n(v)o(ely)e
-(terminating)h(misbeha)n(ving)e(con-)-150 1751 y(nections)h(by)g
-(sending)g(RST)h(pack)o(ets)g(to)g(their)f(endpoints,)f(or)h(com-)-150
-1851 y(municating)c(with)h(intermediary)f(routers,)h(as)h(some)f
-(commercially)-150 1950 y(a)n(v)n(ailable)27 b(monitors)g(already)f
-(do.)48 b(W)-7 b(e)28 b(ha)n(v)o(e)g(implemented)d(both)-150
-2050 y(of)20 b(these)g(for)g(Bro)g(and)g(are)g(no)n(w)g(e)o
-(xperimenting)d(with)k(their)f(ef)n(fec-)-150 2150 y(ti)n(v)o(eness.)31
-b(The)22 b(ability)g(to)h(ask)f(a)h(router)e(to)i(drop)e(traf)n(\002c)h
-(in)m(v)n(olving)-150 2249 y(a)i(particular)d(address)i(has)g(already)g
-(pro)o(v)o(en)d(e)o(xtremely)i(useful,)h(as)-150 2349
-y(it)h(greatly)f(limits)h(the)g(information)d(that)j(attack)o(ers)f
-(can)h(gather)e(by)-150 2449 y(scanning)29 b(our)h(site;)37
-b(once)30 b(Bro)g(recognizes)f(a)i(scan,)i(it)f(instructs)-150
-2548 y(the)i(border)f(router)g(to)h(drop)f(an)o(y)g(further)g(traf)n
-(\002c)h(in)m(v)n(olving)e(the)-150 2648 y(gi)n(v)o(en)24
-b(site.)39 b(Some)25 b(open)e(issues)j(with)f(this)h(form)d(of)i
-(reaction)f(are)-150 2747 y(the)e(impact)g(on)h(router)e(performance)e
-(as)24 b(the)e(number)f(of)h(such)g(\002l-)-150 2847
-y(ters)e(increases,)g(and)f(attack)o(ers)h(for)o(ging)d(traf)n(\002c)j
-(from)e(remote)h(sites)-150 2947 y(to)27 b(mislead)f(Bro)h(into)f
-(dropping)f(them,)i(as)h(a)f(form)e(of)i(denial-of-)-150
-3046 y(service)20 b(attack.)-67 3146 y(More)34 b(generally)-5
-b(,)36 b(ho)n(we)n(v)o(er)m(,)g(we)f(ha)n(v)o(e)f(found)f(our)h(f)o
-(airly)h(in-)-150 3246 y(depth)29 b(consideration)f(of)h(the)h(problem)
-f(of)g(attacks)h(on)g(monitors)-150 3345 y(\()p Fi(x)i
-Fs(5\))g(sobering.)59 b(Some)31 b(forms)h(of)f(subterfuge)f(attacks)i
-(are)g(e)o(x-)-150 3445 y(tremely)41 b(dif)n(\002cult)g(to)h(defend)e
-(against,)46 b(and)41 b(we)h(belie)n(v)o(e)f(it)i(is)-150
-3544 y(ine)n(vitable)33 b(that)h(attack)o(ers)g(will)h(de)n(vise)e(and)
-h(share)f(toolkits)h(for)-150 3644 y(launching)16 b(such)h(attacks.)25
-b(This)18 b(in)g(turn)f(suggests)h(three)f(important)-150
-3744 y(areas)i(for)g(research)f(into)h(intrusion)f(detection:)24
-b Fr(\(i\))19 b Fs(further)f(e)o(xplor)n(-)-150 3843
-y(ing)28 b(the)g(notion)f(of)h(\223bifurcating)f(analysis\224)h
-(discussed)g(in)g Fi(x)h Fs(5.3;)-150 3943 y Fr(\(ii\))24
-b Fs(studying)f(the)h(notion)f(of)h(traf)n(\002c)g(\223normalizers\224)
-e(that)j(remo)o(v)o(e)-150 4043 y(ambiguities)g(from)f(traf)n(\002c)h
-(streams)h(\(one)f(such)g(normalizer)f(is)j(an)-150 4142
-y(\223in-the-loop\224)16 b(monitor)m(,)i(one)g(that)h(must)g(appro)o(v)
-o(e)e(the)i(forw)o(arding)-150 4242 y(of)d(an)o(y)f(pack)o(et)h(it)g
-(recei)n(v)o(es\);)h(and)e Fr(\(iii\))h Fs(inte)o(grating)e(into)i(the)
-g(system)-150 4341 y(monitor)27 b(\223sensors\224)g(that)i(run)e(on)g
-(the)i(end)e(hosts.)49 b(Such)28 b(sensors)-150 4441
-y(can)16 b(analyze)f(netw)o(ork)g(traf)n(\002c)h(at)g(a)h(suf)n
-(\002ciently)e(high)g(layer)h(in)g(their)-150 4541 y(host')-5
-b(s)19 b(netw)o(ork)e(stack)i(where)e(ambiguities)h(about)f(ho)n(w)h
-(the)h(traf)n(\002c)-150 4640 y(will)32 b(be)f(interpreted)e(ha)n(v)o
-(e)i(already)f(been)g(resolv)o(ed.)56 b(Our)31 b(near)n(-)-150
-4740 y(term)22 b(research)f(is)j(focussing)d(on)h(the)g(second)f(of)h
-(these,)h(e)o(xploring)-150 4840 y(the)d(issues)h(associated)f(with)h
-(b)n(uilding)e(traf)n(\002c)g(normalizers.)-150 5115
-y Ft(9)119 b(Ackno)o(wledgements)-150 5300 y Fs(W)-7
-b(e)17 b(gratefully)d(ackno)n(wledge)g(Digital)i(Equipment)d
-(Corporation')-5 b(s)-150 5400 y(W)e(estern)17 b(Research)f(Laboratory)
-e(for)i(contrib)n(uting)e(the)i(Alpha)g(sys-)2049 -104
-y(tem)24 b(that)g(made)f(de)n(v)o(eloping)e(and)i(operating)f(Bro)i(at)
-h(high)e(speeds)2049 -5 y(possible.)30 b(I)22 b(w)o(ould)f
-(particularly)f(lik)o(e)i(to)g(thank)f(Jef)n(f)h(Mogul,)f(who)2049
-95 y(w)o(as)26 b(instrumental)f(in)g(arranging)f(this)i(through)d(WRL)
--8 b(')j(s)28 b(External)2049 194 y(Research)20 b(Program.)2132
-294 y(Man)o(y)49 b(thanks,)57 b(too,)h(to)50 b(Craig)g(Leres.)116
-b(Bro)50 b(has)h(bene-)2049 394 y(\002ted)32 b(greatly)e(from)h(man)o
-(y)f(discussions)h(with)h(him.)59 b(Craig)31 b(also)2049
-493 y(wrote)i(the)g(calendar)e(queue)h(and)h(non-blocking)c(DNS)34
-b(routines)2049 593 y(discussed)e(in)g Fi(x)h Fs(4.)61
-b(Along)31 b(with)h(Craig)h(Leres,)i(I')l(d)c(lik)o(e)h(to)h(ac-)2049
-693 y(kno)n(wledge)19 b(the)j(on-going)c(feedback)i(I)i(recei)n(v)o(e)e
-(from)g(Craig)i(Lant)2049 792 y(and)f(P)o(artha)h(Banerjee)f(on)h(the)f
-(daily)h(operation)e(of)h(Bro,)i(and)e(their)2049 892
-y(ef)n(forts)e(at)i(analyzing)e(security)g(incidents)h(detected)f(by)h
-(Bro.)2132 991 y(My)29 b(appreciation)e(to)i(Scott)g(Denton,)h(John)f
-(Antonishek,)g(and)2049 1091 y(man)o(y)20 b(others)h(for)g
-(alpha-testing)f(Bro)i(and)f(contrib)n(uting)e(portabil-)2049
-1191 y(ity)h(\002x)o(es)h(and)e(other)h(enhancements.)2132
-1290 y(Finally)-5 b(,)41 b(this)d(w)o(ork)e(w)o(ould)h(not)g(ha)n(v)o
-(e)f(been)h(possible)g(with-)2049 1390 y(out)f(the)g(support)f(and)h
-(enthusiasm)f(of)h(Mark)g(Rosenber)o(g,)i(V)-9 b(an)2049
-1490 y(Jacobson,)39 b(Jim)h(Rothfuss,)k(Stu)c(Lok)o(en)f(and)g(Da)n(v)o
-(e)h(Ste)n(v)o(ens\227)2049 1589 y(much)19 b(appreciated!)2049
-1869 y Ft(A)120 b(Example:)36 b(tracking)31 b(Finger)g(traf\002c)2049
-2055 y Fs(In)d(this)i(appendix)c(we)k(gi)n(v)o(e)d(an)i(o)o(v)o(ervie)n
-(w)e(of)h(ho)n(w)g(the)h(dif)n(ferent)2049 2155 y(elements)19
-b(of)g(Bro)h(come)f(together)f(for)h(monitoring)e(Finger)i(traf)n
-(\002c.)2049 2254 y(F)o(or)27 b(the)g(e)n(v)o(ent)f(engine,)h(we)h(ha)n
-(v)o(e)e(a)i(C++)f(class)h Fm(FingerConn)p Fs(,)2049
-2354 y(deri)n(v)o(ed)17 b(from)h(the)h(general-purpose)d
-Fm(TCP)p 3326 2354 25 4 v 29 w(Connection)i Fs(class.)2049
-2453 y(When)f(Bro)h(encounters)d(a)j(ne)n(w)f(connection)e(with)j
-(service)f(port)f(79,)2049 2553 y(it)j(instantiates)f(a)h
-(corresponding)14 b Fm(FingerConn)j Fs(object,)h(instead)2049
-2653 y(of)24 b(a)g Fm(TCP)p 2359 2653 V 30 w(Connection)f
-Fs(object)g(as)i(it)g(w)o(ould)e(for)h(an)g(unrecog-)2049
-2752 y(nized)c(port.)2132 2852 y Fm(FingerConn)129 b
-Fs(rede\002nes)h(the)h(virtual)f(function)2049 2952 y
-Fm(BuildEndpoints)p Fs(,)29 b(which)g(is)i(in)m(v)n(ok)o(ed)c(when)i(a)
-h(connection)2049 3051 y(object)20 b(is)h(\002rst)g(created:)2049
-3213 y Ff(void)39 b(FingerConn::BuildEndpoints\(\))2169
-3292 y({)2169 3371 y(resp)g(=)h(new)f(TCP_EndpointLine\(this,)d(1,)k
-(0,)g(1\);)2169 3449 y(orig)f(=)h(new)f(TCP_EndpointLine\(this,)d(0,)k
-(0,)g(1\);)2169 3528 y(})2049 3711 y Fs(Here,)70 b Fm(resp)p
-Fs(,)g(corresponding)57 b(to)k(the)f(responder)f(\(Finger)2049
-3810 y(serv)o(er\))28 b(side)i(of)f(the)g(connection,)g(is)h
-(initialized)f(to)h(an)f(ordinary)2049 3910 y Fm(TCP)p
-2204 3910 V 29 w(Endpoint)i Fs(object,)i(because)e(Bro)g(does)g(not)g
-(\(presently\))2049 4010 y(look)20 b(inside)h(Finger)f(replies.)27
-b(But)21 b Fm(orig)p Fs(,)g(the)f(Finger)h(client)f(side,)2049
-4109 y(and)g Fm(resp)p Fs(,)h(the)f(responder)f(\(Finger)h(serv)o(er\))
-f(side)i(of)g(the)f(connec-)2049 4209 y(tion)31 b(are)h(both)f
-(initialized)g(to)h Fm(TCP)p 3140 4209 V 29 w(EndpointLine)e
-Fs(objects,)2049 4308 y(which)23 b(means)g(Bro)g(will)h(track)f(the)g
-(contents)g(of)g(each)g(side)h(of)f(the)2049 4408 y(connection,)g(and,)
-h(furthermore,)d(deli)n(v)o(er)i(the)h(contents)f(in)h(a)h(line-)2049
-4508 y(oriented)19 b(f)o(ashion)h(to)h Fm(FingerConn)p
-Fs(')-5 b(s)19 b(virtual)h Fm(NewLine)g Fs(func-)2049
-4607 y(tion:)2049 4769 y Ff(int)39 b
-(FingerConn::NewLine\(TCP_Endpoint*)c(/*)40 b(s)g(*/,)2806
-4848 y(double)f(/*)h(t)f(*/,)h(char*)f(line\))2169 4927
-y({)2169 5006 y(line)g(=)h(skip_whitespace\(line\);)2169
-5163 y(//)f(Check)g(for)h(/W.)2169 5242 y(int)f(is_long)g(=)g
-(\(line[0])g(==)h('/')f(&&)2766 5321 y(toupper\(line[1]\))f(==)h
-('W'\);)2169 5400 y(if)g(\()h(is_long)f(\))1908 5649
-y Fs(19)p eop
-%%Page: 20 20
-20 19 bop 89 -104 a Ff(line)39 b(=)h(skip_whitespace\(line+2\);)-30
-53 y(val_list*)e(vl)i(=)f(new)h(val_list;)-30 132 y
-(vl->append\(BuildConnVal\(\)\);)-30 211 y(vl->append\(new)d
-(StringVal\(line\)\);)-30 290 y(vl->append\(new)g(Val\(is_long,)h
-(TYPE_BOOL\)\);)-30 448 y(mgr.QueueEvent\(finger_request,)d(vl\);)-30
-526 y(return)k(0;)-30 605 y(})-150 773 y Fs(\(F)o(or)89
-b(bre)n(vity)-5 b(,)104 b(we)90 b(sho)n(w)f Fm(NewLine)f
-Fs(only)h(for)g(the)-150 872 y Fm(finger)p 155 872 25
-4 v 29 w(request)66 b Fs(case.\))165 b Fm(NewLine)66
-b Fs(skips)i(whites-)-150 972 y(pace)29 b(in)g(the)g(request,)i(scans)e
-(it)h(for)e(the)i(\223)p Fm(/W)p Fs(\224)f(indicator)e(\(which)-150
-1072 y(requests)18 b(v)o(erbose)f(Finger)g(output\),)g(and)h(mo)o(v)o
-(es)f(past)h(it)h(if)f(present.)-150 1171 y(It)34 b(then)f(creates)h(a)
-h Fm(val)p 604 1171 V 29 w(list)f Fs(object,)i(which)d(holds)h(a)g
-(list)h(of)-150 1271 y(generic)i(Bro)h Fm(Val)g Fs(objects.)78
-b(The)38 b(\002rst)g(of)g(these)g(is)h(assigned)-150
-1371 y(to)i(a)g(generic)f(connection-identi\002er)d(v)n(alue)j(\(see)g
-(belo)n(w\);)51 b(the)-150 1470 y(second,)39 b(to)d(a)g(Bro)g
-Fm(string)f Fs(containing)f(the)i(Finger)f(request,)-150
-1570 y(and)41 b(the)h(third)f(to)h(a)h Fm(bool)e Fs(indicating)g
-(whether)f(the)i(request)-150 1669 y(w)o(as)37 b(v)o(erbose)e(or)h
-(not.)74 b(The)36 b(penultimate)f(line)h(queues)g(a)h(ne)n(w)-150
-1769 y Fm(finger)p 155 1769 V 29 w(request)k Fs(e)n(v)o(ent)f(with)i
-(the)f(corresponding)d(list)43 b(of)-150 1869 y(v)n(alues)28
-b(as)h(ar)o(guments;)h(\002nally)-5 b(,)29 b Fm(return)49
-b(0)28 b Fs(indicates)g(that)h(the)-150 1968 y Fm(FingerConn)22
-b Fs(is)i(all)f(done)f(with)h(the)g(memory)f(associated)g(with)-150
-2068 y Fm(line)34 b Fs(\(since)h Fm(new)49 b(StringVal\(line\))32
-b Fs(made)i(a)h(cop)o(y)f(of)-150 2168 y(it\),)20 b(so)h(that)f(memory)
-f(can)h(be)g(reclaimed)f(by)h(the)g(caller)-5 b(.)-67
-2267 y(The)34 b(connection)f(identi\002er)h(discussed)g(abo)o(v)o(e)f
-(is)j(de\002ned)d(in)-150 2367 y(Bro)20 b(as)h(a)g(\223)p
-Fm(connection)p Fs(\224)d(record:)-150 2514 y Ff(type)39
-b(endpoint:)g(record)g({)-30 2592 y(size:)g(count;)g(state:)g(count;)
--150 2671 y(};)-150 2750 y(type)g(connection:)f(record)h({)-30
-2829 y(id:)g(conn_id;)-30 2908 y(orig:)g(endpoint;)f(resp:)h(endpoint;)
--30 2987 y(start_time:)f(time;)-30 3066 y(duration:)g(interval;)-30
-3145 y(service:)g(string;)89 3223 y(#)i(if)f(empty,)g(service)g(not)h
-(yet)f(determined)-30 3302 y(addl:)g(string;)-30 3381
-y(hot:)g(count;)89 3460 y(#)h(how)f(hot;)g(0)h(=)g(don't)f(know)g(or)h
-(not)f(hot)-150 3539 y(};)-150 3706 y Fs(The)19 b Fm(id)h
-Fs(\002eld)g(is)g(a)g Fm(conn)p 624 3706 V 30 w(id)f
-Fs(record,)f(discussed)i(in)g Fi(x)g Fs(3.1.)k Fm(orig)-150
-3806 y Fs(and)29 b Fm(resp)h Fs(correspond)d(to)j(the)g(connection)e
-(originator)g(and)h(re-)-150 3906 y(sponder)m(,)22 b(each)h(a)h(Bro)f
-Fm(endpoint)f Fs(record)g(consisting)h(of)g Fm(size)-150
-4005 y Fs(\(the)c(number)f(of)i(bytes)g(transferred)d(by)j(that)g
-(endpoint)e(so)i(f)o(ar\))f(and)-150 4105 y Fm(state)p
-Fs(,)38 b(the)c(endpoint')-5 b(s)33 b(TCP)j(state)f(\(e.g.,)i(SYN)e
-(sent,)k(estab-)-150 4204 y(lished,)26 b(closed\).)40
-b(This)25 b(latter)h(w)o(ould)e(be)h(better)g(e)o(xpressed)f(using)-150
-4304 y(an)j(enumerated)e(type)i(\(rather)f(than)g(a)i
-Fm(count)p Fs(\),)g(which)f(we)g(may)-150 4404 y(add)20
-b(to)g(Bro)g(in)h(the)f(future.)-67 4503 y(The)36 b Fm(start)p
-354 4503 V 29 w(time)g Fs(\002eld)h(re\003ects)g(when)f(the)g
-(connection')-5 b(s)-150 4603 y(\002rst)21 b(pack)o(et)f(w)o(as)h
-(seen,)f(and)g Fm(duration)g Fs(ho)n(w)f(long)h(the)g(connec-)-150
-4703 y(tion)k(has)h(e)o(xisted.)38 b Fm(service)24 b
-Fs(corresponds)e(to)j(the)f(name)g(of)h(the)-150 4802
-y(service,)h(or)f(an)g(empty)f(string)h(if)g(it)h(has)g(not)f(been)f
-(identi\002ed.)39 b(By)-150 4902 y(con)m(v)o(ention,)33
-b Fm(addl)g Fs(holds)f(additional)g(information)f(associated)-150
-5001 y(with)e(the)g(connection;)i(better)d(than)h(a)g
-Fm(string)f Fs(here)h(w)o(ould)f(be)-150 5101 y(some)16
-b(sort)g(of)g(union)f(or)h(generic)f(type,)i(if)f(Bro)h(supported)d
-(such.)23 b(Fi-)-150 5201 y(nally)-5 b(,)18 b(by)h(con)m(v)o(ention)d
-(the)k(polic)o(y)e(script)h(increments)f Fm(hot)i Fs(when-)-150
-5300 y(e)n(v)o(er)g(it)i(\002nds)f(something)f(potentially)g
-(suspicious)g(about)g(the)h(con-)-150 5400 y(nection.)2132
--104 y(Here)f(is)h(the)f(corresponding)d(polic)o(y)i(script:)2049
-33 y Ff(global)39 b(hot_names)f(=)i({)g("root",)f("lp",)g("uucp")g(};)
-2049 111 y(global)g(finger_log)f(=)2169 190 y(open\(getenv\("BRO_ID"\))
-e(==)k("")f(?)2368 269 y("finger.log")f(:)2368 348 y
-(fmt\("finger.\045s",)f(getenv\("BRO_ID"\)\)\);)2049
-506 y(event)i(finger_request\(c:connection,)2886 585
-y(request:)g(string,)2886 664 y(full:)g(bool\))2169 742
-y({)2169 821 y(if)g(\()h(byte_len\(request\))d(>)j(80)f(\))h({)2288
-900 y(request)f(=)h(fmt\("\045s...",)2846 979 y(sub_bytes\(request,)d
-(1,)j(80\)\);)2288 1058 y(++c$hot;)2169 1137 y(})2169
-1216 y(if)f(\()h(request)f(in)g(hot_names)g(\))2288 1295
-y(++c$hot;)2169 1452 y(local)g(req)g(=)h(request)f(==)g("")h(?)2288
-1531 y("ANY")f(:)h(fmt\("\\"\045s\\"",)e(request\);)2169
-1610 y(if)h(\()h(c$addl)f(!=)g("")h(\))2288 1689 y(#)g(This)f(is)h(an)f
-(additional)g(request.)2288 1768 y(req)h(=)f(fmt\("\(\045s\)",)f
-(req\);)2169 1847 y(if)h(\()h(full)f(\))2288 1925 y(req)h(=)f
-(fmt\("\045s)g(\(/W\)",)g(req\);)2169 2083 y(local)g(msg)g(=)h
-(fmt\("\045s)f(>)g(\045s)h(\045s",)2806 2162 y(c$id$orig_h,)2806
-2241 y(c$id$resp_h,)2806 2320 y(req\);)2169 2399 y(if)f(\()h(c$hot)f(>)
-h(0)f(\))2288 2478 y(log)h(fmt\("finger:)e(\045s",)h(msg\);)2169
-2556 y(print)g(finger_log,)2408 2635 y(fmt\("\045.6f)f(\045s",)h
-(c$start_time,)f(msg\);)2169 2793 y(c$addl)h(=)g(c$addl)g(==)h("")f(?)
-2527 2872 y(req)h(:)f(fmt\("*\045s,)g(\045s",)g(c$addl,)g(req\);)2169
-2951 y(})2049 3109 y Fs(The)28 b(global)f Fm(hot)p 2598
-3109 V 30 w(names)h Fs(is)h(a)g(Bro)f Fm(set)h Fs(of)f
-Fm(string)p Fs(.)48 b(In)29 b(the)2049 3208 y(ne)o(xt)22
-b(line,)i Fm(finger)p 2689 3208 V 29 w(log)f Fs(is)g(initialized)g(to)g
-(a)h(Bro)f Fm(file)p Fs(,)g(either)2049 3308 y(named)f(\223\002nger)-5
-b(.log\224,)23 b(or)m(,)g(if)h(the)f Fm(BRO)p 3196 3308
-V 30 w(ID)g Fs(en)m(vironment)e(v)n(ariable)2049 3407
-y(is)g(set,)g(to)f(a)h(name)f(deri)n(v)o(ed)e(from)h(it)i(using)f(the)g
-(b)n(uilt-in)g Fm(fmt)g Fs(func-)2049 3507 y(tion.)2132
-3607 y(The)28 b Fm(finger)p 2595 3607 V 29 w(request)g
-Fs(e)n(v)o(ent)g(handler)f(follo)n(ws.)50 b(It)29 b(tak)o(es)2049
-3706 y(three)h(ar)o(guments,)i(corresponding)27 b(to)k(the)g(v)n(alues)
-g(added)e(to)j(the)2049 3806 y Fm(val)p 2204 3806 V 29
-w(list)24 b Fs(abo)o(v)o(e.)34 b(It)24 b(\002rst)h(checks)e(whether)g
-(the)g(request)h(is)g(e)o(x-)2049 3906 y(cessi)n(v)o(ely)15
-b(long,)h(and,)f(if)h(so,)h(truncates)e(it)h(and)f(increments)g(the)h
-Fm(hot)2049 4005 y Fs(\002eld)21 b(of)g(the)g(connection')-5
-b(s)19 b(information)g(record.)25 b(\(The)c(Bro)g(b)n(uilt-)2049
-4105 y(in)j(functions)f(used)h(here)g(are)g(named)g(in)g(terms)g(of)h
-(\223bytes\224)e(rather)2049 4204 y(than)16 b(\223string\224)g(because)
-f(the)o(y)h(mak)o(e)g(no)g(assumptions)f(about)h(NUL-)2049
-4304 y(termination)k(of)i(their)g(ar)o(guments;)e(in)i(particular)m(,)f
-Fm(byte)p 3762 4304 V 29 w(len)h Fs(re-)2049 4404 y(turns)g(the)h
-(length)f(of)h(its)h(ar)o(gument)c(including)h(a)i(\002nal)g(NUL)g
-(byte,)2049 4503 y(if)d(present.\))2132 4603 y(Ne)o(xt,)32
-b(the)e(script)g(checks)f(whether)g(the)h(request)f(corresponds)2049
-4703 y(to)e(an)o(y)e(of)h(the)h(entries)f(in)h(the)f
-Fm(hot)p 3134 4703 V 30 w(names)g Fs(set.)44 b(If)26
-b(so,)i(it)g(again)2049 4802 y(marks)20 b(the)g(connection)e(as)j
-(\223hot.)-6 b(\224)2132 4902 y(W)f(e)25 b(then)e(initialize)g(the)h
-(local)f(v)n(ariable)f Fm(req)i Fs(to)f(a)h(quoted)e(v)o(er)n(-)2049
-5001 y(sion)17 b(of)h(the)f(request;)h(or)m(,)f(if)h(the)g(request)e(w)
-o(as)j(empty)d(\(which)h(in)h(the)2049 5101 y(Finger)25
-b(protocol)g(indicates)g(a)i(request)e(type)h(of)f(\223)-7
-b(ANY\224\),)26 b(then)g(it)2049 5201 y(is)21 b(changed)e(to)h(\223)-7
-b(ANY\224.)2132 5300 y(The)19 b(e)n(v)o(ent)g(handler)g(stores)h(the)f
-(Finger)g(request)h(in)f(the)h(connec-)2049 5400 y(tion)g(record')-5
-b(s)19 b Fm(addl)h Fs(\002eld)g(\(see)h(belo)n(w\),)e(so)h(the)g(ne)o
-(xt)g(line)g(checks)1908 5649 y(20)p eop
-%%Page: 21 21
-21 20 bop -150 -104 a Fs(to)30 b(see)g(whether)f(this)h(\002eld)g
-(already)f(contains)g(a)h(request.)53 b(If)29 b(so,)-150
--5 y(then)19 b(we)h(are)g(seeing)f(multiple)g(requests)h(for)f(a)h
-(single)f(Finger)g(con-)-150 95 y(nection.)30 b(This)23
-b(is)g(not)f(allo)n(wed)g(by)f(the)i(Finger)e(protocol,)g(b)n(ut)h
-(that)-150 194 y(doesn')o(t)28 b(mean)h(we)g(w)o(on')o(t)g(see)h(them!)
-52 b(In)29 b(particular)m(,)g(we)h(might)-150 294 y(imagine)23
-b(a)i(subterfuge)d(attack)i(in)g(which)g(an)g(attack)o(er)f(queries)h
-(an)-150 394 y(innocuous)h(name)h(in)h(their)g(\002rst)h(request,)g
-(and)e(a)h(sensiti)n(v)o(e)g(name)-150 493 y(in)i(their)f(second,)h
-(and)f(depending)d(on)j(ho)n(w)g(the)h(\002nger)e(serv)o(er)h(is)-150
-593 y(written,)g(it)g(may)e(well)h(respond)f(to)h(both.)1102
-563 y Fn(5)1183 593 y Fs(This)g(script)g(will)g(still)-150
-693 y(catch)g(such)g(use,)i(since)f(it)g(fully)f(processes)g(each)g
-(request;)j(b)n(ut)e(it)-150 792 y(needs)21 b(to)g(be)g(careful)f(to)i
-(k)o(eep)e(the)i(global)e(state)i(corresponding)17 b(to)-150
-892 y(the)30 b(connection)e(\(in)i(the)g Fm(addl)f Fs(\002eld\))h
-(complete.)54 b(T)-7 b(o)30 b(do)f(so,)k(it)-150 991
-y(marks)21 b(additional)f(requests)h(by)g(enclosing)f(them)h(in)h
-(parentheses,)-150 1091 y(and)31 b(also)g(prepends)e(an)i(asterisk)h
-(to)f(the)g(entire)g Fm(addl)g Fs(\002eld)g(for)-150
-1191 y(each)25 b(additional)g(request,)h(so)g(that)f(in)h(later)g
-(visual)f(inspection)g(of)-150 1290 y(the)20 b(Finger)g(logs)g(these)g
-(requests)g(immediately)f(stand)h(out.)-67 1390 y(The)k
-Fm(msg)g Fs(local)g(v)n(ariable)f(holds)g(the)h(basic)g(description)f
-(of)h(the)-150 1490 y(Finger)29 b(request.)51 b(The)29
-b Fm(fmt)h Fs(function)d(kno)n(ws)i(to)h(format)e(the)h(IP)-150
-1589 y(addresses)38 b Fm(c$id$orig)p 662 1589 25 4 v
-28 w(h)h Fs(and)e Fm(c$id$resp)p 1387 1589 V 28 w(h)i
-Fs(as)g(\223dotted)-150 1689 y(quads.)-6 b(\224)-67 1788
-y(Ne)o(xt,)27 b(if)f(the)g(connection)e(has)i(been)f(mark)o(ed)f(as)j
-(\223hot\224)e(\(either)-150 1888 y(just)30 b(pre)n(viously)-5
-b(,)29 b(or)g(perhaps)f(by)g(a)i(completely)e(dif)n(ferent)f(e)n(v)o
-(ent)-150 1988 y(handler\),)17 b(then)g(the)h(script)h(generates)e(a)h
-(real-time)g(noti\002cation.)23 b(In)-150 2087 y(an)o(y)17
-b(case,)h(it)g(also)g(records)f(the)g(request)g(to)h(the)g
-Fm(finger)p 1533 2087 V 29 w(log)f Fs(\002le.)-150 2187
-y(Finally)-5 b(,)24 b(it)g(updates)e(the)i Fm(addl)f
-Fs(\002eld)h(to)g(re\003ect)f(the)h(request)e(\(and)-150
-2287 y(to)e(\003ag)h(multiple)e(requests,)h(as)h(discussed)f(abo)o(v)o
-(e\).)-67 2386 y(Entries)g(in)g(the)h(log)e(\002le)i(look)f(lik)o(e:)
--150 2530 y Ff(880988813.752829)37 b(171.64.15.68)i(>)527
-2609 y(128.3.253.104)f("feng")-150 2688 y(880991121.364126)f
-(131.243.168.28)h(>)527 2766 y(130.132.143.23)g("anlin")-150
-2845 y(880997120.932007)f(192.84.144.6)i(>)527 2924 y(128.3.32.16)g
-(ALL)-150 3003 y(881000846.603872)e(128.3.9.45)i(>)527
-3082 y(146.165.7.14)g(ALL)g(\(/W\))-150 3161 y(881001601.958411)e
-(152.66.83.11)i(>)527 3240 y(128.3.13.76)g("davfor")-150
-3404 y Fs(\(though)18 b(without)i(the)g(lines)g(split)h(after)f(the)g
-(\223)p Fm(>)p Fs(\224\).)-67 3504 y(The)37 b(real-time)f
-(noti\002cations)g(look)h(quite)f(similar)m(,)41 b(with)d(the)-150
-3603 y(k)o(e)o(yw)o(ord)24 b(\223)p Fm(finger:)p Fs(\224)34
-b(added)24 b(to)i(a)n(v)n(oid)f(ambiguity)f(with)h(other)-150
-3703 y(types)20 b(of)g(real-time)f(noti\002cation.)-150
-3980 y Ft(Refer)n(ences)-150 4165 y Fs([Ax99])95 b(AXENT)141
-b(T)-6 b(echnologies,)170 b Fr(Intruder)141 b(Alert)p
-Fs(,)187 4265 y(http://www)-5 b(.ax)o(ent.com/produ)o(ct/smsb)n(u/IT)c
-(A/,)187 4365 y(1999.)-150 4523 y([Br88])114 b(R.)32
-b(Bro)n(wn,)h(\223Calendar)d(Queues:)47 b(A)32 b(F)o(ast)g
-Fj(O)r Fc(\(1\))g Fs(Pri-)187 4623 y(ority)39 b(Queue)g(Implementation)
-e(for)j(the)g(Simulation)187 4723 y(Ev)o(ent)16 b(Set)j(Problem,)-6
-b(\224)17 b Fr(Communications)f(of)i(the)f(A)n(CM)p Fs(,)187
-4822 y(31\(10\),)g(pp.)j(1220-1227,)c(Oct.)21 b(1988.)-150
-4981 y([Ci99])119 b(Cisco)357 b(Systems,)440 b Fr(NetRang)o(er)p
-Fs(,)187 5081 y(http://www)-5 b(.cisco.com/w)o(arp/public/cc/cisco/m)o
-(kt/)187 5180 y(security/nranger/inde)o(x.htm)o(l,)15
-b(1999.)p -150 5244 801 4 v -65 5298 a Fk(5)-30 5321
-y Fp(W)-5 b(e)22 b(do)i(indeed)h(see)e(occasional)k(multiple)e
-(requests.)41 b(So)23 b(f)o(ar)m(,)i(the)o(y)g(ha)o(v)o(e)f(all)-150
-5400 y(appeared)19 b(fully)f(innocuous.)2049 -104 y Fs([CT94])91
-b(C.)44 b(Compton)f(and)h(D.)g(T)-6 b(ennenhouse,)47
-b(\223Collabora-)2386 -5 y(ti)n(v)o(e)e(Load)f(Shedding)f(for)i
-(Media-Based)g(Applica-)2386 95 y(tions,)-6 b(\224)45
-b Fr(Pr)l(oc.)c(International)d(Confer)m(ence)i(on)g(Mul-)2386
-194 y(timedia)i(Computing)f(and)h(Systems)p Fs(,)49 b(Boston,)e(MA,)
-2386 294 y(May)-5 b(.)19 b(1994.)2049 459 y([In99])127
-b(Internet)44 b(Security)h(Systems,)52 b(Inc.,)f Fr(RealSecur)m(e)3940
-429 y Fa(TM)4029 459 y Fs(,)2386 559 y(http://www)-5
-b(.iss.net/prod/rs.php3,)15 b(1999.)2049 725 y([JLM89])40
-b(V)-11 b(.)72 b(Jacobson,)83 b(C.)72 b(Leres,)84 b(and)71
-b(S.)g(McCanne,)2386 824 y Fm(tcpdump)p Fs(,)80 b(a)n(v)n(ailable)68
-b(via)h(anon)o(ymous)d(ftp)i(to)2386 924 y(ftp.ee.lbl.go)o(v)-5
-b(,)16 b(Jun.)k(1989.)2049 1089 y([Ka91])100 b(B.)36
-b(Kantor)m(,)j(\223BSD)d(Rlogin,)-6 b(\224)40 b(RFC)d(1282,)h(Netw)o
-(ork)2386 1189 y(Information)51 b(Center)m(,)63 b(SRI)55
-b(International,)61 b(Menlo)2386 1289 y(P)o(ark,)19 b(CA,)i(Dec.)f
-(1991.)2049 1454 y([MJ93])91 b(S.)30 b(McCanne)e(and)h(V)-11
-b(.)31 b(Jacobson,)f(\223The)f(BSD)i(P)o(ack)o(et)2386
-1554 y(Filter:)38 b(A)27 b(Ne)n(w)g(Architecture)f(for)g(User)n(-le)n
-(v)o(el)g(P)o(ack)o(et)2386 1653 y(Capture,)-6 b(\224)18
-b Fr(Pr)l(oc.)h(1993)e(W)-5 b(inter)20 b(USENIX)f(Confer)m(ence)p
-Fs(,)2386 1753 y(San)h(Die)o(go,)f(CA.)2049 1918 y([MLJ94])40
-b(S.)77 b(McCanne,)90 b(C.)78 b(Leres)e(and)h(V)-11 b(.)77
-b(Jacobson,)2386 2018 y Fm(libpcap)p Fs(,)j(a)n(v)n(ailable)68
-b(via)h(anon)o(ymous)d(ftp)i(to)2386 2118 y(ftp.ee.lbl.go)o(v)-5
-b(,)16 b(1994.)2049 2283 y([MHL94])39 b(B.)23 b(Mukherjee,)d(L.)i
-(Heberlein,)f(and)h(K.)g(Le)n(vitt,)g(\223Net-)2386 2383
-y(w)o(ork)33 b(Intrusion)f(Detection,)-6 b(\224)37 b
-Fr(IEEE)c(Network)p Fs(,)38 b(8\(3\),)2386 2482 y(pp.)19
-b(26-41,)f(May/Jun.)h(1994.)2049 2648 y([Ne99])100 b(Netw)o(ork)41
-b(Flight)g(Recorder)m(,)46 b(Inc.,)g Fr(Network)d(Flight)2386
-2747 y(Recor)m(der)p Fs(,)19 b(http://www)-5 b(.nfr)g(.com,)17
-b(1999.)2049 2913 y([PS93])105 b(V)-11 b(.)18 b(P)o(axson)g(and)g(C.)h
-(Saltmarsh,)f(\223Glish:)25 b(A)19 b(User)n(-Le)n(v)o(el)2386
-3012 y(Softw)o(are)46 b(Bus)i(for)f(Loosely-Coupled)d(Distrib)n(uted)
-2386 3112 y(Systems,)-6 b(\224)17 b Fr(Pr)l(oc.)f(1993)e(W)-5
-b(inter)17 b(USENIX)f(Confer)m(ence)p Fs(,)2386 3212
-y(San)k(Die)o(go,)f(CA.)2049 3377 y([P)o(a94])115 b(V)-11
-b(.)35 b(P)o(axson,)i(\223Empirically-Deri)n(v)o(ed)30
-b(Analytic)35 b(Mod-)2386 3477 y(els)28 b(of)f(W)m(ide-Area)g(TCP)h
-(Connections,)-6 b(\224)28 b Fr(IEEE/A)n(CM)2386 3576
-y(T)-5 b(r)o(ansactions)34 b(on)g(Networking)p Fs(,)39
-b(2\(4\),)e(pp.)e(316-336,)2386 3676 y(Aug.)19 b(1994.)2049
-3842 y([P)o(a96])115 b(V)-11 b(.)25 b(P)o(axson,)g Fm(flex)p
-Fs(,)g(a)n(v)n(ailable)f(via)h(anon)o(ymous)d(ftp)i(to)2386
-3941 y(ftp.ee.lbl.go)o(v)-5 b(,)16 b(Sep.)k(1996.)2049
-4107 y([P)o(a97a])78 b(V)-11 b(.)31 b(P)o(axson,)i(\223End-to-End)28
-b(Internet)i(P)o(ack)o(et)h(Dynam-)2386 4206 y(ics,)-6
-b(\224)67 b Fr(Pr)l(oc.)57 b(SIGCOMM)g('97)p Fs(,)65
-b(Cannes,)h(France,)2386 4306 y(Sep.)20 b(1997.)2049
-4471 y([P)o(a97b])73 b(V)-11 b(.)28 b(P)o(axson,)h(\223End-to-End)c
-(Routing)j(Beha)n(vior)f(in)i(the)2386 4571 y(Internet,)-6
-b(\224)41 b Fr(IEEE/A)n(CM)c(T)-5 b(r)o(ansactions)37
-b(on)h(Network-)2386 4671 y(ing)p Fs(,)19 b(5\(5\),)g(pp.)h(601-615,)d
-(Oct.)j(1997.)2049 4836 y([P)o(a98])115 b(V)-11 b(.)18
-b(P)o(axson,)g(\223Bro:)24 b(A)18 b(System)g(for)g(Detecting)f(Netw)o
-(ork)2386 4936 y(Intruders)h(in)i(Real-T)m(ime,)-6 b(\224)20
-b(Proc.)f(7th)h(USENIX)g(Secu-)2386 5035 y(rity)g(Symposium,)e(Jan.)i
-(1998.)2049 5201 y([PR83a])59 b(J.)26 b(Postel)h(and)f(J.)h(Re)o
-(ynolds,)f(\223T)-6 b(elnet)26 b(Protocol)f(Spec-)2386
-5300 y(i\002cation,)-6 b(\224)21 b(RFC)j(854,)d(Netw)o(ork)g
-(Information)e(Center)m(,)2386 5400 y(SRI)i(International,)c(Menlo)j(P)
-o(ark,)f(CA,)i(May)f(1983.)1908 5649 y(21)p eop
-%%Page: 22 22
-22 21 bop -150 -104 a Fs([PR83b])54 b(J.)24 b(Postel)g(and)f(J.)h(Re)o
-(ynolds,)g(\223T)-6 b(elnet)23 b(Option)g(Speci\002-)187
--5 y(cations,)-6 b(\224)30 b(RFC)g(855,)g(Netw)o(ork)d(Information)f
-(Center)m(,)187 95 y(SRI)21 b(International,)c(Menlo)j(P)o(ark,)f(CA,)i
-(May)f(1983.)-150 261 y([PR85])96 b(J.)25 b(Postel)g(and)f(J.)h(Re)o
-(ynolds,)f(\223File)h(T)m(ransfer)f(Protocol)187 360
-y(\(FTP\),)-6 b(\224)35 b(RFC)j(959,)h(Netw)o(ork)c(Information)e
-(Center)m(,)187 460 y(SRI)21 b(International,)c(Menlo)j(P)o(ark,)f(CA,)
-i(Oct.)f(1985.)-150 626 y([PN98])91 b(T)-6 b(.)52 b(Ptacek)g(and)g(T)-6
-b(.)53 b(Ne)n(wsham,)59 b(\223Insertion,)g(Ev)n(a-)187
-726 y(sion,)68 b(and)59 b(Denial)g(of)g(Service:)103
-b(Eluding)57 b(Net-)187 825 y(w)o(ork)i(Intrusion)f(Detection,)-6
-b(\224)69 b(Secure)59 b(Netw)o(orks,)187 925 y(Inc.,)45
-b(http://www)-5 b(.aciri.or)o(g/v)o(ern/Ptacek-)o(Ne)n(wsham)o(-)187
-1025 y(Ev)n(asion-98.ps,)17 b(Jan.)j(1998.)-150 1191
-y([PZCMO96])40 b(N.)22 b(Puk)o(etza,)f(K.)h(Zhang,)e(M.)i(Chung,)f(B.)h
-(Mukher)n(-)187 1290 y(jee)34 b(and)f(R.)h(Olsson,)j(\223)-7
-b(A)34 b(Methodology)d(for)i(T)-6 b(esting)187 1390 y(Intrusion)23
-b(Detection)i(Systems,)-6 b(\224)27 b Fr(IEEE)e(T)-5
-b(r)o(ansactions)187 1490 y(on)40 b(Softwar)m(e)g(Engineering)p
-Fs(,)j(22\(10\),)g(pp.)d(719-729,)187 1589 y(Oct.)20
-b(1996.)-150 1755 y([RLSSL)-6 b(W97])40 b(M.)25 b(Ranum,)g(K.)g
-(Land\002eld,)g(M.)f(Stolarchuk,)g(M.)187 1855 y(Sienkie)n(wicz,)41
-b(A.)d(Lambeth)e(and)i(E.)g(W)-7 b(all,)43 b(\223Imple-)187
-1954 y(menting)29 b(a)i(generalized)e(tool)h(for)g(netw)o(ork)f
-(monitor)n(-)187 2054 y(ing,)-6 b(\224)24 b Fr(Pr)l(oc.)g(LISA)f('97)p
-Fs(,)h(USENIX)g(11th)f(Systems)h(Ad-)187 2154 y(ministration)19
-b(Conference,)f(San)i(Die)o(go,)f(Oct.)i(1997.)-150 2320
-y([Re96])105 b(Y)-11 b(.)19 b(Rekhter)m(,)f(B.)i(Mosk)o(o)n(witz,)e(D.)
-h(Karrenber)o(g,)d(G.)j(J.)h(de)187 2419 y(Groot,)30
-b(and)f(E.)h(Lear)m(,)h(\223)-7 b(Address)29 b(Allocation)g(for)f(Pri-)
-187 2519 y(v)n(ate)20 b(Internets,)-6 b(\224)19 b(RFC)i(1918,)e(Feb)m
-(.)h(1996.)-150 2685 y([Sr95a])86 b(R.)21 b(Srini)n(v)n(asan,)f
-(\223RPC:)i(Remote)e(Procedure)f(Call)j(Pro-)187 2785
-y(tocol)30 b(Speci\002cation)g(V)-9 b(ersion)30 b(2,)-6
-b(\224)34 b(RFC)e(1831,)g(DDN)187 2884 y(Netw)o(ork)19
-b(Information)e(Center)m(,)j(Aug.)f(1995.)-150 3050 y([Sr95b])81
-b(R.)30 b(Srini)n(v)n(asan,)g(\223XDR:)g(External)e(Data)h(Representa-)
-187 3150 y(tion)g(Standard,)-6 b(\224)30 b(RFC)g(1832,)g(DDN)g(Netw)o
-(ork)e(Infor)n(-)187 3250 y(mation)19 b(Center)m(,)g(Aug.)h(1995.)-150
-3416 y([S-J93])91 b(M.)18 b(St.)h(Johns,)f(\223Identi\002cation)e
-(Protocol,)-6 b(\224)18 b(RFC)h(1413,)187 3515 y(Netw)o(ork)38
-b(Information)f(Center)m(,)44 b(SRI)c(International,)187
-3615 y(Menlo)19 b(P)o(ark,)h(CA,)g(Feb)m(.)g(1993.)-150
-3781 y([T)-7 b(o99])111 b(T)-7 b(ouch)65 b(T)-6 b(echnologies,)75
-b(Inc.,)i Fr(INT)o(OUCH)67 b(INSA)p Fs(,)187 3881 y(http://www)-5
-b(.ttisms.com/tti/nsa)p 1176 3881 25 4 v 27 w(www)g(.html,)19
-b(1999.)-150 4047 y([WFP96])41 b(G.)30 b(White,)i(E.)e(Fisch)h(and)e
-(U.)h(Pooch,)i(\223Cooperating)187 4146 y(Security)e(Managers:)47
-b(A)32 b(Peer)n(-Based)g(Intrusion)e(De-)187 4246 y(tection)22
-b(System,)-6 b(\224)23 b Fr(IEEE)f(Network)p Fs(,)i(10\(1\),)e(pp.)g
-(20-23,)187 4346 y(Jan./Feb)m(.)d(1994.)-150 4512 y([Zi91])123
-b(D.)41 b(Zimmerman,)k(\223The)c(Finger)g(User)h(Information)187
-4611 y(Protocol,)-6 b(\224)27 b(RFC)h(1288,)f(Netw)o(ork)f(Information)
-e(Cen-)187 4711 y(ter)m(,)16 b(SRI)g(International,)e(Menlo)h(P)o(ark,)
-g(CA,)h(Dec.)k(1991.)1908 5649 y(22)p eop
-%%Trailer
-end
-userdict /end-hook known{end-hook}if
-%%EOF
diff --git a/doc/quick-start/Bro-installation.texi b/doc/quick-start/Bro-installation.texi
deleted file mode 100644
index fcaddfe0f0..0000000000
--- a/doc/quick-start/Bro-installation.texi
+++ /dev/null
@@ -1,229 +0,0 @@
-
-@menu
-* Download ::
-* Install ::
-* Configuration ::
-* Encrypted Reports ::
-@end menu
-
-@node Download
-@section Download
-@cindex download
-
-Download Bro from: @uref{http://www.bro-ids.org/}
-
-You can unpack the distribution anywhere except into the directory
-you plan to install into. To untar the file, type:
-
-@example
-tar xvzf bro-0.9a6.6.tar.gz
-@end example
-
-@node Install
-@section Install
-
-You'll need to collect the following information before beginning the installation.
-
-@itemize
-@item localnets: a list of local subnets for your network. Bro needs to know which networks are "internal" and which are "external".
-
-@item interface names: the names of the capture interfaces in your host (e.g. sk0 or en1). Use @code{ifconfig -a} to get the list of all network interfaces on your Bro host.
-@end itemize
-
-If you want to use Bro's periodic email report feature, you'll also need:
-@itemize
-@item email list: a list of email addresses to send the reports to.
-
-@item pgp keys: if you want to encrypt all email reports, the location of the 
-@uref{http://www.gnupg.org/,GPG keyring} of all recipients.
-@end itemize
-
-Bro is very easy to install. Just log in as @code{root}, and type:
-@example
-./configure
-@end example
-or to install Bro in a location other than @file{/usr/local/bro}, use:
-@example
-./configure --prefix=/path/to/bro
-@end example
-and then type:
-@example
-make
-make install
-@end example
-
-To update an existing Bro installation with new binaries and standard policy file, instead
-of @code{'make install'} do a @code{'make update'}. This will preserve all your local customizations.
-
-@node Configuration
-@section Configuration
-@cindex bro_config
-@cindex bro.cfg
-
-The @emph{Bro-Lite} configuration script can be used to automatically configure Bro for you. It
-checks your system's BPF settings, creates a 'bro' user account, installs
-a script to start bro at boot time, and installs a number of @code{cron} jobs 
-to checkpoint bro every night, run perioidic reports, and manage log files.
-
-To run this configuration script type:
-@example
-make install-brolite 
-@end example
-
-
-This will run the script @code{bro_config}, which creates the file @file{$BROHOME/etc/bro.cfg}.
-@code{bro_config} will ask a number of simple questions.
-
-Sample output of @code{bro_config}, along with explanation, is shown below:
-
-@quotation
-
-@verbatim
-Running Bro Configuration Utility
-Checking interfaces ....  Done.
-Reading /usr/local/bro/etc/bro.cfg.example for defaults.
-@end verbatim
-@quotation 
-@quotation 
-The @code{bro_config} script looks first at ./bro.cfg, then /usr/local/bro/etc,  
-for default values to use below.
-@end quotation
-@end quotation
-
-@verbatim
-Bro Log archive location [/usr/local/bro/archive] 
-@end verbatim
-@quotation
-@quotation
-This is the directory where log file archives are kept. 
-If you expect the log files to be very large, it is recommended to put these in a separate disk partition.
-@end quotation
-@end quotation
-
-@verbatim
-User id to install and run Bro under [bro] 
-@end verbatim
-@quotation
-@quotation
-@code{bro_config} will create a new user account with this username if the user does not exist. 
-@end quotation
-@end quotation
-
-@verbatim
-Interface names to listen on. [en1,en2] 
-@end verbatim
-@quotation
-@quotation
-@code{bro_config} looks for all network interfaces and does a short test to determine which interfaces see the most traffic, and selects these interfaces as the default. 
-@end quotation
-@end quotation
-
-@verbatim
-Site name for reports (i.e. LBNL, FOO.COM, BAZ.ORG) [] 
-Starting Report Time [0600]
-Report interval (in hours) [24]
-Email addresses for internal reports [bro@localhost] 
-Do you want to send external reports to a incident 
-		reporting org (e.g.: CERT, CIAC, etc) (Y/N)
-Y
-Email addresses for external reports [] 
-@end verbatim
-
-@quotation
-@quotation
-Daily reports will be created.  
-Enter the site name you want to appear at the top and in the subject of all email reports.
-The 'start time' and 'interval' define the window of 
-network activity that the daily report will cover, starting at 'Starting Report Time' and 
-lasting through 'Report interval'. The start time should be entered using 24hr clock notation. 
-For example: 12:30am = 0030,  2pm = 1400
-
-Two types of reports will be generated,
-"internal" and "external". Internal reports contain the same basic information as
-the external reports, along with traffic statistics and more detailed information on 
-incidents. Both internal and external reports will be sent to the "internal" email address list.
-External reports are only sent if you answer "Y" and enter an external email address. 
-(Note: currently only internal reports are generated)
-@end quotation
-@end quotation
-
-
-@verbatim
-Do you want to encrypt the email reports (Y/N) [N]
-Y
-@end verbatim
-@quotation
-@quotation 
-If you want the email reports encrypted, you will need to set up GPG (@uref{http://www.gnupg.org})
-and create a GPG keyring containing the public keys of all email recipients. Instructions 
-for this are in @ref{Encrypted Reports}.
-
-@end quotation
-@end quotation
-
-@verbatim
-Running script to determine your local subnets ... 
-Your Local subnets [198.129.224.1/32] 
-@end verbatim
-@quotation
-@quotation
-Bro needs to know a list of your local subnets. @code{bro_config} runs a tool 
-that attempts to discover this automatically. 
-You should always verify the results of this tool. The format is a list of subnet/significant 
-bits of address. 
-For example: 131.243.0.0/16, 198.128.0.0/18, 198.129.224.1/32
-@end quotation
-This information will be stored in the file @code{$BROHOME/site/local.site.bro}
-@end quotation
-
-@verbatim
-Saving settings to file: /usr/local/bro/etc/bro.cfg
-Bro configuration finished. 
-To change these values, you can rerun bro_config at any time.
-@end verbatim
-@quotation
-@quotation
-Indicates that the script finished successfully.
-@end quotation
-@end quotation
-
-@end quotation
-
-For site monitoring very high traffic rates on Gigabit ethernet, there is some
-additional system tuning that should be done. See the @uref{http://www.bro-ids.org/, Bro User Guide} for more details.
-
-
-To reconfigure Bro, just type:
-@example
-bro_config
-@end example
-
-This will update your @file{/usr/local/bro/etc/bro.cfg} file. You can also edit this file using your favorite editor if you prefer.
-
-For other site customizations, you can edit the file $BROHOME/site/local.site.bro.
-For example, to tell bro to not look at traffic for host 198.162.44.66, add:
-@verbatim
-     redef restrict_filters += { ["ignore host 198.162.44.66 "] = "not (host 198.162.44.66)" };
-@end verbatim
-
-Or to disable alarms for "WeirdActivity", you can add this:
-@verbatim
-     redef notice_action_filters += { [[WeirdActivity]] = ignore_notice, };
-@end verbatim
-
-Any changes you make in $BROHOME/site will not be touched during an upgrade
-or reinstall of Bro. You should avoid editing files in $BROHOME/policy,
-as these will be overwritten.
-
-More details are available in the Bro user guide. 
-
-@node Encrypted Reports 
-@section Encrypted Reports 
-@cindex GPG
-
-Bro can use GPG (@uref{http://www.gnupg.org/}) to encrypt
-the reports that it sends. To have Bro encrypt your
-reports you must have said 'yes' to the bro_config question to
-encrypt your reports. For information on configuring
-GPG for Bro reports, see the @uref{http://www.bro-ids.org/, Bro User Manual}.
-
diff --git a/doc/quick-start/Bro-overview.texi b/doc/quick-start/Bro-overview.texi
deleted file mode 100644
index de02ec482c..0000000000
--- a/doc/quick-start/Bro-overview.texi
+++ /dev/null
@@ -1,143 +0,0 @@
-
-@menu
-* What is Bro? ::
-* Bro features and benefits ::
-* Getting more Information ::
-@end menu
-
-@node What is Bro?
-@section What is Bro?
-@cindex Network Intrusion Detection System
-
-Bro is a Unix-based Network Intrusion Detection System (IDS).  Bro monitors network traffic and detects intrusion attempts based on the traffic 
-characteristics and content.  Bro detects intrusions by comparing network traffic against rules describing events that are deemed troublesome.  These rules 
-might describe activities (e.g., certain hosts connecting to certain services), what activities are worth alerting (e.g., attempts to a given number of different hosts constitutes 
-a "scan"), or signatures describing known attacks or access to known vulnerabilities.  If Bro detects something of interest, it can be instructed to either issue a log entry or initiate the execution of an operating system command.
-
-Bro targets high-speed (Gbit/second), high-volume intrusion detection. By judiciously leveraging packet filtering techniques, 
-Bro is able to achieve the performance necessary to do so while running on commercially 
-available PC hardware, and thus can serve as a cost effective means of monitoring a site's Internet connection.
-
-
-@node Bro features and benefits
-@section Bro features and benefits
-
-@itemize
-@item @strong{Network Based}
-@quotation
-Bro is a network-based IDS.  It collects, filters, and analyzes traffic that passes through a specific
-network location.  A single Bro monitor, strategically placed at a key network junction, can be
-used to monitor all incoming and outgoing traffic for the entire site.  Bro does not use or
-require installation of client software on each individual, networked computer.
-@end quotation
-
-@item @strong{Custom Scripting Language}
-@quotation
-Bro policy scripts are programs written in the Bro language.  They contain the "rules" that
-describe what sorts of activities are deemed troublesome.  They analyze the network activity and
-initiate actions based on the analysis.  Although the Bro language takes some time and effort to
-learn, once mastered, the Bro user can write or modify Bro policies to detect and alert on virtually
-any type of network activity.
-@end quotation
-
-@item @strong{Pre-written Policy Scripts}
-@quotation
-Bro comes with a rich set of policy scripts designed to detect the most common Internet attacks
-while limiting the number of false positives, i.e., alerts that confuse uninteresting activity with the
-important attack activity.  These supplied policy scripts will run "out of the box" and do not
-require knowledge of the Bro language or policy script mechanics.
-@end quotation
-
-@item @strong{Powerful Signature Matching Facility}
-@quotation
-Bro policies incorporate a signature matching facility that looks for specific traffic content.  For
-Bro, these signatures are expressed as regular expressions, rather than fixed strings.  Bro adds a
-great deal of power to its signature-matching capability because of its rich language.  This allows
-Bro to not only examine the network content, but to understand the context of the signature,
-greatly reducing the number of false positives.  Bro comes with a set of high value signatures
-policies, selected for their high detection and low false positive characteristics.
-@end quotation
-
-@item @strong{Network Traffic Analysis}
-@quotation
-Bro not only looks for signatures, but can also analyze network protocols, connections,
-transactions, data amounts, and many other network characteristics.  It has powerful facilities for
-storing information about past activity and incorporating it into analyses of new activity.
-@end quotation
-
-@item @strong{Detection Followed by Action}
-@quotation
-Bro policy scripts can generate output files recording the activity seen on the network (including
-normal, non-attack activity).  They can also send alarms to event logs, including the
-operating system syslog facility.  In addition, scripts can execute programs, which can, in turn,
-send e-mail messages, page the on-call staff, automatically terminate existing connections, or, with
-appropriate additional software, insert access control blocks into a router's access control list.
-With Bro's ability to execute programs at the operating system level, the actions that Bro can
-initiate are only limited by the computer and network capabilities that support Bro.
-@end quotation
-
-@item @strong{@uref{http://www.snort.org/,Snort} Compatibility Support}
-@cindex Snort
-@quotation
-The Bro distribution includes a tool, snort2bro, which converts Snort signatures into Bro
-signatures.  Along with translating the format of the signatures, snort2bro also incorporates a large
-number of enhancements to the standard set of Snort signatures to take advantage of Bro's
-additional contextual power and reduce false positives.
-@end quotation
-
-
-@end itemize
-
-@node Getting more Information 
-@section Getting more Information 
-
-@itemize
-@item @strong{Reference manual}
-@quotation
-An extensive @uref{http://www.bro-ids.org/manuals.html,reference manual} is provided detailing the Bro Policy Language
-@end quotation
-
-@item @strong{FAQ}
-@cindex FAQ
-@quotation
-Several Frequently Asked Questions are outlined in the @uref{http://www.bro-ids.org/FAQ.html,Bro FAQ}.  
-Do you have a question that's not
-in the FAQ, send it to us and we'll add it.
-@end quotation
-
-@item @strong{E-mail list}
-@cindex Email list
-@quotation
-Send questions on any Bro subject to Bro@@bro-ids.org
-The list is frequented by all of the Bro developers, including the primary author of Bro, Dr. Vern
-Paxson.
-
-You can subscribe by going to the website: 
-@* @uref{http://mailman.icsi.berkeley.edu/mailman/listinfo/bro},
-@*
-or by placing the following command in either the subject or the body of a message addressed to
-Bro-request@@ICSI.Berkeley.EDU.
-
-@example
-subscribe [password] [digest-option] [address=<address>]
-@end example
-
-A password must be given to
-unsubscribe or change your options.  Once subscribed to the
-list, you'll be reminded of your password periodically.
-The 'digest-option' may be either: 'nodigest' or 'digest' (no
-quotes!)  If you wish to subscribe an address other than the
-address you use to send this request from, you may specify
-"address=<email address>" (no brackets around the email
-address, no quotes!)
-
-@end quotation
-
-@item @strong{Website}
-@quotation
-The official Bro website is located at:
-@uref{http://www.bro-ids.org}.
-It contains all of the above documentation and more.
-@end quotation
-
-@end itemize
diff --git a/doc/quick-start/Bro-quick-start.pdf b/doc/quick-start/Bro-quick-start.pdf
deleted file mode 100644
index 75f0a484c5..0000000000
Binary files a/doc/quick-start/Bro-quick-start.pdf and /dev/null differ
diff --git a/doc/quick-start/Bro-quick-start.texi b/doc/quick-start/Bro-quick-start.texi
deleted file mode 100644
index 166d1293f3..0000000000
--- a/doc/quick-start/Bro-quick-start.texi
+++ /dev/null
@@ -1,99 +0,0 @@
-\input texinfo   @c -*-texinfo-*-
-@comment $Id: Bro-quick-start.texi 958 2004-12-21 16:51:44Z tierney $
-@comment %**start of header
-@setfilename Bro-quick-start.info
-@settitle Bro Quick Start Guide 
-@setcontentsaftertitlepage 
-@comment %**end of header
-
-
-@set VERSION 0.9
-@set UPDATED 11-15-2004
-
-@copying
-This the Quick Start Guide for Bro
-version @value{VERSION}.
-
-This software is copyright @copyright{} 
-1995-2004, The Regents of the University of California
-and the International Computer Science Institute.  All rights reserved.
-
-For further information about this notice, contact:
-
-Vern Paxson
-email: @email{vern@@icir.org}
-
-@end copying
-
-@dircategory Bro
-@direntry
-* Bro: Network Intrusion Detection System
-@end direntry
-
-@ifnottex
-@node Top
-@top Bro Quick Start Guide
-@copyright{} Lawrence Berkeley National Laboratory
-@end ifnottex
-
-@titlepage
-@title Bro Quick Start Guide 
-@subtitle version @value{VERSION}, @value{UPDATED}, @strong{DRAFT}
-@author Vern Paxson, Jim Rothfuss, Brian Tierney
-@author Contact: @email{vern@@icir.org}
-@author @uref{http://www.bro-ids.org/}
-@page
-@insertcopying
-@vskip 0pt plus 1filll
-@end titlepage
-
-@contents
-
-@ifnottex
-@strong{Bro Quick Start Guide}: 
-This manual contains info on installing, configuring, and running
-Bro. For more details, see the @uref{http://www.bro-ids.org/Bro-user-manual/,
-Bro User Manual}
-@end ifnottex
-
-@menu
-* Overview of Bro::
-* Requirements ::
-* Installation and Configuration::
-* Running Bro ::
-* Index::  
-@end menu
-
-@comment ********************************************
-
-@node Overview of Bro
-@chapter Overview of Bro
-@include Bro-overview.texi
-
-@comment ********************************************
-@node Requirements 
-@chapter Requirements 
-@cindex Software requirements
-@cindex Hardware requirements
-
-@include Bro-requirements.texi
-
-@comment ********************************************
-@node Installation and Configuration 
-@chapter Installation and Configuration 
-@cindex Installation instructions 
-@include Bro-installation.texi
-@cindex Configuration instructions 
-
-@comment ********************************************
-@node Running Bro
-@chapter Running Bro
-@include Bro-running.texi
-
-@comment ********************************************
-@node Index
-@unnumbered Index 
-
-@printindex cp
-
-@bye
diff --git a/doc/quick-start/Bro-requirements.texi b/doc/quick-start/Bro-requirements.texi
deleted file mode 100644
index d3fa73b48e..0000000000
--- a/doc/quick-start/Bro-requirements.texi
+++ /dev/null
@@ -1,79 +0,0 @@
-
-
-@menu
-* Network Tap ::
-* Hardware and Software Requirements ::
-@end menu
-
-
-@node Network Tap
-@section Network Tap
-@cindex network tap
-
-A network tap must be installed to provide Bro with access to live network traffic. 
-For Bro to be most effective, access to the network must be full-bandwidth (no bandwidth limitations) and full-duplex. A passive tap is recommended to ensure minimal impact on network operations.
-
-Normally the network tap for Bro should be placed behind an external firewall and on the DMZ 
-(the portion of the network under the control of the organization but outside of the internal firewall), 
-as shown in the figure below. Some organizations might prefer to install the network tap before 
-the firewall in order to detect all scans or attacks.  Placing Bro before the firewall will allow
-the organization to better understand attacks, but will produce a much high number of alarms and alerts. Another option is to place Bro inside the internal firewall, allowing it to detect internal hosts with viruses or worms.
-In addition to the connection to the network tap, a separate network connection is required 
-for management of Bro and access to log files.
-
-For more information on taps and tap placement see the Netoptics White paper titled @emph{Deploying Network Taps with Intrusion Detection Systems} (@uref{http://www.netoptics.com/products/pdf/Taps-and-IDSs.pdf}).
-
-@float Figure, tap location
-@image{bro-deployment,6.3in}
-@caption{Typical location for network tap and Bro system}
-@end float
-
-@node Hardware and Software Requirements
-@section Hardware and Software Requirements
-
-Bro requires no custom hardware, and runs on low-cost commodity PC-style system.
-However, the Bro monitoring host must examine every packet into and out of 
-your site, so depending on your sites network traffic, you may need a fairly high-end machine.
-If you are trying to monitor a link with a large number of connections, we recommend using
-a second system for report generation, and run only Bro on the capture host.
-
-@quotation
-@multitable  @columnfractions .25 .75
-@comment only work with texiinfo 4.7 or higher: @headitem Item @tab Requirements
-@item @strong{Item} @tab @strong{Requirements}
-
-@item @strong{Processor}
-@tab 1 GHz CPU (for 100 BT Ethernet with average packet rate <= 5,000 packets/second)
-@* 2 GHz CPU (for 1000 BT Ethernet with average packet rate <= 10,000 packets/second)
-@* 3 GHz CPU (for 1000 BT Ethernet with average packet rate <= 20,000 packets/second)
-@* 4 GHz CPU (for 1000 BT Ethernet with average packet rate <= 50,000 packets/second)
-@* (Note: these are @strong{very} rough estimates, and much depends on the types of
-traffic on your network (e.g.: http, ftp, mail, etc.). See the Performance chapter of the Bro User Guide for more information)
-
-@item @strong{Operating System}
-@tab FreeBSD 4.10 (@uref{http://www.freebsd.org/})  Bro works with Linux 
-and Solaris as well, 
-but the performance is best under FreeBSD. In particular there are some performance issues with 
-packet capture under Linux. See the User Guide chapter on Bro and Linux for more information. FreeBSD 5.x should work, but may have performance issues. For sites with very high traffic loads, contact us for information on a FreeBSD 4.x patch to do @emph{bpf bonding}
-
-@item @strong{Memory}
-@tab 1 GB RAM is the minimum needed, but 2-3 GB is recommended
-
-@item @strong{Hard disk}
-@tab 10 GByte minimum, 50 GByte or more for log files recommended
-
-@item @strong{User privileges}
-@tab @emph{superuser} to install Bro, then Bro runs as user @emph{bro}
-
-@item @strong{Network Interfaces}
-@tab 3 interfaces are required: 2 for packet capture (1 for each direction), and 1 for host management. Capture interfaces should be identical.
-
-@item @strong{Other Software}
-@* - Perl version 5.6 or higher (@uref{http://www.perl.org})
-@* - libpcap version 0.8 or higher (@uref{http://www.tcpdump.org})
-@* - tcpdump version 3.8 or higher (@uref{http://www.tcpdump.org})
-@* Note: FreeBSD 4.x comes with older versions perl, libpcap, and tcpdump. Bro
-requires newer versions of these tools.
-
-@end multitable
-@end quotation
diff --git a/doc/quick-start/Bro-running.texi b/doc/quick-start/Bro-running.texi
deleted file mode 100644
index 6fd2d95d0a..0000000000
--- a/doc/quick-start/Bro-running.texi
+++ /dev/null
@@ -1,316 +0,0 @@
-
-@menu
-* Starting Bro ::
-* Bro Scripts ::
-* Sending (E-mail) Bro Reports ::
-* Reading a Bro Report ::
-@end menu
-
-@node Starting Bro 
-@section Starting Bro 
-@cindex starting Bro
-@cindex bro.rc
-
-Bro is automatically started at boot time via the @command{bro.rc} 
-script,
-( located in /usr/local/bro/etc and /usr/local/etc/rc.d on FreeBSD or 
-/usr/init.d on Linux )
-
-To run this script by hand, type:
-@example
-bro.rc start
-@end example
-or
-@example
-bro.rc checkpoint
-@end example
-or 
-@example
-bro.rc stop
-@end example
-
-Use @code{checkpoint} to restart Bro, loading a new policy file.
-
-To get feel for what Bro logs will look like on your traffic, do the following:
-
-Generate some "offline" data to play with:
-
-@example
- # tcpdump -s 0 -w trace.out 
-@end example
-
-Kill off the tcpdump after capturing traffic for a few minutes (use ctrl-C),
-then to run Bro against this captured trace file:
-
-@example
- # setenv BROHOME /usr/local/bro
- # setenv BROPATH $BROHOME/site:$BROHOME/policy
- # bro -r trace.out hostname.bro 
-@end example
-
-
-@node Bro Scripts
-@section Bro Scripts
-@cindex bro_generate_report
-@cindex bro_log_compress
-@cindex check_disk
-@cindex managing disk space
-
-Installing Bro automatically creates the following @command{cron} jobs, 
-which are
-automatically run on a specified interval.
-
-@itemize
-@item @command{site-report.pl}: generates an email report of all alarms 
-and alerts
-@item @command{mail_reports.sh}: send email reports 
-@end itemize
-
-These scripts can also all be run by hand at any time.
-
-Bro log files can get quick large, and it is important to make sure that 
-the Bro disk
-does not fill up. Bro includes some simple scripts to help manage disk 
-space. Most
-sites will want to customize these for their own requirements, and 
-integrate them into their
-backup system to make sure files are not removed before they are 
-archived.
-
-@itemize
-@item @command{check_disk.sh}: check for low disk space, and send email 
-@item @command{bro_log_compress.sh}: removes/compresses old log files 
-@end itemize
-
-These scripts can be customized by editing their settings in 
-@code{$BROHOME/etc/bro.cfg}.
-The settings are as follows:
-@itemize
-@item @command{check_disk.sh}: 
-@itemize
-@item @command{diskspace_pct}: when disk is >= this percent full, send 
-email
-@item @command{diskspace_watcher}: list of email addresses to send mail 
-to
-@end itemize
-@end itemize
-
-@itemize
-@item @command{bro_log_compress.sh}: 
-@itemize
-@item @command{Days2deletion}: remove files more than this many days old 
-(default = 60)
-@item @command{Days2compression}: compress files more than this many days 
-old (default = 30)
-@end itemize
-@end itemize
-
-
-
-@node Sending (E-mail) Bro Reports
-@section Sending (E-mail) Bro Reports
-@cindex e-mail reports
-@cindex internal report
-@cindex external report
-
-A daily 'internal' report is created that covers three sets of 
-information:
-
-@itemize
-@item Incident information
-@item Operational status of Bro
-@item General network traffic information
-@end itemize
-
-If the local organization is asked to report incidents to another 
-incident analysis organization (i.e. CERT, CIAC, FedCIRC, etc.) an 
-auxiliary 'external' report can be created that only contains the 
-incident information.  These reports are stored in $BRODIR/reports.
-
-The two reports will be mailed to the e-mail addresses specified during 
-Bro installation.  These e-mail addresses can be changed by re-running 
-the bro_config script or by editing $BROHOME/etc/bro.cfg  directly.  Each 
-report has it's own set of e-mail addresses.  If it is desired to send 
-the auxiliary report directly to the external incident analysis 
-organization without inspection, enter their e-mail address directly.  
-Otherwise, have the external e-mail sent to someone who can inspect and 
-forward it appropriately.
-
-@node Reading a Bro Report
-@section Reading a Bro Report
-@cindex incident
-@cindex incident type
-@cindex report period
-@cindex alarm
-@cindex connection, successful
-@cindex connection, unsuccessful
-@cindex connection, history
-@cindex scans
-@cindex system statistics
-@cindex traffic statistics
-
-The report is divided into three parts, the summary, incidents, and 
-scans.  The summary includes a rollup of incident information, Bro 
-operational statistics, and network information.  The incidents section 
-has details for each Bro alarm.  The scans section gives details about 
-scans that Bro detected.
-
-@subsection Parts of a Report
-
-@subsubheading Summary
-@quotation
-@strong{Report Period:} The beginning and ending date/times that define 
-the window of network data used to produce the report.  
-@*@*
-@strong{Incident Count:} The number of each type of incident that are 
-detailed in the report period
-@*@*
-@strong{System Statistics:} Operating system statistics that give some 
-idea of the 'health' of Bro's operation.
-@*@*
-@strong{Traffic Statistics:} Statistics gathered by Bro that may or may 
-not have significant value in evaluating intrusions, but are useful in 
-understanding the network environment.
-@end quotation
-
-@subsubheading Incidents
-@quotation
-@strong{Incident:} Each incident generated by the Bro installation is 
-assigned a unique identification number.  This number is unique for all 
-incidents, not just to the daily report.
-@*@*
-@strong{Incident Type:} Bro can detect attacks, but cannot make a 
-definitive judgment if an attack is successful without further 
-investigation and/or knowledge of the unique network environment.  Bro 
-uses an expert knowledge algorithm to make a determination if an incident 
-is 'Likely Successful', 'Unknown' (not enough information to make a 
-guess), or 'Likely Unsuccessful'.
-@*@*
-@strong{Local Host:} The local computer involved in the incident; usually 
-the victim.
-@*@*
-@strong{Remote Host:} The remote computer involved in the incident; 
-usually the attacker.
-@*@*
-@strong{Alarm(s}:) The network event(s) that Bro detected and identified 
-as probable attacks.
-@*@*
-@strong{Successful Connections:} Connections where one host initiates a 
-network request and the other host participates in the subsequent 
-requested transactions.
-@*@*
-@strong{Unsuccessful Connections:} Connections where one host initiates a 
-network request and the other host refuses the request.
-@*@*
-@strong{Unknown Connections:} Connections where one host initiated a 
-network request, but it is unclear if the other host participated in a 
-successful transaction.
-@*@*
-@strong{Connections History:} A summary tabulation of successful and 
-unsuccessful connections made in specific time periods.  The tabulations 
-are accumulative.  That is, the connections counted under 3 days will 
-also be counted in each subsequent column.
-@end quotation
-
-@subsubheading Scans
-Scans are repetitive (similar) probes, searching several victim hosts for 
-vulnerabilities.  The scan section gives the attack host instigating the 
-scan, the date/time of the scan, and the ports that were probed. 
-
-@subsection Example Report:
-
-@example
-@verbatim
-Bro Report                                              Organization Name 
-=========================================================================
-Summary                        July 28, 2004 17:01 to July 29, 2004 17:00
-=========================================================================
- Incident       Likely Successful          1	
- Summary        Unknown                    0			
-                Likely Unsuccessful        0
-                Scans                     10
-
- System         Bro disk space:   <% at time of report generation>
- Statistics     Bro Process cpu:  <time>
-                Bro restarts:     <date/time>
-                System reboots:   <date/time>
-
- Traffic        Number of packets:       <count>
- Statistics     Number of valid packets: <count>  <% of total>
-                Protocol summary
-                Http: <count>   <% of total>
-                SSH : <count>   <% of total>
-                SMTP: <count>   <% of total>
-                Etc.
-                Average bandwidth:
-                Peak bandwidth:
-=========================================================================
-Incident Details
-                       legend for connection type
-                > connection initiated by remote host
-                < connection initiated by local host
-                # number corresponds to alarm triggered by the connection
-                * successful connection, otherwise unsuccessful
-=========================================================================
-Incident     ORGCODE-000002                             LIKELY SUCCESSFUL
----------------------
-Remote Host: 84.136.138.21   p54877614.dip.hacker.net
- Local Host: 124.333.183.162 pooroljoe.dhcp.org.com
-
-Alarm(s) 1 MS-SQL xp_cmdshell - program execution
-           Jul 29 12:43 84.135.118.20 -> 128.3.183.62
-         2 TFTP Get Runtime.exe
-           Jul 29 12:43 128.3.183.62 -> 84.135.118.20
-
-Connections (only first 25 after alarm are listed)
------------
-                 time      byte   remote       local    byte
- date   time   duration  transfer  port  type   port  transfer  protocol
------ -------- -------- --------- -----  ---- ------ --------- ----------
-07/29 12:43:31        ?     566 b  4634  1  >  1433      467 b  tcp/MSSQL
-07/29 12:43:31        0         ?  2318  2 <     69       20 b  udp/tftp
-07/29 12:43:32    265.7       4 b  4638  * <   2318      3.0kb  udp
-07/29 12:48:56        ?         ?  4640     >  2362          ?  tcp
-07/29 12:50:05        ?    11.4kb  4639  * <   3333      8.6kb  tcp
-07/29 12:53:00        0         ?  4684  *  >  2362          ?  tcp
-07/29 12:53:07        ?         ?  4685  *  >  2362          ?  tcp
-07/29 12:53:59        ?         ?  4689  *  >  2362          ?  tcp
-07/29 12:54:14      6.1         0  4693  * <   2380     94.2kb  tcp
-07/29 12:54:21       .5      50 b  4694     >  2381          0  tcp
-07/29 12:54:23       .7         ?  4695    <   2382          0  tcp
-07/29 12:54:25       .5      51 b  4696  *  >  2383          0  tcp
-07/29 12:54:27       .5      61 b  4697  *  >  2384          0  tcp
-07/29 12:54:28       .7      39 b  4698     >  2385          0  tcp
-07/29 12:54:31       .5      41 b  4699  *  >  2386          0  tcp
-07/29 12:54:33      1.2    4.9 kb  4700     >  2387          0  tcp
-07/29 12:54:35     12.8  195.0 kb  4701  * <   2388          0  tcp
-07/29 12:54:53       .2         ?  4703    <   2390          0  tcp
-07/29 12:54:54       .5      37 b  4704     >  2391          0  tcp
-07/29 12:54:56      3.4      23 b  4705  *  >  2392          0  tcp
-07/29 12:55:04     21.4  308.7 kb  4706     >  2393          0  tcp
-07/29 12:55:27     50.7         ?  4707     >  2394          ?  tcp
-07/29 12:59:23        ?         ?  4775     >  1433          ?  tcp
-07/29 12:59:25        ?         ?  4774  *  >  3333          ?  tcp
-
-Remote Host Connection History (all successful/unsuccessful to site)
-      24 hrs     |      3 days      |      7 days     |      30 days
--------------------------------------------------------------------------
-       14/10     |        0/0       |        0/0      |        0/0
--------------------------------------------------------------------------
-  Total since remote host first seen on 07/29/04: 14/10
-
-=========================================================================
-Scans
-=======================================================================
-==
-Date Dropped		Host			             Port Scanned
--------------------------------------------------------------------------
-Jul 29 13:14 n219077002119.netvigator.com                     (3128/tcp)
-Jul 29 13:23 node1.lbnl.nodes.planet-lab.org                  (49702/tcp)
-Jul 29 13:30 213-145-189-50.dd.nextgentel.com                 (4899/tcp)
-Jul 29 13:32 211.55.52.67                                     (1034/tcp)
-Jul 29 13:52 user-69-1-11-116.knology.net                     (3128/tcp)
-
-*************************************************************************
-@end verbatim
-@end example
diff --git a/doc/quick-start/Makefile.am b/doc/quick-start/Makefile.am
deleted file mode 100644
index 5670736a60..0000000000
--- a/doc/quick-start/Makefile.am
+++ /dev/null
@@ -1,29 +0,0 @@
-prefix = @prefix@
-bro_dir         = ${prefix}/bro
-
-EXTRA_DIST = README.txt bro.css bro-deployment.pdf \
-	bro-deployment.png Bro-installation.texi \
-	Bro-overview.texi Bro-quick-start.pdf \
-	Bro-quick-start.texi Bro-requirements.texi \
-	Bro-running.texi Bro-quick-start
-
-clean-local: doc-clean
-
-doc: html pdf
-
-pdf: 
-	texi2dvi -s --clean --pdf Bro-quick-start.texi
-
-html:
-	@rm -rf Bro-quick-start
-	makeinfo --css-include=bro.css  --html Bro-quick-start.texi
-	@cp *.png Bro-quick-start
-
-doc-clean:
-	@echo "cleaning Quick Start Guide"
-	@rm -f *.log Bro-quick-start/*
-
-doc-distclean: clean
-	@rm Makefile
-
-
diff --git a/doc/quick-start/README.txt b/doc/quick-start/README.txt
deleted file mode 100644
index bf5d55c0b7..0000000000
--- a/doc/quick-start/README.txt
+++ /dev/null
@@ -1,8 +0,0 @@
-
-to generate html:
-  makeinfo --css-include=bro.css --html Bro-quick-start.texi
-
-to generate PDF:
-
- texi2dvi --clean --pdf Bro-quick-start.texi
-
diff --git a/doc/quick-start/bro-deployment.pdf b/doc/quick-start/bro-deployment.pdf
deleted file mode 100644
index 20b4432d09..0000000000
Binary files a/doc/quick-start/bro-deployment.pdf and /dev/null differ
diff --git a/doc/quick-start/bro-deployment.png b/doc/quick-start/bro-deployment.png
deleted file mode 100644
index 6c4568c042..0000000000
Binary files a/doc/quick-start/bro-deployment.png and /dev/null differ
diff --git a/doc/quick-start/bro.css b/doc/quick-start/bro.css
deleted file mode 100644
index 0bebab8e63..0000000000
--- a/doc/quick-start/bro.css
+++ /dev/null
@@ -1,43 +0,0 @@
-/* 
- * Custom nllite stylesheet
- */
-body {  
-  font-family: Verdana, Arial, serif;
-}
-H1 {  
-  color: #339933;
-}
-A:link, A:active, A:visited, A:hover { 
-  color: #3333ff;
-  text-decoration: none; 
-}
-A:hover {
-  border-bottom: 1px dotted red;
-  color: red;
-  text-decoration: none;
-}
-ul.menu { 
-  list-style-type: circle;
-  list-style-position: inside;
-  padding: 5px;
-  background-color: #ccffcc;
-  border: 1px dashed #333333;
-}
-hr { 
-  display: none;
-}
-div.node { 
-  font-size: 12px;
-  font-weight: bold;
-  background-color: #ccffcc;
-/*
-  line-height: 0;
-*/
-  padding: 0.5em;
-}
-table.cartouche { 
-  background-color: white;
-}
-table { 
-  border: none;
-}
diff --git a/doc/ref-manual/Bro-Ref-Manual.pdf b/doc/ref-manual/Bro-Ref-Manual.pdf
deleted file mode 100644
index bac11c462e..0000000000
Binary files a/doc/ref-manual/Bro-Ref-Manual.pdf and /dev/null differ
diff --git a/doc/ref-manual/Bro-Ref-Manual.texi b/doc/ref-manual/Bro-Ref-Manual.texi
deleted file mode 100644
index d0c1067d3a..0000000000
--- a/doc/ref-manual/Bro-Ref-Manual.texi
+++ /dev/null
@@ -1,96 +0,0 @@
-\input texinfo   @c -*-texinfo-*-
-@comment $Id: Bro-Ref-Manual.texi 958 2004-12-21 16:51:44Z tierney $
-@comment %**start of header
-@setfilename Bro-reference-manual.info
-@settitle Bro Reference Guide 
-@setcontentsaftertitlepage 
-@comment %**end of header
-
-
-@set VERSION 0.8-alpha
-@set UPDATED 6-1-2004
-
-@copying
-This the Installation and User Manual is for Bro-Lite
-(version @value{VERSION}, @value{UPDATED}).
-
-This software is copyright @copyright{} 
-1995-2004, The Regents of the University of California
-and the International Computer Science Institute.  All rights reserved.
-
-For further information about this notice, contact:
-
-Vern Paxson
-email: @email{vern@@icir.org}
-
-@end copying
-
-@dircategory Bro
-@direntry
-* Bro: Network Intrution Detection System
-@end direntry
-
-@ifnottex
-@node Top
-@top Bro Reference Manual
-@copyright{} Lawrence Berkeley National Laboratory
-@end ifnottex
-
-@titlepage
-@title Bro Reference Manual
-@subtitle for version @value{VERSION}, @value{UPDATED}
-@author Vern Paxson, Brian Tierney
-@author Contact: @email{vern@@icir.org})
-@author @uref{http://www.bro-ids.org/}
-@page
-@insertcopying
-@vskip 0pt plus 1filll
-@end titlepage
-
-@contents
-
-@ifnothtml
-@unnumbered Figures and Tables
-@listoffloats Figure
-@*
-@listoffloats Table
-@end ifnothtml
-
-@menu
-* Introduction::
-* Getting Started::
-* Values::
-* Statements and Expressions::  
-* Global and Local Variables::  
-* Predefined Variables and Functions::
-* Analyzers and Events::        
-* Signatures::        
-* Interactive Debugger::        
-* Missing Documentation::
-* References::
-* Index::
-@end menu
-
-@include intro.texi
-@include started.texi
-@include values.texi
-@include stmts.texi
-@include vars.texi
-@include predefined.texi
-@include analysis.texi
-@include signatures.texi
-@include debugger.texi
-@include todo.texi
-@include references.texi
-
-@node Index
-@unnumbered Index
-@printindex cp
-Variable Index
-@printindex vr
-Function Index
-@printindex fn
-
-@contents
-@bye
-
diff --git a/doc/ref-manual/Makefile.am b/doc/ref-manual/Makefile.am
deleted file mode 100644
index 31c7e87751..0000000000
--- a/doc/ref-manual/Makefile.am
+++ /dev/null
@@ -1,27 +0,0 @@
-
-prefix = @prefix@
-bro_dir         = ${prefix}/bro
-
-EXTRA_DIST = README.txt bro.css Bro-Ref-Manual.texi \
-	analysis.texi debugger.texi intro.texi \
-	predefined.texi references.texi signatures.texi \
-	started.texi stmts.texi todo.texi values.texi \
-	vars.texi Bro-reference-manual
-
-clean-local: doc-clean
-
-doc: html pdf
-pdf: 
-	texi2dvi -s --clean --pdf Bro-Ref-Manual.texi
-
-html:
-	@rm -rf $(prefix)/Bro-reference-manual
-	makeinfo --css-include=bro.css --html Bro-Ref-Manual.texi
-
-doc-clean:
-	@echo "cleaning  Reference Manual"
-	@rm -f *.log Bro-reference-manual/*
-
-doc-distclean: clean
-	@rm Makefile
-
diff --git a/doc/ref-manual/README.txt b/doc/ref-manual/README.txt
deleted file mode 100644
index 8dfeda876c..0000000000
--- a/doc/ref-manual/README.txt
+++ /dev/null
@@ -1,8 +0,0 @@
-
-to generate html:
-  makeinfo --css-include=bro.css  --html Bro-Ref-Manual.texi
-
-to generate PDF:
-
- texi2dvi --clean --pdf Bro-Ref-Manual.texi
-
diff --git a/doc/ref-manual/analysis.texi b/doc/ref-manual/analysis.texi
deleted file mode 100644
index af3f837588..0000000000
--- a/doc/ref-manual/analysis.texi
+++ /dev/null
@@ -1,6110 +0,0 @@
-
-@node Analyzers and Events
-@chapter Analyzers and Events
-
-@cindex analyzers
-@cindex scripts, standard
-@cindex standard scripts
-In this chapter we detail the different analyzers that Bro provides.
-Some analyzers look at traffic in fairly generic terms, such as at
-the level of TCP or UDP connections.  Others delve into the specifics
-of a particular application that is carried on top of TCP or UDP.
-
-As we use the term here, @emph{analyzer} primarily refers to Bro's event
-engine.  We use the term @emph{script} to refer to a set of event handlers
-(and related functions and variables) written in the Bro language;
-@emph{module} to refer to a script that serves primarily to provide utility
-(helper) functions and variables, rather than event handlers; and
-@emph{handler} to denote an event handler written in the Bro language.
-Furthermore, the @emph{standard script} is the
-script that comes with the Bro distribution for handling the events
-generated by a particular analyzer.
-
-Note: However, we also sometimes use @emph{analyzer} to refer to the event
-handler that processes events generated by the event engine. 
-
-We characterize the analyzers in terms of @emph{what} events they
-generate, but don't here go into the details of @emph{how} they
-generate the events (i.e., the nitty gritty C++ implementations of
-the analyzers).
-
-@menu
-* Activating an Analyzer::	
-* Module Facility::	
-* General Processing Events::	
-* Generic Connection Analysis::	 
-* Site-specific information::	
-* hot Analyzer::		
-* scan Analyzer::		
-* port-name Analysis Script::		
-* brolite Analysis Script::			
-* alarm Analysis Script::			
-* active Analysis Script::		
-* demux Analysis Script::		
-* dns Analysis Script::			
-* finger Analyzer::		
-* frag Analysis Script::			
-* hot-ids Analysis Script::		
-* ftp Analyzer::		
-* http Analyzer::		
-* ident Analyzer::		
-* irc Analyzer::
-* login Analyzer::		
-* pop3 Analyzer::		
-* portmapper Analyzer::		
-* analy Analyzer::		
-* signature Analysis Script::		
-* SSL Analyzer::		
-* weird Analysis Script::		
-* icmp Analyzer::		
-* stepping Analyzer::		
-* ssh-stepping Analysis Script::		
-* backdoor Analyzer::		
-* interconn Analyzer::		
-@end menu
-
-@node Activating an Analyzer,
-@section Activating an Analyzer
-
-@cindex analyzers, activating
-@cindex analyzers, instantiating
-@cindex performance, analysis tradeoffs
-In general, Bro will only do the work associated with a particular
-analyzer if your policy script defines one or more event handlers
-associated with the analyzer.  For example, Bro will
-instantiate an FTP analyzer only if your script defines an
-@code{ftp_request} or @code{ftp_reply} handler.  If it doesn't, then
-when a new FTP connection begins, Bro will only instantiate a
-generic TCP analyzer for it.  This is an important point, because
-some analyzers can require Bro to capture a large volume of
-traffic (See @ref{Filtering}) and perform a lot of computation;
-therefore, you need to have a way to trade off between the type
-of analysis you do and the performance requirements it entails,
-so you can strike the best balance for your particular monitoring needs.
-
-@emph{Deficiency: While Bro attempts to instantiate an analyzer if you define a handler for any of the events the analyzer generates, its method for doing so is incomplete: if you only define an analyzer's less mainstream handlers, Bro may fail to instantiate the analyzer.}
-
-@menu
-* Loading Analyzers::		
-* Filtering::			
-@end menu
-
-@node Loading Analyzers,
-@subsection Loading Analyzers
-
-@cindex analyzers,loading
-The simplest way to use an analyzer is to @code{@@load} the standard script
-associated with the analyzer.  (See @ref{load directive} for a discussion
-of @code{@@load}).  However, there's nothing magic about these scripts; you can
-freely modify or write your own.  The only caveat is that some scripts
-@code{@@load} other scripts, so the original version may wind up being loaded
-even though you've also written your own version.
-@emph{Deficiency: It would be useful to have a mechanism to fully override one script with another.}
-
-In this chapter we discuss each of the standard scripts
-as we discuss their associated analyzers.
-
-@node Filtering,
-@subsection Filtering
-
-@cindex filters
-@cindex analyzers, filtering
-@cindex performance, filtering
-Most analyzers require Bro to capture a particular type of network traffic.
-These traffic flows can vary immensely in volume, so different analyzers
-can cost greatly differing amounts in terms of performance.
-Bro declares two redefinable tables in @code{pcap.bro}
-that have special interpretations with regard to filtering:
-
-@example
-    global capture_filters: table[string] of string &redef;
-    global restrict_filters: table[string] of string &redef;
-@end example
-
-The key strings serve as a user-definable identifier for the filter
-strings they are associated with.  The entries of the @code{capture_filters}
-table define what traffic Bro @emph{should} capture, while @code{restrict_filters}'
-entries @emph{limit} what traffic Bro captures. Bro builds the following @code{tcpdump}
-filter from both tables:
-@quotation
-(@emph{OR of capture_filters' entries}) and (@emph{AND of restrict_filters' entries})
-@end quotation
-
-@cindex restricting traffic
-@cindex traffic, restricting
-@cindex excluding hosts
-@cindex hosts, excluding
-Thus, repeated @ref{Refinement}s of @code{capture_filters} using the @code{+=} initializer
-are combined using logical ``OR''s, whereas for @code{restrict_filters} ``AND''s are
-used.  This follows from the tables' respective purposes---@code{capture_filters}
-permits @emph{any} of its components, while @code{restrict_filters} rejects
-everything that does not comply with @emph{all} of its components.
-
-@cindex filtering, default
-@cindex default, filtering
-If you do not define @code{capture_filters}, then its value
-is set to ``@code{tcp or udp}'';
-if you do not define @code{restrict_filters}, then no restriction is
-in effect.
-
-Here is an example. If you specify:
-@example
-    redef capture_filters = @{ ["HTTP"] = "port http" @};
-    redef restrict_filter = @{ ["mynet"] = "net 128.3" @};
-@end example
-
-then the corresponding @code{tcpdump} filter will be:
-@example
-    (port http) and (net 128.3)
-@end example
-
-which will capture only the TCP port 80 traffic that has either a source
-or destination address belonging to the @code{128.3} network (i.e.,
-@code{128.3/16}). A more complex example:
-
-@example
-    redef capture_filters += @{ ["DNS"] = "udp port 53" @};
-    redef capture_filters += @{ ["FTP"] = "port ftp" @};
-
-    redef restrict_filters += @{ ["foonet"] = "net 128.3" @};
-    redef restrict_filters += @{ ["noflood"] = "not host syn-flood.magnet.com" @};
-@end example
-
-yields this @code{tcpdump} filter:
-
-@example
-    ((udp port 53) or (port ftp)) and ((net 128.3) and (not host syn-flood.magnet.com))
-@end example
-
-@cindex filters, displaying
-As you add analyzers, the final @code{tcpdump} filter can become quite
-complicated.  You can load the predefined @code{print-filter} script
-to print out the resulting filter.
-This script handles the @code{bro_init} event and exits Bro after printing
-the filter.  Its intended use is that you can add it to the Bro command
-line (``@code{bro @emph{my-own-script} print-filter}'') when you want to
-see what filter the script @emph{my-own-script} winds up using.
-
-@cindex debugging,filtering problems
-@cindex filters,errors
-@cindex tcpdump,bugs
-@cindex bugs,tcpdump
-
-There are two particular uses for @code{print-filter}.  The first is to debug
-filtering problems.  Unfortunately, Bro sometimes
-uses sufficiently complicated expressions that they tickle bugs in
-@code{tcpdump}'s optimizer.  You can take the filter printed out for
-your script and try running it through @code{tcpdump} by hand, and
-then also try using @code{tcpdump}'s
-@code{-O} option to see if turning
-off the optimizer fixes the problem.
-@cindex shadowing
-The second use is to provide a @emph{shadow} backup to Bro: that is,
-a version of @code{tcpdump}
-running either on the same machine or a
-separate machine that uses the same network filter as Bro.  While
-@code{tcpdump} can't perform any analysis of the traffic, the shadow
-guards against the possibility of Bro crashing, because if it does,
-you will still have a record of the subsequent network traffic which
-you can run through Bro for post-analysis.
-
-@cindex filters
-@cindex analyzers, filtering
-
-@node Module Facility
-@section Module Facility
-
-The module facility implements namespaces. Everything is in some namespace
-or other. The default namespace is called "GLOBAL" and is searched by
-default when doing name resolution. The scoping operator is "::" as in
-C++. You can only access things in the current namespace, things in the
-GLOBAL namespace, or things that have been explicitly exported from a
-different namespace. Exported variables and functions still require
-fully-qualified names. The syntax is as follows:
-
-@verbatim
-module foo;  # Sets the current namespace to "foo"
-  export {
-    int i;
-    int j;
-  }
-  int k;
-
-module bar;
-  int i;
-
-  foo::i = 1;
-  bar::i = 2;
-  print i;    # bar::i (since we're currently in module bar)
-  j = 3;      # ERROR: j is exported, but the fully qualified name
-              #        foo::j is required
-  foo::k = 4; # ERROR: k is not exported
-
-@end verbatim
-
-The same goes for calling functions.
-
-One restriction currently in place is that variables not in the "GLOBAL"
-namespace can't shadow those in GLOBAL, so you can't have:
-
-@example
-    module GLOBAL;
-    global i: int;
-
-    module other_module;
-    global i: int;
-@end example
-
-It is a little confusing that the "global" declaration really only means
-that the variable i is global to the current module, not that it is truly
-global and thus visible everywhere (that would require that it be in
-GLOBAL, or if using the full name is okay, that it be exported).  Perhaps
-there will be a change to the syntax in the future to address this.
-
-The "module" statement cuts across @@load commands, so that if you say:
-
-@example
-    module foo;
-    @@load other_script;
-@end example
-
-then other_script will be in module foo. Likewise if other_script changes
-to module bar, then the current module will be module bar even after
-other_script is done.  However, this functionality may change in the future
-if it proves problematic.
-
-The policy scripts in the Bro distribution have not yet been updated to
-use it, but there is a backward-compatibility feature so that existing
-scripts should work without modification. In particular, everything is
-put in GLOBAL by default.
-
-
-@node General Processing Events,
-@section General Processing Events
-
-@cindex general Bro processing events
-@cindex events, general Bro processing
-Bro provides the following events relating to its overall processing:
-
-@table @samp
-@cindex initialization event
-@cindex startup, event
-@cindex events, initialization
-@cindex events, startup
-@item @code{bro_init ()} 
-is generated when Bro first starts up.  In particular, after Bro has initialized
-the network (or initialized to read from a save file) and executed any
-initializations and global statements, and just before
-Bro begins to read packets from the network input source(s).
-
-@cindex termination event
-@cindex finish event
-@cindex network cleanup event
-@cindex events, termination
-@cindex events, finish
-
-@item @code{net_done (t: time)}
-generated when Bro has finished reading from the network,
-due to either having exhausted reading the save file(s), or having
-received a terminating signal (See @ref{General Processing Events}).  @emph{Deficiency: This event is generated on a terminating signal even if Bro is not reading network traffic. }  @code{t} gives the time at which network processing
-finished.
-
-This event is generated @emph{before} @code{bro_done}.  Note: If Bro
-terminates due to an invocation of @code{exit}, then this event is
-@emph{not} generated. 
-
-@cindex termination event
-@cindex finish event
-@cindex cleanup event
-@cindex events, termination
-@cindex events, finish
-
-@item @code{bro_done ()}
-generated when Bro is about to terminate, either due to having exhausted
-reading the save file(s), receiving a terminating signal
-(See @ref{General Processing Events}), or because Bro was run without the network input
-source and has finished executing any global statements .
-
-This event is generated @emph{after} @code{net_done}.  If you have cleanup
-that only needs to be done when processing network traffic, it likely is
-better done using @code{net_done}.  Note: If Bro terminates due to an
-invocation of @code{exit}, then this event is @emph{not} generated.  
-
-@cindex signal handling
-@cindex handling signals
-@cindex SIGTERM
- 
-@cindex TERM
-@cindex SIGINT
- 
-@cindex SIGHUP
- 
-@item @code{bro_signal (signal: count)}
-generated when Bro receives a signal.  Currently, the signals Bro
-handles are @emph{SIGTERM}, @emph{SIGINT}, and @emph{SIGHUP}.
-
-Receiving either of the first two terminates Bro, though if Bro is in the
-middle of processing a set of events, it first finishes with them before
-shutting down.  The shutdown leads to invocations of @code{net_done}
-and @code{bro_done}, in that order.  @emph{Deficiency: In this case, Bro fails to invoke @code{bro_signal}, clearly a bug. }
-
-Upon receiving @emph{SIGHUP}, Bro invokes @code{flush_all}  (in addition
-to your handler, if any).
-
-@cindex network statistics
-@cindex packets, drops
-@item @code{net_stats_update (t: time, ns: net_stats)}
-This event includes two arguments, @code{t}, the @code{time} at which
-the event was generated, and @code{ns}, a @code{net_stats} record,
-as defined in the example below.
-Regarding this second parameter,
-the @code{pkts_recvd} field gives the total number of packets accepted
-by the packet filter so far during this execution of Bro; @code{pkts_dropped}
-gives the total number of packets reported @emph{dropped} by the kernel;
-and @code{interface_drops} gives the total number of packets reported
-by the kernel as having been dropped by the network interface.
-
-Note: An important consideration is that, as shown by experience, the
-kernel's reporting of these statistics is not always accurate.
-In particular, the @code{$pkts_dropped}
-statistic is sometimes missing actual packet drops, and some operating
-systems do not support the @code{interface_drops} statistic at all.
-See the @code{ack_above_hole} event for an alternate
-way to detect if packets are being dropped.
-
-@end table
-
-@example
-type net_stats: record @{
-    # All counts are cumulative.
-    pkts_recvd: count;       # Number of packets received so far.
-    pkts_dropped: count;     # Number of packets *reported* dropped.
-    interface_drops: count;  # Number of drops reported by interface(s).
-@};
-@end example
-
-@node Generic Connection Analysis,
-@section Generic Connection Analysis
-
-@cindex analyzers, generic
-@cindex connection, analysis
-@cindex connection, generic analysis
-@cindex generic connection analysis
-The @code{conn} analyzer performs generic connection analysis:
-connection start time, duration, sizes, hosts, and the like.  You don't
-in general load @code{analyzer} directly, but instead do so implicitly
-by loading the  @code{tcp}, @code{udp}, or @code{icmp} 
-analyzers.
-Consequently, @code{analyzer} doesn't configure @code{capture_filters}
-by itself, but instead uses whatever is set up by these more specific
-analyzers.
-
-@code{conn} analyzes a number of events related to connections beginning
-or ending.  We first describe the @code{connection} record data type that
-keeps track of the state associated with each connection (See @ref{connection record}),
-and then we detail the events in @ref{Generic TCP connection events}.  The main output of its
-analysis are one-line connection summaries, which we describe in
-@ref{Connection summaries}, and in @ref{Connection functions} we give an overview
-of the different callable functions provided by @code{conn}.
-
-@code{conn} also loads three other Bro modules: the @code{hot}
-and @code{scan} analyzers, and the @code{port_name} utility
-module.
-
-@menu
-* connection record::		
-* Definitions of connections::	
-* Generic TCP connection events::  
-* tcp analyzer::		
-* udp analyzer::		
-* Connection summaries::	
-* Connection functions::	
-@end menu
-
-@node connection record,
-@subsection The @code{connection} record
-
-@cindex record, connection
-@cindex connection record
-
-@example
-type conn_id: record @{
-    orig_h: addr;  # Address of originating host.
-    orig_p: port;  # Port used by originator.
-    resp_h: addr;  # Address of responding host.
-    resp_p: port;  # Port used by responder.
-@};
-
-type endpoint: record @{
-    size: count;  # Bytes sent by this endpoint so far.
-    state: count; # The endpoint's current state.
-@};
-
-type connection: record @{
-    id: conn_id;        # Originator/responder addresses/ports.
-    orig: endpoint;     # Endpoint info for originator.
-    resp: endpoint;     # Endpoint info for responder.
-    start_time: time;   # When the connection began.
-    duration: interval; # How long it was active (or has been so far).
-    service: string;    # The service we associate with it (e.g., "http").
-    addl: string;       # Additional information associated with it.
-    hot: count;         # How many times we've marked it as sensitive.
-@};
-@end example
-
-@cindex connection, addresses
-@cindex connection, initiator
-@cindex connection, originator
-A connection record record holds the state associated with a connection,
-as shown in the example above.
-Its first field, @emph{id}, is
-defined in terms of the conn_id record, which has the
-following fields:
-
-@table @samp
-
-@item @code{orig_h}
-The IP address of the host that originated (initiated) the connection.
-In ``client/server'' terminology, this is the ``client.''
-
-@cindex connection, ports
-@item @code{orig_p}
-The TCP or UDP port used by the connection originator (client).  For
-ICMP ``connections'', it is set to 0 @ref{icmp Analyzer}.
-
-@cindex connection, addresses
-@cindex connection, initiator
-@cindex connection, originator
-@item @code{resp_h}
-The IP address of the host that responded (received) the connection.
-In ``client/server'' terminology, this is the ``server.''
-
-@cindex connection, ports
-@item @code{resp_p}
-The TCP or UDP port used by the connection responder (server).  For
-ICMP ``connections'', it is set to 0 @ref{icmp Analyzer}.
-
-@end table
-
-The @code{orig} and @code{resp} fields of a @code{connection}
-record both hold @code{endpoint} record values, which consist
-of the following fields:
-
-@table @samp
-@cindex connection, bytes
-@cindex connection, size
-@item @code{size}
-How many bytes the given endpoint has transmitted so far.  Note that
-for some types of filtering, the size will be zero until the connection
-terminates, because the nature of the filtering is to discard the
-connection's intermediary packets and only capture its start/stop packets.
-
-@cindex connection, state
-@item @code{state}
-The current state the endpoint is in with respect to the connection.
-The table below defines the different possible states
-for TCP and UDP connections.
-@emph{Deficiency:The states are currently defined as @code{count}, but should instead be an enumerated type; but Bro does not yet support enumerated types.}
-
-Note: UDP ``connections'' do not have a well-defined structure, so
-the states for them are quite simplistic.  See @ref{Definitions of connections} for
-further discussion. 
-
-@end table
-
-The remaining fields in a @code{connection}
-record are:
-
-@table @samp
-@cindex connection, start time
-@cindex beginning time of a connection
-@cindex start time of a connection
-@item @code{start_time}
-The time at which the first packet associated with this connection was seen.
-
-@cindex connection, duration
-@cindex duration of a connection
-@item @code{duration }
-How long the connection lasted, or, if it is still active, how long since
-it began.
-
-@cindex connection, service
-@cindex service associated with a connection
-
-@item @code{service}
-The name of the service associated with the connection.  For example,
-if @code{$id$resp_p} is @code{tcp/80}, then the service will be
-@code{"http"}.  Usually, this mapping is provided by the global variable, perhaps via the @code{endpoint_id} function; but
-the service does not always directly correspond to
-@code{$id$resp_p}, which is why it's a separate field.  In particular,
-an FTP data connection can have a @code{service} of @code{"ftp-data"}
-even though its @code{$id$resp_p} is something other than @code{tcp/20}
-(which is not consistently used by FTP servers).
-
-If the name of the service has not yet been determined, then this field
-is set to an empty string.
-
-@cindex connection, additional information
-@cindex information associated with a connection
-@cindex additional information associated with a connection
-
-@item @code{addl}
-Additional information associated with the connection.  For example,
-for a @emph{login} connection, this is the username associated with
-the login.
-
-@emph{Deficiency: A significant deficiency associated with the @code{addl} field is that it is simply a @code{string} without any further structure. In practice, this has proven too restrictive.  For example, we may well want to associate an unambiguous username with a login session, and also keep track of the names associated with failed login attempts.  (See the @code{login} analyzer for an example of how this is implemented presently.)  What's needed is a notion of @code{union} types which can then take on a variety of values in a type-safe manner. }
-
-If no additional information is yet associated with this connection,
-then this field is set to an empty string.
-
-@cindex connection, hot
-@cindex connection, sensitivity
-@cindex sensitivity associated with a connection
-
-@item @code{hot}
-How many times this connection has been marked as potentially sensitive
-or reflecting a break-in.  The default value of 0 means that so far the
-connection has not been regarded as ``hot''.
-
-Note: Bro does not presently make fine-grained use of this field; the
-standard scripts alarm on connections with a non-zero @code{hot} field,
-and do not in general alarm on those that do not, though there are exceptions.
-In particular, the @code{hot} field is @emph{not} rigorously maintained
-as an indicator of trouble; it instead is used loosely as an indicator
-of particular types of trouble (access to sensitive hosts or usernames).
-
-@end table
-
-@node Definitions of connections,
-@subsection Definitions of connections
-
-@cindex connection, definitions
-
-@cindex TCP, connections
-@cindex connection, TCP
-@cindex tcp_inactivity_timeout
-Connections
-for TCP are well-defined, because establishing and terminating a connection
-plays a central part of the TCP protocol. Beyond those, Bro enforces a hard
-connection timeout after the period of time specified through the
-@code{tcp_inactivity_timeout} variable, defined in bro.init.
-
-@cindex UDP, connections``connections''
-
-@cindex connection, UDP
-@cindex UDP, timeout
-@cindex udp_inactivity_timeout
-For UDP, a connection begins when host @emph{A} sends
-a packet to host @emph{B} for the first time, @emph{B} never having sent anything
-to @emph{A}.  This transmission is termed a @emph{request}, even if in fact
-the application protocol being used is not based on requests and replies.
-If @emph{B} sends a packet back, then that packet is termed a @emph{reply}.
-Each packet @emph{A} or @emph{B} sends is another request or reply.
-UDP connection timeouts are specified through the @code{udp_inactivity_timeout}
-variable, defined in bro.init.
-
-@cindex ICMP, connections
-@cindex connection, ICMP
-@cindex ICMP, timeout
-@cindex icmp_inactivity_timeout
-For ICMP, Bro likewise creates a connection the first time it sees
-an ICMP packet from @emph{A} to @emph{B}, even if @emph{B} previously sent a packet
-to @emph{A}, because that earlier packet would have been for a different
-@emph{transport} connection than the ICMP itself---the ICMP will likely
-@emph{refer} to that connection, but it itself is not part of
-the connection.  For simplicity, this holds even for ICMP ECHOs and
-ECHO_REPLYs; if you want to pair them up, you need to do so explicitly
-in the policy script.
-ICMP connection timeouts are specified through the @code{icmp_inactivity_timeout}
-variable, defined in bro.init.
-
-@node Generic TCP connection events,
-@subsection Generic TCP connection events
-
-@cindex events, generic TCP connection
-@cindex connection, events
-
-@cindex TCP, events
-@cindex TCP-specific connection events
-@cindex connection events, TCP-specific
-There are a number of generic events associated with TCP connections,
-all of which have a single @code{connection} record as their argument:
-
-@table @samp
-@cindex connection, new
-@cindex new connection
-@item @code{new_connection}
-Generated whenever state for a new (TCP) connection is instantiated.
-
-Note: Handling this event is potentially expensive.  For example,
-during a SYN flooding attack, every spoofed SYN packet will lead to
-a new @code{new_connection} event.
-
-@cindex connection, establishment
-@cindex established connections
-@item @code{connection_established}
-Generated when a connection has become established, i.e., both participating
-endpoints have agreed to open the connection.
-
-@cindex connection, attempt
-@cindex attempted connections
-@item @code{connection_attempt}
-Generated when the originator (client) has unsuccessfully attempted to
-establish a connection.  ``Unsuccessful'' is defined as at least
-@code{ATTEMPT_INTERVAL} seconds having elapsed since the client first
-sent a connection establishment packet to the responder (server),
-where @code{ATTEMPT_INTERVAL} is an internal Bro variable which is
-presently set to 300 seconds.
-@emph{Deficiency:This variable should be user-settable.}  If you want to
-@emph{immediately} detect that a client is attempting to connect to
-a server, regardless of whether it may soon succeed, then you want
-to handle the @code{new_connection} event instead.
-
-Note: Handling this event is potentially expensive.  For example,
-during a SYN flooding attack, every spoofed SYN packet will lead to
-a new @code{connection_attempt} event, albeit delayed by
-@code{ATTEMPT_INTERVAL.} 
-
-@cindex crud
-@cindex scanning, stealth
-@cindex stealth scans
-@cindex connection, partial
-@cindex partial connections
-
-@item @code{partial_connection}
-Generated when both connection endpoints enter the @code{TCP_PARTIAL} state
-This means that we have seen traffic generated by each endpoint, but
-the activity did not begin with the usual connection establishment.
-@emph{Deficiency:For completeness, Bro's event engine should generate another form of @code{partial_connection} event when a single endpoint becomes active (see @code{new_connection} below).  This hasn't been implemented because our experience is network traffic often contains a great deal of ``crud'', which would lead to a large number of these really-partial events.  However, by not providing the event handler, we miss an opportunity to detect certain forms of stealth scans until they begin to elicit some form of reply.}
-
-
-@float Table, Connection States
-@multitable  @columnfractions .25 .6
-@item @strong{State} @tab @strong{Meaning}
-@item @code{TCP_INACTIVE}
-@tab The endpoint has not sent any traffic.
-@item @code{TCP_SYN_SENT}
-@tab It has sent a SYN to initiated a connection.
-@item @code{TCP_SYN_ACK_SENT}
-@tab  It has sent a SYN ACK to respond to a connection request.
-@item @code{TCP_PARTIAL}
-@tab The endpoint has been active, but we did not see the beginning of the connection.
-@item @code{TCP_ESTABLISHED}
-@tab The two endpoints have established a connection.
-@item @code{TCP_CLOSED}
-@tab The endpoint has sent a FIN in order to close its end of the connection.
-@item @code{TCP_RESET}
-@tab The endpoint has sent a RST to abruptly terminate the connection.
-@item @code{UDP_INACTIVE}
-@tab The endpoint has not sent any traffic.
-@item @code{UDP_ACTIVE}
-@tab The endpoint has sent some traffic.
-@end multitable
-@caption{TCP and UDP connection states, as stored in an @code{endpoint} record}
-@end float
-
-@*
-
-
-@cindex connection, finished
-@cindex completed connections
-
-@item @code{connection_finished}
-Generated when a connection has gracefully closed.
-
-@cindex connection, rejected
-@cindex rejected connections
-
-@item @code{connection_rejected}
-Generated when a server rejects a connection attempt by a client.
-
-@cindex TCP Wrappers, reset vs. rejected connections
-Note: This event is only generated as the client attempts to establish
-a connection.  If the server instead accepts the connection and then
-later aborts it, a @code{connection_reset} event is generated (see below).
-This can happen, for example, due to use of TCP Wrappers.
-
-Note: Per the discussion above, a client attempting to connect to a server
-will result in @emph{one} of @code{connection_attempt},
-@code{connection_established}, or @code{connection_rejected}; they are
-mutually exclusive.
-
-@cindex connection, completion
-@cindex connection, half finished
-@cindex half-finished connections
-@item @code{connection_half_finished }
-Generated when Bro sees one endpoint of a connection attempt to gracefully
-close the connection, but the other endpoint is in the @code{TCP_INACTIVE}
-state.  This can happen due to @emph{split routing},
-in which Bro only sees one side of a connection.
-
-@cindex connection, reset
-@cindex reset connections
-@item @code{connection_reset}
-Generated when one endpoint of an established
-connection terminates the connection
-abruptly by sending a TCP RST packet.
-
-@cindex connection, partial close
-@cindex partially closed connections
-@item @code{connection_partial_close }
-Generated when a previously inactive endpoint attempts to close a connection
-via a normal FIN handshake or an abort RST sequence.  When it sends one
-of these packets, Bro waits @code{PARTIAL_CLOSE_INTERVAL} (an
-internal Bro variable set to 10 seconds) prior to generating the event,
-to give the other endpoint a chance to close the connection normally.
-
-@cindex connection, pending
-@cindex pending connections
-@item @code{connection_pending}
-Generated for each still-open connection when Bro terminates.
-
-@end table
-
-@node tcp analyzer,
-@subsection The @code{tcp} analyzer
-
-@cindex TCP, analysis
-@cindex SYN control packet
-@cindex FIN control packet
-@cindex RST control packet
-@cindex TCP control packets (SYN/FIN/RST)
-@cindex control packets (SYN/FIN/RST)
-@cindex packets, control (SYN/FIN/RST)
-The general @code{tcp} analyzer lets you specify that you're interested in
-generic connection analysis for TCP.  It
-simply @code{@@load}'s @code{conn} and adds the following
-to :
-@example
-    tcp[13] & 0x7 != 0
-@end example
-
-which instructs Bro to capture all TCP SYN, FIN and RST packets;
-that is, the control packets that delineate the beginning (SYN)
-and end (FIN) or abnormal termination (RST) of a connection.
-
-@node udp analyzer,
-@subsection The @code{udp} analyzer
-
-@cindex UDP, analysis
-The general @code{udp} analyzer lets you specify that you're interested in
-generic connection analysis for UDP.  It
-@code{@@load}'s both @code{hot} and @code{conn}, and defines two event handlers:
-
-@table @samp
-@item @code{udp_request (u: connection)}
-Invoked whenever a UDP packet is seen on the forward (request) direction of
-a UDP connection.  See @ref{Definitions of connections} for a discussion of how Bro
-defines UDP connections.
-
-The analyzer invokes @code{check_hot} with a mode of @code{CONN_ATTEMPTED}
-and then @code{record_connections} to generate a connection summary
-(necessary because Bro does not time out UDP connections, and hence
-cannot generate a connection-attempt-failed event).
-
-@item @code{udp_reply (u: connection)}
-Invoked whenever a UDP packet is seen on the reverse (reply) direction of
-a UDP connection.  See @ref{Definitions of connections} for a discussion of how Bro
-defines UDP connections.
-
-The analyzer invokes @code{check_hot} with a mode of @code{CONN_ESTABLISHED}
-and then again with a mode of @code{CONN_FINISHED} to cover the general
-case that the reply reflects that the connection was both established and
-is now complete.  Finally, it invokes  to
-generate a connection summary.
-
-@end table
-
-Note: The standard script does @emph{not} update @code{capture_filters}
-to capture UDP traffic.  Unlike for TCP, where there is a natural generic
-filter that captures only a subset of the traffic, the only natural UDP
-filter would be simply to capture all UDP traffic, and that can often be
-a huge load. 
-
-@node Connection summaries,
-@subsection Connection summaries
-@cindex connection, summaries
-
-The main output of @code{conn} is a one-line ASCII summary
-of each connection.  By tradition, these summaries are written to
-a file with the name @code{conn.tag.log}, where @emph{tag} uniquely
-identifies the Bro session generating the logs.  
-
-The summaries are produced by the @code{record_connection} function,
-and have the following format:
-
-@quotation
-@code{ <@emph{start}> <@emph{duration}> <@emph{local IP}> <@emph{remote IP}> 
-<@emph{service}> <@emph{local port}> <@emph{remote port}> 
-<@emph{protocol}> <@emph{org bytes sent}>, <@emph{res bytes sent}> 
-<@emph{state}> <@emph{flags}> <@emph{tag}>}
-@end quotation
-
-@cindex connection, start time
-@cindex beginning time of a connection
-@cindex start time of a connection
-@table @samp
-@item @emph{start}
-corresponds to the connection's start time, as defined by @code{start_time}.  
-@cindex connection, duration
-@cindex duration of a connection 
-@item @emph{duration}
-gives the connection's duration, as defined by @code{duration}.
-@cindex connection, hosts
-@cindex hosts, in a connection
-@cindex connection, addresses
-@cindex addresses, in a connection
-@item @emph{local IP}, @emph{remote IP}
-correspond to the @emph{local} and @emph{remote} addresses
-that participated in the connection, respectively.  The notion of which
-addresses are local is controlled by the 
-global variable @code{local_nets}, which has a default value of empty.  If
-@code{local_nets} has @emph{not} been redefined, then @emph{local IP} is the
-connection @emph{responder} and @emph{remote IP} is the connection @emph{originator}.
-@cindex service associated with a connection
-@item @emph{service}
-is the connection's service, as defined by @code{service}.
-@cindex ports associated with a connection
-@item @emph{local port}, @emph{remote port} 
-are the ports used by the connection.
-@cindex connection, size
-@cindex connection, bytes
-@cindex size of connection
-@cindex bytes in connection
-@item @emph{org bytes sent} @emph{res bytes sent}
-give the number of bytes sent by the @emph{originator}
-and @emph{responder}, respectively.  These correspond to the @code{size}
-fields of the corresponding @code{endpoint} records.
-@cindex connection, state
-@cindex state of connection
-@item @emph{state}
-reflects the state of the connection at the time
-the summary was written (which is usually either when the connection
-terminated, or when Bro terminated).  The different states are summarized
-in the table below.
-@quotation
-@float Table, Connection State Summaries
-@multitable  @columnfractions .15 .6
-@item @strong{Name} @tab @strong{Meaning}
-@item @code{S0}
-@tab Connection attempt seen, no reply.
-@item @code{S1}
-@tab Connection established, not terminated.
-@item @code{SF}
-@tab Normal establishment and termination. Note that this is the
-same symbol as for state S1. You can tell the two apart because
-for S1 there will not be any byte counts in the summary, while
-for SF there will be.
-@item @code{REJ}
-@tab Connection attempt rejected.
-@item @code{S2} 
-@tab Connection established and close attempt by originator seen
-(but no reply from responder).
-@item @code{S3} 
-@tab Connection established and close attempt by responder seen
-(but no reply from originator).
-@item @code{RSTO}
-@tab Connection established, originator aborted (sent a RST).
-@item @code{RSTR}
-@tab Established, responder aborted.
-@item @code{RSTOS0} 
-@tab Originator sent a SYN followed by a RST, we never saw a SYN
-ACK from the responder.
-@item @code{RSTRH}
-@tab Responder sent a SYN ACK followed by a RST, we never saw
-a SYN from the (purported) originator.
-@item @code{SH}
-@tab Originator sent a SYN followed by a FIN, we never saw a
-SYN ACK from the responder (hence the connection was "half" open).
-@item @code{SHR} 
-@tab Responder sent a SYN ACK followed by a FIN, we never saw
-a SYN from the originator.
-@item @code{OTH}
-@tab No SYN seen, just midstream traffic (a "partial connection" that
-was not later closed).
-@end multitable
-@caption{Summaries of connection states, as reported in @code{conn.log} files}
-@end float
-@end quotation
-
-The ASCII @code{Name} given in the Table is
-what appears in the @code{conn.tag.log} log file; it is returned by the @code{conn_state}
-function.  The @code{Symbol} is used when generating human-readable versions
-of the file---see @ref{hot-report script}.
-
-For UDP connections, the analyzer reports connections for which both
-endpoints have been active as @code{SF}; those for which just the originator
-was active as @code{S0}; those for which just the responder was active
-as @code{SHR}; and those for which neither was active as @code{OTH} (this
-latter shouldn't happen!).
-@cindex connection, flags
-@cindex flags of connection
-@item @emph{flags}
-reports a set of additional binary state associated with the connection:
-@table @samp
-@item @code{L}
-indicates that the connection was initiated @emph{locally},
-i.e., the host corresponding to @emph{@math{A_l}} initiated the connection.  If @code{L}
-is missing, then the host corresponding to @emph{@math{A_r}} initiated the connection.
-@item @code{U}
-indicates the connection involved one of the networks
-listed in the @code{neighbor_nets} variable.  The use
-of ``@code{U}'' for this indication (rather than ``@code{N}'', say) is
-historical, as for the most part is the whole notion of ``neighbor network.''
-Note that connection can have both @code{L} and @code{U} set (see next item).
-@item @code{X}
-is used to indicate that @emph{neither} the ``@code{L}''
-or ``@code{U}'' flags is associated with this connection.  
-@end table
-@cindex connection, additional information
-@cindex information associated with a connection
-@cindex additional information associated with a connection
-@item @emph{tag}
-Reference tag to log lines containing additional information associated with the
-connection in other log files, (e.g.: http.log).
-
-@end table
-
-@*
-Putting all of this together, here is an example of a @code{conn.log} connection
-summary:
-@example
-931803523.006848 54.3776 http 7320 38891 206.132.179.35 
-	128.32.162.134 RSTO X %103
-@end example
-
-The connection began at timestamp 931803523.006848 (18:18:43 hours GMT
-on July 12, 1999; see the @code{cf} utility for how to determine this)
-and lasted 54.3776 seconds.  The service was HTTP (presumably; this conclusion
-is based just on the responder's use of port @code{80/tcp}).
-The originator sent 7,320 bytes, and the responder sent 38,891 bytes.
-Because the ``@code{L}'' flag is absent, the connection was initiated by
-host 128.32.162.134, and the responding host was 206.132.179.35.  When
-the summary was written, the connection was in the ``@code{RSTO}'' state,
-i.e., after establishing the connection and transferring data, the originator 
-had terminated it with a RST (this is unfortunately common for Web clients).  The connection had neither
-the @code{L} or @code{U} flags associated with it, and there was additional
-information, summarized by the string ``@code{%103}'' (see the
-@code{http} analyzer for an explanation of this information).
-
-
-@node Connection functions,
-@subsection Connection functions
-@cindex connection, functions
-@cindex connection, functions
-We finish our discussion of generic connection analysis with a brief
-summary of the different Bro functions provided by the @code{conn} analyzer:
-
-@table @samp
-@cindex connection, size
-@cindex connection, bytes
-@cindex size of connection
-@cindex bytes in connection
-
-@item @code{conn_size e: endpoint, is_tcp: bool): string}
-returns a string giving either the number of bytes the endpoint sent
-during the given connection, or @code{"?"} if from the connection state
-this can't be determined.  The @code{is_tcp} parameter is needed
-so that the function can inspect the endpoint's state to determine
-whether the connection was closed.
-
-@cindex connection, state
-@cindex state of connection
-@item @code{conn_state (c: connection, is_tcp: bool): string}
-returns the name associated with the connection's state, as
-given in the above table.
-
-@cindex connection, service
-@cindex service associated with a connection
-@item @code{determine_service c: connection): bool}
-sets the @code{service} field of the given connection,
-using @code{port_names}.
-If you are using the @code{ftp} analyzer, then it knows about FTP
-data connections and maps them to @code{port_names[20/tcp]}, i.e.,
-@code{"ftp-data"}.
-
-@cindex connection ID
-@cindex ID of connection
-
-@item @code{full_id_string (c: connection): string}
-returns a string identifying the connection in one of the two
-following forms.  If the connection is in state @code{S0}, @code{S1},
-or @code{REJ}, then no data has been transferred,
-and the format is:
-@quotation
-@emph{@math{A_o} <state> @math{A_r}/<service> <addl>}
-@end quotation
-
-where @emph{@math{A_o}} is the IP address of the originator (@code{$id$orig_h}),
-@emph{state} is as
-given in the @strong{Symbol} column of the above table.
-@emph{@math{A_r}} is the
-IP address of the responder (@code{$id$resp_h}), @emph{service} gives
-the application service (@code{$service}) as set by @code{determine_service},
-and @emph{addl} is the contents of the @code{$addl} field (which may be
-an empty string).
-
-@cindex port, ephemeral
-@cindex ephemeral port
-Note that the ephemeral port used
-by the originator is not reported.  If you want to display it, use
-@code{id_string}.
-
-So, for example:
-@example
-    128.3.6.55 > 131.243.88.10/telnet "luser"
-@end example
-
-identifies a connection originated by @code{128.3.6.55} to @code{131.243.88.10}'s
-Telnet server, for which the additional associated information is @code{"luser"},
-the username successfully used during the authentication dialog as determined
-by the  analyzer.  From the table above we see that
-the connection must be in state @code{S1}, as that's the only state of
-@code{S0}, @code{S1}, or @code{REJ} that has a @code{>} symbol.  (We can tell
-it's @emph{not} in state @code{SF} because the format used for that state
-differs---see below.)
-
-For connections in other states, Bro has size and duration information
-available, and the format returned by @code{full_id_string} is:
-@quotation
-@emph{@math{A_o} @math{S_o}b <state> @math{A_r}/<service> @math{S_r}b @math{D_s} <addl>}
-@end quotation
-
-where @emph{@math{A_o}}, @emph{@math{A_r}}, @emph{state}, @emph{service}, and @emph{addl} are
-as before, @emph{@math{S_o}} and @emph{@math{S_r}} give the number of bytes transmitted so far
-by the originator to the responder and vice versa, and @emph{D} gives the
-duration of the connection in seconds (reported with one decimal place)
-so far.
-
-An example of this second format is:
-@example
-    128.3.6.55 63b > 131.243.88.10/telnet 391b 39.1s "luser"
-@end example
-
-which reflects the same connection as before, but now @code{128.3.6.55} has
-transmitted 63 bytes to @code{131.243.88.10}, which has transmitted 391 bytes
-in response, and the connection has been active for 39.1 seconds.  The
-``@code{>}'' indicates that the connection is in state @code{SF}.
-
-@cindex connection, ID
-@cindex ID of connection
-@item @code{id_string (id: conn_id): string}
-returns a string identifying the connection by its address/port quadruple.
-Regardless of the connection's state, the format is:
-@quotation
-@emph{@math{A_o}@code{/}@math{P_o} @code{>} @math{A_r}@code{/}@math{P_r}}
-@end quotation
-where @emph{@math{A_o}} and @emph{@math{A_r}} are the originator and responder addresses,
-respectively, and @emph{@math{P_o}} and @emph{@math{P_r}} are representations of the originator
-and responder ports as returned by the @code{port-name} module,
-i.e., either
-or a string like ``@code{http}'' for a well-known port such as @code{80/tcp}.
-
-An example:
-@example
-    128.3.6.55/2244 > 131.243.88.10/telnet
-@end example
-
-Note, @code{id_string} is implemented using a pair of calls to @code{endpoint_id}.
-
-@emph{Deficiency:It would be convenient to have a form of @code{id_string} that can incorporate a notion of directionality, for example @code{128.3.6.55/2244 < 131.243.88.10/telnet} to indicate the same connection as before, but referring specifically to the flow from responder to originator in that connection (indicated by using ``@code{<}'' instead of ``@code{>}'').}
-
-@cindex connection, hot
-@cindex connection, logging
-@cindex logging, connection
-@item @code{log_hot_conn (c: connection)}
-logs a real-time SensitiveConnection alarm of the form:
-@quotation
-hot: @code{<}@emph{connection-id}@code{>}
-@end quotation
-where @emph{connection-id} is the format returned by @code{full_id_string}.
-@code{log_hot_conn} keeps track of which connections it has logged and
-will not log the same connection more than once.
-
-@cindex log file, connection summary (red)
-@cindex connection, recording
-@cindex recording connections
-
-@item @code{record_connection (c: connection, disposition: string)}
-Generates a connection summary to the @file{conn} file
-in the format described in @ref{Connection summaries}.
-If the connection's @code{hot} field is positive, then also logs
-the connection using @code{log_hot_conn}.  The @code{disposition} is a text
-description of the connection's state, such as @code{"attempt"} or
-@code{"half_finished"}; it is not presently used.
-
-@cindex connection, service
-@cindex service associated with a connection
-
-@item  @code{service_name (c: connection): string}
-returns a string describing the service associated with the connection,
-computed as follows.  If the responder port (@code{$id$resp_p}), @emph{p}, is
-well-known, that is, in the @code{port_names} table,
-then @emph{p}'s entry in the table is returned (such as @code{"http"} for TCP
-port 80).  Otherwise, for TCP connections, if the responder port
-is less than 1024, then @code{priv-@emph{p}} is returned, otherwise
-@code{other-@emph{p}}.  For UDP connections, the corresponding service
-names are @code{upriv-@emph{p}} and @code{uother-@emph{p}}.
-
-@cindex connection, terminating with extreme prejudice
-@cindex terminating connections forcibly
-
-@item @code{terminate_connection (c: connection)}
-Attempts to terminate the given connection using the @code{rst} utility
-in the current directory.  It does not check to see whether the utility
-is actually present, so an unaesthetic shell error will appear if the utility
-is not available.
-
-@code{rst} terminates connections by forging RST packets.  It is not
-presently distributed with Bro, due to its potential for disruptive use.
-
-@cindex analysis, on-line
-@cindex on-line analysis
-@cindex analysis, off-line
-@cindex off-line analysis
-If Bro is reading a trace file rather than live network traffic,
-then @code{terminate_connection} logs the @code{rst} invocation
-but does not actually invoke the utility.  In either case, it finishes
-by logging that the connection is being terminated.
-
-@end table
-
-@cindex analyzers, generic
-
-@node Site-specific information,
-@section Site-specific information
-
-@cindex analyzers, site-specific information
-@cindex site-specific, information
-The @code{site} analyzer is not actually an analyzer but
-simply a set of global variables (and @emph{Updateme: one function}) used
-to define a site's basic topological information.
-
-@menu
-* Site variables::		
-* Site-specific functions::	
-@end menu
-
-@node Site variables,
-@subsection Site variables
-
-@cindex site-specific, variables
-
-The @code{site} module defines the following variables, all redefinable:
-
-@cindex addresses, local
-@cindex local addresses
-@cindex subnets
-@cindex prefixes, network
-@cindex network prefixes
-@table @samp
-@item @code{local_nets set[net]}
-Defines which @code{net}'s Bro should consider as reflecting a local address.
-
-Default: empty.
-
-@cindex CIDR
-@cindex addresses, local
-@cindex local addresses
-@cindex subnets
-@cindex prefixes, network
-@cindex network prefixes
-@item @code{local_16_nets set[net]}
-Defines which /16 prefixes Bro should consider as reflecting a local address.
-@emph{Deficiency:Bro currently is inconsistent regarding when it consults @code{local_nets} versus @code{local_16_nets}, so you should ensure that this variable and the previous one are always consistent.}
-
-Default: empty.
-
-@cindex addresses, local
-@cindex local addresses
-@item @code{local_24_nets set[net]}
-The same, but for /24 addresses.
-
-Default: empty.
-
-@cindex addresses, neighbor
-@cindex neighbor addresses
-@item @code{neighbor_nets set[net]}
-Defines which @code{net}'s Bro should consider as reflecting a ``neighbor.''
-Neighbors networks can be treated specially in some policies, distinct
-from other non-local addresses.  In particular, 
-will not drop connectivity to an address belonging to a neighbor.
-
-The notion is somewhat historical, as
-is the use of ``@code{U}'' to mark neighbors in connection summaries
-(See @ref{Connection summaries}).
-
-Default: empty.
-
-@cindex addresses, neighbor
-@cindex neighbor addresses
-@item @code{neighbor_16_nets set[addr]}
-Defines which /16 addresses Bro should consider as reflecting a neighbor;
-the only use of this variable in the standard scripts is that a scan
-originating from an address with one of these prefixes will not be dropped
-.  @emph{Deficiency:The name is poorly chosen and should be changed to better reflect this use.}  @emph{Deficiency:In addition, this variable should be kept consistent with @code{neighbor_nets}, until the fine day when the processing is rectified to only use one variable.}
-
-Default: empty.
-
-@cindex addresses, neighbor
-@cindex neighbor addresses
-@item @code{neighbor_24_nets set[net]}
-The same, but for /24 addresses.
-
-Default: empty.
-
-@end table
-
-@cindex site-specific, variables
-
-@node Site-specific functions,
-@subsection Site-specific functions
-
-@cindex functions, site-specific
-@cindex site-specific, functions
-
-Currently, the @code{site} module only defines one function:
-
-@table @samp
-@cindex addresses, local
-@cindex local addresses
-@cindex site addresses
-@item @code{is_local_addr (a: addr): bool}
-returns true if the given address belongs to one of the ``local'' networks,
-false otherwise.  @emph{Updateme: Currently, the test is made by masking the address to /16 and /24 and comparing it to @code{local_16_nets} and @code{local_24_nets}.}
-
-@end table
-
-@cindex site-specific, functions
-
-@cindex analyzers, site-specific information
-
-@node hot Analyzer,
-@section The @code{hot} Analyzer
-
-@cindex connection, analysis
-@cindex connection, hot analysis
-@cindex hot connection, analysis
-
-The standard @code{hot} script defines policy relating to fairly
-generic notions of allowed and prohibited connections.  It defines
-a number of variables that you will need to refine to customize your
-site's policies.  It also provides two functions for checking
-connections against the policies, which can be used by other of the standard
-scripts.
-
-@menu
-* hot variables::		
-* hot functions::		
-@end menu
-
-@node hot variables,
-@subsection @code{hot} variables
-
-@cindex analyzers, hot, variables
-
-The standard @code{hot} script defines the following variables, all redefinable:
-
-@table @samp
-@cindex spoofing, detection
-@cindex local addresses, spoofing
-@item @code{same_local_net_is_spoof : bool}
-If true, then a connection with a local originator address and a local
-responder address is considered by 
-to have been spoofed.  @emph{Deficiency:The name is poorly chosen (and may be changed in the future) to something more accurate like @code{both_local_nets_is_spoof}.}
-
-@cindex DMZ, spoof detection
-@cindex internal networks, spoof detection
-In general, you want to use true for a Bro that is monitoring Internet access
-links (DMZs) and false for internal monitors.
-
-Default: @code{F}.
-
-@cindex spoofing, allowable services
-@cindex local addresses, spoofing
-@item @code{allow_spoof_services : set[port]}
-Defines a set of services (responder ports) for which Bro should not
-generate notices if it sees apparent spoofed traffic.
-
-Default: @code{110/tcp} (POP version 3; RFC-1939).
-This default was chosen because
-in our experience one common form of benign spoof is an off-site laptop
-attempting to read mail while still configured to use its on-site address.
-
-@cindex access, allowable address pairs
-@cindex allowable address pairs
-@item @code{allow_pairs : set[addr, addr]}
-Defines pairs of source and destination addresses for which the
-source is allowed to connect to the destination.  The intent with
-this variable is that the source or destination address will be a sensitive
-host (such as defined with @code{host_src} or
-@code{host_dsts}), for which this particular access should
-be allowed.
-
-Default: empty.
-
-@cindex access, allowable /16 network pairs
-@cindex allowable /16 network pairs
-@item @code{allow_16_net_pairs : set[addr, addr]}
-Defines pairs of source and destination /16 networks for which the
-source is allowed to connect to the destination, similar to @code{allow_pairs}.
-@emph{Note: The set is defined in terms of @code{addr}'s and not @code{net}'s.
-So, for example, rather than specifying @code{128.32.}, which is a @code{net}
-constant, you'd use @code{128.32.0.0} (an @code{addr} constant).  }
-
-Default: empty.
-
-@cindex access, sensitive source addresses
-@cindex sensitive source addresses
-@cindex hot source addresses
-@cindex addresses, hot sources
-@item @code{hot_srcs : table[addr] of string}
-Defines source addresses that should be considered ``hot''.
-A successfully established connection from such a source address
-generates an alarm, unless one of the access exception variables such as
-@code{allow_pairs} also matches the connection.  The value of the
-table gives an explanatory message as to why the source is
-hot; for example, @code{"known attacker site"}.  
-Note: This value
-is not currently used, though it aids in documenting the policy script.
-
-Default: empty.
-
-Example: redefining @code{hot_srcs} using
-@example
-redef hot_srcs: table[addr] of string = @{
-    [ph33r.the.eleet.com] = "script kideez",
-@};
-@end example
-
-would result in Bro noticing any traffic coming @code{ph33r.the.eleet.com}.
-@cindex kiddies, script
-@cindex script kiddies
-
-@cindex access, sensitive destination addresses
-@cindex sensitive destination addresses
-@cindex hot destination addresses
-@cindex addresses, hot destinations
-@item @code{hot_dsts : table[addr] of string}
-Same as @code{hot_srcs}, except for destination addresses.
-
-Default: empty.
-
-@cindex access, sensitive /24 source networks
-@cindex sensitive /24 source networks
-@cindex hot /24 source networks
-@cindex networks, hot sources
-@item @code{hot_src_24nets : table[addr] of string}
-Defines /24 source networks should be considered ``hot,''
-similar to @code{hot_srcs}.  @emph{Deficiency:Other network masks, particularly /16, should be provided.}
-
-Default: empty.
-
-@cindex CIA detection
-@cindex Central Intelligence Agency, detection
-Example: redefining @code{hot_src_24nets} using
-@example
-redef hot_src_24nets: table[addr] of string = @{
-    [198.81.129.0] = "CIA incoming!",
-@};
-@end example
-
-would result in Bro noticing any traffic coming from the @code{198.81.129/24}
-network.
-
-@cindex access, sensitive /24 destination networks
-@cindex sensitive /24 destination networks
-@cindex hot /24 destination networks
-@cindex networks, hot destinations
-@item @code{hot_dst_24nets : table[addr] of string}
-same as @code{hot_src_24nets}, except for destination networks.
-
-Default: empty.
-
-@cindex access, allowable services
-@cindex services, allowable
-@item @code{allow_services : set[port]}
-Defines a set of services that are always allowed, regardless of
-whether the source or destination address is ``hot.''
-
-Default: @code{ssh}, @code{http}, @code{gopher} @code{ident}, @code{smtp},
-@code{20/tcp} (FTP data).
-
-Note: The defaults are a bit unusual.  They are intended for a quite open
-site with many services. 
-
-@cindex access, service allowed to a particular host
-@cindex services, allowed to a particular host
-@item @code{allow_services_to : set[addr, port]}
-Defines a set of services that are always allowed if the server is the
-given host, regardless of whether the source or destination address is
-``hot.''
-
-Default: empty.
-
-Example: redefining @code{allow_services_to} using
-@example
-redef allow_services_to: set[addr, port] += @{
-    [ns.mydomain.com, [domain, 123/tcp]],
-@} &redef;
-@end example
-
-would result in Bro not noticing any TCP DNS or NTP traffic heading
-to @code{ns.mydomain.com}.  You might add this if @code{ns.mydomain.com}
-is also in @code{hot_dsts}, because in general you want to consider
-any access (other than DNS or NTP) as sensitive.
-
-@cindex access, service allowed to particular host pairs
-@cindex services, allowed to particular host pairs
-@item @code{allow_services_pairs : set[addr, addr, port]}
-Defines a set of services that are always allowed if the connection
-originator is the first address and the responder (server) the second
-address.
-
-Default: empty.
-
-Example: redefining @code{allow_services_pairs} using
-@example
-redef allow_services_pairs: set[addr, addr, port] += @{
-    [ns2.mydomain.com, ns.mydomain.com, [domain, 123/tcp]],
-@} &redef;
-@end example
-
-would result in Bro not noticing any TCP DNS or NTP traffic initiated
-from @code{ns2.mydomain.com} to @code{ns.mydomain.com}.
-
-@cindex access, forbidden services
-@cindex services, forbidden
-@item @code{flag_successful_service : table[port] of string}
-The opposite of @code{allow_services}.
-Defines a set of services that should always be flagged as sensitive,
-even if neither the source nor the destination address is ``hot.''
-The @code{string} value in the table gives the reason for why
-the service is considered hot.
-Note: Bro currently does not use these explanatory messages.
-
-Default: @code{31337/tcp} (a popular backdoor because in stylized lettering
-it spells @code{ELEET}) and @code{2766/tcp} (the Solaris @code{listen} service,
-in our experience rarely used legitimately in wide-area traffic).
-
-@cindex ephemeral ports, confused with sensitive services
-@cindex sensitive services, confused with ephemeral ports
-@cindex FTP, ephemeral ports confused with sensitive services
-
-@emph{Note: Bro can flag these services erroneously when a server happens to
-run a different service on the same port.  For example, if you're not
-running the FTP analyzer, then Bro won't know that FTP data connections
-using ephemeral ports in fact belong to legitimate FTP traffic, and will
-flag any that coincide with these services.  A related problem arises 
-when a user has configured their SSH access to tunnel FTP control channels
-through the FTP connection, but not the corresponding data connections (so
-they don't pay the expense of encrypting the data transfers), so again
-Bro can't recognize that the ephemeral ports used for the data connections
-does not reflect the presumed sensitive service.}
-
-Example: redefining @code{flag_successful_service} using
-@example
-redef flag_successful_service: table[port] of string += @{
-        [1524/tcp] = "popular backdoor",
-@};
-@end example
-
-would result in Bro also noticing any successful connection to
-a server running on TCP port 1524.
-
-@cindex access, forbidden inbound services
-@cindex services, forbidden if inbound
-@cindex inbound services, forbidden
-
-@item @code{flag_successful_inbound_service : table[port] of string}
-The same as @code{flag_successful_service}, except only applies to
-connections with a remote initiator and a local responder (determined
-by finding the responder address in @code{local_nets}).
-
-@cindex etc/inetd.conf/etc/inetd.conf
-@cindex inetd.conf.conf
-Default: @code{1524/tcp} (@code{ingreslock}, a popular backdoor because an
-attacker can place an entry for the backdoor in @emph{/etc/inetd.conf} using
-a service name rather than a raw port number, and hence more likely to
-appear legitimate to casual inspection).  Note: There's no compelling 
-reason why @code{ingreslock} is in this table rather than the more
-general @code{flag_successful_service}, though it does tend to result
-in a few more false hits than the others, presumably because it's a lower
-port number, and hence more likely on some systems to be chosen for
-an ephemeral port.
-
-Note: Symmetry would call for @code{flag_successful_outbound_service}.
-This hasn't been implemented in Bro yet simply because the
-Bro development site has a threat model structured primarily around
-external threats.
-
-@cindex access, fatal inbound services
-@cindex services, fatal if inbound
-@cindex inbound services, fatal
-@item @code{terminate_successful_inbound_service : table[port] of string}
-The same as @code{flag_successful_inbound_service}, except invokes
- in an attempt to terminate the connection.
-
-Default: empty.
-
-Note: As for @code{flag_successful_inbound_service}, it would be symmetric
-to have @code{terminate_successful_outbound_service}, and also to have
-a more general @code{terminate_successful_service}.
-
-@cindex access, forbidden attempted services
-@cindex services, forbidden if attempted
-@cindex attempted services, forbidden
-@code{flag_rejected_service table[port] of string}
-Similar to @code{flag_successful_service}, except applies to connections
-that a server rejects.  For example, you could detect a particular, failed
-Linux @emph{mountd} attack by adding @code{10752/tcp} to this table, since
-that happens to be the port used by the commonly
-available version of the exploit
-for its backdoor if the attack succeeds.  Note: You would of course
-likely also want to put @code{10752/tcp} in @code{flag_successful_service};
-or put the entire @code{flag_rejected_service} table 
-into @code{flag_successful_service}, as discussed in @ref{Inserting tables into tables}.
-
-Default: none.
-
-@emph{Deficiency:It might make sense to have @code{flag_attempted_service}, which doesn't require that a server actively reject the connection, but Bro doesn't currently have this.}
-
-@end table
-
-@cindex analyzers, hot, variables
-
-@node hot functions,
-@subsection @code{hot} functions
-
-@cindex analyzers, hot, functions
-
-The @code{hot} module defines two functions for external use:
-
-@table @samp
-@cindex spoofing, detection
-@cindex local addresses, spoofing
-@item @code{check_spoof (c: connection): bool}
-checks the originator and responder addresses of the given connection to
-determine if they are both local (and the connection is not explicitly
-allowed in @code{allow_spoof_services}).  If so, and if @code{same_local_net_is_spoof} is true, then marks the connection as ``hot''.
-
-@cindex Land attack
-@cindex attack, Land
-The function also checks for a specific denial of service attack, the
-``Land'' attack, in which the addresses are the same and so are the ports.
-If so, then it generates a  event with a name of 
-@code{"Land_attack"}.  It makes this check even if is false.
-
-Returns: true if the connection is now hot (or was upon entry), false
-otherwise.
-
-@cindex hot detection
-@cindex detecting sensitive connections
-@cindex connection, detecting sensitive
-@item @code{check_hot (c: connection, state: count): bool}
-checks the given connection against the various policy variables discussed
-above, and bumps the connection's @code{hot} field if it matches
-the policies for being sensitive, and does not match the various exceptions.
-It also uses @code{check_spoof} to see if the connection reflects a possible
-spoofing attack; and terminates the connection if
-@code{terminate_successful_service} indicates so.
-
-The caller indicates the connection's state in the second parameter to the
-function, using one of the values given in the Table below.
-As noted in the Table, the processing differs depending on the state.
-
-
-@float Table, Hot connection states
-@multitable  @columnfractions .2 .4 .3
-@item @strong{State} @tab @strong{Meaning} @tab @strong{Tests}
-@item @code{CONN_ATTEMPTED}
-@tab Connection attempted, no reply seen.  Note that you should also use this value
-for scans with undetermined state, such as possible stealth scans. For example,
-connection @code{half_finished} does this.
-@tab @code{check_spoof}
-@item @code{CONN_ESTABLISHED}
-@tab Connection established. Also used for connections apparently established, per @code{partial_connection}.
-@tab @code{check_spoof, flag_successful_service,
-flag_successful_inbound service, allow_services_to,
-terminate_successful inbound_service}
-@item @code{APPL_ESTABLISHED}
-@tab The connection has reached application-layer establishment. For
-example, for Telnet or Rlogin, this is after the user has authenticated.
-@tab @code{allow_services_to, allow_service_pairs,
-allow_pairs, allow_16_net_pairs, hot_srcs,
-hot_dsts, hot_src_24nets, hot_dst_24nets}
-@item @code{CONN_FINISHED}
-@tab The connection has finished, either cleanly or abnormally (for example, @code{connection_reset}.
-@tab Same as @code{APPL_ESTABLISHED}, if the connection exchanged non-zero
-amounts of data in both directions, and if the service wasn’t one of the ones that
-generates @code{APPL_ESTABLISHED}
-@item @code{CONN_REJECTED}
-@tab The connection attempt was rejected by the server.  
-@tab @code{check_spoof, flag_rejected_service}
-@end multitable
-@caption{Different connection states to use when calling check @code{hot}}
-@end float
-@*
-
-
-In general, the pattern is to make one call when the connection is first
-seen, either @code{CONN_ATTEMPTED}, @code{CONN_ESTABLISHED},
-or @code{CONN_REJECTED}.  If the application is one for which connections
-should only be considered ``established'' after a successful pre-exchange
-between originator and responder, then a subsequent call is made
-with a state of @code{APPL_ESTABLISHED}.   The idea here is to provide a
-way to filter out what are in fact not really successful connections
-so that they are not analyzed in terms of successful service.
-Finally, for services that don't use @code{APPL_ESTABLISHED}, a
-call is made instead when the connection finishes for some reason,
-using state @code{CONN_FINISHED}.  Note: This approach delays
-noticing until the connection is over, which might be later than
-you want, in which case you may need to edit @code{check_hot} to 
-provide the desired functionality.
-
-Returns: true if the connection is now hot (or was upon entry), false
-otherwise.
-
-@end table
-
-@cindex analyzers, hot, functions
-
-@node scan Analyzer,
-@section The @code{scan} Analyzer
-
-@cindex scan detection
-@cindex detecting scans
-@cindex scanning, address
-@cindex scanning, port
-@cindex address scanning
-@cindex port scanning
-@cindex passwords, guessing
-The @code{scan} analyzer detects connection attempts to numerous machines
-(address scanning), connection attempts to many different services
-on the same machine (port scanning), and attempts to access many different
-accounts (password guessing).  The basic methodology is to use tables to
-keep track of the distinct addresses and ports to which a given host
-attempts to connect, and to trigger notices when either of these reaches
-a specified size.  @emph{Deficiency:As currently written, the analyzer will not detect distributed scans, i.e., when many sites are used to probe individually just a few, but together a large number, of ports or addresses.}
-
-A powerful technique that Bro potentially provides is dropping
-border connectivity with remote scanning sites, though you must
-supply the magic script to talk with your router and effect the
-block.  See @code{drop_address} below for a discussion of the
-interface provided.  Note: Naturally, providing this capability means
-you might become vulnerable to denial-of-service attacks in which spoofed
-packets are used in an attempt to trigger a block of a site to which
-you want to have access.
-
-@menu
-* scan variables::		
-* scan functions::		
-* scan event handlers::		
-@end menu
-
-@node scan variables,
-@subsection @code{scan} variables
-
-@cindex analyzers, scan, variables
-
-In addition to internal variables for its bookkeeping, the analyzer
-provides the following redefinable variables:
-
-@table @samp
-@code{report_peer_scan : set[count]}
-Generate an alarm whenever a remote host (as determined by
-@code{is_local_address}) has attempted to connect to the given
-number of distinct hosts.
-
-Default: @code{@{ 100, 1000, 10000, @}}.  So, for example, if
-a remote host attempts to connect to 3,500 different local hosts,
-a report will be generated when it makes the 100th attempt, and
-another when it makes the 1,000th attempt.
-
-@item @code{report_outbound_peer_scan : set[count]}
-The same as @code{report_peer_scan}, except for connections
-initiated locally.
-
-Default: @code{@{ 1000, 10000, @}}.
-
-@item @code{possible_port_scan_thresh : count}
-Initially, port scan detection is done based on how many different
-ports a given host connects to, regardless of on which hosts.  Once
-this threshold is reached, however, then the analyzer begins tracking
-ports accessed per-server, which is important for reducing false
-positives.  Note: The reason this variable exists  is because it
-is very expensive to track per-server ports accessed for every
-active host; this variable limits such tracking to only active hosts
-contacting a significant number of different ports.
-
-Default: @code{25}.
-
-@item @code{report_accounts_tried : set[count]}
-Whenever a remote host has attempted to access a number of local
-accounts present in this set, generate an alarm.  Each distinct
-username/password pair is considered a different access.
-
-Default: @code{@{ 25, 100, 500, @}}.
-
-@item @code{report_remote_accounts_tried : set[count]}
-The same, except for access to remote accounts rather than local ones.
-
-Default: @code{@{ 100, 500, @}}.
-
-@item @code{skip_accounts_tried : set[addr]}
-Do not do bookkeeping for account attempts for the given hosts.
-
-Default: empty.
-
-@item @code{skip_outbound_services : set[port]}
-Do not do outbound-scanning bookkeeping for connections involving
-the given services.
-
-Default: @code{allow_services}, @code{ftp}, @code{addl_web} (see next item).
-
-@item @code{addl_web : set[port]}
-Additional ports that should be considered as Web traffic (and hence skipped
-for outbound-scan bookkeeping).
-
-Default: @code{@{ 81/tcp, 443/tcp, 8000/tcp, 8001/tcp, 8080/tcp, @}}.
-
-@item @code{skip_scan_sources : set[addr]}
-Hosts that are allowed to address-scan without complaint.
-
-Default: @code{scooter.pa-x.dec.com}, @code{scooter2.av.pa-x.dec.com}
-(AltaVista crawlers; you get the idea.)
-
-@item @code{skip_scan_nets_24 : set[addr, port]}
-/24 networks that are allowed to address scan for the given port
-without complaint.
-
-Default: empty.
-
-@cindex connectivity, dropping
-@cindex dropping connectivity
-@cindex firewall, reactive
-@cindex reactive firewall
-@item @code{can_drop_connectivity : bool}
-True if the Bro has the capability of dropping connectivity,
-per @code{drop_address}.
-
-Default: false.
-
-@cindex scanning, shutting down
-@cindex shutting down scans
-@item @code{shut_down_scans : set[port]}
-Scans of these ports trigger connectivity-dropping (if the Bro
-is capable of dropping connectivity), unless @code{shut_down_all_scans}
-is defined (next item).
-
-Default: empty.
-
-@item @code{shut_down_all_scans : bool}
-Ignore @code{shut_down_scans} and simply drop all scans regardless of
-service.
-
-Default: false.
-
-@item @code{shut_down_thresh : count}
-Shut down connectivity after a host has scanned this many addresses.`
-
-Default: @code{100}.
-
-@item @code{never_shut_down : set[addr]}
-Purported scans from these addresses are never shut down.
-
-Default: the root name servers (@code{a.root-servers.net} through
-@code{m.root-servers.net}).
-
-@end table
-
-@cindex analyzers, scan, variables
-
-@node scan functions,
-@subsection @code{scan} functions
-
-@cindex analyzers, scan, functions
-The standard @code{scan} script provides the following functions:
-
-@table @samp
-@cindex connectivity, dropping
-@cindex dropping connectivity
-@cindex firewall, reactive
-@cindex reactive firewall
-@cindex scanning, shutting down
-@cindex shutting down scans
-@item @code{drop_address (a: addr, msg: string)}
-Drops external connectivity to the given address and generates a notification
-using the given message.
-
-@cindex drop-connectivity shell script-connectivity shell script
-@cindex shell scripts, drop-connectivity-connectivity
-Dropping connectivity requires all of the following to be true:
-@itemize @bullet
-@item  @code{can_drop_connectivity} is true.
-
-@item 
-The address is neither local
-nor a neighbor (See @ref{Site variables}).
-
-@item 
-The address is not in @code{never_shut_down}.
-@end itemize
-
-If these checks succeed, then the script simply attempts to invoke
-a shell script @emph{drop-connectivity} with a single argument, the IP
-address to block.  It is up to you to provide the script, using whatever
-interface to your router/firewall you have available.
-
-The function does not return a value.
-
-@cindex scanning, stealth
-@cindex stealth scans
-@item @code{check_scan (c: connection, established: bool, reverse: bool): bool}
-Updates the analyzer's internal bookkeeping on the basis of the
-new connection @code{c}.  If @code{established} is true, then the connection
-was successfully established, otherwise not.  If @code{reverse} is true,
-then the function should consider the originator/responder fields in
-the connection's record as reversed.  Note: This last is needed
-for some unusual new connections that may reflect stealth scanning.
-For example, when the event engine sees a SYN-ack without a corresponding
-SYN, it instantiates a new connection with an assumption that the SYN-ack
-came from the responder (and it missed the initial SYN either due to
-split routing (See @ref{Split routing}), a packet drop (See @ref{Packet drops}),
-or Bro having started running after the initial SYN was sent).
-
-If the originating host's activity matches the policy defined by the
-variables above, then the analyzer logs this fact, and possibly
-attempts to drop connectivity to the originating host.  The function
-also schedules an event for 24 hours in the future (or when Bro terminates)
-to generate a summary of the scanning activity (so if the host continues
-scanning, you get a report on how many hosts it wound up scanning).
-@emph{Deficiency:This time interval should be selectable.}
-
-Note: Purported scans of the FTP data port (@code{20/tcp}) or the @code{ident}
-service (@code{113/tcp}) are never reported or dropped, as experience
-has shown they yield too many false hits.
-
-The function does not return a value.
-
-@end table
-
-@cindex analyzers, scan, functions
-
-@node scan event handlers,
-@subsection @code{scan} event handlers
-
-@cindex analyzers, scan, event handlers
-
-The standard @code{scan} script defines one event handler:
-
-@table @samp
-@item @code{account_tried (c: connection, user: string, passwd: string)}
-The given connection made an attempt to access the given username and
-password.  Each distinct username/password pair is considered a new access.
-The event handler generates an alarm if the access matches the logging
-policy outlined above.
-
-Note: @code{account_tried} events are generated by  @code{login}
-and @code{ftp} analyzers.
-
-@end table
-
-@cindex analyzers, scan, event handlers
-
-@cindex scan detection
-
-@node port-name Analysis Script,
-@section The @code{port-name} Analysis Script
-
-The @code{port-name} utility module provides one redefinable variable
-and one callable function:
-
-@table @samp
-@item @code{port_names : table[port] of string}
-Maps TCP/UDP ports to names for the services associated with those ports.
-For example, @code{80/tcp} maps to @code{"http"}.  These names are used by
-the @code{conn} analyzer when generating connection logs
-(See @ref{Generic Connection Analysis}).
-
-@item @code{endpoint_id (h: addr, p: port): string }
-Returns a printable form of the given address/port connection
-endpoint.  The format is either 
-@code{<}@emph{address}@code{>/<}@emph{service-name}@code{>}
-or
-@code{<}@emph{address}@code{>/<}@emph{port-number}@code{>}
-depending on whether the port appears in @code{port_names}.
-@end table
-
-@node brolite Analysis Script,
-@section The @code{brolite} Analysis Script
-
-The @code{brolite} module is intended to provide a convenient way
-to run (almost) all of the analyzers.  It @code{@@load}'s the following
-other modules and analyzers:
-@code{alarm, dns, hot, port-name, frag, tcp, scan, weird, finger, ident, ftp,
-login} and @code{portmapper}.
-So you can run Bro using @emph{bro -i in0 brolite} to have it analyze
-traffic on interface @emph{in0} using the above analyzers
-; or you can @code{@@load brolite} to load in the above
-analyzers.
-
-Note: The @code{brolite} analyzer doesn't load @code{http}  (because
-it can prove a very high load for many sites)
-nor experimental analyzers such as  @code{stepping}
-or @code{backdoor}. 
-
-@node alarm Analysis Script,
-@section The @code{alarm} Analysis Script
-
-The @code{alarm} utility module redefines a single variable:
-
-@table @samp
-@cindex alarm file
-@item @code{bro_alarm_file : file}
-A special Bro variable used internally to specify a file where Bro should
-record messages logged by @code{alarm} statements (as well
-as generating real-time notifications via @emph{syslog}).
-
-Default: if the @code{$BRO_LOG_SUFFIX} environment variable is defined,
-then @code{alarm.@code{<}@emph{$BRO_LOG_SUFFIX}@code{>}}, otherwise @code{alarm.log}.
-
-See @code{bro_alarm_file} for further discussion.
-
-@end table
-
-If you do not include this module, then Bro records alarm messages
-to @emph{stderr}.
-@cindex stderr
-
-Here is a sample definition of @code{alarm_hook}:
-@example
-global msg_count: table[string] of count &default = 0;
-
-event alarm_summary(msg: string)
-    @{
-    alarm fmt("(%s) %d times", msg, msg_count[msg]);
-    @}
-
-function alarm_hook(msg: string): bool
-    @{
-    if ( ++msg_count[msg] == 1 )
-        # First time we've seen this message - log it.
-        return T;
-
-    if ( msg_count[msg] == 5 )
-        # We've seen it five times, enough to be worth
-        # summarizing.  Do so five minutes from now,
-        # for whatever total we've seen by then.
-        schedule +5 min @{ alarm_summary(msg) @};
-
-    return F;
-    @}
-
-@end example
-
-You can also control Bro's alarm processing by defining the
-special function @emph{alarm-hook}.  It takes a single
-argument, @code{msg: string}, the message in a just-executed
-@code{alarm} statement, and returns a boolean value: true if Bro
-should indeed log the message, false if not.  The above example
-shows a definition of @code{alarm_hook} that
-checks each alarm message to see whether the same text has
-been logged before.  It only logs the first instance of a message.
-If a message appears at least five times, then it schedules a
-future @code{alarm_summary} event for 5 minutes in the future;
-the purpose of this event is to summarize the total number of
-times the message has appeared at that point in time.
-
-@node active Analysis Script,
-@section The @code{active} Analysis Script
-
-The @emph{active} utility module provides a single, non-redefinable
-variable that holds information about active connections: 
-
-@table @samp
-@item @code{active_conn : table[conn_id] of connection}
-Indexed by a @code{conn_id} giving the
-originator/responder addresses/ports, returns the connection's
-@code{connection} record.  As usual, accessing
-the table with a non-existing index results in a run-time error,
-so you should first test for the presence of the index using
-the @code{in} operator.
-
-Default: empty.
-@end table
-
-This functionality is quite similar to that of the @code{active_connection}
-function, and @emph{Deficiency:arguably this module should be removed in favor of the function}.  It does, however, provide a useful example of maintaining
-bookkeeping by defining additional handlers for events that already have
-handlers elsewhere.
-
-@node demux Analysis Script,
-@section The @code{demux} Analysis Script
-
-The @emph{demux} utility module provides a single function:
-
-@table @samp
-@item @code{demux_conn (id: conn_id, tag: string, otag: string, rtag: string): bool }
-Instructs Bro to write (``demultiplex'') the contents of the connection
-with the given @code{id} to a pair of files whose names are constructed
-out of @code{tag}, @code{otag}, and @code{rtag}, as follows.
-
-The originator-to-responder direction of the connection goes into a file named:
-@quotation
-@code{<}@emph{otag}@code{>.<}@emph{tag}@code{>.<}@emph{orig-addr}@code{>.<}@emph{orig-port}@code{>-<}@emph{resp-addr}@code{>.<}@emph{resp-port}@code{>}
-@end quotation
-and the other direction in:
-@quotation
-@code{<}@emph{rtag}@code{>.<}@emph{tag}@code{>.<}@emph{resp-addr}@code{>.<}@emph{resp-port}@code{>-<}@emph{orig-addr}@code{>.<}@emph{orig-port}@code{>}
-@end quotation
-Accordingly, @emph{tag} can be used to associate a unique label with
-the pair of files, while @emph{otag} and @emph{rtag} provide distinct
-labels for the two directions.
-
-If Bro is already demuxing the connection, or if the connection is
-not active, then nothing happens, and the function returns false.
-Otherwise, it returns true.
-
-@end table
-
-Bro places demuxed streams in a directory defined by the redefinable
-global @code{demux_dir}, which defaults in the usual fashion to
-@code{open_log_file("xscript")}.
-
-@emph{Deficiency:Experience has shown that it would be highly convenient if Bro would demultiplex the @emph{entire} connection contents into the files, instead of just the part of the connection seen subsequently after the call to @code{demux_conn}.  One way to do this would be for @code{demux_conn} to offset the contents in the file by the current stream position, and then to invoke a utility tool that goes through the Bro output trace file  and copies the contents up to the current stream position to the front of the file.  This utility tool might even be another instance of Bro running with suitable arguments.}
-
-@node dns Analysis Script,
-@section The @code{dns} Analysis Script
-
-The @code{dns} module deals with Bro's internal mapping of hostnames
-to/from IP addresses.
-@emph{Deficiency: There is no DNS protocol analyzer available at present.}
-Furthermore, @emph{Deficiency: the lookup mechanisms discussed here are not available to the Bro script writer, other than implicitly by using hostnames in lieu of addresses in variable initializations (see @ref{Hostnames vs addresses}).}
-
-@cindex bro-dns-cache.bro-dns-cache
-@cindex DNS, Bro's private cache
-
-The module's function is to handle different events that can
-occur when Bro resolves hostnames upon startup.  Bro maintains its
-own cache of DNS information which persists across invocations of Bro
-on the same machine and by the same user.
-The role of the cache is to allow Bro to resolve
-hostnames even in the face of DNS outages; the philosophy is that it's
-better to use old addresses than none at all, and this helps harden Bro
-against attacks in which the attacker causes DNS outages in order to
-prevent Bro from resolving particular sensitive hostnames (e.g., @code{hot_srcs}
-).  The cache is stored in the file ``@code{.bro-dns-cache}''
-in the user's home directory.  You can delete this file whenever you want,
-for example to purge out old entries no longer needed, and Bro will recreate
-it next time it's invoked using @code{-P}.
-
-Currently, all of the event handlers are invoked upon @emph{comparing}
-the results of a new attempt to look up a name or an address versus the
-results obtained the @emph{last time} Bro did the lookup.  When Bro looks
-up a name for the first time, no events are generated.
-
-Also, Bro currently only looks up hostnames to map them to addresses.
-It does not perform inverse lookups.
-
-@menu
-* dns_mapping record::		
-* dns variables::
-* dns event handlers::      
-@end menu
-
-@node dns_mapping record,
-@subsection The @code{dns_mapping} record
-
-@cindex DNS, mappings
-
-All of the events handled by the module include at least one
-record of DNS mapping information, defined by the @code{dns_mapping}
-type shown in the example below.
-The corresponding fields are:
-
-@table @samp
-@item @code{creation_time}
-When the mapping was created.
-
-@item @code{req_host}
-The hostname looked up, or an empty string if this was not a hostname
-lookup.
-
-@item @code{req_addr}
-The address looked up (reverse lookup), or @code{0.0.0.0} if this was not
-an address lookup.
-
-@item @code{valid}
-True if an answer was received for a lookup (even if the answer was that
-the request name or address does not exist in the DNS).
-
-@item @code{hostname}
-The hostname answer in response to an address lookup, or the
-string @code{"@code{<}none@code{>"}} if an answer was received but
-it indicated there was no PTR record for the given address.
-
-@item @code{addrs}
-A set of addresses in response to a hostname lookup.  Empty
-if an answer was received but it indicated that there was no A record
-for the given hostname.
-
-@end table
-
-@example
-type dns_mapping: record @{
-    creation_time: time;  # When the mapping was created.
-
-    req_host: string;     # The hostname in the request, if any.
-    req_addr: addr;       # The address in the request, if any.
-
-    valid: bool;          # Whether we received an answer.
-    hostname: string;     # The hostname in the answer, or "<none>".
-    addrs: set[addr];     # The addresses in the answer, if any.
-@};
-@end example
-
-@node dns variables,
-@subsection @code{dns} variables
-
-@cindex modules, dns, variables
-
-The modules provides one redefinable variable:
-
-@table @samp
-@item @code{dns_interesting_changes : set[string]}
-The different DNS events have names associated with them.  If the
-name is present in this set, then the event will generate a notice, otherwise
-not.
-
-One exception to this list is that DNS changes involving the
-loopback address @code{127.0.0.1} are always considered notice-worthy,
-since they may reflect DNS corruption.
-
-Default: @code{@{ "unverified", "old name", "new name", "mapping", @}}.
-
-@end table
-
-@cindex modules, dns, variables
-
-@node dns event handlers,
-@subsection @code{dns} event handlers
-
-@cindex modules, dns, event handlers
-
-The DNS module supplies the following event handlers:
-
-@table @samp
-@item @code{dns_mapping_valid (dm: dns_mapping)}
-The given request was looked up and it was identical to its previous
-mapping.
-
-@item @code{dns_mapping_unverified (dm: dns_mapping)}
-The given request was looked up but no answer came back.
-
-@item @code{dns_mapping_new_name (dm: dns_mapping)}
-In the past, the given address did not resolve to a hostname;
-this time, it did.
-
-@item @code{dns_mapping_lost_name (dm: dns_mapping)}
-In the past, the given address resolved to a hostname; now,
-that name has gone away.  (An answer was received, but it stated
-that there is no hostname corresponding to the given address.)
-
-@item @code{dns_mapping_name_changed (old_dm: dns_mapping, new_dm: dns_mapping)}
-The name returned this time for the given address differs from the
-name returned in the past.
-
-@item @code{dns_mapping_altered (dm: dns_mapping, old_addrs: set[addr], new_addrs: set[addr])}
-The addresses associated with the given hostname have changed.  Those
-in @code{old_addrs} used to be part of the set returned for the name, but
-aren't any more; while those in @code{new_addrs} didn't used to be, but
-now are.  There may also be some unchanged addresses, which are those in
-@code{dm$addrs} but not in @code{new_addrs}.
-
-@end table
-
-@cindex modules, dns, event handlers
-
-@node finger Analyzer,
-@section The @code{finger} Analyzer
-
-@cindex analyzers, application-specific
-@cindex Finger, analysis
-The @code{finger} analyzer processes traffic associated with
-the Finger service RFC-1288.  Bro instantiates a @code{finger}
-analyzer for any connection with service port @code{79/tcp} (if you
-@code{@@load} the finger analyzer in your script, or define your own
-@code{finger_request} or @code{finger_reply} handlers, of course).
-
-The analyzer uses a capture filter of ``@code{port finger}''
-(See: @ref{Filtering}).
-
-In the past, attackers often used Finger requests to obtain information
-about a site's users, and sometimes to launch attacks of various forms
-(buffer overflows, in particular).  In our experience, exploitation
-of the service has
-greatly diminished over the past years (no doubt in part to the service
-being increasingly turned off, or prohibited by firewalls).  Now it is only
-rarely associated with an attack.
-
-@menu
-* finger variables::		
-* finger event handlers::	
-@end menu
-
-@node finger variables,
-@subsection @code{finger} variables
-
-@cindex analyzers, finger, variables
-
-The standard script defines two redefinable variables:
-
-@table @samp
-@item @code{hot_names : set[string]}
-A list of usernames that should be considered sensitive (notice-worthy)
-if included in a Finger request.
-
-Default: @code{@{ "root", "lp", "uucp", "nuucp", "demos", "operator", "sync", "guest", "visitor", @}}.
-
-@item @code{max_request_length : count}
-The largest reasonable request size (used to flag possible buffer
-overflow attacks).  Bro marks a connection as ``hot'' if its request
-exceeds this length, and truncates its logging of the request to
-this many bytes, followed by @code{"..."}.
-
-Default: @code{80}.
-
-@end table
-
-@cindex analyzers, finger, variables
-
-@node finger event handlers,
-@subsection @code{finger} event handlers
-
-@cindex analyzers, finger, event handlers
-
-The standard script defines one event handler:
-
-@table @samp
-@item @code{finger_request (c: connection, request: string, full: bool)}
-Invoked upon connection @code{c} having made the request @code{request}.
-The @code{full} flag is true if the request included the ``long format''
-option (which the event engine will have removed from the request).
-
-The standard script flags long requests and truncates them as noted above,
-and then checks whether the request is for a name in @code{hot_names}.
-It then formats the request either by placing double quotation marks
-around it, or, if the request was empty---indicating a request for
-information on all users---the request is changed to the string @code{ALL}
-with no quotes around it.
-
-If the originator already made a request, then this additional request
-is placed in parentheses (though multiple requests violate the Finger
-protocol).  If the request was for the @code{full} format, then the
-text ``@code{(/W)}'' is appended to the request.  Finally, the request
-is appended to the connection's  field.
-
-@end table
-
-The event engine generates an additional event that the predefined
-@code{finger} script does not handle:
-
-@table @samp
-@item @code{finger_reply (c: connection, reply_line: string)}
-Generated for each line of text sent in response to the originator's
-request.
-
-@end table
-
-@cindex analyzers, finger
-
-@node frag Analysis Script,
-@section The @code{frag} Analysis Script
-
-The @code{frag} utility module simply refines the capture filter
-(See: @ref{Filtering}) so that Bro will capture and reassemble IP fragments.
-Bro reassembles any fragments it receives; but normally it doesn't receive
-any, except the beginnings of TCP fragments (see the @code{tcp} 
-module), and UDP port 111 (per the @code{portmapper} module).
-
-@cindex fragment reassembly
-@cindex fragments, TCP vs. UDP
-@cindex TCP, fragments
-@cindex UDP, fragments
-So, to make Bro do fragment reassembly, you simply use ``@code{load} @code{frag}''.
-It effects this by adding:
-@example
-    (ip[6:2] & 0x3fff != 0) and tcp
-@end example
-
-to the filter.  The first part of this expression matches all IP fragments,
-while the second restricts those matched to TCP traffic.  We would @emph{like}
-to use:
-@example
-    (ip[6:2] & 0x3fff != 0) and (tcp or udp port 111)
-@end example
-
-to also include portmapper fragments, but that won't work---the port
-numbers will only be present in the first fragment, so the packet filter
-won't recognize the subsequent fragments as belonging to a UDP port 111
-packet, and will fail to capture them.
-
-@cindex NFS traffic, high volume fragments
-@emph{Note: Alternatively, we might be tempted to use ``@code{(tcp or udp)}''
-and so capture @emph{all} UDP fragments, including port 111.  This would
-work in principle, but in practice can capture very high volumes of
-traffic due to NFS traffic, which can send all of its file data in
-UDP fragments.}
-
-@node hot-ids Analysis Script,
-@section The @code{hot-ids} Analysis Script
-
-@cindex usernames, sensitive
-@cindex sensitive usernames
-@cindex hot usernames
-
-The @code{hot-ids} module defines a number of redefinable variables
-that specify usernames Bro should consider sensitive:
-
-@table @samp
-@item @code{forbidden_ids set[string]}
-lists usernames that should never be used.  If Bro detects use of one,
-it will attempt to terminate the corresponding connection.
-
-Default: @code{@{ "uucp", "daemon", "rewt", "nuucp", "EZsetup", "OutOfBox", "4Dgifts", "ezsetup", "outofbox", "4dgifts", "sgiweb", @}}.  
-All of these
-correspond to accounts that some systems have enabled by default
-(with well-known passwords), except for @code{"rewt"}, which corresponds
-to a username often used by (weenie) attackers.
-@cindex attackers, weenie
-
-@emph{Deficiency: The repeated definitions such as @code{"EZsetup"} and @code{"ezsetup"} reflect that this variable is a @code{set} and not a @code{pattern}.  Consequently, the exact username must appear in it (with a pattern, we could use character classes to match both upper and lower case).  }
-
-@item @code{forbidden_ids_if_no_password : set[string]}
-Same as @code{forbidden_ids} except only considered forbidden if
-the login succeeded with an empty password.
-
-Default: @code{"lp"}, a default passwordless IRIX account.
-
-@item @code{forbidden_id_patterns : pattern}
-A pattern giving user ids that should be considered forbidden.
-@emph{Deficiency: This pattern is currently only used to check Telnet/Rlogin user ids, not ids seen in other contexts, such as FTP sessions.}
-
-Default: @code{/(y[o0]u)(r|ar[e3])([o0]wn.*)/}, a particularly
-egregious style of username of which we've observed variants
-in different break-ins.
-
-@item @code{always_hot_ids : set[string]}
-A list of usernames that should always be considered sensitive,
-though not necessarily so sensitive that they should be terminated
-whenever used.
-
-Default: @code{@{ "lp", "warez", "demos", forbidden_ids, @}}.  The
-@code{"lp"} and @code{"demos"} accounts are specified here rather
-than @code{forbidden_ids} because it's possible that they might be
-used for legitimate accounts.  @code{"warez"} (for ``wares'', i.e.,
-bootlegged software) is listed because its use likely constitutes
-a policy violation, not a security violation.
-
-Note: @code{forbidden_ids} is incorporated into @code{always_hot_ids}
-to avoid replicating the list of particularly sensitive ids by listing
-it twice and risking inconsistencies.
-
-@item @code{hot_ids set[string]}
-User ids that generate notices if the user logs in successfully.
-
-Default: @code{@{ "root", "system", always_hot_ids, @}}.  The
-ones included in addition to @code{always_hot_ids} are only considered
-sensitive if the user logs in successfully.
-
-@end table
-
-@node ftp Analyzer,
-@section The @code{ftp} Analyzer
-
-@cindex FTP, analysis
-The @code{ftp} analyzer processes traffic associated with
-the FTP file transfer service RFC-959.  Bro instantiates an
-@code{ftp} analyzer for any connection with service port @code{21/tcp},
-providing you have loaded the @code{ftp} analyzer, or defined a handler
-for @code{ftp_request} or @code{ftp_reply}.
-
-The analyzer uses a capture filter of ``@code{port ftp}'' (See: @ref{Filtering}).
-It generates summaries of FTP sessions;
-looks for sensitive usernames, access to sensitive files, and possible
-FTP ``bounce'' attacks, in which the host specified in a ``@code{PORT}'' or
-``@code{PASV}'' directive does not correspond to the host sending
-the directive; or in which a different host than the server (client) connects
-to the endpoint specified in a @code{PORT} (@code{PASV}) directive.
-
-@menu
-* ftp_session_info record::	
-* ftp variables::		
-* ftp functions::		
-* ftp event handlers::		
-* ftp notices::		
-@end menu
-
-@node ftp_session_info record,
-@subsection The @code{ftp_session_info} record
-
-@cindex FTP, session information
-
-The main data structure managed by the @code{ftp} analyzer is
-a collection of @code{ftp_session_info} records, where the
-record type is shown below:
-
-@example
-type ftp_session_info: record @{
-    id: count;              # unique number associated w/ session
-    user: string;           # username, if determined
-    request: string;        # pending request or requests
-    num_requests: count;    # count of pending requests
-    request_t: time;        # time of request
-    log_if_not_denied: bool;        # unless code 530 on reply, log it
-    log_if_not_unavail: bool;       # unless code 550 on reply, log it
-    log_it: bool;           # if true, log the request(s)
-@};
-@end example
-
-The corresponding fields are:
-
-@table @samp
-@item @code{id}
-The unique session identifier assigned to this session.  Sessions
-are numbered starting at @code{1} and incrementing with each new session.
-
-@item @code{user}
-The username associated with this session (from the initial FTP
-authentication dialog), or an empty string if not yet determined.
-
-@item @code{request}
-The pending request, if the client has issued any.  Ordinarily there
-would be at most one pending request, but a client can in fact send
-multiple requests to the server all at once,
-and an attacker could do so attempting
-to confuse the analyzer into mismatching responses with requests,
-or simply forgetting about previous requests.
-
-@item @code{num_requests}
-A count of how many requests are currently pending.
-
-@item @code{request_t}
-The time at which the pending request was issued.
-
-@item @code{log_if_not_denied}
-If true, then when the reply to the current request comes in,
-Bro should log it, unless the reply code is @code{530} (``@code{denied}'').
-
-@item @code{log_if_not_unavail}
-If true, then when the reply to the current request comes in,
-Bro should log it, unless the reply code is @code{550} (``@code{unavail}'').
-
-@item @code{log_it}
-If true, then when the reply to the current request comes in,
-Bro should log it.
-
-@end table
-
-@node ftp variables,
-@subsection @code{ftp} variables
-
-@cindex analyzers, ftp, variables
-
-The standard script defines the following redefinable variables:
-
-@table @samp
-@item @code{ftp_guest_ids : set[string]}
-A set of usernames associated with publicly accessible ``guest''
-services.  Bro interprets guest usernames as indicating Bro should
-use the authentication @emph{password} as the effective username.
-
-Default: @code{@{ "anonymous", "ftp", "guest", @}}.
-
-@item @code{ftp_skip_hot : set[addr, addr, string]}
-Entries indicate that a connection from the first given address to the
-second given address, using the given string username, should not
-be treated as hot even if the username is sensitive.
-
-Default: empty.
-
-Example: redefining @code{ftp_skip_hot} using
-@example
-redef ftp_skip_hot: set[addr, addr, string] += @{
-    [[bob1.dsl.home.net, bob2.dsl.home.net], 
-      bob.work.com, "root"], @};
-@end example
-
-would result in Bro not noticing FTP connections as user @code{"root"}
-from either @code{bob1.dsl.home.net} or @code{bob2.dsl.home.net} to the
-server running on @code{bob.work.com}.
-
-@item @code{ftp_hot_files : pattern}
-Bro matches the argument given in each FTP file manipulation
-request (RETR, STOR, etc.)
-against this pattern to see if the file is sensitive. If so,
-and if the request succeeds, then the access is logged.
-
-@cindex eggdrop
-@cindex filenames, sensitive
-Default: @code{aggdrop} a pattern that matches various flavors of password files, plus
-any string with @code{eggdrop} in it.  @emph{Note: Eggdrop is an IRC management
-tool often installed by certain attackers upon a successful break-in.}
-
-@item @code{ftp_not_actually_hot_files : pattern}
-A pattern giving exceptions to @code{ftp_hot_files}.  It turns out
-that a pattern like @code{/passwd/} generates a lot of false hits,
-such as from @code{passwd.c} (source for the @emph{passwd} utility;
-this can turn up in FTP sessions that fetch entire sets of utility sources
-using @code{MGET}) or @code{passwd.html} (a Web page explaining how to enter
-a password for accessing a particular page).
-
-Default: @code{/(passwd|shadow).*@code{.}(c|gif|htm|pl|rpm|tar|zip)/} .
-
-@item @code{ftp_hot_guest_files pattern}
-Files that guests should not attempt to access.
-
-@cindex rhosts
-@cindex forward
-Default: @code{.rhosts} and @code{.forward} .
-
-@item @code{skip_unexpected : set[addr]}
-If a new host (address) unexpectedly connects to the endpoint specified in a
-@code{PORT} or @code{PASV} directive, then if either the original host
-or the new host is in this set, no message is
-generated.  The idea is that you can specify multi-homed hosts that
-frequently show up in your FTP traffic, as these can generate innocuous
-warnings about connections from unexpected hosts.
-
-Default: some @code{hp.com} hosts, as an example.  Most are specified
-as raw IP addresses rather than hostnames, since the hostnames
-don't always consistently resolve.
-
-@item @code{skip_unexpected_net : set[addr]}
-The same as @code{skip_unexpected}, except addresses are masked to /24 and
-/16 before looked up in this set.
-
-Default: empty.
-
-@end table
-
-@cindex FTP, log file
-@cindex log file, FTP
-@cindex ftp session summary file
-In addition, @code{ftp_log} holds the name of the FTP log file to
-which Bro writes FTP session summaries.  It defaults to
-@code{open_log_file("ftp")}.
-
-Here is an example of what entries in this file look like:
-
-@example
-972499885.784104 #26 131.243.70.68/1899 > 64.55.26.206/ftp start
-972499886.685046 #26 response (220 tuvok.ooc.com FTP server
-    (Version wu-2.6.0(1) Fri Jun 23 09:17:44 EDT 2000) ready.)
-972499886.686025 #26 USER anonymous/IEUser@@ (logged in)
-972499887.850621 #26 TYPE I (ok)
-972499888.421741 #26 PASV (227 64.55.26.206/2427)
-972499889.493020 #26 SIZE /pub/OB/4.0/JOB-4.0.3.zip (213 1675597)
-972499890.135706 #26 *RETR /pub/OB/4.0/JOB-4.0.3.zip, ABOR (complete)
-972500055.491045 #26 response (225 ABOR command successful.)
-@end example
-
-Here we see a transcript of
-the 26th FTP session seen since Bro started running.  The first line
-gives its start time and the participating hosts and ports.  The
-next line (split across two lines above for clarity) gives the server's
-welcome banner.  The client then logged in as user ``@code{anonymous}'',
-and because this is one of the guest usernames, Bro recorded their
-password too, which in this case was ``@code{IEUser@@}'' (a useless
-string supplied by their Web browser).  The server accepted this
-authentication, so the status on the line is ``@code{(logged in)}''.
-
-The client then issues a request for the Image file type, to which the
-server agreed.  Next they issued a @code{PASV} directive, and received a
-response instructing them to connect to the server on port @code{2427/tcp}
-for the next transfer.  At this point, after issuing a @code{SIZE} directive
-(to which the server returned 1,675,597 bytes), they send @code{RETR} to
-fetch the file @emph{/pub/OB/4.0/JOB-4.0.3.zip}.  However, before the
-transfer completed, they issued @code{ABOR}, but the transfer finished
-before the server processed the abort, so the log shows a status of @code{completed}.  Furthermore, because the client issued two commands without
-waiting for an intervening response, these are shown together in the log
-file, and the line marked with a ``@code{*}'' so it draws the eye.  Finally,
-because Bro paired up the @code{(completed)} with the multi-request line, it
-then treats the response to the @code{ABOR} command as a reply by itself,
-showing in the last line that the server reported it successfully carried
-out the abort.
-
-The corresponding lines in the @file{conn} file look like:
-@example
-    972499885.784104 565.836 ftp 118 427 131.243.70.68 64.55.26.206
-        RSTO L #26 anonymous/IEUser@@
-    972499888.984116 165.098 ftp-data ? 1675597 131.243.70.68 
-	64.55.26.206 RSTO L
-@end example
-
-The first line summarizes the FTP control session (over which the client
-sends its requests and receives the server's responses).  It includes
-an @code{addl} annotation of ``@code{#26 anonymous/IEUser@@}'',
-summarizing the session number (so you can find the corresponding records
-in the @code{ftp} log file) and the authentication information.
-
-@cindex connection size, undetermined for RST termination
-@cindex RST termination, causing undetermined connection size
-The second line summarizes the single FTP data transfer, of 1,675,597 bytes.
-The amount of data sent by the client for this connection is shown as
-unknown because the client aborted the connection with a RST (hence
-the state @code{RSTO}).   For connections that Bro does not look inside
-(such as FTP data transfers), it learns the amount of data transferred from
-the sequence numbers of the SYN and FIN connection control packets, and
-can't (reliably) learn them for the sender of a RST.  (It can for the
-receiver of the RST.)
-
-They also aborted the control session (again, state @code{RSTO}), but
-in this case, Bro captured all of the packets of the session, so it
-could still assign sizes to both directions.
-
-@cindex analyzers, ftp, variables
-
-@node ftp functions,
-@subsection @code{ftp} functions
-
-@cindex analyzers, ftp, functions
-
-The standard @code{ftp} script provides one function for external use:
-
-@table @samp
-@item @code{is_ftp_data_conn (c: connection): bool }
-Returns true if the given connection matches one we're expecting
-as the data connection half of an FTP session.  @emph{Note: This function is
-not idempotent: if the connection matches an expected one, then
-Bro updates its state such that that connection is no longer expected.
-It also logs a discrepancy if the connection appears to be usurping
-another one that generated either a ``@code{PORT}'' or a ``@code{PASV}''
-directive.}
-
-Also returns true if the source port is @code{20/tcp} and there's currently
-an FTP session active between the originator and responder, in case for
-some reason Bro's bookkeeping is inconsistent.
-
-@end table
-
-@cindex analyzers, ftp, functions
-
-@node ftp event handlers,
-@subsection @code{ftp} event handlers
-@cindex analyzers, ftp, event handlers
-
-The standard script handles the following events:
-
-@table @samp
-@item @code{ftp_request (c: connection, command: string, arg: string)}
-Invoked upon the client side of connection @code{c} having made the request
-@code{command} with the argument @code{arg}.
-
-The processing depends on the particular command:
-@table @samp
-
-@item @code{USER}
-Specifies the username that the client wishes to
-use for authentication. If it is sensitive---in @code{hot_ids} (which
-the @code{ftp} analyzer accesses via a @code{@@load} of @code{hot-ids})---then
-the analyzer flags the FTP session as notice-worthy.  In addition, if
-the username is in @code{forbidden_ids}, then the analyzer terminates
-the session.
-
-The analyzer also updates the connection's @code{addl} field
-with the username.
-
-@item @code{PASS}
-Specifies the password to use for authentication.
-
-If the password is empty and the username appears in
-@code{forbidden_ids_if_no_password} (also from the @code{hot-ids} analyzer),
-then the analyzer terminates the connection.
-
-If the username corresponds to a guest account (@code{ftp_guest_ids}),
-then the analyzer updates the connection's @code{addl}  field
-with the password as additional account information.  Otherwise,
-it generates an @code{account_tried} event to
-facilitate detection of password guessing.
-
-@item @code{PORT}
-Instructs the FTP server to connect to the given
-IP address and port for delivery of the next FTP data item.  The analyzer
-first checks the address/port specifier for validity.  If valid, it
-will generate a notice if either the address specified in the directive
-does not match that of the client, or if the port corresponds to a
-``privileged'' port, i.e., one in the range 0--1023.  Finally, it
-establishes state so that @code{is_ftp_data_conn} can identify a
-subsequent connection corresponding to this directive as belonging to
-this FTP session.
-
-@item @code{ACCT}
-Specifies additional accounting information associated with a session,
-which the analyzer simply adds to the connection's 
-field.
-
-@item @code{APPE}, @code{CWD}, @code{DELE}, @code{MKD}, @code{RETR}, @code{RMD}, @code{RNFR}, @code{RNTO}, @code{STOR}, @code{STOU}
-All of these manipulate files (and directories).  The analyzer checks
-the filename against the policies to see if it is sensitive in the
-context of the given username (i.e., guest or non-guest), and, if so,
-marks the connection to generate a notice unless the operation fails.
-The analyzer also checks for an excessively long filename, currently
-by checking its length against a @emph{Deficiency:hardwired maximum of 250 bytes}.
-@end table
-
-@item @code{ftp_reply (c: connection, code: count, msg: string, cont_resp: bool)}
-Invoked upon the server side of connection @code{c} having replied to
-a request using the given status code and text message.  @code{cont_resp}
-is true if the reply line is tagged as being continued to the next line.
-The analyzer only processes requests when the last line of a continued
-reply is received.
-
-The analyzer checks the reply against any expected for the connection
-(for example, ``@code{log_if_not_denied}'') and generates notices accordingly.
-If the reply corresponds to a @code{PASV} directive, then it parses the
-address/port specification in the reply and generates notices in an analogous
-fashion as done by the @code{ftp_request} handler for @code{PORT} directives.
-
-Finally, if the reply is not one that the analyzer is hardwired to skip
-(code @code{150}, used at the beginning of a data transfer, and code
-@code{331}, used to prompt for a password),
-then it writes a summary of the request and reply to the FTP log file
-(See: @ref{ftp variables}).  Also, if the reply is an ``orphan'' (there was
-no corresponding request, perhaps because Bro started up after the
-request was made), then the reply is summarized in the log file by
-itself.
-
-@end table
-
-The standard @code{ftp} script defines one other handler, an instance of
- used to flush FTP session information
-in case the session terminates abnormally and no reply is seen to
-the pending request(s).
-
-@cindex analyzers, ftp, event handlers
-
-@node ftp notices,
-@subsection ftp notices
-@cindex ftp, notices
-
-The FTP analyzer can generate the following Notices:
-
-@itemize
-@item FTP::FTP_BadPort	 - Bad format in PORT/PASV
-@item FTP::FTP_ExcessiveFilename	- Very long filename seen 
-@item FTP::FTP_PrivPort	- Privileged port used in PORT/PASV 
-@item FTP::FTP_Sensitive -Sensitive connection (as defined in hot) 
-@item FTP::FTP_UnexpectedConn	- Data transfer from unexpected src.
-Suppose there's an FTP session between client A and server B, and either
-A issues a PORT or B issues a PASV.  Then what's expected is that A will
-rendezvous with B using the port specified in the PORT/PASV.  If instead
-a new IP address C connects to (or accepts from) the negotiated port, that
-generated FTP_UnexpectedConn.
-@end itemize
-
-
-@node http Analyzer,
-@section The @code{http} Analyzer
-
-@cindex HTTP, analysis
-
-The @code{http} analyzer processes traffic associated with
-the Hyper Text Transfer Protocol (HTTP) [RFC-1945],
-the main protocol used by the Web.  Bro instantiates an
-@code{http} analyzer for any connection with service port @code{80/tcp},
-providing you have loaded the @code{http} analyzer, or defined a handler
-for @code{http_request}.  It also instantiates an analyzer for
-service ports @code{8080/tcp} and @code{8000/tcp}, as these are
-often also used for Web servers.
-
-The analyzer uses a capture filter of ``@code{tcp dst port 80 or tcp dst port 8080 or tcp dst port 8000}'' (See: @ref{Filtering}).  Note: This filter excludes
-traffic sent by an HTTP server (that would be matched by @code{tcp src port 80},
-etc.), because @emph{Deficiency: Bro doesn't yet have an analyzer for HTTP replies.  It generates summaries of HTTP sessions (connections between the same client and server) and looks for access to sensitive URIs (effectively, URLs).}
-
-@menu
-* http variables::		
-* http event handlers::		
-@end menu
-
-@node http variables,
-@subsection @code{http} variables
-
-@cindex analyzers, http, variables
-
-@table @samp
-@cindex HTTP methods
-@item @code{sensitive_URIs : pattern}
-Any HTTP method (e.g., @code{GET}, @code{HEAD},
-@code{POST}) specifying
-a URI that matches this pattern is flagged as sensitive.
-
-@cindex etc/passwd
-@cindex etc/shadow
-@cindex Cold Fusion exploits
-Default: URIs with @code{/etc/passwd} or @code{/etc/shadow} embedded
-in them, or @code{/cfdocs/expeval} (used in some Cold Fusion exploits).
-Note: This latter generates some false hits; it's mainly included
-just to convey the notion of looking for direct attacks rather than
-attacks used to exploit sensitive files like the first ones. 
-
-@emph{Deficiency: It would be very handy to have variables providing hooks for more context when considering whether a particular access is sensitive, such as whether the request was inbound or outbound. }
-
-@item @code{sensitive_post_URIs : pattern}
-Any @code{POST} method specifying a URI that matches this pattern is flagged as
-sensitive.
-
-Default: URIs with @code{wwwroot} embedded in them.
-
-@end table
-
-@cindex frogs, dissecting
-@cindex http session summary file
-
-@cindex HTTP, log file
-@cindex log file, HTTP
-In addition, @code{http_log} holds the name of the HTTP log file to
-which Bro writes HTTP session summaries.  It defaults to
-@code{open_log_file("http")}.
-
-Here we show an example of what entries in this file look like:  
-
-@example
-972482763.371224 %1596 start 200.241.229.80 > 131.243.2.12
-%1596 GET /ITG.hm.pg.docs/dissect/portuguese/dissect.html
-%1596 GET /vfrog/bottom.icon.gif
-%1596 GET /vfrog/top.icon.gif
-%1596 GET /vfrog/movies/off.gif
-%1596 GET /vfrog/new.frog.small.gif
-@end example
-
-Here we see a transcript of
-the 1596th HTTP session seen since Bro started running.  The first line
-gives its start time and the participating hosts.  The
-next five lines all correspond to @code{GET} methods retrieving different
-items from the Web server.  @emph{Deficiency: Bro can't log whether the retrievals succeeded or failed because it doesn't yet have an HTTP reply analyzer. }
-
-The corresponding lines in the @code{conn} file look like:
-@example
-    972482762.872695 481.551 http 441 5040 131.243.2.12 200.241.229.80
-        S3 X %10596
-    972482764.686470 18.7611 http 596 7712 131.243.2.12 200.241.229.80
-        S3 X %10596
-    972482764.685047 ? http 603 2959 131.243.2.12 200.241.229.80
-        S1 X %10596
-@end example
-
-That there are three rather than five reflects @emph{(i)} that the client
-used persistent HTTP, and so didn't need one connection per item, but
-also @emph{(ii)} the client used three parallel connections (the maximum
-the standard allows is only two) to fetch the items more quickly.  As with FTP
-sessions, the @code{%10596} @code{addl} annotation lets you 
-correlate the @code{conn} entries with the log entries.
-
-@emph{Note: All three of the connections wound up in unusual states.  The first
-two are in state @code{S3}, which, as indicated by Table 7.3,
-means that the responder (in this case, the Web server) attempted to close
-the connection, but their was no reply from the originator.  The last is
-in state @code{S1}, indicating that neither side attempted to close the
-connection (which is why no duration is listed for the connection).}
-
-@cindex analyzers, http, variables
-
-@node http event handlers,
-@subsection @code{http} event handlers
-
-@cindex analyzers, http, event handlers
-
-The standard HTTP script defines one event handler:
-
-@table @samp
-@item @code{http_request c: connection, request: string, URI: string}
-Invoked whenever the client side of the given connection generates an
-HTTP request.  @code{request} gives the HTTP method and @code{URI} the
-associated resource.  The analyzer matches the URI against the ones
-defined as sensitive, as given above.
-@end table
-
-@emph{Deficiency: As mentioned above, the event engine does not currently generate an @code{http_reply} event.  This is for two reasons: first, the HTTP request stream is much lower volume than the HTTP reply stream, and I was interested in the degree to which Bro could get away without analyzing the higher volume stream.  (Of course, this argument is shallow, since one could control whether or not Bro should analyze HTTP replies by deciding whether or not to define an @code{http_reply} handler.)  Second, matching HTTP replies in their full generality involves a lot of work, because the HTTP standard allows replies to be delimited in a number of ways.  That said, most of the work for implementing @code{http_reply} is already done in the event engine, but it is missing testing and debugging.}
-
-@cindex analyzers, http, event handlers
-
-@node ident Analyzer,
-@section The @code{ident} Analyzer
-
-@cindex IDENT, analysis
-
-The @code{ident} analyzer processes traffic associated with
-the Identification Protocol [RFC-1413], which provides a simple
-service whereby clients can query Ident servers to discover user information
-associated with an existing connection between the server's host and
-the client's host.  Bro instantiates an @code{ident} analyzer for
-any connection with service port @code{113/tcp}, providing you have loaded
-the @code{ident} analyzer, or defined a handler for @code{ident_request},
-@code{ident_reply}, or @code{ident_error}.
-
-The analyzer uses a capture filter of ``@code{tcp port 113}''
-(See: @ref{Filtering}).
-The @code{ident_reply} handler annotates the @code{addl}
-field of the connection for which the Ident client made its query with the
-user information returned in the reply.  It also checks the user information
-against sensitive usernames, because a match indicates that the connection
-in the Ident query was initiated by a possibly-compromised account.
-
-@menu
-* ident variables::		
-* ident event handlers::	
-@end menu
-
-@node ident variables,
-@subsection @code{ident} variables
-
-@cindex analyzers, ident, variables
-
-The standard script defines the following pair of redefinable variables:
-
-@table @samp
-@item @code{hot_ident_ids : set[string]}
-usernames to flag as sensitive if they appear in an Ident reply.
-
-Default: @code{always_hot_ids} (See: @ref{hot-ids Analysis Script}).
-
-@item @code{hot_ident_exceptions : set[string]}
-usernames not to consider sensitive even if they appear in
-@code{hot_ident_ids}.
-
-@cindex daemons, as innocuous user names
-Default: @code{@{ "uucp", "nuucp", "daemon", @}}.  These usernames
-are exceptions because daemons sometimes run with the given user ids
-and their use is often innocuous.
-
-@end table
-
-@cindex analyzers, ident, variables
-
-@node ident event handlers,
-@subsection @code{ident} event handlers
-
-@cindex analyzers, ident, event handlers
-
-The standard script handles the following events:
-
-@table @samp
-@item @code{ident_request (c: connection, lport: port, rport: port)}
-Invoked when a client request arrives on connection @code{c}, querying
-about the connection from local port @code{lport} to remote port
-@code{rport}, where local and remote are relative to the client.
-
-@item @code{ident_reply (c: connection, lport: port, rport: port, user_id: string, system: string)}
-Invoked when a server replies to an Ident request.  @code{lport} and
-@code{rport} are again the local and remote ports (relative to the
-client) of the connection being asked about.  @code{user_id} is the
-user information returned in the Ident server's reply, and @code{system}
-is information regarding the operating system (the Ident specification
-does not further standardize this information).
-
-The handler annotates the queried connection with the user information,
-which it also checks against @code{hot_ident_ids} and @code{hot_ident_exceptions}
-as discussed above.  At present, it does nothing with the @code{system}
-information.
-
-@item @code{ident_error (c: connection, lport: port, rport: port, line: string)}
-Invoked when the given request yielded an error reply from the Ident
-server.  The handler annotates the connection with
-@code{ident/}@code{<}@emph{error}@code{>},
-where @emph{error} is the text given in @code{line}.
-
-@end table
-
-@cindex analyzers, ident, event handlers
-
-@node irc Analyzer,
-@section The @code{irc} Analyzer
-
-@cindex IRC, analysis
-
-The @code{IRC} analyzer processes traffic from chat sessions that
-use the IRC (Internet Relay Chat) protocol.
-It can analyze client-server connections and server-server connections.
-
-Bro instantiates an @code{IRC} analyzer for any connection with service
-ports @code{6666/tcp} or @code{6667/tcp},
-providing you have loaded the @code{IRC} analyzer, or defined a handler
-for one of the IRC events.
-It it also possible to analyze server connections, but to do so you need
-to recompile Bro to include the necessary ports if they are not the
-usual ones.
-
-Bro can analyze compressed connections if it sees the beginning of the
-connection.
-
-@menu
-* irc records::
-* irc variables::
-* irc event handlers::
-@end menu
-
-@node irc records,
-@subsection @code{irc} records
-
-@cindex analyzers, irc, records
-
-The standard script defines a record for users and one for channels.
-This is the user record:
-@example
-type irc_user: record @{
-	u_nick: string;			# nick name
-	u_real: string;			# real name
-	u_host: string;			# client host
-	u_channels: set[string];	# channels user is a member of
-	u_is_operator: bool;		# user is server operator
-	u_conn: connection;
-@}
-@end example
-
-This record represents a user inside the IRC network.
-The corresponding fields are:
-
-@table @samp
-
-@item @code{u_nick}
-The nick name of the user.
-
-@item @code{u_real}
-The real name of the user.
-
-@item @code{u_host}
-This is the client's host name.
-
-@item @code{u_channels}
-A list of channels the user has joined.
-
-@item @code{u_isOp}
-If the user got operator status in the IRC network this will be set to true.
-
-@item @code{u_conn}
-The TCP connection which this IRC connection is based on.
-
-@end table
-
-This is the channel record:
-@example
-type irc_channel: record @{
-	c_name: string;		# channel name
-	c_users: set[string];	# users in channel
-	c_ops: set[string];	# channel operators
-	c_type: string;		# channel type
-	c_modes: string;	# channel modes
-@}
-@end example
-
-This record represents a channel inside the IRC network.
-The corresponding fields are:
-
-@table @samp
-
-@item @code{c_name}
-The name of the channel.
-
-@item @code{c_users}
-A list of nick names of users in this channel.
-
-@item @code{c_ops}
-A list of nick names of users with operator status in this channel.
-
-@item @code{c_type}
-The channel type.
-
-@item @code{c_modes}
-The channel modes.
-@end table
-
-@cindex analyzers, irc, records
-
-@node irc variables,
-@subsection @code{irc} variables
-
-@cindex analyzers, irc, variables
-
-The standard script defines the following set of redefinable variables:
-
-@table @samp
-
-@item @code{IRC::hot_words}
-list of regular expressions which will generate notice messages.  The
-analyzer searches for these patterns in user messages, notices and all
-unknown IRC commands.
-
-@item @code{IRC::ignore_in_other_msgs: set[string]}
-list of IRC commands which are ignored in the events for unknown commands.
-
-@item @code{IRC::ignore_in_other_responses: set[count]}
-list of IRC return codes which are ignored in the event for unknown return
-codes.
-
-@end table
-
-These variables contain information about users and channels which were identified by Bro.
-
-@table @samp
-
-@item @code{IRC::users: table[string]}
-contains all identified IRC users as @code{irc_user} objects.
-
-@item @code{IRC::channels: table[string]}
-contains all identified IRC channels as @code{irc_channel} objects.
-
-@end table
-
-@cindex analyzers, irc, variables
-
-@node irc event handlers,
-@subsection @code{irc} event handlers
-
-@cindex analyzers, irc, event handlers
-
-The standard script handles the following events:
-
-@table @samp
-
-@item @code{irc_privmsg_message (c: connection, source: string, target: string, message: string)}
-A user sent a message to another user or channel.
-
-@code{IRC} command: PRIVMSG
-
-The source is the user who sent the message to the target user/channel.
-Message contains the data sent to the target.
-
-@item @code{irc_notice_message (c: connection, source: string, target: string, message: string)}
-This is very similar to the irc_privmsg_message. It is typically used by
-services or client scripts to send status messages.
-
-@code{IRC} command: NOTICE
-
-The source is the user who sent the message to the target user/channel.
-Message contains the data sent to the target.
-
-@item @code{irc_squery_message (c: connection, source: string, target: string, message: string)}
-This event is activated if somebody sends a message to an IRC service.
-
-@code{IRC} command: SQUERY
-
-The source is the user who sent the message to the target service.
-Message contains the data sent to the target.
-
-@item @code{irc_enter_message (c: connection, nick: string, realname: string)}
-Every time a user enters the IRC network this event occurs.
-
-@code{IRC} command: USER
-
-Nick contains the selected nick name of the user and realname the user's
-name in real life.
-
-@item @code{irc_quit_message (c: connection, nick: string, message: string)}
-
-Every time a user quits the IRC network this event occurs.
-
-@code{IRC} command: QUIT
-
-Nick contains the nick name of the sender. An optional quit message is included in message.
-
-@item @code{irc_join_message (c: connection, infoList: irc_join_list)}
-
-If a user joins one or more IRC channels this event occurs.
-
-@code{IRC} command: JOIN
-
-The infoList contains a list of joined channel names and - if provided by
-user - the passwords for them.
-
-@item @code{irc_part_message (c: connection, nick: string, channels: string_set, message: string)}
-
-If a user exits one or more IRC channels this event occurs.
-
-@code{IRC} command: PART
-
-Nick contains the nick name of the user.
-Channels is a set of channel names.
-If the user supplies a quit message it is included in message.
-
-@item @code{irc_nick_message (c: connection, who: string, newnick: string)}
-
-This event occurs when users change their nick names.
-
-@code{IRC} command: NICK
-
-Who contains the IRC message prefix which includes the user nick and host.
-Newnick is the new nick name of this user.
-
-@item @code{irc_invalid_nick (c: connection)}
-
-This event occurs when users change their nick names and the name was invalid.
-
-@code{IRC} response to: NICK
-
-@item @code{irc_network_info (c: connection, users: count, services: count, servers: count)}
-
-This a summary of the status of the whole IRC network.
-
-@code{IRC} response to: LUSERS
-
-Users, services and servers are the total number of users, services and IRC servers connected to the IRC network.
-
-@item @code{irc_server_info (c: connection, users: count, services: count, servers: count)}
-
-This a summary of an IRC server status.
-
-@code{IRC} response to: LUSERS
-
-Users, services and servers are the total number of users, services and IRC servers connected with this IRC server.
-
-@item @code{irc_channel_info (c: connection, channels: count)}
-
-Displays the total number of channels.
-
-@code{IRC} response to: LUSERS
-
-Channels is the number of IRC channels formed on this server (local + global).
-
-@item @code{irc_who_message (c: connection, mask: string, oper: bool)}
-
-The event occurs if an IRC user sent the WHO command to get information about an IRC user or channel.
-
-@code{IRC} command: WHO
-
-Mask is the target of the search. This can be a channel or user name,
-wildcards are allowed.  If oper is true then the user asks only for operator
-user results.
-
-@item @code{irc_who_line (c: connection, target_nick: string, channel:
-string, user: string, host: string, server: string, nick: string, params:
-string, hops: count, realname: string)}
-
-This includes several information about an IRC user.
-
-@code{IRC} response to: WHO
-
-@code{Target_nick} is the nick name of the IRC user who sent the WHO request.
-The username of the returned IRC user is included in @code{user}, his nick
-name in @code{nick} and real name in @code{realname}.  The client DNS/IP
-address is @code{host}. @code{Params} includes the channel parameters for
-this user (e.g. "@@" for channel operators).  The user is connected to IRC
-server @code{server} and the number of servers between him and the requester
-is @code{hops}.  @code{Channel} includes the channel name which was target
-for the request.
-
-@item @code{irc_whois_message (c: connection, server: string, users: string)}
-
-The event occurs if an IRC user sent the WHOIS command to get information
-about one or more IRC users.
-
-@code{IRC} command: WHOIS
-
-If server is given then the user wants this specific server to answer.
-Users is comma separated list of nick names for which information is
-requested.
-
-@item @code{irc_whois_user_line (c: connection, nick: string, user: string, host: string, realName: string)}
-
-This includes several information about an IRC user.
-
-@code{IRC} response to: WHOIS
-
-The user with nick name nick has the user name user and his real name is realname. The IRC client runs on host.
-
-@item @code{irc_whois_operator_line (c: connection, nick: string)}
-
-This response to an WHOIS command gives information if an IRC user is operator.
-
-@code{IRC} response to: WHOIS
-
-The IRC user with nick name nick has operator status.
-
-@item @code{irc_whois_channel_line (c: connection, nick: string, channels: string_set)}
-
-This response to an WHOIS command gives information on the channels of an
-IRC user.
-
-@code{IRC} response to: WHOIS
-
-The IRC user with nick name nick is member in all IRC channels of the
-variable channels.
-
-@item @code{irc_oper_message (c: connection, user: string, password: string)}
-
-This means that an IRC user requested operator status.
-
-@code{IRC} command: OPER
-
-The user and password parameters are used to authenticate the possible
-operator. They must fit to the IRCD server settings.
-
-@item @code{irc_oper_response (c: connection, got_oper: bool)}
-
-This is the answer to an operator request.
-
-@code{IRC} response to: OPER
-
-If the IRC user got operator status the got_oper variable is true.
-
-@item @code{irc_kick_message (c: connection, prefix: string, channels: string, users: string, comment: string)}
-
-An user requested to remove somebody from a channel.
-
-@code{IRC} command: KICK
-
-Prefix includes the requesters nick name and host. The user requested to
-remove the users (comma separated list) from the channels (comma separated
-list).  If the requester provided an optional kick message it is included
-in comment.
-
-@item @code{irc_error_message (c: connection, prefix: string, message: string)}
-
-An IRC server sent an error message to one or more clients.
-
-@code{IRC} command: ERROR
-
-Prefix includes the server name and message contains the error message.
-
-@item @code{irc_invite_message (c: connection, prefix: string, nickname: string, channel: string)}
-
-An IRC user sent an invitation for a closed channel to another user.
-
-@code{IRC} command: INVITE
-
-Prefix includes the senders nick and host. The IRC user with the nick name
-nickname is invited to the channel with name channel.
-
-@item @code{irc_mode_message (c: connection, prefix: string, params: string)}
-
-An IRC user sent an user or channel mode message.
-
-@code{IRC} command: MODE
-
-@item @code{irc_squit_message (c: connection, prefix: string, server: string, message: string)}
-
-This means that the disconnection of a server link was requested. This
-command is only available to operators.
-
-@code{IRC} command: SQUIT
-
-Prefix includes the requesters nick and host. Server is the host name of
-the server to disconnect and message contains an optional comment.
-
-@item @code{irc_names_info (c: connection, c_type: string, channel: string, users: string_set)}
-
-This reply to a NAMES command gives information what users are on what
-channels.
-
-@code{IRC} response to: NAMES
-
-C_type is "@@" for secret, "*" for private and "=" for public channels.
-Channel contains the channel name.  Users is a list of nick names that are
-member of this channel.
-
-@item @code{irc_dcc_message (c: connection, prefix: string, target: string, dcc_type: string,
-argument: string, address: addr, dest_port: count, size: count)}
-
-An user sent a DCC request to another user to setup a direct connection
-between these users.
-
-@code{IRC} command: PRIVMSG DCC
-
-Prefix contains the requesters nick and host. Target contains the target
-user's nick name.  Dcc_type can be "CHAT" for chat connections or "SEND"
-for file transfers.  Argument contains the file name for file transfers
-or "chat" for chat connections.  Address and dest_port specify where the
-target user should connect.  Size is only given for file transfers and
-contains the file size in bytes.
-
-@item @code{irc_request (c: connection, prefix: string, command: string, arguments: string)}
-
-All client messages that do not fit to the other events are handled here.
-
-Prefix is usually formated like this: <nickname>!<user>@@<hostname>.
-Command contains the command string which was sent and arguments the
-corresponding argument values.
-
-@item @code{irc_message (c: connection, prefix: string, command: string, message: string)}
-
-All server messages that do not fit to the other events are handled here.
-
-Prefix is usually the server name.  Command contains the command string
-which was sent and message contains additional parameters.
-
-@item @code{irc_response (c: connection, prefix: string, code: count, params: string)}
-
-All server response messages that do not fit to the other events are handled
-here.
-
-Prefix is usually the server name.  Code is the numeric reply code and
-params contains any additional parameters.
-
-@end table
-
-@node login Analyzer,
-@section The @code{login} Analyzer
-@cindex login session
-@cindex Rlogin, sessions
-@cindex Telnet, sessions
-@cindex Unix analysis
-@cindex keystrokes, analysis
-@cindex input, analysis
-@cindex user keystrokes, analysis
-The @code{login} analyzer inspects interactive login sessions
-to extract username and password information, and monitors user
-keystrokes and the text returned by the login server.  It is one of
-the most powerful Bro modules for detecting break-ins to Unix
-systems because of the ability to look for particular commands that
-attackers often execute once they have penetrated a Unix machine.
-
-The analyzer is generic in the sense that it applies to more
-than one protocol.  Currently, Bro instantiates a @code{login}
-analyzer for both Telnet [RFC-854] and Rlogin [RFC-1282]
-traffic.  In principle, it could do the same for other protocols such as
-SSH [RFC-XXX] or perhaps X11 [RFC-1013], if one could write
-the corresponding elements of the event engine to decrypt the
-SSH session (naturally, this would require access to the encryption keys)
-or extract authentication information and keystrokes from the
-X11 event stream.  @emph{Note: The analyzer does an exceedingly limited
-form of SSH analysis; see @code{hot_ssh_orig_ports} }. 
-
-@cindex authentication dialog
-@cindex usernames, extracting
-@cindex sniffing
-@cindex passwords, sniffing
-@cindex heuristics, extracting username information
-@cindex Telnet, options
-@cindex options, Telnet
-For Telnet, the event engine knows how to remove in-band Telnet option
-sequences [RFC-855]
-from the text stream, and does not deliver these to
-the event handlers, except for a few options
-that the engine
-analyzes in detail (such as attempts to negotiate authentication).
-Unfortunately, the Telnet protocol does not include any explicit
-marking of username or password information (unlike the FTP protocol,
-as discussed in @ref{ftp Analyzer}).  Consequently, Bro employs a series
-of heuristics that attempt to extract the username and password from the
-authentication dialog the session is presumed to begin with.  The
-analysis becomes quite complicated due to the possible use of
-type-ahead and editing sequences by the user, plus the possibility
-@cindex evasion, authentication dialog
-that the user may be an attacker who attempts to mislead the heuristics
-in order to disguise the username they are accessing.
-
-@cindex rhosts
-Analyzing Rlogin is nominally easier than analyzing Telnet because Rlogin
-has a simpler in-band option scheme, and because the Rlogin protocol
-explicitly indicates the username in the initial connection dialog.
-However, this last is not actually a help to the analyzer, because
-for most Rlogin servers, if the initial username fails authentication
-(for example, is not present in the @code{.rhosts} file local to
-the server), then the server falls back on the same authentication
-dialog as with Telnet
-(prompting for username and then password, or perhaps just
-for a password to go with the transmitted username).
-Consequently, the event engine employs the same set of heuristics
-as for Telnet.
-
-Each connection processed by the analyzer is in a distinct state:
-user attempting to authenticate, user has successfully authenticated,
-analyzer is skipping any further processing, or the analyzer is
-confused (See: @ref{login analyzer confusion}).  You can find out the state of
-a given connection using @code{get_login_state}.
-
-The analyzer uses a capture filter of ``@code{tcp port 23 or tcp port 513}''
-@code{@ref{Filtering}}.  It annotates each connection
-with the username(s) present in the authentication dialog.  If
-the username was authenticated successfully, then it encloses
-the annotation in quotes. If the authentication failed, then
-the name is marked as @code{failed/}@code{<}@emph{username}@code{>}.
-So, for example, if user ``smith'' successfully authenticates,
-then the connection's @code{addl} field will have
-@code{"smith"} appended to it:
-@example
-931803523.006848 254.377 telnet 324 8891 1.2.3.4 5.6.7.8 SF L "smith"
-@end example
-
-while if ``smith'' failed to authenticate, the report will look like:
-@example
-931803523.006848 254.377 telnet 324 8891 1.2.3.4 5.6.7.8 SF L fail/smith
-@end example
-
-and if they first tried as ``smith'' and failed, and then succeeded
-as ``jones'', the record would look like:
-@example
-931803523.006848 254.377 telnet 324 8891 1.2.3.4 5.6.7.8 SF L 
-	fail/smith "jones"
-@end example
-
-@cindex passwords, inadvertently exposed
-@cindex sensitive information, inadvertently exposed
-@emph{Note: The event engine's heuristics can sometimes get out of synch
-such that it interprets a password as a username; in addition, users
-sometimes type their password when they should instead enter
-their username.  Consequently, the connection logs sometimes include
-passwords in the annotations, and so should be treated as very sensitive
-information (e.g., not readable by any user other than the one running
-Bro). }
-
-@menu
-* login analyzer confusion::	
-* login variables::		
-* login functions::		
-* login event handlers::	
-@end menu
-
-@node login analyzer confusion,
-@subsection @code{login} analyzer confusion
-@cindex login analysis, confusion
-@cindex confused login analysis
-@cindex heuristics, confusion
-@cindex confusion of heuristics
-@cindex failure of heuristics
-@cindex authentication dialog
-@cindex usernames, extracting
-@cindex heuristics, extracting username information
-@cindex rhosts
-Because there is no well-defined protocol for Telnet authentication
-(or Rlogin, if the initial
-@code{.rhosts} authentication fails), the @code{login} analyzer employs a set
-of heuristics to detect the username, password, and whether the authentication
-attempt succeeded.  All in all, these heuristics work quite well, but
-it is possible for them to become confused and reach incorrect conclusions.
-
-Bro attempts to detect such confusion.  If it does, then it generates a
- event, after which the event engine will no
-longer attempt to follow the authentication dialog.  In particular, it will
-@emph{not} generate subsequent @code{login_failure} or
-@code{login_sucess} events.  The @code{login_confused} event includes
-a string describing the type of confusion, using one of the values
-given in the table below.
-
-
-@float Table, Login analyzer confusion
-@multitable  @columnfractions .35 .55
-@item @strong{Type of confusion} @tab @strong{Meaning}
-@item "excessive typeahead" 
-@tab The user has typed ahead 12 or more lines. Deficiency: The upper bound
-should be adjustable.
-@item "extra repeat text" 
-@tab The user has entered more than one VMS repeat sequence (an escape
-followed by "[A") on the same line. Note: Bro determines
-that a login session involves a VMS server if the server prompts with
-"@code{Username:}". It then interprets VMS repeat sequences as indicating
-it should replace the current line with the previous line.
-@item "multiple USERs" 
-@tab The user has specified more than one username using the $USER environment
-variable.
-@item "multiple login prompts" 
-@tab The analyzer has seen several login prompts on the same line, and has
-not seen a corresponding number of lines typed ahead previously by the
-user.
-@item "no login prompt" 
-@tab The analyzer has seen 50 lines sent by the server without any of them
-matching login prompts. Deficiency: The value of 50 should be adjustable.
-@item "no username" 
-@tab The analyzer is generating an event after having already seen a login
-failure, but the user's input has not provided another username to include
-with the event. Note: If the analyzer's heuristics indicate it's okay that
-no new username has been given, such as when the event is generated
-due to one connection endpoint closing the connection, then it instead
-uses the username @code{<none>}.
-@item "no username2" 
-@tab The analyzer saw an additional password prompt without seeing an intervening
-username, and it has no previous username to reuse.
-@item "non empty multi login" 
-@tab The analyzer saw multiple adjacent login prompts, with an apparently
-ignored intervening username typed-ahead between them.
-@item "possible login ploy" 
-@tab The client sent text that matches one of the patterns reflecting text usually
-sent by the server. This form of confusion can reflect an attacker attempting
-to evade the monitor. For example, the client may have sent the text
-"@code{login:} as a username so that when echoed back by the server, the
-analyzer would misinterpret it as reflecting another login prompt from
-the server.
-@item "repeat without username" 
-@tab The user entered a VMS repeat sequence but there is no username to
-repeat. (See extra repeat text for a discussion of the analyzer's
-heuristics for dealing with VMS servers.)
-@item "responder environment" 
-@tab The responder (login server) has signaled a set of environment variables
-to the originator (login client). This is in the opposite direction as to what
-makes sense.
-@item "username with embedded repeat" 
-@tab The line repeated by a VMS server in response to a repeat sequence itself
-contains a repeat sequence.
-@end multitable
-@caption{Different types of confusion that login analyzer can report}
-@end float
-
-@node login variables,
-@subsection @code{login} variables
-
-@cindex analyzers, login, variables
-
-The standard script defines a large number of variables for refining the
-analysis policy:
-
-@table @samp
-@item @code{input_trouble : pattern} 
-lists patterns that the analyzer
-should flag if they appear in the user's input (keystroke) stream.
-
-@cindex user keystrokes, editing
-@cindex keystrokes, editing
-@cindex input, editing
-The analyzer searches for these patterns both in the raw text typed
-by the user and the same lines after applying @emph{editing}
-using the @code{edit} function twice: once with interpreting
-@emph{BS} (ctrl-H) as delete-one-character, and once with @emph{DEL}
-as the edit character.  If any of these matches, then the analyzer
-considers the pattern to have matched.
-
-@code{eggdrop}
-@cindex root, backdoors
-@cindex Internet Relay Chat (IRC), attacker subpopulation
-@cindex exploits, Unix
-Default: a pattern matching occurrences of the strings
-``@code{rewt}'',
-``@code{eggdrop}'',
-``@code{loadmodule}'', or
-``@code{/bin/eject}''.  The first of these is a popular username attackers
-use for root backdoor accounts.  The second reflects that one prevalent
-class of attackers are devotees of Internet Relay Chat (IRC), who
-frequently upon breaking into an account install the IRC @code{eggdrop}
-utility.
-
-@item @code{edited_input_trouble : pattern} 
-is the same as @code{input_trouble} except the analyzer only checks the edited
-user input against the pattern, not the raw input (see above).
-
-This variable is provided so you can specify patterns that can
-occur innocuously as typos; whenever the user corrects the typo before
-terminating the line, the pattern won't match, because it won't be present
-in the edited version of the line.  In addition, for matches to
-these patterns, the analyzer @emph{delays} reporting the match until
-it sees the next line of output from the server.  It then includes
-both the line that triggered the match and the corresponding response
-from the server, which makes it easy for a human inspecting the logs
-to tell if the occurrence of the pattern was in fact innocuous.
-
-@cindex filenames, sensitive
-@cindex directory names, sensitive
-@cindex sensitive filenames
-Here's an example of an innocuous report:
-@example
-936723303.760483 1.2.3.4/21550 > 5.6.7.8/telnet
-    input "cd ..." yielded output "ksh: ...:  not found."
-@end example
-
-It was flagged because the user's input included
-``@code{...}'', a name commonly used by attackers to surreptitiously
-hide a directory containing their tools and the like.  However, we
-see from the Telnet server's response that this was not actual access
-to such a directory, but merely a typing mistake.
-
-On the other hand:
-@example
-937528764.579039 1.2.3.4/3834 > 5.6.7.8/telnet
-    input "cd ..." yielded output "maroon# ftp 
-	sunspot.sunspot.noao.edu "
-@end example
-
-shows a problem---the lines returned by the server was a root
-prompt (``@code{maroon@code{#}}''), to which the user issued a command to
-access a remote FTP server.
-
-@emph{Deficiency: The analyzer should decouple the notion of waiting to receive the server's reply from the notion of matching only the edited form of the line; there might be raw inputs for which it is useful to see the server's response, and edited inputs for which the server's response is unimportant in terms of knowing that the input spells trouble. }
-
-Default: the pattern
-@example
-    /[ \t]*cd[ \t]+((['"]?\.\.\.)|(["'](\.[^"']*)[ \t]))/
-@end example
-
-which looks for a ``@code{cd}'' command to either a directory beginning
-with ``@code{...}'' (optionally quoted by the user) or a directory
-name beginning with ``@code{.}'' that is quoted and includes an
-embedded blank or tab.
-
-@item @code{output_trouble : pattern} 
-lists patterns that
-the analyzer should flag if they occur in the output sent by the
-login server back to the user.
-
-@cindex buffer overflow tools
-@cindex exploits, buffer overflow
-@cindex sniffer logs
-@cindex trojaning
-@cindex Linux, super exploit
-@cindex smurf attacks
-@cindex attacks, smurf
-@cindex log file, altering
-@cindex altering log files
-@code{PATH_UTMP sensitive pattern}
-@code{smashdu.c exploit tool}
-@cindex root, setuid
-@cindex setuid root
-@cindex command shell, setuid root
-@cindex ls
-@cindex utilities, ls
-@cindex lynx utility
-@cindex utilities, lynx
-@cindex fetch utility
-@cindex utilities, fetch
-@cindex anticode.com
-@cindex TFreak
-Default: the pattern
-@example
-      /^-r.s.*root.*\/bin\/(sh|csh|tcsh)/
-    | /Jumping to address/
-    | /smashdu\.c/
-    | /PATH_UTMP/
-    | /Log started at =/    
-    | /www\.anticode\.com/
-    | /smurf\.c by TFreak/
-    | /Trojaning in progress/ 
-    | /Super Linux Xploit/
-@end example
-
-The first of these triggers any time the user inspects with the
-@emph{ls} utility an executable whose pathname ends in @code{/bin/} followed
-by one of the popular command shells, and the @emph{ls} output shows
-that the command shell has been altered to be setuid to root.
-The remainder match either the output generated by some popular
-exploit tools (for example, ``@code{Jumping to address}'', present
-in many buffer overflow exploit tools), exploit tool names (``@code{smashdu.c}''),
-text found within the tool source code (``@code{smurf.c by TFreak}''),
-or URLs accessed (say via the @emph{lynx} or @emph{fetch} utilities)
-to retrieve attack software (``@code{www.anticode.com}'').
-
-@cindex backdoor, prompts
-@item @code{backdoor_prompts : pattern} 
-lists patterns that
-the analyzer should flag if they are seen as the first line sent by the
-server to the user, because they often correspond with
-backdoors that offer a remote user immediate command shell access
-without having to first authenticate.
-
-Default: the pattern ``@code{/^[!-~]*( ?)[#%$] /}'', which matches
-a line that begins with a series of printable, non-blank characters and
-ends with a likely prompt character, with a blank just after
-the prompt character and perhaps before it.
-
-@cindex backdoor, avoiding false positives
-@item @code{non_backdoor_prompts : pattern} 
-lists patterns
-that if a possible backdoor prompt also matches, then the analyzer
-should not consider the server output as indicating a backdoor prompt.
-Used to limit false positives for @code{backdoor_prompts}.
-
-Default: the pattern ``@code{/^ *#.*#/}'', which catches lines with
-more than one occurrence of a @code{#}.  Some servers generate such
-lines as part of their welcome banner.
-
-@cindex backdoor, triggered by terminal type
-@cindex magic terminal types
-@item @code{hot_terminal_types : pattern} 
-lists ``magic''
-terminal types sometimes used by attackers to access backdoors.
-Both Telnet and Rlogin have mechanisms for negotiating a terminal
-type (name; e.g., ``@code{xterm}''); these backdoors trigger and skip
-authentication if the name has a particular value.
-
-@code{VT666}
-Default: the name ``@code{VT666}'', one of the trigger terminal types
-we've observed in practice.
-
-@cindex backdoor, triggered by ephemeral port
-@cindex ephemeral port, triggering a backdoor
-@cindex client port, triggering a backdoor
-
-@item @code{hot_telnet_orig_ports : set[port]} 
-Some Telnet backdoors trigger if the ephemeral port used by the client side of the connection
-happens to be a particular value.  This variable is used to list the
-port values whose use should be considered as possibly indicating
-a backdoor.  @emph{Note: Clearly, this mechanism can generate false
-positives when the client by chance happens to choose one of the
-listed ports.}
-
-Default: @code{53982/tcp}, one of the trigger ports we have observed
-in practice.
-
-@emph{Deficiency: There should be a corresponding variable for Rlogin backdoors triggered by a similar mechanism. }
-
-@item @code{hot_ssh_orig_ports : set[port]} 
-Similar to @code{hot_telnet_orig_ports}, only for SSH.
-
-Default: @code{31337/tcp}, a trigger port that we've observed in practice.
-
-@item @code{skip_authentication : set[string]} 
-A set of strings
-that, if present in the server's initial output (i.e., its welcome banner),
-indicates the analyzer should not attempt to analyze the session for an
-authentication dialog.  This is used for servers that provide public
-access and don't bother authenticating the user.
-
-Default: the string @code{"WELCOME TO THE BERKELEY PUBLIC LIBRARY"},
-which corresponds to a frequently accessed public server in the
-Berkeley area.  (Obviously, we include this default as an example,
-and not because it will be appropriate for most Bro users!  But it
-does little harm to include it.)
-
-@emph{Deficiency: It would be more natural if this variable and a number of others listed below were of type @code{pattern} rather than @code{set[string]}.  They are actually converted internally by the event engine into regular expressions. }
-
-@item @code{direct_login_prompts : set[string]} 
-A set of strings
-that if seen during the authentication dialog mean that the user will
-be logged in as soon as they answer the prompt.
-
-Default: @code{"TERMINAL?"}, a prompt used by some terminal servers.
-
-@code{login_prompts : set[string]} 
-A set of strings corresponding to login username prompts during an authentication
-dialog.
-
-Default: the strings
-@example
-    Login:
-    login:
-    Name:
-    Username:
-    User:
-    Member Name
-@end example
-
-and the default contents of @code{direct_login_prompts}.
-
-@item @code{login_failure_msgs : set[string]} 
-A set of strings
-that if seen in text sent by the server during the authentication dialog
-correspond to a failed login attempt.
-
-Default: the strings
-@example
-    invalid
-    Invalid
-    incorrect
-    Incorrect
-    failure
-    Failure,
-    User authorization failure,
-    Login failed,
-    INVALID
-    Sorry,
-    Sorry.
-@end example
-
-@item @code{login_non_failure_msgs : set[string]} 
-A set of strings
-similar to @code{login_failure_msgs} that if present mean that the
-server text does not actually correspond to an authentication failure
-(i.e., if @code{login_failure_msgs} also matches, it's a false
-positive).
-
-Default: the strings
-@example
-    Failures
-    failures
-    failure since last successful login
-    failures since last successful login
-@end example
-
-@item @code{router_prompts : set[string]} 
-A set of strings
-corresponding to prompts returned by the local routers when a
-user successfully authenticates to the router.
-For the purpose of this variable, see the next variable.
-
-Default: empty.
-
-@item @code{login_success_msgs : set[string]} 
-A set of strings
-that if seen in text sent by the server during the authentication dialog
-correspond to a successful authentication attempt.
-
-Default: the strings
-@example
-    Last login
-    Last successful login
-    Last   successful login
-    checking for disk quotas
-    unsuccessful login attempts
-    failure since last successful login
-    failures since last successful login
-@end example
-
-and the default contents of the @code{router_prompts} variable.
-
-@emph{Deficiency: Since by default @code{router_prompts} is empty, this last inclusion does nothing.  In particular, if you redefine @code{router_prompts} then @code{login_success_msgs} will @emph{not}  pick up the change; you will need to redefine it to (again) include @code{router_prompts}, using: @w{redef login_success_msgs += router_prompts}. This is clearly a misfeature of Bro and will be fixed one fine day. }
-
-@item @code{login_timeouts : set[string]} 
-A set of strings that if seen in text sent by the server during the authentication dialog
-correspond to the server having timed out the authentication attempt.
-
-Default: the strings
-@example
-    timeout
-    timed out
-    Timeout
-    Timed out
-    Error reading command input
-@end example
-
-(This last is returned by the VMS operating system.)
-
-@item @code{non_ASCII_hosts : set[addr]} 
-A set of addresses corresponding to hosts whose login servers do not (primarily) use
-7-bit ASCII.  The analyzer will not attempt to analyze authentication
-dialogs to such hosts, and will not complain about huge lines
-generated by either the sender or receiver (per @code{excessive_line}).
-
-Default: empty.
-
-@item @code{skip_logins_to : set[addr]} 
-A set of addresses corresponding to hosts for which the analyzer should not attempt
-to analyze authentication dialogs.
-
-Default: the (empty) contents of @code{non_ASCII_hosts}.
-
-@item @code{always_hot_login_ids : set[string]} A set of usernames
-that the analyzer should always flag as sensitive, even if they're seen in
-a session for which the analyzer is @emph{confused} @ref{login analyzer confusion}.
-
-Default: the value of @code{always_hot_ids} defined by the
-@code{hot} analyzer.
-
-@item @code{hot_login_ids : set[string]} 
-A set of usernames that the analyzer should flag as sensitive, unless it sees them
-in a session for which the analyzer is @emph{confused} 
-(See: @ref{login analyzer confusion}).
-
-Default: the value of @code{hot_ids} defined by the
-@code{hot-ids} analyzer.
-
-@cindex rhosts
-@item @code{rlogin_id_okay_if_no_password_exposed : set[string]}
-A set of username exceptions to @code{hot_login_ids} which the
-analyzer should not flag as sensitive if the user authenticated without
-exposing a password (so, for example, via @code{.rhosts}).
-
-Default: the username @code{"root"}.
-
-@end table
-
-@cindex analyzers, login, variables
-
-@node login functions,
-@subsection @code{login} functions
-
-@cindex analyzers, login, functions
-
-The standard @code{login} script provides the following functions for external use:
-
-@table @samp
-@item @code{is_login_conn (c: connection): bool }
-Returns true if the given connection is one analyzed by @code{login}
-(currently, Telnet or Rlogin), false otherwise.
-
-@item @code{hot_login (c: connection, msg: string, tag: string) }
-Marks the given connection as hot, logs the given message, and
-demultiplexes @code{demux} the subsequent server-side contents of the
-connection to a filename based on @code{tag} and the client-side
-to a filename based on the name @code{"keys"}.  No return value.
-
-@item @code{is_hot_id (id: string, successful: bool, confused: bool): bool}
-Returns true if the username id should be considered sensitive,
-given that the user either did or did not successfully authenticate,
-and that the analyze was or was not in a @emph{confused} state
-(See: @ref{login analyzer confusion}).
-
-@item @code{is_forbidden_id (id: string): bool }
-Returns true if the username id is present in 
-@code{forbidden_ids} or @code{forbidden_id_patterns}.
-
-@item @code{edit_and_check_line (c: connection, line: string, successful: bool): check_info}
-Tests whether the given line of text seen on connection @code{c} includes
-a sensitive username, after first applying @emph{BS} and @emph{DEL}
-keystroke editing (see: @ref{login variables}).  @code{successful} should
-be true if the user has successfully authenticated, false otherwise.
-
-The return value is a @code{check_info} record, which contains four
-@code{check_info}
-fields:
-@table @samp
-@item @code{expanded_line}
-All of the different editing interpretations of the line, separated
-by commas.  For example, if the original line is
-@quotation
-@code{"@code{rob<}@emph{DEL}@code{><}@emph{BS}@code{><}@emph{BS}@code{>ot}"}
-@end quotation
-then the different editing interpretations are
-@code{"@code{ro<}@emph{BS}@code{><}@emph{BS}@code{>ot}"}
-and @code{"root"}, so the return value will be:
-@quotation
-@code{"@code{rob<}@emph{DEL}@code{><}@emph{BS}@code{><}@emph{BS}@code{>ot},@code{ro<}@emph{BS}@code{><}@emph{BS}@code{>ot},root"}
-@end quotation
-
-@emph{Deficiency: Ideally, these values would be returned in a list of some form, so that they can be accessed separately and unambiguously. The current form is really suitable only for display to a person, and even that can be quite confusing if @code{line} happens to contain commas already.  @emph{Or}, perhaps an algorithm of ``simply pick the shortest'' would find the correct editing every time anyway.}
-
-@item @code{hot: bool}
-True if any editing sequence resulted in a match against a sensitive username.
-
-@item @code{hot_id: string}
-The version of the input line (with or without editing) that was considered
-hot, or an empty string if none.
-
-@item @code{forbidden: bool}
-True if any editing sequence resulted in a match against a username considered
-``forbidden'', per @code{is_forbidden_id}.
-
-@end table
-
-@item @code{edit_and_check_user (c: connection, user: string, successful: bool, fmt_s: string): bool}
-Tests whether the given username used for authentication on connection @code{c}
-is sensitive, after first applying @emph{BS} and @emph{DEL}
-keystroke editing (See: @ref{login variables}).  @code{successful} should be
-true if the user has successfully authenticated, false otherwise.
-
-@code{fmt_s} is a @code{fmt} format specifying how the username
-information should be included in the connection's 
-@code{addl} field.  It takes two @code{string} parameters, the current value of the
-field and the expanded version of the username as described in @code{expanded_line}.
-
-If @code{edit_and_check_line} indicates that the username is sensitive,
-then @code{edit_and_check_user} records the connection into its own
-demultiplexing files .  If the username is @emph{forbidden},
-then unless the analyzer is confused, we attempt to terminate the
-connection using @code{terminate_connection}.
-
-@cindex connection, hot
-@cindex hot connections
-Returns true if the connection is now considered ``hot,'' either
-due to having a sensitive username, or because it was hot upon
-entry to the function.
-
-@cindex connection, hot
-@cindex hot connections
-@item @code{edit_and_check_password(c: connection, password: string): bool}
-Checks the given password to see whether it contains a sensitive username.
-If so, then marks the connection as hot and logs the sensitive password.
-No return value.
-
-@emph{Note: The purpose of this function is to catch instances in which the
-event engine becomes out of synch with the authentication dialog and mistakes
-what is, in fact, a username being entered, for a password being entered.
-Such confusion can come about either due to a failure of the event
-engine's heuristics, or due to deliberate manipulation of the event
-engine by an attacker. }
-
-@end table
-
-@cindex analyzers, login, functions
-
-@node login event handlers,
-@subsection @code{login} event handlers
-
-@cindex analyzers, login, event handlers
-
-The standard @code{login} script handles the following events:
-
-@cindex rhosts
-@table @samp
-@item @code{login_failure (c: connection, user: string, client_user: string, password: string, line: string)}
-Invoked when the event engine has seen a failed attempt to authenticate
-as @code{user} with @code{password} on the given connection @code{c}.
-@code{client_user} is the user's username on the client side of the
-connection.  For Telnet connections, this is an empty string, but
-for Rlogin connections, it is the client name passed in the initial
-authentication information (to check against
-@code{.rhosts}).  @code{line} is the
-line of text that led the analyzer to conclude that the authentication
-had failed.
-
-The analyzer first generates an @code{account_tried}
-event to facilitate detection of password guessing, and then checks for
-a sensitive username or password.  If the username was not sensitive
-and the password is empty, then no further analysis is applied, since
-clearly the attempt was half-hearted and aborted.  Otherwise, the
-analyzer annotates the connection's @code{addl}
-field with @code{fail/@code{<}@emph{username}@code{>}} to mark the
-authentication failure, and also checks the @code{client_user} to
-see if it is sensitive.  If we then find that the connection is
-hot, the analyzer logs a message to that effect.
-
-@item @code{login_success (c: connection, user: string, client_user: string, password: string, line: string)}
-Invoked when the event engine has seen a successful attempt to authenticate.
-The parameters are the same as for @code{login_failure}.
-
-The analyzer invokes @code{check_hot} with mode @code{APPL_ESTABLISHED}
-since the application session has now been established.  It generates
-an @code{account_tried}
-event to facilitate detection of password guessing, and then checks for
-a sensitive username or password.  The event engine uses the special
-password @code{"@code{<}none@code{>}"} to indicate that no password
-was exposed, and this mitigates the sensitivity of logins using particular
-usernames per @code{rlogin_id_okay_if_no_password_exposed}.
-
-The analyzer annotates the connection's @code{addl}
-field with @code{"@code{<}@emph{username}@code{>}"} to mark the
-successful authentication.  Finally, if we then find that the connection
-is hot, the analyzer logs a message to that effect.
-
-@item @code{login_input_line (c: connection, line: string)}
-Invoked for every line of text sent by the client side of the login
-session to the server side.  The analyzer matches the text against
-@code{input_trouble} and @code{edited_input_trouble} and invokes
-@code{hot_login} with a tag of @code{"trb"} if it sees a match,
-which will log a notice concerning the connection.  However, this
-invocation is only done while the connection's @code{hot}
-field count is <= 2, to avoid cascaded notices when an attacker gets
-really busy and steps on a lot of sensitive patterns.
-
-@item @code{login_output_line (c: connection, line: string)}
-Invoked for every line of text sent by the server side of the login
-session to the client side.  The analyzer checks @code{backdoor_prompts}
- and any pending input notices that
-were waiting on the server output, per @code{edited_input_trouble}.
-These last are then logged unless the output matched the pattern:
-@example
-    /No such file or directory/
-@end example
-
-@emph{Deficiency: Clearly, this pattern should not be hardwired but instead specified by a redefinable variable. }
-
-Finally, if the line is not too long and the text matches @code{output_trouble}
-and the connection's @code{hot}
-field count is <= 2 (to avoid cascaded notices), the analyzer
-invokes @code{hot_login}  with a tag of @code{"trb"}.
-@emph{Deficiency: ``Too long'' is hardwired to be a length $\ge 256$ bytes. It, too, should be specifiable via a redefinable variable. } 
-Note: We might
-wonder if not checking overly long lines presents an evasion threat: the
-attacker can bury their access to a sensitive string in an excessive line
-and thus avoid detection.  While this is true, it doesn't appear to cost
-much.  First, some of the sensitive patterns are generated in server output
-that will be hard to manipulate into being overly long.  Second, if the
-attacker is trying to avoid detection, there are easier ways, such as
-passing their output through a filter that alters it a good deal. 
-
-@item @code{login_confused (c: connection, msg: string, line: string)}
-Invoked when the event engine's heuristics have concluded that they
-have become confused and can no longer correctly track the authentication
-dialog (See: @ref{login analyzer confusion}).
-@code{msg} gives the particular problem the heuristics detected
-(for example, @code{multiple_login_prompts} means that the engine saw
-several login prompts in a row, without the type-ahead from the client side
-presumed necessary to cause them) and @code{line} the line of text that
-caused the heuristics to conclude they were confused.
-
-Once declaring that it's confused, the event engine will no longer attempt
-to follow the authentication dialog.  In particular, it will @emph{not}
-generate subsequent @code{login_failure} or @code{login_success} events.
-
-Upon this event, the standard
-@code{login} script invokes @code{check_hot} with
-mode @code{APPL_ESTABLISHED} since it could well be that the application
-session is now established (it can't know for sure, of course, because
-the event engine has given up).  It annotates the connection's
- @code{addl} field with
-@code{confused}@code{<}@emph{line}@code{>} to mark the confused state,
-and then logs to the @file{weird} file the particulars of the
-connection and the type of confusion (@code{msg}).  @emph{Deficiency: This should be done by generating a @emph{weird}-related event instead. }
-
-Finally, the analyzer invokes @code{set_record_packets} to specify
-that all of the packets associated with this connection should be recorded
-to the @file{trace} file.
-@emph{Note: For the current @code{login} analyzer, this call is not needed---it
-records every packet of every login session anyway, because the generally
-philosophy is that Bro should record whatever it analyzes, so that the
-analysis may be repeated or examined in detail.  Since the current analyzer
-looks at every input and output line via @code{login_input} and @code{login_output}, it records all of the packets of every such analyzed session.
-There is commented-out text in @code{login_success} to be used if
-@code{login_input} and @code{login_output} are not being used; it turns
-off recording of a session's packets after the user has successfully logged
-in (assuming the connection is not considered hot).} 
-
-@item @code{login_confused_text (c: connection, line: string)}
-Invoked for every line the user types after the event engine has 
-entered the @emph{confused} state.  If the connection is not already
-considered hot, then the analyzer checks for the presence of sensitive
-usernames in the line using @code{edit_and_check_line}, and, if
-present, annotates the connection's @code{addl} field
-with 
-@code{confused}@code{<}@emph{line}@code{>}, logs that the connection
-has become hot, and invokes @code{set_record_packets} to record
-to the @file{trace} file all of the packets associated with the connection.
-
-@item @code{login_terminal (c: connection, terminal: string)}
-Invoked when the client transmits a terminal type to the server.
-The mechanism by which the client transmits the type depends on the
-underlying protocol (Rlogin or Telnet).
-
-The handler checks the terminal type against @code{hot_terminal_types}
-and if it finds a match invokes @code{hot_login} with a tag of
-@code{"trb"}.
-
-@cindex tunneling
-@cindex evasion, using tunneling
-@cindex Napster, tunneled over Telnet or Rlogin
-@cindex excessively long lines
-@item @code{excessive_line (c: connection)}
-Invoked when the event engine observes a very long line sent by either
-the client or the server.  Such long lines are seen as potential attempts
-by an attacker to evade the @code{login} analyzer; or, possibly, as
-a Login session carrying an unusual application.  @emph{Note: One example
-we have observed occurs when a high-bandwidth binary payload protocol such
-as Napster is sent over the Telnet or Rlogin well-known port in an
-attempt to either evade detection or tunnel through a firewall.}
-
-@cindex Network Virtual Terminal (NVT)
-@cindex NVT (Network Virtual Terminal)
-This event is actually generic to any TCP connection carrying
-an application that uses the ``Network Virtual Terminal'' (NVT) abstraction,
-which presently comprises Telnet and FTP.  But the only handler defined
-in the demonstration Bro policy is for Telnet, hence we discuss it here.
-For this reason, the handler first invokes @code{is_login_conn}
-to check whether the connection is in fact a login session.  If so, then
-if the connection is not hot, and if the analyzer finds the server
-listed in @code{non_ACSII_HOSTS}, then it presumes the long line
-is due to use of a non-ASCII character set; the analyzer invokes
-@code{set_login_state} and @code{set_record_packets} to avoid
-further analysis or recording of the connection.
-
-Otherwise, if the connection is still in the authentication dialog, then
-the handler generates a  event with a
-confusion-type of @code{"excessive_line"}, and changes the connection's
-state to @emph{confused}.
-
-@emph{Deficiency: The event engine is currently hardwired to consider a line of >= 1024 bytes as ``excessive''; clearly this should be user-redefinable. }
-
-@cindex NVT options, inconsistent
-@cindex Telnet, options, inconsistent
-@item @code{inconsistent_option (c: connection)}
-NVT options are specified by the client and server stating which options
-they are willing to support vs. which they are not, 
-and then instructing one another
-which in fact they should or should not use for the current connection.
-If the event engine sees a peer violate either what the other peer has
-instructed it to do, or what it itself offered in terms of options in 
-the past, then the engine generates an @code{inconsistent_option} event.
-
-The handler for this event simply records an entry about it to the
- file.  @emph{Deficiency: The event handler invocation does not include enough information to determine what option was inconsistently specified; in addition, it would be convenient to integrate the handling of problems like this within the general ``weird'' framework. }
-
-Note: As for @code{excessive_line} above, this event is actually a
-generic one applicable to any NVT-based protocol.  It is handled here
-because the problem most often crops up for Telnet sessions. 
-Note: Also, the handler does not check to see whether the connection
-is a login session (as it does for @code{excessive_line}); it serves
-as the handler for any NVT session with an excessive line. 
-
-Note: Finally, note that this event can be generated if the session
-contains a stream of binary data.  One way this can occur is when
-the session is encrypted but Bro fails to recognize this fact. 
-@cindex encryption, leading to ``excessive lines''
-
-@cindex NVT options, bad
-@cindex Telnet, options, bad
-@item @code{bad_option (c: connection)}
-If an NVT option is either ill-formed (e.g., a bad length field) or
-unrecognized, then the analyzer generates this event.
-
-The processing of this event (recording information to the 
-file) and the various notes and deficiencies associated with it are
-the same as those for @code{inconsistent_option} above.
-
-@cindex NVT options, bad termination
-@cindex Telnet, options, bad termination
-@item @code{bad_option_termination (c: connection)}
-If an NVT option fails to be terminated correctly (for example,
-a character is seen within the option that is disallowed for use
-in the option), then the analyzer generates this event.
-
-The processing of this event (recording information to the 
-file) and the various notes and deficiencies associated with it are
-the same as those for @code{inconsistent_option} above.
-
-@cindex NVT options, authentication
-@cindex Telnet, options, authentication
-@cindex authentication, accepted
-@item @code{authentication_accepted (name: string, c: connection)}
-The NVT framework includes options for negotiating authentication.
-When such an option is sent from client to server and the server
-replies that it accepts the authentication, then the event engine
-generates this event.
-
-The handler annotates the connection's @code{addl} field
-with 
-@code{auth}@code{<}@emph{name}@code{>}, 
-unless that annotation is already present.
-
-@cindex NVT options, authentication
-@cindex Telnet, options, authentication
-@cindex authentication, rejected
-@item @code{authentication_rejected (name: string, c: connection)}
-The same as @code{authentication_accepted}, except invoked when the
-server replies that it rejects the attempted authentication.
-
-The handler annotates the connection's @code{addl} field
-with @code{auth-failed}@code{<}@emph{name}@code{>}.
-
-@cindex authentication, skipped
-@item @code{authentication_skipped (c: connection)}
-Invoked when the event engine sees a line in the authentication dialog
-that matches .
-
-The handler annotates the connection's @code{addl} field
-with `` @code{skipped}''
-to mark that authentication was skipped,
-and then invokes @code{skip_further_processing} and (unless the
-connection is hot) @code{set_record_packets} to skip any further
-analysis of the connection, and to stop recording its packets to
-the @file{trace} file.
-
-@item @code{connection_established (c: connection)}
-@code{connection_established} is a generic
-event generated for all TCP connections; however, the @code{login} analyzer
-defines an additional handler for it.
-
-The handler first checks (via @code{is_login_conn}) whether this is a Telnet
-or Rlogin connection.  If so, it generates an @code{authentication_skipped}
- event if the server's address occurs
-in @code{skip_logins_to}, and also (for Telnet) checks whether the
-client's port occurs in @code{hot_telnet_orig_ports}, invoking @code{hot_login}
- with the tag @code{"orig"} if it does.
-
-For SSH connections, it likewise checks the client's port, but
-in @code{hot_ssh_orig_ports}, marking the connection as hot and
-logging a real-time notice if it is.
-
-@item @code{partial_connection (c: connection)}
-As noted earlier, @code{partial_connection} is a generic
-event generated for all TCP connections.  The @code{login} analyzer
-also defines a handler for it, one which (if it's a Telnet/Rlogin
-connection) sets the connection's state to @emph{confused} and
-checks for @code{hot_telnet_orig_ports}.
-
-@cindex NVT options, encryption
-@cindex Telnet, options, encryption
-@cindex encrypted login sessions
-@item @code{activating_encryption (c: connection)}
-The NVT framework includes options for negotiating encryption.  When such
-a series of options is successfully negotiated, the event engine generates
-this event.  @emph{Note: The negotiation sequence is complex and can fail at a number of points.  The event engine does not attempt to generate events for each possible failure, but instead only looks for the option sent after a successful negotiation sequence. }
-
-The handler annotates the connection's @code{addl} field
-with ``@code{(encrypted)}'' to mark that authentication was encrypted.
-@emph{Note: The event engine itself marks the connection as requiring no further processing.  This is done by the event engine rather than the handler because the event engine cannot do its job (regardless of the policy the handler might desire) in the face of encryption. }
-
-@end table
-
-@cindex analyzers, login, event handlers
-
-@node pop3 Analyzer,
-@section The @code{pop3} Analyzer
-The @code{pop3} analyzer does a protocol analysis of the Post Office
-Protocol - Version 3.
-
-When Bro runs with the pop3 Analyzer, it processes all packets with
-destination port 110/tcp, generating a log file @code{pop3.log}. Each line
-contains a timestamp, a connection ID, the originator and responder IP
-addresses, and the message sent. The message consists of the command and
-arguments on client side, and the status on server side.
-
-@menu
-* pop3 pop3_session_info record::	
-* pop3 variables::		
-* pop3 event handlers::	
-@end menu
-
-@node pop3 pop3_session_info record,
-@subsection The @code{pop3_session_info} record
-
-@cindex pop3, session information
-
-The @code{pop3} analyzer maintains a @code{pop3_session_info} record per
-@code{pop3} connection:
-
-@example
-type pop3_session_info: record @{
-    id: count;              # Unique session ID.
-    quit_sent: bool;        # Client issued a QUIT.
-    last_command: string;   # Last command of client.
-@};
-@end example
-
-The corresponding fields are:
-
-@table @samp
-@item @code{id}
-The unique session identifier assigned to this session.  Sessions
-are numbered starting at @code{1} and incremented with each new session.
-
-@item @code{quit_sent}
-True if the client has sent a QUIT command.
-
-@item @code{last_command}
-Last command issued by the client.
-
-@end table
-
-@node pop3 variables,
-@subsection @code{pop3} variables 
-@table @samp
-@item @code{pop_connections: table[conn_id] of pop3_session_info}
-This table contains all active POP3-sessions indexed by their Connection IDs.
-As soon as the TCP Connection terminates or expires, they are deleted.
-@item @code{pop_connection_weirds: table[addr] of count &default=0 &create_expire = 5 mins}
-This table contains all the POP3-session originators for which unexpected behavior was recorded.
-@item @code{error_threshold: count = 3}
-This variable contains a threshold for the maximum number of negative status
-indicators per originator received from a server. It is used for recognizing
-potential abuses, e.g., trial and error password guessing attacks.
-@item @code{ignore_commands: set[string] }
-Set of commands to ignore while generating the log file. 
-@end table
-
-@node pop3 event handlers,
-@subsection @code{pop3} event handlers 
-@table @samp
-@item @code{pop3_request(c: connection, is_orig: bool, command: string, arg: string)}
-Generated for each valid command sent from the client
-to the server.
-@item @code{pop3_reply(c: connection, is_orig: bool, cmd: string, msg: string) }
-Generated for each server reply containing a valid status indicator.
-@item @code{pop3_data(c: connection, is_orig: bool, data: string) }
-Generated for every data line sent by the server as a reply to the client,
-including commands that yield multi-line answers.
-@item @code{pop3_unexpected(c: connection, is_orig: bool, msg: string, detail: string) }
-Generated when something semantically unexpected has happened.	
-@item @code{pop3_login_success(c: connection, is_orig: bool, user: string, password: string)}
-Generated when a user authenticates successfully.
-The password may be empty if it has not been observed.
-@item @code{pop3_login_failure(c: connection, is_orig: bool, user: string, password: string)}
-Generated when a user fails to authenticate correctly. 
-@end table
-
-@node portmapper Analyzer,
-@section The @code{portmapper} Analyzer
-@cindex remote procedure call (RPC)
-@cindex RPC (Remote Procedure Call)
-The @code{portmapper} analyzer monitors one particularly
-important form of remote procedure call (RPC) [RFC-1831, RFC-1832] 
-traffic: the portmapper service, used to map between RPC program (and
-version) numbers and the TCP or UDP port on which the service runs for a
-particular host.  For example, @emph{rstatd} is an RPC service that provides
-``remote host status monitoring'' so that a set of hosts can be informed
-when any of them reboots.  @emph{rstatd} has been assigned a standard
-RPC program number of 100002.  To find out the corresponding TCP or UDP
-port on a given host, a remote host would usually first contact the
-portmapper RPC service running on the host and request the port
-corresponding to program 100002.
-
-@float Table, Calls to RPC portmapper service
-@multitable  @columnfractions .15 .55
-@item @strong{Call} @tab @strong{Meaning}
-@item NULL 
-@tab A do-nothing call typically provided by all RPC services.
-@item GETPORT 
-@tab Look up the port associated with a given RPC program.
-@item SET 
-@tab Add a new port mapping (or replace an existing mapping) for an RPC program.
-@item UNSET 
-@tab Remove a port mapping.
-@item DUMP 
-@tab Retrieve all of the RPC program mappings.
-@item CALLIT 
-@tab Both look up a program and then directly call it.
-@end multitable
-@caption{Types of calls to the RPC portmapper service}
-@end float
-
-All in all, clients can make six different types of calls to the portmapper,
-as summarized in the above table.
-Attackers often use
-GETPORT and DUMP to see whether a host may be running an RPC service
-vulnerable to a known exploit.
-
-The analyzer uses a capture filter of ``@code{port 111}'' (See: @ref{Filtering}),
-equivalent to ``@code{tcp port 111 or udp port 111}'' (since the portmapper
-service ordinarily accepts calls using either TCP or UDP, both on port 111).
-It checks the different types of portmapper calls against policies
-expressed using a number of different variables.
-
-@emph{Note:  An important point not to overlook is that an attacker does @emph{not} have to first call the portmapper service in order to call an RPC program.  They might instead happen to know the port on which the service runs @emph{a priori}, since for example it may generally run on the same port for a particular operating system; or they might scan the host's different TCP or UDP ports directly looking for a reply from the service.  Thus, while portmapper monitoring proves very useful in detecting attacks, it does @emph{not} provide comprehensive monitoring of attempts to exploit RPC services. }
-
-@menu
-* portmapper variables::	
-* portmapper functions::	
-* portmapper event handlers::	
-@end menu
-
-@node portmapper variables,
-@subsection @code{portmapper} variables
-
-@cindex analyzers, portmapper, variables
-
-The standard script provides the following redefinable variables:
-
-@table @samp
-@item @code{rpc_programs : table[count] of string}
-Maps RPC program numbers to a string used to name the service.
-For example, the @code{[100002]} entry is mapped to @code{"rstatd"}.
-
-Default: a large list of RPC services.
-
-@cindex NFS (Network File System)
-@cindex Network File System (NFS)
-@item @code{NFS_services : set of string}
-Lists the names of those RPC services that correspond to
-Network File System (NFS) [RFC-1094, RFC-1813] services.  This
-variable is provided because it is convenient to express policies
-specific to accessing NFS file systems.
-
-Default: the services @emph{mountd}, @emph{nfs}, @emph{pcnfsd},
-@emph{nlockmgr}, @emph{rquotad}, @emph{status}.
-
-@emph{Deficiency: Bro's notion of NFS is currently confined to just knowledge of the existence of these services.  It does not analyze the particulars of different NFS operations. }
-
-@item @code{RPC_okay : set[addr, addr, string]}
-Indexed by the host providing a given service and then by the host
-accessing the service.  If an entry is present, it means that the 
-given access is allowed.  For example, an entry of:
-@example
-    [1.2.3.4, 5.6.7.8, "rstatd"]
-@end example
-
-means that host @code{5.6.7.8} is allowed to access the @emph{rstatd}
-service on host @code{1.2.3.4}.
-
-Default: empty.
-
-@item @code{RPC_okay_nets : set[net]}
-A set of networks allowed to make GETPORT requests without complaint.
-The notion behind providing this variable is that the listed
-networks are trusted.  However, the trust doesn't extend beyond
-GETPORT to other portmapper requests, because GETPORT is the only
-portmapper operation used routinely by a set of hosts trusted by
-another set of hosts (but that don't belong to the same group, and hence
-are not issuing SET and UNSET calls).
-
-Default: empty.
-
-@cindex walld
-@item @code{RPC_okay_services : set[string]}
-A set of services for which GETPORT requests should not generate
-complaints.  These might be services that are widely invoked and
-believed exploit-free, such as @emph{walld}, though care should
-be taken with blithely assuming that a given service is indeed
-exploit-free.
-
-Note that, like for @code{RPC_okay_nets}, the trust does not
-extend beyond GETPORT, because it should be the only portmapper
-operation routinely invoked.
-
-Default: empty.
-
-@item @code{NFS_world_servers : set[addr]}
-A set of hosts that provide public access to an NFS file system,
-and thus should not have any of their NFS traffic flagged as
-possibly sensitive.  (The presumption here is that such public
-servers have been carefully secured against any remote NFS operations.)
-An example of such a server might be one providing read-only
-access to a public database.
-
-Default: empty.
-
-@item @code{RPC_dump_okay : set[addr, addr]}
-Indexed first by the host requesting a portmapper dump, and second
-by the host from which it's requesting the dump.  If an entry is
-present, then the dump operation is not flagged.
-
-Default: empty.
-
-@item @code{any_RPC_okay : set[addr, string]}
-Pairs of hosts and services for which any GETPORT access to the given
-service is allowed.
-
-@cindex ypserv
-@item @code{sun-rpc.mcast.net}
-@cindex RPC (Remote Procedure Call), reserved multicast address
-Default:
-@example
-    [NFS_world_servers, NFS_services],
-    [sun-rpc.mcast.net, "ypserv"]
-@end example
-
-The first of these allows access to any NFS service of any of the
-@code{NFS_world_servers}, using Bro's cross-product initialization
-feature (See @ref{Initializing Tables}).  The second allows @emph{ypserv}
-requests to the multicast address reserved for RPC multicasts.@footnote{ I don't know how much this type of access is actually used in practice, but experience shows that requests for @emph{ypserv} directed to that address pop up not infrequently. }
-
-@cindex walld
-@item @code{suppress_pm_log : table[addr, string] of bool}
-Do not generate real-time notices for access by the given address
-for the given service.  Note that unlike most Bro policy variables,
-this one is not @code{const} but is modified at run-time to add
-to it any host that invokes the @emph{walld} RPC service, so that
-such access is only reported once for each host.
-
-Default: empty, but dynamic as discussed above.
-
-@end table
-
-@cindex analyzers, portmapper, variables
-
-@node portmapper functions,
-@subsection @code{portmapper} functions
-
-@cindex analyzers, portmapper, functions
-
-The standard script provides the following externally accessible functions:
-
-@table @samp
-@item @code{rpc_prog (p: count): string }
-Returns the name of the RPC program with the given number,
-if it's present in ; otherwise returns
-the text @code{"unknown-@code{<}@emph{p}@code{>}"}.
-
-@item @code{pm_check_getport (r: connection, prog: string): bool }
-Checks a GETPORT request for the given program against the policy expressed
-by @code{RPC_okay_services}, @code{any_RPC_okay}, 
-@code{RPC_okay}, and @code{RPC_okay_nets},
-returning true if the request violates policy, false if it's allowed.
-
-@item @code{pm_activity (r: connection, log_it: bool) }
-A bookkeeping function invoked when there's been portmapper activity 
-on the given connection.
-
-The function records the connection via ,
-unless it is a TCP connection (which will instead be recorded by
-@code{connection_finished}).  If @code{log_it} is true then the
-function generates a real-time notice of the form:
-@quotation
-rpc:
-@code{<}@emph{connection-id}@code{>}
-@code{<}@emph{RPC-service}@code{>}
-@code{<}@emph{r$addl}@code{>}
-@end quotation
-For example:
-@example
-    972616255.679799 rpc: 65.174.102.21/832 > 
-	182.7.9.47/portmapper pm_getport: nfs -> 2049/udp
-@end example
-
-However, it does not generate the notice if either the client host and
-service are present in @code{suppress_pm_log}, or if it already generated
-a notice in the past for the same client, server and service (to prevent
-notice cascades).
-
-@item @code{pm_request (r: connection, proc: string, addl: string, log_it: bool) }
-Invoked when the given connection has made a portmapper request of some
-sort for the given RPC procedure @code{proc}.  @code{addl} gives an
-annotation to add to the connection's @code{addl} field.
-If @code{log_it} is true, then connection should be logged; it will also
-be logged if the function determines that it is hot.
-
-The function first invokes @code{check_scan} and @code{scan_hot}
-(with a mode of @code{CONN_ESTABLISHED}),
-unless @code{r} is a TCP connection, in which case these checks have already
-been made by @code{connection_established}.  The function then adds
-@code{addl} to the connection's @code{addl} field, though if the field's
-length already exceeds 80 bytes, then it just tacks on @code{"..."}
-(unless already present).  This last is necessary because Bro will sometimes
-see zillions of successive portmapper requests that all use the same
-connection ID, and these will each add to @code{addl} until it
-becomes unwieldy in size.  @emph{Deficiency: Clearly, the byte limit of 80 should be adjustable. }
-
-Finally, the function invokes @code{check_hot} with a mode
-of @code{CONN_FINISHED}, and @code{pm_activity} to finish up
-bookkeeping for the connection.
-
-No return value.
-
-@item @code{pm_attempt (r: connection, proc: string, status: count, addl: string, log_it: bool) }
-Invoked when the given connection attempted to make a portmapper request
-of some sort, but the request failed or went unanswered.  The arguments
-are the same as for @code{pm_request}, with the addition of
-@code{status}, which gives the RPC status code corresponding to why the
-attempt failed (see below).
-
-The function first invokes @code{check_scan} and @code{check_hot}
-(with a mode of @code{CONN_ATTEMPTED}),
-unless @code{r} is a TCP connection, in which case these checks have already
-been made by @code{connection_attempt}.
-
-The function then adds
-@code{addl} to the connection's @code{addl} field, along with
-a text description of the RPC status code, as given in
-the Table below.
-
-No return value.
-
-@float Table, RPC status codes
-@multitable  @columnfractions .2 .7
-@item @strong{Status description} @tab @strong{Meaning}
-@item "ok" 
-@tab The call succeeded.
-@item "prog unavail" 
-@tab The call was for an RPC program that has not registered with the portmapper.
-@item "mismatch" 
-@tab The call was for a version of the RPC program that has not registered with the portmapper.
-@item "garbage args" 
-@tab The parameters in the call did not decode correctly.
-@item "system err" 
-@tab A system error (such as out-of-memory) occurred when processing the call.
-@item "timeout" 
-@tab No reply was received within 24 seconds of the request.
-@item "auth error" 
-@tab The caller failed to authenticate to the server, or was not authorized to make the call.
-@item "unknown" 
-@tab An unknown error occurred.
-@end multitable 
-@caption{Types of RPC status codes}
-@end float 
-
-@end table
-
-@cindex analyzers, portmapper, functions
-
-@node portmapper event handlers,
-@subsection @code{portmapper} event handlers
-
-@cindex analyzers, portmapper, event handlers
-
-The standard script handles the following events:
-
-@table @samp
-@item @code{pm_request_null (r: connection)}
-Invoked upon a successful portmapper request for the ``null'' procedure.
-The script invokes @code{pm_request} with @code{log_it=F}.
-
-@item @code{pm_request_set (r: connection, m: pm_mapping, success: bool)}
-Invoked upon a nominally successful portmapper request to set the portmapper
-binding @code{m}.  The script invokes @code{pm_request} with @code{log_it=T}.
-@code{success} is true if the server honored the request, false otherwise;
-the script turns this into an annotation of @code{"ok"} or @code{"failed"}.
-
-The @code{pm_mapping} type (for @code{m}) has three fields,
-@code{program: count}, @code{version: count} and @code{p: port}, the
-port for the mapping of the given program and version.
-@code{pm_mapping}
-
-@item @code{pm_request_unset (r: connection, m: pm_mapping, success: bool)}
-Invoked upon a nominally successful portmapper request to remove a portmapper
-binding.  The script invokes @code{pm_request} with @code{log_it=T}.
-@code{success} is true if the server honored the request, false otherwise;
-the script turns this into an annotation of @code{"ok"} or @code{"failed"}.
-
-@item @code{pm_request_getport (r: connection, pr: pm_port_request, p: port)}
-Invoked upon a successful portmapper request to look up a portmapper
-binding.  @code{pr}, of type
-@code{pm_port_request}, has three fields:
-@code{program: count}, @code{version: count}, and @code{is_tcp: bool},
-this last indicating whether the caller is request the TCP or UDP
-port, if the given program/version has mappings for both.
-The script invokes @code{pm_request} with @code{log_it} set
-according to the return value of 
-and an annotation of the mapping.
-
-@item @code{pm_request_dump (r: connection, m: pm_mappings)}
-Invoked upon a successful portmapper request to dump the portmapper
-bindings.  The script invokes @code{pm_request} with @code{log_it=T}
-unless  indicates that the dump call is allowed.
-The script ignores @code{m}, which gives the mappings as a
-@code{table[count] of pm_mapping}, where the table index simply reflects
-the order in which the mappings were returned, starting with an index
-of 1.  @emph{Deficiency: What the script @emph{should} do, instead, is keep track of the mappings so that Bro can identify the service associated with connections for otherwise unknown ports. }
-
-@cindex walld
-@item @code{pm_request_callit (r: connection, pm_callit_request, p: port)}
-Invoked upon a successful portmapper request to look up and call
-an RPC procedure.  The script invokes @code{pm_request} with @code{log_it=T}
-unless the combination of the caller and the
-program are in @code{suppress_pm_log}.  Finally, if the program
-called is @emph{walld}, then the script adds the caller to @code{suppress_pm_log}.
-
-The @code{pm_callit_request} type has four fields:
-@code{pm_callit_request}
-@code{program: count}, @code{version: count}, @code{proc: count}, and
-@code{arg_size: count}.  These reflect the procedure being looked up and
-called, and the size of the arguments being passed to it, respectively.
-@emph{Deficiency: Currently, the event engine does not do any analysis or refinement of the arguments passed to the procedure (such as making them available to the event handler) or the return value.}  @code{p} is
-the port value returned by the call.
-
-@item @code{pm_attempt_null (r: connection, status: count)}
-Invoked upon a failed portmapper request for the ``null'' procedure.
-@code{status} gives the reason for the failure.
-The script invokes @code{pm_attempt} with @code{log_it=T}.
-
-@item @code{pm_attempt_set (r: connection, status: count, m: pm_mapping)}
-Invoked upon a failed portmapper request to set the portmapper
-binding @code{m}.  The script invokes @code{pm_attempt} with @code{log_it=T}.
-
-@item @code{pm_attempt_unset (r: connection, status: count, m: pm_mapping)}
-Invoked upon a failed portmapper request to remove a portmapper
-binding.  The script invokes @code{pm_attempt} with @code{log_it=T}.
-
-@item @code{pm_attempt_getport (r: connection, status: count, pr: pm_port_request)}
-Invoked upon a failed portmapper request to look up a portmapper
-binding.  @code{pr}, of type @code{pm_port_request}, has three fields:
-@code{program: count}, @code{version: count}, and @code{is_tcp: bool},
-this last indicating whether the caller requested the TCP or UDP port.
-The script invokes @code{pm_attempt} with @code{log_it} set
-according to the return value of @code{pm_check_get_port}.
-
-@item @code{pm_attempt_dump (r: connection, status: count)}
-Invoked upon a failed portmapper request to dump the portmapper
-bindings.  The script invokes @code{pm_attempt} with @code{log_it=T}
-unless @code{RPC_dump_okay} indicates that the dump call is allowed.
-
-@cindex walld
-@item @code{pm_attempt_callit (r: connection, status: count, pm_callit_request)}
-Invoked upon a failed portmapper request to look up and call
-an RPC procedure.  The script invokes @code{pm_attempt} with @code{log_it=T}
-unless the combination of the caller and the
-program are in @code{suppress_pm_log}.  Finally, if the program
-called is @emph{walld}, then the script adds the caller to
-@code{suppress_pm_log}.
-
-@item @code{pm_bad_port (r: connection, bad_p: count)}
-Invoked when a portmapper request or response includes an invalid
-port number.  Since ports are represented by unsigned 4-byte integers,
-they can stray outside the allowed range of 0--65535 by being >= 65536.
-The script invokes @code{conn_weird_log} with a @emph{weird tag}
-of @code{"bad_pm_port"}.
-
-@end table
-
-@cindex analyzers, portmapper, event handlers
-
-@cindex analyzers, application-specific
-
-@node analy Analyzer,
-@section The @code{analy} Analyzer
-@cindex statistical analysis
-@cindex connection, analysis
-The @code{analy} analyzer provides a limited mechanism to
-use Bro to do statistical analysis on TCP connections.  Its primary
-purpose is to demonstrate that Bro has applications to network
-traffic analysis beyond intrusion detection.  It defines one
-event handler:
-
-@table @samp
-@item @code{conn_stats c: connection, os: endpoint_stats, rs: endpoint_stats}
-Invoked for each connection when it terminates (for whatever reason).
-@code{os} and @code{rs} are the statistics for the originator endpoint and
-the responder endpoint, respectively; the table below 
-gives the different record fields.
-
-@end table
-
-@code{endpoint_stats} fields for summarizing connection endpoint statistics, 
-all of type @code{count}.
-
-@float Table, endpoint_stats fields 
-@multitable  @columnfractions .2 .75
-@item @strong{Field} @tab @strong{Meaning}
-@item num_pkts 
-@tab The number of packets sent by the endpoint, as seen by the monitor. The endpoint may
-have sent others that the network dropped upstream from the monitor.
-@item num_rxmit 
-@tab The number of packets retransmitted by the endpoint, as seen by the monitor.
-@item num_rxmit_bytes 
-@tab The number of bytes retransmitted by the endpoint.
-@item num_in_order 
-@tab The number of packets sent by the endpoint that arrived at the monitor in order, where "in
-order" means in the same order as sent by the endpoint, rather than in sequence number.
-(Thus, a retransmission can arrive in order, by this definition.) Bro determines if the packet
-arrived in order by applying heuristics to the IP identification (ID) field, which in general
-will increase by a small amount between successive packets transmitted by an endpoint.
-@item num_OO 
-@tab The number of packets sent by the endpoint that arrived at the monitor out of order. See the
-previous entry for the definition of "in order", and hence "out of order".
-@item num_repl 
-@tab The number of extra copies of packets sent by the endpoint that arrived at the monitor. Bro
-considers a packet replicated if its IP ID field is the same as for the previous packet it saw
-from the endpoint. Using this definition, a replication is most likely caused by a network
-mechanism such as duplication of a packet by a router, rather than a transport mechanism
-such as retransmission, though some TCPs fully reuse packets when retransmitting them,
-including their IP ID field.
-@item endian_type 
-@tab Whether the advance of the IP ID field as seen by the monitor was consistent with bigendian
-(network order) addition, little-endian, or undetermined. The three values are represented
-by the Bro constants ENDIAN_BIG, ENDIAN_LITTLE, and ENDIAN_UNKNOWN.
-In addition, the value can be ENDIAN_CONFUSED, meaning that the monitor saw conflicting
-evidence for little- and big-endian.
-@end multitable
-@caption{@code{endpoint_stats} fields for summarizing connection endpoint statistics, all of type @code{count}}
-@end float
-
-
-@node signature Analysis Script,
-@section The @code{signature} Analysis Script
-
-@cindex signature analysis
-@cindex exploit scans
-@cindex scans, exploit
-@cindex horizontal exploit scans
-@cindex vertical exploit scans
-The @code{signature} module analyzes @emph{signature matches} 
-(see @ref{Signatures}).
-For each signature, you can specify one of the actions
-defined in Table 7.2.
-In addition, the module identifies two types of @emph{exploit scans}:
-@emph{horizontal} (a host triggers a signature for multiple destinations) and
-@emph{vertical} (a host triggers multiple signature for the same destination).
-
-@cindex signatures, log file
-@cindex log file, signatures
-
-The module handles one event:
-
-@table @samp
-@item @code{signature_match (state: signature_state, msg: string, data: string)}
-Invoked upon a match of a signature which contains an @code{event} action (See @ref{Actions}).
-@end table
-
-It provides the following redefinable variables:
-
-@table @samp
-@item @code{sig_actions : table[string] of count}
-Maps signature IDs to actions as defined in the table below.
-
-@float Table, signature actions
-@multitable  @columnfractions .2 .6
-@item @strong{Action} @tab @strong{Meaning}
-@item SIG_IGNORE @tab Ignore the signature completely.
-@item SIG_QUIET @tab Process for scan detection but don't report individually.
-@item SIG_FILE @tab Write matches to signatures-log
-@item SIG_FILE_BUT_NOT_SCAN @tab Same, but ignore for scan processing
-@item SIG_ALARM @tab Alarm and write to signatures, notice, and alarm files
-@item SIG_ALARM_ONCE @tab Same, but only for the first instance
-@item SIG_ALARM_PER_ORIG @tab Same, but once per originator
-@item SIG_ALARM_NO_WORM @tab Same, but ignore if generated by known worm-source
-@item SIG_COUNT_PER_RESP @tab Count per destination and alarm if threshold reached
-@item SIG_SUMMARY @tab Don't alarm, but generate per-originator summary
-@end multitable
-@caption{Possible actions to take for signatures matches}
-@end float
-
-Default: @code{SIG_FILE}.
-
-@item @code{horiz_scan_thresholds : set[count]} 
-Generate a notice whenever a remote host triggers a signature for
-the given number of hosts.
-
-Default: @code{@{ 5, 10, 50, 100, 500, 1000@} }
-
-@item @code{vert_scan_thresholds : set[count]} 
-Generate a notice whenever a remote host triggers the
-given number of signatures for the same destination.
-
-Default: @code{@{ 5, 10, 50, 100, 500, 1000@} }
-
-@end table
-
-The module defines one function for external use:
-
-@table @samp
-@item @code{has_signature_matched (id: string, orig: addr, resp: addr): bool}
-Returns true if the given signature has already matched for the 
-(originator,responder) pair.
-@end table
-
-@node SSL Analyzer,
-@section The @code{SSL} Analyzer
-
-@cindex SSL, analysis
-The @code{SSL} analyzer processes traffic associated with the SSL
-(Secure Socket Layer) protocol versions 2.0, 3.0 
-and 3.1.  SSL version 3.1 is also known as TLS (Transport
-Layer Security) version 1.0 since from that version onward the IETF has taken
-responsibility for further development of SSL.
-
-Bro instantiates an @code{SSL} analyzer for any connection with service
-ports @code{443/tcp (https), 563/tcp (nntps), 585/tcp (imap4-ssl), 614/tcp (sshell), 636/tcp (ldaps), 989/tcp (ftps-data), 990/tcp (ftps), 992/tcp (telnets), 993/tcp (imaps), 994/tcp (ircs), 995/tcp (pop3s)}, providing
-you have loaded the @code{SSL} analyzer, or defined a handler for one of
-the SSL events.
-
-By default, the analyzer uses the above set of ports as a capture filter
-(See: @ref{Filtering}).  It currently checks the SSL handshake process for
-consistency, tries to verify seen certificates, generates several events,
-does connection logging, tries to detect security weaknesses, and produces
-simple statistics.  It is also able to store seen certificates on disk.
-However, it does no decryption, so analysis is limited to clear text SSL
-records. This means that analysis stops in the middle of the handshaking
-phase for SSLv2 and at the end of it for SSLv3.0/SSLv3.1 (TLS).  For this
-reason we have not implemented the SSL session caching mechanism (yet).
-
-The analyzer consists of the four files: @code{ssl.bro}, @code{ssl-ciphers.bro},
-@code{ssl-errors.bro},
-and @code{ssl-alerts.bro}, which are accessed by  @code{@@load} @code{ssl}.
-The analyzer writes to the @code{weird} and @code{ssl} log files.
-The first receives all non-conformant and ``weird'' activity, while
-the latter tracks the SSL handshaking phase.
-
-@menu
-* x509 record::			
-* ssl_connection_info record::	
-* SSL variables::		
-* SSL event handlers::		
-@end menu
-
-@node x509 record,
-@subsection The @code{x509} record
-
-@cindex SSL, x509
-
-This record is a very simplified structure for storing X.509 
-certificate information. It currently supports only the issuer and
-subject names.
-
-@example
-type x509: record @{
-    issuer:  string; # issuer name of the certificate
-    subject: string; # subject name of the certificate
-@};
-@end example
-
-@node ssl_connection_info record,
-@subsection The @code{ssl_connection_info} record
-
-@cindex SSL, connection information
-
-
-The main data structure managed by the @code{SSL} analyzer is
-a collection of @code{ssl_connection_info} records, where the
-record type is shown below.
-
-@example
-type ssl_connection_info: record @{
-id: count;                      # the log identifier number
-connection_id: conn_id;         # IP connection information
-version: count;                 # version associated with connection
-client_cert: x509;
-server_cert: x509;
-id_index: string;               # index for associated sessionID
-handshake_cipher: count;        # cipher suite client and server agreed upon
-@};
-@end example
-
-The corresponding fields are @emph{Fixme: the description here is out of date}:
-
-@table @samp
-@item @code{id}
-The unique connection identifier assigned to this connection.  Connections
-are numbered starting at @code{1} and incrementing with each new connection.
-
-@item @code{connection_id}
-The TCP connection which this SSL connection is based on.
-
-@item @code{version }
-The SSL version number for this connection. Possible values are
-@code{SSLv20}, for SSL version 2.0, @code{SSLv30} for version 3.0, and
-@code{SSLv31} for version 3.1.
-
-@item @code{client_cert }
-The information from the client certificate, if available.
-
-@item @code{server_cert }
-The information from the server certificate, if available.
-
-@item @code{id_index }
-Index into associated @code{SSL_sessionID_record} table.
-
-@item @code{handshake_cipher }
-The cipher suite client and server agreed upon.
-@emph{Note: For SSLv2 cached sessions, this is a placeholder (@code{0xABCD})}.
-
-@end table
-
-@node SSL variables,
-@subsection @code{SSL} variables
-
-@cindex analyzers, SSL, variables
-
-The standard script defines the following redefinable variables:
-
-@table @samp
-@item @code{ssl_compare_cipherspecs : bool}
-If true, remember the client and server cipher specs and perform additional
-tests.  This costs an extra amount of memory (normally only for a short
-time) but enables detection of non-intersecting cipher sets, for example.
-
-Default: @code{T}.
-
-@item @code{ssl_analyze_certificates : bool}
-If true, analyze certificates seen in SSL connections, which
-includes the following steps:
-@itemize @bullet
-@item 
-Generating a hash of the certificate and checking if we already
-saw it earlier from the current host. If so, we won't
-verify it, because we already did and verifying is a
-computational expensive process. If the certificate has
-changed for the current host, generate a weird event.
-
-@item 
-Verify the certificate.
-
-@item 
-Store of the certificate on disk in DER format.
-@end itemize
-
-Default: @code{T}.
-
-@item @code{ssl_store_certificates : bool}
-If certificates are analyzed, this variable determines they should be stored
-on disk.
-
-Default: @code{T}.
-
-@item @code{ssl_store_cert_path : string}
-Path where certificates are stored.
-If empty, use the current directory.
-@emph{Note: The path must not end with a slash!}
-
-Default: @code{"../certs"}.
-
-@item @code{ssl_verify_certificates : bool}
-If certificates are analyzed, whether to verify them.
-
-Default: @code{T}.
-
-@item @code{x509_trusted_cert_path : string}
-Path where OpenSSL looks for trusted certificates.
-If empty, use the default OpenSSL path.
-
-Default: @code{""}.
-
-@item @code{ssl_max_cipherspec_size : count}
-Maximum size in bytes for an SSL cipherspec.  If we see attempted use of
-larger cipherspecs, warn and skip comparing it.
-
-Default: @code{45}.
-
-@item @code{ssl_store_key_material : bool}
-If true, stores key material exchanged in the handshaking phase.
-@emph{Note: This is mainly for decryption purposes and currently useless.}
-
-Default: @code{T}.
-
-@float Figure, SSL example
-@example
-1046778101.534846 #1 192.168.0.98/32988 > 
-		213.61.126.124/https start
-1046778101.534846 #1 connection attempt version: 3.1
-1046778101.534846 #1 cipher suites: SSLv3x_RSA_WITH_RC4_128_MD5 (0x4), 
-	SSLv3x_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (0xFEFF), 
-	SSLv3x_RSA_WITH_3DES_EDE_CBC_SHA (0xA), 
-	SSLv3x_RSA_FIPS_WITH_DES_CBC_SHA (0xFEFE), 
-	SSLv3x_RSA_WITH_DES_CBC_SHA(0x9), SSLv3x_RSA_EXPORT1024_WITH_RC4_56_SHA (0x64), 
-	SSLv3x_RSA_EXPORT1024_WITH_DES_CBC_SHA (0x62), 
-	SSLv3x_RSA_EXPORT_WITH_RC4_40_MD5 (0x3), 
-	SSLv3x_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x6),
-1046778101.753356 #1 server reply, version: 3.1
-1046778101.753356 #1 cipher suite: SSLv3x_RSA_WITH_RC4_128_MD5 (0x4),
-1046778101.762601 #1 X.509 server issuer: /C=DE/ST=Hamburg/L=Hamburg/O=TC 
-	TrustCenter for Security in Data Networks GmbH/OU=TC 
-	TrustCenter Class 3 CA/Email=certificate@@trustcenter.de,
-1046778101.762601 #1 X.509 server subject: /C=DE/ST=Berlin/O=Lehmanns 
-	Fachbuchhandlung GmbH/OU=Zentrale EDV/CN=www.jfl.de/Email=admin@@lehmanns.de
-1046778101.894567 #1 handshake finished, version 3.1, cipher suite: 
-	SSLv3x_RSA_WITH_RC4_128_MD5 (0x4)
-1046778104.877207 #1 finish
----
-
-Used cipher-suites statistics:
-SSLv3x_RSA_WITH_RC4_128_MD5 (0x4): 1
-
-@end example
-@caption{Example of SSL log file with a single SSL session.}
-@end float 
-
-@cindex SSL, log file
-@cindex log file, SSL
-@cindex SSL session summary file
-In addition, @code{ssl_log} holds the name of the SSL log file to
-which Bro writes SSL connection summaries.  It defaults to
-@code{open_log_file("ssl")}.
-@end table
-
-The above figure shows an example of how entries in the SSL log file look like.
-We see a transcript of the first SSL connection seen since Bro started
-running.  The first line gives its start and the participating hosts and
-ports.  Next, we see a client trying to attempt a SSL (Version 3.1)
-connection and the cipher suites offered.  The server replies with a SSL
-3.1 @code{SERVER-REPLY} and the desired cipher suite.
-@emph{Note: In SSL v3.0/v3.1 this determines which cipher suite will be used for the connection}.  
-Following this is the certificate the server sends,
-including the issuer and subject.  Finally, we see that the handshaking
-phase for this SSL connection is finished now, and that client and server
-agreed on the cipher suite: @code{RSA_WITH_RC4_128_MD5}.  Due to encryption,
-the SSL analyzer skips all further data.  We only see the end of the
-connection.  When Bro finishes, we get some statistics about
-the cipher suites used in all monitored SSL connections. 
-
-@cindex analyzers, SSL, variables
-
-@node SSL event handlers,
-@subsection @code{SSL} event handlers
-
-@cindex analyzers, SSL, event handlers
-
-The standard script handles the following events:
-
-@table @samp
-@item @code{ssl_conn_attempt (c: connection, version: count, cipherSuites: cipher_suites_list)}
-
-Invoked upon the client side of connection @code{c} when the analyzer sees a @code{CLIENT-HELLO}
-of SSL version @code{version} including the cipher suites the client offers @code{cipherSuites}.
-
-The version can be @code{0x0002}, @code{0x0300} or @code{0x0301}.
-A new entry is generated inside the SSL connection table and the cipher suites
-are listed. Ciphers, that are known as weak (according to a corresponding table of
-weak ciphers) are logged inside the @code{weak.log} file. This also happens to
-cipher suites that we do not know yet. 
-@emph{Note: See the file @code{ssl-ciphers.bro} for a list of known cipher suites.}
-
-@item @code{ssl_conn_server_reply (c: connection, version: count, cipherSuites: cipher_suites_list)}
-
-This event is invoked upon the analyzer receiving a @code{SERVER-HELLO} of the SSL server.
-It contains the SSL version the server wishes to use (@emph{Note: This finally determines, which SSL version will be used further}) and the cipher suite he offers. If it is SSL version 3.0 or 3.1, the server determines
-within this @code{SERVER-HELLO} the cipher suite for the following connection (so it will only be one).
-But if it's a SSL version 2.0 connection, the server only announces the cipher suites he supports and
-it's up to the client to decide which one to use.
-
-Again, the cipher suites are listed and weak and unknown cipher suites are reported inside
-@code{weak.log}.
-
-@item @code{ssl_certificate_seen (c: connection, isServer: int)}
-
-Invoked whenever we see a certificate from client or server but before
-verification of the certificate takes place.
-This may be useful, if you want to do something before certificate verification
-(e.g. do not verify certificates of some given servers).
-
-@item @code{ssl_certificate (c: connection, cert: x509, isServer: bool)}
-
-Invoked after the certificate from server or client (@code{isServer}) has been verified. 
-@emph{Note: We only verify certificates once. If we see them again, we only check if they have changed!}
-@code{cert} holds the issuer and subject of the certificate, which gets stored
-inside this SSL connection's information record inside the SSL connection table and
-are written to @code{ssl.log}.
-
-@item @code{ssl_conn_reused (c: connection, session_id: string)}
-
-Invoked whenever a former SSL session is reused. @code{session_id} holds
-the session ID as string of the reused session and is written to @code{ssl.log}.
-Currently we don't do session tracking, because SSL version 2.0 doesn't
-send the session ID in clear text when it's generated.
-
-@item @code{ssl_conn_established (c: connection, version: count, cipher_suite: count)}
-
-Invoked when the handshaking phase of an SSL connection is finished.  We
-see the used SSL version and the cipher suite that will be used for
-cryptography (written to @code{ssl.log}) if we have SSL version 3.0 or 3.1.
-In case of SSL version 2.0 we can only determine the used cipher suite for
-new sessions, not for reused ones.  (@emph{Note: In SSL version 3.0 and 3.1 the 
-cipher suite to be used is already announced in the @code{SERVER-HELLO}.})
-
-@item @code{ssl_conn_alert (c: connection, version: count, level: count, description: count)}
-
-Invoked when the analyzer receives an SSL alert.  The @code{level} of the
-alert (warning or fatal) and the @code{description} are written into
-@code{ssl.log}. (@emph{Note: See @code{ssl-alerts.bro}}).
-
-@item @code{ssl_conn_weak (name: string, c: connection)}
-
-This event is called when the analyzer sees:
-@itemize @bullet
-@item weak ciphers (See: @code{ssl_conn_attempt}, @code{ssl_server_reply}, @code{ssl_conn_established}),
-@item unknown ciphers (See: @code{ssl_conn_attempt}, @code{ssl_server_reply}, @code{ssl_conn_established})
-@item or certificate verification failed.
-@end itemize
-
-See @code{weak.bro}.
-
-@end table
-
-@cindex analyzers, SSL, event handlers
-
-@node weird Analysis Script,
-@section The @code{weird} Analysis Script
-
-@cindex weird events
-@cindex events, exceptional
-@cindex exceptional events
-@cindex unusual events
-
-The @code{weird} module processes unusual or exceptional
-events.  A number of these ``shouldn't'' or even ``can't'' happen,
-yet they do.  The general design philosophy of Bro is to check
-for such events whenever possible, because they can reflect incorrect
-assumptions (either Bro's or the user's), attempts by attackers to
-confuse the monitor and evade detection, broken hardware, misconfigured
-networks, and so on.
-
-Weird events are divided into three categories, namely those pertaining
-to: connections; flows (a pair of hosts, but for which a specific connection
-cannot be identified); and network behavior (cannot be associated with a
-pair of hosts).  These categories have a total of four event handlers:
-@code{conn_weird}, @code{conn_weird_addl}, @code{flow_weird}, and @code{net_weird},
-and in the corresponding sections below we
-catalog the events handled by each.  In addition, we separately catalog
-the events generated by the standard scripts themselves
-(See: @ref{Events generated by the standard scripts}).  Finally, two more weird events have their
-own handlers, in order to associate detailed information with the event:
-@code{rexmit_inconsistency} and @code{ack_above_hole}.
-
-@cindex weird event summary file
-@cindex log file, weird events
-@code{weird_file} is the logging file  that
-the module uses to record exceptional
-events.  It defaults to @code{open_log_file("weird")}.
-
-@cindex crud
-@cindex unusual events, prevalence in actual network traffic
-@cindex weird events, prevalence in actual network traffic
-@cindex buggy implementations, causing ``weird'' events
-@cindex diverse network use, causing ``weird'' events
-@cindex Bro bugs/limitations, causing ``weird'' events
-@cindex bugs, causing ``weird'' events
-
-@emph{Note:  While these events ``shouldn't'' happen, in reality they often
-do.  For example, of the 73 listed below, a search of 10 months' worth of
-logs at LBNL shows that 42 were seen operationally.  While some of the
-instances reflect attacks, the great majority are simply due to i) buggy
-implementations, ii) diverse use of the network, or iii) Bro bugs or
-limitations.  Accordingly, you may initially be inclined to log each
-instance, but don't be surprised to find that you soon decide to only
-record many of them in the @code{weird} file, or not record them at all.
-(For further discussion, see the section on ``crud'' in [Pa99].) }
-
-@menu
-* Actions for weird events::	
-* weird variables::		
-* weird functions::		
-* Events handled by conn_weird::  
-* Events handled by conn_weird_addl::  
-* Events handled by flow_weird::  
-* Events handled by net_weird::	 
-* Events generated by the standard scripts::  
-* Additional handlers for weird events::  
-@end menu
-
-@node Actions for weird events,
-@subsection Actions for ``weird'' events
-
-@cindex weird events, actions
-
-The general approach taken by the module is to categorize for each event
-the action to take when the event engine generates the event.
-Table XX summarizes the different possible actions.
-
-@float Table, Weird Event Actions
-@multitable  @columnfractions .2 .75
-@item @strong{Action} @tab @strong{Meaning}
-@item WEIRD_UNSPECIFIED 
-@tab No action specified.
-@item WEIRD_IGNORE 
-@tab Ignore the event.
-@item WEIRD_FILE 
-@tab Record the event to weird file, if it has not been seen for these hosts before. (But see
-weird do not ignore repeats.)
-@item WEIRD_NOTICE_ALWAYS 
-@tab Record the event to weird file and generate a notice each time the event occurs.
-@item WEIRD_NOTICE_ONCE 
-@tab Record the event to weird file; generate a notice the first time the event occurs.
-@item WEIRD_NOTICE_PER_CONN 
-@tab Record the event to weird file; generate a notice the first time it occurs for a
-given connection.
-@item WEIRD_NOTICE_PER_ORIG 
-@tab Record the event to weird file; generate a notice the first time it occurs for a
-given originating host.
-@end multitable
-@caption{Different types of possible actions to take for "weird" events}
-@end float
-
-@node weird variables,
-@subsection @code{weird} variables
-
-The standard @code{weird} script provides the following redefinable variables:
-
-@table @samp
-@item @code{weird_action : table[string] of count}
-Maps different weird events to actions as given in Table in @ref{Actions for weird events} above.
-
-Default: as specified in @code{conn_weird}, @code{conn_weird_addl}, @code{flow_weird}, @code{net_weird},
-and @ref{Events generated by the standard scripts}.  As usual, you can change particular
-values using refinement.  For example:
-@example
-redef weird_action: table[string] of count += @{
-    [["bad_TCP_checksum", "bad_UDP_checksum"]] = WEIRD_IGNORE,
-    ["fragment_overlap"] = WEIRD_NOTICE_PER_CONN,
-@};
-@end example
-
-would specify to ignore TCP and UDP checksum errors (rather than the default
-of @code{WEIRD_FILE}), and to notice fragment overlaps once per connection
-in which they occur, rather than the default of @code{WEIRD_NOTICE_ALWAYS}.
-
-@item @code{weird_action_filters : table[string] of function(c: connection): count}
-Indexed by the name of a weird event, yields a function that when called
-for a given connection exhibiting the event, returns an action from
-the table in section @ref{Actions for weird events}.
-A return value of @code{WEIRD_UNSPECIFIED} 
-means ``no special action, use the action you normally would.''
-This variable thus allows arbitrary
-customization of the handling of particular events.
-
-Default: empty, for the @code{weird} analyzer itself.  The
- analyzer redefines this variable as follows:
-@example
-    redef weird_action_filters += @{
-        [["bad_RPC", "excess_RPC", "multiple_RPCs", 
-		"partial_RPC"]] = RPC_weird_action_filter,
-@};
-@end example
-
-where @code{RPC_weird_action_filter} is a function internal to the
-analyzer that returns @code{WEIRD_FILE} if the originating host
-is in , and @code{WEIRD_UNSPECIFIED} otherwise.
-
-@item @code{weird_ignore_host : set[addr, string]}
-Specifies that the analyzer should ignore the given weird event (named by
-the second index) if it involves the given address (as either originator
-or responder host).
-
-Default: empty.
-
-@item @code{weird_do_not_ignore_repeats : set[string]}
-Gives a set of weird events that, if their action is @code{WEIRD_FILE},
-should still be recorded to the @code{weird_file} each time they occur.
-
-Default: the events relating to checksum errors, i.e.,
-@code{"bad_IP_checksum"},
-@code{"bad_TCP_checksum"},
-@code{"bad_UDP_checksum"}, and
-@code{"bad_ICMP_checksum"}.
-These are recorded multiple times because it can prove handy to
-be able to track clusters of checksum errors.
-
-@end table
-
-@node weird functions,
-@subsection @code{weird} functions
-
-The @code{weird} analyzer includes the following functions:
-
-@table @samp
-@item @code{report_weird (t: time, name: string, id: string, action: WeirdAction, no_log: bool)}
-Processes an occurrence of the weird event @code{name} associated with
-the connection described by the string @code{id} (which may be empty
-if no connection is associated with the event).  @code{action} is the
-action associated with the event.  For @code{report_weird}, the only
-distinctions made between the different actions are that @code{WEIRD_IGNORE}
-causes the function to do nothing; any of @code{WEIRD_NOTICE_xxx}
-cause the function to generate a notice, unless @code{no_log} is true; and @code{WEIRD_UNSPECIFIED} 
-causes the function to look up the action in @code{weird_action}.
-If the function does @emph{not} find an action
-for the event, then it uses @code{WEIRD_NOTICE_ALWAYS} and prepends the log
-message with a pair of asterisks (``@code{**}'') to flag that this event
-does not have a specified action.
-
-For @code{WEIRD_FILE}, @code{report_weird} only
-records the event once to the file, unless the given event is present
-in @code{weird_do_not_ignore_repeats}.  Events with notice-able actions
-are always recorded to @code{weird_file}.
-
-@item @code{report_weird_conn (t: time, name: string, id: string, c: connection)}
-Processes an occurrence of the weird event @code{name} associated with
-the connection @code{c}, which is described by the string @code{id}.
-
-If @code{report_weird_conn} finds one of the hosts and the given event name
-in @code{weird_ignore_host}, then it does nothing.  Then, if the event
-is in @code{weird_action}, then it looks up the event in
-@code{weird_action_filters} and invokes the corresponding function
-if present, otherwise taking the action from @code{weird_action}.
-It then implements the various flavors of @code{WEIRD_NOTICE_xxx}
-by not generating notices more than once per connection, originator host,
-etc., though the events are still written to @code{weird_file}.
-Finally, the function invokes  to do the
-actual recording and/or writing to @code{weird_file}.
-
-@item @code{report_weird_orig (t: time, name: string, id: string, orig: addr)}
-Processes an occurrence of the weird event @code{name} associated with
-the source address @code{orig}.  @code{id} textually describes the flow from
-@code{orig} to the destination, for example using @code{endpoint_id}.
-
-The function looks up the event name in @code{weird_action} and
-passes it along to @code{report_weird}.
-
-@end table
-
-@node Events handled by conn_weird,
-@subsection Events handled by @code{conn_weird}
-
-@cindex weird events, handled by conn_weird
-@cindex event handling, weird
-
-@table @samp
-@item @code{conn_weird (name: string, c: connection)}
-Invoked for most ``weird'' events.
-@code{name} is the name of the weird event, and @code{c} is the
-connection with which it's associated.
-
-@end table
-
-@noindent @code{conn_weird} handles the following events, all of which have
-a default action of @code{WEIRD_FILE}:
-
-@table @samp
-@item @code{active_connection_reuse}
-A new connection attempt (initial SYN)
-was seen for an already-established connection that has not
-yet terminated.
-@cindex HTTP, weird events
-@item @code{bad_HTTP_reply}
-The first line of a reply from an HTTP
-server did not include @code{HTTP/}@emph{version}.
-@item @code{bad_HTTP_version}
-The first line of a request from an HTTP
-client did not include @code{HTTP/}@emph{version}.
-@cindex ICMP, weird events
-@cindex packets, corrupted
-@cindex corrupted packets
-@cindex checksum error, ICMP
-@cindex ICMP, checksum error
-@item @code{bad_ICMP_checksum}
-The checksum field in an
-ICMP packet was invalid.
-@cindex Rlogin, weird events
-@item @code{bad_rlogin_prolog}
-The beginning of an Rlogin connection had
-a syntactical error.
-@cindex RPC (Remote Procedure Call), weird events
-@item @code{bad_RPC}
-A Remote Procedure Call was ill-formed.
-@item @code{bad_RPC_program}
-A portmapper RPC call did not include the
-correct portmapper program number.
-@item @code{bad_SYN_ack}
-A TCP SYN acknowledgment (SYN-ack) did not acknowledge
-the sequence number sent in the initial SYN.
-@cindex TCP, weird events
-@cindex checksum error, TCP
-@cindex TCP, checksum error
-@item @code{bad_TCP_checksum}
-A TCP packet had a bad checksum.
-@cindex UDP, weird events
-@cindex checksum error, UDP
-@cindex UDP, checksum error
-@item @code{bad_UDP_checksum}
-A UDP packet had a bad checksum.
-@item @code{baroque_SYN}
-A TCP SYN was seen with an unlikely
-combination of other flags (the URGent pointer).
-@item @code{blank_in_HTTP_request}
-The URL in an HTTP request includes
-an embedded blank.
-@item @code{connection_originator_SYN_ack}
-A TCP endpoint that originated
-a connection by sending a SYN followed this up by sending a SYN-ack.
-@item @code{data_after_reset}
-After a TCP endpoint sent a RST to terminate
-a connection, it sent some data.
-@item @code{data_before_established}
-Before the connection was fully
-established, a TCP endpoint sent some data.
-@item @code{excessive_RPC_len}
-An RPC record sent over a TCP connection
-exceeded 8 KB.
-@item @code{excess_RPC}
-The sender of an RPC request or reply included
-leftover data beyond what the RPC parameters or result value
-themselves consumed.
-@item @code{FIN_advanced_last_seq}
-A TCP endpoint retransmitted a FIN with
-a higher sequence number than previously.
-@item @code{FIN_after_reset}
-A TCP endpoint sent a FIN after sending a RST.
-@cindex packets, storms
-@cindex storms
-@item @code{FIN_storm}
-The monitor saw a flurry of FIN packets all sent on
-the same connection.  A ``flurry'' is defined as 1,000 packets that
-arrived with less than 1 sec between successive FINs.
-@emph{Deficiency: Clearly, this numbers should be user-controllable. }
-@item @code{HTTP_unknown_method}
-The method in an HTTP request was
-not GET, POST or HEAD.
-@item @code{HTTP_version_mismatch}
-A persistent HTTP connection sent a
-different version number for a subsequent item than it
-did initially.
-@item @code{inappropriate_FIN}
-A TCP endpoint sent a FIN before the
-connection was fully established.
-@item @code{multiple_HTTP_request_elements}
-An HTTP request included multiple
-methods.
-@item @code{multiple_RPCs}
-A TCP RPC stream included more than one
-remote procedure call.
-@cindex NULs
-@item @code{NUL_in_line}
-A NUL (ASCII 0) was seen in a text stream
-that is expected to be free of NULs.  @emph{Updateme:  Currently, the only such stream is that associated with an FTP control connection. }
-@item @code{originator_RPC_reply}
-The originator (and hence presumed client)
-of an RPC connection sent an RPC reply (either instead of a request,
-or in addition to a request).
-@cindex Finger, weird events
-@item @code{partial_finger_request}
-When a Finger connection terminated, it
-included a final line of unanalyzed text because the text was
-not newline-terminated.
-@cindex FTP, weird events
-@item @code{partial_ftp_request}
-When an FTP connection terminated, it
-included a final line of unanalyzed text because the text was
-not newline-terminated.
-@item @code{partial_ident_request}
-When an IDENT connection terminated, it
-included a final line of unanalyzed text because the text was
-not newline-terminated.
-@item @code{partial_portmapper_request}
-A portmapper connection terminated with
-an unanalyzed request because the data stream was incomplete.
-@item @code{partial_RPC}
-An RPC was missing some required header information
-due to truncation.
-@cindex data, unanalyzed
-@cindex unanalyzed data
-@item @code{pending_data_when_closed}
-A TCP connection closed even though
-not all of the data in it was analyzed due to a sequence hole.
-@cindex split routing
-@cindex routing, split
-@cindex vantage point
-@cindex bidirectional vs. unidirectional analysis
-@cindex analysis, bidirectional vs. unidirectional
-@cindex undirectional analysis
-@cindex scanning, stealth
-@cindex stealth scans
-@item @code{possible_split_routing}
-Bro appears to be seeing only one
-direction of some bi-directional connections .
-This can also occur due to certain forms of stealth-scanning.
-@cindex connection, reuse
-@cindex Maximum Segment Lifetime (MSL)
-@cindex MSL (Maximum Segment Lifetime)
-@item @code{premature_connection_reuse}
-A TCP connection tuple is being
-reused less than 30 sec after its previous use.  (The standard
-requires waiting 2 * @w{MSL} = 4 minutes [p. 27] [RFC-793].)
-@item @code{repeated_SYN_reply_wo_ack}
-A TCP responder that replied to an
-initial SYN with a SYN-ack has subsequently sent a SYN @emph{without}
-an acknowledgment.
-@item @code{repeated_SYN_with_ack}
-A TCP originator that sent an
-initial SYN has subsequently sent a SYN-ack.
-@item @code{responder_RPC_call}
-The responder (and hence presumed server)
-of an RPC connection sent an RPC request (either instead of a reply,
-or in addition to a reply).
-@item @code{rlogin_text_after_rejected}
-An Rlogin client sent additional text
-to an Rlogin server after the server already presumably rejected
-the client's service request.
-@cindex retransmission, inconsistent
-@cindex inconsistent retransmission
-@cindex evasion, inconsistent RPC retransmission
-@item @code{RPC_rexmit_inconsistency}
-An RPC call was retransmitted, and
-the retransmitted call differed from the original call.  This
-could reflect an attempt by an attacker to evade the monitor.
-@emph{Note:  This type of inconsistency checking is not available for RPC replies because the transmission of the reply in general marks the end of the RPC connection, and the monitor deletes the connection state shortly afterward. }
-@item @code{RST_storm}
-The monitor saw a flurry of RST packets all sent on
-the same connection.  See @code{FIN_storm} for the definition of
-``flurry.''
-@item @code{RST_with_data}
-A TCP RST packet included data.  This actually
-is allowed by the specification [4.2.2.12] RFC-1122.
-@emph{Deficiency: This event should include the data. }
-@cindex simultaneous open
-@cindex connection, simultaneous open
-@item @code{simultaneous_open}
-The monitor saw a TCP simultaneous open,
-i.e., both endpoints sent initial SYNs to one another at the same time.
-While the specification allows this [p. 30] RFC-793, none of the
-protocols analyzed by Bro should be using it.
-@cindex transients, startup
-@cindex startup, transients
-@cindex scanning, stealth
-@cindex stealth scans
-@item @code{spontaneous_FIN}
-A TCP endpoint sent a FIN packet without
-sending any previous packets.  This event can reflect stealth-scanning,
-but can also occur when Bro has recently
-started up and has not seen other traffic on a connection and hence does
-not know that the connection already exists.
-@item @code{spontaneous_RST}
-A TCP endpoint sent a RST packet without
-sending any previous packets.  As with @code{spontaneous_FIN}, this
-event can reflect either stealth scanning or a Bro start-up
-transient.
-@item @code{SYN_after_close}
-A TCP endpoint sent a SYN (connection
-initiation) after sending a FIN (connection termination),
-but before the connection fully closed.
-@item @code{SYN_after_partial}
-A TCP endpoint in a ``partial'' connection
- sent a SYN.
-@item @code{SYN_after_reset}
-A TCP endpoint sent a SYN after sending a
-RST (reset connection).
-@item @code{SYN_inside_connection}
-A TCP endpoint sent a SYN during a
-connection (or partial connection) on which it had already
-sent data.
-@item @code{SYN_seq_jump}
-A TCP endpoint retransmitted a SYN or a
-SYN-ack, but with a different sequence number.
-@cindex T/TCP
-@cindex TCP, transaction
-@cindex transaction TCP
-@item @code{SYN_with_data}
-A TCP endpoint included data in a SYN packet
-it sent.  Note, this can legitimately occur for T/TCP connections
-[RFC-1644].
-@cindex TCP, Christmas packet
-@cindex Christmas packet
-@item @code{TCP_christmas}
-A TCP endpoint sent a SYN packet that
-included the RST flag (a nonsensical combination).  The
-term ``Christmas packet'' has been used in this context
-(particularly if other flags are set, too) because the
-packet's flags are ``lit up like a Christmas tree.''
-@cindex length mismatch, UDP
-@cindex UDP, length mismatch
-@cindex evasion, length mismatch
-@item @code{UDP_datagram_length_mismatch}
-The length field in a UDP header
-did not match the length field in the IP header.  This could
-reflect an attempt by an attacker to evade the monitor.
-@item @code{unpaired_RPC_response}
-An RPC reply was seen for which no
-request was seen.  This event could reflect a Bro start-up
-transient (it started running after the request was sent).
-@item @code{unsolicited_SYN_response}
-A TCP endpoint sent a SYN-ack without
-first receiving an initial SYN.  This event could reflect a
-Bro start-up transient.
-
-@end table
-
-@node Events handled by conn_weird_addl,
-@subsection Events handled by @code{conn_weird_addl}
-
-@cindex weird events, handled by conn_weird_addl
-
-@cindex polymorphic functions, need for
-@table @samp
-@item @code{conn_weird_addl (name: string, c: connection, addl: string)}
-Invoked for a few ``weird'' events that require an extra (string)
-argument to help clarify the event. @emph{Deficiency: It would likely be very handy if the general ``weird'' event handling was more flexible, with the ability to have various parameters associated with the events.  Doing so will likely have to wait on general Bro mechanism for dealing with default parameters and/or polymorphic functions and event handlers. }
-
-@end table
-
-@code{conn_weird_addl} handles the following events, all of which
-have a default action of @code{WEIRD_FILE}:
-
-@table @samp
-@cindex IDENT, weird events
-@item @code{bad_ident_reply}
-A reply from an IDENT server was
-syntactically invalid.
-@item @code{bad_ident_request}
-A request to an IDENT server was
-syntactically invalid.
-@item @code{ident_request_addendum}
-An IDENT request included additional
-text beyond that forming the request itself.
-@end table
-
-@node Events handled by flow_weird,
-@subsection Events handled by @code{flow_weird}
-
-@cindex weird events, handled by flow_weird
-
-@table @samp
-@item @code{flow_weird (name: string, src: addr, dst: addr)}
-is invoked for ``weird'' events that cannot be associated with a
-particular connection, but only with a pair of hosts, corresponding
-to a flow of packets from @code{src} to @code{dst}. Presently, all of
-these events deal with fragments.
-
-@end table
-
-@code{flow_weird} handles the following events:
-
-@table @samp
-@cindex IP, fragments
-@cindex fragments, excessively large
-@cindex denial of service, excessively large fragments
-@item @code{excessively_large_fragment}
-A set of IP fragments reassembled
-to a maximum size exceeding 64,000 bytes.  @emph{Note:  Sizes between 64,000 and 65,535 bytes are allowed, strictly speaking, but are highly unlikely in legitimate traffic.  Sizes above 65,535 bytes generally represent attempted denial-of-service attacks, due to IP implementations that crash upon receiving such impossibly-large fragment sets. }
-
-Default: @code{WEIRD_NOTICE_ALWAYS}.
-
-@cindex fragments, excessively small
-@cindex evasion, excessively small fragments
-@item @code{excessively_small_fragment}
-A fragment other than the
-last fragment in a set was less than 64 bytes in size.
-@emph{Note:  The standard allows such small fragments, but their presence may reflect an attacker attempting to evade the monitor by splitting header information across multiple fragments. }
-
-Default: @code{WEIRD_NOTICE_ALWAYS}.
-
-@cindex fragments, inconsistent
-@cindex evasion, inconsistent fragments
-@item @code{fragment_inconsistency}
-A fragment overlaps with a previously
-sent fragment, and the two disagree on data they share in common.
-This event could reflect an attacker attempting to evade the
-monitor; it can also occur because Bro keeps previous fragments
-indefinitely (@emph{Deficiency: it needs to provide a means for flushing old fragments, otherwise it becomes vulnerable to a state-holding attack}), and occasionally a fragment will
-overlap with one sent much earlier and long-since forgotten
-by the endpoints.
-
-Default: @code{WEIRD_NOTICE_ALWAYS}.
-
-@cindex fragments, overlapping
-@item @code{fragment_overlap}
-A fragment overlaps with a previously
-sent fragment.  As for @code{fragment_inconsistency}, this
-event can occur due to Bro keeping previous fragments
-indefinitely.  This event does not in general reflect a
-possible attempt at evasion.
-
-Default: @code{WEIRD_NOTICE_ALWAYS}.
-
-@cindex fragments, inconsistent protocols
-@item @code{fragment_protocol_inconsistency}
-Two fragments were seen
-for the same flow and IP ID which differed in their transport protocol
-(e.g., UDP, TCP).  According to the specification, this is allowed
-[p. 24] RFC-791, but its use appears highly unlikely.
-
-Default: @code{WEIRD_FILE}, because it is difficult to see how
-an attacker can exploit this anomaly.
-
-@cindex fragments, inconsistent sizes
-@cindex evasion, inconsistent fragment size
-@item @code{fragment_size_inconsistency}
-A ``last fragment'' was
-seen twice, and the two disagree on how large the reassembled datagram
-should be.  This event could reflect an attacker attempting to evade
-the monitor.
-
-Default: @code{WEIRD_FILE}, since it is more likely that this
-occurs due to a high volume flow of fragments wrapping the
-IP ID space than due to an actual attack.
-
-@item @code{fragment_with_DF}
-A fragment was seen with the ``Don't Fragment''
-bit set in its header.  While strictly speaking this is not illegal,
-and not impossible (a router could have fragmented a packet and then
-decided that the fragments should not be further fragmented), its
-presence is highly unusual.
-
-Default: @code{WEIRD_FILE}, because it's difficult to see how
-this could reflect malicious activity.
-
-@item @code{incompletely_captured_fragment}
-A fragment was seen whose
-length field is larger than the fragment datagram appearing on the
-monitored link.
-
-Default: @code{WEIRD_NOTICE_ALWAYS}.
-
-@end table
-
-@node Events handled by net_weird,
-@subsection Events handled by @code{net_weird}
-
-@cindex weird events, handled by net_weird
-
-@table @samp
-@item @code{net_weird (name: string)}
-is invoked for ``weird'' events that cannot be associated with
-a particular connection or set of hosts.  Except as noted, the
-default action for all such events is @code{WEIRD_FILE}.
-
-@end table
-
-@code{net_weird} handles the following events:
-
-@cindex packets, corrupted
-@cindex corrupted packets
-@cindex IP, weird events
-@cindex IP, checksum error
-@cindex checksum error, IP
-@table @samp
-@item @code{bad_IP_checksum}
-A packet had a bad IP header checksum.
-
-@cindex TCP, corrupted header
-@item @code{bad_TCP_header_len}
-The length of the TCP header (which is
-itself specified in the header) was smaller than the minimum
-allowed size.
-
-@cindex headers, truncated
-@cindex truncated headers
-@item @code{internally_truncated_header}
-A captured packet with a valid
-IP length field was smaller as actually recorded, such that the
-captured version of the packet was illegally small.  This event
-may reflect an error in Bro's packet capture hardware or software.
-
-Default: @code{WEIRD_NOTICE_ALWAYS}, because this event can indicate
-a basic problem with Bro's packet capture.
-
-@item @code{truncated_IP}
-A captured packet either was too small to
-include a minimal IP header, or the full length as recorded by
-the packet capture library was smaller than the length as indicated
-by the IP header.
-
-@item @code{truncated_header}
-An IP datagram's header indicates a length
-smaller than that required for the indicated transport type (TCP,
-UDP, ICMP).
-
-@end table
-
-@node Events generated by the standard scripts,
-@subsection Events generated by the standard scripts
-
-@cindex weird events, generated by standard scripts
-
-The following events are generated by the standard scripts themselves:
-
-@table @samp
-@item @code{bad_pm_port}
-See @code{pm_bad_port}.  Handled by  @code{conn_weird_addl},
-where the extra parameter is the text
-@code{"port <}@emph{bad-port}@code{>"}.
-
-@cindex denial of service, Land attack
-@cindex Land attack
-@code{Land_attack}
-A TCP connection attempt was seen with identical
-initiator and responder addresses and ports.  This event likely
-reflects an attempted denial-of-service attack known as a
-``Land'' attack.  See @code{check_spoof}.  Handled by @code{conn_weird}.
-
-@end table
-
-@node Additional handlers for weird events,
-@subsection Additional handlers for ``weird'' events
-
-@cindex weird events, additional handlers
-
-In addition to the above, generalized events, Bro includes two specific
-events that are defined by themselves so they can include additional
-parameterization:
-
-@cindex evasion, inconsistent TCP retransmission
-@cindex retransmission, inconsistent
-@cindex inconsistent retransmission
-@table @samp
-@item @code{rexmit_inconsistency (c: connection, t1: string, t2: string)}
-Invoked when a retransmission associated with connection @code{c} differed
-in its data from the contents transmitted previously.  @code{t1} gives
-the original data and @code{t2} the different retransmitted data.
-
-@cindex bugs, appalling
-This event may reflect an attacker attempting to evade the monitor.
-Unfortunately, however, experience has shown that
-@emph{(i)} inconsistent retransmissions do in fact
-happen due to (appalling) TCP implementation bugs, and
-@emph{(ii)} once they occur, they tend to cascade, because often
-the source of the bug is that the two endpoints have become
-desynchronized.
-
-The handler logs the message in the format
-@code{"}@emph{id}@code{ rexmit inconsistency (<t1>) (<t2>)"} .  However,
-the handler only logs the first instance of an inconsistency, due to
-the cascade problem mentioned above.
-
-@emph{Deficiency: The handler is not told which of the two connection endpoints was the faulty transmitter. }
-
-@cindex packets, drops
-@cindex acknowledgment holes
-@cindex inconsistent acknowledgment
-@cindex bugs, appalling
-@item @code{ack_above_hole (c: connection, t1: string, t2: string)}
-Invoked when Bro sees a TCP receiver acknowledge data above
-a sequence hole.  In principle, this should never occur.  Its
-presence generally means one of two things: @emph{(i)} a TCP
-implementation with an appalling bug (these definitely exist),
-or @emph{(ii)} a packet drop by Bro's packet capture facility,
-such that it never saw the data now being acknowledged.
-
-Because of the seriousness of this latter possibility, the
-handler logs a message 
-@code{ack above a hole}.  
-@emph{Note:  You can often distinguish between a truly broken TCP acknowledgment and Bro dropping packets by the fact that in the latter case you generally see a cluster of ack-above-a-hole messages among otherwise unrelated connections. }
-
-@emph{Deficiency: The handler is not told which of the two connection endpoints sent the acknowledgment. }
-
-@end table
-
-@cindex event handling, weird
-
-@cindex unusual events
-@cindex exceptional events
-@cindex events, exceptional
-@cindex weird events
-
-@node icmp Analyzer,
-@section The @code{icmp} Analyzer
-
-not done.
-
-@node stepping Analyzer,
-@section The @code{stepping} Analyzer
-
-not done.
-
-@node ssh-stepping Analysis Script,
-@section The @code{ssh-stepping} Analysis Script
-
-not done.
-
-@node backdoor Analyzer,
-@section The @code{backdoor} Analyzer
-
-not done.
-
-@node interconn Analyzer,
-@section The @code{interconn} Analyzer
-
-not done.
-
-@cindex standard scripts
-@cindex scripts, standard
-@cindex analyzers
-
-
diff --git a/doc/ref-manual/bro.css b/doc/ref-manual/bro.css
deleted file mode 100644
index 0bebab8e63..0000000000
--- a/doc/ref-manual/bro.css
+++ /dev/null
@@ -1,43 +0,0 @@
-/* 
- * Custom nllite stylesheet
- */
-body {  
-  font-family: Verdana, Arial, serif;
-}
-H1 {  
-  color: #339933;
-}
-A:link, A:active, A:visited, A:hover { 
-  color: #3333ff;
-  text-decoration: none; 
-}
-A:hover {
-  border-bottom: 1px dotted red;
-  color: red;
-  text-decoration: none;
-}
-ul.menu { 
-  list-style-type: circle;
-  list-style-position: inside;
-  padding: 5px;
-  background-color: #ccffcc;
-  border: 1px dashed #333333;
-}
-hr { 
-  display: none;
-}
-div.node { 
-  font-size: 12px;
-  font-weight: bold;
-  background-color: #ccffcc;
-/*
-  line-height: 0;
-*/
-  padding: 0.5em;
-}
-table.cartouche { 
-  background-color: white;
-}
-table { 
-  border: none;
-}
diff --git a/doc/ref-manual/debugger.texi b/doc/ref-manual/debugger.texi
deleted file mode 100644
index cb542edd89..0000000000
--- a/doc/ref-manual/debugger.texi
+++ /dev/null
@@ -1,389 +0,0 @@
-
-@node Interactive Debugger
-@chapter Interactive Debugger
-
-@menu
-* Debugger Overview::			
-* A Sample Session::		
-* Usage::			
-* Notes and Limitations::	
-* Reference::			
-@end menu
-
-@node Debugger Overview,
-@section Debugger Overview
-
-Bro's interactive debugger is intended to aid in the development,
-testing, and maintenance of policy scripts. The debugger's interface
-has been modeled after the popular @code{gdb} debugger; the
-command syntax is virtually identical. While at present the Bro
-debugger supports only a small subset of @code{gdb}'s features,
-these were chosen to be the most commonly used commands. Additional
-features beyond those of @code{gdb}, such as wildcarding, have
-been added to specifically address needs created by Bro policy scripts.
-
-@node A Sample Session,
-@section A Sample Session
-
-The transcript below should look very familiar to those familiar with
-@code{gdb}. The debugger's command prompt accepts debugger commands;
-before each prompt, the line of policy code that is next to be
-executed is displayed.
-
-First we activate the debugger with the @code{-d} command-line switch.
-@example
-bobcat:~/bro/bro$ ./bro -d -r slice.trace brolite
-Policy file debugging ON.
-In bro_init() at policy/ftp.bro:437
-437             have_FTP = T;
-@end example
- Next, we set a breakpoint in the @code{connection_finished}
-event handler [reference this somehow]. A breakpoint causes the
-script's execution to stop when it reaches the specified function. In
-this case, there are many event handlers for the
-@code{connection_finished} event, so we are given a choice.
-@example
-(Bro [0]) break connection_finished
-Setting breakpoint on connection_finished:
-
-There are multiple definitions of that event handler.
-Please choose one of the following options:
-[1] policy/conn.bro:268
-[2] policy/active.bro:14
-[3] policy/ftp.bro:413
-[4] policy/demux.bro:40
-[5] policy/login.bro:496
-[a] All of the above
-[n] None of the above
-Enter your choice: 1
-Breakpoint 1 set at connection_finished at policy/conn.bro:268
-@end example
- Now we resume execution; when the breakpoint is reached, execution
-stops and the debugger prompt returns.
-@example
-(Bro [1]) continue
-Continuing.
-Breakpoint 1, connection_finished(c = '[id=[orig_h=1.0.0.163,
-orig_p=2048/tcp, resp_h=1.0.0.6, resp_p=23/tcp], orig=[size=0,
-state=5], resp=[size=46, state=5], start_time=929729696.316166,
-duration=0.0773319005966187, service=, addl=, hot=0]') at
-policy/conn.bro:268
-In connection_finished(c = '[id=[orig_h=1.0.0.163, orig_p=2048/tcp,
-resp_h=1.0.0.6, resp_p=23/tcp], orig=[size=0, state=5], resp=[size=46,
-state=5], start_time=929729696.316166, duration=0.0773319005966187,
-service=, addl=, hot=0]') at policy/conn.bro:268
-268             if ( c$orig$size == 0 || c$resp$size == 0 )
-@end example
- We now step through a few lines of code and into the
-@code{record_connection} call.
-@example
-(Bro [2]) step
-274             record_connection(c, "finished");
-(Bro [3]) step
-In record_connection(c = '[id=[orig_h=1.0.0.163, orig_p=2048/tcp,
-resp_h=1.0.0.6, resp_p=23/tcp], orig=[size=0, state=5], resp=[size=46,
-state=5], start_time=929729696.316166, duration=0.0773319005966187,
-service=, addl=, hot=0]', disposition = 'finished') at
-policy/conn.bro:162
-162             local id = c$id;
-(Bro [4]) step
-163             local local_init = to_net(id$orig_h) in local_nets;
-@end example
-
-We now print the value of the @code{id} variable, which was set in
-the previously executed statement @code{local id = c$id;}. We follow
-that with a backtrace (@code{bt}) call, which prints a trace of the
-currently-executing functions and event handlers (along with their
-actual arguments). We then remove the breakpoint and continue
-execution to its end (the remaining output has been trimmed off). 
-@example
-(Bro [5]) print id
-[orig_h=1.0.0.163, orig_p=2048/tcp, resp_h=1.0.0.6, resp_p=23/tcp]
-(Bro [6]) bt
-#0 In record_connection(c = '[id=[orig_h=1.0.0.163, orig_p=2048/tcp,
- resp_h=1.0.0.6, resp_p=23/tcp], orig=[size=0, state=5],
- resp=[size=46, state=5], start_time=929729696.316166,
- duration=0.0773319005966187, service=, addl=, hot=0]', disposition =
- 'finished') at policy/conn.bro:163
-#1 In connection_finished(c = '[id=[orig_h=1.0.0.163, orig_p=2048/tcp,
- resp_h=1.0.0.6, resp_p=23/tcp], orig=[size=0, state=5],
- resp=[size=46, state=5], start_time=929729696.316166,
- duration=0.0773319005966187, service=, addl=, hot=0]') at
- policy/conn.bro:274
-(Bro [7]) delete
-Breakpoint 1 deleted
-(Bro [8]) continue
-Continuing.
-...
-@end example
- 
-
-@node Usage,
-@section Usage
-
-The Bro debugger is invoked with the @code{-d} command-line
-switch. It is strongly recommended that the debugger be used with a
-tcpdump capture file as input (the @code{-r} switch) rather than in
-``live'' mode, so that results are repeatable.
-
-Execution tracing is a feature which generates a complete record of
-which code statements are executed during a given run. It is enabled
-with the @code{-t} switch, whose argument specifies a file which
-will contain the trace. 
-
-Debugger commands all are a single word, though many of them take
-additional arguments. Commands may be abbreviated with a prefix
-(e.g., @code{fin} for @code{finish}); if the same prefix matches
-multiple commands, the debugger will list all that match. Certain
-very frequently-used commands, such as @code{next}, have been
-given specific one-character shortcuts (in this case,
-@code{n}). For more details on all the debugger commands, see the
-Reference in section @ref{Reference}, below.
-
-The debugger's prompt can be activated in three ways. First, when
-the @code{-d} switch is supplied, Bro stops in the
-@code{bro_init} initialization function (more precisely, after
-global-scope code has been executed; see section @ref{Notes and Limitations}). It is
-also activated when a breakpoint is hit. Breakpoints are set with
-the @code{break} command (see the Reference). The final way to
-invoke the debugger's prompt is to interrupt execution by pressing
-Ctrl-C (sending an Interrupt signal to the process). Execution will
-be suspended after the currently-executing line is completed.
-
-@node Notes and Limitations,
-@section Notes and Limitations
-
-@itemize @bullet
-@item 
-Statements at global scope, i.e., those executed before the
-@code{bro_init} function, may not be debugged at present. This is
-because those statements load declarations for other functions
-needed for the debugger to function properly.
-@end itemize
-
-@node Reference,
-@section Reference
-
-@strong{large Summary of Commands}
-Note: all commands may be abbreviated with a unique prefix. Shortcuts
-below are special exceptions to this rule.
-
-@float Table, Debugger commands
-@multitable  @columnfractions .15  .15  .6
-@item @strong{Command} @tab @strong{Shortcut} @tab @strong{Description} 
-@item help @tab @tab Get help with debugger commands 
-@item quit @tab @tab Exit Bro 
-@item next @tab n @tab Step to the following statement, skipping function calls 
-@item step @tab s @tab Step to following statements, stepping in to function calls 
-@item continue @tab c @tab Resume execution of the policy script 
-@item finish @tab @tab Run until the currently-executing function completes 
-@item break @tab b @tab Set a breakpoint 
-@item condition @tab @tab Set a condition on an existing breakpoint 
-@item delete @tab d @tab Delete the specified breakpoints; delete all if no arguments 
-@item disable @tab @tab Turn off the specified breakpoint; do not delete
-permanently 
-@item enable @tab @tab Undo a prior `disable' command 
-@item info @tab @tab Get information about the debugging environment  
-@item print @tab p @tab Evaluate an expression and print the result 
-@item set @tab @tab Alias for `print' 
-@item backtrace @tab bt @tab Print a stack trace  
-@item frame @tab @tab Select frame number N 
-@item up @tab @tab Select the stack frame one level up from the current one 
-@item down @tab @tab Select the stack frame one level down from the current one 
-@item list @tab l @tab Print source lines surrounding specified context 
-@item trace @tab @tab Turn on or off execution tracing 
-@end multitable
-@caption{Debugger Commands}
-@end float
-
-@*
-
-@strong{Getting Help}
-@table @samp
-
-@item help
-Help for each command may be invoked with the @code{help}
-command. Calling the command with no arguments displays a one-line
-summary of each command. 
-@end table
-
-@strong{Command-Line Options}
-@table @samp
-
-@item @code{-d} switch
-The @code{-d} switch enables the Bro
-script debugger.
-
-@item @code{-t} switch
-The @code{-t} enables execution
-tracing. There is an argument to the switch, which indicates a file
-that will contain the result of the trace. Trace output consists of
-the source code lines executed, indented for each nested function invocation.
-
-@strong{Example.} The following command invokes Bro, using @code{tcpdump_file} for
-the input packets and outputting the result of the trace to
-@code{execution_trace}.
-@example
-  ./bro -t execution_trace -r tcpdump_file policy_script.bro
-  @end example
-
-@strong{Example.} If the argument to @code{-t} is a single dash
-character (``@code{-}''), then the trace output is sent to
-@code{stderr}.
-@example
-  ./bro -t - -r tcpdump_file policy_script.bro
-  @end example
-
-@strong{Example.} Lastly, execution tracing may be combined with the
-debugger. Here we send output to @code{stderr}, so it will be
-intermingled with the debugger's output. Tracing may be turned off
-and on in the debugger using the @code{trace} command.
-@example
-  ./bro -d -t - -r tcpdump_file policy_script.bro
-  @end example
-
-@end table
-
-@strong{Running the Script}
-@table @samp
-
-@item quit
-Exit Bro, aborting execution of the currently executing script.
-
-@item restart (r)
-@emph{(Currently Unimplemented)} Restart the execution
-of the script, rewinding to the beginning of the input file(s), if
-appropriate. Breakpoints and other debugger state are preserved.
-
-@item continue (c)
-Resume execution of the script file. The script will
-continue running until interrupted by a breakpoint or a signal.
-
-@item next (n)
-Execute one statement, without entering any subroutines
-called in that statement. 
-
-@item step (s)
-Execute one statement, but stop on entry to any called subroutine.
-
-@item finish
-Run until the currently executing function returns.
-@end table
-
-@strong{Breakpoints}
-@table @samp
-
-@item break (b)
-Set a breakpoint. A breakpoint suspend execution when
-execution reaches a particular location and returns control to the
-debugger. Breakpoint locations may be specified in a number of ways:
-
-@multitable  @columnfractions .3  .6
-@item @code{break} @tab With no argument, the current line is used. 
-@item @code{break} @emph{[FILE:]LINE} @tab The specified line in the specified file; if
-no policy file is specified, the current file is implied. 
-@item @code{break} @emph{FUNCTION} @tab The first line of the specified function or
-event handler. If more than one event handler matches the name, a choice
-will be presented. 
-@item @code{break} @emph{WILDCARD} @tab Similar to @emph{FUNCTION}, but a
-POSIX-compliant regular expression (see the @code{regex(3)} man
-page )is supplied, which is matched against all functions and event
-handlers. One exception to the the POSIX syntax is that, as in the
-shell, the @code{*} character may be used to match zero or more
-of any character without a preceding period character (@code{.}).
-@end multitable
-
-@item condition @emph{N expression}
-The numeric argument
-$N$ indicates which breakpoint to add a condition to, and the
-expression is the conditional expression. A breakpoint with a
-condition will only stop execution when the supplied condition is
-true. The condition will be evaluated in the context of the
-breakpoint's location when it is reached.
-
-@item enable
-With no arguments, enable all breakpoints
-previously disabled with the @code{disable} command. If numeric
-arguments separated by spaces are provided, the breakpoints with those
-numbers will be enabled.
-
-@item disable
-With no arguments, disable all breakpoints. Disabled
-breakpoints will not stop execution, but will be retained to be
-enabled later. If numeric arguments separated by spaces are provided,
-the breakpoints with those numbers will be disabled.
-
-@item delete (d)
-With no arguments, permanently delete all
-breakpoints. If numeric arguments separated by spaces are provided,
-the breakpoints with those numbers will be deleted.
-@end table
-
-@strong{Debugger State}
-@table @samp
-
-@item @strong{info}
-Give information about the
-current script and debugging environment. A subcommand should follow
-the @code{info} command to indicate which information is
-desired. At present, the following subcommands are available: 
-
-@multitable  @columnfractions .2  .6
-@item @code{info break} @tab List all breakpoints and their status
-@end multitable
-
-@end table
-
-@strong{Inspecting Program State}
-@table @samp
-
-@item print (p) / set
-The @code{print} command and its alias,
-@code{set}, are used to evaluate any expression in the policy
-script language. The result of the evaluation is printed
-out. Results of the evaluation affect the current execution
-environment; expressions may include things like assignment. The
-expression is evaluated in the context of the currently selected
-stack frame. The @code{frame}, @code{up}, and @code{down}
-commands (below) are used to change the currently selected frame,
-which defaults to the innermost one.
-
-@item backtrace (bt)
-Print a description of all the stack frames (function
-invocations) of the currently executing script.\ With no arguments,
-prints out the currently selected stack frame.\ With a numeric
-argument @emph{+/- N}, prints the innermost @emph{N} frames if the argument is
-positive, or the outermost $N$ frames if the argument is negative.
-
-@item frame
-With no arguments, prints the currently selected
-frame. \ With a numeric argument $N$, selects frame $N$. Frame
-numbers are numbered inside-out from 0; the 
-
-@item up
-Select the stack frame that called the currently selected
-one. If a numeric argument $N$ is supplied, go up that many frames.
-
-@item down
-Select the stack frame called by the currently selected
-one. If a numeric argument $N$ is supplied, go down that many frames.
-
-@item list (l)
-With no argument, print the ten lines of script source
-code following the previous listing. If there was no previous
-listing, print ten lines surrounding the next statement to be
-executed. If an argument is supplied, ten lines are printed around
-the location it describes. The argument may take one of the
-following forms:
-
-@emph{[FILE:]LINE} 
-The specified line in the specified file; if
-no policy file is specified, the current file is implied. \
-@emph{FUNCTION} The first line of the specified function or
-event handler. If more than one event handler matches the name, a choice
-will be presented. \
-$\pm N$ With a numeric argument preceded by a plus or minus
-sign, the line at the supplied offset from the previously selected line.
-
-@end table
-
diff --git a/doc/ref-manual/intro.texi b/doc/ref-manual/intro.texi
deleted file mode 100644
index 9b96709f55..0000000000
--- a/doc/ref-manual/intro.texi
+++ /dev/null
@@ -1,170 +0,0 @@
-
-@node Introduction
-@chapter Introduction
-
-Bro is an intrusion detection system that works by passively watching
-traffic seen on a network link.  It is built around an @emph{event engine}
-that pieces network packets into events that reflect different types of
-activity.  Some events are quite low-level, such as the monitor seeing
-a connection attempt; some are specific to a particular network protocol,
-such as an FTP request or reply; and some reflect fairly high-level notions,
-such as a user having successfully authenticated during a login session.
-
-Bro runs the events produced by the event engine through a @emph{policy script}, which you (the Bro administrator) supply, though in general you will
-do so by using large portions of the scripts
-(``@emph{analyzers}''; see below) that come with the Bro distribution.
-
-You write policy scripts in ``Bro'', a specialized language geared towards
-network analysis in general and security analysis in particular.  Bro scripts
-are made up of @emph{event handlers} that specify what to do whenever a
-given event occurs.  Event handlers can maintain and update global state
-information, write arbitrary information to disk files, generate new
-events, call functions (either user-defined or predefined), generate
-@emph{alarms} that produce @emph{syslog} messages, and invoke arbitrary
-shell commands.  These latter might terminate a running connection or talk
-to your border router to install an ACL prohibiting traffic from a particular
-host, for example.
-
-The Bro language is strongly typed and includes a bunch of types designed
-to aid analyzing network traffic.  It also supports @emph{implicit typing},
-meaning that often you don't need to explicitly indicate a variable's type
-because Bro can figure it out from context.  This feature makes the strong typing
-a bit less of a pain, while retaining its bug-finding benefits.
-
-For high performance, Bro relies on use of an efficient @emph{packet filter}
-to capture only a (hopefully small) subset of the traffic that transits
-the link it monitors.  Related to this, Bro comes with a set of
-@emph{analyzers}, that is, scripts for analyzing different protocols and
-different types of activity.  In general you can pick and choose among
-these for which types of analysis you want to enable, and Bro will only
-capture traffic relating to the analyzers you choose.  Thus, you can
-control how much work Bro has to do by the analyzers you designate, a
-potentially major consideration if the monitored link has a high volume
-of traffic.
-
-Experience has shown that the policy scripts often require tailoring
-to each environment in which they're used; but if the tailoring is done
-by editing the analyzers supplied with the Bro distribution, you wind
-up with multiple copies of the analyzers, all slightly different, such
-that when you want to make a general change to all of them, it takes
-careful (and tedious) editing to correctly apply the change to all of
-the copies.
-
-Consequently, Bro emphasizes the use of tables and sets of values as ways
-to codify policy particulars such as which hosts should generate alarms
-if seen engaged in various types of connections, which usernames are sensitive
-and should trigger alarms when used, and so on.  The various analyzers
-are written such that you can (often) customize them by simply changing
-variables associated with the analyzer.  Furthermore, Bro
-supports a notion of @emph{refining} the initialization of a variable, so
-that, in a @emph{separate} file from the one defining an analyzer, you
-can either @emph{(i)} @emph{redefine} the variable's initial value,
-@emph{(ii)} @emph{add} new elements to a given table, set or pattern, or
-@emph{(iii)} @emph{remove} elements from a given table or set.
-In a nutshell, refinement allows you to specify particular policies
-in terms of their @emph{differences} from existing policies, rather
-than in their entirety.
-
-@cindex Bro!references
-You can find an overview of Bro in the paper
-``Bro: A System for Detecting Network Intruders in Real-Time,''
-Proceedings of the 1998 USENIX Security Symposium
-@uref{insert URL,Pa98}
-and a revised version
-in @emph{Computer Networks} 
-@uref{insert URL,Pa99}
-A copy of the latter is included in the Bro distribution.
-
-@strong{Using this manual:}
-
-This manual is intended to provide full documentation for users
-of Bro, both those who wish to write Bro scripts to use Bro's existing
-analyzers, and those who wish to implement event engine support for new Bro
-analyzers.  The current version of the manual is @emph{incomplete};
-in particular, it does not discuss the internals of the event engines,
-and a number of other topics have only placeholders.
-
-The manual is organized @emph{not} as a tutorial, but rather closer to a
-reference manual.  In particular, the intent is for the @emph{index} to
-be highly comprehensive, and to serve as one of the main tools to help
-you navigate through Bro's numerous features and capabilities.  Accordingly,
-the index contains many ``redundant'' entries, that is, the same
-information indexed in multiple ways, to try to make it particularly easy
-to look up information.  For example, you'll find a list of all of
-the predefined functions under ``predefined functions'', and also
-under ``functions''.  There are similar entries for ``events'' and
-``variables''.
-
-The manual also includes @emph{Note:}'s and @emph{Deficiency:}'s that
-emphasize points that may be subtle or counter-intuitive, or that
-reflect bugs of some form.  The general delineation between the two
-is that @emph{Note:}'s discuss facets of Bro not likely to change,
-while @emph{Deficiency:}'s will (should) eventually get fixed.
-
-I'm very interested in feedback on whether the manual in general and the
-index in particular is effective, what should be added or removed from it
-to improve it, any errors found in the index or (of course) elsewhere in
-the manual, and what topics you would give the highest priority for the
-next revision of the manual.  In addition, @emph{any contributions to the manual} will be highly welcome!  You'll find the source for the manual
-in @emph{doc/manual-src/}.
-
-The current version of the manual is organized as follows.
-We begin with an overview of how to get started using Bro: building
-and installing it, running it interactively and on live and prerecorded
-network traffic, and the helper utilities (scripts and programs) included
-in the distribution (Chapter N).
-
-Chapter N then discusses the different
-types, values, and constants that Bro supports.  The intent is to provide
-you with some of the flavor of the language.  In addition, later chapters
-use these concepts to explain things like the types associated with the
-arguments passed to different event handlers.
-
-Chapter N lists the different variables and functions
-that Bro predefines.  The variables generally reflect particular values
-that control the behavior of the event engine or reflect its status,
-and the functions are for the most part utilities to aid in the writing
-of Bro scripts.
-
-Chapter N discusses the different analyzers that
-Bro provides.  It is far and away the longest chapter, since there
-are a good number of analyzers, and some of them are quite rich
-in their analysis.
-
-Chapter N describes how to use Bro's @emph{signature engine}.
-The signature engine provides a general mechanism for searching for 
-regular expressions in packet payloads or reassembled TCP byte streams.
-Successful matches can then be fed as events into your policy script
-for further analysis, including the opportunity to assess the match
-in terms of surrounding context, which can greatly reduce the problem
-of ``false positives'' from which signature-matching can suffer.
-The chapter also discusses how to incorporate signatures from the popular
-@emph{Snort} intrusion detection system.
-
-Chapter N gives an overview of Bro's @emph{interactive debugger}.
-The debugger allows you to breakpoint your policy script and inspect and
-change the values of script variables.  The chapter also describes the
-generation of @emph{traces} of all of the events generated during execution.
-
-Finally, Chapter N briefly lists different aspects of Bro
-that have not yet been documented (in addition to the event engine
-and the Bro language itself).
-
-@noindent @emph{Acknowledgments:}
-
-Major components of Bro's functionality were contributed by Ruoming Pang,
-Umesh Shankar, Robin Sommer, and Chema Gonzalez.  Robin also wrote
-Chapter N of this manual; Umesh wrote Chapter N;
-and Michael Kuhn and Benedikt Ostermaier contributed the SSL analyzer
-(with additional development by Scott Campbell) and the associated
-documentation.
-
-Many thanks, too, to Craig Leres, Craig Lant, Jim Mellander, Anne Hutton,
-David Johnston, Mark Handley, and Partha Banerjee for their contributions
-and operational feedback.
-
-Finally, a number of people were instrumental to supporting Bro's development:
-Jim Rothfuss, Mark Rosenberg, Stu Loken, Van Jacobson, Dave Stevens, and
-Jeff Mogul.  Again, many thanks!
-
-
diff --git a/doc/ref-manual/predefined.texi b/doc/ref-manual/predefined.texi
deleted file mode 100644
index 639fe09de8..0000000000
--- a/doc/ref-manual/predefined.texi
+++ /dev/null
@@ -1,3108 +0,0 @@
-
-@node Predefined Variables and Functions
-@chapter Predefined Variables and Functions
-
-@menu
-* Predefined Variables::	
-* Predefined Functions::	
-@end menu
-
-@node Predefined Variables,
-@section Predefined Variables
-
-@cindex predefined variables
-
-Bro predefines and responds to the following variables, organized by
-the policy file in which they are contained. Note that you will only
-be able to access the variables in a policy file if you @code{load} it or
-a policy file which loads it.
-
-@menu
-* activebro::			
-* anonbro::			
-* backdoorbro::			
-* broinit::			
-* code-redbro::			
-* connbro::			
-* demuxbro::			
-* dnsbro::			
-* dns-mappingbro::		
-* fingerbro::			
-* ftpbro::			
-* hotbro::			
-* hot-idsbro::			
-* httpbro::			
-* http-abstractbro::		
-* http-requestbro::		
-* icmpbro::			
-* identbro::			
-* interconnbro::		
-* ircbro::
-* loginbro::			
-* mimebro::			
-* noticebro::			
-* ntpbro::			
-* pop3bro::			
-* port-namesbro::		
-* portmapperbro::		
-* scanbro::			
-* signaturesbro::			
-* sitebro::			
-* smtpbro::			
-* smtp-relaybro::		
-* softwarebro::			
-* sshbro::			
-* steppingbro::			
-* tftpbro::			
-* udpbro::			
-* weirdbro::			
-* wormbro::			
-* Uncategorized::		
-@end menu
-
-@node activebro,
-@subsection active.bro
-
-@table @samp
-
-@code{active_conn : table[conn_id] of connection}
-@vindex active_conn 
-@quotation
-A table of @code{connection} records corresponding to all active
-connections.
-@end quotation
-
-@end table
-
-@node anonbro,
-@subsection anon.bro
-
-@table @samp
-@code{anon_log : file}
-@vindex anon_log 
-@quotation
-The file into which anonymization @emph{Fixme: Add a reference to doc on anonymization when it is available.} IP address mappings are written.
-@end quotation
-
-@code{preserved_subnet : set[subnet]}
-@vindex preserved_subnet
-@quotation
-Addresses in these subnet are preserved when anonymization is being
-performed. See also @code{preserved_net}.  NOTE: The variable @code{const}. so may only be changed via @code{redef}
-@end quotation
-
-@code{preserved_net : set[net]}
-@vindex preserved_net 
-@quotation
-These Class A/B/C nets are preserved when anonymization is being
-performed. See also @code{preserved_subnet}.
-@end quotation
-
-@end table
-
-@node backdoorbro,
-@subsection backdoor.bro
-
-@table @samp
-@code{backdoor_log : file}
-@vindex backdoor_log 
-@quotation
-The file into which logs for backdoor servers
-() are written.
-@end quotation
-
-@code{backdoor_min_num_lines : count}
-@vindex backdoor_min_num_lines 
-@quotation
-The number of lines of @emph{Fixme: must be telnet?} input and output must be more than this amount to
-trigger backdoor checking.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{backdoor_min_normal_line_ratio : double}
-@vindex backdoor_min_normal_line_ratio 
-@quotation
-If the fraction of ``normal'' (less than a certain length) lines is
-below this value, then backdoor checking is not performed.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{backdoor_min_bytes : count}
-@vindex backdoor_min_bytes 
-@quotation
-The total number of bytes transferred on the connection must be at
-least this large in order for backdoor checking to be performed.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{backdoor_min_7bit_ascii_ratio : double}
-@vindex backdoor_min_7bit_ascii_ratio 
-@quotation
-The fraction of 7-bit ASCII characters out of all bytes transferred
-must be at least this large in order for backdoor checking to be performed.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{backdoor_demux_disabled : bool}
-@vindex backdoor_demux_disabled 
-@quotation
-If T (the default), then suspected backdoor connections are not
-demuxed into sender and receiver streams.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{backdoor_demux_skip_tags : set[string]}
-@vindex backdoor_demux_skip_tags 
-@quotation
-If the type of backdoor (the tag) is in this set, the connection will
-not be demuxed.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{backdoor_ignore_src_addrs : table[string, addr] of bool}
-@vindex backdoor_ignore_src_addrs 
-@quotation
-If the suspected backdoor name (``*'' for any) and source address (or
-its /16 or /24) subnet are in this table as a pair, then the backdoor
-will not be logged.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{backdoor_ignore_dst_addrs : table[string, addr] of bool}
-@vindex backdoor_ignore_dst_addrs 
-@quotation
-If the suspected backdoor name (``*'' for any) and destination address (or
-its /16 or /24) subnet are in this table as a pair, then the backdoor
-will not be logged.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{backdoor_ignore_ports : table[string, port] of bool}
-@quotation
-The following (signature, well-known port) pairs should not generated
-a backdoor notice.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{backdoor_standard_ports : set[port]}
-@quotation
-See @code{backdoor_annotate_standard_ports}.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{backdoor_stat_period : interval}
-@quotation
-A report on backdoor stats is generated at this interval.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{backdoor_stat_backoff : interval}
-@quotation
-@emph{Fixme: Not sure about the exact definition here} The backdoor report
-interval (@code{backdoor_stat_period}) is increased by this factor each time it is generated,
-except if the timers are artificially expired.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{backdoor_annotate_standard_ports : bool}
-@quotation
-If T (the default), backdoor notices for those on @code{backdoor_standard_ports}
-should be annotated with the backdoor tag name.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{ssh_sig_disabled : bool}
-@quotation
-If T (default = F), then matches against the SSH signature are ignored.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{telnet_sig_disabled : bool}
-@quotation
-If T (default = F), then matches against the telnet signature are ignored.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{telnet_sig_3byte_disabled : bool}
-@quotation
-If T (default = F), then matches against the 3-byte telnet signature are ignored.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{rlogin_sig_disabled : bool}
-@quotation
-If T (default = F), then matches against the rlogin signature are ignored.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{rlogin_sig_1byte_disabled : bool}
-@quotation
-If T (default = F), then matches against the 1-byte rlogin signature are ignored.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{root_backdoor_sig_disabled : bool}
-@quotation
-If T (default = F), then matches against the root backdoor signature are ignored.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{ftp_sig_disabled : bool}
-@quotation
-If T (default = F), then matches against the FTP signature are ignored.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{napster_sig_disabled : bool}
-@quotation
-If T (default = F), then matches against the Napster signature are ignored.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{gnutella_sig_disabled : bool}
-@quotation
-If T (default = F), then matches against the Gnutella signature are ignored.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{kazaa_sig_disabled : bool}
-@quotation
-If T (default = F), then matches against the KaZaA signature are ignored.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{http_sig_disabled : bool}
-@quotation
-If T (default = F), then matches against the HTTP signature are ignored.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{http_proxy_sig_disabled : bool}
-@quotation
-If T (default = F), then matches against the HTTP proxy signature are ignored.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{did_sigconns : table[conn_id] of set[string]}
-@quotation
-A table which indicates, for each connection, which backdoor server
-signatures were found in the connection's traffic, e.g., ``ftp-sig''
-or ``napster-sig''.
-@end quotation
-
-@code{rlogin_conns : table[conn_id] of rlogin_conn_info}
-@quotation
-A table that holds relevant state variables (an @code{rlogin_conn_info}
- record) for @code{rsh} connections.
-@end quotation
-
-@code{root_backdoor_sig_conns : set[conn_id]}
-@quotation
-The set of connections for which a root backdoor signature
-(``root-bd-sig'') has been detected.
-@end quotation
-
-@code{ssh_len_conns : set[conn_id]}
-@quotation
-The set of connections that are predicted to contain SSH traffic,
-based on the proportion of packets that meet the expected packet size
-distribution. Relevant parameters are @code{ssh_min_num_pkts} and 
-@code{ssh_min_ssh_pkts_ratio}, which are local to @code{backdoor}.
-@end quotation
-
-@code{ssh_min_num_pkts : count}
-@quotation
-The minimum number of packets that look like SSH packets that allow a
-stream to be classified as such.
-@end quotation
-
-@code{ssh_min_ssh_pkts_ratio : double}
-@quotation
-The minimum fraction of packets in a stream that look like SSH packets that allow a
-stream to be classified as such.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{telnet_sig_conns : table[conn_id] of count}
-@quotation
-The set of connections that are predicted to be Telnet connections,
-based on observation of the Telnet signature, the IAC byte (0xff).
-@end quotation
-
-@code{telnet_sig_3byte_conns : table[conn_id] of count}
-@quotation
-Similar to @code{telnet_sig_conns}, but the signature matched is a
-whole 3-byte Telnet command sequence.
-@end quotation
-
-@end table
-
-@node broinit,
-@subsection bro.init
-
-@table @samp
-
-@code{ignore_checksums : bool}
-@quotation
-If T (default = F), packet checksums are not verified.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{partial_connection_ok : bool}
-@quotation
-If T (the default), instantiate connection state when a partial connection
-(one missing its initial establishment negotiation) is seen.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{tcp_SYN_ack_ok : bool}
-@quotation
-If T (the default), instantiate connection state when a SYN ack is seen
-but not the initial SYN (even if partial_connection_ok is false).
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{tcp_match_undelivered : bool}
-@quotation
-If a connection state is removed there may still be some undelivered
-data waiting in the reassembler. If T (the default), pass this to the signature
-engine before flushing the state.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{tcp_SYN_timeout : interval}
-@quotation
-Check up on the result of an initial SYN after this much
-time. @emph{Fixme: What exactly does this mean? Check that the connection is active?}
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{tcp_session_timer : interval}
-@quotation
-After a connection has closed, wait this long for further activity
-before checking whether to time out its state.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{tcp_connection_linger : interval}
-@quotation
-When checking a closed connection for further activity, consider it
-inactive if there hasn't been any for this long.  Complain if the
-connection is reused before this much time has elapsed.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{tcp_attempt_delayv : interval}
-@quotation
-Wait this long upon seeing an initial SYN before timing out the
-connection attempt.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{tcp_close_delay : interval}
-@quotation
-Upon seeing a normal connection close, flush state after this much time.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{tcp_reset_delay : interval}
-@quotation
-Upon seeing a RST, flush state after this much time.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{tcp_partial_close_delay : interval}
-@quotation
-Generate a connection_partial_close event this much time after one half
-of a partial connection closes, assuming there has been no subsequent
-activity.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{non_analyzed_lifetime : interval}
-@quotation
-If a connection belongs to an application that we don't analyze,
-time it out after this interval.  If 0 secs, then don't time it out.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{inactivity_timeout : interval}
-@quotation
-If a connection is inactive, time it out after this interval.
-If 0 secs, then don't time it out.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{tcp_storm_thresh : count}
-@quotation
-This many FINs/RSTs in a row constitutes a "storm". See also @code{tcp_storm_interarrival_thresh}.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{tcp_storm_interarrival_thresh : interval}
-@quotation
-The FINs/RSTs must come with this much time or less between them to be
-considered a storm. See also @code{tcp_storm_thresh}.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{tcp_reassembler_ports_orig : set[port]}
-@quotation
-For services without a handler, these sets define which
-side of a connection is to be reassembled. @emph{Fixme: What is the point of this exactly? What are you analyzing?}
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{tcp_reassembler_ports_resp : set[port]}
-@quotation
-For services without a handler, these sets define which
-side of a connection is to be reassembled. @emph{Fixme: What is the point of this exactly? What are you analyzing?}
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{table_expire_interval : interval}
-@quotation
-Check for expired table entries after this amount of time @emph{Fixme: Which tables?}
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{dns_session_timeout : interval}
-@quotation
-Time to wait before timing out a DNS request.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{ntp_session_timeout : interval}
-@quotation
-Time to wait before timing out an NTP request.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{rpc_timeout : interval}
-@quotation
-Time to wait before timing out an RPC request.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{watchdog_interval : interval}
-@quotation
-A SIGALRM is set for this interval to make sure that Bro does not get
-caught up doing something for too long. @emph{Fixme: True?} If this happens,
-Bro is termination after doing a dump of all remaining packets.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{heartbeat_interval : interval}
-@quotation
-After each interval of this length, update the 
-variable.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{anonymize_ip_addr : bool}
-@quotation
-If true (default = false), then IP addresses are anonymized in notice
-and log generation.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{omit_rewrite_place_holder : bool}
-@quotation
-If true, omit place holder packets when rewriting. @emph{Fixme: Should this go somewhere else?}
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{rewriting_http_trace : bool}
-@quotation
-If true (default = F), HTTP traces are rewritten.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{rewriting_smtp_trace : bool}
-@quotation
-If true (default = F), SMTP traces are rewritten.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@end table
-
-@node code-redbro,
-@subsection code-red.bro
-
-@table @samp
-
-@code{code_red_log file}
-@quotation
-The file into which Code Red-related logs are written.
-@end quotation
-
-@code{code_red_list1 : table[addr] of count}
-@quotation
-A table which contains, for each IP address, how many Code Red I attacks
-were observed (based on a signature) by the machine at that address.
-@end quotation
-
-@code{code_red_list2 : table[addr] of count}
-@quotation
-A table which contains, for each IP address, how many Code Red II attacks
-were observed (based on a signature) by the machine at that address.
-@end quotation
-
-@code{local_code_red_response_pgm : string}
-@quotation
-By default, an empty string; if @code{&redef}ed, the specified program
-will be invoked with the attack source IP as the argument the first
-time an attack from that IP is observed.
-@end quotation
-
-@code{remote_code_red_response_pgm : string}
-@quotation
-By default, an empty string; if @code{&redef}ed, the specified program
-will be invoked with the attack destination IP as the argument the first
-time an attack on that IP is observed.
-@end quotation
-
-@end table
-
-@node connbro,
-@subsection conn.bro
-
-@table @samp
-
-@code{have_FTP : bool}
-@quotation
-If true, @code{ftp.bro} has been loaded.
-@end quotation
-
-@code{have_SMTP : bool}
-@quotation
-If true, @code{smtp.bro} has been loaded.
-@end quotation
-
-@code{have_stats : bool}
-@quotation
-True if  was ever updated with packet capture statistics.
-@end quotation
-
-@code{hot_conns_reported : set[string]}
-@quotation
-The set of connections (indexed by the entire 'hot' message) that have
-previously been flagged as @code{hot}.
-@end quotation
-
-@code{last_stat : net_stats}
-@quotation
-The last recorded snapshot of packet capture statistics, in a  record.
-@end quotation
-
-@code{last_stat_time : time}
-@quotation
-The last time that network statistics were read into .
-@end quotation
-
-@code{RPC_server_map : table[addr, port] of string}
-@quotation
-Maps a given port on a given server's address to an RPC service.
-If we haven't loaded @code{portmapper.bro}, then it will be empty; see
-@code{portmapper.bro} and the @code{portmapper} module documentation 
-for more information.
-@end quotation
-
-@end table
-
-@node demuxbro,
-@subsection demux.bro
-
-For more information on demultiplexing of connections, see the
-@ref{demux Analysis Script,demux Analysis Script}.
-
-@table @samp
-
-@code{demux_dir : string}
-@quotation
-The name of the directory which will contain the files with
-demultiplexed connection data.
-@end quotation
-
-@code{demuxed_conn : set[conn_id]}
-@quotation
-The set of connections that are currently being demultiplexed.
-@end quotation
-
-@end table
-
-@node dnsbro,
-@subsection dns.bro
-
-@table @samp
-
-@code{actually_rejected_PTR_anno : set[string]}
-@quotation
-Annotations that if returned for a PTR lookup actually indicate
-a rejected query; for example, "illegal-address.lbl.gov".
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{sensitive_lookup_hosts : set[addr]}
-@quotation
-Hosts in this set generate a notice when they are
-returned in PTR queries, unless the originating host is in @code{sensitive_lookup_hosts}. 
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{okay_to_lookup_sensitive_hosts : set[addr]}
-@quotation
-If the DNS request originator is in this set, then it is allowed to
-look up ``sensitive'' hosts (see also @code{sensitive_lookup_hosts})
-without causing a notice.
-@end quotation
-
-@code{dns_log : file}
-@quotation
-The file into which DNS-related logs are written.
-@end quotation
-
-@code{dns_sessions : table[addr, addr] of dns_session_info}
-@quotation
-A table of outstanding DNS sessions indexed by [client IP, server IP].
-@emph{Fixme:  Need to illustrate dns_sessions_info. }
-@end quotation
-
-@code{num_dns_sessions : count}
-@quotation
-The total number of entries that have ever been in the  table.
-@end quotation
-
-@code{distinct_PTR_requests : table[addr, string] of count}
-@quotation
-The number of DNS PTR requests observed with the given source address
-and request string.
-@end quotation
-
-@code{distinct_rejected_PTR_requests : table[addr] of count}
-@quotation
-How many DNS PTR requests from the given source address were
-rejected.  A report is generated if this number crosses a threshold,
-namely, @code{report_rejected_PTR_thresh}.
-@end quotation
-
-@code{distinct_answered_PTR_requests : table[addr] of count}
-@quotation
-How many DNS PTR requests from the given source address were rejected.
-@end quotation
-
-@code{report_rejected_PTR_thresh : count}
-@quotation
-If this many DNS requests from a host are rejected, generate a
-possible PTR scan event.
-@end quotation
-
-@code{report_rejected_PTR_factor : double}
-@quotation
-If DNS requests from a host are rejected more than accepted by this
-factor, generate a  event.
-@end quotation
-
-@code{allow_PTR_scans set[addr]}
-@quotation
-The set of hosts for which a @code{PTR_scan} event does not generate a report
-(that is, the scan is allowed).
-@end quotation
-
-@code{did_PTR_scan_event table[addr] of count}
-@quotation
-A table of hosts for which a  event has been generated.
-@end quotation
-
-@end table
-
-@node dns-mappingbro,
-@subsection dns-mapping.bro
-
-@table @samp
-
-@code{dns_interesting_changes}
-@quotation
-The set of DNS mapping changes (according to lookups by Bro itself)
-that is interesting enough to notice.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@end table
-
-@node fingerbro,
-@subsection finger.bro
-
-@table @samp
-
-@code{hot_names : set[string]}
-@quotation
-If a finger request for any of the names in this set is observed, the
-associated connection is marked ``hot''.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{max_finger_request_len : count}
-@quotation
-If a finger request is longer than this length, then it is marked as ``hot''.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{rewrite_finger_trace : bool}
-@quotation
-Indicates whether or not finger requests are rewritten for anonymity.
-@end quotation
-
-@end table
-
-@node ftpbro,
-@subsection ftp.bro
-
-@table @samp
-
-@code{ftp_log : file}
-@quotation
-The file into which FTP-related logs are written.
-@end quotation
-
-@code{ftp_sessions : table[conn_id] of ftp_session_info}
-
-@code{ftp_guest_ids : set[string]}
-@quotation
-The set of login IDs which are guest logins, e.g., ``anonymous'' and
-``ftp''.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{ftp_skip_hot : set[addr, addr, string]}
-@quotation
-Indexed by source and destination addresses and the id, these
-connections are not marked as ``hot'' even if its data would to cause
-it to be otherwise.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{ftp_hot_files : pattern}
-@quotation
-If a filename matching this pattern is requested, the @code{ftp_sensitive_files}
- event is generated. The default behavior is to alarm the connection.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{ftp_hot_guest_files : pattern}
-@quotation
-If a user is logged in under a guest ID and attempts to retrieve a
-file matching this pattern,  the
-@code{ftp_sensitive} event is generated. The default
-behavior is to alarm the connection.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{ftp_hot_cmds : table[string] of pattern}
-@quotation
-If an FTP command matches an index into the table and its argument
-matches the associated pattern, the connection is alarmed.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{skip_unexpected : set[addr]}
-@quotation
-Pairs of IP addresses for which we shouldn't bother logging if one
-of them is used in lieu of the other in a PORT or PASV directive.
-@end quotation
-
-@code{skip_unexpected_net : set[addr]}
-@quotation
-Similar to @code{skip_unexpected}, but matches a /24 subnet.
-@end quotation
-
-@code{ftp_data_expected : table[addr, port] of addr}
-@quotation
-Indexed by the server's responder pair, yields the address expected to make an
-FTP data connection to it.
-@end quotation
-
-@code{ftp_data_expected_session : table[addr, port] of ftp_session_info}
-@quotation
-Indexed by the server's responder pair, yields the associated
-@code{ftp_session_info} record for the expected incoming FTP data
-connection.
-@end quotation
-
-@code{ftp_excessive_filename_len : count}
-@quotation
-If an FTP request filename meets or exceeds this length, an
-@code{FTP_ExcessiveFilename} notice is generated.
-@end quotation
-
-@code{ftp_excessive_filename_trunc_len : count}
-@quotation
-How much of the excessively long filename is printed in the notice message.
-@end quotation
-
-@code{ftp_ignore_invalid_PORT : pattern} 
-@quotation
-Invalid PORT/PASV directives that exactly match this pattern don't
-generate notices.
-@end quotation
-
-@code{ftp_ignore_privileged_PASVs : set[port]}
-@quotation
-If an FTP PASV port is specified to be a privileged port (< 1024/tcp)
-then an @code{FTP_PrivPort} event is generated, EXCEPT if the port is
-in this set.
-@end quotation
-
-@end table
-
-@node hotbro,
-@subsection hot.bro
-
-@table @samp
-
-@code{same_local_net_is_spoof : bool}
-@quotation
-If true (default = F), it should be considered a spoofing attack if a connection has
-the same local net for source and destination.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{allow_spoof_services : set[port]}
-@quotation
-The services in this set are not counted as spoofed even if they pass
-the test from @code{same_local_net_is_spoof}.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{allow_pairs : set[addr, addr]}
-@quotation
-Connections between these (source address, destination address) pairs
-are never marked as ``hot''.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{allow_16_net_pairs : set[addr, addr]}
-@quotation
-Connections between these (/16 network, /32 destination host) pairs
-are never marked as ``hot''.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{hot_srcs : table[addr] of string}
-@quotation
-Connections from any of these sources are automatically marked ``hot''
-with the associated message in the table.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{hot_dsts : table[addr] of string}
-@quotation
-Connections to any of these destinations are automatically marked ``hot''
-with the associated message in the table.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{hot_src_24nets : table[addr] of string}
-@quotation
-Connections from any of these source /24 nets are automatically marked ``hot''
-with the associated message in the table.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{hot_dst_24nets : table[addr] of string}
-@quotation
-Connections to any of these destination /24 nets are automatically marked ``hot''
-with the associated message in the table.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{allow_services : set[port]}
-@quotation
-Connections to this set of services are never marked ``hot'' (based on port
-number).
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{allow_services_to : set[addr, port]}
-@quotation
-Connections to the specified host and port are never marked ``hot''.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{allow_service_pairs : set[addr, addr, port]}
-@quotation
-Connections from the first address to the second on the specified
-destination port are never marked ``hot''.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{flag_successful_service : table[port] of string}
-@quotation
-Successful connections to any of the specified ports are flagged with
-the accompanying message. Examples are popular backdoor ports.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{flag_successful_inbound_service : table[port] of string}
-@quotation
-Incoming connections to the specified ports are flagged with the
-accompanying message. This is similar to
-, but may be used when the port gives
-to many false positives for outgoing connections.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{terminate_successful_inbound_service : table[port] of string}
-@quotation
-Connections to this port, if previously flagged by @code{flag_successful_service}
- or @code{flag_incoming_service} are terminated.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{flag_rejected_service : table[port] of string}
-@quotation
-Failed connection attempts to the specified ports are marked as ``hot''.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@end table
-
-@node hot-idsbro,
-@subsection hot-ids.bro
-
-@table @samp
-
-@code{forbidden_ids : set[string]}
-@quotation
-If any of these usernames/login IDs are used, the corresponding
-connection is terminated.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{forbidden_ids_if_no_password : set[string]}
-@quotation
-If any of these usernames/login IDs are used with no password, the corresponding
-connection is terminated.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{forbidden_id_patterns : pattern}
-@quotation
-If a username/login ID matches this pattern, the corresponding
-connection is terminated.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{always_hot_ids : set[string]}
-@quotation
-Connections that attempt to login with these IDs are always marked
-``hot'', whether or not they succeed. See also @code{hot_ids}.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{hot_ids : set[string]}
-@quotation
-Similar to , except that only successful connections are marked ``hot''.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@end table
-
-@node httpbro,
-@subsection http.bro
-
-@table @samp
-
-@code{http_log : file}
-@quotation
-The file into which HTTP-related logs are written.
-@end quotation
-
-@code{http_sessions : table[addr, addr] of http_session_info}
-@quotation
-A [source, destination] indexed table of @code{http_session_info} records.
-@end quotation
-
-@code{include_HTTP_abstract : bool}
-@quotation
-Currently used to indicate whether or not an abstract of the HTTP
-request data will be included in a rewritten connection.
-@end quotation
-
-@code{log_HTTP_data : bool}
-@quotation
-If true, an abstract of the HTTP request data is included in a log message.
-@end quotation
-
-@code{maintain_http_sessions : bool}
-@quotation
-If true, HTTP sessions are maintained across multiple connections,
-otherwise we not (which saves some memory).
-@end quotation
-
-@code{process_HTTP_replies : bool}
-@quotation
-If true, HTTP replies (not just requests) are processed.
-@end quotation
-
-@code{process_HTTP_data : bool}
-@quotation
-If true, HTTP data is examined as needed (e.g., for making HTTP abstracts,
-as discussed below).
-@end quotation
-
-@end table
-
-@node http-abstractbro,
-@subsection http-abstract.bro
-
-@table @samp
-
-@code{http_abstract_max_length : count}
-@quotation
-The maximum number of bytes used to store an abstract for an HTTP connection.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@end table
-
-@node http-requestbro,
-@subsection http-request.bro
-
-@table @samp
-
-@code{skip_remote_sensitive_URIs : pattern}
-@quotation
-URIs matching this pattern should not be considered sensitive if accessed 
-remotely, i.e., by a local client.
-@end quotation
-
-@code{have_skip_remote_sensitive_URIs : bool}
-@quotation
-Due to a quirk in Bro, this must be redef'ed to T if you want to use
-@code{skip_remote_sensitive_URIs}.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{sensitive_URIs : pattern}
-@quotation
-URIs matching this pattern, but not matching @code{worm_URIs}, are
-noticed. See also @code{skip_remote_sensitive_URIs} and @code{sensitive_post_URIs}.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{worm_URIs : pattern}
-@quotation
-URIs matching this pattern are not noticed even if they match
-@code{sensitive_URIs}, since worms are so common they would clutter
-the logs.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{sensitive_post_URIs : pattern}
-@quotation
-URIs matching this pattern are noticed if they are used with the HTTP
-``POST'' method (rather than ``GET''). 
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@end table
-
-@node icmpbro,
-@subsection icmp.bro
-
-@table @samp
-
-@code{icmp_flows : table[icmp_flow_id] of icmp_flow_info}
-@quotation
-A table tracking all ICMP ``flows'' by @code{icmp_flow_info}.
-``Flows'', which are simply inferred related
-sequences of packets between two machines, based on ICMP ID, are timed
-out after (currently) 30 seconds of inactivity.
-@end quotation
-
-@end table
-
-@node identbro,
-@subsection ident.bro
-
-@table @samp
-
-@code{hot_ident_ids : set[string]}
-@quotation
-If any of the User IDs in this set are returned in an @code{ident}
-response, an @emph{IdentSensitiveID} notice is generated.
-@end quotation
-
-@code{hot_ident_exceptions : set[string]}
-@quotation
-Exceptions to the @code{hot_ident_ids} set.
-@end quotation
-
-@code{public_ident_user_ids : set[string]}
-@quotation
-User IDs in this set are described as ``public'' in a rewritten  @code{ident}
-trace.
-@end quotation
-
-@code{public_ident_systems : set[string]}
-@quotation
-Operating system names in this set (e.g., ``UNIX'') are reported
-directly in a rewritten @code{ident} trace; other OSes will be reported
-as ``OTHER''.
-@end quotation
-
-@code{rewrite_ident_trace : bool}
-@quotation
-If true, traces will be rewritten (partially anonymized).
-@end quotation
-
-@end table
-
-@node interconnbro,
-@subsection interconn.bro
-
-@table @samp
-
-@code{interconn_conns : table [conn_id] of conn_info}
-@quotation
-A @code{conn_id}-indexed table of all currently-tracked interactive
-connections. The table entries are  records
-containing some very basic information about the connection.
-@end quotation
-
-@code{interconn_log : file}
-@quotation
-The file into which generic interactive-connection-related logs are written.
-@end quotation
-
-@code{interconn_min_interarrival : interval}
-@quotation
-Used in computing the ``alpha'' parameter, which is used to determine
-which connections are interactive, based on the distribution of
-interarrival times. See also @code{interconn_max_interarrival}.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{interconn_max_interarrival : interval}
-@quotation
-Used in computing the ``alpha'' parameter, which is used to determine
-which connections are interactive, based on the distribution of
-interarrival times. See also @code{interconn_max_interarrival}.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{interconn_max_keystroke_pkt_size : count}
-@quotation
-The maximum packet size used to classify keystroke-containing packets.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{interconn_default_pkt_size : count}
-@quotation
-The estimated packet size used to calculate the number of packets
-missed when we see an ack above a hole. @emph{Fixme: Please verify.}
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{interconn_stat_period : interval}
-@quotation
-How often to generate a report of interconn stats.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{interconn_stat_backoff : double}
-@quotation
-@emph{Fixme: I don't fully understand is_expire in timers.} The stat report
-generation interval (@code{interconn_stat_period}) is increased by this factor each time the report
-is generated [unless the report is generated because all timers are
-artificially expired].
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{interconn_min_num_pkts : count}
-@quotation
-A connection must have this number of packets transferred before it
-may be classified as interactive.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{interconn_min_duration : interval}
-@quotation
-A connection must last least this long before it may be classified as interactive.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{interconn_ssh_len_disabled : bool} 
-@quotation
-If false (default = T), and at least one side of the connection has
-partial state (the initial negotiation was missed), then packets are
-examined to see if they fit the size distribution associated with
-interactive SSH connections.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{interconn_min_ssh_pkts_ratio : double}
-@quotation
-Analogous to @code{ssh_min_ssh_pkts_ratio}, except used in the
-context described in @code{interconn_ssh_len_disabled}.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{interconn_min_bytes : count}
-@quotation
-The number of bytes transferred on a connection must be at least this high before the
-connection may be classified as interactive.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{interconn_min_7bit_ascii_ratio : double}
-@quotation
-The ratio of 7-bit ASCII characters to total bytes must be at least
-this high before the connection may be classified as interactive.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{interconn_min_num_lines : count}
-@quotation
-The number of lines transferred on a connection must be at least
-this high before the connection may be classified as interactive.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{interconn_min_normal_line_ratio : double}
-@quotation
-The ratio of ``normal'' lines to total lines must be at least
-this high before the connection may be classified as interactive. A
-normal line, roughly speaking, is one whose length is within a certain
-bound. @emph{Fixme: Please verify this.}
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{interconn_min_alpha : double}
-@quotation
-The ``alpha'' parameter computed on connection must be at least
-this high before the connection may be classified as interactive. This
-parameter measures certain properties of packet interarrival
-times. See @code{interconn}.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{interconn_min_gamma : double}
-@quotation
-The ``gamma'' parameter computed on connection must be at least
-this high before the connection may be classified as interactive. 
-@end quotation
-
-@code{interconn_standard_ports : set[port]}
-@quotation
-Connections to or from these ports are marked as interactive
-automatically, unless @code{interconn_standard_ports} is set
-to true.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{interconn_ignore_standard_ports : bool}
-@quotation
-If true (default = F), then all connections are analyzed for
-interactive patterns, regardless of port. See @code{interconn_standard_ports}.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{interconn_demux_disabled : bool}
-@quotation
-If false (default = T), then interactive connections are demuxed
-when being logged.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@end table
-
-@node ircbro,
-@subsection irc.bro
-
-@table @samp
-
-@code{IRC::log_file: file}
-@quotation
-Where to log IRC sessions.
-@end quotation
-
-@code{hot_words}
-@quotation
-List of regular expressions that generate notices if found in session dialog.
-@end quotation
-
-@code{ignore_in_other_msgs: set[string]}
-@quotation
-Commands to ignore in generating events for unknown commands.
-@end quotation
-
-@code{ignore_in_other_responses: set[string]}
-@quotation
-Return codes to ignore in generating events for unknown return codes.
-@end quotation
-
-@end table
-
-These variables contain information about the users and channels
-identified by Bro:
-
-@table @samp
-
-@code{irc_users: table[string] of irc_user}
-@quotation
-All identified IRC users, indexed by IRC nick.
-@end quotation
-
-@code{irc_channels: table[string] of irc_channel}
-@quotation
-All identified IRC channels, indexed by IRC channel name.
-@end quotation
-
-@end table
-
-@node loginbro,
-@subsection login.bro
-
-@table @samp
-
-@code{input_trouble : pattern}
-@quotation
-If a user's keystroke input matches this pattern, then a notice is generated.
-@end quotation
-
-@code{edited_input_trouble : pattern}
-@quotation
-If a user's keystroke input matches this pattern, taking into account
-backspace and delete characters, then a notice is generated.
-@end quotation
-
-@code{full_input_trouble : pattern}
-@quotation
-If this pattern is matched in a full line of input, a notice is generated.
-@end quotation
-
-@code{input_wait_for_output : pattern}
-@quotation
-The same as @code{edited_input_trouble}, except that the notice is
-delayed until the corresponding output is seen, so that both may be
-logged together.
-@end quotation
-
-@code{output_trouble : pattern}
-@quotation
-If the login output matches this pattern, a notice is generated.
-@end quotation
-
-@code{full_output_trouble : pattern}
-@quotation
-Similar to @code{output_trouble}, but the pattern must match the
-entire output.
-@end quotation
-
-@code{backdoor_prompts : pattern} 
-@quotation
-If the login output matches this text, but not
-@code{non_backdoor_prompts}, generate a possible-backdoor notice.
-@end quotation
-
-@code{non_backdoor_prompts : pattern}
-@quotation
-See @code{backdoor_prompts}.
-@end quotation
-
-@code{hot_terminal_types : pattern} 
-@quotation
-If the terminal type used matches this pattern, generate a notice.
-@end quotation
-
-@code{hot_telnet_orig_ports : set[port]}
-@quotation
-If the source port of a telnet connection is in this set, generate a notice.
-@end quotation
-
-@code{skip_authentication : set[string] }
-@quotation
-If a string in this set appears where an authentication prompt would
-normally, skip processing of authentication (typically for an
-unauthenticated system). @emph{Fixme: Please verify.}
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{login_prompts : set[string]}
-@quotation
-The set of strings that are recognized as login prompts anywhere on a line, e.g.,
-``Login:''.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{login_failure_msgs : set[string]}
-@quotation
-If any of these strings appear on a line following an authentication
-attempt, the attempt is considered to have failed, unless a string
-from @code{login_non_failure_msgs} also appears on the line. This
-set has higher precedence than @code{login_success_msgs}, and the
-same precedence as @code{login_timeouts}.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{login_non_failure_msgs : set[string]}
-@quotation
-If any of these strings appear on a line following an authentication
-attempt, the connection is not considered to have failed even if
-@code{login_failure_msgs} indicates otherwise.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{login_success_msgs : set[string]}
-@quotation
-If any of these messages is seen, the connection attempt is assumed to
-have succeeded. This set has lower precedence than @code{login_failure_msgs}
-and @code{login_timeouts} .
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{login_timeouts : set[string]}
-@quotation
-If any of these messages is seen during the login phase, the
-connection attempt is assumed to have timed out. This
-set has higher precedence than @code{login_success_msgs}, and the
-same precedence as @code{login_failure_msgs}.
-@end quotation
-
-@code{router_prompts : pattern}
-@quotation
-@emph{Fixme: Don't know what this is}
-@end quotation
-
-@code{non_ASCII_hosts : set[addr]} 
-@quotation
-The set of hosts that do not use ASCII (and to whom logins are thus
-not processed).
-@end quotation
-
-@code{skip_logins_to : set[addr]}
-@quotation
-Do not process logins to this set of hosts.
-@end quotation
-
-@code{always_hot_login_ids : pattern}
-@quotation
-Login names which generate a notice even if the login is not successful.
-@end quotation
-
-@code{hot_login_ids : pattern}
-@quotation
-Login names which generate a notice, if the login is successful.
-@end quotation
-
-@code{rlogin_id_okay_if_no_password_exposed : set[string]}
-@quotation
-Login names in this set are those which are normally considered
-sensitive, but are allowed if the associated password is not exposed.
-@end quotation
-
-@code{login_sessions : table[conn_id] of login_session_info}
-@quotation
-A table, indexed by connection ID, of @code{login_session_info}
-records, characterizing each login session.
-@end quotation
-
-@end table
-
-@node mimebro,
-@subsection mime.bro
-
-@table @samp
-
-@code{mime_log : file}
-@quotation
-MIME message-related logs are written to this file.
-@end quotation
-
-@code{mime_sessions : table[conn_id] of mime_session_info}
-@quotation
-A table, indexed by connection ID, of @code{mime_session_info}
-records, characterizing each MIME session.
-@end quotation
-
-@code{check_relay_3 function(session: mime_session_info, msg_id: string): bool}
-@quotation
-@emph{Fixme: Don't know about this}
-@end quotation
-
-@code{check_relay_4 function(session: mime_session_info, content_hash: string): bool}
-@quotation
-@emph{Fixme: Don't know about this}
-@end quotation
-
-@end table
-
-@node noticebro,
-@subsection notice.bro
-
-@table @samp
-@code{notice_action_filters : table[Notice] of function(n: notice_info: NoticeAction}
-@vindex notice_action_filters
-@quotation
-A table that maps each @code{notice} into a function that should be
-called to determine the action.
-@end quotation
-
-@code{notice_file : file}
-@vindex notice_file 
-@quotation
-The file into which notices are written.
-@end quotation
-
-@end table
-
-@node ntpbro,
-@subsection ntp.bro
-
-@table @samp
-
-@code{excessive_ntp_request : count}
-@quotation
-NTP requests over this length are considered ``excessive'' and will be
-flagged (marked ``hot'').
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{allow_excessive_ntp_requests : set[addr]}
-@quotation
-NTP requests from an address in this set are never considered
-excessively long (see @code{excessive_ntp_request}).
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@end table
-
-@node pop3bro,
-@subsection pop3.bro
-@table @samp
-@item @code{pop_connections: table[conn_id] of pop3_session_info}
-This table contains all active POP3-sessions indexed by their Connection IDs.
-Deleted as soon as the TCP Connection terminates or expires.
-@item @code{pop_connection_weirds: table[addr] of count &default=0 &create_expire = 5 mins}
-This table contains all the POP3-session originators for which unexpected
-behavior was recorded.
-@item @code{error_threshold: count = 3}
-A threshold for the maximum of negative status indicators per originator
-received by a server.
-@item @code{ignore_commands: set[string] }
-Set of commands that will be ignored while generating the log file. 
-@end table
-
-@node port-namesbro,
-@subsection port-names.bro
-
-@table @samp
-
-@code{port_names : table[port] of string}
-@quotation
-A mapping of well-known port numbers to the associated service names.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@end table
-
-@node portmapperbro,
-@subsection portmapper.bro
-
-@table @samp
-
-@code{rpc_programs : table[count] of string}
-@quotation
-A table correlating numeric RPC service IDs to string names of
-the services, e.g., @code{[1000000] = ``portmapper''}.
-@end quotation
-
-@code{NFS_services : set[string]}
-@quotation
-A set of string names of NFS-related RPC services.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{RPC_okay : set[addr, addr, string]}
-@quotation
-Indexed by the host providing the service, the host requesting it,
-and the service; do not notice Sun portmapper requests from the specified
-requester to the specified provider for the specified service.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{RPC_okay_nets : set[net]}
-@quotation
-Hosts in any of the networks in this set may make portmapper requests without
-being flagged.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{RPC_okay_services : set[string]}
-@quotation
-Requests for services in this set will not be flagged.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{NFS_world_servers : set[addr]}
-@quotation
-Any host may request NFS services from any of the machines in this set
-without being flagged..
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{any_RPC_okay : set[addr, string]}
-@quotation
-Indexed by the service provider and the service (in string form); any
-host may access these services without being flagged.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{RPC_dump_okay : set[addr, addr]}
-@quotation
-Indexed by requesting host and providing host, respectively; dumps of
-RPC portmaps are allowed between these pairs.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{RPC_do_not_complain : set[string, bool]} 
-@quotation
-Indexed by the portmapper request and a boolean that's T if the
-request was answered, F it was attempted but not answered.  If there's
-an entry in the set matching the current request/attempt, then the
-access won't be noticed (unless the connection is hot for some other
-reason).
-@end quotation
-
-@code{suppress_pm_log : set[addr, string]}
-@quotation
-Indexed by source and portmapper service.  If set, we already noticed
-and shouldn't do so again. @emph{Fixme: Presumably this can be preloaded 
-with stuff, or we wouldn't need to document it.}
-@end quotation
-
-@end table
-
-@node scanbro,
-@subsection scan.bro
-
-@table @samp
-
-@code{suppress_scan_checks : bool}
-@quotation
-If true, we suppress scan checking (we still do account-tried accounting).
-This is provided because scan checking can consume a lot of memory.
-@end quotation
-
-@code{report_peer_scan : set[count]}
-@quotation
-When the number of distinct machines connected to by a given external host reaches
-each of the levels in the set, a notice is generated.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{report_outbound_peer_scan : set[count]}
-@quotation
-When the number of distinct machines connected to by a given internal host reaches
-each of the levels in the set, a notice is generated.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{num_distinct_peers : table[addr] of count}
-@quotation
-A table indexed by a host's address which indicates how many distinct
-machines that host has connected to.
-@end quotation
-
-@code{distinct_peers : set[addr,addr]}
-@quotation
-A table indexed by source host and target machine that tracks which
-machines have been scanned by each host.
-@end quotation
-
-@code{num_distinct_ports : table[addr] of count}
-@quotation
-A table indexed by a host's address which indicates how many distinct
-ports that host has connected to.
-@end quotation
-
-@code{distinct_ports : set[addr, port]}
-@quotation
-A table indexed by source host and target port that tracks which
-ports have been scanned by each host.
-@end quotation
-
-@code{report_port_scan : set[count]}
-@quotation
-When the number of distinct ports connected to by a given external host reaches
-each of the levels in the set, a notice is generated.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{possible_port_scan_thresh : count}
-@quotation
-If a host tries to connect to more than this number of ports, it is
-considered a possible scanner.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{possible_scan_sources : set[addr]}
-@quotation
-Hosts are put in this set once they have scanned more than ports.
-@end quotation
-
-@code{num_scan_triples : table[addr, addr] of count}
-@quotation
-Indexed by source address and destination address, the number of
-services scanned for on the latter by the former. This is only tracked
-for @code{possible_scan_sources}.
-@end quotation
-
-@code{scan_triples : set[addr, addr, port]}
-@quotation
-For @code{possible_scan_sources} as a source address, the triples
-of (source address, destination address, and service/port) scanned.
-@end quotation
-
-@code{accounts_tried : set[addr, string, string]}
-@quotation
-Which account names were tried, indexed by source address, user name
-tried, password tried.
-@end quotation
-
-@code{num_accounts_tried : table[addr] of count}
-@quotation
-How many accounts, as defined by a (user name, password) pair, were
-tried by the host with the given address.
-@end quotation
-
-@code{report_accounts_tried : set[count]}
-@quotation
-When the number of distinct accounts (username, password) tried by a
-given external host reaches each of the levels in the set, a notice is
-generated.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{report_remote_accounts_tried : set[count]}
-@quotation
-When the number of distinct remote accounts (username, password) tried by a
-given internal host reaches each of the levels in the set, a notice is
-generated.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{skip_accounts_tried : set[addr]}
-@quotation
-Hosts in this set are not subject to notices based on
-@code{report_accounts_tried} and @code{report_remote_accounts_tried}.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{addl_web : set[port]}
-@quotation
-Ports in this set are treated as HTTP services.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{skip_services : set[port]}
-@quotation
-Connections to ports in this set are ignored for the purposes of scan detection.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{skip_outbound_services : set[port]}
-@quotation
-Connections to external machines on ports in this set are ignored for
-the purposes of scan detection.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{skip_scan_sources : set[addr]}
-@quotation
-Hosts in this set are ignored as possible sources of scans.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{skip_scan_nets_16 : set[addr,port]}
-@quotation
-Connections matching the specified (source host /16 subnet, port) pairs
-are ignored for the purpose of scan detection.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{skip_scan_nets_24 : set[addr,port]}
-@quotation
-Connections matching the specified (source host /24 subnet, port) pairs
-are ignored for the purpose of scan detection.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{backscatter_ports : set[port]}
-@quotation
-Reverse (SYN-ack) scans seen from these ports are considered to reflect
-possible SYN flooding backscatter and not true (stealth) scans.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{num_backscatter_peers : table[addr] of count}
-@quotation
-Indexed by a host, how many other hosts it connected to with a possible backscatter
-signature.
-@end quotation
-
-@code{distinct_backscatter_peers :  table[addr, addr] of count}
-@quotation
-A table of [source, destination] observed backscatter activity; the
-table entry is a count of backscatter packets from the source to the destination.
-@end quotation
-
-@code{report_backscatter : set[count]}
-@quotation
-When the number of machines that a host has sent backscatter packets
-to reaches each of the levels in the set, a notice is generated.
-
-@emph{Fixme: Need to document connection-dropping related variables.}
-@example
-global can_drop_connectivity = F &redef;
-global drop_connectivity_script = "drop-connectivity" &redef;
-global connectivity_dropped set[addr];
-const shut_down_scans: set[port] &redef;
-const shut_down_all_scans = F &redef;
-const shut_down_thresh = 100 &redef;
-never_shut_down set[addr]
-never_drop_nets set[net]
-never_drop_16_nets set[net]
-did_drop_address table[addr] of count
-@end example
-@end quotation
-
-@code{root_servers : set[host]}
-@findex root_servers 
-@quotation
-The set of root DNS servers.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{gtld_servers : set[host]}
-@quotation
-The set of Generic Top-Level Domain servers (.com, .net, .org, etc.).
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@end table
-
-@node signaturesbro,
-@subsection signatures.bro
-
-@table @samp
-
-@code{horiz_scan_thresholds : set[count]}
-@quotation
-Notice if for a pair (orig, signature) the number of different responders has
-reached one of the thresholds in this set.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{vert_scan_thresholds : set[count]}
-@quotation
-Notice if for a pair (orig, resp) the number of different signature matches has
-reached one of the thresholds in this set.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@end table
-
-@node sitebro,
-@subsection site.bro
-
-@table @samp
-
-@code{local_nets : set[net]}
-@quotation
-Class A/B/C networks that are considered ``local''.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{local_16_nets : set[addr]}
-@quotation
-/16 address blocks that are considered ``local''. These are derived
-directly from @code{local_nets} . @emph{Fixme: Please verify this}.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{local_24_nets : set[addr]}
-@quotation
-/24 address blocks that are considered ``local''. These are derived
-directly from  @code{local_nets}. @emph{Fixme: Please verify this}.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{neighbor_nets : set[net]}
-@quotation
-Class A/B/C networks that are considered ``neighbors''. Note that
-unlike for local_nets, @code{local_16_nets} is @emph{not}
-merely a /16 addr version of neighbor_nets, but instead is consulted
-@emph{in addition} to neighbor_nets.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{neighbor_16_nets : set[addr]}
-@quotation
-/16 address blocks that are considered ``neighbors''. Note that
-unlike for local_nets, neighbor_16_nets is @emph{not}
-merely a /16 addr version of @code{neighbor_nets}, but instead is consulted
-@emph{in addition} to @code{neighbor_nets}.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@end table
-
-@node smtpbro,
-@subsection smtp.bro
-
-@table @samp
-
-@code{local_mail_addr : pattern}
-@quotation
-Email addresses matching this pattern are considered to be local. This
-is used to detect relaying.
-@end quotation
-
-@code{smtp_log : file}
-@quotation
-The file into which SMTP-related notices are written.
-@end quotation
-
-@code{smtp_sessions : table[conn_id] of smtp_session_info}
-@quotation
-A table of @code{smtp_session_info} records tracking SMTP-related
-state for a given connection.
-@end quotation
-
-@code{process_smtp_relay : bool}
-@quotation
-If true (default = F), processing is done to check for mail relaying.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-
-@example
-type smtp_session_info: record @{
-	id: count;
-	connection_id: conn_id;
-	external_orig: bool;
-	in_data: bool;
-	num_cmds: count;
-	num_replies: count;
-	cmds: smtp_cmd_info_list;
-	in_header: bool;
-	keep_current_header: bool;	# a hack till MIME rewriter is ready
-	recipients: string;
-	subject: string;
-	content_hash: string;
-	num_lines_in_body: count;	# lines in RFC 822 body before MIME decoding
-	num_bytes_in_body: count;	# bytes in entity bodies after MIME decoding
-	content_gap: bool;		# whether there is content gap in conversation
-
-	relay_1_rcpt: string;	# external recipients
-	relay_2_from: count; 	# session id of same recipient
-	relay_2_to: count;
-	relay_3_from: count; 	# session id of same msg id
-	relay_3_to: count;
-	relay_4_from: count; 	# session id of same content hash
-	relay_4_to: count;
-@};
-@end example
-@end quotation
-
-@code{smtp_legal_cmds : set[string]}
-@quotation
-The set of allowed SMTP commands (not currently used). @emph{Fixme: Is it used somewhere?}
-@end quotation
-
-@code{smtp_hot_cmds : table[string] of pattern}
-@quotation
-If an SMTP command matching an index into the table has an argument
-matching the associated pattern, then the request and its reply are logged.
-@end quotation
-
-@code{smtp_sensitive_cmds : set[string]}
-@quotation
-If an SMTP command is in this set, the request and its reply are logged.
-@end quotation
-
-@end table
-
-@node smtp-relaybro,
-@subsection smtp-relay.bro
-
-@table @samp
-
-@code{relay_log : file}
-@quotation
-Logs related to email relaying go in this file.
-@end quotation
-
-@code{smtp_relay_table : table[count] of smtp_session_info}
-@quotation
-A table indexed by SMTP session ID (session$id) that keeps track of
-each session in an  record.
-@end quotation
-
-@code{smtp_session_by_recipient : table[string] of smtp_session_info}
-@quotation
-A table indexed by the recipient that holds the corresponding
-@code{smtp_session_info} record.
-@end quotation
-
-@code{smtp_session_by_message_id : table[string] of smtp_session_info}
-@quotation
-A table indexed by the email message ID that holds the corresponding
-@code{smtp_session_info} record.
-@end quotation
-
-@code{smtp_session_by_content_hash : table[string] of smtp_session_info}
-@quotation
-A table indexed by the MD5 hash of the message that holds the corresponding
- record. @emph{Fixme: Currently unimplemented?}
-@end quotation
-
-@end table
-
-@node softwarebro,
-@subsection software.bro
-
-@table @samp
-
-@code{software_file : file}
-@quotation
-Logs related to host software detection go in this file.
-@end quotation
-
-@code{software_table : table[addr] of software_set}
-@quotation
-A table of the software running on each host. A
-@code{software_set} is itself a table, indexed by the name of the
-software, of @code{software} records.
-@end quotation
-
-@code{software_ident_by_major : set[string]}
-@quotation
-Software names in this set could be installed twice on the same
-machine with different major version numbers. Such software is
-identified as ``Software-N'' where N is the major version number, to
-disambiguate the two.
-@end quotation
-
-@end table
-
-@node sshbro,
-@subsection ssh.bro
-
-@table @samp
-
-@code{ssh_log : file}
-@quotation
-Logs related to ssh connections go in this file.
-@end quotation
-
-@code{did_ssh_version : table[addr, bool] of count}
-@quotation
-Indexed by host IP and (T for client, F for server), the table tracks
-if we have recorded the SSH version. Values of one and greater are
-essentially equivalent.
-@end quotation
-
-@end table
-
-@node steppingbro,
-@subsection stepping.bro
-
-@table @samp
-
-@code{step_log : file}
-@quotation
-Logs related to stepping-stone detection go in this file.
-@end quotation
-
-@code{display_pairs : table[addr, string] of connection}
-@quotation
-If <conn> was a login to <dst> propagating a $DISPLAY of <display>,
-then we make an entry of [<dst>, <display>] = <conn>.
-@end quotation
-
-@code{tag_to_conn_map : table[string] of connection}
-@quotation
-Maps login tags like "Last login ..." to connections.
-@end quotation
-
-@code{conn_tag_info : table[conn_id] of tag_info}
-@quotation
-A table, indexed by connection ID, of the @code{tag_info} related
-to it. Roughly, ``tag info'' consists of login strings like ``Last
-login'' and @code{$DISPLAY} variables. Since this information can stay
-constant across stepping stones, it is used to detect them.
-@end quotation
-
-@code{detected_stones : table[addr, port, addr, port, addr, port, addr, port] of count}
-@quotation
-Indexed by two pairs of connections: (addr,port)->(addr,port) and
-(addr,port)->(addr,port) that have been detected to be multiple links
-in a stepping stone chain. The table value is the ``score'' of the
-pair of connections; the higher the score, the more likely it is to be
-a real stepping stone pair. More points are assigned for a
-timing-based correlation than, say, a @code{$DISPLAY}-based correlation.
-@end quotation
-
-@code{did_stone_summary : table[addr, port, addr, port, addr, port, addr, port] of count}
-@quotation
-Basically tracks which suspected stepping stone connection pairs have had notices
-generated for them. See @code{detected_stones}  for the indexing scheme.
-@end quotation
-
-@code{stp_delta : interval}
-@quotation
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{stp_idle_min : interval}
-@quotation
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{stp_ratio_thresh : double}
-@quotation
-For timing correlations, the proportion of idle times that must match
-up for the correlation to be considered significant.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{stp_scale : double}
-@quotation
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{stp_common_host_thresh : count}
-@quotation
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{stp_random_pair_thresh : count}
-@quotation
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{stp_demux_disabled : count}
-@quotation
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{skip_clear_ssh_reports : set[addr, string]}
-@quotation
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@end table
-
-@node tftpbro,
-@subsection tftp.bro
-
-@table @samp
-
-@code{tftp_notice_count : table[addr] of count}
-@quotation
-Keeps track of the number of observed outbound TFTP connections from
-each host.
-@end quotation
-
-@end table
-
-@node udpbro,
-@subsection udp.bro
-
-@table @samp
-
-@code{udp_req_count : table[conn_id] of count}
-@quotation
-Keeps track of the number of UDP requests sent over each connection.
-@end quotation
-
-@code{udp_rep_count : table[conn_id] of count}
-@quotation
-@emph{Fixme: not really sure}
-@end quotation
-
-@code{udp_did_summary : table[conn_id] of count}
-@quotation
-Keeps track of which connections have been summarized/recorded
-@emph{Fixme: what is it really? do people use this?}
-@end quotation
-
-@end table
-
-@node weirdbro,
-@subsection weird.bro
-
-@table @samp
-
-@code{weird_log : file}
-@quotation
-Logs related to @code{weird}  (unexpected or inconsistent)
-traffic go in this file.
-@end quotation
-
-@code{weird_action : table[string] of WeirdAction}
-@quotation
-A table of what to do (a @code{WeirdAction} ) when faced with a
-particular ``weird'' scenario (the index). Example include logging to
-the special ``weird'' file or ignoring the condition.
-@end quotation
-
-@code{weird_action_filters : table[string] of function(c: connection): WeirdAction}
-@quotation
-If an entry exists in this table for a given weird situation, then the
-corresponding entry is used to determine what action to
-take; the default is to look in @code{weird_action}.
-@end quotation
-
-@code{weird_ignore_host : set[addr, string]}
-@quotation
-(host, weird condition) pairs in this set are ignored for the purposes
-of reporting.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@code{weird_do_not_ignore_repeats : set[string]}
-@quotation
-The included conditions are reported even if they are repeated.
-@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
-@end quotation
-
-@end table
-
-@node wormbro,
-@subsection worm.bro
-
-@table @samp
-
-@code{worm_log : file}
-@quotation
-The file into which worm-detection-related logs are written.
-@end quotation
-
-@code{worm_list : table[addr] of count}
-@quotation
-A table of infected hosts, indexed by the infected hosts'
-addresses. The value is how many times the instance has been seen
-sending packets.
-@end quotation
-
-@code{worm_type_list : table[addr, string] of count}
-@quotation
-A table of infected hosts, indexed by host address and type of
-worm. The value is how many times that particular worm has been seen
-on the host.
-@end quotation
-
-@end table
-
-@node Uncategorized,
-@subsection Uncategorized
-
-@emph{Fixme:  These need categorization. }
-
-@table @samp
-
-@code{bro_alarm_file : file}
-@quotation
-Used to record the messages logged by @code{alarm} statements.
-
-@cindex stderr
-@cindex alarm file
-Default: @emph{stderr}, unless you @code{@@load} the @code{alarm} analyzer;
-see @code{bro_alarm_file}  for further discussion.
-@end quotation
-
-@code{capture_filters : table[string] of string}
-@quotation
-Specifies what packets Bro's filter should record.
-@end quotation
-
-@code{direct_login_prompts : set[string]}
-@quotation
-Strings that when seen in a login dialog indicate that
-the user will be directly logged in after entering their username,
-without requiring a password. 
-@end quotation
-
-@code{discarder_maxlen : int}
-@quotation
-The maximum amount of data that Bro should pass to a TCP or UDP
-@emph{discarder}.
-@*Default: 128 bytes.
-@end quotation
-
-@code{done_with_network : bool}
-@quotation
-Set to true when Bro is done reading from the network (or from
-the save files being played back, per @ref{Playing back traces,play-back}).  The variable is set by a
-handler for @code{net_done}.
-@*Default: initially set to false.
-@end quotation
-
-@cindex network interfaces
-@cindex analysis, on-line
-@cindex on-line analysis
-
-@code{interfaces : string}
-@quotation
-A blank-separated list of network interfaces from which Bro should
-read network traffic.  Bro merges packets from the interfaces according
-to their timestamps.  @emph{Deficiency: All interfaces @emph{must} have the same link layer type. }
-
-If empty, then Bro does not read any network traffic, unless one
-or more interfaces are specified using the -i flag.
-
-@emph{Note:}  @code{interfaces} has an @code{&add_func} that allows you to add interfaces 
-to the list simply using a @code{+=} initialization refinement.
-
-@*Default: empty.
-@end quotation
-
-@cindex timer expiration
-@cindex expiration, timer
-
-@code{max_timer_expires : count}
-@quotation
-Sets an upper limit on how many pending timers Bro will expire per newly arriving packet.  If set to 0, then Bro expires all
-pending timers whose time has come or past.  This variable trades off
-timer accuracy and memory requirements (because a number of Bro's internal
-timers relate to expiring state) with potentially bursty load spikes due
-to a lot of timers expiring at the same time, which can trigger the
-watchdog, if active.
-@end quotation
-
-@code{restrict_filter : string}
-@quotation
-Restricts what packets Bro's filter should record.
-@end quotation
-
-@end table
-
-@cindex predefined variables
-
-@node Predefined Functions,
-@section Predefined Functions
-
-Bro provides a number of built-in functions:
-
-@cindex predefined functions
-
-@table @samp
-@cindex connection: testing for existence
-
-@code{active_connection (id: conn_id) : bool}
-@findex active_connection 
-@quotation
-Returns true if the given connection identifier (originator/responder
-addresses and ports) corresponds to a currently-active connection.
-@end quotation
-
-@code{active_file (f: file): bool}
-@quotation
-Returns true if the given @code{file} is open.
-@end quotation
-
-@code{add_interface (iold: string, inew: string): string}
-@quotation
-Used to refine the initialization of @code{interfaces}.  Meant
-for internal use, and as an example of refinement.
-@end quotation
-
-@code{add_tcpdump_filter (fold: string, fnew: string): string}
-@quotation
-Used to refine the initializations of  @code{capture_filters}
-and  @code{restrict_filters}.  Meant for internal use, and as an
-example of refinement.
-@end quotation
-
-@cindex alarms, control of
-@cindex logging, control of
-@code{alarm_hook (msg: string): bool}
-@quotation
-If you define this function, then Bro will call it with each string
-it is about to log in an alarm.  The function should return true if Bro should
-go ahead with the alarm, false otherwise.  See 
-for further discussion and an example.
-@end quotation
-
-@cindex strings, length
-@cindex length, of strings
-@code{byte_len (s: string): count}
-@quotation
-Returns the number of bytes in the given string.  This includes
-any embedded NULs, and also a trailing NUL, if any (which is why the
-function isn't called @emph{strlen}; to remind the user that Bro strings
-can include NULs).
-@end quotation
-
-@cindex strings, concatenation
-@cindex concatenation of strings
-@code{cat (args: any): string}
-@quotation
-Returns the concatenation of the string representation of its arguments,
-which can be of any type.  For example, @code{cat("foo", 3, T)} returns
-@code{"foo3T"}.
-@end quotation
-
-@cindex strings, cleaned up
-
-@code{clean (s: string): string}
-@quotation
-Returns a cleaned up version of @code{s}, meaning that:
-@cindex NUL
-@cindex DEL
-@cindex delete character
-@quotation
-@itemize @bullet
-@item 
-embedded NULs become the text ``@code{\0}''
-
-@item 
-embedded DELs (delete characters) become the text ``@code{^?}''
-
-@item 
-ASCII ``control'' characters with code <= 26 become the
-text ``@code{^}@emph{Letter}'', where @emph{Letter} is
-the corresponding (upper case) control character; for example,
-ASCII 2 becomes ``@code{^B}''
-
-@item 
-ASCII ``control'' characters with codes between 26 and 32 (non-inclusive)
-become the text ``@code{\x}@emph{hex-code}''; for example,
-ASCII 31 becomes ``@code{\x1f}''
-
-@item 
-if the string does not yet have a trailing NUL, one is added.
-@end itemize
-@end quotation
-@end quotation
-
-@code{close (f: file): bool}
-@quotation
-Flushes any buffered output for the given file and closes it.
-Returns true if the file was open, false if already closed or
-never opened.
-@end quotation
-
-@code{connection_record (id: conn_id): connection}
-@quotation
-Returns the @code{connection} record corresponding to the non-existing connection id if not a known connection.
-@emph{Note: If the connection does not exist, then exits with a fatal run-time error. }
-
-@emph{Deficiency: If Bro had an exception mechanism, then we could avoid the fatal run-time error, and likewise could get rid of @code{active_connection} . }
-@end quotation
-
-@code{contains_string (big: string, little: string): bool}
-@quotation
-Returns true if the string @code{little} occurs somewhere within
-@code{big}, false otherwise.
-@end quotation
-
-@cindex time, clock
-@cindex clock time
-@code{current_time (): time}
-@quotation
-Returns the current clock time.  You will usually instead want to
-use @code{network_time}.
-@end quotation
-
-@code{discarder_check_icmp (i: ip_hdr, ih: icmp_hdr): bool}
-@quotation
-Not documented.
-@end quotation
-
-@code{discarder_check_ip (i: ip_hdr): bool}
-@quotation
-Not documented.
-@end quotation
-
-@code{discarder_check_tcp (i: ip_hdr, t: tcp_hdr, d: string): bool}
-@quotation
-Not documented.
-@end quotation
-
-@code{discarder_check_udp (i: ip_hdr, u: udp_hdr, d: string): bool}
-@quotation
-Not documented.
-@end quotation
-
-@cindex line editing
-@cindex editing
-@cindex backspace character
-@cindex DEL
-@cindex BS
-@code{edit (s: string, edit_char: string): string}
-@quotation
-Returns a version of @code{s} assuming that @code{edit_char} is the ``backspace''
-character (usually @code{"\x08"} for backspace or @code{"\x7f"} for DEL).
-For example, @code{edit("hello there", "e")} returns @code{"llo t"}.
-
-@code{edit_char} must be a string of exactly one character, or Bro generates
-a run-time error and uses the first character in the string.
-
-@emph{Deficiency: To do a proper job, edit should also know about delete-word and delete-line editing; and it would be very convenient if it could do multiple types of edits all in one shot, rather than requiring separate invocations. }
-@end quotation
-
-@code{exit (): int}
-@quotation
-Exits Bro with a status of 0.
-
-@emph{Deficiency: This function should probably allow you to specify the exit status. }
-
-@emph{Note: If you invoke this function, then the usual cleanup functions  
-@code{net_done} and @code{bro_done} are NOT invoked. 
-There probably should be an additional ``@code{shutdown}'' function that provides for cleaner termination.  }
-@end quotation
-
-@code{flush_all (): bool}
-@quotation
-Flushes all open files to disk.
-@end quotation
-
-@cindex formatting text
-@cindex text, formatting
-@cindex string, formatting
-@cindex width, of formatted strings
-@cindex precision, of formatted strings
-@cindex format, width
-@cindex format, precision
-
-@code{fmt (args: any): string}
-@quotation
-Performs @emph{sprintf}-style formatting.  The first argument gives
-the format specifier to which the remaining arguments are formatted,
-left-to-right.  As with @emph{sprintf}, the format for each argument
-is introduced using ``%'', and
-formats beginning with a positive integer @emph{m} specify
-that the given field should have a width of @emph{m} characters.  Fields
-with fewer characters are right-padded with blanks up to this width.
-
-A format specifier of ``@code{.$n}'' (coming after @code{m}, if present)
-instructs @code{fmt} to use a precision of @emph{n} digits.  You can
-only specify a precision for the @code{e}, @code{f} or @code{g}
-formats.
-(@code{fmt} generates a run-time error if either @emph{m} or @emph{n} exceeds 127.)
-
-The different format specifiers are:
-
-@table @samp
-
-@item %
-A literal percent-sign character.
-
-@item @code{D} 
-Format as a date.  Valid only for values of type @code{time}.
-
-The exact format is
-@emph{yy}--@emph{mm}--@emph{dd}--@emph{hh}:@emph{mm}:@emph{ss}
-for the local time zone, per @emph{strftime}.
-
-@cindex little endian
-@cindex big endian
-@cindex endian issues
-@cindex host order (vs. network order)
-@cindex network order (vs. host order)
-@cindex integers, network vs. host order
-
-@item @code{d} 
-Format as an integer.  Valid for types @code{bool},
-@code{count}, @code{int}, @code{ port}, @code{addr}, and @code{net},
-with the latter three being converted from network order to
-host order prior to formatting.  @code{bool} values of true format
-as the number 1, and false as 0.
-
-@item @code{e, f, g}
-Format as a floating point value.
-Valid for types @code{double}, @code{time}, and @code{interval}.
-The formatting is the same as for @emph{printf}, including
-the field width @emph{m} and precision @emph{n}.
-
-@end table
-
-Given no arguments, @code{fmt} returns an empty string.
-
-Given a non-string first argument, @code{fmt} returns the concatenation of
-all its arguments, per @code{cat}.
-
-Finally, given the wrong number of additional arguments for the given
-format specifier, @code{fmt} generates a run-time error.
-@end quotation
-
-@cindex authentication dialog
-@cindex state, of a Telnet/Rlogin session
-@cindex Telnet, session state
-@cindex Rlogin, session state
-@cindex login session, state
-
-@code{get_login_state (c: conn_id): count}
-@quotation
-Returns the state of the given login (Telnet or Rlogin) connection,
-one of:
-
-@table @samp
-
-@item @code{LOGIN_STATE_AUTHENTICATE}
-The connection is in its initial authentication dialog.
-
-@item @code{LOGIN_STATE_LOGGED_IN}
-The analyzer believes the user has successfully authenticated.
-
-@item @code{LOGIN_STATE_SKIP}
-The analyzer has skipped any further processing of the connection.
-
-@item @code{LOGIN_STATE_CONFUSED}
-The analyzer has concluded that it does not correctly know the
-state of the connection, and/or the username associated with it.
-
-@end table
-@end quotation
-
-@code{connection_id} is not a known login connection
-or a run-time error and a value of @code{LOGIN_STATE_AUTHENTICATE}
-if the connection is not a login connection.
-
-@cindex sequence numbers, connection originator
-@cindex connection, sequence numbers
-@code{get_orig_seq (c: conn_id): count}
-@quotation
-Returns the highest sequence number sent by a connection's originator,
-or 0 if there's no such TCP connection.  Sequence numbers are absolute
-(i.e., they reflect the values seen directly in packet headers; they are
-not relative to the beginning of the connection).
-@end quotation
-
-@cindex sequence numbers, connection responder
-@cindex connection, sequence numbers
-@code{get_resp_seq (c: conn_id): count}
-@quotation
-Returns the highest sequence number sent by a connection's responder,
-or 0 if there's no such TCP connection.
-@end quotation
-
-@cindex environment, accessing
-@code{getenv (var: string): string}
-@quotation
-Looks up the given environment variable and returns its value,
-or an empty string if it is not defined.
-@end quotation
-
-@cindex ports, TCP vs. UDP
-@cindex TCP vs. UDP ports
-@code{is_tcp_port (p: port): bool}
-@quotation
-Returns true if the given @code{port} value corresponds to a TCP port,
-false otherwise (i.e., it belongs to a UDP port).
-@end quotation
-
-@cindex length, of table or set
-@cindex size, of table or set
-@cindex number of elements, in table or set
-@cindex table size
-@cindex set size
-@code{length (args: any): count}
-@quotation
-Returns the number of elements in its argument, which must be of
-type @code{table} or @code{set}.  If not exactly one argument is
-specified, or if the argument is not a table or a set, then generates
-a run-time message and returns 0.
-
-@cindex union type, need for
-@cindex any type, replacing with union type
-
-@emph{Deficiency: If Bro had a union type, then we could get rid of the magic ``@code{args: any}'' specification and catch parameter 
-mismatches at compile-time instead of run-time. }
-@end quotation
-
-@cindex log file
-@cindex name, of log file
-@code{log_file_name (tag: string): string}
-@quotation
-Returns a name for a log file (such as @code{weird} or @code{conn} )
-in a standard form.  The form depends on whether $BRO_LOG_SUFFIX is set.
-If so, then the format is ``@code{<}@emph{tag}@code{>.<\$BRO_LOG_SUFFIX>}''.  Otherwise,
-it is simply @code{tag}.
-@end quotation
-
-@cindex masking
-@cindex address masking
-@cindex CIDR
-@cindex subnets
-@code{mask_addr (a: addr, top_bits_to_keep: count): addr}
-@quotation
-Returns the address @code{a} masked down to the number of upper bits
-indicated by @code{top_bits_to_keep}, which must be greater than 0 and
-less than 33.  For example, @code{mask_addr(1.2.3.4, 18)} returns
-@code{1.2.0.0}, and @code{mask_addr(1.2.255.4, 18)} returns
-@code{1.2.192.0}.
-
-Compare with @code{to_net}.
-@end quotation
-
-@cindex maximum
-@code{max_count (a: count, b: count): count}
-@quotation
-Returns the larger of @code{a} or @code{b}.
-@end quotation
-
-@code{max_double (a: double, b: double): double}
-@quotation
-Returns the larger of @code{a} or @code{b}.
-@end quotation
-
-@code{max_interval (a: interval, b: interval): interval}
-@quotation
-Returns the larger of @code{a} or @code{b}.
-
-@cindex polymorphic functions, need for
-@emph{Deficiency: If Bro supported polymorphic functions, then this function could be merged with its predecessors, gaining simplicity and clarity. }
-@end quotation
-
-@cindex minimum
-@code{min_count (a: count, b: count): count}
-@quotation
-Returns the smaller of @code{a} or @code{b}.
-@end quotation
-
-@code{min_double (a: double, b: double): double}
-@quotation
-Returns the smaller of @code{a} or @code{b}.
-@end quotation
-
-
-@code{min_interval (a: interval, b: interval): interval}
-@quotation
-Returns the smaller of @code{a} or @code{b}.
-
-@cindex polymorphic functions, need for
-@emph{Deficiency: If Bro supported polymorphic functions, then this function could be merged with its predecessors, gaining simplicity and clarity. }
-@end quotation
-
-@cindex directories, creating
-@cindex creating directories
-@code{mkdir (f: string): bool}
-@quotation
-Creates a directory with the given name, if it does not already exist.
-Returns true upon success, false (with a run-time message) if
-unsuccessful.
-@end quotation
-
-@cindex time, clock
-@cindex time, packet
-@cindex clock time
-@cindex packets, time
-@cindex scripting, general
-@cindex general scripting
-@code{network_time (): time}
-@quotation
-Returns the timestamp of the most recently read packet, whether read
-from a live network interface or from a save file.
-Compare against @code{current_time}.  In general, you should use
-@code{network_time} unless you're using Bro for non-networking uses
-(such as general scripting;
-not particularly recommended), because otherwise your script may
-behave very differently on live traffic versus played-back traffic
-from a save file.
-@end quotation
-
-@cindex files, opening
-@cindex opening a file
-@code{open (f: string): file}
-@quotation
-Opens the given filename for write access.  Creates the file if it
-does not already exist.  Generates a run-time error if the file
-cannot be opened/created.
-@end quotation
-
-@cindex files, appending
-@cindex files, opening
-@cindex appending to a file
-@cindex opening a file
-@code{open_for_append (f: string): file}
-@quotation
-Opens the given filename for append access.  Creates the file if it
-does not already exist.  Generates a run-time error if the file
-cannot be opened/created.
-@end quotation
-
-@code{open_log_file (tag: string): file}
-@quotation
-Opens a log file associated with the given tag, using a filename
-format as returned by .
-@end quotation
-
-@cindex record, ftp_port
-@code{parse_ftp_pasv (s: string): ftp_port}
-@quotation
-Parses the server's reply to an FTP @code{PASV} command to extract the
-IP address and port number indicated by the server.  The values
-are returned in an @code{ftp_port} record, which has three
-fields: @code{h}, the address (@emph{h} is mnemonic for @emph{host});
-@code{p}, the (TCP) port; and @code{valid}, a boolean that is true
-if the server's reply was in the required format, false if not,
-or if any of the individual values (or the indicated port number)
-are out of range.
-@end quotation
-
-@cindex record, ftp_port
-@code{parse_ftp_port (s: string): ftp_port}
-@quotation
-Parses the argument included in a client's FTP @code{PORT} request to
-extract the IP address and port number indicated by the server.  The values
-are returned in an @code{ftp_port}, which has three fields, as
-indicated in the discussion of @code{parse_ftp_pasv}.
-@end quotation
-
-
-@cindex live traffic
-@cindex recorded traffic
-@cindex traffic, live vs. recorded
-@cindex analysis, on-line
-@cindex on-line analysis
-@cindex analysis, off-line
-@cindex off-line analysis
-
-@code{reading_live_traffic (): bool}
-@quotation
-Returns true if Bro was invoked to read live network traffic (from
-one or more network interfaces, per ), false
-if it's reading from save files being played back .
-
-@emph{Note: This function returns true even after Bro has stopped reading network traffic, for example due to receiving a termination signal. }
-
-@end quotation
-
-@code{set_buf (f: file, buffered: bool)}
-@quotation
-Specifies that writing to the given file should either be fully
-buffered (if @code{buffered} is true), or line-buffered (if false).
-Does not return a value.
-@end quotation
-
-@code{set_contents_file (c: conn_id, direction: count, f: file): bool}
-@quotation
-Specifies that the traffic stream of the given connection in the given
-direction should be recorded to the given file.  @code{direction} is one of
-the values given in the table below.
-
-@float Table, Directions
-@multitable  @columnfractions .25 .6 
-@item @strong{Direction} @tab @strong{Meaning}
-@item @code{CONTENTS_NONE}
-@tab Stop recording the connection's content
-@item @code{CONTENTS_ORIG}
-@tab Record the data sent by the connection originator (often the client).
-@item @code{CONTENTS_RESP}
-@tab Record the data sent by the connection responder (often the server).
-@item @code{CONTENTS_BOTH}
-@tab Record the data sent in both directions.
-@end multitable
-@caption{Different types of directions for @code{set_contents} file}
-@end float
-@*
-
-
-@emph{Note: CONTENTS_BOTH results in the two directions being intermixed in the file, in the order the data was seen by Bro. }
-
-@emph{Note: The data recorded to the file reflects the byte stream, not the contents of individual packets.  Reordering and duplicates are removed.  If any data is missing, the recording stops at the missing data; see @code{ack_above_hole} for how this can happen. }
-
-@emph{Deficiency: Bro begins recording the traffic stream starting with new traffic it sees.  Experience has shown it would be highly handy if Bro could record the entire connection to the file, including previously seen traffic.  In principle, this is possible if Bro is recording the traffic to a 
-save file , which a separate utility program could then read to extract the stream. }
-
-Returns true upon success, false upon an error.
-@end quotation
-
-@cindex authentication dialog
-@cindex state, of a Telnet/Rlogin session
-@cindex Telnet, session state
-@cindex Rlogin, session state
-@cindex login session, state
-
-@code{set_login_state (c: conn_id, new_state: count): bool}
-@quotation
-Manually sets the state of the given login (Telnet or Rlogin) connection
-to @code{new_state}, which should be one of the values described
-in .
-
-Generates a run-time error and returns false
-if the connection is not a login connection.  Otherwise, returns true.
-@end quotation
-
-@cindex packets, recording
-@cindex recording packets
-@cindex save file, control over what's recorded
-@cindex write file, control over what's recorded
-@cindex trace file, control over what's recorded
-
-@code{set_record_packets (c: conn_id, do_record: bool): bool}
-@quotation
-Controls whether Bro should or should not record the packets corresponding
-to the given connection to the save file , if any.
-
-Returns true upon success, false upon an error.
-@end quotation
-
-@cindex avoiding processing
-@cindex processing, avoiding
-@cindex shedding load
-@cindex load, shedding
-
-@code{skip_further_processing (c: conn_id): bool}
-@quotation
-Informs bro that it should skip any further processing of the contents
-of the given connection.  In particular, Bro will refrain from reassembling
-the TCP byte stream and from generating events relating to any analyzers
-that have been processing the connection.  Bro will still generate
-connection-oriented events such as @code{connection_finished} .
-
-This function provides a way to shed some load in order to reduce
-the computational burden placed on the monitor.
-
-Returns true upon success, false upon an error.
-@end quotation
-
-@cindex string, extraction
-@cindex substrings
-
-@code{sub_bytes (s: string, start: count, n: count): string}
-@quotation
-Returns a copy of @code{n} bytes from the given string, starting at position
-@code{start}.  The beginning of a string corresponds to position 1.
-
-If @code{start} is 0 or exceeds the length of the string, returns
-an empty string.
-
-If the string does not have @code{n} characters from @code{start} to
-its end, then returns the characters from @code{start} to the end.
-@end quotation
-
-@cindex command shell
-@cindex Bourne shell
-@cindex shell escape
-@cindex scripts, running
-@cindex executables, running
-@cindex running outside scripts or executables
-
-@code{system (s: string): int}
-@quotation
-Runs the given string as a @emph{sh} command (via C's @emph{system} call).
-
-@emph{Note: The command is run in the background with stdout redirected to stderr. }
-
-Returns the return value from the @emph{system} call.  @emph{Note: This corresponds to the status of backgrounding the given command, NOT to the exit status of the command itself. }  
-A value of 127 corresponds
-to a failure to execute @emph{sh}, and -1 to an internal system failure.
-@end quotation
-
-@code{to_lower (s: string): string}
-@quotation
-Returns a copy of the given string with the uppercase letters
-(as indicated by @emph{isascii} and @emph{isupper})
-folded to lowercase (via @emph{tolower}).
-@end quotation
-
-@cindex masking
-@cindex address masking
-@cindex CIDR
-@cindex subnets
-@cindex prefixes, network
-@cindex network prefixes
-
-@code{to_net (a: addr): net}
-@quotation
-Returns the network prefix historically associated with the given
-address.  That is, if @code{a}'s leading octet is less than 128,
-then returns
-@code{<}@emph{a}@code{>}@emph{/8};
-if between 128 and 191, inclusive, then
-@code{<}@emph{a}@code{>}@emph{/16};
-if between 192 and 223, then
-@code{<}@emph{a}@code{>}@emph{/24};
-and, otherwise,
-@code{<}@emph{a}@code{>}@emph{/32}.
-See the discussion of the  type for more about network prefixes.
-
-Generates a run-time error and returns @code{0.0.0.0} 
-if the address is IPv6.
-
-@emph{Note: Such network prefixes have become obsolete with the advent of CIDR; still, for some sites they prove useful because they correspond to existing address allocations. }
-
-Compare with @code{mask_addr}.
-@end quotation
-
-@code{to_upper s: string): string}
-@quotation
-Returns a copy of the given string with the lowercase letters
-(as indicated by @emph{isascii} and @emph{islower})
-folded to uppercase (via @emph{toupper}).
-@end quotation
-
-@end table
-
-@menu
-* Run-time errors for non-existing connections::  
-* Run-time errors for strings with NULs::  
-* Functions for manipulating strings::	
-* Functions for manipulating time::  
-@end menu
-
-@node Run-time errors for non-existing connections,
-@subsection Run-time errors for non-existing connections
-
-@cindex connection, non-existing
-
-Note that for all functions that take a @code{conn_id} argument
-except @code{active-connection}, Bro generates a run-time
-error and returns false if the given connection does not exist.
-
-@cindex NULs, disallowed in certain function calls
-@cindex NULs, termination
-@cindex strings, termination with NULs
-@cindex NULs, allowed in strings
-
-@node Run-time errors for strings with NULs,
-@subsection Run-time errors for strings with NULs
-
-While Bro allows NULs embedded within strings,
-for many of the predefined functions, their presence spells trouble,
-particularly when the string is being passed to a C run-time function.
-The same holds for strings that are @emph{not} NUL-terminated.  Because
-Bro string constants and values returned by Bro functions that construct
-strings such as @code{fmt} and @code{cat} are all NUL-terminated, such strings
-will not ordinarily arise; but their presence could indicate an attacker
-attempting to manipulate either a TCP endpoint, or the monitor itself,
-into misinterpreting a string they're sending.
-
-In general, any of the functions above that are passed a string argument
-will check for the presence of an embedded NUL or the lack of a terminating
-NUL.  If either occurs, they generate a run-time message, and the
-string is transformed into the value
-@code{"<string-with-NUL>"}.
-
-There are three exceptions: @code{clean}, @code{byte_len}, and
-@code{sub_bytes}.  These functions do not complain about embedded
-NULs or lack of trailing NULs.
-
-@node Functions for manipulating strings,
-@subsection Functions for manipulating strings
-
-@emph{Fixme: Missing}
-
-@node Functions for manipulating time,
-@subsection Functions for manipulating time
-
-@emph{Fixme: Missing}
-
-@cindex predefined functions
-
diff --git a/doc/ref-manual/references.texi b/doc/ref-manual/references.texi
deleted file mode 100644
index 760f8368f4..0000000000
--- a/doc/ref-manual/references.texi
+++ /dev/null
@@ -1,122 +0,0 @@
-@node References
-@chapter References
-
-
-@itemize
-@item [RFC2373] R. Hinden and S. Deering, IP Version 6 Addressing Architecture,
-RFC-2373, Jul. 1998.
-
-@item [MJ93] S. McCanne and V. Jacobson,
-The BSD Packet Filter:  A New Architecture for User-level Packet Capture,
-Proc.1993 Winter USENIX Conference, San Diego, CA.
-
-@item [MLJ94] S. McCanne, C. Leres and V. Jacobson,
-libpcap, available via anonymous ftp from @uref{http://www.tcpdump.org}, 1994.
-
-@item [Pa98] V. Paxson,
-Bro: A System for Detecting Network Intruders in Real-Time,
-Proc. 7th USENIX Security Symposium, Jan. 1998.
-
-@item [Pa99]
-V. Paxson, Bro: A System for Detecting Network Intruders
-in Real-Time, Computer Networks: special issue on intrusion detection,
-31(23--24), pp. 2435-2463, Dec. 1999.
-
-@item [PN98] T. Ptacek and T. Newsham,
-Insertion, Evasion, and Denial of Service: Eluding Network
-Intrusion Detection, Secure Networks, Inc.,
-@uref{http://www.aciri.org/vern/Ptacek-Newsham-Evasion-98.ps},
-Jan. 1998.
-
-@item [RFC791] J. Postel, Internet Protocol, RFC-791, Sep. 1981.
-
-@item [RFC793] J. Postel, Transmission Control Protocol,
-RFC-793, Sep. 1981.
-
-@item [RFC854] J. Postel and J. Reynolds,
-Telnet Protocol Specification, May 1983.
-
-@item [RFC855] J. Postel and J. Reynolds,
-Telnet Option Specifications, RFC-855, May 1983.
-
-@item [RFC959] J. Postel and J. Reynolds, File Transfer Protocol (FTP),
-RFC-959, Oct. 1985.
-
-@item [RFC1013] R. Scheifler,
-X Window System Protocol, version 11: Alpha update,
-RFC-1013, Apr. 1987.
-
-@item [RFC1094] Sun Microsystems,
-NFS: Network File System Protocol specification,
-RFC-1094, Mar. 1989.
-
-@item [RFC1122] B. Braden,
-Requirements for Internet hosts - communication layers,
-RFC-1122, Oct. 1989.
-
-@item [RFC1282] B. Kantor, BSD Rlogin, RFC-1282, Dec. 1991.
-
-@item [RFC1288] D. Zimmerman,
-The Finger User Information Protocol, RFC-1288, Dec. 1991.
-
-@item [RFC1413] M. St. Johns, Identification Protocol, RFC-1413, Jan. 1993.
-
-@item [RFC1644] B. Braden,
-T/TCP -- TCP Extensions for Transactions Functional Specification,
-RFC-1644, Jul. 1994.
-
-@item [RFC1813] B. Callaghan, B. Pawlowski, P. Staubach,
-NFS Version 3 Protocol Specification,
-RFC-1813, June 1995.
-
-@item [RFC1831] R. Srinivasan, 
-RPC: Remote Procedure Call Protocol Specification Version 2,
-RFC-1831, Aug. 1995.
-
-@item [RFC1832] R. Srinivasan, XDR: External Data Representation Standard,
-RFC-1832, Aug. 1995.
-
-@item [RFC1939] J. Myers and M. Rose, Post Office Protocol - Version 3,
-RFC-1939, May 1996.
-
-@item [RFC1945] T. Berners-Lee, R. Fielding and H. Frystyk,
-Hypertext Transfer Protocol -- HTTP/1.0,
-RFC-1945, May 1996.
-
-@item [RFC2616] J. Mogul, H. Frystyk, L. Masinter, P. Leach, T. Berners-Lee,
-Hypertext Transfer Protocol -- HTTP/1.1,
-RFC-2626, Jun. 1999.
-
-@item [YKSRL00] T. Ylonen, T. Kivinen, M. Saarinen, T. Rinne and S. Lehtinen,
-SSH Connection Protocol, Internet Draft
-draft-ietf-secsh-connect-07.txt, May 2000.
-
-@item [SSLv2] Kipp E.B. Hickman, 
-The SSL Protocol, Netscape Communications Corp.
-@emph{http://wp.netscape.com/eng/security/SSL_2.html}, February 1995.
-
-@item [SSLv30] Alan O. Freier, Philip Karlton, Paul C. Kocher,
-The SSL Protocol Version 3.0, Internet Draft
-@emph{draft-freier-ssl-version3-02.txt}, November 1996.
-
-@item [TLSv1] T. Dierks, C. Allen,
-`` The TLS Protocol Version 1.0,'' RFC-2246, January 1999.
-
-@item [SSL-FIPS] Nelson Bolyard, Wan-Teh Chang,
-FIPS SSL CipherSuites,
-@uref{http://www.mozilla.org/projects/security/pki/nss/ssl/fips-ssl-ciphersuites.html}, June 2001.
-
-@item [SSL-AES] P. Chown, 
-Advanced Encryption Standard (AES) Ciphersuites for Transport 
-Layer Security (TLS), RFC-3268, June 2002.
-
-@item [TLS-56] John Banes, Richard Harrington,
-56-bit Export Cipher Suites For TLS, Internet Draft
-@emph{draft-ietf-tls-56-bit-ciphersuites-00.txt}, April 1999.
-
-@item [X509] R. Housley, W. Polk, W. Ford, D. Solo,
-Internet X.509 Public Key Infrastructure Certificate and 
-Certificate Revocation List (CRL) Profile,
-RFC-3280, June 2002.
-
-@end itemize
diff --git a/doc/ref-manual/signatures.texi b/doc/ref-manual/signatures.texi
deleted file mode 100644
index 50ee0d3b08..0000000000
--- a/doc/ref-manual/signatures.texi
+++ /dev/null
@@ -1,295 +0,0 @@
-
-@node Signatures
-@chapter Signatures
-
-@menu
-* Overview::			
-* Signature language::		
-* snort2bro::			
-@end menu
-
-@node Overview,
-@section Overview
-
-In addition to the policy language, Bro provides another language which is
-specifically designed to define @emph{signatures}. Signatures precisely describe
-how network traffic looks for certain, well-known attacks. As soon as a attack
-described by a signature is recognized, Bro may generate an event for this
-@emph{signature match} which can then be analyzed by a policy script.
-To define signatures, Bro's language provides several powerful constructs like
-regular expressions @ and dependencies between multiple
-signatures.
-
-Signatures are independent of Bro's policy scripts and, therefore, are put
-into their own file(s). There two ways to specify which files contain
-signatures: By using the @code{-s} flag when you invoke Bro, or by extending
-the Bro variable @code{signatures_files} using the @code{+=} operator.
-If a signature file is given without a path, it is searched along
-. The default extension of the file name is @code{.sig} 
-which Bro appends automatically.
-
-@node Signature language,
-@section Signature language
-
-Each individual signature has the format 
-
-@quotation
-@code{signature @emph{id} @{ @emph{attribute-set} @} }
-@end quotation
-
-@code{id} is an unique label for the signature. There are two types of
-attributes: @emph{conditions} and @emph{actions}. The conditions define
-@emph{when} the signature matches, while the actions declare @emph{what to do} in the case of a match. Conditions can be further divided into
-four types: @emph{header}, @emph{content}, @emph{dependency}, and 
-@emph{context}. We will discuss these in more detail in the following
-subsections.
-
-This is an example of a signature:
-
-@example
-signature formmail-cve-1999-0172 @{
-  ip-proto == tcp
-  dst-ip == 1.2.0.0/16
-  dst-port = 80
-  http /.*formmail.*\?.*recipient=[^&]*[;|]/
-  event "formmail shell command"
-  @}
-@end example
-
-@menu
-* Conditions::			
-* Actions::			
-@end menu
-
-@node Conditions,
-@subsection Conditions
-
-@menu
-* Header conditions::		
-* Content conditions::		
-* Dependency conditions::	
-* Context conditions::		
-@end menu
-
-@node Header conditions,
-@subsubsection Header conditions
-
-Header conditions limit the applicability of the signature to a subset of
-traffic that contains matching packet headers. For TCP, this match is
-performed only for the first packet of a connection. For other protocols, it
-is done on each individual packet. There are pre-defined header conditions for
-some of the most used header fields:
-
-@table @samp
-
-@item @emph{address-list}
-Destination address of IP packet (may include CIDR masks for specifying networks)
-
-@item @emph{integer-list} 
-Destination port of TCP or UDP packet
-
-@item @emph{protocol-list}
-IP protocol; @emph{protocol} may be @code{tcp}, @code{udp}, or @code{icmp}.
-
-@item @emph{address-list} 
-Source address of IP packet (may include CIDR masks for specifying networks)
-
-@item @emph{integer-list} 
-Source port of TCP or UDP packet
-@end table
-
-@emph{comp} is one of @code{==}, @code{!=}, @code{<},
-@code{<=}, @code{>}, @code{>=}. All lists are comma-separated values of
-the given type which are sequentially compared against the corresponding
-header field. If at least one of the comparisons evaluates to true, the whole
-header condition matches (exception: if @emph{comp} is @code{!=}, the header
-condition only matches if @emph{all} values differ). @emph{address} is an
-dotted IP address optionally followed by a CIDR/mask to define a subnet
-instead of an individual address. @emph{protocol} is either one of @code{ip},
-@code{tcp}, @code{udp} and @code{icmp}, or an integer.
-
-In addition to this pre-defined short-cuts, a general header condition can be
-defined either as
-
-@quotation
-@code{header @emph{proto}[@emph{offset}:@emph{size}] @emph{comp} @emph{value-list}}
-@end quotation
-
-or as
-
-@quotation
-@code{header @emph{proto}[@emph{offset}:@emph{size}] & @emph{integer} @emph{comp} @emph{value-list}}
-@end quotation
-
-This compares the value found at the given position of the packet header with
-a list of values. @emph{offset} defines the position of the value within
-the header of the protocol defined by @emph{proto} (which can @code{ip}, @code{tcp},
-@code{udp} or@code{icmp}. @emph{size} is either 1, 2, or 4 and specifies the
-value to have a size of this many bytes. If the optimal
-@code{& @emph{integer}} is given, the packet's value is first masked
-with the @emph{integer} before it is compared to the value-list. @emph{comp}
-is one of @code{==}, @code{!=}, @code{<},
-@code{<=}, @code{>}, @code{>=}. @emph{value-list} is a list of
-comma-separated integers similar to those described above. The integers within
-the list may be followed by an additional @code{/@emph{mask}} where
-@emph{mask} is a value from 0 to 32. This corresponds to the CIDR notation
-for netmasks and is translated into a corresponding bitmask which is applied
-to the packet's value prior to the comparison (similar to the optional
-@code{& @emph{integer}}).
-
-Putting all together, this is an example which is equivalent to
-@code{dst-ip == 1.2.3.4/16, 5.6.7.8/24}:
-
-@quotation
-@code{header ip[16:4] == 1.2.3.4/16, 5.6.7.8/24}
-@end quotation 
-
-@node Content conditions,
-@subsubsection Content conditions
-
-Content conditions are defined by regular expressions. We differentiate two
-kinds of content conditions: first, the expression may be declared with the
-@code{payload} statement, in which case it is matched against the raw
-payload of a connection (for reassembled TCP streams) or of a each packet.
-Alternatively, it may be prefixed with an analyzer-specific label, in which
-case the expression is matched against the data as extracted by the
-corresponding analyzer.
-
-A @code{payload} condition has the form
-
-@quotation
-@code{payload /@emph{regular expression}/}
-@end quotation 
-
-Currently, the following analyzer-specific content conditions are defined (note that
-the corresponding analyzer has to be activated by loading its policy script):
-
-@table @samp
-
-@item @code{http-request @emph{/regular expression/}}
-The regular expression is matched against decoded URIs of the HTTP requests.
-
-@item @code{http-request-header @emph{/regular expression/} }
-The regular expression is matched against client-side HTTP headers.
-
-@item  @code{http-reply-header @emph{/regular expression/} }
-The regular expression is matched against server-side HTTP headers.
-
-@item @code{ftp @emph{/regular expression/} }   
-The regular expression is matched against the command line input of 
-FTP sessions.
-
-@item @code{finger @emph{/regular expression/}}
-The regular expression is matched against the finger requests.
-@end table
-
-For example, @code{http /(etc/(passwd|shadow)/} matches any URI
-containing either @code{etc/passwd} or @code{etc/shadow}.
-
-@node Dependency conditions,
-@subsubsection Dependency conditions
-
-To define dependencies between different signatures, there are two conditions:
-
-@table @samp
-
-@item requires-signature [! @emph{id}]
-Defines the current signature to match only if the signature given by @emph{id}
-matches for the same connection. Using `@code{!}' negates the
-condition: The current signature only matches if @emph{id} does not
-match for the same connection (this decision is necessarily deferred until
-the connection terminates).
-
-@item  requires-reverse-signature [! @emph{id}]
-Similar to @code{requires-signature}, but @emph{id} has to match for the
-other direction of the same connections than the current signature.
-This allows to model the notion of requests and replies.
-@end table
-
-@node Context conditions,
-@subsubsection Context conditions
-
-Context conditions pass the match decision on to various other components of
-Bro. They are only evaluated if all other conditions have already matched. The
-following context conditions are defined:
-
-@table @samp
-
-@item @code{eval @emph{policy function}}
-The given policy function is called and has to return a boolean
-indicating the match result. The function has to be of the type
-@code{function cond(state: signature_state): bool}. See
-\f@{fig:signature-state@} for the definition of @code{signature_state}.
-
-@float Figure, signature-state
-@example
-type signature_state: record @{
-    id: string;          # ID of the signature
-    conn: connection;    # Current connection
-    is_orig: bool;       # True if current endpoint is originator
-    payload_size: count; # Payload size of the first pkt of curr. endpoint
-    @};
-@end example
-@caption{Definition of the @code{signature_state} record}
-@end float
-
-@item @code{ip-options}
-Not implemented currently.
-
-@item @code{payload-size @emph{comp_integer}}
-Compares the integer to the size of the payload of a packet. For
-reassembled TCP streams, the integer is compared to the size of
-the first in-order payload chunk. Note that the latter is not well defined.
-
-@item @code{same-ip }
-Evaluates to true if the source address of the IP packets equals its
-destination address.
-
-@item @code{tcp-state @emph{state-list}}
-Poses restrictions on the current TCP state of the connection.
-@emph{state-list} is a comma-separated list of @code{established}
-(the three-way handshake has already been performed),
-@code{originator} (the current data is send by the originator of the
-connection), and @code{responder} (the current data is send by the
-responder of the connection).
-
-@end table
-
-@node Actions,
-@subsection Actions
-
-Actions define what to do if a signature matches. Currently, there is only one 
-action defined: @code{event @emph{string}} raises a @code{signature_match}
-event. The event handler has the following type: 
-
-@quotation
-@code{event signature_match(state: signature_state, msg: string, data: string)}
-@end quotation
-
-See \f@{fig:signature-state@} for a description of @code{signature_state}. The given string
-is passed as @code{msg}, and data is the current part of the payload that
-has eventually lead to the signature match (this may be empty for signatures without
-content conditions).
-
-@node snort2bro,
-@section snort2bro
-
-The open-source IDS Snort provides an extensive library of signatures.
-The Python script @{snort2bro@} converts Snort's signature into Bro signatures.
-Due to different internal architectures  of Bro and Snort, it is not always
-possible to keep the exact semantics of Snort's signatures, but most of the
-time it works very well.
-
-To convert Snort signatures into Bro's format, @code{snort2bro} needs a
-workable Snort configuration file (@code{snort.cfg}) which, in particular,
-defines the variables used in the Snort signatures (usually things like
-@code{$EXTERNAL_NET} or @code{$HTTP_SERVERS}). The conversion is
-performed by calling @code{snort2bro [-I @emph{dir}] snort.cfg} where the
-directory optionally given by @code{-I} contains the files imported by
-Snort's @code{include} statement. The converted signature set is written to
-standard output and may be redirected to a file. This file can then be
-evaluated by Bro using the @code{-s} flag or the @code{signatures_files}
-variable.
-
-@emph{Deficiency:@code{snort2bro} does not know about some of the newer Snort signature options and ignores them (but it gives a warning).}
-
diff --git a/doc/ref-manual/started.texi b/doc/ref-manual/started.texi
deleted file mode 100644
index 2f3d996e70..0000000000
--- a/doc/ref-manual/started.texi
+++ /dev/null
@@ -1,868 +0,0 @@
-
-@node Getting Started
-@chapter Getting Started
-
-
-This chapter gives an overview of how to get started with operating Bro:
-@emph{(i)} compiling it, @emph{(ii)} running it interactively, on live
-network traffic, and on recorded traces, @emph{(iii)} how Bro locates the
-policy files it should evaluate and how to modify them, @emph{(iv)} the
-arguments you can give it to control its operation, and @emph{(v)} some
-helper utilities also distributed with Bro that you'll often find handy.
-
-@menu
-* Running Bro::			
-* Helper utilities::		
-@end menu
-
-@node Running Bro,
-@section Running Bro
-
-@cindex running Bro
-@cindex Bro, running
-
-This section discusses how to build and install Bro, running it interactively
-(mostly useful for building up familiarity with the policy language, not
-for traffic analysis), running it on live and recorded network traffic,
-modifying Bro policy scripts, and the different run-time flags.
-
-@menu
-* Building and installing Bro::	 
-* Using Bro interactively::	
-* Specifying policy scripts::	
-* Running Bro on network traffic::  
-* Modifying Bro policy::	
-* Bro flags and run-time environment::	
-@end menu
-
-@node Building and installing Bro,
-@subsection Building and installing Bro
-
-@cindex Bro, installing
-@cindex building Bro
-@cindex compiling Bro
-
-@menu
-* Supported platforms::		
-* Bro source code distribution::  
-* Installing Bro::		
-* Tuning BPF::			
-@end menu
-
-@node  Supported platforms,
-@subsubsection  Supported platforms 
-
-@cindex Unix support
-@cindex Windows, not supported
-@cindex NT, not supported
-
-Bro builds on a number of types of Unix: @emph{ FreeBSD, Solaris, Linux}, though not all versions.  It does @emph{not}
-build under non-Unix operating systems such as Windows NT.
-
-@node  Bro source code distribution,
-@subsubsection  The Bro source code distribution 
-
-@cindex source code, for Bro
-@cindex Bro, source code
-@cindex Bro, web page
-
-You can get the latest public release of Bro from the Bro web page,
-@url{http://www.bro-ids.org/}.
-Bro is distributed as a @emph{gzip}'d Unix @emph{tar} archive, which
-you can unpack using:
-@quotation
-@code{gzcat +@emph{tar-file} | tar xf -}
-@end quotation
-or, on some Unix systems:
-@quotation
-@code{+tar zxf +@emph{tar-file}}
-@end quotation
-This creates a subdirectory
-@code{+bro-+@emph{XXX}+-+@emph{version}},
-where @emph{XXX} is a tag such as pub for public releases and
-priv for private releases, and @emph{version} reflects a version
-and possibly a subversion, such as @code{0.8a20} for version
-@emph{0.8} and subversion @emph{a20}.
-
-To build Bro, change to the Bro directory and enter:
-@quotation
-@noindent ./configure @* make 
-@end quotation
-
-Bro configuration is described in the 
-@uref{http://www.bro-ids.org/User-Manual, User Manual}
-
-@node  Installing Bro,
-@subsubsection  Installing Bro 
-
-@cindex installing Bro
-
-You install Bro by issuing:
-@quotation
-@noindent @code{make install}
-@end quotation
-
-@node  Tuning BPF,
-@subsubsection  Tuning BPF 
-
-@cindex Bro, system configuration
-@cindex system configuration
-@cindex optimizing your system for Bro
-@cindex BPF (Berkeley Packet Filter), tuning
-
-Bro is written using @command{libpcap}, the portable packet-capture
-library available from
-@code{ftp://ftp.ee.lbl.gov/libpcap.tar.Z}.  While
-@emph{libpcap} knows how to use a wide range of Unix packet filters, it
-far and away performs most efficiently used in conjunction with the Berkeley
-Packet Filter (BPF) and with BPF descendants (such as the Digital Unix
-packet filter).  Although BPF is available from
-@code{ftp://ftp.ee.lbl.gov/bpf.tar.Z}, installing
-it involves modifying your kernel, and perhaps requires significant porting
-work.  However, it comes as part of several operating systems, such as
-FreeBSD, NetBSD, and OpenBSD.
-
-For BPF systems, you should be aware of the following tuning and
-configuration issues:
-@table @samp
-
-@item BPF kernel support
-You need to make sure that kernel support for BPF is enabled.  In addition,
-some systems default to configuring kernel support for only one BPF device.
-This often proves to be a headache because it means you cannot run more
-than one Bro at a time, nor can you run it at the same time as
-
-@item /dev/bpf devices
-@cindex dev/bpf
-  
-Related to the
-previous item, on BPF systems access to the packet filter is via special
-@emph{/dev/bpf} devices, such as @emph{/dev/bpf0}.  Just as you need to
-make sure that the kernel's configuration supports multiple BPF devices,
-so to must you make sure that an equal number of device files reside in
-@emph{/dev/}.
-
-@item packet filter permissions
-@cindex packet filter, permissions
-@cindex packet filter, access
-@cindex root, Bro not running as
-@cindex Bro, not running as root
-On systems for which access to the packet filter is via the file system,
-you should consider whether you want to only allow root access, or instead
-create a Unix @emph{group} for which you enable read access to
-the device file(s).  The latter allows you to run Bro as a user other
-than root, which is @emph{strongly recommended}!
-
-@item large BPF buffers
-@cindex BPF buffers, ensuring they are large
-@cindex large BPF buffers
-@cindex buffers, large for BPF
-While running with BPF is often necessary for high performance, it's not
-necessarily sufficient.  By default, BPF programs use very modest kernel
-buffers for storing packets, which leads to high context switch overhead
-as the kernel very often has to deliver packets to the user-level Bro
-process.  Minimizing the overhead requires increasing the buffer sizes.
-This can make a @emph{large} difference!
-
-Under FreeBSD, the configuration variable to increase is
-@code{debug.bpf_bufsize}, which you can set via @emph{sysctl}.  We
-recommend creating a script run at boot-up time that increases it
-from its small default value to something on the order of 100 KB--2 MB,
-depending on how fast (heavily loaded) is the link being monitored,
-and how much physical memory the monitor machine has at its disposal.
-
-@cindex libpcap buffer size patch
-@emph{libpcap buffer size patch}:
-@emph{Important note}:  some versions of  have
-internal code that limits the maximum buffer size to 32 KB.  For
-these systems, you should apply the patch included in the Bro distribution
-in the file @code{libpcap.patch}.
-
-Finally, once you have increased the buffer sizes, you should @emph{check}
-that running Bro does indeed consume the amount of kernel memory you
-expect.  You can do this under FreeBSD using @emph{vmstat -m} and
-searching in the output for the summary of BPF memory.  You should find
-that the @emph{MemUse} statistic goes up by twice the buffer size for
-every concurrent Bro or @command{tcpdump} you run.@footnote{Providing
-that these programs have been recompiled with the corrected @emph{libpcap}
-noted above.}  The reason the increase is by twice the buffer size is
-because Bro uses double-buffering to avoid dropping packets when the
-buffer fills up.
-@end table
-
-@node Using Bro interactively,
-@subsection Using Bro interactively
-
-@cindex Bro, interactive use
-
-Once you've built Bro, you can run it interactively to try out simple
-facets of the policy language.  Note that in this mode, Bro is @emph{not}
-reading network traffic, so you cannot do any traffic analysis; this mode
-is simply to try out Bro language features.
-
-You run Bro interactively by simply executing ``bro'' without
-any arguments.  It then reads from @emph{stdin} and writes to @emph{stdout}.
-
-Try typing the following to it:
-@quotation
-@noindent @code{print "hello, world";}  @*
-@noindent @code{^D} @emph{(i.e., end of file)}
-@end quotation
-(The end-of-file is critical to remember.  It's also a bit annoying for
-interactive evaluation, but reflects the fact that Bro is not actually
-meant for interactive use, it simply works as a side-effect of Bro's
-structure.)
-
-Bro will respond by printing:
-@quotation
-@noindent hello, world
-@end quotation
-to @emph{stdout} and exiting.
-
-You can further declare variables and print expressions, for example:
-@example
-    global a = telnet;
-    print a, a > ftp;
-    print www.microsoft.com;
-@end example
-
-will print
-@example
-    23/tcp, T
-    207.46.230.229, 207.46.230.219, 207.46.230.218
-@end example
-(FIXME: this example needs to be updated. Format has changed.)
-
-where 23/tcp reflects the fact that telnet is a predefined
-variable whose value is TCP port 23, which is larger than TCP port 21
-(i.e., ftp); and the DNS name @emph{www.microsoft.com} currently
-returns the above three addresses.
-
-You can also define functions:
-@example
-    function top18bits(a: addr): addr
-        @{
-        return mask_addr(a, 18);
-        @}
-
-    print top18bits(128.3.211.7);
-@end example
-
-prints
-@example
-    128.3.192.0
-@end example
-
-and even event handlers:
-@example
-    event bro_done()
-        @{
-        print "all done!";
-        @}
-@end example
-
-which prints ``all done!'' when Bro exits.
-
-@node Specifying policy scripts,
-@subsection Specifying policy scripts
-
-Usually, rather than running Bro interactively you want it to execute
-a policy script or a set of policy scripts.  You do so by specifying
-the names of the scripts as command-line arguments, such as:
-@example
-    bro ~/my-policy.bro ~/my-additional-policy.bro
-@end example
-
-Bro provides several mechanisms for simplifying how you specify which
-policies to run.
-
-First, if a policy file doesn't exist then it will
-try again using .bro as a suffix, so the above could be specified as:
-@example
-    bro ~/my-policy ~/my-additional-policy
-@end example
-
-Second, Bro consults the colon-separated search path 
-to locate policy scripts.  If your home directory was listed in $BROPATH,
-then you could have invoked it above using:
-@example
-    bro my-policy my-additional-policy
-@end example
-
-@emph{Note:}  If you define $BROPATH, you @emph{must} include @emph{bro-dir}/policy, where @emph{bro-dir} is where you have built or installed Bro, because it has to be able to locate @emph{bro-dir}/policy/bro.init to initialize itself at run-time. 
-
-Third, the @code{@@load} directive can be used in a policy script to indicate the
-Bro should at that point process another policy script (like C's include
-directive; see ).  So you could have in @emph{my-policy}:
-@example
-    @@load my-additional-policy
-@end example
-
-and then just invoke Bro using:
-@example
-    bro my-policy
-@end example
-
-providing you @emph{always} want to load @emph{my-additional-policy}
-whenever you load @emph{my-policy}.
-
-Note that the predefined Bro module @code{brolite} loads almost
-all of the other standard Bro analyzers, so you can pull them in
-with simply:
-@example
-    @@load brolite
-@end example
-
-or by invoking Bro using ``@command{bro brolite @emph{my-policy}}''.
-
-@node Running Bro on network traffic,
-@subsection Running Bro on network traffic
-
-There are two ways to run Bro on network traffic: on traffic captured
-live by the network interface(s), and on traffic previously recorded
-using the @code{-w} flag of @code{tcpdump} or Bro itself.
-
-@menu
-* Live traffic::		
-* Traffic traces::		
-@end menu
-
-@node Live traffic,
-@subsubsection Live traffic
-@cindex network interfaces
-@cindex analysis, on-line
-@cindex on-line analysis
-
-Bro reads live traffic from the local network interface whenever you
-specify the @code{-i}  flag.  As mentioned below, you can specify
-multiple instances to read from multiple interfaces simultaneously,
-however the interfaces must all be of the same link type (e.g., you
-can't mix reading from a Fast Ethernet with reading from an FDDI link,
-though you can mix a 10 Mbps Ethernet interface with a 100 Mbps Ethernet).
-
-In addition, Bro will read live traffic from the interface(s) listed in
-the @code{interfaces} variable, @emph{unless} you specify
-the @code{-r} flag (and do not specify @code{-i}).  So, for
-example, if your policy script contains:
-@example
-    const interfaces += "sk0";
-    const interfaces += "sk1";
-@end example
-
-then Bro will read from the @emph{sk0} and @emph{sk1} interfaces,
-and you don't need to specify @code{-i}.
-
-@node Traffic traces,
-@subsubsection Traffic traces
-
-@cindex analysis, off-line
-@cindex off-line analysis
-
-To run on recorded traffic, you use the @code{-r} flag to indicate
-the trace file Bro should read.  As with @code{-i}, you can use the
-flag multiple times to read from multiple files; Bro will merge the packets
-from the files into a single packet stream based on their timestamps.
-
-The Bro distribution includes an example trace that you can try out,
-@emph{example.ftp-attack.trace}.  If you invoke Bro using:
-@example
-    bro -r example.ftp-attack.trace brolite
-@end example
-
-you'll see that it generates a connection summary to @emph{stdout},
-a summary of the FTP sessions to ftp.example, a copy of what
-would have been real-time alarms had Bro been running on live traffic
-to @code{alarm.example}, and a summary of unusual traffic anomalies (none in
-this trace) to @code{weird.example}.
-
-@node Modifying Bro policy,
-@subsection Modifying Bro policy
-
-One way to alter the policy Bro executes is of course to directly
-edit the scripts.  When this can be avoided, however, that is preferred,
-and Bro provides a pair of related mechanisms to help you specify
-@emph{refinements} to existing policies in separate files.
-
-The first such mechanism is that you can define @emph{multiple}
-handlers for a given event.  So, for example, even though the standard
-@command{ftp} analyzer (@code{@emph{bro-dir}/policy/ftp.bro})
-defines a handler for @code{ftp.request}, you can define another handler
-if you wish in your own policy script, even if that policy script loads
-(perhaps indirectly, via the @code{brolite} module) the @code{ftp} analyzer.
-When the event engine generates an ftp_request event, @emph{both}
-handlers will be invoked.  
-
-@emph{Deficiency: Presently, you do not have control over the order in which they are invoked; you also cannot completely override one handler with another, preventing the first from being invoked. }
-
-Second, the standard policy scripts are often written in terms of
-@emph{redefinable} variables.  For example, @code{ftp.bro} contains
-a variable @code{ftp_guest_ids} that defines a list of usernames
-the analyzer will consider to reflect guest accounts:
-@example
-    const ftp_guest_ids = @{ "anonymous", "ftp", "guest", @} &redef;
-@end example
-
-While ``@code{const}'' marks this variables as constant at run-time,
-the attribute ``@code{&redef}'' specifies that its value can be
-redefined.
-
-For example, in your own script you could have:
-@example
-    redef ftp_guest_ids = @{ "anonymous", "guest", "visitor", "student" @};
-@end example
-
-instead.  (Note the use of ``redef'' rather than ``const'',
-to indicate that you realize you are redefining an existing variable.)
-
-In addition, for most types of variables you can specify @emph{incremental}
-changes to the variable, either new elements to add or old ones to
-subtract.  For example, you could instead express the above as:
-@example
-    redef ftp_guest_ids += @{ "visitor", "student" @};
-    redef ftp_guest_ids -= "ftp";
-@end example
-
-The potential advantage of incremental refinements such as these are that
-if any @emph{other} changes are made to ftp.bro's original definition,
-your script will automatically inherit them, rather than replacing them
-if you used the first definition above (which explicitly lists all four
-names to include in the variable).  Sometimes, however, you don't want this
-form of inheriting later changes; you need to decide on a case-by-case
-basis, though our experience is that generally the incremental approach
-works best.
-
-Finally, the use of @emph{prefixes} provides a way
-to specify a whole set of policy scripts to load in a particular context.
-For example, if you set @code{$BRO_PREFIXES} to ``dialup'',
-then a load of @code{ftp.bro} will @emph{also} load dialup.ftp.bro
-automatically (if it exists).  See @ref{Run-time environment} for further discussion.
-
-@node Bro flags and run-time environment,
-@subsection Bro flags and run-time environment
-
-@menu
-* Flags::			
-* Run-time environment::	
-@end menu
-
-@node Flags,
-@subsubsection Flags
-
-@cindex command line options
-
-When invoking Bro, you can control its behavior using a large number of
-flags and arguments. Most options can be specified using either a more
-readable long version (starting with two dashes), or a more compact but
-sometimes less intuitive short version (single dash followed by a single
-letter).  Arguments can be provided after whitespace (i.e., ``@command{-r file.pcap}''
-or ``@command{--readfile file.pcap}'') and also using an equation mark
-when the long version is used (i.e., ``@command{--readfile=file.pcap}'').
-Single-letter flags without arguments can be combined into a single option
-element (i.e., ``-dWF'' is the same as ``-d -W -F'').
-
-@table @samp
-@c
-@c Note: the @*s are to provide consistent spacing between the items in HTML
-@c       output. Better solutions welcome. --cpk
-@c
-@item @code{-d|--debug-policy}
-Activates policy file debugging. See @ref{Interactive Debugger} for details.
-@cindex debugging, policy scripts
-@*
-
-@item @code{-e|--exec <Bro statements>}
-Adds the given Bro policy statements to the loaded policy.  Use for
-manual @ref{Refinement, refinement}, or for verifying the resulting value of a
-given variable.  Note that you can omit trailing semi-colons.
-@*
-
-@item @code{-f|--filter filter}
-Use @emph{filter} as the @command{tcpdump} filter for
-capturing packets, rather than the combination of 
-and @code{restrict_filter}, or the default of ``tcp or udp'' .
-@*
-
-@item @code{-h|--help|-?}
-Generate a help message summarizing Bro's options and environment variables,
-and exit.
-@cindex help message
-@cindex Bro, usage
-@cindex usage message
-@*
-
-@item @code{-g|--dump-config}
-Writes out the current configuration into the persistent state directory
-configured through the @code{state_dir} variable, defined in
-@ref{Bro init file, bro.init} and subject to @ref{Refinement, refinement}.
-@cindex persistent state
-@cindex configuration, dumping to directory
-@*
-
-@item @code{-i|--iface <interface>}
-Add @emph{interface} to the list of interfaces from which Bro should
-read @ref{Live traffic, network traffic}.  You can use this flag
-multiple times to direct Bro to read from multiple interfaces.
-You can also, or in addition, use refinements of the 
-variable to specify interfaces.
-
-Note that if no interfaces are specified, then Bro will not read
-any network traffic.  It does @emph{not} have a notion of a ``default''
-interface from which to read.
-@cindex network interfaces
-@cindex analysis, on-line
-@cindex on-line analysis
-@*
-
-@item @code{-p|--prefix <prefix>}
-Add @emph{prefix} to the list of prefixes searched by Bro when loading
-a script.  You can also, or in addition, use @emph{prefix} to specify search
-prefixes.  See @ref{use of prefixes, prefixes} for discussion.
-@cindex prefixes
-@*
-
-@item @code{-r|--readfile <readfile>}
-Add @emph{readfile} to the list of @command{tcpdump}
-save files that Bro should read.  You can use this flag multiple times to
-direct Bro to read from multiple save files; it will merge the packets
-read from the different files based on their timestamps.  Note that if
-the save files contain only packet headers and not contents, then of
-course Bro's analysis of them will be limited.
-
-Note that use of @code{-r} is @emph{mutually exclusive} with use of @code{-i}.
-However, you can use @code{-r} when running scripts that refine
-@code{interfaces}, in which case the -r option takes precedence
-and Bro performs off-line analysis.
-@cindex trace file, reading
-@cindex save file, reading
-@cindex analysis, off-line
-@cindex off-line analysis
-@cindex reading tcpdump files 
-@*
-
-@item @code{-s|--rulefile <signaturefile>}
-Add @emph{signaturefile} to the list of files containing signatures to match
-against the network traffic. See @ref{Signatures} for more information.
-@*
-
-@item @code{-t|--tracefile <tracefile>}
-Enables tracing of Bro script execution. See @ref{Execution tracing}.
-@cindex tracing
-@cindex execution tracing
-@*
-
-@item @code{-w|--writefile <writefile>}
-Write a @command{tcpdump} save file to the file
-@emph{writefile}.  Bro will record all of the packets it captures,
-including their contents, except as controlled by calls to @command{set_record_packets}.
-@cindex trace file, writing
-@cindex save file, writing
-@cindex writing tcpdump files 
-@cindex HTTP packets, contents not being recorded
-@cindex SYN control packet
-@cindex FIN control packet
-@cindex RST control packet
-@cindex TCP control packets (SYN/FIN/RST)
-@cindex control packets (SYN/FIN/RST)
-@cindex packets, control (SYN/FIN/RST)
-@emph{Note:}  One exception is that unless you are analyzing HTTP events (for example, by loading the @ ref@code{http} analyzer), 
-Bro does @emph{not} record the @emph{contents} of HTTP SYN/FIN/RST packets to the trace file.  
-The reason for this is that HTTP FIN packets often contain a large amount of data, which is not of any interest if you are not using HTTP analysis, 
-and due to the very high volume of HTTP traffic at many sites, removing this data can significantly reduce the size of the save file. @emph{Deficiency: Clearly, this should not be hardwired into Bro but under user control. }
-
-Save files written using @code{-w} are of course readable using @code{-r}.
-Accordingly, you will generally want to use @code{-w} when running Bro on
-live network traffic so you can rerun it off-line later to understand
-any problems that arise, and also to experiment with the effects of changes
-to the policy scripts.
-
-You can also combine @code{-r} with @code{-w} to both read a save file(s) and
-write another.  This is of interest when using multiple instances of
-@code{-r}, as it provides a way to merge @command{tcpdump}
-save files.
-@*
-
-@item @code{-v|--version}
-@cindex version message
-@cindex Bro, version
-Print the version of Bro and exit.
-@*
-
-@item @code{-x|--print-state <Bro state file>}
-Reads the contents of the specified Bro state file, prints them to the
-console, and exits.
-@*
-
-@item @code{-z|--analyze <analysis>}
-Runs the specified analyzer over the configured policy. See @ref{Policy analyzers}.
-@cindex policy analysis
-@*
-
-@item @code{-A|--transfile <writefile>}
-Write transformed trace to the @command{tcpdump} file given. See @ref{Trace rewriting}.
-@*
-
-@item @code{-C|--no-checksums}
-Incorrect IP, TCP, or UDP checksums normally trigger different variants of
-@code{net_weird} and @code{conn_weird} events (see also @ref{Events handled by net_weird},
-@ref{Events handled by conn_weird}, and @ref{weird variables}). This flag causes
-Bro to ignore incorrect checksums.
-@cindex checksums, disabling checks
-@*
-
-@item @code{-D|--dfa-size <size>}
-Sets the cache size of deterministic finite automata (used extensively for
-@ref{Signatures, signatures}) to the given number of entries. The default is
-10,000.
-@*
-
-@item @code{-F|--force-dns}
-@cindex DNS!Bro's private cache, forcing access to
-@cindex forcing access to Bro's private DNS cache
-@cindex Bro, private caches
-Instructs Bro that it @emph{must} resolve all hostnames out of its
-private DNS cache.  If the script refers to a hostname
-not in the cache, then Bro @emph{exits} with a fatal error.
-
-@cindex checkpointing Bro
-@cindex Bro, checkpointing
-The point behind this option is to ensure that Bro starts quickly, rather
-than possibly stalling for an undetermined amount of time resolving a
-hostname.  Fast startup simplifies checkpointing a running Bro---you can
-start up a new Bro and then killing off the old one shortly after.
-You'd like this to occur in a manner such that there's no period during
-which neither Bro is watching the network (the older because you killed
-it off too early, the newer because it's stuck resolving hostnames).
-@*
-
-@item @code{-I|--print-id <name>}
-Looks up the variable identified by ``name'' in the global scope
-(see @ref{Scope}) and prints it to the console.
-@*
-
-@item @code{-K|--md5-hashkey <hashkey>}
-Allows you to specify a fixed seed for MD5 initialization. MD5 is used
-by default for hashing elements in the Bro core, and by default some
-randomness is gathered at Bro startup before PRNG initialization.
-@*
-
-@emph{Note:  This means that by default repeated runs of Bro on identical
-inputs do @strong{not} necessarily yield identical output. If you want
-to ensure determinism, use the @code{--save-seeds} and @code{--load-seeds}
-options.}
-@cindex determinism
-@cindex indeterminism
-@cindex hashing, keys
-@*
-
-@item @code{-L|--rule-benchmark}
-See @ref{Rule benchmarking}.
-@*
-
-@item @code{-O|--optimize}
-@cindex optimizer for policy script interpreter
-@cindex policy script interpreter, optimizer
-@cindex Bro, optimizer
-Turns on Bro's optimizer for improving its internal representation
-of the policy script.  @emph{Note:}  Currently, the amount of improvement is modest, and there's (as always) a risk of an optimizer bug introducing errors into the execution of the script, so the optimizer is not enabled by default. 
-@*
-
-@item @code{-P|--prime-dns}
-@cindex caches, Bro's private ones
-@cindex Bro, private caches
-@cindex priming Bro's private DNS cache
-Instructs Bro to @emph{prime} its private DNS cache.
-It does so by parsing the policy scripts, but not executing them.
-Bro looks up each hostname's address(es) and records them in the private
-cache.  The idea is that once @command{bro -P} finishes, you can then use
-@command{bro -F} to start up Bro quickly because it will read all the
-information it needs from the cache.
-@*
-
-@c EventPlayer's class definition in Serializer.h says it's not currently
-@c usable, so -R is left out for now. --cpk
-@c 
-@c @item @code{-R|--replay <events file>}
-
-@item @code{-S|--debug-rules}
-Prints debugging output for the rules used in signature matching. See also
-@ref{Signatures}.
-@cindex signature debugging
-@*
-
-@item @code{-T|--re-level <level>}
-Sets the level in the tree of rules at which regular expressions are
-built. Default is 4.
-@*
-
-@item @code{-W|--watchdog}
-@cindex Bro, wedging
-@cindex watchdog
-@cindex Bro, watchdog
-@cindex Bro, execution aborted
-@cindex aborted execution
-Instructs Bro to activate its internal @emph{watchdog}.  The watchdog
-provides self-monitoring to enable Bro to detect if its processing is
-wedged.
-
-Bro only activates the watchdog if it is reading live network traffic.
-The watchdog consists of a periodic timer that fires every
-@code{WATCHDOG_INTERVAL} seconds.  (@emph{Deficiency:clearly this should be a user-definable value.})  At that point, the watchdog checks
-to see whether Bro is still working on the same packet as it was the last
-time the watchdog expired.  If so, then the watchdog logs this fact along
-with some information regarding when Bro began processing the current
-packet and how many events it processed after handling the packet.  Finally,
-it prints the packet drop information for the different interfaces Bro
-was reading from, and aborts execution.
-@*
-
-@item @code{--save-seeds <file>}
-Writes the seeds used for initializing the PRNGs in Bro to the given
-file. This can be combined with @code{-K|--md5-hashkey}, and is intended
-to be used with @code{--load-seeds} in future Bro runs.
-@cindex determinism
-@cindex indeterminism
-@cindex seeding Bro
-@*
-
-@item @code{--save-seeds <file>}
-Seeds the PRNGs in Bro using a file produced by @code{--save-seeds}
-in an earlier Bro invocation.
-@cindex determinism
-@cindex indeterminism
-@cindex seeding Bro
-@*
-
-@end table
-
-@node Run-time environment,
-@subsubsection Run-time environment
-
-Bro is also sensitive to the following environment variables:
-@table @samp
-
-@item $BROPATH
-@cindex search path
-@cindex Bro, search path
-@cindex policy directories
-@cindex usr/local/lib/bro/usr/local/lib/bro/ policy directory
-@cindex policy/ policy directory
-@cindex policy/local/local/ policy directory
-A colon-separated list of directories that Bro searches whenever
-you load a policy file.  It loads the first instance it finds (though
-see $BRO_PREFIXES for how a single load can lead to Bro loading
-multiple files).
-
-Default: if you don't set this variable, then Bro uses the path
-@example
-    .:policy:policy/local:/usr/local/lib/bro
-@end example
-
-That is, the current directory, any @emph{policy/} and @emph{policy/local/}
-subdirectories, and @emph{/usr/local/lib/bro/}.
-
-@item $BRO_PREFIXES
-@cindex prefixes
-@cindex bro suffix.bro suffix
-A colon-separate lists of @emph{prefixes} that Bro should apply to
-each name in a @code{@@load} directive.  For a given prefix and load-name, Bro
-constructs the filename:
-@quotation
-@emph{prefix}.@emph{load-name}.bro
-@end quotation
-(where it doesn't add .bro if @emph{load-name} already ends in
-.bro).  It then searches for the filename using $BROPATH
-and loads it if its found.  Furthermore, it @emph{repeats} this process
-for all of the other prefixes (left-to-right), and loads @emph{each}
-file it finds for the different prefixes.  @emph{Note:}  Bro @emph{also} first attempts to load the filename without any prefix at all. If this load fails, then Bro exits with an error complaining that it can't open the given @code{@@load} file.
-
-For example, if you set $BRO_PREFIXES to:
-@example
-    mysite:mysite.wan
-@end example
-
-and then issue ``@command{@@load ftp}'', Bro will attempt to load each of the
-following scripts in the following order:
-@example
-    ftp.bro
-    mysite.ftp.bro
-    mysite.wan.ftp.bro
-@end example
-
-Default: if you don't specify a value for $BRO_PREFIXES, it defaults
-to empty, and for the example above Bro would only attempt to @command{@@load ftp.bro}.
-
-@end table
-
-@node Helper utilities,
-@section Helper utilities
-
-@menu
-* Scripts::			
-* hf utility::	
-* cf utility::	
-@end menu
-
-@node Scripts,
-@subsection Scripts
-
-Documentation missing.
-
-@node hf utility,
-@subsection The @code{hf} utility
-
-@cindex hostnames, mapping addresses to
-@cindex addresses, mapping to hostnames
-@cindex dotted quads
-The @emph{hf} utility reads text on @emph{stdin} and attempts to convert any
-``dotted quads'' it sees to hostnames.  It is very convenient for running
-on Bro log files to generate human-readable forms.  See the manual page
-included with the distribution for details.
-
-@node cf utility,
-@subsection The @code{cf} utility
-
-@cindex timestamps, mapping to readable form
-@cindex Unix timestamps
-The @emph{cf} utility reads Unix timestamps at the beginning of lines on
-@emph{stdin} and converts them to human-readable form.  For example,
-for the input line:
-@example
-972499885.784104 #26 131.243.70.68/1899 > 64.55.26.206/ftp start
-@end example
-
-it will generate:
-@example
-Oct 25 11:51:25 #26 131.243.70.68/1899 > 64.55.26.206/ftp start
-@end example
-
-It takes two flags:
-@table @samp
-
-@item -l
-specifies the @emph{long} human-readable form, which includes the year.
-For example, on the above input, the output would instead be:
-@example
-Oct 25 11:51:25 2000 #26 131.243.70.68/1899 > 64.55.26.206/ftp start
-@end example
-
-@item -s
-specifies @emph{strict} checking to ensure that the number at the beginning
-of a line is a plausible timestamp: it must have at least 9 digits, at most
-one decimal, and must have a decimal if there are 10 or more digits.
-
-Without -s, an input like:
-@example
-131.243.70.68 > 64.55.26.206
-@end example
-
-generates the output:
-@example
-Dec 31 16:02:11 > 64.55.26.206
-@end example
-
-which, needless to say, is not very helpful.  
-
-@emph{Deficiency: It seems clear that -s should be the default behavior. }
-
-@end table
-
diff --git a/doc/ref-manual/stmts.texi b/doc/ref-manual/stmts.texi
deleted file mode 100644
index c09e9a8b16..0000000000
--- a/doc/ref-manual/stmts.texi
+++ /dev/null
@@ -1,773 +0,0 @@
-
-@node Statements and Expressions
-@chapter Statements and Expressions
-
-You express Bro's analysis of network traffic using @emph{event handlers},
-which, as discussed in XX,
-are essentially subroutines written in Bro's policy scripting
-language.  In this chapter we discuss the different types of statements
-and expressions available for expressing event handlers and the auxiliary
-functions they use.
-
-@menu
-* Statements::			
-* Expressions::			
-@end menu
-
-@node Statements,
-@section Statements
-
-@cindex statements
-Bro functions and event handlers are written in an imperative style, and
-the statements available for doing so are similar to those provided in C.
-@cindex statements, semi-colon termination
-@cindex semi-colon statement termination
-@cindex statements, multi-line
-@cindex whitespace, in statements
-As in C, statements are terminated with a semi-colon.  There are no
-restrictions on how many lines a statement can span.  Whitespace can appear
-between any of the syntactic components in a statement, and its presence
-always serves as a separator (that is, a single syntactic component cannot
-in general contain embedded whitespace, unless it is escaped in some form,
-such as appearing inside a string literal).
-
-Bro provides the following types of statements:
-
-@command{expression}
-@cindex expression
-@quotation
-Syntax:
-@quotation
-@emph{expr} ;
-@end quotation
-As in C, an expression by itself can also be used as a statement.
-For example, assignments, calling functions, and scheduling
-timers are all expressions; they also are often used as statements.
-@end quotation
-
-@command{print}
-@cindex print statement
-@quotation
-Syntax:
-@quotation
-print @emph{file} @emph{expr-list} ;
-@end quotation
-The expressions are converted to a list of strings, which are then
-printed as a comma-separated list.  If the first expression is of
-type , then the other expressions are printed to
-the corresponding file; otherwise they're written to
-@cindex stdout
-@emph{stdout}.
-
-For control over how the strings are formatted, see the @code{fmt}
-function.
-@end quotation
-
-@command{alarm}
-@cindex alarm statement
-@quotation
-Syntax:
-@quotation
-alarm @emph{expr-list} ;
-@end quotation
-The expressions are converted to a list of strings, which are then
-logged as a comma-separated list.  ``Logging'' means recording the
-values to @file{bro-alarm-file}.  In addition, if Bro is reading
-@cindex live traffic
-@cindex traffic, live vs. recorded
-@emph{live} network traffic (as opposed to from a trace file), then
-the messages are also reported via
-@cindex syslog
-@emph{syslog(3)} at level
-@emph{LOG_NOTICE}.  If the message does not already
-include a timestamp, one is added.
-
-See the @code{alarm}  module for a discussion of controlling logging
-behavior from your policy script.  In particular, an important feature of
-the @code{alarm} statement is that prior to logging the giving string(s),
-Bro first invokes @command{alarm-hook} to determine whether to suppress
-the logging.
-@end quotation
-
-@command{event}
-@cindex event statement
-@quotation
-Syntax:
-@quotation
-event @emph{expr} ( @emph{expr-list*} ) ;
-@end quotation
-Evaluates @emph{expr} to obtain an event handler and queues an event
-for it with the value corresponding to the optional comma-separated
-list of values given by @emph{expr-list}.
-
-@emph{Note:}  @code{event} statements look syntactically just like function calls, other than the 
-keyword ``@code{event}''.  However, @command{function-call-expr}, while queueing an event is not, since it does not return a value. 
-@end quotation
-
-@command{if}
-@cindex if statement
-@quotation
-Syntax:
-@quotation
-if ( @emph{expr} ) @emph{stmt}  @*
-if ( @emph{expr} ) @emph{stmt} else @emph{stmt2}
-@end quotation
-Evaluates @emph{expr}, which must yield a @command{bool} value.  If true,
-executes @emph{stmt}.  For the second form, if false, executes @emph{stmt2}.
-@end quotation
-
-@command{for}
-@cindex for statement
-@quotation
-Syntax:
-@quotation
-for ( @emph{var} in @emph{expr} ) @emph{stmt} 
-@end quotation
-Iterates over the indices of @emph{expr}, which must evaluate to either
-a @code{set} or a @code{table}.  For each iteration, @emph{var} is
-set to one of the indices and @emph{stmt} is executed.  @emph{var} needn't
-have been previously declared (in which case its type is implicitly inferred
-from that of the indices of @emph{expr}), and must not be a global variable.
-
-If @emph{expr} is a @code{set}, then the indices correspond to the
-members of the set.  If @emph{expr} is a @code{table}, then they correspond
-to the indices of the table.
-
-@emph{Deficiency: You can only use @code{for} statements to iterate over sets and tables with a single, non-compound index type.  You can't iterate over multi-dimensional or compound indices. }
-
-@emph{Deficiency: Bro lacks ways of controlling the order in which it iterates over the indices. }
-@end quotation
-
-@command{next}
-@cindex next statement
-@quotation
-Syntax:
-@quotation
-next ;  
-@end quotation
-Only valid within a @code{for} statement.  When executed, causes the
-loop to proceed to the next iteration value (i.e., the next index value).
-@end quotation
-
-@command{break}
-@cindex break statement
-@quotation
-Syntax:
-@quotation
-break ;  
-@end quotation
-Only valid within a @code{for} statement.  When executed, causes the
-loop to immediately exit.
-@end quotation
-
-@command{return}
-@cindex return statement
-@quotation
-Syntax:
-@quotation
-return @emph{expr} ;  
-@end quotation
-Immediately exits the current function or event handler.  For a function,
-returns the value @emph{expr} (which is omitted if the function does
-not return a value, or for event handlers).
-@end quotation
-
-@command{add}
-@cindex add statement
-@quotation
-Syntax:
-@quotation
-add @emph{expr1} @emph{expr2} ; 
-@end quotation
-Adds the element specified by @emph{expr2} to the
-set given by @emph{expr1}.  For example,
-@example
-    global active_hosts: set[addr, port];
-    ...
-    add active_hosts[1.44.33.7, 80/tcp];
-@end example
-
-adds an element corresponding to the pair
-1.44.33.7 and 80/tcp to the set active_hosts.
-@end quotation
-
-@command{delete}
-@cindex delete statement
-@quotation
-Syntax:
-@quotation
-delete @emph{expr1} [@emph{expr2}] ; 
-@end quotation
-Deletes the corresponding value, where @emph{expr1} corresponds
-to a set or table, and @emph{expr2} an element/index of the
-set/table.  If the element is not in the set/table, does nothing.
-@end quotation
-
-@command{compound}
-@cindex compound statement
-@quotation
-Compound statements are formed from a list of (zero or more)
-statements enclosed in
-@code{@{@}}'s:
-@quotation
-@{ @emph{statement*} @} 
-@end quotation
-@end quotation
-
-@command{null}
-@cindex null statement
-@quotation
-A lone:
-@quotation
-; 
-@end quotation
-denotes an empty, do-nothing statement.
-@end quotation
-
-@cindex variables, local
-@cindex local variables
-@cindex variables, constant
-@cindex constant variables
-
-@command{local,const}
-@cindex local 
-@quotation
-Syntax:
-@quotation
-local @emph{var} : @emph{type} = @emph{initialization} @emph{attributes} ; @*
-const @emph{var} : @emph{type} = @emph{initialization} @emph{attributes} ; 
-@end quotation
-Declares a local variable with the given type, initialization, and
-attributes, all of which are optional.  The syntax of these fields is the
-same as for @command{global-vars}.  The
-second form likewise declares a local variable, but one which is
-@emph{constant}: trying to assign a new value to it results in an error.
-@emph{Deficiency:Currently, this @code{const} restriction isn't detected/enforced. }
-
-@cindex variables, scope
-
-@emph{Unlike with C} the scope of a local variable is from the point of declaration to the end of the encompassing function or event handler.
-@end quotation
-
-@cindex statements
-
-@node Expressions,
-@section Expressions
-
-@cindex expressions|(
-Expressions in Bro are very similar to those in C, with similar precedence:
-
-@cindex left parenthesis operator( operator
-@cindex operator, left parenthesis( parenthesis
-@cindex right parenthesis operator) operator
-@cindex operator, right parenthesis) parenthesis
-@cindex parentheses operators()
-
-@command{parenthesized}
-@quotation
-Syntax:
-@quotation
-( @emph{expr} ) 
-@end quotation
-Parentheses are used as usual to override precedence.
-@end quotation
-
-@command{constant}
-@cindex constant 
-@quotation
-Any constant value  is an expression.
-@end quotation
-
-@command{variable}
-@cindex variable 
-@quotation
-The name of a @emph{variable} is an expression.
-@end quotation
-
-@command{clone}
-@cindex clone operator
-@quotation
-Syntax:
-@quotation
-copy( @emph{expr} )
-@end quotation
-Produces a clone, or deep copy, of the value produced by the expression
-it is applied to.
-@end quotation
-
-@command{increment,decrement}
-@cindex increment 
-@cindex decrement 
-@quotation
-Syntax:
-@quotation
-++ @emph{expr}  
-@*
--- @emph{expr} 
-@end quotation
-Increments or decrements the given expression, which must correspond
-to an assignable value (variable, table element, or record element)
-and of a number type.
-
-Yields the value of the expression after the increment.
-
-@emph{Unlike with C, these operators only are defined for ``pre''-increment/decrement; there is no post-increment/decrement.}
-@end quotation
-
-@command{negation}
-@cindex negation 
-@quotation
-Syntax:
-@quotation
-! @emph{expr}  @*
-- @emph{expr} 
-@end quotation
-Yields the boolean 
-or arithmetic negation for values of boolean
-or @emph{numeric} (or @emph{interval}) types, respectively.
-@end quotation
-
-@command{positivation}
-@quotation
-Syntax:
-@quotation
-+ @emph{expr} 
-@end quotation
-Yields the value of @emph{expr}, which must be of type @emph{numeric}
-or @emph{interval}.
-
-The point of this operator is to explicitly convert a value of type count
-to int.  For example, suppose you want to declare a local variable
-code to be of type int, but initialized to the value 2.
-If you used:
-@example
-    local code = 2;
-@end example
-
-then Bro's implicit typing would make it of type count, because
-that's the type of a
-@command{numeric-constants}.
-You could instead use:
-@example
-    local code = +2;
-@end example
-
-to direct the type inferencing to instead assign a type of int
-to code.  Or, of course, you could specify the type explicitly:
-@example
-    local code:int = 2;
-@end example
-@end quotation
-
-@command{arithmetic}
-@quotation
-Syntax:
-@quotation
-@emph{expr1} + @emph{expr2} @* 
-@emph{expr1} - @emph{expr2} @* 
-@emph{expr1} * @emph{expr2} @* 
-@emph{expr1} / @emph{expr2} @* 
-@emph{expr1} % @emph{expr2} 
-@end quotation
-The usual C arithmetic operators, 
-defined for numeric types, except
-modulus (@code{%}) is only defined for integral types.
-@end quotation
-
-@cindex & short-circuit&&@  short-circuit ``and''
-@cindex short-circuit1-circuit && ``and'' operator
-@cindex and operator&& ``and'' operator
-@cindex operator, and&& ``and''
-@cindex & or short-circuit"|"|@  short-circuit ``or''
-@cindex short-circuit2-circuit "|"| ``or'' operator
-@cindex or operator"|"| ``or'' operator
-@cindex operator, or"|"| ``or''
-
-@command{logical}
-@quotation
-Syntax:
-@quotation
-@emph{expr1} @code{&&} @emph{expr2} @*
-@emph{expr1} @code{||} @emph{expr2} 
-@end quotation
-The usual C logical operators, defined for boolean types.
-@end quotation
-
-@cindex == equality operator==@  equality operator
-@cindex == inequality operator", =@  inequality operator
-
-@command{equality}
-@quotation
-Syntax:
-@quotation
-@emph{expr1} @code{==} @emph{expr2}  \
-@emph{expr1} @code{"!=} @emph{expr2} 
-@end quotation
-@command{rel-operators},
-Compares two values for equality or inequality, yielding a @code{bool} value.  Defined for all non-compound types except pattern.
-@end quotation
-
-@cindex == less-than operator<@ @  less-than operator
-@cindex == less-than-or-equal operator<=@  less-or-equal operator
-@cindex == z operator>@ @  greater-than operator
-@cindex == zz operator>=@  greater-or-equal operator
-
-@command{relational}
-@quotation
-Syntax:
-@quotation
-@emph{expr1} @code{<} @emph{expr2}  \
-@emph{expr1} @code{<=} @emph{expr2}  \
-@emph{expr1} @code{>} @emph{expr2}  \
-@emph{expr1} @code{>=} @emph{expr2} 
-@end quotation
-Compares two values for magnitude ordering,
-yielding a bool value.  Defined for values of type @emph{numeric},
-time, interval, port, or addr.
-
-@emph{Note:} TCP port values are considered less than UDP port values.
-
-@emph{Note:} IPv4 addr values less than IPv6 addr values.
-
-@emph{Deficiency: Should also be defined at for @command{string} values. }
-@end quotation
-
-@command{conditional}
-@quotation
-Syntax:
-@quotation
-@emph{expr1} ? @emph{expr2} : @emph{expr3} 
-@end quotation
-Evaluates @emph{expr1} and, if true, evaluates and yields
-@emph{expr2}, otherwise evaluates and yields
-@emph{expr3}. 
-@emph{expr2} and @emph{expr3} must have compatible
-types.
-@end quotation
-
-@command{assignment}
-@quotation
-Syntax:
-@quotation
-@emph{expr1} = @emph{expr2} 
-@end quotation
-Assigns the value of @emph{expr2} to the storage defined
-by 
-@emph{expr1}, which must be an assignable value
-(variable, table element, or record element).  Yields the assigned value.
-@end quotation
-
-@cindex left parenthesis operator( operator
-@cindex operator, left parenthesis( parenthesis
-@cindex right parenthesis operator) operator
-@cindex operator, right parenthesis) parenthesis
-@cindex parentheses operators()
-
-@cindex invocation, function
-@cindex function invocation
-
-@command{function call}
-@quotation
-Syntax:
-@quotation
-@emph{expr1} ( @emph{expr-list2} ) 
-@end quotation
-Evaluates @emph{expr1} to obtain a value of type @code{function},
-which is then invoked with its arguments bound left-to-right to the values
-obtained from the comma-separated list of expressions
-@emph{expr-list2}.  Each element of @emph{expr-list2}
-must be assignment-compatible with the corresponding formal argument 
-in the type of @emph{expr1}.  The list may (and must) be empty if the
-function does not take any parameters.
-@end quotation
-
-@cindex functions, anonymous
-
-@command{anonymous function}
-@quotation
-Syntax:
-@quotation
-function ( @emph{parameters} ) @emph{body} 
-@end quotation
-Defines an @emph{anonymous function}, which, in abstract terms, is how
-you specify a constant of type @code{function}.  @emph{parameters} has
-the syntax of parameter declarations for
-@command{functions}, as does @emph{body},
-which is just a list of statements enclosed in braces.
-
-Anonymous functions can be used anywhere you'd usually instead use a
-function declared in the usual direct fashion.  For example, consider the
-function:
-@example
-    function demo(msg: string): bool
-        @{
-        if ( msg == "do the demo" )
-            @{
-            print "got it";  
-            return T;
-            @}
-        else
-            return F;
-        @}
-@end example
-
-You could instead declare demo as a global variable of type @code{function}:
-@example
-global demo: function(msg: string): bool;
-@end example
-
-and then later assign to it an anonymous function:
-@example
-    demo = function (msg: string): bool
-        @{
-        if ( msg == "do the demo" )
-            @{
-            print "got it";
-            return T;
-            @}
-        else
-            return F;
-        @};
-@end example
-
-You can even call the anonymous function directly:
-@example
-    (function (msg: string): bool
-        @{
-        if ( msg == "do the demo" )
-            @{
-            print "got it";
-            return T;
-            @}
-        else
-            return F;
-        @})("do the demo")
-@end example
-
-though to do so you need to enclose the function in parentheses to
-avoid confusing Bro's parser.
-
-One particularly handy form of anonymous function is that used
-for @command{&default}.
-@end quotation
-
-@cindex timers
-@cindex events, scheduling
-@cindex scheduling events
-
-@command{event scheduling}
-@quotation
-Syntax:
-@quotation
-schedule @emph{expr1} @code{@{} @emph{expr2} ( @emph{expr-list3} ) @code{@}} 
-@end quotation
-Evaluates @emph{expr1} to obtain a value of type @command{interval},
-and schedules the event given by @emph{expr2} with parameters
-@emph{expr-list3} for that time.  Note that the expressions are
-all evaluated and bound at the time of execution of the schedule
-expression; evaluation is @emph{not} deferred until the future execution
-of the event handler.
-
-For example, we could define the following event handler:
-@example
-    event once_in_a_blue_moon(moon_phase: interval)
-        @{
-        print fmt("wow, a blue moon - phase %s", moon_phase);
-        @}
-@end example
-
-and then we could schedule delivery of the event for 6 hours from
-the present, with a moon_phase of 12 days, using:
-@example
-    schedule +6 hr @{ once_in_a_blue_moon(12 days) @};
-@end example
-
-@emph{Note:  The syntax is admittedly a bit clunky.  In particular, it's easy to @emph{(i)} forget to include the braces (which are needed to avoid confusing Bro's parser), @emph{(ii)} forget the final semi-colon if the schedule expression is being used as an expression-statement, or @emph{(iii)} erroneously place a semi-colon after the event specification but before the closing brace.}
-
-@cindex timer expiration
-@cindex expiration, timer
-
-Timer invocation is inexact.  In general, Bro uses arriving packets to
-serve as its clock (when reading a trace file off-line, this is still the
-case---the timestamp of the latest packet read from the trace is used as
-the notion of ``now'').  Once this clock reaches or passes the time
-associated with a queued event, Bro will invoke the event handler,
-which is termed ``expiring'' the timer.  (However, Bro will only
-invoke @command{max-timer-expires} timers per packet, and these
-include its own internal timers for managing connection state, so this can
-also delay invocation.)
-
-It will also expire all pending timers (whose time has not yet arrived)
-when Bro terminates; if you don't want those event handlers to activate
-in this instance, you need to test @command{done-with-network}.
-
-You would think that @code{schedule} should just be a statement like
-@command{event-invocation} is,
-rather than an expression.  But it actually does return a value, of the
-undocumented type timer.  
-@cindex possible future changes,  type
- In the future, Bro may provide mechanisms for manipulating such
-timers; for example, to cancel them if you no longer want them to expire.
-@end quotation
-
-@command{index}
-@quotation
-Syntax:
-@quotation
-@emph{expr1} [ @emph{expr-list2} ] 
-@end quotation
-Returns the sub-value of @emph{expr1} indexed by
-the value of @emph{expr-list2}, which must be compatible with the index
-type of @emph{expr1}.
-
-@emph{expr-list2} is a comma-separated list of expressions
-(with at least one expression listed) whose values
-are matched left-to-right against the index types of @emph{expr1}.
-
-The only type of value that can be indexed
-in this fashion is a table.  @emph{Note:} set's cannot be indexed because they do not yield any value.  Use @code{in} to test for set membership.
-@end quotation
-
-@command{membership}
-@quotation
-Syntax:
-@quotation
-@emph{expr1} in @emph{expr2}  @*
-@emph{expr1} !in @emph{expr2} 
-@end quotation
-Yields true (false, respectively)
-if the index @emph{expr1} is present in
-the @code{table} or @code{set} @emph{expr2}.
-
-For example, if notice_level is a table index by an address
-and yielding a count:
-@example
-    global notice_level: table[addr] of count;
-@end example
-
-then we could test whether the address 127.0.0.1 is present using:
-@example
-    127.0.0.1 in notice_level
-@end example
-
-For table's and set's indexed by multiple dimensions,
-you enclose @emph{expr1} in brackets.  For example,
-if we have:
-@example
-    global connection_seen: set[addr, addr];
-@end example
-
-then we could test for the presence of the element indexed by
-8.1.14.2 and 129.186.0.77 using:
-@example
-    [8.1.14.2, 129.186.0.77] in connection_seen
-@end example
-
-We can also instead use a corresponding record type.
-If we had
-@example
-    local t = [$x = 8.1.14.2, $y = 129.186.0.77]
-@end example
-
-then we could test:
-@example
-    t in connection_seen
-@end example
-@end quotation
-
-@cindex == equality operator==@  equality operator
-@cindex == inequality operator", =@  inequality operator
-
-@command{pattern matching}
-@quotation
-Syntax:
-@quotation
-@emph{expr1} == @emph{expr2}  @*
-@emph{expr1} "!= @emph{expr2}  @*
-@emph{expr1} in @emph{expr2}  @*
-@emph{expr1} "!in @emph{expr2} 
-@end quotation
-As discussed for @command{pattern values}. 
-the first two forms yield true (false) if 
-the @code{pattern} @emph{expr1} exactly matches the string
-@emph{expr2}.  (You can also list the @code{string} value 
-on the left-hand side of the operator and the @code{pattern} on the right.)
-
-The second two forms yield true (false) if
-the pattern @emph{expr1} is present within the string
-@emph{expr2}.  (For these, you @emph{must} list the pattern
-as the left-hand operand.)
-@end quotation
-
-@cindex $$@  record field access operator
-
-@command{record field access}
-@quotation
-Syntax:
-@quotation
-@emph{expr} $ @emph{field-name} 
-@end quotation
-Returns the given field @emph{field-name} of the record
-@emph{expr}.  If the record does not contain the
-given field, a compile-time error results.
-@end quotation
-
-@cindex $$@  record constructor operator
-
-@command{record constructor}
-@quotation
-Syntax:
-@quotation
-[ @emph{field-constructor-list} ] 
-@end quotation
-
-Constructs a @code{record} value.  The @emph{field-constructor-list} is
-a comma-separated list of individual field constructors, which have the syntax:
-@quotation
-$ @emph{field-name} = @emph{expr} 
-@end quotation
-
-For example,
-@example
-    [$foo = 3, $bar = 23/tcp]
-@end example
-
-yields a @code{record} with two fields, @code{foo} of type @code{count} and
-@code{bar} of type @code{port}.  The values used in the constructor needn't
-be constants, however; they can be any expression of an assignable type.
-@end quotation
-
-@cindex ?$?$@  record field test
-
-@command{record field test}
-@quotation
-Syntax:
-@quotation
-@emph{expr} @code{?$} @emph{field-name} 
-@end quotation
-Returns true if the given field has been set in the record yielded by
-@emph{expr}.  Note that @emph{field-name} @emph{must} correspond to
-one of the fields in the record type of @emph{expr} (otherwise, the
-expression would always be false).  The point of this operator is
-to test whether an @emph{&optional} field of a record has been
-assigned to.
-
-For example, suppose we have:
-@example
-    type rap_sheet: record @{
-        num_scans: count &optional;
-        first_activity: time;
-    @};
-    global the_goods: table[addr] of rap_sheet;
-@end example
-
-and we want to test whether the address held in the variable perp
-exists in the_goods and, if so, whether num_scans has been
-assigned to, then we could use:
-@example
-    perp in the_goods && the_goods[perp]?$num_scans
-@end example
-@end quotation
-
-@cindex expressions
-
diff --git a/doc/ref-manual/todo.texi b/doc/ref-manual/todo.texi
deleted file mode 100644
index 9722d08c62..0000000000
--- a/doc/ref-manual/todo.texi
+++ /dev/null
@@ -1,174 +0,0 @@
-
-@node Missing Documentation
-@chapter Missing Documentation
-
-This chapter holds stubs for subjects that have yet to be documented.
-Some of these are actually already somewhat covered elsewhere in the
-manual.  In addition, a major missing piece for the manual is the
-Bro language itself; below we mention some Bro language topics that
-come up elsewhere in the current version of the manual.
-
-@menu
-* use of prefixes::		
-* tcpdump save file that Bro writes::  
-* init initialization file::	
-* Assignment operators such as +=::  
-* notion of redefinition/refinement::  
-* Notice/Alarm model::		
-* Timer management::		
-* SYN-FIN filtering::		
-* Split routing::		
-* Scan dropping::		
-* Operator precedence::		
-* Partial connections::		
-* Packet drops::		
-* load directive::		
-* Global statements::		
-* Inserting tables into tables::  
-* Demultiplexing::		
-* Bro init file::		
-* Hostnames vs addresses::	
-* hot-report script::		
-* Use of libpcap/BPF::		
-* problem of evasion::		
-* Backscatter::			
-* Playing back traces::		
-* Discarders::			
-* Differences between this release and the previous one::  
-* Notice cascade::		
-* need for subtyping::		
-* need for CIDR masks::		
-* wish list::			
-* Known bugs::			
-* Execution tracing::
-* Policy analyzers::
-* Trace rewriting::
-* Rule benchmarking::
-* Connection state history recording::
-@end menu
-
-@node use of prefixes,
-@section The use of @emph{prefixes}
-
-
-@node  tcpdump save file that Bro writes,
-@section  The tcpdump save file that Bro writes 
-
-
-@node  init initialization file,
-@section  The bro.init initialization file 
-
-@node  Assignment operators such as +=,
-@section  Assignment operators such as += 
-
-@node  notion of redefinition/refinement,
-@section  The notion of redefinition/refinement 
-
- 
-@node  Notice/Alarm model,
-@section  The notice/alarm model 
-
-@node  Timer management,
-@section  Timer management 
-
-@node  SYN-FIN filtering,
-@section  SYN-FIN filtering 
-
-@node  Split routing,
-@section  Split routing 
-
-@node  Scan dropping,
-@section  Scan dropping 
-
-@node  Operator precedence,
-@section  Operator precedence 
-
-@node  Partial connections,
-@section  Partial connections 
-
-@node  Packet drops,
-@section  Packet drops 
-
-@node  load directive,
-@section  The load directive 
-
-@node  Global statements,
-@section  Global statements 
-
-@node  Inserting tables into tables,
-@section  Inserting tables into tables 
-
-@node  Demultiplexing,
-@section  Demultiplexing 
-
-@node  Bro init file,
-@section  Bro init file 
-
-
-@node  Hostnames vs addresses,
-@section  Hostnames vs. addresses 
-
-
-@node  hot-report script,
-@section  The hot-report script 
-
-
-@node  Use of libpcap/BPF,
-@section  Use of libpcap/BPF 
-
-See: bpf,pcap refs XXX
-
-@node  problem of evasion,
-@section  The problem of evasion 
-
-See: ptacek98 paper XXX
-
-@node  Backscatter,
-@section  Backscatter 
-
-
-@node Playing back traces,
-@section Playing back traces 
-
-
-@node  Discarders,
-@section  Discarders 
-
-@node  Differences between this release and the previous one,
-@section  Differences between this release and the previous one 
-
-
-@node  Notice cascade,
-@section  Notice cascade 
-
-
-@node  need for subtyping,
-@section  The need for subtyping 
-
-E.g., src addr vs. dst addr, perhaps
-using attributes.
-
-@node  need for CIDR masks,
-@section  The need for CIDR masks 
-
-
-@node  wish list,
-@section  The wish list 
-
-@node  Known bugs,
-@section  Known bugs 
-
-@node  Execution tracing,
-@section  Execution tracing
-
-@node  Policy analyzers,
-@section  Policy analyzers
-
-@node  Trace rewriting,
-@section  Trace rewriting
-
-@node  Rule benchmarking,
-@section  Rule benchmarking
-
-@node  Connection state history recording,
-@section  Connection state history recording
diff --git a/doc/ref-manual/values.texi b/doc/ref-manual/values.texi
deleted file mode 100644
index 811c87e89f..0000000000
--- a/doc/ref-manual/values.texi
+++ /dev/null
@@ -1,1945 +0,0 @@
-
-@node Values
-@chapter Values, Types, and Constants
-
-@menu
-* Values Overview::			
-* Booleans::			
-* Numeric Types::		
-* Enumerations::		
-* Strings::			
-* Patterns::			
-* Temporal Types::		
-* Port Type::			
-* Address Type::		
-* Net Type::			
-* Records::			
-* Tables::			
-* Sets::			
-* Files::			
-* Functions::			
-* Event handlers::		
-* any type::			
-@end menu
-
-@node Values Overview,
-@section Values Overview
-
-@cindex values, overview
-We begin with an overview of the types of values supported by
-Bro, giving a brief description of each type and
-introducing the notions of type conversion and type inference.
-We discuss each type in detail in 
-
-@menu
-* Bro Types::			
-* Type Conversions::		
-@end menu
-
-@node Bro Types
-@subsection Bro Types
-
-There are 18 (XXX check this) types of values in the Bro type
-system:
-@cindex types, overview
-
-@itemize @bullet
-@cindex types, bool
-
-@item 
-@code{bool} for Booleans;
-
-@cindex types, numeric
-@cindex types, count
-@cindex types, int
-@cindex types, double
-@cindex numeric types, count
-@cindex numeric types, int
-@cindex numeric types, double
-
-@item 
-@code{count}, @code{int}, and @code{double} types, collectively 
-called @emph{numeric}, for arithmetic and logical operations, and comparisons;
-
-@cindex types, enumeration
-@cindex types, enum
-
-@item 
-@code{enum} for enumerated types similar to those in C;
-
-@cindex types, string
-
-@item 
-@code{string}, character strings that can be used
-for comparisons and to index tables and sets;
-
-@cindex types, pattern
-
-@item 
-@code{pattern}, regular expressions that can be used for pattern
-matching;
-
-@cindex types, temporal
-@cindex types, time
-@cindex types, interval
-
-@item 
-@code{time} and @code{interval}, for absolute and relative times,
-collectively termed @emph{temporal};
-
-@cindex types, port
-
-@item 
-@code{port}, a TCP or UDP port number;
-
-@cindex types, addr
-
-@item 
-@code{addr}, an IP address;
-
-@cindex types, net
-
-@item 
-@code{net}, a network prefix;
-
-@cindex types, record
-
-@item 
-@code{record}, a collection of values (of possibly different types),
-each of which has a name;
-
-@cindex types, table
-
-@item 
-@code{table}, an associative array, indexed by tuples of
-scalars and yielding values of a particular type;
-
-@cindex types, set
-
-@item 
-@code{set}, a collection of tuples-of-scalars, for which a
-particular tuple's membership can be tested;
-
-@cindex types, file
-
-@item 
-@code{file}, a disk file to write or append to;
-
-@cindex types, function
-
-@item 
-@code{function}, a function that when called with a list of
-values (arguments) returns a value;
-
-@cindex types, event
-
-@item 
-@code{event}, an event handler that is invoked with a list of
-values (arguments) any time an event occurs.
-
-@end itemize
-
-Every value in a Bro script has one of these types.
-For most types there are ways of specifying @emph{constants} representing
-values of the type.  For example, @code{2.71828} is a constant
-of type @code{double}, and @code{80/tcp} is a constant of type
-@code{port}.  The discussion of types below includes a description
-of how to specify constants for the types.
-
-@cindex typing, static
-@cindex static typing
-Finally, even though Bro variables have @emph{static} types,
-meaning that their type is fixed,
-often their type is @emph{inferred} from the value to which
-they are initially assigned when the variable is declared.
-For example,
-@example
-    local a = "hi there";
-@end example
-
-fixes @code{a}'s type as @code{string}, and
-@example
-    local b = 6;
-@end example
-
-sets @code{b}'s type to @code{count}.  See 
-for further discussion.
-
-@node Type Conversions,
-@subsection Type Conversions
-
-@cindex types, conversion
-Some types will be automatically converted to other types as
-needed.
-@cindex types, conversion, automatic
-For example, a @code{count} value can always be used where a @code{double}
-value is expected.  The following:
-@example
-    local a = 5;
-    local b = a * .2;
-@end example
-
-creates a local variable @code{a} of type @code{count} and
-assigns the @code{double} value @code{1.0} to @code{b}, which will
-also be of type @code{double}.
-Automatic conversions are limited to converting between @emph{numeric} types.
-The rules for how types are converted are given below.
-@cindex types, conversion
-
-@node Booleans,
-@section Booleans
-
-@cindex booleans
-The @code{bool} type reflects a value with one of two possible
-meanings: @emph{true} or @emph{false}.
-
-@menu
-* Boolean Constants::		
-* Logical Operators::		
-@end menu
-
-@node Boolean Constants,
-@subsection Boolean Constants
-
-@cindex constants, boolean
-@cindex T
-@cindex F
-There are two @code{bool} constants:
-@code{T} and @code{F}.  They
-represent the values of ``true" and ``false", respectively.
-
-@node Logical Operators,
-@subsection Logical Operators
-
-@cindex types, bool
-
-@cindex operators, logical
-Bro supports three logical operators:
-@code{&&},
-@cindex & short-circuit&&@  short-circuit ``and''
-@cindex short-circuit1-circuit && ``and'' operator
-@cindex and operator&& ``and'' operator
-@cindex operator, and&& ``and''
-@code{||},
-@cindex & or short-circuit"|"|@  short-circuit ``or''
-@cindex short-circuit2-circuit "|"| ``or'' operator
-@cindex or operator"|"| ``or'' operator
-@cindex operator, or"|"| ``or''
-and @code{!}
-@cindex & z not", @ @  ``not'' operator
-@cindex not operator",  ``not'' operator
-@cindex operator, not",  ``not''
-are Boolean ``and,'' ``or,'' and ``not,'' respectively.
-@code{&&} and @code{||} are ``short circuit'' operators, as in C:
-they evaluate their right-hand operand
-only if needed.
-
-The @code{&&} operator returns @code{F} if its
-first operand evaluates to @emph{false}, otherwise it evaluates its second
-operand and returns @code{T} if it evaluates to @emph{true}.
-The @code{||} operator evaluates its first operand and returns @code{T} if
-the operand evaluates to @emph{true}.  Otherwise it evaluates its second
-operand, and returns @code{T} if it is @emph{true}, @code{F} if @emph{false}.
-
-@cindex logical negation
-@cindex negation, logical
-The unary @code{!}
-operator returns the boolean negation of its argument.
-So, @code{!@ T} yields @code{F}, and @code{!@ F} yields @code{T}.
-
-@cindex operators, logical, associativity
-@cindex operators, logical, precedence
-The logical operators are left-associative.
-The @code{!}
-operator has very high precedence, the same as unary @code{+} and @code{-};
-see 
-The @code{||} operator has
-precedence just below @code{&&}, which in turn is just below that of
-the comparison operators (see @ref{Comparison Operators}).
-@cindex operators, logical
-@cindex booleans
-
-@node Numeric Types,
-@section Numeric Types
-
-@cindex types, count
-@cindex types, int
-@cindex types, double
-
-@cindex types, numeric
-@code{int}, @code{count}, and @code{double} types
-should be familiar to most programmers as integer, unsigned integer, and
-double-precision floating-point types.
-
-These types are referred to collectively as @emph{numeric}.  @emph{Numeric}
-types can be used in arithmetic operations (see 
-below) as well as in comparisons (@ref{Comparison Operators}).
-
-@menu
-* Numeric Constants::		
-* Mixing Numeric Types::	
-* Arithmetic Operators::	
-* Comparison Operators::	
-@end menu
-
-@node Numeric Constants,
-@subsection Numeric Constants
-
-@cindex constants, count
-@code{count} constants are just strings of digits: @code{1234} and @code{0}
-are examples.
-
-@cindex constants, integer
-@code{integer} constants are strings of digits preceded
-by a @code{+} or @code{-} sign: @code{-42} and @code{+5} for example.
-Because digit strings without a sign are of type @code{count}, occasionally
-you need to take care when defining a variable if it really needs to
-be of type @code{int} rather than @code{count}.  Because of type inferencing
-, a definition like:
-@example
-    local size_difference = 0;
-@end example
-
-will result in @code{size_difference} having type @code{count} when
-@code{int} is what's instead needed (because, say, the size difference can be
-negative).  This can be resolved either by using an @code{int} constant
-in the  initialization:
-@example
-    local size_difference = +0;
-@end example
-
-or explicitly indicating the type:
-@example
-    local size_difference: int = 0;
-@end example
-
-@cindex constants, floating-point
-You write floating-point constants in the usual ways, a string of digits
-with perhaps a decimal point and perhaps a scale-factor written in scientific
-notation.  Optional @code{+} or @code{-} signs may be given before the digits
-or before the scientific notation exponent.
-Examples are @code{-1234.}, @code{-1234e0}, @code{3.14159}, and @code{.003e-23}.
-All floating-point constants are of type @code{double}.
-
-@node Mixing Numeric Types,
-@subsection Mixing Numeric Types
-
-@cindex types, numeric, intermixing
-@cindex types, numeric, bool not numeric
-You can freely intermix @emph{numeric} types in expressions.  When intermixed,
-values are promoted to the ``highest" type in the expression.
-In general, this promotion follows a simple hierarchy: @code{double} is
-highest, @code{int} comes next, and @code{count} is lowest.  (Note that
-@code{bool} is not a numeric type.)
-
-@node Arithmetic Operators,
-@subsection Arithmetic Operators
-
-@cindex operators, arithmetic
-@cindex addition, numeric
-@cindex subtraction, numeric
-@cindex multiplication, numeric
-@cindex division, numeric
-@cindex operators, arithmetic, operand conversion
-For doing arithmetic, Bro supports
-@code{+}
-@code{-}
-@code{*}
-@code{/}
-and
-@code{%}
-@cindex percent modulus operator
-.
-In general, binary operators evaluate their operands after converting them
-to the higher type of the two and return a result of that type.
-However, subtraction of two @code{count} values yields an @code{int} value.
-Division is integral if its operands are @code{count} and/or @code{int}.
-
-@code{+}
-and @code{-}
-can also be used as unary operators.  If applied to a @code{count} type,
-they yield an @code{int} type.
-
-@code{%} computes a @emph{modulus}, defined in the same way as in
-the C language.  It can only be applied to @code{count} or @code{int}
-types, and yields @code{count} if both operands are @code{count} types,
-otherwise @code{int}.
-
-@cindex operators, arithmetic, precedence
-Binary @code{+} and @code{-}
-have the lowest precedence, @code{*}, @code{/}, and @code{%} have equal
-and next highest precedence.  The unary
-@code{+} and @code{-} operators have the same precedence as the @code{!}
-operator @ref{Logical Operators}.
-See , for a table of the precedence of all Bro
-operators.
-
-@cindex operators, arithmetic, associativity
-All arithmetic operators associate from left-to-right.
-@cindex operators, arithmetic
-
-@node Comparison Operators,
-@subsection Comparison Operators
-
-@cindex operators, comparison
-@cindex relationals, numeric
-@cindex operators, comparison, operand conversion
-Bro provides the usual comparison operators:
-@code{==}
-@cindex == equality operator==@  equality operator
-,
-@code{!=}
-@cindex == inequality operator", =@  inequality operator
-,
-@code{<}
-@cindex == less-than operator<@ @  less-than operator
-,
-@code{<=}
-@cindex == less-than-or-equal operator<=@  less-or-equal operator
-,
-@code{>}
-@cindex == z operator>@ @  greater-than operator
-,
-and
-@code{>=}
-@cindex == zz operator>=@  greater-or-equal operator
-.
-They each take two operands, which
-they convert to the higher of the two types (see @ref{Mixing Numeric Types}).
-They return a @code{bool} corresponding to the comparison of the operands.
-For example,
-@example
-    3 < 3.000001
-@end example
-
-yields true.
-
-@cindex operators, comparison, associativity
-@cindex operators, comparison, precedence
-The comparison operators are all non-associative and have equal precedence,
-just below that of the 
-just above that of the 
-See ,
-for a general discussion of precedence.
-@cindex operators, comparison
-@cindex types, numeric
-
-@node Enumerations,
-@section Enumerations
-
-@cindex enumerations
-@cindex types, enum
-Enumerations allow you to specify a set of related values that have
-no further structure, similar to @code{enum} types in C.  For example:
-@example
-    type color: enum @{ Red, White, Blue, @};
-@end example
-
-defines the values @code{Red}, @code{White}, and @code{Blue}.  A variable
-of type @code{color} holds one of these values.  Note that @code{Red} et al
-@cindex global scope, of enumerations
-have @emph{global scope}.  You @emph{cannot} define a variable or type
-with those names.  (Also note that, as usual, the comma after @code{Blue}
-is optional.)
-
-The only operations allowed on enumerations are comparisons for
-equality.  Unlike C enumerations, they do not have values or an
-ordering associated with them.
-
-You can extend the set of values in an enumeration using
-@code{redef enum @emph{identifier} += @{ @emph{name-list} @}}:
-@example
-    redef enum color += @{ Black, Yellow @};
-@end example
-
-@cindex enumerations
-
-@node Strings,
-@section Strings
-
-@cindex strings
-@cindex types, string
-The @code{string} type holds character-string values, used to represent
-and manipulate text.
-
-@menu
-* String Constants::		
-* String Operators::		
-@end menu
-
-@node String Constants,
-@subsection String Constants
-
-@cindex constants, string
-@cindex escape sequences
-@cindex possible future changes, breaking string constants across multiple lines
-You create string constants by enclosing text within double (@code{"}) quotes.
-A backslash character (@code{\}) 
-introduces an @emph{escape sequence}.  The following ANSI C escape
-sequences are recognized:
-FIXME
-the 8-bit ASCII character with code @emph{hex-digits}.
-Bro string constants currently @emph{cannot} be continued across
-multiple lines by escaping newlines in the input.  This may change
-in the future.
-Any other character following a @code{\} is passed along literally.
-
-@cindex NULs, allowed in strings
-
-@cindex evasion, inserting NULs
-
-Unlike in C, strings are represented internally as a count and a
-vector of bytes, rather than a NUL-terminated series of bytes.  This
-difference is important because NULs can easily be introduced into strings
-derived from network traffic, either by the nature of the application,
-inadvertently, or maliciously by an attacker attempting to subvert the
-monitor.  An example of the latter is sending the following to an FTP server:
-@example
-    USER nice\0USER root
-@end example
-
-where ``@code{\0}'' represents a NUL.  Depending on how it is written,
-the FTP application receiving this text might well interpret it as
-two separate commands, ``@code{USER nice}'' followed by ``@code{USER root}''.
-But if the monitoring program uses NUL-terminated strings, then it
-will effectively see only ``@code{USER nice}'' and have no opportunity
-to detect the subversive action.
-
-@cindex NULs, terminating string constants
-@cindex string constants, NUL terminated
-Note that Bro string constants are automatically NUL-terminated.
-
-Note: While Bro itself allows NULs in strings, their presence
-in arguments to many Bro functions results in a run-time error, as
-often their presence (or, conversely, lack of a NUL terminator)
-indicates some sort of problem (particularly
-for arguments that will be passed to C functions).  See 
-section @ref{Run-time errors for strings with NULs} for discussion. 
-
-@cindex constants, string
-
-@node String Operators,
-@subsection String Operators
-
-@cindex operators, string
-@cindex relationals, string
-@cindex ASCII, as usual character set
-@cindex character set, ASCII
-Currently the only string operators provided are the comparison
-operators discussed in @ref{Comparison Operators} and pattern-matching
-as discussed in @ref{Pattern Operators}.  These operators
-perform character by character comparisons based on the native
-character set, usually ASCII.
-
-Some functions for manipulating strings are also available.  See
-.
-@cindex strings
-
-@cindex strings
-
-@node Patterns,
-@section Patterns
-
-@cindex types, pattern
-@cindex searching for strings
-@cindex pattern matching
-
-@cindex patterns
-The @code{pattern} type holds regular-expression patterns, which can
-be used for fast text searching operations.
-
-@menu
-* Pattern Constants::		
-* Pattern Operators::		
-@end menu
-
-@node Pattern Constants,
-@subsection Pattern Constants
-
-@cindex constants, pattern
-@cindex flex utility
-@cindex lex utility
-@cindex utilities, flex
-@cindex utilities, lex
-You create pattern constants by enclosing text within forward slashes (@code{/}).
-The syntax is the same as for the @emph{flex} version of the @emph{lex}
-utility.
-For example,
-@example
-    /foo|bar/
-@end example
-
-specifies a pattern that matches either the text ``foo'' or the
-text ``bar'';
-@example
-    /[a-zA-Z0-9]+/
-@end example
-
-matches one or more letters or digits, as will
-@example
-    /[[:alpha:][:digit:]]+/
-@end example
-
-or
-@example
-    /[[:alnum:]]+/
-@end example
-
-and the pattern
-@example
-    /^rewt.*login/
-@end example
-
-matches any string with the text ``rewt'' at the beginning of
-a line followed somewhere later in the line by the text ``login''.
-
-You can create disjunctions (patterns the match any of a number of
-alternatives) both using the ``@{@code{|}@}'' regular expression
-operator directly, as in the first example above, or by using it
-to join multiple patterns.  So the first example above
-could instead be written:
-@example
-    /foo/ | /bar/
-@end example
-
-This form is convenient when constructing large disjunctions because
-it's easier to see what's going on.
-
-Note that the speed of the regular expression matching does @emph{not}
-depend on the complexity or size of the patterns, so you should feel
-free to make full use of the expressive power they afford.
-
-You can assign @code{pattern} values to variables, hold them in tables,
-and so on.  So for example you could have:
-@example
-    global address_filters: table[addr] of pattern = @{
-        [128.3.4.4] = /failed login/ | /access denied/,
-        [128.3.5.1] = /access timeout/
-    @};
-@end example
-
-and then could test, for example:
-@example
-    if ( address_filters[c$id$orig_h] in msg )
-        skip_the_activity();
-@end example
-
-Note though that you cannot use create patterns dynamically.
-this form (or any other) to create dynamic
-
-@cindex constants, pattern
-
-@node Pattern Operators,
-@subsection Pattern Operators
-
-@cindex operators, pattern
-
-There are two types of pattern-matching operators: @emph{exact}
-matching and @emph{embedded} matching.
-
-@menu
-* Exact Pattern Matching::	
-* Embedded Pattern Matching::	
-@end menu
-
-@node Exact Pattern Matching,
-@subsubsection Exact Pattern Matching
-
-@cindex pattern matching, exact
-Exact matching tests for a
-string entirely matching a given
-pattern.  You specify exact matching by using the
-@code{==} equality relational with one @code{pattern} operand and one
-@code{string} operand (order irrelevant).  For example,
-@example
-    "foo" == /foo|bar/
-@end example
-
-yields true, while
-@example
-    /foo|bar/ == "foobar"
-@end example
-
-yields false.  The @code{!=} operator is the negation of the @code{==}
-operator, just as when comparing strings or numerics.
-
-Note that for exact matching, the @code{^} (anchor to beginning-of-line)
-and @code{$} (anchor to end-of-line) regular expression operators are
-redundant: since the match is @emph{exact}, every pattern is implicitly
-anchored to the beginning and end of the line.
-
-@node Embedded Pattern Matching,
-@subsubsection Embedded Pattern Matching
-
-@cindex pattern matching, embedded
-
-@cindex in operator operator
-Embedded matching tests whether a given pattern appears anywhere
-within a given string.
-You specify embedded pattern matching
-using the @code{in} operator.  It takes two operands, the first
-(which must appear on the left-hand side) of type @code{pattern},
-the second of type @code{string}.
-For example,
-@example
-    /foo|bar/ in "foobar"
-@end example
-
-yields true, as does
-@example
-    /oob/ in "foobar"
-@end example
-
-but
-@example
-    /^oob/ in "foobar"
-@end example
-
-does not, since the text ``oob'' does not appear the beginning
-of the string ``foobar''.
-Note, though, that the @code{$} regular expression operator (anchor
-to end-of-line) is not currently supported, so:
-@example
-    /oob$/ in "foobar"
-@end example
-
-currently yields true.  This is likely to change in the future.
-@cindex bugs, $ pattern operator not supported
-
-@cindex in2 operator", in negation of  operator
-@cindex not in operator", in negation of  operator
-Finally, the @code{!in} operator yields the negation of the @code{in} operator.
-
-@cindex patterns
-
-@node Temporal Types,
-@section Temporal Types
-
-@cindex time
-@cindex absolute time
-@cindex relative time
-@cindex temporal, types
-@cindex types, time
-@cindex types, interval
-
-Bro supports types representing @emph{absolute} and @emph{relative}
-times with the @code{time} and @code{interval} types, respectively.
-
-@menu
-* Temporal Constants::		
-* Temporal Operators::		
-@end menu
-
-@node Temporal Constants,
-@subsection Temporal Constants
-
-@cindex constants, temporal
-@cindex temporal, constants
-@cindex constants, time
-@cindex constants, interval
-@cindex possible future changes, constants for absolute times
-There is currently no way to specify an absolute time as a constant
-(though see the @code{current_time} and @code{network_time} functions
-in @ref{Functions for manipulating time}).  You can specify @code{interval} constants,
-however, by appending a @emph{time unit} after a numeric constant.
-For example,
-@example
-    3.5 min
-@end example
-
-denotes 210 seconds.
-The different time units are @code{usec}, @code{sec},
-@code{min}, @code{hr}, and @code{day}, representing microseconds, seconds,
-minutes, hours, and days, respectively.  The whitespace between 
-the numeric constant and the unit is optional, and the letter ``s''
-may be added to pluralize the unit (this has no semantic effect).
-So the above
-example could also be written:
-@cindex usec (microseconds) interval unit
-@cindex sec (seconds) interval unit
-@cindex min (minutes) interval unit
-@cindex hr (hours) interval unit
-@cindex day interval unit
-@cindex interval units, usec
-@cindex interval units, sec
-@cindex interval units, min
-@cindex interval units, hr
-@cindex interval units, day
-@example
-    3.5mins
-@end example
-
-or
-@example
-    150 secs
-@end example
-
-@cindex constants, interval
-@cindex constants, time
-
-@node Temporal Operators,
-@subsection Temporal Operators
-
-@cindex operators, temporal
-
-You can apply arithmetic and relational operators to temporal
-values, as follows.
-
-@menu
-* Temporal Negation::		
-* Temporal Addition::		
-* Temporal Subtraction::	
-* Temporal Multiplication::	
-* Temporal Division::		
-* Temporal Relationals::	
-@end menu
-
-@node Temporal Negation,
-@subsubsection Temporal Negation
-
-@cindex temporal, negation
-@cindex negation, temporal
-
-The unary @code{-}
-operator can be applied to an @code{interval} value to yield another
-@code{interval} value.  For example,
-@example
-    - 12 hr
-@end example
-
-represents ``twelve hours in the past.''
-
-@node Temporal Addition,
-@subsubsection Temporal Addition
-
-@cindex temporal, addition
-@cindex addition, temporal
-
-Adding two @code{interval} values yields another @code{interval} value.
-For example,
-@example
-    5 sec + 2 min
-@end example
-
-yields 125 seconds.
-Adding a @code{time} value to an @code{interval} yields
-another @code{time} value.
-
-@node Temporal Subtraction,
-@subsubsection Temporal Subtraction
-
-@cindex temporal, subtraction
-@cindex subtraction, temporal
-
-Subtracting a @code{time} value from another @code{time} value
-yields an @code{interval} value, as does subtracting an @code{interval}
-value from another @code{interval}, while subtracting an @code{interval}
-from a @code{time} yields a @code{time}.
-
-@node Temporal Multiplication,
-@subsubsection Temporal Multiplication
-
-@cindex temporal, multiplication
-@cindex multiplication, temporal
-
-You can multiply an @code{interval} value by a @emph{numeric} value
-to yield another @code{interval} value.  For example,
-@example
-   5 min * 6.5
-@end example
-
-yields 1,950 seconds.  @code{time} values cannot be scaled by
-multiplication or division.
-
-@node Temporal Division,
-@subsubsection Temporal Division
-
-@cindex temporal, division
-@cindex division, temporal
-
-You can also divide an @code{interval} value by a @emph{numeric} value
-to yield another @code{interval} value.  For example,
-@example
-   5 min / 2
-@end example
-
-yields 150 seconds.  Furthermore, you can divide one @code{interval}
-value by another to yield a @code{double}. For example,
-@example
-   5 min / 30 sec
-@end example
-
-yields 10.
-
-@node Temporal Relationals,
-@subsubsection Temporal Relationals
-
-@cindex temporal, relationals
-@cindex relationals, temporal
-
-You may compare two @code{time} values or two @code{interval} values
-for equality, and also for ordering, where times or intervals
-further in the future are considered larger than times or intervals
-nearer in the future, or in the past.
-
-@cindex time
-
-@node Port Type,
-@section Port Type
-
-@cindex port type
-@cindex ports, UDP
-@cindex ports, TCP
-@cindex ports, ICMP
-@cindex ports, unknown
-
-The @code{port} type corresponds to transport-level port numbers.
-Besides TCP or UDP ports, these can also be ICMP ``ports'', where the
-source port is the ICMP message type and the destination port the ICMP
-message code.  Furthermore, the transport-level protocol of a port can
-remain unspecified.  In any case, a value of type @code{port}
-represents exactly one of those four transport protocol choices.
-
-@menu
-* Port Constants::		
-* Port Operators::		
-* Port Functions::		
-@end menu
-
-@node Port Constants,
-@subsection Port Constants
-
-@cindex constants, port
-@cindex ports, constants
-There are two forms of @code{port}
-constants.  The first consists of an unsigned integer followed by one of
-``@code{/tcp}'', ``@code{/udp}'', ``@code{/icmp}'', or ``@code{/unknown}''.
-So, for example, ``@code{80/tcp}'' corresponds to TCP port 80 (typically
-used for the HTTP protocol). The second form of constant is specified
-using a predefined identifier, such as ``@code{http}'', equivalent to
-``@code{80/tcp}.''  These predefined identifiers are simply @code{const}
-variables defined in the Bro initialization file, such as:
-@example
-    const http = 80/tcp;
-@end example
-
-@node Port Operators,
-@subsection Port Operators
-
-@cindex ports, operators
-@cindex operators, ports
-
-The only operations that can be applied to @code{port} values are
-relationals.  You may compare them for equality, and also for ordering.
-For example,
-@example
-     20/tcp < telnet
-@end example
-
-yields true because @code{telnet} is a predefined constant set to
-@code{23/tcp}.  
-
-When comparing ports across transport-level protocols, the following
-holds: unknown < TCP < UDP < ICMP. For example, ``@code{65535/tcp}'' is
-smaller than ``@code{0/udp}''.
-
-@cindex port type
-
-@node Port Functions,
-@subsection Port Functions
-
-@cindex ports, functions
-
-You can obtain the transport-level protocol type of a port as an
-@code{enum} constant of type @code{transport_proto} (defined in
-@code{bro.init}), using the built-in function (see @ref{Predefined Functions})
-@code{get_port_transport_proto(p: port): transport_proto}.
-
-@node Address Type,
-@section Address Type
-
-@cindex address type
-
-@cindex relationals, address
-Another networking type provided by Bro is @code{addr}, corresponding to an
-IP address.  The only operations that can be performed on them are
-comparisons for equality or inequality (also, a built-in function provides
-masking, as discussed below).
-
-When configuring the Bro distribution, if you specify @code{--enable-brov6}
-
-then Bro will be built to support both IPv4 and IPv6 addresses,
-and an @code{addr} can hold either.  Otherwise, addresses are
-restricted to IPv4.
-@cindex IPv6 support
-
-@menu
-* Address Constants::		
-* Address Operators::		
-@end menu
-
-@node Address Constants,
-@subsection Address Constants
-
-@cindex constants, address
-@cindex address type, constants
-@cindex IPv4/IPv6 address constants
-
-Constants of type @code{addr} have the familiar ``dotted quad'' format,
-@code{A_1.A_2.A_3.A_4}, where the A_i all lie
-between 0 and 255.  If you have configured for IPv6 support as discussed
-above, then you can also use the colon-separated hexadecimal form
-described in RFC2373.
-
-@cindex hostnames
-@cindex constants, hostname
-
-Often more useful are @emph{hostname} constants.  There is no Bro
-type corresponding to Internet hostnames. Because hostnames can correspond
-to multiple IP addresses, you quickly run into ambiguities if comparing
-one hostname with another.  Bro does, however, support hostnames as
-constants.  Any series of two or more identifiers delimited by dots
-forms a hostname constant, so, for example, ``@code{lbl.gov}'' and
-``@code{www.microsoft.com}'' are both hostname constants (the latter,
-as of this writing, corresponds to 5 distinct IP addresses).  The value of
-a hostname constant is a @code{list} of @code{addr} containing one
-or more elements.  These lists (as with the lists associated with
-certain @code{port} constants, discussed above) cannot be used in
-Bro expressions; but they play a central role in initializing Bro 
-@command{tables} and @command{sets}.
-
-@node Address Operators,
-@subsection Address Operators
-@cindex address type, operators
-@cindex operators, address
-
-The only operations that can be applied to @code{addr} values are
-comparisons for equality or inequality, using @code{==} and @code{!=}.
-However, you can also operate on @code{addr} values using
- to mask off lower address bits, and 
-to convert an @code{addr} to a @code{net} (see below).
-
-@cindex address type
-
-@node Net Type,
-@section Net Type
-@cindex net type
-
-@cindex address masking
-@cindex CIDR
-@cindex subnets
-@cindex prefixes, network
-@cindex network prefixes
-Related to the @code{addr} type is @code{net}.  @code{net} values hold address
-prefixes.  Historically, the IP address space was divided into different
-@emph{classes} of addresses, based on the uppermost components of a given
-address: class A spanned the range 0.0.0.0 to 127.255.255.255; class B from
-128.0.0.0 to 191.255.255.255; class C from 192.0.0.0 to 223.255.255.255;
-class D from 224.0.0.0 to 239.255.255.255; and class E from 240.0.0.0 to
-255.255.255.255.  Addresses were allocated to different networks out of
-either class A, B, or C, in blocks of @math{2^{24}}, @math{2^{16}}, and @math{2^8}
-addresses, respectively.
-
-Accordingly, @code{net} values hold either an 8-bit class A prefix,
-a 16-bit class B prefix, a 24-bit class C prefix, or a 32-bit class D
-``prefix'' (an entire address).  Values for class E prefixes are not
-defined (because no such addresses are currently allocated, and so shouldn't
-appear in other than clearly-bogus packets).
-
-Today, address allocations come not from class A, B or C, but instead
-from @emph{CIDR} blocks (CIDR = Classless Inter-Domain Routing), which
-are prefixes between 1 and 32 bits long in the range 0.0.0.0 to
-223.255.255.255.  @emph{Deficiency: Bro @emph{should} deal just with CIDR prefixes, rather than old-style network prefixes.  However, these are more difficult to implement efficiently for table searching and the like; hence currently Bro only supports the easier-to-implement old-style prefixes.  Since these don't match current allocation policies, often they don't really fit an address range you'll want to describe.  But for sites with older allocations, they do, which gives them some basic utility.}
-
-@cindex IPv6 and lack of CIDR prefixes
-In addition, @emph{Deficiency: IPv6 has no notion of old-style network prefixes, only CIDR prefixes, so the lack of support of CIDR prefixes impairs use of Bro to analyze IPv6 traffic. }
-
-@menu
-* Net Constants::		
-* Net Operators::		
-@end menu
-
-@node Net Constants,
-@subsection Net Constants
-
-@cindex constants, net
-@cindex net, constants
-You express constants of type @code{net} in one of two forms, either:
-@quotation
-@code{N_1.N_2.}
-@end quotation
-or
-@quotation
-@code{N_1.N_2.N_3}
-@end quotation
-where the N_i all lie between 0 and 255.  The first of these corresponds
-to class B prefixes (note the trailing ``@code{.}'' that's required to
-distinguish the constant from a floating-point number), and the second to
-class C prefixes.  @emph{Deficiency: There's currently no way to specify a class A prefix. }
-
-@node Net Operators,
-@subsection Net Operators
-@cindex net, operators
-@cindex operators, net
-
-@cindex relationals, net
-The only operations that can be applied to @code{net} values are
-comparisons for equality or inequality, using @code{==} and @code{!=}.
-
-@cindex net type
-
-@node Records,
-@section Records
-
-@cindex records
-@cindex records, fields
-A @code{record} is a collection of values.  Each value has a name,
-referred to as one of the record's @emph{fields},
-and a type.  The values do
-not need to have the same type, and there is no restriction on the
-allowed types (i.e., each field can be @emph{any} type).
-
-@menu
-* Defining records::		
-* Record Constants::		
-* Accessing Fields Using $::	
-* Record Assignment::		
-@end menu
-
-@node Defining records,
-@subsection Defining records
-
-A definition of a record type has the following syntax:
-@example
-record @{ @math{field^+} @}
-@end example
-
-(that is, the keyword @code{record} followed by one-or-more @emph{field}'s
-enclosed in braces), where a @emph{field} has the syntax:
-@example
-identifier : type @math{field-attributes^*}  ; identifier : type @math{field-attributes^*}  ,
-@end example
-
-Each field has a name given by the identifier (which can be the same
-as the identifier of an existing variable or a field in another record).
-@cindex records, fields, legal names
-@cindex names, case-sensitive
-Field names must follow the same syntax as that for Bro variable names (see @ref{Variables Overview, 
-Variables}),
-namely they must begin with a letter or
-an underscore (``@code{_}'') followed by zero or more letters, underscores,
-or digits.  Bro reserved words such as @code{if} or @code{event} cannot
-be used for field names.  Field names are
-case-sensitive.
-
-Each field holds a value of the given type.
-We discuss the optional 
-Finally, you can use either a semicolon or a comma to terminate the
-definition of a record field.
-
-For example, the following record type:
-@example
-    type conn_id: record @{
-        orig_h: addr;  # Address of originating host.
-        orig_p: port;  # Port used by originator.
-        resp_h: addr;  # Address of responding host.
-        resp_p: port;  # Port used by responder.
-    @};
-@end example
-
-is used throughout Bro scripts to denote a connection identifier
-by specifying the connections originating and responding addresses
-and ports.  It has four fields: @code{orig_h} and @code{resp_h} of type
-@code{addr}, and @code{orig_p} of @code{resp_p} of type @code{port}.
-
-@node Record Constants,
-@subsection Record Constants
-@cindex constants, record
-
-You can initialize values of type
-@code{record} using either assignment from another, already existing
-@code{record} value; or element-by-element; or using a 
-
-In a Bro function or event handler, we could declare a local
-variable the @code{conn_id} type given above:
-@example
-    local id: conn_id;
-@end example
-
-and then explicitly assign each of its fields:
-@example
-    id$orig_h = 207.46.138.11;
-    id$orig_p = 31337/tcp;
-    id$resp_h = 207.110.0.15;
-    id$resp_p = 22/tcp;
-@end example
-
-@emph{Deficiency: One danger with this initialization method is that if you forget to initialize a field, and then later access it, you will @emph{crash} Bro. }
-
-Or we could use:
-@example
-    id = [$orig_h = 207.46.138.11, $orig_p = 31337/tcp,
-          $resp_h = 207.110.0.15, $resp_p = 22/tcp];
-@end example
-
-This second form is no different from assigning a @code{record} value 
-computed in some other fashion, such as the value of another variable,
-a table element, or the value returned by a function call.  Such assignments
-must specify @emph{all} of the fields in the target (i.e., in @code{id} in
-this example), unless the missing field has the  @code{&optional} or @code{&default} attribute.
-
-@cindex constants, record
-
-@node Accessing Fields Using $,
-@subsection Accessing Fields Using ``@code{$}''
-
-@cindex records, fields, accessing
-You access and assign record fields using the ``@code{$}'' (dollar-sign)
-operator.  As indicated in the example above, for the record @code{id} we can
-access its @code{orig_h} field using:
-@example
-    id$orig_h
-@end example
-
-which will yield the @code{addr} value @code{207.46.138.11}.
-
-@node Record Assignment,
-@subsection Record Assignment
-@cindex records, assignment
-@cindex assigning records
-You can assign one record value to another using simple assignment:
-@example
-    local a: conn_id;
-    ...
-    local b: conn_id;
-    ...
-    b = a;
-@end example
-
-@cindex copy, shallow vs. deep
-@cindex shallow copy
-@cindex deep copy
-
-Doing so produces a @emph{shallow} copy.  That is, after the assignment,
-@code{b} refers to the same record as does @code{a}, and an assignment
-to one of @code{b}'s fields will alter the field in @code{a}'s value
-(and vice versa for an assignment to one of @code{a}'s fields).
-However, assigning again to @code{b} itself, or assigning to @code{a} itself,
-will break the connection.
-
-In order to produce a @emph{deep} copy, use the clone operator ``copy()''.
-For more details, see @ref{Expressions}.
-
-You can also assign to a record another record that has fields with
-the same names and types, even if they come in a different order.
-For example, if you have:
-@example
-    local b: conn_id;
-    local c: record @{
-        resp_h: addr, orig_h: addr;
-        resp_p: port, orig_p: port;
-    @};
-@end example
-
-then you can assign either @code{b} to @code{c} or vice versa.
-
-You could @emph{not}, however, make the assignment (in either
-direction) if you had:
-@example
-    local b: conn_id;
-    local c: record @{
-        resp_h: addr, orig_h: addr;
-        resp_p: port, orig_p: port;
-        num_notices: count;
-    @};
-@end example
-
-because the field @code{num_notices} would either be missing or excess.
-
-However, when declaring a record you can associate attributes with the fields. The relevant ones are 
-@code{&optional},
-which indicates that when assigning to the record you can omit the field, and 
-@code{&default = expr}, which indicates
-that if the field is missing, then a reference to it returns the value of the expression @emph{expr}. So if instead you had:
-
-@example
-    local b: conn_id;
-    local c: record @{
-        resp_h: addr, orig_h: addr;
-        resp_p: port, orig_p: port;
-        num_notices: count &optional;
-    @};
-@end example
-
-then you could execute @code{c = b} even though @code{num_notices} is missing from b. 
-You still could not execute @code{b = c},
-though, since in that direction, @code{num_notices} is an extra field (regardless of whether it has 
-been assigned to or not --- the error is a type-checking error, not a run-time error).
-
-The same holds for:
-
-@example
-    local b: conn_id;
-    local c: record @{
-        resp_h: addr, orig_h: addr;
-        resp_p: port, orig_p: port;
-        num_notices: count &default = 0;
-    @};
-@end example
-
-I.e., you could execute @code{c = b} but not @code{b = c}. The only difference between this example and the previous one is that
-for the previous one, access to @code{c$num_notices} without having first assigned to it 
-results in a run-time error, while in the second, it yields 0.
-
-You can test for whether a record field exists using the @code{?$} operator.
-
-Finally, all of the rules for assigning records also apply when passing a record value as an argument in a function
-call or an event handler invocation.
-
-@node Tables,
-@section Tables
-
-@cindex tables
-@cindex array, associative
-@cindex associative array
-@cindex index, of a table
-@cindex yield, of a table
-@code{table}'s provide @emph{associative arrays}: mappings from one set of
-values to another.  The values being mapped are termed the @emph{index}
-(or @emph{indices}, if they come in groups of more than one)
-and the results of the mapping the @emph{yield}.
-
-Tables are quite powerful, and indexing them is very efficient,
-boiling down to a single hash table lookup.  So you should take advantage
-of them whenever appropriate.
-
-@menu
-* Declaring Tables::		
-* Initializing Tables::		
-* Table Attributes::		
-* Accessing Tables::		
-* Table Assignment::		
-* Deleting Table Elements::	
-@end menu
-
-@node Declaring Tables,
-@subsection Declaring Tables
-You declare tables using the following syntax:
-@quotation
-@code{table [} @emph{@math{type^+}} @code{] of} @emph{type}
-@end quotation
-@cindex scalars
-where @emph{@math{type^+}} is one or more types, separated by commas.
-
-The indices can be of the following @emph{scalar} types: @emph{numeric},
-@emph{temporal}, @emph{enumerations},
-@emph{string}, @emph{port}, @emph{addr}, or @emph{net}.
-The yield can be of any type.  So, for example:
-@example
-    global a: table[count] of string;
-@end example
-
-declares @code{a} to be a table indexed by a @code{count} value and
-yielding a @code{string} value, similar to a regular array in a
-language like C.  The yield type can also be more complex:
-@example
-    global a: table[count] of table[addr, port] of conn_id;
-@end example
-
-declares @code{a} to be a table indexed by @code{count} and
-yielding another table, which itself is indexed by an @code{addr}
-and a @code{port} to yield a  @code{conn_id} record.
-
-@cindex array, multi-dimensional
-@cindex multi-dimensional table
-This second example illustrates a @emph{multi-dimensional} table,
-one indexed not by a single value but by a @emph{tuple} of values.
-
-@node Initializing Tables,
-@subsection Initializing Tables
-You initialize tables by enclosing a set of initializers within braces.
-Each initializer looks like:
-@quotation
-@code{[} @emph{expr-list} @code{] =} @emph{expr}
-@end quotation
-where @emph{expr-list} is a comma-separated list of expressions
-corresponding to an index of the table (so, for a table indexed
-by @code{count}, for example, this would be a single expression
-of type @code{count}) and @emph{expr} is the yield value to 
-assign to that index.
-
-For example,
-@example
-    global a: table[count] of string = @{
-        [11] = "eleven",
-        [5] = "five",
-    @};
-@end example
-
-initializes the table @code{a} to have two elements, one indexed
-by @code{11} and yielding the string @code{"eleven"} and the other
-indexed by @code{5} and yielding the string @code{"five"}.
-(Note the comma after the last list element; it is optional,
-similar to how C allows final commas in declarations.)
-
-You can also group together a set of indices together to initialize
-them to the same value:
-@example
-    type HostType: enum @{ DeskTop, Server, Router @};
-    global a: table[addr] of HostType = @{
-        [[155.26.27.2, 155.26.27.8, 155.26.27.44]] = Server,
-    @};
-@end example
-
-is equivalent to:
-@example
-    type HostType: enum @{ DeskTop, Server, Router @};
-    global a: table[addr] of HostType = @{
-        [155.26.27.2] = Server,
-        [155.26.27.8] = Server,
-        [155.26.27.44] = Server,
-    @};
-@end example
-
-This mechanism also applies to 
-which can be used in table initializations for any indices of
-type @code{addr}.  For example, if @code{www.my-server.com} corresponded
-to the addresses 155.26.27.2 and 155.26.27.44, then the above
-could be written:
-@example
-    global a: table[addr] of HostType = @{
-        [[www.my-server.com, 155.26.27.8]] = Server,
-    @};
-@end example
-
-and if it corresponded to all there, then:
-@example
-    global a: table[addr] of HostType = @{
-        [www.my-server.com] = Server,
-    @};
-@end example
-
-You can also use multiple index groupings across different indices:
-@example
-    global access_allowed: table[addr, port] of bool = @{
-        [www.my-server.com, [21/tcp, 80/tcp]] = T,
-    @};
-@end example
-
-is equivalent to:
-@example
-    global access_allowed: table[addr, port] of bool = @{
-        [155.26.27.2, 21/tcp] = T,
-        [155.26.27.2, 80/tcp] = T,
-        [155.26.27.8, 21/tcp] = T,
-        [155.26.27.8, 80/tcp] = T,
-        [155.26.27.44, 21/tcp] = T,
-        [155.26.27.44, 80/tcp] = T,
-    @};
-@end example
-
-@emph{Fixme: add example of cross-product initialization of sets}
-
-@node Table Attributes,
-@subsection Table Attributes
-
-When declaring a table, you can specify a number of attributes
-that affect its operation:
-
-@table @samp
-
-@cindex default values
-
-@item @code{&default}
-Specifies a value to yield when an index does not appear in the table.
-Syntax:
-@quotation
-@code{&default = @emph{expr}}
-@end quotation
-@emph{expr} can have one of two forms.  If it's type is the same as
-the table's yield type, then @emph{expr} is evaluated and returned.
-@cindex dynamic defaults
-If it's type is a @code{function} with arguments whose types correspond
-left-to-right with the index types of the table, and which returns
-a type the same as the yield type, then that function is called with
-the indices that yielded the missing value to compute the default value.
-
-For example:
-@example
-    global a: table[count] of string &default = "nothing special";
-@end example
-
-will return the string @code{"nothing special"} anytime @code{a} is
-indexed with a @code{count} value that does not appear in @code{a}.
-
-A more dynamic example:
-@example
-    function nothing_special(): string
-        @{
-        if ( panic_mode )
-            return "look out!";
-        else
-            return "nothing special";
-        @}
-
-    global a: table[count] of string &default = nothing_special;
-@end example
-
-An example of using a function that computes using the index:
-@example
-    function make_pretty(c: count): string
-        @{
-        return fmt("**%d**", c);
-        @}
-
-    global a: table[count] of string &default = make_pretty;
-@end example
-
-@cindex memory management
-@cindex state management
-@cindex management, of state
-
-@item @code{&create_expire}
-Specifies that elements in the table should be @emph{automatically deleted} after a given amount of time has elapsed since they were
-first entered into the table.
-Syntax:
-@quotation
-@code{&create_expire = @emph{expr}}
-@end quotation
-where @emph{expr} is of type @code{interval}.
-
-@item @code{&read_expire}
-The same as @code{create_expire} except the element is deleted
-when the given amount of time has lapsed since the last time the
-element was accessed from the table.
-
-@item @code{&write_expire}
-The same as @code{&create_expire}  except the element is deleted
-when the given amount of time has lapsed since the last time the
-element was entered or modified in the table.
-
-@item @code{&expire_func}
-Specifies a function to call when an element is due for expression
-because of @command{&create_expire}, @command{&read_expire}, or @command{&write_expire}.
-Syntax:
-@quotation
-@code{&expire_func = @emph{expr}}
-@end quotation
-@emph{expr} must be a function that takes two arguments:
-the first one is a table with the same index and yield types as the
-associated table.  The second one is of type @code{any} and
-corresponds to the index(es) of the element being expired.
-The function must return an
-@code{interval} value.
-The @code{interval} indicates for how much longer the element should
-remain in the table; returning @code{0 secs} or a negative value instructs
-Bro to go ahead and delete the element.
-
-@emph{Deficiency: The use of an @code{any} type here is @emph{temporary} and will be changing in the future to a general @emph{tuple} notion. }
-
-@end table
-
-You specify multiple attributes by listing one after the other,
-@emph{without} commas between them:
-@example
-    global a: table[count] of string &default="foo" &write_expire=5sec;
-@end example
-
-Note that you can specify each type of attribute only once.  You can,
-however, specify more than one of 
-@command{&create_expire}, @command{&read_expire}, or @command{&write_expire}.
-In that case, whenever any of the corresponding timers expires, the element will
-be deleted.
-
-@node Accessing Tables,
-@subsection Accessing Tables
-As usual, you access the values in tables by indexing them with 
-a value (for a single index) or list of values (multiple indices)
-enclosed in @code{[]}'s.
-@cindex sub-tables, lack of
-@emph{Deficiency: Presently, when indexing a multi-dimensional table you must provide @emph{all} of the relevant indices; you can't leave one out in order to extract a sub-table. }
-
-You can also index arrays using @code{record}'s, providing the
-record is comprised of values whose types match that of the table's
-indices.  (Any record fields whose types are themselves records
-are recursively unpacked to effect this matching.)  For example,
-if we have:
-@example
-    local b: table[addr, port] of conn_id;
-    local c = 131.243.1.10;
-    local d = 80/tcp;
-@end example
-
-then we could index @code{b} using @code{b[c, d]}, but if we had:
-@example
-    local e = [$field1 = c, $field2 = d];
-@end example
-
-we could also index it using @code{a[d]}
-
-You can test whether a table holds a given index using
-the @code{in} operator:
-@example
-    [131.243.1.10, 80/tcp] in b
-@end example
-
-or
-@example
-    e in b
-@end example
-
-per the examples above.  In addition, if the table has only
-a single index (not multi-dimensional), then you can omit
-the @code{[]}'s:
-@example
-    local active_connections: table[addr] of conn_id;
-    ...
-    if ( 131.243.1.10 in active_connections )
-        ...
-@end example
-
-@node Table Assignment,
-@subsection Table Assignment
-An indexed table can be the target of an assignment:
-@example
-    b[131.243.1.10, 80/tcp] = c$id;
-@end example
-
-You can also assign to an entire table.  For example, suppose we
-have the global:
-@example
-    global active_conn_count: table[addr, port] of count;
-@end example
-
-@cindex tables, clearing entries
-then we could later clear the contents of the table using:
-@example
-    local empty_table: table[addr, port] of count;
-    active_conn_count = empty_table;
-@end example
-
-Here the first statement declares a local variable @code{empty_table}
-with the same type as @code{active_conn_count}.  Since we don't
-initialize the table, it starts out empty.  Assigning it to
-@code{active_conn_count} then replaces the value of @code{active_conn_count}
-with an empty table.
-@cindex copy, shallow vs. deep
-@cindex shallow copy
-@cindex deep copy
-Note: As with @code{record}'s, assigning @code{table} values results
-in a @emph{shallow copy}. For @emph{deep copies}, use the clone operator ``copy()''
-explained in @ref{Expressions}.
-
-In addition to directly accessing an element of a table by specifying
-its index, you can also loop over all of the indices in a table
-using the  statement.
-
-@node Deleting Table Elements,
-@subsection Deleting Table Elements
-You can remove an individual element from a table using the
- statement:
-@example
-    delete active_host[c$id];
-@end example
-
-will remove the element in @code{active_host} corresponding to
-the connection identifier @code{c$id} (which is a @command{&conn_id} record).
-If the element isn't present, nothing happens.
-
-@cindex tables
-
-@node Sets,
-@section Sets
-
-@cindex set type
-Sets are very similar to tables.  The principle difference is that they are
-simply a collection of indices; they don't yield any values.
-You declare tables using the following syntax:
-@quotation
-@code{set [} @emph{@math{type^+}} @code{]}
-@end quotation
-where, as with @code{table}s,
-@emph{@math{type^+}} is one or more scalar types (or records), separated by commas.
-
-You initialize sets listing their elements in braces:
-@example
-    global a = @{ 21/tcp, 23/tcp, 80/tcp, 443/tcp @};
-@end example
-
-which implicitly types @code{a} as a @code{set[port]} and then
-initializes it to contain the given 4 @code{port} values.
-
-For multiple indices, you enclose each set of indices in brackets:
-@example
-    global b = @{ [21/tcp, "ftp"], [23/tcp, "telnet"], @};
-@end example
-
-which implicitly @code{b} as @code{set[port, string]} and then
-initializes it to contain the given two elements.  (As with tables,
-the comma after the last element is optional.)
-
-As with tables, you can group together sets of indices:
-@example
-    global c = @{ [21/tcp, "ftp"], [[80/tcp, 8000/tcp, 8080/tcp], "http"], @};
-@end example
-
-initializes @code{c} to contain 4 elements.
-
-Also as with tables, you can use the
-@command{&create_expire}, @command{&read_expire}, and @command{&write_expire}
-attributes to control the automatic expiration of elements in a set.
-@emph{Deficiency: However, the  attribute is not currently supported. }
-
-You can test for whether a particular member is in a set using
-the add elements using the @code{add} statement:
-@example
-    add c[443/tcp, "https"];
-@end example
-
-and can remove them using the @code{delete} statement:
-@example
-    delete c[21/tcp, "ftp"];
-@end example
-
-Also, as with tables, you can assign to the entire set, which assigns
-a 
-
-Finally, as with tables, you can loop over all of the indices in a set
-using the  statement.
-
-@cindex set type
-
-@node Files,
-@section Files
-
-@cindex file type
-@emph{Deficiency: Bro currently supports only a very simple notion of files. You can only write to files, you can't read from them: and files are essentially untyped---the only values you can write to them are @code{string}'s or values that can be converted to @code{string}.}
-
-You declare @code{file} variables simply as type @code{file}:
-@example
-    global f: file;
-@end example
-
-You can create values of type @code{file} by using the 
-function:
-@example
-    f = open("suspicious_info.log");
-@end example
-
-will create (or recreate, if it already exists) the file
-@emph{suspicious_info.log} and open it for writing.  You can also use
- to append to an existing file (or create
-a new one, if it doesn't exist).
-
-You write to files using the @code{print} statement:
-@example
-    print f, 5 * 6;
-@end example
-
-will print the text @code{30} to the file corresponding to the value of @code{f}.
-
-There is no restriction regarding how many files you can have open at a
-given time.  In particular, even if your system has a limit imposed by
-RLIMIT_NOFILE as set by the system call  @code{setrlimit}.
-If, however, you want to to close a file, you can do so using @code{close},
-and you can test whether a file is open using @code{active-file}.
-
-Finally, you can control whether a file is buffered using @code{set-buf},
-and can flush the buffers of all open files using @code{flush-all}.
-
-@cindex file type
-
-@node Functions,
-@section Functions
-
-@cindex functions
-@cindex function type
-You declare a Bro @code{function} type using:
-@quotation
-@code{function(} @emph{argument*} @code{)} @code{:} @emph{type}
-@end quotation
-where @emph{argument} is a (possibly empty)
-comma-separated list of arguments, and the final
-``@code{:} @emph{type}'' declares the return type of the function.
-It is optional; if missing, then the function does not return a value.
-
-Each argument is declared using:
-@quotation
-@emph{param-name} @code{:} @emph{type}
-@end quotation
-
-So, for example:
-@example
-    function(a: addr, p: port): string
-@end example
-
-corresponds to a function that takes two parameters, @code{a} of type
-@code{addr} and @code{p} of type @code{port}, and returns a value of
-type @code{string}.
-
-You could furthermore declare:
-@example
-    global generate_id: function(a: addr, p: port): string;
-@end example
-
-to define @code{generate_id} as a variable of this type.  Note that
-the declaration does @emph{not} define the body of the function,
-and, indeed, @code{generate_id} could have different function bodies
-at different times, by assigning different function values to it.
-
-When defining a function including its body, the syntax is slightly different:
-
-@example
-function @emph{func-name} ( @emph{argument*} ) [ : type ] @{ @emph{statement*} @}
-@end example
-
-That is, you introduce @emph{func-name}, the name of the function, between
-the keyword @code{function} and the opening parenthesis of the argument
-list, and you list the statements of the function within braces at the end.
-
-For the previous example, we could define its body using:
-@example
-    function generate_id(a: addr, p: port): string
-        @{
-        if ( a in local_servers )
-            # Ignore port, they're always the same.
-            return fmt("server %s", a);
-
-        if ( p < 1024/tcp )
-            # Privileged port, flag it.
-            return fmt("%s/priv-%s", a, p);
-
-        # Nothing special - default formatting.
-        return fmt("%s/%s", a, p);
-        @}
-@end example
-
-We also could have omitted the first definition; a function definition
-like the one immediately above automatically defines @code{generate_id}
-as a function of type @code{function(a: addr, p: port): string}.  Note
-@cindex redefining functions
-@cindex functions, redefining
-though that if @emph{func-name} was indeed already declared, then the
-argument list much match @emph{exactly} that of the previous definition.
-This includes the names of the arguments; @emph{Unlike in C}, you cannot change
-the argument names between their first (forward) definition and the
-full definition of the function.
-
-You can also define functions without using any name.  These are
-referred to as are a type of expression.
-
-You can only do two things with functions: 
-or assign them.  As an example of the latter, suppose we have:
-@example
-    local id_funcs: table[conn_id] of function(p: port, a: addr): string;
-@end example
-
-would declare a local variable indexed by a
-
-same type as in the previous example.  You could then execute:
-@example
-    id_funcs[c$id] = generate_id
-@end example
-
-or call whatever function is associated with a given @code{conn_id}:
-@example
-    print fmt("id is: %s", id_funcs[c$id](80/tcp, 1.2.3.4));
-@end example
-
-@cindex function type
-@cindex functions
-
-@node Event handlers,
-@section Event handlers
-
-@cindex event type
-
-Event handlers are nearly identical in both syntax and semantics
-to functions, with the two differences being that event handlers
-have no return type since they never return a value, and you cannot
-call an event handler.  You declare an event handler using:
-@quotation
-@code{event (} @emph{argument*} @code{)}
-@end quotation
-So, for example,
-@example
-    local eh: event(attack_source: addr, severity: count)
-@end example
-
-declares the local variable @code{eh} to have a type corresponding
-to an event handler that takes two arguments, @code{attack_source} of
-type @code{addr}, and @code{severity} of type @code{count}.
-
-To declare an event handler along with its body, the syntax is:
-@quotation
-@code{event} @emph{handler} @code{(} @emph{argument} @code{)} @code{@{} @emph{statement} @code{@}}
-@end quotation
-
-As with functions, you can assign event handlers to variables of the
-same type.  Instead of calling event handlers like functions, though,
-@cindex event handler, invocation
-@cindex invoking event handlers
-instead they are @emph{invoked}.  This can happen in one of three ways:
-@table @samp
-@cindex event engine
-
-@item From the event engine
-When the event engine detects an event for which you have defined a
-corresponding event handler, it queues an event for that handler.  The
-handler is invoked as soon as the event engine finishes processing the
-current packet (and invoking any other event handlers that were queued
-first).  The various event handlers known to the event engine are discussed
-in Chapter N .
-
-@item Via the @code{event} statement
-The @code{event} statement queues an event for the given event handler
-for immediate processing.  For example:
-@example
-    event password_exposed(c, user, password);
-@end example
-
-queues an invocation of the event handler @code{password_exposed} with
-the arguments @code{c}, @code{user}, and @code{password}.  Note that
-@code{password_exposed} must have been previously declared as an event
-handler with a compatible set of arguments.
-
-Or, if we had a local variable @code{eh} as defined above, we could execute:
-@example
-    event eh(src, how_severe);
-@end example
-
-if @code{src} is of type @code{addr} and @code{how_severe} of type @code{count}.
-
-@item Via the @code{schedule} expression
-The  expression queues an event for future invocation.
-For example:
-@example
-    schedule 5 secs @{ password_exposed(c, user, password) @};
-@end example
-
-would cause @code{password_exposed} to be invoked 5 seconds in the future.
-
-@end table
-
-@cindex event type
-@cindex event handlers
-
-@node any type,
-@section The @code{any} type
-
-@cindex any type``any'' type
-The @code{any} type is a type used internally by Bro to bypass strong
-typing.  For example, the  function takes arguments
-of type @code{any}, because its arguments can be of different types,
-and of variable length.  However, the @code{any} type is not supported
-@cindex casting, not provided in Bro
-@cindex type casting, not provided in Bro
-for use by the user; while Bro lets you declare variables of type @code{any},
-it does not allow assignment to them.
-@cindex possible future changes, use of any type for bypassing strong typing
-This may change in the future.  Note, though, that you can achieve
-some of the same effect using @code{record} values with @code{&optional}
-fields.
-
-@cindex any type``any'' type
-
diff --git a/doc/ref-manual/vars.texi b/doc/ref-manual/vars.texi
deleted file mode 100644
index c7ed8223ec..0000000000
--- a/doc/ref-manual/vars.texi
+++ /dev/null
@@ -1,294 +0,0 @@
-
-@node Global and Local Variables
-@chapter Global and Local Variables
-
-@menu
-* Variables Overview::			
-@end menu
-
-@node Variables Overview,
-@section Variables Overview
-
-@cindex variables, overview
-
-Bro variables can be complicated to understand because they have
-a number of possibilities and features.  They can be
-global or local in scope;
-modifiable or constant (unchangeable);
-explicitly or implicitly typed;
-optionally initialized;
-defined to have additional 
-@emph{attributes};
-and, for global variables,
-@emph{redefined} to have a different
-initialization or different attributes from their first declaration.
-
-Rather than giving the full syntax for variable declarations, which
-is messy, in the following sections we discuss each of these facets
-of variables in turn, illustrating them with the minimal necessary
-syntax.  However, keep in mind that the features can be combined
-as needed in a variable declaration.
-
-@menu
-* Scope::			
-* Assignment & call semantics::
-* Modifiability::		
-* Typing::			
-* Initialization::		
-* Attributes::			
-* Refinement::			
-@end menu
-
-@node Scope,
-@subsection Scope
-
-@cindex variables, scoping
-@cindex scoping of variables
-@cindex global variables
-@cindex local variables
-@emph{Global} variables are available throughout your policy script (once
-declared), while the scope of @emph{local} variables is confined to the
-function or event handler in which they're declared.  You indicate the
-variable's type using a corresponding keyword:
-@quotation
-@code{global} @emph{name} @code{:} @emph{type} @code{;}
-@end quotation
-or
-@quotation
-@code{local} @emph{name} @code{:} @emph{type} @code{;}
-@end quotation
-which declares @emph{name} to have the given type and the corresponding
-scope.
-
-You can intermix function/event handler definitions with declarations
-of global variables, and, indeed, they're in fact the same thing (that
-is, a function or event handler definition is equivalent to defining
-a global variable of type @code{function} or @code{event} and associating
-its initial value with that of the function or event handler).  So
-the following is fine:
-@example
-    global a: count;
-
-    function b(p: port): string
-        @{
-        if ( p < 1024/tcp )
-            return "privileged";
-        else
-            return "ephemeral";
-        @}
-
-    global c: addr;
-@end example
-
-However, you cannot mix declarations of global variables with
-global statements; the following is not allowed:
-@example
-    print "hello, world";
-    global a: count;
-@end example
-
-Local variables, on the other hand, can @emph{only} be declared within a
-function or event handler.  (Unlike for global statements, these declarations
-@emph{can} come after statements.)  Their scope persists to the end of
-the function.  For example:
-@example
-    function b(p: port): string
-        @{
-        if ( p < 1024/tcp )
-            local port_type = "privileged";
-        else
-            port_type = "ephemeral";
-
-        return port_type;
-        @}
-@end example
-
-@node Assignment & call semantics,
-@subsection Assignment & call semantics
-
-@cindex call semantics
-@cindex call by reference
-@cindex call by value
-@cindex assignment semantics
-@cindex aggregated types
-
-Assignments of aggregate types (such as records, tables, or vectors) are
-always @emph{shallow}, that is, they are performed @emph{by reference}.
-So when you assign a record or table value to another variable, any modifications
-you make to members become visible in both variables (see also
-@ref{Record Assignment}, @ref{Table Assignment}).
-
-The same holds for function calls: an aggregate value passed into a function
-is passed by reference, thus any modifications made to the value inside the
-function remain effective after the function returns.
- 
-@cindex reference counting
-@cindex shallow copy
-@cindex deep copy
-It is important to be aware of the fact that events triggered using the
-@code{event} statement remain on the event queue until they are processed,
-and that any aggregate values passed as arguments to @code{event} can be modified
-at any time before the event handlers are executed. If this is not desirable,
-you have to copy the values before passing them to @code{event}. The model that applies
-here is one of @emph{reference counting}, not local scope or deep copying.
-If deep copies are desirable, use the clone operator ``copy()'' explained in
-@ref{Expressions}.
-
-Therefore, if an event handler triggering a new event modifies the arguments
-after the @code{event} statement, these changes will be visible inside the event
-handlers running later. This also affects the lifetime of a value. If an aggregate
-is for example stored in a table and referenced nowhere else, then retrieved and
-passed to an @code{event} statement, and removed from the table before the
-event handlers execute, it does remain in existence until the event handlers
-are executed.
-
-Furthermore, if multiple event handlers exist for a single event type, any changes
-to the arguments made by an event handler will be visible in other
-event handlers still to follow.
-
-@node Modifiability,
-@subsection Modifiability
-
-@cindex variables, modifiability
-@cindex modifiability of variables
-For both global and local variables, you can declare that the
-variable @emph{cannot be modified} by declaring it using the const
-keyword rather than global or local:
-@example
-    const response_script = "./scripts/nuke-em";
-@end example
-
-Note that @code{const} variables @emph{must} be initialized (otherwise,
-of course, there's no way for them to ever hold a useful value).
-
-The utility of marking a variable as unmodifiable is for clarity
-in expressing your script---making it explicit that a particular value
-will never change---and also allows Bro to possibly optimize accesses
-to the variable (though it does little of this currently).
-
-Note that const variables @emph{can} be redefined via
-redef.
-
-@node Typing,
-@subsection Typing
-
-@cindex variables, typing
-@cindex typing of variables
-@cindex implicit typing
-@cindex explicit typing
-When you define a variable, you can @emph{explicitly} type it by
-specifying its type after a colon.  For example,
-@example
-    global a: count;
-@end example
-
-directly indicates that a's type is @code{count}.
-
-However, Bro can also @emph{implicitly} type the variable by looking
-at the type of the expression you use to initialize the variable:
-@example
-    global a = 5;
-@end example
-
-also declares a's type to be @code{count}, since that's
-the type of the initialization expression (the constant 5).
-There is no difference between this declaration and:
-@example
-    global a: count = 5;
-@end example
-
-except that it is more concise both to write and to read.  In particular,
-Bro remains @emph{strongly} typed, even though it also supports @emph{implicit}
-typing; the key is that once the type is implicitly inferred, it is thereafter
-strongly enforced.
-
-@cindex type inference
-@cindex inferring types
-Bro's @emph{type inference} is fairly powerful: it can generally figure
-out the type whatever initialization expression you use.  For example,
-it correctly infers that:
-@example
-    global c = @{ [21/tcp, "ftp"], [[80/tcp, 8000/tcp, 8080/tcp], "http"], @};
-@end example
-
-specifies that c's type is set[port, string].  But for still
-more complicated expressions, it is not always able to infer the correct
-type.  When this occurs, you need to explicitly specify the type.
-
-@node Initialization,
-@subsection Initialization
-
-@cindex variables, initialization
-@cindex initialization of variables
-When defining a variable, you can optionally specify an initial
-value for the variable:
-@example
-    global a = 5;
-@end example
-
-indicates that the initial value of @code{a} is the value @code{5}
-(and also implicitly types a as type count, per @ref{Typing}).
-
-The syntax of an initialization is ``= @emph{expression}'', where
-the given expression must be assignment-compatible with the variable's
-type (if explicitly given).  Tables and sets also have special initializer
-forms, which are discussed in @ref{Initializing Tables} and @ref{Sets}.
-
-@node Attributes,
-@subsection Attributes
-
-@cindex variables, attributes
-@cindex attributes
-
-When defining a variable, you can optionally specify a set of
-@emph{attributes} associated with the variable, which specify
-additional properties associated with it.  Attributes have two forms:
-@quotation
-@code{&} @emph{attr}
-@end quotation
-for attributes that are specified simply using their name, and
-@quotation
-@code{&} @emph{attr} @code{=} @emph{expr}
-@end quotation
-for attributes that have a value associated with them.
-
-The attributes
-@code{&redef}
-@code{&add_func}
-and
-@code{&delete_func},
-pertain to redefining variables; they are discussed in @ref{Refinement}.
-
-The attributes
-@code{&default},
-@code{&create_expire},
-@code{&read_expire},
-@code{&write_expire}, and
-@code{&expire_func}
-are for use with table's and set's.
-See @ref{Table Attributes} for discussion.
-
-The attribute
-@code{&optional}
-specifies that a @code{record} field is optional.  See 
-for discussion.
-
-Finally, to specify multiple attributes, you do @emph{not} separate them
-with commas (doing so would actually make Bro's grammar ambiguous), but
-just list them one after another.  For example:
-@example
-    global a: table[port] of string &redef &default="missing";
-@end example
-
-@node Refinement,
-@subsection Refinement
-
-@cindex variables, redefining
-@cindex variables, refinement
-@cindex refinement
-@cindex redefining variables
-
-To do:
-&redef @*
-&add func @*
-&delete func 
diff --git a/doc/scripts/CMakeLists.txt b/doc/scripts/CMakeLists.txt
new file mode 100644
index 0000000000..582676a9b3
--- /dev/null
+++ b/doc/scripts/CMakeLists.txt
@@ -0,0 +1,264 @@
+set(POLICY_SRC_DIR ${PROJECT_SOURCE_DIR}/policy)
+set(BIF_SRC_DIR ${PROJECT_SOURCE_DIR}/src)
+set(RST_OUTPUT_DIR ${CMAKE_CURRENT_BINARY_DIR}/rest_output)
+set(DOC_OUTPUT_DIR ${CMAKE_CURRENT_BINARY_DIR}/out)
+set(DOC_SOURCE_DIR ${CMAKE_CURRENT_SOURCE_DIR}/source)
+set(DOC_SOURCE_WORKDIR ${CMAKE_CURRENT_BINARY_DIR}/source)
+
+file(GLOB_RECURSE DOC_SOURCES FOLLOW_SYMLINKS "*")
+
+# configure the Sphinx config file (expand variables CMake might know about)
+configure_file(${CMAKE_CURRENT_SOURCE_DIR}/conf.py.in
+               ${CMAKE_CURRENT_BINARY_DIR}/conf.py
+               @ONLY)
+
+# find out what BROPATH to use when executing bro
+execute_process(COMMAND ${CMAKE_BINARY_DIR}/bro-path-dev
+                OUTPUT_VARIABLE BROPATH
+                RESULT_VARIABLE retval
+                OUTPUT_STRIP_TRAILING_WHITESPACE)
+if (NOT ${retval} EQUAL 0)
+    message(FATAL_ERROR "Problem setting BROPATH")
+endif ()
+
+# This macro is used to add a new makefile target for reST policy script
+# documentation that can be generated using Bro itself to parse policy scripts.
+# It's called like:
+#
+#     rest_target(srcDir broInput [group])
+#
+# srcDir: the directory which contains broInput
+# broInput: the file name of a bro policy script
+# group: optional name of group that the script documentation will belong to
+#
+# In addition to adding the makefile target, several CMake variables are set:
+#
+# MASTER_POLICY_INDEX_TEXT: a running list of policy scripts docs that have
+#   been generated so far, formatted such that it can be appended to a file
+#   that ends in a Sphinx toctree directive
+# ALL_REST_OUTPUTS: a running list (the CMake list type) of all reST docs
+#   that are to be generated
+# MASTER_GROUP_LIST: a running list (the CMake list type) of all script groups
+# ${group}_files: a running list of files belonging to a given group, from
+#   which summary text can be extracted at build time
+# ${group}_doc_names: a running list of reST style document names that can be
+#   given to a :doc: role, shared indices with ${group}_files
+#
+macro(REST_TARGET srcDir broInput)
+    get_filename_component(basename ${broInput} NAME_WE)
+    get_filename_component(extension ${broInput} EXT)
+    get_filename_component(relDstDir ${broInput} PATH)
+
+    set(sumTextSrc ${srcDir}/${broInput})
+    if (${extension} STREQUAL ".bif.bro")
+        set(basename "${basename}.bif")
+        # the summary text is taken at configure time, but .bif.bro files
+        # may not have been generated yet, so read .bif file instead
+        set(sumTextSrc ${BIF_SRC_DIR}/${basename})
+    elseif (${extension} STREQUAL ".init")
+        set(basename "${basename}.init")
+    endif ()
+
+    set (restFile "${basename}.rst")
+
+    if (NOT relDstDir)
+        set(docName "${basename}")
+        set(dstDir "${RST_OUTPUT_DIR}")
+    else ()
+        set(docName "${relDstDir}/${basename}")
+        set(dstDir "${RST_OUTPUT_DIR}/${relDstDir}")
+    endif ()
+
+    set(restOutput "${dstDir}/${restFile}")
+
+    set(indexEntry "   ${docName} <${docName}>")
+    set(MASTER_POLICY_INDEX_TEXT "${MASTER_POLICY_INDEX_TEXT}\n${indexEntry}")
+    list(APPEND ALL_REST_OUTPUTS ${restOutput})
+
+    if (NOT "${ARGN}" STREQUAL "")
+        set(group ${ARGN})
+        # add group to master group list if not already in it
+        list(FIND MASTER_GROUP_LIST ${group} _found)
+        if (_found EQUAL -1)
+            list(APPEND MASTER_GROUP_LIST ${group})
+            if (MASTER_GROUP_LIST_TEXT)
+               set(MASTER_GROUP_LIST_TEXT "${MASTER_GROUP_LIST_TEXT}\n${group}")
+            else ()
+               set(MASTER_GROUP_LIST_TEXT "${group}")
+            endif ()
+        endif ()
+
+        list(APPEND ${group}_files ${sumTextSrc})
+        list(APPEND ${group}_doc_names ${docName})
+    else ()
+        set(group "")
+    endif ()
+
+    if (${group} STREQUAL "default" OR ${group} STREQUAL "bifs")
+        set(BRO_ARGS --doc-scripts --exec '')
+    else ()
+        set(BRO_ARGS --doc-scripts ${srcDir}/${broInput})
+    endif ()
+
+    add_custom_command(OUTPUT ${restOutput}
+        # delete any leftover state from previous bro runs
+        COMMAND "${CMAKE_COMMAND}"
+        ARGS -E remove_directory .state
+        # generate the reST documentation using bro
+        COMMAND BROPATH=${BROPATH} ${CMAKE_BINARY_DIR}/src/bro
+        ARGS ${BRO_ARGS} || (rm -rf .state *.log *.rst && exit 1)
+        # move generated doc into a new directory tree that
+        # defines the final structure of documents
+        COMMAND "${CMAKE_COMMAND}"
+        ARGS -E make_directory ${dstDir}
+        COMMAND "${CMAKE_COMMAND}"
+        ARGS -E copy ${restFile} ${restOutput}
+        # copy the bro policy script, too
+        COMMAND "${CMAKE_COMMAND}"
+        ARGS -E copy ${srcDir}/${broInput} ${dstDir}
+        # clean up the build directory
+        COMMAND rm
+        ARGS -rf .state *.log *.rst
+        DEPENDS bro
+        DEPENDS ${srcDir}/${broInput}
+        COMMENT "[Bro] Generating reST docs for ${broInput}"
+    )
+
+endmacro(REST_TARGET)
+
+# Schedule Bro scripts for which to generate documentation.
+# Note: the script may be located in a subdirectory off of one of the main
+# directories in BROPATH.  In that case, just list the script as 'foo/bar.bro'
+rest_target(${POLICY_SRC_DIR} alarm.bro                         user)
+rest_target(${POLICY_SRC_DIR} arp.bro                           user)
+rest_target(${POLICY_SRC_DIR} conn.bro                          user)
+rest_target(${POLICY_SRC_DIR} dhcp.bro                          user)
+rest_target(${POLICY_SRC_DIR} dns.bro                           user)
+rest_target(${POLICY_SRC_DIR} ftp.bro                           user)
+rest_target(${POLICY_SRC_DIR} http.bro                          user)
+rest_target(${POLICY_SRC_DIR} http-reply.bro                    user)
+rest_target(${POLICY_SRC_DIR} http-request.bro                  user)
+rest_target(${POLICY_SRC_DIR} irc.bro                           user)
+rest_target(${POLICY_SRC_DIR} smtp.bro                          user)
+rest_target(${POLICY_SRC_DIR} ssl.bro                           user)
+rest_target(${POLICY_SRC_DIR} ssl-ciphers.bro                   user)
+rest_target(${POLICY_SRC_DIR} ssl-errors.bro                    user)
+rest_target(${POLICY_SRC_DIR} synflood.bro                      user)
+rest_target(${POLICY_SRC_DIR} tcp.bro                           user)
+rest_target(${POLICY_SRC_DIR} udp.bro                           user)
+rest_target(${POLICY_SRC_DIR} weird.bro                         user)
+rest_target(${CMAKE_CURRENT_SOURCE_DIR} example.bro             internal)
+
+# Finding out what scripts bro will generate documentation for by default
+# can be done like: `bro --doc-scripts --exec ""`
+rest_target(${POLICY_SRC_DIR} bro.init                          default)
+rest_target(${POLICY_SRC_DIR} logging-ascii.bro                 default)
+rest_target(${POLICY_SRC_DIR} logging.bro                       default)
+rest_target(${POLICY_SRC_DIR} pcap.bro                          default)
+rest_target(${POLICY_SRC_DIR} server-ports.bro                  default)
+rest_target(${CMAKE_BINARY_DIR}/src bro.bif.bro                 bifs)
+rest_target(${CMAKE_BINARY_DIR}/src const.bif.bro               bifs)
+rest_target(${CMAKE_BINARY_DIR}/src event.bif.bro               bifs)
+rest_target(${CMAKE_BINARY_DIR}/src logging.bif.bro             bifs)
+rest_target(${CMAKE_BINARY_DIR}/src strings.bif.bro             bifs)
+rest_target(${CMAKE_BINARY_DIR}/src types.bif.bro               bifs)
+
+# create temporary list of all docs to include in the master policy/index file
+file(WRITE ${CMAKE_CURRENT_BINARY_DIR}/tmp_policy_index
+    "${MASTER_POLICY_INDEX_TEXT}")
+
+# create temporary file containing list of all groups
+file(WRITE ${CMAKE_CURRENT_BINARY_DIR}/group_list
+    "${MASTER_GROUP_LIST_TEXT}")
+
+# create temporary files containing list of each source file in a given group
+foreach (group ${MASTER_GROUP_LIST})
+    if (EXISTS ${CMAKE_CURRENT_BINARY_DIR}/${group}_files)
+        file(REMOVE ${CMAKE_CURRENT_BINARY_DIR}/${group}_files)
+    endif ()
+    if (EXISTS ${CMAKE_CURRENT_BINARY_DIR}/${group}_doc_names)
+        file(REMOVE ${CMAKE_CURRENT_BINARY_DIR}/${group}_doc_names)
+    endif ()
+    foreach (src ${${group}_files})
+        file(APPEND ${CMAKE_CURRENT_BINARY_DIR}/${group}_files "${src}\n")
+    endforeach ()
+    foreach (dname ${${group}_doc_names})
+        file(APPEND ${CMAKE_CURRENT_BINARY_DIR}/${group}_doc_names "${dname}\n")
+    endforeach ()
+endforeach ()
+
+# remove previously generated docs no longer scheduled for generation
+if (EXISTS ${RST_OUTPUT_DIR})
+    file(GLOB_RECURSE EXISTING_REST_DOCS "${RST_OUTPUT_DIR}/*.rst")
+    foreach (_doc ${EXISTING_REST_DOCS})
+        list(FIND ALL_REST_OUTPUTS ${_doc} _found)
+        if (_found EQUAL -1)
+            file(REMOVE ${_doc})
+            message(STATUS "Removing stale reST doc: ${_doc}")
+        endif ()
+    endforeach ()
+endif ()
+
+# The "restdoc" target uses Bro to parse policy scripts in order to
+# generate reST documentation from them.
+add_custom_target(restdoc
+                  # create symlink to the reST output directory for convenience
+                  COMMAND "${CMAKE_COMMAND}" -E create_symlink
+                          ${RST_OUTPUT_DIR}
+                          ${CMAKE_BINARY_DIR}/reST
+                  DEPENDS ${ALL_REST_OUTPUTS})
+
+# The "restclean" target removes all generated reST documentation from the
+# build directory.
+add_custom_target(restclean
+                  COMMAND "${CMAKE_COMMAND}" -E remove_directory
+                          ${RST_OUTPUT_DIR}
+                  VERBATIM)
+
+# The "doc" target generates reST documentation for any outdated bro scripts
+# and then uses Sphinx to generate HTML documentation from the reST
+add_custom_target(doc
+                  # copy the template documentation to the build directory
+                  # to give as input for sphinx
+                  COMMAND "${CMAKE_COMMAND}" -E copy_directory
+                          ${DOC_SOURCE_DIR}
+                          ${DOC_SOURCE_WORKDIR}
+                  # copy generated policy script documentation into the
+                  # working copy of the template documentation
+                  COMMAND "${CMAKE_COMMAND}" -E copy_directory
+                          ${RST_OUTPUT_DIR}
+                          ${DOC_SOURCE_WORKDIR}/policy
+                  # append to the master index of all policy scripts
+                  COMMAND cat ${CMAKE_CURRENT_BINARY_DIR}/tmp_policy_index >>
+                          ${DOC_SOURCE_WORKDIR}/policy/index.rst
+                  # construct a reST file for each group
+                  COMMAND ${CMAKE_CURRENT_SOURCE_DIR}/group_index_generator.py
+                          ${CMAKE_CURRENT_BINARY_DIR}/group_list
+                          ${CMAKE_CURRENT_BINARY_DIR}
+                          ${DOC_SOURCE_WORKDIR}
+                  # tell sphinx to generate html
+                  COMMAND sphinx-build
+                          -b html
+                          -c ${CMAKE_CURRENT_BINARY_DIR}
+                          -d ${DOC_OUTPUT_DIR}/doctrees
+                          ${DOC_SOURCE_WORKDIR}
+                          ${DOC_OUTPUT_DIR}/html
+                  # create symlink to the html output directory for convenience
+                  COMMAND "${CMAKE_COMMAND}" -E create_symlink
+                          ${DOC_OUTPUT_DIR}/html
+                          ${CMAKE_BINARY_DIR}/html
+                  WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}
+                  COMMENT "[Sphinx] Generating HTML policy script docs"
+                  # SOURCES just adds stuff to IDE projects as a convienience
+                  SOURCES ${DOC_SOURCES})
+
+# The "docclean" target removes just the Sphinx input/output directories
+# from the build directory.
+add_custom_target(docclean
+                  COMMAND "${CMAKE_COMMAND}" -E remove_directory
+                          ${DOC_SOURCE_WORKDIR}
+                  COMMAND "${CMAKE_COMMAND}" -E remove_directory
+                          ${DOC_OUTPUT_DIR}
+                  VERBATIM)
+
+add_dependencies(doc docclean restdoc)
diff --git a/doc/scripts/README b/doc/scripts/README
new file mode 100644
index 0000000000..85496322d9
--- /dev/null
+++ b/doc/scripts/README
@@ -0,0 +1,61 @@
+This directory contains scripts and templates that can be used to automate
+the generation of Bro script documentation.  Several build targets are defined
+by CMake:
+
+``restdoc``
+
+    This target uses Bro to parse policy scripts in order to generate
+    reStructuredText (reST) documentation from them.  The list of scripts
+    for which to generate reST documentation is defined in the
+    ``CMakeLists.txt`` file in this directory.  Script documentation is
+    rebuild automatically if the policy script from which it is derived
+    or the Bro binary becomes out of date
+
+    The resulting output from this target can be found in the CMake
+    ``build/`` directory inside ``reST`` (a symlink to
+    ``doc/scripts/rest_output``).
+
+``doc``
+
+    This target depends on a Python interpreter (>=2.5) and
+    `Sphinx <http://sphinx.pocoo.org/>`_ being installed.  Sphinx can be
+    installed like::
+
+        > sudo easy_install sphinx
+
+    This target will first build ``restdoc`` target and then copy the
+    resulting reST files as an input directory to Sphinx.
+
+    After completion, HTML documentation can be located in the CMake
+    ``build/`` directory inside ``html`` (a symlink to
+    ``doc/scripts/out/html``)
+
+``restclean``
+
+    This target removes any reST documentation that has been generated so far.
+
+``docclean``
+
+    This target removes Sphinx inputs and outputs from the CMake ``build/`` dir.
+
+To schedule a script to be documented, edit ``CMakeLists.txt`` inside this
+directory add a call to the ``rest_target()`` macro.  Calling that macro
+with a group name for the script is optional, but if not given, the only
+link to the script will be in the master TOC tree for all policy scripts.
+
+When adding a new logical grouping for generated scripts, create a new
+reST document in ``source/<group_name>.rst`` and add some default
+documentation for the group.  References to (and summaries of) documents
+associated with the group get appended to this file during the
+``make doc`` process.
+
+The Sphinx source tree template in ``source/`` can be modified to add more
+common/general documentation, style sheets, JavaScript, etc.  The Sphinx
+config file is produced from ``conf.py.in``, so that can be edited to change
+various Sphinx options, like setting the default HTML rendering theme.
+There is also a custom Sphinx domain implemented in ``source/ext/bro.py``
+which adds some reST directives and roles that aid in generating useful
+index entries and cross-references.
+
+See ``example.bro`` for an example of how to document a Bro script such that
+``make doc`` will be able to produce reST/HTML documentation for it.
diff --git a/doc/scripts/conf.py.in b/doc/scripts/conf.py.in
new file mode 100644
index 0000000000..67e06abfb3
--- /dev/null
+++ b/doc/scripts/conf.py.in
@@ -0,0 +1,215 @@
+# -*- coding: utf-8 -*-
+#
+# Bro documentation build configuration file, created by sphinx-quickstart
+#
+# This file is execfile()d with the current directory set to its containing dir.
+#
+# Note that not all possible configuration values are present in this
+# autogenerated file.
+#
+# All configuration values have a default; values that are commented out
+# serve to show the default.
+
+import sys, os
+
+# If extensions (or modules to document with autodoc) are in another directory,
+# add these directories to sys.path here. If the directory is relative to the
+# documentation root, use os.path.abspath to make it absolute, like shown here.
+sys.path.insert(0, os.path.abspath('source/ext'))
+
+# -- General configuration -----------------------------------------------------
+
+# If your documentation needs a minimal Sphinx version, state it here.
+#needs_sphinx = '1.0'
+
+# Add any Sphinx extension module names here, as strings. They can be extensions
+# coming with Sphinx (named 'sphinx.ext.*') or your custom ones.
+extensions = ['bro']
+
+# Add any paths that contain templates here, relative to this directory.
+templates_path = ['source/_templates']
+
+# The suffix of source filenames.
+source_suffix = '.rst'
+
+# The encoding of source files.
+#source_encoding = 'utf-8-sig'
+
+# The master toctree document.
+master_doc = 'index'
+
+# General information about the project.
+project = u'Bro'
+copyright = u'2011, Jon Siwek'
+
+# The version info for the project you're documenting, acts as replacement for
+# |version| and |release|, also used in various other places throughout the
+# built documents.
+#
+# The short X.Y version.
+version = '@VERSION_MAJ_MIN@'
+# The full version, including alpha/beta/rc tags.
+release = '@VERSION@'
+
+# The language for content autogenerated by Sphinx. Refer to documentation
+# for a list of supported languages.
+#language = None
+
+# There are two options for replacing |today|: either, you set today to some
+# non-false value, then it is used:
+#today = ''
+# Else, today_fmt is used as the format for a strftime call.
+#today_fmt = '%B %d, %Y'
+
+# List of patterns, relative to source directory, that match files and
+# directories to ignore when looking for source files.
+exclude_patterns = []
+
+# The reST default role (used for this markup: `text`) to use for all documents.
+#default_role = None
+
+# If true, '()' will be appended to :func: etc. cross-reference text.
+#add_function_parentheses = True
+
+# If true, the current module name will be prepended to all description
+# unit titles (such as .. function::).
+#add_module_names = True
+
+# If true, sectionauthor and moduleauthor directives will be shown in the
+# output. They are ignored by default.
+show_authors = True
+
+# The name of the Pygments (syntax highlighting) style to use.
+pygments_style = 'sphinx'
+
+# A list of ignored prefixes for module index sorting.
+#modindex_common_prefix = []
+
+
+# -- Options for HTML output ---------------------------------------------------
+
+# The theme to use for HTML and HTML Help pages.  See the documentation for
+# a list of builtin themes.
+html_theme = 'default'
+
+# Theme options are theme-specific and customize the look and feel of a theme
+# further.  For a list of options available for each theme, see the
+# documentation.
+#html_theme_options = {}
+
+# Add any paths that contain custom themes here, relative to this directory.
+#html_theme_path = []
+
+# The name for this set of Sphinx documents.  If None, it defaults to
+# "<project> v<release> documentation".
+#html_title = None
+
+# A shorter title for the navigation bar.  Default is the same as html_title.
+#html_short_title = None
+
+# The name of an image file (relative to this directory) to place at the top
+# of the sidebar.
+#html_logo = None
+
+# The name of an image file (within the static path) to use as favicon of the
+# docs.  This file should be a Windows icon file (.ico) being 16x16 or 32x32
+# pixels large.
+#html_favicon = None
+
+# Add any paths that contain custom static files (such as style sheets) here,
+# relative to this directory. They are copied after the builtin static files,
+# so a file named "default.css" will overwrite the builtin "default.css".
+html_static_path = ['source/_static']
+
+# If not '', a 'Last updated on:' timestamp is inserted at every page bottom,
+# using the given strftime format.
+#html_last_updated_fmt = '%b %d, %Y'
+
+# If true, SmartyPants will be used to convert quotes and dashes to
+# typographically correct entities.
+#html_use_smartypants = True
+
+# Custom sidebar templates, maps document names to template names.
+#html_sidebars = {}
+
+# Additional templates that should be rendered to pages, maps page names to
+# template names.
+#html_additional_pages = {}
+
+# If false, no module index is generated.
+#html_domain_indices = True
+
+# If false, no index is generated.
+#html_use_index = True
+
+# If true, the index is split into individual pages for each letter.
+#html_split_index = False
+
+# If true, links to the reST sources are added to the pages.
+#html_show_sourcelink = True
+
+# If true, "Created using Sphinx" is shown in the HTML footer. Default is True.
+#html_show_sphinx = True
+
+# If true, "(C) Copyright ..." is shown in the HTML footer. Default is True.
+#html_show_copyright = True
+
+# If true, an OpenSearch description file will be output, and all pages will
+# contain a <link> tag referring to it.  The value of this option must be the
+# base URL from which the finished HTML is served.
+#html_use_opensearch = ''
+
+# This is the file name suffix for HTML files (e.g. ".xhtml").
+#html_file_suffix = None
+
+# Output file base name for HTML help builder.
+htmlhelp_basename = 'Brodoc'
+
+
+# -- Options for LaTeX output --------------------------------------------------
+
+# The paper size ('letter' or 'a4').
+#latex_paper_size = 'letter'
+
+# The font size ('10pt', '11pt' or '12pt').
+#latex_font_size = '10pt'
+
+# Grouping the document tree into LaTeX files. List of tuples
+# (source start file, target name, title, author, documentclass [howto/manual]).
+latex_documents = [
+  ('index', 'Bro.tex', u'Bro Documentation',
+   u'Jon Siwek', 'manual'),
+]
+
+# The name of an image file (relative to this directory) to place at the top of
+# the title page.
+#latex_logo = None
+
+# For "manual" documents, if this is true, then toplevel headings are parts,
+# not chapters.
+#latex_use_parts = False
+
+# If true, show page references after internal links.
+#latex_show_pagerefs = False
+
+# If true, show URL addresses after external links.
+#latex_show_urls = False
+
+# Additional stuff for the LaTeX preamble.
+#latex_preamble = ''
+
+# Documents to append as an appendix to all manuals.
+#latex_appendices = []
+
+# If false, no module index is generated.
+#latex_domain_indices = True
+
+
+# -- Options for manual page output --------------------------------------------
+
+# One entry per manual page. List of tuples
+# (source start file, name, description, authors, manual section).
+man_pages = [
+    ('index', 'bro', u'Bro Documentation',
+     [u'Jon Siwek'], 1)
+]
diff --git a/doc/scripts/example.bro b/doc/scripts/example.bro
new file mode 100644
index 0000000000..2e2a8977ec
--- /dev/null
+++ b/doc/scripts/example.bro
@@ -0,0 +1,228 @@
+##! This is an example script that demonstrates how to document.  Comments
+##! of the form ``##!`` are for the script summary.  The contents of
+##! these comments are transferred directly into the auto-generated
+##! `reStructuredText <http://docutils.sourceforge.net/rst.html>`_
+##! (reST) document's summary section.
+##!
+##! .. tip:: You can embed directives and roles within ``##``-stylized comments.
+##!
+##! A script's logging information has to be documented manually as minimally
+##! shown below.  Note that references may not always be possible (e.g.
+##! anonymous filter functions) and a script may not need to document
+##! each of "columns", "event", "filter" depending on exactly what it's doing.
+##!
+##! **Logging Stream ID:** :bro:enum:`Example::EXAMPLE`
+##!     :Columns:    :bro:type:`Example::Info`
+##!     :Event:      :bro:id:`Example::log_example`
+##!     :Filter:     ``example-filter``
+##!         uses :bro:id:`Example::filter_func` to determine whether to
+##!         exclude the ``ts`` field
+##!
+##! :Author: Jon Siwek <jsiwek@ncsa.illinois.edu>
+
+# Comments that use a single pound sign (#) are not significant to
+# a script's auto-generated documentation, but ones that use a
+# double pound sign (##) do matter.  In some cases, like record
+# field comments, it's necessary to disambiguate the field with
+# which a comment associates: e.g. "##<" can be used on the same line
+# as a field to signify the comment relates to it and not the
+# following field.  "##<" is not meant for general use, just
+# record/enum fields.
+#
+# Generally, the auto-doc comments (##) are associated with the
+# next declaration/identifier found in the script, but the doc framework
+# will track/render identifiers regardless of whether they have any
+# of these special comments associated with them.
+#
+# The first sentence contained within the "##"-stylized comments for
+# a given identifier is special in that it will be used as summary
+# text in a table containing all such identifiers and short summaries.
+# If there are no sentences (text terminated with '.'), then everything
+# in the "##"-stylized comments up until the first empty comment
+# is taken as the summary text for a given identifier.
+
+# @load directives are self-documenting
+@load notice
+
+# "module" statements are self-documenting
+module Example;
+
+# redefinitions of "capture_filters" are self-documenting and
+# go into the generated documentation's "Packet Filter" section
+redef capture_filters += {
+    ["ssl"] = "tcp port 443",
+    ["nntps"] = "tcp port 562",
+};
+
+global example_ports = {
+    443/tcp, 562/tcp,
+} &redef;
+
+# redefinitions of "dpd_config" are self-documenting and
+# go into the generated doc's "Port Analysis" section
+redef dpd_config += {
+    [ANALYZER_SSL] = [$ports = example_ports]
+};
+
+# redefinitions of "Notice::Type" are self-documenting, but
+# more information can be supplied in two different ways
+redef enum Notice += {
+    ## any number of this type of comment
+    ## will document "Notice_One"
+    Notice_One,
+    Notice_Two,  ##< any number of this type of comment
+                 ##< will document "Notice_Two"
+    Notice_Three,
+    Notice_Four,
+};
+
+# Redef'ing the ID enumeration for logging streams is automatically tracked.
+# Comments of the "##" form can be use to further document it, but it's
+# better to do all documentation related to logging in the summary section
+# as is shown above.
+redef enum Log::ID += { EXAMPLE };
+
+# Anything declared in the export section will show up in the rendered
+# documentation's "public interface" section
+
+export {
+
+    # these headings don't mean anything special to the
+    # doc framework right now, I'm just including them
+    # to make it more clear to the reader how the doc
+    # framework will actually categorize a script's identifiers
+
+    ############## types ################
+
+    # Note that I'm just mixing the "##" and "##<"
+    # types of comments in the following declarations
+    # as a demonstration.  Normally, it would be good style
+    # to pick one and be consistent.
+
+    ## documentation for "SimpleEnum"
+    ## goes here.
+    type SimpleEnum: enum {
+        ## and more specific info for "ONE"
+        ## can span multiple lines
+        ONE,
+        TWO,  ##< or more info like this for "TWO"
+              ##< can span multiple lines
+        THREE,
+    };
+
+    ## document the "SimpleEnum" redef here
+    redef enum SimpleEnum  += {
+        FOUR, ##< and some documentation for "FOUR"
+        ## also "FIVE" for good measure
+        FIVE
+    };
+
+    ## general documentation for a type "SimpleRecord"
+    ## goes here.
+    type SimpleRecord: record {
+        ## counts something
+        field1: count;
+        field2: bool; ##< toggles something
+    };
+
+    ## document the record extension redef here
+    redef record SimpleRecord += {
+        ## document the extending field here
+        field_ext: string &optional; ##< (or here)
+    };
+
+    ## general documentation for a type "ComplexRecord" goes here
+    type ComplexRecord: record {
+        field1: count;               ##< counts something
+        field2: bool;                ##< toggles something
+        field3: SimpleRecord;
+        msg: string &default="blah"; ##< attributes are self-documenting
+    } &redef;
+
+    ## An example record to be used with a logging stream.
+    type Info: record {
+        ts:       time       &log;
+        uid:      string     &log;
+        status:   count      &log &optional;
+    };
+
+    ############## options ################
+    # right now, I'm just defining an option as
+    # any const with &redef (something that can
+    # change at parse time, but not at run time.
+
+    ## add documentation for "an_option" here
+    const an_option: set[addr, addr, string] &redef;
+
+    # default initialization will be self-documenting
+    const option_with_init = 0.01 secs &redef;
+
+    ############## state variables ############
+    # right now, I'm defining this as any global
+    # that's not a function/event.  doesn't matter
+    # if &redef attribute is present
+
+    ## put some documentation for "a_var" here
+    global a_var: bool;
+
+    # attributes are self-documenting
+    global var_with_attr: count &persistent;
+
+    # it's fine if the type is inferred, that information is self-documenting
+    global var_without_explicit_type = "this works";
+
+    ############## functions/events ############
+
+    ## Summarize purpose of "a_function" here.
+    ## Give more details about "a_function" here.
+    ## Separating the documentation of the params/return values with
+    ## empty comments is optional, but improves readability of script.
+    ##
+    ## tag: function arguments can be described
+    ##      like this
+    ## msg: another param
+    ##
+    ## Returns: describe the return type here
+    global a_function: function(tag: string, msg: string): string;
+
+    ## Summarize "an_event" here.
+    ## Give more details about "an_event" here.
+    ## name: describe the argument here
+    global an_event: event(name: string);
+
+    ## This is a declaration of an example event that can be used in
+    ## logging streams and is raised once for each log entry.
+    global log_example: event(rec: Info);
+}
+
+function filter_func(rec: Info): bool
+    {
+    return T;
+    }
+
+# this function is documented in the "private interface" section
+# of generated documentation and any "##"-stylized comments would also
+# be rendered there
+function function_without_proto(tag: string): string
+    {
+    return "blah";
+    }
+
+# this record type is documented in the "private interface" section
+# of generated documentation and any "##"-stylized comments would also
+# be rendered there
+type PrivateRecord: record {
+    field1: bool;
+    field2: count;
+};
+
+event bro_init()
+    {
+    Log::create_stream(EXAMPLE, [$columns=Info, $ev=log_example]);
+    Log::add_filter(EXAMPLE, [
+        $name="example-filter",
+        $path="example-filter",
+        $pred=filter_func,
+        $exclude=set("ts")
+        ]);
+    }
diff --git a/doc/scripts/group_index_generator.py b/doc/scripts/group_index_generator.py
new file mode 100755
index 0000000000..d143765ef9
--- /dev/null
+++ b/doc/scripts/group_index_generator.py
@@ -0,0 +1,52 @@
+#! /usr/bin/env python
+
+# This script automatically generates a reST documents that lists
+# a collection of Bro policy scripts that are "grouped" together.
+# The summary text (##! comments) of the policy script is embedded
+# in the list.
+#
+# 1st argument is the file containing list of groups
+# 2nd argument is the directory containing ${group}_files lists of
+#   scripts that belong to the group and ${group}_doc_names lists of
+#   document names that can be supplied to a reST :doc: role
+# 3rd argument is a directory in which write a ${group}.rst file (will
+#   append to existing file) that contains reST style references to
+#   script docs along with summary text contained in original script
+
+import sys
+import os
+import string
+
+group_list = sys.argv[1]
+file_manifest_dir = sys.argv[2]
+output_dir = sys.argv[3]
+
+with open(group_list, 'r') as f_group_list:
+    for group in f_group_list.read().splitlines():
+        #print group
+        file_manifest = os.path.join(file_manifest_dir, group + "_files")
+        doc_manifest = os.path.join(file_manifest_dir, group + "_doc_names")
+        src_files = []
+        doc_names = []
+
+        with open(file_manifest, 'r') as f_file_manifest:
+            src_files = f_file_manifest.read().splitlines()
+
+        with open(doc_manifest, 'r') as f_doc_manifest:
+            doc_names = f_doc_manifest.read().splitlines()
+
+        for i in range(len(src_files)):
+            src_file = src_files[i]
+            #print "\t" + src_file
+            summary_comments = []
+            with open(src_file, 'r') as f_src_file:
+                for line in f_src_file:
+                    sum_pos = string.find(line, "##!")
+                    if sum_pos != -1:
+                        summary_comments.append(line[(sum_pos+3):])
+            #print summary_comments
+            group_file = os.path.join(output_dir, group + ".rst")
+            with open(group_file, 'a') as f_group_file:
+                f_group_file.write("\n:doc:`/policy/%s`\n" % doc_names[i])
+                for line in summary_comments:
+                    f_group_file.write("   " + line)
diff --git a/doc/scripts/source/_static/showhide.js b/doc/scripts/source/_static/showhide.js
new file mode 100644
index 0000000000..d6a8923143
--- /dev/null
+++ b/doc/scripts/source/_static/showhide.js
@@ -0,0 +1,64 @@
+// make literal blocks corresponding to identifier initial values
+// hidden by default
+$(document).ready(function() {
+
+    var showText='(Show Value)';
+    var hideText='(Hide Value)';
+
+    var is_visible = false;
+
+    // select field-list tables that come before a literal block
+    tables = $('.highlight-python').prev('table.docutils.field-list');
+
+    tables.find('th.field-name').filter(function(index) {
+        return $(this).html() == "Default :";
+    }).next().append('<a href="#" class="toggleLink">'+showText+'</a>');
+
+    // hide all literal blocks that follow a field-list table
+    tables.next('.highlight-python').hide();
+
+    // register handler for clicking a "toggle" link
+    $('a.toggleLink').click(function() {
+        is_visible = !is_visible;
+
+        $(this).html( (!is_visible) ? showText : hideText);
+
+        // the link is inside a <table><tbody><tr><td> and the next
+        // literal block after the table is the literal block that we want
+        // to show/hide
+        $(this).parent().parent().parent().parent().next('.highlight-python').slideToggle('fast');
+
+        // override default link behavior
+        return false;
+    });
+});
+
+// make "Private Interface" sections hidden by default
+$(document).ready(function() {
+
+    var showText='Show Private Interface (for internal use)';
+    var hideText='Hide Private Interface';
+
+    var is_visible = false;
+
+    // insert show/hide links
+    $('#private-interface').children(":first-child").after('<a href="#" class="privateToggle">'+showText+'</a>');
+
+    // wrap all sub-sections in a new div that can be hidden/shown
+    $('#private-interface').children(".section").wrapAll('<div class="private" />');
+
+    // hide the given class
+    $('.private').hide();
+
+    // register handler for clicking a "toggle" link
+    $('a.privateToggle').click(function() {
+        is_visible = !is_visible;
+
+        $(this).html( (!is_visible) ? showText : hideText);
+
+        $('.private').slideToggle('fast');
+
+        // override default link behavior
+        return false;
+    });
+});
diff --git a/doc/scripts/source/_templates/layout.html b/doc/scripts/source/_templates/layout.html
new file mode 100644
index 0000000000..5685e1dc37
--- /dev/null
+++ b/doc/scripts/source/_templates/layout.html
@@ -0,0 +1,5 @@
+{% extends "!layout.html" %}
+{% block extrahead %}
+    <script type="text/javascript" src="{{ pathto('_static/showhide.js', 1) }}"></script>
+    {{ super() }}
+{% endblock %}
diff --git a/doc/scripts/source/bifs.rst b/doc/scripts/source/bifs.rst
new file mode 100644
index 0000000000..0c40404058
--- /dev/null
+++ b/doc/scripts/source/bifs.rst
@@ -0,0 +1,4 @@
+Built-In Functions (BIFs)
+=========================
+
+Here's a list of all documentation for BIFs that Bro provides:
diff --git a/doc/scripts/source/builtins.rst b/doc/scripts/source/builtins.rst
new file mode 100644
index 0000000000..d1c551339d
--- /dev/null
+++ b/doc/scripts/source/builtins.rst
@@ -0,0 +1,123 @@
+Builtin Types and Attributes
+============================
+
+Types
+-----
+
+The Bro scripting language supports the following built-in types.
+
+.. TODO: add documentation
+
+.. bro:type:: void
+
+.. bro:type:: bool
+
+.. bro:type:: int
+
+.. bro:type:: count
+
+.. bro:type:: counter
+
+.. bro:type:: double
+
+.. bro:type:: time
+
+.. bro:type:: interval
+
+.. bro:type:: string
+
+.. bro:type:: pattern
+
+.. bro:type:: enum
+
+.. bro:type:: timer
+
+.. bro:type:: port
+
+.. bro:type:: addr
+
+.. bro:type:: net
+
+.. bro:type:: subnet
+
+.. bro:type:: any
+
+.. bro:type:: table
+
+.. bro:type:: union
+
+.. bro:type:: record
+
+.. bro:type:: types
+
+.. bro:type:: func
+
+.. bro:type:: file
+
+.. bro:type:: vector
+
+.. TODO: below are kind of "special cases" that bro knows about?
+
+.. bro:type:: set
+
+.. bro:type:: function
+
+.. bro:type:: event
+
+.. TODO: Notice will get documented as part of notice.bro, which can eventually
+   be referenced here once that documentation is auto-generated.
+
+.. bro:type:: Notice
+
+Attributes
+----------
+
+The Bro scripting language supports the following built-in attributes.
+
+.. TODO: add documentation
+
+.. bro:attr:: &optional
+
+.. bro:attr:: &default
+
+.. bro:attr:: &redef
+
+.. bro:attr:: &rotate_interval
+
+.. bro:attr:: &rotate_size
+
+.. bro:attr:: &add_func
+
+.. bro:attr:: &delete_func
+
+.. bro:attr:: &expire_func
+
+.. bro:attr:: &read_expire
+
+.. bro:attr:: &write_expire
+
+.. bro:attr:: &create_expire
+
+.. bro:attr:: &persistent
+
+.. bro:attr:: &synchronized
+
+.. bro:attr:: &postprocessor
+
+.. bro:attr:: &encrypt
+
+.. bro:attr:: &match
+
+.. bro:attr:: &disable_print_hook
+
+.. bro:attr:: &raw_output
+
+.. bro:attr:: &mergeable
+
+.. bro:attr:: &priority
+
+.. bro:attr:: &group
+
+.. bro:attr:: &log
+
+.. bro:attr:: (&tracked)
diff --git a/doc/scripts/source/common.rst b/doc/scripts/source/common.rst
new file mode 100644
index 0000000000..6105585b2c
--- /dev/null
+++ b/doc/scripts/source/common.rst
@@ -0,0 +1,19 @@
+Common Documentation
+====================
+
+.. _common_port_analysis_doc:
+
+Port Analysis
+-------------
+
+TODO: add some stuff here
+
+.. _common_packet_filter_doc:
+
+Packet Filter
+-------------
+
+TODO: add some stuff here
+
+.. note:: Filters are only relevant when dynamic protocol detection (DPD)
+          is explicitly turned off (Bro release 1.6 enabled DPD by default).
diff --git a/doc/scripts/source/default.rst b/doc/scripts/source/default.rst
new file mode 100644
index 0000000000..6b79f20c79
--- /dev/null
+++ b/doc/scripts/source/default.rst
@@ -0,0 +1,3 @@
+Bro Scripts Loaded by Default
+=============================
+
diff --git a/doc/scripts/source/ext/bro.py b/doc/scripts/source/ext/bro.py
new file mode 100644
index 0000000000..7ec02f76a8
--- /dev/null
+++ b/doc/scripts/source/ext/bro.py
@@ -0,0 +1,167 @@
+"""
+    The Bro domain for Sphinx.
+"""
+
+def setup(Sphinx):
+    Sphinx.add_domain(BroDomain)
+
+from sphinx import addnodes
+from sphinx.domains import Domain, ObjType, Index
+from sphinx.locale import l_, _
+from sphinx.directives import ObjectDescription
+from sphinx.roles import XRefRole
+from sphinx.util.nodes import make_refnode
+import string
+
+from docutils import nodes
+from docutils.parsers.rst import Directive
+from docutils.parsers.rst import directives
+from docutils.parsers.rst.roles import set_classes
+
+class BroGeneric(ObjectDescription):
+    def add_target_and_index(self, name, sig, signode):
+        targetname = self.objtype + '-' + name
+        if targetname not in self.state.document.ids:
+            signode['names'].append(targetname)
+            signode['ids'].append(targetname)
+            signode['first'] = (not self.names)
+            self.state.document.note_explicit_target(signode)
+
+            objects = self.env.domaindata['bro']['objects']
+            key = (self.objtype, name)
+# this is commented out mostly just to avoid having a special directive
+# for events in order to avoid the duplicate warnings in that case
+            """
+            if key in objects:
+                self.env.warn(self.env.docname,
+                              'duplicate description of %s %s, ' %
+                              (self.objtype, name) +
+                              'other instance in ' +
+                              self.env.doc2path(objects[key]),
+                              self.lineno)
+            """
+            objects[key] = self.env.docname
+        indextext = self.get_index_text(self.objtype, name)
+        if indextext:
+            self.indexnode['entries'].append(('single', indextext,
+                                              targetname, targetname))
+
+    def get_index_text(self, objectname, name):
+        return _('%s (%s)') % (name, self.objtype)
+
+    def handle_signature(self, sig, signode):
+        signode += addnodes.desc_name("", sig)
+        return sig
+
+class BroNamespace(BroGeneric):
+    def add_target_and_index(self, name, sig, signode):
+        targetname = self.objtype + '-' + name
+        if targetname not in self.state.document.ids:
+            signode['names'].append(targetname)
+            signode['ids'].append(targetname)
+            signode['first'] = (not self.names)
+            self.state.document.note_explicit_target(signode)
+
+            objects = self.env.domaindata['bro']['objects']
+            key = (self.objtype, name)
+            objects[key] = self.env.docname
+        indextext = self.get_index_text(self.objtype, name)
+        self.indexnode['entries'].append(('single', indextext,
+                                          targetname, targetname))
+        self.indexnode['entries'].append(('single',
+                                          "namespaces; %s" % (sig),
+                                          targetname, targetname))
+
+    def get_index_text(self, objectname, name):
+        return _('%s (namespace); %s') % (name, self.env.docname)
+
+    def handle_signature(self, sig, signode):
+        signode += addnodes.desc_name("", sig)
+        return sig
+
+class BroEnum(BroGeneric):
+    def add_target_and_index(self, name, sig, signode):
+        targetname = self.objtype + '-' + name
+        if targetname not in self.state.document.ids:
+            signode['names'].append(targetname)
+            signode['ids'].append(targetname)
+            signode['first'] = (not self.names)
+            self.state.document.note_explicit_target(signode)
+
+            objects = self.env.domaindata['bro']['objects']
+            key = (self.objtype, name)
+            objects[key] = self.env.docname
+        indextext = self.get_index_text(self.objtype, name)
+        #self.indexnode['entries'].append(('single', indextext,
+        #                                  targetname, targetname))
+        m = sig.split()
+        self.indexnode['entries'].append(('single',
+                                          "%s (enum values); %s" % (m[1], m[0]),
+                                          targetname, targetname))
+
+    def handle_signature(self, sig, signode):
+        m = sig.split()
+        name = m[0]
+        signode += addnodes.desc_name("", name)
+        return name
+
+class BroIdentifier(BroGeneric):
+    def get_index_text(self, objectname, name):
+        return name
+
+class BroAttribute(BroGeneric):
+    def get_index_text(self, objectname, name):
+        return _('%s (attribute)') % (name)
+
+class BroDomain(Domain):
+    """Bro domain."""
+    name = 'bro'
+    label = 'Bro'
+
+    object_types = {
+        'type':             ObjType(l_('type'),             'type'),
+        'namespace':        ObjType(l_('namespace'),        'namespace'),
+        'id':               ObjType(l_('id'),               'id'),
+        'enum':             ObjType(l_('enum'),             'enum'),
+        'attr':             ObjType(l_('attr'),             'attr'),
+    }
+
+    directives = {
+        'type':             BroGeneric,
+        'namespace':        BroNamespace,
+        'id':               BroIdentifier,
+        'enum':             BroEnum,
+        'attr':             BroAttribute,
+    }
+
+    roles = {
+        'type':             XRefRole(),
+        'namespace':        XRefRole(),
+        'id':               XRefRole(),
+        'enum':             XRefRole(),
+        'attr':             XRefRole(),
+    }
+
+    initial_data = {
+        'objects': {},  # fullname -> docname, objtype
+    }
+
+    def clear_doc(self, docname):
+        for (typ, name), doc in self.data['objects'].items():
+            if doc == docname:
+                del self.data['objects'][typ, name]
+
+    def resolve_xref(self, env, fromdocname, builder, typ, target, node,
+                     contnode):
+        objects = self.data['objects']
+        objtypes = self.objtypes_for_role(typ)
+        for objtype in objtypes:
+            if (objtype, target) in objects:
+                return make_refnode(builder, fromdocname,
+                                    objects[objtype, target],
+                                    objtype + '-' + target,
+                                    contnode, target + ' ' + objtype)
+
+    def get_objects(self):
+        for (typ, name), docname in self.data['objects'].iteritems():
+            yield name, name, typ, docname, typ + '-' + name, 1
diff --git a/doc/scripts/source/index.rst b/doc/scripts/source/index.rst
new file mode 100644
index 0000000000..ef642d70c7
--- /dev/null
+++ b/doc/scripts/source/index.rst
@@ -0,0 +1,24 @@
+.. Bro documentation master file
+
+Welcome to Bro's documentation!
+===============================
+
+Contents:
+
+.. toctree::
+   :maxdepth: 1
+   :glob:
+
+   common
+   builtins
+   policy/index
+   default
+   bifs
+   user
+   internal
+
+Indices and tables
+==================
+
+* :ref:`genindex`
+* :ref:`search`
diff --git a/doc/scripts/source/internal.rst b/doc/scripts/source/internal.rst
new file mode 100644
index 0000000000..864ee75f8a
--- /dev/null
+++ b/doc/scripts/source/internal.rst
@@ -0,0 +1,3 @@
+Internal Policy Scripts
+=======================
+
diff --git a/doc/scripts/source/policy/index.rst b/doc/scripts/source/policy/index.rst
new file mode 100644
index 0000000000..6b8ed9319c
--- /dev/null
+++ b/doc/scripts/source/policy/index.rst
@@ -0,0 +1,6 @@
+Index of All Policy Script Documentation
+========================================
+
+.. toctree::
+   :maxdepth: 1
+
diff --git a/doc/scripts/source/user.rst b/doc/scripts/source/user.rst
new file mode 100644
index 0000000000..7a3bba29cb
--- /dev/null
+++ b/doc/scripts/source/user.rst
@@ -0,0 +1,3 @@
+User-Facing Policy Scripts
+==========================
+
diff --git a/doc/user-manual/Bro-Linux.texi b/doc/user-manual/Bro-Linux.texi
deleted file mode 100644
index 0dc44f29a5..0000000000
--- a/doc/user-manual/Bro-Linux.texi
+++ /dev/null
@@ -1,11 +0,0 @@
-
-The section not done!
-
-There are a number of patches needed to make Bro work well with Linux.
-
-These include:
-
-Luca Deri's patch to fix libpcap issues.
-
-
-
diff --git a/doc/user-manual/Bro-analysis.texi b/doc/user-manual/Bro-analysis.texi
deleted file mode 100644
index ad0f65f05e..0000000000
--- a/doc/user-manual/Bro-analysis.texi
+++ /dev/null
@@ -1,322 +0,0 @@
-
-@subheading Rule one: There are no rules @enddots{}
-
-This section describes a specific procedure that can be followed with each "incident" that  Bro uncovers, but one must keep in mind that intrusion detection is not a static problem.  The perpetrators of intrusions and malicious network activity are constantly changing their techniques with the express purpose of evading detection.  Unexpected activities are often found by investigation of seemingly innocuous network oddities or serendipitous inspection of logs.  While Bro is an exceptionally useful tool for collecting, sorting, analyzing and flagging suspect network data, it cannot be expected to flag all new, cleverly disguised attacks.  Nor can it be expected to differentiate with 100% accuracy between aberrant, but legitimate, user behavior and a malicious attack.  Sometimes a strong curiosity is an analyst's best friend and Bro is the vehicle for allowing him or her to follow that curiosity.
-
-@menu
-* Two Types of Triggers ::
-* General Process Steps ::
-* Understand What Triggered the Alarm(s) ::
-* Understand the Intent of the Alarm(s) ::
-* Examine HTTP FTP or SMTP Sessions ::
-* Examine the Connection and Weird Logs ::
-* Examine the Bulk Trace if Available  ::
-* Contact and Question Appropriate People ::
-@end menu
-
-@node Two Types of Triggers
-@section Two Types of Triggers
-
-There are two ways that alarms can be triggered.  One is when network traffic matches a @emph{signatures} that has been converted to work with Bro.  The other way is by matching Bro @emph{rules} that are embedded in the Bro analyzers.
-
-@subsection Converted Signatures
-In the Bro report, converted signatures are identified by the alarm type: @code{SensitiveSignature} and the existence of a @code{bro} identification number.  Each signature is distinct, targeting one specific set of network events for each alarm.  Currently the majority of converted @emph{signatures} are developed from Snort@copyright{} signatures using the @file{snort2bro} utility.  In addition, enhancing have been made by utilizing features in the Bro policy language that are absent in Snort@copyright{}.  Most Bro signatures are found in the @file{$BROHOME/site/signatures.sig}, however, they can exist in other @file{.sig} files.
-
-@subsection Embedded Bro Rule
-Bro rules are typically embedded in the Bro @emph{analyzers} or other @file{.bro} policy files.
-@comment ***** XXX: Need ref to analyzer section of ref manual
-Several trigger conditions are usually lumped into a grouping of Bro rules within a @file{.bro} file, making it difficult to separate the exact condition that triggered the alarm.  Hence, alarms triggered by an embedded Bro rule will not have a specific @code{bro} identification number, nor will the @emph{signature code} block appear in the report.
-
-@quotation Possible types of embedded bro rule alarms
-@multitable {SensitiveUsernameInPassword} {ICMPConnectionPair} {FTP_ExcessiveFilename}
-@item AddressDropped
-@tab AddressScan
-@tab BackscatterSeen
-@item ClearToEncrypted_SS
-@tab CountSignature
-@tab DNS::DNS_MappingChanged
-@item DNS::DNS_PTR_Scan
-@tab FTP::FTP_BadPort
-@tab FTP::FTP_ExcessiveFilename
-@item FTP::FTP_PrivPort
-@tab FTP::FTP_Sensitive
-@tab FTP::FTP_UnexpectedConn
-@item HTTP::HTTP_SensitiveURI
-@tab HotEmailRecipient
-@tab ICMP::ICMPAsymPayload
-@item ICMP::ICMPUnpairedEchoReply
-@tab ICMP::ICMPConnectionPair
-@tab IdentSensitiveID
-@item LoginForbiddenButConfused
-@tab LocalWorm
-@tab MultipleSigResponders
-@item MultipleSignatures
-@tab OutboundTFTP
-@tab PasswordGuessing
-@item PortScan
-@tab RemoteWorm
-@tab ResolverInconsistency
-@item SSH_Overflow
-@tab SSL_SessConIncon
-@tab SSL_X509Violation
-@item ScanSummary
-@tab SensitiveConnection
-@tab SensitiveDNS_Lookup
-@item SensitivePortmapperAccess
-@tab SensitiveLogin
-@tab SensitiveSignature
-@item SensitiveUsernameInPassword
-@tab SignatureSummary
-@tab SynFloodEnd
-@item SynFloodStart
-@tab SynFloodStatus
-@tab TRW::TRWAddressScan
-@item TerminatingConnection
-@tab W32B_SourceLocal
-@tab W32B_SourceRemote
-@item ZoneTransfer
-@end multitable
-@end quotation
-
-@node General Process Steps
-@section General Process Steps
-
-The following steps will both aid the Bro user with uncovering network 
-activity of interest, and also help acquaint the user with the anomalies that Bro detects, together building up an understanding of what constitutes "normal" network traffic for the local site.  The analyst might follow each successive step with each incident until a firm determination is made if the incident is malicious or a "false positive".
-
-@itemize
-@item Understand What Triggered the Alarm(s)
-@item Understand the Intent of the Alarm(s)
-@item Examine the Session(s) from the HTTP, FTP, or SMTP Logs
-@item Examine the Connection Logs for Breakin Indicators
-@item Examine for Connections to Other Computers
-@item Examine Other Bro Logs for Odd Activity
-@item Examine the Bulk Trace if Available 
-@item Contact and Question Appropriate People
-@end itemize 
-
-@node Understand What Triggered the Alarm(s)
-@section Understand What Triggered the Alarm(s)
-
-To understand what triggered the alarm, compare the signature or rule code with @emph{payload}.  The network traffic that matches the signature, rule, or policy is known as the payload.  The payload that triggers the alarm is usually included in the Bro's incident report.
-Often it is obvious that the payload is not malicious.
-
-@quotation Example
-The signature may trigger on the word @emph{shadow}, notifying that someone may be attempting to download the shadow password file.  However, the payload may reveal that the actual download is something like @emph{theshadow.jpg}, which is obliviously innocuous.
-@end quotation
-
-The two kinds of alarms, converted signatures and embedded rules trigger alarms differently, so they must be treated separately.  The following sections describe how to investigate the signature or rule code and payload of each.
-
-@subsection Converted Snort Signatures
-These signatures are recognizable by the inclusion of a @code{bro} number and the identification @code{SensitiveSignature}.  A @emph{signature code} and @emph{payload} block should be present in the incident report.  To understand what triggered the alarm, compare the payload to the signature code and find the defined signature within the payload.  Since some payload lines can get extremely long, the payload lines in the report and notice and alarm logs has been truncated to 250 characters.  Sometimes the actual trigger payload is beyond the 250 character cut off.  In this case, the protocol sessions log file must be examined.  @xref{Examine HTTP FTP or SMTP Sessions}.
-
-@subsection Embedded Bro Rule
-For alarms triggered by an embedded Bro rule the @emph{signature code} block will not appear, and in many cases, neither will the payload.  There is currently no direct way to find the specific Bro rule that triggered the alarm other than to search the Bro policy files.  Following is a process for conducting that search.  The example of the @code{HTTP_SensitiveURL} is used.  In actual practice, this rule appears quite often in the reports.
-
-@quotation Read about the specific analyzer
-In the Bro Technical Reference Manual there are sections for each type of analyzer.  In the case of our example the HTTP analyzer is the obvious choice.  In the section on the HTTP analyzer, it is noted that the variables @var{sensitive_URIs} and @var{sensitive_post_URIs} are responsible for flagging sensitive URIs.
-@end quotation
-
-@quotation Find the policy file that defines these variables
-Using egrep to search for @var{sensitive_URIs} and/or @var{sensitive_post_URIs} yields the following:
-
-@example
-> egrep "sensitive_URIs | sensitive_post_URIs" http*
-http-request.bro:   const sensitive_URIs =
-http-request.bro:  # URIs that match sensitive_URIs but can be generated by worms
-http-request.bro:   const skip_remote_sensitive_URIs = /\/cgi-bin\/(phf|php\.cgi|test-cgi)/ &redef;
-http-request.bro:   const sensitive_post_URIs = /wwwroot|WWWROOT/ &redef;
-http-request.bro:   if ( (sensitive_URIs in URI && URI != worm_URIs) ||
-http-request.bro:   (method == "POST" && sensitive_post_URIs in URI) )
-http-request.bro:   skip_remote_sensitive_URIs in URI )
-@end example
-
-Clearly @file{http-request.bro} is the file of interest.  If, in the case of other types of analyzers, more than one file appears, look for the place where the @code{const} statement is used to declare the variable(s).
-@end quotation
-
-@quotation Look into the policy file
-Search in the section of Bro policy code that describes the rule(s) for the specific notification.  In the file @file{http-request.bro}, is found:
-
-@verbatim
-export{
-   const sensitive_URIs =
-      /etc.*\/.*(passwd|shadow|netconfig)/
-      | /IFS[ \t]*=/
-      | /nph-test-cgi\?/
-      | /(%0a|\.\.)\/(bin|etc|usr|tmp)/
-      | /\/Admin_files\/order\.log/
-      | /\/carbo\.dll/
-      | /\/cgi-bin\/(phf|php\.cgi|test-cgi)/
-      | /\/cgi-dos\/args\.bat/
-      | /\/cgi-win\/uploader\.exe/
-      | /\/search97\.vts/
-      | /tk\.tgz/
-      | /ownz/        # somewhat prone to false positives
-     &redef;
-
-     # URIs that match sensitive_URIs but can be generated by worms,
-     # and hence should not be flagged (because they're so common).
-     const worm_URIs =
-          /.*\/c\+dir/
-          | /.*cool.dll.*/
-          | /.*Admin.dll.*Admin.dll.*/
-     &redef;
-}
-
-redef capture_filters +=  {
-        ["http-request"] = "tcp dst port 80 or tcp dst port 8080
-                            or tcp dst port 8000"
-};
-
-# URIs that should not be considered sensitive if accessed remotely,
-# i.e. by a local client.
-const skip_remote_sensitive_URIs = /\/cgi-bin\/(phf|php\.cgi|test-cgi)/
- &redef;
-
-const sensitive_post_URIs = /wwwroot|WWWROOT/ &redef;
-@end verbatim
-
-Unfortunately, there isn't any way of knowing exactly which one of these rules triggered the @code{HTTP_SensitiveURL} alarm.  As will be seen in the next section, the triggering payload must be compared against this entire section.
-@end quotation
-
-@node Understand the Intent of the Alarm(s)
-@section Understand the Intent of the Alarm(s)
-
-While understanding the technical signature or policy "code" that "triggered" the alarm, it is also useful to understand the reason the trigger was built.
-@itemize
-@item What attack or malicious behavior is the alarm trying to illuminate?
-@item What is the normal method of attack ... manual? automated?  expert? novice?
-@item How long has the particular attack existed?
-@item How often is it seen?  How often is it actually used by attackers?
-@end itemize
-All of these things, and any other information that can be gathered, will 
-help in differentiating attacks from legitimate behavior.  Although this process may seem tedious and time consuming in the beginning, the Bro analyst will quickly build up a substantial knowledge of known attacks.  Even if the incident in question turns out to be benign, the effort to learn about the attack almost always proves useful in future investigations.
-
-@subsection Converted Snort@copyright{} Signatures
-Since Snort@copyright{} signatures are usually fairly well documented, one way to discover the intent of the signature is to search the web for the title of the signature using any of the common search engines (Yahoo, Google, Teoma, AltaVista, or one of the may others).  For instance, a search on the @emph{MS SQL xp_cmdshell} vulnerability yields ~7000 hits.  One of those hits is:
-
-@example
-Zone-H.org * Advisories
-... Successful exploitation of this vulnerability can enable an attacker to 
-execute commands in the system (via MS SQL xp_cmdshell function). ...
-www.zone-h.org/advisories/read/id=4243 - 17k - Cached - Similar pages
-@end example
-
-This web site give a fairly detailed description of the exploit and verifies that it can be used to root compromise a computer and hence,  is a vulnerability of significant interest.  Several other sites also give details about the signature, the attack, and other useful information.
-
-@subsection Embedded Bro Rule
-Unfortunately, most of the embedded Bro rules have not been documented.  
-The analyst must rely on his/her own understand of network attacks to 
-guess what the intent of the rule is.  Sometimes useful comments are 
-written into the Bro policy source.
-
-@node Examine HTTP FTP or SMTP Sessions
-@section Examine HTTP FTP or SMTP Sessions
-
-These three files record session activity on ports 80(http), 21(ftp), and 25(smtp) respectively.  If the alarm involves any of these ports, these files may reveal the details of the sessions.  The general format of all three files is:
-date/time@key{SP}%sessionnumber@key{SP}Message
-
-where:
-@quotation date/time
-is the time in UNIX epoch time.  The @code{cf} utility can be used to convert this time to @cite{readable} time. Reference Tech Manual
-@comment ####################### need reference to Tech Manaual.
-@end quotation
-@quotation sessionnumber
-is the number assigned to session.  All subsequent records in the file that are part of the session will retain this same session number.  Session numbers are prefixed with the @samp{%} sign.
-@end quotation
-@quotation message
-is the message that Bro policy has formed to describe the session event.  Typically the message will be:
-@itemize
-@item the start of the session, including the two ip addresses involved
-@item an anomolous event
-@item the full protocol command line that was sent
-@item short statistics concerning the transaction (e.g. bytes sent)
-@end itemize
-@end quotation
-
-In an alarm where the session number is given (typically in a SensitiveSignature alarm), a search on the session number in the appropriate file(s) will show the full sessons.  @xref{The bro/logs Directory}.
-@*@*
-@strong{Example:}
-@*Consider the following alarm:
-
-@verbatim
-Alarm: HTTP_SensitiveURI
-       11/22_12.52.42                128.333.48.179 -> 80.143.378.186
-                                           3091/tcp -> 80/tcp
-       session: %73280
-       payload: GET\/NR/rdonlyres/eirownz4tqwlseoggqm2ahj5cqsdbedlaxyye
-                7kvdz7rnh6u4o2v2gpvmoggqjlekzdtulryyatiinj3xwimmiavgfb/
-                smallshoulders.gif\ (200\ "OK"\ [1134])
-@end verbatim
-
-From the payload shown, it is unclear what triggered the alarm.  To investigate further, the entire session can be viewed:
-
-Example:
-@verbatim
-> grep %73280 http.hostname.04-11-22_12.52.42 | cf
-Nov 22 15:18:30 %73280 start 128.333.48.179 > 80.143.378.186
-Nov 22 15:18:30 %73280 GET /fitness/default.htm (200 "OK" [10473])
-Nov 22 15:18:30 %73280 GET /javascripts/cms_common.js (304 "Not Modified"[0])
-Nov 22 15:19:47 %73280 GET /food_nutrition/default.htm (200 "OK"[13177])
-Nov 22 15:19:47 %73280 GET/NR/rdonlyres/eirwwu3xtlr22dkat5cim4ziupouzxb6kz4xb
-zbr4zs255ca57cvv5mhcjcrmrfg6kpcrevyndo2za3yoi5esheiolf/News111904Dairy NotFor
-Diet.jpg (200 "OK" [6572])
-Nov 22 15:19:51 %73280 GET /NR/rdonlyres/0D25692F-D59A-4B90-AB53-8BBC9E75A286.
-gif (200 "OK" [189])
-Nov 22 15:19:51 %73280 GET /NR/rdonlyres/eqpbdbex34wpqpagp2fcbxh35omcjtq45feyf7
-zgtjff6fhrybfbsvtszeu4rc2clayghhslfimaafkoocae6cv6wof/doctor.jpg (200 "OK" [161
-5])/NR/rdonlyres/enhskrfoodzuquvmbli2hasjspusrgsvyhbd3nlue5msoli2ueagrwdxw56gqa
-aa7sosee3yn2hwywcg6kgv4wcv6jc/bigback.gif (200 "OK" [8192 (interrupted)])/NR/rd
-onlyres/ej2cpd275ghrefp23ezou43haqe6fmj3oyeqxkvopf4bv4zhwbqimfrrbndqpotx55pogc7
-xiqvdcovaxo66afyqfof/smallleg.jpg (200 "OK" [1010])
-Nov 22 15:22:12 %73280 GET /NR/rdonlyres/eirownz4tqwlseoggqm2ahj5cqsdbedlaxyye7
-kvdz7rnh6u4o2v2gpvmoggqjlekzdtulryyatiinj3xwimmiavgfb/smallshoulders.gif (200 "
-OK" [1134])
-Nov 22 15:22:13 %73280 GET /NR/rdonlyres/49D86A33-AF6C-4873-AD11-F26DDBF222B1.g
-if (200 "OK" [167])
-@end verbatim
-By examining this session it can clearly be seen that the session is simply a web visit to a fitness website.  There is no need to investigate further.
-
-@node Examine the Connection and Weird Logs
-@section Examine the Connection and Weird Logs
-
-The connection logs are a record of every connection Bro detects.  Although they don't contain content, being able to track the network @emph{movement} of an attacking host is often very useful.
-
-@subsection Breakin Indicators
-
-If it is still not clear if a suspect host is an attacker, the connection surrounding the suspicious connection can be examined.  Here are some questions that might be answered by the @file{conn} logs.
-itemize
-item How many more successful connection the attacker make to the target host?
-item How much data was transfered? A lot of data means something more than an unsuccessful probe.
-item Did the target host connect back to the attacker?  This is a fairly sure sign of a successful attack.  The attacker has gained control of the target and is connecting back to his own host.
-item What was the time duration?  If several attacks occur in a very short time and then slow down to @emph{human} speed, it could indicate the attacker used an automated attack to gain control and then switched to a manual mode to "work on" the compromised target host.
-
-@subsection Connections to Other Computers
-If a host has been successfully identified as an attacker, it is useful to know what and how many other hosts the attacker has touched.  This can be found by grepping through the @file{conn} logs for instances of connections by the suspect host.
-@example
-example here
-@end example
-If the attack used a specific, little used, port; another investigation would be to search for other similar connection using that port.  Often the attacker might change attack hosts, but will continue to use the same attack method.
-@example
-example here
-@end example
-@quotation NOTES
-@i{You may want to go back several days, weeks, months, or even years to see if the attacker has visited (and perhaps compromised) you site earlier without being detected.
-@*However, be forwarned that the @file{conn} logs tend to get very large and doing extensive searches can take a very long time.}
-@end quotation
-
-@subsection Odd Activity
-Despite attempts to have the network community adhere to network standards, non-compliant traffic occurs all the time.  The @file{weird} logs are a record of instances of network traffic that simply should not happen.
-@*@*
-While these logs are usually of interest to the most hard-core of network engineers, if a unique attack is detected, it is sometimes valuable to search the weird logs for other unusual activities by the attacking host.  Hackers are not bound by standard protocol and sometimes find ways to circumvent security via @emph{weird} methods.
-
-@node Examine the Bulk Trace if Available 
-@section Examine the Bulk Trace if Available 
-
-For information on using the Bulk trace files for analysis, see 
-@ref{Bulk Traces and Off-line Analysis}.
-
-@node Contact and Question Appropriate People
-@section Contact and Question Appropriate People
-The final and usually the most definitive investigation is to call the owners of the hosts involved.  Often a call to the owner of the local host can reveal that the activity was not normal, but appropriate or a mistake.
-
diff --git a/doc/user-manual/Bro-blocking.texi b/doc/user-manual/Bro-blocking.texi
deleted file mode 100644
index 5cc3ed063e..0000000000
--- a/doc/user-manual/Bro-blocking.texi
+++ /dev/null
@@ -1,37 +0,0 @@
-
-
-@menu
-* To block or not to block -- That is the question::
-* Adjusting criteria for automatic blocking::
-* Manually blocking/unblocking hosts::
-* Sample Blocking Code::
-@end menu
-
-@comment ********************************************
-@node To block or not to block -- That is the question
-@section To block or not to block -- That is the question
-
-insert text here 
-
-@comment ********************************************
-@node Adjusting criteria for automatic blocking
-@section Adjusting criteria for automatic blocking
-
-insert text here 
-
-@comment ********************************************
-@node Manually blocking/unblocking hosts
-@section Manually blocking/unblocking hosts
-
-insert text here 
-
-@comment ********************************************
-@node Sample Blocking Code
-@section Sample Blocking Code
-
-At LBL we use a program called @uref{http://www-nrg.ee.lbl.gov/leres/acl2.html, acld}
-to update the ACLs in our boarder routers on the fly.
-This code is available at:  ftp://ftp.ee.lbl.gov/acld.tar.gz
-
-
-
diff --git a/doc/user-manual/Bro-customizing.texi b/doc/user-manual/Bro-customizing.texi
deleted file mode 100644
index 22c123053d..0000000000
--- a/doc/user-manual/Bro-customizing.texi
+++ /dev/null
@@ -1,508 +0,0 @@
-
-Bro is very customizable, and there are several ways to modify Bro to suit
-your environment. You can write your own policy analyzers using the Bro language.  
-Most sites will likely just want to do minor customizations, such as changing the level
-of an alert from "notice" to "alarm", or turning on or off particular analyzers.
-The chapter describes how to do these types of customizations.
-Information on how to write your own analyzers can be found in
-the @uref{http://www.bro-ids.org/Bro-reference-manual/, Bro Reference Manual}.
-
-The default policy scripts for Bro are all in $BROHOME/policy. These files should @strong{never} be 
-edited, as your edits will be lost when you upgrade Bro. To customize Bro for your site, you
-should make all your changes in $BROHOME/site. Many simple changes just require you
-to @emph{redefine} (using the @uref{
-http://www.bro-ids.org/Bro-reference-manual/Variables-Overview.html,
-@code{redef}} operator, 
-a Bro constant from a standard policy script with your own custom value. You can
-also write your own custom script to do whatever you want.
-
-For example, to add "guest" to the list of 
-@uref{http://www.bro-ids.org/Bro-reference-manual/hot_002dids-Module.html, forbidden_ids}
-(user names that generate a login alarm), you
-do this:
-
-@verbatim
-    redef forbidden_ids += { "guest", };
-@end verbatim
-
-In this chapter we give an overview of all the standard Bro policy scripts, what notices
-they generate, and how to customize the most commonly changed items, and how to write new policy 
-modules.
-
-@menu
-* Builtin Policy Files ::
-* Notices ::
-* Notice Actions ::
-* Customizing Builtin Policy::
-* Writing New Policy::
-* Signatures ::
-* Tuning Scan Detection ::
-* Other Customizations ::
-@end menu
-
-@node Builtin Policy Files
-@section Builtin Policy Files
-@cindex Policy Files
-
-
-Bro @emph{policy} script is the basic analyzer used by Bro to determine what network events are alarm worthy. 
-A policy can also specify what actions to take and how to report activities, as well as determine what activities to scrutinize.  
-Bro uses policies to determine what activities to classify as @emph{hot}, or questionable in intent. 
-These hot network sessions can then be flagged, watched, or responded to via other policies or applications determined to be necessary, such as calling @code{rst} to reset a connection on the local side, or to add an IP address block to a main router's ACL (Access Control List). 
-The policy files use the Bro scripting language, which is discussed in great detail in @uref{http://www.bro-ids.org/Bro-reference-manual/index.html, The Bro Reference Manual}.
-
-Policy files are loaded using an @code{@@load} command. The semantics of @code{@@load} are "load in this script if it hasn't already been loaded", so there is no harm in loading something in multiple policy scripts.
-The following policy scripts are included with Bro. The first set are all on by default, and the second group can be added by adding them to your @file{site/brohost.bro} policy file.
-
-Bro Analyzers are described in detail in the 
-@uref{http://www.bro-ids.org/Bro-reference-manual/Analyzers-and-Events.html, 
-Reference Manual}.
-These policy files are loaded by default:
-
-@quotation
-@multitable  @columnfractions .2 .7
-@item @code{site} @tab  defines local and neighbor networks from static config
-@item @code{alarm} @tab    open logging file for alarm events
-@item @code{tcp} @tab   initialize BPF filter for SYN/FIN/RST TCP packets
-@item @code{login} @tab  rlogin/telnet analyzer (or to ensure they are disabled)
-@item @code{weird} @tab  initialize generic mechanism for detecting unusual events
-@item @code{conn} @tab  access and record connection events
-@item @code{hot} @tab  defines certain forms of sensitive access
-@item @code{frag} @tab  process TCP fragments
-@item @code{print-resources} @tab  on exit, print resource usage information, useful for tuning
-@item @code{signatures} @tab   the signature policy engine
-@item @code{scan} @tab  generic scan detection mechanism
-@item @code{trw} @tab  additional, more sensitive scan detection  
-@item @code{http} @tab general http analyzer, low level of detail
-@item @code{http-request} @tab  detailed analysis of http requests
-@item @code{http-reply} @tab    detailed analysis of http replys 
-@item @code{ftp} @tab   FTP analysis
-@item @code{portmapper} @tab  record and analyze RPC portmapper requests
-@item @code{smtp} @tab  record and analyze email traffic
-@item @code{tftp} @tab  identify and log TFTP sessions
-@item @code{worm} @tab flag HTTP-based worm sources such as Code Red
-@item @code{software} @tab  track software versions; required for some signature matching
-@item @code{blaster} @tab looks for blaster worm 
-@item @code{synflood} @tab looks for synflood attacks
-@item @code{stepping} @tab used to detect when someone logs into 
-your site from an external net, and then soon logs into another site
-@item @code{reduce-memory} @tab sets shorter timeouts for saving state, 
-thus saving memory. If your Bro is using < 50% of you RAM, try not loading this
-@end multitable
-@end quotation
-
-These are @strong{not} loaded by default:
-
-@quotation
-@multitable  @columnfractions .14 .4 .03 .4
-@item @strong{Policy} @tab @strong{Description} @tab @tab @strong{Why off by default} 
-@item @code{drop} @tab    Include if site has ability to drop hostile remotes @tab @tab Turn on if needed
-@item @code{icmp} @tab    icmp analysis @tab @tab CPU intensive and low payoff 
-@item @code{dns} @tab   DNS analysis @tab @tab CPU intensive and low payoff
-@item @code{ident} @tab ident program analyzer @tab @tab historical, no longer interesting
-@item @code{gnutella} @tab looks for hosts running Gnutella @tab @tab Turn this on if you want
-to know about this 
-@item @code{ssl} @tab  ssl analyzer @tab @tab still experimental
-@item @code{ssh-stepping} @tab Detects stepping stones where both incoming and outgoing connections are ssh
-@tab @tab Possibly too CPU intensive (needs more testing)
-@item @code{analy} @tab Performs statistical analysis @tab @tab only used in off-line alalysis
-@item @code{backdoor} @tab Looks for backdoors @tab @tab only effective when also capturing bulk traffic
-@item @code{passwords} @tab Looks for clear text passwords @tab @tab may want to turn on if your site does not allow clear text passwords 
-@item @code{file-flush} @tab Causes all log files to be flushed every N seconds @tab @tab may want to turn on if you are doing "real time" analysis
-@end multitable
-@end quotation
-
-To modify which analyzers are loaded, edit or create a file in @file{$BROHOME/site}. 
-If you write your own new custom analyzer, it goes in this directory too. To disable an analyzer,
-add "@code{@@unload policy.bro}" to the beginning of the file 
-@file{$BROHOME/site/brohost.bro}, before
-the line "@code{@@load brolite.bro}". To add additional analyzers, add them @@load them 
-in @file{$BROHOME/site/brohost.bro}.
-
-
-@node Notices
-@section Notices
-@cindex Predefined Bro Notices
-
-The primary output facility in Bro is called a @emph{Notice}. 
-The Bro distribution includes a number of standard of Notices, listed below. The table 
-contains the name of the Notice, what Bro policy file generates it, and a short description
-of what the Notice is about.
-
-@quotation
-@multitable  @columnfractions .24 .15 .5 
-@item @strong{Notice} @tab @strong{Policy} @tab @strong{Description} 
-
-@item @code{AckAboveHole} @tab weird @tab Could mean packet drop; could also be a faulty TCP implementation 
-@item @code{AddressDropIgnored} @tab scan @tab A request to drop connectivity has been ignored ; (scan detected, but one of these flags is true:  !can_drop_connectivity, or never_shut_down, or never_drop_nets )
-@item @code{AddressDropped } @tab scan @tab Connectivity w/ given address has been dropped
-@item @code{AddressScan} @tab scan @tab The source has scanned a number of addrs
-@item @code{BackscatterSeen} @tab scan @tab Apparent flooding backscatter seen from source
-@item @code{ClearToEncrypted_SS} @tab stepping @tab  A stepping stone was seen in which the first part of the chain is a clear-text connection but the second part is encrypted. This often means that a password or passphrase has been exposed in the clear, and may also mean that the user has an incomplete notion that their connection is protected from eavesdropping.
-@item @code{ContentGap} @tab weird @tab Data has sequence hole; perhaps due to filtering
-@item @code{CountSignature}  @tab signatures @tab Signature has triggered multiple times for a destination
-@item @code{DNS::DNS_MappingChanged} @tab DNS @tab Some sort of change WRT previous Bro lookup
-@item @code{DNS::DNS_PTR_Scan} @tab dns @tab Summary of a set of PTR lookups (automatically generated once/day when dns policy is loaded)
-@item @code{DroppedPackets} @tab netstats @tab Number of packets dropped as reported by the packet filter
-@item @code{FTP::FTP_BadPort} @tab ftp @tab Bad format in PORT/PASV;
-@item @code{FTP::FTP_ExcessiveFilename} @tab ftp @tab  Very long filename seen
-@item @code{FTP::FTP_PrivPort} @tab ftp @tab Privileged port used in PORT/PASV
-@item @code{FTP::FTP_Sensitive} @tab ftp @tab Sensitive connection (as defined in @emph{hot})
-@item @code{FTP::FTP_UnexpectedConn} @tab ftp @tab FTP data transfer from unexpected src
-@item @code{HTTP::HTTP_SensitiveURI} @tab http @tab Sensitive URI in GET/POST/HEAD (default sensitive URIs defined http-request.bro; e.g.:  /etc.*\/.*(passwd|shadow|netconfig)
-@item @code{HotEmailRecipient} @tab smtp @tab XXX Need Example, default = NULL
-@item @code{ICMP::ICMPAsymPayload} @tab icmp @tab  Payload in echo req-resp not the same
-@item @code{ICMP::ICMPConnectionPair} @tab icmp @tab Too many ICMPs between hosts (default = 200)
-@item @code{IdentSensitiveID} @tab ident @tab Sensitive username in Ident lookup
-@item @code{LocalWorm} @tab worm @tab Worm seen in local host (searches for code red 1, code red 2, nimda, slammer) 
-@comment for PDF, need to break up long names 
-@ifnothtml
-@item @code{LoginForbidden ButConfused} @tab login  @tab Interactive login seen using forbidden username, but the analyzer was confused in following the login dialog, so may be in error.
-@end ifnothtml
-@ifnottex
-@item @code{LoginForbiddenButConfused} @tab login  @tab Interactive login seen using forbidden username, but the analyzer was confused in following the login dialog, so may be in error.
-@end ifnottex
-@ifnothtml
-@item @code{Multiple SigResponders} @tab signatures @tab  host has triggered the same signature on multiple responders
-@end ifnothtml
-@ifnottex
-@item @code{MultipleSigResponders} @tab signatures @tab  host has triggered the same signature on multiple responders
-@end ifnottex
-@item @code{MultipleSignatures} @tab signatures @tab host has triggered many signatures
-@item @code{Multiple SigResponders} @tab signatures @tab  host has triggered the same signature on multiple responders
-@item @code{OutboundTFTP} @tab tftp  @tab outbound TFTP seen
-@item @code{PasswordGuessing} @tab scan @tab source tried too many user/password combinations (default = 25)
-@item @code{PortScan} @tab scan  @tab the source has scanned a number of ports
-@item @code{RemoteWorm} @tab worm @tab worm seen in remote host
-@ifnothtml
-@item @code{Resolver Inconsistency} @tab  dns @tab  the answer returned by a DNS server differs from one previously returned
-@end ifnothtml
-@ifnottex
-@item @code{ResolverInconsistency} @tab  dns @tab  the answer returned by a DNS server differs from one previously returned
-@end ifnottex
-@item @code{ResourceSummary} @tab print-resources @tab prints Bro resource usage
-@ifnothtml
-@item @code{Retransmission Inconsistency} @tab weird @tab possible evasion; usually just bad TCP implementation
-@end ifnothtml
-@ifnottex
-@item @code{RetransmissionInconsistency} @tab weird @tab possible evasion; usually just bad TCP implementation
-@end ifnottex
-@item @code{SSL_SessConIncon} @tab ssl @tab session data not consistent with connection
-@item @code{SSL_X509Violation} @tab ssl @tab blanket X509 error
-@item @code{ScanSummary} @tab scan @tab a summary of scanning activity, output once / day
-@item @code{SensitiveConnection} @tab conn @tab connection marked "hot", See: @uref{http://www.bro-ids.org/Bro-reference-manual/hot_002dids-Module.html, Reference Manual section on hot ids} for more information. 
-@item @code{SensitiveDNS_Lookup} @tab dns @tab DNS lookup of sensitive hostname/addr; default list of sensitive hosts = NULL 
-@item @code{SensitiveLogin} @tab login @tab interactive login using sensitive username (defined in 'hot')
-@ifnothtml
-@item @code{Sensitive PortmapperAccess} @tab portmapper @tab the given combination of the service looked up via the pormapper, the host requesting the lookup, and the host from which it's requiesting it is deemed sensitive
-@end ifnothtml
-@ifnottex
-@item @code{SensitivePortmapperAccess} @tab portmapper @tab the given combination of the service looked up via the pormapper, the host requesting the lookup, and the host from which it's requiesting it is deemed sensitive
-@end ifnottex
-@item @code{SensitiveSignature} @tab signatures @tab  generic for alarm-worthy
-@ifnothtml
-@item @code{SensitiveUsername InPassword} @tab login @tab During a login dialog, a sensitive username (e.g., "rewt") was seen in the user's password.  This is reported as a notice because it could be that the login analyzer didn't track the authentication dialog correctly, and in fact what it thinks is the user's password is instead the user's username.
-@end ifnothtml
-@ifnottex
-@item @code{SensitiveUsernameInPassword} @tab login @tab During a login dialog, a sensitive username (e.g., "rewt") was seen in the user's password.  This is reported as a notice because it could be that the login analyzer didn't track the authentication dialog correctly, and in fact what it thinks is the user's password is instead the user's username.
-@end ifnottex
-@item @code{SignatureSummary} @tab signatures @tab summarize number of times a host triggered a signature (default = 1/day)
-@item @code{SynFloodEnd} @tab synflood @tab end of syn-flood against a certain victim. 
-A syn-flood is defined to be more than SYNFLOOD_THRESHOLD (default = 15000) new connections
-have been reported within the last SYNFLOOD_INTERVAL (default = 60 seconds) for a certain IP.
-@item @code{SynFloodStart} @tab synflood @tab start of syn-flood against a certain victim
-@item @code{SynFloodStatus} @tab synflood @tab report of ongoing syn-flood
-@item @code{TRWAddressScan} @tab trw @tab source flagged as scanner by TRW algorithm
-@item @code{TRWScanSummary} @tab trw @tab summary of scanning activities reported by TRW
-@ifnothtml
-@item @code{Terminating Connection} @tab conn @tab "rst" command sent to connection origin, connection terminated, triggered in the following policies: ftp and login: forbidden user id, hot (connection from host with spoofed IP address)
-@end ifnothtml
-@ifnottex
-@item @code{TerminatingConnection} @tab conn @tab "rst" command sent to connection origin, connection terminated, triggered in the following policies: ftp and login: forbidden user id, hot (connection from host with spoofed IP address?)
-@end ifnottex
-@item @code{W32B_SourceLocal} @tab blaster @tab report a local W32.Blaster-infected host
-@item @code{W32B_SourceRemote} @tab blaster @tab report a remote W32.Blaster-infected host
-@item @code{WeirdActivity} @tab Weird @tab generic unusual, alarm-worthy activity
-@end multitable
-@end quotation
-
-Note that some of the Notice names start with "ModuleName::" (e.g.: FTP::FTP_BadPort)
-and some do not. This is becuase not all of the Bro Analyzers
-have been converted to use the @uref{http://www.bro-ids.org/Bro-reference-manual/Module-Facility.html,
-Modules facility} yet.  Eventually all notices will start with "ModuleName::".
-
-To get a list of all Notices that your particular Bro configuration might generate,
-you can type:
-@example
-  sh . $BROHOME/etc/bro.cfg; bro -z notice $BRO_HOSTNAME.bro
-@end example
-
-@node Notice Actions
-@section Notice Actions
-@cindex Customizing Notice Actions
-
-Notices that are deemed particularly important
-are called @emph{Alarms}. Alarms are sent to the alarm log file, and to 
-optionally to @emph{syslog}. 
-
-The standard Bro distribution supports a number of types of @emph{notice actions}, these are:
-
-@quotation
-@multitable  @columnfractions .3 .5
-@item @code{NOTICE_IGNORE} @tab   do nothing
-@item @code{NOTICE_FILE} @tab  send to 'notice' file
-@item @code{NOTICE_ALARM_ALWAYS} @tab   send to alarm file and @emph{syslog}
-@item @code{NOTICE_ALARM_PER_CONN} @tab  send to alarm file once per connection
-@item @code{NOTICE_EMAIL} @tab  send to alarm file and send email
-@item @code{NOTICE_PAGE} @tab  send to alarm file and send to pager
-@end multitable
-@end quotation
-
-It is also possible to define your own custom notice actions.
-
-By default, all notices are set to NOTICE_ALARM_ALWAYS except for the following:
-@example
-ContentGap, AckAboveHole, AddressDropIgnored, PacketsDropped, 
-RetransmissionInconsistency
-@end example
-
-By default all Alarms are also sent to @emph{syslog}. To disable this, add:
-
-@verbatim
-   redef enable_syslog = F;
-@end verbatim
-
-To change the default notice action for a given notice, add something like this to your @file{site/brohost.bro} file:
-
-@verbatim
-   redef notice_action_filters += {
-        [[WeirdActivity, ContentGap]] = ignore_notice,
-   };
-@end verbatim
-
-This will cause the Notices @code{WeirdActivity} and @code{ContentGap} to no longer get logged anywhere.
-To send these Notices to the Notice log file only, and not to the Alarm log, add this:
-
-@verbatim
-   redef notice_action_filters += {
-        [[WeirdActivity, ContentGap]] = file_notice,
-   };
-@end verbatim
-
-For NOTICE_EMAIL and NOTICE_PAGE, 
-email is sent using the script specified by the mail_script variable
-(default: "mail_notice.sh"), which must be in $PATH. 
-To activate this, $mail_dest must be set. 
-Email is only sent if Bro is reading live traffic.
-
-For example, to send email on TerminatingConnection and FTP_Sensitive notices, add
-something like this:
-
-@verbatim
-redef mail_dest = "youremail@yoursite.edu";
-
-redef notice_action_filters += {
-    [[TerminatingConnection, FTP::FTP_Sensitive]] = send_email_notice,
-};
-
-@end verbatim
-
-
-@comment  XXX what if someone wanted to define their own new notice action. What would they do?
-
-@node Customizing Builtin Policy 
-@section Customizing Builtin Policy 
-@cindex Customizing Builtin Policy 
-
-The default policy scripts for Bro are all in $BROHOME/policy. Remember that 
-these files should @strong{never} be 
-edited, as your edits will be lost when you upgrade Bro. To customize Bro for your site, you
-should make all your changes in $BROHOME/site. Many simple changes just require you
-to @emph{redefine} (using the @uref{
-http://www.bro-ids.org/Bro-reference-manual/Variables-Overview.html,
-@code{redef}} operator, 
-a Bro constant from a standard policy script with your own custom value. You can
-also write your own custom script to do whatever you want.
-
-Here are some example of the types of things you may want to customize.
-
-To add "guest" to the list of 
-@uref{http://www.bro-ids.org/Bro-reference-manual/hot_002dids-Module.html, forbidden_ids}
-(user names that generate a login alarm), you
-do this:
-
-@verbatim
-    redef forbidden_ids += { "guest", };
-@end verbatim
-
-To add a new rootkit string to HTTP
-@uref{http://www.bro-ids.org/Bro-reference-manual/http_002drequestbro.html, sensitive_URIs}:
-@verbatim
-   redef HTTP::sensitive_URIs += /^.*rootdown.pl.*$/;
-@end verbatim
-
-
-@node Writing New Policy
-@section Writing New Policy 
-@cindex  Writing New Policy
-
-For example, if your site only allows external http and mail to a small, 
-controlled lists of hosts, you could write a new .bro file containing this:
-
-@verbatim
-const web_servers = { www.lbl.gov, www.bro-ids.org, };
-const mail_servers = { smtp.lbl.gov, smtp2.lbl.gov, };
-
-const allow_my_services: set[addr, port] = {
-        [mail_servers, smtp],
-        [web_servers, http],
-};
-@end verbatim
-
-Bro can then generate an Alarm or even terminate the connection for policy violations.
-For example:
-
-@verbatim
-
-event connection_established(c: connection)
-{
-   local id = c$id;
-   local service = id$resp_p;
-   local inbound = is_local_addr(id$resp_h);
-
-   if ( inbound && [id$resp_h, service] !in allow_my_services )
-      NOTICE ([$note=SensitiveConnection, $conn=c,
-		$msg=fmt("hot: %s", full_id_string(c)) ]);
-    if ( inbound && service in terminate_successful_inbound_service )
-            terminate_connection(c);
-}
-@end verbatim
-
-To test this you might do the following. First,
-generate some "offline" data to play with:
-
-@example
- # tcpdump -s 0 -w trace.out port smtp or port http 
-@end example
-
-Kill off the tcpdump after capturing traffic for a few minutes (use ctrl-C).
-Then add the above Bro code to your hostname.bro file, and 
-run Bro against this captured trace file: 
- 
-@example
- # setenv BROHOME /usr/local/bro
- # setenv BROPATH $BROHOME/site:$BROHOME/policy
- # bro -r trace.out hostname.bro       
-@end example
-
-
-
-
-@node Signatures
-@section Signatures
-@cindex Signatures
-
-@include Bro-signatures.texi
-
-@node Tuning Scan Detection
-@section Tuning Scan Detection 
-@cindex Tuning Scan Detection
-
-There are a large number of tunable parameters in the scan analyzer, all of which
-are described in @uref{http://www.bro-ids.org/Bro-reference-manual/scan-Analyzer.html,
-the reference manual}. Most of these parameters should be fine for all sites. The only settings
-that you may want to tune are:
-
-@itemize
-@item report_peer_scan: Generate a log message whenever a remote host has attempted to connect to the given number of distinct hosts. Default = @{ 100, 1000, 10000, @}.
-@item report_outbound_peer_scan: Generate a log message whenever a local host has attempted to connect to the given number of remost hosts. Default = @{ 100, 1000, @}.
-
-@item skip_services: list of ports to ignore scans on, because they often gets scanned
-by legitimate (or at least common) services. The default list can be found
-in the brolite.bro file.
-@end itemize
-
-If you want enable ICMP scan detection, set these:
-
-@example
-redef ICMP::detect_scans = T;
-redef ICMP::scan_threshold = 100;
-@end example
-
-@node Other Customizations
-@section Other Customizations
-@cindex Scan Thresholds
-
-There are a number of things you may wish to customize.
-
-@strong{hot_ids}
-
-The policy file @uref{http://www.bro-ids.org/Bro-reference-manual/hot_002dids-Module.html,
-@file{hot-ids.bro}} contains a number of constants that you
-might want to customize by "redef"ing them in your brohost.bro policy file.
-These are all used to generate FTP and login alarms (SensitiveConnection Notice) 
-for suspicious users.
-The user ID's that are in @code{hot_ids} and not in @code{always_hot_ids}
-are only hot upon successful login. For details see the
-@uref{http://www.bro-ids.org/Bro-reference-manual/hot_002dids-Module.html,
-Bro Reference Manual}.
-
-@quotation
-@multitable  @columnfractions .25  .6
-@item @strong{constant} @tab @strong{Defaults} 
-@item forbidden_ids @tab "uucp", "daemon", "rewt", "nuucp",
-        "EZsetup", "OutOfBox", "4Dgifts",
-        "ezsetup", "outofbox", "4dgifts", "sgiweb"
-	"r00t", "ruut", "bomb", "backdoor",
-	"bionic", "warhead", "check_mate", "checkmate", "check_made",
-	"themage", "darkmage", "y0uar3ownd", "netfrack", "netphrack"
-@item always_hot_ids @tab "lp", "demos", 
- 	"retro", "milk", "moof", "own", "gdm", "anacnd",
-	+ forbidden_ids 
-@item hot_ids @tab "root", "system", "smtp", "sysadm", "diag", "sysdiag", "sundiag",
-	"sync", "tutor", "tour",
- 	"operator", "sys", "toor", "issadmin", "msql", "sysop", "sysoper",
-         + always_hot_ids
-
-@end multitable
-@end quotation
-
-@strong{Input/Output Strings}
-
-The policy files login.bro and ftp.bro both contain a list of input and output strings
-that indicate suspicious activity. In you wish to add anything to this list, you
-may want to @code{redef} one of these. 
-@example
-login.bro: see @uref{http://www.bro-ids.org/Bro-reference-manual/login-variables.html,
-input_trouble and output_trouble}
-ftp.bro: see @uref{http://www.bro-ids.org/Bro-reference-manual/ftp-variables.html,
-ftp_hot_files}
-@end example
-
-@strong{Sensitive URIs}
-
-The policy file http-request.bro contain a list of http URI's 
-that indicate suspicious activity. In you wish to add anything to this list, you
-may want to @code{redef} one of these. 
-
-@comment XXX need to explain how this relates to signatures, and when to use each.
-
-@example
-sensitive_URIs 
-sensitive_post_URIs 
-@end example
-
-@strong{Log Files}
-
-@code{redef} this to rotate the log files every N seconds
-@example
-log_rotate_interval (default = 0 sec, don't rotate) 
-@end example
-
-@code{redef} this to rotate the log files when they get this big
-@example
-log_max_size (default = 250e6, rotate when any file exceeds 250 MB)
-@end example
-
-@comment XXX: what else should we document here?
-
diff --git a/doc/user-manual/Bro-dir-files.texi b/doc/user-manual/Bro-dir-files.texi
deleted file mode 100644
index 9258f517d9..0000000000
--- a/doc/user-manual/Bro-dir-files.texi
+++ /dev/null
@@ -1,647 +0,0 @@
-@float Figure, The Bro Directory Structure
-@image{BroDir}
-@caption{The Bro Directory Structure}
-@end float
-
-@menu
-* The bro/bin Directory ::
-* The bro/etc Directory ::
-* The bro/var Directory ::
-* The bro/scripts Directory ::
-* The bro/policy Directory ::
-@c * The bro/sigs Directory ::
-* The bro/site Directory ::
-* The bro/logs Directory ::
-* The bro/archive Directory ::
-* Other Files ::
-@end menu
-@cindex directory structure
-
-@node The bro/bin Directory
-@appendixsec The bro/bin Directory
-@cindex bro/bin Directory
-@cindex adtrace executible
-@c @cindex bdcat executible
-@c @cindex bifcl executible
-@cindex bro executible
-@cindex cf executible
-@cindex rst executible
-
-The bin directory is the storage area for executable binary 
-files used by Bro.
-
-@subsubheading adtrace
-adtrace retrieves MAC and IP address information from 
-tcpdump trace files
-@quotation
-   usage:
-@example
-         adtrace <trace-file>
-@end example
-@end quotation
-
-@ignore
->>>>>>>>>>>>>>>>>>>>>>>>
-@subsubheading bdcat
-In the Bro policy language, the files Bro access can be encrypted (see 
-the &encrypt attribute in the technical manual). bdcat is used to 
-decrypt the files.
-@comment add URL link to &encrypt attribute in the technical manual
-
-@subsubheading bifcl
-Built-in functions (.bif files) are implemented in C++ and 
-can be called by Bro policy scripts. The bif compiler, 
-bifcl, takes a .bif file and generates the corresponding 
-C++ segments and Bro language declarations, so that each 
-function only needs be written once in a .bif file and the 
-actual C++/Bro code will be automatically generated.
-<<<<<<<<<<<<<<<<<<<<<<<<
-@end ignore
-
-@subsubheading bro
-This program is the primary Bro executable.  
-Full use of the bro command is documented in the technical 
-manual.
-@comment add URL link to Bro command in technical manual
-
-@subsubheading cf
-A program that converts UNIX epoch time into a conventional 
-date.  Most of the raw Bro logs record UNIX epoch time as 
-the timestamp for their records.  Piping the file through 
-cf will convert the time.  Full use of cf is documented in 
-the technical manual.
-@comment add URL link to cf in technical manual
-
-@subsubheading rst
-A program that Bro calls to form and send a reset packet 
-which will tear down a tcp connection.  The use of rst is 
-documented in the Technical Manual and in chapter ### of 
-the User Manual.
-@comment add URL link to rst in Technical Manual
-@comment fix ### with correct chapter
-
-@node The bro/etc Directory
-@appendixsec The bro/etc Directory
-@cindex alert_scores
-@cindex bro/etc Directory
-@cindex bro.cfg file
-@cindex bro.cfg.example file
-@cindex bro.rc file
-@cindex bro.rc-hooks.sh file
-@cindex signature_scores
-@cindex VERSION file
-
-Configuration and other ancillary files are stored in the 
-etc directory.  These files are usually changed by 
-supplimentary configuration tools supplied with the Bro 
-distribution. Direct editing of these files is discouraged.  
-If direct edits are made, the changes may be reversed or 
-deleted during subsequent Bro updates.
-
-@subsubheading alert_scores
-This file contains ranking numbers for alarms (the use of the term "alert" is
-vestigial and will be changed in the future).  The ranking numbers are used as part of the ranking system for determining the success likelihood of an incident triggering a specific alarm.
-
-@subsubheading bro.cfg
-This file contains configuration criteria for operational 
-parameters.  Most of the parameters are set during the 
-installation process and can be changed using the bro-
-config script.
-@comment add URL link to bro-config script
-
-@subsubheading bro.cfg.example
-A annotated, generic bro.cfg file.  This file is not used 
-by Bro.  It is supplied for documentation purposes.
-
-@subsubheading bro.rc
-This is the script for controlled starting and stopping of 
-Bro.  See section ### for its use.
-@comment fix ### with correct chapter
-@comment add URL link to start/stop section
-
-@subsubheading bro.rc-hooks.sh
-This script is called by bro.rc at various points during 
-the starting and stopping of Bro.  It is presented as an 
-interface for customizations into the start and stop 
-process. 
-@comment need instruction on how to add hooks
-
-@subsubheading signature_scores
-This file contains ranking numbers for signatures.  The ranking numbers are used as part of the ranking system for determining the success likelyhood of an incident triggering a specific signature.
-
-@subsubheading VERSION
-A file containing the Bro version number for the installed 
-distribution.
-
-@node The bro/var Directory
-@section The bro/var Directory
-@cindex bro/var Directory
-@cindex autorestart file
-@cindex pid file
-@cindex start_time file
-
-Temporary information about the current Bro instance is 
-stored in the var directory.
-
-@subsubheading autorestart
-Contains the word "ON" if Bro is configured to autorestart.
-
-@subsubheading pid
-Contains the process ID number for the current instance of 
-Bro.
-
-@subsubheading start_time
-Contains the date and time when the current instance of Bro 
-was started.
-
-@node The bro/scripts Directory
-@appendixsec The bro/scripts Directory
-@cindex bro-config script
-@cindex bro/scripts Directory
-@cindex bro-logchk.pl script
-@cindex bro_log_compress.sh script
-@cindex host-grep script
-@cindex host-to-addrs script
-@c @cindex hot-report script
-@cindex ip-grep script
-@c @cindex mon-report script
-@c @cindex mvlog script
-@cindex site-report.pl script
-@cindex bro/scripts/pm Directory
-@cindex bro/pm Directory
-
-This directory contains a number of auxiliary scripts used 
-to suppliment Bro's operation.
-
-@subsubheading bro-config
-A utility script for changing the Bro operational 
-parameters in the bro.cfg file.
-@comment add URL link to installation instructions
-
-@subsubheading bro-logchk.pl
-@comment needs to be fixed or removed
-@emph{Currently, this file does not work}@*
-A utility program for searching ftp and http log files for 
-activity by specific ip addresses.
-@quotation
-Usage:
-@verbatim
-   bro-logchk.pl -[hrDFHds] -f filename -a ipaddr -x ipaddr
-       -h          print this usage information
-       -F          using ftp log
-       -H          using http log
-       -r          try to resolve IP addresses to hostnames
-       -f file     log file to parse
-       -a ipaddr   only output connections from this address
-       -s          only want matching source address (used with -a )
-       -d          only want matching dest address (used with -a )
-       -D          debug option
-       -x ipaddr   exclude connections from this address
-@end verbatim
-@end quotation
- 
-@subsubheading bro_log_compress.sh
-A very simple script written to manage log and coredump files.  By 
-default it compresses log files older than 30 days and sends them to 
-the archive directory; it deletes log files older than 60 days; and it 
-deletes coredump files older than 4 days.
-@quotation
-Restrictions:
-@itemize
-   @item Must be run from a user account that has read/write/execute access to files in the $BROHOME directory.
-@end itemize
-@end quotation
-
-@subsubheading host-grep
-Greps a Bro connection summary log on stdin for two given hostnames.
-@quotation
-Usage:
-@example
-      host-grep [-a] hostname hostname < connection_log
-      If -a is specified then we only want lines with *all* of the listed hosts.
-@end example
-Restrictions:
-@itemize
-   @item Must have $BROHOME/scripts included in the PATH environment variable.
-   @item Will only work with hostnames.  ip addresses are not accepted
-   @item Uses host-to-addrs and ip-grep scripts
-@end itemize
-@end quotation
-
-@subsubheading host-to-addrs
-Finds all ip addresses associated with a given hostname.
-@quotation
-Usage:
-@example
-      host-to-addrs hostname
-@end example
-Restrictions:
-@itemize
-   @item Must have $BROHOME/scripts included in the PATH environment variable.
-   @item Will only work with hostnames.  IP addresses are not accepted
-@end itemize
-@end quotation
-
-@ignore
->>>>>>>>>>>>>>>>>>>>>>>>>>
-@subsubheading hot-report
-@comment needs to be fixed or removed
-@emph{Currently, this file does not work}@*
-Obsolete report generator
-<<<<<<<<<<<<<<<<<<<<<<<<<<
-@end ignore
-
-@subsubheading ip-grep
-Returns an exact grep pattern for matching the IP addresses of the 
-given hosts
-@quotation
-Usage:
-@example
-ip-grep hostname hostname ...
-@end example
-Restrictions:
-@itemize
-   @item Must have $BROHOME/scripts included in the PATH environment variable.
-   @item Will only work with hostnames.  ip addresses are not accepted
-   @item Uses host-to-addrs script
-@end itemize
-@end quotation
-
-@ignore
->>>>>>>>>>>>>>>>>>>>>>>>>>
-subsubheading mon-report
-@comment needs to be fixed or removed
-@emph{Currently, this file does not work}@*
-Obsolete report generator
-
-@subsubheading mvlog
-@comment needs to be fixed or removed
-@emph{Currently, this file does not work}@*
-Rotates log files every six hours by gzipping them and moving them into directories $BROHOME/logs/<date>/.  The six hour interval is adjustable.  See the file header for more info.
-<<<<<<<<<<<<<<<<<<<<<<<<<<
-@end ignore
-
-@subsubheading site-report.pl
-This script produces the daily consolidated site report.  By default, it is run daily via the cron job submitted by the bro user via files in /var/cron/tabs.
-
-@subsubheading The bro/scripts/pm Directory
-This directory contains perl modules to support the perl scripts in the scripts directory.
-
-@node The bro/policy Directory
-@appendixsec The bro/policy Directory
-@cindex bro/policy Directory
-This directory contains all standard Bro policy files.  For more information about the policy files see section ###, Policy
-@comment need section number and name of section
-@comment add URL link to Policy section 
-
-Signature support files:
-
-@subsubheading sig-addendum.sig
-This file contains small support utilities that are used in the implementation of Bro signatures.
-
-@subsubheading sig-functions.bro
-@emph{To be completed}
-@comment need to add definition
-
-@subsubheading sig-action.bro
-@emph{To be completed}
-@comment need to add definition
-
-
-Policy files:
-@itemize
-@item active.bro
-@item alarm.bro
-@item analy.bro
-@item anon.bro
-@item backdoor.bro
-@item blaster.bro
-@item bro.bif.bro
-@item bro.init
-@item brolite.bro
-@item capture-events.bro
-@item checkpoint.bro
-@item common-rw.bif.bro
-@item conn-id.bro
-@item conn.bro
-@item const.bif.bro
-@item contents.bro
-@item cpu-adapt.bro
-@item demux.bro
-@item dns-info.bro
-@item dns-lookup.bro
-@item dns.bro
-@item drop-adapt.bro
-@item event.bif.bro
-@item finger-rw.bif.bro
-@item finger.bro
-@item flag-irc.bro
-@item flag-warez.bro
-@item frag.bro
-@item ftp-anonymizer.bro
-@item ftp-cmd-arg.bro
-@item ftp-reply-pattern.bro
-@item ftp-rw.bif.bro
-@item ftp-safe-words.bro
-@item ftp.bro
-@item gnutella.bro
-@item hand-over.bro
-@item hot-ids.bro
-@item hot.bro
-@item http-abstract.bro
-@item http-body.bro
-@item http-entity.bro
-@item http-event.bro
-@item http-header.bro
-@item http-reply.bro
-@item http-request.bro
-@item http-rewriter.bro
-@item http-rw.bif.bro
-@item http.bro
-@item icmp.bro
-@item ident-rewriter.bro
-@item ident-rw.bif.bro
-@item ident.bro
-@item inactivity.bro
-@item interconn.bro
-@item listen-clear.bro
-@item listen-ssl.bro
-@item load-level.bro
-@item login.bro
-@item mime.bro
-@item mt.bro
-@item netstats.bro
-@item notice.bro
-@item notice.bro.old
-@item ntp.bro
-@item pcap.bro
-@item pkt-profile.bro
-@item port-name.bro
-@item portmapper.bro
-@item print-filter.bro
-@item print-globals.bro
-@item print-resources.bro
-@item print-sig-states.bro
-@item profiling.bro
-@item reduce-memory.bro
-@item remote-pcap.bro
-@item remote-print.bro
-@item remote.bro
-@item scan.bro
-@item secondary-filter.bro
-@item signatures.bro
-@item signatures.bro.old
-@item site.bro
-@item smtp-relay.bro
-@item smtp-rewriter.bro
-@item smtp-rw.bif.bro
-@item smtp.bro
-@item snort.bro
-@item software.bro
-@item ssh-stepping.bro
-@item ssh.bro
-@item ssl-alerts.bro
-@item ssl-ciphers.bro
-@item ssl-errors.bro
-@item ssl-worm.bro
-@item ssl.bro
-@item stats.bro
-@item stepping.bro
-@item synflood.bro
-@item tcp.bro
-@item tftp.bro
-@item trw.bro
-@item udp.bro
-@item vlan.bro
-@item weird.bro
-@item worm.bro
-@end itemize
-
-@ignore
->>>>>>>>>>>>>>>>>>>>>>>>
-@node The bro/sigs Directory
-@appendixsec The bro/sigs Directory
-@cindex bro/sigs Directory
-@cindex ex.web-rules.sig
-@cindex snort-default.sig
-@cindex ssl-worm.sig
-@cindex worm.sig
-
-@subsubheading ex.web-rules.sig
-@*This file contains a subset of Snort's signatures pertaining to http activity that have been converted into Bro signature language.
-
-@subsubheading snort-default.sig
-@*This file contains a subset of Snort's signatures that have been converted into Bro signature language.
-
-@subsubheading ssl-worm.sig
-@*This file contains Bro signatures to detect the Apache/SSL worm.
-
-@subsubheading worm.sig
-@*This file contains Bro signatures to detect several different worms.
-<<<<<<<<<<<<<<<<<<<<<<<<<
-@end ignore
-
-@node The bro/site Directory
-@appendixsec The bro/site Directory
-@cindex bro/site Directory
-@cindex s2b-addendum-sigs.sig
-@cindex s2b-functions.bro
-@cindex s2b-sigaction.bro
-@cindex s2b.sig
-
-@subsubheading signatures.sig
-@emph{To be completed}
-@comment need to add definition
-
-@node The bro/logs Directory
-@appendixsec The bro/logs Directory
-@cindex bro/logs Directory
-@cindex alarm log
-@cindex conn log
-@cindex ftp log
-@cindex http log
-@cindex info log
-@cindex notice log
-@cindex signatures log
-@cindex smtp log
-@cindex software log
-@cindex weird log
-@cindex worm log
-@cindex .state
-@cindex active_log
-
-
-All logs take the form@*
-@example
-@emph{type.hostname.start_date/time-end_date/time}
-@end example
-The date/time stamps for 
-each record in the files are always in UNIX (ticks since 
-epoch) format.
-@*@*
-@emph{type} is one of the following:
-
-@subsubheading alarm
-Network occurrences that are determined to be of high 
-importance will be written into the alarm file.  The 
-determination is made by the Bro policy scripts.  Local 
-site modifications can override default Bro alarms or 
-create new ones that are site specific.
-Each entry contains the date/time, the alarm type, and a 
-description of the alarm.
-This file is usually the "starting point" for 
-investigation.  Each alarm should be evaluated for further 
-follow-up action.
-
-@subsubheading conn
-All network connections detected by Bro are recorded in 
-this file.  A connection is defined by an initial packet 
-that attempts to set up a session and all subsequent 
-packets that take part in the session.  Initial packets 
-that fail to set up a session are also recorded as 
-connections and are tagged with a failure state that 
-designates the reason for failure.
-Each entry contains the following data describing the 
-connection: date/time, the duration of the connection, the 
-local and remote ip addresses and ports, bytes transferred 
-in each direction, the transport protocol (udp, tcp), the 
-final state of the connection, and other information 
-describing the connection.
-This file is often used in forensic analysis to determine 
-network activity by a suspect host beyond the immediate 
-alarm.
-@comment add URL link to conn file description in tech manual
-
-@subsubheading ftp
-All transactions involving the well known ftp control port 
-(21) are recorded into this file.  Each entry is marked by 
-an arbitrary session number, allowing full ftp control 
-sessions to be reconstructed.
-Each entry contains the date/time, a session number, and 
-ftp connection information or the specific ftp commands 
-transferred.
-This file is often used to examine details of  suspect ftp 
-sessions.
-
-@subsubheading http
-All transaction involving the well known http ports (80, 
-8000, 8080) are recorded into this file.  Each entry is 
-marked by an arbitrary session number, allowing the full 
-http session to reconstructed
-Each entry contains the date/time, a session number, and 
-http connection information or the specific http commands 
-transferred.
-This file is often used to examine details of  suspect web 
-sessions.
-
-@subsubheading info
-This file contains information concerning the operation of 
-Bro during the time interval covered by the file.  The 
-entries will consist of the Bro version number, startup 
-information, and Bro runtime warnings and errors.
-This file is helpful in troubleshooting Bro operational 
-difficulties. 
-
-@subsubheading notice
-Network occurrences that are determined to be of nominal 
-importance will be written into the notice file.  The 
-determination is made by the Bro policy scripts.  Local 
-site modifications can override default Bro alarms or 
-create new ones that are site specific.  The notice files 
-are similar to the alarm files, but of lesser importance.
-Each entry contains the date/time, a notice type, a notice 
-action, the local and remote ip addresses and ports.  
-Optionally, depending on the type of notice, an entry might 
-contain information about user, filename, method, URL, and 
-other messages.
-This file alerts to occurrences that are worth noting, but 
-do not warrant an alarm.
-
-@subsubheading signatures
-This file contains information associated with specific 
-signature matches.  These matches do not necessarily 
-correspond to all alarms or notices, only to those that are 
-triggered by a signature.
-Each entry contains the date/time, a description of the 
-signature,  the local and remote ip addresses and ports,  
-the signature id number (if available),  a description of 
-the signature trigger, a portion of the offending payload 
-data, a count of that particular signature, and a count of 
-the number of involved hosts.
-This file gives details that are helpful in evaluating if 
-an event triggered by a signature match is a false-
-positive.
-
-@subsubheading smtp
-All transactions involving the well known smtp port (25) 
-are recorded into this file.  Each entry is marked by an 
-arbitrary session number, allowing full smtp sessions to be 
-reconstructed.
-Each entry contains the date/time, a session number, and 
-smtp connection information or the specific smtp commands 
-transferred.
-This file is often used to examine details of suspect mail 
-sessions.
-
-@subsubheading software
-This file is a record of all unique host/software pairs 
-detected by Bro during the time interval covered by the 
-file.
-Each entry in the file contains the date/time, the ip 
-address of the host, and information about the software 
-detected.
-This file can be useful for cataloging network software.  
-However, population of this file on a busy network often 
-results in a huge number of entries.  Since the relative 
-daily usefulness of the file usually does not warrant the 
-disk space it consumes, the software file is turned off by 
-default.  It can be turned on by <<<instructions>>>
-@comment needs instructions on how to turn on software file
-
-@subsubheading weird
-Network events that are unusual or exceptional are recorded 
-in this file.  A number of these events "shouldn't" or even 
-"can't" happen according to accepted protocol definitions, 
-yet they do.
-Each entry in the file contains the date/time, the local 
-and remote ip addresses and ports, and a short description 
-of the weird activity.
-This file is useful for detecting odd behavior that might 
-normally "fly under the radar" and also for getting a 
-general sense of the amount of "garbage" that is on the 
-network.
-
-@subsubheading worm
-Bro's worm.bro policy detects patterns generated by 
-specific worms and records the instance in this file.  
-Currently, the worms detected are code red1, code red2, 
-nimda, and slammer. 
-Each entry in the file contains the date/time, the worm 
-detected, and the source ip address of the worm.
-This file is useful for spotting hosts that have been 
-infected with worms.
-
-@*@*Other files in the /logs directory are:
-
-@subsubheading .state
-@emph{To be completed}
-@comment need to add definition
-
-@subsubheading active_log
-@emph{To be completed}
-@comment need to add definition
-
-@node The bro/archive Directory
-@appendixsec The bro/archive Directory
-@cindex bro/archive Directory
-
-The archive directory is initially empty.  The script 
-bro/script/bro_log_compress.sh populates the archive directory 
-with compressed log files.
-@comment add URL link to bro_log_compress.sh
-
-@node Other Files
-@appendixsec Other Files
-@comment need to add other files outside of the Bro directory tree
-
-
diff --git a/doc/user-manual/Bro-hardware.texi b/doc/user-manual/Bro-hardware.texi
deleted file mode 100644
index 4a76c7bcbb..0000000000
--- a/doc/user-manual/Bro-hardware.texi
+++ /dev/null
@@ -1,94 +0,0 @@
-
-@menu
-* Number and Type of Machines Needed::
-* Hard Drive and Controller Considerations::
-* NICs::
-* Taps::
-* ACL Mechanisms::
-@end menu
-@comment ********************************************
-
-@node Number and Type of Machines Needed
-@section Number and Type of Machines Needed
-@cindex Host issues
-
-
-Bro won't run well unless you use suitable hardware.  This section of the Bro User Manual
-describes the many hardware-related issues with which you'll need to deal if Bro is to run
-optimally.
-
-
-The better the equipment, the better Bro will run, so getting the best equipment you can afford is
-a good idea. In particular the speed of the CPU and motherboard will affect Bro's performance in
-filtering, analyzing, reacting and storing the network data that it encounters. Ideally the CPU
-should have a processing speed of around 1GHz or higher and the motherboard should be at least
-500MHz. The CPU and motherboard should be reliable and durable, and if possible obtain
-machines that support dual CPUs. RAM is also extremely important in dealing with the large
-amounts of network throughput without packet drops; a minimum of 1 GB of RAM is thus
-recommended, other than for small networks, with 2 GB approaching the optimal. The amount of motherboard BIOS memory
-can also make a big difference for Bro performance, and having more than one network port is
-also a very good idea, as explained shortly.
-
-The number of machines you will need depends on the scope of your Bro deployment (e.g., how
-many protocols you want to analyze, how much traffic Bro will need to process, whether you
-want to store packet capture data, and so on). No matter how small a deployment you have, you
-will probably at a minimum want two machines, one for bulk recording/data capture and one for
-analyzing live Bro data.  With large deployments Bro is likely to work best with a number of
-machines (perhaps up to five), each dedicated to a specific task. In this latter case it may be best
-to have one machine can perform data capture, another to process and store connection
-summaries, still another to run policy scripts, and a few redundant machines for the sake of
-operational continuity.
-
-
-@comment ********************************************
-
-@node Hard Drive and Controller Considerations
-@section Hard Drive and Controller Considerations
-@cindex Disk Issues
-@cindex Controller Issues
-
-Every Bro machine needs to have at least one large capacity hard drive, a minimum of 60 to 80
-GB of storage (and more in the case of the bulb trace host), and possible a second hard drive, too.
-Bro output files can fill a small capacity hard drive quickly, and the packet capture output can be
-voluminous if Bro is engaging in a considerable amount of analysis because the network
-throughput rate is high or a large amount of anomalous packets are traversing the network where
-Bro is placed.
-
-What type of hard drive is best? Although SCSI (Small Computer System Interface), SATA
-(Serial ATA) or IDE (Integrated Drive Electronics) disks may all potentially prove satisfactory
-from a performance standpoint, many people who run Bro choose IDE if they run Bro on
-FreeBSD. Why -- IDE has been tested in connection with FreeBSD more extensively than the
-other types of disk hardware. Obtaining a high-end disk controller card is also advantageous to
-performance.
-
-
-
-@comment ********************************************
-
-@node  NICs
-@section   NICs
-@cindex  NICs
-
-Bro deployments require at least two NICs, one for capturing network data and the other for
-interfacing with the network so that Bro can be remotely administered. Three NICs can also be
-used, with two of them for acquiring network data (to minimize data loss resulting from packet or
-frame errors) and one for remote administration. High-end NICs are recommended in that they
-generally result in far fewer packet drops or losses than do inexpensive ones. A NIC speed of
-about 1 Gb per second is usually more than sufficient. No more than two NICs for capturing
-network data is necessary.
-
-If two network data acquisition NICs are used, each needs to be suited for the type of network to
-which it will be attached. 
-SysKonnect SK-9844 Gigabit Ethernet cards are recommended because they have been tested extensively with Bro. 
-Having identical NICs is desirable from a management standpoint.
-
-@comment ********************************************
-@node Taps
-@section  Taps
-@cindex Taps
-
-@comment ********************************************
-@node ACL Mechanisms 
-@section  ACL Mechanisms 
-@cindex ACL Mechanisms 
-
diff --git a/doc/user-manual/Bro-installation.texi b/doc/user-manual/Bro-installation.texi
deleted file mode 100644
index 0e403b80f0..0000000000
--- a/doc/user-manual/Bro-installation.texi
+++ /dev/null
@@ -1,432 +0,0 @@
-
-@menu
-* Download ::
-* Install ::
-* Bro Configuration ::
-* OS Configuration ::
-* Encrypted Reports ::
-* Generating Reports on a Separate Host ::
-@end menu
-
-@node Download
-@section Download
-@cindex download
-
-Download Bro from: @uref{http://www.bro-ids.org/}
-
-You can unpack the distribution anywhere except into the directory
-you plan to install into. To untar the file, type:
-
-@example
-tar xzf bro-pub-0.9-current.tar.gz
-@end example
-
-@node Install
-@section Install
-@cindex BROHOME
-
-You'll need to collect the following information before beginning the installation.
-
-@itemize
-@item localnets: a list of local subnets for your network. Bro needs to know which networks are "internal" and which are "external".
-
-@item interface names: the names of the capture interfaces in your host (e.g. sk0 or en1). Use @code{ifconfig -a} to get the list of all network interfaces on your Bro host.
-@end itemize
-
-If you want to use Bro's periodic email report feature, you'll also need:
-@itemize
-@item email list: a list of email addresses to send the reports to.
-
-@item PGP keys: if you want to encrypt all email reports, the location of the 
-@uref{http://www.gnupg.org/,GPG keyring} of all recipients.
-@end itemize
-
-Bro is easy to install. Log in as @code{root}, and type:
-@example
-./configure
-@end example
-By default Bro is installed in @code{/usr/local/bro}. 
-This location
-is referred to in the rest of the manual as @code{$BROHOME}.
-To install Bro in a location other than @file{/usr/local/bro}, use:
-@example
-./configure --prefix=/path/to/bro
-@end example
-By default Bro uses the version of libpcap that is installed on
-the system. If your system version older than version 0.7.2, you can run configure
-Bro with --enable-shippedpcap to use the version of libpcap that comes packaged
-with Bro. For example:
-@example
-./configure --enable-shippedpcap
-@end example
-
-Then type:
-@example
-make
-make install
-@end example
-or
-@example
-make install-brolite
-@end example
-
-Use @emph{make install} to install all the Bro binaries and policy script files. Use
-@emph{make install-brolite} to also run the configuration script (described in the next section) and install all the configuration files and @code{cron} jobs. @emph{make install} can be run as any user, but @emph{make install-brolite} requires
-you to be root.
-
-To update an existing Bro installation with new binaries and standard policy files, instead
-of @code{"make install"} do a @code{"make update"}. This will preserve all your local customizations.
-
-Then add @code{$BROHOME/bin} and @code{$BROHOME/scripts} to your $PATH to use
-Bro's utilities and scripts.
-
-Also note that this documentation is installed in @code{$BROHOME/docs} as both HTML and PDF versions.
-
-@node Bro Configuration
-@section Bro Configuration
-@cindex bro_config
-@cindex bro.cfg
-
-The @emph{Bro-Lite} configuration script can be used to automatically configure (or reconfigure) Bro for you. It
-checks your system's BPF settings, creates a "bro" user account, installs
-a script to start Bro at boot time, installs the report generation package,
-and installs a number of @code{cron} jobs 
-to checkpoint Bro every night, run periodic reports, and manage log files.
-
-To run this configuration script type:
-@example
-bro_config
-@end example
-
-
-This script creates the file @file{$BROHOME/etc/bro.cfg}.
-@code{bro_config} will ask a number of simple questions. Note
-that the full functionality of this script is only supported
-under FreeBSD. Some additional configuration may need to be
-done by hand under Linux.
-
-Sample output of @code{bro_config}, along with explanation, is shown below:
-
-@quotation
-
-@verbatim
-Running Bro Configuration Utility
-Checking interfaces ....  Done.
-Reading /usr/local/bro/etc/bro.cfg.example for defaults.
-@end verbatim
-@quotation 
-@quotation 
-The @code{bro_config} script looks first at ./bro.cfg, then /usr/local/bro/etc,  
-for default values to use below.
-@end quotation
-@end quotation
-
-@verbatim
-Bro Log archive location [/usr/local/bro/archive] 
-@end verbatim
-@quotation
-@quotation
-This is the directory where log file archives are kept. 
-If you expect the log files to be very large, it is recommended to put these in a separate disk partition.
-@end quotation
-@end quotation
-
-@verbatim
-User id to install and run Bro under [bro] 
-@end verbatim
-@quotation
-@quotation
-@code{bro_config} will create a new user account with this username if the user does not exist. 
-@end quotation
-@end quotation
-
-@verbatim
-Interface names to listen on. [en1,en2] 
-@end verbatim
-@quotation
-@quotation
-@code{bro_config} looks for all network interfaces and does a short test to determine which interfaces see the most traffic, and selects these interfaces as the default. 
-@end quotation
-@end quotation
-
-@verbatim
-Site name for reports (i.e. LBNL, FOO.COM, BAZ.ORG) [] 
-Starting Report Time [0600]
-Report interval (in hours) [24]
-Email addresses for reports [bro@localhost] 
-@end verbatim
-
-@quotation
-@quotation
-Daily reports will be created.  
-Enter the site name you want to appear at the top and in the subject of all email reports.
-The "start time" and "interval" define the window of 
-network activity that the daily report will cover, starting at "Starting Report Time" and 
-lasting through "Report interval". The start time should be entered using 24hr clock notation. 
-For example: 12:30AM = 0030,  2PM = 1400
-@end quotation
-@end quotation
-
-
-@verbatim
-Do you want to encrypt the email reports (Y/N) [N]
-Y
-@end verbatim
-@quotation
-@quotation 
-If you want the email reports encrypted, you will need to set up GPG (@uref{http://www.gnupg.org})
-and create a GPG keyring containing the public keys of all email recipients. Instructions 
-for this are in @ref{Encrypted Reports}.
-@emph{Note: PGP keys are compatible with GPG, but the Bro supplied scripts 
-require GPG, not PGP}.
-
-@end quotation
-@end quotation
-
-@verbatim
-Running script to determine your local subnets ... 
-Your Local subnets [198.129.224.1/32] 
-@end verbatim
-
-@quotation
-Bro needs to know a list of your local subnets. @code{bro_config} runs a tool 
-that attempts to discover this automatically. 
-You should always verify the results of this tool. The format is a list of subnet/significant 
-bits of address. 
-For example: 131.243.0.0/16, 198.128.0.0/18, 198.129.224.1/32
-This information will be stored in the file @code{$BROHOME/site/local.site.bro}
-@end quotation
-
-@verbatim
-Saving settings to file: /usr/local/bro/etc/bro.cfg
-Bro configuration finished. 
-To change these values, you can rerun bro_config at any time.
-@end verbatim
-@quotation
-Indicates that the script finished successfully.
-@end quotation
-
-@end quotation
-
-For site monitoring very high traffic rates on Gigabit Ethernet, there is some
-additional system tuning that should be done. See the @ref{Performance Tuning} 
-section for more details.
-
-To reconfigure Bro, run:
-@example
-BRHOME/scripts/bro_config
-@end example
-
-This will update your @file{/usr/local/bro/etc/bro.cfg} file. You can also edit this file using your favorite editor if you prefer.
-
-For other site customizations, you can edit the file $BROHOME/site/brohost.bro.
-For example, to tell bro to not look at traffic for host 198.162.44.66, add:
-@verbatim
-     redef restrict_filters += {
-       ["ignore host 198.162.44.66 "] =
-	 "not host 198.162.44.66"
-     };
-@end verbatim
-
-More details are available in the section on @ref{Customizing Bro}.
-
-@node OS Configuration
-@section OS Configuration
-
-This section contains information on critical OS tuning items. More detailed
-tuning information can be found in the section on @ref{Performance Tuning}.
-
-@strong{FreeBSD Configuration}
-
-The standard FreeBSD kernel imposes a per-process limit of 512 MB of memory.
-This is not enough for most Bro installations. 
-
-To check your current limit type:
-
-@smallexample
-limits -H
-@end smallexample
-
-Unfortunately the only way to increase this limit in FreeBSD 4.x
-is to reconfigure and rebuild the kernel.
-In FreeBSD 5.x it is much easier. Just increase
-@code{kern.maxdsiz} in @file{/boot/defaults/loader.conf} and reboot.
-For example:
-@smallexample
-kern.maxdsiz="2G"
-@end smallexample
-
-
-and look at the @code{datasize} setting, which should be the same
-as your amount of RAM. If this is not true, see section @ref{Hardware and OS Tuning}
-for information on fixing this.
-
-For FreeBSD 5.3+, BPF devices are no longer created using MAKEDEV, but rather are
-created on demand. This is configured automatically by running '@code{make install-brolite}',
-or you can figure it by hand by adding the following to @code{/etc/rc.local}
-
-@verbatim
-devfs ruleset 15
-devfs rule add 15 path 'bpf*' mode 660 user bro
-@end verbatim
- 
-
-@strong{Linux Configuration}
-
-You may want increase these for a high traffic environment.
-
-@emph{not done: need to get recommended values for these}:
-
-@verbatim
-/proc/sys/net/core/rmem_default (IP-Stack socket receive queue)
-/proc/sys/net/core/rmem_max     (similar to rmem_default)
-/proc/sys/net/core/netdev_max_backlog (queue between driver and socket)
-@end verbatim
-
-
-@node Encrypted Reports 
-@section Encrypted Reports 
-@cindex GPG
-
-Bro can use GPG (@uref{http://www.gnupg.org/}) to encrypt
-the reports that it sends. To have Bro encrypt your
-reports you must have said "yes" to the bro_config question to
-encrypt your reports. 
-Then each email recipient much generate a public/private key pair, and their public key 
-must be installed on the Bro machine in the home directory of the user running
-the Bro process.
-
-To create a key-pair:
-
-@example
-gpg --gen-key
-@end example
-
-To export the public key:
-
-@example
-gpg --armor --output mykey.gpg --export myemail@@address.com
-@end example
-
-Then login to the machine running Bro and import the list of public keys:
-
-@example
-gpg --import mykey.gpg
-@end example
-
-
-Then you must to make the list of keys "trusted" so that they can be used
-to encrypt the email reports. To do this, you must 
-edit the key to add "ultimate" trust to the key.
-
-@example
-gpg --edit-key myemail@@address.com
-
-pub  1024D/4A872E40  created: 2001-02-05 expires: never      trust: -/f
-sub  3072g/B72DD7FE  created: 2001-02-05 expires: never     
-(1). Some R. User <myemaill@@address.com>
-
-Command> trust
-pub  1024D/4A872E40  created: 2001-02-05 expires: never      trust: -/f
-sub  3072g/B72DD7FE  created: 2001-02-05 expires: never     
-(1). Some R. User <myemail@@address.com>
-
-Please decide how far you trust this user to correctly
-verify other users' keys (by looking at passports,
-checking fingerprints from different sources...)?
-
- 1 = Don't know
- 2 = I do NOT trust
- 3 = I trust marginally
- 4 = I trust fully
- 5 = I trust ultimately
- m = back to the main menu
-
-Your decision? 5
-Do you really want to set this key to ultimate trust? yes
-
-pub  1024D/4A872E40  created: 2001-02-05 expires: never      trust: u/u
-sub  3072g/B72DD7FE  created: 2001-02-05 expires: never     
-(1). Some R. User <myemail@@address.com>
-
-Command> quit
-
-@end example
-
-For more information on GPG see @uref{http://www.gnupg.org/}
-
-@node Generating Reports on a Separate Host 
-@section Generating Reports on a Separate Host 
-@cindex report generate, separate host
-@cindex GPG
-
-@emph{Warning: this section assumes a reasonably high level of Unix system administration skills!}
-
-If your site has lots of traffic, lots of connections, or if Bro is using on average more than around 40% of your CPU,
-you'll want to use a second host for generating reports.
-
-To do this, on the Bro host, run bro_config, and say "N" to all report generation questions.
-Then install Bro on the second host using the following:
-
-@example
-./configure
-make
-make install-reports
-@end example
-
-Then follow the instructions in @ref{Bro Configuration} for setting up report generation.
-
-You'll also need to set up a method to copy files from the Bro host to the report generation
-host. One way to do this is using @code{rsync}, and the Bro script @code{push_logs.sh} 
-does this for you. For example, you can set up a cron job
-like this on the Bro host:
-
-@example
-1 1 * * * (push_logs.sh /usr/local/bro/etc/bro.cfg host:/home/bro) >> /tmp/bro-push.log
-@end example
-
-To make sure your @code{rsync} command has time to transfer
-all log files before your report generation
-script is run, the @code{push_logs.sh} script is designed to be used with the scripts
-@code{frontend-site-report.sh} and @code{frontend-mail-report.sh} on the frontend host. 
-These @code{frontend} scripts wait for a file with a particular name to exist before running.
-It is also important to use the @code{nice} 
-command to help ensure the network copy does not unduly divert processing away from Bro.
-
-You may want to @code{rsync} the log files over a secure ssh connection. To do this,
-you need to first generate a ssh key pair on the Bro capture host with no passphrase:
-@example
-ssh-keygen -t rsa -C "batch key" -f ./batch.key
-@end example
-
-Put this in user @code{bro}'s .ssh/config file, also on the Bro capture host
-@example
-Host recvhost brohost.foo.com
-IdentityFile ~/.ssh/batch.key
-@end example
-
-On the frontend host where the log files will be processed, add batch.pub 
-to the authorized_keys file
-@example
-cat batch.key.pub >> authorized_keys
-@end example
-
-Then create a cron entry on the Bro capture host 
-@example
-1 1 * * * nice -n 20 rsync -e 'ssh' -azv \
-  /usr/local/bro/logs host:/home/bro
-@end example
-
-@comment @node Web GUI Installation / Configuration 
-@comment @section Web GUI Installation / Configuration 
-
-@comment The Bro Web Logfile viewing GUI is not yet packaged in an easy to install format.
-@comment However if you want to give try installing it, there are
-@comment instructions at:
-@comment @uref{http://www.icir.org/twiki/bin/view/Bro/BrooeryGUI/}
-@comment 
-@comment This web GUI can run on a lightly loaded Bro host, but it is recommended to run this on a separate host. Use the @code{rsync} method described in 
-@comment @ref{Generating Reports on a Separate Host} to
-@comment copy files to the web host. Note: this web server should NOT be publicly accessible
-@comment to the Internet. Information in the log files is generally very sensitive.
-@comment 
diff --git a/doc/user-manual/Bro-intrusion-prevention.texi b/doc/user-manual/Bro-intrusion-prevention.texi
deleted file mode 100644
index 99ce165120..0000000000
--- a/doc/user-manual/Bro-intrusion-prevention.texi
+++ /dev/null
@@ -1,91 +0,0 @@
-
-Bro includes two important @emph{active response} capabilities that allow sites to use Bro
-for intrusion prevention, and not just intrusion detection. These include the ability to
-terminate a connection known to be an intrusion, and the ability to update a
-blocking router's access control list (ACL) to block attacking hosts.
-
-@menu
-* Terminating a Connection ::
-* Updating Router ACL ::
-@end menu
-
-@node Terminating a Connection
-@section Terminating a Connection
-@cindex Terminating a Connection
-
-The Bro distribution includes a program called @code{rst} that will terminate
-a active connection by sending a TCP "reset" packet to the sender. 
-The @code{ftp} and @code{login} analyzers look for connections that should be terminated.
-All connections from a @uref{http://www.bro-ids.org/Bro-reference-manual/hot_002dids-Module.html, 
-@code{forbidden_id}} get flagged for termination, as well as any service
-defined in @code{terminate_successful_inbound_service}. 
-
-Connection termination is off by default. To enable it, redefine the following
-flag in your @file{site/site.local.bro} file:
-
-@example
-  redef activate_terminate_connection = T ;
-@end example
-
-Connections are terminated using the @code{rst} program, which is installed
-in $BROHOME/bin. To use this program change the file permission to be setuid root.
-Whenever a connection is terminated you will see a @code{TerminatingConnection} alarm.
-If Bro detects a connection that Bro thinks is a candidate for termination, but
-@code{activate_terminate_connection = F}, then you will see the alarm: 
-@code{IgnoreTerminatingConnection}.
-
-You may want to add a number of services to the list of forbidden services. 
-For example, to terminate all successful attempts
-to access the RPC portmapper via TCP from an external network, you would add this:
-
-@verbatim
-    redef terminate_successful_inbound_service += {
-        [111/tcp] = "disallow external portmapper"
-    }; 
-@end verbatim
-
-This will prevent NFS connections from external hosts. P2P services such as KaZaa can 
-also be terminated in this manner. You can make exceptions to 
-@code{terminate_successful_inbound_service}
-by redefing @code{allow_services_to}. See @code{hot.bro} for details.
-
-@comment {Note: This functionality may no longer work. should include a more complex example here.}
-
-@comment : XXX For example, show a config for:
-@comment :   deny all NFS except to subnet XXX
-@comment :   deny all netbios except to subnet XXX
-@comment :   deny all Kazaa
-@comment :   deny all FTP except to host Y, Z
-@comment :     further restrict anonymous FTP to only host P
-@comment :   deny all DHCP servers except  a,b,c
-@comment :   deny all DNS except a,b,c
-@comment :   deny all SMTP except a,b,c
-@comment :   deny all pop, imap  to hosts a.b.c
-@comment :      only allow encrypted imap
-
-@node  Updating Router ACL
-@section  Updating Router ACL
-@cindex  Updating Router ACL
-
-Bro can be used to send the IPs of scanning or attacking hosts to your router, so
-that the router can drop these hosts.
-
-Since every router does this differently, you will need to write a script that works for your
-router. 
-
-To active your custom drop script, add this to your hostname.bro file:
-
-@verbatim
- @load scan
- redef can_drop_connectivity  = T;
- redef drop_connectivity_script = "my_drop_script";
-@end verbatim
-
-
-At LBL we use a program called @uref{http://www-nrg.ee.lbl.gov/leres/acl2.html, acld}
-to update the ACLs in our boarder routers on the fly.
-This code is available at:  ftp://ftp.ee.lbl.gov/acld.tar.gz
-
-
-
-
diff --git a/doc/user-manual/Bro-log-files.texi b/doc/user-manual/Bro-log-files.texi
deleted file mode 100644
index 2891ede950..0000000000
--- a/doc/user-manual/Bro-log-files.texi
+++ /dev/null
@@ -1,3 +0,0 @@
-
-
-coming soon
diff --git a/doc/user-manual/Bro-offline-analysis.texi b/doc/user-manual/Bro-offline-analysis.texi
deleted file mode 100644
index 17c22a725a..0000000000
--- a/doc/user-manual/Bro-offline-analysis.texi
+++ /dev/null
@@ -1,102 +0,0 @@
-
-@strong{NOTE: This chapter still a very rough draft and incomplete}
-
-Bro is most effective when used in conjunction with bulk traces
-from your site. Capturing bulk traces just involves using @code{tcpdump}
-to capture all traffic entering and leaving your site.
-
-Bulk traces can be very valuable for forensic analysis of all traffic
-in and out of a compromised host. It is also needed to run some
-particularly CPU intensive policy analyzers that can not be done
-in real time (as described in the Off-line Analysis section below).
-
-Depending on your traffic load, you might be able to bulk capture on
-the Bro host directly, but in general we recommend using a separate
-packet capture host for this. Unless you want to buy a huge amount
-of disk, you'll probably only be able to save a few days worth
-of traffic.
-
-@menu
-* Bulk Traces ::
-* Off-line Analysis ::
-@end menu
-
-@node Bulk Traces
-@section Bulk Traces 
-@cindex Bulk Traces
-
-The Bro distribution includes a couple scripts to make bulk capture
-easier. These are:
-
-@code{spot-trace}: called by @code{start-capture-all} script
-
-@code{start-capture-all}: captures all packets. This script looks
-for an existing instance of the @code{spot-trace} program, and if it finds one
-creates a new capture file name with an incremented filename, 
-and continues capturing data. Bulk
-capture files can get very large, so typically you run this as
-a cron job every 1-2 hours.
-
-@code{bro_bulk_compress.sh}: compress and/or delete old bulk trace files. Run as a cron job. 
-
-@comment XXX: need more details here: eg: edit bro.cfg settings, etc.
-
-Since the bulk trace files can be huge, you often will want 
-to run tcpdump on the raw trace with a filter to extract the packets 
-of interest. For example:
-
-@smallexample
-tcpdump -r bulkXXX.trace -w goodstuff.trace 'host w.x.y.z'
-@end smallexample
-
-If you know that that packets you want are bounded by a time interval, say
-it occurred 1:17PM-1:18PM, then you can speed this up a great deal
-using @uref{ftp://ftp.ee.lbl.gov/tcpslice.tar.Z, tcpslice}.
-For example:
-
-@smallexample
-tcpslice 13h15m +5m bulkXXX.trace | tcpdump -r - -w goodstuff.trace 'host w.x.y.z'
-@end smallexample
-
-It is recommend to use a somewhat broader time interval for tcpslice
-(such as in the above example) than when
-Bro reported the activity occurred, so you can catch additional related
-packets cheaply.
-
-
-@node Off-line Analysis
-@section Off-line Analysis
-@cindex Off-line Analysis
-
-There are some policy modules that are meant to be run as off-line
-analysis on bulk trace files. These include:
-
-@code{backdoor.bro}:  looks for standard services running on non-standard ports.
-These services include ssh, http, ftp, telnet, and rlogin.
-
-To run Bro on a tcpdump file, do something like this:
-
-@comment ### XXX we really need a version of this that works with tcsh, grrrr ...
-@smallexample
-# set up the Bro environment (sh or bash)
-. /usr/local/bro/etc/bro.cfg
-/usr/local/bro/bin/bro -r dumpfile backdoor.bro 
-@end smallexample
-
-To use Bro to extract the contents of a trace file, do:
-@smallexample
-    bro -r tracefile contents
-@end smallexample
-
-which will load policy/contents.bro.  It stores the contents of each
-connection in two files, contents.H1.P1.H2.P2 and contents.H2.P2.H1.P1,
-where H1/P1 is the host/port of the originator and H2/P2 the same for the
-responder. 
-
-You can extract just the connections of interest using, for example:
-@smallexample
-    bro -f "host 1.2.3.4" -r tracefile contents
-@end smallexample
-
-
-
diff --git a/doc/user-manual/Bro-output.texi b/doc/user-manual/Bro-output.texi
deleted file mode 100644
index ffce7a17ad..0000000000
--- a/doc/user-manual/Bro-output.texi
+++ /dev/null
@@ -1,806 +0,0 @@
-
-This section explains the contents of the various output files and reports
-that Bro creates.
-
-@menu
-* Alarm File::
-* Connection Summary File::
-* Analyzer-specific Files::
-* Tracefiles::
-* Bro Summary Reports::
-@comment add someday? * Creating your own Custom Output::
-@end menu
-
-@section Rotating Log Files
-
-There are a number of ways to control the rotation of Bro's log files.
-Here are some examples:
-
-@verbatim
-
-# if using one log, must open append (default = truncate )
-@load log-append
-
-@load rotate-logs
-
-# rotate at midnight
-redef log_rotate_base_time = "0:00";
-
-# do not rotate on shutdown  (default = T)
-redef RotateLogs::rotate_on_shutdown = F;
-
-# rotate frequency
-redef log_rotate_interval = 24 hr;
-
-@end verbatim
-
-
-@comment ********************************************
-
-@node Alarm File
-@section Alarm File
-
-@subsection Alarm File Format
-
-The alarm.log is 
-a 'tagged' format that is fairly self descriptive. This is
-an example from the alarm.log file:
-
-@verbatim
-   t=1000057981.940712 no=AddressScan na=NOTICE_ALARM_ALWAYS sa=10.1.1.1 sp=2222/tcp da=10.2.2.2 dp=3333/tcp msg=10.1.1.1\ has\ scanned\ 2000\ hosts\ (3333/tcp
-) tag=@42
-@end verbatim
-
-Where the tags indicate the following:
-@itemize
-@item t: time
-@item no: notice
-@item na: notice action
-@item sa: source address
-@item sp: source port
-@item da: destination address
-@item dp: destination port
-@item msg: message (in this case a host has scanned 20 hosts)
-@item tag: identifier to match this to lines in notice.log and conn.log:
-@end itemize
-
-The alarm file format is designed to be easy to parse and interpret by programs, not humans.
-
-@subsection Sample Alarm File Contents
-
-@emph{NOTE: the examples in this section still use the old log format. This needs to be updated}
-
-@c XXX fix these
-
-Bro generates a number of types of alarms, such as suspicious connection attempts directed 
-at your systems (address scanning), port scans, and attempts to gain access to user accounts. 
-We describe some of these in more detail here.
-
-@strong{Vulnerability scans directed against systems}
-
-The first category of suspicious connection attempts that Bro identifies and reports is vulnerability scans directed against systems. 
-Instead of burdening you with every vulnerability scan (no matter how tiny) against systems that occurs, 
-it reports only scans that occur at or above its threshold in terms of a specified size, such as the number of vulnerability scan attempts per second. 
-The following entry indicates that IP address 66.243.211.244 has scanned 10000 of your systems on tcp port 445, the port used by newer Windows systems such as Windows 2000, XP and Server 2003 for share access: 
-
-@smallexample
-Nov 16 06:30:49 AddressScan 66.243.211.244 has scanned 10000 hosts (445/tcp)
-@end smallexample
-
-Important note: If the source of a scan is an IP address within your own network, the probability that this system is infected or has been taken over by an attacker is very high.  
-
-At the bottom portion of each Bro report summaries of scan activity also will appear for your convenience (see the bottom part of Figure 1). Scan summaries look like the following:  
-
-@smallexample
-Nov 16  8 01:30:11 ScanSummary 194.201.88.100 scanned a total of 145 hosts
-@end smallexample
-
-@strong{Port scanning }
-
-Port scanning means that a system has targeted one system, connecting to one port, then another, until it has scanned a whole range of ports.  In the following example a system with an IP address of 218.204.91.85 has scanned 50 ports of a system named diblys.dhcp within an internal network:  
-
-@smallexample
-Nov 16 06:30:50 PortScan 218.204.91.85 has scanned 50 ports of siblys.dhcp
-@end smallexample
-
-An address dropped entry is likely to appear shortly after a port scan is reported. In the following entry, the system with an IP address of 218.204.91.85 was systematically probing low ports, that is, ports in the range from 0 to 1023, on sibyls.dhcp:
-
-@smallexample
-Nov 16 06:30:52 AddressDropped low port trolling 218.204.91.85 403/tcp
-@end smallexample
-
-
-@strong{Connection attempts}
-
-Bro finds attacks against user accounts, such as password guessing attempts. When it does, it reports them as follows:   
-
-(Need example here)
-
-@strong{Weird events}
-
-Bro labels unusual or exceptional events as @emph{weird} Weird events include a wide range of events, including malformed connections, 
-attacker's attempts to confuse or evade being detected, malfunctioning hardware, or misconfigured systems or network devices such as routers. 
-Some weird events could be the result of an attack; others are just anomalies. 
-The better you know your own systems and networks, the more likely you will be to correctly determine whether or not weird events compromise an attack. 
-Weird events are divided into three categories: 
-
-@enumerate
-1. Weird connections that are not formed in accordance with protocol conventions such as the way the tcp protocol should work
-
-1. Weird flows in which data is being sent between two systems, but no specific connection between them can be identified, and 
-
-1. Weird network behavior that cannot be associated with any particular system. 
-@end enumerate
-
-The following entry shows a weird connection in which packets are being sent between systems in what 
-appears to be an ongoing ftp session, but Bro has not identified any initial connection attempt (i.e., there is an @emph{ack above a hole}): 
-
-@smallexample
-Nov 16 06:30:58 WeirdActivity window/50406 > klecker.debian.org/ftp ack above a hole
-@end smallexample
-
-The next entry (below) shows another weird traffic pattern in which eqvaadvip1.doubleclick.net has sent a flood of FIN packets, packets that tell the other system in a connection to terminate the connection, to bcig-8 within the network that Bro protects.  
-
-@smallexample
-Nov 16 06:32:09 WeirdActivity bcig-8/2044 > eqvaadvip1.doubleclick.net/http: FIN_storm
-@end smallexample
-
-Here's another one --- in this case a system with an IP address of 222.64.93.208 has sent a flood of packets that have both the SYN and the ACK flags set, something that should normally happen only once in a TCP session. @command{nsx} is the destination system.  
-
-@smallexample
-Nov 16 06:30:58 WeirdActivity 222.64.93.208/1115 > nsx/dns: repeated_SYN_with_ack
-@end smallexample
-
-Packets sent over networks are often broken up (or @emph{fragmented}) for various reasons. 
-Fragmented packets are not necessarily a sign of an attack, but large fragments can 
-indicate suspicious activity such as attempts to cause denial of service. 
-In the following example Bro has identified a very large packet fragment sent by p508c7fc5.dip.t-dialin.net to an internal system with an IP  address of 131.243.3.162:  
-
-@smallexample
-Nov 16 06:30:50 WeirdActivity p508c7fc5.dip.t-dialin.net -> 131.243.3.162: excessively_large_fragment
-@end smallexample
-
-Sometimes attackers attempt to evade being detected by sending malformed packets to the system they are attacking. 
-The receiving system cannot process them, so it informs the sending (attacking system) accordingly, asking it to resend them. 
-The sending system may now send packets that constitute an attack. Some intrusion detection systems (but not Bro) ignore what is resent because in theory it is unnecessary to reanalyze what has already been sent. 
-Bro detects this kind of retransmission inconsistency (@emph{rexmit inconsistency}) and reports it. 
-The following example shows that there has been retransmission inconsistency in packets 
-sent by a system at IP address 131.243.223.212 to origin2.microsoft.com:  
-
-@smallexample
-Nov 16 06:30:59 RetransmissionInconsistency 131.243.223.212/2270 > origin2.microsoft.com/http @/ rexmit inconsistency (HTTP/1.1 200 OK^M^JDate: Tue, 16 Nov 2004
-@end smallexample
-
-
-@comment ********************************************
-@node Connection Summary File
-@section Connection Summary File
-
-See the 
-@uref{http://www.bro-ids.org/Bro-reference-manual/Connection-summaries.html, Connection Summary} 
-section in the reference manual for a description of the @code{conn.log} files.
-
-@comment ********************************************
-
-@node Analyzer-specific Files
-@section Analyzer-specific Files
-
-A number of analyzers such as HTTP and FTP generate their own log files. These files are
-fairly self explanatory.
-
-coming soon: sample http.log, ftp.log, etc
-
-@comment ********************************************
-
-@node Tracefiles
-@section Tracefiles
-
-Bro can be configured to output captured packets that look to be part of suspicious sessions.
-These files are in @code{tcpdump} format.
-
-@comment ********************************************
-
-
-@node Bro Summary Reports
-@section Bro Summary Reports
-
-@cindex e-mail reports
-
-@emph{NOTE: The Bro report facility is still under development. This section
-may be out of date. }
-
-Bro reports are generated using the @command{site-report.pl} script, which is
-typically run as a nightly @command{cron} job.
-
-A daily report is created that covers three sets of
-information:
-
-@itemize
-@item Incident information
-@item Operational status of Bro
-@item General network traffic information
-@end itemize
-
-The reports will be mailed to the email addresses specified during
-Bro installation.  These email addresses can be changed by re-running
-the @code{bro_config} script or by editing @code{$BROHOME/etc/bro.cfg} directly.
-
-@cindex incident
-@cindex incident type
-@cindex report period
-@cindex alarm
-@cindex connection, successful
-@cindex connection, unsuccessful
-@cindex connection, history
-@cindex scans
-@cindex scan, definition
-@cindex scans, successful
-@cindex system statistics
-@cindex traffic statistics
-
-The report is divided into three parts, the summary, incidents, and
-scans.  The summary includes a rollup of incident information, Bro
-operational statistics, and network information.  The incidents section
-has details for each Bro alarm.  The scans section gives details about
-scans that Bro detected.
-
-@subsection Parts of a Report
-
-@subsubheading Header
-The header gives some basic information about the report.
-@quotation
-@strong{Site name} is determined by the "Site name for reports" that was
-given during the installation and configuration process.
-@*@*
-@strong{Start time and interval} of the report are also entered during
-the configuration process.
-@end quotation
-@xref{Bro Configuration}.
-
-@subsubheading Summary
-This section give a numeric summary of the events that have happened in
-the reporting period.
-@quotation
-@strong{Incidents} shows the number of incidents that are recorded in
-the report period.  An incident is any occurrence that is deemed worth
-investigating.  An incident is formed by the triggering of one or more
-alarms.
-@*@*
-@strong{Scanning Hosts} are the number of specific IP addresses that
-have been detected scanning either into or out from the site.@*
-@quotation
- @strong{A scan can be a:}
- @itemize
- @item @strong{port scan:} scanning several ports of a single host.
- @item @strong{network scan:} scanning several hosts for open
-       ports.
- @item @strong{signature scan:} attacking multiple hosts with a
-       specific vulnerability attack (signature).
- @item @strong{targeted attack:} launching multiple signatures against
-       a single host.
- @item @strong{password scan:} attempts to guess passwords on telnet
-terminals.
- @end itemize
-
-@*
- @strong{A successful scan is when:}
- @itemize
- @item the bytes sent by a single probe of a scan against a host or
-several hosts are more than three deviations away from the standard
-deviation of the rest of scan.  In essence, where the bytes transferred
-on one connection is different than the rest of the scan other
-connections involved in the scan.
- @item a separate connection back to the attacker host is detected from
-the local network.
- @item the number of bytes sent back from the targeted victim host to
-the offender during a scan connection exceeds 20480.
- @end itemize
-@end quotation
-
-@comment ### it occurs to me that summarizing signatures here, but not alarms in general, probably overemphasizes the importance of signatures vs. other types of analysis.
-@strong{Signature Summary} shows the total number of alarms triggered by
-signatures during the report period and the number of those that are
-unique. These numbers do not include alarms triggered by embedded Bro
-rules. @xref{Understand What Triggered the Alarm(s)}.
-@end quotation
-
-@subsubheading Signature Distributions
-This is a list of all signatures that were triggered during the report
-period.
-@*
-NOTE:  This section does not include alarms triggered by embedded Bro
-rules. @xref{Understand What Triggered the Alarm(s)}.
-
-@quotation
-@strong{Count} is the number of times the signature was seen.
-@*@*
-@strong{Unique Sources} is the number of unique ip addresses that used
-the specific signature as an attack.
-@*@*
-@strong{Unique Dests} is the number of unique ip addresses that were
-attacked by the particular signature.
-@*@*
-@strong{Unique Pairs} are the number of unique source/dest ip address
-pairs where the source used the signature to attack the destination.
-@end quotation
-
-@subsubheading Incidents
-@quotation Legend
-This is the legend for reading the @i{connections} portions of the each
-incident.  It is shown once on each report at the top of the
-@i{Incidents} section.
-@end quotation
-@quotation Incident number
-Each incident listed in the Bro report is assigned a unique, sequential,
-identification number prefixed with the organization identifier.  This
-number is unique for all incidents, not just to the daily reports.
-@end quotation
-@quotation Remote and Local hosts
-The Remote and Local hosts are identified by both ip address and
-hostname.  The local hosts are those that are in local subnets as
-determined during Bro configuration.  It is important to note that
-@i{remote host} does not infer @i{attack host}.  Attacks can come from
-local hosts (indicating an inside hacker or a compromised host).
-@end quotation
-@quotation Alarms
-The network event(s) that Bro detects and identifies as possible
-attacks.  There are two general types of alarms, those triggered by
-signatures and those triggered by Bro rules.
-@xref{Understand What Triggered the Alarm(s)}, for more information about the differences.
-All alarms will include the date/time of the attack, the direction of
-the attack, and the ports involved.  A @code{SensitiveSignature} will
-include the signature code and payload to help evaluate what triggered
-the alarm.  Embedded Bro rules will include the payload and a session
-number which can be used for further investigation in the logs.
-@xref{Examine HTTP FTP or SMTP Sessions}.
-@end quotation
-@quotation Connections
-A list of the first 25 connections after the first alarm is triggered
-that are attempted between the attacking and victim host.  This
-tabulation of connections can be used to see if connections were
-accepted by the victim host, the amount of bytes transferred in both
-directions, the timing between the connections, and the ports involved.
-@end quotation
-
-@subsubheading Scans 
-This is a summary of the ip addresses involved in successful scans, the
-type of scans, and the attacks used by the scanners.
-
-@subsubheading Connection Log Summary
-This section gives a overview of the most prominent connections that 
-have occurred during the report period, as shown by way of five tables.
-
-@quotation Site-wide connection statistics
-The number of successful and unsuccessful connections and the ratio
-between the two.
-@end quotation 
-@quotation Top 20 Sources 
-Hosts that have initiated the most connections.
-@end quotation 
-@quotation Top 20 Destinations
-Hosts that have accepted connections.
-@end quotation 
-@quotation Top 20 Local E-mail Servers
-The most active E-mail servers.
-@end quotation 
-@quotation Top 20 Services
-The services, as determined by port number, that have been involved in
-connections.
-@end quotation
-
-@subsubheading Byte Transfer Pairs
-This section gives a summary of the ip address address pairs that have
-transferred the most bytes during the report period.
-
-@subsection Annotated Example Report:
-
-@verbatim
-Site Report for ORG_NAME 
-from 2004/11/03 00:00:00 to 2004/11/04 00:00:00
-generated on Sat Nov 13 12:02:48 2004
-@end verbatim
-
-@quotation annotation
-@i{ORG_NAME will normally be replaced with "Site name for reports" that
-was given during the installation and configuration process.}
-@end quotation
-
-@verbatim
-========================================================================
-Summary
-========================================================================
-@end verbatim
-
-@quotation annotation
-@i{Since this report is simple and only includes two incidents, the
-summary is rather uninteresting.  A glance at this summary would reveal
-a rather "slow" day (for which you should be thankful).}
-@end quotation
-
-@verbatim
-  Incidents               2
-  Scanning Hosts
-    Successful            8
-    Unsuccessful          15
-  Signature Summary
-    Total signatures          2
-    Unique signatures         2
-    Unique sources            2
-    Unique destinations       2
-    Unique source/dest pairs  1
-@end verbatim
-
-@quotation annotation
-@i{Since the same to ip addresses were involved in both signature
-attacks, there is only one unique source/dest pair.}
-@end quotation
-
-@verbatim
-========================================================================
-Signature Distributions
-========================================================================
-                                       Unique      Unique    Unique
-  Signature ID               Count     Sources     Dests      Pairs
-  ------------------------  --------  ---------  ---------  --------
-  bro-687-5                 1          1          1          1
-  bro-144-3                 1          1          1          1
-========================================================================
-Incident Details
-========================================================================
-@end verbatim
-
-@quotation annotation
-@i{The following legend appears once in every report at the top of the
-"Incidents" section}
-@end quotation
-
-@verbatim
-     # legend for connection type #
-                  ------------------------------
-         C Connection Status
-           # number corresponds to alarm triggered by the connection
-           * successful connection, otherwise unsuccessful.
-         I Initiatator of Connection
-           > connection initiated by remote host
-           < connection initiated by local host
-------------------------------------------------------------------------
-Incident      ORG_NAME-000004524
---------------------------------
-@end verbatim
-
-@quotation annotation
-@i{The host domain name "org_name.org" will normally be replaced by the
-local domain name.  The IP addresses in this example have been
-synthesized from an imaginary range outside of the octal range.  (We
-realize these ip addresses cannot exist).  In this example the ip ranges
-124.333.0.0/24 and 132.257.0.0/24 are considered the local subnets.}
-@end quotation
-
-@verbatim
-Remote Host: 84.136.338.21   p54877614.dip.hacker.net
- Local Host: 124.333.183.162 pooroljoe.dhcp.org_name.org
-@end verbatim
-
-@quotation annotation
-@i{This attacker was successful in using an SQL attack and then
-downloaded a "tool" using TFTP.  Both of these were detected and created
-the following alarms.}
-@end quotation
-
-@verbatim
-Alarm: SensitiveSignature
-  1    bro-687-5: MS-SQL xp_cmdshell - program execution
-       7/29 12:43:31                  84.136.338.21 -> 124.333.183.62
-                                            566/tcp -> 1433/tcp
-       signature code:
-       signature bro-687-5 {
-         ip-proto == tcp
-         dst-port == 1433
-         event "MS-SQL xp_cmdshell - program execution"
-         tcp-state established,originator
-         payload /.*[xX]\x00[pP]\x00_\x00[cC]\x00[mM]\x00[dD]\x00[sS]
-         \x00[hH]\x00[eE]\x00[lL]\x00[lL]\x00/
-       }
-       payload: xp_cmdshell 'echo.> c:\\temp\\bcp.cmd'
-
-Alarm: SensitiveSignature
-  2    bro-1444-3: TFTP Get
-       7/29 12:43:31                  84.136.338.21 -> 124.333.183.62
-                                           2318/upd -> 69/udp
-       signature code:
-       signature bro-1444-3 {
-           ip-proto == udp
-           dst-port == 69
-           event "TFTP Get"
-           payload /\x00\x01/
-           }
-       payload: Runtime.exe
-@end verbatim
-
-@quotation annotation
-@i{Looking at the "C" column below, the alarms are signified by "1" and
-"2", both occuring at 12:43:31.  Since the attacks take place within one
-second, this is probably an automated attack.  The remote host continues
-to connect to the victim host, using a different port each time to avoid
-detection.  The large transfers from the local host to the remote host,
-subsequent to the alarmed attacks, signifies that the attack is probably
-successful.}
-@end quotation
-
-@verbatim
-Connections (only first 25 after first alarm are listed)
------------
-                 time     byte   remote        local   byte
- date   time   duration transfer  port  C   I   port transfer  protocol
------ -------- -------- -------- ------ ------ ----- -------- ----------
-07/29 12:43:31        ?     566 b  4634 1   >  1433      467 b tcp/MSSQL
-07/29 12:43:31        0         ?  2318 2  <     69       20 b udp/tftp
-07/29 12:43:32    265.7       4 b  4638 *  <   2318      3.0kb udp
-07/29 12:48:56        ?         ?  4640     >  2362          ? tcp
-07/29 12:50:05        ?    11.4kb  4639 *  <   3333      8.6kb tcp
-07/29 12:53:00        0         ?  4684 *   >  2362          ? tcp
-07/29 12:53:07        ?         ?  4685 *   >  2362          ? tcp
-07/29 12:53:59        ?         ?  4689 *   >  2362          ? tcp
-07/29 12:54:14      6.1         0  4693 *  <   2380     94.2kb tcp
-07/29 12:54:21       .5      50 b  4694     >  2381          0 tcp
-07/29 12:54:23       .7         ?  4695    <   2382          0 tcp
-07/29 12:54:25       .5      51 b  4696 *   >  2383          0 tcp
-07/29 12:54:27       .5      61 b  4697 *   >  2384          0 tcp
-07/29 12:54:28       .7      39 b  4698     >  2385          0 tcp
-07/29 12:54:31       .5      41 b  4699 *   >  2386          0 tcp
-07/29 12:54:33      1.2    4.9 kb  4700     >  2387          0 tcp
-07/29 12:54:35     12.8  195.0 kb  4701 *  <   2388          0 tcp
-07/29 12:54:53       .2         ?  4703    <   2390          0 tcp
-07/29 12:54:54       .5      37 b  4704     >  2391          0 tcp
-07/29 12:54:56      3.4      23 b  4705 *   >  2392          0 tcp
-07/29 12:55:04     21.4  308.7 kb  4706     >  2393          0 tcp
-07/29 12:55:27     50.7         ?  4707     >  2394          ? tcp
-07/29 12:59:23        ?         ?  4775     >  1433          ? tcp
-07/29 12:59:25        ?         ?  4774 *   >  3333          ? tcp
-@end verbatim
-
-@quotation annotation
-@i{The next Incident demonstrates alarms triggered by embedded rules,
-rather than signatures.}
-@end quotation
-
-@verbatim
-------------------------------------------------------------------------
-Incident      ORG_NAME-000004525
---------------------------------
-Remote Host:  80.143.378.186     p508FB2BA.dip.t-dialin.net
- Local Host:  128.333.181.191      lemonade.lbl.gov
-@end verbatim
-
-@quotation annotation
-@i{Since these alarms are triggered in the HTTP protocol, the actual
-trigger rules are found in the file} @file{bro/policy/http.bro}.
-@end quotation
-
-@verbatim
-Alarm: HTTP_SensitiveURI
-       11/13 11:36:05                80.143.378.186 -> 128.333.181.191
-                                           1560/tcp -> 80/tcp
-       session: %4672
-       payload: GET http://cn.edit.vip.cnb.yahoo.com/config/login?.redir
-                _from=PROFILES
-
-Alarm: HTTP_SensitiveURI
-       11/13 11:53:54                80.143.378.186 -> 128.333.181.191
-                                           2434/tcp -> 80/tcp
-       session:%7386
-       payload: GET http://l10.login.scd.yahoo.com/config/login?.redir_f
-                rom=PROFILES?&
-@end verbatim
-
-@quotation annotation
-@i{In the connections shown below, all connections are from the remote
-host to the local host, with no successful connections back.  Also the
-payload above is seeking yahoo.com.  Hence the likelihood is that this
-is not an attack.}
-@end quotation
-
-@verbatim
-Connections (only first 25 after alarm are listed)
------------
-                 time     byte   remote        local   byte
- date   time   duration transfer  port  C   I   port transfer  protocol
------ -------- -------- -------- ------ ------ ----- -------- ----------
-11/13 11:36:05 1.109227      297   1560 *    >    80     1531       http
-11/13 11:36:06        ?        ?   1560      >    80        ?       http
-11/13 11:41:51 0.843209      301   3175 *    >    80     1533       http
-11/13 11:41:52        ?        ?   3175      >    80        ?       http
-11/13 11:47:37 2.562365      281   4701 *    >    80     1382       http
-11/13 11:47:39        ?        ?   4701      >    80        ?       http
-11/13 11:53:53 0.694131      293   2434 *    >    80     1529       http
-11/13 11:53:54        ?        ?   2434      >    80        ?       http
-11/13 11:59:23 0.685181      301   3975 *    >    80     1529       http
-11/13 11:59:23        ?        ?   3975      >    80        ?       http
-11/13 12:04:53 1.054925      289   1700 *    >    80     1527       http
-11/13 12:04:54        ?        ?   1700      >    80        ?       http
-11/13 12:11:56 2.579652      283   3442 *    >    80     1523       http
-11/13 12:11:59        ?        ?   3442      >    80        ?       http
-11/13 12:18:08 1.046188      289   1083 *    >    80     1531       http
-11/13 13:14:42        ?        ?   3282      >    80        ?       http
-11/13 13:16:46        ?        ?   4802      >    80        ?       http
-11/13 13:19:04 1.731771        0   2764 *    >    80        0       http
-11/13 13:19:07        ?        ?   2764      >    80        ?       http
-11/13 13:20:42 0.994114      289   4142 *    >    80     1527       http
-11/13 13:20:43        ?        ?   4142      >    80        ?       http
-11/13 13:22:37 1.122448      292   1732 *    >    80     1523       http
-11/13 13:22:38        ?        ?   1732      >    80        ?       http
-11/13 13:24:40 1.042112      289   3179 *    >    80     1531       http
-11/13 13:24:41        ?        ?   3179      >    80        ?       http
-
-
-========================================================================
-Scans (only first 100 shown)
-========================================================================
-@end verbatim
-
-@quotation annotation
-@i{The scans show below are considered "successful".  Four interesting
-scans shown below are the ones originating from the 124.333 and 132.257
-domains, since they are local domains.  These should be investigated.
-The attack against 132.257.85.96 might also be investigated further.
-With each report, a review of the attacks will give an understanding of
-what types of scans are becoming "popular".}
-@end quotation
-
-@verbatim
-Scanning IP      Victim IP       Attack
-132.257.70.234   multiple        bro-1344-5
-132.257.52.64    multiple        bro-1367-5
-63.251.3.51      multiple        bro-2570-6
-124.333.181.191  multiple        bro-1599-7
-210.313.36.53    132.257.85.96   >1000 port scan
-211.300.24.151   132.257.85.96   >1000 port scan
-124.333.95.0     62.214.34.30    >250 port scan
-172.278.206.135  multiple       (3128/tcp)
-
-========================================================================
-Connection Log Summary
-========================================================================
-@end verbatim
-
-@quotation annotation
-@i{The connection log summary gives a general idea of what hosts are
-most active.  The analyst may want to become familiar with any new hosts
-that appear on the next three lists and services that appear or
-radically change position on the fourth list}
-@end quotation
-
-@verbatim
-Site-wide connection statistics
-    Successful:   4498748
-    Unsuccessful: 35941140
-    Ratio: 1:7.989
-
-Top 20 Sources
-                Host                      IP         Bytes   Conn. Count
-  --------------------------------  ---------------  ------  -----------
-                  ns1.org_name.org  124.333.34.186    3.7 G       683948
-                  ns2.org_name.org  132.257.64.2      165 M       231245
-             lemonade.org_name.org  124.333.181.191    88 M       217781
-                  nsx.org_name.org  132.257.64.3      371 M       200935
-               cinnamon.mining.com  207.5.380.138     4.5 M       103011
-       node2.lbnl.nodes.planet.org  198.328.56.12     106 M        75725
-       node1.lbnl.nodes.planet.org  198.328.56.11      85 M        73719
-      microscope.dhcp.org_name.org  132.257.19.79      61 M        54024
-                                    169.299.224.1     2.3 M        40348
-                uhuru.org_name.org  132.257.10.97     423 M        39847
-                                    132.257.77.246     13 M        29496
-            googledev.org_name.org  124.333.41.57      13 M        24930
-                                    64.46.248.43       60 M        19785
-  ...16-141.sfo4.dsl.contactor.net  66.292.16.141     6.2 M        19048
-                      rock.es.net  198.128.2.83      2.8 G        18459
-             perry.Geo.college.EDU  124.32.349.11     1.7 M        17326
-               google.org_name.org  124.333.41.70     8.5 M        15508
-             egspd42212.search.com  65.264.38.212     3.1 M        15138
-       hmb-330-042.MSE.college.EDU  124.32.349.20     222 M        14865
-          1rodan.dhcp.org_name.org  132.257.19.170    7.7 M        11873
-
-Top 20 Destinations
-                Host                      IP         Bytes   Conn. Count
-  --------------------------------  ---------------  ------  -----------
-                  nsx.org_name.org  132.257.64.3       14 G      1571638
-                  ns1.org_name.org  124.333.34.186    1.6 G       264976
-                  ns2.org_name.org  132.257.64.2       80 M       218740
-             lemonade.org_name.org  124.333.181.191   2.6 G       176788
-                 CS.university.EDU  128.312.136.10     10 M        81622
-                 g.old-servers.net  192.42.293.30      11 G        71407
-          engram.CS.university.EDU  128.312.136.12    7.5 M        61309
-               aulvs.realthing.com  207.288.24.156    792 M        50493
-                   ns1.college.EDU  124.32.349.9      995 M        39977
-                  rohan.superc.gov  128.550.6.34      4.7 G        32883
-            sportsmed.starship.com  199.281.132.79     17 M        32152
-                      ns2.yoho.com  66.263.169.170    2.1 G        24361
-                uhuru.org_name.org  132.257.10.97      58 M        19785
-                      g3.NSDDD.COM  192.342.93.32     488 M        19734
-                   w4.org_name.org  124.333.7.51      447 M        19334
-                 E.TOP-SERVERS.NET  192.303.230.10    195 M        19066
-               mantis.org_name.org  124.333.7.39      395 M        18811
-              postala.org_name.org  124.333.41.61     8.0 M        17283
-                vista.org_name.org  132.257.48.146    488 M        15961
-               calmail.college.EDU  128.32.349.103     73 M        15154
-
-Top 20 Local Email Senders
-                  Hostname                        IP          Conn.
-Count
-  ----------------------------------------  ---------------  -----------
-                         mta1.org_name.org  124.333.41.24           3869
-                      postala.org_name.org  124.333.41.61           2850
-                           ci.org_name.org  132.257.192.220          868
-                      postal2.org_name.org  132.257.248.26           376
-                           ee.org_name.org  132.257.1.10             173
-                         math.org_name.org  124.333.7.22             131
-                         rod2.org_name.org  132.257.112.183          121
-                         gigo.org_name.org  124.333.2.54             110
-                          mh1.org_name.org  124.333.7.48              82
-                          stm.org_name.org  132.257.16.51             81
-
-Top 20 Services
-  Service        Conn. Count  % of Total   Bytes In  Bytes Out
-  ------------  ------------  ----------  ---------  ---------
-  dns                3378522       75.10       30 G       11 G
-  http                902573       20.06       18 G       11 G
-  other                92913        2.07       14 G      249 G
-  smtp                 35942        0.80      458 M      196 M
-  https                33848        0.75      2.3 G      179 M
-  ssh                  25515        0.57      977 M      1.0 G
-  netbios-ssn          11004        0.24       65 M      9.5 M
-  pop-3                 5494        0.12       58 M      3.6 M
-  ftp-data              4495        0.10       37 G       34 G
-  ldap                  3549        0.08      740 K      2.0 M
-  ftp                   1061        0.02      1.3 M      873 K
-  ident                  970        0.02      29602       9039
-  printer                834        0.02        837       9176
-  time                   645        0.01       2416        166
-  imap4                  636        0.01       28 M       47 M
-  nntp                   308        0.01      355 M      1.5 M
-  pm_getport             238        0.01      13328       6664
-  telnet                 164        0.00      469 K       7850
-  ntp                     26        0.00       1344       1392
-  X11                      6        0.00      652 K      64280
-========================================================================
-Byte Transfer Pairs
-========================================================================
-@end verbatim
-
-@quotation annotation
-@i{Once again, this summary gives a general idea of what hosts are most
-active.  Radical changes to this list may indicate malicious activity.}
-@end quotation
-
-@verbatim
-Hot Report - Top 20
-                                    Local      Remote     Conn.
-  Local Host       Remote Host      Bytes      Bytes      Count
----------------  ---------------  ---------  ---------  ---------
-124.333.28.60    128.265.128.131      123 G     5327 K  3930
-124.333.28.60    128.265.128.132      123 G     5159 K  3927
-132.257.64.3     198.328.2.83        2855 M     11.9 G  15097
-124.333.34.186   192.342.93.30       2958 M     10.7 G  40033
-132.257.64.3     61.283.32.172       7469 M      10393  11
-124.333.41.57    128.256.6.34        12.0 M     4490 M  22360
-124.333.181.191  81.257.197.163      1350 M     4430 M  3341
-132.257.64.3     130.262.101.6        276 M     2200 M  13064
-124.333.34.186   66.263.169.170       389 M     2095 M  17919
-132.257.195.68   140.267.28.48       91.3 M     2029 M  6275
-132.257.212.232  151.293.199.65       39155     1994 M  24
-124.333.41.61    206.290.82.18         3401     1853 M  22
-132.257.64.3     61.278.72.30        1798 M          7  1
-124.333.181.191  61.263.209.246      16.8 M     1676 M  113
-132.257.64.3     261.232.163.3       1544 M      24069  9
-132.257.64.3     61.273.210.110      1517 M       4140  7
-124.333.34.186   128.342.121.70      1351 M      222 M  14861
-132.257.64.3     258.14.200.58       1350 M      24075  14
-132.257.64.3     222.330.100.28      1219 M       4077  7
-132.257.64.3     210.261.41.131      1162 M         25  3
-@end verbatim
-
-
-@comment ********************************************
-@comment node Creating your own Custom Output
-@comment section Creating your own Custom Output
-
diff --git a/doc/user-manual/Bro-overview.texi b/doc/user-manual/Bro-overview.texi
deleted file mode 100644
index e3353b1a58..0000000000
--- a/doc/user-manual/Bro-overview.texi
+++ /dev/null
@@ -1,143 +0,0 @@
-
-@menu
-* What is Bro? ::
-* Bro features and benefits ::
-* Getting more Information ::
-@end menu
-
-@node What is Bro?
-@section What is Bro?
-@cindex Network Intrusion Detection System
-
-Bro is a Unix-based Network Intrusion Detection System (IDS).  Bro monitors network traffic and detects intrusion attempts based on the traffic 
-characteristics and content.  Bro detects intrusions by passing network traffic through rules describing events that are deemed troublesome.  These rules 
-might describe activities (e.g., certain hosts connecting to certain services), what activities are worth alarming (e.g., attempts to a given number of different hosts constitutes 
-a "scan"), or signatures describing known attacks or access to known vulnerabilities.  If Bro detects something of interest, it can be instructed to either issue a log entry or initiate the execution of an operating system command (such as sending email, or creating a router entry to block an address).
-
-Bro targets high-speed (Gbit/second), high-volume intrusion detection. By judiciously leveraging packet filtering techniques, 
-Bro is able to achieve the performance necessary to do so while running on commercially 
-available PC hardware, and thus can serve as a cost effective means of monitoring a site's Internet connection.
-
-
-@node Bro features and benefits
-@section Bro features and benefits
-
-@itemize
-@item @strong{Network Based}
-@quotation
-Bro is a network-based IDS.  It collects, filters, and analyzes traffic that passes through a specific
-network location.  A single Bro monitor, strategically placed at a key network junction, can be
-used to monitor all incoming and outgoing traffic for the entire site.  Bro does not use or
-require installation of client software on each individual, networked computer.
-@end quotation
-
-@item @strong{Custom Scripting Language}
-@quotation
-Bro policy scripts are programs written in the Bro language.  They contain the "rules" that
-describe what sorts of activities are deemed troublesome.  They analyze the network activity and
-initiate actions based on the analysis.  Although the Bro language takes some time and effort to
-learn, once mastered, the Bro user can write or modify Bro policies to detect and notify or alarm on virtually
-any type of network activity.
-@end quotation
-
-@item @strong{Pre-written Policy Scripts}
-@quotation
-Bro comes with a rich set of policy scripts designed to detect the most common Internet attacks
-while limiting the number of false positives, i.e., alarms that confuse uninteresting activity with the
-important attack activity.  These supplied policy scripts will run "out of the box" and do not
-require knowledge of the Bro language or policy script mechanics.
-@end quotation
-
-@item @strong{Powerful Signature Matching Facility}
-@quotation
-Bro policies incorporate a signature matching facility that looks for specific traffic content.  For
-Bro, these signatures are expressed as regular expressions, rather than fixed strings.  Bro adds a
-great deal of power to its signature-matching capability because of its rich language.  This allows
-Bro to not only examine the network content, but to understand the context of the signature,
-greatly reducing the number of false positives.  Bro comes with a set of high-value signatures,
-selected for their high detection and low false positive characteristics,
-as well as policy scripts that perform more detailed analysis.
-@end quotation
-
-@item @strong{Network Traffic Analysis}
-@quotation
-Bro not only looks for signatures, but also analyzes network protocols, connections,
-transactions, data volumes, and many other network characteristics.  It has powerful facilities for
-storing information about past activity and incorporating it into analyses of new activity.
-@end quotation
-
-@item @strong{Detection Followed by Action}
-@quotation
-Bro policy scripts can generate output files recording the activity seen on the network (including
-normal, non-attack activity).  They can also send alarms to event logs, including the
-operating system @emph{syslog} facility.  In addition, scripts can execute programs, which can, in turn,
-send e-mail messages, page the on-call staff, automatically terminate existing connections, or, with
-appropriate additional software, insert access control blocks into a router's access control list.
-With Bro's ability to execute programs at the operating system level, the actions that Bro can
-initiate are only limited by the computer and network capabilities that support Bro.
-@end quotation
-
-@item @strong{@uref{http://www.snort.org/,Snort} Compatibility Support}
-@cindex Snort
-@quotation
-The Bro distribution includes a tool, snort2bro, which converts Snort signatures into Bro
-signatures.  Along with translating the format of the signatures, snort2bro also incorporates a large
-number of enhancements to the standard set of Snort signatures to take advantage of Bro's
-additional contextual power and reduce false positives.
-@end quotation
-
-
-@end itemize
-
-@node Getting more Information 
-@section Getting more Information 
-
-@itemize
-@item @strong{Reference manual}
-@quotation
-An extensive @uref{http://www.bro-ids.org/manuals.html,reference manual} is provided detailing the Bro Policy Language
-@end quotation
-
-@item @strong{FAQ}
-@cindex FAQ
-@quotation
-Several Frequently Asked Questions are outlined in the @uref{http://www.bro-ids.org/FAQ.html,Bro FAQ}.  
-If you have a question not already covered
-in the FAQ, send it to us and we'll add it.
-@end quotation
-
-@item @strong{E-mail list}
-@cindex Email list
-@quotation
-Send questions on any Bro subject to bro@@bro-ids.org
-The list is frequented by all of the Bro developers.
-
-You can subscribe by going to the website: 
-@* @uref{http://mailman.icsi.berkeley.edu/mailman/listinfo/bro},
-@*
-or by placing the following command in either the subject or the body of a message addressed to
-bro-request@@icsi.berkeley.edu.
-
-@example
-subscribe [password] [digest-option] [address=<address>]
-@end example
-
-A password must be given to
-unsubscribe or change your options.  Once subscribed to the
-list, you'll be reminded of your password periodically.
-The "digest-option" may be either: "nodigest" or "digest" (no
-quotes!).  If you wish to subscribe an address other than the
-address you use to send this request from, you may specify
-"address=<email address>" (no brackets around the email
-address, no quotes!)
-
-@end quotation
-
-@item @strong{Website}
-@quotation
-The official Bro website is located at:
-@uref{http://www.bro-ids.org}.
-It contains all of the above documentation and more.
-@end quotation
-
-@end itemize
diff --git a/doc/user-manual/Bro-production.texi b/doc/user-manual/Bro-production.texi
deleted file mode 100644
index 87e154abcc..0000000000
--- a/doc/user-manual/Bro-production.texi
+++ /dev/null
@@ -1,26 +0,0 @@
-
-@menu
-* Compiling Bro::
-* Starting Bro::
-* Disk space considerations::
-* Router/firewall ACL space considerations::
-* Other maintenance considerations::
-@end menu
-
-@node Compiling Bro
-@section Compiling Bro
-
-@node Running Bro
-@section Running Bro
-
-@node Disk space considerations
-@section Disk space considerations
-
-@node Router/firewall ACL space considerations
-@section Router/firewall ACL space considerations
-
-@node Other maintenance considerations
-@section Other maintenance considerations
-
-
-
diff --git a/doc/user-manual/Bro-requirements.texi b/doc/user-manual/Bro-requirements.texi
deleted file mode 100644
index 2f205c4269..0000000000
--- a/doc/user-manual/Bro-requirements.texi
+++ /dev/null
@@ -1,93 +0,0 @@
-
-
-@menu
-* Network Tap ::
-* Hardware and Software Requirements ::
-@end menu
-
-
-@node Network Tap
-@section Network Tap
-@cindex network tap
-
-Bro requires
-a network tap to give it access to live network traffic. 
-The tap needs to be full-speed for the link being monitored and must provide
-copies of both directions of the link, or you need to two taps, one in
-each direction.
-
-Normally the network tap for Bro should be placed behind an external firewall and on the DMZ 
-(the portion of the network under the control of the organization but outside of the internal firewall), 
-as shown in the figure below. Some organizations might prefer to install the network tap outside 
-the firewall in order to detect all scans or attacks.  Placing Bro outside the firewall will allow
-the organization to better understand attacks, but will produce a more notifications and alarms. Another option is to place Bro inside the internal firewall, allowing it to detect internal hosts with viruses or worms.
-In addition to the connection to the network tap, a separate network connection is recommended 
-for management of Bro and access to log files.
-
-For more information on taps and tap placement see the Netoptics White paper titled @emph{Deploying Network Taps with Intrusion Detection Systems} (@uref{http://www.netoptics.com/products/pdf/Taps-and-IDSs.pdf}).
-
-@float Figure, tap location
-@image{bro-deployment,6.3in}
-@caption{Typical location for network tap and Bro system}
-@end float
-
-@node Hardware and Software Requirements
-@section Hardware and Software Requirements
-
-Bro requires no custom hardware, and runs on low-cost commodity PC-style systems.
-However, the Bro monitoring host must examine every packet into and out of 
-your site, so depending on your site's network traffic, you may need a fairly high-end machine.
-If you are trying to monitor a link with a large number of connections, we recommend using
-a second system for report generation, and run only Bro on the packet-capture host.
-
-@quotation
-@multitable  @columnfractions .25 .75
-@comment only work with texiinfo 4.7 or higher: @headitem Item @tab Requirements
-@item @strong{Item} @tab @strong{Requirements}
-
-@item @strong{Processor}
-@tab Note: these are @strong{rough} estimates. Much depends on the
-number of connections/second, the types of
-traffic on your network (e.g., HTTP, FTP, email, etc.), and you can trade
-off depth of analysis (especially, which protocols are analyzed) for processing
-load.  (See the Performance chapter of the Bro User Guide for more information.)
-@* 1 GHz CPU for 100 Mbps monitoring with average packet rate <= 5,000 packets/second
-@* 2 GHz CPU for 1 Gbps monitoring with <= 10,000 packets/second
-@* 3 GHz CPU for 1 Gbps monitoring with <= 20,000 packets/second
-@* 4 GHz CPU for 1 Gbps monitoring with <= 50,000 packets/second
-
-@item @strong{Operating System}
-@tab Recommended: FreeBSD (@uref{http://www.freebsd.org/}).  Bro works with
-many Unix systems, including Linux and Solaris, but has been primarily tuned
-for FreeBSD. We currently recommend using FreeBSD version 4.10 for Bro.
-If your site has a large number of packets or connections per second you should
-look at the section on @ref{Hardware and OS Tuning}.
-FreeBSD 5.x should work, but is not quite as fast as 4.10. 
-For sites with very high traffic loads and capturing traffic on 
- two interfaces, contact us for a FreeBSD 4.x kernel patch 
-to do @emph{BPF bonding}, which allows merging the two directions of a
-network link into a single interface as seen by Bro.  While Bro can instead
-merge the two interfaces at user-level, this costs some performance.
-
-@item @strong{Memory}
-@tab 512 MB suffices for small networks (say 200 hosts connected via a
-100 Mbps link).  For larger networks, 1 GB RAM will be required, with
-2-3 GB is recommended.
-
-@item @strong{Hard disk}
-@tab 10 GB minimum, 50 GB or more for log files recommended.
-
-@item @strong{User privileges}
-@tab @emph{superuser} to install Bro, with Bro then running as user @emph{bro}.
-
-@item @strong{Network Interfaces}
-@tab 3 interfaces are recommended: 2 for packet capture (1 for each direction), and 1 for host management. Capture interfaces should be identical.  For some network taps, both directions of the link are captured using the same interface, and the separate host management interface, while prudent, is not required.
-
-@item @strong{Other Software}
-@tab - Perl version 5.6 or higher (@uref{http://www.perl.org}) (for report generation)
-@* - libpcap version 0.7.2 or higher (@uref{http://www.tcpdump.org}) 
-@*      Note: Some version of FreeBSD come with older versions of libpcap. Bro
-recommends newer versions of these tools for performance reasons.
-
-@end multitable
-@end quotation
diff --git a/doc/user-manual/Bro-running.texi b/doc/user-manual/Bro-running.texi
deleted file mode 100644
index 10e08762c9..0000000000
--- a/doc/user-manual/Bro-running.texi
+++ /dev/null
@@ -1,147 +0,0 @@
-
-@menu
-* Starting Bro Daemon::
-* Running Bro from the command line::
-* Bro Cron Scripts ::
-@end menu
-
-@c *********************************************************************
-@node Starting Bro Daemon
-@section Starting Bro Daemon
-@cindex starting Bro daemon
-@cindex bro.rc
-
-Bro is automatically started at boot time via the @command{bro.rc} 
-script (located in @file{$BROHOME/etc} and @file{/usr/local/etc/rc.d} on 
-FreeBSD, or @file{/etc/init.d} on Linux).
-
-To run this script by hand, type:
-@example
-bro.rc start
-@end example
-or
-@example
-bro.rc checkpoint
-@end example
-or 
-@example
-bro.rc stop
-@end example
-
-Use @code{checkpoint} to restart a running Bro, loading a new policy file.
-
-
-Note that under Linux, Bro must be run as the 'root' user. 
-Linux must have root privilages to capture packets.
-
-@c *********************************************************************
-
-@node Running Bro from the command line
-@section  Running Bro from the command line
-@cindex  Running Bro from the command line
-
-If you use @code{bash} for your shell, you do something like this
-to start Bro by hand:
-
-@example
-cd /usr/local/bro
-. etc/bro.cfg
-./bro -i eth1 -i eth2 myhost.mysite.org.bro
-@end example
-
-The '. etc/bro.cfg' should set your $BROHOME and $BROPATH
-correctly to find all of the needed the files.
-
-Files are loaded is the following order: Bro is invoked with a start
-file (in the above myhost.mysite.org.bro). In that file (which is
-in $BROHOME/site)  there should be a couple of lines like this at
-the top:
-
-@verbatim
----------------- myhost.mysite.org.bro ----------------------------
-@prefixes = local
-@load site      # file generated by the network script for dynamic config
-                   # of the local network subnets.
-
-# Make any changes to policy starting here
-....
--------------- end  --------------------------------------
-@end verbatim
-
-The '@@load site' will load the local.site.bro file from $BROHOME/site.
-If you are making changes, you should make them in 'myhost.mysite.bro'
-file.
-
-Bro can also be run on @code{tcpdump -w} files instead of on live traffic.
-To do this, you must set a @code{BROPATH} enviroment variable to point
-at your set of policy scripts. For example (in csh):
-
-@example
-setenv BROHOME /usr/local/bro
-setenv BROPATH $BROHOME/site:$BROHOME/policy
-bro -r dumpfile brohost
-@end example
-
-More information on Bro run-time flags and environment variables
-is available in the 
-@uref{http://www.bro-ids.org/Bro-reference-manual/Bro-flags-and-run_002dtime-environment.html,
-Reference Manual}.
-
-@c *********************************************************************
-@node Bro Cron Scripts
-@section Bro Cron Scripts
-@cindex bro_generate_report
-@cindex bro_log_compress
-@cindex check_disk
-@cindex managing disk space
-
-Installing @emph{brolite} automatically creates the 
-following @command{cron} jobs, 
-which are run on at the specified intervals.
-
-@itemize
-@item @command{site-report.pl}: generates a text report of all alarms 
-and notifications
-@item @command{mail_reports.sh}:emails the reports generated 
-by @command{site-report.pl}
-to the list of addresses specified in the file @code{$BROHOME/etc/bro.cfg}
-@end itemize
-
-These scripts can also all be run by hand at any time. Be sure your
-$BROHOME environment variable is set first.
-
-As Bro log files can get large quickly, it is important to ensure that 
-the Bro disk does not fill up. Bro includes some simple scripts to help 
-manage disk  space. Most sites will want to customize these for their 
-own requirements, and integrate them into their backup system to make 
-sure files are not removed before they are archived.
-
-@itemize
-@item @command{check_disk.sh}: send email if disk space is too low
-@item @command{bro_log_compress.sh}: remove/compress old log files 
-@end itemize
-
-These scripts can be customized by editing their settings in 
-@code{$BROHOME/etc/bro.cfg}.
-The settings are as follows:
-@itemize
-@item @command{check_disk.sh}: 
-@itemize
-@item @command{diskspace_pct}: when disk is >= this percent full, send 
-email (default = 85%)
-@item @command{diskspace_watcher}: list of email addresses to send mail 
-to
-@end itemize
-@end itemize
-
-@itemize
-@item @command{bro_log_compress.sh}: 
-@itemize
-@item @command{Days2deletion}: remove files more than this many days old 
-(default = 60)
-@item @command{Days2compression}: compress files more than this many 
-days 
-old (default = 30)
-@end itemize
-@end itemize
-
diff --git a/doc/user-manual/Bro-setup.texi b/doc/user-manual/Bro-setup.texi
deleted file mode 100644
index a8816fec61..0000000000
--- a/doc/user-manual/Bro-setup.texi
+++ /dev/null
@@ -1,40 +0,0 @@
-@menu
-* Bro Environment Variables::
-* Required files/directories::
-* System Configuration and Security of Bro Boxes::
-* Configuring syslog::
-* Placing Bro Boxes on the Network::
-* Filtering Traffic::
-* Selecting Analyzers::
-* Tuning Bro Policy Scripts/event Handlers::
-* Setting up Reports and Special Notifications::
-@end menu
-
-@node Bro Environment Variables
-@section Bro Environment Variables
-
-@node Required files/directories
-@section Required files/directories
-
-@node System Configuration and Security of Bro Boxes
-@section System Configuration and Security of Bro Boxes
-
-@node Configuring syslog
-@section Configuring @emph{syslog}
-
-@node Placing Bro Boxes on the Network
-@section Placing Bro Boxes on the Network
-
-@node Filtering Traffic
-@section Filtering Traffic
-
-@node Selecting Analyzers
-@section Selecting Analyzers
-
-@node Tuning Bro Policy Scripts/event Handlers
-@section Tuning Bro Policy Scripts/event Handlers
-
-@node Setting up Reports and Special Notifications
-@section Setting up Reports and Special Notifications
-
-
diff --git a/doc/user-manual/Bro-signatures.texi b/doc/user-manual/Bro-signatures.texi
deleted file mode 100644
index 085aa39eda..0000000000
--- a/doc/user-manual/Bro-signatures.texi
+++ /dev/null
@@ -1,143 +0,0 @@
-
-@emph{NOTE: Bro Signatures mechanism is still under development}
-
-Signatures in Bro are quite different than standard packet matching signatures such as those used in
-@uref{http://www.snort.org', Snort}. A Bro signature, or @emph{Rule}, is a @emph{contextual signature}
-that can include connection-level information. Hence Bro signatures generate @strong{far} fewer
-false positives.
-
-However, Bro's contextual signatures are fairly CPU and memory intensive,
-and still generate more false positives than we'd like,
-so for now they are turned off by default. See the next section for information on how to turn them on.
-
-For example, an packet-level signature of a HTTP attack only looks at the attack packet, where
-the Bro contextual signature also looks for the HTTP reply, and only generates an alarm if the attack was 
-successful.
-
-In this section we explain how to customize signatures for your site,
-and how to import new signatures from Snort and bro-ids.org. More
-information on the details of Bro signatures are in
-@uref{http://www.bro-ids.org/Bro-reference-manual/Signature-language.html, the
-signature section of the reference manual}.
-
-The following files are used to control and customize Bro signatures.
-
-@itemize
-@item @code{$BROHOME/site/signatures.sig}: Bro version of snort signatures
-@item @code{$BROHOME/policy/sig-addendum.sig}: Bro supplied signatures
-@item @code{$BROHOME/policy/sig-action.bro}: policy file to control signature notification type
-@end itemize
-
-Files in @code{$BROHOME/policy} contain the default Bro signatures, and should not be edited.
-Files in @code{$BROHOME/site} contain files you will use to customize signatures for your site.
-New signatures that you write go here too. All files ending in @code{.sig} in this directory
-will be loaded into the signature engine. In fact, all .sig files in any
-directory in @code{$BROPATH} (set in @code{$BROHOME/etc/bro.cfg}) will be loaded.
-
-@menu
-* Turning Signatures ON/OFF ::
-* Add a New Signature ::
-* Editing Existing Signatures ::
-* Importing Snort Signatures ::
-* Checking for new Signatures from bro-ids.org ::
-@end menu
-
-
-@node Turning Signatures ON/OFF 
-@subsection Turning Signatures ON/OFF
-@cindex Turning Signatures ON/OFF
-
-Signature matching is off by default. To use a small set of
-known, high quality signatures, add the following to your site policy file:
-@smallexample
-@@load brolite-sigs
-@end smallexample
-
-To use the full set of converted snort signatures,
-add both of these lines:
-@smallexample
-@@load brolite-sigs
-redef signature_files += "signatures";
-@end smallexample
-
-If signatures are turned on, then you can control the 
-signature "action" levels through the file 
-@code{$BROHOME/site/sigaction.bro}.
-You can set the signature action to the one of the following:
-
-@verbatim
-    SIG_IGNORE          # ignore this sig. completely 
-    SIG_FILE            # write to signatures and notice files
-    SIG_ALARM           # alarm and write to notice and alarm files
-    SIG_ALARM_PER_ORIG  # alarm once per originator
-    SIG_ALARM_ONCE      # alarm once and then never again
-@end verbatim
-
-All signatures default to action = @code{SIG_ALARM}. To lower the alarm level of the signature,
-add an entry to the file @code{$BROHOME/site/sigaction.bro}.  The Bro distribution
-contains a default sigaction.bro file that lowers the level of a number of signatures from ALARM
-to FILE (notice) .
-
-To permanently remove a signature you can delete it from the @code{.sig} file.
-
-
-@node  Add a New Signature
-@subsection  Add a New Signature
-@cindex  Add a New Signature
-
-To add a new signature to a running Bro, add the signature to the file
-@code{$BROHOME/site/site.sig} (or create a new @code{.sig} file in @code{$BROHOME/site}), 
-and then restart Bro using "@code{$BROHOME/etc/bro.rc checkpoint}".
-
-A sample signature looks like this:
-
-@verbatim
-signature formmail-cve-1999-0172 {
-       ip-proto == tcp
-       dst-ip == 1.2.0.0/16
-       dst-port = 80
-       http /.*formmail.*\?.*recipient=[^&]*[;|]/
-       event "formmail shell command"
-       }
-@end verbatim
-
-For more details, see the
-@uref{http://www.bro-ids.org/Bro-reference-manual/Signature-language.html, 
-reference manual}.
-
-@node   Editing Existing Signatures
-@subsection   Editing Existing Signatures
-@cindex   Editing Existing Signatures
-
-Bro supplied signatures are in $BROHOME/sigs. You should not edit these, as they will
-get overwritten when you update Bro. Instead, make your modifications in $BROHOME/site.
-If you use the same signature ID as an existing signature, the site sig will take precedence.
-
-@node Importing Snort Signatures
-@subsection Importing Snort Signatures
-@cindex Importing Snort Signatures
-
-New snort signatures come out almost every week. To add these to Bro, do the following:
-
-(XXX section not done!)
-
-Add instructions for incorporating new sigs from Snort.
-
-@node Checking for new Signatures from bro-ids.org
-@subsection Checking for new Signatures from bro-ids.org
-@cindex download new Signatures 
-
-note: this functionality is currently under development, and does
-not yet exist
-
-The Bro team will be constantly updating our set of default signatures and posting
-them on the Bro web site. To download the latest signatures and incorporate
-them into your Bro setup, run the script:
-@example
-$BROHOME/scripts/update-sigs
-@end example
-This script uses the @code{wget} command to download the latest signatures 
-and puts them into
-the required Bro files, and then restarts Bro to load the new signatures..
-
-
diff --git a/doc/user-manual/Bro-software.texi b/doc/user-manual/Bro-software.texi
deleted file mode 100644
index d15a57b30a..0000000000
--- a/doc/user-manual/Bro-software.texi
+++ /dev/null
@@ -1,71 +0,0 @@
-
-@menu
-* OS platform(s) to use::
-* Required software::
-* Optional software::
-@end menu
-
-@node OS platform(s) to use
-@section OS platform(s) to use
-@cindex OS issues
-
-Bro will run on a variety of UNIX flavors such as FreeBSD, NetBSD, and Solaris, and will also
-run on Linux. Although Bro has been ported or can readily be ported to many flavors of Unix,
-Bro currently runs best on FreeBSD for the following reasons:
-
-@itemize
-@item Most current development and system integration efforts are taking place on FreeBSD.
-@item Compiling Bro on FreeBSD is more straightforward than on any other OS.
-@item Bro performance on this platform has been extensively tested.
-@item Policy scripts have been tested more on Free BSD than on any other OS.
-@item Bro documentation (such as this User Manual) is oriented more towards FreeBSD than
-any other flavor of Unix. Discussion of startup scripts, for example, focuses on files and
-directories found in FreeBSD systems.
-@end itemize
-
-An important consideration in your choice of operating system on which Bro will run is whether
-@command{BPF}  runs in the kernel. Bro uses @command{BPF} to ignore packets that Bro does not need to inspect, thereby
-greatly increasing Bro's efficiency. The fact that @command{BPF} is not available in Solaris is a problem,
-although Solaris at least has a @command{BPF} compatibility mode that to some degree solves the problem.
-@command{BPF} is also not available in most flavors of Linux, although certain flavors of Linux such as
-RedHat run libpcap, making it possible to filter packets that are captured in a manner that will
-make Bro run efficiently.
-
-
-@node Required software
-@section Required software
-
-Additional software is necessary to support certain Bro functions. Each package or tool must be
-in the Bro user's PATH (as explained more fully in Section 4):
-
-@itemize
-@item tcpdump: This enables you to use certain rules ("filters") to determine the packets that are
-and are not captured on a network. You can obtain tcpdump from ftp://ftp.ee.lbl.gov
-
-@item libpcap: Available from ftp.ee.lbl.gov. This is the packet capture library, developed at
-LBNL.
-
-@item tcpslice: Available from ftp.ee.lbl.gov. This allows for the editing and extraction of
-heuristic-based TCP/IP traffic captured via tcpdump.
-
-@item Perl: Available from ftp.perl.org.  Perl version XX or higher is necessary for some of the scripts to run.
-
-@item BIND 8 or 9: Available from ftp.isc.org.
-It is necessary to run a caching DNS server on the Bro machine so that when Bro is
-run to prep the entries in the policies that a more consistent resolver is used. (not clear??) This can cause
-policies to not be interpreted correctly, so this is an important factor in setting up a Bro box. 
-The local DNS server is really present further for the DNS entries to persist throughout Bro's
-operation and rotation of its logs (which requires that Bro's process be checkpointed).
-
-@end itemize
-
-@node Optional software
-@section Optional software
-
-The utility called @command{ipw} is also very useful. There is a package available for FreeBSD
-from ftp.freebsd.org. This allows one to simply specify an IP address and it will
-determine who is responsible for that IP range and provide contact information for that
-person or persons. 
-
-
-
diff --git a/doc/user-manual/Bro-tuning.texi b/doc/user-manual/Bro-tuning.texi
deleted file mode 100644
index 538c5fb0c3..0000000000
--- a/doc/user-manual/Bro-tuning.texi
+++ /dev/null
@@ -1,144 +0,0 @@
-
-@strong{NOTE: This chapter still a rough draft and incomplete}
-
-If the link you are monitoring with Bro has
-too many connections per second, or if you have too many policy
-modules loaded, it is possible that Bro will not be able to keep
-up, and that the Bro host will drop too many packets to be able to
-perform accurate analysis.
-
-A "rule of thumb" for Bro is that if CPU usage is < 50% and memory
-use is < 70% of physical memory, than you should not have any worries.
-
-Otherwise you might want to explore the tuning options below.
-
-For sites with an extremely high load you might consider using multiple
-Bro boxes, each configured to capture and analyze different types of traffic.
-
-Note that the amount of CPU required by Bro is a function of both the number
-of connections/second and the number of packets/second. So it's possible
-that a large site (e.g., 2,000 hosts) on a slow link (e.g., 100 Mbps) would
-still have performance issues because it has a very large 
-number of connections / second. 
-
-@menu
-* Hardware and OS Tuning ::
-* Bro Policy Tuning ::
-@end menu
-
-@node Hardware  and OS Tuning
-@section Hardware  and OS Tuning
-@cindex Hardware Tuning
-@cindex OS Tuning
-
-If your CPU load > 50% or your memory footprint is > 70% of physical 
-memory, an obvious solution is to buy a faster CPU or more memory.
-
-If this is not possible, here are some other things to try.
-
-@strong{FreeBSD}
-
-First, check that your BPF buffer size is big enough. The Bro installation
-script should set this correctly for you, but to test this, do:
-@smallexample
-sysctl debug.bpf_bufsize
-sysctl debug.bpf_maxbufsize
-@end smallexample
-
-They should both be at least 4 MB.
-
-Next, if your Bro host is capturing packets on 2 interfaces and you are
-running FreeBSD, we provide a patched kernel that bonds both interfaces
-into a single interface at the BPF level. This reduces CPU load considerably.
-This patched kernel also increases the default per-process memory limits.
-
-This kernel source is available for download at:
-@smallexample
-@uref{http://www.bro-ids.org/download/FreeBSD.4.10.bro.tgz}.
-@end smallexample
-
-To install this kernel and the BPF bonding utilites, type:
-
-@smallexample
-tar xfz fbsd.4.10.bond.tgz
-cd FreeBSD-4-10-RELEASE/sys/i386/conf
-/usr/sbin/config BRO
-cd ../../compile/BRO
-make depend
-make
-make install
-
-cd FreeBSD-4-10-RELEASE/local/sbin/bpfbond/
-make
-make install
-
-reboot
-@end smallexample
-
-For more instructions on rebuilding the kernel, see:
-@uref{http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig.html}.
-
-
-@strong{Linux}
-
-Check that the net.core.rmem_max buffer is big enough. The Bro installation
-script should set this correctly for you, but to test this, do:
-@smallexample
-sysctl net.core.rmem_max 
-@end smallexample
-
-It should be at least 4 MB.
-
-For heavy traffic load, the Linux version of libpcap has a hard time keeping up.
-There are a couple a options available to improve Linux pcap performance.
-These include:
-
-Phil Wood's libpcap replacement: (see http://public.lanl.gov/cpw/)
-Luca Deri's patch to fix libpcap issues. (see http://luca.ntop.org/Ring.pdf)
-
-(Note that Phil Wood's version of libpcap seems to be buggy in non-blocking 
-mode. Build Bro using the --disable-selectloop option to disable non-blocking
-mode if using this version of libpcap.)
-
-
-@node  Bro Policy Tuning
-@section  Bro Policy Tuning
-@cindex  Bro Policy Tuning
-
-If the hardware and OS tuning solutions fail to bring your 
-CPU load or memory consumption under control, next you will
-have to start turning off analyzers. Signatures are particularly CPU 
-and memory intensive,
-so try turning it off or greatly reduce the number of signatures it
-is processing. The HTTP analyzers are also CPU intensive. For example,
-to turn off the HTTP reply analyzer, add the following lines at the beginning
-of the file @code{$BROHOME/site/brohost.bro}, before any @@load commands.
-
-@smallexample
-@@unload http-reply        
-@end smallexample
-
-Another solution is to modify libpcap filter for Bro. This is done
-by adding @code{restrict_filters}. For example, to only capture SYN/FIN
-packets from a large web proxy, you can do this:
-
-@verbatim
-redef restrict_filters += { ["not proxy outbound Web replies"] = 
-     "not (host bigproxy.mysite.net and
-           src port 80 and (tcp[13] & 7 == 0))" };
-@end verbatim
-
-This filter will allow you to record the number and size of the HTTP replies,
-but will not do further HTTP analysis.
- 
-Another way to reduce the CPU load of Bro analysis is to split the work
-across two Bro hosts. An easy way to do this is to take the sum of the
-source and destination IPs, and monitor even combinations
-on one host and odd combinations on a second host.
-
-For example:
-
-@verbatim
-redef restrict_filters += { ["capture even src/dest pairs only"] = "(ip[12:4] + ip[16:4]) & 1 == 0" };
-@end verbatim
-
diff --git a/doc/user-manual/Bro-user-manual.pdf b/doc/user-manual/Bro-user-manual.pdf
deleted file mode 100644
index 9e6f15a144..0000000000
Binary files a/doc/user-manual/Bro-user-manual.pdf and /dev/null differ
diff --git a/doc/user-manual/Bro-user-manual.texi b/doc/user-manual/Bro-user-manual.texi
deleted file mode 100644
index 6e6a8abfba..0000000000
--- a/doc/user-manual/Bro-user-manual.texi
+++ /dev/null
@@ -1,135 +0,0 @@
-\input texinfo   @c -*-texinfo-*-
-@comment $Id: Bro-user-manual.texi 1224 2005-07-23 03:58:34Z tierney $
-@comment %**start of header
-@setfilename Bro-user-manual.info
-@settitle Bro User Manual
-@setcontentsaftertitlepage 
-@comment %**end of header
-
-
-@set VERSION 0.9
-@set UPDATED 12-1-2004
-
-@copying
-This the User Manual for Bro
-version @value{VERSION}.
-
-This software is copyright @copyright{} 
-1995-2004, The Regents of the University of California
-and the International Computer Science Institute.  All rights reserved.
-
-For further information about this notice, contact:
-
-Vern Paxson
-email: @email{vern@@icir.org}
-
-@end copying
-
-@dircategory Bro
-@direntry
-* Bro: Network Intrusion Detection System
-@end direntry
-
-@ifnottex
-@node Top
-@top Bro User Manual 
-@copyright{} Lawrence Berkeley National Laboratory
-@end ifnottex
-
-@titlepage
-@title Bro User Manual
-@subtitle version @value{VERSION}, @value{UPDATED}, @strong{DRAFT}
-@author Vern Paxson, Jim Rothfuss, Brian Tierney
-@author Contact: @email{vern@@icir.org}
-@author @uref{http://www.bro-ids.org/}
-@page
-@insertcopying
-@vskip 0pt plus 1filll
-@end titlepage
-
-@contents
-
-@strong{Bro User Manual}
-@menu
-* Overview of Bro::
-* Requirements ::
-* Installation and Configuration::
-* Running Bro ::
-* Bro Output::
-* Analysis of Incidents and Alarms ::
-* Customizing Bro ::
-* Intrusion Prevention Using Bro ::
-* Performance Tuning ::
-* Bulk Traces and Off-line Analysis ::
-* Bro Directory and Files ::
-* Index::   Index
-@end menu
-
-@comment ********************************************
-
-@node Overview of Bro
-@chapter Overview of Bro
-@include Bro-overview.texi
-
-@comment ********************************************
-@node Requirements 
-@chapter Requirements 
-@cindex Software requirements
-@cindex Hardware requirements
-
-@include Bro-requirements.texi
-
-@comment ********************************************
-@node Installation and Configuration 
-@chapter Installation and Configuration 
-@cindex Installation instructions 
-@include Bro-installation.texi
-@cindex Configuration instructions 
-
-@comment ********************************************
-@node Running Bro
-@chapter Running Bro
-@include Bro-running.texi
-
-@comment ********************************************
-@node Bro Output
-@chapter Bro Output
-@include Bro-output.texi
-
-@comment ********************************************
-@node Analysis of Incidents and Alarms
-@chapter Analysis of Incidents and Alarms
-@include Bro-analysis.texi
-
-@comment ********************************************
-@node Customizing Bro
-@chapter Customizing Bro
-@include Bro-customizing.texi
-
-@comment ********************************************
-@node Intrusion Prevention Using Bro
-@chapter Intrusion Prevention Using Bro
-@include Bro-intrusion-prevention.texi
-
-@comment ********************************************
-@node Performance Tuning
-@chapter Performance Tuning
-@include Bro-tuning.texi
-
-@comment ********************************************
-@node Bulk Traces and Off-line Analysis 
-@chapter Bulk Traces and Off-line Analysis 
-@include Bro-offline-analysis.texi
-
-@comment ********************************************
-@node Bro Directory and Files
-@appendix Bro Directory and Files
-@include Bro-dir-files.texi
-
-@comment ********************************************
-@node Index
-@unnumbered Index 
-
-@printindex cp
-
-@bye
diff --git a/doc/user-manual/BroDir.pdf b/doc/user-manual/BroDir.pdf
deleted file mode 100644
index 7392093a78..0000000000
Binary files a/doc/user-manual/BroDir.pdf and /dev/null differ
diff --git a/doc/user-manual/BroDir.png b/doc/user-manual/BroDir.png
deleted file mode 100644
index cd28c5a0f1..0000000000
Binary files a/doc/user-manual/BroDir.png and /dev/null differ
diff --git a/doc/user-manual/Makefile.am b/doc/user-manual/Makefile.am
deleted file mode 100644
index 3a889a2db9..0000000000
--- a/doc/user-manual/Makefile.am
+++ /dev/null
@@ -1,32 +0,0 @@
-
-prefix = @prefix@
-bro_dir         = ${prefix}/bro
-
-EXTRA_DIST = README.txt bro.css Bro-user-manual.pdf bro-deployment.pdf \
-	BroDir.pdf BroDir.png \
-	bro-deployment.png Bro-analysis.texi Bro-blocking.texi \
-	Bro-customizing.texi Bro-dir-files.texi Bro-hardware.texi \
-	Bro-installation.texi Bro-intrusion-prevention.texi \
-	Bro-Linux.texi Bro-log-files.texi Bro-offline-analysis.texi \
-	Bro-output.texi Bro-overview.texi Bro-production.texi \
-	Bro-requirements.texi Bro-running.texi Bro-setup.texi \
-	Bro-signatures.texi Bro-software.texi Bro-tuning.texi \
-	Bro-user-manual.texi Bro-user-manual
-
-clean-local: doc-clean
-
-doc: html pdf
-
-pdf: 
-	texi2dvi -s --clean --pdf Bro-user-manual.texi
-
-html:
-	@rm -rf Bro-user-manual
-	makeinfo --css-include=bro.css  --html Bro-user-manual.texi
-
-doc-clean:
-	@echo "cleaning  User Manual"
-	@rm -f *.log Bro-user-manual/*
-
-doc-distclean:	clean
-	@rm Makefile
diff --git a/doc/user-manual/README.txt b/doc/user-manual/README.txt
deleted file mode 100644
index 5e2a8250b1..0000000000
--- a/doc/user-manual/README.txt
+++ /dev/null
@@ -1,8 +0,0 @@
-
-to generate html:
-  makeinfo --css-include=bro.css --html Bro-user-manual.texi
-
-to generate PDF:
-
- texi2dvi --clean --pdf Bro-user-manual.texi
-
diff --git a/doc/user-manual/bro-deployment.pdf b/doc/user-manual/bro-deployment.pdf
deleted file mode 100644
index 43984adbe0..0000000000
Binary files a/doc/user-manual/bro-deployment.pdf and /dev/null differ
diff --git a/doc/user-manual/bro-deployment.png b/doc/user-manual/bro-deployment.png
deleted file mode 100644
index 6c4568c042..0000000000
Binary files a/doc/user-manual/bro-deployment.png and /dev/null differ
diff --git a/doc/user-manual/bro.css b/doc/user-manual/bro.css
deleted file mode 100644
index 0bebab8e63..0000000000
--- a/doc/user-manual/bro.css
+++ /dev/null
@@ -1,43 +0,0 @@
-/* 
- * Custom nllite stylesheet
- */
-body {  
-  font-family: Verdana, Arial, serif;
-}
-H1 {  
-  color: #339933;
-}
-A:link, A:active, A:visited, A:hover { 
-  color: #3333ff;
-  text-decoration: none; 
-}
-A:hover {
-  border-bottom: 1px dotted red;
-  color: red;
-  text-decoration: none;
-}
-ul.menu { 
-  list-style-type: circle;
-  list-style-position: inside;
-  padding: 5px;
-  background-color: #ccffcc;
-  border: 1px dashed #333333;
-}
-hr { 
-  display: none;
-}
-div.node { 
-  font-size: 12px;
-  font-weight: bold;
-  background-color: #ccffcc;
-/*
-  line-height: 0;
-*/
-  padding: 0.5em;
-}
-table.cartouche { 
-  background-color: white;
-}
-table { 
-  border: none;
-}
diff --git a/example-attacks/ftp-site-exec.trace b/example-attacks/ftp-site-exec.trace
deleted file mode 100644
index 2562eb7098..0000000000
Binary files a/example-attacks/ftp-site-exec.trace and /dev/null differ
diff --git a/example-attacks/ntp-attack.trace b/example-attacks/ntp-attack.trace
deleted file mode 100644
index b082e180c9..0000000000
Binary files a/example-attacks/ntp-attack.trace and /dev/null differ
diff --git a/install-sh b/install-sh
deleted file mode 100755
index ebc66913e9..0000000000
--- a/install-sh
+++ /dev/null
@@ -1,250 +0,0 @@
-#! /bin/sh
-#
-# install - install a program, script, or datafile
-# This comes from X11R5 (mit/util/scripts/install.sh).
-#
-# Copyright 1991 by the Massachusetts Institute of Technology
-#
-# Permission to use, copy, modify, distribute, and sell this software and its
-# documentation for any purpose is hereby granted without fee, provided that
-# the above copyright notice appear in all copies and that both that
-# copyright notice and this permission notice appear in supporting
-# documentation, and that the name of M.I.T. not be used in advertising or
-# publicity pertaining to distribution of the software without specific,
-# written prior permission.  M.I.T. makes no representations about the
-# suitability of this software for any purpose.  It is provided "as is"
-# without express or implied warranty.
-#
-# Calling this script install-sh is preferred over install.sh, to prevent
-# `make' implicit rules from creating a file called install from it
-# when there is no Makefile.
-#
-# This script is compatible with the BSD install script, but was written
-# from scratch.  It can only install one file at a time, a restriction
-# shared with many OS's install programs.
-
-
-# set DOITPROG to echo to test this script
-
-# Don't use :- since 4.3BSD and earlier shells don't like it.
-doit="${DOITPROG-}"
-
-
-# put in absolute paths if you don't have them in your path; or use env. vars.
-
-mvprog="${MVPROG-mv}"
-cpprog="${CPPROG-cp}"
-chmodprog="${CHMODPROG-chmod}"
-chownprog="${CHOWNPROG-chown}"
-chgrpprog="${CHGRPPROG-chgrp}"
-stripprog="${STRIPPROG-strip}"
-rmprog="${RMPROG-rm}"
-mkdirprog="${MKDIRPROG-mkdir}"
-
-transformbasename=""
-transform_arg=""
-instcmd="$mvprog"
-chmodcmd="$chmodprog 0755"
-chowncmd=""
-chgrpcmd=""
-stripcmd=""
-rmcmd="$rmprog -f"
-mvcmd="$mvprog"
-src=""
-dst=""
-dir_arg=""
-
-while [ x"$1" != x ]; do
-    case $1 in
-	-c) instcmd="$cpprog"
-	    shift
-	    continue;;
-
-	-d) dir_arg=true
-	    shift
-	    continue;;
-
-	-m) chmodcmd="$chmodprog $2"
-	    shift
-	    shift
-	    continue;;
-
-	-o) chowncmd="$chownprog $2"
-	    shift
-	    shift
-	    continue;;
-
-	-g) chgrpcmd="$chgrpprog $2"
-	    shift
-	    shift
-	    continue;;
-
-	-s) stripcmd="$stripprog"
-	    shift
-	    continue;;
-
-	-t=*) transformarg=`echo $1 | sed 's/-t=//'`
-	    shift
-	    continue;;
-
-	-b=*) transformbasename=`echo $1 | sed 's/-b=//'`
-	    shift
-	    continue;;
-
-	*)  if [ x"$src" = x ]
-	    then
-		src=$1
-	    else
-		# this colon is to work around a 386BSD /bin/sh bug
-		:
-		dst=$1
-	    fi
-	    shift
-	    continue;;
-    esac
-done
-
-if [ x"$src" = x ]
-then
-	echo "install:	no input file specified"
-	exit 1
-else
-	true
-fi
-
-if [ x"$dir_arg" != x ]; then
-	dst=$src
-	src=""
-	
-	if [ -d $dst ]; then
-		instcmd=:
-	else
-		instcmd=mkdir
-	fi
-else
-
-# Waiting for this to be detected by the "$instcmd $src $dsttmp" command
-# might cause directories to be created, which would be especially bad 
-# if $src (and thus $dsttmp) contains '*'.
-
-	if [ -f $src -o -d $src ]
-	then
-		true
-	else
-		echo "install:  $src does not exist"
-		exit 1
-	fi
-	
-	if [ x"$dst" = x ]
-	then
-		echo "install:	no destination specified"
-		exit 1
-	else
-		true
-	fi
-
-# If destination is a directory, append the input filename; if your system
-# does not like double slashes in filenames, you may need to add some logic
-
-	if [ -d $dst ]
-	then
-		dst="$dst"/`basename $src`
-	else
-		true
-	fi
-fi
-
-## this sed command emulates the dirname command
-dstdir=`echo $dst | sed -e 's,[^/]*$,,;s,/$,,;s,^$,.,'`
-
-# Make sure that the destination directory exists.
-#  this part is taken from Noah Friedman's mkinstalldirs script
-
-# Skip lots of stat calls in the usual case.
-if [ ! -d "$dstdir" ]; then
-defaultIFS='	
-'
-IFS="${IFS-${defaultIFS}}"
-
-oIFS="${IFS}"
-# Some sh's can't handle IFS=/ for some reason.
-IFS='%'
-set - `echo ${dstdir} | sed -e 's@/@%@g' -e 's@^%@/@'`
-IFS="${oIFS}"
-
-pathcomp=''
-
-while [ $# -ne 0 ] ; do
-	pathcomp="${pathcomp}${1}"
-	shift
-
-	if [ ! -d "${pathcomp}" ] ;
-        then
-		$mkdirprog "${pathcomp}"
-	else
-		true
-	fi
-
-	pathcomp="${pathcomp}/"
-done
-fi
-
-if [ x"$dir_arg" != x ]
-then
-	$doit $instcmd $dst &&
-
-	if [ x"$chowncmd" != x ]; then $doit $chowncmd $dst; else true ; fi &&
-	if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dst; else true ; fi &&
-	if [ x"$stripcmd" != x ]; then $doit $stripcmd $dst; else true ; fi &&
-	if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dst; else true ; fi
-else
-
-# If we're going to rename the final executable, determine the name now.
-
-	if [ x"$transformarg" = x ] 
-	then
-		dstfile=`basename $dst`
-	else
-		dstfile=`basename $dst $transformbasename | 
-			sed $transformarg`$transformbasename
-	fi
-
-# don't allow the sed command to completely eliminate the filename
-
-	if [ x"$dstfile" = x ] 
-	then
-		dstfile=`basename $dst`
-	else
-		true
-	fi
-
-# Make a temp file name in the proper directory.
-
-	dsttmp=$dstdir/#inst.$$#
-
-# Move or copy the file name to the temp name
-
-	$doit $instcmd $src $dsttmp &&
-
-	trap "rm -f ${dsttmp}" 0 &&
-
-# and set any options; do chmod last to preserve setuid bits
-
-# If any of these fail, we abort the whole thing.  If we want to
-# ignore errors from any of these, just make sure not to ignore
-# errors from the above "$doit $instcmd $src $dsttmp" command.
-
-	if [ x"$chowncmd" != x ]; then $doit $chowncmd $dsttmp; else true;fi &&
-	if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dsttmp; else true;fi &&
-	if [ x"$stripcmd" != x ]; then $doit $stripcmd $dsttmp; else true;fi &&
-	if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dsttmp; else true;fi &&
-
-# Now rename the file to the real destination.
-
-	$doit $rmcmd -f $dstdir/$dstfile &&
-	$doit $mvcmd $dsttmp $dstdir/$dstfile 
-
-fi &&
-
-
-exit 0
diff --git a/libpcap.bufsize.patch b/libpcap.bufsize.patch
deleted file mode 100644
index ac5293db5b..0000000000
--- a/libpcap.bufsize.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-*** pcap-bpf.c	1998/02/15 23:35:23	1.30
---- pcap-bpf.c	2000/01/26 23:20:35	1.32
-***************
-*** 159,165 ****
-  	int fd;
-  	struct ifreq ifr;
-  	struct bpf_version bv;
-! 	u_int v;
-  	pcap_t *p;
-  
-  	p = (pcap_t *)malloc(sizeof(*p));
---- 166,172 ----
-  	int fd;
-  	struct ifreq ifr;
-  	struct bpf_version bv;
-! 	u_int v, n;
-  	pcap_t *p;
-  
-  	p = (pcap_t *)malloc(sizeof(*p));
-***************
-*** 184,196 ****
-  		sprintf(ebuf, "kernel bpf filter out of date");
-  		goto bad;
-  	}
-! 	v = 32768;	/* XXX this should be a user-accessible hook */
-! 	/* Ignore the return value - this is because the call fails on
-! 	 * BPF systems that don't have kernel malloc.  And if the call
-! 	 * fails, it's no big deal, we just continue to use the standard
-! 	 * buffer size.
-  	 */
-! 	(void) ioctl(fd, BIOCSBLEN, (caddr_t)&v);
-  
-  	(void)strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name));
-  	if (ioctl(fd, BIOCSETIF, (caddr_t)&ifr) < 0) {
---- 191,211 ----
-  		sprintf(ebuf, "kernel bpf filter out of date");
-  		goto bad;
-  	}
-! 
-! 	/*
-! 	 * The bpf buffer length typically defaults to 4k. Check to see
-! 	 * what it is and if it's not larger than 32k, try to raise it.
-  	 */
-! 	n = 32768;	/* XXX this should be a user-accessible hook */
-! 	if (ioctl(fd, BIOCGBLEN, (caddr_t)&v) >= 0 && v < n) {
-! 		/*
-! 		 * Ignore the return value - this is because the call
-! 		 * fails on BPF systems that don't have kernel malloc.
-! 		 * And if the call fails, it's no big deal, we just
-! 		 * continue to use the standard buffer size.
-! 		 */
-! 		(void) ioctl(fd, BIOCSBLEN, (caddr_t)&n);
-! 	}
-  
-  	(void)strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name));
-  	if (ioctl(fd, BIOCSETIF, (caddr_t)&ifr) < 0) {
diff --git a/linux-include/README b/linux-include/README
deleted file mode 100644
index d7f328aef0..0000000000
--- a/linux-include/README
+++ /dev/null
@@ -1,2 +0,0 @@
-This is the linux compatibility include tree from the tcpdump
-distribution.
diff --git a/linux-include/net/slcompress.h b/linux-include/net/slcompress.h
deleted file mode 100644
index 8075486120..0000000000
--- a/linux-include/net/slcompress.h
+++ /dev/null
@@ -1,148 +0,0 @@
-/*
- * Definitions for tcp compression routines.
- *
- * @(#) $Header$ (LBL)
- *
- * Copyright (c) 1989, 1990, 1992, 1993 Regents of the University of
- * California. All rights reserved.
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that the above copyright notice and this paragraph are
- * duplicated in all such forms and that any documentation,
- * advertising materials, and other materials related to such
- * distribution and use acknowledge that the software was developed
- * by the University of California, Berkeley.  The name of the
- * University may not be used to endorse or promote products derived
- * from this software without specific prior written permission.
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
- * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
- *
- *	Van Jacobson (van@ee.lbl.gov), Dec 31, 1989:
- *	- Initial distribution.
- */
-
-#define MAX_STATES 16		/* must be > 2 and < 256 */
-#define MAX_HDR MLEN		/* XXX 4bsd-ism: should really be 128 */
-
-/*
- * Compressed packet format:
- *
- * The first octet contains the packet type (top 3 bits), TCP
- * 'push' bit, and flags that indicate which of the 4 TCP sequence
- * numbers have changed (bottom 5 bits).  The next octet is a
- * conversation number that associates a saved IP/TCP header with
- * the compressed packet.  The next two octets are the TCP checksum
- * from the original datagram.  The next 0 to 15 octets are
- * sequence number changes, one change per bit set in the header
- * (there may be no changes and there are two special cases where
- * the receiver implicitly knows what changed -- see below).
- *
- * There are 5 numbers which can change (they are always inserted
- * in the following order): TCP urgent pointer, window,
- * acknowlegement, sequence number and IP ID.  (The urgent pointer
- * is different from the others in that its value is sent, not the
- * change in value.)  Since typical use of SLIP links is biased
- * toward small packets (see comments on MTU/MSS below), changes
- * use a variable length coding with one octet for numbers in the
- * range 1 - 255 and 3 octets (0, MSB, LSB) for numbers in the
- * range 256 - 65535 or 0.  (If the change in sequence number or
- * ack is more than 65535, an uncompressed packet is sent.)
- */
-
-/*
- * Packet types (must not conflict with IP protocol version)
- *
- * The top nibble of the first octet is the packet type.  There are
- * three possible types: IP (not proto TCP or tcp with one of the
- * control flags set); uncompressed TCP (a normal IP/TCP packet but
- * with the 8-bit protocol field replaced by an 8-bit connection id --
- * this type of packet syncs the sender & receiver); and compressed
- * TCP (described above).
- *
- * LSB of 4-bit field is TCP "PUSH" bit (a worthless anachronism) and
- * is logically part of the 4-bit "changes" field that follows.  Top
- * three bits are actual packet type.  For backward compatibility
- * and in the interest of conserving bits, numbers are chosen so the
- * IP protocol version number (4) which normally appears in this nibble
- * means "IP packet".
- */
-
-/* packet types */
-#define TYPE_IP 0x40
-#define TYPE_UNCOMPRESSED_TCP 0x70
-#define TYPE_COMPRESSED_TCP 0x80
-#define TYPE_ERROR 0x00
-
-/* Bits in first octet of compressed packet */
-#define NEW_C	0x40	/* flag bits for what changed in a packet */
-#define NEW_I	0x20
-#define NEW_S	0x08
-#define NEW_A	0x04
-#define NEW_W	0x02
-#define NEW_U	0x01
-
-/* reserved, special-case values of above */
-#define SPECIAL_I (NEW_S|NEW_W|NEW_U)		/* echoed interactive traffic */
-#define SPECIAL_D (NEW_S|NEW_A|NEW_W|NEW_U)	/* unidirectional data */
-#define SPECIALS_MASK (NEW_S|NEW_A|NEW_W|NEW_U)
-
-#define TCP_PUSH_BIT 0x10
-
-
-/*
- * "state" data for each active tcp conversation on the wire.  This is
- * basically a copy of the entire IP/TCP header from the last packet
- * we saw from the conversation together with a small identifier
- * the transmit & receive ends of the line use to locate saved header.
- */
-struct cstate {
-	struct cstate *cs_next;	/* next most recently used cstate (xmit only) */
-	u_short cs_hlen;	/* size of hdr (receive only) */
-	u_char cs_id;		/* connection # associated with this state */
-	u_char cs_filler;
-	union {
-		char csu_hdr[MAX_HDR];
-		struct ip csu_ip;	/* ip/tcp hdr from most recent packet */
-	} slcs_u;
-};
-#define cs_ip slcs_u.csu_ip
-#define cs_hdr slcs_u.csu_hdr
-
-/*
- * all the state data for one serial line (we need one of these
- * per line).
- */
-struct slcompress {
-	struct cstate *last_cs;	/* most recently used tstate */
-	u_char last_recv;	/* last rcvd conn. id */
-	u_char last_xmit;	/* last sent conn. id */
-	u_short flags;
-#ifndef SL_NO_STATS
-	u_int sls_packets;	/* outbound packets */
-	u_int sls_compressed;	/* outbound compressed packets */
-	u_int sls_searches;	/* searches for connection state */
-	u_int sls_misses;	/* times couldn't find conn. state */
-	u_int sls_uncompressedin;/* inbound uncompressed packets */
-	u_int sls_compressedin;	/* inbound compressed packets */
-	u_int sls_errorin;	/* inbound unknown type packets */
-	u_int sls_tossed;	/* inbound packets tossed because of error */
-#endif
-	struct cstate tstate[MAX_STATES];	/* xmit connection states */
-	struct cstate rstate[MAX_STATES];	/* receive connection states */
-};
-/* flag values */
-#define SLF_TOSS 1		/* tossing rcvd frames because of input err */
-
-#ifdef KERNEL
-#ifdef __STDC__
-extern	void sl_compress_init(struct slcompress *);
-extern	u_char sl_compress_tcp(struct mbuf *, struct ip *, struct slcompress *);
-extern	int sl_uncompress_tcp(struct mbuf *, int, u_int, struct slcompress *);
-#else
-extern	void sl_compress_init();
-extern	u_char sl_compress_tcp();
-extern	int sl_uncompress_tcp();
-#endif
-#endif
-
diff --git a/linux-include/net/slip.h b/linux-include/net/slip.h
deleted file mode 100644
index 8d62fa3336..0000000000
--- a/linux-include/net/slip.h
+++ /dev/null
@@ -1,45 +0,0 @@
-/*
- * Definitions that user level programs might need to know to interact
- * with serial line IP (slip) lines.
-
- * @(#) $Header$ (LBL)
- *
- * Copyright (c) 1990 Regents of the University of California.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that the above copyright notice and this paragraph are
- * duplicated in all such forms and that any documentation,
- * advertising materials, and other materials related to such
- * distribution and use acknowledge that the software was developed
- * by the University of California, Berkeley.  The name of the
- * University may not be used to endorse or promote products derived
- * from this software without specific prior written permission.
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
- * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
- */
-
-/*
- * ioctl to get slip interface unit number (e.g., sl0, sl1, etc.)
- * assigned to some terminal line with a slip module pushed on it.
- */
-#ifdef __STDC__
-#define SLIOGUNIT _IOR('B', 1, int)
-#else
-#define SLIOGUNIT _IOR(B, 1, int)
-#endif
-
-/*
- * definitions of the pseudo- link-level header attached to slip
- * packets grabbed by the packet filter (bpf) traffic monitor.
- */
-#define SLIP_HDRLEN 16
-
-#define SLX_DIR 0
-#define SLX_CHDR 1
-#define CHDR_LEN 15
-
-#define SLIPDIR_IN 0
-#define SLIPDIR_OUT 1
-
diff --git a/linux-include/netinet/if_ether.h b/linux-include/netinet/if_ether.h
deleted file mode 100644
index 4148ab83ea..0000000000
--- a/linux-include/netinet/if_ether.h
+++ /dev/null
@@ -1,88 +0,0 @@
-/*
- * Copyright (c) 1982, 1986, 1993
- *	The Regents of the University of California.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- *	@(#)if_ether.h	8.3 (Berkeley) 5/2/95
- */
-
-#include <net/if_arp.h>
-
-/*
- * Ethernet address - 6 octets
- */
-struct ether_addr {
-	u_char	ether_addr_octet[6];
-};
-
-/*
- * Structure of a 10Mb/s Ethernet header.
- */
-struct	ether_header {
-	u_char	ether_dhost[6];
-	u_char	ether_shost[6];
-	u_short	ether_type;
-};
-
-#define	ETHERTYPE_PUP		0x0200	/* PUP protocol */
-#define	ETHERTYPE_IP		0x0800	/* IP protocol */
-#define ETHERTYPE_ARP		0x0806	/* Addr. resolution protocol */
-#define ETHERTYPE_REVARP	0x8035	/* reverse Addr. resolution protocol */
-
-/*
- * The ETHERTYPE_NTRAILER packet types starting at ETHERTYPE_TRAIL have
- * (type-ETHERTYPE_TRAIL)*512 bytes of data followed
- * by an ETHER type (as given above) and then the (variable-length) header.
- */
-#define	ETHERTYPE_TRAIL		0x1000		/* Trailer packet */
-#define	ETHERTYPE_NTRAILER	16
-
-#define	ETHERMTU	1500
-#define	ETHERMIN	(60-14)
-
-/*
- * Ethernet Address Resolution Protocol.
- *
- * See RFC 826 for protocol description.  Structure below is adapted
- * to resolving internet addresses.  Field names used correspond to 
- * RFC 826.
- */
-struct	ether_arp {
-	struct	arphdr ea_hdr;	/* fixed-size header */
-	u_char	arp_sha[6];	/* sender hardware address */
-	u_char	arp_spa[4];	/* sender protocol address */
-	u_char	arp_tha[6];	/* target hardware address */
-	u_char	arp_tpa[4];	/* target protocol address */
-};
-#define	arp_hrd	ea_hdr.ar_hrd
-#define	arp_pro	ea_hdr.ar_pro
-#define	arp_hln	ea_hdr.ar_hln
-#define	arp_pln	ea_hdr.ar_pln
-#define	arp_op	ea_hdr.ar_op
diff --git a/linux-include/netinet/in_systm.h b/linux-include/netinet/in_systm.h
deleted file mode 100644
index d9a7c3e233..0000000000
--- a/linux-include/netinet/in_systm.h
+++ /dev/null
@@ -1,56 +0,0 @@
-/*
- * Copyright (c) 1982, 1986, 1993
- *	The Regents of the University of California.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- *	@(#)in_systm.h	8.1 (Berkeley) 6/10/93
- */
-
-/*
- * Miscellaneous internetwork
- * definitions for kernel.
- */
-
-/*
- * Network types.
- *
- * Internally the system keeps counters in the headers with the bytes
- * swapped so that VAX instructions will work on them.  It reverses
- * the bytes before transmission at each protocol level.  The n_ types
- * represent the types with the bytes in ``high-ender'' order.
- */
-typedef u_short n_short;		/* short as received from the net */
-typedef u_int	n_long;			/* long as received from the net */
-
-typedef	u_int	n_time;			/* ms since 00:00 GMT, byte rev */
-
-#ifdef KERNEL
-n_time	 iptime __P((void));
-#endif
diff --git a/linux-include/netinet/ip.h b/linux-include/netinet/ip.h
deleted file mode 100644
index 93f98cdbc9..0000000000
--- a/linux-include/netinet/ip.h
+++ /dev/null
@@ -1,170 +0,0 @@
-/*
- * Copyright (c) 1982, 1986, 1993
- *	The Regents of the University of California.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- *	@(#)ip.h	8.2 (Berkeley) 6/1/94
- */
-
-#include <endian.h>
-
-/*
- * Definitions for internet protocol version 4.
- * Per RFC 791, September 1981.
- */
-#define	IPVERSION	4
-
-/*
- * Structure of an internet header, naked of options.
- *
- * We declare ip_len and ip_off to be short, rather than u_short
- * pragmatically since otherwise unsigned comparisons can result
- * against negative integers quite easily, and fail in subtle ways.
- */
-struct ip {
-#if BYTE_ORDER == LITTLE_ENDIAN 
-	u_char	ip_hl:4,		/* header length */
-		ip_v:4;			/* version */
-#endif
-#if BYTE_ORDER == BIG_ENDIAN 
-	u_char	ip_v:4,			/* version */
-		ip_hl:4;		/* header length */
-#endif
-	u_char	ip_tos;			/* type of service */
-	short	ip_len;			/* total length */
-	u_short	ip_id;			/* identification */
-	short	ip_off;			/* fragment offset field */
-#define	IP_DF 0x4000			/* dont fragment flag */
-#define	IP_MF 0x2000			/* more fragments flag */
-#define	IP_OFFMASK 0x1fff		/* mask for fragmenting bits */
-	u_char	ip_ttl;			/* time to live */
-	u_char	ip_p;			/* protocol */
-	u_short	ip_sum;			/* checksum */
-	struct	in_addr ip_src,ip_dst;	/* source and dest address */
-};
-
-#define	IP_MAXPACKET	65535		/* maximum packet size */
-
-/*
- * Definitions for IP type of service (ip_tos)
- */
-#define	IPTOS_LOWDELAY		0x10
-#define	IPTOS_THROUGHPUT	0x08
-#define	IPTOS_RELIABILITY	0x04
-
-/*
- * Definitions for IP precedence (also in ip_tos) (hopefully unused)
- */
-#define	IPTOS_PREC_NETCONTROL		0xe0
-#define	IPTOS_PREC_INTERNETCONTROL	0xc0
-#define	IPTOS_PREC_CRITIC_ECP		0xa0
-#define	IPTOS_PREC_FLASHOVERRIDE	0x80
-#define	IPTOS_PREC_FLASH		0x60
-#define	IPTOS_PREC_IMMEDIATE		0x40
-#define	IPTOS_PREC_PRIORITY		0x20
-#define	IPTOS_PREC_ROUTINE		0x00
-
-/*
- * Definitions for options.
- */
-#define	IPOPT_COPIED(o)		((o)&0x80)
-#define	IPOPT_CLASS(o)		((o)&0x60)
-#define	IPOPT_NUMBER(o)		((o)&0x1f)
-
-#define	IPOPT_CONTROL		0x00
-#define	IPOPT_RESERVED1		0x20
-#define	IPOPT_DEBMEAS		0x40
-#define	IPOPT_RESERVED2		0x60
-
-#define	IPOPT_EOL		0		/* end of option list */
-#define	IPOPT_NOP		1		/* no operation */
-
-#define	IPOPT_RR		7		/* record packet route */
-#define	IPOPT_TS		68		/* timestamp */
-#define	IPOPT_SECURITY		130		/* provide s,c,h,tcc */
-#define	IPOPT_LSRR		131		/* loose source route */
-#define	IPOPT_SATID		136		/* satnet id */
-#define	IPOPT_SSRR		137		/* strict source route */
-
-/*
- * Offsets to fields in options other than EOL and NOP.
- */
-#define	IPOPT_OPTVAL		0		/* option ID */
-#define	IPOPT_OLEN		1		/* option length */
-#define IPOPT_OFFSET		2		/* offset within option */
-#define	IPOPT_MINOFF		4		/* min value of above */
-
-/*
- * Time stamp option structure.
- */
-struct	ip_timestamp {
-	u_char	ipt_code;		/* IPOPT_TS */
-	u_char	ipt_len;		/* size of structure (variable) */
-	u_char	ipt_ptr;		/* index of current entry */
-#if BYTE_ORDER == LITTLE_ENDIAN 
-	u_char	ipt_flg:4,		/* flags, see below */
-		ipt_oflw:4;		/* overflow counter */
-#endif
-#if BYTE_ORDER == BIG_ENDIAN 
-	u_char	ipt_oflw:4,		/* overflow counter */
-		ipt_flg:4;		/* flags, see below */
-#endif
-	union ipt_timestamp {
-		n_long	ipt_time[1];
-		struct	ipt_ta {
-			struct in_addr ipt_addr;
-			n_long ipt_time;
-		} ipt_ta[1];
-	} ipt_timestamp;
-};
-
-/* flag bits for ipt_flg */
-#define	IPOPT_TS_TSONLY		0		/* timestamps only */
-#define	IPOPT_TS_TSANDADDR	1		/* timestamps and addresses */
-#define	IPOPT_TS_PRESPEC	3		/* specified modules only */
-
-/* bits for security (not byte swapped) */
-#define	IPOPT_SECUR_UNCLASS	0x0000
-#define	IPOPT_SECUR_CONFID	0xf135
-#define	IPOPT_SECUR_EFTO	0x789a
-#define	IPOPT_SECUR_MMMM	0xbc4d
-#define	IPOPT_SECUR_RESTR	0xaf13
-#define	IPOPT_SECUR_SECRET	0xd788
-#define	IPOPT_SECUR_TOPSECRET	0x6bc5
-
-/*
- * Internet implementation parameters.
- */
-#define	MAXTTL		255		/* maximum time to live (seconds) */
-#define	IPDEFTTL	64		/* default ttl, from RFC 1340 */
-#define	IPFRAGTTL	60		/* time to live for frags, slowhz */
-#define	IPTTLDEC	1		/* subtracted when forwarding */
-
-#define	IP_MSS		576		/* default maximum segment size */
diff --git a/linux-include/netinet/ip_icmp.h b/linux-include/netinet/ip_icmp.h
deleted file mode 100644
index c3fdc45390..0000000000
--- a/linux-include/netinet/ip_icmp.h
+++ /dev/null
@@ -1,160 +0,0 @@
-/*
- * Copyright (c) 1982, 1986, 1993
- *	The Regents of the University of California.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- *	@(#)ip_icmp.h	8.1 (Berkeley) 6/10/93
- */
-
-/*
- * Interface Control Message Protocol Definitions.
- * Per RFC 792, September 1981.
- */
-
-/*
- * Structure of an icmp header.
- */
-struct icmp {
-	u_char	icmp_type;		/* type of message, see below */
-	u_char	icmp_code;		/* type sub code */
-	u_short	icmp_cksum;		/* ones complement cksum of struct */
-	union {
-		u_char ih_pptr;			/* ICMP_PARAMPROB */
-		struct in_addr ih_gwaddr;	/* ICMP_REDIRECT */
-		struct ih_idseq {
-			n_short	icd_id;
-			n_short	icd_seq;
-		} ih_idseq;
-		int ih_void;
-
-		/* ICMP_UNREACH_NEEDFRAG -- Path MTU Discovery (RFC1191) */
-		struct ih_pmtu {
-			n_short ipm_void;    
-			n_short ipm_nextmtu;
-		} ih_pmtu;
-	} icmp_hun;
-#define	icmp_pptr	icmp_hun.ih_pptr
-#define	icmp_gwaddr	icmp_hun.ih_gwaddr
-#define	icmp_id		icmp_hun.ih_idseq.icd_id
-#define	icmp_seq	icmp_hun.ih_idseq.icd_seq
-#define	icmp_void	icmp_hun.ih_void
-#define	icmp_pmvoid	icmp_hun.ih_pmtu.ipm_void
-#define	icmp_nextmtu	icmp_hun.ih_pmtu.ipm_nextmtu
-	union {
-		struct id_ts {
-			n_time its_otime;
-			n_time its_rtime;
-			n_time its_ttime;
-		} id_ts;
-		struct id_ip  {
-			struct ip idi_ip;
-			/* options and then 64 bits of data */
-		} id_ip;
-		u_int	id_mask;
-		char	id_data[1];
-	} icmp_dun;
-#define	icmp_otime	icmp_dun.id_ts.its_otime
-#define	icmp_rtime	icmp_dun.id_ts.its_rtime
-#define	icmp_ttime	icmp_dun.id_ts.its_ttime
-#define	icmp_ip		icmp_dun.id_ip.idi_ip
-#define	icmp_mask	icmp_dun.id_mask
-#define	icmp_data	icmp_dun.id_data
-};
-
-/*
- * Lower bounds on packet lengths for various types.
- * For the error advice packets must first insure that the
- * packet is large enought to contain the returned ip header.
- * Only then can we do the check to see if 64 bits of packet
- * data have been returned, since we need to check the returned
- * ip header length.
- */
-#define	ICMP_MINLEN	8				/* abs minimum */
-#define	ICMP_TSLEN	(8 + 3 * sizeof (n_time))	/* timestamp */
-#define	ICMP_MASKLEN	12				/* address mask */
-#define	ICMP_ADVLENMIN	(8 + sizeof (struct ip) + 8)	/* min */
-#define	ICMP_ADVLEN(p)	(8 + ((p)->icmp_ip.ip_hl << 2) + 8)
-	/* N.B.: must separately check that ip_hl >= 5 */
-
-/*
- * Definition of type and code field values.
- */
-#define	ICMP_ECHOREPLY		0		/* echo reply */
-#define	ICMP_UNREACH		3		/* dest unreachable, codes: */
-#define		ICMP_UNREACH_NET	0		/* bad net */
-#define		ICMP_UNREACH_HOST	1		/* bad host */
-#define		ICMP_UNREACH_PROTOCOL	2		/* bad protocol */
-#define		ICMP_UNREACH_PORT	3		/* bad port */
-#define		ICMP_UNREACH_NEEDFRAG	4		/* IP_DF caused drop */
-#define		ICMP_UNREACH_SRCFAIL	5		/* src route failed */
-#define		ICMP_UNREACH_NET_UNKNOWN 6		/* unknown net */
-#define		ICMP_UNREACH_HOST_UNKNOWN 7		/* unknown host */
-#define		ICMP_UNREACH_ISOLATED	8		/* src host isolated */
-#define		ICMP_UNREACH_NET_PROHIB	9		/* prohibited access */
-#define		ICMP_UNREACH_HOST_PROHIB 10		/* ditto */
-#define		ICMP_UNREACH_TOSNET	11		/* bad tos for net */
-#define		ICMP_UNREACH_TOSHOST	12		/* bad tos for host */
-#define	ICMP_SOURCEQUENCH	4		/* packet lost, slow down */
-#define	ICMP_REDIRECT		5		/* shorter route, codes: */
-#define		ICMP_REDIRECT_NET	0		/* for network */
-#define		ICMP_REDIRECT_HOST	1		/* for host */
-#define		ICMP_REDIRECT_TOSNET	2		/* for tos and net */
-#define		ICMP_REDIRECT_TOSHOST	3		/* for tos and host */
-#define	ICMP_ECHO		8		/* echo service */
-#define	ICMP_ROUTERADVERT	9		/* router advertisement */
-#define	ICMP_ROUTERSOLICIT	10		/* router solicitation */
-#define	ICMP_TIMXCEED		11		/* time exceeded, code: */
-#define		ICMP_TIMXCEED_INTRANS	0		/* ttl==0 in transit */
-#define		ICMP_TIMXCEED_REASS	1		/* ttl==0 in reass */
-#define	ICMP_PARAMPROB		12		/* ip header bad */
-#define		ICMP_PARAMPROB_OPTABSENT 1		/* req. opt. absent */
-#define	ICMP_TSTAMP		13		/* timestamp request */
-#define	ICMP_TSTAMPREPLY	14		/* timestamp reply */
-#define	ICMP_IREQ		15		/* information request */
-#define	ICMP_IREQREPLY		16		/* information reply */
-#define	ICMP_MASKREQ		17		/* address mask request */
-#define	ICMP_MASKREPLY		18		/* address mask reply */
-
-#define	ICMP_MAXTYPE		18
-
-#define	ICMP_INFOTYPE(type) \
-	((type) == ICMP_ECHOREPLY || (type) == ICMP_ECHO || \
-	(type) == ICMP_ROUTERADVERT || (type) == ICMP_ROUTERSOLICIT || \
-	(type) == ICMP_TSTAMP || (type) == ICMP_TSTAMPREPLY || \
-	(type) == ICMP_IREQ || (type) == ICMP_IREQREPLY || \
-	(type) == ICMP_MASKREQ || (type) == ICMP_MASKREPLY)
-
-#ifdef KERNEL
-void	icmp_error __P((struct mbuf *, int, int, n_int, struct ifnet *));
-void	icmp_input __P((struct mbuf *, int));
-void	icmp_reflect __P((struct mbuf *));
-void	icmp_send __P((struct mbuf *, struct mbuf *));
-int	icmp_sysctl __P((int *, u_int, void *, size_t *, void *, size_t));
-#endif
diff --git a/linux-include/netinet/ip_var.h b/linux-include/netinet/ip_var.h
deleted file mode 100644
index c528b62fa9..0000000000
--- a/linux-include/netinet/ip_var.h
+++ /dev/null
@@ -1,178 +0,0 @@
-/*
- * Copyright (c) 1982, 1986, 1993
- *	The Regents of the University of California.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- *	@(#)ip_var.h	8.2 (Berkeley) 1/9/95
- */
-
-#include <endian.h>
-
-/*
- * Overlay for ip header used by other protocols (tcp, udp).
- */
-struct ipovly {
-	caddr_t	ih_next, ih_prev;	/* for protocol sequence q's */
-	u_char	ih_x1;			/* (unused) */
-	u_char	ih_pr;			/* protocol */
-	short	ih_len;			/* protocol length */
-	struct	in_addr ih_src;		/* source internet address */
-	struct	in_addr ih_dst;		/* destination internet address */
-};
-
-/*
- * Ip reassembly queue structure.  Each fragment
- * being reassembled is attached to one of these structures.
- * They are timed out after ipq_ttl drops to 0, and may also
- * be reclaimed if memory becomes tight.
- */
-struct ipq {
-	struct	ipq *next,*prev;	/* to other reass headers */
-	u_char	ipq_ttl;		/* time for reass q to live */
-	u_char	ipq_p;			/* protocol of this fragment */
-	u_short	ipq_id;			/* sequence id for reassembly */
-	struct	ipasfrag *ipq_next,*ipq_prev;
-					/* to ip headers of fragments */
-	struct	in_addr ipq_src,ipq_dst;
-};
-
-/*
- * Ip header, when holding a fragment.
- *
- * Note: ipf_next must be at same offset as ipq_next above
- */
-struct	ipasfrag {
-#if BYTE_ORDER == LITTLE_ENDIAN 
-	u_char	ip_hl:4,
-		ip_v:4;
-#endif
-#if BYTE_ORDER == BIG_ENDIAN 
-	u_char	ip_v:4,
-		ip_hl:4;
-#endif
-	u_char	ipf_mff;		/* XXX overlays ip_tos: use low bit
-					 * to avoid destroying tos;
-					 * copied from (ip_off&IP_MF) */
-	short	ip_len;
-	u_short	ip_id;
-	short	ip_off;
-	u_char	ip_ttl;
-	u_char	ip_p;
-	u_short	ip_sum;
-	struct	ipasfrag *ipf_next;	/* next fragment */
-	struct	ipasfrag *ipf_prev;	/* previous fragment */
-};
-
-/*
- * Structure stored in mbuf in inpcb.ip_options
- * and passed to ip_output when ip options are in use.
- * The actual length of the options (including ipopt_dst)
- * is in m_len.
- */
-#define MAX_IPOPTLEN	40
-
-struct ipoption {
-	struct	in_addr ipopt_dst;	/* first-hop dst if source routed */
-	char	ipopt_list[MAX_IPOPTLEN];	/* options proper */
-};
-
-struct	ipstat {
-	n_long	ips_total;		/* total packets received */
-	n_long	ips_badsum;		/* checksum bad */
-	n_long	ips_tooshort;		/* packet too short */
-	n_long	ips_toosmall;		/* not enough data */
-	n_long	ips_badhlen;		/* ip header length < data size */
-	n_long	ips_badlen;		/* ip length < ip header length */
-	n_long	ips_fragments;		/* fragments received */
-	n_long	ips_fragdropped;	/* frags dropped (dups, out of space) */
-	n_long	ips_fragtimeout;	/* fragments timed out */
-	n_long	ips_forward;		/* packets forwarded */
-	n_long	ips_cantforward;	/* packets rcvd for unreachable dest */
-	n_long	ips_redirectsent;	/* packets forwarded on same net */
-	n_long	ips_noproto;		/* unknown or unsupported protocol */
-	n_long	ips_delivered;		/* datagrams delivered to upper level*/
-	n_long	ips_localout;		/* total ip packets generated here */
-	n_long	ips_odropped;		/* lost packets due to nobufs, etc. */
-	n_long	ips_reassembled;	/* total packets reassembled ok */
-	n_long	ips_fragmented;		/* datagrams sucessfully fragmented */
-	n_long	ips_ofragments;		/* output fragments created */
-	n_long	ips_cantfrag;		/* don't fragment flag was set, etc. */
-	n_long	ips_badoptions;		/* error in option processing */
-	n_long	ips_noroute;		/* packets discarded due to no route */
-	n_long	ips_badvers;		/* ip version != 4 */
-	n_long	ips_rawout;		/* total raw ip packets generated */
-};
-
-#ifdef KERNEL
-/* flags passed to ip_output as last parameter */
-#define	IP_FORWARDING		0x1		/* most of ip header exists */
-#define	IP_RAWOUTPUT		0x2		/* raw ip header exists */
-#define	IP_ROUTETOIF		SO_DONTROUTE	/* bypass routing tables */
-#define	IP_ALLOWBROADCAST	SO_BROADCAST	/* can send broadcast packets */
-
-struct	ipstat	ipstat;
-struct	ipq	ipq;			/* ip reass. queue */
-u_short	ip_id;				/* ip packet ctr, for ids */
-int	ip_defttl;			/* default IP ttl */
-
-int	 in_control __P((struct socket *, n_long, caddr_t, struct ifnet *));
-int	 ip_ctloutput __P((int, struct socket *, int, int, struct mbuf **));
-void	 ip_deq __P((struct ipasfrag *));
-int	 ip_dooptions __P((struct mbuf *));
-void	 ip_drain __P((void));
-void	 ip_enq __P((struct ipasfrag *, struct ipasfrag *));
-void	 ip_forward __P((struct mbuf *, int));
-void	 ip_freef __P((struct ipq *));
-void	 ip_freemoptions __P((struct ip_moptions *));
-int	 ip_getmoptions __P((int, struct ip_moptions *, struct mbuf **));
-void	 ip_init __P((void));
-int	 ip_mforward __P((struct mbuf *, struct ifnet *));
-int	 ip_optcopy __P((struct ip *, struct ip *));
-int	 ip_output __P((struct mbuf *,
-	    struct mbuf *, struct route *, int, struct ip_moptions *));
-int	 ip_pcbopts __P((struct mbuf **, struct mbuf *));
-struct ip *
-	 ip_reass __P((struct ipasfrag *, struct ipq *));
-struct in_ifaddr *
-	 ip_rtaddr __P((struct in_addr));
-int	 ip_setmoptions __P((int, struct ip_moptions **, struct mbuf *));
-void	 ip_slowtimo __P((void));
-struct mbuf *
-	 ip_srcroute __P((void));
-void	 ip_stripoptions __P((struct mbuf *, struct mbuf *));
-int	 ip_sysctl __P((int *, n_long, void *, size_t *, void *, size_t));
-void	 ipintr __P((void));
-int	 rip_ctloutput __P((int, struct socket *, int, int, struct mbuf **));
-void	 rip_init __P((void));
-void	 rip_input __P((struct mbuf *));
-int	 rip_output __P((struct mbuf *, struct socket *, n_long));
-int	 rip_usrreq __P((struct socket *,
-	    int, struct mbuf *, struct mbuf *, struct mbuf *));
-#endif
diff --git a/linux-include/netinet/tcp.h b/linux-include/netinet/tcp.h
deleted file mode 100644
index 92654c6fb0..0000000000
--- a/linux-include/netinet/tcp.h
+++ /dev/null
@@ -1,102 +0,0 @@
-/*
- * Copyright (c) 1982, 1986, 1993
- *	The Regents of the University of California.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- *	@(#)tcp.h	8.1 (Berkeley) 6/10/93
- */
-
-typedef	u_int	tcp_seq;
-/*
- * TCP header.
- * Per RFC 793, September, 1981.
- */
-struct tcphdr {
-	u_short	th_sport;		/* source port */
-	u_short	th_dport;		/* destination port */
-	tcp_seq	th_seq;			/* sequence number */
-	tcp_seq	th_ack;			/* acknowledgement number */
-#if BYTE_ORDER == LITTLE_ENDIAN 
-	u_char	th_x2:4,		/* (unused) */
-		th_off:4;		/* data offset */
-#endif
-#if BYTE_ORDER == BIG_ENDIAN 
-	u_char	th_off:4,		/* data offset */
-		th_x2:4;		/* (unused) */
-#endif
-	u_char	th_flags;
-#define	TH_FIN	0x01
-#define	TH_SYN	0x02
-#define	TH_RST	0x04
-#define	TH_PUSH	0x08
-#define	TH_ACK	0x10
-#define	TH_URG	0x20
-	u_short	th_win;			/* window */
-	u_short	th_sum;			/* checksum */
-	u_short	th_urp;			/* urgent pointer */
-};
-
-#define	TCPOPT_EOL		0
-#define	TCPOPT_NOP		1
-#define	TCPOPT_MAXSEG		2
-#define    TCPOLEN_MAXSEG		4
-#define TCPOPT_WINDOW		3
-#define    TCPOLEN_WINDOW		3
-#define TCPOPT_SACK_PERMITTED	4		/* Experimental */
-#define    TCPOLEN_SACK_PERMITTED	2
-#define TCPOPT_SACK		5		/* Experimental */
-#define TCPOPT_TIMESTAMP	8
-#define    TCPOLEN_TIMESTAMP		10
-#define    TCPOLEN_TSTAMP_APPA		(TCPOLEN_TIMESTAMP+2) /* appendix A */
-
-#define TCPOPT_TSTAMP_HDR	\
-    (TCPOPT_NOP<<24|TCPOPT_NOP<<16|TCPOPT_TIMESTAMP<<8|TCPOLEN_TIMESTAMP)
-
-/*
- * Default maximum segment size for TCP.
- * With an IP MSS of 576, this is 536,
- * but 512 is probably more convenient.
- * This should be defined as MIN(512, IP_MSS - sizeof (struct tcpiphdr)).
- */
-#define	TCP_MSS	512
-
-#define	TCP_MAXWIN	65535	/* largest value for (unscaled) window */
-
-#define TCP_MAX_WINSHIFT	14	/* maximum window shift */
-
-/*
- * User-settable options (used with setsockopt).
- */
-#ifndef TCP_NODELAY
-#define	TCP_NODELAY	0x01	/* don't delay send to coalesce packets */
-#endif
-#ifndef TCP_MAXSEG
-#define	TCP_MAXSEG	0x02	/* set maximum segment size */
-#endif
diff --git a/linux-include/netinet/tcp_var.h b/linux-include/netinet/tcp_var.h
deleted file mode 100644
index e94ccd65e0..0000000000
--- a/linux-include/netinet/tcp_var.h
+++ /dev/null
@@ -1,280 +0,0 @@
-/*
- * Copyright (c) 1982, 1986, 1993, 1994, 1995
- *	The Regents of the University of California.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- *	@(#)tcp_var.h	8.4 (Berkeley) 5/24/95
- */
-
-/*
- * Kernel variables for tcp.
- */
-
-/*
- * Tcp control block, one per tcp; fields:
- */
-struct tcpcb {
-	struct	tcpiphdr *seg_next;	/* sequencing queue */
-	struct	tcpiphdr *seg_prev;
-	short	t_state;		/* state of this connection */
-	short	t_timer[TCPT_NTIMERS];	/* tcp timers */
-	short	t_rxtshift;		/* log(2) of rexmt exp. backoff */
-	short	t_rxtcur;		/* current retransmit value */
-	short	t_dupacks;		/* consecutive dup acks recd */
-	u_short	t_maxseg;		/* maximum segment size */
-	char	t_force;		/* 1 if forcing out a byte */
-	u_short	t_flags;
-#define	TF_ACKNOW	0x0001		/* ack peer immediately */
-#define	TF_DELACK	0x0002		/* ack, but try to delay it */
-#define	TF_NODELAY	0x0004		/* don't delay packets to coalesce */
-#define	TF_NOOPT	0x0008		/* don't use tcp options */
-#define	TF_SENTFIN	0x0010		/* have sent FIN */
-#define	TF_REQ_SCALE	0x0020		/* have/will request window scaling */
-#define	TF_RCVD_SCALE	0x0040		/* other side has requested scaling */
-#define	TF_REQ_TSTMP	0x0080		/* have/will request timestamps */
-#define	TF_RCVD_TSTMP	0x0100		/* a timestamp was received in SYN */
-#define	TF_SACK_PERMIT	0x0200		/* other side said I could SACK */
-
-	struct	tcpiphdr *t_template;	/* skeletal packet for transmit */
-	struct	inpcb *t_inpcb;		/* back pointer to internet pcb */
-/*
- * The following fields are used as in the protocol specification.
- * See RFC783, Dec. 1981, page 21.
- */
-/* send sequence variables */
-	tcp_seq	snd_una;		/* send unacknowledged */
-	tcp_seq	snd_nxt;		/* send next */
-	tcp_seq	snd_up;			/* send urgent pointer */
-	tcp_seq	snd_wl1;		/* window update seg seq number */
-	tcp_seq	snd_wl2;		/* window update seg ack number */
-	tcp_seq	iss;			/* initial send sequence number */
-	n_long	snd_wnd;		/* send window */
-/* receive sequence variables */
-	n_long	rcv_wnd;		/* receive window */
-	tcp_seq	rcv_nxt;		/* receive next */
-	tcp_seq	rcv_up;			/* receive urgent pointer */
-	tcp_seq	irs;			/* initial receive sequence number */
-/*
- * Additional variables for this implementation.
- */
-/* receive variables */
-	tcp_seq	rcv_adv;		/* advertised window */
-/* retransmit variables */
-	tcp_seq	snd_max;		/* highest sequence number sent;
-					 * used to recognize retransmits
-					 */
-/* congestion control (for slow start, source quench, retransmit after loss) */
-	n_long	snd_cwnd;		/* congestion-controlled window */
-	n_long	snd_ssthresh;		/* snd_cwnd size threshhold for
-					 * for slow start exponential to
-					 * linear switch
-					 */
-/*
- * transmit timing stuff.  See below for scale of srtt and rttvar.
- * "Variance" is actually smoothed difference.
- */
-	u_short	t_idle;			/* inactivity time */
-	short	t_rtt;			/* round trip time */
-	tcp_seq	t_rtseq;		/* sequence number being timed */
-	short	t_srtt;			/* smoothed round-trip time */
-	short	t_rttvar;		/* variance in round-trip time */
-	u_short	t_rttmin;		/* minimum rtt allowed */
-	n_long	max_sndwnd;		/* largest window peer has offered */
-
-/* out-of-band data */
-	char	t_oobflags;		/* have some */
-	char	t_iobc;			/* input character */
-#define	TCPOOB_HAVEDATA	0x01
-#define	TCPOOB_HADDATA	0x02
-	short	t_softerror;		/* possible error not yet reported */
-
-/* RFC 1323 variables */
-	u_char	snd_scale;		/* window scaling for send window */
-	u_char	rcv_scale;		/* window scaling for recv window */
-	u_char	request_r_scale;	/* pending window scaling */
-	u_char	requested_s_scale;
-	n_long	ts_recent;		/* timestamp echo data */
-	n_long	ts_recent_age;		/* when last updated */
-	tcp_seq	last_ack_sent;
-
-/* TUBA stuff */
-	caddr_t	t_tuba_pcb;		/* next level down pcb for TCP over z */
-};
-
-#define	intotcpcb(ip)	((struct tcpcb *)(ip)->inp_ppcb)
-#define	sototcpcb(so)	(intotcpcb(sotoinpcb(so)))
-
-/*
- * The smoothed round-trip time and estimated variance
- * are stored as fixed point numbers scaled by the values below.
- * For convenience, these scales are also used in smoothing the average
- * (smoothed = (1/scale)sample + ((scale-1)/scale)smoothed).
- * With these scales, srtt has 3 bits to the right of the binary point,
- * and thus an "ALPHA" of 0.875.  rttvar has 2 bits to the right of the
- * binary point, and is smoothed with an ALPHA of 0.75.
- */
-#define	TCP_RTT_SCALE		8	/* multiplier for srtt; 3 bits frac. */
-#define	TCP_RTT_SHIFT		3	/* shift for srtt; 3 bits frac. */
-#define	TCP_RTTVAR_SCALE	4	/* multiplier for rttvar; 2 bits */
-#define	TCP_RTTVAR_SHIFT	2	/* multiplier for rttvar; 2 bits */
-
-/*
- * The initial retransmission should happen at rtt + 4 * rttvar.
- * Because of the way we do the smoothing, srtt and rttvar
- * will each average +1/2 tick of bias.  When we compute
- * the retransmit timer, we want 1/2 tick of rounding and
- * 1 extra tick because of +-1/2 tick uncertainty in the
- * firing of the timer.  The bias will give us exactly the
- * 1.5 tick we need.  But, because the bias is
- * statistical, we have to test that we don't drop below
- * the minimum feasible timer (which is 2 ticks).
- * This macro assumes that the value of TCP_RTTVAR_SCALE
- * is the same as the multiplier for rttvar.
- */
-#define	TCP_REXMTVAL(tp) \
-	(((tp)->t_srtt >> TCP_RTT_SHIFT) + (tp)->t_rttvar)
-
-/* XXX
- * We want to avoid doing m_pullup on incoming packets but that
- * means avoiding dtom on the tcp reassembly code.  That in turn means
- * keeping an mbuf pointer in the reassembly queue (since we might
- * have a cluster).  As a quick hack, the source & destination
- * port numbers (which are no longer needed once we've located the
- * tcpcb) are overlayed with an mbuf pointer.
- */
-#define REASS_MBUF(ti) (*(struct mbuf **)&((ti)->ti_t))
-
-/*
- * TCP statistics.
- * Many of these should be kept per connection,
- * but that's inconvenient at the moment.
- */
-struct	tcpstat {
-	n_long	tcps_connattempt;	/* connections initiated */
-	n_long	tcps_accepts;		/* connections accepted */
-	n_long	tcps_connects;		/* connections established */
-	n_long	tcps_drops;		/* connections dropped */
-	n_long	tcps_conndrops;		/* embryonic connections dropped */
-	n_long	tcps_closed;		/* conn. closed (includes drops) */
-	n_long	tcps_segstimed;		/* segs where we tried to get rtt */
-	n_long	tcps_rttupdated;	/* times we succeeded */
-	n_long	tcps_delack;		/* delayed acks sent */
-	n_long	tcps_timeoutdrop;	/* conn. dropped in rxmt timeout */
-	n_long	tcps_rexmttimeo;	/* retransmit timeouts */
-	n_long	tcps_persisttimeo;	/* persist timeouts */
-	n_long	tcps_keeptimeo;		/* keepalive timeouts */
-	n_long	tcps_keepprobe;		/* keepalive probes sent */
-	n_long	tcps_keepdrops;		/* connections dropped in keepalive */
-
-	n_long	tcps_sndtotal;		/* total packets sent */
-	n_long	tcps_sndpack;		/* data packets sent */
-	n_long	tcps_sndbyte;		/* data bytes sent */
-	n_long	tcps_sndrexmitpack;	/* data packets retransmitted */
-	n_long	tcps_sndrexmitbyte;	/* data bytes retransmitted */
-	n_long	tcps_sndacks;		/* ack-only packets sent */
-	n_long	tcps_sndprobe;		/* window probes sent */
-	n_long	tcps_sndurg;		/* packets sent with URG only */
-	n_long	tcps_sndwinup;		/* window update-only packets sent */
-	n_long	tcps_sndctrl;		/* control (SYN|FIN|RST) packets sent */
-
-	n_long	tcps_rcvtotal;		/* total packets received */
-	n_long	tcps_rcvpack;		/* packets received in sequence */
-	n_long	tcps_rcvbyte;		/* bytes received in sequence */
-	n_long	tcps_rcvbadsum;		/* packets received with ccksum errs */
-	n_long	tcps_rcvbadoff;		/* packets received with bad offset */
-	n_long	tcps_rcvshort;		/* packets received too short */
-	n_long	tcps_rcvduppack;	/* duplicate-only packets received */
-	n_long	tcps_rcvdupbyte;	/* duplicate-only bytes received */
-	n_long	tcps_rcvpartduppack;	/* packets with some duplicate data */
-	n_long	tcps_rcvpartdupbyte;	/* dup. bytes in part-dup. packets */
-	n_long	tcps_rcvoopack;		/* out-of-order packets received */
-	n_long	tcps_rcvoobyte;		/* out-of-order bytes received */
-	n_long	tcps_rcvpackafterwin;	/* packets with data after window */
-	n_long	tcps_rcvbyteafterwin;	/* bytes rcvd after window */
-	n_long	tcps_rcvafterclose;	/* packets rcvd after "close" */
-	n_long	tcps_rcvwinprobe;	/* rcvd window probe packets */
-	n_long	tcps_rcvdupack;		/* rcvd duplicate acks */
-	n_long	tcps_rcvacktoomuch;	/* rcvd acks for unsent data */
-	n_long	tcps_rcvackpack;	/* rcvd ack packets */
-	n_long	tcps_rcvackbyte;	/* bytes acked by rcvd acks */
-	n_long	tcps_rcvwinupd;		/* rcvd window update packets */
-	n_long	tcps_pawsdrop;		/* segments dropped due to PAWS */
-	n_long	tcps_predack;		/* times hdr predict ok for acks */
-	n_long	tcps_preddat;		/* times hdr predict ok for data pkts */
-	n_long	tcps_pcbcachemiss;
-	n_long	tcps_persistdrop;	/* timeout in persist state */
-	n_long	tcps_badsyn;		/* bogus SYN, e.g. premature ACK */
-};
-
-#ifdef KERNEL
-struct	inpcb tcb;		/* head of queue of active tcpcb's */
-struct	tcpstat tcpstat;	/* tcp statistics */
-n_long	tcp_now;		/* for RFC 1323 timestamps */
-
-int	 tcp_attach __P((struct socket *));
-void	 tcp_canceltimers __P((struct tcpcb *));
-struct tcpcb *
-	 tcp_close __P((struct tcpcb *));
-void	 tcp_ctlinput __P((int, struct sockaddr *, struct ip *));
-int	 tcp_ctloutput __P((int, struct socket *, int, int, struct mbuf **));
-struct tcpcb *
-	 tcp_disconnect __P((struct tcpcb *));
-struct tcpcb *
-	 tcp_drop __P((struct tcpcb *, int));
-void	 tcp_dooptions __P((struct tcpcb *,
-	    u_char *, int, struct tcpiphdr *, int *, n_long *, n_long *));
-void	 tcp_drain __P((void));
-void	 tcp_fasttimo __P((void));
-void	 tcp_init __P((void));
-void	 tcp_input __P((struct mbuf *, int));
-int	 tcp_mss __P((struct tcpcb *, u_int));
-struct tcpcb *
-	 tcp_newtcpcb __P((struct inpcb *));
-void	 tcp_notify __P((struct inpcb *, int));
-int	 tcp_output __P((struct tcpcb *));
-void	 tcp_pulloutofband __P((struct socket *,
-	    struct tcpiphdr *, struct mbuf *));
-void	 tcp_quench __P((struct inpcb *, int));
-int	 tcp_reass __P((struct tcpcb *, struct tcpiphdr *, struct mbuf *));
-void	 tcp_respond __P((struct tcpcb *,
-	    struct tcpiphdr *, struct mbuf *, n_long, n_long, int));
-void	 tcp_setpersist __P((struct tcpcb *));
-void	 tcp_slowtimo __P((void));
-struct tcpiphdr *
-	 tcp_template __P((struct tcpcb *));
-struct tcpcb *
-	 tcp_timers __P((struct tcpcb *, int));
-void	 tcp_trace __P((int, int, struct tcpcb *, struct tcpiphdr *, int));
-struct tcpcb *
-	 tcp_usrclosed __P((struct tcpcb *));
-int	 tcp_usrreq __P((struct socket *,
-	    int, struct mbuf *, struct mbuf *, struct mbuf *));
-void	 tcp_xmit_timer __P((struct tcpcb *, int));
-#endif
diff --git a/linux-include/netinet/tcpip.h b/linux-include/netinet/tcpip.h
deleted file mode 100644
index 5000ae303c..0000000000
--- a/linux-include/netinet/tcpip.h
+++ /dev/null
@@ -1,59 +0,0 @@
-/*
- * Copyright (c) 1982, 1986, 1993
- *	The Regents of the University of California.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- *	@(#)tcpip.h	8.1 (Berkeley) 6/10/93
- */
-
-/*
- * Tcp+ip header, after ip options removed.
- */
-struct tcpiphdr {
-	struct 	ipovly ti_i;		/* overlaid ip structure */
-	struct	tcphdr ti_t;		/* tcp header */
-};
-#define	ti_next		ti_i.ih_next
-#define	ti_prev		ti_i.ih_prev
-#define	ti_x1		ti_i.ih_x1
-#define	ti_pr		ti_i.ih_pr
-#define	ti_len		ti_i.ih_len
-#define	ti_src		ti_i.ih_src
-#define	ti_dst		ti_i.ih_dst
-#define	ti_sport	ti_t.th_sport
-#define	ti_dport	ti_t.th_dport
-#define	ti_seq		ti_t.th_seq
-#define	ti_ack		ti_t.th_ack
-#define	ti_x2		ti_t.th_x2
-#define	ti_off		ti_t.th_off
-#define	ti_flags	ti_t.th_flags
-#define	ti_win		ti_t.th_win
-#define	ti_sum		ti_t.th_sum
-#define	ti_urp		ti_t.th_urp
diff --git a/linux-include/netinet/udp.h b/linux-include/netinet/udp.h
deleted file mode 100644
index 354a213cbc..0000000000
--- a/linux-include/netinet/udp.h
+++ /dev/null
@@ -1,45 +0,0 @@
-/*
- * Copyright (c) 1982, 1986, 1993
- *	The Regents of the University of California.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- *	@(#)udp.h	8.1 (Berkeley) 6/10/93
- */
-
-/*
- * Udp protocol header.
- * Per RFC 768, September, 1981.
- */
-struct udphdr {
-	u_short	uh_sport;		/* source port */
-	u_short	uh_dport;		/* destination port */
-	short	uh_ulen;		/* udp length */
-	u_short	uh_sum;			/* udp checksum */
-};
diff --git a/linux-include/netinet/udp_var.h b/linux-include/netinet/udp_var.h
deleted file mode 100644
index f36d832bae..0000000000
--- a/linux-include/netinet/udp_var.h
+++ /dev/null
@@ -1,92 +0,0 @@
-/*
- * Copyright (c) 1982, 1986, 1989, 1993
- *	The Regents of the University of California.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- *	@(#)udp_var.h	8.1 (Berkeley) 6/10/93
- */
-
-/*
- * UDP kernel structures and variables.
- */
-struct	udpiphdr {
-	struct 	ipovly ui_i;		/* overlaid ip structure */
-	struct	udphdr ui_u;		/* udp header */
-};
-#define	ui_next		ui_i.ih_next
-#define	ui_prev		ui_i.ih_prev
-#define	ui_x1		ui_i.ih_x1
-#define	ui_pr		ui_i.ih_pr
-#define	ui_len		ui_i.ih_len
-#define	ui_src		ui_i.ih_src
-#define	ui_dst		ui_i.ih_dst
-#define	ui_sport	ui_u.uh_sport
-#define	ui_dport	ui_u.uh_dport
-#define	ui_ulen		ui_u.uh_ulen
-#define	ui_sum		ui_u.uh_sum
-
-struct	udpstat {
-				/* input statistics: */
-	n_long	udps_ipackets;		/* total input packets */
-	n_long	udps_hdrops;		/* packet shorter than header */
-	n_long	udps_badsum;		/* checksum error */
-	n_long	udps_badlen;		/* data length larger than packet */
-	n_long	udps_noport;		/* no socket on port */
-	n_long	udps_noportbcast;	/* of above, arrived as broadcast */
-	n_long	udps_fullsock;		/* not delivered, input socket full */
-	n_long	udpps_pcbcachemiss;	/* input packets missing pcb cache */
-				/* output statistics: */
-	n_long	udps_opackets;		/* total output packets */
-};
-
-/*
- * Names for UDP sysctl objects
- */
-#define	UDPCTL_CHECKSUM		1	/* checksum UDP packets */
-#define UDPCTL_MAXID		2
-
-#define UDPCTL_NAMES { \
-	{ 0, 0 }, \
-	{ "checksum", CTLTYPE_INT }, \
-}
-
-#ifdef KERNEL
-struct	inpcb udb;
-struct	udpstat udpstat;
-
-void	 udp_ctlinput __P((int, struct sockaddr *, struct ip *));
-void	 udp_init __P((void));
-void	 udp_input __P((struct mbuf *, int));
-int	 udp_output __P((struct inpcb *,
-	    struct mbuf *, struct mbuf *, struct mbuf *));
-int	 udp_sysctl __P((int *, u_int, void *, size_t *, void *, size_t));
-int	 udp_usrreq __P((struct socket *,
-	    int, struct mbuf *, struct mbuf *, struct mbuf *));
-#endif
diff --git a/linux-include/sys/mbuf.h b/linux-include/sys/mbuf.h
deleted file mode 100644
index b5df3899aa..0000000000
--- a/linux-include/sys/mbuf.h
+++ /dev/null
@@ -1,5 +0,0 @@
-/* @(#) $Header$ (LBL) */
-
-#ifndef MLEN
-#define MLEN 128			/* needed for slcompress.h */
-#endif
diff --git a/missing b/missing
deleted file mode 100755
index e7ef83a1c2..0000000000
--- a/missing
+++ /dev/null
@@ -1,360 +0,0 @@
-#! /bin/sh
-# Common stub for a few missing GNU programs while installing.
-
-scriptversion=2003-09-02.23
-
-# Copyright (C) 1996, 1997, 1999, 2000, 2002, 2003 
-#   Free Software Foundation, Inc.
-# Originally by Fran,cois Pinard <pinard@iro.umontreal.ca>, 1996.
-
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2, or (at your option)
-# any later version.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
-# 02111-1307, USA.
-
-# As a special exception to the GNU General Public License, if you
-# distribute this file as part of a program that contains a
-# configuration script generated by Autoconf, you may include it under
-# the same distribution terms that you use for the rest of that program.
-
-if test $# -eq 0; then
-  echo 1>&2 "Try \`$0 --help' for more information"
-  exit 1
-fi
-
-run=:
-
-# In the cases where this matters, `missing' is being run in the
-# srcdir already.
-if test -f configure.ac; then
-  configure_ac=configure.ac
-else
-  configure_ac=configure.in
-fi
-
-msg="missing on your system"
-
-case "$1" in
---run)
-  # Try to run requested program, and just exit if it succeeds.
-  run=
-  shift
-  "$@" && exit 0
-  # Exit code 63 means version mismatch.  This often happens
-  # when the user try to use an ancient version of a tool on
-  # a file that requires a minimum version.  In this case we
-  # we should proceed has if the program had been absent, or
-  # if --run hadn't been passed.
-  if test $? = 63; then
-    run=:
-    msg="probably too old"
-  fi
-  ;;
-esac
-
-# If it does not exist, or fails to run (possibly an outdated version),
-# try to emulate it.
-case "$1" in
-
-  -h|--h|--he|--hel|--help)
-    echo "\
-$0 [OPTION]... PROGRAM [ARGUMENT]...
-
-Handle \`PROGRAM [ARGUMENT]...' for when PROGRAM is missing, or return an
-error status if there is no known handling for PROGRAM.
-
-Options:
-  -h, --help      display this help and exit
-  -v, --version   output version information and exit
-  --run           try to run the given command, and emulate it if it fails
-
-Supported PROGRAM values:
-  aclocal      touch file \`aclocal.m4'
-  autoconf     touch file \`configure'
-  autoheader   touch file \`config.h.in'
-  automake     touch all \`Makefile.in' files
-  bison        create \`y.tab.[ch]', if possible, from existing .[ch]
-  flex         create \`lex.yy.c', if possible, from existing .c
-  help2man     touch the output file
-  lex          create \`lex.yy.c', if possible, from existing .c
-  makeinfo     touch the output file
-  tar          try tar, gnutar, gtar, then tar without non-portable flags
-  yacc         create \`y.tab.[ch]', if possible, from existing .[ch]
-
-Send bug reports to <bug-automake@gnu.org>."
-    ;;
-
-  -v|--v|--ve|--ver|--vers|--versi|--versio|--version)
-    echo "missing $scriptversion (GNU Automake)"
-    ;;
-
-  -*)
-    echo 1>&2 "$0: Unknown \`$1' option"
-    echo 1>&2 "Try \`$0 --help' for more information"
-    exit 1
-    ;;
-
-  aclocal*)
-    if test -z "$run" && ($1 --version) > /dev/null 2>&1; then
-       # We have it, but it failed.
-       exit 1
-    fi
-
-    echo 1>&2 "\
-WARNING: \`$1' is $msg.  You should only need it if
-         you modified \`acinclude.m4' or \`${configure_ac}'.  You might want
-         to install the \`Automake' and \`Perl' packages.  Grab them from
-         any GNU archive site."
-    touch aclocal.m4
-    ;;
-
-  autoconf)
-    if test -z "$run" && ($1 --version) > /dev/null 2>&1; then
-       # We have it, but it failed.
-       exit 1
-    fi
-
-    echo 1>&2 "\
-WARNING: \`$1' is $msg.  You should only need it if
-         you modified \`${configure_ac}'.  You might want to install the
-         \`Autoconf' and \`GNU m4' packages.  Grab them from any GNU
-         archive site."
-    touch configure
-    ;;
-
-  autoheader)
-    if test -z "$run" && ($1 --version) > /dev/null 2>&1; then
-       # We have it, but it failed.
-       exit 1
-    fi
-
-    echo 1>&2 "\
-WARNING: \`$1' is $msg.  You should only need it if
-         you modified \`acconfig.h' or \`${configure_ac}'.  You might want
-         to install the \`Autoconf' and \`GNU m4' packages.  Grab them
-         from any GNU archive site."
-    files=`sed -n 's/^[ ]*A[CM]_CONFIG_HEADER(\([^)]*\)).*/\1/p' ${configure_ac}`
-    test -z "$files" && files="config.h"
-    touch_files=
-    for f in $files; do
-      case "$f" in
-      *:*) touch_files="$touch_files "`echo "$f" |
-				       sed -e 's/^[^:]*://' -e 's/:.*//'`;;
-      *) touch_files="$touch_files $f.in";;
-      esac
-    done
-    touch $touch_files
-    ;;
-
-  automake*)
-    if test -z "$run" && ($1 --version) > /dev/null 2>&1; then
-       # We have it, but it failed.
-       exit 1
-    fi
-
-    echo 1>&2 "\
-WARNING: \`$1' is $msg.  You should only need it if
-         you modified \`Makefile.am', \`acinclude.m4' or \`${configure_ac}'.
-         You might want to install the \`Automake' and \`Perl' packages.
-         Grab them from any GNU archive site."
-    find . -type f -name Makefile.am -print |
-	   sed 's/\.am$/.in/' |
-	   while read f; do touch "$f"; done
-    ;;
-
-  autom4te)
-    if test -z "$run" && ($1 --version) > /dev/null 2>&1; then
-       # We have it, but it failed.
-       exit 1
-    fi
-
-    echo 1>&2 "\
-WARNING: \`$1' is needed, but is $msg.
-         You might have modified some files without having the
-         proper tools for further handling them.
-         You can get \`$1' as part of \`Autoconf' from any GNU
-         archive site."
-
-    file=`echo "$*" | sed -n 's/.*--output[ =]*\([^ ]*\).*/\1/p'`
-    test -z "$file" && file=`echo "$*" | sed -n 's/.*-o[ ]*\([^ ]*\).*/\1/p'`
-    if test -f "$file"; then
-	touch $file
-    else
-	test -z "$file" || exec >$file
-	echo "#! /bin/sh"
-	echo "# Created by GNU Automake missing as a replacement of"
-	echo "#  $ $@"
-	echo "exit 0"
-	chmod +x $file
-	exit 1
-    fi
-    ;;
-
-  bison|yacc)
-    echo 1>&2 "\
-WARNING: \`$1' $msg.  You should only need it if
-         you modified a \`.y' file.  You may need the \`Bison' package
-         in order for those modifications to take effect.  You can get
-         \`Bison' from any GNU archive site."
-    rm -f y.tab.c y.tab.h
-    if [ $# -ne 1 ]; then
-        eval LASTARG="\${$#}"
-	case "$LASTARG" in
-	*.y)
-	    SRCFILE=`echo "$LASTARG" | sed 's/y$/c/'`
-	    if [ -f "$SRCFILE" ]; then
-	         cp "$SRCFILE" y.tab.c
-	    fi
-	    SRCFILE=`echo "$LASTARG" | sed 's/y$/h/'`
-	    if [ -f "$SRCFILE" ]; then
-	         cp "$SRCFILE" y.tab.h
-	    fi
-	  ;;
-	esac
-    fi
-    if [ ! -f y.tab.h ]; then
-	echo >y.tab.h
-    fi
-    if [ ! -f y.tab.c ]; then
-	echo 'main() { return 0; }' >y.tab.c
-    fi
-    ;;
-
-  lex|flex)
-    echo 1>&2 "\
-WARNING: \`$1' is $msg.  You should only need it if
-         you modified a \`.l' file.  You may need the \`Flex' package
-         in order for those modifications to take effect.  You can get
-         \`Flex' from any GNU archive site."
-    rm -f lex.yy.c
-    if [ $# -ne 1 ]; then
-        eval LASTARG="\${$#}"
-	case "$LASTARG" in
-	*.l)
-	    SRCFILE=`echo "$LASTARG" | sed 's/l$/c/'`
-	    if [ -f "$SRCFILE" ]; then
-	         cp "$SRCFILE" lex.yy.c
-	    fi
-	  ;;
-	esac
-    fi
-    if [ ! -f lex.yy.c ]; then
-	echo 'main() { return 0; }' >lex.yy.c
-    fi
-    ;;
-
-  help2man)
-    if test -z "$run" && ($1 --version) > /dev/null 2>&1; then
-       # We have it, but it failed.
-       exit 1
-    fi
-
-    echo 1>&2 "\
-WARNING: \`$1' is $msg.  You should only need it if
-	 you modified a dependency of a manual page.  You may need the
-	 \`Help2man' package in order for those modifications to take
-	 effect.  You can get \`Help2man' from any GNU archive site."
-
-    file=`echo "$*" | sed -n 's/.*-o \([^ ]*\).*/\1/p'`
-    if test -z "$file"; then
-	file=`echo "$*" | sed -n 's/.*--output=\([^ ]*\).*/\1/p'`
-    fi
-    if [ -f "$file" ]; then
-	touch $file
-    else
-	test -z "$file" || exec >$file
-	echo ".ab help2man is required to generate this page"
-	exit 1
-    fi
-    ;;
-
-  makeinfo)
-    if test -z "$run" && (makeinfo --version) > /dev/null 2>&1; then
-       # We have makeinfo, but it failed.
-       exit 1
-    fi
-
-    echo 1>&2 "\
-WARNING: \`$1' is $msg.  You should only need it if
-         you modified a \`.texi' or \`.texinfo' file, or any other file
-         indirectly affecting the aspect of the manual.  The spurious
-         call might also be the consequence of using a buggy \`make' (AIX,
-         DU, IRIX).  You might want to install the \`Texinfo' package or
-         the \`GNU make' package.  Grab either from any GNU archive site."
-    file=`echo "$*" | sed -n 's/.*-o \([^ ]*\).*/\1/p'`
-    if test -z "$file"; then
-      file=`echo "$*" | sed 's/.* \([^ ]*\) *$/\1/'`
-      file=`sed -n '/^@setfilename/ { s/.* \([^ ]*\) *$/\1/; p; q; }' $file`
-    fi
-    touch $file
-    ;;
-
-  tar)
-    shift
-    if test -n "$run"; then
-      echo 1>&2 "ERROR: \`tar' requires --run"
-      exit 1
-    fi
-
-    # We have already tried tar in the generic part.
-    # Look for gnutar/gtar before invocation to avoid ugly error
-    # messages.
-    if (gnutar --version > /dev/null 2>&1); then
-       gnutar "$@" && exit 0
-    fi
-    if (gtar --version > /dev/null 2>&1); then
-       gtar "$@" && exit 0
-    fi
-    firstarg="$1"
-    if shift; then
-	case "$firstarg" in
-	*o*)
-	    firstarg=`echo "$firstarg" | sed s/o//`
-	    tar "$firstarg" "$@" && exit 0
-	    ;;
-	esac
-	case "$firstarg" in
-	*h*)
-	    firstarg=`echo "$firstarg" | sed s/h//`
-	    tar "$firstarg" "$@" && exit 0
-	    ;;
-	esac
-    fi
-
-    echo 1>&2 "\
-WARNING: I can't seem to be able to run \`tar' with the given arguments.
-         You may want to install GNU tar or Free paxutils, or check the
-         command line arguments."
-    exit 1
-    ;;
-
-  *)
-    echo 1>&2 "\
-WARNING: \`$1' is needed, and is $msg.
-         You might have modified some files without having the
-         proper tools for further handling them.  Check the \`README' file,
-         it often tells you about the needed prerequisites for installing
-         this package.  You may also peek at any GNU archive site, in case
-         some other package would contain this missing \`$1' program."
-    exit 1
-    ;;
-esac
-
-exit 0
-
-# Local variables:
-# eval: (add-hook 'write-file-hooks 'time-stamp)
-# time-stamp-start: "scriptversion="
-# time-stamp-format: "%:y-%02m-%02d.%02H"
-# time-stamp-end: "$"
-# End:
diff --git a/pkg/check-cmake b/pkg/check-cmake
new file mode 100755
index 0000000000..2c3ed765a6
--- /dev/null
+++ b/pkg/check-cmake
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+# CMake/CPack versions before 2.8.3 have bugs that can create bad packages
+# Since packages will be built on several different systems, a single
+# version of CMake is required to obtain consistency, but can be increased
+# as new versions of CMake come out that also produce working packages.
+
+CMAKE_PACK_REQ="cmake version 2.8.4"
+CMAKE_VER=`cmake -version`
+
+if [ "${CMAKE_VER}" != "${CMAKE_PACK_REQ}" ]; then
+    echo "Package creation requires ${CMAKE_PACK_REQ}" >&2
+    exit 1
+fi
diff --git a/pkg/make-deb-packages b/pkg/make-deb-packages
new file mode 100755
index 0000000000..a9de210e52
--- /dev/null
+++ b/pkg/make-deb-packages
@@ -0,0 +1,47 @@
+#!/bin/sh
+
+# This script generates binary DEB packages.
+# They can be found in ../build/ after running.
+
+./check-cmake || { exit 1; }
+
+# The DEB CPack generator depends on `dpkg-shlibdeps` to automatically
+# determine what dependencies to set for the packages
+type dpkg-shlibdeps > /dev/null 2>&1 || {
+    echo "\
+Creating DEB packages requires the "dpkg-shlibs" command, usually provided by
+the 'dpkg-dev' package, please install it first.
+" >&2;
+    exit 1;
+}
+
+prefix=/opt/bro
+
+# During the packaging process, `dpkg-shlibs` will fail if used on a library
+# that links to other internal/project libraries unless an RPATH is used or
+# we set LD_LIBRARY_PATH such that it can find the internal/project library
+# in the temporary packaging tree.
+export LD_LIBRARY_PATH=./${prefix}/lib
+
+cd ..
+
+# Minimum Bro
+./configure --prefix=${prefix} --disable-broccoli --disable-broctl \
+            --pkg-name-prefix=Bro --binary-package
+( cd build && make package )
+
+# Full Bro package
+./configure --prefix=${prefix} --pkg-name-prefix=Bro-all --binary-package
+( cd build && make package )
+
+# Broccoli
+cd aux/broccoli
+./configure --prefix=${prefix} --binary-package
+( cd build && make package && mv Broccoli*.deb ../../../build/ )
+cd ../..
+
+# Broctl
+cd aux/broctl
+./configure --prefix=${prefix} --binary-package
+( cd build && make package && mv Broctl*.deb ../../../build/ )
+cd ../..
diff --git a/pkg/make-mac-packages b/pkg/make-mac-packages
new file mode 100755
index 0000000000..a8f7f965c8
--- /dev/null
+++ b/pkg/make-mac-packages
@@ -0,0 +1,59 @@
+#!/bin/sh
+
+# This script creates binary packages for Mac OS X.
+# They can be found in ../build/ after running.
+
+./check-cmake || { exit 1; }
+
+type sw_vers > /dev/null 2>&1 || {
+    echo "Unable to get Mac OS X version" >&2;
+    exit 1;
+}
+
+# Get the OS X minor version
+# 5 = Leopard, 6 = Snow Leopard, 7 = Lion ...
+osx_ver=`sw_vers | sed -n 's/ProductVersion://p' | cut -d . -f 2`
+
+if [ ${osx_ver} -lt 5 ]; then
+    echo "Packages for OS X < 10.5 are not supported" >&2
+    exit 1
+elif [ ${osx_ver} -eq 5 ]; then
+    # On OS X 10.5, the x86_64 version of libresolv is broken,
+    # so we build for i386 as the easiest solution
+    arch=i386
+else
+    # Currently it's just easiest to build the 10.5 package on
+    # on 10.5, but if it weren't for the libresolv issue, we could
+    # potentially build packages for older OS X version by using the
+    # --osx-sysroot and --osx-min-version options
+    arch=x86_64
+fi
+
+prefix=/opt/bro
+
+cd ..
+
+# Minimum Bro
+CMAKE_OSX_ARCHITECTURES=${arch} ./configure --prefix=${prefix} \
+    --disable-broccoli --disable-broctl --pkg-name-prefix=Bro \
+    --binary-package
+( cd build && make package )
+
+# Full Bro package
+CMAKE_OSX_ARCHITECTURES=${arch} ./configure --prefix=${prefix} \
+    --pkg-name-prefix=Bro-all --binary-package
+( cd build && make package )
+
+# Broccoli
+cd aux/broccoli
+CMAKE_OSX_ARCHITECTURES=${arch} ./configure --prefix=${prefix} \
+    --binary-package
+( cd build && make package && mv Broccoli*.dmg ../../../build/ )
+cd ../..
+
+# Broctl
+cd aux/broctl
+CMAKE_OSX_ARCHITECTURES=${arch} ./configure --prefix=${prefix} \
+    --binary-package
+( cd build && make package && mv Broctl*.dmg ../../../build/ )
+cd ../..
diff --git a/pkg/make-rpm-packages b/pkg/make-rpm-packages
new file mode 100755
index 0000000000..ac8dfa97b4
--- /dev/null
+++ b/pkg/make-rpm-packages
@@ -0,0 +1,40 @@
+#!/bin/sh
+
+# This script generates binary RPM packages.
+# They can be found in ../build/ after running.
+
+./check-cmake || { exit 1; }
+
+# The RPM CPack generator depends on `rpmbuild` to create packages
+type rpmbuild > /dev/null 2>&1 || {
+    echo "\
+Creating RPM packages requires the "rpmbuild" command, usually provided by
+the 'rpm-build' package, please install it first.
+" >&2;
+    exit 1;
+}
+
+prefix=/opt/bro
+
+cd ..
+
+# Minimum Bro
+./configure --prefix=${prefix} --disable-broccoli --disable-broctl \
+            --pkg-name-prefix=Bro --binary-package
+( cd build && make package )
+
+# Full Bro package
+./configure --prefix=${prefix} --pkg-name-prefix=Bro-all --binary-package
+( cd build && make package )
+
+# Broccoli
+cd aux/broccoli
+./configure --prefix=${prefix} --binary-package
+( cd build && make package && mv Broccoli*.rpm ../../../build/ )
+cd ../..
+
+# Broctl
+cd aux/broctl
+./configure --prefix=${prefix} --binary-package
+( cd build && make package && mv Broctl*.rpm ../../../build/ )
+cd ../..
diff --git a/policy/CMakeLists.txt b/policy/CMakeLists.txt
new file mode 100644
index 0000000000..a79e841661
--- /dev/null
+++ b/policy/CMakeLists.txt
@@ -0,0 +1,10 @@
+install(DIRECTORY ./ DESTINATION ${POLICYDIR} FILES_MATCHING
+        PATTERN "summaries" EXCLUDE
+        PATTERN "all.bro" EXCLUDE
+        PATTERN "bro.init"
+        PATTERN "*.bro"
+        PATTERN "*.sig"
+        PATTERN "*.osf"
+)
+
+install(DIRECTORY DESTINATION ${POLICYDIR}/site)
diff --git a/policy/Makefile.am b/policy/Makefile.am
deleted file mode 100644
index 3e401db66c..0000000000
--- a/policy/Makefile.am
+++ /dev/null
@@ -1,71 +0,0 @@
-## Process this file with automake to produce Makefile.in
-
-SUBDIRS = sigs time-machine
-
-# These files are created and moved here by the src Makefile
-BIF_BRO_FILES = \
-	bro.bif.bro common-rw.bif.bro const.bif.bro \
-	dns-rw.bif.bro event.bif.bro finger-rw.bif.bro \
-	ftp-rw.bif.bro http-rw.bif.bro ident-rw.bif.bro \
-	smb-rw.bif.bro smtp-rw.bif.bro strings.bif.bro
-
-MOSTLYCLEANFILES = $(BIF_BRO_FILES)
-
-# doesn't end in a sig
-bropolicydir=$(datadir)/bro
-bropolicysitedir=$(datadir)/bro/site
-
-dist_bropolicy_DATA = bro.init adu.bro alarm.bro analy.bro \
-	anon.bro arp.bro backdoor.bro bittorrent.bro \
-	blaster.bro bt-tracker.bro brolite.bro \
-	brolite-backdoor.bro brolite-sigs.bro \
-	capture-events.bro capture-loss.bro capture-state-updates.bro \
-	checkpoint.bro clear-passwords.bro conn-flood.bro conn-id.bro \
-	conn.bro contents.bro cpu-adapt.bro dce.bro demux.bro \
-	detect-protocols.bro detect-protocols-http.bro \
-	dhcp.bro dns-anonymizer.bro dns-info.bro \
-	dns-lookup.bro dns.bro dpd.bro drop.bro \
-	drop-adapt.bro dyn-disable.bro \
-	file-flush.bro finger.bro firewall.bro \
-	flag-irc.bro flag-warez.bro frag.bro \
-	ftp-anonymizer.bro ftp-cmd-arg.bro ftp-reply-pattern.bro \
-	ftp-safe-words.bro ftp.bro gnutella.bro hand-over.bro \
-	heavy-analysis.bro heavy.http.bro heavy.irc.bro \
-	heavy.scan.bro heavy.software.bro heavy.trw.bro \
-	hot-ids.bro hot.bro \
-	http-abstract.bro http-anon-server.bro http-anon-useragent.bro \
-	http-anon-utils.bro http-anonymizer.bro http-body.bro \
-	http-detect-passwd.bro http-entity.bro \
-	http-event.bro http-extract-items.bro http-header.bro \
-	http-identified-files.bro http-reply.bro \
-	http-request.bro http-rewriter.bro http.bro \
-	icmp.bro ident-rewriter.bro ident.bro inactivity.bro \
-	interconn.bro irc.bro irc-bot.bro large-conns.bro listen-clear.bro \
-	listen-ssl.bro load-level.bro load-sample.bro log-append.bro \
-	login.bro mime.bro mime-pop.bro mt.bro \
-	ncp.bro netflow.bro netstats.bro nfs.bro \
-	notice.bro notice-policy.bro notice-action-filters.bro ntp.bro \
-	OS-fingerprint.bro pcap.bro peer-status.bro \
-	pkt-profile.bro pop3.bro port-name.bro portmapper.bro print-filter.bro \
-	print-globals.bro print-resources.bro print-sig-states.bro \
-	profiling.bro proxy.bro passwords.bro \
-	remote-pcap.bro remote-ping.bro \
-	remote-print-id-reply.bro remote-print-id.bro remote-print.bro \
-	remote-report-notices.bro remote-send-id.bro remote.bro \
-	rotate-logs.bro rsh.bro \
-	save-peer-status.bro scan.bro secondary-filter.bro sensor-sshd.bro \
-	server-ports.bro service-probe.bro signatures.bro site.bro \
-	smb.bro smtp-relay.bro smtp-rewriter.bro smtp.bro snort.bro \
-	software.bro ssh-stepping.bro ssh.bro ssl-alerts.bro \
-	ssl-ciphers.bro ssl-errors.bro ssl-worm.bro ssl.bro stats.bro \
-	stepping.bro synflood.bro targeted-scan.bro tcp.bro \
-	terminate-connection.bro tftp.bro trw.bro trw-impl.bro \
-	udp.bro udp-common.bro vlan.bro weird.bro worm.bro \
-	$(BIF_BRO_FILES)
-
-
-install-data-hook:
-	test -d $(DESTDIR)$(bropolicysitedir) || mkdir $(DESTDIR)$(bropolicysitedir)
-
-uninstall-local:
-	-rmdir $(DESTDIR)$(bropolicysitedir)
diff --git a/policy/all.bro b/policy/all.bro
index 4bbe3e8afe..637e0a3391 100644
--- a/policy/all.bro
+++ b/policy/all.bro
@@ -53,10 +53,8 @@
 @load http-identified-files.bro
 @load http-reply
 @load http-request
-@load http-rewriter
 @load http
 @load icmp
-@load ident-rewriter
 @load ident
 @load inactivity
 @load interconn
@@ -111,7 +109,6 @@
 @load site
 @load smb
 @load smtp-relay
-@load smtp-rewriter
 @load smtp
 @load snort
 @load software
diff --git a/policy/bro.init b/policy/bro.init
index 1ba8f59b4d..a9ed8fac82 100644
--- a/policy/bro.init
+++ b/policy/bro.init
@@ -1,6 +1,7 @@
 # $Id: bro.init 6887 2009-08-20 05:17:33Z vern $
 
 @load const.bif.bro
+@load types.bif.bro
 
 global bro_signal: event(signal: count);
 
@@ -20,7 +21,7 @@ type conn_id: record {
 	orig_p: port;
 	resp_h: addr;
 	resp_p: port;
-};
+} &log;
 
 type icmp_conn: record {
 	orig_h: addr;
@@ -65,8 +66,12 @@ type ftp_port: record {
 };
 
 type endpoint: record {
-	size: count;
+	size: count;	# logical size (for TCP: from seq numbers)
 	state: count;
+
+	# The following are set if use_conn_size_analyzer is T.
+	num_pkts: count &optional;	# number of packets on the wire
+	num_bytes_ip: count &optional;	# actual number of IP-level bytes on the wire
 };
 
 type endpoint_stats: record {
@@ -91,6 +96,7 @@ type connection: record {
 	addl: string;
 	hot: count;		# how hot; 0 = don't know or not hot
 	history: string;
+	uid: string;
 };
 
 type SYN_packet: record {
@@ -264,10 +270,21 @@ type geo_location: record {
 	longitude: double;
 };
 
+type entropy_test_result: record {
+	entropy: double;
+	chi_square: double;
+	mean: double;
+	monte_carlo_pi: double;
+	serial_correlation: double;
+};
+
 # Prototypes of Bro built-in functions.
 @load strings.bif.bro
 @load bro.bif.bro
 
+@load logging  # sic! Not logging.bif.
+@load logging-ascii
+
 global bro_alarm_file: file &redef;
 global alarm_hook: function(msg: string): bool &redef;
 global log_file_name: function(tag: string): string &redef;
@@ -484,6 +501,12 @@ const encap_hdr_size = 0 &redef;
 # ... or just for the following UDP port.
 const tunnel_port = 0/udp &redef;
 
+# Whether to use the ConnSize analyzer to count the number of
+# packets and IP-level bytes transfered by each endpoint. If
+# true, these values are returned in the connection's endpoint
+# record val.
+const use_conn_size_analyzer = F &redef;
+
 const UDP_INACTIVE = 0;
 const UDP_ACTIVE = 1;	# means we've seen something from this endpoint
 
@@ -904,8 +927,8 @@ global dns_skip_all_addl = T &redef;
 global dns_max_queries = 5;
 
 # The maxiumum size in bytes for an SSL cipherspec.  If we see a packet that
-# has bigger cipherspecs, we warn and won't do a comparisons of cipherspecs.
-const ssl_max_cipherspec_size = 45 &redef;
+# has bigger cipherspecs, we won't do a comparisons of cipherspecs.
+const ssl_max_cipherspec_size = 68 &redef;
 
 # SSL and X.509 types.
 type cipher_suites_list: set[count];
@@ -1108,14 +1131,6 @@ type bt_tracker_headers: table[string] of string;
 
 @load event.bif.bro
 
-@load common-rw.bif.bro
-@load finger-rw.bif.bro
-@load ftp-rw.bif.bro
-@load ident-rw.bif.bro
-@load smtp-rw.bif.bro
-@load http-rw.bif.bro
-@load dns-rw.bif.bro
-
 function subst(s: string, from: pattern, to: string): string
 	{
 	local p = split_all(s, from);
@@ -1166,6 +1181,10 @@ function string_escape(s: string, chars: string): string
 	return s;
 	}
 
+# The filter the user has set via the -f command line options, or
+# empty if none.
+const cmd_line_bpf_filter = "" &redef;
+
 @load pcap.bro
 
 # Rotate logs every x seconds.
@@ -1374,10 +1393,24 @@ const suppress_local_output = F &redef;
 
 # Holds the filename of the trace file given with -w (empty if none).
 const trace_output_file = "";
-  
+
 # If a trace file is given, dump *all* packets seen by Bro into it.
 # By default, Bro applies (very few) heuristics to reduce the volume.
 # A side effect of setting this to true is that we can write the
 # packets out before we actually process them, which can be helpful
 # for debugging in case the analysis triggers a crash.
 const record_all_packets = F &redef;
+
+# Some connections (e.g., SSH) retransmit the acknowledged last
+# byte to keep the connection alive. If ignore_keep_alive_rexmit
+# is set to T, such retransmissions will be excluded in the rexmit
+# counter in conn_stats.
+const ignore_keep_alive_rexmit = F &redef;
+
+# Skip HTTP data portions for performance considerations (the skipped
+# portion will not go through TCP reassembly).
+const skip_http_data = F &redef;
+
+# Whether the analysis engine parses IP packets encapsulated in
+# UDP tunnels. See also: udp_tunnel_port, policy/udp-tunnel.bro.
+const parse_udp_tunnels = F &redef;
diff --git a/policy/conn.bro b/policy/conn.bro
index 134ac9db13..1c9b434ff4 100644
--- a/policy/conn.bro
+++ b/policy/conn.bro
@@ -14,12 +14,23 @@ const conn_closed = { TCP_CLOSED, TCP_RESET };
 
 global have_FTP = F;	# if true, we've loaded ftp.bro
 global have_SMTP = F;	# if true, we've loaded smtp.bro
-global is_ftp_data_conn: function(c: connection): bool;
+
+# TODO: Do we have a nicer way of defining this prototype?
+export { global FTP::is_ftp_data_conn: function(c: connection): bool; }
 
 # Whether to include connection state history in the logs generated
 # by record_connection.
 const record_state_history = F &redef;
 
+# Whether to add 4 more columns to conn.log with 
+# orig_packet orig_ip_bytes resp_packets resp_ip_bytes
+# Requires use_conn_size_analyzer=T
+# Columns are added after history but before addl
+const report_conn_size_analyzer = F &redef;
+
+# Activate conn-size analyzer if necessary.
+redef use_conn_size_analyzer = (! report_conn_size_analyzer);
+
 # Whether to translate the local address in SensitiveConnection notices
 # to a hostname.  Meant as a demonstration of the "when" construct.
 const xlate_hot_local_addr = F &redef;
@@ -94,6 +105,12 @@ function conn_size(e: endpoint, trans: transport_proto): string
 		return "?";
 	}
 
+function conn_size_from_analyzer(e: endpoint): string
+	{
+	return fmt("%d %d", (e?$num_pkts) ? e$num_pkts : 0,
+			(e?$num_bytes_ip) ? e$num_bytes_ip : 0);
+	}
+
 function service_name(c: connection): string
 	{
 	local p = c$id$resp_p;
@@ -186,7 +203,7 @@ function determine_service_non_DPD(c: connection) : string
 			return i;	# return first;
 		}
 
-	else if ( have_FTP && is_ftp_data_conn(c) )
+	else if ( have_FTP && FTP::is_ftp_data_conn(c) )
 		return port_names[20/tcp];
 
 	else if ( [c$id$resp_h, c$id$resp_p] in RPC_server_map )
@@ -302,6 +319,10 @@ function record_connection(f: file, c: connection)
 		log_msg = fmt("%s %s", log_msg,
 				c$history == "" ? "X" : c$history);
 
+	if ( use_conn_size_analyzer && report_conn_size_analyzer )
+		log_msg = fmt("%s %s %s", log_msg, 
+				conn_size_from_analyzer(c$orig),  conn_size_from_analyzer(c$resp));
+
 	if ( addl != "" )
 		log_msg = fmt("%s %s", log_msg, addl);
 
diff --git a/policy/dns-anonymizer.bro b/policy/dns-anonymizer.bro
deleted file mode 100644
index d85f31a395..0000000000
--- a/policy/dns-anonymizer.bro
+++ /dev/null
@@ -1,107 +0,0 @@
-# $Id:$
-
-@load dns
-@load anon
-
-module DNS;
-
-redef rewriting_dns_trace = T;
-
-event dns_message(c: connection, is_orig: bool, msg: dns_msg, len: count)
-	{
-	if ( get_conn_transport_proto(c$id) == udp )
-		rewrite_dns_message(c, is_orig, msg, len);
-	}
-
-event dns_request(c: connection, msg: dns_msg, query: string,
-			qtype: count, qclass: count)
-	{
-	if ( get_conn_transport_proto(c$id) == udp )
-		rewrite_dns_request(c, anonymize_host(query),
-					msg, qtype, qclass);
-	}
-
-event dns_end(c: connection, msg: dns_msg)
-	{
-	if ( get_conn_transport_proto(c$id) == udp )
-		rewrite_dns_end(c, T);
-	}
-
-event dns_query_reply(c: connection, msg: dns_msg, query: string,
-			qtype: count, qclass: count)
-	{
-	rewrite_dns_reply_question(c, msg, anonymize_host(query),
-					qtype, qclass);
-	}
-
-event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
-	{
-	ans$query = anonymize_host(ans$query);
-	rewrite_dns_A_reply(c, msg, ans, anonymize_address(a, c$id));
-	}
-
-#### FIXME: ANONYMIZE!
-event dns_AAAA_reply(c: connection, msg: dns_msg, ans: dns_answer,
-			a: addr, astr: string)
-	{
-	ans$query = anonymize_host(ans$query);
-	astr = "::";
-	a = anonymize_address(a, c$id);
-	rewrite_dns_AAAA_reply(c, msg, ans, a, astr);
-	}
-
-event dns_NS_reply(c: connection, msg: dns_msg, ans: dns_answer, name: string)
-	{
-	ans$query = anonymize_host(ans$query);
-	rewrite_dns_NS_reply(c, msg, ans, anonymize_host(name));
-	}
-
-event dns_CNAME_reply(c: connection, msg: dns_msg, ans: dns_answer,
-			name: string)
-	{
-	ans$query = anonymize_host(ans$query);
-	rewrite_dns_CNAME_reply(c, msg, ans, anonymize_host(name));
-	}
-
-event dns_MX_reply(c: connection, msg: dns_msg, ans: dns_answer,
-			name: string, preference: count)
-	{
-	ans$query = anonymize_host(ans$query);
-	rewrite_dns_MX_reply(c, msg, ans, anonymize_host(name), preference);
-	}
-
-event dns_PTR_reply(c: connection, msg: dns_msg, ans: dns_answer, name: string)
-	{
-	ans$query = anonymize_host(ans$query);
-	rewrite_dns_PTR_reply(c, msg, ans, anonymize_host(name));
-	}
-
-event dns_SOA_reply(c: connection, msg: dns_msg, ans: dns_answer, soa: dns_soa)
-	{
-	soa$mname = anonymize_host(soa$mname);
-	soa$rname = anonymize_host(soa$rname);
-	ans$query = anonymize_host(ans$query);
-	rewrite_dns_SOA_reply(c, msg, ans, soa);
-	}
-
-event dns_TXT_reply(c: connection, msg: dns_msg, ans: dns_answer,
-			str: string)
-	{
-	str = anonymize_string(str);
-	ans$query = anonymize_host(ans$query);
-	rewrite_dns_TXT_reply(c, msg, ans, str);
-	}
-
-event dns_EDNS_addl (c: connection, msg: dns_msg, ans: dns_edns_additional)
-	{
-	rewrite_dns_EDNS_addl(c, msg, ans);
-	}
-
-event dns_rejected(c: connection, msg: dns_msg, query: string,
-			qtype: count, qclass: count)
-	{
-	#### Hmmm, this is probably not right - we are going to have to look
-	# at the question type to determine how to anonymize this.
-	rewrite_dns_reply_question(c, msg, anonymize_host(query),
-					qtype, qclass);
-	}
diff --git a/policy/finger.bro b/policy/finger.bro
index 8cf1dbba65..7765ce45c6 100644
--- a/policy/finger.bro
+++ b/policy/finger.bro
@@ -60,19 +60,6 @@ event finger_request(c: connection, full: bool, username: string, hostname: stri
 		req = fmt("(%s)", req);
 
 	append_addl_marker(c, req, " *");
-
-	if ( rewriting_finger_trace )
-		rewrite_finger_request(c, full,
-				public_user(username) ? username : "private user",
-				hostname);
-	}
-
-event finger_reply(c: connection, reply_line: string)
-	{
-	local id = c$id;
-	if ( rewriting_finger_trace )
-		rewrite_finger_reply(c,
-				authorized_client(id$orig_h) ? "finger reply ..." : reply_line);
 	}
 
 function is_finger_conn(c: connection): bool
@@ -80,10 +67,3 @@ function is_finger_conn(c: connection): bool
 	return c$id$resp_p == finger;
 	}
 
-event connection_state_remove(c: connection)
-	{
-	if ( rewriting_finger_trace && requires_trace_commitment &&
-	     is_finger_conn(c) )
-		# Commit queued packets and all packets in future.
-		rewrite_commit_trace(c, T, T);
-	}
diff --git a/policy/firewall.bro b/policy/firewall.bro
index adbf7a450c..59a92206b4 100644
--- a/policy/firewall.bro
+++ b/policy/firewall.bro
@@ -151,7 +151,7 @@ function do_match(c: connection, r: rule): bool
 				return F;
 		}
 
-	if ( r$is_ftp && ! is_ftp_data_conn(c) )
+	if ( r$is_ftp && ! FTP::is_ftp_data_conn(c) )
 		return F;
 
 	return T;
diff --git a/policy/ftp-anonymizer.bro b/policy/ftp-anonymizer.bro
deleted file mode 100644
index 560b85119b..0000000000
--- a/policy/ftp-anonymizer.bro
+++ /dev/null
@@ -1,846 +0,0 @@
-# $Id: ftp-anonymizer.bro 47 2004-06-11 07:26:32Z vern $
-
-@load ftp
-@load anon
-
-# Definitions of constants.
-
-# Check if those commands carry any argument; anonymize non-empty
-# argument.
-const ftp_cmds_with_no_arg = {
-	"CDUP", "QUIT", "REIN", "PASV", "STOU",
-	"ABOR", "PWD", "SYST", "NOOP",
-
-	"FEAT",	"XPWD",
-};
-
-const ftp_cmds_with_file_arg = {
-	"APPE", "CWD", "DELE", "LIST", "MKD",
-	"NLST", "RMD", "RNFR", "RNTO", "RETR",
-	"STAT", "STOR", "SMNT",
-	# FTP extensions
-	"SIZE", "MDTM",
-	"MLSD", "MLST",
-	"XCWD",
-};
-
-# For following commands, we check if the argument conforms to the
-# specification -- if so, it is safe to be left in the clear.
-const ftp_cmds_with_safe_arg = {
-	"TYPE", "STRU", "MODE", "ALLO", "REST",
-	"HELP",
-
-	"MACB",	# MacBinary encoding
-};
-
-# ftp_other_cmds can be redefined in site/trace-specific ways.
-const ftp_other_cmds = {
-	"LPRT", "OPTS", "CLNT", "RETP",
-	"EPSV", "XPWD",
-	"SOCK",	# old FTP command (RFC 354)
-} &redef;
-
-# Below defines patterns of arguments of FTP commands
-
-# The following patterns are case-insensitive
-const ftp_safe_cmd_arg_pattern =
-	  /TYPE (([AE]( [NTC])?)|I|(L [0-9]+))/
-	| /STRU [FRP]/
-	| /MODE [SBC]/
-	| /ALLO [0-9]+([ \t]+R[ \t]+[0-9]+)?/
-	| /REST [!-~]+/
-	| /MACB (E|DISABLE|ENABLE)/
-	| /SITE TRUTH ON/
-	&redef;
-
-# The following list includes privacy-safe [cmd, arg] pairs and can be
-# customized for particular traces
-const ftp_safe_arg_list: set[string, string] = {
-} &redef;
-
-# ftp_special_cmd_args offers an even more flexible way of customizing
-# argument anonymization: for each [cmd, arg] pair in the table, the
-# corresponding value will be the anonymized argument.
-const ftp_special_cmd_args: table[string, string] of string = {
-} &redef;
-
-# The following words are safe to be left in the clear as the argument
-# of a HELP command.
-const ftp_help_words = {
-	"USER",	"PORT",	"STOR",	"MSAM",	"RNTO",	"NLST",	"MKD",	"CDUP",
-	"PASS",	"PASV",	"APPE",	"MRSQ",	"ABOR",	"SITE",	"XMKD",	"XCUP",
-	"ACCT",	"TYPE",	"MLFL",	"MRCP",	"DELE",	"SYST",	"RMD",	"STOU",
-	"SMNT",	"STRU",	"MAIL",	"ALLO",	"CWD",	"STAT",	"XRMD",	"SIZE",
-	"REIN",	"MODE",	"MSND",	"REST",	"XCWD",	"HELP",	"PWD",	"MDTM",
-	"QUIT",	"RETR",	"MSOM",	"RNFR",	"LIST",	"NOOP",	"XPWD",
-} &redef;
-
-const ftp_port_pat = /[0-9]+([[:blank:]]*,[[:blank:]]*[0-9]+){5}/;
-
-# Pattern for the argument of EPRT command.
-# TODO: the pattern works fot the common case but is not RFC2428-complete.
-const ftp_eprt_pat = /\|1\|[0-9]{1,3}(\.[0-9]{1,3}){3}\|[0-9]{1,5}\|/;
-
-# IP addresses.
-const ftp_ip_pat = /[0-9]{1,3}(\.[0-9]{1,3}){3}/;
-
-# Domain names (deficiency: domain suffices of countries).
-const ftp_domain_name_pat =
-	/([\-0-9a-zA-Z]+\.)+(com|edu|net|org|gov|mil|uk|fr|nl|es|jp|it)/;
-
-# File names (printable characters).
-const ftp_file_name_pat = /[[:print:]]+/;
-
-# File names that can be left in the clear.
-const ftp_public_files =
-	  /\// | /\.\./		# "/" and ".."
-	| /(\/etc\/|master\.)?(passwd|shadow|s?pwd\.db)/ # ftp_hot_files
-	| /\/(etc|usr\/bin|bin|sbin|kernel)(\/)?/
-	| /\.rhosts/ | /\.forward/			 # ftp_hot_guest_files
-&redef;
-
-const ftp_sensitive_files =
-	  /.*(etc\/|master\.)?(passwd|shadow|s?pwd\.db)/ # ftp_hot_files
-	| /\/(etc|usr\/bin|bin|sbin|kernel)\/.*/
-	| /.*\.rhosts/ | /.*\.forward/			 # ftp_hot_guest_files
-&redef;
-
-# Public servers.
-const ftp_public_servers: set[addr] = {} &redef;
-
-# Whether we keep all file names (valid or invalid) for public servers.
-const ftp_keep_all_files_for_public_servers = F &redef;
-
-# Public files.
-const ftp_known_public_files: set[addr, string] = {} &redef;
-
-# Hidden file/directory.
-const ftp_hidden_file = /.*\/\.[^.\/].*/;
-const ftp_public_hidden_file = /0/ &redef;
-
-# Options for file commands (LIST, NLST) that can be left in the clear.
-const ftp_known_option = /-[[:alpha:]]{1,5}[ ]*/;
-
-const ftp_known_site_cmd = {
-	"UMASK", "GROUP", "INDEX", "GROUPS",
-	"IDLE", "GPASS", "EXEC", "CHECKMETHOD",
-	"CHMOD", "NEWER", "ALIAS", "CHECKSUM",
-	"HELP", "MINFO", "CDPATH",
-
-	"TRUTH", "UTIME",
-} &redef;
-
-const ftp_sensitive_ids: set[string] = {
-	"backdoor", "bomb", "diag", "gdm", "issadmin", "msql", "netfrack",
-	"netphrack", "own", "r00t", "root", "ruut", "smtp", "sundiag", "sync",
-	"sys", "sysadm", "sysdiag", "sysop", "sysoper", "system", "toor", "tour",
-	"y0uar3ownd",
-};
-
-redef anonymize_ip_addr = T;
-redef rewriting_ftp_trace = T;
-
-global ftp_anon_log = open_log_file("ftp-anon") &redef;
-
-# Anonymized arguments, indexed by the anonymization seed.
-global anonymized_args: table[string] of string;
-
-# Arguments left in the clear, indexed by the argument and the context.
-global ftp_arg_left_in_the_clear: set[string, string];
-
-# Valid files on public servers.
-global ftp_valid_public_files: set[addr, string];
-
-type ftp_cmd_arg_anon_result: record {
-	anonymized: bool;
-	cmd: string;
-	arg: string;
-};
-
-
-# Whether anonymize_trace_specific_cmd_arg is defined:
-const trace_specific_cmd_arg_anonymization = F &redef;
-
-# This function is to be defined in a trace-specific script. By
-# default, use ftp-anonymizer-trace.bro.
-
-global anonymize_trace_specific_cmd_arg:
-	function(session: ftp_session_info, cmd: string, arg: string):
-		ftp_cmd_arg_anon_result;
-
-
-# Anonymize FTP replies by message patterns.
-const process_ftp_reply_by_message_pattern = F &redef;
-global anonymize_ftp_reply_by_msg_pattern:
-	function(code: count, act_msg: string,
-		cmd_arg: ftp_cmd_arg, session: ftp_session_info): string;
-
-
-# Anonymize an argument *completely* with a hash value of the string,
-# and log the anonymization.
-function anonymize_arg(typ: string, session: ftp_session_info, cmd: string, arg: string, seed: string): string
-	{
-	if ( arg == "" )
-		return ""; # an empty argument is safe
-
-	local arg_seed = string_cat(typ, seed, arg);
-
-	if ( arg_seed in anonymized_args )
-		return anonymized_args[arg_seed];
-
-	local a = anonymize_string(arg_seed);
-	anonymized_args[arg_seed] = a;
-
-	print ftp_anon_log,
-		fmt("anonymize_arg: (%s) {%s} %s \"%s\" to \"%s\" in [%s]",
-				typ, seed, cmd,
-				to_string_literal(arg), to_string_literal(a),
-				id_string(session$connection_id));
-	return a;
-	}
-
-# This function is called whenever an argument is to be left in the
-# clear. It logs the action if it hasn't occurred before.
-function leave_in_the_clear(msg: string, session: ftp_session_info,
-				arg: string, context: string): string
-	{
-	if ( [arg, context] !in ftp_arg_left_in_the_clear )
-		{
-		add ftp_arg_left_in_the_clear[arg, context];
-		print ftp_anon_log, fmt("leave_in_the_clear: (%s) \"%s\" [%s] in [%s]",
-				msg, to_string_literal(arg), context,
-				id_string(session$connection_id));
-		}
-	return arg;
-	}
-
-
-# Sometimes the argument of a file command contains an option string
-# before the file name, such as in 'LIST -l /xyz/', the following
-# function identifies such option strings and separate the argument
-# accordingly.
-
-type separate_option_str_result: record {
-	opt_str: string;
-	file_name: string;
-};
-
-function separate_option_str(file_name: string): separate_option_str_result
-	{
-	local ret: separate_option_str_result;
-	if ( file_name == /-[[:alpha:]]+( .*)?/ )
-		{
-		local parts = split_all(file_name, /-[[:alpha:]]+[ ]*/);
-		ret$opt_str = string_cat(parts[1], parts[2]);
-		parts[1] = ""; parts[2] = "";
-		ret$file_name = cat_string_array(parts);
-		return ret;
-		}
-	else
-		return [$opt_str = "", $file_name = file_name];
-	}
-
-
-# Anonymize a user id
-type login_status_type: enum {
-	LOGIN_PENDING,
-	LOGIN_SUCCESSFUL,
-	LOGIN_FAILED,
-	LOGIN_UNKNOWN,
-};
-
-function anonymize_user_id(session: ftp_session_info, id: string, login_status: login_status_type, msg: string): string
-	{
-	if ( id in ftp_guest_ids )
-		{
-		leave_in_the_clear("guest_id", session, id, msg);
-		return id;
-		}
-
-	else if ( id in ftp_sensitive_ids && login_status == LOGIN_FAILED )
-		{
-		leave_in_the_clear("sensitive_id", session, id, msg);
-		return id;
-		}
-
-	else
-		return anonymize_arg("user_name", session, "USER", id, cat(session$connection_id$resp_h, login_status));
-	}
-
-# Anonymize a file name argument.
-function anonymize_file_name_arg(session: ftp_session_info, cmd: string, arg: string, valid_file_name: bool): string
-	{
-	local file_name = arg;
-	local opt_str = "";
-	if ( cmd == /LIST|NLST/ )
-		{
-		# Separate the option from file name if there is one
-
-		local ret = separate_option_str(file_name);
-		if ( ret$opt_str != "" )
-			{
-			opt_str = ret$opt_str;
-
-			# Shall we anonymize the option string?
-			if ( opt_str != ftp_known_option )
-				{
-				# Anonymize the option conservatively
-				print ftp_anon_log, fmt("option_anonymized: \"%s\" from (%s %s)",
-					to_string_literal(opt_str), cmd, file_name);
-				opt_str = "-<option>";
-				}
-			else
-				# Leave in the clear
-				print ftp_anon_log, fmt("option_left_in_the_clear: \"%s\" from (%s %s)",
-					to_string_literal(opt_str), cmd, file_name);
-
-			file_name = ret$file_name;
-			}
-		}
-
-	if ( file_name == "" )
-		return opt_str;
-
-	if ( file_name != ftp_file_name_pat )
-		{
-		# Log special file names (e.g. those containing
-		# control characters) for manual inspection -- such
-		# file names are rare and may present problems in
-		# reply anonymization.
-
-		print ftp_anon_log, fmt("unrecognized_file_name: \"%s\" (%s) [%s]",
-			to_string_literal(file_name), cmd, id_string(session$connection_id));
-		}
-
-
-	if ( strstr(file_name, " ") > 0 )
-		{
-		# Log file names that contain spaces (for debugging only)
-
-		print ftp_anon_log, fmt("space_in_file_name: \"%s\" (%s) [%s]",
-			to_string_literal(file_name), cmd, id_string(session$connection_id));
-		}
-
-	# Compute the absolute and clean (without '..' and duplicate
-	# '/') path
-	local abs_path = absolute_path(session, file_name);
-	local resp_h = session$connection_id$resp_h;
-	local known_public_file =
-		[resp_h, abs_path] in ftp_known_public_files ||
-		[resp_h, abs_path] in ftp_valid_public_files;
-
-	if ( file_name == ftp_public_files || abs_path == ftp_public_files )
-		{
-		leave_in_the_clear("public_path_name", session,
-			arg, fmt("(%s %s) %s", cmd, file_name, abs_path));
-		}
-
-	else if ( resp_h in ftp_public_servers &&
-		  (abs_path != ftp_hidden_file ||
-		   abs_path == ftp_public_hidden_file) &&
-		  (ftp_keep_all_files_for_public_servers || valid_file_name ||
-		   known_public_file) )
-		{
-		if ( valid_file_name && ! known_public_file )
-			{
-			add ftp_valid_public_files[resp_h, abs_path];
-			print ftp_anon_log,
-				fmt("valid_public_file: [%s, \"%s\"]",
-					resp_h, to_string_literal(abs_path));
-			}
-
-		leave_in_the_clear("file_on_public_server", session, arg,
-			fmt("%s %s:%s", cmd, session$connection_id$resp_h, abs_path));
-		}
-	else
-		{
-		local anon_type: string;
-
-		if ( file_name == ftp_sensitive_files ||
-		     abs_path == ftp_sensitive_files )
-			anon_type = "sensitive_path_name";
-
-		else if ( abs_path == ftp_hidden_file )
-			anon_type = "hidden_path_name";
-
-		else if ( resp_h in ftp_public_servers )
-			anon_type = "invalid_public_file";
-
-		else
-			anon_type = "path_name";
-
-		file_name = anonymize_arg(anon_type, session, cmd, abs_path, cat("file:", session$connection_id$resp_h));
-		}
-
-	# concatenate the option string with the file_name
-	return string_cat(opt_str, file_name);
-	}
-
-
-# The argument is presumably privacy-safe, but we should not assume
-# that it is the case. Instead, we check if the argument is legal and
-# thus privacy-free.
-function check_safe_arg(session: ftp_session_info, cmd: string,
-			arg: string): string
-	{
-	if ( cmd == "HELP" )
-		return ( arg in ftp_help_words ) ?
-				leave_in_the_clear("known_help_word", session,
-					arg,
-					fmt("%s %s", cmd, arg))
-				: anonymize_arg("unknown_help_string", session, cmd, arg, cmd);
-
-	else
-		# Note that we have already checked the (cmd, arg)
-		# against ftp_safe_cmd_arg_pattern. So the argument
-		# here must have an unrecognized pattern and should be
-		# anonymized.
-		return anonymize_arg("illegal_argument", session, cmd, arg, cmd);
-	}
-
-function check_site_arg(session: ftp_session_info, cmd: string,
-			arg: string): string
-	{
-	local site_cmd_arg = split1(arg, /[ \t]*/);
-
-	local site_cmd = site_cmd_arg[1];
-	local site_cmd_upper = to_upper(site_cmd);
-
-	if ( site_cmd_upper in ftp_known_site_cmd )
-		{
-		if ( length(site_cmd_arg) > 1 )
-			{
-			# If the there is an argument after "SITE <cmd>"
-			local site_arg = site_cmd_arg[2];
-			site_arg =
-				anonymize_arg(fmt("arg_of_site_%s", site_cmd),
-						session, cmd, site_arg, cmd);
-			return string_cat(site_cmd, " ", site_arg);
-			}
-		else
-			{
-			return leave_in_the_clear("known_site_command", session,
-						site_cmd,
-						fmt("%s %s", cmd, arg));
-			}
-		}
-	else
-		return anonymize_arg("site_arg", session, cmd, arg, cmd);
-	}
-
-function anonymize_port_arg(session: ftp_session_info, cmd: string,
-				arg: string): string
-	{
-	local data = parse_ftp_port(arg);
-
-	if ( data$valid )
-		{
-		local a: addr;
-		# Anonymize the address part
-		a = anonymize_address(data$h, session$connection_id);
-		return fmt_ftp_port(a, data$p);
-		}
-	else
-		return anonymize_arg("unrecognized_ftp_port", session, cmd, arg, "");
-	}
-
-# EPRT is an extension to the PORT command
-function anonymize_eprt_arg(session: ftp_session_info, cmd: string,
-				arg: string): string
-	{
-	if ( arg != ftp_eprt_pat )
-		return anonymize_arg("unrecognized_EPRT_arg", session, cmd, arg, "");
-
-	local parts = split(arg, /\|/);
-	# Anonymize the address part
-	local a = parse_dotted_addr(parts[3]);
-	a = anonymize_address(a, session$connection_id);
-	return fmt("|%s|%s|%s|", parts[2], a, parts[4]);
-	}
-
-# Anonymize arguments of commands that we do not understand
-function anonymize_other_arg(session: ftp_session_info, cmd: string, arg: string): string
-	{
-	local anon: string;
-
-	# Try to guess what the arg is
-
-	local data = parse_ftp_port(arg);
-	if ( arg == ftp_port_pat && data$valid )
-		# Here we do not check whether data$h == session$connection_id$orig_h
-		# because sometimes it's not the case, but we will try to anonymize it anyway.
-		{
-		anon = anonymize_port_arg(session, cmd, arg);
-		print ftp_anon_log, fmt("anonymize_arg: (%s) {} %s \"%s\" to \"%s\" in [%s]",
-					"port arg of non-port command",
-					cmd, arg, anon, id_string(session$connection_id));
-		}
-
-	else if ( arg == ftp_ip_pat )
-		{
-		local a = parse_dotted_addr(arg);
-		a = anonymize_address(a, session$connection_id);
-		anon = cat(a);
-		}
-
-	else if ( arg == ftp_domain_name_pat )
-		{
-		anon = "<domain name>";
-		}
-
-	else if ( arg == "." )
-		{
-		anon = arg;
-		leave_in_the_clear(".", session, arg, fmt("%s %s", cmd, arg));
-		}
-
-	else
-		# Anonymize by default.
-		anon = anonymize_arg("cannot_understand_arg",
-					session, cmd, arg, cmd);
-
-	return anon;
-	}
-
-# Anonymize the command and argument, and put the results in
-# cmd_arg$anonymized_{cmd, arg}
-function anonymize_ftp_cmd_arg(session: ftp_session_info,
-				cmd_arg: ftp_cmd_arg)
-	{
-	local cmd = cmd_arg$cmd;
-	local arg = cmd_arg$arg;
-	local anon : string;
-
-	cmd_arg$anonymized_cmd = cmd;
-
-	local ret: ftp_cmd_arg_anon_result;
-
-	if ( trace_specific_cmd_arg_anonymization )
-		ret = anonymize_trace_specific_cmd_arg(session, cmd, arg);
-	else
-		ret$anonymized = F;
-
-	if ( ret$anonymized )
-		{
-		# If the trace-specific anonymization applies to the cmd_arg
-			print ftp_anon_log, fmt("anonymize_arg: (%s) \"%s %s\" to \"%s %s\" in [%s]",
-				"trace-specific",
-				cmd, to_string_literal(arg),
-				ret$cmd, to_string_literal(ret$arg),
-				id_string(session$connection_id));
-		cmd_arg$anonymized_cmd = ret$cmd;
-		anon = ret$arg;
-		}
-
-	else if ( [cmd, arg] in ftp_special_cmd_args )
-		{
-		anon = ftp_special_cmd_args[cmd, arg];
-		print ftp_anon_log, fmt("anonymize_arg: (%s) [%s] \"%s\" to \"%s\" in [%s]",
-					"special_arg_transformation",
-					cmd,
-					to_string_literal(arg),
-					to_string_literal(anon),
-					id_string(session$connection_id));
-		}
-
-	else if ( to_upper(string_cat(cmd, " ", arg)) == ftp_safe_cmd_arg_pattern ||
-		  [cmd, arg] in ftp_safe_arg_list )
-		{
-		leave_in_the_clear("safe_arg", session, arg, fmt("%s %s", cmd, arg));
-		anon = arg;
-		}
-
-	else if ( cmd == "USER" || cmd == "ACCT" )
-		anon = (arg in ftp_guest_ids) ?
-			arg : anonymize_user_id(session, arg, LOGIN_PENDING, "");
-
-	else if ( cmd == "PASS" )
-		anon = "<password>";
-
-	else if ( cmd in ftp_cmds_with_no_arg )
-		anon = (arg == "") ?
-			"" :
-			anonymize_arg("should_have_been_empty",
-					session, cmd, arg, cmd);
-
-	else if ( cmd in ftp_cmds_with_file_arg )
-		{
-		if ( session$user in ftp_guest_ids )
-			anon = ( arg == "" ) ? "" : anonymize_file_name_arg(session, cmd, arg, F);
-		else
-			anon = "<path>";
-		}
-
-	else if ( cmd in ftp_cmds_with_safe_arg )
-		anon = check_safe_arg(session, cmd, arg);
-
-	else if ( cmd == "SITE" )
-		anon = check_site_arg(session, cmd, arg);
-
-	else if ( cmd == "PORT" )
-		anon = anonymize_port_arg(session, cmd, arg);
-
-	else if ( cmd == "EPRT" )
-		anon = anonymize_eprt_arg(session, cmd, arg);
-
-	else if ( cmd == "AUTH" )
-		anon = anonymize_arg("rejected_auth_arg", session, cmd, arg, cmd);
-
-	else
-		{
-		if ( cmd == /<.*>/ )
-			cmd_arg$anonymized_cmd = "";
-
-		else if ( cmd !in ftp_other_cmds )
-			{
-			local a = anonymize_string(string_cat("cmd:", cmd));
-			print ftp_anon_log, fmt("anonymize_cmd: (%s) \"%s\" [%s] to \"%s\" in [%s]",
-				"unrecognized command", to_string_literal(cmd),
-				to_string_literal(arg), a,
-				id_string(session$connection_id));
-			cmd_arg$anonymized_cmd = a;
-			}
-
-		anon = anonymize_other_arg(session, cmd, arg);
-		}
-
-	if ( cmd == "USER" )
-		session$anonymized_user = anon;
-
-	cmd_arg$anonymized_arg = anon;
-	}
-
-
-# We delay anonymization of certain requests till we see the reply:
-# when the argument of a USER command is a sensitive user ID, we
-# anonymize the ID if the login is successful and leave the ID in the
-# clear otherwise.
-#
-# The function returns T if the decision should be delayed.
-
-function delay_rewriting_request(session: ftp_session_info, cmd: string,
-				 arg: string): bool
-	{
-	return (cmd == "USER" && arg !in ftp_guest_ids) ||
-		(cmd == "AUTH") ||
-		(cmd in ftp_cmds_with_file_arg &&
-		 session$connection_id$resp_h in ftp_public_servers);
-	}
-
-function ftp_request_rewrite(c: connection, session: ftp_session_info,
-				cmd_arg: ftp_cmd_arg): bool
-	{
-	local cmd = cmd_arg$cmd;
-	local arg = cmd_arg$arg;
-
-	if ( delay_rewriting_request(session, cmd, arg) )
-		{
-		cmd_arg$rewrite_slot = reserve_rewrite_slot(c);
-		session$delayed_request_rewrite[cmd_arg$seq] = cmd_arg;
-		return F;
-		}
-	else
-		{
-		anonymize_ftp_cmd_arg(session, cmd_arg);
-		rewrite_ftp_request(c, cmd_arg$anonymized_cmd,
-					cmd_arg$anonymized_arg);
-		return T;
-		}
-	}
-
-function do_rewrite_delayed_ftp_request(c: connection, delayed: ftp_cmd_arg)
-	{
-	seek_rewrite_slot(c, delayed$rewrite_slot);
-
-	rewrite_ftp_request(c, delayed$cmd == /<.*>/ ? "" : delayed$cmd,
-				delayed$anonymized_arg);
-	release_rewrite_slot(c, delayed$rewrite_slot);
-
-	delayed$rewrite_slot = 0;
-	}
-
-function delayed_ftp_request_rewrite(c: connection, session: ftp_session_info,
-					delayed: ftp_cmd_arg,
-					current: ftp_cmd_arg,
-					reply_code: count)
-	{
-	local cmd = delayed$cmd;
-	local arg = delayed$arg;
-
-	if ( cmd == "USER" )
-		{
-		delayed$anonymized_cmd = cmd;
-
-		local login_status: login_status_type;
-
-		if ( reply_code == 0 )
-			login_status = LOGIN_UNKNOWN;
-
-		else if ( delayed$seq == current$seq ||
-		     current$cmd == "PASS" ||
-		     current$cmd == "ACCT" )
-				{
-			if ( reply_code >= 330 && reply_code < 340 ) # need PASS/ACCT
-				login_status = LOGIN_PENDING; # wait to see outcome of PASS
-
-			else if ( reply_code >= 400 && reply_code < 600 )
-					login_status = LOGIN_FAILED;
-
-			else if ( reply_code >= 230 && reply_code < 240 )
-				login_status = LOGIN_SUCCESSFUL;
-
-			else
-				login_status = LOGIN_UNKNOWN;
-			}
-
-		else if ( current$cmd == "USER" ) # another login attempt
-			login_status = LOGIN_FAILED;
-
-		else if ( reply_code == 230 )
-			login_status = LOGIN_SUCCESSFUL;
-
-		else if ( reply_code == 530 )
-			login_status = LOGIN_FAILED;
-
-		else
-			login_status = LOGIN_UNKNOWN;
-
-		if ( login_status != LOGIN_PENDING )
-			{
-			delayed$anonymized_arg =
-				anonymize_user_id(session, arg, login_status,
-					fmt("(%s %s) %s %s -> %d", cmd, arg, current$cmd, current$arg, reply_code));
-			do_rewrite_delayed_ftp_request(c, delayed);
-			}
-		}
-
-	else if ( cmd == "AUTH" )
-		{
-		delayed$anonymized_cmd = cmd;
-
-		if ( reply_code >= 500 && reply_code < 600 )
-			# if AUTH fails
-			{
-			anonymize_ftp_cmd_arg(session, delayed);
-			do_rewrite_delayed_ftp_request(c, delayed);
-			}
-
-		else if ( reply_code >= 300 && reply_code < 400 )
-			;
-		else 	# otherwise always anonymize the argument
-			{
-			delayed$anonymized_arg = "<auth_mechanism>";
-			do_rewrite_delayed_ftp_request(c, delayed);
-			}
-		}
-
-	else if ( cmd in ftp_cmds_with_file_arg && session$connection_id$resp_h in ftp_public_servers )
-		{
-		delayed$anonymized_cmd = cmd;
-
-		# The argument represents a valid file name on a
-		# public server only if the operation is successful.
-		delayed$anonymized_arg =
-			anonymize_file_name_arg(session, cmd, arg,
-				(cmd != "LIST" && cmd != "NLST" &&
-				 reply_code >= 100 && reply_code < 300));
-		do_rewrite_delayed_ftp_request(c, delayed);
-		}
-
-	else
-		{
-		print ftp_anon_log, "ERROR! unrecognizable delayed ftp request rewrite";
-
-		anonymize_ftp_cmd_arg(session, delayed);
-		do_rewrite_delayed_ftp_request(c, delayed);
-		}
-	}
-
-function process_delayed_rewrites(c: connection, session: ftp_session_info, reply_code: count, cmd_arg: ftp_cmd_arg)
-	{
-	local written: table[count] of ftp_cmd_arg;
-
-	for ( s in session$delayed_request_rewrite )
-		{
-		local ca = session$delayed_request_rewrite[s];
-		delayed_ftp_request_rewrite(c, session, ca, cmd_arg,
-					reply_code);
-
-		if ( ca$rewrite_slot == 0 )
-			written[ca$seq] = ca;
-		}
-
-	for ( s in written )
-		delete session$delayed_request_rewrite[s];
-	}
-
-function ftp_reply_rewrite(c: connection, session: ftp_session_info,
-				code: count, msg: string, cont_resp: bool,
-				cmd_arg: ftp_cmd_arg)
-	{
-	local actual_code = session$reply_code;
-	local xyz = parse_ftp_reply_code(actual_code);
-
-	process_delayed_rewrites(c, session, actual_code, cmd_arg);
-
-	if ( process_ftp_reply_by_message_pattern )
-		{
-		# See *ftp-reply-pattern.bro* for reply anonymization
-		local anon_msg = anonymize_ftp_reply_by_msg_pattern(actual_code, msg,
-					cmd_arg, session);
-		rewrite_ftp_reply(c, code, anon_msg, cont_resp);
-		}
-	else
-		rewrite_ftp_reply(c, code, "<ftp reply message stripped out>", cont_resp);
-	}
-
-
-const eliminate_scans = F &redef;
-const port_scanners: set[addr] &redef;
-global eliminate_scan_for_host: table[addr] of bool;
-
-function eliminate_scan(id: conn_id): bool
-	{
-	local h = id$resp_h;
-
-	if ( h !in eliminate_scan_for_host )
-		{
-		# if the hash string starts with [0-7], i.e. with probability of 50%
-		eliminate_scan_for_host[h] = (/^[0-7]/ in md5_hmac(h));
-		if ( eliminate_scan_for_host[h] )
-			print ftp_anon_log, fmt("eliminate_scans_for_host %s", h);
-		}
-
-	return eliminate_scan_for_host[h];
-	}
-
-redef call_ftp_connection_remove = T;
-
-function ftp_connection_remove(c: connection)
-	{
-	if ( c$id in ftp_sessions )
-		{
-		local session = ftp_sessions[c$id];
-		process_delayed_rewrites(c, session, 0, find_ftp_pending_cmd(session$pending_requests, 0, ""));
-		}
-
-	if ( eliminate_scans && ! requires_trace_commitment )
-		print ftp_anon_log,
-			fmt("ERROR: requires_trace_commitment must be set to true in order to allow scan elimination");
-
-	if ( requires_trace_commitment )
-		{
-		local id = c$id;
-		local eliminate = F;
-
-		if ( eliminate_scans &&
-		     # To check if the connection is part of a port scan
-		     (id !in ftp_sessions ||
-		      ftp_sessions[id]$num_requests == 0 ||
-		      id$orig_h in port_scanners) &&
-		     eliminate_scan(id) )
-			rewrite_commit_trace(c, F, T);
-		else
-			rewrite_commit_trace(c, T, T);
-		}
-	}
diff --git a/policy/ftp.bro b/policy/ftp.bro
index 4fc86df2c4..8c5383a227 100644
--- a/policy/ftp.bro
+++ b/policy/ftp.bro
@@ -348,12 +348,6 @@ event ftp_excessive_filename(session: ftp_session_info,
 	session$log_it = T;
 	}
 
-global ftp_request_rewrite: function(c: connection, session: ftp_session_info,
-					cmd_arg: ftp_cmd_arg);
-global ftp_reply_rewrite: function(c: connection, session: ftp_session_info,
-					code: count, msg: string,
-					cont_resp: bool, cmd_arg: ftp_cmd_arg);
-
 # Returns true if the given string is at least 25% composed of 8-bit
 # characters.
 function is_string_binary(s: string): bool
@@ -518,9 +512,6 @@ event ftp_request(c: connection, command: string, arg: string)
 			}
 		}
 
-	if ( rewriting_ftp_trace )
-		ftp_request_rewrite(c, session, cmd_arg);
-
 	if ( command in ftp_all_cmds )
 		{
 		if ( command in ftp_untested_cmds )
@@ -761,11 +752,6 @@ event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool)
 		do_ftp_reply(c, session, code, msg, cmd_arg$cmd, cmd_arg$arg);
 		}
 
-	if ( rewriting_ftp_trace )
-		{
-		ftp_reply_rewrite(c, session, code, msg, cont_resp, cmd_arg);
-		}
-
 	if ( ! cont_resp )
 		{
 		if ( ftp_cmd_pending(session$pending_requests) )
diff --git a/policy/heavy.http.bro b/policy/heavy.http.bro
deleted file mode 100644
index f3be0bf058..0000000000
--- a/policy/heavy.http.bro
+++ /dev/null
@@ -1,3 +0,0 @@
-# $Id: heavy.http.bro 4723 2007-08-07 18:14:35Z vern $
-
-redef http_sessions &write_expire = 5 hrs;
diff --git a/policy/http-anonymizer.bro b/policy/http-anonymizer.bro
deleted file mode 100644
index 21cf8a37a5..0000000000
--- a/policy/http-anonymizer.bro
+++ /dev/null
@@ -1,433 +0,0 @@
-# $Id:$
-
-# We can't do HTTP rewriting unless we process everything in the connection.
-@load http-reply
-@load http-entity
-@load http-anon-server
-@load http-anon-useragent
-@load http-anon-utils
-@load http-abstract
-
-@load anon
-
-module HTTP;
-
-redef rewriting_http_trace = T;
-redef http_entity_data_delivery_size = 18874368;
-redef abstract_max_length = 18874368;
-
-const rewrite_header_in_position = F;
-
-const http_response_reasons = {
-	"no content", "ok", "moved permanently", "not modified",
-	"use local copy", "object not found", "forbidden", "okay",
-	"object moved", "found", "http", "redirecting to main server",
-	"internal server error", "not found", "unauthorized", "moved",
-	"redirected", "continue", "access forbidden", "partial content",
-	"redirect", "<empty>", "authorization required",
-	"request time-out", "moved temporarily", "",
-};
-
-const keep_alive_pat = /(([0-9]+|timeout=[0-9]+|max=[0-9]+),?)*/ ;
-
-const content_type =
-	  /video\/(x-flv)(;)?/ 	# video
-	| /audio\/(x-scpls)/
-	| /image\/(gif|bmp|jpeg|pjpeg|tiff|png|x-icon)(;)?(qs\=[0-9](\.[0-9])?)?,?/
-	| /application\/(octet-stream|x-www-form-urlencoded|x-javascript|rss\+xml|x-gzip|x-ns-proxy-autoconfig|pdf|pkix-crl|x-shockwave-flash|postscript|xml|rdf\+xml|excel|msword|x-wais-source)(;)?(charset=(iso-8859-1|iso8859-1|gb2312|windows-1251|windows-1252|utf-8))?/
-	| /text\/(plain|js|html|\*|css|xml|javascript);?(charset=(iso-8859-1|iso8859-1|gb2312|windows-1251|windows-1252|utf-8))?/
-	| /^unknown$/
-	;
-
-const accept_enc_pat =
-	/(((x-)?deflate|(x-)?compress|\*|identity|(x-)?gzip|bzip|bzip2)(\; *q\=[0-9](\.[0-9])?)?,?)*/ ;
-const accept_charset_pat =
-	/((windows-(1252|1251)|big5|iso-8859-(1|15)|\*|utf-(8|16))(\; *q\=[0-9](\.[0-9])?)?,?)*/ ;
-const connection_pat = /((close|keep\-alive|transfer\-encoding|te),?)*/ ;
-
-const http_methods =
-	/get|put|post|head|propfind|connect|options|proppatch|lock|unlock|move|delete|mkcol/ ;
-
-const http_version = /(1\.0|1\.1)/ ;
-
-const last_modified_pat =
-	  /(Sun|Mon|Tue|Wed|Thu|Fri|Sat), [0-9]+ (Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) [0-9][0-9][0-9][0-9] .*/
-	| /(-)?[0-9]+/
-	;
-
-const vary_pat =
-	/((\*| *|accept|accept\-charset|negotiate|host|user\-agent|accept\-language|accept\-encoding|cookie),?)*/ ;
-
-const accept_lang_pat =
-	/(( *|tw|cs|mx|tr|ru|sk|au|hn|sv|no|bg|en|ko|kr|ca|pl|nz|fr|ch|jo|gb|zh|hk|cn|lv|de|nl|dk|fi|nl|es|pe|it|pt|br|ve|cl|ja|jp|he|ha|ar|us|en-us|da)(\; *q\=[0-9](\.[0-9]+)?)?(,|-|\_)?)*/ ;
-
-const accept_pat =
-	/(( *|audio|application|\*|gif|xml|xhtml\+xml|x-rgb|x-xbm|video|x-gsarcade-launch|mpeg|sgml|tiff|x-rgb|x-xbm|postscript|text|html|x-xbitmap|pjpeg|vnd.ms-powerpoint|vnd.ms-excel|msword|salt\+html|xhtml|plain|jpeg|jpg|x-shockwave-flash|x-|css|image|png|\*)(\; *q\=[0-9]*(\.[0-9]+)?)?(,|\/|\+)?)*/ ;
-
-const tcn_pat = /list|choice|adhoc|re-choose|keep/;
-
-const date_pat =
-	  /(sun|mon|tue|wed|thu|fri|sat)\,*[0-9]+ *(jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec) *[0-9]+ ([0-9]+:)*[0-9]+ gmt/
-	| /(sun|mon|tue|wed|thu|fri|sat)*(jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec) *[0-9]+ *([0-9]+:)*[0-9]+(am|pm)?( *[0-9]+)?( *gmt)?/ ;
-
-const content_encoding_pat = /gzip|deflate|x-compress|x-gzip/;
-
-const hashed_headers =
-	  /COOKIE/
-	| /AUTHOR/
-	| /CACHE-CONTROL/
-	| /ETAG/
-	| /VIA/
-	| /X-VIA/
-	| /IISEXPORT/
-	| /SET-COOKIE/
-	| /X-JUNK/
-	| /PRAGMA/
-	| /AUTHORIZATION/
-	| /X-POWERED-BY/
-	| /X-CACHE/
-	| /X-FORWARDED-FOR/
-	| /X-PAD/
-	| /X-C/
-	| /XSERVER/
-	| /FROM/
-	| /CONTENT-DISPOSITION/
-	| /X-ASPNET-VERSION/
-	| /GUID/
-	| /REGIONDATA/
-	| /CLIENTID/
-	| /X-CACHE-HEADERS-SET-BY/
-	| /X-CACHE-LOOKUP/
-	| /WARNING/
-	| /MICROSOFTOFFICEWEBSERVER/
-	| /IF-NONE-MATCH/
-	| /X-AMZ-ID-[0-9]/
-	| /X-N/
-	| /X-TR/
-	| /X-RSN/
-	#| /X-POOKIE/	# these are weird ... next two are from slashdot
-	#| /X-FRY/
-	#| /X-BENDER/
-	| /RANGE/
-	| /IF-RANGE/
-	| /CONTENT-RANGE/
-	| /AD-REACH/
-	| /HMSERVER/
-	| /STATUS/
-	| /X-SERVED/
-	| /WWW-AUTHENTICATE/
-	| /X-RESPONDING-SERVER/
-	| /MAX-AGE/
-	| /POST-CHECK/
-	| /PRE-CHECK/
-	| /X-CONTENT-ENCODED-BY/
-	| /X-USER-IP/
-	| /X-ICAP-VERSION/
-	| /X-DELPHI/
-	| /AUTHENTICATION-INFO/
-	| /PPSERVER/
-	| /EDGE-CONTROL/
-	| /COMPRESSION-CONTROL/
-	| /CONTENT-MD5/
-	| /X-HOST/
-	| /P3P/
-	;
-
-event http_request(c: connection, method: string,
-		   original_URI: string, unescaped_URI: string, version: string)
-	{
-	if (! rewriting_trace() )
-		return;
-
-	print http_anon_log,
-		fmt(" > %s %s %s ", method, original_URI, version);
-
-	if ( to_lower(method) != http_methods )
-		{
-		print http_anon_log, fmt("*** Unknown method %s", method);
-		method = string_cat(" (anon-unknown) ", anonymize_string(method));
-		}
-
-	original_URI = anonymize_http_URI(original_URI);
-
-	if ( version != http_version )
-		{
-		print http_anon_log, fmt("*** Unknown version %s ", version);
-		version = string_cat(" (anon-unknown) ", anonymize_string(version));
-		}
-
-	print http_anon_log, fmt(" < %s %s %s ", method, original_URI, version);
-
-	rewrite_http_request(c, method, original_URI, version);
-	}
-
-event http_reply(c: connection, version: string, code: count, reason: string)
-	{
-	if ( rewriting_trace() )
-		{
-		reason = to_lower(strip(reason));
-		if ( reason !in http_response_reasons )
-			{
-			print http_anon_log,
-				fmt("*** Unknown reply reason %s ", reason);
-			rewrite_http_reply(c, version, code,
-				anonymize_string(reason));
-			}
-		else
-			rewrite_http_reply(c, version, code, reason);
-		}
-	}
-
-function check_pat(value: string, pat: pattern, name: string): string
-	{
-	if ( value == pat )
-		return value;
-
-	print http_anon_log, fmt("*** invalid %s: %s", name, value);
-	return "(anon-unknown): ";
-	}
-
-function check_pat2(value: string, pat: pattern, name: string): string
-	{
-	if ( value == pat )
-		return value;
-
-	print http_anon_log, fmt("*** invalid %s: %s", name, value);
-	return fmt("(anon-unknown): %s", anonymize_string(value));
-	}
-
-function check_pat3(value: string, pat: pattern): string
-	{
-	if ( value == pat )
-		return value;
-
-	return fmt("(anon-unknown): %s", anonymize_string(value));
-	}
-
-event http_header(c: connection, is_orig: bool, name: string, value: string)
-	{
-	if ( ! rewriting_trace() )
-		return;
-
-	# Only rewrite top-level headers.
-	local s = lookup_http_request_stream(c);
-	local msg = get_http_message(s, is_orig);
-
-	if ( msg$entity_level != 1 )
-		return;
-
-	value = strip(value);
-
-	if ( name == "CONTENT-LENGTH" )
-		{
-		# if ( rewrite_header_in_position )
-		# {
-		#     local p = current_packet(c);
-		#     if ( p$is_orig == is_orig )
-		#     {
-		#         # local s = lookup_http_request_stream(c);
-		#         # local msg = get_http_message(s, is_orig);
-		#         if ( msg$header_slot == 0 )
-		#             msg$header_slot = reserve_rewrite_slot(c);
-		#     }
-		#     else
-		#         print fmt("cannot reserve a slot at %.6f", network_time());
-		# }
-		print http_anon_log,
-			fmt("X-Original-Content-Length: %s --", value);
-		name = "X-Original-Content-Length";
-		}
-
-	else if ( name == "TRANSFER-ENCODING" || name == "TE" )
-		{
-		print http_anon_log, fmt("TRANSFER-ENCOODING: %s --", value);
-		name = "X-Original-Transfer-Encoding";
-		}
-
-	else if ( name == "HOST" )
-		{
-		local anon_host = "";
-
-		if ( value == simple_filename )
-			anon_host = anonymize_path(value);
-		else
-			anon_host = anonymize_host(value);
-
-		print http_anon_log, fmt("HOST: %s > %s", value, anon_host);
-		value = anon_host;
-		}
-
-	else if ( name == "REFERER" )
-		{
-		local anon_ref = anonymize_http_URI(value);
-		print http_anon_log, fmt("REFERER: %s > %s", value, anon_ref);
-		value = anon_ref;
-		}
-
-	else if ( name == "LOCATION" || name == "CONTENT-LOCATION" )
-		value = anonymize_http_URI(value);
-
-	else if ( name == "SERVER" )
-		value = filter_in_http_server(to_lower(value));
-
-	else if ( name == "USER-AGENT" )
-		value = filter_in_http_useragent(to_lower(value));
-
-	else if ( name == "KEEP-ALIVE" )
-		value = check_pat(value, keep_alive_pat, "keep-alive");
-
-	else if ( name == "DATE" || name == "IF-MODIFIED-SINCE" ||
-		  name == "UNLESS-MODIFIED-SINCE" )
-		value = check_pat2(to_lower(value), date_pat, "date");
-
-	else if ( name == "ACCEPT-CHARSET" )
-		value = check_pat(to_lower(value), accept_charset_pat,
-					"accept-charset");
-
-	else if ( name == "CONTENT-TYPE" )
-		{
-		value = check_pat2(to_lower(value), content_type, "content-type");
-		# local stream = lookup_http_request_stream(c);
-		# local the_http_msg = get_http_message(stream, is_orig);
-		# the_http_msg$content_type = value;
-		}
-
-	else if ( name == "ACCEPT-ENCODING" )
-		value = check_pat2(to_lower(value), accept_enc_pat,
-					"accept-encoding");
-
-	else if ( name == "PAGE-COMPLETION-STATUS" )
-		value = check_pat2(to_lower(value), /(ab)?normal/,
-					"page-completion-status");
-
-	else if ( name == "CONNECTION" || name == "PROXY-CONNECTION" )
-		value = check_pat2(to_lower(value), connection_pat,
-					"connection type");
-
-	else if ( name == "LAST-MODIFIED" || name == "EXPIRES" )
-		value = check_pat(value, last_modified_pat, name);
-
-	else if (name == "ACCEPT-LANGUAGE" || name == "LANGUAGE")
-		value = check_pat2(to_lower(value), accept_lang_pat,
-					"accept-language");
-
-	else if ( name == "ACCEPT" )
-		value = check_pat(to_lower(value), accept_pat, "accept");
-
-	else if ( name == "ACCEPT-RANGES" )
-		value = check_pat2(to_lower(value), /(bytes|none) */,
-					"accept-ranges");
-
-	else if ( name == "MIME-VERSION" )
-		value = check_pat3(value, /[0-9]\.[0-9]/);
-
-	else if ( name == "TCN" )
-		value = check_pat3(value, tcn_pat);
-
-	else if ( name == "CONTENT-ENCODING" )
-		value = check_pat2(value, content_encoding_pat,
-					"content-encoding");
-
-	else if ( name == "CONTENT-LANGUAGE" )
-		value = check_pat2(value, accept_lang_pat, "content-language");
-
-	else if ( name == "ALLOW" )
-		value = check_pat3(value, http_methods);
-
-	else if ( name == "AGE" || name == "BANDWIDTH" )
-		value = check_pat3(value, /[0-9]+/);
-
-	else if ( name == "VARY" )
-		value = check_pat2(value, vary_pat, "vary");
-
-	else if ( name == hashed_headers )
-		value = anonymize_string(value);
-
-	else
-		{
-		print http_anon_log, fmt("unknown header: %s : %s", name, value);
-		value = string_cat("(anon-unknown): ", anonymize_string(value));
-		}
-
-	rewrite_http_header(c, is_orig, name, value);
-	}
-
-event http_all_headers(c: connection, is_orig: bool, hlist: mime_header_list)
-	{
-	if ( ! rewriting_trace() )
-		return;
-
-	if ( rewrite_header_in_position )
-		{
-		local p = current_packet(c);
-		if ( p$is_orig == is_orig )
-			{
-			local s = lookup_http_request_stream(c);
-			local msg = get_http_message(s, is_orig);
-			if ( msg$header_slot == 0 )
-				msg$header_slot = reserve_rewrite_slot(c);
-			}
-		else
-			print fmt("cannot reserve a slot at %.6f", network_time());
-
-		# An empty line to mark the end of headers.
-		rewrite_http_data(c, is_orig, "\r\n");
-		}
-	}
-
-event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
-	{
-	if ( ! rewriting_trace() )
-		return;
-
-	if ( stat$interrupted )
-		{
-		print http_log,
-			fmt("%.6f %s message interrupted at length=%d \"%s\"",
-				network_time(), id_string(c$id),
-				stat$body_length, stat$finish_msg);
-		}
-
-	local s = lookup_http_request_stream(c);
-	local msg = get_http_message(s, is_orig);
-	if ( msg$header_slot > 0 )
-		seek_rewrite_slot(c, msg$header_slot);
-
-	local data_length = 0;
-	local data_hash = "";
-	local sanitized_abstract = "";
-
-	if ( ! is_orig || stat$body_length > 0 )
-		{
-		data_length = byte_len(msg$abstract);
-		data_hash = anonymize_string(msg$abstract);
-		sanitized_abstract = string_fill(data_length, data_hash);
-
-		data_length += stat$content_gap_length;
-
-		rewrite_http_header(c, is_orig, "Content-Length",
-					fmt(" %d", data_length));
-
-		rewrite_http_header(c, is_orig, "X-anon-content-hash",
-					fmt(" %s", data_hash));
-
-		rewrite_http_header(c, is_orig, "X-Actual-Data-Length",
-					fmt(" %d; gap=%d, content-length=%s",
-						stat$body_length,
-						stat$content_gap_length,
-						msg$content_length));
-		}
-
-	if ( msg$header_slot > 0 )
-		{
-		release_rewrite_slot(c, msg$header_slot);
-		msg$header_slot = 0;
-		}
-
-	if ( ! rewrite_header_in_position )
-		# An empty line to mark the end of headers.
-		rewrite_http_data(c, is_orig, "\r\n");
-
-	if ( data_length > 0 )
-		rewrite_http_data(c, is_orig, sanitized_abstract);
-	}
diff --git a/policy/http-header.bro b/policy/http-header.bro
index 3d676488ff..259031b024 100644
--- a/policy/http-header.bro
+++ b/policy/http-header.bro
@@ -2,6 +2,8 @@
 
 # Prints out detailed HTTP headers.
 
+@load http
+
 module HTTP;
 
 export {
diff --git a/policy/http-rewriter.bro b/policy/http-rewriter.bro
deleted file mode 100644
index 3b8222c21a..0000000000
--- a/policy/http-rewriter.bro
+++ /dev/null
@@ -1,137 +0,0 @@
-# $Id: http-rewriter.bro 416 2004-09-17 03:52:28Z vern $
-
-# We can't do HTTP rewriting unless we process everything in the connection.
-@load http-reply
-@load http-entity
-
-module HTTP;
-
-redef rewriting_http_trace = T;
-redef http_entity_data_delivery_size = 4096;
-
-const rewrite_header_in_position = F;
-
-event http_request(c: connection, method: string,
-		   original_URI: string, unescaped_URI: string, version: string)
-	{
-	if ( rewriting_trace() )
-		rewrite_http_request(c, method, original_URI, version);
-	}
-
-event http_reply(c: connection, version: string, code: count, reason: string)
-	{
-	if ( rewriting_trace() )
-		rewrite_http_reply(c, version, code, reason);
-	}
-
-event http_header(c: connection, is_orig: bool, name: string, value: string)
-	{
-	if ( ! rewriting_trace() )
-		return;
-
-	# Only rewrite top-level headers.
-	local s = lookup_http_request_stream(c);
-	local msg = get_http_message(s, is_orig);
-
-	if ( msg$entity_level == 1 )
-		{
-		if ( name == "CONTENT-LENGTH" )
-			{
-			if ( rewrite_header_in_position )
-				{
-				local p = current_packet(c);
-				if ( p$is_orig == is_orig )
-					{
-					# local s = lookup_http_request_stream(c);
-					# local msg = get_http_message(s, is_orig);
-					if ( msg$header_slot == 0 )
-						msg$header_slot = reserve_rewrite_slot(c);
-					}
-				else
-					print fmt("cannot reserve a slot at %.6f", network_time());
-				}
-			# rewrite_http_header(c, is_orig,
-			#		"X-Original-Content-Length", value);
-			}
-
-		else if ( name == "TRANSFER-ENCODING" )
-			rewrite_http_header(c, is_orig,
-					"X-Original-Transfer-Encoding", value);
-
-		else
-			rewrite_http_header(c, is_orig, name, value);
-		}
-	}
-
-event http_all_headers(c: connection, is_orig: bool, hlist: mime_header_list)
-	{
-	if ( ! rewriting_trace() )
-		return;
-
-	if ( rewrite_header_in_position )
-		{
-		local p = current_packet(c);
-		if ( p$is_orig == is_orig )
-			{
-			local s = lookup_http_request_stream(c);
-			local msg = get_http_message(s, is_orig);
-			if ( msg$header_slot == 0 )
-				msg$header_slot = reserve_rewrite_slot(c);
-			}
-		else
-			print fmt("cannot reserve a slot at %.6f", network_time());
-
-	      # An empty line to mark the end of headers.
-	      rewrite_http_data(c, is_orig, "\r\n");
-	      }
-	}
-
-event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
-	{
-	if ( ! rewriting_trace() )
-		return;
-
-	local s = lookup_http_request_stream(c);
-	local msg = get_http_message(s, is_orig);
-	local data_length = 0;
-
-	if ( stat$interrupted )
-		{
-		print http_log,
-			fmt("%.6f %s message interrupted at length=%d \"%s\"",
-				network_time(), id_string(c$id),
-				stat$body_length, stat$finish_msg);
-		}
-
-	if ( msg$header_slot > 0 )
-		seek_rewrite_slot(c, msg$header_slot);
-
-	if ( ! is_orig || stat$body_length > 0 )
-		{
-		if ( include_HTTP_abstract )
-			data_length = byte_len(msg$abstract);
-
-		data_length = data_length + stat$content_gap_length;
-
-		rewrite_http_header(c, is_orig, "Content-Length",
-					fmt(" %d", data_length));
-		}
-
-	rewrite_http_header(c, is_orig, "X-Actual-Data-Length",
-				fmt(" %d; gap=%d, content-length=%s",
-					stat$body_length,
-					stat$content_gap_length,
-					msg$content_length));
-	if ( msg$header_slot > 0 )
-		{
-		release_rewrite_slot(c, msg$header_slot);
-		msg$header_slot = 0;
-		}
-
-	if ( ! rewrite_header_in_position )
-		# An empty line to mark the end of headers.
-		rewrite_http_data(c, is_orig, "\r\n");
-
-	if ( data_length > 0 )
-		rewrite_http_data(c, is_orig, msg$abstract);
-	}
diff --git a/policy/http.bro b/policy/http.bro
index 90b0aa2daa..5a774b6e97 100644
--- a/policy/http.bro
+++ b/policy/http.bro
@@ -79,17 +79,8 @@ type http_session_info: record {
 
 const http_log = open_log_file("http") &redef;
 
-# Called when an HTTP session times out.
-global expire_http_session:
-	function(t: table[conn_id] of http_session_info, id: conn_id)
-		: interval;
-
 export {
-	# Indexed by conn_id.
-	# (Exported so that we can define a timeout on it.)
-	global http_sessions: table[conn_id] of http_session_info
-			&expire_func = expire_http_session
-			&read_expire = 15 min;
+	global http_sessions: table[conn_id] of http_session_info;
 }
 
 global http_session_id = 0;
@@ -202,30 +193,6 @@ event connection_state_remove(c: connection)
 	delete http_sessions[c$id];
 	}
 
-function expire_http_session(t: table[conn_id] of http_session_info,
-				id: conn_id): interval
-	{
-	### FIXME: not really clear that we need this function at all ...
-	#
-	# One would think that connection_state_remove() already takes care
-	# of everything.  However, without this expire-handler, some requests
-	# don't show up with the test-suite (but haven't reproduced with
-	# smaller traces) - Robin.
-
-	local s = http_sessions[id];
-	finish_stream(id, s$id, s$request_stream);
-	return 0 sec;
-	}
-
-# event connection_timeout(c: connection)
-# 	{
-# 	if ( ! maintain_http_sessions )
-# 		{
-# 		local id = c$id;
-# 		if ( [id$orig_h, id$resp_h] in http_sessions )
-# 			delete http_sessions[id$orig_h, id$resp_h];
-# 		}
-# 	}
 
 # event http_stats(c: connection, stats: http_stats_rec)
 # 	{
diff --git a/policy/ident-rewriter.bro b/policy/ident-rewriter.bro
deleted file mode 100644
index 2cf1d03720..0000000000
--- a/policy/ident-rewriter.bro
+++ /dev/null
@@ -1,115 +0,0 @@
-# $Id: ident-rewriter.bro 47 2004-06-11 07:26:32Z vern $
-
-@load ident
-
-redef rewriting_ident_trace = T;
-
-global public_ident_user_ids = { "root", } &redef;
-global public_ident_systems = { "UNIX", } &redef;
-
-const delay_rewriting_request = T;
-
-function public_ident_user(id: string): bool
-	{
-	return id in public_ident_user_ids;
-	}
-
-function public_system(system: string): bool
-	{
-	return system in public_ident_systems;
-	}
-
-type ident_req: record {
-	lport: port;
-	rport: port;
-	rewrite_slot: count;
-};
-
-# Does not support pipelining ....
-global ident_req_slots: table[addr, port, addr, port] of ident_req;
-
-event ident_request(c: connection, lport: port, rport: port)
-	{
-	if ( ! rewriting_trace() )
-		return;
-
-	local id = c$id;
-	if ( delay_rewriting_request )
-		{
-		local slot = reserve_rewrite_slot(c);
-		ident_req_slots[id$orig_h, id$orig_p, id$resp_h, id$resp_p] =
-			[$lport = lport, $rport = rport, $rewrite_slot = slot];
-		}
-	else
-		rewrite_ident_request(c, lport, rport);
-	}
-
-event ident_reply(c: connection, lport: port, rport: port,
-		user_id: string, system: string)
-	{
-	if ( ! rewriting_trace() )
-		return;
-
-	local id = c$id;
-
-	if ( [id$orig_h, id$orig_p, id$resp_h, id$resp_p] in ident_req_slots )
-		{
-		local req = ident_req_slots[id$orig_h, id$orig_p,
-						id$resp_h, id$resp_p];
-
-		seek_rewrite_slot(c, req$rewrite_slot);
-		rewrite_ident_request(c, req$lport, req$rport);
-		release_rewrite_slot(c, req$rewrite_slot);
-
-		delete ident_req_slots[id$orig_h, id$orig_p,
-					id$resp_h, id$resp_p];
-		}
-
-	rewrite_ident_reply(c, lport, rport,
-			public_system(system) ? system : "OTHER",
-			public_ident_user(user_id) ? user_id : "private user");
-	}
-
-event ident_error(c: connection, lport: port, rport: port, line: string)
-	{
-	if ( ! rewriting_trace() )
-		return;
-
-	local id = c$id;
-
-	if ( [id$orig_h, id$orig_p, id$resp_h, id$resp_p] in ident_req_slots )
-		{
-		local req = ident_req_slots[id$orig_h, id$orig_p,
-						id$resp_h, id$resp_p];
-
-		seek_rewrite_slot(c, req$rewrite_slot);
-		rewrite_ident_request(c, req$lport, req$rport);
-		release_rewrite_slot(c, req$rewrite_slot);
-
-		delete ident_req_slots[id$orig_h, id$orig_p,
-					id$resp_h, id$resp_p];
-		}
-
-	rewrite_ident_error(c, lport, rport, line);
-	}
-
-event connection_state_remove(c: connection)
-	{
-	if ( ! rewriting_trace() )
-		return;
-
-	local id = c$id;
-
-	if ( [id$orig_h, id$orig_p, id$resp_h, id$resp_p] in ident_req_slots )
-		{
-		local req = ident_req_slots[id$orig_h, id$orig_p,
-						id$resp_h, id$resp_p];
-
-		seek_rewrite_slot(c, req$rewrite_slot);
-		rewrite_ident_request(c, req$lport, req$rport);
-		release_rewrite_slot(c, req$rewrite_slot);
-
-		delete ident_req_slots[id$orig_h, id$orig_p,
-					id$resp_h, id$resp_p];
-		}
-	}
diff --git a/policy/irc-bot.bro b/policy/irc-bot.bro
index 8375aa91d6..4bbe072b7d 100644
--- a/policy/irc-bot.bro
+++ b/policy/irc-bot.bro
@@ -500,7 +500,7 @@ event irc_channel_topic(c: connection, channel: string, topic: string)
 	local conn = get_conn(c);
 
 	local ch = get_channel(conn, channel);
-	ch$topic_history[|ch$topic_history| + 1] = ch$topic;
+	ch$topic_history[|ch$topic_history|] = ch$topic;
 	ch$topic = topic;
 
 	if ( c$id in bot_conns )
diff --git a/policy/logging-ascii.bro b/policy/logging-ascii.bro
new file mode 100644
index 0000000000..ad59e8dcf5
--- /dev/null
+++ b/policy/logging-ascii.bro
@@ -0,0 +1,29 @@
+##! Interface for the ascii log writer.
+
+module LogAscii;
+
+export {
+	## If true, output everything to stdout rather than
+	## into files. This is primarily for debugging purposes.
+	const output_to_stdout = F &redef;
+
+	## If true, include a header line with column names.
+	const include_header = T &redef;
+
+	# Prefix for the header line if included.
+	const header_prefix = "# " &redef;
+
+	## Separator between fields.
+	const separator = "\t" &redef;
+
+	## Separator between set elements.
+	const set_separator = "," &redef;
+
+	## String to use for empty fields.
+	const empty_field = "" &redef;
+
+	## String to use for an unset &optional field.
+	const unset_field = "-" &redef;
+}
+
+
diff --git a/policy/logging.bro b/policy/logging.bro
new file mode 100644
index 0000000000..410bc20da8
--- /dev/null
+++ b/policy/logging.bro
@@ -0,0 +1,209 @@
+##! The Bro logging interface.
+##!
+##! See XXX for a introduction to Bro's logging framework.
+
+module Log;
+
+# Log::ID and Log::Writer are defined in bro.init due to circular dependencies.
+
+export {
+	## If true, is local logging is by default enabled for all filters.
+	const enable_local_logging = T &redef;
+
+	## If true, is remote logging is by default enabled for all filters.
+	const enable_remote_logging = T &redef;
+
+	## Default writer to use if a filter does not specify
+	## anything else.
+	const default_writer = WRITER_ASCII &redef;
+
+	## Type defining the content of a logging stream.
+	type Stream: record {
+		## A record type defining the log's columns.
+		columns: any;
+
+		## Event that will be raised once for each log entry.
+		## The event receives a single same parameter, an instance of type ``columns``.
+		ev: any &optional;
+	};
+
+	## Filter customizing logging.
+	type Filter: record {
+		## Descriptive name to reference this filter.
+		name: string;
+
+		## The writer to use.
+		writer: Writer &default=default_writer;
+
+		## Predicate indicating whether a log entry should be recorded.
+		## If not given, all entries are recorded.
+		##
+		## rec: An instance of the streams's ``columns`` type with its
+		## fields set to the values to logged.
+		##
+		## Returns: True if the entry is to be recorded.
+		pred: function(rec: any): bool &optional;
+
+		## Output path for recording entries matching this
+		## filter.
+                ##
+		## The specific interpretation of the string is up to
+		## the used writer, and may for example be the destination
+		## file name. Generally, filenames are expected to given
+		## without any extensions; writers will add appropiate 
+		## extensions automatically.
+		path: string &optional;
+
+		## A function returning the output path for recording entries
+		## matching this filter. This is similar to ``path`` yet allows
+		## to compute the string dynamically. It is ok to return
+		## different strings for separate calls, but be careful: it's
+		## easy to flood the disk by returning a new string for each
+		## connection ...
+		path_func: function(id: ID, path: string): string &optional;
+
+		## Subset of column names to record. If not given, all
+		## columns are recorded.
+		include: set[string] &optional;
+
+		## Subset of column names to exclude from recording. If not given,
+		## all columns are recorded.
+		exclude: set[string] &optional;
+
+		## If true, entries are recorded locally.
+		log_local: bool &default=enable_local_logging;
+
+		## If true, entries are passed on to remote peers.
+		log_remote: bool &default=enable_remote_logging;
+	};
+
+	# Log rotation support.
+
+	## Information passed into rotation callback functions.
+	type RotationInfo: record {
+		writer: Writer;	##< Writer.
+		path: string;	##< Original path value.
+		open: time;	##< Time when opened.
+		close: time;	##< Time when closed.
+	};
+
+	## Default rotation interval. Zero disables rotation.
+	const default_rotation_interval = 0secs &redef;
+
+	## Default naming suffix format. Uses a strftime() style.
+	const default_rotation_date_format = "%y-%m-%d_%H.%M.%S" &redef;
+
+	## Default postprocessor for writers outputting into files.
+	const default_rotation_postprocessor = "" &redef;
+
+	## Default function to construct the name of a rotated output file.
+	## The default implementation appends info$date_fmt to the original
+	## file name.
+	##
+	## info: Meta-data about the file to be rotated.
+	global default_rotation_path_func: function(info: RotationInfo) : string &redef;
+
+	## Type for controlling file rotation.
+	type RotationControl: record  {
+		## Rotation interval.
+		interv: interval &default=default_rotation_interval;
+		## Format for timestamps embedded into rotated file names.
+		date_fmt: string &default=default_rotation_date_format;
+		## Postprocessor process to run on rotate file.
+		postprocessor: string &default=default_rotation_postprocessor;
+	};
+
+	## Specifies rotation parameters per ``(id, path)`` tuple.
+	## If a pair is not found in this table, default values defined in
+	## ``RotationControl`` are used.
+	const rotation_control: table[Writer, string] of RotationControl &default=[] &redef;
+
+	## Sentinel value for indicating that a filter was not found when looked up.
+	const no_filter: Filter = [$name="<not found>"]; # Sentinel.
+
+	# TODO: Document.
+	global create_stream: function(id: ID, stream: Stream) : bool;
+	global enable_stream: function(id: ID) : bool;
+	global disable_stream: function(id: ID) : bool;
+	global add_filter: function(id: ID, filter: Filter) : bool;
+	global remove_filter: function(id: ID, name: string) : bool;
+	global get_filter: function(id: ID, name: string) : Filter; # Returns no_filter if not found.
+	global write: function(id: ID, columns: any) : bool;
+	global set_buf: function(id: ID, buffered: bool): bool;
+	global flush: function(id: ID): bool;
+	global add_default_filter: function(id: ID) : bool;
+	global remove_default_filter: function(id: ID) : bool;
+}
+
+# We keep a script-level copy of all filters so that we can manipulate them.
+global filters: table[ID, string] of Filter;
+
+@load logging.bif.bro # Needs Filter and Stream defined.
+
+module Log;
+
+function default_rotation_path_func(info: RotationInfo) : string
+	{
+	local date_fmt = rotation_control[info$writer, info$path]$date_fmt;
+	return fmt("%s-%s", info$path, strftime(date_fmt, info$open));
+	}
+
+function create_stream(id: ID, stream: Stream) : bool
+	{
+	if ( ! __create_stream(id, stream) )
+		return F;
+
+	return add_default_filter(id);
+	}
+
+function disable_stream(id: ID) : bool
+	{
+	if ( ! __disable_stream(id) )
+		return F;
+	}
+						   
+function add_filter(id: ID, filter: Filter) : bool
+	{
+	filters[id, filter$name] = filter;
+	return __add_filter(id, filter);
+	}
+
+function remove_filter(id: ID, name: string) : bool
+	{
+	delete filters[id, name];
+	return __remove_filter(id, name);
+	}
+
+function get_filter(id: ID, name: string) : Filter
+	{
+	if ( [id, name] in filters )
+		return filters[id, name];
+
+	return no_filter;
+	}
+
+function write(id: ID, columns: any) : bool
+	{
+	return __write(id, columns);
+	}
+
+function set_buf(id: ID, buffered: bool): bool
+	{
+	return __set_buf(id, buffered);
+	}
+
+function flush(id: ID): bool
+	{
+	return __flush(id);
+	}
+
+function add_default_filter(id: ID) : bool
+	{
+	return add_filter(id, [$name="default"]);
+	}
+
+function remove_default_filter(id: ID) : bool
+	{
+	return remove_filter(id, "default");
+	}
+
diff --git a/policy/login.bro b/policy/login.bro
index 26d32ca08c..9d45249bb1 100644
--- a/policy/login.bro
+++ b/policy/login.bro
@@ -544,10 +544,7 @@ event login_confused(c: connection, msg: string, line: string)
 
 	append_addl(c, "<confused>");
 
-	if ( line == "" )
-		print Weird::weird_file, fmt("%.6f %s %s", network_time(), id_string(c$id), msg);
-	else
-		print Weird::weird_file, fmt("%.6f %s %s (%s)", network_time(), id_string(c$id), msg, line);
+	event conn_weird_addl(msg, c, line);
 
 	set_record_packets(c$id, T);
 	}
diff --git a/policy/mime.bro b/policy/mime.bro
index 7f923aac08..73a4ecefee 100644
--- a/policy/mime.bro
+++ b/policy/mime.bro
@@ -74,13 +74,14 @@ function mime_header_subject(session: mime_session_info,
 ### This is a bit clunky.  These are functions we call out to, defined
 # elsewhere.  The way we really ought to do this is to have them passed
 # in during initialization.  But for now, we presume knowledge of their
-# names in global scope.
-module GLOBAL;
-global check_relay_3:
-	function(session: MIME::mime_session_info, msg_id: string);
-global check_relay_4:
-	function(session: MIME::mime_session_info, content_hash: string);
-module MIME;
+# names.
+export
+	{
+	global SMTP::check_relay_3:
+		function(session: MIME::mime_session_info, msg_id: string);
+	global SMTP::check_relay_4:
+		function(session: MIME::mime_session_info, content_hash: string);
+	}
 
 function mime_header_message_id(session: mime_session_info, name: string, arg: string)
 	{
@@ -107,7 +108,7 @@ function mime_header_message_id(session: mime_session_info, name: string, arg: s
 	s = t[1];
 
 	if ( session$level == 1 && SMTP::process_smtp_relay )
-		check_relay_3(session, s);
+		SMTP::check_relay_3(session, s);
 	}
 
 redef mime_header_handler = {
diff --git a/policy/notice.bro b/policy/notice.bro
index b19a4fb860..9b434032f0 100644
--- a/policy/notice.bro
+++ b/policy/notice.bro
@@ -272,6 +272,8 @@ function build_notice_info_string_tagged(n: notice_info) : string
 	return cur_info;
 	}
 
+global email_notice_to: function(n: notice_info, dest: string) &redef;
+
 function email_notice_to(n: notice_info, dest: string)
 	{
 	if ( reading_traces() || dest == "" )
diff --git a/policy/pcap.bro b/policy/pcap.bro
index 091233dd52..021884a700 100644
--- a/policy/pcap.bro
+++ b/policy/pcap.bro
@@ -4,8 +4,16 @@
 global capture_filters: table[string] of string &redef;
 global restrict_filters: table[string] of string &redef;
 
-# Filter string which is unconditionally or'ed to every pcap filter.
-global unrestricted_filter = "" &redef;
+# By default, Bro will examine all packets. If this is set to false,
+# it will dynamically build a BPF filter that only select protocols
+# for which the user has loaded a corresponding analysis script.
+# The latter used to be default for Bro versions < 1.6. That has now
+# changed however to enable port-independent protocol analysis.
+const all_packets = T &redef;
+
+# Filter string which is unconditionally or'ed to every dynamically
+# built pcap filter.
+const unrestricted_filter = "" &redef;
 
 redef enum PcapFilterID += {
 	DefaultPcapFilter,
@@ -27,6 +35,7 @@ function join_filters(capture_filter: string, restrict_filter: string): string
 
 	if ( capture_filter != "" && restrict_filter != "" )
 		filter = fmt( "(%s) and (%s)", restrict_filter, capture_filter );
+
 	else if ( capture_filter != "" )
 		filter = capture_filter;
 
@@ -34,7 +43,7 @@ function join_filters(capture_filter: string, restrict_filter: string): string
 		filter = restrict_filter;
 
 	else
-		filter = "tcp or udp or icmp";
+		filter = "ip or not ip";
 
 	if ( unrestricted_filter != "" )
 		filter = fmt( "(%s) or (%s)", unrestricted_filter, filter );
@@ -44,28 +53,39 @@ function join_filters(capture_filter: string, restrict_filter: string): string
 
 function build_default_pcap_filter(): string
 	{
-	# Build capture_filter.
-	local cfilter = "";
+	if ( cmd_line_bpf_filter != "" )
+		# Return what the user specified on the command line;
+		return cmd_line_bpf_filter;
 
+	if ( all_packets )
+		{
+		# Return an "always true" filter.
+		if ( bro_has_ipv6() )
+			return "ip or not ip";
+		else
+			return "not ip6";
+		}
+
+	## Build filter dynamically.
+
+	# First the capture_filter.
+	local cfilter = "";
 	for ( id in capture_filters )
 		cfilter = add_to_pcap_filter(cfilter, capture_filters[id], "or");
 
-	# Build restrict_filter.
+	# Then the restrict_filter.
 	local rfilter = "";
-	local saw_VLAN = F;
 	for ( id in restrict_filters )
-		{
-		if ( restrict_filters[id] == "vlan" )
-			# These are special - they need to come first.
-			saw_VLAN = T;
-		else
-			rfilter = add_to_pcap_filter(rfilter, restrict_filters[id], "and");
-		}
+		rfilter = add_to_pcap_filter(rfilter, restrict_filters[id], "and");
 
-	if ( saw_VLAN )
-		rfilter = add_to_pcap_filter("vlan", rfilter, "and");
+	# Finally, join them.
+	local filter = join_filters(cfilter, rfilter);
 
-	return join_filters(cfilter, rfilter);
+	# Exclude IPv6 if we don't support it.
+	if ( ! bro_has_ipv6() )
+		filter = fmt("(not ip6) and (%s)", filter);
+
+	return filter;
 	}
 
 function install_default_pcap_filter()
diff --git a/policy/portmapper.bro b/policy/portmapper.bro
index ecf952e9fc..a67f24821b 100644
--- a/policy/portmapper.bro
+++ b/policy/portmapper.bro
@@ -4,6 +4,7 @@
 @load hot
 @load conn
 @load weird
+@load scan
 
 module Portmapper;
 
@@ -294,8 +295,8 @@ function pm_mapping_to_text(server: addr, m: pm_mappings): string
 		if ( [prog, p] !in mapping_seen )
 			{
 			add mapping_seen[prog, p];
-			addls[++num_addls] = fmt("%s -> %s", rpc_prog(prog), p);
-
+			addls[num_addls] = fmt("%s -> %s", rpc_prog(prog), p);
+			++num_addls;
 			update_RPC_server_map(server, p, rpc_prog(prog));
 			}
 		}
diff --git a/policy/remote.bro b/policy/remote.bro
index fad2beb900..294c8fcd1e 100644
--- a/policy/remote.bro
+++ b/policy/remote.bro
@@ -43,6 +43,9 @@ export {
 		# Whether to perform state synchronization with peer.
 		sync: bool &default = T;
 
+		# Whether to request logs from the peer.
+		request_logs: bool &default = F;
+
 		# When performing state synchronization, whether we consider
 		# our state to be authoritative.  If so, we will send the peer
 		# our current set when the connection is set up.
@@ -176,6 +179,12 @@ function setup_peer(p: event_peer, dst: Destination)
 		request_remote_sync(p, dst$auth);
 		}
 
+	if ( dst$request_logs )
+		{
+		do_script_log(p, "requesting logs");
+		request_remote_logs(p);
+		}
+
 	dst$peer = p;
 	dst$connected = T;
 	connected_peers[p$id] = dst;
diff --git a/policy/rotate-logs.bro b/policy/rotate-logs.bro
index 65bfa05474..92ab4cf455 100644
--- a/policy/rotate-logs.bro
+++ b/policy/rotate-logs.bro
@@ -56,10 +56,11 @@ function run_pp(info: rotate_info)
 	if ( pp != "" )
 		# The date format is hard-coded here to provide a standardized
 		# script interface.
-		system(fmt("%s %s %s %s %s %s",
+		system(fmt("%s %s %s %s %s %s %s",
 				pp, info$new_name, info$old_name,
 				strftime("%y-%m-%d_%H.%M.%S", info$open),
 				strftime("%y-%m-%d_%H.%M.%S", info$close),
+				bro_is_terminating() ? "1" : "0",
 				tag));
 	else
 		system(fmt("/bin/mv %s %s %s",
diff --git a/policy/scan.bro b/policy/scan.bro
index c1e956125b..d3ee0574c3 100644
--- a/policy/scan.bro
+++ b/policy/scan.bro
@@ -186,17 +186,17 @@ export {
 	# More precisely, the counter is the next index of threshold vector.
 	global shut_down_thresh_reached: table[addr] of bool &default=F;
 	global rb_idx: table[addr] of count
-			&default=1 &read_expire = 1 days &redef;
+			&default=0 &read_expire = 1 days &redef;
 	global rps_idx: table[addr] of count
-			&default=1 &read_expire = 1 days &redef;
+			&default=0 &read_expire = 1 days &redef;
 	global rops_idx: table[addr] of count
-			&default=1 &read_expire = 1 days &redef;
+			&default=0 &read_expire = 1 days &redef;
 	global rpts_idx: table[addr,addr] of count
-			&default=1 &read_expire = 1 days &redef;
+			&default=0 &read_expire = 1 days &redef;
 	global rat_idx: table[addr] of count
-			&default=1 &read_expire = 1 days &redef;
+			&default=0 &read_expire = 1 days &redef;
 	global rrat_idx: table[addr] of count
-			&default=1 &read_expire = 1 days &redef;
+			&default=0 &read_expire = 1 days &redef;
 }
 
 global thresh_check: function(v: vector of count, idx: table[addr] of count,
@@ -609,7 +609,7 @@ function thresh_check(v: vector of count, idx: table[addr] of count,
 		return F;
 		}
 
-	if ( idx[orig] <= |v| && n >= v[idx[orig]] )
+	if ( idx[orig] < |v| && n >= v[idx[orig]] )
 		{
 		++idx[orig];
 		return T;
@@ -628,7 +628,7 @@ function thresh_check_2(v: vector of count, idx: table[addr, addr] of count,
 		return F;
 		}
 
-	if ( idx[orig,resp] <= |v| && n >= v[idx[orig, resp]] )
+	if ( idx[orig,resp] < |v| && n >= v[idx[orig, resp]] )
 		{
 		++idx[orig,resp];
 		return T;
diff --git a/policy/sigs/Makefile.am b/policy/sigs/Makefile.am
deleted file mode 100644
index 389de9f94a..0000000000
--- a/policy/sigs/Makefile.am
+++ /dev/null
@@ -1,6 +0,0 @@
-## Process this file with automake to produce Makefile.in
-
-sigsdir=${datadir}/bro/sigs
-dist_sigs_DATA = dpd.sig ex.web-rules.sig http-bots.sig p0fsyn.osf \
-	snort-default.sig ssl-worm.sig worm.sig 
-
diff --git a/policy/sigs/ex.web-rules.sig b/policy/sigs/ex.web-rules.sig
deleted file mode 100644
index cd2571b33b..0000000000
--- a/policy/sigs/ex.web-rules.sig
+++ /dev/null
@@ -1,8914 +0,0 @@
-# $Id: ex.web-rules.sig 6 2004-04-30 00:31:26Z jason $
-#
-# This is a subset of Snort's signatures (automatically converted into Bro's 
-# language by snort2bro).
-#
-# [web-*.rules from snortrules-current.tar.gz as of Oct 9 19:15:02 2003 GMT]
-#
-# To use it, customize the variables contained in snort.bro and load snort.bro 
-# and signatures.bro.
-
-signature sid-1328 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-ATTACKS ps command attempt"
-  http /.*[\/\\]bin[\/\\]ps/
-  tcp-state established,originator
-  }
-
-signature sid-1329 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-ATTACKS /bin/ps command attempt"
-  http /.*ps%20/
-  tcp-state established,originator
-  }
-
-signature sid-1330 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-ATTACKS wget command attempt"
-  tcp-state established,originator
-  payload /.*[wW][gG][eE][tT]%20/
-  }
-
-signature sid-1331 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-ATTACKS uname -a command attempt"
-  tcp-state established,originator
-  payload /.*[uU][nN][aA][mM][eE]%20-[aA]/
-  }
-
-signature sid-1332 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-ATTACKS /usr/bin/id command attempt"
-  tcp-state established,originator
-  payload /.*\/[uU][sS][rR]\/[bB][iI][nN]\/[iI][dD]/
-  }
-
-signature sid-1333 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-ATTACKS id command attempt"
-  tcp-state established,originator
-  payload /.*;[iI][dD]/
-  }
-
-signature sid-1334 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-ATTACKS echo command attempt"
-  tcp-state established,originator
-  payload /.*\/[bB][iI][nN]\/[eE][cC][hH][oO]/
-  }
-
-signature sid-1335 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-ATTACKS kill command attempt"
-  tcp-state established,originator
-  payload /.*\/[bB][iI][nN]\/[kK][iI][lL][lL]/
-  }
-
-signature sid-1336 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-ATTACKS chmod command attempt"
-  tcp-state established,originator
-  payload /.*\/[bB][iI][nN]\/[cC][hH][mM][oO][dD]/
-  }
-
-signature sid-1337 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-ATTACKS chgrp command attempt"
-  tcp-state established,originator
-  payload /.*\/[cC][hH][gG][rR][pP]/
-  }
-
-signature sid-1338 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-ATTACKS chown command attempt"
-  tcp-state established,originator
-  payload /.*\/[cC][hH][oO][wW][nN]/
-  }
-
-signature sid-1339 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-ATTACKS chsh command attempt"
-  tcp-state established,originator
-  payload /.*\/[uU][sS][rR]\/[bB][iI][nN]\/[cC][hH][sS][hH]/
-  }
-
-signature sid-1340 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-ATTACKS tftp command attempt"
-  tcp-state established,originator
-  payload /.*[tT][fF][tT][pP]%20/
-  }
-
-signature sid-1341 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-ATTACKS /usr/bin/gcc command attempt"
-  tcp-state established,originator
-  payload /.*\/[uU][sS][rR]\/[bB][iI][nN]\/[gG][cC][cC]/
-  }
-
-signature sid-1342 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-ATTACKS gcc command attempt"
-  tcp-state established,originator
-  payload /.*[gG][cC][cC]%20-[oO]/
-  }
-
-signature sid-1343 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-ATTACKS /usr/bin/cc command attempt"
-  tcp-state established,originator
-  payload /.*\/[uU][sS][rR]\/[bB][iI][nN]\/[cC][cC]/
-  }
-
-signature sid-1344 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-ATTACKS cc command attempt"
-  tcp-state established,originator
-  payload /.*[cC][cC]%20/
-  }
-
-signature sid-1345 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-ATTACKS /usr/bin/cpp command attempt"
-  tcp-state established,originator
-  payload /.*\/[uU][sS][rR]\/[bB][iI][nN]\/[cC][pP][pP]/
-  }
-
-signature sid-1346 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-ATTACKS cpp command attempt"
-  tcp-state established,originator
-  payload /.*[cC][pP][pP]%20/
-  }
-
-signature sid-1347 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-ATTACKS /usr/bin/g++ command attempt"
-  tcp-state established,originator
-  payload /.*\/[uU][sS][rR]\/[bB][iI][nN]\/[gG]\+\+/
-  }
-
-signature sid-1348 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-ATTACKS g++ command attempt"
-  tcp-state established,originator
-  payload /.*[gG]\+\+%20/
-  }
-
-signature sid-1349 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-ATTACKS bin/python access attempt"
-  tcp-state established,originator
-  payload /.*[bB][iI][nN]\/[pP][yY][tT][hH][oO][nN]/
-  }
-
-signature sid-1350 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-ATTACKS python access attempt"
-  tcp-state established,originator
-  payload /.*[pP][yY][tT][hH][oO][nN]%20/
-  }
-
-signature sid-1351 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-ATTACKS bin/tclsh execution attempt"
-  tcp-state established,originator
-  payload /.*[bB][iI][nN]\/[tT][cC][lL][sS][hH]/
-  }
-
-signature sid-1352 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-ATTACKS tclsh execution attempt"
-  tcp-state established,originator
-  payload /.*[tT][cC][lL][sS][hH]8%20/
-  }
-
-signature sid-1353 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-ATTACKS bin/nasm command attempt"
-  tcp-state established,originator
-  payload /.*[bB][iI][nN]\/[nN][aA][sS][mM]/
-  }
-
-signature sid-1354 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-ATTACKS nasm command attempt"
-  tcp-state established,originator
-  payload /.*[nN][aA][sS][mM]%20/
-  }
-
-signature sid-1355 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-ATTACKS /usr/bin/perl execution attempt"
-  tcp-state established,originator
-  payload /.*\/[uU][sS][rR]\/[bB][iI][nN]\/[pP][eE][rR][lL]/
-  }
-
-signature sid-1356 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-ATTACKS perl execution attempt"
-  tcp-state established,originator
-  payload /.*[pP][eE][rR][lL]%20/
-  }
-
-signature sid-1357 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-ATTACKS nt admin addition attempt"
-  tcp-state established,originator
-  payload /.*[nN][eE][tT] [lL][oO][cC][aA][lL][gG][rR][oO][uU][pP] [aA][dD][mM][iI][nN][iI][sS][tT][rR][aA][tT][oO][rR][sS] \/[aA][dD][dD]/
-  }
-
-signature sid-1358 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-ATTACKS traceroute command attempt"
-  tcp-state established,originator
-  payload /.*[tT][rR][aA][cC][eE][rR][oO][uU][tT][eE]%20/
-  }
-
-signature sid-1359 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-ATTACKS ping command attempt"
-  tcp-state established,originator
-  payload /.*\/[bB][iI][nN]\/[pP][iI][nN][gG]/
-  }
-
-signature sid-1360 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-ATTACKS netcat command attempt"
-  tcp-state established,originator
-  payload /.*[nN][cC]%20/
-  }
-
-signature sid-1361 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-ATTACKS nmap command attempt"
-  tcp-state established,originator
-  payload /.*[nN][mM][aA][pP]%20/
-  }
-
-signature sid-1362 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-ATTACKS xterm command attempt"
-  tcp-state established,originator
-  payload /.*\/[uU][sS][rR]\/[xX]11[rR]6\/[bB][iI][nN]\/[xX][tT][eE][rR][mM]/
-  }
-
-signature sid-1363 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-ATTACKS X application to remote host attempt"
-  tcp-state established,originator
-  payload /.*%20-[dD][iI][sS][pP][lL][aA][yY]%20/
-  }
-
-signature sid-1364 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-ATTACKS lsof command attempt"
-  tcp-state established,originator
-  payload /.*[lL][sS][oO][fF]%20/
-  }
-
-signature sid-1365 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-ATTACKS rm command attempt"
-  tcp-state established,originator
-  payload /.*[rR][mM]%20/
-  }
-
-signature sid-1366 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-ATTACKS mail command attempt"
-  tcp-state established,originator
-  payload /.*\/[bB][iI][nN]\/[mM][aA][iI][lL]/
-  }
-
-signature sid-1367 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-ATTACKS mail command attempt"
-  tcp-state established,originator
-  payload /.*[mM][aA][iI][lL]%20/
-  }
-
-signature sid-1368 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-ATTACKS /bin/ls| command attempt"
-  http /.*[\/\\]bin[\/\\]ls\|/
-  tcp-state established,originator
-  }
-
-signature sid-1369 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-ATTACKS /bin/ls command attempt"
-  http /.*[\/\\]bin[\/\\]ls/
-  tcp-state established,originator
-  }
-
-signature sid-1370 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-ATTACKS /etc/inetd.conf access"
-  tcp-state established,originator
-  payload /.*\/[eE][tT][cC]\/[iI][nN][eE][tT][dD]\.[cC][oO][nN][fF]/
-  }
-
-signature sid-1371 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-ATTACKS /etc/motd access"
-  tcp-state established,originator
-  payload /.*\/[eE][tT][cC]\/[mM][oO][tT][dD]/
-  }
-
-signature sid-1372 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-ATTACKS /etc/shadow access"
-  tcp-state established,originator
-  payload /.*\/[eE][tT][cC]\/[sS][hH][aA][dD][oO][wW]/
-  }
-
-signature sid-1373 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-ATTACKS conf/httpd.conf attempt"
-  tcp-state established,originator
-  payload /.*[cC][oO][nN][fF]\/[hH][tT][tT][pP][dD]\.[cC][oO][nN][fF]/
-  }
-
-signature sid-1374 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-ATTACKS .htgroup access"
-  http /.*\.htgroup/
-  tcp-state established,originator
-  }
-
-signature sid-803 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI HyperSeek hsx.cgi directory traversal attempt"
-  http /.*[\/\\]hsx\.cgi/
-  tcp-state established,originator
-  payload /.*\.\.\/\.\.\/.{1}.*%00/
-  }
-
-signature sid-1607 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI HyperSeek hsx.cgi access"
-  http /.*[\/\\]hsx\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-804 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI SWSoft ASPSeek Overflow attempt"
-  http /.*[\/\\]s\.cgi/
-  tcp-state established,originator
-  payload /.*[tT][mM][pP][lL]=/
-  }
-
-signature sid-805 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI webspeed access"
-  http /.*[\/\\]wsisa\.dll[\/\\]WService=/
-  tcp-state established,originator
-  payload /.*[wW][sS][mM][aA][dD][mM][iI][nN]/
-  }
-
-signature sid-806 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI yabb.cgi directory traversal attempt"
-  http /.*[\/\\]YaBB\.pl/
-  tcp-state established,originator
-  payload /.*\.\.\//
-  }
-
-signature sid-1637 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI yabb.cgi access"
-  http /.*[\/\\]YaBB\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-807 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI /wwwboard/passwd.txt access"
-  http /.*[\/\\]wwwboard[\/\\]passwd\.txt/
-  tcp-state established,originator
-  }
-
-signature sid-808 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI webdriver access"
-  http /.*[\/\\]webdriver/
-  tcp-state established,originator
-  }
-
-signature sid-809 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI whois_raw.cgi arbitrary command execution attempt"
-  http /.*[\/\\]whois_raw\.cgi\?/
-  tcp-state established,originator
-  payload /.*\x0a/
-  }
-
-signature sid-810 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI whois_raw.cgi access"
-  http /.*[\/\\]whois_raw\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-811 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI websitepro path access"
-  tcp-state established,originator
-  payload /.* \/[hH][tT][tT][pP]\/1\./
-  }
-
-signature sid-812 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI webplus version access"
-  http /.*[\/\\]webplus\?about/
-  tcp-state established,originator
-  }
-
-signature sid-813 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI webplus directory traversal"
-  http /.*[\/\\]webplus\?script/
-  tcp-state established,originator
-  payload /.*\.\.\//
-  }
-
-signature sid-815 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI websendmail access"
-  http /.*[\/\\]websendmail/
-  tcp-state established,originator
-  }
-
-signature sid-1571 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI dcforum.cgi directory traversal attempt"
-  http /.*[\/\\]dcforum\.cgi/
-  tcp-state established,originator
-  payload /.*forum=\.\.\/\.\./
-  }
-
-signature sid-818 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI dcforum.cgi access"
-  http /.*[\/\\]dcforum\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-817 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI dcboard.cgi invalid user addition attempt"
-  http /.*[\/\\]dcboard\.cgi/
-  tcp-state established,originator
-  payload /.*command=register/
-  payload /.*%7cadmin/
-  }
-
-signature sid-1410 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI dcboard.cgi access"
-  http /.*[\/\\]dcboard\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-819 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI mmstdod.cgi access"
-  http /.*[\/\\]mmstdod\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-820 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI anaconda directory transversal attempt"
-  http /.*[\/\\]apexec\.pl/
-  tcp-state established,originator
-  payload /.*[tT][eE][mM][pP][lL][aA][tT][eE]=\.\.\//
-  }
-
-signature sid-821 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI imagemap.exe overflow attempt"
-  http /.*[\/\\]imagemap\.exe\?/
-  tcp-state established,originator
-  }
-
-signature sid-1700 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI imagemap.exe access"
-  http /.*[\/\\]imagemap\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-823 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI cvsweb.cgi access"
-  http /.*[\/\\]cvsweb\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-824 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI php.cgi access"
-  http /.*[\/\\]php\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-825 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI glimpse access"
-  http /.*[\/\\]glimpse/
-  tcp-state established,originator
-  }
-
-signature sid-1608 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI htmlscript attempt"
-  http /.*[\/\\]htmlscript\?\.\.[\/\\]\.\./
-  tcp-state established,originator
-  }
-
-signature sid-826 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI htmlscript access"
-  http /.*[\/\\]htmlscript/
-  tcp-state established,originator
-  }
-
-signature sid-827 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI info2www access"
-  http /.*[\/\\]info2www/
-  tcp-state established,originator
-  }
-
-signature sid-828 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI maillist.pl access"
-  http /.*[\/\\]maillist\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-829 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI nph-test-cgi access"
-  http /.*[\/\\]nph-test-cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1451 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI NPH-publish access"
-  http /.*[\/\\]nph-maillist\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-830 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI NPH-publish access"
-  http /.*[\/\\]nph-publish/
-  tcp-state established,originator
-  }
-
-signature sid-833 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI rguest.exe access"
-  http /.*[\/\\]rguest\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-834 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI rwwwshell.pl access"
-  http /.*[\/\\]rwwwshell\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-1644 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI test-cgi attempt"
-  http /.*[\/\\]test-cgi[\/\\]\*\?\*/
-  tcp-state established,originator
-  }
-
-signature sid-835 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI test-cgi access"
-  http /.*[\/\\]test-cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1645 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI testcgi access"
-  http /.*[\/\\]testcgi/
-  tcp-state established,originator
-  }
-
-signature sid-1646 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI test.cgi access"
-  http /.*[\/\\]test\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-836 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI textcounter.pl access"
-  http /.*[\/\\]textcounter\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-837 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI uploader.exe access"
-  http /.*[\/\\]uploader\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-838 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI webgais access"
-  http /.*[\/\\]webgais/
-  tcp-state established,originator
-  }
-
-signature sid-839 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI finger access"
-  http /.*[\/\\]finger/
-  tcp-state established,originator
-  }
-
-signature sid-840 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI perlshop.cgi access"
-  http /.*[\/\\]perlshop\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-841 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI pfdisplay.cgi access"
-  http /.*[\/\\]pfdisplay\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-842 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI aglimpse access"
-  http /.*[\/\\]aglimpse/
-  tcp-state established,originator
-  }
-
-signature sid-843 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI anform2 access"
-  http /.*[\/\\]AnForm2/
-  tcp-state established,originator
-  }
-
-signature sid-844 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI args.bat access"
-  http /.*[\/\\]args\.bat/
-  tcp-state established,originator
-  }
-
-signature sid-1452 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI args.cmd access"
-  http /.*[\/\\]args\.cmd/
-  tcp-state established,originator
-  }
-
-signature sid-845 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI AT-admin.cgi access"
-  http /.*[\/\\]AT-admin\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1453 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI AT-generated.cgi access"
-  http /.*[\/\\]AT-generated\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-846 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI bnbform.cgi access"
-  http /.*[\/\\]bnbform\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-847 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI campas access"
-  http /.*[\/\\]campas/
-  tcp-state established,originator
-  }
-
-signature sid-848 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI view-source directory traversal"
-  http /.*[\/\\]view-source/
-  tcp-state established,originator
-  payload /.*\.\.\//
-  }
-
-signature sid-849 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI view-source access"
-  http /.*[\/\\]view-source/
-  tcp-state established,originator
-  }
-
-signature sid-850 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI wais.pl access"
-  http /.*[\/\\]wais\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-1454 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI wwwwais access"
-  http /.*[\/\\]wwwwais/
-  tcp-state established,originator
-  }
-
-signature sid-851 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI files.pl access"
-  http /.*[\/\\]files\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-852 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI wguest.exe access"
-  http /.*[\/\\]wguest\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-853 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI wrap access"
-  http /.*[\/\\]wrap/
-  tcp-state established,originator
-  }
-
-signature sid-854 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI classifieds.cgi access"
-  http /.*[\/\\]classifieds\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-856 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI environ.cgi access"
-  http /.*[\/\\]environ\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1647 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI faxsurvey attempt (full path)"
-  http /.*[\/\\]faxsurvey\?[\/\\]/
-  tcp-state established,originator
-  }
-
-signature sid-1609 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI faxsurvey arbitrary file read attempt"
-  http /.*[\/\\]faxsurvey\?cat%20/
-  tcp-state established,originator
-  }
-
-signature sid-857 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI faxsurvey access"
-  http /.*[\/\\]faxsurvey/
-  tcp-state established,originator
-  }
-
-signature sid-858 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI filemail access"
-  http /.*[\/\\]filemail\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-859 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI man.sh access"
-  http /.*[\/\\]man\.sh/
-  tcp-state established,originator
-  }
-
-signature sid-860 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI snork.bat access"
-  http /.*[\/\\]snork\.bat/
-  tcp-state established,originator
-  }
-
-signature sid-861 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI w3-msql access"
-  http /.*[\/\\]w3-msql[\/\\]/
-  tcp-state established,originator
-  }
-
-signature sid-863 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI day5datacopier.cgi access"
-  http /.*[\/\\]day5datacopier\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-864 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI day5datanotifier.cgi access"
-  http /.*[\/\\]day5datanotifier\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-866 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI post-query access"
-  http /.*[\/\\]post-query/
-  tcp-state established,originator
-  }
-
-signature sid-867 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI visadmin.exe access"
-  http /.*[\/\\]visadmin\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-869 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI dumpenv.pl access"
-  http /.*[\/\\]dumpenv\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-1536 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI calendar_admin.pl arbitrary command execution attempt"
-  http /.*[\/\\]calendar_admin\.pl\?config=\|/
-  tcp-state established,originator
-  }
-
-signature sid-1537 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI calendar_admin.pl access"
-  http /.*[\/\\]calendar_admin\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-1701 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI calendar-admin.pl access"
-  http /.*[\/\\]calendar-admin\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-1455 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI calender.pl access"
-  http /.*[\/\\]calender\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-882 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI calendar access"
-  http /.*[\/\\]calendar/
-  tcp-state established,originator
-  }
-
-signature sid-1457 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI user_update_admin.pl access"
-  http /.*[\/\\]user_update_admin\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-1458 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI user_update_passwd.pl access"
-  http /.*[\/\\]user_update_passwd\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-870 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI snorkerz.cmd access"
-  http /.*[\/\\]snorkerz\.cmd/
-  tcp-state established,originator
-  }
-
-signature sid-871 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI survey.cgi access"
-  http /.*[\/\\]survey\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-873 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI scriptalias access"
-  http /.*[\/\\][\/\\][\/\\]/
-  tcp-state established,originator
-  }
-
-signature sid-875 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI win-c-sample.exe access"
-  http /.*[\/\\]win-c-sample\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-878 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI w3tvars.pm access"
-  http /.*[\/\\]w3tvars\.pm/
-  tcp-state established,originator
-  }
-
-signature sid-879 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI admin.pl access"
-  http /.*[\/\\]admin\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-880 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI LWGate access"
-  http /.*[\/\\]LWGate/
-  tcp-state established,originator
-  }
-
-signature sid-881 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI archie access"
-  http /.*[\/\\]archie/
-  tcp-state established,originator
-  }
-
-signature sid-883 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI flexform access"
-  http /.*[\/\\]flexform/
-  tcp-state established,originator
-  }
-
-signature sid-1610 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI formmail arbitrary command execution attempt"
-  http /.*[\/\\]formmail/
-  tcp-state established,originator
-  payload /.*%0[aA]/
-  }
-
-signature sid-884 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI formmail access"
-  http /.*[\/\\]formmail/
-  tcp-state established,originator
-  }
-
-signature sid-1762 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI phf arbitrary command execution attempt"
-  http /.*[\/\\]phf/
-  tcp-state established,originator
-  payload /.*[qQ][aA][lL][iI][aA][sS]/
-  payload /.*%0a\//
-  }
-
-signature sid-886 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI phf access"
-  http /.*[\/\\]phf/
-  tcp-state established,originator
-  }
-
-signature sid-887 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI www-sql access"
-  http /.*[\/\\]www-sql/
-  tcp-state established,originator
-  }
-
-signature sid-888 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI wwwadmin.pl access"
-  http /.*[\/\\]wwwadmin\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-889 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI ppdscgi.exe access"
-  http /.*[\/\\]ppdscgi\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-890 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI sendform.cgi access"
-  http /.*[\/\\]sendform\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-891 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI upload.pl access"
-  http /.*[\/\\]upload\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-892 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI AnyForm2 access"
-  http /.*[\/\\]AnyForm2/
-  tcp-state established,originator
-  }
-
-signature sid-893 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI MachineInfo access"
-  http /.*[\/\\]MachineInfo/
-  tcp-state established,originator
-  }
-
-signature sid-1531 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI bb-hist.sh attempt"
-  http /.*[\/\\]bb-hist\.sh\?HISTFILE=\.\.[\/\\]\.\./
-  tcp-state established,originator
-  }
-
-signature sid-894 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI bb-hist.sh access"
-  http /.*[\/\\]bb-hist\.sh/
-  tcp-state established,originator
-  }
-
-signature sid-1459 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI bb-histlog.sh access"
-  http /.*[\/\\]bb-histlog\.sh/
-  tcp-state established,originator
-  }
-
-signature sid-1460 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI bb-histsvc.sh access"
-  http /.*[\/\\]bb-histsvc\.sh/
-  tcp-state established,originator
-  }
-
-signature sid-1532 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI bb-hostscv.sh attempt"
-  http /.*[\/\\]bb-hostsvc\.sh\?HOSTSVC\?\.\.[\/\\]\.\./
-  tcp-state established,originator
-  }
-
-signature sid-1533 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI bb-hostscv.sh access"
-  http /.*[\/\\]bb-hostsvc\.sh/
-  tcp-state established,originator
-  }
-
-signature sid-1461 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI bb-rep.sh access"
-  http /.*[\/\\]bb-rep\.sh/
-  tcp-state established,originator
-  }
-
-signature sid-1462 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI bb-replog.sh access"
-  http /.*[\/\\]bb-replog\.sh/
-  tcp-state established,originator
-  }
-
-signature sid-895 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI redirect access"
-  http /.*[\/\\]redirect/
-  tcp-state established,originator
-  }
-
-signature sid-1397 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI wayboard attempt"
-  http /.*[\/\\]way-board[\/\\]way-board\.cgi/
-  tcp-state established,originator
-  payload /.*db=/
-  payload /.*\.\.\/\.\./
-  }
-
-signature sid-896 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI way-board access"
-  http /.*[\/\\]way-board/
-  tcp-state established,originator
-  }
-
-signature sid-1222 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI pals-cgi arbitrary file access attempt"
-  http /.*[\/\\]pals-cgi/
-  tcp-state established,originator
-  payload /.*[dD][oO][cC][uU][mM][eE][nN][tT][nN][aA][mM][eE]=/
-  }
-
-signature sid-897 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI pals-cgi access"
-  http /.*[\/\\]pals-cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1572 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI commerce.cgi arbitrary file access attempt"
-  http /.*[\/\\]commerce\.cgi/
-  tcp-state established,originator
-  payload /.*page=/
-  payload /.*\/\.\.\//
-  }
-
-signature sid-898 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI commerce.cgi access"
-  http /.*[\/\\]commerce\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-899 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI Amaya templates sendtemp.pl directory traversal attempt"
-  http /.*[\/\\]sendtemp\.pl/
-  tcp-state established,originator
-  payload /.*[tT][eE][mM][pP][lL]=/
-  }
-
-signature sid-1702 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI Amaya templates sendtemp.pl access"
-  http /.*[\/\\]sendtemp\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-900 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI webspirs.cgi directory traversal attempt"
-  http /.*[\/\\]webspirs\.cgi/
-  tcp-state established,originator
-  payload /.*\.\.\/\.\.\//
-  }
-
-signature sid-901 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI webspirs.cgi access"
-  http /.*[\/\\]webspirs\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-902 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI tstisapi.dll access"
-  http /.*tstisapi\.dll/
-  tcp-state established,originator
-  }
-
-signature sid-1308 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI sendmessage.cgi access"
-  http /.*[\/\\]sendmessage\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1392 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI lastlines.cgi access"
-  http /.*[\/\\]lastlines\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1395 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI zml.cgi attempt"
-  http /.*[\/\\]zml\.cgi/
-  tcp-state established,originator
-  payload /.*file=\.\.\//
-  }
-
-signature sid-1396 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI zml.cgi access"
-  http /.*[\/\\]zml\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1405 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI AHG search.cgi access"
-  http /.*[\/\\]publisher[\/\\]search\.cgi/
-  tcp-state established,originator
-  payload /.*[tT][eE][mM][pP][lL][aA][tT][eE]=/
-  }
-
-signature sid-1534 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI agora.cgi attempt"
-  http /.*[\/\\]store[\/\\]agora\.cgi\?cart_id=<SCRIPT>/
-  tcp-state established,originator
-  }
-
-signature sid-1406 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI agora.cgi access"
-  http /.*[\/\\]store[\/\\]agora\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-877 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI rksh access"
-  http /.*[\/\\]rksh/
-  tcp-state established,originator
-  }
-
-signature sid-885 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI bash access"
-  http /.*[\/\\]bash/
-  tcp-state established,originator
-  }
-
-signature sid-1648 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI perl.exe command attempt"
-  http /.*[\/\\]perl\.exe\?/
-  tcp-state established,originator
-  }
-
-signature sid-832 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI perl.exe access"
-  http /.*[\/\\]perl\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-1649 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI perl command attempt"
-  http /.*[\/\\]perl\?/
-  tcp-state established,originator
-  }
-
-signature sid-1309 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI zsh access"
-  http /.*[\/\\]zsh/
-  tcp-state established,originator
-  }
-
-signature sid-862 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI csh access"
-  http /.*[\/\\]csh/
-  tcp-state established,originator
-  }
-
-signature sid-872 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI tcsh access"
-  http /.*[\/\\]tcsh/
-  tcp-state established,originator
-  }
-
-signature sid-868 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI rsh access"
-  http /.*[\/\\]rsh/
-  tcp-state established,originator
-  }
-
-signature sid-865 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI ksh access"
-  http /.*[\/\\]ksh/
-  tcp-state established,originator
-  }
-
-signature sid-1703 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI auktion.cgi directory traversal attempt"
-  http /.*[\/\\]auktion\.cgi/
-  tcp-state established,originator
-  payload /.*[mM][eE][nN][uU][eE]=\.\.\/\.\.\//
-  }
-
-signature sid-1465 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI auktion.cgi access"
-  http /.*[\/\\]auktion\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1573 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI cgiforum.pl attempt"
-  http /.*[\/\\]cgiforum\.pl\?thesection=\.\.[\/\\]\.\./
-  tcp-state established,originator
-  }
-
-signature sid-1466 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI cgiforum.pl access"
-  http /.*[\/\\]cgiforum\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-1574 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI directorypro.cgi attempt"
-  http /.*[\/\\]directorypro\.cgi/
-  tcp-state established,originator
-  payload /.*show=.{1}.*\.\.\/\.\./
-  }
-
-signature sid-1467 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI directorypro.cgi access"
-  http /.*[\/\\]directorypro\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1468 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI Web Shopper shopper.cgi attempt"
-  http /.*[\/\\]shopper\.cgi/
-  tcp-state established,originator
-  payload /.*[nN][eE][wW][pP][aA][gG][eE]=\.\.\//
-  }
-
-signature sid-1469 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI Web Shopper shopper.cgi access"
-  http /.*[\/\\]shopper\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1470 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI listrec.pl access"
-  http /.*[\/\\]listrec\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-1471 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI mailnews.cgi access"
-  http /.*[\/\\]mailnews\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1879 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI book.cgi arbitrary command execution attempt"
-  http /.*[\/\\]book\.cgi/
-  tcp-state established,originator
-  payload /.*[cC][uU][rR][rR][eE][nN][tT]=\|/
-  }
-
-signature sid-1472 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI book.cgi access"
-  http /.*[\/\\]book\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1473 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI newsdesk.cgi access"
-  http /.*[\/\\]newsdesk\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1704 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI cal_make.pl directory traversal attempt"
-  http /.*[\/\\]cal_make\.pl/
-  tcp-state established,originator
-  payload /.*[pP]0=\.\.\/\.\.\//
-  }
-
-signature sid-1474 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI cal_make.pl access"
-  http /.*[\/\\]cal_make\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-1475 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI mailit.pl access"
-  http /.*[\/\\]mailit\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-1476 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI sdbsearch.cgi access"
-  http /.*[\/\\]sdbsearch\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1478 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI swc access"
-  http /.*[\/\\]swc/
-  tcp-state established,originator
-  }
-
-signature sid-1479 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI ttawebtop.cgi arbitrary file attempt"
-  http /.*[\/\\]ttawebtop\.cgi/
-  tcp-state established,originator
-  payload /.*[pP][gG]=\.\.\//
-  }
-
-signature sid-1480 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI ttawebtop.cgi access"
-  http /.*[\/\\]ttawebtop\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1481 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI upload.cgi access"
-  http /.*[\/\\]upload\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1482 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI view_source access"
-  http /.*[\/\\]view_source/
-  tcp-state established,originator
-  }
-
-signature sid-1730 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI ustorekeeper.pl directory traversal attempt"
-  http /.*[\/\\]ustorekeeper\.pl/
-  tcp-state established,originator
-  payload /.*[fF][iI][lL][eE]=\.\.\/\.\.\//
-  }
-
-signature sid-1483 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI ustorekeeper.pl access"
-  http /.*[\/\\]ustorekeeper\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-1606 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI icat access"
-  http /.*[\/\\]icat/
-  tcp-state established,originator
-  }
-
-signature sid-1617 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI Bugzilla doeditvotes.cgi access"
-  http /.*[\/\\]doeditvotes\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1600 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI htsearch arbitrary configuration file attempt"
-  http /.*[\/\\]htsearch\?-c/
-  tcp-state established,originator
-  }
-
-signature sid-1601 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI htsearch arbitrary file read attempt"
-  http /.*[\/\\]htsearch\?exclude=`/
-  tcp-state established,originator
-  }
-
-signature sid-1602 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI htsearch access"
-  http /.*[\/\\]htsearch/
-  tcp-state established,originator
-  }
-
-signature sid-1501 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI a1stats a1disp3.cgi directory traversal attempt"
-  http /.*[\/\\]a1disp3\.cgi\?[\/\\]\.\.[\/\\]\.\.[\/\\]/
-  tcp-state established,originator
-  }
-
-signature sid-1502 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI a1stats a1disp3.cgi access"
-  http /.*[\/\\]a1disp3\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1731 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI a1stats access"
-  http /.*[\/\\]a1stats[\/\\]/
-  tcp-state established,originator
-  }
-
-signature sid-1503 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI admentor admin.asp access"
-  http /.*[\/\\]admentor[\/\\]admin[\/\\]admin\.asp/
-  tcp-state established,originator
-  }
-
-signature sid-1505 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI alchemy http server PRN arbitrary command execution attempt"
-  http /.*[\/\\]PRN[\/\\]\.\.[\/\\]\.\.[\/\\]/
-  tcp-state established,originator
-  }
-
-signature sid-1506 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI alchemy http server NUL arbitrary command execution attempt"
-  http /.*[\/\\]NUL[\/\\]\.\.[\/\\]\.\.[\/\\]/
-  tcp-state established,originator
-  }
-
-signature sid-1507 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI alibaba.pl arbitrary command execution attempt"
-  http /.*[\/\\]alibaba\.pl\|/
-  tcp-state established,originator
-  }
-
-signature sid-1508 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI alibaba.pl access"
-  http /.*[\/\\]alibaba\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-1509 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI AltaVista Intranet Search directory traversal attempt"
-  http /.*[\/\\]query\?mss=\.\./
-  tcp-state established,originator
-  }
-
-signature sid-1510 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI test.bat arbitrary command execution attempt"
-  http /.*[\/\\]test\.bat\|/
-  tcp-state established,originator
-  }
-
-signature sid-1511 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI test.bat access"
-  http /.*[\/\\]test\.bat/
-  tcp-state established,originator
-  }
-
-signature sid-1512 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI input.bat arbitrary command execution attempt"
-  http /.*[\/\\]input\.bat\|/
-  tcp-state established,originator
-  }
-
-signature sid-1513 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI input.bat access"
-  http /.*[\/\\]input\.bat/
-  tcp-state established,originator
-  }
-
-signature sid-1514 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI input2.bat arbitrary command execution attempt"
-  http /.*[\/\\]input2\.bat\|/
-  tcp-state established,originator
-  }
-
-signature sid-1515 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI input2.bat access"
-  http /.*[\/\\]input2\.bat/
-  tcp-state established,originator
-  }
-
-signature sid-1516 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI envout.bat arbitrary command execution attempt"
-  http /.*[\/\\]envout\.bat\|/
-  tcp-state established,originator
-  }
-
-signature sid-1517 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI envout.bat access"
-  http /.*[\/\\]envout\.bat/
-  tcp-state established,originator
-  }
-
-signature sid-1705 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI echo.bat arbitrary command execution attempt"
-  http /.*[\/\\]echo\.bat/
-  tcp-state established,originator
-  payload /.*&/
-  }
-
-signature sid-1706 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI echo.bat access"
-  http /.*[\/\\]echo\.bat/
-  tcp-state established,originator
-  }
-
-signature sid-1707 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI hello.bat arbitrary command execution attempt"
-  http /.*[\/\\]hello\.bat/
-  tcp-state established,originator
-  payload /.*&/
-  }
-
-signature sid-1708 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI hello.bat access"
-  http /.*[\/\\]hello\.bat/
-  tcp-state established,originator
-  }
-
-signature sid-1650 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI tst.bat access"
-  http /.*[\/\\]tst\.bat/
-  tcp-state established,originator
-  }
-
-signature sid-1539 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI /cgi-bin/ls access"
-  http /.*[\/\\]cgi-bin[\/\\]ls/
-  tcp-state established,originator
-  }
-
-signature sid-1542 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI cgimail access"
-  http /.*[\/\\]cgimail/
-  tcp-state established,originator
-  }
-
-signature sid-1543 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI cgiwrap access"
-  http /.*[\/\\]cgiwrap/
-  tcp-state established,originator
-  }
-
-signature sid-1547 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI csSearch.cgi arbitrary command execution attempt"
-  http /.*[\/\\]csSearch\.cgi/
-  tcp-state established,originator
-  payload /.*setup=/
-  payload /.*`.{1}.*`/
-  }
-
-signature sid-1548 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI csSearch.cgi access"
-  http /.*[\/\\]csSearch\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1553 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI /cart/cart.cgi access"
-  http /.*[\/\\]cart[\/\\]cart\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1554 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI dbman db.cgi access"
-  http /.*[\/\\]dbman[\/\\]db\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1555 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI DCShop access"
-  http /.*[\/\\]dcshop/
-  tcp-state established,originator
-  }
-
-signature sid-1556 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI DCShop orders.txt access"
-  http /.*[\/\\]orders[\/\\]orders\.txt/
-  tcp-state established,originator
-  }
-
-signature sid-1557 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI DCShop auth_user_file.txt access"
-  http /.*[\/\\]auth_data[\/\\]auth_user_file\.txt/
-  tcp-state established,originator
-  }
-
-signature sid-1565 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI eshop.pl arbitrary commane execution attempt"
-  http /.*[\/\\]eshop\.pl\?seite=;/
-  tcp-state established,originator
-  }
-
-signature sid-1566 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI eshop.pl access"
-  http /.*[\/\\]eshop\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-1569 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI loadpage.cgi directory traversal attempt"
-  http /.*[\/\\]loadpage\.cgi/
-  tcp-state established,originator
-  payload /.*[fF][iI][lL][eE]=\.\.\//
-  }
-
-signature sid-1570 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI loadpage.cgi access"
-  http /.*[\/\\]loadpage\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1590 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI faqmanager.cgi arbitrary file access attempt"
-  http /.*[\/\\]faqmanager\.cgi\?toc=/
-  http /.*%00/
-  tcp-state established,originator
-  }
-
-signature sid-1591 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI faqmanager.cgi access"
-  http /.*[\/\\]faqmanager\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1592 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI /fcgi-bin/echo.exe access"
-  http /.*[\/\\]fcgi-bin[\/\\]echo\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-1628 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI FormHandler.cgi directory traversal attempt attempt"
-  http /.*[\/\\]FormHandler\.cgi/
-  tcp-state established,originator
-  payload /.*[rR][eE][pP][lL][yY]_[mM][eE][sS][sS][aA][gG][eE]_[aA][tT][tT][aA][cC][hH]=/
-  payload /.*\/\.\.\//
-  }
-
-signature sid-1593 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI FormHandler.cgi external site redirection attempt"
-  http /.*[\/\\]FormHandler\.cgi/
-  tcp-state established,originator
-  payload /.*[rR][eE][dD][iI][rR][eE][cC][tT]=[hH][tT][tT][pP]/
-  }
-
-signature sid-1594 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI FormHandler.cgi access"
-  http /.*[\/\\]FormHandler\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1597 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI guestbook.cgi access"
-  http /.*[\/\\]guestbook\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1598 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI Home Free search.cgi directory traversal attempt"
-  http /.*[\/\\]search\.cgi/
-  tcp-state established,originator
-  payload /.*[lL][eE][tT][tT][eE][rR]=\.\.\/\.\./
-  }
-
-signature sid-1599 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI search.cgi access"
-  http /.*[\/\\]search\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1651 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI enivorn.pl access"
-  http /.*[\/\\]enivron\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-1652 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI campus attempt"
-  http /.*[\/\\]campus\?%0a/
-  tcp-state established,originator
-  }
-
-signature sid-1653 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI campus access"
-  http /.*[\/\\]campus/
-  tcp-state established,originator
-  }
-
-signature sid-1654 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI cart32.exe access"
-  http /.*[\/\\]cart32\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-1655 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI pfdispaly.cgi arbitrary command execution attempt"
-  http /.*[\/\\]pfdispaly\.cgi\?'/
-  tcp-state established,originator
-  }
-
-signature sid-1656 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI pfdispaly.cgi access"
-  http /.*[\/\\]pfdispaly\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1657 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI pagelog.cgi directory traversal attempt"
-  http /.*[\/\\]pagelog\.cgi/
-  tcp-state established,originator
-  payload /.*[nN][aA][mM][eE]=\.\.\//
-  }
-
-signature sid-1658 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI pagelog.cgi access"
-  http /.*[\/\\]pagelog\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1709 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI ad.cgi access"
-  http /.*[\/\\]ad\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1710 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI bbs_forum.cgi access"
-  http /.*[\/\\]bbs_forum\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1711 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI bsguest.cgi access"
-  http /.*[\/\\]bsguest\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1712 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI bslist.cgi access"
-  http /.*[\/\\]bslist\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1713 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI cgforum.cgi access"
-  http /.*[\/\\]cgforum\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1714 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI newdesk access"
-  http /.*[\/\\]newdesk/
-  tcp-state established,originator
-  }
-
-signature sid-1715 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI register.cgi access"
-  http /.*[\/\\]register\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1716 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI gbook.cgi access"
-  http /.*[\/\\]gbook\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1717 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI simplestguest.cgi access"
-  http /.*[\/\\]simplestguest\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1718 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI statusconfig.pl access"
-  http /.*[\/\\]statusconfig\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-1719 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI talkback.cgi directory traversal attempt"
-  http /.*[\/\\]talkbalk\.cgi/
-  tcp-state established,originator
-  payload /.*[aA][rR][tT][iI][cC][lL][eE]=\.\.\/\.\.\//
-  }
-
-signature sid-1720 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI talkback.cgi access"
-  http /.*[\/\\]talkbalk\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1721 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI adcycle access"
-  http /.*[\/\\]adcycle/
-  tcp-state established,originator
-  }
-
-signature sid-1722 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI MachineInfo access"
-  http /.*[\/\\]MachineInfo/
-  tcp-state established,originator
-  }
-
-signature sid-1723 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI emumail.cgi NULL attempt"
-  http /.*[\/\\]emumail\.cgi/
-  tcp-state established,originator
-  payload /.*[tT][yY][pP][eE]=/
-  payload /.*%00/
-  }
-
-signature sid-1724 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI emumail.cgi access"
-  http /.*[\/\\]emumail\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1642 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI document.d2w access"
-  http /.*[\/\\]document\.d2w/
-  tcp-state established,originator
-  }
-
-signature sid-1643 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI db2www access"
-  http /.*[\/\\]db2www/
-  tcp-state established,originator
-  }
-
-signature sid-1668 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI /cgi-bin/ access"
-  http /.*[\/\\]cgi-bin[\/\\]/
-  tcp-state established,originator
-  payload /.*\/[cC][gG][iI]-[bB][iI][nN]\/ [hH][tT][tT][pP]/
-  }
-
-signature sid-1669 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI /cgi-dos/ access"
-  http /.*[\/\\]cgi-dos[\/\\]/
-  tcp-state established,originator
-  payload /.*\/[cC][gG][iI]-[dD][oO][sS]\/ [hH][tT][tT][pP]/
-  }
-
-signature sid-1051 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI technote main.cgi file directory traversal attempt"
-  http /.*[\/\\]technote[\/\\]main\.cgi/
-  tcp-state established,originator
-  payload /.*[fF][iI][lL][eE][nN][aA][mM][eE]=/
-  payload /.*\.\.\/\.\.\//
-  }
-
-signature sid-1052 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI technote print.cgi directory traversal attempt"
-  http /.*[\/\\]technote[\/\\]print\.cgi/
-  tcp-state established,originator
-  payload /.*[bB][oO][aA][rR][dD]=/
-  payload /.*\.\.\/\.\.\//
-  payload /.*%00/
-  }
-
-signature sid-1053 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI ads.cgi command execution attempt"
-  http /.*[\/\\]ads\.cgi/
-  tcp-state established,originator
-  payload /.*[fF][iI][lL][eE]=/
-  payload /.*\.\.\/\.\.\//
-  payload /.*\|/
-  }
-
-signature sid-1088 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI eXtropia webstore directory traversal"
-  http /.*[\/\\]web_store\.cgi/
-  tcp-state established,originator
-  payload /.*page=\.\.\//
-  }
-
-signature sid-1611 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI eXtropia webstore access"
-  http /.*[\/\\]web_store\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1089 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI shopping cart directory traversal"
-  http /.*[\/\\]shop\.cgi/
-  tcp-state established,originator
-  payload /.*page=\.\.\//
-  }
-
-signature sid-1090 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI Allaire Pro Web Shell attempt"
-  http /.*[\/\\]authenticate\.cgi\?PASSWORD/
-  tcp-state established,originator
-  payload /.*config\.ini/
-  }
-
-signature sid-1092 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI Armada Style Master Index directory traversal"
-  http /.*[\/\\]search\.cgi\?keys/
-  tcp-state established,originator
-  payload /.*catigory=\.\.\//
-  }
-
-signature sid-1093 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI cached_feed.cgi moreover shopping cart directory traversal"
-  http /.*[\/\\]cached_feed\.cgi/
-  tcp-state established,originator
-  payload /.*\.\.\//
-  }
-
-signature sid-2051 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI cached_feed.cgi moreover shopping cart access"
-  http /.*[\/\\]cached_feed\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1097 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI Talentsoft Web+ exploit attempt"
-  http /.*[\/\\]webplus\.cgi\?Script=[\/\\]webplus[\/\\]webping[\/\\]webping\.wml/
-  tcp-state established,originator
-  }
-
-signature sid-1106 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI Poll-it access"
-  http /.*[\/\\]pollit[\/\\]Poll_It_SSI_v2\.0\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1149 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI count.cgi access"
-  http /.*[\/\\]count\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1865 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI webdist.cgi arbitrary command attempt"
-  http /.*[\/\\]webdist\.cgi/
-  tcp-state established,originator
-  payload /.*[dD][iI][sS][tT][lL][oO][cC]=;/
-  }
-
-signature sid-1163 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI webdist.cgi access"
-  http /.*[\/\\]webdist\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1172 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI bigconf.cgi access"
-  http /.*[\/\\]bigconf\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1174 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI /cgi-bin/jj access"
-  http /.*[\/\\]cgi-bin[\/\\]jj/
-  tcp-state established,originator
-  }
-
-signature sid-1185 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI bizdbsearch attempt"
-  http /.*[\/\\]bizdb1-search\.cgi/
-  tcp-state established,originator
-  payload /.*[mM][aA][iI][lL]/
-  }
-
-signature sid-1535 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI bizdbsearch access"
-  http /.*[\/\\]bizdb1-search\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1194 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI sojourn.cgi File attempt"
-  http /.*[\/\\]sojourn\.cgi\?cat=/
-  tcp-state established,originator
-  payload /.*%00/
-  }
-
-signature sid-1195 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI sojourn.cgi access"
-  http /.*[\/\\]sojourn\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1196 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI SGI InfoSearch fname attempt"
-  http /.*[\/\\]infosrch\.cgi\?/
-  tcp-state established,originator
-  payload /.*[fF][nN][aA][mM][eE]=/
-  }
-
-signature sid-1727 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI SGI InfoSearch fname access"
-  http /.*[\/\\]infosrch\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1204 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI ax-admin.cgi access"
-  http /.*[\/\\]ax-admin\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1205 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI axs.cgi access"
-  http /.*[\/\\]axs\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1206 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI cachemgr.cgi access"
-  http /.*[\/\\]cachemgr\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1208 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI responder.cgi access"
-  http /.*[\/\\]responder\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1211 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI web-map.cgi access"
-  http /.*[\/\\]web-map\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1215 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI ministats admin access"
-  http /.*[\/\\]ministats[\/\\]admin\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1219 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI dfire.cgi access"
-  http /.*[\/\\]dfire\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1305 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI txt2html.cgi directory traversal attempt"
-  http /.*[\/\\]txt2html\.cgi/
-  tcp-state established,originator
-  payload /.*\/\.\.\/\.\.\/\.\.\/\.\.\//
-  }
-
-signature sid-1304 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI txt2html.cgi access"
-  http /.*[\/\\]txt2html\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1488 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI store.cgi directory traversal attempt"
-  http /.*[\/\\]store\.cgi/
-  tcp-state established,originator
-  payload /.*\.\.\//
-  }
-
-signature sid-1307 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI store.cgi access"
-  http /.*[\/\\]store\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1494 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI SIX webboard generate.cgi attempt"
-  http /.*[\/\\]generate\.cgi/
-  tcp-state established,originator
-  payload /.*content=\.\.\//
-  }
-
-signature sid-1495 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI SIX webboard generate.cgi access"
-  http /.*[\/\\]generate\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1496 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI spin_client.cgi access"
-  http /.*[\/\\]spin_client\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1787 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI csPassword.cgi access"
-  http /.*[\/\\]csPassword\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1788 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI csPassword password.cgi.tmp access"
-  http /.*[\/\\]password\.cgi\.tmp/
-  tcp-state established,originator
-  }
-
-signature sid-1763 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI Nortel Contivity cgiproc DOS attempt"
-  http /.*[\/\\]cgiproc\?Nocfile=/
-  tcp-state established,originator
-  }
-
-signature sid-1764 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI Nortel Contivity cgiproc DOS attempt"
-  http /.*[\/\\]cgiproc\?\$/
-  tcp-state established,originator
-  }
-
-signature sid-1765 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI Nortel Contivity cgiproc access"
-  http /.*[\/\\]cgiproc/
-  tcp-state established,originator
-  }
-
-signature sid-1805 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI Oracle reports CGI access"
-  http /.*[\/\\]rwcgi60/
-  tcp-state established,originator
-  payload /.*setauth=/
-  }
-
-signature sid-1822 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI alienform.cgi directory traversal attempt"
-  http /.*[\/\\]alienform\.cgi/
-  tcp-state established,originator
-  payload /.*\.\|\.\/\.\|\./
-  }
-
-signature sid-1823 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI AlienForm af.cgi directory traversal attempt"
-  http /.*[\/\\]af\.cgi/
-  tcp-state established,originator
-  payload /.*\.\|\.\/\.\|\./
-  }
-
-signature sid-1824 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI alienform.cgi access"
-  http /.*[\/\\]alienform\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1825 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI AlienForm af.cgi access"
-  http /.*[\/\\]af\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1868 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 8080
-  event "WEB-CGI story.pl arbitrary file read attempt"
-  http /.*[\/\\]story\.pl/
-  tcp-state established,originator
-  payload /.*next=\.\.\//
-  }
-
-signature sid-1869 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 8080
-  event "WEB-CGI story.pl access"
-  http /.*[\/\\]story\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-1870 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI siteUserMod.cgi access"
-  http /.*[\/\\]\.cobalt[\/\\]siteUserMod[\/\\]siteUserMod\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1875 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI cgicso access"
-  http /.*[\/\\]cgicso/
-  tcp-state established,originator
-  }
-
-signature sid-1876 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI nph-publish.cgi access"
-  http /.*[\/\\]nph-publish\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1877 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI printenv access"
-  http /.*[\/\\]printenv/
-  tcp-state established,originator
-  }
-
-signature sid-1878 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI sdbsearch.cgi access"
-  http /.*[\/\\]sdbsearch\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1931 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI rpc-nlog.pl access"
-  http /.*[\/\\]rpc-nlog\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-1932 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI rpc-smb.pl access"
-  http /.*[\/\\]rpc-smb\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-1933 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI cart.cgi access"
-  http /.*[\/\\]cart\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1994 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI vpasswd.cgi access"
-  http /.*[\/\\]vpasswd\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1995 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI alya.cgi access"
-  http /.*[\/\\]alya\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1996 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI viralator.cgi access"
-  http /.*[\/\\]viralator\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-2001 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI smartsearch.cgi access"
-  http /.*[\/\\]smartsearch\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1862 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI mrtg.cgi directory traversal attempt"
-  http /.*[\/\\]mrtg\.cgi/
-  tcp-state established,originator
-  payload /.*cfg=\/\.\.\//
-  }
-
-signature sid-2052 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI overflow.cgi access"
-  http /.*[\/\\]overflow\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1850 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI way-board.cgi access"
-  http /.*[\/\\]way-board\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-2053 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI process_bug.cgi access"
-  http /.*[\/\\]process_bug\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-2054 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI enter_bug.cgi arbitrary command attempt"
-  http /.*[\/\\]enter_bug\.cgi/
-  tcp-state established,originator
-  payload /.*[wW][hH][oO]=.*.{0}.*;/
-  }
-
-signature sid-2055 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI enter_bug.cgi access"
-  http /.*[\/\\]enter_bug\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-2085 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI parse_xml.cgi access"
-  http /.*[\/\\]parse_xml\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-2086 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == 1220
-  event "WEB-CGI streaming server parse_xml.cgi access"
-  tcp-state established,originator
-  payload /.*\/[pP][aA][rR][sS][eE]_[xX][mM][lL]\.[cC][gG][iI]/
-  }
-
-signature sid-2115 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI album.pl access"
-  tcp-state established,originator
-  payload /.*\/[aA][lL][bB][uU][mM]\.[pP][lL]/
-  }
-
-signature sid-2116 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI chipcfg.cgi access"
-  http /.*[\/\\]chipcfg\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-2127 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI ikonboard.cgi access"
-  http /.*[\/\\]ikonboard\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-2128 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI swsrv.cgi access"
-  http /.*[\/\\]srsrv\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1233 {
-  ip-proto == tcp
-  src-ip == local_nets
-  dst-ip != local_nets
-  dst-port == http_ports
-  event "WEB-CLIENT Outlook EML access"
-  http /.*\.eml/
-  tcp-state established,originator
-  }
-
-signature sid-1735 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  src-port == http_ports
-  event "WEB-CLIENT XMLHttpRequest attempt"
-  tcp-state established,responder
-  payload /.*new XMLHttpRequest\(/
-  payload /.*[fF][iI][lL][eE]:\/\//
-  }
-
-signature sid-1284 {
-  ip-proto == tcp
-  src-ip == local_nets
-  dst-ip != local_nets
-  dst-port == http_ports
-  event "WEB-CLIENT readme.eml download attempt"
-  http /.*[\/\\]readme\.eml/
-  tcp-state established,originator
-  }
-
-signature sid-1290 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  src-port == http_ports
-  event "WEB-CLIENT readme.eml autoload attempt"
-  tcp-state established,responder
-  payload /.*[wW][iI][nN][dD][oO][wW]\.[oO][pP][eE][nN]\(\"[rR][eE][aA][dD][mM][eE]\.[eE][mM][lL]\"/
-  }
-
-signature sid-1840 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  src-port == http_ports
-  event "WEB-CLIENT Javascript document.domain attempt"
-  tcp-state established,responder
-  payload /.*[dD][oO][cC][uU][mM][eE][nN][tT]\.[dD][oO][mM][aA][iI][nN]\(/
-  }
-
-signature sid-1841 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  src-port == http_ports
-  event "WEB-CLIENT Javascript URL host spoofing attempt"
-  tcp-state established,responder
-  payload /.*[jJ][aA][vV][aA][sS][cC][rR][iI][pP][tT]:\/\//
-  }
-
-signature sid-903 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-COLDFUSION cfcache.map access"
-  http /.*[\/\\]cfcache\.map/
-  tcp-state established,originator
-  }
-
-signature sid-904 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-COLDFUSION exampleapp application.cfm"
-  http /.*[\/\\]cfdocs[\/\\]exampleapp[\/\\]email[\/\\]application\.cfm/
-  tcp-state established,originator
-  }
-
-signature sid-905 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-COLDFUSION application.cfm access"
-  http /.*[\/\\]cfdocs[\/\\]exampleapp[\/\\]publish[\/\\]admin[\/\\]application\.cfm/
-  tcp-state established,originator
-  }
-
-signature sid-906 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-COLDFUSION getfile.cfm access"
-  http /.*[\/\\]cfdocs[\/\\]exampleapp[\/\\]email[\/\\]getfile\.cfm/
-  tcp-state established,originator
-  }
-
-signature sid-907 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-COLDFUSION addcontent.cfm access"
-  http /.*[\/\\]cfdocs[\/\\]exampleapp[\/\\]publish[\/\\]admin[\/\\]addcontent\.cfm/
-  tcp-state established,originator
-  }
-
-signature sid-908 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-COLDFUSION administrator access"
-  http /.*[\/\\]cfide[\/\\]administrator[\/\\]index\.cfm/
-  tcp-state established,originator
-  }
-
-signature sid-909 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-COLDFUSION datasource username attempt"
-  tcp-state established,originator
-  payload /.*[cC][fF]_[sS][eE][tT][dD][aA][tT][aA][sS][oO][uU][rR][cC][eE][uU][sS][eE][rR][nN][aA][mM][eE]\(\)/
-  }
-
-signature sid-910 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-COLDFUSION fileexists.cfm access"
-  http /.*[\/\\]cfdocs[\/\\]snippets[\/\\]fileexists\.cfm/
-  tcp-state established,originator
-  }
-
-signature sid-911 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-COLDFUSION exprcalc access"
-  http /.*[\/\\]cfdocs[\/\\]expeval[\/\\]exprcalc\.cfm/
-  tcp-state established,originator
-  }
-
-signature sid-912 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-COLDFUSION parks access"
-  http /.*[\/\\]cfdocs[\/\\]examples[\/\\]parks[\/\\]detail\.cfm/
-  tcp-state established,originator
-  }
-
-signature sid-913 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-COLDFUSION cfappman access"
-  http /.*[\/\\]cfappman[\/\\]index\.cfm/
-  tcp-state established,originator
-  }
-
-signature sid-914 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-COLDFUSION beaninfo access"
-  http /.*[\/\\]cfdocs[\/\\]examples[\/\\]cvbeans[\/\\]beaninfo\.cfm/
-  tcp-state established,originator
-  }
-
-signature sid-915 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-COLDFUSION evaluate.cfm access"
-  http /.*[\/\\]cfdocs[\/\\]snippets[\/\\]evaluate\.cfm/
-  tcp-state established,originator
-  }
-
-signature sid-916 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-COLDFUSION getodbcdsn access"
-  tcp-state established,originator
-  payload /.*[cC][fF][uU][sS][iI][oO][nN]_[gG][eE][tT][oO][dD][bB][cC][dD][sS][nN]\(\)/
-  }
-
-signature sid-917 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-COLDFUSION db connections flush attempt"
-  tcp-state established,originator
-  payload /.*[cC][fF][uU][sS][iI][oO][nN]_[dD][bB][cC][oO][nN][nN][eE][cC][tT][iI][oO][nN][sS]_[fF][lL][uU][sS][hH]\(\)/
-  }
-
-signature sid-918 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-COLDFUSION expeval access"
-  http /.*[\/\\]cfdocs[\/\\]expeval[\/\\]/
-  tcp-state established,originator
-  }
-
-signature sid-919 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-COLDFUSION datasource passwordattempt"
-  tcp-state established,originator
-  payload /.*[cC][fF]_[sS][eE][tT][dD][aA][tT][aA][sS][oO][uU][rR][cC][eE][pP][aA][sS][sS][wW][oO][rR][dD]\(\)/
-  }
-
-signature sid-920 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-COLDFUSION datasource attempt"
-  tcp-state established,originator
-  payload /.*[cC][fF]_[iI][sS][cC][oO][lL][dD][fF][uU][sS][iI][oO][nN][dD][aA][tT][aA][sS][oO][uU][rR][cC][eE]\(\)/
-  }
-
-signature sid-921 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-COLDFUSION admin encrypt attempt"
-  tcp-state established,originator
-  payload /.*[cC][fF][uU][sS][iI][oO][nN]_[eE][nN][cC][rR][yY][pP][tT]\(\)/
-  }
-
-signature sid-922 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-COLDFUSION displayfile access"
-  http /.*[\/\\]cfdocs[\/\\]expeval[\/\\]displayopenedfile\.cfm/
-  tcp-state established,originator
-  }
-
-signature sid-923 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-COLDFUSION getodbcin attempt"
-  tcp-state established,originator
-  payload /.*[cC][fF][uU][sS][iI][oO][nN]_[gG][eE][tT][oO][dD][bB][cC][iI][nN][iI]\(\)/
-  }
-
-signature sid-924 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-COLDFUSION admin decrypt attempt"
-  tcp-state established,originator
-  payload /.*[cC][fF][uU][sS][iI][oO][nN]_[dD][eE][cC][rR][yY][pP][tT]\(\)/
-  }
-
-signature sid-925 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-COLDFUSION mainframeset access"
-  http /.*[\/\\]cfdocs[\/\\]examples[\/\\]mainframeset\.cfm/
-  tcp-state established,originator
-  }
-
-signature sid-926 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-COLDFUSION set odbc ini attempt"
-  tcp-state established,originator
-  payload /.*[cC][fF][uU][sS][iI][oO][nN]_[sS][eE][tT][oO][dD][bB][cC][iI][nN][iI]\(\)/
-  }
-
-signature sid-927 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-COLDFUSION settings refresh attempt"
-  tcp-state established,originator
-  payload /.*[cC][fF][uU][sS][iI][oO][nN]_[sS][eE][tT][tT][iI][nN][gG][sS]_[rR][eE][fF][rR][eE][sS][hH]\(\)/
-  }
-
-signature sid-928 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-COLDFUSION exampleapp access"
-  http /.*[\/\\]cfdocs[\/\\]exampleapp[\/\\]/
-  tcp-state established,originator
-  }
-
-signature sid-929 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-COLDFUSION CFUSION_VERIFYMAIL access"
-  tcp-state established,originator
-  payload /.*[cC][fF][uU][sS][iI][oO][nN]_[vV][eE][rR][iI][fF][yY][mM][aA][iI][lL]\(\)/
-  }
-
-signature sid-930 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-COLDFUSION snippets attempt"
-  http /.*[\/\\]cfdocs[\/\\]snippets[\/\\]/
-  tcp-state established,originator
-  }
-
-signature sid-931 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-COLDFUSION cfmlsyntaxcheck.cfm access"
-  http /.*[\/\\]cfdocs[\/\\]cfmlsyntaxcheck\.cfm/
-  tcp-state established,originator
-  }
-
-signature sid-932 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-COLDFUSION application.cfm access"
-  http /.*[\/\\]application\.cfm/
-  tcp-state established,originator
-  }
-
-signature sid-933 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-COLDFUSION onrequestend.cfm access"
-  http /.*[\/\\]onrequestend\.cfm/
-  tcp-state established,originator
-  }
-
-signature sid-935 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-COLDFUSION startstop DOS access"
-  http /.*[\/\\]cfide[\/\\]administrator[\/\\]startstop\.html/
-  tcp-state established,originator
-  }
-
-signature sid-936 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-COLDFUSION gettempdirectory.cfm access "
-  http /.*[\/\\]cfdocs[\/\\]snippets[\/\\]gettempdirectory\.cfm/
-  tcp-state established,originator
-  }
-
-signature sid-1659 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-COLDFUSION sendmail.cfm access"
-  http /.*[\/\\]sendmail\.cfm/
-  tcp-state established,originator
-  }
-
-signature sid-1540 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-COLDFUSION ?Mode=debug attempt"
-  http /.*Mode=debug/
-  tcp-state established,originator
-  }
-
-signature sid-1248 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-FRONTPAGE rad fp30reg.dll access"
-  http /.*[\/\\]fp30reg\.dll/
-  tcp-state established,originator
-  }
-
-signature sid-1249 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-FRONTPAGE frontpage rad fp4areg.dll access"
-  http /.*[\/\\]fp4areg\.dll/
-  tcp-state established,originator
-  }
-
-signature sid-937 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-FRONTPAGE _vti_rpc access"
-  http /.*[\/\\]_vti_rpc/
-  tcp-state established,originator
-  }
-
-signature sid-939 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-FRONTPAGE posting"
-  http /.*[\/\\]author\.dll/
-  tcp-state established,originator
-  payload /.*[pP][oO][sS][tT]/
-  }
-
-signature sid-940 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-FRONTPAGE shtml.dll access"
-  http /.*[\/\\]_vti_bin[\/\\]shtml\.dll/
-  tcp-state established,originator
-  }
-
-signature sid-941 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-FRONTPAGE contents.htm access"
-  http /.*[\/\\]admcgi[\/\\]contents\.htm/
-  tcp-state established,originator
-  }
-
-signature sid-942 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-FRONTPAGE orders.htm access"
-  http /.*[\/\\]_private[\/\\]orders\.htm/
-  tcp-state established,originator
-  }
-
-signature sid-943 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-FRONTPAGE fpsrvadm.exe access"
-  http /.*[\/\\]fpsrvadm\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-944 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-FRONTPAGE fpremadm.exe access"
-  http /.*[\/\\]fpremadm\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-945 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-FRONTPAGE fpadmin.htm access"
-  http /.*[\/\\]admisapi[\/\\]fpadmin\.htm/
-  tcp-state established,originator
-  }
-
-signature sid-946 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-FRONTPAGE fpadmcgi.exe access"
-  http /.*[\/\\]scripts[\/\\]Fpadmcgi\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-947 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-FRONTPAGE orders.txt access"
-  http /.*[\/\\]_private[\/\\]orders\.txt/
-  tcp-state established,originator
-  }
-
-signature sid-948 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-FRONTPAGE form_results access"
-  http /.*[\/\\]_private[\/\\]form_results\.txt/
-  tcp-state established,originator
-  }
-
-signature sid-949 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-FRONTPAGE registrations.htm access"
-  http /.*[\/\\]_private[\/\\]registrations\.htm/
-  tcp-state established,originator
-  }
-
-signature sid-950 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-FRONTPAGE cfgwiz.exe access"
-  http /.*[\/\\]cfgwiz\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-951 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-FRONTPAGE authors.pwd access"
-  http /.*[\/\\]authors\.pwd/
-  tcp-state established,originator
-  }
-
-signature sid-952 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-FRONTPAGE author.exe access"
-  http /.*[\/\\]_vti_bin[\/\\]_vti_aut[\/\\]author\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-953 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-FRONTPAGE administrators.pwd access"
-  http /.*[\/\\]administrators\.pwd/
-  tcp-state established,originator
-  }
-
-signature sid-954 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-FRONTPAGE form_results.htm access"
-  http /.*[\/\\]_private[\/\\]form_results\.htm/
-  tcp-state established,originator
-  }
-
-signature sid-955 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-FRONTPAGE access.cnf access"
-  http /.*[\/\\]_vti_pvt[\/\\]access\.cnf/
-  tcp-state established,originator
-  }
-
-signature sid-956 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-FRONTPAGE register.txt access"
-  http /.*[\/\\]_private[\/\\]register\.txt/
-  tcp-state established,originator
-  }
-
-signature sid-957 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-FRONTPAGE registrations.txt access"
-  http /.*[\/\\]_private[\/\\]registrations\.txt/
-  tcp-state established,originator
-  }
-
-signature sid-958 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-FRONTPAGE service.cnf access"
-  http /.*[\/\\]_vti_pvt[\/\\]service\.cnf/
-  tcp-state established,originator
-  }
-
-signature sid-959 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-FRONTPAGE service.pwd"
-  http /.*[\/\\]service\.pwd/
-  tcp-state established,originator
-  }
-
-signature sid-960 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-FRONTPAGE service.stp access"
-  http /.*[\/\\]_vti_pvt[\/\\]service\.stp/
-  tcp-state established,originator
-  }
-
-signature sid-961 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-FRONTPAGE services.cnf access"
-  http /.*[\/\\]_vti_pvt[\/\\]services\.cnf/
-  tcp-state established,originator
-  }
-
-signature sid-962 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-FRONTPAGE shtml.exe access"
-  http /.*[\/\\]_vti_bin[\/\\]shtml\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-963 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-FRONTPAGE svcacl.cnf access"
-  http /.*[\/\\]_vti_pvt[\/\\]svcacl\.cnf/
-  tcp-state established,originator
-  }
-
-signature sid-964 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-FRONTPAGE users.pwd access"
-  http /.*[\/\\]users\.pwd/
-  tcp-state established,originator
-  }
-
-signature sid-965 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-FRONTPAGE writeto.cnf access"
-  http /.*[\/\\]_vti_pvt[\/\\]writeto\.cnf/
-  tcp-state established,originator
-  }
-
-signature sid-966 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-FRONTPAGE fourdots request"
-  tcp-state established,originator
-  payload /.*\x2e\x2e\x2e\x2e\x2f/
-  }
-
-signature sid-967 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-FRONTPAGE dvwssr.dll access"
-  http /.*[\/\\]dvwssr\.dll/
-  tcp-state established,originator
-  }
-
-signature sid-968 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-FRONTPAGE register.htm access"
-  http /.*[\/\\]_private[\/\\]register\.htm/
-  tcp-state established,originator
-  }
-
-signature sid-1288 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-FRONTPAGE /_vti_bin/ access"
-  http /.*[\/\\]_vti_bin[\/\\]/
-  tcp-state established,originator
-  }
-
-signature sid-1970 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == http_ports
-  event "WEB-IIS MDAC Content-Type overflow attempt"
-  http /.*[\/\\]msadcs\.dll/
-  tcp-state established,originator
-  payload /.*Content-Type:[^\x0A]{50}/
-  }
-
-signature sid-1076 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS repost.asp access"
-  http /.*[\/\\]scripts[\/\\]repost\.asp/
-  tcp-state established,originator
-  }
-
-signature sid-1806 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS .htr Transfer-Encoding: chunked"
-  http /.*\.htr/
-  tcp-state established,originator
-  payload /.*[tT][rR][aA][nN][sS][fF][eE][rR]-[eE][nN][cC][oO][dD][iI][nN][gG]:/
-  payload /.*[cC][hH][uU][nN][kK][eE][dD]/
-  }
-
-signature sid-1618 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS .asp Transfer-Encoding: chunked"
-  http /.*\.asp/
-  tcp-state established,originator
-  payload /.*[tT][rR][aA][nN][sS][fF][eE][rR]-[eE][nN][cC][oO][dD][iI][nN][gG]:/
-  payload /.*[cC][hH][uU][nN][kK][eE][dD]/
-  }
-
-signature sid-1626 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS /StoreCSVS/InstantOrder.asmx request"
-  http /.*[\/\\]StoreCSVS[\/\\]InstantOrder\.asmx/
-  tcp-state established,originator
-  }
-
-signature sid-1750 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS users.xml access"
-  http /.*[\/\\]users\.xml/
-  tcp-state established,originator
-  }
-
-signature sid-1753 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS as_web.exe access"
-  http /.*[\/\\]as_web\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-1754 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS as_web4.exe access"
-  http /.*[\/\\]as_web4\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-1756 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS NewsPro administration authentication attempt"
-  tcp-state established,originator
-  payload /.*logged,true/
-  }
-
-signature sid-1772 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS pbserver access"
-  http /.*[\/\\]pbserver[\/\\]pbserver\.dll/
-  tcp-state established,originator
-  }
-
-signature sid-1660 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS trace.axd access"
-  http /.*[\/\\]trace\.axd/
-  tcp-state established,originator
-  }
-
-signature sid-1484 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS /isapi/tstisapi.dll access"
-  http /.*[\/\\]isapi[\/\\]tstisapi\.dll/
-  tcp-state established,originator
-  }
-
-signature sid-1485 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS mkilog.exe access"
-  http /.*[\/\\]mkilog\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-1486 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS ctss.idc access"
-  http /.*[\/\\]ctss\.idc/
-  tcp-state established,originator
-  }
-
-signature sid-1487 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS /iisadmpwd/aexp2.htr access"
-  http /.*[\/\\]iisadmpwd[\/\\]aexp2\.htr/
-  tcp-state established,originator
-  }
-
-signature sid-969 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS WebDAV file lock attempt"
-  tcp-state established,originator
-  payload /LOCK /
-  }
-
-signature sid-971 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS ISAPI .printer access"
-  http /.*\.printer/
-  tcp-state established,originator
-  }
-
-signature sid-1243 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS ISAPI .ida attempt"
-  http /.*\.ida\?/
-  tcp-state established,originator
-  }
-
-signature sid-1242 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS ISAPI .ida access"
-  http /.*\.ida/
-  tcp-state established,originator
-  }
-
-signature sid-1244 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS ISAPI .idq attempt"
-  http /.*\.idq\?/
-  tcp-state established,originator
-  }
-
-signature sid-1245 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS ISAPI .idq access"
-  http /.*\.idq/
-  tcp-state established,originator
-  }
-
-signature sid-972 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS %2E-asp access"
-  http /.*%2e\.asp/
-  tcp-state established,originator
-  }
-
-signature sid-973 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS *.idc attempt"
-  http /.*[\/\\]\*\.idc/
-  tcp-state established,originator
-  }
-
-signature sid-974 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS .... access"
-  tcp-state established,originator
-  payload /.*\x2e\x2e\x5c\x2e\x2e/
-  }
-
-signature sid-975 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS .asp::$DATA access"
-  http /.*\.asp\x3a\x3a\$DATA/
-  tcp-state established,originator
-  }
-
-signature sid-976 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS .bat? access"
-  http /.*\.bat\?/
-  tcp-state established,originator
-  }
-
-signature sid-977 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS .cnf access"
-  http /.*\.cnf/
-  tcp-state established,originator
-  }
-
-signature sid-978 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS ASP contents view"
-  tcp-state established,originator
-  payload /.*%20/
-  payload /.*&[cC][iI][rR][eE][sS][tT][rR][iI][cC][tT][iI][oO][nN]=[nN][oO][nN][eE]/
-  payload /.*&[cC][iI][hH][iI][lL][iI][tT][eE][tT][yY][pP][eE]=[fF][uU][lL][lL]/
-  }
-
-signature sid-979 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS ASP contents view"
-  http /.*\.htw\?CiWebHitsFile/
-  tcp-state established,originator
-  }
-
-signature sid-980 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS CGImail.exe access"
-  http /.*[\/\\]scripts[\/\\]CGImail\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-981 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS unicode directory traversal attempt"
-  tcp-state established,originator
-  payload /.*\/\.\.%[cC]0%[aA][fF]\.\.\//
-  }
-
-signature sid-982 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS unicode directory traversal attempt"
-  tcp-state established,originator
-  payload /.*\/\.\.%[cC]1%1[cC]\.\.\//
-  }
-
-signature sid-983 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS unicode directory traversal attempt"
-  tcp-state established,originator
-  payload /.*\/\.\.%[cC]1%9[cC]\.\.\//
-  }
-
-signature sid-1945 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS unicode directory traversal attempt"
-  tcp-state established,originator
-  payload /.*\/\.\.%255[cC]\.\./
-  }
-
-signature sid-986 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS MSProxy access"
-  http /.*[\/\\]scripts[\/\\]proxy[\/\\]w3proxy\.dll/
-  tcp-state established,originator
-  }
-
-signature sid-1725 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS +.htr code fragment attempt"
-  http /.*\+\.htr/
-  tcp-state established,originator
-  }
-
-signature sid-987 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS .htr access"
-  http /.*\.htr/
-  tcp-state established,originator
-  }
-
-signature sid-988 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS SAM Attempt"
-  tcp-state established,originator
-  payload /.*[sS][aA][mM]\._/
-  }
-
-signature sid-989 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS Unicode2.pl script (File permission canonicalization)"
-  http /.*[\/\\]sensepost\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-990 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS _vti_inf access"
-  http /.*_vti_inf\.html/
-  tcp-state established,originator
-  }
-
-signature sid-991 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS achg.htr access"
-  http /.*[\/\\]iisadmpwd[\/\\]achg\.htr/
-  tcp-state established,originator
-  }
-
-signature sid-994 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS /scripts/iisadmin/default.htm access"
-  http /.*[\/\\]scripts[\/\\]iisadmin[\/\\]default\.htm/
-  tcp-state established,originator
-  }
-
-signature sid-995 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS ism.dll access"
-  http /.*[\/\\]scripts[\/\\]iisadmin[\/\\]ism\.dll\?http[\/\\]dir/
-  tcp-state established,originator
-  }
-
-signature sid-996 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS anot.htr access"
-  http /.*[\/\\]iisadmpwd[\/\\]anot/
-  tcp-state established,originator
-  }
-
-signature sid-997 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS asp-dot attempt"
-  http /.*\.asp\./
-  tcp-state established,originator
-  }
-
-signature sid-998 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS asp-srch attempt"
-  http /.*#filename=\*\.asp/
-  tcp-state established,originator
-  }
-
-signature sid-1000 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS bdir.htr access"
-  http /.*[\/\\]bdir\.htr/
-  tcp-state established,originator
-  }
-
-signature sid-1661 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS cmd32.exe access"
-  tcp-state established,originator
-  payload /.*[cC][mM][dD]32\.[eE][xX][eE]/
-  }
-
-signature sid-1002 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS cmd.exe access"
-  tcp-state established,originator
-  payload /.*[cC][mM][dD]\.[eE][xX][eE]/
-  }
-
-signature sid-1003 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS cmd? access"
-  tcp-state established,originator
-  payload /.*\.[cC][mM][dD]\?&/
-  }
-
-signature sid-1007 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS cross-site scripting attempt"
-  http /.*[\/\\]Form_JScript\.asp/
-  tcp-state established,originator
-  }
-
-signature sid-1380 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS cross-site scripting attempt"
-  http /.*[\/\\]Form_VBScript\.asp/
-  tcp-state established,originator
-  }
-
-signature sid-1008 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS del attempt"
-  tcp-state established,originator
-  payload /.*&[dD][eE][lL]\+\/[sS]\+[cC]\x3a\\\*\.\*/
-  }
-
-signature sid-1009 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS directory listing"
-  http /.*[\/\\]ServerVariables_Jscript\.asp/
-  tcp-state established,originator
-  }
-
-signature sid-1010 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS encoding access"
-  tcp-state established,originator
-  payload /.*\x25\x31\x75/
-  }
-
-signature sid-1011 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS exec-src access"
-  tcp-state established,originator
-  payload /.*#[fF][iI][lL][eE][nN][aA][mM][eE]=\*\.[eE][xX][eE]/
-  }
-
-signature sid-1012 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS fpcount attempt"
-  http /.*[\/\\]fpcount\.exe/
-  tcp-state established,originator
-  payload /.*[dD][iI][gG][iI][tT][sS]=/
-  }
-
-signature sid-1013 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS fpcount access"
-  http /.*[\/\\]fpcount\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-1015 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS getdrvs.exe access"
-  http /.*[\/\\]scripts[\/\\]tools[\/\\]getdrvs\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-1016 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS global.asa access"
-  http /.*[\/\\]global\.asa/
-  tcp-state established,originator
-  }
-
-signature sid-1017 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS idc-srch attempt"
-  tcp-state established,originator
-  payload /.*#[fF][iI][lL][eE][nN][aA][mM][eE]=\*\.[iI][dD][cC]/
-  }
-
-signature sid-1018 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS iisadmpwd attempt"
-  http /.*[\/\\]iisadmpwd[\/\\]aexp/
-  tcp-state established,originator
-  }
-
-signature sid-1019 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS index server file source code attempt"
-  http /.*\?CiWebHitsFile=[\/\\]/
-  tcp-state established,originator
-  payload /.*&CiRestriction=none&CiHiliteType=Full/
-  }
-
-signature sid-1020 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS isc$data attempt"
-  http /.*\.idc\x3a\x3a\$data/
-  tcp-state established,originator
-  }
-
-signature sid-1021 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS ism.dll attempt"
-  http /.*%20%20%20%20%20\.htr/
-  tcp-state established,originator
-  }
-
-signature sid-1022 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS jet vba access"
-  http /.*[\/\\]advworks[\/\\]equipment[\/\\]catalog_type\.asp/
-  tcp-state established,originator
-  }
-
-signature sid-1023 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS msadcs.dll access"
-  http /.*[\/\\]msadcs\.dll/
-  tcp-state established,originator
-  }
-
-signature sid-1024 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS newdsn.exe access"
-  http /.*[\/\\]scripts[\/\\]tools[\/\\]newdsn\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-1025 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS perl access"
-  http /.*[\/\\]scripts[\/\\]perl/
-  tcp-state established,originator
-  }
-
-signature sid-1026 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS perl-browse0a attempt"
-  http /.*%0a\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-1027 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS perl-browse20 attempt"
-  http /.*%20\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-1029 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS scripts-browse access"
-  http /.*[\/\\]scripts[\/\\]\x20/
-  tcp-state established,originator
-  }
-
-signature sid-1030 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS search97.vts access"
-  http /.*[\/\\]search97\.vts/
-  tcp-state established,originator
-  }
-
-signature sid-1037 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS showcode.asp access"
-  http /.*[\/\\]showcode\.asp/
-  tcp-state established,originator
-  }
-
-signature sid-1038 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS site server config access"
-  http /.*[\/\\]adsamples[\/\\]config[\/\\]site\.csc/
-  tcp-state established,originator
-  }
-
-signature sid-1039 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS srch.htm access"
-  http /.*[\/\\]samples[\/\\]isapi[\/\\]srch\.htm/
-  tcp-state established,originator
-  }
-
-signature sid-1040 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS srchadm access"
-  http /.*[\/\\]srchadm/
-  tcp-state established,originator
-  }
-
-signature sid-1041 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS uploadn.asp access"
-  http /.*[\/\\]scripts[\/\\]uploadn\.asp/
-  tcp-state established,originator
-  }
-
-signature sid-1042 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS view source via translate header"
-  tcp-state established,originator
-  payload /.*[tT][rR][aA][nN][sS][lL][aA][tT][eE]\x3a [fF]/
-  }
-
-signature sid-1043 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS viewcode.asp access"
-  http /.*[\/\\]viewcode\.asp/
-  tcp-state established,originator
-  }
-
-signature sid-1044 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS webhits access"
-  http /.*\.htw/
-  tcp-state established,originator
-  }
-
-signature sid-1726 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS doctodep.btr access"
-  http /.*doctodep\.btr/
-  tcp-state established,originator
-  }
-
-signature sid-1046 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS site/iisamples access"
-  http /.*[\/\\]site[\/\\]iisamples/
-  tcp-state established,originator
-  }
-
-signature sid-1256 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS CodeRed v2 root.exe access"
-  http /.*[\/\\]root\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-1283 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS outlook web dos"
-  http /.*[\/\\]exchange[\/\\]LogonFrm\.asp\?/
-  tcp-state established,originator
-  payload /.*[mM][aA][iI][lL][bB][oO][xX]=/
-  payload /.*\x25\x25\x25/
-  }
-
-signature sid-1400 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS /scripts/samples/ access"
-  http /.*[\/\\]scripts[\/\\]samples[\/\\]/
-  tcp-state established,originator
-  }
-
-signature sid-1401 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS /msadc/samples/ access"
-  http /.*[\/\\]msadc[\/\\]samples[\/\\]/
-  tcp-state established,originator
-  }
-
-signature sid-1402 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS iissamples access"
-  http /.*[\/\\]iissamples[\/\\]/
-  tcp-state established,originator
-  }
-
-signature sid-970 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS multiple decode attempt"
-  http /.*%5c/
-  http /.*\.\./
-  tcp-state established,originator
-  }
-
-signature sid-993 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS iisadmin access"
-  http /.*[\/\\]iisadmin/
-  tcp-state established,originator
-  }
-
-signature sid-1285 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS msdac access"
-  http /.*[\/\\]msdac[\/\\]/
-  tcp-state established,originator
-  }
-
-signature sid-1286 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS _mem_bin access"
-  http /.*[\/\\]_mem_bin[\/\\]/
-  tcp-state established,originator
-  }
-
-signature sid-1595 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS htimage.exe access"
-  http /.*[\/\\]htimage\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-1817 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS MS Site Server default login attempt"
-  http /.*[\/\\]SiteServer[\/\\]Admin[\/\\]knowledge[\/\\]persmbr[\/\\]/
-  tcp-state established,originator
-  payload /.*[aA][uU][tT][hH][oO][rR][iI][zZ][aA][tT][iI][oO][nN]: [bB][aA][sS][iI][cC] [tT][eE][rR][bB][uU][fF]9[bB][bB][mM]9[uU][eE][wW]1[vV][dD][xX][mM]6[tT][gG][rR][hH][cC][fF][bB][hH][cC]3[nN]3[bB]3[jJ][kK][xX][zZ][eE]=/
-  }
-
-signature sid-1818 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS MS Site Server admin attempt"
-  http /.*[\/\\]Site Server[\/\\]Admin[\/\\]knowledge[\/\\]persmbr[\/\\]/
-  tcp-state established,originator
-  }
-
-signature sid-1075 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS postinfo.asp access"
-  http /.*[\/\\]scripts[\/\\]postinfo\.asp/
-  tcp-state established,originator
-  }
-
-signature sid-1567 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS /exchange/root.asp attempt"
-  http /.*[\/\\]exchange[\/\\]root\.asp\?acs=anon/
-  tcp-state established,originator
-  }
-
-signature sid-1568 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS /exchange/root.asp access"
-  http /.*[\/\\]exchange[\/\\]root\.asp/
-  tcp-state established,originator
-  }
-
-signature sid-2090 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS WEBDAV exploit attempt"
-  tcp-state established,originator
-  payload /.*HTTP\/1\.1\x0aContent-type\x3a text\/xml\x0aHOST\x3a.{1}.*Accept\x3a \x2a\/\x2a\x0aTranslate\x3a f\x0aContent-length\x3a5276\x0a\x0a/
-  }
-
-signature sid-2091 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS WEBDAV nessus safe scan attempt"
-  tcp-state established,originator
-  payload /.*SEARCH \/ HTTP\/1\.1\x0d\x0aHost\x3a.{0,251}\x0d\x0a\x0d\x0a/
-  }
-
-signature sid-2117 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS Battleaxe Forum login.asp access"
-  http /.*myaccount[\/\\]login\.asp/
-  tcp-state established,originator
-  }
-
-signature sid-2129 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS nsiislog.dll access"
-  http /.*[\/\\]nsiislog\.dll/
-  tcp-state established,originator
-  }
-
-signature sid-2130 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS IISProtect siteadmin.asp access"
-  http /.*[\/\\]iisprotect[\/\\]admin[\/\\]SiteAdmin\.asp/
-  tcp-state established,originator
-  }
-
-signature sid-2157 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS IISProtect globaladmin.asp access"
-  http /.*[\/\\]iisprotect[\/\\]admin[\/\\]GlobalAdmin\.asp/
-  tcp-state established,originator
-  }
-
-signature sid-2131 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS IISProtect access"
-  http /.*[\/\\]iisprotect[\/\\]admin[\/\\]/
-  tcp-state established,originator
-  }
-
-signature sid-2132 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS Synchrologic Email Accelerator userid list access attempt"
-  http /.*[\/\\]en[\/\\]admin[\/\\]aggregate\.asp/
-  tcp-state established,originator
-  }
-
-signature sid-2133 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS MS BizTalk server access"
-  http /.*[\/\\]biztalkhttpreceive\.dll/
-  tcp-state established,originator
-  }
-
-signature sid-2134 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS register.asp access"
-  http /.*[\/\\]register\.asp/
-  tcp-state established,originator
-  }
-
-signature sid-1497 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC cross site scripting attempt"
-  tcp-state established,originator
-  payload /.*<[sS][cC][rR][iI][pP][tT]>/
-  }
-
-signature sid-1667 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC cross site scripting (img src=javascript) attempt"
-  tcp-state established,originator
-  payload /.*[iI][mM][gG] [sS][rR][cC]=[jJ][aA][vV][aA][sS][cC][rR][iI][pP][tT]/
-  }
-
-signature sid-1250 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Cisco IOS HTTP configuration attempt"
-  http /.*[\/\\]level[\/\\]/
-  http /.*[\/\\]exec[\/\\]/
-  tcp-state established,originator
-  }
-
-signature sid-1047 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Netscape Enterprise DOS"
-  tcp-state established,originator
-  payload /REVLOG \/ /
-  }
-
-signature sid-1048 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Netscape Enterprise directory listing attempt"
-  tcp-state established,originator
-  payload /INDEX /
-  }
-
-signature sid-1050 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC iPlanet GETPROPERTIES attempt"
-  tcp-state established,originator
-  payload /GETPROPERTIES/
-  }
-
-signature sid-1054 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC weblogic view source attempt"
-  http /.*\.js%70/
-  tcp-state established,originator
-  }
-
-signature sid-1055 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Tomcat directory traversal attempt"
-  http /.*%00\.jsp/
-  tcp-state established,originator
-  }
-
-signature sid-1056 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Tomcat view source attempt"
-  http /.*%252ejsp/
-  tcp-state established,originator
-  }
-
-signature sid-1057 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC ftp attempt"
-  tcp-state established,originator
-  payload /.*[fF][tT][pP]\.[eE][xX][eE]/
-  }
-
-signature sid-1058 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC xp_enumdsn attempt"
-  tcp-state established,originator
-  payload /.*[xX][pP]_[eE][nN][uU][mM][dD][sS][nN]/
-  }
-
-signature sid-1059 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC xp_filelist attempt"
-  tcp-state established,originator
-  payload /.*[xX][pP]_[fF][iI][lL][eE][lL][iI][sS][tT]/
-  }
-
-signature sid-1060 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC xp_availablemedia attempt"
-  tcp-state established,originator
-  payload /.*[xX][pP]_[aA][vV][aA][iI][lL][aA][bB][lL][eE][mM][eE][dD][iI][aA]/
-  }
-
-signature sid-1061 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC xp_cmdshell attempt"
-  tcp-state established,originator
-  payload /.*[xX][pP]_[cC][mM][dD][sS][hH][eE][lL][lL]/
-  }
-
-signature sid-1062 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC nc.exe attempt"
-  tcp-state established,originator
-  payload /.*[nN][cC]\.[eE][xX][eE]/
-  }
-
-signature sid-1064 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC wsh attempt"
-  tcp-state established,originator
-  payload /.*[wW][sS][hH]\.[eE][xX][eE]/
-  }
-
-signature sid-1065 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC rcmd attempt"
-  tcp-state established,originator
-  payload /.*[rR][cC][mM][dD]\.[eE][xX][eE]/
-  }
-
-signature sid-1066 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC telnet attempt"
-  tcp-state established,originator
-  payload /.*[tT][eE][lL][nN][eE][tT]\.[eE][xX][eE]/
-  }
-
-signature sid-1067 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC net attempt"
-  tcp-state established,originator
-  payload /.*[nN][eE][tT]\.[eE][xX][eE]/
-  }
-
-signature sid-1068 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC tftp attempt"
-  tcp-state established,originator
-  payload /.*[tT][fF][tT][pP]\.[eE][xX][eE]/
-  }
-
-signature sid-1069 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC xp_regread attempt"
-  tcp-state established,originator
-  payload /.*[xX][pP]_[rR][eE][gG][rR][eE][aA][dD]/
-  }
-
-signature sid-1977 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC xp_regwrite attempt"
-  tcp-state established,originator
-  payload /.*[xX][pP]_[rR][eE][gG][wW][rR][iI][tT][eE]/
-  }
-
-signature sid-1978 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC xp_regdeletekey attempt"
-  tcp-state established,originator
-  payload /.*[xX][pP]_[rR][eE][gG][dD][eE][lL][eE][tT][eE][kK][eE][yY]/
-  }
-
-signature sid-1070 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC WebDAV search access"
-  tcp-state established,originator
-  payload /.{0,1}[sS][eE][aA][rR][cC][hH] /
-  }
-
-signature sid-1071 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC .htpasswd access"
-  tcp-state established,originator
-  payload /.*\.[hH][tT][pP][aA][sS][sS][wW][dD]/
-  }
-
-signature sid-1072 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Lotus Domino directory traversal"
-  http /.*\.nsf[\/\\]/
-  http /.*\.\.[\/\\]/
-  tcp-state established,originator
-  }
-
-signature sid-1077 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC queryhit.htm access"
-  http /.*[\/\\]samples[\/\\]search[\/\\]queryhit\.htm/
-  tcp-state established,originator
-  }
-
-signature sid-1078 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC counter.exe access"
-  http /.*[\/\\]scripts[\/\\]counter\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-1079 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC WebDAV propfind access"
-  tcp-state established,originator
-  payload /.*<[aA]:[pP][rR][oO][pP][fF][iI][nN][dD]/
-  payload /.*[xX][mM][lL][nN][sS]:[aA]=\"[dD][aA][vV]\">/
-  }
-
-signature sid-1080 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC unify eWave ServletExec upload"
-  http /.*[\/\\]servlet[\/\\]com\.unify\.servletexec\.UploadServlet/
-  tcp-state established,originator
-  }
-
-signature sid-1081 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Netscape Servers suite DOS"
-  http /.*[\/\\]dsgw[\/\\]bin[\/\\]search\?context=/
-  tcp-state established,originator
-  }
-
-signature sid-1082 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC amazon 1-click cookie theft"
-  tcp-state established,originator
-  payload /.*[rR][eE][fF]%3[cC][sS][cC][rR][iI][pP][tT]%20[lL][aA][nN][gG][uU][aA][gG][eE]%3[dD]%22[jJ][aA][vV][aA][sS][cC][rR][iI][pP][tT]/
-  }
-
-signature sid-1083 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC unify eWave ServletExec DOS"
-  http /.*[\/\\]servlet[\/\\]ServletExec/
-  tcp-state established,originator
-  }
-
-signature sid-1084 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Allaire JRUN DOS attempt"
-  http /.*servlet[\/\\]\.\.\.\.\.\.\./
-  tcp-state established,originator
-  }
-
-signature sid-1091 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC ICQ Webfront HTTP DOS"
-  http /.*\?\?\?\?\?\?\?\?\?\?/
-  tcp-state established,originator
-  }
-
-signature sid-1095 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Talentsoft Web+ Source Code view access"
-  http /.*[\/\\]webplus\.exe\?script=test\.wml/
-  tcp-state established,originator
-  }
-
-signature sid-1096 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Talentsoft Web+ internal IP Address access"
-  http /.*[\/\\]webplus\.exe\?about/
-  tcp-state established,originator
-  }
-
-signature sid-1098 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC SmartWin CyberOffice Shopping Cart access"
-  http /.*_private[\/\\]shopping_cart\.mdb/
-  tcp-state established,originator
-  }
-
-signature sid-1099 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC cybercop scan"
-  http /.*[\/\\]cybercop/
-  tcp-state established,originator
-  }
-
-signature sid-1100 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC L3retriever HTTP Probe"
-  tcp-state established,originator
-  payload /.*User-Agent\x3a Java1\.2\.1\x0d\x0a/
-  }
-
-signature sid-1101 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Webtrends HTTP probe"
-  tcp-state established,originator
-  payload /.*User-Agent\x3a Webtrends Security Analyzer\x0d\x0a/
-  }
-
-signature sid-1102 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Nessus 404 probe"
-  http /.*[\/\\]nessus_is_probing_you_/
-  tcp-state established,originator
-  }
-
-signature sid-1103 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Netscape admin passwd"
-  http /.*[\/\\]admin-serv[\/\\]config[\/\\]admpw/
-  tcp-state established,originator
-  }
-
-signature sid-1105 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC BigBrother access"
-  http /.*[\/\\]bb-hostsvc\.sh\?HOSTSVC/
-  tcp-state established,originator
-  }
-
-signature sid-1612 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC ftp.pl attempt"
-  http /.*[\/\\]ftp\.pl\?dir=\.\.[\/\\]\.\./
-  tcp-state established,originator
-  }
-
-signature sid-1107 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC ftp.pl access"
-  http /.*[\/\\]ftp\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-1108 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Tomcat server snoop access"
-  http /.*[\/\\]jsp[\/\\]snp[\/\\]/
-  http /.*\.snp/
-  tcp-state established,originator
-  }
-
-signature sid-1109 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC ROXEN directory list attempt"
-  http /.*\x2F\x25\x30\x30/
-  tcp-state established,originator
-  }
-
-signature sid-1110 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC apache source.asp file access"
-  http /.*[\/\\]site[\/\\]eg[\/\\]source\.asp/
-  tcp-state established,originator
-  }
-
-signature sid-1111 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Tomcat server exploit access"
-  http /.*[\/\\]contextAdmin[\/\\]contextAdmin\.html/
-  tcp-state established,originator
-  }
-
-signature sid-1112 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC http directory traversal"
-  tcp-state established,originator
-  payload /.*\.\.\\/
-  }
-
-signature sid-1115 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC ICQ webserver DOS"
-  http /.*\.html[\/\\]\.\.\.\.\.\./
-  tcp-state established,originator
-  }
-
-signature sid-1116 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Lotus DelDoc attempt"
-  http /.*\?DeleteDocument/
-  tcp-state established,originator
-  }
-
-signature sid-1117 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Lotus EditDoc attempt"
-  http /.*\?EditDocument/
-  tcp-state established,originator
-  }
-
-signature sid-1118 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC ls%20-l"
-  tcp-state established,originator
-  payload /.*[lL][sS]%20-[lL]/
-  }
-
-signature sid-1119 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC mlog.phtml access"
-  http /.*[\/\\]mlog\.phtml/
-  tcp-state established,originator
-  }
-
-signature sid-1120 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC mylog.phtml access"
-  http /.*[\/\\]mylog\.phtml/
-  tcp-state established,originator
-  }
-
-signature sid-1122 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC /etc/passwd"
-  tcp-state established,originator
-  payload /.*\/[eE][tT][cC]\/[pP][aA][sS][sS][wW][dD]/
-  }
-
-signature sid-1123 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC ?PageServices access"
-  http /.*\?PageServices/
-  tcp-state established,originator
-  }
-
-signature sid-1124 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Ecommerce check.txt access"
-  http /.*[\/\\]config[\/\\]check\.txt/
-  tcp-state established,originator
-  }
-
-signature sid-1125 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC webcart access"
-  http /.*[\/\\]webcart[\/\\]/
-  tcp-state established,originator
-  }
-
-signature sid-1126 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC AuthChangeUrl access"
-  http /.*_AuthChangeUrl\?/
-  tcp-state established,originator
-  }
-
-signature sid-1127 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC convert.bas access"
-  http /.*[\/\\]scripts[\/\\]convert\.bas/
-  tcp-state established,originator
-  }
-
-signature sid-1128 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC cpshost.dll access"
-  http /.*[\/\\]scripts[\/\\]cpshost\.dll/
-  tcp-state established,originator
-  }
-
-signature sid-1129 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC .htaccess access"
-  tcp-state established,originator
-  payload /.*\.[hH][tT][aA][cC][cC][eE][sS][sS]/
-  }
-
-signature sid-1130 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC .wwwacl access"
-  http /.*\.wwwacl/
-  tcp-state established,originator
-  }
-
-signature sid-1131 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC .wwwacl access"
-  http /.*\.www_acl/
-  tcp-state established,originator
-  }
-
-signature sid-1136 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC cd.."
-  tcp-state established,originator
-  payload /.*[cC][dD]\.\./
-  }
-
-signature sid-1140 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC guestbook.pl access"
-  http /.*[\/\\]guestbook\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-1613 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC handler attempt"
-  http /.*[\/\\]handler/
-  http /.*\|/
-  tcp-state established,originator
-  }
-
-signature sid-1141 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC handler access"
-  http /.*[\/\\]handler/
-  tcp-state established,originator
-  }
-
-signature sid-1142 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC /.... access"
-  tcp-state established,originator
-  payload /.*\/\.\.\.\./
-  }
-
-signature sid-1143 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC ///cgi-bin access"
-  http /.*[\/\\][\/\\][\/\\]cgi-bin/
-  tcp-state established,originator
-  }
-
-signature sid-1144 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC /cgi-bin/// access"
-  http /.*[\/\\]cgi-bin[\/\\][\/\\][\/\\]/
-  tcp-state established,originator
-  }
-
-signature sid-1145 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC /~root access"
-  http /.*[\/\\]~root/
-  tcp-state established,originator
-  }
-
-signature sid-1662 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC /~ftp access"
-  http /.*[\/\\]~ftp/
-  tcp-state established,originator
-  }
-
-signature sid-1146 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Ecommerce import.txt access"
-  http /.*[\/\\]config[\/\\]import\.txt/
-  tcp-state established,originator
-  }
-
-signature sid-1147 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC cat%20 access"
-  tcp-state established,originator
-  payload /.*[cC][aA][tT]%20/
-  }
-
-signature sid-1148 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Ecommerce import.txt access"
-  http /.*[\/\\]orders[\/\\]import\.txt/
-  tcp-state established,originator
-  }
-
-signature sid-1150 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Domino catalog.nsf access"
-  http /.*[\/\\]catalog\.nsf/
-  tcp-state established,originator
-  }
-
-signature sid-1151 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Domino domcfg.nsf access"
-  http /.*[\/\\]domcfg\.nsf/
-  tcp-state established,originator
-  }
-
-signature sid-1152 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Domino domlog.nsf access"
-  http /.*[\/\\]domlog\.nsf/
-  tcp-state established,originator
-  }
-
-signature sid-1153 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Domino log.nsf access"
-  http /.*[\/\\]log\.nsf/
-  tcp-state established,originator
-  }
-
-signature sid-1154 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Domino names.nsf access"
-  http /.*[\/\\]names\.nsf/
-  tcp-state established,originator
-  }
-
-signature sid-1575 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Domino mab.nsf access"
-  http /.*[\/\\]mab\.nsf/
-  tcp-state established,originator
-  }
-
-signature sid-1576 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Domino cersvr.nsf access"
-  http /.*[\/\\]cersvr\.nsf/
-  tcp-state established,originator
-  }
-
-signature sid-1577 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Domino setup.nsf access"
-  http /.*[\/\\]setup\.nsf/
-  tcp-state established,originator
-  }
-
-signature sid-1578 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Domino statrep.nsf access"
-  http /.*[\/\\]statrep\.nsf/
-  tcp-state established,originator
-  }
-
-signature sid-1579 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Domino webadmin.nsf access"
-  http /.*[\/\\]webadmin\.nsf/
-  tcp-state established,originator
-  }
-
-signature sid-1580 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Domino events4.nsf access"
-  http /.*[\/\\]events4\.nsf/
-  tcp-state established,originator
-  }
-
-signature sid-1581 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Domino ntsync4.nsf access"
-  http /.*[\/\\]ntsync4\.nsf/
-  tcp-state established,originator
-  }
-
-signature sid-1582 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Domino collect4.nsf access"
-  http /.*[\/\\]collect4\.nsf/
-  tcp-state established,originator
-  }
-
-signature sid-1583 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Domino mailw46.nsf access"
-  http /.*[\/\\]mailw46\.nsf/
-  tcp-state established,originator
-  }
-
-signature sid-1584 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Domino bookmark.nsf access"
-  http /.*[\/\\]bookmark\.nsf/
-  tcp-state established,originator
-  }
-
-signature sid-1585 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Domino agentrunner.nsf access"
-  http /.*[\/\\]agentrunner\.nsf/
-  tcp-state established,originator
-  }
-
-signature sid-1586 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Domino mail.box access"
-  http /.*[\/\\]mail\.box/
-  tcp-state established,originator
-  }
-
-signature sid-1155 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Ecommerce checks.txt access"
-  http /.*[\/\\]orders[\/\\]checks\.txt/
-  tcp-state established,originator
-  }
-
-signature sid-1156 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC apache DOS attempt"
-  tcp-state established,originator
-  payload /.*\x2f\x2f\x2f\x2f\x2f\x2f\x2f\x2f/
-  }
-
-signature sid-1157 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Netscape PublishingXpert access"
-  http /.*[\/\\]PSUser[\/\\]PSCOErrPage\.htm/
-  tcp-state established,originator
-  }
-
-signature sid-1158 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC windmail.exe access"
-  http /.*[\/\\]windmail\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-1159 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC webplus access"
-  http /.*[\/\\]webplus\?script/
-  tcp-state established,originator
-  }
-
-signature sid-1160 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Netscape dir index wp"
-  http /.*\?wp-/
-  tcp-state established,originator
-  }
-
-signature sid-1162 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC cart 32 AdminPwd access"
-  http /.*[\/\\]c32web\.exe[\/\\]ChangeAdminPassword/
-  tcp-state established,originator
-  }
-
-signature sid-1164 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC shopping cart access"
-  http /.*[\/\\]quikstore\.cfg/
-  tcp-state established,originator
-  }
-
-signature sid-1614 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Novell Groupwise gwweb.exe attempt"
-  http /.*[\/\\]GWWEB\.EXE\?HELP=/
-  tcp-state established,originator
-  }
-
-signature sid-1165 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Novell Groupwise gwweb.exe access"
-  tcp-state established,originator
-  payload /.*\/[gG][wW][wW][eE][bB]\.[eE][xX][eE]/
-  }
-
-signature sid-1166 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC ws_ftp.ini access"
-  http /.*[\/\\]ws_ftp\.ini/
-  tcp-state established,originator
-  }
-
-signature sid-1167 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC rpm_query access"
-  http /.*[\/\\]rpm_query/
-  tcp-state established,originator
-  }
-
-signature sid-1168 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC mall log order access"
-  http /.*[\/\\]mall_log_files[\/\\]order\.log/
-  tcp-state established,originator
-  }
-
-signature sid-1173 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC architext_query.pl access"
-  http /.*[\/\\]ews[\/\\]architext_query\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-1175 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC wwwboard.pl access"
-  http /.*[\/\\]wwwboard\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-1176 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC order.log access"
-  http /.*[\/\\]admin_files[\/\\]order\.log/
-  tcp-state established,originator
-  }
-
-signature sid-1177 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Netscape Enterprise Server directory view"
-  http /.*\?wp-verify-link/
-  tcp-state established,originator
-  }
-
-signature sid-1180 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC get32.exe access"
-  http /.*[\/\\]get32\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-1181 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Annex Terminal DOS attempt"
-  http /.*[\/\\]ping\?query=/
-  tcp-state established,originator
-  }
-
-signature sid-1182 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC cgitest.exe attempt"
-  http /.*[\/\\]cgitest\.exe\x0d\x0auser/
-  tcp-state established,originator
-  }
-
-signature sid-1587 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC cgitest.exe access"
-  http /.*[\/\\]cgitest\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-1183 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Netscape Enterprise Server directory view"
-  http /.*\?wp-cs-dump/
-  tcp-state established,originator
-  }
-
-signature sid-1184 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Netscape Enterprise Server directory view"
-  http /.*\?wp-ver-info/
-  tcp-state established,originator
-  }
-
-signature sid-1186 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Netscape Enterprise Server directory view"
-  http /.*\?wp-ver-diff/
-  tcp-state established,originator
-  }
-
-signature sid-1187 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC SalesLogix Eviewer web command attempt"
-  http /.*[\/\\]slxweb\.dll[\/\\]admin\?command=/
-  tcp-state established,originator
-  }
-
-signature sid-1588 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC SalesLogix Eviewer access"
-  http /.*[\/\\]slxweb\.dll/
-  tcp-state established,originator
-  }
-
-signature sid-1188 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Netscape Enterprise Server directory view"
-  http /.*\?wp-start-ver/
-  tcp-state established,originator
-  }
-
-signature sid-1189 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Netscape Enterprise Server directory view"
-  http /.*\?wp-stop-ver/
-  tcp-state established,originator
-  }
-
-signature sid-1190 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Netscape Enterprise Server directory view"
-  http /.*\?wp-uncheckout/
-  tcp-state established,originator
-  }
-
-signature sid-1191 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Netscape Enterprise Server directory view"
-  http /.*\?wp-html-rend/
-  tcp-state established,originator
-  }
-
-signature sid-1381 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Trend Micro OfficeScan attempt"
-  http /.*[\/\\]officescan[\/\\]cgi[\/\\]jdkRqNotify\.exe\?/
-  http /.*domain=/
-  http /.*event=/
-  tcp-state established,originator
-  }
-
-signature sid-1192 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Trend Micro OfficeScan access"
-  http /.*[\/\\]officescan[\/\\]cgi[\/\\]jdkRqNotify\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-1193 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC oracle web arbitrary command execution attempt"
-  http /.*[\/\\]ows-bin[\/\\]/
-  http /.*\?&/
-  tcp-state established,originator
-  }
-
-signature sid-1880 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC oracle web application server access"
-  http /.*[\/\\]ows-bin[\/\\]/
-  tcp-state established,originator
-  }
-
-signature sid-1198 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Netscape Enterprise Server directory view"
-  http /.*\?wp-usr-prop/
-  tcp-state established,originator
-  }
-
-signature sid-1202 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC search.vts access"
-  http /.*[\/\\]search\.vts/
-  tcp-state established,originator
-  }
-
-signature sid-1615 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC htgrep attempt"
-  http /.*[\/\\]htgrep/
-  tcp-state established,originator
-  payload /.*hdr=\//
-  }
-
-signature sid-1207 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC htgrep access"
-  http /.*[\/\\]htgrep/
-  tcp-state established,originator
-  }
-
-signature sid-1209 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC .nsconfig access"
-  http /.*[\/\\]\.nsconfig/
-  tcp-state established,originator
-  }
-
-signature sid-1212 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Admin_files access"
-  http /.*[\/\\]admin_files/
-  tcp-state established,originator
-  }
-
-signature sid-1213 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC backup access"
-  http /.*[\/\\]backup/
-  tcp-state established,originator
-  }
-
-signature sid-1214 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC intranet access"
-  http /.*[\/\\]intranet[\/\\]/
-  tcp-state established,originator
-  }
-
-signature sid-1216 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC filemail access"
-  http /.*[\/\\]filemail/
-  tcp-state established,originator
-  }
-
-signature sid-1217 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC plusmail access"
-  http /.*[\/\\]plusmail/
-  tcp-state established,originator
-  }
-
-signature sid-1218 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC adminlogin access"
-  http /.*[\/\\]adminlogin/
-  tcp-state established,originator
-  }
-
-signature sid-1220 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC ultraboard access"
-  http /.*[\/\\]ultraboard/
-  tcp-state established,originator
-  }
-
-signature sid-1589 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC musicat empower attempt"
-  http /.*[\/\\]empower\?DB=/
-  tcp-state established,originator
-  }
-
-signature sid-1221 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC musicat empower access"
-  http /.*[\/\\]empower/
-  tcp-state established,originator
-  }
-
-signature sid-1224 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC ROADS search.pl attempt"
-  http /.*[\/\\]ROADS[\/\\]cgi-bin[\/\\]search\.pl/
-  tcp-state established,originator
-  payload /.*[fF][oO][rR][mM]=/
-  }
-
-signature sid-1230 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC VirusWall FtpSave access"
-  http /.*[\/\\]FtpSave\.dll/
-  tcp-state established,originator
-  }
-
-signature sid-1234 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC VirusWall FtpSaveCSP access"
-  http /.*[\/\\]FtpSaveCSP\.dll/
-  tcp-state established,originator
-  }
-
-signature sid-1235 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC VirusWall FtpSaveCVP access"
-  http /.*[\/\\]FtpSaveCVP\.dll/
-  tcp-state established,originator
-  }
-
-signature sid-1236 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Tomcat sourecode view"
-  http /.*\.js%2570/
-  tcp-state established,originator
-  }
-
-signature sid-1237 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Tomcat sourecode view"
-  http /.*\.j%2573p/
-  tcp-state established,originator
-  }
-
-signature sid-1238 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Tomcat sourecode view"
-  http /.*\.%256Asp/
-  tcp-state established,originator
-  }
-
-signature sid-1241 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC SWEditServlet directory traversal attempt"
-  http /.*[\/\\]SWEditServlet/
-  tcp-state established,originator
-  payload /.*template=\.\.\/\.\.\/\.\.\//
-  }
-
-signature sid-1259 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC SWEditServlet access"
-  http /.*[\/\\]SWEditServlet/
-  tcp-state established,originator
-  }
-
-signature sid-1139 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC whisker HEAD/./"
-  tcp-state established,originator
-  payload /.*HEAD\/\.\//
-  }
-
-signature sid-1258 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC HP OpenView Manager DOS"
-  http /.*[\/\\]OvCgi[\/\\]OpenView5\.exe\?Context=Snmp&Action=Snmp&Host=&Oid=/
-  tcp-state established,originator
-  }
-
-signature sid-1260 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC long basic authorization string"
-  tcp-state established,originator
-  payload /.*[aA][uU][tT][hH][oO][rR][iI][zZ][aA][tT][iI][oO][nN]: [bB][aA][sS][iI][cC] [^\x0A]{512}/
-  }
-
-signature sid-1291 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC sml3com access"
-  http /.*[\/\\]graphics[\/\\]sml3com/
-  tcp-state established,originator
-  }
-
-signature sid-1001 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC carbo.dll access"
-  http /.*[\/\\]carbo\.dll/
-  tcp-state established,originator
-  payload /.*[iI][cC][aA][tT][cC][oO][mM][mM][aA][nN][dD]=/
-  }
-
-signature sid-1302 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC console.exe access"
-  http /.*[\/\\]cgi-bin[\/\\]console\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-1303 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC cs.exe access"
-  http /.*[\/\\]cgi-bin[\/\\]cs\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-1113 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC http directory traversal"
-  tcp-state established,originator
-  payload /.*\.\.\//
-  }
-
-signature sid-1375 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC sadmind worm access"
-  tcp-state established,originator
-  payload /.{0,1}GET x HTTP\/1\.0/
-  }
-
-signature sid-1376 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC jrun directory browse attempt"
-  http /.*[\/\\]%3f\.jsp/
-  tcp-state established,originator
-  }
-
-signature sid-1385 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC mod-plsql administration access"
-  http /.*[\/\\]admin_[\/\\]/
-  tcp-state established,originator
-  }
-
-signature sid-1391 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Phorecast remote code execution attempt"
-  tcp-state established,originator
-  payload /.*includedir=/
-  }
-
-signature sid-1403 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC viewcode access"
-  http /.*[\/\\]viewcode/
-  tcp-state established,originator
-  }
-
-signature sid-1404 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC showcode access"
-  http /.*[\/\\]showcode/
-  tcp-state established,originator
-  }
-
-signature sid-1433 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC .history access"
-  http /.*[\/\\]\.history/
-  tcp-state established,originator
-  }
-
-signature sid-1434 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC .bash_history access"
-  http /.*[\/\\]\.bash_history/
-  tcp-state established,originator
-  }
-
-signature sid-1489 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC /~nobody access"
-  http /.*[\/\\]~nobody/
-  tcp-state established,originator
-  }
-
-signature sid-1492 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC RBS ISP /newuser  directory traversal attempt"
-  http /.*[\/\\]newuser\?Image=\.\.[\/\\]\.\./
-  tcp-state established,originator
-  }
-
-signature sid-1493 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC RBS ISP /newuser access"
-  http /.*[\/\\]newuser/
-  tcp-state established,originator
-  }
-
-signature sid-1663 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC *%0a.pl access"
-  http /.*[\/\\]\*%0a\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-1664 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC mkplog.exe access"
-  http /.*[\/\\]mkplog\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-1665 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC mkilog.exe access"
-  http /.*[\/\\]mkilog\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-509 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC PCCS mysql database admin tool access"
-  tcp-state established,originator
-  payload /.{0,5}[pP][cC][cC][sS][mM][yY][sS][qQ][lL][aA][dD][mM]\/[iI][nN][cC][sS]\/[dD][bB][cC][oO][nN][nN][eE][cC][tT]\.[iI][nN][cC]/
-  }
-
-signature sid-1769 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC .DS_Store access"
-  http /.*[\/\\]\.DS_Store/
-  tcp-state established,originator
-  }
-
-signature sid-1770 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC .FBCIndex access"
-  http /.*[\/\\]\.FBCIndex/
-  tcp-state established,originator
-  }
-
-signature sid-1500 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC ExAir access"
-  http /.*[\/\\]exair[\/\\]search[\/\\]/
-  tcp-state established,originator
-  }
-
-signature sid-1519 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC apache ?M=D directory list attempt"
-  http /.*[\/\\]\?M=D/
-  tcp-state established,originator
-  }
-
-signature sid-1520 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC server-info access"
-  http /.*[\/\\]server-info/
-  tcp-state established,originator
-  }
-
-signature sid-1521 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC server-status access"
-  http /.*[\/\\]server-status/
-  tcp-state established,originator
-  }
-
-signature sid-1522 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC ans.pl attempt"
-  http /.*[\/\\]ans\.pl\?p=\.\.[\/\\]\.\.[\/\\]/
-  tcp-state established,originator
-  }
-
-signature sid-1523 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC ans.pl access"
-  http /.*[\/\\]ans\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-1524 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC AxisStorpoint CD attempt"
-  http /.*[\/\\]cd[\/\\]\.\.[\/\\]config[\/\\]html[\/\\]cnf_gi\.htm/
-  tcp-state established,originator
-  }
-
-signature sid-1525 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Axis Storpoint CD access"
-  http /.*[\/\\]config[\/\\]html[\/\\]cnf_gi\.htm/
-  tcp-state established,originator
-  }
-
-signature sid-1526 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC basilix sendmail.inc access"
-  http /.*[\/\\]inc[\/\\]sendmail\.inc/
-  tcp-state established,originator
-  }
-
-signature sid-1527 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC basilix mysql.class access"
-  http /.*[\/\\]class[\/\\]mysql\.class/
-  tcp-state established,originator
-  }
-
-signature sid-1528 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC BBoard access"
-  http /.*[\/\\]servlet[\/\\]sunexamples\.BBoardServlet/
-  tcp-state established,originator
-  }
-
-signature sid-1544 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Cisco Catalyst command execution attempt"
-  http /.*[\/\\]exec[\/\\]show[\/\\]config[\/\\]cr/
-  tcp-state established,originator
-  }
-
-signature sid-1546 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Cisco /%% DOS attempt"
-  http /.*[\/\\]%%/
-  tcp-state established,originator
-  }
-
-signature sid-1551 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC /CVS/Entries access"
-  http /.*[\/\\]CVS[\/\\]Entries/
-  tcp-state established,originator
-  }
-
-signature sid-1552 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC cvsweb version access"
-  http /.*[\/\\]cvsweb[\/\\]version/
-  tcp-state established,originator
-  }
-
-signature sid-1559 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC /doc/packages access"
-  http /.*[\/\\]doc[\/\\]packages/
-  tcp-state established,originator
-  }
-
-signature sid-1560 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC /doc/ access"
-  http /.*[\/\\]doc[\/\\]/
-  tcp-state established,originator
-  }
-
-signature sid-1561 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC ?open access"
-  http /.*\?open/
-  tcp-state established,originator
-  }
-
-signature sid-1563 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC login.htm attempt"
-  http /.*[\/\\]login\.htm\?password=/
-  tcp-state established,originator
-  }
-
-signature sid-1564 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC login.htm access"
-  http /.*[\/\\]login\.htm/
-  tcp-state established,originator
-  }
-
-signature sid-1603 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC DELETE attempt"
-  tcp-state established,originator
-  payload /[dD][eE][lL][eE][tT][eE] /
-  }
-
-signature sid-1670 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC /home/ftp access"
-  http /.*[\/\\]home[\/\\]ftp/
-  tcp-state established,originator
-  }
-
-signature sid-1671 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC /home/www access"
-  http /.*[\/\\]home[\/\\]www/
-  tcp-state established,originator
-  }
-
-signature sid-1738 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC global.inc access"
-  http /.*[\/\\]global\.inc/
-  tcp-state established,originator
-  }
-
-signature sid-1744 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC SecureSite authentication bypass attempt"
-  tcp-state established,originator
-  payload /.*[sS][eE][cC][uU][rR][eE]_[sS][iI][tT][eE], [oO][kK]/
-  }
-
-signature sid-1757 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC b2 arbitrary command execution attempt"
-  http /.*[\/\\]b2[\/\\]b2-include[\/\\]/
-  tcp-state established,originator
-  payload /.*b2inc/
-  payload /.*http:\/\//
-  }
-
-signature sid-1758 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC b2 access"
-  http /.*[\/\\]b2[\/\\]b2-include[\/\\]/
-  tcp-state established,originator
-  payload /.*b2inc/
-  payload /.*http:\/\//
-  }
-
-signature sid-1766 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC search.dll directory listing attempt"
-  http /.*[\/\\]search\.dll/
-  tcp-state established,originator
-  payload /.*query=%00/
-  }
-
-signature sid-1767 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC search.dll access"
-  http /.*[\/\\]search\.dll/
-  tcp-state established,originator
-  }
-
-signature sid-1498 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 8181
-  event "WEB-MISC PIX firewall manager directory traversal attempt"
-  http /.*[\/\\]\.\.[\/\\]\.\.[\/\\]/
-  tcp-state established,originator
-  }
-
-signature sid-1604 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 4080
-  event "WEB-MISC iChat directory traversal attempt"
-  http /.*[\/\\]\.\.[\/\\]\.\.[\/\\]/
-  tcp-state established,originator
-  }
-
-signature sid-1558 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 8080
-  event "WEB-MISC Delegate whois overflow attempt"
-  tcp-state established,originator
-  payload /.*[wW][hH][oO][iI][sS]:\/\//
-  }
-
-signature sid-1518 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 8000
-  event "WEB-MISC nstelemetry.adp access"
-  http /.*[\/\\]nstelemetry\.adp/
-  tcp-state established,originator
-  }
-
-signature sid-1132 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 457
-  event "WEB-MISC Netscape Unixware overflow"
-  tcp-state established,originator
-  payload /.*\xeb\x5f\x9a\xff\xff\xff\xff\x07\xff\xc3\x5e\x31\xc0\x89\x46\x9d/
-  }
-
-signature sid-1199 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 2301
-  event "WEB-MISC Compaq Insight directory traversal"
-  http /.*\.\.[\/\\]/
-  tcp-state established,originator
-  }
-
-signature sid-1231 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC VirusWall catinfo access"
-  http /.*[\/\\]catinfo/
-  tcp-state established,originator
-  }
-
-signature sid-1232 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 1812
-  event "WEB-MISC VirusWall catinfo access"
-  http /.*[\/\\]catinfo/
-  tcp-state established,originator
-  }
-
-signature sid-1809 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Apache Chunked-Encoding worm attempt"
-  tcp-state established,originator
-  payload /.*[cC][cC][cC][cC][cC][cC][cC]: [aA][aA][aA][aA][aA][aA][aA][aA][aA][aA][aA][aA][aA][aA][aA][aA][aA][aA][aA]/
-  }
-
-signature sid-1807 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Transfer-Encoding: chunked"
-  tcp-state established,originator
-  payload /.*[tT][rR][aA][nN][sS][fF][eE][rR]-[eE][nN][cC][oO][dD][iI][nN][gG]:/
-  payload /.*[cC][hH][uU][nN][kK][eE][dD]/
-  }
-
-signature sid-1814 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC CISCO VoIP DOS ATTEMPT"
-  http /.*[\/\\]StreamingStatistics/
-  tcp-state established,originator
-  }
-
-signature sid-1820 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC IBM Net.Commerce orderdspc.d2w access"
-  http /.*[\/\\]ncommerce3[\/\\]ExecMacro[\/\\]orderdspc\.d2w/
-  tcp-state established,originator
-  }
-
-signature sid-1826 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC WEB-INF access"
-  http /.*[\/\\]WEB-INF/
-  tcp-state established,originator
-  }
-
-signature sid-1827 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Tomcat servlet mapping cross site scripting attempt"
-  http /.*[\/\\]servlet[\/\\]/
-  http /.*[\/\\]org\.apache\./
-  tcp-state established,originator
-  }
-
-signature sid-1828 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC iPlanet Search directory traversal attempt"
-  http /.*[\/\\]search/
-  tcp-state established,originator
-  payload /.*NS-query-pat=/
-  payload /.*\.\.\/\.\.\//
-  }
-
-signature sid-1829 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Tomcat TroubleShooter servlet access"
-  http /.*[\/\\]examples[\/\\]servlet[\/\\]TroubleShooter/
-  tcp-state established,originator
-  }
-
-signature sid-1830 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Tomcat SnoopServlet servlet access"
-  http /.*[\/\\]examples[\/\\]servlet[\/\\]SnoopServlet/
-  tcp-state established,originator
-  }
-
-signature sid-1831 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC jigsaw dos attempt"
-  http /.*[\/\\]servlet[\/\\]con/
-  tcp-state established,originator
-  }
-
-signature sid-1835 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Macromedia SiteSpring cross site scripting attempt"
-  http /.*[\/\\]error[\/\\]500error\.jsp/
-  http /.*et=/
-  http /.*<script/
-  tcp-state established,originator
-  }
-
-signature sid-1839 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC mailman cross site scripting attempt"
-  http /.*[\/\\]mailman[\/\\]/
-  http /.*\?/
-  http /.*info=/
-  http /.*<script/
-  tcp-state established,originator
-  }
-
-signature sid-1847 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC webalizer access"
-  http /.*[\/\\]webalizer[\/\\]/
-  tcp-state established,originator
-  }
-
-signature sid-1848 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC webcart-lite access"
-  http /.*[\/\\]webcart-lite[\/\\]/
-  tcp-state established,originator
-  }
-
-signature sid-1849 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC webfind.exe access"
-  http /.*[\/\\]webfind\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-1851 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC active.log access"
-  http /.*[\/\\]active\.log/
-  tcp-state established,originator
-  }
-
-signature sid-1852 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC robots.txt access"
-  http /.*[\/\\]robots\.txt/
-  tcp-state established,originator
-  }
-
-signature sid-1857 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC robot.txt access"
-  http /.*[\/\\]robot\.txt/
-  tcp-state established,originator
-  }
-
-signature sid-1858 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 8181
-  event "WEB-MISC CISCO PIX Firewall Manager directory traversal attempt"
-  http /.*[\/\\]pixfir~1[\/\\]how_to_login\.html/
-  tcp-state established,originator
-  }
-
-signature sid-1859 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 9090
-  event "WEB-MISC Sun JavaServer default password login attempt"
-  http /.*[\/\\]servlet[\/\\]admin/
-  tcp-state established,originator
-  payload /.*ae9f86d6beaa3f9ecb9a5b7e072a4138/
-  }
-
-signature sid-1860 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 8080
-  event "WEB-MISC Linksys router default password login attempt (:admin)"
-  tcp-state established,originator
-  payload /.*Authorization: Basic OmFkbWlu/
-  }
-
-signature sid-1861 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 8080
-  event "WEB-MISC Linksys router default password login attempt (admin:admin)"
-  tcp-state established,originator
-  payload /.*[aA][uU][tT][hH][oO][rR][iI][zZ][aA][tT][iI][oO][nN]: /
-  payload /.* [bB][aA][sS][iI][cC] /
-  payload /.*YWRtaW46YWRtaW4/
-  }
-
-signature sid-1871 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Oracle XSQLConfig.xml access"
-  http /.*[\/\\]XSQLConfig\.xml/
-  tcp-state established,originator
-  }
-
-signature sid-1872 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Oracle Dynamic Monitoring Services (dms) access"
-  http /.*[\/\\]dms0/
-  tcp-state established,originator
-  }
-
-signature sid-1873 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC globals.jsa access"
-  http /.*[\/\\]globals\.jsa/
-  tcp-state established,originator
-  }
-
-signature sid-1874 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Oracle Java Process Manager access"
-  http /.*[\/\\]oprocmgr-status/
-  tcp-state established,originator
-  }
-
-signature sid-1881 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC bad HTTP/1.1 request, Potentially worm attack"
-  tcp-state established,originator
-  payload /GET \/ HTTP\/1\.1\x0d\x0a\x0d\x0a/
-  }
-
-signature sid-1104 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  payload-size == 1
-  event "WEB-MISC whisker space splice attack"
-  tcp-state established,originator
-  payload /\x20/
-  }
-
-signature sid-1087 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  payload-size < 5
-  event "WEB-MISC whisker tab splice attack"
-  tcp-state established,originator
-  payload /.*\x09/
-  }
-
-signature sid-1808 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC apache chunked encoding memory corruption exploit attempt"
-  tcp-state established,originator
-  payload /.*\xC0\x50\x52\x89\xE1\x50\x51\x52\x50\xB8\x3B\x00\x00\x00\xCD\x80/
-  }
-
-signature sid-1943 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC /Carello/add.exe access"
-  http /.*[\/\\]Carello[\/\\]add\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-1944 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC /ecscripts/ecware.exe access"
-  http /.*[\/\\]ecscripts[\/\\]ecware\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-1969 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC ion-p access"
-  http /.*[\/\\]ion-p/
-  tcp-state established,originator
-  }
-
-signature sid-1499 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 8888
-  event "WEB-MISC SiteScope Service access"
-  http /.*[\/\\]SiteScope[\/\\]cgi[\/\\]go\.exe[\/\\]SiteScope/
-  tcp-state established,originator
-  }
-
-signature sid-1946 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 8888
-  event "WEB-MISC answerbook2 admin attempt"
-  http /.*[\/\\]cgi-bin[\/\\]admin[\/\\]admin/
-  tcp-state established,originator
-  }
-
-signature sid-1947 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 8888
-  event "WEB-MISC answerbook2 arbitrary command execution attempt"
-  http /.*[\/\\]ab2[\/\\]/
-  tcp-state established,originator
-  payload /.{1}.*;/
-  }
-
-signature sid-1979 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == http_ports
-  event "WEB-MISC perl post attempt"
-  http /.*[\/\\]perl[\/\\]/
-  tcp-state established,originator
-  payload /POST/
-  }
-
-signature sid-2056 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == http_ports
-  event "WEB-MISC TRACE attempt"
-  tcp-state established,originator
-  payload /TRACE/
-  }
-
-signature sid-2057 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == http_ports
-  event "WEB-MISC helpout.exe access"
-  http /.*[\/\\]helpout\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-2058 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == http_ports
-  event "WEB-MISC MsmMask.exe attempt"
-  http /.*[\/\\]MsmMask\.exe/
-  tcp-state established,originator
-  payload /.*mask=/
-  }
-
-signature sid-2059 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == http_ports
-  event "WEB-MISC MsmMask.exe access"
-  http /.*[\/\\]MsmMask\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-2060 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == http_ports
-  event "WEB-MISC DB4Web access"
-  http /.*[\/\\]DB4Web[\/\\]/
-  tcp-state established,originator
-  }
-
-signature sid-2061 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == http_ports
-  event "WEB-MISC Tomcat null byte directory listing attempt"
-  http /.*\x00\.jsp/
-  tcp-state established,originator
-  }
-
-signature sid-2062 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == http_ports
-  event "WEB-MISC iPlanet .perf access"
-  http /.*[\/\\]\.perf/
-  tcp-state established,originator
-  }
-
-signature sid-2063 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == http_ports
-  event "WEB-MISC Demarc SQL injection attempt"
-  http /.*[\/\\]dm[\/\\]demarc/
-  tcp-state established,originator
-  payload /.*s_key=.*.{0}.*'.{1}.*'.*.{0}.*'/
-  }
-
-signature sid-2064 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == http_ports
-  event "WEB-MISC Lotus Notes .csp script source download attempt"
-  http /.*\.csp/
-  tcp-state established,originator
-  payload /.*\.csp\./
-  }
-
-signature sid-2066 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == http_ports
-  event "WEB-MISC Lotus Notes .pl script source download attempt"
-  http /.*\.pl/
-  tcp-state established,originator
-  payload /.*\.pl\./
-  }
-
-signature sid-2067 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == http_ports
-  event "WEB-MISC Lotus Notes .exe script source download attempt"
-  http /.*\.exe/
-  tcp-state established,originator
-  payload /.*\.exe\./
-  }
-
-signature sid-2068 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == http_ports
-  event "WEB-MISC BitKeeper arbitrary command attempt"
-  http /.*[\/\\]diffs[\/\\]/
-  tcp-state established,originator
-  payload /.*'.*.{0}.*\x3b.{1}.*'/
-  }
-
-signature sid-2069 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == http_ports
-  event "WEB-MISC chip.ini access"
-  http /.*[\/\\]chip\.ini/
-  tcp-state established,originator
-  }
-
-signature sid-2070 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == http_ports
-  event "WEB-MISC post32.exe arbitrary command attempt"
-  http /.*[\/\\]post32\.exe\|/
-  tcp-state established,originator
-  }
-
-signature sid-2071 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == http_ports
-  event "WEB-MISC post32.exe access"
-  http /.*[\/\\]post32\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-2072 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == http_ports
-  event "WEB-MISC lyris.pl access"
-  http /.*[\/\\]lyris\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-2073 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == http_ports
-  event "WEB-MISC globals.pl access"
-  http /.*[\/\\]globals\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-2135 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == http_ports
-  event "WEB-MISC philboard.mdb access"
-  http /.*[\/\\]philboard\.mdb/
-  tcp-state established,originator
-  }
-
-signature sid-2136 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == http_ports
-  event "WEB-MISC philboard_admin.asp authentication bypass attempt"
-  http /.*[\/\\]philboard_admin\.asp/
-  tcp-state established,originator
-  payload /.*[cC][oO][oO][kK][iI][eE].*.{0}.*philboard_admin=True/
-  }
-
-signature sid-2137 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == http_ports
-  event "WEB-MISC philboard_admin.asp access"
-  http /.*[\/\\]philboard_admin\.asp/
-  tcp-state established,originator
-  }
-
-signature sid-2138 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == http_ports
-  event "WEB-MISC logicworks.ini access"
-  http /.*[\/\\]logicworks\.ini/
-  tcp-state established,originator
-  }
-
-signature sid-2139 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == http_ports
-  event "WEB-MISC /*.shtml access"
-  http /.*[\/\\]\*\.shtml/
-  tcp-state established,originator
-  }
-
-signature sid-2156 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == http_ports
-  event "WEB-MISC mod_gzip_status access"
-  http /.*[\/\\]mod_gzip_status/
-  tcp-state established,originator
-  }
-
-signature sid-1774 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP bb_smilies.php access"
-  http /.*[\/\\]bb_smilies\.php/
-  tcp-state established,originator
-  }
-
-signature sid-1423 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP content-disposition memchr overflow"
-  tcp-state established,originator
-  payload /.*Content-Disposition:/
-  payload /.*name=\"\xCC\xCC\xCC\xCC\xCC/
-  }
-
-signature sid-1736 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP squirrel mail spell-check arbitrary command attempt"
-  http /.*[\/\\]squirrelspell[\/\\]modules[\/\\]check_me\.mod\.php/
-  tcp-state established,originator
-  payload /.*[sS][qQ][sS][pP][eE][lL][lL]_[aA][pP][pP]\[/
-  }
-
-signature sid-1737 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP squirrel mail theme arbitrary command attempt"
-  http /.*[\/\\]left_main\.php/
-  tcp-state established,originator
-  payload /.*[cC][mM][dD][dD]=/
-  }
-
-signature sid-1739 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP DNSTools administrator authentication bypass attempt"
-  http /.*[\/\\]dnstools\.php/
-  tcp-state established,originator
-  payload /.*[uU][sS][eE][rR]_[lL][oO][gG][gG][eE][dD]_[iI][nN]=[tT][rR][uU][eE]/
-  payload /.*[uU][sS][eE][rR]_[dD][nN][sS][tT][oO][oO][lL][sS]_[aA][dD][mM][iI][nN][iI][sS][tT][rR][aA][tT][oO][rR]=[tT][rR][uU][eE]/
-  }
-
-signature sid-1740 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP DNSTools authentication bypass attempt"
-  http /.*[\/\\]dnstools\.php/
-  tcp-state established,originator
-  payload /.*[uU][sS][eE][rR]_[lL][oO][gG][gG][eE][dD]_[iI][nN]=[tT][rR][uU][eE]/
-  }
-
-signature sid-1741 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP DNSTools access"
-  http /.*[\/\\]dnstools\.php/
-  tcp-state established,originator
-  }
-
-signature sid-1742 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP Blahz-DNS dostuff.php modify user attempt"
-  http /.*[\/\\]dostuff\.php\?action=modify_user/
-  tcp-state established,originator
-  }
-
-signature sid-1743 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP Blahz-DNS dostuff.php access"
-  http /.*[\/\\]dostuff\.php/
-  tcp-state established,originator
-  }
-
-signature sid-1745 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP Messagerie supp_membre.php access"
-  http /.*[\/\\]supp_membre\.php/
-  tcp-state established,originator
-  }
-
-signature sid-1773 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP php.exe access"
-  http /.*[\/\\]php\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-1815 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP directory.php arbitrary command attempt"
-  http /.*[\/\\]directory\.php/
-  tcp-state established,originator
-  payload /.*dir=/
-  payload /.*;/
-  }
-
-signature sid-1816 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP directory.php access"
-  http /.*[\/\\]directory\.php/
-  tcp-state established,originator
-  }
-
-signature sid-1834 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP PHP-Wiki cross site scripting attempt"
-  http /.*[\/\\]modules\.php\?/
-  http /.*name=Wiki/
-  http /.*<script/
-  tcp-state established,originator
-  }
-
-signature sid-1967 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP phpbb quick-reply.php arbitrary command attempt"
-  http /.*[\/\\]quick-reply\.php/
-  tcp-state established,originator
-  payload /.{1}.*phpbb_root_path=/
-  }
-
-signature sid-1968 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP phpbb quick-reply.php access"
-  http /.*[\/\\]quick-reply\.php/
-  tcp-state established,originator
-  }
-
-signature sid-1997 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP read_body.php access attempt"
-  http /.*[\/\\]read_body\.php/
-  tcp-state established,originator
-  }
-
-signature sid-1998 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP calendar.php access"
-  http /.*[\/\\]calendar\.php/
-  tcp-state established,originator
-  }
-
-signature sid-1999 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP edit_image.php access"
-  http /.*[\/\\]edit_image\.php/
-  tcp-state established,originator
-  }
-
-signature sid-2000 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP readmsg.php access"
-  http /.*[\/\\]readmsg\.php/
-  tcp-state established,originator
-  }
-
-signature sid-2002 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP external include path"
-  http /.*\.php/
-  tcp-state established,originator
-  payload /.*path=http:\/\//
-  }
-
-signature sid-1134 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP Phorum admin access"
-  http /.*[\/\\]admin\.php3/
-  tcp-state established,originator
-  }
-
-signature sid-1161 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP piranha passwd.php3 access"
-  http /.*[\/\\]passwd\.php3/
-  tcp-state established,originator
-  }
-
-signature sid-1178 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP Phorum read access"
-  http /.*[\/\\]read\.php3/
-  tcp-state established,originator
-  }
-
-signature sid-1179 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP Phorum violation access"
-  http /.*[\/\\]violation\.php3/
-  tcp-state established,originator
-  }
-
-signature sid-1197 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP Phorum code access"
-  http /.*[\/\\]code\.php3/
-  tcp-state established,originator
-  }
-
-signature sid-1300 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP admin.php file upload attempt"
-  http /.*[\/\\]admin\.php/
-  tcp-state established,originator
-  payload /.*[fF][iI][lL][eE]_[nN][aA][mM][eE]=/
-  }
-
-signature sid-1301 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP admin.php access"
-  http /.*[\/\\]admin\.php/
-  tcp-state established,originator
-  }
-
-signature sid-1407 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP smssend.php access"
-  http /.*[\/\\]smssend\.php/
-  tcp-state established,originator
-  }
-
-signature sid-1399 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP PHP-Nuke remote file include attempt"
-  http /.*index\.php/
-  tcp-state established,originator
-  payload /.*[fF][iI][lL][eE]=[hH][tT][tT][pP]:\/\//
-  }
-
-signature sid-1490 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP Phorum /support/common.php attempt"
-  http /.*[\/\\]support[\/\\]common\.php/
-  tcp-state established,originator
-  payload /.*ForumLang=\.\.\//
-  }
-
-signature sid-1491 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP Phorum /support/common.php access"
-  http /.*[\/\\]support[\/\\]common\.php/
-  tcp-state established,originator
-  }
-
-signature sid-1137 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP Phorum authentication access"
-  tcp-state established,originator
-  payload /.*[pP][hH][pP]_[aA][uU][tT][hH]_[uU][sS][eE][rR]=[bB][oO][oO][gG][iI][eE][mM][aA][nN]/
-  }
-
-signature sid-1085 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP strings overflow"
-  tcp-state established,originator
-  payload /.*\xba\x49\xfe\xff\xff\xf7\xd2\xb9\xbf\xff\xff\xff\xf7\xd1/
-  }
-
-signature sid-1086 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP strings overflow"
-  http /.*\?STRENGUR/
-  tcp-state established,originator
-  }
-
-signature sid-1254 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP PHPLIB remote command attempt"
-  tcp-state established,originator
-  payload /.*_PHPLIB\[libdir\]/
-  }
-
-signature sid-1255 {
-  ip-proto == tcp
-  src-ip == http_servers
-  dst-ip != local_nets
-  dst-port == http_ports
-  event "WEB-PHP PHPLIB remote command attempt"
-  http /.*[\/\\]db_mysql\.inc/
-  tcp-state established,originator
-  }
-
-signature sid-2074 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP Mambo uploadimage.php upload php file attempt"
-  http /.*[\/\\]uploadimage\.php/
-  tcp-state established,originator
-  payload /.*userfile_name=.{1}.*\.php/
-  }
-
-signature sid-2075 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP Mambo upload.php upload php file attempt"
-  http /.*[\/\\]upload\.php/
-  tcp-state established,originator
-  payload /.*userfile_name=.{1}.*\.php/
-  }
-
-signature sid-2076 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP Mambo uploadimage.php access"
-  http /.*[\/\\]uploadimage\.php/
-  tcp-state established,originator
-  }
-
-signature sid-2077 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP Mambo upload.php access"
-  http /.*[\/\\]upload\.php/
-  tcp-state established,originator
-  }
-
-signature sid-2078 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP phpBB privmsg.php access"
-  http /.*[\/\\]privmsg\.php/
-  tcp-state established,originator
-  }
-
-signature sid-2140 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP p-news.php access"
-  http /.*[\/\\]p-news\.php/
-  tcp-state established,originator
-  }
-
-signature sid-2141 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP shoutbox.php directory traversal attempt"
-  http /.*[\/\\]shoutbox\.php/
-  tcp-state established,originator
-  payload /.*conf=.*.{0}.*\.\.\//
-  }
-
-signature sid-2142 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP shoutbox.php access"
-  http /.*[\/\\]shoutbox\.php/
-  tcp-state established,originator
-  }
-
-signature sid-2143 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP b2 cafelog gm-2-b2.php remote command execution attempt"
-  http /.*[\/\\]gm-2-b2\.php/
-  tcp-state established,originator
-  payload /.*b2inc=http/
-  }
-
-signature sid-2144 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP b2 cafelog gm-2-b2.php access"
-  http /.*[\/\\]gm-2-b2\.php/
-  tcp-state established,originator
-  }
-
-signature sid-2145 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP TextPortal admin.php default password (admin) attempt"
-  http /.*[\/\\]admin\.php/
-  tcp-state established,originator
-  payload /.*op=admin_enter/
-  payload /.*password=admin/
-  }
-
-signature sid-2146 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP TextPortal admin.php default password (12345) attempt"
-  http /.*[\/\\]admin\.php/
-  tcp-state established,originator
-  payload /.*op=admin_enter/
-  payload /.*password=12345/
-  }
-
-signature sid-2147 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP BLNews objects.inc.php4 remote command execution attempt"
-  http /.*[\/\\]objects\.inc\.php4/
-  tcp-state established,originator
-  payload /.*Server\[path\]=http/
-  }
-
-signature sid-2148 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP BLNews objects.inc.php4 access"
-  http /.*[\/\\]objects\.inc\.php4/
-  tcp-state established,originator
-  }
-
-signature sid-2149 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP Turba status.php access"
-  http /.*[\/\\]turba[\/\\]status\.php/
-  tcp-state established,originator
-  }
-
-signature sid-2150 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP ttCMS header.php remote command execution attempt"
-  http /.*[\/\\]admin[\/\\]templates[\/\\]header\.php/
-  tcp-state established,originator
-  payload /.*admin_root=http/
-  }
-
-signature sid-2151 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP ttCMS header.php access"
-  http /.*[\/\\]admin[\/\\]templates[\/\\]header\.php/
-  tcp-state established,originator
-  }
-
-signature sid-2152 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP test.php access"
-  http /.*[\/\\]test\.php/
-  tcp-state established,originator
-  }
-
-signature sid-2153 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP autohtml.php directory traversal attempt"
-  http /.*[\/\\]autohtml\.php/
-  tcp-state established,originator
-  payload /.*name=.*.{0}.*\.\.\/\.\.\//
-  }
-
-signature sid-2154 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP autohtml.php access"
-  http /.*[\/\\]autohtml\.php/
-  tcp-state established,originator
-  }
-
-signature sid-2155 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP ttforum remote command execution attempt"
-  http /.*forum[\/\\]index\.php/
-  tcp-state established,originator
-  payload /.*template=http/
-  }
-
diff --git a/policy/sigs/snort-default.sig b/policy/sigs/snort-default.sig
deleted file mode 100644
index 0e10358824..0000000000
--- a/policy/sigs/snort-default.sig
+++ /dev/null
@@ -1,14888 +0,0 @@
-signature sid-524-a {
-  ip-proto == tcp
-  src-ip == local_nets
-  dst-ip != local_nets
-  src-port == 0
-  event "BAD-TRAFFIC tcp port 0 traffic"
-  }
-
-signature sid-524-b {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 0
-  event "BAD-TRAFFIC tcp port 0 traffic"
-  }
-
-signature sid-525-a {
-  ip-proto == udp
-  src-ip == local_nets
-  dst-ip != local_nets
-  src-port == 0
-  event "BAD-TRAFFIC udp port 0 traffic"
-  }
-
-signature sid-525-b {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 0
-  event "BAD-TRAFFIC udp port 0 traffic"
-  }
-
-signature sid-526 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  payload-size > 6
-  header tcp[13:1] & 255 == 2
-  event "BAD-TRAFFIC data in TCP SYN packet"
-  }
-
-signature sid-528-a {
-  src-ip == 127.0.0.0/8
-  event "BAD-TRAFFIC loopback traffic"
-  }
-
-signature sid-528-b {
-  dst-ip == 127.0.0.0/8
-  event "BAD-TRAFFIC loopback traffic"
-  }
-
-signature sid-527 {
-  same-ip
-  event "BAD-TRAFFIC same SRC/DST"
-  }
-
-signature sid-523 {
-  src-ip != local_nets
-  dst-ip == local_nets
-  event "BAD-TRAFFIC ip reserved bit set"
-  header ip[6:1] & 224 == 128
-  }
-
-signature sid-1321 {
-  src-ip != local_nets
-  dst-ip == local_nets
-  event "BAD-TRAFFIC 0 ttl"
-  header ip[8:1] == 0
-  }
-
-signature sid-1322 {
-  src-ip != local_nets
-  dst-ip == local_nets
-  event "BAD-TRAFFIC bad frag bits"
-  header ip[6:1] & 224 == 96
-  }
-
-signature sid-1627 {
-  src-ip != local_nets
-  dst-ip == local_nets
-  header ip[9:1] > 134
-  event "BAD-TRAFFIC Unassigned/Reserved IP protocol"
-  }
-
-signature sid-1431 {
-  ip-proto == tcp
-  dst-ip == 232.0.0.0/8,233.0.0.0/8,239.0.0.0/8
-  event "BAD-TRAFFIC syn to multicast address"
-  header tcp[13:1] & 255 == 2
-  }
-
-signature sid-2186 {
-  header ip[9:1] == 53
-  event "BAD-TRAFFIC IP Proto 53 (SWIPE)"
-  }
-
-signature sid-2187 {
-  header ip[9:1] == 55
-  event "BAD-TRAFFIC IP Proto 55 (IP Mobility)"
-  }
-
-signature sid-2188 {
-  header ip[9:1] == 77
-  event "BAD-TRAFFIC IP Proto 77 (Sun ND)"
-  }
-
-signature sid-2189 {
-  header ip[9:1] == 103
-  event "BAD-TRAFFIC IP Proto 103 (PIM)"
-  }
-
-signature sid-1324 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 22
-  event "EXPLOIT ssh CRC32 overflow /bin/sh"
-  tcp-state established,originator
-  payload /.*\/bin\/sh/
-  }
-
-signature sid-1326 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 22
-  event "EXPLOIT ssh CRC32 overflow NOOP"
-  tcp-state established,originator
-  payload /.*\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90/
-  }
-
-signature sid-1327 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 22
-  event "EXPLOIT ssh CRC32 overflow"
-  tcp-state established,originator
-  payload /\x00\x01\x57\x00\x00\x00\x18/
-  payload /.{7}\xFF\xFF\xFF\xFF\x00\x00/
-  }
-
-signature sid-283 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  src-port == 80
-  event "EXPLOIT Netscape 4.7 client overflow"
-  tcp-state established,responder
-  payload /.*\x33\xC9\xB1\x10\x3F\xE9\x06\x51\x3C\xFA\x47\x33\xC0\x50\xF7\xD0\x50/
-  }
-
-signature sid-300 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 2766
-  event "EXPLOIT nlps x86 Solaris overflow"
-  tcp-state established,originator
-  payload /.*\xeb\x23\x5e\x33\xc0\x88\x46\xfa\x89\x46\xf5\x89\x36/
-  }
-
-signature sid-301 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 515
-  event "EXPLOIT LPRng overflow"
-  tcp-state established,originator
-  payload /.*\x43\x07\x89\x5B\x08\x8D\x4B\x08\x89\x43\x0C\xB0\x0B\xCD\x80\x31\xC0\xFE\xC0\xCD\x80\xE8\x94\xFF\xFF\xFF\x2F\x62\x69\x6E\x2F\x73\x68\x0A/
-  }
-
-signature sid-302 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 515
-  event "EXPLOIT Redhat 7.0 lprd overflow"
-  tcp-state established,originator
-  payload /.*\x58\x58\x58\x58\x25\x2E\x31\x37\x32\x75\x25\x33\x30\x30\x24\x6E/
-  }
-
-signature sid-304 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 6373
-  event "EXPLOIT SCO calserver overflow"
-  tcp-state established,originator
-  payload /.*\xeb\x7f\x5d\x55\xfe\x4d\x98\xfe\x4d\x9b/
-  }
-
-signature sid-305 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 8080
-  payload-size > 1000
-  event "EXPLOIT delegate proxy overflow"
-  tcp-state established,originator
-  payload /.*[wW][hH][oO][iI][sS]\x3a\/\//
-  }
-
-signature sid-306 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 9090
-  event "EXPLOIT VQServer admin"
-  tcp-state established,originator
-  payload /.*[gG][eE][tT] \/ [hH][tT][tT][pP]\/1\.1/
-  }
-
-signature sid-308 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  src-port == 21
-  event "EXPLOIT NextFTP client overflow"
-  tcp-state established,responder
-  payload /.*\xb4\x20\xb4\x21\x8b\xcc\x83\xe9\x04\x8b\x19\x33\xc9\x66\xb9\x10/
-  }
-
-signature sid-309 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == smtp_servers
-  dst-port == 25
-  payload-size > 512
-  header tcp[13:1] & 255 == 16
-  event "EXPLOIT sniffit overflow"
-  payload /.*[fF][rR][oO][mM]\x3A\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90/
-  }
-
-signature sid-310 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == smtp_servers
-  dst-port == 25
-  event "EXPLOIT x86 windows MailMax overflow"
-  tcp-state established,originator
-  payload /.*\xeb\x45\xeb\x20\x5b\xfc\x33\xc9\xb1\x82\x8b\xf3\x80\x2b/
-  }
-
-signature sid-311 {
-  ip-proto == tcp
-  src-ip == local_nets
-  dst-ip != local_nets
-  dst-port == 80
-  event "EXPLOIT Netscape 4.7 unsucessful overflow"
-  tcp-state established,originator
-  payload /.*\x33\xC9\xB1\x10\x3F\xE9\x06\x51\x3C\xFA\x47\x33\xC0\x50\xF7\xD0\x50/
-  }
-
-signature sid-312 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 123
-  payload-size > 128
-  event "EXPLOIT ntpdx overflow attempt"
-  }
-
-signature sid-313 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 518
-  event "EXPLOIT ntalkd x86 Linux overflow"
-  payload /.*\x01\x03\x00\x00\x00\x00\x00\x01\x00\x02\x02\xe8/
-  }
-
-signature sid-315 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 635
-  event "EXPLOIT x86 Linux mountd overflow"
-  payload /.*\x5e\xb0\x02\x89\x06\xfe\xc8\x89\x46\x04\xb0\x06\x89\x46/
-  }
-
-signature sid-316 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 635
-  event "EXPLOIT x86 Linux mountd overflow"
-  payload /.*\xeb\x56\x5E\x56\x56\x56\x31\xd2\x88\x56\x0b\x88\x56\x1e/
-  }
-
-signature sid-317 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 635
-  event "EXPLOIT x86 Linux mountd overflow"
-  payload /.*\xeb\x40\x5E\x31\xc0\x40\x89\x46\x04\x89\xc3\x40\x89\x06/
-  }
-
-signature sid-1240 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 2224
-  event "EXPLOIT MDBMS overflow"
-  tcp-state established,originator
-  payload /.*\x01\x31\xDB\xCD\x80\xE8\x5B\xFF\xFF\xFF/
-  }
-
-signature sid-1261 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 4242
-  payload-size > 1000
-  event "EXPLOIT AIX pdnsd overflow"
-  tcp-state established,originator
-  payload /.*\x7F\xFF\xFB\x78\x7F\xFF\xFB\x78\x7F\xFF\xFB\x78\x7F\xFF\xFB\x78/
-  payload /.*\x40\x8A\xFF\xC8\x40\x82\xFF\xD8\x3B\x36\xFE\x03\x3B\x76\xFE\x02/
-  }
-
-signature sid-1323 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 4321
-  event "EXPLOIT rwhoisd format string attempt"
-  tcp-state established,originator
-  payload /.*-soa %p/
-  }
-
-signature sid-1398 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 6112
-  event "EXPLOIT CDE dtspcd exploit attempt"
-  tcp-state established,originator
-  payload /.{9}1/
-  payload /.{10}<willnevermatch>/
-  }
-
-signature sid-1751 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port >= 32772
-  dst-port <= 34000
-  payload-size > 720
-  event "EXPLOIT cachefsd buffer overflow attempt"
-  tcp-state established,originator
-  payload /.*\x00\x01\x87\x86\x00\x00\x00\x01\x00\x00\x00\x05/
-  }
-
-signature sid-1894 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 749
-  event "EXPLOIT kadmind buffer overflow attempt"
-  tcp-state established,originator
-  payload /.*\x00\xC0\x05\x08\x00\xC0\x05\x08\x00\xC0\x05\x08\x00\xC0\x05\x08/
-  }
-
-signature sid-1895 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 751
-  event "EXPLOIT kadmind buffer overflow attempt"
-  tcp-state established,originator
-  payload /.*\x00\xC0\x05\x08\x00\xC0\x05\x08\x00\xC0\x05\x08\x00\xC0\x05\x08/
-  }
-
-signature sid-1896 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 749
-  event "EXPLOIT kadmind buffer overflow attempt"
-  tcp-state established,originator
-  payload /.*\xff\xff\x4b\x41\x44\x4d\x30\x2e\x30\x41\x00\x00\xfb\x03/
-  }
-
-signature sid-1897 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 751
-  event "EXPLOIT kadmind buffer overflow attempt"
-  tcp-state established,originator
-  payload /.*\xff\xff\x4b\x41\x44\x4d\x30\x2e\x30\x41\x00\x00\xfb\x03/
-  }
-
-signature sid-1898 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 749
-  event "EXPLOIT kadmind buffer overflow attempt"
-  tcp-state established,originator
-  payload /.*\x2F\x73\x68\x68\x2F\x2F\x62\x69/
-  }
-
-signature sid-1899 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 751
-  event "EXPLOIT kadmind buffer overflow attempt"
-  tcp-state established,originator
-  payload /.*\x2F\x73\x68\x68\x2F\x2F\x62\x69/
-  }
-
-signature sid-1812 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 22
-  event "EXPLOIT gobbles SSH exploit attempt"
-  tcp-state established,originator
-  payload /.*GOBBLES/
-  }
-
-signature sid-1821 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 515
-  event "EXPLOIT LPD dvips remote command execution attempt"
-  tcp-state established,originator
-  payload /.*psfile=\x22\x60/
-  }
-
-signature sid-1838 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  src-port == 22
-  event "EXPLOIT SSH server banner overflow"
-  tcp-state established,responder
-  payload /SSH-[^\x0a]{600}/
-  }
-
-signature sid-307 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port >= 6666
-  dst-port <= 7000
-  event "EXPLOIT CHAT IRC topic overflow"
-  tcp-state established,responder
-  payload /.*\xeb\x4b\x5b\x53\x32\xe4\x83\xc3\x0b\x4b\x88\x23\xb8\x50\x77/
-  }
-
-signature sid-1382 {
-  ip-proto == tcp
-  dst-port >= 6666
-  dst-port <= 7000
-  event "EXPLOIT CHAT IRC Ettercap parse overflow attempt"
-  tcp-state established,originator
-  payload /.*[pP][rR][iI][vV][mM][sS][gG] [nN][iI][cC][kK][sS][eE][rR][vV] [iI][dD][eE][nN][tT][iI][fF][yY][^\x0a]{150}/
-  }
-
-signature sid-292 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 139
-  event "EXPLOIT x86 Linux samba overflow"
-  tcp-state established,originator
-  payload /.*\xeb\x2f\x5f\xeb\x4a\x5e\x89\xfb\x89\x3e\x89\xf2/
-  }
-
-signature sid-613 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  src-port == 10101
-  header tcp[8:4] == 0
-  header tcp[13:1] & 255 == 2
-  header ip[8:1] > 220
-  event "SCAN myscan"
-  }
-
-signature sid-616 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 113
-  event "SCAN ident version request"
-  tcp-state established,originator
-  payload /.{0,8}VERSION\x0A/
-  }
-
-signature sid-619 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 80
-  payload-size == 0
-  header tcp[13:1] & 255 == 195
-  event "SCAN cybercop os probe"
-  }
-
-signature sid-618 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 3128
-  event "SCAN Squid Proxy attempt"
-  header tcp[13:1] & 255 == 2
-  }
-
-signature sid-615 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 1080
-  header tcp[13:1] & 255 == 2
-  event "SCAN SOCKS Proxy attempt"
-  }
-
-signature sid-620 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 8080
-  event "SCAN Proxy (8080) attempt"
-  header tcp[13:1] & 255 == 2
-  }
-
-signature sid-621 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  header tcp[13:1] & 255 == 1
-  event "SCAN FIN"
-  }
-
-signature sid-622 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  header tcp[13:1] & 255 == 2
-  header tcp[4:4] == 1958810375
-  event "SCAN ipEye SYN scan"
-  }
-
-signature sid-623 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  header tcp[8:4] == 0
-  header tcp[13:1] & 255 == 0
-  header tcp[4:4] == 0
-  event "SCAN NULL"
-  }
-
-signature sid-624 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  header tcp[13:1] & 255 == 3
-  event "SCAN SYN FIN"
-  }
-
-signature sid-625 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  header tcp[13:1] & 255 == 63
-  event "SCAN XMAS"
-  }
-
-signature sid-1228 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  header tcp[13:1] & 255 == 41
-  event "SCAN nmap XMAS"
-  }
-
-signature sid-628 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  header tcp[8:4] == 0
-  header tcp[13:1] & 255 == 16
-  event "SCAN nmap TCP"
-  }
-
-signature sid-629 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  header tcp[13:1] & 255 == 43
-  event "SCAN nmap fingerprint attempt"
-  }
-
-signature sid-630 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  header tcp[13:1] & 255 == 3
-  event "SCAN synscan portscan"
-  header ip[4:2] == 39426
-  }
-
-signature sid-626 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  header tcp[13:1] & 255 == 216
-  event "SCAN cybercop os PA12 attempt"
-  payload /AAAAAAAAAAAAAAAA/
-  }
-
-signature sid-627 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  header tcp[8:4] == 0
-  header tcp[13:1] & 255 == 227
-  event "SCAN cybercop os SFU12 probe"
-  payload /AAAAAAAAAAAAAAAA/
-  }
-
-signature sid-634 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port >= 10080
-  dst-port <= 10081
-  event "SCAN Amanda client version request"
-  payload /.*[aA][mM][aA][nN][dD][aA]/
-  }
-
-signature sid-635 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 49
-  event "SCAN XTACACS logout"
-  payload /.*\x80\x07\x00\x00\x07\x00\x00\x04\x00\x00\x00\x00\x00/
-  }
-
-signature sid-636 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 7
-  event "SCAN cybercop udp bomb"
-  payload /.*cybercop/
-  }
-
-signature sid-637 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  event "SCAN Webtrends Scanner UDP Probe"
-  payload /.*\x0Ahelp\x0Aquite\x0A/
-  }
-
-signature sid-1638 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 22
-  event "SCAN SSH Version map attempt"
-  tcp-state established,originator
-  payload /.*[vV][eE][rR][sS][iI][oO][nN]_[mM][aA][pP][pP][eE][rR]/
-  }
-
-signature sid-1917 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 1900
-  event "SCAN UPnP service discover attempt"
-  payload /M-SEARCH /
-  payload /.*ssdp:discover/
-  }
-
-signature sid-1918 {
-  ip-proto == icmp
-  src-ip != local_nets
-  dst-ip == local_nets
-  header icmp[1:1] == 0
-  header icmp[0:1] == 8
-  event "SCAN SolarWinds IP scan attempt"
-  payload /.*SolarWinds\.Net/
-  }
-
-signature sid-1133 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  header tcp[8:4] == 0
-  header tcp[13:1] & 255 == 11
-  event "SCAN cybercop os probe"
-  payload /AAAAAAAAAAAAAAAA/
-  }
-
-signature sid-320 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 79
-  event "FINGER cmd_rootsh backdoor attempt"
-  tcp-state established,originator
-  payload /.*cmd_rootsh/
-  }
-
-signature sid-321 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 79
-  event "FINGER account enumeration attempt"
-  tcp-state established,originator
-  payload /.*[aA] [bB] [cC] [dD] [eE] [fF]/
-  }
-
-signature sid-322 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 79
-  event "FINGER search query"
-  tcp-state established,originator
-  payload /.*search/
-  }
-
-signature sid-323 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 79
-  event "FINGER root query"
-  tcp-state established,originator
-  payload /.*root/
-  }
-
-signature sid-324 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 79
-  event "FINGER null request"
-  tcp-state established,originator
-  payload /.*\x00/
-  }
-
-signature sid-326 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 79
-  event "FINGER remote command ; execution attempt"
-  tcp-state established,originator
-  payload /.*\x3b/
-  }
-
-signature sid-327 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 79
-  event "FINGER remote command pipe execution attempt"
-  tcp-state established,originator
-  payload /.*\x7c/
-  }
-
-signature sid-328 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 79
-  event "FINGER bomb attempt"
-  tcp-state established,originator
-  payload /.*@@/
-  }
-
-signature sid-330 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 79
-  event "FINGER redirection attempt"
-  tcp-state established,originator
-  payload /.*@/
-  }
-
-signature sid-331 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 79
-  event "FINGER cybercop query"
-  tcp-state established,originator
-  payload /.{0,4}\x0A     /
-  }
-
-signature sid-332 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 79
-  event "FINGER 0 query"
-  tcp-state established,originator
-  payload /.*0/
-  }
-
-signature sid-333 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 79
-  event "FINGER . query"
-  tcp-state established,originator
-  payload /.*\./
-  }
-
-signature sid-1541 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 79
-  event "FINGER version query"
-  tcp-state established,originator
-  payload /.*version/
-  }
-
-signature sid-337 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 21
-  event "FTP CEL overflow attempt"
-  tcp-state established,originator
-  payload /.*[cC][eE][lL] [^\x0a]{100}/
-  }
-
-signature sid-1919 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 21
-  event "FTP CWD overflow attempt"
-  tcp-state established,originator
-  payload /.*[cC][wW][dD] [^\x0a]{100}/
-  }
-
-signature sid-1621 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 21
-  event "FTP CMD overflow attempt"
-  tcp-state established,originator
-  payload /.*[cC][mM][dD] [^\x0a]{100}/
-  }
-
-signature sid-1379 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 21
-  event "FTP STAT overflow attempt"
-  tcp-state established,originator
-  payload /.*[sS][tT][aA][tT] [^\x0a]{100}/
-  }
-
-signature sid-1562 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 21
-  event "FTP SITE CHOWN overflow attempt"
-  tcp-state established,originator
-  payload /.*[sS][iI][tT][eE] /
-  payload /.* [cC][hH][oO][wW][nN] [^\x0a]{100}/
-  }
-
-signature sid-1920 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 21
-  event "FTP SITE NEWER overflow attempt"
-  tcp-state established,originator
-  payload /.*[sS][iI][tT][eE] /
-  payload /.* [nN][eE][wW][eE][rR] [^\x0a]{100}/
-  }
-
-signature sid-1888 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 21
-  event "FTP SITE CPWD overflow attempt"
-  tcp-state established,originator
-  payload /.*[sS][iI][tT][eE] /
-  payload /.* [cC][pP][wW][dD] [^\x0a]{100}/
-  }
-
-signature sid-1971 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 21
-  event "FTP SITE EXEC format string attempt"
-  tcp-state established,originator
-  payload /.*[sS][iI][tT][eE].*.{0}.*[eE][xX][eE][cC] .{1}.*%.{1}.*%/
-  }
-
-signature sid-1529 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 21
-  event "FTP SITE overflow attempt"
-  tcp-state established,originator
-  payload /.*[sS][iI][tT][eE] [^\x0a]{100}/
-  }
-
-signature sid-1734 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 21
-  event "FTP USER overflow attempt"
-  tcp-state established,originator
-  payload /.*[uU][sS][eE][rR] [^\x0a]{100}/
-  }
-
-signature sid-1972 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 21
-  event "FTP PASS overflow attempt"
-  tcp-state established,originator
-  payload /.*[pP][aA][sS][sS] [^\x0a]{100}/
-  }
-
-signature sid-1942 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 21
-  event "FTP RMDIR overflow attempt"
-  tcp-state established,originator
-  payload /.*[rR][mM][dD][iI][rR] [^\x0a]{100}/
-  }
-
-signature sid-1973 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 21
-  event "FTP MKD overflow attempt"
-  tcp-state established,originator
-  payload /.*[mM][kK][dD] [^\x0a]{100}/
-  }
-
-signature sid-1974 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 21
-  event "FTP REST overflow attempt"
-  tcp-state established,originator
-  payload /.*[rR][eE][sS][tT] [^\x0a]{100}/
-  }
-
-signature sid-1975 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 21
-  event "FTP DELE overflow attempt"
-  tcp-state established,originator
-  payload /.*[dD][eE][lL][eE] [^\x0a]{100}/
-  }
-
-signature sid-1976 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 21
-  event "FTP RMD overflow attempt"
-  tcp-state established,originator
-  payload /.*[rR][mM][dD] [^\x0a]{100}/
-  }
-
-signature sid-1623 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 21
-  event "FTP invalid MODE"
-  tcp-state established,originator
-  payload /.*[mM][oO][dD][eE] /
-  payload /.*<willnevermatch>/
-  payload /.*<willnevermatch>/
-  payload /.*<willnevermatch>/
-  payload /.*<willnevermatch>/
-  }
-
-signature sid-1624 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 21
-  payload-size == 10
-  event "FTP large PWD command"
-  tcp-state established,originator
-  payload /.*[pP][wW][dD]/
-  }
-
-signature sid-1625 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 21
-  payload-size == 10
-  event "FTP large SYST command"
-  tcp-state established,originator
-  payload /.*[sS][yY][sS][tT]/
-  }
-
-signature sid-2125 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 21
-  event "FTP CWD C:\"
-  tcp-state established,originator
-  payload /.*[cC][wW][dD].{1}.*C:\\/
-  }
-
-signature sid-1921 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 21
-  event "FTP SITE ZIPCHK attempt"
-  tcp-state established,originator
-  payload /.*[sS][iI][tT][eE] /
-  payload /.* [zZ][iI][pP][cC][hH][kK] [^\x0a]{100}/
-  }
-
-signature sid-1864 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 21
-  event "FTP SITE NEWER attempt"
-  tcp-state established,originator
-  payload /.*[sS][iI][tT][eE] /
-  payload /.* [nN][eE][wW][eE][rR] /
-  }
-
-signature sid-361 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 21
-  event "FTP site exec"
-  tcp-state established,originator
-  payload /.*[sS][iI][tT][eE] .*.{0}.*[eE][xX][eE][cC] /
-  }
-
-signature sid-1777 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 21
-  event "FTP EXPLOIT STAT * dos attempt"
-  tcp-state established,originator
-  payload /.*[sS][tT][aA][tT].{1}.*\*/
-  }
-
-signature sid-1778 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 21
-  event "FTP EXPLOIT STAT ? dos attempt"
-  tcp-state established,originator
-  payload /.*[sS][tT][aA][tT].{1}.*\?/
-  }
-
-signature sid-362 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 21
-  event "FTP tar parameters"
-  tcp-state established,originator
-  payload /.*\" --[uU][sS][eE]-[cC][oO][mM][pP][rR][eE][sS][sS]-[pP][rR][oO][gG][rR][aA][mM]\" /
-  }
-
-signature sid-336 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 21
-  event "FTP CWD ~root attempt"
-  tcp-state established,originator
-  payload /.*CWD /
-  payload /.* ~[rR][oO][oO][tT]/
-  }
-
-signature sid-1229 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 21
-  event "FTP CWD ..."
-  tcp-state established,originator
-  payload /.*CWD /
-  payload /.* \.\.\./
-  }
-
-signature sid-1672 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 21
-  event "FTP CWD ~<NEWLINE> attempt"
-  tcp-state established,originator
-  payload /.*CWD /
-  payload /.* ~\x0A/
-  }
-
-signature sid-1728 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 21
-  event "FTP CWD ~<CR><NEWLINE> attempt"
-  tcp-state established,originator
-  payload /.*CWD /
-  payload /.* ~\x0D\x0A/
-  }
-
-signature sid-1779 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 21
-  event "FTP CWD .... attempt"
-  tcp-state established,originator
-  payload /.*CWD /
-  payload /.* \.\.\.\./
-  }
-
-signature sid-360 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 21
-  event "FTP serv-u directory transversal"
-  tcp-state established,originator
-  payload /.*\.%20\./
-  }
-
-signature sid-1377 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 21
-  event "FTP wu-ftp bad file completion attempt ["
-  tcp-state established,originator
-  payload /.*~.{1}.*\[/
-  }
-
-signature sid-1378 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 21
-  event "FTP wu-ftp bad file completion attempt {"
-  tcp-state established,originator
-  payload /.*~.{1}.*\{/
-  }
-
-signature sid-1530 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 21
-  event "FTP format string attempt"
-  tcp-state established,originator
-  payload /.*%[pP]/
-  }
-
-signature sid-1622 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 21
-  event "FTP RNFR ././ attempt"
-  tcp-state established,originator
-  payload /.*[rR][nN][fF][rR] /
-  payload /.* \.\/\.\//
-  }
-
-signature sid-1748 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 21
-  payload-size > 100
-  event "FTP command overflow attempt"
-  tcp-state established,originator
-  }
-
-signature sid-1992 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 21
-  event "FTP LIST directory traversal attempt"
-  payload /.*LIST.{1}.*\.\..{1}.*\.\./
-  }
-
-signature sid-334 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 21
-  event "FTP .forward"
-  tcp-state established,originator
-  payload /.*\.forward/
-  }
-
-signature sid-335 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 21
-  event "FTP .rhosts"
-  tcp-state established,originator
-  payload /.*\.rhosts/
-  }
-
-signature sid-1927 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 21
-  event "FTP authorized_keys"
-  tcp-state established,originator
-  payload /.*authorized_keys/
-  }
-
-signature sid-356 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 21
-  event "FTP passwd retrieval attempt"
-  tcp-state established,originator
-  payload /.*[rR][eE][tT][rR]/
-  payload /.*passwd/
-  }
-
-signature sid-1928 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 21
-  event "FTP shadow retrieval attempt"
-  tcp-state established,originator
-  payload /.*[rR][eE][tT][rR]/
-  payload /.*shadow/
-  }
-
-signature sid-144 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 21
-  event "FTP ADMw0rm ftp login attempt"
-  tcp-state established,originator
-  payload /.*USER w0rm\x0D\x0A/
-  }
-
-signature sid-353 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 21
-  event "FTP adm scan"
-  tcp-state established,originator
-  payload /.*PASS ddd@\x0a/
-  }
-
-signature sid-354 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 21
-  event "FTP iss scan"
-  tcp-state established,originator
-  payload /.*pass -iss@iss/
-  }
-
-signature sid-355 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 21
-  event "FTP pass wh00t"
-  tcp-state established,originator
-  payload /.*[pP][aA][sS][sS] [wW][hH]00[tT]/
-  }
-
-signature sid-357 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 21
-  event "FTP piss scan"
-  tcp-state established,originator
-  payload /.*pass -cklaus/
-  }
-
-signature sid-358 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 21
-  event "FTP saint scan"
-  tcp-state established,originator
-  payload /.*pass -saint/
-  }
-
-signature sid-359 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 21
-  event "FTP satan scan"
-  tcp-state established,originator
-  payload /.*pass -satan/
-  }
-
-signature sid-1430 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == telnet_servers
-  dst-port == 23
-  event "TELNET Solaris memory mismanagement exploit attempt"
-  tcp-state established,originator
-  payload /.*\xA0\x23\xA0\x10\xAE\x23\x80\x10\xEE\x23\xBF\xEC\x82\x05\xE0\xD6\x90\x25\xE0/
-  }
-
-signature sid-711 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == telnet_servers
-  dst-port == 23
-  event "TELNET SGI telnetd format bug"
-  tcp-state established,originator
-  payload /.*_RLD/
-  payload /.*bin\/sh/
-  }
-
-signature sid-712 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == telnet_servers
-  dst-port == 23
-  event "TELNET ld_library_path"
-  tcp-state established,originator
-  payload /.*ld_library_path/
-  }
-
-signature sid-713 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == telnet_servers
-  dst-port == 23
-  event "TELNET livingston DOS"
-  tcp-state established,originator
-  payload /.*\xff\xf3\xff\xf3\xff\xf3\xff\xf3\xff\xf3/
-  }
-
-signature sid-714 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == telnet_servers
-  dst-port == 23
-  event "TELNET resolv_host_conf"
-  tcp-state established,originator
-  payload /.*resolv_host_conf/
-  }
-
-signature sid-715 {
-  ip-proto == tcp
-  src-ip == telnet_servers
-  dst-ip != local_nets
-  src-port == 23
-  event "TELNET Attempted SU from wrong group"
-  tcp-state established,responder
-  payload /.*[tT][oO] [sS][uU] [rR][oO][oO][tT]/
-  }
-
-signature sid-717 {
-  ip-proto == tcp
-  src-ip == telnet_servers
-  dst-ip != local_nets
-  src-port == 23
-  event "TELNET not on console"
-  tcp-state established,responder
-  payload /.*[nN][oO][tT] [oO][nN] [sS][yY][sS][tT][eE][mM] [cC][oO][nN][sS][oO][lL][eE]/
-  }
-
-signature sid-718 {
-  ip-proto == tcp
-  src-ip == telnet_servers
-  dst-ip != local_nets
-  src-port == 23
-  event "TELNET login incorrect"
-  tcp-state established,responder
-  payload /.*Login incorrect/
-  }
-
-signature sid-719 {
-  ip-proto == tcp
-  src-ip == telnet_servers
-  dst-ip != local_nets
-  src-port == 23
-  event "TELNET root login"
-  tcp-state established,responder
-  payload /.*login: root/
-  }
-
-signature sid-1252 {
-  ip-proto == tcp
-  src-ip == telnet_servers
-  dst-ip != local_nets
-  src-port == 23
-  event "TELNET bsd telnet exploit response"
-  tcp-state established,responder
-  payload /.*\x0D\x0A\[Yes\]\x0D\x0A\xFF\xFE\x08\xFF\xFD\x26/
-  }
-
-signature sid-1253 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == telnet_servers
-  dst-port == 23
-  payload-size > 200
-  event "TELNET bsd exploit client finishing"
-  tcp-state established,responder
-  payload /.{199}\xFF\xF6\xFF\xF6\xFF\xFB\x08\xFF\xF6/
-  }
-
-signature sid-709 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == telnet_servers
-  dst-port == 23
-  event "TELNET 4Dgifts SGI account attempt"
-  tcp-state established,originator
-  payload /.*4Dgifts/
-  }
-
-signature sid-710 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == telnet_servers
-  dst-port == 23
-  event "TELNET EZsetup account attempt"
-  tcp-state established,originator
-  payload /.*OutOfBox/
-  }
-
-signature sid-716 {
-  ip-proto == tcp
-  src-ip == telnet_servers
-  dst-ip != local_nets
-  src-port == 23
-  event "TELNET access"
-  tcp-state established,responder
-  payload /.*\xFF\xFD\x18\xFF\xFD\x1F\xFF\xFD\x23\xFF\xFD\x27\xFF\xFD\x24/
-  }
-
-signature sid-2093 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 111
-  # Not supported: byte_test: 4,>,2048,12,relative
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap proxy integer overflow attempt TCP"
-  tcp-state established,originator
-  payload /.{7}\x00\x00\x00\x00/
-  payload /.{15}\x00\x01\x86\xA0\x00.{3}\x00\x00\x00\x05/
-  }
-
-signature sid-2092 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap proxy integer overflow attempt UDP"
-  # Not supported: byte_test: 4,>,2048,12,relative
-  payload /.{3}\x00\x00\x00\x00/
-  payload /.{11}\x00\x01\x86\xA0\x00.{3}\x00\x00\x00\x05/
-  }
-
-signature sid-1922 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 111
-  event "RPC portmap proxy attempt TCP"
-  tcp-state established,originator
-  payload /.{7}\x00\x00\x00\x00/
-  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x05/
-  }
-
-signature sid-1923 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 111
-  event "RPC portmap proxy attempt UDP"
-  payload /.{3}\x00\x00\x00\x00/
-  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x05/
-  }
-
-signature sid-1280 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 111
-  event "RPC portmap listing UDP 111"
-  payload /.{3}\x00\x00\x00\x00/
-  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x04/
-  }
-
-signature sid-598 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 111
-  event "RPC portmap listing TCP 111"
-  tcp-state established,originator
-  payload /.{7}\x00\x00\x00\x00/
-  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x04/
-  }
-
-signature sid-1949 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 111
-  event "RPC portmap SET attempt TCP 111"
-  tcp-state established,originator
-  payload /.{7}\x00\x00\x00\x00/
-  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x01/
-  }
-
-signature sid-1950 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 111
-  event "RPC portmap SET attempt UDP 111"
-  payload /.{3}\x00\x00\x00\x00/
-  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x01/
-  }
-
-signature sid-2014 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 111
-  event "RPC portmap UNSET attempt TCP 111"
-  tcp-state established,originator
-  payload /.{7}\x00\x00\x00\x00/
-  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x02/
-  }
-
-signature sid-2015 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 111
-  event "RPC portmap UNSET attempt UDP 111"
-  payload /.{3}\x00\x00\x00\x00/
-  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x02/
-  }
-
-signature sid-599 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 32771
-  event "RPC portmap listing TCP 32771"
-  tcp-state established,originator
-  payload /.{7}\x00\x00\x00\x00/
-  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x04/
-  }
-
-signature sid-1281 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 32771
-  event "RPC portmap listing UDP 32771"
-  payload /.{3}\x00\x00\x00\x00/
-  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x04/
-  }
-
-signature sid-1746 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap cachefsd request UDP"
-  payload /.{3}\x00\x00\x00\x00/
-  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x87\x8B/
-  }
-
-signature sid-1747 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap cachefsd request TCP"
-  tcp-state established,originator
-  payload /.{7}\x00\x00\x00\x00/
-  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x87\x8B/
-  }
-
-signature sid-1732 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap rwalld request UDP"
-  payload /.{3}\x00\x00\x00\x00/
-  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA8/
-  }
-
-signature sid-1733 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap rwalld request TCP"
-  tcp-state established,originator
-  payload /.{7}\x00\x00\x00\x00/
-  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA8/
-  }
-
-signature sid-575 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap admind request UDP"
-  payload /.{3}\x00\x00\x00\x00/
-  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xF7/
-  }
-
-signature sid-1262 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap admind request TCP"
-  tcp-state established,originator
-  payload /.{7}\x00\x00\x00\x00/
-  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xF7/
-  }
-
-signature sid-576 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap amountd request UDP"
-  payload /.{3}\x00\x00\x00\x00/
-  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x87\x03/
-  }
-
-signature sid-1263 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap amountd request TCP"
-  tcp-state established,originator
-  payload /.{7}\x00\x00\x00\x00/
-  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x87\x03/
-  }
-
-signature sid-577 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap bootparam request UDP"
-  payload /.{3}\x00\x00\x00\x00/
-  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xBA/
-  }
-
-signature sid-1264 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap bootparam request TCP"
-  tcp-state established,originator
-  payload /.{7}\x00\x00\x00\x00/
-  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xBA/
-  }
-
-signature sid-580 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap nisd request UDP"
-  payload /.{3}\x00\x00\x00\x00/
-  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x87\xcc/
-  }
-
-signature sid-1267 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap nisd request TCP"
-  tcp-state established,originator
-  payload /.{7}\x00\x00\x00\x00/
-  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x87\xcc/
-  }
-
-signature sid-581 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap pcnfsd request UDP"
-  payload /.{3}\x00\x00\x00\x00/
-  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x02\x49\xf1/
-  }
-
-signature sid-1268 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap pcnfsd request TCP"
-  tcp-state established,originator
-  payload /.{7}\x00\x00\x00\x00/
-  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x02\x49\xf1/
-  }
-
-signature sid-582 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap rexd request UDP"
-  payload /.{3}\x00\x00\x00\x00/
-  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xB1/
-  }
-
-signature sid-1269 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap rexd request TCP"
-  tcp-state established,originator
-  payload /.{7}\x00\x00\x00\x00/
-  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xB1/
-  }
-
-signature sid-584 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap rusers request UDP"
-  payload /.{3}\x00\x00\x00\x00/
-  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA2/
-  }
-
-signature sid-1271 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap rusers request TCP"
-  tcp-state established,originator
-  payload /.{7}\x00\x00\x00\x00/
-  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA2/
-  }
-
-signature sid-612 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  event "RPC rusers query UDP"
-  payload /.{3}\x00\x00\x00\x00/
-  payload /.{11}\x00\x01\x86\xA2.{4}\x00\x00\x00\x02/
-  }
-
-signature sid-586 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap selection_svc request UDP"
-  payload /.{3}\x00\x00\x00\x00/
-  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xAF/
-  }
-
-signature sid-1273 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap selection_svc request TCP"
-  tcp-state established,originator
-  payload /.{7}\x00\x00\x00\x00/
-  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xAF/
-  }
-
-signature sid-587 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap status request UDP"
-  payload /.{3}\x00\x00\x00\x00/
-  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xB8/
-  }
-
-signature sid-2016 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap status request TCP"
-  tcp-state established,originator
-  payload /.{7}\x00\x00\x00\x00/
-  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xB8/
-  }
-
-signature sid-593 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap snmpXdmi request TCP"
-  tcp-state established,originator
-  payload /.{7}\x00\x00\x00\x00/
-  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x87\x99/
-  }
-
-signature sid-1279 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap snmpXdmi request UDP"
-  payload /.{3}\x00\x00\x00\x00/
-  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x87\x99/
-  }
-
-signature sid-569 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  # Not supported: byte_test: 4,>,1024,20,relative
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC snmpXdmi overflow attempt TCP"
-  tcp-state established,originator
-  payload /.{7}\x00\x00\x00\x00/
-  payload /.{15}\x00\x01\x87\x99.{4}\x00\x00\x01\x01/
-  }
-
-signature sid-2045 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC snmpXdmi overflow attempt UDP"
-  # Not supported: byte_test: 4,>,1024,20,relative
-  payload /.{3}\x00\x00\x00\x00/
-  payload /.{11}\x00\x01\x87\x99.{4}\x00\x00\x01\x01/
-  }
-
-signature sid-2017 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap espd request UDP"
-  payload /.{3}\x00\x00\x00\x00/
-  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x05\xF7\x75/
-  }
-
-signature sid-595 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap espd request TCP"
-  tcp-state established,originator
-  payload /.{7}\x00\x00\x00\x00/
-  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x05\xF7\x75/
-  }
-
-signature sid-1890 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port >= 1024
-  dst-port <= 65535
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC status GHBN format string attack"
-  payload /.{3}\x00\x00\x00\x00/
-  payload /.{11}\x00\x01\x86\xB8.{4}\x00\x00\x00\x02.{0,251}%x %x/
-  }
-
-signature sid-1891 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port >= 1024
-  dst-port <= 65535
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC status GHBN format string attack"
-  tcp-state established,originator
-  payload /.{7}\x00\x00\x00\x00/
-  payload /.{15}\x00\x01\x86\xB8.{4}\x00\x00\x00\x02.{0,251}%x %x/
-  }
-
-signature sid-579 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap mountd request UDP"
-  payload /.{3}\x00\x00\x00\x00/
-  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA5/
-  }
-
-signature sid-1266 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap mountd request TCP"
-  tcp-state established,originator
-  payload /.{7}\x00\x00\x00\x00/
-  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA5/
-  }
-
-signature sid-574 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  event "RPC mountd TCP export request"
-  tcp-state established,originator
-  payload /.{7}\x00\x00\x00\x00/
-  payload /.{15}\x00\x01\x86\xA5.{4}\x00\x00\x00\x05/
-  }
-
-signature sid-1924 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  event "RPC mountd UDP export request"
-  payload /.{3}\x00\x00\x00\x00/
-  payload /.{11}\x00\x01\x86\xA5.{4}\x00\x00\x00\x05/
-  }
-
-signature sid-1925 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  event "RPC mountd TCP exportall request"
-  tcp-state established,originator
-  payload /.{7}\x00\x00\x00\x00/
-  payload /.{15}\x00\x01\x86\xA5.{4}\x00\x00\x00\x06/
-  }
-
-signature sid-1926 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  event "RPC mountd UDP exportall request"
-  payload /.{3}\x00\x00\x00\x00/
-  payload /.{11}\x00\x01\x86\xA5.{4}\x00\x00\x00\x06/
-  }
-
-signature sid-1951 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  event "RPC mountd TCP mount request"
-  tcp-state established,originator
-  payload /.{7}\x00\x00\x00\x00/
-  payload /.{15}\x00\x01\x86\xA5.{4}\x00\x00\x00\x01/
-  }
-
-signature sid-1952 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  event "RPC mountd UDP mount request"
-  payload /.{3}\x00\x00\x00\x00/
-  payload /.{11}\x00\x01\x86\xA5.{4}\x00\x00\x00\x01/
-  }
-
-signature sid-2018 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  event "RPC mountd TCP dump request"
-  tcp-state established,originator
-  payload /.{7}\x00\x00\x00\x00/
-  payload /.{15}\x00\x01\x86\xA5.{4}\x00\x00\x00\x02/
-  }
-
-signature sid-2019 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  event "RPC mountd UDP dump request"
-  payload /.{3}\x00\x00\x00\x00/
-  payload /.{11}\x00\x01\x86\xA5.{4}\x00\x00\x00\x02/
-  }
-
-signature sid-2020 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  event "RPC mountd TCP unmount request"
-  tcp-state established,originator
-  payload /.{7}\x00\x00\x00\x00/
-  payload /.{15}\x00\x01\x86\xA5.{4}\x00\x00\x00\x03/
-  }
-
-signature sid-2021 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  event "RPC mountd UDP unmount request"
-  payload /.{3}\x00\x00\x00\x00/
-  payload /.{11}\x00\x01\x86\xA5.{4}\x00\x00\x00\x03/
-  }
-
-signature sid-2022 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  event "RPC mountd TCP unmountall request"
-  tcp-state established,originator
-  payload /.{7}\x00\x00\x00\x00/
-  payload /.{15}\x00\x01\x86\xA5.{4}\x00\x00\x00\x04/
-  }
-
-signature sid-2023 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  event "RPC mountd UDP unmountall request"
-  payload /.{3}\x00\x00\x00\x00/
-  payload /.{11}\x00\x01\x86\xA5.{4}\x00\x00\x00\x04/
-  }
-
-signature sid-1905 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port >= 500
-  dst-port <= 65535
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC AMD UDP amqproc_mount plog overflow attempt"
-  # Not supported: byte_test: 4,>,512,0,relative
-  payload /.{3}\x00\x00\x00\x00/
-  payload /.{11}\x00\x04\x93\xF3.{4}\x00\x00\x00\x07/
-  }
-
-signature sid-1906 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port >= 500
-  dst-port <= 65535
-  # Not supported: byte_test: 4,>,512,0,relative
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC AMD TCP amqproc_mount plog overflow attempt"
-  tcp-state established,originator
-  payload /.{7}\x00\x00\x00\x00/
-  payload /.{15}\x00\x04\x93\xF3.{4}\x00\x00\x00\x07/
-  }
-
-signature sid-1953 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port >= 500
-  dst-port <= 65535
-  event "RPC AMD TCP pid request"
-  tcp-state established,originator
-  payload /.{7}\x00\x00\x00\x00/
-  payload /.{15}\x00\x04\x93\xF3.{4}\x00\x00\x00\x09/
-  }
-
-signature sid-1954 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port >= 500
-  dst-port <= 65535
-  event "RPC AMD UDP pid request"
-  payload /.{3}\x00\x00\x00\x00/
-  payload /.{11}\x00\x04\x93\xF3.{4}\x00\x00\x00\x09/
-  }
-
-signature sid-1955 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port >= 500
-  dst-port <= 65535
-  event "RPC AMD TCP version request"
-  tcp-state established,originator
-  payload /.{7}\x00\x00\x00\x00/
-  payload /.{15}\x00\x04\x93\xF3.{4}\x00\x00\x00\x08/
-  }
-
-signature sid-1956 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port >= 500
-  dst-port <= 65535
-  event "RPC AMD UDP version request"
-  payload /.{3}\x00\x00\x00\x00/
-  payload /.{11}\x00\x04\x93\xF3.{4}\x00\x00\x00\x08/
-  }
-
-signature sid-578 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap cmsd request UDP"
-  payload /.{3}\x00\x00\x00\x00/
-  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xE4/
-  }
-
-signature sid-1265 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap cmsd request TCP"
-  tcp-state established,originator
-  payload /.{7}\x00\x00\x00\x00/
-  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xE4/
-  }
-
-signature sid-1907 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC CMSD UDP CMSD_CREATE buffer overflow attempt"
-  # Not supported: byte_test: 4,>,1024,0,relative
-  payload /.{3}\x00\x00\x00\x00/
-  payload /.{11}\x00\x01\x86\xE4.{4}\x00\x00\x00\x15/
-  }
-
-signature sid-1908 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  # Not supported: byte_test: 4,>,1024,0,relative
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC CMSD TCP CMSD_CREATE buffer overflow attempt"
-  tcp-state established,originator
-  payload /.{7}\x00\x00\x00\x00/
-  payload /.{15}\x00\x01\x86\xE4.{4}\x00\x00\x00\x15/
-  }
-
-signature sid-2094 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC CMSD UDP CMSD_CREATE array buffer overflow attempt"
-  # Not supported: byte_test: 4,>,1024,20,relative
-  payload /.{3}\x00\x00\x00\x00/
-  payload /.{11}\x00\x01\x86\xE4.{4}\x00\x00\x00\x15/
-  }
-
-signature sid-2095 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  # Not supported: byte_test: 4,>,1024,20,relative
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC CMSD TCP CMSD_CREATE array buffer overflow attempt"
-  tcp-state established,originator
-  payload /.{7}\x00\x00\x00\x00/
-  payload /.{15}\x00\x01\x86\xE4.{4}\x00\x00\x00\x15/
-  }
-
-signature sid-1909 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  # Not supported: byte_test: 4,>,1000,28,relative
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align,4,0,relative,align
-  event "RPC CMSD TCP CMSD_INSERT buffer overflow attempt"
-  tcp-state established,originator
-  payload /.{7}\x00\x00\x00\x00/
-  payload /.{15}\x00\x01\x86\xE4.{4}\x00\x00\x00\x06/
-  }
-
-signature sid-1910 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align,4,0,relative,align
-  event "RPC CMSD udp CMSD_INSERT buffer overflow attempt"
-  # Not supported: byte_test: 4,>,1000,28,relative
-  payload /.{3}\x00\x00\x00\x00/
-  payload /.{11}\x00\x01\x86\xE4.{4}\x00\x00\x00\x06/
-  }
-
-signature sid-1272 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap sadmind request TCP"
-  tcp-state established,originator
-  payload /.{7}\x00\x00\x00\x00/
-  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x87\x88/
-  }
-
-signature sid-585 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap sadmind request UDP"
-  payload /.{3}\x00\x00\x00\x00/
-  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x87\x88/
-  }
-
-signature sid-1911 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align,4,124,relative,align,4,20,relative,align
-  event "RPC sadmind UDP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt"
-  # Not supported: byte_test: 4,>,512,4,relative
-  payload /.{3}\x00\x00\x00\x00/
-  payload /.{11}\x00\x01\x87\x88.{4}\x00\x00\x00\x01/
-  }
-
-signature sid-1912 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  # Not supported: byte_test: 4,>,512,4,relative
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align,4,124,relative,align,4,20,relative,align
-  event "RPC sadmind TCP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt"
-  tcp-state established,originator
-  payload /.{7}\x00\x00\x00\x00/
-  payload /.{15}\x00\x01\x87\x88.{4}\x00\x00\x00\x01/
-  }
-
-signature sid-1957 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  event "RPC sadmind UDP PING"
-  payload /.{3}\x00\x00\x00\x00/
-  payload /.{11}\x00\x01\x87\x88.{4}\x00\x00\x00\x00/
-  }
-
-signature sid-1958 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  event "RPC sadmind TCP PING"
-  tcp-state established,originator
-  payload /.{7}\x00\x00\x00\x00/
-  payload /.{15}\x00\x01\x87\x88.{4}\x00\x00\x00\x00/
-  }
-
-signature sid-583 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap rstatd request UDP"
-  payload /.{3}\x00\x00\x00\x00/
-  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA1/
-  }
-
-signature sid-1270 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap rstatd request TCP"
-  tcp-state established,originator
-  payload /.{7}\x00\x00\x00\x00/
-  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA1/
-  }
-
-signature sid-1913 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC STATD UDP stat mon_name format string exploit attempt"
-  # Not supported: byte_test: 4,>,100,0,relative
-  payload /.{3}\x00\x00\x00\x00/
-  payload /.{11}\x00\x01\x86\xB8.{4}\x00\x00\x00\x01/
-  }
-
-signature sid-1914 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  # Not supported: byte_test: 4,>,100,0,relative
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC STATD TCP stat mon_name format string exploit attempt"
-  tcp-state established,originator
-  payload /.{7}\x00\x00\x00\x00/
-  payload /.{15}\x00\x01\x86\xB8.{4}\x00\x00\x00\x01/
-  }
-
-signature sid-1915 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC STATD UDP monitor mon_name format string exploit attempt"
-  # Not supported: byte_test: 4,>,100,0,relative
-  payload /.{3}\x00\x00\x00\x00/
-  payload /.{11}\x00\x01\x86\xB8.{4}\x00\x00\x00\x02/
-  }
-
-signature sid-1916 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  # Not supported: byte_test: 4,>,100,0,relative
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC STATD TCP monitor mon_name format string exploit attempt"
-  tcp-state established,originator
-  payload /.{7}\x00\x00\x00\x00/
-  payload /.{15}\x00\x01\x86\xB8.{4}\x00\x00\x00\x02/
-  }
-
-signature sid-1277 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap ypupdated request UDP"
-  payload /.{3}\x00\x00\x00\x00/
-  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xBC/
-  }
-
-signature sid-591 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap ypupdated request TCP"
-  tcp-state established,originator
-  payload /.{7}\x00\x00\x00\x00/
-  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xBC/
-  }
-
-signature sid-2088 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC ypupdated arbitrary command attempt UDP"
-  payload /.{3}\x00\x00\x00\x00/
-  payload /.{11}\x00\x01\x86\xBC.{4}\x00\x00\x00\x01.{4}.*\|/
-  }
-
-signature sid-2089 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC ypupdated arbitrary command attempt TCP"
-  tcp-state established,originator
-  payload /.{7}\x00\x00\x00\x00/
-  payload /.{15}\x00\x01\x86\xBC.{4}\x00\x00\x00\x01.{4}.*\|/
-  }
-
-signature sid-1959 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap NFS request UDP"
-  payload /.{3}\x00\x00\x00\x00/
-  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA3/
-  }
-
-signature sid-1960 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap NFS request TCP"
-  tcp-state established,originator
-  payload /.{7}\x00\x00\x00\x00/
-  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA3/
-  }
-
-signature sid-1961 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap RQUOTA request UDP"
-  payload /.{3}\x00\x00\x00\x00/
-  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xAB/
-  }
-
-signature sid-1962 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap RQUOTA request TCP"
-  tcp-state established,originator
-  payload /.{7}\x00\x00\x00\x00/
-  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xAB/
-  }
-
-signature sid-1963 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC RQUOTA getquota overflow attempt UDP"
-  # Not supported: byte_test: 4,>,128,0,relative
-  payload /.{3}\x00\x00\x00\x00/
-  payload /.{11}\x00\x01\x86\xAB.{4}\x00\x00\x00\x01/
-  }
-
-signature sid-2024 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC RQUOTA getquota overflow attempt TCP"
-  # Not supported: byte_test: 4,>,128,0,relative
-  payload /.{7}\x00\x00\x00\x00/
-  payload /.{15}\x00\x01\x86\xAB.{4}\x00\x00\x00\x01/
-  }
-
-signature sid-588 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap ttdbserv request UDP"
-  payload /.{3}\x00\x00\x00\x00/
-  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xF3/
-  }
-
-signature sid-1274 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap ttdbserv request TCP"
-  tcp-state established,originator
-  payload /.{7}\x00\x00\x00\x00/
-  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xF3/
-  }
-
-signature sid-1964 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC tooltalk UDP overflow attempt"
-  # Not supported: byte_test: 4,>,128,0,relative
-  payload /.{3}\x00\x00\x00\x00/
-  payload /.{11}\x00\x01\x86\xF3.{4}\x00\x00\x00\x07/
-  }
-
-signature sid-1965 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  # Not supported: byte_test: 4,>,128,0,relative
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC tooltalk TCP overflow attempt"
-  tcp-state established,originator
-  payload /.{7}\x00\x00\x00\x00/
-  payload /.{15}\x00\x01\x86\xF3.{4}\x00\x00\x00\x07/
-  }
-
-signature sid-589 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap yppasswd request UDP"
-  payload /.{3}\x00\x00\x00\x00/
-  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA9/
-  }
-
-signature sid-1275 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap yppasswd request TCP"
-  tcp-state established,originator
-  payload /.{7}\x00\x00\x00\x00/
-  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA9/
-  }
-
-signature sid-2027 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  # Not supported: byte_test: 4,>,64,0,relative
-  event "RPC yppasswd old password overflow attempt UDP"
-  payload /.{3}\x00\x00\x00\x00/
-  payload /.{11}\x00\x01\x86\xA9.{4}\x00\x00\x00\x01/
-  }
-
-signature sid-2028 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  # Not supported: byte_test: 4,>,64,0,relative
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC yppasswd old password overflow attempt TCP"
-  tcp-state established,originator
-  payload /.{7}\x00\x00\x00\x00/
-  payload /.{15}\x00\x01\x86\xA9.{4}\x00\x00\x00\x01/
-  }
-
-signature sid-2025 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align,4,0,relative,align
-  event "RPC yppasswd username overflow attempt UDP"
-  # Not supported: byte_test: 4,>,64,0,relative
-  payload /.{3}\x00\x00\x00\x00/
-  payload /.{11}\x00\x01\x86\xA9.{4}\x00\x00\x00\x01/
-  }
-
-signature sid-2026 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  # Not supported: byte_test: 4,>,64,0,relative
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align,4,0,relative,align
-  event "RPC yppasswd username overflow attempt TCP"
-  tcp-state established,originator
-  payload /.{7}\x00\x00\x00\x00/
-  payload /.{15}\x00\x01\x86\xA9.{4}\x00\x00\x00\x01/
-  }
-
-signature sid-2029 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align,4,0,relative,align,4,0,relative,align
-  # Not supported: byte_test: 4,>,64,0,relative
-  event "RPC yppasswd new password overflow attempt UDP"
-  payload /.{3}\x00\x00\x00\x00/
-  payload /.{11}\x00\x01\x86\xA9.{4}\x00\x00\x00\x01/
-  }
-
-signature sid-2030 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  # Not supported: byte_test: 4,>,64,0,relative
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align,4,0,relative,align,4,0,relative,align
-  event "RPC yppasswd new password overflow attempt TCP"
-  tcp-state established,originator
-  payload /.{7}\x00\x00\x00\x00/
-  payload /.{15}\x00\x01\x86\xA9.{4}\x00\x00\x00\x01/
-  }
-
-signature sid-2031 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  event "RPC yppasswd user update UDP"
-  payload /.{3}\x00\x00\x00\x00/
-  payload /.{11}\x00\x01\x86\xA9.{4}\x00\x00\x00\x01/
-  }
-
-signature sid-2032 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  event "RPC yppasswd user update TCP"
-  tcp-state established,originator
-  payload /.{7}\x00\x00\x00\x00/
-  payload /.{15}\x00\x01\x86\xA9.{4}\x00\x00\x00\x01/
-  }
-
-signature sid-590 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap ypserv request UDP"
-  payload /.{3}\x00\x00\x00\x00/
-  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA4/
-  }
-
-signature sid-1276 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap ypserv request TCP"
-  tcp-state established,originator
-  payload /.{7}\x00\x00\x00\x00/
-  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA4/
-  }
-
-signature sid-2033 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  event "RPC ypserv maplist request UDP"
-  payload /.{3}\x00\x00\x00\x00/
-  payload /.{11}\x00\x01\x86\xA4.{4}\x00\x00\x00\x0B/
-  }
-
-signature sid-2034 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  event "RPC ypserv maplist request TCP"
-  tcp-state established,originator
-  payload /.{7}\x00\x00\x00\x00/
-  payload /.{15}\x00\x01\x86\xA4.{4}\x00\x00\x00\x0B/
-  }
-
-signature sid-2035 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap network-status-monitor request UDP"
-  payload /.{3}\x00\x00\x00\x00/
-  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x03\x0D\x70/
-  }
-
-signature sid-2036 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap network-status-monitor request TCP"
-  tcp-state established,originator
-  payload /.{7}\x00\x00\x00\x00/
-  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x03\x0D\x70/
-  }
-
-signature sid-2037 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  event "RPC network-status-monitor mon-callback request UDP"
-  payload /.{3}\x00\x00\x00\x00/
-  payload /.{11}\x00\x03\x0D\x70.{4}\x00\x00\x00\x01/
-  }
-
-signature sid-2038 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  event "RPC network-status-monitor mon-callback request TCP"
-  tcp-state established,originator
-  payload /.{7}\x00\x00\x00\x00/
-  payload /.{15}\x00\x03\x0D\x70.{4}\x00\x00\x00\x01/
-  }
-
-signature sid-2079 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap nlockmgr request UDP"
-  payload /.{3}\x00\x00\x00\x00/
-  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xB5/
-  }
-
-signature sid-2080 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap nlockmgr request TCP"
-  tcp-state established,originator
-  payload /.{7}\x00\x00\x00\x00/
-  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xB5/
-  }
-
-signature sid-2081 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap rpc.xfsmd request UDP"
-  payload /.{3}\x00\x00\x00\x00/
-  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x05\xF7\x68/
-  }
-
-signature sid-2082 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap rpc.xfsmd request TCP"
-  tcp-state established,originator
-  payload /.{7}\x00\x00\x00\x00/
-  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x05\xF7\x68/
-  }
-
-signature sid-2083 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  event "RPC rpc.xfsmd xfs_export attempt UDP"
-  payload /.{3}\x00\x00\x00\x00/
-  payload /.{11}\x00\x05\xF7\x68.{4}\x00\x00\x00\x0D/
-  }
-
-signature sid-2084 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  event "RPC rpc.xfsmd xfs_export attempt TCP"
-  tcp-state established,originator
-  payload /.{7}\x00\x00\x00\x00/
-  payload /.{15}\x00\x05\xF7\x68.{4}\x00\x00\x00\x0D/
-  }
-
-signature sid-2005 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap kcms_server request UDP"
-  payload /.{3}\x00\x00\x00\x00/
-  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x87\x7D/
-  }
-
-signature sid-2006 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap kcms_server request TCP"
-  tcp-state established,originator
-  payload /.{7}\x00\x00\x00\x00/
-  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x87\x7D/
-  }
-
-signature sid-2007 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port >= 32771
-  dst-port <= 34000
-  # Not supported: byte_jump: 4,20,relative,align,4,4,relative,align
-  event "RPC kcms_server directory traversal attempt"
-  tcp-state established,originator
-  payload /.{7}\x00\x00\x00\x00/
-  payload /.{15}\x00\x01\x87\x7D.*.{0}.*\/\.\.\//
-  }
-
-signature sid-601 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 513
-  event "RSERVICES rlogin LinuxNIS"
-  tcp-state established,originator
-  payload /.*\x3a\x3a\x3a\x3a\x3a\x3a\x3a\x3a\x00\x3a\x3a\x3a\x3a\x3a\x3a\x3a\x3a/
-  }
-
-signature sid-602 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 513
-  event "RSERVICES rlogin bin"
-  tcp-state established,originator
-  payload /.*bin\x00bin\x00/
-  }
-
-signature sid-603 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 513
-  event "RSERVICES rlogin echo++"
-  tcp-state established,originator
-  payload /.*echo \x22 \+ \+ \x22/
-  }
-
-signature sid-604 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 513
-  event "RSERVICES rsh froot"
-  tcp-state established,originator
-  payload /.*-froot\x00/
-  }
-
-signature sid-611 {
-  ip-proto == tcp
-  src-ip == local_nets
-  dst-ip != local_nets
-  src-port == 513
-  event "RSERVICES rlogin login failure"
-  tcp-state established,responder
-  payload /.*\x01rlogind\x3a Permission denied\./
-  }
-
-signature sid-605 {
-  ip-proto == tcp
-  src-ip == local_nets
-  dst-ip != local_nets
-  src-port == 513
-  event "RSERVICES rlogin login failure"
-  tcp-state established,responder
-  payload /.*login incorrect/
-  }
-
-signature sid-606 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 513
-  event "RSERVICES rlogin root"
-  tcp-state established,originator
-  payload /.*root\x00root\x00/
-  }
-
-signature sid-607 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 514
-  event "RSERVICES rsh bin"
-  tcp-state established,originator
-  payload /.*bin\x00bin\x00/
-  }
-
-signature sid-608 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 514
-  event "RSERVICES rsh echo + +"
-  tcp-state established,originator
-  payload /.*echo \x22\+ \+\x22/
-  }
-
-signature sid-609 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 514
-  event "RSERVICES rsh froot"
-  tcp-state established,originator
-  payload /.*-froot\x00/
-  }
-
-signature sid-610 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 514
-  event "RSERVICES rsh root"
-  tcp-state established,originator
-  payload /.*root\x00root\x00/
-  }
-
-signature sid-2113 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 512
-  event "RSERVICES rexec username overflow attempt"
-  payload /.{8}.*\x00.*.{0}.*\x00.*.{0}.*\x00/
-  }
-
-signature sid-2114 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 512
-  event "RSERVICES rexec password overflow attempt"
-  payload /.*\x00.{33}.*\x00.*.{0}.*\x00/
-  }
-
-signature sid-268 {
-  src-ip != local_nets
-  dst-ip == local_nets
-  payload-size == 408
-  event "DOS Jolt attack"
-  header ip[6:1] & 224 == 32
-  }
-
-signature sid-270 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  event "DOS Teardrop attack"
-  header ip[6:1] & 224 == 32
-  header ip[4:2] == 242
-  }
-
-signature sid-271-a {
-  ip-proto == udp
-  src-port == 7
-  dst-port == 19
-  event "DOS UDP echo+chargen bomb"
-  }
-
-signature sid-271-b {
-  ip-proto == udp
-  src-port == 19
-  dst-port == 7
-  event "DOS UDP echo+chargen bomb"
-  }
-
-signature sid-272 {
-  src-ip != local_nets
-  dst-ip == local_nets
-  header ip[9:1] == 2
-  event "DOS IGMP dos attack"
-  header ip[6:1] & 224 == 32
-  payload /\x02\x00/
-  }
-
-signature sid-273 {
-  src-ip != local_nets
-  dst-ip == local_nets
-  header ip[9:1] == 2
-  event "DOS IGMP dos attack"
-  header ip[6:1] & 224 == 32
-  payload /\x00\x00/
-  }
-
-signature sid-274 {
-  ip-proto == icmp
-  src-ip != local_nets
-  dst-ip == local_nets
-  header icmp[0:1] == 8
-  event "DOS ath"
-  payload /.*\+\+\+[aA][tT][hH]/
-  }
-
-signature sid-275-a {
-  ip-proto == tcp
-  src-ip == local_nets
-  dst-ip != local_nets
-  header tcp[13:1] & 255 == 2
-  header tcp[4:4] == 6060842
-  event "DOS NAPTHA"
-  header ip[4:2] == 413
-  }
-
-signature sid-275-b {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  header tcp[13:1] & 255 == 2
-  header tcp[4:4] == 6060842
-  event "DOS NAPTHA"
-  header ip[4:2] == 413
-  }
-
-signature sid-276 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 7070
-  event "DOS Real Audio Server"
-  tcp-state established,originator
-  payload /.*\xff\xf4\xff\xfd\x06/
-  }
-
-signature sid-277 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 7070
-  event "DOS Real Server template.html"
-  tcp-state established,originator
-  payload /.*\/[vV][iI][eE][wW][sS][oO][uU][rR][cC][eE]\/[tT][eE][mM][pP][lL][aA][tT][eE]\.[hH][tT][mM][lL]\?/
-  }
-
-signature sid-278 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 8080
-  event "DOS Real Server template.html"
-  tcp-state established,originator
-  payload /.*\/[vV][iI][eE][wW][sS][oO][uU][rR][cC][eE]\/[tT][eE][mM][pP][lL][aA][tT][eE]\.[hH][tT][mM][lL]\?/
-  }
-
-signature sid-279 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 161
-  payload-size == 0
-  event "DOS Bay/Nortel Nautica Marlin"
-  }
-
-signature sid-281 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 9
-  event "DOS Ascend Route"
-  payload /.{24}.{0,17}\x4e\x41\x4d\x45\x4e\x41\x4d\x45/
-  }
-
-signature sid-282 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 617
-  payload-size > 1445
-  event "DOS arkiea backup"
-  tcp-state established,originator
-  }
-
-signature sid-1257 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port >= 135
-  dst-port <= 139
-  header tcp[13:1] & 255 == 32
-  event "DOS Winnuke attack"
-  }
-
-signature sid-1408 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 3372
-  payload-size > 1023
-  event "DOS MSDTC attempt"
-  tcp-state established,originator
-  }
-
-signature sid-1605 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 6004
-  event "DOS iParty DOS attempt"
-  tcp-state established,originator
-  payload /.*\xFF\xFF\xFF\xFF\xFF\xFF/
-  }
-
-signature sid-1641 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port >= 6789
-  dst-port <= 6790
-  payload-size == 1
-  event "DOS DB2 dos attempt"
-  tcp-state established,originator
-  }
-
-signature sid-1545 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == 80
-  payload-size == 1
-  event "DOS Cisco attempt"
-  tcp-state established,originator
-  payload /\x13/
-  }
-
-signature sid-221 {
-  ip-proto == icmp
-  src-ip != local_nets
-  dst-ip == local_nets
-  header icmp[0:1] == 8
-  event "DDOS TFN Probe"
-  header ip[4:2] == 678
-  payload /.*1234/
-  }
-
-signature sid-222 {
-  ip-proto == icmp
-  src-ip != local_nets
-  dst-ip == local_nets
-  header icmp[0:1] == 0
-  event "DDOS tfn2k icmp possible communication"
-  header icmp[0:1] == 0,8
-  header icmp[4:2] == 0
-  payload /.*AAAAAAAAAA/
-  }
-
-signature sid-223 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 31335
-  event "DDOS Trin00:DaemontoMaster(PONGdetected)"
-  payload /.*PONG/
-  }
-
-signature sid-228 {
-  ip-proto == icmp
-  src-ip != local_nets
-  dst-ip == local_nets
-  header icmp[0:1] == 0
-  header icmp[0:1] == 0,8
-  header icmp[6:2] == 0
-  event "DDOS TFN client command BE"
-  header icmp[0:1] == 0,8
-  header icmp[4:2] == 456
-  }
-
-signature sid-230 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 20432
-  event "DDOS shaft client to handler"
-  tcp-state established
-  }
-
-signature sid-231 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 31335
-  event "DDOS Trin00:DaemontoMaster(messagedetected)"
-  payload /.*l44/
-  }
-
-signature sid-232 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 31335
-  event "DDOS Trin00:DaemontoMaster(*HELLO*detected)"
-  payload /.*\*HELLO\*/
-  }
-
-signature sid-233 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 27665
-  event "DDOS Trin00:Attacker to Master default startup password"
-  tcp-state established,originator
-  payload /.*betaalmostdone/
-  }
-
-signature sid-234 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 27665
-  event "DDOS Trin00 Attacker to Master default password"
-  tcp-state established,originator
-  payload /.*gOrave/
-  }
-
-signature sid-235 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 27665
-  event "DDOS Trin00 Attacker to Master default mdie password"
-  tcp-state established,originator
-  payload /.*killme/
-  }
-
-signature sid-237 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 27444
-  event "DDOS Trin00:MastertoDaemon(defaultpassdetected!)"
-  payload /.*l44adsl/
-  }
-
-signature sid-238 {
-  ip-proto == icmp
-  src-ip == local_nets
-  dst-ip != local_nets
-  header icmp[0:1] == 0
-  header icmp[0:1] == 0,8
-  header icmp[6:2] == 0
-  event "DDOS TFN server response"
-  header icmp[0:1] == 0,8
-  header icmp[4:2] == 123
-  payload /.*shell bound to port/
-  }
-
-signature sid-239 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 18753
-  event "DDOS shaft handler to agent"
-  payload /.*alive tijgu/
-  }
-
-signature sid-240 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 20433
-  event "DDOS shaft agent to handler"
-  payload /.*alive/
-  }
-
-signature sid-241-a {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  header tcp[13:1] & 255 == 2
-  header tcp[4:4] == 674711609
-  event "DDOS shaft synflood"
-  }
-
-signature sid-241-b {
-  ip-proto == tcp
-  src-ip == local_nets
-  dst-ip != local_nets
-  header tcp[13:1] & 255 == 2
-  header tcp[4:4] == 674711609
-  event "DDOS shaft synflood"
-  }
-
-signature sid-243 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 6838
-  event "DDOS mstream agent to handler"
-  payload /.*newserver/
-  }
-
-signature sid-244 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 10498
-  event "DDOS mstream handler to agent"
-  payload /.*stream\//
-  }
-
-signature sid-245 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 10498
-  event "\"DDOS mstream handler ping to agent\" "
-  payload /.*ping/
-  }
-
-signature sid-246 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 10498
-  event "\"DDOS mstream agent pong to handler\" "
-  payload /.*pong/
-  }
-
-signature sid-247 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 12754
-  event "DDOS mstream client to handler"
-  tcp-state established,originator
-  payload /.*>/
-  }
-
-signature sid-248 {
-  ip-proto == tcp
-  src-ip == local_nets
-  dst-ip != local_nets
-  src-port == 12754
-  event "DDOS mstream handler to client"
-  tcp-state established,responder
-  payload /.*>/
-  }
-
-signature sid-249 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 15104
-  header tcp[13:1] & 255 == 2
-  event "DDOS mstream client to handler"
-  }
-
-signature sid-250 {
-  ip-proto == tcp
-  src-ip == local_nets
-  dst-ip != local_nets
-  src-port == 15104
-  event "DDOS mstream handler to client"
-  tcp-state established,responder
-  payload /.*>/
-  }
-
-signature sid-251 {
-  ip-proto == icmp
-  src-ip != local_nets
-  dst-ip == local_nets
-  header icmp[0:1] == 0
-  header icmp[0:1] == 0,8
-  header icmp[6:2] == 0
-  event "DDOS - TFN client command LE"
-  header icmp[0:1] == 0,8
-  header icmp[4:2] == 51201
-  }
-
-signature sid-224 {
-  ip-proto == icmp
-  src-ip == 3.3.3.3/32
-  dst-ip != local_nets
-  header icmp[0:1] == 0
-  event "DDOS Stacheldraht server spoof"
-  header icmp[0:1] == 0,8
-  header icmp[4:2] == 666
-  }
-
-signature sid-225 {
-  ip-proto == icmp
-  src-ip == local_nets
-  dst-ip != local_nets
-  header icmp[0:1] == 0
-  event "DDOS Stacheldraht gag server response"
-  header icmp[0:1] == 0,8
-  header icmp[4:2] == 669
-  payload /.*sicken/
-  }
-
-signature sid-226 {
-  ip-proto == icmp
-  src-ip == local_nets
-  dst-ip != local_nets
-  header icmp[0:1] == 0
-  event "DDOS Stacheldraht server response"
-  header icmp[0:1] == 0,8
-  header icmp[4:2] == 667
-  payload /.*ficken/
-  }
-
-signature sid-227 {
-  ip-proto == icmp
-  src-ip != local_nets
-  dst-ip == local_nets
-  header icmp[0:1] == 0
-  event "DDOS Stacheldraht client spoofworks"
-  header icmp[0:1] == 0,8
-  header icmp[4:2] == 1000
-  payload /.*spoofworks/
-  }
-
-signature sid-236 {
-  ip-proto == icmp
-  src-ip != local_nets
-  dst-ip == local_nets
-  header icmp[0:1] == 0
-  event "DDOS Stacheldraht client check gag"
-  header icmp[0:1] == 0,8
-  header icmp[4:2] == 668
-  payload /.*gesundheit!/
-  }
-
-signature sid-229 {
-  ip-proto == icmp
-  src-ip != local_nets
-  dst-ip == local_nets
-  header icmp[0:1] == 0
-  event "DDOS Stacheldraht client check skillz"
-  header icmp[0:1] == 0,8
-  header icmp[4:2] == 666
-  payload /.*skillz/
-  }
-
-signature sid-1854-a {
-  ip-proto == icmp
-  src-ip == local_nets
-  dst-ip != local_nets
-  header icmp[0:1] == 0
-  event "DDOS Stacheldraht handler->agent (niggahbitch)"
-  header icmp[0:1] == 0,8
-  header icmp[4:2] == 9015
-  payload /.*niggahbitch/
-  }
-
-signature sid-1854-b {
-  ip-proto == icmp
-  src-ip != local_nets
-  dst-ip == local_nets
-  header icmp[0:1] == 0
-  event "DDOS Stacheldraht handler->agent (niggahbitch)"
-  header icmp[0:1] == 0,8
-  header icmp[4:2] == 9015
-  payload /.*niggahbitch/
-  }
-
-signature sid-1855-a {
-  ip-proto == icmp
-  src-ip == local_nets
-  dst-ip != local_nets
-  header icmp[0:1] == 0
-  event "DDOS Stacheldraht agent->handler (skillz)"
-  header icmp[0:1] == 0,8
-  header icmp[4:2] == 6666
-  payload /.*skillz/
-  }
-
-signature sid-1855-b {
-  ip-proto == icmp
-  src-ip != local_nets
-  dst-ip == local_nets
-  header icmp[0:1] == 0
-  event "DDOS Stacheldraht agent->handler (skillz)"
-  header icmp[0:1] == 0,8
-  header icmp[4:2] == 6666
-  payload /.*skillz/
-  }
-
-signature sid-1856-a {
-  ip-proto == icmp
-  src-ip == local_nets
-  dst-ip != local_nets
-  header icmp[0:1] == 0
-  event "DDOS Stacheldraht handler->agent (ficken)"
-  header icmp[0:1] == 0,8
-  header icmp[4:2] == 6667
-  payload /.*ficken/
-  }
-
-signature sid-1856-b {
-  ip-proto == icmp
-  src-ip != local_nets
-  dst-ip == local_nets
-  header icmp[0:1] == 0
-  event "DDOS Stacheldraht handler->agent (ficken)"
-  header icmp[0:1] == 0,8
-  header icmp[4:2] == 6667
-  payload /.*ficken/
-  }
-
-signature sid-255 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 53
-  event "DNS zone transfer TCP"
-  tcp-state established,originator
-  payload /.{14}.*\x00\x00\xFC/
-  }
-
-signature sid-1948 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 53
-  event "DNS zone transfer UDP"
-  payload /.{13}.*\x00\x00\xFC/
-  }
-
-signature sid-1435 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 53
-  event "DNS named authors attempt"
-  tcp-state established,originator
-  payload /.{11}.*\x07[aA][uU][tT][hH][oO][rR][sS]/
-  payload /.{11}.*\x04[bB][iI][nN][dD]/
-  }
-
-signature sid-256 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 53
-  event "DNS named authors attempt"
-  payload /.{11}.*\x07[aA][uU][tT][hH][oO][rR][sS]/
-  payload /.{11}.*\x04[bB][iI][nN][dD]/
-  }
-
-signature sid-257 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 53
-  event "DNS named version attempt"
-  tcp-state established,originator
-  payload /.{11}.*\x07[vV][eE][rR][sS][iI][oO][nN]/
-  payload /.{11}.*\x04[bB][iI][nN][dD]/
-  }
-
-signature sid-1616 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 53
-  event "DNS named version attempt"
-  payload /.{11}.*\x07[vV][eE][rR][sS][iI][oO][nN]/
-  payload /.{11}.*\x04[bB][iI][nN][dD]/
-  }
-
-signature sid-253 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  src-port == 53
-  event "DNS SPOOF query response PTR with TTL: 1 min. and no authority"
-  payload /.*\x85\x80\x00\x01\x00\x01\x00\x00\x00\x00/
-  payload /.*\xc0\x0c\x00\x0c\x00\x01\x00\x00\x00\x3c\x00\x0f/
-  }
-
-signature sid-254 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  src-port == 53
-  event "DNS SPOOF query response with ttl: 1 min. and no authority"
-  payload /.*\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00/
-  payload /.*\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04/
-  }
-
-signature sid-258 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 53
-  event "DNS EXPLOIT named 8.2->8.2.1"
-  tcp-state established,originator
-  payload /.*\.\.\/\.\.\/\.\.\//
-  }
-
-signature sid-303 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 53
-  event "DNS EXPLOIT named tsig overflow attempt"
-  tcp-state established,originator
-  payload /.*\xAB\xCD\x09\x80\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x01\x00\x01\x20\x20\x20\x20\x02\x61/
-  }
-
-signature sid-314 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 53
-  event "DNS EXPLOIT named tsig overflow attempt"
-  payload /.*\x80\x00\x07\x00\x00\x00\x00\x00\x01\x3F\x00\x01\x02/
-  }
-
-signature sid-259 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 53
-  event "DNS EXPLOIT named overflow (ADM)"
-  tcp-state established,originator
-  payload /.*thisissometempspaceforthesockinaddrinyeahyeahiknowthisislamebutanywaywhocareshorizongotitworkingsoalliscool/
-  }
-
-signature sid-260 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 53
-  event "DNS EXPLOIT named overflow (ADMROCKS)"
-  tcp-state established,originator
-  payload /.*ADMROCKS/
-  }
-
-signature sid-261 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 53
-  event "DNS EXPLOIT named overflow attempt"
-  tcp-state established,originator
-  payload /.*\xCD\x80\xE8\xD7\xFF\xFF\xFF\/bin\/sh/
-  }
-
-signature sid-262 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 53
-  event "DNS EXPLOIT x86 Linux overflow attempt"
-  tcp-state established,originator
-  payload /.*\x31\xc0\xb0\x3f\x31\xdb\xb3\xff\x31\xc9\xcd\x80\x31\xc0/
-  }
-
-signature sid-264 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 53
-  event "DNS EXPLOIT x86 Linux overflow attempt"
-  tcp-state established,originator
-  payload /.*\x31\xc0\xb0\x02\xcd\x80\x85\xc0\x75\x4c\xeb\x4c\x5e\xb0/
-  }
-
-signature sid-265 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 53
-  event "DNS EXPLOIT x86 Linux overflow attempt (ADMv2)"
-  tcp-state established,originator
-  payload /.*\x89\xf7\x29\xc7\x89\xf3\x89\xf9\x89\xf2\xac\x3c\xfe/
-  }
-
-signature sid-266 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 53
-  event "DNS EXPLOIT x86 FreeBSD overflow attempt"
-  tcp-state established,originator
-  payload /.*\xeb\x6e\x5e\xc6\x06\x9a\x31\xc9\x89\x4e\x01\xc6\x46\x05/
-  }
-
-signature sid-267 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 53
-  event "DNS EXPLOIT sparc overflow attempt"
-  tcp-state established,originator
-  payload /.*\x90\x1a\xc0\x0f\x90\x02\x20\x08\x92\x02\x20\x0f\xd0\x23\xbf\xf8/
-  }
-
-signature sid-1941 {
-  ip-proto == udp
-  dst-port == 69
-  event "TFTP filename overflow attempt"
-  payload /\x00\x01[^\x00]{100}/
-  }
-
-signature sid-1289 {
-  ip-proto == udp
-  dst-port == 69
-  event "TFTP GET Admin.dll"
-  payload /\x00\x01/
-  payload /.{1}.*[aA][dD][mM][iI][nN]\.[dD][lL][lL]/
-  }
-
-signature sid-1441 {
-  ip-proto == udp
-  dst-port == 69
-  event "TFTP GET nc.exe"
-  payload /\x00\x01/
-  payload /.{1}.*[nN][cC]\.[eE][xX][eE]/
-  }
-
-signature sid-1442 {
-  ip-proto == udp
-  dst-port == 69
-  event "TFTP GET shadow"
-  payload /\x00\x01/
-  payload /.{1}.*[sS][hH][aA][dD][oO][wW]/
-  }
-
-signature sid-1443 {
-  ip-proto == udp
-  dst-port == 69
-  event "TFTP GET passwd"
-  payload /\x00\x01/
-  payload /.{1}.*[pP][aA][sS][sS][wW][dD]/
-  }
-
-signature sid-519 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 69
-  event "TFTP parent directory"
-  payload /.{1}.*\.\./
-  }
-
-signature sid-520 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 69
-  event "TFTP root directory"
-  payload /\x00\x01\//
-  }
-
-signature sid-518 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 69
-  event "TFTP Put"
-  payload /\x00\x02/
-  }
-
-signature sid-1444 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 69
-  event "TFTP Get"
-  payload /\x00\x01/
-  }
-
-signature sid-803 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI HyperSeek hsx.cgi directory traversal attempt"
-  http /.*[\/\\]hsx\.cgi/
-  tcp-state established,originator
-  payload /.*\.\.\/\.\.\/.{1}.*%00/
-  }
-
-signature sid-1607 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI HyperSeek hsx.cgi access"
-  http /.*[\/\\]hsx\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-804 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI SWSoft ASPSeek Overflow attempt"
-  http /.*[\/\\]s\.cgi/
-  tcp-state established,originator
-  payload /.*[tT][mM][pP][lL]=/
-  }
-
-signature sid-805 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI webspeed access"
-  http /.*[\/\\]wsisa\.dll[\/\\]WService=/
-  tcp-state established,originator
-  payload /.*[wW][sS][mM][aA][dD][mM][iI][nN]/
-  }
-
-signature sid-806 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI yabb.cgi directory traversal attempt"
-  http /.*[\/\\]YaBB\.pl/
-  tcp-state established,originator
-  payload /.*\.\.\//
-  }
-
-signature sid-1637 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI yabb.cgi access"
-  http /.*[\/\\]YaBB\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-807 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI /wwwboard/passwd.txt access"
-  http /.*[\/\\]wwwboard[\/\\]passwd\.txt/
-  tcp-state established,originator
-  }
-
-signature sid-808 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI webdriver access"
-  http /.*[\/\\]webdriver/
-  tcp-state established,originator
-  }
-
-signature sid-809 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI whois_raw.cgi arbitrary command execution attempt"
-  http /.*[\/\\]whois_raw\.cgi\?/
-  tcp-state established,originator
-  payload /.*\x0a/
-  }
-
-signature sid-810 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI whois_raw.cgi access"
-  http /.*[\/\\]whois_raw\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-811 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI websitepro path access"
-  tcp-state established,originator
-  payload /.* \/[hH][tT][tT][pP]\/1\./
-  }
-
-signature sid-812 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI webplus version access"
-  http /.*[\/\\]webplus\?about/
-  tcp-state established,originator
-  }
-
-signature sid-813 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI webplus directory traversal"
-  http /.*[\/\\]webplus\?script/
-  tcp-state established,originator
-  payload /.*\.\.\//
-  }
-
-signature sid-815 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI websendmail access"
-  http /.*[\/\\]websendmail/
-  tcp-state established,originator
-  }
-
-signature sid-1571 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI dcforum.cgi directory traversal attempt"
-  http /.*[\/\\]dcforum\.cgi/
-  tcp-state established,originator
-  payload /.*forum=\.\.\/\.\./
-  }
-
-signature sid-818 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI dcforum.cgi access"
-  http /.*[\/\\]dcforum\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-817 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI dcboard.cgi invalid user addition attempt"
-  http /.*[\/\\]dcboard\.cgi/
-  tcp-state established,originator
-  payload /.*command=register/
-  payload /.*%7cadmin/
-  }
-
-signature sid-1410 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI dcboard.cgi access"
-  http /.*[\/\\]dcboard\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-819 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI mmstdod.cgi access"
-  http /.*[\/\\]mmstdod\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-820 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI anaconda directory transversal attempt"
-  http /.*[\/\\]apexec\.pl/
-  tcp-state established,originator
-  payload /.*[tT][eE][mM][pP][lL][aA][tT][eE]=\.\.\//
-  }
-
-signature sid-821 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI imagemap.exe overflow attempt"
-  http /.*[\/\\]imagemap\.exe\?/
-  tcp-state established,originator
-  }
-
-signature sid-1700 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI imagemap.exe access"
-  http /.*[\/\\]imagemap\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-823 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI cvsweb.cgi access"
-  http /.*[\/\\]cvsweb\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-824 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI php.cgi access"
-  http /.*[\/\\]php\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-825 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI glimpse access"
-  http /.*[\/\\]glimpse/
-  tcp-state established,originator
-  }
-
-signature sid-1608 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI htmlscript attempt"
-  http /.*[\/\\]htmlscript\?\.\.[\/\\]\.\./
-  tcp-state established,originator
-  }
-
-signature sid-826 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI htmlscript access"
-  http /.*[\/\\]htmlscript/
-  tcp-state established,originator
-  }
-
-signature sid-827 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI info2www access"
-  http /.*[\/\\]info2www/
-  tcp-state established,originator
-  }
-
-signature sid-828 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI maillist.pl access"
-  http /.*[\/\\]maillist\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-829 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI nph-test-cgi access"
-  http /.*[\/\\]nph-test-cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1451 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI NPH-publish access"
-  http /.*[\/\\]nph-maillist\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-830 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI NPH-publish access"
-  http /.*[\/\\]nph-publish/
-  tcp-state established,originator
-  }
-
-signature sid-833 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI rguest.exe access"
-  http /.*[\/\\]rguest\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-834 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI rwwwshell.pl access"
-  http /.*[\/\\]rwwwshell\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-1644 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI test-cgi attempt"
-  http /.*[\/\\]test-cgi[\/\\]\*\?\*/
-  tcp-state established,originator
-  }
-
-signature sid-835 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI test-cgi access"
-  http /.*[\/\\]test-cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1645 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI testcgi access"
-  http /.*[\/\\]testcgi/
-  tcp-state established,originator
-  }
-
-signature sid-1646 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI test.cgi access"
-  http /.*[\/\\]test\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-836 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI textcounter.pl access"
-  http /.*[\/\\]textcounter\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-837 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI uploader.exe access"
-  http /.*[\/\\]uploader\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-838 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI webgais access"
-  http /.*[\/\\]webgais/
-  tcp-state established,originator
-  }
-
-signature sid-839 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI finger access"
-  http /.*[\/\\]finger/
-  tcp-state established,originator
-  }
-
-signature sid-840 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI perlshop.cgi access"
-  http /.*[\/\\]perlshop\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-841 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI pfdisplay.cgi access"
-  http /.*[\/\\]pfdisplay\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-842 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI aglimpse access"
-  http /.*[\/\\]aglimpse/
-  tcp-state established,originator
-  }
-
-signature sid-843 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI anform2 access"
-  http /.*[\/\\]AnForm2/
-  tcp-state established,originator
-  }
-
-signature sid-844 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI args.bat access"
-  http /.*[\/\\]args\.bat/
-  tcp-state established,originator
-  }
-
-signature sid-1452 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI args.cmd access"
-  http /.*[\/\\]args\.cmd/
-  tcp-state established,originator
-  }
-
-signature sid-845 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI AT-admin.cgi access"
-  http /.*[\/\\]AT-admin\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1453 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI AT-generated.cgi access"
-  http /.*[\/\\]AT-generated\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-846 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI bnbform.cgi access"
-  http /.*[\/\\]bnbform\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-847 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI campas access"
-  http /.*[\/\\]campas/
-  tcp-state established,originator
-  }
-
-signature sid-848 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI view-source directory traversal"
-  http /.*[\/\\]view-source/
-  tcp-state established,originator
-  payload /.*\.\.\//
-  }
-
-signature sid-849 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI view-source access"
-  http /.*[\/\\]view-source/
-  tcp-state established,originator
-  }
-
-signature sid-850 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI wais.pl access"
-  http /.*[\/\\]wais\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-1454 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI wwwwais access"
-  http /.*[\/\\]wwwwais/
-  tcp-state established,originator
-  }
-
-signature sid-851 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI files.pl access"
-  http /.*[\/\\]files\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-852 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI wguest.exe access"
-  http /.*[\/\\]wguest\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-853 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI wrap access"
-  http /.*[\/\\]wrap/
-  tcp-state established,originator
-  }
-
-signature sid-854 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI classifieds.cgi access"
-  http /.*[\/\\]classifieds\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-856 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI environ.cgi access"
-  http /.*[\/\\]environ\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1647 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI faxsurvey attempt (full path)"
-  http /.*[\/\\]faxsurvey\?[\/\\]/
-  tcp-state established,originator
-  }
-
-signature sid-1609 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI faxsurvey arbitrary file read attempt"
-  http /.*[\/\\]faxsurvey\?cat%20/
-  tcp-state established,originator
-  }
-
-signature sid-857 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI faxsurvey access"
-  http /.*[\/\\]faxsurvey/
-  tcp-state established,originator
-  }
-
-signature sid-858 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI filemail access"
-  http /.*[\/\\]filemail\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-859 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI man.sh access"
-  http /.*[\/\\]man\.sh/
-  tcp-state established,originator
-  }
-
-signature sid-860 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI snork.bat access"
-  http /.*[\/\\]snork\.bat/
-  tcp-state established,originator
-  }
-
-signature sid-861 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI w3-msql access"
-  http /.*[\/\\]w3-msql[\/\\]/
-  tcp-state established,originator
-  }
-
-signature sid-863 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI day5datacopier.cgi access"
-  http /.*[\/\\]day5datacopier\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-864 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI day5datanotifier.cgi access"
-  http /.*[\/\\]day5datanotifier\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-866 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI post-query access"
-  http /.*[\/\\]post-query/
-  tcp-state established,originator
-  }
-
-signature sid-867 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI visadmin.exe access"
-  http /.*[\/\\]visadmin\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-869 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI dumpenv.pl access"
-  http /.*[\/\\]dumpenv\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-1536 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI calendar_admin.pl arbitrary command execution attempt"
-  http /.*[\/\\]calendar_admin\.pl\?config=\|/
-  tcp-state established,originator
-  }
-
-signature sid-1537 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI calendar_admin.pl access"
-  http /.*[\/\\]calendar_admin\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-1701 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI calendar-admin.pl access"
-  http /.*[\/\\]calendar-admin\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-1455 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI calender.pl access"
-  http /.*[\/\\]calender\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-882 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI calendar access"
-  http /.*[\/\\]calendar/
-  tcp-state established,originator
-  }
-
-signature sid-1457 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI user_update_admin.pl access"
-  http /.*[\/\\]user_update_admin\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-1458 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI user_update_passwd.pl access"
-  http /.*[\/\\]user_update_passwd\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-870 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI snorkerz.cmd access"
-  http /.*[\/\\]snorkerz\.cmd/
-  tcp-state established,originator
-  }
-
-signature sid-871 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI survey.cgi access"
-  http /.*[\/\\]survey\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-873 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI scriptalias access"
-  http /.*[\/\\][\/\\][\/\\]/
-  tcp-state established,originator
-  }
-
-signature sid-875 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI win-c-sample.exe access"
-  http /.*[\/\\]win-c-sample\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-878 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI w3tvars.pm access"
-  http /.*[\/\\]w3tvars\.pm/
-  tcp-state established,originator
-  }
-
-signature sid-879 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI admin.pl access"
-  http /.*[\/\\]admin\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-880 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI LWGate access"
-  http /.*[\/\\]LWGate/
-  tcp-state established,originator
-  }
-
-signature sid-881 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI archie access"
-  http /.*[\/\\]archie/
-  tcp-state established,originator
-  }
-
-signature sid-883 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI flexform access"
-  http /.*[\/\\]flexform/
-  tcp-state established,originator
-  }
-
-signature sid-1610 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI formmail arbitrary command execution attempt"
-  http /.*[\/\\]formmail/
-  tcp-state established,originator
-  payload /.*%0[aA]/
-  }
-
-signature sid-884 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI formmail access"
-  http /.*[\/\\]formmail/
-  tcp-state established,originator
-  }
-
-signature sid-1762 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI phf arbitrary command execution attempt"
-  http /.*[\/\\]phf/
-  tcp-state established,originator
-  payload /.*[qQ][aA][lL][iI][aA][sS]/
-  payload /.*%0a\//
-  }
-
-signature sid-886 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI phf access"
-  http /.*[\/\\]phf/
-  tcp-state established,originator
-  }
-
-signature sid-887 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI www-sql access"
-  http /.*[\/\\]www-sql/
-  tcp-state established,originator
-  }
-
-signature sid-888 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI wwwadmin.pl access"
-  http /.*[\/\\]wwwadmin\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-889 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI ppdscgi.exe access"
-  http /.*[\/\\]ppdscgi\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-890 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI sendform.cgi access"
-  http /.*[\/\\]sendform\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-891 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI upload.pl access"
-  http /.*[\/\\]upload\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-892 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI AnyForm2 access"
-  http /.*[\/\\]AnyForm2/
-  tcp-state established,originator
-  }
-
-signature sid-893 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI MachineInfo access"
-  http /.*[\/\\]MachineInfo/
-  tcp-state established,originator
-  }
-
-signature sid-1531 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI bb-hist.sh attempt"
-  http /.*[\/\\]bb-hist\.sh\?HISTFILE=\.\.[\/\\]\.\./
-  tcp-state established,originator
-  }
-
-signature sid-894 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI bb-hist.sh access"
-  http /.*[\/\\]bb-hist\.sh/
-  tcp-state established,originator
-  }
-
-signature sid-1459 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI bb-histlog.sh access"
-  http /.*[\/\\]bb-histlog\.sh/
-  tcp-state established,originator
-  }
-
-signature sid-1460 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI bb-histsvc.sh access"
-  http /.*[\/\\]bb-histsvc\.sh/
-  tcp-state established,originator
-  }
-
-signature sid-1532 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI bb-hostscv.sh attempt"
-  http /.*[\/\\]bb-hostsvc\.sh\?HOSTSVC\?\.\.[\/\\]\.\./
-  tcp-state established,originator
-  }
-
-signature sid-1533 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI bb-hostscv.sh access"
-  http /.*[\/\\]bb-hostsvc\.sh/
-  tcp-state established,originator
-  }
-
-signature sid-1461 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI bb-rep.sh access"
-  http /.*[\/\\]bb-rep\.sh/
-  tcp-state established,originator
-  }
-
-signature sid-1462 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI bb-replog.sh access"
-  http /.*[\/\\]bb-replog\.sh/
-  tcp-state established,originator
-  }
-
-signature sid-895 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI redirect access"
-  http /.*[\/\\]redirect/
-  tcp-state established,originator
-  }
-
-signature sid-1397 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI wayboard attempt"
-  http /.*[\/\\]way-board[\/\\]way-board\.cgi/
-  tcp-state established,originator
-  payload /.*db=/
-  payload /.*\.\.\/\.\./
-  }
-
-signature sid-896 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI way-board access"
-  http /.*[\/\\]way-board/
-  tcp-state established,originator
-  }
-
-signature sid-1222 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI pals-cgi arbitrary file access attempt"
-  http /.*[\/\\]pals-cgi/
-  tcp-state established,originator
-  payload /.*[dD][oO][cC][uU][mM][eE][nN][tT][nN][aA][mM][eE]=/
-  }
-
-signature sid-897 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI pals-cgi access"
-  http /.*[\/\\]pals-cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1572 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI commerce.cgi arbitrary file access attempt"
-  http /.*[\/\\]commerce\.cgi/
-  tcp-state established,originator
-  payload /.*page=/
-  payload /.*\/\.\.\//
-  }
-
-signature sid-898 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI commerce.cgi access"
-  http /.*[\/\\]commerce\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-899 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI Amaya templates sendtemp.pl directory traversal attempt"
-  http /.*[\/\\]sendtemp\.pl/
-  tcp-state established,originator
-  payload /.*[tT][eE][mM][pP][lL]=/
-  }
-
-signature sid-1702 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI Amaya templates sendtemp.pl access"
-  http /.*[\/\\]sendtemp\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-900 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI webspirs.cgi directory traversal attempt"
-  http /.*[\/\\]webspirs\.cgi/
-  tcp-state established,originator
-  payload /.*\.\.\/\.\.\//
-  }
-
-signature sid-901 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI webspirs.cgi access"
-  http /.*[\/\\]webspirs\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-902 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI tstisapi.dll access"
-  http /.*tstisapi\.dll/
-  tcp-state established,originator
-  }
-
-signature sid-1308 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI sendmessage.cgi access"
-  http /.*[\/\\]sendmessage\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1392 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI lastlines.cgi access"
-  http /.*[\/\\]lastlines\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1395 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI zml.cgi attempt"
-  http /.*[\/\\]zml\.cgi/
-  tcp-state established,originator
-  payload /.*file=\.\.\//
-  }
-
-signature sid-1396 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI zml.cgi access"
-  http /.*[\/\\]zml\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1405 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI AHG search.cgi access"
-  http /.*[\/\\]publisher[\/\\]search\.cgi/
-  tcp-state established,originator
-  payload /.*[tT][eE][mM][pP][lL][aA][tT][eE]=/
-  }
-
-signature sid-1534 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI agora.cgi attempt"
-  http /.*[\/\\]store[\/\\]agora\.cgi\?cart_id=<SCRIPT>/
-  tcp-state established,originator
-  }
-
-signature sid-1406 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI agora.cgi access"
-  http /.*[\/\\]store[\/\\]agora\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-877 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI rksh access"
-  http /.*[\/\\]rksh/
-  tcp-state established,originator
-  }
-
-signature sid-885 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI bash access"
-  http /.*[\/\\]bash/
-  tcp-state established,originator
-  }
-
-signature sid-1648 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI perl.exe command attempt"
-  http /.*[\/\\]perl\.exe\?/
-  tcp-state established,originator
-  }
-
-signature sid-832 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI perl.exe access"
-  http /.*[\/\\]perl\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-1649 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI perl command attempt"
-  http /.*[\/\\]perl\?/
-  tcp-state established,originator
-  }
-
-signature sid-1309 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI zsh access"
-  http /.*[\/\\]zsh/
-  tcp-state established,originator
-  }
-
-signature sid-862 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI csh access"
-  http /.*[\/\\]csh/
-  tcp-state established,originator
-  }
-
-signature sid-872 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI tcsh access"
-  http /.*[\/\\]tcsh/
-  tcp-state established,originator
-  }
-
-signature sid-868 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI rsh access"
-  http /.*[\/\\]rsh/
-  tcp-state established,originator
-  }
-
-signature sid-865 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI ksh access"
-  http /.*[\/\\]ksh/
-  tcp-state established,originator
-  }
-
-signature sid-1703 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI auktion.cgi directory traversal attempt"
-  http /.*[\/\\]auktion\.cgi/
-  tcp-state established,originator
-  payload /.*[mM][eE][nN][uU][eE]=\.\.\/\.\.\//
-  }
-
-signature sid-1465 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI auktion.cgi access"
-  http /.*[\/\\]auktion\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1573 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI cgiforum.pl attempt"
-  http /.*[\/\\]cgiforum\.pl\?thesection=\.\.[\/\\]\.\./
-  tcp-state established,originator
-  }
-
-signature sid-1466 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI cgiforum.pl access"
-  http /.*[\/\\]cgiforum\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-1574 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI directorypro.cgi attempt"
-  http /.*[\/\\]directorypro\.cgi/
-  tcp-state established,originator
-  payload /.*show=.{1}.*\.\.\/\.\./
-  }
-
-signature sid-1467 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI directorypro.cgi access"
-  http /.*[\/\\]directorypro\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1468 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI Web Shopper shopper.cgi attempt"
-  http /.*[\/\\]shopper\.cgi/
-  tcp-state established,originator
-  payload /.*[nN][eE][wW][pP][aA][gG][eE]=\.\.\//
-  }
-
-signature sid-1469 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI Web Shopper shopper.cgi access"
-  http /.*[\/\\]shopper\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1470 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI listrec.pl access"
-  http /.*[\/\\]listrec\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-1471 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI mailnews.cgi access"
-  http /.*[\/\\]mailnews\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1879 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI book.cgi arbitrary command execution attempt"
-  http /.*[\/\\]book\.cgi/
-  tcp-state established,originator
-  payload /.*[cC][uU][rR][rR][eE][nN][tT]=\|/
-  }
-
-signature sid-1472 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI book.cgi access"
-  http /.*[\/\\]book\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1473 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI newsdesk.cgi access"
-  http /.*[\/\\]newsdesk\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1704 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI cal_make.pl directory traversal attempt"
-  http /.*[\/\\]cal_make\.pl/
-  tcp-state established,originator
-  payload /.*[pP]0=\.\.\/\.\.\//
-  }
-
-signature sid-1474 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI cal_make.pl access"
-  http /.*[\/\\]cal_make\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-1475 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI mailit.pl access"
-  http /.*[\/\\]mailit\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-1476 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI sdbsearch.cgi access"
-  http /.*[\/\\]sdbsearch\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1478 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI swc access"
-  http /.*[\/\\]swc/
-  tcp-state established,originator
-  }
-
-signature sid-1479 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI ttawebtop.cgi arbitrary file attempt"
-  http /.*[\/\\]ttawebtop\.cgi/
-  tcp-state established,originator
-  payload /.*[pP][gG]=\.\.\//
-  }
-
-signature sid-1480 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI ttawebtop.cgi access"
-  http /.*[\/\\]ttawebtop\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1481 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI upload.cgi access"
-  http /.*[\/\\]upload\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1482 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI view_source access"
-  http /.*[\/\\]view_source/
-  tcp-state established,originator
-  }
-
-signature sid-1730 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI ustorekeeper.pl directory traversal attempt"
-  http /.*[\/\\]ustorekeeper\.pl/
-  tcp-state established,originator
-  payload /.*[fF][iI][lL][eE]=\.\.\/\.\.\//
-  }
-
-signature sid-1483 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI ustorekeeper.pl access"
-  http /.*[\/\\]ustorekeeper\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-1606 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI icat access"
-  http /.*[\/\\]icat/
-  tcp-state established,originator
-  }
-
-signature sid-1617 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI Bugzilla doeditvotes.cgi access"
-  http /.*[\/\\]doeditvotes\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1600 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI htsearch arbitrary configuration file attempt"
-  http /.*[\/\\]htsearch\?-c/
-  tcp-state established,originator
-  }
-
-signature sid-1601 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI htsearch arbitrary file read attempt"
-  http /.*[\/\\]htsearch\?exclude=`/
-  tcp-state established,originator
-  }
-
-signature sid-1602 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI htsearch access"
-  http /.*[\/\\]htsearch/
-  tcp-state established,originator
-  }
-
-signature sid-1501 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI a1stats a1disp3.cgi directory traversal attempt"
-  http /.*[\/\\]a1disp3\.cgi\?[\/\\]\.\.[\/\\]\.\.[\/\\]/
-  tcp-state established,originator
-  }
-
-signature sid-1502 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI a1stats a1disp3.cgi access"
-  http /.*[\/\\]a1disp3\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1731 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI a1stats access"
-  http /.*[\/\\]a1stats[\/\\]/
-  tcp-state established,originator
-  }
-
-signature sid-1503 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI admentor admin.asp access"
-  http /.*[\/\\]admentor[\/\\]admin[\/\\]admin\.asp/
-  tcp-state established,originator
-  }
-
-signature sid-1505 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI alchemy http server PRN arbitrary command execution attempt"
-  http /.*[\/\\]PRN[\/\\]\.\.[\/\\]\.\.[\/\\]/
-  tcp-state established,originator
-  }
-
-signature sid-1506 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI alchemy http server NUL arbitrary command execution attempt"
-  http /.*[\/\\]NUL[\/\\]\.\.[\/\\]\.\.[\/\\]/
-  tcp-state established,originator
-  }
-
-signature sid-1507 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI alibaba.pl arbitrary command execution attempt"
-  http /.*[\/\\]alibaba\.pl\|/
-  tcp-state established,originator
-  }
-
-signature sid-1508 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI alibaba.pl access"
-  http /.*[\/\\]alibaba\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-1509 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI AltaVista Intranet Search directory traversal attempt"
-  http /.*[\/\\]query\?mss=\.\./
-  tcp-state established,originator
-  }
-
-signature sid-1510 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI test.bat arbitrary command execution attempt"
-  http /.*[\/\\]test\.bat\|/
-  tcp-state established,originator
-  }
-
-signature sid-1511 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI test.bat access"
-  http /.*[\/\\]test\.bat/
-  tcp-state established,originator
-  }
-
-signature sid-1512 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI input.bat arbitrary command execution attempt"
-  http /.*[\/\\]input\.bat\|/
-  tcp-state established,originator
-  }
-
-signature sid-1513 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI input.bat access"
-  http /.*[\/\\]input\.bat/
-  tcp-state established,originator
-  }
-
-signature sid-1514 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI input2.bat arbitrary command execution attempt"
-  http /.*[\/\\]input2\.bat\|/
-  tcp-state established,originator
-  }
-
-signature sid-1515 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI input2.bat access"
-  http /.*[\/\\]input2\.bat/
-  tcp-state established,originator
-  }
-
-signature sid-1516 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI envout.bat arbitrary command execution attempt"
-  http /.*[\/\\]envout\.bat\|/
-  tcp-state established,originator
-  }
-
-signature sid-1517 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI envout.bat access"
-  http /.*[\/\\]envout\.bat/
-  tcp-state established,originator
-  }
-
-signature sid-1705 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI echo.bat arbitrary command execution attempt"
-  http /.*[\/\\]echo\.bat/
-  tcp-state established,originator
-  payload /.*&/
-  }
-
-signature sid-1706 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI echo.bat access"
-  http /.*[\/\\]echo\.bat/
-  tcp-state established,originator
-  }
-
-signature sid-1707 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI hello.bat arbitrary command execution attempt"
-  http /.*[\/\\]hello\.bat/
-  tcp-state established,originator
-  payload /.*&/
-  }
-
-signature sid-1708 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI hello.bat access"
-  http /.*[\/\\]hello\.bat/
-  tcp-state established,originator
-  }
-
-signature sid-1650 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI tst.bat access"
-  http /.*[\/\\]tst\.bat/
-  tcp-state established,originator
-  }
-
-signature sid-1539 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI /cgi-bin/ls access"
-  http /.*[\/\\]cgi-bin[\/\\]ls/
-  tcp-state established,originator
-  }
-
-signature sid-1542 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI cgimail access"
-  http /.*[\/\\]cgimail/
-  tcp-state established,originator
-  }
-
-signature sid-1543 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI cgiwrap access"
-  http /.*[\/\\]cgiwrap/
-  tcp-state established,originator
-  }
-
-signature sid-1547 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI csSearch.cgi arbitrary command execution attempt"
-  http /.*[\/\\]csSearch\.cgi/
-  tcp-state established,originator
-  payload /.*setup=/
-  payload /.*`.{1}.*`/
-  }
-
-signature sid-1548 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI csSearch.cgi access"
-  http /.*[\/\\]csSearch\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1553 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI /cart/cart.cgi access"
-  http /.*[\/\\]cart[\/\\]cart\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1554 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI dbman db.cgi access"
-  http /.*[\/\\]dbman[\/\\]db\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1555 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI DCShop access"
-  http /.*[\/\\]dcshop/
-  tcp-state established,originator
-  }
-
-signature sid-1556 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI DCShop orders.txt access"
-  http /.*[\/\\]orders[\/\\]orders\.txt/
-  tcp-state established,originator
-  }
-
-signature sid-1557 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI DCShop auth_user_file.txt access"
-  http /.*[\/\\]auth_data[\/\\]auth_user_file\.txt/
-  tcp-state established,originator
-  }
-
-signature sid-1565 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI eshop.pl arbitrary commane execution attempt"
-  http /.*[\/\\]eshop\.pl\?seite=;/
-  tcp-state established,originator
-  }
-
-signature sid-1566 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI eshop.pl access"
-  http /.*[\/\\]eshop\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-1569 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI loadpage.cgi directory traversal attempt"
-  http /.*[\/\\]loadpage\.cgi/
-  tcp-state established,originator
-  payload /.*[fF][iI][lL][eE]=\.\.\//
-  }
-
-signature sid-1570 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI loadpage.cgi access"
-  http /.*[\/\\]loadpage\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1590 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI faqmanager.cgi arbitrary file access attempt"
-  http /.*[\/\\]faqmanager\.cgi\?toc=/
-  http /.*%00/
-  tcp-state established,originator
-  }
-
-signature sid-1591 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI faqmanager.cgi access"
-  http /.*[\/\\]faqmanager\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1592 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI /fcgi-bin/echo.exe access"
-  http /.*[\/\\]fcgi-bin[\/\\]echo\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-1628 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI FormHandler.cgi directory traversal attempt attempt"
-  http /.*[\/\\]FormHandler\.cgi/
-  tcp-state established,originator
-  payload /.*[rR][eE][pP][lL][yY]_[mM][eE][sS][sS][aA][gG][eE]_[aA][tT][tT][aA][cC][hH]=/
-  payload /.*\/\.\.\//
-  }
-
-signature sid-1593 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI FormHandler.cgi external site redirection attempt"
-  http /.*[\/\\]FormHandler\.cgi/
-  tcp-state established,originator
-  payload /.*[rR][eE][dD][iI][rR][eE][cC][tT]=[hH][tT][tT][pP]/
-  }
-
-signature sid-1594 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI FormHandler.cgi access"
-  http /.*[\/\\]FormHandler\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1597 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI guestbook.cgi access"
-  http /.*[\/\\]guestbook\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1598 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI Home Free search.cgi directory traversal attempt"
-  http /.*[\/\\]search\.cgi/
-  tcp-state established,originator
-  payload /.*[lL][eE][tT][tT][eE][rR]=\.\.\/\.\./
-  }
-
-signature sid-1599 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI search.cgi access"
-  http /.*[\/\\]search\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1651 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI enivorn.pl access"
-  http /.*[\/\\]enivron\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-1652 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI campus attempt"
-  http /.*[\/\\]campus\?%0a/
-  tcp-state established,originator
-  }
-
-signature sid-1653 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI campus access"
-  http /.*[\/\\]campus/
-  tcp-state established,originator
-  }
-
-signature sid-1654 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI cart32.exe access"
-  http /.*[\/\\]cart32\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-1655 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI pfdispaly.cgi arbitrary command execution attempt"
-  http /.*[\/\\]pfdispaly\.cgi\?'/
-  tcp-state established,originator
-  }
-
-signature sid-1656 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI pfdispaly.cgi access"
-  http /.*[\/\\]pfdispaly\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1657 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI pagelog.cgi directory traversal attempt"
-  http /.*[\/\\]pagelog\.cgi/
-  tcp-state established,originator
-  payload /.*[nN][aA][mM][eE]=\.\.\//
-  }
-
-signature sid-1658 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI pagelog.cgi access"
-  http /.*[\/\\]pagelog\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1709 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI ad.cgi access"
-  http /.*[\/\\]ad\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1710 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI bbs_forum.cgi access"
-  http /.*[\/\\]bbs_forum\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1711 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI bsguest.cgi access"
-  http /.*[\/\\]bsguest\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1712 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI bslist.cgi access"
-  http /.*[\/\\]bslist\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1713 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI cgforum.cgi access"
-  http /.*[\/\\]cgforum\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1714 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI newdesk access"
-  http /.*[\/\\]newdesk/
-  tcp-state established,originator
-  }
-
-signature sid-1715 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI register.cgi access"
-  http /.*[\/\\]register\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1716 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI gbook.cgi access"
-  http /.*[\/\\]gbook\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1717 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI simplestguest.cgi access"
-  http /.*[\/\\]simplestguest\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1718 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI statusconfig.pl access"
-  http /.*[\/\\]statusconfig\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-1719 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI talkback.cgi directory traversal attempt"
-  http /.*[\/\\]talkbalk\.cgi/
-  tcp-state established,originator
-  payload /.*[aA][rR][tT][iI][cC][lL][eE]=\.\.\/\.\.\//
-  }
-
-signature sid-1720 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI talkback.cgi access"
-  http /.*[\/\\]talkbalk\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1721 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI adcycle access"
-  http /.*[\/\\]adcycle/
-  tcp-state established,originator
-  }
-
-signature sid-1722 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI MachineInfo access"
-  http /.*[\/\\]MachineInfo/
-  tcp-state established,originator
-  }
-
-signature sid-1723 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI emumail.cgi NULL attempt"
-  http /.*[\/\\]emumail\.cgi/
-  tcp-state established,originator
-  payload /.*[tT][yY][pP][eE]=/
-  payload /.*%00/
-  }
-
-signature sid-1724 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI emumail.cgi access"
-  http /.*[\/\\]emumail\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1642 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI document.d2w access"
-  http /.*[\/\\]document\.d2w/
-  tcp-state established,originator
-  }
-
-signature sid-1643 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI db2www access"
-  http /.*[\/\\]db2www/
-  tcp-state established,originator
-  }
-
-signature sid-1668 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI /cgi-bin/ access"
-  http /.*[\/\\]cgi-bin[\/\\]/
-  tcp-state established,originator
-  payload /.*\/[cC][gG][iI]-[bB][iI][nN]\/ [hH][tT][tT][pP]/
-  }
-
-signature sid-1669 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI /cgi-dos/ access"
-  http /.*[\/\\]cgi-dos[\/\\]/
-  tcp-state established,originator
-  payload /.*\/[cC][gG][iI]-[dD][oO][sS]\/ [hH][tT][tT][pP]/
-  }
-
-signature sid-1051 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI technote main.cgi file directory traversal attempt"
-  http /.*[\/\\]technote[\/\\]main\.cgi/
-  tcp-state established,originator
-  payload /.*[fF][iI][lL][eE][nN][aA][mM][eE]=/
-  payload /.*\.\.\/\.\.\//
-  }
-
-signature sid-1052 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI technote print.cgi directory traversal attempt"
-  http /.*[\/\\]technote[\/\\]print\.cgi/
-  tcp-state established,originator
-  payload /.*[bB][oO][aA][rR][dD]=/
-  payload /.*\.\.\/\.\.\//
-  payload /.*%00/
-  }
-
-signature sid-1053 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI ads.cgi command execution attempt"
-  http /.*[\/\\]ads\.cgi/
-  tcp-state established,originator
-  payload /.*[fF][iI][lL][eE]=/
-  payload /.*\.\.\/\.\.\//
-  payload /.*\|/
-  }
-
-signature sid-1088 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI eXtropia webstore directory traversal"
-  http /.*[\/\\]web_store\.cgi/
-  tcp-state established,originator
-  payload /.*page=\.\.\//
-  }
-
-signature sid-1611 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI eXtropia webstore access"
-  http /.*[\/\\]web_store\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1089 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI shopping cart directory traversal"
-  http /.*[\/\\]shop\.cgi/
-  tcp-state established,originator
-  payload /.*page=\.\.\//
-  }
-
-signature sid-1090 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI Allaire Pro Web Shell attempt"
-  http /.*[\/\\]authenticate\.cgi\?PASSWORD/
-  tcp-state established,originator
-  payload /.*config\.ini/
-  }
-
-signature sid-1092 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI Armada Style Master Index directory traversal"
-  http /.*[\/\\]search\.cgi\?keys/
-  tcp-state established,originator
-  payload /.*catigory=\.\.\//
-  }
-
-signature sid-1093 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI cached_feed.cgi moreover shopping cart directory traversal"
-  http /.*[\/\\]cached_feed\.cgi/
-  tcp-state established,originator
-  payload /.*\.\.\//
-  }
-
-signature sid-2051 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI cached_feed.cgi moreover shopping cart access"
-  http /.*[\/\\]cached_feed\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1097 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI Talentsoft Web+ exploit attempt"
-  http /.*[\/\\]webplus\.cgi\?Script=[\/\\]webplus[\/\\]webping[\/\\]webping\.wml/
-  tcp-state established,originator
-  }
-
-signature sid-1106 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI Poll-it access"
-  http /.*[\/\\]pollit[\/\\]Poll_It_SSI_v2\.0\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1149 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI count.cgi access"
-  http /.*[\/\\]count\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1865 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI webdist.cgi arbitrary command attempt"
-  http /.*[\/\\]webdist\.cgi/
-  tcp-state established,originator
-  payload /.*[dD][iI][sS][tT][lL][oO][cC]=;/
-  }
-
-signature sid-1163 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI webdist.cgi access"
-  http /.*[\/\\]webdist\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1172 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI bigconf.cgi access"
-  http /.*[\/\\]bigconf\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1174 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI /cgi-bin/jj access"
-  http /.*[\/\\]cgi-bin[\/\\]jj/
-  tcp-state established,originator
-  }
-
-signature sid-1185 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI bizdbsearch attempt"
-  http /.*[\/\\]bizdb1-search\.cgi/
-  tcp-state established,originator
-  payload /.*[mM][aA][iI][lL]/
-  }
-
-signature sid-1535 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI bizdbsearch access"
-  http /.*[\/\\]bizdb1-search\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1194 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI sojourn.cgi File attempt"
-  http /.*[\/\\]sojourn\.cgi\?cat=/
-  tcp-state established,originator
-  payload /.*%00/
-  }
-
-signature sid-1195 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI sojourn.cgi access"
-  http /.*[\/\\]sojourn\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1196 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI SGI InfoSearch fname attempt"
-  http /.*[\/\\]infosrch\.cgi\?/
-  tcp-state established,originator
-  payload /.*[fF][nN][aA][mM][eE]=/
-  }
-
-signature sid-1727 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI SGI InfoSearch fname access"
-  http /.*[\/\\]infosrch\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1204 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI ax-admin.cgi access"
-  http /.*[\/\\]ax-admin\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1205 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI axs.cgi access"
-  http /.*[\/\\]axs\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1206 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI cachemgr.cgi access"
-  http /.*[\/\\]cachemgr\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1208 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI responder.cgi access"
-  http /.*[\/\\]responder\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1211 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI web-map.cgi access"
-  http /.*[\/\\]web-map\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1215 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI ministats admin access"
-  http /.*[\/\\]ministats[\/\\]admin\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1219 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI dfire.cgi access"
-  http /.*[\/\\]dfire\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1305 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI txt2html.cgi directory traversal attempt"
-  http /.*[\/\\]txt2html\.cgi/
-  tcp-state established,originator
-  payload /.*\/\.\.\/\.\.\/\.\.\/\.\.\//
-  }
-
-signature sid-1304 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI txt2html.cgi access"
-  http /.*[\/\\]txt2html\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1488 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI store.cgi directory traversal attempt"
-  http /.*[\/\\]store\.cgi/
-  tcp-state established,originator
-  payload /.*\.\.\//
-  }
-
-signature sid-1307 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI store.cgi access"
-  http /.*[\/\\]store\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1494 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI SIX webboard generate.cgi attempt"
-  http /.*[\/\\]generate\.cgi/
-  tcp-state established,originator
-  payload /.*content=\.\.\//
-  }
-
-signature sid-1495 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI SIX webboard generate.cgi access"
-  http /.*[\/\\]generate\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1496 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI spin_client.cgi access"
-  http /.*[\/\\]spin_client\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1787 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI csPassword.cgi access"
-  http /.*[\/\\]csPassword\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1788 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI csPassword password.cgi.tmp access"
-  http /.*[\/\\]password\.cgi\.tmp/
-  tcp-state established,originator
-  }
-
-signature sid-1763 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI Nortel Contivity cgiproc DOS attempt"
-  http /.*[\/\\]cgiproc\?Nocfile=/
-  tcp-state established,originator
-  }
-
-signature sid-1764 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI Nortel Contivity cgiproc DOS attempt"
-  http /.*[\/\\]cgiproc\?\$/
-  tcp-state established,originator
-  }
-
-signature sid-1765 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI Nortel Contivity cgiproc access"
-  http /.*[\/\\]cgiproc/
-  tcp-state established,originator
-  }
-
-signature sid-1805 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI Oracle reports CGI access"
-  http /.*[\/\\]rwcgi60/
-  tcp-state established,originator
-  payload /.*setauth=/
-  }
-
-signature sid-1822 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI alienform.cgi directory traversal attempt"
-  http /.*[\/\\]alienform\.cgi/
-  tcp-state established,originator
-  payload /.*\.\|\.\/\.\|\./
-  }
-
-signature sid-1823 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI AlienForm af.cgi directory traversal attempt"
-  http /.*[\/\\]af\.cgi/
-  tcp-state established,originator
-  payload /.*\.\|\.\/\.\|\./
-  }
-
-signature sid-1824 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI alienform.cgi access"
-  http /.*[\/\\]alienform\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1825 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI AlienForm af.cgi access"
-  http /.*[\/\\]af\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1868 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 8080
-  event "WEB-CGI story.pl arbitrary file read attempt"
-  http /.*[\/\\]story\.pl/
-  tcp-state established,originator
-  payload /.*next=\.\.\//
-  }
-
-signature sid-1869 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 8080
-  event "WEB-CGI story.pl access"
-  http /.*[\/\\]story\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-1870 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI siteUserMod.cgi access"
-  http /.*[\/\\]\.cobalt[\/\\]siteUserMod[\/\\]siteUserMod\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1875 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI cgicso access"
-  http /.*[\/\\]cgicso/
-  tcp-state established,originator
-  }
-
-signature sid-1876 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI nph-publish.cgi access"
-  http /.*[\/\\]nph-publish\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1877 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI printenv access"
-  http /.*[\/\\]printenv/
-  tcp-state established,originator
-  }
-
-signature sid-1878 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI sdbsearch.cgi access"
-  http /.*[\/\\]sdbsearch\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1931 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI rpc-nlog.pl access"
-  http /.*[\/\\]rpc-nlog\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-1932 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI rpc-smb.pl access"
-  http /.*[\/\\]rpc-smb\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-1933 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI cart.cgi access"
-  http /.*[\/\\]cart\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1994 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI vpasswd.cgi access"
-  http /.*[\/\\]vpasswd\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1995 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI alya.cgi access"
-  http /.*[\/\\]alya\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1996 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI viralator.cgi access"
-  http /.*[\/\\]viralator\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-2001 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI smartsearch.cgi access"
-  http /.*[\/\\]smartsearch\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1862 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI mrtg.cgi directory traversal attempt"
-  http /.*[\/\\]mrtg\.cgi/
-  tcp-state established,originator
-  payload /.*cfg=\/\.\.\//
-  }
-
-signature sid-2052 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI overflow.cgi access"
-  http /.*[\/\\]overflow\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-1850 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI way-board.cgi access"
-  http /.*[\/\\]way-board\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-2053 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI process_bug.cgi access"
-  http /.*[\/\\]process_bug\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-2054 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI enter_bug.cgi arbitrary command attempt"
-  http /.*[\/\\]enter_bug\.cgi/
-  tcp-state established,originator
-  payload /.*[wW][hH][oO]=.*.{0}.*;/
-  }
-
-signature sid-2055 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI enter_bug.cgi access"
-  http /.*[\/\\]enter_bug\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-2085 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI parse_xml.cgi access"
-  http /.*[\/\\]parse_xml\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-2086 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == 1220
-  event "WEB-CGI streaming server parse_xml.cgi access"
-  tcp-state established,originator
-  payload /.*\/[pP][aA][rR][sS][eE]_[xX][mM][lL]\.[cC][gG][iI]/
-  }
-
-signature sid-2115 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI album.pl access"
-  tcp-state established,originator
-  payload /.*\/[aA][lL][bB][uU][mM]\.[pP][lL]/
-  }
-
-signature sid-2116 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI chipcfg.cgi access"
-  http /.*[\/\\]chipcfg\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-2127 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI ikonboard.cgi access"
-  http /.*[\/\\]ikonboard\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-2128 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-CGI swsrv.cgi access"
-  http /.*[\/\\]srsrv\.cgi/
-  tcp-state established,originator
-  }
-
-signature sid-903 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-COLDFUSION cfcache.map access"
-  http /.*[\/\\]cfcache\.map/
-  tcp-state established,originator
-  }
-
-signature sid-904 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-COLDFUSION exampleapp application.cfm"
-  http /.*[\/\\]cfdocs[\/\\]exampleapp[\/\\]email[\/\\]application\.cfm/
-  tcp-state established,originator
-  }
-
-signature sid-905 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-COLDFUSION application.cfm access"
-  http /.*[\/\\]cfdocs[\/\\]exampleapp[\/\\]publish[\/\\]admin[\/\\]application\.cfm/
-  tcp-state established,originator
-  }
-
-signature sid-906 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-COLDFUSION getfile.cfm access"
-  http /.*[\/\\]cfdocs[\/\\]exampleapp[\/\\]email[\/\\]getfile\.cfm/
-  tcp-state established,originator
-  }
-
-signature sid-907 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-COLDFUSION addcontent.cfm access"
-  http /.*[\/\\]cfdocs[\/\\]exampleapp[\/\\]publish[\/\\]admin[\/\\]addcontent\.cfm/
-  tcp-state established,originator
-  }
-
-signature sid-908 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-COLDFUSION administrator access"
-  http /.*[\/\\]cfide[\/\\]administrator[\/\\]index\.cfm/
-  tcp-state established,originator
-  }
-
-signature sid-909 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-COLDFUSION datasource username attempt"
-  tcp-state established,originator
-  payload /.*[cC][fF]_[sS][eE][tT][dD][aA][tT][aA][sS][oO][uU][rR][cC][eE][uU][sS][eE][rR][nN][aA][mM][eE]\(\)/
-  }
-
-signature sid-910 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-COLDFUSION fileexists.cfm access"
-  http /.*[\/\\]cfdocs[\/\\]snippets[\/\\]fileexists\.cfm/
-  tcp-state established,originator
-  }
-
-signature sid-911 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-COLDFUSION exprcalc access"
-  http /.*[\/\\]cfdocs[\/\\]expeval[\/\\]exprcalc\.cfm/
-  tcp-state established,originator
-  }
-
-signature sid-912 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-COLDFUSION parks access"
-  http /.*[\/\\]cfdocs[\/\\]examples[\/\\]parks[\/\\]detail\.cfm/
-  tcp-state established,originator
-  }
-
-signature sid-913 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-COLDFUSION cfappman access"
-  http /.*[\/\\]cfappman[\/\\]index\.cfm/
-  tcp-state established,originator
-  }
-
-signature sid-914 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-COLDFUSION beaninfo access"
-  http /.*[\/\\]cfdocs[\/\\]examples[\/\\]cvbeans[\/\\]beaninfo\.cfm/
-  tcp-state established,originator
-  }
-
-signature sid-915 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-COLDFUSION evaluate.cfm access"
-  http /.*[\/\\]cfdocs[\/\\]snippets[\/\\]evaluate\.cfm/
-  tcp-state established,originator
-  }
-
-signature sid-916 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-COLDFUSION getodbcdsn access"
-  tcp-state established,originator
-  payload /.*[cC][fF][uU][sS][iI][oO][nN]_[gG][eE][tT][oO][dD][bB][cC][dD][sS][nN]\(\)/
-  }
-
-signature sid-917 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-COLDFUSION db connections flush attempt"
-  tcp-state established,originator
-  payload /.*[cC][fF][uU][sS][iI][oO][nN]_[dD][bB][cC][oO][nN][nN][eE][cC][tT][iI][oO][nN][sS]_[fF][lL][uU][sS][hH]\(\)/
-  }
-
-signature sid-918 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-COLDFUSION expeval access"
-  http /.*[\/\\]cfdocs[\/\\]expeval[\/\\]/
-  tcp-state established,originator
-  }
-
-signature sid-919 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-COLDFUSION datasource passwordattempt"
-  tcp-state established,originator
-  payload /.*[cC][fF]_[sS][eE][tT][dD][aA][tT][aA][sS][oO][uU][rR][cC][eE][pP][aA][sS][sS][wW][oO][rR][dD]\(\)/
-  }
-
-signature sid-920 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-COLDFUSION datasource attempt"
-  tcp-state established,originator
-  payload /.*[cC][fF]_[iI][sS][cC][oO][lL][dD][fF][uU][sS][iI][oO][nN][dD][aA][tT][aA][sS][oO][uU][rR][cC][eE]\(\)/
-  }
-
-signature sid-921 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-COLDFUSION admin encrypt attempt"
-  tcp-state established,originator
-  payload /.*[cC][fF][uU][sS][iI][oO][nN]_[eE][nN][cC][rR][yY][pP][tT]\(\)/
-  }
-
-signature sid-922 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-COLDFUSION displayfile access"
-  http /.*[\/\\]cfdocs[\/\\]expeval[\/\\]displayopenedfile\.cfm/
-  tcp-state established,originator
-  }
-
-signature sid-923 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-COLDFUSION getodbcin attempt"
-  tcp-state established,originator
-  payload /.*[cC][fF][uU][sS][iI][oO][nN]_[gG][eE][tT][oO][dD][bB][cC][iI][nN][iI]\(\)/
-  }
-
-signature sid-924 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-COLDFUSION admin decrypt attempt"
-  tcp-state established,originator
-  payload /.*[cC][fF][uU][sS][iI][oO][nN]_[dD][eE][cC][rR][yY][pP][tT]\(\)/
-  }
-
-signature sid-925 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-COLDFUSION mainframeset access"
-  http /.*[\/\\]cfdocs[\/\\]examples[\/\\]mainframeset\.cfm/
-  tcp-state established,originator
-  }
-
-signature sid-926 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-COLDFUSION set odbc ini attempt"
-  tcp-state established,originator
-  payload /.*[cC][fF][uU][sS][iI][oO][nN]_[sS][eE][tT][oO][dD][bB][cC][iI][nN][iI]\(\)/
-  }
-
-signature sid-927 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-COLDFUSION settings refresh attempt"
-  tcp-state established,originator
-  payload /.*[cC][fF][uU][sS][iI][oO][nN]_[sS][eE][tT][tT][iI][nN][gG][sS]_[rR][eE][fF][rR][eE][sS][hH]\(\)/
-  }
-
-signature sid-928 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-COLDFUSION exampleapp access"
-  http /.*[\/\\]cfdocs[\/\\]exampleapp[\/\\]/
-  tcp-state established,originator
-  }
-
-signature sid-929 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-COLDFUSION CFUSION_VERIFYMAIL access"
-  tcp-state established,originator
-  payload /.*[cC][fF][uU][sS][iI][oO][nN]_[vV][eE][rR][iI][fF][yY][mM][aA][iI][lL]\(\)/
-  }
-
-signature sid-930 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-COLDFUSION snippets attempt"
-  http /.*[\/\\]cfdocs[\/\\]snippets[\/\\]/
-  tcp-state established,originator
-  }
-
-signature sid-931 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-COLDFUSION cfmlsyntaxcheck.cfm access"
-  http /.*[\/\\]cfdocs[\/\\]cfmlsyntaxcheck\.cfm/
-  tcp-state established,originator
-  }
-
-signature sid-932 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-COLDFUSION application.cfm access"
-  http /.*[\/\\]application\.cfm/
-  tcp-state established,originator
-  }
-
-signature sid-933 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-COLDFUSION onrequestend.cfm access"
-  http /.*[\/\\]onrequestend\.cfm/
-  tcp-state established,originator
-  }
-
-signature sid-935 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-COLDFUSION startstop DOS access"
-  http /.*[\/\\]cfide[\/\\]administrator[\/\\]startstop\.html/
-  tcp-state established,originator
-  }
-
-signature sid-936 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-COLDFUSION gettempdirectory.cfm access "
-  http /.*[\/\\]cfdocs[\/\\]snippets[\/\\]gettempdirectory\.cfm/
-  tcp-state established,originator
-  }
-
-signature sid-1659 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-COLDFUSION sendmail.cfm access"
-  http /.*[\/\\]sendmail\.cfm/
-  tcp-state established,originator
-  }
-
-signature sid-1540 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-COLDFUSION ?Mode=debug attempt"
-  http /.*Mode=debug/
-  tcp-state established,originator
-  }
-
-signature sid-1970 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == http_ports
-  event "WEB-IIS MDAC Content-Type overflow attempt"
-  http /.*[\/\\]msadcs\.dll/
-  tcp-state established,originator
-  payload /.*Content-Type:[^\x0A]{50}/
-  }
-
-signature sid-1076 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS repost.asp access"
-  http /.*[\/\\]scripts[\/\\]repost\.asp/
-  tcp-state established,originator
-  }
-
-signature sid-1806 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS .htr Transfer-Encoding: chunked"
-  http /.*\.htr/
-  tcp-state established,originator
-  payload /.*[tT][rR][aA][nN][sS][fF][eE][rR]-[eE][nN][cC][oO][dD][iI][nN][gG]:/
-  payload /.*[cC][hH][uU][nN][kK][eE][dD]/
-  }
-
-signature sid-1618 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS .asp Transfer-Encoding: chunked"
-  http /.*\.asp/
-  tcp-state established,originator
-  payload /.*[tT][rR][aA][nN][sS][fF][eE][rR]-[eE][nN][cC][oO][dD][iI][nN][gG]:/
-  payload /.*[cC][hH][uU][nN][kK][eE][dD]/
-  }
-
-signature sid-1626 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS /StoreCSVS/InstantOrder.asmx request"
-  http /.*[\/\\]StoreCSVS[\/\\]InstantOrder\.asmx/
-  tcp-state established,originator
-  }
-
-signature sid-1750 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS users.xml access"
-  http /.*[\/\\]users\.xml/
-  tcp-state established,originator
-  }
-
-signature sid-1753 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS as_web.exe access"
-  http /.*[\/\\]as_web\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-1754 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS as_web4.exe access"
-  http /.*[\/\\]as_web4\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-1756 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS NewsPro administration authentication attempt"
-  tcp-state established,originator
-  payload /.*logged,true/
-  }
-
-signature sid-1772 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS pbserver access"
-  http /.*[\/\\]pbserver[\/\\]pbserver\.dll/
-  tcp-state established,originator
-  }
-
-signature sid-1660 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS trace.axd access"
-  http /.*[\/\\]trace\.axd/
-  tcp-state established,originator
-  }
-
-signature sid-1484 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS /isapi/tstisapi.dll access"
-  http /.*[\/\\]isapi[\/\\]tstisapi\.dll/
-  tcp-state established,originator
-  }
-
-signature sid-1485 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS mkilog.exe access"
-  http /.*[\/\\]mkilog\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-1486 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS ctss.idc access"
-  http /.*[\/\\]ctss\.idc/
-  tcp-state established,originator
-  }
-
-signature sid-1487 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS /iisadmpwd/aexp2.htr access"
-  http /.*[\/\\]iisadmpwd[\/\\]aexp2\.htr/
-  tcp-state established,originator
-  }
-
-signature sid-969 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS WebDAV file lock attempt"
-  tcp-state established,originator
-  payload /LOCK /
-  }
-
-signature sid-971 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS ISAPI .printer access"
-  http /.*\.printer/
-  tcp-state established,originator
-  }
-
-signature sid-1243 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS ISAPI .ida attempt"
-  http /.*\.ida\?/
-  tcp-state established,originator
-  }
-
-signature sid-1242 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS ISAPI .ida access"
-  http /.*\.ida/
-  tcp-state established,originator
-  }
-
-signature sid-1244 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS ISAPI .idq attempt"
-  http /.*\.idq\?/
-  tcp-state established,originator
-  }
-
-signature sid-1245 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS ISAPI .idq access"
-  http /.*\.idq/
-  tcp-state established,originator
-  }
-
-signature sid-972 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS %2E-asp access"
-  http /.*%2e\.asp/
-  tcp-state established,originator
-  }
-
-signature sid-973 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS *.idc attempt"
-  http /.*[\/\\]\*\.idc/
-  tcp-state established,originator
-  }
-
-signature sid-974 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS .... access"
-  tcp-state established,originator
-  payload /.*\x2e\x2e\x5c\x2e\x2e/
-  }
-
-signature sid-975 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS .asp::$DATA access"
-  http /.*\.asp\x3a\x3a\$DATA/
-  tcp-state established,originator
-  }
-
-signature sid-976 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS .bat? access"
-  http /.*\.bat\?/
-  tcp-state established,originator
-  }
-
-signature sid-977 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS .cnf access"
-  http /.*\.cnf/
-  tcp-state established,originator
-  }
-
-signature sid-978 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS ASP contents view"
-  tcp-state established,originator
-  payload /.*%20/
-  payload /.*&[cC][iI][rR][eE][sS][tT][rR][iI][cC][tT][iI][oO][nN]=[nN][oO][nN][eE]/
-  payload /.*&[cC][iI][hH][iI][lL][iI][tT][eE][tT][yY][pP][eE]=[fF][uU][lL][lL]/
-  }
-
-signature sid-979 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS ASP contents view"
-  http /.*\.htw\?CiWebHitsFile/
-  tcp-state established,originator
-  }
-
-signature sid-980 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS CGImail.exe access"
-  http /.*[\/\\]scripts[\/\\]CGImail\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-981 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS unicode directory traversal attempt"
-  tcp-state established,originator
-  payload /.*\/\.\.%[cC]0%[aA][fF]\.\.\//
-  }
-
-signature sid-982 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS unicode directory traversal attempt"
-  tcp-state established,originator
-  payload /.*\/\.\.%[cC]1%1[cC]\.\.\//
-  }
-
-signature sid-983 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS unicode directory traversal attempt"
-  tcp-state established,originator
-  payload /.*\/\.\.%[cC]1%9[cC]\.\.\//
-  }
-
-signature sid-1945 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS unicode directory traversal attempt"
-  tcp-state established,originator
-  payload /.*\/\.\.%255[cC]\.\./
-  }
-
-signature sid-986 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS MSProxy access"
-  http /.*[\/\\]scripts[\/\\]proxy[\/\\]w3proxy\.dll/
-  tcp-state established,originator
-  }
-
-signature sid-1725 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS +.htr code fragment attempt"
-  http /.*\+\.htr/
-  tcp-state established,originator
-  }
-
-signature sid-987 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS .htr access"
-  http /.*\.htr/
-  tcp-state established,originator
-  }
-
-signature sid-988 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS SAM Attempt"
-  tcp-state established,originator
-  payload /.*[sS][aA][mM]\._/
-  }
-
-signature sid-989 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS Unicode2.pl script (File permission canonicalization)"
-  http /.*[\/\\]sensepost\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-990 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS _vti_inf access"
-  http /.*_vti_inf\.html/
-  tcp-state established,originator
-  }
-
-signature sid-991 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS achg.htr access"
-  http /.*[\/\\]iisadmpwd[\/\\]achg\.htr/
-  tcp-state established,originator
-  }
-
-signature sid-994 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS /scripts/iisadmin/default.htm access"
-  http /.*[\/\\]scripts[\/\\]iisadmin[\/\\]default\.htm/
-  tcp-state established,originator
-  }
-
-signature sid-995 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS ism.dll access"
-  http /.*[\/\\]scripts[\/\\]iisadmin[\/\\]ism\.dll\?http[\/\\]dir/
-  tcp-state established,originator
-  }
-
-signature sid-996 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS anot.htr access"
-  http /.*[\/\\]iisadmpwd[\/\\]anot/
-  tcp-state established,originator
-  }
-
-signature sid-997 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS asp-dot attempt"
-  http /.*\.asp\./
-  tcp-state established,originator
-  }
-
-signature sid-998 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS asp-srch attempt"
-  http /.*#filename=\*\.asp/
-  tcp-state established,originator
-  }
-
-signature sid-1000 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS bdir.htr access"
-  http /.*[\/\\]bdir\.htr/
-  tcp-state established,originator
-  }
-
-signature sid-1661 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS cmd32.exe access"
-  tcp-state established,originator
-  payload /.*[cC][mM][dD]32\.[eE][xX][eE]/
-  }
-
-signature sid-1002 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS cmd.exe access"
-  tcp-state established,originator
-  payload /.*[cC][mM][dD]\.[eE][xX][eE]/
-  }
-
-signature sid-1003 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS cmd? access"
-  tcp-state established,originator
-  payload /.*\.[cC][mM][dD]\?&/
-  }
-
-signature sid-1007 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS cross-site scripting attempt"
-  http /.*[\/\\]Form_JScript\.asp/
-  tcp-state established,originator
-  }
-
-signature sid-1380 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS cross-site scripting attempt"
-  http /.*[\/\\]Form_VBScript\.asp/
-  tcp-state established,originator
-  }
-
-signature sid-1008 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS del attempt"
-  tcp-state established,originator
-  payload /.*&[dD][eE][lL]\+\/[sS]\+[cC]\x3a\\\*\.\*/
-  }
-
-signature sid-1009 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS directory listing"
-  http /.*[\/\\]ServerVariables_Jscript\.asp/
-  tcp-state established,originator
-  }
-
-signature sid-1010 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS encoding access"
-  tcp-state established,originator
-  payload /.*\x25\x31\x75/
-  }
-
-signature sid-1011 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS exec-src access"
-  tcp-state established,originator
-  payload /.*#[fF][iI][lL][eE][nN][aA][mM][eE]=\*\.[eE][xX][eE]/
-  }
-
-signature sid-1012 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS fpcount attempt"
-  http /.*[\/\\]fpcount\.exe/
-  tcp-state established,originator
-  payload /.*[dD][iI][gG][iI][tT][sS]=/
-  }
-
-signature sid-1013 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS fpcount access"
-  http /.*[\/\\]fpcount\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-1015 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS getdrvs.exe access"
-  http /.*[\/\\]scripts[\/\\]tools[\/\\]getdrvs\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-1016 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS global.asa access"
-  http /.*[\/\\]global\.asa/
-  tcp-state established,originator
-  }
-
-signature sid-1017 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS idc-srch attempt"
-  tcp-state established,originator
-  payload /.*#[fF][iI][lL][eE][nN][aA][mM][eE]=\*\.[iI][dD][cC]/
-  }
-
-signature sid-1018 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS iisadmpwd attempt"
-  http /.*[\/\\]iisadmpwd[\/\\]aexp/
-  tcp-state established,originator
-  }
-
-signature sid-1019 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS index server file source code attempt"
-  http /.*\?CiWebHitsFile=[\/\\]/
-  tcp-state established,originator
-  payload /.*&CiRestriction=none&CiHiliteType=Full/
-  }
-
-signature sid-1020 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS isc$data attempt"
-  http /.*\.idc\x3a\x3a\$data/
-  tcp-state established,originator
-  }
-
-signature sid-1021 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS ism.dll attempt"
-  http /.*%20%20%20%20%20\.htr/
-  tcp-state established,originator
-  }
-
-signature sid-1022 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS jet vba access"
-  http /.*[\/\\]advworks[\/\\]equipment[\/\\]catalog_type\.asp/
-  tcp-state established,originator
-  }
-
-signature sid-1023 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS msadcs.dll access"
-  http /.*[\/\\]msadcs\.dll/
-  tcp-state established,originator
-  }
-
-signature sid-1024 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS newdsn.exe access"
-  http /.*[\/\\]scripts[\/\\]tools[\/\\]newdsn\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-1025 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS perl access"
-  http /.*[\/\\]scripts[\/\\]perl/
-  tcp-state established,originator
-  }
-
-signature sid-1026 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS perl-browse0a attempt"
-  http /.*%0a\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-1027 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS perl-browse20 attempt"
-  http /.*%20\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-1029 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS scripts-browse access"
-  http /.*[\/\\]scripts[\/\\]\x20/
-  tcp-state established,originator
-  }
-
-signature sid-1030 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS search97.vts access"
-  http /.*[\/\\]search97\.vts/
-  tcp-state established,originator
-  }
-
-signature sid-1037 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS showcode.asp access"
-  http /.*[\/\\]showcode\.asp/
-  tcp-state established,originator
-  }
-
-signature sid-1038 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS site server config access"
-  http /.*[\/\\]adsamples[\/\\]config[\/\\]site\.csc/
-  tcp-state established,originator
-  }
-
-signature sid-1039 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS srch.htm access"
-  http /.*[\/\\]samples[\/\\]isapi[\/\\]srch\.htm/
-  tcp-state established,originator
-  }
-
-signature sid-1040 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS srchadm access"
-  http /.*[\/\\]srchadm/
-  tcp-state established,originator
-  }
-
-signature sid-1041 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS uploadn.asp access"
-  http /.*[\/\\]scripts[\/\\]uploadn\.asp/
-  tcp-state established,originator
-  }
-
-signature sid-1042 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS view source via translate header"
-  tcp-state established,originator
-  payload /.*[tT][rR][aA][nN][sS][lL][aA][tT][eE]\x3a [fF]/
-  }
-
-signature sid-1043 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS viewcode.asp access"
-  http /.*[\/\\]viewcode\.asp/
-  tcp-state established,originator
-  }
-
-signature sid-1044 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS webhits access"
-  http /.*\.htw/
-  tcp-state established,originator
-  }
-
-signature sid-1726 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS doctodep.btr access"
-  http /.*doctodep\.btr/
-  tcp-state established,originator
-  }
-
-signature sid-1046 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS site/iisamples access"
-  http /.*[\/\\]site[\/\\]iisamples/
-  tcp-state established,originator
-  }
-
-signature sid-1256 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS CodeRed v2 root.exe access"
-  http /.*[\/\\]root\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-1283 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS outlook web dos"
-  http /.*[\/\\]exchange[\/\\]LogonFrm\.asp\?/
-  tcp-state established,originator
-  payload /.*[mM][aA][iI][lL][bB][oO][xX]=/
-  payload /.*\x25\x25\x25/
-  }
-
-signature sid-1400 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS /scripts/samples/ access"
-  http /.*[\/\\]scripts[\/\\]samples[\/\\]/
-  tcp-state established,originator
-  }
-
-signature sid-1401 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS /msadc/samples/ access"
-  http /.*[\/\\]msadc[\/\\]samples[\/\\]/
-  tcp-state established,originator
-  }
-
-signature sid-1402 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS iissamples access"
-  http /.*[\/\\]iissamples[\/\\]/
-  tcp-state established,originator
-  }
-
-signature sid-970 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS multiple decode attempt"
-  http /.*%5c/
-  http /.*\.\./
-  tcp-state established,originator
-  }
-
-signature sid-993 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS iisadmin access"
-  http /.*[\/\\]iisadmin/
-  tcp-state established,originator
-  }
-
-signature sid-1285 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS msdac access"
-  http /.*[\/\\]msdac[\/\\]/
-  tcp-state established,originator
-  }
-
-signature sid-1286 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS _mem_bin access"
-  http /.*[\/\\]_mem_bin[\/\\]/
-  tcp-state established,originator
-  }
-
-signature sid-1595 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS htimage.exe access"
-  http /.*[\/\\]htimage\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-1817 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS MS Site Server default login attempt"
-  http /.*[\/\\]SiteServer[\/\\]Admin[\/\\]knowledge[\/\\]persmbr[\/\\]/
-  tcp-state established,originator
-  payload /.*[aA][uU][tT][hH][oO][rR][iI][zZ][aA][tT][iI][oO][nN]: [bB][aA][sS][iI][cC] [tT][eE][rR][bB][uU][fF]9[bB][bB][mM]9[uU][eE][wW]1[vV][dD][xX][mM]6[tT][gG][rR][hH][cC][fF][bB][hH][cC]3[nN]3[bB]3[jJ][kK][xX][zZ][eE]=/
-  }
-
-signature sid-1818 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS MS Site Server admin attempt"
-  http /.*[\/\\]Site Server[\/\\]Admin[\/\\]knowledge[\/\\]persmbr[\/\\]/
-  tcp-state established,originator
-  }
-
-signature sid-1075 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS postinfo.asp access"
-  http /.*[\/\\]scripts[\/\\]postinfo\.asp/
-  tcp-state established,originator
-  }
-
-signature sid-1567 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS /exchange/root.asp attempt"
-  http /.*[\/\\]exchange[\/\\]root\.asp\?acs=anon/
-  tcp-state established,originator
-  }
-
-signature sid-1568 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS /exchange/root.asp access"
-  http /.*[\/\\]exchange[\/\\]root\.asp/
-  tcp-state established,originator
-  }
-
-signature sid-2090 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS WEBDAV exploit attempt"
-  tcp-state established,originator
-  payload /.*HTTP\/1\.1\x0aContent-type\x3a text\/xml\x0aHOST\x3a.{1}.*Accept\x3a \x2a\/\x2a\x0aTranslate\x3a f\x0aContent-length\x3a5276\x0a\x0a/
-  }
-
-signature sid-2091 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS WEBDAV nessus safe scan attempt"
-  tcp-state established,originator
-  payload /.*SEARCH \/ HTTP\/1\.1\x0d\x0aHost\x3a.{0,251}\x0d\x0a\x0d\x0a/
-  }
-
-signature sid-2117 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS Battleaxe Forum login.asp access"
-  http /.*myaccount[\/\\]login\.asp/
-  tcp-state established,originator
-  }
-
-signature sid-2129 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS nsiislog.dll access"
-  http /.*[\/\\]nsiislog\.dll/
-  tcp-state established,originator
-  }
-
-signature sid-2130 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS IISProtect siteadmin.asp access"
-  http /.*[\/\\]iisprotect[\/\\]admin[\/\\]SiteAdmin\.asp/
-  tcp-state established,originator
-  }
-
-signature sid-2157 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS IISProtect globaladmin.asp access"
-  http /.*[\/\\]iisprotect[\/\\]admin[\/\\]GlobalAdmin\.asp/
-  tcp-state established,originator
-  }
-
-signature sid-2131 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS IISProtect access"
-  http /.*[\/\\]iisprotect[\/\\]admin[\/\\]/
-  tcp-state established,originator
-  }
-
-signature sid-2132 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS Synchrologic Email Accelerator userid list access attempt"
-  http /.*[\/\\]en[\/\\]admin[\/\\]aggregate\.asp/
-  tcp-state established,originator
-  }
-
-signature sid-2133 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS MS BizTalk server access"
-  http /.*[\/\\]biztalkhttpreceive\.dll/
-  tcp-state established,originator
-  }
-
-signature sid-2134 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-IIS register.asp access"
-  http /.*[\/\\]register\.asp/
-  tcp-state established,originator
-  }
-
-signature sid-1248 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-FRONTPAGE rad fp30reg.dll access"
-  http /.*[\/\\]fp30reg\.dll/
-  tcp-state established,originator
-  }
-
-signature sid-1249 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-FRONTPAGE frontpage rad fp4areg.dll access"
-  http /.*[\/\\]fp4areg\.dll/
-  tcp-state established,originator
-  }
-
-signature sid-937 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-FRONTPAGE _vti_rpc access"
-  http /.*[\/\\]_vti_rpc/
-  tcp-state established,originator
-  }
-
-signature sid-939 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-FRONTPAGE posting"
-  http /.*[\/\\]author\.dll/
-  tcp-state established,originator
-  payload /.*[pP][oO][sS][tT]/
-  }
-
-signature sid-940 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-FRONTPAGE shtml.dll access"
-  http /.*[\/\\]_vti_bin[\/\\]shtml\.dll/
-  tcp-state established,originator
-  }
-
-signature sid-941 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-FRONTPAGE contents.htm access"
-  http /.*[\/\\]admcgi[\/\\]contents\.htm/
-  tcp-state established,originator
-  }
-
-signature sid-942 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-FRONTPAGE orders.htm access"
-  http /.*[\/\\]_private[\/\\]orders\.htm/
-  tcp-state established,originator
-  }
-
-signature sid-943 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-FRONTPAGE fpsrvadm.exe access"
-  http /.*[\/\\]fpsrvadm\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-944 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-FRONTPAGE fpremadm.exe access"
-  http /.*[\/\\]fpremadm\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-945 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-FRONTPAGE fpadmin.htm access"
-  http /.*[\/\\]admisapi[\/\\]fpadmin\.htm/
-  tcp-state established,originator
-  }
-
-signature sid-946 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-FRONTPAGE fpadmcgi.exe access"
-  http /.*[\/\\]scripts[\/\\]Fpadmcgi\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-947 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-FRONTPAGE orders.txt access"
-  http /.*[\/\\]_private[\/\\]orders\.txt/
-  tcp-state established,originator
-  }
-
-signature sid-948 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-FRONTPAGE form_results access"
-  http /.*[\/\\]_private[\/\\]form_results\.txt/
-  tcp-state established,originator
-  }
-
-signature sid-949 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-FRONTPAGE registrations.htm access"
-  http /.*[\/\\]_private[\/\\]registrations\.htm/
-  tcp-state established,originator
-  }
-
-signature sid-950 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-FRONTPAGE cfgwiz.exe access"
-  http /.*[\/\\]cfgwiz\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-951 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-FRONTPAGE authors.pwd access"
-  http /.*[\/\\]authors\.pwd/
-  tcp-state established,originator
-  }
-
-signature sid-952 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-FRONTPAGE author.exe access"
-  http /.*[\/\\]_vti_bin[\/\\]_vti_aut[\/\\]author\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-953 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-FRONTPAGE administrators.pwd access"
-  http /.*[\/\\]administrators\.pwd/
-  tcp-state established,originator
-  }
-
-signature sid-954 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-FRONTPAGE form_results.htm access"
-  http /.*[\/\\]_private[\/\\]form_results\.htm/
-  tcp-state established,originator
-  }
-
-signature sid-955 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-FRONTPAGE access.cnf access"
-  http /.*[\/\\]_vti_pvt[\/\\]access\.cnf/
-  tcp-state established,originator
-  }
-
-signature sid-956 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-FRONTPAGE register.txt access"
-  http /.*[\/\\]_private[\/\\]register\.txt/
-  tcp-state established,originator
-  }
-
-signature sid-957 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-FRONTPAGE registrations.txt access"
-  http /.*[\/\\]_private[\/\\]registrations\.txt/
-  tcp-state established,originator
-  }
-
-signature sid-958 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-FRONTPAGE service.cnf access"
-  http /.*[\/\\]_vti_pvt[\/\\]service\.cnf/
-  tcp-state established,originator
-  }
-
-signature sid-959 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-FRONTPAGE service.pwd"
-  http /.*[\/\\]service\.pwd/
-  tcp-state established,originator
-  }
-
-signature sid-960 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-FRONTPAGE service.stp access"
-  http /.*[\/\\]_vti_pvt[\/\\]service\.stp/
-  tcp-state established,originator
-  }
-
-signature sid-961 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-FRONTPAGE services.cnf access"
-  http /.*[\/\\]_vti_pvt[\/\\]services\.cnf/
-  tcp-state established,originator
-  }
-
-signature sid-962 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-FRONTPAGE shtml.exe access"
-  http /.*[\/\\]_vti_bin[\/\\]shtml\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-963 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-FRONTPAGE svcacl.cnf access"
-  http /.*[\/\\]_vti_pvt[\/\\]svcacl\.cnf/
-  tcp-state established,originator
-  }
-
-signature sid-964 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-FRONTPAGE users.pwd access"
-  http /.*[\/\\]users\.pwd/
-  tcp-state established,originator
-  }
-
-signature sid-965 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-FRONTPAGE writeto.cnf access"
-  http /.*[\/\\]_vti_pvt[\/\\]writeto\.cnf/
-  tcp-state established,originator
-  }
-
-signature sid-966 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-FRONTPAGE fourdots request"
-  tcp-state established,originator
-  payload /.*\x2e\x2e\x2e\x2e\x2f/
-  }
-
-signature sid-967 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-FRONTPAGE dvwssr.dll access"
-  http /.*[\/\\]dvwssr\.dll/
-  tcp-state established,originator
-  }
-
-signature sid-968 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-FRONTPAGE register.htm access"
-  http /.*[\/\\]_private[\/\\]register\.htm/
-  tcp-state established,originator
-  }
-
-signature sid-1288 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-FRONTPAGE /_vti_bin/ access"
-  http /.*[\/\\]_vti_bin[\/\\]/
-  tcp-state established,originator
-  }
-
-signature sid-1497 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC cross site scripting attempt"
-  tcp-state established,originator
-  payload /.*<[sS][cC][rR][iI][pP][tT]>/
-  }
-
-signature sid-1667 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC cross site scripting (img src=javascript) attempt"
-  tcp-state established,originator
-  payload /.*[iI][mM][gG] [sS][rR][cC]=[jJ][aA][vV][aA][sS][cC][rR][iI][pP][tT]/
-  }
-
-signature sid-1250 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Cisco IOS HTTP configuration attempt"
-  http /.*[\/\\]level[\/\\]/
-  http /.*[\/\\]exec[\/\\]/
-  tcp-state established,originator
-  }
-
-signature sid-1047 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Netscape Enterprise DOS"
-  tcp-state established,originator
-  payload /REVLOG \/ /
-  }
-
-signature sid-1048 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Netscape Enterprise directory listing attempt"
-  tcp-state established,originator
-  payload /INDEX /
-  }
-
-signature sid-1050 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC iPlanet GETPROPERTIES attempt"
-  tcp-state established,originator
-  payload /GETPROPERTIES/
-  }
-
-signature sid-1054 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC weblogic view source attempt"
-  http /.*\.js%70/
-  tcp-state established,originator
-  }
-
-signature sid-1055 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Tomcat directory traversal attempt"
-  http /.*%00\.jsp/
-  tcp-state established,originator
-  }
-
-signature sid-1056 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Tomcat view source attempt"
-  http /.*%252ejsp/
-  tcp-state established,originator
-  }
-
-signature sid-1057 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC ftp attempt"
-  tcp-state established,originator
-  payload /.*[fF][tT][pP]\.[eE][xX][eE]/
-  }
-
-signature sid-1058 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC xp_enumdsn attempt"
-  tcp-state established,originator
-  payload /.*[xX][pP]_[eE][nN][uU][mM][dD][sS][nN]/
-  }
-
-signature sid-1059 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC xp_filelist attempt"
-  tcp-state established,originator
-  payload /.*[xX][pP]_[fF][iI][lL][eE][lL][iI][sS][tT]/
-  }
-
-signature sid-1060 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC xp_availablemedia attempt"
-  tcp-state established,originator
-  payload /.*[xX][pP]_[aA][vV][aA][iI][lL][aA][bB][lL][eE][mM][eE][dD][iI][aA]/
-  }
-
-signature sid-1061 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC xp_cmdshell attempt"
-  tcp-state established,originator
-  payload /.*[xX][pP]_[cC][mM][dD][sS][hH][eE][lL][lL]/
-  }
-
-signature sid-1062 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC nc.exe attempt"
-  tcp-state established,originator
-  payload /.*[nN][cC]\.[eE][xX][eE]/
-  }
-
-signature sid-1064 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC wsh attempt"
-  tcp-state established,originator
-  payload /.*[wW][sS][hH]\.[eE][xX][eE]/
-  }
-
-signature sid-1065 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC rcmd attempt"
-  tcp-state established,originator
-  payload /.*[rR][cC][mM][dD]\.[eE][xX][eE]/
-  }
-
-signature sid-1066 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC telnet attempt"
-  tcp-state established,originator
-  payload /.*[tT][eE][lL][nN][eE][tT]\.[eE][xX][eE]/
-  }
-
-signature sid-1067 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC net attempt"
-  tcp-state established,originator
-  payload /.*[nN][eE][tT]\.[eE][xX][eE]/
-  }
-
-signature sid-1068 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC tftp attempt"
-  tcp-state established,originator
-  payload /.*[tT][fF][tT][pP]\.[eE][xX][eE]/
-  }
-
-signature sid-1069 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC xp_regread attempt"
-  tcp-state established,originator
-  payload /.*[xX][pP]_[rR][eE][gG][rR][eE][aA][dD]/
-  }
-
-signature sid-1977 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC xp_regwrite attempt"
-  tcp-state established,originator
-  payload /.*[xX][pP]_[rR][eE][gG][wW][rR][iI][tT][eE]/
-  }
-
-signature sid-1978 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC xp_regdeletekey attempt"
-  tcp-state established,originator
-  payload /.*[xX][pP]_[rR][eE][gG][dD][eE][lL][eE][tT][eE][kK][eE][yY]/
-  }
-
-signature sid-1070 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC WebDAV search access"
-  tcp-state established,originator
-  payload /.{0,1}[sS][eE][aA][rR][cC][hH] /
-  }
-
-signature sid-1071 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC .htpasswd access"
-  tcp-state established,originator
-  payload /.*\.[hH][tT][pP][aA][sS][sS][wW][dD]/
-  }
-
-signature sid-1072 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Lotus Domino directory traversal"
-  http /.*\.nsf[\/\\]/
-  http /.*\.\.[\/\\]/
-  tcp-state established,originator
-  }
-
-signature sid-1077 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC queryhit.htm access"
-  http /.*[\/\\]samples[\/\\]search[\/\\]queryhit\.htm/
-  tcp-state established,originator
-  }
-
-signature sid-1078 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC counter.exe access"
-  http /.*[\/\\]scripts[\/\\]counter\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-1079 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC WebDAV propfind access"
-  tcp-state established,originator
-  payload /.*<[aA]:[pP][rR][oO][pP][fF][iI][nN][dD]/
-  payload /.*[xX][mM][lL][nN][sS]:[aA]=\"[dD][aA][vV]\">/
-  }
-
-signature sid-1080 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC unify eWave ServletExec upload"
-  http /.*[\/\\]servlet[\/\\]com\.unify\.servletexec\.UploadServlet/
-  tcp-state established,originator
-  }
-
-signature sid-1081 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Netscape Servers suite DOS"
-  http /.*[\/\\]dsgw[\/\\]bin[\/\\]search\?context=/
-  tcp-state established,originator
-  }
-
-signature sid-1082 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC amazon 1-click cookie theft"
-  tcp-state established,originator
-  payload /.*[rR][eE][fF]%3[cC][sS][cC][rR][iI][pP][tT]%20[lL][aA][nN][gG][uU][aA][gG][eE]%3[dD]%22[jJ][aA][vV][aA][sS][cC][rR][iI][pP][tT]/
-  }
-
-signature sid-1083 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC unify eWave ServletExec DOS"
-  http /.*[\/\\]servlet[\/\\]ServletExec/
-  tcp-state established,originator
-  }
-
-signature sid-1084 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Allaire JRUN DOS attempt"
-  http /.*servlet[\/\\]\.\.\.\.\.\.\./
-  tcp-state established,originator
-  }
-
-signature sid-1091 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC ICQ Webfront HTTP DOS"
-  http /.*\?\?\?\?\?\?\?\?\?\?/
-  tcp-state established,originator
-  }
-
-signature sid-1095 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Talentsoft Web+ Source Code view access"
-  http /.*[\/\\]webplus\.exe\?script=test\.wml/
-  tcp-state established,originator
-  }
-
-signature sid-1096 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Talentsoft Web+ internal IP Address access"
-  http /.*[\/\\]webplus\.exe\?about/
-  tcp-state established,originator
-  }
-
-signature sid-1098 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC SmartWin CyberOffice Shopping Cart access"
-  http /.*_private[\/\\]shopping_cart\.mdb/
-  tcp-state established,originator
-  }
-
-signature sid-1099 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC cybercop scan"
-  http /.*[\/\\]cybercop/
-  tcp-state established,originator
-  }
-
-signature sid-1100 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC L3retriever HTTP Probe"
-  tcp-state established,originator
-  payload /.*User-Agent\x3a Java1\.2\.1\x0d\x0a/
-  }
-
-signature sid-1101 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Webtrends HTTP probe"
-  tcp-state established,originator
-  payload /.*User-Agent\x3a Webtrends Security Analyzer\x0d\x0a/
-  }
-
-signature sid-1102 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Nessus 404 probe"
-  http /.*[\/\\]nessus_is_probing_you_/
-  tcp-state established,originator
-  }
-
-signature sid-1103 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Netscape admin passwd"
-  http /.*[\/\\]admin-serv[\/\\]config[\/\\]admpw/
-  tcp-state established,originator
-  }
-
-signature sid-1105 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC BigBrother access"
-  http /.*[\/\\]bb-hostsvc\.sh\?HOSTSVC/
-  tcp-state established,originator
-  }
-
-signature sid-1612 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC ftp.pl attempt"
-  http /.*[\/\\]ftp\.pl\?dir=\.\.[\/\\]\.\./
-  tcp-state established,originator
-  }
-
-signature sid-1107 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC ftp.pl access"
-  http /.*[\/\\]ftp\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-1108 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Tomcat server snoop access"
-  http /.*[\/\\]jsp[\/\\]snp[\/\\]/
-  http /.*\.snp/
-  tcp-state established,originator
-  }
-
-signature sid-1109 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC ROXEN directory list attempt"
-  http /.*\x2F\x25\x30\x30/
-  tcp-state established,originator
-  }
-
-signature sid-1110 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC apache source.asp file access"
-  http /.*[\/\\]site[\/\\]eg[\/\\]source\.asp/
-  tcp-state established,originator
-  }
-
-signature sid-1111 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Tomcat server exploit access"
-  http /.*[\/\\]contextAdmin[\/\\]contextAdmin\.html/
-  tcp-state established,originator
-  }
-
-signature sid-1112 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC http directory traversal"
-  tcp-state established,originator
-  payload /.*\.\.\\/
-  }
-
-signature sid-1115 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC ICQ webserver DOS"
-  http /.*\.html[\/\\]\.\.\.\.\.\./
-  tcp-state established,originator
-  }
-
-signature sid-1116 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Lotus DelDoc attempt"
-  http /.*\?DeleteDocument/
-  tcp-state established,originator
-  }
-
-signature sid-1117 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Lotus EditDoc attempt"
-  http /.*\?EditDocument/
-  tcp-state established,originator
-  }
-
-signature sid-1118 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC ls%20-l"
-  tcp-state established,originator
-  payload /.*[lL][sS]%20-[lL]/
-  }
-
-signature sid-1119 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC mlog.phtml access"
-  http /.*[\/\\]mlog\.phtml/
-  tcp-state established,originator
-  }
-
-signature sid-1120 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC mylog.phtml access"
-  http /.*[\/\\]mylog\.phtml/
-  tcp-state established,originator
-  }
-
-signature sid-1122 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC /etc/passwd"
-  tcp-state established,originator
-  payload /.*\/[eE][tT][cC]\/[pP][aA][sS][sS][wW][dD]/
-  }
-
-signature sid-1123 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC ?PageServices access"
-  http /.*\?PageServices/
-  tcp-state established,originator
-  }
-
-signature sid-1124 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Ecommerce check.txt access"
-  http /.*[\/\\]config[\/\\]check\.txt/
-  tcp-state established,originator
-  }
-
-signature sid-1125 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC webcart access"
-  http /.*[\/\\]webcart[\/\\]/
-  tcp-state established,originator
-  }
-
-signature sid-1126 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC AuthChangeUrl access"
-  http /.*_AuthChangeUrl\?/
-  tcp-state established,originator
-  }
-
-signature sid-1127 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC convert.bas access"
-  http /.*[\/\\]scripts[\/\\]convert\.bas/
-  tcp-state established,originator
-  }
-
-signature sid-1128 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC cpshost.dll access"
-  http /.*[\/\\]scripts[\/\\]cpshost\.dll/
-  tcp-state established,originator
-  }
-
-signature sid-1129 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC .htaccess access"
-  tcp-state established,originator
-  payload /.*\.[hH][tT][aA][cC][cC][eE][sS][sS]/
-  }
-
-signature sid-1130 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC .wwwacl access"
-  http /.*\.wwwacl/
-  tcp-state established,originator
-  }
-
-signature sid-1131 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC .wwwacl access"
-  http /.*\.www_acl/
-  tcp-state established,originator
-  }
-
-signature sid-1136 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC cd.."
-  tcp-state established,originator
-  payload /.*[cC][dD]\.\./
-  }
-
-signature sid-1140 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC guestbook.pl access"
-  http /.*[\/\\]guestbook\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-1613 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC handler attempt"
-  http /.*[\/\\]handler/
-  http /.*\|/
-  tcp-state established,originator
-  }
-
-signature sid-1141 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC handler access"
-  http /.*[\/\\]handler/
-  tcp-state established,originator
-  }
-
-signature sid-1142 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC /.... access"
-  tcp-state established,originator
-  payload /.*\/\.\.\.\./
-  }
-
-signature sid-1143 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC ///cgi-bin access"
-  http /.*[\/\\][\/\\][\/\\]cgi-bin/
-  tcp-state established,originator
-  }
-
-signature sid-1144 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC /cgi-bin/// access"
-  http /.*[\/\\]cgi-bin[\/\\][\/\\][\/\\]/
-  tcp-state established,originator
-  }
-
-signature sid-1145 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC /~root access"
-  http /.*[\/\\]~root/
-  tcp-state established,originator
-  }
-
-signature sid-1662 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC /~ftp access"
-  http /.*[\/\\]~ftp/
-  tcp-state established,originator
-  }
-
-signature sid-1146 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Ecommerce import.txt access"
-  http /.*[\/\\]config[\/\\]import\.txt/
-  tcp-state established,originator
-  }
-
-signature sid-1147 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC cat%20 access"
-  tcp-state established,originator
-  payload /.*[cC][aA][tT]%20/
-  }
-
-signature sid-1148 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Ecommerce import.txt access"
-  http /.*[\/\\]orders[\/\\]import\.txt/
-  tcp-state established,originator
-  }
-
-signature sid-1150 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Domino catalog.nsf access"
-  http /.*[\/\\]catalog\.nsf/
-  tcp-state established,originator
-  }
-
-signature sid-1151 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Domino domcfg.nsf access"
-  http /.*[\/\\]domcfg\.nsf/
-  tcp-state established,originator
-  }
-
-signature sid-1152 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Domino domlog.nsf access"
-  http /.*[\/\\]domlog\.nsf/
-  tcp-state established,originator
-  }
-
-signature sid-1153 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Domino log.nsf access"
-  http /.*[\/\\]log\.nsf/
-  tcp-state established,originator
-  }
-
-signature sid-1154 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Domino names.nsf access"
-  http /.*[\/\\]names\.nsf/
-  tcp-state established,originator
-  }
-
-signature sid-1575 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Domino mab.nsf access"
-  http /.*[\/\\]mab\.nsf/
-  tcp-state established,originator
-  }
-
-signature sid-1576 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Domino cersvr.nsf access"
-  http /.*[\/\\]cersvr\.nsf/
-  tcp-state established,originator
-  }
-
-signature sid-1577 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Domino setup.nsf access"
-  http /.*[\/\\]setup\.nsf/
-  tcp-state established,originator
-  }
-
-signature sid-1578 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Domino statrep.nsf access"
-  http /.*[\/\\]statrep\.nsf/
-  tcp-state established,originator
-  }
-
-signature sid-1579 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Domino webadmin.nsf access"
-  http /.*[\/\\]webadmin\.nsf/
-  tcp-state established,originator
-  }
-
-signature sid-1580 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Domino events4.nsf access"
-  http /.*[\/\\]events4\.nsf/
-  tcp-state established,originator
-  }
-
-signature sid-1581 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Domino ntsync4.nsf access"
-  http /.*[\/\\]ntsync4\.nsf/
-  tcp-state established,originator
-  }
-
-signature sid-1582 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Domino collect4.nsf access"
-  http /.*[\/\\]collect4\.nsf/
-  tcp-state established,originator
-  }
-
-signature sid-1583 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Domino mailw46.nsf access"
-  http /.*[\/\\]mailw46\.nsf/
-  tcp-state established,originator
-  }
-
-signature sid-1584 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Domino bookmark.nsf access"
-  http /.*[\/\\]bookmark\.nsf/
-  tcp-state established,originator
-  }
-
-signature sid-1585 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Domino agentrunner.nsf access"
-  http /.*[\/\\]agentrunner\.nsf/
-  tcp-state established,originator
-  }
-
-signature sid-1586 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Domino mail.box access"
-  http /.*[\/\\]mail\.box/
-  tcp-state established,originator
-  }
-
-signature sid-1155 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Ecommerce checks.txt access"
-  http /.*[\/\\]orders[\/\\]checks\.txt/
-  tcp-state established,originator
-  }
-
-signature sid-1156 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC apache DOS attempt"
-  tcp-state established,originator
-  payload /.*\x2f\x2f\x2f\x2f\x2f\x2f\x2f\x2f/
-  }
-
-signature sid-1157 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Netscape PublishingXpert access"
-  http /.*[\/\\]PSUser[\/\\]PSCOErrPage\.htm/
-  tcp-state established,originator
-  }
-
-signature sid-1158 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC windmail.exe access"
-  http /.*[\/\\]windmail\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-1159 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC webplus access"
-  http /.*[\/\\]webplus\?script/
-  tcp-state established,originator
-  }
-
-signature sid-1160 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Netscape dir index wp"
-  http /.*\?wp-/
-  tcp-state established,originator
-  }
-
-signature sid-1162 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC cart 32 AdminPwd access"
-  http /.*[\/\\]c32web\.exe[\/\\]ChangeAdminPassword/
-  tcp-state established,originator
-  }
-
-signature sid-1164 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC shopping cart access"
-  http /.*[\/\\]quikstore\.cfg/
-  tcp-state established,originator
-  }
-
-signature sid-1614 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Novell Groupwise gwweb.exe attempt"
-  http /.*[\/\\]GWWEB\.EXE\?HELP=/
-  tcp-state established,originator
-  }
-
-signature sid-1165 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Novell Groupwise gwweb.exe access"
-  tcp-state established,originator
-  payload /.*\/[gG][wW][wW][eE][bB]\.[eE][xX][eE]/
-  }
-
-signature sid-1166 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC ws_ftp.ini access"
-  http /.*[\/\\]ws_ftp\.ini/
-  tcp-state established,originator
-  }
-
-signature sid-1167 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC rpm_query access"
-  http /.*[\/\\]rpm_query/
-  tcp-state established,originator
-  }
-
-signature sid-1168 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC mall log order access"
-  http /.*[\/\\]mall_log_files[\/\\]order\.log/
-  tcp-state established,originator
-  }
-
-signature sid-1173 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC architext_query.pl access"
-  http /.*[\/\\]ews[\/\\]architext_query\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-1175 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC wwwboard.pl access"
-  http /.*[\/\\]wwwboard\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-1176 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC order.log access"
-  http /.*[\/\\]admin_files[\/\\]order\.log/
-  tcp-state established,originator
-  }
-
-signature sid-1177 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Netscape Enterprise Server directory view"
-  http /.*\?wp-verify-link/
-  tcp-state established,originator
-  }
-
-signature sid-1180 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC get32.exe access"
-  http /.*[\/\\]get32\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-1181 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Annex Terminal DOS attempt"
-  http /.*[\/\\]ping\?query=/
-  tcp-state established,originator
-  }
-
-signature sid-1182 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC cgitest.exe attempt"
-  http /.*[\/\\]cgitest\.exe\x0d\x0auser/
-  tcp-state established,originator
-  }
-
-signature sid-1587 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC cgitest.exe access"
-  http /.*[\/\\]cgitest\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-1183 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Netscape Enterprise Server directory view"
-  http /.*\?wp-cs-dump/
-  tcp-state established,originator
-  }
-
-signature sid-1184 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Netscape Enterprise Server directory view"
-  http /.*\?wp-ver-info/
-  tcp-state established,originator
-  }
-
-signature sid-1186 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Netscape Enterprise Server directory view"
-  http /.*\?wp-ver-diff/
-  tcp-state established,originator
-  }
-
-signature sid-1187 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC SalesLogix Eviewer web command attempt"
-  http /.*[\/\\]slxweb\.dll[\/\\]admin\?command=/
-  tcp-state established,originator
-  }
-
-signature sid-1588 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC SalesLogix Eviewer access"
-  http /.*[\/\\]slxweb\.dll/
-  tcp-state established,originator
-  }
-
-signature sid-1188 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Netscape Enterprise Server directory view"
-  http /.*\?wp-start-ver/
-  tcp-state established,originator
-  }
-
-signature sid-1189 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Netscape Enterprise Server directory view"
-  http /.*\?wp-stop-ver/
-  tcp-state established,originator
-  }
-
-signature sid-1190 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Netscape Enterprise Server directory view"
-  http /.*\?wp-uncheckout/
-  tcp-state established,originator
-  }
-
-signature sid-1191 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Netscape Enterprise Server directory view"
-  http /.*\?wp-html-rend/
-  tcp-state established,originator
-  }
-
-signature sid-1381 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Trend Micro OfficeScan attempt"
-  http /.*[\/\\]officescan[\/\\]cgi[\/\\]jdkRqNotify\.exe\?/
-  http /.*domain=/
-  http /.*event=/
-  tcp-state established,originator
-  }
-
-signature sid-1192 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Trend Micro OfficeScan access"
-  http /.*[\/\\]officescan[\/\\]cgi[\/\\]jdkRqNotify\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-1193 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC oracle web arbitrary command execution attempt"
-  http /.*[\/\\]ows-bin[\/\\]/
-  http /.*\?&/
-  tcp-state established,originator
-  }
-
-signature sid-1880 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC oracle web application server access"
-  http /.*[\/\\]ows-bin[\/\\]/
-  tcp-state established,originator
-  }
-
-signature sid-1198 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Netscape Enterprise Server directory view"
-  http /.*\?wp-usr-prop/
-  tcp-state established,originator
-  }
-
-signature sid-1202 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC search.vts access"
-  http /.*[\/\\]search\.vts/
-  tcp-state established,originator
-  }
-
-signature sid-1615 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC htgrep attempt"
-  http /.*[\/\\]htgrep/
-  tcp-state established,originator
-  payload /.*hdr=\//
-  }
-
-signature sid-1207 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC htgrep access"
-  http /.*[\/\\]htgrep/
-  tcp-state established,originator
-  }
-
-signature sid-1209 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC .nsconfig access"
-  http /.*[\/\\]\.nsconfig/
-  tcp-state established,originator
-  }
-
-signature sid-1212 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Admin_files access"
-  http /.*[\/\\]admin_files/
-  tcp-state established,originator
-  }
-
-signature sid-1213 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC backup access"
-  http /.*[\/\\]backup/
-  tcp-state established,originator
-  }
-
-signature sid-1214 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC intranet access"
-  http /.*[\/\\]intranet[\/\\]/
-  tcp-state established,originator
-  }
-
-signature sid-1216 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC filemail access"
-  http /.*[\/\\]filemail/
-  tcp-state established,originator
-  }
-
-signature sid-1217 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC plusmail access"
-  http /.*[\/\\]plusmail/
-  tcp-state established,originator
-  }
-
-signature sid-1218 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC adminlogin access"
-  http /.*[\/\\]adminlogin/
-  tcp-state established,originator
-  }
-
-signature sid-1220 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC ultraboard access"
-  http /.*[\/\\]ultraboard/
-  tcp-state established,originator
-  }
-
-signature sid-1589 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC musicat empower attempt"
-  http /.*[\/\\]empower\?DB=/
-  tcp-state established,originator
-  }
-
-signature sid-1221 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC musicat empower access"
-  http /.*[\/\\]empower/
-  tcp-state established,originator
-  }
-
-signature sid-1224 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC ROADS search.pl attempt"
-  http /.*[\/\\]ROADS[\/\\]cgi-bin[\/\\]search\.pl/
-  tcp-state established,originator
-  payload /.*[fF][oO][rR][mM]=/
-  }
-
-signature sid-1230 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC VirusWall FtpSave access"
-  http /.*[\/\\]FtpSave\.dll/
-  tcp-state established,originator
-  }
-
-signature sid-1234 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC VirusWall FtpSaveCSP access"
-  http /.*[\/\\]FtpSaveCSP\.dll/
-  tcp-state established,originator
-  }
-
-signature sid-1235 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC VirusWall FtpSaveCVP access"
-  http /.*[\/\\]FtpSaveCVP\.dll/
-  tcp-state established,originator
-  }
-
-signature sid-1236 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Tomcat sourecode view"
-  http /.*\.js%2570/
-  tcp-state established,originator
-  }
-
-signature sid-1237 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Tomcat sourecode view"
-  http /.*\.j%2573p/
-  tcp-state established,originator
-  }
-
-signature sid-1238 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Tomcat sourecode view"
-  http /.*\.%256Asp/
-  tcp-state established,originator
-  }
-
-signature sid-1241 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC SWEditServlet directory traversal attempt"
-  http /.*[\/\\]SWEditServlet/
-  tcp-state established,originator
-  payload /.*template=\.\.\/\.\.\/\.\.\//
-  }
-
-signature sid-1259 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC SWEditServlet access"
-  http /.*[\/\\]SWEditServlet/
-  tcp-state established,originator
-  }
-
-signature sid-1139 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC whisker HEAD/./"
-  tcp-state established,originator
-  payload /.*HEAD\/\.\//
-  }
-
-signature sid-1258 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC HP OpenView Manager DOS"
-  http /.*[\/\\]OvCgi[\/\\]OpenView5\.exe\?Context=Snmp&Action=Snmp&Host=&Oid=/
-  tcp-state established,originator
-  }
-
-signature sid-1260 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC long basic authorization string"
-  tcp-state established,originator
-  payload /.*[aA][uU][tT][hH][oO][rR][iI][zZ][aA][tT][iI][oO][nN]: [bB][aA][sS][iI][cC] [^\x0A]{512}/
-  }
-
-signature sid-1291 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC sml3com access"
-  http /.*[\/\\]graphics[\/\\]sml3com/
-  tcp-state established,originator
-  }
-
-signature sid-1001 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC carbo.dll access"
-  http /.*[\/\\]carbo\.dll/
-  tcp-state established,originator
-  payload /.*[iI][cC][aA][tT][cC][oO][mM][mM][aA][nN][dD]=/
-  }
-
-signature sid-1302 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC console.exe access"
-  http /.*[\/\\]cgi-bin[\/\\]console\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-1303 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC cs.exe access"
-  http /.*[\/\\]cgi-bin[\/\\]cs\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-1113 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC http directory traversal"
-  tcp-state established,originator
-  payload /.*\.\.\//
-  }
-
-signature sid-1375 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC sadmind worm access"
-  tcp-state established,originator
-  payload /.{0,1}GET x HTTP\/1\.0/
-  }
-
-signature sid-1376 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC jrun directory browse attempt"
-  http /.*[\/\\]%3f\.jsp/
-  tcp-state established,originator
-  }
-
-signature sid-1385 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC mod-plsql administration access"
-  http /.*[\/\\]admin_[\/\\]/
-  tcp-state established,originator
-  }
-
-signature sid-1391 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Phorecast remote code execution attempt"
-  tcp-state established,originator
-  payload /.*includedir=/
-  }
-
-signature sid-1403 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC viewcode access"
-  http /.*[\/\\]viewcode/
-  tcp-state established,originator
-  }
-
-signature sid-1404 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC showcode access"
-  http /.*[\/\\]showcode/
-  tcp-state established,originator
-  }
-
-signature sid-1433 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC .history access"
-  http /.*[\/\\]\.history/
-  tcp-state established,originator
-  }
-
-signature sid-1434 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC .bash_history access"
-  http /.*[\/\\]\.bash_history/
-  tcp-state established,originator
-  }
-
-signature sid-1489 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC /~nobody access"
-  http /.*[\/\\]~nobody/
-  tcp-state established,originator
-  }
-
-signature sid-1492 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC RBS ISP /newuser  directory traversal attempt"
-  http /.*[\/\\]newuser\?Image=\.\.[\/\\]\.\./
-  tcp-state established,originator
-  }
-
-signature sid-1493 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC RBS ISP /newuser access"
-  http /.*[\/\\]newuser/
-  tcp-state established,originator
-  }
-
-signature sid-1663 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC *%0a.pl access"
-  http /.*[\/\\]\*%0a\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-1664 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC mkplog.exe access"
-  http /.*[\/\\]mkplog\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-1665 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC mkilog.exe access"
-  http /.*[\/\\]mkilog\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-509 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC PCCS mysql database admin tool access"
-  tcp-state established,originator
-  payload /.{0,5}[pP][cC][cC][sS][mM][yY][sS][qQ][lL][aA][dD][mM]\/[iI][nN][cC][sS]\/[dD][bB][cC][oO][nN][nN][eE][cC][tT]\.[iI][nN][cC]/
-  }
-
-signature sid-1769 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC .DS_Store access"
-  http /.*[\/\\]\.DS_Store/
-  tcp-state established,originator
-  }
-
-signature sid-1770 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC .FBCIndex access"
-  http /.*[\/\\]\.FBCIndex/
-  tcp-state established,originator
-  }
-
-signature sid-1500 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC ExAir access"
-  http /.*[\/\\]exair[\/\\]search[\/\\]/
-  tcp-state established,originator
-  }
-
-signature sid-1519 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC apache ?M=D directory list attempt"
-  http /.*[\/\\]\?M=D/
-  tcp-state established,originator
-  }
-
-signature sid-1520 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC server-info access"
-  http /.*[\/\\]server-info/
-  tcp-state established,originator
-  }
-
-signature sid-1521 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC server-status access"
-  http /.*[\/\\]server-status/
-  tcp-state established,originator
-  }
-
-signature sid-1522 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC ans.pl attempt"
-  http /.*[\/\\]ans\.pl\?p=\.\.[\/\\]\.\.[\/\\]/
-  tcp-state established,originator
-  }
-
-signature sid-1523 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC ans.pl access"
-  http /.*[\/\\]ans\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-1524 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC AxisStorpoint CD attempt"
-  http /.*[\/\\]cd[\/\\]\.\.[\/\\]config[\/\\]html[\/\\]cnf_gi\.htm/
-  tcp-state established,originator
-  }
-
-signature sid-1525 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Axis Storpoint CD access"
-  http /.*[\/\\]config[\/\\]html[\/\\]cnf_gi\.htm/
-  tcp-state established,originator
-  }
-
-signature sid-1526 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC basilix sendmail.inc access"
-  http /.*[\/\\]inc[\/\\]sendmail\.inc/
-  tcp-state established,originator
-  }
-
-signature sid-1527 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC basilix mysql.class access"
-  http /.*[\/\\]class[\/\\]mysql\.class/
-  tcp-state established,originator
-  }
-
-signature sid-1528 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC BBoard access"
-  http /.*[\/\\]servlet[\/\\]sunexamples\.BBoardServlet/
-  tcp-state established,originator
-  }
-
-signature sid-1544 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Cisco Catalyst command execution attempt"
-  http /.*[\/\\]exec[\/\\]show[\/\\]config[\/\\]cr/
-  tcp-state established,originator
-  }
-
-signature sid-1546 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Cisco /%% DOS attempt"
-  http /.*[\/\\]%%/
-  tcp-state established,originator
-  }
-
-signature sid-1551 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC /CVS/Entries access"
-  http /.*[\/\\]CVS[\/\\]Entries/
-  tcp-state established,originator
-  }
-
-signature sid-1552 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC cvsweb version access"
-  http /.*[\/\\]cvsweb[\/\\]version/
-  tcp-state established,originator
-  }
-
-signature sid-1559 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC /doc/packages access"
-  http /.*[\/\\]doc[\/\\]packages/
-  tcp-state established,originator
-  }
-
-signature sid-1560 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC /doc/ access"
-  http /.*[\/\\]doc[\/\\]/
-  tcp-state established,originator
-  }
-
-signature sid-1561 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC ?open access"
-  http /.*\?open/
-  tcp-state established,originator
-  }
-
-signature sid-1563 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC login.htm attempt"
-  http /.*[\/\\]login\.htm\?password=/
-  tcp-state established,originator
-  }
-
-signature sid-1564 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC login.htm access"
-  http /.*[\/\\]login\.htm/
-  tcp-state established,originator
-  }
-
-signature sid-1603 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC DELETE attempt"
-  tcp-state established,originator
-  payload /[dD][eE][lL][eE][tT][eE] /
-  }
-
-signature sid-1670 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC /home/ftp access"
-  http /.*[\/\\]home[\/\\]ftp/
-  tcp-state established,originator
-  }
-
-signature sid-1671 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC /home/www access"
-  http /.*[\/\\]home[\/\\]www/
-  tcp-state established,originator
-  }
-
-signature sid-1738 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC global.inc access"
-  http /.*[\/\\]global\.inc/
-  tcp-state established,originator
-  }
-
-signature sid-1744 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC SecureSite authentication bypass attempt"
-  tcp-state established,originator
-  payload /.*[sS][eE][cC][uU][rR][eE]_[sS][iI][tT][eE], [oO][kK]/
-  }
-
-signature sid-1757 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC b2 arbitrary command execution attempt"
-  http /.*[\/\\]b2[\/\\]b2-include[\/\\]/
-  tcp-state established,originator
-  payload /.*b2inc/
-  payload /.*http:\/\//
-  }
-
-signature sid-1758 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC b2 access"
-  http /.*[\/\\]b2[\/\\]b2-include[\/\\]/
-  tcp-state established,originator
-  payload /.*b2inc/
-  payload /.*http:\/\//
-  }
-
-signature sid-1766 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC search.dll directory listing attempt"
-  http /.*[\/\\]search\.dll/
-  tcp-state established,originator
-  payload /.*query=%00/
-  }
-
-signature sid-1767 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC search.dll access"
-  http /.*[\/\\]search\.dll/
-  tcp-state established,originator
-  }
-
-signature sid-1498 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 8181
-  event "WEB-MISC PIX firewall manager directory traversal attempt"
-  http /.*[\/\\]\.\.[\/\\]\.\.[\/\\]/
-  tcp-state established,originator
-  }
-
-signature sid-1604 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 4080
-  event "WEB-MISC iChat directory traversal attempt"
-  http /.*[\/\\]\.\.[\/\\]\.\.[\/\\]/
-  tcp-state established,originator
-  }
-
-signature sid-1558 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 8080
-  event "WEB-MISC Delegate whois overflow attempt"
-  tcp-state established,originator
-  payload /.*[wW][hH][oO][iI][sS]:\/\//
-  }
-
-signature sid-1518 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 8000
-  event "WEB-MISC nstelemetry.adp access"
-  http /.*[\/\\]nstelemetry\.adp/
-  tcp-state established,originator
-  }
-
-signature sid-1132 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 457
-  event "WEB-MISC Netscape Unixware overflow"
-  tcp-state established,originator
-  payload /.*\xeb\x5f\x9a\xff\xff\xff\xff\x07\xff\xc3\x5e\x31\xc0\x89\x46\x9d/
-  }
-
-signature sid-1199 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 2301
-  event "WEB-MISC Compaq Insight directory traversal"
-  http /.*\.\.[\/\\]/
-  tcp-state established,originator
-  }
-
-signature sid-1231 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC VirusWall catinfo access"
-  http /.*[\/\\]catinfo/
-  tcp-state established,originator
-  }
-
-signature sid-1232 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 1812
-  event "WEB-MISC VirusWall catinfo access"
-  http /.*[\/\\]catinfo/
-  tcp-state established,originator
-  }
-
-signature sid-1809 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Apache Chunked-Encoding worm attempt"
-  tcp-state established,originator
-  payload /.*[cC][cC][cC][cC][cC][cC][cC]: [aA][aA][aA][aA][aA][aA][aA][aA][aA][aA][aA][aA][aA][aA][aA][aA][aA][aA][aA]/
-  }
-
-signature sid-1807 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Transfer-Encoding: chunked"
-  tcp-state established,originator
-  payload /.*[tT][rR][aA][nN][sS][fF][eE][rR]-[eE][nN][cC][oO][dD][iI][nN][gG]:/
-  payload /.*[cC][hH][uU][nN][kK][eE][dD]/
-  }
-
-signature sid-1814 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC CISCO VoIP DOS ATTEMPT"
-  http /.*[\/\\]StreamingStatistics/
-  tcp-state established,originator
-  }
-
-signature sid-1820 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC IBM Net.Commerce orderdspc.d2w access"
-  http /.*[\/\\]ncommerce3[\/\\]ExecMacro[\/\\]orderdspc\.d2w/
-  tcp-state established,originator
-  }
-
-signature sid-1826 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC WEB-INF access"
-  http /.*[\/\\]WEB-INF/
-  tcp-state established,originator
-  }
-
-signature sid-1827 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Tomcat servlet mapping cross site scripting attempt"
-  http /.*[\/\\]servlet[\/\\]/
-  http /.*[\/\\]org\.apache\./
-  tcp-state established,originator
-  }
-
-signature sid-1828 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC iPlanet Search directory traversal attempt"
-  http /.*[\/\\]search/
-  tcp-state established,originator
-  payload /.*NS-query-pat=/
-  payload /.*\.\.\/\.\.\//
-  }
-
-signature sid-1829 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Tomcat TroubleShooter servlet access"
-  http /.*[\/\\]examples[\/\\]servlet[\/\\]TroubleShooter/
-  tcp-state established,originator
-  }
-
-signature sid-1830 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Tomcat SnoopServlet servlet access"
-  http /.*[\/\\]examples[\/\\]servlet[\/\\]SnoopServlet/
-  tcp-state established,originator
-  }
-
-signature sid-1831 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC jigsaw dos attempt"
-  http /.*[\/\\]servlet[\/\\]con/
-  tcp-state established,originator
-  }
-
-signature sid-1835 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Macromedia SiteSpring cross site scripting attempt"
-  http /.*[\/\\]error[\/\\]500error\.jsp/
-  http /.*et=/
-  http /.*<script/
-  tcp-state established,originator
-  }
-
-signature sid-1839 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC mailman cross site scripting attempt"
-  http /.*[\/\\]mailman[\/\\]/
-  http /.*\?/
-  http /.*info=/
-  http /.*<script/
-  tcp-state established,originator
-  }
-
-signature sid-1847 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC webalizer access"
-  http /.*[\/\\]webalizer[\/\\]/
-  tcp-state established,originator
-  }
-
-signature sid-1848 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC webcart-lite access"
-  http /.*[\/\\]webcart-lite[\/\\]/
-  tcp-state established,originator
-  }
-
-signature sid-1849 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC webfind.exe access"
-  http /.*[\/\\]webfind\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-1851 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC active.log access"
-  http /.*[\/\\]active\.log/
-  tcp-state established,originator
-  }
-
-signature sid-1852 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC robots.txt access"
-  http /.*[\/\\]robots\.txt/
-  tcp-state established,originator
-  }
-
-signature sid-1857 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC robot.txt access"
-  http /.*[\/\\]robot\.txt/
-  tcp-state established,originator
-  }
-
-signature sid-1858 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 8181
-  event "WEB-MISC CISCO PIX Firewall Manager directory traversal attempt"
-  http /.*[\/\\]pixfir~1[\/\\]how_to_login\.html/
-  tcp-state established,originator
-  }
-
-signature sid-1859 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 9090
-  event "WEB-MISC Sun JavaServer default password login attempt"
-  http /.*[\/\\]servlet[\/\\]admin/
-  tcp-state established,originator
-  payload /.*ae9f86d6beaa3f9ecb9a5b7e072a4138/
-  }
-
-signature sid-1860 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 8080
-  event "WEB-MISC Linksys router default password login attempt (:admin)"
-  tcp-state established,originator
-  payload /.*Authorization: Basic OmFkbWlu/
-  }
-
-signature sid-1861 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 8080
-  event "WEB-MISC Linksys router default password login attempt (admin:admin)"
-  tcp-state established,originator
-  payload /.*[aA][uU][tT][hH][oO][rR][iI][zZ][aA][tT][iI][oO][nN]: /
-  payload /.* [bB][aA][sS][iI][cC] /
-  payload /.*YWRtaW46YWRtaW4/
-  }
-
-signature sid-1871 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Oracle XSQLConfig.xml access"
-  http /.*[\/\\]XSQLConfig\.xml/
-  tcp-state established,originator
-  }
-
-signature sid-1872 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Oracle Dynamic Monitoring Services (dms) access"
-  http /.*[\/\\]dms0/
-  tcp-state established,originator
-  }
-
-signature sid-1873 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC globals.jsa access"
-  http /.*[\/\\]globals\.jsa/
-  tcp-state established,originator
-  }
-
-signature sid-1874 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC Oracle Java Process Manager access"
-  http /.*[\/\\]oprocmgr-status/
-  tcp-state established,originator
-  }
-
-signature sid-1881 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC bad HTTP/1.1 request, Potentially worm attack"
-  tcp-state established,originator
-  payload /GET \/ HTTP\/1\.1\x0d\x0a\x0d\x0a/
-  }
-
-signature sid-1104 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  payload-size == 1
-  event "WEB-MISC whisker space splice attack"
-  tcp-state established,originator
-  payload /\x20/
-  }
-
-signature sid-1087 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  payload-size < 5
-  event "WEB-MISC whisker tab splice attack"
-  tcp-state established,originator
-  payload /.*\x09/
-  }
-
-signature sid-1808 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC apache chunked encoding memory corruption exploit attempt"
-  tcp-state established,originator
-  payload /.*\xC0\x50\x52\x89\xE1\x50\x51\x52\x50\xB8\x3B\x00\x00\x00\xCD\x80/
-  }
-
-signature sid-1943 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC /Carello/add.exe access"
-  http /.*[\/\\]Carello[\/\\]add\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-1944 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC /ecscripts/ecware.exe access"
-  http /.*[\/\\]ecscripts[\/\\]ecware\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-1969 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-MISC ion-p access"
-  http /.*[\/\\]ion-p/
-  tcp-state established,originator
-  }
-
-signature sid-1499 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 8888
-  event "WEB-MISC SiteScope Service access"
-  http /.*[\/\\]SiteScope[\/\\]cgi[\/\\]go\.exe[\/\\]SiteScope/
-  tcp-state established,originator
-  }
-
-signature sid-1946 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 8888
-  event "WEB-MISC answerbook2 admin attempt"
-  http /.*[\/\\]cgi-bin[\/\\]admin[\/\\]admin/
-  tcp-state established,originator
-  }
-
-signature sid-1947 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 8888
-  event "WEB-MISC answerbook2 arbitrary command execution attempt"
-  http /.*[\/\\]ab2[\/\\]/
-  tcp-state established,originator
-  payload /.{1}.*;/
-  }
-
-signature sid-1979 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == http_ports
-  event "WEB-MISC perl post attempt"
-  http /.*[\/\\]perl[\/\\]/
-  tcp-state established,originator
-  payload /POST/
-  }
-
-signature sid-2056 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == http_ports
-  event "WEB-MISC TRACE attempt"
-  tcp-state established,originator
-  payload /TRACE/
-  }
-
-signature sid-2057 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == http_ports
-  event "WEB-MISC helpout.exe access"
-  http /.*[\/\\]helpout\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-2058 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == http_ports
-  event "WEB-MISC MsmMask.exe attempt"
-  http /.*[\/\\]MsmMask\.exe/
-  tcp-state established,originator
-  payload /.*mask=/
-  }
-
-signature sid-2059 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == http_ports
-  event "WEB-MISC MsmMask.exe access"
-  http /.*[\/\\]MsmMask\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-2060 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == http_ports
-  event "WEB-MISC DB4Web access"
-  http /.*[\/\\]DB4Web[\/\\]/
-  tcp-state established,originator
-  }
-
-signature sid-2061 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == http_ports
-  event "WEB-MISC Tomcat null byte directory listing attempt"
-  http /.*\x00\.jsp/
-  tcp-state established,originator
-  }
-
-signature sid-2062 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == http_ports
-  event "WEB-MISC iPlanet .perf access"
-  http /.*[\/\\]\.perf/
-  tcp-state established,originator
-  }
-
-signature sid-2063 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == http_ports
-  event "WEB-MISC Demarc SQL injection attempt"
-  http /.*[\/\\]dm[\/\\]demarc/
-  tcp-state established,originator
-  payload /.*s_key=.*.{0}.*'.{1}.*'.*.{0}.*'/
-  }
-
-signature sid-2064 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == http_ports
-  event "WEB-MISC Lotus Notes .csp script source download attempt"
-  http /.*\.csp/
-  tcp-state established,originator
-  payload /.*\.csp\./
-  }
-
-signature sid-2066 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == http_ports
-  event "WEB-MISC Lotus Notes .pl script source download attempt"
-  http /.*\.pl/
-  tcp-state established,originator
-  payload /.*\.pl\./
-  }
-
-signature sid-2067 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == http_ports
-  event "WEB-MISC Lotus Notes .exe script source download attempt"
-  http /.*\.exe/
-  tcp-state established,originator
-  payload /.*\.exe\./
-  }
-
-signature sid-2068 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == http_ports
-  event "WEB-MISC BitKeeper arbitrary command attempt"
-  http /.*[\/\\]diffs[\/\\]/
-  tcp-state established,originator
-  payload /.*'.*.{0}.*\x3b.{1}.*'/
-  }
-
-signature sid-2069 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == http_ports
-  event "WEB-MISC chip.ini access"
-  http /.*[\/\\]chip\.ini/
-  tcp-state established,originator
-  }
-
-signature sid-2070 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == http_ports
-  event "WEB-MISC post32.exe arbitrary command attempt"
-  http /.*[\/\\]post32\.exe\|/
-  tcp-state established,originator
-  }
-
-signature sid-2071 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == http_ports
-  event "WEB-MISC post32.exe access"
-  http /.*[\/\\]post32\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-2072 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == http_ports
-  event "WEB-MISC lyris.pl access"
-  http /.*[\/\\]lyris\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-2073 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == http_ports
-  event "WEB-MISC globals.pl access"
-  http /.*[\/\\]globals\.pl/
-  tcp-state established,originator
-  }
-
-signature sid-2135 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == http_ports
-  event "WEB-MISC philboard.mdb access"
-  http /.*[\/\\]philboard\.mdb/
-  tcp-state established,originator
-  }
-
-signature sid-2136 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == http_ports
-  event "WEB-MISC philboard_admin.asp authentication bypass attempt"
-  http /.*[\/\\]philboard_admin\.asp/
-  tcp-state established,originator
-  payload /.*[cC][oO][oO][kK][iI][eE].*.{0}.*philboard_admin=True/
-  }
-
-signature sid-2137 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == http_ports
-  event "WEB-MISC philboard_admin.asp access"
-  http /.*[\/\\]philboard_admin\.asp/
-  tcp-state established,originator
-  }
-
-signature sid-2138 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == http_ports
-  event "WEB-MISC logicworks.ini access"
-  http /.*[\/\\]logicworks\.ini/
-  tcp-state established,originator
-  }
-
-signature sid-2139 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == http_ports
-  event "WEB-MISC /*.shtml access"
-  http /.*[\/\\]\*\.shtml/
-  tcp-state established,originator
-  }
-
-signature sid-2156 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == http_ports
-  event "WEB-MISC mod_gzip_status access"
-  http /.*[\/\\]mod_gzip_status/
-  tcp-state established,originator
-  }
-
-signature sid-1233 {
-  ip-proto == tcp
-  src-ip == local_nets
-  dst-ip != local_nets
-  dst-port == http_ports
-  event "WEB-CLIENT Outlook EML access"
-  http /.*\.eml/
-  tcp-state established,originator
-  }
-
-signature sid-1735 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  src-port == http_ports
-  event "WEB-CLIENT XMLHttpRequest attempt"
-  tcp-state established,responder
-  payload /.*new XMLHttpRequest\(/
-  payload /.*[fF][iI][lL][eE]:\/\//
-  }
-
-signature sid-1284 {
-  ip-proto == tcp
-  src-ip == local_nets
-  dst-ip != local_nets
-  dst-port == http_ports
-  event "WEB-CLIENT readme.eml download attempt"
-  http /.*[\/\\]readme\.eml/
-  tcp-state established,originator
-  }
-
-signature sid-1290 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  src-port == http_ports
-  event "WEB-CLIENT readme.eml autoload attempt"
-  tcp-state established,responder
-  payload /.*[wW][iI][nN][dD][oO][wW]\.[oO][pP][eE][nN]\(\"[rR][eE][aA][dD][mM][eE]\.[eE][mM][lL]\"/
-  }
-
-signature sid-1840 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  src-port == http_ports
-  event "WEB-CLIENT Javascript document.domain attempt"
-  tcp-state established,responder
-  payload /.*[dD][oO][cC][uU][mM][eE][nN][tT]\.[dD][oO][mM][aA][iI][nN]\(/
-  }
-
-signature sid-1841 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  src-port == http_ports
-  event "WEB-CLIENT Javascript URL host spoofing attempt"
-  tcp-state established,responder
-  payload /.*[jJ][aA][vV][aA][sS][cC][rR][iI][pP][tT]:\/\//
-  }
-
-signature sid-1774 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP bb_smilies.php access"
-  http /.*[\/\\]bb_smilies\.php/
-  tcp-state established,originator
-  }
-
-signature sid-1423 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP content-disposition memchr overflow"
-  tcp-state established,originator
-  payload /.*Content-Disposition:/
-  payload /.*name=\"\xCC\xCC\xCC\xCC\xCC/
-  }
-
-signature sid-1736 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP squirrel mail spell-check arbitrary command attempt"
-  http /.*[\/\\]squirrelspell[\/\\]modules[\/\\]check_me\.mod\.php/
-  tcp-state established,originator
-  payload /.*[sS][qQ][sS][pP][eE][lL][lL]_[aA][pP][pP]\[/
-  }
-
-signature sid-1737 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP squirrel mail theme arbitrary command attempt"
-  http /.*[\/\\]left_main\.php/
-  tcp-state established,originator
-  payload /.*[cC][mM][dD][dD]=/
-  }
-
-signature sid-1739 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP DNSTools administrator authentication bypass attempt"
-  http /.*[\/\\]dnstools\.php/
-  tcp-state established,originator
-  payload /.*[uU][sS][eE][rR]_[lL][oO][gG][gG][eE][dD]_[iI][nN]=[tT][rR][uU][eE]/
-  payload /.*[uU][sS][eE][rR]_[dD][nN][sS][tT][oO][oO][lL][sS]_[aA][dD][mM][iI][nN][iI][sS][tT][rR][aA][tT][oO][rR]=[tT][rR][uU][eE]/
-  }
-
-signature sid-1740 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP DNSTools authentication bypass attempt"
-  http /.*[\/\\]dnstools\.php/
-  tcp-state established,originator
-  payload /.*[uU][sS][eE][rR]_[lL][oO][gG][gG][eE][dD]_[iI][nN]=[tT][rR][uU][eE]/
-  }
-
-signature sid-1741 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP DNSTools access"
-  http /.*[\/\\]dnstools\.php/
-  tcp-state established,originator
-  }
-
-signature sid-1742 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP Blahz-DNS dostuff.php modify user attempt"
-  http /.*[\/\\]dostuff\.php\?action=modify_user/
-  tcp-state established,originator
-  }
-
-signature sid-1743 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP Blahz-DNS dostuff.php access"
-  http /.*[\/\\]dostuff\.php/
-  tcp-state established,originator
-  }
-
-signature sid-1745 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP Messagerie supp_membre.php access"
-  http /.*[\/\\]supp_membre\.php/
-  tcp-state established,originator
-  }
-
-signature sid-1773 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP php.exe access"
-  http /.*[\/\\]php\.exe/
-  tcp-state established,originator
-  }
-
-signature sid-1815 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP directory.php arbitrary command attempt"
-  http /.*[\/\\]directory\.php/
-  tcp-state established,originator
-  payload /.*dir=/
-  payload /.*;/
-  }
-
-signature sid-1816 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP directory.php access"
-  http /.*[\/\\]directory\.php/
-  tcp-state established,originator
-  }
-
-signature sid-1834 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP PHP-Wiki cross site scripting attempt"
-  http /.*[\/\\]modules\.php\?/
-  http /.*name=Wiki/
-  http /.*<script/
-  tcp-state established,originator
-  }
-
-signature sid-1967 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP phpbb quick-reply.php arbitrary command attempt"
-  http /.*[\/\\]quick-reply\.php/
-  tcp-state established,originator
-  payload /.{1}.*phpbb_root_path=/
-  }
-
-signature sid-1968 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP phpbb quick-reply.php access"
-  http /.*[\/\\]quick-reply\.php/
-  tcp-state established,originator
-  }
-
-signature sid-1997 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP read_body.php access attempt"
-  http /.*[\/\\]read_body\.php/
-  tcp-state established,originator
-  }
-
-signature sid-1998 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP calendar.php access"
-  http /.*[\/\\]calendar\.php/
-  tcp-state established,originator
-  }
-
-signature sid-1999 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP edit_image.php access"
-  http /.*[\/\\]edit_image\.php/
-  tcp-state established,originator
-  }
-
-signature sid-2000 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP readmsg.php access"
-  http /.*[\/\\]readmsg\.php/
-  tcp-state established,originator
-  }
-
-signature sid-2002 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP external include path"
-  http /.*\.php/
-  tcp-state established,originator
-  payload /.*path=http:\/\//
-  }
-
-signature sid-1134 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP Phorum admin access"
-  http /.*[\/\\]admin\.php3/
-  tcp-state established,originator
-  }
-
-signature sid-1161 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP piranha passwd.php3 access"
-  http /.*[\/\\]passwd\.php3/
-  tcp-state established,originator
-  }
-
-signature sid-1178 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP Phorum read access"
-  http /.*[\/\\]read\.php3/
-  tcp-state established,originator
-  }
-
-signature sid-1179 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP Phorum violation access"
-  http /.*[\/\\]violation\.php3/
-  tcp-state established,originator
-  }
-
-signature sid-1197 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP Phorum code access"
-  http /.*[\/\\]code\.php3/
-  tcp-state established,originator
-  }
-
-signature sid-1300 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP admin.php file upload attempt"
-  http /.*[\/\\]admin\.php/
-  tcp-state established,originator
-  payload /.*[fF][iI][lL][eE]_[nN][aA][mM][eE]=/
-  }
-
-signature sid-1301 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP admin.php access"
-  http /.*[\/\\]admin\.php/
-  tcp-state established,originator
-  }
-
-signature sid-1407 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP smssend.php access"
-  http /.*[\/\\]smssend\.php/
-  tcp-state established,originator
-  }
-
-signature sid-1399 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP PHP-Nuke remote file include attempt"
-  http /.*index\.php/
-  tcp-state established,originator
-  payload /.*[fF][iI][lL][eE]=[hH][tT][tT][pP]:\/\//
-  }
-
-signature sid-1490 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP Phorum /support/common.php attempt"
-  http /.*[\/\\]support[\/\\]common\.php/
-  tcp-state established,originator
-  payload /.*ForumLang=\.\.\//
-  }
-
-signature sid-1491 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP Phorum /support/common.php access"
-  http /.*[\/\\]support[\/\\]common\.php/
-  tcp-state established,originator
-  }
-
-signature sid-1137 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP Phorum authentication access"
-  tcp-state established,originator
-  payload /.*[pP][hH][pP]_[aA][uU][tT][hH]_[uU][sS][eE][rR]=[bB][oO][oO][gG][iI][eE][mM][aA][nN]/
-  }
-
-signature sid-1085 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP strings overflow"
-  tcp-state established,originator
-  payload /.*\xba\x49\xfe\xff\xff\xf7\xd2\xb9\xbf\xff\xff\xff\xf7\xd1/
-  }
-
-signature sid-1086 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP strings overflow"
-  http /.*\?STRENGUR/
-  tcp-state established,originator
-  }
-
-signature sid-1254 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP PHPLIB remote command attempt"
-  tcp-state established,originator
-  payload /.*_PHPLIB\[libdir\]/
-  }
-
-signature sid-1255 {
-  ip-proto == tcp
-  src-ip == http_servers
-  dst-ip != local_nets
-  dst-port == http_ports
-  event "WEB-PHP PHPLIB remote command attempt"
-  http /.*[\/\\]db_mysql\.inc/
-  tcp-state established,originator
-  }
-
-signature sid-2074 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP Mambo uploadimage.php upload php file attempt"
-  http /.*[\/\\]uploadimage\.php/
-  tcp-state established,originator
-  payload /.*userfile_name=.{1}.*\.php/
-  }
-
-signature sid-2075 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP Mambo upload.php upload php file attempt"
-  http /.*[\/\\]upload\.php/
-  tcp-state established,originator
-  payload /.*userfile_name=.{1}.*\.php/
-  }
-
-signature sid-2076 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP Mambo uploadimage.php access"
-  http /.*[\/\\]uploadimage\.php/
-  tcp-state established,originator
-  }
-
-signature sid-2077 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP Mambo upload.php access"
-  http /.*[\/\\]upload\.php/
-  tcp-state established,originator
-  }
-
-signature sid-2078 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP phpBB privmsg.php access"
-  http /.*[\/\\]privmsg\.php/
-  tcp-state established,originator
-  }
-
-signature sid-2140 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP p-news.php access"
-  http /.*[\/\\]p-news\.php/
-  tcp-state established,originator
-  }
-
-signature sid-2141 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP shoutbox.php directory traversal attempt"
-  http /.*[\/\\]shoutbox\.php/
-  tcp-state established,originator
-  payload /.*conf=.*.{0}.*\.\.\//
-  }
-
-signature sid-2142 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP shoutbox.php access"
-  http /.*[\/\\]shoutbox\.php/
-  tcp-state established,originator
-  }
-
-signature sid-2143 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP b2 cafelog gm-2-b2.php remote command execution attempt"
-  http /.*[\/\\]gm-2-b2\.php/
-  tcp-state established,originator
-  payload /.*b2inc=http/
-  }
-
-signature sid-2144 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP b2 cafelog gm-2-b2.php access"
-  http /.*[\/\\]gm-2-b2\.php/
-  tcp-state established,originator
-  }
-
-signature sid-2145 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP TextPortal admin.php default password (admin) attempt"
-  http /.*[\/\\]admin\.php/
-  tcp-state established,originator
-  payload /.*op=admin_enter/
-  payload /.*password=admin/
-  }
-
-signature sid-2146 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP TextPortal admin.php default password (12345) attempt"
-  http /.*[\/\\]admin\.php/
-  tcp-state established,originator
-  payload /.*op=admin_enter/
-  payload /.*password=12345/
-  }
-
-signature sid-2147 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP BLNews objects.inc.php4 remote command execution attempt"
-  http /.*[\/\\]objects\.inc\.php4/
-  tcp-state established,originator
-  payload /.*Server\[path\]=http/
-  }
-
-signature sid-2148 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP BLNews objects.inc.php4 access"
-  http /.*[\/\\]objects\.inc\.php4/
-  tcp-state established,originator
-  }
-
-signature sid-2149 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP Turba status.php access"
-  http /.*[\/\\]turba[\/\\]status\.php/
-  tcp-state established,originator
-  }
-
-signature sid-2150 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP ttCMS header.php remote command execution attempt"
-  http /.*[\/\\]admin[\/\\]templates[\/\\]header\.php/
-  tcp-state established,originator
-  payload /.*admin_root=http/
-  }
-
-signature sid-2151 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP ttCMS header.php access"
-  http /.*[\/\\]admin[\/\\]templates[\/\\]header\.php/
-  tcp-state established,originator
-  }
-
-signature sid-2152 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP test.php access"
-  http /.*[\/\\]test\.php/
-  tcp-state established,originator
-  }
-
-signature sid-2153 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP autohtml.php directory traversal attempt"
-  http /.*[\/\\]autohtml\.php/
-  tcp-state established,originator
-  payload /.*name=.*.{0}.*\.\.\/\.\.\//
-  }
-
-signature sid-2154 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP autohtml.php access"
-  http /.*[\/\\]autohtml\.php/
-  tcp-state established,originator
-  }
-
-signature sid-2155 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == http_ports
-  event "WEB-PHP ttforum remote command execution attempt"
-  http /.*forum[\/\\]index\.php/
-  tcp-state established,originator
-  payload /.*template=http/
-  }
-
-signature sid-676 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == sql_servers
-  dst-port == 139
-  event "MS-SQL/SMB sp_start_job - program execution"
-  tcp-state established,originator
-  payload /.{31}[sS]\x00[pP]\x00_\x00[sS]\x00[tT]\x00[aA]\x00[rR]\x00[tT]\x00_\x00[jJ]\x00[oO]\x00[bB]\x00/
-  }
-
-signature sid-677 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == sql_servers
-  dst-port == 139
-  event "MS-SQL/SMB sp_password password change"
-  tcp-state established,originator
-  payload /.*[sS]\x00[pP]\x00_\x00[pP]\x00[aA]\x00[sS]\x00[sS]\x00[wW]\x00[oO]\x00[rR]\x00[dD]\x00/
-  }
-
-signature sid-678 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == sql_servers
-  dst-port == 139
-  event "MS-SQL/SMB sp_delete_alert log file deletion"
-  tcp-state established,originator
-  payload /.*[sS]\x00[pP]\x00_\x00[dD]\x00[eE]\x00[lL]\x00[eE]\x00[tT]\x00[eE]\x00_\x00[aA]\x00[lL]\x00[eE]\x00/
-  }
-
-signature sid-679 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == sql_servers
-  dst-port == 139
-  event "MS-SQL/SMB sp_adduser database user creation"
-  tcp-state established,originator
-  payload /.{31}[sS]\x00[pP]\x00_\x00[aA]\x00[dD]\x00[dD]\x00[uU]\x00[sS]\x00[eE]\x00[rR]\x00/
-  }
-
-signature sid-708 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == sql_servers
-  dst-port == 139
-  event "MS-SQL/SMB xp_enumresultset possible buffer overflow"
-  tcp-state established,originator
-  payload /.{31}.*[xX]\x00[pP]\x00_\x00[eE]\x00[nN]\x00[uU]\x00[mM]\x00[rR]\x00[eE]\x00[sS]\x00[uU]\x00[lL]\x00[tT]\x00[sS]\x00[eE]\x00[tT]\x00/
-  }
-
-signature sid-1386 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == sql_servers
-  dst-port == 139
-  event "MS-SQL/SMB raiserror possible buffer overflow"
-  tcp-state established,originator
-  payload /.{31}.*[rR]\x00[aA]\x00[iI]\x00[sS]\x00[eE]\x00[rR]\x00[rR]\x00[oO]\x00[rR]\x00/
-  }
-
-signature sid-702 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == sql_servers
-  dst-port == 139
-  event "MS-SQL/SMB xp_displayparamstmt possible buffer overflow"
-  tcp-state established,originator
-  payload /.{31}.*[xX]\x00[pP]\x00_\x00[dD]\x00[iI]\x00[sS]\x00[pP]\x00[lL]\x00[aA]\x00[yY]\x00[pP]\x00[aA]\x00[rR]\x00[aA]\x00[mM]\x00[sS]\x00[tT]\x00[mM]\x00[tT]\x00/
-  }
-
-signature sid-703 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == sql_servers
-  dst-port == 139
-  event "MS-SQL/SMB xp_setsqlsecurity possible buffer overflow"
-  tcp-state established,originator
-  payload /.{31}.*[xX]\x00[pP]\x00_\x00[sS]\x00[eE]\x00[tT]\x00[sS]\x00[qQ]\x00[lL]\x00[sS]\x00[eE]\x00[cC]\x00[uU]\x00[rR]\x00[iI]\x00[tT]\x00[yY]\x00/
-  }
-
-signature sid-681 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == sql_servers
-  dst-port == 139
-  event "MS-SQL/SMB xp_cmdshell program execution"
-  tcp-state established,originator
-  payload /.{31}.*[xX]\x00[pP]\x00_\x00[cC]\x00[mM]\x00[dD]\x00[sS]\x00[hH]\x00[eE]\x00[lL]\x00[lL]\x00/
-  }
-
-signature sid-689 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == sql_servers
-  dst-port == 139
-  event "MS-SQL/SMB xp_reg* registry access"
-  tcp-state established,originator
-  payload /.{31}[xX]\x00[pP]\x00_\x00[rR]\x00[eE]\x00[gG]\x00/
-  }
-
-signature sid-690 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == sql_servers
-  dst-port == 139
-  event "MS-SQL/SMB xp_printstatements possible buffer overflow"
-  tcp-state established,originator
-  payload /.{31}.*[xX]\x00[pP]\x00_\x00[pP]\x00[rR]\x00[iI]\x00[nN]\x00[tT]\x00[sS]\x00[tT]\x00[aA]\x00[tT]\x00[eE]\x00[mM]\x00[eE]\x00[nN]\x00[tT]\x00[sS]\x00/
-  }
-
-signature sid-692 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == sql_servers
-  dst-port == 139
-  event "MS-SQL/SMB shellcode attempt"
-  tcp-state established,originator
-  payload /.*\x39\x20\xd0\x00\x92\x01\xc2\x00\x52\x00\x55\x00\x39\x20\xec\x00/
-  }
-
-signature sid-694 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == sql_servers
-  dst-port == 139
-  event "MS-SQL/SMB shellcode attempt"
-  tcp-state established,originator
-  payload /.*\x48\x00\x25\x00\x78\x00\x77\x00\x90\x00\x90\x00\x90\x00\x90\x00\x90\x00\x33\x00\xc0\x00\x50\x00\x68\x00\x2e\x00/
-  }
-
-signature sid-695 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == sql_servers
-  dst-port == 139
-  event "MS-SQL/SMB xp_sprintf possible buffer overflow"
-  tcp-state established,originator
-  payload /.{31}.*[xX]\x00[pP]\x00_\x00[sS]\x00[pP]\x00[rR]\x00[iI]\x00[nN]\x00[tT]\x00[fF]\x00/
-  }
-
-signature sid-696 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == sql_servers
-  dst-port == 139
-  event "MS-SQL/SMB xp_showcolv possible buffer overflow"
-  tcp-state established,originator
-  payload /.{31}.*[xX]\x00[pP]\x00_\x00[sS]\x00[hH]\x00[oO]\x00[wW]\x00[cC]\x00[oO]\x00[lL]\x00[vV]\x00/
-  }
-
-signature sid-697 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == sql_servers
-  dst-port == 139
-  event "MS-SQL/SMB xp_peekqueue possible buffer overflow"
-  tcp-state established,originator
-  payload /.{31}.*[xX]\x00[pP]\x00_\x00[pP]\x00[eE]\x00[eE]\x00[kK]\x00[qQ]\x00[uU]\x00[eE]\x00[uU]\x00[eE]\x00/
-  }
-
-signature sid-698 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == sql_servers
-  dst-port == 139
-  event "MS-SQL/SMB xp_proxiedmetadata possible buffer overflow"
-  tcp-state established,originator
-  payload /.{31}.*[xX]\x00[pP]\x00_\x00[pP]\x00[rR]\x00[oO]\x00[xX]\x00[iI]\x00[eE]\x00[dD]\x00[mM]\x00[eE]\x00[tT]\x00[aA]\x00[dD]\x00[aA]\x00[tT]\x00[aA]\x00/
-  }
-
-signature sid-700 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == sql_servers
-  dst-port == 139
-  event "MS-SQL/SMB xp_updatecolvbm possible buffer overflow"
-  tcp-state established,originator
-  payload /.{31}.*[xX]\x00[pP]\x00_\x00[uU]\x00[pP]\x00[dD]\x00[aA]\x00[tT]\x00[eE]\x00[cC]\x00[oO]\x00[lL]\x00[vV]\x00[bB]\x00[mM]\x00/
-  }
-
-signature sid-673 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == sql_servers
-  dst-port == 1433
-  event "MS-SQL sp_start_job - program execution"
-  tcp-state established,originator
-  payload /.*[sS]\x00[pP]\x00_\x00[sS]\x00[tT]\x00[aA]\x00[rR]\x00[tT]\x00_\x00[jJ]\x00[oO]\x00[bB]\x00/
-  }
-
-signature sid-674 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == sql_servers
-  dst-port == 1433
-  event "MS-SQL xp_displayparamstmt possible buffer overflow"
-  tcp-state established,originator
-  payload /.*[xX]\x00[pP]\x00_\x00[dD]\x00[iI]\x00[sS]\x00[pP]\x00[lL]\x00[aA]\x00[yY]\x00[pP]\x00[aA]\x00[rR]\x00[aA]\x00[mM]\x00[sS]\x00[tT]\x00[mM]\x00[tT]/
-  }
-
-signature sid-675 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == sql_servers
-  dst-port == 1433
-  event "MS-SQL xp_setsqlsecurity possible buffer overflow"
-  tcp-state established,originator
-  payload /.*[xX]\x00[pP]\x00_\x00[sS]\x00[eE]\x00[tT]\x00[sS]\x00[qQ]\x00[lL]\x00[sS]\x00[eE]\x00[cC]\x00[uU]\x00[rR]\x00[iI]\x00[tT]\x00[yY]\x00/
-  }
-
-signature sid-682 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == sql_servers
-  dst-port == 1433
-  event "MS-SQL xp_enumresultset possible buffer overflow"
-  tcp-state established,originator
-  payload /.*[xX]\x00[pP]\x00_\x00[eE]\x00[nN]\x00[uU]\x00[mM]\x00[rR]\x00[eE]\x00[sS]\x00[uU]\x00[lL]\x00[tT]\x00[sS]\x00[eE]\x00[tT]\x00/
-  }
-
-signature sid-683 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == sql_servers
-  dst-port == 1433
-  event "MS-SQL sp_password - password change"
-  tcp-state established,originator
-  payload /.*[sS]\x00[pP]\x00_\x00[pP]\x00[aA]\x00[sS]\x00[sS]\x00[wW]\x00[oO]\x00[rR]\x00[dD]\x00/
-  }
-
-signature sid-684 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == sql_servers
-  dst-port == 1433
-  event "MS-SQL sp_delete_alert log file deletion"
-  tcp-state established,originator
-  payload /.*[sS]\x00[pP]\x00_\x00[dD]\x00[eE]\x00[lL]\x00[eE]\x00[tT]\x00[eE]\x00_\x00[aA]\x00[lL]\x00[eE]\x00[rR]\x00[tT]\x00/
-  }
-
-signature sid-685 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == sql_servers
-  dst-port == 1433
-  event "MS-SQL sp_adduser - database user creation"
-  tcp-state established,originator
-  payload /.*[sS]\x00[pP]\x00_\x00[aA]\x00[dD]\x00[dD]\x00[uU]\x00[sS]\x00[eE]\x00[rR]\x00/
-  }
-
-signature sid-686 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == sql_servers
-  dst-port == 1433
-  event "MS-SQL xp_reg* - registry access"
-  tcp-state established,originator
-  payload /.*[xX]\x00[pP]\x00_\x00[rR]\x00[eE]\x00[gG]\x00/
-  }
-
-signature sid-687 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == sql_servers
-  dst-port == 1433
-  event "MS-SQL xp_cmdshell - program execution"
-  tcp-state established,originator
-  payload /.*[xX]\x00[pP]\x00_\x00[cC]\x00[mM]\x00[dD]\x00[sS]\x00[hH]\x00[eE]\x00[lL]\x00[lL]\x00/
-  }
-
-signature sid-691 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == sql_servers
-  dst-port == 1433
-  event "MS-SQL shellcode attempt"
-  tcp-state established,originator
-  payload /.*\x39\x20\xd0\x00\x92\x01\xc2\x00\x52\x00\x55\x00\x39\x20\xec\x00/
-  }
-
-signature sid-693 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == sql_servers
-  dst-port == 1433
-  event "MS-SQL shellcode attempt"
-  tcp-state established,originator
-  payload /.*\x48\x00\x25\x00\x78\x00\x77\x00\x90\x00\x90\x00\x90\x00\x90\x00\x90\x00\x33\x00\xc0\x00\x50\x00\x68\x00\x2e\x00/
-  }
-
-signature sid-699 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == sql_servers
-  dst-port == 1433
-  event "MS-SQL xp_printstatements possible buffer overflow"
-  tcp-state established,originator
-  payload /.*[xX]\x00[pP]\x00_\x00[pP]\x00[rR]\x00[iI]\x00[nN]\x00[tT]\x00[sS]\x00[tT]\x00[aA]\x00[tT]\x00[eE]\x00[mM]\x00[eE]\x00[nN]\x00[tT]\x00[sS]\x00/
-  }
-
-signature sid-701 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == sql_servers
-  dst-port == 1433
-  event "MS-SQL xp_updatecolvbm possible buffer overflow"
-  tcp-state established,originator
-  payload /.*[xX]\x00[pP]\x00_\x00[uU]\x00[pP]\x00[dD]\x00[aA]\x00[tT]\x00[eE]\x00[cC]\x00[oO]\x00[lL]\x00[vV]\x00[bB]\x00[mM]\x00/
-  }
-
-signature sid-704 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == sql_servers
-  dst-port == 1433
-  event "MS-SQL xp_sprintf possible buffer overflow"
-  tcp-state established,originator
-  payload /.*[xX]\x00[pP]\x00_\x00[sS]\x00[pP]\x00[rR]\x00[iI]\x00[nN]\x00[tT]\x00[fF]\x00/
-  }
-
-signature sid-705 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == sql_servers
-  dst-port == 1433
-  event "MS-SQL xp_showcolv possible buffer overflow"
-  tcp-state established,originator
-  payload /.*[xX]\x00[pP]\x00_\x00[sS]\x00[hH]\x00[oO]\x00[wW]\x00[cC]\x00[oO]\x00[lL]\x00[vV]\x00/
-  }
-
-signature sid-706 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == sql_servers
-  dst-port == 1433
-  event "MS-SQL xp_peekqueue possible buffer overflow"
-  tcp-state established,originator
-  payload /.*[xX]\x00[pP]\x00_\x00[pP]\x00[eE]\x00[eE]\x00[kK]\x00[qQ]\x00[uU]\x00[eE]\x00[uU]\x00[eE]\x00/
-  }
-
-signature sid-707 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == sql_servers
-  dst-port == 1433
-  event "MS-SQL xp_proxiedmetadata possible buffer overflow"
-  tcp-state established,originator
-  payload /.*[xX]\x00[pP]\x00_\x00[pP]\x00[rR]\x00[oO]\x00[xX]\x00[iI]\x00[eE]\x00[dD]\x00[mM]\x00[eE]\x00[tT]\x00[aA]\x00[dD]\x00[aA]\x00[tT]\x00[aA]\x00/
-  }
-
-signature sid-1387 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == sql_servers
-  dst-port == 1433
-  event "MS-SQL raiserror possible buffer overflow"
-  tcp-state established,originator
-  payload /.*[rR]\x00[aA]\x00[iI]\x00[sS]\x00[eE]\x00[rR]\x00[rR]\x00[oO]\x00[rR]\x00/
-  }
-
-signature sid-1759 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == sql_servers
-  dst-port == 445
-  event "MS-SQL xp_cmdshell program execution (445)"
-  tcp-state established,originator
-  payload /.*[xX]\x00[pP]\x00_\x00[cC]\x00[mM]\x00[dD]\x00[sS]\x00[hH]\x00[eE]\x00[lL]\x00[lL]\x00/
-  }
-
-signature sid-688 {
-  ip-proto == tcp
-  src-ip == sql_servers
-  dst-ip != local_nets
-  src-port == 1433
-  event "MS-SQL sa login failed"
-  tcp-state established,responder
-  payload /.*Login failed for user \x27sa\x27/
-  }
-
-signature sid-680 {
-  ip-proto == tcp
-  src-ip == sql_servers
-  dst-ip != local_nets
-  src-port == 139
-  event "MS-SQL/SMB sa login failed"
-  tcp-state established,responder
-  payload /.{82}.*Login failed for user \x27sa\x27/
-  }
-
-signature sid-2003 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 1434
-  event "MS-SQL Worm propagation attempt"
-  payload /\x04/
-  payload /.*\x81\xF1\x03\x01\x04\x9B\x81\xF1\x01/
-  payload /.*sock/
-  payload /.*send/
-  }
-
-signature sid-2004 {
-  ip-proto == udp
-  src-ip == local_nets
-  dst-ip != local_nets
-  dst-port == 1434
-  event "MS-SQL Worm propagation attempt OUTBOUND"
-  payload /\x04/
-  payload /.*\x81\xF1\x03\x01\x04\x9B\x81\xF1/
-  payload /.*sock/
-  payload /.*send/
-  }
-
-signature sid-2049 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 1434
-  event "MS-SQL ping attempt"
-  payload /\x02/
-  }
-
-signature sid-2050 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 1434
-  payload-size > 100
-  event "MS-SQL version overflow attempt"
-  payload /\x04/
-  }
-
-signature sid-1225 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 6000
-  event "X11 MIT Magic Cookie detected"
-  tcp-state established
-  payload /.*MIT-MAGIC-COOKIE-1/
-  }
-
-signature sid-1226 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 6000
-  event "X11 xopen"
-  tcp-state established
-  payload /.*\x6c\x00\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00/
-  }
-
-signature sid-465 {
-  ip-proto == icmp
-  src-ip != local_nets
-  dst-ip == local_nets
-  header icmp[0:1] == 8
-  event "ICMP ISS Pinger"
-  payload /.{0,24}\x49\x53\x53\x50\x4e\x47\x52\x51/
-  }
-
-signature sid-466 {
-  ip-proto == icmp
-  src-ip != local_nets
-  dst-ip == local_nets
-  header icmp[1:1] == 0
-  header icmp[0:1] == 8
-  event "ICMP L3retriever Ping"
-  payload /ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI/
-  }
-
-signature sid-467 {
-  ip-proto == icmp
-  src-ip != local_nets
-  dst-ip == local_nets
-  payload-size == 20
-  header icmp[0:1] == 8
-  header icmp[0:1] == 0,8
-  header icmp[6:2] == 0
-  event "ICMP Nemesis v1.1 Echo"
-  header icmp[0:1] == 0,8
-  header icmp[4:2] == 0
-  payload /\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00/
-  }
-
-signature sid-469 {
-  ip-proto == icmp
-  src-ip != local_nets
-  dst-ip == local_nets
-  payload-size == 0
-  header icmp[0:1] == 8
-  event "ICMP PING NMAP"
-  }
-
-signature sid-471 {
-  ip-proto == icmp
-  src-ip != local_nets
-  dst-ip == local_nets
-  payload-size == 0
-  header icmp[0:1] == 8
-  header icmp[0:1] == 0,8
-  header icmp[6:2] == 0
-  event "ICMP icmpenum v1.1.1"
-  header ip[4:2] == 666
-  header icmp[0:1] == 0,8
-  header icmp[4:2] == 666
-  }
-
-signature sid-472 {
-  ip-proto == icmp
-  src-ip != local_nets
-  dst-ip == local_nets
-  header icmp[1:1] == 1
-  header icmp[0:1] == 5
-  event "ICMP redirect host"
-  }
-
-signature sid-473 {
-  ip-proto == icmp
-  src-ip != local_nets
-  dst-ip == local_nets
-  header icmp[1:1] == 0
-  header icmp[0:1] == 5
-  event "ICMP redirect net"
-  }
-
-signature sid-474 {
-  ip-proto == icmp
-  src-ip != local_nets
-  dst-ip == local_nets
-  payload-size == 8
-  header icmp[0:1] == 8
-  event "ICMP superscan echo"
-  payload /\x00\x00\x00\x00\x00\x00\x00\x00/
-  }
-
-signature sid-475 {
-  ip-proto == icmp
-  src-ip != local_nets
-  dst-ip == local_nets
-  header icmp[0:1] == 0
-  event "ICMP traceroute ipopts"
-  ip-options rr
-  }
-
-signature sid-476 {
-  ip-proto == icmp
-  src-ip != local_nets
-  dst-ip == local_nets
-  header icmp[1:1] == 0
-  header icmp[0:1] == 8
-  event "ICMP webtrends scanner"
-  payload /.*\x00\x00\x00\x00\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45/
-  }
-
-signature sid-477 {
-  ip-proto == icmp
-  src-ip != local_nets
-  dst-ip == local_nets
-  header icmp[1:1] == 0
-  header icmp[0:1] == 4
-  event "ICMP Source Quench"
-  }
-
-signature sid-478 {
-  ip-proto == icmp
-  src-ip != local_nets
-  dst-ip == local_nets
-  payload-size == 4
-  header icmp[0:1] == 8
-  header icmp[0:1] == 0,8
-  header icmp[6:2] == 0
-  event "ICMP Broadscan Smurf Scanner"
-  header icmp[0:1] == 0,8
-  header icmp[4:2] == 0
-  }
-
-signature sid-480 {
-  ip-proto == icmp
-  src-ip != local_nets
-  dst-ip == local_nets
-  header icmp[0:1] == 8
-  event "ICMP PING speedera"
-  payload /.{0,92}\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f/
-  }
-
-signature sid-481 {
-  ip-proto == icmp
-  src-ip != local_nets
-  dst-ip == local_nets
-  header icmp[0:1] == 8
-  event "ICMP TJPingPro1.1Build 2 Windows"
-  payload /.{0,16}\x54\x4a\x50\x69\x6e\x67\x50\x72\x6f\x20\x62\x79\x20\x4a\x69\x6d/
-  }
-
-signature sid-482 {
-  ip-proto == icmp
-  src-ip != local_nets
-  dst-ip == local_nets
-  header icmp[0:1] == 8
-  event "ICMP PING WhatsupGold Windows"
-  payload /.{0,16}\x57\x68\x61\x74\x73\x55\x70\x20\x2d\x20\x41\x20\x4e\x65\x74\x77/
-  }
-
-signature sid-483 {
-  ip-proto == icmp
-  src-ip != local_nets
-  dst-ip == local_nets
-  header icmp[0:1] == 8
-  event "ICMP PING CyberKit 2.2 Windows"
-  payload /.{0,16}\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa/
-  }
-
-signature sid-484 {
-  ip-proto == icmp
-  src-ip != local_nets
-  dst-ip == local_nets
-  header icmp[0:1] == 8
-  event "ICMP PING Sniffer Pro/NetXRay network scan"
-  payload /.{0,13}\x43\x69\x6e\x63\x6f\x20\x4e\x65\x74\x77\x6f\x72\x6b\x2c\x20\x49\x6e\x63\x2e/
-  }
-
-signature sid-485 {
-  ip-proto == icmp
-  header icmp[1:1] == 13
-  header icmp[0:1] == 3
-  event "ICMP Destination Unreachable (Communication Administratively Prohibited)"
-  }
-
-signature sid-486 {
-  ip-proto == icmp
-  header icmp[1:1] == 10
-  header icmp[0:1] == 3
-  event "ICMP Destination Unreachable (Communication with Destination Host is Administratively Prohibited)"
-  }
-
-signature sid-487 {
-  ip-proto == icmp
-  header icmp[1:1] == 9
-  header icmp[0:1] == 3
-  event "ICMP Destination Unreachable (Communication with Destination Network is Administratively Prohibited)"
-  }
-
-signature sid-1813 {
-  ip-proto == icmp
-  src-ip != local_nets
-  dst-ip == local_nets
-  event "ICMP digital island bandwidth query"
-  payload /mailto:ops@digisle\.com/
-  }
-
-signature sid-499 {
-  ip-proto == icmp
-  src-ip != local_nets
-  dst-ip == local_nets
-  payload-size > 800
-  event "ICMP Large ICMP Packet"
-  }
-
-signature sid-1293 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 139
-  event "NETBIOS nimda .eml"
-  tcp-state established,originator
-  payload /.*\x00\.\x00E\x00M\x00L/
-  }
-
-signature sid-1294 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 139
-  event "NETBIOS nimda .nws"
-  tcp-state established,originator
-  payload /.*\x00\.\x00N\x00W\x00S/
-  }
-
-signature sid-1295 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 139
-  event "NETBIOS nimda RICHED20.DLL"
-  tcp-state established,originator
-  payload /.*R\x00I\x00C\x00H\x00E\x00D\x002\x000/
-  }
-
-signature sid-529 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 139
-  event "NETBIOS DOS RFPoison"
-  tcp-state established,originator
-  payload /.*\x5C\x00\x5C\x00\x2A\x00\x53\x00\x4D\x00\x42\x00\x53\x00\x45\x00\x52\x00\x56\x00\x45\x00\x52\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\xFF\xFF\xFF\xFF\x00\x00\x00\x00/
-  }
-
-signature sid-530 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 139
-  event "NETBIOS NT NULL session"
-  tcp-state established,originator
-  payload /.*\x00\x00\x00\x00\x57\x00\x69\x00\x6E\x00\x64\x00\x6F\x00\x77\x00\x73\x00\x20\x00\x4E\x00\x54\x00\x20\x00\x31\x00\x33\x00\x38\x00\x31/
-  }
-
-signature sid-1239 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 139
-  event "NETBIOS RFParalyze Attempt"
-  tcp-state established,originator
-  payload /.*BEAVIS/
-  payload /.*yep yep/
-  }
-
-signature sid-532 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 139
-  event "NETBIOS SMB ADMIN$access"
-  tcp-state established,originator
-  payload /.*\\ADMIN\$\x00\x41\x3a\x00/
-  }
-
-signature sid-533 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 139
-  event "NETBIOS SMB C$ access"
-  tcp-state established,originator
-  payload /.*\x5cC\$\x00\x41\x3a\x00/
-  }
-
-signature sid-534 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 139
-  event "NETBIOS SMB CD.."
-  tcp-state established,originator
-  payload /.*\\\.\.\x2f\x00\x00\x00/
-  }
-
-signature sid-535 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 139
-  event "NETBIOS SMB CD..."
-  tcp-state established,originator
-  payload /.*\\\.\.\.\x00\x00\x00/
-  }
-
-signature sid-536 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 139
-  event "NETBIOS SMB D$access"
-  tcp-state established,originator
-  payload /.*\\D\$\x00\x41\x3a\x00/
-  }
-
-signature sid-537 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 139
-  event "NETBIOS SMB IPC$ share access"
-  tcp-state established,originator
-  payload /\x00/
-  payload /.{3}\xFFSMB\x75/
-  payload /.*\\[iI][pP][cC]\$\x00/
-  }
-
-signature sid-538 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 139
-  event "NETBIOS SMB IPC$ share access (unicode)"
-  tcp-state established,originator
-  payload /\x00/
-  payload /.{3}\xFFSMB\x75/
-  payload /.*\x5c\x00[iI]\x00[pP]\x00[cC]\x00\$\x00/
-  }
-
-signature sid-2101 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 139
-  event "NETBIOS SMB SMB_COM_TRANSACTION Max Parameter and Max Count of 0 DOS Attempt"
-  tcp-state established,originator
-  payload /\x00/
-  payload /.{3}\xFFSMB\x25/
-  payload /.{42}\x00\x00\x00\x00/
-  }
-
-signature sid-2103 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 139
-  # Not supported: byte_test: 2,>,1024,0,relative,little
-  event "NETBIOS SMB trans2open buffer overflow attempt"
-  tcp-state established,originator
-  payload /\x00/
-  payload /.{3}\xffSMB\x32/
-  payload /.{59}\x00\x14/
-  }
-
-signature sid-2174 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 139
-  event "NETBIOS SMB winreg access"
-  tcp-state established,originator
-  payload /\x00/
-  payload /.{3}\xFFSMB\xa2/
-  payload /.{84}.*\\[wW][iI][nN][rR][eE][gG]\x00/
-  }
-
-signature sid-2175 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 139
-  event "NETBIOS SMB winreg access (unicode)"
-  tcp-state established,originator
-  payload /\x00/
-  payload /.{3}\xFFSMB\xa2/
-  payload /.{84}.*\\\x00[wW]\x00[iI]\x00[nN]\x00[rR]\x00[eE]\x00[gG]\x00/
-  }
-
-signature sid-2176 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 139
-  event "NETBIOS SMB Startup Folder access attempt"
-  tcp-state established,originator
-  payload /\x00/
-  payload /.{3}\xFFSMB\x32/
-  payload /.*Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\x00/
-  }
-
-signature sid-2177 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 139
-  event "NETBIOS SMB Startup Folder access attempt (unicode)"
-  tcp-state established,originator
-  payload /\x00/
-  payload /.{3}\xFFSMB\x32/
-  payload /.*\\\x00S\x00t\x00a\x00r\x00t\x00 \x00M\x00e\x00n\x00u\x00\\\x00P\x00r\x00o\x00g\x00r\x00a\x00m\x00s\x00\\\x00S\x00t\x00a\x00r\x00t\x00u\x00p/
-  }
-
-signature sid-2190 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 135
-  # Not supported: byte_test: 1,&,1,0,relative
-  event "NETBIOS DCERPC invalid bind attempt"
-  tcp-state established,originator
-  payload /.{0}\x05.{1}\x0b.{21}\x00/
-  }
-
-signature sid-2191 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 445
-  # Not supported: byte_test: 1,&,1,0,relative
-  event "NETBIOS SMB DCERPC invalid bind attempt"
-  tcp-state established,originator
-  payload /.{3}\xFF[sS][mM][bB]\x25.{56}\x26\x00.{5}\x5c\x00[pP]\x00[iI]\x00[pP]\x00[eE]\x00\x5c\x00.{2}\x05.{1}\x0b.{21}\x00/
-  }
-
-signature sid-2192 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 135
-  # Not supported: byte_test: 1,&,1,0,relative
-  event "NETBIOS DCERPC ISystemActivator bind attempt"
-  tcp-state established,originator
-  payload /.{0}\x05.{1}\x0b.{29}\xA0\x01\x00\x00\x00\x00\x00\x00\xC0\x00\x00\x00\x00\x00\x00\x46/
-  }
-
-signature sid-2193 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 445
-  # Not supported: byte_test: 1,&,1,0,relative
-  event "NETBIOS SMB DCERPC ISystemActivator bind attempt"
-  tcp-state established,originator
-  payload /.{3}\xFF[sS][mM][bB]\x25.{56}\x26\x00.{5}\x5c\x00[pP]\x00[iI]\x00[pP]\x00[eE]\x00\x5c\x00.{0}\x05.{1}\x0b.{29}\xA0\x01\x00\x00\x00\x00\x00\x00\xC0\x00\x00\x00\x00\x00\x00\x46/
-  }
-
-signature sid-2251 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 135
-  # Not supported: byte_test: 1,&,1,0,relative
-  event "NETBIOS DCERPC Remote Activation bind attempt"
-  payload /.{0}\x05.{1}\x0b.{29}\xB8\x4A\x9F\x4D\x1C\x7D\xCF\x11\x86\x1E\x00\x20\xAF\x6E\x7C\x57/
-  }
-
-signature sid-2252 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 445
-  # Not supported: byte_test: 1,&,1,0,relative
-  event "NETBIOS SMB DCERPC Remote Activation bind attempt"
-  tcp-state established,originator
-  payload /.{3}\xFF[sS][mM][bB]\x25.{56}\x26\x00.{5}\x5c\x00[pP]\x00[iI]\x00[pP]\x00[eE]\x00\x5c\x00.{0}\x05.{1}\x0b.{29}\xB8\x4A\x9F\x4D\x1C\x7D\xCF\x11\x86\x1E\x00\x20\xAF\x6E\x7C\x57/
-  }
-
-signature sid-500 {
-  src-ip != local_nets
-  dst-ip == local_nets
-  event "MISC source route lssr"
-  ip-options lsrr
-  }
-
-signature sid-501 {
-  src-ip != local_nets
-  dst-ip == local_nets
-  event "MISC source route lssre"
-  ip-options lsrre
-  }
-
-signature sid-502 {
-  src-ip != local_nets
-  dst-ip == local_nets
-  event "MISC source route ssrr"
-  ip-options ssrr 
-  }
-
-signature sid-503 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  src-port == 20
-  dst-port >= 0
-  dst-port <= 1023
-  header tcp[13:1] & 255 == 2
-  event "MISC Source Port 20 to <1024"
-  }
-
-signature sid-504 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  src-port == 53
-  dst-port >= 0
-  dst-port <= 1023
-  header tcp[13:1] & 255 == 2
-  event "MISC source port 53 to <1024"
-  }
-
-signature sid-505 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 1417
-  event "MISC Insecure TIMBUKTU Password"
-  tcp-state established,originator
-  payload /.{0,13}\x05\x00\x3E/
-  }
-
-signature sid-507 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 5631
-  event "MISC PCAnywhere Attempted Administrator Login"
-  tcp-state established,originator
-  payload /.*ADMINISTRATOR/
-  }
-
-signature sid-508 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 70
-  event "MISC gopher proxy"
-  tcp-state established,originator
-  payload /.*[fF][tT][pP]\x3a/
-  payload /.*@\//
-  }
-
-signature sid-512 {
-  ip-proto == tcp
-  src-ip == local_nets
-  dst-ip != local_nets
-  src-port >= 5631
-  src-port <= 5632
-  event "MISC PCAnywhere Failed Login"
-  tcp-state established,responder
-  payload /.{0,3}Invalid login/
-  }
-
-signature sid-513 {
-  ip-proto == tcp
-  src-ip == local_nets
-  dst-ip != local_nets
-  src-port == 7161
-  header tcp[13:1] & 255 == 18
-  event "MISC Cisco Catalyst Remote Access"
-  }
-
-signature sid-514 {
-  ip-proto == tcp
-  src-ip == local_nets
-  dst-ip != local_nets
-  dst-port == 27374
-  event "MISC ramen worm"
-  tcp-state established,originator
-  payload /.{0,4}[gG][eE][tT] /
-  }
-
-signature sid-516 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 161
-  event "MISC SNMP NT UserList"
-  payload /.*\x2b\x06\x10\x40\x14\xd1\x02\x19/
-  }
-
-signature sid-517 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 177
-  event "MISC xdmcp query"
-  payload /.*\x00\x01\x00\x03\x00\x01\x00/
-  }
-
-signature sid-1867 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 177
-  event "MISC xdmcp info query"
-  payload /.*\x00\x01\x00\x02\x00\x01\x00/
-  }
-
-signature sid-522 {
-  src-ip != local_nets
-  dst-ip == local_nets
-  header ip[6:1] & 224 == 32
-  payload-size < 25
-  event "MISC Tiny Fragments"
-  }
-
-signature sid-1384 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 1900
-  event "MISC UPnP malformed advertisement"
-  payload /.*[nN][oO][tT][iI][fF][yY] \* /
-  }
-
-signature sid-1388 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 1900
-  event "MISC UPnP Location overflow"
-  payload /.*\x0d[lL][oO][cC][aA][tT][iI][oO][nN]\x3a[^\x0a]{128}/
-  }
-
-signature sid-1393 {
-  ip-proto == tcp
-  src-ip == aim_servers
-  dst-ip == local_nets
-  event "MISC AIM AddGame attempt"
-  tcp-state established,responder
-  payload /.*[aA][iI][mM]:[aA][dD][dD][gG][aA][mM][eE]\?/
-  }
-
-signature sid-1752 {
-  ip-proto == tcp
-  src-ip == aim_servers
-  dst-ip == local_nets
-  event "MISC AIM AddExternalApp attempt"
-  tcp-state established,responder
-  payload /.*[aA][iI][mM]:[aA][dD][dD][eE][xX][tT][eE][rR][nN][aA][lL][aA][pP][pP]\?/
-  }
-
-signature sid-1504 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 7001
-  event "MISC AFS access"
-  payload /.*\x00\x00\x03\xe7\x00\x00\x00\x00\x00\x00\x00\x65\x00\x00\x00\x00\x00\x00\x00\x00\x0d\x05\x00\x00\x00\x00\x00\x00\x00/
-  }
-
-signature sid-1636 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 32000
-  payload-size > 500
-  event "MISC Xtramail Username overflow attempt"
-  tcp-state established,originator
-  payload /.*[uU][sS][eE][rR][nN][aA][mM][eE]: /
-  }
-
-signature sid-1887 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == http_servers
-  dst-port == 443
-  event "MISC OpenSSL Worm traffic"
-  tcp-state established,originator
-  payload /.*[tT][eE][rR][mM]=[xX][tT][eE][rR][mM]/
-  }
-
-signature sid-1889 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == http_servers
-  src-port == 2002
-  dst-port == 2002
-  event "MISC slapper worm admin traffic"
-  payload /\x00\x00\x45\x00\x00\x45\x00\x00\x40\x00/
-  }
-
-signature sid-1447 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 3389
-  event "MISC MS Terminal server request (RDP)"
-  tcp-state established,originator
-  payload /\x03\x00\x00\x0b\x06\xE0\x00\x00\x00\x00\x00/
-  }
-
-signature sid-1448 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 3389
-  event "MISC MS Terminal server request"
-  tcp-state established,originator
-  payload /\x03\x00\x00/
-  payload /.{4}\xe0\x00\x00\x00\x00\x00/
-  }
-
-signature sid-1819 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 2533
-  event "MISC Alcatel PABX 4400 connection attempt"
-  tcp-state established,originator
-  payload /\x00\x01\x43/
-  }
-
-signature sid-1939 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 67
-  # Not supported: byte_test: 1,>,6,2
-  event "MISC bootp hardware address length overflow"
-  payload /\x01/
-  }
-
-signature sid-1940 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 67
-  # Not supported: byte_test: 1,>,7,1
-  event "MISC bootp invalid hardware type"
-  payload /\x01/
-  }
-
-signature sid-2039 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 67
-  event "MISC bootp hostname format string attempt"
-  payload /\x01.{240}.*\x0C.*.{0}.*%.{1}.{0,7}%.{1}.{0,7}%/
-  }
-
-signature sid-1966 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 27155
-  event "MISC GlobalSunTech Access Point Information Disclosure attempt"
-  payload /.*gstsearch/
-  }
-
-signature sid-1987 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 7100
-  payload-size > 512
-  event "MISC xfs overflow attempt"
-  tcp-state established,originator
-  payload /\x42\x00\x02/
-  }
-
-signature sid-2041 {
-  ip-proto == udp
-  src-ip == local_nets
-  dst-ip != local_nets
-  src-port == 49
-  event "MISC xtacacs failed login response"
-  payload /\x80\x02.{4}.*\x02/
-  }
-
-signature sid-2043 {
-  ip-proto == udp
-  src-ip == local_nets
-  dst-ip != local_nets
-  src-port == 500
-  dst-port == 500
-  event "MISC isakmp login failed"
-  payload /.{16}\x10\x05.{13}\x00\x00\x00\x01\x01\x00\x00\x18/
-  }
-
-signature sid-2047 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 873
-  event "MISC rsyncd module list access"
-  tcp-state established,originator
-  payload /\x23list/
-  }
-
-signature sid-2048 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 873
-  # Not supported: byte_test: 2,>,4000,0
-  event "MISC rsyncd overflow attempt"
-  tcp-state originator
-  payload /.{1}\x00\x00/
-  }
-
-signature sid-2008 {
-  ip-proto == tcp
-  src-ip == local_nets
-  dst-ip != local_nets
-  src-port == 2401
-  event "MISC CVS invalid user authentication response"
-  tcp-state established,responder
-  payload /.*E Fatal error, aborting\./
-  payload /.*\x3a no such user/
-  }
-
-signature sid-2009 {
-  ip-proto == tcp
-  src-ip == local_nets
-  dst-ip != local_nets
-  src-port == 2401
-  event "MISC CVS invalid repository response"
-  tcp-state established,responder
-  payload /.*error /
-  payload /.*: no such repository/
-  payload /.*I HATE YOU/
-  }
-
-signature sid-2010 {
-  ip-proto == tcp
-  src-ip == local_nets
-  dst-ip != local_nets
-  src-port == 2401
-  event "MISC CVS double free exploit attempt response"
-  tcp-state established,responder
-  payload /.*free\(\): warning: chunk is already free/
-  }
-
-signature sid-2011 {
-  ip-proto == tcp
-  src-ip == local_nets
-  dst-ip != local_nets
-  src-port == 2401
-  event "MISC CVS invalid directory response"
-  tcp-state established,responder
-  payload /.*E protocol error: invalid directory syntax in/
-  }
-
-signature sid-2012 {
-  ip-proto == tcp
-  src-ip == local_nets
-  dst-ip != local_nets
-  src-port == 2401
-  event "MISC CVS missing cvsroot response"
-  tcp-state established,responder
-  payload /.*E protocol error: Root request missing/
-  }
-
-signature sid-2013 {
-  ip-proto == tcp
-  src-ip == local_nets
-  dst-ip != local_nets
-  src-port == 2401
-  event "MISC CVS invalid module response"
-  tcp-state established,responder
-  payload /.*cvs server: cannot find module.{1}.*error/
-  }
-
-signature sid-2126 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 1723
-  payload-size > 156
-  event "MISC Microsoft PPTP Start Control Request buffer overflow attempt"
-  tcp-state established,originator
-  payload /.{1}\x00\x01/
-  payload /.{7}\x00\x01/
-  }
-
-signature sid-2158-a {
-  ip-proto == tcp
-  src-port == 179
-  # Not supported: byte_test: 2,<,19,0,relative
-  event "MISC BGP invalid length"
-  payload /.*\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff/
-  }
-
-signature sid-2158-b {
-  ip-proto == tcp
-  dst-port == 179
-  # Not supported: byte_test: 2,<,19,0,relative
-  event "MISC BGP invalid length"
-  payload /.*\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff/
-  }
-
-signature sid-2159-a {
-  ip-proto == tcp
-  src-ip == local_nets
-  dst-ip != local_nets
-  src-port == 179
-  event "MISC BGP invalid type (0)"
-  tcp-state established
-  payload /\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff.{2}\x00/
-  }
-
-signature sid-2159-b {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 179
-  event "MISC BGP invalid type (0)"
-  tcp-state established
-  payload /\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff.{2}\x00/
-  }
-
-signature sid-1292 {
-  ip-proto == tcp
-  src-ip == local_nets
-  dst-ip != local_nets
-  event "ATTACK-RESPONSES directory listing"
-  tcp-state established,responder
-  payload /.*Volume Serial Number/
-  }
-
-signature sid-494 {
-  ip-proto == tcp
-  src-ip == http_servers
-  dst-ip != local_nets
-  src-port == http_ports
-  event "ATTACK-RESPONSES command completed"
-  tcp-state established,responder
-  payload /.*[cC][oO][mM][mM][aA][nN][dD] [cC][oO][mM][pP][lL][eE][tT][eE][dD]/
-  }
-
-signature sid-495 {
-  ip-proto == tcp
-  src-ip == http_servers
-  dst-ip != local_nets
-  src-port == http_ports
-  event "ATTACK-RESPONSES command error"
-  tcp-state established,responder
-  payload /.*[bB][aA][dD] [cC][oO][mM][mM][aA][nN][dD] [oO][rR] [fF][iI][lL][eE][nN][aA][mM][eE]/
-  }
-
-signature sid-497 {
-  ip-proto == tcp
-  src-ip == http_servers
-  dst-ip != local_nets
-  src-port == http_ports
-  event "ATTACK-RESPONSES file copied ok"
-  tcp-state established,responder
-  payload /.*1 [fF][iI][lL][eE]\([sS]\) [cC][oO][pP][iI][eE][dD]/
-  }
-
-signature sid-1200 {
-  ip-proto == tcp
-  src-ip == http_servers
-  dst-ip != local_nets
-  src-port == http_ports
-  event "ATTACK-RESPONSES Invalid URL"
-  tcp-state established,responder
-  payload /.*[iI][nN][vV][aA][lL][iI][dD] [uU][rR][lL]/
-  }
-
-signature sid-1666 {
-  ip-proto == tcp
-  src-ip == http_servers
-  dst-ip != local_nets
-  src-port == http_ports
-  event "ATTACK-RESPONSES index of /cgi-bin/ response"
-  tcp-state established,responder
-  payload /.*[iI][nN][dD][eE][xX] [oO][fF] \/[cC][gG][iI]-[bB][iI][nN]\//
-  }
-
-signature sid-1201 {
-  ip-proto == tcp
-  src-ip == http_servers
-  dst-ip != local_nets
-  src-port == http_ports
-  event "ATTACK-RESPONSES 403 Forbidden"
-  tcp-state established,responder
-  payload /HTTP\/1\.1 403/
-  }
-
-signature sid-498 {
-  event "ATTACK-RESPONSES id check returned root"
-  payload /.*uid=0\(root\)/
-  }
-
-signature sid-1882 {
-  src-ip == local_nets
-  dst-ip != local_nets
-  # Not supported: byte_test: 5,<,65537,0,relative,string,5,<,65537,0,relative,string
-  event "ATTACK-RESPONSES id check returned userid"
-  payload /.*uid=.{0}.{0,10} gid=/
-  }
-
-signature sid-1464 {
-  ip-proto == tcp
-  src-ip == local_nets
-  dst-ip != local_nets
-  src-port == 8002
-  event "ATTACK-RESPONSES oracle one hour install"
-  tcp-state established,responder
-  payload /.*Oracle Applications One-Hour Install/
-  }
-
-signature sid-1900 {
-  ip-proto == tcp
-  src-ip == local_nets
-  dst-ip != local_nets
-  src-port == 749
-  event "ATTACK-RESPONSES successful kadmind buffer overflow attempt"
-  tcp-state established,responder
-  payload /\*GOBBLE\*/
-  }
-
-signature sid-1901 {
-  ip-proto == tcp
-  src-ip == local_nets
-  dst-ip != local_nets
-  src-port == 751
-  event "ATTACK-RESPONSES successful kadmind buffer overflow attempt"
-  tcp-state established,responder
-  payload /\*GOBBLE\*/
-  }
-
-signature sid-1810 {
-  ip-proto == tcp
-  src-ip == local_nets
-  dst-ip != local_nets
-  src-port == 22
-  event "ATTACK-RESPONSES successful gobbles ssh exploit (GOBBLE)"
-  tcp-state established,responder
-  payload /.*\x2aGOBBLE\x2a/
-  }
-
-signature sid-1811 {
-  ip-proto == tcp
-  src-ip == local_nets
-  dst-ip != local_nets
-  src-port == 22
-  event "ATTACK-RESPONSES successful gobbles ssh exploit (uname)"
-  tcp-state established,responder
-  payload /.*uname/
-  }
-
-signature sid-2104 {
-  ip-proto == tcp
-  src-ip == local_nets
-  dst-ip != local_nets
-  src-port == 512
-  event "ATTACK-RESPONSES rexec username too long response"
-  tcp-state established,responder
-  payload /username too long/
-  }
-
-signature sid-2123 {
-  ip-proto == tcp
-  src-ip == local_nets
-  dst-ip != local_nets
-  src-port < 21
-  src-port > 23
-  event "ATTACK-RESPONSES Microsoft cmd.exe banner"
-  tcp-state established,responder
-  payload /.*Microsoft Windows.*.{0}.*\(C\) Copyright 1985-.*.{0}.*Microsoft Corp\./
-  }
-
-signature sid-1673 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == sql_servers
-  dst-port == oracle_ports
-  event "ORACLE EXECUTE_SYSTEM attempt"
-  tcp-state established,originator
-  payload /.*[eE][xX][eE][cC][uU][tT][eE]_[sS][yY][sS][tT][eE][mM]/
-  }
-
-signature sid-1674 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == sql_servers
-  dst-port == oracle_ports
-  event "ORACLE connect_data(command=version) attempt"
-  tcp-state established,originator
-  payload /.*[cC][oO][nN][nN][eE][cC][tT]_[dD][aA][tT][aA]\([cC][oO][mM][mM][aA][nN][dD]=[vV][eE][rR][sS][iI][oO][nN]\)/
-  }
-
-signature sid-1675 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == sql_servers
-  dst-port == oracle_ports
-  event "ORACLE misparsed login response"
-  tcp-state established,responder
-  payload /.*[dD][eE][sS][cC][rR][iI][pP][tT][iI][oO][nN]=\(/
-  payload /.*<willnevermatch>/
-  payload /.*<willnevermatch>/
-  }
-
-signature sid-1676 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == sql_servers
-  dst-port == oracle_ports
-  event "ORACLE select union attempt"
-  tcp-state established,originator
-  payload /.*[sS][eE][lL][eE][cC][tT] /
-  payload /.* [uU][nN][iI][oO][nN] /
-  }
-
-signature sid-1677 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == sql_servers
-  dst-port == oracle_ports
-  event "ORACLE select like '%' attempt"
-  tcp-state established,originator
-  payload /.* [wW][hH][eE][rR][eE] /
-  payload /.* [lL][iI][kK][eE] '%'/
-  }
-
-signature sid-1678 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == sql_servers
-  dst-port == oracle_ports
-  event "ORACLE select like \"%\" attempt"
-  tcp-state established,originator
-  payload /.* [wW][hH][eE][rR][eE] /
-  payload /.* [lL][iI][kK][eE] \"%\"/
-  }
-
-signature sid-1679 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == sql_servers
-  dst-port == oracle_ports
-  event "ORACLE describe attempt"
-  tcp-state established,originator
-  payload /.*[dD][eE][sS][cC][rR][iI][bB][eE] /
-  }
-
-signature sid-1680 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == sql_servers
-  dst-port == oracle_ports
-  event "ORACLE all_constraints access"
-  tcp-state established,originator
-  payload /.*[aA][lL][lL]_[cC][oO][nN][sS][tT][rR][aA][iI][nN][tT][sS]/
-  }
-
-signature sid-1681 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == sql_servers
-  dst-port == oracle_ports
-  event "ORACLE all_views access"
-  tcp-state established,originator
-  payload /.*[aA][lL][lL]_[vV][iI][eE][wW][sS]/
-  }
-
-signature sid-1682 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == sql_servers
-  dst-port == oracle_ports
-  event "ORACLE all_source access"
-  tcp-state established,originator
-  payload /.*[aA][lL][lL]_[sS][oO][uU][rR][cC][eE]/
-  }
-
-signature sid-1683 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == sql_servers
-  dst-port == oracle_ports
-  event "ORACLE all_tables access"
-  tcp-state established,originator
-  payload /.*[aA][lL][lL]_[tT][aA][bB][lL][eE][sS]/
-  }
-
-signature sid-1684 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == sql_servers
-  dst-port == oracle_ports
-  event "ORACLE all_tab_columns access"
-  tcp-state established,originator
-  payload /.*[aA][lL][lL]_[tT][aA][bB]_[cC][oO][lL][uU][mM][nN][sS]/
-  }
-
-signature sid-1685 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == sql_servers
-  dst-port == oracle_ports
-  event "ORACLE all_tab_privs access"
-  tcp-state established,originator
-  payload /.*[aA][lL][lL]_[tT][aA][bB]_[cC][oO][lL][uU][mM][nN][sS]/
-  }
-
-signature sid-1686 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == sql_servers
-  dst-port == oracle_ports
-  event "ORACLE dba_tablespace access"
-  tcp-state established,originator
-  payload /.*[dD][bB][aA]_[tT][aA][bB][lL][eE][sS][pP][aA][cC][eE]/
-  }
-
-signature sid-1687 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == sql_servers
-  dst-port == oracle_ports
-  event "ORACLE dba_tables access"
-  tcp-state established,originator
-  payload /.*[dD][bB][aA]_[tT][aA][bB][lL][eE][sS]/
-  }
-
-signature sid-1688 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == sql_servers
-  dst-port == oracle_ports
-  event "ORACLE user_tablespace access"
-  tcp-state established,originator
-  payload /.*[uU][sS][eE][rR]_[tT][aA][bB][lL][eE][sS][pP][aA][cC][eE]/
-  }
-
-signature sid-1689 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == sql_servers
-  dst-port == oracle_ports
-  event "ORACLE sys.all_users access"
-  tcp-state established,originator
-  payload /.*[sS][yY][sS]\.[aA][lL][lL]_[uU][sS][eE][rR][sS]/
-  }
-
-signature sid-1690 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == sql_servers
-  dst-port == oracle_ports
-  event "ORACLE grant attempt"
-  tcp-state established,originator
-  payload /.*[gG][rR][aA][nN][tT] /
-  payload /.* [tT][oO] /
-  }
-
-signature sid-1691 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == sql_servers
-  dst-port == oracle_ports
-  event "ORACLE ALTER USER attempt"
-  tcp-state established,originator
-  payload /.*[aA][lL][tT][eE][rR] [uU][sS][eE][rR]/
-  payload /.* [iI][dD][eE][nN][tT][iI][fF][iI][eE][dD] [bB][yY] /
-  }
-
-signature sid-1692 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == sql_servers
-  dst-port == oracle_ports
-  event "ORACLE drop table attempt"
-  tcp-state established,originator
-  payload /.*[dD][rR][oO][pP] [tT][aA][bB][lL][eE]/
-  }
-
-signature sid-1693 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == sql_servers
-  dst-port == oracle_ports
-  event "ORACLE create table attempt"
-  tcp-state established,originator
-  payload /.*[cC][rR][eE][aA][tT][eE] [tT][aA][bB][lL][eE]/
-  }
-
-signature sid-1694 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == sql_servers
-  dst-port == oracle_ports
-  event "ORACLE alter table attempt"
-  tcp-state established,originator
-  payload /.*[aA][lL][tT][eE][rR] [tT][aA][bB][lL][eE]/
-  }
-
-signature sid-1695 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == sql_servers
-  dst-port == oracle_ports
-  event "ORACLE truncate table attempt"
-  tcp-state established,originator
-  payload /.*[tT][rR][uU][nN][cC][aA][tT][eE] [tT][aA][bB][lL][eE]/
-  }
-
-signature sid-1696 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == sql_servers
-  dst-port == oracle_ports
-  event "ORACLE create database attempt"
-  tcp-state established,originator
-  payload /.*[cC][rR][eE][aA][tT][eE] [dD][aA][tT][aA][bB][aA][sS][eE]/
-  }
-
-signature sid-1697 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == sql_servers
-  dst-port == oracle_ports
-  event "ORACLE alter database attempt"
-  tcp-state established,originator
-  payload /.*[aA][lL][tT][eE][rR] [dD][aA][tT][aA][bB][aA][sS][eE]/
-  }
-
-signature sid-1775 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == sql_servers
-  dst-port == 3306
-  event "MYSQL root login attempt"
-  tcp-state established,originator
-  payload /.*\x0A\x00\x00\x01\x85\x04\x00\x00\x80\x72\x6F\x6F\x74\x00/
-  }
-
-signature sid-1776 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == sql_servers
-  dst-port == 3306
-  event "MYSQL show databases attempt"
-  tcp-state established,originator
-  payload /.*\x0f\x00\x00\x00\x03show databases/
-  }
-
-signature sid-1893 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 161
-  event "SNMP missing community string attempt"
-  payload /.{4}.{0,8}\x04\x00/
-  }
-
-signature sid-1892 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 161
-  event "SNMP null community string attempt"
-  payload /.{4}.{0,7}\x04\x01\x00/
-  }
-
-signature sid-1409 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port >= 161
-  dst-port <= 162
-  event "SNMP community string buffer overflow attempt"
-  payload /.{3}.*\x02\x01\x00\x04\x82\x01\x00/
-  }
-
-signature sid-1422 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port >= 161
-  dst-port <= 162
-  event "SNMP community string buffer overflow attempt (with evasion)"
-  payload /.{6} \x04\x82\x01\x00/
-  }
-
-signature sid-1411 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 161
-  event "SNMP public access udp"
-  payload /.*public/
-  }
-
-signature sid-1412 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 161
-  event "SNMP public access tcp"
-  tcp-state established,originator
-  payload /.*public/
-  }
-
-signature sid-1413 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 161
-  event "SNMP private access udp"
-  payload /.*private/
-  }
-
-signature sid-1414 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 161
-  event "SNMP private access tcp"
-  tcp-state established,originator
-  payload /.*private/
-  }
-
-signature sid-1415 {
-  ip-proto == udp
-  dst-ip == 255.255.255.255
-  dst-port == 161
-  event "SNMP Broadcast request"
-  }
-
-signature sid-1416 {
-  ip-proto == udp
-  dst-ip == 255.255.255.255
-  dst-port == 162
-  event "SNMP broadcast trap"
-  }
-
-signature sid-1417 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 161
-  event "SNMP request udp"
-  }
-
-signature sid-1418 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 161
-  event "SNMP request tcp"
-  }
-
-signature sid-1419 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 162
-  event "SNMP trap udp"
-  }
-
-signature sid-1420 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 162
-  event "SNMP trap tcp"
-  }
-
-signature sid-1421 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 705
-  event "SNMP AgentX/tcp request"
-  }
-
-signature sid-1426 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 161
-  event "SNMP PROTOS test-suite-req-app attempt"
-  payload /.*\x30\x26\x02\x01\x00\x04\x06\x70\x75\x62\x6C\x69\x63\xA0\x19\x02\x01\x00\x02\x01\x00\x02\x01\x00\x30\x0E\x30\x0C\x06\x08\x2B\x06\x01\x02\x01\x01\x05\x00\x05\x00/
-  }
-
-signature sid-1427 {
-  ip-proto == udp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 162
-  event "SNMP PROTOS test-suite-trap-app attempt"
-  payload /.*\x30\x38\x02\x01\x00\x04\x06\x70\x75\x62\x6C\x69\x63\xA4\x2B\x06/
-  }
-
-signature sid-655 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == smtp_servers
-  src-port == 113
-  dst-port == 25
-  event "SMTP sendmail 8.6.9 exploit"
-  tcp-state established,originator
-  payload /.*\x0aD\//
-  }
-
-signature sid-658 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == smtp_servers
-  dst-port == 25
-  event "SMTP exchange mime DOS"
-  tcp-state established,originator
-  payload /.*charset = \x22\x22/
-  }
-
-signature sid-659 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == smtp_servers
-  dst-port == 25
-  event "SMTP expn decode"
-  tcp-state established,originator
-  payload /.*[eE][xX][pP][nN] [dD][eE][cC][oO][dD][eE]/
-  }
-
-signature sid-660 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == smtp_servers
-  dst-port == 25
-  event "SMTP expn root"
-  tcp-state established,originator
-  payload /.*[eE][xX][pP][nN] [rR][oO][oO][tT]/
-  }
-
-signature sid-1450 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == smtp_servers
-  dst-port == 25
-  event "SMTP expn *@"
-  tcp-state established,originator
-  payload /.*[eE][xX][pP][nN] \*@/
-  }
-
-signature sid-661 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == smtp_servers
-  dst-port == 25
-  event "SMTP majordomo ifs"
-  tcp-state established,originator
-  payload /.*eply-to\x3a a~\.`\/bin\//
-  }
-
-signature sid-662 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == smtp_servers
-  dst-port == 25
-  event "SMTP sendmail 5.5.5 exploit"
-  tcp-state established,originator
-  payload /.*[mM][aA][iI][lL] [fF][rR][oO][mM]\x3a\x20\x22\x7c/
-  }
-
-signature sid-663 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == smtp_servers
-  dst-port == 25
-  event "SMTP rcpt to sed command attempt"
-  tcp-state established,originator
-  payload /.*[rR][cC][pP][tT] [tT][oO]:.*.{0}.*\|.*.{0}.*sed /
-  }
-
-signature sid-664 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == smtp_servers
-  dst-port == 25
-  event "SMTP RCPT TO decode attempt"
-  tcp-state established,originator
-  payload /.*[rR][cC][pP][tT] [tT][oO]\x3a [dD][eE][cC][oO][dD][eE]/
-  }
-
-signature sid-665 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == smtp_servers
-  dst-port == 25
-  event "SMTP sendmail 5.6.5 exploit"
-  tcp-state established,originator
-  payload /.*[mM][aA][iI][lL] [fF][rR][oO][mM]\x3a\x20\x7c\/[uU][sS][rR]\/[uU][cC][bB]\/[tT][aA][iI][lL]/
-  }
-
-signature sid-667 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == smtp_servers
-  dst-port == 25
-  event "SMTP sendmail 8.6.10 exploit"
-  tcp-state established,originator
-  payload /.*Croot\x0d\x0aMprog, P=\/bin\//
-  }
-
-signature sid-668 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == smtp_servers
-  dst-port == 25
-  event "SMTP sendmail 8.6.10 exploit"
-  tcp-state established,originator
-  payload /.*Croot\x09\x09\x09\x09\x09\x09\x09Mprog,P=\/bin/
-  }
-
-signature sid-669 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == smtp_servers
-  dst-port == 25
-  event "SMTP sendmail 8.6.9 exploit"
-  tcp-state established,originator
-  payload /.*\x0aCroot\x0aMprog/
-  }
-
-signature sid-670 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == smtp_servers
-  dst-port == 25
-  event "SMTP sendmail 8.6.9 exploit"
-  tcp-state established,originator
-  payload /.*\x0aC\x3adaemon\x0aR/
-  }
-
-signature sid-671 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == smtp_servers
-  dst-port == 25
-  event "SMTP sendmail 8.6.9c exploit"
-  tcp-state established,originator
-  payload /.*\x0aCroot\x0d\x0aMprog/
-  }
-
-signature sid-672 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == smtp_servers
-  dst-port == 25
-  event "SMTP vrfy decode"
-  tcp-state established,originator
-  payload /.*[vV][rR][fF][yY] [dD][eE][cC][oO][dD][eE]/
-  }
-
-signature sid-1446 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == smtp_servers
-  dst-port == 25
-  event "SMTP vrfy root"
-  tcp-state established,originator
-  payload /.*[vV][rR][fF][yY] [rR][oO][oO][tT]/
-  }
-
-signature sid-631 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == smtp_servers
-  dst-port == 25
-  event "SMTP ehlo cybercop attempt"
-  tcp-state established,originator
-  payload /.*ehlo cybercop\x0aquit\x0a/
-  }
-
-signature sid-632 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == smtp_servers
-  dst-port == 25
-  event "SMTP expn cybercop attempt"
-  tcp-state established,originator
-  payload /.*expn cybercop/
-  }
-
-signature sid-1549 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == smtp_servers
-  dst-port == 25
-  event "SMTP HELO overflow attempt"
-  tcp-state established,originator
-  payload /HELO [^\x0a]{500}/
-  }
-
-signature sid-1550 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == smtp_servers
-  dst-port == 25
-  event "SMTP ETRN overflow attempt"
-  tcp-state established,originator
-  payload /ETRN [^\x0A]{500}/
-  }
-
-signature sid-2087 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == smtp_servers
-  dst-port == 25
-  event "SMTP From comment overflow attempt"
-  tcp-state established,originator
-  payload /.*From:.*.{0}.*<><><><><><><><><><><><><><><><><><><><><><>.{1}.*\(.{1}.*\)/
-  }
-
-signature sid-2183 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == smtp_servers
-  dst-port == 25
-  # Not supported: byte_test: 1,<,256,100,relative
-  event "SMTP Content-Transfer-Encoding overflow attempt"
-  tcp-state established,originator
-  payload /.*Content-Transfer-Encoding:[^\x0a]{100}/
-  }
-
-signature sid-1993 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 143
-  # Not supported: byte_test: 5,>,256,0,string,dec,relative
-  event "IMAP login literal buffer overflow attempt"
-  tcp-state established,originator
-  payload /.* LOGIN .*.{0}.* \{/
-  }
-
-signature sid-1842 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 143
-  event "IMAP login buffer overflow attempt"
-  tcp-state established,originator
-  payload /.* LOGIN [^\x0a]{100}/
-  }
-
-signature sid-2105 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 143
-  # Not supported: byte_test: 5,>,256,0,string,dec,relative
-  event "IMAP authenticate literal overflow attempt"
-  tcp-state established,originator
-  payload /.* [aA][uU][tT][hH][eE][nN][tT][iI][cC][aA][tT][eE] .*.{0}.*\{/
-  }
-
-signature sid-1844 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 143
-  event "IMAP authenticate overflow attempt"
-  tcp-state established,originator
-  payload /.* [aA][uU][tT][hH][eE][nN][tT][iI][cC][aA][tT][eE] [^\x0a]{100}/
-  }
-
-signature sid-1930 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 143
-  # Not supported: byte_test: 5,>,256,0,string,dec,relative
-  event "IMAP auth overflow attempt"
-  tcp-state established,originator
-  payload /.* [aA][uU][tT][hH]/
-  payload /.*\{/
-  }
-
-signature sid-1902 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 143
-  # Not supported: byte_test: 5,>,256,0,string,dec,relative
-  event "IMAP lsub literal overflow attempt"
-  payload /.* LSUB \x22.*.{0}.*\x22 \{/
-  }
-
-signature sid-2106 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 143
-  event "IMAP lsub overflow attempt"
-  payload /.* LSUB [^\x0a]{100}/
-  }
-
-signature sid-1845 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 143
-  # Not supported: byte_test: 5,>,256,0,string,dec,relative
-  event "IMAP list literal overflow attempt"
-  tcp-state established,originator
-  payload /.* LIST \x22.*.{0}.*\x22 \{/
-  }
-
-signature sid-2118 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 143
-  event "IMAP list overflow attempt"
-  tcp-state established,originator
-  payload /.* [lL][iI][sS][tT] [^\x0a]{100}/
-  }
-
-signature sid-2119 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 143
-  # Not supported: byte_test: 5,>,256,0,string,dec,relative
-  event "IMAP rename literal overflow attempt"
-  tcp-state established,originator
-  payload /.* RENAME \x22.*.{0}.*\x22 \{/
-  }
-
-signature sid-1903 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 143
-  event "IMAP rename overflow attempt"
-  tcp-state established,originator
-  payload /.* [rR][eE][nN][aA][mM][eE] [^\x0a]{1024}/
-  }
-
-signature sid-1904 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 143
-  event "IMAP find overflow attempt"
-  tcp-state established,originator
-  payload /.* [fF][iI][nN][dD] [^\x0a]{1024}/
-  }
-
-signature sid-1755 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 143
-  event "IMAP partial body buffer overflow attempt"
-  tcp-state established,originator
-  payload /.* PARTIAL /
-  payload /.* BODY\[[^\]]{1024}/
-  }
-
-signature sid-2046 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 143
-  event "IMAP partial body.peek buffer overflow attempt"
-  tcp-state established,originator
-  payload /.* PARTIAL /
-  payload /.* BODY\.PEEK\[[^\]]{1024}/
-  }
-
-signature sid-2107 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 143
-  event "IMAP create buffer overflow attempt"
-  tcp-state established,originator
-  payload /.* CREATE [^\x0a]{1024}/
-  }
-
-signature sid-2120 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 143
-  # Not supported: byte_test: 5,>,256,0,string,dec,relative
-  event "IMAP create literal buffer overflow attempt"
-  tcp-state established,originator
-  payload /.* CREATE.*.{0}.* \{/
-  }
-
-signature sid-1934 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 109
-  event "POP2 FOLD overflow attempt"
-  tcp-state established,originator
-  payload /.*FOLD [^\x0A]{256}/
-  }
-
-signature sid-1935 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 109
-  event "POP2 FOLD arbitrary file attempt"
-  tcp-state established,originator
-  payload /.*FOLD \//
-  }
-
-signature sid-284 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 109
-  event "POP2 x86 Linux overflow"
-  tcp-state established,originator
-  payload /.*\xeb\x2c\x5b\x89\xd9\x80\xc1\x06\x39\xd9\x7c\x07\x80\x01/
-  }
-
-signature sid-285 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 109
-  event "POP2 x86 Linux overflow"
-  tcp-state established,originator
-  payload /.*\xff\xff\xff\x2f\x42\x49\x4e\x2f\x53\x48\x00/
-  }
-
-signature sid-2121 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 110
-  # Not supported: byte_test: 1,>,0,0,relative,string
-  event "POP3 DELE negative arguement attempt"
-  payload /[dD][eE][lL][eE].{1}.*-/
-  }
-
-signature sid-2122 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 110
-  # Not supported: byte_test: 1,>,0,0,relative,string
-  event "POP3 UIDL negative arguement attempt"
-  payload /[uU][iI][dD][lL].{1}.*-/
-  }
-
-signature sid-1866 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 110
-  event "POP3 USER overflow attempt"
-  tcp-state established,originator
-  payload /.*[uU][sS][eE][rR][^\x0a]{50}/
-  }
-
-signature sid-2108 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 110
-  event "POP3 CAPA overflow attempt"
-  tcp-state established,originator
-  payload /.*[cC][aA][pP][aA][^\x0a]{10}/
-  }
-
-signature sid-2109 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 110
-  event "POP3 TOP overflow attempt"
-  tcp-state established,originator
-  payload /.*[tT][oO][pP][^\x0a]{10}/
-  }
-
-signature sid-2110 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 110
-  event "POP3 STAT overflow attempt"
-  tcp-state established,originator
-  payload /.*[sS][tT][aA][tT][^\x0a]{10}/
-  }
-
-signature sid-2111 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 110
-  event "POP3 DELE overflow attempt"
-  tcp-state established,originator
-  payload /.*[dD][eE][lL][eE][^\x0a]{10}/
-  }
-
-signature sid-2112 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 110
-  event "POP3 RSET overflow attempt"
-  tcp-state established,originator
-  payload /.*[rR][sS][eE][tT][^\x0a]{10}/
-  }
-
-signature sid-1936 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 110
-  event "POP3 AUTH overflow attempt"
-  tcp-state established,originator
-  payload /.*[aA][uU][tT][hH][^\x0a]{50}/
-  }
-
-signature sid-1937 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 110
-  event "POP3 LIST overflow attempt"
-  tcp-state established,originator
-  payload /.*[lL][iI][sS][tT][^\x0a]{50}/
-  }
-
-signature sid-1938 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 110
-  event "POP3 XTND overflow attempt"
-  tcp-state established,originator
-  payload /.*[xX][tT][nN][dD][^\x0a]{50}/
-  }
-
-signature sid-1634 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 110
-  event "POP3 PASS overflow attempt"
-  tcp-state established,originator
-  payload /.*[pP][aA][sS][sS][^\x0a]{50}/
-  }
-
-signature sid-1635 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 110
-  event "POP3 APOP overflow attempt"
-  tcp-state established,originator
-  payload /.*[aA][pP][oO][pP][^\x0a]{256}/
-  }
-
-signature sid-286 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 110
-  event "POP3 EXPLOIT x86 BSD overflow"
-  tcp-state established,originator
-  payload /.*\|5e0 e31c 0b03 b8d7 e0e8 9fa 89f9\|/
-  }
-
-signature sid-287 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 110
-  event "POP3 EXPLOIT x86 BSD overflow"
-  tcp-state established,originator
-  payload /.*\x68\x5d\x5e\xff\xd5\xff\xd4\xff\xf5\x8b\xf5\x90\x66\x31/
-  }
-
-signature sid-288 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 110
-  event "POP3 EXPLOIT x86 Linux overflow"
-  tcp-state established,originator
-  payload /.*\xd8\x40\xcd\x80\xe8\xd9\xff\xff\xff\/bin\/sh/
-  }
-
-signature sid-289 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 110
-  event "POP3 EXPLOIT x86 SCO overflow"
-  tcp-state established,originator
-  payload /.*\x56\x0e\x31\xc0\xb0\x3b\x8d\x7e\x12\x89\xf9\x89\xf9/
-  }
-
-signature sid-290 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 110
-  event "POP3 EXPLOIT qpopper overflow"
-  tcp-state established,originator
-  payload /.*\xE8\xD9\xFF\xFF\xFF\/bin\/sh/
-  }
-
-signature sid-1792 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  src-port == 119
-  event "NNTP return code buffer overflow attempt"
-  tcp-state established,originator
-  payload /200 [^\x0a]{64}/
-  }
-
-signature sid-1538 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  dst-port == 119
-  event "NNTP AUTHINFO USER overflow attempt"
-  tcp-state established,originator
-  payload /[aA][uU][tT][hH][iI][nN][fF][oO] [uU][sS][eE][rR] [^\x0a]{500}/
-  }
-
-signature sid-1760 {
-  ip-proto == tcp
-  src-ip == local_nets
-  dst-ip != local_nets
-  src-port == 902
-  event "OTHER-IDS ISS RealSecure 6 event collector connection attempt"
-  tcp-state established,responder
-  payload /.{29}6[iI][sS][sS] [eE][cC][nN][rR][aA] [bB][uU][iI][lL][tT]-[iI][nN] [pP][rR][oO][vV][iI][dD][eE][rR], [sS][tT][rR][oO][nN][gG] [eE][nN][cC][rR][yY][pP][tT][iI][oO][nN]/
-  }
-
-signature sid-1761 {
-  ip-proto == tcp
-  src-ip == local_nets
-  dst-ip != local_nets
-  src-port == 2998
-  event "OTHER-IDS ISS RealSecure 6 daemon connection attempt"
-  tcp-state established,responder
-  payload /.{29}6[iI][sS][sS] [eE][cC][nN][rR][aA] [bB][uU][iI][lL][tT]-[iI][nN] [pP][rR][oO][vV][iI][dD][eE][rR], [sS][tT][rR][oO][nN][gG] [eE][nN][cC][rR][yY][pP][tT][iI][oO][nN]/
-  }
-
-signature sid-1629 {
-  ip-proto == tcp
-  src-ip != local_nets
-  dst-ip == local_nets
-  event "OTHER-IDS SecureNetPro traffic"
-  tcp-state established
-  payload /\x00\x67\x00\x01\x00\x03/
-  }
-
-
diff --git a/policy/sigs/ssl-worm.sig b/policy/sigs/ssl-worm.sig
deleted file mode 100644
index e18f683992..0000000000
--- a/policy/sigs/ssl-worm.sig
+++ /dev/null
@@ -1,38 +0,0 @@
-signature sslworm-probe {
-  header ip[9:1] == 6
-  header ip[16:4] == local_nets
-  header tcp[2:2] == 80
-  payload /.*GET \/ HTTP\/1\.1\x0d\x0a\x0d\x0a/
-  event "Host may have been probed by Apache/SSL worm"
-  }
-
-signature sslworm-vulnerable-probe {
-  requires-signature sslworm-probe
-  eval sslworm_is_server_vulnerable
-  event "Host may have been probed by Apache/SSL worm and is vulnerable"
-  }
-
-signature sslworm-exploit {
-  header ip[9:1] == 6
-  header ip[16:4] == local_nets
-  header tcp[2:2] == 443
-  eval sslworm_has_server_been_probed
-  event "Apache/Worm has tried to exploit host"
-  }
-
-signature sslworm-infection {
-  header ip[9:1] == 17
-  header ip[12:4] == local_nets
-  header udp[0:2] == 2002
-  eval sslworm_has_server_been_exploited 
-  event "Host has been infected by Apache/SSL worm"
-}
-
-signature sslworm-udp2002 {
-  header ip[9:1] == 17
-  header udp[0:2] == 2002
-  header udp[2:2] == 2002
-  event "Hosts may have been infected by Apache/SSL worm"
-  }
-
-
diff --git a/policy/sigs/worm.sig b/policy/sigs/worm.sig
deleted file mode 100644
index 588679c24a..0000000000
--- a/policy/sigs/worm.sig
+++ /dev/null
@@ -1,41 +0,0 @@
-# $Id: worm.sig 47 2004-06-11 07:26:32Z vern $
-
-signature nimda {
-	ip-proto == tcp
-	dst-port == http_ports
-	tcp-state established,originator
-	http /.*\/((MSDAC|scripts)\/root|winnt\/system32)\/.*c\+dir$/
-	event "Nimda"
-}
-
-signature codered1 {
-	ip-proto == tcp
-	dst-port == http_ports
-	tcp-state established,originator
-	http /.*\.id[aq]\?.*NNNNNNNNNNNNN/
-	event "CodeRed 1"
-}
-
-signature codered2 {
-	ip-proto == tcp
-	dst-port == http_ports
-	tcp-state established,originator
-	http /.*\.id[aq]\?.*XXXXXXXXXXXXX/
-	event "CodeRed 2"
-}
-
-# Taken from Snort
-signature slammer {
-	ip-proto == udp
-	dst-port == 1434
-	payload /.*\x81\xf1\x03\x01\x04\x9b\x81\xf1\x01/
-	event "Slammer propagation attempt"
-}
-
-signature witty {
-	# header udp[0:2] == 4000
-	ip-proto == udp
-	src-port == 4000
-	payload /.*insert witty message here/
-	event "Witty propagation attempt"
-}
diff --git a/policy/smb-anonymizer.bro b/policy/smb-anonymizer.bro
deleted file mode 100644
index 1051f8843c..0000000000
--- a/policy/smb-anonymizer.bro
+++ /dev/null
@@ -1,80 +0,0 @@
-# $Id:$
-
-redef rewriting_smb_trace = T;
-
-
-event smb_message(c: connection, hdr: smb_hdr, is_orig: bool, cmd: string, body_length: count, body: string)
-	{
-	}
-
-event smb_com_tree_connect_andx(c: connection, hdr: smb_hdr, path: string, service: string)
-	{
-	}
-
-event smb_com_tree_disconnect(c: connection, hdr: smb_hdr)
-	{
-	}
-
-event smb_com_nt_create_andx(c: connection, hdr: smb_hdr, name: string)
-	{
-	}
-
-event smb_com_transaction(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool)
-	{
-	}
-
-event smb_com_transaction2(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool)
-	{
-	}
-
-event smb_com_trans_mailslot(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool)
-	{
-	}
-
-event smb_com_trans_rap(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool)
-	{
-	}
-
-event smb_com_trans_pipe(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool)
-	{
-	}
-
-event smb_com_read_andx(c: connection, hdr: smb_hdr, data: string)
-	{
-	}
-
-event smb_com_write_andx(c: connection, hdr: smb_hdr, data: string)
-	{
-	}
-
-event smb_get_dfs_referral(c: connection, hdr: smb_hdr, max_referral_level: count, file_name: string)
-	{
-	}
-
-event smb_com_negotiate(c: connection, hdr: smb_hdr)
-	{
-	}
-
-event smb_com_negotiate_response(c: connection, hdr: smb_hdr, dialect_index: count)
-	{
-	}
-
-event smb_com_setup_andx(c: connection, hdr: smb_hdr)
-	{
-	}
-
-event smb_com_generic_andx(c: connection, hdr: smb_hdr)
-	{
-	}
-
-event smb_com_close(c: connection, hdr: smb_hdr)
-	{
-	}
-
-event smb_com_logoff_andx(c: connection, hdr: smb_hdr)
-	{
-	}
-
-event smb_error(c: connection, hdr: smb_hdr, cmd: count, cmd_str: string, data: string)
-	{
-	}
diff --git a/policy/smtp-rewriter.bro b/policy/smtp-rewriter.bro
deleted file mode 100644
index be8e726dcc..0000000000
--- a/policy/smtp-rewriter.bro
+++ /dev/null
@@ -1,94 +0,0 @@
-# $Id: smtp-rewriter.bro 4758 2007-08-10 06:49:23Z vern $
-
-@load smtp
-@load mime 	# need mime for content hash
-
-module SMTP;
-
-redef rewriting_smtp_trace = T;
-
-# We want this event handler to execute *after* the one in smtp.bro.
-event smtp_request(c: connection, is_orig: bool, command: string, arg: string)
-	{
-	if ( ! rewriting_trace() )
-		return;
-
-	local session = smtp_sessions[c$id];
-
-	if ( command != ">" )
-		{
-		if ( command == "." )
-			{
-			# A hack before we have MIME rewriter.
-			# rewrite_smtp_data(c, is_orig, fmt("X-number-of-lines: %d",
-			# 			session$num_lines_in_body));
-			rewrite_smtp_data(c, is_orig, fmt("X-number-of-bytes: %d",
-						session$num_bytes_in_body));
-
-			# Write empty line to avoid MIME analyzer complaints.
-			rewrite_smtp_data(c, is_orig, "");
-			rewrite_smtp_data(c, is_orig, fmt("%s", session$content_hash));
-			}
-
-		if ( command in smtp_legal_cmds )
-			{
-			# Avoid the situation in which we mistake
-			# mail contents for SMTP commands.
-			rewrite_smtp_request(c, is_orig, command, arg);
-			rewrite_push_packet(c, is_orig);
-			}
-		}
-	}
-
-event smtp_reply(c: connection, is_orig: bool, code: count, cmd: string,
-			msg: string, cont_resp: bool)
-	{
-	if ( ! rewriting_trace() )
-		return;
-
-	rewrite_smtp_reply(c, is_orig, code, msg, cont_resp);
-	}
-
-function starts_with_leading_whitespace(s: string): bool
-	{
-	return /^[ \t]/ in s;
-	}
-
-function rewrite_smtp_header_line(c: connection, is_orig: bool,
-				session: smtp_session_info, line: string)
-	{
-	if ( starts_with_leading_whitespace(line) )
-		{ # a continuing header
-		if ( session$keep_current_header )
-			rewrite_smtp_data(c, is_orig, line);
-		}
-	else
-		{
-		session$keep_current_header = F;
-
-		local pair = split1(line, /:/);
-		if ( length(pair) < 2 )
-			{
-			session$keep_current_header = T;
-			rewrite_smtp_data(c, is_orig, line);
-			}
-		else
-			{
-			local field_name = to_upper(pair[1]);
-
-			# Currently, the MIME analyzer is sensitive to
-			# CONTENT-TYPE and CONTENT_TRANSFER_ENCODING,
-			# so we want to remove these when anonymizing,
-			# because we can't ensure their integrity when
-			# rewriting message bodies.
-			#
-			# To be conservative, however, we strip out *all*
-			# CONTENT-* headers.
-			if ( /^CONTENT-/ !in field_name )
-				{
-				session$keep_current_header = T;
-				rewrite_smtp_data(c, is_orig, line);
-				}
-			}
-		}
-	}
diff --git a/policy/smtp.bro b/policy/smtp.bro
index cddb926456..7baeff9a21 100644
--- a/policy/smtp.bro
+++ b/policy/smtp.bro
@@ -505,15 +505,9 @@ event connection_state_remove(c: connection)
 		}
 	}
 
-global rewrite_smtp_header_line:
-	function(c: connection, is_orig: bool,
-			session: smtp_session_info, line: string);
-
 function smtp_header_line(c: connection, is_orig: bool,
 				session: smtp_session_info, line: string)
 	{
-	if ( rewriting_smtp_trace )
-		rewrite_smtp_header_line(c, is_orig, session, line);
 	}
 
 function smtp_body_line(c: connection, is_orig: bool,
diff --git a/policy/ssl-ciphers.bro b/policy/ssl-ciphers.bro
index 143244d364..3926d591cd 100644
--- a/policy/ssl-ciphers.bro
+++ b/policy/ssl-ciphers.bro
@@ -11,154 +11,223 @@ const SSLv20_CK_IDEA_128_CBC_WITH_MD5 = 0x050080;
 const SSLv20_CK_DES_64_CBC_WITH_MD5 = 0x060040;
 const SSLv20_CK_DES_192_EDE3_CBC_WITH_MD5 = 0x0700C0;
 
-# --- sslv3x ---
-
-const SSLv3x_NULL_WITH_NULL_NULL  = 0x0000;
-
-# The following CipherSuite definitions require that the server
-# provide an RSA certificate that can be used for key exchange.  The
-# server may request either an RSA or a DSS signature-capable
-# certificate in the certificate request message.
-
-const SSLv3x_RSA_WITH_NULL_MD5 = 0x0001;
-const SSLv3x_RSA_WITH_NULL_SHA = 0x0002;
-const SSLv3x_RSA_EXPORT_WITH_RC4_40_MD5 = 0x0003;
-const SSLv3x_RSA_WITH_RC4_128_MD5 = 0x0004;
-const SSLv3x_RSA_WITH_RC4_128_SHA = 0x0005;
-const SSLv3x_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = 0x0006;
-const SSLv3x_RSA_WITH_IDEA_CBC_SHA = 0x0007;
-const SSLv3x_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0008;
-const SSLv3x_RSA_WITH_DES_CBC_SHA = 0x0009;
-const SSLv3x_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A;
-
-# The following CipherSuite definitions are used for
-# server-authenticated (and optionally client-authenticated)
-# Diffie-Hellman.  DH denotes cipher suites in which the server's
-# certificate contains the Diffie-Hellman parameters signed by the
-# certificate authority (CA).  DHE denotes ephemeral Diffie-Hellman,
-# where the Diffie-Hellman parameters are signed by a DSS or RSA
-# certificate, which has been signed by the CA.  The signing
-# algorithm used is specified after the DH or DHE parameter.  In all
-# cases, the client must have the same type of certificate, and must
-# use the Diffie-Hellman parameters chosen by the server.
-
-const SSLv3x_DH_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x000B;
-const SSLv3x_DH_DSS_WITH_DES_CBC_SHA = 0x000C;
-const SSLv3x_DH_DSS_WITH_3DES_EDE_CBC_SHA = 0x000D;
-const SSLv3x_DH_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x000E;
-const SSLv3x_DH_RSA_WITH_DES_CBC_SHA = 0x000F;
-const SSLv3x_DH_RSA_WITH_3DES_EDE_CBC_SHA = 0x0010;
-const SSLv3x_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x0011;
-const SSLv3x_DHE_DSS_WITH_DES_CBC_SHA = 0x0012;
-const SSLv3x_DHE_DSS_WITH_3DES_EDE_CBC_SHA = 0x0013;
-const SSLv3x_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0014;
-const SSLv3x_DHE_RSA_WITH_DES_CBC_SHA = 0x0015;
-const SSLv3x_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0x0016;
-
-#  The following cipher suites are used for completely anonymous
-#  Diffie-Hellman communications in which neither party is
-#  authenticated.  Note that this mode is vulnerable to
-#  man-in-the-middle attacks and is therefore strongly discouraged.
-
-const SSLv3x_DH_anon_EXPORT_WITH_RC4_40_MD5 = 0x0017;
-const SSLv3x_DH_anon_WITH_RC4_128_MD5 = 0x0018;
-const SSLv3x_DH_anon_EXPORT_WITH_DES40_CBC_SHA = 0x0019;
-const SSLv3x_DH_anon_WITH_DES_CBC_SHA = 0x001A;
-const SSLv3x_DH_anon_WITH_3DES_EDE_CBC_SHA = 0x001B;
-
-#   The final cipher suites are for the FORTEZZA token.
-
-const SSLv3x_FORTEZZA_KEA_WITH_NULL_SHA = 0x001C;
-const SSLv3x_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA = 0x001D;
-# This seems to be assigned to a Kerberos cipher in TLS 1.1
-#const SSLv3x_FORTEZZA_KEA_WITH_RC4_128_SHA = 0x001E; 
-
-
-# Following are some newer ciphers defined in RFC 4346 (TLS 1.1)
-
-# Kerberos ciphers
-
-const SSLv3x_KRB5_WITH_DES_CBC_SHA           = 0x001E;
-const SSLv3x_KRB5_WITH_3DES_EDE_CBC_SHA      = 0x001F;
-const SSLv3x_KRB5_WITH_RC4_128_SHA           = 0x0020;
-const SSLv3x_KRB5_WITH_IDEA_CBC_SHA          = 0x0021;
-const SSLv3x_KRB5_WITH_DES_CBC_MD5           = 0x0022;
-const SSLv3x_KRB5_WITH_3DES_EDE_CBC_MD5      = 0x0023;
-const SSLv3x_KRB5_WITH_RC4_128_MD5           = 0x0024;
-const SSLv3x_KRB5_WITH_IDEA_CBC_MD5          = 0x0025;
-
-# Kerberos export ciphers
-
-const SSLv3x_KRB5_EXPORT_WITH_DES_CBC_40_SHA = 0x0026;
-const SSLv3x_KRB5_EXPORT_WITH_RC2_CBC_40_SHA = 0x0027;
-const SSLv3x_KRB5_EXPORT_WITH_RC4_40_SHA     = 0x0028;
-const SSLv3x_KRB5_EXPORT_WITH_DES_CBC_40_MD5 = 0x0029;
-const SSLv3x_KRB5_EXPORT_WITH_RC2_CBC_40_MD5 = 0x002A;
-const SSLv3x_KRB5_EXPORT_WITH_RC4_40_MD5     = 0x002B;
-
-
-# AES ciphers
-
-const SSLv3x_RSA_WITH_AES_128_CBC_SHA        = 0x002F;
-const SSLv3x_DH_DSS_WITH_AES_128_CBC_SHA     = 0x0030;
-const SSLv3x_DH_RSA_WITH_AES_128_CBC_SHA     = 0x0031;
-const SSLv3x_DHE_DSS_WITH_AES_128_CBC_SHA    = 0x0032;
-const SSLv3x_DHE_RSA_WITH_AES_128_CBC_SHA    = 0x0033;
-const SSLv3x_DH_anon_WITH_AES_128_CBC_SHA    = 0x0034;
-const SSLv3x_RSA_WITH_AES_256_CBC_SHA        = 0x0035;
-const SSLv3x_DH_DSS_WITH_AES_256_CBC_SHA     = 0x0036;
-const SSLv3x_DH_RSA_WITH_AES_256_CBC_SHA     = 0x0037;
-const SSLv3x_DHE_DSS_WITH_AES_256_CBC_SHA    = 0x0038;
-const SSLv3x_DHE_RSA_WITH_AES_256_CBC_SHA    = 0x0039;
-const SSLv3x_DH_anon_WITH_AES_256_CBC_SHA    = 0x003A;
-
-# Mostly more RFC defined suites
-const TLS_RSA_WITH_CAMELLIA_128_CBC_SHA      = 0x0041; # [RFC4132]
-const TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA   = 0x0042; # [RFC4132]
-const TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA   = 0x0043; # [RFC4132]
-const TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA  = 0x0044; # [RFC4132]
-const TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA  = 0x0045; # [RFC4132]
-const TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA  = 0x0046; # [RFC4132]
-
-# The following are tagged as "Widely Deployed implementation":
-const TLS_ECDH_ECDSA_WITH_NULL_SHA           = 0x0047;
-const TLS_ECDH_ECDSA_WITH_RC4_128_SHA        = 0x0048;
-const TLS_ECDH_ECDSA_WITH_DES_CBC_SHA        = 0x0049;
-const TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA   = 0x004A;
-const TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA    = 0x004B;
-const TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA    = 0x004C;
-const TLS_CK_RSA_EXPORT1024_WITH_RC4_56_MD5       = 0x0060;
-const TLS_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5   = 0x0061;
-const TLS_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA      = 0x0062;
-const TLS_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA  = 0x0063;
-const TLS_CK_RSA_EXPORT1024_WITH_RC4_56_SHA       = 0x0064;
-const TLS_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA   = 0x0065;
-const TLS_CK_DHE_DSS_WITH_RC4_128_SHA             = 0x0066;
-
-const TLS_RSA_WITH_CAMELLIA_256_CBC_SHA      = 0x0084; # [RFC4132]
-const TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA   = 0x0085; # [RFC4132]
-const TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA   = 0x0086; # [RFC4132]
-const TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA  = 0x0087; # [RFC4132]
-const TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA  = 0x0088; # [RFC4132]
-const TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA  = 0x0089; # [RFC4132]
-const TLS_PSK_WITH_RC4_128_SHA               = 0x008A; # [RFC4279]
-const TLS_PSK_WITH_3DES_EDE_CBC_SHA          = 0x008B; # [RFC4279]
-const TLS_PSK_WITH_AES_128_CBC_SHA           = 0x008C; # [RFC4279]
-const TLS_PSK_WITH_AES_256_CBC_SHA           = 0x008D; # [RFC4279]
-const TLS_DHE_PSK_WITH_RC4_128_SHA           = 0x008E; # [RFC4279]
-const TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA      = 0x008F; # [RFC4279]
-const TLS_DHE_PSK_WITH_AES_128_CBC_SHA       = 0x0090; # [RFC4279]
-const TLS_DHE_PSK_WITH_AES_256_CBC_SHA       = 0x0091; # [RFC4279]
-const TLS_RSA_PSK_WITH_RC4_128_SHA           = 0x0092; # [RFC4279]
-const TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA      = 0x0093; # [RFC4279]
-const TLS_RSA_PSK_WITH_AES_128_CBC_SHA       = 0x0094; # [RFC4279]
-const TLS_RSA_PSK_WITH_AES_256_CBC_SHA       = 0x0095; # [RFC4279]
-const TLS_RSA_WITH_SEED_CBC_SHA              = 0x0096; # [RFC4162]
-const TLS_DH_DSS_WITH_SEED_CBC_SHA           = 0x0097; # [RFC4162]
-const TLS_DH_RSA_WITH_SEED_CBC_SHA           = 0x0098; # [RFC4162]
-const TLS_DHE_DSS_WITH_SEED_CBC_SHA          = 0x0099; # [RFC4162]
-const TLS_DHE_RSA_WITH_SEED_CBC_SHA          = 0x009A; # [RFC4162]
-const TLS_DH_anon_WITH_SEED_CBC_SHA          = 0x009B; # [RFC4162]
+# --- TLS ---
+const TLS_NULL_WITH_NULL_NULL = 0x0000;
+const TLS_RSA_WITH_NULL_MD5 = 0x0001;
+const TLS_RSA_WITH_NULL_SHA = 0x0002;
+const TLS_RSA_EXPORT_WITH_RC4_40_MD5 = 0x0003;
+const TLS_RSA_WITH_RC4_128_MD5 = 0x0004;
+const TLS_RSA_WITH_RC4_128_SHA = 0x0005;
+const TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = 0x0006;
+const TLS_RSA_WITH_IDEA_CBC_SHA = 0x0007;
+const TLS_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0008;
+const TLS_RSA_WITH_DES_CBC_SHA = 0x0009;
+const TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A;
+const TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x000B;
+const TLS_DH_DSS_WITH_DES_CBC_SHA = 0x000C;
+const TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA = 0x000D;
+const TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x000E;
+const TLS_DH_RSA_WITH_DES_CBC_SHA = 0x000F;
+const TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA = 0x0010;
+const TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x0011;
+const TLS_DHE_DSS_WITH_DES_CBC_SHA = 0x0012;
+const TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA = 0x0013;
+const TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0014;
+const TLS_DHE_RSA_WITH_DES_CBC_SHA = 0x0015;
+const TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0x0016;
+const TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5 = 0x0017;
+const TLS_DH_ANON_WITH_RC4_128_MD5 = 0x0018;
+const TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA = 0x0019;
+const TLS_DH_ANON_WITH_DES_CBC_SHA = 0x001A;
+const TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA = 0x001B;
+const SSL_FORTEZZA_KEA_WITH_NULL_SHA = 0x001C;
+const SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA = 0x001D;
+const TLS_KRB5_WITH_DES_CBC_SHA = 0x001E;
+const TLS_KRB5_WITH_3DES_EDE_CBC_SHA = 0x001F;
+const TLS_KRB5_WITH_RC4_128_SHA = 0x0020;
+const TLS_KRB5_WITH_IDEA_CBC_SHA = 0x0021;
+const TLS_KRB5_WITH_DES_CBC_MD5 = 0x0022;
+const TLS_KRB5_WITH_3DES_EDE_CBC_MD5 = 0x0023;
+const TLS_KRB5_WITH_RC4_128_MD5 = 0x0024;
+const TLS_KRB5_WITH_IDEA_CBC_MD5 = 0x0025;
+const TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA = 0x0026;
+const TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA = 0x0027;
+const TLS_KRB5_EXPORT_WITH_RC4_40_SHA = 0x0028;
+const TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 = 0x0029;
+const TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5 = 0x002A;
+const TLS_KRB5_EXPORT_WITH_RC4_40_MD5 = 0x002B;
+const TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F;
+const TLS_DH_DSS_WITH_AES_128_CBC_SHA = 0x0030;
+const TLS_DH_RSA_WITH_AES_128_CBC_SHA = 0x0031;
+const TLS_DHE_DSS_WITH_AES_128_CBC_SHA = 0x0032;
+const TLS_DHE_RSA_WITH_AES_128_CBC_SHA = 0x0033;
+const TLS_DH_ANON_WITH_AES_128_CBC_SHA = 0x0034;
+const TLS_RSA_WITH_AES_256_CBC_SHA = 0x0035;
+const TLS_DH_DSS_WITH_AES_256_CBC_SHA = 0x0036;
+const TLS_DH_RSA_WITH_AES_256_CBC_SHA = 0x0037;
+const TLS_DHE_DSS_WITH_AES_256_CBC_SHA = 0x0038;
+const TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0x0039;
+const TLS_DH_ANON_WITH_AES_256_CBC_SHA = 0x003A;
+const TLS_RSA_WITH_NULL_SHA256 = 0x003B;
+const TLS_RSA_WITH_AES_128_CBC_SHA256 = 0x003C;
+const TLS_RSA_WITH_AES_256_CBC_SHA256 = 0x003D;
+const TLS_DH_DSS_WITH_AES_128_CBC_SHA256 = 0x003E;
+const TLS_DH_RSA_WITH_AES_128_CBC_SHA256 = 0x003F;
+const TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 = 0x0040;
+const TLS_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0041;
+const TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA = 0x0042;
+const TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0043;
+const TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA = 0x0044;
+const TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0045;
+const TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA = 0x0046;
+const TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 = 0x0060;
+const TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 = 0x0061;
+const TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA = 0x0062;
+const TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA = 0x0063;
+const TLS_RSA_EXPORT1024_WITH_RC4_56_SHA = 0x0064;
+const TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA = 0x0065;
+const TLS_DHE_DSS_WITH_RC4_128_SHA = 0x0066;
+const TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 = 0x0067;
+const TLS_DH_DSS_WITH_AES_256_CBC_SHA256 = 0x0068;
+const TLS_DH_RSA_WITH_AES_256_CBC_SHA256 = 0x0069;
+const TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 = 0x006A;
+const TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 = 0x006B;
+const TLS_DH_ANON_WITH_AES_128_CBC_SHA256 = 0x006C;
+const TLS_DH_ANON_WITH_AES_256_CBC_SHA256 = 0x006D;
+const TLS_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0084;
+const TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA = 0x0085;
+const TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0086;
+const TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA = 0x0087;
+const TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0088;
+const TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA = 0x0089;
+const TLS_PSK_WITH_RC4_128_SHA = 0x008A;
+const TLS_PSK_WITH_3DES_EDE_CBC_SHA = 0x008B;
+const TLS_PSK_WITH_AES_128_CBC_SHA = 0x008C;
+const TLS_PSK_WITH_AES_256_CBC_SHA = 0x008D;
+const TLS_DHE_PSK_WITH_RC4_128_SHA = 0x008E;
+const TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA = 0x008F;
+const TLS_DHE_PSK_WITH_AES_128_CBC_SHA = 0x0090;
+const TLS_DHE_PSK_WITH_AES_256_CBC_SHA = 0x0091;
+const TLS_RSA_PSK_WITH_RC4_128_SHA = 0x0092;
+const TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA = 0x0093;
+const TLS_RSA_PSK_WITH_AES_128_CBC_SHA = 0x0094;
+const TLS_RSA_PSK_WITH_AES_256_CBC_SHA = 0x0095;
+const TLS_RSA_WITH_SEED_CBC_SHA = 0x0096;
+const TLS_DH_DSS_WITH_SEED_CBC_SHA = 0x0097;
+const TLS_DH_RSA_WITH_SEED_CBC_SHA = 0x0098;
+const TLS_DHE_DSS_WITH_SEED_CBC_SHA = 0x0099;
+const TLS_DHE_RSA_WITH_SEED_CBC_SHA = 0x009A;
+const TLS_DH_ANON_WITH_SEED_CBC_SHA = 0x009B;
+const TLS_RSA_WITH_AES_128_GCM_SHA256 = 0x009C;
+const TLS_RSA_WITH_AES_256_GCM_SHA384 = 0x009D;
+const TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 = 0x009E;
+const TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 = 0x009F;
+const TLS_DH_RSA_WITH_AES_128_GCM_SHA256 = 0x00A0;
+const TLS_DH_RSA_WITH_AES_256_GCM_SHA384 = 0x00A1;
+const TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 = 0x00A2;
+const TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 = 0x00A3;
+const TLS_DH_DSS_WITH_AES_128_GCM_SHA256 = 0x00A4;
+const TLS_DH_DSS_WITH_AES_256_GCM_SHA384 = 0x00A5;
+const TLS_DH_ANON_WITH_AES_128_GCM_SHA256 = 0x00A6;
+const TLS_DH_ANON_WITH_AES_256_GCM_SHA384 = 0x00A7;
+const TLS_PSK_WITH_AES_128_GCM_SHA256 = 0x00A8;
+const TLS_PSK_WITH_AES_256_GCM_SHA384 = 0x00A9;
+const TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 = 0x00AA;
+const TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 = 0x00AB;
+const TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 = 0x00AC;
+const TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 = 0x00AD;
+const TLS_PSK_WITH_AES_128_CBC_SHA256 = 0x00AE;
+const TLS_PSK_WITH_AES_256_CBC_SHA384 = 0x00AF;
+const TLS_PSK_WITH_NULL_SHA256 = 0x00B0;
+const TLS_PSK_WITH_NULL_SHA384 = 0x00B1;
+const TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 = 0x00B2;
+const TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 = 0x00B3;
+const TLS_DHE_PSK_WITH_NULL_SHA256 = 0x00B4;
+const TLS_DHE_PSK_WITH_NULL_SHA384 = 0x00B5;
+const TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 = 0x00B6;
+const TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 = 0x00B7;
+const TLS_RSA_PSK_WITH_NULL_SHA256 = 0x00B8;
+const TLS_RSA_PSK_WITH_NULL_SHA384 = 0x00B9;
+const TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BA;
+const TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BB;
+const TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BC;
+const TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BD;
+const TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BE;
+const TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BF;
+const TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C0;
+const TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C1;
+const TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C2;
+const TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C3;
+const TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C4;
+const TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C5;
+const TLS_ECDH_ECDSA_WITH_NULL_SHA = 0xC001;
+const TLS_ECDH_ECDSA_WITH_RC4_128_SHA = 0xC002;
+const TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA = 0xC003;
+const TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA = 0xC004;
+const TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA = 0xC005;
+const TLS_ECDHE_ECDSA_WITH_NULL_SHA = 0xC006;
+const TLS_ECDHE_ECDSA_WITH_RC4_128_SHA = 0xC007;
+const TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA = 0xC008;
+const TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA = 0xC009;
+const TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA = 0xC00A;
+const TLS_ECDH_RSA_WITH_NULL_SHA = 0xC00B;
+const TLS_ECDH_RSA_WITH_RC4_128_SHA = 0xC00C;
+const TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA = 0xC00D;
+const TLS_ECDH_RSA_WITH_AES_128_CBC_SHA = 0xC00E;
+const TLS_ECDH_RSA_WITH_AES_256_CBC_SHA = 0xC00F;
+const TLS_ECDHE_RSA_WITH_NULL_SHA = 0xC010;
+const TLS_ECDHE_RSA_WITH_RC4_128_SHA = 0xC011;
+const TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA = 0xC012;
+const TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA = 0xC013;
+const TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA = 0xC014;
+const TLS_ECDH_ANON_WITH_NULL_SHA = 0xC015;
+const TLS_ECDH_ANON_WITH_RC4_128_SHA = 0xC016;
+const TLS_ECDH_ANON_WITH_3DES_EDE_CBC_SHA = 0xC017;
+const TLS_ECDH_ANON_WITH_AES_128_CBC_SHA = 0xC018;
+const TLS_ECDH_ANON_WITH_AES_256_CBC_SHA = 0xC019;
+const TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA = 0xC01A;
+const TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA = 0xC01B;
+const TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA = 0xC01C;
+const TLS_SRP_SHA_WITH_AES_128_CBC_SHA = 0xC01D;
+const TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA = 0xC01E;
+const TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA = 0xC01F;
+const TLS_SRP_SHA_WITH_AES_256_CBC_SHA = 0xC020;
+const TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA = 0xC021;
+const TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA = 0xC022;
+const TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 = 0xC023;
+const TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 = 0xC024;
+const TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 = 0xC025;
+const TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 = 0xC026;
+const TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 = 0xC027;
+const TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 = 0xC028;
+const TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 = 0xC029;
+const TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 = 0xC02A;
+const TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 = 0xC02B;
+const TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 = 0xC02C;
+const TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 = 0xC02D;
+const TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 = 0xC02E;
+const TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xC02F;
+const TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 = 0xC030;
+const TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 = 0xC031;
+const TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 = 0xC032;
+const TLS_ECDHE_PSK_WITH_RC4_128_SHA = 0xC033;
+const TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA = 0xC034;
+const TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA = 0xC035;
+const TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA = 0xC036;
+const TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 = 0xC037;
+const TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 = 0xC038;
+const TLS_ECDHE_PSK_WITH_NULL_SHA = 0xC039;
+const TLS_ECDHE_PSK_WITH_NULL_SHA256 = 0xC03A;
+const TLS_ECDHE_PSK_WITH_NULL_SHA384 = 0xC03B;
+const SSL_RSA_FIPS_WITH_DES_CBC_SHA = 0xFEFE;
+const SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA = 0xFEFF;
+const SSL_RSA_FIPS_WITH_DES_CBC_SHA_2 = 0xFFE1;
+const SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA_2 = 0xFFE0;
+const SSL_RSA_WITH_RC2_CBC_MD5 = 0xFF80;
+const SSL_RSA_WITH_IDEA_CBC_MD5 = 0xFF81;
+const SSL_RSA_WITH_DES_CBC_MD5 = 0xFF82;
+const SSL_RSA_WITH_3DES_EDE_CBC_MD5 = 0xFF83;
+const TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF;
 
 
 # Cipher specifications native to TLS can be included in Version 2.0 client
@@ -186,196 +255,218 @@ const ssl_cipher_desc: table[count] of string = {
 		"SSLv20_CK_DES_192_EDE3_CBC_WITH_MD5",
 	[SSLv20_CK_DES_64_CBC_WITH_MD5] = "SSLv20_CK_DES_64_CBC_WITH_MD5",
 
-	# --- sslv3x ---
-	[SSLv3x_NULL_WITH_NULL_NULL] = "SSLv3x_NULL_WITH_NULL_NULL",
-
-	[SSLv3x_RSA_WITH_NULL_MD5] = "SSLv3x_RSA_WITH_NULL_MD5",
-	[SSLv3x_RSA_WITH_NULL_SHA] = "SSLv3x_RSA_WITH_NULL_SHA",
-	[SSLv3x_RSA_EXPORT_WITH_RC4_40_MD5] =
-		"SSLv3x_RSA_EXPORT_WITH_RC4_40_MD5",
-	[SSLv3x_RSA_WITH_RC4_128_MD5] = "SSLv3x_RSA_WITH_RC4_128_MD5",
-	[SSLv3x_RSA_WITH_RC4_128_SHA] = "SSLv3x_RSA_WITH_RC4_128_SHA",
-	[SSLv3x_RSA_EXPORT_WITH_RC2_CBC_40_MD5] =
-		"SSLv3x_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
-	[SSLv3x_RSA_WITH_IDEA_CBC_SHA] = "SSLv3x_RSA_WITH_IDEA_CBC_SHA",
-	[SSLv3x_RSA_EXPORT_WITH_DES40_CBC_SHA] =
-		"SSLv3x_RSA_EXPORT_WITH_DES40_CBC_SHA",
-	[SSLv3x_RSA_WITH_DES_CBC_SHA] = "SSLv3x_RSA_WITH_DES_CBC_SHA",
-	[SSLv3x_RSA_WITH_3DES_EDE_CBC_SHA] = "SSLv3x_RSA_WITH_3DES_EDE_CBC_SHA",
-
-	[SSLv3x_DH_DSS_EXPORT_WITH_DES40_CBC_SHA] =
-		"SSLv3x_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
-	[SSLv3x_DH_DSS_WITH_DES_CBC_SHA] = "SSLv3x_DH_DSS_WITH_DES_CBC_SHA",
-	[SSLv3x_DH_DSS_WITH_3DES_EDE_CBC_SHA] =
-		"SSLv3x_DH_DSS_WITH_3DES_EDE_CBC_SHA",
-	[SSLv3x_DH_RSA_EXPORT_WITH_DES40_CBC_SHA] =
-		"SSLv3x_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
-	[SSLv3x_DH_RSA_WITH_DES_CBC_SHA] = "SSLv3x_DH_RSA_WITH_DES_CBC_SHA",
-	[SSLv3x_DH_RSA_WITH_3DES_EDE_CBC_SHA] =
-		"SSLv3x_DH_RSA_WITH_3DES_EDE_CBC_SHA",
-	[SSLv3x_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA] =
-		"SSLv3x_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
-	[SSLv3x_DHE_DSS_WITH_DES_CBC_SHA] = "SSLv3x_DHE_DSS_WITH_DES_CBC_SHA",
-	[SSLv3x_DHE_DSS_WITH_3DES_EDE_CBC_SHA] =
-		"SSLv3x_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
-	[SSLv3x_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA] =
-		"SSLv3x_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
-	[SSLv3x_DHE_RSA_WITH_DES_CBC_SHA] = "SSLv3x_DHE_RSA_WITH_DES_CBC_SHA",
-	[SSLv3x_DHE_RSA_WITH_3DES_EDE_CBC_SHA] =
-		"SSLv3x_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
-
-	[SSLv3x_DH_anon_EXPORT_WITH_RC4_40_MD5] =
-		"SSLv3x_DH_anon_EXPORT_WITH_RC4_40_MD5",
-	[SSLv3x_DH_anon_WITH_RC4_128_MD5] = "SSLv3x_DH_anon_WITH_RC4_128_MD5",
-	[SSLv3x_DH_anon_EXPORT_WITH_DES40_CBC_SHA] =
-		"SSLv3x_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
-	[SSLv3x_DH_anon_WITH_DES_CBC_SHA] = "SSLv3x_DH_anon_WITH_DES_CBC_SHA",
-	[SSLv3x_DH_anon_WITH_3DES_EDE_CBC_SHA] =
-		"SSLv3x_DH_anon_WITH_3DES_EDE_CBC_SHA",
-
-	[SSLv3x_FORTEZZA_KEA_WITH_NULL_SHA] =
-		"SSLv3x_FORTEZZA_KEA_WITH_NULL_SHA",
-	[SSLv3x_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA] =
-		"SSLv3x_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA",
-	[SSLv3x_KRB5_WITH_DES_CBC_SHA] =
-		"SSLv3x_KRB5_WITH_DES_CBC_SHA",
-	[SSLv3x_KRB5_WITH_3DES_EDE_CBC_SHA] =
-		"SSLv3x_KRB5_WITH_3DES_EDE_CBC_SHA",
-	[SSLv3x_KRB5_WITH_RC4_128_SHA] =
-		"SSLv3x_KRB5_WITH_RC4_128_SHA",
-	[SSLv3x_KRB5_WITH_IDEA_CBC_SHA] =
-		"SSLv3x_KRB5_WITH_IDEA_CBC_SHA",
-	[SSLv3x_KRB5_WITH_DES_CBC_MD5] =
-		"SSLv3x_KRB5_WITH_DES_CBC_MD5",
-	[SSLv3x_KRB5_WITH_3DES_EDE_CBC_MD5] =
-		"SSLv3x_KRB5_WITH_3DES_EDE_CBC_MD5",
-	[SSLv3x_KRB5_WITH_RC4_128_MD5] =
-		"SSLv3x_KRB5_WITH_RC4_128_MD5",
-	[SSLv3x_KRB5_WITH_IDEA_CBC_MD5] =
-		"SSLv3x_KRB5_WITH_IDEA_CBC_MD5",
-	[SSLv3x_KRB5_EXPORT_WITH_DES_CBC_40_SHA] =
-		"SSLv3x_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
-	[SSLv3x_KRB5_EXPORT_WITH_RC2_CBC_40_SHA] =
-		"SSLv3x_KRB5_EXPORT_WITH_RC2_CBC_40_SHA",
-	[SSLv3x_KRB5_EXPORT_WITH_RC4_40_SHA] =
-		"SSLv3x_KRB5_EXPORT_WITH_RC4_40_SHA",
-	[SSLv3x_KRB5_EXPORT_WITH_DES_CBC_40_MD5] =
-		"SSLv3x_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
-	[SSLv3x_KRB5_EXPORT_WITH_RC2_CBC_40_MD5] =
-		"SSLv3x_KRB5_EXPORT_WITH_RC2_CBC_40_MD5",
-	[SSLv3x_KRB5_EXPORT_WITH_RC4_40_MD5] =
-		"SSLv3x_KRB5_EXPORT_WITH_RC4_40_MD5",
-	[SSLv3x_RSA_WITH_AES_128_CBC_SHA] =
-		"SSLv3x_RSA_WITH_AES_128_CBC_SHA",
-	[SSLv3x_DH_DSS_WITH_AES_128_CBC_SHA] =
-		"SSLv3x_DH_DSS_WITH_AES_128_CBC_SHA",
-	[SSLv3x_DH_RSA_WITH_AES_128_CBC_SHA] =
-		"SSLv3x_DH_RSA_WITH_AES_128_CBC_SHA",
-	[SSLv3x_DHE_DSS_WITH_AES_128_CBC_SHA] =
-		"SSLv3x_DHE_DSS_WITH_AES_128_CBC_SHA",
-	[SSLv3x_DHE_RSA_WITH_AES_128_CBC_SHA] =
-		"SSLv3x_DHE_RSA_WITH_AES_128_CBC_SHA",
-	[SSLv3x_DH_anon_WITH_AES_128_CBC_SHA] =
-		"SSLv3x_DH_anon_WITH_AES_128_CBC_SHA",
-	[SSLv3x_RSA_WITH_AES_256_CBC_SHA] =
-		"SSLv3x_RSA_WITH_AES_256_CBC_SHA",
-	[SSLv3x_DH_DSS_WITH_AES_256_CBC_SHA] =
-		"SSLv3x_DH_DSS_WITH_AES_256_CBC_SHA",
-	[SSLv3x_DH_RSA_WITH_AES_256_CBC_SHA] =
-		"SSLv3x_DH_RSA_WITH_AES_256_CBC_SHA",
-	[SSLv3x_DHE_DSS_WITH_AES_256_CBC_SHA] =
-		"SSLv3x_DHE_DSS_WITH_AES_256_CBC_SHA",
-	[SSLv3x_DHE_RSA_WITH_AES_256_CBC_SHA] =
-		"SSLv3x_DHE_RSA_WITH_AES_256_CBC_SHA",
-	[SSLv3x_DH_anon_WITH_AES_256_CBC_SHA] =
-		"SSLv3x_DH_anon_WITH_AES_256_CBC_SHA",
-		
-    [TLS_RSA_WITH_CAMELLIA_128_CBC_SHA] = 
-        "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
-    [TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA] = 
-        "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA",
-    [TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA] = 
-        "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA",
-    [TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA] = 
-        "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA",
-    [TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA] = 
-        "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
-    [TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA] = 
-        "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA",
-    [TLS_ECDH_ECDSA_WITH_NULL_SHA] = 
-        "TLS_ECDH_ECDSA_WITH_NULL_SHA",
-    [TLS_ECDH_ECDSA_WITH_RC4_128_SHA] = 
-        "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
-    [TLS_ECDH_ECDSA_WITH_DES_CBC_SHA] = 
-        "TLS_ECDH_ECDSA_WITH_DES_CBC_SHA",
-    [TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA] = 
-        "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
-    [TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA] = 
-        "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
-    [TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA] = 
-        "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
-    [TLS_CK_RSA_EXPORT1024_WITH_RC4_56_MD5] = 
-        "TLS_CK_RSA_EXPORT1024_WITH_RC4_56_MD5",
-    [TLS_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5] = 
-        "TLS_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5",
-    [TLS_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA] = 
-        "TLS_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA",
-    [TLS_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA] = 
-        "TLS_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA",
-    [TLS_CK_RSA_EXPORT1024_WITH_RC4_56_SHA] = 
-        "TLS_CK_RSA_EXPORT1024_WITH_RC4_56_SHA",
-    [TLS_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA] = 
-        "TLS_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA",
-    [TLS_CK_DHE_DSS_WITH_RC4_128_SHA] = 
-        "TLS_CK_DHE_DSS_WITH_RC4_128_SHA",
-    [TLS_RSA_WITH_CAMELLIA_256_CBC_SHA] = 
-        "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
-    [TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA] = 
-        "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA",
-    [TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA] = 
-        "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA",
-    [TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA] = 
-        "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",
-    [TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA] = 
-        "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
-    [TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA] = 
-        "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA",
-    [TLS_PSK_WITH_RC4_128_SHA] = 
-        "TLS_PSK_WITH_RC4_128_SHA",
-    [TLS_PSK_WITH_3DES_EDE_CBC_SHA] = 
-        "TLS_PSK_WITH_3DES_EDE_CBC_SHA",
-    [TLS_PSK_WITH_AES_128_CBC_SHA] = 
-        "TLS_PSK_WITH_AES_128_CBC_SHA",
-    [TLS_PSK_WITH_AES_256_CBC_SHA] = 
-        "TLS_PSK_WITH_AES_256_CBC_SHA",
-    [TLS_DHE_PSK_WITH_RC4_128_SHA] = 
-        "TLS_DHE_PSK_WITH_RC4_128_SHA",
-    [TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA] = 
-        "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA",
-    [TLS_DHE_PSK_WITH_AES_128_CBC_SHA] = 
-        "TLS_DHE_PSK_WITH_AES_128_CBC_SHA",
-    [TLS_DHE_PSK_WITH_AES_256_CBC_SHA] = 
-        "TLS_DHE_PSK_WITH_AES_256_CBC_SHA",
-    [TLS_RSA_PSK_WITH_RC4_128_SHA] = 
-        "TLS_RSA_PSK_WITH_RC4_128_SHA",
-    [TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA] = 
-        "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA",
-    [TLS_RSA_PSK_WITH_AES_128_CBC_SHA] = 
-        "TLS_RSA_PSK_WITH_AES_128_CBC_SHA",
-    [TLS_RSA_PSK_WITH_AES_256_CBC_SHA] = 
-        "TLS_RSA_PSK_WITH_AES_256_CBC_SHA",
-    [TLS_RSA_WITH_SEED_CBC_SHA] = 
-        "TLS_RSA_WITH_SEED_CBC_SHA",
-    [TLS_DH_DSS_WITH_SEED_CBC_SHA] = 
-        "TLS_DH_DSS_WITH_SEED_CBC_SHA",
-    [TLS_DH_RSA_WITH_SEED_CBC_SHA] = 
-        "TLS_DH_RSA_WITH_SEED_CBC_SHA",
-    [TLS_DHE_DSS_WITH_SEED_CBC_SHA] = 
-        "TLS_DHE_DSS_WITH_SEED_CBC_SHA",
-    [TLS_DHE_RSA_WITH_SEED_CBC_SHA] = 
-        "TLS_DHE_RSA_WITH_SEED_CBC_SHA",
-    [TLS_DH_anon_WITH_SEED_CBC_SHA] = 
-        "TLS_DH_anon_WITH_SEED_CBC_SHA"
+	# --- TLS ---
+	[TLS_NULL_WITH_NULL_NULL] = "TLS_NULL_WITH_NULL_NULL",
+	[TLS_RSA_WITH_NULL_MD5] = "TLS_RSA_WITH_NULL_MD5",
+	[TLS_RSA_WITH_NULL_SHA] = "TLS_RSA_WITH_NULL_SHA",
+	[TLS_RSA_EXPORT_WITH_RC4_40_MD5] = "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
+	[TLS_RSA_WITH_RC4_128_MD5] = "TLS_RSA_WITH_RC4_128_MD5",
+	[TLS_RSA_WITH_RC4_128_SHA] = "TLS_RSA_WITH_RC4_128_SHA",
+	[TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5] = "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
+	[TLS_RSA_WITH_IDEA_CBC_SHA] = "TLS_RSA_WITH_IDEA_CBC_SHA",
+	[TLS_RSA_EXPORT_WITH_DES40_CBC_SHA] = "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
+	[TLS_RSA_WITH_DES_CBC_SHA] = "TLS_RSA_WITH_DES_CBC_SHA",
+	[TLS_RSA_WITH_3DES_EDE_CBC_SHA] = "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
+	[TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA] = "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
+	[TLS_DH_DSS_WITH_DES_CBC_SHA] = "TLS_DH_DSS_WITH_DES_CBC_SHA",
+	[TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA] = "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA",
+	[TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA] = "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
+	[TLS_DH_RSA_WITH_DES_CBC_SHA] = "TLS_DH_RSA_WITH_DES_CBC_SHA",
+	[TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA] = "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA",
+	[TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA] = "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
+	[TLS_DHE_DSS_WITH_DES_CBC_SHA] = "TLS_DHE_DSS_WITH_DES_CBC_SHA",
+	[TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA] = "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
+	[TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA] = "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
+	[TLS_DHE_RSA_WITH_DES_CBC_SHA] = "TLS_DHE_RSA_WITH_DES_CBC_SHA",
+	[TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA] = "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
+	[TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5] = "TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5",
+	[TLS_DH_ANON_WITH_RC4_128_MD5] = "TLS_DH_ANON_WITH_RC4_128_MD5",
+	[TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA] = "TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA",
+	[TLS_DH_ANON_WITH_DES_CBC_SHA] = "TLS_DH_ANON_WITH_DES_CBC_SHA",
+	[TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA] = "TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA",
+	[SSL_FORTEZZA_KEA_WITH_NULL_SHA] = "SSL_FORTEZZA_KEA_WITH_NULL_SHA",
+	[SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA] = "SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA",
+	[TLS_KRB5_WITH_DES_CBC_SHA] = "TLS_KRB5_WITH_DES_CBC_SHA",
+	[TLS_KRB5_WITH_3DES_EDE_CBC_SHA] = "TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
+	[TLS_KRB5_WITH_RC4_128_SHA] = "TLS_KRB5_WITH_RC4_128_SHA",
+	[TLS_KRB5_WITH_IDEA_CBC_SHA] = "TLS_KRB5_WITH_IDEA_CBC_SHA",
+	[TLS_KRB5_WITH_DES_CBC_MD5] = "TLS_KRB5_WITH_DES_CBC_MD5",
+	[TLS_KRB5_WITH_3DES_EDE_CBC_MD5] = "TLS_KRB5_WITH_3DES_EDE_CBC_MD5",
+	[TLS_KRB5_WITH_RC4_128_MD5] = "TLS_KRB5_WITH_RC4_128_MD5",
+	[TLS_KRB5_WITH_IDEA_CBC_MD5] = "TLS_KRB5_WITH_IDEA_CBC_MD5",
+	[TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA] = "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
+	[TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA] = "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA",
+	[TLS_KRB5_EXPORT_WITH_RC4_40_SHA] = "TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
+	[TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5] = "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
+	[TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5] = "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5",
+	[TLS_KRB5_EXPORT_WITH_RC4_40_MD5] = "TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
+	[TLS_RSA_WITH_AES_128_CBC_SHA] = "TLS_RSA_WITH_AES_128_CBC_SHA",
+	[TLS_DH_DSS_WITH_AES_128_CBC_SHA] = "TLS_DH_DSS_WITH_AES_128_CBC_SHA",
+	[TLS_DH_RSA_WITH_AES_128_CBC_SHA] = "TLS_DH_RSA_WITH_AES_128_CBC_SHA",
+	[TLS_DHE_DSS_WITH_AES_128_CBC_SHA] = "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
+	[TLS_DHE_RSA_WITH_AES_128_CBC_SHA] = "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
+	[TLS_DH_ANON_WITH_AES_128_CBC_SHA] = "TLS_DH_ANON_WITH_AES_128_CBC_SHA",
+	[TLS_RSA_WITH_AES_256_CBC_SHA] = "TLS_RSA_WITH_AES_256_CBC_SHA",
+	[TLS_DH_DSS_WITH_AES_256_CBC_SHA] = "TLS_DH_DSS_WITH_AES_256_CBC_SHA",
+	[TLS_DH_RSA_WITH_AES_256_CBC_SHA] = "TLS_DH_RSA_WITH_AES_256_CBC_SHA",
+	[TLS_DHE_DSS_WITH_AES_256_CBC_SHA] = "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
+	[TLS_DHE_RSA_WITH_AES_256_CBC_SHA] = "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
+	[TLS_DH_ANON_WITH_AES_256_CBC_SHA] = "TLS_DH_ANON_WITH_AES_256_CBC_SHA",
+	[TLS_RSA_WITH_NULL_SHA256] = "TLS_RSA_WITH_NULL_SHA256",
+	[TLS_RSA_WITH_AES_128_CBC_SHA256] = "TLS_RSA_WITH_AES_128_CBC_SHA256",
+	[TLS_RSA_WITH_AES_256_CBC_SHA256] = "TLS_RSA_WITH_AES_256_CBC_SHA256",
+	[TLS_DH_DSS_WITH_AES_128_CBC_SHA256] = "TLS_DH_DSS_WITH_AES_128_CBC_SHA256",
+	[TLS_DH_RSA_WITH_AES_128_CBC_SHA256] = "TLS_DH_RSA_WITH_AES_128_CBC_SHA256",
+	[TLS_DHE_DSS_WITH_AES_128_CBC_SHA256] = "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
+	[TLS_RSA_WITH_CAMELLIA_128_CBC_SHA] = "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
+	[TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA] = "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA",
+	[TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA] = "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA",
+	[TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA] = "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA",
+	[TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA] = "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
+	[TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA] = "TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA",
+	[TLS_RSA_EXPORT1024_WITH_RC4_56_MD5] = "TLS_RSA_EXPORT1024_WITH_RC4_56_MD5",
+	[TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5] = "TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5",
+	[TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA] = "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA",
+	[TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA] = "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA",
+	[TLS_RSA_EXPORT1024_WITH_RC4_56_SHA] = "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
+	[TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA] = "TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA",
+	[TLS_DHE_DSS_WITH_RC4_128_SHA] = "TLS_DHE_DSS_WITH_RC4_128_SHA",
+	[TLS_DHE_RSA_WITH_AES_128_CBC_SHA256] = "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
+	[TLS_DH_DSS_WITH_AES_256_CBC_SHA256] = "TLS_DH_DSS_WITH_AES_256_CBC_SHA256",
+	[TLS_DH_RSA_WITH_AES_256_CBC_SHA256] = "TLS_DH_RSA_WITH_AES_256_CBC_SHA256",
+	[TLS_DHE_DSS_WITH_AES_256_CBC_SHA256] = "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
+	[TLS_DHE_RSA_WITH_AES_256_CBC_SHA256] = "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
+	[TLS_DH_ANON_WITH_AES_128_CBC_SHA256] = "TLS_DH_ANON_WITH_AES_128_CBC_SHA256",
+	[TLS_DH_ANON_WITH_AES_256_CBC_SHA256] = "TLS_DH_ANON_WITH_AES_256_CBC_SHA256",
+	[TLS_RSA_WITH_CAMELLIA_256_CBC_SHA] = "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
+	[TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA] = "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA",
+	[TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA] = "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA",
+	[TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA] = "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",
+	[TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA] = "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
+	[TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA] = "TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA",
+	[TLS_PSK_WITH_RC4_128_SHA] = "TLS_PSK_WITH_RC4_128_SHA",
+	[TLS_PSK_WITH_3DES_EDE_CBC_SHA] = "TLS_PSK_WITH_3DES_EDE_CBC_SHA",
+	[TLS_PSK_WITH_AES_128_CBC_SHA] = "TLS_PSK_WITH_AES_128_CBC_SHA",
+	[TLS_PSK_WITH_AES_256_CBC_SHA] = "TLS_PSK_WITH_AES_256_CBC_SHA",
+	[TLS_DHE_PSK_WITH_RC4_128_SHA] = "TLS_DHE_PSK_WITH_RC4_128_SHA",
+	[TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA] = "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA",
+	[TLS_DHE_PSK_WITH_AES_128_CBC_SHA] = "TLS_DHE_PSK_WITH_AES_128_CBC_SHA",
+	[TLS_DHE_PSK_WITH_AES_256_CBC_SHA] = "TLS_DHE_PSK_WITH_AES_256_CBC_SHA",
+	[TLS_RSA_PSK_WITH_RC4_128_SHA] = "TLS_RSA_PSK_WITH_RC4_128_SHA",
+	[TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA] = "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA",
+	[TLS_RSA_PSK_WITH_AES_128_CBC_SHA] = "TLS_RSA_PSK_WITH_AES_128_CBC_SHA",
+	[TLS_RSA_PSK_WITH_AES_256_CBC_SHA] = "TLS_RSA_PSK_WITH_AES_256_CBC_SHA",
+	[TLS_RSA_WITH_SEED_CBC_SHA] = "TLS_RSA_WITH_SEED_CBC_SHA",
+	[TLS_DH_DSS_WITH_SEED_CBC_SHA] = "TLS_DH_DSS_WITH_SEED_CBC_SHA",
+	[TLS_DH_RSA_WITH_SEED_CBC_SHA] = "TLS_DH_RSA_WITH_SEED_CBC_SHA",
+	[TLS_DHE_DSS_WITH_SEED_CBC_SHA] = "TLS_DHE_DSS_WITH_SEED_CBC_SHA",
+	[TLS_DHE_RSA_WITH_SEED_CBC_SHA] = "TLS_DHE_RSA_WITH_SEED_CBC_SHA",
+	[TLS_DH_ANON_WITH_SEED_CBC_SHA] = "TLS_DH_ANON_WITH_SEED_CBC_SHA",
+	[TLS_RSA_WITH_AES_128_GCM_SHA256] = "TLS_RSA_WITH_AES_128_GCM_SHA256",
+	[TLS_RSA_WITH_AES_256_GCM_SHA384] = "TLS_RSA_WITH_AES_256_GCM_SHA384",
+	[TLS_DHE_RSA_WITH_AES_128_GCM_SHA256] = "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
+	[TLS_DHE_RSA_WITH_AES_256_GCM_SHA384] = "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
+	[TLS_DH_RSA_WITH_AES_128_GCM_SHA256] = "TLS_DH_RSA_WITH_AES_128_GCM_SHA256",
+	[TLS_DH_RSA_WITH_AES_256_GCM_SHA384] = "TLS_DH_RSA_WITH_AES_256_GCM_SHA384",
+	[TLS_DHE_DSS_WITH_AES_128_GCM_SHA256] = "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
+	[TLS_DHE_DSS_WITH_AES_256_GCM_SHA384] = "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
+	[TLS_DH_DSS_WITH_AES_128_GCM_SHA256] = "TLS_DH_DSS_WITH_AES_128_GCM_SHA256",
+	[TLS_DH_DSS_WITH_AES_256_GCM_SHA384] = "TLS_DH_DSS_WITH_AES_256_GCM_SHA384",
+	[TLS_DH_ANON_WITH_AES_128_GCM_SHA256] = "TLS_DH_ANON_WITH_AES_128_GCM_SHA256",
+	[TLS_DH_ANON_WITH_AES_256_GCM_SHA384] = "TLS_DH_ANON_WITH_AES_256_GCM_SHA384",
+	[TLS_PSK_WITH_AES_128_GCM_SHA256] = "TLS_PSK_WITH_AES_128_GCM_SHA256",
+	[TLS_PSK_WITH_AES_256_GCM_SHA384] = "TLS_PSK_WITH_AES_256_GCM_SHA384",
+	[TLS_DHE_PSK_WITH_AES_128_GCM_SHA256] = "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256",
+	[TLS_DHE_PSK_WITH_AES_256_GCM_SHA384] = "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384",
+	[TLS_RSA_PSK_WITH_AES_128_GCM_SHA256] = "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256",
+	[TLS_RSA_PSK_WITH_AES_256_GCM_SHA384] = "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384",
+	[TLS_PSK_WITH_AES_128_CBC_SHA256] = "TLS_PSK_WITH_AES_128_CBC_SHA256",
+	[TLS_PSK_WITH_AES_256_CBC_SHA384] = "TLS_PSK_WITH_AES_256_CBC_SHA384",
+	[TLS_PSK_WITH_NULL_SHA256] = "TLS_PSK_WITH_NULL_SHA256",
+	[TLS_PSK_WITH_NULL_SHA384] = "TLS_PSK_WITH_NULL_SHA384",
+	[TLS_DHE_PSK_WITH_AES_128_CBC_SHA256] = "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256",
+	[TLS_DHE_PSK_WITH_AES_256_CBC_SHA384] = "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384",
+	[TLS_DHE_PSK_WITH_NULL_SHA256] = "TLS_DHE_PSK_WITH_NULL_SHA256",
+	[TLS_DHE_PSK_WITH_NULL_SHA384] = "TLS_DHE_PSK_WITH_NULL_SHA384",
+	[TLS_RSA_PSK_WITH_AES_128_CBC_SHA256] = "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256",
+	[TLS_RSA_PSK_WITH_AES_256_CBC_SHA384] = "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384",
+	[TLS_RSA_PSK_WITH_NULL_SHA256] = "TLS_RSA_PSK_WITH_NULL_SHA256",
+	[TLS_RSA_PSK_WITH_NULL_SHA384] = "TLS_RSA_PSK_WITH_NULL_SHA384",
+	[TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256] = "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",
+	[TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256] = "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256",
+	[TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256] = "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256",
+	[TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256] = "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256",
+	[TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256] = "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
+	[TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA256] = "TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA256",
+	[TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256] = "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
+	[TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256] = "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256",
+	[TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256] = "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256",
+	[TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256] = "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256",
+	[TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256] = "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",
+	[TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA256] = "TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA256",
+	[TLS_ECDH_ECDSA_WITH_NULL_SHA] = "TLS_ECDH_ECDSA_WITH_NULL_SHA",
+	[TLS_ECDH_ECDSA_WITH_RC4_128_SHA] = "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
+	[TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA] = "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
+	[TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA] = "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
+	[TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA] = "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
+	[TLS_ECDHE_ECDSA_WITH_NULL_SHA] = "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
+	[TLS_ECDHE_ECDSA_WITH_RC4_128_SHA] = "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
+	[TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA] = "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
+	[TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA] = "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
+	[TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA] = "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
+	[TLS_ECDH_RSA_WITH_NULL_SHA] = "TLS_ECDH_RSA_WITH_NULL_SHA",
+	[TLS_ECDH_RSA_WITH_RC4_128_SHA] = "TLS_ECDH_RSA_WITH_RC4_128_SHA",
+	[TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA] = "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
+	[TLS_ECDH_RSA_WITH_AES_128_CBC_SHA] = "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
+	[TLS_ECDH_RSA_WITH_AES_256_CBC_SHA] = "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
+	[TLS_ECDHE_RSA_WITH_NULL_SHA] = "TLS_ECDHE_RSA_WITH_NULL_SHA",
+	[TLS_ECDHE_RSA_WITH_RC4_128_SHA] = "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
+	[TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA] = "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
+	[TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA] = "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
+	[TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA] = "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
+	[TLS_ECDH_ANON_WITH_NULL_SHA] = "TLS_ECDH_ANON_WITH_NULL_SHA",
+	[TLS_ECDH_ANON_WITH_RC4_128_SHA] = "TLS_ECDH_ANON_WITH_RC4_128_SHA",
+	[TLS_ECDH_ANON_WITH_3DES_EDE_CBC_SHA] = "TLS_ECDH_ANON_WITH_3DES_EDE_CBC_SHA",
+	[TLS_ECDH_ANON_WITH_AES_128_CBC_SHA] = "TLS_ECDH_ANON_WITH_AES_128_CBC_SHA",
+	[TLS_ECDH_ANON_WITH_AES_256_CBC_SHA] = "TLS_ECDH_ANON_WITH_AES_256_CBC_SHA",
+	[TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA] = "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA",
+	[TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA] = "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA",
+	[TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA] = "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA",
+	[TLS_SRP_SHA_WITH_AES_128_CBC_SHA] = "TLS_SRP_SHA_WITH_AES_128_CBC_SHA",
+	[TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA] = "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA",
+	[TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA] = "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA",
+	[TLS_SRP_SHA_WITH_AES_256_CBC_SHA] = "TLS_SRP_SHA_WITH_AES_256_CBC_SHA",
+	[TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA] = "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA",
+	[TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA] = "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA",
+	[TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256] = "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
+	[TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384] = "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
+	[TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256] = "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
+	[TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384] = "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
+	[TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256] = "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
+	[TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384] = "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
+	[TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256] = "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
+	[TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384] = "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
+	[TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256] = "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+	[TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384] = "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+	[TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256] = "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
+	[TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384] = "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
+	[TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+	[TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384] = "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+	[TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256] = "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
+	[TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384] = "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
+	[TLS_ECDHE_PSK_WITH_RC4_128_SHA] = "TLS_ECDHE_PSK_WITH_RC4_128_SHA",
+	[TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA] = "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA",
+	[TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA] = "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
+	[TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA] = "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",
+	[TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256] = "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256",
+	[TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384] = "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384",
+	[TLS_ECDHE_PSK_WITH_NULL_SHA] = "TLS_ECDHE_PSK_WITH_NULL_SHA",
+	[TLS_ECDHE_PSK_WITH_NULL_SHA256] = "TLS_ECDHE_PSK_WITH_NULL_SHA256",
+	[TLS_ECDHE_PSK_WITH_NULL_SHA384] = "TLS_ECDHE_PSK_WITH_NULL_SHA384",
+	[SSL_RSA_FIPS_WITH_DES_CBC_SHA] = "SSL_RSA_FIPS_WITH_DES_CBC_SHA",
+	[SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA] = "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA",
+	[SSL_RSA_FIPS_WITH_DES_CBC_SHA_2] = "SSL_RSA_FIPS_WITH_DES_CBC_SHA_2",
+	[SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA_2] = "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA_2",
 };
 
 
@@ -385,101 +476,218 @@ const ssl_cipher_desc: table[count] of string = {
 const ssl_cipherset_EXPORT: set[count] = {
 	SSLv20_CK_RC4_128_EXPORT40_WITH_MD5,
 	SSLv20_CK_RC2_128_CBC_EXPORT40_WITH_MD5,
-	SSLv3x_RSA_EXPORT_WITH_RC4_40_MD5,
-	SSLv3x_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
-	SSLv3x_RSA_EXPORT_WITH_DES40_CBC_SHA,
-	SSLv3x_DH_DSS_EXPORT_WITH_DES40_CBC_SHA,
-	SSLv3x_DH_RSA_EXPORT_WITH_DES40_CBC_SHA,
-	SSLv3x_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
-	SSLv3x_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
-	SSLv3x_DH_anon_EXPORT_WITH_RC4_40_MD5,
-	SSLv3x_DH_anon_EXPORT_WITH_DES40_CBC_SHA,
-	SSLv3x_KRB5_EXPORT_WITH_DES_CBC_40_SHA,
-	SSLv3x_KRB5_EXPORT_WITH_RC2_CBC_40_SHA,
-	SSLv3x_KRB5_EXPORT_WITH_RC4_40_SHA,
-	SSLv3x_KRB5_EXPORT_WITH_DES_CBC_40_MD5,
-	SSLv3x_KRB5_EXPORT_WITH_RC2_CBC_40_MD5,
-	SSLv3x_KRB5_EXPORT_WITH_RC4_40_MD5
+	TLS_RSA_EXPORT_WITH_RC4_40_MD5,
+	TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
+	TLS_RSA_EXPORT_WITH_DES40_CBC_SHA,
+	TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA,
+	TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA,
+	TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
+	TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
+	TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5,
+	TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA,
+	TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA,
+	TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA,
+	TLS_KRB5_EXPORT_WITH_RC4_40_SHA,
+	TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5,
+	TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5,
+	TLS_KRB5_EXPORT_WITH_RC4_40_MD5,
+	TLS_RSA_EXPORT1024_WITH_RC4_56_MD5,
+	TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5,
+	TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,
+	TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
+	TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,
+	TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA,
 };
 
 # --- this set holds all DES ciphers
 const ssl_cipherset_DES: set[count] = {
 	SSLv20_CK_DES_64_CBC_WITH_MD5,
-	SSLv3x_RSA_EXPORT_WITH_DES40_CBC_SHA,
-	SSLv3x_RSA_WITH_DES_CBC_SHA,
-	SSLv3x_DH_DSS_EXPORT_WITH_DES40_CBC_SHA,
-	SSLv3x_DH_DSS_WITH_DES_CBC_SHA,
-	SSLv3x_DH_RSA_EXPORT_WITH_DES40_CBC_SHA,
-	SSLv3x_DH_RSA_WITH_DES_CBC_SHA,
-	SSLv3x_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
-	SSLv3x_DHE_DSS_WITH_DES_CBC_SHA,
-	SSLv3x_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
-	SSLv3x_DHE_RSA_WITH_DES_CBC_SHA,
-	SSLv3x_DH_anon_EXPORT_WITH_DES40_CBC_SHA,
-	SSLv3x_DH_anon_WITH_DES_CBC_SHA,
-	SSLv3x_KRB5_WITH_DES_CBC_SHA,
-	SSLv3x_KRB5_WITH_DES_CBC_MD5,
-	SSLv3x_KRB5_EXPORT_WITH_DES_CBC_40_SHA,
-	SSLv3x_KRB5_EXPORT_WITH_DES_CBC_40_MD5
+	TLS_RSA_EXPORT_WITH_DES40_CBC_SHA,
+	TLS_RSA_WITH_DES_CBC_SHA,
+	TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA,
+	TLS_DH_DSS_WITH_DES_CBC_SHA,
+	TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA,
+	TLS_DH_RSA_WITH_DES_CBC_SHA,
+	TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
+	TLS_DHE_DSS_WITH_DES_CBC_SHA,
+	TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
+	TLS_DHE_RSA_WITH_DES_CBC_SHA,
+	TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA,
+	TLS_DH_ANON_WITH_DES_CBC_SHA,
+	TLS_KRB5_WITH_DES_CBC_SHA,
+	TLS_KRB5_WITH_DES_CBC_MD5,
+	TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA,
+	TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5,
+	TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,
+	TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
+	SSL_RSA_FIPS_WITH_DES_CBC_SHA,
+	SSL_RSA_FIPS_WITH_DES_CBC_SHA_2,
 };
 
 
 # --- this set holds all 3DES ciphers
 const ssl_cipherset_3DES: set[count] = {
 	SSLv20_CK_DES_192_EDE3_CBC_WITH_MD5,
-	SSLv3x_DH_DSS_WITH_3DES_EDE_CBC_SHA,
-	SSLv3x_DH_RSA_WITH_3DES_EDE_CBC_SHA,
-	SSLv3x_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
-	SSLv3x_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
-	SSLv3x_DH_anon_WITH_3DES_EDE_CBC_SHA,
-	SSLv3x_KRB5_WITH_3DES_EDE_CBC_SHA,
-	SSLv3x_KRB5_WITH_3DES_EDE_CBC_MD5
+	TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+	TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA,
+	TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA,
+	TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
+	TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
+	TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA,
+	TLS_KRB5_WITH_3DES_EDE_CBC_SHA,
+	TLS_KRB5_WITH_3DES_EDE_CBC_MD5,
+	TLS_PSK_WITH_3DES_EDE_CBC_SHA,
+	TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA,
+	TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA,
+	TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
+	TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
+	TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
+	TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+	TLS_ECDH_ANON_WITH_3DES_EDE_CBC_SHA,
+	TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA,
+	TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA,
+	TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA,
+	TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA,
+	SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,
+	SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA_2,
 };
 
 # --- this set holds all RC2 ciphers
 const ssl_cipherset_RC2: set[count] = {
 	SSLv20_CK_RC2_128_CBC_WITH_MD5,
 	SSLv20_CK_RC2_128_CBC_EXPORT40_WITH_MD5,
-	SSLv3x_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
-	SSLv3x_KRB5_EXPORT_WITH_RC2_CBC_40_SHA,
-	SSLv3x_KRB5_EXPORT_WITH_RC2_CBC_40_MD5
+	TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
+	TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA,
+	TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5,
+	TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5,
 };
 
 # --- this set holds all RC4 ciphers
 const ssl_cipherset_RC4: set[count] = {
 	SSLv20_CK_RC4_128_WITH_MD5,
 	SSLv20_CK_RC4_128_EXPORT40_WITH_MD5,
-	SSLv3x_RSA_EXPORT_WITH_RC4_40_MD5,
-	SSLv3x_RSA_WITH_RC4_128_MD5,
-	SSLv3x_RSA_WITH_RC4_128_SHA,
-	SSLv3x_DH_anon_EXPORT_WITH_RC4_40_MD5,
-	SSLv3x_DH_anon_WITH_RC4_128_MD5,
-	SSLv3x_KRB5_WITH_RC4_128_SHA,
-	SSLv3x_KRB5_WITH_RC4_128_MD5,
-	SSLv3x_KRB5_EXPORT_WITH_RC4_40_SHA,
-	SSLv3x_KRB5_EXPORT_WITH_RC4_40_MD5
+	TLS_RSA_EXPORT_WITH_RC4_40_MD5,
+	TLS_RSA_WITH_RC4_128_MD5,
+	TLS_RSA_WITH_RC4_128_SHA,
+	TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5,
+	TLS_DH_ANON_WITH_RC4_128_MD5,
+	TLS_KRB5_WITH_RC4_128_SHA,
+	TLS_KRB5_WITH_RC4_128_MD5,
+	TLS_KRB5_EXPORT_WITH_RC4_40_SHA,
+	TLS_KRB5_EXPORT_WITH_RC4_40_MD5,
+	TLS_RSA_EXPORT1024_WITH_RC4_56_MD5,
+	TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,
+	TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA,
+	TLS_DHE_DSS_WITH_RC4_128_SHA,
+	TLS_PSK_WITH_RC4_128_SHA,
+	TLS_DHE_PSK_WITH_RC4_128_SHA,
+	TLS_RSA_PSK_WITH_RC4_128_SHA,
+	TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
+	TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
+	TLS_ECDH_RSA_WITH_RC4_128_SHA,
+	TLS_ECDHE_RSA_WITH_RC4_128_SHA,
+	TLS_ECDH_ANON_WITH_RC4_128_SHA,
+	TLS_ECDHE_PSK_WITH_RC4_128_SHA,
 };
 
 # --- this set holds all IDEA ciphers
 const ssl_cipherset_IDEA: set[count] = {
 	SSLv20_CK_IDEA_128_CBC_WITH_MD5,
-	SSLv3x_RSA_WITH_IDEA_CBC_SHA,
-	SSLv3x_KRB5_WITH_IDEA_CBC_SHA,
-	SSLv3x_KRB5_WITH_IDEA_CBC_MD5
+	TLS_RSA_WITH_IDEA_CBC_SHA,
+	TLS_KRB5_WITH_IDEA_CBC_SHA,
+	TLS_KRB5_WITH_IDEA_CBC_MD5
 };
 
 # --- this set holds all AES ciphers
 const ssl_cipherset_AES: set[count] = {
-	SSLv3x_RSA_WITH_AES_128_CBC_SHA,
-	SSLv3x_DH_DSS_WITH_AES_128_CBC_SHA,
-	SSLv3x_DH_RSA_WITH_AES_128_CBC_SHA,
-	SSLv3x_DHE_DSS_WITH_AES_128_CBC_SHA,
-	SSLv3x_DHE_RSA_WITH_AES_128_CBC_SHA,
-	SSLv3x_DH_anon_WITH_AES_128_CBC_SHA,
-	SSLv3x_RSA_WITH_AES_256_CBC_SHA,
-	SSLv3x_DH_DSS_WITH_AES_256_CBC_SHA,
-	SSLv3x_DH_RSA_WITH_AES_256_CBC_SHA,
-	SSLv3x_DHE_DSS_WITH_AES_256_CBC_SHA,
-	SSLv3x_DHE_RSA_WITH_AES_256_CBC_SHA,
-	SSLv3x_DH_anon_WITH_AES_256_CBC_SHA
+	TLS_RSA_WITH_AES_128_CBC_SHA,
+	TLS_DH_DSS_WITH_AES_128_CBC_SHA,
+	TLS_DH_RSA_WITH_AES_128_CBC_SHA,
+	TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
+	TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
+	TLS_DH_ANON_WITH_AES_128_CBC_SHA,
+	TLS_RSA_WITH_AES_256_CBC_SHA,
+	TLS_DH_DSS_WITH_AES_256_CBC_SHA,
+	TLS_DH_RSA_WITH_AES_256_CBC_SHA,
+	TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
+	TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
+	TLS_DH_ANON_WITH_AES_256_CBC_SHA,
+	TLS_RSA_WITH_AES_128_CBC_SHA256,
+	TLS_RSA_WITH_AES_256_CBC_SHA256,
+	TLS_DH_DSS_WITH_AES_128_CBC_SHA256,
+	TLS_DH_RSA_WITH_AES_128_CBC_SHA256,
+	TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
+	TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
+	TLS_DH_DSS_WITH_AES_256_CBC_SHA256,
+	TLS_DH_RSA_WITH_AES_256_CBC_SHA256,
+	TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
+	TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
+	TLS_DH_ANON_WITH_AES_128_CBC_SHA256,
+	TLS_DH_ANON_WITH_AES_256_CBC_SHA256,
+	TLS_PSK_WITH_AES_128_CBC_SHA,
+	TLS_PSK_WITH_AES_256_CBC_SHA,
+	TLS_DHE_PSK_WITH_AES_128_CBC_SHA,
+	TLS_DHE_PSK_WITH_AES_256_CBC_SHA,
+	TLS_RSA_PSK_WITH_AES_128_CBC_SHA,
+	TLS_RSA_PSK_WITH_AES_256_CBC_SHA,
+	TLS_RSA_WITH_AES_128_GCM_SHA256,
+	TLS_RSA_WITH_AES_256_GCM_SHA384,
+	TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
+	TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
+	TLS_DH_RSA_WITH_AES_128_GCM_SHA256,
+	TLS_DH_RSA_WITH_AES_256_GCM_SHA384,
+	TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
+	TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
+	TLS_DH_DSS_WITH_AES_128_GCM_SHA256,
+	TLS_DH_DSS_WITH_AES_256_GCM_SHA384,
+	TLS_DH_ANON_WITH_AES_128_GCM_SHA256,
+	TLS_DH_ANON_WITH_AES_256_GCM_SHA384,
+	TLS_PSK_WITH_AES_128_GCM_SHA256,
+	TLS_PSK_WITH_AES_256_GCM_SHA384,
+	TLS_DHE_PSK_WITH_AES_128_GCM_SHA256,
+	TLS_DHE_PSK_WITH_AES_256_GCM_SHA384,
+	TLS_RSA_PSK_WITH_AES_128_GCM_SHA256,
+	TLS_RSA_PSK_WITH_AES_256_GCM_SHA384,
+	TLS_PSK_WITH_AES_128_CBC_SHA256,
+	TLS_PSK_WITH_AES_256_CBC_SHA384,
+	TLS_DHE_PSK_WITH_AES_128_CBC_SHA256,
+	TLS_DHE_PSK_WITH_AES_256_CBC_SHA384,
+	TLS_RSA_PSK_WITH_AES_128_CBC_SHA256,
+	TLS_RSA_PSK_WITH_AES_256_CBC_SHA384,
+	TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
+	TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
+	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+	TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
+	TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
+	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+	TLS_ECDH_ANON_WITH_AES_128_CBC_SHA,
+	TLS_ECDH_ANON_WITH_AES_256_CBC_SHA,
+	TLS_SRP_SHA_WITH_AES_128_CBC_SHA,
+	TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA,
+	TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA,
+	TLS_SRP_SHA_WITH_AES_256_CBC_SHA,
+	TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA,
+	TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA,
+	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
+	TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
+	TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
+	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
+	TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
+	TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
+	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+	TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+	TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
+	TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
+	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+	TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
+	TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
+	TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA,
+	TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA,
+	TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256,
+	TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384,
 };
diff --git a/policy/ssl.bro b/policy/ssl.bro
index 216abb2d10..6a347a14cc 100644
--- a/policy/ssl.bro
+++ b/policy/ssl.bro
@@ -85,29 +85,28 @@ const myWeakCiphers: set[count] = {
 	SSLv20_CK_RC2_128_CBC_EXPORT40_WITH_MD5,
 	SSLv20_CK_DES_64_CBC_WITH_MD5,
 
-	SSLv3x_NULL_WITH_NULL_NULL,
-	SSLv3x_RSA_WITH_NULL_MD5,
-	SSLv3x_RSA_WITH_NULL_SHA,
-	SSLv3x_RSA_EXPORT_WITH_RC4_40_MD5,
-	SSLv3x_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
-	SSLv3x_RSA_EXPORT_WITH_DES40_CBC_SHA,
-	SSLv3x_RSA_WITH_DES_CBC_SHA,
+	TLS_NULL_WITH_NULL_NULL,
+	TLS_RSA_WITH_NULL_MD5,
+	TLS_RSA_WITH_NULL_SHA,
+	TLS_RSA_EXPORT_WITH_RC4_40_MD5,
+	TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
+	TLS_RSA_EXPORT_WITH_DES40_CBC_SHA,
+	TLS_RSA_WITH_DES_CBC_SHA,
 
-	SSLv3x_DH_DSS_EXPORT_WITH_DES40_CBC_SHA,
-	SSLv3x_DH_DSS_WITH_DES_CBC_SHA,
-	SSLv3x_DH_RSA_EXPORT_WITH_DES40_CBC_SHA,
-	SSLv3x_DH_RSA_WITH_DES_CBC_SHA,
-	SSLv3x_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
-	SSLv3x_DHE_DSS_WITH_DES_CBC_SHA,
-	SSLv3x_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
-	SSLv3x_DHE_RSA_WITH_DES_CBC_SHA,
+	TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA,
+	TLS_DH_DSS_WITH_DES_CBC_SHA,
+	TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA,
+	TLS_DH_RSA_WITH_DES_CBC_SHA,
+	TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
+	TLS_DHE_DSS_WITH_DES_CBC_SHA,
+	TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
+	TLS_DHE_RSA_WITH_DES_CBC_SHA,
 
-	SSLv3x_DH_anon_EXPORT_WITH_RC4_40_MD5,
-	SSLv3x_DH_anon_WITH_RC4_128_MD5,
-	SSLv3x_DH_anon_EXPORT_WITH_DES40_CBC_SHA,
-	SSLv3x_DH_anon_WITH_DES_CBC_SHA,
-	SSLv3x_DH_anon_WITH_3DES_EDE_CBC_SHA,
-	SSLv3x_FORTEZZA_KEA_WITH_NULL_SHA
+	TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5,
+	TLS_DH_ANON_WITH_RC4_128_MD5,
+	TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA,
+	TLS_DH_ANON_WITH_DES_CBC_SHA,
+	TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA,
 };
 
 const x509_ignore_errors: set[int] = {
diff --git a/policy/time-machine/Makefile.am b/policy/time-machine/Makefile.am
deleted file mode 100644
index 49f18b7c72..0000000000
--- a/policy/time-machine/Makefile.am
+++ /dev/null
@@ -1,7 +0,0 @@
-## Process this file with automake to produce Makefile.in
-
-tmdir=${datadir}/bro/time-machine
-dist_tm_DATA = \
-	time-machine.bro tm-capture.bro tm-class.bro tm-contents.bro \
-	tm-ftp.bro tm-gap.bro tm-http.bro
-
diff --git a/policy/vlan.bro b/policy/vlan.bro
deleted file mode 100644
index 82fcb75af8..0000000000
--- a/policy/vlan.bro
+++ /dev/null
@@ -1,5 +0,0 @@
-# $Id: vlan.bro 416 2004-09-17 03:52:28Z vern $
-
-redef restrict_filters += { ["vlan"] = "vlan" };
-
-redef encap_hdr_size = 4;
diff --git a/scripts/IP4.pm b/scripts/IP4.pm
deleted file mode 100644
index e920fc8902..0000000000
--- a/scripts/IP4.pm
+++ /dev/null
@@ -1,150 +0,0 @@
-package IP4;
-
-use Exporter;
-@ISA = ('Exporter');
-@EXPORT = ( 'getIPFromString',
-	    'getStringFromIP',
-	    'getMaskFromPrefix',
-	    'getPrefixFromMask',
-	    'isPartOf',
-	    'aggregateSinglesTo'
-            );
-
-use strict;
-my $DEBUG = 0;
-
-sub getIPFromString{
-    my ($net) = @_;
-    my @octets = split (/\./, $net);
-
-    #check ip!
-    foreach my $oct (@octets){
-	if ($oct!~/\d+/ || $oct<0 || $oct > 255){return 0;}
-    }
-
-    my $ip=0;
-    for (my $i = 0; $i < 4; $i++){
-	$ip |= $octets[$i] << ((3-$i)*8);
-    }
-    return $ip;
-}
-
-sub getStringFromIP{
-    my ($net) = @_;
-    my @octets;
-    my $bitmask=0xff;
-    for (my $i = 0; $i<4; $i++){
-	$octets[$i] = ($net & $bitmask);
-	$net >>= 8;
-    }
-    return "$octets[3].$octets[2].$octets[1].$octets[0]";
-}
-
-sub getMaskFromPrefix{
-    my ($pre) = @_;
-
-    #check prefix!
-    if ($pre!~/\d+/ || $pre < 0 || $pre > 32){return 0;}
-
-    my $mask=0;
-    for (my $i = 0; $i < $pre; $i++){
-	$mask |= 1 << (31-$i);
-    }
-    return $mask;
-}
-
-sub getPrefixFromMask{
-    my ($mask) = @_;
-    if ($mask == 0){return 0}; #special case, we would loop forever with this:
-    my $prefix;
-    for ($prefix = 32; !($mask & 1); $prefix--){
-	$mask >>= 1;
-    }
-    return $prefix;
-}
-
-sub isPartOf{
-    my ($iip, $imask, $oip, $omask) = @_;
-    if ($omask > $imask){return 0;} 
-    #if the net which should contain the other is 
-    #smaller we did something wrong!
-
-    return ( (($oip ^ $iip) & $omask) == 0 );
-} 
-
-sub aggregateSinglesTo{
-    #paramters: 
-    #1. reference to array of addresses (will be changed!)
-    #2. refernce to array of masks (will be deleted and changed)
-    #3. max Bits to aggregate to.
-
-    my ($addr, $masks, $bitlimit) = @_;
-    $bitlimit = 32-$bitlimit; #the way it will be used we'll need the inverse 
-    @$addr = sort{$a<=>$b}(@$addr) or return 0;
-    @$masks = ();
-    my $fullmask = getMaskFromPrefix(32);
-    foreach my $dummy (@$addr){push(@$masks, $fullmask);}
-    if ($DEBUG){
-	print STDERR "sorted list before aggregating\n";
-	print STDERR join(" ", map(getStringFromIP($_), @$addr));
-	print STDERR "\n";
-    }
-
-	for (my $i = 0;
-	     $i < (scalar(@$addr) - 1);
-	     $i ++)
-	{
-	    my $lip = $addr->[$i];
-	    my $lmask = $masks->[$i];
-	    my $hip = $addr->[$i + 1];
-	    my $hmask = $masks->[$i + 1];
-
-	    if (isPartOf($hip, $hmask, $lip, $lmask)) { #parameter: (inner, outer)
-		if ($DEBUG){
-		    printf STDERR ("removing %s/%s since it is contained in %s/%s ", 
-				   getStringFromIP($hip), getPrefixFromMask($hmask), 
-				   getStringFromIP($lip), getPrefixFromMask($lmask) );
-		}
-		splice(@$addr, $i + 1, 1);
-		splice(@$masks, $i + 1, 1);
-		-- $i;
-	    }else{
-		my $nb = $lip;
-
-		$nb ^= $hip; #look for first non-matching bit!
-		my $firstdiff=0;
-		while ($nb > 0){
-		    $firstdiff++;
-		    $nb >>= 1;
-		}
-		if ($firstdiff <= $bitlimit){
-		    if ($DEBUG){print STDERR "$firstdiff : ";}
-		    while($firstdiff>0){
-			$firstdiff--;
-			$nb <<= 1;
-			$nb += 1;
-		    }
-		    
-		    my $nm = ~$nb; #negate to get the new (joint) mask
-		    my $na = $lip & $nm;
-		    $addr->[$i] = $na;
-		    $masks->[$i] = $nm;
-		    if ($DEBUG){
-			printf STDERR ("%s to %s/%s (aggregating %s)\n", 
-				       getStringFromIP($lip), getStringFromIP($addr->[$i]), 
-				       getPrefixFromMask($masks->[$i]), getStringFromIP($hip));
-		    }
-		    splice(@$addr, $i + 1, 1);
-		    $i--; #do with the same address again. perhaps it collects even more
-		}
-	    }
-	}
-    if ($DEBUG){
-	print STDERR "sorted list after aggregation\n";
-	print STDERR join(" ", map(getStringFromIP($_), @$addr));
-	print STDERR "\n";
-    }
-    return 1;
-}
-
-1;
diff --git a/scripts/Makefile.am b/scripts/Makefile.am
deleted file mode 100644
index c898010557..0000000000
--- a/scripts/Makefile.am
+++ /dev/null
@@ -1,167 +0,0 @@
-## Process this file with automake to produce Makefile.in
-
-bro_bin		= ${prefix}/bin
-bro_logs	= ${prefix}/logs
-bro_etc		= ${prefix}/etc
-bro_site	= ${prefix}/site
-bro_scripts	= ${prefix}/scripts
-bro_reports	= ${prefix}/reports
-bro_perlmods	= ${prefix}/perl
-
-# where to download signatures from.
-SIGHOST=www.bro-ids.org
-
-# whats our name ..
-brohost = @BROHOST@
-
-SUBDIRS = s2b
-
-# these files need to be in the distribution
-EXTRA_DIST = bro.cfg.example  bro_config.in  alert_scores  bro.rc.in \
-	bro.rc-hooks.sh  bro_log_compress.sh  install_cron.sh \
-	local.site.bro.default  localnetMAC.pl.in \
-	mail_notice.sh  mail_reports.sh \
-	make-ftp-safe-vocabulary.awk  IP4.pm signature_scores \
-	perl local.lite.bro \
-	alert_scores signature_scores \
-	bro_log_compress.sh \
-	frontend-mail-reports.sh frontend-site-report.sh push_logs.sh mail_notice.sh
-
-# this cleans up some genereated files
-MOSTLYCLEAN = bro.rc bro.cfg bro_config intern.bro bro_user_id bro_user_id.bak \
-			  localnetMAC.pl local.site.bro
-
-scoredir=$(prefix)/etc
-scriptsdir=$(prefix)/scripts
-
-# just update dist files, not the site file
-# and ask me no questions, I'll tell you no ..
-update: 
-	$(MAKE) install_default_files
-
-# install brolite
-install-brolite: 
-	- $(INSTALL) -d /usr/local/etc/rc.d/
-	$(MAKE) create_dirs
-	
-	$(INSTALL) $(srcdir)/alert_scores $(scoredir)/alert_scores
-	$(INSTALL) $(srcdir)/signature_scores $(scoredir)/signature_scores
-	$(INSTALL) $(srcdir)/bro_log_compress.sh  $(bro_scripts)/bro_log_compress.sh
-	$(INSTALL) $(srcdir)/frontend-mail-reports.sh  $(bro_scripts)/frontend-mail-reports.sh
-	$(INSTALL) $(srcdir)/frontend-site-report.sh  $(bro_scripts)/frontend-site-report.sh
-	$(INSTALL) $(srcdir)/push_logs.sh  $(bro_scripts)/push_logs.sh
-	$(INSTALL) $(srcdir)/mail_notice.sh $(bro_scripts)/mail_notice.sh
-	$(INSTALL) $(srcdir)/s2b/example_bro_files/signatures.sig $(prefix)/site
-	$(INSTALL) $(srcdir)/s2b/bro-include/sig-addendum.sig $(datadir)/bro
-	$(INSTALL) $(srcdir)/s2b/bro-include/sig-functions.bro $(datadir)/bro
-	$(INSTALL) $(srcdir)/s2b/example_bro_files/sig-action.bro $(datadir)/bro
-
-# install perl libraries and executables
-install_perl_scripts:
-	@if ! ${PERL} -e 'exit ($] >= 5.006001)' > /dev/null 2>&1; then \
-		(cd perl && $(PERL) Makefile.PL INSTALLSCRIPT=$(bro_scripts) BROCONFIG=$(prefix)/etc/bro.cfg PREFIX=$(bro_perlmods); $(MAKE) ; $(MAKE) install) ; \
-	else \
-		echo "*************************************************" ; \
-		echo "* Need newer version of perl to install reports *" ; \
-		echo "*    and other supporting perl based tools.     *" ; \
-		echo "*************************************************" ; \
-	fi
-# clean up the mess we made
-uninstall-local:
-	rm -f $(bro_scripts)/mail_reports.sh
-	rm -f $(bro_scripts)/bro_log_compress.sh
-	rm -f $(bro_scripts)/bro_config
-	rm -f $(bro_etc)/bro.rc
-	rm -f $(bro_etc)/bro.cfg
-	rm -f $(bro_etc)/bro.cfg.example
-	rm -f $(prefix)/etc/bro.rc-hooks.sh
-	rm -f  $(prefix)/site/local.site.bro
-	rm -f  $(prefix)/site/${brohost}.bro
-	$(srcdir)/install_cron.sh uninstall
-	-rm -f $(prefix)/etc/bro.rc-hooks.sh.new 
-	-rm -f /usr/local/etc/rc.d/bro.sh
-
-
-# install the stuff to do reports
-reports:
-	$(INSTALL) -d $(bro_scripts)
-	$(INSTALL) -d $(bro_etc)
-	(cd s2b && $(MAKE) all)
-	(cd s2b && $(MAKE) install)
-	@./bro_config
-	$(INSTALL_DATA) bro.cfg  $(bro_etc)/bro.cfg
-	$(INSTALL) $(srcdir)/mail_reports.sh $(bro_scripts)/mail_reports.sh
-	$(INSTALL) $(srcdir)/bro_log_compress.sh $(bro_scripts)/bro_log_compress.sh
-	$(INSTALL) $(srcdir)/frontend-mail-reports.sh $(bro_scripts)/frontend-mail-reports.sh
-	$(INSTALL) $(srcdir)/frontend-site-report.sh $(bro_scripts)/frontend-site-report.sh
-	$(INSTALL) $(srcdir)/push_logs.sh  $(bro_scripts)/push_logs.sh
-	$(MAKE) install_perl_scripts
-
-# update the signature file in $BROHOME/site, don't clobber it!
-update-sigs:
-	@echo "Getting signature file from $(SIGHOST)" 
-	- wget http://$(SIGHOST)/download/signatures.sig -O signatures.sig.new  -o /dev/null 
-	@if [ ! -s signatures.sig.new ] ; then \
-		echo "Error in download. Try again later." ; \
-	else \
-		if [ ! -f $(prefix)/site/signatures.sig ] ; then  \
-			echo "No previous version, installing new version." ; \
-			cp signatures.sig.new $(prefix)/site/signatures.sig ; \
-		else \
-			cp signatures.sig.new $(prefix)/site/signatures.sig.new ; \
-			echo "***********************************************************" ; \
-			echo "A new signature file (signatures.sig.new) has been placed in" ; \
-			echo "$(prefix)/site. Please compare it to your current signatures.sig " ; \
-			echo "and copy it over if there are no significant differences." ; \
-			echo "***********************************************************" ; \
-		fi \
-	fi
-		
-create_dirs:
-	- $(INSTALL) -d $(bro_bin)
-	$(INSTALL) -d $(bro_etc)
-	$(INSTALL) -d $(bro_logs)
-	$(INSTALL) -d $(bro_site)
-	$(INSTALL) -d $(bro_scripts)
-	$(INSTALL) -d $(bro_reports)
-
-# these are files that SHOULD NOT be updated and are site specific
-install_local_files:
-	@if [ ! -f ${bro_site}/local.site.bro ] ; then                \
-		echo "Installing local.site.bro ..." ;                           \
-		if [ ! -f local.site.bro ]; then                      \
-			$(INSTALL_DATA) local.site.bro.default $(bro_site)/local.site.bro ; \
-		else \
-			$(INSTALL_DATA) local.site.bro $(bro_site)/local.site.bro ; \
-		fi \
-	else \
-		if [ -f local.site.bro ]; then                      \
-			$(INSTALL_DATA) local.site.bro $(bro_site)/local.site.bro.new ; \
-		fi \
-	fi
-	@if [ ! -f ${bro_site}/${brohost}.bro ] ; then                 \
-		echo "Installing ${brohost}.bro ..." ;                             \
-		$(INSTALL_DATA) $(srcdir)/local.lite.bro $(bro_site)/${brohost}.bro ;   \
-	else \
-		$(INSTALL_DATA) $(srcdir)/local.lite.bro $(bro_site)/${brohost}.bro.new ;   \
-	fi
-	@if [ ! -f $(prefix)/etc/bro.rc-hooks.sh ] ; then              \
-		$(INSTALL_DATA) $(srcdir)/bro.rc-hooks.sh $(prefix)/etc/bro.rc-hooks.sh ;   \
-	else \
-		$(INSTALL_DATA) $(srcdir)/bro.rc-hooks.sh $(prefix)/etc/bro.rc-hooks.sh.new ; \
-	fi
-
-# Default files that can be installed/reinstalled, not site specific
-install_default_files:
-	$(INSTALL) $(srcdir)/mail_reports.sh $(bro_scripts)/mail_reports.sh
-	$(INSTALL) bro.rc $(prefix)/etc/bro.rc
-	$(INSTALL) bro_config  $(prefix)/scripts/bro_config
-	-$(INSTALL_DATA) bro.cfg  $(bro_etc)/bro.cfg
-	$(INSTALL_DATA) $(srcdir)/bro.cfg.example $(bro_etc)/bro.cfg.example
-	- $(INSTALL) bro.rc /usr/local/etc/rc.d/bro.sh
-	(cd s2b ; $(MAKE) install)
-
-# install cron file
-install_cron:
-	$(srcdir)/install_cron.sh install
-
diff --git a/scripts/README b/scripts/README
deleted file mode 100644
index b51a02af21..0000000000
--- a/scripts/README
+++ /dev/null
@@ -1,29 +0,0 @@
-
-This directory contains scripts to help configure and run bro.
-
-
-bro.cfg.in      This is the bro configuration file
-bro.cfg         This is the bro configuration file with all runtime values set
-
-localnetMAC.pl  Program to figure out your network topology based on a 
-                tcpdump input file.
-IP4.pm          Helper perl module for localnetMac.
-
-brolite.bro     This is the default policy file
-bro.rc	        This is the start/stop script, with all runtime values set
-bro.rc-hooks.sh User level interface into the start and stop events in bro.rc
-bro.rc.in       This si the raw start stop script
-bro_config      This is the script run at 'make install' that sets the 
-                values in bro.cfg
-
-bro_config.in   Raw bro_config script, before pre-processing
-bro.cfg.example Example file of what bro.cfg should look like
-
-intern.bro.default 
-               This is an example of what intern.bro should look like.
-
-mail_reports.sh
-               Shell script to email out reports
-
-make-ftp-safe-vocabulary.awk
-
diff --git a/scripts/alert_scores b/scripts/alert_scores
deleted file mode 100644
index bb2eadf4de..0000000000
--- a/scripts/alert_scores
+++ /dev/null
@@ -1,37 +0,0 @@
-# DESCRIPTION:
-# 
-# This file is used by the report generator to assign scores to
-# certain types of alerts.  Use this file to increase the likelyhood
-# that a certain type of alarm is successful.  The scores listed
-# in this file will be added to any scores derived by the report
-# generator.  The format is -> ALERT_TYPE<white space>SCORE
-#
-# The score derived by the report generator is influenced by certain
-# traffic patterns.  If an alarm is generated and a connection is
-# seen coming from the victim host back to the suspect host this will
-# drive the score past the $ALARM_THRESHOLD.  Also an alarm generated by
-# a host from the internal network will likely produce a score higher
-# than the $ALARM_THRESHOLD.  This functionality only affects alarms
-# which produce an incident.
-#
-# EXAMPLE:
-# Lets assume you have created a custom alert type of 
-# "Employee_Did_Something_Bad".  Lets also assume that this alarm
-# is triggered only under certain conditions and you know the alarm is
-# always correct or of great interest.  To make this always show up in
-# the report set the score to something equal to or higher than the
-# $ALARM_THRESHOLD (default: 100).
-#
-# NOTES:
-#
-# The only alert type that cannot be given a score is
-# "SensitiveSignature".  Instead signatures are given their own
-# scores specified in their meta-data. (still in the works)
-#
-
-TRWAddressSca          40
-WeirdActivit           1
-PortScan               20 
-PasswordGuessing       60
-MultipleSignature      20
-_DEFAULT_              0
diff --git a/scripts/bro.cfg.example b/scripts/bro.cfg.example
deleted file mode 100644
index 8bef983163..0000000000
--- a/scripts/bro.cfg.example
+++ /dev/null
@@ -1,161 +0,0 @@
-# Source file config for running bro
-
-# On a linux system this file will normally exist in /etc/sysconfig
-# and will have the same filename as the RC start script which calls it.
-
-# On a FreeBSD machine this file will normally reside in /usr/local/etc
-# and will have the same filename as the RC start script which calls it.
-
-# The following variables are exported and needed by Bro at runtime
-# These are mostly undocumented. arrrrrr!!!!!!
-# BROLOGS
-# BROHOME
-# BROPATH
-
-# host only format
-BRO_HOSTNAME=`hostname | awk -F. ' { print  } '`
-# FQDN format
-# HOSTNAME=`hostname`
-
-# Directory containing Bro binaries
-BRO_BIN_DIR="${BROHOME}/bin"
-
-# Filename of the Bro start policy
-# START_POLICY="default.bro"
-BRO_START_POLICY="localhost.bro"
-
-# Directory containing Bro logs
-BROLOGS="${BROHOME}/logs"
-export BROLOGS
-
-# Log archive directory
-BRO_LOG_ARCHIVE="${BROHOME}/archive"
-
-# Directory containing Bro signature files
-BRO_SIG_DIR="${BROHOME}/site"
-
-# Bro policy paths
-BROPATH="${BROHOME}/share/bro/site:${BROHOME}/share/bro:${BROHOME}/share/bro/sigs:${BROHOME}/share/bro/time-machine"
-export BROPATH
-
-# Location of site specific policy and configurations
-BROSITE="${BROHOME}/site"
-
-# Location of host specific policy and configurations
-BROHOST="${BROHOME}/host"
-
-# A prefix to use when looking for local policy files to load.
-# BRO_PREFIX="local"
-
-# Location of the Bro executable
-BRO="${BRO_BIN_DIR}/bro"
-
-# Base command line options.
-BRO_ADD_OPTS=" -W"
-# Turn on Bro's Watchdog feature
-BRO_OPTS="${BRO_ADD_OPTS}"
-
-# Interface name to listen on.  The default is to use the busiest one found.
-BRO_CAPTURE_INTERFACE=""
-# Multiple interface should be specified as a space delimited list.
-# Examples: 
-#   CAPTURE_INTERFACE="sk0 sk1 sk5"
-#   CAPTURE_INTERFACE="eth0 eth3"
-#   CAPTURE_INTERFACE="eth0"
-
-# If set to YES and there are any signature files ending with .bro in $SIG_DIR
-# then they will be started with bro.  Set to NO to disable signatures
-# Set to YES to enable bro to run with 'signature matching' on (YES/NO)
-BRO_USE_SIGNATURES=YES
-
-# Shoud a trace (tcpdump) file be created in the log directory (YES/NO)
-BRO_CREATE_TRACE_FILE=NO
-
-# How long to wait during checkpointing after startin a new Bro process and
-# stopping the old one.  This value is in seconds
-BRO_CHECKPOINT_OVERLAP_TIME=20
-
-# Starting time for a report run (0001 is 12:01 am and 1201 is 12:01pm)
-BRO_REPORT_START_TIME=0010
-
-# How often (in hours) to generate an activity report
-BRO_REPORT_INTERVAL=24
-
-# This is the how often to rotate the logs (in hours)
-BRO_LOG_ROTATE_INTERVAL=24
-
-# This is the how often to restart bro (in hours)
-BRO_CHECKPOINT_INTERVAL=24
-
-# The maximum time allowed for a Bro process to cleanup and exit
-# This value is in seconds
-BRO_MAX_SHUTDOWN_TIME=$(( 60 * 60 * 2 ))    # 2 hours
-
-# Use this to enable the init script to autorestart Bro in the event of an
-# unexpected shutdown.  The value should be YES or NO
-BRO_ENABLE_AUTORESTART="YES"
-
-# A value less than 1 means there will be no limit to the number of restarts
-# Maximum times to try to auto-restart Bro before giving up.
-BRO_MAX_RESTART_ATTEMPTS=-1
-
-# Location of the run-time variable directory.  This is normally /var/run/bro
-# and contains the pidfile and other temporal data. 
-BRO_RUNTIME_DIR=""
-
-# Email address for local reports to be mailed to
-BRO_EMAIL_LOCAL="bro@localhost"
-
-# Email address to send from
-BRO_EMAIL_FROM="bro@localhost"
-
-# Do you want to send external reports to a incident reporting org (e.g.: CERT, CIAC, etc)
-BRO_EMAIL_EXTERNAL="NO"
-
-# Email address for remote reports to be mailed to
-BRO_EMAIL_REMOTE="BRO-IDS@bro-ids.org"
-
-# User id to install and run Bro under
-BRO_USER_ID="bro"
-
-# Site name for reports (i.e. LBNL, FOO.COM, BAZ.ORG)
-BRO_SITE_NAME=""
-
-# Do you want to encrypt email reports (YES/NO)
-BRO_ENCRYPT_EMAIL="NO"
-
-# Location of GPG binary or encrypting email
-BRO_GPG_BIN="/usr/local/bin/gpg"
-
-# Default BPF buffer
-BRO_BPF_BUFSIZE=4194304
-
-# Do BPF bonding
-BRO_BPFBOND_ENABLE="NO"
-# Interfaces to bond
-BRO_BPFBOND_FLAGS="em0 em1"
-
-# diskspace management settings
-# Should I manage diskspace
-BRO_DISKSPACE_ENABLE="YES"
-# percent full to worry about
-BRO_DISKSPACE_PCT=90
-# account watching disk space
-BRO_DISKSPACE_WATCHER="root"
-# days before deleting old logs
-BRO_DAYS_2_DELETION=45
-# days before compressing logs
-BRO_DAYS_2_COMPRESSION=20
-
-# Bulk data capture settings
-# Buld data directory
-BRO_BULK_DIR="${BROHOME}/bulk-trace"
-# Capture filter for bulk data
-BRO_BULK_CAPTURE_FILTER=""
-# days before deleting bulk data
-BRO_BULK_DAYS_2_DELETION=4
-# days before compressing bulk data
-BRO_BULK_DAYS_2_COMPRESSION=2
-# location of sorted log files, needed by Brooery
-BROOERY_LOGS="${BROHOME}/sorted-logs"
-
diff --git a/scripts/bro.rc-hooks.sh b/scripts/bro.rc-hooks.sh
deleted file mode 100644
index ca8d74febd..0000000000
--- a/scripts/bro.rc-hooks.sh
+++ /dev/null
@@ -1,57 +0,0 @@
-
-# $Id: bro.rc-hooks.sh 555 2004-10-22 07:48:30Z rwinslow $
-
-# This script is called by bro.rc at various points during the starting
-# and stopping of Bro.  This is presented as an interface into the start
-# and stop process so that customizations can be made.  Some simple
-# examples are given as defaults.
-
-# As these functions are within the same scope as bro.rc it is possible
-# to alter variables that bro.rc needs to run properly.  It is HIGHLY
-# recommended that this not be done.  If you do it don't ask why it broke
-# because you were already warned.
-
-# These functions should always return true so that bro.rc can complete
-# and exit normally.  If these fail to always return unexpected results
-# may occur.
-
-# Variables which are intended to be available to this script.
-# These are in addition to normal variables in bro.cfg
-# LOG_SUFFIX="string"
-# PID="integer"
-# EXIT_CODE="POSIX exit codes"
-# ERROR_MESSAGE="string"
-# AUTO_RESTART="t|f"
-# START_TIME=`date`
-# END_TIME=`date`
-
-
-post_start_hook() {
-	# Exit code should not be set at this point.  If it is there's a problem.
-	if [ "${EXIT_CODE}x" = 'x' ]; then
-		# example of a successful start
-		true
-	else
-		# example of a failed start
-		false
-	fi
-}
-
-
-post_exit_hook() {
-	if [ "${EXIT_CODE}x" = 'x' ]; then
-		# This was set to null on purpose when messages on exit relate to
-		# operations encountered by bro.rc and not the bro process itself
-		# An example may be notification that bro.rc was sent a TERM
-		# so it therefore shutdown the Bro process it was monitoring
-		true
-	elif [ "${EXIT_CODE}" = '0' ]; then
-		# Bro exited normally
-		true
-	else
-		# Bro failed unexpectedly
-		false
-	fi
-	
-}
-
diff --git a/scripts/bro.rc.in b/scripts/bro.rc.in
deleted file mode 100755
index 3d09b524b5..0000000000
--- a/scripts/bro.rc.in
+++ /dev/null
@@ -1,1098 +0,0 @@
-#!/bin/sh
-
-# $Id: bro.rc.in 4620 2007-07-09 21:23:52Z vern $
-#
-# Start script for running Bro.
-#
-# This will run one instance of Bro.  If there is a need to run more than one
-# instance at a time then copy this script to a new file and change the name
-# to something else.
-#
-# chkconfig: - 57 30
-#
-# description: Bro is a highly customizable intrusion detection system \
-#	developed at Lawrence Berkeley National Labs.
-# processname: bro
-# pidfile: /var/run/bro-lite/pid
-# config: /etc/sysconfig/bro-lite
-#
-# Written by Roger Winslow rwinslow@lbl.gov
-
-# Variables which are exported on a startup and needed by Bro
-# This variable used to be called BRO_ID
-# BRO_LOG_SUFFIX
-
-# For tasks to complete before and after Bro starts please edit the following
-# scripts to suit your needs.  For those of you familiar with dhclient this
-# uses the same idea.
-#  Before Bro starts $BROHOME/etc/bro.rc-hooks.sh
-
-# See the bottom of this script for an explanation of how this all works.
-# I'll try my best to be clear....
-
-prog="bro.rc"
-
-RETVAL=0
-
-# picked up from configure at install time
-BROHOME="@prefix@"
-export BROHOME
-
-# Set the environment.
-source_config="${BROHOME}/etc/bro.cfg"
-
-# Location of bro-hooks.sh script
-bro_hooks="${BROHOME}/etc/bro.rc-hooks.sh"
-
-# Set the full path to this script as called
-if [ `echo ${0} | grep -E "^/"` ]; then
-	this_script="${0}"
-else
-	this_script="`pwd`/${0}"
-fi
-
-# Set the args as passed to this script
-cur_args="$*"
-
-# Load the source config
-if ! [ -f ${source_config} ] || ! . "${source_config}"; then
-	echo "${prog}: Unable to load the source config file at ${source_config}" >&2
-	exit 1
-fi
-
-# Source the bro_hooks script if exists and readable
-if ! [ -f "${bro_hooks}" ] || ! . "${bro_hooks}"; then
-	echo "${prog}: Unable to source the bro.rc-hooks.sh script at ${bro_hooks}" >&2
-fi
-
-syslog_cmd="logger"
-run_dir="${BRO_RUNTIME_DIR}"
-pidfile="${run_dir}/pid"
-start_time_file="${run_dir}/start_time"
-active_log_file="${BROLOGS}/active_log"
-autorestart_file="${run_dir}/autorestart"
-alternate_user_id=${BRO_USER_ID}
-renice_checkpoint_level=15
-time_between_restarts=2
-minimum_mortality_time=60
-
-# Setting DEBUG to 1 will prevent the following
- # forking of the Bro process into the background
- # any autorestart features
- # any bro.rc-hooks.sh functions
- # writing of data to $BRO_RUNTIME_DIR
- # redirection of STDERR and STDOUT to the info file
-DEBUG=0
-
-# Export a few items that Bro needs to run
-export BROLOGS
-export BROPATH
-export BROHOME
-export PATH="${BROHOME}/bro/bin:${BROHOME}/bro/scripts:/usr/local/bin:/usr/local/sbin:${PATH}" 
-
-# Make sure that the $BRO_RUNTIME_DIR exists and is writtable
-if [ ! -d "${BRO_RUNTIME_DIR}" ]; then
-	mkdir "${BRO_RUNTIME_DIR}"
-	if [ "$?" != "0" ]; then
-		echo "${prog}: Failed to create the runtime directory at ${BRO_RUNTIME_DIR}" >&2
-		echo "${prog}: Unable to continue" >&2
-		exit 1
-	fi
-
-	if [ "${alternate_user_id}x" != "x" ] && [ "${alternate_user_id}" != "${USER}" ]; then
-		chown ${alternate_user_id} "${BRO_RUNTIME_DIR}"
-		if [ "$?" != "0" ]; then
-			echo "${prog}: Failed to change owner on runtime directory ${BRO_RUNTIME_DIR}" >&2
-			echo "${prog}: Unable to continue" >&2
-			exit 1
-		fi
-	fi
-fi
-
-start() {
-	# Make a few sanity checks
-	# Make sure the BROLOGS directory is writeable
-	if [ ! -d ${BROLOGS} ] || [ ! -w ${BROLOGS} ]; then
-		echo "${prog}: BROLOGS directory at ${BROLOGS} is not writable." >&2
-		echo "${prog}: Unable to continue" >&2
-		exit 1
-	fi
-
-	# Check to make sure that the Bro executable is at least --x
-	if [ ! -x "${BRO}" ]; then
-		echo "${prog}: Unable to execute the bro binary at ${BRO}" >&2
-		echo "${prog}: Unable to continue" >&2
-		exit 1
-	fi
-
-	# Check to make sure that bro is not already running
-	local pid
-	if [ -f "${pidfile}" ]; then
-		pid=`cat "${pidfile}"`
-
-		if [ "${pid}x" = "x" ]; then
-			cleanup
-		else
-			local _is_running
-			pidisrunning ${pid} "${BRO}"
-			_is_running=$?
-			if [ "${_is_running}" != "0" ]; then
-				cleanup
-			else
-				echo "${prog}: already running with a pid of ${pid}"
-				# errno code for EEXIST = 17
-				return 17
-			fi
-		fi
-	fi
-
-	# Check to make sure that a start policy has been specified
-	if [ "${BRO_START_POLICY}x" = "x" ]; then
-		echo "${prog}: No start policy file specified." >&2
-		echo "${prog}: Unable to continue" >&2
-		return 1
-	fi
-
-	# Change to the BROLOGS directory
-	local _did_cd
-	cd "${BROLOGS}"
-	_did_cd=$?
-
-	if [ "${_did_cd}" != "0" ]; then
-		echo "${prog}: Failed to change to BROLOGS directory at ${BROLOGS}" >&2
-		echo "${prog}: Unable to continue" >&2
-		return 1
-	fi
-
-	# Start Bro
-	local _start_result
-	echo -n "${prog}: Starting "
-
-	# What type of start should be performed
-	if [ "${DEBUG}" = '1' ]; then
-		startbro
-		return
-	elif [ "${AUTO_RESTART}" = 't' ]; then
-		autorestart &
-	else
-		startbro &
-	fi
-
-	sleep 1
-	_start_result=$?
-
-	# Check the return code to see if it started
-	local _failed_check_count
-	_failed_check_count=0
-	if [ "${_start_result}" = '0' ] || [ "${_start_result}x" = 'x' ]; then
-	local _loop_count
-	_loop_count=0
-		while [ ${_loop_count} -lt 12 ]
-		do
-			_loop_count=$(( ${_loop_count} + 1 ))
-			echo -n '.'
-
-			# Sometimes the result from the fork takes a few seconds
-			# Check if was not set yet
-			if [ "${_start_result}x" = 'x' ]; then
-				_start_result=$?
-
-				if [ "${_start_result}x" != 'x' ] && [ "${_start_result}" != '0' ]; then
-					break
-				fi
-			else
-				# Use the status function to see if Bro is still up
-				local _status_result
-				status 2>/dev/null >/dev/null
-				_status_result=$?
-
-				if [ "${_status_result}" != '0' ] || [ "${_start_result}" != '0' ]; then
-					_failed_check_count=$(( ${_failed_check_count} + 1 ))
-					if [ ${_failed_check_count} -gt 11 ]; then
-						_start_result=1
-						break
-					fi
-				fi
-			fi
-			sleep 1
-		done
-	fi
-
-	if [ "${_start_result}" = '0' ]; then
-		echo ". SUCCESS"
-	else
-		echo ". FAILED"
-	fi
-
-	return ${_start_result}
-}
-
-startbro() {
-
-	local cur_date
-	local _already_running
-	local trace_file
-	local cmd_opts
-	local basic_cmd_opts
-	cur_date=`date +%y-%m-%d_%H.%M.%S`
-	BRO_LOG_SUFFIX="${BRO_HOSTNAME}.${cur_date}"
-	export BRO_LOG_SUFFIX
-	trace_file="${BROLOGS}/trace.${BRO_LOG_SUFFIX}"
-	info_log="${BROLOGS}/info.${BRO_LOG_SUFFIX}"
-	cmd_opts="${BRO_OPTS}"
-
-	# Check if Bro is already running
-	status 2>/dev/null >/dev/null
-	_already_running=$?
-	if [ "${_already_running}" = '0' ]; then
-		return 17
-	fi
-
-	# Build the command line.
-	# Should a trace file be created
-	if [ "${BRO_CREATE_TRACE_FILE}" = 'YES' ] || [ "${BRO_CREATE_TRACE_FILE}" = 'yes' ]; then
-		cmd_opts="${cmd_opts} -w ${trace_file}"
-	fi
-
-	# If a specific interface to capture on is specified then add it in
-	# This is a space delimited list
-	if [ "${BRO_CAPTURE_INTERFACE}x" != 'x' ]; then
-		for _intf in ${BRO_CAPTURE_INTERFACE}
-		do
-			cmd_opts="${cmd_opts} -i ${_intf}"
-		done
-	fi
-
-	# Append the Bro policy which to start
-	if [ "${BRO_START_POLICY}x" != 'x' ]; then
-		cmd_opts="${cmd_opts} ${BRO_START_POLICY}"
-	else
-		echo "${prog}: No start policy file specified." >&2
-	fi
-
-	local new_pid
-	local bro_result
-	cd "${BROLOGS}"
-
-	# Check whether DEBUG is set.  If so then keep Bro attached to the shell
-	# and don't fork.
-	if [ "${DEBUG}" != '0' ]; then
-		"${BRO}" ${cmd_opts}
-		return
-	# Run bro.  Redirect STDERR and STDOUT to $info_log
-	else
-		"${BRO}" ${cmd_opts} 2>>"${info_log}" >>"${info_log}" &
-	fi
-
-	bro_result=$?
-	new_pid=$!
-
-	# Check the exit code returned by Bro
-	if [ "${bro_result}" = '0' ] || [ -z "${bro_result}" ]; then
-		local _loop_count
-		_loop_count=0
-		while [ ${_loop_count} -lt 10 ]
-		do
-			_loop_count=$(( ${_loop_count} + 1 ))
-			if [ -f "${info_log}" ]; then
-				if [ "`grep -E '^listening on' ${info_log}`x" != 'x' ]; then
-					break
-				fi
-			fi
-
-			# break now if the process returned a non-zero value
-			if [ "${bro_result}x" != 'x' ] && [ "${bro_result}" != '0' ]; then
-				break
-			fi
-			sleep 1
-		done
-	fi
-
-	# check to make sure that Bro actually started
-	if [ "${new_pid}x" = 'x' ] || [ "${bro_result}" != '0' ]; then
-		false
-	else
-		pidisrunning ${new_pid} "${BRO}"
-		_is_running=$?
-		if [ "${_is_running}" != '0' ]; then
-			bro_result=1
-		fi
-	fi
-
-	if [ "${bro_result}" != '0' ]; then
-		echo "${prog}: Failed to start Bro"
-		if [ -f "${info_log}" ] && [ -s "${info_log}" ]; then
-			cat "${info_log}"
-			ERROR_MESSAGE=`cat "${info_log}"`
-		else
-			ERROR_MESSAGE='Unknown error, no messages recieved on STDERR or STDOUT'
-		fi
-
-		# Call the post_start_hook function
-		LOG_SUFFIX="${BRO_LOG_SUFFIX}"
-		EXIT_CODE=${bro_result}
-
-		"${syslog_cmd}" -t "${prog}" "Bro has failed to start. ${ERROR_MESSAGE}"
-
-		post_start_hook
-
-		return ${bro_result}
-	else
-		"${syslog_cmd}" -t "${prog}" "Bro process (${new_pid}) has started"
-	fi
-
-	# Write the pid out to file
-	echo ${new_pid} > "${pidfile}"
-
-	# Write the active log suffix out to file
-	echo "${BRO_LOG_SUFFIX}" > "${active_log_file}"
-
-	# Write the start date out to file
-	local _start_time
-	_start_time=`date`
-	echo "${_start_time}" > "${start_time_file}"
-
-	# Write the auto-restart status out to file
-	if [ "${AUTO_RESTART}" = 't' ]; then
-		echo "ON" > "${autorestart_file}"
-	else
-		echo "OFF" > "${autorestart_file}"
-	fi
-
-	echo "Bro Version: `\"${BRO}\" -v 2>&1 | awk ' { print $3 } '`" >> "${info_log}"
-	echo "Started with the following command line options: ${cmd_opts}" >> "${info_log}"
-
-	# Get the BPF capture filter
-	local _print_filter
-	local _print_filter_result
-	# Strip out the trace file parameter if it exists
-	basic_cmd_opts=`removetraceopt "${cmd_opts}"`
-	_print_filter=`capturefilter "${basic_cmd_opts}"`
-	_print_filter_result=$?
-	if [ "${_print_filter_result}" = '0' ]; then
-		echo "Capture filter: ${_print_filter}" >> "${info_log}"
-	else
-		echo 'Capture filter: <not available>' >> "${info_log}"
-	fi
-
-	# Call the post_start_hook function
-	LOG_SUFFIX="${BRO_LOG_SUFFIX}"
-	PID=${new_pid}
-	EXIT_CODE=""
-	ERROR_MESSAGE=""
-	START_TIME="${_start_time}"
-	END_TIME=""
-
-	post_start_hook
-
-	local _exitwatch_result
-	exitwatch ${new_pid}
-	_exitwatch_result=$?
-
-	return ${_exitwatch_result}
-}
-
-autorestart() {
-
-	local _cur_restart_count
-	local _max_restart_count
-	local _called_from		# name of function that called autorestart if any
-	local _failed_first_start
-	local _start_res
-	local _minimum_life
-	_minimum_life=$(( `epochtime` + ${minimum_mortality_time} ))
-
-	_called_from="${1}"
-	_cur_restart_count=0
-	_max_restart_count=${BRO_MAX_RESTART_ATTEMPTS}
-
-	# If _max_restart_count is not defined or is less than 1 then
-	# this equats to no restart limit.
-	if [ "${_max_restart_count}x" = 'x' ] || [ ${_max_restart_count} -lt '1' ]; then
-		_cur_restart_count=-2
-		_max_restart_count=-1
-	fi
-
-	# loop and restart bro until told to exit
-	while [ ${_cur_restart_count} -lt ${_max_restart_count} ]
-	do
-		local _cur_epoch_time
-		# startbro will block until Bro exits
-		startbro
-		_start_res=$?
-
-		_cur_epoch_time="`epochtime`"
-
-		if [ "${_start_res}" = '0' ]; then
-			# Bro exited normally due to a planned stop
-			break
-		elif [ "${_start_res}" = '17' ]; then
-			echo "${prog}: Unable to begin autorestart.  Stop the running instance of Bro first." >&2
-			echo "${prog}: Unable to continue" >&2
-			break
-		elif [ ${_cur_epoch_time} -lt ${_minimum_life} ]; then
-			_failed_first_start=1
-			break
-		fi
-
-		# If _max_restart_count is greater than 0 increment _cur_restart_count
-		# otherwise don't because no restart limit has been set.
-		if [ ${_max_restart_count} -gt '0' ]; then
-			_cur_restart_count=$(( ${_cur_restart_count} + 1 ))
-		fi
-
-		sleep ${time_between_restarts}
-		"${syslog_cmd}" -t "${prog}" "Autorestarting Bro due to unexpected exit"
-	done
-
-	# Check why the loop exited
-	if ! [ ${_cur_restart_count} -lt ${_max_restart_count} ]; then
-		# Stop Bro, this will force a cleanup of the run-time directory
-		stopbro 2> /dev/null 1> /dev/null
-		EXIT_CODE=${_start_res}
-		ERROR_MESSAGE="Exceeded maximum autorestart count of ${BRO_MAX_RESTART_ATTEMPTS}. No further attempts will be made to restart Bro"
-		END_TIME=`date`
-
-		# Call the post_exit_hook to report the error
-		post_exit_hook
-
-		return 1
-	elif [ "${_failed_first_start}" = '1' ]; then
-		# Bro failed on the very first start and this was not during a checkpoint.
-		# No further restarts will be attempted.
-		"${syslog_cmd}" -t "${prog}" "Bro process failed on first start attempt.  No further restart attempts will be made."
-		EXIT_CODE=""
-		ERROR_MESSAGE="Failed on first start attempt.  No further restart attempts will be made."
-
-		# Call the post_exit_hook to report the error
-		post_exit_hook
-
-		return ${_start_res}
-	fi
-
-	return 0
-}
-
-
-stopbro() {
-	# Check to see if bro is running
-	local _pid
-	local _bro_is_running
-	local _status_result
-
-	status 2>/dev/null >/dev/null
-	_status_result=$?
-
-	if [ "${_status_result}" = '0' ]; then
-		# try and stop it
-		local _kill_result
-		echo -n "${prog}: Stopping "
-		_pid=`cat "${pidfile}"`
-		_bro_is_running="t"
-
-		cleanup
-		for _i in 1 2; do
-			echo -n '.'
-			sleep 1
-		done
-
-		kill -TERM ${_pid}
-		_kill_result=$?
-		if [ "${_kill_result}" = "0" ]; then
-			true
-		else
-			echo "${prog}: Failed to stop process with pid ${_pid}"
-			return 1
-		fi
-	else
-		_bro_is_running="f"
-		if [ -f "${pidfile}" ]; then
-			cleanup
-		fi
-	fi
-
-	if [ "${_bro_is_running}" = "f" ]; then
-		echo "${prog}: No running process to stop"
-		return 0
-	fi
-
-	# Now see if the process is still hanging around.
-	# Bro can stick around a long time as it writes out logs and writes it's
-	# state info to disk
-	local _is_dead
-	for _i in 1 2 3 4 5 6 7 8 9 10; do
-		_is_dead=""
-		pidisrunning ${_pid} "${BRO}"
-		_is_dead=$?
-		echo -n "."
-		if [ "${_is_dead}" != "0" ]; then
-			break
-		fi
-		sleep 1
-	done
-
-	if [ "${_is_dead}" != "0" ]; then
-		echo " SUCCESS !"
-
-	else
-		echo "${prog}: Process (${_pid}) has still not exited."
-		echo "${prog}: If it has not exited after ${BRO_MAX_SHUTDOWN_TIME} seconds from now it will be forced to exit."
-		# Create a backgound process to watch the terminated Bro
-		# If the process still exists after the BRO_MAX_SHUTDOWN_TIME
-		# then send it a SIG_KILL
-		stopwatch ${_pid} "${BRO}" &
-	fi
-
-	return 0
-}
-
-
-checkpoint() {
-	# Check to make sure bro is already running
-	local _old_pid=""
-	local _old_bro_running
-	local _status_result
-
-	echo "${prog}: Beginning the checkpoint process"
-	status 2>/dev/null >/dev/null
-	_status_result=$?
-
-	if [ "${_status_result}" = '0' ]; then
-		_old_pid=`cat "${pidfile}"`
-		_old_bro_running="t"
-	else
-		_old_bro_running="f"
-	fi
-
-	if [ "${_old_bro_running}" = "f" ]; then
-		cleanup
-		echo "${prog}: No current instance of Bro is running."
-		return 1
-	fi
-
-	echo "${prog}: Starting a new Bro instance."
-	if [ "${_old_bro_running}" = "t" ]; then
-		echo "${prog}: Will wait for ${BRO_CHECKPOINT_OVERLAP_TIME} seconds before stopping the old Bro instance."
-	fi
-
-	# start a new Bro
-	"${syslog_cmd}" -t "${prog}" "Starting the checkpoint process (${_old_pid})"
-	cleanup
-	${this_script} start > /dev/null &
-
-	# Create a background process to stop the old Bro process if
-	# it is still running
-	if [ "${_old_bro_running}" = "t" ]; then
-		{
-			# Renice the old process so it doesn't compete with the new active Bro
-			renice ${renice_checkpoint_level} ${_old_pid} 2> /dev/null 1> /dev/null
-
-			# Sleep for BRO_CHECKPOINT_OVERLAP_TIME
-			sleep ${BRO_CHECKPOINT_OVERLAP_TIME}
-
-			# kill the old bro process
-			kill -TERM ${_old_pid}
-
-			# call the stopwatch function to make sure the old bro process exits
-			# before BRO_MAX_SHUTDOWN_TIME
-			stopwatch ${_old_pid} "${BRO}"
-			"${syslog_cmd}" -t "${prog}" "Checkpoint process complete. Bro process (${_old_pid}) is done"
-		} &
-	fi
-
-	return 0
-}
-
-
-status() {
-	local _pid
-	local _ret_val
-	if [ -f "${pidfile}" ] && [ -f "${start_time_file}" ] && [ "${active_log_file}" ]; then
-		_pid=`cat "${pidfile}" | awk '{ print $1 }'`
-		pidisrunning ${_pid}
-		_ret_val=$?
-		if [ "${_ret_val}" = "0" ]; then
-			true
-		else
-			echo "${prog}: Bro is not running"
-			return 1
-		fi
-	else
-		echo "${prog}: Bro is not running"
-		return 1
-	fi
-
-	local _start_time
-	local _log_suffix
-	local _bro_ver
-	local _autorestart_status
-
-	_start_time=`cat "${start_time_file}"`
-	_log_suffix=`activelogsuffix`
-	_bro_ver=`"${BRO}" -v 2>&1 | awk ' { print $3 } '`
-	_autorestart_status=`cat "${autorestart_file}"`
-	echo "Bro is running (pid: ${_pid})"
-	echo "Autorestart: ${_autorestart_status}"
-	echo "Running since: ${_start_time}"
-	echo "Bro Version: ${_bro_ver}"
-	echo "Active log suffix: ${_log_suffix}"
-
-	return 0
-}
-
-activelogsuffix() {
-	local _log_suffix
-
-	if [ -f "${active_log_file}" ] && [ -r "${active_log_file}" ]; then
-		# ok file exists
-		_log_suffix=`cat "${active_log_file}"`
-		echo -n "${_log_suffix}"
-	else
-		return 1
-	fi
-
-	return 0
-}
-
-
-exitwatch() {
-	# pid number to wait for
-	PID=${1}
-
-	if [ -z ${PID} ]; then
-		echo "${prog}: No pid number passed to function exitwatch" > 2
-		echo "${prog}: Unable to continue" > 2
-		exit 1
-	fi
-
-	# trap some signals
-	# Ignore HUP, QUIT, INT signals
-	trap '' SIGHUP SIGINT SIGQUIT
-	# Call stop if a TERM signal is sent to this ($$) process
-	trap 'stopbro 2>/dev/null >/dev/null; true' SIGTERM
-
-	wait ${PID} 2> /dev/null
-
-	EXIT_CODE=$?
-	END_TIME=`date`
-
-	# Currently Bro does not always exit with the right exit codes
-	# Need to figure out if something besides 0 really happened
-	if [ "${EXIT_CODE}x" = 'x' ]; then
-		# Something evil happened!
-		EXIT_CODE=1
-		false
-	# The following exit codes are expected for a successful exit:
-	# 0, 130, 145
-	# 143 (SIGTERM) and 130 (SIGINT) are returned when wait is interrupted by
-	# a trapped signal.
-	elif [ "${EXIT_CODE}" = '0' ] || \
-		[ "${EXIT_CODE}" = '143' ] || \
-		[ "${EXIT_CODE}" = '130' ]; then
-		if ! [ -f "${pidfile}" ]; then
-			# A normal exit occurred as the pid file has been cleaned up
-			EXIT_CODE=0
-			true
-		else
-			check_pid=`cat "${pidfile}"`
-			if [ "${check_pid}" != "${PID}" ]; then
-				# The PID has changed which means either a restart was forced
-				# or a checkpoint has occurred.  In either case it is
-				# likely that Bro exited correctly
-				true
-			else
-				# Something went wrong with Bro because it exited before the
-				# temporal files were cleaned up
-				EXIT_CODE=1
-				cleanup
-				false
-			fi
-		fi
-	elif [ ! -f "${pidfile}" ] && [ ! -f "${start_time_file}" ]; then
-		# Bro exited with a non-zero value but the exit was planned.
-		# Log the an error message but return a zero exit status as this
-		# was a planned exit.
-		"${syslog_cmd}" -t "${prog}" "Bro process (${PID}) returned a non-zero exit status but the exit was planned."
-		EXIT_CODE=0
-	else
-		# An unexpected exit code was returned by Bro
-		false
-	fi
-
-	# Set the ERROR_MESSAGE to something useful if there was an error
-	if [ "${EXIT_CODE}" != '0' ]; then
-		if [ -f "${info_log}" ] && [ -s "${info_log}" ]; then
-			ERROR_MESSAGE=`tail -2 "${info_log}"`
-		else
-			ERROR_MESSAGE="Unknown error occurred"
-		fi
-
-		"${syslog_cmd}" -t "${prog}" "Bro process (${PID}) exited with a code of ${EXIT_CODE}"
-	else
-		"${syslog_cmd}" -t "${prog}" "Bro process (${PID}) stopped"
-	fi
-
-	# Call the post_exit_hook function
-	post_exit_hook
-
-	# renamed logfiles now that file writing is done.
-	# turned off till sc04 is over
-	# rename_logfiles "${BRO_LOG_SUFFIX}"
-
-	return ${EXIT_CODE}
-}
-
-stopwatch() {
-	# This function is used to run in the background and watch the pid
-	# and command line as returned by ps.  This function should be
-	# forked off as a background process to monitor a terminating Bro
-	# process to make sure that it ends by BRO_MAX_SHUTDOWN_TIME
-
-	local _pid
-	local _cmd_line
-	_pid=${1}
-	_cmd_line="${2}"
-
-	# Make sure that _pid has a value
-	if [ -z ${_pid} ]; then
-		_pid=`cat "${pidfile}"`
-		if [ -z ${_pid} ]; then
-			echo "${prog}: Unable to find a process number to monitor for stopwatch" >&2
-		fi
-		echo "First argument passed to function stopwatch must be a PID greater than zero." >&2
-		return 1
-	fi
-
-	# Make sure that _pid has a value larger than 0
-	if [ "${_pid}" -lt 1 ]; then
-		echo "First argument passed to function stopwatch must be a PID greater than zero." >&2
-		return 1
-	fi
-
-	# Make sure that _cmd_line has a value
-	if [ -z ${_cmd_line} ]; then
-		echo "Second option passed to function stopwatch must be the program name as" >&2
-		echo "specified on the command line when first started." >&2
-	fi
-
-	local _cur_wait
-	local _max_wait
-	local _sleep_time
-	_cur_wait=0
-	_max_wait=${BRO_MAX_SHUTDOWN_TIME}
-	_sleep_time=10
-	while [ "${_cur_wait}" -lt "${_max_wait}" ]
-	do
-		local _res
-		pidisrunning ${_pid} "${_cmd_line}"
-		local _ret_val=$?
-		if [ "${_ret_val}" != "0" ]; then
-			break
-		fi
-		_cur_wait=$(( ${_cur_wait} + ${_sleep_time} ))
-		sleep ${_sleep_time}
-	done
-
-	# Check if the process died on it's own
-	if [ "${_cur_wait}" -ge "${_max_wait}" ]; then
-		# Nope, didn't exit on it's own
-		kill -KILL ${_pid}
-		"${syslog_cmd}" -t "${prog}" "Bro process (${_pid}) exceeded the maximum shutdown time and was forcibly terminated"
-	fi
-
-	return 0
-}
-
-
-runasnonroot() {
-
-	# Check on whether to start as the current user or a different user
-	#
-	# Check if the alternate user has been specified
-	if [ "${alternate_user_id}x" != "x" ]; then
-		# Check if the current username is the same as that in $alternate_user_id
-		if [ "${USER}" = "${alternate_user_id}" ]; then
-			# The alternate is the same as the current, no need to su
-			alternate_user_id=''
-			return 254
-		else
-			# Allow only users with root privelages to use su -
-			if [ -w /etc/passwd ]; then
-				echo "${prog}: Running as non-root user ${alternate_user_id}" >&2
-				su - ${alternate_user_id} -c "${this_script} ${cur_args} < /dev/null"
-			else
-				# Nope, no root privelage
-				alternate_user_id=''
-				echo "$prog: Must have root privileges in order to run as a non-root user" >&2
-				echo "FAILED!" >&2
-				return 1
-			fi
-		fi
-	else
-		# No alternate user specified
-		return 254
-	fi
-
-	return 0
-}
-
-pidisrunning() {
-
-	local _pid
-	local _cmd_line
-	local _running_pid
-
-	_pid=${1}
-	_cmd_line="${2}"	# optional
-
-	if [ `uname | grep "CYGWIN"` ]; then
-		# cygwin ps command
-		if [ -z ${_cmd_line} ]; then
-			_running_pid=`ps -as | awk ' { print $1 } ' | grep ${_pid}`
-		else
-			_running_pid=`ps -as | grep "${_pid}.*${_cmd_line}"`
-		fi
-	else
-		# the rest of *NIX
-		_running_pid=`ps ax -o "pid,command" | grep "${_pid}.*${_cmd_line}" | grep -v "grep ${_pid}.*${_cmd_line}"`
-	fi
-
-	if [ "${_running_pid}x" = 'x' ]; then
-		return 1
-	else
-		return 0
-	fi
-
-}
-
-removetraceopt() {
-	local _cmd_opts
-	local _ret_string
-	local _sed_patt
-
-	_cmd_opts="${1}"
-
-	_sed_patt='/-w/ {
-/-w *\"/ {
-s/ -w *\"[^"]\{1,\}\" */ /
-t
-s/^-w *[^" ]\{1,\} */ /
-}
-t
-/-w *[^ ]\{1,\}/ {
-s/ -w *[^ ]\{1,\} */ /
-t
-s/^-w *[^ ]\{1,\} */ /
-}
-}'
-
-	_ret_string=`echo -n "${cmd_opts}" | sed "${_sed_patt}"`
-
-	echo -n "${_ret_string}"
-	return 0
-}
-
-capturefilter() {
-	local _cmd_opts
-	local _ret_string
-	local _dummy_dir
-	local _cur_log_suffix
-
-	_cmd_opts="${1}"
-	_cmd_opts="${_cmd_opts} print-filter.bro"
-	_dummy_dir="${BROLOGS}/.print-filter"
-
-	mkdir "${_dummy_dir}" 1>/dev/null 2>/dev/null
-	cd "${_dummy_dir}"
-
-	_ret_string=`"${BRO}" ${_cmd_opts} 2>/dev/null`
-
-	cd "${BROLOGS}"
-	rm -rf "${_dummy_dir}"
-
-	if [ "${_ret_string}x" = 'x' ]; then
-		return 1
-	else
-		echo "${_ret_string}"
-		return 0
-	fi
-}
-
-cleanup() {
-
-	rm -f "${pidfile}"
-	rm -f "${active_log_file}"
-	rm -f "${start_time_file}"
-	rm -f "${autorestart_file}"
-	return 0
-}
-
-epochtime() {
-    echo -n "`date +'%s'`"
-}
-
-# Need something more comprehensive but this does fine for now.
-rename_logfiles() {
-    # rename the closed log file passed in as arg ${1} and add
-    # the stop time. The format of the files will now be:
-    # file.host.YY-MM-DD_HH.MM.SS-YY-MM-DD_HH.MM.SS, where the first date
-    # is the start time, and the end date is the time bro was shutdown
-    local _end_time
-    local _cur_log_suffix
-
-	# The start time log suffix is passed in as an argument
-	_cur_log_suffix="${1}"
-
-    # change directory to where we need to do our work
-    cd "${BROLOGS}"
-
-    # If _cur_log_suffix has no value then don't do anything
-    if [ "${_cur_log_suffix}x" = 'x' ]; then
-        #echo "No logs to rename"
-        return 1
-    fi
-    # format the end time once, and use for all the logs
-    _end_time=`date "+%y-%m-%d_%H.%M.%S"`
-
-    # grok out the logs to change, and change them, hope we have lots of disk space
-    filelist=`ls *.${_cur_log_suffix}`
-    for name in ${filelist}; do
-        #echo "Moving ${name} to ${name}-${_end_time}"
-        mv "${name}" "${name}-${_end_time}"
-    done
-
-    return 0
-}
-
-
-# See how we were called.
-case "$1" in
-	status|--status)
-		status
-		;;
-	start|--start|autorestart|--autorestart|stop|--stop|stopwatch|--stopwatch|checkpoint|--checkpoint)
-		# Check on whether to run as non-root
-		runasnonroot
-		_run_non_root_res=$?
-		if [ "${_run_non_root_res}" = "0" ]; then
-			true
-		elif [ "${_run_non_root_res}" = "1" ]; then
-			false
-		else
-			# If it gets here then the script is either running as root or it has
-			# already done an su - to the non-root user.
-			case "$1" in
-				start|--start)
-					# One more command line option is available
-					second_opt="${2}"
-
-					# enable autorestart?
-					AUTO_RESTART="f"
-					if [ "${BRO_ENABLE_AUTORESTART}" = "YES" ] || \
-						[ "${BRO_ENABLE_AUTORESTART}" = "yes" ] || \
-						[ "${second_opt}" = "autorestart" ]; then
-						AUTO_RESTART="t"
-					fi
-
-					# An explicit noautorestart will always disable it
-					if [ "${second_opt}" = "noautorestart" ]; then
-						AUTO_RESTART="f"
-					fi
-
-					start
-					;;
-				startbro|--startbro)
-					startbro
-					;;
-				stop|--stop)
-					stopbro
-					;;
-#				stopwatch|--stopwatch)
-#					stopwatch ${2}
-#					;;
-				checkpoint|--checkpoint)
-					checkpoint
-			esac
-		fi
-		;;
-	*)
-		echo "Usage: ${prog} {start|stop|checkpoint|status}"
-		echo "start has the additional option which can be used to disable/enable "
-		echo "autorestart: "
-		echo "   start [no]autorestart"
-		echo ""
-		exit 1
-esac
-
-exit $?
-
-
-# So how does this thing work and why is it always running when Bro is running?
-
-# bro.rc is the init script which starts, stops, checkpoints, and monitors a
-# running instance of Bro.
-# bro.rc logs it's actions to syslog via the logger command.
-# bro.rc offers users an interface into the starting and stopping of a Bro
-# process via the file $BROHOME/etc/bro.rc-hooks.rc.  This allows for
-# actions to be sent to any custom monitoring or alerting programs the
-# user may wish to use.
-
-
-# There are four command line options available
-# to the user.  Each is covered below with an explanation.
-# 1) start
-#   Start has two additional commands of autorestart and noautorestart which
-#   can be used to enable and disable the autorestart feature.  This feature
-#   is also controlled by setting the variable BRO_ENABLE_AUTORESTART in
-#   to 'YES' or 'NO' bro.cfg.  Any autorestart option given to start on the
-#   command line will override the bro.cfg setting in BRO_ENABLE_AUTORESTART.
-#
-#   'start' does just as it's name implies, it starts a new Bro process.
-#   When autorestart is enabled bro.rc will monitor the Bro process and
-#   restart it if it fails unexpectedly for any reason.  Bro will be restarted
-#   a maximum count as set by BRO_MAX_RESTART_ATTEMPTS in bro.cfg.  If the
-#   BRO_MAX_RESTART_ATTEMPTS count is exceeded then no further restart
-#   attempts will be made and the error will be sent to syslog.
-#
-#   After Bro has started either successfully or unsuccessfully the function
-#   post_start_hook will be called.  (see bro.rc-hooks.sh for more info).
-#
-#   If start is called and Bro is already running this is an error and
-#   the script will return 1.
-#
-#   If Bro starts successfully bro.rc will return 0.
-#
-# 2) stop
-#   Self explantory, stops a running Bro process.  Stop will cleanup the
-#   temporal files such as pid, start_time, etc, send a SIGTERM to the
-#   running instance of Bro, and then if needed call another process to
-#   to watch the exiting process.  If the process has not terminated by
-#   BRO_MAX_SHUTDOWN_TIME seconds then a SIGKILL will be sent to the process
-#   and a message will be sent to syslog.
-#
-# 3) checkpoint
-#   A checkpoint is where a new instance of Bro is started and then the old
-#   one is terminated. (see documentation on when and why this is done).
-#   Essentially what happens is that temporal files are cleaned up, a
-#   new instance of Bro is started, bro.rc thens waits
-#   BRO_CHECKPOINT_OVERLAP_TIME seconds before sending the old Bro process
-#   a SIGTERM.  An exit code of 1 will be returned in the event checkpoint
-#   is called and there is no running Bro process.
-#
-# 4) status
-#   Used to check if Bro is running.  Also outputs the Bro version, the start
-#   time, the current log suffix, and whether autorestart is enabled or not.
-#   If Bro is running the command will return 0 and if Bro is not running the
-#   command will return 1.
-#
-# The detection of when Bro exits is done through the use of the shell
-# builtin 'wait'.  The function exitwatch will wait on the Bro child
-# pif until it exits.  A few tests are run after Bro returns to determine
-# If the exit was expected or unexpected.  An unexpected exit is anytime
-# Bro exits or terminates outside the control of bro.rc.  After the Bro
-# process returns and before bro.rc exits the post_exit_hook will be called.
-#
-# bro.rc traps SIGTERM and ignores SIGHUP.  If SIGTERM is sent to the
-# bro.rc process this will also cause bro.rc to stop the running Bro process
-# it monitors as well.  This is to provide proper behavior in the event of
-# a system reboot or halt.
diff --git a/scripts/bro_config.in b/scripts/bro_config.in
deleted file mode 100755
index c0f057067d..0000000000
--- a/scripts/bro_config.in
+++ /dev/null
@@ -1,1008 +0,0 @@
-#!/bin/sh
-# $Id: bro_config.in 6059 2008-08-14 16:54:16Z robin $
-#
-# default install location for bro 
-# We probably need to sync this with what was used for --prefix
-# on the "configure" command line
-# some machines (i.e. OSX) don't put sbin in the path by default
-PATH=$PATH:/usr/sbin:/sbin
-BROHOME=@prefix@
-# Usage
-Usage="bro_config: [-p prefix] [-d]"
-# Debug mode? 
-Debug=0
-# Am I running as a regular user?
-nonroot=0
-# prompt for everyth
-full=0
-# is there a pw available to us?
-no_pw=0
-# is BRO_USER_ID valid?
-valid_id=0
-# automode: ask any question or use all defaults?
-# used with make distcheck to generate files with
-# out all the questions
-automode=0
-######################################################################
-# figure out what kind of echo to use
-bro_config_echo_settings()
-{
-if [ "`echo -n`" = "-n" ]; then
-    n="";  c="\c"
-else
-    n="-n";     c=""
-fi
-}
-
-######################################################################
-# Got root? Are we root? if not print warning, and limp along
-bro_config_got_root()
-{ 
-    # make a backup of local.site.bro if it exists
-    if [ -f local.site.bro ]; then 
-        echo "Detected an old local.site.bro, saving it to local.site.bro.save"
-        cp local.site.bro local.site.bro.save
-    fi
-
-    if [ `id -ur` -ne 0 ]; then 
-        nonroot=1
-        echo "You need to be root when you run this script for it to"
-        echo "be fully effective. Please login as root and rerun this"
-        echo "script (or the make install that called this script)."
-        echo ""
-        echo "This script will run as a non-root user,  but it will not"
-        echo "be able to tune the system or install system files. "
-        echo "It will only be able to create a bro.cfg file."
-        bro_config_create_local_site_bro
-        #cp local.site.bro.default local.site.bro
-    fi
-}
-######################################################################
-# This creates the default local.site.net 
-######################################################################
-bro_config_create_local_site_bro()
-{
-cat - > local.site.bro << _EOF
-# This file should describe your network configuration.
-# If your local network is a class C, and its network
-# address was 192.168.1.0 and a class B network 
-# with address space 10.1.0.0.
-# Then you would put 192.168.1.0/24 and 10.1.0.0/16 into 
-# this file, telling bro what your local networks are.
-
-@load site
-
-redef local_nets: set[subnet] = {
-    # example of a class C network
-    192.168.1.0/24,
-    # example of a class B network
-    10.1.0.0/16
-};
-
-_EOF
-
-}
-
-######################################################################
-bro_config_nonroot_message()
-{
-    echo "*** You need to hand edit your local networks in the file"
-    echo "*** $BROHOME/site/local.site.bro. Please read the file for an"
-    echo "*** example of what it should look like"
-    echo ""
-}
-######################################################################
-bro_config_get_desc()
-{
-    desc=`grep --before-context=1  "^$1" ${cfgused:-bro.cfg.example} | head -1| sed 's/#//'`
-}
-######################################################################
-bro_config_print_desc()
-{
-    desc=`grep --before-context=1  "^$1" ${cfgused:-bro.cfg.example} | head -1| sed 's/#//'|sed 's/\n//'`
-    echo $desc
-}
-######################################################################
-# what kind of system are we running on.
-bro_config_sys_type()
-{
-    sys=`uname -s`
-    case $sys in
-        Linux*) BRO_SYS_TYPE="LINUX";;
-        Darwin*) BRO_SYS_TYPE="DARWIN";;
-        FreeBSD*) rtype=`uname -r` 
-            case $rtype in 
-                4*) BRO_SYS_TYPE="FREEBSD4";;
-                5*) BRO_SYS_TYPE="FREEBSD5";;
-                6*) BRO_SYS_TYPE="FREEBSD6";;
-            esac;;
-        *) BRO_SYS_TYPE="UNKNOWN";;
-    esac
-}
-######################################################################
-# ok. This should pick the interface with the most traffic on it.
-# not always correct, but a start at least -- 
-bro_config_get_busy_iface()
-{
-    echo -n "Checking interfaces ...."
-
-    # tmp file to hold stuff in
-    touch /tmp/bro_config.tmp.$$
-
-    # grab all the interfaces
-    ifs=`ifconfig -a | grep '^[A-Za-z].*'|cut -d' ' -f1|sed 's/\://' `
-
-    # FreeBSD and Darwin are alike
-    #if [ $BRO_SYS_TYPE = "FREEBSD" -o $BRO_SYS_TYPE = "DARWIN" ]; then
-    if ! [ x$BRO_SYS_TYPE = 'xLINUX' ]; then
-        for iface in $ifs; do
-            stats=`netstat -I $iface|grep -v '^Name'| awk '{print $1, $5}'|sort -k2 -r | head -1`
-            echo "$stats" >> /tmp/bro_config.tmp.$$
-        done
-    fi
-    # its linux
-    if [ "x$BRO_SYS_TYPE" = 'xLINUX' ]; then
-        for iface in $ifs; do
-            stats=`ifconfig $iface|grep 'RX packets'|awk '{print $2}'|sed 's/.*\://'`
-            echo "$ifs $stats" >> /tmp/bro_config.tmp.$$
-        done
-    fi
-
-    if [ -f /tmp/bro_config.tmp.$$ ]; then
-        busy_iface=`cat /tmp/bro_config.tmp.$$ | sort -r -n -k 2 |head -1|awk '{print $1}'`
-        busy_iface2=`cat /tmp/bro_config.tmp.$$ | sort -r -n -k 2 |head -2|tail -1|awk '{print $1}'`
-        rm /tmp/bro_config.tmp.$$
-    else
-        busy_iface=""
-        busy_iface2=""
-    fi
-    echo "Done."
-}
-
-######################################################################
-# prompt for input for a variable
-# $1 name of var
-# $2 defualt value
-# $3 prompt string (if empty get from config file )
-bro_config_input()
-{
-    if [ -z "$1" ] ; then
-        name=""
-    else
-        name=$1
-    fi
-    
-    if [ -z "$2" ] ; then
-        default=""
-    else
-        default=$2
-    fi
-
-    if [ -z "$3" ] ; then 
-        prompt=""
-    else
-        prompt=$3
-    fi
-
-    #empty it out
-    RESP=
-    desc=
-    # if we weren't passed a prompt, get one
-    if [ -z "$prompt" ] ; then 
-        bro_config_get_desc $name
-    else
-        desc=$prompt
-    fi
-    
-    while [ -z "$RESP" ]; do
-        echo $n "$desc [$default] " >&0
-        read RESP
-
-        case "$RESP" in 
-            [Yy]|[Yy][Ee][Ss]) ret="YES"; RESP="YES";;
-            [Nn]|[Nn][Oo] ) ret="NO"; RESP="NO" ;;
-            "") ret=$default ; RESP="$default" ;;
-            *) ret=$RESP;;
-        esac
-    done
-
-    # set back the value
-    eval $1=\$ret
-    eval $name=\$ret
-    return 1
-}
-######################################################################
-# creates the bro.cfg file
-# add in anything you want in the bro.cfg file below
-bro_config_export_vars()
-{
-    # CREATE_TRACE_FILE needs to be YES or NO
-    if [ x$BRO_CREATE_TRACE_FILE != "xYES" ]; then
-        BRO_CREATE_TRACE_FILE="NO"
-    fi
-
-    # BRO_ENCRYPT_EMAIL needs to be YES or NO
-    if [ x$BRO_ENCRYPT_EMAIL != "xYES" ]; then
-        BRO_ENCRYPT_EMAIL="NO"
-    fi
-
-    # don't overwite existing bro.cfg
-    if [ -w bro.cfg ]; then
-        mv bro.cfg bro.cfg.bak
-    fi
-
-    # This is from Roger Winslow --
-cat - > bro.cfg << EOF
-# Source file config for running bro
-
-# Values in this file are shell style variables but make sure that the
-# values are literal strings and not shell expressions.  Other programs
-# read this file as well to determine where the different resources are
-# so if the value is not a literal string then other programming languages
-# won't be able to make sense of it.
-
-# Comments start with "#" characters and will be effective until the 
-# end of the line.  A literal "#" character can be used by escaping it
-# like this -> \#
-
-# Multiline values can be continued with the traditional backslash \
-
-# This file will normally reside in ${BROHOME}/etc
-
-# The following variables are exported and needed by Bro at runtime
-# BROLOGS
-# BROHOME
-# BROPATH
-
-BROHOME=$BROHOME
-export BROHOME
-
-# Hostname to add into log filenames and reports
-BRO_HOSTNAME=`(hostname || uname -n) 2>/dev/null |awk -F.  '{print $1}'`
-# FQDN format
-# BRO_HOSTNAME=`hostname`
-
-# Directory containing Bro binaries
-BRO_BIN_DIR="${BRO_BIN_DIR:-${BROHOME}/bin}"
-
-# Directory containing Bro logs
-BROLOGS="${BROLOGS:-${BROHOME}/logs}"
-export BROLOGS
-
-# Log archive directory
-BRO_LOG_ARCHIVE="${BRO_LOG_ARCHIVE:-${BROHOME}/archive}"
-
-# Bro policy paths
-BROPATH="${BROHOME}/share/bro/site:${BROHOME}/share/bro:${BROHOME}/share/bro/sigs:${BROHOME}/share/bro/time-machine"
-export BROPATH
-
-# Filename of the Bro start policy.  Must be located in one of the directories in \$BROPATH
-BRO_START_POLICY="@BROHOST@.bro"
-
-# Location of site specific policy and configurations
-BROSITE="${BROSITE:-$BROHOME/site}"
-export BROSITE
-
-# A prefix to use when looking for local policy files to load.
-# BRO_PREFIX="local"
-
-# Location of the Bro executable
-BRO="${BRO:-$BRO_BIN_DIR/bro}"
-
-# Base command line options.
-BRO_ADD_OPTS=" -W"
-# Turn on Bro's Watchdog feature
-BRO_OPTS="${BRO_ADD_OPTS}"
-
-# Interface name to listen on.  The default is to use the busiest one found.
-BRO_CAPTURE_INTERFACE="${BRO_CAPTURE_INTERFACE}"
-# Multiple interface should be specified as a space delimited list.
-# Examples: 
-#   CAPTURE_INTERFACE="sk0 sk1 sk5"
-#   CAPTURE_INTERFACE="eth0 eth3"
-#   CAPTURE_INTERFACE="eth0"
-
-# Shoud a trace (tcpdump) file be created in the log directory (YES/NO)
-BRO_CREATE_TRACE_FILE=$BRO_CREATE_TRACE_FILE
-
-# How long to wait during checkpointing after startin a new Bro process and stopping the old one (in seconds).
-BRO_CHECKPOINT_OVERLAP_TIME=20
-
-# Base directory where reports will be stored
-BRO_REPORT_DIR="${BRO_REPORT_DIR:-$BROHOME/reports}"
-export BRO_REPORT_DIR
-
-# Starting time for a report run (0001 is 12:01 am and 1201 is 12:01pm)
-BRO_REPORT_START_TIME=${BRO_REPORT_START_TIME:-0020}
-
-# How often (in hours) to generate an activity report
-BRO_REPORT_INTERVAL=${BRO_REPORT_INTERVAL:-24}
-
-# This is the how often to rotate the logs (in hours)
-BRO_LOG_ROTATE_INTERVAL=24
-
-# This is the how often to checkpoint bro (in hours)
-BRO_CHECKPOINT_INTERVAL=24
-
-# The maximum time allowed for a Bro process to cleanup and exit (in seconds).
-BRO_MAX_SHUTDOWN_TIME=7200    # 2 hours
-
-# Use this to enable the init script to autorestart Bro in the event of an unexpected shutdown (YES/NO)
-BRO_ENABLE_AUTORESTART="YES"
-
-# A value less than 1 means there will be no limit to the number of restarts
-# Maximum times to try to auto-restart Bro before giving up.
-BRO_MAX_RESTART_ATTEMPTS="-1"
-
-# This is normally /var/run/bro and contains the pidfile and other temporal data.
-# Location of the run-time directory.  
-BRO_RUNTIME_DIR="${BRO_RUNTIME_DIR:-${BROHOME}/var}"
-
-# Email address for local reports to be mailed to
-BRO_EMAIL_LOCAL="${BRO_EMAIL_LOCAL:-NO}"
-
-# Email address to send from
-BRO_EMAIL_FROM="${BRO_EMAIL_FROM:-$BRO_EMAIL_LOCAL}"
-
-# Do you want to send external reports to a incident reporting org (e.g.: CERT, CIAC, etc)
-BRO_EMAIL_EXTERNAL="${BRO_EMAIL_EXTERNAL:-NO}"
-export BRO_EMAIL_EXTERNAL
-
-# Email address for remote reports to be mailed to
-BRO_EMAIL_REMOTE="${BRO_EMAIL_REMOTE}"
-
-# User id to install and run Bro under
-BRO_USER_ID="${BRO_USER_ID:-brother}"
-
-# Site name for reports (i.e. LBNL, FOO.COM, BAZ.ORG)
-BRO_SITE_NAME="${BRO_SITE_NAME}"
-export BRO_SITE_NAME
-
-# Do you want to encrypt email reports (YES/NO)
-BRO_ENCRYPT_EMAIL="${BRO_ENCRYPT_EMAIL}"
-
-# Location of GPG binary for encrypting email
-BRO_GPG_BIN="${BRO_GPG_BIN}"
-
-# Default BPF buffer
-BRO_BPF_BUFSIZE=${BRO_BPF_BUFSIZE:-4194304}
-
-# Do BPF bonding
-BRO_BPFBOND_ENABLE="${BRO_BPFBOND_ENABLE:-NO}"
-
-# Interfaces to bond
-BRO_BPFBOND_FLAGS="${BRO_BPFBOND_FLAGS}"
-
-# diskspace management settings
-# Should I manage diskspace
-BRO_DISKSPACE_ENABLE="${BRO_DISKSPACE_ENABLE:-YES}"
-
-# percent full to worry about
-BRO_DISKSPACE_PCT=${BRO_DISKSPACE_PCT:-90}
-
-# account watching disk space
-BRO_DISKSPACE_WATCHER="${BRO_DISKSPACE_WATCHER:-root}"
-
-# days before deleting old logs
-BRO_DAYS_2_DELETION=${BRO_DAYS_2_DELETION:-45}
-
-# days before compressing logs
-BRO_DAYS_2_COMPRESSION=${BRO_DAYS_2_COMPRESSION:-20}
-
-# Bulk data capture settings
-# Buld data directory
-BRO_BULK_DIR="${BRO_BULK_DIR:-${BROHOME}/bulk-trace}"
-
-# Capture filter for bulk data
-BRO_BULK_CAPTURE_FILTER="${BRO_BULK_CAPTURE_FILTER}"
-
-# days before deleting bulk data
-BRO_BULK_DAYS_2_DELETION=${BRO_BULK_DAYS_2_DELETION:-4}
-
-# days before compressing bulk data
-BRO_BULK_DAYS_2_COMPRESSION=${BRO_BULK_DAYS_2_COMPRESSION:-2}
-
-# location of sorted log files, needed by Brooery
-BROOERY_LOGS="${BROOERY_LOGS:-${BROHOME}/sorted-logs}"
-
-EOF
-}
-
-
-######################################################################
-# run the localnets program
-bro_config_run_localnets()
-{
-    # how long to run tcpdump for ..
-    BRO_DUMP_TIME=20
-
-    bro_check_network="YES"
-    bro_config_input "bro_check_network" $bro_check_network " May I guess your network configuration for you? "
-
-    if [ "$bro_check_network" = "YES" ] ; then 
-        # make sure tcpdump is working ...
-	    echo "Checking network"
-        tcpdump -V > /dev/null  2>&1 
-        state=$?
-        # A little debug info just in case ...
-        if [ $Debug = 1 ]; then
-            echo "State $state Test $test"
-        fi
-        # if we can't run tcpdump, return to configuring 
-        if [ $state -eq 127 ]; then 
-            echo "Can't run tcpdump, please make sure its in your path"
-            return 2
-        fi
-        test=`tcpdump -V 2>&1 | grep version| awk '{print $3}'`
-        # do a one packet capture to check we can use the interface
-        tcpdump -i $BRO_CAPTURE_INTERFACE -n -w /tmp/bro_config.tcpdump.file.$$ -c 1 > /dev/null 2>&1
-        permis=$?
-        if [ $permis -eq 1 ]; then
-            rm /tmp/bro_config.tcpdump.file.$$ 2>&1 > /dev/null
-            echo "Can't run tcpdump, please check your permissions or run as root "
-            return 2
-        fi
-        # lets figure out what we are on
-        echo "Running localnets script to determine the local network range ... " 
-        echo "This will take about $BRO_DUMP_TIME seconds"
-        echo -n "Capturing packets ...."
-
-        # do it quietly in the background
-        tcpdump -n -i $BRO_CAPTURE_INTERFACE -w /tmp/bro_config.tcpdump.file.$$ > /dev/null 2>&1 &
-        pid=$!
-        sleep $BRO_DUMP_TIME
-        echo " done."
-        kill -INT $pid 2>&1 > /dev/null
-        echo -n "Analyzing dump file....."
-        ./localnetMAC.pl -a 16 -r /tmp/bro_config.tcpdump.file.$$  -b local.site.bro 2>&1 > /dev/null
-        rm /tmp/bro_config.tcpdump.file.$$
-        #Yes there is a spelling error in the output
-        echo " done."
-        num=`grep "MAC adresses" local.site.bro | awk '{print $3}'`
-        if [ "$num" -gt 2 ] ; then 
-            echo "You don't appear to be running on a DMZ (found more then two (2) hardware "
-            echo "address. Please edit local.site.bro to reflect your correct network parameters"
-            cp local.site.bro.default local.site.bro
-        else
-            echo "Your network appears to contain the following networks:"
-            for net in ` grep ",$" local.site.bro|sed 's/,//g'`; 
-            do 
-               echo $net; 
-            done
-            echo "Edit local.site.bro by hand if this is not correct" 
-        fi
-    else
-        if [ -f local.site.bro ]; then
-            echo "No previous local.site.bro found. Creating default"
-            bro_config_create_local_site_bro
-            #cp local.site.bro.default local.site.bro
-            echo "Please edit local.site.bro so that it describes your network configuration"
-        fi
-    fi
-}
-
-######################################################################
-# Use pw to create the account adding a group name that is the same
-# as the user id to use. Also create the account in the BROHOME area
-#
-bro_config_add_user()
-{
-
-    # see if user exists already
-    xx=`id $BRO_USER_ID > /dev/null 2>&1`
-    stat=$?
-    if [ $stat -eq 0 ]; then 
-        valid_id=1
-        return 
-    fi
-
-    # Silently check for existance of pw
-    /usr/sbin/pw > /dev/null 2>&1
-    stat=$?
-    if [ $stat -eq 127 ] ; then 
-        echo "/usr/sbin/pw not found, can't add user $BRO_USER to your system"
-        echo "please add $BRO_USER manually to your system."
-        no_pw=1
-        return 1
-    fi
-    echo -n "Should I add the user $BRO_USER_ID to your system? [YES] "
-    read ans
-    if [ -z "$ans" -o x$ans = "xy" -o x$ans = "xyes" -o x$ans = "xY" -o x$ans = "xYES" ] ; then 
-        # add user to group wheel at the same time
-        /usr/sbin/pw useradd $BRO_USER_ID -d $BROHOME -q -n $BRO_USER_ID 
-        result=$?
-        if [ $result -ne 0 ]; then 
-            echo "Error adding user $BRO_USER"
-            echo "Failed command: \"/usr/sbin/pw useradd $BRO_USER_ID -d $BROHOME -q -m -n $BRO_USER_ID \""
-        else
-            echo "Added user $BRO_USER_ID to the system."
-            valid_id=1
-       fi
-   else
-       echo "Not adding user $BRO_USER_ID"
-   fi
-}
-
-
-######################################################################
-bro_config_run_bpf()
-{
-    echo $n "Running bpf script to check if you have enough devices ... "
-    num=`ls -1 /dev/bpf[0-9]*|wc -l`
-    echo "done."
-    echo You have $num bpf devices
-    if [ $num -gt 10 ] ; then 
-        echo "You should have enough devices"
-    else
-        bro_config_get_more_bpf
-    fi
-}
-######################################################################
-
-bro_config_get_more_bpf()
-{
-    RESP=
-    while [ -z "$RESP" ]; do
-        echo $n "Bro recommends more devices, may I create more for you [Y/n] "
-        read RESP
-        case "$RESP" in 
-            [Yy]|[Yy][Ee][Ss]) 
-                echo $n "Creating 32 bpf devices" ; 
-                cd /dev; ./MAKEDEV bpf31 ;;
-            [Nn]|[Nn][Oo]) return 1;;
-            *) echo "Please answer Y or N" ;;
-        esac
-    done
-    echo " Done."
-}
-
-######################################################################
-# If I'm root, I'll be able to read bpf no matter what!
-# so a test of head -1 /dev/bpf0 is meaningless.....
-# So all I can really do is check the that group is 
-# the same as the $BRO_USER_ID and go with that.
-bro_config_chown_bpf()
-{
-    if [ $valid_id -eq 0 ] ; then 
-        echo "$BRO_USER_ID needs to be added to the system and enabled"
-        echo "to read the /dev/bpf devices for bro to work."
-        return 1
-    fi
-    readable=0
-    # grab the group
-    bpf_grp=`ls -al /dev/bpf*|head -1|awk '{print $4}'`
-    # bro user groups
-    user_grp=`id $BRO_USER_ID`
-    #echo "Checking $BRO_USER_ID against $grp"
-    # is it in the same as bro?
-    if echo $user_grp | grep $bpf_grp  2>&1 > /dev/null; then
-        # if so, better make sure its group readable
-        perm=`ls -al /dev/bpf*|head -1| cut -c5`
-        if [ "x$perm" = "xr" ] ; then
-            echo "$BRO_USER_ID can read /dev/bpf devices.... Good"
-            readable=1
-        else
-            readable=0
-        fi
-    else
-        bpf_own=`ls -al /dev/bpf*|head -1|awk '{print $3}'` 
-        if [ "$BRO_USER_ID" = "$bpf_own" ] ; then
-            echo "$BRO_USER_ID can read /dev/bpf devices.... Good"
-            readable=1
-        fi
-    fi
-    if [ $readable -eq 0 ]; then 
-        echo "$BRO_USER_ID can NOT read /dev/bpf devices!"
-        RESP=
-        while [ -z "$RESP" ]; do
-            echo $n "May I make the bfp devices owned by user $BRO_USER_ID ? [Y/n]"
-            read RESP
-            case "$RESP" in 
-                [Yy]|[Yy][Ee][Ss]) 
-                    chown $BRO_USER_ID /dev/bpf* ;
-                    chmod u=rw /dev/bpf* ;;
-                [Nn]|[Nn][Oo]) 
-                    echo "You will need to enable the user $BRO_USER_ID" ;
-                    echo "read access to the /dev/bpf devices." ;
-                    return 1;;
-                *) echo "Please answer Y or N" ;;
-            esac
-        done
-    fi
-}
-
-######################################################################
-bro_config_source()
-{
-    #  source a bro.cfg if it exists, so we know the past default values from the
-    #  last run
-
-    dirs="$BROHOME/etc/bro.cfg $BROHOME/etc/bro.cfg.example `pwd`/bro.cfg"
-    cfgused=
-
-    for cfgfile in $dirs ; do 
-        #echo "checking $cfgfile"
-        if [ -r $cfgfile ] ; then
-            if [ $automode -eq 1 ] ; then
-                break
-            fi
-            RESP=
-            while [ -z "$RESP" ]; do
-                echo "**** Detected previous bro.cfg file *****"
-                echo $n "May I use $cfgfile for defaults? [Y/n]"
-                read RESP
-                case "$RESP" in
-                    [Yy]|[Yy][Ee][Ss])
-                        echo "Sourcing $cfgfile for defaults.";
-                        . $cfgfile;
-                        cfgused=${cfgfile};;
-                    [Nn]|[Nn][Oo])
-                        break;;
-                    *) echo "Please answer Y or N" ;;
-                esac
-            done
-            break
-        fi
-    done
-
-    if [ -z $cfgused ] ; then
-        echo "Using defaults from bro.cfg.example"
-        cfgfile=`pwd`/bro.cfg.example
-        if [ -r $cfgfile ] ; then
-            . `pwd`/bro.cfg.example
-        else
-            echo "No bro.cfg.example found. Using built-in defaults"
-            # generate some defaults
-            if [ -r ./bro.cfg ] ; then 
-                # back up their cfg if exists
-                mv bro.cfg bro.cfg.bak.$$
-            fi
-            bro_config_export_vars
-            mv bro.cfg bro.cfg.example
-            . ./bro.cfg.example
-            if [ -r ./bro.cfg ] ; then 
-                # replace the cfg if exists
-                mv bro.cfg.$$ bro.cfg
-            fi
-
-        fi
-    fi
-}
-
-######################################################################
-# See if we are going to use gpg 
-
-bro_config_gpg_vals()
-{
-    gpg_vals="BRO_GPG_BIN"
-
-    bro_config_input "BRO_ENCRYPT_EMAIL" $BRO_ENCRYPT_EMAIL
-
-    if [ x$BRO_ENCRYPT_EMAIL = "xYES" ]; then 
-        for val in $gpg_vals; do  
-            varname="$`echo $val`"
-            varval=`eval echo $varname` 
-            bro_config_input $val $varval
-        done
-	echo "Make sure to read the manual on how to install GPG keys!"
-    fi
-}
-
-######################################################################
-# snarf some system values and make sure that they are set
-# correctly
-# values that I might need to know: debug.sk_interrupt_mod, 
-# debug.sk_do_packet_timestamps, debug.bpf_bufsize, debug.bpf_maxbufsize
-bro_config_system_parms()
-{
-    
-    if [ "x$BRO_SYS_TYPE" = 'xLINUX' ]; then
-        sysctl -w net.core.rmem_max = 16777216
-        if grep net.core.rmem_max /etc/sysctl.conf 2>&1 > /dev/null ; then
-            echo "ERROR: Can't change value, entry exists in /etc/sysctl.conf!"
-        else
-            echo "net.core.rmem_max = 16777216" >> /etc/sysctl.conf
-        fi
-        return 
-    fi
-
-    # FreeBSD 6 uses differnt var names
-    if [ "x$BRO_SYS_TYPE" = 'xFREEBSD6' ]; then
-        MAXBUF='net.bpf.maxbufsize'
-        BUFSZ='net.bpf.bufsize'
-    else
-        MAXBUF='debug.bpf_maxbufsize'
-        BUFSZ='debug.bpf_bufsize'
-    fi
-
-
-    if [ `sysctl -n $MAXBUF` -lt 8388608 ] ; then
-        bpf_maxbufsize=`sysctl -n $MAXBUF`
-        echo "Current max buffer size for your BPF filter is $bpf_maxbufsize bytes. Bro recommends a max bpf buffer size of 8388608."
-        bro_config_input "bpf_maxbufsize" $bpf_maxbufsize "Please input a new value (or return to keep the current value)"
-        sysctl -w $MAXBUF=$bpf_maxbufsize
-        makepermanent="NO"
-        bro_config_input "makepermanent" $makepermanent "May I make this permanent?  [y/N] "
-        if [ x$makepermanent = "xYES" ] ; then 
-            if grep $MAXBUF /etc/sysctl.conf 2>&1 > /dev/null ; then 
-                echo "ERROR: Can't change value, entry exists in /etc/sysctl.conf!"
-            else
-                echo "$MAXBUF=$bpf_maxbufsize" >> /etc/sysctl.conf
-            fi
-        fi
-    fi
-
-    if [ `sysctl -n $BUFSZ` -lt 4194304 ] ; then
-        bpf_bufsize=`sysctl -n $BUFSZ`
-        echo "Current buffer size of your BPF filter is $bpf_bufsize bytes. Bro recommends a BPF buffer size of 4194304."
-        bro_config_input "bpf_bufsize" $bpf_bufsize "Please input a new value (or return to keep the current value)"
-        sysctl -w $BUFSZ=$bpf_bufsize
-        makepermanent="NO"
-        bro_config_input "makepermanent" $makepermanent "May I make this permanent? [y/N]"
-        if [ x$makepermanent = "xYES" ] ; then 
-            if grep $BUFSZ /etc/sysctl.conf 2>&1 > /dev/null ; then 
-                echo "ERROR: Can't change value, entry exists in /etc/sysctl.conf!"
-            else
-                echo "debug.bpf_bufsize=$bpf_bufsize" >> /etc/sysctl.conf
-            fi
-        fi
-    fi
-}
-
-
-######################################################################
-# Ask if we want to send local/external email reports
-# if so set the local/external email address(es)
-bro_config_email()
-{
-    bro_do_email_local="NO"
-    if [ "$BRO_EMAIL_LOCAL" ] ; then
-       bro_do_email_local="YES"
-    else
-       bro_do_email_local="NO"
-    fi
-    bro_config_input "bro_do_email_local" $bro_do_email_local " Email reports? (YES/no) "
-    if [ x$bro_do_email_local = "xYES" ] ; then
-        bro_config_input "BRO_EMAIL_LOCAL" "$BRO_EMAIL_LOCAL"
-    else
-        BRO_EMAIL_LOCAL=""
-    fi
-
-    # don't ask about emailing remote reports (for now)
-#    bro_config_input "BRO_EMAIL_EXTERNAL" $BRO_EMAIL_EXTERNAL
-#    if [ x$BRO_EMAIL_EXTERNAL = "xYES" ]; then 
-#            bro_config_input "BRO_EMAIL_REMOTE" $BRO_EMAIL_REMOTE
-#    fi
-
-}
-
-######################################################################
-# Try to figure out the site name. host1.fooobar.com becomes
-# foobarcom, and host1 becomes host1. If the hostname isn't set
-# it should default to SOMESITE.
-bro_config_site_name()
-{
-    if [ -z $BRO_SITE_NAME ]; then
-        BRO_SITE_NAME=`hostname|awk -F. '{print $2 $3}'`
-        if [ -z $BRO_SITE_NAME ] ; then 
-            BRO_SITE_NAME="SOMESITE"
-        fi
-    fi
-}
-######################################################################
-# if qutomode is set, just source the example setttings (or guess)
-# and output the files. Then exit! 
-bro_check_automode()
-{
-    if [ ! -z $BRO_AUTOMODE ] ; then
-        echo "Doing automode"
-        automode=1
-        # shouldn't run this as root!
-        nonroot=1
-        bro_config_source
-        bro_config_sys_type
-        if [ -z $BRO_CAPTURE_INTERFACE ]; then
-            bro_config_get_busy_iface
-            BRO_CAPTURE_INTERFACE=$busy_iface
-        fi
-        bro_config_got_root
-        bro_config_site_name
-        # export everything
-        bro_config_export_vars
-        bro_config_export_user
-        echo "Automode finished"
-        exit 0
-    else
-        echo "Automode not enabled"
-    fi
-
-}
-
-######################################################################
-# FREEBSD5 isms (dang devfs bpf)
-#
-bro_config_freebsd_devfs()
-{
-    # see if we've mucked with it before *dang* octothorp!
-    if [ -e /etc/rc.local ] ; then 
-        foo=`grep "BRO BPF PERMISSIONS CHANGES" /etc/rc.local |sed s/#//g`
-        if ! [ -z "$foo" ]; then
-            echo "Looks like /etc/rc.local has already been setup"
-            echo "Not changing /etc/rc.local"
-            return 
-        fi
-        # see if they already have a policy
-        bar=`grep "bpf" /etc/devfs.conf|sed s/#//g`
-        if ! [ -z "$bar" ]; then
-            echo "/etc/devfs.conf has policy for bpf devices already!"
-            echo "Not adding one to /etc/rc.local"
-            return 
-        fi
-
-    fi
-    # make sure brouser has its own group
-    brogroup=`grep ^$BRO_USER_ID /etc/group | awk -F: '{print $3}'`
-    if [ -z $brogroup ] ; then
-        echo "Can't find group for $BRO_USER_ID"
-        echo "Not changing /etc/rc.local"
-        return 
-    fi
-
-    # always make a backup
-    cp /etc/rc.local /etc/rc.local.$$.bak > /dev/null 2>&1 
-
-    # do it 
-cat - >> /etc/rc.local << BAZ
-
-# BRO BPF PERMISSIONS CHANGES
-devfs ruleset 15
-devfs rule add 15 path 'bpf*' mode 660 user $brogroup
-
-BAZ
-
-    echo "Added devfs line to /etc/rc.local"
-}
-######################################################################
-# Give a name for the user id to install everything under
-#
-bro_config_export_user()
-{
-    if [ -w bro_user_id ] ; then
-        mv bro_user_id bro_user_id.bak
-    fi
-
-    if [ -z "$BRO_USER_ID" ]; then
-        BRO_USER_ID=`id -un`
-    fi
-    echo "$BRO_USER_ID" > bro_user_id
-
-}
-######################################################################
-# main program 
-
-
-# check for automode
-# XXX: this may exit the program at this point
-bro_check_automode
-
-while [ $# -ge 1 ]; do
-    case $1 in
-    -p)     shift; BROHOME=$1 ;;
-    -p*)    BROHOME=`echo $1 | cut -c3-`;;
-    -d)     Debug=1;;
-    -f)     full=1;;
-    -*)     echo $Usage; exit 1 ;;
-    esac
-    shift
-done
-
-echo ""
-echo "Running Bro Configuration Utility"
-echo ""
-
-bro_config_echo_settings
-
-do_config="YES"
-bro_config_input "do_config" $do_config "Configure settings in bro.cfg? (YES/no) "
-if [ x$do_config = "xYES" ] ; then
-    echo "Values enclosed in '[ ]'s are the default value set if you hit return."
-else
-    exit
-fi
-
-echo ""
-
-
-# get the old vars first
-bro_config_source
-
-# what system are we running on second
-bro_config_sys_type
-
-# if we aren't root, better not ask the wrong questions ...
-bro_config_got_root
-
-#List of all variables we can set
-#vars="BROHOME BRO_BIN_DIR BRO_LOG_ARCHIVE BROPATH BRO_POLICY_PREFIX BRO BRO_OPTS BRO_USER_ID BRO_CHECKPOINT_INTERVAL BRO_REPORT_INTERVAL BRO_CAPTURE_INTERFACE BRO_EMAIL_LOCAL BRO_EMAIL_REMOTE BRO_CREATE_TRACE_FILE BRO_SITE_NAME BRO_GPG_BIN"
-
-if [ $nonroot -eq 1 ] ; then 
-    BRO_USER_ID=`id -un`
-    vars="BRO_LOG_ARCHIVE BRO_USER_ID BRO_CAPTURE_INTERFACE BRO_SITE_NAME BRO_REPORT_START_TIME BRO_REPORT_INTERVAL"
-else
-    # if this is linux then preset the username to root as it is unlikely that
-    # any patches have been applied to allow non-root users to open devices
-    # for packet capture.
-    if [ "x$BRO_SYS_TYPE" = 'xLINUX' ]; then
-        BRO_USER_ID='root'
-    fi
-    
-    vars="BRO_LOG_ARCHIVE BRO_USER_ID BRO_CAPTURE_INTERFACE BRO_SITE_NAME BRO_REPORT_START_TIME BRO_REPORT_INTERVAL"
-fi
-
-# set the iface to what I think is correct
-# if there is no default
-if [ -z "$BRO_CAPTURE_INTERFACE" ]; then
-    bro_config_get_busy_iface
-    BRO_CAPTURE_INTERFACE=$busy_iface
-fi
-
-# setup the SITE name
-bro_config_site_name
-
-# prompt for all the values
-# NOTE: ${!variable} only works in bash
-for val in $vars;
-do
-    # Grrr, why can't bsd ship with a *real* shell like bash!
-    # can't use bro_config_input $val ${!val}
-    varname="$`echo $val`"
-    varval=`eval echo $varname` 
-    bro_config_input $val $varval
-done
-
-bro_config_email 
-if [ "x$bro_do_email_local" = "xYES" ]; then
-    bro_config_gpg_vals 
-fi
-
-#output all the values (if debug)
-if [ $Debug -eq 1 ]; then
-    for val in $vars;
-    do
-        varname="$`echo $val`"
-        varval=`eval echo $varname` 
-        echo Setting $val to $varval
-    done
-fi
-
-# we can only do the following if we are root
-if [ $nonroot -ne 1 ] ; then 
-    bro_config_add_user
-    # check various system parameters
-    bro_config_system_parms
-    # Linux does not do bpf devices, skip these tests.
-    if [ "x$BRO_SYS_TYPE" = 'xFREEBSD4' ]; then
-        # configure the bpfs before doing the dump :-)
-        bro_config_run_bpf
-        # configure the bpfs to be group readable
-        bro_config_chown_bpf
-    fi
-    if [ "x$BRO_SYS_TYPE" = 'xFREEBSD5' -o "x$BRO_SYS_TYPE" = 'xFREEBSD6' ]; then
-        bro_config_freebsd_devfs
-    fi
-    # if perl doesn't exist, don't bother...
-    if [ "@PERL@" != "" ]; then
-        # run the localnets program
-        bro_config_run_localnets
-    fi
-else
-    bro_config_nonroot_message
-fi
-# create the output file
-bro_config_export_vars
-bro_config_export_user
-echo "Bro Configuration Finished. "
-echo $n "Press any key to now to continue. "
-read RESP
-exit 0
-
diff --git a/scripts/bro_log_compress.sh b/scripts/bro_log_compress.sh
deleted file mode 100755
index 5659e7c7a6..0000000000
--- a/scripts/bro_log_compress.sh
+++ /dev/null
@@ -1,88 +0,0 @@
-#!/bin/sh 
-# very simple script to compress old files and remove older files
-# You will probably want to do something more sophisticated for
-#	a production bro installation (e.g.: Integrate this into
-#	your backup scripts)
-#
-# Note: might want to check current disk space and just exit
-#	if there is lots of space
-#
-#set -x
-
-if [ $BROHOME ] ; then
-  . $BROHOME/etc/bro.cfg
-else
-  # if BROHOME is not set, try default location
-  . /usr/local/bro/etc/bro.cfg
-fi
-
-#echo found BROLOGS in bro.cfg: $BROLOGS
-logdir=$BROLOGS/
-
-if [ ! -d $logdir ] ; then
-    echo "Error: log file directory not found"
-    exit
-fi
-
-Days2deletion=$BRO_DAYS_2_DELETION
-Days2compression=$BRO_DAYS_2_COMPRESSION
-
-echo "Deleting files older than $BRO_DAYS_2_DELETION days, and compressing files older than $BRO_DAYS_2_COMPRESSION days"
-
-echo "Checking directory: $BRO_LOG_ARCHIVE"
-# first delete old archives
-filelist=`find $BRO_LOG_ARCHIVE -type f -mtime +$Days2deletion -print `
-#echo list of files to delete: $filelist
-
-for file in $filelist
-   do
-        echo removing: $file
-	rm -f $file
-   done
-
-# next delete old sorted log files needed by Brooery
-if [ -d $BROOERY_LOGS ] ; then
-   echo "Checking directory: $BROOERY_LOGS"
-   filelist=`find $BROOERY_LOGS -type f -mtime +$Days2deletion -print `
-   #echo list of files to delete: $filelist
-
-   for file in $filelist
-      do
-           echo removing: $file
-	   rm -f $file
-      done
-fi
-
-echo "Checking directory: $logdir"
-# also check for any old stuff in the main log dir (just in case)
-filelist=`find $logdir -type f -mtime +$Days2deletion -print `
-#echo list of files to delete: $filelist
-
-for file in $filelist
-   do
-        echo removing: $file
-	rm -f $file
-   done
-
-#delete core files that are more than 4 days old
-filelist=`find $logdir -name "*core*" -mtime +4 -print `
-for file in $filelist
-   do
-        echo removing: $file
-	rm -f $file
-   done
-
-
-filelist=`find $logdir -type f -mtime +$Days2compression -print `
-#echo list of files to compress: $filelist
-
-for file in $filelist
-   do
-        echo compressing: $file
-	nice gzip $file
-   done
-
-echo Moving compressed files to archive dir: $BRO_LOG_ARCHIVE
-mv $logdir/*.gz $BRO_LOG_ARCHIVE
-echo Done.
-exit
diff --git a/scripts/diskspace.sh b/scripts/diskspace.sh
deleted file mode 100755
index 53b94b526b..0000000000
--- a/scripts/diskspace.sh
+++ /dev/null
@@ -1,36 +0,0 @@
-#!/bin/sh
-# script to check disk space and send email if getting full.
-# constants are in BROHOME/etc/bro.cfg
-
-. $BROHOME/etc/bro.cfg
-
-if [ -n "$diskspace_enable" -a "x$diskspace_enable" != "xNO" ]; then
-	prog="`basename $0 .sh`"
-	t=/tmp/$prog.$$
-	o=$prog.list
-	df -kt ufs | sed -e '1d' -e 's/% / /' | \
-	(while read filesys size used avail pct path ;do
-		if [ "$pct" -ge "$diskspace_pct" ]; then
-			echo "Filesystem $path ($filesys) getting full ($pct%)"
-		fi
-	done) > $t 2>&1
-	if [ -s $t ]; then
-		if [ -f $o ]; then
-			diff $o $t > /dev/null 2>&1
-			# remove temp file if no differences
-			if [ $? = 0 ]; then
-				rm $t
-			else
-				rm $o
-			fi
-		fi
-		if [ -f $t ]; then
-			mail -s "`hostname` disk space report" \
-			    "$diskspace_watcher" < $t
-			/bin/cp $t $o
-		fi
-	else
-		rm -f $o
-	fi
-	rm -f $t
-fi
diff --git a/scripts/frontend-mail-reports.sh b/scripts/frontend-mail-reports.sh
deleted file mode 100644
index 32c419e617..0000000000
--- a/scripts/frontend-mail-reports.sh
+++ /dev/null
@@ -1,29 +0,0 @@
-#!/bin/sh
-#
-# script to check if rsync of logs has finished, and runs site-report.pl
-#
-# usage: frontend-mail-report.sh BroConfigFile
-#
-
-# where are we located
-base=`dirname $0`
-#set up the environment
-if [ $1 ] ; then
-   . $1
-else
-   . $base/../etc/bro.cfg
-fi
-
-echo " "
-echo "`date`: checking if reports are ready to mail:" $BROHOME/logs/MailReports.$BRO_HOSTNAME
-
-# only run if file $BROHOME/logs/MailReports.$BRO_HOSTNAME 
-if [ -e $BROHOME/logs/MailReports.$BRO_HOSTNAME ] ; then
-     echo "Reports ready: Running mail reports script"
-     $BROHOME/scripts/mail_reports.sh $1
-     rm $BROHOME/logs/MailReports.$BRO_HOSTNAME 
-else
-     echo "Reports not ready"
-fi
-
-
diff --git a/scripts/frontend-site-report.sh b/scripts/frontend-site-report.sh
deleted file mode 100644
index 55b6bf72ab..0000000000
--- a/scripts/frontend-site-report.sh
+++ /dev/null
@@ -1,32 +0,0 @@
-#!/bin/sh
-#
-# script to check if rsync of logs has finished, and runs site-report.pl
-#
-# usage: frontend-site-report.sh BroConfigFile
-#
-#set -x
-
-# where are we located
-base=`dirname $0`
-#set up the environment
-if [ $1 ] ; then
-   . $1
-else
-   . $base/../etc/bro.cfg
-fi
-
-echo " "
-echo "`date`: checking if reports are ready to generate:" $BROHOME/logs/DoReports.$BRO_HOSTNAME
-
-# only run if file $BROHOME/logs/DoReports.$BROHOST
-if [ -e $BROHOME/logs/DoReports.$BRO_HOSTNAME ] ; then
-     echo "rsync done: running site report script"
-     rm $BROHOME/logs/DoReports.$BRO_HOSTNAME
-     $BROHOME/scripts/site-report.pl --broconfig $1
-     # create file indicating report is finished
-     echo "creating file" $BROHOME/logs/MailReports.$BRO_HOSTNAME
-     touch $BROHOME/logs/MailReports.$BRO_HOSTNAME
-else
-     echo "rsync not done"
-fi
-
diff --git a/scripts/install_cron.sh b/scripts/install_cron.sh
deleted file mode 100755
index 435a730a6b..0000000000
--- a/scripts/install_cron.sh
+++ /dev/null
@@ -1,111 +0,0 @@
-#!/bin/sh
-
-#install bro into your crontab for checkpointing
-
-# source our cfg or guess at some defaults
-if [ -r ./bro.cfg ] ; then
-    . ./bro.cfg
-else
-    echo "Can't find bro.cfg, not installing crontab"
-    #BRO_REPORT_START_TIME=0000
-    #BROHOME="/usr/local/bro"
-    #BRO_REPORT_INTERVAL=24
-    #BRO_CHECKPOINT_INTERVAL=24
-fi
-
-RPT_MIN=`echo ${BRO_REPORT_START_TIME} | cut -c3-`
-RPT_HR=`echo ${BRO_REPORT_START_TIME} | cut -c1,2`
-RPT_INT=${BRO_REPORT_INTERVAL}
-CHK_INT=${BRO_CHECKPOINT_INTERVAL}
-
-if [ ${CHK_INT} -ge 24 ] ; then 
-    CHK_INT=24
-fi
-
-if [ ${RPT_INT} -ge 24 ] ; then 
-    RPT_INT=24
-fi
-
-create_cron()
-{
-    echo "BROHOME=${BROHOME}" >> /tmp/bro.crontab
-    echo "# checkpoint Bro once a week" >> /tmp/bro.crontab
-    echo "0 0 * * 1 ${BROHOME}/etc/bro.rc --checkpoint" >> /tmp/bro.crontab 
-    #if [ ${CHK_INT} -eq 24 ] ; then 
-    #    echo "0 0 * * 1 ${BROHOME}/etc/bro.rc --checkpoint" >> /tmp/bro.crontab 
-    #else
-    #    echo "0 0/${CHK_INT} * * * ${BROHOME}/etc/bro.rc --checkpoint" >> /tmp/bro.crontab 
-    #fi
-    if [ ${RPT_INT} -eq 24 ] ; then 
-        echo "${RPT_MIN} ${RPT_HR} * * * ( nice -n 19 ${BROHOME}/scripts/site-report.pl )" >> /tmp/bro.crontab 
-    else
-        echo "${RPT_MIN} ${RPT_HR}/${RPT_INT} * * * ( nice -n 19 ${BROHOME}/scripts/site-report.pl )" >> /tmp/bro.crontab 
-    fi
-
-    echo "${RPT_MIN} $((${RPT_HR} + 3)) * * * (${BROHOME}/scripts/mail_reports.sh ${BROHOME}/etc/bro.cfg)" >> /tmp/bro.crontab 
-    echo "0 3 * * * (${BROHOME}/scripts/bro_log_compress.sh)" >> /tmp/bro.crontab 
-
-# insert rsync stuff, commented out, as an example:
-    echo "# If you are process logs on a front end host, add this: " >> /tmp/bro.crontab 
-    echo "#10 3 * * * (${BROHOME}/scripts/push_logs.sh FrontendHost)" >> /tmp/bro.crontab 
-
-    crontab /tmp/bro.crontab 
-    s=$? 
-    if [ $s -ne 0 ] ; then 
-        echo "Can NOT install crontab. Please see crontab.example" 
-        echo "for an example crontab to install" 
-    else 
-        echo "" 
-        echo "New crontab installed." 
-        echo "" 
-    fi 
-    rm /tmp/bro.crontab 
-    echo "" 
-    echo "New crontab installed." 
-    echo "" 
-}
-
-install_cron ()
-{
-    if [ -f /tmp/bro.crontab ] ; then                        
-        rm  /tmp/bro.crontab  
-    fi 
-    if crontab -l > /tmp/bro.crontab ; then 
-        if grep bro.rc /tmp/bro.crontab > /dev/null; then 
-            echo "" 
-            echo "Bro already installed in crontab!" 
-            echo "Not installing a new crontab" 
-            echo "" 
-        else 
-            create_cron
-        fi 
-    else 
-        create_cron
-    fi 
-}
-
-uninstall_cron()
-{
-    pid=$$
-    crontab -l > /tmp/cron.orig.${pid} 2>&1 
-    echo "status = $?"
-    if [ $? -eq 0 ] ; then
-        cat /tmp/cron.orig.${pid} | sed -e '/^.*bro_log_compress.sh)$/d' -e '/^.*etc\/bro.cfg; .\/mail_reports.sh)$/d' -e '/^.*.\/site-report.pl)$/d' -e '/^.*bro.rc --checkpoint$/d' > /tmp/cron.new.${pid}
-    else
-        echo "crontab missing?"
-    fi
-    echo "yes" | crontab -r 
-    crontab /tmp/cron.new.${pid}
-    echo "You can view your new crontab with a 'crontab -l'"
-    echo "Your old crontab is in /tmp/cron.orig.${pid}"
-}
-
-case $1 in
-    install)
-        install_cron
-        ;;
-    uninstall)
-        uninstall_cron
-        ;;
-esac
-exit 0
diff --git a/scripts/intern.bro.default b/scripts/intern.bro.default
deleted file mode 100644
index d40b39a556..0000000000
--- a/scripts/intern.bro.default
+++ /dev/null
@@ -1,15 +0,0 @@
-# This file should describe your network configuration.
-# If your local network is a class C, and its network
-# address was 192.168.1.0 and a class B network 
-# with address space 10.1.0.0.
-# Then you would put 192.168.1.0/24 and 10.1.0.0/16 into 
-# this file, telling bro what your local networks are.
-
-@load site
-
-redef local_nets: set[subnet] = {
-    # example of a class C network
-    192.168.1.0/24,
-    # example of a class B network
-    10.1.0.0/16
-};
diff --git a/scripts/local.lite.bro b/scripts/local.lite.bro
deleted file mode 100644
index 0bdecde13b..0000000000
--- a/scripts/local.lite.bro
+++ /dev/null
@@ -1,30 +0,0 @@
-# $Id: local.lite.bro 1115 2005-03-20 06:51:11Z vern $
-
-# This file is intended for host-specific Bro policy.
-
-# What is host-specific?  It can be anything that is not the default
-# after installation.  This is the place to make tweaks and changes
-# to modify policy to suit your network environment and preferences.
-
-# The following causes Bro to load local.XXX.bro anytime you
-# "@load XXX" (along with first loading XXX.bro).
-#
-@prefixes = local
-
-@load brolite	# root policy which loads all other default policies.
-
-# File generated by the network script for dynamic configuration of
-# the local network subnets.
-@load site
-
-
-# Make any changes to policy starting HERE:
-
-# To run signatures, uncomment the following line.
-# @load brolite-sigs
-
-@ifdef ( use_signatures )
-	# Load Bro signatures.  This is the default file containing Bro
-	# signatures.
-	redef signature_files += "signatures";
-@endif
diff --git a/scripts/local.site.bro.default b/scripts/local.site.bro.default
deleted file mode 100644
index d40b39a556..0000000000
--- a/scripts/local.site.bro.default
+++ /dev/null
@@ -1,15 +0,0 @@
-# This file should describe your network configuration.
-# If your local network is a class C, and its network
-# address was 192.168.1.0 and a class B network 
-# with address space 10.1.0.0.
-# Then you would put 192.168.1.0/24 and 10.1.0.0/16 into 
-# this file, telling bro what your local networks are.
-
-@load site
-
-redef local_nets: set[subnet] = {
-    # example of a class C network
-    192.168.1.0/24,
-    # example of a class B network
-    10.1.0.0/16
-};
diff --git a/scripts/localnetMAC.pl.in b/scripts/localnetMAC.pl.in
deleted file mode 100755
index 76d2e4d8a4..0000000000
--- a/scripts/localnetMAC.pl.in
+++ /dev/null
@@ -1,184 +0,0 @@
-#!@PERL@
-
-##This script assumes that there are a lot more external IP Adresses
-##than internal ones. It associates all IP adresses with a MAC Adress
-##and tracks what MAC adress communicates with what other MAC adress.
-
-use strict;
-use IP4;
-use Getopt::Std;
-
-my $usage="localnetMac.pl -r <dumpfile> or
-localnetMac.pl -t <ascii file>
-options:
-\t-a <aggregate up to bits>
-\t-b <output bro-syntax internal nets to file>
-\t-m do not ignore multicast IP addresses
-\t-v output debug info
-\nInput is taken either from plain or gzip compressed files.
-Input formats:
-\tlibpcap dump file containing ethernet packets
-\tasci file containing <LinkLayerAdr1 LinkLayerAdr2 IPAdr1 IPAdr2> per line
-\nNote: for libpcap inputs currently only ethernet is supported. Other link layer protocols should work if using ascii input.\n";
-
-my %args;
-getopts("a:b:mr:t:v", \%args);
-my $aggto=0;
-my $broout="";
-my $decomp;
-my $multicast = 0;
-my $MCASTMIN=224;
-my $MCASTMAX=239;
-my $debug = 0;
-if (!defined $args{r} and !defined $args{t}){die $usage;}
-if (defined $args{a}){$aggto = $args{a};}
-if (defined $args{b}){$broout=$args{b};}
-if (defined $args{m}){$multicast = 1;}
-if (defined $args{v}){$debug = 1;}
-
-if($args{r}=~/gz$/ or $args{t}=~/gz$/){
-    $decomp = `which zcat`;
-    chomp($decomp);
-    if ($decomp eq ""){
-	$decomp = `which gzcat`;
-	chomp($decomp);
-    }
-    if ($decomp eq ""){
-	die "You need zcat or gzcat in your \$PATH in order to process compressed files\n";
-    }
-}
-
-my $fh;
-if ($args{r} and $args{r}=~/gz$/){
-    open (IN, "$decomp $args{r} |../aux/adtrace/adtrace -|") or die "cannot execute $decomp $args{r} |../aux/adtrace/adtrace - : $!\n";
-    $fh = *IN;
-}elsif($args{r}){
-    open (IN, "../aux/adtrace/adtrace $args{r}|") or die "cannot execute ./adtrace/adtrace $args{r}: $!\n";
-    $fh = *IN;
-}elsif($args{t} and $args{t}=~/gz$/){
-    open (IN, "$decomp $args{t} |") or die "cannot execute $decomp $args{t} | : $!\n";
-    $fh = *IN;
-}elsif($args{t} and $args{t} eq "-"){
-    $fh = *STDIN;
-}else{
-    open (IN, "$args{t}") or die "cannot open $args{t}: $!\n";
-    $fh = *IN;
-}
-
-my %cMacs;
-my %macIP;
-
-#for statistics:
-my $ips=0;
-my $pkt=0;
-
-my $line;
-while ($line=<$fh>){
-    chomp($line);
-    $pkt++;
-    my ($sMac, $dMac, $sIP, $dIP)=split(/ /, $line);
-
-    if (!$multicast and $sIP=~/^(\d+)\./ and $1>=$MCASTMIN and $1<=$MCASTMAX){next;}
-    if (!$multicast and $dIP=~/^(\d+)\./ and $1>=$MCASTMIN and $1<=$MCASTMAX){next;}
-
-    $macIP{$sMac}->{count}++ if (!exists $macIP{$sMac}->{$sIP});    
-    $macIP{$sMac}->{$sIP}++;
-    $macIP{$dMac}->{count}++ if (!exists $macIP{$dMac}->{$dIP});
-    $macIP{$dMac}->{$dIP}++;
-    
-    $cMacs{join(" ", sort($sMac, $dMac))}++;
-
-}
-
-close ($fh);
-
-foreach my $mac (keys %macIP){
-    $ips += $macIP{$mac}->{count};
-}
-
-printf ("observed %d MAC adresses\n", scalar(keys %macIP));
-print (join ("\n", keys %cMacs));
-print "\n";
-print "observed $pkt packets and $ips distinct IP adresses\nLocal IP addresses:\n";
-
-
-if ($broout){
-    open (OUT, "> $broout") or die "cannot open $broout: $!\n";
-    print OUT "### Local Networks automatically generated by localnetMAC.pl ###\n";
-    if ($aggto){
-	print OUT "### NOTE: Internal Networks have been aggregated up to /$aggto networks.\n";
-	print OUT "### NOTE: Therefore it may happen that some external Networks\n";
-	print OUT "### NOTE: are considered local\n";
-    }
-    print OUT "### file generated at ".localtime()." (local system-time)\n";
-    printf OUT ("### observed %d MAC adresses:\n###\t", scalar(keys %macIP));
-    print OUT (join ("\n###\t", keys %cMacs));
-    print OUT "\n";
-    print OUT "### observed $pkt packets and $ips distinct IP adresses\n";
-    print OUT "\n\n";
-    print OUT "\@load site\n\n";
-    print OUT "redef local_nets: set[subnet] = {\n";
-}
-
-foreach my $macPair (keys %cMacs){
-    my ($mac1, $mac2) = split(/ /, $macPair);
-    my %record1;
-    my %record2;
-    my ($smallRec, $bigRec);
-    $record1{mac} = $mac1;
-    $record2{mac} = $mac2;
-    $record1{hash} = $macIP{$mac1};
-    $record2{hash} = $macIP{$mac2};
-    $record1{count} = delete $record1{hash}->{count};
-    $record2{count} = delete $record2{hash}->{count};
-    $record1{masks} = [];
-    $record2{masks} = [];
-
-    if ($debug){
-	print "*** $mac1 ($record1{count}) ***\n";
-	print join("\n", sort keys %{$macIP{$mac1}});
-	print "\n*** $mac1 ($record1{count}) end***\n";
-	print "*** $mac2 ($record2{count}) ***\n";
-	print join("\n", sort keys %{$macIP{$mac2}});
-	print "\n*** $mac2 ($record2{count}) end***\n";
-    }
-
-    my @ips1 = map(getIPFromString($_), keys %{$record1{hash}});
-    $record1{ips} = \@ips1;
-    aggregateSinglesTo($record1{ips}, $record1{masks}, $aggto) if ($aggto);
-    my @ips2 = map(getIPFromString($_), keys %{$record2{hash}} );
-    $record2{ips} = \@ips2;
-    aggregateSinglesTo($record2{ips}, $record2{masks}, $aggto) if ($aggto);
-
-    if (scalar( @{$record1{ips}} ) < scalar( @{$record2{ips}} )){
-	$smallRec = \%record1;
-	$bigRec = \%record2;
-    }else{
-	$smallRec = \%record2;
-	$bigRec = \%record1;
-    }
-    if ($broout){
-	printf OUT ("\t# $smallRec->{mac}: %d(%d) IPs (considered local);\n\t# $bigRec->{mac}: %d(%d) IPs (considered extern)\n", 
-		    scalar( @{$smallRec->{ips}} ),$smallRec->{count}, 
-		    scalar( @{$bigRec->{ips}} ), $bigRec->{count});
-    }
-    printf ("$smallRec->{mac}: %d(%d) IPs (considered local); $bigRec->{mac}: %d(%d) IPs (considered extern)\n", 
-	    scalar( @{$smallRec->{ips}} ),$smallRec->{count},
-	    scalar( @{$bigRec->{ips}} ), $bigRec->{count});
-    @{$smallRec->{ips}} = map( getStringFromIP($_), @{$smallRec->{ips}} );
-    @{$smallRec->{masks}} = map( getPrefixFromMask($_), @{$smallRec->{masks}} );
-    for(my $i = 0; $i <= $#{$smallRec->{ips}}; $i++){
-	if ($smallRec->{masks}->[$i]){
-	    print "$smallRec->{ips}->[$i]/$smallRec->{masks}->[$i]\n";
-	    if ($broout){print OUT "\t $smallRec->{ips}->[$i]/$smallRec->{masks}->[$i],\n";}
-	}else{
-	    print "$smallRec->{ips}->[$i]\n";
-	    if ($broout){print OUT "\t $smallRec->{ips}->[$i]/32,\n";}
-	}
-    }
-}
-
-if ($broout){
-    print OUT "};\n";
-    close(OUT);
-}
diff --git a/scripts/mail_notice.sh b/scripts/mail_notice.sh
deleted file mode 100755
index d2925dd49c..0000000000
--- a/scripts/mail_notice.sh
+++ /dev/null
@@ -1,28 +0,0 @@
-#!/bin/sh
-#
-# This is a sample script to provide basic email notification for
-# notices marked NOTICE_EMAIL .
-#
-# Usage: mail_notice "subject" recipient (optional config path)
-
-notice="/tmp/bro.notice.$$"
-
-# Clean up after ourselves.
-trap "rm -f $notice; exit" 1 2 15
-
-# Where are we located.
-base=`dirname $0`
-
-# Set up the environment.
-if [ $3 ] ; then
-	. $3
-else
-	. $base/../etc/bro.cfg
-fi
-
-echo "From:<$BRO_EMAIL_FROM>" > $notice
-echo "To:<$2>" >> $notice
-echo "Subject: Bro alarm: $1" >> $notice
-
-sendmail <$notice -oi -f $BRO_EMAIL_FROM $2
-rm -f $notice
diff --git a/scripts/mail_reports.sh b/scripts/mail_reports.sh
deleted file mode 100755
index 6e67177677..0000000000
--- a/scripts/mail_reports.sh
+++ /dev/null
@@ -1,81 +0,0 @@
-#!/bin/sh
-#
-# Shell script to mail reports, should be called from
-# crontab
-# $Id: mail_reports.sh 1554 2005-10-24 22:20:26Z tierney $
-#
-# Usage: mail_reports.sh configFile (default config file = ../etc/bro.cfg)
-
-gpg_error=""
-sent_message=""
-tmp_file="/tmp/bro.report.$$"
-
-# Clean up after ourselves.
-trap "rm $tmp_file; exit" 1 2 15
-
-# Where are we located.
-base=`dirname $0`
-
-# Set up the environment.
-if [ $1 ] ; then
-   . $1
-else
-   . $base/../etc/bro.cfg
-fi
-
-for f in /usr/bin/sendmail /usr/sbin/sendmail /usr/lib/sendmail; do
-   if [ -x ${f} ]; then
-	    d="`dirname ${f}`"
-	    PATH="${d}:${PATH}"
-	    export PATH
-   fi
-done
-
-# find the newest report in the report directory
-report=`ls -1t $BRO_REPORT_DIR/$BRO_SITE_NAME*.rpt | head -1`
-report_interval=`grep Report $report | awk '{print $6,"-",$9}'`
-
-# set up temporary report with subject line embedded
-report_subject="Subject: $BRO_HOSTNAME Report: $report_interval"
-
-# and email it
-# if encrypted make sure we have a good (gpg) bin  and keys
-if [ $BRO_ENCRYPT_EMAIL = "YES" ] ; then
-    if [ -x $BRO_GPG_BIN ] ; then
-	for recpt in $BRO_EMAIL_LOCAL ;  do
-	    echo "From: <$BRO_EMAIL_FROM>" > $tmp_file
-	    echo "To: <$recpt>" >> $tmp_file
-	    echo "$report_subject" >> $tmp_file
-	    cat $report | $BRO_GPG_BIN --yes -ea -r $recpt >> $tmp_file
-	    # If the encryption fails, send it unencrypted
-	    if [ $? -ne 0 ] ; then
-		echo "From:<$BRO_EMAIL_FROM>" > $tmp_file
-		echo "To: <$recpt>" >> $tmp_file
-		echo "$report_subject" >> $tmp_file
-		cat $report >> $tmp_file
-	    fi
-	    cat $tmp_file | sendmail -oi -f $BRO_EMAIL_FROM $recpt
-	done
-	sent_message="1"
-	rm $tmp_file
-    else
-	gpg_error="1"
-    fi
-fi
-
-# if there was an error or we are sending unencrypted ...
-if [ -z $sent_message ] ; then
-    for recpt in $BRO_EMAIL_LOCAL ;  do
-	echo "From: <$BRO_EMAIL_FROM>" > $tmp_file
-	echo "To: <$recpt>" >> $tmp_file
-	echo "$report_subject" >> $tmp_file
-	cat $report >> $tmp_file
-	if [ $gpg_error ] ; then
-	    echo "Invalid gpg bin $BRO_GPG_BIN" >> $tmp_file
-	fi
-	cat $tmp_file | sendmail -oi -f $BRO_EMAIL_FROM $recpt
-    done
-    rm  $tmp_file
-fi
-
-exit 0
diff --git a/scripts/make-ftp-safe-vocabulary.awk b/scripts/make-ftp-safe-vocabulary.awk
deleted file mode 100644
index 57c83d3352..0000000000
--- a/scripts/make-ftp-safe-vocabulary.awk
+++ /dev/null
@@ -1,19 +0,0 @@
-# Usage:
-#
-# grep "^word_in_reply" ftp-anon.log |
-# grep -v "ty=ip" |
-# sort -k 3 -k 2 -k 5 -n -r |
-# awk -f make-ftp-safe-vocabulary.awk -
-#
-# grep "^word_in_reply" ftp-anon.log | grep -v "ty=ip" | awk -f make-ftp-safe-vocabulary.awk - | sort
-
-BEGIN	{
-    FS = ",";
-	print "redef safe_ftp_word += {"
-	}
-
-	{
-	printf("# \t%s, \t\t# %s, %s, %s\n", $2, $3, $4, $5);
-	}
-
-END	{ print "};" }
diff --git a/scripts/my-local.bro b/scripts/my-local.bro
deleted file mode 100644
index ab513666fd..0000000000
--- a/scripts/my-local.bro
+++ /dev/null
@@ -1,20 +0,0 @@
-# $Id: my-local.bro 507 2004-10-12 11:43:19Z rwinslow $
-
-# This file is intended for host specific Bro policy.
-
-# What is host specific?  It can be anything that is not the default
-# after installation.  This is the place to make tweaks and changes
-# to modify policy to suite your network environment and preferences.
-
-@load brolite	# root policy which loads all other default policies.
-@load intern	# file generated by the network script for dynamic config
-		# of the local network subnets.
-@load my-site	# local policy file with site specific configurations.
-
-
-
-# Make any changes to policy starting here
-
-# Load Bro rules
-redef signature_files += "s2b-addendum-sigs";
-redef signature_files += "s2b";
diff --git a/scripts/my-site.bro b/scripts/my-site.bro
deleted file mode 100644
index fcc2469969..0000000000
--- a/scripts/my-site.bro
+++ /dev/null
@@ -1,17 +0,0 @@
-# $Id: my-site.bro 506 2004-10-12 11:13:03Z rwinslow $
-
-# This file is intended for site specific Bro policy.
-
-# What is site specific?  For instances in which there are multiple
-# Bro machines or instances running it may be useful to store common
-# configuration data among them.
-
-# Common data may be certain subnets to which attacks should be alerted
-# differently or perhaps certain addresses which you never care about
-# or want to change the notice actions.
-
-# This file is left blank as a place holder.
-
-
-
-
diff --git a/scripts/perl/MANIFEST b/scripts/perl/MANIFEST
deleted file mode 100644
index ebd707e4ae..0000000000
--- a/scripts/perl/MANIFEST
+++ /dev/null
@@ -1,13 +0,0 @@
-lib/Bro/Config.pm
-lib/Bro/Log.pm
-lib/Bro/Log/Alarm.pm
-lib/Bro/Log/Conn.pm
-lib/Bro/Report.pm
-lib/Bro/Report/Alarm.pm
-lib/Bro/Report/Conn.pm
-lib/Bro/Signature.pm
-Makefile.PL
-MANIFEST			This list of files
-README
-script/edit-brorule.pl
-script/site-report.pl
diff --git a/scripts/perl/Makefile.PL b/scripts/perl/Makefile.PL
deleted file mode 100644
index aa5175ca4f..0000000000
--- a/scripts/perl/Makefile.PL
+++ /dev/null
@@ -1,230 +0,0 @@
-require 5.006_001;
-use ExtUtils::MakeMaker;
-use Cwd;
-use strict;
-# See lib/ExtUtils/MakeMaker.pm for details of how to influence
-# the contents of the Makefile that is written.
-
-my @args = @ARGV;
-my @cleaned_args;
-my $scripts_dir = './script';
-my $scripts_list;
-my $brohome = '';
-my $broconfig = '';
-my %extra_args = ( 'BROHOME' => \$brohome, 'BROCONFIG' => \$broconfig, );
-
-# Look for any extra args that are not recognized by MakeMaker.  Use and
-# then omit from the array of the final args to pass to MakeMaker.
-foreach my $arg( @args )
-{
-	$arg =~ m/^(.+)=(.+)/;
-	my $key = $1;
-	my $val = $2;
-	if( exists( $extra_args{$key} ) )
-	{
-		${$extra_args{$key}} = $val;
-	}
-	else
-	{
-		push( @cleaned_args, $arg );
-	}
-}
-
-# If any extra args that are not recognized by MakeMaker existed they are removed
-# by now.
-@_ = @cleaned_args;
-@ARGV = @cleaned_args;
-
-if( ! $brohome )
-{
-	if( exists( $ENV{BROHOME} ) )
-	{
-		$brohome = $ENV{BROHOME};
-	}
-	else
-	{
-		$brohome = '/usr/local/bro';
-	}
-}
-
-if( ! $broconfig )
-{
-	$broconfig = "$brohome/etc/bro.cfg";
-}
-
-
-
-check_prereqs();
-
-$scripts_list = get_exe_list();
-
-foreach my $file( @{$scripts_list} )
-{
-	setbroconfig( $broconfig, $file );
-}
-
-WriteMakefile(
-	'NAME'			=> 'Bro',
-	'DISTNAME'		=> 'Bro-Utilities',
-	'VERSION_FROM'		=> 'lib/Bro/Config.pm', # finds $VERSION
-	'PREREQ_PM'		=> { 'Config::General' => 2.27,
-					'Time::Local' => 0,
-					'Getopt::Long' => 0,
-					'Socket' => 0,
-					},
-	'EXE_FILES'		=> $scripts_list,
-	'dist'		=> {
-		'COMPRESS'	=> 'gzip',
-		'SUFFIX'		=> 'gz'
-	},
-	($] >= 5.005 ?    ## Add these new keywords supported since 5.005
-	('AUTHOR'		=> 'Roger Winslow <rwinslow@lbl.gov>') : ()),
-);
-
-
-sub chk_version
-{
-	no strict qw( refs vars );
-	my($pkg,$wanted,$msg) = @_;
-
-	local($|) = 1;
-	print "Checking for $pkg...";
-
-	eval { my $p; ($p = $pkg . ".pm") =~ s#::#/#g; require $p; };
-
-	print ${"${pkg}::VERSION"} ? "found v" . ${"${pkg}::VERSION"}
-						   : "not found";
-	print "\n";
-	my $vnum = ${"${pkg}::VERSION"} || 0;
-
-	if( $vnum >= $wanted )
-	{
-		print "$pkg is installed\n";
-		return( 1 );
-	}
-	else
-	{
-		return();
-	}
-	
-	use strict;
-}
-
-sub check_prereqs
-{	
-	my $failed_prereq = 0;
-	
-	# Require perl version 5.6.1 or greater
-	eval { require 5.006_001; };
-	if( $@ )
-	{
-		die( "The minimum version of perl required is 5.6.1 (5.006_001).  Please use a different perl binary to install this package.\n" );
-	}
-	
-	if( chk_version( 'Config::General' => '2.27' ) )
-	{
-		# do nothing
-	}
-	else
-	{
-		my $orig_dir = cwd();
-		
-		# Bypass the user prompt for this version
-		# my $confer = prompt( "Config::General is not installed. Would you like to install it now?",
-		#		'yes' );
-		
-		my $confer = 'y';
-		if( $confer =~ m/yes|y/i )
-		{
-			chdir 'ext';
-			unpack_archive( 'Config-General-2.27.tar.gz' );
-			chdir 'Config-General-2.27';
-			print "Installing Config-General-2.27.\n";
-			sleep( 1 );
-			do 'Makefile.PL';
-			if( system( "make; make install" ) == 0 )
-			{
-				print "\n ........... done\n";
-			}
-			else
-			{
-				warn( "Failed to install perl package Config-General-2.27.\n" );
-			}
-			
-			chdir "$orig_dir";
-		}
-	}
-	
-	if( $failed_prereq )
-	{
-		warn( "Failed one or more prerequisite test, unable to continue.\n" );
-		exit( 1 );
-	}
-
-	print "\n";
-}
-
-sub unpack_archive
-{
-	my $_archive = shift || return( undef );
-	
-	system( "gzip -d < $_archive | tar xf -" );
-}
-
-sub get_exe_list
-{
-	my @ret_list;
-	
-	if( ! opendir( DIR, $scripts_dir ) )
-	{
-		warn( "Failed to open the scripts directory at $scripts_dir. Unable to continue.\n" );
-		exit( 1 );
-	}
-	
-	while( my $file = readdir( DIR ) )
-	{
-		if( $file !~ m/^\./ and $file !~ m/^makefile.*/i and
-			-f "$scripts_dir/$file" )
-		{
-			push( @ret_list, "$scripts_dir/$file" );
-		}
-	}
-	closedir( DIR );
-	
-	return( \@ret_list );
-}
-
-sub setbroconfig
-{
-	my $sub_name = 'setbroconfig';
-	
-	my $_broconfig = shift || return( undef );
-	my $_file = shift || return( undef );
-	
-	if( ! open( INFILE, $_file ) )
-	{
-		warn( "$sub_name, Failed to open file $_file for reading.\n" );
-		return( undef );
-	}
-	
-	if( ! open( OUTFILE, ">$_file.in" ) )
-	{
-		warn( "$sub_name, Failed to open file $_file.in for writing.\n" );
-		return( undef );
-	}
-	
-	while( defined( my $line = <INFILE> ) )
-	{
-		$line =~ s/^([[:space:]]*\$DEFAULT_BRO_CONFIG_FILE[[:space:]]*=[[:space:]]*).+(\;.*)$/$1\'$_broconfig\'$2/;
-        $line =~ s/\$DEFAULT_BRO_HOME/$brohome/;
-		print OUTFILE $line;
-	}
-	
-	close( OUTFILE );
-	close( INFILE );
-	
-	system( "mv -f $_file.in $_file" );
-	
-	return( 1 );
-}
-
diff --git a/scripts/perl/README b/scripts/perl/README
deleted file mode 100644
index 082febe528..0000000000
--- a/scripts/perl/README
+++ /dev/null
@@ -1,64 +0,0 @@
-This follows the same mantra as all other perl installers.
-
-
-PURPOSE:
-
-  This will install perl modules, libraries, and scripts that are used
-  for reports, editing signatures, and other useful utilities.
-
-
-DEFINITIONS:
-
-  $(PERL) is the path to the perl binary which you wish to use.
-  $(INSTALL_ROOT) is this directory which contains the Makefile.PL file.
-  BROHOME is the variable found in bro.cfg and defines the start of all
-    things Bro. (default: /usr/local/bro)
-  BROCONFIG is the location of the bro.cfg file.  (default: 
-    /usr/local/bro/etc/bro/cfg)
-
-
-REQUIREMENTS:
-
-  The minimum version of perl required by this installer and it's libraries
-  is 5.6.1 (5.006_001)
-  
-  The following perl modules are required:
-    Socket
-    Time::Local
-    Config::General (included and will install if neccessary)
-    Cwd
-    Getopt::Long
-
-
-INSTALL:
-
-  $(PERL) Makefile.PL (optional args)
-  make
-  make install
-
-
-INSTALLER NOTES:
-
-  For those of you maintaining this installer and/or want to include
-  additional packages to be installed here's how things are setup.
-  
-  $(INSTALL_ROOT)/lib contains perl modules (ending in .pm) and will be
-  installed in the perl site directory.
-  
-  $(INSTALL_ROOT)/script contains executable perl scripts which will be
-  installed in the directory defined by INSTALLSCRIPT.  The bang paths
-  will be automatically changed to the path of the perl binary that was
-  used to run Makefile.PL.  Files placed in here will also be scanned
-  for the variable $DEFAULT_BRO_CONFIG_FILE.  The value will automatically
-  be changed to one of the following in the order listed:
-    arguments passed to Makfile.PL:
-      BROCONFIG  (this is the path to bro.cfg)
-      BROHOME    (this is the path to BROHOME.  etc/bro.cfg will be appended)
-    Environment variable:
-      $BROHOME   (this is the path to BROHOME.  etc/bro.cfg will be appended)
-  
-  $(INSTALL_ROOT)/ext contains gzipped perl modules which are included
-  as a convenience.  These are packages created by other developers and
-  are usually found on cpan.org.  It will be necessary to change Makefile.PL
-  if additional packages are placed in here and they need to be installed.
-  
\ No newline at end of file
diff --git a/scripts/perl/ext/Config-General-2.27.tar.gz b/scripts/perl/ext/Config-General-2.27.tar.gz
deleted file mode 100644
index b6b2ce559a..0000000000
Binary files a/scripts/perl/ext/Config-General-2.27.tar.gz and /dev/null differ
diff --git a/scripts/perl/lib/Bro/Config.pm b/scripts/perl/lib/Bro/Config.pm
deleted file mode 100644
index 0fd6b3342d..0000000000
--- a/scripts/perl/lib/Bro/Config.pm
+++ /dev/null
@@ -1,120 +0,0 @@
-package Bro::Config;
-
-use strict;
-use Config::General;
-require Exporter;
-
-use vars qw( $VERSION
-			$DEBUG
-			@ISA
-			@EXPORT_OK
-			%DEFAULTS
-			$DEFAULT_CONFIG_FILE
-			$BRO_CONFIG );
-
-# $Id: Config.pm 987 2005-01-08 01:04:43Z rwinslow $
-$VERSION = 1.20;
-$DEBUG = 0;
-
-@ISA = ( 'Exporter' );
-@EXPORT_OK = qw( $BRO_CONFIG );
-%DEFAULTS = ( BROHOME => '/usr/local/bro',
-			BRO_POLICY_SUFFIX => '.bro',
-			BRO_SIG_SUFFIX => '.sig',
-			META_DATA_PREFIX => '.',
-			);
-			
-$DEFAULTS{CONFIG_FILE} = $DEFAULTS{BROHOME} . '/etc/bro.cfg';
-
-sub parse
-{
-	my $sub_name = 'parse';
-	
-	my %args = @_;
-	my $config_file;
-	my $brohome;
-	my $conf;
-	my $ret_hash;
-	
-	# Check for a config-path that may override the default
-	if( exists( $args{'File'} ) )
-	{
-		$config_file = $args{'File'};
-	}
-	else
-	{
-		$config_file = $DEFAULT_CONFIG_FILE;
-	}
-	
-	# Check for the existance and readability of the config file
-	if( !( -f $config_file and -r $config_file ) )
-	{
-		warn( __PACKAGE__ . "::$sub_name, The Bro config file at $config_file is not readable\n" );
-		return( undef );
-	}
-	
-	$conf = Config::General->new( -ConfigFile => $config_file,
-						-MergeDuplicateOptions => 1,
-						-AutoTrue => 1,
-					);
-	%{$ret_hash} = $conf->getall;
-	
-	return( $ret_hash );
-}
-
-sub Configure
-{
-	my $sub_name = 'Configure';
-	
-	my %args = @_;
-		
-	if( exists( $args{File} ) )
-	{
-		if( $args{File} !~ m/[\;\|\?\*\&\{\}]/ and $args{File} =~ m/^([[:print:]]+)$/ )
-		{
-			my $clean_name = $1;
-			if( -f $clean_name and -r $clean_name )
-			{
-				$DEFAULT_CONFIG_FILE = $clean_name;
-			}
-			else
-			{
-				warn( __PACKAGE__ . "::$sub_name, Unable to read config file at $clean_name\n" );
-				return( undef );
-			}
-		}
-		else
-		{
-			warn( __PACKAGE__ . "::$sub_name, Filename contains invalid characters\n" );
-			return( undef );
-		}
-	}
-	
-	$BRO_CONFIG = parse();
-	
-	# Set other defaults that have been omitted or don't exist in the config file
-	setdefaults();
-	
-	return( 1 );
-}
-
-sub setdefaults
-{
-	my $sub_name = 'setdefaults';
-	
-	my $override = $_[0] || 0;
-	my @variables_changed;
-	
-	foreach my $key( keys( %DEFAULTS ) )
-	{
-		if( $override or !( exists( $BRO_CONFIG->{$key} ) ) )
-		{
-			$BRO_CONFIG->{$key} = $DEFAULTS{$key};
-			push( @variables_changed, $key )
-		}
-	}
-	
-	return( @variables_changed );
-}
-
-1;
\ No newline at end of file
diff --git a/scripts/perl/lib/Bro/Log.pm b/scripts/perl/lib/Bro/Log.pm
deleted file mode 100644
index ceed5b747d..0000000000
--- a/scripts/perl/lib/Bro/Log.pm
+++ /dev/null
@@ -1,295 +0,0 @@
-package Bro::Log;
-
-require 5.006_001;
-use strict;
-use Bro::Config( '$BRO_CONFIG' );
-use Time::Local;
-
-use vars qw( $VERSION
-			$BROLOGS );
-
-# $Id: Log.pm 2865 2006-04-27 19:09:18Z tierney $
-$VERSION = 1.20;
-
-
-
-# This is the bare minimum format in which the filename must conform
-my $FILENAME_REGEX = qr/^[[:alnum:]]\.(?:log|[[:print:]]\.[[:print:]])/;
-
-# filename produced by Bro running from a trace file
-my $name_trace = qr/^([[:alnum:]]+)\.log$/;
-
-# filename produced from a Bro running on live traffic and currently open
-# or logs that are not rotated or post processed
-my $name_running = qr/^([[:alnum:]]+)	# log name
-				\.	# seperator
-				([^-][[:alnum:]-]*(?:\.[^-][[:alnum:]-])*)	# hostname
-				\.	# seperator
-				([[:digit:]]{2}-[[:digit:]]{2}-[[:digit:]]{2} # date
-				_	# time seperator
-				[[:digit:]]{2}\.[[:digit:]]{2}\.[[:digit:]]{2})	# time
-				$/x;
-
-# filename produced after post processing for things like the GUI.  The 
-# filename contains the log name, hostname, begin epoch time, and end 
-# epoch time.
-my $name_epoch_range = qr/^([[:alnum:]]+)	# log name
-				\.	# seperator
-				([^-][[:alnum:]-]*(?:\.[^-][[:alnum:]-])*)	# hostname
-				\.	# seperator
-				([[:digit:]]{10})	# beginning epoch time
-				-	# seperator
-				([[:digit:]]{10})	# ending epoch time
-				$/x;
-
-my $name_rotate_log = qr/^([[:alnum:]]+)   # log name
-                 \.  # seperator
-                   ([^-][[:alnum:]-]*(?:\.[^-][[:alnum:]-])*)  # hostname
-                   \.	# seperator
-                   ([[:digit:]]{2}-[[:digit:]]{2}-[[:digit:]]{2} # date
-                   _	# time seperator
-                   [[:digit:]]{2}\.[[:digit:]]{2}\.[[:digit:]]{2})	# time
-                   -	# second time seperator
-                   ([[:digit:]]{2}-[[:digit:]]{2}-[[:digit:]]{2} # date
-                   _	# time seperator
-                   [[:digit:]]{2}\.[[:digit:]]{2}\.[[:digit:]]{2})	# time
-                   (\.log)?$/x;
-
-sub activelog
-{
-	my $sub_name = 'activelog';
-
-	my $log_dir = $BRO_CONFIG->{BROLOGS};
-	my $ret_str;
-
-	if( !( defined( $log_dir ) ) )
-	{
-		warn( "no log directory defined\n" );
-		return( undef );
-	}
-
-	if( -f "$log_dir/active_log" )
-	{
-		if( open( I_FILE, "$log_dir/active_log" ) )
-		{
-			if( defined( $ret_str = <I_FILE> ) )
-			{
-				# remove any trailing newlines
-				if( $ret_str !~ m/[[:space]]+$/ )
-				{
-					chomp( $ret_str );
-				}
-				else
-				{
-					return( 0 );
-				}
-			}
-			else
-			{
-				return( 0 );
-			}
-		}
-		else
-		{
-			warn( "Failed to read the active log file at $log_dir/active_log\n" );
-		}
-
-		close( I_FILE );
-	}
-	else
-	{
-		return( 0 );
-	}
-
-	return( $ret_str );
-}
-
-sub loglist
-{
-	my $sub_name = 'log_list';
-
-	my $__log_type = $_[0] || return( undef );
-	my $brologs_dir = $BRO_CONFIG->{BROLOGS};
-	my @ret_list;
-
-	if( opendir( DIR, $brologs_dir ) )
-	{
-		while( defined( my $file_name = readdir( DIR ) ) )
-		{
-			if( my $log_type = ( filenametoepochtime( $file_name ) )[0] )
-			{
-				if( $log_type eq $__log_type )
-				{
-					push( @ret_list, "$brologs_dir/$file_name" );
-				}
-			}
-		}
-	}
-	else
-	{
-		warn( __PACKAGE__ . "::$sub_name, Unable to open the BROLOGS directory\n" );
-		return( undef );
-	}
-
-	closedir( DIR );
-
-	if( wantarray )
-	{
-		return( @ret_list );
-	}
-	else
-	{
-		return( \@ret_list );
-	}
-}
-
-sub filenametoepochtime
-{
-	my $sub_name = 'filenametoepochtime';
-
-	# returns the log name, hostname, start time, and end time
-	# log name will always return.
-	# If any of the other three are not available then return value
-	# will be undef.
-	
-	my $filename = $_[0] || return( undef );
-	my $log_name;
-	my $host_name;
-	my $start_time;
-	my $end_time;
-	
-	if( ! $filename =~ $FILENAME_REGEX )
-	{
-		print "$filename is bad!!\n";
-		return( undef );
-	}
-	
-	# There are several ways in which the filename is formatted.  This
-	# if tree attempts to parse each of those
-	
-	# Log name but no hostname or times.  This can occur when running Bro
-	# from a trace file.
-	if( $filename =~ $name_trace )
-	{
-		$log_name = $1;
-	}
-	# filename contains the log name, hostname, and start time.  This usually
-	# occurs on filenames which are currently being written to or are not
-	# rotated.
-	elsif( my @file_parts = $filename =~ $name_running )
-	{
-		my $start_time_string;
-		( $log_name, $host_name, $start_time_string ) = ( @file_parts );
-		
-		# split up the string so it can be passed to timetoepoch
-		my @parts = $start_time_string =~ m/^([[:digit:]]{2})	# year
-		-	# seperator
-		([[:digit:]]{2})	# month
-		-	# seperator
-		([[:digit:]]{2}) # day
-		_	# time seperator
-		([[:digit:]]{2})	# hour
-		\.	# seperator
-		([[:digit:]]{2})	# minute
-		\.	# seperator
-		([[:digit:]]{2})	# second
-		$/x;
-		
-		if( @parts == 6 )
-		{
-			$start_time = timetoepoch( @parts );
-		}
-		else
-		{
-			return( undef );
-		}
-	}
-	# filename contains the log name, hostname, epoch start time, epoch end time
-	elsif( my @file_parts = $filename =~ $name_epoch_range )
-	{
-		( $log_name, $host_name, $start_time, $end_time ) = @file_parts;
-	}
-    # filename contains the log name, hostname, start time and end time as
-    # strings as put out by rotate logs.
-    # i.e weird.lite3.06-04-27_10.40.53-06-04-27_10.41.12
-    elsif( my @file_parts = $filename =~ $name_rotate_log )
-    {
-        my $start_time_string;
-        my $end_time_string;
-
-        ( $log_name, $host_name, $start_time_string, $end_time_string ) = @file_parts;
-
-	#print "***** $filename: st: $start_time_string, et: $end_time_string\n";
-
-        # look at the start date
-        my @parts = $start_time_string =~ m/^([[:digit:]]{2})	# year
-        -	# seperator
-        ([[:digit:]]{2})	# month
-        -	# seperator
-        ([[:digit:]]{2}) # day
-        _	# time seperator
-        ([[:digit:]]{2})	# hour
-        \.	# seperator
-        ([[:digit:]]{2})	# minute
-        \.	# seperator
-        ([[:digit:]]{2})	# second
-        $/x;
-        $start_time = timetoepoch( @parts );
-
-        # look at the start date
-        @parts = $end_time_string =~ m/^([[:digit:]]{2})	# year
-        -	# seperator
-        ([[:digit:]]{2})	# month
-        -	# seperator
-        ([[:digit:]]{2}) # day
-        _	# time seperator
-        ([[:digit:]]{2})	# hour
-        \.	# seperator
-        ([[:digit:]]{2})	# minute
-        \.	# seperator
-        ([[:digit:]]{2})	# second
-        $/x;
-
-        $end_time = timetoepoch( @parts );
-
-	#print "***** st: $start_time, et: $end_time\n";
-    }
-	else
-	{
-		return( undef );
-	}
-	
-	return( $log_name, $host_name, $start_time, $end_time );
-}
-
-sub timetoepoch
-{
-	my $sub_name = 'timetoepoch';
-	
-	# arguments are in the order
-	# year
-	# month
-	# day
-	# hour
-	# minutes
-	# seconds
-	
-	my $epoch_time;
-	my( $year, $mon, $day, $hour, $min, $sec ) = @_;
-	# The month fed into timelocal is 0 based index
-	if( $mon > 0 )
-	{
-		--$mon;
-	}
-	
-	if( $epoch_time = timelocal($sec,$min,$hour,$day,$mon,$year) )
-	{
-		return( $epoch_time );
-	}
-	else
-	{
-		return( undef );
-	}
-}
-
-1;
diff --git a/scripts/perl/lib/Bro/Log/Alarm.pm b/scripts/perl/lib/Bro/Log/Alarm.pm
deleted file mode 100644
index d94168dfa5..0000000000
--- a/scripts/perl/lib/Bro/Log/Alarm.pm
+++ /dev/null
@@ -1,694 +0,0 @@
-package Bro::Log::Alarm;
-
-use strict;
-require 5.006_001;
-use strict;
-
-use vars qw( $VERSION
-		%DATA_MAP );
-
-# $Id: Alarm.pm 987 2005-01-08 01:04:43Z rwinslow $
-$VERSION = 1.20;
-
-# Map data descriptions to subroutine names
-%DATA_MAP = ( t => \&timestamp,
-			timestamp => \&timestamp,
-			notice => \&notice_type,
-			notice_type => \&notice_type,
-			notice_act => \&notice_action,
-			notice_action => \&notice_action,
-			event_src => \&event_source,
-			event_source => \&event_source,
-			source_addr => \&source_addr,
-			src_addr => \&source_addr,
-			srcip => \&source_addr,
-			source_ip => \&source_addr,
-			src_port => \&source_port,
-			source_port => \&source_port,
-			destination_addr => \&destination_addr,
-			dst_addr => \&destination_addr,
-			dstip => \&destination_addr,
-			destination_ip => \&destination_addr,
-			dst_port => \&destination_port,
-			destination_port => \&destination_port,
-			user => \&user,
-			filename => \&filename,
-			sigid => \&sigid,
-			method => \&method,
-			URL => \&url,
-			n => \&misc_integer,
-			count => \&misc_integer,
-			return_code => \&misc_integer,
-			msg => \&message,
-			message => \&message,
-			sub_msg => \&sub_message,
-			sub_message => \&sub_message,
-			);
-
-sub new
-{
-	my $sub_name = 'new';
-	
-	# This is the parser for tag based alarm and notice files.
-	my $_log_line;
-	my @_args = @_;
-	my %alarm_parts;
-
-	if( @_args == 1 )
-	{
-		$_log_line = $_args[0];
-	}
-	else
-	{
-		return( undef );
-	}
-
-	# Order of data in array
-	# t = timestamp
-	# no = notice_type
-	# na = notice_action
-	# es = event_src, event_source
-	# sa = source_ip (source address)
-	# sp = source_port
-	# da = destination_ip (destination address)
-	# dp = destination_port
-	# user = user
-	# file = filename or sigid
-	# method = method
-	# url = URL
-	# num = count or number or return_code
-	# msg = message
-	# sub = sub_message
-	# tag = tag
-	
-	# Is this a tag based log line delimited by spaces?
-	if( $_log_line =~ m/^t\=/ )
-	{
-		my $i = 0;
-		my $i2 = 0;
-		my $len = length( $_log_line );
-		my $p_idx = 0;
-		my $buff_pos = 0;
-		my $subtr_len = 0;
-		my @log_parts;
-		
-		for( $i2 = 0; $i2 < $len; ++$i2 )
-		{
-			if( substr( $_log_line, $i2, 1 ) eq ' ' and
-				substr( $_log_line, $p_idx, 1 ) ne "\\" )
-			{
-				if( $subtr_len < 1 )
-				{
-					# Skip over this entry, probably just leading space.
-					# Regardless of what happened there is no useful data.
-				}
-				else
-				{
-					my $tag;
-					my $tag_data;
-					
-					( $tag, $tag_data ) = extracttag( substr( $_log_line, $buff_pos, $subtr_len ) );
-					if( exists( $alarm_parts{$tag} ) )
-					{
-						warn( __PACKAGE__ . "::$sub_name, Found duplicate tag '$tag', in data.  It will be ignored\n" );
-					}
-					else
-					{
-						$alarm_parts{$tag} = $tag_data;
-					}
-				}
-				$subtr_len = 0;
-				$p_idx = $i2 + 1;
-				$buff_pos = $i2 + 1;
-				++$i;
-			}
-			else
-			{
-				++$subtr_len;
-				$p_idx = $i2;				
-			}
-		}
-
-		# Get the last piece of data
-		my $tag;
-		my $tag_data;
-		( $tag, $tag_data ) = extracttag( substr( $_log_line, $buff_pos, $subtr_len ) );
-		
-		# Make sure this is not a duplicate tag.
-		if( exists( $alarm_parts{$tag} ) )
-		{
-			warn( __PACKAGE__ . "::$sub_name, Found duplicate tag '$tag', in data.  It will be ignored\n" );
-		}
-		else
-		{
-			# Remove any trailing newlines
-			chomp( $tag_data );
-			$alarm_parts{$tag} = $tag_data;
-		}
-	}
-	# Is this a colon delimited log line?
-	elsif( $_log_line =~ m/^[[:digit:]]{10}\.[[:digit:]]{6}/ and $_log_line =~ m/\:/ )
-	{
-		my $i = 0;
-		my $i2 = 0;
-		my $len = length( $_log_line );
-		my $p_idx = 0;
-		my $buff_pos = 0;
-		my $subtr_len = 0;
-		my @log_parts;
-		
-		for( $i2 = 0; $i2 < $len; ++$i2 )
-		{
-			if( substr( $_log_line, $i2, 1 ) eq ':' and
-				substr( $_log_line, $p_idx, 1 ) ne "\\" )
-			{
-				if( $subtr_len < 1 )
-				{
-					$log_parts[$i] = '';
-				}
-				else
-				{
-					$log_parts[$i] = substr( $_log_line, $buff_pos, $subtr_len );
-					$log_parts[$i] = unescape_colons( $log_parts[$i] );
-				}
-				$subtr_len = 0;
-				$p_idx = $i2 + 1;
-				$buff_pos = $i2 + 1;
-				++$i;
-			}
-			else
-			{
-				++$subtr_len;
-				$p_idx = $i2;				
-			}
-		}
-
-		# Get the last piece of data
-		$log_parts[$i] = unescape_colons( substr( $_log_line, $buff_pos, $subtr_len ) );
-		
-		# Remove any trailing newline that may have been left on
-		chomp( $log_parts[$i] );
-		
-		$alarm_parts{t} = $log_parts[0];
-		$alarm_parts{no} = $log_parts[1];
-		$alarm_parts{na} = $log_parts[2];
-		$alarm_parts{es} = $log_parts[3];
-		$alarm_parts{sa} = $log_parts[4];
-		$alarm_parts{sp} = $log_parts[5];
-		$alarm_parts{da} = $log_parts[6];
-		$alarm_parts{dp} = $log_parts[7];
-		$alarm_parts{user} = $log_parts[8];
-		$alarm_parts{file} = $log_parts[9];
-		$alarm_parts{method} = $log_parts[10];
-		$alarm_parts{url} = $log_parts[11];
-		$alarm_parts{num} = $log_parts[12];
-		$alarm_parts{msg} = $log_parts[13];
-		$alarm_parts{sub} = $log_parts[14];
-	}
-	else
-	{
-		return( undef );
-	}
-	
-	# Make sure that certain fields have values otherwise the data is invalid
-	if( exists( $alarm_parts{t} ) )
-	{
-		return( \%alarm_parts );
-	}
-	else
-	{
-		return( undef );
-	}
-	
-}
-
-sub unescape
-{
-	my $sub_name = 'unescape';
-	
-	&unescape_spaces;
-}
-
-sub unescape_spaces
-{
-	my $sub_name = 'unescape_spaces';
-	
-	my $data = $_[0];
-	
-	if( ! defined( $data ) )
-	{
-		return( undef );
-	}
-	else
-	{
-		$data =~ s/\\ / /g;
-		$data =~ s/\\\\/\\/g;
-	}
-	
-	return( $data );
-}
-
-sub unescape_colons
-{
-	my $sub_name = 'unescape_colons';
-	
-	my $data = $_[0];
-	
-	if( ! defined( $data ) )
-	{
-		return( undef );
-	}
-	else
-	{
-		$data =~ s/\\:/:/g;
-		$data =~ s/\\\\/\\/g;
-	}
-	
-	return( $data );
-}
-
-sub extracttag
-{
-	my $sub_name = 'extracttag';
-	
-	# Seperate the tag from it's data and return them.  If there is a problem
-	# this sub will return undef.  If a tag has no data then a zero length
-	# string will be returned.
-	
-	my $__data = $_[0];
-	my $ret_tag;
-	my $ret_data;
-	
-	# Seperate out the tag from the data
-	( $ret_tag, $ret_data ) = split( /\=/, $__data, 2 );
-	
-	if( length( $ret_tag ) > 0 )
-	{
-		if( defined( $ret_data ) )
-		{
-			$ret_data = unescape_spaces( $ret_data );
-		}
-		else
-		{
-			$ret_data = '';
-		}
-		
-		return( $ret_tag, $ret_data );
-	}
-	else
-	{
-		return( undef );
-	}
-}
-
-sub timestamp
-{
-	my $sub_name = 'timestamp';
-
-	my $data = $_[0];
-	my $format = $_[1];	# Maybe for future expansion.  Just thinking out loud.
-
-	return( $data->{t} );
-}
-
-sub notice_type
-{
-	my $sub_name = 'notice_type';
-
-	my $data = $_[0] || return( undef );
-
-	return( $data->{no} );
-}
-
-sub notice_action
-{
-	my $sub_name = 'notice_action';
-
-	my $data = $_[0] || return( undef );
-
-	return( $data->{na} );
-}
-
-sub event_source
-{
-	my $sub_name = 'event_source';
-
-	my $data = $_[0] || return( undef );
-	
-	if( exists( $data->{es} ) )
-	{
-		return( $data->{es} );
-	}
-	else
-	{
-		return( undef );
-	}
-}
-
-sub source_addr
-{
-	my $sub_name = 'source_addr';
-
-	my $data = $_[0] || return( undef );
-	
-	if( exists( $data->{sa} ) )
-	{
-		return( $data->{sa} );
-	}
-	else
-	{
-		return( undef );
-	}
-}
-
-sub source_ip
-{
-	# This is for backwards compatibility and will be removed in the future
-	&source_addr;
-}
-
-sub source_port
-{
-	my $sub_name = 'source_port';
-
-	my $data = $_[0] || return( undef );
-
-	if( exists( $data->{sp} ) )
-	{
-		return( $data->{sp} );
-	}
-	else
-	{
-		return( undef );
-	}
-}
-
-sub destination_addr
-{
-	my $sub_name = 'destination_addr';
-
-	my $data = $_[0] || return( undef );
-
-	return( $data->{da} );
-}
-
-sub destination_ip
-{
-	# This is for backwards compatibility and will be removed in the future
-	&destination_addr;
-}
-
-sub destination_port
-{
-	my $sub_name = 'destination_port';
-
-	my $data = $_[0] || return( undef );
-	
-	if( exists( $data->{dp} ) )
-	{
-		return( $data->{dp} );
-	}
-	else
-	{
-		return( undef );
-	}
-}
-
-sub user
-{
-	my $sub_name = 'user';
-
-	my $data = $_[0] || return( undef );
-	
-	if( exists( $data->{user} ) )
-	{
-		return( $data->{user} );
-	}
-	else
-	{
-		return( undef );
-	}
-}
-
-sub filename
-{
-	my $sub_name = 'filename';
-
-	my $data = $_[0] || return( undef );
-	
-	if( exists( $data->{file} ) )
-	{
-		return( $data->{file} );
-	}
-	else
-	{
-		return( undef );
-	}
-}
-
-sub sigid
-{
-	my $sub_name = 'sigid';
-	
-	&filename;
-}
-
-sub method
-{
-	my $sub_name = 'method';
-
-	my $data = $_[0] || return( undef );
-
-	if( exists( $data->{method} ) )
-	{
-		return( $data->{method} );
-	}
-	else
-	{
-		return( undef );
-	}
-}
-
-sub url
-{
-	my $sub_name = 'url';
-
-	my $data = $_[0] || return( undef );
-
-	if( exists( $data->{url} ) )
-	{
-		return( $data->{url} );
-	}
-	else
-	{
-		return( undef );
-	}
-}
-
-sub misc_integer
-{
-	my $sub_name = 'misc_integer';
-
-	my $data = $_[0] || return( undef );
-
-	if( exists( $data->{num} ) )
-	{
-		return( $data->{num} );
-	}
-	else
-	{
-		return( undef );
-	}
-}
-
-sub count
-{
-	&misc_integer;
-}
-
-sub return_code
-{
-	&misc_integer;
-}
-
-sub message
-{
-	my $sub_name = 'message';
-
-	my $data = $_[0] || return( undef );
-
-	if( exists( $data->{msg} ) )
-	{
-		return( $data->{msg} );
-	}
-	else
-	{
-		return( undef );
-	}
-}
-
-sub sub_message
-{
-	my $sub_name = 'sub_message';
-
-	my $data = $_[0] || return( undef );
-
-	if( exists( $data->{sub} ) )
-	{
-		return( $data->{sub} );
-	}
-	else
-	{
-		return( undef );
-	}
-}
-
-sub tag
-{
-	my $sub_name = 'tag';
-	
-	my $data = $_[0] || return( undef );
-	
-	if( exists( $data->{tag} ) )
-	{
-		return( $data->{tag} );
-	}
-	else
-	{
-		return( undef );
-	}
-}
-
-sub timerange
-{
-	my $sub_name = 'timerange';
-	# Find the most likely beginning and ending times covered by a given
-	# alarm file.
-
-	my $filename = $_[0];
-	my $start_time = 9999999999;
-	my $end_time = -1;
-	my $f_size = ( stat( $filename ) )[7];
-	
-	if( open( INFILE, $filename ) )
-	{
-		my $s_idx = 0;
-		my $s_no_change = 0;
-
-		# Find the smallest timestamp in the first 1000 lines.
-		while( defined( my $ln = <INFILE> ) and
-			( $s_idx < 1000 ) and
-			( $s_no_change < 20 ) )
-		{
-			if( my $alarm_line = new( $ln ) )
-			{
-				my $w_timestamp = timestamp( $alarm_line );
-				if( $w_timestamp < $start_time )
-				{
-					$start_time = $w_timestamp;
-					$s_no_change = 0;
-				}
-				else
-				{
-					++$s_no_change;
-				}
-			}
-
-			++$s_idx;
-		}
-
-		close( INFILE );
-
-		# Find the largest timestamp in the last 1000 lines
-		# Each connection with a status of "SF" will be counted as one line
-		# Every line will be examined but the "SF" lines are the only ones
-		# that give a good picture as to the time state of the file.
-		if( sysopen( INFILE, $filename, 0 ) )
-		{
-			sysseek( INFILE, $f_size, 0 );
-			my $cur_pos = sysseek( INFILE, 0, 1 );
-			my $nl_pos = $cur_pos;
-			my $line_count = 0;
-			my $e_no_change = 0;
-
-			# Get last 1000 lines
-			while( $line_count < 1000 and $e_no_change < 20 )
-			{
-				my $new_line_found = 0;
-				my $buf;
-				sysread( INFILE, $buf, 1 );
-
-				if( $cur_pos > -1 )
-				{
-					if( $buf eq $/ )
-					{
-						$new_line_found = 1;
-					}
-				}
-				else
-				{
-					# Must have hit the beginning of the file
-					if( $nl_pos > 20 )
-					{
-						$cur_pos = 0;
-						sysseek( INFILE, 0, 0 );
-						$new_line_found = 1;
-					}
-					else
-					{
-						last;
-					}
-				}
-
-				if( $new_line_found )
-				{
-					my $cur_line = '';
-					sysread( INFILE, $cur_line, $nl_pos - $cur_pos );
-					if( my $alarm_line = new( $cur_line ) )
-					{
-						my $w_timestamp = timestamp( $alarm_line );
-						if( $w_timestamp > $end_time )
-						{
-							$end_time = $w_timestamp;
-						}
-						else
-						{
-							++$e_no_change;
-						}
-					}
-					$nl_pos = $cur_pos;
-					++$line_count;
-				}
-				--$cur_pos;
-				if( $cur_pos < 0 )
-				{
-					last;
-				}
-				sysseek( INFILE, $cur_pos, 0 );
-			}
-
-		}
-		else
-		{
-			warn( __PACKAGE__ . "::$sub_name, Unable to open file '$filename' with sysread.\n" );
-			return( undef );
-		}
-
-		close( INFILE );
-	}
-	else
-	{
-		warn( __PACKAGE__ . "::$sub_name, Unable to open file '$filename'.\n" );
-		return( undef );
-	}
-	
-	# Make sure that sane values were found for the start and end times
-	if( $start_time == 9999999999 or $end_time == -1 )
-	{
-		# warn( __PACKAGE__ . "::$sub_name, There was an error determining the start and end ranges.\n" );
-		# warn( "No valid values could be found.\n" );
-		return( undef );
-	}
-	
-	return( $start_time, $end_time );
-}
diff --git a/scripts/perl/lib/Bro/Log/Conn.pm b/scripts/perl/lib/Bro/Log/Conn.pm
deleted file mode 100644
index 69391d55be..0000000000
--- a/scripts/perl/lib/Bro/Log/Conn.pm
+++ /dev/null
@@ -1,773 +0,0 @@
-package Bro::Log::Conn;
-
-require 5.006_001;
-use strict;
-
-use vars qw( $VERSION
-		$NULL_VALUE
-		$DEBUG );
-
-# $Id: Conn.pm 1426 2005-09-30 00:19:18Z rwinslow $
-$VERSION = 1.20;
-$NULL_VALUE = -1;
-$DEBUG = 0;
-
-my $CONN_SPLIT_PATT = ' ';
-# my $CONN_SPLIT_PATT = qr/ /o;
-
-# Map data descriptions to subroutine names
-my %DATA_MAP = ( timestamp => \&timestamp,
-			duration => \&duration,
-			source_ip => \&srcip,
-			srcip => \&srcip,
-			destination_ip => \&dstip,
-			dstip => \&dstip,
-			service => \&service,
-			source_port => \&srcport,
-			srcport => \&srcport,
-			destination_port => \&dstport,
-			dstport => \&dstport,
-			protocol => \&protocol,
-			source_bytes => \&srcbytes,
-			srcbytes => \&srcbytes,
-			destination_bytes => \&srcbytes,
-			dstbytes => \&dstbytes,
-			connection_status => \&connstat,
-			connstat => \&connstat,
-			source_network => \&srcnetwork,
-			srcnetwork => \&srcnetwork,
-			other => \&other,
-			);
-
-sub new
-{
-	my $_log_line = $_[0] || return( undef );	# string ref
-
-	# Order of data in array
-	# 0 = timestamp
-	# 1 = duration
-	# 2 = source ip
-	# 3 = destination ip
-	# 4 = service
-	# 5 = source port
-	# 6 = destination port
-	# 7 = protocol
-	# 8 = source bytes
-	# 9 = destination bytes
-	# 10 = connection status
-	# 11 = source network
-	# 12 = other
-
-	my @log_parts = split( $CONN_SPLIT_PATT, $$_log_line, 13 );
-	if( defined( $log_parts[11] ) )
-	{
-		return( \@log_parts );
-	}
-	else
-	{
-		return( undef );
-	}
-}
-
-sub output
-{
-	my $sub_name = 'output';
-
-	my $data = $_[0] || return undef;
-	my $format = $_[1] || '';
-	my @ret_data;
-
-	if( ref( $format ) ne 'ARRAY' )
-	{
-		$format = [ 'timestamp',
-				'duration',
-				'srcip',
-				'dstip',
-				'service',
-				'srcport',
-				'dstport',
-				'protocol',
-				'srcbytes',
-				'dstbytes',
-				'connstat',
-				'srcnetwork',
-				'other',
-				];
-	}
-	
-	my $i = 0;
-	foreach my $key( @{$format} )
-	{
-		if( exists( $DATA_MAP{$key} ) )
-		{
-			$ret_data[$i] = &{$DATA_MAP{$key}}( $data );
-			++$i;
-		}
-		else
-		{
-			return( undef );
-		}
-	}
-	
-	if( wantarray )
-	{
-		return( @ret_data );
-	}
-	else
-	{
-		return( join( ' ', @ret_data ) );
-	}
-}
-
-sub timestamp
-{
-	my $sub_name = 'timestamp';
-	
-	my $data = $_[0] || return( undef );
-	
-	return( $data->[0] );
-}
-
-sub duration
-{
-	my $sub_name = 'duration';
-
-	my $data = $_[0] || return undef;
-	my $arg1 = $_[1] || 0;
-
-	if( $arg1 eq 'raw' )
-	{
-		return( $data->[1] );
-	}
-	elsif( $data->[1] eq '?' and defined( $NULL_VALUE ) )
-	{
-		return( $NULL_VALUE );
-	}
-	else
-	{
-		return( $data->[1] );
-	}
-}
-
-sub source_ip
-{
-	&srcip;
-}
-
-sub srcip
-{
-	my $sub_name = 'srcip';
-
-	return( $_[0]->[2] );
-}
-
-sub destination_ip
-{
-	&dstip;
-}
-
-sub dstip
-{
-	my $sub_name = 'dstip';
-
-	return( $_[0]->[3] );
-}
-
-sub service
-{
-	my $sub_name = 'service';
-
-	return( $_[0]->[4] );
-}
-
-sub source_port
-{
-	&srcport;
-}
-
-sub srcport
-{
-	my $sub_name = 'srcport';
-
-	return( $_[0]->[5] );
-}
-
-sub destination_port
-{
-	&dstport
-}
-
-sub dstport
-{
-	my $sub_name = 'dstport';
-
-	return( $_[0]->[6] );
-}
-
-sub protocol
-{
-	my $sub_name = 'protocol';
-
-	return( $_[0]->[7] );
-}
-
-sub source_bytes
-{
-	&srcbytes;
-}
-
-sub srcbytes
-{
-	my $sub_name = 'srcbytes';
-
-	my $data = $_[0] || return undef;
-	my $arg1 = $_[1] || 0;
-
-	if( $arg1 eq 'raw' )
-	{
-		return( $data->[8] );
-	}
-	elsif( $data->[8] eq '?' and defined( $NULL_VALUE ) )
-	{
-		return( $NULL_VALUE );
-	}
-	elsif( $data->[10] eq 'SF') 
-	{
-		# safest to only count sessions with normal termination
-		return( $data->[8] );
-	}
-	else
-	{
-		return( $NULL_VALUE );
-	}
-}
-
-sub destination_bytes
-{
-	&dstbytes;
-}
-
-sub dstbytes
-{
-	my $sub_name = 'dstbytes';
-
-	my $data = $_[0] || return undef;
-	my $arg1 = $_[1] || 0;
-
-	if( $arg1 eq 'raw' )
-	{
-		return( $data->[9] );
-	}
-	elsif( $data->[9] eq '?' and defined( $NULL_VALUE ) )
-	{
-		return( $NULL_VALUE );
-	}
-	elsif( $data->[10] eq 'SF' )
-	{
-		# safest to only count sessions with normal termination
-		return( $data->[9] );
-	}
-	else
-	{
-		return( $NULL_VALUE );
-	}
-}
-
-sub connstat
-{
-	my $sub_name = 'connstat';
-
-	my $data = $_[0] || return undef;
-	
-	return( $data->[10] );
-}
-
-sub source_network
-{
-	&srcnetwork;
-}
-
-sub srcnetwork
-{
-	my $sub_name = 'srcnetwork';
-
-	my $data = $_[0] || return undef;
-	chomp( $data->[11] );
-	
-	return( $data->[11] );
-}
-
-sub tag
-{
-	my $sub_name = 'tag';
-	
-	my $data = $_[0] || return( undef );
-	my $other_field = $data->[12];
-	my @ret_tag_ids;
-	
-	while( $other_field =~ s/(\@[[:digit:]]+)// )
-	{
-		push( @ret_tag_ids, $1 );
-	}
-	
-	if( @ret_tag_ids > 0 )
-	{
-		if( wantarray )
-		{
-			return( @ret_tag_ids );
-		}
-		else
-		{
-			return( \@ret_tag_ids );
-		}
-	}
-	else
-	{
-		return( undef );
-	}
-}
-
-sub other
-{
-	my $sub_name = 'other';
-
-	my $data = $_[0] || return undef;
-
-	# Remove any newline character at the end
-	chomp( $data->[12] );
-
-	return( $data->[12] );
-}
-
-sub timerange
-{
-	my $sub_name = 'timerange';
-	# Find the most likely beginning and ending times covered by a given
-	# conn file.
-
-	my $filename = $_[0];
-	my $find_start_time = $_[1];
-	my $find_end_time = $_[2];
-	my $start_time = 9999999999;
-	my $end_time = -1;
-	my $max_start_lines = 10000;
-	my $max_end_lines = 10000;
-	my $max_line_length = 5000;
-	my $f_size = ( stat( $filename ) )[7] || 0;
-	my $default_start;
-	my $default_end;
-	
-	if( $DEBUG > 2 )
-	{
-		warn( __PACKAGE__ . "::$sub_name, Filename: $filename\n" );
-	}
-	
-	# If the file is zero size then don't even both continuing
-	if( $f_size < 1 )
-	{
-		if( $DEBUG > 2 )
-		{
-			warn( __PACKAGE__ . "::$sub_name, File is zero size, skipping\n" );
-		}
-		return( undef );
-	}
-	
-	# If $find_start_time and $find_end_time are defined then the the first
-	# line that is greater than or equal to the timestamp in $find_start_time
-	# will be read by seek and then set into $start_pos.
-	# The last line that contains a timestamp less than or equal to 
-	# $find_end_time will be read by seek and then set in $end_pos.
-	eval {
-	local $SIG{ALRM} = sub { die( "Alarm Timeout\n" ) };
-	alarm 90;
-	if( open( INFILE, $filename ) )
-	{
-		my $s_idx = 0;			# start line counter
-		my $s_no_change = 0;	# start no change counter
-		
-		# Set the very first connection timestamp to $default_start
-		while( ! $default_start and defined( my $line = <INFILE> ) )
-		{
-			if( my $conn_line = new( \$line ) )
-			{
-				$default_start = timestamp( $conn_line );
-			}
-		}
-		
-		# Find the smallest timestamp in the first 1000 lines where the
-		# connection is complete (SF) or (REJ) and the duration is less
-		# than .1 seconds
-		while( ( $s_idx < $max_start_lines ) and
-			( $s_no_change < 20 ) and
-			defined( my $ln = <INFILE> ) )
-		{
-			if( my $conn_line = new( \$ln ) )
-			{
-				if( connstat( $conn_line ) =~ m/^(?:SF)|(?:REJ)$/ )
-				{
-					if( duration( $conn_line ) < 0.1 )
-					{
-						my $w_timestamp = timestamp( $conn_line );
-						if( $w_timestamp < $start_time )
-						{
-							$start_time = $w_timestamp;
-							$s_no_change = 0;
-						}
-						else
-						{
-							++$s_no_change;
-						}
-					}
-				}
-			}
-
-			++$s_idx;
-		}
-		
-		close( INFILE );
-		
-		# Find the largest timestamp in the last 20 lines
-		# Each connection with a status of "SF" or "REJ" will be counted as
-		# one line.  Every line will be examined but the "SF" or "REJ"
-		# lines are the only ones that give a good picture as to the time
-		# state of the file.
-		if( sysopen( INFILE, $filename, 0 ) )
-		{
-			sysseek( INFILE, $f_size, 0 );
-			my $cur_pos = sysseek( INFILE, 0, 1 );
-			my $nl_pos = $cur_pos;
-			my $matched_count = 0;
-			my $line_count = 0;
-
-			# Get last 20 lines
-			while( $matched_count < 20 and
-				$line_count < $max_end_lines )
-			{
-				my $new_line_found = 0;
-				my $buf;
-				sysread( INFILE, $buf, 1 );
-
-				if( $cur_pos > -1 )
-				{
-					if( $buf eq $/ )
-					{
-						$new_line_found = 1;
-					}
-				}
-				else
-				{
-					# Must have hit the beginning of the file
-					if( $nl_pos > 20 )	# supress things like blank lines
-					{
-						sysseek( INFILE, 0, 0 );
-						$new_line_found = 1;
-					}
-					else
-					{
-						last;
-					}
-				}
-
-				if( $new_line_found )
-				{
-					my $cur_line = '';
-					++$line_count;
-					# Make sure that the line is not too large
-					# Fix for some funky rsync errors that may occur
-					if( $nl_pos - $cur_pos > $max_line_length )
-					{
-						# WAY too big, just mark new position and ignore
-					}
-					else
-					{
-						sysread( INFILE, $cur_line, $nl_pos - $cur_pos );
-						if( my $conn_line = new( \$cur_line ) )
-						{
-							if( ! $default_end )
-							{
-								$default_end = timestamp( $conn_line );
-							}
-							
-							if( duration( $conn_line ) < 0.1 and duration( $conn_line ) >= 0 )
-							{
-								my $w_timestamp = timestamp( $conn_line );
-								if( $w_timestamp > $end_time )
-								{
-									$end_time = $w_timestamp;
-								}
-							}
-							
-							if( connstat( $conn_line ) =~ m/^(?:SF)|(?:REJ)$/ )
-							{
-								++$matched_count;
-							}
-						}
-					}
-					$nl_pos = $cur_pos;
-				}
-				--$cur_pos;
-				if( $cur_pos < 0 )
-				{
-					last;
-				}
-				sysseek( INFILE, $cur_pos, 0 );
-			}
-		}
-		else
-		{
-			if( $DEBUG > 0 )
-			{
-				warn( __PACKAGE__ . "::$sub_name, Unable to open file '$filename' with sysread.\n" );
-			}
-			return( undef );
-		}
-
-		close( INFILE );
-	}
-	else
-	{
-		if( $DEBUG > 0 )
-		{
-			warn( __PACKAGE__ . "::$sub_name, Unable to open file '$filename'.\n" );
-		}
-		return( undef );
-	}
-	
-	close( INFILE );
-	};
-	
-	alarm 0;
-	
-	# Make sure that $start_time has something other than the filler value.
-	if( $start_time == 9999999999 )
-	{
-		if( $default_start )
-		{
-			$start_time = $default_start;
-			if( $DEBUG > 1 )
-			{
-				warn( __PACKAGE__ . "::$sub_name, No start_time was found, setting to a default of $default_start\n" );
-			}
-		}
-		else
-		{
-			if( $DEBUG > 1 )
-			{
-				warn( __PACKAGE__ . "::$sub_name, No start_time was found and no default_start time was found\n" );
-			}
-		}
-	}
-	
-	# Make sure that $end_time has something other than the filler value.
-	if( $end_time == -1 )
-	{
-		if( $default_end )
-		{
-			$end_time = $default_end;
-			if( $DEBUG > 1 )
-			{
-				warn( __PACKAGE__ . "::$sub_name, No end_time was found, setting to a default of $default_start\n" );
-			}
-		}
-		else
-		{
-			if( $DEBUG > 1 )
-			{
-				warn( __PACKAGE__ . "::$sub_name, No end_time was found and no default_end time was found\n" );
-			}
-		}
-	}
-	
-	if( $DEBUG > 2 )
-	{
-		warn( "  " . __PACKAGE__ . "::$sub_name, Start time: $start_time\n" );
-		warn( "  " . __PACKAGE__ . "::$sub_name, End time: $end_time\n" );
-	}
-	
-	if( $@ )
-	{
-		if( $@ =~ m/Alarm Timeout/ )
-		{
-			if( !( $start_time and $end_time ) )
-			{
-				if( $DEBUG > 0 )
-				{
-					warn( __PACKAGE__ . "::$sub_name, Error occurred in trying to read the file $filename\n" );
-				}
-				return( undef );
-			}
-			else
-			{
-				if( $DEBUG > 0 )
-				{
-					warn( __PACKAGE__ . "::$sub_name, Timed out during file read.  The first and last timestamps have been set as the range of time available\n" );
-				}
-			}
-		}
-		else
-		{
-			warn( $@ );
-			return( undef );
-		}
-	}
-	
-	return( $start_time, $end_time );
-}
-
-sub containstag
-{
-	my $sub_name = 'containstag';
-	
-	my $data = shift || return( undef );
-	my @tags_to_match = @_;
-	my $conn_tags = tag( $data ) || return( 0 );
-	my $matched_tag = 0;
-	
-	OUT_LOOP:
-	{
-		foreach my $tag_to_match( @tags_to_match )
-		{
-			foreach my $tag_id( @{$conn_tags} )
-			{
-				if( $tag_id eq $tag_to_match )
-				{
-					$matched_tag = $tag_id;
-					last OUT_LOOP;
-				}
-			}
-		}
-	}	# end OUT_LOOP
-	
-	return( $matched_tag );
-}
-
-sub startposition
-{
-	my $sub_name = 'startposition';
-	# Find the first file position where $timestamp is greater than or equal to
-	# a timestamp in the file.
-	my $timestamp = $_[0];
-}
-
-sub endposition
-{
-	my $sub_name = 'endposition';
-	# Find the last file position where $timestamp is less than or equal to
-	# a timestamp in a file.
-	my $timestamp = $_[0];
-}
-
-sub connectsucceed
-{
-	my $sub_name = 'connectsucceed';
-	
-	my $data = $_[0] || return( undef );
-	
-	my $S_REGEX = qr/^S/o;
-	my $S123_REGEX = qr/^S[123]$/o;
-	my $connstat = connstat( $data );
-	
-	if( $connstat =~ $S_REGEX )
-	{
-		if( $connstat eq 'SF' )
-		{
-			return( 1 );
-		}
-		elsif( $connstat =~ $S123_REGEX )
-		{
-			if( srcbytes( $data ) > 0 && dstbytes( $data ) > 0 )
-			{
-				return( 1 );
-			}
-			else
-			{
-				return( 0 );
-			}
-		}
-	}
-	else
-	{
-		# connection failed
-		return( 0 );
-	}
-}
-
-sub range
-{
-	my $sub_name = 'range';
-	
-	my $data = $_[0] || return( undef );
-	my $match_time = $_[1];
-	my $error_margin = $_[2];
-	my $start_time;
-	my $end_time;
-	my $duration;
-	
-	# Make sure that the error margin is greater than zero
-	if( !( defined( $error_margin ) and $error_margin > 0 ) )
-	{
-		$error_margin = 0;
-	}
-	
-	$start_time = timestamp( $data );
-	$duration = duration( $data );
-	
-	if( $match_time )
-	{
-		if( $duration < 0 )
-		{
-			$duration = 10;
-		}
-	
-		$end_time = $start_time + $duration + $error_margin;
-		$start_time = $start_time - $error_margin;
-		
-		if( $match_time >= $start_time and
-			$match_time <= $end_time )
-		{
-			return( 1 );
-		}
-		else
-		{
-			return( 0 );
-		}
-	}
-	else
-	{
-		if( $duration > -1 )
-		{
-			$end_time = $start_time + $duration;
-		}
-		
-		return( $start_time, $end_time );
-	}
-}
-
-1;
-
-# The args to Bro::Log::Conn::output are the connection array ref returned by
- # Bro::Log::Conn::new and an optional array ref of what order and fields
- # should be printed.
-
-# EXAMPLE:
- # $array_ref = Bro::Log::Conn::new( $ln );
- # @output_parts = Bro::Log::Conn::output( $array_ref, [ 'srcip', 'dstip', 'timestamp' ] )
- #
- # The available fields are as follows:
- #	timestamp
- #	duration
- #	srcip
- #	dstip
- #	service
- #	srcport
- #	dstport
- #	protocol
- #	srcbytes
- #	dstbytes
- #	connstat
- #	srcnetwork
- #	other
-
-# For convenience any data that is represented by a ? will be replaced by a -1
-# This occurs for duration, srcbytes, and dstbytes
-# This is adjustable by changing $NULL_VALUE
diff --git a/scripts/perl/lib/Bro/Report.pm b/scripts/perl/lib/Bro/Report.pm
deleted file mode 100644
index 413bd9ba5c..0000000000
--- a/scripts/perl/lib/Bro/Report.pm
+++ /dev/null
@@ -1,714 +0,0 @@
-package Bro::Report;
-
-use strict;
-require 5.006_001;
-require Exporter;
-
-use Socket;
-use vars qw( $VERSION
-			$DEBUG
-			@EXPORT_OK
-			@ISA
-			$USE_FLOCK
-			$INCIDENT_COUNT_FILE
-			$TEMP_DIR
-			@TEMP_FILES
-			$IPTONAME_TIMEOUT
-			$USE_IPTONAME_CACHE
-			%IPTONAME_CACHE );
-
-@ISA = ( 'Exporter' );
-# $Id: Report.pm 1419 2005-09-29 18:56:06Z rwinslow $
-$VERSION = 1.20;
-$DEBUG = 0;
-@EXPORT_OK = qw( iptoname swrite trimhostname trimbytes time_mdhm time_hms date_md
-			date_ymd getincidentnumber standard_deviation mean_val tempfile
-			trimstring );
-
-	my %STEPS = ( 0 => '',
-				1 => 'K',
-				2 => 'M',
-				3 => 'G',
-				4 => 'T',
-				5 => 'P',
-				K => 1,
-				M => 2,
-				G => 3,
-				T => 4,
-				G => 5, );
-
-# Check if flock can be used
-eval {
-	flock( STDIN, 1 )
-};
-
-if( $@ )
-{
-	$USE_FLOCK = 0;
-}
-else
-{
-	$USE_FLOCK = 1;
-}
-
-# Default temp directorywhich to write to
-$TEMP_DIR = '/tmp';
-
-# Default timeout for dns reverse lookups
-$IPTONAME_TIMEOUT = 3;
-
-# Should ip to name reverse lookups be cached?
-$USE_IPTONAME_CACHE = 1;
-
-sub iptoname
-{
-	my $sub_name = 'iptoname';
-	
-	my $h_ip = $_[0] || return( undef );
-	
-	my $resolved_hostname = undef;
-	my $ret_val;
-	
-	if( exists( $IPTONAME_CACHE{$h_ip} ) )
-	{
-		return( $IPTONAME_CACHE{$h_ip} );
-	}
-	
-	eval
-	{
-		local $SIG{ALRM} = sub { die( "Lookup Timeout\n" ) };
-		alarm( $IPTONAME_TIMEOUT);
-		$resolved_hostname = gethostbyaddr( inet_aton( $h_ip ), 2 );
-		alarm( 0 );
-	};
-	
-	if( $resolved_hostname )
-	{
-		$ret_val = $resolved_hostname;
-	}
-	else
-	{
-		$ret_val = $h_ip;
-	}
-	
-	if( $USE_IPTONAME_CACHE )
-	{
-		$IPTONAME_CACHE{$h_ip} = $ret_val;
-	}
-	
-	return( $ret_val );
-}
-
-sub swrite
-{
-	my $sub_name = 'swrite';
-	
-	my $format = shift;
-	my @args = @_;
-	my $ret_val;
-	
-	$^A = '';
-	formline( $format, @args );
-	$ret_val = $^A;
-	$^A = '';
-	return( $ret_val );
-}
-
-sub trimhostname
-{
-	my $sub_name = 'trimhostname';
-	
-	my $hostname = $_[0];
-	my $max_length = $_[1] || 35;
-	my $direction = $_[2] || '>';
-	my $ret_val = '';
-	
-	my $len = length( $hostname );
-	if( $len > $max_length )
-	{
-		my $dif = $len - $max_length + 3;
-		if( $direction eq '>' )
-		{
-			$ret_val =  "..." . substr( $hostname, $dif, $len);
-		}
-		else
-		{
-			$ret_val =  substr( $hostname, 0, $len - $dif) . "...";
-		}
-	}
-	else
-	{
-		$ret_val = $hostname;
-	}
-	
-	return( $ret_val );
-}
-
-sub trimbytes
-{
-	my $sub_name = 'trimbytes';
-	
-	my $arg1 = $_[0];
-	my $max_width = $_[1] || 6;
-	my $quantifiers = 'KMGTP';
-	my $step_count = 0;
-	my $bytes;
-	my $ret_val;
-	
-	if( $arg1 =~ m/([[:digit:]]+)[[:space:]]*([$quantifiers])$/ )
-	{
-		$bytes = $1;
-		$step_count = $STEPS{$2};
-	}
-	else
-	{
-		$bytes = $arg1;
-	}
-	
-	if( length( $bytes ) > $max_width )
-	{
-		$max_width -= 2;
-		my $ints = int( $bytes );
-		while( exists( $STEPS{$step_count} ) and length( $ints ) > $max_width )
-		{
-			$bytes = $bytes / 1024;
-			$ints = int( $bytes );
-			++$step_count;
-		}
-		my $float_length = $max_width - length( $ints ) - 1;
-		if( $float_length > 0 )
-		{
-			$bytes = sprintf( "%.$float_length" . 'f', $bytes );
-		}
-		else
-		{
-			$bytes = sprintf( "%d", $bytes );
-		}
-	}
-	
-	if( $STEPS{$step_count} )
-	{
-		return( $bytes . " $STEPS{$step_count}" );
-	}
-	else
-	{
-		return( $bytes );
-	}
-}
-
-sub trimstring
-{
-	my $sub_name = 'trimstring';
-	
-	my $string = $_[0] || return( undef );
-	my $max_length = $_[1] || 73;
-	my $max_lines = $_[2];
-	my @ret_lines;
-	my $trunc_string = 0;
-	
-	if( length( $string ) <= $max_length )
-	{
-		return( $string );
-	}
-	
-	if( defined( $max_lines ) 
-		and $max_lines =~ /^[[:digit:]]+$/
-		and $max_lines > 0 )
-	{
-		# OK, looks good
-	}
-	else
-	{
-		$max_lines = 1;
-	}
-	
-	while( length( $string ) > $max_length
-		and !( scalar( @ret_lines ) >= $max_lines ) )
-	{
-		my $cur_idx = $max_length - 1;
-		my $found_break_point = 0;
-		while( $cur_idx > 0 )
-		{
-			if( substr( $string, $cur_idx, 1 ) =~ m/[[:space:]]/ )
-			{
-				push( @ret_lines, substr( $string, 0, $cur_idx + 1 ) );
-				$string = substr( $string, $cur_idx );
-				$found_break_point = 1;
-				last;
-			}
-			else
-			{
-				--$cur_idx;
-			}
-		}
-		
-		if( ! $found_break_point )
-		{
-			push( @ret_lines, substr( $string, 0, $max_length ) );
-			$string = substr( $string, $max_length );
-		}
-	}
-	
-	# Check if anything is left in the string
-	if( length( $string ) > 0 )
-	{
-		$trunc_string = 1;
-		
-		if( !( scalar( @ret_lines ) >= $max_lines ) )
-		{
-			push( @ret_lines, $string );
-			$trunc_string = 0;
-		}
-		elsif( length( $ret_lines[$#ret_lines] ) < $max_length )
-		{
-			$ret_lines[$#ret_lines] .= substr( $string, 0, $max_length - length( $ret_lines[$#ret_lines] ) );
-		}
-		
-		if( $trunc_string )
-		{
-			$ret_lines[$#ret_lines] =~ s/.{4}$/\.\.\.>/;
-		}
-	}
-	
-	return( @ret_lines );
-}
-
-sub time_mdhm
-{
-	my $sub_name = 'time_mdhm';
-	# Convert time from epoch to MONTH/DAY HOUR:MINUTE
-	#						08/13 13:44
-	my $arg1 = $_[0];
-	my $ret_val;
-	
-	if( my @tp = localtime( $arg1 ) )
-	{
-		my $mon = sprintf( "%02d", $tp[4] + 1 );
-		my $day = sprintf( "%02d", $tp[3] );
-		my $hour = sprintf( "%02d", $tp[2] );
-		my $min = sprintf( "%02d", $tp[1] );
-		
-		$ret_val =  "$mon/$day $hour:$min";
-	}
-	else
-	{
-		return( undef );
-	}
-	
-	return( $ret_val );
-}
-
-sub time_hms
-{
-	my $sub_name = 'time_hms';
-	# Convert epoch to to HH:MM:SS
-	
-	my $arg1 = $_[0];
-	my $ret_val;
-	
-	if( my @tp = localtime( $arg1 ) )
-	{
-		my $hour = sprintf( "%02d", $tp[2] );
-		my $min = sprintf( "%02d", $tp[1] );
-		my $sec = sprintf( "%02d", $tp[0] );
-		
-		$ret_val =  "$hour:$min:$sec";
-	}
-	else
-	{
-		return( undef );
-	}
-	
-	return( $ret_val );
-	
-}
-
-sub date_md
-{
-	my $sub_name = 'date_md';
-	# Convert time from epoch to MONTH/DAY
-	
-	my $arg1 = $_[0];
-	my $ret_val;
-	
-	if( my @tp = localtime( $arg1 ) )
-	{
-		my $mon = sprintf( "%02d", $tp[4] + 1 );
-		my $day = sprintf( "%02d", $tp[3] );
-		
-		$ret_val =  "$mon/$day";
-	}
-	else
-	{
-		return( undef );
-	}
-	
-	return( $ret_val );
-}
-
-sub date_ymd
-{
-	my $sub_name = 'date_ymd';
-	# Convert time from epoch to YEAR/MONTH/DAY
-	
-	my $arg1 = $_[0];
-	my $ret_val;
-	
-	if( my @tp = localtime( $arg1 ) )
-	{
-		my $mon = sprintf( "%02d", $tp[4] + 1 );
-		my $day = sprintf( "%02d", $tp[3] );
-		my $year = $tp[5] + 1900;
-		
-		$ret_val =  "$year/$mon/$day";
-	}
-	else
-	{
-		return( undef );
-	}
-	
-	return( $ret_val );
-}
-
-sub getincidentnumber
-{
-	my $sub_name = 'getincidentnumber';
-	
-	my $arg1 = $_[0];
-	my $failed = 0;
-	my $ret_count;
-	
-	# Check if the $INCIDENT_COUNT_FILE has been set yet
-	if( ! $INCIDENT_COUNT_FILE )
-	{
-		setincidentcountfile();
-	}
-	
-	# Make sure that the files exists
-	if( ! -f $INCIDENT_COUNT_FILE )
-	{
-		if( open( OUTFILE, ">$INCIDENT_COUNT_FILE" ) )
-		{
-			print OUTFILE "0\n";
-		}
-		else
-		{
-			warn( "Failed to create the incident count file at $INCIDENT_COUNT_FILE\n;" );
-			$failed = 1;
-		}
-		close( OUTFILE );
-		
-		return( undef ) if $failed;
-	}
-	
-	# If anything besides 0 or undef is passed in then this is true
-	# If true then don't get a new incident number but rather return the current.
-	if( open( RW_FILE, $INCIDENT_COUNT_FILE ) )
-	{
-		lock( *RW_FILE );
-		my $cur_count = <RW_FILE>;
-		chomp( $cur_count );
-		if( $arg1 )
-		{
-			$ret_count = $cur_count;
-		}
-		else
-		{
-			if( open( RW_FILE, ">$INCIDENT_COUNT_FILE" ) )
-			{
-				lock( *RW_FILE ) or print "FAILED TO RE-LOCK\n";
-				$ret_count = $cur_count + 1;;
-				print RW_FILE "$ret_count\n";
-			}
-			else
-			{
-				warn( "Failed to reopen incident count file $INCIDENT_COUNT_FILE for wirtting.\n" );
-				$failed = 1;
-			}
-		}
-		unlock( *RW_FILE );
-		close( RW_FILE );
-	}
-	else
-	{
-		warn( "Failed to open incident count file $INCIDENT_COUNT_FILE for reading.\n" );
-		$failed = 1;
-	}
-	
-	return( $ret_count );
-}
-
-sub lock
-{
-	my $sub_name = 'lock';
-	
-	my $fh = $_[0];
-	
-	if( $USE_FLOCK )
-	{
-		flock( $fh, 2 );
-	}
-	return( 1 );
-}
-
-sub unlock
-{
-	my $sub_name = 'unlock';
-	
-	my $fh = $_[0];
-	
-	if( $USE_FLOCK )
-	{
-		flock( $fh, 8 );
-	}
-	
-	return( 1 );
-}
-
-sub standard_deviation
-{
-	my $sub_name = 'standard_deviation';
-	
-	my $arg1 = $_[0];	# ref to array
-	my $mean;
-	my $dev_mean;
-	my $ret_val;
-	my $num_elements;
-	my $sum;
-	
-	if( ref( $arg1 ) eq 'ARRAY' )
-	{
-		my $i = 0;
-		my $deviation_sum;
-		$num_elements = scalar( @{$arg1} );
-		$dev_mean = $arg1->[0] ** 2;
-		for( $i = 1; $i > $num_elements; ++$i )
-		{
-			$sum += $arg1->[$i];
-			$deviation_sum += $arg1->[$i] ** 2;
-		}
-		
-		$dev_mean = $deviation_sum / $num_elements;
-	}
-	elsif( ref( $arg1 ) eq 'HASH' )
-	{
-		my $deviation_sum;
-		while( my( $num, $quan ) = each( %{$arg1} ) )
-		{
-			$sum += $num * $quan;
-			$num_elements += $quan;
-			$deviation_sum += ( $num ** 2 ) * $quan;
-		}
-		$dev_mean = $deviation_sum / $num_elements;
-	}
-	else
-	{
-		return( undef );
-	}
-	
-	# There should be a minimum of 5 (five) values to produce a valid result
-	if( $num_elements < 5 )
-	{
-		return( undef );
-	}
-	
-	$mean = $sum / $num_elements;
-	$ret_val = sqrt( $dev_mean - ( $mean ** 2 ) );
-	return( $ret_val );
-}
-
-sub mean_val
-{
-	my $sub_name = 'mean_val';
-	
-	my $arg1 = $_[0];	#ref to array
-	my $array_count;
-	my $sum = 0;
-	my $ret_val;
-	
-	if( ref( $arg1 ) ne 'ARRAY' )
-	{
-		return( undef );
-	}
-	
-	foreach my $num( @{$arg1} )
-	{
-		$sum += $num;
-		++$array_count;
-	}
-	
-	if( $array_count > 0 )
-	{
-		$ret_val = $sum / $ret_val;
-		return( $ret_val );
-	}
-	else
-	{
-		return( undef );
-	}
-}
-
-sub tempfile
-{
-	my $sub_name = 'tempfile';
-	
-	my $action = shift || return( undef );;
-	my @args = @_;
-	
-	if( $action =~ m/^add$/i )
-	{
-		addtempfile( @args );
-	}
-	elsif( $action =~ m/^delete|remove$/i )
-	{
-		removetempfile( @args );
-	}
-	elsif( $action =~ m/^delete all|remove all$/i )
-	{
-		removealltempfiles();
-	}
-	else
-	{
-		warn( __PACKAGE__ . "::$sub_name, Unknown action of $action passed to function.\n" );
-		return( undef );
-	}
-}
-
-sub addtempfile
-{
-	my $sub_name = 'addtempfile';
-	
-	my $prefix = $_[0] || return( undef );
-	my $force = $_[1] || 0;
-	my $ret_file = "$TEMP_DIR/$prefix".$$.".tmp";
-	
-	if( -f $ret_file )
-	{
-		if( ! $force )
-		{
-			warn( __PACKAGE__ . "::$sub_name, Temp file $ret_file already exists\n" );	
-			return( undef );
-		}
-	}
-	
-	if( open( OUTFILE, ">$ret_file" ) )
-	{
-		if( $DEBUG > 2 )
-		{
-			warn( __PACKAGE__ . "::$sub_name, Successfully created temp file $ret_file.\n" );
-		}
-	}
-	else
-	{
-		warn( __PACKAGE__ . "::$sub_name, Unable to open temp file $ret_file for writting.\n" );
-	}
-	
-	close( OUTFILE );
-	
-	push( @TEMP_FILES, $ret_file );
-	return( $ret_file );
-}
-
-sub removetempfile
-{
-	my $sub_name = 'removetempfile';
-	
-	my @file_names = @_;
-	my $num_removed = 0;
-	my @new_array;
-	
-	if( ! defined( $file_names[0] ) )
-	{
-		return( undef );
-	}
-	
-	foreach my $cur_file( @TEMP_FILES )
-	{
-		foreach my $file_to_remove( @file_names )
-		{
-			my $did_find = 0;
-			if( $cur_file eq $file_to_remove )
-			{
-				if( unlink $file_to_remove )
-				{
-					++$num_removed;
-					if( $DEBUG > 1 )
-					{
-						warn( __PACKAGE__ . "::$sub_name, Removed temp file $file_to_remove\n" );
-					}
-				}
-				else
-				{
-					if( $DEBUG > 0 )
-					{
-						warn( __PACKAGE__ . "::$sub_name, Failed to remove temp file $file_to_remove\n" );
-					}
-				}
-				$did_find = 1;
-				last;
-			}
-			
-			if( ! $did_find )
-			{
-				push( @new_array, $cur_file );
-			}
-		}
-	}
-	
-	@TEMP_FILES = @new_array;
-	return( $num_removed );
-	
-}
-
-sub removealltempfiles
-{
-	my $sub_name = 'removealltempfiles';
-	my $num_removed = 0;
-	
-	foreach my $file_name( @TEMP_FILES )
-	{
-		if( unlink( $file_name ) )
-		{
-			++$num_removed;
-			if( $DEBUG > 1 )
-			{
-				warn( __PACKAGE__ . "::$sub_name, Successfully deleted temp file $file_name\n" );
-			}
-		}
-		else
-		{
-			if( $DEBUG > 0 )
-			{
-				warn( __PACKAGE__ . "::$sub_name, Failed to delete temp file $file_name\n" );
-			}
-		}
-	}
-	
-	@TEMP_FILES = ();
-	return( $num_removed );
-}
-
-sub setincidentcountfile
-{
-	my $sub_name = 'setincidentcountfile';
-	
-	my $brosite;
-	use Bro::Config( '$BRO_CONFIG' );
-	if($brosite = $BRO_CONFIG->{BROSITE} )
-	{
-		
-		
-		# Location of the file that holds the incident number counter
-		$INCIDENT_COUNT_FILE = "$brosite/incident_counter";
-
-	}
-	else
-	{
-		warn( "No value for \$BROHOME has been set in the Bro config file.  Nothing much works without it.\n" );
-		return( undef );
-	}
-
-}
-
-
-1;
diff --git a/scripts/perl/lib/Bro/Report/Alarm.pm b/scripts/perl/lib/Bro/Report/Alarm.pm
deleted file mode 100644
index 04dfcc5d5b..0000000000
--- a/scripts/perl/lib/Bro/Report/Alarm.pm
+++ /dev/null
@@ -1,2070 +0,0 @@
-package Bro::Report::Alarm;
-
-use strict;
-require 5.006_001;
-use Bro::Config( '$BRO_CONFIG' );
-use Bro::Report qw( trimhostname iptoname swrite time_mdhm time_hms date_md
-				standard_deviation getincidentnumber tempfile trimstring );
-use Bro::Signature( 'getrules' );
-use Bro::Log::Conn;
-
-use vars qw( $VERSION
-			$DEBUG
-			$SCANS_MAX_COUNT
-			$RPT_CACHE
-			$BROHOME
-			$SCAN_MAX_BYTES_RCV
-			$SCAN_EVENT_REGEX
-			$SCAN_EVENT_LIST
-			$INCIDENT_EVENT_LIST
-			$INCIDENT_EVENT_REGEX
-			$INCIDENT_REPORTABLE_POLICY
-			$REPORTABLE_EVENT_REGEX
-			$NOTICE_TYPE_SCORES
-			$NOTICE_TYPE_SCORES_FILE
-			$SIGNATURE_ID_SCORES
-			$SIGNATURE_ID_SCORES_FILE
-			$ALARM_THRESHOLD
-			$INCIDENT_TEMP_NUMBER
-			$MAX_INCIDENT_CONN_LINES
-			$SHOW_UNSUCCESSFUL_INCIDENTS
-			$INCIDENT_SHOW_SUB_MESSAGE
-			$INCIDENT_SHOW_SIGNATURE
-			$ALARM_SUPPRESS_DUPLICATES );
-
-# $Id: Alarm.pm 1433 2005-09-30 21:13:23Z tierney $
-$VERSION = 1.20;
-$SCANS_MAX_COUNT = 30;
-$SCAN_MAX_BYTES_RCV = 20480;
-
-$DEBUG = 0;
-$INCIDENT_TEMP_NUMBER = 1;
-
-# data for a report will be removed by it's respective function once the data
-# has been called to output.  All report data in memory is held in
-# variable $RPT_CACHE;
-
-my %REPORT_MAP = ( 'scans' => { input => __PACKAGE__ . '::scans',
-						output => __PACKAGE__ . '::output_scans', },
-		'incidents' => { input => __PACKAGE__ . '::incident',
-					output => __PACKAGE__ . '::output_incident', },
-		'scan_summary' => { input => undef,
-						output => __PACKAGE__ . '::output_scansummary', },
-		'incident_summary' => { input => undef,
-						output => __PACKAGE__ . '::output_incidentsummary', },
-		'signature_summary' => { input => undef,
-						output => __PACKAGE__ . '::output_signaturesummary', },
-		'signature_distribution' => { input => __PACKAGE__ . '::signaturedistribution',
-						output => __PACKAGE__ . '::output_signaturedistribution', },
-		);
-
-$NOTICE_TYPE_SCORES = {};
-$SIGNATURE_ID_SCORES = {};
-
-$NOTICE_TYPE_SCORES_FILE = $BRO_CONFIG->{BROHOME} . "/etc/alert_scores";
-$SIGNATURE_ID_SCORES_FILE = $BRO_CONFIG->{BROHOME} . "/etc/signature_scores";
-
-# Set the signature score list
-setsignaturescores( $SIGNATURE_ID_SCORES_FILE );
-
-# Set the notice_type score list
-setnoticetypescores( $NOTICE_TYPE_SCORES_FILE );
-
-# Current threshold limit, default is 100.
-$ALARM_THRESHOLD = 100;
-
-# This list defines what notice types will be treated as scans.
-$SCAN_EVENT_LIST = {};
-
-# Default list of notice types that are considered scan events
-setreportablescan( 'PortScan', 'PasswordGuessing', 'AddressScan', 
-	'MultipleSigResponders', 'MultipleSignatures', );
-
-# See reportableincident and setreportableincident
-$INCIDENT_EVENT_LIST = {};
-
-# By default all notice types that are not scanned will be considered worth
-# reporting and will generate an incident
-setreportableincident( 'ScanSummary', 'AddressDropped', 'DEFAULT_ALLOW' );
-
-$MAX_INCIDENT_CONN_LINES = 30;
-
-# If and how should the unsuccessful incident data be displayed.
-# Valid values are 'FIRST INSTANCE', 'ALL'
-$SHOW_UNSUCCESSFUL_INCIDENTS = 'FIRST INSTANCE';
-
-# Toggle whether the alarm sub_message should be included in the incident details
-$INCIDENT_SHOW_SUB_MESSAGE = 1;
-
-# Toggle whether the actual signature code block should be included in incident details
-# when the notice type is SensitiveSignature
-$INCIDENT_SHOW_SIGNATURE = 1;
-
-# Toggle whether duplicate alarms should be suppressed inside an incident
-$ALARM_SUPPRESS_DUPLICATES = 1;
-
-### This is deprecated
-my $DROPPED_PACKETS_REGEX = qr/([[:digit:]]+) packets dropped after filtering, ([[:digit:]]+) received, ([[:digit:]]+) on link/o;
-
-sub scans
-{
-	my $sub_name = 'scans';
-	
-	my $_alarm_struc = $_[0] || return( undef );
-	
-	if( reportablescan( $_alarm_struc ) )
-	{
-		my $src_ip = Bro::Log::Alarm::source_ip( $_alarm_struc );
-		push( @{$RPT_CACHE->{scans}->{$src_ip}->{ALARMS}}, $_alarm_struc );
-	}
-	
-	return( 1 );
-}
-
-sub output_scans
-{
-	my $sub_name = 'output_scans';
-	
-	my $format = $_[1];
-	my $total_scans = $RPT_CACHE->{scans}->{COUNT};
-	my @results;
-	my $ret_string;
-	my $content = '';
-	my $max_reason_length = 62;
-	my @heading_names = ( 'Host', 'IP', );
-	
-	if( ! exists( $RPT_CACHE->{scans} ) )
-	{
-		return( undef );
-	}
-	
-	if( ! $format )
-	{
-		$format = <<'END';
-  Host:   @<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<  @<<<<<<<<<<<<<<
-  Reason: @<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
-  ~       @<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
-  ~       @<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
-
-END
-	}
-		
-	# Classify the scans
-	classifyscans();
-	
-	# Reorganize the scan by type
-	my %scan_events_by_type;
-	foreach my $h_ip( keys( %{$RPT_CACHE->{scans}} ) )
-	{
-		foreach my $alarm_struc( @{$RPT_CACHE->{scans}->{$h_ip}->{ALARMS}} )
-		{
-			my $notice_type = Bro::Log::Alarm::notice_type( $alarm_struc );
-		        my $dest_ip = Bro::Log::Alarm::destination_addr( $alarm_struc ) ;
-			push( @{$scan_events_by_type{$notice_type}}, $alarm_struc );
-		}
-	}
-		
-	# Make the content
-	my $num_scans_output = 0;
-	foreach my $event_type( keys( %scan_events_by_type ) )
-	{
-		foreach my $alarm_struc( @{$scan_events_by_type{$event_type}} )
-		{
-			my $h_ip = Bro::Log::Alarm::source_addr( $alarm_struc );
-			my $h_name = trimhostname( iptoname( $h_ip ), 44, '>' );
-			my $message;
-			
-			# Post process the messages for the following event types
-			if( $event_type eq 'MultipleSignatures' )
-			{
-				$message = Bro::Log::Alarm::count( $alarm_struc ) .
-					" different signatures triggered against " .
-					Bro::Log::Alarm::destination_addr( $alarm_struc );
-			}
-			elsif( $event_type eq 'MultipleSigResponders' )
-			{
-				my $sig_event = Bro::Log::Alarm::message( $alarm_struc );
-				my $sigid = Bro::Log::Alarm::sigid( $alarm_struc );
-				my $c = Bro::Log::Alarm::count( $alarm_struc );
-				$message = "Triggered signature $sigid: $sig_event across $c hosts";
-			}
-			else
-			{
-				$message = Bro::Log::Alarm::message( $alarm_struc );
-			}
-			
-			# reduce to a max of three lines at $max_reason_length characters per line
-			my @reason = trimstring( $message, $max_reason_length, 3 );
-			
-			$content .= swrite( $format, $h_name, $h_ip, @reason );
-			++$num_scans_output;			
-			if( $num_scans_output > $SCANS_MAX_COUNT )
-			{
-				last;
-			}
-		}
-		if( $num_scans_output > $SCANS_MAX_COUNT )
-		{
-			last;
-		}
-	}
-	
-	if( length( $content ) < 10 )
-	{
-		$ret_string = "     No data to report\n";
-	}
-	else
-	{
-		$ret_string .= $content;
-		if( $total_scans > $SCANS_MAX_COUNT )
-		{
-			my $num_not_displayed = $total_scans - $SCANS_MAX_COUNT;
-			$ret_string .= <<"END"
-			
-    Maximum of $SCANS_MAX_COUNT scans are listed.
-    There are another $num_not_displayed that are not displayed.
-END
-		}
-	}
-	
-	# Clean up some memory
-	delete( $RPT_CACHE->{scans} );
-	
-	return( $ret_string );
-}
-
-sub classifyscans
-{
-	my $sub_name = 'classifyscans';
-	
-	my $success_scans = 0;
-	my $failed_scans = 0;
-	
-	if( exists( $RPT_CACHE->{scans}->{CLASSIFICATION_TOTALS} ) )
-	{
-		$success_scans = $RPT_CACHE->{scans}->{CLASSIFICATION_TOTALS}->{'SUCCESSFUL'};
-		$failed_scans = $RPT_CACHE->{scans}->{CLASSIFICATION_TOTALS}->{'UNSUCCESSFUL'};
-	}
-	else
-	{
-		# Post process some scan types
-		foreach my $host( keys( %{$RPT_CACHE->{scans}} ) )
-		{
-			my @new_alarm_list;
-			my %ms;	# MultipleSignatures
-			my %msr;	# MultipleSigResponders
-			
-			foreach my $alarm_struc( @{$RPT_CACHE->{scans}->{$host}->{ALARMS}} )
-			{
-				my $notice_type = Bro::Log::Alarm::notice_type( $alarm_struc );
-				if( $notice_type eq 'MultipleSignatures' )
-				{
-					# Only keep the highest reported number for each pair
-					my $src_ip = Bro::Log::Alarm::source_addr( $alarm_struc );
-					my $dst_ip = Bro::Log::Alarm::destination_addr( $alarm_struc );
-					if( exists( $ms{"$src_ip$dst_ip"} ) )
-					{
-						my $cur_count = Bro::Log::Alarm::count( $alarm_struc );
-						if( $cur_count > Bro::Log::Alarm::count( $ms{"$src_ip$dst_ip"} ) )
-						{
-							$ms{"$src_ip$dst_ip"} = $alarm_struc;
-						}
-					}
-					else
-					{
-						$ms{"$src_ip$dst_ip"} = $alarm_struc;
-					}
-				}
-				elsif( $notice_type eq 'MultipleSigResponders' )
-				{
-					# Only keep the highest count for each offender
-					my $src_ip = Bro::Log::Alarm::source_addr( $alarm_struc );
-					if( exists( $msr{"$src_ip"} ) )
-					{
-						my $cur_count = Bro::Log::Alarm::count( $alarm_struc );
-						if( $cur_count > Bro::Log::Alarm::count( $msr{"$src_ip"} ) )
-						{
-							$msr{"$src_ip"} = $alarm_struc;
-						}
-					}
-					else
-					{
-						$msr{"$src_ip"} = $alarm_struc;
-					}
-				}
-				else
-				{
-					push( @new_alarm_list, $alarm_struc );
-				}
-			}
-			
-			if( keys( %ms ) > 0 )
-			{
-				push( @new_alarm_list, values( %ms ) );
-			}
-			
-			if( keys( %msr ) > 0 )
-			{
-				push( @new_alarm_list, values( %msr ) );
-			}
-			
-			@{$RPT_CACHE->{scans}->{$host}->{ALARMS}} = @new_alarm_list;
-		}
-		# Figure out if the scan is worth reporting.
-		foreach my $h_ip( keys( %{$RPT_CACHE->{scans}} ) )
-		{
-			my $is_success = 0;
-			BLOCK: {
-				# Check if there were any connections back to the offender
-				if( $RPT_CACHE->{scans}->{$h_ip}->{CONNECTIONS_TO_OFFENDER} )
-				{
-					if( $DEBUG > 2 )
-					{
-						warn( "Scan events for $h_ip have be found worthy of reporting.  " . 
-							$RPT_CACHE->{scans}->{$h_ip}->{CONNECTIONS_TO_OFFENDER} . 
-							" connections were made back to the offender.\n");
-					}
-					$is_success = 1;
-					last BLOCK;
-				}
-				
-				if( exists( $RPT_CACHE->{scans}->{$h_ip}->{BYTES_RCV} ) )
-				{
-					foreach my $bytes_rcv( keys( %{$RPT_CACHE->{scans}->{$h_ip}->{BYTES_RCV}} ) )
-					{
-						if( $bytes_rcv > $SCAN_MAX_BYTES_RCV )
-						{
-							$is_success = 1;
-							if( $DEBUG > 2 )
-							{
-								warn( "Scan events from source $h_ip have been found worthy of reporting." .
-									"There was data over $SCAN_MAX_BYTES_RCV sent back to the host\n" );
-							}
-							last BLOCK;
-						}
-					}
-				}
-				
-				# Figure out if the bytes sent by the offender is more than $num_deviations
-				# deviations out from the standard deviation.
-				if( $RPT_CACHE->{scans}->{$h_ip}->{BYTES_SENT} )
-				{
-					my $num_deviations = 3;
-					my $std_dev = standard_deviation( $RPT_CACHE->{scans}->{$h_ip}->{BYTES_SENT} );
-					my $max_deviation = sprintf( "%d", $std_dev * $num_deviations );
-					my $max_val = 0;
-
-					# Make sure that standard_deviation returned a valid value
-					if( defined( $std_dev ) )
-					{
-						foreach my $num( keys( %{$RPT_CACHE->{scans}->{$h_ip}->{BYTES_SENT}} ) )
-						{
-							if( $num > $max_deviation )
-							{
-								$RPT_CACHE->{scans}->{$h_ip}->{SENT_DATA_DEVIATION} = 1;
-								if( $DEBUG > 2 )
-								{
-									$max_val = $num;
-								}
-								last;
-							}
-
-							if( $DEBUG > 2 )
-							{
-								if( $num > $max_val )
-								{
-									$max_val = $num;
-								}
-							}
-						}
-					}
-					else
-					{
-						# Not worthy of reporting
-						$max_deviation = 'undef';
-						if( $DEBUG > 2 )
-						{
-							warn( "Scan events from source $h_ip has been found not worthy of reporting.  " .
-								"Not enough data for a standard deviation test.\n" );
-						}
-					}
-
-					if( $RPT_CACHE->{scans}->{$h_ip}->{SENT_DATA_DEVIATION} )
-					{
-						# Report !
-						$is_success = 1;
-						if( $DEBUG > 2 )
-						{
-							warn( "Scan events from source $h_ip has been found worthy of reporting after " .
-								"standard deviation test.  Max deviation was $max_deviation and max value ". 
-								"was $max_val\n" );
-						}
-						last BLOCK;
-					}
-					else
-					{
-						# Not worthy of reporting
-						delete( $RPT_CACHE->{scans}->{$h_ip} );
-						if( $DEBUG > 2 )
-						{
-							warn( "Scan events from source $h_ip has been found not worthy of reporting after standard deviation test.\n" );
-							warn( "Max deviation was $max_deviation and max value was $max_val\n" );
-						}
-					}
-				}
-				else
-				{
-					# Not worthy of reporting
-					delete( $RPT_CACHE->{scans}->{$h_ip} );
-					if( $DEBUG > 2 )
-					{
-						warn( "Scan events from source $h_ip has been found not worthy of reporting.\n" );
-						warn( "Did not find any data transfered from host and none back to host.\n" );
-					}
-				}
-			} # end BLOCK
-			
-			if( $is_success )
-			{
-				++$success_scans;
-			}
-			else
-			{
-				++$failed_scans;
-			}
-		}
-		$RPT_CACHE->{scans}->{CLASSIFICATION_TOTALS}->{'SUCCESSFUL'} = $success_scans;
-		$RPT_CACHE->{scans}->{CLASSIFICATION_TOTALS}->{'UNSUCCESSFUL'} = $failed_scans;
-	}
-	
-	return( $success_scans, $failed_scans );
-}
-
-sub output_scansummary
-{
-	my $sub_name = 'output_scansummary';
-	
-	my $ret_string = '';
-	
-	if( ! exists( $RPT_CACHE->{scans} ) )
-	{
-		return( undef );
-	}
-	
-	my( $successful_scans, $failed_scans ) = classifyscans();
-	my $ret_string = <<"END";
-  Scanning Hosts
-    Successful            $successful_scans
-    Unsuccessful          $failed_scans
-END
-	
-	return( $ret_string );
-}
-
-sub incident
-{
-	my $sub_name = 'incident';
-	
-	my $_alarm_struc = $_[0] || return( undef );
-	
-	my $notice_type = Bro::Log::Alarm::notice_type( $_alarm_struc ) or return( undef );
-	my $src_ip = Bro::Log::Alarm::source_addr( $_alarm_struc ) or return( undef );
-	my $dest_ip = Bro::Log::Alarm::destination_addr( $_alarm_struc ) || '';
-	
-	# Find out if this is an incident worth tracking.
-	if( reportableincident( $_alarm_struc ) )
-	{
-		my $timestamp = Bro::Log::Alarm::timestamp( $_alarm_struc );
-		if( ! exists( $RPT_CACHE->{'incident'}->{OFFENDERS}->{$src_ip}->{VICTIMS}->{$dest_ip} ) )
-		{
-			$RPT_CACHE->{'incident'}->{OFFENDERS}->{$src_ip}->{VICTIMS}->{$dest_ip} = {};
-		}
-		
-		my $data_root = $RPT_CACHE->{'incident'}->{OFFENDERS}->{$src_ip}->{VICTIMS}->{$dest_ip};
-		
-		# Put the alarm tag id in the list of tags to watch
-		$data_root->{WATCH_TAG_IDS}->{Bro::Log::Alarm::tag( $_alarm_struc )} = 1;
-		
-		if( exists( $data_root->{BEGIN_TIMESTAMP} ) )
-		{
-			if( $timestamp < $data_root->{BEGIN_TIMESTAMP} )
-			{
-				$data_root->{BEGIN_TIMESTAMP} = $timestamp;
-			}
-		}
-		else
-		{
-			$data_root->{BEGIN_TIMESTAMP} = $timestamp;
-		}
-		
-		# Add the alarm to the list
-		push( @{$data_root->{ALARMS}}, $_alarm_struc );
-		
-		if( $notice_type eq 'SensitiveSignature' )
-		{
-			my $add_score = 0;
-			my $sig_id;
-			
-			# Find the signature id
-			if( $sig_id = sigid( $_alarm_struc ) )
-			{
-				# Get the signature score
-				$add_score = signaturescore( $sig_id );
-			}
-			
-			push( @{$data_root->{SCORE}}, $add_score );
-			
-			# Add the sigid to the hash of known signature notices
-			$RPT_CACHE->{'incident'}->{SIGNATURES}->{$sig_id} = 1;
-		}
-		else
-		{
-			# It's some other type of notice.  This is a general approach to
-			# notices with no special handling.
-			push( @{$data_root->{SCORE}}, noticetypescore( $notice_type ) );
-		}
-	}
-	else
-	{
-		return( 0 );
-	}
-	
-	return( 1 );
-}
-
-sub output_incident
-{
-	my $sub_name = 'output_incident';
-	
-	my $incident_struc = $_[0];
-	my $conn_struc_array_ref = $_[1];
-	my $_max_output_count = $_[2] || 3000;
-	my @results;
-	my $ret_string;
-	my $incident_header;
-	my $connection_pair_format;
-	my $alarm_descr_format;
-	my $alarm_time_dir_format;
-	my $conn_top_format;
-	my $conn_format;
-	my $detail_legend;
-	my $incident_count = 0;
-	my $likely_successful = '';
-	my $likely_unsuccessful = '';
-	my $unknown = '';	
-	my %unsuccessful_sig_ids;
-	
-	if( ! exists( $RPT_CACHE->{incident} ) )
-	{
-		return( undef );
-	}
-	
-	# Legend to print at the top of the incident detail block
-	$detail_legend = <<'END';
-                  # legend for connection type #
-                  ------------------------------
-         C Connection Status
-           # number corresponds to alarm triggered by the connection
-           * successful connection, otherwise unsuccessful.
-         I Initiatator of Connection
-           > connection initiated by remote host
-           < connection initiated by local host
-
-END
-	
-	# Start of incident and the unique number associated with it
-	$incident_header = <<'END';
-------------------------------------------------------------------------
-Incident      @<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< @>>>>>>>>>>>>>>>>>>>>>
-------------------------
-END
-	
-	# connection pair format
-	$connection_pair_format = <<'END';
-Remote Host:  @<<<<<<<<<<<<<<    @<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
- Local Host:  @<<<<<<<<<<<<<<    @<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
-
-END
-	
-	# Alarm description output
-	$alarm_descr_format = <<'END';
-Alarm: @<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
-  @<< @<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
-~     @<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
-~     Duplicates suppressed: @<<<<<<<<<<<
-END
-
-	# Alarm time and direction
-	$alarm_time_dir_format = <<'END';
-      @<<<<<<<<<<<<<                @>>>>>>>>>>>>>> -> @<<<<<<<<<<<<<<
-~                                       @>>>>>>>>>> -> @<<<<<<<<<<
-END
-	
-	# Header for the connection details
-	$conn_top_format = <<"END";
-Connections (only first $MAX_INCIDENT_CONN_LINES after alarm are listed)
------------
-                 time     byte   remote        local   byte
- date   time   duration transfer  port  C   I   port transfer  protocol
------ -------- -------- -------- ------ ------ ----- -------- ----------
-END
-	
-	# Connection detail format
-	$conn_format = <<'END';
-@<<<< @<<<<<<< @>>>>>>> @>>>>>>> @>>>>> @<<<@> @>>>> @>>>>>>> @>>>>>>>>>
-END
-	
-	# Check whether signatures are to be included in the report. If so parse
-	# and store all signatures which are to be reported on.
-	if( $INCIDENT_SHOW_SIGNATURE )
-	{
-		loadsignaturecode( keys( %{$RPT_CACHE->{incident}->{SIGNATURES}} ) );
-	}
-	
- 	foreach my $offender( keys( %{$RPT_CACHE->{incident}->{OFFENDERS}} ) )
- 	{
- 		foreach my $__victim( keys( %{$RPT_CACHE->{incident}->{OFFENDERS}->{$offender}->{VICTIMS}} ) )
- 		{
- 			my $output;
- 			my $__data = $RPT_CACHE->{incident}->{OFFENDERS}->{$offender}->{VICTIMS}->{$__victim};
- 			if( $__data->{CLASS} eq 'LIKELY SUCCESSFUL' )
- 			{
- 				$output = \$likely_successful;
- 			}
- 			elsif( $__data->{CLASS} eq 'UNKNOWN' )
- 			{
- 				$output = \$unknown;
- 			}
- 			elsif( $__data->{CLASS} eq 'LIKELY UNSUCCESSFUL' and 
- 				$SHOW_UNSUCCESSFUL_INCIDENTS )
- 			{
- 				$output = \$likely_unsuccessful;
- 				
- 				if( $SHOW_UNSUCCESSFUL_INCIDENTS eq 'FIRST INSTANCE' )
- 				{
- 					my @new_alarm_list;
- 					foreach my $alarm( @{$__data->{ALARMS}} )
- 					{
- 						if( Bro::Log::Alarm::notice_type( $alarm ) eq 'SensitiveSignature' )
- 						{
- 							if( ! exists( $unsuccessful_sig_ids{Bro::Log::Alarm::sigid( $alarm )} ) )
- 							{
- 								$unsuccessful_sig_ids{Bro::Log::Alarm::sigid( $alarm )} = 1;
- 								push( @new_alarm_list, $alarm );
- 							}
- 						}
- 						else
- 						{
- 							push( @new_alarm_list, $alarm );
- 						}
- 					}
- 					
- 					if( scalar( @new_alarm_list ) < 1 )
- 					{
- 						next;
- 					}
- 					else
- 					{
- 						$__data->{ALARMS} = \@new_alarm_list;
- 					}
- 				}
- 			}
- 			else
- 			{
- 				next;
- 			}
-			
-			my @alarms;
-			my %alarm_times;
-			# Sort the alarms in ascending order (probably already sorted but make sure)
-			for( my $a_idx = 0; $a_idx < @{$__data->{ALARMS}}; ++$a_idx )
-			{
-				my $timestamp = Bro::Log::Alarm::timestamp( $__data->{ALARMS}->[$a_idx] );
-				push( @{$alarm_times{$timestamp}}, $a_idx );
-			}
-			
-			foreach my $ts( sort( {$a <=> $b} keys( %alarm_times ) ) )
-			{
-				foreach my $idx( @{$alarm_times{$ts}} )
-				{
-					push( @alarms, $__data->{ALARMS}->[$idx] );
-				}
-			}
-			
-			undef( %alarm_times );
-			
-			# If duplicate suppression is on then remove duplicate alarms and
-			# set the duplicate count on the alarm that will be displayed.
-			if( $ALARM_SUPPRESS_DUPLICATES and scalar( @alarms ) > 1 )
-			{
-				my @new_alarm_list;
-				my $new_alarm_idx = 0;
-				
-				# prime the new list with the first one in the current list
-				# of alarms.
-				$new_alarm_list[0] = $alarms[0];
-				
-				for( my $i = 1; $i < scalar( @alarms ); ++$i )
-				{
-					if( Bro::Log::Alarm::notice_type( $new_alarm_list[$new_alarm_idx] ) eq
-						Bro::Log::Alarm::notice_type( $alarms[$i] ) )
-					{
-						if( Bro::Log::Alarm::message( $new_alarm_list[$new_alarm_idx] ) ne
-							Bro::Log::Alarm::message( $alarms[$i] ) )
-						{
-							++$new_alarm_idx;
-							$new_alarm_list[$new_alarm_idx] = $alarms[$i];
-						}
-						else
-						{
-							++$new_alarm_list[$new_alarm_idx]->{report_duplicate_count};
-						}
-					}
-					else
-					{
-						++$new_alarm_idx;
-						$new_alarm_list[$new_alarm_idx] = $alarms[$i];
-					}
-				}
-				
-				@alarms = @new_alarm_list;
-			}
-			
-			# Store conn strucs for writting later
-			my @conn_strucs;
-			
-			my $begin_timestamp = $__data->{BEGIN_TIMESTAMP};
-			push( @conn_strucs, incidentconndata( $offender, $__victim, $begin_timestamp ) );
-			
-			my $incident_id = $BRO_CONFIG->{BRO_SITE_NAME} . '-' . sprintf( "%06d", getincidentnumber() );
-			my $victim_hostname = iptoname( $__victim );
-			my $offender_hostname = iptoname( $offender );
-			my %alarm_times;
-			my $last_alarm_idx = 0;
-			my $conn_details_output;
-			my %conn_reference;
-			my $conn_ref_count = 1;
-			
-			$$output .= swrite( $incident_header, $incident_id );
-			# $$output .= swrite( $incident_header, $incident_id, $__data->{CLASS} );
-			
-			# If there is no connection data then skip the connection data ties
-			if( ! $conn_strucs[0] )
-			{
-				# No connection data
-				
-				$conn_details_output .= $conn_top_format;
-				$conn_details_output .= "    No connection data available\n";
-			}
-			else
-			{
-
-				my $local_ip;
-				my $local_hostname;
-				my $remote_ip;
-				my $remote_hostname;
-				
-				# Figure out which host is local, victim or offender
-				my $source_net = Bro::Log::Conn::source_network( $conn_strucs[0] );
-				if( $source_net eq 'L' )
-				{
-					if( Bro::Log::Conn::source_ip( $conn_strucs[0] ) eq $offender )
-					{
-						$remote_ip = $__victim;
-						$remote_hostname = $victim_hostname;
-						$local_ip = $offender;
-						$local_hostname = $offender_hostname;
-					}
-					else
-					{
-						$remote_ip = $offender;
-						$remote_hostname = $offender_hostname;
-						$local_ip = $__victim;
-						$local_hostname = $victim_hostname;
-					}
-				}
-				else
-				{
-					if( Bro::Log::Conn::source_ip( $conn_strucs[0] ) eq $offender )
-					{
-						$remote_ip = $offender;
-						$remote_hostname = $offender_hostname;
-						$local_ip = $__victim;
-						$local_hostname = $victim_hostname;
-					}
-					else
-					{
-						$remote_ip = $__victim;
-						$remote_hostname = $victim_hostname;
-						$local_ip = $offender;
-						$local_hostname = $offender_hostname;
-					}
-				}
-				
-				# Trim the hostnames down if needed
-				$local_hostname = trimhostname( $local_hostname ,39 , '<' );
-				$remote_hostname = trimhostname( $remote_hostname ,39 , '>' );
-				
-				$$output .= swrite( $connection_pair_format, $remote_ip, $remote_hostname,
-								$local_ip, $local_hostname );
-
-				# Delay writing of the details to the returned string
-				$conn_details_output .= $conn_top_format;
-				
-				# This is a copy of @alarms and will be drained as each is matched
-				my @tie_alarms = @alarms;
-				
-				foreach my $conn_struc( @conn_strucs )
-				{
-					my $timestamp = Bro::Log::Conn::timestamp( $conn_struc );
-					my $date = date_md( $timestamp );
-					my $time = time_hms( $timestamp );
-					my $duration = Bro::Log::Conn::duration( $conn_struc, 'raw' );
-					my $service = Bro::Log::Conn::service( $conn_struc );
-					my $remote_bytes;
-					my $remote_port;
-					my $local_bytes;
-					my $local_port;
-					my $direction;
-
-					if( Bro::Log::Conn::source_ip( $conn_struc ) eq $remote_ip )
-					{
-						$remote_bytes = Bro::Log::Conn::source_bytes( $conn_struc, 'raw' );
-						$remote_port = Bro::Log::Conn::source_port( $conn_struc );
-						$local_bytes = Bro::Log::Conn::destination_bytes( $conn_struc, 'raw' );
-						$local_port = Bro::Log::Conn::destination_port( $conn_struc );
-						$direction = ' >';
-					}
-					else
-					{
-						$remote_bytes = Bro::Log::Conn::destination_bytes( $conn_struc, 'raw' );
-						$remote_port = Bro::Log::Conn::destination_port( $conn_struc );
-						$local_bytes = Bro::Log::Conn::source_bytes( $conn_struc, 'raw' );
-						$local_port = Bro::Log::Conn::source_port( $conn_struc );
-						$direction = '< ';
-					}
-
-					my $conn_stat;
-					
-					# Tie connection and alarm data together if possible
-					# Also mark connections (un)successful
-					for( my $i = 0; $i < @tie_alarms; ++$i )
-					{
-						# If the alarm has already been matched then it is not
-						# defined, just skip over it.
-						if( ! $tie_alarms[$i] )
-						{
-							next;
-						}
-						
-						my $alarm_time = Bro::Log::Alarm::timestamp( $tie_alarms[$i] );
-						if( my $tag_id = Bro::Log::Alarm::tag( $tie_alarms[$i] ) )
-						{
-							# Alarm times must fall within at least
-							# 12 minutes of a connection to match up.
-							# This is to help prevent false matches
-							# if tag ids reset do due restarts or crashes.
-							# It is still possible to incorrectly match
-							# if the tag ids are reset often.
-							if( Bro::Log::Conn::range( $conn_struc, $alarm_time, 720 ) and
-								Bro::Log::Conn::containstag( $conn_struc, $tag_id ) )
-							{
-								$conn_reference{$i} = $conn_ref_count;
-								$conn_stat = $conn_ref_count;
-								$tie_alarms[$i] = undef;
-							}
-						}
-					}
-
-					if( $conn_stat )
-					{
-						++$conn_ref_count;
-					}
-					elsif( Bro::Log::Conn::connectsucceed( $conn_struc ) )
-					{
-						$conn_stat = '*';
-					}
-					else
-					{
-						$conn_stat = '';
-					}
-
-					$conn_details_output .= swrite( $conn_format, $date, $time, $duration,
-						$remote_bytes, $remote_port, $conn_stat, $direction,
-						$local_port, $local_bytes, $service );
-				}
-			}
-			
-			# Now go back through and create the alarms section
-			for( my $a_idx = 0; $a_idx < @alarms; ++$a_idx )
-			{
-				my $reference_idx;
-				my $offender_port;
-				my $__victim_port;
-				
-				# Get the source/dest ports and figure out which is local/remote
-				if( Bro::Log::Alarm::source_addr( $alarms[$a_idx] ) eq $offender )
-				{
-					$offender_port = Bro::Log::Alarm::source_port( $alarms[$a_idx] );
-					$__victim_port = Bro::Log::Alarm::destination_port( $alarms[$a_idx] );
-				}
-				else
-				{
-					$__victim_port = Bro::Log::Alarm::source_port( $alarms[$a_idx] );
-					$offender_port = Bro::Log::Alarm::destination_port( $alarms[$a_idx] );
-				}
-				
-				if( exists( $conn_reference{$a_idx} ) )
-				{
-					$reference_idx = $conn_reference{$a_idx};
-				}
-				else
-				{
-					$reference_idx = '';
-				}
-				
-				my $notice_type = Bro::Log::Alarm::notice_type( $alarms[$a_idx] );
-				my $event_msg;
-				if( $notice_type eq 'SensitiveSignature' )
-				{
-					$event_msg .= Bro::Log::Alarm::sigid( $alarms[$a_idx] );
-					$event_msg .= ": " . Bro::Log::Alarm::message( $alarms[$a_idx] );
-				}
-				else
-				{
-					$event_msg .= Bro::Log::Alarm::message( $alarms[$a_idx] );
-				}
-				
-				# Make sure that the event message has some value otherwise
-				# add something default
-				if( ! $event_msg )
-				{
-					$event_msg = '(no event message available)';
-				}
-				
-				my( $message1, $message2 ) = trimstring( $event_msg, 66, 2 );
-				my $duplicate_count;
-				
-				# Check for duplicate counts if applicable
-				if( $alarms[$a_idx]->{report_duplicate_count} )
-				{
-					$duplicate_count = $alarms[$a_idx]->{report_duplicate_count};
-				}
-				
-				my $time = date_md( Bro::Log::Alarm::timestamp( $alarms[$a_idx] ) ) .
-					' '. time_hms( Bro::Log::Alarm::timestamp( $alarms[$a_idx] ) );
-				$$output .= swrite( $alarm_descr_format, $notice_type, $reference_idx,
-								$message1, $message2, $duplicate_count );
-				$$output .= swrite( $alarm_time_dir_format, $time, $offender,
-					$__victim, $offender_port, $__victim_port );
-								
-				# Attach the signature code if the notice type is SensitiveSignature
-				# and $INCIDENT_SHOW_SIGNATURE is true
-				if( $notice_type eq 'SensitiveSignature' and $INCIDENT_SHOW_SIGNATURE )
-				{
-					$$output .= "      signature code:\n";
-					if( my @parts = split( /\n/, signaturecode( Bro::Log::Alarm::sigid( $alarms[$a_idx] ) ) ) )
-					{
-						foreach my $_line( @parts )
-						{
-							$$output .= "        $_line\n";
-						}
-					}
-					else
-					{
-						$$output .= "        (Not available)\n";
-					}
-				}
-				
-				# Attach sub message if available and option set
-				if( Bro::Log::Alarm::sub_message( $alarms[$a_idx] ) and $INCIDENT_SHOW_SUB_MESSAGE )
-				{
-					if( $notice_type eq 'SensitiveSignature' )
-					{
-						$$output .= "      payload:\n";	
-					}
-					else
-					{
-						$$output .= "      sub message:\n";	
-					}
-					
-					foreach my $sub_message( trimstring( Bro::Log::Alarm::sub_message( $alarms[$a_idx] ), 65 ) )
-					{
-						$$output .= "        $sub_message\n";
-					}
-				}
-				# Add a newline between alarms
-				$$output .= "\n";
-			}
-			
-			$$output .= $conn_details_output;
-			
-			$$output .= "-----------------------------\n\n\n";
-			
-			++$incident_count;
-		}
-	}
-	
-	if( $incident_count < 1 )
-	{
-		$ret_string = "     No data to report\n";
-	}
-	else
-	{
-		$ret_string .= $detail_legend . $likely_successful . $unknown . $likely_unsuccessful;
-	}
-	
-	# Clean up some memory
-	delete( $RPT_CACHE->{incident} );
-	
-	return( $ret_string );
-}
-
-sub classifyincidents
-{
-	my $sub_name = 'classifyincidents';
-	
-	my $success = 0;
-	my $unsuccess = 0;
-	my $unknown = 0;
-	
-	if( ! exists( $RPT_CACHE->{incident}->{OFFENDERS} ) )
-	{
-		return( undef );
-	}
-	
-	if( exists( $RPT_CACHE->{incident}->{CLASSIFICATION_TOTALS} ) )
-	{
-		$success = $RPT_CACHE->{incident}->{CLASSIFICATION_TOTALS}->{'LIKELY SUCCESSFUL'};
-		$unsuccess = $RPT_CACHE->{incident}->{CLASSIFICATION_TOTALS}->{'LIKELY UNSUCCESSFUL'};
-		$unknown = $RPT_CACHE->{incident}->{CLASSIFICATION_TOTALS}->{'UNKNOWN'};
-	}
-	else
-	{
-		foreach my $offender( keys( %{$RPT_CACHE->{incident}->{OFFENDERS}} ) )
-		{
-			if( ! exists( $RPT_CACHE->{incident}->{OFFENDERS}->{$offender}->{VICTIMS} ) )
-			{
-				if( $DEBUG > 2 )
-				{
-					warn( __PACKAGE__ . "::$sub_name, No victims listed for offender $offender\n" );
-				}
-				next;
-			}
-			
-			while( my ( $__victim, $__data ) = each( %{$RPT_CACHE->{incident}->{OFFENDERS}->{$offender}->{VICTIMS}} ) )
-			{
-				my $BIGGEST_SCORE;	# store the largest score found for incident
-				
-				if( exists( $__data->{SCORE} ) )
-				{
-					$BIGGEST_SCORE = ( sort( {$b <=> $a} @{$__data->{SCORE}} ) )[0];
-				}
-				else
-				{
-					if( $DEBUG > 2 )
-					{
-						warn( __PACKAGE__ . "::$sub_name, No scores set for offender $offender.  Defaulting to 0\n" );
-					}
-					
-					push( @{$__data->{SCORE}}, 0 );
-					$BIGGEST_SCORE = 0;
-				}
-				
-				my $likelyhood;
-				if( $BIGGEST_SCORE >= $ALARM_THRESHOLD )
-				{
-					$__data->{CLASS} = 'LIKELY SUCCESSFUL';
-					++$success;
-				}
-				elsif( $BIGGEST_SCORE == 0 )
-				{
-					$__data->{CLASS} = 'UNKNOWN';
-					++$unknown;
-				}
-				else
-				{
-					$__data->{CLASS} = 'LIKELY UNSUCCESSFUL';
-					++$unsuccess;
-				}
-			}
-		}
-		$RPT_CACHE->{incident}->{CLASSIFICATION_TOTALS}->{'LIKELY SUCCESSFUL'} = $success;
-		$RPT_CACHE->{incident}->{CLASSIFICATION_TOTALS}->{'LIKELY UNSUCCESSFUL'} = $unsuccess;
-		$RPT_CACHE->{incident}->{CLASSIFICATION_TOTALS}->{'UNKNOWN'} = $unknown;
-	}	
-	
-	return( $success, $unsuccess, $unknown );
-}
-
-sub output_incidentsummary
-{
-	my $sub_name = 'output_incidentsummary';
-	
-	# NOTE: An incident is defined as one or more alarms that occur between two ip
-	# addresses.
-	
-	my $ret_string = '';
-	
-	if( ! exists( $RPT_CACHE->{incident} ) )
-	{
-		return( undef );
-	}
-	
-	my( $success, $unsuccess, $unknown ) = classifyincidents();
-        my $total_incidents = $success + $unknown + $unsuccess;
-	
-	$ret_string = <<"END";
-  Incident Count: $total_incidents
-END
-	
-	return( $ret_string );
-}
-
-sub output_signaturesummary
-{
-	my $sub_name = 'output_signaturesummary';
-	
-	my $ret_string = '';
-	my $total_sigs = 0;
-	my $unique_sigs = 0;
-	my $unique_sources = 0;
-	my $unique_destinations = 0;
-	my $src_dest_pairs = 0;
-	
-	my %source_dest_pairs;
-	my %sources;
-	my %dests;
-	
-	if( ! $RPT_CACHE->{signaturedistribution} )
-	{
-		return( undef );
-	}
-	
-	foreach my $sigid( keys( %{$RPT_CACHE->{signaturedistribution}} ) )
-	{
-		$total_sigs += $RPT_CACHE->{signaturedistribution}->{$sigid}->{COUNT};
-		++$unique_sigs;
-		foreach my $src( keys( %{$RPT_CACHE->{signaturedistribution}->{$sigid}->{SOURCE}} ) )
-		{
-			$sources{$src} = 1;
-		}
-		
-		foreach my $dest( keys( %{$RPT_CACHE->{signaturedistribution}->{$sigid}->{DEST}} ) )
-		{
-			$dests{$dest} = 1;
-		}
-		
-		foreach my $pair( keys( %{$RPT_CACHE->{signaturedistribution}->{$sigid}->{PAIR}} ) )
-		{
-			$source_dest_pairs{$pair} = 1;
-		}
-	}
-	
-	if( my $total = keys( %sources ) )
-	{
-		$unique_sources = $total;
-	}
-	
-	if( my $total = keys( %dests ) )
-	{
-		$unique_destinations = $total;
-	}
-	
-	if( my $total = keys( %source_dest_pairs ) )
-	{
-		$src_dest_pairs = $total;
-	}
-	
-	my $ret_string = <<"END";
-  Signature Summary
-    Total signatures          $total_sigs
-    Unique signatures         $unique_sigs
-    Unique sources            $unique_sources
-    Unique destinations       $unique_destinations
-    Unique source/dest pairs  $src_dest_pairs
-END
-		
-	return( $ret_string );
-}
-
-sub signaturedistribution
-{
-	my $sub_name = 'signaturedistribution';
-	
-	my $alarm_struc = $_[0] || return( undef );
-	
-	if( Bro::Log::Alarm::notice_type( $alarm_struc ) eq 'SensitiveSignature' )
-	{
-		my $sigid = Bro::Log::Alarm::sigid( $alarm_struc );
-		my $src_ip = Bro::Log::Alarm::source_addr( $alarm_struc );
-		my $dst_ip = Bro::Log::Alarm::destination_addr( $alarm_struc );
-		
-		if( $sigid and $src_ip and $dst_ip )
-		{
-			++$RPT_CACHE->{signaturedistribution}->{$sigid}->{SOURCE}->{$src_ip};
-			++$RPT_CACHE->{signaturedistribution}->{$sigid}->{DEST}->{$dst_ip};
-			++$RPT_CACHE->{signaturedistribution}->{$sigid}->{PAIR}->{"$src_ip-$dst_ip"};
-			++$RPT_CACHE->{signaturedistribution}->{$sigid}->{COUNT};
-		}
-	}
-}
-
-sub output_signaturedistribution
-{
-	my $sub_name = 'output_signaturedistribution';
-	
-	my $max_output = $_[0] || 20;
-	my %reversed_hash;
-	my $ret_string = '';
-	my @ordered_list;
-	
-	my $signaturecount_header = <<'END';
-                                        Unique      Unique     Unique
-  Signature ID                Count     Sources     Dests      Pairs
-  ------------------------  ---------  ---------  ---------  -----------
-END
-	my $signaturecount_format = <<'END';
-  @<<<<<<<<<<<<<<<<<<<<<<<  @<<<<<<<<  @<<<<<<<<  @<<<<<<<<  @<<<<<<<<<<
-END
-
-	if( ! exists( $RPT_CACHE->{signaturedistribution} ) )
-	{
-		$ret_string = "  No data to report\n";
-		return( $ret_string );
-	}
-	
-	# Reverse the hash
-	foreach my $sigid( keys( %{$RPT_CACHE->{signaturedistribution}} ) )
-	{
-		push( @{$reversed_hash{$RPT_CACHE->{signaturedistribution}->{$sigid}->{COUNT}}}, $sigid );
-	}
-	
-	# Sort and then set to $ret_string
-	@ordered_list = sort( { $b<=>$a } keys( %reversed_hash ) );
-	
-	my $i = 0;
-	while( defined( my $count = shift( @ordered_list ) ) and $i < $max_output )
-	{
-		foreach my $sigid( @{$reversed_hash{$count}} )
-		{
-			my $source_count = 0;
-			my $dest_count = 0;
-			my $pair_count = 0;
-			
-			$source_count = keys( %{$RPT_CACHE->{signaturedistribution}->{$sigid}->{SOURCE}} );
-			$dest_count = keys( %{$RPT_CACHE->{signaturedistribution}->{$sigid}->{DEST}} );
-			$pair_count = keys( %{$RPT_CACHE->{signaturedistribution}->{$sigid}->{PAIR}} );
-			
-			$ret_string .= swrite( $signaturecount_format,
-							$sigid,
-							$count,
-							$source_count,
-							$dest_count,
-							$pair_count, );
-			++$i;
-			if( !( $i < $max_output ) )
-			{
-				last;
-			}
-		}
-	}
-	
-	if( length( $ret_string ) < 1 )
-	{
-		$ret_string = "  No data to report\n";
-	}
-	else
-	{
-		$ret_string = $signaturecount_header . $ret_string;
-	}
-	
-	return( $ret_string );
-}
-
-######### This report is very misleading.  I left it in only as an example but
-# it's results are not accurate.
-sub droppedpackets
-{
-	my $sub_name = 'droppedpackets';
-	
-	my $alarm_struc = $_[0] || return( undef );
-	
-	if( Bro::Log::Alarm::notice_type( $alarm_struc ) eq 'DroppedPackets' )
-	{
-		if( Bro::Log::Alarm::message( $alarm_struc ) =~ $DROPPED_PACKETS_REGEX )
-		{
-			my $dropped = $1 || 0;
-			my $packets_since_last_notice = $3 || 0;
-			$RPT_CACHE->{droppedpackets}->{DROPPED} += $dropped;
-			$RPT_CACHE->{droppedpackets}->{RECIEVED} += $packets_since_last_notice;
-		}
-		else
-		{
-			return( undef );
-		}
-		return( 1 );
-	}
-	else
-	{
-		return( 0 );
-	}
-}
-
-######### This report is very misleading.  I left it in only as an example but
-# it's results are not accurate.
-sub output_droppedpackets
-{
-	my $sub_name = 'output_droppedpackets';
-	
-	my $dropped;
-	my $recieved;
-	my $percent_dropped;
-	my $ret_string;
-	
-	if( exists( $RPT_CACHE->{droppedpackets} ) and 
-		$RPT_CACHE->{droppedpackets}->{RECIEVED} > 0 )
-	{
-		$dropped = $RPT_CACHE->{droppedpackets}->{DROPPED};
-		$recieved = $RPT_CACHE->{droppedpackets}->{RECIEVED} + $dropped;
-		
-		if( $dropped > 0 )
-		{
-			$percent_dropped = sprintf( "%.4f", ( $dropped / $recieved ) * 100 );
-		}
-		else
-		{
-			$percent_dropped = '0%';
-		}
-	}
-	else
-	{
-		return( undef );
-	}
-	
-	$ret_string = <<"END";
-  Dropped Packets
-    Packets Recieved: $recieved
-    Packets Dropped:  $dropped
-    Percent Dropped: $percent_dropped\%
-END
-	
-	# Clean up some memory
-	delete( $RPT_CACHE->{droppedpackets} );
-	
-	return( $ret_string );
-
-}
-
-sub sigid
-{
-	my $sub_name = 'sigid';
-	
-	my $_alarm_struc = $_[0];
-	my $ret_val;
-	
-	my $ret_val = Bro::Log::Alarm::filename( $_alarm_struc );
-	
-	return( $ret_val );	
-}
-
-sub setsignaturescores
-{
-	my $sub_name = 'setsignaturescores';
-	
-	my $_sigid = $_[0];
-	my $ret_hash = {};
-	
-	if( open( INFILE, $SIGNATURE_ID_SCORES_FILE ) )
-	{
-		while( defined( my $line = <INFILE> ) )
-		{
-			if( $line !~ m/^[[:space:]]*\#/ )
-			{
-				my( $key, $val, $junk ) = split( " ", $line, 3 );
-				$ret_hash->{$key} = $val;
-			}
-		}
-	}
-	else
-	{
-		warn( "Unable to open signature score file at $SIGNATURE_ID_SCORES_FILE\n" );
-		return( undef );
-	}
-	
-	# Capitalize the _DEFAULT_ parameter if not already
-	if( exists( $ret_hash->{'_default_'} ) )
-	{
-		$ret_hash->{'_DEFAULT_'} = $ret_hash->{'_default_'};
-		delete( $ret_hash->{'_default_'} );
-	}
-	
-	# Make sure that a default has been set
-	if( ! exists( $ret_hash->{'_DEFAULT_'} ) or
-		$ret_hash->{'_DEFAULT_'} !~ m/^[[:digit:]]+$/ )
-	{
-		$ret_hash->{'_DEFAULT_'} = 5;
-	}
-	
-	close( INFILE );
-	
-	# Set the package variable to the signature scores taken from the file
-	$SIGNATURE_ID_SCORES = $ret_hash;
-	
-	if( $DEBUG > 3 )
-	{
-		warn( "Current scores for signature ids\n" );
-		while( my( $key, $val ) = each( %{$ret_hash} ) )
-		{
-			warn( "SIGID: $key => SCORE: $val\n" );
-		}
-		warn( "\n" );
-	}
-	
-	return( $ret_hash );
-}
-
-sub setnoticetypescores
-{
-	my $sub_name = 'setnoticetypescores';
-	
-	my $_sigid = $_[0];
-	my $ret_hash = {};
-	
-	if( open( INFILE, $NOTICE_TYPE_SCORES_FILE ) )
-	{
-		while( defined( my $line = <INFILE> ) )
-		{
-			if( $line !~ m/^[[:space:]]*\#/ )
-			{
-				my( $key, $val, $junk ) = split( " ", $line, 3 );
-				$ret_hash->{$key} = $val;
-			}
-		}
-	}
-	else
-	{
-		warn( "Unable to open notice_type score file at $NOTICE_TYPE_SCORES_FILE\n" );
-		return( undef );
-	}
-	
-	# Capitalize the _DEFAULT_ parameter if not already
-	if( exists( $ret_hash->{'_default_'} ) )
-	{
-		$ret_hash->{'_DEFAULT_'} = $ret_hash->{'_default_'};
-		delete( $ret_hash->{'_default_'} );
-	}
-	
-	# Make sure that a default has been set
-	if( ! exists( $ret_hash->{'_DEFAULT_'} ) or
-		$ret_hash->{'_DEFAULT_'} !~ m/^[[:digit:]]+$/ )
-	{
-		$ret_hash->{'_DEFAULT_'} = 0;
-	}
-	
-	close( INFILE );
-	
-	# Set the package variable to the signature scores taken from the file
-	$NOTICE_TYPE_SCORES = $ret_hash;
-	
-	if( $DEBUG > 3 )
-	{
-		warn( "Current scores for notice types\n" );
-		while( my( $key, $val ) = each( %{$ret_hash} ) )
-		{
-			warn( "NOTICE_TYPE: $key => SCORE: $val\n" );
-		}
-		warn( "\n" );
-	}
-	
-	return( $ret_hash );
-}
-
-sub signaturescore
-{
-	my $sub_name = 'signaturescore';
-	
-	my $sigid = $_[0] || '_DEFAULT_';
-	my $ret_val;
-	
-	if( exists( $SIGNATURE_ID_SCORES->{$sigid} ) )
-	{
-		$ret_val = $SIGNATURE_ID_SCORES->{$sigid};
-	}
-	else
-	{
-		$ret_val = $SIGNATURE_ID_SCORES->{'_DEFAULT_'};
-	}
-	
-	return( $ret_val );
-}
-
-
-sub noticetypescore
-{
-	my $sub_name = 'noticetypescore';
-	
-	my $notice_type = $_[0] || '_DEFAULT_';
-	my $ret_val;
-	
-	if( exists( $NOTICE_TYPE_SCORES->{$notice_type} ) )
-	{
-		$ret_val = $NOTICE_TYPE_SCORES->{$notice_type};
-	}
-	else
-	{
-		$ret_val = $NOTICE_TYPE_SCORES->{'_DEFAULT_'};
-	}
-	
-	return( $ret_val );
-}
-sub addconndata
-{
-	my $sub_name = 'addconndata';
-	# The purpose of this function is to add additional data to report
-	# parts that can use it.  The data can be used to weight probabilities
-	# or add data to a report.
-	
-	# Filehandle which contains connection data.
-	my $conn_struc = $_[0] || return( undef );	# ref to Bro::Log::Conn struc
-	my $conn_line = $_[1] || return( undef );	# ref to string
-	my $add_override = $_[2];
-	
-	# Scans really only mean something if a successful connection was made
-	# or an annomylous conection out of the scan was made.
-	my $src_ip = Bro::Log::Conn::source_ip( $conn_struc );
-	my $dest_ip = Bro::Log::Conn::destination_ip( $conn_struc );
-	my $service = Bro::Log::Conn::service( $conn_struc );
-	my $success_connect = Bro::Log::Conn::connectsucceed( $conn_struc );
-	my $src_net = Bro::Log::Conn::source_network( $conn_struc );
-	if( exists( $RPT_CACHE->{scans}->{$src_ip} ) and
-		$RPT_CACHE->{scans}->{$src_ip}->{CONNECTIONS_TO_OFFENDER} )
-	{
-		if( $service !~ m/^dns|ident$/ and
-				$src_net eq 'L' and
-				$success_connect )
-		{
-			++$RPT_CACHE->{scans}->{$dest_ip}->{CONNECTIONS_TO_OFFENDER};
-		}
-	}
-	# If a scanner and not a service to ignore and bytes >= 0 then store
-	# the byte count for a post collection standard deviation test.
-	elsif( exists( $RPT_CACHE->{scans}->{$src_ip} ) )
-	{
-		my $src_bytes = Bro::Log::Conn::source_bytes( $conn_struc );
-		my $dest_bytes = Bro::Log::Conn::destination_bytes( $conn_struc );
-		if( $service !~ m/^dns|ident$/ )
-		{
-			if( $src_bytes >= 0 )
-			{
-				++$RPT_CACHE->{scans}->{$src_ip}->{BYTES_SENT}->{$src_bytes};
-				++$RPT_CACHE->{scans}->{$src_ip}->{BYTES_RCV}->{$dest_bytes};
-			}
-		}
-	}
-	# If a scanner is the destination and our local_net is the orginator
-	# of the connection this may be very interesting.
-	elsif( exists( $RPT_CACHE->{scans}->{$dest_ip} ) and
-		$service !~ m/^dns|ident$/ and
-		$src_net eq 'L' )
-	{
-		++$RPT_CACHE->{scans}->{$dest_ip}->{CONNECTIONS_TO_OFFENDER};
-	}
-	
-	# Add connection data to incidents
-	my $offender_address;
-	my $victim_address;
-	if( exists( $RPT_CACHE->{incident}->{OFFENDERS}->{$src_ip} ) )
-	{
-		# Does the connection data contain the victim address
-		if( exists( $RPT_CACHE->{incident}->{OFFENDERS}->{$src_ip}->{VICTIMS}->{$dest_ip} ) )
-		{
-			$offender_address = $src_ip;
-			$victim_address = $dest_ip;
-		}
-	}
-	elsif( exists( $RPT_CACHE->{incident}->{OFFENDERS}->{$dest_ip} ) )
-	{
-		# Does the connection data contain the victim address
-		if( exists( $RPT_CACHE->{incident}->{OFFENDERS}->{$dest_ip}->{VICTIMS}->{$src_ip} ) )
-		{
-			$offender_address = $dest_ip;
-			$victim_address = $src_ip;
-			if( $service !~ m/^dns|ident$/ )
-			{
-				# This means there was a connection from the victim back to the 
-				# offender.  Most likely very interesting.
-				push( @{$RPT_CACHE->{incident}->{OFFENDERS}->{$dest_ip}->{VICTIMS}->{$src_ip}->{SCORE}}, 100 );
-			}
-		}
-	}
-	
-	# If the offender address was found in the connection struc then do a few
-	# more checks on whether to store the data for later retrieval.
-	if( $offender_address )
-	{
-		if( ! $victim_address )
-		{
-			$victim_address = '';
-		}
-		
-		my $temp_fh = $RPT_CACHE->{incident}->{'TEMP_FILE_HANDLE'};
-		my $incident_data;
-		
-		if( exists( $RPT_CACHE->{incident}->{OFFENDERS}->{$offender_address} ) and
-			exists( $RPT_CACHE->{incident}->{OFFENDERS}->{$offender_address}->{VICTIMS}->{$victim_address} ) )
-		{
-			my $data_root = $RPT_CACHE->{incident}->{OFFENDERS}->{$offender_address}->{VICTIMS}->{$victim_address};
-			$incident_data = $RPT_CACHE->{incident}->{OFFENDERS}->{$offender_address}->{VICTIMS}->{$victim_address};
-
-			# Check if there was an explict override set. This currently means
-			# that the tag id in the conn data matches a tag id in an alarm of
-			# interest.
-			
-			if( my $matched_tag =
-				Bro::Log::Conn::containstag( $conn_struc,
-					keys( %{$data_root->{WATCH_TAG_IDS}} ) ) )
-			{
-				delete( $data_root->{WATCH_TAG_IDS}->{$matched_tag} );
-				print $temp_fh $$conn_line;
-				++$incident_data->{CONN_COUNT};
-			}
-			# CONN_COUNT must be > 0.  This means that the tagged alarm has
-			# been added and further conn data should be gathered.
-			# Check if enough conn data has already been gathered for this incident
-			elsif( $incident_data->{CONN_COUNT} > 0 and
-				$incident_data->{CONN_COUNT} < $MAX_INCIDENT_CONN_LINES )
-			{
-				print $temp_fh $$conn_line;
-				++$incident_data->{CONN_COUNT};
-			}
-			# Conn data can be out of order.  If the conn data containing a tag
-			# id has not been encountered then start gathering data that's at
-			# least at or after the first alarm time for an incident.
-			elsif( $incident_data->{CONN_COUNT} < 1 and
-				Bro::Log::Conn::timestamp( $conn_struc ) >= $incident_data->{BEGIN_TIMESTAMP} )
-			{
-				print $temp_fh $$conn_line;
-				++$incident_data->{CONN_COUNT};
-			}
-		}
-	}
-	
-	return( 1 );
-}
-
-sub reportableoffense
-{
-	my $sub_name = 'reportableoffense';
-	
-	my $alarm_struc = $_[0] || return( undef );
-	my $ret_val = 0;
-	
-	if( reportableincident( $alarm_struc ) )
-	{
-		$ret_val = 1;
-	}
-	elsif( reportablescan( $alarm_struc ) )
-	{
-		$ret_val = 1;
-	}
-	
-	return( $ret_val );
-}
-
-sub reportableincident
-{
-	my $sub_name = 'reportableincident';
-	
-	my $alarm_struc = $_[0] || return( undef );
-	my $notice_type = Bro::Log::Alarm::notice_type( $alarm_struc );
-	my $ret_val = 0;
-	
-	if( exists( $INCIDENT_EVENT_LIST->{$notice_type} ) )
-	{
-		if( exists( $INCIDENT_EVENT_LIST->{DEFAULT_IGNORE} ) )
-		{
-			$ret_val = 1;
-		}
-		else
-		{
-			$ret_val = 0;
-		}
-	}
-	elsif( exists( $INCIDENT_EVENT_LIST->{DEFAULT_IGNORE} ) )
-	{
-		$ret_val = 0;
-	}
-	else
-	{
-		$ret_val = 1;
-	}
-	
-	# If it is reportable make sure it is not classified as a scan
-	if( $ret_val and reportablescan( $alarm_struc ) )
-	{
-		$ret_val = 0;
-	}
-	
-	return( $ret_val );
-}
-
-sub setreportableincident
-{
-	my $sub_name = 'setreportableincident';
-	my @incident_list = @_;
-	
-	# If called with one or more parameters then modify the list
-	if( @incident_list > 0 )
-	{
-		foreach my $notice_type( @incident_list )
-		{
-			if( $notice_type eq 'DEFAULT_ALLOW' )
-			{
-				$INCIDENT_EVENT_LIST->{'DEFAULT_ALLOW'} = 1;
-				delete( $INCIDENT_EVENT_LIST->{'DEFAULT_IGNORE'} );
-			}
-			elsif( $notice_type eq 'DEFAULT_IGNORE' )
-			{
-				$INCIDENT_EVENT_LIST->{'DEFAULT_IGNORE'} = 1;
-				delete( $INCIDENT_EVENT_LIST->{'DEFAULT_ALLOW'} )
-			}
-			elsif( $notice_type =~ m/^\-([^[:space:]]+)$/ )
-			{
-				$notice_type = $1;
-				delete( $INCIDENT_EVENT_LIST->{$notice_type} );
-			}
-			elsif( $notice_type =~ m/^\+?([^[:space:]]+)$/ )
-			{
-				$notice_type = $1;
-				$INCIDENT_EVENT_LIST->{$notice_type} = 1;
-			}
-		}
-
-		# Make sure that a default policy has been set
-		if( ! ( exists( $INCIDENT_EVENT_LIST->{'DEFAULT_IGNORE'} ) or
-			exists( $INCIDENT_EVENT_LIST->{'DEFAULT_ALLOW'} ) ) )
-		{
-			$INCIDENT_EVENT_LIST->{'DEFAULT_ALLOW'} = 1;
-		}
-	}
-	
-	# construct the current list contained in the incident event list.
-	# The last element of the list will alway be the current default 
-	# policy of DEFAULT_ALLOW or DEFAULT_IGNORE
-	my %dupe_event_list = %{$INCIDENT_EVENT_LIST};
-	my $default_policy;
-	if( exists( $dupe_event_list{DEFAULT_ALLOW} ) )
-	{
-		$default_policy = 'DEFAULT_ALLOW';
-	}
-	else
-	{
-		$default_policy = 'DEFAULT_IGNORE';
-	}
-	delete( $dupe_event_list{$default_policy} );
-	
-	# Return the list of incident events and the default policy
-	# that will be applied to the list.
-	return( keys( %dupe_event_list ), $default_policy );
-}
-
-sub reportablescan
-{
-	my $sub_name = 'reportablescan';
-	
-	my $alarm_struc = $_[0] || return( undef );
-	my $notice_type = Bro::Log::Alarm::notice_type( $alarm_struc );
-	
-	if( exists( $SCAN_EVENT_LIST->{$notice_type} ) )
-	{
-		return( 1 );
-	}
-	else
-	{
-		return( 0 );
-	}
-}
-
-sub setreportablescan
-{
-	my $sub_name = 'setreportablescan';
-	
-	my @scan_list = @_;
-	
-	# If one or more args are passed then modify the list
-	if( @scan_list > 0 )
-	{
-		foreach my $notice_type( @scan_list )
-		{
-			if( $notice_type =~ m/^\-([^[:space:]]+)$/ )
-			{
-				$notice_type = $1;
-				delete( $SCAN_EVENT_LIST->{$notice_type} );
-			}
-			elsif( $notice_type =~ m/^\+?([^[:space:]]+)$/ )
-			{
-				$notice_type = $1;
-				$SCAN_EVENT_LIST->{$notice_type} = 1;
-			}
-		}
-	}
-	
-	# Return the list of notices types that are considered scans.
-	return( keys( %{$SCAN_EVENT_LIST} ) );
-}
-
-sub tempincidentfile
-{
-	my $sub_name = 'tempincidentfile';
-	
-	my $arg = $_[0];
-	
-	if( $arg eq 'close' )
-	{
-		close( $RPT_CACHE->{incident}->{TEMP_FILE_HANDLE} );
-		delete( $RPT_CACHE->{incident}->{TEMP_FILE_HANDLE} );
-		return( 1 );
-	}
-	
-	if( ! exists( $RPT_CACHE->{incident}->{TEMP_FILE_NAME} ) )
-	{
-		$RPT_CACHE->{incident}->{TEMP_FILE_NAME} = 
-			tempfile( 'add', "incident_conn_data." );
-		
-		if( $DEBUG > 2 )
-		{
-			warn( "Created incident temp file " . $RPT_CACHE->{incident}->{TEMP_FILE_NAME} . "\n" );
-		}
-	}
-	
-	if( exists( $RPT_CACHE->{incident}->{TEMP_FILE_HANDLE} ) )
-	{
-		return( $RPT_CACHE->{incident}->{TEMP_FILE_HANDLE} );
-	}
-	else
-	{
-		if( open( INCTEMPOUT, ">>" .$RPT_CACHE->{incident}->{TEMP_FILE_NAME} ) )
-		{
-			$RPT_CACHE->{incident}->{TEMP_FILE_HANDLE} = \*INCTEMPOUT;
-			return( $RPT_CACHE->{incident}->{TEMP_FILE_HANDLE} );
-		}
-		else
-		{
-			warn( __PACKAGE__ . "::$sub_name, Unable to open temp file " . $RPT_CACHE->{incident}->{TEMP_FILE_NAME} . " for writting\n" );
-			return( undef );
-		}
-	}
-}
-
-sub incidentconndata
-{
-	my $sub_name = 'incidentconndata';
-	
-	my $offender = $_[0] || return( undef );
-	my $victim = $_[1] || return( undef );
-	my $start_time = $_[2] || -1;
-	my $end_time = $_[3] || 9999999999;
-	
-	my @matching_lines;
-	my %times;
-	my $idx = 0;
-	my @ret_strucs;
-	
-	if( ! $RPT_CACHE->{incident}->{TEMP_FILE_NAME} )
-	{
-		warn( "No incident temp file exists.  Unable to add connection data to incidents.\n" );
-		return( undef );
-	}
-	
-	if( open( INFILE, $RPT_CACHE->{incident}->{TEMP_FILE_NAME} ) )
-	{
-		while( defined( my $line = <INFILE> ) and $idx < $MAX_INCIDENT_CONN_LINES )
-		{
-			if( $line =~ m/$victim/ and $line =~ m/$offender/ )
-			{
-				my $conn_struc = Bro::Log::Conn::new( \$line );
-				my( $conn_start, $conn_end ) = Bro::Log::Conn::range( $conn_struc );
-
-				# Conn timestamps can be duplicates, check here for that case.
-				if( exists( $times{$conn_start} ) )
-				{
-					push( @{$matching_lines[$times{$conn_start}]}, $conn_struc );
-				}
-				else
-				{
-					$times{$conn_start} = $idx;
-					
-					push( @{$matching_lines[$idx]}, $conn_struc );
-					++$idx;
-				}
-			}
-		}
-	}
-	else
-	{
-		warn( "Failed to open incident temp file " . $RPT_CACHE->{incident}->{TEMP_FILE_NAME} . " for reading.\n" );
-	}
-	
-	close( INFILE );
-	
-	# Sort the lines in ascending order
-	foreach my $key( sort( {$a <=> $b} keys( %times ) ) )
-	{
-		push( @ret_strucs, @{$matching_lines[$times{$key}]} );
-	}
-	
-	return( @ret_strucs );
-}
-
-
-sub check_incident_struc
-{
-	foreach my $sus( keys( %{$RPT_CACHE->{incident}->{OFFENDERS}} ) )
-	{
-		if( ! $sus )
-		{
-			print "Suspect is undef\n";
-			return( undef );
-		}
-		
-		if( ! $RPT_CACHE->{incident}->{OFFENDERS}->{$sus} )
-		{
-			print "Incident data not defined\n";
-			return( undef );
-		}
-		
-		if( ! exists( $RPT_CACHE->{incident}->{OFFENDERS}->{$sus}->{VICTIMS} ) )
-		{
-			print "No data for VICTIMS\n";
-			return( undef );
-		}
-		
-		print "NEW OFFENDER: $sus\n";
-		foreach my $vic( keys( %{$RPT_CACHE->{incident}->{OFFENDERS}->{$sus}->{VICTIMS}} ) )
-		{
-			if( ! $vic )
-			{
-				print "Victim is not defined\n";
-				return( undef );
-			}
-			print "NEW VICTIM: $vic\n";
-			
-			if( ! $RPT_CACHE->{incident}->{OFFENDERS}->{$sus}->{VICTIMS}->{$vic} )
-			{
-				print "Victim data is not defined\n";
-				return( undef );
-			}
-			
-			foreach my $key( keys( %{$RPT_CACHE->{incident}->{OFFENDERS}->{$sus}->{VICTIMS}->{$vic}} ) )
-			{
-				print "KEY: $key\n";
-			}
-			
-			foreach my $alarm( @{$RPT_CACHE->{incident}->{OFFENDERS}->{$sus}->{VICTIMS}->{$vic}->{ALARMS}} )
-			{
-				print "Message: ". Bro::Log::Alarm::message( $alarm ) ."\n";
-			}
-		}
-		
-		print "     END\n";
-	}
-}
-
-sub availablereports
-{
-	my $sub_name = 'availablereports';
-	
-	my @ret_list = keys( %REPORT_MAP );
-	
-	return( @ret_list );
-}
-
-sub reportinputfunc
-{
-	my $sub_name = 'reportinputfunc';
-	
-	my $report_name = $_[0] || return( undef );
-	
-	if( exists( $REPORT_MAP{$report_name} ) )
-	{
-		return( $REPORT_MAP{$report_name}->{'input'} );
-	}
-	else
-	{
-		return( undef );
-	}
-}
-
-sub reportoutputfunc
-{
-	my $sub_name = 'reportoutputfunc';
-	
-	my $report_name = $_[0] || return( undef );
-	
-	if( exists( $REPORT_MAP{$report_name} ) )
-	{
-		return( $REPORT_MAP{$report_name}->{'output'} );
-	}
-	else
-	{
-		return( undef );
-	}
-}
-
-sub loadsignaturecode
-{
-	my $sub_name = 'loadsignaturecode';
-	
-	my @args = @_;
-	my %match_sigs;
-	my @file_list;
-	
-	if( @args > 0 )
-	{
-		# If a list of signatures to find is given then only those will be 
-		  # stored otherwise all signatures will be stored.
-		
-		foreach my $sigid( @args )
-		{
-			$match_sigs{$sigid} = 1;
-		}
-	}
-	
-	if( ! ( @file_list = Bro::Signature::filelist() ) )
-	{
-		warn( __PACKAGE__ . "::$sub_name, Unable to retrieve a list of signature files\n" );
-	}
-	
-	foreach my $file_name( @file_list )
-	{
-		foreach my $sig_obj( getrules( $file_name ) )
-		{
-			my $code_sigid = $sig_obj->sigid();
-			if( !( %match_sigs ) or exists( $match_sigs{$code_sigid} ) )
-			{
-				$RPT_CACHE->{signaturecode}->{$code_sigid} = $sig_obj->output();
-			}
-		}
-	}
-}
-
-sub signaturecode
-{
-	my $sub_name = 'signaturecode';
-	
-	my $sigid = $_[0] || return( undef );
-	
-	# Check on whether the signature block has been found and stored.
-	if( $RPT_CACHE->{signaturecode}->{$sigid} )
-	{
-		return( $RPT_CACHE->{signaturecode}->{$sigid} );
-	}
-	else
-	{
-		return( '' );
-	}
-}
-
-
-1;
diff --git a/scripts/perl/lib/Bro/Report/Conn.pm b/scripts/perl/lib/Bro/Report/Conn.pm
deleted file mode 100644
index cfa6fda635..0000000000
--- a/scripts/perl/lib/Bro/Report/Conn.pm
+++ /dev/null
@@ -1,770 +0,0 @@
-package Bro::Report::Conn;
-
-use strict;
-require 5.006_001;
-use Bro::Report qw( trimhostname iptoname swrite trimbytes );
-use Bro::Log::Conn;
-
-use vars qw( $VERSION
-			$MAX_LOCAL_SERVICE_USERS );
-
-# $Id: Conn.pm 1418 2005-09-29 18:25:09Z tierney $
-$VERSION = 1.20;
-
-$MAX_LOCAL_SERVICE_USERS = 50;
-
-my %REPORT_MAP = ( 'top_sources' => { input => __PACKAGE__ . '::sourcecount',
-							output => __PACKAGE__ . '::output_sourcecount' },
-		'top_destinations' => { input => __PACKAGE__ . '::destcount',
-							output => __PACKAGE__ . '::output_destcount' },
-		'top_services' => { input => __PACKAGE__ . '::servicecount',
-						output => __PACKAGE__ . '::output_servicecount', },
-		'top_local_service_users' => { input => __PACKAGE__ . '::localserviceusers',
-								output => __PACKAGE__ . '::output_localserviceusers', },
-		'success_fail_stats' => { input => __PACKAGE__ . '::successfailcount',
-							output => __PACKAGE__ . '::output_successfailcount', },
-		'byte_transfer_pairs' => { input => __PACKAGE__ . '::bytetransferpairs',
-						output => __PACKAGE__ . '::output_bytetransferpairs', },
-		);
-
-# Memory used in this variable will be deleted by functions which output
-# the values stored for it's respective counting function.
-my $RPT_CACHE;
-
-sub sourcecount
-{
-	my $sub_name = 'sourcecount';
-	
-	# [0] CONN_COUNT
-	# [1] BYTE_COUNT
-	my $_conn_struc = $_[0] || return( undef );
-	my $src_ip = Bro::Log::Conn::source_ip( $_conn_struc ) || return( undef );
-	if( Bro::Log::Conn::connectsucceed( $_conn_struc ) )
-	{
-		my $bytes = Bro::Log::Conn::source_bytes( $_conn_struc );
-		++$RPT_CACHE->{$sub_name}->{$src_ip}->[0];
-		$RPT_CACHE->{$sub_name}->{$src_ip}->[1] += $bytes;
-		return( 1 );
-	}
-	else
-	{
-		return( 0 );
-	}
-}
-
-sub output_sourcecount
-{
-	my $sub_name = 'output_sourcecount';
-	
-	my $_max_output = $_[0] || 20;
-	my $top_format = $_[1];
-	my $format = $_[2];
-	my $conn_sum = 0;
-	my $cnt = 0;
-	my $avg = 0;
-	my $max_hostname_length = 31;
-	my @results;
-	my $ret_string;
-	my @heading_names = ( 'Host', 'IP', 'Bytes', 'Conn. Count' );
-	
-	if( ! $top_format )
-	{
-		$top_format = <<'END'
-  @||||||||||||||||||||||||||||||  @||||||||||||||  @|||||  @|||||||||||
-  -------------------------------  ---------------  ------  ------------
-END
-	}
-	
-	if( ! $format )
-	{
-		$format = <<'END'
-  @>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>  @<<<<<<<<<<<<<<  @>>>>>  @>>>>>>>>>>>
-END
-	}
-	
-	# Figure out what the average count is
-	foreach my $count_struc( values( %{$RPT_CACHE->{sourcecount}} ) )
-	{
-		$conn_sum += $count_struc->[0];
-		++$cnt
-	}
-	
-	# If there are no connection counts then bail
-	if( $cnt < 1 )
-	{
-		return( undef );
-	}
-	
-	$avg = $conn_sum / $cnt;
-	
-	# remove anything which is way too small before sorting
-	my $smallest_count = 2;
-	my $percent_of_avg = .1;
-	my $max_sort_size = $_max_output * 2;
-	while( ( $cnt > $max_sort_size ) and ( $percent_of_avg < .3 ) )
-	{
-		while( my( $ip, $struc ) = each( %{$RPT_CACHE->{sourcecount}} ) and $cnt > $max_sort_size )
-		{
-			if( $struc->[0] < $smallest_count )
-			{
-				delete( $RPT_CACHE->{sourcecount}->{$ip} );
-				--$cnt;
-			}
-			$smallest_count = int( $avg * $percent_of_avg );
-		}
-		$percent_of_avg += .1;
-	}
-	
-	# Put the remaining data into a temp hash for sorting
-	my %count_hash;
-	foreach my $ip( keys( %{$RPT_CACHE->{sourcecount}} ) )
-	{
-		# connection count = $RPT_CACHE->{sourcecount}->{$ip}->[0];
-		# byte count = $RPT_CACHE->{sourcecount}->{$ip}->[1];
-		push( @{$count_hash{$RPT_CACHE->{sourcecount}->{$ip}->[0]}},
-			[ $ip, $RPT_CACHE->{sourcecount}->{$ip}->[0], $RPT_CACHE->{sourcecount}->{$ip}->[1] ] );
-	}
-	
-	my $output_cnt = 0;
-	foreach my $num_conn( sort { $b <=> $a } keys( %count_hash ) )
-	{
-		foreach my $struc( @{$count_hash{$num_conn}} )
-		{
-			++$output_cnt;
-			if( $output_cnt > $_max_output )
-			{
-				last;
-			}
-			else
-			{
-				push( @results, $struc );
-			}
-		}
-		if( $output_cnt > $_max_output )
-		{
-			last;
-		}
-	}
-	
-	# clear out memory space
-	delete( $RPT_CACHE->{sourcecount} );
-	
-	# Set the heading
-	$ret_string .= swrite( $top_format, @heading_names );
-	
-	# Write the contents
-	foreach my $line( @results )
-	{
-		my $ip = $line->[0];
-		my $num_conn = $line->[1];
-		my $num_bytes = trimbytes( $line->[2], 5 );
-		my $name = trimhostname( iptoname( $ip ), $max_hostname_length, '>' );
-		$ret_string .= swrite( $format, $name, $ip, $num_bytes, $num_conn );
-	}
-	
-	return( $ret_string );
-}
-
-sub destcount
-{
-	my $sub_name = 'destcount';
-	
-	my $_conn_struc = $_[0] || return( undef );
-	my $dst_ip = Bro::Log::Conn::destination_ip( $_conn_struc ) || return( undef );
-	if( Bro::Log::Conn::connectsucceed( $_conn_struc ) )
-	{
-		my $bytes = Bro::Log::Conn::destination_bytes( $_conn_struc );
-		++$RPT_CACHE->{$sub_name}->{$dst_ip}->[0];
-		$RPT_CACHE->{$sub_name}->{$dst_ip}->[1] += $bytes;
-		return( 1 );
-	}
-	else
-	{
-		return( 0 );
-	}
-}
-
-sub output_destcount
-{
-	my $sub_name = 'output_destcount';
-	
-	my $_max_output = $_[0] || 20;
-	my $top_format = $_[1];
-	my $format = $_[2];
-	my $conn_sum = 0;
-	my $cnt = 0;
-	my $avg = 0;
-	my $max_hostname_length = 31;
-	my @results;
-	my $ret_string;
-	my @heading_names = ( 'Host', 'IP', 'Bytes', 'Conn. Count' );
-	
-	if( ! $top_format )
-	{
-		$top_format = <<'END'
-  @||||||||||||||||||||||||||||||  @||||||||||||||  @|||||  @|||||||||||
-  -------------------------------  ---------------  ------  ------------
-END
-	}
-	
-	if( ! $format )
-	{
-		$format = <<'END'
-  @>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>  @<<<<<<<<<<<<<<  @>>>>>  @>>>>>>>>>>>
-END
-	}
-	
-	# Figure out what the average count is
-	foreach my $count_struc( values( %{$RPT_CACHE->{destcount}} ) )
-	{
-		$conn_sum += $count_struc->[0];
-		++$cnt
-	}
-	
-	# If there are no connection counts then bail
-	if( $cnt < 1 )
-	{
-		return( undef );
-	}
-	
-	$avg = $conn_sum / $cnt;
-	
-	# remove anything which is way too small before sorting
-	my $smallest_count = 2;
-	my $percent_of_avg = .1;
-	my $max_sort_size = $_max_output * 2;
-	while( ( $cnt > $max_sort_size ) and ( $percent_of_avg < .3 ) )
-	{
-		while( my( $ip, $struc ) = each( %{$RPT_CACHE->{destcount}} ) and $cnt > $max_sort_size )
-		{
-			if( $struc->[0] < $smallest_count )
-			{
-				delete( $RPT_CACHE->{destcount}->{$ip} );
-				--$cnt;
-			}
-			$smallest_count = int( $avg * $percent_of_avg );
-		}
-		$percent_of_avg += .1;
-	}
-	
-	# Put the remaining data into a temp hash for sorting
-	my %count_hash;
-	foreach my $ip( keys( %{$RPT_CACHE->{destcount}} ) )
-	{
-		# connection count = $RPT_CACHE->{destcount}->{$ip}->{CONN_COUNT};
-		# byte count = $RPT_CACHE->{destcount}->{$ip}->{BYTE_COUNT};
-		push( @{$count_hash{$RPT_CACHE->{destcount}->{$ip}->[0]}},
-			[ $ip, $RPT_CACHE->{destcount}->{$ip}->[0], $RPT_CACHE->{destcount}->{$ip}->[1] ] );
-	}
-	
-	my $output_cnt = 0;
-	foreach my $num_conn( sort { $b <=> $a } keys( %count_hash ) )
-	{
-		foreach my $struc( @{$count_hash{$num_conn}} )
-		{
-			++$output_cnt;
-			if( $output_cnt > $_max_output )
-			{
-				last;
-			}
-			else
-			{
-				push( @results, $struc );
-			}
-		}
-		if( $output_cnt > $_max_output )
-		{
-			last;
-		}
-	}
-	
-	# clear out memory space
-	delete( $RPT_CACHE->{destcount} );
-	
-	# Set the heading
-	$ret_string .= swrite( $top_format, @heading_names );
-	
-	# Write the contents
-	foreach my $line( @results )
-	{
-		my $ip = $line->[0];
-		my $num_conn = $line->[1];
-		my $num_bytes = trimbytes( $line->[2], 5 );
-		my $name = trimhostname( iptoname( $ip ), $max_hostname_length, '>' );
-		$ret_string .= swrite( $format, $name, $ip, $num_bytes, $num_conn );
-	}
-	
-	return( $ret_string );
-}
-
-sub servicecount
-{
-	my $sub_name = 'servicecount';
-	
-	# [0] CONN_COUNT
-	# [1] BYTES_IN
-	# [2] BYTES_OUT
-	
-	my $_conn_struc = $_[0] || return( undef );
-	my $service = Bro::Log::Conn::service( $_conn_struc ) || return( undef );
-	if( Bro::Log::Conn::connectsucceed( $_conn_struc ) )
-	{
-		my $src_bytes = Bro::Log::Conn::source_bytes( $_conn_struc );
-		my $dest_bytes = Bro::Log::Conn::destination_bytes( $_conn_struc );
-		++$RPT_CACHE->{$sub_name}->{$service}->[0];
-		if( Bro::Log::Conn::source_network( $_conn_struc ) eq 'L' )
-		{
-			$RPT_CACHE->{$sub_name}->{$service}->[1] += $dest_bytes;
-			$RPT_CACHE->{$sub_name}->{$service}->[2] += $src_bytes;
-		}
-		else
-		{
-			$RPT_CACHE->{$sub_name}->{$service}->[1] += $src_bytes;
-			$RPT_CACHE->{$sub_name}->{$service}->[2] += $dest_bytes;
-		}
-		return( 1 );
-	}
-	else
-	{
-		return( 0 );
-	}
-}
-
-sub output_servicecount
-{
-	my $sub_name = 'output_servicecount';
-	
-	my $_max_output_count = $_[0] || 20;
-	my $top_format;
-	my $format;
-	my @results;
-	my @heading_names = ( 'Service', 'Conn. Count', '% of Total', 'Bytes In', 'Bytes Out' );
-	my $ret_string;
-	
-	if( ! $top_format )
-	{
-		$top_format = <<'END'
-  @<<<<<<<<<<<  @>>>>>>>>>>>  @>>>>>>>>>  @>>>>>>>>  @>>>>>>>>
-  ------------  ------------  ----------  ---------  ---------
-END
-	}
-	
-	if( ! $format )
-	{
-		$format = <<'END'
-  @<<<<<<<<<<<  @>>>>>>>>>>>  @>>>>>>>>>  @>>>>>>>>  @>>>>>>>>
-END
-	}
-	
-	my %count_hash;
-	my $total_count = 0;
-	while( my( $name, $struc ) = each( %{$RPT_CACHE->{servicecount}} ) )
-	{
-		$total_count += $struc->[0];
-		push( @{$count_hash{$struc->[0]}}, 
-			[ $name, $struc->[1], $struc->[2] ] );
-	}
-	
-	my $ret_count = 0;
-	foreach my $num( sort { $b <=> $a } keys( %count_hash ) )
-	{
-		if( $ret_count < $_max_output_count )
-		{
-			foreach my $struc( @{$count_hash{$num}} )
-			{
-				if( $ret_count < $_max_output_count )
-				{
-					my $avg_of_total = sprintf( "%.2f", $num / $total_count * 100 );
-					my $service = $struc->[0];
-					my $bytes_in = trimbytes( $struc->[1], 5 );
-					my $bytes_out = trimbytes( $struc->[2], 5 );
-					push( @results, [ $service, $num, $avg_of_total, $bytes_in, $bytes_out ] );
-					++$ret_count;
-				}
-				else
-				{
-					last;
-				}
-			}
-		}
-		else
-		{
-			last;
-		}
-	}
-	
-	# Clean up some memory
-	delete( $RPT_CACHE->{servicecount} );
-	
-	# Print the heading
-	$ret_string .= swrite( $top_format, @heading_names );
-	
-	foreach my $line( @results )
-	{
-		$ret_string .= swrite( $format, @{$line} );
-	}
-	
-	return( $ret_string );
-}
-
-sub localserviceusers
-{
-	my $sub_name = 'localserviceusers';
-	
-	my $_conn_struc = $_[0] || return( undef );
-	my $service_name = $_[1] || 'smtp';
-	
-	my $service = Bro::Log::Conn::service( $_conn_struc );
-	
-	if( $service eq $service_name )
-	{
-		my $src_net = Bro::Log::Conn::source_network( $_conn_struc );
-		
-		if( $src_net eq 'L' and Bro::Log::Conn::connectsucceed( $_conn_struc ) )
-		{
-			my $source_ip = Bro::Log::Conn::source_ip( $_conn_struc );
-			++$RPT_CACHE->{$sub_name}->{$service_name}->{$source_ip};
-		}
-	}
-	
-	return( 1 );
-}
-
-sub output_localserviceusers
-{
-	my $sub_name = 'output_localserviceusers';
-	
-	my $service_name = $_[0] || return( undef );
-	my $max_count = $_[1] || $MAX_LOCAL_SERVICE_USERS;
-	my $top_format;
-	my $format;
-	my @results;
-	my $ret_string;
-	my @heading_names = ( 'Hostname', 'IP', 'Conn. Count' );
-	my $total_count = keys( %{$RPT_CACHE->{localserviceusers}->{$service_name}} );
-	my $max_hostname_length = 39;
-	my $actual_count = 0;
-
-	if( ! $top_format )
-	{
-		$top_format = <<'END'
-  @||||||||||||||||||||||||||||||||||||||  @||||||||||||||  @>>>>>>>>>>>
-  ---------------------------------------  ---------------  ------------
-END
-	}
-	
-	if( ! $format )
-	{
-		$format = <<'END'
-  @>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>  @<<<<<<<<<<<<<<  @>>>>>>>>>>>
-END
-	}
-	
-	my %count_hash;
-	while( my( $key, $val ) = each( %{$RPT_CACHE->{localserviceusers}->{$service_name}} ) )
-	{
-		push( @{$count_hash{$val}}, $key );
-	}
-	
-	foreach my $num( sort { $b <=> $a } keys( %count_hash ) )
-	{
-		foreach my $ip( @{$count_hash{$num}} )
-		{
-			if( $actual_count + 1 > $max_count )
-			{
-				last;
-			}
-			$results[$actual_count] = [ $ip, $num ];
-			++$actual_count;
-		}
-	}
-	
-	# Clean up some memory usage
-	delete( $RPT_CACHE->{localserviceusers}->{$service_name} );
-	
-	# Set the heading
-	$ret_string .= swrite( $top_format, @heading_names );
-	
-	# Write the contents
-	foreach my $line( @results )
-	{
-		# my $ip = $line->[0];
-		# my $num_conn = $line->[1];
-		my $name = trimhostname( iptoname( $line->[0] ), $max_hostname_length, '>' );
-		$ret_string .= swrite( $format, $name, $line->[0], $line->[1] );
-	}
-	
-	if( $actual_count > 0 )
-	{
-		if( $total_count > $max_count )
-		{
-			my $not_listed = $total_count - $max_count;
-			$ret_string .= <<"END";
-
-  A maximum of $max_count entries are show.
-  There are another $not_listed that are not displayed.
-END
-		}
-	}
-	else
-	{
-		$ret_string = "\n  No data to report for this section\n";
-	}
-	
-	return( $ret_string );
-}
-
-sub successfailcount
-{
-	my $sub_name = 'successfailcount';
-	
-	my $_conn_struc = $_[0] || return( undef );
-	
-	if( Bro::Log::Conn::connectsucceed( $_conn_struc ) )
-	{
-		++$RPT_CACHE->{$sub_name}->{SUCCESS};
-	}
-	else
-	{
-		# connection is failed
-		++$RPT_CACHE->{$sub_name}->{FAIL};
-	}
-}
-
-sub output_successfailcount
-{
-	my $sub_name = 'output_successfailcount';
-	
-	my $format = $_[0];
-	my $ret_string;
-	
-	if( ! $format )
-	{
-		$format = <<'END'
-    Successful:   @<<<<<<<<<<<<<<<
-    Unsuccessful: @<<<<<<<<<<<<<<<
-    Ratio: @<<<<<<
-END
-	}
-	
-	# Success and fail counts must be greater than zero
-	if( $RPT_CACHE->{successfailcount}->{FAIL} < 1 or
-		$RPT_CACHE->{successfailcount}->{SUCCESS} < 1 )
-	{
-		return( 'undef' );
-	}
-	my $ratio = $RPT_CACHE->{successfailcount}->{FAIL} / $RPT_CACHE->{successfailcount}->{SUCCESS};
-	
-	$ret_string = swrite( $format, 
-		$RPT_CACHE->{successfailcount}->{SUCCESS},
-		$RPT_CACHE->{successfailcount}->{FAIL},
-		"1:$ratio" );
-	
-	return( $ret_string );
-}
-
-sub bytetransferpairs
-{
-	my $sub_name = 'bytetransferpairs';
-	
-	# This report can be very memory expensive.  It can also be very processor
-	# intesive as the hash tables can get very large and take longer and 
-	# longer to traverse.
-	
-	my $conn_struc = $_[0] || return( undef );
-	
-	my $local_host;
-	my $remote_host;
-	my $local_bytes;
-	my $remote_bytes;
-	
-	if( Bro::Log::Conn::source_network( $conn_struc ) eq 'L' )
-	{
-		$local_host = Bro::Log::Conn::source_ip( $conn_struc );
-		$remote_host = Bro::Log::Conn::destination_ip( $conn_struc );
-		$local_bytes = Bro::Log::Conn::source_bytes( $conn_struc );
-		$remote_bytes = Bro::Log::Conn::destination_bytes( $conn_struc );
-	}
-	else
-	{
-		$remote_host = Bro::Log::Conn::source_ip( $conn_struc );
-		$local_host = Bro::Log::Conn::destination_ip( $conn_struc );
-		$remote_bytes = Bro::Log::Conn::source_bytes( $conn_struc );
-		$local_bytes = Bro::Log::Conn::destination_bytes( $conn_struc );
-	}
-	
-	if( $local_bytes > 0 and $remote_bytes > 0 )
-	{
-		$RPT_CACHE->{bytetransferpairs}->{$local_host}->{$remote_host}->{LOCAL_BYTES} += $local_bytes;
-		$RPT_CACHE->{bytetransferpairs}->{$local_host}->{$remote_host}->{REMOTE_BYTES} += $remote_bytes;
-		++$RPT_CACHE->{bytetransferpairs}->{$local_host}->{$remote_host}->{CONN_COUNT};
-		return( 1 );
-	}
-	elsif( exists( $RPT_CACHE->{bytetransferpairs}->{$local_host} ) and
-		exists( $RPT_CACHE->{bytetransferpairs}->{$local_host}->{$remote_host} ) )
-	{
-		$RPT_CACHE->{bytetransferpairs}->{$local_host}->{$remote_host}->{LOCAL_BYTES} += $local_bytes || 0;
-		$RPT_CACHE->{bytetransferpairs}->{$local_host}->{$remote_host}->{REMOTE_BYTES} += $remote_bytes || 0;
-		++$RPT_CACHE->{bytetransferpairs}->{$local_host}->{$remote_host}->{CONN_COUNT};
-		return( 1 );
-	}
-	else
-	{
-		return( 0 );
-	}
-}
-
-sub output_bytetransferpairs
-{
-	my $sub_name = 'output_bytetransferpairs';
-        my $max_hostname_length = 22;
-	
-	my $max_output = $_[0] || 20;
-	
-	my $ret_string;
-	my $_base = $RPT_CACHE->{bytetransferpairs};
-	my %reversed_hash;
-	my @ordered_list;
-	my $top_format;
-	my $format;
-	
-	$top_format = <<"END";
-Hot Report - Top $max_output
-                                                    Local      Remote    Conn.
-     Local Host               Remote Host           Bytes      Bytes     Count
------------------------  -----------------------  ---------  ---------  -------
-END
-	
-	$format = <<'END';
-@<<<<<<<<<<<<<<<<<<<<<<  @<<<<<<<<<<<<<<<<<<<<<<  @>>>>>>>>  @>>>>>>>>  @<<<<<<<<
-END
-
-	foreach my $l_host( keys( %{$_base} ) )
-	{
-		foreach my $r_host( keys( %{$_base->{$l_host}} ) )
-		{
-			my $big_bytes;
-			if( $_base->{$l_host}->{$r_host}->{LOCAL_BYTES} > $_base->{$l_host}->{$r_host}->{REMOTE_BYTES} )
-			{
-				$big_bytes = $_base->{$l_host}->{$r_host}->{LOCAL_BYTES};
-			}
-			else
-			{
-				$big_bytes = $_base->{$l_host}->{$r_host}->{REMOTE_BYTES};
-			}
-			
-			push( @{$reversed_hash{$big_bytes}}, { REF => $_base->{$l_host}->{$r_host},
-										LOCAL_HOST => $l_host,
-										REMOTE_HOST => $r_host, } );
-		}
-	}
-	
-	my @ordered_list = sort( { $b<=>$a } keys( %reversed_hash ) );
-	
-	my $i = 0;
-	while( defined( my $key = shift( @ordered_list ) ) and $i < $max_output )
-	{
-		foreach my $data( @{$reversed_hash{$key}} )
-		{
-			my $local_bytes = trimbytes( $data->{REF}->{LOCAL_BYTES}, 6 );
-			my $remote_bytes = trimbytes( $data->{REF}->{REMOTE_BYTES}, 6 );
-			my $conn_count = $data->{REF}->{CONN_COUNT};
-		        my $local_name = trimhostname( iptoname( $data->{LOCAL_HOST} ), $max_hostname_length, '>' );
-		        my $remote_name = trimhostname( iptoname( $data->{REMOTE_HOST} ), $max_hostname_length, '>' );
-			
-			$ret_string .= swrite( $format, 
-						$local_name,
-						$remote_name, 
-						$local_bytes,
-						$remote_bytes,
-						$conn_count );
-			
-			++$i;
-			if( !( $i < $max_output ) )
-			{
-				last;
-			}
-		}
-	}
-	
-	# Free up some memory
-	$_base = undef;
-	%reversed_hash = ();
-	delete( $RPT_CACHE->{bytetransferpairs} );
-	
-	if( length( $ret_string ) < 32 )
-	{
-		$ret_string = $top_format . "  No data to report\n";
-	}
-	else
-	{
-		$ret_string = $top_format . $ret_string . "\n";
-	}
-	
-	return( $ret_string );
-}
-
-sub output_successcount
-{
-	my $sub_name = 'output_successcount';
-	my $ret_val = $RPT_CACHE->{successfailcount}->{SUCCESS};
-	
-	# Clean up some memory
-	delete( $RPT_CACHE->{successfailcount}->{SUCCESS} );
-	
-	return( $ret_val );
-}
-
-sub output_failcount
-{
-	my $sub_name = 'output_failcount';
-	my $ret_val = $RPT_CACHE->{successfailcount}->{FAIL};
-	
-	# Clean up some memory
-	delete( $RPT_CACHE->{successfailcount}->{FAIL} );
-	
-	return( $ret_val );
-}
-
-sub availablereports
-{
-	my $sub_name = 'availablereports';
-	
-	my @ret_list = keys( %REPORT_MAP );
-	
-	return( @ret_list );
-}
-
-sub reportinputfunc
-{
-	my $sub_name = 'reportinputfunc';
-	
-	my $report_name = $_[0] || return( undef );
-	
-	if( exists( $REPORT_MAP{$report_name} ) )
-	{
-		return( $REPORT_MAP{$report_name}->{'input'} );
-	}
-	else
-	{
-		return( undef );
-	}
-}
-
-sub reportoutputfunc
-{
-	my $sub_name = 'reportoutputfunc';
-	
-	my $report_name = $_[0] || return( undef );
-	
-	if( exists( $REPORT_MAP{$report_name} ) )
-	{
-		return( $REPORT_MAP{$report_name}->{'output'} );
-	}
-	else
-	{
-		return( undef );
-	}
-}
-
-1;
diff --git a/scripts/perl/lib/Bro/Signature.pm b/scripts/perl/lib/Bro/Signature.pm
deleted file mode 100644
index 076c88fbd6..0000000000
--- a/scripts/perl/lib/Bro/Signature.pm
+++ /dev/null
@@ -1,1316 +0,0 @@
-# $Id: Signature.pm 987 2005-01-08 01:04:43Z rwinslow $
-# Read and parse a Bro signature from a string or array reference
-package Bro::Signature;
-
-use strict;
-require 5.006_001;
-use Bro::Config qw( $BRO_CONFIG );
-require Exporter;
-use vars qw( $VERSION
-			@ISA
-			@EXPORT_OK
-			%SKIP_OPT
-			%ACTIONS
-			$DEBUG );
-
-$VERSION = 1.20;
-@EXPORT_OK = qw( findkeyblocks filelist getrules utctimenow );
-@ISA = qw( Exporter );
-$DEBUG = 0;
-
-# These conditions, actions, meta data will be skipped when comparing two
-# signature objects for differences.  Reasons are given.
-%SKIP_OPT = ( 'active' => 1,			# evaluated seperately
-			'__raw_data__' => 1,	# internal data
-			'__value__' => 1,		# internal data
-			'sig_id' => 1,			# not evaluated
-			'.revision' => 1,		# evaluated seperately
-			'.version' => 1,		# evaluated seperately
-			'.location' => 1,		# reserved for editor use as a temporary field
-			);
-
-# Hash of valid actions in a signature.  Currently there is only one.
-%ACTIONS = ( 'event' => 1, );
-
-
-sub new
-{
-	my $sub_name = 'new';
-
-	my $self;
-	my $proto = shift;
-	my $class = ref( $proto ) || $proto;
-	my %args = @_;
-	my $sig_data = {};
-	
-	if( defined( $args{string} ) )
-	{
-		if( !( $sig_data = parsesig( $args{string} ) ) )
-		{
-			return( undef );
-		}
-	}
-	else
-	{
-		warn( __PACKAGE__ . "::$sub_name, Signature must be passed in as a string for now.  Direct" .
-			" object creation is not supported yet\n" );
-		return( undef );
-	}
-
-	$self = $sig_data;
-	bless( $self, $class );
-	
-	if( $DEBUG > 1 )
-	{
-		warn( $self->output() . "\n" );
-	}
-	return( $self );
-
-}
-
-sub parsesig
-{
-	my $sub_name = 'parsesig';
-
-	my $sig_block = shift || return( undef );
-	my $sig_data;
-	my $ret_data = {};
-
-	# Check on the storage of the data
-	if( ref( $sig_block ) eq 'ARRAY' )
-	{
-		$sig_data = join( "\n", @{$sig_block} );
-	}
-	else
-	{
-		# Otherwise it gets treated as a string
-		$sig_data = $sig_block;
-	}
-	
-	# remove any leading or trailing white space
-	$sig_data =~ s/^[[:space:]]*//;
-	$sig_data =~ s/[[:space:]]*$//;
-	
-	my $parse_err = 0;
-
-	if( $sig_data =~
-		m/^signature[[:space:]]+([[:alnum:]_-]+)[[:space:]]*\{[[:space:]\n]+	# signature declaration
-		(.+?)		# signature data
-		[[:space:]]*\}$/xs )	# end of block
-	{
-		my $sig_id = $1;
-		my $sig_options = $2;
-
-		$ret_data->{sig_id} = $sig_id;
-
-		my @raw_data;
-		my $i = 0;
-
-		foreach my $line( split( /\n/, $sig_options ) )
-		{
-			# Each line of the signature is stored in an
-			 # array to maintain the order and any comments.
-			 # The actual data is stored in a hash.
-			 # Access of the data should be done through the methods
-			 # to output the whole signature along with comments.
-
-			# remove any leading spaces
-			$line =~ s/^[[:space:]]*//;
-
-			# Put the line into the raw_data array
-			$raw_data[$i] = $line;
-
-			# Strip any comments from the line
-			$line =~ s/(?:[[:space:]]+|)#.+$//;
-
-			my( $key, $value ) = split( /[[:space:]]+/, $line, 2 );
-			# if there is still data in the line then process
-			if( defined( $value ) )
-			{
-				# Remove any leading spaces
-				$value =~ s/^[[:space:]]*//;
-				# place a reference to the raw_data array for this attribute
-				# set the value for this attribute instance
-				push( @{$ret_data->{$key}}, { 
-						'__raw_data_pos__' => $i,
-						'__value__' => $value, },
-				);
-			}
-
-			++$i;
-		}
-
-		$ret_data->{'__raw_data__'} = \@raw_data;
-	}
-	else
-	{
-		if( $DEBUG > 0 )
-		{
-			warn( __PACKAGE__ . "::$sub_name, Signature read error. Could not find a valid signature block\n" );
-		}
-		$parse_err = 1;
-	}
-
-	if( $parse_err )
-	{
-		return( undef );
-	}
-	else
-	{
-		return( $ret_data );
-	}
-}
-
-sub findkeyblocks
-{
-	my $sub_name = 'findkeyblocks';
-
-	my $string = $_[0];
-	my $keyword = 'signature';
-	my $key_len = length( $keyword );
-	my @ret_blocks;
-	my $block_idx = 0;			# Current idx of the keyword blocks that will be returned
-	my $open_brace_count = 0;	# Number of open braces encountered
-	my $close_brace_count = 0;	# number of close braces encountered
-	my $len = length( $string );	# length of string passed in
-	my $pos_idx = 0;			# current position of substring
-	my $st_blk_pos = 0;			# string position of a new block
-	my $blk_len = 0;			# length of code block
-	my $found_key_start = 0;		# flag that a new keyword block has started
-	my $comment_line = 0;		# flag if comments are in effect
-	my $quoted;			# flag if quoting is active. contents are the quote character
-
-	# make sure the string is of non-zero length.  Add one more so our
-	 # loop below works
-	if( $len > 0 )
-	{
-		++$len;
-	}
-	else
-	{
-		return( undef );
-	}
-
-	# Push a newline onto the front of the string.  This just helps in
-	 # starting the pattern matching.  It's easier than writting a
-	 # bunch more lines of code.
-	$string = "\n" . $string;
-	++$len;
-
-	while( $pos_idx < $len )
-	{
-		# If the two numbers match then a complete block has been found.
-		if( $open_brace_count == $close_brace_count and
-			$open_brace_count > 0 )
-		{
-			$ret_blocks[$block_idx] = substr( $string, $st_blk_pos, $blk_len );
-			
-			if( $DEBUG > 2 )
-			{
-				my $end_pos = $st_blk_pos + $blk_len;
-				warn( __PACKAGE__ . "::$sub_name, Found signature block between bytes $st_blk_pos and $end_pos\n" );
-				warn( $ret_blocks[$block_idx] . "\n" );
-			}
-			
-			++$block_idx;
-			$open_brace_count = 0;
-			$close_brace_count = 0;
-			$found_key_start = 0;
-			$st_blk_pos = $pos_idx;
-			$blk_len = 0;
-		}
-		elsif( $close_brace_count > $open_brace_count )
-		{
-			# Looks like there was a syntax error perhaps the
-			 # file contains a keyword but no valid block
-			 # Reset the counters and backup to $st_blk_pos + 1
-			if( $DEBUG > 0 )
-			{
-				warn( __PACKAGE__ . "::$sub_name, Error in parsing $keyword, found closed brace",
-					" for a block but no open brace at char position $pos_idx\n" );
-			}
-			$open_brace_count = 0;
-			$close_brace_count = 0;
-			$found_key_start = 0;
-			$pos_idx = $st_blk_pos + 1;
-			$st_blk_pos = '';
-			$blk_len = 0;
-			next;
-		}
-
-		# Make sure that substr returns a value
-		if( defined( my $wc = substr( $string, $pos_idx, 1 ) ) )
-		{
-			if( $quoted
-				and $found_key_start )
-			{
-				if( $wc eq $quoted
-					and substr( $string, $pos_idx - 1, 1 ) ne '\\' )
-				{
-					$quoted = undef;
-				}
-			}
-			# check for comment '#' character which is active until the 
-			 # start of a newline
-			elsif( ! $comment_line and 
-				$wc eq '#' and
-				substr( $string, $pos_idx - 1, 1 ) ne '\\' )
-			{
-				$comment_line = 1;
-			}
-			# Check if the comment flag is set
-			elsif( $comment_line )
-			{
-				# If the current character is a newline then reset the comment flag
-				if( $wc =~ m/\n/ )
-				{
-					$comment_line = 0;
-				}
-			}
-			# start this if not currently working in a block and not a comment
-			elsif( ! $found_key_start and ! $comment_line )
-			{
-				# check if the keyword is found 
-				if( $pos_idx + $key_len + 1 < $len
-				and substr( $string, $pos_idx, $key_len ) eq $keyword )
-				{
-					# check to make sure that the keyword is followed by a space
-					if( substr( $string, $pos_idx + $key_len, 1 ) =~
-						m/[[:space:]]/ )
-					{
-						$found_key_start = 1;
-						$st_blk_pos = $pos_idx;
-					}
-				}
-			}
-		# Need to re-think this one at some point though it's not going to kill things
-		  # to leave it out right now.
-		
-		# Check if a nested block has started.
-		#	elsif( $pos_idx + $key_len + 1 < $len
-		#		and $found_key_start
-		#		and substr( $string, $pos_idx, $key_len ) eq $keyword )
-		#	{
-		#		if( substr( $string, $pos_idx + $key_len, 1 ) =~
-		#				m/[[:space:]]/ )
-		#		{
-		#			if( $DEBUG > 0 )
-		#			{
-		#				warn( __PACKAGE__ . "::$sub_name, New $keyword keyword found inside of another $keyword block",
-		#					" at char position $pos_idx\n" );
-		#
-		#				#print "STRING => $string\n";
-		#			}
-		#
-		#			# Reset the search params
-		#			$open_brace_count = 0;
-		#			$close_brace_count = 0;
-		#			$found_key_start = 0;
-		#			++$pos_idx;
-		#			$st_blk_pos = '';
-		#			$blk_len = 0;
-		#			next;
-		#		}
-		#	}
-			elsif( $wc eq '{' and 
-				substr( $string, $pos_idx - 1, 1 ) ne '\\'
-				and substr( $string, $pos_idx + 1, 1 ) =~ m/[[:space:]\n]/ )
-			{
-				++$open_brace_count;
-			}
-			elsif( $wc eq '}' and
-				substr( $string, $pos_idx - 1, 1 ) ne '\\'
-				and substr( $string, $pos_idx - 1, 1 ) =~ m/[[:space:]\n]/ )
-			{
-				++$close_brace_count;
-			}
-			elsif( ! $quoted
-				and ! $comment_line
-				and $found_key_start )
-			{
-				if( $wc eq '"'
-					and substr( $string, $pos_idx - 1, 1 ) ne '\\' )
-				{
-					$quoted = $wc;
-				}
-			}
-			else
-			{
-
-			}
-
-			# Only append chars to the working string if in a $keyword block
-			if( $found_key_start )
-			{
-				++$blk_len;
-			}
-			++$pos_idx;
-		}
-		else
-		{
-			warn( __PACKAGE__ . "::$sub_name, Failed to pull data out using substr at position $pos_idx\n" );
-			++$pos_idx;
-		}
-	}
-
-	if( wantarray )
-	{
-		return( @ret_blocks );
-	}
-	else
-	{
-		return( \@ret_blocks );
-	}
-}
-
-sub addcomment
-{
-	my $sub_name = 'addcomment';
-
-	my $self = shift || return( undef );
-	my $comment = shift || return( undef );
-
-	# Make sure the comment starts with a '#'
-	if( $comment !~ m/^[[:space:]]*#/ )
-	{
-		$comment = '#' . $comment;
-	}
-
-	if( $self->{'__raw_data__'} )
-	{
-		my $next_idx = $#{$self->{'__raw_data__'}} + 1;
-		$self->{'__raw_data__'}->[$next_idx] = $comment;
-	}
-	else
-	{
-		return( undef );
-	}
-
-	return( 1 );
-}
-
-sub option
-{
-	my $sub_name = 'option';
-
-	my $self = shift || return( undef );
-	my $sig_option = shift || return( undef );
-	my $ret_data;
-
-	if( $self->{$sig_option} )
-	{
-		foreach my $data( @{$self->{$sig_option}} )
-		{
-			push( @{$ret_data}, $data->{'__value__'} );
-		}
-	}
-	else
-	{
-		return( undef );
-	}
-
-	if( @{$ret_data} > 1 )
-	{
-		return( @{$ret_data} );
-	}
-	else
-	{
-		return( $ret_data->[0] );
-	}
-}
-
-sub addoption
-{
-	my $sub_name = 'addoption';
-
-	my $self = shift || return( undef );
-	my $option = shift || return( undef );
-	my $option_data = shift || return( undef );
-
-	if( $self->{'__raw_data__'} )
-	{
-		my $next_idx = $#{$self->{'__raw_data__'}} + 1;
-		$self->{'__raw_data__'}->[$next_idx] = $option . ' ' . $option_data;
-		push( @{$self->{$option}}, 
-			{ '__raw_data_pos__' => $next_idx,
-			'__value__' => $option_data, } );
-	}
-	else
-	{
-		return( undef );
-	}
-
-	return( 1 );
-}
-
-sub modoption
-{
-	my $sub_name = 'modoption';
-	
-	# If successful the value which was replaced is returned.
-	# If failure then an undefined value is returned.
-	
-	my $self = shift || return( undef );
-	my $match_option = shift || return( undef );
-	my $new_data = shift || return( undef );
-	my $match_data = shift;	#optional
-	my $replaced_data;
-	
-	if( exists( $self->{$match_option} ) )
-	{				
-		if( @{$self->{$match_option}} > 1 )
-		{
-			# This won't work if $match_data is not defined
-			if( ! defined( $match_data ) )
-			{
-				if( $DEBUG > 0 )
-				{
-					warn( __PACKAGE__ .
-					"::$sub_name, Failed to modify option $match_option.  Data which to match against is required for options with more than one instance.\n" );
-				}
-				return( undef );
-			}
-			
-			foreach my $opt_inst( @{$self->{$match_option}} )
-			{
-				if( $opt_inst->{'__value__'} eq $match_data )
-				{
-					$replaced_data = $opt_inst->{'__value__'};
-					$opt_inst->{'__value__'} = $new_data;
-					$self->{'__raw_data__'}->[$opt_inst->{'__raw_data_pos__'}] = "$match_option $new_data";
-				}
-			}
-		}
-		else
-		{
-			$replaced_data = $self->{$match_option}->[0]->{'__value__'};
-			
-			if( defined( $match_data ) and $match_data ne $replaced_data )
-			{
-				return( undef );
-			}
-			else
-			{
-				$self->{$match_option}->[0]->{'__value__'} = $new_data;
-				$self->{'__raw_data__'}->[$self->{$match_option}->[0]->{'__raw_data_pos__'}] = "$match_option $new_data";
-			}
-		}
-	}
-	else
-	{
-		# no matching option found
-		return( undef );
-	}
-	
-	return( $replaced_data );
-}
-
-sub deloption
-{
-	my $sub_name = 'deloption';
-	# Accepts at a minimum the object and an option to remove
-	# For options that have multivalues the value can be passed in as 
-	 # option_data to remove only the one value from the object.
-	# If an option has multivalues and no option_data is given then all
-	 # options are removed.
-
-
-	my $self = shift || return( undef );
-	my $match_option = shift || return( undef );
-	my $match_data = shift;	#optional
-	my $success = 0;
-	my @raw_data_pos;
-
-	if( defined( $match_data ) )
-	{
-		if( $DEBUG > 4 )
-		{
-			warn( __PACKAGE__ . "::$sub_name, Method $sub_name has been asked to delete option '" .
-				$match_option . "', value '" . $match_data . "'\n" );
-		}
-		# Must match on both the option key and it's value
-		if( exists( $self->{$match_option} ) )
-		{				
-			if( ref( $self->{$match_option} ) eq 'ARRAY' )
-			{
-				if( $DEBUG > 4 )
-				{
-					warn( __PACKAGE__ . "::$sub_name, Found a match on $match_option in signature\n" );
-				}
-
-				my $__found = 0;
-				my @good_data;
-				foreach my $opt_value( @{$self->{$match_option}} )
-				{
-					if( $opt_value->{'__value__'} eq $match_data )
-					{
-						++$__found;
-						$success = 1;
-						push( @raw_data_pos, $opt_value->{'__raw_data_pos__'} );
-					}
-					elsif( defined( my $tt = $opt_value->{'__value__'} ) )
-					{
-						push( @good_data, $opt_value );
-					}
-
-				}
-
-				if( $success )
-				{
-					if( defined( $good_data[0] ) )
-					{
-						# Replace the object's old data with the good data
-						$self->{$match_option} = [ @good_data ];
-					}
-					else
-					{
-						delete $self->{$match_option};
-					}
-				}
-			}
-		}
-	}
-	elsif( exists( $self->{$match_option} ) )
-	{
-		if( $DEBUG > 4 )
-		{
-			warn( __PACKAGE__ . "::$sub_name, Method $sub_name has been asked to delete all data with" .
-				" an option name of $match_option\n" );
-		}
-
-		foreach my $opt_data( @{$self->{$match_option}} )
-		{
-			push( @raw_data_pos, $opt_data->{'__raw_data_pos__'} );
-		}
-		delete $self->{$match_option};
-		$success = 1;
-	}
-
-
-	if( $success )
-	{
-		# cleanup the __raw_data__ storage in the object
-		# get the last index of the __raw_data__ array
-		foreach my $idx( @raw_data_pos )
-		{
-			$self->{'__raw_data__'}->[$idx] = undef;
-		}
-
-		# Delete the 
-	}
-
-	return( $success );
-
-}
-
-sub meta
-{
-	my $sub_name = 'meta';
-	
-	my $self = shift || return( undef );
-	my $meta_name = shift || return( undef );
-	
-	return( $self->option( $BRO_CONFIG->{META_DATA_PREFIX} . $meta_name ) );
-	
-}
-
-sub output
-{
-	my $sub_name = 'output';
-
-	my $self = shift || return( undef );
-	my %args = @_;
-	my $ret_string;
-	my $prefix = '';
-	my $comments = 0;
-
-	# Make a few checks on the signature to make sure it has all the
-	# mandatory parts before outputting.
-	$self->active();
-	
-	# Check on options
-	if( $args{sigprefix} )
-	{
-		$prefix = $args{sigprefix};
-	}
-
-	if( defined( $args{comments} ) )
-	{
-		$comments = $args{comments};
-	}
-	else
-	{
-		$comments = 1;
-	}
-	
-	if( defined( $args{live} ) )
-	{
-		
-	}
-	elsif( defined( $args{meta} ) )
-	{
-		
-	}
-	else
-	{
-		# opening to a Bro signature block
-		$ret_string = 'signature ' . $prefix . $self->{sig_id} . ' {' . "\n";
-
-		if( $comments )
-		{
-			foreach my $line( @{$self->{'__raw_data__'}} )
-			{
-				if( defined( $line ) )
-				{
-					$ret_string = $ret_string . '  ' . $line . "\n";
-				}
-			}
-		}
-		else
-		{
-			while( my( $option, $opt_array ) = each( %{$self} ) )
-			{
-				if( $option ne '__raw_data__' and $option ne 'sig_id' )
-				{
-					foreach my $opt_data( @{$opt_array} )
-					{
-						$ret_string = $ret_string . 
-						'  ' .
-						$option .
-						' ' .
-						$opt_data->{'__value__'} .
-						"\n";
-					}
-				}
-			}
-		}
-
-		# closing of the Bro signature block
-		$ret_string = $ret_string . '}';
-	}
-
-	return( $ret_string );
-}
-
-sub sigid
-{
-	# This is the entire Bro signature id as parsed in from a 
-	 # signature block
-	my $sub_name = 'sigid';
-
-	my $self = shift || return( undef );
-
-	if( $self->{sig_id} )
-	{
-		return( $self->{sig_id} );
-	}
-	else
-	{
-		return( undef );
-	}
-}
-
-sub active
-{
-	my $sub_name = 'active';
-	
-	# If passed with an argument then the new value will be set if it is valid.
-	# If the new value is set properly then 2 is returned otherwise return -1
-	# If no args called then 0 returned if value is false and 1 returned if
-	# value is true.
-	
-	my $self = shift || return( undef );
-	my $new_status;
-	
-	if( @_ > 0 )
-	{
-		$new_status = shift;
-		
-		# The default is true, set it now if it doesn't already exist.
-		if( ! defined( $self->option( 'active' ) ) )
-		{
-			$self->addoption( 'active', 'true' );
-		}
-	
-		# Make sure that $new_status contains valid data
-		if( $new_status =~ m/^(?:1|true)$/ )
-		{
-			$new_status = 'true';
-		}
-		elsif( $new_status =~ m/^(?:0|false)$/ )
-		{
-			$new_status = 'false';
-		}
-		else
-		{
-			return( undef );
-		}
-		
-		$self->modoption( 'active', $new_status );
-		return( 2 );
-	}
-	
-	if( ! defined( $self->option( 'active' ) ) or
-		$self->option( 'active' ) eq 'true' )
-	{
-		return( 1 );
-	}
-	else
-	{
-		return( 0 );
-	}
-}
-
-sub version
-{
-	my $sub_name = 'version';
-	
-	my $self = shift || return( undef );
-	
-	my $ver = $self->meta( 'version' );
-	if( defined( $ver ) and $ver =~ m/^[[:digit:]]+$/ )
-	{
-		return( $ver );
-	}
-	else
-	{
-		return( '' );
-	}
-}
-
-sub revision
-{
-	my $sub_name = 'revision';
-	
-	my $self = shift || return( undef );
-	
-	my $rev = $self->meta( 'revision' );
-	if( defined( $rev ) and $rev =~ m/^[[:digit:]]+$/ )
-	{
-		return( $rev );
-	}
-	else
-	{
-		return( '' );
-	}
-}
-
-sub filelist
-{
-	my $sub_name = 'filelist';
-	
-	my @args = @_;	# optional arguments
-	my @file_list;
-	my @signature_dirs;
-	my @extra_sig_dirs;
-	my $sigfile_suffix = $BRO_CONFIG->{BRO_SIG_SUFFIX};
-	
-	# valid modes are add and override, default is add
-	my $extra_dir_mode = 'add';
-	
-	# If there are args figure out what to do with them.
-	if( @args > 0 )
-	{
-		if( $args[0] eq 'mode' )
-		{
-			shift @args;
-			$extra_dir_mode = shift @args;
-		}
-		
-		push( @extra_sig_dirs, @args );
-	}
-	
-	# Verify that a valid mode was specified
-	if( $extra_dir_mode ne 'add' and $extra_dir_mode ne 'override' )
-	{
-		warn( __PACKAGE__ . "::$sub_name, Invalid method of '$extra_dir_mode' set.\n" );
-		return( undef );
-	}
-	
-	if( $extra_dir_mode eq 'override' )
-	{
-		@signature_dirs = @extra_sig_dirs;
-	}
-	elsif( defined( $BRO_CONFIG->{BRO_SIG_DIR} ) or defined( $BRO_CONFIG->{BROPATH} ) )
-	{
-		my $rule_path;
-		
-		# if/else ladder is to allow for backwards compatability and will eventually
-		# be removed.
-		if( defined( $BRO_CONFIG->{BRO_SIG_DIR} ) and defined( $BRO_CONFIG->{BROPATH} ) )
-		{
-			$rule_path = join( ':', $BRO_CONFIG->{BRO_SIG_DIR}, $BRO_CONFIG->{BROPATH} );
-		}
-		elsif( defined( $BRO_CONFIG->{BROPATH} ) )
-		{
-			$rule_path = $BRO_CONFIG->{BROPATH};
-		}
-		else
-		{
-			$rule_path = $BRO_CONFIG->{BRO_SIG_DIR};
-		}
-		
-		if( $rule_path =~ m/:/ )
-		{
-			@signature_dirs = split( /:/, $rule_path );
-		}
-		else
-		{
-			$signature_dirs[0] = $rule_path;
-		}
-		
-		# If mode is add then add the additional directories into @signature_dirs
-		if( $extra_dir_mode eq 'add' )
-		{
-			push( @signature_dirs, @extra_sig_dirs );
-		}
-	}
-		
-	foreach my $sig_dir( @signature_dirs )
-	{
-		if( -d $sig_dir and -r $sig_dir and $sig_dir =~ m/^([[:print:]]+)$/ )
-		{
-			# Taint clean the directory name
-			$sig_dir = $1;
-
-			if( opendir( INDIR, $sig_dir ) )
-			{
-				foreach my $file_name( readdir( INDIR ) )
-				{
-					if( $file_name =~ m/^([[:print:]]+$sigfile_suffix)$/ )
-					{
-						# Taint clean the file name
-						$file_name = $1;
-						push( @file_list, join( '/', $sig_dir, $file_name ) );
-					}
-				}
-			}
-			else
-			{
-				warn( __PACKAGE__ . "::$sub_name, Unable to read directory $sig_dir\n" );
-				next;
-			}
-
-			closedir( INDIR );
-		}
-	}
-	return( @file_list );
-}
-
-sub getrules
-{
-	my $sub_name = 'getrules';
-	# Given a Bro rule file it will return a reference to a list of 
-	# Bro::Signature objects in scalar contents and a regular list
-	# in list context.
-	
-	my $rule_file = shift || return( undef );
-	
-	my $sig_file_data;
-	my @sig_blocks;
-	my @sig_objs;
-
-	if( open( INFILE, $rule_file ) )
-	{
-		local $/ = undef;
-		$sig_file_data = <INFILE>;
-		@sig_blocks = findkeyblocks( $sig_file_data );
-	}
-	else
-	{
-		warn( "Failed to open Bro rule file at $rule_file\n" );
-	}
-
-	close( INFILE );
-
-	# clean up some memory
-	undef $sig_file_data;
-
-	foreach my $sig_block( @sig_blocks )
-	{
-		if( my $rule_obj = Bro::Signature->new( string => $sig_block ) )
-		{
-			push( @sig_objs, $rule_obj );
-		}
-	}
-	
-	if( @sig_objs > 0 )
-	{
-		if( wantarray )
-		{
-			return( @sig_objs );
-		}
-		else
-		{
-			return( \@sig_objs );
-		}
-	}
-}
-
-sub compare
-{
-	my $sub_name = 'compare';
-	# Given two signature objects compare them and return whether they are
-	# the same or if there is difference.
-	# If there are no changes then this returns undef.
-	# Valid return values for changes are:
-	# condition - There is a difference between the conditions ( ex. http, payload, dst-ip, etc. )
-	# action - There is a difference in the actions ( ex. event )
-	# active - There is a difference in the active status ( ex. true, false )
-	# meta - There is a difference in the metadata ( ex. .version, .date-created, etc. )
-	my $first_obj = shift || return( undef );
-	my $second_obj = shift || return( undef );
-	
-	my $meta_prefix = $BRO_CONFIG->{META_DATA_PREFIX};
-	$meta_prefix =~ s/\./\\./g;
-	my $m_p = qr/^$meta_prefix.+/;	# Meta prefix
-	my %f_meta;
-	my %f_cond;
-	my %f_act;
-	my %s_meta;
-	my %s_cond;
-	my %s_act;
-	my %results;
-	
-	# If the version number is different then there is definetly an action
-	# and/or a condition difference
-	if( $first_obj->version() ne $second_obj->version() )
-	{
-		$results{'condition'} = 1;
-	}
-	
-	# Compare the active status
-	if( $first_obj->active() ne $second_obj->active() )
-	{
-		$results{'active'} = 1;
-	}
-	
-	# Seperate out all of the option data from meta data for the first obj
-	foreach my $key( keys( %{$first_obj} ) )
-	{
-		if( exists( $SKIP_OPT{$key} ) )
-		{
-			# Ignore the key
-		}
-		elsif( $key =~ $m_p )
-		{
-			@{$f_meta{$key}} = $first_obj->option( $key );
-		}
-		elsif( exists( $ACTIONS{$key} ) )
-		{
-			@{$f_act{$key}} = $first_obj->option( $key );
-		}
-		else
-		{
-			# the data is part of a condition which is used
-			# by Bro to define how a signature matches.
-			@{$f_cond{$key}} = $first_obj->option( $key );
-		}
-	}
-	
-	# Seperate out all of the option data from meta data for the second obj
-	foreach my $key( keys( %{$second_obj} ) )
-	{
-		if( exists( $SKIP_OPT{$key} ) )
-		{
-			# Ignore the key
-		}
-		elsif( $key =~ $m_p )
-		{
-			@{$s_meta{$key}} = $second_obj->option( $key );
-		}
-		elsif( exists( $ACTIONS{$key} ) )
-		{
-			@{$s_act{$key}} = $second_obj->option( $key );
-		}
-		else
-		{
-			# the data is part of a condition which is used
-			# by Bro to define how a signature matches.
-			@{$s_cond{$key}} = $second_obj->option( $key );
-		}
-	}
-	
-	# Compare the conditions
-	foreach my $key( keys( %f_cond ) )
-	{
-		if( exists( $results{'condition'} ) )
-		{
-			last;
-		}
-		
-		if( exists( $s_cond{$key} ) )
-		{
-			if( @{$f_cond{$key}} != @{$s_cond{$key}} )
-			{
-				$results{'condition'} = 1;
-			}
-		}
-		else
-		{
-			$results{'condition'} = 1;
-		}
-		
-		foreach my $val( @{$f_cond{$key}} )
-		{
-			if( exists( $results{'condition'} ) )
-			{
-				last;
-			}
-			
-			my $did_match = 0;
-			foreach my $val2( @{$s_cond{$key}} )
-			{
-				if( $val eq $val2 )
-				{
-					$did_match = 1;
-					last;
-				}
-			}
-			
-			if( ! $did_match )
-			{
-				$results{'condition'} = 1;
-			}
-		}
-	}
-	foreach my $key( keys( %s_cond ) )
-	{
-		if( exists( $results{'condition'} ) )
-		{
-			last;
-		}
-		
-		if( ! exists( $f_cond{$key} ) )
-		{
-			$results{'condition'} = 1;
-		}
-		
-		foreach my $val( @{$s_cond{$key}} )
-		{
-			if( exists( $results{'condition'} ) )
-			{
-				last;
-			}
-			
-			my $did_match = 0;
-			foreach my $val2( @{$f_cond{$key}} )
-			{
-				if( $val eq $val2 )
-				{
-					$did_match = 1;
-					last;
-				}
-			}
-			
-			if( ! $did_match )
-			{
-				$results{'condition'} = 1;
-			}
-		}
-	}
-	
-	# Compare the actions
-	foreach my $key( keys( %f_act ) )
-	{
-		if( exists( $results{'action'} ) )
-		{
-			last;
-		}
-		
-		if( exists( $s_act{$key} ) )
-		{
-			if( @{$f_act{$key}} != @{$s_act{$key}} )
-			{
-				$results{'action'} = 1;
-			}
-		}
-		else
-		{
-			$results{'action'} = 1;
-		}
-				
-		foreach my $val( @{$f_act{$key}} )
-		{
-			if( exists( $results{'action'} ) )
-			{
-				last;
-			}
-			
-			my $did_match = 0;
-			foreach my $val2( @{$s_act{$key}} )
-			{
-				if( $val eq $val2 )
-				{
-					$did_match = 1;
-					last;
-				}
-			}
-			
-			if( ! $did_match )
-			{
-				$results{'action'} = 1;
-			}
-		}
-	}
-	foreach my $key( keys( %s_act ) )
-	{
-		if( exists( $results{'action'} ) )
-		{
-			last;
-		}
-		
-		if( ! exists( $f_act{$key} ) )
-		{
-			$results{'action'} = 1;
-		}
-		
-		foreach my $val( @{$s_act{$key}} )
-		{
-			if( exists( $results{'action'} ) )
-			{
-				last;
-			}
-			
-			my $did_match = 0;
-			foreach my $val2( @{$f_act{$key}} )
-			{
-				if( $val eq $val2 )
-				{
-					$did_match = 1;
-					last;
-				}
-			}
-			
-			if( ! $did_match )
-			{
-				$results{'action'} = 1;
-			}
-		}
-	}
-	
-	# If the revision numbers are differnet then there is definetly a
-	# meta data difference
-	if( $first_obj->revision() ne $second_obj->revision() )
-	{
-		$results{'meta'} = 1;
-	}
-	
-	# Compare the meta data
-	foreach my $key( keys( %f_meta ) )
-	{
-		if( exists( $results{'meta'} ) )
-		{
-			last;
-		}
-		
-		if( exists( $s_meta{$key} ) )
-		{
-			if( @{$f_meta{$key}} != @{$s_meta{$key}} )
-			{
-				$results{'meta'} = 1;
-			}
-		}
-		else
-		{
-			$results{'meta'} = 1;
-		}
-				
-		foreach my $val( @{$f_meta{$key}} )
-		{
-			if( exists( $results{'meta'} ) )
-			{
-				last;
-			}
-			
-			my $did_match = 0;
-			foreach my $val2( @{$s_meta{$key}} )
-			{
-				if( $val eq $val2 )
-				{
-					$did_match = 1;
-					last;
-				}
-			}
-			
-			if( ! $did_match )
-			{
-				$results{'meta'} = 1;
-			}
-		}
-	}
-	foreach my $key( keys( %s_meta ) )
-	{
-		if( exists( $results{'meta'} ) )
-		{
-			last;
-		}
-		
-		if( ! exists( $f_meta{$key} ) )
-		{
-			$results{'meta'} = 1;
-		}
-		
-		foreach my $val( @{$s_meta{$key}} )
-		{
-			if( exists( $results{'meta'} ) )
-			{
-				last;
-			}
-			
-			my $did_match = 0;
-			foreach my $val2( @{$f_meta{$key}} )
-			{
-				if( $val eq $val2 )
-				{
-					$did_match = 1;
-					last;
-				}
-			}
-			
-			if( ! $did_match )
-			{
-				$results{'meta'} = 1;
-			}
-		}
-	}
-		
-	if( keys( %results ) > 0 )
-	{
-		return( \%results );
-	}
-	else
-	{
-		return( 0 );
-	}
-}
-
-sub utctimenow
-{
-	my $sub_name = 'utctimenow';
-	
-	my @tp = gmtime();
-	
-	my $ret_time = sprintf( "%4d-%02d-%02dT%02d:%02d:%02dZ", 
-					$tp[5] + 1900, $tp[4] + 1, $tp[3], $tp[2], $tp[1], $tp[0] );
-	
-	return( $ret_time );
-}
-
-1;
-
-# List of reserved meta-data keywords for use by signature manipulation tools
-# and the number of instances which may exist in each signature.
-
-# date-created		max: 1
-# version-date		max: 1
-# revision-date	max: 1
-# category		max: unlimited
-# from-file		max: 1		reserved for use during editing, not used in actual signatures
-# version			max: 1		version supplied by signature creator.
-#							This number will be rolled if any of the 
-#							matching content changes, not meta-data.
-# rev			max: 1		This number will be rolled if changes to
-#							meta-data are made.  No matching content
-#							changes.
-# 
\ No newline at end of file
diff --git a/scripts/perl/script/edit-brorule.pl b/scripts/perl/script/edit-brorule.pl
deleted file mode 100755
index 5cba38d381..0000000000
--- a/scripts/perl/script/edit-brorule.pl
+++ /dev/null
@@ -1,1126 +0,0 @@
-#!/usr/bin/perl -w
-
-BEGIN
-{
-	require 5.006_001;
-	use strict;
-	use vars qw( $VERSION
-				$DEBUG
-				$DEFAULT_CONFIG
-				$RFC3339_REGEX
-				$TEMP_DIR_NAME
-				$DEFAULT_BRO_CONFIG_FILE
-				@BRO_RULE_FILES
-				$BRO_CONFIG_FILE );
-	
-	use Getopt::Long;
-	Getopt::Long::Configure ( 'bundling', 'no_getopt_compat', 'pass_through', 'no_ignore_case' );
-	use Bro::Config qw( $BRO_CONFIG );
-	
-	
-	$DEFAULT_BRO_CONFIG_FILE = '/usr/local/bro/etc/bro.cfg';
-	$BRO_CONFIG_FILE = getbroconfigfile() || $DEFAULT_BRO_CONFIG_FILE;
-	Bro::Config::Configure( File => $BRO_CONFIG_FILE );
-	
-	sub getbroconfigfile
-	{
-		my $sub_name = 'getbroconfigfile';
-		
-		my %cmd_line_cfg;
-		
-		GetOptions( \%cmd_line_cfg,
-				'broconfig|b=s' );
-		
-		return( $cmd_line_cfg{broconfig} );
-	}
-}
-
-# $Id: edit-brorule.pl 5222 2008-01-09 20:05:27Z vern $
-$VERSION = 1.20;
-use Time::Local;
-use Bro::Signature qw( findkeyblocks getrules utctimenow );
-
-%{$DEFAULT_CONFIG} = ( temp => '/tmp',
-					editor => 'vi',
-					'require_write' => 0,);
-my $temp_prefix = 'edit-brorule';
-my $config = getconfig();
-my $temp_file = $config->{temp} . '/' . $temp_prefix . $$ . '.tmp';
-
-$RFC3339_REGEX = qr/^([[:digit:]]{4})			# year
-					-([[:digit:]]{2})		# month
-					-([[:digit:]]{2})		# day
-					(?:[Tt ]					# begin time section
-					([[:digit:]]{2})		# hour
-					(?::([[:digit:]]{2})	# minute
-					(?::([[:digit:]]{2}(\.[[:digit:]]{1,2})?)|)|)	# second
-					)?					# end time section
-					([Zz]|([-+][[:digit:]]{2}:[[:digit:]]{2}))?	# timezone offset
-					$/xo;
-
-
-########### Begin main here #################
-
-# Set the list of Bro rule files which will be used
-if( exists( $config->{addpath} ) and $config->{addpath} )
-{
-	@BRO_RULE_FILES = Bro::Signature::filelist( @{$config->{addpath}} );
-}
-elsif( exists( $config->{ruledir} ) and $config->{ruledir} )
-{
-	@BRO_RULE_FILES = Bro::Signature::filelist( mode => 'override', $config->{ruledir} );
-}
-elsif( exists( $config->{rulefile} ) and $config->{rulefile} )
-{
-	@BRO_RULE_FILES = ( $config->{rulefile} );
-}
-else
-{
-	@BRO_RULE_FILES = Bro::Signature::filelist();
-}
-
-# If there are no rule files then no need to continue any further
-if( @BRO_RULE_FILES < 1 )
-{
-	warn( "Unable to find any Bro signature files to edit\n" );
-	exit( 1 );
-}
-
-# If any option which edits a signature is called then the rules files
-# must be writtable.
-if( $config->{require_write} )
-{
-	foreach my $rule_file( @BRO_RULE_FILES )
-	{
-		if( ! -w $rule_file )
-		{
-			warn( "Do not have write access on Bro signature file $rule_file\n" );
-			warn( "Must have write access to continue. Resolve this issue and then try again\n" );
-			exit( 1 );
-		}
-	}
-}
-
-# Check if the temp file already exists.  If so it must be writtable
-if( -f $temp_file and ! -w $temp_file )
-{
-	warn( "Temp file $temp_file already exists and is not writtable.\n" );
-	warn( "Please resolve the problem and try again.\n" );
-	exit( 1 );
-}
-
-
-# How were we called.
-
-# These options will require a temp file for writting.
-if( exists( $config->{disable} ) )
-{
-	changeactivestatus( 'false', @{$config->{disable}} );
-}
-elsif( exists( $config->{enable} ) )
-{
-	changeactivestatus( 'true', @{$config->{enable}} );
-}
-
-if( $config->{edit} )
-{
-	if( ! editbrorule( @{$config->{edit}} ) )
-	{
-		warn( "Failed to edit brorules.  No changes have been made.\n" );
-		exit( 1 );
-	}
-}
-elsif( $config->{add} )
-{
-	if( addbrorule( @{$config->{add}} ) )
-	{
-		print "Rule added successfully\n";
-	}
-}
-
-
-exit( 0 );
-
-
-
-
-
-
-
-
-
-############# Begin subs here ################
-
-sub getconfig
-{
-	my $sub_name = 'getconfig';
-	
-	my $arg1 = shift || $DEFAULT_CONFIG;
-	my %default_config;
-	my %config;
-	my $active_method = '__NULL__';
-	my %clc = ( usage => 0,
-				debug => 0,
-				version => 0,
-				copyright => 0, );
-	
-	if( ref( $arg1 ) eq 'HASH' )
-	{
-		%default_config = %{$arg1};
-	}
-	else
-	{
-		return( undef );
-	}
-	
-	# This is kind of funky.  The subroutine set in '<>' will be called
-	# when an argument unknown to the parser is encountered.  This sub
-	# will handle sucking up lists that can occur after an option.  Where
-	# the list is saved depends upon the option which prefixed the list
-	GetOptions( 'broconfig|b' => \$clc{broconfig},
-			'disable|deactivate' => sub { $active_method = 'disable'; },
-			'<>' => sub { push( @{$clc{$active_method}}, @_ ); },
-			'enable|activate' => sub { $active_method = 'enable'; },
-			'edit|e' => sub { $active_method = 'edit'; },
-			'add|a' => sub { $active_method = 'add'; },
-			'rulefile=s' => \$clc{rulefile},
-			'ruledir=s' => \$clc{ruledir},
-			'addpath' => sub { $active_method = 'addpath'; },
-			'editor=s' => \$clc{editor},
-			'temp|t=s' => \$clc{temp},
-			'usage|help|h' => \$clc{usage},
-			'debug|verbose|d|v:+' => \$clc{debug},
-			'version|V' => \$clc{version},
-			'copyright' => \$clc{copyright}, );
-	
-	# Check for options which will prevent the program from running
-	# any further
-	if( $clc{usage} )
-	{
-		print usage();
-		exit( 0 );
-	}
-	elsif( $clc{version} )
-	{
-		print version();
-		exit( 0 );
-	}
-	elsif( $clc{copyright} )
-	{
-		print copyright();
-		exit( 0 );
-	}
-	else
-	{
-		# just continue on
-	}
-	
-	# Set the location in which to write temp files
-	if( exists( $ENV{TEMP} ) and $ENV{TEMP} )
-	{
-		$config{temp} = $ENV{TEMP};
-	}
-	elsif( exists( $ENV{TMP} ) and $ENV{TMP} )
-	{
-		$config{temp} = $ENV{TMP};
-	}
-	
-	# Set the location of the preferred text editor
-	if( exists( $ENV{EDITOR} ) and $ENV{EDITOR} )
-	{
-		$config{editor} = $ENV{EDITOR};
-	}
-	
-	# Set Debug level
-	$DEBUG = $clc{debug};
-		
-	# Print the list of rules passed to enable.disable
-	if( $DEBUG > 1 )
-	{
-		if( $clc{disable} )
-		{
-			print "List of rules to disable/deactivate: ";
-			print join( ' ', @{$clc{disable}} );
-			print "\n";
-		}
-		
-		if( $clc{enable} )
-		{
-			print "List of rules to enable/activate: ";
-			print join( ' ' , @{$clc{enable}} );
-			print "\n";
-		}
-		
-		if( $clc{edit} )
-		{
-			print "List of rules to edit: ";
-			print join( ' ' , @{$clc{edit}} );
-			print "\n";
-		}
-		
-		if( $clc{addpath} )
-		{
-			print "List of additional directories to search: ";
-			print join( ':', @{$clc{addpath}} );
-			print "\n"
-		}
-		
-		if( $clc{add} )
-		{
-			print "List of arguments passed to add: ";
-			print join( ' ', @{$clc{add}} );
-			print "\n"
-		}
-	}
-	
-	# Any args passed through the command line will override file options
-	while( my( $key, $value ) = each( %clc ) )
-	{
-		if( defined( $value ) )
-		{
-			$config{$key} = $value;
-		}
-	}
-	
-	# Set default values for options that have not already been configured
-	while( my( $key, $value ) = each( %{$arg1} ) )
-	{
-		if( ! exists( $config{$key} ) )
-		{
-			$config{$key} = $value;
-		}
-	}
-	
-	if( checkconfig( \%config ) )
-	{
-		if( $DEBUG > 4 )
-		{
-			warn( "Configuration memory dump:\n" );
-			foreach my $key( keys( %config ) )
-			{
-				print "$key\t=> " . $config{$key} . "\n";
-			}
-			warn( "\n" );
-		}
-		return( \%config );
-	}
-	else
-	{
-		warn( "exiting program\n" );
-		exit( 1 );
-	}
-	
-}
-
-sub checkconfig
-{
-	my $sub_name = 'checkconfig';
-	
-	my $config = shift || return( undef );
-	my $valid_action = 0;
-	my $failed = 0;
-	
-	# Temp directory must exist and be writtable
-	if( -d $config->{temp} )
-	{
-		if( ! -w $config->{temp} )
-		{
-			warn( "Temp directory at " . $config->{temp} . " must be writtable\n" );
-			$failed = 1;
-		}
-	}
-	else
-	{
-		warn( "Temp directory at " . $config->{temp} . " does not exist\n" );
-		$failed = 1;
-	}
-	
-	if( my $verified_editor = seteditor( $config->{editor} ) )
-	{
-		$config->{editor} = $verified_editor;
-	}
-	else
-	{
-		warn( "Could not find absolute path for editor " . $config->{editor} . "\n" );
-		$failed = 1;
-	}
-	
-	# If any of these edit functions are used then set the require-write flag
-	if( $config->{enable} or $config->{disable} or $config->{edit} or
-		$config->{add} )
-	{
-		$config->{require_write} = 1;
-	}
-	
-	# Can't have both enable and disable at the same time.
-	if( ref( $config->{enable} ) eq 'ARRAY' and 
-		ref( $config->{disable} ) eq 'ARRAY' )
-	{
-		warn( "Can not use both --enable and --disable at the same time.\n" );
-		$failed = 1;
-	}
-	
-	# Can't have both add and edit at the same time
-	if( ref( $config->{edit} ) eq 'ARRAY' and
-		ref( $config->{add} ) eq 'ARRAY' )
-	{
-		warn( "Can not use both --edit and --add at the same time.\n" );
-		$failed = 1;
-	}
-	
-	# A valid action must be given
-	if( ! ( $config->{enable} or $config->{disable} or $config->{edit} or
-			$config->{add} ) )
-	{
-		warn( "No action specified.\n" );
-		print usage();
-		exit( 1 );
-	}
-	
-	# Check to make sure that the rule id and the optional file values are sane
-	if( $config->{add} )
-	{
-		my $sigid = $config->{add}->[0];
-		my $file = $config->{add}->[1];
-				
-		if( ! $sigid =~ m/^([[:print:]]+)$/ )
-		{
-			warn( "Error in sig id argument to --add, invalid value.\n" );
-			$failed = 1;
-		}
-		
-		if( $file )
-		{
-			# Taint clean the filename
-			if( $file =~ m/^([[:print:]]+)$/ )
-			{
-				# filename is now taint clean.
-				$config->{add}->[1] = $1;
-				$file = $config->{add}->[1];
-			}
-			else
-			{
-				warn( "Error in file argument to --add, invalid file name.\n" );
-				$failed = 1;
-			}
-			
-			if( ! ( -f $file && -w $file ) )
-			{
-				warn( "Error in file argument to --add, file does not exist or is not writtable.\n" );
-				$failed = 1;
-			}
-		}
-	}
-	
-	if( $failed )
-	{
-		return( 0 );
-	}
-	else
-	{
-		return( 1 );
-	}
-}
-
-sub changeactivestatus
-{
-	my $sub_name = 'changeactivestatus';
-	
-	my $new_status = shift || return( undef );
-	my @id_list = @_;
-	my %match_ids;
-	my $total_num_changes = 0;
-	my $type_of_change = '';
-	
-	# valid values for $new_status are true, false, 0, 1
-	if( $new_status =~ m/^(?:0|false)$/ )
-	{
-		$type_of_change = 'disabled';
-	}
-	elsif( $new_status =~ m/^(?:1|true)$/ )
-	{
-		$type_of_change = 'enabled';
-	}
-	else
-	{
-		warn( "Invalid value '$new_status' passed to function $sub_name.\n" );
-		print usage();
-		return( undef );
-	}
-	
-	foreach my $id( @id_list )
-	{
-		$match_ids{$id} = 1;
-	}
-	
-	foreach my $rule_file( @BRO_RULE_FILES )
-	{
-		my $num_changes = 0;
-		
-		# Open a temp file for writting
-		if( ! open( OUTFILE, ">$temp_file" ) )
-		{
-			warn( "Failed to open temp file $temp_file for writting.\n" );
-			exit( 1 );
-		}
-		
-		foreach $sig_obj( getrules( $rule_file ) )
-		{
-			if( exists( $match_ids{$sig_obj->sigid()} ) )
-			{
-				$sig_obj->active( $new_status );
-				++$num_changes;
-				delete( $match_ids{$sig_obj->sigid()} );
-			}
-			
-			print OUTFILE $sig_obj->output() . "\n\n";
-		}
-		
-		close( OUTFILE );
-		
-		if( $num_changes > 0 )
-		{
-			$total_num_changes += $num_changes;
-			replacefile( $rule_file, $temp_file );
-		}
-		
-		unlink $temp_file;
-	}
-	
-	print "A total of $total_num_changes ids were matched and $type_of_change\n";
-	
-	if( keys( %match_ids ) > 0 )
-	{
-		print "The following ids were not found: ";
-		print join( " ", keys( %match_ids ) ) . "\n";
-	}
-	
-	return( 1 );
-}
-
-sub editbrorule
-{
-	my $sub_name = 'editbrorule';
-	
-	my @args = @_;
-	my %rules_to_edit;
-	my @modified_rules;
-	
-	# {$rule_file}{$sigid}
-	my %rules_by_file;
-	my %new_rules_by_file;
-	my %unmatched_files;
-	my $temp_size;
-	my $temp_mtime;
-	
-	# There must be at least one bro rule to edit
-	if( @args < 1 )
-	{
-		warn( "No Bro rules have been given to edit.\n" );
-		return( undef );
-	}
-	
-	# Put the list of rules to edit in a hash for easier matching
-	foreach my $rule_id( @args )
-	{
-		$rules_to_edit{$rule_id} = 1;
-	}
-	
-	foreach my $rule_file( @BRO_RULE_FILES )
-	{
-		my $num_changes = 0;
-		
-		foreach my $rule_obj( getrules( $rule_file ) )
-		{
-			if( exists( $rules_to_edit{$rule_obj->sigid()} ) )
-			{
-				# If the location option is here for any reason blow
-				# it away before adding the current one.
-				removefilelocation( $rule_obj );
-				
-				# Add in the location from which the rule came
-				addfilelocation( $rule_obj, $rule_file );
-			
-				# Look for duplicate rules.
-				if( exists( $rules_by_file{$rule_file}{$rule_obj->sigid()} ) )
-				{
-					warn( "Duplicate rule found in file $rule_file for rule id " .
-						$rule_obj->sigid() . "\n" );
-				}
-				
-				$rules_by_file{$rule_file}{$rule_obj->sigid()} = $rule_obj;
-			}
-		}
-	}
-	
-	# If no rules to edit were found then bail.
-	if( keys( %rules_by_file ) < 1 )
-	{
-		return( 0 );
-	}
-	
-	if( ! open( OUTFILE, ">$temp_file" ) )
-	{
-		warn( "Failed to open temp file '$temp_file' for writing.\n" );
-		return( undef );
-	}
-	
-	# Output to temp file for user editing.
-	foreach my $rule_file( keys( %rules_by_file ) )
-	{
-		foreach my $rule_obj( values( %{$rules_by_file{$rule_file}} ) )
-		{
-			print OUTFILE $rule_obj->output() . "\n\n";
-		}
-	}
-	
-	close( OUTFILE );
-	
-	# Record the mtime and size of the the current temp file
-	$temp_mtime = ( stat( $temp_file ) )[9];
-	$temp_size = ( stat( $temp_file ) )[7];
-	
-	# Open the external editor. If the editor returns anything but zero
-	# there was an error.
-	if( system( $config->{editor}, $temp_file ) != 0 )
-	{
-		warn( "An unknown error was encountered while using the external editor.\n" );
-		return( undef );
-	}
-	
-	# Check if the temp file has been modified at all.  If no changes then
-	# just cleanup and return.
-	if( ( stat( $temp_file ) )[9] == $temp_mtime and
-		( stat( $temp_file ) )[7] == $temp_size )
-	{
-		unlink $temp_file;
-		return( 1 );
-	}
-	
-	# Put the new rule objects in a hash for easy matching.  Order by
-	# the location option which will also be removed.
-	foreach my $new_rule( getrules( $temp_file ) )
-	{
-		my $rule_file = $new_rule->option( '.location' );
-		# Remove the location option as it only for the editor
-		removefilelocation( $new_rule );
-		
-		$new_rules_by_file{$rule_file}{$new_rule->sigid()} = $new_rule;
-		$unmatched_files{$rule_file} = 1;
-	}
-	
-	# Any rule file name must exist in the list of files which the rules
-	# came from.  In other words, no new signature file will be created.
-	foreach my $cur_rule( @BRO_RULE_FILES )
-	{
-		if( exists( $unmatched_files{$cur_rule} ) )
-		{
-			delete( $unmatched_files{$cur_rule} );
-		}
-	}
-	
-	foreach my $unmatched_file( keys( %unmatched_files ) )
-	{
-		warn( "Bro rule file '$unmatched_file' encountered but was not in the list of" .
-			" Bro rules searched.  All rules with this location will be ignored.\n" );
-		delete( $new_rules_by_file{$unmatched_file} );
-	}
-	
-	# Edit each rule file for which we have data.
-	foreach my $rule_file( keys( %new_rules_by_file ) )
-	{
-		if( ! open( OUTFILE, ">$temp_file" ) )
-		{
-			warn( "Failed to open temp file $temp_file for writing.\n" );
-			return( undef );
-		}
-
-		foreach my $old_rule( getrules( $rule_file ) )
-		{
-			if( exists( $new_rules_by_file{$rule_file}{$old_rule->sigid()} ) )
-			{
-				my $new_rule = $new_rules_by_file{$rule_file}{$old_rule->sigid()};
-				my $compare_res = $old_rule->compare( $new_rule );
-				
-				if( $compare_res )
-				{
-					if( exists( $compare_res->{'meta'} ) )
-					{
-						bumprevision( $new_rule );
-					}
-					
-					if( exists( $compare_res->{'action'} ) or 
-						exists( $compare_res->{'condition'} ) )
-					{
-						bumpversion( $new_rule );
-						resetrevision( $new_rule );
-					}
-					
-					print OUTFILE $new_rule->output() . "\n\n";
-				}
-				else
-				{
-					# No changes
-					print OUTFILE $old_rule->output() . "\n\n";
-				}
-				
-				delete( $new_rules_by_file{$rule_file}{$old_rule->sigid()} );
-			}
-			else
-			{
-				print OUTFILE $old_rule->output() . "\n\n";
-			}
-		}
-
-		close( OUTFILE );
-		
-		delete( $new_rules_by_file{$rule_file} );
-		
-		replacefile( $rule_file, $temp_file );
-	}
-	
-	unlink $temp_file;
-}
-
-sub addbrorule
-{
-	my $sub_name = 'addbrorule';
-	
-	my $rule_id = shift || return( undef );
-	my $rule_file = shift;	# optional
-	
-	my $sig_suffix = $BRO_CONFIG->{BRO_SIG_SUFFIX};
-	my $brosite = $BRO_CONFIG->{BROSITE};
-	my $failed = 0;
-	
-	# If no rule file then grab the first one found in $BROSITE
-	if( ! $rule_file )
-	{
-		if( -d $brosite )
-		{
-			if( ! opendir( DIR, $brosite ) )
-			{
-				warn( "Failed to open $brosite directory $brosite for reading.\n" );
-				return( undef );
-			}
-			
-			while( my $file = readdir( DIR ) )
-			{
-				if( $file =~ m/^[^\.].*$sig_suffix$/ and -f "$brosite/$file" )
-				{
-					$rule_file = "$brosite/$file";
-					last;
-				}
-			}
-			
-			closedir( DIR );
-		}
-		else
-		{
-			warn( "$brosite is either not specified or it is not a directory.\n" );
-			return( undef );
-		}
-		
-		if( ! $rule_file )
-		{
-			warn( "Unable to find a rule file in $brosite to add the new rule to.\n" );
-			return( undef );
-		}
-	}
-	
-	# Read in the rule file and look for a duplicate rule
-	foreach my $rule_obj( getrules( $rule_file ) )
-	{
-		if( $rule_obj->sigid() eq $rule_id )
-		{
-			warn( "Bro rule id $rule_id already exists, edit it or try something else.\n" );
-			return( undef );
-		}
-	}
-	
-	# Create the skeleton of the new rule
-	my $utc_now = utctimenow();
-	my $rule_template = qq~
-signature $rule_id \{
-  active true
-  .date-created $utc_now
-\}
-~;
-	# Create a new rule object and add some default attributes
-	my $new_rule = Bro::Signature->new( string => $rule_template );
-	bumpversion( $new_rule, $utc_now );
-	bumprevision( $new_rule, $utc_now );
-	addfilelocation( $new_rule, $rule_file );
-	
-	TEMP_FILE_OPEN: {
-		# Output the new rule to a temp file for editing
-		if( open( OUTFILE, ">$temp_file" ) )
-		{
-			print OUTFILE $new_rule->output() . "\n\n";
-		}
-		else
-		{
-			warn( "Failed to open temp file '$temp_file' for writing.\n" );
-			$failed = 1;
-			last;
-		}
-
-		close( OUTFILE );
-
-		# Open the external editor. If the editor returns anything but zero
-		# there was an error.
-		if( system( $config->{editor}, $temp_file ) != 0 )
-		{
-			warn( "An unknown error was encountered while using the external editor.\n" );
-			$failed = 1;
-			last;
-		}
-
-		# Read the rule file back in.  Only one rule should be in here.
-		my @temp_rules = getrules( $temp_file );
-		if( @temp_rules > 1 )
-		{
-			warn( "More than one rule was found in the temp file.  Only one rule at a time can be created.\n" );
-			$failed = 1;
-			last;
-		}
-
-		# Make sure that the rule id has not been changed.
-		if( $rule_id ne $temp_rules[0]->sigid() )
-		{
-			warn( "The rule id has been changed, aborting add.\n" );
-			$failed = 1;
-			last;
-		}
-
-		# The file location is put in for convenience.  User modification will be ignored.
-		removefilelocation( $temp_rules[0]->sigid() );
-
-		# Write the new signature out to the bottom of the file
-		if( open( OUTFILE, ">>$rule_file" ) )
-		{
-			print OUTFILE $temp_rules[0]->output() . "\n\n";
-		}
-		else
-		{
-			warn( "Failed to open rule file $rule_file for writing, rule addidtion aborted.\n" );
-			$failed = 1;
-			last;
-		}
-	}	# end TEMP_FILE_OPEN
-	
-	unlink $temp_file;
-	
-	if( $failed )
-	{
-		return( undef );
-	}
-	else
-	{
-		return( 1 );
-	}
-}
-
-sub bumpversion
-{
-	my $sub_name = 'bumpversion';
-	
-	my $self = shift || return( undef );
-	my $new_date = shift;	# optional
-	
-	my $cur_ver = $self->version();
-	
-	# If $new_date was not passed in then set it now.
-	if( ! $new_date )
-	{
-		$new_date = utctimenow();
-	}
-	
-	if( length( $cur_ver ) > 0 )
-	{
-		$self->modoption( '.version', $cur_ver + 1 );
-	}
-	else
-	{
-		$self->addoption( '.version', 1 );
-	}
-	
-	if( ! $self->modoption( '.version-date', $new_date ) )
-	{
-		$self->addoption( '.version-date', $new_date );
-	}
-	
-	return( $self->version() );
-}
-
-sub bumprevision
-{
-	my $sub_name = 'bumprevision';
-	
-	my $self = shift || return( undef );
-	my $new_date = shift;	# optional
-	
-	my $cur_rev = $self->revision();
-	
-	# .version must exist!
-	if( ! $self->option( '.version' ) )
-	{
-		bumpversion( $self, $new_date );
-	}
-	
-	# If $new_date was not passed in then set it now.
-	if( ! $new_date )
-	{
-		$new_date = utctimenow();
-	}
-	
-	if( length( $cur_rev ) > 0 )
-	{
-		$self->modoption( '.revision', $cur_rev + 1 );
-	}
-	else
-	{
-		$self->addoption( '.revision', 1 );
-	}
-	
-	if( ! $self->modoption( '.revision-date', $new_date ) )
-	{
-		$self->addoption( '.revision-date', $new_date );
-	}
-	
-	return( $self->revision() );
-}
-
-sub resetrevision
-{
-	my $sub_name = 'resetrevision';
-	
-	my $self = shift || return( undef );
-	
-	if( ! $self->modoption( '.revision', 1 ) )
-	{
-		bumprevision( $self );
-	}
-	
-	return( $self->revision() );
-}
-
-sub addfilelocation
-{
-	my $sub_name = 'addfilelocation';
-	
-	my $rule_obj = shift || return( undef );
-	my $rule_file = shift || return( undef );
-	
-	# Make sure the obj is of Bro::Signature type
-	if( ref( $rule_obj ) ne 'Bro::Signature' )
-	{
-		warn( "First arg passed to $sub_name is not a Bro::Signature object.\n" );
-		return( undef );
-	}
-	
-	if( $rule_obj->addoption( '.location', $rule_file ) )
-	{
-		return( 1 );
-	}
-	else
-	{
-		warn( "Failed to add file location to Bro rule " . $rule_obj->sigid() . ".\n" );
-		return( undef );
-	}
-}
-
-sub removefilelocation
-{
-	my $sub_name = 'removefilelocation';
-	
-	my $rule_obj = shift || return( undef );
-	
-	# Make sure the obj is of Bro::Signature type
-	if( ref( $rule_obj ) ne 'Bro::Signature' )
-	{
-		warn( "First arg passed to $sub_name is not a Bro::Signature object.\n" );
-		return( undef );
-	}
-	
-	if( $rule_obj->deloption( '.location' ) )
-	{
-		return( 1 );
-	}
-	else
-	{
-		return( 0 );
-	}
-}
-
-sub seteditor
-{
-	my $sub_name = 'seteditor';
-	
-	my $editor = shift || return( undef );
-	my $clean_editor;
-	my @path_list = split( /:/, $ENV{PATH} );
-	
-	if( $editor =~ m/^(\/[[:print:]]+)$/ )
-	{
-		$clean_editor = $1;
-	}
-	else
-	{
-		foreach my $dir_name( @path_list )
-		{
-			my $full_path = "$dir_name/$editor";
-			if( -f $full_path and $full_path =~ m/^(\/[[:print:]]+)$/ )
-			{
-				$clean_editor = $1;
-			}
-		}
-	}
-	
-	# Make sure that the file exists and is executable
-	if( -f $clean_editor and -x $clean_editor )
-	{
-		return( $clean_editor );
-	}
-	else
-	{
-		return( undef );
-	}
-}
-
-sub replacefile
-{
-	my $sub_name = 'replacefile';
-	
-	my $old_file = shift || return( undef );
-	my $new_file = shift || return( undef );
-	my $cp_result;
-	my $_cur_pid = $$;
-	
-	if( system( "cp -f $new_file $old_file.$_cur_pid.tmp" ) == 0 )
-	{
-		if( system( "mv -f $old_file.$_cur_pid.tmp $old_file" ) == 0 )
-		{
-			return( 1 );
-		}
-		else
-		{
-			warn( "Failed to replace $old_file with new file $new_file\n" );
-			return( undef );
-		}
-	}
-	else
-	{
-		warn( "Failed to move new file $new_file to $old_file.$_cur_pid.tmp\n" );
-		return( undef );
-	}
-}
-
-sub normalize_time
-{
-	my $sub_name = 'normalize_time';
-	# change various time formats into a unix epoch time with 6 decimal places
-	
-	my $arg1 = $_[0];
-	my $ret_time;
-	
-	if( $arg1 =~ m/^([[:digit:]]{10}(?:\.[[:digit:]]{1,6})?)$/ )
-	{
-		# Already in the right format.
-		$ret_time = sprintf( "%.6f", $1 );
-	}
-	# RFC 3339 format -> 2004-08-06T19:59:39-07:00
-	elsif( my @time_parts = ( $arg1 =~ $RFC3339_REGEX ) )
-	{
-		my $year = $time_parts[0];
-		my $mon = $time_parts[1];
-		my $day = $time_parts[2];
-		my $hour = $time_parts[3] || 0;
-		my $min = $time_parts[4] || 0;
-		my $sec = $time_parts[5] || 0;
-		my $timezone = $time_parts[6] || undef;
-		
-		# month is zero base indexed
-		if( $mon )
-		{
-			--$mon;
-		}
-		
-		if( $timezone =~ m/^(?:[-+]00:00)|(?:[Zz])$/ )
-		{
-			$ret_time = timegm($sec,$min,$hour,$day,$mon,$year);
-		}
-		else
-		{
-			$ret_time = timelocal($sec,$min,$hour,$day,$mon,$year);
-		}
-	}
-	else
-	{
-		if( $DEBUG > 0 )
-		{
-			warn( "Unknown date format passed to sub $sub_name. Unable to convert time to a unix epoch time\n" );
-		}
-	}
-	
-	return( $ret_time );
-}
-
-sub usage
-{
-	my $sub_name = 'usage';
-	
-	my $usage_text = copyright();
-	$usage_text .= q~
-
-Options passed to the program on the command line 
-Command line reference
-  --disable|--deactivate  List of bro rule ids seperated by spaces to disable
-                          This is mutually exclusive to --enable
-  --enable|--activate     List of bro rule ids seperated by spaces to enable
-                          This is mutually exclusive to --disable
-  --edit|-e               List of bro rule ids to edit. An external editor
-                          will be opened and any changes made by the user will
-                          be intergrated in.
-  --add|-a                Add a new rule.  One rule at a time may be added.
-                          Arguments to follow are the sig id and the file
-                          in which to write the new sig.  If no file argument
-                          is given then the first signature file in $BROSITE
-                          will be used. (example --add test-sig myrules.sig)
-  --rulefile              Restrict edits to only the one filename given.
-  --ruledir               Restrict searches and edits to just one directory.
-  --addpath               Directories to look in for bro rule files. This is
-                          in addition to those already in $BROPATH
-  --broconfig|-b          Alternate location containing Bro configuration data
-  --editor                Location of prefered text editor
-                          (default $EDITOR or vi)
-  --temp                  Alternate directory in which to write temp files
-                          (default $TEMP or $TMP or /tmp)
-  --usage|--help|-h       Summary of command line options
-  --debug|-d              Specify the debug level from 0 to 5. (default: 1)
-  --version               Output the version number to STDOUT
-  --copyright             Output the copyright info to STDOUT
-  
-~;
-	
-	return( $usage_text );
-}
-
-sub version
-{
-	my $sub_name = 'version';
-	
-	return( $VERSION );
-}
-
-sub copyright
-{
-	my $sub_name = 'copyright';
-	
-	my $copyright =
-qq~edit-brorule.pl
-version $VERSION, Copyright (C) 2004 Lawrence Berkeley National Labs, NERSC
-Written by Roger Winslow~;
-	
-	return( $copyright );
-}
diff --git a/scripts/perl/script/site-report.pl b/scripts/perl/script/site-report.pl
deleted file mode 100755
index 3cafad9ec6..0000000000
--- a/scripts/perl/script/site-report.pl
+++ /dev/null
@@ -1,1367 +0,0 @@
-#!/usr/bin/perl
-
-# look for our modules first
-use lib '/usr/local/bro/perl/lib/perl5/site_perl';
-
-# This is all stuff that needs to be set before compile time of other Bro modules
-# because the other modules depend of Bro::Config to be configures properly
-# given that the config file could be something different than the default.
-BEGIN
-{
-	require 5.006_001;
-	use vars qw( $VERSION
-				$DEBUG
-				$DEFAULT_CONFIG
-				$RFC3339_REGEX
-				$TEMP_DIR_NAME
-				$DEFAULT_BRO_CONFIG_FILE
-				$BRO_CONFIG_FILE );
-	
-	use Getopt::Long;
-	Getopt::Long::Configure ( 'bundling', 'no_getopt_compat', 'pass_through', 'no_ignore_case' );
-	use Bro::Config qw( $BRO_CONFIG );
-	
-	
-	$DEFAULT_BRO_CONFIG_FILE = '/usr/local/bro/etc/bro.cfg';
-	$BRO_CONFIG_FILE = getbroconfigfile() || $DEFAULT_BRO_CONFIG_FILE;
-	Bro::Config::Configure( File => $BRO_CONFIG_FILE );
-	
-	sub getbroconfigfile
-	{
-		my $sub_name = 'getbroconfigfile';
-		
-		my %cmd_line_cfg;
-		
-		GetOptions( \%cmd_line_cfg,
-				'broconfig|b=s' );
-		
-		return( $cmd_line_cfg{broconfig} );
-	}
-}
-
-
-use strict;
-use Time::Local;
-use Socket;
-			
-# $Id: site-report.pl 5222 2008-01-09 20:05:27Z vern $
-$VERSION = 1.06;
-$TEMP_DIR_NAME = '.reports.tmp';
-
-# A config file MUST exist in order to continue
-if( $BRO_CONFIG->{BROHOME} )
-{
-	$DEFAULT_CONFIG = $BRO_CONFIG;
-}
-else
-{
-	print usage(), "\n";
-	exit( 1 );
-}
-
-$DEFAULT_CONFIG->{'broconfig'} = $BRO_CONFIG_FILE;
-$DEFAULT_CONFIG->{'report-range'} = 24;
-$DEFAULT_CONFIG->{'report-start'} = 'yesterday';
-$DEFAULT_CONFIG->{'max-hosts'} = 4000;
-$DEFAULT_CONFIG->{'max-alarms'} = 300;
-$DEFAULT_CONFIG->{'history-dir'} = $DEFAULT_CONFIG->{'BRO_HISTORY_DIR'};
-$DEFAULT_CONFIG->{'report'} = $DEFAULT_CONFIG->{'BRO_REPORT_DIR'} . "/" . $DEFAULT_CONFIG->{'BRO_SITE_NAME'} . '.' . time() . ".$$.rpt";
-$DEFAULT_CONFIG->{'temp'} = $DEFAULT_CONFIG->{'BROLOGS'};
-$DEFAULT_CONFIG->{'summary_only'} = 1;
-$DEFAULT_CONFIG->{'debug'} = 1;
-
-
-$RFC3339_REGEX = qr/^([[:digit:]]{4})			# year
-					-([[:digit:]]{2})		# month
-					-([[:digit:]]{2})		# day
-					(?:[Tt ]				# begin time section
-					([[:digit:]]{2})		# hour
-					(?::([[:digit:]]{2})	# minute
-					(?::([[:digit:]]{2}(\.[[:digit:]]{1,2})?)|)|)	# second
-					)?					# end time section
-					([Zz]|([-+][[:digit:]]{2}:[[:digit:]]{2}))?	# timezone offset
-					$/xo;
-
-# sig handlers
-$SIG{INT} = sub
-{
-	warn ("$0: caught INT signal.  Cleaning up...\n" );
-	end_program();
-	warn( "Done!\n" );
-};
-
-$SIG{TERM} = sub
-{
-	warn ("$0: caught TERM signal.  Cleaning up...\n" );
-	end_program();
-	warn( "Done!\n" );
-};
-
-$SIG{HUP} = 'IGNORE';
-
-# hash ref that will contain all config data
-my $config = {};
-
-main();
-
-sub main
-{
-	my $sub_name = 'main';
-	
-	$config = getconfig();
-	
-	# Must set/get the Bro config before loading some of these modules in the event that
-	# a different bro.cfg file is specified.
-	use Bro::Log;
-	use Bro::Log::Conn;
-	use Bro::Report qw( date_ymd time_hms );
-	use Bro::Report::Conn;
-	use Bro::Report::Alarm;
-	use Bro::Log::Alarm;
-	
-	# Check if BRO_SITE_NAME has a value otherwise set a default
-	if( length( $config->{BRO_SITE_NAME} ) < 1 )
-	{
-		$config->{BRO_SITE_NAME} = '_unknown_';
-	}
-
-	my @alarm_ordered_list;
-	my @notice_ordered_list;
-	my @conn_ordered_list;
-
-	my $actual_stats;
-	my $reported_stats;
-
-	# Set the temp file directory
-	$Bro::Report::TEMP_DIR = $config->{'temp'};
-
-	# Get the list of alarm reports the user wants run.  Need to write this part
-	my $alarm_report_input_funcs;
-	my %alarm_report_output_funcs;
-	$alarm_report_input_funcs = 'sub { my $alarm_struc = $_[0] || return( undef );'."\n";
-	foreach my $report_name( Bro::Report::Alarm::availablereports() )
-	{
-		$alarm_report_output_funcs{$report_name} = Bro::Report::Alarm::reportoutputfunc( $report_name );
-		if( my $input_func = Bro::Report::Alarm::reportinputfunc( $report_name ) )
-		{
-			$alarm_report_input_funcs .= $input_func . '( $alarm_struc );' . "\n";
-		}
-	}
-	$alarm_report_input_funcs .= 'undef( $alarm_struc );' . "\n";
-	$alarm_report_input_funcs .= '};'."\n";
-	$alarm_report_input_funcs = eval $alarm_report_input_funcs;
-
-	# Get the list of conn reports the user wants run.  Need to write this part
-	my $conn_report_input_funcs;
-	my %conn_report_output_funcs;
-	$conn_report_input_funcs = 'sub { my $conn_struc = $_[0] || return( undef );'."\n";
-	foreach my $report_name( Bro::Report::Conn::availablereports() )
-	{
-		$conn_report_output_funcs{$report_name} = Bro::Report::Conn::reportoutputfunc( $report_name );
-		if( my $input_func = Bro::Report::Conn::reportinputfunc( $report_name ) )
-		{
-			$conn_report_input_funcs .= $input_func . '( $conn_struc );' . "\n";
-		}
-	}
-	$conn_report_input_funcs .= 'undef( $conn_struc );' . "\n";
-	$conn_report_input_funcs .= '};';
-	$conn_report_input_funcs = eval $conn_report_input_funcs;
-
-	# get a list of alarm files which contain data between the report start 
-	# and end times
-	# Sort ascending
-	{
-		if( $DEBUG > 2 )
-		{
-			warn( "Starting search for alarm files\n" );
-		}
-
-		my @file_list;
-		foreach my $fn( Bro::Log::loglist( 'alarm' ) )
-		{
-			my( $start, $end ) = Bro::Log::Alarm::timerange( $fn );
-			push( @file_list, [ $fn, $start, $end ] );
-
-			if( $DEBUG > 3 )
-			{
-				print "Filename: $fn, Start: $start, End: $end\n";
-			}
-		}
-
-		@alarm_ordered_list = filesinrange( \@file_list, 
-									$config->{'report-start'},
-									$config->{'report-end'} );
-		if( $DEBUG > 2 )
-		{
-			warn( "List of alarm files which are within the time range -> " .
-				join( ', ', @alarm_ordered_list ) . "\n" );
-		}
-
-		if( $DEBUG > 2 )
-		{
-			warn( "Finished search for alarm files\n" );
-		}
-	}
-
-	# get a list of notice files which contain data between the report start 
-	# and end times
-	# Sort ascending
-	{
-		if( $DEBUG > 2 )
-		{
-			warn( "Starting search for notice files\n" );
-		}
-
-		my @file_list;
-		foreach my $fn( Bro::Log::loglist( 'notice' ) )
-		{
-			my( $start, $end ) = Bro::Log::Alarm::timerange( $fn );
-			push( @file_list, [ $fn, $start, $end ] );
-
-			if( $DEBUG > 3 )
-			{
-				print "Filename: $fn, Start: $start, End: $end\n";
-			}
-		}
-
-		@notice_ordered_list = filesinrange( \@file_list, 
-									$config->{'report-start'},
-									$config->{'report-end'} );
-		if( $DEBUG > 2 )
-		{
-			warn( "List of notice files which are within the time range -> " .
-				join( ', ', @notice_ordered_list ) . "\n" );
-		}
-
-		if( $DEBUG > 2 )
-		{
-			warn( "Finished search for notice files\n" );
-		}
-	}
-	
-	# get a list of conn files which contain data between the report start 
-	# and end times
-	# Sort ascending
-	{
-		if( $DEBUG > 2 )
-		{
-			warn( "Starting search for conn files\n" );
-		}
-
-		my @file_list;
-		foreach my $fn( Bro::Log::loglist( 'conn' ) )
-		{
-			my( $start, $end ) = Bro::Log::Conn::timerange( $fn );
-
-			if( defined( $start ) and defined( $end ) )
-			{
-				push( @file_list, [ $fn, $start, $end ] );
-			}
-
-			if( $DEBUG > 3 )
-			{
-				print "Filename: $fn, Start: $start, End: $end\n";
-			}
-		}
-
-
-		@conn_ordered_list = filesinrange( \@file_list, 
-									$config->{'report-start'},
-									$config->{'report-end'} );
-
-		if( $DEBUG > 2 )
-		{
-			warn( "List of connection files which are within the time range -> " .
-				join( ', ', @conn_ordered_list ) . "\n" );
-		}
-
-		if( scalar( @conn_ordered_list ) < 1 )
-		{
-			warn( "No connection data found for the time period specified.\n" );
-			warn( "Unable to create a report.\n" );
-			exit ( 1 );
-		}
-
-		if( $DEBUG > 2 )
-		{
-			warn( "Finshed search for conn files\n" );
-		}
-	}
-
-	my %interesting_addresses;
-	if( @alarm_ordered_list )
-	{
-		if( $DEBUG > 2 )
-		{
-			warn( "Starting processing of alarm files\n" );
-		}
-
-		my $time_out_of_bounds = 0;
-		my $last_timestamp = $config->{'report-start'};
-		foreach my $al_fn( @alarm_ordered_list )
-		{
-			if( open( INFILE, $al_fn ) )
-			{			
-				while( defined( my $ln = <INFILE> ) )
-				{
-					my $alarm_struc = Bro::Log::Alarm::new( $ln );
-					if( ! $alarm_struc )
-					{
-						next;
-					}
-
-					my $timestamp = Bro::Log::Alarm::timestamp( $alarm_struc );
-
-					# Make sure that the file is at least up to the point of the
-					# report-start time
-					if( $timestamp < $config->{'report-start'} )
-					{
-						next;
-					}
-
-					if( $timestamp >= $last_timestamp and
-						$timestamp <= $config->{'report-end'} )
-					{
-						$time_out_of_bounds = 0;
-
-						&$alarm_report_input_funcs( $alarm_struc );
-
-						if( my $src_ip = Bro::Log::Alarm::source_addr( $alarm_struc ) )
-						{
-							if( Bro::Report::Alarm::reportableoffense( $alarm_struc ) )
-							{
-								$interesting_addresses{$src_ip} = 1;
-								if( $DEBUG > 3 )
-								{
-									my $offense = Bro::Log::Alarm::notice_type( $alarm_struc );
-									warn( "Adding $src_ip to interesting list for $offense.\n" );
-								}
-							}
-						}
-						
-						if( $time_out_of_bounds > 0 )
-						{
-							--$time_out_of_bounds;
-						}
-					}
-					else
-					{
-						if( $time_out_of_bounds > 500 )
-						{
-							# Looks like we have reached a point beyond the
-							# report-end time.
-							if( $DEBUG > 3 )
-							{
-								warn( "Read over 500 lines which are beyond the end time of " .
-									$config->{'report-end'} . ". Last read timestamp was $timestamp\n" );
-							}
-							last;
-						}
-						++$time_out_of_bounds;
-						next;
-					}
-					$last_timestamp = $timestamp;
-				}
-			}
-			else
-			{
-
-			}
-			close( INFILE );
-		}
-
-		if( $DEBUG > 2 )
-		{
-			warn( "Finished processing alarm files\n" );
-		}
-	}
-
-	foreach my $conn_file( @conn_ordered_list )
-	{
-		my $found_start = 0;
-		my $found_end = 0;
-
-		if( $DEBUG > 2 )
-		{
-			warn( "Starting processing of conn file $conn_file\n" );
-		}
-
-		# Create and open a temp file for incident conn data to be written to
-		Bro::Report::Alarm::tempincidentfile();
-
-		if( open( INFILE, $conn_file ) )
-		{
-			my $conn_struc;
-			my $timestamp;
-			my $duration;
-
-			# This first loop is for checking if the beginning of the file has been
-			# found.  Once found it will run the next loop.  Should save some time.
-			while( ! $found_start and defined( my $line = <INFILE> ) )
-			{
-				my $within_range = 0;
-				$conn_struc = Bro::Log::Conn::new( \$line ) or next;
-				$timestamp = Bro::Log::Conn::timestamp( $conn_struc ) or next;
-				$duration = Bro::Log::Conn::duration( $conn_struc );
-
-				if( ( $timestamp >= $config->{'report-start'} or
-					$timestamp + $duration >= $config->{'report-start'} ) and
-					$timestamp <= $config->{'report-end'} )
-				{
-					$within_range = 1;
-				}
-
-				if( $within_range )
-				{
-					&$conn_report_input_funcs( $conn_struc );
-
-					my $src_ip = Bro::Log::Conn::source_ip( $conn_struc );
-					if( $interesting_addresses{$src_ip} )
-					{
-						Bro::Report::Alarm::addconndata( $conn_struc, \$line );
-					}
-					else
-					{
-						my $dest_ip = Bro::Log::Conn::destination_ip( $conn_struc );
-						if( $interesting_addresses{$dest_ip} )
-						{
-							Bro::Report::Alarm::addconndata( $conn_struc, \$line );
-						}
-					}
-
-					# Check to see if this is the logical place for connection data
-					# within the time frame to begin.  Even though the start time
-					# may not be greater than the start, anything from this point
-					# forward will have be an active connection during the time range
-					# given.
-					if( $duration >= 0 and $duration < .01 )
-					{
-						$found_start = 1;
-						last;
-					}
-				}
-			}
-
-			while( defined( my $line = <INFILE> ) )
-			{
-				$conn_struc = Bro::Log::Conn::new( \$line ) or next;
-				$timestamp = Bro::Log::Conn::timestamp( $conn_struc ) or next;
-				if( $timestamp <= $config->{'report-end'} )
-				{
-					&$conn_report_input_funcs( $conn_struc );
-
-					my $src_ip = Bro::Log::Conn::source_ip( $conn_struc );
-					if( $interesting_addresses{$src_ip} )
-					{
-						Bro::Report::Alarm::addconndata( $conn_struc, \$line );
-					}
-					else
-					{
-						my $dest_ip = Bro::Log::Conn::destination_ip( $conn_struc );
-						if( $interesting_addresses{$dest_ip} )
-						{
-							Bro::Report::Alarm::addconndata( $conn_struc, \$line );
-						}
-					}
-				}
-			}
-		}
-		else
-		{
-			warn( "Failed to open conn file $conn_file for reading.\n" );
-		}
-
-		Bro::Report::Alarm::tempincidentfile( 'close' );
-		close( INFILE );
-
-		if( $DEBUG > 2 )
-		{
-			warn( "Finished processing conn file\n" );
-		}
-	}
-
-	# Get the data now so the memory is released.
-	my $conn_summ = output_connsummary();
-    my $header;
-    my $incident_summ;
-    my $incident_details;
-    my $system_summ;
-    my $scan_summ;
-    my $signature_distribution;
-
-    if ($DEFAULT_CONFIG->{'summary_only'} == 0)
-    {
-	    # Gather up the different report pieces
-	    $header = output_header();
-	    $incident_summ = output_incidentsummary();
-	    $incident_details = output_incidentdetails();
-	    $system_summ = output_system_summary();
-	    $scan_summ = output_scans();
-	    $signature_distribution = output_signaturedistribution();
-    }
-	my $byte_transfer_pairs = output_bytetransferpairs();
-
-	my $filename = $config->{'report'};
-	print "Generating report file: " . $filename . "\n";
-	if( open( OUTFILE, ">$filename" ) )
-	{
-        if ($DEFAULT_CONFIG->{'summary_only'} == 0)
-        {
-		    writereport( \*OUTFILE, $header, $conn_summ, $byte_transfer_pairs, );
-        } else
-        {
-		    writereport( \*OUTFILE, $header, $incident_summ, 
-					$incident_details, $signature_distribution, 
-					$scan_summ, $conn_summ, $byte_transfer_pairs, );
-        }
-	}
-	else
-	{
-		warn( "Failed to create report file at $filename\n" );
-	}
-	
-	close( OUTFILE );
-
-	end_program();
-
-} # end main
-
-#################################################
-###                                           ###
-###                 Begin Subs                ###
-###                                           ###
-#################################################
-
-
-sub getconfig
-{
-	my $sub_name = 'getconfig';
-	
-	my $arg1 = shift || $DEFAULT_CONFIG;
-	my %default_config;
-	my %cmd_line_cfg;
-	my %config;
-	
-	if( ref( $arg1 ) eq 'HASH' )
-	{
-		%default_config = %{$arg1};
-	}
-	else
-	{
-		return( undef );
-	}
-	
-	GetOptions( \%cmd_line_cfg,
-			'broconfig|b=s',
-			'report-range|r=s',
-			'report-start|s=s',
-			'report-end|e=s',
-			'max-hosts|i=s',
-			'max-alarms|m=s',
-			'history-dir=s',
-			'temp|t=s',
-			'usage|help|h',
-			'debug|verbose|d|v:i',
-			'summary_only|S',
-			'version|V',
-			'copyright', );
-	
-	# Check for options which will prevent the program from running
-	# any further
-	if( $cmd_line_cfg{usage} )
-	{
-		print usage();
-		exit( 0 );
-	}
-	elsif( $cmd_line_cfg{version} )
-	{
-		print version();
-		exit( 0 );
-	}
-	elsif( $cmd_line_cfg{copyright} )
-	{
-		print copyright();
-		exit( 0 );
-	}
-	else
-	{
-		# just continue on
-	}
-	
-	if( ! $cmd_line_cfg{brologs} )
-	{
-		$cmd_line_cfg{broconfig} = $default_config{broconfig};
-	}
-	
-	# Any args passed through the command line will override file options
-	while( my( $key, $value ) = each( %cmd_line_cfg ) )
-	{
-		$config{$key} = $value;
-	}
-	
-	# Set default values for options that have not already been configured
-	while( my( $key, $value ) = each( %{$arg1} ) )
-	{
-		if( ! exists( $config{$key} ) )
-		{
-			$config{$key} = $value;
-		}
-	}
-	
-	# Set Debug level
-	$DEBUG = $config{debug} if exists( $config{debug} );
-		
-	if( checkconfig( \%config ) )
-	{
-		if( $DEBUG > 4 )
-		{
-			warn( "Configuration memory dump:\n" );
-			warn( "\n" );
-		}
-		return( \%config );
-	}
-	else
-	{
-		warn( "exiting program\n" );
-		exit( 1 );
-	}
-	
-}
-
-sub checkconfig
-{
-	my $sub_name = 'checkconfig';
-	
-	my $cfg_hash = shift || return undef;
-	
-	# Check to make sure that broconfig is defined.
-	if( defined( $cfg_hash->{'broconfig'} ) )
-	{
-		# Check to make sure that the config filename has a sane value.
-		if( $cfg_hash->{'broconfig'} !~ m/[*;`{}%]+/ and
-				$cfg_hash->{'broconfig'} =~ m~^([[:print:]]{1,1024}?)/*$~ )
-		{
-			$cfg_hash->{'broconfig'} = $1;
-			if( !( -f $cfg_hash->{'broconfig'} and -r $cfg_hash->{'broconfig'} ) )
-			{
-				warn( "broconfig file '" .$cfg_hash->{'broconfig'} . "' is not a file or can not be opened\n" );
-				return( 0 );
-			}
-		}
-		else
-		{
-			warn( "broconfig filename contains invalid characters or is longer than 1024 bytes\n" );
-			return( 0 );
-		}
-	}
-	else
-	{
-		warn( "No config file specified\n" );
-		return( 0 );
-	}
-	
-	# Check to make sure that start-time is at least one hour less than the current time
-	if( defined( $cfg_hash->{'report-start'} ) )
-	{
-		# time() returns the gm time in epoch.  Add the timezone offset for calculation
-		# purposes only.  The offset will later be subtracted before being set.
-		my $_cur_time = time() + timezoneoffset();
-		my $one_day = 24 * 60 * 60;
-		
-		if( $cfg_hash->{'report-start'} =~ m/yesterday/i )
-		{
-			my $_start_time = int( ( $_cur_time - $one_day ) / $one_day ) * $one_day;
-			
-			# Add some time to the start time.  This helps avoid the small overlap
-			# encountered from a checkpoint and therefore less data to munge over.
-			$_start_time = $_start_time + 30;
-			$cfg_hash->{'report-start'} = $_start_time - timezoneoffset();
-		}
-		elsif( $cfg_hash->{'report-start'} =~ m/today/i )
-		{
-			my $_start_time = int( $_cur_time / $one_day ) * $one_day;
-			$cfg_hash->{'report-start'} = $_start_time - timezoneoffset();
-		}
-		elsif( my $new_time = normalize_time( $cfg_hash->{'report-start'} ) )
-		{
-			$cfg_hash->{'report-start'} = $new_time;
-		}
-		else
-		{
-			warn( "report-start time '" . $cfg_hash->{'report-start'} . "' format is unknown.\n" );
-			return( 0 );
-		}
-		
-		if( $cfg_hash->{'report-start'} < ( time() - 3600 + 1 ) )
-		{
-			# ok
-		}
-		else
-		{
-			warn( "report-start must be at least one hour less than the current time.\n" );
-			return( 0 );
-		}
-		
-		if( $DEBUG > 2 )
-		{
-			warn( "report-start time: " . localtime($cfg_hash->{'report-start'}) .
-				' (' . $cfg_hash->{'report-start'} . ')' . "\n" );
-		}
-	}
-	else
-	{
-		warn( "report-start has not been defined\n" );
-		return( 0 );
-	}
-	
-	# Check to see if report-range was specified and report-end has not value
-	if( defined( $cfg_hash->{'report-range'} ) and ! defined( $cfg_hash->{'report-end'} ) )
-	{
-		if( $cfg_hash->{'report-range'} =~ m/^[[:space:]]*((?:\+\-)?[[:digit:]]+)[[:space:]]*$/ )
-		{
-			$cfg_hash->{'report-range'} = $1;
-			
-			# report-range is given in hours, change to seconds
-			my $_range = $cfg_hash->{'report-range'} * 60 * 60;
-			$cfg_hash->{'report-end'} = $cfg_hash->{'report-start'} + $_range;
-		}
-		else
-		{
-			warn( "report-range argument '" . $cfg_hash->{'report-range'} . "' is unknown.\n" );
-			return( 0 );
-		}
-		
-		if( $cfg_hash->{'report-end'} < ( time() + 1 ) )
-		{
-			# ok
-		}
-		else
-		{
-			warn( "report-range + report-start exceeds the current time\n" );
-			return( 0 );
-		}
-	}
-	
-	# Check to make sure that report-end is no greater than the current time
-	if( defined( $cfg_hash->{'report-end'} ) )
-	{
-		if( ! ( $cfg_hash->{'report-end'} = int( normalize_time( $cfg_hash->{'report-end'} ) ) ) )
-		{
-			warn( "report-end time '" . $cfg_hash->{'report-end'} . "' format is unknown.\n" );
-			return( 0 );
-		}
-		
-		if( $cfg_hash->{'report-end'} < ( time() + 1 ) )
-		{
-			# ok
-		}
-		else
-		{
-			warn( "report-end must be equal to or less than the current time\n" );
-			return( 0 );
-		}
-		
-		if( $DEBUG > 2 )
-		{
-			warn( "report-end time: " . localtime($cfg_hash->{'report-end'}) .
-				' (' . $cfg_hash->{'report-end'} . ')' . "\n" );
-		}
-	}
-	else
-	{
-		warn( "report-end has not been defined\n" );
-		return( 0 );
-	}
-	
-	# Make sure that the report-end is at least one hour more than report-start
-	if( ! ( ( $cfg_hash->{'report-end'} - 3600 ) >= $cfg_hash->{'report-start'} ) )
-	{
-		warn( "There must be at least one hour between the report-start and report-end times.\n" );
-		return( 0 );
-	}
-	
-	# Make sure that max-alarms is a number and greater than 0
-	if( defined( $cfg_hash->{'max-alarms'} ) and 
-		$cfg_hash->{'max-alarms'} =~ m/^[[:digit:]]+$/
-		and $cfg_hash->{'max-alarms'} > 0 )
-	{
-		# ok
-	}
-	else
-	{
-		warn( "Invlaid value given for max-alarms.  Must be an number greater than 0\n" );
-		return( 0 );
-	}
-	
-	# Make sure that max-hosts is a number greater than 0
-	if( defined( $cfg_hash->{'max-hosts'} ) and 
-		$cfg_hash->{'max-hosts'} =~ m/^[[:digit:]]+$/
-		and $cfg_hash->{'max-hosts'} > 0 )
-	{
-		# ok
-	}
-	else
-	{
-		warn( "Invalid value given for max-hosts.  Must be an number greater than 0\n" );
-		return( 0 );
-	}
-	
-	# Make sure the report file can be written to
-	if( exists( $cfg_hash->{BRO_REPORT_DIR} ) )
-	{
-		if( ! -d $cfg_hash->{BRO_REPORT_DIR} )
-		{
-			if( $DEBUG > 0 )
-			{
-				warn( "\$BRO_REPORT_DIR " . $cfg_hash->{BRO_REPORT_DIR} . " is not a directory.\n" );
-			}
-		}
-		elsif( ! -w $cfg_hash->{BRO_REPORT_DIR} )
-		{
-			warn( "\$BRO_REPORT_DIR " . $cfg_hash->{BRO_REPORT_DIR} . " is not writtable.\n" );
-		}
-	}
-	else
-	{
-		if( $DEBUG > 0 )
-		{
-			warn( "\$BRO_REPORT_DIR environment variable has not been set.\n" );
-		}
-	}
-	
-	# Make sure that the temp directory is defined and writtable
-	if( defined( $cfg_hash->{'temp'} ) )
-	{
-		my $full_path = $cfg_hash->{'temp'} . "/$TEMP_DIR_NAME";
-		if( ! -d $cfg_hash->{'temp'} )
-		{
-			warn( "The temp directory at '" . $cfg_hash->{'temp'} . "' either does not exist or is not a directory.\n" );
-			return( 0 );
-		}
-		
-		if( ! -w $cfg_hash->{'temp'} )
-		{
-			warn( "The temp directory at '" . $cfg_hash->{'temp'} . "' is not writtable.\n" );
-			return( 0 );
-		}
-		
-		if( ! -d $full_path )
-		{
-			if( ! mkdir $full_path )
-			{
-				warn( "Unable to create the temp directory '$full_path' inside of '" . $cfg_hash->{'temp'} . "'.\n" );
-				return( 0 );
-			}
-		}
-		
-		if( -w $full_path )
-		{
-			$cfg_hash->{'temp'} = $full_path;
-		}
-		else
-		{
-			warn( "Temp directory at '$full_path' is not writtable.\n" );
-			return( 0 );
-		}
-	}
-	else
-	{
-		warn( "No temp directory has been specified.\n" );
-		return( 0 );
-	}
-	
-	# Check for a history directory (not implemented yet)
-	if( exists( $cfg_hash->{'history-dir'} ) and length( $cfg_hash->{'history-dir'} ) > 0 )
-	{
-		if( -d $cfg_hash->{'history-dir'} )
-		{
-			if( -r $cfg_hash->{'history-dir'} )
-			{
-				$cfg_hash->{'history-dir'} =~ m/^[[:space:]]*(.+?)[[:space:]]*$/;
-				$cfg_hash->{'history-dir'} = $1;
-			}
-			else
-			{
-				if( $DEBUG > 0 )
-				{
-					warn( "Unable to read the history-dir at " . $cfg_hash->{'history-dir'} . "\n" );
-				}
-			}
-		}
-		else
-		{
-			if( $DEBUG > 1 )
-			{
-				warn( "The history directory at " . $cfg_hash->{'history-dir'} . " could not be found\n" );
-			}
-		}
-	}
-	
-	return( 1 );
-}
-
-sub normalize_time
-{
-	my $sub_name = 'normalize_time';
-	# change various time formats into a unix epoch time with 6 decimal places
-	
-	my $arg1 = $_[0];
-	my $ret_time;
-	
-	if( $arg1 =~ m/^([[:digit:]]{10}(?:\.[[:digit:]]{1,6})?)$/ )
-	{
-		# Already in the right format.
-		$ret_time = sprintf( "%.6f", $1 );
-	}
-	# ISO 8601 format -> 2004-08-06T19:59:39-0700
-	elsif( my @time_parts = ( $arg1 =~ $RFC3339_REGEX ) )
-	{
-		my $year = $time_parts[0];
-		my $mon = $time_parts[1];
-		my $day = $time_parts[2];
-		my $hour = $time_parts[3] || 0;
-		my $min = $time_parts[4] || 0;
-		my $sec = $time_parts[5] || 0;
-		my $timezone = $time_parts[6] || undef;
-		
-		# month is zero based indexed
-		if( $mon )
-		{
-			--$mon;
-		}
-		
-		$ret_time = timelocal($sec,$min,$hour,$day,$mon,$year);
-	}
-	else
-	{
-		if( $DEBUG > 0 )
-		{
-			warn( "Unknown date format passed to sub $sub_name. Unable to convert time to a unix epoch time\n" );
-		}
-	}
-	
-	return( $ret_time );
-}
-
-sub filesinrange
-{
-	my $sub_name = 'filesinrange';
-	
-	my $_file_list = $_[0] || return( undef );
-	my $_start = $_[1] || return( undef );
-	my $_end = $_[2] || return( undef );
-	my @ordered_list;
-	my $found_start = 0;
-	my $duration = $_end - $_start;
-	my $found_file_count = 0;
-	my @ret_list;
-	
-	my %time_hash;
-	for( my $i = 0; $i < @{$_file_list}; ++$i )
-	{
-		$time_hash{$_file_list->[$i]->[1]} = $i;
-	}
-	
-	foreach my $ts( sort {$a <=> $b} keys( %time_hash ) )
-	{
-		push( @ordered_list, $time_hash{$ts} );
-	}
-	
-	my $file_count = scalar( @ordered_list );
-	foreach my $idx( @ordered_list )
-	{
-		my $file_name = $_file_list->[$idx]->[0];
-		my $file_start_time = $_file_list->[$idx]->[1];
-		my $file_end_time = $_file_list->[$idx]->[2];
-		
-		if( $found_start )
-		{
-			if( $file_start_time <= $_end )
-			{
-				push( @ret_list, $file_name );
-				++$found_file_count;
-				if( ( $file_end_time - $_start ) > $duration )
-				{
-					last;
-				}
-			}
-			else
-			{
-				last;
-			}
-		}
-		elsif( ( $file_start_time <= $_start and $file_end_time >= $_start )
-			or $file_start_time >= $_start )
-		{
-			$found_start = 1;
-			push( @ret_list, $file_name );
-			++$found_file_count;
-			if( $file_end_time > $_end )
-			{
-				last;
-			}
-		}
-	}
-		
-	if( wantarray )
-	{
-		return( @ret_list );
-	}
-	else
-	{
-		return( \@ret_list );
-	}
-}
-
-sub true
-{
-	my $sub_name = 'true';
-	
-	my $arg = $_[0] || return( 0 );
-	
-	if( $arg =~ m/^1|y(?:es)?|t(?:rue)?$/i )
-	{
-		return( 1 );
-	}
-	else
-	{
-		return( 0 );
-	}
-}
-
-sub false
-{
-	my $sub_name = 'false';
-	
-	my $arg = $_[0];
-	
-	if( $arg =~ m/^0|n(?:o)?|f(?:alse)?$/i )
-	{
-		return( 1 );
-	}
-	else
-	{
-		return( 0 );
-	}
-}
-
-sub output_header
-{
-	my $sub_name = 'output_header';
-	
-	my $ret_string;
-	my $cur_time = localtime();
-	my $start_time = date_ymd( $config->{'report-start'} ) . " " .
-		time_hms( $config->{'report-start'} );
-	my $end_time = date_ymd( $config->{'report-end'} ) . " " .
-		time_hms( $config->{'report-end'} );
-	my $brosite = $config->{BRO_SITE_NAME};
-	
-	$ret_string = <<"END";
-
-Site Report for $brosite, from $start_time to $end_time
-generated on $cur_time
-END
-	
-	return( \$ret_string );
-}
-
-sub output_system_summary
-{
-	my $sub_name = 'output_system_summary';
-	
-	my $ret_string;
-	
-	
-	# Header
-	$ret_string .= <<'END';
-========================================================================
-System Summary
-========================================================================
-END
-	
-	# Dropped packet summary
-	# NOTE: this routine no longer works becase these are now in the 
-	#	notice file, not the alarm file
-	my $dropped_packets = Bro::Report::Alarm::output_droppedpackets();
-$ret_string .= <<"END";
-
-$dropped_packets
-END
-		
-	return( \$ret_string );
-}
-
-sub output_connsummary
-{
-	my $sub_name = 'output_connsummary';
-	
-	my $ret_string = '';
-	
-	# Site success/fail connections
-	my $total_connects = Bro::Report::Conn::output_successfailcount(), "\n";
-	
-	# Top 20 source format
-	my $top_20_sources = Bro::Report::Conn::output_sourcecount( 20 );
-	
-	# Top 20 destination format
-	my $top_20_destinations = Bro::Report::Conn::output_destcount( 20 );
-	
-	# Top 20 service format
-	my $top_20_services = Bro::Report::Conn::output_servicecount( 20 );
-	
-	# Top 20 local email source format
-	my $top_20_local_email = Bro::Report::Conn::output_localserviceusers( 'smtp', 20 );
-	
-	# Header
-	$ret_string .= <<'END';
-========================================================================
-Connection Log Summary
-========================================================================
-END
-
-	# Content
-	$ret_string .= <<"END";
-Site-wide connection statistics
-
-$total_connects
-
-Top 20 Sources
-
-$top_20_sources
-
-Top 20 Destinations
-
-$top_20_destinations
-
-Top 20 Local Email Senders
-
-$top_20_local_email
-
-Top 20 Services
-
-$top_20_services
-END
-	
-	return( \$ret_string );
-
-}
-
-sub output_incidentsummary
-{
-	my $sub_name = 'output_incidentsummary';
-		
-	my $ret_string = '';
-	
-	# Incident Summary Header
-	$ret_string .= <<'END';
-========================================================================
-Summary
-========================================================================
-END
-	
-	if( my $data = Bro::Report::Alarm::output_incidentsummary() )
-	{
-		$ret_string .= $data . "\n";
-	}
-	
-	if( my $data = Bro::Report::Alarm::output_scansummary() )
-	{
-		$ret_string .= $data . "\n";
-	}
-	
-	if( my $data = Bro::Report::Alarm::output_signaturesummary() )
-	{
-		$ret_string .= $data . "\n";
-	}
-	
-	return( \$ret_string );
-}
-
-sub output_incidentdetails
-{
-	my $sub_name = 'output_incidentdetails';
-	
-	my $ret_string = '';
-	
-	# Incident Details Header
-	$ret_string .= <<'END';
-========================================================================
-Incident Details
-========================================================================
-END
-	
-	$ret_string .= Bro::Report::Alarm::output_incident();
-	
-	return( \$ret_string );    
-}
-
-sub output_scans
-{
-	my $sub_name = 'output_scans';
-	
-	my $ret_string;
-	
-	# Header
-	$ret_string .= <<'END';
-========================================================================
-Scans
-========================================================================
-END
-	
-	$ret_string .= Bro::Report::Alarm::output_scans();
-	$ret_string .= "\n";
-	
-	return( \$ret_string );
-}
-
-sub output_signaturedistribution
-{
-	my $sub_name = 'output_signaturedistribution';
-	
-	my $ret_string = '';
-	
-	# Header
-	$ret_string .= <<'END';
-========================================================================
-Signature Distributions
-========================================================================
-END
-
-	if( my $data = Bro::Report::Alarm::output_signaturedistribution( 20 ) )
-	{
-		$ret_string .= $data . "\n";
-	}
-	
-	return( \$ret_string );
-}
-
-sub output_bytetransferpairs
-{
-	my $sub_name = 'output_bytetransferpairs';
-	
-	my $ret_string = '';
-	
-	# Header
-	$ret_string .= <<'END';
-========================================================================
-Byte Transfer Pairs
-========================================================================
-END
-
-	if( my $data = Bro::Report::Conn::output_bytetransferpairs( 20 ) )
-	{
-		$ret_string .= $data . "\n";
-	}
-	
-	return( \$ret_string );
-}
-
-sub writereport
-{
-	my $sub_name = 'writereport';
-	
-	my $fh;
-	if( ref( $_[0] ) eq 'GLOB' or ref( $_[0] ) eq 'IO' )
-	{
-		$fh = shift;
-	}
-	else
-	{
-		$fh = \*STDOUT;
-	}
-	
-	my @args = @_;
-	
-	foreach my $part( @args )
-	{
-		if( !( print $fh $$part ) )
-		{
-			warn( "$sub_name, Unable to print to filehandle\n" );
-			return( undef );
-		}
-	}
-	
-	return( 1 );
-}
-
-
-sub timezoneoffset
-{
-	my $sub_name = 'timezone';
-	
-	my $offset  = sprintf "%.1f", ( timegm( localtime ) - time );
-	
-	return( $offset );
-}
-
-sub usage
-{
-	my $sub_name = 'usage';
-	
-	my $usage_text = copyright();
-	$usage_text = qq~$usage_text
-
-Options passed to the program on the command line 
-Command line reference
-  --broconfig|-b      Alternate location containing Bro configuration data
-  --report-range|-r   Length of time (in hours) from report-start to report
-                      on. This will be overridden by report-end if specified.
-                      (default: 24)
-  --report-start|-s   The start time of the data to report on. See date format
-                      below.  Values of yesterday and today are also
-                      understood and default to to a start time of 00:30 hours
-                      (default: yesterday)
-  --report-end|-e     The end time of the data to report on.  This will
-                      override report-range if specified.
-  --max-hosts|-i
-  --max-alarms|-m     The maximum number of alarms per host to include in a
-                      report (default: 100)
-  --temp              Alternate directory in which to write temp files
-                      (default \$BROHOME/logs)
-  --summary-only|-S   Output Connection Summaries only
-  --usage|--help|-h   Summary of command line options
-  --debug|-d          Specify the debug level from 0 to 5. (default: 1)
-  --version           Output the version number to STDOUT
-  --copyright         Output the copyright info to STDOUT
-  
-  Dates are specified as YEAR-MONTH-DAY"T"HOUR:MINUTE:SECOND
-  Any time period not specified is assumed to be 0
-  ( Examples: 2004-12-26T01:23:00, accurate to seconds field
-              2004-12-26, Is the same as 2004-12-26T00:00:00
-              2004-12-26T13, Is the same as 2004-12-26T13:00:00 )
-~;
-	
-	return( $usage_text );
-}
-
-sub version
-{
-	my $sub_name = 'version';
-	
-	return( $VERSION );
-}
-
-sub copyright
-{
-	my $sub_name = 'copyright';
-	
-	my $copyright =
-qq~s2b.pl
-version $VERSION, Copyright (C) 2004 Lawrence Berkeley National Labs, NERSC
-Written by Roger Winslow~;
-	
-	return( $copyright );
-}
-
-sub end_program
-{
-	my $sub_name = 'cleanup';
-	
-	my $exit_code = shift || 0;
-	
-	# Remove any temp files
-	Bro::Report::tempfile( 'remove all' );
-	
-	exit( $exit_code );
-}
diff --git a/scripts/process_bro_logs.py b/scripts/process_bro_logs.py
deleted file mode 100755
index ed540bf2b4..0000000000
--- a/scripts/process_bro_logs.py
+++ /dev/null
@@ -1,182 +0,0 @@
-#!/usr/bin/env python
-import re
-import os
-import sys
-import time
-import string
-import math
-import getopt
-
-rawlogs=None
-processedlogs=None
-
-# invoke a sed script to remove the last byte from the ips 
-def maskit(file):
-    cmd = "sed -f mask-addr.sed %s > %s.masked" % (file,file)
-    ret = os.system(cmd)
-    if ret != 0:
-        print "error with %s" % cmd
-    cmd = "rm %s" % file
-    ret = os.system(cmd)
-    if ret != 0:
-        print "error with %s" % cmd
-    cmd = "mv %s.masked %s" % (file, file)
-    ret = os.system(cmd)
-    if ret != 0:
-        print "error with %s" % cmd
-
-def get_files(dir, myfilter='.*\.example$', includezero = False):
-    """get all '*.example' files"""
-    SIZE = 6
-    flist=[]
-    files = os.listdir(dir)
-    test = re.compile(myfilter, re.IGNORECASE)
-    files = filter(test.search, files)
-    for f in files:
-        s = os.stat(dir + '/' + f)[SIZE]
-        if s > 0 or includezero:
-            flist.append(f)
-    return flist
-
-def sort_conn(f):
-    # move to new file
-    cmd = "mv %s %s.sortme" % (f,f)
-    ret = os.system(cmd)
-    if ret != 0:
-        print "error with %s" % cmd
-    # sort it
-    cmd = "sort %s.sortme > %s" % (f, f)
-    ret = os.system(cmd)
-    if ret != 0:
-        print "error with %s" % cmd
-    # we can allow a one byte difference (probably newline)
-    if math.fabs(os.stat(f)[6] - size) >= 2:
-        print "Error sizes don't match! %d != %d (%s)" % ( os.stat(f)[6], size, f)
-        sys.exit(1)
-    # remove old file (now called .sortme)
-    cmd = "rm %s" % (f + ".sortme")
-    ret = os.system(cmd)
-    if ret != 0:
-        print "error with %s" % cmd
-
-def move_it(f,fname):
-    # move it on over
-    cmd = "mv %s %s/%s" % ( f, processedlogs, fname )
-    ret = os.system(cmd)
-    if ret != 0:
-        print "error with %s" % cmd
-
-def usage(msg=None):
-    if msg != None:
-        print msg
-    print """process_bro_logs.py -h -l logsdir -r rawlogsdir"""
-    print """    -h             This help message"""
-    print """    -l logsdir     Directory where the logs should end up"""
-    print """    -r rawlogsdir  Directory where the raw logs reside"""
-    sys.exit(1)
-
-####################################################
-# This is the start of the script
-
-
-try:
-    options,prog_args = getopt.getopt(sys.argv[1:],'hl:r:')
-except getopt.GetoptError, E:
-   usage(E)
-
-for opt,val in options:
-  if opt == '-l':
-      processedlogs = val
-  elif opt == '-r':
-      rawlogs = val
-  else:
-      usage()
-
-
-if rawlogs == None or processedlogs == None:
-    usage()
-
-# get to the right place
-os.chdir(rawlogs)
-
-# look for logs that have been split
-fl1 = get_files(rawlogs, 
-    myfilter='^(\w+)\.\w+\.(\d{2})-(\d{2})-(\d{2})[-_](\d{2})[:.](\d{2})[:.](\d{2})\.[0-9]+\.[0-9]+\.[0-9]+$')
-
-for f in fl1:
-    print "Working on split file: ", f
-    # grab times before we mess with it
-    size,atime,mtime,ctime = os.stat(f)[6:10]
-    type,host = string.split(f,'.')[0:2]
-
-    broend = string.split(f, ".")[-2:-1][0]
-
-    # only sort conn files
-    if f[:4] == 'conn':
-        sort_conn(f)
-
-    cmd = 'sync'
-    ret = os.system(cmd)
-    #grab the 2nd timestamp
-    cmd = 'head -2 %s | tail -1' % f
-    if ret != 0:
-        print "error with %s" % cmd
-
-    fo=os.popen(cmd)
-    buf = fo.read()
-    fo.close()
-    brostart = buf.split('.')[:1]
-
-    # sanity check
-    if brostart[0] < 1090000000 or len(brostart[0]) != 10:
-        print "File error! Stopping"
-        sys.exit(1)
-
-    # construct new filenaem
-    fname = "%s.%s.%s-%s" % (type,host,brostart[0],broend)
-
-    # does a file with name already exist?
-    if os.access("%s/%s" % (processedlogs, fname), os.F_OK):
-        print "File %s already exists" % fname
-        print "Skipping %s" % fname
-        continue
-
-    move_it(f,fname)
-    os.utime("%s/%s" % (processedlogs,fname), (mtime,mtime))
-    print "Done with %s" % f
-    # lets not run too fast
-    time.sleep(3)
-    continue
-
-# look for files that haven't been split
-fl2 = get_files(rawlogs, 
-    myfilter='^(\w+)\.\w+\.(\d{2})-(\d{2})-(\d{2})[-_](\d{2})[:.](\d{2})[:.](\d{2})$')
-
-for f in fl2:
-    print "Working on file: ", f
-    # grab times before we mess with it
-    size,atime,mtime,ctime = os.stat(f)[6:10]
-    type,host = string.split(f,'.')[0:2]
-
-    brostart = string.join(string.split(f, ".", 2)[2:])
-    foo = list(time.strptime(brostart, '%Y-%m-%d_%H.%M.%S'))
-
-    # toggle guessing of daylight savings, grrrr
-    foo[-1] = -1
-    bs = time.mktime(foo)
-    fname = "%s.%s.%d-%s" % (type,host,bs,mtime)
-
-    if os.access("%s/%s" % (processedlogs,fname), os.F_OK):
-        print "File %s already exists, skipping" % fname
-        continue
-
-    # sort conn files
-    if f[:4] == 'conn':
-        sort_conn(f)
-
-    move_it(f, fname)
-    os.utime("%s/%s" % (processedlogs,fname), (mtime,mtime))
-    print "Done with %s (%s)" % (fname,f)
-    # lets not overrun things
-    time.sleep(3)
-    continue
diff --git a/scripts/push_logs.sh b/scripts/push_logs.sh
deleted file mode 100644
index f1cbd7dd0e..0000000000
--- a/scripts/push_logs.sh
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/bin/sh
-#
-# script to push logs from a bro host to a front end host, including a file "DoReports.HOST" telling
-# the report generation script that the new days logs are ready to process
-#
-# usage: push_logs.sh hostname:path
-#
-
-# where are we located
-base=`dirname $0`
-#set the environment
-. $base/../etc/bro.cfg
-
-nice -n 20 /usr/local/bin/rsync -avzt $BROHOME/logs/ $1
-
-# create and copy file to trigger report generation
-touch /tmp/DoReports.$BRO_HOSTNAME
-/usr/local/bin/rsync -avzt /tmp/DoReports.$BRO_HOSTNAME $1
-
-# and if you need to sort the logs for Brooery, add this:
-#ssh $1 "/usr/local/bro/scripts/log2gui.py -r /usr/local/bro/logs -l /usr/local/bro/sorted-logs"
-
diff --git a/scripts/s2b/Makefile.am b/scripts/s2b/Makefile.am
deleted file mode 100644
index 1853af02e1..0000000000
--- a/scripts/s2b/Makefile.am
+++ /dev/null
@@ -1,3 +0,0 @@
-## Process this file with automake to produce Makefile.in
-
-SUBDIRS = bro-include example_bro_files etc bin pm snort_rules2.2
diff --git a/scripts/s2b/README b/scripts/s2b/README
deleted file mode 100644
index a5a7ea2d6e..0000000000
--- a/scripts/s2b/README
+++ /dev/null
@@ -1,74 +0,0 @@
-# quick README
-
-For the purpose of this readme file it is assumed that Bro is already 
-installed and running and you are familiar with the general directory 
-structure.
-
-REQUIREMENTS:
-
-	PERL 5.6.1 or greater
-	Python
-
-
-Copy all of the files in the bro-include directory that end in .bro
-or .sig to your $BROHOME/policy directory.
-
-If you are running multiple versions of PERL or Python and the required 
-version is not running from the default place then you are going to need 
-to change the bang path (example: #!/usr/bin/perl) to whatever is appropriate.
-
-All files created by s2b.pl that are used in a running Bro instance will end 
-with either .bro or .sig.  The recommended place to put these file is under 
-the directory $BROHOME/policy/local as these files can change often and will 
-be tuned to a specific site or network traffic type.
-
-Here are example entries to be added to the Bro policy start script so that 
-the signature preqrequisites get loaded correctly.
-
-	@load software
-	@load signatures
-	@load snort
-	@load sig-functions.bro
-	@load sig-action.bro
-
-On the command line which starts the running Bro process include the 
-following.  It is assumed that the frequently updated signatures.sig and 
-sig-action.bro are put in the directories $BROHOME/site and 
-$BROHOME/policy respectively.  $BRO is the path to the bro binary in use.
-
-	$BRO -s $BROHOME/policy/sig-addendum.sig -s $BROHOME/site/signatures.sig <other command line stuff>
-
-
-# These are just some quick examples
-# Since most of the programs control resides in the --configdir these 
- # commands point to the relative config dir of 'etc/' which is included
- # in the tarball.
-# Change to bin/ and try the following commands
-
-# This PERL program requires PERL 5.6.1 minimum and module Config::General
- # which is included in directory pm/ or it can be downloaded from cpan.org
-
-# Create a new s2b-augment.cfg file
-
-./s2b.pl --mainconfig ../etc/s2b.cfg --configdir ../etc --snortrulesetdir ../snort_rules2.2 --updateaugment --augmentconfig ../etc/s2b-augment.cfg
-
-
-# Create Bro s2b.sig and s2b-siagaction.bro files a remain completely silent outputting no errors if encountered
-
-./s2b.pl --mainconfig ../etc/s2b.cfg --configdir ../etc --snortrulesetdir ../snort_rules2.2 --augmentconfig ../etc/s2b-augment.cfg --debug 0
-
-
-# Create Bro s2b.sig and s2b-sigaction.bro files and print any errors to STDERR.  (default debug level is 1)
-
-./s2b.pl --mainconfig ../etc/s2b.cfg --configdir ../etc --snortrulesetdir ../snort_rules2.2 --augmentconfig ../etc/s2b-augment.cfg --debug 1
-
-
-# Show some usage info
-
-./s2b.pl --help
-
-
-TODO:
-
-   Need to update this readme after the directory structure of Bro has been 
-   finalized.
diff --git a/scripts/s2b/bin/Makefile.am b/scripts/s2b/bin/Makefile.am
deleted file mode 100644
index 4b7604c44e..0000000000
--- a/scripts/s2b/bin/Makefile.am
+++ /dev/null
@@ -1,8 +0,0 @@
-## Process this file with automake to produce Makefile.in
-
-# include in the dist for now
-EXTRA_DIST = s2b.pl snort2bro
-
-# OR we can install them on a make install 
-#scriptsdir=$(prefix)/etc
-#dist_scripts_SCRIPTS = s2b.pl snort2bro
diff --git a/scripts/s2b/bin/s2b.pl b/scripts/s2b/bin/s2b.pl
deleted file mode 100755
index cb2be82511..0000000000
--- a/scripts/s2b/bin/s2b.pl
+++ /dev/null
@@ -1,2991 +0,0 @@
-#!/usr/bin/perl -Tw
-
-# s2b.pl
-
-# Read and parse a Bro signature from a string or array reference
-package Bro::Signature;
-{
-	use strict;
-	require 5.006_001;
-	require Exporter;
-	use vars qw( $VERSION
-				@ISA
-				@EXPORT_OK
-				$DEBUG );
-	
-	$VERSION = '1.10';
-	@EXPORT_OK = qw( findkeyblocks );
-	@ISA = qw( Exporter );
-	$DEBUG = 0;
-	
-	sub new
-	{
-		my $sub_name = 'new';
-		
-		my $self;
-		my $proto = shift;
-		my $class = ref( $proto ) || $proto;
-		my %args = @_;
-		my $sig_data = {};
-		
-		if( defined( $args{string} ) )
-		{
-			if( !( $sig_data = parsesig( $args{string} ) ) )
-			{
-				return( undef );
-			}
-		}
-		else
-		{
-			warn( "Signature must be passed in as a string for now.  Direct" .
-				" object creation is not supported yet\n" );
-			return( undef );
-		}
-		
-		$self = $sig_data;
-		bless( $self, $class );
-		return( $self );
-		
-	}
-	
-	sub parsesig
-	{
-		my $sub_name = 'parsesig';
-		
-		my $sig_block = shift || return( undef );
-		my $sig_data;
-		my $ret_data = {};
-		
-		# Check on the storage of the data
-		if( ref( $sig_block ) eq 'ARRAY' )
-		{
-			$sig_data = join( "\n", @{$sig_block} );
-		}
-		else
-		{
-			# Otherwise it gets treated as a string
-			$sig_data = $sig_block;
-		}
-		
-		my $parse_err = 0;
-		
-		if( $sig_data =~
-			m/^signature[[:space:]]+([[:alnum:]_-]{3,})[[:space:]]*\{[[:space:]]*?\n?	# signature declaration
-			(.+?)		# signature data
-			[[:space:]]*\}$/xs )	# end of block
-		{
-			my $sig_id = $1;
-			my $sig_options = $2;
-			
-			$ret_data->{sig_id} = $sig_id;
-			
-			my @raw_data;
-			my $i = 0;
-			
-			foreach my $line( split( /\n/, $sig_options ) )
-			{
-				# Each line of the signature is stored in an
-				 # array to maintain the order and any comments.
-				 # The actual data is stored in a hash.
-				 # Access of the data should be done through the methods
-				 # to output the whole signature along with comments.
-				
-				# remove any leading spaces
-				$line =~ s/^[[:space:]]*//;
-				
-				# Put the line into the raw_data array
-				$raw_data[$i] = $line;
-				
-				# Strip any comments from the line
-				$line =~ s/(?:[[:space:]]+|)#.+$//;
-				
-				my( $key, $value ) = split( /[[:space:]]+/, $line, 2 );
-				# if there is still data in the line then process
-				if( defined( $value ) )
-				{
-					# Remove any leading spaces
-					$value =~ s/^[[:space:]]*//;
-					# place a reference to the raw_data array for this attribute
-					# set the value for this attribute instance
-					push( @{$ret_data->{$key}}, { 
-							'__raw_data_pos__' => $i,
-							'__value__' => $value, },
-					);
-				}
-				
-				++$i;
-			}
-			
-			$ret_data->{'__raw_data__'} = \@raw_data;
-		}
-		else
-		{
-			if( $DEBUG > 0 )
-			{
-				warn( "Signature read error. Could not find a valid signature block\n" );
-			}
-			$parse_err = 1;
-		}
-		
-		if( $parse_err )
-		{
-			return( undef );
-		}
-		else
-		{
-			return( $ret_data );
-		}
-	}
-	
-	sub findkeyblocks
-	{
-		my $sub_name = 'findkeyblocks';
-		
-		my $string = shift;
-		my $keyword = 'signature';
-		my $key_len = length( $keyword );
-		my @ret_blocks;
-		my $block_idx = 0;			# Current idx of the keyword blocks that will be returned
-		my $open_brace_count = 0;	# Number of open braces encountered
-		my $close_brace_count = 0;	# number of close braces encountered
-		my $len = length( $string );	# length of string passed in
-		my $pos_idx = 0;			# current position of substring
-		my $st_blk_pos = 0;			# string position of a new block
-		my $ws = '';				# working string
-		my $found_key_start = 0;		# flag that a new keyword block has started
-		my $comment_line = 0;		# flag if comments are in effect
-		my $quoted;			# flag if quoting is active. contents are the quote character
-		
-		# make sure the string is of non-zero length.  Add one more so our
-		 # loop below works
-		if( $len > 0 )
-		{
-			++$len;
-		}
-		else
-		{
-			return( undef );
-		}
-		
-		# Push a space onto the front of the string.  This just helps in
-		 # starting the pattern matching.  It's easier than writting a
-		 # bunch more lines of code.
-		$string = "\n" . $string;
-		++$len;
-		
-		while( $pos_idx < $len )
-		{
-			# If the two numbers match then a complete block has been found.
-			if( $open_brace_count == $close_brace_count and
-				$open_brace_count > 0 )
-			{
-				$ret_blocks[$block_idx] = $ws;
-				++$block_idx;
-				$open_brace_count = 0;
-				$close_brace_count = 0;
-				$found_key_start = 0;
-				$st_blk_pos = $pos_idx;
-				$ws = '';
-			}
-			elsif( $close_brace_count > $open_brace_count )
-			{
-				# Looks like there was a syntax error perhaps the
-				 # file contains a keyword but no valid block
-				 # Reset the counters and backup to $st_blk_pos + 1
-				if( $DEBUG > 0 )
-				{
-					warn( "Error in parsing $keyword, found closed brace",
-						" for a block but no open brace at char position $pos_idx\n" );
-				}
-				$open_brace_count = 0;
-				$close_brace_count = 0;
-				$found_key_start = 0;
-				$pos_idx = $st_blk_pos + 1;
-				$st_blk_pos = '';
-				$ws = '';
-				next;
-			}
-			
-			# Make sure that substr returns a value
-			if( defined( my $wc = substr( $string, $pos_idx, 1 ) ) )
-			{
-				if( $quoted
-					and $found_key_start )
-				{
-					if( $wc eq $quoted
-						and substr( $string, $pos_idx - 1, 1 ) ne '\\' )
-					{
-						$quoted = undef;
-					}
-				}
-				# check for comment '#' character which is active until the 
-				 # start of a newline
-				elsif( ! $comment_line and 
-					$wc eq '#' and
-					substr( $string, $pos_idx - 1, 1 ) ne '\\' )
-				{
-					$comment_line = 1;
-				}
-				# Check if the comment flag is set
-				elsif( $comment_line )
-				{
-					# If the current character is a newline then reset the comment flag
-					if( $wc =~ m/\n/ )
-					{
-						$comment_line = 0;
-					}
-				}
-				# start this if not currently working in a block and not a comment
-				elsif( ! $found_key_start and ! $comment_line )
-				{
-					# check if the keyword is found 
-					if( $pos_idx + $key_len + 1 < $len
-					and substr( $string, $pos_idx, $key_len ) eq $keyword )
-					{
-						# check to make sure that the keyword is followed by a space
-						if( substr( $string, $pos_idx + $key_len, 1 ) =~
-							m/[[:space:]]/ )
-						{
-							$found_key_start = 1;
-							$st_blk_pos = $pos_idx;
-						}
-					}
-				}
-				elsif( $pos_idx + $key_len + 1 < $len
-					and $found_key_start
-					and substr( $string, $pos_idx, $key_len ) eq $keyword )
-				{
-					if( substr( $string, $pos_idx + $key_len, 1 ) =~
-							m/[[:space:]]/ )
-					{
-						if( $DEBUG > 0 )
-						{
-							warn( "New $keyword keyword found inside of another $keyword block",
-								" at char position $pos_idx\n" );
-							
-							#print "STRING => $string\n";
-						}
-						
-						# Reset the search params
-						$open_brace_count = 0;
-						$close_brace_count = 0;
-						$found_key_start = 0;
-						++$pos_idx;
-						$st_blk_pos = '';
-						$ws = '';
-						next;
-					}
-				}
-				elsif( $wc eq '{' and 
-					substr( $string, $pos_idx - 1, 1 ) ne '\\' )
-				{
-					++$open_brace_count;
-				}
-				elsif( $wc eq '}' and
-					substr( $string, $pos_idx - 1, 1 ) ne '\\' )
-				{
-					++$close_brace_count;
-				}
-				elsif( ! $quoted
-					and ! $comment_line
-					and $found_key_start )
-				{
-					if( $wc eq '"'
-						and substr( $string, $pos_idx - 1, 1 ) ne '\\' )
-					{
-						$quoted = $wc;
-					}
-				}
-				else
-				{
-					
-				}
-				
-				# Only append chars to the working string if in a $keyword block
-				if( $found_key_start )
-				{
-					$ws = $ws . $wc;
-				}
-				++$pos_idx;
-			}
-			else
-			{
-				print "Failed to pull data out using substr at position $pos_idx\n";
-				++$pos_idx;
-			}
-		}
-		
-		if( wantarray )
-		{
-			return( @ret_blocks );
-		}
-		else
-		{
-			return( \@ret_blocks );
-		}
-	}
-	
-	sub addcomment
-	{
-		my $sub_name = 'addcomment';
-		
-		my $self = shift || return( undef );
-		my $comment = shift || return( undef );
-		
-		# Make sure the comment starts with a '#'
-		if( $comment !~ m/^[[:space:]]*#/ )
-		{
-			$comment = '#' . $comment;
-		}
-		
-		if( $self->{'__raw_data__'} )
-		{
-			my $next_idx = $#{$self->{'__raw_data__'}} + 1;
-			$self->{'__raw_data__'}->[$next_idx] = $comment;
-		}
-		else
-		{
-			return( undef );
-		}
-		
-		return( 1 );
-	}
-	
-	sub addoption
-	{
-		my $sub_name = 'addoption';
-		
-		my $self = shift || return( undef );
-		my $option = shift || return( undef );
-		my $option_data = shift || return( undef );
-		
-		if( $self->{'__raw_data__'} )
-		{
-			my $next_idx = $#{$self->{'__raw_data__'}} + 1;
-			$self->{'__raw_data__'}->[$next_idx] = $option . ' ' . $option_data;
-			push( @{$self->{$option}}, 
-				{ '__raw_data_pos__' => $next_idx,
-				'__value__' => $option_data, } );
-		}
-		else
-		{
-			return( undef );
-		}
-		
-		return( 1 );
-	}
-	
-	sub deloption
-	{
-		my $sub_name = 'deloption';
-		# Accepts at a minimum the object and an option to remove
-		# For options that have multivalues the value can be passed in as 
-		 # option_data to remove only the one value from the object.
-		# If an option has multivalues and no option_data is given then all
-		 # options are removed.
-		
-		
-		my $self = shift || return( undef );
-		my $match_option = shift || return( undef );
-		my $match_data = shift;	#optional
-		my $success = 0;
-		my @raw_data_pos;
-				
-		if( defined( $match_data ) )
-		{
-			if( $DEBUG > 4 )
-			{
-				warn( "Method $sub_name has been asked to delete option '" .
-					$match_option . "', value '" . $match_data . "'\n" );
-			}
-			# Must match on both the option key and it's value
-			if( exists( $self->{$match_option} ) )
-			{				
-				if( ref( $self->{$match_option} ) eq 'ARRAY' )
-				{
-					if( $DEBUG > 4 )
-					{
-						warn( "Found a match on $match_option in signature\n" );
-					}
-					
-					my $__found = 0;
-					my @good_data;
-					foreach my $opt_value( @{$self->{$match_option}} )
-					{
-						if( $opt_value->{'__value__'} eq $match_data )
-						{
-							++$__found;
-							$success = 1;
-							push( @raw_data_pos, $opt_value->{'__raw_data_pos__'} );
-						}
-						elsif( defined( my $tt = $opt_value->{'__value__'} ) )
-						{
-							push( @good_data, $opt_value );
-						}
-						
-					}
-					
-					if( $success )
-					{
-						if( defined( $good_data[0] ) )
-						{
-							# Replace the object's old data with the good data
-							$self->{$match_option} = [ @good_data ];
-						}
-						else
-						{
-							delete $self->{$match_option};
-						}
-					}
-				}
-			}
-		}
-		elsif( exists( $self->{$match_option} ) )
-		{
-			if( $DEBUG > 4 )
-			{
-				warn( "Method $sub_name has been asked to delete all data with" .
-					" an option name of $match_option\n" );
-			}
-			
-			foreach my $opt_data( @{$self->{$match_option}} )
-			{
-				push( @raw_data_pos, $opt_data->{'__raw_data_pos__'} );
-			}
-			delete $self->{$match_option};
-			$success = 1;
-		}
-		
-		
-		if( $success )
-		{
-			# cleanup the __raw_data__ storage in the object
-			# get the last index of the __raw_data__ array
-			foreach my $idx( @raw_data_pos )
-			{
-				$self->{'__raw_data__'}->[$idx] = undef;
-			}
-			
-			# Delete the 
-		}
-		
-		return( $success );
-		
-	}
-	
-	sub output
-	{
-		my $sub_name = 'output';
-		
-		my $self = shift || return( undef );
-		my %args = @_;
-		my $ret_string;
-		my $prefix = '';
-		my $comments = 0;
-		
-		# Check on options
-		if( $args{sigprefix} )
-		{
-			$prefix = $args{sigprefix};
-		}
-		
-		if( defined( $args{comments} ) )
-		{
-			$comments = $args{comments};
-		}
-		else
-		{
-			$comments = 1;
-		}
-		
-		# opening to a Bro signature block
-		$ret_string = 'signature ' . $prefix . $self->{sig_id} . ' {' . "\n";
-		
-		if( $comments )
-		{
-			foreach my $line( @{$self->{'__raw_data__'}} )
-			{
-				if( defined( $line ) )
-				{
-					$ret_string = $ret_string . '  ' . $line . "\n";
-				}
-			}
-		}
-		else
-		{
-			while( my( $option, $opt_array ) = each( %{$self} ) )
-			{
-				if( $option ne '__raw_data__' and $option ne 'sig_id' )
-				{
-					foreach my $opt_data( @{$opt_array} )
-					{
-						$ret_string = $ret_string . 
-						'  ' .
-						$option .
-						' ' .
-						$opt_data->{'__value__'} .
-						"\n";
-					}
-				}
-			}
-		}
-		
-		# closing of the Bro signature block
-		$ret_string = $ret_string . '}';
-		
-		return( $ret_string );
-	}
-	
-	sub option
-	{
-		my $sub_name = 'option';
-		
-		my $self = shift || return( undef );
-		my $sig_option = shift || return( undef );
-		my $ret_data;
-		
-		if( $self->{$sig_option} )
-		{
-			foreach my $data( @{$self->{$sig_option}} )
-			{
-				push( @{$ret_data}, $data->{'__value__'} );
-			}
-		}
-		else
-		{
-			return( undef );
-		}
-		
-		if( @{$ret_data} > 1 )
-		{
-			return( @{$ret_data} );
-		}
-		else
-		{
-			return( $ret_data->[0] );
-		}
-	}
-	
-	sub sigid
-	{
-		# This is the entire Bro signature id as parsed in from a 
-		 # signature block
-		my $sub_name = 'sigid';
-		
-		my $self = shift || return( undef );
-		
-		if( $self->{sig_id} )
-		{
-			return( $self->{sig_id} );
-		}
-		else
-		{
-			return( undef );
-		}
-	}
-	
-	sub openportlist
-	{
-		my $sub_name = 'openportlist';
-		
-		my $self = shift || return( undef );
-		
-	}
-};
-
-
-package Bro::S2b::Augment;
-{
-	use strict;
-	require 5.006_001;
-	use Config::General;
-	#require Bro::Signature;
-	
-	use vars qw( $VERSION
-			$DEBUG
-			%VALID_AUGMENT_OPTIONS
-			$QUOTE_PATT );
-	
-	$VERSION = '1.10';
-	
-	%VALID_AUGMENT_OPTIONS = (
-		'active' =>
-			{ fatal => '{1}',
-			msg => "One required with values of T or F",
-			no_modify => 0,
-			write_to_cfg => 1,
-			write_to_sig => 0, },
-		'comment' =>
-			{ fatal => '*',
-			msg => "Zero or more allowed, value is plain text",
-			no_modify => 0,
-			write_to_cfg => 1,
-			write_to_sig => 0, },
-		'dst-ip' =>
-			{ fatal => '*',
-			warn => '{0,10}',
-			msg => "Zero or many with a max of 10 recommended",
-			no_modify => 0,
-			write_to_cfg => 1,
-			write_to_sig => 1, },
-		'dst-port' =>
-			{ fatal => '*',
-			warn => '{0,10}',
-			msg => "Zero or many with a max of 10 recommended",
-			no_modify => 0,
-			write_to_cfg => 1,
-			write_to_sig => 1, },
-		'src-ip' =>
-			{ fatal => '*',
-			warn => '{0,10}',
-			msg => "Zero or many with a max of 10 recommended",
-			no_modify => 0,
-			write_to_cfg => 1,
-			write_to_sig => 1, },
-		'src-port' =>
-			{ fatal => '*',
-			warn => '{0,10}',
-			msg => "Zero or many with a max of 10 recommended",
-			no_modify => 0,
-			write_to_cfg => 1,
-			write_to_sig => 1, },
-		'ip-proto' =>
-			{ fatal => '*',
-			warn => '{0,10}',
-			msg => "Zero or many with a max of 10 recommended",
-			no_modify => 0,
-			write_to_cfg => 1,
-			write_to_sig => 1, },
-		'eval' =>
-			{ fatal => '*',
-			warn => '{0,10}',
-			msg => "Zero or many with a max of 10 recommended",
-			no_modify => 0,
-			write_to_cfg => 1,
-			write_to_sig => 1, },
-		'ftp' =>
-			{ fatal => '*',
-			warn => '{0,10}',
-			msg => "Zero or many with a max of 10 recommended",
-			no_modify => 0,
-			write_to_cfg => 1,
-			write_to_sig => 1, },
-		'header' =>
-			{ fatal => '*',
-			warn => '{0,10}',
-			msg => "Zero or many with a max of 10 recommended",
-			no_modify => 0,
-			write_to_cfg => 1,
-			write_to_sig => 1, },
-		'http' =>
-			{ fatal => '*',
-			warn => '{0,10}',
-			msg => "Zero or many with a max of 10 recommended",
-			no_modify => 0,
-			write_to_cfg => 1,
-			write_to_sig => 1, },
-		'http-request' =>
-			{ fatal => '*',
-			warn => '{0,10}',
-			msg => "Zero or many with a max of 10 recommended",
-			no_modify => 0,
-			write_to_cfg => 1,
-			write_to_sig => 1, },
-		'http-request-header' =>
-			{ fatal => '*',
-			warn => '{0,10}',
-			msg => "Zero or many with a max of 10 recommended",
-			no_modify => 0,
-			write_to_cfg => 1,
-			write_to_sig => 1, },
-		'http-reply-header' =>
-			{ fatal => '*',
-			warn => '{0,10}',
-			msg => "Zero or many with a max of 10 recommended",
-			no_modify => 0,
-			write_to_cfg => 1,
-			write_to_sig => 1, },
-		'ip-options' =>
-			{ fatal => '?',
-			msg => "One or zero allowed. Not implemented yet.",
-			no_modify => 0,
-			write_to_cfg => 1,
-			write_to_sig => 1, },
-		'payload' =>
-			{ fatal => '*',
-			warn => '{0,10}',
-			msg => "Zero or many with a max of 10 recommened.",
-			no_modify => 0,
-			write_to_cfg => 1,
-			write_to_sig => 1, },
-		'payload-size' =>
-			{ fatal => '?',
-			msg => 'One or zero allowed.',
-			no_modify => 0,
-			write_to_cfg => 1,
-			write_to_sig => 1, },
-		'requires-signature' => 
-			{ fatal => '*',
-			warn => '{0,10}',
-			msg => "Zero or many with a max of 10 recommended",
-			no_modify => 0,
-			write_to_cfg => 1,
-			write_to_sig => 1, },
-		'requires-reverse-signature' =>
-			{ fatal => '*',
-			warn => '{0,10}',
-			msg => "Zero or many with a max of 10 recommended",
-			no_modify => 0,
-			write_to_cfg => 1,
-			write_to_sig => 1, },
-		'same-ip' =>
-			{ fatal => '?',
-			msg => 'One or zero allowed.',
-			no_modify => 0,
-			write_to_cfg => 1,
-			write_to_sig => 1, },
-		'snort-rule-file' =>
-			{ fatal => '?',
-			msg => "Zero or one allowed, filename from where the Snort rule came from is recommened",
-			no_modify => 1,
-			write_to_cfg => 1,
-			write_to_sig => 0, },
-		'sid-rev' =>
-			{ fatal => '{1}',
-			msg => "One is required.  SID rev number provided in the Snort ruleset file",
-			no_modify => 1,
-			write_to_cfg => 0,
-			write_to_sig => 0, },
-		'sid' =>
-			{ fatal => '{1}',
-			msg => "One is required.  Sid number is provided in the Snort ruleset file",
-			no_modify => 1,
-			write_to_cfg => 0,
-			write_to_sig => 0, },
-		'sigaction' =>
-			{ fatal => '{1}',
-			msg => "One required with a Bro SigAction as a value",
-			no_modify => 0,
-			write_to_cfg => 1,
-			write_to_sig => 0, },
-		'tcp-state' =>
-			{ fatal => '?',
-			msg => 'One or zero allowed.',
-			no_modify => 0,
-			write_to_cfg => 1,
-			write_to_sig => 1, },
-		);
-	
-	$QUOTE_PATT = qr~(?:[=!]{2}|\;|[|]{2}|\"|\>|\<)~;
-	
-	sub new
-	{
-		my $sub_name = 'new';
-		
-		my $self;
-		my $proto = shift;
-		my $class = ref( $proto ) || $proto;
-		my %args = @_;
-		my $augment_objs = [];
-		my $sig_data = {};
-		
-		if( defined( $args{filename} ) )
-		{
-			if( !( $augment_objs = getaugmentconfig( $args{filename} ) ) )
-			{
-				return( undef );
-			}
-			else
-			{
-				return( $augment_objs );
-			}
-		}
-		else
-		{
-			if( validate( \%args ) )
-			{
-				$sig_data = \%args;
-			}
-			else
-			{
-				return( undef );
-			}
-		}
-		
-		$self = $sig_data;
-		bless( $self, $class );
-		return( $self );
-		
-	}
-	
-	sub getaugmentconfig
-	{
-		my $sub_name = 'getaugmentconfig';
-		
-		my $augment_file = shift || undef;
-		my $valid_opts = \%VALID_AUGMENT_OPTIONS;
-		my @ret_arr;
-		my %aug_conf;
-		my $conf;
-		
-		if( -r $augment_file )
-		{
-			$conf = Config::General->new( -ConfigFile => $augment_file,
-							-LowerCaseNames => 1,
-							-MergeDuplicateBlocks => 0,
-							);
-		}
-		else
-		{
-			if( $DEBUG > 0 )
-			{
-				warn( "Error reading augment config at \"$augment_file\".\n" );
-			}
-			return( undef );
-		}
-		
-		%aug_conf = $conf->getall();
-		
-		if( ref( $aug_conf{augment} ) eq 'HASH' )
-		{
-			%aug_conf = %{$aug_conf{augment}}
-		}
-		
-		while( my( $sid_id, $aug_data ) = each( %aug_conf ) )
-		{
-			my( $sid_num, $sid_rev ) = split( /-/, $sid_id, 2 );
-			my $invalid_sid = 0;
-			
-			# The sid_id is represents both the sid number and the rev
-			 # in the form sid-rev, example: 540-2 would have a sid number
-			 # of 540 and an rev of 2
-			
-			if( ref( $aug_data ) eq 'ARRAY' )
-			{
-				if( $DEBUG > 1 )
-				{
-					warn( "SID number $sid_num with rev number $sid_rev has duplicate" .
-					" entries.  Keeping the first instance and removing all others\n" );
-				}
-				
-				my $keep_data = $aug_conf{$sid_id}->[0];
-				$aug_conf{$sid_id} = undef;
-				$aug_conf{$sid_id} = $keep_data;
-			}
-			else
-			{
-				if( my $aug_obj = Bro::S2b::Augment->new( 'sid' => $sid_num,
-										'sid-rev' => $sid_rev,
-										%{$aug_data} ) )
-				{
-					push( @ret_arr, $aug_obj );
-				}
-				else
-				{
-					warn( "Failed to parse sid $sid_num, rev $sid_rev\n" );
-					$invalid_sid = 1;
-				}
-			}
-			
-			if( $invalid_sid )
-			{
-				if( $DEBUG > 0 )
-				{
-					warn( "Snort SID number $sid_num is being ignored\n" );
-				}
-			}
-		}
-		
-		if( $DEBUG > 4 )
-		{
-			warn( "\nMemory dump of augment config file $augment_file\n" );
-			warn( $conf->save_string( \%aug_conf ) . "\n" );
-			warn( "\n" );
-		}
-		
-		if( wantarray )
-		{
-			return( @ret_arr );
-		}
-		else
-		{
-			return( \@ret_arr );
-		}
-	}
-	
-	sub validate
-	{
-		my $sub_name = 'validate';
-		
-		# The hash passed in is in the form
-		 # <snort sid> => <hash ref of augment data>
-		
-		my $aug_data = shift || return( undef );
-		my %ret_hash;
-		my $invalid_sid = 0;
-		my $sid_num = $aug_data->{sid};
-		my $del_data = {};	# hash ref of options that will later be removed from a sig
-		
-		# make sure that the snort sid number is greater than 100
-		if( $sid_num =~ m/^([[:digit:]]+)$/ and $sid_num > 100 )
-		{
-			$sid_num = $1;
-		}
-		
-		# Check for a delete block
-		if( exists( $aug_data->{delete} ) )
-		{
-			$del_data = $aug_data->{delete};
-		}
-		
-		# Check to make sure that the sid contains only valid options.
-		# Each option will be totalled as a string of 1's where each 1
-		# represents one instance of a particular option.
-		# Regular expression contained in %VALID_AUGMENT_OPTIONS for that
-		# option will be evaluated against the quantity found.
-		while( my( $sid_option, $sid_opt_data ) = each( %{$aug_data} ) )
-		{
-			my $option_count;
-			if( defined( $VALID_AUGMENT_OPTIONS{$sid_option} ) )
-			{
-				# OK, all good
-			}
-			elsif( $sid_option eq 'delete' )
-			{
-				next;
-			}
-			else
-			{
-				if( $DEBUG > 0 )
-				{
-					warn( "Option '$sid_option' in augment config" .
-					" for SID number $sid_num is unknown." .
-					"  Option will be ignored\n" );
-				}
-				
-				delete $aug_data->{$sid_option};
-				next;
-			}
-			
-			if( ref( $sid_opt_data ) eq 'HASH' )
-			{
-				foreach( keys( %{$sid_opt_data} ) )
-				{
-					$option_count .= '1';
-				}
-			}
-			elsif( ref( $sid_opt_data ) eq 'ARRAY' )
-			{
-				foreach( @{$sid_opt_data} )
-				{
-					$option_count .= '1';
-				}
-			}
-			else
-			{
-				# Otherwise treat the sid_option as a scalar
-				$option_count = 1;
-			}
-			
-			my $fatal_exp = qr/1$VALID_AUGMENT_OPTIONS{$sid_option}->{fatal}/;
-			if( $option_count =~ m/^$fatal_exp$/ )
-			{
-				# ok
-				if( defined( $VALID_AUGMENT_OPTIONS{$sid_option}->{warn} ) )
-				{
-					my $warn_exp = qr/1$VALID_AUGMENT_OPTIONS{$sid_option}->{warn}/;
-					if( $option_count =~ m/^$warn_exp$/ )
-					{
-						#ok
-					}
-					else
-					{
-						if( $DEBUG > 0 )
-						{
-							warn( "Warning for option '$sid_option' in SID number $sid_num, " .
-							$VALID_AUGMENT_OPTIONS{$sid_option}->{msg} .
-							"\n" );
-						}
-					}
-				}
-			}
-			else
-			{
-				if( $DEBUG > 0 )
-				{
-					warn( "Invalid SID option '$sid_option' in SID number $sid_num, " .
-					$VALID_AUGMENT_OPTIONS{$sid_option}->{msg} .
-					"\n" );
-				}
-				$invalid_sid = 1;
-			}
-		}
-		
-		
-		while( my( $sid_option, $sid_opt_data ) = each( %{$del_data} ) )
-		{
-			if( defined( $VALID_AUGMENT_OPTIONS{$sid_option} ) )
-			{
-				# OK, all good
-			}
-			else
-			{
-				if( $DEBUG > 0 )
-				{
-					warn( "Option '$sid_option' in the delete section of" .
-					" augment config for SID number $sid_num is unknown." .
-					"  Option will be ignored\n" );
-				}
-				
-				delete $aug_data->{delete}->{$sid_option};
-				next;
-			}
-		}
-		
-		if( $invalid_sid )
-		{
-			return( 0 );
-		}
-		else
-		{
-			return( 1 );
-		}
-	}
-	
-	sub augmentbrosig
-	{
-		my $sub_name = 'augmentbrosig';
-		
-		my $self = shift || return( undef );
-		my $bro_sig_obj = shift || return( undef );
-		my $new_bro_sig;
-		my $err = 0;
-		my $del_data = {};
-		
-		# Go through each option in the augment data
-		while( my( $option, $opt_data ) = each( %{$self} )
-			and !( $err ) )
-		{
-			# Is this the delete section of the data
-			if( $option eq 'delete' and ref( $opt_data ) )
-			{
-				$del_data = $opt_data;
-			}
-			# check whether the option is allowed to be exported to 
-			 # a Bro sig
-			elsif( exists( $VALID_AUGMENT_OPTIONS{$option} )
-				and $VALID_AUGMENT_OPTIONS{$option}->{write_to_sig} )
-			{
-				
-				my @data_list;
-				my $remove_before_add = 0;
-				
-				# Check if $opt_data has mutlivalues
-				if( ref( $opt_data ) eq 'ARRAY' )
-				{
-					@data_list = @{$opt_data};
-				}
-				else
-				{
-					if( $VALID_AUGMENT_OPTIONS{$option}->{fatal} eq '?'
-						or $VALID_AUGMENT_OPTIONS{$option}->{fatal} eq '{1}' )
-					{
-						$remove_before_add = 1;
-					}
-					@data_list = ( $opt_data );
-				}
-				
-				foreach my $opt_value( @data_list )
-				{
-					if( $remove_before_add )
-					{
-						$bro_sig_obj->deloption( $option );
-						
-						if( $DEBUG > 2 )
-						{
-							warn( "Augment option $option for sigid " . $self->sigid()
-								. " can only have one instance in a Bro siganture.\n" );
-							warn( "Found a prexisting context for \"$option\" in the Bro signature"
-								. " which will be replaced by the augment data.\n" );
-						}
-					}
-					
-					if( $bro_sig_obj->addoption( $option, $opt_value ) )
-					{
-						# ok
-					}
-					else
-					{
-						if( $DEBUG > 0 )
-						{
-							warn( "Failed to add augment option $option to Bro" .
-								" signature object with sid of " .
-								$bro_sig_obj->sigid . "\n" );
-						}
-						$err = 1;
-						last;
-					}
-				}
-			}
-		}
-		
-		# Loop over the delete section of the data and remove matching
-		 # data from a bro signature.
-		while( my( $opt, $val ) = each( %{$del_data} ) and ! $err )
-		{
-			if( exists( $VALID_AUGMENT_OPTIONS{$opt} )
-				and $VALID_AUGMENT_OPTIONS{$opt}->{write_to_sig} )
-			{
-				my @data_list;
-				
-				# Check if $opt_data has mutlivalues
-				if( ref( $val ) eq 'ARRAY' )
-				{
-					@data_list = @{$val};
-				}
-				elsif( defined( $val ) )
-				{
-					$data_list[0] = $val;
-				}
-				else
-				{
-					next;
-				}
-				
-				foreach my $opt_value( @data_list )
-				{
-					if( $bro_sig_obj->deloption( $opt, $opt_value ) )
-					{
-						# ok
-					}
-					else
-					{
-						if( $DEBUG > 0 )
-						{
-							warn( "Failed to remove augment option '$opt', value '$opt_value'" .
-								" from Bro signature object with sid of " .
-								$bro_sig_obj->sigid() . "\n" );
-						}
-						$err = 1;
-						last;
-					}
-				}
-			}
-		}
-		
-		if( $err )
-		{
-			if( $DEBUG > 0 )
-			{
-				warn( "Unable to apply all options from augment object to the Bro signature\n" );
-			}
-			return( undef );
-		}
-		else
-		{
-			return( $bro_sig_obj );
-		}
-	}
-	
-	sub sid
-	{
-		my $sub_name = 'sid';
-		
-		my $self = shift || return( undef );
-		
-		if( my $sid = $self->{sid} )
-		{
-			return( $sid );
-		}
-		else
-		{
-			return( undef );
-		}
-	}
-	
-	sub rev
-	{
-		my $sub_name = 'rev';
-		
-		my $self = shift || return( undef );
-		
-		if( my $rev = $self->{'sid-rev'} )
-		{
-			return( $rev );
-		}
-		else
-		{
-			return( undef );
-		}
-	}
-	sub sigid
-	{
-		my $sub_name = 'sigid';
-		
-		my $self = shift || return( undef );
-		
-		if( my $rev = $self->{'sid-rev'}
-			and my $sid = $self->{sid} )
-		{
-			return( $sid . '-' . $rev );
-		}
-		else
-		{
-			return( undef );
-		}
-	}
-	
-	sub option
-	{
-		my $sub_name = 'option';
-		
-		my $self = shift || return( undef );
-		my $aug_option = shift || return( undef );
-		my $ret_data;
-		
-		if( $self->{$aug_option} )
-		{
-			if( ( $self->{$aug_option} ) eq 'ARRAY' )
-			{
-				foreach my $data( @{$self->{$aug_option}} )
-				{
-					push( @{$ret_data}, $data );
-				}
-			}
-			else
-			{
-				push( @{$ret_data}, $self->{$aug_option} );
-			}
-		}
-		else
-		{
-			return( undef );
-		}
-		
-		if( @{$ret_data} > 1 )
-		{
-			return( @{$ret_data} );
-		}
-		else
-		{
-			return( $ret_data->[0] );
-		}
-	}
-	
-	sub active
-	{
-		my $sub_name = 'active';
-		
-		my $self = shift || return( undef );
-		my $new_status = shift;
-		my $ret_status = 0;
-		
-		# NOTE, for now the active status is kept as a character value.
-		 # This just makes it easy for importing augment data into objects
-		 # This needs to be changed internally but for now the user doesn't
-		 # know the difference.
-		
-		if( defined( $new_status ) )
-		{
-			if( $new_status =~ m/^(?:t|1)/i )
-			{
-				$self->{active} = 'T';
-			}
-			else
-			{
-				$self->{active} = 'F';
-			}
-		}
-		
-		if( ! exists( $self->{active} ) )
-		{
-			$ret_status = undef;
-		}
-		elsif( $self->{active} =~ m/^t/i )
-		{
-			$ret_status = 1;
-		}
-		
-		return( $ret_status );
-	}
-	
-	sub output
-	{
-		my $sub_name = 'output';
-		
-		my $self = shift || return( undef );
-		my $ret_string = '';
-		my $sid_num;
-		my $sid_rev;
-		
-		if( $sid_num = $self->sid() and $sid_rev = $self->rev() )
-		{
-			# ok
-		}
-		else
-		{
-			return( undef );
-		}
-		
-		my $already_quoted = qr/^\".+\"$/;
-		foreach my $key( sort( keys( %{$self} ) ) )
-		{
-			my $value = $self->{$key};
-			if( $VALID_AUGMENT_OPTIONS{$key}->{write_to_cfg} )
-			{
-				# If the option data has muti values
-				if( ref( $value ) )
-				{
-					foreach my $value_inst( @{$value} )
-					{
-						if( $value_inst =~ $QUOTE_PATT
-							and $value_inst !~ $already_quoted )
-						{
-							$value_inst = '"' . $value_inst . '"';
-						}
-						$ret_string = $ret_string . '  ' . $key . ' ' . $value_inst ."\n";
-					}
-				}
-				# Otherwise the option value is reated as a scalar
-				else
-				{
-					if( $value =~ $QUOTE_PATT
-						and $value !~ $already_quoted )
-					{
-						$value = '"' . $value . '"';
-					}
-					$ret_string = $ret_string . '  ' . $key . ' ' . $value . "\n";
-				}
-			}
-		}
-		
-		if( length( $ret_string ) > 3 )
-		{
-			# prepend the beginning of the augment block
-			$ret_string = "<augment $sid_num-$sid_rev>\n" . $ret_string;
-			
-			# append the closing of the augment block
-			$ret_string = $ret_string . '</augment>';
-			
-			return( $ret_string );
-		}
-		else
-		{
-			return( undef );
-		}
-	}
-	
-	sub merge
-	{
-		my $sub_name = 'merge';
-		# will attempt to merge an augment object together with either a
-		 # valid data strcuture or another augment object.  There is 
-		 # no checking on whether the objects are similar in any way
-		 # only that the data from the source does not cause the target
-		 # to become invalid according to %VALID_AUGMENT_OPTIONS.
-		# If an attempt to add a value exceeds the allowable quantity for 
-		 # a given option then the option from the source object will replace
-		 # the target object's option.  Otherwise the option will just be added
-		 # If a delete block exists then the option that matches will be
-		 # deleted from the target.  A final check will be made after all 
-		 # data has been processed to make sure that the target still conforms 
-		 # to the requirements in %VALID_AUGMENT_OPTIONS.
-		
-		my $self = shift || return( undef );	# Merge to, target
-		my $new_data = shift || return( undef );	# Merge from, source
-		# Make a copy of the object.  The copy will be operated on and once
-		 # all tests have completed it will replace the contents of the 
-		 # original object.
-		my $wo = Bro::S2b::Augment->new( %{$self} );	# Working Object
-		my $del_opts = {};
-		my $failed = 0;
-		
-		while( my( $key, $value ) = each( %{$new_data} ) )
-		{
-			if( $key eq 'delete' )
-			{
-				$del_opts = $value;
-			}
-			else
-			{
-				if( ! $wo->add( $key, $value ) )
-				{
-					# Failed to add in the value
-					if( $DEBUG > 0 )
-					{
-						$failed = 1;
-						warn( "Failed to add option $key to augment object\n" );
-					}
-				}
-			}
-		}
-		
-		while( my( $del_opt, $del_val ) = each( %{$del_opts} ) )
-		{
-			if( ! $wo->del( $del_opt, $del_val ) )
-			{
-				if( $DEBUG > 0 )
-				{
-					$failed = 1;
-					warn( "Failed to delete option $del_opt from object\n" );
-				}
-			}
-		}
-		
-		if( ! validate( $wo ) )
-		{
-			if( $DEBUG > 0 )
-			{
-				warn( "There was an error in validating the merged augment object." .
-				"  No changes made to the original augment object.\n" );
-			}
-			return( undef );
-		}
-		
-		if( ! $failed )
-		{
-			return( $wo );
-		}
-		else
-		{
-			if( $DEBUG > 0 )
-			{
-				warn( "One or more operations failed during an augment merge." .
-				"  Original object has not been modified\n" );
-			}
-			return( undef );
-		}
-	}
-	
-	sub add
-	{
-		my $sub_name = 'add';
-		
-		my $self = shift || return( undef );
-		my $opt = shift || return( undef );
-		my $val = shift;
-		my $cur_contents;
-		my $opt_quan = '';
-		my $eval_quan = $VALID_AUGMENT_OPTIONS{$opt}->{fatal};
-		
-		if( ! $VALID_AUGMENT_OPTIONS{$opt} )
-		{
-			if( $DEBUG > 0 )
-			{
-				warn( "Attempt to merge an unknown option \"$opt\" into an augment object\n" );
-			}
-			return( undef );
-		}
-		
-		if( $VALID_AUGMENT_OPTIONS{$opt}->{no_modify} )
-		{
-			if( $DEBUG > 0 )
-			{
-				warn( "Failed to add option $opt.  Modification is forbidden by configuration\n" );
-			}
-			return( undef );
-		}
-		
-		# figure out what type of value is stored
-		if( exists( $self->{$opt} ) and ref( $self->{$opt} ) eq 'ARRAY' )
-		{
-			my @t1 = @{$self->{$opt}};
-			$cur_contents = \@t1;
-			foreach( @{$cur_contents} )
-			{
-				$opt_quan .= '1';
-			}
-		}
-		else
-		{
-			$cur_contents = $self->{$opt};
-			$opt_quan = '1';
-		}
-		
-		# figure out if we should replace or add
-		# If the allowed option count is a max of one and we have only one option
-		 # to add then this is an overwrite
-		if( $eval_quan eq'?' or $eval_quan eq '{1}' )
-		{
-			if( $opt_quan =~ m/^1|$/ )
-			{
-				$self->{$opt} = $val;
-				if( $DEBUG > 2 )
-				{
-					warn( "Added/replaced option $opt with contents $val\n" );
-				}
-			}
-			else
-			{
-				if( $DEBUG > 0 )
-				{
-					warn( "Tried to add more values to an option than the option type allows.\n" );
-				}
-				return( undef );
-			}
-		}
-		else
-		{
-			$opt_quan .= '1';
-			if( $opt_quan =~ m/^1$eval_quan$/ )
-			{
-				# Check if the data structure is an array, if not change it
-				if( ! exists( $self->{$opt} ) )
-				{
-					$self->{$opt} = [];
-				}
-				elsif( ref( $self->{$opt} ) ne 'ARRAY' )
-				{
-					my $cur_val = $self->{$opt};
-					delete( $self->{$opt} );
-					$self->{$opt}->[0] = $cur_val;
-				}
-				
-				push( @{$self->{$opt}}, $val );
-			}
-			else
-			{
-				if( $DEBUG > 0 )
-				{
-					warn( $VALID_AUGMENT_OPTIONS{$opt}->{msg} . "\n" );
-				}
-				return( undef );
-			}
-		}
-		
-		# Search the delete section of the data and remove any matching entries
-		if( ref( $self->{delete} ) )
-		{
-			# Need to complete later!
-		}
-		
-		return( $self );
-	}
-	
-	sub del
-	{
-		my $sub_name = 'del';
-		
-		my $self = shift || return( undef );
-		my $opt = shift || return( undef );
-		my $opt_val = shift || '';
-		my $opt_quan = '';
-		my $eval_quan = $VALID_AUGMENT_OPTIONS{$opt}->{fatal};
-		
-		if( ! $VALID_AUGMENT_OPTIONS{$opt} )
-		{
-			if( $DEBUG > 0 )
-			{
-				warn( "Attempt to remove an unknown option \"$opt\" from an augment object\n" );
-			}
-			return( undef );
-		}
-		
-		if( $VALID_AUGMENT_OPTIONS{$opt}->{no_modify} )
-		{
-			if( $DEBUG > 0 )
-			{
-				warn( "Failed to delete option $opt.  Modification is forbidden by configuration\n" );
-			}
-			return( undef );
-		}
-		
-		if( ! exists( $self->{$opt} ) )
-		{
-			# no option with the name in $opt exists
-			return( 0 );
-		}
-		elsif( ref( $self->{$opt} ) eq 'ARRAY' )
-		{
-			my @t1 = @{$self->{$opt}};
-			my $cur_contents = \@t1;
-			my $found = 0;
-			my @new_contents;
-			
-			foreach my $cont_inst( @{$cur_contents} )
-			{
-				if( $cont_inst eq $opt_val )
-				{
-					++$found;
-				}
-				else
-				{
-					$opt_quan .= '1';
-					push( @new_contents, $cont_inst );
-				}
-			}
-			
-			if( $found )
-			{
-				if( $opt_quan =~ /^1$eval_quan$/ )
-				{
-					delete( $self->{$opt} );
-					$self->{$opt} = \@new_contents;
-				}
-				else
-				{
-					if( $DEBUG > 0 )
-					{
-						warn( "Removal of option $opt failed." . $VALID_AUGMENT_OPTIONS{$opt}->{msg} . "\n" );
-					}
-					return( undef );
-				}
-			}
-			else
-			{
-				if( $DEBUG > 2 )
-				{
-					warn( "Could not find '$opt' with value '$opt_val' to delete.  No big deal\n" );
-				}
-			}
-		}
-		else
-		{
-			$opt_quan = '';
-			
-			if( $self->{$opt} eq $opt_val )
-			{
-				if( $opt_quan =~ /^1$eval_quan$/ )
-				{
-					delete( $self->{$opt} );
-				}
-				else
-				{
-					if( $DEBUG > 0 ) 
-					{
-						warn( "Removal of option $opt is not allowed," . $VALID_AUGMENT_OPTIONS{$opt}->{msg} . "\n" );
-					}
-					return( undef );
-				}
-			}
-			else
-			{
-				if( $DEBUG > 2 )
-				{
-					warn( "Could not find '$opt' with value '$opt_val' to delete.  No big deal\n" );
-				}
-			}
-		}
-		
-		return( $self );
-	}
-};
-
-
-#####################################################################
-##### s2b.pl	Snort to Bro rule conversion script
-##### Roger Winslow
-#####
-#####################################################################
-
-
-use strict;
-require 5.006_001;	# 5.6.1 minimum is required.
-use Config::General;
-use Getopt::Long;
-Getopt::Long::Configure qw( no_ignore_case no_getopt_compat );
-
-# clear these shell environment variables so Taint mode doesn't complain
-$ENV{PATH} = '';
-$ENV{BASH_ENV} = '';
-$ENV{ENV} = '';
-
-use vars qw( $VERSION
-			%DEFAULT_CONFIG
-			$SNORT_TO_BRO_PROG
-			$DEBUG );
-
-$VERSION = '1.10';
-$DEBUG = 1;
-%DEFAULT_CONFIG = ( configdir => '/usr/local/etc/bro/s2b',
-				mainconfig => 's2b.cfg',
-				augmentconfig => 's2b-augment.cfg',
-				useraugmentconfig => 's2b-user-augment.cfg',
-				sigactiondest => 's2b-sigaction.bro',
-				brosignaturedest => 's2b.sig',
-				sigmapconfig => 's2b-sigmap.cfg',
-				defaultsigaction => 'SIG_LOG',
-				rulesetaugmentconfig => 's2b-ruleset-augment.cfg',
-				sigprefix => 's2b-',
-				snortrulesetdir => './',
-				ignorehostdirection => 1,
-				);
-
-# This is hardcoded until I get to intergrating the Snort conversion into 
- # a PERL program.
-$SNORT_TO_BRO_PROG = './snort2bro';
-
-# Until I can rewrite the python conversion script it will be used for initial conversion
- # make sure it runs before continuing on.
-if( my $result = `$SNORT_TO_BRO_PROG --help 2>&1` )
-{
-	# ok.
-}
-else
-{
-	warn( "Unable to run $SNORT_TO_BRO_PROG.  Check to make sure that the python run" .
-	" path is set correctly in the program.\n" );
-	exit( 1 );
-}
-
-# ref to hash containing all config data
-my $config = {};
-$config = getconfig( \%DEFAULT_CONFIG );
-
-# Build the ruleset exclusion list
-my $ignorerules = {};
-$ignorerules = getignorerules( $config );
-
-# Parse and store the system level augment file
-# An array ref containing Bro::S2b::Augment objects will be returned in 
- # $augment_objects
-my $augment_objects = [];
-if( $augment_objects = Bro::S2b::Augment->new( filename => $config->{augmentconfig} ) )
-{
-	# ok
-}
-else
-{
-	if( $DEBUG > 0 )
-	{
-		warn( "Unable to retrieve any augment data." . 
-			"  This can be expected if the file has not been created yet.\n" );
-		if( ! $config->{updateaugment} )
-		{
-			warn( "Perhaps you have forgotten to run --updateaugment first?\n" );
-		}
-	}
-}
-
-my $snort_rule_files = [];
-$snort_rule_files = getsnortrulefiles( $config->{snortrulesetdir}, $ignorerules );
-
-# Is this a request to update the s2b-augment.cfg file?
-if( $config->{updateaugment} )
-{
-	my $ruleset_based_augment;
-	my $new_augment_data;
-	my $sigmap = {};
-	my %existing_sidrev;
-	
-	# Read and parse the Snort alert classtype to Bro SigAction mappings
-	$sigmap = getsigmap( $config->{sigmapconfig} );
-	
-	# Build a hash of "sid-rev" strings from the existing augment objects
-	 # (if any)
-	foreach my $aug_obj( @{$augment_objects} )
-	{
-		my $key = $aug_obj->sigid();
-		$existing_sidrev{$key} = 1;
-	}
-	
-	# Read and parse the ruleset augment data which is to be included into 
-	 # the augment config based on the Snort ruleset from which they come.
-	if( $config->{rulesetaugmentconfig} )
-	{
-		$ruleset_based_augment = getrulesetaugment( $config->{rulesetaugmentconfig} );
-	}
-	
-	# Build the augment file
-	$new_augment_data = buildaugment( $snort_rule_files, $sigmap ) || [];
-	
-	my @append_aug_list;
-	# Check for new augment objects
-	foreach my $new_aug( @{$new_augment_data} )
-	{
-		if( ! $existing_sidrev{$new_aug->sigid()} )
-		{
-			$new_aug->option( 'snort-rule-file' ) =~ m/([^\/]+)$/;
-			my $aug_snort_rulename = $1;
-			if( exists( $ruleset_based_augment->{$aug_snort_rulename} )  )
-			{
-				if( !(  $new_aug = $new_aug->merge( $ruleset_based_augment->{$aug_snort_rulename} ) ) )
-				{
-					next;
-				}
-			}
-			
-			push( @append_aug_list, $new_aug );
-		}
-	}
-	
-	if( @append_aug_list > 0 )
-	{
-		appendaugment( \@append_aug_list, $config->{augmentconfig} );
-	}
-	
-	if( $DEBUG > 0 )
-	{
-		my $num_aug_blocks = scalar( @append_aug_list );
-		if( $num_aug_blocks > 0 )
-		{
-			warn( "Added a total of $num_aug_blocks new augment data blocks to augment file " . $config->{augmentconfig} . "\n" );
-		}
-		else
-		{
-			warn( "No new augment data found.  Nothing added to augment file " . $config->{augmentconfig} . "\n" );
-		}
-	}
-}
-# Else assume this is a request to build Bro signatures
-else
-{
-	my %sigaction_list;
-	my @active_sigs;
-	
-	# Parse and store the user level augment file
-	# An array ref containing Bro::S2b::Augment objects will be returned in 
-	 # $user_augment_objects
-	my $user_augment_objects = [];
-	if( -r $config->{useraugmentconfig} and
-		$user_augment_objects = Bro::S2b::Augment->new( filename => $config->{useraugmentconfig} ) )
-	{
-		# ok
-	}
-	else
-	{
-		if( $DEBUG > 1 )
-		{
-			warn( "Unable to retrieve any user level augment data." . 
-				"  This is non-fatal and can be expected if the file has not been created yet.\n" );
-		}
-	}
-	
-	# Loop over each user augment object and build an index of sigids
-	my %user_aug_obj_idx;
-	for( my $i=0; $i < scalar( @{$user_augment_objects} ); ++$i )
-	{
-		$user_aug_obj_idx{$user_augment_objects->[$i]->sigid()} = $i;
-	}
-	
-	my $ignore_snort_sids = {};
-	$ignore_snort_sids = getignoresids( $augment_objects );
-
-	# An array ref containing Bro::Signature objects will be returned in
-	 # $converted_snort_rules
-	my $converted_snort_rules = {};
-	$converted_snort_rules = convertfromsnort( $snort_rule_files,
-						$ignore_snort_sids );
-	
-	# Loop over the list of Bro::Signature objects and process each
-	foreach my $sig_obj( @{$converted_snort_rules} )
-	{
-		my $sig_is_active = 0;
-		my $user_aug_obj;
-		my $sig_obj_id = $sig_obj->sigid();
-		my $augment_obj;
-		# Find the corresponding Bro::S2b::Augment object.  The match is found
-		 # by comparing each object's sigid (minus the prefix if any).
-		# I realize at this point that this is a bit of a waste.  I'll work on a
-		 # better indexed version later.
-		foreach my $augment_obj( @{$augment_objects} )
-		{
-			# Compare the sigids and see if they match
-			if( $augment_obj->sigid() eq $sig_obj_id )
-			{
-				# Look for a matching user augment option and put it in
-				 # $user_aug_obj if found.
-				if( exists( $user_aug_obj_idx{$sig_obj_id} ) )
-				{
-					$user_aug_obj = $user_augment_objects->[$user_aug_obj_idx{$sig_obj_id}];
-				}
-				
-				# Determine if the rule is active
-				if( $augment_obj->active() )
-				{
-					$sig_is_active = 1;
-				}
-				if( $user_aug_obj and defined( $user_aug_obj->active() ) )
-				{
-					$sig_is_active = $user_aug_obj->active();
-				}
-				
-				# Skip this instance if the sig is not set to active
-				if( ! $sig_is_active )
-				{
-					# must be inactive. No need to continue processing this 
-					 # signature
-					last;
-				}
-				
-				# Check whether the connection direction information should be 
-				 # ignored.  If so then remove it from the Bro::Signature object.
-				if( $config->{ignorehostdirection} )
-				{
-					if( my $dst_ip = $sig_obj->option( 'dst-ip' ) )
-					{
-						if( $dst_ip =~ m/[[:alpha:]]+/ )
-						{
-							$sig_obj->deloption( 'dst-ip' );
-						}
-					}
-					
-					if( my $src_ip = $sig_obj->option( 'src-ip' ) )
-					{
-						if( $src_ip =~ m/[[:alpha:]]+/ )
-						{
-							$sig_obj->deloption( 'src-ip' );
-						}
-					}
-				}
-
-				# Modify the Bro::Signature object and include the augment data.
-				if( $augment_obj->augmentbrosig( $sig_obj ) )
-				{
-					# If user augment data exists then apply it now
-					if( $user_aug_obj )
-					{
-						$user_aug_obj->augmentbrosig( $sig_obj );
-					}
-					
-					# Determine which sigaction to use, system or user
-					my $cur_sigaction;
-					if( $user_aug_obj and $user_aug_obj->option( 'sigaction' ) )
-					{
-						$cur_sigaction = $user_aug_obj->option( 'sigaction' );
-					}
-					else
-					{
-						$cur_sigaction = $augment_obj->option( 'sigaction' );
-					}
-					
-					# Check if the sigaction is anything other than the default
-					# If so then add it to the hash.
-					if( $cur_sigaction ne $config->{defaultsigaction} )
-					{
-						$sigaction_list{$sig_obj_id} = $cur_sigaction;
-					}
-					
-					# Put the bro signature object into the active list of
-					 # signatures
-					push( @active_sigs, $sig_obj );
-				}
-				else
-				{
-					if( $DEBUG > 0 )
-					{
-						warn( "Failed to augment Bro signature $sig_obj_id\n" );
-					}
-				}
-
-				last;
-			}
-		}
-	}
-		
-	# Write the sigactions to a file or if the file in $config is an empty string 
-	 # then send it to STDOUT
-	if( $config->{sigactiondest} )
-	{
-		if( open( OUTFILE, '>', $config->{sigactiondest} ) )
-		{
-			outputsigactions( \%sigaction_list, \*OUTFILE );
-		}
-		else
-		{
-			warn( "Failed to open file " . $config->{sigactiondest} . " for writing, unable to continue\n" );
-			exit( 1 );
-		}
-		
-		close( OUTFILE );
-	}
-	else
-	{
-		outputsigactions( \%sigaction_list );
-	}
-	
-	
-	# Output the final signatures or if the file in $config is an empty string 
-	 # then send it to STDOUT
-	if( $config->{brosignaturedest} )
-	{
-		if( open( OUTFILE, '>', $config->{brosignaturedest} ) )
-		{
-			outputsigs( \@active_sigs, \*OUTFILE );
-		}
-		else
-		{
-			warn( "Failed to open file " . $config->{brosignaturedest} . " for writing, unable to continue\n" );
-			exit( 1 );
-		}
-		
-		close( OUTFILE );
-	}
-	else
-	{
-		outputsigs( $converted_snort_rules );
-	}
-	
-}
-
-
-exit( 0 );
-
-
-
-#################################################
-#####
-#####  Begin subroutines
-#####
-#################################################
-
-sub getconfig
-{
-	my $sub_name = 'getconfig';
-	
-	my $arg1 = shift || \%DEFAULT_CONFIG;
-	my %default_config;
-	my %cmd_line_cfg;
-	my $main_config_file;
-	my %config;
-	
-	if( ref( $arg1 ) eq 'HASH' )
-	{
-		%default_config = %{$arg1};
-	}
-	else
-	{
-		return( undef );
-	}
-	
-	GetOptions( \%cmd_line_cfg,
-			'configdir=s',
-			'mainconfig=s',
-			'augmentconfig=s',
-			'useraugmentconfig=s',
-			'sigactiondest=s',
-			'brosignaturedest=s',
-			'sigmapconfig=s',
-			'snortrulesetdir=s',
-			'defaultsigaction=s',
-			'ignorehostdirection:s',
-			'rulesetaugmentconfig',
-			'updateaugment',
-			'usage|help|h',
-			'debug|verbose|d|v:i',
-			'version|V',
-			'copyright', );
-	
-	# Check for options which will prevent the program from running
-	# any further
-	if( $cmd_line_cfg{usage} )
-	{
-		print usage();
-		exit( 0 );
-	}
-	elsif( $cmd_line_cfg{version} )
-	{
-		print version();
-		exit( 0 );
-	}
-	elsif( $cmd_line_cfg{copyright} )
-	{
-		print copyright();
-		exit( 0 );
-	}
-	else
-	{
-		# just continue on
-	}
-	
-	if( ! $cmd_line_cfg{mainconfig} )
-	{
-		if( defined( $ARGV[0] ) )
-		{
-			$cmd_line_cfg{mainconfig} = $ARGV[0];
-		}
-		else
-		{
-			$cmd_line_cfg{mainconfig} = $default_config{mainconfig};
-		}
-	}
-	
-	$main_config_file = $cmd_line_cfg{mainconfig};
-
-	my $conf = Config::General->new( -ConfigFile => $main_config_file,
-						-LowerCaseNames => 1,
-						);
-	
-	%config = $conf->getall;
-	$config{'mainconfig'} = $main_config_file;
-	
-	# Any args passed through the command line will override file options
-	while( my( $key, $value ) = each( %cmd_line_cfg ) )
-	{
-		$config{$key} = $value;
-	}
-	
-	# Set default values for options that have not already been configured
-	while( my( $key, $value ) = each( %{$arg1} ) )
-	{
-		if( ! exists( $config{$key} ) )
-		{
-			$config{$key} = $value;
-		}
-	}
-	
-	# Set Debug level
-	$DEBUG = $config{debug} if exists( $config{debug} );
-		
-	if( checkconfig( \%config ) )
-	{
-		if( $DEBUG > 4 )
-		{
-			warn( "Configuration memory dump:\n" );
-			warn( $conf->save_string( \%config ) );
-			warn( "\n" );
-		}
-			return( \%config );
-	}
-	else
-	{
-		warn( "exiting program" );
-		exit( 1 );
-	}
-}
-
-sub checkconfig
-{
-	my $sub_name = 'checkconfig';
-	
-	my $cfg_hash = shift || return undef;
-	
-	# Check to make sure that the config directory is defined.
-	if( defined( $cfg_hash->{'configdir'} ) )
-	{
-		# Check to make sure that the config directory has a sane value.
-		if( $cfg_hash->{configdir} !~ m/[*;`{}%]+/ and
-				$cfg_hash->{configdir} =~ m~^([[:print:]]{1,1024}?)/*$~ )
-		{
-			$cfg_hash->{configdir} = $1;
-			if( !( -d $cfg_hash->{configdir} ) )
-			{
-				warn( "configdir '" .$cfg_hash->{configdir} . "' is not a directory\n" );
-				return( 0 );
-			}
-		}
-		else
-		{
-			warn( "Config directory contains invalid characters or is longer than 1024 bytes\n" );
-			return( 0 );
-		}
-	}
-	else
-	{
-		warn( "No config directory specified\n" );
-		return( 0 );
-	}
-	
-	# Check to make sure that the Snort rule directory is
-	# specified and readable
-	if( defined( $cfg_hash->{snortrulesetdir} ) )
-	{
-		if( -d $cfg_hash->{snortrulesetdir} )
-		{
-			if( ! -r $cfg_hash->{snortrulesetdir} )
-			{
-				warn( "Unable to read directory " . $cfg_hash->{snortrulesetdir} ."\n" );
-				return( 0 );
-			}
-			else
-			{
-				# Strip of any trailing slash on the end
-				$cfg_hash->{snortrulesetdir} =~ m~^([[:print:]]+?)/*$~;
-				$cfg_hash->{snortrulesetdir} = $1;
-			}
-		}
-		else
-		{
-			warn( $cfg_hash->{snortrulesetdir} . " is not a valid directory\n" );
-			return( 0 );
-		}
-	}
-	else
-	{
-		warn( "No snortruleset directory has been specified\n" );
-		return( 0 );
-	}
-	
-	# Check to make sure the sidprefix only conatins alphanumeric and dash characters
-	if( defined( $cfg_hash->{sidprefix} ) )
-	{
-		if( $cfg_hash->{sidprefix} =~ m/^([[:alnum:]-]*)$/ )
-		{
-			$cfg_hash->{sidprefix} = $1;
-		}
-		else
-		{
-			warn( "Invalid charcters in the sidprefix.  May only contain alphanumeric and dash characters\n" );
-			return( 0 );
-		}
-	}
-	else
-	{
-		# else set it to a blank string
-		$cfg_hash->{sidprefix} = '';
-	}
-	
-	# Check to make sure default-sigaction is valid and set otherwise use 
-	 # the default. Need to tie into the Bro config later to thoroughly check this.
-	if( defined( $cfg_hash->{defaultsigaction} ) )
-	{
-		if( $cfg_hash->{defaultsigaction} =~ m/^[[:alnum:]_]+$/ )
-		{
-			# ok
-		}
-		else
-		{
-			warn( "Default Bro SigAction --default-sigaction has invalid characters\n" );
-		}
-	}
-	else
-	{
-		warn( "No default Bro SigAction --default-sigaction has been set\n" );
-		return( undef );
-	}
-	
-	# Check the ignorehostdirection option for values other than true or false
-	if( defined( $cfg_hash->{ignorehostdirection} ) )
-	{
-		if( $cfg_hash->{ignorehostdirection} =~ m/^(?:f|0)/i )
-		{
-			$cfg_hash->{ignorehostdirection} = 0;
-		}
-		elsif( $cfg_hash->{ignorehostdirection} )
-		{
-			$cfg_hash->{ignorehostdirection} = 1;
-		}
-		else
-		{
-			if( $DEBUG > 0 )
-			{
-				warn( "Unknown value of " . $cfg_hash->{ignorehostdirection} .
-				" assigned to option ignorehostdirection, defaulting to true.\n" );
-			}
-			
-			$cfg_hash->{ignorehostdirection} = 1;
-		}
-	}
-	
-	# Check to make sure the sigmap file exists, is readable and > 0 bytes.
-	if( defined( $cfg_hash->{sigmapconfig} ) )
-	{
-		my $fn = $cfg_hash->{configdir} . '/' . $cfg_hash->{sigmapconfig};
-		if( -r $fn and -s $fn )
-		{
-			$fn =~ m/^([[:print:]]+)$/;
-			$cfg_hash->{sigmapconfig} = $1;
-		}
-		else
-		{
-			warn( "sigmapconfig file at '$fn' is not readable or zero length\n" );
-			return( 0 );
-		}
-	}
-	else
-	{
-		if( $cfg_hash->{updateaugment} )
-		{
-			warn( "No sigmapconfig file specified\n" );
-			return( 0 );
-		}
-	}
-	
-	# Check if the augmentconfig option exists and validate it if it does.
-	if( defined( $cfg_hash->{augmentconfig} ) )
-	{
-		my $fn = $cfg_hash->{configdir} . '/' . $cfg_hash->{augmentconfig};
-		$fn =~ m/^([[:print:]]+)$/;
-		$cfg_hash->{augmentconfig} = $1;
-	}
-	
-	# Check if the rulesetaugmentconfig file exists and validate it if it does.
-	if( defined( $cfg_hash->{rulesetaugmentconfig} ) )
-	{
-		my $fn = $cfg_hash->{configdir} . '/' . $cfg_hash->{rulesetaugmentconfig};
-		if( -r $fn and -s $fn )
-		{
-			$fn =~ m/^([[:print:]]+)$/;
-			$cfg_hash->{rulesetaugmentconfig} = $1;
-		}
-		else
-		{
-			warn( "rulesetaugmentconfig file at '$fn' is not readable\n" );
-			return( 0 );
-		}
-	}
-	
-	# Check to make sure that sigactiondest is defined and contains valid characters
-	if( ! $cfg_hash->{updateaugment} )
-	{
-		# {brosignaturedest}
-		if( defined( $cfg_hash->{sigactiondest} ) )
-		{
-			if( $cfg_hash eq '' )
-			{
-				# ok, send to stdout
-				$cfg_hash->{sigactiondest} = '';
-			}
-			elsif( my $fn = canwritefile( $cfg_hash->{sigactiondest} ) )
-			{
-				$cfg_hash->{sigactiondest} = $fn;
-			}
-			else
-			{
-				warn( "No valid --sigactiondest, unable to continue.\n" );
-				return( undef );
-			}
-		}
-		else
-		{
-			warn( "No filename specified for --sigactiondest\n" );
-			return( undef );
-		}
-	}
-	
-	# Check to make sure that brosignaturedest is defined and contains valid characters
-	if( ! $cfg_hash->{updateaugment} )
-	{
-		if( defined( $cfg_hash->{brosignaturedest} ) )
-		{
-			if( $cfg_hash eq '' )
-			{
-				# ok, send to stdout
-				$cfg_hash->{brosignaturedest} = '';
-			}
-			elsif( my $fn = canwritefile( $cfg_hash->{brosignaturedest} ) )
-			{
-				$cfg_hash->{brosignaturedest} = $fn;
-			}
-			else
-			{
-				warn( "No valid --brosignaturedest, unable to continue.\n" );
-				return( undef );
-			}
-		}
-		else
-		{
-			warn( "No filename specified for --brosignaturedest\n" );
-			return( undef );
-		}
-	}
-	
-	return( 1 );
-}
-
-sub getignorerules
-{
-	my $sub_name = 'getignorerules';
-	
-	my $cfg_hash = shift || return( undef );
-	my $ret_hash_ref = {};
-	
-	if( ref( $cfg_hash->{ignoresnortrulesets} ) eq 'HASH' )
-	{
-		foreach my $rule_name( keys( %{$cfg_hash->{ignoresnortrulesets}} ) )
-		{
-			$ret_hash_ref->{$rule_name} = 1;
-		}
-	}
-	elsif( ref( $cfg_hash->{ignoresnortruleset} ) eq 'ARRAY' )
-	{
-		foreach my $rule_name( @{$cfg_hash->{ignoresnortruleset}} )
-		{
-			$ret_hash_ref->{$rule_name} = 1;
-		}
-		
-	}
-	
-	return( $ret_hash_ref );
-}
-
-sub getignoresids
-{
-	my $sub_name = 'getignoresids';
-	
-	# Argument will be a ref to an array of augment objects
-	my $augment_list = shift || return( undef );
-	my $ret_hash_ref = {};
-	
-	if( ref( $augment_list ) eq 'ARRAY' )
-	{
-		foreach my $aug_obj( @{$augment_list} )
-		{
-			if( $aug_obj->active() )
-			{
-				# rule is active
-			}
-			else
-			{
-				# rule is marked as not active
-				my $ignore_sid = $aug_obj->sid();
-				$ret_hash_ref->{$ignore_sid} = 1;
-			}
-		}
-	}
-	else
-	{
-		return( undef );
-	}
-	
-	return( $ret_hash_ref );
-}
-
-sub getsnortrulefiles
-{
-	my $sub_name = 'getsnortrulefiles';
-	
-	my $rules_dir = shift || undef;
-	my $exclusion_hash = shift || {};
-	my @ret_file_list;
-		
-	if( opendir( DIR, $rules_dir ) )
-	{
-		while( my $fn = readdir( DIR ) )
-		{
-			# Make sure that the filename has only sane characters,
-			 # ends with '.rules' , and does not begin with a '.'
-			if( $fn =~ m/^([^.]+[[:print:]]+\.rules)$/ )
-			{
-				# Untaint
-				$fn = $1;
-				
-				# Make sure the file isn't set as ignored in the config
-				if( ! $exclusion_hash->{$fn} )
-				{
-					# expand the filename to it's full path
-					my $full_fn = "$rules_dir/$fn";
-					if( -f $full_fn and -r $full_fn )
-					{
-						push( @ret_file_list, $full_fn );
-						if( $DEBUG > 4 )
-						{
-							warn( "Adding Snort rule file $full_fn to list of rules to convert\n" );
-						}
-					}
-					else
-					{
-						if( $DEBUG > 0 )
-						{
-							warn( "Unable to read Snort rule file $full_fn\n" );
-						}
-						next;
-					}
-				}
-				else
-				{
-					if( $DEBUG > 1 )
-					{
-						warn( "Snort ruleset \'$fn\' is being ignored as specified in the config file\n" );
-					}
-					next;
-				}
-			}
-			else
-			{
-				next;
-			}
-		}
-	}
-	else
-	{
-		warn( "Unable to open Snort ruleset directory for reading at $rules_dir\n" );
-	}
-	
-	return( \@ret_file_list );
-}
-
-sub getsigmap
-{
-	my $sub_name = 'getsigmap';
-	
-	my $sigmapfile = shift || return( undef );
-	my %config;
-	my $conf;
-	
-	if( $conf = Config::General->new( -ConfigFile => $sigmapfile,
-						-LowerCaseNames => 1,
-						-AutoLaunder => 1,
-						-AllowMultiOptions => 'no' ) )
-	{
-		%config = $conf->getall;
-	}
-	else
-	{
-		warn( "Unable to read the sigmapconfig file\n" );
-		return( 0 );
-	}
-	
-	if( $DEBUG > 4 )
-	{
-		warn( "List of default Snort alert classtype to Bro SigAction maps:\n" );
-		while( my( $key, $value ) = each( %config ) )
-		{
-			warn( "'$key' maps to '$value'\n" );
-		}
-	}
-	
-	return( \%config );
-}
-
-sub convertfromsnort
-{
-	my $sub_name = 'convertfromsnort';
-	
-	my $rule_files = shift || return( undef );
-	my $ignore_sids = shift || return( undef );
-	
-	my @converted_rules;
-	
-	foreach my $rule_file( @{$rule_files} )
-	{
-		my $convert = `$SNORT_TO_BRO_PROG 2>/dev/null $rule_file`;
-		if( $DEBUG > 4 )
-		{
-			warn( "SIGNATURES BEGIN for file $rule_file => \n" );
-			warn( $convert || '' . "\n" );
-			warn( "----SIGNATURES END----\n" );
-		}
-		
-		foreach my $sig_block( Bro::Signature::findkeyblocks( $convert ) )
-		{
-			if( ! $sig_block )
-			{
-				next;
-			}
-			
-			if( my $bro_sig_obj = Bro::Signature->new( string => $sig_block ) )
-			{
-				push( @converted_rules, $bro_sig_obj );
-			}
-			else
-			{
-				if( $DEBUG > 0 )
-				{
-					warn( "Failed to create a Bro::Signature for a rule in file $rule_file\n" );
-				}
-			}
-		}
-	}
-		
-	# If successful this returns an array ref of Bro::Signature objects
-	return( \@converted_rules );
-}
-
-sub outputsigactions
-{
-	my $sub_name = 'outputsigactions';
-	
-	my $_sigactions = shift;
-	my $_output_dest = shift || \*STDOUT;
-	
-	# Heading of SigAction table
-	my $tm = scalar( localtime() );
-	print $_output_dest "\# This file was created by s2b.pl on $tm.\n";
-	print $_output_dest "\# This file is dynamically generated each time s2b.pl is" .
-	" run and therefore any \n\# changes done manually will be overwritten.\n\n";
-	print $_output_dest 'redef signature_actions += {' . "\n";
-	
-	while( my( $sigid, $sigaction ) = each( %{$_sigactions} ) )
-	{
-		print $_output_dest '  ["' . 
-			$config->{sigprefix} . 
-			$sigid . 
-			'"] = ' . 
-			$sigaction . 
-			",\n";
-	}
-	
-	# ending of SigAction table
-	print $_output_dest '}; ' . "\n";
-}
-
-sub outputsigs
-{
-	my $sub_name = '';
-	
-	my $_sig_objs = shift;
-	my $_output_dest = shift || \*STDOUT;
-	
-	my $tm = scalar( localtime() );
-	print $_output_dest "\# This file was created by s2b.pl on $tm.\n";
-	print $_output_dest "\# This file is dynamically generated each time s2b.pl is" .
-	" run and therefore any \n\# changes done manually will be overwritten.\n\n";
-	
-	foreach my $sig( @{$_sig_objs} )
-	{
-		print $_output_dest $sig->output( sigprefix => $config->{sigprefix} ), "\n\n";
-	}
-}
-
-sub getrulesetaugment
-{
-	my $sub_name = 'getrulesetaugment';
-	
-	my $raf = shift || return( undef );	# ruleset augment file
-	my $ret_hash;
-	
-	if( $DEBUG > 2 )
-	{
-		warn( "Attempting to parse the ruleset augment file at \'$raf\'\n" );
-	}
-	
-	my $conf = Config::General->new( -ConfigFile => $raf,
-						-LowerCaseNames => 1,
-						);
-	
-	my %config = $conf->getall;
-	
-	while( my( $key, $value ) = each( %config ) )
-	{
-		if( $DEBUG > 2 )
-		{
-			warn( "Looking for augment data for ruleset $key\n" );
-		}
-		
-		if( keys( %{$value} ) > 0 )
-		{
-			while( my( $opt, $opt_val ) = each( %{$value} ) )
-			{
-				$ret_hash->{$key}->{$opt} = $opt_val;
-				if( $DEBUG > 2 )
-				{
-					warn( "  Found option $opt\n" );
-				}
-			}
-		}
-		else
-		{
-			if( $DEBUG > 2 )
-			{
-				warn( "No augment data found\n" );
-			}
-		}
-	}
-	
-	return( $ret_hash );
-}
-
-sub buildaugment
-{
-	my $sub_name = 'buildaugment';
-	
-	my $rulesets = shift || return( undef );
-	my $sigmap = shift || return( undef );
-	my $default_sigaction = shift || $DEFAULT_CONFIG{defaultsigaction};
-	my $ret_aug_objs = {};
-	
-	foreach my $rule_file( @{$rulesets} )
-	{
-		if( open( IN_FILE, $rule_file ) )
-		{
-			my $full_line = '';
-			my $line_num = 0;
-			while( defined( my $line = <IN_FILE> ) )
-			{
-				++$line_num;
-				my $end_of_rule = 0;
-				if( $line =~ m/^[[:space:]]\#/
-					or $line =~ m/^[[:space:]]*$/ )
-				{
-					# ignore this line, it's all comments or whitespace
-					next;
-				}
-				else
-				{
-					if( $line =~ m/^(alert.+)/ )
-					{
-						$line = $1;
-						if( $line =~ m/^(.+?)[[:space:]]*\\[[:space:]]*$/ )
-						{
-							$full_line = join( ' ', $full_line, $1 );
-						}
-						elsif( $full_line )
-						{
-							$full_line = join( ' ', $full_line, $line );
-							$end_of_rule = 1;
-						}
-						else
-						{
-							$full_line = $line;
-							$end_of_rule = 1;
-						}
-					}
-					else
-					{
-						# Snort action is not supported for conversion
-						next;
-					}
-				}
-				
-				if( $end_of_rule )
-				{
-					# Extract the directives section
-					if( $full_line =~ m/\((.+)\)/ )
-					{
-						my $sigaction;
-						my %directive_args;
-						my @new_aug_objs;
-						my $directive_section = $1;
-						my @directives = split( /[[:space:]]*\;[[:space:]]*/, $directive_section );
-						foreach( @directives )
-						{
-							# split the directive name from it's value
-							my( $directive_name, $directive_value ) = split( /:[[:space:]]*/, $_, 2 );
-							if( defined( $directive_name ) and defined( $directive_value ) )
-							{
-								$directive_args{$directive_name} = $directive_value;
-								#print "DIRECTIVE => ", $directive_name;
-								#print ", VALUE => ", $directive_value, "\n";
-							}
-						}
-						
-						# translate the snort event classtype to a Bro SigAction
-						if( $sigmap->{$directive_args{classtype}} )
-						{
-							# ok, found one
-							$sigaction = $sigmap->{$directive_args{classtype}};
-						}
-						else
-						{
-							# Didn't find a mapping, using the default
-							$sigaction = $default_sigaction;
-							
-							if( $DEBUG > 0 )
-							{
-								warn( "No Snort classtype to Bro SigAction mapping found",
-								 " for classtype " . $directive_args{classtype} . " using default",
-								 " of $default_sigaction\n" );
-							}
-						}
-						
-						# create a new augment object with the directive parts
-						 # we are interested in.
-						my $new_aug_obj = Bro::S2b::Augment->new( 
-							'sid' => $directive_args{sid},
-							'snort-rule-file' => $rule_file,
-							'sid-rev' => $directive_args{rev},
-							'comment' => $directive_args{msg},
-							'active' => 'T',
-							'sigaction' => $sigaction,
-							);
-						
-						#print $new_aug_obj->output(), "\n\n";
-						my $new_aug_sigid = $new_aug_obj->sigid();
-						my $new_aug_sid = $new_aug_obj->sid();
-						my $new_aug_rev = $new_aug_obj->rev();
-						if( exists( $ret_aug_objs->{$new_aug_sigid} ) )
-						{
-							if( $DEBUG > 0 )
-							{
-								warn( "Duplicate augment block found for SID number",
-									" $new_aug_sid, rev $new_aug_rev\n" );
-							}
-						}
-						else
-						{
-							$ret_aug_objs->{$new_aug_sigid} = $new_aug_obj;
-						}
-					}
-					else
-					{
-						warn( "Could not find a diretives section for Snort rule in",
-						 " file $rule_file at line $line_num\n" );
-					}
-					
-					$full_line = '';
-					$end_of_rule = 0;
-				}
-			}
-			
-			close( IN_FILE );
-		}
-		else
-		{
-			warn( "Failed to open file $rule_file for reading while trying to",
-				" update the augment file\n" );
-		}
-	}
-	
-	my @ret_vals = values( %{$ret_aug_objs} );
-	
-	return( \@ret_vals );
-}
-
-sub appendaugment
-{
-	my $sub_name = 'appendaugment';
-	
-	my $aug_obj = shift || return( undef );
-	my $filename = shift || return( undef );
-	my @proc_objs;
-	
-	if( ref( $aug_obj ) eq 'ARRAY' )
-	{
-		@proc_objs = @{$aug_obj};
-	}
-	else
-	{
-		$proc_objs[0] = $aug_obj;
-	}
-	
-	if( open( OUTFILE, '>>', $filename ) )
-	{
-		my $tm = scalar( localtime() );
-		print OUTFILE '##########  Start of new augment data created on ' . "$tm\n";
-		foreach my $aug_inst( @proc_objs )
-		{
-			print OUTFILE $aug_inst->output(), "\n\n";
-		}
-		print OUTFILE '##########  End of new augment data created on ' . "$tm\n\n";
-	}
-	else
-	{
-		if( $DEBUG > 0 )
-		{
-			warn( "Unable to open file $filename for writing.\n" );
-		}
-		return( undef );
-	}
-	
-	close( OUTFILE );
-	
-	return( 1 );
-}
-
-
-sub sigidnum
-{
-	# The sidnum is assumed to be the first part before the last '-' 
-	 # and up to but not including '-'
-	 # s2b-123-1   prefix-sidnum-sidrev
-	my $sub_name = 'sigidnum';
-
-	my $sigid = shift || return( undef );
-	my $ret_sid;
-
-	if( $sigid =~ m/([[:digit:]]+)-[[:digit:]]+$/ )
-	{
-		$ret_sid = $1;
-	}
-
-	return( $ret_sid );
-}
-
-sub sigidrev
-{
-	# The sidrev is assumed to be the last part of the sigid after a '-'
-	 # s2b-123-1   prefix-sidnum-sidrev
-	my $sub_name = 'sigidrev';
-
-	my $sigid = shift || return( undef );
-	my $ret_rev;
-
-	if( $sigid =~ m/[[:digit:]]+-([[:digit:]]+)$/ )
-	{
-		$ret_rev = $1;
-	}
-
-	return( $ret_rev );
-}
-
-sub canwritefile
-{
-	my $sub_name = 'canwritefile';
-	
-	my $filename = shift;
-	my $ret_fn;
-	
-	if( $filename =~ m/^([[:print:]]+)$/ )
-	{
-		my $fn = $1;
-		my $dir = $fn;
-		$dir =~ s/[^\/]+$//;
-		if( length( $dir ) < 1 )
-		{
-			$dir = './';
-		}
-
-		# Check to make sure that the file can be created/written to.
-		# Does the file already exist and can be written to
-		if( -w $fn )
-		{
-			# ok.
-			$ret_fn = $fn;
-		}
-		# Is the directory writtable
-		elsif( -d $dir and -w $dir )
-		{
-			# ok.
-			$ret_fn = $fn;
-		}
-		# Blow chunks
-		else
-		{
-			warn( "Unable to create or modify file '$fn'\n" );
-		}
-	}
-	else
-	{
-		warn( "Filename contains non-printable characters and is invalid.\n" );
-	}
-	
-	return( $ret_fn );
-
-}
-
-sub usage
-{
-	my $sub_name = 'usage';
-	
-	my $usage_text = copyright();
-	$usage_text = qq~$usage_text
-
-Options passed to the program on the command line 
-Command line reference
-  --configdir         Directory containing the various configuration files
-  --mainconfig        Main configuration file
-  --augmentconfig     Filename of System Augment Config file
-  --useraugmentconfig Filename of the User Augment Config file
-  --rulesetaugmentconfig
-                      Filename of the Ruleset Augment Config file
-  --sigmapconfig      Filename of Mappings for Snort alert classtype to 
-                      Bro SigAction
-  --brosignaturedest  Filename to write the Bro signatures to
-  --defaultsigaction  Default Bro SigAction 
-  --sigactiondest     Filename to write the SigActions to
-  --snortrulesetdir   Directory containing Snort rules
-  --ignorehostdirection
-                      Ignore Snort connection direction information and
-                      do not include in the Bro signature. default 'true'
-  --updateaugment     Build or update the s2b-augment.cfg file using rulesets
-                      found in --snortrulesdir 
-  --usage|--help|-h   Summary of command line options
-  --debug|-d          Specify the debug level from 0 to 5. default 1
-  --version           Output the version numberto STDOUT
-  --copyright         Output the copyright info to STDOUT
-  
-~;
-	
-	return( $usage_text );
-}
-
-sub version
-{
-	my $sub_name = 'version';
-	
-	return( $VERSION );
-}
-
-sub copyright
-{
-	my $sub_name = 'copyright';
-	
-	my $copyright =
-qq~s2b.pl
-version $VERSION, Copyright (C) 2004 Lawrence Berkeley National Labs, NERSC
-Written by Roger Winslow~;
-	
-	return( $copyright );
-}
-
diff --git a/scripts/s2b/bin/snort2bro b/scripts/s2b/bin/snort2bro
deleted file mode 100755
index 8c88033e81..0000000000
--- a/scripts/s2b/bin/snort2bro
+++ /dev/null
@@ -1,1036 +0,0 @@
-#!/usr/bin/python
-
-import sys
-import re
-import getopt
-import os.path
-import struct
-
-# FIXME: Not all of the implemented Snort options are really tested...
-
-snortcmd       = re.compile( "(preprocessor|include|var|config|alert|log|pass|activate|dynamic|output)\s*:?\s*(.*)" )
-snortrule      = re.compile( "(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+\((.*)\)" )
-snortopt       = re.compile( r"([a-zA-Z_]+)\s*(:\s*(([^;]|(?<=\\);)+)|);" )
-
-snortipre      = "(\d+\.\d+\.\d+\.\d+(/\d+)?)"
-snortip        = re.compile( "(!)?%s" % snortipre )
-snortiplist    = re.compile( "(!)?\[(%s(,%s)*)\]" % ( snortipre,snortipre ) )
-snortport      = re.compile( "(!)?(\d+)" )
-snortportrange = re.compile( "(!)?(\d+)?:(\d+)?" )
-snortval       = re.compile( "([<>=!]?) *(\d+)" )
-snortvalrange  = re.compile( "(\d+)? *- *(\d+)?" )
-snortbytecode  = re.compile( r"\\\|\s*(([a-fA-F0-9]{2}\s*)+)\s*\\\|" ) # "|" are quoted when we do the match
-snorthex       = re.compile( "(..) *" )
-snortquote     = re.compile( r"\\(.)" )
-snortalpha     = re.compile( r"(\\x[a-fA-F0-9]{2}|[A-Za-z])" )
-snortrpc       = re.compile( r"((\d)+|\*) *, *((\d)+|\*) *, *((\d)+|\*)" )
-
-snortsid       = re.compile( "sid: *(\d+)" )
-snortrev       = re.compile( "rev: *(\d+)" )
-
-# Mapping of Snort's variables to Bro's
-#     <snort> -> ( <bro>, <invert> )
-MapVars = {
-    "external_net": ( "local_nets", 1 ),
-    "home_net": ( "local_nets", 0 ),
-    "http_servers": ( "http_servers", 0 ),
-    "http_ports": ( "http_ports", 0 ),
-    "oracle_ports": ( "oracle_ports", 0 ),
-    "smtp_servers": ( "smtp_servers", 0 ),
-    "sql_servers": ( "sql_servers", 0 ),
-    "telnet_servers": ( "telnet_servers", 0 ),
-    "aim_servers": ( "aim_servers", 0 ),
-    "shellcode_ports": ( "non_shellcode_ports", 1 ),
-}
-
-# Mapping of variables to content
-SnortVars = {}
-
-# List of tuples (file,linenr) for all not fully processed input files:
-Inputs = []
-
-# Last input line read
-RawInputLine = ""
-
-# Counts Snort rules without SID
-UnknownCount = 0
-
-# There may be some rules for which it don't make sense to translate them. We ignore them.
-IgnoreSIDs = {}
-
-# Always include these signatures, even if they would be ignored with option -c.
-AlwaysIncludeSIDs = {}
-
-def error( str ):
-    if Inputs:
-        if RawInputLine:
-            print >>sys.stderr, ">>", RawInputLine,
-            if RawInputLine[-1] != "\n":
-                print >>sys.stderr
-        print >>sys.stderr, "Error in %s, line %d: %s" % ( Inputs[0][0].name, Inputs[0][1], str )
-
-    else:
-        print >>sys.stderr, "Error:", str
-    sys.exit( 1 )
-
-def warning( str ):
-    if Inputs:
-        if RawInputLine:
-            print >>sys.stderr, ">>", RawInputLine,
-            if RawInputLine[-1] != "\n":
-                print >>sys.stderr
-        print >>sys.stderr, "Warning in %s, line %d: %s" % ( Inputs[0][0].name, Inputs[0][1], str )
-    else:
-        print >>sys.stderr, "Warning:", str
-
-# Converts Snort-like globs into regexp chars
-def replaceGlobs( str ):
-    # Note that the globs are quoted when we see them here
-    # FIXME: If the original pattern contains a "\?" or "\*" it
-    # will be converted as well.
-    str = str.replace( "\\*", ".*" )
-    str = str.replace( "\\?", "." )
-    return str
-
-# Replaces Snort-like bytecodes by \x.. sequences
-def replaceByteCodes( str ):
-    return snortbytecode.sub( lambda bytecode: snorthex.sub( "\\x\\1", bytecode.group( 1 ) ), str )
-
-# Removes Snort's \ quotations
-def removeQuotes( str ):
-    return snortquote.sub( "\\1", str )
-
-# Quotes all '"'
-def quoteStr( str ):
-    return str.replace( "\"", "\\\"" )
-
-# Translates all alphabetical characters to case-insensitive classes
-def makeCaseInsensitive( str ):
-
-    def replaceby( match ):
-        s = match.group( 1 )
-        # Do not change hex codes
-        if s.startswith( "\\x" ):
-            return s
-        return "[%s%s]" % ( s.lower(), s.upper() )
-
-    str = snortalpha.sub( replaceby , str )
-    return str
-
-# Insert some special variants/character classes for URIs
-#     - "/ -> [/\]"
-def makeURIPattern( str ):
-    str = str.replace( "\\/", "[\\/\\\\]" )
-    return str
-
-# Escapes all regex control characters  so that it can be safely used as a regex
-def escapeCtrl( str ):
-    re = ""
-    for i in str:
-        if "^$|.*+?[](){}/\"\\".find( i ) >= 0:
-            i = "\\" + i
-        re += i
-    return re
-
-# Converts a Snort pattern into a RE
-# If icase==1, constructs an case-insensitive regex.
-# If uri==1, creates some special things for URIs (see above)
-# If glob==1, the pattern is a Snort-like "regex" glob
-# If negate==1, the pattern is negated
-# If neglen>0, it's the number of character which are *not* allowed to match the negated pattern
-#
-# FIXME: We should use a more sophisticated parser here
-#
-def patternToRE( str, icase, uri, globs, negate, neglen ):
-
-    if negate:
-        if patternLength( str ) > 1:
-            warning( "Can\'t negate patterns with more than one character" )
-            return "<willnevermatch>"
-        str = "[^%s]" % replaceByteCodes( escapeCtrl( str ) )
-
-        if neglen > 0:
-            return str + "{%d}" % neglen
-        else:
-            return str + "*"
-
-    str = removeQuotes( str )
-    str = escapeCtrl( str )
-    if globs:
-        str = replaceGlobs( str )
-    str = replaceByteCodes( str )
-
-    if uri:
-        str = makeURIPattern( str )
-
-    if icase:
-        str = makeCaseInsensitive( str )
-
-    return str
-
-# Counts the number chars in the Snort pattern
-def patternLength( str ):
-    str = removeQuotes( str )
-    str = escapeCtrl( str )
-    str = replaceByteCodes( str )
-
-    count = 0
-    esc = 0
-
-    for c in str:
-        if c == "\\" and not esc:
-            esc = 1
-            continue
-
-        if esc and c == "x":
-            count -= 2
-
-        esc = 0
-        count += 1
-
-    return count
-
-# Parse a Snort variable declaration
-def parseVar( decl ):
-    ( key, value ) = decl.split()
-    SnortVars[ "$"+key ] = value
-
-# Perform Snort's variable expansion
-def expandVars( str ):
-    for ( key, value ) in SnortVars.items():
-        str = str.replace( key, value )
-    return str
-
-# Parse Snort's rule options
-def parseRuleOptions( str ):
-
-    options = {}
-
-    m = snortopt.findall( str )
-
-    lastcontent = None
-    depth = distance = negate = nocase = offset = regex = within = -1
-
-    negpattern = -1
-
-#    print str
-
-    for ( b1, b2, b3, b4 ) in m:
-        if b2:
-            val = b3
-            if val[0] == "!":
-                negpattern = 1
-                val = val[1:]
-            if len( val ) >= 2:
-                if val[0] == '"' and val[-1] == '"':
-                    val = val[1:-1]
-        else:
-            val = ""
-
-        # Note that there may be more than one depth/offset per rule.
-        # Each depth/offset/regex affects exactly that content which precedes it.
-        # It's illegal to have a depth/offset/regex before a content.
-        # That is all undocumented.
-        # ... !@#$%^&* ...
-
-        option = b1.lower()
-
-        if option == "content":
-
-            if not lastcontent:
-                lastcontent = val
-                continue
-
-            oldval = val
-            val = ( lastcontent, depth, distance, negate, nocase, offset, regex, within )
-            depth = distance = negate = nocase = offset = regex = within = -1
-            negate = negpattern
-            lastcontent = oldval
-
-        elif option == "depth":
-            depth = int( val )
-            continue
-
-        elif option == "distance":
-            distance = int( val )
-            continue
-
-        elif option == "within":
-            within = int( val )
-            continue
-
-        elif option == "offset":
-            offset = int( val )
-            continue
-
-        elif option == "regex":
-            regex = 1
-            continue
-
-        elif option == "nocase":
-            nocase = 1
-            continue
-
-        try:
-            options[ option ] += [ val ]
-        except LookupError:
-            options[ option ] = [ val ]
-
-    if lastcontent:
-        try:
-            options[ "content" ] += [ ( lastcontent, depth, distance, negate, nocase, offset, regex, within ) ]
-        except LookupError:
-            options[ "content" ] = [ ( lastcontent, depth, distance, negate, nocase, offset, regex, within ) ]
-
-    return options
-
-# Parses a list of IPs in Snort's format
-def parseIP( ip ):
-
-    # See if it's an unexpanded var.
-    if ip.startswith( "$" ):
-        try:
-            ( brovar, neg ) = MapVars[ ip[1:] ]
-            return ( neg, [brovar] )
-        except LookupError:
-            error( "Unknown variable " + ip )
-
-    m = snortip.match( ip )
-    if m:
-        ips = ( m.group( 2 ), )
-    else:
-        m = snortiplist.match( ip )
-        if m:
-            ips = m.group( 2 ).split( "," )
-        else:
-            error( "Can\'t parse IP " + ip )
-
-    if m.group( 1 ) != "!":
-        return( 0, ips )
-    else:
-        return( 1, ips )
-
-# Parses a list of ports in Snort's format
-def parsePort( port ):
-
-    # See if it's an unexpanded var.
-    if port.startswith( "$" ):
-        try:
-            ( brovar, neg ) = MapVars[ port[1:] ]
-            return ( neg, brovar, brovar )
-        except LookupError:
-            error( "Unknown variable " + port )
-
-    m = snortportrange.match( port )
-    if m:
-        try:
-            min = int( m.group( 2 ) )
-        except TypeError:
-            min = 0
-        try:
-            max = int( m.group( 3 ) )
-        except TypeError:
-            max = 65535
-    else:
-        m = snortport.match( port )
-        if m:
-            min = max = int( m.group( 2 ) )
-        else:
-            error( "Can\'t parse port " + port )
-
-    if m.group( 1 ) != "!":
-        return( 0, min, max )
-    else:
-        return( 1, min, max )
-
-######
-
-# Convert the common head of a Snort rule
-def convertHead( prot, srcip, srcport, dstip, dstport ):
-
-    rule = ""
-
-    # Convert IP protocol
-    if prot.lower() != "ip":
-	rule += "  ip-proto == %s\n" % prot.lower()
-
-    # Convert IPs
-    for ( tag, ip ) in ( ( "src-ip", srcip ), ( "dst-ip", dstip ) ):
-        if ip != "any":
-            ( negate, iplist ) = parseIP( ip )
-            if not negate:
-                cmp = "=="
-            else:
-                cmp = "!="
-
-            rule += "  %s %s %s\n" % ( tag, cmp, ",".join( iplist ) )
-
-    # Convert Ports
-    for ( tag, port ) in ( ( "src-port", srcport ), ( "dst-port", dstport ) ):
-        if port != "any":
-            ( negate, min, max ) = parsePort( port )
-            if min == max:
-                if not negate:
-                    cmp = "=="
-                else:
-                    cmp = "!="
-                rule += "  %s %s %s\n" % ( tag, cmp, min )
-            else:
-                if not negate:
-                    cmp1 = ">="
-                    cmp2 = "<="
-                else:
-                    cmp1 = "<"
-                    cmp2 = ">"
-
-                rule += "  %s %s %s\n" % ( tag, cmp1, min )
-                rule += "  %s %s %s\n" % ( tag, cmp2, max )
-
-    return rule
-
-# Converts one of Snort's bit strings (like "A+" for "flags")
-def convertBitSet( str, bitspecs, hdrfield, fieldmask ):
-
-    # Split into flags and mask
-    parts = str.split(",")
-    if len(parts) > 1:
-        ( str, snortmask ) = parts
-        # FIXME: We ignore the mask for now. This would again need some
-        # digging in Snort's source as I don't really understand what they
-        # are doing...
-        
-    # This is not strictly Snort conforming but works as long as the
-    # flag string is not ambigious.
-
-    type = ""
-    mask = 0
-    for c in str:
-        if "+!*".find( c ) >= 0:
-            type = c
-            continue
-        try:
-            mask |= bitspecs[c]
-        except LookupError:
-            error( "Unknown bit in \"%s\"" % str )
-
-    if type == "":
-        # Snort's default is check for equality (undocumented)
-        rule = "  %s & %d == %d\n" % ( hdrfield, fieldmask, mask )
-    if type == "+":
-        rule = "  %s & %d == %d\n" % ( hdrfield, ( mask | fieldmask ), mask )
-    if type == "*":
-        rule = "  %s & %d != 0\n" % ( hdrfield, ( mask | fieldmask ) )
-    if type == "!":
-        rule = "  %s & %d == 0\n" % ( hdrfield, ( mask | fieldmask ) )
-
-    return rule
-
-# Converts a test for a value which may include some range (e.g. "<5", "21-42")
-def convertVal( str, hdrfield ):
-
-    m = snortvalrange.match( str )
-    if m:
-        try:
-            min = int( m.group( 1 ) )
-        except TypeError:
-            min = 0
-        try:
-            max = int( m.group( 2 ) )
-        except TypeError:
-            max = -1
-
-        rule = ""
-        if min > 0:
-            rule += "  %s >= %d\n" % ( hdrfield, min )
-        if min >= 0:
-            rule += "  %s <= %d\n" % ( hdrfield, max )
-        return rule
-
-    m = snortval.match( str )
-    if m:
-        val = int( m.group( 2 ) )
-        cmp = m.group( 1 )
-
-        if cmp == "<" or cmp == ">":
-            return "  %s %s %d\n" % ( hdrfield, cmp, val )
-        if cmp == "!":
-            return "  %s != %d\n" % ( hdrfield, val )
-        if cmp == "" or cmp == "=":
-            return "  %s == %d\n" % ( hdrfield, val )
-
-    error( "Can\'t parse value \"%s\"" % str )
-
-# Convert one value of the RPC triple into a RE
-def convertRPCVal( str ):
-    if str == "*":
-        return "."
-    else:
-        # Convert value to hex pattern in network bye order
-        val = struct.pack( "!I", int( str ) )
-        return ( "\\x%02x" * 4 ) % struct.unpack( "BBBB", val )
-
-# Sanity check to see if the two protocols match
-def checkProt( testprot, option, ruleprot ):
-    if testprot != ruleprot:
-        error( "Option \"%s\" only valid for %s rules" % ( option, testprot.upper() ) )
-
-def convertOptions( options, prot ):
-
-    global IsPayloadRule
-    
-    rule = ""
-    payloads = []
-
-    for ( key, vallist ) in options.items():
-
-        if key == "ack":
-            checkProt( "tcp", key, prot )
-            rule += "  header tcp[8:4] == %d\n" % int( vallist[0] )
-
-        elif key == "classtype":
-            pass
-
-        elif key == "content":
-
-           IsPayloadRule = 1
-           
-           for i in range( len( vallist ) ):
-
-                ( content, depth, distance, negate, nocase, offset, regex, within ) = vallist[i]
-
-                # Special case: If have we have a payload size which equals the size of the pattern,
-                # the payload has to match exactly
-
-                prefix = ".*"
-
-                if "dsize" in options.keys():
-                    try:
-                        if patternLength( content ) == int( options["dsize"][0] ):
-                            prefix = ""
-                    except ValueError:
-                        # dsize is something which contains a range; do nothing as
-                        # it's just an optimization after all
-                        pass
-
-                realdepth = depth;
-                realoffset = offset;
-
-                maxdist = 1
-
-                if depth >= 0:
-                    realdepth -= patternLength( content )
-
-                if offset >= 0:
-                    realoffset -= 1
-                    maxdist = 0
-
-                if offset >= 0 and depth >= 0:
-                    realdepth -= offset
-                    maxdist = 1
-
-                if within >= 0:
-                    realdepth += within - patternLength( content ) + 1
-
-                if distance >= 0:
-                    realoffset += distance + 1
-                    maxdist = 0
-
-                if within >= 0 and distance >= 0:
-                    maxdist = 1
-
-                if realdepth < 0 and realoffset <= 0:
-                    re = prefix
-                else:
-                    re = ""
-
-                if realdepth < 0:
-                    realdepth = -1
-
-                if realoffset > 0:
-                    if maxdist:
-                        re += ".{%d}" % realoffset
-                    else:
-                        re += ".{%d}.*" % realoffset
-                elif realoffset == 0 and not maxdist:
-                        re += ".*"
-
-                if realdepth > 0 and negate < 0:
-                    re += ".{0,%d}" % realdepth
-                    maxdist = 1
-
-                re += patternToRE( content, nocase >= 0, 0, regex >= 0, negate >= 0, realdepth + 1 )
-
-                if distance >= 0 or within >= 0:
-                    try:
-                        payloads[-1] += re
-                    except LookupError:
-                        payloads = [ re ]
-                else:
-                    payloads += [ re ]
-
-                if REFile:
-                    print >>REFile, re
-                if PatternFile:
-                    print >>PatternFile, val
-
-        elif key == "depth":
-            # Ignore it here; we test for it when handling content
-            pass
-
-        elif key == "distance":
-            # Ignore it here; we test for it when handling content
-            pass
-
-        elif key == "dsize":
-            rule += convertVal( vallist[0], "payload-size" )
-            pass
-
-        elif key == "flags":
-            checkProt( "tcp", key, prot )
-
-            TCPFlags =  { "F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
-                          "A": 0x10, "U": 0x20, "2": 0x40, "1": 0x80, "0": 0x00 }
-            rule += convertBitSet( "".join( vallist ), TCPFlags, "header tcp[13:1]", 0xff )
-
-        elif key == "flow":
-            checkProt( "tcp", key, prot )
-
-            Flows = { "established" : "established",
-                      "to_server" : "originator",
-                      "to_client" : "responder",
-                      "from_server" : "responder",
-                      "from_client" : "originator",
-                      "stateless" : "stateless"
-                      }
-
-            tcpstate = []
-            for val in vallist:
-                for ( snort, bro ) in Flows.items():
-                    if val.find( snort.lower() ) >= 0:
-                        tcpstate += ( bro, )
-            if tcpstate:
-                rule += "  tcp-state %s\n" % ",".join( tcpstate )
-
-        elif key == "fragbits":
-            FragFlags = { "M": 0x20, "D": 0x40, "R": 0x80 }
-            rule += convertBitSet( "".join( vallist ), FragFlags, "header ip[6:1]", 0xe0 )
-
-        elif key == "icmp_seq":
-            checkProt( "icmp", key, prot )
-            # Check if it's an ECHO or ECHO_REPLY packet
-            # Note Snort's undocumented behaviour: It does check REPLYs
-            # as well, and it does not check the ICMP code
-            rule += "  header icmp[0:1] == 0,8\n"
-            rule += "  header icmp[6:2] == %d\n" % int( vallist[0] )
-
-        elif key == "icmp_id":
-            checkProt( "icmp", key, prot )
-            # Check if it's an ECHO or ECHO_REPLY packet
-            # Note Snort's undocumented behaviour: It does check REPLYs
-            # as well, and it does not check the ICMP code
-            rule += "  header icmp[0:1] == 0,8\n"
-            rule += "  header icmp[4:2] == %d\n" % int( vallist[0] )
-
-        elif key == "icode":
-            checkProt( "icmp", key, prot )
-            rule += "  header icmp[1:1] == %d\n" % int( vallist[0] )
-
-        elif key == "id":
-            rule += "  header ip[4:2] == %d\n" % int( vallist[0] )
-
-        elif key == "ip_proto":
-            rule += convertVal( vallist[0], "header ip[9:1]" )
-
-        elif key == "ipopts":
-            rule += "  ip-options %s\n" % ",".join( vallist ).lower()
-
-        elif key == "itype":
-            checkProt( "icmp", key, prot )
-            rule += "  header icmp[0:1] == %d\n" % int( vallist[0] )
-
-        elif key == "msg":
-            rule += "  event \"%s\"\n" % quoteStr( removeQuotes( " ".join( vallist ) ) )
-
-        elif key == "nocase":
-            # Ignore it here; we test for it when handling content
-            pass
-
-        elif key == "offset":
-            # Ignore it here; we test for it when handling content
-            pass
-
-        elif key == "rawbytes":
-            # We can ignore this as we're always matching raw bytes.
-            pass
-        
-        elif key == "ref":
-            pass
-
-        elif key == "reference":
-            pass
-
-        elif key == "regex":
-            pass
-
-        elif key == "rev":
-            pass
-
-        elif key == "rpc":
-            m = snortrpc.match( vallist[0] )
-            if not m:
-                error( "Can\'t parse RPC values" )
-            ( app, proc, version ) = ( m.group( 1 ), m.group( 3 ), m.group( 5 ) )
-
-            # The Snort rule set has only explicit UDP/TCP rules containg
-            # "rpc" but no general IP rules. So we use the rule type
-            # to decide whether we check for UDP- or TCP-style RPC
-            #
-            # Snort only looks at calls, but not on replies (undocumented)
-            # Snort validates the RPC_MSG_VERSION (undocumented)
-            if prot == "udp":
-                off = 7
-            else:
-                checkProt( "tcp", key, prot )
-                off = 11
-
-            # RPC version == 2, Call == 1 \
-            rule += "  payload /" + ( "." * off ) \
-                    + "\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x01"  \
-                    + convertRPCVal( app ) + convertRPCVal( version ) + convertRPCVal( proc ) \
-                    + "/\n"
-
-        elif key == "sameip":
-            rule += "  same-ip\n"
-
-        elif key == "seq":
-            checkProt( "tcp", key, prot )
-            rule += "  header tcp[4:4] == %d\n" % int( vallist[0] )
-
-        elif key == "sid":
-            pass
-        
-        elif key == "rev":
-            pass
-        
-        elif key == "tag":
-            # In Snort, this capture packets of session/host for later analysis.
-            # Unsupported for now, but we could come up with something similar
-            # by passing it on to set_record_contents(). Doesn't affect the
-            # matching, though.
-            pass
-
-        elif key == "ttl":
-            rule += convertVal( vallist[0], "header ip[8:1]" )
-            pass
-
-        elif key == "uricontent":
-            
-           IsPayloadRule = 1            
-            
-           for val in vallist:
-#                if ALTERNATIVE_PATTERNS:
-#                    re = "(|.*\\r\\n\\r\\n)(GET|HEAD|POST) *[^\\n]*%s" % patternToRE( val, "nocase" in options.keys(), 1, 0 )
-#                else:
-#                    re = "(GET|HEAD|POST) *[^\\n]*%s" % patternToRE( val, "nocase" in options.keys(), 1, 0 )
-#
-#                rule += "  payload /%s/\n" % re
-
-                if ALTERNATIVE_PATTERNS:
-                    re = "(|.*\\r\\n\\r\\n)(GET|HEAD|POST) *[^\\n]*%s" % patternToRE( val, "nocase" in options.keys(), 1, 0, 0, 0 )
-                    rule += "  payload /%s/\n" % re
-                else:
-                    re = ".*%s" % patternToRE( val, "nocase" in options.keys(), 1, 0, 0, 0 )
-                    rule += "  http /%s/\n" % re
-
-
-
-                if REFile:
-                    print >>REFile, re
-                if PatternFile:
-                    print >>PatternFile, val
-
-        elif key == "within":
-            # Ignore it here; we test for it when handling content
-            pass
-
-        else:
-            warning( "Option '%s' not supported currently; ignored" % key )
-            rule += "  # Not supported: %s: %s\n" % ( key, ",".join( vallist ) )
-
-    for p in payloads:
-        rule += "  payload /%s/\n" % p
-
-    return rule
-
-def parseAlert( rule ):
-
-    global UnknownCount
-    global IsPayloadRule
-
-    IsPayloadRule = 0
-    
-    m = snortrule.match( rule )
-    if not m:
-        error( "Can\'t parse alert rule" )
-
-    fields = m.groups()
-
-    ( prot, srcip, srcport, dir, dstip, dstport ) = map( lambda s: s.lower(), fields[0:6] )
-
-    options = parseRuleOptions( fields[6] )
-
-    try:
-        sid = options["sid"][0]
-        rev = options["rev"][0]
-        try:
-            if int( sid ) in  IgnoreSIDs:
-                return
-#            id = "sid-" + sid
-# 2004-06-21, rwinslow, Added rev level for sid
-            id = sid + "-" + rev
-        except ValueError:
-            id = sid
-
-    except LookupError:
-        id = "sid-unknown-%d" % UnknownCount
-        UnknownCount += 1
-
-    try:
-        # Create rules depending on the direction; for "<>" we simply create
-        # two rules
-
-        #if dir == "<>":
-        #    id1 = id + "-a"
-        #    id2 = id + "-b"
-        #else:
-        #    id1 = id2 = id
-				
-				id1 = id2 = id
-				
-				if dir == "<>":
-						rule = "signature %s {\n" % id1
-						rule += convertHead( prot, "any", dstport, "any", srcport )
-						rule += convertOptions( options, prot )
-						
-						if not PAYLOAD_ONLY or IsPayloadRule or id in AlwaysIncludeSIDs:
-							print rule + "  }\n"
-				else:
-						if dir != "->":
-								rule = "signature %s {\n" % id1
-								rule += convertHead( prot, dstip, dstport, srcip, srcport )
-								rule += convertOptions( options, prot )
-								
-								if not PAYLOAD_ONLY or IsPayloadRule or id in AlwaysIncludeSIDs:
-										print rule + "  }\n"
-
-						if dir != "<-":
-								rule = "signature %s {\n" % id2
-								rule += convertHead( prot, srcip, srcport, dstip, dstport )
-								rule += convertOptions( options, prot )
-								
-								if not PAYLOAD_ONLY or IsPayloadRule or id in AlwaysIncludeSIDs:
-										print rule + "  }\n"
-        	
-
-    except LookupError, e:
-        error( "Can\'t convert rule: " + str( e ) )
-
-#### Main
-
-# Use some alternative patterns
-ALTERNATIVE_PATTERNS = 0
-# If PatternFile is a file, all content/uricontent patterns are written to it
-PatternFile = 0
-# If REFile is a file, all REs generated from content/uricontent patterns are written to it
-REFile = 0
-# Directories where to look for include's
-INCPATH = [ "./" ]
-# Only include signatures which match contain payload/uricontent
-# (Exceptions can be defined in AlwaysIncludeSIDs)
-PAYLOAD_ONLY = 0
-
-# Number of Snort rules to output (no conversion to Bro format)
-SnortRules = -1
-
-# Total number of rules
-TotalRules = 0
-
-def openInputFile( filename ):
-
-    for i in INCPATH:
-        try:
-            fullpath =  os.path.join( i, filename )
-            file = open( fullpath )
-            print >>sys.stderr, "Reading", fullpath
-            return file
-        except IOError:
-            pass
-
-    error( "Can\'t find file %s" % filename )
-
-def ReadConfig( file ):
-    
-    try:
-        cfg = open( arg )
-        for line in cfg:
-            
-            line = line.strip()
-            if len( line ) == 0 or line.startswith("#"):
-                continue
-
-            try:
-                ( action, sid ) = line.split()
-                sid = int( sid )
-            except ValueError:
-                print >>sys.stderr, "Warning: illegal format '%s'" % line
-                continue
-            
-            if action == "ignoresid":
-                IgnoreSIDs[sid] = 1
-                
-    except IOError:
-        print >>sys.stderr, "Warning: Can't read config file %s" % arg
-                
-def usage():
-    print >>sys.stderr
-    print >>sys.stderr, "Usage: snort2bro [<options>] [<snort-files>] "
-    print >>sys.stderr
-    print >>sys.stderr, "  Options:"
-    print >>sys.stderr
-    print >>sys.stderr, "    -c <file>: File containing signature in-/excludes"
-    print >>sys.stderr, "    -p       : Only include signatures which match on payload"
-    print >>sys.stderr, "    -I <dir> : Add dir to search path for Snort\'s include statement"
-    print >>sys.stderr
-    print >>sys.stderr, "    -P       : Write all patterns to patterns.txt and "
-    print >>sys.stderr, "               all generared REs to res.txt"
-    print >>sys.stderr, "    -S <n>   : No conversion; just print out one big Snort config file"
-    print >>sys.stderr, "               containing the first <n> rules"
-    print >>sys.stderr, "    -X       : Produce some alternate REs"
-
-    print >>sys.stderr
-    sys.exit( 1 )
-
-try:
-    options, rest = getopt.getopt( sys.argv[1:], "XPI:S:pc:" )
-except:
-    usage()
-
-for( opt, arg ) in options:
-    if opt == "-X":
-        ALTERNATIVE_PATTERNS = 1
-
-    if opt == "-P":
-        PatternFile = open( "patterns.txt", "w" );
-        REFile = open( "res.txt", "w" );
-
-    if opt == "-I":
-        INCPATH += [ arg, ]
-
-    if opt == "-S":
-        SnortRules = int( arg )
-
-    if opt == "-p":
-        PAYLOAD_ONLY = 1
-
-    if opt == "-c":
-        ReadConfig( arg )
-        
-if len( rest ):
-    Inputs = [ ( openInputFile( file ), 0 ) for file in rest ]
-else:
-    Inputs = [ ( sys.stdin, 0 ) ]
-
-continued = False
-
-while Inputs:
-
-    if not continued:
-        line = ""
-    
-    RawInputLine = Inputs[0][0].readline()
-    if not RawInputLine:
-        Inputs = Inputs[1:]
-        continue
-
-    single_line = RawInputLine.strip()
-    
-    # Increase line count
-    Inputs[0] = ( Inputs[0][0], Inputs[0][1] + 1 )
-
-    # Continuation of lines
-    if single_line.endswith("\\"):
-        line += single_line[:-1]
-        continued = True
-        continue
-
-    line += single_line
-    continued = False
-
-    # Empty or comments
-    if not line or line.startswith( '#' ):
-        continue
-            
-    line = expandVars( line )
-
-    m = snortcmd.match( line )
-    if not m:
-        error( "Can\'t parse line " + line )
-
-    cmd = m.group( 1 )
-    args = m.group( 2 )
-
-    if cmd == "include":
-        Inputs = [ ( openInputFile( args ), 0 ) ] + Inputs
-        continue
-
-    if cmd == "var":
-        parseVar( args )
-
-    if cmd == "alert":
-        TotalRules += 1
-
-    if SnortRules >= 0:
-
-        noprint = 0
-
-        if cmd == "alert":
-
-            for i in IgnoreSIDs:
-                m = snortsid.search( args )
-                if m and int( m.group( 1 ) ) == i:
-                    noprint = 1
-                    
-            if SnortRules == 0:
-                noprint = 1
-
-            if not noprint:
-                SnortRules -= 1
-
-        if not noprint:
-            print RawInputLine,
-
-        continue
-
-    if cmd == "var":
-        continue
-
-    if cmd == "alert":
-        parseAlert( args )
-        continue
-
-    if cmd == "output":
-        continue
-
-    if cmd == "preprocessor":
-        continue
-
-    if cmd == "config":
-        # FIXME: Should we convert this to Bro?
-        continue
-
-    warning( "'%s' is not supported yet; line ignored." % cmd )
-
-
-# Options -S returns the number of rules as exit code
-if SnortRules >= 0:
-    print >>sys.stderr, TotalRules
diff --git a/scripts/s2b/bro-include/Makefile.am b/scripts/s2b/bro-include/Makefile.am
deleted file mode 100644
index a76ae0e922..0000000000
--- a/scripts/s2b/bro-include/Makefile.am
+++ /dev/null
@@ -1,4 +0,0 @@
-## Process this file with automake to produce Makefile.in
-
-EXTRA_DIST = sig-addendum.sig sig-functions.bro
-
diff --git a/scripts/s2b/bro-include/sig-addendum.sig b/scripts/s2b/bro-include/sig-addendum.sig
deleted file mode 100644
index e2dadc3367..0000000000
--- a/scripts/s2b/bro-include/sig-addendum.sig
+++ /dev/null
@@ -1,408 +0,0 @@
-# these are translations for pcre -> lex/bro
-#
-#       \w AN and _     : [a-zA-Z_]
-#       \W not \w       : [^a-zA-Z_]
-#       \s whitespace   : [\x20\x09\x0b]
-#       \S not \s       : [^\x20\x09\x0b]
-#       \d numeric      : [0-9]
-#       \D not \d       : [^0-9]
-#
-#
-
-# the sig error also will hold for the 3xx and 5xx series also(?)
-# 304 not modified may be a problem here
-
-signature http_error {
-        ip-proto == tcp
-        src-port == http_ports
-        payload /.*HTTP\/1\.. *[3-5][0-9][0-9]/
-        tcp-state established 
-}
-
-signature http_good {
-        ip-proto == tcp
-        src-port == http_ports
-        payload /.*HTTP\/1\.. *2[0-9][0-9]/
-        tcp-state established
-}
-
-signature http_shell_check {
-        ip-proto == tcp
-        src-port == http_ports
-        # this should filter out most typical references to the various shell commands
-        # from man pages and reference guides
-        payload /((ksh)|(rsh)|(zsh)|(csh)|(tcsh)|(sh)|(bash))[a-zA-Z0-9\x2d\x2e\x5f\x2f]/
-        tcp-state established
-}
-
-signature got_http_root {
-        # this is to get around the 'permission denied' == response
-        # == 200 reply problem for /etc/passwd checking
-        # just a sanity check to see if there is some suggestion of success
-        ip-proto == tcp
-        src-port == 80
-        payload /.*root:.*/
-        tcp-state established
-}
-
-# the following sigs should give some idea of the server software type and
-# version.  This assumes that the configuration has not been changed
-
-signature http_apache_server {
-	ip-proto == tcp
-	src-port == http_ports
-	# this should catch *most* apache instances that are normal
-	# in behavior
-	payload /.*\x0aServer: Apache.*/
-	tcp-state established
-}
-
-signature http_apache1_server {
-        ip-proto == tcp
-        src-port == http_ports
-        # this should catch *most* apache instances that are normal
-        # in behavior
-        payload /.*\x0aServer: Apache\/1\..*/
-        tcp-state established
-}
-
-signature http_apache2_server {
-        ip-proto == tcp
-        src-port == http_ports
-        # this should catch *most* apache instances that are normal
-        # in behavior
-        payload /.*\x0aServer: Apache\/2\..*/
-        tcp-state established
-}
-
-signature http_iis_server {
-	ip-proto == tcp
-	src-port == http_ports
-	payload /.*\x0aServer: Microsoft-IIS.*/
-	tcp-state established
-}
-
-signature http_iis4_server {
-        ip-proto == tcp
-        src-port == http_ports
-        payload /.*\x0aServer: Microsoft-IIS\/4\.0.*/
-        tcp-state established
-}
-
-signature http_iis5_server {
-        ip-proto == tcp
-        src-port == http_ports
-        payload /.*\x0aServer: Microsoft-IIS\/\5\.0.*/
-        tcp-state established
-}
-
-signature http_iis6_server {
-        ip-proto == tcp
-        src-port == http_ports
-        payload /.*\x0aServer: Microsoft-IIS\/\6\.0.*/
-        tcp-state established
-}
-
-signature http_cool_dll {
-  ip-proto == tcp
-  dst-port == http_ports
-  payload /.*cool.dll*./
-  }
-
-########################## client section #
-#
-#        "User-Agent: "
-#        payload /.*\x0a\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20/
-#
-#######
-
-signature http_msie_client {
-	ip-proto == tcp
-	dst-port == http_ports
-	# "User-Agent:...... MSIE #"
-	payload /.*\x0a\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20.{5,30}MSIE\x20[1-9]*./
-	tcp-state established
-}
-
-signature http_real_client {
-	ip-proto == tcp
-	dst-port == http_ports
-	# "User-Agent:.RMA/1.0.(compatible;.RealMedia)"
-	payload /.*\x0a\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x52\x4d\x41\x2f\x31\x2e\x30\x20\x28\x63\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x3b\x20\x52\x65\x61\x6c\x4d\x65\x64\x69\x61\x29*./
-	tcp-state established
-}
-
-
-signature http_opera_client {
-	ip-proto == tcp
-	dst-port == http_ports
-	# "User-Agent: Opera/6.1"
-	payload /.*\x0a\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a.{3,50}\x4f\x70\x65\x72\x61\x2f.*/
-	tcp-state established
-}
-
-signature http_netscape_client {
-	ip-proto == tcp
-	dst-port == http_ports
-	# "User-Agent: ... Netscape/A
-	payload /.*\x0a\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20.{10,90}Netscape\x2f[4-7].*/
-	tcp-state established
-}
-
-signature http_netscape_client4 {
-        ip-proto == tcp
-        dst-port == http_ports
-        # "User-Agent: ... Netscape/A.B
-        payload /.*\x0a\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20.{10,90}Netscape\x2f4\x2e[0-9].*/
-        tcp-state established
-}
-
-signature http_netscape_client7 {
-        ip-proto == tcp
-        dst-port == http_ports
-        # "User-Agent: ... Netscape/A.B - note that for Netscape/7 there is no .X subversion
-        payload /.*\x0a\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20.{10,90}Netscape\x2f7.*/
-        tcp-state established
-}
-
-signature http_netscape_client8 {
-        ip-proto == tcp
-        dst-port == http_ports
-        # "User-Agent: ... Netscape/A.B
-        payload /.*\x0a\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20.{10,90}Netscape\x2f8\x2e[0-9].*/
-        tcp-state established
-}
-
-signature http_moz_client {
-	ip-proto == tcp
-	dst-port == http_ports
-	# "User-Agent: ... rv:A.B ... Gecko/"
-	payload /.*\x0a\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20.{10,70}rv\x3a[0-2]\x2e[0-9].{0,30}Gecko\x2f.*/
-	tcp-state established
-}
-
-signature http_old_gecko_client  {
-        ip-proto == tcp
-        dst-port == http_ports
-        # "User-Agent: ... rv:A.B ... Gecko/"
-        payload /.*\x0a\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20.{10,70}rv\x3a[0-2]\x2e[0-9].{0,30}Gecko\x2f(2000|2001|2002).*/
-        tcp-state established
-}
-
-## end client sigs ##
-
-
-##  ftp based signatures ##
-
-signature got_ftp_root {
-        ip-proto == tcp
-        src-port == 21
-        payload /.*root:.*/
-        tcp-state established
-}
-
-signature got_tftp_root {
-        # this checks to see if a tftp get /etc/passwd or /etc/shadow
-        # actually returns any data.  we assume that root will always
-        # be in the file
-        ip-proto == udp
-        src-port == 69
-        payload /.*root:.*/
-}
-
-# smtp return code checking
-signature smtp_server_ok {
-        ip-proto == tcp
-        src-port == 25
-        payload /. [2-3][0-9][0-9]../ # 2xx-3xx successful
-        tcp-state established
-}
-
-signature smtp_server_pending {
-        ip-proto == tcp
-        src-port == 25
-        payload /.4[0-9][0-9]../  # 4xx failure, ask sender to try later
-        tcp-state established
-}
-
-signature smtp_server_fail {
-        ip-proto == tcp
-        src-port == 25
-        payload /.5[0-9][0-9]../  # 5xx permanent failure
-        tcp-state established
-}       
-
-# ftp server return code information.  a few assumptions made here
-# in theory '150' is a good return, but I skip it here for simplicity
-signature ftp_server_ok {
-        ip-proto == tcp
-        src-port == 21
-        payload /.2[0-9][0-9]../ # 2xx ok
-        tcp-state established
-}
-
-signature ftp_server_error {
-        ip-proto == tcp
-        src-port == 21
-        payload /.5[0-9][0-9]../ # 5xx fail
-        tcp-state established
-}
-
-# snmp return checker - we ought to expect a non-trivial quantity of data for a
-# successful snmp connection
-signature snmp_userver_ok_return {
-        ip-proto == udp
-        src-port >= 161
-        src-port <= 162
-        payload-size > 10
-}
-
-signature snmp_tserver_ok_return {
-        ip-proto == tcp
-        src-port >= 161
-        src-port <= 162
-        payload-size > 10
-        tcp-state established
-}
-
-signature pop_return_ok {
-        ip-proto == tcp
-        src-port >= 109
-        src-port <= 110
-        payload /.\x2bOK/
-        tcp-state established
-}
-
-signature pop_return_error {
-        ip-proto == tcp
-        src-port >= 109
-        src-port <= 110
-        payload /.\x2dERR/
-        tcp-state established
-}
-
-# this series of sigs is provided by CIAC based on suckit rootkit
-# backdoor traffic.  the 'signature' has only been seen on port 22
-# up till now.
-signature sid-ciac-sk1 {
-  ip-proto == tcp
-  event "CIAC-1 suckit backdoor"
-  payload /.*\xd1\xe4\x22\x07\x57\xd3\xa9\x9a\x5a\xd5\xcc\xc7\x9d\xa1\xd5\xc5\xa6\xf1\x6d\x57/
-  }
- 
-signature sid-ciac-sk2 {
-  ip-proto == tcp
-  event "CIAC-2 suckit backdoor"
-  payload /.*\x7c\x83\x3b\x3f\x8a\x80\x59\xbf\x45\xbd\x5f\xf2\xa3\xc9\x36\x85\xa9\xd1\x15\xc3/
-  }
- 
-signature sid-ciac-sk3 {
-  ip-proto == tcp
-  event "CIAC-3 suckit backdoor"
-  payload /.*\x12\xc4\xf6\x62\x55\xe6\x36\xbd\xe4\x65\xbc\x24\xbe\xb0\x50\xac\xe0\xef\x9a\x4f/
-  }
- 
-signature sid-ciac-sk6 {
-  ip-proto == tcp
-  event "CIAC-6 suckit backdoor"
-  payload /.*\xd2\x9b\xec\xe0\x8c\x09\x28\xcb\x05\x60\x1b\xc5\x59\x34\xab\xbd\x56\xd6\x78\xaa/
-  }
- 
-signature sid-ciac-sk7 {
-  ip-proto == tcp
-  event "CIAC-7 suckit backdoor"
-  payload /.*\xdd\xbd\x4c\x7b\x35\x9a\x89\x88\xf0\x0d\xa8\xf1\x44\x67\x7b\xcd\x18\xf0\xe6\x70/
-  }
- 
-signature sid-ciac-sk10 {
-  ip-proto == tcp
-  event "CIAC-10 suckit backdoor"
-  payload /.*\xe7\xa7\x74\xb8\xb9\xfe\x9a\x6e\x6c\xe1\xd5\xde\x5f\x5c\xd5\x9d\x49\x69\x9a\xba/
-  }
-
-signature sid-ciac-sk11 {
-  ip-proto == tcp
-  event "CIAC-11 suckit backdoor"
-  payload /.*\x4b\x56\xde\x0c\x47\xbf\x12\x9f\xc7\x24\x40\x64\x5c\xfd\xa8\x2b\xaf\x3f\x09\xc7/
-  }
-
-signature sid-ciac-sk12 {
-  ip-proto == tcp
-  event "CIAC-12 suckit backdoor"
-  payload /\xe1\xac\x20\x5a\xda\x5a\xf7\x0c\x17\x24\x8e\xc2\x0e\xa0\x0b\xee\x7a\x77\xe0\x64/
-  }
-
-signature sid-ciac-sk13 {
-  ip-proto == tcp
-  event "CIAC-13 suckit backdoor"
-  payload /\xc9\xe9\x36\xa1\xce\xae\x10\x3c\x32\x81\xac\x9b\x01\x81\x5a\x68\x01\x91\x82\xa4/
-  }
-
-signature sid-ciac-sk14 {
-  ip-proto == tcp
-  event "CIAC-14 suckit backdoor"
-  payload /\x45\x2e\xe5\x01\x80\xb0\x0a\xca\xdb\x16\xa1\x8f\xc6\xcd\x97\x60\x92\x44\x93\x16/
-  }
- 
-signature sid-ciac-7 {
-  ip-proto == tcp
-  event "HXDEF 1.0-0.84 backdoor"
-  payload /.*\x01\x9A\x8C\x66\xAF\xC0\x4A\x11\x9E\x3F\x40\x88\x12\x2C\x3A\x4A\x84\x65\x38\xB0\xB4\x08\x0B\xAF\xDB\xCE\x02\x94\x34\x5F\x22\x00*./
-  }
-
-signature sid-ciac-8 {
-  ip-proto == tcp
-  event "HXDEF 0.73 backdoor"
-  payload /.*\x01\xFE\x3C\x6C\x6A\xFF\x99\xA8\x34\x83\x38\x24\xA1\xA4\xF2\x11\x5A\xD3\x18\x8D\xBC\xC4\x3E\x40\x07\xA4\x28\xD4\x18\x48\xFE\x00*./
-}
-
-signature sid-ciac-modrootme-1 {
-  ip-proto == tcp
-  dst-port == http_ports
-  tcp-state established
-  requires-signature ! http_error
-  http /GET root .*/
-}
-
-## end payload 
-
-## misc sigs ##
-signature dest_microsoft_address {
-	dst-ip == 207.46.0.0/16
-}
-
-signature src_microsoft_address {
-	src-ip == 207.46.0.0/16
-}
-
-# experimental phatbot sig
-signature phatbot_sig {
-        ip-proto == tcp
-        dst-port == http_ports
-        http /POST \0x20{1,10}\/ HTTP\/1\.0.*/
-	http /Content-Length: 204800.*/
-        tcp-state established
-	requires-signature ! http_error
-	event "phatbot sig"
-}
-
-signature thinstall_trojan {
-        ip-proto == tcp
-        dst-port == http_ports
-        http /[pP][oO][sS][tT]\x20{1,}\/bi\/servlet\/ThinstallPre/
-        tcp-state established,originator
-        event "ThinstallPre Adware Trojan, personal and machine data theft, successful"
-        # reference: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_REVOP.F&VSect=T
-}
-
-signature bagle-bc {
-	ip-proto == tcp
-	dst-port == http_ports
-	src-ip == local_nets
-	tcp-state established
-	http /[\/][gG]\.[jJ][pP][gG]/
-	event "bagle.bc g.jpg download attempt"
-} 
-
-## end misc ##
-
diff --git a/scripts/s2b/bro-include/sig-functions.bro b/scripts/s2b/bro-include/sig-functions.bro
deleted file mode 100644
index 377b5af395..0000000000
--- a/scripts/s2b/bro-include/sig-functions.bro
+++ /dev/null
@@ -1,278 +0,0 @@
-# series of functions to be used by the signatures
-#
-
-# we see *allot* of odd patch related traffic to and from M$
-const  MS_ADDR_RANGE: set[subnet] &redef;
-redef MS_ADDR_RANGE = { 207.46.0.0/16 };
-
-# the following are all based on the existance of software.bro
-# being loaded
-@ifdef ( software_table )
-function isApache(state: signature_state): bool
-        {
-        local ip = state$conn$id$resp_h;
-
-        if ( ip !in software_table )
-                return F;
-
-        local softset = software_table[ip];
-
-        if ( "Apache" !in softset )
-                return F;
-
-        return T;
-        }
-
-function isApacheLt12(state: signature_state): bool
-        {
-        local ip = state$conn$id$resp_h;
-                                                                                                                                            
-        if ( ip !in software_table )
-                return F;
-                                                                                                                                            
-        local softset = software_table[ip];
-
-        if ( "Apache" !in softset )
-                return F;
-		
-        local safe_version: software_version =
-                [$major = +1, $minor = +2, $minor2 = +0, $addl = ""];
-
-        if ( software_cmp_version(softset["Apache"]$version, safe_version) >= 0 )
-                return F;
- 
-        return T;
-        }
-
-function isApacheLt1322(state: signature_state): bool
-        {
-        local ip = state$conn$id$resp_h;
-                                                                                               
-                                                                                               
-        if ( ip !in software_table )
-                return F;
-                                                                                               
-                                                                                               
-        local softset = software_table[ip];
-        
-        if ( "Apache" !in softset )
-                return F;
-		
-        local safe_version: software_version =
-                [$major = +1, $minor = +3, $minor2 = -22, $addl = ""];
-                                                                                               
-        if ( software_cmp_version(softset["Apache"]$version, safe_version) >= 0 )
-                return F;
-                                                                                               
-        return T;
-        }
-
-function isApacheLt1325(state: signature_state): bool
-        {
-        local ip = state$conn$id$resp_h;
-                                                                                               
-                                                                                               
-        if ( ip !in software_table )
-                return F;
-                                                                                               
-                                                                                               
-        local softset = software_table[ip];
-                                                                                               
-        if ( "Apache" !in softset )
-                return F;
-		
-        local safe_version: software_version =
-                [$major = +1, $minor = +3, $minor2 = -25, $addl = ""];
-                                                                                               
-        if ( software_cmp_version(softset["Apache"]$version, safe_version) >= 0 )
-                return F;
-                                                                                               
-        return T;
-        }
-
-
-
-function isNotApache(state: signature_state): bool
-        {
-        local ip = state$conn$id$resp_h;
- 
-        if ( ip !in software_table )
-                return F;
- 
-        local softset = software_table[ip];
- 
-        if ( "Apache" !in softset )
-                return T;
-
-        return F;
-        }
-
-
-function isIIS(state: signature_state): bool
-        {
-        local ip = state$conn$id$resp_h;
- 
-        if ( ip !in software_table )
-                return F;
- 
-        local softset = software_table[ip];
- 
-        if ( "IIS" !in softset )
-                return F;
-
-        return T;
-        }
-
-function isNotIIS(state: signature_state): bool
-        {
-        local ip = state$conn$id$resp_h;
- 
-        if ( ip !in software_table )
-                return F;
- 
-        local softset = software_table[ip];
- 
-        if ( "IIS" !in softset )
-                return T;
- 
-        return F;
-        }
-
-function isMSIE(state: signature_state): bool
-        {
-        local ip = state$conn$id$resp_h;
- 
-        if ( ip !in software_table )
-                return F;
- 
-        local softset = software_table[ip];
- 
-        if ( "MSIE" !in softset )
-                return F;
- 
-        return T;
-        }
-
-function isNotMSIE(state: signature_state): bool
-        {
-        local ip = state$conn$id$resp_h;
-
-        if ( ip !in software_table )
-                return F;
-
-        local softset = software_table[ip];
-
-        if ( "MSIE" !in softset )
-                return T;
-
-        return F;
-        }
-
-
-function isMozilla(state: signature_state): bool
-        {
-        local ip = state$conn$id$resp_h;
-
-        if ( ip !in software_table )
-                return F;
-
-        local softset = software_table[ip];
-
-        if ( "Mozilla" !in softset )
-                return F;
-
-        return T;
-        }
-
-function isNotMozilla(state: signature_state): bool
-        {
-        local ip = state$conn$id$resp_h;
-
-        if ( ip !in software_table )
-                return F;
-
-        local softset = software_table[ip];
-
-        if ( "Mozilla" !in softset )
-                return T;
-
-        return F;
-        }
-
-function isRealMedia(state: signature_state): bool
-        {
-        local ip = state$conn$id$resp_h;
-
-        if ( ip !in software_table )
-                return F;
-
-        local softset = software_table[ip];
-
-        if ( "Mozilla" !in softset )
-                return F;
-
-        return T;
-        }
-
-
-@endif
-# end of the software.bro related functions
-
-function dataSizeG50(state: signature_state): bool
-	{
-	local size = state$payload_size;
-
-	if ( size < 50 )
-		return F;
-
-	return T;
-	}
-
-function dataSizeG100(state: signature_state): bool
-        {
-        local size = state$payload_size;
-
-        if ( size < 100 )
-                return F;
-
-        return T;
-        }
-
-function dataSizeG150(state: signature_state): bool
-        {
-        local size = state$payload_size;
-
-        if ( size < 150 )
-                return F;
-
-        return T;
-        }
-
-
-function dataSizeG200(state: signature_state): bool
-        {
-        local size = state$payload_size;
-
-        if ( size < 200 )
-                return F;
-
-        return T;
-        }
-
-
-
-function respInMsNet(state: signature_state): bool
-        {
-	local ip = state$conn$id$resp_h;
-
-	return ip in MS_ADDR_RANGE;
-	}
-
-
-function origInMsNet(state: signature_state): bool
-        {
-        local ip = state$conn$id$orig_h;
-                                                                                                                              
-        return ip in MS_ADDR_RANGE;
-        }
-
diff --git a/scripts/s2b/etc/Makefile.am b/scripts/s2b/etc/Makefile.am
deleted file mode 100644
index d7aa5fc19b..0000000000
--- a/scripts/s2b/etc/Makefile.am
+++ /dev/null
@@ -1,8 +0,0 @@
-## Process this file with automake to produce Makefile.in
-
-# include in the dist for now
-EXTRA_DIST = s2b-augment.cfg s2b-ruleset-augment.cfg s2b-sigmap.cfg s2b.cfg
-
-# OR we can install them on a make install 
-#scriptsdir=$(prefix)/etc
-#dist_scripts_SCRIPTS = s2b-augment.cfg s2b-ruleset-augment.cfg s2b-sigmap.cfg s2b.cfg
diff --git a/scripts/s2b/etc/s2b-augment.cfg b/scripts/s2b/etc/s2b-augment.cfg
deleted file mode 100644
index d7834f3968..0000000000
--- a/scripts/s2b/etc/s2b-augment.cfg
+++ /dev/null
@@ -1,17162 +0,0 @@
-# $Id: s2b-augment.cfg 797 2004-11-27 20:26:50Z rwinslow $
-
-<augment 1724-6>
-  active T
-  comment WEB-CGI emumail.cgi access
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 2005-10>
-  active T
-  comment RPC portmap kcms_server request UDP
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 1600-6>
-  active T
-  comment WEB-CGI htsearch arbitrary configuration file attempt
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 657-12>
-  active T
-  comment SMTP chameleon overflow
-  comment pcre: /^HELP\s[^\n]{500}/ism
-  payload /((^)|(\n+))[hH][eE][lL][pP][\x20\x09\x0b][^\n]{500}/
-  sigaction SIG_LOG
-  requires-reverse-signature ! smtp_server_fail
-  snort-rule-file s2b_data_on_weed/rules2.1/smtp.rules
-  <delete>
-    payload /.*[hH][eE][lL][pP]/
-  </delete>
-</augment>
-
-<augment 1970-6>
-  active T
-  comment WEB-IIS MDAC Content-Type overflow attempt
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 333-8>
-  active T
-  comment FINGER . query
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/finger.rules
-</augment>
-
-<augment 818-10>
-  active T
-  comment WEB-CGI dcforum.cgi access
-  comment "informational only"
-  comment "too general but low occurence"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 683-5>
-  active T
-  comment MS-SQL sp_password - password change
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/sql.rules
-</augment>
-
-<augment 1503-8>
-  active T
-  comment WEB-CGI admentor admin.asp access
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 2104-3>
-  active T
-  comment ATTACK-RESPONSES rexec username too long response
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/attack-responses.rules
-</augment>
-
-<augment 1588-8>
-  active T
-  comment WEB-MISC SalesLogix Eviewer access
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1502-8>
-  active T
-  comment WEB-CGI a1stats a1disp3.cgi access
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1426-5>
-  active T
-  comment SNMP PROTOS test-suite-req-app attempt
-  requires-reverse-signature snmp_userver_ok_return
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/snmp.rules
-</augment>
-
-<augment 2533-5>
-  active T
-  comment "MISC LDAP SSLv3 Server_Hello request"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/misc.rules
-</augment>
-
-<augment 262-6>
-  active T
-  comment "DNS EXPLOIT x86 Linux overflow attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/dns.rules
-</augment>
-
-<augment 1865-4>
-  active T
-  comment "WEB-CGI webdist.cgi arbitrary command attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 2063-1>
-  active T
-  comment "WEB-MISC Demarc SQL injection attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 937-7>
-  active T
-  comment "WEB-FRONTPAGE _vti_rpc access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-frontpage.rules
-</augment>
-
-<augment 879-7>
-  active T
-  comment "WEB-CGI admin.pl access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1378-14>
-  active T
-  comment "FTP wu-ftp bad file completion attempt {"
-  sigaction SIG_LOG
-  <delete>
-  	payload /.*~.{1}.*\{/
-  </delete>
-  ftp /.{2,} ~.?\{/
-  snort-rule-file snort_rules/rules2.2/ftp.rules
-</augment>
-
-<augment 1107-10>
-  active T
-  comment "WEB-MISC ftp.pl access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 2084-8>
-  active T
-  comment "RPC rpc.xfsmd xfs_export attempt TCP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 1729-5>
-  active T
-  comment "CHAT IRC channel join"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/chat.rules
-</augment>
-
-<augment 2575-1>
-  active T
-  comment "WEB-PHP Opt-X header.php remote file include attempt"
-  comment pcre: /systempath=(http|https|ftp)/i
-  payload /.*[sS][yY][sS][tT][eE][mM][pP][aA][tT][hH]=([hH][tT]{2}[pP][sS]?)|([fF][tT][pP])/
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-  <delete>
-    payload /.*[sS][yY][sS][tT][eE][mM][pP][aA][tT][hH]=/
-  </delete>
-</augment>
-
-<augment 1000-7>
-  active T
-  comment "WEB-IIS bdir.htr access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 1505-7>
-  active T
-  comment "WEB-CGI alchemy http server PRN arbitrary command execution attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 2385-9>
-  active T
-  comment "NETBIOS SMB-DS DCERPC NTLMSSP invalid mechlistMIC attempt"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 1675-4>
-  active T
-  comment "ORACLE misparsed login response"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/oracle.rules
-</augment>
-
-<augment 1997-3>
-  active T
-  comment "WEB-PHP read_body.php access attempt"
-  comment "java script squirrel mail exploit: just add to signature "
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-  http /.*[fF][rR][oO][mM]\x3a.*\x3cscript\x3e.*document.cookie.*\x3c\x2fscript\x3e/
-</augment>
-
-<augment 1181-8>
-  active T
-  comment "WEB-MISC Annex Terminal DOS attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 2411-5>
-  active T
-  comment WEB-MISC Real Server DESCRIBE buffer overflow attempt
-  comment "pcre: /^DESCRIBE\s[^\n]{300}/smi"
-  http "/((^)|(\n+))[dD][eE][sS][cC][rR][iI][bB][eE][\x20\x09\x0b][^\n]{300}/"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-  <delete>
-    payload "/.*[dD][eE][sS][cC][rR][iI][bB][eE].{1}.*\.\.\//"
-  </delete>
-</augment>
-
-<augment 1634-11>
-  active T
-  comment POP3 PASS overflow attempt
-  comment "pcre: /^PASS\s[^\n]{50}/smi"
-  payload "/((^)|(\n+))[pP][aA][sS][sS][\x20\x09\x0b][^\n]{50}/"
-  requires-reverse-signature ! pop_return_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/pop3.rules
-  <delete>
-    payload "/.*[pP][aA][sS][sS]/"
-  </delete>
-</augment>
-
-<augment 1960-7>
-  active T
-  comment "RPC portmap NFS request TCP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 1334-5>
-  active T
-  comment "WEB-ATTACKS echo command attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-attacks.rules
-</augment>
-
-<augment 393-8>
-  active F
-  comment "ICMP Datagram Conversion Error undefined code"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 401-6>
-  active F
-  comment "ICMP Destination Unreachable Network Unreachable"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 2143-3>
-  active T
-  comment "WEB-PHP b2 cafelog gm-2-b2.php remote file include attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 461-7>
-  active F
-  comment "ICMP unassigned type 2 undefined code"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 2081-9>
-  active T
-  comment "RPC portmap rpc.xfsmd request UDP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 2103-9>
-  active T
-  comment "NETBIOS SMB trans2open buffer overflow attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 940-7>
-  active T
-  comment "WEB-FRONTPAGE shtml.dll access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-frontpage.rules
-</augment>
-
-<augment 335-5>
-  active T
-  comment "FTP .rhosts"
-  requires-reverse-signature ! ftp_server_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/ftp.rules
-  ftp /.*\.rhosts/
-  <delete>
-  	payload /.*\.rhosts/
-  </delete>
-</augment>
-
-<augment 2212-6>
-  active T
-  dst-ip == local_nets
-  http /.*[\/\\]imageFolio\.cgi\?.*<script>/
-  comment "WEB-CGI imageFolio.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  <delete>
-  	http /.*[\/\\]imageFolio\.cgi/
-  </delete>
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1231-8>
-  active T
-  comment "WEB-MISC VirusWall catinfo access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1975-6>
-  active T
-  comment FTP DELE overflow attempt
-  comment "pcre: /^DELE\s[^\n]{100}/smi"
-  eval dataSizeG100
-  ftp "/((^)|(\n+))[dD][eE][lL][eE][\x20\x09\x0b][^\n]{100}/"
-  requires-reverse-signature ! ftp_server_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/ftp.rules
-  <delete>
-    payload "/.*[dD][eE][lL][eE]/"
-  </delete>
-</augment>
-
-<augment 426-7>
-  active F
-  comment "ICMP Parameter Problem Missing a Required Option"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 494-7>
-  active F
-  comment "ATTACK-RESPONSES command completed"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/attack-responses.rules
-</augment>
-
-<augment 1473-5>
-  active T
-  comment "WEB-CGI newsdesk.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 2026-9>
-  active T
-  comment "RPC yppasswd username overflow attempt TCP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 1392-10>
-  active T
-  comment "WEB-CGI lastlines.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1453-5>
-  active T
-  comment "WEB-CGI AT-generated.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1496-5>
-  active T
-  comment "WEB-CGI spin_client.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1197-6>
-  active T
-  comment "WEB-PHP Phorum code access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 1887-3>
-  active T
-  comment "MISC OpenSSL Worm traffic"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/misc.rules
-</augment>
-
-<augment 589-8>
-  active T
-  comment "RPC portmap yppasswd request UDP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 533-8>
-  active T
-  comment "NETBIOS SMB C$ share access"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 2530-3>
-  active T
-  comment "IMAP SSLv3 Server_Hello request"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/imap.rules
-</augment>
-
-<augment 1108-10>
-  active T
-  comment "WEB-MISC Tomcat server snoop access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 977-7>
-  active T
-  comment "WEB-IIS .cnf access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 1514-9>
-  active T
-  comment "WEB-CGI input2.bat arbitrary command execution attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 396-6>
-  active F
-  comment "ICMP Destination Unreachable Fragmentation Needed and DF bit was set"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 803-9>
-  active T
-  comment "WEB-CGI HyperSeek hsx.cgi directory traversal attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1268-12>
-  active T
-  comment "RPC portmap pcnfsd request TCP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 2415-7>
-  active T
-  comment "EXPLOIT ISAKMP second payload initial contact notification without SPI attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/exploit.rules
-</augment>
-
-<augment 1391-7>
-  active T
-  comment "WEB-MISC Phorecast remote code execution attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 2436-2>
-  active F
-  comment "WEB-CLIENT Microsoft wmf metafile access"
-  requires-signature http_msie_client
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-client.rules
-  comment "Informational only"
-</augment>
-
-<augment 1447-11>
-  active T
-  comment "MISC MS Terminal server request RDP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/misc.rules
-</augment>
-
-<augment 303-11>
-  active T
-  comment "DNS EXPLOIT named tsig overflow attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/dns.rules
-</augment>
-
-<augment 1720-4>
-  active T
-  comment "WEB-CGI talkback.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 2229-4>
-  active T
-  comment "WEB-PHP viewtopic.php access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  http /.*[sS][uU][bB][sS][Ss][tT][rR][iI][nN][gG]\x28[uU][sS][eE][rR][pP][aA][sS][sS][wW][oO][rR][dD]*./
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 236-6>
-  active T
-  comment "DDOS Stacheldraht client check gag"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/ddos.rules
-</augment>
-
-<augment 1023-9>
-  active T
-  comment "WEB-IIS msadcs.dll access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 681-6>
-  active T
-  comment "MS-SQL/SMB xp_cmdshell program execution"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/sql.rules
-</augment>
-
-<augment 1629-6>
-  active T
-  comment "OTHER-IDS SecureNetPro traffic"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/other-ids.rules
-</augment>
-
-<augment 1200-10>
-  active F
-  comment "ATTACK-RESPONSES Invalid URL"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/attack-responses.rules
-</augment>
-
-<augment 2329-6>
-  active T
-  dst-port == 1434
-  dst-ip == local_nets
-  comment "MS-SQL probe response overflow attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/sql.rules
-</augment>
-
-<augment 2019-4>
-  active T
-  comment "RPC mountd UDP dump request"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 956-6>
-  active T
-  comment "WEB-FRONTPAGE register.txt access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-frontpage.rules
-</augment>
-
-<augment 372-7>
-  active F
-  comment "ICMP PING Delphi-Piette Windows"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 1190-6>
-  active T
-  comment "WEB-MISC Netscape Enterprise Server directory view"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 676-6>
-  active T
-  comment "MS-SQL/SMB sp_start_job - program execution"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/sql.rules
-</augment>
-
-<augment 2014-5>
-  active T
-  comment "RPC portmap UNSET attempt TCP 111"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 108-6>
-  active T
-  comment "BACKDOOR QAZ Worm Client Login access"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/backdoor.rules
-</augment>
-
-<augment 2056-4>
-  active T
-  comment "WEB-MISC TRACE attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 2068-2>
-  active T
-  comment "WEB-MISC BitKeeper arbitrary command attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 361-12>
-  active T
-  comment "FTP SITE EXEC attempt"
-  requires-reverse-signature ! ftp_server_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/ftp.rules
-</augment>
-
-<augment 586-8>
-  active T
-  comment "RPC portmap selection_svc request UDP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 549-8>
-  active F
-  comment "P2P napster login"
-  comment "informational only"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/p2p.rules
-</augment>
-
-<augment 1704-5>
-  active T
-  comment "WEB-CGI cal_make.pl directory traversal attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1342-5>
-  active T
-  comment "WEB-ATTACKS gcc command attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-attacks.rules
-</augment>
-
-<augment 2520-5>
-  active T
-  comment "WEB-MISC SSLv3 Client_Hello request"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1346-5>
-  active F
-  comment "WEB-ATTACKS cpp command attempt"
-  comment "too general"
-  comment "too many false positives"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-attacks.rules
-</augment>
-
-<augment 520-5>
-  active T
-  comment "TFTP root directory"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/tftp.rules
-</augment>
-
-<augment 1870-5>
-  active T
-  comment "WEB-CGI siteUserMod.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1864-7>
-  active T
-  comment FTP SITE NEWER attempt
-  comment "pcre: /^SITE\s+NEWER/smi"
-  ftp "/((^)|(\n+))[sS][iI][tT][eE][\x20\x09\x0b]+[nN][eE][wW][eE][rR]/"
-  requires-reverse-signature ! ftp_server_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/ftp.rules
-  <delete>
-    payload "/.*[sS][iI][tT][eE].{1}.*[nN][eE][wW][eE][rR]/"
-  </delete>
-</augment>
-
-<augment 1002-6>
-  active T
-  comment "WEB-IIS cmd.exe access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 1823-7>
-  active T
-  dst-ip == local_nets
-  http /.*[\/\\](af|alienform)\.cgi\?.*\.\|\./
-  event "WEB-CGI AlienForm directory traversal attempt"
-  comment "WEB-CGI AlienForm af.cgi directory traversal attempt"
-  requires-reverse-signature ! http_error
-  <delete>
-  	event "WEB-CGI AlienForm af.cgi directory traversal attempt"
-  	http /.*[\/\\]af\.cgi/
-  	payload /.*\.\x7C\.\/\.\x7C\./
-  </delete>
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1556-7>
-  active T
-  comment "WEB-CGI DCShop orders.txt access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 2263-6>
-  active T
-  comment SMTP SAML FROM sendmail prescan too many addresses overflow
-  comment "pcre: /^SAML FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^ ..."
-  payload "/((^)|(\n+))[sS][aA][mM][lL] [fF][rR][oO][mM]\x3a[\x20\x09\x0b]*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</"
-  sigaction SIG_LOG
-  requires-reverse-signature ! smtp_server_fail
-  snort-rule-file snort_rules/rules2.2/smtp.rules
-  <delete>
-    payload /.*[sS][aA][mM][lL] [fF][rR][oO][mM]\x3A/
-  </delete>
-</augment>
-
-<augment 974-10>
-  active T
-  comment "WEB-IIS Directory transversal attempt"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 690-7>
-  active T
-  comment "MS-SQL/SMB xp_printstatements possible buffer overflow"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/sql.rules
-</augment>
-
-<augment 1929-5>
-  active F
-  comment "BACKDOOR TCPDUMP/PCAP trojan traffic"
-  comment "Too general.  Ephemeral windows ports match this easily"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/backdoor.rules
-</augment>
-
-<augment 2048-2>
-  active T
-  comment "MISC rsyncd overflow attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/misc.rules
-</augment>
-
-<augment 386-5>
-  active F
-  comment "ICMP Address Mask Reply"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 1134-7>
-  active T
-  comment "WEB-PHP Phorum admin access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 374-7>
-  active F
-  comment "ICMP PING IP NetMonitor Macintosh"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 309-9>
-  active T
-  comment "EXPLOIT sniffit overflow"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/exploit.rules
-</augment>
-
-<augment 637-3>
-  active T
-  comment "SCAN Webtrends Scanner UDP Probe"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/scan.rules
-</augment>
-
-<augment 978-11>
-  active T
-  comment "WEB-IIS ASP contents view"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 1151-5>
-  active T
-  comment "WEB-MISC Domino domcfg.nsf access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 2311-7>
-  active T
-  comment "NETBIOS SMB-DS DCERPC Workstation Service bind attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 1955-6>
-  active T
-  comment "RPC AMD TCP version request"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 833-8>
-  active T
-  comment "WEB-CGI rguest.exe access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 883-5>
-  active T
-  comment "WEB-CGI flexform access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 887-6>
-  active T
-  comment "WEB-CGI www-sql access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 588-17>
-  active T
-  comment "RPC portmap ttdbserv request UDP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 1952-5>
-  active T
-  comment "RPC mountd UDP mount request"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 144-9>
-  active T
-  comment "FTP ADMw0rm ftp login attempt"
-  requires-reverse-signature ! ftp_server_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/ftp.rules
-</augment>
-
-<augment 1039-6>
-  active T
-  comment "WEB-IIS srch.htm access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 1146-5>
-  active T
-  comment "WEB-MISC Ecommerce import.txt access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 121-5>
-  active F
-  comment "BACKDOOR Infector 1.6 Client to Server Connection Request"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/backdoor.rules
-</augment>
-
-<augment 2119-5>
-  active T
-  comment IMAP rename literal overflow attempt
-  comment  "pcre: /\sRENAME\s[^\n]*?\s\{/smi"
-  payload "/((^)|(\n+))[\x20\x09\x0b][rR][eE][nN][aA][mM][eE][\x20\x09\x0b][^\n]*?[\x20\x09\x0b]\{/"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/imap.rules
-  <delete>
-    payload "/.*[rR][eE][nN][aA][mM][eE]/"
-  </delete>
-</augment>
-
-<augment 2424-3>
-  active T
-  comment NNTP sendsys overflow attempt
-  comment "pcre: /^sendsys\x3a[^\n]{21}/smi"
-  payload "/((^)|(\n+))[sS][eE][nN][dD][sS][yY][sS]\x3a[^\n]{21}/"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/nntp.rules
-  <delete>
-    payload "/.*[sS][eE][nN][dD][sS][yY][sS]/"
-  </delete>
-</augment>
-
-<augment 370-7>
-  active F
-  comment "ICMP PING BeOS4.x"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 1050-7>
-  active T
-  comment "WEB-MISC iPlanet GETPROPERTIES attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 967-11>
-  active T
-  comment "WEB-FRONTPAGE dvwssr.dll access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-frontpage.rules
-</augment>
-
-<augment 1487-4>
-  active T
-  comment "WEB-IIS /iisadmpwd/aexp2.htr access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 1861-7>
-  active T
-  comment "WEB-MISC Linksys router default username and password login attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 2348-6>
-  active T
-  comment "NETBIOS SMB-DS DCERPC print spool bind attempt"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 1259-5>
-  active T
-  comment "WEB-MISC SWEditServlet access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1206-10>
-  active T
-  comment "WEB-CGI cachemgr.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1542-6>
-  active T
-  comment "WEB-CGI cgimail access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 2560-2>
-  active T
-  comment "EXPLOIT Oracle Web Cache MOVE overflow attempt"
-  comment pcre: /^MOVE[^s]{432}/sm
-  payload /((^)|(\n+))MOVE[^s]{432}/
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/exploit.rules
-  <delete>
-    payload /.*MOVE/
-  </delete>
-</augment>
-
-<augment 944-6>
-  active T
-  comment "WEB-FRONTPAGE fpremadm.exe access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-frontpage.rules
-</augment>
-
-<augment 110-4>
-  active T
-  comment "BACKDOOR netbus getinfo"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/backdoor.rules
-</augment>
-
-<augment 2086-4>
-  active T
-  comment "WEB-CGI streaming server parse_xml.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1721-4>
-  active T
-  comment "WEB-CGI adcycle access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 2477-3>
-  active T
-  comment "NETBIOS SMB-DS Create AndX Request winreg unicode attempt"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 1663-6>
-  active T
-  comment "WEB-MISC *%0a.pl access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1764-6>
-  active T
-  comment "WEB-CGI Nortel Contivity cgiproc DOS attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1093-10>
-  active T
-  comment "WEB-CGI cached_feed.cgi moreover shopping cart directory traversal"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 264-6>
-  active T
-  comment "DNS EXPLOIT x86 Linux overflow attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/dns.rules
-</augment>
-
-<augment 1859-5>
-  active T
-  comment "WEB-MISC Sun JavaServer default password login attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 804-9>
-  active T
-  comment "WEB-CGI SWSoft ASPSeek Overflow attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1691-3>
-  active T
-  comment "ORACLE ALTER USER attempt"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/oracle.rules
-</augment>
-
-<augment 718-7>
-  active T
-  comment "TELNET login incorrect"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/telnet.rules
-</augment>
-
-<augment 2464-6>
-  active T
-  comment "EXPLOIT EIGRP prefix length overflow attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/exploit.rules
-</augment>
-
-<augment 448-7>
-  active F
-  comment "ICMP Source Quench undefined code"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 1189-6>
-  active T
-  comment "WEB-MISC Netscape Enterprise Server directory view"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 2248-3>
-  active T
-  comment "WEB-IIS DirectoryListing.asp access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 2029-5>
-  active T
-  comment "RPC yppasswd new password overflow attempt UDP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 865-8>
-  active T
-  comment "WEB-CGI ksh access"
-  requires-reverse-signature ! http_error
-  requires-signature ! http_shell_check
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 921-7>
-  active T
-  comment "WEB-COLDFUSION admin encrypt attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
-</augment>
-
-<augment 1205-6>
-  active T
-  comment "WEB-CGI axs.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 841-7>
-  active T
-  comment "WEB-CGI pfdisplay.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 2021-4>
-  active T
-  comment "RPC mountd UDP unmount request"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 219-6>
-  active T
-  comment "BACKDOOR HidePak backdoor attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/backdoor.rules
-</augment>
-
-<augment 686-5>
-  active T
-  comment "MS-SQL xp_reg* - registry access"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/sql.rules
-</augment>
-
-<augment 1939-4>
-  active T
-  comment "MISC bootp hardware address length overflow"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/misc.rules
-</augment>
-
-<augment 638-5>
-  active T
-  comment "SHELLCODE SGI NOOP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/shellcode.rules
-</augment>
-
-<augment 1828-6>
-  active T
-  comment "WEB-MISC iPlanet Search directory traversal attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 2136-2>
-  active T
-  comment "WEB-MISC philboard_admin.asp authentication bypass attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1645-6>
-  active T
-  comment "WEB-CGI testcgi access"
-  dst-ip == local_nets
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 624-6>
-  active F
-  comment "SCAN SYN FIN"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/scan.rules
-</augment>
-
-<augment 290-7>
-  active T
-  comment "POP3 EXPLOIT qpopper overflow"
-  requires-reverse-signature ! pop_return_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/pop3.rules
-</augment>
-
-<augment 640-6>
-  active T
-  comment "SHELLCODE AIX NOOP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/shellcode.rules
-</augment>
-
-<augment 1995-2>
-  active T
-  comment "WEB-CGI alya.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1411-10>
-  active T
-  comment "SNMP public access udp"
-  requires-reverse-signature snmp_userver_ok_return
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/snmp.rules
-</augment>
-
-<augment 2456-3>
-  active F
-  comment "CHAT Yahoo IM file transfer request"
-  comment "informational only"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/chat.rules
-</augment>
-
-<augment 1524-9>
-  active T
-  comment "WEB-MISC AxisStorpoint CD attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1661-4>
-  active T
-  comment "WEB-IIS cmd32.exe access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 809-11>
-  active T
-  comment "WEB-CGI whois_raw.cgi arbitrary command execution attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 2386-6>
-  active T
-  comment "WEB-IIS NTLM ASN.1 vulnerability scan attempt"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 272-7>
-  active T
-  comment "DOS IGMP dos attack"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/dos.rules
-</augment>
-
-<augment 2301-4>
-  active T
-  comment "WEB-PHP Advanced Poll booth.php access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 2334-2>
-  active T
-  comment FTP Yak! FTP server default account login attempt
-  comment "pcre: /^USER\s+y049575046/smi"
-  payload "/((^)|(\n+))USER[\x20\x09\x0b]+y049575046/"
-  sigaction SIG_LOG
-  requires-reverse-signature ! ftp_server_error
-  snort-rule-file snort_rules/rules2.2/ftp.rules
-  <delete>
-    payload "/.*[uU][sS][eE][rR]/"
-    payload "/.*[yY]049575046/"
-  </delete>
-</augment>
-
-<augment 1402-4>
-  active T
-  comment "WEB-IIS iissamples access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 1243-11>
-  active T
-  comment "WEB-IIS ISAPI .ida attempt"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 483-5>
-  active F
-  comment "ICMP PING CyberKit 2.2 Windows"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp.rules
-</augment>
-
-<augment 480-5>
-  active F
-  comment "ICMP PING speedera"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/icmp.rules
-</augment>
-
-<augment 316-6>
-  active T
-  comment "EXPLOIT x86 Linux mountd overflow"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/exploit.rules
-</augment>
-
-<augment 2536-3>
-  active T
-  comment "POP3 SSLv3 Server_Hello request"
-  requires-reverse-signature ! pop_return_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/pop3.rules
-</augment>
-
-<augment 618-8>
-  active F
-  comment "SCAN Squid Proxy attempt"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/scan.rules
-</augment>
-
-<augment 1085-8>
-  active T
-  comment "WEB-PHP strings overflow"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 2557-2>
-  active T
-  comment "EXPLOIT Oracle Web Cache LOCK overflow attempt"
-  comment pcre: /^LOCK[^s]{432}/sm
-  payload /((^)|(\n+))LOCK[^s]{432}/
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/exploit.rules
-  <delete>
-    payload /.*LOCK/
-  </delete>
-</augment>
-
-<augment 265-7>
-  active T
-  comment "DNS EXPLOIT x86 Linux overflow attempt ADMv2"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/dns.rules
-</augment>
-
-<augment 2446-4>
-  active T
-  comment "EXPLOIT ICQ SRV_MULTI/SRV_META_USER email overflow attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/exploit.rules
-</augment>
-
-<augment 2453-3>
-  active F
-  comment "CHAT Yahoo IM conference invitation"
-  comment "informational only"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/chat.rules
-</augment>
-
-<augment 832-11>
-  active T
-  comment "WEB-CGI perl.exe access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1587-12>
-  active T
-  comment "WEB-MISC cgitest.exe access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1575-4>
-  active T
-  comment "WEB-MISC Domino mab.nsf access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1555-7>
-  active T
-  dst-ip == local_nets
-  comment "WEB-CGI DCShop access"
-  comment "only important if destination is local_nets"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 647-6>
-  active T
-  comment "SHELLCODE sparc setuid 0"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/shellcode.rules
-</augment>
-
-<augment 2514-7>
-  active T
-  comment "NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 1232-8>
-  active T
-  comment "WEB-MISC VirusWall catinfo access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1196-10>
-  active T
-  comment "WEB-CGI SGI InfoSearch fname attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1573-6>
-  active T
-  comment "WEB-CGI cgiforum.pl attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1989-4>
-  active F
-  comment "CHAT MSN file transfer reject"
-  comment "informational only"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/chat.rules
-</augment>
-
-<augment 2505-7>
-  active T
-  comment "WEB-MISC SSLv3 invalid data version attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1594-10>
-  active T
-  comment "WEB-CGI FormHandler.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 551-7>
-  active F
-  comment "P2P napster download attempt"
-  comment "informational only"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/p2p.rules
-</augment>
-
-<augment 2080-6>
-  active T
-  comment "RPC portmap nlockmgr request TCP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 1987-6>
-  active T
-  comment "MISC xfs overflow attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/misc.rules
-</augment>
-
-<augment 699-7>
-  active T
-  comment "MS-SQL xp_printstatements possible buffer overflow"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/sql.rules
-</augment>
-
-<augment 2459-3>
-  active F
-  comment "CHAT Yahoo IM webcam offer invitation"
-  comment "informational only"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/chat.rules
-</augment>
-
-<augment 651-8>
-  active T
-  comment "SHELLCODE x86 stealth NOOP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/shellcode.rules
-</augment>
-
-<augment 2486-5>
-  active T
-  comment "DOS ISAKMP invalid identification payload attempt"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/dos.rules
-</augment>
-
-<augment 2325-2>
-  active T
-  comment "WEB-IIS VP-ASP ShopDisplayProducts.asp access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 1898-8>
-  active T
-  comment "EXPLOIT kadmind buffer overflow attempt"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/exploit.rules
-</augment>
-
-<augment 1215-6>
-  active T
-  comment "WEB-CGI ministats admin access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 2545-4>
-  active T
-  comment "EXPLOIT AFP FPLoginExt username buffer overflow attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/exploit.rules
-</augment>
-
-<augment 1162-7>
-  active T
-  comment "WEB-MISC cart 32 AdminPwd access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 576-8>
-  active T
-  comment "RPC portmap amountd request UDP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 1714-4>
-  active T
-  comment "WEB-CGI newdesk access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 241-7>
-  active T
-  comment "DDOS shaft synflood"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/ddos.rules
-</augment>
-
-<augment 382-7>
-  active F
-  comment "ICMP PING Windows"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 2235-5>
-  active T
-  comment "WEB-MISC SpamExcp.dll access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 821-12>
-  active T
-  comment "WEB-CGI imagemap.exe overflow attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 2207-6>
-  active T
-  comment "WEB-CGI fileseek.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 364-7>
-  active F
-  comment "ICMP IRDP router selection"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 509-6>
-  active T
-  comment "WEB-MISC PCCS mysql database admin tool access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 825-6>
-  active F
-  comment "WEB-CGI glimpse access"
-  comment "informational only"
-  comment "old signature from 06-01-1999"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1443-4>
-  active T
-  comment "TFTP GET passwd"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/tftp.rules
-</augment>
-
-<augment 1228-6>
-  active T
-  comment "SCAN nmap XMAS"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/scan.rules
-</augment>
-
-<augment 1460-5>
-  active T
-  comment "WEB-CGI bb-histsvc.sh access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 2268-4>
-  active T
-  comment SMTP MAIL FROM sendmail prescan too long addresses overflow
-  comment "pcre: /^MAIL FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi"
-  payload "/((^)|(\n+))[mM][aA][iI][lL] [fF][rR][oO][mM]:[\x20\x09\x0b]+[a-zA-Z0-9_\x20\x09\x0b@\.]{0,200}\x3b[a-zA-Z0-9_\x20\x09\x0b@\.]{200,}\x3b[a-zA-Z0-9_\x20\x09\x0b@\.]{0,200}/"
-  requires-reverse-signature ! smtp_server_fail
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/smtp.rules
-  <delete>
-    payload /.*[mM][aA][iI][lL] [fF][rR][oO][mM]\x3A/
-  </delete>
-</augment>
-
-<augment 916-7>
-  active T
-  comment "WEB-COLDFUSION getodbcdsn access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
-</augment>
-
-<augment 1547-11>
-  active T
-  comment "WEB-CGI csSearch.cgi arbitrary command execution attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1845-15>
-  active T
-  comment IMAP list literal overflow attempt
-  comment "pcre: /\sLIST\s[^\n]*?\s\{/smi"
-  payload "/((^)|(\n+))[\x20\x09\x0b][lL][iI][sS][tT][\x20\x09\x0b][^\n]*?[\x20\x09\x0b]\{/"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/imap.rules
-  <delete>
-    payload "/.*[lL][iI][sS][tT]/"
-  </delete>
-</augment>
-
-<augment 708-8>
-  active T
-  comment "MS-SQL/SMB xp_enumresultset possible buffer overflow"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/sql.rules
-</augment>
-
-<augment 276-5>
-  active T
-  comment "DOS Real Audio Server"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/dos.rules
-</augment>
-
-<augment 1599-7>
-  active T
-  comment "WEB-CGI search.cgi access"
-  http /.*[\/\\]search\.cgi\?.*letter\=[^\&]*?\.\.[\\\/]/
-  <delete>
-  	http /.*[\/\\]search\.cgi/
-  </delete>
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 2564-4>
-  active T
-  comment "NETBIOS NS lookup short response attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 1105-5>
-  active T
-  comment "WEB-MISC BigBrother access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 680-6>
-  active T
-  comment "MS-SQL/SMB sa login failed"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/sql.rules
-</augment>
-
-<augment 1003-7>
-  active T
-  comment "WEB-IIS cmd? access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 1356-5>
-  active T
-  comment "WEB-ATTACKS perl execution attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-attacks.rules
-</augment>
-
-<augment 2548-1>
-  active T
-  comment "MISC HP Web JetAdmin setinfo access"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/misc.rules
-</augment>
-
-<augment 675-6>
-  active T
-  comment "MS-SQL xp_setsqlsecurity possible buffer overflow"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/sql.rules
-</augment>
-
-<augment 2222-5>
-  active T
-  comment "WEB-CGI nph-exploitscanget.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 2218-6>
-  active T
-  dst-ip == local_nets
-  comment "WEB-CGI service.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1658-7>
-  active T
-  comment "WEB-CGI pagelog.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1256-8>
-  active T
-  comment "WEB-IIS CodeRed v2 root.exe access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 1813-5>
-  active T
-  comment "ICMP digital island bandwidth query"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/icmp.rules
-</augment>
-
-<augment 2251-11>
-  active T
-  comment "NETBIOS DCERPC Remote Activation bind attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 422-7>
-  active T
-  comment "ICMP Mobile Registration Reply undefined code"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 973-10>
-  active T
-  comment "WEB-IIS *.idc attempt"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 1706-7>
-  active T
-  comment "WEB-CGI echo.bat access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1637-7>
-  active F
-  comment "WEB-CGI yabb access"
-  comment "informational only"
-  comment "old signature from 2000"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1748-7>
-  active F
-  comment "FTP command overflow attempt"
-  requires-reverse-signature ! ftp_server_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/ftp.rules
-</augment>
-
-<augment 868-9>
-  active T
-  comment "WEB-CGI rsh access"
-  requires-reverse-signature ! http_error
-  requires-signature ! http_shell_check
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 424-7>
-  active T
-  comment "ICMP Mobile Registration Request undefined code"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 2085-4>
-  active T
-  comment "WEB-CGI parse_xml.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 619-5>
-  active T
-  comment "SCAN cybercop os probe"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/scan.rules
-</augment>
-
-<augment 1732-9>
-  active T
-  comment "RPC portmap rwalld request UDP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 2403-4>
-  active T
-  comment "NETBIOS SMB Session Setup AndX request unicode username overflow attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 610-5>
-  active T
-  comment "RSERVICES rsh root"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/rservices.rules
-</augment>
-
-<augment 1021-11>
-  active T
-  comment "WEB-IIS ism.dll attempt"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 1307-9>
-  active T
-  dst-ip == local_nets
-  comment "WEB-CGI store.cgi access"
-  comment "verify application is not vulnerable"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 850-5>
-  active T
-  comment "WEB-CGI wais.pl access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 2392-4>
-  active T
-  comment FTP RETR overflow attempt
-  comment "pcre: /^RETR\s[^\n]{100}/smi"
-  eval dataSizeG100
-  ftp "/((^)|(\n+))[rR][eE][tT][rR][\x20\x09\x0b][^\n]{100}/"
-  requires-reverse-signature ! ftp_server_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/ftp.rules
-  <delete>
-    payload "/.*[rR][eE][tT][rR]/"
-  </delete>
-</augment>
-
-<augment 1053-10>
-  active T
-  comment "WEB-CGI ads.cgi command execution attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 920-7>
-  active T
-  comment "WEB-COLDFUSION datasource attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
-</augment>
-
-<augment 1590-7>
-  active T
-  comment "WEB-CGI faqmanager.cgi arbitrary file access attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1755-14>
-  active T
-  comment IMAP partial body buffer overflow attempt
-  comment pcre: /\sPARTIAL.*BODY\[[^\]]{1024}/smi
-  payload "/((^)|(\n+))[\x20\x09\x0b][pP][aA][rR][tT][iI][aA][lL].*[bB][oO][dD][yY]\[[^\]]{1024}/"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/imap.rules
-  <delete>
-    payload "/.*[pP][aA][rR][tT][iI][aA][lL].*.*[bB][oO][dD][yY]\[/"
-  </delete>
-</augment>
-
-<augment 1852-3>
-  active F
-  comment "WEB-MISC robots.txt access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 924-7>
-  active T
-  comment "WEB-COLDFUSION admin decrypt attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
-</augment>
-
-<augment 2225-1>
-  active T
-  comment "WEB-CGI gozila.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1125-8>
-  active T
-  comment "WEB-MISC webcart access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 612-6>
-  active T
-  comment "RPC rusers query UDP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 228-3>
-  active T
-  comment "DDOS TFN client command BE"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/ddos.rules
-</augment>
-
-<augment 1182-17>
-  active T
-  comment "WEB-MISC cgitest.exe attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 696-7>
-  active T
-  comment "MS-SQL/SMB xp_showcolv possible buffer overflow"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/sql.rules
-</augment>
-
-<augment 356-5>
-  active T
-  comment "FTP passwd retrieval attempt"
-  requires-reverse-signature ! ftp_server_error
-  sigaction SIG_LOG
-  <delete>
-  	payload /.*passwd/
-  </delete>
-  payload /[\x20\x09\x0b\/.]*passwd[\x20\x09\x0b]*$/
-  snort-rule-file snort_rules/rules2.2/ftp.rules
-</augment>
-
-<augment 1251-6>
-  active T
-  comment "INFO TELNET Bad Login"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/info.rules
-</augment>
-
-<augment 704-6>
-  active T
-  comment "MS-SQL xp_sprintf possible buffer overflow"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/sql.rules
-</augment>
-
-<augment 2145-3>
-  active T
-  comment "WEB-PHP TextPortal admin.php default password admin attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 239-2>
-  active T
-  comment "DDOS shaft handler to agent"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/ddos.rules
-</augment>
-
-<augment 1895-8>
-  active T
-  comment "EXPLOIT kadmind buffer overflow attempt"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/exploit.rules
-</augment>
-
-<augment 2079-6>
-  active T
-  comment "RPC portmap nlockmgr request UDP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 986-6>
-  active T
-  comment "WEB-IIS MSProxy access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 942-6>
-  active T
-  comment "WEB-FRONTPAGE orders.htm access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-frontpage.rules
-</augment>
-
-<augment 1458-6>
-  active T
-  comment "WEB-CGI user_update_passwd.pl access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 2217-6>
-  active T
-  comment "WEB-CGI printmail.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1752-4>
-  active T
-  comment "MISC AIM AddExternalApp attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/misc.rules
-</augment>
-
-<augment 957-6>
-  active T
-  comment "WEB-FRONTPAGE registrations.txt access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-frontpage.rules
-</augment>
-
-<augment 945-6>
-  active T
-  comment "WEB-FRONTPAGE fpadmin.htm access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-frontpage.rules
-</augment>
-
-<augment 1572-7>
-  active T
-  comment "WEB-CGI commerce.cgi arbitrary file access attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 261-6>
-  active T
-  comment "DNS EXPLOIT named overflow attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/dns.rules
-</augment>
-
-<augment 1068-6>
-  active T
-  comment "WEB-MISC tftp attempt"
-  requires-reverse-signature ! http_error
-  http /.*[tT][fF][tT][pP]\.[eE][xX][eE]/
-  <delete>
-  	payload /.*[tT][fF][tT][pP]\.[eE][xX][eE]/
-  </delete>
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1326-6>
-  active T
-  comment "EXPLOIT ssh CRC32 overflow NOOP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/exploit.rules
-</augment>
-
-<augment 2537-3>
-  active T
-  comment "POP3 SSLv3 invalid Client_Hello attempt"
-  requires-reverse-signature ! pop_return_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/pop3.rules
-</augment>
-
-<augment 2438-3>
-  active T
-  comment "WEB-CLIENT RealPlayer playlist file URL overflow attempt"
-  comment pcre: /^file\x3a\x2f\x2f[^\n]{400}/smi
-  payload /((^)|(\n+))[fF][iI][lL][eE]\x3a\x2f\x2f[^\n]{400}/
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-client.rules
-  <delete>
-    payload /.*[fF][iI][lL][eE]\x3A\/\//
-  </delete>
-</augment>
-
-<augment 580-9>
-  active T
-  comment "RPC portmap nisd request UDP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 2372-2>
-  active F
-  comment "WEB-PHP Photopost PHP Pro showphoto.php access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 2441-3>
-  active T
-  comment WEB-MISC NetObserve authentication bypass attempt
-  comment pcre: /^Cookie\x3a[^\n]*?login=0/smi
-  http /((^)|(\n+))[cC][oO][oO][kK][iI][eE]\x3a[^\n]*?[lL][oO][gG][iI][nN]=0/
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-  <delete>
-    payload /.*[lL][oO][gG][iI][nN]=0/
-    payload /.*[cC][oO][oO][kK][iI][eE]\x3A/
-  </delete>
-</augment>
-
-<augment 653-8>
-  active T
-  comment "SHELLCODE x86 unicode NOOP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/shellcode.rules
-</augment>
-
-<augment 2418-3>
-  active T
-  comment "MISC MS Terminal Server no encryption session initiation attmept"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/misc.rules
-</augment>
-
-<augment 1664-5>
-  active T
-  comment "WEB-MISC mkplog.exe access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 221-3>
-  active T
-  comment "DDOS TFN Probe"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/ddos.rules
-</augment>
-
-<augment 2554-2>
-  active T
-  comment "EXPLOIT Oracle Web Cache POST overflow attempt"
-  comment pcre: /^POST[^s]{432}/sm
-  payload /((^)|(\n+))POST[^s]{432}/
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/exploit.rules
-  <delete>
-    payload /.*POST/
-  </delete>
-</augment>
-
-<augment 1986-4>
-  active F
-  comment "CHAT MSN file transfer request"
-  comment "informational only"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/chat.rules
-</augment>
-
-<augment 2300-4>
-  active T
-  comment "WEB-PHP Advanced Poll admin_tpl_new.php access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 1261-10>
-  active T
-  comment "EXPLOIT AIX pdnsd overflow"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/exploit.rules
-</augment>
-
-<augment 1531-6>
-  active T
-  comment "WEB-CGI bb-hist.sh attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 404-6>
-  active F
-  comment "ICMP Destination Unreachable Protocol Unreachable"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 2115-2>
-  active T
-  comment "WEB-CGI album.pl access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1598-7>
-  active T
-  comment "WEB-CGI Home Free search.cgi directory traversal attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1700-8>
-  active F
-  comment "WEB-CGI imagemap.exe access"
-  comment "informational only"
-  comment "old signature from 10-22-1999"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1064-6>
-  active T
-  comment "WEB-MISC wsh attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1882-10>
-  active T
-  comment "ATTACK-RESPONSES id check returned userid"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/attack-responses.rules
-</augment>
-
-<augment 1412-13>
-  active T
-  comment "SNMP public access tcp"
-  requires-reverse-signature snmp_userver_ok_return
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/snmp.rules
-</augment>
-
-<augment 2190-3>
-  active T
-  comment "NETBIOS DCERPC invalid bind attempt"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 578-8>
-  active T
-  comment "RPC portmap cmsd request UDP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 1208-6>
-  active T
-  comment "WEB-CGI responder.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 2524-7>
-  active T
-  comment "NETBIOS DCERPC LSASS direct bind attempt"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 153-5>
-  active T
-  comment "BACKDOOR DonaldDick 1.53 Traffic"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/backdoor.rules
-</augment>
-
-<augment 2495-5>
-  active T
-  comment "NETBIOS SMB DCEPRC ORPCThis request flood attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 2053-2>
-  active F
-  comment "WEB-CGI proces_bug.cgi access"
-  comment "informational only"
-  comment "not exploit worthy"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 2238-5>
-  active T
-  comment "WEB-MISC WebLogic ConsoleHelp view source attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 2324-2>
-  active T
-  comment "WEB-IIS VP-ASP shopsearch.asp access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 1409-10>
-  active T
-  comment "SNMP community string buffer overflow attempt"
-  requires-reverse-signature snmp_userver_ok_return
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/snmp.rules
-</augment>
-
-<augment 2124-3>
-  active T
-  comment "BACKDOOR Remote PC Access connection attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/backdoor.rules
-</augment>
-
-<augment 1123-9>
-  active T
-  comment "WEB-MISC ?PageServices access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 591-10>
-  active T
-  comment "RPC portmap ypupdated request TCP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 2155-5>
-  active T
-  comment "WEB-PHP ttforum remote file include attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 357-5>
-  active T
-  comment "FTP piss scan"
-  requires-reverse-signature ! ftp_server_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/ftp.rules
-</augment>
-
-<augment 622-6>
-  active T
-  comment "SCAN ipEye SYN scan"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/scan.rules
-</augment>
-
-<augment 643-7>
-  active F
-  comment "SHELLCODE HP-UX NOOP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/shellcode.rules
-</augment>
-
-<augment 908-8>
-  active T
-  comment "WEB-COLDFUSION administrator access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
-</augment>
-
-<augment 106-8>
-  active T
-  comment "BACKDOOR ACKcmdC trojan scan"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/backdoor.rules
-</augment>
-
-<augment 716-10>
-  active F
-  comment "TELNET access"
-  comment "informational only"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/telnet.rules
-</augment>
-
-<augment 2401-4>
-  active T
-  comment "NETBIOS SMB Session Setup AndX request username overflow attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 1154-5>
-  active T
-  comment "WEB-MISC Domino names.nsf access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1046-6>
-  active T
-  comment "WEB-IIS site/iisamples access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 2261-4>
-  active T
-  comment SMTP SEND FROM sendmail prescan too many addresses overflow
-  comment "pcre: /^SEND FROM\x3a\s*[^\n]*?<[^\n]* ..."
-  payload "/((^)|(\n+))[sS][eE][nN][dD] [fF][rR][oO][mM]\x3a[\x20\x09\x0b]*[^\n]*?<[^\n]*? <[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*? <[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*? <[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*? <[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*? <[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</"
-  sigaction SIG_LOG
-  requires-reverse-signature ! smtp_server_fail
-  snort-rule-file snort_rules/rules2.2/smtp.rules
-  <delete>
-    payload /.*[sS][eE][nN][dD] [fF][rR][oO][mM]\x3A/
-  </delete>
-</augment>
-
-<augment 1998-4>
-  active F
-  comment "WEB-PHP calendar.php access"
-  comment "informational only"
-  comment "too general"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 390-5>
-  active T
-  comment "ICMP Alternate Host Address"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 1515-9>
-  active T
-  comment "WEB-CGI input2.bat access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1734-16>
-  active T
-  comment FTP USER overflow attempt
-  comment "pcre: /^USER\s[^\n]{100}/smi"
-  eval dataSizeG100
-  ftp "/((^)|(\n+))[uU][sS][eE][rR][\x20\x09\x0b][^\n]{100}/"
-  requires-reverse-signature ! ftp_server_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/ftp.rules
-  <delete>
-    payload "/.*[uU][sS][eE][rR]/"
-  </delete>
-</augment>
-
-<augment 2006-10>
-  active T
-  comment "RPC portmap kcms_server request TCP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 1080-13>
-  active T
-  comment "WEB-MISC unify eWave ServletExec upload"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 2547-2>
-  active T
-  comment "MISC HP Web JetAdmin remote file upload attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/misc.rules
-</augment>
-
-<augment 1041-6>
-  active T
-  comment "WEB-IIS uploadn.asp access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 2210-5>
-  active T
-  comment "WEB-CGI global.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 2183-5>
-  active F
-  comment "Sendmail SMTP Content-Transfer-Encoding overflow attempt"
-  requires-reverse-signature ! smtp_server_fail
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/smtp.rules
-  comment "Fair amount of false positives, haven't found a way to fill this out to make it more accurate"
-  comment "Released on 2003-03-30"
-</augment>
-
-<augment 1840-5>
-  active T
-  comment "WEB-CLIENT Javascript document.domain attempt"
-  requires-signature http_msie_client
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-client.rules
-</augment>
-
-<augment 1351-5>
-  active T
-  comment "WEB-ATTACKS bin/tclsh execution attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-attacks.rules
-</augment>
-
-<augment 806-11>
-  active T
-  comment "WEB-CGI yabb directory traversal attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1881-6>
-  active T
-  comment "WEB-MISC bad HTTP/1.1 request, Potential worm attack"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1372-5>
-  active T
-  comment "WEB-ATTACKS /etc/shadow access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-attacks.rules
-  comment "Many false positives are possible"
-  payload /.*\/[eE][tT][cC]\/[sS][hH][aA][dD][oO][wW].{1,}root:.*:.*:.*:.*:.*:.*:/
-  <delete>
-  	payload /.*\/[eE][tT][cC]\/[sS][hH][aA][dD][oO][wW]/
-  </delete>
-</augment>
-
-<augment 1418-11>
-  active T
-  comment "SNMP request tcp"
-  requires-reverse-signature snmp_tserver_ok_return
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/snmp.rules
-</augment>
-
-<augment 2230-5>
-  active T
-  comment "WEB-MISC NetGear router default password login attempt admin/password"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1508-5>
-  active T
-  comment "WEB-CGI alibaba.pl access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1760-3>
-  active T
-  comment "OTHER-IDS ISS RealSecure 6 event collector connection attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/other-ids.rules
-</augment>
-
-<augment 1043-7>
-  active T
-  comment "WEB-IIS viewcode.asp access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 678-6>
-  active T
-  comment "MS-SQL/SMB sp_delete_alert log file deletion"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/sql.rules
-</augment>
-
-<augment 950-7>
-  active T
-  comment "WEB-FRONTPAGE cfgwiz.exe access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-frontpage.rules
-</augment>
-
-<augment 1042-8>
-  active T
-  comment "WEB-IIS view source via translate header"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 1444-3>
-  active T
-  comment "TFTP Get"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/tftp.rules
-</augment>
-
-<augment 1582-4>
-  active T
-  comment "WEB-MISC Domino collect4.nsf access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1099-6>
-  active T
-  comment "WEB-MISC cybercop scan"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 614-7>
-  active T
-  comment "BACKDOOR hack-a-tack attempt"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/backdoor.rules
-</augment>
-
-<augment 2003-6>
-  active F
-  comment "MS-SQL Worm propagation attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/sql.rules
-</augment>
-
-<augment 1474-7>
-  active T
-  comment "WEB-CGI cal_make.pl access"
-  requires-reverse-signature ! http_error
-  http /.*[\/\\]cal_make\.pl(\.\.\/){2,}/
-  <delete>
-  	http /.*[\/\\]cal_make\.pl/
-  </delete>
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 689-6>
-  active T
-  comment "MS-SQL/SMB xp_reg* registry access"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/sql.rules
-</augment>
-
-<augment 411-5>
-  active F
-  comment "ICMP IPV6 I-Am-Here"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 2382-8>
-  active T
-  comment "NETBIOS SMB NTLMSSP invalid mechtype attempt"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 2402-5>
-  active T
-  comment "NETBIOS SMB-DS Session Setup AndX request username overflow attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 2573-1>
-  active T
-  comment "WEB-IIS SmarterTools SmarterMail frmCompose.asp access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 1212-5>
-  active T
-  comment "WEB-MISC Admin_files access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 2243-4>
-  active T
-  comment "WEB-MISC ndcgi.exe access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 642-6>
-  active T
-  comment "SHELLCODE HP-UX NOOP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/shellcode.rules
-</augment>
-
-<augment 2028-5>
-  active T
-  comment "RPC yppasswd old password overflow attempt TCP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 1294-10>
-  active T
-  comment "NETBIOS nimda .nws"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 1305-6>
-  active T
-  comment "WEB-CGI txt2html.cgi directory traversal attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 882-5>
-  active F
-  comment "WEB-CGI calendar access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 994-7>
-  active T
-  comment "WEB-IIS /scripts/iisadmin/default.htm access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 906-7>
-  active T
-  comment "WEB-COLDFUSION getfile.cfm access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
-</augment>
-
-<augment 1914-10>
-  active T
-  comment "RPC STATD TCP stat mon_name format string exploit attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 1226-4>
-  active T
-  comment "X11 xopen"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/x11.rules
-</augment>
-
-<augment 605-6>
-  active T
-  comment "RSERVICES rlogin login failure"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rservices.rules
-</augment>
-
-<augment 685-5>
-  active T
-  comment "MS-SQL sp_adduser - database user creation"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/sql.rules
-</augment>
-
-<augment 1740-5>
-  active T
-  comment "WEB-PHP DNSTools authentication bypass attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 2318-3>
-  active T
-  comment MISC CVS non-relative path access attempt
-  comment "pcre: m?^Argument\s+/?smi,/^Directory/smiR"
-  payload "/((^)|(\n+))[aA][Rr][Gg][Uu}[Mm][Ee][Nn][Tt][\x20\x09\x0b]]+/"
-  payload "/.*[Dd][Ii][Rr][Ee][Cc][Tt][Oo][Rr][Yy]/"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/misc.rules
-  <delete>
-    payload "/.*Argument/"
-  </delete>
-</augment>
-
-<augment 185-5>
-  active T
-  comment "BACKDOOR CDK"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/backdoor.rules
-</augment>
-
-<augment 1940-3>
-  active T
-  comment "MISC bootp invalid hardware type"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/misc.rules
-</augment>
-
-<augment 152-6>
-  active T
-  comment "BACKDOOR BackConstruction 2.1 Connection"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/backdoor.rules
-</augment>
-
-<augment 623-5>
-  active F
-  comment "SCAN NULL"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/scan.rules
-</augment>
-
-<augment 1276-14>
-  active T
-  comment "RPC portmap ypserv request TCP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 141-5>
-  active F
-  comment "BACKDOOR HackAttack 1.20 Connect"
-  comment "too many false positives as this is in the Linux ephemeral range"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/backdoor.rules
-</augment>
-
-<augment 1415-9>
-  active T
-  comment "SNMP Broadcast request"
-  requires-reverse-signature snmp_userver_ok_return
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/snmp.rules
-</augment>
-
-<augment 1770-3>
-  active T
-  comment "WEB-MISC .FBCIndex access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1639-6>
-  active T
-  comment "CHAT IRC DCC file transfer request"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/chat.rules
-</augment>
-
-<augment 1272-10>
-  active T
-  comment "RPC portmap sadmind request TCP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 1640-6>
-  active T
-  comment "CHAT IRC DCC chat request"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/chat.rules
-</augment>
-
-<augment 698-8>
-  active T
-  comment "MS-SQL/SMB xp_proxiedmetadata possible buffer overflow"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/sql.rules
-</augment>
-
-<augment 2413-7>
-  active T
-  comment "EXPLOIT ISAKMP delete hash with empty hash attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/exploit.rules
-</augment>
-
-<augment 1430-7>
-  active T
-  comment "TELNET Solaris memory mismanagement exploit attempt"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/telnet.rules
-</augment>
-
-<augment 2200-6>
-  active T
-  comment "WEB-CGI dnewsweb.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1088-9>
-  active T
-  dst-ip == local_nets
-  comment "WEB-CGI eXtropia webstore directory traversal"
-  requires-reverse-signature ! http_error
-  <delete>
-  	http /.*[\/\\]web_store\.cgi/
-  	payload /.*page=\.\.\//
-  </delete>
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1263-11>
-  active T
-  comment "RPC portmap amountd request TCP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 354-5>
-  active T
-  comment "FTP iss scan"
-  requires-reverse-signature ! ftp_server_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/ftp.rules
-</augment>
-
-<augment 1766-7>
-  active T
-  comment "WEB-MISC search.dll directory listing attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1363-5>
-  active T
-  comment "WEB-ATTACKS X application to remote host attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-attacks.rules
-</augment>
-
-<augment 1386-8>
-  active T
-  comment "MS-SQL/SMB raiserror possible buffer overflow"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/sql.rules
-</augment>
-
-<augment 2211-5>
-  active T
-  comment "WEB-CGI guestserver.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 827-7>
-  active T
-  comment "WEB-CGI info2www access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1595-10>
-  active T
-  comment "WEB-IIS htimage.exe access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 1194-8>
-  active T
-  comment "WEB-CGI sojourn.cgi File attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 608-5>
-  active T
-  comment "RSERVICES rsh echo + +"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/rservices.rules
-</augment>
-
-<augment 481-5>
-  active T
-  comment "ICMP TJPingPro1.1Build 2 Windows"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp.rules
-</augment>
-
-<augment 939-6>
-  active T
-  comment "WEB-FRONTPAGE posting"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-frontpage.rules
-</augment>
-
-<augment 1610-11>
-  active T
-  comment "WEB-CGI formmail arbitrary command execution attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-  http /.*[\/\\]formmail{0,5}\?/
-  <delete>
-  	http /.*[\/\\]formmail/
-  </delete>
-</augment>
-
-<augment 2061-4>
-  active T
-  comment "WEB-MISC Tomcat null byte directory listing attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 817-10>
-  active T
-  comment "WEB-CGI dcboard.cgi invalid user addition attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 501-4>
-  active T
-  comment "MISC source route lssre"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/misc.rules
-</augment>
-
-<augment 388-5>
-  active T
-  comment "ICMP Address Mask Request"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 625-6>
-  active F
-  comment "SCAN XMAS"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/scan.rules
-</augment>
-
-<augment 1193-10>
-  active T
-  comment "WEB-MISC oracle web arbitrary command execution attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1545-7>
-  active T
-  comment "DOS Cisco attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/dos.rules
-</augment>
-
-<augment 2458-3>
-  active F
-  comment "CHAT Yahoo IM successful chat join"
-  comment "informational only"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/chat.rules
-</augment>
-
-<augment 232-5>
-  active T
-  comment "DDOS Trin00 Daemon to Master *HELLO* message detected"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/ddos.rules
-</augment>
-
-<augment 1062-6>
-  active T
-  comment "WEB-MISC nc.exe attempt"
-  comment "sig too general - add some clarity.  remove if noise continues"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-  http /.*[nN][cC]\.[eE][xX][eE]\x20.{5}/
-  <delete>
-	payload /.*[nN][cC]\.[eE][xX][eE]/
-  </delete>
-</augment>
-
-<augment 935-6>
-  active T
-  comment "WEB-COLDFUSION startstop DOS access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
-</augment>
-
-<augment 2376-3>
-  active T
-  comment "EXPLOIT ISAKMP first payload certificate request length overflow attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/exploit.rules
-</augment>
-
-<augment 2180-2>
-  active F
-  comment "P2P BitTorrent announce request"
-  comment "informational only"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/p2p.rules
-</augment>
-
-<augment 2443-4>
-  active T
-  comment "EXPLOIT ICQ SRV_MULTI/SRV_META_USER first name overflow attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/exploit.rules
-</augment>
-
-<augment 1856-7>
-  active T
-  comment "DDOS Stacheldraht handler->agent ficken"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/ddos.rules
-</augment>
-
-<augment 1254-8>
-  active T
-  comment "WEB-PHP PHPLIB remote command attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 1536-8>
-  active T
-  comment "WEB-CGI calendar_admin.pl arbitrary command execution attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1224-10>
-  active T
-  comment "WEB-MISC ROADS search.pl attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 853-9>
-  active F
-  comment "WEB-CGI wrap access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-  comment "informational only"
-</augment>
-
-<augment 1433-5>
-  active T
-  comment "WEB-MISC .history access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1157-7>
-  active T
-  comment "WEB-MISC Netscape PublishingXpert access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1269-10>
-  active T
-  comment "RPC portmap rexd request TCP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 1048-9>
-  active T
-  comment "WEB-MISC Netscape Enterprise directory listing attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 145-5>
-  active T
-  comment "BACKDOOR GirlFriendaccess"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/backdoor.rules
-</augment>
-
-<augment 641-6>
-  active T
-  comment "SHELLCODE Digital UNIX NOOP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/shellcode.rules
-</augment>
-
-<augment 1394-5>
-  active T
-  comment "SHELLCODE x86 NOOP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/shellcode.rules
-</augment>
-
-<augment 2572-2>
-  active T
-  comment "WEB-IIS SmarterTools SmarterMail login.aspx buffer overflow attempt"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 1814-6>
-  active T
-  comment "WEB-MISC CISCO VoIP DOS ATTEMPT"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1343-5>
-  active T
-  comment "WEB-ATTACKS /usr/bin/cc command attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-attacks.rules
-</augment>
-
-<augment 184-6>
-  active F
-  comment "BACKDOOR Q access"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/backdoor.rules
-</augment>
-
-<augment 2227-2>
-  active T
-  comment "WEB-PHP forum_details.php access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 1843-6>
-  active T
-  comment "BACKDOOR trinity connection attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/backdoor.rules
-</augment>
-
-<augment 446-7>
-  active T
-  comment "ICMP SKIP undefined code"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 2196-6>
-  active F
-  comment "WEB-CGI catgy.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1534-8>
-  active T
-  comment "WEB-CGI agora.cgi attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1958-5>
-  active T
-  comment "RPC sadmind TCP PING"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 104-7>
-  active T
-  comment "BACKDOOR - Dagger_1.4.0_client_connect"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/backdoor.rules
-</augment>
-
-<augment 2015-5>
-  active T
-  comment "RPC portmap UNSET attempt UDP 111"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 1710-4>
-  active T
-  comment "WEB-CGI bbs_forum.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 519-6>
-  active T
-  comment "TFTP parent directory"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/tftp.rules
-</augment>
-
-<augment 1344-5>
-  active T
-  comment "WEB-ATTACKS cc command attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-attacks.rules
-</augment>
-
-<augment 1792-8>
-  active T
-  comment NNTP return code buffer overflow attempt
-  comment "pcre: /^200\s[^\n]{64}/smi"
-  payload "/((^)|(\n+))200[\x20\x09\x0b][^\n]{64}/"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/nntp.rules
-  <delete>
-   payload "/.*200/"
-  </delete>
-</augment>
-
-<augment 2481-3>
-  active T
-  comment "NETBIOS SMB-DS DCERPC shutdown unicode little endian attempt"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 2467-3>
-  active T
-  comment "NETBIOS SMB D$ share unicode access"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 429-6>
-  active T
-  comment "ICMP Photuris Reserved"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 1338-6>
-  active T
-  comment "WEB-ATTACKS chown command attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-attacks.rules
-  http /.*\/[cC][hH][oO][wW][nN]([^-a-zA-Z0-9_.]|$)/
-  <delete>
-  	payload /.*\/[cC][hH][oO][wW][nN]/
-  </delete>
-</augment>
-
-<augment 445-5>
-  active T
-  comment "ICMP SKIP"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 1511-9>
-  active T
-  comment "WEB-CGI test.bat access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1214-5>
-  active F
-  comment "WEB-MISC intranet access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1222-9>
-  active T
-  comment "WEB-CGI pals-cgi arbitrary file access attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1860-4>
-  active T
-  comment "WEB-MISC Linksys router default password login attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1303-7>
-  active T
-  comment "WEB-MISC cs.exe access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 2049-2>
-  active F
-  comment "MS-SQL ping attempt"
-  src-port != 53
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/sql.rules
-  comment Informational only
-</augment>
-
-<augment 1422-10>
-  active T
-  comment "SNMP community string buffer overflow attempt with evasion"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/snmp.rules
-</augment>
-
-<augment 1932-3>
-  active T
-  comment "WEB-CGI rpc-smb.pl access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1455-5>
-  active F
-  comment "WEB-CGI calender.pl access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 292-8>
-  active T
-  comment "EXPLOIT x86 Linux samba overflow"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/exploit.rules
-</augment>
-
-<augment 1678-5>
-  active T
-  comment "ORACLE select like '%' attempt backslash escaped"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/oracle.rules
-</augment>
-
-<augment 157-5>
-  active T
-  comment "BACKDOOR BackConstruction 2.1 Client FTP Open Request"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/backdoor.rules
-</augment>
-
-<augment 1633-6>
-  active F
-  comment "CHAT AIM receive message"
-  comment "informational only"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/chat.rules
-</augment>
-
-<augment 244-3>
-  active T
-  comment "DDOS mstream handler to agent"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/ddos.rules
-</augment>
-
-<augment 1350-5>
-  active F
-  comment "WEB-ATTACKS python access attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-attacks.rules
-</augment>
-
-<augment 1327-7>
-  active T
-  comment "EXPLOIT ssh CRC32 overflow"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/exploit.rules
-</augment>
-
-<augment 391-8>
-  active T
-  comment "ICMP Alternate Host Address undefined code"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 844-7>
-  active T
-  comment "WEB-CGI args.bat access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 2379-3>
-  active T
-  comment "EXPLOIT ISAKMP forth payload certificate request length overflow attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/exploit.rules
-</augment>
-
-<augment 358-5>
-  active T
-  comment "FTP saint scan"
-  requires-reverse-signature ! ftp_server_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/ftp.rules
-</augment>
-
-<augment 719-7>
-  active T
-  comment "TELNET root login"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/telnet.rules
-</augment>
-
-<augment 460-7>
-  active T
-  comment "ICMP unassigned type 2"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 1330-5>
-  active T
-  comment "WEB-ATTACKS wget command attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-attacks.rules
-  comment "would like to inspect contents of reply"
-</augment>
-
-<augment 2414-7>
-  active T
-  comment "EXPLOIT ISAKMP initial contact notification without SPI attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/exploit.rules
-</augment>
-
-<augment 1893-4>
-  active F
-  comment "SNMP missing community string attempt"
-  comment "this is related to NT 4.0 unpatched < sp 4, circa '99"
-  requires-reverse-signature snmp_userver_ok_return
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/snmp.rules
-</augment>
-
-<augment 2093-5>
-  active T
-  comment "RPC portmap proxy integer overflow attempt TCP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 2241-5>
-  active T
-  comment "WEB-MISC cwmail.exe access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1903-8>
-  active T
-  comment IMAP rename overflow attempt
-  comment "pcre: /\sRENAME\s[^\n]{100}/smi"
-  payload "/((^)|(\n+))[\x20\x09\x0b][rR][eE][nN][aA][mM][eE][\x20\x09\x0b][^\n]{100}/"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/imap.rules
-  <delete>
-    payload "/.*[rR][eE][nN][aA][mM][eE]/"
-  </delete>
-</augment>
-
-<augment 2555-2>
-  active T
-  comment "EXPLOIT Oracle Web Cache TRACE overflow attempt"
-  comment pcre: /^TRACE[^s]{432}/sm
-  payload /((^)|(\n+))TRACE[^s]{432}/
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/exploit.rules
-  <delete>
-    payload /.*TRACE/
-  </delete>
-</augment>
-
-<augment 961-6>
-  active T
-  comment "WEB-FRONTPAGE services.cnf access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-frontpage.rules
-</augment>
-
-<augment 1186-6>
-  active T
-  comment "WEB-MISC Netscape Enterprise Server directory view"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 2546-1>
-  active T
-  comment "FTP MDTM overflow attempt"
-  comment pcre: /^MDTM\s[^\n]{100}/smi
-  payload /((^)|(\n+))[mM][dD][tT][mM][\x20\x09\x0b][^\n]{100}/
-  requires-reverse-signature ! ftp_server_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/ftp.rules
-  <delete>
-    payload /.*[mM][dD][tT][mM]/
-  </delete>
-</augment>
-
-<augment 1873-4>
-  active T
-  comment "WEB-MISC globals.jsa access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 253-4>
-  active T
-  comment "DNS SPOOF query response PTR with TTL of 1 min. and no authority"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/dns.rules
-</augment>
-
-<augment 313-4>
-  active T
-  comment "EXPLOIT ntalkd x86 Linux overflow"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/exploit.rules
-</augment>
-
-<augment 2051-3>
-  active T
-  comment "WEB-CGI cached_feed.cgi moreover shopping cart access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1725-6>
-  active T
-  comment "WEB-IIS +.htr code fragment attempt"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 1309-9>
-  active T
-  comment "WEB-CGI zsh access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1221-6>
-  active T
-  comment "WEB-MISC musicat empower access"
-  requires-reverse-signature ! http_error
-  http /.*[\/\\]empower\?DB=.{1,}/
-  <delete>
-  	http /.*[\/\\]empower/
-  </delete>
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1617-8>
-  active T
-  comment "WEB-CGI Bugzilla doeditvotes.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1091-7>
-  active F
-  comment "WEB-MISC ICQ Webfront HTTP DOS"
-  comment "too general"
-  comment "too many false positives"
-  comment "exploit from year 2000"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1733-9>
-  active T
-  comment "RPC portmap rwalld request TCP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 1113-5>
-  active T
-  comment "WEB-MISC http directory traversal"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 2050-5>
-  active T
-  comment "MS-SQL version overflow attempt"
-  sigaction SIG_FILE
-  # sigaction SIG_SUMMARY
-  snort-rule-file snort_rules/rules2.2/sql.rules
-</augment>
-
-<augment 1535-7>
-  active T
-  comment "WEB-CGI bizdbsearch access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1776-2>
-  active T
-  comment "MYSQL show databases attempt"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/mysql.rules
-</augment>
-
-<augment 603-5>
-  active T
-  comment "RSERVICES rlogin echo++"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rservices.rules
-</augment>
-
-<augment 1291-8>
-  active T
-  comment "WEB-MISC sml3com access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 485-4>
-  active F
-  comment "ICMP Destination Unreachable Communication Administratively Prohibited"
-  sigaction SIG_FILE
-  # sigaction SIG_SUMMARY
-  snort-rule-file snort_rules/rules2.2/icmp.rules
-</augment>
-
-<augment 1280-9>
-  active T
-  comment "RPC portmap listing UDP 111"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 1242-10>
-  active T
-  comment "WEB-IIS ISAPI .ida access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 1889-5>
-  active T
-  comment "MISC slapper worm admin traffic"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/misc.rules
-</augment>
-
-<augment 870-5>
-  active T
-  comment "WEB-CGI snorkerz.cmd access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1353-5>
-  active T
-  comment "WEB-ATTACKS bin/nasm command attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-attacks.rules
-</augment>
-
-<augment 1233-9>
-  active F
-  comment "WEB-CLIENT Outlook EML access"
-  comment "too general"
-  comment "not an exploit"
-  requires-signature http_msie_client
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-client.rules
-</augment>
-
-<augment 2277-4>
-  active T
-  comment "WEB-MISC PeopleSoft PeopleBooks psdoccgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1922-6>
-  active T
-  comment "RPC portmap proxy attempt TCP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 1644-8>
-  active T
-  comment "WEB-CGI test-cgi attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 2425-3>
-  active T
-  comment NNTP senduuname overflow attempt
-  comment pcre: /^senduuname\x3a[^\n]{21}/smi
-  payload /((^)|(\n+))[sS][eE][nN][dD][uU][uU][nN][aA][mM][eE]\x3a[^\n]{21}/
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/nntp.rules
-  <delete>
-    payload /.*[sS][eE][nN][dD][uU][uU][nN][aA][mM][eE]/
-  </delete>
-</augment>
-
-<augment 582-8>
-  active T
-  comment "RPC portmap rexd request UDP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 952-6>
-  active T
-  comment "WEB-FRONTPAGE author.exe access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-frontpage.rules
-</augment>
-
-<augment 1709-4>
-  active F
-  comment "WEB-CGI ad.cgi access"
-  comment "rule too general, no details provided to fix"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 2047-2>
-  active F
-  comment "MISC rsyncd module list access"
-  comment "informational only, not exploit worthy"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/misc.rules
-</augment>
-
-<augment 911-7>
-  active T
-  comment "WEB-COLDFUSION exprcalc access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
-</augment>
-
-<augment 2219-6>
-  active T
-  comment "WEB-CGI setpasswd.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1543-12>
-  active F
-  comment "WEB-CGI cgiwrap access"
-  comment "too general to be useful"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1454-6>
-  active T
-  comment "WEB-CGI wwwwais access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 452-7>
-  active F
-  comment "ICMP Timestamp Reply undefined code"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 2561-2>
-  active T
-  comment "MISC rsync backup-dir directory traversal attempt"
-  comment pcre: /--backup-dir\s+\x2e\x2e\x2f/
-  payload /--backup-dir[\x20\x09\x0b]+\x2e\x2e\x2f/
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/misc.rules
-  <delete>
-    payload /.*--backup-dir/
-  </delete>
-</augment>
-
-<augment 1216-5>
-  active T
-  comment "WEB-MISC filemail access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 2390-4>
-  active T
-  comment FTP STOU overflow attempt
-  comment pcre: /^STOU\s[^\n]{100}/smi
-  eval dataSizeG100
-  requires-reverse-signature ! ftp_server_error
-  sigaction SIG_LOG
-  payload /((^)|(\n+))[sS][tT][oO][uU][\x20\x09\x0b][^\n]{100}/
-  snort-rule-file snort_rules/rules2.2/ftp.rules
-  <delete>
-    payload /.*[sS][tT][oO][uU]/
-  </delete>
-</augment>
-
-<augment 491-8>
-  active T
-  comment "INFO FTP Bad login"
-  comment pcre: /^530\s+(Login|User)/smi
-  ftp /((^)|(\n+))530[\x20\x09\x0b]+([lL][oO][gG][iI][nN]|[uU][sS][eE][rR])/
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/info.rules
-  <delete>
-    payload /.*530 /
-  </delete>
-</augment>
-
-<augment 246-2>
-  active T
-  comment "DDOS mstream agent pong to handler"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/ddos.rules
-</augment>
-
-<augment 324-5>
-  active T
-  comment "FINGER null request"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/finger.rules
-</augment>
-
-<augment 2440-3>
-  active T
-  comment "WEB-CLIENT RealPlayer playlist rtsp URL overflow attempt"
-  comment pcre: /^http\x3a\x2f\x2f[^\n]{400}/smi
-  payload /((^)|(\n+))[hH][tT]{2}[pP]\x3a\x2f\x2f[^\n]{400}/
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-client.rules
-</augment>
-
-<augment 881-5>
-  active T
-  comment "WEB-CGI archie access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 829-9>
-  active T
-  comment "WEB-CGI nph-test-cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 330-9>
-  active T
-  comment "FINGER redirection attempt"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/finger.rules
-</augment>
-
-<augment 981-9>
-  active T
-  comment "WEB-IIS unicode directory traversal attempt"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 847-7>
-  active T
-  comment "WEB-CGI campas access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1132-6>
-  active T
-  comment "WEB-MISC Netscape Unixware overflow"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 2534-3>
-  active T
-  comment "MISC LDAP SSLv3 invalid Client_Hello attempt"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/misc.rules
-</augment>
-
-<augment 227-6>
-  active T
-  comment "DDOS Stacheldraht client spoofworks"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/ddos.rules
-</augment>
-
-<augment 1902-9>
-  active T
-  comment "IMAP lsub literal overflow attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/imap.rules
-  payload /((^)|(\n+))[\x20\x09\x0b][lL][sS][uU][bB][\x20\x09\x0b][^\n]*?[\x20\x09\x0b]\{/
- <delete>
-	payload /.*[lL][sS][uU][bB]/
- </delete>
-</augment>
-
-<augment 1648-7>
-  active T
-  comment "WEB-CGI perl.exe command attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1965-8>
-  active T
-  comment "RPC tooltalk TCP overflow attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 1723-7>
-  active T
-  comment "WEB-CGI emumail.cgi NULL attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1147-7>
-  active T
-  comment "WEB-MISC cat%20 access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 2240-3>
-  active T
-  comment "WEB-MISC changepw.exe access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1825-6>
-  active F
-  dst-ip == local_nets
-  comment "WEB-CGI AlienForm af.cgi access"
-  comment "informational only"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1529-10>
-  active T
-  comment FTP SITE overflow attempt
-  comment "pcre: /^SITE\s[^\n]{100}/smi"
-  eval dataSizeG100
-  ftp "/((^)|(\n+))[sS][iI][tT][eE][\x20\x09\x0b][^\n]{100}/"
-  requires-reverse-signature ! ftp_server_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/ftp.rules
-  <delete>
-    payload "/.*[sS][iI][tT][eE]/"
-  </delete>
-</augment>
-
-<augment 486-4>
-  active F
-  comment "ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/icmp.rules
-</augment>
-
-<augment 1459-5>
-  active T
-  comment "WEB-CGI bb-histlog.sh access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 2213-6>
-  active T
-  comment "WEB-CGI mailfile.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 474-4>
-  active F
-  comment "ICMP superscan echo"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/icmp.rules
-</augment>
-
-<augment 1383-6>
-  active F
-  comment "P2P Fastrack kazaa/morpheus GET request"
-  comment "informational only"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/p2p.rules
-</augment>
-
-<augment 2032-5>
-  active T
-  comment "RPC yppasswd user update TCP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 1267-11>
-  active T
-  comment "RPC portmap nisd request TCP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 2308-6>
-  active T
-  comment "NETBIOS SMB DCERPC Workstation Service unicode bind attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 268-4>
-  active T
-  comment "DOS Jolt attack"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/dos.rules
-</augment>
-
-<augment 1072-9>
-  active T
-  comment "WEB-MISC Lotus Domino directory traversal"
-  requires-reverse-signature ! http_error
-  http /.*\.nsf[\/\\].*(\.\.\/){1,}.{2,}/
-  <delete>
-  	http /.*\.nsf[\/\\]/
-  	http /.*\.\.[\/\\]/
-  </delete>
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 613-5>
-  active F
-  comment "SCAN myscan"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/scan.rules
-</augment>
-
-<augment 251-3>
-  active T
-  comment "DDOS - TFN client command LE"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/ddos.rules
-</augment>
-
-<augment 400-7>
-  active F
-  comment "ICMP Destination Unreachable Network Unreachable for Type of Service"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 1124-5>
-  active F
-  comment "WEB-MISC Ecommerce check.txt access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1805-4>
-  active T
-  comment "WEB-CGI Oracle reports CGI access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 889-7>
-  active T
-  comment "WEB-CGI ppdscgi.exe access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 432-6>
-  active T
-  comment "ICMP Photuris Valid Security Parameters, But Decryption Failed"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 1862-7>
-  active T
-  comment "WEB-CGI mrtg.cgi directory traversal attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 2473-3>
-  active T
-  comment "NETBIOS SMB ADMIN$ share unicode access"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 437-6>
-  active F
-  comment "ICMP Redirect for TOS and Network"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 904-7>
-  active T
-  comment "WEB-COLDFUSION exampleapp application.cfm"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
-</augment>
-
-<augment 1930-3>
-  active T
-  comment "IMAP auth literal overflow attempt"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/imap.rules
-</augment>
-
-<augment 230-5>
-  active T
-  comment "DDOS shaft client login to handler"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/ddos.rules
-</augment>
-
-<augment 583-9>
-  active T
-  comment "RPC portmap rstatd request UDP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 837-8>
-  active T
-  comment "WEB-CGI uploader.exe access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1485-4>
-  active T
-  comment "WEB-IIS mkilog.exe access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 536-7>
-  active T
-  comment "NETBIOS SMB D$ share access"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 1161-9>
-  active T
-  comment "WEB-PHP piranha passwd.php3 access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 648-7>
-  active T
-  comment "SHELLCODE x86 NOOP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/shellcode.rules
-</augment>
-
-<augment 1301-11>
-  active T
-  comment "WEB-PHP admin.php access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 713-7>
-  active F
-  comment "TELNET livingston DOS"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/telnet.rules
-</augment>
-
-<augment 1286-6>
-  active T
-  comment "WEB-IIS _mem_bin access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 1554-9>
-  active T
-  dst-ip == local_nets
-  comment "WEB-CGI dbman db.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1909-10>
-  active T
-  comment "RPC CMSD TCP CMSD_INSERT buffer overflow attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 286-9>
-  active T
-  comment "POP3 EXPLOIT x86 BSD overflow"
-  requires-reverse-signature ! pop_return_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/pop3.rules
-</augment>
-
-<augment 1816-3>
-  active T
-  comment "WEB-PHP directory.php access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  <delete>
-  	http /.*[\/\\]directory\.php/
-  </delete>
-  http /.*[\/\\]directory\.php[\;\|]{1,}/
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 421-5>
-  active T
-  comment "ICMP Mobile Registration Reply"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 1366-5>
-  active T
-  comment "WEB-ATTACKS mail command attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-attacks.rules
-</augment>
-
-<augment 409-7>
-  active F
-  comment "ICMP Echo Reply undefined code"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 2271-2>
-  active T
-  comment "BACKDOOR FsSniffer connection attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/backdoor.rules
-</augment>
-
-<augment 1509-9>
-  active T
-  comment "WEB-CGI AltaVista Intranet Search directory traversal attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1202-5>
-  active T
-  comment "WEB-MISC search.vts access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 2426-3>
-  active T
-  comment NNTP version overflow attempt
-  comment "pcre: /^version\x3a[^\n]{21}/smi"
-  payload "/((^)|(\n+))[vV][eE][rR][sS][iI][oO][nN]\x3a[^\n]{21}/"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/nntp.rules
-  <delete>
-    payload "/.*[vV][eE][rR][sS][iI][oO][nN]/"
-  </delete>
-</augment>
-
-<augment 1225-4>
-  active T
-  comment "X11 MIT Magic Cookie detected"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/x11.rules
-</augment>
-
-<augment 1994-3>
-  active T
-  comment "WEB-CGI vpasswd.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 538-10>
-  active T
-  comment "NETBIOS SMB IPC$ share unicode access"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 2034-7>
-  active T
-  comment "RPC ypserv maplist request TCP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 2138-2>
-  active T
-  comment "WEB-MISC logicworks.ini access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1355-5>
-  active T
-  comment "WEB-ATTACKS /usr/bin/perl execution attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-attacks.rules
-</augment>
-
-<augment 2022-4>
-  active T
-  comment "RPC mountd TCP unmountall request"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 1708-7>
-  active T
-  comment "WEB-CGI hello.bat access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 454-7>
-  active F
-  comment "ICMP Timestamp Request undefined code"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 2279-2>
-  active T
-  comment "WEB-PHP UpdateClasses.php access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 684-5>
-  active T
-  comment "MS-SQL sp_delete_alert log file deletion"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/sql.rules
-</augment>
-
-<augment 922-6>
-  active T
-  comment "WEB-COLDFUSION displayfile access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
-</augment>
-
-<augment 1954-5>
-  active T
-  comment "RPC AMD UDP pid request"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 323-5>
-  active T
-  comment "FINGER root query"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/finger.rules
-</augment>
-
-<augment 2430-3>
-  active T
-  comment NNTP newgroup overflow attempt
-  comment "pcre: /^newgroup\x3a[^\n]{21}/smi"
-  payload "/((^)|(\n+))[nN][eE][wW][gG][rR][oO][uU][pP]\x3a[^\n]{21}/"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/nntp.rules
-  <delete>
-    payload "/.*[nN][eE][wW][gG][rR][oO][uU][pP]/"
-  </delete>
-</augment>
-
-<augment 2432-2>
-  active F
-  comment "NNTP article post without path attempt"
-  comment pcre: ! /^takethis.*?Path\x3a.*?[\r]{0,1}?\n[\r]{0,1}\n/si
-  comment Negation of a pattern is not supported
-  payload /((^)|(\n+))[tT][aA][kK][eE][tT][hH][iI][sS].*?[pP][aA][tT][hH]\x3a.*?[\r]{0,1}?\n[\r]{0,1}\n/
-  sigaction SIG_LOG
-  snort-rule-file snort_rules2.2/nntp.rules
-  <delete>
-    payload /.*[tT][aA][kK][eE][tT][hH][iI][sS]/
-  </delete>
-</augment>
-
-<augment 903-7>
-  active T
-  comment "WEB-COLDFUSION cfcache.map access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
-</augment>
-
-<augment 2460-3>
-  active F
-  comment CHAT Yahoo IM webcam request
-  comment "informational only"
-  comment pcre translate
-  payload "/((^)|(\n+))\x3c([rR][eE][qQ][iI][mM][gG]|[rR][vV][wW][cC][fF][gG])\x3e/"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/chat.rules
-</augment>
-
-<augment 1097-6>
-  active T
-  comment "WEB-CGI Talentsoft Web+ exploit attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 406-6>
-  active F
-  comment "ICMP Destination Unreachable Source Route Failed"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 550-8>
-  active F
-  comment "P2P napster new user login"
-  comment "informational only"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/p2p.rules
-</augment>
-
-<augment 1371-5>
-  active F
-  comment "WEB-ATTACKS /etc/motd access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-attacks.rules
-  comment "informational only"
-</augment>
-
-<augment 943-6>
-  active T
-  comment "WEB-FRONTPAGE fpsrvadm.exe access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-frontpage.rules
-</augment>
-
-<augment 852-8>
-  active T
-  comment "WEB-CGI wguest.exe access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 306-9>
-  active F
-  comment "EXPLOIT VQServer admin"
-  comment Too many false positives!!!!!!!!!!!!!!
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/exploit.rules
-</augment>
-
-<augment 399-6>
-  active F
-  comment "ICMP Destination Unreachable Host Unreachable"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 891-5>
-  active T
-  comment "WEB-CGI upload.pl access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1396-8>
-  active T
-  comment "WEB-CGI zml.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 691-5>
-  active T
-  comment "MS-SQL shellcode attempt"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/sql.rules
-</augment>
-
-<augment 1255-8>
-  active T
-  comment "WEB-PHP PHPLIB remote command attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 910-5>
-  active T
-  comment "WEB-COLDFUSION fileexists.cfm access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
-</augment>
-
-<augment 2122-7>
-  active T
-  comment POP3 UIDL negative arguement attempt
-  comment "pcre: /^UIDL\s+-\d/smi"
-  payload "/((^)|(\n+))[uU][iI][dD][lL][\x20\x09\x0b]+-[0-9]/"
-  requires-reverse-signature ! pop_return_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/pop3.rules
-  <delete>
-    payload "/.*[uU][iI][dD][lL]/"
-  </delete>
-</augment>
-
-<augment 1414-11>
-  active T
-  comment "SNMP private access tcp"
-  requires-reverse-signature snmp_tserver_ok_return
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/snmp.rules
-</augment>
-
-<augment 1288-6>
-  active T
-  comment "WEB-FRONTPAGE /_vti_bin/ access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-frontpage.rules
-</augment>
-
-<augment 1354-5>
-  active T
-  comment "WEB-ATTACKS nasm command attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-attacks.rules
-</augment>
-
-<augment 307-9>
-  active T
-  comment "EXPLOIT CHAT IRC topic overflow"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/exploit.rules
-</augment>
-
-<augment 1962-7>
-  active T
-  comment "RPC portmap RQUOTA request TCP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 2199-6>
-  active T
-  comment "WEB-CGI multidiff.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1037-10>
-  active T
-  dst-ip == local_nets
-  comment "WEB-IIS showcode.asp access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 463-7>
-  active T
-  comment "ICMP unassigned type 7 undefined code"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 1510-9>
-  active T
-  comment "WEB-CGI test.bat arbitrary command execution attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 487-4>
-  active F
-  comment "ICMP Destination Unreachable Communication with Destination Network is Administratively Prohibited"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/icmp.rules
-</augment>
-
-<augment 1365-5>
-  active T
-  comment "WEB-ATTACKS rm command attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-attacks.rules
-</augment>
-
-<augment 1576-4>
-  active T
-  comment "WEB-MISC Domino cersvr.nsf access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1038-8>
-  active T
-  comment "WEB-IIS site server config access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 377-7>
-  active T
-  comment "ICMP PING Network Toolbox 3 Windows"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 433-8>
-  active T
-  comment "ICMP Photuris undefined code!"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 2502-7>
-  active T
-  comment "POP3 SSLv3 invalid data version attempt"
-  requires-reverse-signature ! pop_return_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/pop3.rules
-</augment>
-
-<augment 2375-3>
-  active T
-  comment "BACKDOOR DoomJuice file upload attempt"
-  payload /^\x85\x13<\x9E\xA2/
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/backdoor.rules
-  <delete>
-    payload /\x85\x13<\x9E\xA2/
-  </delete>
-</augment>
-
-<augment 1589-4>
-  active T
-  comment "WEB-MISC musicat empower attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 2233-5>
-  active T
-  comment "WEB-MISC SFNofitication.dll access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1370-5>
-  active T
-  comment "WEB-ATTACKS /etc/inetd.conf access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-attacks.rules
-</augment>
-
-<augment 1651-4>
-  active T
-  comment "WEB-CGI enivorn.pl access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1369-5>
-  active T
-  comment "WEB-ATTACKS /bin/ls command attempt"
-  requires-reverse-signature ! http_error
-  http /.*[\/\\]bin[\/\\]ls[^a-zA-Z0-9_.-]/
-  <delete>
-  	http /.*[\/\\]bin[\/\\]ls/
-  </delete>
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-attacks.rules
-</augment>
-
-<augment 1468-7>
-  active T
-  comment "WEB-CGI Web Shopper shopper.cgi attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 2565-1>
-  active T
-  comment "WEB-PHP modules.php access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 626-7>
-  active T
-  comment "SCAN cybercop os PA12 attempt"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/scan.rules
-</augment>
-
-<augment 1956-5>
-  active F
-  comment "RPC AMD UDP version request"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 2480-3>
-  active T
-  comment "NETBIOS SMB-DS DCERPC shutdown unicode attempt"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 897-10>
-  active T
-  comment "WEB-CGI pals-cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1158-10>
-  active T
-  comment "WEB-MISC windmail.exe access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 664-13>
-  active T
-  comment SMTP RCPT TO decode attempt
-  comment "pcre: /^rcpt to\:\s+decode/smi"
-  payload "/((^)|(\n+))[rR][cC][pP][tT][\x20\x09\x0b][tT][oO]:[\x20\x09\x0b]+[dD][eE][cC][oO][dD][eE]/"
-  requires-reverse-signature ! smtp_server_fail
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/smtp.rules
-  <delete>
-    payload /.*rcpt to\x3A.*.*[dD][eE][cC][oO][dD][eE]/
-  </delete>
-</augment>
-
-<augment 2395-3>
-  active T
-  comment "WEB-MISC InteractiveQuery.jsp access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 877-8>
-  active T
-  comment "WEB-CGI rksh access"
-  requires-reverse-signature ! http_error
-  requires-signature ! http_shell_check
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 585-7>
-  active T
-  comment "RPC portmap sadmind request UDP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 2368-4>
-  active T
-  comment "WEB-PHP PhpGedView PGV config_gedcom.php base directory manipulation attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 1512-9>
-  active T
-  comment "WEB-CGI input.bat arbitrary command execution attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1470-5>
-  active T
-  comment "WEB-CGI listrec.pl access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 2500-4>
-  active T
-  comment "MISC LDAP SSLv3 invalid data version attempt"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/misc.rules
-</augment>
-
-<augment 245-3>
-  active T
-  comment "DDOS mstream handler ping to agent"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/ddos.rules
-</augment>
-
-<augment 1407-8>
-  active T
-  comment "WEB-PHP smssend.php access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 1331-5>
-  active T
-  comment "WEB-ATTACKS uname -a command attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-attacks.rules
-</augment>
-
-<augment 2457-2>
-  active F
-  comment "CHAT Yahoo IM message"
-  comment "informational only"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/chat.rules
-</augment>
-
-<augment 2550-2>
-  active T
-  comment "EXPLOIT winamp XM module name overflow"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/exploit.rules
-</augment>
-
-<augment 1809-9>
-  active T
-  comment "WEB-MISC Apache Chunked-Encoding worm attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1483-9>
-  active T
-  comment "WEB-CGI ustorekeeper.pl access"
-  dst-ip == local_nets
-  requires-reverse-signature ! http_error
-  comment "informational only"
-  comment "verify that application is not vulnerable"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1614-8>
-  active T
-  comment "WEB-MISC Novell Groupwise gwweb.exe attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1480-9>
-  active T
-  comment "WEB-CGI ttawebtop.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 670-7>
-  active T
-  comment "SMTP sendmail 8.6.9 exploit"
-  requires-reverse-signature ! smtp_server_fail
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/smtp.rules
-</augment>
-
-<augment 1248-13>
-  active T
-  comment "WEB-FRONTPAGE rad fp30reg.dll access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-frontpage.rules
-</augment>
-
-<augment 2130-5>
-  active T
-  comment "WEB-IIS IISProtect siteadmin.asp access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 1380-4>
-  active T
-  comment "WEB-IIS cross-site scripting attempt"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 1337-6>
-  active T
-  comment "WEB-ATTACKS chgrp command attempt"
-  requires-reverse-signature ! http_error
-  http /.*\/[cC][hH][gG][rR][pP]([^-a-zA-Z0-9_.]|$)/
-  <delete>
-  	payload /.*\/[cC][hH][gG][rR][pP]/
-  </delete>
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-attacks.rules
-</augment>
-
-<augment 2451-3>
-  active F
-  comment "CHAT Yahoo IM voicechat"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/chat.rules
-</augment>
-
-<augment 928-5>
-  active T
-  comment "WEB-COLDFUSION exampleapp access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
-</augment>
-
-<augment 926-7>
-  active T
-  comment "WEB-COLDFUSION set odbc ini attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
-</augment>
-
-<augment 2242-4>
-  active T
-  comment "WEB-MISC ddicgi.exe access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 2298-4>
-  active T
-  comment "WEB-PHP Advanced Poll admin_templates.php access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 2118-6>
-  active T
-  comment IMAP list overflow attempt
-  comment "pcre: /\sLIST\s[^\n]{100}/smi"
-  payload "/((^)|(\n+))[\x20\x09\x0b][lL][iI][sS][tT][\x20\x09\x0b][^\n]{100}/"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/imap.rules
-  <delete>
-    payload "/.*[lL][iI][sS][tT]/"
-  </delete>
-</augment>
-
-<augment 1442-4>
-  active T
-  comment "TFTP GET shadow"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/tftp.rules
-</augment>
-
-<augment 1250-11>
-  active T
-  comment "WEB-MISC Cisco IOS HTTP configuration attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-  comment "would like to inspect contents of reply"
-</augment>
-
-<augment 1996-3>
-  active T
-  comment "WEB-CGI viralator.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 418-7>
-  active F
-  comment "ICMP Information Request undefined code"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 2478-3>
-  active T
-  comment "NETBIOS SMB-DS DCERPC bind winreg attempt"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 1241-5>
-  active T
-  comment "WEB-MISC SWEditServlet directory traversal attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1971-4>
-  active T
-  comment FTP SITE EXEC format string attempt
-  comment "pcre: /^SITE\s+EXEC\s[^\n]*?%[^\n]*?%/smi"
-  ftp "/((^)|(\n+))[sS][iI][tT][eE][\x20\x09\x0b]+[eE][xX][eE][cC][\x20\x09\x0b][^\n]*?%[^\n]*?%/"
-  requires-reverse-signature ! ftp_server_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/ftp.rules
-  <delete>
-    payload "/.*[sS][iI][tT][eE].*.*[eE][xX][eE][cC]/"
-  </delete>
-</augment>
-
-<augment 2286-2>
-  active T
-  comment "WEB-PHP friends.php access"
-  comment "added details for sql *injection*.  rules differ for"
-  comment "other attacks, but this seems the most dangerous"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-  http /.*[\/\\]friends\.php\x3fadmin\x3d[a-zA-Z0-9]{5,20}.* /
-  <delete>
-  	http /.*[\/\\]friends\.php/
-  </delete>
-</augment>
-
-<augment 1522-10>
-  active T
-  comment "WEB-MISC ans.pl attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 2192-8>
-  active T
-  comment "NETBIOS DCERPC ISystemActivator bind attempt"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 1926-6>
-  active T
-  comment "RPC mountd UDP exportall request"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 1717-4>
-  active T
-  comment "WEB-CGI simplestguest.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 2522-7>
-  active F
-  comment "WEB-MISC SSLv3 invalid Client_Hello attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1738-5>
-  active T
-  comment "WEB-MISC global.inc access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 2121-8>
-  active T
-  comment POP3 DELE negative arguement attempt
-  comment pcre: /^DELE\s+-\d/smi
-  payload /((^)|(\n+))[dD][eE][lL][eE]+-[0-9]/
-  requires-reverse-signature ! pop_return_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/pop3.rules
-  <delete>
-    payload "/.*[dD][eE][lL][eE]/"
-  </delete>
-</augment>
-
-<augment 1219-10>
-  active T
-  comment "WEB-CGI dfire.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 834-7>
-  active T
-  comment "WEB-CGI rwwwshell.pl access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1537-6>
-  active T
-  comment "WEB-CGI calendar_admin.pl access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 701-7>
-  active T
-  comment "MS-SQL xp_updatecolvbm possible buffer overflow"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/sql.rules
-</augment>
-
-<augment 1163-11>
-  active T
-  comment "WEB-CGI webdist.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1519-8>
-  active T
-  comment "WEB-MISC apache ?M=D directory list attempt"
-  comment "add additional filters"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-  http /Content-language:.* /
-  eval isApacheLt1322
-</augment>
-
-<augment 846-8>
-  active T
-  comment "WEB-CGI bnbform.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 412-7>
-  active F
-  comment "ICMP IPV6 I-Am-Here undefined code"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 492-8>
-  active F
-  comment "INFO TELNET Bad Login"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/info.rules
-</augment>
-
-<augment 2422-2>
-  active F
-  comment "MULTIMEDIA realplayer .rt playlist download attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/multimedia.rules
-</augment>
-
-<augment 1110-7>
-  active T
-  comment "WEB-MISC apache source.asp file access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1484-5>
-  active T
-  comment "WEB-IIS /isapi/tstisapi.dll access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 2476-3>
-  active T
-  comment "NETBIOS SMB-DS Create AndX Request winreg attempt"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 440-7>
-  active F
-  comment "ICMP Reserved for Security Type 19 undefined code"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 503-6>
-  active T
-  comment "MISC Source Port 20 to <1024"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/misc.rules
-</augment>
-
-<augment 2471-3>
-  active T
-  comment "NETBIOS SMB-DS C$ share access"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 458-7>
-  active T
-  comment "ICMP unassigned type 1"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 2568-1>
-  active T
-  comment "WEB-CGI Emumail emumail.fcgi access"
-  requires-reverse-signature ! http_error
-  http /.*[\/\\]emumail\.fcgi\?./
-  <delete>
-  	http /.*[\/\\]emumail\.fcgi/
-  </delete>
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1359-5>
-  active T
-  comment "WEB-ATTACKS ping command attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-attacks.rules
-</augment>
-
-<augment 1569-5>
-  active T
-  comment "WEB-CGI loadpage.cgi directory traversal attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1405-5>
-  active F
-  comment "WEB-CGI AHG search.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 813-9>
-  active T
-  comment "WEB-CGI webplus directory traversal"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 700-8>
-  active T
-  comment "MS-SQL/SMB xp_updatecolvbm possible buffer overflow"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/sql.rules
-</augment>
-
-<augment 1078-8>
-  active F
-  comment "WEB-MISC counter.exe access"
-  comment "'99 exploit against iis 4.0, remove"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 866-8>
-  active T
-  comment "WEB-CGI post-query access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 314-9>
-  active T
-  comment "DNS EXPLOIT named tsig overflow attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/dns.rules
-</augment>
-
-<augment 2137-2>
-  active T
-  comment "WEB-MISC philboard_admin.asp access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 2069-5>
-  active T
-  comment "WEB-MISC chip.ini access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 991-8>
-  active T
-  comment "WEB-IIS achg.htr access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 1566-7>
-  active T
-  comment "WEB-CGI eshop.pl access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 2116-3>
-  active T
-  comment "WEB-CGI chipcfg.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1872-3>
-  active T
-  comment "WEB-MISC Oracle Dynamic Monitoring Services dms access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1832-7>
-  active F
-  comment "CHAT ICQ forced user addition"
-  comment "informational only"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/chat.rules
-</augment>
-
-<augment 1399-11>
-  active T
-  comment "WEB-PHP PHP-Nuke remote file include attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  <delete>
-  	payload /.*[fF][iI][lL][eE]=/
-  	http /.*[\/\\]index\.php/
-  </delete>
-  http /.*[\/\\]index\.php.*[fF][iI][lL][eE]=([hH][tT][tT][pP][sS]?|[fF][tT][pP])/
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 954-6>
-  active T
-  comment "WEB-FRONTPAGE form_results.htm access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-frontpage.rules
-</augment>
-
-<augment 1736-6>
-  active T
-  comment "WEB-PHP squirrel mail spell-check arbitrary command attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 1469-5>
-  active T
-  comment "WEB-CGI Web Shopper shopper.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 705-7>
-  active T
-  comment "MS-SQL xp_showcolv possible buffer overflow"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/sql.rules
-</augment>
-
-<augment 1177-6>
-  active T
-  comment "WEB-MISC Netscape Enterprise Server directory view"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 2521-5>
-  active F
-  comment "WEB-MISC SSLv3 Server_Hello request"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 869-8>
-  active T
-  comment "WEB-CGI dumpenv.pl access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 811-9>
-  active F
-  comment "WEB-CGI websitepro path access"
-  comment "informational only"
-  comment "not exploit worthy"
-  comment "too general"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1769-3>
-  active T
-  comment "WEB-MISC .DS_Store access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 963-6>
-  active T
-  comment "WEB-FRONTPAGE svcacl.cnf access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-frontpage.rules
-</augment>
-
-<augment 1137-9>
-  active T
-  comment "WEB-PHP Phorum authentication access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 1066-6>
-  active T
-  comment "WEB-MISC telnet attempt"
-  requires-reverse-signature ! http_error
-  http /.*[tT][eE][lL][nN][eE][tT]\.[eE][xX][eE]/
-  <delete>
-  	payload /.*[tT][eE][lL][nN][eE][tT]\.[eE][xX][eE]/
-  </delete>
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 2182-6>
-  active F
-  comment "BACKDOOR typot trojan traffic"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/backdoor.rules
-</augment>
-
-<augment 892-8>
-  active T
-  comment "WEB-CGI AnyForm2 access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 2012-2>
-  active T
-  comment "MISC CVS missing cvsroot response"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/misc.rules
-</augment>
-
-<augment 2307-5>
-  active T
-  comment WEB-PHP PayPal Storefront arbitrary command execution attempt
-  comment pcre: /page=(http|https|ftp)/i
-  http /[pP][aA][gG][eE]=(http|https|ftp)/
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-  <delete>
-    payload /.*page=/
-  </delete>
-</augment>
-
-<augment 2404-5>
-  active T
-  comment "NETBIOS SMB-DS Session Setup AndX request unicode username overflow attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 1913-10>
-  active T
-  comment "RPC STATD UDP stat mon_name format string exploit attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 2518-10>
-  active T
-  comment "POP3 PCT Client_Hello overflow attempt"
-  requires-reverse-signature ! pop_return_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/pop3.rules
-</augment>
-
-<augment 1945-4>
-  active T
-  comment "WEB-IIS unicode directory traversal attempt"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 2493-5>
-  active T
-  comment "NETBIOS SMB DCERPC ISystemActivator unicode bind attempt"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 2517-10>
-  active T
-  comment "IMAP PCT Client_Hello overflow attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/imap.rules
-</augment>
-
-<augment 389-7>
-  active F
-  comment "ICMP Address Mask Request undefined code"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 443-5>
-  active F
-  comment "ICMP Router Selection"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 2563-4>
-  active F
-  comment "NETBIOS NS lookup response name overflow attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 2284-3>
-  active T
-  comment "WEB-PHP rolis guestbook remote file include attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 420-7>
-  active F
-  comment "ICMP Mobile Host Redirect undefined code"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 1917-6>
-  active F
-  comment "SCAN UPnP service discover attempt"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/scan.rules
-</augment>
-
-<augment 820-9>
-  active T
-  comment "WEB-CGI anaconda directory transversal attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1746-11>
-  active T
-  comment "RPC portmap cachefsd request UDP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 414-7>
-  active F
-  comment "ICMP IPV6 Where-Are-You undefined code"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 220-6>
-  active F
-  dst-ip == local_nets
-  comment "BACKDOOR HideSource backdoor attempt"
-  comment "old signature from 1997"
-  comment "moved check to hot-ids.bro"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/backdoor.rules
-</augment>
-
-<augment 300-7>
-  active T
-  comment "EXPLOIT nlps x86 Solaris overflow"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/exploit.rules
-</augment>
-
-<augment 601-6>
-  active T
-  comment "RSERVICES rlogin LinuxNIS"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rservices.rules
-</augment>
-
-<augment 1096-6>
-  active T
-  comment "WEB-MISC Talentsoft Web+ internal IP Address access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 2302-4>
-  active T
-  comment "WEB-PHP Advanced Poll poll_ssi.php access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 1570-5>
-  active T
-  dst-ip == local_nets
-  comment "WEB-CGI loadpage.cgi access"
-  requires-reverse-signature ! http_error
-  http /.*[\/\\]loadpage\.cgi\?{1,}\//
-  <delete>
-  	http /.*[\/\\]loadpage\.cgi/
-  </delete>
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 2519-9>
-  active T
-  comment "SMTP Client_Hello overflow attempt"
-  requires-reverse-signature ! smtp_server_fail
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/smtp.rules
-</augment>
-
-<augment 885-9>
-  active F
-  comment "WEB-CGI bash access"
-  comment "sig too general, shell check does not keep man pages from triggering this"
-  requires-reverse-signature ! http_error
-  requires-signature ! http_shell_check
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 569-14>
-  active T
-  comment "RPC snmpXdmi overflow attempt TCP"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 2378-3>
-  active T
-  comment "EXPLOIT ISAKMP third payload certificate request length overflow attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/exploit.rules
-</augment>
-
-<augment 1674-5>
-  active T
-  comment "ORACLE connect_data remote version detection attempt"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/oracle.rules
-</augment>
-
-<augment 914-5>
-  active T
-  comment "WEB-COLDFUSION beaninfo access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
-</augment>
-
-<augment 322-10>
-  active T
-  comment "FINGER search query"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/finger.rules
-</augment>
-
-<augment 365-8>
-  active F
-  comment "ICMP PING undefined code"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 2191-3>
-  active T
-  comment "NETBIOS SMB DCERPC invalid bind attempt"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 2037-5>
-  active T
-  comment "RPC network-status-monitor mon-callback request UDP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 968-6>
-  active T
-  comment "WEB-FRONTPAGE register.htm access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-frontpage.rules
-</augment>
-
-<augment 901-10>
-  active T
-  comment "WEB-CGI webspirs.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 609-5>
-  active T
-  comment "RSERVICES rsh froot"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/rservices.rules
-</augment>
-
-<augment 513-10>
-  active T
-  comment "MISC Cisco Catalyst Remote Access"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/misc.rules
-</augment>
-
-<augment 457-7>
-  active F
-  comment "ICMP Traceroute undefined code"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 1067-6>
-  active T
-  comment "WEB-MISC net attempt"
-  requires-reverse-signature ! http_error
-  http /.*[^a-zA-Z0-9_.-][nN][eE][tT]\.[eE][xX][eE]/
-  <delete>
-  	payload /.*[nN][eE][tT]\.[eE][xX][eE]/
-  </delete>
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 332-8>
-  active T
-  comment "FINGER 0 query"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/finger.rules
-</augment>
-
-<augment 2323-2>
-  active T
-  comment "WEB-CGI quickstore.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 692-6>
-  active T
-  comment "MS-SQL/SMB shellcode attempt"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/sql.rules
-</augment>
-
-<augment 851-7>
-  active T
-  comment "WEB-CGI files.pl access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 105-7>
-  active T
-  comment "BACKDOOR - Dagger_1.4.0"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/backdoor.rules
-</augment>
-
-<augment 599-11>
-  active T
-  comment "RPC portmap listing TCP 32771"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 1847-8>
-  active F
-  comment "WEB-MISC webalizer access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-  comment "informational only"
-</augment>
-
-<augment 1071-6>
-  active T
-  comment "WEB-MISC .htpasswd access"
-  requires-reverse-signature ! http_error
-  http /.*\/\.[hH][tT][pP][aA][sS][sS][wW][dD]/
-  <delete>
-  	payload /.*\.[hH][tT][pP][aA][sS][sS][wW][dD]/
-  </delete>
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 620-9>
-  active F
-  comment "SCAN Proxy Port 8080 attempt"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/scan.rules
-</augment>
-
-<augment 635-3>
-  active T
-  comment "SCAN XTACACS logout"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/scan.rules
-</augment>
-
-<augment 1265-9>
-  active T
-  comment "RPC portmap cmsd request TCP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 1669-5>
-  active T
-  comment "WEB-CGI /cgi-dos/ access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1949-5>
-  active T
-  comment "RPC portmap SET attempt TCP 111"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 1581-4>
-  active T
-  comment "WEB-MISC Domino ntsync4.nsf access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 2008-4>
-  active T
-  comment "MISC CVS invalid user authentication response"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/misc.rules
-</augment>
-
-<augment 431-6>
-  active F
-  comment "ICMP Photuris Valid Security Parameters, But Authentication Failed"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 1406-11>
-  active T
-  comment "WEB-CGI agora.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1871-4>
-  active T
-  comment "WEB-MISC Oracle XSQLConfig.xml access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1292-8>
-  active T
-  comment "ATTACK-RESPONSES directory listing"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/attack-responses.rules
-</augment>
-
-<augment 109-5>
-  active T
-  comment "BACKDOOR netbus active"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/backdoor.rules
-</augment>
-
-<augment 1789-3>
-  active T
-  comment "CHAT IRC dns request"
-  comment "informational only"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/chat.rules
-</augment>
-
-<augment 1925-6>
-  active F
-  comment "RPC mountd TCP exportall request"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 1618-14>
-  active T
-  comment "WEB-IIS .asp chunked Transfer-Encoding"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 1501-8>
-  active T
-  comment "WEB-CGI a1stats a1disp3.cgi directory traversal attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 249-7>
-  active T
-  comment "DDOS mstream client to handler"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/ddos.rules
-</augment>
-
-<augment 2454-3>
-  active F
-  comment "CHAT Yahoo IM conference logon success"
-  comment "informational only"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/chat.rules
-</augment>
-
-<augment 2439-3>
-  active T
-  comment "WEB-CLIENT RealPlayer playlist http URL overflow attempt"
-  comment pcre: /^http\x3a\x2f\x2f[^\n]{400}/smi
-  payload /((^)|(\n+))[hH][tT]{2}[pP]\x3a\x2f\x2f[^\n]{400}/
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-client.rules
-</augment>
-
-<augment 2472-3>
-  active T
-  comment "NETBIOS SMB-DS C$ share unicode access"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 1070-7>
-  active T
-  comment "WEB-MISC WebDAV search access"
-  requires-signature http_iis_server
-  http /((^)|(\n+))[sS][eE][aA][rR][cC][hH]/
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  # sigaction SIG_SUMMARY
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-  <delete>
-    payload /.{0,1}[sS][eE][aA][rR][cC][hH] /
-  </delete>
-</augment>
-
-<augment 283-10>
-  active T
-  comment "EXPLOIT Netscape 4.7 client overflow"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/exploit.rules
-</augment>
-
-<augment 947-6>
-  active T
-  comment "WEB-FRONTPAGE orders.txt access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-frontpage.rules
-</augment>
-
-<augment 2126-6>
-  active F
-  comment "MISC Microsoft PPTP Start Control Request buffer overflow attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/misc.rules
-</augment>
-
-<augment 1918-6>
-  active F
-  comment "SCAN SolarWinds IP scan attempt"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/scan.rules
-</augment>
-
-<augment 1358-5>
-  active T
-  comment "WEB-ATTACKS traceroute command attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-attacks.rules
-</augment>
-
-<augment 2236-5>
-  active T
-  comment "WEB-MISC spamrule.dll access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 376-7>
-  active F
-  comment "ICMP PING Microsoft Windows"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 2335-2>
-  active T
-  comment "FTP RMD / attempt"
-  requires-reverse-signature ! ftp_server_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/ftp.rules
-</augment>
-
-<augment 495-7>
-  active T
-  comment "ATTACK-RESPONSES command error"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/attack-responses.rules
-</augment>
-
-<augment 2523-6>
-  active F
-  comment "DOS BGP spoofed connection reset attempt"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/dos.rules
-</augment>
-
-<augment 1972-10>
-  active T
-  comment FTP PASS overflow attempt
-  comment "pcre: /^PASS\s[^\n]{100}/smi"
-  eval dataSizeG100
-  ftp "/((^)|(\n+))[pP][aA][sS][sS][\x20\x09\x0b][^\n]{100}/"
-  requires-reverse-signature ! ftp_server_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/ftp.rules
-  <delete>
-    payload "/.*[pP][aA][sS][sS]/"
-  </delete>
-</augment>
-
-<augment 2374-4>
-  active T
-  comment FTP NLST overflow attempt
-  comment "pcre: /^NLST\s[^\n]{100}/smi"
-  eval dataSizeG100
-  ftp "/((^)|(\n+))[nNlLsStT][\x20\x09\x0b][^\n]{100}/"
-  requires-reverse-signature ! ftp_server_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/ftp.rules
-  <delete>
-    payload "/.*[nN][lL][sS][tT]/"
-  </delete>
-</augment>
-
-<augment 2088-5>
-  active T
-  comment "RPC ypupdated arbitrary command attempt UDP"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 327-8>
-  active T
-  comment "FINGER remote command pipe execution attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/finger.rules
-</augment>
-
-<augment 2535-3>
-  active F
-  comment "POP3 SSLv3 Client_Hello request"
-  requires-reverse-signature ! pop_return_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/pop3.rules
-</augment>
-
-<augment 317-6>
-  active T
-  comment "EXPLOIT x86 Linux mountd overflow"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/exploit.rules
-</augment>
-
-<augment 856-5>
-  active T
-  comment "WEB-CGI environ.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1527-7>
-  active T
-  comment "WEB-MISC basilix mysql.class access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1065-6>
-  active T
-  comment "WEB-MISC rcmd attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1324-6>
-  active T
-  comment "EXPLOIT ssh CRC32 overflow /bin/sh"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/exploit.rules
-</augment>
-
-<augment 507-4>
-  active T
-  comment "MISC PCAnywhere Attempted Administrator Login"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/misc.rules
-</augment>
-
-<augment 899-8>
-  active T
-  comment "WEB-CGI Amaya templates sendtemp.pl directory traversal attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 2337-7>
-  active T
-  comment "TFTP PUT filename overflow attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/tftp.rules
-</augment>
-
-<augment 819-7>
-  active F
-  comment "WEB-CGI mmstdod.cgi access"
-  comment "informational only"
-  comment "old signature from 03-01-2001"
-  requires-reverse-signature ! http_error
-  http /.*[\/\\]smartsearch\.cgi.*\|/
-  <delete>
-  	http /.*[\/\\]smartsearch\.cgi/
-  </delete>
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1743-5>
-  active T
-  comment "WEB-PHP Blahz-DNS dostuff.php access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 1083-6>
-  active T
-  comment "WEB-MISC unify eWave ServletExec DOS"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 2228-4>
-  active T
-  comment "WEB-PHP phpMyAdmin db_details_importdocsql.php access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 979-9>
-  active T
-  comment "WEB-IIS ASP contents view"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 1230-8>
-  active T
-  comment "WEB-MISC VirusWall FtpSave access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 2377-3>
-  active T
-  comment "EXPLOIT ISAKMP second payload certificate request length overflow attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/exploit.rules
-</augment>
-
-<augment 905-7>
-  active T
-  comment "WEB-COLDFUSION application.cfm access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
-</augment>
-
-<augment 1759-5>
-  active T
-  comment "MS-SQL xp_cmdshell program execution 445"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/sql.rules
-</augment>
-
-<augment 1585-4>
-  active T
-  comment "WEB-MISC Domino agentrunner.nsf access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 965-6>
-  active T
-  comment "WEB-FRONTPAGE writeto.cnf access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-frontpage.rules
-</augment>
-
-<augment 2367-4>
-  active T
-  comment "WEB-PHP PhpGedView PGV functions.php base directory manipulation attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 980-7>
-  active T
-  comment "WEB-IIS CGImail.exe access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 2041-2>
-  active T
-  comment "MISC xtacacs failed login response"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/misc.rules
-</augment>
-
-<augment 1829-5>
-  active T
-  comment "WEB-MISC Tomcat TroubleShooter servlet access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 946-6>
-  active T
-  comment "WEB-FRONTPAGE fpadmcgi.exe access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-frontpage.rules
-</augment>
-
-<augment 1593-10>
-  active T
-  comment "WEB-CGI FormHandler.cgi external site redirection attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 473-4>
-  active F
-  comment "ICMP redirect net"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/icmp.rules
-</augment>
-
-<augment 925-5>
-  active T
-  comment "WEB-COLDFUSION mainframeset access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
-</augment>
-
-<augment 1195-8>
-  active T
-  comment "WEB-CGI sojourn.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1899-8>
-  active T
-  comment "EXPLOIT kadmind buffer overflow attempt"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/exploit.rules
-</augment>
-
-<augment 1907-10>
-  active T
-  comment "RPC CMSD UDP CMSD_CREATE buffer overflow attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 2203-6>
-  active T
-  comment "WEB-CGI everythingform.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 993-7>
-  active T
-  comment "WEB-IIS iisadmin access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 2567-1>
-  active T
-  comment "WEB-CGI Emumail init.emu access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1649-7>
-  active T
-  comment "WEB-CGI perl command attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 2497-6>
-  active T
-  comment "IMAP SSLv3 invalid data version attempt"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/imap.rules
-</augment>
-
-<augment 2055-2>
-  active F
-  comment "WEB-CGI enter_bug.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-  comment "Informational only"
-</augment>
-
-<augment 1213-5>
-  active T
-  comment "WEB-MISC backup access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1631-6>
-  active F
-  comment "CHAT AIM login"
-  comment "informational only"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/chat.rules
-</augment>
-
-<augment 466-4>
-  active F
-  comment "ICMP L3retriever Ping"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/icmp.rules
-</augment>
-
-<augment 917-7>
-  active T
-  comment "WEB-COLDFUSION db connections flush attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
-</augment>
-
-<augment 697-8>
-  active T
-  comment "MS-SQL/SMB xp_peekqueue possible buffer overflow"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/sql.rules
-</augment>
-
-<augment 1152-5>
-  active T
-  comment "WEB-MISC Domino domlog.nsf access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1283-9>
-  active T
-  comment "WEB-IIS outlook web dos"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 1462-5>
-  active T
-  comment "WEB-CGI bb-replog.sh access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 805-10>
-  active F
-  comment "WEB-CGI webspeed access"
-  comment "informational only, not exploit worthy"
-  comment "old signature from 2000"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1266-10>
-  active T
-  comment "RPC portmap mountd request TCP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 1204-6>
-  active T
-  comment "WEB-CGI ax-admin.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1010-7>
-  active T
-  comment "WEB-IIS encoding access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 482-5>
-  active F
-  comment "ICMP PING WhatsupGold Windows"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp.rules
-</augment>
-
-<augment 688-6>
-  active T
-  comment "MS-SQL sa login failed"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/sql.rules
-</augment>
-
-<augment 890-10>
-  active T
-  comment "WEB-CGI sendform.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 587-8>
-  active T
-  comment "RPC portmap status request UDP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 1401-4>
-  active T
-  comment "WEB-IIS /msadc/samples/ access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 355-5>
-  active T
-  comment "FTP pass wh00t"
-  requires-reverse-signature ! ftp_server_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/ftp.rules
-</augment>
-
-<augment 405-6>
-  active F
-  comment "ICMP Destination Unreachable Source Host Isolated"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 828-5>
-  active T
-  comment "WEB-CGI maillist.pl access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 238-6>
-  active F
-  comment "DDOS TFN server response"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/ddos.rules
-</augment>
-
-<augment 2148-4>
-  active T
-  comment "WEB-PHP BLNews objects.inc.php4 access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 1103-8>
-  active T
-  comment "WEB-MISC Netscape admin passwd"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 2419-2>
-  active F
-  comment "MULTIMEDIA realplayer .ram playlist download attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/multimedia.rules
-</augment>
-
-<augment 410-5>
-  active F
-  comment "ICMP Fragment Reassembly Time Exceeded"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 2082-9>
-  active T
-  comment "RPC portmap rpc.xfsmd request TCP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 929-7>
-  active T
-  comment "WEB-COLDFUSION CFUSION_VERIFYMAIL access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
-</augment>
-
-<augment 2281-2>
-  active T
-  comment "WEB-PHP Setup.php access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 2226-5>
-  active T
-  comment "WEB-PHP pmachine remote file include attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 413-5>
-  active F
-  comment "ICMP IPV6 Where-Are-You"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 564-7>
-  active F
-  comment "P2P Napster Client Data"
-  comment "informational only"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/p2p.rules
-</augment>
-
-<augment 1747-11>
-  active T
-  comment "RPC portmap cachefsd request TCP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 644-5>
-  active T
-  comment "SHELLCODE sparc NOOP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/shellcode.rules
-</augment>
-
-<augment 1375-6>
-  active T
-  comment "WEB-MISC sadmind worm access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1719-4>
-  active T
-  comment "WEB-CGI talkback.cgi directory traversal attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1507-9>
-  active T
-  comment "WEB-CGI alibaba.pl arbitrary command execution attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1081-10>
-  active T
-  comment "WEB-MISC Netscape Servers suite DOS"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1943-3>
-  active T
-  comment "WEB-MISC /Carello/add.exe access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1815-4>
-  active T
-  comment "WEB-PHP directory.php arbitrary command attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 2011-4>
-  active T
-  comment "MISC CVS invalid directory response"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/misc.rules
-</augment>
-
-<augment 1260-10>
-  active T
-  comment "WEB-MISC long basic authorization string"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1602-6>
-  active T
-  comment "WEB-CGI htsearch access"
-  comment "add sanity checking to sig to reduce noise"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-  <delete>
-	http /.*[\/\\]htsearch/
-  </delete>
-  http /.*[\/\\]htsearch\x3f.*\x3d[\x22\x60].*[\x22\x60].* /
-</augment>
-
-<augment 216-6>
-  active T
-  comment "BACKDOOR MISC Linux rootkit satori attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/backdoor.rules
-</augment>
-
-<augment 1891-8>
-  active T
-  comment "RPC status GHBN format string attack"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 1526-8>
-  active T
-  comment "WEB-MISC basilix sendmail.inc access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 2195-6>
-  active T
-  comment "WEB-CGI alert.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 2462-6>
-  active T
-  comment "EXPLOIT IGMP IGAP account overflow attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/exploit.rules
-</augment>
-
-<augment 1220-5>
-  active T
-  comment "WEB-MISC ultraboard access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1854-7>
-  active T
-  comment "DDOS Stacheldraht handler->agent niggahbitch"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/ddos.rules
-</augment>
-
-<augment 277-5>
-  active F
-  comment "DOS Real Server template.html"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/dos.rules
-</augment>
-
-<augment 469-3>
-  active F
-  comment "ICMP PING NMAP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/icmp.rules
-</augment>
-
-<augment 1532-7>
-  active T
-  comment "WEB-CGI bb-hostscv.sh attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 281-5>
-  active T
-  comment "DOS Ascend Route"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/dos.rules
-</augment>
-
-<augment 258-6>
-  active F
-  comment "DNS EXPLOIT named 8.2->8.2.1"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/dns.rules
-</augment>
-
-<augment 959-6>
-  active T
-  comment "WEB-FRONTPAGE service.pwd"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-frontpage.rules
-</augment>
-
-<augment 2559-2>
-  active T
-  comment "EXPLOIT Oracle Web Cache COPY overflow attempt"
-  comment pcre: /^COPY[^s]{432}/sm
-  payload /((^)|(\n+))COPY[^s]{432}/
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/exploit.rules
-  <delete>
-    payload /.*COPY/
-  </delete>
-</augment>
-
-<augment 2149-1>
-  active T
-  comment "WEB-PHP Turba status.php access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 2237-5>
-  active T
-  comment "WEB-MISC cgiWebupdate.exe access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1084-8>
-  active T
-  comment "WEB-MISC Allaire JRUN DOS attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 2073-3>
-  active T
-  comment "WEB-MISC globals.pl access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1374-5>
-  active T
-  comment "WEB-ATTACKS .htgroup access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  <delete>
-  	http /.*\.htgroup/
-  </delete>
-  http /.*\.htgroup[\x20\x09\x0b]*$/
-  snort-rule-file snort_rules/rules2.2/web-attacks.rules
-</augment>
-
-<augment 1128-5>
-  active T
-  comment "WEB-MISC cpshost.dll access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1122-5>
-  active T
-  comment "WEB-MISC /etc/passwd"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-  payload /.*\/[eE][tT][cC]\/[pP][aA][sS][sS][wW][dD].{1,}root:x:0:0/
-  <delete>
-  	payload /.*\/[eE][tT][cC]\/[pP][aA][sS][sS][wW][dD]/
-  </delete>
-</augment>
-
-<augment 1012-10>
-  active T
-  comment "WEB-IIS fpcount attempt"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 645-5>
-  active T
-  comment "SHELLCODE sparc NOOP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/shellcode.rules
-</augment>
-
-<augment 1398-10>
-  active T
-  comment "EXPLOIT CDE dtspcd exploit attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/exploit.rules
-</augment>
-
-<augment 2543-3>
-  active F
-  comment "SMTP TLS SSLv3 Server_Hello request"
-  requires-reverse-signature ! smtp_server_fail
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/smtp.rules
-</augment>
-
-<augment 2139-5>
-  active T
-  comment "WEB-MISC /*.shtml access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 229-5>
-  active T
-  comment "DDOS Stacheldraht client check skillz"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/ddos.rules
-</augment>
-
-<augment 373-6>
-  active F
-  comment "ICMP PING Flowpoint2200 or Network Management Software"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 969-5>
-  active T
-  comment "WEB-IIS WebDAV file lock attempt"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 1087-8>
-  active T
-  comment "WEB-MISC whisker tab splice attack"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 842-7>
-  active T
-  comment "WEB-CGI aglimpse access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 2146-3>
-  active T
-  comment "WEB-PHP TextPortal admin.php default password 12345 attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 1866-10>
-  active T
-  comment POP3 USER overflow attempt
-  comment "pcre: /^USER\s[^\n]{50,}/smi"
-  payload "/((^)|(\n+))[uU][sS][eE][rR][\x20\x09\x0b][^\n]{50,}/"
-  requires-reverse-signature ! pop_return_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/pop3.rules
-  <delete>
-    payload "/.*[uU][sS][eE][rR]/"
-  </delete>
-</augment>
-
-<augment 1906-8>
-  active T
-  comment "RPC AMD TCP amqproc_mount plog overflow attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 2175-5>
-  active T
-  comment "NETBIOS SMB winreg unicode access"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 1699-7>
-  active F
-  comment "P2P Fastrack kazaa/morpheus traffic"
-  comment "informational only"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/p2p.rules
-</augment>
-
-<augment 498-6>
-  active T
-  comment "ATTACK-RESPONSES id check returned root"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/attack-responses.rules
-</augment>
-
-<augment 976-10>
-  active T
-  comment "WEB-IIS .bat? access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 907-5>
-  active T
-  comment "WEB-COLDFUSION addcontent.cfm access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
-</augment>
-
-<augment 2177-4>
-  active T
-  comment "NETBIOS SMB startup folder unicode access"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 616-4>
-  active T
-  comment "SCAN ident version request"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/scan.rules
-</augment>
-
-<augment 2562-3>
-  active T
-  comment "WEB-MISC McAfee ePO file upload attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 183-4>
-  active F
-  comment "BACKDOOR SIGNATURE - Q ICMP"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/backdoor.rules
-</augment>
-
-<augment 1472-9>
-  active F
-  comment "WEB-CGI book.cgi access"
-  comment "informational only"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1393-12>
-  active T
-  comment "MISC AIM AddGame attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/misc.rules
-</augment>
-
-<augment 893-7>
-  active T
-  comment "WEB-CGI MachineInfo access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 115-5>
-  active T
-  comment "BACKDOOR netbus active"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/backdoor.rules
-</augment>
-
-<augment 2100-2>
-  active T
-  comment "BACKDOOR SubSeven 2.1 Gold server connection response"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/backdoor.rules
-</augment>
-
-<augment 450-8>
-  active F
-  comment "ICMP Time-To-Live Exceeded in Transit undefined code"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 2087-5>
-  active T
-  comment "Sendmail SMTP From comment overflow attempt"
-  requires-reverse-signature ! smtp_server_fail
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/smtp.rules
-  payload /.*From\x3A<><><><><><><><><><><><><><><><><><><><><><>.{1}\x28.{1}\x29/
-  <delete>
-  	payload /.*From\x3A.*.*<><><><><><><><><><><><><><><><><><><><><><>.{1}.*\x28.{1}.*\x29/
-  </delete>
-</augment>
-
-<augment 951-10>
-  active T
-  comment "WEB-FRONTPAGE authors.pwd access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-frontpage.rules
-</augment>
-
-<augment 1395-8>
-  active T
-  comment "WEB-CGI zml.cgi attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1198-7>
-  active T
-  comment "WEB-MISC Netscape Enterprise Server directory view"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1563-6>
-  active T
-  comment "WEB-MISC login.htm attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1290-10>
-  active F
-  comment "WEB-CLIENT readme.eml autoload attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-client.rules
-</augment>
-
-<augment 2549-1>
-  active T
-  comment "MISC HP Web JetAdmin file write attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/misc.rules
-</augment>
-
-<augment 1403-5>
-  active T
-  comment "WEB-MISC viewcode access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 966-9>
-  active T
-  comment "WEB-FRONTPAGE .... request"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-frontpage.rules
-</augment>
-
-<augment 843-7>
-  active T
-  comment "WEB-CGI anform2 access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1191-6>
-  active T
-  comment "WEB-MISC Netscape Enterprise Server directory view"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1413-10>
-  active T
-  comment "SNMP private access udp"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/snmp.rules
-</augment>
-
-<augment 1533-7>
-  active T
-  comment "WEB-CGI bb-hostscv.sh access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1092-7>
-  active T
-  comment "WEB-CGI Armada Style Master Index directory traversal"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 331-10>
-  active T
-  comment "FINGER cybercop query"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/finger.rules
-</augment>
-
-<augment 1577-4>
-  active T
-  comment "WEB-MISC Domino setup.nsf access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 2496-5>
-  active F
-  comment "NETBIOS SMB-DS DCEPRC ORPCThis request flood attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 471-3>
-  active T
-  comment "ICMP icmpenum v1.1.1"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/icmp.rules
-</augment>
-
-<augment 2120-3>
-  active T
-  comment IMAP create literal buffer overflow attempt
-  comment pcre: /\sCREATE\s[^\n]*?\s\{/smi
-  payload /((^)|(\n+))[\x20\x09\x0b][cC][rR][eE][aA][tT][eE][\x20\x09\x0b][^\n]*?\s\{/
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/imap.rules
-  <delete>
-    payload /.*[cC][rR][eE][aA][tT][eE]/
-  </delete>
-</augment>
-
-<augment 1436-4>
-  active F
-  comment "MULTIMEDIA Quicktime User Agent access"
-  comment "informational only, not exploit worthy"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/multimedia.rules
-</augment>
-
-<augment 302-6>
-  active T
-  comment "EXPLOIT Redhat 7.0 lprd overflow"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/exploit.rules
-</augment>
-
-<augment 1077-6>
-  active T
-  comment "WEB-MISC queryhit.htm access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 248-4>
-  active F
-  comment "DDOS mstream handler to client"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/ddos.rules
-</augment>
-
-<augment 1467-7>
-  active T
-  comment "WEB-CGI directorypro.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 867-9>
-  active T
-  comment "WEB-CGI visadmin.exe access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 2201-5>
-  active T
-  comment "WEB-CGI download.cgi access"
-  comment "add f=../ to sig for refinement"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-  http /.*[\/\\]download\.cgi.*f\x3d\x2e\x2e\x2f.* /
-  <delete>
-	http /.*[\/\\]download\.cgi/
-  </delete>
-</augment>
-
-<augment 1908-9>
-  active T
-  comment "RPC CMSD TCP CMSD_CREATE buffer overflow attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 1357-5>
-  active T
-  comment "WEB-ATTACKS nt admin addition attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-attacks.rules
-</augment>
-
-<augment 1175-10>
-  active T
-  comment "WEB-MISC wwwboard.pl access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1905-8>
-  active T
-  comment "RPC AMD UDP amqproc_mount plog overflow attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 1957-5>
-  active T
-  comment "RPC sadmind UDP PING"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 1495-6>
-  active T
-  comment "WEB-CGI SIX webboard generate.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1628-10>
-  active T
-  comment "WEB-CGI FormHandler.cgi directory traversal attempt attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1778-4>
-  active T
-  comment "FTP EXPLOIT STAT ? dos attempt"
-  requires-reverse-signature ! ftp_server_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/ftp.rules
-</augment>
-
-<augment 2266-4>
-  active T
-  comment SMTP SOML FROM sendmail prescan too long addresses overflow
-  comment pcre: /^SOML FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi
-  payload /((^)|(\n+))[sS][oO][mM][lL] [fF][rR][oO][mM]:[\x20\x09\x0b]+[a-zA-Z0-9_\x20\x09\x0b@\.]{0,200}\x3b[a-zA-Z0-9_\x20\x09\x0b@\.]{200,}\x3b[a-zA-Z0-9_\x20\x09\x0b@\.]{0,200}/
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/smtp.rules
-  <delete>
-    payload /.*[sS][oO][mM][lL] [fF][rR][oO][mM]\x3A/
-  </delete>
-</augment>
-
-<augment 1293-10>
-  active T
-  comment "NETBIOS nimda .eml"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 1446-6>
-  active T
-  comment SMTP vrfy root
-  comment pcre: /^vrfy\s+root/smi
-  payload /((^)|(\n+))[vV][rR][fF][yY][\x20\x09\x0b]+[rR][oO][oO][tT]/
-  sigaction SIG_FILE
-  requires-reverse-signature ! smtp_server_fail
-  snort-rule-file snort_rules/rules2.2/smtp.rules
-  <delete>
-    payload /.*[vV][rR][fF][yY].{1}.*[rR][oO][oO][tT]/
-  </delete>
-</augment>
-
-<augment 2384-8>
-  active T
-  comment "NETBIOS SMB NTLMSSP invalid mechlistMIC attempt"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 1119-7>
-  active T
-  comment "WEB-MISC mlog.phtml access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 2178-13>
-  active T
-  comment FTP USER format string attempt
-  comment pcre: /^USER\s[^\n]*?%[^\n]*?%/smi
-  ftp /((^)|(\n+))[uU][sS][eE][rR][\x20\x09\x0b][^\n]*?%[^\n]*?%/
-  requires-reverse-signature ! ftp_server_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/ftp.rules
-  <delete>
-    payload /.*[uU][sS][eE][rR]/
-  </delete>
-</augment>
-
-<augment 854-7>
-  active T
-  comment "WEB-CGI classifieds.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 2220-6>
-  active T
-  comment "WEB-CGI simplestmail.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 931-6>
-  active T
-  comment "WEB-COLDFUSION cfmlsyntaxcheck.cfm access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
-</augment>
-
-<augment 1806-7>
-  active T
-  comment "WEB-IIS .htr chunked Transfer-Encoding"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 2492-5>
-  active F
-  comment "NETBIOS SMB DCERPC ISystemActivator bind attempt"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 1715-4>
-  active T
-  comment "WEB-CGI register.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  http /.*[\/\\]register\.cgi/
-  payload /SEND_MAIL/
-  <delete>
-  	http /.*[\/\\]register\.cgi/
-  </delete>
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-  comment "Informational only"
-</augment>
-
-<augment 2574-1>
-  active T
-  comment "FTP RETR format string attempt"
-  comment pcre: /^RETR\s[^\n]*?%[^\n]*?%/smi
-  ftp /((^)|(\n+))[rR][eE][tT][rR][\x20\x09\x0b][^\n]*?%[^\n]*?%/
-  requires-reverse-signature ! ftp_server_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/ftp.rules
-  <delete>
-    payload /.*[rR][eE][tT][rR]/
-  </delete>
-</augment>
-
-<augment 661-6>
-  active T
-  comment "SMTP majordomo ifs"
-  requires-reverse-signature ! smtp_server_fail
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/smtp.rules
-</augment>
-
-<augment 840-7>
-  active T
-  comment "WEB-CGI perlshop.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 2209-5>
-  active T
-  comment "WEB-CGI getdoc.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  <delete>
-  	http /.*[\/\\]getdoc\.cgi/
-  </delete>
-  http /.*[\/\\]getdoc\.cgi\?.*form-attachment.*command/
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1289-4>
-  active T
-  comment "TFTP GET Admin.dll"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/tftp.rules
-</augment>
-
-<augment 607-5>
-  active T
-  comment "RSERVICES rsh bin"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/rservices.rules
-</augment>
-
-<augment 679-6>
-  active T
-  comment "MS-SQL/SMB sp_adduser database user creation"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/sql.rules
-</augment>
-
-<augment 2326-3>
-  active T
-  comment "WEB-IIS sgdynamo.exe access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 1702-5>
-  active F
-  comment "WEB-CGI Amaya templates sendtemp.pl access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 915-5>
-  active T
-  comment "WEB-COLDFUSION evaluate.cfm access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
-</augment>
-
-<augment 2033-8>
-  active T
-  comment "RPC ypserv maplist request UDP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 835-9>
-  active T
-  comment "WEB-CGI test-cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1333-6>
-  active T
-  comment WEB-ATTACKS id command attempt
-  http /.*;[iI][dD]([;|\x20\x09\x0b]|$)./
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-attacks.rules
-  <delete>
-    payload /.*\x3B[iI][dD]/
-  </delete>
-</augment>
-
-<augment 826-7>
-  active T
-  comment "WEB-CGI htmlscript access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 159-6>
-  active T
-  comment "BACKDOOR NetMetro File List"
-  dst-ip == local_nets
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/backdoor.rules
-</augment>
-
-<augment 1015-6>
-  active T
-  comment "WEB-IIS getdrvs.exe access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 1173-5>
-  active T
-  comment "WEB-MISC architext_query.pl access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1104-9>
-  active T
-  comment "WEB-MISC whisker space splice attack"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-
-<augment 353-6>
-  active T
-  comment "FTP adm scan"
-  requires-reverse-signature ! ftp_server_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/ftp.rules
-</augment>
-
-<augment 1712-4>
-  active T
-  comment "WEB-CGI bslist.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 362-12>
-  active T
-  comment "FTP tar parameters"
-  requires-reverse-signature ! ftp_server_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/ftp.rules
-</augment>
-
-<augment 990-6>
-  active T
-  comment "WEB-IIS _vti_inf access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 1668-6>
-  active T
-  comment "WEB-CGI /cgi-bin/ access"
-  comment "under most conditions the root of cgi-bin should never return a list or valid document"
-  comment "tune for site specific"
-  http /.*[\/\\]cgi-bin[\/\\]$/
-  requires-reverse-signature ! http_error
-  <delete>
-  	http /.*[\/\\]cgi-bin[\/\\]/
-  	payload /.*\/[cC][gG][iI]-[bB][iI][nN]\/ [hH][tT][tT][pP]/
-  </delete>
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 2150-7>
-  active T
-  comment "WEB-PHP ttCMS header.php remote file include attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 2468-3>
-  active T
-  comment "NETBIOS SMB-DS D$ share access"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 2013-2>
-  active T
-  comment "MISC CVS invalid module response"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/misc.rules
-</augment>
-
-<augment 665-5>
-  active T
-  comment "SMTP sendmail 5.6.5 exploit"
-  requires-reverse-signature ! smtp_server_fail
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/smtp.rules
-</augment>
-
-<augment 1550-10>
-  active T
-  comment SMTP ETRN overflow attempt
-  comment pcre: /^ETRN\s[^\n]{500}/smi
-  payload /((^)|(\n+))[eE][tT][rR][nN]][\x20\x09\x0b][^\n]{500}/
-  sigaction SIG_LOG
-  requires-reverse-signature ! smtp_server_fail
-  snort-rule-file snort_rules/rules2.2/smtp.rules
-  <delete>
-    payload /.*ETRN/
-  </delete>
-</augment>
-
-<augment 1428-5>
-  active T
-  comment "MULTIMEDIA audio galaxy keepalive"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/multimedia.rules
-</augment>
-
-<augment 2260-5>
-  active T
-  comment SMTP VRFY overflow attempt
-  comment pcre: /^VRFY[^\n]{255,}/smi
-  payload /((^)|(\n+))[vV][rR][fF][yY][^\n]{255,}/
-  requires-reverse-signature ! smtp_server_fail
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/smtp.rules
-  <delete>
-    payload /.*[vV][rR][fF][yY]/
-  </delete>
-</augment>
-
-<augment 1024-8>
-  active T
-  comment "WEB-IIS newdsn.exe access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 2252-11>
-  active T
-  comment "NETBIOS SMB-DS DCERPC Remote Activation bind attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 848-9>
-  active T
-  comment "WEB-CGI view-source directory traversal"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 2296-4>
-  active T
-  comment "WEB-PHP Advanced Poll admin_stats.php access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 1335-5>
-  active T
-  comment "WEB-ATTACKS kill command attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-attacks.rules
-</augment>
-
-<augment 2488-4>
-  active T
-  comment "SMTP WinZip MIME content-disposition buffer overflow"
-  comment pcre: /name=[^\r\n]*?\.(mim|uue|uu|b64|bhx|hqx|xxe)/smi
-  comment pcre: /name=s*[^\r\n\x3b\s\x2c]{300}/smi
-  payload /[nN][aA][mM][eE]=[^\r\n]*?\.(([mM][iI]]mM])|([uU]{2}[eE])|([uU]{2})|([bB]64)|([bB][hH][xX])|([hH][qQ][xX])|([xX]{2}[eE]))/
-  payload /[nN][aA][mM][eE]=s*[^\r\n\x3b\x20\x09\x0b\x2c]{300}/
-  requires-reverse-signature ! smtp_server_fail
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/smtp.rules
-</augment>
-
-<augment 1660-4>
-  active T
-  comment "WEB-IIS trace.axd access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 2018-4>
-  active T
-  comment "RPC mountd TCP dump request"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 1985-1>
-  active F
-  comment "BACKDOOR Doly 1.5 server response"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/backdoor.rules
-</augment>
-
-<augment 1308-5>
-  active T
-  comment "WEB-CGI sendmessage.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1323-6>
-  active F
-  comment "EXPLOIT rwhoisd format string attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/exploit.rules
-</augment>
-
-<augment 1901-10>
-  active T
-  comment "ATTACK-RESPONSES successful kadmind buffer overflow attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/attack-responses.rules
-</augment>
-
-<augment 2070-2>
-  active T
-  comment "WEB-MISC post32.exe arbitrary command attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1164-10>
-  active T
-  comment "WEB-MISC shopping cart access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 706-7>
-  active T
-  comment "MS-SQL xp_peekqueue possible buffer overflow"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/sql.rules
-</augment>
-
-<augment 392-5>
-  active F
-  comment "ICMP Datagram Conversion Error"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 1384-8>
-  active T
-  comment "MISC UPnP malformed advertisement"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/misc.rules
-</augment>
-
-<augment 823-6>
-  active F
-  comment "WEB-CGI cvsweb.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-  comment "informational only"
-</augment>
-
-<augment 1156-6>
-  active T
-  comment "WEB-MISC apache DOS attempt"
-  requires-signature ! http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1742-5>
-  active T
-  comment "WEB-PHP Blahz-DNS dostuff.php modify user attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 155-5>
-  active T
-  comment "BACKDOOR NetSphere 1.31.337 access"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/backdoor.rules
-</augment>
-
-<augment 1217-7>
-  active T
-  comment "WEB-MISC plusmail access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1969-3>
-  active T
-  comment "WEB-MISC ion-p remote file access"
-  dst-ip == local_nets
-  http /.*[\/\\]ion-p\?.*(c:\\|\.\.\/)/
-  requires-reverse-signature ! http_error
-  <delete>
-  	http /.*[\/\\]ion-p/
-  </delete>
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 2176-4>
-  active T
-  comment "NETBIOS SMB startup folder access"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 1438-6>
-  active F
-  comment "MULTIMEDIA Windows Media Video download"
-  comment "informational only"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/multimedia.rules
-</augment>
-
-<augment 988-7>
-  active T
-  comment "WEB-IIS SAM Attempt"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 2541-5>
-  active F
-  comment "SMTP TLS SSLv3 invalid data version attempt"
-  requires-reverse-signature ! smtp_server_fail
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/smtp.rules
-</augment>
-
-<augment 983-9>
-  active T
-  comment "WEB-IIS unicode directory traversal attempt"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 1950-5>
-  active T
-  comment "RPC portmap SET attempt UDP 111"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 1130-5>
-  active T
-  comment "WEB-MISC .wwwacl access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1434-5>
-  active T
-  comment "WEB-MISC .bash_history access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 864-7>
-  active T
-  comment "WEB-CGI day5datanotifier.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1118-5>
-  active T
-  comment "WEB-MISC ls%20-l"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 2256-3>
-  active T
-  comment "RPC sadmind query with root credentials attempt UDP"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 2239-3>
-  active T
-  comment "WEB-MISC redirect.exe access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 2570-6>
-  active T
-  comment "WEB-MISC Invalid HTTP Version String"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 2542-3>
-  active F
-  comment "SMTP TLS SSLv3 Client_Hello request"
-  requires-reverse-signature ! smtp_server_fail
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/smtp.rules
-</augment>
-
-<augment 895-7>
-  active F
-  comment "WEB-CGI redirect access"
-  comment "sig too general for general use"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 654-13>
-  active T
-  comment SMTP RCPT TO overflow
-  comment pcre: /^RCPT TO\s[^\n]{300}/ism
-  payload /((^)|(\n+))[rR][cC][pP][tT] [tT][oO][\x20\x09\x0b][^\n]{300}/
-  sigaction SIG_LOG
-  requires-reverse-signature ! smtp_server_fail
-  snort-rule-file snort_rules/rules2.2/smtp.rules
-</augment>
-
-<augment 2435-2>
-  active F
-  comment "WEB-CLIENT Microsoft emf metafile access"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-client.rules
-  comment "Informational only"
-</augment>
-
-<augment 1516-10>
-  active T
-  comment "WEB-CGI envout.bat arbitrary command execution attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 260-9>
-  active T
-  comment "DNS EXPLOIT named overflow ADMROCKS"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/dns.rules
-</augment>
-
-<augment 2455-3>
-  active F
-  comment "CHAT Yahoo IM conference message"
-  comment "informational only"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/chat.rules
-</augment>
-
-<augment 312-6>
-  active F
-  comment "EXPLOIT ntpdx overflow attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/exploit.rules
-  comment "Too general"
-  comment "Better handled by the ntp.bro policy"
-</augment>
-
-<augment 1199-11>
-  active T
-  comment "WEB-MISC Compaq Insight directory traversal"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 2327-2>
-  active T
-  comment "WEB-MISC bsml.pl access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 2259-5>
-  active T
-  comment SMTP EXPN overflow attempt
-  comment "pcre: /^EXPN[^\n]{255,}/smi"
-  payload "/((^)|(\n+))[eE][xX][pP][nN][^\n]{255,}/"
-  requires-reverse-signature ! smtp_server_fail
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/smtp.rules
-  <delete>
-    payload "/.*[eE][xX][pP][nN]/"
-  </delete>
-</augment>
-
-<augment 2280-2>
-  active T
-  comment "WEB-PHP Title.php access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 2106-7>
-  active T
-  comment IMAP lsub overflow attempt
-  comment "pcre: /\sLSUB\s[^\n]{100}/smi"
-  payload "/((^)|(\n+))[\x20\x09\x0b][lL][sS][uU][bB][\x20\x09\x0b][^\n]{100}/"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/imap.rules
-  <delete>
-    payload "/.*LSUB/"
-  </delete>
-</augment>
-
-<augment 646-5>
-  active T
-  comment "SHELLCODE sparc NOOP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/shellcode.rules
-</augment>
-
-<augment 1141-10>
-  active F
-  comment "WEB-MISC handler access"
-  comment "Disabled because it is too general"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1273-10>
-  active T
-  comment "RPC portmap selection_svc request TCP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 1451-6>
-  active T
-  comment "WEB-CGI NPH-publish access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1701-4>
-  active T
-  comment "WEB-CGI calendar-admin.pl access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1716-6>
-  active T
-  dst-ip == local_nets
-  payload /_MAILTO.*\;/
-  comment "WEB-CGI gbook.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1149-12>
-  active F
-  comment "WEB-CGI count.cgi access"
-  comment "circa '97, remove rule as too general"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 593-18>
-  active T
-  comment "RPC portmap snmpXdmi request TCP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 407-7>
-  active F
-  comment "ICMP Destination Unreachable cndefined code"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 1812-5>
-  active T
-  comment "EXPLOIT gobbles SSH exploit attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/exploit.rules
-</augment>
-
-<augment 2002-4>
-  active T
-  comment "WEB-PHP remote include path"
-  comment "add better rule"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-  <delete>
-	http /.*\.php/
-  </delete>
-  http /.*\.php.*[pP][aA][tT][hH]\x3d(http|https|ftp)\x2fi/
-</augment>
-
-<augment 1423-12>
-  active T
-  comment "WEB-PHP content-disposition memchr overflow"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 2525-6>
-  active F
-  comment "NETBIOS SMB DCERPC LSASS direct bind attempt"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 672-6>
-  active T
-  comment SMTP vrfy decode
-  comment "pcre: /^vrfy\s+decode/smi"
-  payload "/((^)|(\n+))[vV][rR][fF][yY][\x20\x09\x0b]+[dD][eE][cC][oO][dD][eE]/"
-  requires-reverse-signature ! smtp_server_fail
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/smtp.rules
-  <delete>
-    payload "/.*[vV][rR][fF][yY].{1}.*[dD][eE][cC][oO][dD][eE]/"
-  </delete>
-</augment>
-
-<augment 1624-5>
-  active T
-  comment "FTP large PWD command"
-  requires-reverse-signature ! ftp_server_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/ftp.rules
-</augment>
-
-<augment 2204-6>
-  active T
-  comment "WEB-CGI ezadmin.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 301-7>
-  active T
-  comment "EXPLOIT LPRng overflow"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/exploit.rules
-</augment>
-
-<augment 2292-4>
-  active T
-  comment "WEB-PHP Advanced Poll admin_logout.php access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 2179-4>
-  active T
-  comment FTP PASS format string attempt
-  comment "pcre: /^PASS\s[^\n]*?%[^\n]*?%/smi"
-  ftp "/((^)|(\n+))[pP][aA][sS][sS]\x20\x09\x0b][^\n]*?%[^\n]*?%/"
-  requires-reverse-signature ! ftp_server_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/ftp.rules
-  <delete>
-    payload "/.*[pP][aA][sS][sS]/"
-  </delete>
-</augment>
-
-<augment 630-5>
-  active T
-  comment "SCAN synscan portscan"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/scan.rules
-</augment>
-
-<augment 147-5>
-  active T
-  comment "BACKDOOR GateCrasher"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/backdoor.rules
-</augment>
-
-<augment 304-9>
-  active F
-  comment "EXPLOIT SCO calserver overflow"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/exploit.rules
-</augment>
-
-<augment 2214-6>
-  active T
-  comment "WEB-CGI mailview.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1727-7>
-  active T
-  comment "WEB-CGI SGI InfoSearch fname access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1641-5>
-  active T
-  comment "DOS DB2 dos attempt"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/dos.rules
-</augment>
-
-<augment 1924-6>
-  active T
-  comment "RPC mountd UDP export request"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 1245-10>
-  active T
-  comment "WEB-IIS ISAPI .idq access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 2221-6>
-  active T
-  comment "WEB-CGI ws_mail.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 2507-6>
-  active F
-  comment "NETBIOS DCERPC LSASS bind attempt"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 1340-5>
-  active T
-  comment "WEB-ATTACKS tftp command attempt"
-  requires-reverse-signature ! http_error
-  requires-signature ! http_cool_dll
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-attacks.rules
-</augment>
-
-<augment 1476-5>
-  active T
-  comment "WEB-CGI sdbsearch.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 2193-9>
-  active T
-  comment "NETBIOS SMB-DS DCERPC ISystemActivator bind attempt"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 1869-5>
-  active T
-  comment "WEB-CGI story.pl access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1165-9>
-  active T
-  comment "WEB-MISC Novell Groupwise gwweb.exe access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 2215-6>
-  active T
-  comment "WEB-CGI nsManager.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 2267-4>
-  active T
-  comment SMTP MAIL FROM sendmail prescan too many addresses overflow
-  comment "pcre: /^MAIL FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*? ..."
-  payload "/((^)|(\n+))[mM][aA][iI][lL] [fF][rR][oO][mM]\x3a\x20*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</"
-  requires-reverse-signature ! smtp_server_fail
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/smtp.rules
-  <delete>
-    payload /.*[mM][aA][iI][lL] [fF][rR][oO][mM]\x3A/
-  </delete>
-</augment>
-
-<augment 2255-3>
-  active T
-  comment "RPC sadmind query with root credentials attempt TCP"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 703-7>
-  active F
-  comment "MS-SQL/SMB xp_setsqlsecurity possible buffer overflow"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/sql.rules
-</augment>
-
-<augment 1211-6>
-  active T
-  comment "WEB-CGI web-map.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 2465-3>
-  active T
-  comment "NETBIOS SMB-DS IPC$ share access"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 1160-11>
-  active T
-  comment "WEB-MISC Netscape dir index wp"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1082-8>
-  active F
-  comment "WEB-MISC amazon 1-click cookie theft"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 909-6>
-  active T
-  comment "WEB-COLDFUSION datasource username attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
-</augment>
-
-<augment 1155-5>
-  active T
-  comment "WEB-MISC Ecommerce checks.txt access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 2287-4>
-  active T
-  comment "WEB-PHP Advanced Poll admin_comment.php access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 927-7>
-  active T
-  comment "WEB-COLDFUSION settings refresh attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
-</augment>
-
-<augment 378-7>
-  active F
-  comment "ICMP PING Ping-O-MeterWindows"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 2544-3>
-  active F
-  comment "SMTP TLS SSLv3 invalid Client_Hello attempt"
-  requires-reverse-signature ! smtp_server_fail
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/smtp.rules
-</augment>
-
-<augment 1842-9>
-  active T
-  comment IMAP login buffer overflow attempt
-  comment "pcre: /\sLOGIN\s[^\n]{100}/smi"
-  payload "/((^)|(\n+))[\x20\x09\x0b]LOGIN[\x20\x09\x0b][^\n]{100}/"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/imap.rules
-  <delete>
-    payload "/.*LOGIN/"
-  </delete>
-</augment>
-
-<augment 932-7>
-  active T
-  comment "WEB-COLDFUSION application.cfm access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
-</augment>
-
-<augment 499-4>
-  active F
-  comment "ICMP Large ICMP Packet"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/icmp.rules
-</augment>
-
-<augment 838-9>
-  active T
-  comment "WEB-CGI webgais access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 2448-2>
-  active T
-  comment "WEB-MISC setinfo.hts access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 465-3>
-  active T
-  comment "ICMP ISS Pinger"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/icmp.rules
-</augment>
-
-<augment 674-6>
-  active T
-  comment "MS-SQL xp_displayparamstmt possible buffer overflow"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/sql.rules
-</augment>
-
-<augment 590-12>
-  active T
-  comment "RPC portmap ypserv request UDP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 1787-7>
-  active T
-  comment "WEB-CGI csPassword.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1244-10>
-  active T
-  comment "WEB-IIS ISAPI .idq attempt"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 971-7>
-  active T
-  comment "WEB-IIS ISAPI .printer access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 1662-5>
-  active T
-  comment "WEB-MISC /~ftp access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1054-7>
-  active T
-  comment WEB-MISC weblogic/tomcat .jsp view source attempt
-  comment "pcre: /^\w+\s+[^\n\s\?]*\.jsp/smi"
-  http "/((^)|(\n+))[a-zA-Z0-9_]+[\x20\x09\x0b]+[^\n\x20\x09\x0b\?]*\.[jJ][sS][pP]/"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-  <delete>
-    http "/.*\.jsp/"
-  </delete>
-</augment>
-
-<augment 1737-6>
-  active T
-  comment "WEB-PHP squirrel mail theme arbitrary command attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 1892-6>
-  active T
-  comment "SNMP null community string attempt"
-  requires-reverse-signature snmp_userver_ok_return
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/snmp.rules
-</augment>
-
-<augment 2269-4>
-  active T
-  comment SMTP RCPT TO sendmail prescan too many addresses overflow
-  comment "pcre: /^RCPT TO\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<"
-  payload "/((^)|(\n+))[rR][cC][pP][tT] [tT][oO]\x3a\x20*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</"
-  requires-reverse-signature ! smtp_server_fail
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/smtp.rules
-  <delete>
-    payload /.*[rR][cC][pP][tT] [tT][oO]\x3A/
-  </delete>
-</augment>
-
-<augment 1679-4>
-  active F
-  comment "ORACLE describe attempt"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/oracle.rules
-</augment>
-
-<augment 259-7>
-  active T
-  comment "DNS EXPLOIT named overflow ADM"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/dns.rules
-</augment>
-
-<augment 415-5>
-  active F
-  comment "ICMP Information Reply"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 2045-8>
-  active T
-  comment "RPC snmpXdmi overflow attempt UDP"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 2133-5>
-  active T
-  comment "WEB-IIS MS BizTalk server access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 2339-2>
-  active T
-  comment "TFTP NULL command attempt"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/tftp.rules
-</augment>
-
-<augment 1819-5>
-  active T
-  comment "MISC Alcatel PABX 4400 connection attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/misc.rules
-</augment>
-
-<augment 1479-8>
-  active T
-  comment "WEB-CGI ttawebtop.cgi arbitrary file attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 995-10>
-  active T
-  comment "WEB-IIS ism.dll access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 1159-10>
-  active T
-  comment "WEB-MISC webplus access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 427-6>
-  active F
-  comment "ICMP Parameter Problem Unspecified Error"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 2091-8>
-  active T
-  comment "WEB-IIS WEBDAV nessus safe scan attempt"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 1604-6>
-  active F
-  comment "WEB-MISC iChat directory traversal attempt"
-  comment "too general"
-  comment "old signature from 1999"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 381-6>
-  active F
-  comment "ICMP PING Sun Solaris"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 1117-6>
-  active T
-  comment "WEB-MISC Lotus EditDoc attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1176-5>
-  active T
-  comment "WEB-MISC order.log access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 677-6>
-  active T
-  comment "MS-SQL/SMB sp_password password change"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/sql.rules
-</augment>
-
-<augment 871-7>
-  active T
-  comment "WEB-CGI survey.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 2489-2>
-  active T
-  comment "EXPLOIT esignal STREAMQUOTE buffer overflow attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/exploit.rules
-</augment>
-
-<augment 1030-7>
-  active T
-  comment "WEB-IIS search97.vts access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 2539-3>
-  active F
-  comment "SMTP SSLv3 Server_Hello request"
-  requires-reverse-signature ! smtp_server_fail
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/smtp.rules
-</augment>
-
-<augment 1408-8>
-  active T
-  comment "DOS MSDTC attempt"
-  comment "change payload-size == 1024"
-  payload-size "== 1024"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/dos.rules
-</augment>
-
-<augment 1638-5>
-  active T
-  comment "SCAN SSH Version map attempt"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/scan.rules
-</augment>
-
-<augment 1133-11>
-  active T
-  comment "SCAN cybercop os probe"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/scan.rules
-</augment>
-
-<augment 2057-5>
-  active T
-  comment "WEB-MISC helpout.exe access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1988-3>
-  active F
-  comment "CHAT MSN file transfer accept"
-  comment "informational only"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/chat.rules
-</augment>
-
-<augment 1625-5>
-  active F
-  comment "FTP large SYST command"
-  comment Too many false positives for normal FTP traffic
-  requires-reverse-signature ! ftp_server_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/ftp.rules
-</augment>
-
-<augment 417-5>
-  active F
-  comment "ICMP Information Request"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 1562-11>
-  active T
-  comment FTP SITE CHOWN overflow attempt
-  comment pcre: /^SITE\s+CHOWN\s[^\n]{100}/smi
-  eval dataSizeG100
-  ftp /((^)|(\n+))[sS][iI][tT][eE][\x20\x09\x0b]+[cC][hH][oO][wW][nN][\x20\x09\x0b][^\n]{100}/
-  requires-reverse-signature ! ftp_server_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/ftp.rules
-  <delete>
-    payload /.*[sS][iI][tT][eE].*.*[cC][hH][oO][wW][nN]/
-  </delete>
-</augment>
-
-<augment 1131-5>
-  active T
-  comment "WEB-MISC .wwwacl access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 2479-3>
-  active F
-  comment "NETBIOS SMB-DS DCERPC bind winreg unicode attempt"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 1849-7>
-  active T
-  comment "WEB-MISC webfind.exe access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 402-7>
-  active F
-  comment "ICMP Destination Unreachable Port Unreachable"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 1188-6>
-  active T
-  comment "WEB-MISC Netscape Enterprise Server directory view"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 250-4>
-  active T
-  comment "DDOS mstream handler to client"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/ddos.rules
-</augment>
-
-<augment 652-9>
-  active T
-  comment "SHELLCODE Linux shellcode"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/shellcode.rules
-</augment>
-
-<augment 1345-5>
-  active T
-  comment "WEB-ATTACKS /usr/bin/cpp command attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-attacks.rules
-</augment>
-
-<augment 1218-5>
-  active T
-  comment "WEB-MISC adminlogin access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 627-7>
-  active T
-  comment "SCAN cybercop os SFU12 probe"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/scan.rules
-</augment>
-
-<augment 1235-8>
-  active T
-  comment "WEB-MISC VirusWall FtpSaveCVP access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1580-4>
-  active T
-  comment "WEB-MISC Domino events4.nsf access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1711-4>
-  active T
-  comment "WEB-CGI bsguest.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1009-4>
-  active T
-  comment "WEB-IIS directory listing"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 1544-5>
-  active T
-  comment "WEB-MISC Cisco Catalyst command execution attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1915-9>
-  active T
-  comment "RPC STATD UDP monitor mon_name format string exploit attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 2272-4>
-  active T
-  comment FTP LIST integer overflow attempt
-  comment "pcre: /^LIST\s+\x22-W\s+\d+/smi"
-  ftp "/((^)|(\n+))[lL][iI][sS][tT][\x20\x09\x0b]+\x22-W[\x20\x09\x0b]+[0-9]+/"
-  requires-reverse-signature ! ftp_server_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/ftp.rules
-  <delete>
-    payload "/.*[lL][iI][sS][tT]/"
-  </delete>
-</augment>
-
-<augment 1948-4>
-  active T
-  comment "DNS zone transfer UDP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/dns.rules
-</augment>
-
-<augment 103-7>
-  active T
-  comment "BACKDOOR subseven 22"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/backdoor.rules
-</augment>
-
-<augment 663-13>
-  active T
-  comment SMTP rcpt to command attempt
-  comment "pcre: /^rcpt\s+to\:\s+[|\x3b]/smi"
-  payload "/((^)|(\n+))[rR][cC][pP][tT][\x20\x09\x0b][tT][oO]:[\x20\x09\x0b]+[|\x3b]/"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/smtp.rules
-  <delete>
-    payload /.*[rR][cC][pP][tT] [tT][oO]\x3A/
-  </delete>
-</augment>
-
-<augment 1959-7>
-  active T
-  comment "RPC portmap NFS request UDP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 2317-4>
-  active T
-  comment "MISC CVS non-relative path error response"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/misc.rules
-</augment>
-
-<augment 1140-11>
-  active T
-  comment "WEB-MISC guestbook.pl access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1718-4>
-  active T
-  comment "WEB-CGI statusconfig.pl access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 462-7>
-  active F
-  comment "ICMP unassigned type 7"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 436-6>
-  active F
-  comment "ICMP Redirect for TOS and Host"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 579-8>
-  active T
-  comment "RPC portmap mountd request UDP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 900-11>
-  active F
-  comment "WEB-CGI webspirs.cgi directory traversal attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 287-6>
-  active T
-  comment "POP3 EXPLOIT x86 BSD overflow"
-  requires-reverse-signature ! pop_return_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/pop3.rules
-</augment>
-
-<augment 1992-5>
-  active T
-  comment "FTP LIST directory traversal attempt"
-  requires-reverse-signature ! ftp_server_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/ftp.rules
-</augment>
-
-<augment 1404-5>
-  active F
-  comment "WEB-MISC showcode access"
-  comment "duplicate of 1037"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 575-8>
-  active T
-  comment "RPC portmap admind request UDP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 502-2>
-  active T
-  comment "MISC source route ssrr"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/misc.rules
-</augment>
-
-<augment 1574-7>
-  active T
-  comment "WEB-CGI directorypro.cgi attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1258-10>
-  active T
-  comment "WEB-MISC HP OpenView Manager DOS"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1827-7>
-  active T
-  comment "WEB-MISC Tomcat servlet mapping cross site scripting attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1008-7>
-  active T
-  comment "WEB-IIS del attempt"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 2208-5>
-  active T
-  comment "WEB-CGI fom.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 2007-10>
-  active T
-  comment "RPC kcms_server directory traversal attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 1174-8>
-  active T
-  comment "WEB-CGI /cgi-bin/jj access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 2412-3>
-  active T
-  comment "ATTACK-RESPONSES successful cross site scripting forced download attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/attack-responses.rules
-</augment>
-
-<augment 2366-4>
-  active T
-  comment "WEB-PHP PhpGedView PGV authentication_index.php base directory manipulation attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 886-11>
-  active F
-  comment "WEB-CGI phf access"
-  comment "too general a sig, attack circa '99"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1921-5>
-  active T
-  comment FTP SITE ZIPCHK overflow attempt
-  comment pcre: /^SITE\s+ZIPCHK\s[^\n]{100}/smi
-  eval dataSizeG100
-  ftp /((^)|(\n+))[sS][iI][tT][eE][\x20\x09\x0b]+[zZ][iI][pP][cC][hH][kK][\x20\x09\x0b][^\n]{100}/
-  requires-reverse-signature ! ftp_server_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/ftp.rules
-  <delete>
-    payload /.*[sS][iI][tT][eE].{1}.*[zZ][iI][pP][cC][hH][kK]/
-  </delete>
-</augment>
-
-<augment 1488-8>
-  active T
-  dst-ip == local_nets
-  comment "WEB-CGI store.cgi directory traversal attempt"
-  comment "verify application is not vulnerable"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1150-6>
-  active T
-  comment "WEB-MISC Domino catalog.nsf access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 541-9>
-  active F
-  comment "CHAT ICQ access"
-  comment "informational only, not exploit worthy"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/chat.rules
-</augment>
-
-<augment 2388-4>
-  active T
-  comment "WEB-CGI streaming server view_broadcast.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 702-8>
-  active T
-  comment "MS-SQL/SMB xp_displayparamstmt possible buffer overflow"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/sql.rules
-</augment>
-
-<augment 2202-6>
-  active T
-  comment "WEB-CGI edit_action.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 972-8>
-  active F
-  comment "WEB-IIS %2E-asp access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 584-11>
-  active T
-  comment "RPC portmap rusers request UDP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 2315-6>
-  active T
-  comment "NETBIOS DCERPC Workstation Service direct service bind attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 1877-5>
-  active T
-  comment "WEB-CGI printenv access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-  http /.*\/cgi-bin[^\/]*\/printenv/
-  comment "Informational only"
-  <delete>
-  	http /.*[\/\\]printenv/
-  </delete>
-</augment>
-
-<augment 1013-9>
-  active T
-  comment "WEB-IIS fpcount access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 518-6>
-  active T
-  comment "TFTP Put"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/tftp.rules
-</augment>
-
-<augment 860-8>
-  active T
-  comment "WEB-CGI snork.bat access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1999-4>
-  active T
-  comment "WEB-PHP edit_image.php access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 453-5>
-  active F
-  comment "ICMP Timestamp Request"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 669-8>
-  active F
-  comment "SMTP sendmail 8.6.9 exploit"
-  requires-reverse-signature ! smtp_server_fail
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/smtp.rules
-</augment>
-
-<augment 1020-10>
-  active T
-  comment "WEB-IIS isc$data attempt"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 2352-7>
-  active F
-  comment "NETBIOS DCERPC ISystemActivator path overflow attempt big endian"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 208-5>
-  active T
-  comment "BACKDOOR PhaseZero Server Active on Network"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/backdoor.rules
-</augment>
-
-<augment 1824-6>
-  active F
-  dst-ip == local_nets
-  comment "WEB-CGI alienform.cgi access"
-  comment "informational only"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 574-8>
-  active T
-  comment "RPC mountd TCP export request"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 1427-4>
-  active T
-  comment "SNMP PROTOS test-suite-trap-app attempt"
-  requires-reverse-signature snmp_userver_ok_return
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/snmp.rules
-</augment>
-
-<augment 1098-8>
-  active T
-  comment "WEB-MISC SmartWin CyberOffice Shopping Cart access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 2159-8>
-  active T
-  comment "MISC BGP invalid type 0"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/misc.rules
-</augment>
-
-<augment 807-11>
-  active F
-  comment "WEB-CGI /wwwboard/passwd.txt access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1961-7>
-  active T
-  comment "RPC portmap RQUOTA request UDP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 552-7>
-  active F
-  comment "P2P napster upload request"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/p2p.rules
-</augment>
-
-<augment 1022-8>
-  active T
-  comment "WEB-IIS jet vba access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 863-7>
-  active T
-  comment "WEB-CGI day5datacopier.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 2054-4>
-  active T
-  comment "WEB-CGI enter_bug.cgi arbitrary command attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 2450-3>
-  active F
-  comment "CHAT Yahoo IM successful logon"
-  comment "informational only"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/chat.rules
-</augment>
-
-<augment 1120-8>
-  active T
-  comment "WEB-MISC mylog.phtml access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 710-7>
-  active T
-  comment "TELNET EZsetup account attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/telnet.rules
-</augment>
-
-<augment 416-7>
-  active F
-  comment "ICMP Information Reply undefined code"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 875-9>
-  active T
-  comment "WEB-CGI win-c-sample.exe access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1302-7>
-  active T
-  comment "WEB-MISC console.exe access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 2020-4>
-  active T
-  comment "RPC mountd TCP unmount request"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 1090-7>
-  active T
-  comment "WEB-CGI Allaire Pro Web Shell attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 2010-4>
-  active T
-  comment "MISC CVS double free exploit attempt response"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/misc.rules
-</augment>
-
-<augment 1672-10>
-  active T
-  comment FTP CWD ~ attempt
-  comment pcre: /^CWD\s+~/smi
-  ftp /((^)|(\n+))CWD[\x20\x09\x0b]+~/
-  requires-reverse-signature ! ftp_server_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/ftp.rules
-  <delete>
-    payload /.*CWD/
-  </delete>
-</augment>
-
-<augment 1051-9>
-  active T
-  comment "WEB-CGI technote main.cgi file directory traversal attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 898-9>
-  active T
-  comment "WEB-CGI commerce.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1578-4>
-  active F
-  comment "WEB-MISC Domino statrep.nsf access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1397-6>
-  active T
-  comment "WEB-CGI wayboard attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 423-5>
-  active F
-  comment "ICMP Mobile Registration Request"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 1878-5>
-  active T
-  comment "WEB-CGI sdbsearch.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 2030-6>
-  active T
-  comment "RPC yppasswd new password overflow attempt TCP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 673-5>
-  active T
-  comment "MS-SQL sp_start_job - program execution"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/sql.rules
-</augment>
-
-<augment 1450-5>
-  active T
-  comment "SMTP expn *@"
-  comment "pcre: /^expn\s+\*@/smi"
-  payload "/((^)|(\n+))[eE][xX][pP][nN][\x20\x09\x0b]\*@/"
-  requires-reverse-signature ! smtp_server_fail
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/smtp.rules
-  <delete>
-    payload "/.*[eE][xX][pP][nN]/"
-    payload "/.*\*@/"
-  </delete>
-</augment>
-
-<augment 1106-9>
-  active T
-  comment "WEB-CGI Poll-it access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1844-9>
-  active T
-  comment IMAP authenticate overflow attempt
-  comment "pcre: /\sAUTHENTICATE\s[^\n]{100}/smi"
-  payload "/((^)|(\n+))[\x20\x09\x0b][aA][uU][tT][hH][eE][nN][tT][iI][cC][aA][tT][eE][\x20\x09\x0b][^\n]{100}/"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/imap.rules
-  <delete>
-    payload "/.*[aA][uU][tT][hH][eE][nN][tT][iI][cC][aA][tT][eE]/"
-  </delete>
-</augment>
-
-<augment 671-8>
-  active T
-  comment "SMTP sendmail 8.6.9c exploit"
-  requires-reverse-signature ! smtp_server_fail
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/smtp.rules
-</augment>
-
-<augment 894-8>
-  active T
-  comment "WEB-CGI bb-hist.sh access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 2206-6>
-  active T
-  comment "WEB-CGI ezman.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 375-6>
-  active F
-  comment "ICMP PING LINUX/*BSD"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 1148-5>
-  active T
-  comment "WEB-MISC Ecommerce import.txt access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 695-7>
-  active T
-  comment "MS-SQL/SMB xp_sprintf possible buffer overflow"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/sql.rules
-</augment>
-
-<augment 857-10>
-  active T
-  comment "WEB-CGI faxsurvey access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 2474-3>
-  active T
-  comment "NETBIOS SMB-DS ADMIN$ share access"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 1894-8>
-  active T
-  comment "EXPLOIT kadmind buffer overflow attempt"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/exploit.rules
-</augment>
-
-<augment 1011-7>
-  active T
-  comment "WEB-IIS exec-src access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 397-6>
-  active F
-  comment "ICMP Destination Unreachable Host Precedence Violation"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 255-11>
-  active T
-  comment "DNS zone transfer TCP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/dns.rules
-</augment>
-
-<augment 1774-3>
-  active T
-  comment "WEB-PHP bb_smilies.php access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 2501-8>
-  active F
-  comment "POP3 SSLv3 invalid timestamp attempt"
-  requires-reverse-signature ! pop_return_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/pop3.rules
-</augment>
-
-<augment 430-6>
-  active F
-  comment "ICMP Photuris Unknown Security Parameters Index"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 707-8>
-  active T
-  comment "MS-SQL xp_proxiedmetadata possible buffer overflow"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/sql.rules
-</augment>
-
-<augment 1332-5>
-  active T
-  comment "WEB-ATTACKS /usr/bin/id command attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-attacks.rules
-</augment>
-
-<augment 667-5>
-  active T
-  comment "SMTP sendmail 8.6.10 exploit"
-  requires-reverse-signature ! smtp_server_fail
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/smtp.rules
-</augment>
-
-<augment 2216-6>
-  active T
-  comment "WEB-CGI readmail.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 2558-2>
-  active T
-  comment "EXPLOIT Oracle Web Cache MKCOL overflow attempt"
-  comment pcre: /^MKCOL[^s]{432}/sm
-  payload /((^)|(\n+))MKCOL[^s]{432}/
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/exploit.rules
-  <delete>
-    payload /.*MKCOL/
-  </delete>
-</augment>
-
-<augment 2205-6>
-  active F
-  dst-ip == local_nets
-  comment "WEB-CGI ezboard.cgi access"
-  comment "Too general"
-  comment "vulnerabilities are too broad"
-  comment "Suggestion: analyze site version of software and test for vulnerability, make any adjustments, and then disable this rule."
-  requires-reverse-signature ! http_error
-  http /.*[\/\\]ezboard\.cgi/
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1910-10>
-  active T
-  comment "RPC CMSD udp CMSD_INSERT buffer overflow attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 668-6>
-  active T
-  comment "SMTP sendmail 8.6.10 exploit"
-  requires-reverse-signature ! smtp_server_fail
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/smtp.rules
-</augment>
-
-<augment 311-11>
-  active T
-  comment "EXPLOIT Netscape 4.7 unsucessful overflow"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/exploit.rules
-</augment>
-
-<augment 2351-7>
-  active F
-  comment "NETBIOS DCERPC ISystemActivator path overflow attempt little endian"
-  comment "Functions not supported"
-  comment "Better suited to a Bro analizer"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 1951-5>
-  active T
-  comment "RPC mountd TCP mount request"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 1185-10>
-  active T
-  comment "WEB-CGI bizdbsearch attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1608-5>
-  active T
-  comment "WEB-CGI htmlscript attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 278-5>
-  active T
-  comment "DOS Real Server template.html"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/dos.rules
-</augment>
-
-<augment 812-9>
-  active F
-  comment "WEB-CGI webplus version access"
-  comment "informational only"
-  comment "old signature from 04-10-2000"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1707-7>
-  active T
-  comment "WEB-CGI hello.bat arbitrary command execution attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 2526-6>
-  active F
-  comment "NETBIOS SMB-DS DCERPC LSASS direct bind attempt"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 1642-7>
-  active T
-  comment "WEB-CGI document.d2w access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1751-5>
-  active T
-  comment "EXPLOIT cachefsd buffer overflow attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/exploit.rules
-</augment>
-
-<augment 1591-6>
-  active T
-  comment "WEB-CGI faqmanager.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1336-5>
-  active T
-  comment "WEB-ATTACKS chmod command attempt"
-  requires-reverse-signature ! http_error
-  http /.*\/[cC][hH][mM][oO][dD]([^-a-zA-Z0-9_.]|$)/
-  <delete>
-  	payload /.*\/[bB][iI][nN]\/[cC][hH][mM][oO][dD]/
-  </delete>
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-attacks.rules
-</augment>
-
-<augment 1029-7>
-  active T
-  comment "WEB-IIS scripts-browse access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 380-7>
-  active F
-  comment "ICMP PING Seer Windows"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 808-8>
-  active F
-  comment "WEB-CGI webdriver access"
-  comment "informational only"
-  comment "old signature from 12-30-2000"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 2410-2>
-  active T
-  comment "WEB-PHP IGeneric Free Shopping Cart page.php access"
-  dst-ip == local_nets
-  http /.*[\/\\]page\.php\?.*script/
-  <delete>
-  	http /.*[\/\\]page\.php/
-  </delete>
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 1475-4>
-  active T
-  comment "WEB-CGI mailit.pl access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 2151-4>
-  active T
-  comment "WEB-PHP ttCMS header.php access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_QUIET
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 1730-7>
-  active T
-  comment "WEB-CGI ustorekeeper.pl directory traversal attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 310-8>
-  active T
-  comment "EXPLOIT x86 windows MailMax overflow"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/exploit.rules
-</augment>
-
-<augment 2510-7>
-  active F
-  comment "NETBIOS SMB DCERPC LSASS bind attempt"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 2293-4>
-  active T
-  comment "WEB-PHP Advanced Poll admin_password.php access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 1492-5>
-  active T
-  comment "WEB-MISC RBS ISP /newuser  directory traversal attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 2538-3>
-  active F
-  comment "SMTP SSLv3 Client_Hello request"
-  requires-reverse-signature ! smtp_server_fail
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/smtp.rules
-</augment>
-
-<augment 2428-3>
-  active T
-  comment NNTP ihave overflow attempt
-  comment "pcre: /^ihave\x3a[^\n]{21}/smi"
-  payload "/((^)|(\n+))[iI][hH][aA][vV][eE]\x3a[^\n]{21}/"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/nntp.rules
-  <delete>
-    payload "/.*[iI][hH][aA][vV][eE]/"
-  </delete>
-</augment>
-
-<augment 1810-9>
-  active T
-  comment "ATTACK-RESPONSES successful gobbles ssh exploit GOBBLE"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/attack-responses.rules
-</augment>
-
-<augment 1912-9>
-  active T
-  comment "RPC sadmind TCP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 2017-12>
-  active T
-  comment "RPC portmap espd request UDP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 497-8>
-  active T
-  comment "ATTACK-RESPONSES file copied ok"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/attack-responses.rules
-</augment>
-
-<augment 1964-8>
-  active T
-  comment "RPC tooltalk UDP overflow attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 936-5>
-  active T
-  comment "WEB-COLDFUSION gettempdirectory.cfm access "
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
-</augment>
-
-<augment 505-5>
-  active T
-  comment "MISC Insecure TIMBUKTU Password"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/misc.rules
-</augment>
-
-<augment 1506-7>
-  active T
-  comment "WEB-CGI alchemy http server NUL arbitrary command execution attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1923-6>
-  active T
-  comment "RPC portmap proxy attempt UDP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 1390-5>
-  active T
-  comment "SHELLCODE x86 inc ebx NOOP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/shellcode.rules
-</augment>
-
-<augment 2264-4>
-  active T
-  comment SMTP SAML FROM sendmail prescan too long addresses overflow
-  comment "pcre: /^SAML FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi"
-  payload "/((^)|(\n+))[sS][aA][mM][lL] [fF][rR][oO][mM]:[\x20\x09\x0b]+[a-zA-Z0-9_\x20\x09\x0b@\.]{0,200}\x3b[a-zA-Z0-9_\x20\x09\x0b@\.]{200,}\x3b[a-zA-Z0-9_\x20\x09\x0b@\.]{0,200}/"
-  requires-reverse-signature ! smtp_server_fail
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/smtp.rules
-  <delete>
-    payload /.*[sS][aA][mM][lL] [fF][rR][oO][mM]\x3A/
-  </delete>
-</augment>
-
-<augment 709-7>
-  active T
-  comment "TELNET 4Dgifts SGI account attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/telnet.rules
-</augment>
-
-<augment 606-5>
-  active T
-  comment "RSERVICES rlogin root"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/rservices.rules
-</augment>
-
-<augment 1788-3>
-  active T
-  comment "WEB-CGI csPassword password.cgi.tmp access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 2469-3>
-  active T
-  comment "NETBIOS SMB-DS D$ share unicode access"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 226-6>
-  active T
-  comment "DDOS Stacheldraht server response"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/ddos.rules
-</augment>
-
-<augment 1095-6>
-  active T
-  comment "WEB-MISC Talentsoft Web+ Source Code view access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 490-6>
-  active F
-  comment "INFO battle-mail traffic"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/info.rules
-</augment>
-
-<augment 2181-2>
-  active F
-  comment "P2P BitTorrent transfer"
-  comment "informational only"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/p2p.rules
-</augment>
-
-<augment 1385-11>
-  active T
-  comment "WEB-MISC mod-plsql administration access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1109-8>
-  active T
-  comment "WEB-MISC ROXEN directory list attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 2105-4>
-  active T
-  comment IMAP authenticate literal overflow attempt
-  comment "pcre: /\sAUTHENTICATE\s[^\n]*?\s\{/smi"
-  payload "/((^)|(\n+))[\x20\x09\x0b][aA][uU][tT][hH][eE][nN][tT][iI][cC][aA][tT][eE][\x20\x09\x0b][^\n]*?[\x20\x09\x0b]\{/"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/imap.rules
-  <delete>
-    payload "/.*[aA][uU][tT][hH][eE][nN][tT][iI][cC][aA][tT][eE]/"
-  </delete>
-</augment>
-
-<augment 231-3>
-  active T
-  comment "DDOS Trin00 Daemon to Master message detected"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/ddos.rules
-</augment>
-
-<augment 1439-5>
-  active F
-  comment "MULTIMEDIA Shoutcast playlist redirection"
-  comment "informational only"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/multimedia.rules
-</augment>
-
-<augment 1838-8>
-  active T
-  comment EXPLOIT SSH server banner overflow
-  comment "pcre: /^SSH-\s[^\n]{200}/ism"
-  payload "/((^)|(\n+))[sS][sS][hH]-[\x20\x09\x0b][^\n]{200}/"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/exploit.rules
-  <delete>
-    payload "/.*[sS][sS][hH]-/"
-  </delete>
-</augment>
-
-<augment 1597-7>
-  active F
-  comment "WEB-CGI guestbook.cgi access"
-  comment "too general"
-  comment "informational only"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1858-5>
-  active T
-  comment "WEB-MISC CISCO PIX Firewall Manager directory traversal attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 449-6>
-  active F
-  comment "ICMP Time-To-Live Exceeded in Transit"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 830-7>
-  active F
-  comment "WEB-CGI NPH-publish access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-  comment "duplicate of 1451-6"
-</augment>
-
-<augment 1349-5>
-  active F
-  comment "WEB-ATTACKS bin/python access attempt"
-  comment "informational only"
-  comment "too general"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-attacks.rules
-</augment>
-
-<augment 1368-6>
-  active T
-  comment "WEB-ATTACKS /bin/ls| command attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-attacks.rules
-</augment>
-
-<augment 2101-9>
-  active T
-  comment "NETBIOS SMB SMB_COM_TRANSACTION Max Parameter and Max Count of 0 DOS Attempt"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 2529-3>
-  active F
-  comment "IMAP SSLv3 Client_Hello request"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/imap.rules
-</augment>
-
-<augment 2031-5>
-  active T
-  comment "RPC yppasswd user update UDP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 1025-6>
-  active T
-  comment "WEB-IIS perl access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 2490-3>
-  active T
-  comment "EXPLOIT esignal SNAPQUOTE buffer overflow attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/exploit.rules
-</augment>
-
-<augment 810-11>
-  active F
-  comment "WEB-CGI whois_raw.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-  comment "duplicate of 1410"
-</augment>
-
-<augment 2349-5>
-  active F
-  comment "NETBIOS SMB-DS DCERPC enumerate printers request attempt"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 2312-2>
-  active T
-  comment "SHELLCODE x86 0x71FB7BAB NOOP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/shellcode.rules
-</augment>
-
-<augment 1166-8>
-  active T
-  comment "WEB-MISC ws_ftp.ini access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 997-6>
-  active T
-  comment "WEB-IIS asp-dot attempt"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 2306-4>
-  active T
-  comment WEB-PHP gallery arbitrary command execution attempt
-  comment pcre: /GALLERY_BASEDIR=(http|https|ftp)/i
-  http /.*[gG][aA][lL][lL][eE][rR][yY]_[bB][aA][sS][eE][dD][iI][rR]=(http|https|ftp)/
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-  <delete>
-    payload /.*GALLERY_BASEDIR=/
-  </delete>
-</augment>
-
-<augment 1973-6>
-  active T
-  comment FTP MKD overflow attempt
-  comment pcre: /^MKD\s[^\n]{100}/smi
-  eval dataSizeG100
-  ftp /((^)|(\n+))[mM][kK][dD][\x20\x09\x0b][^\n]{100}/
-  requires-reverse-signature ! ftp_server_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/ftp.rules
-  <delete>
-    payload /.*[mM][kK][dD]/
-  </delete>
-</augment>
-
-<augment 1279-14>
-  active T
-  comment "RPC portmap snmpXdmi request UDP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 120-5>
-  active T
-  comment "BACKDOOR Infector 1.6 Server to Client"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/backdoor.rules
-</augment>
-
-<augment 2310-8>
-  active T
-  comment "NETBIOS SMB-DS DCERPC Workstation Service unicode bind attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 1876-4>
-  active T
-  comment "WEB-CGI nph-publish.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1558-5>
-  active T
-  comment "WEB-MISC Delegate whois overflow attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 2396-2>
-  active T
-  comment "WEB-CGI CCBill whereami.cgi arbitrary command execution attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1757-3>
-  active T
-  comment "WEB-MISC b2 arbitrary command execution attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1888-8>
-  active T
-  comment FTP SITE CPWD overflow attempt
-  comment "pcre: /^SITE\s+CPWD\s[^\n]{100}/smi"
-  eval dataSizeG100
-  ftp "/((^)|(\n+))[sS][iI][tT][eE][\x20\x09\x0b]+[cC][pP][wW][dD][\x20\x09\x0b][^\n]{100}/"
-  requires-reverse-signature ! ftp_server_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/ftp.rules
-  <delete>
-    payload "/.*[sS][iI][tT][eE].*.*[cC][pP][wW][dD]/"
-  </delete>
-</augment>
-
-<augment 508-7>
-  active T
-  comment "MISC gopher proxy"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/misc.rules
-</augment>
-
-<augment 2095-6>
-  active T
-  comment "RPC CMSD TCP CMSD_CREATE array buffer overflow attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 2491-5>
-  active F
-  comment "NETBIOS SMB-DS DCERPC ISystemActivator unicode bind attempt"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 1178-6>
-  active T
-  comment "WEB-PHP Phorum read access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 1419-9>
-  active T
-  comment "SNMP trap udp"
-  requires-reverse-signature snmp_userver_ok_return
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/snmp.rules
-</augment>
-
-<augment 1553-7>
-  active T
-  comment "WEB-CGI /cart/cart.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 2288-4>
-  active T
-  comment "WEB-PHP Advanced Poll admin_edit.php access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 271-4>
-  active T
-  comment "DOS UDP echo+chargen bomb"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/dos.rules
-</augment>
-
-<augment 308-8>
-  active T
-  comment "EXPLOIT NextFTP client overflow"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/exploit.rules
-</augment>
-
-<augment 2294-4>
-  active F
-  comment "WEB-PHP Advanced Poll admin_preview.php access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 2035-6>
-  active T
-  comment "RPC portmap network-status-monitor request UDP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 2123-2>
-  active T
-  comment "ATTACK-RESPONSES Microsoft cmd.exe banner"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/attack-responses.rules
-</augment>
-
-<augment 1234-8>
-  active T
-  comment "WEB-MISC VirusWall FtpSaveCSP access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 2147-7>
-  active T
-  comment "WEB-PHP BLNews objects.inc.php4 remote file include attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 1381-5>
-  active T
-  comment "WEB-MISC Trend Micro OfficeScan attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 371-7>
-  active F
-  comment "ICMP PING Cisco Type.x"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 522-2>
-  active T
-  comment "MISC Tiny Fragments"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/misc.rules
-</augment>
-
-<augment 1417-9>
-  active F
-  comment "SNMP request udp"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/snmp.rules
-</augment>
-
-<augment 639-5>
-  active T
-  comment "SHELLCODE SGI NOOP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/shellcode.rules
-</augment>
-
-<augment 1457-6>
-  active T
-  comment "WEB-CGI user_update_admin.pl access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 334-5>
-  active T
-  comment "FTP .forward"
-  requires-reverse-signature ! ftp_server_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/ftp.rules
-</augment>
-
-<augment 1979-4>
-  active F
-  comment "WEB-MISC perl post attempt"
-  comment "too general"
-  comment "perl POST attempts are normal in the real world"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 225-6>
-  active T
-  comment "DDOS Stacheldraht gag server response"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/ddos.rules
-</augment>
-
-<augment 2291-4>
-  active T
-  comment "WEB-PHP Advanced Poll admin_license.php access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 1851-6>
-  active T
-  comment "WEB-MISC active.log access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1848-5>
-  active T
-  comment "WEB-MISC webcart-lite access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 2487-4>
-  active T
-  comment "SMTP WinZip MIME content-type buffer overflow"
-  comment pcre: /name=[^\r\n]*?\.(mim|uue|uu|b64|bhx|hqx|xxe)/smi
-  comment pcre: /(name|id|number|total|boundary)=\s*[^\r\n\x3b\s\x2c]{300}/smi
-  payload /[nN][aA][mM][eE]=[^\r\n]*?\.([mM][iI][mM]|[uU]{2}[eE]?|[bB]64|[bB][hH][xX]|[hH][qQ][xX]|[xX]{2}[eE])/
-  payload /([nN][aA][mM][eE]|[iI][dD]|[nN][uU][mM][bB][eE][rR]|[tT][oO][tT][aA][lL]|[bB][oO][uU][nN][dD][aA][rR][yY])=[\x20\x09\x0b]*[^\r\n\x3b\s\x2c]{300}/
-  requires-reverse-signature ! smtp_server_fail
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/smtp.rules
-</augment>
-
-<augment 2553-2>
-  active T
-  comment "EXPLOIT Oracle Web Cache PUT overflow attempt"
-  comment pcre: /^PUT[^s]{432}/sm
-  payload /((^)|(\n+))PUT[^s]{432}/
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/exploit.rules
-  <delete>
-    payload /.*PUT/
-  </delete>
-</augment>
-
-<augment 2009-2>
-  active T
-  src-ip == local_nets
-  comment "MISC CVS invalid repository response"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/misc.rules
-</augment>
-
-<augment 459-7>
-  active F
-  comment "ICMP unassigned type 1 undefined code"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 2437-5>
-  active T
-  comment WEB-CLIENT RealPlayer arbitrary javascript command attempt
-  comment "pcre: /^Content-Type\x3a\s+application\x2fsmi.*?<area[\s\n\r]+href=[\x22\x27]file\x3ajavascript\x3a/smi"
-  requires-signature http_real_client
-  http "/((^)|(\n+))[cC][oO][nN][tT][eE][nN][tT]-[tT][yY][pP][eE]\x3a[\x20\x09\x0b][aA][pP][pP][lL][iI][cC][aA][tT][iI][oO][nN]\x2f[sS][mM][iI].*?<[aA][rR][eE][aA][\x20\x09\x0b\n\r]+href=[\x22\x27][fF][iI][lL][eE]\x3ajavascript\x3a/"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-client.rules
-  <delete>
-    payload /.*[cC][oO][nN][tT][eE][nN][tT]-[tT][yY][pP][eE]\x3A/
-  </delete>
-</augment>
-
-<augment 1904-7>
-  active T
-  comment "IMAP find overflow attempt"
-  comment pcre: /\sFIND\s[^\n]{100}/smi
-  payload /((^)|(\n+))[\x20\x09\x0b][fF][iI][nN][dD][\x20\x09\x0b][^\n]{100}/
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/imap.rules
-  <delete>
-    payload /.*[fF][iI][nN][dD]/
-  </delete>
-</augment>
-
-<augment 1636-8>
-  active T
-  comment MISC Xtramail Username overflow attempt
-  comment pcre: /^Username\:[^\n]{100}/smi
-  payload /((^)|(\n+))[uU][sS][eE][rR][nN][aA][mM][eE]\:[^\n]{100}/
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/misc.rules
-  <delete>
-    payload /.*[uU][sS][eE][rR][nN][aA][mM][eE]\x3A/
-  </delete>
-</augment>
-
-<augment 1790-4>
-  active T
-  comment "CHAT IRC dns response"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/chat.rules
-</augment>
-
-<augment 815-9>
-  active F
-  comment "WEB-CGI websendmail access"
-  comment "informational only"
-  comment "old signature from 06-01-1999"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 2016-6>
-  active T
-  comment "RPC portmap status request TCP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 1493-5>
-  active T
-  comment "WEB-MISC RBS ISP /newuser access"
-  comment "port 8002 needs to be referencd and some ../ needs to be there as well"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-  http /.*\x3a8002.*[\/\\]newuser\x3f.*\x2e\x2e[\/\\]/
-  <delete>
-	http /.*[\/\\]newuser/
-  </delete>
-</augment>
-
-<augment 581-9>
-  active T
-  comment "RPC portmap pcnfsd request UDP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 577-13>
-  active F
-  comment "RPC portmap bootparam request UDP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 223-3>
-  active T
-  comment "DDOS Trin00 Daemon to Master PONG message detected"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/ddos.rules
-</augment>
-
-<augment 305-9>
-  active T
-  comment "EXPLOIT delegate proxy overflow"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/exploit.rules
-</augment>
-
-<augment 2383-9>
-  active T
-  comment "NETBIOS SMB-DS DCERPC NTLMSSP invalid mechtype attempt"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 243-2>
-  active T
-  comment "DDOS mstream agent to handler"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/ddos.rules
-</augment>
-
-<augment 2072-3>
-  active T
-  dst-ip == local_nets
-  comment "WEB-MISC lyris.pl admin access"
-  requires-reverse-signature ! http_error
-  http /POST.*[\/\\]lyris\.pl/
-  payload /list_admin=T/
-  event "WEB-MISC lyris.pl admin access"
-  <delete>
-  	http /.*[\/\\]lyris\.pl/
-  	event "WEB-MISC lyris.pl access"
-  </delete>
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 472-4>
-  active T
-  comment "ICMP redirect host"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/icmp.rules
-</augment>
-
-<augment 369-6>
-  active F
-  comment "ICMP PING BayRS Router"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 2470-3>
-  active T
-  comment "NETBIOS SMB C$ share unicode access"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 1650-6>
-  active T
-  comment "WEB-CGI tst.bat access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 615-8>
-  active F
-  comment "SCAN SOCKS Proxy attempt"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/scan.rules
-</augment>
-
-<augment 1868-5>
-  active T
-  comment "WEB-CGI story.pl arbitrary file read attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 693-5>
-  active T
-  comment "MS-SQL shellcode attempt"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/sql.rules
-</augment>
-
-<augment 2052-3>
-  active T
-  comment "WEB-CGI overflow.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1145-7>
-  active T
-  comment "WEB-MISC /~root access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1448-10>
-  active T
-  comment "MISC MS Terminal server request"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/misc.rules
-</augment>
-
-<augment 266-6>
-  active T
-  comment "DNS EXPLOIT x86 FreeBSD overflow attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/dns.rules
-</augment>
-
-<augment 2092-5>
-  active F
-  comment "RPC portmap proxy integer overflow attempt UDP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-
-<augment 2576-2>
-  active T
-  comment "ORACLE generate_replication_support prefix overflow attempt"
-  comment "pcre: /(package|procedure)_prefix[\s\r\n]*=>[\s\r\n]*('[^']{1000,}|"[^"]{1000,})/Rsmi"
-  payload "/([pP][aA][cC][kK][aA][gG][eE]|[pP][rR][oO][cC][eE][dD][uU][rR][eE])_[pP][rR][eE][fF][iI][xX][\x20\x09\x0b\r\n]*=>[\x20\x09\x0b\r\n]*('[^']{1000,}|"[^"]{1000,})/"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/oracle.rules
-</augment>
-
-<augment 2125-8>
-  active T
-  comment "FTP CWD Root directory transversal attempt"
-  requires-reverse-signature ! ftp_server_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/ftp.rules
-</augment>
-
-<augment 516-3>
-  active T
-  comment "MISC SNMP NT UserList"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/misc.rules
-</augment>
-
-<augment 1539-6>
-  active F
-  comment "WEB-CGI /cgi-bin/ls access"
-  comment "too many false positives"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1916-9>
-  active T
-  comment "RPC STATD TCP monitor mon_name format string exploit attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 595-16>
-  active T
-  comment "RPC portmap espd request TCP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 534-6>
-  active T
-  comment "NETBIOS SMB CD.."
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 2482-3>
-  active F
-  comment "NETBIOS SMB-DS DCERPC shutdown attempt"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 949-6>
-  active T
-  comment "WEB-FRONTPAGE registrations.htm access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-frontpage.rules
-</augment>
-
-<augment 824-9>
-  active F
-  comment "WEB-CGI php.cgi access"
-  comment "informational only"
-  comment "too general"
-  comment "old signature from 06-01-1999"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 2197-7>
-  active T
-  comment "WEB-CGI cvsview2.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 540-11>
-  active F
-  comment "CHAT MSN message"
-  comment "informational only"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/chat.rules
-</augment>
-
-<augment 1461-5>
-  active T
-  comment "WEB-CGI bb-rep.sh access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 395-6>
-  active F
-  comment "ICMP Destination Unreachable Destination Network Unknown"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 1616-6>
-  active F
-  comment "DNS named version attempt"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/dns.rules
-</augment>
-
-<augment 1500-6>
-  active T
-  comment "WEB-MISC ExAir access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 2262-4>
-  active T
-  comment SMTP SEND FROM sendmail prescan too long addresses overflow
-  comment pcre: /^SEND FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi
-  payload /((^)|(\n+))[sS][eE][nN][dD] [fF][rR][oO][mM]:[\x20\x09\x0b]+[a-zA-Z0-9\x5f\x20\x09\x0b@\.]{0,200}\x3b[a-zA-Z0-9_\x20\x09\x0b@\.]{200,}\x3b[a-zA-Z0-9_\x20\x09\x0b@\.]{0,200}/
-  requires-reverse-signature ! smtp_server_fail
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/smtp.rules
-  <delete>
-    payload /.*[sS][eE][nN][dD] [fF][rR][oO][mM]\x3A/
-  </delete>
-</augment>
-
-<augment 2504-6>
-  active T
-  comment "SMTP SSLv3 invalid data version attempt"
-  requires-reverse-signature ! smtp_server_fail
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/smtp.rules
-</augment>
-
-<augment 2089-5>
-  active T
-  comment "RPC ypupdated arbitrary command attempt TCP"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 1513-9>
-  active T
-  comment "WEB-CGI input.bat access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 682-6>
-  active T
-  comment "MS-SQL xp_enumresultset possible buffer overflow"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/sql.rules
-</augment>
-
-<augment 2282-2>
-  active T
-  comment "WEB-PHP GlobalFunctions.php access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 2508-6>
-  active F
-  comment "NETBIOS DCERPC LSASS DsRolerUpgradeDownlevelServer Exploit attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 117-6>
-  active T
-  comment "BACKDOOR Infector.1.x"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/backdoor.rules
-</augment>
-
-<augment 158-5>
-  active T
-  comment "BACKDOOR BackConstruction 2.1 Server FTP Open Reply"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/backdoor.rules
-</augment>
-
-<augment 1763-6>
-  active T
-  comment "WEB-CGI Nortel Contivity cgiproc DOS attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1762-4>
-  active T
-  comment "WEB-CGI phf arbitrary command execution attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1179-7>
-  active T
-  comment "WEB-PHP Phorum violation access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 1494-6>
-  active T
-  comment "WEB-CGI SIX webboard generate.cgi attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1834-5>
-  active T
-  comment "WEB-PHP PHP-Wiki cross site scripting attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 2475-3>
-  active T
-  comment "NETBIOS SMB-DS ADMIN$ share unicode access"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 964-6>
-  active T
-  comment "WEB-FRONTPAGE users.pwd access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-frontpage.rules
-</augment>
-
-<augment 320-9>
-  active T
-  comment "FINGER cmd_rootsh backdoor attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/finger.rules
-</augment>
-
-<augment 878-6>
-  active T
-  comment "WEB-CGI w3tvars.pm access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1452-5>
-  active T
-  comment "WEB-CGI args.cmd access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1101-7>
-  active T
-  comment "WEB-MISC Webtrends HTTP probe"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1441-4>
-  active T
-  comment "TFTP GET nc.exe"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/tftp.rules
-</augment>
-
-<augment 1207-7>
-  active T
-  comment "WEB-MISC htgrep access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1019-8>
-  active T
-  comment "WEB-IIS index server file source code attempt"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 1339-5>
-  active T
-  comment "WEB-ATTACKS chsh command attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-attacks.rules
-</augment>
-
-<augment 1240-5>
-  active T
-  comment "EXPLOIT MDBMS overflow"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/exploit.rules
-</augment>
-
-<augment 1557-7>
-  active T
-  comment "WEB-CGI DCShop auth_user_file.txt access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1264-13>
-  active T
-  comment "RPC portmap bootparam request TCP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 933-7>
-  active T
-  comment "WEB-COLDFUSION onrequestend.cfm access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
-</augment>
-
-<augment 512-4>
-  active T
-  comment "MISC PCAnywhere Failed Login"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/misc.rules
-</augment>
-
-<augment 1525-9>
-  active T
-  comment "WEB-MISC Axis Storpoint CD access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1348-5>
-  active T
-  comment "WEB-ATTACKS g++ command attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_QUIET
-  snort-rule-file snort_rules/rules2.2/web-attacks.rules
-</augment>
-
-<augment 902-7>
-  active T
-  comment "WEB-CGI tstisapi.dll access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1767-6>
-  active T
-  comment "WEB-MISC search.dll access"
-  comment "requires sambar web server"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-  eval isNotIIS
-  eval isNotApache
-</augment>
-
-<augment 1047-9>
-  active T
-  comment "WEB-MISC Netscape Enterprise DOS"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1089-9>
-  active T
-  comment "WEB-CGI shopping cart directory traversal"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 687-5>
-  active T
-  comment "MS-SQL xp_cmdshell - program execution"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/sql.rules
-</augment>
-
-<augment 2552-2>
-  active T
-  comment "EXPLOIT Oracle Web Cache HEAD overflow attempt"
-  comment pcre: /^HEAD[^s]{432}/sm
-  payload /((^)|(\n+))HEAD[^s]{432}/
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/exploit.rules
-</augment>
-
-<augment 384-5>
-  active F
-  comment "ICMP PING"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 836-7>
-  active T
-  comment "WEB-CGI textcounter.pl access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1722-4>
-  active T
-  comment "WEB-CGI MachineInfo access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 873-8>
-  active F
-  comment "WEB-CGI scriptalias access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 477-2>
-  active F
-  comment "ICMP Source Quench"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/icmp.rules
-</augment>
-
-<augment 2198-6>
-  active T
-  comment "WEB-CGI cvslog.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 859-7>
-  active T
-  comment "WEB-CGI man.sh access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 662-5>
-  active T
-  comment "SMTP sendmail 5.5.5 exploit"
-  requires-reverse-signature ! smtp_server_fail
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/smtp.rules
-</augment>
-
-<augment 441-6>
-  active F
-  comment "ICMP Router Advertisement"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 880-8>
-  active T
-  comment "WEB-CGI LWGate access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1017-8>
-  active T
-  comment "WEB-IIS idc-srch attempt"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 326-9>
-  active T
-  comment "FINGER remote command execution attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/finger.rules
-</augment>
-
-<augment 2234-5>
-  active T
-  comment "WEB-MISC TOP10.dll access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 359-5>
-  active T
-  comment "FTP satan scan"
-  requires-reverse-signature ! ftp_server_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/ftp.rules
-</augment>
-
-<augment 2420-2>
-  active F
-  comment "MULTIMEDIA realplayer .rmp playlist download attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/multimedia.rules
-</augment>
-
-<augment 2429-3>
-  active T
-  comment NNTP sendme overflow attempt
-  comment "pcre: /^sendme\x3a[^\n]{21}/smi"
-  payload /((^)|(\n+))[sS][eE][nN][dD][mM][eE]\x3a[^\n]{21}/
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/nntp.rules
-  <delete>
-    payload /.*[sS][eE][nN][dD][mM][eE]/
-  </delete>
-</augment>
-
-<augment 2513-7>
-  active F
-  comment "NETBIOS SMB-DS DCERPC LSASS unicode bind attempt"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 2427-3>
-  active T
-  comment "NNTP checkgroups overflow attempt"
-  comment pcre: /^checkgroups\x3a[^\n]{21}/smi
-  payload /((^)|(\n+))[cC][hH][eE][cC][kK][gG][rR][oO][uU][pP][sS]\x3a[^\n]{21}/
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/nntp.rules
-  <delete>
-    payload /.*[cC][hH][eE][cC][kK][gG][rR][oO][uU][pP][sS]/
-  </delete>
-</augment>
-
-<augment 2485-4>
-  active T
-  comment "WEB-CLIENT Nortan antivirus sysmspam.dll load attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-client.rules
-</augment>
-
-<augment 488-4>
-  active F
-  comment "INFO Connection Closed MSG from Port 80"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/info.rules
-</augment>
-
-<augment 2483-3>
-  active F
-  comment "NETBIOS SMB-DS DCERPC shutdown little endian attempt"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 2129-9>
-  active T
-  comment "WEB-IIS nsiislog.dll access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 1486-4>
-  active T
-  comment "WEB-IIS ctss.idc access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 923-7>
-  active T
-  comment "WEB-COLDFUSION getodbcin attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
-</augment>
-
-<augment 2245-5>
-  active T
-  comment "WEB-MISC Webnews.exe access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 2370-2>
-  active T
-  comment "WEB-MISC BugPort config.conf file access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_QUIET
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 2531-3>
-  active F
-  comment "IMAP SSLv3 invalid Client_Hello attempt"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/imap.rules
-</augment>
-
-<augment 2244-4>
-  active T
-  comment "WEB-MISC VsSetCookie.exe access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1172-10>
-  active T
-  comment "WEB-CGI bigconf.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1168-5>
-  active T
-  comment "WEB-MISC mall log order access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1167-7>
-  active T
-  comment "WEB-MISC rpm_query access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 530-10>
-  active T
-  comment "NETBIOS NT NULL session"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 2466-3>
-  active T
-  comment "NETBIOS SMB-DS IPC$ share unicode access"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 1920-6>
-  active T
-  comment FTP SITE NEWER overflow attempt
-  comment pcre: /^SITE\s+NEWER\s[^\n]{100}/smi
-  eval dataSizeG100
-  ftp /((^)|(\n+))[sS][iI][tT][eE][\x20\x09\x0b]+[nN][eE][wW][eE][rR][\x20\x09\x0b][^\n]{100}/
-  requires-reverse-signature ! ftp_server_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/ftp.rules
-  <delete>
-    payload /.*[sS][iI][tT][eE].*.*[nN][eE][wW][eE][rR]/
-  </delete>
-</augment>
-
-<augment 1410-9>
-  active T
-  comment "WEB-CGI dcboard.cgi access"
-  comment "too general but low occurence"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1579-4>
-  active T
-  comment "WEB-MISC Domino webadmin.nsf access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 403-6>
-  active F
-  comment "ICMP Destination Unreachable Precedence Cutoff in effect"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 2389-4>
-  active T
-  comment FTP RNTO overflow attempt
-  comment pcre: /^RNTO\s[^\n]{100}/smi
-  eval dataSizeG100
-  ftp /((^)|(\n+))[rR][nN][tT][oO][\x20\x09\x0b][^\n]{100}/
-  requires-reverse-signature ! ftp_server_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/ftp.rules
-  <delete>
-    payload /.*[rR][nN][tT][oO]/
-  </delete>
-</augment>
-
-<augment 2158-5>
-  active F
-  comment "MISC BGP invalid length"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/misc.rules
-</augment>
-
-<augment 2417-1>
-  active T
-  comment "FTP format string attempt"
-  comment pcre: /\s+.*?%.*?%/smi
-  ftp /[\x20\x09\x0b]+.*?%.*?%/
-  requires-reverse-signature ! ftp_server_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/ftp.rules
-</augment>
-
-<augment 1275-10>
-  active T
-  comment "RPC portmap yppasswd request TCP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 2290-4>
-  active T
-  comment "WEB-PHP Advanced Poll admin_help.php access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 1253-11>
-  active T
-  comment "TELNET bsd exploit client finishing"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/telnet.rules
-</augment>
-
-<augment 2185-7>
-  active T
-  comment "RPC mountd UDP mount path overflow attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 387-7>
-  active F
-  comment "ICMP Address Mask Reply undefined code"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 274-5>
-  active T
-  comment "DOS ath"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/dos.rules
-</augment>
-
-<augment 1362-5>
-  active T
-  comment "WEB-ATTACKS xterm command attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-attacks.rules
-</augment>
-
-<augment 2423-2>
-  active T
-  comment NNTP article post without path attempt
-  comment pcre: /^takethis.*?Path\x3a.*?[\r]{0,1}?\n[\r]{0,1}\n/si
-  http /((^)|(\n+))[tT][aA][kK][eE][tT][hH][iI][sS].*?[pP][Aa][Tt][Hh]\x3a.*?[\r]{0,1}?\n[\r]{0,1}\n/
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/nntp.rules
-  <delete>
-    http /.*\.rp/
-  </delete>
-</augment>
-
-<augment 1741-5>
-  active T
-  comment "WEB-PHP DNSTools access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 1822-7>
-  active F
-  comment "WEB-CGI alienform.cgi directory traversal attempt"
-  comment "merged with s2b-1823-7"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 2569-1>
-  active F
-  comment "WEB-MISC cPanel resetpass access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 2043-2>
-  active T
-  comment "MISC isakmp login failed"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/misc.rules
-</augment>
-
-<augment 1586-4>
-  active T
-  comment "WEB-MISC Domino mail.box access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 542-10>
-  active T
-  comment "CHAT IRC nick change"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/chat.rules
-</augment>
-
-<augment 1643-6>
-  active F
-  comment "WEB-CGI db2www access"
-  comment "too general to be useful"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 2577-2>
-  active F
-  comment "WEB-CLIENT local resource redirection attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-client.rules
-</augment>
-
-<augment 2299-4>
-  active T
-  comment "WEB-PHP Advanced Poll admin_tpl_misc_new.php access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 275-10>
-  active T
-  comment "DOS NAPTHA"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/dos.rules
-</augment>
-
-<augment 1890-8>
-  active T
-  comment "RPC status GHBN format string attack"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 1284-10>
-  active T
-  comment "WEB-CLIENT readme.eml download attempt"
-  requires-signature http_msie_client
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-client.rules
-</augment>
-
-<augment 368-6>
-  active F
-  comment "ICMP PING BSDtype"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 1735-4>
-  active T
-  comment "WEB-CLIENT XMLHttpRequest attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-client.rules
-</augment>
-
-<augment 379-7>
-  active F
-  comment "ICMP PING Pinger Windows"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 1605-6>
-  active T
-  dst-ip == local_nets
-  comment "DOS iParty DOS attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/dos.rules
-</augment>
-
-<augment 2094-6>
-  active T
-  comment "RPC CMSD UDP CMSD_CREATE array buffer overflow attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 2540-3>
-  active F
-  comment "SMTP SSLv3 invalid Client_Hello attempt"
-  requires-reverse-signature ! smtp_server_fail
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/smtp.rules
-</augment>
-
-<augment 2004-5>
-  active F
-  comment "MS-SQL Worm propagation attempt OUTBOUND"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/sql.rules
-</augment>
-
-<augment 2391-4>
-  active T
-  comment FTP APPE overflow attempt
-  comment pcre: /^APPE\s[^\n]{100}/smi
-  eval dataSizeG100
-  payload /((^)|(\n+))[aA][pP][pP][eE][\x20\x09\x0b][^\n]{100}/
-  requires-reverse-signature ! ftp_server_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/ftp.rules
-  <delete>
-    payload /.*[aA][pP][pP][eE]/
-  </delete>
-</augment>
-
-<augment 2025-9>
-  active T
-  comment "RPC yppasswd username overflow attempt UDP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 532-8>
-  active T
-  comment "NETBIOS SMB ADMIN$ share access"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 2431-3>
-  active T
-  comment NNTP rmgroup overflow attempt
-  comment pcre: /^rmgroup\x3a[^\n]{21}/smi
-  payload /((^)|(\n+))[rR][mM][gG][rR][oO][uU][pP]\x3a[^\n]{21}/
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/nntp.rules
-  <delete>
-    payload /.*[rR][mM][gG][rR][oO][uU][pP]/
-  </delete>
-</augment>
-
-<augment 162-4>
-  active T
-  comment "BACKDOOR Matrix 2.0 Server access"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/backdoor.rules
-</augment>
-
-<augment 1552-4>
-  active T
-  comment "WEB-MISC cvsweb version access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1652-6>
-  active T
-  comment "WEB-CGI campus attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 222-2>
-  active T
-  comment "DDOS tfn2k icmp possible communication"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/ddos.rules
-</augment>
-
-<augment 1435-6>
-  active T
-  comment "DNS named authors attempt"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/dns.rules
-</augment>
-
-<augment 535-6>
-  active T
-  comment "NETBIOS SMB CD..."
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 1549-16>
-  active T
-  comment SMTP HELO overflow attempt
-  comment pcre: /^HELO\s[^\n]{500}/smi
-  payload /((^)|(\n+))[hH][eE][lL][oO][\x20\x09\x0b][^\n]{500}/
-  sigaction SIG_LOG
-  requires-reverse-signature ! smtp_server_fail
-  snort-rule-file snort_rules/rules2.2/smtp.rules
-  <delete>
-    payload /.*HELO/
-  </delete>
-</augment>
-
-<augment 1613-7>
-  active F
-  dst-ip == local_nets
-  http /[\/]handler.{1,}?\;.{2,}\|/
-  comment "WEB-MISC handler attempt"
-  comment "old IRIX web server vulnerability"
-  requires-reverse-signature ! http_error
-  <delete>
-  	http /.*[\/\\]handler/
-  	http /.*\x7C/
-  </delete>
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 419-5>
-  active F
-  comment "ICMP Mobile Host Redirect"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 858-7>
-  active T
-  comment "WEB-CGI filemail access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 315-6>
-  active T
-  comment "EXPLOIT x86 Linux mountd overflow"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/exploit.rules
-</augment>
-
-<augment 1523-10>
-  active T
-  comment "WEB-MISC ans.pl access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1726-4>
-  active T
-  comment "WEB-IIS doctodep.btr access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 2528-7>
-  active F
-  comment "SMTP TLS PCT Client_Hello overflow attempt"
-  requires-reverse-signature ! smtp_server_fail
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/smtp.rules
-</augment>
-
-<augment 884-14>
-  active T
-  comment "WEB-CGI formmail access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-  http /.*[\/\\]formmail{0,5}\?/
-  <delete>
-  	http /.*[\/\\]formmail/
-  </delete>
-</augment>
-
-<augment 1086-12>
-  active T
-  comment "WEB-PHP strings overflow"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 1271-14>
-  active T
-  comment "RPC portmap rusers request TCP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 1517-9>
-  active T
-  comment "WEB-CGI envout.bat access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1115-7>
-  active T
-  comment "WEB-MISC ICQ webserver DOS"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1919-12>
-  active T
-  comment FTP CWD overflow attempt
-  comment "pcre: /^CWD\s[^\n]{100}/smi"
-  eval dataSizeG100
-  ftp "/((^)|(\n+))[cC][wW][dD][\x20\x09\x0b][^\n]{100}/"
-  requires-reverse-signature ! ftp_server_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/ftp.rules
-  <delete>
-    payload "/.*[cC][wW][dD]/"
-  </delete>
-</augment>
-
-<augment 1947-4>
-  active T
-  comment "WEB-MISC answerbook2 arbitrary command execution attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1841-5>
-  active T
-  comment "WEB-CLIENT Javascript URL host spoofing attempt"
-  requires-signature http_old_gecko_client
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-client.rules
-</augment>
-
-<augment 439-6>
-  active F
-  comment "ICMP Reserved for Security Type 19"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 2285-2>
-  active T
-  comment "WEB-PHP rolis guestbook access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 996-8>
-  active T
-  comment "WEB-IIS anot.htr access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 1571-8>
-  active T
-  comment "WEB-CGI dcforum.cgi directory traversal attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 478-3>
-  active T
-  comment "ICMP Broadscan Smurf Scanner"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/icmp.rules
-</augment>
-
-<augment 1880-4>
-  active T
-  comment "WEB-MISC oracle web application server access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1934-6>
-  active T
-  comment POP2 FOLD overflow attempt
-  comment pcre: /^FOLD\s[^\n]{256}/smi
-  payload /((^)|(\n+))[fF][oO][lL][dD][\x20\x09\x0b][^\n]{256}/
-  requires-reverse-signature ! pop_return_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/pop2.rules
-  <delete>
-    payload /.*FOLD/
-  </delete>
-</augment>
-
-<augment 861-12>
-  active T
-  comment "WEB-CGI w3-msql access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1304-7>
-  active T
-  comment "WEB-CGI txt2html.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 998-7>
-  active T
-  comment "WEB-IIS asp-srch attempt"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 254-4>
-  active T
-  comment "DNS SPOOF query response with TTL of 1 min. and no authority"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/dns.rules
-</augment>
-
-<augment 941-6>
-  active T
-  comment "WEB-FRONTPAGE contents.htm access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-frontpage.rules
-</augment>
-
-<augment 611-7>
-  active T
-  comment "RSERVICES rlogin login failure"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rservices.rules
-</augment>
-
-<augment 2421-2>
-  active F
-  comment "MULTIMEDIA realplayer .smi playlist download attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/multimedia.rules
-</augment>
-
-<augment 2313-2>
-  active T
-  comment "SHELLCODE x86 0x71FB7BAB NOOP unicode"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/shellcode.rules
-</augment>
-
-<augment 2511-9>
-  active F
-  comment "NETBIOS SMB DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 1538-13>
-  active T
-  comment "NNTP AUTHINFO USER overflow attempt"
-  comment pcre: /^AUTHINFO\s+USER\s[^\n]{200}/smi
-  payload /((^)|(\n+))[aA][uU][tT][hH][iI][nN][fF][oO][\x20\x09\x0b]+[uU][sS][eE][rR][\x20\x09\x0b][^\n]{200}/
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/nntp.rules
-  <delete>
-    payload /.*[aA][uU][tT][hH][iI][nN][fF][oO].*.*[uU][sS][eE][rR]/
-  </delete>
-</augment>
-
-<augment 1373-6>
-  active T
-  comment "WEB-ATTACKS conf/httpd.conf attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-attacks.rules
-</augment>
-
-<augment 1129-5>
-  active T
-  comment "WEB-MISC .htaccess access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 2445-4>
-  active T
-  comment "EXPLOIT ICQ SRV_MULTI/SRV_META_USER last name overflow attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/exploit.rules
-</augment>
-
-<augment 1896-8>
-  active T
-  comment "EXPLOIT kadmind buffer overflow attempt"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/exploit.rules
-</augment>
-
-<augment 2380-3>
-  active T
-  comment "EXPLOIT ISAKMP fifth payload certificate request length overflow attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/exploit.rules
-</augment>
-
-<augment 2447-4>
-  active T
-  comment "WEB-MISC ServletManager access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1911-10>
-  active T
-  comment "RPC sadmind UDP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 2444-4>
-  active T
-  comment "EXPLOIT ICQ SRV_MULTI/SRV_META_USER first name overflow attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/exploit.rules
-</augment>
-
-<augment 438-9>
-  active F
-  comment "ICMP Redirect undefined code"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 500-4>
-  active T
-  comment "MISC source route lssr"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/misc.rules
-</augment>
-
-<augment 1937-5>
-  active T
-  comment POP3 LIST overflow attempt
-  comment "pcre: /^LIST\s[^\n]{10}/smi"
-  payload "/((^)|(\n+))[lL][iI][sS][tT][\x20\x09\x0b][^\n]{10}/"
-  requires-reverse-signature ! pop_return_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/pop3.rules
-  <delete>
-    payload "/.*[lL][iI][sS][tT]/"
-  </delete>
-</augment>
-
-<augment 2247-3>
-  active T
-  comment "WEB-IIS UploadScript11.asp access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 1060-6>
-  active T
-  comment "WEB-MISC xp_availablemedia attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 2184-7>
-  active T
-  comment "RPC mountd TCP mount path overflow attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 385-4>
-  active F
-  comment "ICMP traceroute"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 1328-5>
-  active T
-  comment "WEB-ATTACKS ps command attempt"
-  requires-reverse-signature ! http_error
-  http /.*[\/\\]bin[\/\\]ps([^-_a-zA-Z0-9.]|$)/
-  <delete>
-  	http /.*[\/\\]bin[\/\\]ps/
-  </delete>
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-attacks.rules
-</augment>
-
-<augment 650-8>
-  active F
-  comment "SHELLCODE x86 setuid 0"
-  sigaction SIG_FILE
-  dst-ip == local_nets
-  snort-rule-file snort_rules/rules2.2/shellcode.rules
-  comment "Short binary pattern"
-  comment "Mild suspicion"
-  comment "too many false positives"
-</augment>
-
-<augment 2303-4>
-  active F
-  comment "WEB-PHP Advanced Poll popup.php access"
-  comment "informational only"
-  comment "too general"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 598-12>
-  active T
-  comment "RPC portmap listing TCP 111"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 2283-2>
-  active T
-  comment "WEB-PHP DatabaseFunctions.php access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 408-5>
-  active F
-  comment "ICMP Echo Reply"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 2494-5>
-  active F
-  comment "NETBIOS DCEPRC ORPCThis request flood attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 955-6>
-  active T
-  comment "WEB-FRONTPAGE access.cnf access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-frontpage.rules
-</augment>
-
-<augment 1560-6>
-  active F
-  comment "WEB-MISC /doc/ access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1853-6>
-  active T
-  comment "BACKDOOR win-trin00 connection attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/backdoor.rules
-</augment>
-
-<augment 1052-8>
-  active T
-  comment "WEB-CGI technote print.cgi directory traversal attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 2532-3>
-  active F
-  comment "MISC LDAP SSLv3 Client_Hello request"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/misc.rules
-</augment>
-
-<augment 1739-6>
-  active T
-  comment "WEB-PHP DNSTools administrator authentication bypass attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 529-7>
-  active T
-  comment "NETBIOS DOS RFPoison"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 1941-8>
-  active T
-  comment "TFTP GET filename overflow attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/tftp.rules
-</augment>
-
-<augment 839-7>
-  active F
-  comment "WEB-CGI finger access"
-  comment "informational only"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 2027-5>
-  active T
-  comment "RPC yppasswd old password overflow attempt UDP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 428-7>
-  active F
-  comment "ICMP Parameter Problem undefined Code"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 1440-5>
-  active F
-  comment "MULTIMEDIA Icecast playlist redirection"
-  comment "informational only"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/multimedia.rules
-</augment>
-
-<augment 1656-4>
-  active T
-  comment "WEB-CGI pfdispaly.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1612-8>
-  active T
-  comment "WEB-MISC ftp.pl attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 2038-5>
-  active T
-  comment "RPC network-status-monitor mon-callback request TCP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 1136-5>
-  active T
-  comment "WEB-MISC cd.."
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1611-5>
-  active F
-  dst-ip == local_nets
-  comment "WEB-CGI eXtropia webstore access"
-  comment "informational only"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1807-9>
-  active T
-  comment "WEB-MISC Chunked-Encoding transfer attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  eval isApacheLt1322
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1300-7>
-  active T
-  comment "WEB-PHP admin.php file upload attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 1953-5>
-  active T
-  comment "RPC AMD TCP pid request"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 119-5>
-  active T
-  comment "BACKDOOR Doly 2.0 access"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/backdoor.rules
-</augment>
-
-<augment 1057-6>
-  active T
-  comment "WEB-MISC ftp attempt"
-  requires-reverse-signature ! http_error
-  http /.*[fF][tT][pP]\.[eE][xX][eE]/
-  <delete>
-  	payload /.*[fF][tT][pP]\.[eE][xX][eE]/
-  </delete>
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 337-10>
-  active T
-  comment FTP CEL overflow attempt
-  comment "pcre: /^CEL\s[^\n]{100}/smi"
-  eval dataSizeG100
-  ftp "/((^)|(\n+))[cC][eE][lL][\x20\x09\x0b][^\n]{100}/"
-  requires-reverse-signature ! ftp_server_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/ftp.rules
-  <delete>
-    payload "/.*[cC][eE][lL]/"
-  </delete>
-</augment>
-
-<augment 2297-4>
-  active T
-  comment "WEB-PHP Advanced Poll admin_templates_misc.php access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 1974-6>
-  active T
-  comment FTP REST overflow attempt
-  comment "pcre: /^REST\s[^\n]{100}/smi"
-  eval dataSizeG100
-  ftp "/((^)|(\n+))[rR][eE][sS][tT][\x20\x09\x0b][^\n]{100}/"
-  requires-reverse-signature ! ftp_server_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/ftp.rules
-  <delete>
-    payload "/.*[rR][eE][sS][tT]/"
-  </delete>
-</augment>
-
-<augment 1277-9>
-  active T
-  comment "RPC portmap ypupdated request UDP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 649-8>
-  active T
-  comment "SHELLCODE x86 setgid 0"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/shellcode.rules
-  comment "Short binary pattern"
-  comment "Mild suspicion"
-</augment>
-
-<augment 2023-4>
-  active T
-  comment "RPC mountd UDP unmountall request"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 2350-7>
-  active F
-  comment "NETBIOS DCERPC ISystemActivator bind accept"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 1875-4>
-  active T
-  dst-ip == local_nets
-  comment "WEB-CGI cgicso access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 328-8>
-  active T
-  comment "FINGER bomb attempt"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/finger.rules
-</augment>
-
-<augment 2461-3>
-  active F
-  comment "CHAT Yahoo IM webcam watch"
-  comment "informational only"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/chat.rules
-</augment>
-
-<augment 1777-4>
-  active T
-  comment "FTP EXPLOIT STAT * dos attempt"
-  requires-reverse-signature ! ftp_server_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/ftp.rules
-</augment>
-
-<augment 1963-9>
-  active T
-  comment "RPC RQUOTA getquota overflow attempt UDP"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 862-9>
-  active T
-  comment "WEB-CGI csh access"
-  requires-reverse-signature ! http_error
-  requires-signature ! http_shell_check
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 537-11>
-  active T
-  comment "NETBIOS SMB IPC$ share access"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 2556-2>
-  active T
-  comment "EXPLOIT Oracle Web Cache DELETE overflow attempt"
-  comment pcre: /^DELETE[^s]{432}/sm
-  payload /((^)|(\n+))DELETE[^s]{432}/
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/exploit.rules
-</augment>
-
-<augment 694-6>
-  active T
-  comment "MS-SQL/SMB shellcode attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/sql.rules
-</augment>
-
-<augment 1187-12>
-  active T
-  comment "WEB-MISC SalesLogix Eviewer web command attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 2516-10>
-  active T
-  comment "MISC LDAP PCT Client_Hello overflow attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/misc.rules
-</augment>
-
-<augment 161-4>
-  active T
-  comment "BACKDOOR Matrix 2.0 Client connect"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/backdoor.rules
-</augment>
-
-<augment 1388-12>
-  active T
-  comment MISC UPnP Location overflow
-  comment pcre: /^Location\:[^\n]{128}/smi
-  payload /((^)|(\n+))[lL][oO][cC][aA][tT][iI][oO][nN]\x3a[^\n]{128}/
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/misc.rules
-  <delete>
-    payload /.*[lL][oO][cC][aA][tT][iI][oO][nN]\x3A/
-  </delete>
-</augment>
-
-<augment 1615-5>
-  active T
-  comment "WEB-MISC htgrep attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 2249-3>
-  active T
-  comment "WEB-IIS /pcadmin/login.asp access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 1437-5>
-  active F
-  comment "MULTIMEDIA Windows Media audio download"
-  comment "informational only"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/multimedia.rules
-</augment>
-
-<augment 146-5>
-  active T
-  comment "BACKDOOR NetSphere access"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/backdoor.rules
-</augment>
-
-<augment 2566-1>
-  active T
-  comment "WEB-PHP PHPBB viewforum.php access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 2046-6>
-  active T
-  comment IMAP partial body.peek buffer overflow attempt
-  comment "pcre: /\sPARTIAL.*BODY\.PEEK\[[^\]]{1024}/smi"
-  payload "/((^)|(\n+))[\x20\x09\x0b][pP][aA][rR][tT][iI][aA][lL].*[bB][oO][dD][yY]\.[pP][eE][eE][kK]\[[^\]]{1024}/"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/imap.rules
-  <delete>
-    payload "/.*[pP][aA][rR][tT][iI][aA][lL].*.*[bB][oO][dD][yY]\.[pP][eE][eE][kK]\[/"
-  </delete>
-</augment>
-
-<augment 1731-7>
-  active T
-  comment "WEB-CGI a1stats access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 279-3>
-  active T
-  comment "DOS Bay/Nortel Nautica Marlin"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/dos.rules
-</augment>
-
-<augment 2571-1>
-  active T
-  comment "WEB-IIS SmarterTools SmarterMail frmGetAttachment.aspx access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 425-6>
-  active F
-  comment "ICMP Parameter Problem Bad Length"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 1606-6>
-  active F
-  comment "WEB-CGI icat access"
-  requires-reverse-signature ! http_error
-  http /.*[\/\\]icat([^\.][^h][^t][^m]|$)/
-  <delete>
-  	http /.*[\/\\]icat/
-  </delete>
-  sigaction SIG_LOG
-  comment "too many false positives"
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 975-12>
-  active T
-  comment "WEB-IIS Alternate Data streams ASP file access attempt"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 163-8>
-  active T
-  comment "BACKDOOR WinCrash 1.0 Server Active"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/backdoor.rules
-</augment>
-
-<augment 451-5>
-  active F
-  comment "ICMP Timestamp Reply"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 2024-8>
-  active T
-  comment "RPC RQUOTA getquota overflow attempt TCP"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 2174-4>
-  active T
-  comment "NETBIOS SMB winreg access"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 1635-13>
-  active T
-  comment POP3 APOP overflow attempt
-  comment "pcre: /^APOP\s[^\n]{256}/smi"
-  payload "/((^)|(\n+))[aA][pP][oO][pP][\x20\x09\x0b][^\n]{256}/"
-  requires-reverse-signature ! pop_return_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/pop3.rules
-  <delete>
-    payload "/.*[aA][pP][oO][pP]/"
-  </delete>
-</augment>
-
-<augment 394-6>
-  active F
-  comment "ICMP Destination Unreachable Destination Host Unknown"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 475-3>
-  active T
-  comment "ICMP traceroute ipopts"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/icmp.rules
-</augment>
-
-<augment 2223-5>
-  active F
-  comment "WEB-CGI csNews.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-  comment "Informational only"
-</augment>
-
-<augment 270-6>
-  active T
-  comment "DOS Teardrop attack"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/dos.rules
-</augment>
-
-<augment 2231-5>
-  active T
-  comment "WEB-MISC register.dll access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1400-4>
-  active T
-  comment "WEB-IIS /scripts/samples/ access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 1184-6>
-  active T
-  comment "WEB-MISC Netscape Enterprise Server directory view"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1839-4>
-  active T
-  comment "WEB-MISC mailman cross site scripting attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1360-5>
-  active T
-  comment "WEB-ATTACKS netcat command attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-attacks.rules
-</augment>
-
-<augment 1601-7>
-  active T
-  comment "WEB-CGI htsearch arbitrary file read attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 962-9>
-  active T
-  comment "WEB-FRONTPAGE shtml.exe access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-frontpage.rules
-</augment>
-
-<augment 1180-12>
-  active T
-  comment "WEB-MISC get32.exe access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 2551-2>
-  active T
-  comment "EXPLOIT Oracle Web Cache GET overflow attempt"
-  comment pcre: /^GET[^s]{432}/sm
-  payload /((^)|(\n+))GET[^s]{432}/
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/exploit.rules
-</augment>
-
-<augment 514-5>
-  active T
-  comment "MISC ramen worm"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/misc.rules
-</augment>
-
-<augment 224-3>
-  active T
-  comment "DDOS Stacheldraht server spoof"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/ddos.rules
-</augment>
-
-<augment 2316-6>
-  active T
-  comment "NETBIOS DCERPC Workstation Service direct service access attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 247-4>
-  active T
-  comment "DDOS mstream client to handler"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/ddos.rules
-</augment>
-
-<augment 919-7>
-  active T
-  comment "WEB-COLDFUSION datasource passwordattempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
-</augment>
-
-<augment 1835-5>
-  active T
-  comment "WEB-MISC Macromedia SiteSpring cross site scripting attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1758-3>
-  active T
-  comment "WEB-MISC b2 access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 953-7>
-  active T
-  comment "WEB-FRONTPAGE administrators.pwd access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-frontpage.rules
-</augment>
-
-<augment 1465-8>
-  active T
-  comment "WEB-CGI auktion.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1367-5>
-  active T
-  comment "WEB-ATTACKS mail command attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-attacks.rules
-</augment>
-
-<augment 1421-11>
-  active T
-  comment "SNMP AgentX/tcp request"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/snmp.rules
-</augment>
-
-<augment 2258-6>
-  active T
-  comment "NETBIOS SMB-DS DCERPC Messenger Service buffer overflow attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 1811-8>
-  active T
-  comment "ATTACK-RESPONSES successful gobbles ssh exploit uname"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/attack-responses.rules
-</augment>
-
-<augment 1183-8>
-  active T
-  comment "WEB-MISC Netscape Enterprise Server directory view"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 918-6>
-  active T
-  comment "WEB-COLDFUSION expeval access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
-</augment>
-
-<augment 2515-9>
-  active F
-  comment "WEB-MISC PCT Client_Hello overflow attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1270-11>
-  active T
-  comment "RPC portmap rstatd request TCP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 2512-7>
-  active F
-  comment "NETBIOS SMB-DS DCERPC LSASS bind attempt"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 1347-5>
-  active T
-  comment "WEB-ATTACKS /usr/bin/g++ command attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-attacks.rules
-</augment>
-
-<augment 1100-7>
-  active T
-  comment "WEB-MISC L3retriever HTTP Probe"
-  requires-reverse-signature ! http_error
-  sigaction SIG_QUIET
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1127-7>
-  active T
-  comment "WEB-MISC convert.bas access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 2340-4>
-  active T
-  comment FTP SITE CHMOD overflow attempt
-  comment "pcre: /^SITE\s+CHMOD\s[^\n]{100}/smi"
-  eval dataSizeG100
-  ftp "/((^)|(\n+))[sS][iI][tT][eE][\x20\x09\x0b]+[cC][hH][mM][oO][dD][\x20\x09\x0b][^\n]{100}/"
-  requires-reverse-signature ! ftp_server_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/ftp.rules
-  <delete>
-    payload "/.*[sS][iI][tT][eE].*.*[cC][hH][mM][oO][dD]/"
-  </delete>
-</augment>
-
-<augment 1504-6>
-  active F
-  comment "MISC AFS access"
-  comment "informational only, not exploit worthy"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/misc.rules
-</augment>
-
-<augment 896-11>
-  active T
-  comment "WEB-CGI way-board access"
-  dst-ip == local_nets
-  requires-reverse-signature ! http_error
-  http /.*[\/\\]way-board\?db\=.{2,}\x00/
-  <delete>
-  	http /.*[\/\\]way-board/
-  </delete>
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1855-7>
-  active T
-  comment "DDOS Stacheldraht agent->handler skillz"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/ddos.rules
-</augment>
-
-<augment 256-5>
-  active T
-  comment "DNS named authors attempt"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/dns.rules
-</augment>
-
-<augment 989-8>
-  active T
-  comment "WEB-IIS Unicode2.pl script File permission canonicalization"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 1352-5>
-  active T
-  comment "WEB-ATTACKS tclsh execution attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-attacks.rules
-</augment>
-
-<augment 1209-5>
-  active T
-  comment "WEB-MISC .nsconfig access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1900-10>
-  active T
-  comment "ATTACK-RESPONSES successful kadmind buffer overflow attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/attack-responses.rules
-</augment>
-
-<augment 366-7>
-  active F
-  comment "ICMP PING *NIX"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 1361-5>
-  active T
-  comment "WEB-ATTACKS nmap command attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-attacks.rules
-</augment>
-
-<augment 872-9>
-  active T
-  comment "WEB-CGI tcsh access"
-  requires-reverse-signature ! http_error
-  requires-signature ! http_shell_check
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1274-17>
-  active T
-  comment "RPC portmap ttdbserv request TCP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 1817-4>
-  active T
-  comment "WEB-IIS MS Site Server default login attempt"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 1079-11>
-  active T
-  comment "WEB-MISC WebDAV propfind access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 2309-6>
-  active T
-  comment "NETBIOS SMB DCERPC Workstation Service bind attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 1657-6>
-  active T
-  comment "WEB-CGI pagelog.cgi directory traversal attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 982-9>
-  active T
-  comment "WEB-IIS unicode directory traversal attempt"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 845-7>
-  active T
-  comment "WEB-CGI AT-admin.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 849-8>
-  active F
-  comment "WEB-CGI view-source access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules2.2/web-cgi.rules
-</augment>
-
-<augment 655-8>
-  active T
-  comment "SMTP sendmail 8.6.9 exploit"
-  requires-reverse-signature ! smtp_server_fail
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/smtp.rules
-</augment>
-
-<augment 2278-6>
-  active T
-  comment "WEB-MISC negative Content-Length attempt"
-  comment pcre: /^Content-Length\x3a\s+-\d+/+/smi
-  http /((^)|(\n+))[cC][oO][nN][tT][eE][nN][tT]-[lL][eE][nN][gG][tT][hH]\x3a[\x20\x09\x0b]+-[0-9]+\/+/
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-  <delete>
-    payload /.*[cC][oO][nN][tT][eE][nN][tT]-[lL][eE][nN][gG][tT][hH]\x3A/
-  </delete>
-</augment>
-
-<augment 2265-4>
-  active T
-  comment SMTP SOML FROM sendmail prescan too many addresses overflow
-  comment "pcre: /^SOML FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^"
-  payload "/((^)|(\n+))[sS][oO][mM][lL] [fF][rR][oO][mM]\x3a[\x20\x09\x0b]*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</"
-  requires-reverse-signature ! smtp_server_fail
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/smtp.rules
-  <delete>
-    payload /.*[sS][oO][mM][lL] [fF][rR][oO][mM]\x3A/
-  </delete>
-</augment>
-
-<augment 240-2>
-  active T
-  comment "DDOS shaft agent to handler"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/ddos.rules
-</augment>
-
-<augment 398-6>
-  active F
-  comment "ICMP Destination Unreachable Host Unreachable for Type of Service"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 888-5>
-  active T
-  comment "WEB-CGI wwwadmin.pl access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 493-5>
-  active F
-  comment "INFO psyBNC access"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/info.rules
-</augment>
-
-<augment 948-6>
-  active T
-  comment "WEB-FRONTPAGE form_results access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-frontpage.rules
-</augment>
-
-<augment 1489-5>
-  active T
-  comment "WEB-MISC /~nobody access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1713-4>
-  active F
-  comment "WEB-CGI cgforum.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1153-5>
-  active T
-  comment "WEB-MISC Domino log.nsf access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1654-4>
-  active T
-  comment "WEB-CGI cart32.exe access"
-  dst-ip == local_nets
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 2083-8>
-  active T
-  comment "RPC rpc.xfsmd xfs_export attempt UDP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-
-<augment 960-6>
-  active T
-  comment "WEB-FRONTPAGE service.stp access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-frontpage.rules
-</augment>
-
-<augment 1018-9>
-  active T
-  comment "WEB-IIS iisadmpwd attempt"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 1257-8>
-  active T
-  comment "DOS Winnuke attack"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/dos.rules
-</augment>
-
-<augment 2442-6>
-  active T
-  comment WEB-MISC Quicktime User-Agent buffer overflow attempt
-  comment pcre: /^User-Agent\x3a[^\n]{244,255}/smi
-  http /((^)|(\n+))[uU][sS][eE][rR]-[aA][gG][eE][nN][tT]\x3a[^\n]{244,255}/
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-  <delete>
-    payload /.*[uU][sS][eE][rR]-[aA][gG][eE][nN][tT]\x3A/
-  </delete>
-</augment>
-
-<augment 484-4>
-  active T
-  comment "ICMP PING Sniffer Pro/NetXRay network scan"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp.rules
-</augment>
-
-<augment 1565-8>
-  active T
-  comment "WEB-CGI eshop.pl arbitrary commane execution attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1016-10>
-  active T
-  comment "WEB-IIS global.asa access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 1607-5>
-  active F
-  comment "WEB-CGI HyperSeek hsx.cgi access"
-  comment "informational only"
-  comment "old signature based on NT 4.0 and Linux 2.3x kernel"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 721-7>
-  active F
-  comment "VIRUS OUTBOUND bad file attachment"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/virus.rules
-</augment>
-
-<augment 467-3>
-  active T
-  comment "ICMP Nemesis v1.1 Echo"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/icmp.rules
-</augment>
-
-<augment 987-12>
-  active T
-  comment "WEB-IIS .htr access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 2338-5>
-  active T
-  comment FTP LIST buffer overflow attempt
-  comment "pcre: /^LIST\s[^\n]{100,}/smi"
-  ftp "/((^)|(\n+))[lL][iI][sS][tT][\x20\x09\x0b][^\n]{100,}/"
-  requires-reverse-signature ! ftp_server_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/ftp.rules
-  <delete>
-    payload "/.*[lL][iI][sS][tT]/"
-  </delete>
-</augment>
-
-<augment 1040-6>
-  active T
-  comment "WEB-IIS srchadm access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 2463-6>
-  active T
-  comment "EXPLOIT IGMP IGAP message overflow attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/exploit.rules
-</augment>
-
-<augment 1192-6>
-  active T
-  comment "WEB-MISC Trend Micro OfficeScan access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1603-5>
-  active T
-  comment "WEB-MISC DELETE attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-  <delete>
-	payload /[dD][eE][lL][eE][tT][eE] /
-  </delete>
-  http /.{0,7}[dD][eE][lL][eE][tT][eE] /
-</augment>
-
-<augment 363-7>
-  active F
-  comment "ICMP IRDP router advertisement"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 1584-4>
-  active T
-  comment "WEB-MISC Domino bookmark.nsf access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1830-5>
-  active T
-  comment "WEB-MISC Tomcat SnoopServlet servlet access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1976-6>
-  active T
-  comment FTP RMD overflow attempt
-  comment "pcre: /^RMD\s[^\n]{100}/smi"
-  eval dataSizeG100
-  ftp "/((^)|(\n+))[rR][mM][dD][\x20\x09\x0b][^\n]{100}/"
-  requires-reverse-signature ! ftp_server_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/ftp.rules
-  <delete>
-    payload "/.*[rR][mM][dD]/"
-  </delete>
-</augment>
-
-<augment 476-4>
-  active T
-  comment "ICMP webtrends scanner"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/icmp.rules
-</augment>
-
-<augment 602-5>
-  active T
-  comment "RSERVICES rlogin bin"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/rservices.rules
-</augment>
-
-<augment 1897-8>
-  active T
-  comment "EXPLOIT kadmind buffer overflow attempt"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/exploit.rules
-</augment>
-
-<augment 336-10>
-  active T
-  comment FTP CWD ~root attempt
-  comment "pcre: /^CWD\s+~root/smi"
-  payload "/((^)|(\n+))[cC][wW][dD][\x20\x09\x0b]+~[rR][oO][oO][tT]/"
-  requires-reverse-signature ! ftp_server_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/ftp.rules
-  <delete>
-    payload "/.*[cC][wW][dD].{1}.*~[rR][oO][oO][tT]/"
-  </delete>
-</augment>
-
-<augment 2039-4>
-  active T
-  comment "MISC bootp hostname format string attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/misc.rules
-</augment>
-
-<augment 2194-6>
-  active T
-  comment "WEB-CGI CSMailto.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1564-6>
-  active F
-  comment "WEB-MISC login.htm access"
-  comment "this is removed since *any* login.htm will match "
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1341-5>
-  active T
-  comment "WEB-ATTACKS /usr/bin/gcc command attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-attacks.rules
-</augment>
-
-<augment 2295-4>
-  active T
-  comment "WEB-PHP Advanced Poll admin_settings.php access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 2345-4>
-  active T
-  comment "WEB-PHP PhpGedView search.php access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 2509-7>
-  active F
-  comment "NETBIOS SMB DCERPC LSASS unicode bind attempt"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 1471-5>
-  active T
-  comment "WEB-CGI mailnews.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 2036-6>
-  active T
-  comment "RPC portmap network-status-monitor request TCP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 257-8>
-  active T
-  comment "DNS named version attempt"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/dns.rules
-</augment>
-
-<augment 958-6>
-  active T
-  comment "WEB-FRONTPAGE service.cnf access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-frontpage.rules
-</augment>
-
-<augment 2289-4>
-  active T
-  comment "WEB-PHP Advanced Poll admin_embed.php access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 1249-10>
-  active T
-  comment "WEB-FRONTPAGE frontpage rad fp4areg.dll access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-frontpage.rules
-</augment>
-
-<augment 1583-4>
-  active T
-  comment "WEB-MISC Domino mailw46.nsf access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1775-2>
-  active T
-  comment "MYSQL root login attempt"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/mysql.rules
-</augment>
-
-<augment 1808-6>
-  active T
-  comment "WEB-MISC apache chunked encoding memory corruption exploit attempt"
-  requires-signature ! http_msie_client
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1528-8>
-  active T
-  comment "WEB-MISC BBoard access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 2270-4>
-  active T
-  comment SMTP RCPT TO sendmail prescan too long addresses overflow
-  comment "pcre: /^RCPT TO\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi"
-  payload "/((^)|(\n+))[rR][cC][pP][tT] [tT][oO]\x3a[\x20\x09\x0b]+[a-zA-Z0-9\x5f\x20\x09\x0b\x40\.]{0,200}\x3b[a-zA-Z0-9\x5f\x20\x09\x0b=x40\.]{200,}\x3b[a-zA-Z0-9\x5f\x20\x09\x0b\x40\.]{0,200}/"
-  sigaction SIG_LOG
-  requires-reverse-signature ! smtp_server_fail
-  snort-rule-file snort_rules/rules2.2/smtp.rules
-  <delete>
-    payload /.*[rR][cC][pP][tT] [tT][oO]\x3A/
-  </delete>
-</augment>
-
-<augment 2128-5>
-  active T
-  comment "WEB-CGI swsrv.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1416-9>
-  active T
-  comment "SNMP broadcast trap"
-  requires-reverse-signature snmp_userver_ok_return
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/snmp.rules
-</augment>
-
-<augment 2387-4>
-  active T
-  comment "WEB-CGI view_broadcast.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 273-7>
-  active T
-  comment "DOS IGMP dos attack"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/dos.rules
-</augment>
-
-<augment 2232-5>
-  active T
-  comment "WEB-MISC ContentFilter.dll access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1102-7>
-  active T
-  comment "WEB-MISC Nessus 404 probe"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 456-5>
-  active F
-  comment "ICMP Traceroute"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/icmp-info.rules
-</augment>
-
-<augment 1285-6>
-  active T
-  comment "WEB-IIS msdac access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 1548-9>
-  active T
-  comment "WEB-CGI csSearch.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-  eval isApacheLt1325
-</augment>
-
-<augment 1765-6>
-  active T
-  comment "WEB-CGI Nortel Contivity cgiproc access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 712-8>
-  active T
-  comment "TELNET ld_library_path"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/telnet.rules
-</augment>
-
-<augment 1027-8>
-  active T
-  comment "WEB-IIS perl-browse space attempt"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 1420-11>
-  active T
-  comment "SNMP trap tcp"
-  requires-reverse-signature snmp_tserver_ok_return
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/snmp.rules
-</augment>
-
-<augment 282-7>
-  active T
-  comment "DOS arkiea backup"
-  sigaction SIG_QUIET
-  snort-rule-file snort_rules/rules2.2/dos.rules
-</augment>
-
-<augment 360-7>
-  active T
-  comment "FTP serv-u directory transversal"
-  requires-reverse-signature ! ftp_server_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/ftp.rules
-</augment>
-
-<augment 1705-7>
-  active T
-  comment "WEB-CGI echo.bat arbitrary command execution attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1821-7>
-  active T
-  comment "EXPLOIT LPD dvips remote command execution attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/exploit.rules
-</augment>
-
-<augment 2452-4>
-  active F
-  comment "CHAT Yahoo IM ping"
-  comment "informational only"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/chat.rules
-</augment>
-
-<augment 504-6>
-  active T
-  comment "MISC source port 53 to <1024"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/misc.rules
-</augment>
-
-<augment 267-5>
-  active T
-  comment "DNS EXPLOIT sparc overflow attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/dns.rules
-</augment>
-
-<augment 1001-7>
-  active T
-  comment "WEB-MISC carbo.dll access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1931-3>
-  active T
-  comment "WEB-CGI rpc-nlog.pl access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1116-6>
-  active T
-  comment "WEB-MISC Lotus DelDoc attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 288-6>
-  active T
-  comment "POP3 EXPLOIT x86 Linux overflow"
-  requires-reverse-signature ! pop_return_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/pop3.rules
-</augment>
-
-<augment 1281-7>
-  active T
-  comment "RPC portmap listing UDP 32771"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 1655-4>
-  active T
-  comment "WEB-CGI pfdispaly.cgi arbitrary command execution attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1262-9>
-  active F
-  comment "RPC portmap admind request TCP"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/rpc.rules
-</augment>
-
-<augment 118-5>
-  active T
-  comment "BACKDOOR SatansBackdoor.2.0.Beta"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/backdoor.rules
-</augment>
-
-<augment 1646-5>
-  active T
-  comment "WEB-CGI test.cgi access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 289-6>
-  active T
-  comment "POP3 EXPLOIT x86 SCO overflow"
-  requires-reverse-signature ! pop_return_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/pop3.rules
-</augment>
-
-<augment 2371-2>
-  active T
-  comment "WEB-MISC Sample_showcode.html access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1377-14>
-  active F
-  comment "FTP wu-ftp bad file completion attempt ["
-  requires-reverse-signature ! ftp_server_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/ftp.rules
-</augment>
-
-<augment 1112-6>
-  active F
-  comment "WEB-MISC http directory traversal"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1820-7>
-  active T
-  comment "WEB-MISC IBM Net.Commerce orderdspc.d2w access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1364-5>
-  active T
-  comment "WEB-ATTACKS lsof command attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-attacks.rules
-</augment>
-
-<augment 1026-9>
-  active T
-  comment "WEB-IIS perl-browse newline attempt"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 1387-7>
-  active T
-  comment "MS-SQL raiserror possible buffer overflow"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/sql.rules
-</augment>
-
-<augment 2090-8>
-  active T
-  comment "WEB-IIS WEBDAV exploit attempt"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 1703-7>
-  active T
-  comment "WEB-CGI auktion.cgi directory traversal attempt"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 2381-5>
-  active T
-  comment WEB-MISC schema overflow attempt
-  comment pcre: /^[^\/]{14,}?\x3a\/\//U
-  http /^[^\/]{14,}?\x3a\/\//
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-  <delete>
-    http /.*\x3A[\/\\][\/\\]/
-  </delete>
-</augment>
-
-<augment 1139-7>
-  active T
-  comment "WEB-MISC whisker HEAD/./"
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1432-6>
-  active F
-  comment "P2P GNUTella client request"
-  comment "informational only"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/p2p.rules
-</augment>
-
-<augment 2328-3>
-  active T
-  comment "WEB-PHP authentication_index.php access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 631-6>
-  active T
-  comment "SMTP ehlo cybercop attempt"
-  requires-reverse-signature ! smtp_server_fail
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/smtp.rules
-</augment>
-
-<augment 621-6>
-  active F
-  comment "SCAN FIN"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/scan.rules
-</augment>
-
-<augment 2257-5>
-  active T
-  comment "NETBIOS DCERPC Messenger Service buffer overflow attempt"
-  sigaction SIG_FILE
-  # sigaction SIG_SUMMARY
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 1632-6>
-  active F
-  comment "CHAT AIM send message"
-  comment "informational only"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/chat.rules
-</augment>
-
-<augment 1295-9>
-  active T
-  comment "NETBIOS nimda RICHED20.DLL"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/netbios.rules
-</augment>
-
-<augment 2527-3>
-  active F
-  comment "SMTP STARTTLS attempt"
-  requires-reverse-signature ! smtp_server_fail
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/smtp.rules
-</augment>
-
-<augment 195-5>
-  active T
-  comment "BACKDOOR DeepThroat 3.1 Server Response"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/backdoor.rules
-</augment>
-
-<augment 2117-5>
-  active T
-  comment "WEB-IIS Battleaxe Forum login.asp access"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 1252-13>
-  active T
-  comment "TELNET bsd telnet exploit response"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/telnet.rules
-</augment>
-
-<augment 1007-6>
-  active T
-  comment "WEB-IIS cross-site scripting attempt"
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 1761-3>
-  active T
-  comment "OTHER-IDS ISS RealSecure 6 daemon connection attempt"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/other-ids.rules
-</augment>
-
-<augment 1942-4>
-  active T
-  comment FTP RMDIR overflow attempt
-  comment "pcre: /^RMDIR\s[^\n]{100}/smi"
-  eval dataSizeG100
-  ftp "/((^)|(\n+))[rR][mM][dD][iI][rR][\x20\x09\x0b][^\n]{100}/"
-  requires-reverse-signature ! ftp_server_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/ftp.rules
-  <delete>
-    payload "/.*[rR][mM][dD][iI][rR]/"
-  </delete>
-</augment>
-
-<augment 1466-8>
-  active T
-  comment "WEB-CGI cgiforum.pl access"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1481-4>
-  active T
-  comment WEB-CGI upload.cgi access
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 517-1>
-  active T
-  comment MISC xdmcp query
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/misc.rules
-</augment>
-
-<augment 634-2>
-  active T
-  comment SCAN Amanda client version request
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/scan.rules
-</augment>
-
-<augment 2067-2>
-  active F
-  comment WEB-MISC Lotus Notes .exe script source download attempt
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 2154-1>
-  active T
-  comment WEB-PHP autohtml.php access
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 2144-1>
-  active T
-  comment WEB-PHP b2 cafelog gm-2-b2.php access
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 211-3>
-  active T
-  comment BACKDOOR MISC r00t attempt
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/backdoor.rules
-</augment>
-
-<augment 2406-1>
-  active T
-  comment TELNET APC SmartSlot default admin account attempt
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/telnet.rules
-</augment>
-
-<augment 2314-1>
-  active T
-  comment SHELLCODE x86 0x90 NOOP unicode
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/shellcode.rules
-</augment>
-
-<augment 218-4>
-  active F
-  comment BACKDOOR MISC Solaris 2.5 attempt
-  comment "too general"
-  comment "too many false positives"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/backdoor.rules
-</augment>
-
-<augment 285-6>
-  active T
-  comment POP2 x86 Linux overflow
-  requires-reverse-signature ! pop_return_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/pop2.rules
-</augment>
-
-<augment 234-2>
-  active T
-  comment DDOS Trin00 Attacker to Master default password
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/ddos.rules
-</augment>
-
-<augment 1667-5>
-  active T
-  comment WEB-MISC cross site scripting HTML Image tag set to javascript attempt
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 2134-2>
-  active T
-  comment WEB-IIS register.asp access
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 2359-2>
-  active T
-  comment WEB-PHP Invision Board ipchat.php file include
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 2434-1>
-  active T
-  comment WEB-CGI MDaemon form2raw.cgi access
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1061-6>
-  active T
-  comment WEB-MISC xp_cmdshell attempt
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1653-4>
-  active F
-  comment WEB-CGI campus access
-  comment NCSA web server only, depricate sig
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-cgi.rules
-</augment>
-
-<augment 1676-3>
-  active T
-  comment "ORACLE select union attempt"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules2.2/oracle.rules
-</augment>
-
-<augment 1681-3>
-  active T
-  comment "ORACLE all_views access"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules2.2/oracle.rules
-</augment>
-
-<augment 1688-3>
-  active T
-  comment ORACLE user_tablespace access
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/oracle.rules
-</augment>
-
-<augment 2394-1>
-  active F
-  comment WEB-MISC Compaq web-based management agent denial of service attempt
-  comment "too general"
-  comment "too many false positives"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 2330-1>
-  active T
-  comment IMAP auth overflow attempt
-  comment "pcre: /AUTH\s[^\n]{100}/smi"
-  payload "/((^)|(\n+))[aA][uU][tT][hH][\x20\x09\x0b][^\n]{100}/"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/imap.rules
-  <delete>
-    payload "/.*[aA][uU][tT][hH]/"
-  </delete>
-</augment>
-
-<augment 107-6>
-  active T
-  comment BACKDOOR subseven DEFCON8 2.1 access
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/backdoor.rules
-</augment>
-
-<augment 1424-6>
-  active T
-  comment SHELLCODE x86 0xEB0C NOOP
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/shellcode.rules
-</augment>
-
-<augment 1530-6>
-  active T
-  comment FTP format string attempt
-  requires-reverse-signature ! ftp_server_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/ftp.rules
-</augment>
-
-<augment 1144-5>
-  active T
-  comment WEB-MISC /cgi-bin/// access
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1935-4>
-  active T
-  comment POP2 FOLD arbitrary file attempt
-  comment "pcre: /^FOLD\s+\//smi"
-  payload "/((^)|(\n+))[fF][oO][lL][dD][\x20\x09\x0b]+\//"
-  requires-reverse-signature ! pop_return_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/pop2.rules
-  <delete>
-    payload /.*FOLD/
-  </delete>
-</augment>
-
-<augment 2078-2>
-  active T
-  dst-ip == local_nets
-  comment WEB-PHP phpBB privmsg.php access
-  requires-reverse-signature ! http_error
-  http /.*[\/\\]privmsg\.php.{1,}?[Ff][Oo][Ll][Dd][Ee][Rr]=.{1,}[Mm][Oo][Dd][Ee]=.{1,}[Cc][Oo][Nn][Ff][Ii][Rr][Mm]=[Yy][Ee][Ss]/
-  <delete>
-  	http /.*[\/\\]privmsg\.php/
-  </delete>
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 1991-1>
-  active F
-  comment CHAT MSN login attempt
-  comment "informational only"
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/chat.rules
-</augment>
-
-<augment 1622-5>
-  active F
-  comment FTP RNFR ././ attempt
-  requires-reverse-signature ! ftp_server_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/ftp.rules
-</augment>
-
-<augment 1677-3>
-  active T
-  comment ORACLE select like '%' attempt
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/oracle.rules
-</augment>
-
-<augment 2400-1>
-  active T
-  comment WEB-MISC edittag.pl access
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1541-4>
-  active T
-  comment FINGER version query
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/finger.rules
-</augment>
-
-<augment 1993-4>
-  active T
-  comment IMAP login literal buffer overflow attempt
-  comment "pcre: /\sLOGIN\s[^\n]*?\s\{/smi"
-  payload "/((^)|(\n+))[lL][oO][gG][iI][nN][\x20\x09\x0b][^\n]*?[\x20\x09\x0b]\{/"
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/imap.rules
-  <delete>
-    payload "/.*[lL][oO][gG][iI][nN]/"
-  </delete>
-</augment>
-
-<augment 2343-1>
-  active T
-  comment FTP STOR overflow attempt
-  comment "pcre: /^STOR\s[^\n]{100}/smi"
-  eval dataSizeG100
-  ftp "/((^)|(\n+))[sS][tT][oO][rR][\x20\x09\x0b][^\n]{100}/"
-  requires-reverse-signature ! ftp_server_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/ftp.rules
-  <delete>
-    payload "/.*[sS][tT][oO][rR]/"
-  </delete>
-</augment>
-
-<augment 1499-5>
-  active T
-  comment WEB-MISC SiteScope Service access
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 2108-3>
-  active T
-  comment POP3 CAPA overflow attempt
-  comment "pcre: /^CAPA\s[^\n]{10}/smi"
-  payload "/((^)|(\n+))[cC][aA][pP][aA][\x20\x09\x0b][^\n]{10}/"
-  requires-reverse-signature ! pop_return_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/pop3.rules
-  <delete>
-    payload "/.*[cC][aA][pP][aA]/"
-  </delete>
-</augment>
-
-<augment 1983-1>
-  active T
-  comment BACKDOOR DeepThroat 3.1 Connection attempt [4120]
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/backdoor.rules
-</augment>
-
-<augment 1977-1>
-  active T
-  comment WEB-MISC xp_regwrite attempt
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1754-2>
-  active T
-  comment WEB-IIS as_web4.exe access
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 1927-2>
-  active T
-  comment FTP authorized_keys
-  requires-reverse-signature ! ftp_server_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/ftp.rules
-</augment>
-
-<augment 2075-2>
-  active T
-  comment WEB-PHP Mambo upload.php upload php file attempt
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 1981-1>
-  active T
-  comment BACKDOOR DeepThroat 3.1 Connection attempt [3150]
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/backdoor.rules
-</augment>
-
-<augment 1874-1>
-  active T
-  comment WEB-MISC Oracle Java Process Manager access
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 1201-7>
-  active F
-  comment ATTACK-RESPONSES 403 Forbidden
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/attack-responses.rules
-</augment>
-
-<augment 1567-5>
-  active T
-  comment WEB-IIS /exchange/root.asp attempt
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-iis.rules
-</augment>
-
-<augment 2362-2>
-  active T
-  comment WEB-PHP YaBB SE packages.php file include
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 2356-2>
-  active T
-  comment WEB-PHP WebChat db_mysql.php file include
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-</augment>
-
-<augment 2142-1>
-  active F
-  comment WEB-PHP shoutbox.php access
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-php.rules
-  comment "Informational only"
-</augment>
-
-<augment 1684-3>
-  active T
-  comment ORACLE all_tab_columns access
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/oracle.rules
-</augment>
-
-<augment 1944-1>
-  active T
-  comment WEB-MISC /ecscripts/ecware.exe access
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 212-3>
-  active T
-  comment BACKDOOR MISC rewt attempt
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/backdoor.rules
-</augment>
-
-<augment 2407-1>
-  active F
-  comment WEB-MISC util.pl access
-  comment "too general"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-</augment>
-
-<augment 660-7>
-  active T
-  comment SMTP expn root
-  comment "pcre: /^expn\s+root/smi"
-  payload "/((^)|(\n+))[eE][xX][pP][nN][\x20\x09\x0b][rR][oO][oO][tT]/"
-  sigaction SIG_FILE
-  requires-reverse-signature ! smtp_server_fail
-  snort-rule-file snort_rules/rules2.2/smtp.rules
-  <delete>
-    payload "/.*[eE][xX][pP][nN]/"
-    payload "/.*[rR][oO][oO][tT]/"
-  </delete>
-</augment>
-
-<augment 1559-5>
-  active F
-  comment WEB-MISC /doc/packages access
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/web-misc.rules
-  comment "too many false positives"
-</augment>
-
-<augment 2250-1>
-  active T
-  comment POP3 USER format string attempt
-  requires-reverse-signature ! pop_return_error
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/pop3.rules
-</augment>
-
-<augment 1229-7>
-  active T
-  comment FTP CWD ...
-  comment "pcre: /^CWD\s[^\n]*?\.\.\./smi"
-  payload "/((^)|(\n+))[cC][wW][dD][\x20\x09\x0b][^\n]*?\.\.\./"
-  requires-reverse-signature ! ftp_server_error
-  sigaction SIG_FILE
-  snort-rule-file snort_rules/rules2.2/ftp.rules
-  <delete>
-    payload "/.*[cC][wW][dD].*.*\.\.\./"
-  </delete>
-</augment>
-
-<augment 604-5>
-  active T
-  comment RSERVICES rsh froot
-  sigaction SIG_LOG
-  snort-rule-file snort_rules/rules2.2/rservices.rules
-</augment>
-
-<augment 556-5>
-  active F
-  comment P2P Outbound GNUTella client request
-  comment "informational only"
-  sigaction SIG_FILE
-  snort-rule-file s2b_data_on_weed/rules2.1/p2p.rules
-</augment>
-
-<augment 717-6>
-  active T
-  comment TELNET not on console
-  sigaction SIG_FILE
-  snort-rule-file s2b_data_on_weed/rules2.1/telnet.rules
-</augment>
-
-<augment 1857-3>
-  active F
-  comment WEB-MISC robot.txt access
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
-</augment>
-
-<augment 2321-1>
-  active T
-  comment WEB-IIS foxweb.exe access
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-iis.rules
-</augment>
-
-<augment 1076-6>
-  active T
-  comment WEB-IIS repost.asp access
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-iis.rules
-</augment>
-
-<augment 1946-3>
-  active T
-  comment WEB-MISC answerbook2 admin attempt
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
-</augment>
-
-<augment 2276-1>
-  active T
-  comment WEB-MISC oracle portal demo access
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
-</augment>
-
-<augment 658-5>
-  active T
-  comment SMTP exchange mime DOS
-  sigaction SIG_FILE
-  snort-rule-file s2b_data_on_weed/rules2.1/smtp.rules
-</augment>
-
-<augment 659-6>
-  active T
-  comment SMTP expn decode
-  comment "pcre: /^expn\s+decode/smi?"
-  payload "/((^)|(\n+))[eE][xX][pP][nN][\x20\x09\x0b][dD][eE][cC][oO][dD][eE]/"
-  sigaction SIG_FILE
-  requires-reverse-signature ! smtp_server_fail
-  snort-rule-file s2b_data_on_weed/rules2.1/smtp.rules
-  <delete>
-    payload "/.*[eE][xX][pP][nN]/"
-    payload "/.*[dD][eE][cC][oO][dD][eE]/"
-  </delete>
-</augment>
-
-<augment 2409-1>
-  active T
-  comment POP3 APOP USER overflow attempt
-  comment "pcre: /^APOP\s+USER\s[^\n]{256}/smi"
-  payload "/((^)|(\n+))[aA][pP][oO][pP][\x20\x09\x0b]+[uU][sS][eE][rR][\x20\x09\x0b][^\n]{2,56}/"
-  requires-reverse-signature ! pop_return_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/pop3.rules
-  <delete>
-    payload "/.*[aA][pP][oO][pP]/"
-  </delete>
-</augment>
-
-<augment 1520-6>
-  active T
-  comment WEB-MISC server-info access
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
-</augment>
-
-<augment 1879-5>
-  active T
-  dst-ip == local_nets
-  http /.*[\/]book.cgi\?.{1,}\|.{2,}\|/
-  comment WEB-CGI book.cgi arbitrary command execution attempt
-  requires-reverse-signature ! http_error
-  <delete>
-  	http /.*[\/\\]book\.cgi/
-  	payload /.*[cC][uU][rR][rR][eE][nN][tT]=\x7C/
-  </delete>
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-cgi.rules
-</augment>
-
-<augment 2342-1>
-  active T
-  comment WEB-PHP DCP-Portal remote file include attempt
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
-</augment>
-
-<augment 2304-2>
-  active T
-  comment WEB-PHP files.inc.php access
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
-</augment>
-
-<augment 2135-1>
-  active T
-  comment WEB-MISC philboard.mdb access
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
-</augment>
-
-<augment 2341-1>
-  active T
-  comment WEB-PHP DCP-Portal remote file include attempt
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
-</augment>
-
-<augment 1831-3>
-  active T
-  comment WEB-MISC jigsaw dos attempt
-  comment "not iis or apache web server"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
-  eval isNotIIS
-  eval isNotApache
-</augment>
-
-<augment 2398-1>
-  active T
-  comment WEB-PHP WAnewsletter newsletter.php file include attempt
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
-</augment>
-
-<augment 2354-2>
-  active T
-  comment WEB-PHP IdeaBox notification.php file include
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
-</augment>
-
-<augment 930-5>
-  active T
-  comment WEB-COLDFUSION snippets attempt
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file s2b_data_on_weed/rules2.1/web-coldfusion.rules
-</augment>
-
-<augment 2156-1>
-  active T
-  comment WEB-MISC mod_gzip_status access
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
-</augment>
-
-<augment 1329-5>
-  active F
-  comment WEB-ATTACKS ps command attempt
-  comment this sig is *yoo* general to be useful
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-attacks.rules
-</augment>
-
-<augment 1059-6>
-  active T
-  comment WEB-MISC xp_filelist attempt
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
-</augment>
-
-<augment 913-5>
-  active T
-  comment WEB-COLDFUSION cfappman access
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file s2b_data_on_weed/rules2.1/web-coldfusion.rules
-</augment>
-
-<augment 1670-4>
-  active T
-  comment WEB-MISC /home/ftp access
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
-</augment>
-
-<augment 2127-1>
-  active T
-  comment WEB-CGI ikonboard.cgi access
-  dst-ip == local_nets
-  payload /Cookie: [^\=]{1,}\=\/[^\x0D\x0A]{2,}\x0D\x0A\x0D\x0A/
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-cgi.rules
-</augment>
-
-<augment 1984-1>
-  active T
-  comment BACKDOOR DeepThroat 3.1 Server Response [4120]
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/backdoor.rules
-</augment>
-
-<augment 1671-4>
-  active F
-  comment WEB-MISC /home/www access
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
-  comment "Informational only"
-</augment>
-
-<augment 1463-6>
-  active T
-  comment CHAT IRC message
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/chat.rules
-</augment>
-
-<augment 2062-1>
-  active T
-  comment WEB-MISC iPlanet .perf access
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
-</augment>
-
-<augment 1867-1>
-  active T
-  comment MISC xdmcp info query
-  sigaction SIG_FILE
-  snort-rule-file s2b_data_on_weed/rules2.1/misc.rules
-</augment>
-
-<augment 2322-1>
-  active T
-  comment WEB-IIS foxweb.dll access
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-iis.rules
-</augment>
-
-<augment 1623-6>
-  active T
-  comment FTP invalid MODE
-  comment "pcre: /^MODE\s+[^ABSC]{1}/msi"
-  ftp "/((^)|(\n+))[mM][oO][dD][eE][\x20\x09\x0b]+[^aAbBsScC]{1}/"
-  requires-reverse-signature ! ftp_server_error
-  sigaction SIG_FILE
-  snort-rule-file s2b_data_on_weed/rules2.1/ftp.rules
-  <delete>
-    payload "/.*[mM][oO][dD][eE]/"
-  </delete>
-</augment>
-
-<augment 1666-5>
-  active T
-  comment ATTACK-RESPONSES index of /cgi-bin/ response
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file s2b_data_on_weed/rules2.1/attack-responses.rules
-</augment>
-
-<augment 1694-3>
-  active T
-  comment ORACLE alter table attempt
-  sigaction SIG_FILE
-  snort-rule-file s2b_data_on_weed/rules2.1/oracle.rules
-</augment>
-
-<augment 2319-1>
-  active T
-  comment EXPLOIT ebola PASS overflow attempt
-  comment "pcre: /^USER\s[^\n]{49}/smi"
-  payload "/((^)|(\n+))[uU][sS][eE][rR][\x20\x09\x0b][^\n]{49}/"
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/exploit.rules
-  <delete>
-    payload "/.*[pP][aA][sS][sS]/"
-  </delete>
-</augment>
-
-<augment 1044-6>
-  active T
-  comment WEB-IIS webhits access
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-iis.rules
-</augment>
-
-<augment 214-4>
-  active T
-  comment BACKDOOR MISC Linux rootkit attempt lrkr0x
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/backdoor.rules
-</augment>
-
-<augment 563-6>
-  active F
-  comment P2P Napster Client Data
-  comment "informational only"
-  sigaction SIG_FILE
-  snort-rule-file s2b_data_on_weed/rules2.1/p2p.rules
-</augment>
-
-<augment 2074-2>
-  active T
-  comment WEB-PHP Mambo uploadimage.php upload php file attempt
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
-</augment>
-
-<augment 1967-1>
-  active T
-  comment WEB-PHP phpbb quick-reply.php arbitrary command attempt
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
-</augment>
-
-<augment 1928-3>
-  active T
-  comment FTP shadow retrieval attempt
-  requires-reverse-signature ! ftp_server_error
-  requires-signature got_ftp_root
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/ftp.rules
-</augment>
-
-<augment 1756-2>
-  active T
-  comment WEB-IIS NewsPro administration authentication attempt
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-iis.rules
-</augment>
-
-<augment 2059-1>
-  active F
-  dst-ip == local_nets
-  comment WEB-MISC MsmMask.exe access
-  comment "informational only"
-  comment "verify that the application is not vulnerable"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
-</augment>
-
-<augment 217-3>
-  active T
-  comment BACKDOOR MISC sm4ck attempt
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/backdoor.rules
-</augment>
-
-<augment 628-3>
-  active F
-  comment SCAN nmap TCP
-  sigaction SIG_FILE
-  snort-rule-file s2b_data_on_weed/rules2.1/scan.rules
-</augment>
-
-<augment 2353-2>
-  active T
-  comment WEB-PHP IdeaBox cord.php file include
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
-</augment>
-
-<augment 2373-1>
-  active T
-  comment FTP XMKD overflow attempt
-  comment "pcre: /^XMKD\s[^\n]{100}/smi"
-  eval dataSizeG100
-  payload "/((^)|(\n+))[xXmMkKdD][\x20\x09\x0b][^\n]{100}/"
-  requires-reverse-signature ! ftp_server_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/ftp.rules
-  <delete>
-    payload "/.*[xX][mM][kK][dD]/"
-  </delete>
-</augment>
-
-<augment 711-5>
-  active T
-  comment TELNET SGI telnetd format bug
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/telnet.rules
-</augment>
-
-<augment 1791-2>
-  active F
-  comment BACKDOOR fragroute trojan connection attempt
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/backdoor.rules
-</augment>
-
-<augment 2071-1>
-  active T
-  comment WEB-MISC post32.exe access
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
-</augment>
-
-<augment 2152-1>
-  active F
-  comment WEB-PHP test.php access
-  comment "informational only"
-  requires-reverse-signature ! http_error
-  http /.*[\/\\]test\.php(\?.{1,}|$)/
-  <delete>
-  	http /.*[\/\\]test\.php/
-  </delete>
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
-</augment>
-
-<augment 1687-3>
-  active T
-  comment ORACLE dba_tables access
-  sigaction SIG_FILE
-  snort-rule-file s2b_data_on_weed/rules2.1/oracle.rules
-</augment>
-
-<augment 714-4>
-  active T
-  comment TELNET resolv_host_conf
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/telnet.rules
-</augment>
-
-<augment 2076-2>
-  active T
-  comment WEB-PHP Mambo uploadimage.php access
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
-</augment>
-
-<augment 1058-6>
-  active T
-  comment WEB-MISC xp_enumdsn attempt
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
-</augment>
-
-<augment 1773-3>
-  active T
-  comment WEB-PHP php.exe access
-  requires-reverse-signature ! http_error
-  http /.*\/php\/php\.exe\?[cCdD]\:\//
-  <delete>
-  	http /.*[\/\\]php\.exe/
-  </delete>
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
-</augment>
-
-<augment 284-6>
-  active T
-  comment POP2 x86 Linux overflow
-  requires-reverse-signature ! pop_return_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/pop2.rules
-</augment>
-
-<augment 1753-2>
-  active T
-  comment WEB-IIS as_web.exe access
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-iis.rules
-</augment>
-
-<augment 1938-4>
-  active T
-  comment POP3 XTND overflow attempt
-  comment pcre: /^XTND\s[^\n]{50}/smi
-  payload /((^)|(\n+))[xX][tT][nN][dD][\x20\x09\x0b][^\n]{50}/
-  requires-reverse-signature ! pop_return_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/pop3.rules
-</augment>
-
-<augment 1142-5>
-  active T
-  comment WEB-MISC /.... access
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
-</augment>
-
-<augment 2397-2>
-  active T
-  comment WEB-CGI CCBill whereami.cgi access
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-cgi.rules
-</augment>
-
-<augment 2060-1>
-  active T
-  comment WEB-MISC DB4Web access
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
-</augment>
-
-<augment 1551-3>
-  active F
-  comment WEB-MISC /CVS/Entries access
-  comment "informational only"
-  comment "not exploit worthy"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
-</augment>
-
-<augment 636-1>
-  active T
-  comment SCAN cybercop udp bomb
-  sigaction SIG_FILE
-  snort-rule-file s2b_data_on_weed/rules2.1/scan.rules
-</augment>
-
-<augment 2346-2>
-  active T
-  comment WEB-PHP myPHPNuke chatheader.php access
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
-</augment>
-
-<augment 561-6>
-  active F
-  comment P2P Napster Client Data
-  comment "informational only"
-  sigaction SIG_FILE
-  snort-rule-file s2b_data_on_weed/rules2.1/p2p.rules
-</augment>
-
-<augment 2224-1>
-  active T
-  comment WEB-CGI psunami.cgi access
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-cgi.rules
-</augment>
-
-<augment 2112-3>
-  active T
-  comment POP3 RSET overflow attempt
-  comment "pcre: /^RSET\s[^\n]{10}/smi"
-  payload "/((^)|(\n+))[rR][sS][eE][tT][\x20\x09\x0b][^\n]{10}/"
-  requires-reverse-signature ! pop_return_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/pop3.rules
-  <delete>
-    payload "/.*[rR][sS][eE][tT]/"
-  </delete>
-</augment>
-
-<augment 209-4>
-  active T
-  comment BACKDOOR w00w00 attempt
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/backdoor.rules
-</augment>
-
-<augment 1673-3>
-  active T
-  comment ORACLE EXECUTE_SYSTEM attempt
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/oracle.rules
-</augment>
-
-<augment 2132-2>
-  active T
-  comment WEB-IIS Synchrologic Email Accelerator userid list access attempt
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-iis.rules
-</augment>
-
-<augment 2253-3>
-  active T
-  comment SMTP XEXCH50 overflow attempt
-  comment pcre: /^XEXCH50\s+-\d/smi
-  payload /((^)|(\n+))[xX][eE][xX][cC][hH]50[\x20\x09\x0b]+-[0-9]/
-  sigaction SIG_LOG
-  requires-reverse-signature ! smtp_server_fail
-  snort-rule-file s2b_data_on_weed/rules2.1/smtp.rules
-  <delete>
-    payload "/.*[xX][eE][xX][cC][hH]50/"
-  </delete>
-</augment>
-
-<augment 2433-1>
-  active T
-  comment WEB-CGI MDaemon form2raw.cgi overflow attempt
-  comment "pcre: /\Wfrom=[^\x3b&\n]{100}/si"
-  http "/[^a-zA-Z0-9_][fF][rR][oO][mM]=[^\x3b&\n]{100}/"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-cgi.rules
-  <delete>
-    http "/.*[\/\\]form2raw\.cgi/"
-  </delete>
-</augment>
-
-<augment 210-3>
-  active T
-  comment BACKDOOR attempt
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/backdoor.rules
-</augment>
-
-<augment 1978-1>
-  active T
-  comment WEB-MISC xp_regdeletekey attempt
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
-</augment>
-
-<augment 2364-2>
-  active T
-  comment WEB-PHP Cyboards options_form.php access
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
-</augment>
-
-<augment 2360-2>
-  active T
-  comment WEB-PHP myphpPagetool pt_config.inc file include
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
-</augment>
-
-<augment 1696-3>
-  active T
-  comment ORACLE create database attempt
-  sigaction SIG_FILE
-  snort-rule-file s2b_data_on_weed/rules2.1/oracle.rules
-</augment>
-
-<augment 2332-1>
-  active T
-  comment FTP MKDIR format string attempt
-  comment "pcre: /^MKDIR\s[^\n]*?%[^\n]*?%/smi"
-  ftp "/((^)|(\n+))[mM][kK][dD][iI][rR][\x20\x09\x0b][^\n]*?%[^\n]*?%/"
-  requires-reverse-signature ! ftp_server_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/ftp.rules
-  <delete>
-    payload "/.*[mM][kK][dD][iI][rR]/"
-  </delete>
-</augment>
-
-<augment 2358-2>
-  active T
-  comment WEB-PHP Typo3 translations.php file include
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
-</augment>
-
-<augment 1744-3>
-  active T
-  comment WEB-MISC SecureSite authentication bypass attempt
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
-</augment>
-
-<augment 1686-3>
-  active T
-  comment ORACLE dba_tablespace access
-  sigaction SIG_FILE
-  snort-rule-file s2b_data_on_weed/rules2.1/oracle.rules
-</augment>
-
-<augment 1659-3>
-  active T
-  comment WEB-COLDFUSION sendmail.cfm access
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file s2b_data_on_weed/rules2.1/web-coldfusion.rules
-</augment>
-
-<augment 2365-2>
-  active T
-  comment WEB-PHP newsPHP Language file include attempt
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
-</augment>
-
-<augment 1689-3>
-  active T
-  comment ORACLE sys.all_users access
-  sigaction SIG_FILE
-  snort-rule-file s2b_data_on_weed/rules2.1/oracle.rules
-</augment>
-
-<augment 1772-4>
-  active T
-  comment WEB-IIS pbserver access
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-iis.rules
-</augment>
-
-<augment 2333-1>
-  active T
-  comment FTP RENAME format string attempt
-  comment "pcre: /^RENAME\s[^\n]*?%[^\n]*?%/smi"
-  ftp "/((^)|(\n+))[rR][eE][nN][aA][mM][eE][\x20\x09\x0b][^\n]*?%[^\n]*?%/"
-  requires-reverse-signature ! ftp_server_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/ftp.rules
-  <delete>
-    payload "/.*[rR][eE][nN][aA][mM][eE]/"
-  </delete>
-</augment>
-
-<augment 1518-5>
-  active T
-  comment WEB-MISC nstelemetry.adp access
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
-</augment>
-
-<augment 715-6>
-  active T
-  comment TELNET Attempted SU from wrong group
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/telnet.rules
-</augment>
-
-<augment 1692-3>
-  active T
-  comment ORACLE drop table attempt
-  sigaction SIG_FILE
-  snort-rule-file s2b_data_on_weed/rules2.1/oracle.rules
-</augment>
-
-<augment 2449-1>
-  active T
-  comment FTP ALLO overflow attempt
-  comment "pcre: /^ALLO\s[^\n]{100}/smi"
-  payload "/((^)|(\n+))[aAlLlLoO][\x20\x09\x0b][^\n]{100}/"
-  requires-reverse-signature ! ftp_server_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/ftp.rules
-  <delete>
-    payload "/.*[aA][lL][lL][oO]/"
-  </delete>
-</augment>
-
-<augment 2066-2>
-  active T
-  comment WEB-MISC Lotus Notes .pl script source download attempt
-  comment "requires lotus notes web server"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
-  eval isNotApache
-  eval isNotIIS
-</augment>
-
-<augment 1498-4>
-  active T
-  comment WEB-MISC PIX firewall manager directory traversal attempt
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
-</augment>
-
-<augment 1056-6>
-  active F
-  comment WEB-MISC Tomcat view source attempt
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
-  comment "Informational only"
-  comment "Too general"
-</augment>
-
-<augment 2344-1>
-  active T
-  comment FTP XCWD overflow attempt
-  comment "pcre: /^XCWD\s[^\n]{100}/smi"
-  eval dataSizeG100
-  ftp "/((^)|(\n+))[xX][cC][wW][dD][\x20\x09\x0b][^\n]{100}/"
-  requires-reverse-signature ! ftp_server_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/ftp.rules
-  <delete>
-    payload "/.*[xX][cC][wW][dD]/"
-  </delete>
-</augment>
-
-<augment 237-2>
-  active T
-  comment DDOS Trin00 Master to Daemon default password attempt
-  sigaction SIG_FILE
-  snort-rule-file s2b_data_on_weed/rules2.1/ddos.rules
-</augment>
-
-<augment 2153-1>
-  active T
-  comment WEB-PHP autohtml.php directory traversal attempt
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
-</augment>
-
-<augment 2405-1>
-  active T
-  comment WEB-PHP phptest.php access
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
-</augment>
-
-<augment 1075-6>
-  active T
-  comment WEB-IIS postinfo.asp access
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-iis.rules
-</augment>
-
-<augment 1568-5>
-  active T
-  comment WEB-IIS /exchange/root.asp access
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-iis.rules
-</augment>
-
-<augment 235-2>
-  active T
-  comment DDOS Trin00 Attacker to Master default mdie password
-  sigaction SIG_FILE
-  snort-rule-file s2b_data_on_weed/rules2.1/ddos.rules
-</augment>
-
-<augment 2110-3>
-  active T
-  comment POP3 STAT overflow attempt
-  comment "pcre: /^STAT\s[^\n]{10}/smi"
-  payload "/((^)|(\n+))[sS][tT][aA][tT][\x20\x09\x0b][^\n]{10}/"
-  requires-reverse-signature ! pop_return_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/pop3.rules
-  <delete>
-    payload "/.*[sS][tT][aA][tT]/"
-  </delete>
-</augment>
-
-<augment 1968-1>
-  active T
-  comment WEB-PHP phpbb quick-reply.php access
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
-</augment>
-
-<augment 213-4>
-  active T
-  comment BACKDOOR MISC Linux rootkit attempt
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/backdoor.rules
-</augment>
-
-<augment 1143-5>
-  active T
-  comment WEB-MISC ///cgi-bin access
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
-</augment>
-
-<augment 2131-2>
-  active T
-  comment WEB-IIS IISProtect access
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-iis.rules
-</augment>
-
-<augment 1621-10>
-  active T
-  comment FTP CMD overflow attempt
-  comment "pcre: /^CMD\s[^\n]{100}/smi"
-  eval dataSizeG100
-  ftp "/((^)|(\n+))[cC][mM][dD][\x20\x09\x0b][^\n]{100}/"
-  requires-reverse-signature ! ftp_server_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/ftp.rules
-  <delete>
-    payload "/.*[cC][mM][dD]/"
-  </delete>
-</augment>
-
-<augment 2331-2>
-  active T
-  comment WEB-PHP MatrikzGB privilege escalation attempt
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
-</augment>
-
-<augment 2001-1>
-  active T
-  comment WEB-CGI smartsearch.cgi access
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-cgi.rules
-</augment>
-
-<augment 557-6>
-  active F
-  comment P2P GNUTella client request
-  comment "informational only"
-  sigaction SIG_FILE
-  snort-rule-file s2b_data_on_weed/rules2.1/p2p.rules
-</augment>
-
-<augment 1239-5>
-  active T
-  comment NETBIOS RFParalyze Attempt
-  sigaction SIG_FILE
-  snort-rule-file s2b_data_on_weed/rules2.1/netbios.rules
-</augment>
-
-<augment 1980-1>
-  active T
-  comment BACKDOOR DeepThroat 3.1 Connection attempt
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/backdoor.rules
-</augment>
-
-<augment 2275-2>
-  active T
-  comment SMTP AUTH LOGON brute force attempt
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/smtp.rules
-</augment>
-
-<augment 1111-5>
-  active T
-  comment WEB-MISC Tomcat server exploit access
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
-</augment>
-
-<augment 1690-3>
-  active T
-  comment ORACLE grant attempt
-  sigaction SIG_FILE
-  snort-rule-file s2b_data_on_weed/rules2.1/oracle.rules
-</augment>
-
-<augment 1982-1>
-  active T
-  comment BACKDOOR DeepThroat 3.1 Server Response [3150]
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/backdoor.rules
-</augment>
-
-<augment 2393-1>
-  active F
-  dst-ip ==local_nets
-  comment "WEB-PHP /_admin access"
-  comment "Lots of false positives are possible as this attack really requires multiple steps to be successful"
-  comment "Suggestion: analyze site and test for vulnerability, make any adjustments, and then disable this rule."
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
-</augment>
-
-<augment 2408-1>
-  active F
-  comment WEB-MISC Invision Power Board search.pl access
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
-  comment "Informational only"
-  comment "Too general"
-</augment>
-
-<augment 629-2>
-  active T
-  comment SCAN nmap fingerprint attempt
-  sigaction SIG_FILE
-  snort-rule-file s2b_data_on_weed/rules2.1/scan.rules
-</augment>
-
-<augment 1540-5>
-  active F
-  comment WEB-COLDFUSION ?Mode=debug attempt
-  comment "not exploit worthy"
-  comment "informational only"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-coldfusion.rules
-</augment>
-
-<augment 2305-2>
-  active T
-  comment WEB-PHP chatbox.php access
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
-</augment>
-
-<augment 2064-2>
-  active T
-  dst-ip == local_nets
-  comment WEB-MISC Lotus Notes .csp script source download attempt
-  comment "verify that the application is not vulnerable"
-  comment "informational only"
-  requires-reverse-signature ! http_error
-  <delete>
-  	payload /.*\.csp\./
-  </delete>
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
-</augment>
-
-<augment 1592-4>
-  active T
-  comment WEB-CGI /fcgi-bin/echo.exe access
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-cgi.rules
-</augment>
-
-<augment 1933-1>
-  active F
-  comment WEB-CGI cart.cgi access
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-cgi.rules
-  comment "Informational only"
-</augment>
-
-<augment 1682-3>
-  active T
-  comment ORACLE all_source access
-  sigaction SIG_FILE
-  snort-rule-file s2b_data_on_weed/rules2.1/oracle.rules
-</augment>
-
-<augment 2416-1>
-  active T
-  comment FTP invalid MDTM command attempt
-  comment "pcre: /^MDTM \d+[-+]\D/smi"
-  ftp "/((^)|(\n+))[mMdDtTmM][0-9]+[-+][^0-9]/"
-  requires-reverse-signature ! ftp_server_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/ftp.rules
-  <delete>
-    payload "/.*[mM][dD][tT][mM]/"
-  </delete>
-</augment>
-
-<augment 2107-3>
-  active T
-  comment IMAP create buffer overflow attempt
-  comment "pcre: /\sCREATE\s[^\n]{1024}/smi"
-  payload "/((^)|(\n+))[\x20\x09\x0b][cC][rR][eE][aA][tT][eE][\x20\x09\x0b][^\n]{1024}/"
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/imap.rules
-  <delete>
-    payload "/.*CREATE/"
-  </delete>
-</augment>
-
-<augment 1697-3>
-  active T
-  comment ORACLE alter database attempt
-  sigaction SIG_FILE
-  snort-rule-file s2b_data_on_weed/rules2.1/oracle.rules
-</augment>
-
-<augment 1491-6>
-  active T
-  comment WEB-PHP Phorum /support/common.php access
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
-</augment>
-
-<augment 632-5>
-  active T
-  comment SMTP expn cybercop attempt
-  sigaction SIG_FILE
-  snort-rule-file s2b_data_on_weed/rules2.1/smtp.rules
-</augment>
-
-<augment 2357-2>
-  active T
-  comment WEB-PHP WebChat english.php file include
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
-</augment>
-
-<augment 2484-1>
-  active T
-  comment WEB-MISC source.jsp access
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
-</augment>
-
-<augment 2114-3>
-  active T
-  comment "RSERVICES rexec password overflow attempt"
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/rservices.rules
-</augment>
-
-<augment 2113-3>
-  active T
-  dst-ip == local_nets
-  comment "RSERVICES rexec username overflow attempt"
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/rservices.rules
-</augment>
-
-<augment 2246-1>
-  active T
-  comment WEB-MISC webadmin.dll access
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
-</augment>
-
-<augment 1626-4>
-  active T
-  comment WEB-IIS /StoreCSVS/InstantOrder.asmx request
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-iis.rules
-</augment>
-
-<augment 2141-1>
-  active T
-  comment WEB-PHP shoutbox.php directory traversal attempt
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
-</augment>
-
-<augment 2157-2>
-  active T
-  comment WEB-IIS IISProtect globaladmin.asp access
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-iis.rules
-</augment>
-
-<augment 1683-3>
-  active T
-  comment ORACLE all_tables access
-  sigaction SIG_FILE
-  snort-rule-file s2b_data_on_weed/rules2.1/oracle.rules
-</augment>
-
-<augment 1382-9>
-  active T
-  comment EXPLOIT CHAT IRC Ettercap parse overflow attempt
-  comment "pcre: /^PRIVMSG\s+nickserv\s+IDENTIFY\s[^\n]{100}/smi"
-  payload "/((^)|(\n+))[pP][rR][iI][vV][mM][sS][gG][\x20\x09\x0b]+[nN][iI][cC][kK][sS][eE][rR][vV][\x20\x09\x0b]+[iI][dD][eE][nN][tT][iI][fF][yY][\x20\x09\x0b][^\n]{100}/"
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/exploit.rules
-  <delete>
-    payload "/.*[pP][rR][iI][vV][mM][sS][gG]/"
-    payload "/.*[nN][iI][cC][kK][sS][eE][rR][vV]/"
-    payload "/.*[iI][dD][eE][nN][tT][iI][fF][yY]/"
-  </delete>
-</augment>
-
-<augment 215-4>
-  active T
-  comment BACKDOOR MISC Linux rootkit attempt
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/backdoor.rules
-</augment>
-
-<augment 2363-2>
-  active T
-  comment WEB-PHP Cyboards default_header.php access
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
-</augment>
-
-<augment 1850-3>
-  active T
-  comment WEB-CGI way-board.cgi access
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-cgi.rules
-</augment>
-
-<augment 565-6>
-  active F
-  comment P2P Napster Server Login
-  comment "informational only"
-  sigaction SIG_FILE
-  snort-rule-file s2b_data_on_weed/rules2.1/p2p.rules
-</augment>
-
-<augment 1069-6>
-  active T
-  comment WEB-MISC xp_regread attempt
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
-</augment>
-
-<augment 233-3>
-  active T
-  comment DDOS Trin00 Attacker to Master default startup password
-  sigaction SIG_FILE
-  snort-rule-file s2b_data_on_weed/rules2.1/ddos.rules
-</augment>
-
-<augment 1490-6>
-  active T
-  comment WEB-PHP Phorum /support/common.php attempt
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
-</augment>
-
-<augment 1693-4>
-  active T
-  comment ORACLE create table attempt
-  sigaction SIG_FILE
-  snort-rule-file s2b_data_on_weed/rules2.1/oracle.rules
-</augment>
-
-<augment 2320-1>
-  active T
-  comment EXPLOIT ebola USER overflow attempt
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/exploit.rules
-  <delete>
-	payload /.*[uU][sS][eE][rR]/
-  </delete>
-  payload /((^)|(\n+))[uU][sS][eE][rR][^\x0a]{49}/
-</augment>
-
-<augment 2140-1>
-  active T
-  comment WEB-PHP p-news.php access
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
-</augment>
-
-<augment 2000-1>
-  active T
-  comment WEB-PHP readmsg.php access
-  comment "Possible many false positives"
-  commnet "If running this webmail server check version to make sure it's not vulnerable and then disable this signature or adjust the notice action."
-  dst-ip == local_nets
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
-</augment>
-
-<augment 489-7>
-  active T
-  comment INFO FTP no password
-  comment "pcre: /^PASS\s*\n/smi"
-  ftp "/((^)|(\n+))[\x20\x09\x0b][pP][aA][sS][sS][\x20\x09\x0b]*\n/"
-  sigaction SIG_FILE
-  snort-rule-file s2b_data_on_weed/rules2.1/info.rules
-  <delete>
-    payload "/.*[pP][aA][sS][sS]/"
-  </delete>
-</augment>
-
-<augment 1936-4>
-  active T
-  comment POP3 AUTH overflow attempt
-  comment "pcre: /^AUTH\s[^\n]{50}/smi"
-  payload "/((^)|(\n+))[aA][uU][tT][hH][\x20\x09\x0b][^\n]{50}/"
-  requires-reverse-signature ! pop_return_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/pop3.rules
-  <delete>
-    payload "/.*[aA][uU][tT][hH]/"
-  </delete>
-</augment>
-
-<augment 2361-2>
-  active F
-  comment WEB-PHP news.php file include
-  comment "Too general"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
-</augment>
-
-<augment 2058-1>
-  active T
-  comment WEB-MISC MsmMask.exe attempt
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
-</augment>
-
-<augment 2355-2>
-  active T
-  comment WEB-PHP Invision Board emailer.php file include
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
-</augment>
-
-<augment 1680-3>
-  active T
-  comment ORACLE all_constraints access
-  sigaction SIG_FILE
-  snort-rule-file s2b_data_on_weed/rules2.1/oracle.rules
-</augment>
-
-<augment 1826-4>
-  active T
-  comment WEB-MISC WEB-INF access
-  requires-reverse-signature ! http_error
-  http /.*[\/\\]WEB-INF \./.{1,}/
-  <delete>
-  	http /.*[\/\\]WEB-INF/
-  </delete>
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
-</augment>
-
-<augment 2077-2>
-  active T
-  comment WEB-PHP Mambo upload.php access
-  comment "very general"
-  comment "only matters if dest is local_nets and then may be too noisy"
-  dst-ip == local_nets
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
-</augment>
-
-<augment 1695-3>
-  active T
-  comment ORACLE truncate table attempt
-  sigaction SIG_FILE
-  snort-rule-file s2b_data_on_weed/rules2.1/oracle.rules
-</augment>
-
-<augment 1126-6>
-  active T
-  comment WEB-MISC AuthChangeUrl access
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
-</augment>
-
-<augment 1464-3>
-  active T
-  comment ATTACK-RESPONSES oracle one hour install
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file s2b_data_on_weed/rules2.1/attack-responses.rules
-</augment>
-
-<augment 1818-3>
-  active T
-  comment WEB-IIS MS Site Server admin attempt
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-iis.rules
-</augment>
-
-<augment 2347-2>
-  active T
-  comment WEB-PHP myPHPNuke partner.php access
-  comment "adjusted sig based on attack example - this may be too limiting"
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
-  http /.*\x3d.*\x3cscript\x3e.*document.cookie.*\x3c\x2fscript\x3e/
-</augment>
-
-<augment 1685-4>
-  active T
-  comment ORACLE all_tab_privs access
-  sigaction SIG_FILE
-  snort-rule-file s2b_data_on_weed/rules2.1/oracle.rules
-</augment>
-
-<augment 562-5>
-  active F
-  comment P2P Napster Client Data
-  comment "informational only"
-  sigaction SIG_FILE
-  snort-rule-file s2b_data_on_weed/rules2.1/p2p.rules
-</augment>
-
-<augment 1497-6>
-  active T
-  comment WEB-MISC cross site scripting attempt
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
-</augment>
-
-<augment 1478-3>
-  active T
-  comment WEB-CGI swc access
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file s2b_data_on_weed/rules2.1/web-cgi.rules
-</augment>
-
-<augment 1379-7>
-  active T
-  comment FTP STAT overflow attempt
-  comment "pcre: /^STAT\s[^\n]{100}/smi"
-  eval dataSizeG100
-  ftp "/((^)|(\n+))[sS][tT][aA][tT][\x20\x09\x0b][^\n]{100}/"
-  requires-reverse-signature ! ftp_server_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/ftp.rules
-  <delete>
-    payload "/.*[sS][tT][aA][tT]/"
-  </delete>
-</augment>
-
-<augment 2399-1>
-  active T
-  comment WEB-PHP WAnewsletter db_type.php access
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
-</augment>
-
-<augment 1376-5>
-  active T
-  comment WEB-MISC jrun directory browse attempt
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
-</augment>
-
-<augment 912-5>
-  active T
-  comment WEB-COLDFUSION parks access
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file s2b_data_on_weed/rules2.1/web-coldfusion.rules
-</augment>
-
-<augment 2369-1>
-  active T
-  comment WEB-MISC ISAPISkeleton.dll access
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
-</augment>
-
-<augment 1750-3>
-  active T
-  comment WEB-IIS users.xml access
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-iis.rules
-</augment>
-
-<augment 1966-2>
-  active T
-  comment MISC GlobalSunTech Access Point Information Disclosure attempt
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/misc.rules
-</augment>
-
-<augment 321-5>
-  active T
-  comment FINGER account enumeration attempt
-  sigaction SIG_FILE
-  snort-rule-file s2b_data_on_weed/rules2.1/finger.rules
-</augment>
-
-<augment 1990-1>
-  active F
-  comment CHAT MSN user search
-  comment "informational only"
-  sigaction SIG_FILE
-  snort-rule-file s2b_data_on_weed/rules2.1/chat.rules
-</augment>
-
-<augment 1482-4>
-  active T
-  comment WEB-CGI view_source access
-  requires-reverse-signature ! http_error
-  sigaction SIG_FILE
-  snort-rule-file s2b_data_on_weed/rules2.1/web-cgi.rules
-</augment>
-
-<augment 2109-3>
-  active T
-  comment POP3 TOP overflow attempt
-  comment "pcre: /^TOP\s[^\n]{10}/smi"
-  payload "/((^)|(\n+))[tT][oO][pP][\x20\x09\x0b][^\n]{10}/"
-  requires-reverse-signature ! pop_return_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/pop3.rules
-  <delete>
-    payload "/.*[tT][oO][pP]/"
-  </delete>
-</augment>
-
-<augment 1745-3>
-  active T
-  comment WEB-PHP Messagerie supp_membre.php access
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
-</augment>
-
-<augment 2111-3>
-  active T
-  comment POP3 DELE overflow attempt
-  comment "pcre: /^DELE\s[^\n]{10}/smi"
-  payload "/((^)|(\n+))[dD][eE][lL][eE][\x20\x09\x0b][^\n]{10}/"
-  requires-reverse-signature ! pop_return_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/pop3.rules
-  <delete>
-    payload "/.*[dD][eE][lL][eE]/"
-  </delete>
-</augment>
-
-<augment 1521-6>
-  active F
-  comment WEB-MISC server-status access
-  requires-reverse-signature ! http_error
-  sigaction SIG_LOG
-  snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
-  comment "Informational only"
-  comment "Could point to a default install or an incorrectly configured Apache server"
-</augment>
-
-<augment http-shell-check>
-  active T
-  comment http_shell_check used for filtering shell reference from man pages
-  sigaction SIG_IGNORE
-</augment>
-
-###############################
-## Augment file compiled on 2004-07-12 from Snort rules dated 2004-07-09
-###############################
-
diff --git a/scripts/s2b/etc/s2b-ruleset-augment.cfg b/scripts/s2b/etc/s2b-ruleset-augment.cfg
deleted file mode 100644
index 627991907c..0000000000
--- a/scripts/s2b/etc/s2b-ruleset-augment.cfg
+++ /dev/null
@@ -1,157 +0,0 @@
-
-<attack-responses.rules>
-</attack-responses.rules>
-
-<backdoor.rules>
-</backdoor.rules>
-
-<bad-traffic.rules>
-</bad-traffic.rules>
-
-<chat.rules>
-</chat.rules>
-
-<ddos.rules>
-</ddos.rules>
-
-<deleted.rules>
-</deleted.rules>
-
-<dns.rules>
-</dns.rules>
-
-<dos.rules>
-</dos.rules>
-
-<experimental.rules>
-</experimental.rules>
-
-<exploit.rules>
-</exploit.rules>
-
-<finger.rules>
-</finger.rules>
-
-<ftp.rules>
-	requires-reverse-signature ! ftp_server_error
-</ftp.rules>
-
-<icmp.rules>
-</icmp.rules>
-
-<imap.rules>
-</imap.rules>
-
-<info.rules>
-</info.rules>
-
-<local.rules>
-</local.rules>
-
-<misc.rules>
-</misc.rules>
-
-<multimedia.rules>
-</multimedia.rules>
-
-<mysql.rules>
-</mysql.rules>
-
-<netbios.notes>
-</netbios.notes>
-
-<netbios.rules>
-</netbios.rules>
-
-<nntp.rules>
-</nntp.rules>
-
-<oracle.rules>
-</oracle.rules>
-
-<other-ids.rules>
-</other-ids.rules>
-
-<p2p.rules>
-</p2p.rules>
-
-<policy.rules>
-</policy.rules>
-
-<pop2.rules>
-	requires-reverse-signature ! pop_return_error
-</pop2.rules>
-
-<pop3.rules>
-	requires-reverse-signature ! pop_return_error
-</pop3.rules>
-
-<porn.rules>
-</porn.rules>
-
-<rpc.rules>
-</rpc.rules>
-
-<rservices.rules>
-</rservices.rules>
-
-<scan.rules>
-</scan.rules>
-
-<shellcode.rules>
-</shellcode.rules>
-
-<smtp.rules>
-	requires-reverse-signature ! smtp_server_fail
-</smtp.rules>
-
-<snmp.rules>
-</snmp.rules>
-
-<sql.rules>
-</sql.rules>
-
-<telnet.rules>
-</telnet.rules>
-
-<tftp.rules>
-</tftp.rules>
-
-<virus.rules>
-</virus.rules>
-
-<web-attacks.rules>
-	requires-reverse-signature ! http_error
-</web-attacks.rules>
-
-<web-cgi.rules>
-	requires-reverse-signature ! http_error
-</web-cgi.rules>
-
-<web-client.rules>
-</web-client.rules>
-
-<web-coldfusion.rules>
-	requires-reverse-signature ! http_error
-</web-coldfusion.rules>
-
-<web-frontpage.rules>
-	requires-reverse-signature ! http_error
-	eval isIIS
-</web-frontpage.rules>
-
-<web-iis.rules>
-	requires-reverse-signature ! http_error
-	eval isIIS
-</web-iis.rules>
-
-<web-misc.rules>
-	requires-reverse-signature ! http_error
-</web-misc.rules>
-
-<web-php.rules>
-	requires-reverse-signature ! http_error
-</web-php.rules>
-
-<x11.rules>
-</x11.rules>
diff --git a/scripts/s2b/etc/s2b-sigmap.cfg b/scripts/s2b/etc/s2b-sigmap.cfg
deleted file mode 100644
index a3ea280763..0000000000
--- a/scripts/s2b/etc/s2b-sigmap.cfg
+++ /dev/null
@@ -1,38 +0,0 @@
-# this table is used to generate the automatic sid-to-sig action table that bro imports
-# the fields here are used as a table translation between snort and bro
-# currently there is no sound reason not to change any of this
-# *do not* make any comment line the same as any snort alert type!!
-
-attempted-admin				SIG_LOG
-attempted-user				SIG_LOG
-shellcode-detect			SIG_FILE
-successful-admin			SIG_LOG
-successful-user				SIG_LOG
-trojan-activity				SIG_LOG
-unsuccessful-user			SIG_FILE
-web-application-attack			SIG_LOG
-attempted-dos				SIG_FILE
-attempted-recon				SIG_FILE
-bad-unknown				SIG_FILE
-denial-of-service			SIG_FILE
-misc-attack				SIG_LOG
-non-standard-protocol			SIG_FILE
-rpc-portmap-decode			SIG_FILE	
-successful-dos				SIG_LOG
-successful-recon-largescale		SIG_LOG	
-successful-recon-limited		SIG_LOG
-suspicious-filename-detect		SIG_LOG
-suspicious-login			SIG_LOG	
-system-call-detect			SIG_LOG
-unusual-client-port-connection		SIG_LOG
-web-application-activity		SIG_LOG
-icmp-event				SIG_FILE
-misc-activity				SIG_LOG
-network-scan				SIG_FILE
-not-suspicious				SIG_QUIET
-protocol-command-decode			SIG_FILE
-string-detect				SIG_LOG
-unknown					SIG_FILE
-policy-violation			SIG_QUIET
-kickass-porn				SIG_QUIET
-default-login-attempt			SIG_LOG
\ No newline at end of file
diff --git a/scripts/s2b/etc/s2b.cfg b/scripts/s2b/etc/s2b.cfg
deleted file mode 100644
index 46b27290b5..0000000000
--- a/scripts/s2b/etc/s2b.cfg
+++ /dev/null
@@ -1,113 +0,0 @@
-# Snort2Bro
-
-# Bro Signature ID prefix
-# May only contain alphanumberic and dash characters
-#
-# sigprefix	s2b-
-##
-
-# Configuration directory
-# 
-# configdir	/usr/local/etc/bro/s2b
-##
-#configdir	/home/rwinslow/projects/s2b
-configdir	./
-
-# Augment Configuration filename
-# 
-# augmentconfig	s2b-augment.cfg
-##
-
-# Ruleset Augment Configuration filename
-# This file contains Bro signature options and contexts which are included
-# into rules based on the ruleset filenames from which they come.  The syntax 
-# rules for this file are the same as s2b-augment.cfg
-# This file is used during augment building only.
-#
-# rulesetaugmentconfig s2b-ruleset-augment.cfg
-##
-
-# User Augment Configuration filename
-# This is the user level augment config file which should be the location in
-# which behavior for individual signatures is controlled.
-#
-# useraugmentconfig s2b-user-augment.cfg
-##
-
-# Bro signature output filename
-# This should probably be a full path name otherwise it will write 
-# to the present working directory
-#
-# brosignaturedest	s2b.sig
-##
-
-# Bro sigaction output filename
-# This should probably be a full path name otherwise it will write to the 
-# present working directory.
-# This file contains mappings of signature id to SigActions which  
-# will be included into a running Bro instance.  These mappings are created 
-# for any Bro signature which uses anything but the default SigAction.
-#
-# sigactiondest	s2b-sigaction.bro
-##
-
-# Debug level
-#
-# debug 0
-##
-
-# sid prefix
-#
-# sigprefix	s2b-
-##
-
-# Mappings for Snort alert classtype to Bro SigAction. 
-#
-# sigmapconfig	s2b-sigmap.cfg
-##
-
-# Snort ruleset directory
-# All files ending in .rules are considered during parsing by default
-#
-# snortrulesetdir	'./'
-##
-
-# Snort rule sets to exclude from conversion
-# Any filename specified here will not even be read by the program
-# There are two different ways to specify the list. Both are listed but only
-# one style may be used.
-#
-#<ignoresnortrulesets>
-#	porn.rules
-#	icmp.rules
-#	experimental.rules
-#	deleted.rules
-#	policy.rules
-#	bad-traffic.rules
-#	info.rules
-#</ignoresnortrulesets>
-##
-
-ignoresnortruleset porn.rules
-#ignoresnortruleset icmp.rules
-ignoresnortruleset experimental.rules
-ignoresnortruleset deleted.rules
-ignoresnortruleset policy.rules
-ignoresnortruleset bad-traffic.rules
-#ignoresnortruleset info.rules
-
-# Default Bro SigAction that will be used for creating the Bro signature 
-# s2b.sig and the Bro SigAction file s2b-sigaction.bro
-#
-# defaultsigaction SIG_LOG
-##
-
-# This option will apply a signature to traffic flowing in either direction.
-# Snort defines two networks, $HOME_NET and $EXTERNAL_NET, for a source
-# and destination pairing.  These two variables will be ignored and not
-# converted if this option is set to true.  The default is set to true.
-# There is one exception.  If the destination or source is a subnet or ip
-# address then it will remain intact.
-# 
-# ignorehostdirection	true
-##
diff --git a/scripts/s2b/example_bro_files/Makefile.am b/scripts/s2b/example_bro_files/Makefile.am
deleted file mode 100644
index d7751ef343..0000000000
--- a/scripts/s2b/example_bro_files/Makefile.am
+++ /dev/null
@@ -1,4 +0,0 @@
-## Process this file with automake to produce Makefile.in
-
-EXTRA_DIST = sig-action.bro signatures.sig
-
diff --git a/scripts/s2b/example_bro_files/sig-action.bro b/scripts/s2b/example_bro_files/sig-action.bro
deleted file mode 100644
index b941dd20a9..0000000000
--- a/scripts/s2b/example_bro_files/sig-action.bro
+++ /dev/null
@@ -1,626 +0,0 @@
-# This file was created by s2b.pl on Wed Sep 15 18:34:41 2004.
-# This file is dynamically generated each time s2b.pl is run and therefore any 
-# changes done manually will be overwritten.
-# $Id: sig-action.bro 840 2004-11-30 22:33:48Z jason $
-
-redef signature_actions += {
-  ["s2b-1186-6"] = SIG_FILE,
-  ["s2b-1790-4"] = SIG_FILE,
-  ["s2b-2000-1"] = SIG_FILE,
-  ["s2b-2005-10"] = SIG_FILE,
-  ["s2b-253-4"] = SIG_FILE,
-  ["s2b-2016-6"] = SIG_FILE,
-  ["s2b-581-9"] = SIG_FILE,
-  ["s2b-650-8"] = SIG_FILE,
-  ["s2b-498-6"] = SIG_FILE,
-  ["s2b-333-8"] = SIG_FILE,
-  ["s2b-1143-5"] = SIG_FILE,
-  ["s2b-2314-1"] = SIG_FILE,
-  ["s2b-1126-6"] = SIG_FILE,
-  ["s2b-907-5"] = SIG_FILE,
-  ["s2b-223-3"] = SIG_FILE,
-  ["s2b-818-10"] = SIG_FILE,
-  ["s2b-2177-4"] = SIG_FILE,
-  ["s2b-1482-4"] = SIG_FILE,
-  ["s2b-616-4"] = SIG_FILE,
-  ["s2b-2383-9"] = SIG_FILE,
-  ["s2b-2104-3"] = SIG_FILE,
-  ["s2b-1697-3"] = SIG_FILE,
-  ["s2b-2533-5"] = SIG_FILE,
-  ["s2b-243-2"] = SIG_FILE,
-  ["s2b-1309-9"] = SIG_FILE,
-  ["s2b-472-4"] = SIG_FILE,
-  ["s2b-879-7"] = SIG_FILE,
-  ["s2b-1733-9"] = SIG_FILE,
-  ["s2b-2470-3"] = SIG_FILE,
-  ["s2b-321-5"] = SIG_FILE,
-  ["s2b-1113-5"] = SIG_FILE,
-  ["s2b-893-7"] = SIG_FILE,
-  ["s2b-2050-5"] = SIG_FILE,
-  ["s2b-1776-2"] = SIG_FILE,
-  ["s2b-1868-5"] = SIG_FILE,
-  ["s2b-693-5"] = SIG_FILE,
-  ["s2b-603-5"] = SIG_FILE,
-  ["s2b-2084-8"] = SIG_FILE,
-  ["s2b-1729-5"] = SIG_ALARM,
-  ["s2b-1145-7"] = SIG_FILE,
-  ["s2b-1280-9"] = SIG_FILE,
-  ["s2b-2385-9"] = SIG_FILE,
-  ["s2b-1448-10"] = SIG_FILE,
-  ["s2b-1181-8"] = SIG_FILE,
-  ["s2b-1481-4"] = SIG_FILE,
-  ["s2b-870-5"] = SIG_FILE,
-  ["s2b-1960-7"] = SIG_FILE,
-  ["s2b-2125-8"] = SIG_FILE,
-  ["s2b-843-7"] = SIG_FILE,
-  ["s2b-1922-6"] = SIG_FILE,
-  ["s2b-516-3"] = SIG_FILE,
-  ["s2b-1191-6"] = SIG_FILE,
-  ["s2b-1413-10"] = SIG_FILE,
-  ["s2b-582-8"] = SIG_FILE,
-  ["s2b-331-10"] = SIG_FILE,
-  ["s2b-2081-9"] = SIG_FILE,
-  ["s2b-911-7"] = SIG_FILE,
-  ["s2b-1231-8"] = SIG_FILE,
-  ["s2b-1577-4"] = SIG_FILE,
-  ["s2b-1454-6"] = SIG_FILE,
-  ["s2b-471-3"] = SIG_FILE,
-  ["s2b-1216-5"] = SIG_FILE,
-  ["s2b-595-16"] = SIG_FILE,
-  ["s2b-1473-5"] = SIG_FILE,
-  ["s2b-2026-9"] = SIG_FILE,
-  ["s2b-534-6"] = SIG_FILE,
-  ["s2b-1392-10"] = SIG_FILE,
-  ["s2b-491-8"] = SIG_FILE,
-  ["s2b-1453-5"] = SIG_FILE,
-  ["s2b-324-5"] = SIG_FILE,
-  ["s2b-246-2"] = SIG_FILE,
-  ["s2b-1197-6"] = SIG_FILE,
-  ["s2b-881-5"] = SIG_FILE,
-  ["s2b-589-8"] = SIG_FILE,
-  ["s2b-533-8"] = SIG_FILE,
-  ["s2b-2530-3"] = SIG_FILE,
-  ["s2b-829-9"] = SIG_FILE,
-  ["s2b-1108-10"] = SIG_FILE,
-  ["s2b-1461-5"] = SIG_FILE,
-  ["s2b-867-9"] = SIG_FILE,
-  ["s2b-330-9"] = SIG_FILE,
-  ["s2b-1175-10"] = SIG_FILE,
-  ["s2b-847-7"] = SIG_FILE,
-  ["s2b-1132-6"] = SIG_FILE,
-  ["s2b-1268-12"] = SIG_FILE,
-  ["s2b-2534-3"] = SIG_FILE,
-  ["s2b-2504-6"] = SIG_FILE,
-  ["s2b-227-6"] = SIG_FILE,
-  ["s2b-1648-7"] = SIG_FILE,
-  ["s2b-1447-11"] = SIG_FILE,
-  ["s2b-236-6"] = SIG_FILE,
-  ["s2b-1629-6"] = SIG_FILE,
-  ["s2b-1497-6"] = SIG_FILE,
-  ["s2b-1147-7"] = SIG_FILE,
-  ["s2b-2019-4"] = SIG_FILE,
-  ["s2b-1778-4"] = SIG_FILE,
-  ["s2b-1293-10"] = SIG_FILE,
-  ["s2b-1179-7"] = SIG_FILE,
-  ["s2b-1190-6"] = SIG_FILE,
-  ["s2b-1446-6"] = SIG_FILE,
-  ["s2b-1459-5"] = SIG_FILE,
-  ["s2b-2014-5"] = SIG_FILE,
-  ["s2b-1119-7"] = SIG_FILE,
-  ["s2b-2384-8"] = SIG_FILE,
-  ["s2b-2032-5"] = SIG_FILE,
-  ["s2b-2475-3"] = SIG_FILE,
-  ["s2b-361-12"] = SIG_FILE,
-  ["s2b-1267-11"] = SIG_FILE,
-  ["s2b-586-8"] = SIG_FILE,
-  ["s2b-2520-5"] = SIG_FILE,
-  ["s2b-520-5"] = SIG_FILE,
-  ["s2b-878-6"] = SIG_FILE,
-  ["s2b-268-4"] = SIG_FILE,
-  ["s2b-854-7"] = SIG_FILE,
-  ["s2b-1864-7"] = SIG_FILE,
-  ["s2b-1452-5"] = SIG_FILE,
-  ["s2b-931-6"] = SIG_FILE,
-  ["s2b-251-3"] = SIG_FILE,
-  ["s2b-840-7"] = SIG_FILE,
-  ["s2b-1264-13"] = SIG_FILE,
-  ["s2b-933-7"] = SIG_FILE,
-  ["s2b-512-4"] = SIG_FILE,
-  ["s2b-1348-5"] = SIG_QUIET,
-  ["s2b-1688-3"] = SIG_FILE,
-  ["s2b-902-7"] = SIG_FILE,
-  ["s2b-1134-7"] = SIG_FILE,
-  ["s2b-889-7"] = SIG_FILE,
-  ["s2b-234-2"] = SIG_FILE,
-  ["s2b-915-5"] = SIG_FILE,
-  ["s2b-637-3"] = SIG_FILE,
-  ["s2b-836-7"] = SIG_FILE,
-  ["s2b-2473-3"] = SIG_FILE,
-  ["s2b-2033-8"] = SIG_FILE,
-  ["s2b-1151-5"] = SIG_FILE,
-  ["s2b-835-9"] = SIG_FILE,
-  ["s2b-1955-6"] = SIG_FILE,
-  ["s2b-660-7"] = SIG_FILE,
-  ["s2b-904-7"] = SIG_FILE,
-  ["s2b-826-7"] = SIG_FILE,
-  ["s2b-833-8"] = SIG_FILE,
-  ["s2b-883-5"] = SIG_FILE,
-  ["s2b-1930-3"] = SIG_FILE,
-  ["s2b-887-6"] = SIG_FILE,
-  ["s2b-859-7"] = SIG_FILE,
-  ["s2b-588-17"] = SIG_FILE,
-  ["s2b-1682-3"] = SIG_FILE,
-  ["s2b-230-5"] = SIG_FILE,
-  ["s2b-1952-5"] = SIG_FILE,
-  ["s2b-1173-5"] = SIG_FILE,
-  ["s2b-583-9"] = SIG_FILE,
-  ["s2b-880-8"] = SIG_FILE,
-  ["s2b-1104-9"] = SIG_FILE,
-  ["s2b-1146-5"] = SIG_FILE,
-  ["s2b-837-8"] = SIG_FILE,
-  ["s2b-1694-3"] = SIG_FILE,
-  ["s2b-362-12"] = SIG_FILE,
-  ["s2b-536-7"] = SIG_FILE,
-  ["s2b-1161-9"] = SIG_FILE,
-  ["s2b-648-7"] = SIG_FILE,
-  ["s2b-2468-3"] = SIG_FILE,
-  ["s2b-1301-11"] = SIG_FILE,
-  ["s2b-2348-6"] = SIG_FILE,
-  ["s2b-1259-5"] = SIG_FILE,
-  ["s2b-2370-2"] = SIG_QUIET,
-  ["s2b-1464-3"] = SIG_FILE,
-  ["s2b-1721-4"] = SIG_FILE,
-  ["s2b-1696-3"] = SIG_FILE,
-  ["s2b-2477-3"] = SIG_FILE,
-  ["s2b-1168-5"] = SIG_FILE,
-  ["s2b-1680-3"] = SIG_FILE,
-  ["s2b-848-9"] = SIG_FILE,
-  ["s2b-1366-5"] = SIG_FILE,
-  ["s2b-1167-7"] = SIG_FILE,
-  ["s2b-1202-5"] = SIG_FILE,
-  ["s2b-530-10"] = SIG_FILE,
-  ["s2b-2466-3"] = SIG_FILE,
-  ["s2b-1410-9"] = SIG_FILE,
-  ["s2b-1579-4"] = SIG_FILE,
-  ["s2b-2018-4"] = SIG_FILE,
-  ["s2b-1691-3"] = SIG_FILE,
-  ["s2b-718-7"] = SIG_FILE,
-  ["s2b-2034-7"] = SIG_FILE,
-  ["s2b-538-10"] = SIG_FILE,
-  ["s2b-1189-6"] = SIG_FILE,
-  ["s2b-1308-5"] = SIG_FILE,
-  ["s2b-2029-5"] = SIG_FILE,
-  ["s2b-865-8"] = SIG_FILE,
-  ["s2b-2022-4"] = SIG_FILE,
-  ["s2b-841-7"] = SIG_FILE,
-  ["s2b-2021-4"] = SIG_FILE,
-  ["s2b-1164-10"] = SIG_FILE,
-  ["s2b-1275-10"] = SIG_FILE,
-  ["s2b-1954-5"] = SIG_FILE,
-  ["s2b-323-5"] = SIG_FILE,
-  ["s2b-903-7"] = SIG_FILE,
-  ["s2b-638-5"] = SIG_FILE,
-  ["s2b-274-5"] = SIG_FILE,
-  ["s2b-1156-6"] = SIG_FILE,
-  ["s2b-823-6"] = SIG_FILE,
-  ["s2b-1217-7"] = SIG_FILE,
-  ["s2b-2176-4"] = SIG_FILE,
-  ["s2b-1586-4"] = SIG_FILE,
-  ["s2b-640-6"] = SIG_FILE,
-  ["s2b-1411-10"] = SIG_FILE,
-  ["s2b-275-10"] = SIG_FILE,
-  ["s2b-1239-5"] = SIG_FILE,
-  ["s2b-852-8"] = SIG_FILE,
-  ["s2b-1950-5"] = SIG_FILE,
-  ["s2b-1130-5"] = SIG_FILE,
-  ["s2b-864-7"] = SIG_FILE,
-  ["s2b-2386-6"] = SIG_FILE,
-  ["s2b-1118-5"] = SIG_FILE,
-  ["s2b-891-5"] = SIG_FILE,
-  ["s2b-2570-6"] = SIG_FILE,
-  ["s2b-691-5"] = SIG_FILE,
-  ["s2b-272-7"] = SIG_FILE,
-  ["s2b-910-5"] = SIG_FILE,
-  ["s2b-1414-11"] = SIG_FILE,
-  ["s2b-1867-1"] = SIG_FILE,
-  ["s2b-1962-7"] = SIG_FILE,
-  ["s2b-2025-9"] = SIG_FILE,
-  ["s2b-532-8"] = SIG_FILE,
-  ["s2b-1199-11"] = SIG_FILE,
-  ["s2b-2536-3"] = SIG_FILE,
-  ["s2b-1693-4"] = SIG_FILE,
-  ["s2b-1365-5"] = SIG_FILE,
-  ["s2b-1576-4"] = SIG_FILE,
-  ["s2b-1541-4"] = SIG_FILE,
-  ["s2b-1666-5"] = SIG_FILE,
-  ["s2b-832-11"] = SIG_FILE,
-  ["s2b-2502-7"] = SIG_FILE,
-  ["s2b-646-5"] = SIG_FILE,
-  ["s2b-1575-4"] = SIG_FILE,
-  ["s2b-1142-5"] = SIG_FILE,
-  ["s2b-222-2"] = SIG_FILE,
-  ["s2b-1435-6"] = SIG_FILE,
-  ["s2b-535-6"] = SIG_FILE,
-  ["s2b-1451-6"] = SIG_FILE,
-  ["s2b-1273-10"] = SIG_FILE,
-  ["s2b-2565-1"] = SIG_FILE,
-  ["s2b-858-7"] = SIG_FILE,
-  ["s2b-626-7"] = SIG_FILE,
-  ["s2b-1232-8"] = SIG_FILE,
-  ["s2b-593-18"] = SIG_FILE,
-  ["s2b-672-6"] = SIG_FILE,
-  ["s2b-1624-5"] = SIG_FILE,
-  ["s2b-2480-3"] = SIG_FILE,
-  ["s2b-897-10"] = SIG_FILE,
-  ["s2b-1158-10"] = SIG_FILE,
-  ["s2b-877-8"] = SIG_FILE,
-  ["s2b-585-7"] = SIG_FILE,
-  ["s2b-1271-14"] = SIG_FILE,
-  ["s2b-1115-7"] = SIG_FILE,
-  ["s2b-630-5"] = SIG_FILE,
-  ["s2b-2505-7"] = SIG_FILE,
-  ["s2b-1684-3"] = SIG_FILE,
-  ["s2b-1470-5"] = SIG_FILE,
-  ["s2b-1924-6"] = SIG_FILE,
-  ["s2b-1641-5"] = SIG_FILE,
-  ["s2b-2500-4"] = SIG_FILE,
-  ["s2b-245-3"] = SIG_FILE,
-  ["s2b-2080-6"] = SIG_FILE,
-  ["s2b-233-3"] = SIG_FILE,
-  ["s2b-478-3"] = SIG_FILE,
-  ["s2b-651-8"] = SIG_FILE,
-  ["s2b-2486-5"] = SIG_FILE,
-  ["s2b-861-12"] = SIG_FILE,
-  ["s2b-1476-5"] = SIG_FILE,
-  ["s2b-1614-8"] = SIG_FILE,
-  ["s2b-1898-8"] = SIG_FILE,
-  ["s2b-1165-9"] = SIG_FILE,
-  ["s2b-1869-5"] = SIG_FILE,
-  ["s2b-1480-9"] = SIG_FILE,
-  ["s2b-2193-9"] = SIG_FILE,
-  ["s2b-1162-7"] = SIG_FILE,
-  ["s2b-576-8"] = SIG_FILE,
-  ["s2b-254-4"] = SIG_FILE,
-  ["s2b-611-7"] = SIG_FILE,
-  ["s2b-241-7"] = SIG_FILE,
-  ["s2b-928-5"] = SIG_FILE,
-  ["s2b-2313-2"] = SIG_FILE,
-  ["s2b-2465-3"] = SIG_FILE,
-  ["s2b-1160-11"] = SIG_FILE,
-  ["s2b-1129-5"] = SIG_FILE,
-  ["s2b-1155-5"] = SIG_FILE,
-  ["s2b-1228-6"] = SIG_FILE,
-  ["s2b-489-7"] = SIG_FILE,
-  ["s2b-1460-5"] = SIG_FILE,
-  ["s2b-1896-8"] = SIG_FILE,
-  ["s2b-932-7"] = SIG_FILE,
-  ["s2b-838-9"] = SIG_FILE,
-  ["s2b-500-4"] = SIG_FILE,
-  ["s2b-2478-3"] = SIG_FILE,
-  ["s2b-1971-4"] = SIG_FILE,
-  ["s2b-465-3"] = SIG_FILE,
-  ["s2b-276-5"] = SIG_FILE,
-  ["s2b-1599-7"] = SIG_FILE,
-  ["s2b-1105-5"] = SIG_FILE,
-  ["s2b-2192-8"] = SIG_FILE,
-  ["s2b-590-12"] = SIG_FILE,
-  ["s2b-1926-6"] = SIG_FILE,
-  ["s2b-834-7"] = SIG_FILE,
-  ["s2b-1662-5"] = SIG_FILE,
-  ["s2b-1356-5"] = SIG_FILE,
-  ["s2b-598-12"] = SIG_FILE,
-  ["s2b-1144-5"] = SIG_FILE,
-  ["s2b-1689-3"] = SIG_FILE,
-  ["s2b-846-8"] = SIG_FILE,
-  ["s2b-1110-7"] = SIG_FILE,
-  ["s2b-2476-3"] = SIG_FILE,
-  ["s2b-1813-5"] = SIG_FILE,
-  ["s2b-2339-2"] = SIG_FILE,
-  ["s2b-503-6"] = SIG_FILE,
-  ["s2b-2471-3"] = SIG_FILE,
-  ["s2b-1159-10"] = SIG_FILE,
-  ["s2b-868-9"] = SIG_FILE,
-  ["s2b-619-5"] = SIG_FILE,
-  ["s2b-529-7"] = SIG_FILE,
-  ["s2b-1732-9"] = SIG_FILE,
-  ["s2b-1176-5"] = SIG_FILE,
-  ["s2b-1117-6"] = SIG_FILE,
-  ["s2b-659-6"] = SIG_FILE,
-  ["s2b-2027-5"] = SIG_FILE,
-  ["s2b-850-5"] = SIG_FILE,
-  ["s2b-866-8"] = SIG_FILE,
-  ["s2b-871-7"] = SIG_FILE,
-  ["s2b-1408-8"] = SIG_FILE,
-  ["s2b-1638-5"] = SIG_FILE,
-  ["s2b-1133-11"] = SIG_FILE,
-  ["s2b-2038-5"] = SIG_FILE,
-  ["s2b-1136-5"] = SIG_FILE,
-  ["s2b-1125-8"] = SIG_FILE,
-  ["s2b-612-6"] = SIG_FILE,
-  ["s2b-1131-5"] = SIG_FILE,
-  ["s2b-228-3"] = SIG_FILE,
-  ["s2b-1469-5"] = SIG_FILE,
-  ["s2b-1177-6"] = SIG_FILE,
-  ["s2b-869-8"] = SIG_FILE,
-  ["s2b-1251-6"] = SIG_FILE,
-  ["s2b-1137-9"] = SIG_FILE,
-  ["s2b-239-2"] = SIG_FILE,
-  ["s2b-1953-5"] = SIG_FILE,
-  ["s2b-1188-6"] = SIG_FILE,
-  ["s2b-1895-8"] = SIG_FILE,
-  ["s2b-250-4"] = SIG_FILE,
-  ["s2b-2079-6"] = SIG_FILE,
-  ["s2b-1218-5"] = SIG_FILE,
-  ["s2b-652-9"] = SIG_FILE,
-  ["s2b-1458-6"] = SIG_FILE,
-  ["s2b-892-8"] = SIG_FILE,
-  ["s2b-627-7"] = SIG_FILE,
-  ["s2b-1277-9"] = SIG_FILE,
-  ["s2b-1235-8"] = SIG_FILE,
-  ["s2b-2023-4"] = SIG_FILE,
-  ["s2b-1580-4"] = SIG_FILE,
-  ["s2b-2493-5"] = SIG_FILE,
-  ["s2b-1572-7"] = SIG_FILE,
-  ["s2b-1326-6"] = SIG_FILE,
-  ["s2b-328-8"] = SIG_FILE,
-  ["s2b-2537-3"] = SIG_FILE,
-  ["s2b-1777-4"] = SIG_FILE,
-  ["s2b-862-9"] = SIG_FILE,
-  ["s2b-580-9"] = SIG_FILE,
-  ["s2b-1948-4"] = SIG_FILE,
-  ["s2b-537-11"] = SIG_FILE,
-  ["s2b-1746-11"] = SIG_FILE,
-  ["s2b-601-6"] = SIG_FILE,
-  ["s2b-2418-3"] = SIG_FILE,
-  ["s2b-653-8"] = SIG_FILE,
-  ["s2b-658-5"] = SIG_FILE,
-  ["s2b-221-3"] = SIG_FILE,
-  ["s2b-1959-7"] = SIG_FILE,
-  ["s2b-1674-5"] = SIG_FILE,
-  ["s2b-914-5"] = SIG_FILE,
-  ["s2b-322-10"] = SIG_FILE,
-  ["s2b-1140-11"] = SIG_FILE,
-  ["s2b-146-5"] = SIG_FILE,
-  ["s2b-2191-3"] = SIG_FILE,
-  ["s2b-1692-3"] = SIG_FILE,
-  ["s2b-2566-1"] = SIG_FILE,
-  ["s2b-2037-5"] = SIG_FILE,
-  ["s2b-634-2"] = SIG_FILE,
-  ["s2b-1882-10"] = SIG_FILE,
-  ["s2b-901-10"] = SIG_FILE,
-  ["s2b-279-3"] = SIG_FILE,
-  ["s2b-1412-13"] = SIG_FILE,
-  ["s2b-579-8"] = SIG_FILE,
-  ["s2b-2190-3"] = SIG_FILE,
-  ["s2b-1992-5"] = SIG_FILE,
-  ["s2b-513-10"] = SIG_FILE,
-  ["s2b-578-8"] = SIG_FILE,
-  ["s2b-2524-7"] = SIG_FILE,
-  ["s2b-332-8"] = SIG_FILE,
-  ["s2b-575-8"] = SIG_FILE,
-  ["s2b-502-2"] = SIG_FILE,
-  ["s2b-692-6"] = SIG_FILE,
-  ["s2b-851-7"] = SIG_FILE,
-  ["s2b-599-11"] = SIG_FILE,
-  ["s2b-2174-4"] = SIG_FILE,
-  ["s2b-635-3"] = SIG_FILE,
-  ["s2b-475-3"] = SIG_FILE,
-  ["s2b-1265-9"] = SIG_FILE,
-  ["s2b-235-2"] = SIG_FILE,
-  ["s2b-270-6"] = SIG_FILE,
-  ["s2b-1659-3"] = SIG_FILE,
-  ["s2b-1695-3"] = SIG_FILE,
-  ["s2b-1681-3"] = SIG_FILE,
-  ["s2b-1949-5"] = SIG_FILE,
-  ["s2b-1184-6"] = SIG_FILE,
-  ["s2b-1581-4"] = SIG_FILE,
-  ["s2b-1150-6"] = SIG_FILE,
-  ["s2b-1123-9"] = SIG_FILE,
-  ["s2b-1292-8"] = SIG_FILE,
-  ["s2b-584-11"] = SIG_FILE,
-  ["s2b-591-10"] = SIG_FILE,
-  ["s2b-1360-5"] = SIG_FILE,
-  ["s2b-622-6"] = SIG_FILE,
-  ["s2b-518-6"] = SIG_FILE,
-  ["s2b-860-8"] = SIG_FILE,
-  ["s2b-908-8"] = SIG_FILE,
-  ["s2b-249-7"] = SIG_FILE,
-  ["s2b-1180-12"] = SIG_FILE,
-  ["s2b-2472-3"] = SIG_FILE,
-  ["s2b-1154-5"] = SIG_FILE,
-  ["s2b-1070-7"] = SIG_FILE,
-  ["s2b-574-8"] = SIG_FILE,
-  ["s2b-1478-3"] = SIG_FILE,
-  ["s2b-514-5"] = SIG_FILE,
-  ["s2b-2006-10"] = SIG_FILE,
-  ["s2b-2159-8"] = SIG_FILE,
-  ["s2b-224-3"] = SIG_FILE,
-  ["s2b-1961-7"] = SIG_FILE,
-  ["s2b-247-4"] = SIG_FILE,
-  ["s2b-2335-2"] = SIG_FILE,
-  ["s2b-495-7"] = SIG_FILE,
-  ["s2b-552-7"] = SIG_QUIET,
-  ["s2b-636-1"] = SIG_FILE,
-  ["s2b-863-7"] = SIG_FILE,
-  ["s2b-1685-4"] = SIG_FILE,
-  ["s2b-1367-5"] = SIG_FILE,
-  ["s2b-806-11"] = SIG_FILE,
-  ["s2b-1120-8"] = SIG_FILE,
-  ["s2b-2450-3"] = SIG_FILE,
-  ["s2b-1302-7"] = SIG_FILE,
-  ["s2b-1421-11"] = SIG_FILE,
-  ["s2b-875-9"] = SIG_FILE,
-  ["s2b-913-5"] = SIG_FILE,
-  ["s2b-2020-4"] = SIG_FILE,
-  ["s2b-1418-11"] = SIG_FILE,
-  ["s2b-2230-5"] = SIG_FILE,
-  ["s2b-1183-8"] = SIG_FILE,
-  ["s2b-1672-10"] = SIG_FILE,
-  ["s2b-717-6"] = SIG_FILE,
-  ["s2b-856-5"] = SIG_FILE,
-  ["s2b-1324-6"] = SIG_FILE,
-  ["s2b-1270-11"] = SIG_FILE,
-  ["s2b-632-5"] = SIG_FILE,
-  ["s2b-1444-3"] = SIG_FILE,
-  ["s2b-1582-4"] = SIG_FILE,
-  ["s2b-1127-7"] = SIG_FILE,
-  ["s2b-1100-7"] = SIG_QUIET,
-  ["s2b-614-7"] = SIG_FILE,
-  ["s2b-898-9"] = SIG_FILE,
-  ["s2b-1229-7"] = SIG_FILE,
-  ["s2b-2030-6"] = SIG_FILE,
-  ["s2b-2382-8"] = SIG_FILE,
-  ["s2b-256-5"] = SIG_FILE,
-  ["s2b-1855-7"] = SIG_FILE,
-  ["s2b-894-8"] = SIG_FILE,
-  ["s2b-1209-5"] = SIG_FILE,
-  ["s2b-1148-5"] = SIG_FILE,
-  ["s2b-1230-8"] = SIG_FILE,
-  ["s2b-1212-5"] = SIG_FILE,
-  ["s2b-905-7"] = SIG_FILE,
-  ["s2b-2474-3"] = SIG_FILE,
-  ["s2b-642-6"] = SIG_FILE,
-  ["s2b-1585-4"] = SIG_FILE,
-  ["s2b-872-9"] = SIG_FILE,
-  ["s2b-1894-8"] = SIG_FILE,
-  ["s2b-1294-10"] = SIG_FILE,
-  ["s2b-2028-5"] = SIG_FILE,
-  ["s2b-255-11"] = SIG_FILE,
-  ["s2b-1274-17"] = SIG_FILE,
-  ["s2b-925-5"] = SIG_FILE,
-  ["s2b-237-2"] = SIG_FILE,
-  ["s2b-845-7"] = SIG_FILE,
-  ["s2b-1899-8"] = SIG_FILE,
-  ["s2b-906-7"] = SIG_FILE,
-  ["s2b-1683-3"] = SIG_FILE,
-  ["s2b-1686-3"] = SIG_FILE,
-  ["s2b-311-11"] = SIG_FILE,
-  ["s2b-1951-5"] = SIG_FILE,
-  ["s2b-1226-4"] = SIG_FILE,
-  ["s2b-605-6"] = SIG_FILE,
-  ["s2b-1649-7"] = SIG_FILE,
-  ["s2b-2497-6"] = SIG_FILE,
-  ["s2b-240-2"] = SIG_FILE,
-  ["s2b-278-5"] = SIG_FILE,
-  ["s2b-888-5"] = SIG_FILE,
-  ["s2b-1213-5"] = SIG_FILE,
-  ["s2b-1276-14"] = SIG_FILE,
-  ["s2b-1475-4"] = SIG_FILE,
-  ["s2b-2151-4"] = SIG_QUIET,
-  ["s2b-1676-3"] = SIG_FILE,
-  ["s2b-1415-9"] = SIG_FILE,
-  ["s2b-1272-10"] = SIG_FILE,
-  ["s2b-1153-5"] = SIG_FILE,
-  ["s2b-1152-5"] = SIG_FILE,
-  ["s2b-1640-6"] = SIG_ALARM,
-  ["s2b-1687-3"] = SIG_FILE,
-  ["s2b-1623-6"] = SIG_FILE,
-  ["s2b-2083-8"] = SIG_FILE,
-  ["s2b-1430-7"] = SIG_FILE,
-  ["s2b-1263-11"] = SIG_FILE,
-  ["s2b-2017-12"] = SIG_FILE,
-  ["s2b-1462-5"] = SIG_FILE,
-  ["s2b-1257-8"] = SIG_FILE,
-  ["s2b-497-8"] = SIG_FILE,
-  ["s2b-936-5"] = SIG_FILE,
-  ["s2b-505-5"] = SIG_FILE,
-  ["s2b-1111-5"] = SIG_FILE,
-  ["s2b-1923-6"] = SIG_FILE,
-  ["s2b-1390-5"] = SIG_FILE,
-  ["s2b-467-3"] = SIG_FILE,
-  ["s2b-1266-10"] = SIG_FILE,
-  ["s2b-2469-3"] = SIG_FILE,
-  ["s2b-827-7"] = SIG_FILE,
-  ["s2b-226-6"] = SIG_FILE,
-  ["s2b-1192-6"] = SIG_FILE,
-  ["s2b-688-6"] = SIG_FILE,
-  ["s2b-890-10"] = SIG_FILE,
-  ["s2b-1109-8"] = SIG_FILE,
-  ["s2b-501-4"] = SIG_FILE,
-  ["s2b-231-3"] = SIG_FILE,
-  ["s2b-1584-4"] = SIG_FILE,
-  ["s2b-587-8"] = SIG_FILE,
-  ["s2b-476-4"] = SIG_FILE,
-  ["s2b-1897-8"] = SIG_FILE,
-  ["s2b-336-10"] = SIG_FILE,
-  ["s2b-830-7"] = SIG_FILE,
-  ["s2b-2101-9"] = SIG_FILE,
-  ["s2b-232-5"] = SIG_FILE,
-  ["s2b-828-5"] = SIG_FILE,
-  ["s2b-2031-5"] = SIG_FILE,
-  ["s2b-1471-5"] = SIG_FILE,
-  ["s2b-2036-6"] = SIG_FILE,
-  ["s2b-1856-7"] = SIG_FILE,
-  ["s2b-810-11"] = SIG_FILE,
-  ["s2b-1224-10"] = SIG_FILE,
-  ["s2b-853-9"] = SIG_FILE,
-  ["s2b-257-8"] = SIG_FILE,
-  ["s2b-1269-10"] = SIG_FILE,
-  ["s2b-2312-2"] = SIG_FILE,
-  ["s2b-1166-8"] = SIG_FILE,
-  ["s2b-641-6"] = SIG_FILE,
-  ["s2b-1394-5"] = SIG_FILE,
-  ["s2b-1583-4"] = SIG_FILE,
-  ["s2b-2082-9"] = SIG_FILE,
-  ["s2b-1775-2"] = SIG_FILE,
-  ["s2b-1279-14"] = SIG_FILE,
-  ["s2b-1416-9"] = SIG_FILE,
-  ["s2b-273-7"] = SIG_FILE,
-  ["s2b-1747-11"] = SIG_FILE,
-  ["s2b-644-5"] = SIG_FILE,
-  ["s2b-930-5"] = SIG_FILE,
-  ["s2b-1375-6"] = SIG_FILE,
-  ["s2b-1690-3"] = SIG_FILE,
-  ["s2b-1424-6"] = SIG_FILE,
-  ["s2b-1420-11"] = SIG_FILE,
-  ["s2b-1260-10"] = SIG_FILE,
-  ["s2b-508-7"] = SIG_FILE,
-  ["s2b-282-7"] = SIG_QUIET,
-  ["s2b-2015-5"] = SIG_FILE,
-  ["s2b-1891-8"] = SIG_FILE,
-  ["s2b-360-7"] = SIG_FILE,
-  ["s2b-519-6"] = SIG_FILE,
-  ["s2b-504-6"] = SIG_FILE,
-  ["s2b-1344-5"] = SIG_FILE,
-  ["s2b-1178-6"] = SIG_FILE,
-  ["s2b-1220-5"] = SIG_FILE,
-  ["s2b-1792-8"] = SIG_FILE,
-  ["s2b-1419-9"] = SIG_FILE,
-  ["s2b-1854-7"] = SIG_FILE,
-  ["s2b-2481-3"] = SIG_FILE,
-  ["s2b-2467-3"] = SIG_FILE,
-  ["s2b-1001-7"] = SIG_FILE,
-  ["s2b-1116-6"] = SIG_FILE,
-  ["s2b-271-4"] = SIG_FILE,
-  ["s2b-281-5"] = SIG_FILE,
-  ["s2b-2035-6"] = SIG_FILE,
-  ["s2b-1281-7"] = SIG_FILE,
-  ["s2b-1234-8"] = SIG_FILE,
-  ["s2b-1381-5"] = SIG_FILE,
-  ["s2b-1860-4"] = SIG_FILE,
-  ["s2b-522-2"] = SIG_FILE,
-  ["s2b-912-5"] = SIG_FILE,
-  ["s2b-1128-5"] = SIG_FILE,
-  ["s2b-1677-3"] = SIG_FILE,
-  ["s2b-639-5"] = SIG_FILE,
-  ["s2b-1303-7"] = SIG_FILE,
-  ["s2b-1457-6"] = SIG_FILE,
-  ["s2b-1122-5"] = SIG_FILE,
-  ["s2b-1678-5"] = SIG_FILE,
-  ["s2b-1139-7"] = SIG_FILE,
-  ["s2b-645-5"] = SIG_FILE,
-  ["s2b-631-6"] = SIG_FILE,
-  ["s2b-2257-5"] = SIG_FILE,
-  ["s2b-244-3"] = SIG_FILE,
-  ["s2b-1295-9"] = SIG_FILE,
-  ["s2b-225-6"] = SIG_FILE,
-  ["s2b-1327-7"] = SIG_FILE,
-  ["s2b-844-7"] = SIG_FILE,
-  ["s2b-229-5"] = SIG_FILE,
-  ["s2b-2093-5"] = SIG_FILE,
-  ["s2b-1087-8"] = SIG_FILE,
-  ["s2b-517-1"] = SIG_FILE,
-  ["s2b-1252-13"] = SIG_FILE,
-  ["s2b-842-7"] = SIG_FILE,
-  ["s2b-2175-5"] = SIG_FILE,
-}; 
diff --git a/scripts/s2b/example_bro_files/signatures.sig b/scripts/s2b/example_bro_files/signatures.sig
deleted file mode 100644
index b4f53c24ce..0000000000
--- a/scripts/s2b/example_bro_files/signatures.sig
+++ /dev/null
@@ -1,15805 +0,0 @@
-# This file was created by s2b.pl on Mon Sep 20 13:14:53 2004.
-# This file is dynamically generated each time s2b.pl is run and therefore any 
-# changes done manually will be overwritten.
-# $Id: signatures.sig 840 2004-11-30 22:33:48Z jason $
-
-signature s2b-1292-8 {
-  ip-proto == tcp
-  event "ATTACK-RESPONSES directory listing"
-  tcp-state established,responder
-  payload /.*Volume Serial Number/
-}
-
-signature s2b-495-7 {
-  ip-proto == tcp
-  src-port == http_ports
-  event "ATTACK-RESPONSES command error"
-  tcp-state established,responder
-  payload /.*[bB][aA][dD] [cC][oO][mM][mM][aA][nN][dD] [oO][rR] [fF][iI][lL][eE][nN][aA][mM][eE]/
-}
-
-signature s2b-497-8 {
-  ip-proto == tcp
-  src-port == http_ports
-  event "ATTACK-RESPONSES file copied ok"
-  tcp-state established,responder
-  payload /.*1 [fF][iI][lL][eE]\x28[sS]\x29 [cC][oO][pP][iI][eE][dD]/
-}
-
-signature s2b-1666-5 {
-  ip-proto == tcp
-  src-port == http_ports
-  event "ATTACK-RESPONSES index of /cgi-bin/ response"
-  tcp-state established,responder
-  payload /.*[iI][nN][dD][eE][xX] [oO][fF] \/[cC][gG][iI]-[bB][iI][nN]\//
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-498-6 {
-  event "ATTACK-RESPONSES id check returned root"
-  payload /.*uid=0\x28root\x29/
-}
-
-signature s2b-1882-10 {
-  # Not supported: byte_test: 5,<,65537,0,relative,string,5,<,65537,0,relative,string
-  event "ATTACK-RESPONSES id check returned userid"
-  payload /.*uid=.{0,10} gid=/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1464-3 {
-  ip-proto == tcp
-  src-port == 8002
-  event "ATTACK-RESPONSES oracle one hour install"
-  tcp-state established,responder
-  payload /.*Oracle Applications One-Hour Install/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1900-10 {
-  ip-proto == tcp
-  src-port == 749
-  event "ATTACK-RESPONSES successful kadmind buffer overflow attempt"
-  tcp-state established,responder
-  payload /\*GOBBLE\*/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1901-10 {
-  ip-proto == tcp
-  src-port == 751
-  event "ATTACK-RESPONSES successful kadmind buffer overflow attempt"
-  tcp-state established,responder
-  payload /\*GOBBLE\*/
-}
-
-signature s2b-1810-9 {
-  ip-proto == tcp
-  src-port == 22
-  event "ATTACK-RESPONSES successful gobbles ssh exploit GOBBLE"
-  tcp-state established,responder
-  payload /.*\*GOBBLE\*/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1811-8 {
-  ip-proto == tcp
-  src-port == 22
-  event "ATTACK-RESPONSES successful gobbles ssh exploit uname"
-  tcp-state established,responder
-  payload /.*uname/
-}
-
-signature s2b-2104-3 {
-  ip-proto == tcp
-  src-port == 512
-  event "ATTACK-RESPONSES rexec username too long response"
-  tcp-state established,responder
-  payload /username too long/
-}
-
-signature s2b-2123-2 {
-  ip-proto == tcp
-  src-port < 21
-  src-port > 23
-  event "ATTACK-RESPONSES Microsoft cmd.exe banner"
-  tcp-state established,responder
-  payload /.*Microsoft Windows.*.*\x28C\x29 Copyright 1985-.*.*Microsoft Corp\./
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2412-3 {
-  ip-proto == tcp
-  event "ATTACK-RESPONSES successful cross site scripting forced download attempt"
-  tcp-state established,originator
-  payload /.*\x0AReferer\x3A res\x3A\/C\x3A/
-}
-
-signature s2b-103-7 {
-  ip-proto == tcp
-  src-port == 27374
-  event "BACKDOOR subseven 22"
-  tcp-state established,originator
-  payload /.*\x0D\x0A\[RPL\]002\x0D\x0A/
-}
-
-signature s2b-107-6 {
-  ip-proto == tcp
-  src-port == 16959
-  event "BACKDOOR subseven DEFCON8 2.1 access"
-  tcp-state established,responder
-  payload /.*PWD/
-}
-
-signature s2b-109-5 {
-  ip-proto == tcp
-  src-port >= 12345
-  src-port <= 12346
-  event "BACKDOOR netbus active"
-  tcp-state established,responder
-  payload /.*NetBus/
-}
-
-signature s2b-110-4 {
-  ip-proto == tcp
-  dst-port >= 12345
-  dst-port <= 12346
-  event "BACKDOOR netbus getinfo"
-  tcp-state established,originator
-  payload /.*GetInfo\x0D/
-}
-
-signature s2b-115-5 {
-  ip-proto == tcp
-  src-port == 20034
-  event "BACKDOOR netbus active"
-  tcp-state established,originator
-  payload /.*NetBus/
-}
-
-signature s2b-1980-1 {
-  ip-proto == udp
-  dst-port == 2140
-  event "BACKDOOR DeepThroat 3.1 Connection attempt"
-  payload /00/
-}
-
-signature s2b-195-5 {
-  ip-proto == udp
-  src-port == 2140
-  event "BACKDOOR DeepThroat 3.1 Server Response"
-  payload /.*Ahhhh My Mouth Is Open/
-}
-
-signature s2b-1981-1 {
-  ip-proto == udp
-  dst-port == 3150
-  event "BACKDOOR DeepThroat 3.1 Connection attempt [3150]"
-  payload /00/
-}
-
-signature s2b-1982-1 {
-  ip-proto == udp
-  src-port == 3150
-  event "BACKDOOR DeepThroat 3.1 Server Response [3150]"
-  payload /.*Ahhhh My Mouth Is Open/
-}
-
-signature s2b-1983-1 {
-  ip-proto == udp
-  dst-port == 4120
-  event "BACKDOOR DeepThroat 3.1 Connection attempt [4120]"
-  payload /00/
-}
-
-signature s2b-1984-1 {
-  ip-proto == udp
-  src-port == 4120
-  event "BACKDOOR DeepThroat 3.1 Server Response [4120]"
-  payload /.*Ahhhh My Mouth Is Open/
-}
-
-signature s2b-119-5 {
-  ip-proto == tcp
-  src-port == 6789
-  event "BACKDOOR Doly 2.0 access"
-  tcp-state established,responder
-  payload /.{0,23}Wtzup Use/
-}
-
-signature s2b-104-7 {
-  ip-proto == tcp
-  src-port >= 1024
-  src-port <= 65535
-  dst-port == 2589
-  event "BACKDOOR - Dagger_1.4.0_client_connect"
-  tcp-state established,originator
-  payload /.{0,1}\x0B\x00\x00\x00\x07\x00\x00\x00Connect/
-}
-
-signature s2b-105-7 {
-  ip-proto == tcp
-  src-port == 2589
-  dst-port >= 1024
-  dst-port <= 65535
-  event "BACKDOOR - Dagger_1.4.0"
-  tcp-state established,responder
-  payload /2\x00\x00\x00\x06\x00\x00\x00Drives\x24\x00/
-}
-
-signature s2b-106-8 {
-  ip-proto == tcp
-  src-port == 80
-  dst-port == 1054
-  header tcp[8:4] == 101058054
-  header tcp[13:1] & 255 == 16
-  header tcp[4:4] == 101058054
-  event "BACKDOOR ACKcmdC trojan scan"
-  tcp-state stateless
-}
-
-signature s2b-108-6 {
-  ip-proto == tcp
-  dst-port == 7597
-  event "BACKDOOR QAZ Worm Client Login access"
-  tcp-state established,originator
-  payload /.*qazwsx\.hsq/
-}
-
-signature s2b-117-6 {
-  ip-proto == tcp
-  src-port == 146
-  dst-port >= 1024
-  dst-port <= 65535
-  event "BACKDOOR Infector.1.x"
-  tcp-state established,responder
-  payload /.*WHATISIT/
-}
-
-signature s2b-118-5 {
-  ip-proto == tcp
-  src-port == 666
-  dst-port >= 1024
-  dst-port <= 65535
-  event "BACKDOOR SatansBackdoor.2.0.Beta"
-  tcp-state established,responder
-  payload /.*Remote\x3A You are connected to me\./
-}
-
-signature s2b-120-5 {
-  ip-proto == tcp
-  src-port == 146
-  dst-port >= 1000
-  dst-port <= 1300
-  event "BACKDOOR Infector 1.6 Server to Client"
-  tcp-state established,responder
-  payload /.*WHATISIT/
-}
-
-signature s2b-145-5 {
-  ip-proto == tcp
-  src-port != 80
-  dst-port == 21554
-  event "BACKDOOR GirlFriendaccess"
-  tcp-state established,originator
-  payload /.*Girl/
-}
-
-signature s2b-146-5 {
-  ip-proto == tcp
-  src-port == 30100
-  event "BACKDOOR NetSphere access"
-  tcp-state established,responder
-  payload /.*NetSphere/
-}
-
-signature s2b-147-5 {
-  ip-proto == tcp
-  src-port == 6969
-  event "BACKDOOR GateCrasher"
-  tcp-state established,responder
-  payload /.*GateCrasher/
-}
-
-signature s2b-152-6 {
-  ip-proto == tcp
-  src-port >= 5401
-  src-port <= 5402
-  event "BACKDOOR BackConstruction 2.1 Connection"
-  tcp-state established,responder
-  payload /.*c\x3A\x5C/
-}
-
-signature s2b-153-5 {
-  ip-proto == tcp
-  src-port == 23476
-  event "BACKDOOR DonaldDick 1.53 Traffic"
-  tcp-state established,responder
-  payload /.*pINg/
-}
-
-signature s2b-155-5 {
-  ip-proto == tcp
-  src-port >= 30100
-  src-port <= 30102
-  event "BACKDOOR NetSphere 1.31.337 access"
-  tcp-state established,responder
-  payload /.*NetSphere/
-}
-
-signature s2b-157-5 {
-  ip-proto == tcp
-  dst-port == 666
-  event "BACKDOOR BackConstruction 2.1 Client FTP Open Request"
-  tcp-state established,originator
-  payload /.*FTPON/
-}
-
-signature s2b-158-5 {
-  ip-proto == tcp
-  src-port == 666
-  event "BACKDOOR BackConstruction 2.1 Server FTP Open Reply"
-  tcp-state established,responder
-  payload /.*FTP Port open/
-}
-
-signature s2b-159-6 {
-  ip-proto == tcp
-  dst-port == 5032
-  dst-ip == local_nets
-  event "BACKDOOR NetMetro File List"
-  tcp-state established,originator
-  payload /.*--/
-}
-
-signature s2b-161-4 {
-  ip-proto == udp
-  src-port == 3344
-  dst-port == 3345
-  event "BACKDOOR Matrix 2.0 Client connect"
-  payload /.*activate/
-}
-
-signature s2b-162-4 {
-  ip-proto == udp
-  src-port == 3345
-  dst-port == 3344
-  event "BACKDOOR Matrix 2.0 Server access"
-  payload /.*logged in/
-}
-
-signature s2b-163-8 {
-  ip-proto == tcp
-  src-port == 5714
-  header tcp[13:1] & 255 == 18
-  event "BACKDOOR WinCrash 1.0 Server Active"
-  tcp-state stateless
-  payload /.*\xB4\xB4/
-}
-
-signature s2b-185-5 {
-  ip-proto == tcp
-  dst-port == 79
-  event "BACKDOOR CDK"
-  tcp-state established,originator
-  payload /.{0,9}[yY][pP][iI]0[cC][aA]/
-}
-
-signature s2b-208-5 {
-  ip-proto == tcp
-  src-port == 555
-  event "BACKDOOR PhaseZero Server Active on Network"
-  tcp-state established,responder
-  payload /.*phAse/
-}
-
-signature s2b-209-4 {
-  ip-proto == tcp
-  dst-port == 23
-  event "BACKDOOR w00w00 attempt"
-  tcp-state established,originator
-  payload /.*w00w00/
-}
-
-signature s2b-210-3 {
-  ip-proto == tcp
-  dst-port == 23
-  event "BACKDOOR attempt"
-  tcp-state established,originator
-  payload /.*[bB][aA][cC][kK][dD][oO][oO][rR]/
-}
-
-signature s2b-211-3 {
-  ip-proto == tcp
-  dst-port == 23
-  event "BACKDOOR MISC r00t attempt"
-  tcp-state established,originator
-  payload /.*r00t/
-}
-
-signature s2b-212-3 {
-  ip-proto == tcp
-  dst-port == 23
-  event "BACKDOOR MISC rewt attempt"
-  tcp-state established,originator
-  payload /.*rewt/
-}
-
-signature s2b-213-4 {
-  ip-proto == tcp
-  dst-port == 23
-  event "BACKDOOR MISC Linux rootkit attempt"
-  tcp-state established,originator
-  payload /.*wh00t!/
-}
-
-signature s2b-214-4 {
-  ip-proto == tcp
-  dst-port == 23
-  event "BACKDOOR MISC Linux rootkit attempt lrkr0x"
-  tcp-state established,originator
-  payload /.*lrkr0x/
-}
-
-signature s2b-215-4 {
-  ip-proto == tcp
-  dst-port == 23
-  event "BACKDOOR MISC Linux rootkit attempt"
-  tcp-state established,originator
-  payload /.*[dD]13[hH][hH]\[/
-}
-
-signature s2b-216-6 {
-  ip-proto == tcp
-  dst-port == 23
-  event "BACKDOOR MISC Linux rootkit satori attempt"
-  tcp-state established,originator
-  payload /.*satori/
-}
-
-signature s2b-217-3 {
-  ip-proto == tcp
-  dst-port == 23
-  event "BACKDOOR MISC sm4ck attempt"
-  tcp-state established,originator
-  payload /.*hax0r/
-}
-
-signature s2b-219-6 {
-  ip-proto == tcp
-  dst-port == 23
-  event "BACKDOOR HidePak backdoor attempt"
-  tcp-state established,originator
-  payload /.*StoogR/
-}
-
-signature s2b-614-7 {
-  ip-proto == tcp
-  src-port == 31790
-  dst-port == 31789
-  header tcp[13:1] & 255 == 16
-  event "BACKDOOR hack-a-tack attempt"
-  tcp-state stateless
-  payload /A/
-}
-
-signature s2b-1853-6 {
-  ip-proto == udp
-  dst-port == 35555
-  event "BACKDOOR win-trin00 connection attempt"
-  payload /png \[\]\.\.Ks l44/
-}
-
-signature s2b-1843-6 {
-  ip-proto == tcp
-  dst-port == 33270
-  event "BACKDOOR trinity connection attempt"
-  tcp-state established,originator
-  payload /!@\x23/
-}
-
-signature s2b-2100-2 {
-  ip-proto == tcp
-  event "BACKDOOR SubSeven 2.1 Gold server connection response"
-  tcp-state established,responder
-  payload /connected\. time\/date\x3A .{1}.*version\x3A GOLD 2\.1/
-}
-
-signature s2b-2124-3 {
-  ip-proto == tcp
-  dst-port == 34012
-  event "BACKDOOR Remote PC Access connection attempt"
-  tcp-state established,originator
-  payload /\x28\x00\x01\x00\x04\x00\x00\x00\x00\x00\x00\x00/
-}
-
-signature s2b-2271-2 {
-  ip-proto == tcp
-  event "BACKDOOR FsSniffer connection attempt"
-  tcp-state established,originator
-  payload /.*RemoteNC Control Password\x3A/
-}
-
-signature s2b-2375-3 {
-  ip-proto == tcp
-  dst-port >= 3127
-  dst-port <= 3199
-  event "BACKDOOR DoomJuice file upload attempt"
-  tcp-state established,originator
-  payload /^\x85\x13<\x9E\xA2/
-}
-
-signature s2b-542-10 {
-  ip-proto == tcp
-  dst-port >= 6666
-  dst-port <= 7000
-  event "CHAT IRC nick change"
-  tcp-state established,originator
-  payload /.*NICK /
-}
-
-signature s2b-1639-6 {
-  ip-proto == tcp
-  dst-port >= 6666
-  dst-port <= 7000
-  event "CHAT IRC DCC file transfer request"
-  tcp-state established,originator
-  payload /.*[pP][rR][iI][vV][mM][sS][gG] /
-  payload /.* \x3A\.[dD][cC][cC] [sS][eE][nN][dD]/
-}
-
-signature s2b-1640-6 {
-  ip-proto == tcp
-  dst-port >= 6666
-  dst-port <= 7000
-  event "CHAT IRC DCC chat request"
-  tcp-state established,originator
-  payload /.*[pP][rR][iI][vV][mM][sS][gG] /
-  payload /.* \x3A\.[dD][cC][cC] [cC][hH][aA][tT] [cC][hH][aA][tT]/
-}
-
-signature s2b-1729-5 {
-  ip-proto == tcp
-  dst-port >= 6666
-  dst-port <= 7000
-  event "CHAT IRC channel join"
-  tcp-state established,originator
-  payload /.*[jJ][oO][iI][nN] \x3A \x23/
-}
-
-signature s2b-1463-6 {
-  ip-proto == tcp
-  src-port >= 6666
-  src-port <= 7000
-  event "CHAT IRC message"
-  tcp-state established
-  payload /.*[pP][rR][iI][vV][mM][sS][gG] /
-}
-
-signature s2b-1789-3 {
-  ip-proto == tcp
-  dst-port >= 6666
-  dst-port <= 7000
-  event "CHAT IRC dns request"
-  tcp-state established,originator
-  payload /.*[uU][sS][eE][rR][hH][oO][sS][tT] /
-}
-
-signature s2b-1790-4 {
-  ip-proto == tcp
-  src-port >= 6666
-  src-port <= 7000
-  event "CHAT IRC dns response"
-  tcp-state established,responder
-  payload /.*\x3A/
-  payload /.* 302 /
-  payload /.*=\+/
-}
-
-signature s2b-221-3 {
-  ip-proto == icmp
-  header icmp[0:1] == 8
-  event "DDOS TFN Probe"
-  header ip[4:2] == 678
-  payload /.*1234/
-}
-
-signature s2b-222-2 {
-  ip-proto == icmp
-  header icmp[0:1] == 0
-  event "DDOS tfn2k icmp possible communication"
-  header icmp[0:1] == 0,8
-  header icmp[4:2] == 0
-  payload /.*AAAAAAAAAA/
-}
-
-signature s2b-223-3 {
-  ip-proto == udp
-  dst-port == 31335
-  event "DDOS Trin00 Daemon to Master PONG message detected"
-  payload /.*PONG/
-}
-
-signature s2b-228-3 {
-  ip-proto == icmp
-  header icmp[0:1] == 0
-  header icmp[0:1] == 0,8
-  header icmp[6:2] == 0
-  event "DDOS TFN client command BE"
-  header icmp[0:1] == 0,8
-  header icmp[4:2] == 456
-}
-
-signature s2b-230-5 {
-  ip-proto == tcp
-  src-port == 20432
-  event "DDOS shaft client login to handler"
-  tcp-state established,responder
-  payload /.*login\x3A/
-}
-
-signature s2b-239-2 {
-  ip-proto == udp
-  dst-port == 18753
-  event "DDOS shaft handler to agent"
-  payload /.*alive tijgu/
-}
-
-signature s2b-240-2 {
-  ip-proto == udp
-  dst-port == 20433
-  event "DDOS shaft agent to handler"
-  payload /.*alive/
-}
-
-signature s2b-241-7 {
-  ip-proto == tcp
-  header tcp[13:1] & 255 == 2
-  header tcp[4:4] == 674711609
-  event "DDOS shaft synflood"
-  tcp-state stateless
-}
-
-signature s2b-231-3 {
-  ip-proto == udp
-  dst-port == 31335
-  event "DDOS Trin00 Daemon to Master message detected"
-  payload /.*l44/
-}
-
-signature s2b-232-5 {
-  ip-proto == udp
-  dst-port == 31335
-  event "DDOS Trin00 Daemon to Master *HELLO* message detected"
-  payload /.*\*HELLO\*/
-}
-
-signature s2b-233-3 {
-  ip-proto == tcp
-  dst-port == 27665
-  event "DDOS Trin00 Attacker to Master default startup password"
-  tcp-state established,originator
-  payload /.*betaalmostdone/
-}
-
-signature s2b-234-2 {
-  ip-proto == tcp
-  dst-port == 27665
-  event "DDOS Trin00 Attacker to Master default password"
-  tcp-state established,originator
-  payload /.*gOrave/
-}
-
-signature s2b-235-2 {
-  ip-proto == tcp
-  dst-port == 27665
-  event "DDOS Trin00 Attacker to Master default mdie password"
-  tcp-state established,originator
-  payload /.*killme/
-}
-
-signature s2b-237-2 {
-  ip-proto == udp
-  dst-port == 27444
-  event "DDOS Trin00 Master to Daemon default password attempt"
-  payload /.*l44adsl/
-}
-
-signature s2b-243-2 {
-  ip-proto == udp
-  dst-port == 6838
-  event "DDOS mstream agent to handler"
-  payload /.*newserver/
-}
-
-signature s2b-244-3 {
-  ip-proto == udp
-  dst-port == 10498
-  event "DDOS mstream handler to agent"
-  payload /.*stream\//
-}
-
-signature s2b-245-3 {
-  ip-proto == udp
-  dst-port == 10498
-  event "DDOS mstream handler ping to agent"
-  payload /.*ping/
-}
-
-signature s2b-246-2 {
-  ip-proto == udp
-  dst-port == 10498
-  event "DDOS mstream agent pong to handler"
-  payload /.*pong/
-}
-
-signature s2b-247-4 {
-  ip-proto == tcp
-  dst-port == 12754
-  event "DDOS mstream client to handler"
-  tcp-state established,originator
-  payload /.*>/
-}
-
-signature s2b-249-7 {
-  ip-proto == tcp
-  dst-port == 15104
-  header tcp[13:1] & 255 == 2
-  event "DDOS mstream client to handler"
-  tcp-state stateless
-}
-
-signature s2b-250-4 {
-  ip-proto == tcp
-  src-port == 15104
-  event "DDOS mstream handler to client"
-  tcp-state established,responder
-  payload /.*>/
-}
-
-signature s2b-251-3 {
-  ip-proto == icmp
-  header icmp[0:1] == 0
-  header icmp[0:1] == 0,8
-  header icmp[6:2] == 0
-  event "DDOS - TFN client command LE"
-  header icmp[0:1] == 0,8
-  header icmp[4:2] == 51201
-}
-
-signature s2b-224-3 {
-  ip-proto == icmp
-  src-ip == 3.3.3.3/32
-  header icmp[0:1] == 0
-  event "DDOS Stacheldraht server spoof"
-  header icmp[0:1] == 0,8
-  header icmp[4:2] == 666
-}
-
-signature s2b-225-6 {
-  ip-proto == icmp
-  header icmp[0:1] == 0
-  event "DDOS Stacheldraht gag server response"
-  header icmp[0:1] == 0,8
-  header icmp[4:2] == 669
-  payload /.*sicken/
-}
-
-signature s2b-226-6 {
-  ip-proto == icmp
-  header icmp[0:1] == 0
-  event "DDOS Stacheldraht server response"
-  header icmp[0:1] == 0,8
-  header icmp[4:2] == 667
-  payload /.*ficken/
-}
-
-signature s2b-227-6 {
-  ip-proto == icmp
-  header icmp[0:1] == 0
-  event "DDOS Stacheldraht client spoofworks"
-  header icmp[0:1] == 0,8
-  header icmp[4:2] == 1000
-  payload /.*spoofworks/
-}
-
-signature s2b-236-6 {
-  ip-proto == icmp
-  header icmp[0:1] == 0
-  event "DDOS Stacheldraht client check gag"
-  header icmp[0:1] == 0,8
-  header icmp[4:2] == 668
-  payload /.*gesundheit!/
-}
-
-signature s2b-229-5 {
-  ip-proto == icmp
-  header icmp[0:1] == 0
-  event "DDOS Stacheldraht client check skillz"
-  header icmp[0:1] == 0,8
-  header icmp[4:2] == 666
-  payload /.*skillz/
-}
-
-signature s2b-1854-7 {
-  ip-proto == icmp
-  header icmp[0:1] == 0
-  event "DDOS Stacheldraht handler->agent niggahbitch"
-  header icmp[0:1] == 0,8
-  header icmp[4:2] == 9015
-  payload /.*niggahbitch/
-}
-
-signature s2b-1855-7 {
-  ip-proto == icmp
-  header icmp[0:1] == 0
-  event "DDOS Stacheldraht agent->handler skillz"
-  header icmp[0:1] == 0,8
-  header icmp[4:2] == 6666
-  payload /.*skillz/
-}
-
-signature s2b-1856-7 {
-  ip-proto == icmp
-  header icmp[0:1] == 0
-  event "DDOS Stacheldraht handler->agent ficken"
-  header icmp[0:1] == 0,8
-  header icmp[4:2] == 6667
-  payload /.*ficken/
-}
-
-signature s2b-255-11 {
-  ip-proto == tcp
-  dst-port == 53
-  event "DNS zone transfer TCP"
-  tcp-state established,originator
-  payload /.{14}.*\x00\x00\xFC/
-}
-
-signature s2b-1948-4 {
-  ip-proto == udp
-  dst-port == 53
-  event "DNS zone transfer UDP"
-  payload /.{13}.*\x00\x00\xFC/
-}
-
-signature s2b-1435-6 {
-  ip-proto == tcp
-  dst-port == 53
-  event "DNS named authors attempt"
-  tcp-state established,originator
-  payload /.{11}.*\x07[aA][uU][tT][hH][oO][rR][sS]/
-  payload /.{11}.*\x04[bB][iI][nN][dD]/
-}
-
-signature s2b-256-5 {
-  ip-proto == udp
-  dst-port == 53
-  event "DNS named authors attempt"
-  payload /.{11}.*\x07[aA][uU][tT][hH][oO][rR][sS]/
-  payload /.{11}.*\x04[bB][iI][nN][dD]/
-}
-
-signature s2b-257-8 {
-  ip-proto == tcp
-  dst-port == 53
-  event "DNS named version attempt"
-  tcp-state established,originator
-  payload /.{11}.*\x07[vV][eE][rR][sS][iI][oO][nN]/
-  payload /.{11}.*\x04[bB][iI][nN][dD]/
-}
-
-signature s2b-253-4 {
-  ip-proto == udp
-  src-port == 53
-  event "DNS SPOOF query response PTR with TTL of 1 min. and no authority"
-  payload /.*\x85\x80\x00\x01\x00\x01\x00\x00\x00\x00/
-  payload /.*\xC0\x0C\x00\x0C\x00\x01\x00\x00\x00<\x00\x0F/
-}
-
-signature s2b-254-4 {
-  ip-proto == udp
-  src-port == 53
-  event "DNS SPOOF query response with TTL of 1 min. and no authority"
-  payload /.*\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00/
-  payload /.*\xC0\x0C\x00\x01\x00\x01\x00\x00\x00<\x00\x04/
-}
-
-signature s2b-303-11 {
-  ip-proto == tcp
-  dst-port == 53
-  event "DNS EXPLOIT named tsig overflow attempt"
-  tcp-state established,originator
-  payload /.*\xAB\xCD\x09\x80\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x01\x00\x01    \x02a/
-}
-
-signature s2b-314-9 {
-  ip-proto == udp
-  dst-port == 53
-  event "DNS EXPLOIT named tsig overflow attempt"
-  payload /.*\x80\x00\x07\x00\x00\x00\x00\x00\x01\?\x00\x01\x02/
-}
-
-signature s2b-259-7 {
-  ip-proto == tcp
-  dst-port == 53
-  event "DNS EXPLOIT named overflow ADM"
-  tcp-state established,originator
-  payload /.*thisissometempspaceforthesockinaddrinyeahyeahiknowthisislamebutanywaywhocareshorizongotitworkingsoalliscool/
-}
-
-signature s2b-260-9 {
-  ip-proto == tcp
-  dst-port == 53
-  event "DNS EXPLOIT named overflow ADMROCKS"
-  tcp-state established,originator
-  payload /.*ADMROCKS/
-}
-
-signature s2b-261-6 {
-  ip-proto == tcp
-  dst-port == 53
-  event "DNS EXPLOIT named overflow attempt"
-  tcp-state established,originator
-  payload /.*\xCD\x80\xE8\xD7\xFF\xFF\xFF\/bin\/sh/
-}
-
-signature s2b-262-6 {
-  ip-proto == tcp
-  dst-port == 53
-  event "DNS EXPLOIT x86 Linux overflow attempt"
-  tcp-state established,originator
-  payload /.*1\xC0\xB0\?1\xDB\xB3\xFF1\xC9\xCD\x801\xC0/
-}
-
-signature s2b-264-6 {
-  ip-proto == tcp
-  dst-port == 53
-  event "DNS EXPLOIT x86 Linux overflow attempt"
-  tcp-state established,originator
-  payload /.*1\xC0\xB0\x02\xCD\x80\x85\xC0uL\xEBL\^\xB0/
-}
-
-signature s2b-265-7 {
-  ip-proto == tcp
-  dst-port == 53
-  event "DNS EXPLOIT x86 Linux overflow attempt ADMv2"
-  tcp-state established,originator
-  payload /.*\x89\xF7\x29\xC7\x89\xF3\x89\xF9\x89\xF2\xAC<\xFE/
-}
-
-signature s2b-266-6 {
-  ip-proto == tcp
-  dst-port == 53
-  event "DNS EXPLOIT x86 FreeBSD overflow attempt"
-  tcp-state established,originator
-  payload /.*\xEBn\^\xC6\x06\x9A1\xC9\x89N\x01\xC6F\x05/
-}
-
-signature s2b-267-5 {
-  ip-proto == tcp
-  dst-port == 53
-  event "DNS EXPLOIT sparc overflow attempt"
-  tcp-state established,originator
-  payload /.*\x90\x1A\xC0\x0F\x90\x02 \x08\x92\x02 \x0F\xD0\x23\xBF\xF8/
-}
-
-signature s2b-268-4 {
-  payload-size == 408
-  event "DOS Jolt attack"
-  header ip[6:1] & 224 == 32
-}
-
-signature s2b-270-6 {
-  ip-proto == udp
-  event "DOS Teardrop attack"
-  header ip[6:1] & 224 == 32
-  header ip[4:2] == 242
-}
-
-signature s2b-271-4 {
-  ip-proto == udp
-  src-port == 7
-  dst-port == 19
-  event "DOS UDP echo+chargen bomb"
-}
-
-signature s2b-272-7 {
-  header ip[9:1] == 2
-  event "DOS IGMP dos attack"
-  header ip[6:1] & 224 == 32
-  payload /\x02\x00/
-}
-
-signature s2b-273-7 {
-  header ip[9:1] == 2
-  event "DOS IGMP dos attack"
-  header ip[6:1] & 224 == 32
-  payload /\x00\x00/
-}
-
-signature s2b-274-5 {
-  ip-proto == icmp
-  header icmp[0:1] == 8
-  event "DOS ath"
-  payload /.*\+\+\+[aA][tT][hH]/
-}
-
-signature s2b-275-10 {
-  ip-proto == tcp
-  header tcp[13:1] & 255 == 2
-  header tcp[4:4] == 6060842
-  event "DOS NAPTHA"
-  tcp-state stateless
-  header ip[4:2] == 413
-}
-
-signature s2b-276-5 {
-  ip-proto == tcp
-  dst-port == 7070
-  event "DOS Real Audio Server"
-  tcp-state established,originator
-  payload /.*\xFF\xF4\xFF\xFD\x06/
-}
-
-signature s2b-278-5 {
-  ip-proto == tcp
-  dst-port == 8080
-  event "DOS Real Server template.html"
-  tcp-state established,originator
-  payload /.*\/[vV][iI][eE][wW][sS][oO][uU][rR][cC][eE]\/[tT][eE][mM][pP][lL][aA][tT][eE]\.[hH][tT][mM][lL]\?/
-}
-
-signature s2b-279-3 {
-  ip-proto == udp
-  dst-port == 161
-  payload-size == 0
-  event "DOS Bay/Nortel Nautica Marlin"
-}
-
-signature s2b-281-5 {
-  ip-proto == udp
-  dst-port == 9
-  event "DOS Ascend Route"
-  payload /.{24}.{0,17}NAMENAME/
-}
-
-signature s2b-282-7 {
-  ip-proto == tcp
-  dst-port == 617
-  payload-size > 1445
-  event "DOS arkiea backup"
-  tcp-state established,originator
-}
-
-signature s2b-1257-8 {
-  ip-proto == tcp
-  dst-port >= 135
-  dst-port <= 139
-  header tcp[13:1] & 255 == 32
-  event "DOS Winnuke attack"
-  tcp-state stateless
-}
-
-signature s2b-1408-8 {
-  ip-proto == tcp
-  dst-port == 3372
-  event "DOS MSDTC attempt"
-  tcp-state established,originator
-  payload-size == 1024
-}
-
-signature s2b-1605-6 {
-  ip-proto == tcp
-  dst-port == 6004
-  dst-ip == local_nets
-  event "DOS iParty DOS attempt"
-  tcp-state established,originator
-  payload /.*\xFF\xFF\xFF\xFF\xFF\xFF/
-}
-
-signature s2b-1641-5 {
-  ip-proto == tcp
-  dst-port >= 6789
-  dst-port <= 6790
-  payload-size == 1
-  event "DOS DB2 dos attempt"
-  tcp-state established,originator
-}
-
-signature s2b-1545-7 {
-  ip-proto == tcp
-  dst-port == 80
-  payload-size == 1
-  event "DOS Cisco attempt"
-  tcp-state established,originator
-  payload /\x13/
-}
-
-signature s2b-2486-5 {
-  ip-proto == udp
-  dst-port == 500
-  # Not supported: byte_test: 2,>,4,30,2,<,8,30
-  event "DOS ISAKMP invalid identification payload attempt"
-  payload /.{15}\x05/
-}
-
-signature s2b-1324-6 {
-  ip-proto == tcp
-  dst-port == 22
-  event "EXPLOIT ssh CRC32 overflow /bin/sh"
-  tcp-state established,originator
-  payload /.*\/bin\/sh/
-}
-
-signature s2b-1326-6 {
-  ip-proto == tcp
-  dst-port == 22
-  event "EXPLOIT ssh CRC32 overflow NOOP"
-  tcp-state established,originator
-  payload /.*\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90/
-}
-
-signature s2b-1327-7 {
-  ip-proto == tcp
-  dst-port == 22
-  event "EXPLOIT ssh CRC32 overflow"
-  tcp-state established,originator
-  payload /\x00\x01W\x00\x00\x00\x18/
-  payload /.{7}\xFF\xFF\xFF\xFF\x00\x00/
-}
-
-signature s2b-283-10 {
-  ip-proto == tcp
-  src-port == 80
-  event "EXPLOIT Netscape 4.7 client overflow"
-  tcp-state established,responder
-  payload /.*3\xC9\xB1\x10\?\xE9\x06Q<\xFAG3\xC0P\xF7\xD0P/
-}
-
-signature s2b-300-7 {
-  ip-proto == tcp
-  dst-port == 2766
-  event "EXPLOIT nlps x86 Solaris overflow"
-  tcp-state established,originator
-  payload /.*\xEB\x23\^3\xC0\x88F\xFA\x89F\xF5\x896/
-}
-
-signature s2b-301-7 {
-  ip-proto == tcp
-  dst-port == 515
-  event "EXPLOIT LPRng overflow"
-  tcp-state established,originator
-  payload /.*C\x07\x89\[\x08\x8DK\x08\x89C\x0C\xB0\x0B\xCD\x801\xC0\xFE\xC0\xCD\x80\xE8\x94\xFF\xFF\xFF\/bin\/sh\x0A/
-}
-
-signature s2b-302-6 {
-  ip-proto == tcp
-  dst-port == 515
-  event "EXPLOIT Redhat 7.0 lprd overflow"
-  tcp-state established,originator
-  payload /.*XXXX%\.172u%300\x24n/
-}
-
-signature s2b-305-9 {
-  ip-proto == tcp
-  dst-port == 8080
-  payload-size > 1000
-  event "EXPLOIT delegate proxy overflow"
-  tcp-state established,originator
-  payload /.*[wW][hH][oO][iI][sS]\x3A\/\//
-}
-
-signature s2b-308-8 {
-  ip-proto == tcp
-  src-port == 21
-  event "EXPLOIT NextFTP client overflow"
-  tcp-state established,responder
-  payload /.*\xB4 \xB4!\x8B\xCC\x83\xE9\x04\x8B\x193\xC9f\xB9\x10/
-}
-
-signature s2b-309-9 {
-  ip-proto == tcp
-  dst-port == 25
-  payload-size > 512
-  header tcp[13:1] & 255 == 16
-  event "EXPLOIT sniffit overflow"
-  tcp-state stateless
-  payload /.*[fF][rR][oO][mM]\x3A\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90/
-}
-
-signature s2b-310-8 {
-  ip-proto == tcp
-  dst-port == 25
-  event "EXPLOIT x86 windows MailMax overflow"
-  tcp-state established,originator
-  payload /.*\xEBE\xEB \[\xFC3\xC9\xB1\x82\x8B\xF3\x80\+/
-}
-
-signature s2b-311-11 {
-  ip-proto == tcp
-  dst-port == 80
-  event "EXPLOIT Netscape 4.7 unsucessful overflow"
-  tcp-state established,originator
-  payload /.*3\xC9\xB1\x10\?\xE9\x06Q<\xFAG3\xC0P\xF7\xD0P/
-}
-
-signature s2b-313-4 {
-  ip-proto == udp
-  dst-port == 518
-  event "EXPLOIT ntalkd x86 Linux overflow"
-  payload /.*\x01\x03\x00\x00\x00\x00\x00\x01\x00\x02\x02\xE8/
-}
-
-signature s2b-315-6 {
-  ip-proto == udp
-  dst-port == 635
-  event "EXPLOIT x86 Linux mountd overflow"
-  payload /.*\^\xB0\x02\x89\x06\xFE\xC8\x89F\x04\xB0\x06\x89F/
-}
-
-signature s2b-316-6 {
-  ip-proto == udp
-  dst-port == 635
-  event "EXPLOIT x86 Linux mountd overflow"
-  payload /.*\xEBV\^VVV1\xD2\x88V\x0B\x88V\x1E/
-}
-
-signature s2b-317-6 {
-  ip-proto == udp
-  dst-port == 635
-  event "EXPLOIT x86 Linux mountd overflow"
-  payload /.*\xEB@\^1\xC0@\x89F\x04\x89\xC3@\x89\x06/
-}
-
-signature s2b-1240-5 {
-  ip-proto == tcp
-  dst-port == 2224
-  event "EXPLOIT MDBMS overflow"
-  tcp-state established,originator
-  payload /.*\x011\xDB\xCD\x80\xE8\[\xFF\xFF\xFF/
-}
-
-signature s2b-1261-10 {
-  ip-proto == tcp
-  dst-port == 4242
-  payload-size > 1000
-  event "EXPLOIT AIX pdnsd overflow"
-  tcp-state established,originator
-  payload /.*\x7F\xFF\xFBx\x7F\xFF\xFBx\x7F\xFF\xFBx\x7F\xFF\xFBx/
-  payload /.*@\x8A\xFF\xC8@\x82\xFF\xD8\x3B6\xFE\x03\x3Bv\xFE\x02/
-}
-
-signature s2b-1398-10 {
-  ip-proto == tcp
-  dst-port == 6112
-  event "EXPLOIT CDE dtspcd exploit attempt"
-  tcp-state established,originator
-  payload /.{9}1/
-  payload /.{10}<willnevermatch>/
-}
-
-signature s2b-1751-5 {
-  ip-proto == tcp
-  dst-port >= 32772
-  dst-port <= 34000
-  payload-size > 720
-  event "EXPLOIT cachefsd buffer overflow attempt"
-  tcp-state established,originator
-  payload /.*\x00\x01\x87\x86\x00\x00\x00\x01\x00\x00\x00\x05/
-}
-
-signature s2b-1894-8 {
-  ip-proto == tcp
-  dst-port == 749
-  event "EXPLOIT kadmind buffer overflow attempt"
-  tcp-state established,originator
-  payload /.*\x00\xC0\x05\x08\x00\xC0\x05\x08\x00\xC0\x05\x08\x00\xC0\x05\x08/
-}
-
-signature s2b-1895-8 {
-  ip-proto == tcp
-  dst-port == 751
-  event "EXPLOIT kadmind buffer overflow attempt"
-  tcp-state established,originator
-  payload /.*\x00\xC0\x05\x08\x00\xC0\x05\x08\x00\xC0\x05\x08\x00\xC0\x05\x08/
-}
-
-signature s2b-1896-8 {
-  ip-proto == tcp
-  dst-port == 749
-  event "EXPLOIT kadmind buffer overflow attempt"
-  tcp-state established,originator
-  payload /.*\xFF\xFFKADM0\.0A\x00\x00\xFB\x03/
-}
-
-signature s2b-1897-8 {
-  ip-proto == tcp
-  dst-port == 751
-  event "EXPLOIT kadmind buffer overflow attempt"
-  tcp-state established,originator
-  payload /.*\xFF\xFFKADM0\.0A\x00\x00\xFB\x03/
-}
-
-signature s2b-1898-8 {
-  ip-proto == tcp
-  dst-port == 749
-  event "EXPLOIT kadmind buffer overflow attempt"
-  tcp-state established,originator
-  payload /.*\/shh\/\/bi/
-}
-
-signature s2b-1899-8 {
-  ip-proto == tcp
-  dst-port == 751
-  event "EXPLOIT kadmind buffer overflow attempt"
-  tcp-state established,originator
-  payload /.*\/shh\/\/bi/
-}
-
-signature s2b-1812-5 {
-  ip-proto == tcp
-  dst-port == 22
-  event "EXPLOIT gobbles SSH exploit attempt"
-  tcp-state established,originator
-  payload /.*GOBBLES/
-}
-
-signature s2b-1821-7 {
-  ip-proto == tcp
-  dst-port == 515
-  event "EXPLOIT LPD dvips remote command execution attempt"
-  tcp-state established,originator
-  payload /.*psfile=\x22`/
-}
-
-signature s2b-1838-8 {
-  ip-proto == tcp
-  src-port == 22
-  # Not supported: pcre: /^SSH-\s[^\n]{200}/ism
-  event "EXPLOIT SSH server banner overflow"
-  tcp-state established,responder
-  # Not supported: isdataat: 200,relative
-  payload /((^)|(\n+))[sS][sS][hH]-[\x20\x09\x0b][^\n]{200}/
-}
-
-signature s2b-307-9 {
-  ip-proto == tcp
-  dst-port >= 6666
-  dst-port <= 7000
-  event "EXPLOIT CHAT IRC topic overflow"
-  tcp-state established,responder
-  payload /.*\xEBK\[S2\xE4\x83\xC3\x0BK\x88\x23\xB8Pw/
-}
-
-signature s2b-1382-9 {
-  ip-proto == tcp
-  dst-port >= 6666
-  dst-port <= 7000
-  # Not supported: pcre: /^PRIVMSG\s+nickserv\s+IDENTIFY\s[^\n]{100}/smi
-  event "EXPLOIT CHAT IRC Ettercap parse overflow attempt"
-  tcp-state established,originator
-  # Not supported: isdataat: 100,relative
-  payload /((^)|(\n+))[pP][rR][iI][vV][mM][sS][gG][\x20\x09\x0b]+[nN][iI][cC][kK][sS][eE][rR][vV][\x20\x09\x0b]+[iI][dD][eE][nN][tT][iI][fF][yY][\x20\x09\x0b][^\n]{100}/
-}
-
-signature s2b-292-8 {
-  ip-proto == tcp
-  dst-port == 139
-  event "EXPLOIT x86 Linux samba overflow"
-  tcp-state established,originator
-  payload /.*\xEB\/_\xEBJ\^\x89\xFB\x89>\x89\xF2/
-}
-
-signature s2b-2319-1 {
-  ip-proto == tcp
-  dst-port == 1655
-  # Not supported: pcre: /^PASS\s[^\n]{49}/smi
-  event "EXPLOIT ebola PASS overflow attempt"
-  tcp-state established,originator
-  payload /((^)|(\n+))[uU][sS][eE][rR][\x20\x09\x0b][^\n]{49}/
-}
-
-signature s2b-2320-1 {
-  ip-proto == tcp
-  dst-port == 1655
-  # Not supported: pcre: /^USER\s[^\n]{49}/smi
-  event "EXPLOIT ebola USER overflow attempt"
-  tcp-state established,originator
-  payload /((^)|(\n+))[uU][sS][eE][rR][^\x0a]{49}/
-}
-
-signature s2b-2376-3 {
-  ip-proto == udp
-  dst-port == 500
-  # Not supported: byte_test: 4,>,2043,24,2,>,2043,30
-  event "EXPLOIT ISAKMP first payload certificate request length overflow attempt"
-  payload /.{15}\x07/
-}
-
-signature s2b-2377-3 {
-  ip-proto == udp
-  dst-port == 500
-  # Not supported: byte_test: 4,>,2043,24,2,>,2043,-2,relative
-  # Not supported: byte_jump: 2,30
-  event "EXPLOIT ISAKMP second payload certificate request length overflow attempt"
-  payload /.{27}\x07/
-}
-
-signature s2b-2378-3 {
-  ip-proto == udp
-  dst-port == 500
-  # Not supported: byte_test: 4,>,2043,24,2,>,2043,-2,relative
-  # Not supported: byte_jump: 2,30,relative,2,1,relative
-  event "EXPLOIT ISAKMP third payload certificate request length overflow attempt"
-  payload /\x07/
-}
-
-signature s2b-2379-3 {
-  ip-proto == udp
-  dst-port == 500
-  # Not supported: byte_test: 4,>,2043,24,2,>,2043,-2,relative
-  # Not supported: byte_jump: 2,30,relative,2,-2,relative,2,1,relative
-  event "EXPLOIT ISAKMP forth payload certificate request length overflow attempt"
-  payload /\x07/
-}
-
-signature s2b-2380-3 {
-  ip-proto == udp
-  dst-port == 500
-  # Not supported: byte_test: 4,>,2043,24,2,>,2043,-2,relative
-  # Not supported: byte_jump: 2,30,relative,2,-2,relative,2,-2,relative,2,1,relative
-  event "EXPLOIT ISAKMP fifth payload certificate request length overflow attempt"
-  payload /\x07/
-}
-
-signature s2b-2413-7 {
-  ip-proto == udp
-  dst-port == 500
-  event "EXPLOIT ISAKMP delete hash with empty hash attempt"
-  payload /.{15}\x08/
-  payload /.{27}\x0C/
-  payload /.{29}\x00\x04/
-}
-
-signature s2b-2414-7 {
-  ip-proto == udp
-  dst-port == 500
-  event "EXPLOIT ISAKMP initial contact notification without SPI attempt"
-  payload /.{15}\x0B/
-  payload /.{29}\x00\x0C\x00\x00\x00\x01\x01\x00\x06\x02/
-}
-
-signature s2b-2415-7 {
-  ip-proto == udp
-  dst-port == 500
-  # Not supported: byte_jump: 2,30
-  event "EXPLOIT ISAKMP second payload initial contact notification without SPI attempt"
-  payload /.{27}\x0B\x00\x0C\x00\x00\x00\x01\x01\x00`\x02/
-}
-
-signature s2b-2443-4 {
-  ip-proto == udp
-  src-port == 4000
-  # Not supported: byte_test: 1,>,1,12,relative,2,>,128,18,relative,little
-  event "EXPLOIT ICQ SRV_MULTI/SRV_META_USER first name overflow attempt"
-  payload /\x05\x00.{5}\x12\x02.*.*\x05\x00.{5}n\x00/
-  payload /.*\x05\x00.{5}\xDE\x03/
-}
-
-signature s2b-2444-4 {
-  ip-proto == udp
-  src-port == 4000
-  # Not supported: byte_jump: 2,18,relative,little
-  event "EXPLOIT ICQ SRV_MULTI/SRV_META_USER first name overflow attempt"
-  # Not supported: byte_test: 1,>,1,12,relative,2,>,128,0,relative,little
-  payload /\x05\x00.{5}\x12\x02.*.*\x05\x00.{5}n\x00/
-  payload /.*\x05\x00.{5}\xDE\x03/
-}
-
-signature s2b-2445-4 {
-  ip-proto == udp
-  src-port == 4000
-  # Not supported: byte_test: 2,>,128,0,relative,little,1,>,1,12,relative
-  event "EXPLOIT ICQ SRV_MULTI/SRV_META_USER last name overflow attempt"
-  # Not supported: byte_jump: 2,18,relative,little,2,0,relative,little
-  payload /\x05\x00.{5}\x12\x02.*.*\x05\x00.{5}n\x00/
-  payload /.*\x05\x00.{5}\xDE\x03/
-}
-
-signature s2b-2446-4 {
-  ip-proto == udp
-  src-port == 4000
-  # Not supported: byte_jump: 2,0,relative,little,2,18,relative,little,2,0,relative,little
-  event "EXPLOIT ICQ SRV_MULTI/SRV_META_USER email overflow attempt"
-  # Not supported: byte_test: 2,>,128,0,relative,little,1,>,1,12,relative
-  payload /\x05\x00.{5}\x12\x02.*.*\x05\x00.{5}n\x00/
-  payload /.*\x05\x00.{5}\xDE\x03/
-}
-
-signature s2b-2462-6 {
-  # Not supported: byte_test: 1,>,63,0,1,<,67,0,1,>,16,12
-  header ip[9:1] == 2
-  event "EXPLOIT IGMP IGAP account overflow attempt"
-}
-
-signature s2b-2463-6 {
-  # Not supported: byte_test: 1,>,63,0,1,<,67,0,1,>,64,13
-  header ip[9:1] == 2
-  event "EXPLOIT IGMP IGAP message overflow attempt"
-}
-
-signature s2b-2464-6 {
-  # Not supported: byte_test: 1,>,32,44
-  header ip[9:1] == 88
-  event "EXPLOIT EIGRP prefix length overflow attempt"
-}
-
-signature s2b-2489-2 {
-  ip-proto == tcp
-  dst-port == 80
-  event "EXPLOIT esignal STREAMQUOTE buffer overflow attempt"
-  tcp-state established,originator
-  # Not supported: isdataat: 1024,relative
-  payload /.*<[sS][tT][rR][eE][aA][mM][qQ][uU][oO][tT][eE]><willnevermatch>/
-}
-
-signature s2b-2490-3 {
-  ip-proto == tcp
-  dst-port == 80
-  event "EXPLOIT esignal SNAPQUOTE buffer overflow attempt"
-  tcp-state established,originator
-  # Not supported: isdataat: 1024,relative
-  payload /.*<[sS][nN][aA][pP][qQ][uU][oO][tT][eE]><willnevermatch>/
-}
-
-signature s2b-2545-4 {
-  ip-proto == tcp
-  dst-port == 548
-  # Not supported: byte_jump: 2,1,relative,2,1,relative
-  event "EXPLOIT AFP FPLoginExt username buffer overflow attempt"
-  tcp-state established,originator
-  # Not supported: isdataat: 2,relative
-  payload /\x00\x02.{14}\?/
-  payload /.*[cC][lL][eE][aA][rR][tT][xX][tT] [pP][aA][sS][sS][wW][rR][dD]/
-}
-
-signature s2b-2550-2 {
-  ip-proto == tcp
-  src-port == 80
-  event "EXPLOIT winamp XM module name overflow"
-  tcp-state established,responder
-  # Not supported: isdataat: 20,relative
-  payload /.*[eE][xX][tT][eE][nN][dD][eE][dD] [mM][oO][dD][uU][lL][eE]\x3A[^\x1A]{21}/
-}
-
-signature s2b-2551-2 {
-  ip-proto == tcp
-  dst-port >= 7777
-  dst-port <= 7778
-  # Not supported: pcre: /^GET[^s]{432}/sm
-  event "EXPLOIT Oracle Web Cache GET overflow attempt"
-  tcp-state established,originator
-  payload /.*GET/
-  payload /((^)|(\n+))GET[^s]{432}/
-}
-
-signature s2b-2552-2 {
-  ip-proto == tcp
-  dst-port >= 7777
-  dst-port <= 7778
-  # Not supported: pcre: /^HEAD[^s]{432}/sm
-  event "EXPLOIT Oracle Web Cache HEAD overflow attempt"
-  tcp-state established,originator
-  payload /.*HEAD/
-  payload /((^)|(\n+))HEAD[^s]{432}/
-}
-
-signature s2b-2553-2 {
-  ip-proto == tcp
-  dst-port >= 7777
-  dst-port <= 7778
-  # Not supported: pcre: /^PUT[^s]{432}/sm
-  event "EXPLOIT Oracle Web Cache PUT overflow attempt"
-  tcp-state established,originator
-  payload /((^)|(\n+))PUT[^s]{432}/
-}
-
-signature s2b-2554-2 {
-  ip-proto == tcp
-  dst-port >= 7777
-  dst-port <= 7778
-  # Not supported: pcre: /^POST[^s]{432}/sm
-  event "EXPLOIT Oracle Web Cache POST overflow attempt"
-  tcp-state established,originator
-  payload /((^)|(\n+))POST[^s]{432}/
-}
-
-signature s2b-2555-2 {
-  ip-proto == tcp
-  dst-port >= 7777
-  dst-port <= 7778
-  # Not supported: pcre: /^TRACE[^s]{432}/sm
-  event "EXPLOIT Oracle Web Cache TRACE overflow attempt"
-  tcp-state established,originator
-  payload /((^)|(\n+))TRACE[^s]{432}/
-}
-
-signature s2b-2556-2 {
-  ip-proto == tcp
-  dst-port >= 7777
-  dst-port <= 7778
-  # Not supported: pcre: /^DELETE[^s]{432}/sm
-  event "EXPLOIT Oracle Web Cache DELETE overflow attempt"
-  tcp-state established,originator
-  payload /.*DELETE/
-  payload /((^)|(\n+))DELETE[^s]{432}/
-}
-
-signature s2b-2557-2 {
-  ip-proto == tcp
-  dst-port >= 7777
-  dst-port <= 7778
-  # Not supported: pcre: /^LOCK[^s]{432}/sm
-  event "EXPLOIT Oracle Web Cache LOCK overflow attempt"
-  tcp-state established,originator
-  payload /((^)|(\n+))LOCK[^s]{432}/
-}
-
-signature s2b-2558-2 {
-  ip-proto == tcp
-  dst-port >= 7777
-  dst-port <= 7778
-  # Not supported: pcre: /^MKCOL[^s]{432}/sm
-  event "EXPLOIT Oracle Web Cache MKCOL overflow attempt"
-  tcp-state established,originator
-  payload /((^)|(\n+))MKCOL[^s]{432}/
-}
-
-signature s2b-2559-2 {
-  ip-proto == tcp
-  dst-port >= 7777
-  dst-port <= 7778
-  # Not supported: pcre: /^COPY[^s]{432}/sm
-  event "EXPLOIT Oracle Web Cache COPY overflow attempt"
-  tcp-state established,originator
-  payload /((^)|(\n+))COPY[^s]{432}/
-}
-
-signature s2b-2560-2 {
-  ip-proto == tcp
-  dst-port >= 7777
-  dst-port <= 7778
-  # Not supported: pcre: /^MOVE[^s]{432}/sm
-  event "EXPLOIT Oracle Web Cache MOVE overflow attempt"
-  tcp-state established,originator
-  payload /((^)|(\n+))MOVE[^s]{432}/
-}
-
-signature s2b-320-9 {
-  ip-proto == tcp
-  dst-port == 79
-  event "FINGER cmd_rootsh backdoor attempt"
-  tcp-state established,originator
-  payload /.*cmd_rootsh/
-}
-
-signature s2b-321-5 {
-  ip-proto == tcp
-  dst-port == 79
-  event "FINGER account enumeration attempt"
-  tcp-state established,originator
-  payload /.*[aA] [bB] [cC] [dD] [eE] [fF]/
-}
-
-signature s2b-322-10 {
-  ip-proto == tcp
-  dst-port == 79
-  event "FINGER search query"
-  tcp-state established,originator
-  payload /.*search/
-}
-
-signature s2b-323-5 {
-  ip-proto == tcp
-  dst-port == 79
-  event "FINGER root query"
-  tcp-state established,originator
-  payload /.*root/
-}
-
-signature s2b-324-5 {
-  ip-proto == tcp
-  dst-port == 79
-  event "FINGER null request"
-  tcp-state established,originator
-  payload /.*\x00/
-}
-
-signature s2b-326-9 {
-  ip-proto == tcp
-  dst-port == 79
-  event "FINGER remote command execution attempt"
-  tcp-state established,originator
-  payload /.*\x3B/
-}
-
-signature s2b-327-8 {
-  ip-proto == tcp
-  dst-port == 79
-  event "FINGER remote command pipe execution attempt"
-  tcp-state established,originator
-  payload /.*\x7C/
-}
-
-signature s2b-328-8 {
-  ip-proto == tcp
-  dst-port == 79
-  event "FINGER bomb attempt"
-  tcp-state established,originator
-  payload /.*@@/
-}
-
-signature s2b-330-9 {
-  ip-proto == tcp
-  dst-port == 79
-  event "FINGER redirection attempt"
-  tcp-state established,originator
-  payload /.*@/
-}
-
-signature s2b-331-10 {
-  ip-proto == tcp
-  dst-port == 79
-  event "FINGER cybercop query"
-  tcp-state established,originator
-  payload /.{0,4}\x0A     /
-}
-
-signature s2b-332-8 {
-  ip-proto == tcp
-  dst-port == 79
-  event "FINGER 0 query"
-  tcp-state established,originator
-  payload /.*0/
-}
-
-signature s2b-333-8 {
-  ip-proto == tcp
-  dst-port == 79
-  event "FINGER . query"
-  tcp-state established,originator
-  payload /.*\./
-}
-
-signature s2b-1541-4 {
-  ip-proto == tcp
-  dst-port == 79
-  event "FINGER version query"
-  tcp-state established,originator
-  payload /.*version/
-}
-
-signature s2b-2546-1 {
-  ip-proto == tcp
-  dst-port == 21
-  # Not supported: pcre: /^MDTM\s[^\n]{100}/smi
-  event "FTP MDTM overflow attempt"
-  tcp-state established,originator
-  # Not supported: isdataat: 100,relative
-  requires-reverse-signature ! ftp_server_error
-  payload /((^)|(\n+))[mM][dD][tT][mM][\x20\x09\x0b][^\n]{100}/
-}
-
-signature s2b-2373-1 {
-  ip-proto == tcp
-  dst-port == 21
-  # Not supported: pcre: /^XMKD\s[^\n]{100}/smi
-  event "FTP XMKD overflow attempt"
-  tcp-state established,originator
-  # Not supported: isdataat: 100,relative
-  requires-reverse-signature ! ftp_server_error
-  payload /((^)|(\n+))[xXmMkKdD][\x20\x09\x0b][^\n]{100}/
-  eval dataSizeG100
-}
-
-signature s2b-2374-4 {
-  ip-proto == tcp
-  dst-port == 21
-  # Not supported: pcre: /^NLST\s[^\n]{100}/smi
-  event "FTP NLST overflow attempt"
-  tcp-state established,originator
-  # Not supported: isdataat: 100,relative
-  requires-reverse-signature ! ftp_server_error
-  ftp /((^)|(\n+))[nNlLsStT][\x20\x09\x0b][^\n]{100}/
-  eval dataSizeG100
-}
-
-signature s2b-2449-1 {
-  ip-proto == tcp
-  dst-port == 21
-  # Not supported: pcre: /^ALLO\s[^\n]{100}/smi
-  event "FTP ALLO overflow attempt"
-  tcp-state established,originator
-  # Not supported: isdataat: 100,relative
-  requires-reverse-signature ! ftp_server_error
-  payload /((^)|(\n+))[aAlLlLoO][\x20\x09\x0b][^\n]{100}/
-}
-
-signature s2b-2389-4 {
-  ip-proto == tcp
-  dst-port == 21
-  # Not supported: pcre: /^RNTO\s[^\n]{100}/smi
-  event "FTP RNTO overflow attempt"
-  tcp-state established,originator
-  # Not supported: isdataat: 100,relative
-  requires-reverse-signature ! ftp_server_error
-  ftp /((^)|(\n+))[rR][nN][tT][oO][\x20\x09\x0b][^\n]{100}/
-  eval dataSizeG100
-}
-
-signature s2b-2390-4 {
-  ip-proto == tcp
-  dst-port == 21
-  # Not supported: pcre: /^STOU\s[^\n]{100}/smi
-  event "FTP STOU overflow attempt"
-  tcp-state established,originator
-  # Not supported: isdataat: 100,relative
-  requires-reverse-signature ! ftp_server_error
-  payload /((^)|(\n+))[sS][tT][oO][uU][\x20\x09\x0b][^\n]{100}/
-  eval dataSizeG100
-}
-
-signature s2b-2391-4 {
-  ip-proto == tcp
-  dst-port == 21
-  # Not supported: pcre: /^APPE\s[^\n]{100}/smi
-  event "FTP APPE overflow attempt"
-  tcp-state established,originator
-  # Not supported: isdataat: 100,relative
-  requires-reverse-signature ! ftp_server_error
-  payload /((^)|(\n+))[aA][pP][pP][eE][\x20\x09\x0b][^\n]{100}/
-  eval dataSizeG100
-}
-
-signature s2b-2392-4 {
-  ip-proto == tcp
-  dst-port == 21
-  # Not supported: pcre: /^RETR\s[^\n]{100}/smi
-  event "FTP RETR overflow attempt"
-  tcp-state established,originator
-  # Not supported: isdataat: 100,relative
-  requires-reverse-signature ! ftp_server_error
-  ftp /((^)|(\n+))[rR][eE][tT][rR][\x20\x09\x0b][^\n]{100}/
-  eval dataSizeG100
-}
-
-signature s2b-2343-1 {
-  ip-proto == tcp
-  dst-port == 21
-  # Not supported: pcre: /^STOR\s[^\n]{100}/smi
-  event "FTP STOR overflow attempt"
-  tcp-state established,originator
-  # Not supported: isdataat: 100,relative
-  requires-reverse-signature ! ftp_server_error
-  ftp /((^)|(\n+))[sS][tT][oO][rR][\x20\x09\x0b][^\n]{100}/
-  eval dataSizeG100
-}
-
-signature s2b-337-10 {
-  ip-proto == tcp
-  dst-port == 21
-  # Not supported: pcre: /^CEL\s[^\n]{100}/smi
-  event "FTP CEL overflow attempt"
-  tcp-state established,originator
-  # Not supported: isdataat: 100,relative
-  requires-reverse-signature ! ftp_server_error
-  ftp /((^)|(\n+))[cC][eE][lL][\x20\x09\x0b][^\n]{100}/
-  eval dataSizeG100
-}
-
-signature s2b-2344-1 {
-  ip-proto == tcp
-  dst-port == 21
-  # Not supported: pcre: /^XCWD\s[^\n]{100}/smi
-  event "FTP XCWD overflow attempt"
-  tcp-state established,originator
-  # Not supported: isdataat: 100,relative
-  requires-reverse-signature ! ftp_server_error
-  ftp /((^)|(\n+))[xX][cC][wW][dD][\x20\x09\x0b][^\n]{100}/
-  eval dataSizeG100
-}
-
-signature s2b-1919-12 {
-  ip-proto == tcp
-  dst-port == 21
-  # Not supported: pcre: /^CWD\s[^\n]{100}/smi
-  event "FTP CWD overflow attempt"
-  tcp-state established,originator
-  # Not supported: isdataat: 100,relative
-  requires-reverse-signature ! ftp_server_error
-  ftp /((^)|(\n+))[cC][wW][dD][\x20\x09\x0b][^\n]{100}/
-  eval dataSizeG100
-}
-
-signature s2b-1621-10 {
-  ip-proto == tcp
-  dst-port == 21
-  # Not supported: pcre: /^CMD\s[^\n]{100}/smi
-  event "FTP CMD overflow attempt"
-  tcp-state established,originator
-  # Not supported: isdataat: 100,relative
-  requires-reverse-signature ! ftp_server_error
-  ftp /((^)|(\n+))[cC][mM][dD][\x20\x09\x0b][^\n]{100}/
-  eval dataSizeG100
-}
-
-signature s2b-1379-7 {
-  ip-proto == tcp
-  dst-port == 21
-  # Not supported: pcre: /^STAT\s[^\n]{100}/smi
-  event "FTP STAT overflow attempt"
-  tcp-state established,originator
-  # Not supported: isdataat: 100,relative
-  requires-reverse-signature ! ftp_server_error
-  ftp /((^)|(\n+))[sS][tT][aA][tT][\x20\x09\x0b][^\n]{100}/
-  eval dataSizeG100
-}
-
-signature s2b-2340-4 {
-  ip-proto == tcp
-  dst-port == 21
-  # Not supported: pcre: /^SITE\s+CHMOD\s[^\n]{100}/smi
-  event "FTP SITE CHMOD overflow attempt"
-  tcp-state established,originator
-  # Not supported: isdataat: 100,relative
-  requires-reverse-signature ! ftp_server_error
-  ftp /((^)|(\n+))[sS][iI][tT][eE][\x20\x09\x0b]+[cC][hH][mM][oO][dD][\x20\x09\x0b][^\n]{100}/
-  eval dataSizeG100
-}
-
-signature s2b-1562-11 {
-  ip-proto == tcp
-  dst-port == 21
-  # Not supported: pcre: /^SITE\s+CHOWN\s[^\n]{100}/smi
-  event "FTP SITE CHOWN overflow attempt"
-  tcp-state established,originator
-  # Not supported: isdataat: 100,relative
-  requires-reverse-signature ! ftp_server_error
-  ftp /((^)|(\n+))[sS][iI][tT][eE][\x20\x09\x0b]+[cC][hH][oO][wW][nN][\x20\x09\x0b][^\n]{100}/
-  eval dataSizeG100
-}
-
-signature s2b-1920-6 {
-  ip-proto == tcp
-  dst-port == 21
-  # Not supported: pcre: /^SITE\s+NEWER\s[^\n]{100}/smi
-  event "FTP SITE NEWER overflow attempt"
-  tcp-state established,originator
-  # Not supported: isdataat: 100,relative
-  requires-reverse-signature ! ftp_server_error
-  ftp /((^)|(\n+))[sS][iI][tT][eE][\x20\x09\x0b]+[nN][eE][wW][eE][rR][\x20\x09\x0b][^\n]{100}/
-  eval dataSizeG100
-}
-
-signature s2b-1888-8 {
-  ip-proto == tcp
-  dst-port == 21
-  # Not supported: pcre: /^SITE\s+CPWD\s[^\n]{100}/smi
-  event "FTP SITE CPWD overflow attempt"
-  tcp-state established,originator
-  # Not supported: isdataat: 100,relative
-  requires-reverse-signature ! ftp_server_error
-  ftp /((^)|(\n+))[sS][iI][tT][eE][\x20\x09\x0b]+[cC][pP][wW][dD][\x20\x09\x0b][^\n]{100}/
-  eval dataSizeG100
-}
-
-signature s2b-1971-4 {
-  ip-proto == tcp
-  dst-port == 21
-  # Not supported: pcre: /^SITE\s+EXEC\s[^\n]*?%[^\n]*?%/smi
-  event "FTP SITE EXEC format string attempt"
-  tcp-state established,originator
-  requires-reverse-signature ! ftp_server_error
-  ftp /((^)|(\n+))[sS][iI][tT][eE][\x20\x09\x0b]+[eE][xX][eE][cC][\x20\x09\x0b][^\n]*?%[^\n]*?%/
-}
-
-signature s2b-1529-10 {
-  ip-proto == tcp
-  dst-port == 21
-  # Not supported: pcre: /^SITE\s[^\n]{100}/smi
-  event "FTP SITE overflow attempt"
-  tcp-state established,originator
-  # Not supported: isdataat: 100,relative
-  requires-reverse-signature ! ftp_server_error
-  ftp /((^)|(\n+))[sS][iI][tT][eE][\x20\x09\x0b][^\n]{100}/
-  eval dataSizeG100
-}
-
-signature s2b-1734-16 {
-  ip-proto == tcp
-  dst-port == 21
-  # Not supported: pcre: /^USER\s[^\n]{100}/smi
-  event "FTP USER overflow attempt"
-  tcp-state established,originator
-  # Not supported: isdataat: 100,relative
-  requires-reverse-signature ! ftp_server_error
-  ftp /((^)|(\n+))[uU][sS][eE][rR][\x20\x09\x0b][^\n]{100}/
-  eval dataSizeG100
-}
-
-signature s2b-1972-10 {
-  ip-proto == tcp
-  dst-port == 21
-  # Not supported: pcre: /^PASS\s[^\n]{100}/smi
-  event "FTP PASS overflow attempt"
-  tcp-state established,originator
-  # Not supported: isdataat: 100,relative
-  requires-reverse-signature ! ftp_server_error
-  ftp /((^)|(\n+))[pP][aA][sS][sS][\x20\x09\x0b][^\n]{100}/
-  eval dataSizeG100
-}
-
-signature s2b-1942-4 {
-  ip-proto == tcp
-  dst-port == 21
-  # Not supported: pcre: /^RMDIR\s[^\n]{100}/smi
-  event "FTP RMDIR overflow attempt"
-  tcp-state established,originator
-  # Not supported: isdataat: 100,relative
-  requires-reverse-signature ! ftp_server_error
-  ftp /((^)|(\n+))[rR][mM][dD][iI][rR][\x20\x09\x0b][^\n]{100}/
-  eval dataSizeG100
-}
-
-signature s2b-1973-6 {
-  ip-proto == tcp
-  dst-port == 21
-  # Not supported: pcre: /^MKD\s[^\n]{100}/smi
-  event "FTP MKD overflow attempt"
-  tcp-state established,originator
-  # Not supported: isdataat: 100,relative
-  requires-reverse-signature ! ftp_server_error
-  ftp /((^)|(\n+))[mM][kK][dD][\x20\x09\x0b][^\n]{100}/
-  eval dataSizeG100
-}
-
-signature s2b-1974-6 {
-  ip-proto == tcp
-  dst-port == 21
-  # Not supported: pcre: /^REST\s[^\n]{100}/smi
-  event "FTP REST overflow attempt"
-  tcp-state established,originator
-  # Not supported: isdataat: 100,relative
-  requires-reverse-signature ! ftp_server_error
-  ftp /((^)|(\n+))[rR][eE][sS][tT][\x20\x09\x0b][^\n]{100}/
-  eval dataSizeG100
-}
-
-signature s2b-1975-6 {
-  ip-proto == tcp
-  dst-port == 21
-  # Not supported: pcre: /^DELE\s[^\n]{100}/smi
-  event "FTP DELE overflow attempt"
-  tcp-state established,originator
-  # Not supported: isdataat: 100,relative
-  requires-reverse-signature ! ftp_server_error
-  ftp /((^)|(\n+))[dD][eE][lL][eE][\x20\x09\x0b][^\n]{100}/
-  eval dataSizeG100
-}
-
-signature s2b-1976-6 {
-  ip-proto == tcp
-  dst-port == 21
-  # Not supported: pcre: /^RMD\s[^\n]{100}/smi
-  event "FTP RMD overflow attempt"
-  tcp-state established,originator
-  # Not supported: isdataat: 100,relative
-  requires-reverse-signature ! ftp_server_error
-  ftp /((^)|(\n+))[rR][mM][dD][\x20\x09\x0b][^\n]{100}/
-  eval dataSizeG100
-}
-
-signature s2b-1623-6 {
-  ip-proto == tcp
-  dst-port == 21
-  # Not supported: pcre: /^MODE\s+[^ABSC]{1}/msi
-  event "FTP invalid MODE"
-  tcp-state established,originator
-  requires-reverse-signature ! ftp_server_error
-  ftp /((^)|(\n+))[mM][oO][dD][eE][\x20\x09\x0b]+[^aAbBsScC]{1}/
-}
-
-signature s2b-1624-5 {
-  ip-proto == tcp
-  dst-port == 21
-  payload-size == 10
-  event "FTP large PWD command"
-  tcp-state established,originator
-  payload /.*[pP][wW][dD]/
-  requires-reverse-signature ! ftp_server_error
-}
-
-signature s2b-2125-8 {
-  ip-proto == tcp
-  dst-port == 21
-  event "FTP CWD Root directory transversal attempt"
-  tcp-state established,originator
-  payload /.*[cC][wW][dD].{1}.*C\x3A\x5C/
-  requires-reverse-signature ! ftp_server_error
-}
-
-signature s2b-1921-5 {
-  ip-proto == tcp
-  dst-port == 21
-  # Not supported: pcre: /^SITE\s+ZIPCHK\s[^\n]{100}/smi
-  event "FTP SITE ZIPCHK overflow attempt"
-  tcp-state established,originator
-  # Not supported: isdataat: 100,relative
-  requires-reverse-signature ! ftp_server_error
-  ftp /((^)|(\n+))[sS][iI][tT][eE][\x20\x09\x0b]+[zZ][iI][pP][cC][hH][kK][\x20\x09\x0b][^\n]{100}/
-  eval dataSizeG100
-}
-
-signature s2b-1864-7 {
-  ip-proto == tcp
-  dst-port == 21
-  # Not supported: pcre: /^SITE\s+NEWER/smi
-  event "FTP SITE NEWER attempt"
-  tcp-state established,originator
-  requires-reverse-signature ! ftp_server_error
-  ftp /((^)|(\n+))[sS][iI][tT][eE][\x20\x09\x0b]+[nN][eE][wW][eE][rR]/
-}
-
-signature s2b-361-12 {
-  ip-proto == tcp
-  dst-port == 21
-  # Not supported: pcre: /^SITE\s+EXEC/smi
-  event "FTP SITE EXEC attempt"
-  tcp-state established,originator
-  payload /.*[sS][iI][tT][eE].*.*[eE][xX][eE][cC]/
-  requires-reverse-signature ! ftp_server_error
-}
-
-signature s2b-1777-4 {
-  ip-proto == tcp
-  dst-port == 21
-  event "FTP EXPLOIT STAT * dos attempt"
-  tcp-state established,originator
-  payload /.*[sS][tT][aA][tT].{1}.*\*/
-  requires-reverse-signature ! ftp_server_error
-}
-
-signature s2b-1778-4 {
-  ip-proto == tcp
-  dst-port == 21
-  event "FTP EXPLOIT STAT ? dos attempt"
-  tcp-state established,originator
-  payload /.*[sS][tT][aA][tT].{1}.*\?/
-  requires-reverse-signature ! ftp_server_error
-}
-
-signature s2b-362-12 {
-  ip-proto == tcp
-  dst-port == 21
-  event "FTP tar parameters"
-  tcp-state established,originator
-  payload /.* --[uU][sS][eE]-[cC][oO][mM][pP][rR][eE][sS][sS]-[pP][rR][oO][gG][rR][aA][mM] /
-  requires-reverse-signature ! ftp_server_error
-}
-
-signature s2b-336-10 {
-  ip-proto == tcp
-  dst-port == 21
-  # Not supported: pcre: /^CWD\s+~root/smi
-  event "FTP CWD ~root attempt"
-  tcp-state established,originator
-  requires-reverse-signature ! ftp_server_error
-  payload /((^)|(\n+))[cC][wW][dD][\x20\x09\x0b]+~[rR][oO][oO][tT]/
-}
-
-signature s2b-1229-7 {
-  ip-proto == tcp
-  dst-port == 21
-  # Not supported: pcre: /^CWD\s[^\n]*?\.\.\./smi
-  event "FTP CWD ..."
-  tcp-state established,originator
-  requires-reverse-signature ! ftp_server_error
-  payload /((^)|(\n+))[cC][wW][dD][\x20\x09\x0b][^\n]*?\.\.\./
-}
-
-signature s2b-1672-10 {
-  ip-proto == tcp
-  dst-port == 21
-  # Not supported: pcre: /^CWD\s+~/smi
-  event "FTP CWD ~ attempt"
-  tcp-state established,originator
-  requires-reverse-signature ! ftp_server_error
-  ftp /((^)|(\n+))CWD[\x20\x09\x0b]+~/
-}
-
-signature s2b-360-7 {
-  ip-proto == tcp
-  dst-port == 21
-  event "FTP serv-u directory transversal"
-  tcp-state established,originator
-  payload /.*\.%20\./
-  requires-reverse-signature ! ftp_server_error
-}
-
-signature s2b-1378-14 {
-  ip-proto == tcp
-  dst-port == 21
-  event "FTP wu-ftp bad file completion attempt {"
-  tcp-state established,originator
-  ftp /.{2,} ~.?\{/
-}
-
-signature s2b-1992-5 {
-  ip-proto == tcp
-  dst-port == 21
-  event "FTP LIST directory traversal attempt"
-  tcp-state established,originator
-  payload /.*LIST.{1}.*\.\..{1}.*\.\./
-  requires-reverse-signature ! ftp_server_error
-}
-
-signature s2b-334-5 {
-  ip-proto == tcp
-  dst-port == 21
-  event "FTP .forward"
-  tcp-state established,originator
-  payload /.*\.forward/
-  requires-reverse-signature ! ftp_server_error
-}
-
-signature s2b-335-5 {
-  ip-proto == tcp
-  dst-port == 21
-  event "FTP .rhosts"
-  tcp-state established,originator
-  ftp /.*\.rhosts/
-  requires-reverse-signature ! ftp_server_error
-}
-
-signature s2b-1927-2 {
-  ip-proto == tcp
-  dst-port == 21
-  event "FTP authorized_keys"
-  tcp-state established,originator
-  payload /.*authorized_keys/
-  requires-reverse-signature ! ftp_server_error
-}
-
-signature s2b-356-5 {
-  ip-proto == tcp
-  dst-port == 21
-  event "FTP passwd retrieval attempt"
-  tcp-state established,originator
-  payload /.*[rR][eE][tT][rR]/
-  payload /[\x20\x09\x0b\/.]*passwd[\x20\x09\x0b]*$/
-  requires-reverse-signature ! ftp_server_error
-}
-
-signature s2b-1928-3 {
-  ip-proto == tcp
-  dst-port == 21
-  event "FTP shadow retrieval attempt"
-  tcp-state established,originator
-  payload /.*[rR][eE][tT][rR]/
-  payload /.*shadow/
-  requires-signature got_ftp_root
-  requires-reverse-signature ! ftp_server_error
-}
-
-signature s2b-144-9 {
-  ip-proto == tcp
-  dst-port == 21
-  # Not supported: pcre: /^USER\s+w0rm/smi
-  event "FTP ADMw0rm ftp login attempt"
-  tcp-state established,originator
-  payload /.*[uU][sS][eE][rR].{1}.*[wW]0[rR][mM]/
-  requires-reverse-signature ! ftp_server_error
-}
-
-signature s2b-353-6 {
-  ip-proto == tcp
-  dst-port == 21
-  event "FTP adm scan"
-  tcp-state established,originator
-  payload /.*PASS ddd@\x0A/
-  requires-reverse-signature ! ftp_server_error
-}
-
-signature s2b-354-5 {
-  ip-proto == tcp
-  dst-port == 21
-  event "FTP iss scan"
-  tcp-state established,originator
-  payload /.*pass -iss@iss/
-  requires-reverse-signature ! ftp_server_error
-}
-
-signature s2b-355-5 {
-  ip-proto == tcp
-  dst-port == 21
-  event "FTP pass wh00t"
-  tcp-state established,originator
-  payload /.*[pP][aA][sS][sS] [wW][hH]00[tT]/
-  requires-reverse-signature ! ftp_server_error
-}
-
-signature s2b-357-5 {
-  ip-proto == tcp
-  dst-port == 21
-  event "FTP piss scan"
-  tcp-state established,originator
-  payload /.*pass -cklaus/
-  requires-reverse-signature ! ftp_server_error
-}
-
-signature s2b-358-5 {
-  ip-proto == tcp
-  dst-port == 21
-  event "FTP saint scan"
-  tcp-state established,originator
-  payload /.*pass -saint/
-  requires-reverse-signature ! ftp_server_error
-}
-
-signature s2b-359-5 {
-  ip-proto == tcp
-  dst-port == 21
-  event "FTP satan scan"
-  tcp-state established,originator
-  payload /.*pass -satan/
-  requires-reverse-signature ! ftp_server_error
-}
-
-signature s2b-2178-13 {
-  ip-proto == tcp
-  dst-port == 21
-  # Not supported: pcre: /^USER\s[^\n]*?%[^\n]*?%/smi
-  event "FTP USER format string attempt"
-  tcp-state established,originator
-  requires-reverse-signature ! ftp_server_error
-  ftp /((^)|(\n+))[uU][sS][eE][rR][\x20\x09\x0b][^\n]*?%[^\n]*?%/
-}
-
-signature s2b-2179-4 {
-  ip-proto == tcp
-  dst-port == 21
-  # Not supported: pcre: /^PASS\s[^\n]*?%[^\n]*?%/smi
-  event "FTP PASS format string attempt"
-  tcp-state established,originator
-  requires-reverse-signature ! ftp_server_error
-  ftp /((^)|(\n+))[pP][aA][sS][sS]\x20\x09\x0b][^\n]*?%[^\n]*?%/
-}
-
-signature s2b-2332-1 {
-  ip-proto == tcp
-  dst-port == 21
-  # Not supported: pcre: /^MKDIR\s[^\n]*?%[^\n]*?%/smi
-  event "FTP MKDIR format string attempt"
-  tcp-state established,originator
-  requires-reverse-signature ! ftp_server_error
-  ftp /((^)|(\n+))[mM][kK][dD][iI][rR][\x20\x09\x0b][^\n]*?%[^\n]*?%/
-}
-
-signature s2b-2333-1 {
-  ip-proto == tcp
-  dst-port == 21
-  # Not supported: pcre: /^RENAME\s[^\n]*?%[^\n]*?%/smi
-  event "FTP RENAME format string attempt"
-  tcp-state established,originator
-  requires-reverse-signature ! ftp_server_error
-  ftp /((^)|(\n+))[rR][eE][nN][aA][mM][eE][\x20\x09\x0b][^\n]*?%[^\n]*?%/
-}
-
-signature s2b-2338-5 {
-  ip-proto == tcp
-  dst-port == 21
-  # Not supported: pcre: /^LIST\s[^\n]{100,}/smi
-  event "FTP LIST buffer overflow attempt"
-  tcp-state established,originator
-  requires-reverse-signature ! ftp_server_error
-  ftp /((^)|(\n+))[lL][iI][sS][tT][\x20\x09\x0b][^\n]{100,}/
-}
-
-signature s2b-2272-4 {
-  ip-proto == tcp
-  dst-port == 21
-  # Not supported: pcre: /^LIST\s+\x22-W\s+\d+/smi
-  event "FTP LIST integer overflow attempt"
-  tcp-state established,originator
-  requires-reverse-signature ! ftp_server_error
-  ftp /((^)|(\n+))[lL][iI][sS][tT][\x20\x09\x0b]+\x22-W[\x20\x09\x0b]+[0-9]+/
-}
-
-signature s2b-2334-2 {
-  ip-proto == tcp
-  dst-port == 3535
-  # Not supported: pcre: /^USER\s+y049575046/smi
-  event "FTP Yak! FTP server default account login attempt"
-  tcp-state established,originator
-  requires-reverse-signature ! ftp_server_error
-  payload /((^)|(\n+))USER[\x20\x09\x0b]+y049575046/
-}
-
-signature s2b-2335-2 {
-  ip-proto == tcp
-  dst-port == 3535
-  # Not supported: pcre: /^RMD\s+\x2f$/smi
-  event "FTP RMD / attempt"
-  tcp-state established,originator
-  payload /.*[rR][mM][dD]/
-  requires-reverse-signature ! ftp_server_error
-}
-
-signature s2b-2416-1 {
-  ip-proto == tcp
-  dst-port == 21
-  # Not supported: pcre: /^MDTM \d+[-+]\D/smi
-  event "FTP invalid MDTM command attempt"
-  tcp-state established,originator
-  requires-reverse-signature ! ftp_server_error
-  ftp /((^)|(\n+))[mMdDtTmM][0-9]+[-+][^0-9]/
-}
-
-signature s2b-2417-1 {
-  ip-proto == tcp
-  dst-port == 21
-  # Not supported: pcre: /\s+.*?%.*?%/smi
-  event "FTP format string attempt"
-  tcp-state established,originator
-  payload /.*%/
-  ftp /[\x20\x09\x0b]+.*?%.*?%/
-  requires-reverse-signature ! ftp_server_error
-}
-
-signature s2b-2574-1 {
-  ip-proto == tcp
-  dst-port == 21
-  # Not supported: pcre: /^RETR\s[^\n]*?%[^\n]*?%/smi
-  event "FTP RETR format string attempt"
-  tcp-state established,originator
-  requires-reverse-signature ! ftp_server_error
-  ftp /((^)|(\n+))[rR][eE][tT][rR][\x20\x09\x0b][^\n]*?%[^\n]*?%/
-}
-
-signature s2b-377-7 {
-  ip-proto == icmp
-  header icmp[0:1] == 8
-  event "ICMP PING Network Toolbox 3 Windows"
-  payload /.{0,16}================/
-}
-
-signature s2b-465-3 {
-  ip-proto == icmp
-  header icmp[0:1] == 8
-  event "ICMP ISS Pinger"
-  payload /.{0,24}ISSPNGRQ/
-}
-
-signature s2b-467-3 {
-  ip-proto == icmp
-  payload-size == 20
-  header icmp[0:1] == 8
-  header icmp[0:1] == 0,8
-  header icmp[6:2] == 0
-  event "ICMP Nemesis v1.1 Echo"
-  header icmp[0:1] == 0,8
-  header icmp[4:2] == 0
-  payload /\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00/
-}
-
-signature s2b-471-3 {
-  ip-proto == icmp
-  payload-size == 0
-  header icmp[0:1] == 8
-  header icmp[0:1] == 0,8
-  header icmp[6:2] == 0
-  event "ICMP icmpenum v1.1.1"
-  header ip[4:2] == 666
-  header icmp[0:1] == 0,8
-  header icmp[4:2] == 666
-}
-
-signature s2b-472-4 {
-  ip-proto == icmp
-  header icmp[1:1] == 1
-  header icmp[0:1] == 5
-  event "ICMP redirect host"
-}
-
-signature s2b-475-3 {
-  ip-proto == icmp
-  header icmp[0:1] == 0
-  event "ICMP traceroute ipopts"
-  ip-options rr
-}
-
-signature s2b-476-4 {
-  ip-proto == icmp
-  header icmp[1:1] == 0
-  header icmp[0:1] == 8
-  event "ICMP webtrends scanner"
-  payload /.*\x00\x00\x00\x00EEEEEEEEEEEE/
-}
-
-signature s2b-478-3 {
-  ip-proto == icmp
-  payload-size == 4
-  header icmp[0:1] == 8
-  header icmp[0:1] == 0,8
-  header icmp[6:2] == 0
-  event "ICMP Broadscan Smurf Scanner"
-  header icmp[0:1] == 0,8
-  header icmp[4:2] == 0
-}
-
-signature s2b-481-5 {
-  ip-proto == icmp
-  header icmp[0:1] == 8
-  event "ICMP TJPingPro1.1Build 2 Windows"
-  payload /.{0,16}TJPingPro by Jim/
-}
-
-signature s2b-484-4 {
-  ip-proto == icmp
-  header icmp[0:1] == 8
-  event "ICMP PING Sniffer Pro/NetXRay network scan"
-  payload /.{0,13}Cinco Network, Inc\./
-}
-
-signature s2b-1813-5 {
-  ip-proto == icmp
-  event "ICMP digital island bandwidth query"
-  payload /mailto\x3Aops@digisle\.com/
-}
-
-signature s2b-1993-4 {
-  ip-proto == tcp
-  dst-port == 143
-  # Not supported: pcre: /\sLOGIN\s[^\n]*?\s\{/smi
-  # Not supported: byte_test: 5,>,256,0,string,dec,relative
-  event "IMAP login literal buffer overflow attempt"
-  tcp-state established,originator
-  payload /((^)|(\n+))[lL][oO][gG][iI][nN][\x20\x09\x0b][^\n]*?[\x20\x09\x0b]\{/
-}
-
-signature s2b-1842-9 {
-  ip-proto == tcp
-  dst-port == 143
-  # Not supported: pcre: /\sLOGIN\s[^\n]{100}/smi
-  event "IMAP login buffer overflow attempt"
-  tcp-state established,originator
-  # Not supported: isdataat: 100,relative
-  payload /((^)|(\n+))[\x20\x09\x0b]LOGIN[\x20\x09\x0b][^\n]{100}/
-}
-
-signature s2b-2105-4 {
-  ip-proto == tcp
-  dst-port == 143
-  # Not supported: pcre: /\sAUTHENTICATE\s[^\n]*?\s\{/smi
-  # Not supported: byte_test: 5,>,256,0,string,dec,relative
-  event "IMAP authenticate literal overflow attempt"
-  tcp-state established,originator
-  payload /((^)|(\n+))[\x20\x09\x0b][aA][uU][tT][hH][eE][nN][tT][iI][cC][aA][tT][eE][\x20\x09\x0b][^\n]*?[\x20\x09\x0b]\{/
-}
-
-signature s2b-1844-9 {
-  ip-proto == tcp
-  dst-port == 143
-  # Not supported: pcre: /\sAUTHENTICATE\s[^\n]{100}/smi
-  event "IMAP authenticate overflow attempt"
-  tcp-state established,originator
-  # Not supported: isdataat: 100,relative
-  payload /((^)|(\n+))[\x20\x09\x0b][aA][uU][tT][hH][eE][nN][tT][iI][cC][aA][tT][eE][\x20\x09\x0b][^\n]{100}/
-}
-
-signature s2b-1930-3 {
-  ip-proto == tcp
-  dst-port == 143
-  # Not supported: byte_test: 5,>,256,0,string,dec,relative
-  event "IMAP auth literal overflow attempt"
-  tcp-state established,originator
-  payload /.* [aA][uU][tT][hH]/
-  payload /.*\{/
-}
-
-signature s2b-2330-1 {
-  ip-proto == tcp
-  dst-port == 143
-  # Not supported: pcre: /AUTH\s[^\n]{100}/smi
-  event "IMAP auth overflow attempt"
-  tcp-state established,originator
-  payload /((^)|(\n+))[aA][uU][tT][hH][\x20\x09\x0b][^\n]{100}/
-}
-
-signature s2b-1902-9 {
-  ip-proto == tcp
-  dst-port == 143
-  # Not supported: pcre: /\sLSUB\s[^\n]*?\s\{/smi
-  # Not supported: byte_test: 5,>,256,0,string,dec,relative
-  event "IMAP lsub literal overflow attempt"
-  tcp-state established,originator
-  payload /((^)|(\n+))[\x20\x09\x0b][lL][sS][uU][bB][\x20\x09\x0b][^\n]*?[\x20\x09\x0b]\{/
-}
-
-signature s2b-2106-7 {
-  ip-proto == tcp
-  dst-port == 143
-  # Not supported: pcre: /\sLSUB\s[^\n]{100}/smi
-  event "IMAP lsub overflow attempt"
-  tcp-state established,originator
-  # Not supported: isdataat: 100,relative
-  payload /((^)|(\n+))[\x20\x09\x0b][lL][sS][uU][bB][\x20\x09\x0b][^\n]{100}/
-}
-
-signature s2b-1845-15 {
-  ip-proto == tcp
-  dst-port == 143
-  # Not supported: pcre: /\sLIST\s[^\n]*?\s\{/smi
-  # Not supported: byte_test: 5,>,256,0,string,dec,relative
-  event "IMAP list literal overflow attempt"
-  tcp-state established,originator
-  payload /((^)|(\n+))[\x20\x09\x0b][lL][iI][sS][tT][\x20\x09\x0b][^\n]*?[\x20\x09\x0b]\{/
-}
-
-signature s2b-2118-6 {
-  ip-proto == tcp
-  dst-port == 143
-  # Not supported: pcre: /\sLIST\s[^\n]{100}/smi
-  event "IMAP list overflow attempt"
-  tcp-state established,originator
-  # Not supported: isdataat: 100,relative
-  payload /((^)|(\n+))[\x20\x09\x0b][lL][iI][sS][tT][\x20\x09\x0b][^\n]{100}/
-}
-
-signature s2b-2119-5 {
-  ip-proto == tcp
-  dst-port == 143
-  # Not supported: pcre: /\sRENAME\s[^\n]*?\s\{/smi
-  # Not supported: byte_test: 5,>,256,0,string,dec,relative
-  event "IMAP rename literal overflow attempt"
-  tcp-state established,originator
-  payload /((^)|(\n+))[\x20\x09\x0b][rR][eE][nN][aA][mM][eE][\x20\x09\x0b][^\n]*?[\x20\x09\x0b]\{/
-}
-
-signature s2b-1903-8 {
-  ip-proto == tcp
-  dst-port == 143
-  # Not supported: pcre: /\sRENAME\s[^\n]{100}/smi
-  event "IMAP rename overflow attempt"
-  tcp-state established,originator
-  # Not supported: isdataat: 100,relative
-  payload /((^)|(\n+))[\x20\x09\x0b][rR][eE][nN][aA][mM][eE][\x20\x09\x0b][^\n]{100}/
-}
-
-signature s2b-1904-7 {
-  ip-proto == tcp
-  dst-port == 143
-  # Not supported: pcre: /\sFIND\s[^\n]{100}/smi
-  event "IMAP find overflow attempt"
-  tcp-state established,originator
-  # Not supported: isdataat: 100,relative
-  payload /((^)|(\n+))[\x20\x09\x0b][fF][iI][nN][dD][\x20\x09\x0b][^\n]{100}/
-}
-
-signature s2b-1755-14 {
-  ip-proto == tcp
-  dst-port == 143
-  # Not supported: pcre: /\sPARTIAL.*BODY\[[^\]]{1024}/smi
-  event "IMAP partial body buffer overflow attempt"
-  tcp-state established,originator
-  payload /((^)|(\n+))[\x20\x09\x0b][pP][aA][rR][tT][iI][aA][lL].*[bB][oO][dD][yY]\[[^\]]{1024}/
-}
-
-signature s2b-2046-6 {
-  ip-proto == tcp
-  dst-port == 143
-  # Not supported: pcre: /\sPARTIAL.*BODY\.PEEK\[[^\]]{1024}/smi
-  event "IMAP partial body.peek buffer overflow attempt"
-  tcp-state established,originator
-  payload /((^)|(\n+))[\x20\x09\x0b][pP][aA][rR][tT][iI][aA][lL].*[bB][oO][dD][yY]\.[pP][eE][eE][kK]\[[^\]]{1024}/
-}
-
-signature s2b-2107-3 {
-  ip-proto == tcp
-  dst-port == 143
-  # Not supported: pcre: /\sCREATE\s[^\n]{1024}/smi
-  event "IMAP create buffer overflow attempt"
-  tcp-state established,originator
-  # Not supported: isdataat: 1024,relative
-  payload /((^)|(\n+))[\x20\x09\x0b][cC][rR][eE][aA][tT][eE][\x20\x09\x0b][^\n]{1024}/
-}
-
-signature s2b-2120-3 {
-  ip-proto == tcp
-  dst-port == 143
-  # Not supported: pcre: /\sCREATE\s*\{/smi
-  # Not supported: byte_test: 5,>,256,0,string,dec,relative
-  event "IMAP create literal buffer overflow attempt"
-  tcp-state established,originator
-  payload /((^)|(\n+))[\x20\x09\x0b][cC][rR][eE][aA][tT][eE][\x20\x09\x0b][^\n]*?\s\{/
-}
-
-signature s2b-2497-6 {
-  ip-proto == tcp
-  dst-port == 993
-  event "IMAP SSLv3 invalid data version attempt"
-  tcp-state established,originator
-  payload /\x16\x03/
-  payload /.{4}\x01/
-  payload /.{8}[^\x03]*/
-}
-
-signature s2b-2517-10 {
-  ip-proto == tcp
-  dst-port == 993
-  # Not supported: byte_test: 2,>,0,6,2,!,0,8,2,!,16,8,2,>,20,10,2,>,32768,0,relative
-  event "IMAP PCT Client_Hello overflow attempt"
-  tcp-state established,originator
-  payload /.{1}\x01/
-  payload /.{10}\x8F/
-}
-
-signature s2b-2530-3 {
-  ip-proto == tcp
-  src-port == 993
-  # Not supported: flowbits: isset,sslv3.client_hello.request,set,sslv3.server_hello.request,noalert
-  event "IMAP SSLv3 Server_Hello request"
-  tcp-state established,responder
-  payload /\x16\x03/
-  payload /.{4}\x02/
-}
-
-signature s2b-489-7 {
-  ip-proto == tcp
-  dst-port == 21
-  # Not supported: pcre: /^PASS\s*\n/smi
-  event "INFO FTP no password"
-  tcp-state established,originator
-  ftp /((^)|(\n+))[\x20\x09\x0b][pP][aA][sS][sS][\x20\x09\x0b]*\n/
-}
-
-signature s2b-491-8 {
-  ip-proto == tcp
-  src-port == 21
-  # Not supported: pcre: /^530\s+(Login|User)/smi
-  event "INFO FTP Bad login"
-  tcp-state established,responder
-  ftp /((^)|(\n+))530[\x20\x09\x0b]+([lL][oO][gG][iI][nN]|[uU][sS][eE][rR])/
-}
-
-signature s2b-1251-6 {
-  ip-proto == tcp
-  src-port == 23
-  event "INFO TELNET Bad Login"
-  tcp-state established,responder
-  payload /.*[lL][oO][gG][iI][nN] [iI][nN][cC][oO][rR][rR][eE][cC][tT]/
-}
-
-signature s2b-500-4 {
-  event "MISC source route lssr"
-  ip-options lsrr
-}
-
-signature s2b-501-4 {
-  event "MISC source route lssre"
-  ip-options lsrre
-}
-
-signature s2b-502-2 {
-  event "MISC source route ssrr"
-  ip-options ssrr
-}
-
-signature s2b-503-6 {
-  ip-proto == tcp
-  src-port == 20
-  dst-port >= 0
-  dst-port <= 1023
-  header tcp[13:1] & 255 == 2
-  event "MISC Source Port 20 to <1024"
-  tcp-state stateless
-}
-
-signature s2b-504-6 {
-  ip-proto == tcp
-  src-port == 53
-  dst-port >= 0
-  dst-port <= 1023
-  header tcp[13:1] & 255 == 2
-  event "MISC source port 53 to <1024"
-  tcp-state stateless
-}
-
-signature s2b-505-5 {
-  ip-proto == tcp
-  dst-port == 1417
-  event "MISC Insecure TIMBUKTU Password"
-  tcp-state established,originator
-  payload /.{0,13}\x05\x00>/
-}
-
-signature s2b-507-4 {
-  ip-proto == tcp
-  dst-port == 5631
-  event "MISC PCAnywhere Attempted Administrator Login"
-  tcp-state established,originator
-  payload /.*ADMINISTRATOR/
-}
-
-signature s2b-508-7 {
-  ip-proto == tcp
-  dst-port == 70
-  event "MISC gopher proxy"
-  tcp-state established,originator
-  payload /.*[fF][tT][pP]\x3A/
-  payload /.*@\//
-}
-
-signature s2b-512-4 {
-  ip-proto == tcp
-  src-port >= 5631
-  src-port <= 5632
-  event "MISC PCAnywhere Failed Login"
-  tcp-state established,responder
-  payload /.{0,3}Invalid login/
-}
-
-signature s2b-513-10 {
-  ip-proto == tcp
-  src-port == 7161
-  header tcp[13:1] & 255 == 18
-  event "MISC Cisco Catalyst Remote Access"
-  tcp-state stateless
-}
-
-signature s2b-514-5 {
-  ip-proto == tcp
-  dst-port == 27374
-  event "MISC ramen worm"
-  tcp-state established,originator
-  payload /.{0,4}[gG][eE][tT] /
-}
-
-signature s2b-516-3 {
-  ip-proto == udp
-  dst-port == 161
-  event "MISC SNMP NT UserList"
-  payload /.*\+\x06\x10@\x14\xD1\x02\x19/
-}
-
-signature s2b-517-1 {
-  ip-proto == udp
-  dst-port == 177
-  event "MISC xdmcp query"
-  payload /.*\x00\x01\x00\x03\x00\x01\x00/
-}
-
-signature s2b-1867-1 {
-  ip-proto == udp
-  dst-port == 177
-  event "MISC xdmcp info query"
-  payload /.*\x00\x01\x00\x02\x00\x01\x00/
-}
-
-signature s2b-522-2 {
-  header ip[6:1] & 224 == 32
-  payload-size < 25
-  event "MISC Tiny Fragments"
-}
-
-signature s2b-1384-8 {
-  ip-proto == udp
-  dst-port == 1900
-  event "MISC UPnP malformed advertisement"
-  payload /.*[nN][oO][tT][iI][fF][yY] \* /
-}
-
-signature s2b-1388-12 {
-  ip-proto == udp
-  dst-port == 1900
-  # Not supported: pcre: /^Location\:[^\n]{128}/smi
-  event "MISC UPnP Location overflow"
-  payload /((^)|(\n+))[lL][oO][cC][aA][tT][iI][oO][nN]\x3a[^\n]{128}/
-}
-
-signature s2b-1393-12 {
-  ip-proto == tcp
-  event "MISC AIM AddGame attempt"
-  tcp-state established,responder
-  payload /.*[aA][iI][mM]\x3A[aA][dD][dD][gG][aA][mM][eE]\?/
-}
-
-signature s2b-1752-4 {
-  ip-proto == tcp
-  event "MISC AIM AddExternalApp attempt"
-  tcp-state established,responder
-  payload /.*[aA][iI][mM]\x3A[aA][dD][dD][eE][xX][tT][eE][rR][nN][aA][lL][aA][pP][pP]\?/
-}
-
-signature s2b-1636-8 {
-  ip-proto == tcp
-  dst-port == 32000
-  # Not supported: pcre: /^Username\:[^\n]{100}/smi
-  payload-size > 500
-  event "MISC Xtramail Username overflow attempt"
-  tcp-state established,originator
-  # Not supported: isdataat: 100,relative
-  payload /((^)|(\n+))[uU][sS][eE][rR][nN][aA][mM][eE]\:[^\n]{100}/
-}
-
-signature s2b-1887-3 {
-  ip-proto == tcp
-  dst-port == 443
-  event "MISC OpenSSL Worm traffic"
-  tcp-state established,originator
-  payload /.*[tT][eE][rR][mM]=[xX][tT][eE][rR][mM]/
-}
-
-signature s2b-1889-5 {
-  ip-proto == udp
-  src-port == 2002
-  dst-port == 2002
-  event "MISC slapper worm admin traffic"
-  payload /\x00\x00E\x00\x00E\x00\x00@\x00/
-}
-
-signature s2b-1447-11 {
-  ip-proto == tcp
-  dst-port == 3389
-  event "MISC MS Terminal server request RDP"
-  tcp-state established,originator
-  payload /\x03\x00\x00\x0B\x06\xE0\x00\x00\x00\x00\x00/
-}
-
-signature s2b-1448-10 {
-  ip-proto == tcp
-  dst-port == 3389
-  event "MISC MS Terminal server request"
-  tcp-state established,originator
-  payload /\x03\x00\x00/
-  payload /.{4}\xE0\x00\x00\x00\x00\x00/
-}
-
-signature s2b-2418-3 {
-  ip-proto == tcp
-  dst-port == 3389
-  event "MISC MS Terminal Server no encryption session initiation attmept"
-  tcp-state established,originator
-  payload /\x03\x00\x01/
-  payload /.{287}\x00/
-}
-
-signature s2b-1819-5 {
-  ip-proto == tcp
-  dst-port == 2533
-  event "MISC Alcatel PABX 4400 connection attempt"
-  tcp-state established,originator
-  payload /\x00\x01C/
-}
-
-signature s2b-1939-4 {
-  ip-proto == udp
-  dst-port == 67
-  # Not supported: byte_test: 1,>,6,2
-  event "MISC bootp hardware address length overflow"
-  payload /\x01/
-}
-
-signature s2b-1940-3 {
-  ip-proto == udp
-  dst-port == 67
-  # Not supported: byte_test: 1,>,7,1
-  event "MISC bootp invalid hardware type"
-  payload /\x01/
-}
-
-signature s2b-2039-4 {
-  ip-proto == udp
-  dst-port == 67
-  event "MISC bootp hostname format string attempt"
-  payload /\x01.{240}.*\x0C.*.*%.{1}.{0,7}%.{1}.{0,7}%/
-}
-
-signature s2b-1966-2 {
-  ip-proto == udp
-  dst-port == 27155
-  event "MISC GlobalSunTech Access Point Information Disclosure attempt"
-  payload /.*gstsearch/
-}
-
-signature s2b-1987-6 {
-  ip-proto == tcp
-  dst-port == 7100
-  payload-size > 512
-  event "MISC xfs overflow attempt"
-  tcp-state established,originator
-  payload /B\x00\x02/
-}
-
-signature s2b-2041-2 {
-  ip-proto == udp
-  src-port == 49
-  event "MISC xtacacs failed login response"
-  payload /\x80\x02.{4}.*\x02/
-}
-
-signature s2b-2043-2 {
-  ip-proto == udp
-  src-port == 500
-  dst-port == 500
-  event "MISC isakmp login failed"
-  payload /.{16}\x10\x05.{13}\x00\x00\x00\x01\x01\x00\x00\x18/
-}
-
-signature s2b-2048-2 {
-  ip-proto == tcp
-  dst-port == 873
-  # Not supported: byte_test: 2,>,4000,0
-  event "MISC rsyncd overflow attempt"
-  tcp-state originator
-  payload /.{1}\x00\x00/
-}
-
-signature s2b-2008-4 {
-  ip-proto == tcp
-  src-port == 2401
-  event "MISC CVS invalid user authentication response"
-  tcp-state established,responder
-  payload /.*E Fatal error, aborting\./
-  payload /.*\x3A no such user/
-}
-
-signature s2b-2009-2 {
-  ip-proto == tcp
-  src-port == 2401
-  src-ip == local_nets
-  event "MISC CVS invalid repository response"
-  tcp-state established,responder
-  payload /.*error /
-  payload /.*\x3A no such repository/
-  payload /.*I HATE YOU/
-}
-
-signature s2b-2010-4 {
-  ip-proto == tcp
-  src-port == 2401
-  event "MISC CVS double free exploit attempt response"
-  tcp-state established,responder
-  payload /.*free\x28\x29\x3A warning\x3A chunk is already free/
-}
-
-signature s2b-2011-4 {
-  ip-proto == tcp
-  src-port == 2401
-  event "MISC CVS invalid directory response"
-  tcp-state established,responder
-  payload /.*E protocol error\x3A invalid directory syntax in/
-}
-
-signature s2b-2012-2 {
-  ip-proto == tcp
-  src-port == 2401
-  event "MISC CVS missing cvsroot response"
-  tcp-state established,responder
-  payload /.*E protocol error\x3A Root request missing/
-}
-
-signature s2b-2013-2 {
-  ip-proto == tcp
-  src-port == 2401
-  event "MISC CVS invalid module response"
-  tcp-state established,responder
-  payload /.*cvs server\x3A cannot find module.{1}.*error/
-}
-
-signature s2b-2317-4 {
-  ip-proto == tcp
-  src-port == 2401
-  event "MISC CVS non-relative path error response"
-  tcp-state established,responder
-  payload /.*E cvs server\x3A warning\x3A cannot make directory CVS in \//
-}
-
-signature s2b-2318-3 {
-  ip-proto == tcp
-  dst-port == 2401
-  # Not supported: pcre: m?^Argument\s+/?smi,/^Directory/smiR
-  event "MISC CVS non-relative path access attempt"
-  tcp-state established,originator
-  payload /((^)|(\n+))[aA][Rr][Gg][Uu}[Mm][Ee][Nn][Tt][\x20\x09\x0b]]+/
-  payload /.*[Dd][Ii][Rr][Ee][Cc][Tt][Oo][Rr][Yy]/
-}
-
-signature s2b-2159-8 {
-  ip-proto == tcp
-  src-port == 179
-  event "MISC BGP invalid type 0"
-  tcp-state stateless
-  payload /\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF.{2}\x00/
-}
-
-signature s2b-2500-4 {
-  ip-proto == tcp
-  dst-port == 636
-  event "MISC LDAP SSLv3 invalid data version attempt"
-  tcp-state established,originator
-  payload /\x16\x03/
-  payload /.{4}\x01/
-  payload /.{8}[^\x03]*/
-}
-
-signature s2b-2516-10 {
-  ip-proto == tcp
-  dst-port == 639
-  # Not supported: byte_test: 2,>,0,6,2,!,0,8,2,!,16,8,2,>,20,10,2,>,32768,0,relative
-  event "MISC LDAP PCT Client_Hello overflow attempt"
-  tcp-state established,originator
-  payload /.{1}\x01/
-  payload /.{10}\x8F/
-}
-
-signature s2b-2533-5 {
-  ip-proto == tcp
-  src-port == 639
-  # Not supported: flowbits: isset,sslv3.client_hello.request,set,sslv3.server_hello.request,noalert
-  event "MISC LDAP SSLv3 Server_Hello request"
-  tcp-state established,responder
-  payload /\x16\x03/
-  payload /.{4}\x02/
-}
-
-signature s2b-2534-3 {
-  ip-proto == tcp
-  dst-port == 639
-  # Not supported: flowbits: isset,sslv3.server_hello.request
-  event "MISC LDAP SSLv3 invalid Client_Hello attempt"
-  tcp-state established,originator
-  payload /\x16\x03/
-  payload /.{4}\x01/
-}
-
-signature s2b-2547-2 {
-  ip-proto == tcp
-  dst-port == 8000
-  event "MISC HP Web JetAdmin remote file upload attempt"
-  tcp-state established,originator
-  payload /.*\/[pP][lL][uU][gG][iI][nN][sS]\/[hH][pP][jJ][wW][jJ][aA]\/[sS][cC][rR][iI][pP][tT]\/[dD][eE][vV][iI][cC][eE][sS]_[uU][pP][dD][aA][tT][eE]_[pP][rR][iI][nN][tT][eE][rR]_[fF][wW]_[uU][pP][lL][oO][aA][dD]\.[hH][tT][sS]/
-  payload /.*[cC][oO][nN][tT][eE][nN][tT]-[tT][yY][pP][eE]\x3A.*.*[mM][uU][lL][tT][iI][pP][aA][rR][tT]/
-}
-
-signature s2b-2548-1 {
-  ip-proto == tcp
-  dst-port == 8000
-  event "MISC HP Web JetAdmin setinfo access"
-  tcp-state established,originator
-  payload /.*\/[pP][lL][uU][gG][iI][nN][sS]\/[hH][pP][jJ][dD][wW][mM]\/[sS][cC][rR][iI][pP][tT]\/[tT][eE][sS][tT]\/[sS][eE][tT][iI][nN][fF][oO]\.[hH][tT][sS]/
-}
-
-signature s2b-2549-1 {
-  ip-proto == tcp
-  dst-port == 8000
-  event "MISC HP Web JetAdmin file write attempt"
-  tcp-state established,originator
-  payload /.*\/[pP][lL][uU][gG][iI][nN][sS]\/[fF][rR][aA][mM][eE][wW][oO][rR][kK]\/[sS][cC][rR][iI][pP][tT]\/[tT][rR][eE][eE]\.[xX][mM][sS]/
-  payload /.*[wW][rR][iI][tT][eE][tT][oO][fF][iI][lL][eE]/
-}
-
-signature s2b-2561-2 {
-  ip-proto == tcp
-  dst-port == 873
-  # Not supported: pcre: /--backup-dir\s+\x2e\x2e\x2f/
-  event "MISC rsync backup-dir directory traversal attempt"
-  tcp-state established,originator
-  payload /--backup-dir[\x20\x09\x0b]+\x2e\x2e\x2f/
-}
-
-signature s2b-1428-5 {
-  ip-proto == tcp
-  dst-ip == 64.245.58.0/23
-  event "MULTIMEDIA audio galaxy keepalive"
-  tcp-state established
-  payload /E_\x00\x03\x05/
-}
-
-signature s2b-2423-2 {
-  ip-proto == tcp
-  dst-port == http_ports
-  # Not supported: flowbits: set,realplayer.playlist,noalert
-  event "MULTIMEDIA realplayer .rp playlist download attempt"
-  tcp-state established,originator
-  http /((^)|(\n+))[tT][aA][kK][eE][tT][hH][iI][sS].*?[pP][Aa][Tt][Hh]\x3a.*?[\r]{0,1}?\n[\r]{0,1}\n/
-}
-
-signature s2b-1775-2 {
-  ip-proto == tcp
-  dst-port == 3306
-  event "MYSQL root login attempt"
-  tcp-state established,originator
-  payload /.*\x0A\x00\x00\x01\x85\x04\x00\x00\x80root\x00/
-}
-
-signature s2b-1776-2 {
-  ip-proto == tcp
-  dst-port == 3306
-  event "MYSQL show databases attempt"
-  tcp-state established,originator
-  payload /.*\x0F\x00\x00\x00\x03show databases/
-}
-
-signature s2b-537-11 {
-  ip-proto == tcp
-  dst-port == 139
-  # Not supported: byte_test: 1,<,128,6,relative
-  event "NETBIOS SMB IPC$ share access"
-  tcp-state established,originator
-  payload /\x00/
-  payload /.{3}\xFFSMBu.{32}.*[iI][pP][cC]\x24\x00/
-}
-
-signature s2b-538-10 {
-  ip-proto == tcp
-  dst-port == 139
-  # Not supported: byte_test: 1,>,127,6,relative
-  event "NETBIOS SMB IPC$ share unicode access"
-  tcp-state established,originator
-  payload /\x00/
-  payload /.{3}\xFFSMBu.{32}.*[iI]\x00[pP]\x00[cC]\x00\x24\x00\x00/
-}
-
-signature s2b-2465-3 {
-  ip-proto == tcp
-  dst-port == 445
-  # Not supported: byte_test: 1,<,128,6,relative
-  event "NETBIOS SMB-DS IPC$ share access"
-  tcp-state established,originator
-  payload /\x00/
-  payload /.{3}\xFFSMBu.{32}.*[iI][pP][cC]\x24\x00/
-}
-
-signature s2b-2466-3 {
-  ip-proto == tcp
-  dst-port == 445
-  # Not supported: byte_test: 1,>,127,6,relative
-  event "NETBIOS SMB-DS IPC$ share unicode access"
-  tcp-state established,originator
-  payload /\x00/
-  payload /.{3}\xFFSMBu.{32}.*[iI]\x00[pP]\x00[cC]\x00\x24\x00\x00/
-}
-
-signature s2b-536-7 {
-  ip-proto == tcp
-  dst-port == 139
-  # Not supported: byte_test: 1,<,128,6,relative
-  event "NETBIOS SMB D$ share access"
-  tcp-state established,originator
-  payload /\x00/
-  payload /.{3}\xFFSMBu.{32}.*[dD]\x24\x00/
-}
-
-signature s2b-2467-3 {
-  ip-proto == tcp
-  dst-port == 139
-  # Not supported: byte_test: 1,>,127,6,relative
-  event "NETBIOS SMB D$ share unicode access"
-  tcp-state established,originator
-  payload /\x00/
-  payload /.{3}\xFFSMBu.{32}.*[dD]\x00\x24\x00\x00/
-}
-
-signature s2b-2468-3 {
-  ip-proto == tcp
-  dst-port == 445
-  # Not supported: byte_test: 1,<,128,6,relative
-  event "NETBIOS SMB-DS D$ share access"
-  tcp-state established,originator
-  payload /\x00/
-  payload /.{3}\xFFSMBu.{32}.*[dD]\x24\x00/
-}
-
-signature s2b-2469-3 {
-  ip-proto == tcp
-  dst-port == 445
-  # Not supported: byte_test: 1,>,127,6,relative
-  event "NETBIOS SMB-DS D$ share unicode access"
-  tcp-state established,originator
-  payload /\x00/
-  payload /.{3}\xFFSMBu.{32}.*[dD]\x00\x24\x00\x00/
-}
-
-signature s2b-533-8 {
-  ip-proto == tcp
-  dst-port == 139
-  # Not supported: byte_test: 1,<,128,6,relative
-  event "NETBIOS SMB C$ share access"
-  tcp-state established,originator
-  payload /\x00/
-  payload /.{3}\xFFSMBu.{32}.*[cC]\x24\x00/
-}
-
-signature s2b-2470-3 {
-  ip-proto == tcp
-  dst-port == 139
-  # Not supported: byte_test: 1,>,127,6,relative
-  event "NETBIOS SMB C$ share unicode access"
-  tcp-state established,originator
-  payload /\x00/
-  payload /.{3}\xFFSMBu.{32}.*[cC]\x00\x24\x00\x00/
-}
-
-signature s2b-2471-3 {
-  ip-proto == tcp
-  dst-port == 445
-  # Not supported: byte_test: 1,<,128,6,relative
-  event "NETBIOS SMB-DS C$ share access"
-  tcp-state established,originator
-  payload /\x00/
-  payload /.{3}\xFFSMBu.{32}.*[cC]\x24\x00/
-}
-
-signature s2b-2472-3 {
-  ip-proto == tcp
-  dst-port == 445
-  # Not supported: byte_test: 1,>,127,6,relative
-  event "NETBIOS SMB-DS C$ share unicode access"
-  tcp-state established,originator
-  payload /\x00/
-  payload /.{3}\xFFSMBu.{32}.*[cC]\x00\x24\x00\x00/
-}
-
-signature s2b-532-8 {
-  ip-proto == tcp
-  dst-port == 139
-  # Not supported: byte_test: 1,<,128,6,relative
-  event "NETBIOS SMB ADMIN$ share access"
-  tcp-state established,originator
-  payload /\x00/
-  payload /.{3}\xFFSMBu.{32}.*[aA][dD][mM][iI][nN]\x24\x00/
-}
-
-signature s2b-2473-3 {
-  ip-proto == tcp
-  dst-port == 139
-  # Not supported: byte_test: 1,>,127,6,relative
-  event "NETBIOS SMB ADMIN$ share unicode access"
-  tcp-state established,originator
-  payload /\x00/
-  payload /.{3}\xFFSMBu.{32}.*[aA]\x00[dD]\x00[mM]\x00[iI]\x00[nN]\x00\x24\x00\x00/
-}
-
-signature s2b-2474-3 {
-  ip-proto == tcp
-  dst-port == 445
-  # Not supported: byte_test: 1,<,128,6,relative
-  event "NETBIOS SMB-DS ADMIN$ share access"
-  tcp-state established,originator
-  payload /\x00/
-  payload /.{3}\xFFSMBu.{32}.*[aA][dD][mM][iI][nN]\x24\x00/
-}
-
-signature s2b-2475-3 {
-  ip-proto == tcp
-  dst-port == 445
-  # Not supported: byte_test: 1,>,127,6,relative
-  event "NETBIOS SMB-DS ADMIN$ share unicode access"
-  tcp-state established,originator
-  payload /\x00/
-  payload /.{3}\xFFSMBu.{32}.*[aA]\x00[dD]\x00[mM]\x00[iI]\x00[nN]\x00\x24\x00\x00/
-}
-
-signature s2b-2174-4 {
-  ip-proto == tcp
-  dst-port == 139
-  event "NETBIOS SMB winreg access"
-  tcp-state established,originator
-  payload /\x00/
-  payload /.{3}\xFFSMB\xA2/
-  payload /.{84}.*\x5C[wW][iI][nN][rR][eE][gG]\x00/
-}
-
-signature s2b-2175-5 {
-  ip-proto == tcp
-  dst-port == 139
-  event "NETBIOS SMB winreg unicode access"
-  tcp-state established,originator
-  payload /\x00/
-  payload /.{3}\xFFSMB\xA2/
-  payload /.{84}.*\x5C\x00[wW]\x00[iI]\x00[nN]\x00[rR]\x00[eE]\x00[gG]\x00/
-}
-
-signature s2b-2476-3 {
-  ip-proto == tcp
-  dst-port == 445
-  # Not supported: flowbits: set,smb.winreg.create
-  # Not supported: byte_test: 1,>,127,6,relative
-  event "NETBIOS SMB-DS Create AndX Request winreg attempt"
-  tcp-state established,originator
-  payload /\x00/
-  payload /.{3}\xFFSMB\xA2.{79}\x5C[wW][iI][nN][rR][eE][gG]\x00/
-}
-
-signature s2b-2477-3 {
-  ip-proto == tcp
-  dst-port == 445
-  # Not supported: flowbits: set,smb.winreg.create
-  # Not supported: byte_test: 1,>,127,6,relative
-  event "NETBIOS SMB-DS Create AndX Request winreg unicode attempt"
-  tcp-state established,originator
-  payload /\x00/
-  payload /.{3}\xFFSMB\xA2.{79}\x5C\x00[wW]\x00[iI]\x00[nN]\x00[rR]\x00[eE]\x00[gG]\x00\x00\x00/
-}
-
-signature s2b-2478-3 {
-  ip-proto == tcp
-  dst-port == 445
-  # Not supported: flowbits: set,smb.dce.bind.winreg,isset,smb.winreg.create
-  # Not supported: byte_test: 1,<,128,6,relative,1,&,16,1,relative
-  event "NETBIOS SMB-DS DCERPC bind winreg attempt"
-  tcp-state established,originator
-  payload /\x00/
-  payload /.{3}\xFF[sS][mM][bB]%.{56}&\x00.{5}\x5C[pP][iI][pP][eE]\x5C\x00\x05\x00\x0B.{29}\x01\xD0\x8C3D\x22\xF11\xAA\xAA\x90\x008\x00\x10\x03/
-}
-
-signature s2b-2480-3 {
-  ip-proto == tcp
-  dst-port == 445
-  # Not supported: flowbits: isset,smb.dce.bind.winreg
-  # Not supported: byte_test: 1,>,127,6,relative,1,&,16,1,relative
-  event "NETBIOS SMB-DS DCERPC shutdown unicode attempt"
-  tcp-state established,originator
-  payload /\x00/
-  payload /.{3}\xFF[sS][mM][bB]%.{56}&\x00.{5}\x5C\x00[pP]\x00[iI]\x00[pP]\x00[eE]\x00\x5C\x00\x00\x00\x05\x00\x00.{19}\x18\x00/
-}
-
-signature s2b-2481-3 {
-  ip-proto == tcp
-  dst-port == 445
-  # Not supported: flowbits: isset,smb.dce.bind.winreg
-  # Not supported: byte_test: 1,>,127,6,relative,1,<,16,1,relative
-  event "NETBIOS SMB-DS DCERPC shutdown unicode little endian attempt"
-  tcp-state established,originator
-  payload /\x00/
-  payload /.{3}\xFF[sS][mM][bB]%.{56}&\x00.{5}\x5C\x00[pP]\x00[iI]\x00[pP]\x00[eE]\x00\x5C\x00\x00\x00\x05\x00\x00.{19}\x00\x18/
-}
-
-signature s2b-1293-10 {
-  ip-proto == tcp
-  dst-port == 139
-  event "NETBIOS nimda .eml"
-  tcp-state established,originator
-  payload /.*\x00\.\x00E\x00M\x00L/
-}
-
-signature s2b-1294-10 {
-  ip-proto == tcp
-  dst-port == 139
-  event "NETBIOS nimda .nws"
-  tcp-state established,originator
-  payload /.*\x00\.\x00N\x00W\x00S/
-}
-
-signature s2b-1295-9 {
-  ip-proto == tcp
-  dst-port == 139
-  event "NETBIOS nimda RICHED20.DLL"
-  tcp-state established,originator
-  payload /.*R\x00I\x00C\x00H\x00E\x00D\x002\x000/
-}
-
-signature s2b-529-7 {
-  ip-proto == tcp
-  dst-port == 139
-  event "NETBIOS DOS RFPoison"
-  tcp-state established,originator
-  payload /.*\x5C\x00\x5C\x00\*\x00S\x00M\x00B\x00S\x00E\x00R\x00V\x00E\x00R\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\xFF\xFF\xFF\xFF\x00\x00\x00\x00/
-}
-
-signature s2b-530-10 {
-  ip-proto == tcp
-  dst-port == 139
-  event "NETBIOS NT NULL session"
-  tcp-state established,originator
-  payload /.*\x00\x00\x00\x00W\x00i\x00n\x00d\x00o\x00w\x00s\x00 \x00N\x00T\x00 \x001\x003\x008\x001/
-}
-
-signature s2b-1239-5 {
-  ip-proto == tcp
-  dst-port == 139
-  event "NETBIOS RFParalyze Attempt"
-  tcp-state established,originator
-  payload /.*BEAVIS/
-  payload /.*yep yep/
-}
-
-signature s2b-534-6 {
-  ip-proto == tcp
-  dst-port == 139
-  event "NETBIOS SMB CD.."
-  tcp-state established,originator
-  payload /.*\x5C\.\.\/\x00\x00\x00/
-}
-
-signature s2b-535-6 {
-  ip-proto == tcp
-  dst-port == 139
-  event "NETBIOS SMB CD..."
-  tcp-state established,originator
-  payload /.*\x5C\.\.\.\x00\x00\x00/
-}
-
-signature s2b-2176-4 {
-  ip-proto == tcp
-  dst-port == 139
-  event "NETBIOS SMB startup folder access"
-  tcp-state established,originator
-  payload /\x00/
-  payload /.{3}\xFFSMB2.*.*[dD][oO][cC][uU][mM][eE][nN][tT][sS] [aA][nN][dD] [sS][eE][tT][tT][iI][nN][gG][sS]\x5C[aA][lL][lL] [uU][sS][eE][rR][sS]\x5C[sS][tT][aA][rR][tT] [mM][eE][nN][uU]\x5C[pP][rR][oO][gG][rR][aA][mM][sS]\x5C[sS][tT][aA][rR][tT][uU][pP]\x00/
-}
-
-signature s2b-2177-4 {
-  ip-proto == tcp
-  dst-port == 139
-  event "NETBIOS SMB startup folder unicode access"
-  tcp-state established,originator
-  payload /\x00/
-  payload /.{3}\xFFSMB2.*.*\x5C\x00[sS]\x00[tT]\x00[aA]\x00[rR]\x00[tT]\x00 \x00[mM]\x00[eE]\x00[nN]\x00[uU]\x00\x5C\x00[pP]\x00[rR]\x00[oO]\x00[gG]\x00[rR]\x00[aA]\x00[mM]\x00[sS]\x00\x5C\x00[sS]\x00[tT]\x00[aA]\x00[rR]\x00[tT]\x00[uU]\x00[pP]/
-}
-
-signature s2b-2101-9 {
-  ip-proto == tcp
-  dst-port == 139
-  event "NETBIOS SMB SMB_COM_TRANSACTION Max Parameter and Max Count of 0 DOS Attempt"
-  tcp-state established,originator
-  payload /\x00/
-  payload /.{3}\xFFSMB%/
-  payload /.{42}\x00\x00\x00\x00/
-}
-
-signature s2b-2103-9 {
-  ip-proto == tcp
-  dst-port == 139
-  # Not supported: byte_test: 2,>,256,0,relative,little
-  event "NETBIOS SMB trans2open buffer overflow attempt"
-  tcp-state established,originator
-  payload /\x00/
-  payload /.{3}\xFFSMB2/
-  payload /.{59}\x00\x14/
-}
-
-signature s2b-2190-3 {
-  ip-proto == tcp
-  dst-port == 135
-  # Not supported: byte_test: 1,&,1,0,relative
-  event "NETBIOS DCERPC invalid bind attempt"
-  tcp-state established,originator
-  payload /\x05.{1}\x0B.{21}\x00/
-}
-
-signature s2b-2191-3 {
-  ip-proto == tcp
-  dst-port == 445
-  # Not supported: byte_test: 1,&,1,0,relative
-  event "NETBIOS SMB DCERPC invalid bind attempt"
-  tcp-state established,originator
-  payload /.{3}\xFF[sS][mM][bB]%.{56}&\x00.{5}\x5C\x00[pP]\x00[iI]\x00[pP]\x00[eE]\x00\x5C\x00.{2}\x05.{1}\x0B.{21}\x00/
-}
-
-signature s2b-2192-8 {
-  ip-proto == tcp
-  dst-port == 135
-  # Not supported: flowbits: set,dce.isystemactivator.bind.attempt,noalert
-  event "NETBIOS DCERPC ISystemActivator bind attempt"
-  # Not supported: byte_test: 1,&,1,0,relative
-  tcp-state established,originator
-  payload /\x05.{1}\x0B.{29}\xA0\x01\x00\x00\x00\x00\x00\x00\xC0\x00\x00\x00\x00\x00\x00F/
-}
-
-signature s2b-2193-9 {
-  ip-proto == tcp
-  dst-port == 445
-  # Not supported: flowbits: set,dce.isystemactivator.bind.call.attempt
-  event "NETBIOS SMB-DS DCERPC ISystemActivator bind attempt"
-  # Not supported: byte_test: 1,&,1,0,relative
-  tcp-state established,originator
-  payload /.{3}\xFF[sS][mM][bB]%.{56}&\x00.{5}\x5C\x00[pP]\x00[iI]\x00[pP]\x00[eE]\x00\x5C\x00\x05.{1}\x0B.{29}\xA0\x01\x00\x00\x00\x00\x00\x00\xC0\x00\x00\x00\x00\x00\x00F/
-}
-
-signature s2b-2493-5 {
-  ip-proto == tcp
-  dst-port == 139
-  # Not supported: flowbits: set,dce.isystemactivator.bind.call.attempt
-  event "NETBIOS SMB DCERPC ISystemActivator unicode bind attempt"
-  # Not supported: byte_test: 2,&,1,5,relative,1,&,16,1,relative
-  tcp-state established,originator
-  payload /\x00/
-  payload /.{3}\xFF[sS][mM][bB]%.{56}&\x00.{4}\x5C\x00P\x00I\x00P\x00E\x00\x5C\x00\x05\x00\x0B.{29}\xA0\x01\x00\x00\x00\x00\x00\x00\xC0\x00\x00\x00\x00\x00\x00F/
-}
-
-signature s2b-2251-11 {
-  ip-proto == tcp
-  dst-port == 135
-  # Not supported: byte_test: 1,&,1,0,relative
-  event "NETBIOS DCERPC Remote Activation bind attempt"
-  tcp-state established,originator
-  payload /\x05.{1}\x0B.{29}\xB8J\x9FM\x1C\}\xCF\x11\x86\x1E\x00 \xAFn\x7CW/
-}
-
-signature s2b-2252-11 {
-  ip-proto == tcp
-  dst-port == 445
-  # Not supported: byte_test: 1,&,1,0,relative
-  event "NETBIOS SMB-DS DCERPC Remote Activation bind attempt"
-  tcp-state established,originator
-  payload /.{3}\xFF[sS][mM][bB]%.{56}&\x00.{5}\x5C\x00[pP]\x00[iI]\x00[pP]\x00[eE]\x00\x5C\x00\x05.{1}\x0B.{29}\xB8J\x9FM\x1C\}\xCF\x11\x86\x1E\x00 \xAFn\x7CW/
-}
-
-signature s2b-2257-5 {
-  ip-proto == udp
-  dst-port == 135
-  # Not supported: byte_test: 1,>,15,2,relative,4,>,1024,0,little,relative
-  # Not supported: byte_jump: 4,86,little,align,relative,4,8,little,align,relative
-  event "NETBIOS DCERPC Messenger Service buffer overflow attempt"
-  payload /\x04\x00/
-}
-
-signature s2b-2258-6 {
-  ip-proto == tcp
-  dst-port == 445
-  # Not supported: byte_test: 1,>,15,2,relative,4,>,1024,0,little,relative
-  # Not supported: byte_jump: 4,86,little,align,relative,4,8,little,align,relative
-  event "NETBIOS SMB-DS DCERPC Messenger Service buffer overflow attempt"
-  tcp-state established,originator
-  payload /.{3}\xFF[sS][mM][bB]%.{56}&\x00.{5}\x5C\x00[pP]\x00[iI]\x00[pP]\x00[eE]\x00\x5C\x00\x04\x00/
-}
-
-signature s2b-2308-6 {
-  ip-proto == tcp
-  dst-port == 139
-  # Not supported: byte_test: 2,&,1,5,relative,1,&,16,1,relative
-  event "NETBIOS SMB DCERPC Workstation Service unicode bind attempt"
-  tcp-state established,originator
-  payload /\x00/
-  payload /.{3}\xFF[sS][mM][bB]%.{56}&\x00.{4}\x5C\x00P\x00I\x00P\x00E\x00\x5C\x00\x05\x00\x0B.{29}\x98\xD0\xFFk\x12\xA1\x106\x983F\xC3\xF8~4Z/
-}
-
-signature s2b-2309-6 {
-  ip-proto == tcp
-  dst-port == 139
-  # Not supported: byte_test: 2,^,1,5,relative,1,&,16,1,relative
-  event "NETBIOS SMB DCERPC Workstation Service bind attempt"
-  tcp-state established,originator
-  payload /\x00/
-  payload /.{3}\xFF[sS][mM][bB]%.{56}&\x00.{4}\x5CPIPE\x5C\x00\x05\x00\x0B.{29}\x98\xD0\xFFk\x12\xA1\x106\x983F\xC3\xF8~4Z/
-}
-
-signature s2b-2310-8 {
-  ip-proto == tcp
-  dst-port == 445
-  # Not supported: byte_test: 2,&,1,5,relative,1,&,16,1,relative
-  event "NETBIOS SMB-DS DCERPC Workstation Service unicode bind attempt"
-  tcp-state established,originator
-  payload /\x00/
-  payload /.{3}\xFF[sS][mM][bB]%.{56}&\x00.{4}\x5C\x00P\x00I\x00P\x00E\x00\x5C\x00\x05\x00\x0B.{29}\x98\xD0\xFFk\x12\xA1\x106\x983F\xC3\xF8~4Z/
-}
-
-signature s2b-2311-7 {
-  ip-proto == tcp
-  dst-port == 445
-  # Not supported: byte_test: 2,^,1,5,relative,1,&,16,1,relative
-  event "NETBIOS SMB-DS DCERPC Workstation Service bind attempt"
-  tcp-state established,originator
-  payload /\x00/
-  payload /.{3}\xFF[sS][mM][bB]%.{56}&\x00.{4}\x5CPIPE\x5C\x00\x05\x00\x0B.{29}\x98\xD0\xFFk\x12\xA1\x106\x983F\xC3\xF8~4Z/
-}
-
-signature s2b-2315-6 {
-  ip-proto == tcp
-  dst-port >= 1024
-  dst-port <= 65535
-  # Not supported: byte_test: 1,&,16,1,relative
-  event "NETBIOS DCERPC Workstation Service direct service bind attempt"
-  tcp-state established,originator
-  payload /\x05\x00\x0B.{29}\x98\xD0\xFFk\x12\xA1\x106\x983F\xC3\xF8~4Z/
-}
-
-signature s2b-2316-6 {
-  ip-proto == udp
-  dst-port >= 1024
-  dst-port <= 65535
-  # Not supported: byte_test: 1,&,16,2,relative
-  event "NETBIOS DCERPC Workstation Service direct service access attempt"
-  payload /\x04\x00.{22}\x98\xD0\xFFk\x12\xA1\x106\x983F\xC3\xF8~4Z/
-}
-
-signature s2b-2348-6 {
-  ip-proto == tcp
-  dst-port == 445
-  # Not supported: flowbits: set,dce.printer.bind,noalert
-  # Not supported: byte_test: 1,&,16,1,relative
-  event "NETBIOS SMB-DS DCERPC print spool bind attempt"
-  tcp-state established,originator
-  payload /\x00/
-  payload /.{3}\xFF[sS][mM][bB]%.{56}&\x00.{5}\x5C\x00P\x00I\x00P\x00E\x00\x5C\x00\x00\x00\x05\x00\x0B.{29}xV4\x124\x12\xCD\xAB\xEF\x00\x01\x23Eg\x89\xAB/
-}
-
-signature s2b-2382-8 {
-  ip-proto == tcp
-  dst-port == 139
-  event "NETBIOS SMB NTLMSSP invalid mechtype attempt"
-  tcp-state established,originator
-  payload /.{3}\xFF[sS][mM][bB][sS]/
-  payload /.{62}`.{1}\x06\x06\+\x06\x01\x05\x05\x02.*.*\x06\x0A\+\x06\x01\x04\x01\x827\x02\x02\x0A.*.*\xA1\x05\x23\x03\x03\x01\x07/
-}
-
-signature s2b-2383-9 {
-  ip-proto == tcp
-  dst-port == 445
-  event "NETBIOS SMB-DS DCERPC NTLMSSP invalid mechtype attempt"
-  tcp-state established,originator
-  payload /.{3}\xFF[sS][mM][bB][sS]/
-  payload /.{62}`.{1}\x06\x06\+\x06\x01\x05\x05\x02.*.*\x06\x0A\+\x06\x01\x04\x01\x827\x02\x02\x0A.*.*\xA1\x05\x23\x03\x03\x01\x07/
-}
-
-signature s2b-2384-8 {
-  ip-proto == tcp
-  dst-port == 139
-  event "NETBIOS SMB NTLMSSP invalid mechlistMIC attempt"
-  tcp-state established,originator
-  payload /.{3}\xFF[sS][mM][bB][sS]/
-  payload /.{62}`.{1}\x00\x00\x00b\x06\x83\x00\x00\x06\+\x06\x01\x05\x05\x02.*.*\x06\x0A\+\x06\x01\x04\x01\x827\x02\x02\x0A.*.*\xA3>0<\xA00/
-}
-
-signature s2b-2385-9 {
-  ip-proto == tcp
-  dst-port == 445
-  event "NETBIOS SMB-DS DCERPC NTLMSSP invalid mechlistMIC attempt"
-  tcp-state established,originator
-  payload /.{3}\xFF[sS][mM][bB][sS]/
-  payload /.{62}`.{1}\x00\x00\x00b\x06\x83\x00\x00\x06\+\x06\x01\x05\x05\x02.*.*\x06\x0A\+\x06\x01\x04\x01\x827\x02\x02\x0A.*.*\xA3>0<\xA00/
-}
-
-signature s2b-2401-4 {
-  ip-proto == tcp
-  dst-port == 139
-  # Not supported: byte_test: 2,>,322,2,1,<,128,6,relative,2,>,255,8,relative,little
-  event "NETBIOS SMB Session Setup AndX request username overflow attempt"
-  tcp-state established,originator
-  payload /\x00/
-  payload /.{3}\xFF[sS][mM][bB][sS].{42}\x00\x00\x00\x00.{10}[^\x00]{255}/
-}
-
-signature s2b-2402-5 {
-  ip-proto == tcp
-  dst-port == 445
-  # Not supported: byte_test: 2,>,322,2,1,<,128,6,relative,2,>,255,8,relative,little
-  event "NETBIOS SMB-DS Session Setup AndX request username overflow attempt"
-  tcp-state established,originator
-  payload /\x00/
-  payload /.{3}\xFF[sS][mM][bB][sS].{42}\x00\x00\x00\x00.{10}[^\x00]{255}/
-}
-
-signature s2b-2403-4 {
-  ip-proto == tcp
-  dst-port == 139
-  # Not supported: byte_test: 2,>,322,2,1,&,128,6,relative,2,>,255,54,relative,little
-  event "NETBIOS SMB Session Setup AndX request unicode username overflow attempt"
-  tcp-state established,originator
-  payload /.*.*\x00\x00.*.*\x00\x00/
-  payload /\x00/
-  payload /.{3}\xFF[sS][mM][bB][sS].{56}.*\x00.{255}.*\x00\x00.*.*\x00\x00/
-}
-
-signature s2b-2404-5 {
-  ip-proto == tcp
-  dst-port == 445
-  # Not supported: byte_test: 2,>,322,2,1,&,128,6,relative,2,>,255,54,relative,little
-  event "NETBIOS SMB-DS Session Setup AndX request unicode username overflow attempt"
-  tcp-state established,originator
-  payload /.*.*\x00\x00.*.*\x00\x00/
-  payload /\x00/
-  payload /.{3}\xFF[sS][mM][bB][sS].{56}.*\x00.{255}.*\x00\x00.*.*\x00\x00/
-}
-
-signature s2b-2495-5 {
-  ip-proto == tcp
-  dst-port == 139
-  # Not supported: threshold: type both, track by_dst, count 20, seconds 60
-  # Not supported: flowbits: isset,dce.isystemactivator.bind.call.attempt
-  # Not supported: byte_test: 1,&,1,0,relative
-  event "NETBIOS SMB DCEPRC ORPCThis request flood attempt"
-  tcp-state established,originator
-  payload /\x05.{1}\x00.{21}\x05/
-  payload /.*MEOW/
-}
-
-signature s2b-2524-7 {
-  ip-proto == tcp
-  dst-port == 135
-  # Not supported: flowbits: set,netbios.lsass.bind.attempt,noalert
-  event "NETBIOS DCERPC LSASS direct bind attempt"
-  tcp-state established,originator
-  payload /\x00/
-  payload /.{3}\xFF[sS][mM][bB]/
-  payload /.*\x05.{1}\x0B.{29}j\x28\x199\x0C\xB1\xD0\x11\x9B\xA8\x00\xC0O\xD9\.\xF5/
-}
-
-signature s2b-2514-7 {
-  ip-proto == tcp
-  dst-port == 445
-  # Not supported: flowbits: isset,netbios.lsass.bind.attempt
-  event "NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt"
-  tcp-state established,originator
-  payload /.{3}\xFF[sS][mM][bB].{59}.*\x05.{1}\x00.{19}\x09\x00/
-}
-
-signature s2b-2564-4 {
-  ip-proto == udp
-  src-port == 137
-  dst-port == 137
-  # Not supported: byte_test: 1,>,127,2
-  payload-size < 56
-  event "NETBIOS NS lookup short response attempt"
-  payload /.{5}\x00\x01/
-}
-
-signature s2b-1792-8 {
-  ip-proto == tcp
-  src-port == 119
-  # Not supported: pcre: /^200\s[^\n]{64}/smi
-  event "NNTP return code buffer overflow attempt"
-  tcp-state established,originator
-  # Not supported: isdataat: 64,relative
-  payload /((^)|(\n+))200[\x20\x09\x0b][^\n]{64}/
-}
-
-signature s2b-1538-13 {
-  ip-proto == tcp
-  dst-port == 119
-  # Not supported: pcre: /^AUTHINFO\s+USER\s[^\n]{200}/smi
-  event "NNTP AUTHINFO USER overflow attempt"
-  tcp-state established,originator
-  # Not supported: isdataat: 200,relative
-  payload /((^)|(\n+))[aA][uU][tT][hH][iI][nN][fF][oO][\x20\x09\x0b]+[uU][sS][eE][rR][\x20\x09\x0b][^\n]{200}/
-}
-
-signature s2b-2424-3 {
-  ip-proto == tcp
-  dst-port == 119
-  # Not supported: pcre: /^sendsys\x3a[^\n]{21}/smi
-  event "NNTP sendsys overflow attempt"
-  tcp-state established,originator
-  payload /((^)|(\n+))[sS][eE][nN][dD][sS][yY][sS]\x3a[^\n]{21}/
-}
-
-signature s2b-2425-3 {
-  ip-proto == tcp
-  dst-port == 119
-  # Not supported: pcre: /^senduuname\x3a[^\n]{21}/smi
-  event "NNTP senduuname overflow attempt"
-  tcp-state established,originator
-  payload /((^)|(\n+))[sS][eE][nN][dD][uU][uU][nN][aA][mM][eE]\x3a[^\n]{21}/
-}
-
-signature s2b-2426-3 {
-  ip-proto == tcp
-  dst-port == 119
-  # Not supported: pcre: /^version\x3a[^\n]{21}/smi
-  event "NNTP version overflow attempt"
-  tcp-state established,originator
-  payload /((^)|(\n+))[vV][eE][rR][sS][iI][oO][nN]\x3a[^\n]{21}/
-}
-
-signature s2b-2427-3 {
-  ip-proto == tcp
-  dst-port == 119
-  # Not supported: pcre: /^checkgroups\x3a[^\n]{21}/smi
-  event "NNTP checkgroups overflow attempt"
-  tcp-state established,originator
-  payload /((^)|(\n+))[cC][hH][eE][cC][kK][gG][rR][oO][uU][pP][sS]\x3a[^\n]{21}/
-}
-
-signature s2b-2428-3 {
-  ip-proto == tcp
-  dst-port == 119
-  # Not supported: pcre: /^ihave\x3a[^\n]{21}/smi
-  event "NNTP ihave overflow attempt"
-  tcp-state established,originator
-  payload /((^)|(\n+))[iI][hH][aA][vV][eE]\x3a[^\n]{21}/
-}
-
-signature s2b-2429-3 {
-  ip-proto == tcp
-  dst-port == 119
-  # Not supported: pcre: /^sendme\x3a[^\n]{21}/smi
-  event "NNTP sendme overflow attempt"
-  tcp-state established,originator
-  payload /((^)|(\n+))[sS][eE][nN][dD][mM][eE]\x3a[^\n]{21}/
-}
-
-signature s2b-2430-3 {
-  ip-proto == tcp
-  dst-port == 119
-  # Not supported: pcre: /^newgroup\x3a[^\n]{21}/smi
-  event "NNTP newgroup overflow attempt"
-  tcp-state established,originator
-  payload /((^)|(\n+))[nN][eE][wW][gG][rR][oO][uU][pP]\x3a[^\n]{21}/
-}
-
-signature s2b-2431-3 {
-  ip-proto == tcp
-  dst-port == 119
-  # Not supported: pcre: /^rmgroup\x3a[^\n]{21}/smi
-  event "NNTP rmgroup overflow attempt"
-  tcp-state established,originator
-  payload /((^)|(\n+))[rR][mM][gG][rR][oO][uU][pP]\x3a[^\n]{21}/
-}
-
-signature s2b-1673-3 {
-  ip-proto == tcp
-  dst-port == oracle_ports
-  event "ORACLE EXECUTE_SYSTEM attempt"
-  tcp-state established,originator
-  payload /.*[eE][xX][eE][cC][uU][tT][eE]_[sS][yY][sS][tT][eE][mM]/
-}
-
-signature s2b-1674-5 {
-  ip-proto == tcp
-  dst-port == oracle_ports
-  event "ORACLE connect_data remote version detection attempt"
-  tcp-state established,originator
-  payload /.*[cC][oO][nN][nN][eE][cC][tT]_[dD][aA][tT][aA]\x28[cC][oO][mM][mM][aA][nN][dD]=[vV][eE][rR][sS][iI][oO][nN]\x29/
-}
-
-signature s2b-1675-4 {
-  ip-proto == tcp
-  dst-port == oracle_ports
-  event "ORACLE misparsed login response"
-  tcp-state established,responder
-  payload /.*[dD][eE][sS][cC][rR][iI][pP][tT][iI][oO][nN]=\x28/
-  payload /.*<willnevermatch>/
-  payload /.*<willnevermatch>/
-}
-
-signature s2b-1676-3 {
-  ip-proto == tcp
-  dst-port == oracle_ports
-  event "ORACLE select union attempt"
-  tcp-state established,originator
-  payload /.*[sS][eE][lL][eE][cC][tT] /
-  payload /.* [uU][nN][iI][oO][nN] /
-}
-
-signature s2b-1677-3 {
-  ip-proto == tcp
-  dst-port == oracle_ports
-  event "ORACLE select like '%' attempt"
-  tcp-state established,originator
-  payload /.* [wW][hH][eE][rR][eE] /
-  payload /.* [lL][iI][kK][eE] '%'/
-}
-
-signature s2b-1678-5 {
-  ip-proto == tcp
-  dst-port == oracle_ports
-  event "ORACLE select like '%' attempt backslash escaped"
-  tcp-state established,originator
-  payload /.* [wW][hH][eE][rR][eE] /
-  payload /.* [lL][iI][kK][eE] \x22%\x22/
-}
-
-signature s2b-1680-3 {
-  ip-proto == tcp
-  dst-port == oracle_ports
-  event "ORACLE all_constraints access"
-  tcp-state established,originator
-  payload /.*[aA][lL][lL]_[cC][oO][nN][sS][tT][rR][aA][iI][nN][tT][sS]/
-}
-
-signature s2b-1681-3 {
-  ip-proto == tcp
-  dst-port == oracle_ports
-  event "ORACLE all_views access"
-  tcp-state established,originator
-  payload /.*[aA][lL][lL]_[vV][iI][eE][wW][sS]/
-}
-
-signature s2b-1682-3 {
-  ip-proto == tcp
-  dst-port == oracle_ports
-  event "ORACLE all_source access"
-  tcp-state established,originator
-  payload /.*[aA][lL][lL]_[sS][oO][uU][rR][cC][eE]/
-}
-
-signature s2b-1683-3 {
-  ip-proto == tcp
-  dst-port == oracle_ports
-  event "ORACLE all_tables access"
-  tcp-state established,originator
-  payload /.*[aA][lL][lL]_[tT][aA][bB][lL][eE][sS]/
-}
-
-signature s2b-1684-3 {
-  ip-proto == tcp
-  dst-port == oracle_ports
-  event "ORACLE all_tab_columns access"
-  tcp-state established,originator
-  payload /.*[aA][lL][lL]_[tT][aA][bB]_[cC][oO][lL][uU][mM][nN][sS]/
-}
-
-signature s2b-1685-4 {
-  ip-proto == tcp
-  dst-port == oracle_ports
-  event "ORACLE all_tab_privs access"
-  tcp-state established,originator
-  payload /.*[aA][lL][lL]_[tT][aA][bB]_[pP][rR][iI][vV][sS]/
-}
-
-signature s2b-1686-3 {
-  ip-proto == tcp
-  dst-port == oracle_ports
-  event "ORACLE dba_tablespace access"
-  tcp-state established,originator
-  payload /.*[dD][bB][aA]_[tT][aA][bB][lL][eE][sS][pP][aA][cC][eE]/
-}
-
-signature s2b-1687-3 {
-  ip-proto == tcp
-  dst-port == oracle_ports
-  event "ORACLE dba_tables access"
-  tcp-state established,originator
-  payload /.*[dD][bB][aA]_[tT][aA][bB][lL][eE][sS]/
-}
-
-signature s2b-1688-3 {
-  ip-proto == tcp
-  dst-port == oracle_ports
-  event "ORACLE user_tablespace access"
-  tcp-state established,originator
-  payload /.*[uU][sS][eE][rR]_[tT][aA][bB][lL][eE][sS][pP][aA][cC][eE]/
-}
-
-signature s2b-1689-3 {
-  ip-proto == tcp
-  dst-port == oracle_ports
-  event "ORACLE sys.all_users access"
-  tcp-state established,originator
-  payload /.*[sS][yY][sS]\.[aA][lL][lL]_[uU][sS][eE][rR][sS]/
-}
-
-signature s2b-1690-3 {
-  ip-proto == tcp
-  dst-port == oracle_ports
-  event "ORACLE grant attempt"
-  tcp-state established,originator
-  payload /.*[gG][rR][aA][nN][tT] /
-  payload /.* [tT][oO] /
-}
-
-signature s2b-1691-3 {
-  ip-proto == tcp
-  dst-port == oracle_ports
-  event "ORACLE ALTER USER attempt"
-  tcp-state established,originator
-  payload /.*[aA][lL][tT][eE][rR] [uU][sS][eE][rR]/
-  payload /.* [iI][dD][eE][nN][tT][iI][fF][iI][eE][dD] [bB][yY] /
-}
-
-signature s2b-1692-3 {
-  ip-proto == tcp
-  dst-port == oracle_ports
-  event "ORACLE drop table attempt"
-  tcp-state established,originator
-  payload /.*[dD][rR][oO][pP] [tT][aA][bB][lL][eE]/
-}
-
-signature s2b-1693-4 {
-  ip-proto == tcp
-  dst-port == oracle_ports
-  event "ORACLE create table attempt"
-  tcp-state established,originator
-  payload /.*[cC][rR][eE][aA][tT][eE] [tT][aA][bB][lL][eE]/
-}
-
-signature s2b-1694-3 {
-  ip-proto == tcp
-  dst-port == oracle_ports
-  event "ORACLE alter table attempt"
-  tcp-state established,originator
-  payload /.*[aA][lL][tT][eE][rR] [tT][aA][bB][lL][eE]/
-}
-
-signature s2b-1695-3 {
-  ip-proto == tcp
-  dst-port == oracle_ports
-  event "ORACLE truncate table attempt"
-  tcp-state established,originator
-  payload /.*[tT][rR][uU][nN][cC][aA][tT][eE] [tT][aA][bB][lL][eE]/
-}
-
-signature s2b-1696-3 {
-  ip-proto == tcp
-  dst-port == oracle_ports
-  event "ORACLE create database attempt"
-  tcp-state established,originator
-  payload /.*[cC][rR][eE][aA][tT][eE] [dD][aA][tT][aA][bB][aA][sS][eE]/
-}
-
-signature s2b-1697-3 {
-  ip-proto == tcp
-  dst-port == oracle_ports
-  event "ORACLE alter database attempt"
-  tcp-state established,originator
-  payload /.*[aA][lL][tT][eE][rR] [dD][aA][tT][aA][bB][aA][sS][eE]/
-}
-
-signature s2b-2576-2 {
-  ip-proto == tcp
-  dst-port == oracle_ports
-  # Not supported: pcre: /(package|procedure)_prefix[\s\r\n]*=>[\s\r\n]*('[^']{1000,}|"[^"]{1000,})/Rsmi
-  event "ORACLE generate_replication_support prefix overflow attempt"
-  tcp-state established,originator
-  payload /.*[gG][eE][nN][eE][rR][aA][tT][eE]_[rR][eE][pP][lL][iI][cC][aA][tT][iI][oO][nN]_[sS][uU][pP][pP][oO][rR][tT]/
-  payload /([pP][aA][cC][kK][aA][gG][eE]|[pP][rR][oO][cC][eE][dD][uU][rR][eE])_[pP][rR][eE][fF][iI][xX][\x20\x09\x0b\r\n]*=>[\x20\x09\x0b\r\n]*('[^']{1000,}|"[^"]{1000,})/
-}
-
-signature s2b-1760-3 {
-  ip-proto == tcp
-  src-port == 902
-  event "OTHER-IDS ISS RealSecure 6 event collector connection attempt"
-  tcp-state established,responder
-  payload /.{29}6[iI][sS][sS] [eE][cC][nN][rR][aA] [bB][uU][iI][lL][tT]-[iI][nN] [pP][rR][oO][vV][iI][dD][eE][rR], [sS][tT][rR][oO][nN][gG] [eE][nN][cC][rR][yY][pP][tT][iI][oO][nN]/
-}
-
-signature s2b-1761-3 {
-  ip-proto == tcp
-  src-port == 2998
-  event "OTHER-IDS ISS RealSecure 6 daemon connection attempt"
-  tcp-state established,responder
-  payload /.{29}6[iI][sS][sS] [eE][cC][nN][rR][aA] [bB][uU][iI][lL][tT]-[iI][nN] [pP][rR][oO][vV][iI][dD][eE][rR], [sS][tT][rR][oO][nN][gG] [eE][nN][cC][rR][yY][pP][tT][iI][oO][nN]/
-}
-
-signature s2b-1629-6 {
-  ip-proto == tcp
-  event "OTHER-IDS SecureNetPro traffic"
-  tcp-state established
-  payload /\x00g\x00\x01\x00\x03/
-}
-
-signature s2b-1934-6 {
-  ip-proto == tcp
-  dst-port == 109
-  # Not supported: pcre: /^FOLD\s[^\n]{256}/smi
-  event "POP2 FOLD overflow attempt"
-  tcp-state established,originator
-  # Not supported: isdataat: 256,relative
-  requires-reverse-signature ! pop_return_error
-  payload /((^)|(\n+))[fF][oO][lL][dD][\x20\x09\x0b][^\n]{256}/
-}
-
-signature s2b-1935-4 {
-  ip-proto == tcp
-  dst-port == 109
-  # Not supported: pcre: /^FOLD\s+\//smi
-  event "POP2 FOLD arbitrary file attempt"
-  tcp-state established,originator
-  requires-reverse-signature ! pop_return_error
-  payload /((^)|(\n+))[fF][oO][lL][dD][\x20\x09\x0b]+\//
-}
-
-signature s2b-284-6 {
-  ip-proto == tcp
-  dst-port == 109
-  event "POP2 x86 Linux overflow"
-  tcp-state established,originator
-  payload /.*\xEB,\[\x89\xD9\x80\xC1\x069\xD9\x7C\x07\x80\x01/
-  requires-reverse-signature ! pop_return_error
-}
-
-signature s2b-285-6 {
-  ip-proto == tcp
-  dst-port == 109
-  event "POP2 x86 Linux overflow"
-  tcp-state established,originator
-  payload /.*\xFF\xFF\xFF\/BIN\/SH\x00/
-  requires-reverse-signature ! pop_return_error
-}
-
-signature s2b-2121-8 {
-  ip-proto == tcp
-  dst-port == 110
-  # Not supported: pcre: /^DELE\s+-\d/smi
-  event "POP3 DELE negative arguement attempt"
-  tcp-state established,originator
-  requires-reverse-signature ! pop_return_error
-  payload /((^)|(\n+))[dD][eE][lL][eE]+-[0-9]/
-}
-
-signature s2b-2122-7 {
-  ip-proto == tcp
-  dst-port == 110
-  # Not supported: pcre: /^UIDL\s+-\d/smi
-  event "POP3 UIDL negative arguement attempt"
-  tcp-state established,originator
-  requires-reverse-signature ! pop_return_error
-  payload /((^)|(\n+))[uU][iI][dD][lL][\x20\x09\x0b]+-[0-9]/
-}
-
-signature s2b-1866-10 {
-  ip-proto == tcp
-  dst-port == 110
-  # Not supported: pcre: /^USER\s[^\n]{50,}/smi
-  event "POP3 USER overflow attempt"
-  tcp-state established,originator
-  # Not supported: isdataat: 50,relative
-  requires-reverse-signature ! pop_return_error
-  payload /((^)|(\n+))[uU][sS][eE][rR][\x20\x09\x0b][^\n]{50,}/
-}
-
-signature s2b-2108-3 {
-  ip-proto == tcp
-  dst-port == 110
-  # Not supported: pcre: /^CAPA\s[^\n]{10}/smi
-  event "POP3 CAPA overflow attempt"
-  tcp-state established,originator
-  # Not supported: isdataat: 10,relative
-  requires-reverse-signature ! pop_return_error
-  payload /((^)|(\n+))[cC][aA][pP][aA][\x20\x09\x0b][^\n]{10}/
-}
-
-signature s2b-2109-3 {
-  ip-proto == tcp
-  dst-port == 110
-  # Not supported: pcre: /^TOP\s[^\n]{10}/smi
-  event "POP3 TOP overflow attempt"
-  tcp-state established,originator
-  # Not supported: isdataat: 10,relative
-  requires-reverse-signature ! pop_return_error
-  payload /((^)|(\n+))[tT][oO][pP][\x20\x09\x0b][^\n]{10}/
-}
-
-signature s2b-2110-3 {
-  ip-proto == tcp
-  dst-port == 110
-  # Not supported: pcre: /^STAT\s[^\n]{10}/smi
-  event "POP3 STAT overflow attempt"
-  tcp-state established,originator
-  # Not supported: isdataat: 10,relative
-  requires-reverse-signature ! pop_return_error
-  payload /((^)|(\n+))[sS][tT][aA][tT][\x20\x09\x0b][^\n]{10}/
-}
-
-signature s2b-2111-3 {
-  ip-proto == tcp
-  dst-port == 110
-  # Not supported: pcre: /^DELE\s[^\n]{10}/smi
-  event "POP3 DELE overflow attempt"
-  tcp-state established,originator
-  # Not supported: isdataat: 10,relative
-  requires-reverse-signature ! pop_return_error
-  payload /((^)|(\n+))[dD][eE][lL][eE][\x20\x09\x0b][^\n]{10}/
-}
-
-signature s2b-2112-3 {
-  ip-proto == tcp
-  dst-port == 110
-  # Not supported: pcre: /^RSET\s[^\n]{10}/smi
-  event "POP3 RSET overflow attempt"
-  tcp-state established,originator
-  # Not supported: isdataat: 10,relative
-  requires-reverse-signature ! pop_return_error
-  payload /((^)|(\n+))[rR][sS][eE][tT][\x20\x09\x0b][^\n]{10}/
-}
-
-signature s2b-1936-4 {
-  ip-proto == tcp
-  dst-port == 110
-  # Not supported: pcre: /^AUTH\s[^\n]{50}/smi
-  event "POP3 AUTH overflow attempt"
-  tcp-state established,originator
-  # Not supported: isdataat: 50,relative
-  requires-reverse-signature ! pop_return_error
-  payload /((^)|(\n+))[aA][uU][tT][hH][\x20\x09\x0b][^\n]{50}/
-}
-
-signature s2b-1937-5 {
-  ip-proto == tcp
-  dst-port == 110
-  # Not supported: pcre: /^LIST\s[^\n]{10}/smi
-  event "POP3 LIST overflow attempt"
-  tcp-state established,originator
-  # Not supported: isdataat: 10,relative
-  requires-reverse-signature ! pop_return_error
-  payload /((^)|(\n+))[lL][iI][sS][tT][\x20\x09\x0b][^\n]{10}/
-}
-
-signature s2b-1938-4 {
-  ip-proto == tcp
-  dst-port == 110
-  # Not supported: pcre: /^XTND\s[^\n]{50}/smi
-  event "POP3 XTND overflow attempt"
-  tcp-state established,originator
-  # Not supported: isdataat: 50,relative
-  payload /.*[xX][tT][nN][dD]/
-  requires-reverse-signature ! pop_return_error
-  payload /((^)|(\n+))[xX][tT][nN][dD][\x20\x09\x0b][^\n]{50}/
-}
-
-signature s2b-1634-11 {
-  ip-proto == tcp
-  dst-port == 110
-  # Not supported: pcre: /^PASS\s[^\n]{50}/smi
-  event "POP3 PASS overflow attempt"
-  tcp-state established,originator
-  # Not supported: isdataat: 50,relative
-  requires-reverse-signature ! pop_return_error
-  payload /((^)|(\n+))[pP][aA][sS][sS][\x20\x09\x0b][^\n]{50}/
-}
-
-signature s2b-1635-13 {
-  ip-proto == tcp
-  dst-port == 110
-  # Not supported: pcre: /^APOP\s[^\n]{256}/smi
-  event "POP3 APOP overflow attempt"
-  tcp-state established,originator
-  # Not supported: isdataat: 256,relative
-  requires-reverse-signature ! pop_return_error
-  payload /((^)|(\n+))[aA][pP][oO][pP][\x20\x09\x0b][^\n]{256}/
-}
-
-signature s2b-286-9 {
-  ip-proto == tcp
-  dst-port == 110
-  event "POP3 EXPLOIT x86 BSD overflow"
-  tcp-state established,originator
-  payload /.*\^\x0E1\xC0\xB0\x3B\x8D~\x0E\x89\xFA\x89\xF9/
-  requires-reverse-signature ! pop_return_error
-}
-
-signature s2b-287-6 {
-  ip-proto == tcp
-  dst-port == 110
-  event "POP3 EXPLOIT x86 BSD overflow"
-  tcp-state established,originator
-  payload /.*h\]\^\xFF\xD5\xFF\xD4\xFF\xF5\x8B\xF5\x90f1/
-  requires-reverse-signature ! pop_return_error
-}
-
-signature s2b-288-6 {
-  ip-proto == tcp
-  dst-port == 110
-  event "POP3 EXPLOIT x86 Linux overflow"
-  tcp-state established,originator
-  payload /.*\xD8@\xCD\x80\xE8\xD9\xFF\xFF\xFF\/bin\/sh/
-  requires-reverse-signature ! pop_return_error
-}
-
-signature s2b-289-6 {
-  ip-proto == tcp
-  dst-port == 110
-  event "POP3 EXPLOIT x86 SCO overflow"
-  tcp-state established,originator
-  payload /.*V\x0E1\xC0\xB0\x3B\x8D~\x12\x89\xF9\x89\xF9/
-  requires-reverse-signature ! pop_return_error
-}
-
-signature s2b-290-7 {
-  ip-proto == tcp
-  dst-port == 110
-  event "POP3 EXPLOIT qpopper overflow"
-  tcp-state established,originator
-  payload /.*\xE8\xD9\xFF\xFF\xFF\/bin\/sh/
-  requires-reverse-signature ! pop_return_error
-}
-
-signature s2b-2250-1 {
-  ip-proto == tcp
-  dst-port == 110
-  event "POP3 USER format string attempt"
-  tcp-state established,originator
-  payload /.*[uU][sS][eE][rR].{1}.*%.{1}.*%/
-  requires-reverse-signature ! pop_return_error
-}
-
-signature s2b-2409-1 {
-  ip-proto == tcp
-  dst-port == 110
-  # Not supported: pcre: /^APOP\s+USER\s[^\n]{256}/smi
-  event "POP3 APOP USER overflow attempt"
-  tcp-state established,originator
-  # Not supported: isdataat: 256,relative
-  requires-reverse-signature ! pop_return_error
-  payload /((^)|(\n+))[aA][pP][oO][pP][\x20\x09\x0b]+[uU][sS][eE][rR][\x20\x09\x0b][^\n]{2,56}/
-}
-
-signature s2b-2502-7 {
-  ip-proto == tcp
-  dst-port == 995
-  event "POP3 SSLv3 invalid data version attempt"
-  tcp-state established,originator
-  payload /\x16\x03/
-  payload /.{4}\x01/
-  payload /.{8}[^\x03]*/
-  requires-reverse-signature ! pop_return_error
-}
-
-signature s2b-2518-10 {
-  ip-proto == tcp
-  dst-port == 995
-  # Not supported: byte_test: 2,>,0,6,2,!,0,8,2,!,16,8,2,>,20,10,2,>,32768,0,relative
-  event "PO3 PCT Client_Hello overflow attempt"
-  tcp-state established,originator
-  payload /.{1}\x01/
-  payload /.{10}\x8F/
-  requires-reverse-signature ! pop_return_error
-}
-
-signature s2b-2536-3 {
-  ip-proto == tcp
-  src-port == 995
-  # Not supported: flowbits: isset,sslv3.client_hello.request,set,sslv3.server_hello.request,noalert
-  event "POP3 SSLv3 Server_Hello request"
-  tcp-state established,responder
-  payload /\x16\x03/
-  payload /.{4}\x02/
-  requires-reverse-signature ! pop_return_error
-}
-
-signature s2b-2537-3 {
-  ip-proto == tcp
-  dst-port == 993
-  # Not supported: flowbits: isset,sslv3.server_hello.request
-  event "POP3 SSLv3 invalid Client_Hello attempt"
-  tcp-state established,originator
-  payload /\x16\x03/
-  payload /.{4}\x01/
-  requires-reverse-signature ! pop_return_error
-}
-
-signature s2b-2093-5 {
-  ip-proto == tcp
-  dst-port == 111
-  # Not supported: byte_test: 4,>,2048,12,relative
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap proxy integer overflow attempt TCP"
-  tcp-state established,originator
-  payload /.{15}\x00\x01\x86\xA0\x00.{3}\x00\x00\x00\x05/
-  payload /.{7}\x00\x00\x00\x00/
-}
-
-signature s2b-1922-6 {
-  ip-proto == tcp
-  dst-port == 111
-  event "RPC portmap proxy attempt TCP"
-  tcp-state established,originator
-  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x05/
-  payload /.{7}\x00\x00\x00\x00/
-}
-
-signature s2b-1923-6 {
-  ip-proto == udp
-  dst-port == 111
-  event "RPC portmap proxy attempt UDP"
-  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x05/
-  payload /.{3}\x00\x00\x00\x00/
-}
-
-signature s2b-1280-9 {
-  ip-proto == udp
-  dst-port == 111
-  event "RPC portmap listing UDP 111"
-  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x04/
-  payload /.{3}\x00\x00\x00\x00/
-}
-
-signature s2b-598-12 {
-  ip-proto == tcp
-  dst-port == 111
-  event "RPC portmap listing TCP 111"
-  tcp-state established,originator
-  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x04/
-  payload /.{7}\x00\x00\x00\x00/
-}
-
-signature s2b-1949-5 {
-  ip-proto == tcp
-  dst-port == 111
-  event "RPC portmap SET attempt TCP 111"
-  tcp-state established,originator
-  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x01/
-  payload /.{7}\x00\x00\x00\x00/
-}
-
-signature s2b-1950-5 {
-  ip-proto == udp
-  dst-port == 111
-  event "RPC portmap SET attempt UDP 111"
-  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x01/
-  payload /.{3}\x00\x00\x00\x00/
-}
-
-signature s2b-2014-5 {
-  ip-proto == tcp
-  dst-port == 111
-  event "RPC portmap UNSET attempt TCP 111"
-  tcp-state established,originator
-  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x02/
-  payload /.{7}\x00\x00\x00\x00/
-}
-
-signature s2b-2015-5 {
-  ip-proto == udp
-  dst-port == 111
-  event "RPC portmap UNSET attempt UDP 111"
-  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x02/
-  payload /.{3}\x00\x00\x00\x00/
-}
-
-signature s2b-599-11 {
-  ip-proto == tcp
-  dst-port == 32771
-  event "RPC portmap listing TCP 32771"
-  tcp-state established,originator
-  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x04/
-  payload /.{7}\x00\x00\x00\x00/
-}
-
-signature s2b-1281-7 {
-  ip-proto == udp
-  dst-port == 32771
-  event "RPC portmap listing UDP 32771"
-  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x04/
-  payload /.{3}\x00\x00\x00\x00/
-}
-
-signature s2b-1746-11 {
-  ip-proto == udp
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap cachefsd request UDP"
-  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x87\x8B/
-  payload /.{3}\x00\x00\x00\x00/
-}
-
-signature s2b-1747-11 {
-  ip-proto == tcp
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap cachefsd request TCP"
-  tcp-state established,originator
-  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x87\x8B/
-  payload /.{7}\x00\x00\x00\x00/
-}
-
-signature s2b-1732-9 {
-  ip-proto == udp
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap rwalld request UDP"
-  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA8/
-  payload /.{3}\x00\x00\x00\x00/
-}
-
-signature s2b-1733-9 {
-  ip-proto == tcp
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap rwalld request TCP"
-  tcp-state established,originator
-  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA8/
-  payload /.{7}\x00\x00\x00\x00/
-}
-
-signature s2b-575-8 {
-  ip-proto == udp
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap admind request UDP"
-  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xF7/
-  payload /.{3}\x00\x00\x00\x00/
-}
-
-signature s2b-576-8 {
-  ip-proto == udp
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap amountd request UDP"
-  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x87\x03/
-  payload /.{3}\x00\x00\x00\x00/
-}
-
-signature s2b-1263-11 {
-  ip-proto == tcp
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap amountd request TCP"
-  tcp-state established,originator
-  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x87\x03/
-  payload /.{7}\x00\x00\x00\x00/
-}
-
-signature s2b-1264-13 {
-  ip-proto == tcp
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap bootparam request TCP"
-  tcp-state established,originator
-  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xBA/
-  payload /.{7}\x00\x00\x00\x00/
-}
-
-signature s2b-580-9 {
-  ip-proto == udp
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap nisd request UDP"
-  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x87\xCC/
-  payload /.{3}\x00\x00\x00\x00/
-}
-
-signature s2b-1267-11 {
-  ip-proto == tcp
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap nisd request TCP"
-  tcp-state established,originator
-  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x87\xCC/
-  payload /.{7}\x00\x00\x00\x00/
-}
-
-signature s2b-581-9 {
-  ip-proto == udp
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap pcnfsd request UDP"
-  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x02I\xF1/
-  payload /.{3}\x00\x00\x00\x00/
-}
-
-signature s2b-1268-12 {
-  ip-proto == tcp
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap pcnfsd request TCP"
-  tcp-state established,originator
-  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x02I\xF1/
-  payload /.{7}\x00\x00\x00\x00/
-}
-
-signature s2b-582-8 {
-  ip-proto == udp
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap rexd request UDP"
-  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xB1/
-  payload /.{3}\x00\x00\x00\x00/
-}
-
-signature s2b-1269-10 {
-  ip-proto == tcp
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap rexd request TCP"
-  tcp-state established,originator
-  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xB1/
-  payload /.{7}\x00\x00\x00\x00/
-}
-
-signature s2b-584-11 {
-  ip-proto == udp
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap rusers request UDP"
-  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA2/
-  payload /.{3}\x00\x00\x00\x00/
-}
-
-signature s2b-1271-14 {
-  ip-proto == tcp
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap rusers request TCP"
-  tcp-state established,originator
-  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA2/
-  payload /.{7}\x00\x00\x00\x00/
-}
-
-signature s2b-612-6 {
-  ip-proto == udp
-  event "RPC rusers query UDP"
-  payload /.{11}\x00\x01\x86\xA2.{4}\x00\x00\x00\x02/
-  payload /.{3}\x00\x00\x00\x00/
-}
-
-signature s2b-586-8 {
-  ip-proto == udp
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap selection_svc request UDP"
-  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xAF/
-  payload /.{3}\x00\x00\x00\x00/
-}
-
-signature s2b-1273-10 {
-  ip-proto == tcp
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap selection_svc request TCP"
-  tcp-state established,originator
-  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xAF/
-  payload /.{7}\x00\x00\x00\x00/
-}
-
-signature s2b-587-8 {
-  ip-proto == udp
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap status request UDP"
-  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xB8/
-  payload /.{3}\x00\x00\x00\x00/
-}
-
-signature s2b-2016-6 {
-  ip-proto == tcp
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap status request TCP"
-  tcp-state established,originator
-  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xB8/
-  payload /.{7}\x00\x00\x00\x00/
-}
-
-signature s2b-593-18 {
-  ip-proto == tcp
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap snmpXdmi request TCP"
-  tcp-state established,originator
-  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x87\x99/
-  payload /.{7}\x00\x00\x00\x00/
-}
-
-signature s2b-1279-14 {
-  ip-proto == udp
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap snmpXdmi request UDP"
-  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x87\x99/
-  payload /.{3}\x00\x00\x00\x00/
-}
-
-signature s2b-569-14 {
-  ip-proto == tcp
-  # Not supported: byte_test: 4,>,1024,20,relative
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC snmpXdmi overflow attempt TCP"
-  tcp-state established,originator
-  payload /.{15}\x00\x01\x87\x99.{4}\x00\x00\x01\x01/
-  payload /.{7}\x00\x00\x00\x00/
-}
-
-signature s2b-2045-8 {
-  ip-proto == udp
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC snmpXdmi overflow attempt UDP"
-  # Not supported: byte_test: 4,>,1024,20,relative
-  payload /.{11}\x00\x01\x87\x99.{4}\x00\x00\x01\x01/
-  payload /.{3}\x00\x00\x00\x00/
-}
-
-signature s2b-2017-12 {
-  ip-proto == udp
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap espd request UDP"
-  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x05\xF7u/
-  payload /.{3}\x00\x00\x00\x00/
-}
-
-signature s2b-595-16 {
-  ip-proto == tcp
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap espd request TCP"
-  tcp-state established,originator
-  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x05\xF7u/
-  payload /.{7}\x00\x00\x00\x00/
-}
-
-signature s2b-1890-8 {
-  ip-proto == udp
-  dst-port >= 1024
-  dst-port <= 65535
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC status GHBN format string attack"
-  payload /.{11}\x00\x01\x86\xB8.{4}\x00\x00\x00\x02.{0,251}%x %x/
-  payload /.{3}\x00\x00\x00\x00/
-}
-
-signature s2b-1891-8 {
-  ip-proto == tcp
-  dst-port >= 1024
-  dst-port <= 65535
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC status GHBN format string attack"
-  tcp-state established,originator
-  payload /.{15}\x00\x01\x86\xB8.{4}\x00\x00\x00\x02.{0,251}%x %x/
-  payload /.{7}\x00\x00\x00\x00/
-}
-
-signature s2b-579-8 {
-  ip-proto == udp
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap mountd request UDP"
-  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA5/
-  payload /.{3}\x00\x00\x00\x00/
-}
-
-signature s2b-1266-10 {
-  ip-proto == tcp
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap mountd request TCP"
-  tcp-state established,originator
-  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA5/
-  payload /.{7}\x00\x00\x00\x00/
-}
-
-signature s2b-574-8 {
-  ip-proto == tcp
-  event "RPC mountd TCP export request"
-  tcp-state established,originator
-  payload /.{15}\x00\x01\x86\xA5.{4}\x00\x00\x00\x05/
-  payload /.{7}\x00\x00\x00\x00/
-}
-
-signature s2b-1924-6 {
-  ip-proto == udp
-  event "RPC mountd UDP export request"
-  payload /.{11}\x00\x01\x86\xA5.{4}\x00\x00\x00\x05/
-  payload /.{3}\x00\x00\x00\x00/
-}
-
-signature s2b-1926-6 {
-  ip-proto == udp
-  event "RPC mountd UDP exportall request"
-  payload /.{11}\x00\x01\x86\xA5.{4}\x00\x00\x00\x06/
-  payload /.{3}\x00\x00\x00\x00/
-}
-
-signature s2b-2184-7 {
-  ip-proto == tcp
-  # Not supported: byte_test: 4,>,1023,0,relative
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC mountd TCP mount path overflow attempt"
-  tcp-state established,originator
-  payload /.{15}\x00\x01\x86\xA5\x00.{3}\x00\x00\x00\x01/
-  payload /.{7}\x00\x00\x00\x00/
-}
-
-signature s2b-2185-7 {
-  ip-proto == udp
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC mountd UDP mount path overflow attempt"
-  # Not supported: byte_test: 4,>,1023,0,relative
-  payload /.{11}\x00\x01\x86\xA5\x00.{3}\x00\x00\x00\x01/
-  payload /.{3}\x00\x00\x00\x00/
-}
-
-signature s2b-1951-5 {
-  ip-proto == tcp
-  event "RPC mountd TCP mount request"
-  tcp-state established,originator
-  payload /.{15}\x00\x01\x86\xA5.{4}\x00\x00\x00\x01/
-  payload /.{7}\x00\x00\x00\x00/
-}
-
-signature s2b-1952-5 {
-  ip-proto == udp
-  event "RPC mountd UDP mount request"
-  payload /.{11}\x00\x01\x86\xA5.{4}\x00\x00\x00\x01/
-  payload /.{3}\x00\x00\x00\x00/
-}
-
-signature s2b-2018-4 {
-  ip-proto == tcp
-  event "RPC mountd TCP dump request"
-  tcp-state established,originator
-  payload /.{15}\x00\x01\x86\xA5.{4}\x00\x00\x00\x02/
-  payload /.{7}\x00\x00\x00\x00/
-}
-
-signature s2b-2019-4 {
-  ip-proto == udp
-  event "RPC mountd UDP dump request"
-  payload /.{11}\x00\x01\x86\xA5.{4}\x00\x00\x00\x02/
-  payload /.{3}\x00\x00\x00\x00/
-}
-
-signature s2b-2020-4 {
-  ip-proto == tcp
-  event "RPC mountd TCP unmount request"
-  tcp-state established,originator
-  payload /.{15}\x00\x01\x86\xA5.{4}\x00\x00\x00\x03/
-  payload /.{7}\x00\x00\x00\x00/
-}
-
-signature s2b-2021-4 {
-  ip-proto == udp
-  event "RPC mountd UDP unmount request"
-  payload /.{11}\x00\x01\x86\xA5.{4}\x00\x00\x00\x03/
-  payload /.{3}\x00\x00\x00\x00/
-}
-
-signature s2b-2022-4 {
-  ip-proto == tcp
-  event "RPC mountd TCP unmountall request"
-  tcp-state established,originator
-  payload /.{15}\x00\x01\x86\xA5.{4}\x00\x00\x00\x04/
-  payload /.{7}\x00\x00\x00\x00/
-}
-
-signature s2b-2023-4 {
-  ip-proto == udp
-  event "RPC mountd UDP unmountall request"
-  payload /.{11}\x00\x01\x86\xA5.{4}\x00\x00\x00\x04/
-  payload /.{3}\x00\x00\x00\x00/
-}
-
-signature s2b-1905-8 {
-  ip-proto == udp
-  dst-port >= 500
-  dst-port <= 65535
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC AMD UDP amqproc_mount plog overflow attempt"
-  # Not supported: byte_test: 4,>,512,0,relative
-  payload /.{11}\x00\x04\x93\xF3.{4}\x00\x00\x00\x07/
-  payload /.{3}\x00\x00\x00\x00/
-}
-
-signature s2b-1906-8 {
-  ip-proto == tcp
-  dst-port >= 500
-  dst-port <= 65535
-  # Not supported: byte_test: 4,>,512,0,relative
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC AMD TCP amqproc_mount plog overflow attempt"
-  tcp-state established,originator
-  payload /.{15}\x00\x04\x93\xF3.{4}\x00\x00\x00\x07/
-  payload /.{7}\x00\x00\x00\x00/
-}
-
-signature s2b-1953-5 {
-  ip-proto == tcp
-  dst-port >= 500
-  dst-port <= 65535
-  event "RPC AMD TCP pid request"
-  tcp-state established,originator
-  payload /.{15}\x00\x04\x93\xF3.{4}\x00\x00\x00\x09/
-  payload /.{7}\x00\x00\x00\x00/
-}
-
-signature s2b-1954-5 {
-  ip-proto == udp
-  dst-port >= 500
-  dst-port <= 65535
-  event "RPC AMD UDP pid request"
-  payload /.{11}\x00\x04\x93\xF3.{4}\x00\x00\x00\x09/
-  payload /.{3}\x00\x00\x00\x00/
-}
-
-signature s2b-1955-6 {
-  ip-proto == tcp
-  dst-port >= 500
-  dst-port <= 65535
-  event "RPC AMD TCP version request"
-  tcp-state established,originator
-  payload /.{15}\x00\x04\x93\xF3.{4}\x00\x00\x00\x08/
-  payload /.{7}\x00\x00\x00\x00/
-}
-
-signature s2b-578-8 {
-  ip-proto == udp
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap cmsd request UDP"
-  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xE4/
-  payload /.{3}\x00\x00\x00\x00/
-}
-
-signature s2b-1265-9 {
-  ip-proto == tcp
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap cmsd request TCP"
-  tcp-state established,originator
-  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xE4/
-  payload /.{7}\x00\x00\x00\x00/
-}
-
-signature s2b-1907-10 {
-  ip-proto == udp
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC CMSD UDP CMSD_CREATE buffer overflow attempt"
-  # Not supported: byte_test: 4,>,1024,0,relative
-  payload /.{11}\x00\x01\x86\xE4.{4}\x00\x00\x00\x15/
-  payload /.{3}\x00\x00\x00\x00/
-}
-
-signature s2b-1908-9 {
-  ip-proto == tcp
-  # Not supported: byte_test: 4,>,1024,0,relative
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC CMSD TCP CMSD_CREATE buffer overflow attempt"
-  tcp-state established,originator
-  payload /.{15}\x00\x01\x86\xE4.{4}\x00\x00\x00\x15/
-  payload /.{7}\x00\x00\x00\x00/
-}
-
-signature s2b-2094-6 {
-  ip-proto == udp
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC CMSD UDP CMSD_CREATE array buffer overflow attempt"
-  # Not supported: byte_test: 4,>,1024,20,relative
-  payload /.{11}\x00\x01\x86\xE4.{4}\x00\x00\x00\x15/
-  payload /.{3}\x00\x00\x00\x00/
-}
-
-signature s2b-2095-6 {
-  ip-proto == tcp
-  # Not supported: byte_test: 4,>,1024,20,relative
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC CMSD TCP CMSD_CREATE array buffer overflow attempt"
-  tcp-state established,originator
-  payload /.{15}\x00\x01\x86\xE4.{4}\x00\x00\x00\x15/
-  payload /.{7}\x00\x00\x00\x00/
-}
-
-signature s2b-1909-10 {
-  ip-proto == tcp
-  # Not supported: byte_test: 4,>,1000,28,relative
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align,4,0,relative,align
-  event "RPC CMSD TCP CMSD_INSERT buffer overflow attempt"
-  tcp-state established,originator
-  payload /.{15}\x00\x01\x86\xE4.{4}\x00\x00\x00\x06/
-  payload /.{7}\x00\x00\x00\x00/
-}
-
-signature s2b-1910-10 {
-  ip-proto == udp
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align,4,0,relative,align
-  event "RPC CMSD udp CMSD_INSERT buffer overflow attempt"
-  # Not supported: byte_test: 4,>,1000,28,relative
-  payload /.{11}\x00\x01\x86\xE4.{4}\x00\x00\x00\x06/
-  payload /.{3}\x00\x00\x00\x00/
-}
-
-signature s2b-1272-10 {
-  ip-proto == tcp
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap sadmind request TCP"
-  tcp-state established,originator
-  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x87\x88/
-  payload /.{7}\x00\x00\x00\x00/
-}
-
-signature s2b-585-7 {
-  ip-proto == udp
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap sadmind request UDP"
-  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x87\x88/
-  payload /.{3}\x00\x00\x00\x00/
-}
-
-signature s2b-1911-10 {
-  ip-proto == udp
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align,4,124,relative,align,4,20,relative,align
-  event "RPC sadmind UDP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt"
-  # Not supported: byte_test: 4,>,512,4,relative
-  payload /.{11}\x00\x01\x87\x88.{4}\x00\x00\x00\x01/
-  payload /.{3}\x00\x00\x00\x00/
-}
-
-signature s2b-1912-9 {
-  ip-proto == tcp
-  # Not supported: byte_test: 4,>,512,4,relative
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align,4,124,relative,align,4,20,relative,align
-  event "RPC sadmind TCP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt"
-  tcp-state established,originator
-  payload /.{15}\x00\x01\x87\x88.{4}\x00\x00\x00\x01/
-  payload /.{7}\x00\x00\x00\x00/
-}
-
-signature s2b-1957-5 {
-  ip-proto == udp
-  event "RPC sadmind UDP PING"
-  payload /.{11}\x00\x01\x87\x88.{4}\x00\x00\x00\x00/
-  payload /.{3}\x00\x00\x00\x00/
-}
-
-signature s2b-1958-5 {
-  ip-proto == tcp
-  event "RPC sadmind TCP PING"
-  tcp-state established,originator
-  payload /.{15}\x00\x01\x87\x88.{4}\x00\x00\x00\x00/
-  payload /.{7}\x00\x00\x00\x00/
-}
-
-signature s2b-583-9 {
-  ip-proto == udp
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap rstatd request UDP"
-  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA1/
-  payload /.{3}\x00\x00\x00\x00/
-}
-
-signature s2b-1270-11 {
-  ip-proto == tcp
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap rstatd request TCP"
-  tcp-state established,originator
-  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA1/
-  payload /.{7}\x00\x00\x00\x00/
-}
-
-signature s2b-1913-10 {
-  ip-proto == udp
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC STATD UDP stat mon_name format string exploit attempt"
-  # Not supported: byte_test: 4,>,100,0,relative
-  payload /.{11}\x00\x01\x86\xB8.{4}\x00\x00\x00\x01/
-  payload /.{3}\x00\x00\x00\x00/
-}
-
-signature s2b-1914-10 {
-  ip-proto == tcp
-  # Not supported: byte_test: 4,>,100,0,relative
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC STATD TCP stat mon_name format string exploit attempt"
-  tcp-state established,originator
-  payload /.{15}\x00\x01\x86\xB8.{4}\x00\x00\x00\x01/
-  payload /.{7}\x00\x00\x00\x00/
-}
-
-signature s2b-1915-9 {
-  ip-proto == udp
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC STATD UDP monitor mon_name format string exploit attempt"
-  # Not supported: byte_test: 4,>,100,0,relative
-  payload /.{11}\x00\x01\x86\xB8.{4}\x00\x00\x00\x02/
-  payload /.{3}\x00\x00\x00\x00/
-}
-
-signature s2b-1916-9 {
-  ip-proto == tcp
-  # Not supported: byte_test: 4,>,100,0,relative
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC STATD TCP monitor mon_name format string exploit attempt"
-  tcp-state established,originator
-  payload /.{15}\x00\x01\x86\xB8.{4}\x00\x00\x00\x02/
-  payload /.{7}\x00\x00\x00\x00/
-}
-
-signature s2b-1277-9 {
-  ip-proto == udp
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap ypupdated request UDP"
-  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xBC/
-  payload /.{3}\x00\x00\x00\x00/
-}
-
-signature s2b-591-10 {
-  ip-proto == tcp
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap ypupdated request TCP"
-  tcp-state established,originator
-  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xBC/
-  payload /.{7}\x00\x00\x00\x00/
-}
-
-signature s2b-2088-5 {
-  ip-proto == udp
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC ypupdated arbitrary command attempt UDP"
-  payload /.{11}\x00\x01\x86\xBC.{4}\x00\x00\x00\x01.{4}.*\x7C/
-  payload /.{3}\x00\x00\x00\x00/
-}
-
-signature s2b-2089-5 {
-  ip-proto == tcp
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC ypupdated arbitrary command attempt TCP"
-  tcp-state established,originator
-  payload /.{15}\x00\x01\x86\xBC.{4}\x00\x00\x00\x01.{4}.*\x7C/
-  payload /.{7}\x00\x00\x00\x00/
-}
-
-signature s2b-1959-7 {
-  ip-proto == udp
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap NFS request UDP"
-  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA3/
-  payload /.{3}\x00\x00\x00\x00/
-}
-
-signature s2b-1960-7 {
-  ip-proto == tcp
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap NFS request TCP"
-  tcp-state established,originator
-  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA3/
-  payload /.{7}\x00\x00\x00\x00/
-}
-
-signature s2b-1961-7 {
-  ip-proto == udp
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap RQUOTA request UDP"
-  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xAB/
-  payload /.{3}\x00\x00\x00\x00/
-}
-
-signature s2b-1962-7 {
-  ip-proto == tcp
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap RQUOTA request TCP"
-  tcp-state established,originator
-  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xAB/
-  payload /.{7}\x00\x00\x00\x00/
-}
-
-signature s2b-1963-9 {
-  ip-proto == udp
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC RQUOTA getquota overflow attempt UDP"
-  # Not supported: byte_test: 4,>,128,0,relative
-  payload /.{11}\x00\x01\x86\xAB.{4}\x00\x00\x00\x01/
-  payload /.{3}\x00\x00\x00\x00/
-}
-
-signature s2b-2024-8 {
-  ip-proto == tcp
-  # Not supported: byte_test: 4,>,128,0,relative
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC RQUOTA getquota overflow attempt TCP"
-  tcp-state established,originator
-  payload /.{15}\x00\x01\x86\xAB.{4}\x00\x00\x00\x01/
-  payload /.{7}\x00\x00\x00\x00/
-}
-
-signature s2b-588-17 {
-  ip-proto == udp
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap ttdbserv request UDP"
-  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xF3/
-  payload /.{3}\x00\x00\x00\x00/
-}
-
-signature s2b-1274-17 {
-  ip-proto == tcp
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap ttdbserv request TCP"
-  tcp-state established,originator
-  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xF3/
-  payload /.{7}\x00\x00\x00\x00/
-}
-
-signature s2b-1964-8 {
-  ip-proto == udp
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC tooltalk UDP overflow attempt"
-  # Not supported: byte_test: 4,>,128,0,relative
-  payload /.{11}\x00\x01\x86\xF3.{4}\x00\x00\x00\x07/
-  payload /.{3}\x00\x00\x00\x00/
-}
-
-signature s2b-1965-8 {
-  ip-proto == tcp
-  # Not supported: byte_test: 4,>,128,0,relative
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC tooltalk TCP overflow attempt"
-  tcp-state established,originator
-  payload /.{15}\x00\x01\x86\xF3.{4}\x00\x00\x00\x07/
-  payload /.{7}\x00\x00\x00\x00/
-}
-
-signature s2b-589-8 {
-  ip-proto == udp
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap yppasswd request UDP"
-  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA9/
-  payload /.{3}\x00\x00\x00\x00/
-}
-
-signature s2b-1275-10 {
-  ip-proto == tcp
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap yppasswd request TCP"
-  tcp-state established,originator
-  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA9/
-  payload /.{7}\x00\x00\x00\x00/
-}
-
-signature s2b-2027-5 {
-  ip-proto == udp
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  # Not supported: byte_test: 4,>,64,0,relative
-  event "RPC yppasswd old password overflow attempt UDP"
-  payload /.{11}\x00\x01\x86\xA9.{4}\x00\x00\x00\x01/
-  payload /.{3}\x00\x00\x00\x00/
-}
-
-signature s2b-2028-5 {
-  ip-proto == tcp
-  # Not supported: byte_test: 4,>,64,0,relative
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC yppasswd old password overflow attempt TCP"
-  tcp-state established,originator
-  payload /.{15}\x00\x01\x86\xA9.{4}\x00\x00\x00\x01/
-  payload /.{7}\x00\x00\x00\x00/
-}
-
-signature s2b-2025-9 {
-  ip-proto == udp
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align,4,0,relative,align
-  event "RPC yppasswd username overflow attempt UDP"
-  # Not supported: byte_test: 4,>,64,0,relative
-  payload /.{11}\x00\x01\x86\xA9.{4}\x00\x00\x00\x01/
-  payload /.{3}\x00\x00\x00\x00/
-}
-
-signature s2b-2026-9 {
-  ip-proto == tcp
-  # Not supported: byte_test: 4,>,64,0,relative
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align,4,0,relative,align
-  event "RPC yppasswd username overflow attempt TCP"
-  tcp-state established,originator
-  payload /.{15}\x00\x01\x86\xA9.{4}\x00\x00\x00\x01/
-  payload /.{7}\x00\x00\x00\x00/
-}
-
-signature s2b-2029-5 {
-  ip-proto == udp
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align,4,0,relative,align,4,0,relative,align
-  # Not supported: byte_test: 4,>,64,0,relative
-  event "RPC yppasswd new password overflow attempt UDP"
-  payload /.{11}\x00\x01\x86\xA9.{4}\x00\x00\x00\x01/
-  payload /.{3}\x00\x00\x00\x00/
-}
-
-signature s2b-2030-6 {
-  ip-proto == tcp
-  # Not supported: byte_test: 4,>,64,0,relative
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align,4,0,relative,align,4,0,relative,align
-  event "RPC yppasswd new password overflow attempt TCP"
-  tcp-state established,originator
-  payload /.{15}\x00\x01\x86\xA9.{4}\x00\x00\x00\x01/
-  payload /.{7}\x00\x00\x00\x00/
-}
-
-signature s2b-2031-5 {
-  ip-proto == udp
-  event "RPC yppasswd user update UDP"
-  payload /.{11}\x00\x01\x86\xA9.{4}\x00\x00\x00\x01/
-  payload /.{3}\x00\x00\x00\x00/
-}
-
-signature s2b-2032-5 {
-  ip-proto == tcp
-  event "RPC yppasswd user update TCP"
-  tcp-state established,originator
-  payload /.{15}\x00\x01\x86\xA9.{4}\x00\x00\x00\x01/
-  payload /.{7}\x00\x00\x00\x00/
-}
-
-signature s2b-590-12 {
-  ip-proto == udp
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap ypserv request UDP"
-  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA4/
-  payload /.{3}\x00\x00\x00\x00/
-}
-
-signature s2b-1276-14 {
-  ip-proto == tcp
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap ypserv request TCP"
-  tcp-state established,originator
-  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA4/
-  payload /.{7}\x00\x00\x00\x00/
-}
-
-signature s2b-2033-8 {
-  ip-proto == udp
-  event "RPC ypserv maplist request UDP"
-  payload /.{11}\x00\x01\x86\xA4.{4}\x00\x00\x00\x0B/
-  payload /.{3}\x00\x00\x00\x00/
-}
-
-signature s2b-2034-7 {
-  ip-proto == tcp
-  event "RPC ypserv maplist request TCP"
-  tcp-state established,originator
-  payload /.{15}\x00\x01\x86\xA4.{4}\x00\x00\x00\x0B/
-  payload /.{7}\x00\x00\x00\x00/
-}
-
-signature s2b-2035-6 {
-  ip-proto == udp
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap network-status-monitor request UDP"
-  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x03\x0Dp/
-  payload /.{3}\x00\x00\x00\x00/
-}
-
-signature s2b-2036-6 {
-  ip-proto == tcp
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap network-status-monitor request TCP"
-  tcp-state established,originator
-  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x03\x0Dp/
-  payload /.{7}\x00\x00\x00\x00/
-}
-
-signature s2b-2037-5 {
-  ip-proto == udp
-  event "RPC network-status-monitor mon-callback request UDP"
-  payload /.{11}\x00\x03\x0Dp.{4}\x00\x00\x00\x01/
-  payload /.{3}\x00\x00\x00\x00/
-}
-
-signature s2b-2038-5 {
-  ip-proto == tcp
-  event "RPC network-status-monitor mon-callback request TCP"
-  tcp-state established,originator
-  payload /.{15}\x00\x03\x0Dp.{4}\x00\x00\x00\x01/
-  payload /.{7}\x00\x00\x00\x00/
-}
-
-signature s2b-2079-6 {
-  ip-proto == udp
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap nlockmgr request UDP"
-  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xB5/
-  payload /.{3}\x00\x00\x00\x00/
-}
-
-signature s2b-2080-6 {
-  ip-proto == tcp
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap nlockmgr request TCP"
-  tcp-state established,originator
-  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xB5/
-  payload /.{7}\x00\x00\x00\x00/
-}
-
-signature s2b-2081-9 {
-  ip-proto == udp
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap rpc.xfsmd request UDP"
-  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x05\xF7h/
-  payload /.{3}\x00\x00\x00\x00/
-}
-
-signature s2b-2082-9 {
-  ip-proto == tcp
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap rpc.xfsmd request TCP"
-  tcp-state established,originator
-  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x05\xF7h/
-  payload /.{7}\x00\x00\x00\x00/
-}
-
-signature s2b-2083-8 {
-  ip-proto == udp
-  event "RPC rpc.xfsmd xfs_export attempt UDP"
-  payload /.{11}\x00\x05\xF7h.{4}\x00\x00\x00\x0D/
-  payload /.{3}\x00\x00\x00\x00/
-}
-
-signature s2b-2084-8 {
-  ip-proto == tcp
-  event "RPC rpc.xfsmd xfs_export attempt TCP"
-  tcp-state established,originator
-  payload /.{15}\x00\x05\xF7h.{4}\x00\x00\x00\x0D/
-  payload /.{7}\x00\x00\x00\x00/
-}
-
-signature s2b-2005-10 {
-  ip-proto == udp
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap kcms_server request UDP"
-  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x87\}/
-  payload /.{3}\x00\x00\x00\x00/
-}
-
-signature s2b-2006-10 {
-  ip-proto == tcp
-  dst-port == 111
-  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
-  event "RPC portmap kcms_server request TCP"
-  tcp-state established,originator
-  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x87\}/
-  payload /.{7}\x00\x00\x00\x00/
-}
-
-signature s2b-2007-10 {
-  ip-proto == tcp
-  dst-port >= 32771
-  dst-port <= 34000
-  # Not supported: byte_jump: 4,20,relative,align,4,4,relative,align
-  event "RPC kcms_server directory traversal attempt"
-  tcp-state established,originator
-  payload /.{15}\x00\x01\x87\}.*.*\/\.\.\//
-  payload /.{7}\x00\x00\x00\x00/
-}
-
-signature s2b-2255-3 {
-  ip-proto == tcp
-  # Not supported: byte_jump: 4,8,relative,align
-  event "RPC sadmind query with root credentials attempt TCP"
-  tcp-state established,originator
-  payload /.{15}\x00\x01\x87\x88.{4}\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x00/
-}
-
-signature s2b-2256-3 {
-  ip-proto == udp
-  # Not supported: byte_jump: 4,8,relative,align
-  event "RPC sadmind query with root credentials attempt UDP"
-  payload /.{11}\x00\x01\x87\x88.{4}\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x00/
-}
-
-signature s2b-601-6 {
-  ip-proto == tcp
-  dst-port == 513
-  event "RSERVICES rlogin LinuxNIS"
-  tcp-state established,originator
-  payload /.*\x3A\x3A\x3A\x3A\x3A\x3A\x3A\x3A\x00\x3A\x3A\x3A\x3A\x3A\x3A\x3A\x3A/
-}
-
-signature s2b-602-5 {
-  ip-proto == tcp
-  dst-port == 513
-  event "RSERVICES rlogin bin"
-  tcp-state established,originator
-  payload /.*bin\x00bin\x00/
-}
-
-signature s2b-603-5 {
-  ip-proto == tcp
-  dst-port == 513
-  event "RSERVICES rlogin echo++"
-  tcp-state established,originator
-  payload /.*echo \x22 \+ \+ \x22/
-}
-
-signature s2b-604-5 {
-  ip-proto == tcp
-  dst-port == 513
-  event "RSERVICES rsh froot"
-  tcp-state established,originator
-  payload /.*-froot\x00/
-}
-
-signature s2b-611-7 {
-  ip-proto == tcp
-  src-port == 513
-  event "RSERVICES rlogin login failure"
-  tcp-state established,responder
-  payload /.*\x01rlogind\x3A Permission denied\./
-}
-
-signature s2b-605-6 {
-  ip-proto == tcp
-  src-port == 513
-  event "RSERVICES rlogin login failure"
-  tcp-state established,responder
-  payload /.*login incorrect/
-}
-
-signature s2b-606-5 {
-  ip-proto == tcp
-  dst-port == 513
-  event "RSERVICES rlogin root"
-  tcp-state established,originator
-  payload /.*root\x00root\x00/
-}
-
-signature s2b-607-5 {
-  ip-proto == tcp
-  dst-port == 514
-  event "RSERVICES rsh bin"
-  tcp-state established,originator
-  payload /.*bin\x00bin\x00/
-}
-
-signature s2b-608-5 {
-  ip-proto == tcp
-  dst-port == 514
-  event "RSERVICES rsh echo + +"
-  tcp-state established,originator
-  payload /.*echo \x22\+ \+\x22/
-}
-
-signature s2b-609-5 {
-  ip-proto == tcp
-  dst-port == 514
-  event "RSERVICES rsh froot"
-  tcp-state established,originator
-  payload /.*-froot\x00/
-}
-
-signature s2b-610-5 {
-  ip-proto == tcp
-  dst-port == 514
-  event "RSERVICES rsh root"
-  tcp-state established,originator
-  payload /.*root\x00root\x00/
-}
-
-signature s2b-2113-3 {
-  ip-proto == tcp
-  dst-port == 512
-  dst-ip == local_nets
-  event "RSERVICES rexec username overflow attempt"
-  tcp-state established,originator
-  payload /.{8}.*\x00.*.*\x00.*.*\x00/
-}
-
-signature s2b-2114-3 {
-  ip-proto == tcp
-  dst-port == 512
-  event "RSERVICES rexec password overflow attempt"
-  tcp-state established,originator
-  payload /.*\x00.{33}.*\x00.*.*\x00/
-}
-
-signature s2b-616-4 {
-  ip-proto == tcp
-  dst-port == 113
-  event "SCAN ident version request"
-  tcp-state established,originator
-  payload /.{0,8}VERSION\x0A/
-}
-
-signature s2b-619-5 {
-  ip-proto == tcp
-  dst-port == 80
-  payload-size == 0
-  header tcp[13:1] & 255 == 195
-  event "SCAN cybercop os probe"
-  tcp-state stateless
-}
-
-signature s2b-622-6 {
-  ip-proto == tcp
-  header tcp[13:1] & 255 == 2
-  header tcp[4:4] == 1958810375
-  event "SCAN ipEye SYN scan"
-  tcp-state stateless
-}
-
-signature s2b-1228-6 {
-  ip-proto == tcp
-  header tcp[13:1] & 255 == 41
-  event "SCAN nmap XMAS"
-  tcp-state stateless
-}
-
-signature s2b-630-5 {
-  ip-proto == tcp
-  header tcp[13:1] & 255 == 3
-  event "SCAN synscan portscan"
-  tcp-state stateless
-  header ip[4:2] == 39426
-}
-
-signature s2b-626-7 {
-  ip-proto == tcp
-  header tcp[13:1] & 255 == 216
-  event "SCAN cybercop os PA12 attempt"
-  tcp-state stateless
-  payload /AAAAAAAAAAAAAAAA/
-}
-
-signature s2b-627-7 {
-  ip-proto == tcp
-  header tcp[8:4] == 0
-  header tcp[13:1] & 255 == 227
-  event "SCAN cybercop os SFU12 probe"
-  tcp-state stateless
-  payload /AAAAAAAAAAAAAAAA/
-}
-
-signature s2b-634-2 {
-  ip-proto == udp
-  dst-port >= 10080
-  dst-port <= 10081
-  event "SCAN Amanda client version request"
-  payload /.*[aA][mM][aA][nN][dD][aA]/
-}
-
-signature s2b-635-3 {
-  ip-proto == udp
-  dst-port == 49
-  event "SCAN XTACACS logout"
-  payload /.*\x80\x07\x00\x00\x07\x00\x00\x04\x00\x00\x00\x00\x00/
-}
-
-signature s2b-636-1 {
-  ip-proto == udp
-  dst-port == 7
-  event "SCAN cybercop udp bomb"
-  payload /.*cybercop/
-}
-
-signature s2b-637-3 {
-  ip-proto == udp
-  event "SCAN Webtrends Scanner UDP Probe"
-  payload /.*\x0Ahelp\x0Aquite\x0A/
-}
-
-signature s2b-1638-5 {
-  ip-proto == tcp
-  dst-port == 22
-  event "SCAN SSH Version map attempt"
-  tcp-state established,originator
-  payload /.*[vV][eE][rR][sS][iI][oO][nN]_[mM][aA][pP][pP][eE][rR]/
-}
-
-signature s2b-1133-11 {
-  ip-proto == tcp
-  dst-port == http_ports
-  header tcp[8:4] == 0
-  header tcp[13:1] & 255 == 11
-  event "SCAN cybercop os probe"
-  tcp-state stateless
-  payload /AAAAAAAAAAAAAAAA/
-}
-
-signature s2b-647-6 {
-  src-port != non_shellcode_ports
-  event "SHELLCODE sparc setuid 0"
-  payload /.*\x82\x10 \x17\x91\xD0 \x08/
-}
-
-signature s2b-649-8 {
-  src-port != non_shellcode_ports
-  event "SHELLCODE x86 setgid 0"
-  payload /.*\xB0\xB5\xCD\x80/
-}
-
-signature s2b-638-5 {
-  src-port != non_shellcode_ports
-  event "SHELLCODE SGI NOOP"
-  payload /.*\x03\xE0\xF8%\x03\xE0\xF8%\x03\xE0\xF8%\x03\xE0\xF8%/
-}
-
-signature s2b-639-5 {
-  src-port != non_shellcode_ports
-  event "SHELLCODE SGI NOOP"
-  payload /.*\x24\x0F\x124\x24\x0F\x124\x24\x0F\x124\x24\x0F\x124/
-}
-
-signature s2b-640-6 {
-  src-port != non_shellcode_ports
-  event "SHELLCODE AIX NOOP"
-  payload /.*O\xFF\xFB\x82O\xFF\xFB\x82O\xFF\xFB\x82O\xFF\xFB\x82/
-}
-
-signature s2b-641-6 {
-  src-port != non_shellcode_ports
-  event "SHELLCODE Digital UNIX NOOP"
-  payload /.*G\xFF\x04\x1FG\xFF\x04\x1FG\xFF\x04\x1FG\xFF\x04\x1F/
-}
-
-signature s2b-642-6 {
-  src-port != non_shellcode_ports
-  event "SHELLCODE HP-UX NOOP"
-  payload /.*\x08!\x02\x80\x08!\x02\x80\x08!\x02\x80\x08!\x02\x80/
-}
-
-signature s2b-644-5 {
-  src-port != non_shellcode_ports
-  event "SHELLCODE sparc NOOP"
-  payload /.*\x13\xC0\x1C\xA6\x13\xC0\x1C\xA6\x13\xC0\x1C\xA6\x13\xC0\x1C\xA6/
-}
-
-signature s2b-645-5 {
-  src-port != non_shellcode_ports
-  event "SHELLCODE sparc NOOP"
-  payload /.*\x80\x1C@\x11\x80\x1C@\x11\x80\x1C@\x11\x80\x1C@\x11/
-}
-
-signature s2b-646-5 {
-  src-port != non_shellcode_ports
-  event "SHELLCODE sparc NOOP"
-  payload /.*\xA6\x1C\xC0\x13\xA6\x1C\xC0\x13\xA6\x1C\xC0\x13\xA6\x1C\xC0\x13/
-}
-
-signature s2b-648-7 {
-  src-port != non_shellcode_ports
-  event "SHELLCODE x86 NOOP"
-  payload /.{0,114}\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90/
-}
-
-signature s2b-651-8 {
-  src-port != non_shellcode_ports
-  event "SHELLCODE x86 stealth NOOP"
-  payload /.*\xEB\x02\xEB\x02\xEB\x02/
-}
-
-signature s2b-653-8 {
-  src-port != non_shellcode_ports
-  event "SHELLCODE x86 unicode NOOP"
-  payload /.*\x90\x00\x90\x00\x90\x00\x90\x00\x90\x00/
-}
-
-signature s2b-652-9 {
-  src-port != non_shellcode_ports
-  event "SHELLCODE Linux shellcode"
-  payload /.*\x90\x90\x90\xE8\xC0\xFF\xFF\xFF\/bin\/sh/
-}
-
-signature s2b-1390-5 {
-  src-port != non_shellcode_ports
-  event "SHELLCODE x86 inc ebx NOOP"
-  payload /.*CCCCCCCCCCCCCCCCCCCCCCCC/
-}
-
-signature s2b-1394-5 {
-  src-port != non_shellcode_ports
-  event "SHELLCODE x86 NOOP"
-  payload /.*aaaaaaaaaaaaaaaaaaaaa/
-}
-
-signature s2b-1424-6 {
-  src-port != non_shellcode_ports
-  event "SHELLCODE x86 0xEB0C NOOP"
-  payload /.*\xEB\x0C\xEB\x0C\xEB\x0C\xEB\x0C\xEB\x0C\xEB\x0C\xEB\x0C\xEB\x0C/
-}
-
-signature s2b-2312-2 {
-  src-port != non_shellcode_ports
-  event "SHELLCODE x86 0x71FB7BAB NOOP"
-  payload /.*q\xFB\{\xABq\xFB\{\xABq\xFB\{\xABq\xFB\{\xAB/
-}
-
-signature s2b-2313-2 {
-  src-port != non_shellcode_ports
-  event "SHELLCODE x86 0x71FB7BAB NOOP unicode"
-  payload /.*q\x00\xFB\x00\{\x00\xAB\x00q\x00\xFB\x00\{\x00\xAB\x00q\x00\xFB\x00\{\x00\xAB\x00q\x00\xFB\x00\{\x00\xAB\x00/
-}
-
-signature s2b-2314-1 {
-  src-port != non_shellcode_ports
-  event "SHELLCODE x86 0x90 NOOP unicode"
-  payload /.*\x90\x00\x90\x00\x90\x00\x90\x00\x90\x00\x90\x00\x90\x00\x90\x00/
-}
-
-signature s2b-654-13 {
-  ip-proto == tcp
-  dst-port == 25
-  # Not supported: pcre: /^RCPT TO\s[^\n]{300}/ism
-  event "SMTP RCPT TO overflow"
-  tcp-state established,originator
-  # Not supported: isdataat: 300,relative
-  payload /.*[rR][cC][pP][tT] [tT][oO]\x3A/
-  requires-reverse-signature ! smtp_server_fail
-  payload /((^)|(\n+))[rR][cC][pP][tT] [tT][oO][\x20\x09\x0b][^\n]{300}/
-}
-
-signature s2b-657-12 {
-  ip-proto == tcp
-  dst-port == 25
-  # Not supported: pcre: /^HELP\s[^\n]{500}/ism
-  event "SMTP chameleon overflow"
-  tcp-state established,originator
-  # Not supported: isdataat: 500,relative
-  requires-reverse-signature ! smtp_server_fail
-  payload /((^)|(\n+))[hH][eE][lL][pP][\x20\x09\x0b][^\n]{500}/
-}
-
-signature s2b-655-8 {
-  ip-proto == tcp
-  src-port == 113
-  dst-port == 25
-  event "SMTP sendmail 8.6.9 exploit"
-  tcp-state established,originator
-  payload /.*\x0AD\//
-  requires-reverse-signature ! smtp_server_fail
-}
-
-signature s2b-658-5 {
-  ip-proto == tcp
-  dst-port == 25
-  event "SMTP exchange mime DOS"
-  tcp-state established,originator
-  payload /.*charset = \x22\x22/
-}
-
-signature s2b-659-6 {
-  ip-proto == tcp
-  dst-port == 25
-  # Not supported: pcre: /^expn\s+decode/smi
-  event "SMTP expn decode"
-  tcp-state established,originator
-  requires-reverse-signature ! smtp_server_fail
-  payload /((^)|(\n+))[eE][xX][pP][nN][\x20\x09\x0b][dD][eE][cC][oO][dD][eE]/
-}
-
-signature s2b-660-7 {
-  ip-proto == tcp
-  dst-port == 25
-  # Not supported: pcre: /^expn\s+root/smi
-  event "SMTP expn root"
-  tcp-state established,originator
-  requires-reverse-signature ! smtp_server_fail
-  payload /((^)|(\n+))[eE][xX][pP][nN][\x20\x09\x0b][rR][oO][oO][tT]/
-}
-
-signature s2b-1450-5 {
-  ip-proto == tcp
-  dst-port == 25
-  # Not supported: pcre: /^expn\s+\*@/smi
-  event "SMTP expn *@"
-  tcp-state established,originator
-  requires-reverse-signature ! smtp_server_fail
-  payload /((^)|(\n+))[eE][xX][pP][nN][\x20\x09\x0b]\*@/
-}
-
-signature s2b-661-6 {
-  ip-proto == tcp
-  dst-port == 25
-  event "SMTP majordomo ifs"
-  tcp-state established,originator
-  payload /.*eply-to\x3A a~\.`\/bin\//
-  requires-reverse-signature ! smtp_server_fail
-}
-
-signature s2b-662-5 {
-  ip-proto == tcp
-  dst-port == 25
-  event "SMTP sendmail 5.5.5 exploit"
-  tcp-state established,originator
-  payload /.*[mM][aA][iI][lL] [fF][rR][oO][mM]\x3A \x22\x7C/
-  requires-reverse-signature ! smtp_server_fail
-}
-
-signature s2b-663-13 {
-  ip-proto == tcp
-  dst-port == 25
-  # Not supported: pcre: /^rcpt\s+to\:\s+[|\x3b]/smi
-  event "SMTP rcpt to command attempt"
-  tcp-state established,originator
-  payload /((^)|(\n+))[rR][cC][pP][tT][\x20\x09\x0b][tT][oO]:[\x20\x09\x0b]+[|\x3b]/
-}
-
-signature s2b-664-13 {
-  ip-proto == tcp
-  dst-port == 25
-  # Not supported: pcre: /^rcpt to\:\s+decode/smi
-  event "SMTP RCPT TO decode attempt"
-  tcp-state established,originator
-  requires-reverse-signature ! smtp_server_fail
-  payload /((^)|(\n+))[rR][cC][pP][tT][\x20\x09\x0b][tT][oO]:[\x20\x09\x0b]+[dD][eE][cC][oO][dD][eE]/
-}
-
-signature s2b-665-5 {
-  ip-proto == tcp
-  dst-port == 25
-  event "SMTP sendmail 5.6.5 exploit"
-  tcp-state established,originator
-  payload /.*[mM][aA][iI][lL] [fF][rR][oO][mM]\x3A \x7C\/[uU][sS][rR]\/[uU][cC][bB]\/[tT][aA][iI][lL]/
-  requires-reverse-signature ! smtp_server_fail
-}
-
-signature s2b-667-5 {
-  ip-proto == tcp
-  dst-port == 25
-  event "SMTP sendmail 8.6.10 exploit"
-  tcp-state established,originator
-  payload /.*Croot\x0D\x0AMprog, P=\/bin\//
-  requires-reverse-signature ! smtp_server_fail
-}
-
-signature s2b-668-6 {
-  ip-proto == tcp
-  dst-port == 25
-  event "SMTP sendmail 8.6.10 exploit"
-  tcp-state established,originator
-  payload /.*Croot\x09\x09\x09\x09\x09\x09\x09Mprog,P=\/bin/
-  requires-reverse-signature ! smtp_server_fail
-}
-
-signature s2b-670-7 {
-  ip-proto == tcp
-  dst-port == 25
-  event "SMTP sendmail 8.6.9 exploit"
-  tcp-state established,originator
-  payload /.*\x0AC\x3Adaemon\x0AR/
-  requires-reverse-signature ! smtp_server_fail
-}
-
-signature s2b-671-8 {
-  ip-proto == tcp
-  dst-port == 25
-  event "SMTP sendmail 8.6.9c exploit"
-  tcp-state established,originator
-  payload /.*\x0ACroot\x0D\x0AMprog/
-  requires-reverse-signature ! smtp_server_fail
-}
-
-signature s2b-672-6 {
-  ip-proto == tcp
-  dst-port == 25
-  # Not supported: pcre: /^vrfy\s+decode/smi
-  event "SMTP vrfy decode"
-  tcp-state established,originator
-  requires-reverse-signature ! smtp_server_fail
-  payload /((^)|(\n+))[vV][rR][fF][yY][\x20\x09\x0b]+[dD][eE][cC][oO][dD][eE]/
-}
-
-signature s2b-1446-6 {
-  ip-proto == tcp
-  dst-port == 25
-  # Not supported: pcre: /^vrfy\s+root/smi
-  event "SMTP vrfy root"
-  tcp-state established,originator
-  requires-reverse-signature ! smtp_server_fail
-  payload /((^)|(\n+))[vV][rR][fF][yY][\x20\x09\x0b]+[rR][oO][oO][tT]/
-}
-
-signature s2b-631-6 {
-  ip-proto == tcp
-  dst-port == 25
-  event "SMTP ehlo cybercop attempt"
-  tcp-state established,originator
-  payload /.*ehlo cybercop\x0Aquit\x0A/
-  requires-reverse-signature ! smtp_server_fail
-}
-
-signature s2b-632-5 {
-  ip-proto == tcp
-  dst-port == 25
-  event "SMTP expn cybercop attempt"
-  tcp-state established,originator
-  payload /.*expn cybercop/
-}
-
-signature s2b-1549-16 {
-  ip-proto == tcp
-  dst-port == 25
-  # Not supported: pcre: /^HELO\s[^\n]{500}/smi
-  event "SMTP HELO overflow attempt"
-  tcp-state established,originator
-  # Not supported: isdataat: 500,relative
-  requires-reverse-signature ! smtp_server_fail
-  payload /((^)|(\n+))[hH][eE][lL][oO][\x20\x09\x0b][^\n]{500}/
-}
-
-signature s2b-1550-10 {
-  ip-proto == tcp
-  dst-port == 25
-  # Not supported: pcre: /^ETRN\s[^\n]{500}/smi
-  event "SMTP ETRN overflow attempt"
-  tcp-state established,originator
-  # Not supported: isdataat: 500,relative
-  requires-reverse-signature ! smtp_server_fail
-  payload /((^)|(\n+))[eE][tT][rR][nN]][\x20\x09\x0b][^\n]{500}/
-}
-
-signature s2b-2087-5 {
-  ip-proto == tcp
-  dst-port == 25
-  event "Sendmail SMTP From comment overflow attempt"
-  tcp-state established,originator
-  payload /.*From\x3A<><><><><><><><><><><><><><><><><><><><><><>.{1}\x28.{1}\x29/
-  requires-reverse-signature ! smtp_server_fail
-}
-
-signature s2b-2253-3 {
-  ip-proto == tcp
-  dst-port == 25
-  # Not supported: pcre: /^XEXCH50\s+-\d/smi
-  event "SMTP XEXCH50 overflow attempt"
-  tcp-state established,originator
-  requires-reverse-signature ! smtp_server_fail
-  payload /((^)|(\n+))[xX][eE][xX][cC][hH]50[\x20\x09\x0b]+-[0-9]/
-}
-
-signature s2b-2259-5 {
-  ip-proto == tcp
-  dst-port == 25
-  # Not supported: pcre: /^EXPN[^\n]{255,}/smi
-  event "SMTP EXPN overflow attempt"
-  tcp-state established,originator
-  requires-reverse-signature ! smtp_server_fail
-  payload /((^)|(\n+))[eE][xX][pP][nN][^\n]{255,}/
-}
-
-signature s2b-2260-5 {
-  ip-proto == tcp
-  dst-port == 25
-  # Not supported: pcre: /^VRFY[^\n]{255,}/smi
-  event "SMTP VRFY overflow attempt"
-  tcp-state established,originator
-  requires-reverse-signature ! smtp_server_fail
-  payload /((^)|(\n+))[vV][rR][fF][yY][^\n]{255,}/
-}
-
-signature s2b-2261-4 {
-  ip-proto == tcp
-  dst-port == 25
-  # Not supported: pcre: /^SEND FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi
-  event "SMTP SEND FROM sendmail prescan too many addresses overflow"
-  tcp-state established,originator
-  requires-reverse-signature ! smtp_server_fail
-  payload /((^)|(\n+))[sS][eE][nN][dD] [fF][rR][oO][mM]\x3a[\x20\x09\x0b]*[^\n]*?<[^\n]*? <[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*? <[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*? <[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*? <[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*? <[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</
-}
-
-signature s2b-2262-4 {
-  ip-proto == tcp
-  dst-port == 25
-  # Not supported: pcre: /^SEND FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi
-  event "SMTP SEND FROM sendmail prescan too long addresses overflow"
-  tcp-state established,originator
-  requires-reverse-signature ! smtp_server_fail
-  payload /((^)|(\n+))[sS][eE][nN][dD] [fF][rR][oO][mM]:[\x20\x09\x0b]+[a-zA-Z0-9\x5f\x20\x09\x0b@\.]{0,200}\x3b[a-zA-Z0-9_\x20\x09\x0b@\.]{200,}\x3b[a-zA-Z0-9_\x20\x09\x0b@\.]{0,200}/
-}
-
-signature s2b-2263-6 {
-  ip-proto == tcp
-  dst-port == 25
-  # Not supported: pcre: /^SAML FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi
-  event "SMTP SAML FROM sendmail prescan too many addresses overflow"
-  tcp-state established,originator
-  requires-reverse-signature ! smtp_server_fail
-  payload /((^)|(\n+))[sS][aA][mM][lL] [fF][rR][oO][mM]\x3a[\x20\x09\x0b]*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</
-}
-
-signature s2b-2264-4 {
-  ip-proto == tcp
-  dst-port == 25
-  # Not supported: pcre: /^SAML FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi
-  event "SMTP SAML FROM sendmail prescan too long addresses overflow"
-  tcp-state established,originator
-  requires-reverse-signature ! smtp_server_fail
-  payload /((^)|(\n+))[sS][aA][mM][lL] [fF][rR][oO][mM]:[\x20\x09\x0b]+[a-zA-Z0-9_\x20\x09\x0b@\.]{0,200}\x3b[a-zA-Z0-9_\x20\x09\x0b@\.]{200,}\x3b[a-zA-Z0-9_\x20\x09\x0b@\.]{0,200}/
-}
-
-signature s2b-2265-4 {
-  ip-proto == tcp
-  dst-port == 25
-  # Not supported: pcre: /^SOML FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi
-  event "SMTP SOML FROM sendmail prescan too many addresses overflow"
-  tcp-state established,originator
-  requires-reverse-signature ! smtp_server_fail
-  payload /((^)|(\n+))[sS][oO][mM][lL] [fF][rR][oO][mM]\x3a[\x20\x09\x0b]*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</
-}
-
-signature s2b-2266-4 {
-  ip-proto == tcp
-  dst-port == 25
-  # Not supported: pcre: /^SOML FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi
-  event "SMTP SOML FROM sendmail prescan too long addresses overflow"
-  tcp-state established,originator
-  payload /((^)|(\n+))[sS][oO][mM][lL] [fF][rR][oO][mM]:[\x20\x09\x0b]+[a-zA-Z0-9_\x20\x09\x0b@\.]{0,200}\x3b[a-zA-Z0-9_\x20\x09\x0b@\.]{200,}\x3b[a-zA-Z0-9_\x20\x09\x0b@\.]{0,200}/
-}
-
-signature s2b-2267-4 {
-  ip-proto == tcp
-  dst-port == 25
-  # Not supported: pcre: /^MAIL FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi
-  event "SMTP MAIL FROM sendmail prescan too many addresses overflow"
-  tcp-state established,originator
-  requires-reverse-signature ! smtp_server_fail
-  payload /((^)|(\n+))[mM][aA][iI][lL] [fF][rR][oO][mM]\x3a\x20*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</
-}
-
-signature s2b-2268-4 {
-  ip-proto == tcp
-  dst-port == 25
-  # Not supported: pcre: /^MAIL FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi
-  event "SMTP MAIL FROM sendmail prescan too long addresses overflow"
-  tcp-state established,originator
-  requires-reverse-signature ! smtp_server_fail
-  payload /((^)|(\n+))[mM][aA][iI][lL] [fF][rR][oO][mM]:[\x20\x09\x0b]+[a-zA-Z0-9_\x20\x09\x0b@\.]{0,200}\x3b[a-zA-Z0-9_\x20\x09\x0b@\.]{200,}\x3b[a-zA-Z0-9_\x20\x09\x0b@\.]{0,200}/
-}
-
-signature s2b-2269-4 {
-  ip-proto == tcp
-  dst-port == 25
-  # Not supported: pcre: /^RCPT TO\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi
-  event "SMTP RCPT TO sendmail prescan too many addresses overflow"
-  tcp-state established,originator
-  requires-reverse-signature ! smtp_server_fail
-  payload /((^)|(\n+))[rR][cC][pP][tT] [tT][oO]\x3a\x20*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</
-}
-
-signature s2b-2270-4 {
-  ip-proto == tcp
-  dst-port == 25
-  # Not supported: pcre: /^RCPT TO\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi
-  event "SMTP RCPT TO sendmail prescan too long addresses overflow"
-  tcp-state established,originator
-  requires-reverse-signature ! smtp_server_fail
-  payload /((^)|(\n+))[rR][cC][pP][tT] [tT][oO]\x3a[\x20\x09\x0b]+[a-zA-Z0-9\x5f\x20\x09\x0b\x40\.]{0,200}\x3b[a-zA-Z0-9\x5f\x20\x09\x0b=x40\.]{200,}\x3b[a-zA-Z0-9\x5f\x20\x09\x0b\x40\.]{0,200}/
-}
-
-signature s2b-2275-2 {
-  ip-proto == tcp
-  src-port == 25
-  # Not supported: threshold: type threshold, track by_dst, count 5, seconds 60
-  event "SMTP AUTH LOGON brute force attempt"
-  tcp-state established,responder
-  payload /.{53}.*[aA][uU][tT][hH][eE][nN][tT][iI][cC][aA][tT][iI][oO][nN] [uU][nN][sS][uU][cC][cC][eE][sS][sS][fF][uU][lL]/
-}
-
-signature s2b-2487-4 {
-  ip-proto == tcp
-  dst-port == 25
-  # Not supported: pcre: /name=[^\r\n]*?\.(mim|uue|uu|b64|bhx|hqx|xxe)/smi,/(name|id|number|total|boundary)=\s*[^\r\n\x3b\s\x2c]{300}/smi
-  event "SMTP WinZip MIME content-type buffer overflow"
-  tcp-state established,originator
-  payload /.*[cC][oO][nN][tT][eE][nN][tT]-[tT][yY][pP][eE]\x3A/
-  requires-reverse-signature ! smtp_server_fail
-  payload /[nN][aA][mM][eE]=[^\r\n]*?\.([mM][iI][mM]|[uU]{2}[eE]?|[bB]64|[bB][hH][xX]|[hH][qQ][xX]|[xX]{2}[eE])/
-  payload /([nN][aA][mM][eE]|[iI][dD]|[nN][uU][mM][bB][eE][rR]|[tT][oO][tT][aA][lL]|[bB][oO][uU][nN][dD][aA][rR][yY])=[\x20\x09\x0b]*[^\r\n\x3b\s\x2c]{300}/
-}
-
-signature s2b-2488-4 {
-  ip-proto == tcp
-  dst-port == 25
-  # Not supported: pcre: /name=[^\r\n]*?\.(mim|uue|uu|b64|bhx|hqx|xxe)/smi,/name=\s*[^\r\n\x3b\s\x2c]{300}/smi
-  event "SMTP WinZip MIME content-disposition buffer overflow"
-  tcp-state established,originator
-  payload /.*[cC][oO][nN][tT][eE][nN][tT]-[tT][yY][pP][eE]\x3A/
-  payload /.*[cC][oO][nN][tT][eE][nN][tT]-[dD][iI][sS][pP][oO][sS][iI][tT][iI][oO][nN]\x3A/
-  requires-reverse-signature ! smtp_server_fail
-  payload /[nN][aA][mM][eE]=[^\r\n]*?\.(([mM][iI]]mM])|([uU]{2}[eE])|([uU]{2})|([bB]64)|([bB][hH][xX])|([hH][qQ][xX])|([xX]{2}[eE]))/
-  payload /[nN][aA][mM][eE]=s*[^\r\n\x3b\x20\x09\x0b\x2c]{300}/
-}
-
-signature s2b-2504-6 {
-  ip-proto == tcp
-  dst-port == 465
-  event "SMTP SSLv3 invalid data version attempt"
-  tcp-state established,originator
-  payload /\x16\x03/
-  payload /.{4}\x01/
-  payload /.{8}[^\x03]*/
-  requires-reverse-signature ! smtp_server_fail
-}
-
-signature s2b-2519-9 {
-  ip-proto == tcp
-  dst-port == 465
-  # Not supported: byte_test: 2,>,0,6,2,!,0,8,2,!,16,8,2,>,20,10,2,>,32768,0,relative
-  event "SMTP Client_Hello overflow attempt"
-  tcp-state established,originator
-  payload /.{1}\x01/
-  payload /.{10}\x8F/
-  requires-reverse-signature ! smtp_server_fail
-}
-
-signature s2b-1892-6 {
-  ip-proto == udp
-  dst-port == 161
-  event "SNMP null community string attempt"
-  payload /.{4}.{0,7}\x04\x01\x00/
-  requires-reverse-signature snmp_userver_ok_return
-}
-
-signature s2b-1409-10 {
-  ip-proto == udp
-  dst-port >= 161
-  dst-port <= 162
-  event "SNMP community string buffer overflow attempt"
-  payload /.{3}.*\x02\x01\x00\x04\x82\x01\x00/
-  requires-reverse-signature snmp_userver_ok_return
-}
-
-signature s2b-1422-10 {
-  ip-proto == udp
-  dst-port >= 161
-  dst-port <= 162
-  event "SNMP community string buffer overflow attempt with evasion"
-  payload /.{6} \x04\x82\x01\x00/
-}
-
-signature s2b-1411-10 {
-  ip-proto == udp
-  dst-port == 161
-  event "SNMP public access udp"
-  payload /.*public/
-  requires-reverse-signature snmp_userver_ok_return
-}
-
-signature s2b-1412-13 {
-  ip-proto == tcp
-  dst-port == 161
-  event "SNMP public access tcp"
-  tcp-state established,originator
-  payload /.*public/
-  requires-reverse-signature snmp_userver_ok_return
-}
-
-signature s2b-1413-10 {
-  ip-proto == udp
-  dst-port == 161
-  event "SNMP private access udp"
-  payload /.*private/
-}
-
-signature s2b-1414-11 {
-  ip-proto == tcp
-  dst-port == 161
-  event "SNMP private access tcp"
-  tcp-state established,originator
-  payload /.*private/
-  requires-reverse-signature snmp_tserver_ok_return
-}
-
-signature s2b-1415-9 {
-  ip-proto == udp
-  dst-ip == 255.255.255.255
-  dst-port == 161
-  event "SNMP Broadcast request"
-  requires-reverse-signature snmp_userver_ok_return
-}
-
-signature s2b-1416-9 {
-  ip-proto == udp
-  dst-ip == 255.255.255.255
-  dst-port == 162
-  event "SNMP broadcast trap"
-  requires-reverse-signature snmp_userver_ok_return
-}
-
-signature s2b-1418-11 {
-  ip-proto == tcp
-  dst-port == 161
-  event "SNMP request tcp"
-  tcp-state stateless
-  requires-reverse-signature snmp_tserver_ok_return
-}
-
-signature s2b-1419-9 {
-  ip-proto == udp
-  dst-port == 162
-  event "SNMP trap udp"
-  requires-reverse-signature snmp_userver_ok_return
-}
-
-signature s2b-1420-11 {
-  ip-proto == tcp
-  dst-port == 162
-  event "SNMP trap tcp"
-  tcp-state stateless
-  requires-reverse-signature snmp_tserver_ok_return
-}
-
-signature s2b-1421-11 {
-  ip-proto == tcp
-  dst-port == 705
-  event "SNMP AgentX/tcp request"
-  tcp-state stateless
-}
-
-signature s2b-1426-5 {
-  ip-proto == udp
-  dst-port == 161
-  event "SNMP PROTOS test-suite-req-app attempt"
-  payload /.*0&\x02\x01\x00\x04\x06public\xA0\x19\x02\x01\x00\x02\x01\x00\x02\x01\x000\x0E0\x0C\x06\x08\+\x06\x01\x02\x01\x01\x05\x00\x05\x00/
-  requires-reverse-signature snmp_userver_ok_return
-}
-
-signature s2b-1427-4 {
-  ip-proto == udp
-  dst-port == 162
-  event "SNMP PROTOS test-suite-trap-app attempt"
-  payload /.*08\x02\x01\x00\x04\x06public\xA4\+\x06/
-  requires-reverse-signature snmp_userver_ok_return
-}
-
-signature s2b-676-6 {
-  ip-proto == tcp
-  dst-port == 139
-  event "MS-SQL/SMB sp_start_job - program execution"
-  tcp-state established,originator
-  payload /.{31}[sS]\x00[pP]\x00_\x00[sS]\x00[tT]\x00[aA]\x00[rR]\x00[tT]\x00_\x00[jJ]\x00[oO]\x00[bB]\x00/
-}
-
-signature s2b-677-6 {
-  ip-proto == tcp
-  dst-port == 139
-  event "MS-SQL/SMB sp_password password change"
-  tcp-state established,originator
-  payload /.*[sS]\x00[pP]\x00_\x00[pP]\x00[aA]\x00[sS]\x00[sS]\x00[wW]\x00[oO]\x00[rR]\x00[dD]\x00/
-}
-
-signature s2b-678-6 {
-  ip-proto == tcp
-  dst-port == 139
-  event "MS-SQL/SMB sp_delete_alert log file deletion"
-  tcp-state established,originator
-  payload /.*[sS]\x00[pP]\x00_\x00[dD]\x00[eE]\x00[lL]\x00[eE]\x00[tT]\x00[eE]\x00_\x00[aA]\x00[lL]\x00[eE]\x00/
-}
-
-signature s2b-679-6 {
-  ip-proto == tcp
-  dst-port == 139
-  event "MS-SQL/SMB sp_adduser database user creation"
-  tcp-state established,originator
-  payload /.{31}[sS]\x00[pP]\x00_\x00[aA]\x00[dD]\x00[dD]\x00[uU]\x00[sS]\x00[eE]\x00[rR]\x00/
-}
-
-signature s2b-708-8 {
-  ip-proto == tcp
-  dst-port == 139
-  event "MS-SQL/SMB xp_enumresultset possible buffer overflow"
-  tcp-state established,originator
-  payload /.{31}.*[xX]\x00[pP]\x00_\x00[eE]\x00[nN]\x00[uU]\x00[mM]\x00[rR]\x00[eE]\x00[sS]\x00[uU]\x00[lL]\x00[tT]\x00[sS]\x00[eE]\x00[tT]\x00/
-}
-
-signature s2b-1386-8 {
-  ip-proto == tcp
-  dst-port == 139
-  event "MS-SQL/SMB raiserror possible buffer overflow"
-  tcp-state established,originator
-  payload /.{31}.*[rR]\x00[aA]\x00[iI]\x00[sS]\x00[eE]\x00[rR]\x00[rR]\x00[oO]\x00[rR]\x00/
-}
-
-signature s2b-702-8 {
-  ip-proto == tcp
-  dst-port == 139
-  event "MS-SQL/SMB xp_displayparamstmt possible buffer overflow"
-  tcp-state established,originator
-  payload /.{31}.*[xX]\x00[pP]\x00_\x00[dD]\x00[iI]\x00[sS]\x00[pP]\x00[lL]\x00[aA]\x00[yY]\x00[pP]\x00[aA]\x00[rR]\x00[aA]\x00[mM]\x00[sS]\x00[tT]\x00[mM]\x00[tT]\x00/
-}
-
-signature s2b-681-6 {
-  ip-proto == tcp
-  dst-port == 139
-  event "MS-SQL/SMB xp_cmdshell program execution"
-  tcp-state established,originator
-  payload /.{31}.*[xX]\x00[pP]\x00_\x00[cC]\x00[mM]\x00[dD]\x00[sS]\x00[hH]\x00[eE]\x00[lL]\x00[lL]\x00/
-}
-
-signature s2b-689-6 {
-  ip-proto == tcp
-  dst-port == 139
-  event "MS-SQL/SMB xp_reg* registry access"
-  tcp-state established,originator
-  payload /.{31}[xX]\x00[pP]\x00_\x00[rR]\x00[eE]\x00[gG]\x00/
-}
-
-signature s2b-690-7 {
-  ip-proto == tcp
-  dst-port == 139
-  event "MS-SQL/SMB xp_printstatements possible buffer overflow"
-  tcp-state established,originator
-  payload /.{31}.*[xX]\x00[pP]\x00_\x00[pP]\x00[rR]\x00[iI]\x00[nN]\x00[tT]\x00[sS]\x00[tT]\x00[aA]\x00[tT]\x00[eE]\x00[mM]\x00[eE]\x00[nN]\x00[tT]\x00[sS]\x00/
-}
-
-signature s2b-692-6 {
-  ip-proto == tcp
-  dst-port == 139
-  event "MS-SQL/SMB shellcode attempt"
-  tcp-state established,originator
-  payload /.*9 \xD0\x00\x92\x01\xC2\x00R\x00U\x009 \xEC\x00/
-}
-
-signature s2b-694-6 {
-  ip-proto == tcp
-  dst-port == 139
-  event "MS-SQL/SMB shellcode attempt"
-  tcp-state established,originator
-  payload /.*H\x00%\x00x\x00w\x00\x90\x00\x90\x00\x90\x00\x90\x00\x90\x003\x00\xC0\x00P\x00h\x00\.\x00/
-}
-
-signature s2b-695-7 {
-  ip-proto == tcp
-  dst-port == 139
-  event "MS-SQL/SMB xp_sprintf possible buffer overflow"
-  tcp-state established,originator
-  payload /.{31}.*[xX]\x00[pP]\x00_\x00[sS]\x00[pP]\x00[rR]\x00[iI]\x00[nN]\x00[tT]\x00[fF]\x00/
-}
-
-signature s2b-696-7 {
-  ip-proto == tcp
-  dst-port == 139
-  event "MS-SQL/SMB xp_showcolv possible buffer overflow"
-  tcp-state established,originator
-  payload /.{31}.*[xX]\x00[pP]\x00_\x00[sS]\x00[hH]\x00[oO]\x00[wW]\x00[cC]\x00[oO]\x00[lL]\x00[vV]\x00/
-}
-
-signature s2b-697-8 {
-  ip-proto == tcp
-  dst-port == 139
-  event "MS-SQL/SMB xp_peekqueue possible buffer overflow"
-  tcp-state established,originator
-  payload /.{31}.*[xX]\x00[pP]\x00_\x00[pP]\x00[eE]\x00[eE]\x00[kK]\x00[qQ]\x00[uU]\x00[eE]\x00[uU]\x00[eE]\x00/
-}
-
-signature s2b-698-8 {
-  ip-proto == tcp
-  dst-port == 139
-  event "MS-SQL/SMB xp_proxiedmetadata possible buffer overflow"
-  tcp-state established,originator
-  payload /.{31}.*[xX]\x00[pP]\x00_\x00[pP]\x00[rR]\x00[oO]\x00[xX]\x00[iI]\x00[eE]\x00[dD]\x00[mM]\x00[eE]\x00[tT]\x00[aA]\x00[dD]\x00[aA]\x00[tT]\x00[aA]\x00/
-}
-
-signature s2b-700-8 {
-  ip-proto == tcp
-  dst-port == 139
-  event "MS-SQL/SMB xp_updatecolvbm possible buffer overflow"
-  tcp-state established,originator
-  payload /.{31}.*[xX]\x00[pP]\x00_\x00[uU]\x00[pP]\x00[dD]\x00[aA]\x00[tT]\x00[eE]\x00[cC]\x00[oO]\x00[lL]\x00[vV]\x00[bB]\x00[mM]\x00/
-}
-
-signature s2b-673-5 {
-  ip-proto == tcp
-  dst-port == 1433
-  event "MS-SQL sp_start_job - program execution"
-  tcp-state established,originator
-  payload /.*[sS]\x00[pP]\x00_\x00[sS]\x00[tT]\x00[aA]\x00[rR]\x00[tT]\x00_\x00[jJ]\x00[oO]\x00[bB]\x00/
-}
-
-signature s2b-674-6 {
-  ip-proto == tcp
-  dst-port == 1433
-  event "MS-SQL xp_displayparamstmt possible buffer overflow"
-  tcp-state established,originator
-  payload /.*[xX]\x00[pP]\x00_\x00[dD]\x00[iI]\x00[sS]\x00[pP]\x00[lL]\x00[aA]\x00[yY]\x00[pP]\x00[aA]\x00[rR]\x00[aA]\x00[mM]\x00[sS]\x00[tT]\x00[mM]\x00[tT]/
-}
-
-signature s2b-675-6 {
-  ip-proto == tcp
-  dst-port == 1433
-  event "MS-SQL xp_setsqlsecurity possible buffer overflow"
-  tcp-state established,originator
-  payload /.*[xX]\x00[pP]\x00_\x00[sS]\x00[eE]\x00[tT]\x00[sS]\x00[qQ]\x00[lL]\x00[sS]\x00[eE]\x00[cC]\x00[uU]\x00[rR]\x00[iI]\x00[tT]\x00[yY]\x00/
-}
-
-signature s2b-682-6 {
-  ip-proto == tcp
-  dst-port == 1433
-  event "MS-SQL xp_enumresultset possible buffer overflow"
-  tcp-state established,originator
-  payload /.*[xX]\x00[pP]\x00_\x00[eE]\x00[nN]\x00[uU]\x00[mM]\x00[rR]\x00[eE]\x00[sS]\x00[uU]\x00[lL]\x00[tT]\x00[sS]\x00[eE]\x00[tT]\x00/
-}
-
-signature s2b-683-5 {
-  ip-proto == tcp
-  dst-port == 1433
-  event "MS-SQL sp_password - password change"
-  tcp-state established,originator
-  payload /.*[sS]\x00[pP]\x00_\x00[pP]\x00[aA]\x00[sS]\x00[sS]\x00[wW]\x00[oO]\x00[rR]\x00[dD]\x00/
-}
-
-signature s2b-684-5 {
-  ip-proto == tcp
-  dst-port == 1433
-  event "MS-SQL sp_delete_alert log file deletion"
-  tcp-state established,originator
-  payload /.*[sS]\x00[pP]\x00_\x00[dD]\x00[eE]\x00[lL]\x00[eE]\x00[tT]\x00[eE]\x00_\x00[aA]\x00[lL]\x00[eE]\x00[rR]\x00[tT]\x00/
-}
-
-signature s2b-685-5 {
-  ip-proto == tcp
-  dst-port == 1433
-  event "MS-SQL sp_adduser - database user creation"
-  tcp-state established,originator
-  payload /.*[sS]\x00[pP]\x00_\x00[aA]\x00[dD]\x00[dD]\x00[uU]\x00[sS]\x00[eE]\x00[rR]\x00/
-}
-
-signature s2b-686-5 {
-  ip-proto == tcp
-  dst-port == 1433
-  event "MS-SQL xp_reg* - registry access"
-  tcp-state established,originator
-  payload /.*[xX]\x00[pP]\x00_\x00[rR]\x00[eE]\x00[gG]\x00/
-}
-
-signature s2b-687-5 {
-  ip-proto == tcp
-  dst-port == 1433
-  event "MS-SQL xp_cmdshell - program execution"
-  tcp-state established,originator
-  payload /.*[xX]\x00[pP]\x00_\x00[cC]\x00[mM]\x00[dD]\x00[sS]\x00[hH]\x00[eE]\x00[lL]\x00[lL]\x00/
-}
-
-signature s2b-691-5 {
-  ip-proto == tcp
-  dst-port == 1433
-  event "MS-SQL shellcode attempt"
-  tcp-state established,originator
-  payload /.*9 \xD0\x00\x92\x01\xC2\x00R\x00U\x009 \xEC\x00/
-}
-
-signature s2b-693-5 {
-  ip-proto == tcp
-  dst-port == 1433
-  event "MS-SQL shellcode attempt"
-  tcp-state established,originator
-  payload /.*H\x00%\x00x\x00w\x00\x90\x00\x90\x00\x90\x00\x90\x00\x90\x003\x00\xC0\x00P\x00h\x00\.\x00/
-}
-
-signature s2b-699-7 {
-  ip-proto == tcp
-  dst-port == 1433
-  event "MS-SQL xp_printstatements possible buffer overflow"
-  tcp-state established,originator
-  payload /.*[xX]\x00[pP]\x00_\x00[pP]\x00[rR]\x00[iI]\x00[nN]\x00[tT]\x00[sS]\x00[tT]\x00[aA]\x00[tT]\x00[eE]\x00[mM]\x00[eE]\x00[nN]\x00[tT]\x00[sS]\x00/
-}
-
-signature s2b-701-7 {
-  ip-proto == tcp
-  dst-port == 1433
-  event "MS-SQL xp_updatecolvbm possible buffer overflow"
-  tcp-state established,originator
-  payload /.*[xX]\x00[pP]\x00_\x00[uU]\x00[pP]\x00[dD]\x00[aA]\x00[tT]\x00[eE]\x00[cC]\x00[oO]\x00[lL]\x00[vV]\x00[bB]\x00[mM]\x00/
-}
-
-signature s2b-704-6 {
-  ip-proto == tcp
-  dst-port == 1433
-  event "MS-SQL xp_sprintf possible buffer overflow"
-  tcp-state established,originator
-  payload /.*[xX]\x00[pP]\x00_\x00[sS]\x00[pP]\x00[rR]\x00[iI]\x00[nN]\x00[tT]\x00[fF]\x00/
-}
-
-signature s2b-705-7 {
-  ip-proto == tcp
-  dst-port == 1433
-  event "MS-SQL xp_showcolv possible buffer overflow"
-  tcp-state established,originator
-  payload /.*[xX]\x00[pP]\x00_\x00[sS]\x00[hH]\x00[oO]\x00[wW]\x00[cC]\x00[oO]\x00[lL]\x00[vV]\x00/
-}
-
-signature s2b-706-7 {
-  ip-proto == tcp
-  dst-port == 1433
-  event "MS-SQL xp_peekqueue possible buffer overflow"
-  tcp-state established,originator
-  payload /.*[xX]\x00[pP]\x00_\x00[pP]\x00[eE]\x00[eE]\x00[kK]\x00[qQ]\x00[uU]\x00[eE]\x00[uU]\x00[eE]\x00/
-}
-
-signature s2b-707-8 {
-  ip-proto == tcp
-  dst-port == 1433
-  event "MS-SQL xp_proxiedmetadata possible buffer overflow"
-  tcp-state established,originator
-  payload /.*[xX]\x00[pP]\x00_\x00[pP]\x00[rR]\x00[oO]\x00[xX]\x00[iI]\x00[eE]\x00[dD]\x00[mM]\x00[eE]\x00[tT]\x00[aA]\x00[dD]\x00[aA]\x00[tT]\x00[aA]\x00/
-}
-
-signature s2b-1387-7 {
-  ip-proto == tcp
-  dst-port == 1433
-  event "MS-SQL raiserror possible buffer overflow"
-  tcp-state established,originator
-  payload /.*[rR]\x00[aA]\x00[iI]\x00[sS]\x00[eE]\x00[rR]\x00[rR]\x00[oO]\x00[rR]\x00/
-}
-
-signature s2b-1759-5 {
-  ip-proto == tcp
-  dst-port == 445
-  event "MS-SQL xp_cmdshell program execution 445"
-  tcp-state established,originator
-  payload /.*[xX]\x00[pP]\x00_\x00[cC]\x00[mM]\x00[dD]\x00[sS]\x00[hH]\x00[eE]\x00[lL]\x00[lL]\x00/
-}
-
-signature s2b-688-6 {
-  ip-proto == tcp
-  src-port == 1433
-  event "MS-SQL sa login failed"
-  tcp-state established,responder
-  payload /.*Login failed for user 'sa'/
-}
-
-signature s2b-680-6 {
-  ip-proto == tcp
-  src-port == 139
-  event "MS-SQL/SMB sa login failed"
-  tcp-state established,responder
-  payload /.{82}.*Login failed for user 'sa'/
-}
-
-signature s2b-2050-5 {
-  ip-proto == udp
-  dst-port == 1434
-  payload-size > 100
-  event "MS-SQL version overflow attempt"
-  payload /\x04/
-}
-
-signature s2b-2329-6 {
-  ip-proto == udp
-  dst-port == 1434
-  dst-ip == local_nets
-  # Not supported: byte_test: 2,>,512,1
-  event "MS-SQL probe response overflow attempt"
-  # Not supported: isdataat: 512,relative
-  payload /\x05.*.*\x3B[^\x3B]{512}/
-}
-
-signature s2b-1430-7 {
-  ip-proto == tcp
-  dst-port == 23
-  event "TELNET Solaris memory mismanagement exploit attempt"
-  tcp-state established,originator
-  payload /.*\xA0\x23\xA0\x10\xAE\x23\x80\x10\xEE\x23\xBF\xEC\x82\x05\xE0\xD6\x90%\xE0/
-}
-
-signature s2b-711-5 {
-  ip-proto == tcp
-  dst-port == 23
-  event "TELNET SGI telnetd format bug"
-  tcp-state established,originator
-  payload /.*_RLD/
-  payload /.*bin\/sh/
-}
-
-signature s2b-712-8 {
-  ip-proto == tcp
-  dst-port == 23
-  event "TELNET ld_library_path"
-  tcp-state established,originator
-  payload /.*ld_library_path/
-}
-
-signature s2b-714-4 {
-  ip-proto == tcp
-  dst-port == 23
-  event "TELNET resolv_host_conf"
-  tcp-state established,originator
-  payload /.*resolv_host_conf/
-}
-
-signature s2b-715-6 {
-  ip-proto == tcp
-  src-port == 23
-  event "TELNET Attempted SU from wrong group"
-  tcp-state established,responder
-  payload /.*[tT][oO] [sS][uU] [rR][oO][oO][tT]/
-}
-
-signature s2b-717-6 {
-  ip-proto == tcp
-  src-port == 23
-  event "TELNET not on console"
-  tcp-state established,responder
-  payload /.*[nN][oO][tT] [oO][nN] [sS][yY][sS][tT][eE][mM] [cC][oO][nN][sS][oO][lL][eE]/
-}
-
-signature s2b-718-7 {
-  ip-proto == tcp
-  src-port == 23
-  event "TELNET login incorrect"
-  tcp-state established,responder
-  payload /.*Login incorrect/
-}
-
-signature s2b-719-7 {
-  ip-proto == tcp
-  src-port == 23
-  event "TELNET root login"
-  tcp-state established,responder
-  payload /.*login\x3A root/
-}
-
-signature s2b-1252-13 {
-  ip-proto == tcp
-  src-port == 23
-  event "TELNET bsd telnet exploit response"
-  tcp-state established,responder
-  payload /.*\x0D\x0A\[Yes\]\x0D\x0A\xFF\xFE\x08\xFF\xFD&/
-}
-
-signature s2b-1253-11 {
-  ip-proto == tcp
-  dst-port == 23
-  payload-size > 200
-  event "TELNET bsd exploit client finishing"
-  tcp-state established,responder
-  payload /.{199}\xFF\xF6\xFF\xF6\xFF\xFB\x08\xFF\xF6/
-}
-
-signature s2b-709-7 {
-  ip-proto == tcp
-  dst-port == 23
-  event "TELNET 4Dgifts SGI account attempt"
-  tcp-state established,originator
-  payload /.*4Dgifts/
-}
-
-signature s2b-710-7 {
-  ip-proto == tcp
-  dst-port == 23
-  event "TELNET EZsetup account attempt"
-  tcp-state established,originator
-  payload /.*OutOfBox/
-}
-
-signature s2b-2406-1 {
-  ip-proto == tcp
-  dst-port == 23
-  event "TELNET APC SmartSlot default admin account attempt"
-  tcp-state established,originator
-  payload /.*TENmanUFactOryPOWER/
-}
-
-signature s2b-1941-8 {
-  ip-proto == udp
-  dst-port == 69
-  event "TFTP GET filename overflow attempt"
-  payload /\x00\x01[^\x00]{100}/
-}
-
-signature s2b-2337-7 {
-  ip-proto == udp
-  dst-port == 69
-  event "TFTP PUT filename overflow attempt"
-  payload /\x00\x02[^\x00]{100}/
-}
-
-signature s2b-1289-4 {
-  ip-proto == udp
-  dst-port == 69
-  event "TFTP GET Admin.dll"
-  payload /\x00\x01/
-  payload /.{1}.*[aA][dD][mM][iI][nN]\.[dD][lL][lL]/
-}
-
-signature s2b-1441-4 {
-  ip-proto == udp
-  dst-port == 69
-  event "TFTP GET nc.exe"
-  payload /\x00\x01/
-  payload /.{1}.*[nN][cC]\.[eE][xX][eE]/
-}
-
-signature s2b-1442-4 {
-  ip-proto == udp
-  dst-port == 69
-  event "TFTP GET shadow"
-  payload /\x00\x01/
-  payload /.{1}.*[sS][hH][aA][dD][oO][wW]/
-}
-
-signature s2b-1443-4 {
-  ip-proto == udp
-  dst-port == 69
-  event "TFTP GET passwd"
-  payload /\x00\x01/
-  payload /.{1}.*[pP][aA][sS][sS][wW][dD]/
-}
-
-signature s2b-519-6 {
-  ip-proto == udp
-  dst-port == 69
-  event "TFTP parent directory"
-  payload /.{1}.*\.\./
-}
-
-signature s2b-520-5 {
-  ip-proto == udp
-  dst-port == 69
-  event "TFTP root directory"
-  payload /\x00\x01\//
-}
-
-signature s2b-518-6 {
-  ip-proto == udp
-  dst-port == 69
-  event "TFTP Put"
-  payload /\x00\x02/
-}
-
-signature s2b-1444-3 {
-  ip-proto == udp
-  dst-port == 69
-  event "TFTP Get"
-  payload /\x00\x01/
-}
-
-signature s2b-2339-2 {
-  ip-proto == udp
-  dst-port == 69
-  event "TFTP NULL command attempt"
-  payload /\x00\x00/
-}
-
-signature s2b-1328-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-ATTACKS ps command attempt"
-  http /.*[\/\\]bin[\/\\]ps([^_a-zA-Z0-9.\/-]|$)/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1330-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-ATTACKS wget command attempt"
-  tcp-state established,originator
-  payload /.*[wW][gG][eE][tT]%20/
-  requires-reverse-signature ! http_error
-  # would like to inspect contents of reply
-}
-
-signature s2b-1331-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-ATTACKS uname -a command attempt"
-  tcp-state established,originator
-  payload /.*[uU][nN][aA][mM][eE]%20-[aA]/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1332-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-ATTACKS /usr/bin/id command attempt"
-  tcp-state established,originator
-  payload /.*\/[uU][sS][rR]\/[bB][iI][nN]\/[iI][dD]/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1333-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-ATTACKS id command attempt"
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-  http /.*;[iI][dD]([;|\x20\x09\x0b]|$)./
-}
-
-signature s2b-1334-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-ATTACKS echo command attempt"
-  tcp-state established,originator
-  payload /.*\/[bB][iI][nN]\/[eE][cC][hH][oO]/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1335-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-ATTACKS kill command attempt"
-  tcp-state established,originator
-  payload /.*\/[bB][iI][nN]\/[kK][iI][lL][lL]/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1336-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-ATTACKS chmod command attempt"
-  tcp-state established,originator
-  http /.*\/[cC][hH][mM][oO][dD]([^-a-zA-Z0-9_.]|$)/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1337-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-ATTACKS chgrp command attempt"
-  tcp-state established,originator
-  http /.*\/[cC][hH][gG][rR][pP]([^-a-zA-Z0-9_.]|$)/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1338-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-ATTACKS chown command attempt"
-  tcp-state established,originator
-  http /.*\/[cC][hH][oO][wW][nN]([^-a-zA-Z0-9_.]|$)/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1339-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-ATTACKS chsh command attempt"
-  tcp-state established,originator
-  payload /.*\/[uU][sS][rR]\/[bB][iI][nN]\/[cC][hH][sS][hH]/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1340-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-ATTACKS tftp command attempt"
-  tcp-state established,originator
-  payload /.*[tT][fF][tT][pP]%20/
-  requires-signature ! http_cool_dll
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1341-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-ATTACKS /usr/bin/gcc command attempt"
-  tcp-state established,originator
-  payload /.*\/[uU][sS][rR]\/[bB][iI][nN]\/[gG][cC][cC]/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1342-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-ATTACKS gcc command attempt"
-  tcp-state established,originator
-  payload /.*[gG][cC][cC]%20-[oO]/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1343-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-ATTACKS /usr/bin/cc command attempt"
-  tcp-state established,originator
-  payload /.*\/[uU][sS][rR]\/[bB][iI][nN]\/[cC][cC]/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1344-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-ATTACKS cc command attempt"
-  tcp-state established,originator
-  payload /.*[cC][cC]%20/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1345-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-ATTACKS /usr/bin/cpp command attempt"
-  tcp-state established,originator
-  payload /.*\/[uU][sS][rR]\/[bB][iI][nN]\/[cC][pP][pP]/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1347-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-ATTACKS /usr/bin/g++ command attempt"
-  tcp-state established,originator
-  payload /.*\/[uU][sS][rR]\/[bB][iI][nN]\/[gG]\+\+/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1348-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-ATTACKS g++ command attempt"
-  tcp-state established,originator
-  payload /.*[gG]\+\+%20/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1351-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-ATTACKS bin/tclsh execution attempt"
-  tcp-state established,originator
-  payload /.*[bB][iI][nN]\/[tT][cC][lL][sS][hH]/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1352-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-ATTACKS tclsh execution attempt"
-  tcp-state established,originator
-  payload /.*[tT][cC][lL][sS][hH]8%20/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1353-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-ATTACKS bin/nasm command attempt"
-  tcp-state established,originator
-  payload /.*[bB][iI][nN]\/[nN][aA][sS][mM]/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1354-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-ATTACKS nasm command attempt"
-  tcp-state established,originator
-  payload /.*[nN][aA][sS][mM]%20/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1355-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-ATTACKS /usr/bin/perl execution attempt"
-  tcp-state established,originator
-  payload /.*\/[uU][sS][rR]\/[bB][iI][nN]\/[pP][eE][rR][lL]/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1356-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-ATTACKS perl execution attempt"
-  tcp-state established,originator
-  payload /.*[pP][eE][rR][lL]%20/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1357-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-ATTACKS nt admin addition attempt"
-  tcp-state established,originator
-  payload /.*[nN][eE][tT] [lL][oO][cC][aA][lL][gG][rR][oO][uU][pP] [aA][dD][mM][iI][nN][iI][sS][tT][rR][aA][tT][oO][rR][sS] \/[aA][dD][dD]/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1358-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-ATTACKS traceroute command attempt"
-  tcp-state established,originator
-  payload /.*[tT][rR][aA][cC][eE][rR][oO][uU][tT][eE]%20/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1359-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-ATTACKS ping command attempt"
-  tcp-state established,originator
-  payload /.*\/[bB][iI][nN]\/[pP][iI][nN][gG]/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1360-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-ATTACKS netcat command attempt"
-  tcp-state established,originator
-  payload /.*[nN][cC]%20/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1361-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-ATTACKS nmap command attempt"
-  tcp-state established,originator
-  payload /.*[nN][mM][aA][pP]%20/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1362-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-ATTACKS xterm command attempt"
-  tcp-state established,originator
-  payload /.*\/[uU][sS][rR]\/[xX]11[rR]6\/[bB][iI][nN]\/[xX][tT][eE][rR][mM]/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1363-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-ATTACKS X application to remote host attempt"
-  tcp-state established,originator
-  payload /.*%20-[dD][iI][sS][pP][lL][aA][yY]%20/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1364-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-ATTACKS lsof command attempt"
-  tcp-state established,originator
-  payload /.*[lL][sS][oO][fF]%20/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1365-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-ATTACKS rm command attempt"
-  tcp-state established,originator
-  payload /.*[rR][mM]%20/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1366-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-ATTACKS mail command attempt"
-  tcp-state established,originator
-  payload /.*\/[bB][iI][nN]\/[mM][aA][iI][lL]/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1367-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-ATTACKS mail command attempt"
-  tcp-state established,originator
-  payload /.*[mM][aA][iI][lL]%20/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1368-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-ATTACKS /bin/ls| command attempt"
-  http /.*[\/\\]bin[\/\\]ls\x7C/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1369-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-ATTACKS /bin/ls command attempt"
-  http /.*[\/\\]bin[\/\\]ls[^a-zA-Z0-9_.-]/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1370-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-ATTACKS /etc/inetd.conf access"
-  tcp-state established,originator
-  payload /.*\/[eE][tT][cC]\/[iI][nN][eE][tT][dD]\.[cC][oO][nN][fF]/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1372-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-ATTACKS /etc/shadow access"
-  tcp-state established,originator
-  payload /.*\/[eE][tT][cC]\/[sS][hH][aA][dD][oO][wW].{1,}root:/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1373-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-ATTACKS conf/httpd.conf attempt"
-  tcp-state established,originator
-  payload /.*[cC][oO][nN][fF]\/[hH][tT][tT][pP][dD]\.[cC][oO][nN][fF]/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1374-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-ATTACKS .htgroup access"
-  http /.*\.htgroup[\x20\x09\x0b]*$/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-803-9 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI HyperSeek hsx.cgi directory traversal attempt"
-  http /.*[\/\\]hsx\.cgi/
-  tcp-state established,originator
-  payload /.*\.\.\/\.\.\/.{1}.*%00/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-804-9 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI SWSoft ASPSeek Overflow attempt"
-  http /.*[\/\\]s\.cgi/
-  tcp-state established,originator
-  payload /.*[tT][mM][pP][lL]=/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-806-11 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI yabb directory traversal attempt"
-  http /.*[\/\\]YaBB/
-  tcp-state established,originator
-  payload /.*\.\.\//
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-809-11 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI whois_raw.cgi arbitrary command execution attempt"
-  http /.*[\/\\]whois_raw\.cgi\?/
-  tcp-state established,originator
-  payload /.*\x0A/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-810-11 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI whois_raw.cgi access"
-  http /.*[\/\\]whois_raw\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-813-9 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI webplus directory traversal"
-  http /.*[\/\\]webplus\?script/
-  tcp-state established,originator
-  payload /.*\.\.\//
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1571-8 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI dcforum.cgi directory traversal attempt"
-  http /.*[\/\\]dcforum\.cgi/
-  tcp-state established,originator
-  payload /.*forum=\.\.\/\.\./
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-817-10 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI dcboard.cgi invalid user addition attempt"
-  http /.*[\/\\]dcboard\.cgi/
-  tcp-state established,originator
-  payload /.*command=register/
-  payload /.*%7cadmin/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1410-9 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI dcboard.cgi access"
-  http /.*[\/\\]dcboard\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-820-9 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI anaconda directory transversal attempt"
-  http /.*[\/\\]apexec\.pl/
-  tcp-state established,originator
-  payload /.*[tT][eE][mM][pP][lL][aA][tT][eE]=\.\.\//
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-821-12 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI imagemap.exe overflow attempt"
-  http /.*[\/\\]imagemap\.exe\?/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1608-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI htmlscript attempt"
-  http /.*[\/\\]htmlscript\?\.\.[\/\\]\.\./
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-826-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI htmlscript access"
-  http /.*[\/\\]htmlscript/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-827-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI info2www access"
-  http /.*[\/\\]info2www/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-828-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI maillist.pl access"
-  http /.*[\/\\]maillist\.pl/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-829-9 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI nph-test-cgi access"
-  http /.*[\/\\]nph-test-cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1451-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI NPH-publish access"
-  http /.*[\/\\]nph-maillist\.pl/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-833-8 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI rguest.exe access"
-  http /.*[\/\\]rguest\.exe/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-834-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI rwwwshell.pl access"
-  http /.*[\/\\]rwwwshell\.pl/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1644-8 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI test-cgi attempt"
-  http /.*[\/\\]test-cgi[\/\\]\*\?\*/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-835-9 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI test-cgi access"
-  http /.*[\/\\]test-cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1645-6 {
-  ip-proto == tcp
-  dst-ip == local_nets
-  dst-port == http_ports
-  event "WEB-CGI testcgi access"
-  http /.*[\/\\]testcgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1646-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI test.cgi access"
-  http /.*[\/\\]test\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-836-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI textcounter.pl access"
-  http /.*[\/\\]textcounter\.pl/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-837-8 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI uploader.exe access"
-  http /.*[\/\\]uploader\.exe/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-838-9 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI webgais access"
-  http /.*[\/\\]webgais/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-840-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI perlshop.cgi access"
-  http /.*[\/\\]perlshop\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-841-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI pfdisplay.cgi access"
-  http /.*[\/\\]pfdisplay\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-842-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI aglimpse access"
-  http /.*[\/\\]aglimpse/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-843-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI anform2 access"
-  http /.*[\/\\]AnForm2/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-844-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI args.bat access"
-  http /.*[\/\\]args\.bat/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1452-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI args.cmd access"
-  http /.*[\/\\]args\.cmd/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-845-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI AT-admin.cgi access"
-  http /.*[\/\\]AT-admin\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1453-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI AT-generated.cgi access"
-  http /.*[\/\\]AT-generated\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-846-8 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI bnbform.cgi access"
-  http /.*[\/\\]bnbform\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-847-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI campas access"
-  http /.*[\/\\]campas/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-848-9 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI view-source directory traversal"
-  http /.*[\/\\]view-source/
-  tcp-state established,originator
-  payload /.*\.\.\//
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-850-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI wais.pl access"
-  http /.*[\/\\]wais\.pl/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1454-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI wwwwais access"
-  http /.*[\/\\]wwwwais/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-851-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI files.pl access"
-  http /.*[\/\\]files\.pl/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-852-8 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI wguest.exe access"
-  http /.*[\/\\]wguest\.exe/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-854-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI classifieds.cgi access"
-  http /.*[\/\\]classifieds\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-856-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI environ.cgi access"
-  http /.*[\/\\]environ\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-857-10 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI faxsurvey access"
-  http /.*[\/\\]faxsurvey/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-858-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI filemail access"
-  http /.*[\/\\]filemail\.pl/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-859-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI man.sh access"
-  http /.*[\/\\]man\.sh/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-860-8 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI snork.bat access"
-  http /.*[\/\\]snork\.bat/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-861-12 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI w3-msql access"
-  http /.*[\/\\]w3-msql[\/\\]/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-863-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI day5datacopier.cgi access"
-  http /.*[\/\\]day5datacopier\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-864-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI day5datanotifier.cgi access"
-  http /.*[\/\\]day5datanotifier\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-866-8 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI post-query access"
-  http /.*[\/\\]post-query/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-867-9 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI visadmin.exe access"
-  http /.*[\/\\]visadmin\.exe/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-869-8 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI dumpenv.pl access"
-  http /.*[\/\\]dumpenv\.pl/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1536-8 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI calendar_admin.pl arbitrary command execution attempt"
-  http /.*[\/\\]calendar_admin\.pl\?config=\x7C/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1537-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI calendar_admin.pl access"
-  http /.*[\/\\]calendar_admin\.pl/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1701-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI calendar-admin.pl access"
-  http /.*[\/\\]calendar-admin\.pl/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1457-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI user_update_admin.pl access"
-  http /.*[\/\\]user_update_admin\.pl/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1458-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI user_update_passwd.pl access"
-  http /.*[\/\\]user_update_passwd\.pl/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-870-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI snorkerz.cmd access"
-  http /.*[\/\\]snorkerz\.cmd/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-871-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI survey.cgi access"
-  http /.*[\/\\]survey\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-875-9 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI win-c-sample.exe access"
-  http /.*[\/\\]win-c-sample\.exe/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-878-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI w3tvars.pm access"
-  http /.*[\/\\]w3tvars\.pm/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-879-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI admin.pl access"
-  http /.*[\/\\]admin\.pl/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-880-8 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI LWGate access"
-  http /.*[\/\\]LWGate/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-881-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI archie access"
-  http /.*[\/\\]archie/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-883-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI flexform access"
-  http /.*[\/\\]flexform/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1610-11 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI formmail arbitrary command execution attempt"
-  http /.*[\/\\]formmail{0,5}\?/
-  tcp-state established,originator
-  payload /.*%0[aA]/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-884-14 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI formmail access"
-  http /.*[\/\\]formmail{0,5}\?/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1762-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI phf arbitrary command execution attempt"
-  http /.*[\/\\]phf/
-  tcp-state established,originator
-  payload /.*[qQ][aA][lL][iI][aA][sS]/
-  payload /.*%0a\//
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-887-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI www-sql access"
-  http /.*[\/\\]www-sql/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-888-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI wwwadmin.pl access"
-  http /.*[\/\\]wwwadmin\.pl/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-889-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI ppdscgi.exe access"
-  http /.*[\/\\]ppdscgi\.exe/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-890-10 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI sendform.cgi access"
-  http /.*[\/\\]sendform\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-891-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI upload.pl access"
-  http /.*[\/\\]upload\.pl/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-892-8 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI AnyForm2 access"
-  http /.*[\/\\]AnyForm2/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-893-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI MachineInfo access"
-  http /.*[\/\\]MachineInfo/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1531-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI bb-hist.sh attempt"
-  http /.*[\/\\]bb-hist\.sh\?HISTFILE=\.\.[\/\\]\.\./
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-894-8 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI bb-hist.sh access"
-  http /.*[\/\\]bb-hist\.sh/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1459-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI bb-histlog.sh access"
-  http /.*[\/\\]bb-histlog\.sh/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1460-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI bb-histsvc.sh access"
-  http /.*[\/\\]bb-histsvc\.sh/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1532-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI bb-hostscv.sh attempt"
-  http /.*[\/\\]bb-hostsvc\.sh\?HOSTSVC\?\.\.[\/\\]\.\./
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1533-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI bb-hostscv.sh access"
-  http /.*[\/\\]bb-hostsvc\.sh/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1461-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI bb-rep.sh access"
-  http /.*[\/\\]bb-rep\.sh/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1462-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI bb-replog.sh access"
-  http /.*[\/\\]bb-replog\.sh/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1397-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI wayboard attempt"
-  http /.*[\/\\]way-board[\/\\]way-board\.cgi/
-  tcp-state established,originator
-  payload /.*db=/
-  payload /.*\.\.\/\.\./
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-896-11 {
-  ip-proto == tcp
-  dst-port == http_ports
-  dst-ip == local_nets
-  event "WEB-CGI way-board access"
-  http /.*[\/\\]way-board\?db\=.{2,}\x00/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1222-9 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI pals-cgi arbitrary file access attempt"
-  http /.*[\/\\]pals-cgi/
-  tcp-state established,originator
-  payload /.*[dD][oO][cC][uU][mM][eE][nN][tT][nN][aA][mM][eE]=/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-897-10 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI pals-cgi access"
-  http /.*[\/\\]pals-cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1572-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI commerce.cgi arbitrary file access attempt"
-  http /.*[\/\\]commerce\.cgi/
-  tcp-state established,originator
-  payload /.*page=/
-  payload /.*\/\.\.\//
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-898-9 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI commerce.cgi access"
-  http /.*[\/\\]commerce\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-899-8 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI Amaya templates sendtemp.pl directory traversal attempt"
-  http /.*[\/\\]sendtemp\.pl/
-  tcp-state established,originator
-  payload /.*[tT][eE][mM][pP][lL]=/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-901-10 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI webspirs.cgi access"
-  http /.*[\/\\]webspirs\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-902-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI tstisapi.dll access"
-  http /.*tstisapi\.dll/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1308-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI sendmessage.cgi access"
-  http /.*[\/\\]sendmessage\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1392-10 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI lastlines.cgi access"
-  http /.*[\/\\]lastlines\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1395-8 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI zml.cgi attempt"
-  http /.*[\/\\]zml\.cgi/
-  tcp-state established,originator
-  payload /.*file=\.\.\//
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1396-8 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI zml.cgi access"
-  http /.*[\/\\]zml\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1534-8 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI agora.cgi attempt"
-  http /.*[\/\\]store[\/\\]agora\.cgi\?cart_id=<SCRIPT>/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1406-11 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI agora.cgi access"
-  http /.*[\/\\]store[\/\\]agora\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-877-8 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI rksh access"
-  http /.*[\/\\]rksh/
-  tcp-state established,originator
-  requires-signature ! http_shell_check
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1648-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI perl.exe command attempt"
-  http /.*[\/\\]perl\.exe\?/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-832-11 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI perl.exe access"
-  http /.*[\/\\]perl\.exe/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1649-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI perl command attempt"
-  http /.*[\/\\]perl\?/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1309-9 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI zsh access"
-  http /.*[\/\\]zsh/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-862-9 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI csh access"
-  http /.*[\/\\]csh/
-  tcp-state established,originator
-  requires-signature ! http_shell_check
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-872-9 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI tcsh access"
-  http /.*[\/\\]tcsh/
-  tcp-state established,originator
-  requires-signature ! http_shell_check
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-868-9 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI rsh access"
-  http /.*[\/\\]rsh/
-  tcp-state established,originator
-  requires-signature ! http_shell_check
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-865-8 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI ksh access"
-  http /.*[\/\\]ksh/
-  tcp-state established,originator
-  requires-signature ! http_shell_check
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1703-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI auktion.cgi directory traversal attempt"
-  http /.*[\/\\]auktion\.cgi/
-  tcp-state established,originator
-  payload /.*[mM][eE][nN][uU][eE]=\.\.\/\.\.\//
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1465-8 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI auktion.cgi access"
-  http /.*[\/\\]auktion\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1573-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI cgiforum.pl attempt"
-  http /.*[\/\\]cgiforum\.pl\?thesection=\.\.[\/\\]\.\./
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1466-8 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI cgiforum.pl access"
-  http /.*[\/\\]cgiforum\.pl/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1574-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI directorypro.cgi attempt"
-  http /.*[\/\\]directorypro\.cgi/
-  tcp-state established,originator
-  payload /.*show=.{1}.*\.\.\/\.\./
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1467-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI directorypro.cgi access"
-  http /.*[\/\\]directorypro\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1468-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI Web Shopper shopper.cgi attempt"
-  http /.*[\/\\]shopper\.cgi/
-  tcp-state established,originator
-  payload /.*[nN][eE][wW][pP][aA][gG][eE]=\.\.\//
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1469-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI Web Shopper shopper.cgi access"
-  http /.*[\/\\]shopper\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1470-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI listrec.pl access"
-  http /.*[\/\\]listrec\.pl/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1471-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI mailnews.cgi access"
-  http /.*[\/\\]mailnews\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1879-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  dst-ip == local_nets
-  event "WEB-CGI book.cgi arbitrary command execution attempt"
-  http /.*[\/]book.cgi\?.{1,}\|.{2,}\|/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1473-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI newsdesk.cgi access"
-  http /.*[\/\\]newsdesk\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1704-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI cal_make.pl directory traversal attempt"
-  http /.*[\/\\]cal_make\.pl/
-  tcp-state established,originator
-  payload /.*[pP]0=\.\.\/\.\.\//
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1474-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI cal_make.pl access"
-  http /.*[\/\\]cal_make\.pl.{1,}(\.\.\/){2,}/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1475-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI mailit.pl access"
-  http /.*[\/\\]mailit\.pl/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1476-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI sdbsearch.cgi access"
-  http /.*[\/\\]sdbsearch\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1478-3 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI swc access"
-  http /.*[\/\\]swc/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1479-8 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI ttawebtop.cgi arbitrary file attempt"
-  http /.*[\/\\]ttawebtop\.cgi/
-  tcp-state established,originator
-  payload /.*[pP][gG]=\.\.\//
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1480-9 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI ttawebtop.cgi access"
-  http /.*[\/\\]ttawebtop\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1481-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI upload.cgi access"
-  http /.*[\/\\]upload\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1482-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI view_source access"
-  http /.*[\/\\]view_source/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1730-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI ustorekeeper.pl directory traversal attempt"
-  http /.*[\/\\]ustorekeeper\.pl/
-  tcp-state established,originator
-  payload /.*[fF][iI][lL][eE]=\.\.\/\.\.\//
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1483-9 {
-  ip-proto == tcp
-  dst-port == http_ports
-  dst-ip == local_nets
-  event "WEB-CGI ustorekeeper.pl access"
-  http /.*[\/\\]ustorekeeper\.pl/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1617-8 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI Bugzilla doeditvotes.cgi access"
-  http /.*[\/\\]doeditvotes\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1600-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI htsearch arbitrary configuration file attempt"
-  http /.*[\/\\]htsearch\?-c/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1601-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI htsearch arbitrary file read attempt"
-  http /.*[\/\\]htsearch\?exclude=`/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1602-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI htsearch access"
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-  http /.*[\/\\]htsearch\x3f.*\x3d[\x22\x60].*[\x22\x60].* /
-}
-
-signature s2b-1501-8 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI a1stats a1disp3.cgi directory traversal attempt"
-  http /.*[\/\\]a1disp3\.cgi\?[\/\\]\.\.[\/\\]\.\.[\/\\]/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1502-8 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI a1stats a1disp3.cgi access"
-  http /.*[\/\\]a1disp3\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1731-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI a1stats access"
-  http /.*[\/\\]a1stats[\/\\]/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1503-8 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI admentor admin.asp access"
-  http /.*[\/\\]admentor[\/\\]admin[\/\\]admin\.asp/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1505-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI alchemy http server PRN arbitrary command execution attempt"
-  http /.*[\/\\]PRN[\/\\]\.\.[\/\\]\.\.[\/\\]/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1506-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI alchemy http server NUL arbitrary command execution attempt"
-  http /.*[\/\\]NUL[\/\\]\.\.[\/\\]\.\.[\/\\]/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1507-9 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI alibaba.pl arbitrary command execution attempt"
-  http /.*[\/\\]alibaba\.pl\x7C/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1508-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI alibaba.pl access"
-  http /.*[\/\\]alibaba\.pl/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1509-9 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI AltaVista Intranet Search directory traversal attempt"
-  http /.*[\/\\]query\?mss=\.\./
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1510-9 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI test.bat arbitrary command execution attempt"
-  http /.*[\/\\]test\.bat\x7C/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1511-9 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI test.bat access"
-  http /.*[\/\\]test\.bat/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1512-9 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI input.bat arbitrary command execution attempt"
-  http /.*[\/\\]input\.bat\x7C/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1513-9 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI input.bat access"
-  http /.*[\/\\]input\.bat/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1514-9 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI input2.bat arbitrary command execution attempt"
-  http /.*[\/\\]input2\.bat\x7C/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1515-9 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI input2.bat access"
-  http /.*[\/\\]input2\.bat/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1516-10 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI envout.bat arbitrary command execution attempt"
-  http /.*[\/\\]envout\.bat\x7C/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1517-9 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI envout.bat access"
-  http /.*[\/\\]envout\.bat/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1705-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI echo.bat arbitrary command execution attempt"
-  http /.*[\/\\]echo\.bat/
-  tcp-state established,originator
-  payload /.*&/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1706-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI echo.bat access"
-  http /.*[\/\\]echo\.bat/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1707-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI hello.bat arbitrary command execution attempt"
-  http /.*[\/\\]hello\.bat/
-  tcp-state established,originator
-  payload /.*&/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1708-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI hello.bat access"
-  http /.*[\/\\]hello\.bat/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1650-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI tst.bat access"
-  http /.*[\/\\]tst\.bat/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1542-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI cgimail access"
-  http /.*[\/\\]cgimail/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1547-11 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI csSearch.cgi arbitrary command execution attempt"
-  http /.*[\/\\]csSearch\.cgi/
-  tcp-state established,originator
-  payload /.*setup=/
-  payload /.*`.{1}.*`/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1548-9 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI csSearch.cgi access"
-  http /.*[\/\\]csSearch\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-  eval isApacheLt1325
-}
-
-signature s2b-1553-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI /cart/cart.cgi access"
-  http /.*[\/\\]cart[\/\\]cart\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1554-9 {
-  ip-proto == tcp
-  dst-port == http_ports
-  dst-ip == local_nets
-  event "WEB-CGI dbman db.cgi access"
-  http /.*[\/\\]dbman[\/\\]db\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1555-7 {
-  ip-proto == tcp
-  dst-ip == local_nets
-  dst-port == http_ports
-  event "WEB-CGI DCShop access"
-  http /.*[\/\\]dcshop/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1556-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI DCShop orders.txt access"
-  http /.*[\/\\]orders[\/\\]orders\.txt/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1557-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI DCShop auth_user_file.txt access"
-  http /.*[\/\\]auth_data[\/\\]auth_user_file\.txt/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1565-8 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI eshop.pl arbitrary commane execution attempt"
-  http /.*[\/\\]eshop\.pl\?seite=\x3B/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1566-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI eshop.pl access"
-  http /.*[\/\\]eshop\.pl/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1569-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI loadpage.cgi directory traversal attempt"
-  http /.*[\/\\]loadpage\.cgi/
-  tcp-state established,originator
-  payload /.*[fF][iI][lL][eE]=\.\.\//
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1570-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  dst-ip == local_nets
-  event "WEB-CGI loadpage.cgi access"
-  http /.*[\/\\]loadpage\.cgi\?{1,}\//
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1590-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI faqmanager.cgi arbitrary file access attempt"
-  http /.*[\/\\]faqmanager\.cgi\?toc=/
-  http /.*\x00/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1591-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI faqmanager.cgi access"
-  http /.*[\/\\]faqmanager\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1592-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI /fcgi-bin/echo.exe access"
-  http /.*[\/\\]fcgi-bin[\/\\]echo\.exe/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1628-10 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI FormHandler.cgi directory traversal attempt attempt"
-  http /.*[\/\\]FormHandler\.cgi/
-  tcp-state established,originator
-  payload /.*[rR][eE][pP][lL][yY]_[mM][eE][sS][sS][aA][gG][eE]_[aA][tT][tT][aA][cC][hH]=/
-  payload /.*\/\.\.\//
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1593-10 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI FormHandler.cgi external site redirection attempt"
-  http /.*[\/\\]FormHandler\.cgi/
-  tcp-state established,originator
-  payload /.*[rR][eE][dD][iI][rR][eE][cC][tT]=[hH][tT][tT][pP]/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1594-10 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI FormHandler.cgi access"
-  http /.*[\/\\]FormHandler\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1598-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI Home Free search.cgi directory traversal attempt"
-  http /.*[\/\\]search\.cgi/
-  tcp-state established,originator
-  payload /.*[lL][eE][tT][tT][eE][rR]=\.\.\/\.\./
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1599-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI search.cgi access"
-  http /.*[\/\\]search\.cgi\?.*letter\=[^&]*?\.\.[\/\\]/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1651-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI enivorn.pl access"
-  http /.*[\/\\]enivron\.pl/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1652-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI campus attempt"
-  http /.*[\/\\]campus\?\x0A/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1654-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  dst-ip == local_nets
-  event "WEB-CGI cart32.exe access"
-  http /.*[\/\\]cart32\.exe/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1655-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI pfdispaly.cgi arbitrary command execution attempt"
-  http /.*[\/\\]pfdispaly\.cgi\?'/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1656-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI pfdispaly.cgi access"
-  http /.*[\/\\]pfdispaly\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1657-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI pagelog.cgi directory traversal attempt"
-  http /.*[\/\\]pagelog\.cgi/
-  tcp-state established,originator
-  payload /.*[nN][aA][mM][eE]=\.\.\//
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1658-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI pagelog.cgi access"
-  http /.*[\/\\]pagelog\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1710-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI bbs_forum.cgi access"
-  http /.*[\/\\]bbs_forum\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1711-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI bsguest.cgi access"
-  http /.*[\/\\]bsguest\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1712-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI bslist.cgi access"
-  http /.*[\/\\]bslist\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1714-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI newdesk access"
-  http /.*[\/\\]newdesk/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1715-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI register.cgi access"
-  http /.*[\/\\]register\.cgi/
-  payload /SEND_MAIL/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1716-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  dst-ip == local_nets
-  event "WEB-CGI gbook.cgi access"
-  http /.*[\/\\]gbook\.cgi/
-  payload /_MAILTO.*\;/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1717-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI simplestguest.cgi access"
-  http /.*[\/\\]simplestguest\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1718-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI statusconfig.pl access"
-  http /.*[\/\\]statusconfig\.pl/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1719-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI talkback.cgi directory traversal attempt"
-  http /.*[\/\\]talkbalk\.cgi/
-  tcp-state established,originator
-  payload /.*[aA][rR][tT][iI][cC][lL][eE]=\.\.\/\.\.\//
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1720-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI talkback.cgi access"
-  http /.*[\/\\]talkbalk\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1721-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI adcycle access"
-  http /.*[\/\\]adcycle/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1722-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI MachineInfo access"
-  http /.*[\/\\]MachineInfo/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1723-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI emumail.cgi NULL attempt"
-  http /.*[\/\\]emumail\.cgi/
-  tcp-state established,originator
-  payload /.*[tT][yY][pP][eE]=/
-  payload /.*%00/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1724-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI emumail.cgi access"
-  http /.*[\/\\]emumail\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1642-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI document.d2w access"
-  http /.*[\/\\]document\.d2w/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1668-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  dst-ip == local_nets
-  event "WEB-CGI /cgi-bin/ access"
-  http /.*[\/\\]cgi-bin[\/\\]$/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-  # under most conditions the root of cgi-bin should never return a list or valid document
-  # tune for site specific
-}
-
-signature s2b-1669-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI /cgi-dos/ access"
-  http /.*[\/\\]cgi-dos[\/\\]/
-  tcp-state established,originator
-  payload /.*\/[cC][gG][iI]-[dD][oO][sS]\/ [hH][tT][tT][pP]/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1051-9 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI technote main.cgi file directory traversal attempt"
-  http /.*[\/\\]technote[\/\\]main\.cgi/
-  tcp-state established,originator
-  payload /.*[fF][iI][lL][eE][nN][aA][mM][eE]=/
-  payload /.*\.\.\/\.\.\//
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1052-8 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI technote print.cgi directory traversal attempt"
-  http /.*[\/\\]technote[\/\\]print\.cgi/
-  tcp-state established,originator
-  payload /.*[bB][oO][aA][rR][dD]=/
-  payload /.*\.\.\/\.\.\//
-  payload /.*%00/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1053-10 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI ads.cgi command execution attempt"
-  http /.*[\/\\]ads\.cgi/
-  tcp-state established,originator
-  payload /.*[fF][iI][lL][eE]=/
-  payload /.*\.\.\/\.\.\//
-  payload /.*\x7C/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1088-9 {
-  ip-proto == tcp
-  dst-port == http_ports
-  dst-ip == local_nets
-  event "WEB-CGI eXtropia webstore directory traversal"
-  http /.*[\/\\]web_store\.cgi\?.*page=\.\.\//
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1089-9 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI shopping cart directory traversal"
-  http /.*[\/\\]shop\.cgi/
-  tcp-state established,originator
-  payload /.*page=\.\.\//
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1090-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI Allaire Pro Web Shell attempt"
-  http /.*[\/\\]authenticate\.cgi\?PASSWORD/
-  tcp-state established,originator
-  payload /.*config\.ini/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1092-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI Armada Style Master Index directory traversal"
-  http /.*[\/\\]search\.cgi\?keys/
-  tcp-state established,originator
-  payload /.*catigory=\.\.\//
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1093-10 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI cached_feed.cgi moreover shopping cart directory traversal"
-  http /.*[\/\\]cached_feed\.cgi/
-  tcp-state established,originator
-  payload /.*\.\.\//
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2051-3 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI cached_feed.cgi moreover shopping cart access"
-  http /.*[\/\\]cached_feed\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1097-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI Talentsoft Web+ exploit attempt"
-  http /.*[\/\\]webplus\.cgi\?Script=[\/\\]webplus[\/\\]webping[\/\\]webping\.wml/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1106-9 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI Poll-it access"
-  http /.*[\/\\]pollit[\/\\]Poll_It_SSI_v2\.0\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1865-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI webdist.cgi arbitrary command attempt"
-  http /.*[\/\\]webdist\.cgi/
-  tcp-state established,originator
-  payload /.*[dD][iI][sS][tT][lL][oO][cC]=\x3B/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1163-11 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI webdist.cgi access"
-  http /.*[\/\\]webdist\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1172-10 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI bigconf.cgi access"
-  http /.*[\/\\]bigconf\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1174-8 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI /cgi-bin/jj access"
-  http /.*[\/\\]cgi-bin[\/\\]jj/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1185-10 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI bizdbsearch attempt"
-  http /.*[\/\\]bizdb1-search\.cgi/
-  tcp-state established,originator
-  payload /.*[mM][aA][iI][lL]/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1535-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI bizdbsearch access"
-  http /.*[\/\\]bizdb1-search\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1194-8 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI sojourn.cgi File attempt"
-  http /.*[\/\\]sojourn\.cgi\?cat=/
-  tcp-state established,originator
-  payload /.*%00/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1195-8 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI sojourn.cgi access"
-  http /.*[\/\\]sojourn\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1196-10 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI SGI InfoSearch fname attempt"
-  http /.*[\/\\]infosrch\.cgi\?/
-  tcp-state established,originator
-  payload /.*[fF][nN][aA][mM][eE]=/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1727-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI SGI InfoSearch fname access"
-  http /.*[\/\\]infosrch\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1204-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI ax-admin.cgi access"
-  http /.*[\/\\]ax-admin\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1205-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI axs.cgi access"
-  http /.*[\/\\]axs\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1206-10 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI cachemgr.cgi access"
-  http /.*[\/\\]cachemgr\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1208-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI responder.cgi access"
-  http /.*[\/\\]responder\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1211-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI web-map.cgi access"
-  http /.*[\/\\]web-map\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1215-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI ministats admin access"
-  http /.*[\/\\]ministats[\/\\]admin\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1219-10 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI dfire.cgi access"
-  http /.*[\/\\]dfire\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1305-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI txt2html.cgi directory traversal attempt"
-  http /.*[\/\\]txt2html\.cgi/
-  tcp-state established,originator
-  payload /.*\/\.\.\/\.\.\/\.\.\/\.\.\//
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1304-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI txt2html.cgi access"
-  http /.*[\/\\]txt2html\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1488-8 {
-  ip-proto == tcp
-  dst-port == http_ports
-  dst-ip == local_nets
-  event "WEB-CGI store.cgi directory traversal attempt"
-  http /.*[\/\\]store\.cgi/
-  tcp-state established,originator
-  payload /.*\.\.\//
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1307-9 {
-  ip-proto == tcp
-  dst-port == http_ports
-  dst-ip == local_nets
-  event "WEB-CGI store.cgi access"
-  http /.*[\/\\]store\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1494-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI SIX webboard generate.cgi attempt"
-  http /.*[\/\\]generate\.cgi/
-  tcp-state established,originator
-  payload /.*content=\.\.\//
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1495-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI SIX webboard generate.cgi access"
-  http /.*[\/\\]generate\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1496-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI spin_client.cgi access"
-  http /.*[\/\\]spin_client\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1787-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI csPassword.cgi access"
-  http /.*[\/\\]csPassword\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1788-3 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI csPassword password.cgi.tmp access"
-  http /.*[\/\\]password\.cgi\.tmp/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1763-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI Nortel Contivity cgiproc DOS attempt"
-  http /.*[\/\\]cgiproc\?Nocfile=/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1764-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI Nortel Contivity cgiproc DOS attempt"
-  http /.*[\/\\]cgiproc\?\x24/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1765-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI Nortel Contivity cgiproc access"
-  http /.*[\/\\]cgiproc/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1805-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI Oracle reports CGI access"
-  http /.*[\/\\]rwcgi60/
-  tcp-state established,originator
-  payload /.*setauth=/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1823-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  dst-ip == local_nets
-  event "WEB-CGI AlienForm af.cgi directory traversal attempt"
-  http /.*[\/\\](af|alienform)\.cgi\?.*\.\|\./
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1868-5 {
-  ip-proto == tcp
-  dst-port == 8080
-  event "WEB-CGI story.pl arbitrary file read attempt"
-  http /.*[\/\\]story\.pl/
-  tcp-state established,originator
-  payload /.*next=\.\.\//
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1869-5 {
-  ip-proto == tcp
-  dst-port == 8080
-  event "WEB-CGI story.pl access"
-  http /.*[\/\\]story\.pl/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1870-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI siteUserMod.cgi access"
-  http /.*[\/\\]\.cobalt[\/\\]siteUserMod[\/\\]siteUserMod\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1875-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  dst-ip == local_nets
-  event "WEB-CGI cgicso access"
-  http /.*[\/\\]cgicso/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1876-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI nph-publish.cgi access"
-  http /.*[\/\\]nph-publish\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1877-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI printenv access"
-  http /.*\/cgi-bin[^\/]*\/printenv/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1878-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI sdbsearch.cgi access"
-  http /.*[\/\\]sdbsearch\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1931-3 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI rpc-nlog.pl access"
-  http /.*[\/\\]rpc-nlog\.pl/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1932-3 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI rpc-smb.pl access"
-  http /.*[\/\\]rpc-smb\.pl/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1994-3 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI vpasswd.cgi access"
-  http /.*[\/\\]vpasswd\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1995-2 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI alya.cgi access"
-  http /.*[\/\\]alya\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1996-3 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI viralator.cgi access"
-  http /.*[\/\\]viralator\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2001-1 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI smartsearch.cgi access"
-  http /.*[\/\\]smartsearch\.cgi.*\|/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1862-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI mrtg.cgi directory traversal attempt"
-  http /.*[\/\\]mrtg\.cgi/
-  tcp-state established,originator
-  payload /.*cfg=\/\.\.\//
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2052-3 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI overflow.cgi access"
-  http /.*[\/\\]overflow\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1850-3 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI way-board.cgi access"
-  http /.*[\/\\]way-board\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2054-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI enter_bug.cgi arbitrary command attempt"
-  http /.*[\/\\]enter_bug\.cgi/
-  tcp-state established,originator
-  payload /.*[wW][hH][oO]=.*.*\x3B/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2085-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI parse_xml.cgi access"
-  http /.*[\/\\]parse_xml\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2086-4 {
-  ip-proto == tcp
-  dst-port == 1220
-  event "WEB-CGI streaming server parse_xml.cgi access"
-  tcp-state established,originator
-  payload /.*\/[pP][aA][rR][sS][eE]_[xX][mM][lL]\.[cC][gG][iI]/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2115-2 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI album.pl access"
-  tcp-state established,originator
-  payload /.*\/[aA][lL][bB][uU][mM]\.[pP][lL]/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2116-3 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI chipcfg.cgi access"
-  http /.*[\/\\]chipcfg\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2127-1 {
-  ip-proto == tcp
-  dst-ip == local_nets
-  dst-port == http_ports
-  event "WEB-CGI ikonboard.cgi access"
-  http /.*[\/\\]ikonboard\.cgi/
-  payload /Cookie: [^\=]{1,}\=\/[^\x0D\x0A]{2,}\x0D\x0A\x0D\x0A/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2128-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI swsrv.cgi access"
-  http /.*[\/\\]srsrv\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2194-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI CSMailto.cgi access"
-  http /.*[\/\\]CSMailto\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2195-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI alert.cgi access"
-  http /.*[\/\\]alert\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2197-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI cvsview2.cgi access"
-  http /.*[\/\\]cvsview2\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2198-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI cvslog.cgi access"
-  http /.*[\/\\]cvslog\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2199-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI multidiff.cgi access"
-  http /.*[\/\\]multidiff\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2200-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI dnewsweb.cgi access"
-  http /.*[\/\\]dnewsweb\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2201-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI download.cgi access"
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-  http /.*[\/\\]download\.cgi.*f\x3d\x2e\x2e\x2f.* /
-}
-
-signature s2b-2202-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI edit_action.cgi access"
-  http /.*[\/\\]edit_action\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2203-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI everythingform.cgi access"
-  http /.*[\/\\]everythingform\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2204-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI ezadmin.cgi access"
-  http /.*[\/\\]ezadmin\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2206-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI ezman.cgi access"
-  http /.*[\/\\]ezman\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2207-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI fileseek.cgi access"
-  http /.*[\/\\]fileseek\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2208-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI fom.cgi access"
-  http /.*[\/\\]fom\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2209-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI getdoc.cgi access"
-  http /.*[\/\\]getdoc\.cgi\?.*form-attachment.*command/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2210-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI global.cgi access"
-  http /.*[\/\\]global\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2211-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI guestserver.cgi access"
-  http /.*[\/\\]guestserver\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2212-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  dst-ip == local_nets
-  event "WEB-CGI imageFolio.cgi access"
-  http /.*[\/\\]imageFolio\.cgi\?.*<script>/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2213-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI mailfile.cgi access"
-  http /.*[\/\\]mailfile\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2214-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI mailview.cgi access"
-  http /.*[\/\\]mailview\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2215-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI nsManager.cgi access"
-  http /.*[\/\\]nsManager\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2216-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI readmail.cgi access"
-  http /.*[\/\\]readmail\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2217-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI printmail.cgi access"
-  http /.*[\/\\]printmail\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2218-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  dst-ip == local_nets
-  event "WEB-CGI service.cgi access"
-  http /.*[\/\\]service\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2219-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI setpasswd.cgi access"
-  http /.*[\/\\]setpasswd\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2220-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI simplestmail.cgi access"
-  http /.*[\/\\]simplestmail\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2221-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI ws_mail.cgi access"
-  http /.*[\/\\]ws_mail\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2222-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI nph-exploitscanget.cgi access"
-  http /.*[\/\\]nph-exploitscanget\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2224-1 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI psunami.cgi access"
-  http /.*[\/\\]psunami\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2225-1 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI gozila.cgi access"
-  http /.*[\/\\]gozila\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2323-2 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI quickstore.cgi access"
-  http /.*[\/\\]quickstore\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2387-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI view_broadcast.cgi access"
-  http /.*[\/\\]view_broadcast\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2388-4 {
-  ip-proto == tcp
-  dst-port == 1220
-  event "WEB-CGI streaming server view_broadcast.cgi access"
-  http /.*[\/\\]view_broadcast\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2396-2 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI CCBill whereami.cgi arbitrary command execution attempt"
-  http /.*[\/\\]whereami\.cgi\?g=/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2397-2 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI CCBill whereami.cgi access"
-  http /.*[\/\\]whereami\.cgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2433-1 {
-  ip-proto == tcp
-  dst-port == 3000
-  # Not supported: pcre: /\Wfrom=[^\x3b&\n]{100}/si
-  event "WEB-CGI MDaemon form2raw.cgi overflow attempt"
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-  http /[^a-zA-Z0-9_][fF][rR][oO][mM]=[^\x3b&\n]{100}/
-}
-
-signature s2b-2434-1 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI MDaemon form2raw.cgi access"
-  tcp-state established,originator
-  payload /.*\/[fF][oO][rR][mM]2[rR][aA][wW]\.[cC][gG][iI]/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2567-1 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI Emumail init.emu access"
-  http /.*[\/\\]init\.emu/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2568-1 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CGI Emumail emumail.fcgi access"
-  http /.*[\/\\]emumail\.fcgi\?./
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1735-4 {
-  ip-proto == tcp
-  src-port == http_ports
-  event "WEB-CLIENT XMLHttpRequest attempt"
-  tcp-state established,responder
-  payload /.*new XMLHttpRequest\x28/
-  payload /.*[fF][iI][lL][eE]\x3A\/\//
-}
-
-signature s2b-1284-10 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-CLIENT readme.eml download attempt"
-  http /.*[\/\\]readme\.eml/
-  tcp-state established,originator
-  requires-signature http_msie_client
-}
-
-signature s2b-1840-5 {
-  ip-proto == tcp
-  src-port == http_ports
-  event "WEB-CLIENT Javascript document.domain attempt"
-  tcp-state established,responder
-  payload /.*[dD][oO][cC][uU][mM][eE][nN][tT]\.[dD][oO][mM][aA][iI][nN]\x28/
-  requires-signature http_msie_client
-}
-
-signature s2b-1841-5 {
-  ip-proto == tcp
-  src-port == http_ports
-  event "WEB-CLIENT Javascript URL host spoofing attempt"
-  tcp-state established,responder
-  payload /.*[jJ][aA][vV][aA][sS][cC][rR][iI][pP][tT]\x3A\/\//
-  requires-signature http_old_gecko_client
-}
-
-signature s2b-2437-5 {
-  ip-proto == tcp
-  src-port == http_ports
-  # Not supported: pcre: /^Content-Type\x3a\s+application\x2fsmi.*?<area[\s\n\r]+href=[\x22\x27]file\x3ajavascript\x3a/smi
-  event "WEB-CLIENT RealPlayer arbitrary javascript command attempt"
-  tcp-state established,responder
-  http /((^)|(\n+))[cC][oO][nN][tT][eE][nN][tT]-[tT][yY][pP][eE]\x3a[\x20\x09\x0b][aA][pP][pP][lL][iI][cC][aA][tT][iI][oO][nN]\x2f[sS][mM][iI].*?<[aA][rR][eE][aA][\x20\x09\x0b\n\r]+href=[\x22\x27][fF][iI][lL][eE]\x3ajavascript\x3a/
-  requires-signature http_real_client
-}
-
-signature s2b-2438-3 {
-  ip-proto == tcp
-  src-port == http_ports
-  # Not supported: pcre: /^file\x3a\x2f\x2f[^\n]{400}/smi
-  # Not supported: flowbits: isset,realplayer.playlist
-  event "WEB-CLIENT RealPlayer playlist file URL overflow attempt"
-  tcp-state established,responder
-  payload /((^)|(\n+))[fF][iI][lL][eE]\x3a\x2f\x2f[^\n]{400}/
-}
-
-signature s2b-2439-3 {
-  ip-proto == tcp
-  src-port == http_ports
-  # Not supported: pcre: /^http\x3a\x2f\x2f[^\n]{400}/smi
-  # Not supported: flowbits: isset,realplayer.playlist
-  event "WEB-CLIENT RealPlayer playlist http URL overflow attempt"
-  tcp-state established,responder
-  payload /.*[hH][tT][tT][pP]\x3A\/\//
-  payload /((^)|(\n+))[hH][tT]{2}[pP]\x3a\x2f\x2f[^\n]{400}/
-}
-
-signature s2b-2440-3 {
-  ip-proto == tcp
-  src-port == http_ports
-  # Not supported: pcre: /^http\x3a\x2f\x2f[^\n]{400}/smi
-  # Not supported: flowbits: isset,realplayer.playlist
-  event "WEB-CLIENT RealPlayer playlist rtsp URL overflow attempt"
-  tcp-state established,responder
-  payload /.*[rR][tT][sS][pP]\x3A\/\//
-  payload /((^)|(\n+))[hH][tT]{2}[pP]\x3a\x2f\x2f[^\n]{400}/
-}
-
-signature s2b-2485-4 {
-  ip-proto == tcp
-  src-port == http_ports
-  event "WEB-CLIENT Nortan antivirus sysmspam.dll load attempt"
-  tcp-state established,responder
-  payload /.*[cC][lL][sS][iI][dD]\x3A/
-  payload /.*0534[cC][fF]61-83[cC]5-4765-[bB]19[bB]-45[fF]7[aA]4[eE]135[dD]0/
-}
-
-signature s2b-903-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-COLDFUSION cfcache.map access"
-  http /.*[\/\\]cfcache\.map/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-904-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-COLDFUSION exampleapp application.cfm"
-  http /.*[\/\\]cfdocs[\/\\]exampleapp[\/\\]email[\/\\]application\.cfm/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-905-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-COLDFUSION application.cfm access"
-  http /.*[\/\\]cfdocs[\/\\]exampleapp[\/\\]publish[\/\\]admin[\/\\]application\.cfm/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-906-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-COLDFUSION getfile.cfm access"
-  http /.*[\/\\]cfdocs[\/\\]exampleapp[\/\\]email[\/\\]getfile\.cfm/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-907-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-COLDFUSION addcontent.cfm access"
-  http /.*[\/\\]cfdocs[\/\\]exampleapp[\/\\]publish[\/\\]admin[\/\\]addcontent\.cfm/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-908-8 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-COLDFUSION administrator access"
-  http /.*[\/\\]cfide[\/\\]administrator[\/\\]index\.cfm/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-909-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-COLDFUSION datasource username attempt"
-  tcp-state established,originator
-  payload /.*[cC][fF]_[sS][eE][tT][dD][aA][tT][aA][sS][oO][uU][rR][cC][eE][uU][sS][eE][rR][nN][aA][mM][eE]\x28\x29/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-910-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-COLDFUSION fileexists.cfm access"
-  http /.*[\/\\]cfdocs[\/\\]snippets[\/\\]fileexists\.cfm/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-911-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-COLDFUSION exprcalc access"
-  http /.*[\/\\]cfdocs[\/\\]expeval[\/\\]exprcalc\.cfm/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-912-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-COLDFUSION parks access"
-  http /.*[\/\\]cfdocs[\/\\]examples[\/\\]parks[\/\\]detail\.cfm/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-913-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-COLDFUSION cfappman access"
-  http /.*[\/\\]cfappman[\/\\]index\.cfm/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-914-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-COLDFUSION beaninfo access"
-  http /.*[\/\\]cfdocs[\/\\]examples[\/\\]cvbeans[\/\\]beaninfo\.cfm/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-915-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-COLDFUSION evaluate.cfm access"
-  http /.*[\/\\]cfdocs[\/\\]snippets[\/\\]evaluate\.cfm/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-916-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-COLDFUSION getodbcdsn access"
-  tcp-state established,originator
-  payload /.*[cC][fF][uU][sS][iI][oO][nN]_[gG][eE][tT][oO][dD][bB][cC][dD][sS][nN]\x28\x29/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-917-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-COLDFUSION db connections flush attempt"
-  tcp-state established,originator
-  payload /.*[cC][fF][uU][sS][iI][oO][nN]_[dD][bB][cC][oO][nN][nN][eE][cC][tT][iI][oO][nN][sS]_[fF][lL][uU][sS][hH]\x28\x29/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-918-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-COLDFUSION expeval access"
-  http /.*[\/\\]cfdocs[\/\\]expeval[\/\\]/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-919-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-COLDFUSION datasource passwordattempt"
-  tcp-state established,originator
-  payload /.*[cC][fF]_[sS][eE][tT][dD][aA][tT][aA][sS][oO][uU][rR][cC][eE][pP][aA][sS][sS][wW][oO][rR][dD]\x28\x29/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-920-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-COLDFUSION datasource attempt"
-  tcp-state established,originator
-  payload /.*[cC][fF]_[iI][sS][cC][oO][lL][dD][fF][uU][sS][iI][oO][nN][dD][aA][tT][aA][sS][oO][uU][rR][cC][eE]\x28\x29/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-921-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-COLDFUSION admin encrypt attempt"
-  tcp-state established,originator
-  payload /.*[cC][fF][uU][sS][iI][oO][nN]_[eE][nN][cC][rR][yY][pP][tT]\x28\x29/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-922-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-COLDFUSION displayfile access"
-  http /.*[\/\\]cfdocs[\/\\]expeval[\/\\]displayopenedfile\.cfm/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-923-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-COLDFUSION getodbcin attempt"
-  tcp-state established,originator
-  payload /.*[cC][fF][uU][sS][iI][oO][nN]_[gG][eE][tT][oO][dD][bB][cC][iI][nN][iI]\x28\x29/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-924-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-COLDFUSION admin decrypt attempt"
-  tcp-state established,originator
-  payload /.*[cC][fF][uU][sS][iI][oO][nN]_[dD][eE][cC][rR][yY][pP][tT]\x28\x29/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-925-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-COLDFUSION mainframeset access"
-  http /.*[\/\\]cfdocs[\/\\]examples[\/\\]mainframeset\.cfm/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-926-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-COLDFUSION set odbc ini attempt"
-  tcp-state established,originator
-  payload /.*[cC][fF][uU][sS][iI][oO][nN]_[sS][eE][tT][oO][dD][bB][cC][iI][nN][iI]\x28\x29/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-927-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-COLDFUSION settings refresh attempt"
-  tcp-state established,originator
-  payload /.*[cC][fF][uU][sS][iI][oO][nN]_[sS][eE][tT][tT][iI][nN][gG][sS]_[rR][eE][fF][rR][eE][sS][hH]\x28\x29/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-928-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-COLDFUSION exampleapp access"
-  http /.*[\/\\]cfdocs[\/\\]exampleapp[\/\\]/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-929-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-COLDFUSION CFUSION_VERIFYMAIL access"
-  tcp-state established,originator
-  payload /.*[cC][fF][uU][sS][iI][oO][nN]_[vV][eE][rR][iI][fF][yY][mM][aA][iI][lL]\x28\x29/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-930-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-COLDFUSION snippets attempt"
-  http /.*[\/\\]cfdocs[\/\\]snippets[\/\\]/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-931-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-COLDFUSION cfmlsyntaxcheck.cfm access"
-  http /.*[\/\\]cfdocs[\/\\]cfmlsyntaxcheck\.cfm/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-932-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-COLDFUSION application.cfm access"
-  http /.*[\/\\]application\.cfm/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-933-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-COLDFUSION onrequestend.cfm access"
-  http /.*[\/\\]onrequestend\.cfm/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-935-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-COLDFUSION startstop DOS access"
-  http /.*[\/\\]cfide[\/\\]administrator[\/\\]startstop\.html/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-936-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-COLDFUSION gettempdirectory.cfm access "
-  http /.*[\/\\]cfdocs[\/\\]snippets[\/\\]gettempdirectory\.cfm/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1659-3 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-COLDFUSION sendmail.cfm access"
-  http /.*[\/\\]sendmail\.cfm/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1248-13 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-FRONTPAGE rad fp30reg.dll access"
-  http /.*[\/\\]fp30reg\.dll/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1249-10 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-FRONTPAGE frontpage rad fp4areg.dll access"
-  http /.*[\/\\]fp4areg\.dll/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-937-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-FRONTPAGE _vti_rpc access"
-  http /.*[\/\\]_vti_rpc/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-939-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-FRONTPAGE posting"
-  http /.*[\/\\]author\.dll/
-  tcp-state established,originator
-  payload /.*[pP][oO][sS][tT]/
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-940-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-FRONTPAGE shtml.dll access"
-  http /.*[\/\\]_vti_bin[\/\\]shtml\.dll/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-941-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-FRONTPAGE contents.htm access"
-  http /.*[\/\\]admcgi[\/\\]contents\.htm/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-942-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-FRONTPAGE orders.htm access"
-  http /.*[\/\\]_private[\/\\]orders\.htm/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-943-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-FRONTPAGE fpsrvadm.exe access"
-  http /.*[\/\\]fpsrvadm\.exe/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-944-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-FRONTPAGE fpremadm.exe access"
-  http /.*[\/\\]fpremadm\.exe/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-945-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-FRONTPAGE fpadmin.htm access"
-  http /.*[\/\\]admisapi[\/\\]fpadmin\.htm/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-946-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-FRONTPAGE fpadmcgi.exe access"
-  http /.*[\/\\]scripts[\/\\]Fpadmcgi\.exe/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-947-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-FRONTPAGE orders.txt access"
-  http /.*[\/\\]_private[\/\\]orders\.txt/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-948-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-FRONTPAGE form_results access"
-  http /.*[\/\\]_private[\/\\]form_results\.txt/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-949-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-FRONTPAGE registrations.htm access"
-  http /.*[\/\\]_private[\/\\]registrations\.htm/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-950-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-FRONTPAGE cfgwiz.exe access"
-  http /.*[\/\\]cfgwiz\.exe/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-951-10 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-FRONTPAGE authors.pwd access"
-  http /.*[\/\\]authors\.pwd/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-952-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-FRONTPAGE author.exe access"
-  http /.*[\/\\]_vti_bin[\/\\]_vti_aut[\/\\]author\.exe/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-953-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-FRONTPAGE administrators.pwd access"
-  http /.*[\/\\]administrators\.pwd/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-954-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-FRONTPAGE form_results.htm access"
-  http /.*[\/\\]_private[\/\\]form_results\.htm/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-955-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-FRONTPAGE access.cnf access"
-  http /.*[\/\\]_vti_pvt[\/\\]access\.cnf/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-956-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-FRONTPAGE register.txt access"
-  http /.*[\/\\]_private[\/\\]register\.txt/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-957-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-FRONTPAGE registrations.txt access"
-  http /.*[\/\\]_private[\/\\]registrations\.txt/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-958-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-FRONTPAGE service.cnf access"
-  http /.*[\/\\]_vti_pvt[\/\\]service\.cnf/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-959-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-FRONTPAGE service.pwd"
-  http /.*[\/\\]service\.pwd/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-960-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-FRONTPAGE service.stp access"
-  http /.*[\/\\]_vti_pvt[\/\\]service\.stp/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-961-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-FRONTPAGE services.cnf access"
-  http /.*[\/\\]_vti_pvt[\/\\]services\.cnf/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-962-9 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-FRONTPAGE shtml.exe access"
-  http /.*[\/\\]_vti_bin[\/\\]shtml\.exe/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-963-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-FRONTPAGE svcacl.cnf access"
-  http /.*[\/\\]_vti_pvt[\/\\]svcacl\.cnf/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-964-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-FRONTPAGE users.pwd access"
-  http /.*[\/\\]users\.pwd/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-965-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-FRONTPAGE writeto.cnf access"
-  http /.*[\/\\]_vti_pvt[\/\\]writeto\.cnf/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-966-9 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-FRONTPAGE .... request"
-  http /.*\.\.\.\.[\/\\]/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-967-11 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-FRONTPAGE dvwssr.dll access"
-  http /.*[\/\\]dvwssr\.dll/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-968-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-FRONTPAGE register.htm access"
-  http /.*[\/\\]_private[\/\\]register\.htm/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1288-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-FRONTPAGE /_vti_bin/ access"
-  http /.*[\/\\]_vti_bin[\/\\]/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1970-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS MDAC Content-Type overflow attempt"
-  http /.*[\/\\]msadcs\.dll/
-  tcp-state established,originator
-  payload /.*[cC][oO][nN][tT][eE][nN][tT]-[tT][yY][pP][eE]\x3A[^\x0A]{50}/
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1076-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS repost.asp access"
-  http /.*[\/\\]scripts[\/\\]repost\.asp/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1806-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS .htr chunked Transfer-Encoding"
-  http /.*\.htr/
-  tcp-state established,originator
-  payload /.*[tT][rR][aA][nN][sS][fF][eE][rR]-[eE][nN][cC][oO][dD][iI][nN][gG]\x3A/
-  payload /.*[cC][hH][uU][nN][kK][eE][dD]/
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1618-14 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS .asp chunked Transfer-Encoding"
-  http /.*\.asp/
-  tcp-state established,originator
-  payload /.*[tT][rR][aA][nN][sS][fF][eE][rR]-[eE][nN][cC][oO][dD][iI][nN][gG]\x3A/
-  payload /.*[cC][hH][uU][nN][kK][eE][dD]/
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1626-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS /StoreCSVS/InstantOrder.asmx request"
-  http /.*[\/\\]StoreCSVS[\/\\]InstantOrder\.asmx/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1750-3 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS users.xml access"
-  http /.*[\/\\]users\.xml/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1753-2 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS as_web.exe access"
-  http /.*[\/\\]as_web\.exe/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1754-2 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS as_web4.exe access"
-  http /.*[\/\\]as_web4\.exe/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1756-2 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS NewsPro administration authentication attempt"
-  tcp-state established,originator
-  payload /.*logged,true/
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1772-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS pbserver access"
-  http /.*[\/\\]pbserver[\/\\]pbserver\.dll/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1660-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS trace.axd access"
-  http /.*[\/\\]trace\.axd/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1484-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS /isapi/tstisapi.dll access"
-  http /.*[\/\\]isapi[\/\\]tstisapi\.dll/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1485-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS mkilog.exe access"
-  http /.*[\/\\]mkilog\.exe/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1486-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS ctss.idc access"
-  http /.*[\/\\]ctss\.idc/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1487-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS /iisadmpwd/aexp2.htr access"
-  http /.*[\/\\]iisadmpwd[\/\\]aexp2\.htr/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-969-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS WebDAV file lock attempt"
-  tcp-state established,originator
-  payload /LOCK /
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-971-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS ISAPI .printer access"
-  http /.*\.printer/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1243-11 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS ISAPI .ida attempt"
-  http /.*\.ida\?/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1242-10 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS ISAPI .ida access"
-  http /.*\.ida/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1244-10 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS ISAPI .idq attempt"
-  http /.*\.idq\?/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1245-10 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS ISAPI .idq access"
-  http /.*\.idq/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-973-10 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS *.idc attempt"
-  http /.*[\/\\]\*\.idc/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-974-10 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS Directory transversal attempt"
-  tcp-state established,originator
-  payload /.*\.\.\x5C\.\./
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-975-12 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS Alternate Data streams ASP file access attempt"
-  http /.*\.asp\x3A\x3A\x24DATA/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-976-10 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS .bat? access"
-  http /.*\.bat\?/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-977-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS .cnf access"
-  http /.*\.cnf/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-978-11 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS ASP contents view"
-  tcp-state established,originator
-  payload /.*%20/
-  payload /.*&[cC][iI][rR][eE][sS][tT][rR][iI][cC][tT][iI][oO][nN]=[nN][oO][nN][eE]/
-  payload /.*&[cC][iI][hH][iI][lL][iI][tT][eE][tT][yY][pP][eE]=[fF][uU][lL][lL]/
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-979-9 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS ASP contents view"
-  http /.*\.htw\?CiWebHitsFile/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-980-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS CGImail.exe access"
-  http /.*[\/\\]scripts[\/\\]CGImail\.exe/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-981-9 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS unicode directory traversal attempt"
-  tcp-state established,originator
-  payload /.*\/\.\.%[cC]0%[aA][fF]\.\.\//
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-982-9 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS unicode directory traversal attempt"
-  tcp-state established,originator
-  payload /.*\/\.\.%[cC]1%1[cC]\.\.\//
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-983-9 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS unicode directory traversal attempt"
-  tcp-state established,originator
-  payload /.*\/\.\.%[cC]1%9[cC]\.\.\//
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1945-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS unicode directory traversal attempt"
-  tcp-state established,originator
-  payload /.*\/\.\.%255[cC]\.\./
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-986-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS MSProxy access"
-  http /.*[\/\\]scripts[\/\\]proxy[\/\\]w3proxy\.dll/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1725-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS +.htr code fragment attempt"
-  http /.*\+\.htr/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-987-12 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS .htr access"
-  http /.*\.htr/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-988-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS SAM Attempt"
-  tcp-state established,originator
-  payload /.*[sS][aA][mM]\._/
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-989-8 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS Unicode2.pl script File permission canonicalization"
-  http /.*[\/\\]sensepost\.exe/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-990-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS _vti_inf access"
-  http /.*_vti_inf\.html/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-991-8 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS achg.htr access"
-  http /.*[\/\\]iisadmpwd[\/\\]achg\.htr/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-994-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS /scripts/iisadmin/default.htm access"
-  http /.*[\/\\]scripts[\/\\]iisadmin[\/\\]default\.htm/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-995-10 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS ism.dll access"
-  http /.*[\/\\]scripts[\/\\]iisadmin[\/\\]ism\.dll\?http[\/\\]dir/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-996-8 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS anot.htr access"
-  http /.*[\/\\]iisadmpwd[\/\\]anot/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-997-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS asp-dot attempt"
-  http /.*\.asp\./
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-998-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS asp-srch attempt"
-  http /.*\x23filename=\*\.asp/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1000-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS bdir.htr access"
-  http /.*[\/\\]bdir\.htr/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1661-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS cmd32.exe access"
-  tcp-state established,originator
-  payload /.*[cC][mM][dD]32\.[eE][xX][eE]/
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1002-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS cmd.exe access"
-  tcp-state established,originator
-  payload /.*[cC][mM][dD]\.[eE][xX][eE]/
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1003-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS cmd? access"
-  tcp-state established,originator
-  payload /.*\.[cC][mM][dD]\?&/
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1007-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS cross-site scripting attempt"
-  http /.*[\/\\]Form_JScript\.asp/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1380-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS cross-site scripting attempt"
-  http /.*[\/\\]Form_VBScript\.asp/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1008-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS del attempt"
-  tcp-state established,originator
-  payload /.*&[dD][eE][lL]\+\/[sS]\+[cC]\x3A\x5C\*\.\*/
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1009-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS directory listing"
-  http /.*[\/\\]ServerVariables_Jscript\.asp/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1010-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS encoding access"
-  tcp-state established,originator
-  payload /.*%1u/
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1011-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS exec-src access"
-  tcp-state established,originator
-  payload /.*\x23[fF][iI][lL][eE][nN][aA][mM][eE]=\*\.[eE][xX][eE]/
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1012-10 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS fpcount attempt"
-  http /.*[\/\\]fpcount\.exe/
-  tcp-state established,originator
-  payload /.*[dD][iI][gG][iI][tT][sS]=/
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1013-9 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS fpcount access"
-  http /.*[\/\\]fpcount\.exe/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1015-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS getdrvs.exe access"
-  http /.*[\/\\]scripts[\/\\]tools[\/\\]getdrvs\.exe/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1016-10 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS global.asa access"
-  http /.*[\/\\]global\.asa/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1017-8 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS idc-srch attempt"
-  tcp-state established,originator
-  payload /.*\x23[fF][iI][lL][eE][nN][aA][mM][eE]=\*\.[iI][dD][cC]/
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1018-9 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS iisadmpwd attempt"
-  http /.*[\/\\]iisadmpwd[\/\\]aexp/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1019-8 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS index server file source code attempt"
-  http /.*\?CiWebHitsFile=[\/\\]/
-  tcp-state established,originator
-  payload /.*&CiRestriction=none&CiHiliteType=Full/
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1020-10 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS isc$data attempt"
-  http /.*\.idc\x3A\x3A\x24data/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1021-11 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS ism.dll attempt"
-  http /.* \.htr/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1022-8 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS jet vba access"
-  http /.*[\/\\]advworks[\/\\]equipment[\/\\]catalog_type\.asp/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1023-9 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS msadcs.dll access"
-  http /.*[\/\\]msadcs\.dll/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1024-8 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS newdsn.exe access"
-  http /.*[\/\\]scripts[\/\\]tools[\/\\]newdsn\.exe/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1025-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS perl access"
-  http /.*[\/\\]scripts[\/\\]perl/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1026-9 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS perl-browse newline attempt"
-  http /.*\x0A\.pl/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1027-8 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS perl-browse space attempt"
-  http /.* \.pl/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1029-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS scripts-browse access"
-  http /.*[\/\\]scripts[\/\\] /
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1030-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS search97.vts access"
-  http /.*[\/\\]search97\.vts/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1037-10 {
-  ip-proto == tcp
-  dst-port == http_ports
-  dst-ip == local_nets
-  event "WEB-IIS showcode.asp access"
-  http /.*[\/\\]showcode\.asp/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1038-8 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS site server config access"
-  http /.*[\/\\]adsamples[\/\\]config[\/\\]site\.csc/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1039-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS srch.htm access"
-  http /.*[\/\\]samples[\/\\]isapi[\/\\]srch\.htm/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1040-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS srchadm access"
-  http /.*[\/\\]srchadm/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1041-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS uploadn.asp access"
-  http /.*[\/\\]scripts[\/\\]uploadn\.asp/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1042-8 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS view source via translate header"
-  tcp-state established,originator
-  payload /.*[tT][rR][aA][nN][sS][lL][aA][tT][eE]\x3A [fF]/
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1043-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS viewcode.asp access"
-  http /.*[\/\\]viewcode\.asp/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1044-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS webhits access"
-  http /.*\.htw/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1726-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS doctodep.btr access"
-  http /.*doctodep\.btr/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1046-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS site/iisamples access"
-  http /.*[\/\\]site[\/\\]iisamples/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1256-8 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS CodeRed v2 root.exe access"
-  http /.*[\/\\]root\.exe/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1283-9 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS outlook web dos"
-  http /.*[\/\\]exchange[\/\\]LogonFrm\.asp\?/
-  tcp-state established,originator
-  payload /.*[mM][aA][iI][lL][bB][oO][xX]=/
-  payload /.*%%%/
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1400-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS /scripts/samples/ access"
-  http /.*[\/\\]scripts[\/\\]samples[\/\\]/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1401-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS /msadc/samples/ access"
-  http /.*[\/\\]msadc[\/\\]samples[\/\\]/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1402-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS iissamples access"
-  http /.*[\/\\]iissamples[\/\\]/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-993-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS iisadmin access"
-  http /.*[\/\\]iisadmin/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1285-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS msdac access"
-  http /.*[\/\\]msdac[\/\\]/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1286-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS _mem_bin access"
-  http /.*[\/\\]_mem_bin[\/\\]/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1595-10 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS htimage.exe access"
-  http /.*[\/\\]htimage\.exe/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1817-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS MS Site Server default login attempt"
-  http /.*[\/\\]SiteServer[\/\\]Admin[\/\\]knowledge[\/\\]persmbr[\/\\]/
-  tcp-state established,originator
-  payload /.*[aA][uU][tT][hH][oO][rR][iI][zZ][aA][tT][iI][oO][nN]\x3A [bB][aA][sS][iI][cC] [tT][eE][rR][bB][uU][fF]9[bB][bB][mM]9[uU][eE][wW]1[vV][dD][xX][mM]6[tT][gG][rR][hH][cC][fF][bB][hH][cC]3[nN]3[bB]3[jJ][kK][xX][zZ][eE]=/
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1818-3 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS MS Site Server admin attempt"
-  http /.*[\/\\]Site Server[\/\\]Admin[\/\\]knowledge[\/\\]persmbr[\/\\]/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1075-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS postinfo.asp access"
-  http /.*[\/\\]scripts[\/\\]postinfo\.asp/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1567-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS /exchange/root.asp attempt"
-  http /.*[\/\\]exchange[\/\\]root\.asp\?acs=anon/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1568-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS /exchange/root.asp access"
-  http /.*[\/\\]exchange[\/\\]root\.asp/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2090-8 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS WEBDAV exploit attempt"
-  tcp-state established,originator
-  payload /.*HTTP\/1\.1\x0AContent-type\x3A text\/xml\x0AHOST\x3A.{1}.*Accept\x3A \*\/\*\x0ATranslate\x3A f\x0AContent-length\x3A5276\x0A\x0A/
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2091-8 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS WEBDAV nessus safe scan attempt"
-  tcp-state established,originator
-  payload /.*SEARCH \/ HTTP\/1\.1\x0D\x0AHost\x3A.{0,251}\x0D\x0A\x0D\x0A/
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2117-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS Battleaxe Forum login.asp access"
-  http /.*myaccount[\/\\]login\.asp/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2129-9 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS nsiislog.dll access"
-  http /.*[\/\\]nsiislog\.dll/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2130-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS IISProtect siteadmin.asp access"
-  http /.*[\/\\]iisprotect[\/\\]admin[\/\\]SiteAdmin\.asp/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2157-2 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS IISProtect globaladmin.asp access"
-  http /.*[\/\\]iisprotect[\/\\]admin[\/\\]GlobalAdmin\.asp/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2131-2 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS IISProtect access"
-  http /.*[\/\\]iisprotect[\/\\]admin[\/\\]/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2132-2 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS Synchrologic Email Accelerator userid list access attempt"
-  http /.*[\/\\]en[\/\\]admin[\/\\]aggregate\.asp/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2133-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS MS BizTalk server access"
-  http /.*[\/\\]biztalkhttpreceive\.dll/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2134-2 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS register.asp access"
-  http /.*[\/\\]register\.asp/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2247-3 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS UploadScript11.asp access"
-  http /.*[\/\\]UploadScript11\.asp/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2248-3 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS DirectoryListing.asp access"
-  http /.*[\/\\]DirectoryListing\.asp/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2249-3 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS /pcadmin/login.asp access"
-  http /.*[\/\\]pcadmin[\/\\]login\.asp/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2321-1 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS foxweb.exe access"
-  http /.*[\/\\]foxweb\.exe/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2322-1 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS foxweb.dll access"
-  http /.*[\/\\]foxweb\.dll/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2324-2 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS VP-ASP shopsearch.asp access"
-  http /.*[\/\\]shopsearch\.asp/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2325-2 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS VP-ASP ShopDisplayProducts.asp access"
-  http /.*[\/\\]ShopDisplayProducts\.asp/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2326-3 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS sgdynamo.exe access"
-  http /.*[\/\\]sgdynamo\.exe/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2386-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS NTLM ASN.1 vulnerability scan attempt"
-  tcp-state established,originator
-  payload /.*Authorization\x3A Negotiate YIQAAABiBoMAAAYrBgEFBQKgggBTMIFQoA4wDAYKKwYBBAGCNwICCqM/
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2571-1 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS SmarterTools SmarterMail frmGetAttachment.aspx access"
-  http /.*[\/\\]frmGetAttachment\.aspx/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2572-2 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS SmarterTools SmarterMail login.aspx buffer overflow attempt"
-  http /.*[\/\\]login\.aspx/
-  tcp-state established,originator
-  # Not supported: isdataat: 980,relative
-  payload /.*[tT][xX][tT][uU][sS][eE][rR][nN][aA][mM][eE]=[^\x0A]{980}/
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2573-1 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-IIS SmarterTools SmarterMail frmCompose.asp access"
-  http /.*[\/\\]frmCompose\.aspx/
-  tcp-state established,originator
-  requires-signature http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1497-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC cross site scripting attempt"
-  tcp-state established,originator
-  payload /.*<[sS][cC][rR][iI][pP][tT]>/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1667-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC cross site scripting HTML Image tag set to javascript attempt"
-  tcp-state established,originator
-  payload /.*[iI][mM][gG] [sS][rR][cC]=[jJ][aA][vV][aA][sS][cC][rR][iI][pP][tT]/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1250-11 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC Cisco IOS HTTP configuration attempt"
-  http /.*[\/\\]level[\/\\]/
-  http /.*[\/\\]exec[\/\\]/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-  # would like to inspect contents of reply
-}
-
-signature s2b-1047-9 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC Netscape Enterprise DOS"
-  tcp-state established,originator
-  payload /REVLOG \/ /
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1048-9 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC Netscape Enterprise directory listing attempt"
-  tcp-state established,originator
-  payload /INDEX /
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1050-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC iPlanet GETPROPERTIES attempt"
-  tcp-state established,originator
-  payload /GETPROPERTIES/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1057-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC ftp attempt"
-  tcp-state established,originator
-  http /.*[fF][tT][pP]\.[eE][xX][eE]/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1058-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC xp_enumdsn attempt"
-  tcp-state established,originator
-  payload /.*[xX][pP]_[eE][nN][uU][mM][dD][sS][nN]/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1059-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC xp_filelist attempt"
-  tcp-state established,originator
-  payload /.*[xX][pP]_[fF][iI][lL][eE][lL][iI][sS][tT]/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1060-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC xp_availablemedia attempt"
-  tcp-state established,originator
-  payload /.*[xX][pP]_[aA][vV][aA][iI][lL][aA][bB][lL][eE][mM][eE][dD][iI][aA]/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1061-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC xp_cmdshell attempt"
-  tcp-state established,originator
-  payload /.*[xX][pP]_[cC][mM][dD][sS][hH][eE][lL][lL]/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1062-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC nc.exe attempt"
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-  http /.*[nN][cC]\.[eE][xX][eE]\x20.{5}/
-}
-
-signature s2b-1064-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC wsh attempt"
-  tcp-state established,originator
-  payload /.*[wW][sS][hH]\.[eE][xX][eE]/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1065-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC rcmd attempt"
-  tcp-state established,originator
-  payload /.*[rR][cC][mM][dD]\.[eE][xX][eE]/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1066-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC telnet attempt"
-  tcp-state established,originator
-  http /.*[tT][eE][lL][nN][eE][tT]\.[eE][xX][eE]/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1067-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC net attempt"
-  tcp-state established,originator
-  http /.*[^a-zA-Z0-9_.-][nN][eE][tT]\.[eE][xX][eE]/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1068-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC tftp attempt"
-  tcp-state established,originator
-  http /.*[tT][fF][tT][pP]\.[eE][xX][eE]/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1069-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC xp_regread attempt"
-  tcp-state established,originator
-  payload /.*[xX][pP]_[rR][eE][gG][rR][eE][aA][dD]/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1977-1 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC xp_regwrite attempt"
-  tcp-state established,originator
-  payload /.*[xX][pP]_[rR][eE][gG][wW][rR][iI][tT][eE]/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1978-1 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC xp_regdeletekey attempt"
-  tcp-state established,originator
-  payload /.*[xX][pP]_[rR][eE][gG][dD][eE][lL][eE][tT][eE][kK][eE][yY]/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1070-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC WebDAV search access"
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-  http /((^)|(\n+))[sS][eE][aA][rR][cC][hH]/
-  requires-signature http_iis_server
-}
-
-signature s2b-1071-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC .htpasswd access"
-  tcp-state established,originator
-  http /.*\/\.[hH][tT][pP][aA][sS][sS][wW][dD]/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1072-9 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC Lotus Domino directory traversal"
-  http /.*\.nsf[\/\\].*(\.\.\/){1,}.{2,}/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1077-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC queryhit.htm access"
-  http /.*[\/\\]samples[\/\\]search[\/\\]queryhit\.htm/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1079-11 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC WebDAV propfind access"
-  tcp-state established,originator
-  payload /.*<[aA]\x3A[pP][rR][oO][pP][fF][iI][nN][dD]/
-  payload /.*[xX][mM][lL][nN][sS]\x3A[aA]=\x22[dD][aA][vV]\x22>/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1080-13 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC unify eWave ServletExec upload"
-  http /.*[\/\\]servlet[\/\\]com\.unify\.servletexec\.UploadServlet/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1081-10 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC Netscape Servers suite DOS"
-  http /.*[\/\\]dsgw[\/\\]bin[\/\\]search\?context=/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1083-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC unify eWave ServletExec DOS"
-  http /.*[\/\\]servlet[\/\\]ServletExec/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1084-8 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC Allaire JRUN DOS attempt"
-  http /.*servlet[\/\\]\.\.\.\.\.\.\./
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1095-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC Talentsoft Web+ Source Code view access"
-  http /.*[\/\\]webplus\.exe\?script=test\.wml/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1096-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC Talentsoft Web+ internal IP Address access"
-  http /.*[\/\\]webplus\.exe\?about/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1098-8 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC SmartWin CyberOffice Shopping Cart access"
-  http /.*_private[\/\\]shopping_cart\.mdb/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1099-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC cybercop scan"
-  http /.*[\/\\]cybercop/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1100-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC L3retriever HTTP Probe"
-  tcp-state established,originator
-  payload /.*User-Agent\x3A Java1\.2\.1\x0D\x0A/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1101-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC Webtrends HTTP probe"
-  tcp-state established,originator
-  payload /.*User-Agent\x3A Webtrends Security Analyzer\x0D\x0A/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1102-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC Nessus 404 probe"
-  http /.*[\/\\]nessus_is_probing_you_/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1103-8 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC Netscape admin passwd"
-  http /.*[\/\\]admin-serv[\/\\]config[\/\\]admpw/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1105-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC BigBrother access"
-  http /.*[\/\\]bb-hostsvc\.sh\?HOSTSVC/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1612-8 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC ftp.pl attempt"
-  http /.*[\/\\]ftp\.pl\?dir=\.\.[\/\\]\.\./
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1107-10 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC ftp.pl access"
-  http /.*[\/\\]ftp\.pl/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1108-10 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC Tomcat server snoop access"
-  http /.*[\/\\]jsp[\/\\]snp[\/\\]/
-  http /.*\.snp/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1109-8 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC ROXEN directory list attempt"
-  http /.*[\/\\]%00/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1110-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC apache source.asp file access"
-  http /.*[\/\\]site[\/\\]eg[\/\\]source\.asp/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1111-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC Tomcat server exploit access"
-  http /.*[\/\\]contextAdmin[\/\\]contextAdmin\.html/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1115-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC ICQ webserver DOS"
-  http /.*\.html[\/\\]\.\.\.\.\.\./
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1116-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC Lotus DelDoc attempt"
-  http /.*\?DeleteDocument/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1117-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC Lotus EditDoc attempt"
-  http /.*\?EditDocument/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1118-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC ls%20-l"
-  tcp-state established,originator
-  payload /.*[lL][sS]%20-[lL]/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1119-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC mlog.phtml access"
-  http /.*[\/\\]mlog\.phtml/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1120-8 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC mylog.phtml access"
-  http /.*[\/\\]mylog\.phtml/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1122-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC /etc/passwd"
-  tcp-state established,originator
-  payload /.*\/[eE][tT][cC]\/[sS][hH][aA][dD][oO][wW].{1,}root:.*:.*:.*:.*:.*:.*:/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1123-9 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC ?PageServices access"
-  http /.*\?PageServices/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1125-8 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC webcart access"
-  http /.*[\/\\]webcart[\/\\]/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1126-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC AuthChangeUrl access"
-  http /.*_AuthChangeUrl\?/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1127-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC convert.bas access"
-  http /.*[\/\\]scripts[\/\\]convert\.bas/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1128-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC cpshost.dll access"
-  http /.*[\/\\]scripts[\/\\]cpshost\.dll/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1129-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC .htaccess access"
-  tcp-state established,originator
-  payload /.*\.[hH][tT][aA][cC][cC][eE][sS][sS]/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1130-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC .wwwacl access"
-  http /.*\.wwwacl/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1131-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC .wwwacl access"
-  http /.*\.www_acl/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1136-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC cd.."
-  tcp-state established,originator
-  payload /.*[cC][dD]\.\./
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1140-11 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC guestbook.pl access"
-  http /.*[\/\\]guestbook\.pl/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1142-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC /.... access"
-  tcp-state established,originator
-  payload /.*\/\.\.\.\./
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1143-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC ///cgi-bin access"
-  http /.*[\/\\][\/\\][\/\\]cgi-bin/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1144-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC /cgi-bin/// access"
-  http /.*[\/\\]cgi-bin[\/\\][\/\\][\/\\]/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1145-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC /~root access"
-  http /.*[\/\\]~root/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1662-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC /~ftp access"
-  http /.*[\/\\]~ftp/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1146-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC Ecommerce import.txt access"
-  http /.*[\/\\]config[\/\\]import\.txt/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1147-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC cat%20 access"
-  tcp-state established,originator
-  payload /.*[cC][aA][tT]%20/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1148-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC Ecommerce import.txt access"
-  http /.*[\/\\]orders[\/\\]import\.txt/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1150-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC Domino catalog.nsf access"
-  http /.*[\/\\]catalog\.nsf/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1151-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC Domino domcfg.nsf access"
-  http /.*[\/\\]domcfg\.nsf/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1152-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC Domino domlog.nsf access"
-  http /.*[\/\\]domlog\.nsf/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1153-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC Domino log.nsf access"
-  http /.*[\/\\]log\.nsf/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1154-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC Domino names.nsf access"
-  http /.*[\/\\]names\.nsf/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1575-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC Domino mab.nsf access"
-  http /.*[\/\\]mab\.nsf/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1576-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC Domino cersvr.nsf access"
-  http /.*[\/\\]cersvr\.nsf/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1577-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC Domino setup.nsf access"
-  http /.*[\/\\]setup\.nsf/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1579-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC Domino webadmin.nsf access"
-  http /.*[\/\\]webadmin\.nsf/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1580-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC Domino events4.nsf access"
-  http /.*[\/\\]events4\.nsf/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1581-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC Domino ntsync4.nsf access"
-  http /.*[\/\\]ntsync4\.nsf/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1582-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC Domino collect4.nsf access"
-  http /.*[\/\\]collect4\.nsf/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1583-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC Domino mailw46.nsf access"
-  http /.*[\/\\]mailw46\.nsf/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1584-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC Domino bookmark.nsf access"
-  http /.*[\/\\]bookmark\.nsf/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1585-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC Domino agentrunner.nsf access"
-  http /.*[\/\\]agentrunner\.nsf/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1586-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC Domino mail.box access"
-  http /.*[\/\\]mail\.box/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1155-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC Ecommerce checks.txt access"
-  http /.*[\/\\]orders[\/\\]checks\.txt/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1156-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC apache DOS attempt"
-  tcp-state established,originator
-  payload /.*\/\/\/\/\/\/\/\//
-  requires-signature ! http_iis_server
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1157-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC Netscape PublishingXpert access"
-  http /.*[\/\\]PSUser[\/\\]PSCOErrPage\.htm/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1158-10 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC windmail.exe access"
-  http /.*[\/\\]windmail\.exe/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1159-10 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC webplus access"
-  http /.*[\/\\]webplus\?script/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1160-11 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC Netscape dir index wp"
-  http /.*\?wp-/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1162-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC cart 32 AdminPwd access"
-  http /.*[\/\\]c32web\.exe[\/\\]ChangeAdminPassword/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1164-10 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC shopping cart access"
-  http /.*[\/\\]quikstore\.cfg/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1614-8 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC Novell Groupwise gwweb.exe attempt"
-  http /.*[\/\\]GWWEB\.EXE\?HELP=/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1165-9 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC Novell Groupwise gwweb.exe access"
-  tcp-state established,originator
-  payload /.*\/[gG][wW][wW][eE][bB]\.[eE][xX][eE]/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1166-8 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC ws_ftp.ini access"
-  http /.*[\/\\]ws_ftp\.ini/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1167-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC rpm_query access"
-  http /.*[\/\\]rpm_query/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1168-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC mall log order access"
-  http /.*[\/\\]mall_log_files[\/\\]order\.log/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1173-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC architext_query.pl access"
-  http /.*[\/\\]ews[\/\\]architext_query\.pl/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1175-10 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC wwwboard.pl access"
-  http /.*[\/\\]wwwboard\.pl/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1176-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC order.log access"
-  http /.*[\/\\]admin_files[\/\\]order\.log/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1177-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC Netscape Enterprise Server directory view"
-  http /.*\?wp-verify-link/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1180-12 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC get32.exe access"
-  http /.*[\/\\]get32\.exe/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1181-8 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC Annex Terminal DOS attempt"
-  http /.*[\/\\]ping\?query=/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1182-17 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC cgitest.exe attempt"
-  http /.*[\/\\]cgitest\.exe\x0D\x0Auser/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1587-12 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC cgitest.exe access"
-  http /.*[\/\\]cgitest\.exe/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1183-8 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC Netscape Enterprise Server directory view"
-  http /.*\?wp-cs-dump/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1184-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC Netscape Enterprise Server directory view"
-  http /.*\?wp-ver-info/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1186-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC Netscape Enterprise Server directory view"
-  http /.*\?wp-ver-diff/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1187-12 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC SalesLogix Eviewer web command attempt"
-  http /.*[\/\\]slxweb\.dll[\/\\]admin\?command=/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1588-8 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC SalesLogix Eviewer access"
-  http /.*[\/\\]slxweb\.dll/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1188-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC Netscape Enterprise Server directory view"
-  http /.*\?wp-start-ver/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1189-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC Netscape Enterprise Server directory view"
-  http /.*\?wp-stop-ver/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1190-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC Netscape Enterprise Server directory view"
-  http /.*\?wp-uncheckout/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1191-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC Netscape Enterprise Server directory view"
-  http /.*\?wp-html-rend/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1381-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC Trend Micro OfficeScan attempt"
-  http /.*[\/\\]officescan[\/\\]cgi[\/\\]jdkRqNotify\.exe\?/
-  http /.*domain=/
-  http /.*event=/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1192-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC Trend Micro OfficeScan access"
-  http /.*[\/\\]officescan[\/\\]cgi[\/\\]jdkRqNotify\.exe/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1193-10 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC oracle web arbitrary command execution attempt"
-  http /.*[\/\\]ows-bin[\/\\]/
-  http /.*\?&/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1880-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC oracle web application server access"
-  http /.*[\/\\]ows-bin[\/\\]/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1198-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC Netscape Enterprise Server directory view"
-  http /.*\?wp-usr-prop/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1202-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC search.vts access"
-  http /.*[\/\\]search\.vts/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1615-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC htgrep attempt"
-  http /.*[\/\\]htgrep/
-  tcp-state established,originator
-  payload /.*hdr=\//
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1207-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC htgrep access"
-  http /.*[\/\\]htgrep/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1209-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC .nsconfig access"
-  http /.*[\/\\]\.nsconfig/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1212-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC Admin_files access"
-  http /.*[\/\\]admin_files/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1213-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC backup access"
-  http /.*[\/\\]backup/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1216-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC filemail access"
-  http /.*[\/\\]filemail/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1217-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC plusmail access"
-  http /.*[\/\\]plusmail/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1218-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC adminlogin access"
-  http /.*[\/\\]adminlogin/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1220-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC ultraboard access"
-  http /.*[\/\\]ultraboard/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1589-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC musicat empower attempt"
-  http /.*[\/\\]empower\?DB=/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1221-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC musicat empower access"
-  http /.*[\/\\]empower\?DB=.{1,}/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1224-10 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC ROADS search.pl attempt"
-  http /.*[\/\\]ROADS[\/\\]cgi-bin[\/\\]search\.pl/
-  tcp-state established,originator
-  payload /.*[fF][oO][rR][mM]=/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1230-8 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC VirusWall FtpSave access"
-  http /.*[\/\\]FtpSave\.dll/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1234-8 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC VirusWall FtpSaveCSP access"
-  http /.*[\/\\]FtpSaveCSP\.dll/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1235-8 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC VirusWall FtpSaveCVP access"
-  http /.*[\/\\]FtpSaveCVP\.dll/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1054-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  # Not supported: pcre: /^\w+\s+[^\n\s\?]*\.jsp/smi
-  event "WEB-MISC weblogic/tomcat .jsp view source attempt"
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-  http /((^)|(\n+))[a-zA-Z0-9_]+[\x20\x09\x0b]+[^\n\x20\x09\x0b\?]*\.[jJ][sS][pP]/
-}
-
-signature s2b-1241-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC SWEditServlet directory traversal attempt"
-  http /.*[\/\\]SWEditServlet/
-  tcp-state established,originator
-  payload /.*template=\.\.\/\.\.\/\.\.\//
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1259-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC SWEditServlet access"
-  http /.*[\/\\]SWEditServlet/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1139-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC whisker HEAD/./"
-  tcp-state established,originator
-  payload /.*HEAD\/\.\//
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1258-10 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC HP OpenView Manager DOS"
-  http /.*[\/\\]OvCgi[\/\\]OpenView5\.exe\?Context=Snmp&Action=Snmp&Host=&Oid=/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1260-10 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC long basic authorization string"
-  tcp-state established,originator
-  payload /.*[aA][uU][tT][hH][oO][rR][iI][zZ][aA][tT][iI][oO][nN]\x3A [bB][aA][sS][iI][cC] [^\x0A]{512}/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1291-8 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC sml3com access"
-  http /.*[\/\\]graphics[\/\\]sml3com/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1001-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC carbo.dll access"
-  http /.*[\/\\]carbo\.dll/
-  tcp-state established,originator
-  payload /.*[iI][cC][aA][tT][cC][oO][mM][mM][aA][nN][dD]=/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1302-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC console.exe access"
-  http /.*[\/\\]cgi-bin[\/\\]console\.exe/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1303-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC cs.exe access"
-  http /.*[\/\\]cgi-bin[\/\\]cs\.exe/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1113-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC http directory traversal"
-  tcp-state established,originator
-  payload /.*\.\.\//
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1375-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC sadmind worm access"
-  tcp-state established,originator
-  payload /.{0,1}GET x HTTP\/1\.0/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1376-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC jrun directory browse attempt"
-  http /.*[\/\\]\?\.jsp/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1385-11 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC mod-plsql administration access"
-  http /.*[\/\\]admin_[\/\\]/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1391-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC Phorecast remote code execution attempt"
-  tcp-state established,originator
-  payload /.*includedir=/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1403-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC viewcode access"
-  http /.*[\/\\]viewcode/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1433-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC .history access"
-  http /.*[\/\\]\.history/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1434-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC .bash_history access"
-  http /.*[\/\\]\.bash_history/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1489-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC /~nobody access"
-  http /.*[\/\\]~nobody/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1492-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC RBS ISP /newuser  directory traversal attempt"
-  http /.*[\/\\]newuser\?Image=\.\.[\/\\]\.\./
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1493-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC RBS ISP /newuser access"
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-  http /.*\x3a8002.*[\/\\]newuser\x3f.*\x2e\x2e[\/\\]/
-}
-
-signature s2b-1663-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC *%0a.pl access"
-  http /.*[\/\\]\*\x0A\.pl/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1664-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC mkplog.exe access"
-  http /.*[\/\\]mkplog\.exe/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-509-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC PCCS mysql database admin tool access"
-  tcp-state established,originator
-  payload /.{0,5}[pP][cC][cC][sS][mM][yY][sS][qQ][lL][aA][dD][mM]\/[iI][nN][cC][sS]\/[dD][bB][cC][oO][nN][nN][eE][cC][tT]\.[iI][nN][cC]/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1769-3 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC .DS_Store access"
-  http /.*[\/\\]\.DS_Store/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1770-3 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC .FBCIndex access"
-  http /.*[\/\\]\.FBCIndex/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1500-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC ExAir access"
-  http /.*[\/\\]exair[\/\\]search[\/\\]/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1519-8 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC apache ?M=D directory list attempt"
-  http /.*[\/\\]\?M=D/
-  tcp-state established,originator
-  http /Content-language:.* /
-  requires-reverse-signature ! http_error
-  eval isApacheLt1322
-}
-
-signature s2b-1520-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC server-info access"
-  http /.*[\/\\]server-info/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1522-10 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC ans.pl attempt"
-  http /.*[\/\\]ans\.pl\?p=\.\.[\/\\]\.\.[\/\\]/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1523-10 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC ans.pl access"
-  http /.*[\/\\]ans\.pl/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1524-9 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC AxisStorpoint CD attempt"
-  http /.*[\/\\]cd[\/\\]\.\.[\/\\]config[\/\\]html[\/\\]cnf_gi\.htm/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1525-9 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC Axis Storpoint CD access"
-  http /.*[\/\\]config[\/\\]html[\/\\]cnf_gi\.htm/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1526-8 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC basilix sendmail.inc access"
-  http /.*[\/\\]inc[\/\\]sendmail\.inc/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1527-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC basilix mysql.class access"
-  http /.*[\/\\]class[\/\\]mysql\.class/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1528-8 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC BBoard access"
-  http /.*[\/\\]servlet[\/\\]sunexamples\.BBoardServlet/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1544-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC Cisco Catalyst command execution attempt"
-  http /.*[\/\\]exec[\/\\]show[\/\\]config[\/\\]cr/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1552-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC cvsweb version access"
-  http /.*[\/\\]cvsweb[\/\\]version/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1563-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC login.htm attempt"
-  http /.*[\/\\]login\.htm\?password=/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1603-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC DELETE attempt"
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-  http /.{0,7}[dD][eE][lL][eE][tT][eE] /
-}
-
-signature s2b-1670-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC /home/ftp access"
-  http /.*[\/\\]home[\/\\]ftp/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1738-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC global.inc access"
-  http /.*[\/\\]global\.inc/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1744-3 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC SecureSite authentication bypass attempt"
-  tcp-state established,originator
-  payload /.*[sS][eE][cC][uU][rR][eE]_[sS][iI][tT][eE], [oO][kK]/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1757-3 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC b2 arbitrary command execution attempt"
-  http /.*[\/\\]b2[\/\\]b2-include[\/\\]/
-  tcp-state established,originator
-  payload /.*b2inc/
-  payload /.*http\x3A\/\//
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1758-3 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC b2 access"
-  http /.*[\/\\]b2[\/\\]b2-include[\/\\]/
-  tcp-state established,originator
-  payload /.*b2inc/
-  payload /.*http\x3A\/\//
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1766-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC search.dll directory listing attempt"
-  http /.*[\/\\]search\.dll/
-  tcp-state established,originator
-  payload /.*query=%00/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1767-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC search.dll access"
-  http /.*[\/\\]search\.dll/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-  eval isNotIIS
-  eval isNotApache
-}
-
-signature s2b-1498-4 {
-  ip-proto == tcp
-  dst-port == 8181
-  event "WEB-MISC PIX firewall manager directory traversal attempt"
-  tcp-state established,originator
-  payload /.*\/\.\.\/\.\.\//
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1558-5 {
-  ip-proto == tcp
-  dst-port == 8080
-  event "WEB-MISC Delegate whois overflow attempt"
-  tcp-state established,originator
-  payload /.*[wW][hH][oO][iI][sS]\x3A\/\//
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1518-5 {
-  ip-proto == tcp
-  dst-port == 8000
-  event "WEB-MISC nstelemetry.adp access"
-  tcp-state established,originator
-  payload /.*\/nstelemetry\.adp/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1132-6 {
-  ip-proto == tcp
-  dst-port == 457
-  event "WEB-MISC Netscape Unixware overflow"
-  tcp-state established,originator
-  payload /.*\xEB_\x9A\xFF\xFF\xFF\xFF\x07\xFF\xC3\^1\xC0\x89F\x9D/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1199-11 {
-  ip-proto == tcp
-  dst-port == 2301
-  event "WEB-MISC Compaq Insight directory traversal"
-  tcp-state established,originator
-  payload /.*\.\.\//
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1231-8 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC VirusWall catinfo access"
-  http /.*[\/\\]catinfo/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1232-8 {
-  ip-proto == tcp
-  dst-port == 1812
-  event "WEB-MISC VirusWall catinfo access"
-  tcp-state established,originator
-  payload /.*\/[cC][aA][tT][iI][nN][fF][oO]/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1809-9 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC Apache Chunked-Encoding worm attempt"
-  tcp-state established,originator
-  payload /.*[cC][cC][cC][cC][cC][cC][cC]\x3A [aA][aA][aA][aA][aA][aA][aA][aA][aA][aA][aA][aA][aA][aA][aA][aA][aA][aA][aA]/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1807-9 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC Chunked-Encoding transfer attempt"
-  tcp-state established,originator
-  payload /.*[tT][rR][aA][nN][sS][fF][eE][rR]-[eE][nN][cC][oO][dD][iI][nN][gG]\x3A/
-  payload /.*[cC][hH][uU][nN][kK][eE][dD]/
-  requires-reverse-signature ! http_error
-  eval isApacheLt1322
-}
-
-signature s2b-1814-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC CISCO VoIP DOS ATTEMPT"
-  http /.*[\/\\]StreamingStatistics/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1820-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC IBM Net.Commerce orderdspc.d2w access"
-  http /.*[\/\\]ncommerce3[\/\\]ExecMacro[\/\\]orderdspc\.d2w/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1826-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC WEB-INF access"
-  http /.*[\/\\]WEB-INF \.\/.{1,}/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1827-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC Tomcat servlet mapping cross site scripting attempt"
-  http /.*[\/\\]servlet[\/\\]/
-  http /.*[\/\\]org\.apache\./
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1828-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC iPlanet Search directory traversal attempt"
-  http /.*[\/\\]search/
-  tcp-state established,originator
-  payload /.*NS-query-pat=/
-  payload /.*\.\.\/\.\.\//
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1829-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC Tomcat TroubleShooter servlet access"
-  http /.*[\/\\]examples[\/\\]servlet[\/\\]TroubleShooter/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1830-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC Tomcat SnoopServlet servlet access"
-  http /.*[\/\\]examples[\/\\]servlet[\/\\]SnoopServlet/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1831-3 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC jigsaw dos attempt"
-  http /.*[\/\\]servlet[\/\\]con/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-  eval isNotIIS
-  eval isNotApache
-}
-
-signature s2b-1835-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC Macromedia SiteSpring cross site scripting attempt"
-  http /.*[\/\\]error[\/\\]500error\.jsp/
-  http /.*et=/
-  http /.*<script/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1839-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC mailman cross site scripting attempt"
-  http /.*[\/\\]mailman[\/\\]/
-  http /.*\?/
-  http /.*info=/
-  http /.*<script/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1848-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC webcart-lite access"
-  http /.*[\/\\]webcart-lite[\/\\]/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1849-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC webfind.exe access"
-  http /.*[\/\\]webfind\.exe/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1851-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC active.log access"
-  http /.*[\/\\]active\.log/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1858-5 {
-  ip-proto == tcp
-  dst-port == 8181
-  event "WEB-MISC CISCO PIX Firewall Manager directory traversal attempt"
-  tcp-state established,originator
-  payload /.*\/pixfir~1\/how_to_login\.html/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1859-5 {
-  ip-proto == tcp
-  dst-port == 9090
-  event "WEB-MISC Sun JavaServer default password login attempt"
-  tcp-state established,originator
-  payload /.*\/servlet\/admin/
-  payload /.*ae9f86d6beaa3f9ecb9a5b7e072a4138/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1860-4 {
-  ip-proto == tcp
-  dst-port == 8080
-  event "WEB-MISC Linksys router default password login attempt"
-  tcp-state established,originator
-  payload /.*Authorization\x3A Basic OmFkbWlu/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1861-7 {
-  ip-proto == tcp
-  dst-port == 8080
-  event "WEB-MISC Linksys router default username and password login attempt"
-  tcp-state established,originator
-  payload /.*[aA][uU][tT][hH][oO][rR][iI][zZ][aA][tT][iI][oO][nN]\x3A /
-  payload /.* [bB][aA][sS][iI][cC] /
-  payload /.*YWRtaW46YWRtaW4/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2230-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC NetGear router default password login attempt admin/password"
-  tcp-state established,originator
-  payload /.*[aA][uU][tT][hH][oO][rR][iI][zZ][aA][tT][iI][oO][nN]\x3A /
-  payload /.* [bB][aA][sS][iI][cC] /
-  payload /.*YWRtaW46cGFzc3dvcmQ/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1871-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC Oracle XSQLConfig.xml access"
-  http /.*[\/\\]XSQLConfig\.xml/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1872-3 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC Oracle Dynamic Monitoring Services dms access"
-  http /.*[\/\\]dms0/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1873-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC globals.jsa access"
-  http /.*[\/\\]globals\.jsa/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1874-1 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC Oracle Java Process Manager access"
-  http /.*[\/\\]oprocmgr-status/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1881-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC bad HTTP/1.1 request, Potential worm attack"
-  tcp-state established,originator
-  payload /GET \/ HTTP\/1\.1\x0D\x0A\x0D\x0A/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1104-9 {
-  ip-proto == tcp
-  dst-port == http_ports
-  payload-size == 1
-  event "WEB-MISC whisker space splice attack"
-  tcp-state established,originator
-  payload / /
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1087-8 {
-  ip-proto == tcp
-  dst-port == http_ports
-  payload-size < 5
-  event "WEB-MISC whisker tab splice attack"
-  tcp-state established,originator
-  payload /.*\x09/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1808-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC apache chunked encoding memory corruption exploit attempt"
-  tcp-state established,originator
-  payload /.*\xC0PR\x89\xE1PQRP\xB8\x3B\x00\x00\x00\xCD\x80/
-  requires-signature ! http_msie_client
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1943-3 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC /Carello/add.exe access"
-  http /.*[\/\\]Carello[\/\\]add\.exe/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1944-1 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC /ecscripts/ecware.exe access"
-  http /.*[\/\\]ecscripts[\/\\]ecware\.exe/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1969-3 {
-  ip-proto == tcp
-  dst-port == http_ports
-  dst-ip == local_nets
-  event "WEB-MISC ion-p remote file access"
-  http /.*[\/\\]ion-p\?.*(c:\\|\.\.\/)/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1499-5 {
-  ip-proto == tcp
-  dst-port == 8888
-  event "WEB-MISC SiteScope Service access"
-  tcp-state established,originator
-  payload /.*\/SiteScope\/cgi\/go\.exe\/SiteScope/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1946-3 {
-  ip-proto == tcp
-  dst-port == 8888
-  event "WEB-MISC answerbook2 admin attempt"
-  tcp-state established,originator
-  payload /.*\/cgi-bin\/admin\/admin/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1947-4 {
-  ip-proto == tcp
-  dst-port == 8888
-  event "WEB-MISC answerbook2 arbitrary command execution attempt"
-  tcp-state established,originator
-  payload /.*\/ab2\/.{1}.*\x3B/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2056-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC TRACE attempt"
-  tcp-state established,originator
-  payload /TRACE/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2057-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC helpout.exe access"
-  http /.*[\/\\]helpout\.exe/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2058-1 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC MsmMask.exe attempt"
-  http /.*[\/\\]MsmMask\.exe/
-  tcp-state established,originator
-  payload /.*mask=/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2060-1 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC DB4Web access"
-  http /.*[\/\\]DB4Web[\/\\]/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2061-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC Tomcat null byte directory listing attempt"
-  http /.*\x00\.jsp/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2062-1 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC iPlanet .perf access"
-  http /.*[\/\\]\.perf/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2063-1 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC Demarc SQL injection attempt"
-  http /.*[\/\\]dm[\/\\]demarc/
-  tcp-state established,originator
-  payload /.*s_key=.*.*'.{1}.*'.*.*'/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2064-2 {
-  ip-proto == tcp
-  dst-port == http_ports
-  dst-ip == local_nets
-  event "WEB-MISC Lotus Notes .csp script source download attempt"
-  http /.*\.csp/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2066-2 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC Lotus Notes .pl script source download attempt"
-  http /.*\.pl/
-  tcp-state established,originator
-  payload /.*\.pl\./
-  requires-reverse-signature ! http_error
-  eval isNotApache
-  eval isNotIIS
-}
-
-signature s2b-2068-2 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC BitKeeper arbitrary command attempt"
-  http /.*[\/\\]diffs[\/\\]/
-  tcp-state established,originator
-  payload /.*'.*.*\x3B.{1}.*'/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2069-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC chip.ini access"
-  http /.*[\/\\]chip\.ini/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2070-2 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC post32.exe arbitrary command attempt"
-  http /.*[\/\\]post32\.exe\x7C/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2071-1 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC post32.exe access"
-  http /.*[\/\\]post32\.exe/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2072-3 {
-  ip-proto == tcp
-  dst-port == http_ports
-  dst-ip == local_nets
-  event "WEB-MISC lyris.pl admin access"
-  http /POST.*[\/\\]lyris\.pl/
-  payload /list_admin=[Tt]/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2073-3 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC globals.pl access"
-  http /.*[\/\\]globals\.pl/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2135-1 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC philboard.mdb access"
-  http /.*[\/\\]philboard\.mdb/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2136-2 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC philboard_admin.asp authentication bypass attempt"
-  http /.*[\/\\]philboard_admin\.asp/
-  tcp-state established,originator
-  payload /.*[cC][oO][oO][kK][iI][eE].*.*philboard_admin=True/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2137-2 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC philboard_admin.asp access"
-  http /.*[\/\\]philboard_admin\.asp/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2138-2 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC logicworks.ini access"
-  http /.*[\/\\]logicworks\.ini/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2139-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC /*.shtml access"
-  http /.*[\/\\]\*\.shtml/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2156-1 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC mod_gzip_status access"
-  http /.*[\/\\]mod_gzip_status/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2231-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC register.dll access"
-  http /.*[\/\\]register\.dll/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2232-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC ContentFilter.dll access"
-  http /.*[\/\\]ContentFilter\.dll/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2233-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC SFNofitication.dll access"
-  http /.*[\/\\]SFNofitication\.dll/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2234-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC TOP10.dll access"
-  http /.*[\/\\]TOP10\.dll/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2235-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC SpamExcp.dll access"
-  http /.*[\/\\]SpamExcp\.dll/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2236-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC spamrule.dll access"
-  http /.*[\/\\]spamrule\.dll/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2237-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC cgiWebupdate.exe access"
-  http /.*[\/\\]cgiWebupdate\.exe/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2238-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC WebLogic ConsoleHelp view source attempt"
-  http /.*[\/\\]ConsoleHelp[\/\\]/
-  http /.*\.jsp/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2239-3 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC redirect.exe access"
-  http /.*[\/\\]redirect\.exe/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2240-3 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC changepw.exe access"
-  http /.*[\/\\]changepw\.exe/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2241-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC cwmail.exe access"
-  http /.*[\/\\]cwmail\.exe/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2242-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC ddicgi.exe access"
-  http /.*[\/\\]ddicgi\.exe/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2243-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC ndcgi.exe access"
-  http /.*[\/\\]ndcgi\.exe/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2244-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC VsSetCookie.exe access"
-  http /.*[\/\\]VsSetCookie\.exe/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2245-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC Webnews.exe access"
-  http /.*[\/\\]Webnews\.exe/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2246-1 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC webadmin.dll access"
-  http /.*[\/\\]webadmin\.dll/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2276-1 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC oracle portal demo access"
-  http /.*[\/\\]pls[\/\\]portal[\/\\]PORTAL_DEMO/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2277-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC PeopleSoft PeopleBooks psdoccgi access"
-  http /.*[\/\\]psdoccgi/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2278-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  # Not supported: pcre: /^Content-Length\x3a\s+-\d+/smi
-  event "WEB-MISC negative Content-Length attempt"
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-  http /((^)|(\n+))[cC][oO][nN][tT][eE][nN][tT]-[lL][eE][nN][gG][tT][hH]\x3a[\x20\x09\x0b]+-[0-9]+\/+/
-}
-
-signature s2b-2327-2 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC bsml.pl access"
-  http /.*[\/\\]bsml\.pl/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2369-1 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC ISAPISkeleton.dll access"
-  http /.*[\/\\]ISAPISkeleton\.dll/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2370-2 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC BugPort config.conf file access"
-  http /.*[\/\\]config\.conf/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2371-2 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC Sample_showcode.html access"
-  http /.*[\/\\]Sample_showcode\.html/
-  tcp-state established,originator
-  payload /.*[fF][nN][aA][mM][eE]/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2381-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  # Not supported: pcre: /^[^\/]{14,}?\x3a\/\//U
-  event "WEB-MISC schema overflow attempt"
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-  http /^[^\/]{14,}?\x3a\/\//
-}
-
-signature s2b-2395-3 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC InteractiveQuery.jsp access"
-  http /.*[\/\\]InteractiveQuery\.jsp/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2400-1 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC edittag.pl access"
-  http /.*[\/\\]edittag\.pl/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2411-5 {
-  ip-proto == tcp
-  dst-port == 554
-  # Not supported: pcre: /^DESCRIBE\s[^\n]{300}/smi
-  event "WEB-MISC Real Server DESCRIBE buffer overflow attempt"
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-  http /((^)|(\n+))[dD][eE][sS][cC][rR][iI][bB][eE][\x20\x09\x0b][^\n]{300}/
-}
-
-signature s2b-2441-3 {
-  ip-proto == tcp
-  dst-port == http_ports
-  # Not supported: pcre: /^Cookie\x3a[^\n]*?login=0/smi
-  event "WEB-MISC NetObserve authentication bypass attempt"
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-  http /((^)|(\n+))[cC][oO][oO][kK][iI][eE]\x3a[^\n]*?[lL][oO][gG][iI][nN]=0/
-}
-
-signature s2b-2442-6 {
-  ip-proto == tcp
-  dst-port >= 8000
-  dst-port <= 8001
-  # Not supported: pcre: /^User-Agent\x3a[^\n]{244,255}/smi
-  event "WEB-MISC Quicktime User-Agent buffer overflow attempt"
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-  http /((^)|(\n+))[uU][sS][eE][rR]-[aA][gG][eE][nN][tT]\x3a[^\n]{244,255}/
-}
-
-signature s2b-2484-1 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC source.jsp access"
-  http /.*[\/\\]source\.jsp/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2447-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC ServletManager access"
-  http /.*[\/\\]servlet[\/\\]ServletManager/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2448-2 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC setinfo.hts access"
-  http /.*[\/\\]setinfo\.hts/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2505-7 {
-  ip-proto == tcp
-  dst-port == 443
-  event "WEB-MISC SSLv3 invalid data version attempt"
-  tcp-state established,originator
-  payload /\x16\x03/
-  payload /.{4}\x01/
-  payload /.{8}[^\x03]*/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2520-5 {
-  ip-proto == tcp
-  dst-port == 443
-  # Not supported: flowbits: isnotset,sslv3.client_hello.request,set,sslv3.client_hello.request,noalert
-  event "WEB-MISC SSLv3 Client_Hello request"
-  tcp-state established,originator
-  payload /\x16\x03/
-  payload /.{4}\x01/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2562-3 {
-  ip-proto == tcp
-  dst-port == 81
-  event "WEB-MISC McAfee ePO file upload attempt"
-  tcp-state established,originator
-  payload /.*\/[sS][pP][iI][pP][eE]\/[rR][eE][pP][lL]_[fF][iI][lL][eE]/
-  payload /.*[cC][oO][mM][mM][aA][nN][dD]=[bB][eE][gG][iI][nN]/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2570-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-MISC Invalid HTTP Version String"
-  tcp-state established,originator
-  # Not supported: isdataat: 6,relative
-  payload /.*HTTP\/[^\x0A]{5}/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1774-3 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP bb_smilies.php access"
-  http /.*[\/\\]bb_smilies\.php/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1423-12 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP content-disposition memchr overflow"
-  tcp-state established,originator
-  payload /.*[cC][oO][nN][tT][eE][nN][tT]-[dD][iI][sS][pP][oO][sS][iI][tT][iI][oO][nN]\x3A/
-  payload /.*name=\x22\xCC\xCC\xCC\xCC\xCC/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1736-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP squirrel mail spell-check arbitrary command attempt"
-  http /.*[\/\\]squirrelspell[\/\\]modules[\/\\]check_me\.mod\.php/
-  tcp-state established,originator
-  payload /.*[sS][qQ][sS][pP][eE][lL][lL]_[aA][pP][pP]\[/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1737-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP squirrel mail theme arbitrary command attempt"
-  http /.*[\/\\]left_main\.php/
-  tcp-state established,originator
-  payload /.*[cC][mM][dD][dD]=/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1739-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP DNSTools administrator authentication bypass attempt"
-  http /.*[\/\\]dnstools\.php/
-  tcp-state established,originator
-  payload /.*[uU][sS][eE][rR]_[lL][oO][gG][gG][eE][dD]_[iI][nN]=[tT][rR][uU][eE]/
-  payload /.*[uU][sS][eE][rR]_[dD][nN][sS][tT][oO][oO][lL][sS]_[aA][dD][mM][iI][nN][iI][sS][tT][rR][aA][tT][oO][rR]=[tT][rR][uU][eE]/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1740-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP DNSTools authentication bypass attempt"
-  http /.*[\/\\]dnstools\.php/
-  tcp-state established,originator
-  payload /.*[uU][sS][eE][rR]_[lL][oO][gG][gG][eE][dD]_[iI][nN]=[tT][rR][uU][eE]/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1741-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP DNSTools access"
-  http /.*[\/\\]dnstools\.php/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1742-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP Blahz-DNS dostuff.php modify user attempt"
-  http /.*[\/\\]dostuff\.php\?action=modify_user/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1743-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP Blahz-DNS dostuff.php access"
-  http /.*[\/\\]dostuff\.php/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1745-3 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP Messagerie supp_membre.php access"
-  http /.*[\/\\]supp_membre\.php/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1773-3 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP php.exe access"
-  http /.*\/php\/php\.exe\?[cCdD]\:\//
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1815-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP directory.php arbitrary command attempt"
-  http /.*[\/\\]directory\.php/
-  tcp-state established,originator
-  payload /.*dir=/
-  payload /.*\x3B/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1816-3 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP directory.php access"
-  http /.*[\/\\]directory\.php[\;\|]{1,}/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1834-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP PHP-Wiki cross site scripting attempt"
-  http /.*[\/\\]modules\.php\?/
-  http /.*name=Wiki/
-  http /.*<script/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1967-1 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP phpbb quick-reply.php arbitrary command attempt"
-  http /.*[\/\\]quick-reply\.php/
-  tcp-state established,originator
-  payload /.{1}.*phpbb_root_path=/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1968-1 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP phpbb quick-reply.php access"
-  http /.*[\/\\]quick-reply\.php/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1997-3 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP read_body.php access attempt"
-  http /.*[\/\\]read_body\.php/
-  tcp-state established,originator
-  http /.*[fF][rR][oO][mM]\x3a.*\x3cscript\x3e.*document.cookie.*\x3c\x2fscript\x3e/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1999-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP edit_image.php access"
-  http /.*[\/\\]edit_image\.php/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2000-1 {
-  ip-proto == tcp
-  dst-port == http_ports
-  dst-ip == local_nets
-  event "WEB-PHP readmsg.php access"
-  http /.*[\/\\]readmsg\.php/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-  # "Possible many false positives"
-  # "If running this webmail server check version to make sure it's not vulnerable and then disable this signature or adjust the notice action."
-}
-
-signature s2b-2002-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  # Not supported: pcre: /page=(http|https|ftp)/i
-  event "WEB-PHP remote include path"
-  tcp-state established,originator
-  payload /.*path=/
-  requires-reverse-signature ! http_error
-  http /.*\.php.*[pP][aA][tT][hH]\x3d(http|https|ftp)\x2fi/
-}
-
-signature s2b-1134-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP Phorum admin access"
-  http /.*[\/\\]admin\.php3/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1161-9 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP piranha passwd.php3 access"
-  http /.*[\/\\]passwd\.php3/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1178-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP Phorum read access"
-  http /.*[\/\\]read\.php3/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1179-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP Phorum violation access"
-  http /.*[\/\\]violation\.php3/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1197-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP Phorum code access"
-  http /.*[\/\\]code\.php3/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1300-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP admin.php file upload attempt"
-  http /.*[\/\\]admin\.php/
-  tcp-state established,originator
-  payload /.*[fF][iI][lL][eE]_[nN][aA][mM][eE]=/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1301-11 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP admin.php access"
-  http /.*[\/\\]admin\.php/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1407-8 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP smssend.php access"
-  http /.*[\/\\]smssend\.php/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1399-11 {
-  ip-proto == tcp
-  dst-port == http_ports
-  # Not supported: pcre: /file=(http|https|ftp)/i
-  event "WEB-PHP PHP-Nuke remote file include attempt"
-  http /.*[\/\\]index\.php.*[fF][iI][lL][eE]=([hH][tT][tT][pP][sS]?|[fF][tT][pP])/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1490-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP Phorum /support/common.php attempt"
-  http /.*[\/\\]support[\/\\]common\.php/
-  tcp-state established,originator
-  payload /.*ForumLang=\.\.\//
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1491-6 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP Phorum /support/common.php access"
-  http /.*[\/\\]support[\/\\]common\.php/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1137-9 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP Phorum authentication access"
-  tcp-state established,originator
-  payload /.*[pP][hH][pP]_[aA][uU][tT][hH]_[uU][sS][eE][rR]=[bB][oO][oO][gG][iI][eE][mM][aA][nN]/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1085-8 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP strings overflow"
-  tcp-state established,originator
-  payload /.*\xBAI\xFE\xFF\xFF\xF7\xD2\xB9\xBF\xFF\xFF\xFF\xF7\xD1/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1086-12 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP strings overflow"
-  http /.*\?STRENGUR/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1254-8 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP PHPLIB remote command attempt"
-  tcp-state established,originator
-  payload /.*_PHPLIB\[libdir\]/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-1255-8 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP PHPLIB remote command attempt"
-  http /.*[\/\\]db_mysql\.inc/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2074-2 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP Mambo uploadimage.php upload php file attempt"
-  http /.*[\/\\]uploadimage\.php/
-  tcp-state established,originator
-  payload /.*userfile_name=.{1}.*\.php/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2075-2 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP Mambo upload.php upload php file attempt"
-  http /.*[\/\\]upload\.php/
-  tcp-state established,originator
-  payload /.*userfile_name=.{1}.*\.php/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2076-2 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP Mambo uploadimage.php access"
-  http /.*[\/\\]uploadimage\.php/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2077-2 {
-  ip-proto == tcp
-  dst-ip == local_nets
-  dst-port == http_ports
-  event "WEB-PHP Mambo upload.php access"
-  http /.*[\/\\]upload\.php/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2078-2 {
-  ip-proto == tcp
-  dst-port == http_ports
-  dst-ip == local_nets
-  event "WEB-PHP phpBB privmsg.php access"
-  http /.*[\/\\]privmsg\.php.{1,}\?[Ff][Oo][Ll][Dd][Ee][Rr]=.{1,}[Mm][Oo][Dd][Ee]=.{1,}[Cc][Oo][Nn][Ff][Ii][Rr][Mm]=[Yy][Ee][Ss]/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2140-1 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP p-news.php access"
-  http /.*[\/\\]p-news\.php/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2141-1 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP shoutbox.php directory traversal attempt"
-  http /.*[\/\\]shoutbox\.php/
-  tcp-state established,originator
-  payload /.*conf=.*.*\.\.\//
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2143-3 {
-  ip-proto == tcp
-  dst-port == http_ports
-  # Not supported: pcre: /b2inc=(http|https|ftp)/i
-  event "WEB-PHP b2 cafelog gm-2-b2.php remote file include attempt"
-  http /.*[\/\\]gm-2-b2\.php/
-  tcp-state established,originator
-  payload /.*b2inc=/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2144-1 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP b2 cafelog gm-2-b2.php access"
-  http /.*[\/\\]gm-2-b2\.php/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2145-3 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP TextPortal admin.php default password admin attempt"
-  http /.*[\/\\]admin\.php/
-  tcp-state established,originator
-  payload /.*op=admin_enter/
-  payload /.*password=admin/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2146-3 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP TextPortal admin.php default password 12345 attempt"
-  http /.*[\/\\]admin\.php/
-  tcp-state established,originator
-  payload /.*op=admin_enter/
-  payload /.*password=12345/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2147-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  # Not supported: pcre: /Server\x5bpath\x5d=(http|https|ftp)/
-  event "WEB-PHP BLNews objects.inc.php4 remote file include attempt"
-  http /.*[\/\\]objects\.inc\.php4/
-  tcp-state established,originator
-  payload /.*Server\[path\]=/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2148-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP BLNews objects.inc.php4 access"
-  http /.*[\/\\]objects\.inc\.php4/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2149-1 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP Turba status.php access"
-  http /.*[\/\\]turba[\/\\]status\.php/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2150-7 {
-  ip-proto == tcp
-  dst-port == http_ports
-  # Not supported: pcre: /admin_root=(http|https|ftp)/
-  event "WEB-PHP ttCMS header.php remote file include attempt"
-  http /.*[\/\\]admin[\/\\]templates[\/\\]header\.php/
-  tcp-state established,originator
-  payload /.*admin_root=/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2151-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP ttCMS header.php access"
-  http /.*[\/\\]admin[\/\\]templates[\/\\]header\.php/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2153-1 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP autohtml.php directory traversal attempt"
-  http /.*[\/\\]autohtml\.php/
-  tcp-state established,originator
-  payload /.*name=.*.*\.\.\/\.\.\//
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2154-1 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP autohtml.php access"
-  http /.*[\/\\]autohtml\.php/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2155-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  # Not supported: pcre: /template=(http|https|ftp)/i
-  event "WEB-PHP ttforum remote file include attempt"
-  http /.*forum[\/\\]index\.php/
-  tcp-state established,originator
-  payload /.*template=/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2226-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  # Not supported: pcre: /pm_path=(http|https|ftp)/
-  event "WEB-PHP pmachine remote file include attempt"
-  http /.*lib\.inc\.php/
-  tcp-state established,originator
-  payload /.*pm_path=/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2227-2 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP forum_details.php access"
-  http /.*forum_details\.php/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2228-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP phpMyAdmin db_details_importdocsql.php access"
-  http /.*db_details_importdocsql\.php/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2229-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP viewtopic.php access"
-  http /.*viewtopic\.php/
-  tcp-state established,originator
-  http /.*[sS][uU][bB][sS][Ss][tT][rR][iI][nN][gG]\x28[uU][sS][eE][rR][pP][aA][sS][sS][wW][oO][rR][dD]*./
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2279-2 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP UpdateClasses.php access"
-  http /.*[\/\\]UpdateClasses\.php/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2280-2 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP Title.php access"
-  http /.*[\/\\]Title\.php/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2281-2 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP Setup.php access"
-  http /.*[\/\\]Setup\.php/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2282-2 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP GlobalFunctions.php access"
-  http /.*[\/\\]GlobalFunctions\.php/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2283-2 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP DatabaseFunctions.php access"
-  http /.*[\/\\]DatabaseFunctions\.php/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2284-3 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP rolis guestbook remote file include attempt"
-  http /.*[\/\\]insert\.inc\.php/
-  tcp-state established,originator
-  payload /.*[pP][aA][tT][hH]=/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2285-2 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP rolis guestbook access"
-  http /.*[\/\\]insert\.inc\.php/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2286-2 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP friends.php access"
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-  http /.*[\/\\]friends\.php\x3fadmin\x3d[a-zA-Z0-9]{5,20}.* /
-}
-
-signature s2b-2287-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP Advanced Poll admin_comment.php access"
-  http /.*[\/\\]admin_comment\.php/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2288-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP Advanced Poll admin_edit.php access"
-  http /.*[\/\\]admin_edit\.php/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2289-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP Advanced Poll admin_embed.php access"
-  http /.*[\/\\]admin_embed\.php/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2290-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP Advanced Poll admin_help.php access"
-  http /.*[\/\\]admin_help\.php/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2291-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP Advanced Poll admin_license.php access"
-  http /.*[\/\\]admin_license\.php/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2292-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP Advanced Poll admin_logout.php access"
-  http /.*[\/\\]admin_logout\.php/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2293-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP Advanced Poll admin_password.php access"
-  http /.*[\/\\]admin_password\.php/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2295-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP Advanced Poll admin_settings.php access"
-  http /.*[\/\\]admin_settings\.php/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2296-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP Advanced Poll admin_stats.php access"
-  http /.*[\/\\]admin_stats\.php/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2297-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP Advanced Poll admin_templates_misc.php access"
-  http /.*[\/\\]admin_templates_misc\.php/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2298-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP Advanced Poll admin_templates.php access"
-  http /.*[\/\\]admin_templates\.php/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2299-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP Advanced Poll admin_tpl_misc_new.php access"
-  http /.*[\/\\]admin_tpl_misc_new\.php/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2300-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP Advanced Poll admin_tpl_new.php access"
-  http /.*[\/\\]admin_tpl_new\.php/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2301-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP Advanced Poll booth.php access"
-  http /.*[\/\\]booth\.php/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2302-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP Advanced Poll poll_ssi.php access"
-  http /.*[\/\\]poll_ssi\.php/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2304-2 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP files.inc.php access"
-  http /.*[\/\\]files\.inc\.php/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2305-2 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP chatbox.php access"
-  http /.*[\/\\]chatbox\.php/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2306-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  # Not supported: pcre: /GALLERY_BASEDIR=(http|https|ftp)/i
-  event "WEB-PHP gallery remote file include attempt"
-  http /.*[\/\\]setup[\/\\]/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-  http /.*[gG][aA][lL][lL][eE][rR][yY]_[bB][aA][sS][eE][dD][iI][rR]=(http|https|ftp)/
-}
-
-signature s2b-2307-5 {
-  ip-proto == tcp
-  dst-port == http_ports
-  # Not supported: pcre: /page=(http|https|ftp)/i
-  event "WEB-PHP PayPal Storefront remote file include attemtp"
-  tcp-state established,originator
-  payload /.*do=ext/
-  requires-reverse-signature ! http_error
-  http /[pP][aA][gG][eE]=(http|https|ftp)/
-}
-
-signature s2b-2328-3 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP authentication_index.php access"
-  http /.*[\/\\]authentication_index\.php/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2331-2 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP MatrikzGB privilege escalation attempt"
-  tcp-state established,originator
-  payload /.*[nN][eE][wW]_[rR][iI][gG][hH][tT][sS]=[aA][dD][mM][iI][nN]/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2341-1 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP DCP-Portal remote file include attempt"
-  http /.*[\/\\]library[\/\\]editor[\/\\]editor\.php/
-  tcp-state established,originator
-  payload /.*[rR][oO][oO][tT]=/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2342-1 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP DCP-Portal remote file include attempt"
-  http /.*[\/\\]library[\/\\]lib\.php/
-  tcp-state established,originator
-  payload /.*[rR][oO][oO][tT]=/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2345-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP PhpGedView search.php access"
-  http /.*[\/\\]search\.php/
-  http /.*action=soundex/
-  http /.*firstname=/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2346-2 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP myPHPNuke chatheader.php access"
-  http /.*[\/\\]chatheader\.php/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2347-2 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP myPHPNuke partner.php access"
-  http /.*[\/\\]partner\.php/
-  tcp-state established,originator
-  http /.*\x3d.*\x3cscript\x3e.*document.cookie.*\x3c\x2fscript\x3e/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2353-2 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP IdeaBox cord.php file include"
-  http /.*[\/\\]index\.php/
-  tcp-state established,originator
-  payload /.*[iI][dD][eE][aA][dD][iI][rR]/
-  payload /.*[cC][oO][rR][dD]\.[pP][hH][pP]/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2354-2 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP IdeaBox notification.php file include"
-  http /.*[\/\\]index\.php/
-  tcp-state established,originator
-  payload /.*[gG][oO][rR][uU][mM][dD][iI][rR]/
-  payload /.*[nN][oO][tT][iI][fF][iI][cC][aA][tT][iI][oO][nN]\.[pP][hH][pP]/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2355-2 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP Invision Board emailer.php file include"
-  http /.*[\/\\]ad_member\.php/
-  tcp-state established,originator
-  payload /.*[eE][mM][aA][iI][lL][eE][rR]\.[pP][hH][pP]/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2356-2 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP WebChat db_mysql.php file include"
-  http /.*[\/\\]defines\.php/
-  tcp-state established,originator
-  payload /.*[wW][eE][bB][cC][hH][aA][tT][pP][aA][tT][hH]/
-  payload /.*[dD][bB]_[mM][yY][sS][qQ][lL]\.[pP][hH][pP]/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2357-2 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP WebChat english.php file include"
-  http /.*[\/\\]defines\.php/
-  tcp-state established,originator
-  payload /.*[wW][eE][bB][cC][hH][aA][tT][pP][aA][tT][hH]/
-  payload /.*[eE][nN][gG][lL][iI][sS][hH]\.[pP][hH][pP]/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2358-2 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP Typo3 translations.php file include"
-  http /.*[\/\\]translations\.php/
-  tcp-state established,originator
-  payload /.*[oO][nN][lL][yY]/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2359-2 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP Invision Board ipchat.php file include"
-  http /.*[\/\\]ipchat\.php/
-  tcp-state established,originator
-  payload /.*[rR][oO][oO][tT]_[pP][aA][tT][hH]/
-  payload /.*[cC][oO][nN][fF]_[gG][lL][oO][bB][aA][lL]\.[pP][hH][pP]/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2360-2 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP myphpPagetool pt_config.inc file include"
-  http /.*[\/\\]doc[\/\\]admin/
-  tcp-state established,originator
-  payload /.*[pP][tT][iI][nN][cC][lL][uU][dD][eE]/
-  payload /.*[pP][tT]_[cC][oO][nN][fF][iI][gG]\.[iI][nN][cC]/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2362-2 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP YaBB SE packages.php file include"
-  http /.*[\/\\]packages\.php/
-  tcp-state established,originator
-  payload /.*[pP][aA][cC][kK][eE][rR]\.[pP][hH][pP]/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2363-2 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP Cyboards default_header.php access"
-  http /.*[\/\\]default_header\.php/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2364-2 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP Cyboards options_form.php access"
-  http /.*[\/\\]options_form\.php/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2365-2 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP newsPHP Language file include attempt"
-  http /.*[\/\\]nphpd\.php/
-  tcp-state established,originator
-  payload /.*[lL][aA][nN][gG][fF][iI][lL][eE]/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2366-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP PhpGedView PGV authentication_index.php base directory manipulation attempt"
-  http /.*[\/\\]authentication_index\.php/
-  tcp-state established,originator
-  payload /.*[pP][gG][vV]_[bB][aA][sS][eE]_[dD][iI][rR][eE][cC][tT][oO][rR][yY]/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2367-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP PhpGedView PGV functions.php base directory manipulation attempt"
-  http /.*[\/\\]functions\.php/
-  tcp-state established,originator
-  payload /.*[pP][gG][vV]_[bB][aA][sS][eE]_[dD][iI][rR][eE][cC][tT][oO][rR][yY]/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2368-4 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP PhpGedView PGV config_gedcom.php base directory manipulation attempt"
-  http /.*[\/\\]config_gedcom\.php/
-  tcp-state established,originator
-  payload /.*[pP][gG][vV]_[bB][aA][sS][eE]_[dD][iI][rR][eE][cC][tT][oO][rR][yY]/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2398-1 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP WAnewsletter newsletter.php file include attempt"
-  http /.*newsletter\.php/
-  tcp-state established,originator
-  payload /.*[wW][aA][rR][oO][oO][tT]/
-  payload /.*[sS][tT][aA][rR][tT]\.[pP][hH][pP]/
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2399-1 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP WAnewsletter db_type.php access"
-  http /.*[\/\\]sql[\/\\]db_type\.php/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2405-1 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP phptest.php access"
-  http /.*[\/\\]phptest\.php/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2410-2 {
-  ip-proto == tcp
-  dst-ip == local_nets
-  dst-port == http_ports
-  event "WEB-PHP IGeneric Free Shopping Cart page.php access"
-  http /.*[\/\\]page\.php\?.*script/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2565-1 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP modules.php access"
-  http /.*[\/\\]modules\.php/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2566-1 {
-  ip-proto == tcp
-  dst-port == http_ports
-  event "WEB-PHP PHPBB viewforum.php access"
-  http /.*[\/\\]viewforum\.php/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-}
-
-signature s2b-2575-1 {
-  ip-proto == tcp
-  dst-port == http_ports
-  # Not supported: pcre: /systempath=(http|https|ftp)/i
-  event "WEB-PHP Opt-X header.php remote file include attempt"
-  http /.*[\/\\]header\.php/
-  tcp-state established,originator
-  requires-reverse-signature ! http_error
-  payload /.*[sS][yY][sS][tT][eE][mM][pP][aA][tT][hH]=([hH][tT]{2}[pP][sS]?)|([fF][tT][pP])/
-}
-
-signature s2b-1225-4 {
-  ip-proto == tcp
-  dst-port == 6000
-  event "X11 MIT Magic Cookie detected"
-  tcp-state established
-  payload /.*MIT-MAGIC-COOKIE-1/
-}
-
-signature s2b-1226-4 {
-  ip-proto == tcp
-  dst-port == 6000
-  event "X11 xopen"
-  tcp-state established
-  payload /.*l\x00\x0B\x00\x00\x00\x00\x00\x00\x00\x00\x00/
-}
-
diff --git a/scripts/s2b/pm/Config-General-2.26.tar.gz b/scripts/s2b/pm/Config-General-2.26.tar.gz
deleted file mode 100644
index 7de1bbedd4..0000000000
Binary files a/scripts/s2b/pm/Config-General-2.26.tar.gz and /dev/null differ
diff --git a/scripts/s2b/pm/Makefile.am b/scripts/s2b/pm/Makefile.am
deleted file mode 100644
index a8d875b7fa..0000000000
--- a/scripts/s2b/pm/Makefile.am
+++ /dev/null
@@ -1,4 +0,0 @@
-## Process this file with automake to produce Makefile.in
-
-# include in the dist 
-EXTRA_DIST = Config-General-2.26.tar.gz
diff --git a/scripts/s2b/snort_rules2.2/Makefile.am b/scripts/s2b/snort_rules2.2/Makefile.am
deleted file mode 100644
index 6328bf1ef8..0000000000
--- a/scripts/s2b/snort_rules2.2/Makefile.am
+++ /dev/null
@@ -1,15 +0,0 @@
-## Process this file with automake to produce Makefile.in
-
-# include in the dist 
-EXTRA_DIST = attack-responses.rules backdoor.rules bad-traffic.rules \
-	cgi-bin.list chat.rules classification.config ddos.rules deleted.rules \
-	dns.rules dos.rules experimental.rules exploit.rules finger.rules \
-	ftp.rules gen-msg.map generators icmp-info.rules icmp.rules imap.rules \
-	info.rules local.rules misc.rules multimedia.rules mysql.rules \
-	netbios.rules nntp.rules oracle.rules other-ids.rules p2p.rules 
-	policy.rules pop2.rules pop3.rules porn.rules reference.config rpc.rules \
-	rservices.rules scan.rules shellcode.rules sid sid-msg.map smtp.rules \
-	snmp.rules snort.conf sql.rules telnet.rules tftp.rules threshold.conf \
-	unicode.map virus.rules web-attacks.rules web-cgi.rules web-client.rules \
-	web-coldfusion.rules web-frontpage.rules web-iis.rules web-misc.rules \
-	web-php.rules x11.rules
diff --git a/scripts/s2b/snort_rules2.2/attack-responses.rules b/scripts/s2b/snort_rules2.2/attack-responses.rules
deleted file mode 100644
index cf7e878d95..0000000000
--- a/scripts/s2b/snort_rules2.2/attack-responses.rules
+++ /dev/null
@@ -1,29 +0,0 @@
-# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
-#    All rights reserved.
-# $Id: attack-responses.rules 91 2004-07-15 08:13:57Z rwinslow $
-# ----------------
-# ATTACK RESPONSES
-# ----------------
-# These signatures are those when they happen, its usually because a machine
-# has been compromised.  These should not false that often and almost always
-# mean a compromise.
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES directory listing"; flow:from_server,established; content:"Volume Serial Number"; classtype:bad-unknown; sid:1292; rev:8;)
-alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES command completed"; flow:from_server,established; content:"Command completed"; nocase; classtype:bad-unknown; sid:494; rev:7;)
-alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES command error"; flow:from_server,established; content:"Bad command or filename"; nocase; classtype:bad-unknown; sid:495; rev:7;)
-alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES file copied ok"; flow:from_server,established; content:"1 file|28|s|29| copied"; nocase; classtype:bad-unknown; sid:497; rev:8;)
-alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES Invalid URL"; flow:from_server,established; content:"Invalid URL"; nocase; reference:url,www.microsoft.com/technet/security/bulletin/MS00-063.mspx; classtype:attempted-recon; sid:1200; rev:10;)
-alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES index of /cgi-bin/ response"; flow:from_server,established; content:"Index of /cgi-bin/"; nocase; reference:nessus,10039; classtype:bad-unknown; sid:1666; rev:5;)
-alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES 403 Forbidden"; flow:from_server,established; content:"HTTP/1.1 403"; depth:12; classtype:attempted-recon; sid:1201; rev:7;)
-
-alert ip any any -> any any (msg:"ATTACK-RESPONSES id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:498; rev:6;)
-alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check returned userid"; content:"uid="; byte_test:5,<,65537,0,relative,string; content:" gid="; within:15; byte_test:5,<,65537,0,relative,string; classtype:bad-unknown; sid:1882; rev:10;)
-
-alert tcp $HOME_NET 8002 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES oracle one hour install"; flow:from_server,established; content:"Oracle Applications One-Hour Install"; classtype:bad-unknown; sid:1464; rev:3;)
-alert tcp $HOME_NET 749 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES successful kadmind buffer overflow attempt"; flow:established,from_server; content:"*GOBBLE*"; depth:8; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:successful-admin; sid:1900; rev:10;)
-alert tcp $HOME_NET 751 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES successful kadmind buffer overflow attempt"; flow:established,from_server; content:"*GOBBLE*"; depth:8; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:successful-admin; sid:1901; rev:10;)
-alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES successful gobbles ssh exploit GOBBLE"; flow:from_server,established; content:"*GOBBLE*"; reference:bugtraq,5093; reference:cve,2002-0390; reference:cve,2002-0639; classtype:successful-admin; sid:1810; rev:9;)
-alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES successful gobbles ssh exploit uname"; flow:from_server,established; content:"uname"; reference:bugtraq,5093; reference:cve,2002-0390; reference:cve,2002-0639; classtype:misc-attack; sid:1811; rev:8;)
-alert tcp $HOME_NET 512 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES rexec username too long response"; flow:from_server,established; content:"username too long"; depth:17; classtype:unsuccessful-user; sid:2104; rev:3;)
-alert tcp $HOME_NET !21:23 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES Microsoft cmd.exe banner"; flow:from_server,established; content:"Microsoft Windows"; content:"|28|C|29| Copyright 1985-"; distance:0; content:"Microsoft Corp."; distance:0; reference:nessus,11633; classtype:successful-admin; sid:2123; rev:2;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES successful cross site scripting forced download attempt"; flow:to_server,established; content:"|0A|Referer|3A| res|3A|/C|3A|"; classtype:successful-user; sid:2412; rev:3;)
diff --git a/scripts/s2b/snort_rules2.2/backdoor.rules b/scripts/s2b/snort_rules2.2/backdoor.rules
deleted file mode 100644
index 685e822a7a..0000000000
--- a/scripts/s2b/snort_rules2.2/backdoor.rules
+++ /dev/null
@@ -1,87 +0,0 @@
-# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
-#    All rights reserved.
-# $Id: backdoor.rules 91 2004-07-15 08:13:57Z rwinslow $
-#---------------
-# BACKDOOR RULES
-#---------------
-#
-
-alert tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR subseven 22"; flow:to_server,established; content:"|0D 0A|[RPL]002|0D 0A|"; reference:arachnids,485; reference:url,www.hackfix.org/subseven/; classtype:misc-activity; sid:103; rev:7;)
-alert tcp $HOME_NET 16959 -> $EXTERNAL_NET any (msg:"BACKDOOR subseven DEFCON8 2.1 access"; flow:from_server,established; content:"PWD"; classtype:trojan-activity; sid:107; rev:6;)
-
-
-alert tcp $HOME_NET 12345:12346 -> $EXTERNAL_NET any (msg:"BACKDOOR netbus active"; flow:from_server,established; content:"NetBus"; reference:arachnids,401; classtype:misc-activity; sid:109; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 12345:12346 (msg:"BACKDOOR netbus getinfo"; flow:to_server,established; content:"GetInfo|0D|"; reference:arachnids,403; classtype:misc-activity; sid:110; rev:4;)
-alert tcp $HOME_NET 20034 -> $EXTERNAL_NET any (msg:"BACKDOOR netbus active"; flow:to_server,established; content:"NetBus"; reference:arachnids,401; classtype:misc-activity; sid:115; rev:5;)
-
-# 3150, 4120
-alert udp $EXTERNAL_NET any -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Connection attempt"; content:"00"; depth:2; classtype:misc-activity; sid:1980; rev:1;)
-alert udp $HOME_NET 2140 -> $EXTERNAL_NET any (msg:"BACKDOOR DeepThroat 3.1 Server Response"; content:"Ahhhh My Mouth Is Open"; reference:arachnids,106; classtype:misc-activity; sid:195; rev:5;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 3150 (msg:"BACKDOOR DeepThroat 3.1 Connection attempt [3150]"; content:"00"; depth:2; classtype:misc-activity; sid:1981; rev:1;)
-alert udp $HOME_NET 3150 -> $EXTERNAL_NET any (msg:"BACKDOOR DeepThroat 3.1 Server Response [3150]"; content:"Ahhhh My Mouth Is Open"; reference:arachnids,106; classtype:misc-activity; sid:1982; rev:1;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 4120 (msg:"BACKDOOR DeepThroat 3.1 Connection attempt [4120]"; content:"00"; depth:2; classtype:misc-activity; sid:1983; rev:1;)
-alert udp $HOME_NET 4120 -> $EXTERNAL_NET any (msg:"BACKDOOR DeepThroat 3.1 Server Response [4120]"; content:"Ahhhh My Mouth Is Open"; reference:arachnids,106; classtype:misc-activity; sid:1984; rev:1;)
-
-
-alert tcp $HOME_NET 6789 -> $EXTERNAL_NET any (msg:"BACKDOOR Doly 2.0 access"; flow:established,from_server; content:"Wtzup Use"; depth:32; reference:arachnids,312; classtype:misc-activity; sid:119; rev:5;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1094 (msg:"BACKDOOR Doly 1.5 server response"; flow:from_server,established; content:"Connected."; classtype:trojan-activity; sid:1985; rev:1;)
-
-
-alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 2589 (msg:"BACKDOOR - Dagger_1.4.0_client_connect"; flow:to_server,established; content:"|0B 00 00 00 07 00 00 00|Connect"; depth:16; reference:arachnids,483; reference:url,www.tlsecurity.net/backdoor/Dagger.1.4.html; classtype:misc-activity; sid:104; rev:7;)
-alert tcp $HOME_NET 2589 -> $EXTERNAL_NET 1024: (msg:"BACKDOOR - Dagger_1.4.0"; flow:from_server,established; content:"2|00 00 00 06 00 00 00|Drives|24 00|"; depth:16; reference:arachnids,484; reference:url,www.tlsecurity.net/backdoor/Dagger.1.4.html; classtype:misc-activity; sid:105; rev:7;)
-alert tcp $EXTERNAL_NET 80 -> $HOME_NET 1054 (msg:"BACKDOOR ACKcmdC trojan scan"; ack:101058054; flags:A,12; seq:101058054; flow:stateless; reference:arachnids,445; classtype:misc-activity; sid:106; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 7597 (msg:"BACKDOOR QAZ Worm Client Login access"; flow:to_server,established; content:"qazwsx.hsq"; reference:MCAFEE,98775; classtype:misc-activity; sid:108; rev:6;)
-
-
-alert tcp $HOME_NET 146 -> $EXTERNAL_NET 1024: (msg:"BACKDOOR Infector.1.x"; flow:established,from_server; content:"WHATISIT"; reference:arachnids,315; classtype:misc-activity; sid:117; rev:6;)
-alert tcp $HOME_NET 666 -> $EXTERNAL_NET 1024: (msg:"BACKDOOR SatansBackdoor.2.0.Beta"; flow:established,from_server; content:"Remote|3A| You are connected to me."; reference:arachnids,316; classtype:misc-activity; sid:118; rev:5;)
-alert tcp $HOME_NET 146 -> $EXTERNAL_NET 1000:1300 (msg:"BACKDOOR Infector 1.6 Server to Client"; flow:established,from_server; content:"WHATISIT"; classtype:misc-activity; sid:120; rev:5;)
-alert tcp $EXTERNAL_NET 1000:1300 -> $HOME_NET 146 (msg:"BACKDOOR Infector 1.6 Client to Server Connection Request"; flow:to_server,established; content:"FC "; classtype:misc-activity; sid:121; rev:5;)
-
-alert tcp $HOME_NET 31785 -> $EXTERNAL_NET any (msg:"BACKDOOR HackAttack 1.20 Connect"; flow:established,from_server; content:"host"; classtype:misc-activity; sid:141; rev:5;)
-
-alert tcp $EXTERNAL_NET !80 -> $HOME_NET 21554 (msg:"BACKDOOR GirlFriendaccess"; flow:to_server,established; content:"Girl"; reference:arachnids,98; classtype:misc-activity; sid:145; rev:5;)
-alert tcp $HOME_NET 30100 -> $EXTERNAL_NET any (msg:"BACKDOOR NetSphere access"; flow:established,from_server; content:"NetSphere"; reference:arachnids,76; classtype:misc-activity; sid:146; rev:5;)
-alert tcp $HOME_NET 6969 -> $EXTERNAL_NET any (msg:"BACKDOOR GateCrasher"; flow:established,from_server; content:"GateCrasher"; reference:arachnids,99; classtype:misc-activity; sid:147; rev:5;)
-alert tcp $HOME_NET 5401:5402 -> $EXTERNAL_NET any (msg:"BACKDOOR BackConstruction 2.1 Connection"; flow:established,from_server; content:"c|3A 5C|"; classtype:misc-activity; sid:152; rev:6;)
-alert tcp $HOME_NET 23476 -> $EXTERNAL_NET any (msg:"BACKDOOR DonaldDick 1.53 Traffic"; flow:from_server,established; content:"pINg"; classtype:misc-activity; sid:153; rev:5;)
-alert tcp $HOME_NET 30100:30102 -> $EXTERNAL_NET any (msg:"BACKDOOR NetSphere 1.31.337 access"; flow:from_server,established; content:"NetSphere"; reference:arachnids,76; classtype:misc-activity; sid:155; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 666 (msg:"BACKDOOR BackConstruction 2.1 Client FTP Open Request"; flow:to_server,established; content:"FTPON"; classtype:misc-activity; sid:157; rev:5;)
-alert tcp $HOME_NET 666 -> $EXTERNAL_NET any (msg:"BACKDOOR BackConstruction 2.1 Server FTP Open Reply"; flow:from_server,established; content:"FTP Port open"; classtype:misc-activity; sid:158; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 5032 (msg:"BACKDOOR NetMetro File List"; flow:to_server,established; content:"--"; reference:arachnids,79; classtype:misc-activity; sid:159; rev:6;)
-# alert tcp $EXTERNAL_NET 5031 -> $HOME_NET !53:80 (msg:"BACKDOOR NetMetro Incoming Traffic"; flags:A+; flow:stateless; reference:arachnids,79; classtype:misc-activity; sid:160; rev:5;)
-alert udp $EXTERNAL_NET 3344 -> $HOME_NET 3345 (msg:"BACKDOOR Matrix 2.0 Client connect"; content:"activate"; reference:arachnids,83; classtype:misc-activity; sid:161; rev:4;)
-alert udp $EXTERNAL_NET 3345 -> $HOME_NET 3344 (msg:"BACKDOOR Matrix 2.0 Server access"; content:"logged in"; reference:arachnids,83; classtype:misc-activity; sid:162; rev:4;)
-alert tcp $HOME_NET 5714 -> $EXTERNAL_NET any (msg:"BACKDOOR WinCrash 1.0 Server Active"; flags:SA,12; flow:stateless; content:"|B4 B4|"; reference:arachnids,36; classtype:misc-activity; sid:163; rev:8;)
-alert icmp 255.255.255.0/24 any -> $HOME_NET any (msg:"BACKDOOR SIGNATURE - Q ICMP"; dsize:>1; itype:0; reference:arachnids,202; classtype:misc-activity; sid:183; rev:4;)
-alert tcp 255.255.255.0/24 any -> $HOME_NET any (msg:"BACKDOOR Q access"; dsize:>1; flags:A+; flow:stateless; reference:arachnids,203; classtype:misc-activity; sid:184; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"BACKDOOR CDK"; flow:to_server,established; content:"ypi0ca"; depth:15; nocase; reference:arachnids,263; classtype:misc-activity; sid:185; rev:5;)
-
-
-alert tcp $HOME_NET 555 -> $EXTERNAL_NET any (msg:"BACKDOOR PhaseZero Server Active on Network"; flow:established,from_server; content:"phAse"; classtype:misc-activity; sid:208; rev:5;)
-alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR w00w00 attempt"; flow:to_server,established; content:"w00w00"; reference:arachnids,510; classtype:attempted-admin; sid:209; rev:4;)
-alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR attempt"; flow:to_server,established; content:"backdoor"; nocase; classtype:attempted-admin; sid:210; rev:3;)
-alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC r00t attempt"; flow:to_server,established; content:"r00t"; classtype:attempted-admin; sid:211; rev:3;)
-alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC rewt attempt"; flow:to_server,established; content:"rewt"; classtype:attempted-admin; sid:212; rev:3;)
-alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC Linux rootkit attempt"; flow:to_server,established; content:"wh00t!"; classtype:attempted-admin; sid:213; rev:4;)
-alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC Linux rootkit attempt lrkr0x"; flow:to_server,established; content:"lrkr0x"; classtype:attempted-admin; sid:214; rev:4;)
-alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC Linux rootkit attempt"; flow:to_server,established; content:"d13hh["; nocase; classtype:attempted-admin; sid:215; rev:4;)
-alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC Linux rootkit satori attempt"; flow:to_server,established; content:"satori"; reference:arachnids,516; classtype:attempted-admin; sid:216; rev:6;)
-alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC sm4ck attempt"; flow:to_server,established; content:"hax0r"; classtype:attempted-admin; sid:217; rev:3;)
-alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC Solaris 2.5 attempt"; flow:to_server,established; content:"friday"; classtype:attempted-user; sid:218; rev:4;)
-alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR HidePak backdoor attempt"; flow:to_server,established; content:"StoogR"; classtype:misc-activity; sid:219; rev:6;)
-alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR HideSource backdoor attempt"; flow:to_server,established; content:"wank"; classtype:misc-activity; sid:220; rev:6;)
-alert tcp $EXTERNAL_NET 31790 -> $HOME_NET 31789 (msg:"BACKDOOR hack-a-tack attempt"; flags:A+; flow:stateless; content:"A"; depth:1; reference:arachnids,314; classtype:attempted-recon; sid:614; rev:7;)
-alert ip any any -> 216.80.99.202 any (msg:"BACKDOOR fragroute trojan connection attempt"; reference:bugtraq,4898; classtype:trojan-activity; sid:1791; rev:2;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 35555 (msg:"BACKDOOR win-trin00 connection attempt"; content:"png []..Ks l44"; depth:14; reference:cve,2000-0138; reference:nessus,10307; classtype:attempted-admin; sid:1853; rev:6;)
-
-
-# NOTES: this string should be within the first 3 bytes of the connection
-alert tcp $EXTERNAL_NET any -> $HOME_NET 33270 (msg:"BACKDOOR trinity connection attempt"; flow:to_server,established; content:"!@|23|"; depth:3; reference:cve,2000-0138; reference:nessus,10501; classtype:attempted-admin; sid:1843; rev:6;)
-alert tcp any any -> 212.146.0.34 1963 (msg:"BACKDOOR TCPDUMP/PCAP trojan traffic"; flow:stateless; reference:url,hlug.fscker.com; classtype:trojan-activity; sid:1929; rev:5;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR SubSeven 2.1 Gold server connection response"; flow:from_server,established; content:"connected. time/date|3A| "; depth:22; content:"version|3A| GOLD 2.1"; distance:1; classtype:misc-activity; sid:2100; rev:2;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 34012 (msg:"BACKDOOR Remote PC Access connection attempt"; flow:to_server,established; content:"|28 00 01 00 04 00 00 00 00 00 00 00|"; depth:12; reference:nessus,11673; classtype:trojan-activity; sid:2124; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR typot trojan traffic"; flags:S,12; window:55808; flow:stateless; classtype:trojan-activity; sid:2182; rev:6;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR FsSniffer connection attempt"; flow:to_server,established; content:"RemoteNC Control Password|3A|"; reference:nessus,11854; classtype:trojan-activity; sid:2271; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 3127:3199 (msg:"BACKDOOR DoomJuice file upload attempt"; flow:to_server,established; content:"|85 13|<|9E A2|"; depth:5; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.hllw.doomjuice.html; classtype:trojan-activity; sid:2375; rev:3;)
diff --git a/scripts/s2b/snort_rules2.2/bad-traffic.rules b/scripts/s2b/snort_rules2.2/bad-traffic.rules
deleted file mode 100644
index e093bb5971..0000000000
--- a/scripts/s2b/snort_rules2.2/bad-traffic.rules
+++ /dev/null
@@ -1,26 +0,0 @@
-# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
-#    All rights reserved.
-# $Id: bad-traffic.rules 91 2004-07-15 08:13:57Z rwinslow $
-#------------------
-# BAD TRAFFIC RULES
-#------------------
-# These signatures are representitive of traffic that should never be seen on
-# any network.  None of these signatures include datagram content checking
-# and are extremely quick signatures
-#
-
-alert tcp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"BAD-TRAFFIC tcp port 0 traffic"; flow:stateless; classtype:misc-activity; sid:524; rev:8;)
-alert udp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"BAD-TRAFFIC udp port 0 traffic"; reference:bugtraq,576; reference:cve,1999-0675; reference:nessus,10074; classtype:misc-activity; sid:525; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC data in TCP SYN packet"; dsize:>6; flags:S,12; flow:stateless; reference:url,www.cert.org/incident_notes/IN-99-07.html; classtype:misc-activity; sid:526; rev:9;)
-alert ip any any <> 127.0.0.0/8 any (msg:"BAD-TRAFFIC loopback traffic"; reference:url,rr.sans.org/firewall/egress.php; classtype:bad-unknown; sid:528; rev:5;)
-alert ip any any -> any any (msg:"BAD-TRAFFIC same SRC/DST"; sameip; reference:bugtraq,2666; reference:cve,1999-0016; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:bad-unknown; sid:527; rev:8;)
-alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC ip reserved bit set"; fragbits:R; classtype:misc-activity; sid:523; rev:5;)
-alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC 0 ttl"; ttl:0; reference:url,support.microsoft.com/default.aspx?scid=kb\;EN-US\;q138268; reference:url,www.isi.edu/in-notes/rfc1122.txt; classtype:misc-activity; sid:1321; rev:8;)
-# linux happens.  Blah
-# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC bad frag bits"; fragbits:MD; classtype:misc-activity; sid:1322; rev:7;)
-alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC Unassigned/Reserved IP protocol"; ip_proto:>134; reference:url,www.iana.org/assignments/protocol-numbers; classtype:non-standard-protocol; sid:1627; rev:3;)
-alert tcp any any -> [232.0.0.0/8,233.0.0.0/8,239.0.0.0/8] any (msg:"BAD-TRAFFIC syn to multicast address"; flags:S+; flow:stateless; classtype:bad-unknown; sid:1431; rev:8;)
-alert ip any any -> any any (msg:"BAD-TRAFFIC IP Proto 53 SWIPE"; ip_proto:53; reference:bugtraq,8211; reference:cve,2003-0567; classtype:non-standard-protocol; sid:2186; rev:3;)
-alert ip any any -> any any (msg:"BAD-TRAFFIC IP Proto 55 IP Mobility"; ip_proto:55; reference:bugtraq,8211; reference:cve,2003-0567; classtype:non-standard-protocol; sid:2187; rev:3;)
-alert ip any any -> any any (msg:"BAD-TRAFFIC IP Proto 77 Sun ND"; ip_proto:77; reference:bugtraq,8211; reference:cve,2003-0567; classtype:non-standard-protocol; sid:2188; rev:3;)
-alert ip any any -> any any (msg:"BAD-TRAFFIC IP Proto 103 PIM"; ip_proto:103; reference:bugtraq,8211; reference:cve,2003-0567; classtype:non-standard-protocol; sid:2189; rev:3;)
diff --git a/scripts/s2b/snort_rules2.2/cgi-bin.list b/scripts/s2b/snort_rules2.2/cgi-bin.list
deleted file mode 100644
index 02da630654..0000000000
--- a/scripts/s2b/snort_rules2.2/cgi-bin.list
+++ /dev/null
@@ -1,16 +0,0 @@
-# (C) Copyright 2001,2002 Brian Caswell, et al.  All rights reserved.
-# $Id: cgi-bin.list 91 2004-07-15 08:13:57Z rwinslow $
-#--------------
-# cgi-bin list
-#--------------
-# if content-list actually worked, this would be our content-list for 
-# the different CGI bin directories we would check for.
-
-"/cgi-bin/"
-"/cgi/"
-"/cgi-local/"
-"/perl/"
-"/mod_perl/"
-"/scripts/"
-"/comps/"
-"/cgi-bin-sdb/"
diff --git a/scripts/s2b/snort_rules2.2/chat.rules b/scripts/s2b/snort_rules2.2/chat.rules
deleted file mode 100644
index e3788cc4e5..0000000000
--- a/scripts/s2b/snort_rules2.2/chat.rules
+++ /dev/null
@@ -1,48 +0,0 @@
-# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
-#    All rights reserved.
-# $Id: chat.rules 91 2004-07-15 08:13:57Z rwinslow $
-#-------------
-# CHAT RULES
-#-------------
-# These signatures look for people using various types of chat programs (for
-# example: AIM, ICQ, and IRC) which may be against corporate policy
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CHAT ICQ access"; flow:to_server,established; content:"User-Agent|3A|ICQ"; classtype:policy-violation; sid:541; rev:9;)
-alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"CHAT ICQ forced user addition"; flow:established,to_client; content:"Content-Type|3A| application/x-icq"; nocase; content:"[ICQ User]"; reference:bugtraq,3226; reference:cve,2001-1305; classtype:policy-violation; sid:1832; rev:7;)
-
-alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"CHAT MSN message"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A|"; nocase; content:"text/plain"; distance:1; classtype:policy-violation; sid:540; rev:11;)
-alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"CHAT MSN file transfer request"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A|"; distance:0; nocase; content:"text/x-msmsgsinvite"; distance:0; nocase; content:"Application-Name|3A|"; content:"File Transfer"; distance:0; nocase; classtype:policy-violation; sid:1986; rev:4;)
-alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"CHAT MSN file transfer accept"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A|"; nocase; content:"text/x-msmsgsinvite"; distance:0; content:"Invitation-Command|3A|"; content:"ACCEPT"; distance:1; classtype:policy-violation; sid:1988; rev:3;)
-alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"CHAT MSN file transfer reject"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A|"; nocase; content:"text/x-msmsgsinvite"; distance:0; content:"Invitation-Command|3A|"; content:"CANCEL"; distance:0; content:"Cancel-Code|3A|"; nocase; content:"REJECT"; distance:0; nocase; classtype:policy-violation; sid:1989; rev:4;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"CHAT MSN user search"; flow:to_server,established; content:"CAL "; depth:4; nocase; classtype:policy-violation; sid:1990; rev:1;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"CHAT MSN login attempt"; flow:to_server,established; content:"USR "; depth:4; nocase; content:" TWN "; distance:1; nocase; classtype:policy-violation; sid:1991; rev:1;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC nick change"; flow:to_server,established; content:"NICK "; offset:0; classtype:policy-violation; sid:542; rev:10;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC DCC file transfer request"; flow:to_server,established; content:"PRIVMSG "; offset:0; nocase; content:" |3A|.DCC SEND"; nocase; classtype:policy-violation; sid:1639; rev:6;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC DCC chat request"; flow:to_server,established; content:"PRIVMSG "; offset:0; nocase; content:" |3A|.DCC CHAT chat"; nocase; classtype:policy-violation; sid:1640; rev:6;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC channel join"; flow:to_server,established; content:"JOIN |3A| |23|"; offset:0; nocase; classtype:policy-violation; sid:1729; rev:5;)
-alert tcp $HOME_NET any <> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC message"; flow:established; content:"PRIVMSG "; nocase; classtype:policy-violation; sid:1463; rev:6;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC dns request"; flow:to_server,established; content:"USERHOST "; offset:0; nocase; classtype:policy-violation; sid:1789; rev:3;)
-alert tcp $EXTERNAL_NET 6666:7000 -> $HOME_NET any (msg:"CHAT IRC dns response"; flow:to_client,established; content:"|3A|"; offset:0; content:" 302 "; content:"=+"; classtype:policy-violation; sid:1790; rev:4;)
-
-alert tcp $HOME_NET any -> $AIM_SERVERS any (msg:"CHAT AIM login"; flow:to_server,established; content:"*|01|"; depth:2; classtype:policy-violation; sid:1631; rev:6;)
-alert tcp $HOME_NET any -> $AIM_SERVERS any (msg:"CHAT AIM send message"; flow:to_server,established; content:"*|02|"; depth:2; content:"|00 04 00 06|"; depth:4; offset:6; classtype:policy-violation; sid:1632; rev:6;)
-alert tcp $AIM_SERVERS any -> $HOME_NET any (msg:"CHAT AIM receive message"; flow:to_client; content:"*|02|"; depth:2; content:"|00 04 00 07|"; depth:4; offset:6; classtype:policy-violation; sid:1633; rev:6;)
-
-
-
-alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"CHAT Yahoo IM successful logon"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00 01|"; depth:2; offset:10; classtype:policy-violation; sid:2450; rev:3;)
-alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"CHAT Yahoo IM voicechat"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00|J"; depth:2; offset:10; classtype:policy-violation; sid:2451; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"CHAT Yahoo IM ping"; flow:to_server,established; content:"YMSG"; depth:4; nocase; content:"|00 12|"; depth:2; offset:10; classtype:policy-violation; sid:2452; rev:4;)
-
-alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"CHAT Yahoo IM conference invitation"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00 18|"; depth:2; offset:10; classtype:policy-violation; sid:2453; rev:3;)
-alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"CHAT Yahoo IM conference logon success"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00 19|"; depth:2; offset:10; classtype:policy-violation; sid:2454; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"CHAT Yahoo IM conference message"; flow:to_server,established; content:"YMSG"; depth:4; nocase; content:"|00 1D|"; depth:2; offset:10; classtype:policy-violation; sid:2455; rev:3;)
-
-alert tcp any any -> any 5050 (msg:"CHAT Yahoo IM file transfer request"; flow:established; content:"YMSG"; depth:4; nocase; content:"|00|M"; depth:2; offset:10; classtype:policy-violation; sid:2456; rev:3;)
-alert tcp any any <> any 5101 (msg:"CHAT Yahoo IM message"; flow:established; content:"YMSG"; depth:4; nocase; classtype:policy-violation; sid:2457; rev:2;)
-
-alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"CHAT Yahoo IM successful chat join"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00 98|"; depth:2; offset:10; classtype:policy-violation; sid:2458; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"CHAT Yahoo IM webcam offer invitation"; flow:to_server,established; content:"YMSG"; depth:4; nocase; content:"|00|P"; depth:2; offset:10; classtype:policy-violation; sid:2459; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET 5100 (msg:"CHAT Yahoo IM webcam request"; flow:to_server,established; content:"<R"; depth:2; pcre:"/^\x3c(REQIMG|RVWCFG)\x3e/ism"; classtype:policy-violation; sid:2460; rev:3;)
-alert tcp $EXTERNAL_NET 5100 -> $HOME_NET any (msg:"CHAT Yahoo IM webcam watch"; flow:from_server,established; content:"|0D 00 05 00|"; depth:4; classtype:policy-violation; sid:2461; rev:3;)
diff --git a/scripts/s2b/snort_rules2.2/classification.config b/scripts/s2b/snort_rules2.2/classification.config
deleted file mode 100644
index be64a0f561..0000000000
--- a/scripts/s2b/snort_rules2.2/classification.config
+++ /dev/null
@@ -1,66 +0,0 @@
-# $Id: classification.config 91 2004-07-15 08:13:57Z rwinslow $
-# The following includes information for prioritizing rules
-# 
-# Each classification includes a shortname, a description, and a default
-# priority for that classification.
-#
-# This allows alerts to be classified and prioritized.  You can specify
-# what priority each classification has.  Any rule can override the default
-# priority for that rule.
-#
-# Here are a few example rules:
-# 
-#   alert TCP any any -> any 80 (msg: "EXPLOIT ntpdx overflow"; 
-#	dsize: > 128; classtype:attempted-admin; priority:10;
-#
-#   alert TCP any any -> any 25 (msg:"SMTP expn root"; flags:A+; \
-#	      content:"expn root"; nocase; classtype:attempted-recon;)
-#
-# The first rule will set its type to "attempted-admin" and override 
-# the default priority for that type to 10.
-#
-# The second rule set its type to "attempted-recon" and set its
-# priority to the default for that type.
-# 
-
-#
-# config classification:shortname,short description,priority
-#
-
-config classification: not-suspicious,Not Suspicious Traffic,3
-config classification: unknown,Unknown Traffic,3
-config classification: bad-unknown,Potentially Bad Traffic, 2
-config classification: attempted-recon,Attempted Information Leak,2
-config classification: successful-recon-limited,Information Leak,2
-config classification: successful-recon-largescale,Large Scale Information Leak,2
-config classification: attempted-dos,Attempted Denial of Service,2
-config classification: successful-dos,Denial of Service,2
-config classification: attempted-user,Attempted User Privilege Gain,1
-config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1
-config classification: successful-user,Successful User Privilege Gain,1
-config classification: attempted-admin,Attempted Administrator Privilege Gain,1
-config classification: successful-admin,Successful Administrator Privilege Gain,1
-
-
-# NEW CLASSIFICATIONS
-config classification: rpc-portmap-decode,Decode of an RPC Query,2
-config classification: shellcode-detect,Executable code was detected,1
-config classification: string-detect,A suspicious string was detected,3
-config classification: suspicious-filename-detect,A suspicious filename was detected,2
-config classification: suspicious-login,An attempted login using a suspicious username was detected,2
-config classification: system-call-detect,A system call was detected,2
-config classification: tcp-connection,A TCP connection was detected,4
-config classification: trojan-activity,A Network Trojan was detected, 1
-config classification: unusual-client-port-connection,A client was using an unusual port,2
-config classification: network-scan,Detection of a Network Scan,3
-config classification: denial-of-service,Detection of a Denial of Service Attack,2
-config classification: non-standard-protocol,Detection of a non-standard protocol or event,2
-config classification: protocol-command-decode,Generic Protocol Command Decode,3
-config classification: web-application-activity,access to a potentially vulnerable web application,2
-config classification: web-application-attack,Web Application Attack,1
-config classification: misc-activity,Misc activity,3
-config classification: misc-attack,Misc Attack,2
-config classification: icmp-event,Generic ICMP event,3
-config classification: kickass-porn,SCORE! Get the lotion!,1
-config classification: policy-violation,Potential Corporate Privacy Violation,1
-config classification: default-login-attempt,Attempt to login by a default username and password,2
diff --git a/scripts/s2b/snort_rules2.2/ddos.rules b/scripts/s2b/snort_rules2.2/ddos.rules
deleted file mode 100644
index b32b28328e..0000000000
--- a/scripts/s2b/snort_rules2.2/ddos.rules
+++ /dev/null
@@ -1,51 +0,0 @@
-# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
-#    All rights reserved.
-# $Id: ddos.rules 91 2004-07-15 08:13:57Z rwinslow $
-#-----------
-# DDOS RULES
-#-----------
-
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS TFN Probe"; id:678; itype:8; content:"1234"; reference:arachnids,443; classtype:attempted-recon; sid:221; rev:3;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS tfn2k icmp possible communication"; icmp_id:0; itype:0; content:"AAAAAAAAAA"; reference:arachnids,425; classtype:attempted-dos; sid:222; rev:2;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"DDOS Trin00 Daemon to Master PONG message detected"; content:"PONG"; reference:arachnids,187; classtype:attempted-recon; sid:223; rev:3;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS TFN client command BE"; icmp_id:456; icmp_seq:0; itype:0; reference:arachnids,184; classtype:attempted-dos; sid:228; rev:3;)
-
-
-alert tcp $HOME_NET 20432 -> $EXTERNAL_NET any (msg:"DDOS shaft client login to handler"; flow:from_server,established; content:"login|3A|"; reference:arachnids,254; reference:url,security.royans.net/info/posts/bugtraq_ddos3.shtml; classtype:attempted-dos; sid:230; rev:5;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 18753 (msg:"DDOS shaft handler to agent"; content:"alive tijgu"; reference:arachnids,255; classtype:attempted-dos; sid:239; rev:2;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 20433 (msg:"DDOS shaft agent to handler"; content:"alive"; reference:arachnids,256; classtype:attempted-dos; sid:240; rev:2;)
-alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"DDOS shaft synflood"; flags:S,12; seq:674711609; flow:stateless; reference:arachnids,253; classtype:attempted-dos; sid:241; rev:7;)
-
-
-
-
-alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"DDOS Trin00 Daemon to Master message detected"; content:"l44"; reference:arachnids,186; classtype:attempted-dos; sid:231; rev:3;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"DDOS Trin00 Daemon to Master *HELLO* message detected"; content:"*HELLO*"; reference:arachnids,185; reference:url,www.sans.org/newlook/resources/IDFAQ/trinoo.htm; classtype:attempted-dos; sid:232; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"DDOS Trin00 Attacker to Master default startup password"; flow:established,to_server; content:"betaalmostdone"; reference:arachnids,197; classtype:attempted-dos; sid:233; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"DDOS Trin00 Attacker to Master default password"; flow:established,to_server; content:"gOrave"; classtype:attempted-dos; sid:234; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"DDOS Trin00 Attacker to Master default mdie password"; flow:established,to_server; content:"killme"; classtype:bad-unknown; sid:235; rev:2;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 27444 (msg:"DDOS Trin00 Master to Daemon default password attempt"; content:"l44adsl"; reference:arachnids,197; classtype:attempted-dos; sid:237; rev:2;)
-alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"DDOS TFN server response"; icmp_id:123; icmp_seq:0; itype:0; content:"shell bound to port"; reference:arachnids,182; classtype:attempted-dos; sid:238; rev:6;)
-
-
-
-alert udp $EXTERNAL_NET any -> $HOME_NET 6838 (msg:"DDOS mstream agent to handler"; content:"newserver"; classtype:attempted-dos; sid:243; rev:2;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 10498 (msg:"DDOS mstream handler to agent"; content:"stream/"; reference:cve,2000-0138; classtype:attempted-dos; sid:244; rev:3;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 10498 (msg:"DDOS mstream handler ping to agent"; content:"ping"; reference:cve,2000-0138; classtype:attempted-dos; sid:245; rev:3;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 10498 (msg:"DDOS mstream agent pong to handler"; content:"pong"; classtype:attempted-dos; sid:246; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 12754 (msg:"DDOS mstream client to handler"; flow:to_server,established; content:">"; reference:cve,2000-0138; classtype:attempted-dos; sid:247; rev:4;)
-alert tcp $HOME_NET 12754 -> $EXTERNAL_NET any (msg:"DDOS mstream handler to client"; flow:to_client,established; content:">"; reference:cve,2000-0138; classtype:attempted-dos; sid:248; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 15104 (msg:"DDOS mstream client to handler"; flags:S,12; flow:stateless; reference:arachnids,111; reference:cve,2000-0138; classtype:attempted-dos; sid:249; rev:7;)
-alert tcp $HOME_NET 15104 -> $EXTERNAL_NET any (msg:"DDOS mstream handler to client"; flow:from_server,established; content:">"; reference:cve,2000-0138; classtype:attempted-dos; sid:250; rev:4;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS - TFN client command LE"; icmp_id:51201; icmp_seq:0; itype:0; reference:arachnids,183; classtype:attempted-dos; sid:251; rev:3;)
-
-
-alert icmp 3.3.3.3/32 any -> $EXTERNAL_NET any (msg:"DDOS Stacheldraht server spoof"; icmp_id:666; itype:0; reference:arachnids,193; classtype:attempted-dos; sid:224; rev:3;)
-alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"DDOS Stacheldraht gag server response"; icmp_id:669; itype:0; content:"sicken"; reference:arachnids,195; classtype:attempted-dos; sid:225; rev:6;)
-alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"DDOS Stacheldraht server response"; icmp_id:667; itype:0; content:"ficken"; reference:arachnids,191; classtype:attempted-dos; sid:226; rev:6;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS Stacheldraht client spoofworks"; icmp_id:1000; itype:0; content:"spoofworks"; reference:arachnids,192; classtype:attempted-dos; sid:227; rev:6;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS Stacheldraht client check gag"; icmp_id:668; itype:0; content:"gesundheit!"; reference:arachnids,194; classtype:attempted-dos; sid:236; rev:6;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS Stacheldraht client check skillz"; icmp_id:666; itype:0; content:"skillz"; reference:arachnids,190; classtype:attempted-dos; sid:229; rev:5;)
-alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"DDOS Stacheldraht handler->agent niggahbitch"; icmp_id:9015; itype:0; content:"niggahbitch"; reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysis; classtype:attempted-dos; sid:1854; rev:7;)
-alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"DDOS Stacheldraht agent->handler skillz"; icmp_id:6666; itype:0; content:"skillz"; reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysis; classtype:attempted-dos; sid:1855; rev:7;)
-alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"DDOS Stacheldraht handler->agent ficken"; icmp_id:6667; itype:0; content:"ficken"; reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysis; classtype:attempted-dos; sid:1856; rev:7;)
diff --git a/scripts/s2b/snort_rules2.2/deleted.rules b/scripts/s2b/snort_rules2.2/deleted.rules
deleted file mode 100644
index a1b595ab7e..0000000000
--- a/scripts/s2b/snort_rules2.2/deleted.rules
+++ /dev/null
@@ -1,399 +0,0 @@
-# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
-#    All rights reserved.
-# $Id: deleted.rules 91 2004-07-15 08:13:57Z rwinslow $
-#-------------
-# DELETED RULES
-#-------------
-# These signatures have been deleted for various reasons, but we are keeping
-# them here for historical purposes.
-
-# Duplicate to 332
-alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER probe 0 attempt"; flow:to_server,established; content:"0"; reference:arachnids,378; classtype:attempted-recon; sid:325; rev:4;)
-
-# Duplicate of 512
-alert tcp $HOME_NET 5631 -> $EXTERNAL_NET any (msg:"MISC Invalid PCAnywhere Login"; flow:from_server,established; content:"Invalid login"; depth:13; offset:5; classtype:unsuccessful-user; sid:511; rev:5;)
-
-# Duplicate of 514
-alert tcp $EXTERNAL_NET any -> $HOME_NET 27374 (msg:"MISC ramen worm incoming"; flow:established; content:"GET "; depth:8; nocase; reference:arachnids,460; classtype:bad-unknown; sid:506; rev:4;)
-
-# Duplicate of 557
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INFO Outbound GNUTella client request"; flow:established; content:"GNUTELLA OK"; depth:40; classtype:misc-activity; sid:558; rev:5;)
-
-# Duplicate of 559
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"P2P Inbound GNUTella client request"; flags:A+; flow:established; content:"GNUTELLA CONNECT"; depth:40; classtype:misc-activity; sid:559; rev:6;)
-
-# Duplicate of 844
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC O'Reilly args.bat access"; flow:to_server,established; uricontent:"/cgi-dos/args.bat"; nocase; classtype:attempted-recon; sid:1121; rev:5;)
-
-# Yeah, so the one site that was vulnerable to edit.pl aint no more.
-# http://packetstorm.widexs.nl/new-exploits/freestats-cgi.txt
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI edit.pl access"; flow:to_server,established; uricontent:"/edit.pl"; nocase; reference:bugtraq,2713; classtype:attempted-recon; sid:855; rev:6;)
-
-# duplicate of 987
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"EXPERIMENTAL WEB-IIS .htr request"; flow:to_server,established; uricontent:".htr"; nocase; reference:bugtraq,4474; reference:cve,2002-0071; reference:nessus,10932; classtype:web-application-activity; sid:1619; rev:8;)
-
-# webmasters suck, so this happens ever so often.  Its really not that bad,
-# so lets disable it.
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC prefix-get //"; flow:to_server,established; uricontent:"get //"; nocase; classtype:attempted-recon; sid:1114; rev:6;)
-
-# dup of 1660
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"EXPERIMENTAL WEB-IIS .NET trace.axd access"; flow:to_server,established; uricontent:"/traace.axd"; nocase; classtype:web-application-attack; sid:1749; rev:4;)
-
-# dup
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC iPlanet ../../ DOS attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/../../../../../../../../../../../"; reference:bugtraq,2282; reference:cve,2001-0252; classtype:web-application-attack; sid:1049; rev:11;)
-
-
-# Falses WAAAYYY too often.
-alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES directory listing"; flow:from_server,established; content:"Directory of"; nocase; classtype:unknown; sid:496; rev:8;)
-
-# Replaced with 1801,1802,1803,1804
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS header field buffer overflow attempt"; flow:to_server,established; content:"|3A|"; content:"|0A|"; content:"|00|"; reference:bugtraq,4476; reference:cve,2002-0150; classtype:web-application-attack; sid:1768; rev:7;)
-
-# duplicate of sid:1673
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE execute_system attempt"; flow:to_server,established; content:"EXECUTE_SYSTEM"; nocase; classtype:protocol-command-decode; sid:1698; rev:4;)
-
-# Port based only sigs suck, this is why stream4 has flow logs
-alert tcp $EXTERNAL_NET 6000:6005 -> $HOME_NET any (msg:"X11 outbound client connection detected"; flow:established; reference:arachnids,126; classtype:misc-activity; sid:1227; rev:5;)
-
-# basically duplicate of 330
-alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER cybercop redirection"; dsize:11; flow:to_server,established; content:"@localhost|0A|"; reference:arachnids,11; classtype:attempted-recon; sid:329; rev:8;)
-
-# duplicate of 1478
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI swc attempt"; flow:to_server,established; uricontent:"/swc"; nocase; classtype:attempted-recon; sid:1477; rev:5;)
-
-# duplicate of 1248
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE rad overflow attempt"; dsize:>258; flow:to_server,established; uricontent:"/fp30reg.dll"; nocase; reference:arachnids,555; reference:bugtraq,2906; reference:cve,2001-0341; reference:url,www.microsoft.com/technet/security/bulletin/MS01-035.mspx; classtype:web-application-attack; sid:1246; rev:14;)
-
-# duplicate of 1249
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE rad overflow attempt"; dsize:>259; flow:to_server,established; uricontent:"/fp4areg.dll"; nocase; reference:bugtraq,2906; reference:cve,2001-0341; classtype:web-application-attack; sid:1247; rev:11;)
-
-# duplicate of 1755
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT partial body overflow attempt"; dsize:>1092; flow:to_server,established; content:" x PARTIAL 1 BODY["; reference:bugtraq,4713; reference:cve,2002-0379; classtype:misc-attack; sid:1780; rev:9;)
-
-# duplicate of 1538
-alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP Cassandra Overflow"; dsize:>512; flow:to_server,established; content:"AUTHINFO USER"; depth:16; nocase; reference:arachnids,274; reference:bugtraq,1156; reference:cve,2000-0341; classtype:attempted-user; sid:291; rev:12;)
-
-# This rule looks for the exploit for w3-msql, but very badly
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI w3-msql solaris x86  access"; flow:to_server,established; uricontent:"/bin/shA-cA/usr/openwin"; nocase; reference:arachnids,211; reference:cve,1999-0276; classtype:attempted-recon; sid:874; rev:7;)
-
-
-alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"EXPLOIT bootp x86 bsd overfow"; content:"echo netrjs stre"; reference:bugtraq,324; reference:cve,1999-0914; classtype:attempted-admin; sid:318; rev:6;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"EXPLOIT bootp x86 linux overflow"; content:"A90|C0 A8 01 01|/bin/sh|00|"; reference:cve,1999-0389; reference:cve,1999-0798; reference:cve,1999-0799; classtype:attempted-admin; sid:319; rev:5;)
-
-
-# duplicate of 109
-alert tcp $HOME_NET 12346 -> $EXTERNAL_NET any (msg:"BACKDOOR netbus active"; flags:A+; flow:established; content:"NetBus"; reference:arachnids,401; classtype:misc-activity; sid:114; rev:5;)
-
-# duplicate of 110
-alert tcp $EXTERNAL_NET any -> $HOME_NET 12346 (msg:"BACKDOOR netbus getinfo"; flow:to_server,established; content:"GetInfo|0D|"; reference:arachnids,403; classtype:misc-activity; sid:111; rev:5;)
-
-
-# we have a backorifice preprocessor
-alert tcp $HOME_NET 80 -> $EXTERNAL_NET any (msg:"BACKDOOR BackOrifice access"; flags:A+; flow:established; content:"server|3A| BO/"; reference:arachnids,400; classtype:misc-activity; sid:112; rev:6;)
-
-# we have a backorifice preprocessor
-alert udp $EXTERNAL_NET any -> $HOME_NET 31337 (msg:"BACKDOOR BackOrifice access"; content:"|CE|c|D1 D2 16 E7 13 CF|9|A5 A5 86|"; reference:arachnids,399; classtype:misc-activity; sid:116; rev:5;)
-
-
-
-alert udp $EXTERNAL_NET 2140 -> $HOME_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Server Active on Network"; reference:arachnids,106; classtype:misc-activity; sid:164; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Keylogger on Server ON"; content:"KeyLogger Is Enabled On port"; reference:arachnids,106; classtype:misc-activity; sid:165; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Show Picture Client Request"; content:"22"; reference:arachnids,106; classtype:misc-activity; sid:166; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide/Show Clock Client Request"; content:"32"; reference:arachnids,106; classtype:misc-activity; sid:167; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide/Show Desktop Client Request"; content:"33"; reference:arachnids,106; classtype:misc-activity; sid:168; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Swap Mouse Buttons Client Request"; content:"34"; reference:arachnids,106; classtype:misc-activity; sid:169; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Enable/Disable CTRL-ALT-DEL Client Request"; content:"110"; reference:arachnids,106; classtype:misc-activity; sid:170; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Freeze Mouse Client Request"; content:"35"; reference:arachnids,106; classtype:misc-activity; sid:171; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Show Dialog Box Client Request"; content:"70"; reference:arachnids,106; classtype:misc-activity; sid:172; rev:6;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Show Replyable Dialog Box Client Request"; content:"71"; reference:arachnids,106; classtype:misc-activity; sid:173; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide/Show Start Button Client Request"; content:"31"; reference:arachnids,106; classtype:misc-activity; sid:174; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Resolution Change Client Request"; content:"125"; reference:arachnids,106; classtype:misc-activity; sid:175; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide/Show Start Button Client Request"; content:"04"; reference:arachnids,106; classtype:misc-activity; sid:176; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Keylogger on Server OFF"; content:"KeyLogger Shut Down"; reference:arachnids,106; classtype:misc-activity; sid:177; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 FTP Server Port Client Request"; content:"21"; reference:arachnids,106; classtype:misc-activity; sid:179; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Process List Client request"; content:"64"; reference:arachnids,106; classtype:misc-activity; sid:180; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Close Port Scan Client Request"; content:"121"; reference:arachnids,106; classtype:misc-activity; sid:181; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Registry Add Client Request"; content:"89"; reference:arachnids,106; classtype:misc-activity; sid:182; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 System Info Client Request"; content:"13"; reference:arachnids,106; classtype:misc-activity; sid:122; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 FTP Status Client Request"; content:"09"; reference:arachnids,106; classtype:misc-activity; sid:124; rev:5;)
-alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 E-Mail Info From Server"; content:"Retreaving"; reference:arachnids,106; classtype:misc-activity; sid:125; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 E-Mail Info Client Request"; content:"12"; reference:arachnids,106; classtype:misc-activity; sid:126; rev:5;)
-alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Server Status From Server"; content:"Host"; reference:arachnids,106; classtype:misc-activity; sid:127; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Server Status Client Request"; content:"10"; reference:arachnids,106; classtype:misc-activity; sid:128; rev:5;)
-alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Drive Info From Server"; content:"C - "; reference:arachnids,106; classtype:misc-activity; sid:129; rev:5;)
-alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 System Info From Server"; content:"Comp Name"; reference:arachnids,106; classtype:misc-activity; sid:130; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Drive Info Client Request"; content:"130"; reference:arachnids,106; classtype:misc-activity; sid:131; rev:5;)
-alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Server FTP Port Change From Server"; content:"FTP Server changed to"; reference:arachnids,106; classtype:misc-activity; sid:132; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Cached Passwords Client Request"; content:"16"; reference:arachnids,106; classtype:misc-activity; sid:133; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 RAS Passwords Client Request"; content:"17"; reference:arachnids,106; classtype:misc-activity; sid:134; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Server Password Change Client Request"; content:"91"; reference:arachnids,106; classtype:misc-activity; sid:135; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Server Password Remove Client Request"; content:"92"; reference:arachnids,106; classtype:misc-activity; sid:136; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Rehash Client Request"; content:"911"; reference:arachnids,106; classtype:misc-activity; sid:137; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 3150 (msg:"BACKDOOR DeepThroat 3.1 Server Rehash Client Request"; content:"shutd0wnM0therF***eR"; reference:arachnids,106; classtype:misc-activity; sid:138; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 ICQ Alert OFF Client Request"; content:"88"; reference:arachnids,106; classtype:misc-activity; sid:140; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 ICQ Alert ON Client Request"; content:"40"; reference:arachnids,106; classtype:misc-activity; sid:142; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Change Wallpaper Client Request"; content:"20"; reference:arachnids,106; classtype:misc-activity; sid:143; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 3150 (msg:"BACKDOOR DeepThroat 3.1 Client Sending Data to Server on Network"; content:"|00 23|"; reference:arachnids,106; classtype:misc-activity; sid:149; rev:5;)
-alert udp $EXTERNAL_NET 3150 -> $HOME_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Server Active on Network"; content:"|00 23|"; reference:arachnids,106; classtype:misc-activity; sid:150; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Client Sending Data to Server on Network"; reference:arachnids,106; classtype:misc-activity; sid:151; rev:5;)
-alert udp $HOME_NET 3150 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Wrong Password"; content:"Wrong Password"; reference:arachnids,106; classtype:misc-activity; sid:154; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Visible Window List Client Request"; content:"37"; reference:arachnids,106; classtype:misc-activity; sid:156; rev:5;)
-alert udp $EXTERNAL_NET 4120 -> $HOME_NET any (msg:"BACKDOOR DeepThroat access"; content:"--Ahhhhhhhhhh"; reference:arachnids,405; classtype:misc-activity; sid:113; rev:6;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Monitor on/off Client Request"; content:"07"; reference:arachnids,106; classtype:misc-activity; sid:186; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Delete File Client Request"; content:"41"; reference:arachnids,106; classtype:misc-activity; sid:187; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Kill Window Client Request"; content:"38"; reference:arachnids,106; classtype:misc-activity; sid:188; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Disable Window Client Request"; content:"23"; reference:arachnids,106; classtype:misc-activity; sid:189; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Enable Window Client Request"; content:"24"; reference:arachnids,106; classtype:misc-activity; sid:190; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Change Window Title Client Request"; content:"60"; reference:arachnids,106; classtype:misc-activity; sid:191; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide Window Client Request"; content:"26"; reference:arachnids,106; classtype:misc-activity; sid:192; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Show Window Client Request"; content:"25"; reference:arachnids,106; classtype:misc-activity; sid:193; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Send Text to Window Client Request"; content:"63"; reference:arachnids,106; classtype:misc-activity; sid:194; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide/Show Systray Client Request"; content:"30"; reference:arachnids,106; classtype:misc-activity; sid:196; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Create Directory Client Request"; content:"39"; reference:arachnids,106; classtype:misc-activity; sid:197; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 All Window List Client Request"; content:"370"; reference:arachnids,106; classtype:misc-activity; sid:198; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Play Sound Client Request"; content:"36"; reference:arachnids,106; classtype:misc-activity; sid:199; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Run Program Normal Client Request"; content:"14"; reference:arachnids,106; classtype:misc-activity; sid:200; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Run Program Hidden Client Request"; content:"15"; reference:arachnids,106; classtype:misc-activity; sid:201; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Get NET File Client Request"; content:"100"; reference:arachnids,106; classtype:misc-activity; sid:202; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Find File Client Request"; content:"117"; reference:arachnids,106; classtype:misc-activity; sid:203; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Find File Client Request"; content:"118"; reference:arachnids,106; classtype:misc-activity; sid:204; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 HUP Modem Client Request"; content:"199"; reference:arachnids,106; classtype:misc-activity; sid:205; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 CD ROM Open Client Request"; content:"02"; reference:arachnids,106; classtype:misc-activity; sid:206; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 CD ROM Close Client Request"; content:"03"; reference:arachnids,106; classtype:misc-activity; sid:207; rev:5;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named iquery attempt"; content:"|09 80 00 00 00 01 00 00 00 00|"; depth:16; offset:2; reference:arachnids,277; reference:bugtraq,134; reference:cve,1999-0009; reference:url,www.rfc-editor.org/rfc/rfc1035.txt; classtype:attempted-recon; sid:252; rev:7;)
-alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Keylogger Active on Network"; content:"KeyLogger Is Enabled On port"; reference:arachnids,106; classtype:misc-activity; sid:148; rev:5;)
-
-# The following ftp rules look for specific exploits, which are not needed now
-# that initial protocol decoding is available.
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT format string"; flow:to_server,established; content:"SITE EXEC %020d|7C|%.f%.f|7C 0A|"; depth:32; nocase; reference:arachnids,453; reference:bugtraq,1387; reference:cve,2000-0573; classtype:attempted-user; sid:338; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT OpenBSD x86 ftpd"; flow:to_server,established; content:" |90|1|C0 99|RR|B0 17 CD 80|h|CC|sh"; reference:arachnids,446; reference:bugtraq,2124; reference:cve,2001-0053; classtype:attempted-user; sid:339; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT overflow"; flow:to_server,established; content:"PWD|0A|/i"; classtype:attempted-admin; sid:340; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT overflow"; flow:to_server,established; content:"XXXXX/"; classtype:attempted-admin; sid:341; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow Solaris 2.8"; flow:to_server,established; content:"|90 1B C0 0F 82 10| |17 91 D0| |08|"; reference:arachnids,451; reference:bugtraq,1387; reference:cve,2000-0573; classtype:attempted-user; sid:342; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow FreeBSD"; flow:to_server,established; content:"1|C0|PPP|B0|~|CD 80|1|DB|1|C0|"; depth:32; reference:arachnids,228; reference:bugtraq,1387; reference:cve,2000-0573; classtype:attempted-admin; sid:343; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow Linux"; flow:to_server,established; content:"1|C0|1|DB|1|C9 B0|F|CD 80|1|C0|1|DB|"; reference:arachnids,287; reference:bugtraq,1387; reference:cve,2000-0573; classtype:attempted-admin; sid:344; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow generic"; flow:to_server,established; content:"SITE "; nocase; content:" EXEC "; nocase; content:" %p"; nocase; reference:arachnids,285; reference:bugtraq,1387; reference:cve,2000-0573; reference:nessus,10452; classtype:attempted-admin; sid:345; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string check"; flow:to_server,established; content:"f%.f%.f%.f%.f%."; depth:32; reference:arachnids,286; reference:bugtraq,1387; reference:cve,2000-0573; classtype:attempted-recon; sid:346; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0"; flow:to_server,established; content:"..11venglin@"; reference:arachnids,440; reference:bugtraq,1387; classtype:attempted-user; sid:348; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT MKD overflow"; flow:to_server,established; content:"MKD AAAAAA"; reference:bugtraq,113; reference:bugtraq,2242; reference:cve,1999-0368; classtype:attempted-admin; sid:349; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"1|C0|1|DB B0 17 CD 80|1|C0 B0 17 CD 80|"; reference:bugtraq,113; reference:bugtraq,2242; reference:cve,1999-0368; classtype:attempted-admin; sid:350; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"1|DB 89 D8 B0 17 CD 80 EB|,"; reference:bugtraq,113; reference:bugtraq,2242; reference:cve,1999-0368; classtype:attempted-admin; sid:351; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|83 EC 04|^|83 C6|p|83 C6 28 D5 E0 C0|"; reference:bugtraq, 113; reference:cve, CVE-1999-0368; classtype:attempted-admin; sid:352; rev:6;)
-
-# duplicate of 475
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Traceroute ipopts"; ipopts:rr; itype:0; reference:arachnids,238; classtype:misc-activity; sid:455; rev:7;)
-
-
-# not needed thanks to 1964 and 1965
-alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"RPC EXPLOIT ttdbserv solaris overflow"; dsize:>999; flow:to_server,established; content:"|C0 22|?|FC A2 02| |09 C0|,|7F FF E2 22|?|F4|"; reference:arachnids,242; reference:bugtraq,122; reference:cve,1999-0003; reference:url,www.cert.org/advisories/CA-2001-27.html; classtype:attempted-admin; sid:570; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"RPC EXPLOIT ttdbserv Solaris overflow"; dsize:>999; flow:to_server,established; content:"|00 01 86 F3 00 00 00 01 00 00 00 0F 00 00 00 01|"; reference:arachnids,242; reference:bugtraq,122; reference:cve,1999-0003; reference:url,www.cert.org/advisories/CA-2001-27.html; classtype:attempted-admin; sid:571; rev:8;)
-
-# dup of 589
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request yppasswdd"; rpc:100009,*,*; reference:bugtraq,2763; classtype:rpc-portmap-decode; sid:1296; rev:4;)
-# dup of 1275
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request yppasswdd"; flow:to_server,established; rpc:100009,*,*; reference:bugtraq,2763; classtype:rpc-portmap-decode; sid:1297; rev:8;)
-
-# dup of 1280
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap listing"; flow:to_server,established; rpc:100000,*,*; reference:arachnids,429; classtype:rpc-portmap-decode; sid:596; rev:6;)
-
-# dup of 1281
-alert tcp $EXTERNAL_NET any -> $HOME_NET 32771 (msg:"RPC portmap listing"; flow:to_server,established; rpc:100000,*,*; reference:arachnids,429; classtype:rpc-portmap-decode; sid:597; rev:6;)
-
-alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD TRAFFIC Non-Standard IP protocol"; ip_proto:!1; ip_proto:!2; ip_proto:!47; ip_proto:!50; ip_proto:!51; ip_proto:!6; ip_proto:!89; classtype:non-standard-protocol; sid:1620; rev:5;)
-
-# this has been replaced with sid 1905 and 1906
-alert tcp $EXTERNAL_NET any -> $HOME_NET 634:1400 (msg:"RPC AMD Overflow"; flow:to_server,established; content:"|80 00 04|,L|15|u[|00 00 00 00 00 00 00 02|"; depth:32; reference:arachnids,217; reference:cve,1999-0704; classtype:attempted-admin; sid:573; rev:8;)
-
-# these have been replaced by 1915, 1916, 1914, and 1913
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC EXPLOIT statdx"; flow:to_server,established; content:"/bin|C7|F|04|/sh"; reference:arachnids,442; classtype:attempted-admin; sid:600; rev:7;)
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC EXPLOIT statdx"; content:"/bin|C7|F|04|/sh"; reference:arachnids,442; classtype:attempted-admin; sid:1282; rev:5;)
-
-# duplicate of 1088
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webstore directory traversal"; flow:to_server,established; uricontent:"/web_store.cgi?page=../.."; reference:bugtraq,1774; reference:cve,2000-1005; classtype:web-application-attack; sid:1094; rev:10;)
-
-
-# these are obsolete
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT overflow"; flow:to_server,established; content:"|E8 C0 FF FF FF|/bin/sh"; classtype:attempted-admin; sid:293; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|89 D8|@|CD 80 E8 C8 FF FF FF|/"; reference:bugtraq,130; reference:cve,1999-0005; classtype:attempted-admin; sid:295; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|EB|4^|8D 1E 89|^|0B|1|D2 89|V|07|"; reference:bugtraq,130; reference:cve,1999-0005; classtype:attempted-admin; sid:296; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|EB|5^|80|F|01|0|80|F|02|0|80|F|03|0"; reference:bugtraq,130; reference:cve,1999-0005; classtype:attempted-admin; sid:297; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|EB|8^|89 F3 89 D8 80|F|01| |80|F|02|"; reference:bugtraq,130; reference:cve,1999-0005; classtype:attempted-admin; sid:298; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|EB|X^1|DB 83 C3 08 83 C3 02 88|^&"; reference:bugtraq,130; reference:cve, CVE-1999-0005; classtype:attempted-admin; sid:299; rev:6;)
-
-# what is this rule?  we have no idea...
-alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SCAN ssh-research-scanner"; flow:to_server,established; content:"|00 00 00|`|00 00 00 00 00 00 00 00 01 00 00 00|"; classtype:attempted-recon; sid:617; rev:4;)
-
-# These have been replaced by better rules (1915,1916,1913,1914)
-alert udp $EXTERNAL_NET any -> $HOME_NET 32770: (msg:"RPC rstatd query"; content:"|00 00 00 00 00 00 00 02 00 01 86 A1|"; offset:5; reference:arachnids,9; classtype:attempted-recon; sid:592; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 32770: (msg:"RPC rstatd query"; flow:to_server,established; content:"|00 00 00 00 00 00 00 02 00 01 86 A1|"; offset:5; reference:arachnids,9; classtype:attempted-recon; sid:1278; rev:5;)
-
-alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check returned nobody"; flow:from_server,established; content:"uid="; content:"|28|nobody|29|"; classtype:bad-unknown; sid:1883; rev:5;)
-alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check returned web"; flow:from_server,established; content:"uid="; content:"|28|web|29|"; classtype:bad-unknown; sid:1884; rev:5;)
-alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check returned http"; flow:from_server,established; content:"uid="; content:"|28|http|29|"; classtype:bad-unknown; sid:1885; rev:5;)
-alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check returned apache"; flow:from_server,established; content:"uid="; content:"|28|apache|29|"; classtype:bad-unknown; sid:1886; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; content:"|00 00|"; depth:2; offset:45; reference:bugtraq,5556; reference:cve,2002-0724; reference:url,www.corest.com/common/showdoc.php?idx=262; reference:url,www.microsoft.com/technet/security/bulletin/MS02-045.mspx; classtype:denial-of-service; sid:2102; rev:8;)
-
-# specific example for sid:1549
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP EXPLOIT x86 windows CSMMail overflow"; flow:to_server,established; content:"|EB|S|EB| [|FC|3|C9 B1 82 8B F3 80|+"; reference:bugtraq,895; reference:cve,2000-0042; classtype:attempted-admin; sid:656; rev:8;)
-
-# this is properly caught by sid:527
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Land attack"; flags:S; id:3868; seq:3868; flow:stateless; reference:bugtraq,2666; reference:cve,1999-0016; classtype:attempted-dos; sid:269; rev:9;)
-
-# duplicate of 1546
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Cisco Web DOS attempt"; flow:to_server,established; content:" /%%"; depth:16; reference:arachnids,275; classtype:attempted-dos; sid:1138; rev:7;)
-
-# these are obsoleted by cleaning up 663
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 8.4.1 exploit"; flow:to_server,established; content:"rcpt to|3A| |7C| sed '1,/^|24|/d'|7C|"; nocase; reference:arachnids,120; classtype:attempted-user; sid:666; rev:7;)
-
-# dup of 588
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap tooltalk request TCP"; flow:to_server,established; content:"|00 00 00 00|"; depth:4; offset:8; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:1298; rev:15;)
-# dup of 1274
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap tooltalk request UDP"; content:"|00 00 00 00|"; depth:4; offset:4; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:1299; rev:14;)
-
-# these virus rules suck.
-alert tcp any 110 -> any any (msg:"Virus - SnowWhite Trojan Incoming"; flow:established; content:"Suddlently"; classtype:misc-activity; sid:720; rev:6;)
-alert tcp any 110 -> any any (msg:"Virus - Possible NAVIDAD Worm"; flow:established; content:"NAVIDAD.EXE"; nocase; classtype:misc-activity; sid:722; rev:6;)
-alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; flow:established; content:"myromeo.exe"; nocase; classtype:misc-activity; sid:723; rev:6;)
-alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; flow:established; content:"myjuliet.chm"; nocase; classtype:misc-activity; sid:724; rev:6;)
-alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; flow:established; content:"ble bla"; nocase; classtype:misc-activity; sid:725; rev:6;)
-alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; flow:established; content:"I Love You"; classtype:misc-activity; sid:726; rev:6;)
-alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; flow:established; content:"Sorry... Hey you !"; classtype:misc-activity; sid:727; rev:6;)
-alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; flow:established; content:"my picture from shake-beer"; classtype:misc-activity; sid:728; rev:6;)
-alert tcp any 110 -> any any (msg:"Virus - Possible QAZ Worm"; flow:established; content:"qazwsx.hsq"; reference:MCAFEE,98775; classtype:misc-activity; sid:731; rev:7;)
-alert tcp any any -> any 25 (msg:"Virus - Possible QAZ Worm Calling Home"; flow:established; content:"nongmin_cn"; reference:MCAFEE,98775; classtype:misc-activity; sid:733; rev:6;)
-alert tcp any 110 -> any any (msg:"Virus - Possible Matrix worm"; flow:established; content:"Software provide by [MATRiX]"; nocase; classtype:misc-activity; sid:734; rev:6;)
-alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; flow:established; content:"Matrix has you..."; classtype:misc-activity; sid:735; rev:6;)
-alert tcp any any -> any 25 (msg:"Virus - Successful eurocalculator execution"; flags:PA; flow:established; content:"funguscrack@hotmail.com"; nocase; classtype:misc-activity; sid:736; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible eurocalculator.exe file"; flow:established; content:"filename="; content:"eurocalculator.exe"; nocase; classtype:misc-activity; sid:737; rev:6;)
-alert tcp any any -> any 110 (msg:"Virus - Possible Pikachu Pokemon Virus"; flags:PA; flow:established; content:"Pikachu Pokemon"; reference:MCAFEE,98696; classtype:misc-activity; sid:738; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible Triplesix Worm"; flow:established; content:"filename=|22|666TEST.VBS|22|"; nocase; reference:MCAFEE,10389; classtype:misc-activity; sid:739; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible Tune.vbs"; flow:established; content:"filename=|22|tune.vbs|22|"; nocase; reference:MCAFEE,10497; classtype:misc-activity; sid:740; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible NAIL Worm"; flow:established; content:"Market share tipoff"; reference:MCAFEE,10109; classtype:misc-activity; sid:741; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible NAIL Worm"; flow:established; content:"name =|22|WWIII!"; reference:MCAFEE,10109; classtype:misc-activity; sid:742; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible NAIL Worm"; flow:established; content:"New Developments"; reference:MCAFEE,10109; classtype:misc-activity; sid:743; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible NAIL Worm"; flow:established; content:"Good Times"; reference:MCAFEE,10109; classtype:misc-activity; sid:744; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible Papa Worm"; flow:established; content:"filename=|22|XPASS.XLS|22|"; nocase; reference:MCAFEE,10145; classtype:misc-activity; sid:745; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible Freelink Worm"; flow:established; content:"LINKS.VBS"; reference:MCAFEE,10225; classtype:misc-activity; sid:746; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible Simbiosis Worm"; flow:established; content:"filename=|22|SETUP.EXE|22|"; nocase; classtype:misc-activity; sid:747; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible BADASS Worm"; flow:established; content:"name =|22|BADASS.EXE|22|"; reference:MCAFEE,10388; classtype:misc-activity; sid:748; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible ExploreZip.B Worm"; flow:established; content:"name =|22|File_zippati.exe|22|"; reference:MCAFEE,10471; classtype:misc-activity; sid:749; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible wscript.KakWorm"; flow:established; content:"filename=|22|KAK.HTA|22|"; nocase; reference:MCAFEE,10509; classtype:misc-activity; sid:751; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus Possible Suppl Worm"; flow:established; content:"filename=|22|Suppl.doc|22|"; nocase; reference:MCAFEE,10361; classtype:misc-activity; sid:752; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - theobbq.exe"; flow:established; content:"filename=|22|THEOBBQ.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:753; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible Word Macro - VALE"; flow:established; content:"filename=|22|MONEY.DOC|22|"; nocase; reference:MCAFEE,10502; classtype:misc-activity; sid:754; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible IROK Worm"; flow:established; content:"filename=|22|irok.exe|22|"; nocase; reference:MCAFEE,98552; classtype:misc-activity; sid:755; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible Fix2001 Worm"; flow:established; content:"filename=|22|Fix2001.exe|22|"; nocase; reference:MCAFEE,10355; classtype:misc-activity; sid:756; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible Y2K Zelu Trojan"; flow:established; content:"filename=|22|Y2K.EXE|22|"; nocase; reference:MCAFEE,10505; classtype:misc-activity; sid:757; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible The_Fly Trojan"; flow:established; content:"filename=|22|THE_FLY.CHM|22|"; nocase; reference:MCAFEE,10478; classtype:misc-activity; sid:758; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible Word Macro - VALE"; flow:established; content:"filename=|22|DINHEIRO.DOC|22|"; nocase; reference:MCAFEE,10502; classtype:misc-activity; sid:759; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible Passion Worm"; flow:established; content:"filename=|22|ICQ_GREETINGS.EXE|22|"; nocase; reference:MCAFEE,10467; classtype:misc-activity; sid:760; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - cooler3.exe"; flow:established; content:"filename=|22|COOLER3.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:761; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - party.exe"; flow:established; content:"filename=|22|PARTY.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:762; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - hog.exe"; flow:established; content:"filename=|22|HOG.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:763; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - goal1.exe"; flow:established; content:"filename=|22|GOAL1.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:764; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - pirate.exe"; flow:established; content:"filename=|22|PIRATE.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:765; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - video.exe"; flow:established; content:"filename=|22|VIDEO.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:766; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - baby.exe"; flow:established; content:"filename=|22|BABY.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:767; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - cooler1.exe"; flow:established; content:"filename=|22|COOLER1.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:768; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - boss.exe"; flow:established; content:"filename=|22|BOSS.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:769; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - g-zilla.exe"; flow:established; content:"filename=|22|G-ZILLA.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:770; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible ToadieE-mail Trojan"; flow:established; content:"filename=|22|Toadie.exe|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:771; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible PrettyPark Trojan"; flow:established; content:"|5C|CoolProgs|5C|"; depth:750; offset:300; reference:MCAFEE,10175; classtype:misc-activity; sid:772; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible Happy99 Virus"; flow:established; content:"X-Spanska|3A|Yes"; reference:MCAFEE,10144; classtype:misc-activity; sid:773; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible CheckThis Trojan"; flow:established; content:"name =|22|links.vbs|22|"; classtype:misc-activity; sid:774; rev:5;)
-alert tcp any 110 -> any any (msg:"Virus - Possible Bubbleboy Worm"; flow:established; content:"BubbleBoy is back!"; reference:MCAFEE,10418; classtype:misc-activity; sid:775; rev:6;)
-alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - copier.exe"; flow:established; content:"filename=|22|COPIER.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:776; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible MyPics Worm"; flow:established; content:"name =|22|pics4you.exe|22|"; reference:MCAFEE,10467; classtype:misc-activity; sid:777; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible Babylonia - X-MAS.exe"; flow:established; content:"name =|22|X-MAS.EXE|22|"; reference:MCAFEE,10461; classtype:misc-activity; sid:778; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - gadget.exe"; flow:established; content:"filename=|22|GADGET.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:779; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - irnglant.exe"; flow:established; content:"filename=|22|IRNGLANT.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:780; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - casper.exe"; flow:established; content:"filename=|22|CASPER.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:781; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - fborfw.exe"; flow:established; content:"filename=|22|FBORFW.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:782; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - saddam.exe"; flow:established; content:"filename=|22|SADDAM.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:783; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - bboy.exe"; flow:established; content:"filename=|22|BBOY.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:784; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - monica.exe"; flow:established; content:"filename=|22|MONICA.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:785; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - goal.exe"; flow:established; content:"filename=|22|GOAL.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:786; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - panther.exe"; flow:established; content:"filename=|22|PANTHER.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:787; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - chestburst.exe"; flow:established; content:"filename=|22|CHESTBURST.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:788; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible Common Sense Worm"; flow:established; content:"name =|22|THE_FLY.CHM|22|"; classtype:misc-activity; sid:790; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - cupid2.exe"; flow:established; content:"filename=|22|CUPID2.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:791; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible Resume Worm"; flow:established; content:"filename=|22|RESUME1.DOC|22|"; nocase; reference:MCAFEE,98661; classtype:misc-activity; sid:792; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible Resume Worm"; flow:established; content:"filename=|22|Explorer.doc|22|"; nocase; reference:MCAFEE,98661; classtype:misc-activity; sid:794; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible Worm -  txt.vbs file"; flow:established; content:"filename="; content:".txt.vbs"; nocase; classtype:misc-activity; sid:795; rev:6;)
-alert tcp any 110 -> any any (msg:"Virus - Possible Worm - xls.vbs file"; flow:established; content:"filename="; content:".xls.vbs"; nocase; classtype:misc-activity; sid:796; rev:6;)
-alert tcp any 110 -> any any (msg:"Virus - Possible Worm - jpg.vbs file"; flow:established; content:"filename="; content:".jpg.vbs"; nocase; classtype:misc-activity; sid:797; rev:6;)
-alert tcp any 110 -> any any (msg:"Virus - Possible Worm -  gif.vbs file"; flow:established; content:"filename="; content:".gif.vbs"; nocase; classtype:misc-activity; sid:798; rev:6;)
-alert tcp any 110 -> any any (msg:"Virus - Possible Timofonica Worm"; flow:established; content:"filename=|22|TIMOFONICA.TXT.vbs|22|"; nocase; reference:MCAFEE,98674; classtype:misc-activity; sid:799; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible Resume Worm"; flow:established; content:"filename=|22|NORMAL.DOT|22|"; nocase; reference:MCAFEE,98661; classtype:misc-activity; sid:800; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible Worm - doc.vbs file"; flow:established; content:"filename="; content:".doc.vbs"; nocase; classtype:misc-activity; sid:801; rev:6;)
-alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - farter.exe"; flow:established; content:"filename=|22|FARTER.EXE|22|"; nocase; reference:MCAFEE,1054; classtype:misc-activity; sid:789; rev:7;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"VIRUS Klez Incoming"; dsize:>120; flow:to_server,established; content:"MIME"; content:"VGhpcyBwcm9"; classtype:misc-activity; sid:1800; rev:4;)
-# pcre makes this not needed
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP XEXCH50 overflow with evasion attempt"; flow:to_server,established; content:"XEXCH50"; nocase; content:"-0"; distance:1; reference:url,www.microsoft.com/technet/security/bulletin/MS03-046.mspx; classtype:attempted-admin; sid:2254; rev:3;)
-
-# historical reference... this used to be here...
-alert tcp any 110 -> any any (msg:"Virus - Possbile Zipped Files Trojan"; flow:established; content:"name =|22|Zipped_Files.EXE|22|"; reference:MCAFEE,10450; classtype:misc-activity; sid:802; rev:7;)
-
-# taken care of by http_inspect now
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS multiple decode attempt"; flow:to_server,established; uricontent:"%5c"; uricontent:".."; reference:bugtraq,2708; reference:cve,2001-0333; classtype:web-application-attack; sid:970; rev:10;)
-
-# better rule for 1054 caused these rules to not be needed
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat sourecode view"; flow:to_server,established; uricontent:".js%2570"; nocase; classtype:attempted-recon; sid:1236; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat sourecode view"; flow:to_server,established; uricontent:".j%2573p"; nocase; classtype:attempted-recon; sid:1237; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat sourecode view"; flow:to_server,established; uricontent:".%256Asp"; nocase; classtype:attempted-recon; sid:1238; rev:6;)
-
-# these rules are dumb.  sid:857 looks for the access, and thats all we can do
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI faxsurvey attempt full path"; flow:to_server,established; uricontent:"/faxsurvey?/"; nocase; reference:bugtraq,2056; reference:cve,1999-0262; reference:nessus,10067; classtype:web-application-attack; sid:1647; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI faxsurvey arbitrary file read attempt"; flow:to_server,established; uricontent:"/faxsurvey?cat%20"; nocase; reference:bugtraq,2056; reference:cve,1999-0262; reference:nessus,10067; classtype:web-application-attack; sid:1609; rev:7;)
-
-# dup of 2061
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat directory traversal attempt"; flow:to_server,established; uricontent:"|00|.jsp"; reference:bugtraq,2518; classtype:web-application-attack; sid:1055; rev:9;)
-
-
-
-# squash all of the virus rules into one rule.  go PCRE!
-alert tcp any any -> any 139 (msg:"Virus - Possible QAZ Worm Infection"; flow:established; content:"qazwsx.hsq"; reference:MCAFEE,98775; classtype:misc-activity; sid:732; rev:8;)
-alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .shs file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".shs|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:730; rev:7;)
-alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .exe file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".exe|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2160; rev:4;)
-alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .doc file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".doc|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2161; rev:4;)
-alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .vbs file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".vbs|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:793; rev:7;)
-alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .hta file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".hta|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2162; rev:4;)
-alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .chm file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".chm|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2163; rev:4;)
-alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .reg file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".reg|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2164; rev:4;)
-alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .ini file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".ini|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2165; rev:4;)
-alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .bat file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".bat|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2166; rev:4;)
-alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .diz file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".diz|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2167; rev:4;)
-alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .cpp file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".cpp|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2168; rev:4;)
-alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .dll file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".dll|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2169; rev:4;)
-alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .vxd file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".vxd|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2170; rev:4;)
-alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .sys file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".sys|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2171; rev:4;)
-alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .com file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".com|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2172; rev:4;)
-alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .scr file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".scr|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:729; rev:7;)
-alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .hsq file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".hsq|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2173; rev:4;)
-
-# uh, yeah this happens quite a bit.
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ?open access"; flow:to_server,established; uricontent:"?open"; nocase; classtype:web-application-activity; sid:1561; rev:5;)
-
-# dup of 1485
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC mkilog.exe access"; flow:to_server,established; uricontent:"/mkilog.exe"; nocase; classtype:web-application-activity; sid:1665; rev:6;)
-
-# dup of 2339
-alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP NULL command attempt"; content:"|00 00|"; depth:2; reference:bugtraq,7575; classtype:bad-unknown; sid:2336; rev:3;)
-
-# these happen.  more research = more better rules
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP SSLv3 invalid timestamp attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; byte_test:4,>,2147483647,5,relative; reference:bugtraq,10115; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2503; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC SSLv3 invalid timestamp attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; byte_test:4,>,2147483647,5,relative; reference:bugtraq,10115; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2506; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 636 (msg:"MISC LDAP SSLv3 invalid timestamp attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; byte_test:4,>,2147483647,5,relative; reference:bugtraq,10115; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2499; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP SSLv3 invalid timestamp attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; byte_test:4,>,2147483647,5,relative; reference:bugtraq,10115; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2498; rev:7;)
-
-
-#nmap is no longer as dumb as it once was...
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap TCP"; ack:0; flags:A,12; flow:stateless; reference:arachnids,28; classtype:attempted-recon; sid:628; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap fingerprint attempt"; flags:SFPU; flow:stateless; reference:arachnids,05; classtype:attempted-recon; sid:629; rev:6;)
-
-# dup of 553
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP anonymous ftp login attempt"; flow:to_server,established; content:"USER"; nocase; content:" ftp|0D 0A|"; nocase; classtype:misc-activity; sid:1449; rev:7;)
-
-# dup of 2417, which is a better rule anyways
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP format string attempt"; flow:to_server,established; content:"%p"; nocase; classtype:attempted-admin; sid:1530; rev:6;)
diff --git a/scripts/s2b/snort_rules2.2/dns.rules b/scripts/s2b/snort_rules2.2/dns.rules
deleted file mode 100644
index 73a2e5b79e..0000000000
--- a/scripts/s2b/snort_rules2.2/dns.rules
+++ /dev/null
@@ -1,35 +0,0 @@
-# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
-#    All rights reserved.
-# $Id: dns.rules 91 2004-07-15 08:13:57Z rwinslow $
-#----------
-# DNS RULES
-#----------
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS zone transfer TCP"; flow:to_server,established; content:"|00 00 FC|"; offset:15; reference:arachnids,212; reference:cve,1999-0532; classtype:attempted-recon; sid:255; rev:11;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS zone transfer UDP"; content:"|00 00 FC|"; offset:14; reference:arachnids,212; reference:cve,1999-0532; classtype:attempted-recon; sid:1948; rev:4;)
-
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named authors attempt"; flow:to_server,established; content:"|07|authors"; offset:12; nocase; content:"|04|bind"; offset:12; nocase; reference:arachnids,480; reference:nessus,10728; classtype:attempted-recon; sid:1435; rev:6;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named authors attempt"; content:"|07|authors"; offset:12; nocase; content:"|04|bind"; offset:12; nocase; reference:arachnids,480; reference:nessus,10728; classtype:attempted-recon; sid:256; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named version attempt"; flow:to_server,established; content:"|07|version"; offset:12; nocase; content:"|04|bind"; offset:12; nocase; reference:arachnids,278; reference:nessus,10028; classtype:attempted-recon; sid:257; rev:8;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named version attempt"; content:"|07|version"; offset:12; nocase; content:"|04|bind"; offset:12; nocase; reference:arachnids,278; reference:nessus,10028; classtype:attempted-recon; sid:1616; rev:6;)
-
-
-
-alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"DNS SPOOF query response PTR with TTL of 1 min. and no authority"; content:"|85 80 00 01 00 01 00 00 00 00|"; content:"|C0 0C 00 0C 00 01 00 00 00|<|00 0F|"; classtype:bad-unknown; sid:253; rev:4;)
-alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"DNS SPOOF query response with TTL of 1 min. and no authority"; content:"|81 80 00 01 00 01 00 00 00 00|"; content:"|C0 0C 00 01 00 01 00 00 00|<|00 04|"; classtype:bad-unknown; sid:254; rev:4;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named 8.2->8.2.1"; flow:to_server,established; content:"../../../"; reference:bugtraq,788; reference:cve,1999-0833; classtype:attempted-admin; sid:258; rev:6;)
-
-
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named tsig overflow attempt"; flow:to_server,established; content:"|AB CD 09 80 00 00 00 01 00 00 00 00 00 00 01 00 01|    |02|a"; reference:arachnids,482; reference:bugtraq,2302; reference:cve,2001-0010; classtype:attempted-admin; sid:303; rev:11;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named tsig overflow attempt"; content:"|80 00 07 00 00 00 00 00 01|?|00 01 02|"; reference:bugtraq,2303; reference:cve,2001-0010; classtype:attempted-admin; sid:314; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named overflow ADM"; flow:to_server,established; content:"thisissometempspaceforthesockinaddrinyeahyeahiknowthisislamebutanywaywhocareshorizongotitworkingsoalliscool"; reference:bugtraq,788; reference:cve,1999-0833; classtype:attempted-admin; sid:259; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named overflow ADMROCKS"; flow:to_server,established; content:"ADMROCKS"; reference:bugtraq,788; reference:cve,1999-0833; reference:url,www.cert.org/advisories/CA-1999-14.html; classtype:attempted-admin; sid:260; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named overflow attempt"; flow:to_server,established; content:"|CD 80 E8 D7 FF FF FF|/bin/sh"; reference:url,www.cert.org/advisories/CA-1998-05.html; classtype:attempted-admin; sid:261; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86 Linux overflow attempt"; flow:to_server,established; content:"1|C0 B0|?1|DB B3 FF|1|C9 CD 80|1|C0|"; classtype:attempted-admin; sid:262; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86 Linux overflow attempt"; flow:to_server,established; content:"1|C0 B0 02 CD 80 85 C0|uL|EB|L^|B0|"; classtype:attempted-admin; sid:264; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86 Linux overflow attempt ADMv2"; flow:to_server,established; content:"|89 F7 29 C7 89 F3 89 F9 89 F2 AC|<|FE|"; classtype:attempted-admin; sid:265; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86 FreeBSD overflow attempt"; flow:to_server,established; content:"|EB|n^|C6 06 9A|1|C9 89|N|01 C6|F|05|"; classtype:attempted-admin; sid:266; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT sparc overflow attempt"; flow:to_server,established; content:"|90 1A C0 0F 90 02| |08 92 02| |0F D0 23 BF F8|"; classtype:attempted-admin; sid:267; rev:5;)
diff --git a/scripts/s2b/snort_rules2.2/dos.rules b/scripts/s2b/snort_rules2.2/dos.rules
deleted file mode 100644
index ae094cbdf3..0000000000
--- a/scripts/s2b/snort_rules2.2/dos.rules
+++ /dev/null
@@ -1,28 +0,0 @@
-# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
-# All rights reserved.
-# $Id: dos.rules 91 2004-07-15 08:13:57Z rwinslow $
-#----------
-# DOS RULES
-#----------
-
-alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Jolt attack"; dsize:408; fragbits:M; reference:cve,1999-0345; classtype:attempted-dos; sid:268; rev:4;)
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Teardrop attack"; fragbits:M; id:242; reference:bugtraq,124; reference:cve,1999-0015; reference:nessus,10279; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:attempted-dos; sid:270; rev:6;)
-alert udp any 19 <> any 7 (msg:"DOS UDP echo+chargen bomb"; reference:cve,1999-0103; reference:cve,1999-0635; classtype:attempted-dos; sid:271; rev:4;)
-alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS IGMP dos attack"; fragbits:M+; ip_proto:2; content:"|02 00|"; depth:2; reference:bugtraq,514; reference:cve,1999-0918; classtype:attempted-dos; sid:272; rev:7;)
-alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS IGMP dos attack"; fragbits:M+; ip_proto:2; content:"|00 00|"; depth:2; reference:bugtraq,514; reference:cve,1999-0918; classtype:attempted-dos; sid:273; rev:7;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS ath"; itype:8; content:"+++ath"; nocase; reference:arachnids,264; reference:cve,1999-1228; classtype:attempted-dos; sid:274; rev:5;)
-alert tcp $EXTERNAL_NET any <> $HOME_NET any (msg:"DOS NAPTHA"; flags:S; id:413; seq:6060842; flow:stateless; reference:bugtraq,2022; reference:cve,2000-1039; reference:url,razor.bindview.com/publish/advisories/adv_NAPTHA.html; reference:url,www.cert.org/advisories/CA-2000-21.html; reference:url,www.microsoft.com/technet/security/bulletin/MS00-091.mspx; classtype:attempted-dos; sid:275; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 7070 (msg:"DOS Real Audio Server"; flow:to_server,established; content:"|FF F4 FF FD 06|"; reference:arachnids,411; reference:bugtraq,1288; reference:cve,2000-0474; classtype:attempted-dos; sid:276; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 7070 (msg:"DOS Real Server template.html"; flow:to_server,established; content:"/viewsource/template.html?"; nocase; reference:bugtraq,1288; reference:cve,2000-0474; classtype:attempted-dos; sid:277; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"DOS Real Server template.html"; flow:to_server,established; content:"/viewsource/template.html?"; nocase; reference:bugtraq,1288; reference:cve,2000-0474; classtype:attempted-dos; sid:278; rev:5;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"DOS Bay/Nortel Nautica Marlin"; dsize:0; reference:bugtraq,1009; reference:cve,2000-0221; classtype:attempted-dos; sid:279; rev:3;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 9 (msg:"DOS Ascend Route"; content:"NAMENAME"; depth:50; offset:25; reference:arachnids,262; reference:bugtraq,714; reference:cve,1999-0060; classtype:attempted-dos; sid:281; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"DOS arkiea backup"; dsize:>1445; flow:to_server,established; reference:arachnids,261; reference:bugtraq,662; reference:cve,1999-0788; classtype:attempted-dos; sid:282; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 135:139 (msg:"DOS Winnuke attack"; flags:U+; flow:stateless; reference:bugtraq,2010; reference:cve,1999-0153; classtype:attempted-dos; sid:1257; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 3372 (msg:"DOS MSDTC attempt"; dsize:>1023; flow:to_server,established; reference:bugtraq,4006; reference:cve,2002-0224; classtype:attempted-dos; sid:1408; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 6004 (msg:"DOS iParty DOS attempt"; flow:to_server,established; content:"|FF FF FF FF FF FF|"; offset:0; reference:bugtraq,6844; reference:cve,1999-1566; classtype:misc-attack; sid:1605; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 6789:6790 (msg:"DOS DB2 dos attempt"; dsize:1; flow:to_server,established; classtype:denial-of-service; sid:1641; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"DOS Cisco attempt"; dsize:1; flow:to_server,established; content:"|13|"; classtype:web-application-attack; sid:1545; rev:7;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"DOS ISAKMP invalid identification payload attempt"; content:"|05|"; depth:1; offset:16; byte_test:2,>,4,30; byte_test:2,<,8,30; reference:bugtraq,10004; reference:cve,2004-0184; classtype:attempted-dos; sid:2486; rev:5;)
-alert tcp $EXTERNAL_NET any <> $HOME_NET 179 (msg:"DOS BGP spoofed connection reset attempt"; flags:RSF*; flow:established; threshold:type both,track by_dst,count 10,seconds 10; reference:bugtraq,10183; reference:cve,2004-0230; reference:url,www.uniras.gov.uk/vuls/2004/236929/index.htm; classtype:attempted-dos; sid:2523; rev:6;)
-
diff --git a/scripts/s2b/snort_rules2.2/experimental.rules b/scripts/s2b/snort_rules2.2/experimental.rules
deleted file mode 100644
index efd4462506..0000000000
--- a/scripts/s2b/snort_rules2.2/experimental.rules
+++ /dev/null
@@ -1,12 +0,0 @@
-# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
-#    All rights reserved.
-# $Id: experimental.rules 91 2004-07-15 08:13:57Z rwinslow $
-# ---------------
-# EXPERIMENTAL RULES
-# ---------------
-# These signatures are experimental, new and may trigger way too often.
-#
-# Be forwarned, this is our testing ground.  We put new signatures here for
-# testing before incorporating them into the default signature set.  This is
-# for bleeding edge stuff only.
-#
diff --git a/scripts/s2b/snort_rules2.2/exploit.rules b/scripts/s2b/snort_rules2.2/exploit.rules
deleted file mode 100644
index d6775b459e..0000000000
--- a/scripts/s2b/snort_rules2.2/exploit.rules
+++ /dev/null
@@ -1,78 +0,0 @@
-# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
-#    All rights reserved.
-# $Id: exploit.rules 91 2004-07-15 08:13:57Z rwinslow $
-#--------------
-# EXPLOIT RULES
-#--------------
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow /bin/sh"; flow:to_server,established; content:"/bin/sh"; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1324; rev:6;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow filler"; flow:to_server,established; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1325; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow NOOP"; flow:to_server,established; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1326; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow"; flow:to_server,established; content:"|00 01|W|00 00 00 18|"; depth:7; content:"|FF FF FF FF 00 00|"; depth:14; offset:8; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1327; rev:7;)
-alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"EXPLOIT Netscape 4.7 client overflow"; flow:to_client,established; content:"3|C9 B1 10|?|E9 06|Q<|FA|G3|C0|P|F7 D0|P"; reference:arachnids,215; reference:bugtraq,822; reference:cve,1999-1189; reference:cve,2000-1187; classtype:attempted-user; sid:283; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 2766 (msg:"EXPLOIT nlps x86 Solaris overflow"; flow:to_server,established; content:"|EB 23|^3|C0 88|F|FA 89|F|F5 89|6"; reference:bugtraq,2319; classtype:attempted-admin; sid:300; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"EXPLOIT LPRng overflow"; flow:to_server,established; content:"C|07 89|[|08 8D|K|08 89|C|0C B0 0B CD 80|1|C0 FE C0 CD 80 E8 94 FF FF FF|/bin/sh|0A|"; reference:bugtraq,1712; reference:cve,2000-0917; classtype:attempted-admin; sid:301; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"EXPLOIT Redhat 7.0 lprd overflow"; flow:to_server,established; content:"XXXX%.172u%300|24|n"; classtype:attempted-admin; sid:302; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 6373 (msg:"EXPLOIT SCO calserver overflow"; flow:to_server,established; content:"|EB 7F|]U|FE|M|98 FE|M|9B|"; reference:bugtraq,2353; reference:cve,2000-0306; classtype:attempted-admin; sid:304; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"EXPLOIT delegate proxy overflow"; dsize:>1000; flow:to_server,established; content:"whois|3A|//"; nocase; reference:arachnids,267; reference:bugtraq,808; reference:cve,2000-0165; classtype:attempted-admin; sid:305; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 9090 (msg:"EXPLOIT VQServer admin"; flow:to_server,established; content:"GET / HTTP/1.1"; nocase; reference:bugtraq,1610; reference:cve,2000-0766; reference:url,www.vqsoft.com/vq/server/docs/other/control.html; classtype:attempted-admin; sid:306; rev:9;)
-alert tcp $EXTERNAL_NET 21 -> $HOME_NET any (msg:"EXPLOIT NextFTP client overflow"; flow:to_client,established; content:"|B4| |B4|!|8B CC 83 E9 04 8B 19|3|C9|f|B9 10|"; reference:bugtraq,572; reference:cve,1999-0671; classtype:attempted-user; sid:308; rev:8;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT sniffit overflow"; dsize:>512; flags:A+; flow:stateless; content:"from|3A 90 90 90 90 90 90 90 90 90 90 90|"; nocase; reference:arachnids,273; reference:bugtraq,1158; reference:cve,2000-0343; classtype:attempted-admin; sid:309; rev:9;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT x86 windows MailMax overflow"; flow:to_server,established; content:"|EB|E|EB| [|FC|3|C9 B1 82 8B F3 80|+"; reference:bugtraq,2312; reference:cve,1999-0404; classtype:attempted-admin; sid:310; rev:8;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"EXPLOIT Netscape 4.7 unsucessful overflow"; flow:to_server,established; content:"3|C9 B1 10|?|E9 06|Q<|FA|G3|C0|P|F7 D0|P"; reference:arachnids,214; reference:bugtraq,822; reference:cve,1999-1189; reference:cve,2000-1187; classtype:unsuccessful-user; sid:311; rev:11;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 123 (msg:"EXPLOIT ntpdx overflow attempt"; dsize:>128; reference:arachnids,492; reference:bugtraq,2540; reference:cve,2001-0414; classtype:attempted-admin; sid:312; rev:6;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 518 (msg:"EXPLOIT ntalkd x86 Linux overflow"; content:"|01 03 00 00 00 00 00 01 00 02 02 E8|"; reference:bugtraq,210; classtype:attempted-admin; sid:313; rev:4;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"EXPLOIT x86 Linux mountd overflow"; content:"^|B0 02 89 06 FE C8 89|F|04 B0 06 89|F"; reference:bugtraq,121; reference:cve,1999-0002; classtype:attempted-admin; sid:315; rev:6;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"EXPLOIT x86 Linux mountd overflow"; content:"|EB|V^VVV1|D2 88|V|0B 88|V|1E|"; reference:bugtraq,121; reference:cve,1999-0002; classtype:attempted-admin; sid:316; rev:6;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"EXPLOIT x86 Linux mountd overflow"; content:"|EB|@^1|C0|@|89|F|04 89 C3|@|89 06|"; reference:bugtraq,121; reference:cve,1999-0002; classtype:attempted-admin; sid:317; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 2224 (msg:"EXPLOIT MDBMS overflow"; flow:to_server,established; content:"|01|1|DB CD 80 E8|[|FF FF FF|"; reference:bugtraq,1252; reference:cve,2000-0446; classtype:attempted-admin; sid:1240; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 4242 (msg:"EXPLOIT AIX pdnsd overflow"; dsize:>1000; flow:to_server,established; content:"|7F FF FB|x|7F FF FB|x|7F FF FB|x|7F FF FB|x"; content:"@|8A FF C8|@|82 FF D8 3B|6|FE 03 3B|v|FE 02|"; reference:bugtraq,3237; reference:bugtraq,590; reference:cve,1999-0745; classtype:attempted-user; sid:1261; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 4321 (msg:"EXPLOIT rwhoisd format string attempt"; flow:to_server,established; content:"-soa %p"; reference:bugtraq,3474; reference:cve,2001-0838; classtype:misc-attack; sid:1323; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 6112 (msg:"EXPLOIT CDE dtspcd exploit attempt"; flow:to_server,established; content:"1"; depth:1; offset:10; content:!"000"; depth:3; offset:11; reference:bugtraq,3517; reference:cve,2001-0803; reference:url,www.cert.org/advisories/CA-2002-01.html; classtype:misc-attack; sid:1398; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 32772:34000 (msg:"EXPLOIT cachefsd buffer overflow attempt"; dsize:>720; flow:to_server,established; content:"|00 01 87 86 00 00 00 01 00 00 00 05|"; reference:bugtraq,4631; reference:cve,2002-0084; classtype:misc-attack; sid:1751; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 749 (msg:"EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"|00 C0 05 08 00 C0 05 08 00 C0 05 08 00 C0 05 08|"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1894; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 751 (msg:"EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"|00 C0 05 08 00 C0 05 08 00 C0 05 08 00 C0 05 08|"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1895; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 749 (msg:"EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"|FF FF|KADM0.0A|00 00 FB 03|"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1896; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 751 (msg:"EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"|FF FF|KADM0.0A|00 00 FB 03|"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1897; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 749 (msg:"EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"/shh//bi"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1898; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 751 (msg:"EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"/shh//bi"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1899; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT gobbles SSH exploit attempt"; flow:to_server,established; content:"GOBBLES"; reference:bugtraq,5093; reference:cve,2002-0390; reference:cve,2002-0639; classtype:misc-attack; sid:1812; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"EXPLOIT LPD dvips remote command execution attempt"; flow:to_server,established; content:"psfile=|22|`"; reference:bugtraq,3241; reference:cve,2001-1002; reference:nessus,11023; classtype:system-call-detect; sid:1821; rev:7;)
-
-alert tcp $EXTERNAL_NET 22 -> $HOME_NET any (msg:"EXPLOIT SSH server banner overflow"; flow:established,from_server; content:"SSH-"; nocase; isdataat:200,relative; pcre:"/^SSH-\s[^\n]{200}/ism"; reference:bugtraq,5287; reference:cve,2002-1059; classtype:misc-attack; sid:1838; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 6666:7000 (msg:"EXPLOIT CHAT IRC topic overflow"; flow:to_client,established; content:"|EB|K[S2|E4 83 C3 0B|K|88 23 B8|Pw"; reference:bugtraq,573; reference:cve,1999-0672; classtype:attempted-user; sid:307; rev:9;)
-alert tcp any any -> any 6666:7000 (msg:"EXPLOIT CHAT IRC Ettercap parse overflow attempt"; flow:to_server,established; content:"PRIVMSG"; nocase; content:"nickserv"; nocase; content:"IDENTIFY"; nocase; isdataat:100,relative; pcre:"/^PRIVMSG\s+nickserv\s+IDENTIFY\s[^\n]{100}/smi"; reference:url,www.bugtraq.org/dev/GOBBLES-12.txt; classtype:misc-attack; sid:1382; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"EXPLOIT x86 Linux samba overflow"; flow:to_server,established; content:"|EB|/_|EB|J^|89 FB 89|>|89 F2|"; reference:bugtraq,1816; reference:bugtraq,536; reference:cve,1999-0182; reference:cve,1999-0811; classtype:attempted-admin; sid:292; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 1655 (msg:"EXPLOIT ebola PASS overflow attempt"; flow:to_server,established; content:"PASS"; nocase; pcre:"/^PASS\s[^\n]{49}/smi"; reference:bugtraq,9156; classtype:attempted-admin; sid:2319; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 1655 (msg:"EXPLOIT ebola USER overflow attempt"; flow:to_server,established; content:"USER"; nocase; pcre:"/^USER\s[^\n]{49}/smi"; reference:bugtraq,9156; classtype:attempted-admin; sid:2320; rev:1;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP first payload certificate request length overflow attempt"; byte_test:4,>,2043,24; content:"|07|"; depth:1; offset:16; byte_test:2,>,2043,30; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2376; rev:3;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP second payload certificate request length overflow attempt"; byte_test:4,>,2043,24; content:"|07|"; depth:1; offset:28; byte_jump:2,30; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2377; rev:3;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP third payload certificate request length overflow attempt"; byte_test:4,>,2043,24; byte_jump:2,30,relative; content:"|07|"; within:1; distance:-4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2378; rev:3;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP forth payload certificate request length overflow attempt"; byte_test:4,>,2043,24; byte_jump:2,30,relative; byte_jump:2,-2,relative; content:"|07|"; within:1; distance:-4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2379; rev:3;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP fifth payload certificate request length overflow attempt"; byte_test:4,>,2043,24; byte_jump:2,30,relative; byte_jump:2,-2,relative; byte_jump:2,-2,relative; content:"|07|"; within:1; distance:-4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2380; rev:3;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP delete hash with empty hash attempt"; content:"|08|"; depth:1; offset:16; content:"|0C|"; depth:1; offset:28; content:"|00 04|"; depth:2; offset:30; reference:bugtraq,9416; reference:bugtraq,9417; reference:bugtraq,CAN-2004-0164; reference:cve,2004-0164; classtype:misc-attack; sid:2413; rev:7;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP initial contact notification without SPI attempt"; content:"|0B|"; depth:1; offset:16; content:"|00 0C 00 00 00 01 01 00 06 02|"; depth:10; offset:30; reference:bugtraq,9416; reference:bugtraq,9417; reference:bugtraq,CAN-2004-0164; reference:cve,2004-0164; classtype:misc-attack; sid:2414; rev:7;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP second payload initial contact notification without SPI attempt"; content:"|0B|"; depth:1; offset:28; byte_jump:2,30; content:"|00 0C 00 00 00 01 01 00|`|02|"; within:10; distance:-2; reference:bugtraq,9416; reference:bugtraq,9417; reference:bugtraq,CAN-2004-0164; reference:cve,2004-0164; classtype:misc-attack; sid:2415; rev:7;)
-alert udp any 4000 -> any any (msg:"EXPLOIT ICQ SRV_MULTI/SRV_META_USER first name overflow attempt"; content:"|05 00|"; depth:2; content:"|12 02|"; within:2; distance:5; byte_test:1,>,1,12,relative; content:"|05 00|"; distance:0; content:"n|00|"; within:2; distance:5; content:"|05 00|"; content:"|DE 03|"; within:2; distance:5; byte_test:2,>,128,18,relative,little; reference:url,www.eeye.com/html/Research/Advisories/AD20040318.html; classtype:misc-attack; sid:2443; rev:4;)
-alert udp any 4000 -> any any (msg:"EXPLOIT ICQ SRV_MULTI/SRV_META_USER first name overflow attempt"; content:"|05 00|"; depth:2; content:"|12 02|"; within:2; distance:5; byte_test:1,>,1,12,relative; content:"|05 00|"; distance:0; content:"n|00|"; within:2; distance:5; content:"|05 00|"; content:"|DE 03|"; within:2; distance:5; byte_jump:2,18,relative,little; byte_test:2,>,128,0,relative,little; reference:url,www.eeye.com/html/Research/Advisories/AD20040318.html; classtype:misc-attack; sid:2444; rev:4;)
-alert udp any 4000 -> any any (msg:"EXPLOIT ICQ SRV_MULTI/SRV_META_USER last name overflow attempt"; content:"|05 00|"; depth:2; byte_test:2,>,128,0,relative,little; content:"|12 02|"; within:2; distance:5; byte_test:1,>,1,12,relative; content:"|05 00|"; distance:0; content:"n|00|"; within:2; distance:5; content:"|05 00|"; content:"|DE 03|"; within:2; distance:5; byte_jump:2,18,relative,little; byte_jump:2,0,relative,little; reference:url,www.eeye.com/html/Research/Advisories/AD20040318.html; classtype:misc-attack; sid:2445; rev:4;)
-alert udp any 4000 -> any any (msg:"EXPLOIT ICQ SRV_MULTI/SRV_META_USER email overflow attempt"; content:"|05 00|"; depth:2; byte_jump:2,0,relative,little; byte_test:2,>,128,0,relative,little; content:"|12 02|"; within:2; distance:5; byte_test:1,>,1,12,relative; content:"|05 00|"; distance:0; content:"n|00|"; within:2; distance:5; content:"|05 00|"; content:"|DE 03|"; within:2; distance:5; byte_jump:2,18,relative,little; byte_jump:2,0,relative,little; reference:url,www.eeye.com/html/Research/Advisories/AD20040318.html; classtype:misc-attack; sid:2446; rev:4;)
-
-alert ip any any -> any any (msg:"EXPLOIT IGMP IGAP account overflow attempt"; ip_proto:2; byte_test:1,>,63,0; byte_test:1,<,67,0; byte_test:1,>,16,12; reference:bugtraq,9952; reference:cve, CAN-2004-0367; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2462; rev:6;)
-alert ip any any -> any any (msg:"EXPLOIT IGMP IGAP message overflow attempt"; ip_proto:2; byte_test:1,>,63,0; byte_test:1,<,67,0; byte_test:1,>,64,13; reference:bugtraq,9952; reference:cve, CAN-2004-0367; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2463; rev:6;)
-alert ip any any -> any any (msg:"EXPLOIT EIGRP prefix length overflow attempt"; ip_proto:88; byte_test:1,>,32,44; reference:bugtraq,9952; reference:cve, CAN-2004-0367; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2464; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXPLOIT esignal STREAMQUOTE buffer overflow attempt"; flow:to_server,established; content:"<STREAMQUOTE>"; nocase; isdataat:1024,relative; content:!"</STREAMQUOTE>"; within:1054; nocase; reference:bugtraq,9978; classtype:attempted-admin; sid:2489; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXPLOIT esignal SNAPQUOTE buffer overflow attempt"; flow:to_server,established; content:"<SNAPQUOTE>"; nocase; isdataat:1024,relative; content:!"</SNAPQUOTE>"; within:1052; nocase; reference:bugtraq,9978; classtype:attempted-admin; sid:2490; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 548 (msg:"EXPLOIT AFP FPLoginExt username buffer overflow attempt"; flow:to_server,established; content:"|00 02|"; depth:2; content:"?"; within:1; distance:14; content:"cleartxt passwrd"; nocase; byte_jump:2,1,relative; byte_jump:2,1,relative; isdataat:2,relative; reference:bugtraq,10271; reference:cve,2004-0430; reference:url,www.atstake.com/research/advisories/2004/a050304-1.txt; classtype:attempted-admin; sid:2545; rev:4;)
-alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"EXPLOIT winamp XM module name overflow"; flow:established,from_server; content:"Extended module|3A|"; nocase; isdataat:20,relative; content:!"|1A|"; within:21; reference:url,www.nextgenss.com/advisories/winampheap.txt; classtype:attempted-user; sid:2550; rev:2;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache GET overflow attempt"; flow:to_server,established; content:"GET"; pcre:"/^GET[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; classtype:attempted-admin; sid:2551; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache HEAD overflow attempt"; flow:to_server,established; content:"HEAD"; pcre:"/^HEAD[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; classtype:attempted-admin; sid:2552; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache PUT overflow attempt"; flow:to_server,established; content:"PUT"; pcre:"/^PUT[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; classtype:attempted-admin; sid:2553; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache POST overflow attempt"; flow:to_server,established; content:"POST"; pcre:"/^POST[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; classtype:attempted-admin; sid:2554; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache TRACE overflow attempt"; flow:to_server,established; content:"TRACE"; pcre:"/^TRACE[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; classtype:attempted-admin; sid:2555; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache DELETE overflow attempt"; flow:to_server,established; content:"DELETE"; pcre:"/^DELETE[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; classtype:attempted-admin; sid:2556; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache LOCK overflow attempt"; flow:to_server,established; content:"LOCK"; pcre:"/^LOCK[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; classtype:attempted-admin; sid:2557; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache MKCOL overflow attempt"; flow:to_server,established; content:"MKCOL"; pcre:"/^MKCOL[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; classtype:attempted-admin; sid:2558; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache COPY overflow attempt"; flow:to_server,established; content:"COPY"; pcre:"/^COPY[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; classtype:attempted-admin; sid:2559; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache MOVE overflow attempt"; flow:to_server,established; content:"MOVE"; pcre:"/^MOVE[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; classtype:attempted-admin; sid:2560; rev:2;)
diff --git a/scripts/s2b/snort_rules2.2/finger.rules b/scripts/s2b/snort_rules2.2/finger.rules
deleted file mode 100644
index 34c1d6e5a2..0000000000
--- a/scripts/s2b/snort_rules2.2/finger.rules
+++ /dev/null
@@ -1,21 +0,0 @@
-# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
-#    All rights reserved.
-# $Id: finger.rules 91 2004-07-15 08:13:57Z rwinslow $
-#-------------
-# FINGER RULES
-#-------------
-#
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER cmd_rootsh backdoor attempt"; flow:to_server,established; content:"cmd_rootsh"; reference:cve,1999-0660; reference:nessus,10070; reference:url,www.sans.org/y2k/TFN_toolkit.htm; reference:url,www.sans.org/y2k/fingerd.htm; classtype:attempted-admin; sid:320; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER account enumeration attempt"; flow:to_server,established; content:"a b c d e f"; nocase; reference:nessus,10788; classtype:attempted-recon; sid:321; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER search query"; flow:to_server,established; content:"search"; reference:arachnids,375; reference:cve,1999-0259; classtype:attempted-recon; sid:322; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER root query"; flow:to_server,established; content:"root"; reference:arachnids,376; classtype:attempted-recon; sid:323; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER null request"; flow:to_server,established; content:"|00|"; reference:arachnids,377; classtype:attempted-recon; sid:324; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER remote command execution attempt"; flow:to_server,established; content:"|3B|"; reference:arachnids,379; reference:bugtraq,974; reference:cve,1999-0150; classtype:attempted-user; sid:326; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER remote command pipe execution attempt"; flow:to_server,established; content:"|7C|"; reference:arachnids,380; reference:bugtraq,2220; reference:cve,1999-0152; classtype:attempted-user; sid:327; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER bomb attempt"; flow:to_server,established; content:"@@"; reference:arachnids,381; reference:cve,1999-0106; classtype:attempted-dos; sid:328; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER redirection attempt"; flow:to_server,established; content:"@"; reference:arachnids,251; reference:cve,1999-0105; reference:nessus,10073; classtype:attempted-recon; sid:330; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER cybercop query"; flow:to_server,established; content:"|0A|     "; depth:10; reference:arachnids,132; reference:cve,1999-0612; classtype:attempted-recon; sid:331; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER 0 query"; flow:to_server,established; content:"0"; reference:arachnids,131; reference:arachnids,378; reference:cve,1999-0197; reference:nessus,10069; classtype:attempted-recon; sid:332; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER . query"; flow:to_server,established; content:"."; reference:arachnids,130; reference:cve,1999-0198; reference:nessus,10072; classtype:attempted-recon; sid:333; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER version query"; flow:to_server,established; content:"version"; classtype:attempted-recon; sid:1541; rev:4;)
diff --git a/scripts/s2b/snort_rules2.2/ftp.rules b/scripts/s2b/snort_rules2.2/ftp.rules
deleted file mode 100644
index b057fe3b12..0000000000
--- a/scripts/s2b/snort_rules2.2/ftp.rules
+++ /dev/null
@@ -1,100 +0,0 @@
-# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
-#    All rights reserved.
-# $Id: ftp.rules 91 2004-07-15 08:13:57Z rwinslow $
-#----------
-# FTP RULES
-#----------
-
-
-# protocol verification
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP MDTM overflow attempt"; flow:to_server,established; content:"MDTM"; nocase; isdataat:100,relative; pcre:"/^MDTM\s[^\n]{100}/smi"; reference:bugtraq,9751; classtype:attempted-admin; sid:2546; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP XMKD overflow attempt"; flow:to_server,established; content:"XMKD"; nocase; isdataat:100,relative; pcre:"/^XMKD\s[^\n]{100}/smi"; reference:bugtraq,7909; classtype:attempted-admin; sid:2373; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP NLST overflow attempt"; flow:to_server,established; content:"NLST"; nocase; isdataat:100,relative; pcre:"/^NLST\s[^\n]{100}/smi"; reference:bugtraq,10184; reference:bugtraq,7909; reference:bugtraq,9675; classtype:attempted-admin; sid:2374; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP ALLO overflow attempt"; flow:to_server,established; content:"ALLO"; nocase; isdataat:100,relative; pcre:"/^ALLO\s[^\n]{100}/smi"; reference:bugtraq,9953; classtype:attempted-admin; sid:2449; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP RNTO overflow attempt"; flow:to_server,established; content:"RNTO"; nocase; isdataat:100,relative; pcre:"/^RNTO\s[^\n]{100}/smi"; reference:bugtraq,8315; reference:cve,2003-0466; classtype:attempted-admin; sid:2389; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP STOU overflow attempt"; flow:to_server,established; content:"STOU"; nocase; isdataat:100,relative; pcre:"/^STOU\s[^\n]{100}/smi"; reference:bugtraq,8315; reference:cve,2003-0466; classtype:attempted-admin; sid:2390; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP APPE overflow attempt"; flow:to_server,established; content:"APPE"; nocase; isdataat:100,relative; pcre:"/^APPE\s[^\n]{100}/smi"; reference:bugtraq,8315; reference:cve,2003-0466; classtype:attempted-admin; sid:2391; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP RETR overflow attempt"; flow:to_server,established; content:"RETR"; nocase; isdataat:100,relative; pcre:"/^RETR\s[^\n]{100}/smi"; reference:bugtraq,8315; reference:cve,2003-0466; classtype:attempted-admin; sid:2392; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP STOR overflow attempt"; flow:to_server,established; content:"STOR"; nocase; isdataat:100,relative; pcre:"/^STOR\s[^\n]{100}/smi"; reference:bugtraq,8668; classtype:attempted-admin; sid:2343; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CEL overflow attempt"; flow:to_server,established; content:"CEL"; nocase; isdataat:100,relative; pcre:"/^CEL\s[^\n]{100}/smi"; reference:arachnids,257; reference:bugtraq,679; reference:cve,1999-0789; classtype:attempted-admin; sid:337; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP XCWD overflow attempt"; flow:to_server,established; content:"XCWD"; nocase; isdataat:100,relative; pcre:"/^XCWD\s[^\n]{100}/smi"; reference:bugtraq,8704; classtype:attempted-admin; sid:2344; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD overflow attempt"; flow:to_server,established; content:"CWD"; nocase; isdataat:100,relative; pcre:"/^CWD\s[^\n]{100}/smi"; reference:bugtraq,1227; reference:bugtraq,1690; reference:bugtraq,7950; reference:cve,2000-1035; reference:cve,2000-1194; reference:cve,2002-0126; classtype:attempted-admin; sid:1919; rev:12;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CMD overflow attempt"; flow:to_server,established; content:"CMD"; nocase; isdataat:100,relative; pcre:"/^CMD\s[^\n]{100}/smi"; classtype:attempted-admin; sid:1621; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP STAT overflow attempt"; flow:to_server,established; content:"STAT"; nocase; isdataat:100,relative; pcre:"/^STAT\s[^\n]{100}/smi"; reference:url,labs.defcom.com/adv/2001/def-2001-31.txt; classtype:attempted-admin; sid:1379; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE CHMOD overflow attempt"; flow:to_server,established; content:"SITE"; nocase; content:"CHMOD"; distance:0; nocase; isdataat:100,relative; pcre:"/^SITE\s+CHMOD\s[^\n]{100}/smi"; reference:bugtraq,10181; reference:bugtraq,9483; reference:nessus,12037; classtype:attempted-admin; sid:2340; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE CHOWN overflow attempt"; flow:to_server,established; content:"SITE"; nocase; content:"CHOWN"; distance:0; nocase; isdataat:100,relative; pcre:"/^SITE\s+CHOWN\s[^\n]{100}/smi"; reference:bugtraq,2120; reference:cve,2001-0065; classtype:attempted-admin; sid:1562; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE NEWER overflow attempt"; flow:to_server,established; content:"SITE"; nocase; content:"NEWER"; distance:0; nocase; isdataat:100,relative; pcre:"/^SITE\s+NEWER\s[^\n]{100}/smi"; reference:bugtraq,229; reference:cve,1999-0800; classtype:attempted-admin; sid:1920; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE CPWD overflow attempt"; flow:established,to_server; content:"SITE"; nocase; content:"CPWD"; distance:0; nocase; isdataat:100,relative; pcre:"/^SITE\s+CPWD\s[^\n]{100}/smi"; reference:bugtraq,5427; reference:cve,2002-0826; classtype:misc-attack; sid:1888; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE EXEC format string attempt"; flow:to_server,established; content:"SITE"; nocase; content:"EXEC"; distance:0; nocase; pcre:"/^SITE\s+EXEC\s[^\n]*?%[^\n]*?%/smi"; classtype:bad-unknown; sid:1971; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE overflow attempt"; flow:to_server,established; content:"SITE"; nocase; isdataat:100,relative; pcre:"/^SITE\s[^\n]{100}/smi"; reference:cve,1999-0838; reference:cve,2001-0755; reference:cve,2001-0770; classtype:attempted-admin; sid:1529; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP USER overflow attempt"; flow:to_server,established,no_stream; content:"USER"; nocase; isdataat:100,relative; pcre:"/^USER\s[^\n]{100}/smi"; reference:bugtraq,1227; reference:bugtraq,1504; reference:bugtraq,1690; reference:bugtraq,4638; reference:cve,2000-0479; reference:cve,2000-0656; reference:cve,2000-0943; reference:cve,2000-1035; reference:cve,2000-1194; reference:cve,2001-0794; reference:cve,2001-0826; reference:cve,2002-0126; classtype:attempted-admin; sid:1734; rev:16;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP PASS overflow attempt"; flow:to_server,established,no_stream; content:"PASS"; nocase; isdataat:100,relative; pcre:"/^PASS\s[^\n]{100}/smi"; reference:bugtraq,1690; reference:bugtraq,3884; reference:bugtraq,8601; reference:bugtraq,9285; reference:cve,2000-1035; reference:cve,2002-0126; classtype:attempted-admin; sid:1972; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP RMDIR overflow attempt"; flow:to_server,established; content:"RMDIR"; nocase; isdataat:100,relative; pcre:"/^RMDIR\s[^\n]{100}/smi"; classtype:attempted-admin; sid:1942; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP MKD overflow attempt"; flow:to_server,established; content:"MKD"; nocase; isdataat:100,relative; pcre:"/^MKD\s[^\n]{100}/smi"; reference:bugtraq,612; reference:bugtraq,9872; reference:cve,1999-0911; classtype:attempted-admin; sid:1973; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP REST overflow attempt"; flow:to_server,established; content:"REST"; nocase; isdataat:100,relative; pcre:"/^REST\s[^\n]{100}/smi"; reference:bugtraq,2972; reference:cve,2001-0826; classtype:attempted-admin; sid:1974; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP DELE overflow attempt"; flow:to_server,established; content:"DELE"; nocase; isdataat:100,relative; pcre:"/^DELE\s[^\n]{100}/smi"; reference:bugtraq,2972; reference:cve,2001-0826; classtype:attempted-admin; sid:1975; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP RMD overflow attempt"; flow:to_server,established; content:"RMD"; nocase; isdataat:100,relative; pcre:"/^RMD\s[^\n]{100}/smi"; reference:bugtraq,2972; reference:cve,2001-0826; classtype:attempted-admin; sid:1976; rev:6;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP invalid MODE"; flow:to_server,established; content:"MODE"; nocase; pcre:"/^MODE\s+[^ABSC]{1}/msi"; classtype:protocol-command-decode; sid:1623; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP large PWD command"; dsize:10; flow:to_server,established; content:"PWD"; nocase; classtype:protocol-command-decode; sid:1624; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP large SYST command"; dsize:10; flow:to_server,established; content:"SYST"; nocase; classtype:protocol-command-decode; sid:1625; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD Root directory transversal attempt"; flow:to_server,established; content:"CWD"; nocase; content:"C|3A 5C|"; distance:1; reference:bugtraq,7674; reference:cve,2003-0392; reference:nessus,11677; classtype:protocol-command-decode; sid:2125; rev:8;)
-
-
-
-
-# bad ftp commands
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE ZIPCHK overflow attempt"; flow:to_server,established; content:"SITE"; nocase; content:"ZIPCHK"; distance:1; nocase; isdataat:100,relative; pcre:"/^SITE\s+ZIPCHK\s[^\n]{100}/smi"; reference:cve,2000-0040; classtype:attempted-admin; sid:1921; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE NEWER attempt"; flow:to_server,established; content:"SITE"; nocase; content:"NEWER"; distance:1; nocase; pcre:"/^SITE\s+NEWER/smi"; reference:cve,1999-0880; reference:nessus,10319; classtype:attempted-dos; sid:1864; rev:7;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE EXEC attempt"; flow:to_server,established; content:"SITE"; nocase; content:"EXEC"; distance:0; nocase; pcre:"/^SITE\s+EXEC/smi"; reference:arachnids,317; reference:bugtraq,2241; reference:cve,1999-0080; classtype:bad-unknown; sid:361; rev:12;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT STAT * dos attempt"; flow:to_server,established; content:"STAT"; nocase; content:"*"; distance:1; reference:bugtraq,4482; reference:cve,2002-0073; classtype:attempted-dos; sid:1777; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT STAT ? dos attempt"; flow:to_server,established; content:"STAT"; nocase; content:"?"; distance:1; reference:bugtraq,4482; reference:cve,2002-0073; classtype:attempted-dos; sid:1778; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP tar parameters"; flow:to_server,established; content:" --use-compress-program "; nocase; reference:arachnids,134; reference:bugtraq,2240; reference:cve,1999-0202; reference:cve,1999-0997; classtype:bad-unknown; sid:362; rev:12;)
-
-# bad directories
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD ~root attempt"; flow:to_server,established; content:"CWD"; nocase; content:"~root"; distance:1; nocase; pcre:"/^CWD\s+~root/smi"; reference:arachnids,318; reference:cve,1999-0082; classtype:bad-unknown; sid:336; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD ..."; flow:to_server,established; content:"CWD"; nocase; content:"..."; distance:0; pcre:"/^CWD\s[^\n]*?\.\.\./smi"; reference:bugtraq,9237; classtype:bad-unknown; sid:1229; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD ~ attempt"; flow:to_server,established; content:"CWD"; pcre:"/^CWD\s+~/smi"; reference:bugtraq,2601; reference:bugtraq,9215; reference:cve,2001-0421; classtype:denial-of-service; sid:1672; rev:10;)
-
-# dup of 1672
-# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD ~<CR><NEWLINE> attempt"; flow:to_server,established; content:"CWD "; content:" ~|0D 0A|"; reference:bugtraq,2601; reference:cve,2001-0421; classtype:denial-of-service; sid:1728; rev:6;)
-
-# dup of 1229
-# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD .... attempt"; flow:to_server,established; content:"CWD "; content:" ...."; reference:bugtraq,4884; classtype:denial-of-service; sid:1779; rev:2;)
-
-# vulnerabilities against specific implementations of ftp
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP serv-u directory transversal"; flow:to_server,established; content:".%20."; nocase; reference:bugtraq,2052; reference:cve,2001-0054; classtype:bad-unknown; sid:360; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP wu-ftp bad file completion attempt ["; flow:to_server,established; content:"~"; content:"["; distance:1; reference:bugtraq,3581; reference:bugtraq,3707; reference:cve,2001-0550; reference:cve,2001-0886; classtype:misc-attack; sid:1377; rev:14;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP wu-ftp bad file completion attempt {"; flow:to_server,established; content:"~"; content:"{"; distance:1; reference:bugtraq,3581; reference:bugtraq,3707; reference:cve,2001-0550; reference:cve,2001-0886; classtype:misc-attack; sid:1378; rev:14;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP RNFR ././ attempt"; flow:to_server,established; content:"RNFR "; nocase; content:" ././"; nocase; classtype:misc-attack; sid:1622; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP command overflow attempt"; dsize:>100; flow:to_server,established,no_stream; reference:bugtraq,4638; reference:cve,2002-0606; classtype:protocol-command-decode; sid:1748; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP LIST directory traversal attempt"; flow:to_server,established; content:"LIST"; content:".."; distance:1; content:".."; distance:1; reference:bugtraq,2618; reference:cve,2001-0680; reference:nessus,11112; classtype:protocol-command-decode; sid:1992; rev:5;)
-
-
-# BAD FILES
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP .forward"; flow:to_server,established; content:".forward"; reference:arachnids,319; classtype:suspicious-filename-detect; sid:334; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP .rhosts"; flow:to_server,established; content:".rhosts"; reference:arachnids,328; classtype:suspicious-filename-detect; sid:335; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP authorized_keys"; flow:to_server,established; content:"authorized_keys"; classtype:suspicious-filename-detect; sid:1927; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP passwd retrieval attempt"; flow:to_server,established; content:"RETR"; nocase; content:"passwd"; reference:arachnids,213; classtype:suspicious-filename-detect; sid:356; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP shadow retrieval attempt"; flow:to_server,established; content:"RETR"; nocase; content:"shadow"; classtype:suspicious-filename-detect; sid:1928; rev:3;)
-
-# suspicious login attempts
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP ADMw0rm ftp login attempt"; flow:to_server,established; content:"USER"; nocase; content:"w0rm"; distance:1; nocase; pcre:"/^USER\s+w0rm/smi"; reference:arachnids,01; classtype:suspicious-login; sid:144; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP adm scan"; flow:to_server,established; content:"PASS ddd@|0A|"; reference:arachnids,332; classtype:suspicious-login; sid:353; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP iss scan"; flow:to_server,established; content:"pass -iss@iss"; reference:arachnids,331; classtype:suspicious-login; sid:354; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP pass wh00t"; flow:to_server,established; content:"pass wh00t"; nocase; reference:arachnids,324; classtype:suspicious-login; sid:355; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP piss scan"; flow:to_server,established; content:"pass -cklaus"; classtype:suspicious-login; sid:357; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP saint scan"; flow:to_server,established; content:"pass -saint"; reference:arachnids,330; classtype:suspicious-login; sid:358; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP satan scan"; flow:to_server,established; content:"pass -satan"; reference:arachnids,329; classtype:suspicious-login; sid:359; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP USER format string attempt"; flow:to_server,established; content:"USER"; nocase; pcre:"/^USER\s[^\n]*?%[^\n]*?%/smi"; reference:bugtraq,7474; reference:bugtraq,7776; reference:bugtraq,9262; reference:bugtraq,9402; reference:bugtraq,9600; reference:bugtraq,9800; reference:cve,2004-0277; classtype:misc-attack; sid:2178; rev:13;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP PASS format string attempt"; flow:to_server,established; content:"PASS"; nocase; pcre:"/^PASS\s[^\n]*?%[^\n]*?%/smi"; reference:bugtraq,7474; reference:bugtraq,9262; reference:bugtraq,9800; classtype:misc-attack; sid:2179; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP MKDIR format string attempt"; flow:to_server,established; content:"MKDIR"; nocase; pcre:"/^MKDIR\s[^\n]*?%[^\n]*?%/smi"; reference:bugtraq,9262; classtype:misc-attack; sid:2332; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP RENAME format string attempt"; flow:to_server,established; content:"RENAME"; nocase; pcre:"/^RENAME\s[^\n]*?%[^\n]*?%/smi"; reference:bugtraq,9262; classtype:misc-attack; sid:2333; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP LIST buffer overflow attempt"; flow:to_server,established; content:"LIST"; nocase; pcre:"/^LIST\s[^\n]{100,}/smi"; reference:bugtraq,10181; reference:bugtraq,8486; reference:bugtraq,9675; classtype:misc-attack; sid:2338; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP LIST integer overflow attempt"; flow:to_server,established; content:"LIST"; nocase; pcre:"/^LIST\s+\x22-W\s+\d+/smi"; reference:bugtraq,8875; reference:cve,2003-0853; reference:cve,2003-0854; classtype:misc-attack; sid:2272; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 3535 (msg:"FTP Yak! FTP server default account login attempt"; flow:to_server,established; content:"USER"; nocase; content:"y049575046"; nocase; pcre:"/^USER\s+y049575046/smi"; reference:bugtraq,9072; classtype:suspicious-login; sid:2334; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 3535 (msg:"FTP RMD / attempt"; flow:to_server,established; content:"RMD"; nocase; pcre:"/^RMD\s+\x2f$/smi"; reference:bugtraq,9159; classtype:attempted-dos; sid:2335; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP invalid MDTM command attempt"; flow:to_server,established; content:"MDTM"; nocase; pcre:"/^MDTM \d+[-+]\D/smi"; classtype:attempted-admin; sid:2416; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP format string attempt"; flow:to_server,established; content:"%"; pcre:"/\s+.*?%.*?%/smi"; classtype:string-detect; sid:2417; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP RETR format string attempt"; flow:to_server,established; content:"RETR"; nocase; pcre:"/^RETR\s[^\n]*?%[^\n]*?%/smi"; reference:bugtraq,9800; classtype:attempted-admin; sid:2574; rev:1;)
diff --git a/scripts/s2b/snort_rules2.2/gen-msg.map b/scripts/s2b/snort_rules2.2/gen-msg.map
deleted file mode 100644
index 02a1d85c5d..0000000000
--- a/scripts/s2b/snort_rules2.2/gen-msg.map
+++ /dev/null
@@ -1,131 +0,0 @@
-# $Id: gen-msg.map 91 2004-07-15 08:13:57Z rwinslow $
-# GENERATORS -> msg map
-# Format: generatorid || alertid || MSG
-
-1 || 1 || snort general alert
-2 || 1 || tag: Tagged Packet
-100 || 1 || spp_portscan: Portscan Detected
-100 || 2 || spp_portscan: Portscan Status
-100 || 3 || spp_portscan: Portscan Ended
-101 || 1 || spp_minfrag: minfrag alert
-102 || 1 || http_decode: Unicode Attack
-102 || 2 || http_decode: CGI NULL Byte Attack
-102 || 3 || http_decode: large method attempted
-102 || 4 || http_decode: missing uri
-102 || 5 || http_decode: double encoding detected
-102 || 6 || http_decode: illegal hex values detected
-102 || 7 || http_decode: overlong character detected
-103 || 1 || spp_defrag: Fragmentation Overflow Detected
-103 || 2 || spp_defrag: Stale Fragments Discarded
-104 || 1 || spp_anomsensor: SPADE Anomaly Threshold Exceeded
-104 || 2 || spp_anomsensor: SPADE Anomaly Threshold Adjusted
-105 || 1 || spp_bo: Back Orifice Traffic Detected
-106 || 1 || spp_rpc_decode: Fragmented RPC Records
-106 || 2 || spp_rpc_decode: Multiple Records in one packet
-106 || 3 || spp_rpc_decode: Large RPC Record Fragment
-106 || 4 || spp_rpc_decode: Incomplete RPC segment
-110 || 1 || spp_unidecode: CGI NULL Attack
-110 || 2 || spp_unidecode: Directory Traversal
-110 || 3 || spp_unidecode: Unknown Mapping
-110 || 4 || spp_unidecode: Invalid Mapping
-111 || 1 || spp_stream4: Stealth Activity Detected
-111 || 2 || spp_stream4: Evasive Reset Packet
-111 || 3 || spp_stream4: Retransmission
-111 || 4 || spp_stream4: Window Violation
-111 || 5 || spp_stream4: Data on SYN Packet
-111 || 6 || spp_stream4: Full XMAS Stealth Scan
-111 || 7 || spp_stream4: SAPU Stealth Scan
-111 || 8 || spp_stream4: FIN Stealth Scan 
-111 || 9 || spp_stream4: NULL Stealth Scan
-111 || 10 || spp_stream4: NMAP XMAS Stealth Scan
-111 || 11 || spp_stream4: VECNA Stealth Scan
-111 || 12 || spp_stream4: NMAP Fingerprint Stateful Detection
-111 || 13 || spp_stream4: SYN FIN Stealth Scan
-111 || 14 || spp_stream4: TCP forward overlap detected
-111 || 15 || spp_stream4: TTL Evasion attempt
-111 || 16 || spp_stream4: Evasive retransmitited data attempt
-111 || 17 || spp_stream4: Evasive retransmitited data with the data split attempt
-111 || 18 || spp_stream4: Multiple acked
-111 || 19 || spp_stream4: Shifting to Emegency Session Mode
-111 || 20 || spp_stream4: Shifting to Suspend Mode
-112 || 1 || spp_arpspoof: Directed ARP Request
-112 || 2 || spp_arpspoof: Etherframe ARP Mismatch SRC
-112 || 3 || spp_arpspoof: Etherframe ARP Mismatch DST
-112 || 4 || spp_arpspoof: ARP Cache Overwrite Attack
-113 || 1 || spp_frag2: Oversized Frag
-113 || 2 || spp_frag2: Teardrop/Fragmentation Overlap Attack
-113 || 3 || spp_frag2: TTL evasion detected
-113 || 4 || spp_frag2: overlap detected
-113 || 5 || spp_frag2: Duplicate first fragments
-113 || 6 || spp_frag2: memcap exceeded
-113 || 7 || spp_frag2: Out of order fragments
-113 || 8 || spp_frag2: IP Options on Fragmented Packet
-113 || 9 || spp_frag2: Shifting to Emegency Session Mode
-113 || 10 || spp_frag2: Shifting to Suspend Mode
-114 || 1 || spp_fnord: Possible Mutated GENERIC NOP Sled detected
-114 || 2 || spp_fnord: Possible Mutated IA32 NOP Sled detected
-114 || 3 || spp_fnord: Possible Mutated HPPA NOP Sled detected
-114 || 4 || spp_fnord: Possible Mutated SPARC NOP Sled detected
-115 || 1 || spp_asn1: Indefinite ASN.1 length encoding
-115 || 2 || spp_asn1: Invalid ASN.1 length encoding
-115 || 3 || spp_asn1: ASN.1 oversized item, possible overflow
-115 || 4 || spp_asn1: ASN.1 spec violation, possible overflow
-115 || 5 || spp_asn1: ASN.1 Attack: Datum length > packet length
-116 || 1 || snort_decoder: Not IPv4 datagram!
-116 || 2 || snort_decoder: WARNING: Not IPv4 datagram!
-116 || 3 || snort_decoder: WARNING: hlen < IP_HEADER_LEN!
-116 || 4 || snort_decoder: Bad IPv4 Options
-116 || 5 || snort_decoder: Truncated IPv4 Options
-116 || 45 || snort_decoder: TCP packet len is smaller than 20 bytes!
-116 || 46 || snort_decoder: TCP Data Offset is less than 5!
-116 || 47 || snort_decoder: TCP Data Offset is longer than payload!
-116 || 54 || snort_decoder: Tcp Options found with bad lengths
-116 || 55 || snort_decoder: Truncated Tcp Options
-116 || 56 || snort_decoder: T/TCP Detected
-116 || 57 || snort_decoder: Obsolete TCP options
-116 || 58 || snort_decoder: Experimental TCP options
-116 || 95 || snort_decoder: Truncated UDP Header!
-116 || 96 || snort_decoder: Invalid UDP header, length field < 8
-116 || 97 || snort_decoder: Short UDP packet, length field > payload length
-116 || 105 || snort_decoder: ICMP Header Truncated!
-116 || 106 || snort_decoder: ICMP Timestamp Header Truncated!
-116 || 107 || snort_decoder: ICMP Address Header Truncated!
-116 || 108 || snort_decoder: Unknown Datagram decoding problem!
-116 || 109 || snort_decoder: Unknown Datagram decoding problem!
-116 || 110 || snort_decoder: Truncated EAP Header!
-116 || 111 || snort_decoder: EAP Key Truncated!
-116 || 112 || snort_decoder: EAP Header Truncated!
-116 || 120 || snort_decoder: WARNING: Bad PPPOE frame detected!
-116 || 130 || snort_decoder: WARNING: Bad VLAN Frame!
-116 || 131 || snort_decoder: WARNING: Bad LLC header!
-116 || 132 || snort_decoder: WARNING: Bad Extra LLC Info!
-116 || 133 || snort_decoder: WARNING: Bad 802.11 LLC header!
-116 || 134 || snort_decoder: WARNING: Bad 802.11 Extra LLC Info!
-116 || 140 || snort_decoder: WARNING: Bad Token Ring Header!
-116 || 141 || snort_decoder: WARNING: Bad Token Ring ETHLLC Header!
-116 || 142 || snort_decoder: WARNING: Bad Token Ring MRLEN Header!
-116 || 143 || snort_decoder: WARNING: Bad Token Ring MR Header!
-117 || 1 || spp_portscan2: Portscan detected!
-118 || 1 || spp_conversation: Bad IP protocol!
-119 || 1 || http_inspect: ASCII ENCODING
-119 || 2 || http_inspect: DOUBLE DECODING ATTACK
-119 || 3 || http_inspect: U ENCODING
-119 || 4 || http_inspect: BARE BYTE UNICODE ENCODING
-119 || 5 || http_inspect: BASE36 ENCODING
-119 || 6 || http_inspect: UTF-8 ENCODING
-119 || 7 || http_inspect: IIS UNICODE CODEPOINT ENCODING
-119 || 8 || http_inspect: MULTI_SLASH ENCODING
-119 || 9 || http_inspect: IIS BACKSLASH EVASION
-119 || 10 || http_inspect: SELF DIRECTORY TRAVERSAL
-119 || 11 || http_inspect: DIRECTORY TRAVERSAL
-119 || 12 || http_inspect: APACHE WHITESPACE (TAB)
-119 || 13 || http_inspect: NON-RFC HTTP DELIMITER
-119 || 14 || http_inspect: NON-RFC DEFINED CHAR
-119 || 15 || http_inspect: OVERSIZE REQUEST-URI DIRECTORY
-119 || 16 || http_inspect: OVERSIZE CHUNK ENCODING
-119 || 17 || http_inspect: UNAUTHORIZED PROXY USE DETECTED
-120 || 1 || http_inspect: ANOMALOUS HTTP SERVER ON UNDEFINED HTTP PORT
-121 || 1 || flow-portscan: Fixed Scale Scanner Limit Exceeded
-121 || 2 || flow-portscan: Sliding Scale Scanner Limit Exceeded
-121 || 3 || flow-portscan: Fixed Scale Talker Limit Exceeded
-121 || 4 || flow-portscan: Sliding Scale Talker Limit Exceeded
diff --git a/scripts/s2b/snort_rules2.2/generators b/scripts/s2b/snort_rules2.2/generators
deleted file mode 100644
index f6ea516d4e..0000000000
--- a/scripts/s2b/snort_rules2.2/generators
+++ /dev/null
@@ -1,37 +0,0 @@
-# Master Registry of Snort Generator Ids
-#
-#
-# This file is used to maintain unique generator ids for files even if
-# the default snort configuration doesn't include some patch that is
-# required for a specific preprocessor to work
-#
-# 
-#
-# Maintainer: Chris Green <cmg@sourcefire.com>
-# 
-# Contact cmg@sourcefire.com for an assignment
-
-rules_subsystem		   1   # Snort Rules Engine
-tag_subsystem		   2   # Tagging Subsystem
-portscan                   100 # Portscan1
-minfrag                    101 # Minfrag [ removed ]
-http_decode                102 # HTTP decode 1/2
-defrag                     103 # First defragmenter [ removed ]
-spade                      104 # SPADE [ not included anymore ]
-bo                         105 # Back Orifice 
-rpc_decode                 106 # RPC Preprocessor
-stream2                    107 # 2nd stream preprocessor [removed] 
-stream3                    108 # 3rd stream preprocessor (AVL nightmare) [ removed ] 
-telnet_neg                 109 # telnet option decoder
-unidecode                  110 # unicode decoder
-stream4                    111 # Stream4 preprocessor
-arpspoof                   112 # Arp Spoof detector
-frag2                      113 # 2nd fragment preprocessor
-fnord                      114 # NOP detector [ removed ]
-asn1                       115 # ASN.1 Validator [ removed ]
-decode                     116 # Snort Internal Decoder
-scan2                      117 # portscan2
-conversation               118 # conversation
-reserved                   119 # TBA
-reserved                   120 # TBA
-snmp                       121 # Andrew Baker's newer SNMP decoder
diff --git a/scripts/s2b/snort_rules2.2/icmp-info.rules b/scripts/s2b/snort_rules2.2/icmp-info.rules
deleted file mode 100644
index 6a73cfc3a8..0000000000
--- a/scripts/s2b/snort_rules2.2/icmp-info.rules
+++ /dev/null
@@ -1,107 +0,0 @@
-# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
-#    All rights reserved.
-# $Id: icmp-info.rules 91 2004-07-15 08:13:57Z rwinslow $
-#--------------
-# ICMP-INFO
-#--------------
-#
-# Description:
-# These rules are standard ICMP traffic.  They include OS pings, as well
-# as normal routing done by ICMP.  There are a number of "catch all" rules
-# that will alert on unknown ICMP types.
-#
-# Potentially "BAD" ICMP rules are included in icmp.rules
-
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP IRDP router advertisement"; itype:9; reference:arachnids,173; reference:bugtraq,578; reference:cve,1999-0875; classtype:misc-activity; sid:363; rev:7;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP IRDP router selection"; itype:10; reference:arachnids,174; reference:bugtraq,578; reference:cve,1999-0875; classtype:misc-activity; sid:364; rev:7;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING *NIX"; itype:8; content:"|10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F|"; depth:32; classtype:misc-activity; sid:366; rev:7;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING BSDtype"; itype:8; content:"|08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17|"; depth:32; reference:arachnids,152; classtype:misc-activity; sid:368; rev:6;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING BayRS Router"; itype:8; content:"|01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F|"; depth:32; reference:arachnids,438; reference:arachnids,444; classtype:misc-activity; sid:369; rev:6;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING BeOS4.x"; itype:8; content:"|00 00 00 00 00 00 00 00 00 00 00 00 08 09 0A 0B|"; depth:32; reference:arachnids,151; classtype:misc-activity; sid:370; rev:7;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Cisco Type.x"; itype:8; content:"|AB CD AB CD AB CD AB CD AB CD AB CD AB CD AB CD|"; depth:32; reference:arachnids,153; classtype:misc-activity; sid:371; rev:7;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Delphi-Piette Windows"; itype:8; content:"Pinging from Del"; depth:32; reference:arachnids,155; classtype:misc-activity; sid:372; rev:7;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Flowpoint2200 or Network Management Software"; itype:8; content:"|01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10|"; depth:32; reference:arachnids,156; classtype:misc-activity; sid:373; rev:6;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING IP NetMonitor Macintosh"; itype:8; content:"|A9| Sustainable So"; depth:32; reference:arachnids,157; classtype:misc-activity; sid:374; rev:7;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING LINUX/*BSD"; dsize:8; id:13170; itype:8; reference:arachnids,447; classtype:misc-activity; sid:375; rev:6;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Microsoft Windows"; itype:8; content:"0123456789abcdefghijklmnop"; depth:32; reference:arachnids,159; classtype:misc-activity; sid:376; rev:7;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Network Toolbox 3 Windows"; itype:8; content:"================"; depth:32; reference:arachnids,161; classtype:misc-activity; sid:377; rev:7;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Ping-O-MeterWindows"; itype:8; content:"OMeterObeseArmad"; depth:32; reference:arachnids,164; classtype:misc-activity; sid:378; rev:7;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Pinger Windows"; itype:8; content:"Data|00 00 00 00 00 00 00 00 00 00 00 00|"; depth:32; reference:arachnids,163; classtype:misc-activity; sid:379; rev:7;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Seer Windows"; itype:8; content:"|88 04|              "; depth:32; reference:arachnids,166; classtype:misc-activity; sid:380; rev:7;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Sun Solaris"; dsize:8; itype:8; reference:arachnids,448; classtype:misc-activity; sid:381; rev:6;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Windows"; itype:8; content:"abcdefghijklmnop"; depth:16; reference:arachnids,169; classtype:misc-activity; sid:382; rev:7;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP traceroute"; itype:8; ttl:1; reference:arachnids,118; classtype:attempted-recon; sid:385; rev:4;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING"; icode:0; itype:8; classtype:misc-activity; sid:384; rev:5;)
-alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ICMP Address Mask Reply"; icode:0; itype:18; classtype:misc-activity; sid:386; rev:5;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Address Mask Reply undefined code"; icode:>0; itype:18; classtype:misc-activity; sid:387; rev:7;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Address Mask Request"; icode:0; itype:17; classtype:misc-activity; sid:388; rev:5;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Address Mask Request undefined code"; icode:>0; itype:17; classtype:misc-activity; sid:389; rev:7;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Alternate Host Address"; icode:0; itype:6; classtype:misc-activity; sid:390; rev:5;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Alternate Host Address undefined code"; icode:>0; itype:6; classtype:misc-activity; sid:391; rev:8;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Datagram Conversion Error"; icode:0; itype:31; classtype:misc-activity; sid:392; rev:5;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Datagram Conversion Error undefined code"; icode:>0; itype:31; classtype:misc-activity; sid:393; rev:8;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Destination Host Unknown"; icode:7; itype:3; classtype:misc-activity; sid:394; rev:6;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Destination Network Unknown"; icode:6; itype:3; classtype:misc-activity; sid:395; rev:6;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Fragmentation Needed and DF bit was set"; icode:4; itype:3; classtype:misc-activity; sid:396; rev:6;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Host Precedence Violation"; icode:14; itype:3; classtype:misc-activity; sid:397; rev:6;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Host Unreachable for Type of Service"; icode:12; itype:3; classtype:misc-activity; sid:398; rev:6;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Host Unreachable"; icode:1; itype:3; classtype:misc-activity; sid:399; rev:6;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Network Unreachable for Type of Service"; icode:11; itype:3; classtype:misc-activity; sid:400; rev:7;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Network Unreachable"; icode:0; itype:3; classtype:misc-activity; sid:401; rev:6;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Port Unreachable"; icode:3; itype:3; classtype:misc-activity; sid:402; rev:7;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Precedence Cutoff in effect"; icode:15; itype:3; classtype:misc-activity; sid:403; rev:6;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Protocol Unreachable"; icode:2; itype:3; classtype:misc-activity; sid:404; rev:6;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Source Host Isolated"; icode:8; itype:3; classtype:misc-activity; sid:405; rev:6;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Source Route Failed"; icode:5; itype:3; classtype:misc-activity; sid:406; rev:6;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable cndefined code"; icode:>15; itype:3; classtype:misc-activity; sid:407; rev:7;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Echo Reply"; icode:0; itype:0; classtype:misc-activity; sid:408; rev:5;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Echo Reply undefined code"; icode:>0; itype:0; classtype:misc-activity; sid:409; rev:7;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Fragment Reassembly Time Exceeded"; icode:1; itype:11; classtype:misc-activity; sid:410; rev:5;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP IPV6 I-Am-Here"; icode:0; itype:34; classtype:misc-activity; sid:411; rev:5;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP IPV6 I-Am-Here undefined code"; icode:>0; itype:34; classtype:misc-activity; sid:412; rev:7;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP IPV6 Where-Are-You"; icode:0; itype:33; classtype:misc-activity; sid:413; rev:5;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP IPV6 Where-Are-You undefined code"; icode:>0; itype:33; classtype:misc-activity; sid:414; rev:7;)
-alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ICMP Information Reply"; icode:0; itype:16; classtype:misc-activity; sid:415; rev:5;)
-alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ICMP Information Reply undefined code"; icode:>0; itype:16; classtype:misc-activity; sid:416; rev:7;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Information Request"; icode:0; itype:15; classtype:misc-activity; sid:417; rev:5;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Information Request undefined code"; icode:>0; itype:15; classtype:misc-activity; sid:418; rev:7;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Mobile Host Redirect"; icode:0; itype:32; classtype:misc-activity; sid:419; rev:5;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Mobile Host Redirect undefined code"; icode:>0; itype:32; classtype:misc-activity; sid:420; rev:7;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Mobile Registration Reply"; icode:0; itype:36; classtype:misc-activity; sid:421; rev:5;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Mobile Registration Reply undefined code"; icode:>0; itype:36; classtype:misc-activity; sid:422; rev:7;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Mobile Registration Request"; icode:0; itype:35; classtype:misc-activity; sid:423; rev:5;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Mobile Registration Request undefined code"; icode:>0; itype:35; classtype:misc-activity; sid:424; rev:7;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Parameter Problem Bad Length"; icode:2; itype:12; classtype:misc-activity; sid:425; rev:6;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Parameter Problem Missing a Required Option"; icode:1; itype:12; classtype:misc-activity; sid:426; rev:7;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Parameter Problem Unspecified Error"; icode:0; itype:12; classtype:misc-activity; sid:427; rev:6;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Parameter Problem undefined Code"; icode:>2; itype:12; classtype:misc-activity; sid:428; rev:7;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Photuris Reserved"; icode:0; itype:40; classtype:misc-activity; sid:429; rev:6;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Photuris Unknown Security Parameters Index"; icode:1; itype:40; classtype:misc-activity; sid:430; rev:6;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Photuris Valid Security Parameters, But Authentication Failed"; icode:2; itype:40; classtype:misc-activity; sid:431; rev:6;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Photuris Valid Security Parameters, But Decryption Failed"; icode:3; itype:40; classtype:misc-activity; sid:432; rev:6;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Photuris undefined code!"; icode:>3; itype:40; classtype:misc-activity; sid:433; rev:8;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Redirect for TOS and Host"; icode:3; itype:5; classtype:misc-activity; sid:436; rev:6;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Redirect for TOS and Network"; icode:2; itype:5; classtype:misc-activity; sid:437; rev:6;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Redirect undefined code"; icode:>3; itype:5; classtype:misc-activity; sid:438; rev:9;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Reserved for Security Type 19"; icode:0; itype:19; classtype:misc-activity; sid:439; rev:6;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Reserved for Security Type 19 undefined code"; icode:>0; itype:19; classtype:misc-activity; sid:440; rev:7;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Router Advertisement"; icode:0; itype:9; reference:arachnids,173; classtype:misc-activity; sid:441; rev:6;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Router Selection"; icode:0; itype:10; reference:arachnids,174; classtype:misc-activity; sid:443; rev:5;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP SKIP"; icode:0; itype:39; classtype:misc-activity; sid:445; rev:5;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP SKIP undefined code"; icode:>0; itype:39; classtype:misc-activity; sid:446; rev:7;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Source Quench undefined code"; icode:>0; itype:4; classtype:misc-activity; sid:448; rev:7;)
-alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ICMP Time-To-Live Exceeded in Transit"; icode:0; itype:11; classtype:misc-activity; sid:449; rev:6;)
-alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ICMP Time-To-Live Exceeded in Transit undefined code"; icode:>1; itype:11; classtype:misc-activity; sid:450; rev:8;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Timestamp Reply"; icode:0; itype:14; classtype:misc-activity; sid:451; rev:5;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Timestamp Reply undefined code"; icode:>0; itype:14; classtype:misc-activity; sid:452; rev:7;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Timestamp Request"; icode:0; itype:13; classtype:misc-activity; sid:453; rev:5;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Timestamp Request undefined code"; icode:>0; itype:13; classtype:misc-activity; sid:454; rev:7;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Traceroute"; icode:0; itype:30; classtype:misc-activity; sid:456; rev:5;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Traceroute undefined code"; icode:>0; itype:30; classtype:misc-activity; sid:457; rev:7;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP unassigned type 1"; icode:0; itype:1; classtype:misc-activity; sid:458; rev:7;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP unassigned type 1 undefined code"; itype:1; classtype:misc-activity; sid:459; rev:7;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP unassigned type 2"; icode:0; itype:2; classtype:misc-activity; sid:460; rev:7;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP unassigned type 2 undefined code"; itype:2; classtype:misc-activity; sid:461; rev:7;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP unassigned type 7"; icode:0; itype:7; classtype:misc-activity; sid:462; rev:7;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP unassigned type 7 undefined code"; itype:7; classtype:misc-activity; sid:463; rev:7;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING undefined code"; icode:>0; itype:8; classtype:misc-activity; sid:365; rev:8;)
diff --git a/scripts/s2b/snort_rules2.2/icmp.rules b/scripts/s2b/snort_rules2.2/icmp.rules
deleted file mode 100644
index 87bd70d5c8..0000000000
--- a/scripts/s2b/snort_rules2.2/icmp.rules
+++ /dev/null
@@ -1,35 +0,0 @@
-# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
-#    All rights reserved.
-# $Id: icmp.rules 91 2004-07-15 08:13:57Z rwinslow $
-#-----------
-# ICMP RULES
-#-----------
-#
-# Description:
-# These rules are potentially bad ICMP traffic.  They include most of the
-# ICMP scanning tools and other "BAD" ICMP traffic (Such as redirect host)
-#
-# Other ICMP rules are included in icmp-info.rules
-
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP ISS Pinger"; itype:8; content:"ISSPNGRQ"; depth:32; reference:arachnids,158; classtype:attempted-recon; sid:465; rev:3;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP L3retriever Ping"; icode:0; itype:8; content:"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; depth:32; reference:arachnids,311; classtype:attempted-recon; sid:466; rev:4;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Nemesis v1.1 Echo"; dsize:20; icmp_id:0; icmp_seq:0; itype:8; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; reference:arachnids,449; classtype:attempted-recon; sid:467; rev:3;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP"; dsize:0; itype:8; reference:arachnids,162; classtype:attempted-recon; sid:469; rev:3;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP icmpenum v1.1.1"; dsize:0; icmp_id:666 ; icmp_seq:0; id:666; itype:8; reference:arachnids,450; classtype:attempted-recon; sid:471; rev:3;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP redirect host"; icode:1; itype:5; reference:arachnids,135; reference:cve,1999-0265; classtype:bad-unknown; sid:472; rev:4;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP redirect net"; icode:0; itype:5; reference:arachnids,199; reference:cve,1999-0265; classtype:bad-unknown; sid:473; rev:4;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP superscan echo"; dsize:8; itype:8; content:"|00 00 00 00 00 00 00 00|"; classtype:attempted-recon; sid:474; rev:4;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP traceroute ipopts"; ipopts:rr; itype:0; reference:arachnids,238; classtype:attempted-recon; sid:475; rev:3;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP webtrends scanner"; icode:0; itype:8; content:"|00 00 00 00|EEEEEEEEEEEE"; reference:arachnids,307; classtype:attempted-recon; sid:476; rev:4;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Source Quench"; icode:0; itype:4; classtype:bad-unknown; sid:477; rev:2;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Broadscan Smurf Scanner"; dsize:4; icmp_id:0; icmp_seq:0; itype:8; classtype:attempted-recon; sid:478; rev:3;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING speedera"; itype:8; content:"89|3A 3B|<=>?"; depth:100; classtype:misc-activity; sid:480; rev:5;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP TJPingPro1.1Build 2 Windows"; itype:8; content:"TJPingPro by Jim"; depth:32; reference:arachnids,167; classtype:misc-activity; sid:481; rev:5;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING WhatsupGold Windows"; itype:8; content:"WhatsUp - A Netw"; depth:32; reference:arachnids,168; classtype:misc-activity; sid:482; rev:5;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING CyberKit 2.2 Windows"; itype:8; content:"|AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA|"; depth:32; reference:arachnids,154; classtype:misc-activity; sid:483; rev:5;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Sniffer Pro/NetXRay network scan"; itype:8; content:"Cinco Network, Inc."; depth:32; classtype:misc-activity; sid:484; rev:4;)
-alert icmp any any -> any any (msg:"ICMP Destination Unreachable Communication Administratively Prohibited"; icode:13; itype:3; classtype:misc-activity; sid:485; rev:4;)
-alert icmp any any -> any any (msg:"ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited"; icode:10; itype:3; classtype:misc-activity; sid:486; rev:4;)
-alert icmp any any -> any any (msg:"ICMP Destination Unreachable Communication with Destination Network is Administratively Prohibited"; icode:9; itype:3; classtype:misc-activity; sid:487; rev:4;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP digital island bandwidth query"; content:"mailto|3A|ops@digisle.com"; depth:22; classtype:misc-activity; sid:1813; rev:5;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Large ICMP Packet"; dsize:>800; reference:arachnids,246; classtype:bad-unknown; sid:499; rev:4;)
diff --git a/scripts/s2b/snort_rules2.2/imap.rules b/scripts/s2b/snort_rules2.2/imap.rules
deleted file mode 100644
index 86e7a94b8e..0000000000
--- a/scripts/s2b/snort_rules2.2/imap.rules
+++ /dev/null
@@ -1,41 +0,0 @@
-# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
-#    All rights reserved.
-# $Id: imap.rules 91 2004-07-15 08:13:57Z rwinslow $
-#--------------
-# IMAP RULES
-#--------------
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP login literal buffer overflow attempt"; flow:established,to_server; content:"LOGIN"; nocase; pcre:"/\sLOGIN\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,6298; classtype:misc-attack; sid:1993; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP login buffer overflow attempt"; flow:established,to_server; content:"LOGIN"; isdataat:100,relative; pcre:"/\sLOGIN\s[^\n]{100}/smi"; reference:cve,1999-0005; reference:nessus,10125; classtype:attempted-user; sid:1842; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP authenticate literal overflow attempt"; flow:established,to_server; content:"AUTHENTICATE"; nocase; pcre:"/\sAUTHENTICATE\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:cve,1999-0042; reference:nessus,10292; classtype:misc-attack; sid:2105; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP authenticate overflow attempt"; flow:established,to_server; content:"AUTHENTICATE"; nocase; isdataat:100,relative; pcre:"/\sAUTHENTICATE\s[^\n]{100}/smi"; reference:cve,1999-0042; reference:nessus,10292; classtype:misc-attack; sid:1844; rev:9;)
-
-# auth is an imap2 function and only accepts literal usage
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP auth literal overflow attempt"; flow:established,to_server; content:" AUTH"; nocase; content:"{"; byte_test:5,>,256,0,string,dec,relative; reference:cve,1999-0005; classtype:misc-attack; sid:1930; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP auth overflow attempt"; flow:established,to_server; content:"AUTH"; nocase; pcre:"/AUTH\s[^\n]{100}/smi"; reference:bugtraq,8861; classtype:misc-attack; sid:2330; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP lsub literal overflow attempt"; flow:to_server,established; content:"LSUB"; nocase; pcre:"/\sLSUB\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:1902; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP lsub overflow attempt"; flow:to_server,established; content:"LSUB"; isdataat:100,relative; pcre:"/\sLSUB\s[^\n]{100}/smi"; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2106; rev:7;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP list literal overflow attempt"; flow:established,to_server; content:"LIST"; nocase; pcre:"/\sLIST\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:1845; rev:15;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP list overflow attempt"; flow:established,to_server; content:"LIST"; nocase; isdataat:100,relative; pcre:"/\sLIST\s[^\n]{100}/smi"; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2118; rev:6;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP rename literal overflow attempt"; flow:established,to_server; content:"RENAME"; nocase; pcre:"/\sRENAME\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2119; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP rename overflow attempt"; flow:established,to_server; content:"RENAME"; nocase; isdataat:100,relative; pcre:"/\sRENAME\s[^\n]{100}/smi"; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:1903; rev:8;)
-
-# FIND does not accept a literal command
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP find overflow attempt"; flow:established,to_server; content:"FIND"; nocase; isdataat:100,relative; pcre:"/\sFIND\s[^\n]{100}/smi"; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:1904; rev:7;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP partial body buffer overflow attempt"; flow:to_server,established; content:"PARTIAL"; nocase; content:"BODY["; distance:0; nocase; pcre:"/\sPARTIAL.*BODY\[[^\]]{1024}/smi"; reference:bugtraq,4713; reference:cve,2002-0379; classtype:misc-attack; sid:1755; rev:14;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP partial body.peek buffer overflow attempt"; flow:to_server,established; content:"PARTIAL"; nocase; content:"BODY.PEEK["; distance:0; nocase; pcre:"/\sPARTIAL.*BODY\.PEEK\[[^\]]{1024}/smi"; reference:bugtraq,4713; reference:cve,2002-0379; classtype:misc-attack; sid:2046; rev:6;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP create buffer overflow attempt"; flow:to_server,established; content:"CREATE"; isdataat:1024,relative; pcre:"/\sCREATE\s[^\n]{1024}/smi"; reference:bugtraq,7446; classtype:misc-attack; sid:2107; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP create literal buffer overflow attempt"; flow:to_server,established; content:"CREATE"; nocase; pcre:"/\sCREATE\s*\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,7446; classtype:misc-attack; sid:2120; rev:3;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP login brute force attempt"; flow:to_server,established; content:"LOGIN"; nocase; threshold:type threshold, track by_dst, count 30, seconds 30; classtype:suspicious-login; sid:2273; rev:2;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP SSLv3 invalid data version attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; content:!"|03|"; depth:1; offset:9; reference:bugtraq,10115; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2497; rev:6;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP PCT Client_Hello overflow attempt"; flow:to_server,established; content:"|01|"; depth:1; offset:2; byte_test:2,>,0,6; byte_test:2,!,0,8; byte_test:2,!,16,8; byte_test:2,>,20,10; content:"|8F|"; depth:1; offset:11; byte_test:2,>,32768,0,relative; reference:bugtraq,10116; reference:cve,2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2517; rev:10;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; flowbits:set,sslv3.client_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2529; rev:3;)
-alert tcp $HOME_NET 993 -> $EXTERNAL_NET any (msg:"IMAP SSLv3 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|02|"; depth:1; offset:5; flowbits:set,sslv3.server_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2530; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP SSLv3 invalid Client_Hello attempt"; flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2531; rev:3;)
diff --git a/scripts/s2b/snort_rules2.2/info.rules b/scripts/s2b/snort_rules2.2/info.rules
deleted file mode 100644
index 31db270b2a..0000000000
--- a/scripts/s2b/snort_rules2.2/info.rules
+++ /dev/null
@@ -1,14 +0,0 @@
-# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
-#    All rights reserved.
-# $Id: info.rules 91 2004-07-15 08:13:57Z rwinslow $
-#-----------
-# INFO RULES
-#-----------
-
-alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"INFO Connection Closed MSG from Port 80"; flow:from_server,established; content:"Connection closed by foreign host"; nocase; classtype:unknown; sid:488; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INFO FTP no password"; flow:from_client,established; content:"PASS"; nocase; pcre:"/^PASS\s*\n/smi"; reference:arachnids,322; classtype:unknown; sid:489; rev:7;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INFO battle-mail traffic"; flow:to_server,established; content:"BattleMail"; classtype:unknown; sid:490; rev:6;)
-alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"INFO FTP Bad login"; flow:from_server,established; content:"530 "; pcre:"/^530\s+(Login|User)/smi"; classtype:bad-unknown; sid:491; rev:8;)
-alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"INFO TELNET Bad Login"; flow:from_server,established; content:"Login failed"; nocase; classtype:bad-unknown; sid:492; rev:8;)
-alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"INFO TELNET Bad Login"; flow:from_server,established; content:"Login incorrect"; nocase; classtype:bad-unknown; sid:1251; rev:6;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"INFO psyBNC access"; flow:from_server,established; content:"Welcome!psyBNC@lam3rz.de"; classtype:bad-unknown; sid:493; rev:5;)
diff --git a/scripts/s2b/snort_rules2.2/local.rules b/scripts/s2b/snort_rules2.2/local.rules
deleted file mode 100644
index e62b737ac0..0000000000
--- a/scripts/s2b/snort_rules2.2/local.rules
+++ /dev/null
@@ -1,6 +0,0 @@
-# $Id: local.rules 91 2004-07-15 08:13:57Z rwinslow $
-# ----------------
-# LOCAL RULES
-# ----------------
-# This file intentionally does not come with signatures.  Put your local
-# additions here.
diff --git a/scripts/s2b/snort_rules2.2/misc.rules b/scripts/s2b/snort_rules2.2/misc.rules
deleted file mode 100644
index 73b1a3beea..0000000000
--- a/scripts/s2b/snort_rules2.2/misc.rules
+++ /dev/null
@@ -1,94 +0,0 @@
-# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
-#    All rights reserved.
-# $Id: misc.rules 91 2004-07-15 08:13:57Z rwinslow $
-#-----------
-# MISC RULES
-#-----------
-
-alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC source route lssr"; ipopts:lsrr; reference:arachnids,418; reference:bugtraq,646; reference:cve,1999-0909; classtype:bad-unknown; sid:500; rev:4;)
-alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC source route lssre"; ipopts:lsrre; reference:arachnids,420; reference:bugtraq,646; reference:cve,1999-0909; classtype:bad-unknown; sid:501; rev:4;)
-alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC source route ssrr"; ipopts:ssrr ; reference:arachnids,422; classtype:bad-unknown; sid:502; rev:2;)
-alert tcp $EXTERNAL_NET 20 -> $HOME_NET :1023 (msg:"MISC Source Port 20 to <1024"; flags:S,12; flow:stateless; reference:arachnids,06; classtype:bad-unknown; sid:503; rev:6;)
-alert tcp $EXTERNAL_NET 53 -> $HOME_NET :1023 (msg:"MISC source port 53 to <1024"; flags:S,12; flow:stateless; reference:arachnids,07; classtype:bad-unknown; sid:504; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 1417 (msg:"MISC Insecure TIMBUKTU Password"; flow:to_server,established; content:"|05 00|>"; depth:16; reference:arachnids,229; classtype:bad-unknown; sid:505; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 5631 (msg:"MISC PCAnywhere Attempted Administrator Login"; flow:to_server,established; content:"ADMINISTRATOR"; classtype:attempted-admin; sid:507; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 70 (msg:"MISC gopher proxy"; flow:to_server,established; content:"ftp|3A|"; nocase; content:"@/"; reference:arachnids,409; classtype:bad-unknown; sid:508; rev:7;)
-alert tcp $HOME_NET 5631:5632 -> $EXTERNAL_NET any (msg:"MISC PCAnywhere Failed Login"; flow:from_server,established; content:"Invalid login"; depth:16; reference:arachnids,240; classtype:unsuccessful-user; sid:512; rev:4;)
-alert tcp $HOME_NET 7161 -> $EXTERNAL_NET any (msg:"MISC Cisco Catalyst Remote Access"; flags:SA,12; flow:stateless; reference:arachnids,129; reference:bugtraq,705; reference:cve,1999-0430; classtype:bad-unknown; sid:513; rev:10;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET 27374 (msg:"MISC ramen worm"; flow:to_server,established; content:"GET "; depth:8; nocase; reference:arachnids,461; classtype:bad-unknown; sid:514; rev:5;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"MISC SNMP NT UserList"; content:"+|06 10|@|14 D1 02 19|"; classtype:attempted-recon; sid:516; rev:3;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 177 (msg:"MISC xdmcp query"; content:"|00 01 00 03 00 01 00|"; reference:arachnids,476; classtype:attempted-recon; sid:517; rev:1;)
-
-# once we get response, check for content:"|00 01 00|"; offset:0; depth:3;
-alert udp $EXTERNAL_NET any -> $HOME_NET 177 (msg:"MISC xdmcp info query"; content:"|00 01 00 02 00 01 00|"; reference:nessus,10891; classtype:attempted-recon; sid:1867; rev:1;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC Large UDP Packet"; dsize:>4000; reference:arachnids,247; classtype:bad-unknown; sid:521; rev:2;)
-alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC Tiny Fragments"; dsize:< 25; fragbits:M; classtype:bad-unknown; sid:522; rev:2;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"MISC UPnP malformed advertisement"; content:"NOTIFY * "; nocase; reference:bugtraq,3723; reference:cve,2001-0876; reference:cve,2001-0877; reference:url,www.microsoft.com/technet/security/bulletin/MS01-059.mspx; classtype:misc-attack; sid:1384; rev:8;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"MISC UPnP Location overflow"; content:"Location|3A|"; nocase; pcre:"/^Location\:[^\n]{128}/smi"; reference:bugtraq,3723; reference:cve,2001-0876; classtype:misc-attack; sid:1388; rev:12;)
-alert tcp $AIM_SERVERS any -> $HOME_NET any (msg:"MISC AIM AddGame attempt"; flow:to_client,established; content:"aim|3A|AddGame?"; nocase; reference:bugtraq,3769; reference:cve,2002-0005; reference:url,www.w00w00.org/files/w00aimexp/; classtype:misc-attack; sid:1393; rev:12;)
-alert tcp $AIM_SERVERS any -> $HOME_NET any (msg:"MISC AIM AddExternalApp attempt"; flow:to_client,established; content:"aim|3A|AddExternalApp?"; nocase; reference:url,www.w00w00.org/files/w00aimexp/; classtype:misc-attack; sid:1752; rev:4;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 7001 (msg:"MISC AFS access"; content:"|00 00 03 E7 00 00 00 00 00 00 00|e|00 00 00 00 00 00 00 00 0D 05 00 00 00 00 00 00 00|"; reference:nessus,10441; classtype:misc-activity; sid:1504; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 32000 (msg:"MISC Xtramail Username overflow attempt"; dsize:>500; flow:to_server,established; content:"Username|3A|"; nocase; isdataat:100,relative; pcre:"/^Username\:[^\n]{100}/smi"; reference:bugtraq,791; reference:cve,1999-1511; classtype:attempted-admin; sid:1636; rev:8;)
-
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"MISC OpenSSL Worm traffic"; flow:to_server,established; content:"TERM=xterm"; nocase; reference:url,www.cert.org/advisories/CA-2002-27.html; classtype:web-application-attack; sid:1887; rev:3;)
-alert udp $EXTERNAL_NET 2002 -> $HTTP_SERVERS 2002 (msg:"MISC slapper worm admin traffic"; content:"|00 00|E|00 00|E|00 00|@|00|"; depth:10; reference:url,isc.incidents.org/analysis.html?id=167; reference:url,www.cert.org/advisories/CA-2002-27.html; classtype:trojan-activity; sid:1889; rev:5;)
-
-
-# once we get response, check for content:"|03|"; offset:0; depth:1;
-alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"MISC MS Terminal server request RDP"; flow:to_server,established; content:"|03 00 00 0B 06 E0 00 00 00 00 00|"; depth:11; reference:bugtraq,3099; reference:cve,2001-0540; classtype:protocol-command-decode; sid:1447; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"MISC MS Terminal server request"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|E0 00 00 00 00 00|"; depth:6; offset:5; reference:bugtraq,3099; reference:cve,2001-0540; classtype:protocol-command-decode; sid:1448; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"MISC MS Terminal Server no encryption session initiation attmept"; flow:to_server,established; content:"|03 00 01|"; depth:3; content:"|00|"; depth:1; offset:288; reference:url,www.microsoft.com/technet/security/bulletin/MS01-052.mspx; classtype:attempted-dos; sid:2418; rev:3;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 2533 (msg:"MISC Alcatel PABX 4400 connection attempt"; flow:established,to_server; content:"|00 01|C"; depth:3; reference:nessus,11019; classtype:misc-activity; sid:1819; rev:5;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"MISC bootp hardware address length overflow"; content:"|01|"; depth:1; byte_test:1,>,6,2; reference:cve,1999-0798; classtype:misc-activity; sid:1939; rev:4;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"MISC bootp invalid hardware type"; content:"|01|"; depth:1; byte_test:1,>,7,1; reference:cve,1999-0798; classtype:misc-activity; sid:1940; rev:3;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"MISC bootp hostname format string attempt"; content:"|01|"; depth:1; content:"|0C|"; distance:240; content:"%"; distance:0; content:"%"; within:8; distance:1; content:"%"; within:8; distance:1; reference:bugtraq,4701; reference:cve,2002-0702; classtype:misc-attack; sid:2039; rev:4;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 27155 (msg:"MISC GlobalSunTech Access Point Information Disclosure attempt"; content:"gstsearch"; reference:bugtraq,6100; classtype:misc-activity; sid:1966; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 7100 (msg:"MISC xfs overflow attempt"; dsize:>512; flow:to_server,established; content:"B|00 02|"; depth:3; reference:bugtraq,6241; reference:cve,2002-1317; reference:nessus,11188; classtype:misc-activity; sid:1987; rev:6;)
-
-alert udp $HOME_NET 49 -> $EXTERNAL_NET any (msg:"MISC xtacacs failed login response"; content:"|80 02|"; depth:2; content:"|02|"; distance:4; classtype:misc-activity; sid:2041; rev:2;)
-alert udp $HOME_NET 500 -> $EXTERNAL_NET 500 (msg:"MISC isakmp login failed"; content:"|10 05|"; depth:2; offset:17; content:"|00 00 00 01 01 00 00 18|"; within:8; distance:13; classtype:misc-activity; sid:2043; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 873 (msg:"MISC rsyncd module list access"; flow:to_server,established; content:"|23|list"; depth:5; classtype:misc-activity; sid:2047; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 873 (msg:"MISC rsyncd overflow attempt"; flow:to_server; byte_test:2,>,4000,0; content:"|00 00|"; depth:2; offset:2; classtype:misc-activity; sid:2048; rev:2;)
-
-
-# This rule needs some work since you don't have to pass BEGIN and END
-# anywhere near each other.
-#
-#! alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 ( \
-#!   msg:"MISC CVS username overflow attempt"; flow:to_server,established; \
-#!   content:"BEGIN AUTH REQUEST|0A|"; content:!"|0A|END AUTH REQUEST|0A|"; \
-#!   within:255; classtype:misc-attack;)
-
-
-# normally Idon't like using 3a for :, but in this case... I'd like to remove the false positives stemming from someone using anoncvs to checkout snort rules :)
-alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS invalid user authentication response"; flow:from_server,established; content:"E Fatal error, aborting."; content:"|3A| no such user"; classtype:misc-attack; sid:2008; rev:4;)
-alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS invalid repository response"; flow:from_server,established; content:"error "; content:"|3A| no such repository"; content:"I HATE YOU"; classtype:misc-attack; sid:2009; rev:2;)
-alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS double free exploit attempt response"; flow:from_server,established; content:"free|28 29 3A| warning|3A| chunk is already free"; reference:bugtraq,6650; reference:cve,2003-0015; classtype:misc-attack; sid:2010; rev:4;)
-alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS invalid directory response"; flow:from_server,established; content:"E protocol error|3A| invalid directory syntax in"; reference:bugtraq,6650; reference:cve,2003-0015; classtype:misc-attack; sid:2011; rev:4;)
-alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS missing cvsroot response"; flow:from_server,established; content:"E protocol error|3A| Root request missing"; classtype:misc-attack; sid:2012; rev:2;)
-alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS invalid module response"; flow:from_server,established; content:"cvs server|3A| cannot find module"; content:"error"; distance:1; classtype:misc-attack; sid:2013; rev:2;)
-alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS non-relative path error response"; flow:from_server,established; content:"E cvs server|3A| warning|3A| cannot make directory CVS in /"; reference:bugtraq,9178; reference:cve,2003-0977; classtype:misc-attack; sid:2317; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"MISC CVS non-relative path access attempt"; flow:to_server,established; content:"Argument"; pcre:"m?^Argument\s+/?smi"; pcre:"/^Directory/smiR"; reference:bugtraq,9178; reference:cve,2003-0977; classtype:misc-attack; sid:2318; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 1723 (msg:"MISC Microsoft PPTP Start Control Request buffer overflow attempt"; dsize:>156; flow:to_server,established,no_stream; content:"|00 01|"; depth:2; offset:2; content:"|00 01|"; depth:2; offset:8; reference:bugtraq,5807; reference:cve,2002-1214; classtype:attempted-admin; sid:2126; rev:6;)
-
-# this rule is specificly not looking for flow, since tcpdump handles lengths wrong
-alert tcp any any <> any 179 (msg:"MISC BGP invalid length"; flow:stateless; content:"|FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF|"; byte_test:2,<,19,0,relative; reference:url,sf.net/tracker/index.php?func=detail&aid=744523&group_id=53066&atid=469575; classtype:bad-unknown; sid:2158; rev:5;)
-alert tcp $EXTERNAL_NET any <> $HOME_NET 179 (msg:"MISC BGP invalid type 0"; flow:stateless; content:"|FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF|"; depth:16; content:"|00|"; within:1; distance:2; classtype:bad-unknown; sid:2159; rev:8;)
-
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 636 (msg:"MISC LDAP SSLv3 invalid data version attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; content:!"|03|"; depth:1; offset:9; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2500; rev:4;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 639 (msg:"MISC LDAP PCT Client_Hello overflow attempt"; flow:to_server,established; content:"|01|"; depth:1; offset:2; byte_test:2,>,0,6; byte_test:2,!,0,8; byte_test:2,!,16,8; byte_test:2,>,20,10; content:"|8F|"; depth:1; offset:11; byte_test:2,>,32768,0,relative; reference:bugtraq,10116; reference:cve,2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2516; rev:10;)
-
-
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 639 (msg:"MISC LDAP SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; flowbits:set,sslv3.client_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2532; rev:3;)
-alert tcp $HOME_NET 639 -> $EXTERNAL_NET any (msg:"MISC LDAP SSLv3 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|02|"; depth:1; offset:5; flowbits:set,sslv3.server_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2533; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 639 (msg:"MISC LDAP SSLv3 invalid Client_Hello attempt"; flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2534; rev:3;)
-
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"MISC HP Web JetAdmin remote file upload attempt"; flow:to_server,established; content:"/plugins/hpjwja/script/devices_update_printer_fw_upload.hts"; nocase; content:"Content-Type|3A|"; nocase; content:"Multipart"; distance:0; nocase; reference:bugtraq,9978; classtype:web-application-activity; sid:2547; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"MISC HP Web JetAdmin setinfo access"; flow:to_server,established; content:"/plugins/hpjdwm/script/test/setinfo.hts"; nocase; reference:bugtraq,9972; classtype:web-application-activity; sid:2548; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"MISC HP Web JetAdmin file write attempt"; flow:to_server,established; content:"/plugins/framework/script/tree.xms"; nocase; content:"WriteToFile"; nocase; reference:bugtraq,9973; classtype:web-application-activity; sid:2549; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 873 (msg:"MISC rsync backup-dir directory traversal attempt"; flow:to_server,established; content:"--backup-dir"; pcre:"/--backup-dir\s+\x2e\x2e\x2f/"; reference:bugtraq,10247; reference:cve,2004-0426; classtype:string-detect; sid:2561; rev:2;)
diff --git a/scripts/s2b/snort_rules2.2/multimedia.rules b/scripts/s2b/snort_rules2.2/multimedia.rules
deleted file mode 100644
index 6b68fe4f52..0000000000
--- a/scripts/s2b/snort_rules2.2/multimedia.rules
+++ /dev/null
@@ -1,20 +0,0 @@
-# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
-#    All rights reserved.
-# $Id: multimedia.rules 91 2004-07-15 08:13:57Z rwinslow $
-#-------------
-# MULTIMEDIA RULES
-#-------------
-# These signatures look for people using streaming multimedia technologies.
-# Using streaming media may be a violation of corporate policies.
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MULTIMEDIA Quicktime User Agent access"; flow:to_server,established; content:"User-Agent|3A| Quicktime"; classtype:policy-violation; sid:1436; rev:4;)
-alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"MULTIMEDIA Windows Media audio download"; flow:from_server,established; content:"Content-type|3A| audio/x-ms-wma"; nocase; content:"|0A|"; within:2; classtype:policy-violation; sid:1437; rev:5;)
-alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"MULTIMEDIA Windows Media Video download"; flow:from_server,established; content:"Content-type|3A| video/x-ms-asf"; nocase; content:"|0A|"; within:2; classtype:policy-violation; sid:1438; rev:6;)
-alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"MULTIMEDIA Shoutcast playlist redirection"; flow:from_server,established; content:"Content-type|3A| audio/x-scpls"; nocase; content:"|0A|"; within:2; classtype:policy-violation; sid:1439; rev:5;)
-alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"MULTIMEDIA Icecast playlist redirection"; flow:from_server,established; content:"Content-type|3A| audio/x-mpegurl"; nocase; content:"|0A|"; within:2; classtype:policy-violation; sid:1440; rev:5;)
-alert tcp $HOME_NET any -> 64.245.58.0/23 any (msg:"MULTIMEDIA audio galaxy keepalive"; flow:established; content:"E_|00 03 05|"; depth:5; classtype:misc-activity; sid:1428; rev:5;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MULTIMEDIA realplayer .ram playlist download attempt"; flow:to_server,established; uricontent:".ram"; flowbits:set,realplayer.playlist; flowbits:noalert; classtype:misc-activity; sid:2419; rev:2;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MULTIMEDIA realplayer .rmp playlist download attempt"; flow:to_server,established; uricontent:".rmp"; flowbits:set,realplayer.playlist; flowbits:noalert; classtype:misc-activity; sid:2420; rev:2;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MULTIMEDIA realplayer .smi playlist download attempt"; flow:to_server,established; uricontent:".smi"; flowbits:set,realplayer.playlist; flowbits:noalert; classtype:misc-activity; sid:2421; rev:2;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MULTIMEDIA realplayer .rt playlist download attempt"; flow:to_server,established; uricontent:".rt"; flowbits:set,realplayer.playlist; flowbits:noalert; classtype:misc-activity; sid:2422; rev:2;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MULTIMEDIA realplayer .rp playlist download attempt"; flow:to_server,established; uricontent:".rp"; flowbits:set,realplayer.playlist; flowbits:noalert; classtype:misc-activity; sid:2423; rev:2;)
diff --git a/scripts/s2b/snort_rules2.2/mysql.rules b/scripts/s2b/snort_rules2.2/mysql.rules
deleted file mode 100644
index c78ffc5bb3..0000000000
--- a/scripts/s2b/snort_rules2.2/mysql.rules
+++ /dev/null
@@ -1,15 +0,0 @@
-# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
-#    All rights reserved.
-# $Id: mysql.rules 91 2004-07-15 08:13:57Z rwinslow $
-#----------
-# MYSQL RULES
-#----------
-#
-# These signatures detect unusual and potentially malicious mysql traffic.
-#
-# These signatures are not enabled by default as they may generate false
-# positive alarms on networks that do mysql development.
-#
-
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL root login attempt"; flow:to_server,established; content:"|0A 00 00 01 85 04 00 00 80|root|00|"; classtype:protocol-command-decode; sid:1775; rev:2;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL show databases attempt"; flow:to_server,established; content:"|0F 00 00 00 03|show databases"; classtype:protocol-command-decode; sid:1776; rev:2;)
diff --git a/scripts/s2b/snort_rules2.2/netbios.rules b/scripts/s2b/snort_rules2.2/netbios.rules
deleted file mode 100644
index 31439a5181..0000000000
--- a/scripts/s2b/snort_rules2.2/netbios.rules
+++ /dev/null
@@ -1,150 +0,0 @@
-# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
-#    All rights reserved.
-# $Id: netbios.rules 91 2004-07-15 08:13:57Z rwinslow $
-#--------------
-# NETBIOS RULES
-#--------------
-
-
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IPC$ share access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,<,128,6,relative; content:"IPC|24 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:537; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IPC$ share unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,>,127,6,relative; content:"I|00|P|00|C|00 24 00 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:538; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IPC$ share access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,<,128,6,relative; content:"IPC|24 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:2465; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IPC$ share unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,>,127,6,relative; content:"I|00|P|00|C|00 24 00 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:2466; rev:3;)
-
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB D$ share access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,<,128,6,relative; content:"D|24 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:536; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB D$ share unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,>,127,6,relative; content:"D|00 24 00 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:2467; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS D$ share access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,<,128,6,relative; content:"D|24 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:2468; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS D$ share unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,>,127,6,relative; content:"D|00 24 00 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:2469; rev:3;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB C$ share access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,<,128,6,relative; content:"C|24 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:533; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB C$ share unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,>,127,6,relative; content:"C|00 24 00 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:2470; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS C$ share access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,<,128,6,relative; content:"C|24 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:2471; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS C$ share unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,>,127,6,relative; content:"C|00 24 00 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:2472; rev:3;)
-
-
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB ADMIN$ share access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,<,128,6,relative; content:"ADMIN|24 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:532; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB ADMIN$ share unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,>,127,6,relative; content:"A|00|D|00|M|00|I|00|N|00 24 00 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:2473; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS ADMIN$ share access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,<,128,6,relative; content:"ADMIN|24 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:2474; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS ADMIN$ share unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,>,127,6,relative; content:"A|00|D|00|M|00|I|00|N|00 24 00 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:2475; rev:3;)
-
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; depth:5; offset:4; content:"|5C|winreg|00|"; offset:85; nocase; classtype:protocol-command-decode; sid:2174; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; depth:5; offset:4; content:"|5C 00|w|00|i|00|n|00|r|00|e|00|g|00|"; offset:85; nocase; classtype:protocol-command-decode; sid:2175; rev:5;)
-
-# where did these come from?  I don't know.  lets disable them for real for now
-# and deal with it later...
-### alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; depth:5; offset:4; content:"|5C|winreg|00|"; offset:85; nocase; classtype:attempted-recon; rev:2;)
-### alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; depth:5; offset:4; content:"|5C 00|w|00|i|00|n|00|r|00|e|00|g|00|"; offset:85; nocase; classtype:attempted-recon; rev:2;)
-
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Create AndX Request winreg attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; depth:5; offset:4; byte_test:1,>,127,6,relative; content:"|5C|winreg|00|"; within:8; distance:79; nocase; flowbits:set,smb.winreg.create; classtype:protocol-command-decode; sid:2476; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Create AndX Request winreg unicode attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; depth:5; offset:4; byte_test:1,>,127,6,relative; content:"|5C 00|w|00|i|00|n|00|r|00|e|00|g|00 00 00|"; within:16; distance:79; nocase; flowbits:set,smb.winreg.create; classtype:protocol-command-decode; sid:2477; rev:3;)
-
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC bind winreg attempt"; flow:to_server,established; flowbits:set,smb.dce.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:1,<,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|pipe|5C 00 05 00 0B|"; within:10; distance:5; nocase; byte_test:1,&,16,1,relative; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:isset,smb.winreg.create; classtype:protocol-command-decode; sid:2478; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC bind winreg unicode attempt"; flow:to_server,established; flowbits:set,smb.dce.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:1,>,127,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00 05 00 0B|"; within:17; distance:5; nocase; byte_test:1,&,16,1,relative; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:isset,smb.winreg.create; classtype:protocol-command-decode; sid:2479; rev:3;)
-
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC shutdown unicode attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:1,>,127,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00 05 00 00|"; within:17; distance:5; nocase; byte_test:1,&,16,1,relative; content:"|18 00|"; within:2; distance:19; flowbits:isset,smb.dce.bind.winreg; classtype:protocol-command-decode; sid:2480; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC shutdown unicode little endian attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:1,>,127,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00 05 00 00|"; within:17; distance:5; nocase; byte_test:1,<,16,1,relative; content:"|00 18|"; within:2; distance:19; flowbits:isset,smb.dce.bind.winreg; classtype:protocol-command-decode; sid:2481; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC shutdown attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:1,<,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 00|"; within:10; distance:5; nocase; byte_test:1,&,16,1,relative; content:"|18 00|"; within:2; distance:19; flowbits:isset,smb.dce.bind.winreg; classtype:protocol-command-decode; sid:2482; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC shutdown little endian attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:1,<,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 00|"; within:10; distance:5; nocase; byte_test:1,<,16,1,relative; content:"|00 18|"; within:2; distance:19; flowbits:isset,smb.dce.bind.winreg; classtype:protocol-command-decode; sid:2483; rev:3;)
-
-
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda .eml"; flow:to_server,established; content:"|00|.|00|E|00|M|00|L"; reference:url,www.f-secure.com/v-descs/nimda.shtml; classtype:bad-unknown; sid:1293; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda .nws"; flow:to_server,established; content:"|00|.|00|N|00|W|00|S"; reference:url,www.f-secure.com/v-descs/nimda.shtml; classtype:bad-unknown; sid:1294; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda RICHED20.DLL"; flow:to_server,established; content:"R|00|I|00|C|00|H|00|E|00|D|00|2|00|0"; reference:url,www.f-secure.com/v-descs/nimda.shtml; classtype:bad-unknown; sid:1295; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS DOS RFPoison"; flow:to_server,established; content:"|5C 00 5C 00|*|00|S|00|M|00|B|00|S|00|E|00|R|00|V|00|E|00|R|00 00 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 FF FF FF FF 00 00 00 00|"; reference:arachnids,454; classtype:attempted-dos; sid:529; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS NT NULL session"; flow:to_server,established; content:"|00 00 00 00|W|00|i|00|n|00|d|00|o|00|w|00|s|00| |00|N|00|T|00| |00|1|00|3|00|8|00|1"; reference:arachnids,204; reference:bugtraq,1163; reference:cve,2000-0347; classtype:attempted-recon; sid:530; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS RFParalyze Attempt"; flow:to_server,established; content:"BEAVIS"; content:"yep yep"; classtype:attempted-recon; sid:1239; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CD.."; flow:to_server,established; content:"|5C|../|00 00 00|"; reference:arachnids,338; classtype:attempted-recon; sid:534; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CD..."; flow:to_server,established; content:"|5C|...|00 00 00|"; reference:arachnids,337; classtype:attempted-recon; sid:535; rev:6;)
-
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB startup folder access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB2"; depth:5; offset:4; content:"Documents and Settings|5C|All Users|5C|Start Menu|5C|Programs|5C|Startup|00|"; distance:0; nocase; classtype:attempted-recon; sid:2176; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB startup folder unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB2"; depth:5; offset:4; content:"|5C 00|S|00|t|00|a|00|r|00|t|00| |00|M|00|e|00|n|00|u|00 5C 00|P|00|r|00|o|00|g|00|r|00|a|00|m|00|s|00 5C 00|S|00|t|00|a|00|r|00|t|00|u|00|p"; distance:0; nocase; classtype:attempted-recon; sid:2177; rev:4;)
-
-
-
-# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS Samba clientaccess"; flow:to_server,established; content:"|00|Unix|00|Samba"; reference:arachnids,341; classtype:not-suspicious; sid:539; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB SMB_COM_TRANSACTION Max Parameter and Max Count of 0 DOS Attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; content:"|00 00 00 00|"; depth:4; offset:43; reference:bugtraq,5556; reference:cve,2002-0724; reference:url,www.corest.com/common/showdoc.php?idx=262; reference:url,www.microsoft.com/technet/security/bulletin/MS02-045.mspx; classtype:denial-of-service; sid:2101; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB trans2open buffer overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB2"; depth:5; offset:4; content:"|00 14|"; depth:2; offset:60; byte_test:2,>,256,0,relative,little; reference:bugtraq,7294; reference:cve,2003-0201; reference:url,www.digitaldefense.net/labs/advisories/DDI-1013.txt; classtype:attempted-admin; sid:2103; rev:9;)
-
-
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC invalid bind attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|00|"; within:1; distance:21; classtype:attempted-dos; sid:2190; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB DCERPC invalid bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; distance:2; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|00|"; within:1; distance:21; classtype:attempted-dos; sid:2191; rev:3;)
-alert tcp $HOME_NET 135 -> $EXTERNAL_NET any (msg:"NETBIOS DCERPC ISystemActivator bind accept"; flow:from_server,established; content:"|05|"; within:1; content:"|0C|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|00 00|"; within:2; distance:33; flowbits:isset,dce.isystemactivator.bind.attempt; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2350; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC ISystemActivator path overflow attempt little endian"; flow:to_server,established; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|5C 00 5C 00|"; byte_test:4,>,256,-8,little,relative; flowbits:isset,dce.isystemactivator.bind; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2351; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC ISystemActivator path overflow attempt big endian"; flow:to_server,established; content:"|05|"; within:1; byte_test:1,<,16,3,relative; content:"|5C 00 5C 00|"; byte_test:4,>,256,-8,relative; flowbits:isset,dce.isystemactivator.bind; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2352; rev:7;)
-
-
-
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC ISystemActivator bind attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind.attempt; flowbits:noalert; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2192; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC ISystemActivator bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind.call.attempt; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2193; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC ISystemActivator unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind.call.attempt; reference:bugtraq,8811; reference:cve,2003-0813; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2491; rev:5;)
-
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC ISystemActivator bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 0B|"; within:10; distance:4; byte_test:1,&,16,1,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind.call.attempt; reference:bugtraq,8811; reference:cve,2003-0813; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2492; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC ISystemActivator unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind.call.attempt; reference:bugtraq,8811; reference:cve,2003-0813; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2493; rev:5;)
-
-
-
-
-
-
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC Remote Activation bind attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; tag:session,5,packets; reference:bugtraq,8234; reference:bugtraq,8458; reference:cve,2003-0528; reference:cve,2003-0605; reference:cve,2003-0715; reference:url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx; classtype:attempted-admin; sid:2251; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC Remote Activation bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; tag:session,5,packets; reference:bugtraq,8234; reference:bugtraq,8458; reference:cve,2003-0528; reference:cve,2003-0605; reference:cve,2003-0715; reference:url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx; classtype:attempted-admin; sid:2252; rev:11;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC Messenger Service buffer overflow attempt"; content:"|04 00|"; depth:2; byte_test:1,>,15,2,relative; byte_jump:4,86,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,0,little,relative; reference:bugtraq,8826; reference:cve,2003-0717; reference:url,www.microsoft.com/technet/security/bulletin/MS03-043.mspx; classtype:attempted-admin; sid:2257; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC Messenger Service buffer overflow attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|04 00|"; within:2; byte_test:1,>,15,2,relative; byte_jump:4,86,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,0,little,relative; reference:bugtraq,8826; reference:cve,2003-0717; reference:url,www.microsoft.com/technet/security/bulletin/MS03-043.mspx; classtype:attempted-admin; sid:2258; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC Workstation Service unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2308; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC Workstation Service bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 0B|"; within:10; distance:4; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2309; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC Workstation Service unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2310; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC Workstation Service bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 0B|"; within:10; distance:4; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2311; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"NETBIOS DCERPC Workstation Service direct service bind attempt"; flow:to_server,established; content:"|05 00 0B|"; depth:3; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2315; rev:6;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"NETBIOS DCERPC Workstation Service direct service access attempt"; content:"|04 00|"; depth:2; byte_test:1,&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2316; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC print spool bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00 05 00 0B|"; within:17; distance:5; byte_test:1,&,16,1,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:29; flowbits:set,dce.printer.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2348; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC enumerate printers request attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; distance:1; content:"|00|"; within:1; distance:1; byte_test:1,&,3,0,relative; content:"|00 00|"; within:2; distance:19; flowbits:isset,dce.printer.bind; classtype:attempted-recon; sid:2349; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NTLMSSP invalid mechtype attempt"; flow:to_server,established; content:"|FF|SMBs"; depth:5; offset:4; nocase; content:"`"; depth:1; offset:63; content:"|06 06|+|06 01 05 05 02|"; within:8; distance:1; content:"|06 0A|+|06 01 04 01 82|7|02 02 0A|"; distance:0; content:"|A1 05 23 03 03 01 07|"; distance:0; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; classtype:attempted-dos; sid:2382; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC NTLMSSP invalid mechtype attempt"; flow:to_server,established; content:"|FF|SMBs"; depth:5; offset:4; nocase; content:"`"; depth:1; offset:63; content:"|06 06|+|06 01 05 05 02|"; within:8; distance:1; content:"|06 0A|+|06 01 04 01 82|7|02 02 0A|"; distance:0; content:"|A1 05 23 03 03 01 07|"; distance:0; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; classtype:attempted-dos; sid:2383; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NTLMSSP invalid mechlistMIC attempt"; flow:to_server,established; content:"|FF|SMBs"; depth:5; offset:4; nocase; content:"`"; depth:1; offset:63; content:"|00 00 00|b|06 83 00 00 06|+|06 01 05 05 02|"; within:15; distance:1; content:"|06 0A|+|06 01 04 01 82|7|02 02 0A|"; distance:0; content:"|A3|>0<|A0|0"; distance:0; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12054; classtype:attempted-dos; sid:2384; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC NTLMSSP invalid mechlistMIC attempt"; flow:to_server,established; content:"|FF|SMBs"; depth:5; offset:4; nocase; content:"`"; depth:1; offset:63; content:"|00 00 00|b|06 83 00 00 06|+|06 01 05 05 02|"; within:15; distance:1; content:"|06 0A|+|06 01 04 01 82|7|02 02 0A|"; distance:0; content:"|A3|>0<|A0|0"; distance:0; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12054; classtype:attempted-dos; sid:2385; rev:9;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Session Setup AndX request username overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; byte_test:2,>,322,2; content:"|FF|SMBs"; depth:5; offset:4; nocase; byte_test:1,<,128,6,relative; content:"|00 00 00 00|"; within:4; distance:42; byte_test:2,>,255,8,relative,little; content:!"|00|"; within:255; distance:10; reference:bugtraq,9752; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:attempted-admin; sid:2401; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Session Setup AndX request username overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; byte_test:2,>,322,2; content:"|FF|SMBs"; depth:5; offset:4; nocase; byte_test:1,<,128,6,relative; content:"|00 00 00 00|"; within:4; distance:42; byte_test:2,>,255,8,relative,little; content:!"|00|"; within:255; distance:10; reference:bugtraq,9752; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:attempted-admin; sid:2402; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Session Setup AndX request unicode username overflow attempt"; flow:to_server,established; content:"|00 00|"; distance:0; content:"|00 00|"; distance:0; content:"|00|"; depth:1; byte_test:2,>,322,2; content:"|FF|SMBs"; depth:5; offset:4; nocase; byte_test:1,&,128,6,relative; byte_test:2,>,255,54,relative,little; content:"|00|"; distance:56; content:"|00 00|"; distance:255; content:"|00 00|"; distance:0; reference:bugtraq,9752; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:attempted-admin; sid:2403; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Session Setup AndX request unicode username overflow attempt"; flow:to_server,established; content:"|00 00|"; distance:0; content:"|00 00|"; distance:0; content:"|00|"; depth:1; byte_test:2,>,322,2; content:"|FF|SMBs"; depth:5; offset:4; nocase; byte_test:1,&,128,6,relative; byte_test:2,>,255,54,relative,little; content:"|00|"; distance:56; content:"|00 00|"; distance:255; content:"|00 00|"; distance:0; reference:bugtraq,9752; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:attempted-admin; sid:2404; rev:5;)
-
-
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCEPRC ORPCThis request flood attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|00|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|05|"; within:1; distance:21; content:"MEOW"; flowbits:isset,dce.isystemactivator.bind.call.attempt; threshold:type both, track by_dst, count 20, seconds 60; reference:bugtraq,8811; reference:cve,2003-0813; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:misc-attack; sid:2494; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCEPRC ORPCThis request flood attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|00|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|05|"; within:1; distance:21; content:"MEOW"; flowbits:isset,dce.isystemactivator.bind.call.attempt; threshold:type both, track by_dst, count 20, seconds 60; reference:bugtraq,8811; reference:cve,2003-0813; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:misc-attack; sid:2495; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCEPRC ORPCThis request flood attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|00|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|05|"; within:1; distance:21; content:"MEOW"; flowbits:isset,dce.isystemactivator.bind.call.attempt; threshold:type both, track by_dst, count 20, seconds 60; reference:bugtraq,8811; reference:cve,2003-0813; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:misc-attack; sid:2496; rev:5;)
-
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC LSASS bind attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|00|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2507; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC LSASS direct bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; depth:4; offset:4; nocase; content:"|05|"; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2524; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC LSASS DsRolerUpgradeDownlevelServer Exploit attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; flowbits:isset,netbios.lsass.bind.attempt; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2508; rev:6;)
-
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC LSASS unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2509; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC LSASS bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 0B|"; within:10; distance:4; byte_test:1,&,16,1,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2510; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC LSASS direct bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; depth:4; offset:4; nocase; content:"|05|"; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2525; rev:6;)
-
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt"; flow:to_server,established; flowbits:isset,netbios.lsass.bind.attempt; content:"|FF|SMB"; depth:4; offset:4; nocase; content:"|05|"; distance:59; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2511; rev:9;)
-
-
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC LSASS bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; distance:2; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2512; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC LSASS direct bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; depth:4; offset:4; nocase; content:"|05|"; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2526; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC LSASS unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2513; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt"; flow:to_server,established; flowbits:isset,netbios.lsass.bind.attempt; content:"|FF|SMB"; depth:4; offset:4; nocase; content:"|05|"; distance:59; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2514; rev:7;)
-alert udp $EXTERNAL_NET 137 -> $HOME_NET any (msg:"NETBIOS NS lookup response name overflow attempt"; byte_test:1,>,127,2; content:"|00 01|"; depth:2; offset:6; byte_test:1,>,32,12; reference:bugtraq,10333; reference:bugtraq,10334; reference:cve,2004-0444; reference:cve,2004-0445; reference:url,www.eeye.com/html/Research/Advisories/AD20040512A.html; classtype:attempted-admin; sid:2563; rev:4;)
-alert udp $EXTERNAL_NET 137 -> $HOME_NET 137 (msg:"NETBIOS NS lookup short response attempt"; dsize:<56; byte_test:1,>,127,2; content:"|00 01|"; depth:2; offset:6; reference:bugtraq,10334; reference:bugtraq,10335; reference:cve,2004-0444; reference:cve,2004-0445; reference:url,www.eeye.com/html/Research/Advisories/AD20040512C.html; classtype:attempted-admin; sid:2564; rev:4;)
diff --git a/scripts/s2b/snort_rules2.2/nntp.rules b/scripts/s2b/snort_rules2.2/nntp.rules
deleted file mode 100644
index 9d4032a848..0000000000
--- a/scripts/s2b/snort_rules2.2/nntp.rules
+++ /dev/null
@@ -1,18 +0,0 @@
-# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
-#    All rights reserved.
-# $Id: nntp.rules 91 2004-07-15 08:13:57Z rwinslow $
-#----------
-# NNTP RULES
-#----------
-
-alert tcp $EXTERNAL_NET 119 -> $HOME_NET any (msg:"NNTP return code buffer overflow attempt"; flow:to_server,established,no_stream; content:"200"; isdataat:64,relative; pcre:"/^200\s[^\n]{64}/smi"; reference:bugtraq,4900; reference:cve,2002-0909; classtype:protocol-command-decode; sid:1792; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP AUTHINFO USER overflow attempt"; flow:to_server,established; content:"AUTHINFO"; nocase; content:"USER"; distance:0; nocase; isdataat:200,relative; pcre:"/^AUTHINFO\s+USER\s[^\n]{200}/smi"; reference:arachnids,274; reference:bugtraq,1156; reference:cve,2000-0341; classtype:attempted-admin; sid:1538; rev:13;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP sendsys overflow attempt"; flow:to_server,established; content:"sendsys"; nocase; pcre:"/^sendsys\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-00045; classtype:attempted-admin; sid:2424; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP senduuname overflow attempt"; flow:to_server,established; content:"senduuname"; nocase; pcre:"/^senduuname\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-00045; classtype:attempted-admin; sid:2425; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP version overflow attempt"; flow:to_server,established; content:"version"; nocase; pcre:"/^version\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-00045; classtype:attempted-admin; sid:2426; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP checkgroups overflow attempt"; flow:to_server,established; content:"checkgroups"; nocase; pcre:"/^checkgroups\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-00045; classtype:attempted-admin; sid:2427; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP ihave overflow attempt"; flow:to_server,established; content:"ihave"; nocase; pcre:"/^ihave\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-00045; classtype:attempted-admin; sid:2428; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP sendme overflow attempt"; flow:to_server,established; content:"sendme"; nocase; pcre:"/^sendme\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-00045; classtype:attempted-admin; sid:2429; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP newgroup overflow attempt"; flow:to_server,established; content:"newgroup"; nocase; pcre:"/^newgroup\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-00045; classtype:attempted-admin; sid:2430; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP rmgroup overflow attempt"; flow:to_server,established; content:"rmgroup"; nocase; pcre:"/^rmgroup\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-00045; classtype:attempted-admin; sid:2431; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP article post without path attempt"; flow:to_server,established; content:"takethis"; nocase; pcre:!"/^takethis.*?Path\x3a.*?[\r]{0,1}?\n[\r]{0,1}\n/si"; classtype:attempted-admin; sid:2432; rev:2;)
diff --git a/scripts/s2b/snort_rules2.2/oracle.rules b/scripts/s2b/snort_rules2.2/oracle.rules
deleted file mode 100644
index 4e4f8947b3..0000000000
--- a/scripts/s2b/snort_rules2.2/oracle.rules
+++ /dev/null
@@ -1,44 +0,0 @@
-# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
-#    All rights reserved.
-# $Id: oracle.rules 91 2004-07-15 08:13:57Z rwinslow $
-#----------
-# ORACLE RULES
-#----------
-#
-# These signatures detect unusual and potentially malicious oracle traffic.
-# These signatures are based from signatures written by Hank Leininger
-# <hlein@progressive-comp.com> for Enterasys's Dragon IDS that he released
-# publicly.
-#
-# These signatures are not enabled by default as they may generate false
-# positive alarms on networks that do oracle development.  If you use an
-# Oracle based web application, you should set the destination port to
-# 80 to catch attackers attempting to exploit your web application.
-#
-
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE EXECUTE_SYSTEM attempt"; flow:to_server,established; content:"EXECUTE_SYSTEM"; nocase; classtype:system-call-detect; sid:1673; rev:3;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE connect_data remote version detection attempt"; flow:to_server,established; content:"connect_data|28|command=version|29|"; nocase; classtype:protocol-command-decode; sid:1674; rev:5;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE misparsed login response"; flow:from_server,established; content:"description=|28|"; nocase; content:!"connect_data=|28|sid="; nocase; content:!"address=|28|protocol=tcp"; nocase; classtype:suspicious-login; sid:1675; rev:4;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE select union attempt"; flow:to_server,established; content:"select "; nocase; content:" union "; nocase; classtype:protocol-command-decode; sid:1676; rev:3;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE select like '%' attempt"; flow:to_server,established; content:" where "; nocase; content:" like '%'"; nocase; classtype:protocol-command-decode; sid:1677; rev:3;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE select like '%' attempt backslash escaped"; flow:to_server,established; content:" where "; nocase; content:" like |22|%|22|"; nocase; classtype:protocol-command-decode; sid:1678; rev:5;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE describe attempt"; flow:to_server,established; content:"describe "; nocase; classtype:protocol-command-decode; sid:1679; rev:4;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE all_constraints access"; flow:to_server,established; content:"all_constraints"; nocase; classtype:protocol-command-decode; sid:1680; rev:3;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE all_views access"; flow:to_server,established; content:"all_views"; nocase; classtype:protocol-command-decode; sid:1681; rev:3;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE all_source access"; flow:to_server,established; content:"all_source"; nocase; classtype:protocol-command-decode; sid:1682; rev:3;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE all_tables access"; flow:to_server,established; content:"all_tables"; nocase; classtype:protocol-command-decode; sid:1683; rev:3;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE all_tab_columns access"; flow:to_server,established; content:"all_tab_columns"; nocase; classtype:protocol-command-decode; sid:1684; rev:3;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE all_tab_privs access"; flow:to_server,established; content:"all_tab_privs"; nocase; classtype:protocol-command-decode; sid:1685; rev:4;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dba_tablespace access"; flow:to_server,established; content:"dba_tablespace"; nocase; classtype:protocol-command-decode; sid:1686; rev:3;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dba_tables access"; flow:to_server,established; content:"dba_tables"; nocase; classtype:protocol-command-decode; sid:1687; rev:3;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE user_tablespace access"; flow:to_server,established; content:"user_tablespace"; nocase; classtype:protocol-command-decode; sid:1688; rev:3;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.all_users access"; flow:to_server,established; content:"sys.all_users"; nocase; classtype:protocol-command-decode; sid:1689; rev:3;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE grant attempt"; flow:to_server,established; content:"grant "; nocase; content:" to "; nocase; classtype:protocol-command-decode; sid:1690; rev:3;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE ALTER USER attempt"; flow:to_server,established; content:"alter user"; nocase; content:" identified by "; nocase; classtype:protocol-command-decode; sid:1691; rev:3;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE drop table attempt"; flow:to_server,established; content:"drop table"; nocase; classtype:protocol-command-decode; sid:1692; rev:3;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE create table attempt"; flow:to_server,established; content:"create table"; nocase; classtype:protocol-command-decode; sid:1693; rev:4;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE alter table attempt"; flow:to_server,established; content:"alter table"; nocase; classtype:protocol-command-decode; sid:1694; rev:3;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE truncate table attempt"; flow:to_server,established; content:"truncate table"; nocase; classtype:protocol-command-decode; sid:1695; rev:3;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE create database attempt"; flow:to_server,established; content:"create database"; nocase; classtype:protocol-command-decode; sid:1696; rev:3;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE alter database attempt"; flow:to_server,established; content:"alter database"; nocase; classtype:protocol-command-decode; sid:1697; rev:3;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE generate_replication_support prefix overflow attempt"; flow:to_server,established; content:"generate_replication_support"; nocase; pcre:"/(package|procedure)_prefix[\s\r\n]*=>[\s\r\n]*('[^']{1000,}|"[^"]{1000,})/Rsmi"; classtype:attempted-user; sid:2576; rev:2;)
diff --git a/scripts/s2b/snort_rules2.2/other-ids.rules b/scripts/s2b/snort_rules2.2/other-ids.rules
deleted file mode 100644
index ead2e6bcb2..0000000000
--- a/scripts/s2b/snort_rules2.2/other-ids.rules
+++ /dev/null
@@ -1,22 +0,0 @@
-# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
-#    All rights reserved.
-# $Id: other-ids.rules 91 2004-07-15 08:13:57Z rwinslow $
-# ---------------
-# OTHER-IDS RULES
-# ---------------
-# These signatures look for uses of other IDSs.
-#
-# These signatures serve two purposes.
-#  1) If you are "IDS GUY" for a company, and someone else sets up an IDS
-#     without letting you know, thats bad.
-#  2) If you are "pen-tester", this is a good way to find out what IDS
-#     systems your target is using after you have gained access to their
-#     network.
-#
-
-
-alert tcp $HOME_NET 902 -> $EXTERNAL_NET any (msg:"OTHER-IDS ISS RealSecure 6 event collector connection attempt"; flow:from_server,established; content:"6ISS ECNRA Built-In Provider, Strong Encryption"; depth:70; offset:30; nocase; classtype:successful-recon-limited; sid:1760; rev:3;)
-alert tcp $HOME_NET 2998 -> $EXTERNAL_NET any (msg:"OTHER-IDS ISS RealSecure 6 daemon connection attempt"; flow:from_server,established; content:"6ISS ECNRA Built-In Provider, Strong Encryption"; depth:70; offset:30; nocase; classtype:successful-recon-limited; sid:1761; rev:3;)
-
-# To limit false positives, limit to the default port of 975
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"OTHER-IDS SecureNetPro traffic"; flow:established; content:"|00|g|00 01 00 03|"; depth:6; classtype:bad-unknown; sid:1629; rev:6;)
diff --git a/scripts/s2b/snort_rules2.2/p2p.rules b/scripts/s2b/snort_rules2.2/p2p.rules
deleted file mode 100644
index ea3fcbba19..0000000000
--- a/scripts/s2b/snort_rules2.2/p2p.rules
+++ /dev/null
@@ -1,25 +0,0 @@
-# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
-#    All rights reserved.
-# $Id: p2p.rules 91 2004-07-15 08:13:57Z rwinslow $
-#-------------
-# P2P RULES
-#-------------
-# These signatures look for usage of P2P protocols, which are usually
-# against corporate policy
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET 8888 (msg:"P2P napster login"; flow:to_server,established; content:"|00 02 00|"; depth:3; offset:1; classtype:policy-violation; sid:549; rev:8;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET 8888 (msg:"P2P napster new user login"; flow:to_server,established; content:"|00 06 00|"; depth:3; offset:1; classtype:policy-violation; sid:550; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"P2P napster download attempt"; flow:to_server,established; content:"|00 CB 00|"; depth:3; offset:1; classtype:policy-violation; sid:551; rev:7;)
-alert tcp $EXTERNAL_NET 8888 -> $HOME_NET any (msg:"P2P napster upload request"; flow:from_server,established; content:"|00|_|02|"; depth:3; offset:1; classtype:policy-violation; sid:552; rev:7;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P GNUTella client request"; flow:to_server,established; content:"GNUTELLA"; depth:8; classtype:policy-violation; sid:1432; rev:6;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P Outbound GNUTella client request"; flow:to_server,established; content:"GNUTELLA CONNECT"; depth:40; classtype:policy-violation; sid:556; rev:5;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P GNUTella client request"; flow:to_server,established; content:"GNUTELLA OK"; depth:40; classtype:policy-violation; sid:557; rev:6;)
-alert tcp $HOME_NET any <> $EXTERNAL_NET 6699 (msg:"P2P Napster Client Data"; flow:established; content:".mp3"; nocase; classtype:policy-violation; sid:561; rev:6;)
-alert tcp $HOME_NET any <> $EXTERNAL_NET 7777 (msg:"P2P Napster Client Data"; flow:to_server,established; content:".mp3"; nocase; classtype:policy-violation; sid:562; rev:5;)
-alert tcp $HOME_NET any <> $EXTERNAL_NET 6666 (msg:"P2P Napster Client Data"; flow:established; content:".mp3"; nocase; classtype:policy-violation; sid:563; rev:6;)
-alert tcp $HOME_NET any <> $EXTERNAL_NET 5555 (msg:"P2P Napster Client Data"; flow:established; content:".mp3"; nocase; classtype:policy-violation; sid:564; rev:7;)
-alert tcp $HOME_NET any <> $EXTERNAL_NET 8875 (msg:"P2P Napster Server Login"; flow:established; content:"anon@napster.com"; classtype:policy-violation; sid:565; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 1214 (msg:"P2P Fastrack kazaa/morpheus GET request"; flow:to_server,established; content:"GET "; depth:4; reference:url,www.kazaa.com; reference:url,www.musiccity.com/technology.htm; classtype:policy-violation; sid:1383; rev:6;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P Fastrack kazaa/morpheus traffic"; flow:to_server,established; content:"GET"; depth:3; content:"UserAgent|3A| KazaaClient"; reference:url,www.kazaa.com; classtype:policy-violation; sid:1699; rev:7;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P BitTorrent announce request"; flow:to_server,established; content:"GET"; depth:4; content:"/announce"; distance:1; content:"info_hash="; offset:4; content:"event=started"; offset:4; classtype:policy-violation; sid:2180; rev:2;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET 6881:6889 (msg:"P2P BitTorrent transfer"; flow:to_server,established; content:"|13|BitTorrent protocol"; depth:20; classtype:policy-violation; sid:2181; rev:2;)
diff --git a/scripts/s2b/snort_rules2.2/policy.rules b/scripts/s2b/snort_rules2.2/policy.rules
deleted file mode 100644
index 457e18f5ea..0000000000
--- a/scripts/s2b/snort_rules2.2/policy.rules
+++ /dev/null
@@ -1,40 +0,0 @@
-# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
-#    All rights reserved.
-# $Id: policy.rules 91 2004-07-15 08:13:57Z rwinslow $
-#-------------
-# POLICY RULES
-#-------------
-#
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP anonymous login attempt"; flow:to_server,established; content:"USER"; nocase; pcre:"/^USER\s+(anonymous|ftp)/smi"; classtype:misc-activity; sid:553; rev:7;)
-
-alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"POLICY WinGate telnet server response"; flow:from_server,established; content:"WinGate>"; reference:arachnids,366; reference:cve,1999-0657; classtype:misc-activity; sid:555; rev:8;)
-
-
-# we have started to see multiple versions of this beyond 003.003, so we have
-# expanded this signature to take that into account.
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"POLICY VNC server response"; flow:established; content:"RFB 0"; depth:5; content:".0"; depth:2; offset:7; classtype:misc-activity; sid:560; rev:6;)
-
-alert udp $EXTERNAL_NET any -> $HOME_NET 5632 (msg:"POLICY PCAnywhere server response"; content:"ST"; depth:2; reference:arachnids,239; classtype:misc-activity; sid:566; rev:4;)
-alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"POLICY SMTP relaying denied"; flow:established,from_server; content:"550 5.7.1"; depth:70; reference:arachnids,249; reference:url,mail-abuse.org/tsi/ar-fix.html; classtype:misc-activity; sid:567; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 9100 (msg:"POLICY HP JetDirect LCD modification attempt"; flow:to_server,established; content:"@PJL RDYMSG DISPLAY ="; reference:arachnids,302; reference:bugtraq,2245; classtype:misc-activity; sid:568; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 9000:9002 (msg:"POLICY HP JetDirect LCD modification attempt"; flow:to_server,established; content:"@PJL RDYMSG DISPLAY ="; reference:arachnids,302; reference:bugtraq,2245; classtype:misc-activity; sid:510; rev:8;)
-alert ip 63.251.224.177 any -> $HOME_NET any (msg:"POLICY poll.gotomypc.com access"; reference:url,www.gotomypc.com/help2.tmpl; classtype:misc-activity; sid:1429; rev:2;)
-
-# NOTES: This signature would be better off using uricontent, and having the
-# http decoder looking at 5800 and 5802, but that is on by default
-alert tcp $EXTERNAL_NET any -> $HOME_NET 5800:5802 (msg:"POLICY vncviewer Java applet download attempt"; flow:to_server,established; content:"/vncviewer.jar"; reference:nessus,10758; classtype:misc-activity; sid:1846; rev:4;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP file_id.diz access possible warez site"; flow:to_server,established; content:"RETR"; nocase; content:"file_id.diz"; distance:1; nocase; classtype:suspicious-filename-detect; sid:1445; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP 'STOR 1MB' possible warez site"; flow:to_server,established; content:"STOR"; nocase; content:"1MB"; distance:1; nocase; classtype:misc-activity; sid:543; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP 'RETR 1MB' possible warez site"; flow:to_server,established; content:"RETR"; nocase; content:"1MB"; distance:1; nocase; classtype:misc-activity; sid:544; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP 'CWD  ' possible warez site"; flow:to_server,established; content:"CWD  "; depth:5; nocase; classtype:misc-activity; sid:546; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP 'MKD  ' possible warez site"; flow:to_Server,established; content:"MKD  "; depth:5; nocase; classtype:misc-activity; sid:547; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP 'MKD .' possible warez site"; flow:to_server,established; content:"MKD ."; depth:5; nocase; classtype:misc-activity; sid:548; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP 'CWD / ' possible warez site"; flow:to_server,established; content:"CWD"; nocase; content:"/ "; distance:1; classtype:misc-activity; sid:545; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP 'MKD / ' possible warez site"; flow:to_server,established; content:"MKD"; nocase; content:"/ "; distance:1; classtype:misc-activity; sid:554; rev:6;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 1723 (msg:"POLICY PPTP Start Control Request attempt"; flow:to_server,established,no_stream; content:"|00 01|"; depth:2; offset:2; content:"|00 01|"; depth:2; offset:8; classtype:attempted-admin; sid:2044; rev:5;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 49 (msg:"POLICY xtacacs login attempt"; content:"|80 01|"; depth:2; content:"|00|"; distance:4; classtype:misc-activity; sid:2040; rev:3;)
-alert udp $HOME_NET 49 -> $EXTERNAL_NET any (msg:"POLICY xtacacs accepted login response"; content:"|80 02|"; depth:2; content:"|01|"; distance:4; classtype:misc-activity; sid:2042; rev:3;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"POLICY IPSec PGPNet connection attempt"; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 10 02 00 00 00 00 00 00 00 00 88 0D 00 00 5C 00 00 00 01 00 00 00 01 00 00 00|P|01 01 00 02 03 00 00 24 01 01 00 00 80 01 00 06 80 02 00 02 80 03 00 03 80 04 00 05 80 0B 00 01 00 0C 00 04 00 01|Q|80 00 00 00 24 02 01 00 00 80 01 00 05 80 02 00 01 80 03 00 03 80 04 00 02 80 0B 00 01 00 0C 00 04 00 01|Q|80 00 00 00 10|"; classtype:protocol-command-decode; sid:1771; rev:6;)
diff --git a/scripts/s2b/snort_rules2.2/pop2.rules b/scripts/s2b/snort_rules2.2/pop2.rules
deleted file mode 100644
index 303cd1608a..0000000000
--- a/scripts/s2b/snort_rules2.2/pop2.rules
+++ /dev/null
@@ -1,11 +0,0 @@
-# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
-#    All rights reserved.
-# $Id: pop2.rules 91 2004-07-15 08:13:57Z rwinslow $
-#--------------
-# POP2 RULES
-#--------------
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"POP2 FOLD overflow attempt"; flow:established,to_server; isdataat:256,relative; content:"FOLD"; pcre:"/^FOLD\s[^\n]{256}/smi"; reference:bugtraq,283; reference:cve,1999-0920; classtype:attempted-admin; sid:1934; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"POP2 FOLD arbitrary file attempt"; flow:established,to_server; pcre:"/^FOLD\s+\//smi"; content:"FOLD"; classtype:misc-attack; sid:1935; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"POP2 x86 Linux overflow"; flow:established,to_server; content:"|EB|,[|89 D9 80 C1 06|9|D9 7C 07 80 01|"; classtype:attempted-admin; sid:284; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"POP2 x86 Linux overflow"; flow:established,to_server; content:"|FF FF FF|/BIN/SH|00|"; classtype:attempted-admin; sid:285; rev:6;)
diff --git a/scripts/s2b/snort_rules2.2/pop3.rules b/scripts/s2b/snort_rules2.2/pop3.rules
deleted file mode 100644
index 678eddd7a2..0000000000
--- a/scripts/s2b/snort_rules2.2/pop3.rules
+++ /dev/null
@@ -1,42 +0,0 @@
-# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
-#    All rights reserved.
-# $Id: pop3.rules 91 2004-07-15 08:13:57Z rwinslow $
-#--------------
-# POP3 RULES
-#--------------
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 DELE negative arguement attempt"; flow:to_server,established; content:"DELE"; nocase; pcre:"/^DELE\s+-\d/smi"; reference:bugtraq,6053; reference:bugtraq,7445; reference:cve,2002-1539; classtype:misc-attack; sid:2121; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 UIDL negative arguement attempt"; flow:to_server,established; content:"UIDL"; nocase; pcre:"/^UIDL\s+-\d/smi"; reference:bugtraq,6053; reference:cve,2002-1539; classtype:misc-attack; sid:2122; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 USER overflow attempt"; flow:to_server,established; content:"USER"; nocase; isdataat:50,relative; pcre:"/^USER\s[^\n]{50,}/smi"; reference:bugtraq,789; reference:cve,1999-0494; reference:nessus,10311; classtype:attempted-admin; sid:1866; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 CAPA overflow attempt"; flow:to_server,established; content:"CAPA"; nocase; isdataat:10,relative; pcre:"/^CAPA\s[^\n]{10}/smi"; classtype:attempted-admin; sid:2108; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 TOP overflow attempt"; flow:to_server,established; content:"TOP"; nocase; isdataat:10,relative; pcre:"/^TOP\s[^\n]{10}/smi"; classtype:attempted-admin; sid:2109; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 STAT overflow attempt"; flow:to_server,established; content:"STAT"; nocase; isdataat:10,relative; pcre:"/^STAT\s[^\n]{10}/smi"; classtype:attempted-admin; sid:2110; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 DELE overflow attempt"; flow:to_server,established; content:"DELE"; nocase; isdataat:10,relative; pcre:"/^DELE\s[^\n]{10}/smi"; classtype:attempted-admin; sid:2111; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 RSET overflow attempt"; flow:to_server,established; content:"RSET"; nocase; isdataat:10,relative; pcre:"/^RSET\s[^\n]{10}/smi"; classtype:attempted-admin; sid:2112; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 AUTH overflow attempt"; flow:to_server,established; content:"AUTH"; nocase; isdataat:50,relative; pcre:"/^AUTH\s[^\n]{50}/smi"; classtype:attempted-admin; sid:1936; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 LIST overflow attempt"; flow:to_server,established; content:"LIST"; nocase; isdataat:10,relative; pcre:"/^LIST\s[^\n]{10}/smi"; reference:bugtraq,948; reference:cve,2000-0096; classtype:attempted-admin; sid:1937; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 XTND overflow attempt"; flow:to_server,established; content:"XTND"; nocase; isdataat:50,relative; pcre:"/^XTND\s[^\n]{50}/smi"; classtype:attempted-admin; sid:1938; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 PASS overflow attempt"; flow:to_server,established; content:"PASS"; nocase; isdataat:50,relative; pcre:"/^PASS\s[^\n]{50}/smi"; reference:cve,1999-1511; reference:nessus,10325; classtype:attempted-admin; sid:1634; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 APOP overflow attempt"; flow:to_server,established; content:"APOP"; nocase; isdataat:256,relative; pcre:"/^APOP\s[^\n]{256}/smi"; reference:bugtraq,1652; reference:cve,2000-0840; reference:cve,2000-0841; reference:nessus,10559; classtype:attempted-admin; sid:1635; rev:13;)
-
-# bsd-qpopper.c
-# overflow in the reading of a line in qpopper
-alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 EXPLOIT x86 BSD overflow"; flow:to_server,established; content:"^|0E|1|C0 B0 3B 8D|~|0E 89 FA 89 F9|"; reference:bugtraq,133; reference:cve,1999-0006; classtype:attempted-admin; sid:286; rev:9;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 EXPLOIT x86 BSD overflow"; flow:to_server,established; content:"h]^|FF D5 FF D4 FF F5 8B F5 90|f1"; classtype:attempted-admin; sid:287; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 EXPLOIT x86 Linux overflow"; flow:to_server,established; content:"|D8|@|CD 80 E8 D9 FF FF FF|/bin/sh"; classtype:attempted-admin; sid:288; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 EXPLOIT x86 SCO overflow"; flow:to_server,established; content:"V|0E|1|C0 B0 3B 8D|~|12 89 F9 89 F9|"; classtype:attempted-admin; sid:289; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 EXPLOIT qpopper overflow"; flow:to_server,established; content:"|E8 D9 FF FF FF|/bin/sh"; reference:bugtraq,830; reference:cve,1999-0822; classtype:attempted-admin; sid:290; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 USER format string attempt"; flow:to_server,established; content:"USER"; nocase; content:"%"; distance:1; content:"%"; distance:1; reference:bugtraq,7667; reference:nessus,11742; classtype:attempted-admin; sid:2250; rev:1;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 login brute force attempt"; flow:to_server,established; content:"USER"; nocase; threshold:type threshold, track by_dst, count 30, seconds 30; classtype:suspicious-login; sid:2274; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 APOP USER overflow attempt"; flow:to_server,established; content:"APOP"; nocase; isdataat:256,relative; pcre:"/^APOP\s+USER\s[^\n]{256}/smi"; reference:bugtraq,9794; classtype:attempted-admin; sid:2409; rev:1;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 SSLv3 invalid timestamp attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; byte_test:4,>,2147483647,5,relative; reference:bugtraq,10115; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2501; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 SSLv3 invalid data version attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; content:!"|03|"; depth:1; offset:9; reference:bugtraq,10115; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2502; rev:7;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"PO3 PCT Client_Hello overflow attempt"; flow:to_server,established; content:"|01|"; depth:1; offset:2; byte_test:2,>,0,6; byte_test:2,!,0,8; byte_test:2,!,16,8; byte_test:2,>,20,10; content:"|8F|"; depth:1; offset:11; byte_test:2,>,32768,0,relative; reference:bugtraq,10116; reference:cve,2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2518; rev:10;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; flowbits:set,sslv3.client_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2535; rev:3;)
-alert tcp $HOME_NET 995 -> $EXTERNAL_NET any (msg:"POP3 SSLv3 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|02|"; depth:1; offset:5; flowbits:set,sslv3.server_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2536; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"POP3 SSLv3 invalid Client_Hello attempt"; flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2537; rev:3;)
-
diff --git a/scripts/s2b/snort_rules2.2/porn.rules b/scripts/s2b/snort_rules2.2/porn.rules
deleted file mode 100644
index e565722457..0000000000
--- a/scripts/s2b/snort_rules2.2/porn.rules
+++ /dev/null
@@ -1,36 +0,0 @@
-# (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
-#    All rights reserved.
-# $Id: porn.rules 91 2004-07-15 08:13:57Z rwinslow $
-#-------------
-# PORN RULES
-#-------------
-#
-
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN alt.binaries.pictures.erotica"; flow:to_client,established; content:"alt.binaries.pictures.erotica"; nocase; classtype:kickass-porn; sid:1836; rev:2;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN alt.binaries.pictures.tinygirls"; flow:to_client,established; content:"alt.binaries.pictures.tinygirls"; nocase; classtype:kickass-porn; sid:1837; rev:2;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN free XXX"; content:"FREE XXX"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1310; rev:5;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN hardcore anal"; content:"hardcore anal"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1311; rev:5;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN nude cheerleader"; content:"nude cheerleader"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1312; rev:5;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN up skirt"; content:"up skirt"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1313; rev:5;)
-# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN young teen"; content:"young teen"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1314; rev:5;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN hot young sex"; content:"hot young sex"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1315; rev:5;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN fuck fuck fuck"; content:"fuck fuck fuck"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1316; rev:5;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN anal sex"; content:"anal sex"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1317; rev:5;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN hardcore rape"; content:"hardcore rape"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1318; rev:5;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN real snuff"; content:"real snuff"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1319; rev:5;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN fuck movies"; content:"fuck movies"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1320; rev:5;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN dildo"; content:"dildo"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1781; rev:1;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN nipple clamp"; content:"nipple"; nocase; content:"clamp"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1782; rev:1;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN oral sex"; content:"oral sex"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1783; rev:1;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN nude celeb"; content:"nude celeb"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1784; rev:1;)
-# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN voyeur"; content:"voyeur"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1785; rev:1;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN raw sex"; content:"raw sex"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1786; rev:1;)
-# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN fetish"; content:"fetish"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1793; rev:1;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN masturbation"; content:"masturbat"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1794; rev:1;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN ejaculation"; content:"ejaculat"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1795; rev:1;)
-# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN virgin"; content:"virgin "; nocase; flow:to_client,established; classtype:kickass-porn; sid:1796; rev:2;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN BDSM"; content:"BDSM"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1797; rev:1;)
-# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN erotica"; content:"erotic"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1798; rev:1;)
-# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN fisting"; content:"fisting"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1799; rev:1;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN naked lesbians"; content:"naked lesbians"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1833; rev:1;)
-
diff --git a/scripts/s2b/snort_rules2.2/reference.config b/scripts/s2b/snort_rules2.2/reference.config
deleted file mode 100644
index f60eeaf726..0000000000
--- a/scripts/s2b/snort_rules2.2/reference.config
+++ /dev/null
@@ -1,14 +0,0 @@
-# $Id: reference.config 91 2004-07-15 08:13:57Z rwinslow $
-# The following defines URLs for the references found in the rules
-#
-# config reference: system URL
-
-config reference: bugtraq   http://www.securityfocus.com/bid/ 
-config reference: cve       http://cve.mitre.org/cgi-bin/cvename.cgi?name=
-config reference: arachNIDS http://www.whitehats.com/info/IDS
-
-# Note, this one needs a suffix as well.... lets add that in a bit.
-config reference: McAfee    http://vil.nai.com/vil/content/v_
-config reference: nessus    http://cgi.nessus.org/plugins/dump.php3?id=
-config reference: url       http://
-
diff --git a/scripts/s2b/snort_rules2.2/rpc.rules b/scripts/s2b/snort_rules2.2/rpc.rules
deleted file mode 100644
index c5ab37e07c..0000000000
--- a/scripts/s2b/snort_rules2.2/rpc.rules
+++ /dev/null
@@ -1,219 +0,0 @@
-# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
-#    All rights reserved.
-# $Id: rpc.rules 91 2004-07-15 08:13:57Z rwinslow $
-#----------
-# RPC RULES
-#----------
-
-
-# portmap specific stuff.
-
-## bleck.  Not happy about this.  because of the non-rule ordering foo, I'm
-## checking the first byte in the version, which should always be 0.  When we
-## alert multiple times on a packet, I'll put these rules back to:
-##   content:"|0a 01 86 a0|"; offset:16; depth:4; content:"|00 00 00 05|";
-##    distance:4; within:4;
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap proxy integer overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A0 00|"; depth:5; offset:16; content:"|00 00 00 05|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,2048,12,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,7123; reference:cve,2003-0028; classtype:rpc-portmap-decode; sid:2093; rev:5;)
-# this rule makes me not happy as well.  see above.
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap proxy integer overflow attempt UDP"; content:"|00 01 86 A0 00|"; depth:5; offset:12; content:"|00 00 00 05|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,2048,12,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,7123; reference:cve,2003-0028; classtype:rpc-portmap-decode; sid:2092; rev:5;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap proxy attempt TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 05|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:1922; rev:6;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap proxy attempt UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 05|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:1923; rev:6;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap listing UDP 111"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,428; classtype:rpc-portmap-decode; sid:1280; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap listing TCP 111"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,428; classtype:rpc-portmap-decode; sid:598; rev:12;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap SET attempt TCP 111"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:1949; rev:5;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap SET attempt UDP 111"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:1950; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap UNSET attempt TCP 111"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,1892; classtype:rpc-portmap-decode; sid:2014; rev:5;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap UNSET attempt UDP 111"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,1892; classtype:rpc-portmap-decode; sid:2015; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 32771 (msg:"RPC portmap listing TCP 32771"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,429; classtype:rpc-portmap-decode; sid:599; rev:11;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 32771 (msg:"RPC portmap listing UDP 32771"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,429; classtype:rpc-portmap-decode; sid:1281; rev:7;)
-
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap cachefsd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 8B|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,4674; reference:cve,2002-0033; reference:cve,2002-0084; classtype:rpc-portmap-decode; sid:1746; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap cachefsd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 8B|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,4674; reference:cve,2002-0033; reference:cve,2002-0084; classtype:rpc-portmap-decode; sid:1747; rev:11;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rwalld request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:1732; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rwalld request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:1733; rev:9;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap admind request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F7|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,18; classtype:rpc-portmap-decode; sid:575; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap admind request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F7|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,18; classtype:rpc-portmap-decode; sid:1262; rev:9;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap amountd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 03|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,19; classtype:rpc-portmap-decode; sid:576; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap amountd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 03|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,19; classtype:rpc-portmap-decode; sid:1263; rev:11;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap bootparam request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BA|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,16; reference:cve,1999-0647; classtype:rpc-portmap-decode; sid:577; rev:13;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap bootparam request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BA|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,16; reference:cve,1999-0647; classtype:rpc-portmap-decode; sid:1264; rev:13;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap nisd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 CC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,21; classtype:rpc-portmap-decode; sid:580; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap nisd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 CC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,21; classtype:rpc-portmap-decode; sid:1267; rev:11;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap pcnfsd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 02|I|F1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,22; classtype:rpc-portmap-decode; sid:581; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap pcnfsd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 02|I|F1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,22; classtype:rpc-portmap-decode; sid:1268; rev:12;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rexd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,23; classtype:rpc-portmap-decode; sid:582; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rexd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,23; classtype:rpc-portmap-decode; sid:1269; rev:10;)
-
-
-# rusers
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rusers request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A2|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,133; reference:cve,1999-0626; classtype:rpc-portmap-decode; sid:584; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rusers request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A2|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,133; reference:cve,1999-0626; classtype:rpc-portmap-decode; sid:1271; rev:14;)
-# XXX - Need to find out if rusers exists on TCP and if so, implement one of
-# these for TCP...
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC rusers query UDP"; content:"|00 01 86 A2|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:cve,1999-0626; classtype:attempted-recon; sid:612; rev:6;)
-
-
-
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap selection_svc request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AF|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,25; classtype:rpc-portmap-decode; sid:586; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap selection_svc request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AF|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,25; classtype:rpc-portmap-decode; sid:1273; rev:10;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap status request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,15; classtype:rpc-portmap-decode; sid:587; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap status request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,15; classtype:rpc-portmap-decode; sid:2016; rev:6;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap snmpXdmi request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 99|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,2417; reference:cve,2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:593; rev:18;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap snmpXdmi request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 99|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,2417; reference:cve,2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:1279; rev:14;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC snmpXdmi overflow attempt TCP"; flow:to_server,established; content:"|00 01 87 99|"; depth:4; offset:16; content:"|00 00 01 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,2417; reference:cve,2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:attempted-admin; sid:569; rev:14;)
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC snmpXdmi overflow attempt UDP"; content:"|00 01 87 99|"; depth:4; offset:12; content:"|00 00 01 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,2417; reference:cve,2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:attempted-admin; sid:2045; rev:8;)
-
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap espd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|u"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,2714; reference:cve,2001-0331; classtype:rpc-portmap-decode; sid:2017; rev:12;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap espd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|u"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,2714; reference:cve,2001-0331; classtype:rpc-portmap-decode; sid:595; rev:16;)
-
-
-alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"RPC status GHBN format string attack"; content:"|00 01 86 B8|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"%x %x"; within:256; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,1480; reference:cve,2000-0666; classtype:misc-attack; sid:1890; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"RPC status GHBN format string attack"; flow:to_server, established; content:"|00 01 86 B8|"; depth:4; offset:16; content:"|00 00 00 02|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"%x %x"; within:256; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,1480; reference:cve,2000-0666; classtype:misc-attack; sid:1891; rev:8;)
-
-
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap mountd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A5|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,13; classtype:rpc-portmap-decode; sid:579; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap mountd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A5|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,13; classtype:rpc-portmap-decode; sid:1266; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP export request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 05|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,26; classtype:attempted-recon; sid:574; rev:8;)
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP export request"; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 05|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,26; classtype:attempted-recon; sid:1924; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP exportall request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 06|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,26; classtype:attempted-recon; sid:1925; rev:6;)
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP exportall request"; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 06|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,26; classtype:attempted-recon; sid:1926; rev:6;)
-
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP mount path overflow attempt"; flow:to_server,established; content:"|00 01 86 A5 00|"; depth:5; offset:16; content:"|00 00 00 01|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1023,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,8179; reference:cve,2003-0252; reference:nessus,11800; classtype:misc-attack; sid:2184; rev:7;)
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP mount path overflow attempt"; content:"|00 01 86 A5 00|"; depth:5; offset:12; content:"|00 00 00 01|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1023,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,8179; reference:cve,2003-0252; reference:nessus,11800; classtype:misc-attack; sid:2185; rev:7;)
-
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP mount request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:attempted-recon; sid:1951; rev:5;)
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP mount request"; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:attempted-recon; sid:1952; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP dump request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:attempted-recon; sid:2018; rev:4;)
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP dump request"; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:attempted-recon; sid:2019; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP unmount request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:attempted-recon; sid:2020; rev:4;)
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP unmount request"; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:attempted-recon; sid:2021; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP unmountall request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:attempted-recon; sid:2022; rev:4;)
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP unmountall request"; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:attempted-recon; sid:2023; rev:4;)
-
-
-# amd
-alert udp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD UDP amqproc_mount plog overflow attempt"; content:"|00 04 93 F3|"; depth:4; offset:12; content:"|00 00 00 07|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,512,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,614; reference:cve,1999-0704; classtype:misc-attack; sid:1905; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD TCP amqproc_mount plog overflow attempt"; flow:to_server,established; content:"|00 04 93 F3|"; depth:4; offset:16; content:"|00 00 00 07|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,512,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,614; reference:cve,1999-0704; classtype:misc-attack; sid:1906; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD TCP pid request"; flow:to_server,established; content:"|00 04 93 F3|"; depth:4; offset:16; content:"|00 00 00 09|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:1953; rev:5;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD UDP pid request"; content:"|00 04 93 F3|"; depth:4; offset:12; content:"|00 00 00 09|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:1954; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD TCP version request"; flow:to_server,established; content:"|00 04 93 F3|"; depth:4; offset:16; content:"|00 00 00 08|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:1955; rev:6;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD UDP version request"; content:"|00 04 93 F3|"; depth:4; offset:12; content:"|00 00 00 08|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:1956; rev:5;)
-
-# cmsd
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap cmsd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 E4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,17; classtype:rpc-portmap-decode; sid:578; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap cmsd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 E4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,17; classtype:rpc-portmap-decode; sid:1265; rev:9;)
-
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD UDP CMSD_CREATE buffer overflow attempt"; content:"|00 01 86 E4|"; depth:4; offset:12; content:"|00 00 00 15|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,524; reference:cve,1999-0696; classtype:attempted-admin; sid:1907; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD TCP CMSD_CREATE buffer overflow attempt"; flow:to_server,established; content:"|00 01 86 E4|"; depth:4; offset:16; content:"|00 00 00 15|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,524; reference:cve,1999-0696; classtype:attempted-admin; sid:1908; rev:9;)
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD UDP CMSD_CREATE array buffer overflow attempt"; content:"|00 01 86 E4|"; depth:4; offset:12; content:"|00 00 00 15|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,5356; reference:cve,2002-0391; classtype:attempted-admin; sid:2094; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD TCP CMSD_CREATE array buffer overflow attempt"; flow:to_server,established; content:"|00 01 86 E4|"; depth:4; offset:16; content:"|00 00 00 15|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,5356; reference:cve,2002-0391; classtype:attempted-admin; sid:2095; rev:6;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD TCP CMSD_INSERT buffer overflow attempt"; flow:to_server,established; content:"|00 01 86 E4|"; depth:4; offset:16; content:"|00 00 00 06|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,1000,28,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:cve,1999-0696; reference:url,www.cert.org/advisories/CA-99-08-cmsd.html; classtype:misc-attack; sid:1909; rev:10;)
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD udp CMSD_INSERT buffer overflow attempt"; content:"|00 01 86 E4|"; depth:4; offset:12; content:"|00 00 00 06|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,1000,28,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:cve,1999-0696; reference:url,www.cert.org/advisories/CA-99-08-cmsd.html; classtype:misc-attack; sid:1910; rev:10;)
-
-
-# sadmind
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap sadmind request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 88|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,20; classtype:rpc-portmap-decode; sid:1272; rev:10;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap sadmind request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 88|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,20; classtype:rpc-portmap-decode; sid:585; rev:7;)
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind UDP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt"; content:"|00 01 87 88|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,124,relative,align; byte_jump:4,20,relative,align; byte_test:4,>,512,4,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,0866; reference:bugtraq,866; reference:cve,1999-0977; classtype:attempted-admin; sid:1911; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind TCP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt"; flow:to_server,established; content:"|00 01 87 88|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,124,relative,align; byte_jump:4,20,relative,align; byte_test:4,>,512,4,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,0866; reference:bugtraq,866; reference:cve,1999-0977; classtype:attempted-admin; sid:1912; rev:9;)
-
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind UDP PING"; content:"|00 01 87 88|"; depth:4; offset:12; content:"|00 00 00 00|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,866; classtype:attempted-admin; sid:1957; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind TCP PING"; flow:to_server,established; content:"|00 01 87 88|"; depth:4; offset:16; content:"|00 00 00 00|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,866; classtype:attempted-admin; sid:1958; rev:5;)
-
-
-# statd
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rstatd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,10; classtype:rpc-portmap-decode; sid:583; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rstatd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,10; classtype:rpc-portmap-decode; sid:1270; rev:11;)
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC STATD UDP stat mon_name format string exploit attempt"; content:"|00 01 86 B8|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,1480; reference:cve,2000-0666; classtype:attempted-admin; sid:1913; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC STATD TCP stat mon_name format string exploit attempt"; flow:to_server,established; content:"|00 01 86 B8|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,1480; reference:cve,2000-0666; classtype:attempted-admin; sid:1914; rev:10;)
-
-
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC STATD UDP monitor mon_name format string exploit attempt"; content:"|00 01 86 B8|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,1480; reference:cve,2000-0666; classtype:attempted-admin; sid:1915; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC STATD TCP monitor mon_name format string exploit attempt"; flow:to_server,established; content:"|00 01 86 B8|"; depth:4; offset:16; content:"|00 00 00 02|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,1480; reference:cve,2000-0666; classtype:attempted-admin; sid:1916; rev:9;)
-
-
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap ypupdated request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,125; classtype:rpc-portmap-decode; sid:1277; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap ypupdated request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,125; classtype:rpc-portmap-decode; sid:591; rev:10;)
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC ypupdated arbitrary command attempt UDP"; content:"|00 01 86 BC|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|7C|"; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:misc-attack; sid:2088; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC ypupdated arbitrary command attempt TCP"; flow:to_server,established; content:"|00 01 86 BC|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|7C|"; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:misc-attack; sid:2089; rev:5;)
-
-# NFS
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap NFS request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:1959; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap NFS request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:1960; rev:7;)
-
-
-# rquota
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap RQUOTA request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AB|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:1961; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap RQUOTA request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AB|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:1962; rev:7;)
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC RQUOTA getquota overflow attempt UDP"; content:"|00 01 86 AB|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,864; reference:cve,1999-0974; classtype:misc-attack; sid:1963; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC RQUOTA getquota overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 AB|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,864; reference:cve,1999-0974; classtype:misc-attack; sid:2024; rev:8;)
-
-
-
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap ttdbserv request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,24; reference:bugtraq,122; reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:588; rev:17;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap ttdbserv request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,24; reference:bugtraq,122; reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:1274; rev:17;)
-
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC tooltalk UDP overflow attempt"; content:"|00 01 86 F3|"; depth:4; offset:12; content:"|00 00 00 07|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,122; reference:cve,1999-0003; classtype:misc-attack; sid:1964; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC tooltalk TCP overflow attempt"; flow:to_server,established; content:"|00 01 86 F3|"; depth:4; offset:16; content:"|00 00 00 07|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,122; reference:cve,1999-0003; classtype:misc-attack; sid:1965; rev:8;)
-
-# not sure what this rule is looking for, other than the procedure 15
-# alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"RPC DOS ttdbserv Solaris"; flow:to_server,established; content:"|00 00 00 00|"; depth:4; offset:8; content:"|00 01 86 F3 00 00 00 01 00 00 00 0F 00 00 00 01|"; depth:32; offset:16; reference:arachnids,241; reference:bugtraq,122; reference:cve,1999-0003; classtype:attempted-dos; sid:572; rev:9;)
-
-
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap yppasswd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A9|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,14; classtype:rpc-portmap-decode; sid:589; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap yppasswd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A9|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,14; classtype:rpc-portmap-decode; sid:1275; rev:10;)
-
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd old password overflow attempt UDP"; content:"|00 01 86 A9|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:2027; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd old password overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A9|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:2028; rev:5;)
-
-
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd username overflow attempt UDP"; content:"|00 01 86 A9|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2025; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd username overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A9|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2026; rev:9;)
-
-
-
-# XXX - These need re-verified
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd new password overflow attempt UDP"; content:"|00 01 86 A9|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:2029; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd new password overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A9|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:2030; rev:6;)
-
-
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd user update UDP"; content:"|00 01 86 A9|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:2031; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd user update TCP"; flow:to_server,established; content:"|00 01 86 A9|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:2032; rev:5;)
-
-
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap ypserv request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,12; reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2000-1042; reference:cve,2000-1043; reference:cve,2002-1232; classtype:rpc-portmap-decode; sid:590; rev:12;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap ypserv request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,12; reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2000-1042; reference:cve,2000-1043; reference:cve,2002-1232; classtype:rpc-portmap-decode; sid:1276; rev:14;)
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC ypserv maplist request UDP"; content:"|00 01 86 A4|"; depth:4; offset:12; content:"|00 00 00 0B|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2002-1232; classtype:rpc-portmap-decode; sid:2033; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC ypserv maplist request TCP"; flow:to_server,established; content:"|00 01 86 A4|"; depth:4; offset:16; content:"|00 00 00 0B|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:Cve,CAN-2002-1232; reference:bugtraq,5914; reference:bugtraq,6016; classtype:rpc-portmap-decode; sid:2034; rev:7;)
-
-
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap network-status-monitor request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 03 0D|p"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:2035; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap network-status-monitor request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 03 0D|p"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:2036; rev:6;)
-
-
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC network-status-monitor mon-callback request UDP"; content:"|00 03 0D|p"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:2037; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC network-status-monitor mon-callback request TCP"; flow:to_server,established; content:"|00 03 0D|p"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:2038; rev:5;)
-
-
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap nlockmgr request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B5|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,1372; reference:cve,2000-0508; classtype:rpc-portmap-decode; sid:2079; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap nlockmgr request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B5|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,1372; reference:cve,2000-0508; classtype:rpc-portmap-decode; sid:2080; rev:6;)
-
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rpc.xfsmd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|h"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode; sid:2081; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rpc.xfsmd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|h"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode; sid:2082; rev:9;)
-
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC rpc.xfsmd xfs_export attempt UDP"; content:"|00 05 F7|h"; depth:4; offset:12; content:"|00 00 00 0D|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode; sid:2083; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC rpc.xfsmd xfs_export attempt TCP"; flow:to_server,established; content:"|00 05 F7|h"; depth:4; offset:16; content:"|00 00 00 0D|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode; sid:2084; rev:8;)
-
-
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap kcms_server request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87|}"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,6665; reference:cve,2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:rpc-portmap-decode; sid:2005; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap kcms_server request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87|}"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,6665; reference:cve,2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:rpc-portmap-decode; sid:2006; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"RPC kcms_server directory traversal attempt"; flow:to_server,established; content:"|00 01 87|}"; depth:4; offset:16; byte_jump:4,20,relative,align; byte_jump:4,4,relative,align; content:"/../"; distance:0; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,6665; reference:cve,2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:misc-attack; sid:2007; rev:10;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind query with root credentials attempt TCP"; flow:to_server,established; content:"|00 01 87 88|"; depth:4; offset:16; content:"|00 00 00 01 00 00 00 01|"; within:8; distance:4; byte_jump:4,8,relative,align; content:"|00 00 00 00|"; within:4; classtype:misc-attack; sid:2255; rev:3;)
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind query with root credentials attempt UDP"; content:"|00 01 87 88|"; depth:4; offset:12; content:"|00 00 00 01 00 00 00 01|"; within:8; distance:4; byte_jump:4,8,relative,align; content:"|00 00 00 00|"; within:4; classtype:misc-attack; sid:2256; rev:3;)
diff --git a/scripts/s2b/snort_rules2.2/rservices.rules b/scripts/s2b/snort_rules2.2/rservices.rules
deleted file mode 100644
index d570ad3b57..0000000000
--- a/scripts/s2b/snort_rules2.2/rservices.rules
+++ /dev/null
@@ -1,20 +0,0 @@
-# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
-#    All rights reserved.
-# $Id: rservices.rules 91 2004-07-15 08:13:57Z rwinslow $
-#----------------
-# RSERVICES RULES
-#----------------
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"RSERVICES rlogin LinuxNIS"; flow:to_server,established; content:"|3A 3A 3A 3A 3A 3A 3A 3A 00 3A 3A 3A 3A 3A 3A 3A 3A|"; classtype:bad-unknown; sid:601; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"RSERVICES rlogin bin"; flow:to_server,established; content:"bin|00|bin|00|"; reference:arachnids,384; classtype:attempted-user; sid:602; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"RSERVICES rlogin echo++"; flow:to_server,established; content:"echo |22| + + |22|"; reference:arachnids,385; classtype:bad-unknown; sid:603; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"RSERVICES rsh froot"; flow:to_server,established; content:"-froot|00|"; reference:arachnids,387; classtype:attempted-admin; sid:604; rev:5;)
-alert tcp $HOME_NET 513 -> $EXTERNAL_NET any (msg:"RSERVICES rlogin login failure"; flow:from_server,established; content:"|01|rlogind|3A| Permission denied."; reference:arachnids,392; classtype:unsuccessful-user; sid:611; rev:7;)
-alert tcp $HOME_NET 513 -> $EXTERNAL_NET any (msg:"RSERVICES rlogin login failure"; flow:from_server,established; content:"login incorrect"; reference:arachnids,393; classtype:unsuccessful-user; sid:605; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"RSERVICES rlogin root"; flow:to_server,established; content:"root|00|root|00|"; reference:arachnids,389; classtype:attempted-admin; sid:606; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"RSERVICES rsh bin"; flow:to_server,established; content:"bin|00|bin|00|"; reference:arachnids,390; classtype:attempted-user; sid:607; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"RSERVICES rsh echo + +"; flow:to_server,established; content:"echo |22|+ +|22|"; reference:arachnids,388; classtype:attempted-user; sid:608; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"RSERVICES rsh froot"; flow:to_server,established; content:"-froot|00|"; reference:arachnids,387; classtype:attempted-admin; sid:609; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"RSERVICES rsh root"; flow:to_server,established; content:"root|00|root|00|"; reference:arachnids,391; classtype:attempted-admin; sid:610; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 512 (msg:"RSERVICES rexec username overflow attempt"; flow:to_server,established; content:"|00|"; offset:9; content:"|00|"; distance:0; content:"|00|"; distance:0; classtype:attempted-admin; sid:2113; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 512 (msg:"RSERVICES rexec password overflow attempt"; flow:to_server,established; content:"|00|"; content:"|00|"; distance:33; content:"|00|"; distance:0; classtype:attempted-admin; sid:2114; rev:3;)
diff --git a/scripts/s2b/snort_rules2.2/scan.rules b/scripts/s2b/snort_rules2.2/scan.rules
deleted file mode 100644
index 2460971d64..0000000000
--- a/scripts/s2b/snort_rules2.2/scan.rules
+++ /dev/null
@@ -1,36 +0,0 @@
-# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
-#    All rights reserved.
-# $Id: scan.rules 91 2004-07-15 08:13:57Z rwinslow $
-#-----------
-# SCAN RULES
-#-----------
-# These signatures are representitive of network scanners.  These include
-# port scanning, ip mapping, and various application scanners.
-#
-# NOTE: This does NOT include web scanners such as whisker.  Those are
-# in web*
-#
-
-alert tcp $EXTERNAL_NET 10101 -> $HOME_NET any (msg:"SCAN myscan"; ack:0; flags:S; ttl:>220; flow:stateless; reference:arachnids,439; classtype:attempted-recon; sid:613; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 113 (msg:"SCAN ident version request"; flow:to_server,established; content:"VERSION|0A|"; depth:16; reference:arachnids,303; classtype:attempted-recon; sid:616; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SCAN cybercop os probe"; dsize:0; flags:SF12; flow:stateless; reference:arachnids,146; classtype:attempted-recon; sid:619; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"SCAN Squid Proxy attempt"; flags:S,12; flow:stateless; classtype:attempted-recon; sid:618; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 1080 (msg:"SCAN SOCKS Proxy attempt"; flags:S,12; flow:stateless; reference:url,help.undernet.org/proxyscan/; classtype:attempted-recon; sid:615; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SCAN Proxy Port 8080 attempt"; flags:S,12; flow:stateless; classtype:attempted-recon; sid:620; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN FIN"; flags:F,12; flow:stateless; reference:arachnids,27; classtype:attempted-recon; sid:621; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN ipEye SYN scan"; flags:S; seq:1958810375; flow:stateless; reference:arachnids,236; classtype:attempted-recon; sid:622; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN NULL"; ack:0; flags:0; seq:0; flow:stateless; reference:arachnids,4; classtype:attempted-recon; sid:623; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SYN FIN"; flags:SF,12; flow:stateless; reference:arachnids,198; classtype:attempted-recon; sid:624; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN XMAS"; flags:SRAFPU,12; flow:stateless; reference:arachnids,144; classtype:attempted-recon; sid:625; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap XMAS"; flags:FPU,12; flow:stateless; reference:arachnids,30; classtype:attempted-recon; sid:1228; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN synscan portscan"; flags:SF; id:39426; flow:stateless; reference:arachnids,441; classtype:attempted-recon; sid:630; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN cybercop os PA12 attempt"; flags:PA12; flow:stateless; content:"AAAAAAAAAAAAAAAA"; depth:16; reference:arachnids,149; classtype:attempted-recon; sid:626; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN cybercop os SFU12 probe"; ack:0; flags:SFU12; flow:stateless; content:"AAAAAAAAAAAAAAAA"; depth:16; reference:arachnids,150; classtype:attempted-recon; sid:627; rev:7;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 10080:10081 (msg:"SCAN Amanda client version request"; content:"Amanda"; nocase; classtype:attempted-recon; sid:634; rev:2;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 49 (msg:"SCAN XTACACS logout"; content:"|80 07 00 00 07 00 00 04 00 00 00 00 00|"; reference:arachnids,408; classtype:bad-unknown; sid:635; rev:3;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 7 (msg:"SCAN cybercop udp bomb"; content:"cybercop"; reference:arachnids,363; classtype:bad-unknown; sid:636; rev:1;)
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN Webtrends Scanner UDP Probe"; content:"|0A|help|0A|quite|0A|"; reference:arachnids,308; classtype:attempted-recon; sid:637; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SCAN SSH Version map attempt"; flow:to_server,established; content:"Version_Mapper"; nocase; classtype:network-scan; sid:1638; rev:5;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"SCAN UPnP service discover attempt"; content:"M-SEARCH "; depth:9; content:"ssdp|3A|discover"; classtype:network-scan; sid:1917; rev:6;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SolarWinds IP scan attempt"; icode:0; itype:8; content:"SolarWinds.Net"; classtype:network-scan; sid:1918; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SCAN cybercop os probe"; ack:0; flags:SFP; flow:stateless; content:"AAAAAAAAAAAAAAAA"; depth:16; reference:arachnids,145; classtype:attempted-recon; sid:1133; rev:11;)
diff --git a/scripts/s2b/snort_rules2.2/shellcode.rules b/scripts/s2b/snort_rules2.2/shellcode.rules
deleted file mode 100644
index 8958879ef7..0000000000
--- a/scripts/s2b/snort_rules2.2/shellcode.rules
+++ /dev/null
@@ -1,36 +0,0 @@
-# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
-#    All rights reserved.
-# $Id: shellcode.rules 91 2004-07-15 08:13:57Z rwinslow $
-# ---------------
-# SHELLCODE RULES
-# ---------------
-# These signatures are based on shellcode that is common ammong multiple
-# publicly available exploits.
-#
-# Because these signatures check ALL traffic for shellcode, these signatures
-# are disabled by default.  There is a LARGE performance hit by enabling
-# these signatures.
-#
-
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE sparc setuid 0"; content:"|82 10| |17 91 D0| |08|"; reference:arachnids,282; classtype:system-call-detect; sid:647; rev:6;)
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 setgid 0"; content:"|B0 B5 CD 80|"; reference:arachnids,284; classtype:system-call-detect; sid:649; rev:8;)
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 setuid 0"; content:"|B0 17 CD 80|"; reference:arachnids,436; classtype:system-call-detect; sid:650; rev:8;)
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE SGI NOOP"; content:"|03 E0 F8|%|03 E0 F8|%|03 E0 F8|%|03 E0 F8|%"; reference:arachnids,356; classtype:shellcode-detect; sid:638; rev:5;)
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE SGI NOOP"; content:"|24 0F 12|4|24 0F 12|4|24 0F 12|4|24 0F 12|4"; reference:arachnids,357; classtype:shellcode-detect; sid:639; rev:5;)
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE AIX NOOP"; content:"O|FF FB 82|O|FF FB 82|O|FF FB 82|O|FF FB 82|"; classtype:shellcode-detect; sid:640; rev:6;)
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE Digital UNIX NOOP"; content:"G|FF 04 1F|G|FF 04 1F|G|FF 04 1F|G|FF 04 1F|"; reference:arachnids,352; classtype:shellcode-detect; sid:641; rev:6;)
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE HP-UX NOOP"; content:"|08|!|02 80 08|!|02 80 08|!|02 80 08|!|02 80|"; reference:arachnids,358; classtype:shellcode-detect; sid:642; rev:6;)
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE HP-UX NOOP"; content:"|0B|9|02 80 0B|9|02 80 0B|9|02 80 0B|9|02 80|"; reference:arachnids,359; classtype:shellcode-detect; sid:643; rev:7;)
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE sparc NOOP"; content:"|13 C0 1C A6 13 C0 1C A6 13 C0 1C A6 13 C0 1C A6|"; reference:arachnids,345; classtype:shellcode-detect; sid:644; rev:5;)
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE sparc NOOP"; content:"|80 1C|@|11 80 1C|@|11 80 1C|@|11 80 1C|@|11|"; reference:arachnids,353; classtype:shellcode-detect; sid:645; rev:5;)
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE sparc NOOP"; content:"|A6 1C C0 13 A6 1C C0 13 A6 1C C0 13 A6 1C C0 13|"; reference:arachnids,355; classtype:shellcode-detect; sid:646; rev:5;)
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 NOOP"; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; depth:128; reference:arachnids,181; classtype:shellcode-detect; sid:648; rev:7;)
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 stealth NOOP"; content:"|EB 02 EB 02 EB 02|"; reference:arachnids,291; classtype:shellcode-detect; sid:651; rev:8;)
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 unicode NOOP"; content:"|90 00 90 00 90 00 90 00 90 00|"; classtype:shellcode-detect; sid:653; rev:8;)
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE Linux shellcode"; content:"|90 90 90 E8 C0 FF FF FF|/bin/sh"; reference:arachnids,343; classtype:shellcode-detect; sid:652; rev:9;)
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; classtype:shellcode-detect; sid:1390; rev:5;)
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 NOOP"; content:"aaaaaaaaaaaaaaaaaaaaa"; classtype:shellcode-detect; sid:1394; rev:5;)
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 0xEB0C NOOP"; content:"|EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C|"; classtype:shellcode-detect; sid:1424; rev:6;)
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 0x71FB7BAB NOOP"; content:"q|FB|{|AB|q|FB|{|AB|q|FB|{|AB|q|FB|{|AB|"; classtype:shellcode-detect; sid:2312; rev:2;)
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 0x71FB7BAB NOOP unicode"; content:"q|00 FB 00|{|00 AB 00|q|00 FB 00|{|00 AB 00|q|00 FB 00|{|00 AB 00|q|00 FB 00|{|00 AB 00|"; classtype:shellcode-detect; sid:2313; rev:2;)
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 0x90 NOOP unicode"; content:"|90 00 90 00 90 00 90 00 90 00 90 00 90 00 90 00|"; classtype:shellcode-detect; sid:2314; rev:1;)
diff --git a/scripts/s2b/snort_rules2.2/sid b/scripts/s2b/snort_rules2.2/sid
deleted file mode 100644
index 5f6201b867..0000000000
--- a/scripts/s2b/snort_rules2.2/sid
+++ /dev/null
@@ -1,2 +0,0 @@
-# $Id: sid 91 2004-07-15 08:13:57Z rwinslow $
-2577
diff --git a/scripts/s2b/snort_rules2.2/sid-msg.map b/scripts/s2b/snort_rules2.2/sid-msg.map
deleted file mode 100644
index afc9d6069b..0000000000
--- a/scripts/s2b/snort_rules2.2/sid-msg.map
+++ /dev/null
@@ -1,2431 +0,0 @@
-# $Id: sid-msg.map 91 2004-07-15 08:13:57Z rwinslow $
-# Format: SID || MSG || Optional References || Optional References ...
-# SID -> MSG map
-
-103 || BACKDOOR subseven 22 || url,www.hackfix.org/subseven/ || arachnids,485
-104 || BACKDOOR - Dagger_1.4.0_client_connect || url,www.tlsecurity.net/backdoor/Dagger.1.4.html || arachnids,483
-105 || BACKDOOR - Dagger_1.4.0 || url,www.tlsecurity.net/backdoor/Dagger.1.4.html || arachnids,484
-106 || BACKDOOR ACKcmdC trojan scan || arachnids,445
-107 || BACKDOOR subseven DEFCON8 2.1 access
-108 || BACKDOOR QAZ Worm Client Login access || MCAFEE,98775
-109 || BACKDOOR netbus active || arachnids,401
-110 || BACKDOOR netbus getinfo || arachnids,403
-111 || BACKDOOR netbus getinfo || arachnids,403
-112 || BACKDOOR BackOrifice access || arachnids,400
-113 || BACKDOOR DeepThroat access || arachnids,405
-114 || BACKDOOR netbus active || arachnids,401
-115 || BACKDOOR netbus active || arachnids,401
-116 || BACKDOOR BackOrifice access || arachnids,399
-117 || BACKDOOR Infector.1.x || arachnids,315
-118 || BACKDOOR SatansBackdoor.2.0.Beta || arachnids,316
-119 || BACKDOOR Doly 2.0 access || arachnids,312
-120 || BACKDOOR Infector 1.6 Server to Client
-121 || BACKDOOR Infector 1.6 Client to Server Connection Request
-122 || BACKDOOR DeepThroat 3.1 System Info Client Request || arachnids,106
-124 || BACKDOOR DeepThroat 3.1 FTP Status Client Request || arachnids,106
-125 || BACKDOOR DeepThroat 3.1 E-Mail Info From Server || arachnids,106
-126 || BACKDOOR DeepThroat 3.1 E-Mail Info Client Request || arachnids,106
-127 || BACKDOOR DeepThroat 3.1 Server Status From Server || arachnids,106
-128 || BACKDOOR DeepThroat 3.1 Server Status Client Request || arachnids,106
-129 || BACKDOOR DeepThroat 3.1 Drive Info From Server || arachnids,106
-130 || BACKDOOR DeepThroat 3.1 System Info From Server || arachnids,106
-131 || BACKDOOR DeepThroat 3.1 Drive Info Client Request || arachnids,106
-132 || BACKDOOR DeepThroat 3.1 Server FTP Port Change From Server || arachnids,106
-133 || BACKDOOR DeepThroat 3.1 Cached Passwords Client Request || arachnids,106
-134 || BACKDOOR DeepThroat 3.1 RAS Passwords Client Request || arachnids,106
-135 || BACKDOOR DeepThroat 3.1 Server Password Change Client Request || arachnids,106
-136 || BACKDOOR DeepThroat 3.1 Server Password Remove Client Request || arachnids,106
-137 || BACKDOOR DeepThroat 3.1 Rehash Client Request || arachnids,106
-138 || BACKDOOR DeepThroat 3.1 Server Rehash Client Request || arachnids,106
-140 || BACKDOOR DeepThroat 3.1 ICQ Alert OFF Client Request || arachnids,106
-141 || BACKDOOR HackAttack 1.20 Connect
-142 || BACKDOOR DeepThroat 3.1 ICQ Alert ON Client Request || arachnids,106
-143 || BACKDOOR DeepThroat 3.1 Change Wallpaper Client Request || arachnids,106
-144 || FTP ADMw0rm ftp login attempt || arachnids,01
-145 || BACKDOOR GirlFriendaccess || arachnids,98
-146 || BACKDOOR NetSphere access || arachnids,76
-147 || BACKDOOR GateCrasher || arachnids,99
-148 || BACKDOOR DeepThroat 3.1 Keylogger Active on Network || arachnids,106
-149 || BACKDOOR DeepThroat 3.1 Client Sending Data to Server on Network || arachnids,106
-150 || BACKDOOR DeepThroat 3.1 Server Active on Network || arachnids,106
-151 || BACKDOOR DeepThroat 3.1 Client Sending Data to Server on Network || arachnids,106
-152 || BACKDOOR BackConstruction 2.1 Connection
-153 || BACKDOOR DonaldDick 1.53 Traffic
-154 || BACKDOOR DeepThroat 3.1 Wrong Password || arachnids,106
-155 || BACKDOOR NetSphere 1.31.337 access || arachnids,76
-156 || BACKDOOR DeepThroat 3.1 Visible Window List Client Request || arachnids,106
-157 || BACKDOOR BackConstruction 2.1 Client FTP Open Request
-158 || BACKDOOR BackConstruction 2.1 Server FTP Open Reply
-159 || BACKDOOR NetMetro File List || arachnids,79
-160 || BACKDOOR NetMetro Incoming Traffic || arachnids,79
-161 || BACKDOOR Matrix 2.0 Client connect || arachnids,83
-162 || BACKDOOR Matrix 2.0 Server access || arachnids,83
-163 || BACKDOOR WinCrash 1.0 Server Active || arachnids,36
-164 || BACKDOOR DeepThroat 3.1 Server Active on Network || arachnids,106
-165 || BACKDOOR DeepThroat 3.1 Keylogger on Server ON || arachnids,106
-166 || BACKDOOR DeepThroat 3.1 Show Picture Client Request || arachnids,106
-167 || BACKDOOR DeepThroat 3.1 Hide/Show Clock Client Request || arachnids,106
-168 || BACKDOOR DeepThroat 3.1 Hide/Show Desktop Client Request || arachnids,106
-169 || BACKDOOR DeepThroat 3.1 Swap Mouse Buttons Client Request || arachnids,106
-170 || BACKDOOR DeepThroat 3.1 Enable/Disable CTRL-ALT-DEL Client Request || arachnids,106
-171 || BACKDOOR DeepThroat 3.1 Freeze Mouse Client Request || arachnids,106
-172 || BACKDOOR DeepThroat 3.1 Show Dialog Box Client Request || arachnids,106
-173 || BACKDOOR DeepThroat 3.1 Show Replyable Dialog Box Client Request || arachnids,106
-174 || BACKDOOR DeepThroat 3.1 Hide/Show Start Button Client Request || arachnids,106
-175 || BACKDOOR DeepThroat 3.1 Resolution Change Client Request || arachnids,106
-176 || BACKDOOR DeepThroat 3.1 Hide/Show Start Button Client Request || arachnids,106
-177 || BACKDOOR DeepThroat 3.1 Keylogger on Server OFF || arachnids,106
-179 || BACKDOOR DeepThroat 3.1 FTP Server Port Client Request || arachnids,106
-180 || BACKDOOR DeepThroat 3.1 Process List Client request || arachnids,106
-181 || BACKDOOR DeepThroat 3.1 Close Port Scan Client Request || arachnids,106
-182 || BACKDOOR DeepThroat 3.1 Registry Add Client Request || arachnids,106
-183 || BACKDOOR SIGNATURE - Q ICMP || arachnids,202
-184 || BACKDOOR Q access || arachnids,203
-185 || BACKDOOR CDK || arachnids,263
-186 || BACKDOOR DeepThroat 3.1 Monitor on/off Client Request || arachnids,106
-187 || BACKDOOR DeepThroat 3.1 Delete File Client Request || arachnids,106
-188 || BACKDOOR DeepThroat 3.1 Kill Window Client Request || arachnids,106
-189 || BACKDOOR DeepThroat 3.1 Disable Window Client Request || arachnids,106
-190 || BACKDOOR DeepThroat 3.1 Enable Window Client Request || arachnids,106
-191 || BACKDOOR DeepThroat 3.1 Change Window Title Client Request || arachnids,106
-192 || BACKDOOR DeepThroat 3.1 Hide Window Client Request || arachnids,106
-193 || BACKDOOR DeepThroat 3.1 Show Window Client Request || arachnids,106
-194 || BACKDOOR DeepThroat 3.1 Send Text to Window Client Request || arachnids,106
-195 || BACKDOOR DeepThroat 3.1 Server Response || arachnids,106
-196 || BACKDOOR DeepThroat 3.1 Hide/Show Systray Client Request || arachnids,106
-197 || BACKDOOR DeepThroat 3.1 Create Directory Client Request || arachnids,106
-198 || BACKDOOR DeepThroat 3.1 All Window List Client Request || arachnids,106
-199 || BACKDOOR DeepThroat 3.1 Play Sound Client Request || arachnids,106
-200 || BACKDOOR DeepThroat 3.1 Run Program Normal Client Request || arachnids,106
-201 || BACKDOOR DeepThroat 3.1 Run Program Hidden Client Request || arachnids,106
-202 || BACKDOOR DeepThroat 3.1 Get NET File Client Request || arachnids,106
-203 || BACKDOOR DeepThroat 3.1 Find File Client Request || arachnids,106
-204 || BACKDOOR DeepThroat 3.1 Find File Client Request || arachnids,106
-205 || BACKDOOR DeepThroat 3.1 HUP Modem Client Request || arachnids,106
-206 || BACKDOOR DeepThroat 3.1 CD ROM Open Client Request || arachnids,106
-207 || BACKDOOR DeepThroat 3.1 CD ROM Close Client Request || arachnids,106
-208 || BACKDOOR PhaseZero Server Active on Network
-209 || BACKDOOR w00w00 attempt || arachnids,510
-210 || BACKDOOR attempt
-211 || BACKDOOR MISC r00t attempt
-212 || BACKDOOR MISC rewt attempt
-213 || BACKDOOR MISC Linux rootkit attempt
-214 || BACKDOOR MISC Linux rootkit attempt lrkr0x
-215 || BACKDOOR MISC Linux rootkit attempt
-216 || BACKDOOR MISC Linux rootkit satori attempt || arachnids,516
-217 || BACKDOOR MISC sm4ck attempt
-218 || BACKDOOR MISC Solaris 2.5 attempt
-219 || BACKDOOR HidePak backdoor attempt
-220 || BACKDOOR HideSource backdoor attempt
-221 || DDOS TFN Probe || arachnids,443
-222 || DDOS tfn2k icmp possible communication || arachnids,425
-223 || DDOS Trin00 Daemon to Master PONG message detected || arachnids,187
-224 || DDOS Stacheldraht server spoof || arachnids,193
-225 || DDOS Stacheldraht gag server response || arachnids,195
-226 || DDOS Stacheldraht server response || arachnids,191
-227 || DDOS Stacheldraht client spoofworks || arachnids,192
-228 || DDOS TFN client command BE || arachnids,184
-229 || DDOS Stacheldraht client check skillz || arachnids,190
-230 || DDOS shaft client login to handler || url,security.royans.net/info/posts/bugtraq_ddos3.shtml || arachnids,254
-231 || DDOS Trin00 Daemon to Master message detected || arachnids,186
-232 || DDOS Trin00 Daemon to Master *HELLO* message detected || url,www.sans.org/newlook/resources/IDFAQ/trinoo.htm || arachnids,185
-233 || DDOS Trin00 Attacker to Master default startup password || arachnids,197
-234 || DDOS Trin00 Attacker to Master default password
-235 || DDOS Trin00 Attacker to Master default mdie password
-236 || DDOS Stacheldraht client check gag || arachnids,194
-237 || DDOS Trin00 Master to Daemon default password attempt || arachnids,197
-238 || DDOS TFN server response || arachnids,182
-239 || DDOS shaft handler to agent || arachnids,255
-240 || DDOS shaft agent to handler || arachnids,256
-241 || DDOS shaft synflood || arachnids,253
-243 || DDOS mstream agent to handler
-244 || DDOS mstream handler to agent || cve,2000-0138
-245 || DDOS mstream handler ping to agent || cve,2000-0138
-246 || DDOS mstream agent pong to handler
-247 || DDOS mstream client to handler || cve,2000-0138
-248 || DDOS mstream handler to client || cve,2000-0138
-249 || DDOS mstream client to handler || cve,2000-0138 || arachnids,111
-250 || DDOS mstream handler to client || cve,2000-0138
-251 || DDOS - TFN client command LE || arachnids,183
-252 || DNS named iquery attempt || url,www.rfc-editor.org/rfc/rfc1035.txt || cve,1999-0009 || bugtraq,134 || arachnids,277
-253 || DNS SPOOF query response PTR with TTL of 1 min. and no authority
-254 || DNS SPOOF query response with TTL of 1 min. and no authority
-255 || DNS zone transfer TCP || cve,1999-0532 || arachnids,212
-256 || DNS named authors attempt || nessus,10728 || arachnids,480
-257 || DNS named version attempt || nessus,10028 || arachnids,278
-258 || DNS EXPLOIT named 8.2->8.2.1 || cve,1999-0833 || bugtraq,788
-259 || DNS EXPLOIT named overflow ADM || cve,1999-0833 || bugtraq,788
-260 || DNS EXPLOIT named overflow ADMROCKS || url,www.cert.org/advisories/CA-1999-14.html || cve,1999-0833 || bugtraq,788
-261 || DNS EXPLOIT named overflow attempt || url,www.cert.org/advisories/CA-1998-05.html
-262 || DNS EXPLOIT x86 Linux overflow attempt
-264 || DNS EXPLOIT x86 Linux overflow attempt
-265 || DNS EXPLOIT x86 Linux overflow attempt ADMv2
-266 || DNS EXPLOIT x86 FreeBSD overflow attempt
-267 || DNS EXPLOIT sparc overflow attempt
-268 || DOS Jolt attack || cve,1999-0345
-269 || DOS Land attack || cve,1999-0016 || bugtraq,2666
-270 || DOS Teardrop attack || url,www.cert.org/advisories/CA-1997-28.html || nessus,10279 || cve,1999-0015 || bugtraq,124
-271 || DOS UDP echo+chargen bomb || cve,1999-0635 || cve,1999-0103
-272 || DOS IGMP dos attack || cve,1999-0918 || bugtraq,514
-273 || DOS IGMP dos attack || cve,1999-0918 || bugtraq,514
-274 || DOS ath || cve,1999-1228 || arachnids,264
-275 || DOS NAPTHA || url,www.microsoft.com/technet/security/bulletin/MS00-091.mspx || url,www.cert.org/advisories/CA-2000-21.html || url,razor.bindview.com/publish/advisories/adv_NAPTHA.html || cve,2000-1039 || bugtraq,2022
-276 || DOS Real Audio Server || cve,2000-0474 || bugtraq,1288 || arachnids,411
-277 || DOS Real Server template.html || cve,2000-0474 || bugtraq,1288
-278 || DOS Real Server template.html || cve,2000-0474 || bugtraq,1288
-279 || DOS Bay/Nortel Nautica Marlin || cve,2000-0221 || bugtraq,1009
-281 || DOS Ascend Route || cve,1999-0060 || bugtraq,714 || arachnids,262
-282 || DOS arkiea backup || cve,1999-0788 || bugtraq,662 || arachnids,261
-283 || EXPLOIT Netscape 4.7 client overflow || cve,2000-1187 || cve,1999-1189 || bugtraq,822 || arachnids,215
-284 || POP2 x86 Linux overflow
-285 || POP2 x86 Linux overflow
-286 || POP3 EXPLOIT x86 BSD overflow || cve,1999-0006 || bugtraq,133
-287 || POP3 EXPLOIT x86 BSD overflow
-288 || POP3 EXPLOIT x86 Linux overflow
-289 || POP3 EXPLOIT x86 SCO overflow
-290 || POP3 EXPLOIT qpopper overflow || cve,1999-0822 || bugtraq,830
-291 || NNTP Cassandra Overflow || cve,2000-0341 || bugtraq,1156 || arachnids,274
-292 || EXPLOIT x86 Linux samba overflow || cve,1999-0811 || cve,1999-0182 || bugtraq,536 || bugtraq,1816
-293 || IMAP EXPLOIT overflow
-295 || IMAP EXPLOIT x86 linux overflow || cve,1999-0005 || bugtraq,130
-296 || IMAP EXPLOIT x86 linux overflow || cve,1999-0005 || bugtraq,130
-297 || IMAP EXPLOIT x86 linux overflow || cve,1999-0005 || bugtraq,130
-298 || IMAP EXPLOIT x86 linux overflow || cve,1999-0005 || bugtraq,130
-299 || IMAP EXPLOIT x86 linux overflow || cve, CVE-1999-0005 || bugtraq,130
-300 || EXPLOIT nlps x86 Solaris overflow || bugtraq,2319
-301 || EXPLOIT LPRng overflow || cve,2000-0917 || bugtraq,1712
-302 || EXPLOIT Redhat 7.0 lprd overflow
-303 || DNS EXPLOIT named tsig overflow attempt || cve,2001-0010 || bugtraq,2302 || arachnids,482
-304 || EXPLOIT SCO calserver overflow || cve,2000-0306 || bugtraq,2353
-305 || EXPLOIT delegate proxy overflow || cve,2000-0165 || bugtraq,808 || arachnids,267
-306 || EXPLOIT VQServer admin || url,www.vqsoft.com/vq/server/docs/other/control.html || cve,2000-0766 || bugtraq,1610
-307 || EXPLOIT CHAT IRC topic overflow || cve,1999-0672 || bugtraq,573
-308 || EXPLOIT NextFTP client overflow || cve,1999-0671 || bugtraq,572
-309 || EXPLOIT sniffit overflow || cve,2000-0343 || bugtraq,1158 || arachnids,273
-310 || EXPLOIT x86 windows MailMax overflow || cve,1999-0404 || bugtraq,2312
-311 || EXPLOIT Netscape 4.7 unsucessful overflow || cve,2000-1187 || cve,1999-1189 || bugtraq,822 || arachnids,214
-312 || EXPLOIT ntpdx overflow attempt || cve,2001-0414 || bugtraq,2540 || arachnids,492
-313 || EXPLOIT ntalkd x86 Linux overflow || bugtraq,210
-314 || DNS EXPLOIT named tsig overflow attempt || cve,2001-0010 || bugtraq,2303
-315 || EXPLOIT x86 Linux mountd overflow || cve,1999-0002 || bugtraq,121
-316 || EXPLOIT x86 Linux mountd overflow || cve,1999-0002 || bugtraq,121
-317 || EXPLOIT x86 Linux mountd overflow || cve,1999-0002 || bugtraq,121
-318 || EXPLOIT bootp x86 bsd overfow || cve,1999-0914 || bugtraq,324
-319 || EXPLOIT bootp x86 linux overflow || cve,1999-0799 || cve,1999-0798 || cve,1999-0389
-320 || FINGER cmd_rootsh backdoor attempt || url,www.sans.org/y2k/fingerd.htm || url,www.sans.org/y2k/TFN_toolkit.htm || nessus,10070 || cve,1999-0660
-321 || FINGER account enumeration attempt || nessus,10788
-322 || FINGER search query || cve,1999-0259 || arachnids,375
-323 || FINGER root query || arachnids,376
-324 || FINGER null request || arachnids,377
-325 || FINGER probe 0 attempt || arachnids,378
-326 || FINGER remote command execution attempt || cve,1999-0150 || bugtraq,974 || arachnids,379
-327 || FINGER remote command pipe execution attempt || cve,1999-0152 || bugtraq,2220 || arachnids,380
-328 || FINGER bomb attempt || cve,1999-0106 || arachnids,381
-329 || FINGER cybercop redirection || arachnids,11
-330 || FINGER redirection attempt || nessus,10073 || cve,1999-0105 || arachnids,251
-331 || FINGER cybercop query || cve,1999-0612 || arachnids,132
-332 || FINGER 0 query || nessus,10069 || cve,1999-0197 || arachnids,378 || arachnids,131
-333 || FINGER . query || nessus,10072 || cve,1999-0198 || arachnids,130
-334 || FTP .forward || arachnids,319
-335 || FTP .rhosts || arachnids,328
-336 || FTP CWD ~root attempt || cve,1999-0082 || arachnids,318
-337 || FTP CEL overflow attempt || cve,1999-0789 || bugtraq,679 || arachnids,257
-338 || FTP EXPLOIT format string || cve,2000-0573 || bugtraq,1387 || arachnids,453
-339 || FTP EXPLOIT OpenBSD x86 ftpd || cve,2001-0053 || bugtraq,2124 || arachnids,446
-340 || FTP EXPLOIT overflow
-341 || FTP EXPLOIT overflow
-342 || FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow Solaris 2.8 || cve,2000-0573 || bugtraq,1387 || arachnids,451
-343 || FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow FreeBSD || cve,2000-0573 || bugtraq,1387 || arachnids,228
-344 || FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow Linux || cve,2000-0573 || bugtraq,1387 || arachnids,287
-345 || FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow generic || nessus,10452 || cve,2000-0573 || bugtraq,1387 || arachnids,285
-346 || FTP EXPLOIT wu-ftpd 2.6.0 site exec format string check || cve,2000-0573 || bugtraq,1387 || arachnids,286
-348 || FTP EXPLOIT wu-ftpd 2.6.0 || bugtraq,1387 || arachnids,440
-349 || FTP EXPLOIT MKD overflow || cve,1999-0368 || bugtraq,2242 || bugtraq,113
-350 || FTP EXPLOIT x86 linux overflow || cve,1999-0368 || bugtraq,2242 || bugtraq,113
-351 || FTP EXPLOIT x86 linux overflow || cve,1999-0368 || bugtraq,2242 || bugtraq,113
-352 || FTP EXPLOIT x86 linux overflow || cve, CVE-1999-0368 || bugtraq, 113
-353 || FTP adm scan || arachnids,332
-354 || FTP iss scan || arachnids,331
-355 || FTP pass wh00t || arachnids,324
-356 || FTP passwd retrieval attempt || arachnids,213
-357 || FTP piss scan
-358 || FTP saint scan || arachnids,330
-359 || FTP satan scan || arachnids,329
-360 || FTP serv-u directory transversal || cve,2001-0054 || bugtraq,2052
-361 || FTP SITE EXEC attempt || cve,1999-0080 || bugtraq,2241 || arachnids,317
-362 || FTP tar parameters || cve,1999-0997 || cve,1999-0202 || bugtraq,2240 || arachnids,134
-363 || ICMP IRDP router advertisement || cve,1999-0875 || bugtraq,578 || arachnids,173
-364 || ICMP IRDP router selection || cve,1999-0875 || bugtraq,578 || arachnids,174
-365 || ICMP PING undefined code
-366 || ICMP PING *NIX
-368 || ICMP PING BSDtype || arachnids,152
-369 || ICMP PING BayRS Router || arachnids,444 || arachnids,438
-370 || ICMP PING BeOS4.x || arachnids,151
-371 || ICMP PING Cisco Type.x || arachnids,153
-372 || ICMP PING Delphi-Piette Windows || arachnids,155
-373 || ICMP PING Flowpoint2200 or Network Management Software || arachnids,156
-374 || ICMP PING IP NetMonitor Macintosh || arachnids,157
-375 || ICMP PING LINUX/*BSD || arachnids,447
-376 || ICMP PING Microsoft Windows || arachnids,159
-377 || ICMP PING Network Toolbox 3 Windows || arachnids,161
-378 || ICMP PING Ping-O-MeterWindows || arachnids,164
-379 || ICMP PING Pinger Windows || arachnids,163
-380 || ICMP PING Seer Windows || arachnids,166
-381 || ICMP PING Sun Solaris || arachnids,448
-382 || ICMP PING Windows || arachnids,169
-384 || ICMP PING
-385 || ICMP traceroute || arachnids,118
-386 || ICMP Address Mask Reply
-387 || ICMP Address Mask Reply undefined code
-388 || ICMP Address Mask Request
-389 || ICMP Address Mask Request undefined code
-390 || ICMP Alternate Host Address
-391 || ICMP Alternate Host Address undefined code
-392 || ICMP Datagram Conversion Error
-393 || ICMP Datagram Conversion Error undefined code
-394 || ICMP Destination Unreachable Destination Host Unknown
-395 || ICMP Destination Unreachable Destination Network Unknown
-396 || ICMP Destination Unreachable Fragmentation Needed and DF bit was set
-397 || ICMP Destination Unreachable Host Precedence Violation
-398 || ICMP Destination Unreachable Host Unreachable for Type of Service
-399 || ICMP Destination Unreachable Host Unreachable
-400 || ICMP Destination Unreachable Network Unreachable for Type of Service
-401 || ICMP Destination Unreachable Network Unreachable
-402 || ICMP Destination Unreachable Port Unreachable
-403 || ICMP Destination Unreachable Precedence Cutoff in effect
-404 || ICMP Destination Unreachable Protocol Unreachable
-405 || ICMP Destination Unreachable Source Host Isolated
-406 || ICMP Destination Unreachable Source Route Failed
-407 || ICMP Destination Unreachable cndefined code
-408 || ICMP Echo Reply
-409 || ICMP Echo Reply undefined code
-410 || ICMP Fragment Reassembly Time Exceeded
-411 || ICMP IPV6 I-Am-Here
-412 || ICMP IPV6 I-Am-Here undefined code
-413 || ICMP IPV6 Where-Are-You
-414 || ICMP IPV6 Where-Are-You undefined code
-415 || ICMP Information Reply
-416 || ICMP Information Reply undefined code
-417 || ICMP Information Request
-418 || ICMP Information Request undefined code
-419 || ICMP Mobile Host Redirect
-420 || ICMP Mobile Host Redirect undefined code
-421 || ICMP Mobile Registration Reply
-422 || ICMP Mobile Registration Reply undefined code
-423 || ICMP Mobile Registration Request
-424 || ICMP Mobile Registration Request undefined code
-425 || ICMP Parameter Problem Bad Length
-426 || ICMP Parameter Problem Missing a Required Option
-427 || ICMP Parameter Problem Unspecified Error
-428 || ICMP Parameter Problem undefined Code
-429 || ICMP Photuris Reserved
-430 || ICMP Photuris Unknown Security Parameters Index
-431 || ICMP Photuris Valid Security Parameters, But Authentication Failed
-432 || ICMP Photuris Valid Security Parameters, But Decryption Failed
-433 || ICMP Photuris undefined code!
-436 || ICMP Redirect for TOS and Host
-437 || ICMP Redirect for TOS and Network
-438 || ICMP Redirect undefined code
-439 || ICMP Reserved for Security Type 19
-440 || ICMP Reserved for Security Type 19 undefined code
-441 || ICMP Router Advertisement || arachnids,173
-443 || ICMP Router Selection || arachnids,174
-445 || ICMP SKIP
-446 || ICMP SKIP undefined code
-448 || ICMP Source Quench undefined code
-449 || ICMP Time-To-Live Exceeded in Transit
-450 || ICMP Time-To-Live Exceeded in Transit undefined code
-451 || ICMP Timestamp Reply
-452 || ICMP Timestamp Reply undefined code
-453 || ICMP Timestamp Request
-454 || ICMP Timestamp Request undefined code
-455 || ICMP Traceroute ipopts || arachnids,238
-456 || ICMP Traceroute
-457 || ICMP Traceroute undefined code
-458 || ICMP unassigned type 1
-459 || ICMP unassigned type 1 undefined code
-460 || ICMP unassigned type 2
-461 || ICMP unassigned type 2 undefined code
-462 || ICMP unassigned type 7
-463 || ICMP unassigned type 7 undefined code
-465 || ICMP ISS Pinger || arachnids,158
-466 || ICMP L3retriever Ping || arachnids,311
-467 || ICMP Nemesis v1.1 Echo || arachnids,449
-469 || ICMP PING NMAP || arachnids,162
-471 || ICMP icmpenum v1.1.1 || arachnids,450
-472 || ICMP redirect host || cve,1999-0265 || arachnids,135
-473 || ICMP redirect net || cve,1999-0265 || arachnids,199
-474 || ICMP superscan echo
-475 || ICMP traceroute ipopts || arachnids,238
-476 || ICMP webtrends scanner || arachnids,307
-477 || ICMP Source Quench
-478 || ICMP Broadscan Smurf Scanner
-480 || ICMP PING speedera
-481 || ICMP TJPingPro1.1Build 2 Windows || arachnids,167
-482 || ICMP PING WhatsupGold Windows || arachnids,168
-483 || ICMP PING CyberKit 2.2 Windows || arachnids,154
-484 || ICMP PING Sniffer Pro/NetXRay network scan
-485 || ICMP Destination Unreachable Communication Administratively Prohibited
-486 || ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited
-487 || ICMP Destination Unreachable Communication with Destination Network is Administratively Prohibited
-488 || INFO Connection Closed MSG from Port 80
-489 || INFO FTP no password || arachnids,322
-490 || INFO battle-mail traffic
-491 || INFO FTP Bad login
-492 || INFO TELNET Bad Login
-493 || INFO psyBNC access
-494 || ATTACK-RESPONSES command completed
-495 || ATTACK-RESPONSES command error
-496 || ATTACK RESPONSES directory listing
-497 || ATTACK-RESPONSES file copied ok
-498 || ATTACK-RESPONSES id check returned root
-499 || ICMP Large ICMP Packet || arachnids,246
-500 || MISC source route lssr || cve,1999-0909 || bugtraq,646 || arachnids,418
-501 || MISC source route lssre || cve,1999-0909 || bugtraq,646 || arachnids,420
-502 || MISC source route ssrr || arachnids,422
-503 || MISC Source Port 20 to <1024 || arachnids,06
-504 || MISC source port 53 to <1024 || arachnids,07
-505 || MISC Insecure TIMBUKTU Password || arachnids,229
-506 || MISC ramen worm incoming || arachnids,460
-507 || MISC PCAnywhere Attempted Administrator Login
-508 || MISC gopher proxy || arachnids,409
-509 || WEB-MISC PCCS mysql database admin tool access || arachnids,300
-510 || POLICY HP JetDirect LCD modification attempt || bugtraq,2245 || arachnids,302
-511 || MISC Invalid PCAnywhere Login
-512 || MISC PCAnywhere Failed Login || arachnids,240
-513 || MISC Cisco Catalyst Remote Access || cve,1999-0430 || bugtraq,705 || arachnids,129
-514 || MISC ramen worm || arachnids,461
-516 || MISC SNMP NT UserList
-517 || MISC xdmcp query || arachnids,476
-518 || TFTP Put || cve,1999-0183 || arachnids,148
-519 || TFTP parent directory || cve,2002-1209 || cve,1999-0183 || arachnids,137
-520 || TFTP root directory || cve,1999-0183 || arachnids,138
-521 || MISC Large UDP Packet || arachnids,247
-522 || MISC Tiny Fragments
-523 || BAD-TRAFFIC ip reserved bit set
-524 || BAD-TRAFFIC tcp port 0 traffic
-525 || BAD-TRAFFIC udp port 0 traffic || nessus,10074 || cve,1999-0675 || bugtraq,576
-526 || BAD-TRAFFIC data in TCP SYN packet || url,www.cert.org/incident_notes/IN-99-07.html
-527 || BAD-TRAFFIC same SRC/DST || url,www.cert.org/advisories/CA-1997-28.html || cve,1999-0016 || bugtraq,2666
-528 || BAD-TRAFFIC loopback traffic || url,rr.sans.org/firewall/egress.php
-529 || NETBIOS DOS RFPoison || arachnids,454
-530 || NETBIOS NT NULL session || cve,2000-0347 || bugtraq,1163 || arachnids,204
-532 || NETBIOS SMB ADMIN$ share access
-533 || NETBIOS SMB C$ share access
-534 || NETBIOS SMB CD.. || arachnids,338
-535 || NETBIOS SMB CD... || arachnids,337
-536 || NETBIOS SMB D$ share access
-537 || NETBIOS SMB IPC$ share access
-538 || NETBIOS SMB IPC$ share unicode access
-539 || NETBIOS Samba clientaccess || arachnids,341
-540 || CHAT MSN message
-541 || CHAT ICQ access
-542 || CHAT IRC nick change
-543 || POLICY FTP 'STOR 1MB' possible warez site
-544 || POLICY FTP 'RETR 1MB' possible warez site
-545 || POLICY FTP 'CWD / ' possible warez site
-546 || POLICY FTP 'CWD  ' possible warez site
-547 || POLICY FTP 'MKD  ' possible warez site
-548 || POLICY FTP 'MKD .' possible warez site
-549 || P2P napster login
-550 || P2P napster new user login
-551 || P2P napster download attempt
-552 || P2P napster upload request
-553 || POLICY FTP anonymous login attempt
-554 || POLICY FTP 'MKD / ' possible warez site
-555 || POLICY WinGate telnet server response || cve,1999-0657 || arachnids,366
-556 || P2P Outbound GNUTella client request
-557 || P2P GNUTella client request
-558 || INFO Outbound GNUTella client request
-559 || P2P Inbound GNUTella client request
-560 || POLICY VNC server response
-561 || P2P Napster Client Data
-562 || P2P Napster Client Data
-563 || P2P Napster Client Data
-564 || P2P Napster Client Data
-565 || P2P Napster Server Login
-566 || POLICY PCAnywhere server response || arachnids,239
-567 || POLICY SMTP relaying denied || url,mail-abuse.org/tsi/ar-fix.html || arachnids,249
-568 || POLICY HP JetDirect LCD modification attempt || bugtraq,2245 || arachnids,302
-569 || RPC snmpXdmi overflow attempt TCP || url,www.cert.org/advisories/CA-2001-05.html || cve,2001-0236 || bugtraq,2417
-570 || RPC EXPLOIT ttdbserv solaris overflow || url,www.cert.org/advisories/CA-2001-27.html || cve,1999-0003 || bugtraq,122 || arachnids,242
-571 || RPC EXPLOIT ttdbserv Solaris overflow || url,www.cert.org/advisories/CA-2001-27.html || cve,1999-0003 || bugtraq,122 || arachnids,242
-572 || RPC DOS ttdbserv Solaris || cve,1999-0003 || bugtraq,122 || arachnids,241
-573 || RPC AMD Overflow || cve,1999-0704 || arachnids,217
-574 || RPC mountd TCP export request || arachnids,26
-575 || RPC portmap admind request UDP || arachnids,18
-576 || RPC portmap amountd request UDP || arachnids,19
-577 || RPC portmap bootparam request UDP || cve,1999-0647 || arachnids,16
-578 || RPC portmap cmsd request UDP || arachnids,17
-579 || RPC portmap mountd request UDP || arachnids,13
-580 || RPC portmap nisd request UDP || arachnids,21
-581 || RPC portmap pcnfsd request UDP || arachnids,22
-582 || RPC portmap rexd request UDP || arachnids,23
-583 || RPC portmap rstatd request UDP || arachnids,10
-584 || RPC portmap rusers request UDP || cve,1999-0626 || arachnids,133
-585 || RPC portmap sadmind request UDP || arachnids,20
-586 || RPC portmap selection_svc request UDP || arachnids,25
-587 || RPC portmap status request UDP || arachnids,15
-588 || RPC portmap ttdbserv request UDP || url,www.cert.org/advisories/CA-2001-05.html || cve,2001-0717 || cve,1999-1075 || cve,1999-0687 || cve,1999-0003 || bugtraq,3382 || bugtraq,122 || arachnids,24
-589 || RPC portmap yppasswd request UDP || arachnids,14
-590 || RPC portmap ypserv request UDP || cve,2002-1232 || cve,2000-1043 || cve,2000-1042 || bugtraq,6016 || bugtraq,5914 || arachnids,12
-591 || RPC portmap ypupdated request TCP || arachnids,125
-592 || RPC rstatd query || arachnids,9
-593 || RPC portmap snmpXdmi request TCP || url,www.cert.org/advisories/CA-2001-05.html || cve,2001-0236 || bugtraq,2417
-595 || RPC portmap espd request TCP || cve,2001-0331 || bugtraq,2714
-596 || RPC portmap listing || arachnids,429
-597 || RPC portmap listing || arachnids,429
-598 || RPC portmap listing TCP 111 || arachnids,428
-599 || RPC portmap listing TCP 32771 || arachnids,429
-600 || RPC EXPLOIT statdx || arachnids,442
-601 || RSERVICES rlogin LinuxNIS
-602 || RSERVICES rlogin bin || arachnids,384
-603 || RSERVICES rlogin echo++ || arachnids,385
-604 || RSERVICES rsh froot || arachnids,387
-605 || RSERVICES rlogin login failure || arachnids,393
-606 || RSERVICES rlogin root || arachnids,389
-607 || RSERVICES rsh bin || arachnids,390
-608 || RSERVICES rsh echo + + || arachnids,388
-609 || RSERVICES rsh froot || arachnids,387
-610 || RSERVICES rsh root || arachnids,391
-611 || RSERVICES rlogin login failure || arachnids,392
-612 || RPC rusers query UDP || cve,1999-0626
-613 || SCAN myscan || arachnids,439
-614 || BACKDOOR hack-a-tack attempt || arachnids,314
-615 || SCAN SOCKS Proxy attempt || url,help.undernet.org/proxyscan/
-616 || SCAN ident version request || arachnids,303
-617 || SCAN ssh-research-scanner
-618 || SCAN Squid Proxy attempt
-619 || SCAN cybercop os probe || arachnids,146
-620 || SCAN Proxy Port 8080 attempt
-621 || SCAN FIN || arachnids,27
-622 || SCAN ipEye SYN scan || arachnids,236
-623 || SCAN NULL || arachnids,4
-624 || SCAN SYN FIN || arachnids,198
-625 || SCAN XMAS || arachnids,144
-626 || SCAN cybercop os PA12 attempt || arachnids,149
-627 || SCAN cybercop os SFU12 probe || arachnids,150
-628 || SCAN nmap TCP || arachnids,28
-629 || SCAN nmap fingerprint attempt || arachnids,05
-630 || SCAN synscan portscan || arachnids,441
-631 || SMTP ehlo cybercop attempt || arachnids,372
-632 || SMTP expn cybercop attempt || arachnids,371
-634 || SCAN Amanda client version request
-635 || SCAN XTACACS logout || arachnids,408
-636 || SCAN cybercop udp bomb || arachnids,363
-637 || SCAN Webtrends Scanner UDP Probe || arachnids,308
-638 || SHELLCODE SGI NOOP || arachnids,356
-639 || SHELLCODE SGI NOOP || arachnids,357
-640 || SHELLCODE AIX NOOP
-641 || SHELLCODE Digital UNIX NOOP || arachnids,352
-642 || SHELLCODE HP-UX NOOP || arachnids,358
-643 || SHELLCODE HP-UX NOOP || arachnids,359
-644 || SHELLCODE sparc NOOP || arachnids,345
-645 || SHELLCODE sparc NOOP || arachnids,353
-646 || SHELLCODE sparc NOOP || arachnids,355
-647 || SHELLCODE sparc setuid 0 || arachnids,282
-648 || SHELLCODE x86 NOOP || arachnids,181
-649 || SHELLCODE x86 setgid 0 || arachnids,284
-650 || SHELLCODE x86 setuid 0 || arachnids,436
-651 || SHELLCODE x86 stealth NOOP || arachnids,291
-652 || SHELLCODE Linux shellcode || arachnids,343
-653 || SHELLCODE x86 unicode NOOP
-654 || SMTP RCPT TO overflow || cve,2001-0260 || bugtraq,9696 || bugtraq,2283
-655 || SMTP sendmail 8.6.9 exploit || cve,1999-0204 || bugtraq,2311 || arachnids,140
-656 || SMTP EXPLOIT x86 windows CSMMail overflow || cve,2000-0042 || bugtraq,895
-657 || SMTP chameleon overflow || cve,1999-0261 || bugtraq,2387 || arachnids,266
-658 || SMTP exchange mime DOS
-659 || SMTP expn decode || arachnids,32
-660 || SMTP expn root || arachnids,31
-661 || SMTP majordomo ifs || cve,1999-0208 || arachnids,143
-662 || SMTP sendmail 5.5.5 exploit || arachnids,119
-663 || SMTP rcpt to command attempt || cve,1999-0095 || bugtraq,1 || arachnids,172
-664 || SMTP RCPT TO decode attempt || cve,1999-0203 || bugtraq,2308 || arachnids,121
-665 || SMTP sendmail 5.6.5 exploit || arachnids,122
-666 || SMTP sendmail 8.4.1 exploit || arachnids,120
-667 || SMTP sendmail 8.6.10 exploit || arachnids,123
-668 || SMTP sendmail 8.6.10 exploit || arachnids,124
-669 || SMTP sendmail 8.6.9 exploit || cve,1999-0204 || bugtraq,2311 || arachnids,142
-670 || SMTP sendmail 8.6.9 exploit || cve,1999-0204 || bugtraq,2311 || arachnids,139
-671 || SMTP sendmail 8.6.9c exploit || cve,1999-0204 || bugtraq,2311 || arachnids,141
-672 || SMTP vrfy decode || arachnids,373
-673 || MS-SQL sp_start_job - program execution
-674 || MS-SQL xp_displayparamstmt possible buffer overflow || cve,2000-1081 || bugtraq,2030
-675 || MS-SQL xp_setsqlsecurity possible buffer overflow || bugtraq,2043
-676 || MS-SQL/SMB sp_start_job - program execution
-677 || MS-SQL/SMB sp_password password change
-678 || MS-SQL/SMB sp_delete_alert log file deletion
-679 || MS-SQL/SMB sp_adduser database user creation
-680 || MS-SQL/SMB sa login failed
-681 || MS-SQL/SMB xp_cmdshell program execution
-682 || MS-SQL xp_enumresultset possible buffer overflow
-683 || MS-SQL sp_password - password change
-684 || MS-SQL sp_delete_alert log file deletion
-685 || MS-SQL sp_adduser - database user creation
-686 || MS-SQL xp_reg* - registry access
-687 || MS-SQL xp_cmdshell - program execution
-688 || MS-SQL sa login failed
-689 || MS-SQL/SMB xp_reg* registry access
-690 || MS-SQL/SMB xp_printstatements possible buffer overflow || cve,2000-1086 || bugtraq,2041
-691 || MS-SQL shellcode attempt
-692 || MS-SQL/SMB shellcode attempt
-693 || MS-SQL shellcode attempt
-694 || MS-SQL/SMB shellcode attempt
-695 || MS-SQL/SMB xp_sprintf possible buffer overflow || bugtraq,1204
-696 || MS-SQL/SMB xp_showcolv possible buffer overflow || bugtraq,2038
-697 || MS-SQL/SMB xp_peekqueue possible buffer overflow || cve,2000-1085 || bugtraq,2040
-698 || MS-SQL/SMB xp_proxiedmetadata possible buffer overflow || cve,2000-1087 || bugtraq,2042
-699 || MS-SQL xp_printstatements possible buffer overflow || cve,2000-1086 || bugtraq,2041
-700 || MS-SQL/SMB xp_updatecolvbm possible buffer overflow || cve,2000-1084 || bugtraq,2039
-701 || MS-SQL xp_updatecolvbm possible buffer overflow || cve,2000-1084 || bugtraq,2039
-702 || MS-SQL/SMB xp_displayparamstmt possible buffer overflow || cve,2000-1081 || bugtraq,2030
-703 || MS-SQL/SMB xp_setsqlsecurity possible buffer overflow || bugtraq,2043
-704 || MS-SQL xp_sprintf possible buffer overflow || bugtraq,1204
-705 || MS-SQL xp_showcolv possible buffer overflow || cve,2000-1083 || bugtraq,2038
-706 || MS-SQL xp_peekqueue possible buffer overflow || cve,2000-1085 || bugtraq,2040
-707 || MS-SQL xp_proxiedmetadata possible buffer overflow || cve,2000-1087 || cve,1999-0287 || bugtraq,2024
-708 || MS-SQL/SMB xp_enumresultset possible buffer overflow || cve,2000-1082 || bugtraq,2031
-709 || TELNET 4Dgifts SGI account attempt || cve,1999-0501
-710 || TELNET EZsetup account attempt || cve,1999-0501
-711 || TELNET SGI telnetd format bug || arachnids,304
-712 || TELNET ld_library_path || cve,1999-0073 || bugtraq,459 || arachnids,367
-713 || TELNET livingston DOS || arachnids,370
-714 || TELNET resolv_host_conf || arachnids,369
-715 || TELNET Attempted SU from wrong group
-716 || TELNET access || cve,1999-0619 || arachnids,08
-717 || TELNET not on console || arachnids,365
-718 || TELNET login incorrect || arachnids,127
-719 || TELNET root login
-720 || Virus - SnowWhite Trojan Incoming
-721 || VIRUS OUTBOUND bad file attachment
-722 || Virus - Possible NAVIDAD Worm
-723 || Virus - Possible MyRomeo Worm
-724 || Virus - Possible MyRomeo Worm
-725 || Virus - Possible MyRomeo Worm
-726 || Virus - Possible MyRomeo Worm
-727 || Virus - Possible MyRomeo Worm
-728 || Virus - Possible MyRomeo Worm
-729 || VIRUS OUTBOUND .scr file attachment
-730 || VIRUS OUTBOUND .shs file attachment
-731 || Virus - Possible QAZ Worm || MCAFEE,98775
-732 || Virus - Possible QAZ Worm Infection || MCAFEE,98775
-733 || Virus - Possible QAZ Worm Calling Home || MCAFEE,98775
-734 || Virus - Possible Matrix worm
-735 || Virus - Possible MyRomeo Worm
-736 || Virus - Successful eurocalculator execution
-737 || Virus - Possible eurocalculator.exe file
-738 || Virus - Possible Pikachu Pokemon Virus || MCAFEE,98696
-739 || Virus - Possible Triplesix Worm || MCAFEE,10389
-740 || Virus - Possible Tune.vbs || MCAFEE,10497
-741 || Virus - Possible NAIL Worm || MCAFEE,10109
-742 || Virus - Possible NAIL Worm || MCAFEE,10109
-743 || Virus - Possible NAIL Worm || MCAFEE,10109
-744 || Virus - Possible NAIL Worm || MCAFEE,10109
-745 || Virus - Possible Papa Worm || MCAFEE,10145
-746 || Virus - Possible Freelink Worm || MCAFEE,10225
-747 || Virus - Possible Simbiosis Worm
-748 || Virus - Possible BADASS Worm || MCAFEE,10388
-749 || Virus - Possible ExploreZip.B Worm || MCAFEE,10471
-751 || Virus - Possible wscript.KakWorm || MCAFEE,10509
-752 || Virus Possible Suppl Worm || MCAFEE,10361
-753 || Virus - Possible NewApt.Worm - theobbq.exe || MCAFEE,10540
-754 || Virus - Possible Word Macro - VALE || MCAFEE,10502
-755 || Virus - Possible IROK Worm || MCAFEE,98552
-756 || Virus - Possible Fix2001 Worm || MCAFEE,10355
-757 || Virus - Possible Y2K Zelu Trojan || MCAFEE,10505
-758 || Virus - Possible The_Fly Trojan || MCAFEE,10478
-759 || Virus - Possible Word Macro - VALE || MCAFEE,10502
-760 || Virus - Possible Passion Worm || MCAFEE,10467
-761 || Virus - Possible NewApt.Worm - cooler3.exe || MCAFEE,10540
-762 || Virus - Possible NewApt.Worm - party.exe || MCAFEE,10540
-763 || Virus - Possible NewApt.Worm - hog.exe || MCAFEE,10540
-764 || Virus - Possible NewApt.Worm - goal1.exe || MCAFEE,10540
-765 || Virus - Possible NewApt.Worm - pirate.exe || MCAFEE,10540
-766 || Virus - Possible NewApt.Worm - video.exe || MCAFEE,10540
-767 || Virus - Possible NewApt.Worm - baby.exe || MCAFEE,10540
-768 || Virus - Possible NewApt.Worm - cooler1.exe || MCAFEE,10540
-769 || Virus - Possible NewApt.Worm - boss.exe || MCAFEE,10540
-770 || Virus - Possible NewApt.Worm - g-zilla.exe || MCAFEE,10540
-771 || Virus - Possible ToadieE-mail Trojan || MCAFEE,10540
-772 || Virus - Possible PrettyPark Trojan || MCAFEE,10175
-773 || Virus - Possible Happy99 Virus || MCAFEE,10144
-774 || Virus - Possible CheckThis Trojan
-775 || Virus - Possible Bubbleboy Worm || MCAFEE,10418
-776 || Virus - Possible NewApt.Worm - copier.exe || MCAFEE,10540
-777 || Virus - Possible MyPics Worm || MCAFEE,10467
-778 || Virus - Possible Babylonia - X-MAS.exe || MCAFEE,10461
-779 || Virus - Possible NewApt.Worm - gadget.exe || MCAFEE,10540
-780 || Virus - Possible NewApt.Worm - irnglant.exe || MCAFEE,10540
-781 || Virus - Possible NewApt.Worm - casper.exe || MCAFEE,10540
-782 || Virus - Possible NewApt.Worm - fborfw.exe || MCAFEE,10540
-783 || Virus - Possible NewApt.Worm - saddam.exe || MCAFEE,10540
-784 || Virus - Possible NewApt.Worm - bboy.exe || MCAFEE,10540
-785 || Virus - Possible NewApt.Worm - monica.exe || MCAFEE,10540
-786 || Virus - Possible NewApt.Worm - goal.exe || MCAFEE,10540
-787 || Virus - Possible NewApt.Worm - panther.exe || MCAFEE,10540
-788 || Virus - Possible NewApt.Worm - chestburst.exe || MCAFEE,10540
-789 || Virus - Possible NewApt.Worm - farter.exe || MCAFEE,1054
-790 || Virus - Possible Common Sense Worm
-791 || Virus - Possible NewApt.Worm - cupid2.exe || MCAFEE,10540
-792 || Virus - Possible Resume Worm || MCAFEE,98661
-793 || VIRUS OUTBOUND .vbs file attachment
-794 || Virus - Possible Resume Worm || MCAFEE,98661
-795 || Virus - Possible Worm -  txt.vbs file
-796 || Virus - Possible Worm - xls.vbs file
-797 || Virus - Possible Worm - jpg.vbs file
-798 || Virus - Possible Worm -  gif.vbs file
-799 || Virus - Possible Timofonica Worm || MCAFEE,98674
-800 || Virus - Possible Resume Worm || MCAFEE,98661
-801 || Virus - Possible Worm - doc.vbs file
-802 || Virus - Possbile Zipped Files Trojan || MCAFEE,10450
-803 || WEB-CGI HyperSeek hsx.cgi directory traversal attempt || cve,2001-0253 || bugtraq,2314
-804 || WEB-CGI SWSoft ASPSeek Overflow attempt || cve,2001-0476 || bugtraq,2492
-805 || WEB-CGI webspeed access || nessus,10304 || cve,2000-0127 || bugtraq,969 || arachnids,467
-806 || WEB-CGI yabb directory traversal attempt || cve,2000-0853 || bugtraq,1668 || arachnids,462
-807 || WEB-CGI /wwwboard/passwd.txt access || nessus,10321 || cve,1999-0954 || cve,1999-0953 || bugtraq,649 || arachnids,463
-808 || WEB-CGI webdriver access || nessus,10592 || bugtraq,2166 || arachnids,473
-809 || WEB-CGI whois_raw.cgi arbitrary command execution attempt || nessus,10306 || cve,1999-1063 || bugtraq,304 || arachnids,466
-810 || WEB-CGI whois_raw.cgi access || nessus,10306 || cve,1999-1063 || bugtraq,304 || arachnids,466
-811 || WEB-CGI websitepro path access || cve,2000-0066 || bugtraq,932 || arachnids,468
-812 || WEB-CGI webplus version access || cve,2000-0282 || bugtraq,1102 || arachnids,470
-813 || WEB-CGI webplus directory traversal || cve,2000-0282 || bugtraq,1102 || arachnids,471
-815 || WEB-CGI websendmail access || nessus,10301 || cve,1999-0196 || bugtraq,2077 || arachnids,469
-817 || WEB-CGI dcboard.cgi invalid user addition attempt || nessus,10583 || cve,2001-0527 || bugtraq,2728
-818 || WEB-CGI dcforum.cgi access || nessus,10583 || cve,2001-0527 || bugtraq,2728
-819 || WEB-CGI mmstdod.cgi access || cve,2001-0021
-820 || WEB-CGI anaconda directory transversal attempt || cve,2001-0308 || cve,2000-0975 || bugtraq,2388 || bugtraq,2338
-821 || WEB-CGI imagemap.exe overflow attempt || nessus,10122 || cve,1999-0951 || bugtraq,739 || arachnids,412
-823 || WEB-CGI cvsweb.cgi access || cve,2000-0670 || bugtraq,1469
-824 || WEB-CGI php.cgi access || cve,1999-0238 || bugtraq,2250 || arachnids,232
-825 || WEB-CGI glimpse access || bugtraq,2026
-826 || WEB-CGI htmlscript access || cve,1999-0264 || bugtraq,2001
-827 || WEB-CGI info2www access || cve,1999-0266 || bugtraq,1995
-828 || WEB-CGI maillist.pl access
-829 || WEB-CGI nph-test-cgi access || nessus,10165 || cve,1999-0045 || bugtraq,686 || arachnids,224
-830 || WEB-CGI NPH-publish access || cve,1999-1177
-832 || WEB-CGI perl.exe access || url,www.cert.org/advisories/CA-1996-11.html || nessus,10173 || cve,1999-0509 || arachnids,219
-833 || WEB-CGI rguest.exe access || cve,1999-0467 || cve,1999-0287 || bugtraq,2024
-834 || WEB-CGI rwwwshell.pl access || url,www.itsecurity.com/papers/p37.htm
-835 || WEB-CGI test-cgi access || nessus,10282 || cve,1999-0070 || bugtraq,2003 || arachnids,218
-836 || WEB-CGI textcounter.pl access || cve,1999-1479
-837 || WEB-CGI uploader.exe access || nessus,10291 || cve,1999-0177
-838 || WEB-CGI webgais access || nessus,10300 || cve,1999-0176 || bugtraq,2058 || arachnids,472
-839 || WEB-CGI finger access || nessus,10071 || cve,1999-0612 || arachnids,221
-840 || WEB-CGI perlshop.cgi access || cve,1999-1374
-841 || WEB-CGI pfdisplay.cgi access || cve,1999-0270 || bugtraq,64
-842 || WEB-CGI aglimpse access || nessus,10095 || cve,1999-0147 || bugtraq,2026
-843 || WEB-CGI anform2 access || cve,1999-0066 || arachnids,225
-844 || WEB-CGI args.bat access || cve,1999-1374
-845 || WEB-CGI AT-admin.cgi access || cve,1999-1072
-846 || WEB-CGI bnbform.cgi access || cve,1999-0937 || bugtraq,2147
-847 || WEB-CGI campas access || cve,1999-0146 || bugtraq,1975
-848 || WEB-CGI view-source directory traversal || cve,1999-0174 || bugtraq,8883 || bugtraq,2251
-849 || WEB-CGI view-source access || cve,1999-0174 || bugtraq,8883 || bugtraq,2251
-850 || WEB-CGI wais.pl access
-851 || WEB-CGI files.pl access || cve,1999-1081
-852 || WEB-CGI wguest.exe access || cve,1999-0467 || cve,1999-0287 || bugtraq,2024
-853 || WEB-CGI wrap access || nessus,10317 || cve,1999-0149 || bugtraq,373 || arachnids,234
-854 || WEB-CGI classifieds.cgi access || cve,1999-0934 || bugtraq,2020
-855 || WEB-CGI edit.pl access || bugtraq,2713
-856 || WEB-CGI environ.cgi access
-857 || WEB-CGI faxsurvey access || nessus,10067 || cve,1999-0262 || bugtraq,2056
-858 || WEB-CGI filemail access || cve,1999-1154
-859 || WEB-CGI man.sh access || cve,1999-1179
-860 || WEB-CGI snork.bat access || cve,2000-0169 || bugtraq,1053 || arachnids,220
-861 || WEB-CGI w3-msql access || nessus,10296 || cve,2000-0012 || cve,1999-0753 || cve,1999-0276 || bugtraq,898 || bugtraq,591 || arachnids,210
-862 || WEB-CGI csh access || url,www.cert.org/advisories/CA-1996-11.html || cve,1999-0509
-863 || WEB-CGI day5datacopier.cgi access || cve,1999-1232
-864 || WEB-CGI day5datanotifier.cgi access || cve,1999-1232
-865 || WEB-CGI ksh access || url,www.cert.org/advisories/CA-1996-11.html || cve,1999-0509
-866 || WEB-CGI post-query access || cve,2001-0291 || bugtraq,6752
-867 || WEB-CGI visadmin.exe access || nessus,10295 || cve,1999-1970 || cve,1999-0970 || bugtraq,1808
-868 || WEB-CGI rsh access || url,www.cert.org/advisories/CA-1996-11.html || cve,1999-0509
-869 || WEB-CGI dumpenv.pl access || nessus,10060 || cve,1999-1178
-870 || WEB-CGI snorkerz.cmd access
-871 || WEB-CGI survey.cgi access || cve,1999-0936 || bugtraq,1817
-872 || WEB-CGI tcsh access || url,www.cert.org/advisories/CA-1996-11.html || cve,1999-0509
-873 || WEB-CGI scriptalias access || cve,1999-0236 || bugtraq,2300 || arachnids,227
-874 || WEB-CGI w3-msql solaris x86  access || cve,1999-0276 || arachnids,211
-875 || WEB-CGI win-c-sample.exe access || nessus,10008 || cve,1999-0178 || bugtraq,2078 || arachnids,231
-877 || WEB-CGI rksh access || url,www.cert.org/advisories/CA-1996-11.html || cve,1999-0509
-878 || WEB-CGI w3tvars.pm access
-879 || WEB-CGI admin.pl access || url,online.securityfocus.com/archive/1/249355 || bugtraq,3839
-880 || WEB-CGI LWGate access || url,www.wiretrip.net/rfp/p/doc.asp/i2/d6.htm || url,www.netspace.org/~dwb/lwgate/lwgate-history.html
-881 || WEB-CGI archie access
-882 || WEB-CGI calendar access
-883 || WEB-CGI flexform access || url,www.wiretrip.net/rfp/p/doc.asp/i2/d6.htm
-884 || WEB-CGI formmail access || nessus,10782 || nessus,10076 || cve,2000-0411 || cve,1999-0172 || bugtraq,2079 || bugtraq,1187 || arachnids,226
-885 || WEB-CGI bash access || url,www.cert.org/advisories/CA-1996-11.html || cve,1999-0509
-886 || WEB-CGI phf access || cve,1999-0067 || bugtraq,629 || arachnids,128
-887 || WEB-CGI www-sql access || url,marc.theaimsgroup.com/?l=bugtraq&m=88704258804054&w=2
-888 || WEB-CGI wwwadmin.pl access
-889 || WEB-CGI ppdscgi.exe access || url,online.securityfocus.com/archive/1/16878 || bugtraq,491
-890 || WEB-CGI sendform.cgi access || url,www.scn.org/help/sendform.txt || cve,2002-0710 || bugtraq,5286
-891 || WEB-CGI upload.pl access
-892 || WEB-CGI AnyForm2 access || cve,1999-0066 || bugtraq,719
-893 || WEB-CGI MachineInfo access || cve,1999-1067
-894 || WEB-CGI bb-hist.sh access || nessus,10025 || cve,1999-1462 || bugtraq,142
-895 || WEB-CGI redirect access || cve,2000-0382 || bugtraq,1179
-896 || WEB-CGI way-board access || nessus,10610 || cve,2001-0214 || bugtraq,2370
-897 || WEB-CGI pals-cgi access || nessus,10611 || cve,2001-0217 || cve,2001-0216 || bugtraq,2372
-898 || WEB-CGI commerce.cgi access || nessus,10612 || cve,2001-0210 || bugtraq,2361
-899 || WEB-CGI Amaya templates sendtemp.pl directory traversal attempt || cve,2001-0272 || bugtraq,2504
-900 || WEB-CGI webspirs.cgi directory traversal attempt || nessus,10616 || cve,2001-0211 || bugtraq,2362
-901 || WEB-CGI webspirs.cgi access || nessus,10616 || cve,2001-0211 || bugtraq,2362
-902 || WEB-CGI tstisapi.dll access || cve,2001-0302
-903 || WEB-COLDFUSION cfcache.map access || cve,2000-0057 || bugtraq,917
-904 || WEB-COLDFUSION exampleapp application.cfm || cve,2000-0189 || bugtraq,1021
-905 || WEB-COLDFUSION application.cfm access || cve,2000-0189 || bugtraq,1021
-906 || WEB-COLDFUSION getfile.cfm access || cve,1999-0800 || bugtraq,229
-907 || WEB-COLDFUSION addcontent.cfm access
-908 || WEB-COLDFUSION administrator access || cve,2000-0538 || bugtraq,1314
-909 || WEB-COLDFUSION datasource username attempt || bugtraq,550
-910 || WEB-COLDFUSION fileexists.cfm access || bugtraq,550
-911 || WEB-COLDFUSION exprcalc access || cve,1999-0455 || bugtraq,550 || bugtraq,115
-912 || WEB-COLDFUSION parks access || bugtraq,550
-913 || WEB-COLDFUSION cfappman access || bugtraq,550
-914 || WEB-COLDFUSION beaninfo access || bugtraq,550
-915 || WEB-COLDFUSION evaluate.cfm access || bugtraq,550
-916 || WEB-COLDFUSION getodbcdsn access || bugtraq,550
-917 || WEB-COLDFUSION db connections flush attempt || bugtraq,550
-918 || WEB-COLDFUSION expeval access || cve,1999-0477 || bugtraq,550
-919 || WEB-COLDFUSION datasource passwordattempt || bugtraq,550
-920 || WEB-COLDFUSION datasource attempt || bugtraq,550
-921 || WEB-COLDFUSION admin encrypt attempt || bugtraq,550
-922 || WEB-COLDFUSION displayfile access || bugtraq,550
-923 || WEB-COLDFUSION getodbcin attempt || bugtraq,550
-924 || WEB-COLDFUSION admin decrypt attempt || bugtraq,550
-925 || WEB-COLDFUSION mainframeset access || bugtraq,550
-926 || WEB-COLDFUSION set odbc ini attempt || bugtraq,550
-927 || WEB-COLDFUSION settings refresh attempt || bugtraq,550
-928 || WEB-COLDFUSION exampleapp access
-929 || WEB-COLDFUSION CFUSION_VERIFYMAIL access || bugtraq,550
-930 || WEB-COLDFUSION snippets attempt || bugtraq,550
-931 || WEB-COLDFUSION cfmlsyntaxcheck.cfm access || bugtraq,550
-932 || WEB-COLDFUSION application.cfm access || cve,2000-0189 || bugtraq,550 || arachnids,268
-933 || WEB-COLDFUSION onrequestend.cfm access || cve,2000-0189 || bugtraq,550 || arachnids,269
-935 || WEB-COLDFUSION startstop DOS access || bugtraq,247
-936 || WEB-COLDFUSION gettempdirectory.cfm access  || bugtraq,550
-937 || WEB-FRONTPAGE _vti_rpc access || bugtraq,2144
-939 || WEB-FRONTPAGE posting
-940 || WEB-FRONTPAGE shtml.dll access || arachnids,292
-941 || WEB-FRONTPAGE contents.htm access
-942 || WEB-FRONTPAGE orders.htm access
-943 || WEB-FRONTPAGE fpsrvadm.exe access
-944 || WEB-FRONTPAGE fpremadm.exe access
-945 || WEB-FRONTPAGE fpadmin.htm access
-946 || WEB-FRONTPAGE fpadmcgi.exe access
-947 || WEB-FRONTPAGE orders.txt access
-948 || WEB-FRONTPAGE form_results access
-949 || WEB-FRONTPAGE registrations.htm access
-950 || WEB-FRONTPAGE cfgwiz.exe access
-951 || WEB-FRONTPAGE authors.pwd access || nessus,10078 || cve,1999-0386 || bugtraq,989
-952 || WEB-FRONTPAGE author.exe access
-953 || WEB-FRONTPAGE administrators.pwd access || bugtraq,1205
-954 || WEB-FRONTPAGE form_results.htm access
-955 || WEB-FRONTPAGE access.cnf access
-956 || WEB-FRONTPAGE register.txt access
-957 || WEB-FRONTPAGE registrations.txt access
-958 || WEB-FRONTPAGE service.cnf access
-959 || WEB-FRONTPAGE service.pwd || bugtraq,1205
-960 || WEB-FRONTPAGE service.stp access
-961 || WEB-FRONTPAGE services.cnf access
-962 || WEB-FRONTPAGE shtml.exe access || nessus,10405 || cve,2000-0709 || cve,2000-0413 || bugtraq,1608 || bugtraq,1174
-963 || WEB-FRONTPAGE svcacl.cnf access
-964 || WEB-FRONTPAGE users.pwd access
-965 || WEB-FRONTPAGE writeto.cnf access
-966 || WEB-FRONTPAGE .... request || cve,2000-0153 || cve,1999-0386 || bugtraq,989 || arachnids,248
-967 || WEB-FRONTPAGE dvwssr.dll access || url,www.microsoft.com/technet/security/bulletin/ms00-025.mspx || cve,2000-0260 || bugtraq,1109 || bugtraq,1108 || arachnids,271
-968 || WEB-FRONTPAGE register.htm access
-969 || WEB-IIS WebDAV file lock attempt || bugtraq,2736
-970 || WEB-IIS multiple decode attempt || cve,2001-0333 || bugtraq,2708
-971 || WEB-IIS ISAPI .printer access || cve,2001-0241 || bugtraq,2674 || arachnids,533
-972 || WEB-IIS %2E-asp access || cve,1999-0253 || bugtraq,1814
-973 || WEB-IIS *.idc attempt || cve,2000-0661 || cve,1999-0874 || bugtraq,1448
-974 || WEB-IIS Directory transversal attempt || cve,1999-0229 || bugtraq,2218
-975 || WEB-IIS Alternate Data streams ASP file access attempt || url,support.microsoft.com/default.aspx?scid=kb\ || nessus,10362 || cve,1999-0278 || bugtraq,149
-976 || WEB-IIS .bat? access || url,support.microsoft.com/support/kb/articles/Q155/0/56.asp || url,support.microsoft.com/support/kb/articles/Q148/1/88.asp || cve,1999-0233 || bugtraq,2023
-977 || WEB-IIS .cnf access
-978 || WEB-IIS ASP contents view || nessus,10356 || cve,2000-0302 || bugtraq,1084
-979 || WEB-IIS ASP contents view || cve,2000-0942 || bugtraq,1861
-980 || WEB-IIS CGImail.exe access || cve,2000-0726 || bugtraq,1623
-981 || WEB-IIS unicode directory traversal attempt || cve,2000-0884 || bugtraq,1806
-982 || WEB-IIS unicode directory traversal attempt || cve,2000-0884 || bugtraq,1806
-983 || WEB-IIS unicode directory traversal attempt || cve,2000-0884 || bugtraq,1806
-984 || WEB-IIS JET VBA access || cve,1999-0874 || bugtraq,307
-985 || WEB-IIS JET VBA access || cve,1999-0874 || bugtraq,286
-986 || WEB-IIS MSProxy access
-987 || WEB-IIS .htr access || cve,2000-0630 || bugtraq,1488
-988 || WEB-IIS SAM Attempt || url,www.ciac.org/ciac/bulletins/h-45.shtml
-989 || WEB-IIS Unicode2.pl script File permission canonicalization
-990 || WEB-IIS _vti_inf access
-991 || WEB-IIS achg.htr access || cve,1999-0407 || bugtraq,2110
-992 || WEB-IIS adctest.asp access
-993 || WEB-IIS iisadmin access
-994 || WEB-IIS /scripts/iisadmin/default.htm access
-995 || WEB-IIS ism.dll access || cve,2000-0630 || cve,1999-1538 || bugtraq,189
-996 || WEB-IIS anot.htr access || cve,1999-0407 || bugtraq,2110
-997 || WEB-IIS asp-dot attempt
-998 || WEB-IIS asp-srch attempt
-999 || WEB-IIS bdir access
-1000 || WEB-IIS bdir.htr access
-1001 || WEB-MISC carbo.dll access || cve,1999-1069 || bugtraq,2126
-1002 || WEB-IIS cmd.exe access
-1003 || WEB-IIS cmd? access
-1004 || WEB-IIS codebrowser Exair access || cve,1999-0815 || cve,1999-0499
-1005 || WEB-IIS codebrowser SDK access || cve,1999-0736 || bugtraq,167
-1007 || WEB-IIS cross-site scripting attempt
-1008 || WEB-IIS del attempt
-1009 || WEB-IIS directory listing
-1010 || WEB-IIS encoding access || arachnids,200
-1011 || WEB-IIS exec-src access
-1012 || WEB-IIS fpcount attempt || cve,1999-1376 || bugtraq,2252
-1013 || WEB-IIS fpcount access || cve,1999-1376 || bugtraq,2252
-1015 || WEB-IIS getdrvs.exe access
-1016 || WEB-IIS global.asa access || nessus,10491 || cve,2000-0778
-1017 || WEB-IIS idc-srch attempt || cve,1999-0874
-1018 || WEB-IIS iisadmpwd attempt || cve,2000-0304 || bugtraq,2110 || bugtraq,1191
-1019 || WEB-IIS index server file source code attempt
-1020 || WEB-IIS isc$data attempt || cve,1999-0874 || bugtraq,307
-1021 || WEB-IIS ism.dll attempt || cve,2000-0457 || bugtraq,1193
-1022 || WEB-IIS jet vba access || cve,1999-0874 || bugtraq,286
-1023 || WEB-IIS msadcs.dll access || cve,1999-1011 || bugtraq,529
-1024 || WEB-IIS newdsn.exe access || nessus,10360 || cve,1999-0191 || bugtraq,1818
-1025 || WEB-IIS perl access
-1026 || WEB-IIS perl-browse newline attempt || bugtraq,6833
-1027 || WEB-IIS perl-browse space attempt || bugtraq,6833
-1028 || WEB-IIS query.asp access || cve,1999-0449 || bugtraq,193
-1029 || WEB-IIS scripts-browse access
-1030 || WEB-IIS search97.vts access || bugtraq,162
-1031 || WEB-IIS /SiteServer/Publishing/viewcode.asp access || nessus,10576
-1032 || WEB-IIS showcode access || nessus,10576
-1033 || WEB-IIS showcode access || nessus,10576
-1034 || WEB-IIS showcode access || nessus,10576
-1035 || WEB-IIS showcode access || nessus,10576
-1036 || WEB-IIS showcode access || nessus,10576
-1037 || WEB-IIS showcode.asp access || nessus,10007 || cve,1999-0736 || bugtraq,167
-1038 || WEB-IIS site server config access || cve,1999-1520 || bugtraq,256
-1039 || WEB-IIS srch.htm access
-1040 || WEB-IIS srchadm access
-1041 || WEB-IIS uploadn.asp access
-1042 || WEB-IIS view source via translate header || bugtraq,1578 || arachnids,305
-1043 || WEB-IIS viewcode.asp access || nessus,10576
-1044 || WEB-IIS webhits access || arachnids,237
-1045 || WEB-IIS Unauthorized IP Access Attempt
-1046 || WEB-IIS site/iisamples access
-1047 || WEB-MISC Netscape Enterprise DOS || cve,2001-0251 || bugtraq,2294
-1048 || WEB-MISC Netscape Enterprise directory listing attempt || cve,2001-0250 || bugtraq,2285
-1049 || WEB-MISC iPlanet ../../ DOS attempt || cve,2001-0252 || bugtraq,2282
-1050 || WEB-MISC iPlanet GETPROPERTIES attempt
-1051 || WEB-CGI technote main.cgi file directory traversal attempt || cve,2001-0075 || bugtraq,2156
-1052 || WEB-CGI technote print.cgi directory traversal attempt || cve,2001-0075 || bugtraq,2156
-1053 || WEB-CGI ads.cgi command execution attempt || cve,2001-0025 || bugtraq,2103
-1054 || WEB-MISC weblogic/tomcat .jsp view source attempt || bugtraq,2527
-1055 || WEB-MISC Tomcat directory traversal attempt || bugtraq,2518
-1056 || WEB-MISC Tomcat view source attempt || bugtraq,2527
-1057 || WEB-MISC ftp attempt
-1058 || WEB-MISC xp_enumdsn attempt
-1059 || WEB-MISC xp_filelist attempt
-1060 || WEB-MISC xp_availablemedia attempt
-1061 || WEB-MISC xp_cmdshell attempt
-1062 || WEB-MISC nc.exe attempt
-1064 || WEB-MISC wsh attempt
-1065 || WEB-MISC rcmd attempt
-1066 || WEB-MISC telnet attempt
-1067 || WEB-MISC net attempt
-1068 || WEB-MISC tftp attempt
-1069 || WEB-MISC xp_regread attempt
-1070 || WEB-MISC WebDAV search access || arachnids,474
-1071 || WEB-MISC .htpasswd access
-1072 || WEB-MISC Lotus Domino directory traversal || cve,2001-0009 || bugtraq,2173
-1073 || WEB-MISC webhits.exe access
-1075 || WEB-IIS postinfo.asp access
-1076 || WEB-IIS repost.asp access || nessus,10372
-1077 || WEB-MISC queryhit.htm access
-1078 || WEB-MISC counter.exe access || cve,1999-1030 || bugtraq,267
-1079 || WEB-MISC WebDAV propfind access || cve,2000-0869 || bugtraq,1656
-1080 || WEB-MISC unify eWave ServletExec upload || cve,2000-1025 || cve,2000-1024 || bugtraq,1876 || bugtraq,1868
-1081 || WEB-MISC Netscape Servers suite DOS || cve,2000-1025 || bugtraq,1868
-1082 || WEB-MISC amazon 1-click cookie theft || cve,2000-0439 || bugtraq,1194
-1083 || WEB-MISC unify eWave ServletExec DOS
-1084 || WEB-MISC Allaire JRUN DOS attempt || bugtraq,2337
-1085 || WEB-PHP strings overflow || bugtraq,802 || arachnids,431
-1086 || WEB-PHP strings overflow || cve,2000-0967 || bugtraq,1786 || arachnids,430
-1087 || WEB-MISC whisker tab splice attack || url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html || arachnids,415
-1088 || WEB-CGI eXtropia webstore directory traversal || cve,2000-1005 || bugtraq,1774
-1089 || WEB-CGI shopping cart directory traversal || cve,2000-0921 || bugtraq,1777
-1090 || WEB-CGI Allaire Pro Web Shell attempt
-1091 || WEB-MISC ICQ Webfront HTTP DOS
-1092 || WEB-CGI Armada Style Master Index directory traversal
-1093 || WEB-CGI cached_feed.cgi moreover shopping cart directory traversal || cve,2000-0906 || bugtraq,1762
-1094 || WEB-CGI webstore directory traversal || cve,2000-1005 || bugtraq,1774
-1095 || WEB-MISC Talentsoft Web+ Source Code view access || bugtraq,1722
-1096 || WEB-MISC Talentsoft Web+ internal IP Address access || bugtraq,1720
-1097 || WEB-CGI Talentsoft Web+ exploit attempt || bugtraq,1725
-1098 || WEB-MISC SmartWin CyberOffice Shopping Cart access || cve,2000-0925 || bugtraq,1734
-1099 || WEB-MISC cybercop scan || arachnids,374
-1100 || WEB-MISC L3retriever HTTP Probe || arachnids,310
-1101 || WEB-MISC Webtrends HTTP probe || arachnids,309
-1102 || WEB-MISC Nessus 404 probe || arachnids,301
-1103 || WEB-MISC Netscape admin passwd || bugtraq,1579
-1104 || WEB-MISC whisker space splice attack || url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html || arachnids,296
-1105 || WEB-MISC BigBrother access
-1106 || WEB-CGI Poll-it access || cve,2000-0590 || bugtraq,1431
-1107 || WEB-MISC ftp.pl access || nessus,10467 || cve,2000-0674 || bugtraq,1471
-1108 || WEB-MISC Tomcat server snoop access || cve,2000-0760 || bugtraq,1532
-1109 || WEB-MISC ROXEN directory list attempt || cve,2000-0671 || bugtraq,1510
-1110 || WEB-MISC apache source.asp file access || cve,2000-0628 || bugtraq,1457
-1111 || WEB-MISC Tomcat server exploit access
-1112 || WEB-MISC http directory traversal || arachnids,298
-1113 || WEB-MISC http directory traversal || arachnids,297
-1114 || WEB-MISC prefix-get //
-1115 || WEB-MISC ICQ webserver DOS || cve,1999-0474
-1116 || WEB-MISC Lotus DelDoc attempt
-1117 || WEB-MISC Lotus EditDoc attempt || url,www.securiteam.com/exploits/5NP080A1RE.html
-1118 || WEB-MISC ls%20-l
-1119 || WEB-MISC mlog.phtml access || cve,1999-0346 || cve,1999-0068 || bugtraq,713
-1120 || WEB-MISC mylog.phtml access || cve,1999-0346 || cve,1999-0068 || bugtraq,713
-1121 || WEB-MISC O'Reilly args.bat access
-1122 || WEB-MISC /etc/passwd
-1123 || WEB-MISC ?PageServices access || cve,1999-0269 || bugtraq,7621 || bugtraq,1063
-1124 || WEB-MISC Ecommerce check.txt access
-1125 || WEB-MISC webcart access || nessus,10298 || cve,1999-0610
-1126 || WEB-MISC AuthChangeUrl access
-1127 || WEB-MISC convert.bas access || cve,1999-0175 || bugtraq,2025
-1128 || WEB-MISC cpshost.dll access
-1129 || WEB-MISC .htaccess access
-1130 || WEB-MISC .wwwacl access
-1131 || WEB-MISC .wwwacl access
-1132 || WEB-MISC Netscape Unixware overflow || arachnids,180
-1133 || SCAN cybercop os probe || arachnids,145
-1134 || WEB-PHP Phorum admin access || bugtraq,2271 || arachnids,205
-1136 || WEB-MISC cd..
-1137 || WEB-PHP Phorum authentication access || bugtraq,2274 || arachnids,206
-1138 || WEB-MISC Cisco Web DOS attempt || arachnids,275
-1139 || WEB-MISC whisker HEAD/./ || url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html
-1140 || WEB-MISC guestbook.pl access || nessus,10099 || cve,1999-1053 || cve,1999-0237 || bugtraq,776 || arachnids,228
-1141 || WEB-MISC handler access || nessus,10100 || cve,1999-0148 || bugtraq,380 || arachnids,235
-1142 || WEB-MISC /.... access
-1143 || WEB-MISC ///cgi-bin access
-1144 || WEB-MISC /cgi-bin/// access
-1145 || WEB-MISC /~root access
-1146 || WEB-MISC Ecommerce import.txt access
-1147 || WEB-MISC cat%20 access || cve,1999-0039 || bugtraq,374
-1148 || WEB-MISC Ecommerce import.txt access
-1149 || WEB-CGI count.cgi access || nessus,10049 || cve,1999-0021 || bugtraq,128
-1150 || WEB-MISC Domino catalog.nsf access
-1151 || WEB-MISC Domino domcfg.nsf access
-1152 || WEB-MISC Domino domlog.nsf access
-1153 || WEB-MISC Domino log.nsf access
-1154 || WEB-MISC Domino names.nsf access
-1155 || WEB-MISC Ecommerce checks.txt access
-1156 || WEB-MISC apache DOS attempt
-1157 || WEB-MISC Netscape PublishingXpert access || cve,2000-1196
-1158 || WEB-MISC windmail.exe access || nessus,10365 || cve,2000-0242 || bugtraq,1073 || arachnids,465
-1159 || WEB-MISC webplus access || cve,2000-1005 || bugtraq,1725 || bugtraq,1722 || bugtraq,1720 || bugtraq,1174
-1160 || WEB-MISC Netscape dir index wp || cve,2000-0236 || bugtraq,1063 || arachnids,270
-1161 || WEB-PHP piranha passwd.php3 access || cve,2000-0322 || bugtraq,1149 || arachnids,272
-1162 || WEB-MISC cart 32 AdminPwd access || cve,2000-0429 || bugtraq,1153
-1163 || WEB-CGI webdist.cgi access || nessus,10299 || cve,1999-0039 || bugtraq,374
-1164 || WEB-MISC shopping cart access || cve,2000-1188 || cve,1999-0607 || bugtraq,2049 || bugtraq,1983
-1165 || WEB-MISC Novell Groupwise gwweb.exe access || nessus,10877 || cve,1999-1006 || cve,1999-1005 || bugtraq,879
-1166 || WEB-MISC ws_ftp.ini access || cve,1999-1078 || bugtraq,547
-1167 || WEB-MISC rpm_query access || cve,2000-0192 || bugtraq,1036
-1168 || WEB-MISC mall log order access
-1171 || WEB-MISC whisker HEAD with large datagram || url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html
-1172 || WEB-CGI bigconf.cgi access || nessus,10027 || cve,1999-1550 || bugtraq,778
-1173 || WEB-MISC architext_query.pl access
-1174 || WEB-CGI /cgi-bin/jj access || cve,1999-0260 || bugtraq,2002
-1175 || WEB-MISC wwwboard.pl access || cve,1999-0954 || cve,1999-0930 || bugtraq,649 || bugtraq,1795
-1176 || WEB-MISC order.log access
-1177 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063
-1178 || WEB-PHP Phorum read access || arachnids,208
-1179 || WEB-PHP Phorum violation access || bugtraq,2272 || arachnids,209
-1180 || WEB-MISC get32.exe access || nessus,10013 || cve,1999-0885 || bugtraq,770 || bugtraq,1485 || arachnids,258
-1181 || WEB-MISC Annex Terminal DOS attempt || cve,1999-1070 || arachnids,260
-1182 || WEB-MISC cgitest.exe attempt || nessus,10623 || nessus,10040 || cve,2002-0128 || cve,2000-0521 || bugtraq,3885 || bugtraq,1313 || arachnids,265
-1183 || WEB-MISC Netscape Enterprise Server directory view || cve,2000-0236 || bugtraq,1063
-1184 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063
-1185 || WEB-CGI bizdbsearch attempt || cve,2000-0287 || bugtraq,1104
-1186 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063
-1187 || WEB-MISC SalesLogix Eviewer web command attempt || cve,2000-0289 || cve,2000-0278 || bugtraq,1089 || bugtraq,1078
-1188 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063
-1189 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063
-1190 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063
-1191 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063
-1192 || WEB-MISC Trend Micro OfficeScan access || bugtraq,1057
-1193 || WEB-MISC oracle web arbitrary command execution attempt || nessus,10348 || cve,2000-0169 || bugtraq,1053
-1194 || WEB-CGI sojourn.cgi File attempt || cve,2000-0180 || bugtraq,1052
-1195 || WEB-CGI sojourn.cgi access || cve,2000-0180 || bugtraq,1052
-1196 || WEB-CGI SGI InfoSearch fname attempt || cve,2000-0207 || bugtraq,1031 || arachnids,290
-1197 || WEB-PHP Phorum code access || arachnids,207
-1198 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063
-1199 || WEB-MISC Compaq Insight directory traversal || cve,1999-0771 || bugtraq,282 || arachnids,244
-1200 || ATTACK-RESPONSES Invalid URL || url,www.microsoft.com/technet/security/bulletin/MS00-063.mspx
-1201 || ATTACK-RESPONSES 403 Forbidden
-1202 || WEB-MISC search.vts access
-1204 || WEB-CGI ax-admin.cgi access
-1205 || WEB-CGI axs.cgi access
-1206 || WEB-CGI cachemgr.cgi access || nessus,10034 || cve,1999-0710 || bugtraq,2059
-1207 || WEB-MISC htgrep access || cve,2000-0832
-1208 || WEB-CGI responder.cgi access
-1209 || WEB-MISC .nsconfig access
-1211 || WEB-CGI web-map.cgi access
-1212 || WEB-MISC Admin_files access
-1213 || WEB-MISC backup access
-1214 || WEB-MISC intranet access
-1215 || WEB-CGI ministats admin access
-1216 || WEB-MISC filemail access
-1217 || WEB-MISC plusmail access || cve,2000-0074 || bugtraq,2653
-1218 || WEB-MISC adminlogin access
-1219 || WEB-CGI dfire.cgi access || cve,1999-0913 || bugtraq,564 || bugtraq,0564
-1220 || WEB-MISC ultraboard access
-1221 || WEB-MISC musicat empower access
-1222 || WEB-CGI pals-cgi arbitrary file access attempt || nessus,10611 || cve,2001-0217 || bugtraq,2372
-1224 || WEB-MISC ROADS search.pl attempt || nessus,10627 || cve,2001-0215 || bugtraq,2371
-1225 || X11 MIT Magic Cookie detected || arachnids,396
-1226 || X11 xopen || arachnids,395
-1227 || X11 outbound client connection detected || arachnids,126
-1228 || SCAN nmap XMAS || arachnids,30
-1229 || FTP CWD ... || bugtraq,9237
-1230 || WEB-MISC VirusWall FtpSave access || nessus,10733 || cve,2001-0432 || bugtraq,2808
-1231 || WEB-MISC VirusWall catinfo access || nessus,10650 || cve,2001-0432 || bugtraq,2808 || bugtraq,2579
-1232 || WEB-MISC VirusWall catinfo access || nessus,10650 || cve,2001-0432 || bugtraq,2808 || bugtraq,2579
-1233 || WEB-CLIENT Outlook EML access
-1234 || WEB-MISC VirusWall FtpSaveCSP access || nessus,10733 || cve,2001-0432 || bugtraq,2808
-1235 || WEB-MISC VirusWall FtpSaveCVP access || nessus,10733 || cve,2001-0432 || bugtraq,2808
-1236 || WEB-MISC Tomcat sourecode view
-1237 || WEB-MISC Tomcat sourecode view
-1238 || WEB-MISC Tomcat sourecode view
-1239 || NETBIOS RFParalyze Attempt
-1240 || EXPLOIT MDBMS overflow || cve,2000-0446 || bugtraq,1252
-1241 || WEB-MISC SWEditServlet directory traversal attempt
-1242 || WEB-IIS ISAPI .ida access || cve,2000-0071 || bugtraq,1065 || arachnids,552
-1243 || WEB-IIS ISAPI .ida attempt || cve,2000-0071 || bugtraq,1065 || arachnids,552
-1244 || WEB-IIS ISAPI .idq attempt || cve,2000-0071 || bugtraq,1065 || arachnids,553
-1245 || WEB-IIS ISAPI .idq access || cve,2000-0071 || bugtraq,1065 || arachnids,553
-1246 || WEB-FRONTPAGE rad overflow attempt || url,www.microsoft.com/technet/security/bulletin/MS01-035.mspx || cve,2001-0341 || bugtraq,2906 || arachnids,555
-1247 || WEB-FRONTPAGE rad overflow attempt || cve,2001-0341 || bugtraq,2906
-1248 || WEB-FRONTPAGE rad fp30reg.dll access || url,www.microsoft.com/technet/security/bulletin/MS01-035.mspx || cve,2001-0341 || bugtraq,2906 || arachnids,555
-1249 || WEB-FRONTPAGE frontpage rad fp4areg.dll access || cve,2001-0341 || bugtraq,2906
-1250 || WEB-MISC Cisco IOS HTTP configuration attempt || cve,2001-0537 || bugtraq,2936
-1251 || INFO TELNET Bad Login
-1252 || TELNET bsd telnet exploit response || cve,2001-0554 || bugtraq,3064
-1253 || TELNET bsd exploit client finishing || cve,2001-0554 || bugtraq,3064
-1254 || WEB-PHP PHPLIB remote command attempt || cve,2001-1370 || bugtraq,3079
-1255 || WEB-PHP PHPLIB remote command attempt || cve,2001-1370 || bugtraq,3079
-1256 || WEB-IIS CodeRed v2 root.exe access || url,www.cert.org/advisories/CA-2001-19.html
-1257 || DOS Winnuke attack || cve,1999-0153 || bugtraq,2010
-1258 || WEB-MISC HP OpenView Manager DOS || cve,2001-0552 || bugtraq,2845
-1259 || WEB-MISC SWEditServlet access
-1260 || WEB-MISC long basic authorization string || cve,2001-1067 || bugtraq,3230
-1261 || EXPLOIT AIX pdnsd overflow || cve,1999-0745 || bugtraq,590 || bugtraq,3237
-1262 || RPC portmap admind request TCP || arachnids,18
-1263 || RPC portmap amountd request TCP || arachnids,19
-1264 || RPC portmap bootparam request TCP || cve,1999-0647 || arachnids,16
-1265 || RPC portmap cmsd request TCP || arachnids,17
-1266 || RPC portmap mountd request TCP || arachnids,13
-1267 || RPC portmap nisd request TCP || arachnids,21
-1268 || RPC portmap pcnfsd request TCP || arachnids,22
-1269 || RPC portmap rexd request TCP || arachnids,23
-1270 || RPC portmap rstatd request TCP || arachnids,10
-1271 || RPC portmap rusers request TCP || cve,1999-0626 || arachnids,133
-1272 || RPC portmap sadmind request TCP || arachnids,20
-1273 || RPC portmap selection_svc request TCP || arachnids,25
-1274 || RPC portmap ttdbserv request TCP || url,www.cert.org/advisories/CA-2001-05.html || cve,2001-0717 || cve,1999-1075 || cve,1999-0687 || cve,1999-0003 || bugtraq,3382 || bugtraq,122 || arachnids,24
-1275 || RPC portmap yppasswd request TCP || arachnids,14
-1276 || RPC portmap ypserv request TCP || cve,2002-1232 || cve,2000-1043 || cve,2000-1042 || bugtraq,6016 || bugtraq,5914 || arachnids,12
-1277 || RPC portmap ypupdated request UDP || arachnids,125
-1278 || RPC rstatd query || arachnids,9
-1279 || RPC portmap snmpXdmi request UDP || url,www.cert.org/advisories/CA-2001-05.html || cve,2001-0236 || bugtraq,2417
-1280 || RPC portmap listing UDP 111 || arachnids,428
-1281 || RPC portmap listing UDP 32771 || arachnids,429
-1282 || RPC EXPLOIT statdx || arachnids,442
-1283 || WEB-IIS outlook web dos || bugtraq,3223
-1284 || WEB-CLIENT readme.eml download attempt || url,www.cert.org/advisories/CA-2001-26.html
-1285 || WEB-IIS msdac access
-1286 || WEB-IIS _mem_bin access
-1287 || WEB-IIS scripts access
-1288 || WEB-FRONTPAGE /_vti_bin/ access
-1289 || TFTP GET Admin.dll || url,www.cert.org/advisories/CA-2001-26.html
-1290 || WEB-CLIENT readme.eml autoload attempt || url,www.cert.org/advisories/CA-2001-26.html
-1291 || WEB-MISC sml3com access || cve,2001-0740 || bugtraq,2721
-1292 || ATTACK-RESPONSES directory listing
-1293 || NETBIOS nimda .eml || url,www.f-secure.com/v-descs/nimda.shtml
-1294 || NETBIOS nimda .nws || url,www.f-secure.com/v-descs/nimda.shtml
-1295 || NETBIOS nimda RICHED20.DLL || url,www.f-secure.com/v-descs/nimda.shtml
-1296 || RPC portmap request yppasswdd || bugtraq,2763
-1297 || RPC portmap request yppasswdd || bugtraq,2763
-1298 || RPC portmap tooltalk request TCP || url,www.cert.org/advisories/CA-2001-05.html || cve,2001-0717 || cve,1999-1075 || cve,1999-0687 || cve,1999-0003 || bugtraq,3382
-1299 || RPC portmap tooltalk request UDP || url,www.cert.org/advisories/CA-2001-05.html || cve,2001-0717 || cve,1999-1075 || cve,1999-0687 || cve,1999-0003 || bugtraq,3382
-1300 || WEB-PHP admin.php file upload attempt || cve,2001-1032 || bugtraq,3361
-1301 || WEB-PHP admin.php access || cve,2001-1032 || bugtraq,9270 || bugtraq,7532 || bugtraq,3361
-1302 || WEB-MISC console.exe access || cve,2001-1252 || bugtraq,3375
-1303 || WEB-MISC cs.exe access || cve,2001-1252 || bugtraq,3375
-1304 || WEB-CGI txt2html.cgi access
-1305 || WEB-CGI txt2html.cgi directory traversal attempt
-1306 || WEB-CGI store.cgi product directory traversal attempt || cve,2001-0305 || bugtraq,2385
-1307 || WEB-CGI store.cgi access || nessus,10639 || cve,2001-0305 || bugtraq,2385
-1308 || WEB-CGI sendmessage.cgi access
-1309 || WEB-CGI zsh access || url,www.cert.org/advisories/CA-1996-11.html || cve,1999-0509
-1310 || PORN free XXX
-1311 || PORN hardcore anal
-1312 || PORN nude cheerleader
-1313 || PORN up skirt
-1314 || PORN young teen
-1315 || PORN hot young sex
-1316 || PORN fuck fuck fuck
-1317 || PORN anal sex
-1318 || PORN hardcore rape
-1319 || PORN real snuff
-1320 || PORN fuck movies
-1321 || BAD-TRAFFIC 0 ttl || url,www.isi.edu/in-notes/rfc1122.txt || url,support.microsoft.com/default.aspx?scid=kb\
-1322 || BAD-TRAFFIC bad frag bits
-1323 || EXPLOIT rwhoisd format string attempt || cve,2001-0838 || bugtraq,3474
-1324 || EXPLOIT ssh CRC32 overflow /bin/sh || cve,2001-0572 || cve,2001-0144 || bugtraq,2347
-1325 || EXPLOIT ssh CRC32 overflow filler || cve,2001-0572 || cve,2001-0144 || bugtraq,2347
-1326 || EXPLOIT ssh CRC32 overflow NOOP || cve,2001-0572 || cve,2001-0144 || bugtraq,2347
-1327 || EXPLOIT ssh CRC32 overflow || cve,2001-0572 || cve,2001-0144 || bugtraq,2347
-1328 || WEB-ATTACKS ps command attempt
-1329 || WEB-ATTACKS /bin/ps command attempt
-1330 || WEB-ATTACKS wget command attempt
-1331 || WEB-ATTACKS uname -a command attempt
-1332 || WEB-ATTACKS /usr/bin/id command attempt
-1333 || WEB-ATTACKS id command attempt
-1334 || WEB-ATTACKS echo command attempt
-1335 || WEB-ATTACKS kill command attempt
-1336 || WEB-ATTACKS chmod command attempt
-1337 || WEB-ATTACKS chgrp command attempt
-1338 || WEB-ATTACKS chown command attempt
-1339 || WEB-ATTACKS chsh command attempt
-1340 || WEB-ATTACKS tftp command attempt
-1341 || WEB-ATTACKS /usr/bin/gcc command attempt
-1342 || WEB-ATTACKS gcc command attempt
-1343 || WEB-ATTACKS /usr/bin/cc command attempt
-1344 || WEB-ATTACKS cc command attempt
-1345 || WEB-ATTACKS /usr/bin/cpp command attempt
-1346 || WEB-ATTACKS cpp command attempt
-1347 || WEB-ATTACKS /usr/bin/g++ command attempt
-1348 || WEB-ATTACKS g++ command attempt
-1349 || WEB-ATTACKS bin/python access attempt
-1350 || WEB-ATTACKS python access attempt
-1351 || WEB-ATTACKS bin/tclsh execution attempt
-1352 || WEB-ATTACKS tclsh execution attempt
-1353 || WEB-ATTACKS bin/nasm command attempt
-1354 || WEB-ATTACKS nasm command attempt
-1355 || WEB-ATTACKS /usr/bin/perl execution attempt
-1356 || WEB-ATTACKS perl execution attempt
-1357 || WEB-ATTACKS nt admin addition attempt
-1358 || WEB-ATTACKS traceroute command attempt
-1359 || WEB-ATTACKS ping command attempt
-1360 || WEB-ATTACKS netcat command attempt
-1361 || WEB-ATTACKS nmap command attempt
-1362 || WEB-ATTACKS xterm command attempt
-1363 || WEB-ATTACKS X application to remote host attempt
-1364 || WEB-ATTACKS lsof command attempt
-1365 || WEB-ATTACKS rm command attempt
-1366 || WEB-ATTACKS mail command attempt
-1367 || WEB-ATTACKS mail command attempt
-1368 || WEB-ATTACKS /bin/ls| command attempt
-1369 || WEB-ATTACKS /bin/ls command attempt
-1370 || WEB-ATTACKS /etc/inetd.conf access
-1371 || WEB-ATTACKS /etc/motd access
-1372 || WEB-ATTACKS /etc/shadow access
-1373 || WEB-ATTACKS conf/httpd.conf attempt
-1374 || WEB-ATTACKS .htgroup access
-1375 || WEB-MISC sadmind worm access || url,www.cert.org/advisories/CA-2001-11.html
-1376 || WEB-MISC jrun directory browse attempt || bugtraq,3592
-1377 || FTP wu-ftp bad file completion attempt [ || cve,2001-0886 || cve,2001-0550 || bugtraq,3707 || bugtraq,3581
-1378 || FTP wu-ftp bad file completion attempt { || cve,2001-0886 || cve,2001-0550 || bugtraq,3707 || bugtraq,3581
-1379 || FTP STAT overflow attempt || url,labs.defcom.com/adv/2001/def-2001-31.txt
-1380 || WEB-IIS cross-site scripting attempt
-1381 || WEB-MISC Trend Micro OfficeScan attempt || bugtraq,1057
-1382 || EXPLOIT CHAT IRC Ettercap parse overflow attempt || url,www.bugtraq.org/dev/GOBBLES-12.txt
-1383 || P2P Fastrack kazaa/morpheus GET request || url,www.musiccity.com/technology.htm || url,www.kazaa.com
-1384 || MISC UPnP malformed advertisement || url,www.microsoft.com/technet/security/bulletin/MS01-059.mspx || cve,2001-0877 || cve,2001-0876 || bugtraq,3723
-1385 || WEB-MISC mod-plsql administration access || nessus,10849 || cve,2001-1217 || cve,2001-1216 || bugtraq,3727 || bugtraq,3726
-1386 || MS-SQL/SMB raiserror possible buffer overflow || cve,2001-0542 || bugtraq,3733
-1387 || MS-SQL raiserror possible buffer overflow || cve,2001-0542 || bugtraq,3733
-1388 || MISC UPnP Location overflow || cve,2001-0876 || bugtraq,3723
-1389 || WEB-MISC viewcode.jse access || bugtraq,3715
-1390 || SHELLCODE x86 inc ebx NOOP
-1391 || WEB-MISC Phorecast remote code execution attempt || cve,2001-1049 || bugtraq,3388
-1392 || WEB-CGI lastlines.cgi access || cve,2001-1206 || cve,2001-1205 || bugtraq,3755 || bugtraq,3754
-1393 || MISC AIM AddGame attempt || url,www.w00w00.org/files/w00aimexp/ || cve,2002-0005 || bugtraq,3769
-1394 || SHELLCODE x86 NOOP
-1395 || WEB-CGI zml.cgi attempt || cve,2001-1209 || bugtraq,3759
-1396 || WEB-CGI zml.cgi access || cve,2001-1209 || bugtraq,3759
-1397 || WEB-CGI wayboard attempt || cve,2001-0214 || bugtraq,2370
-1398 || EXPLOIT CDE dtspcd exploit attempt || url,www.cert.org/advisories/CA-2002-01.html || cve,2001-0803 || bugtraq,3517
-1399 || WEB-PHP PHP-Nuke remote file include attempt || cve,2002-0206 || bugtraq,3889
-1400 || WEB-IIS /scripts/samples/ access
-1401 || WEB-IIS /msadc/samples/ access
-1402 || WEB-IIS iissamples access
-1403 || WEB-MISC viewcode access
-1404 || WEB-MISC showcode access
-1405 || WEB-CGI AHG search.cgi access || bugtraq,3985
-1406 || WEB-CGI agora.cgi access || nessus,10836 || cve,2002-0215 || cve,2001-1199 || bugtraq,3976 || bugtraq,3702
-1407 || WEB-PHP smssend.php access || cve,2002-0220 || bugtraq,3982
-1408 || DOS MSDTC attempt || cve,2002-0224 || bugtraq,4006
-1409 || SNMP community string buffer overflow attempt || url,www.cert.org/advisories/CA-2002-03.html || cve,2002-0013 || cve,2002-0012 || bugtraq,4132 || bugtraq,4089 || bugtraq,4088
-1410 || WEB-CGI dcboard.cgi access || nessus,10583 || cve,2001-0527 || bugtraq,2728
-1411 || SNMP public access udp || cve,2002-0013 || cve,2002-0012 || cve,1999-0517 || bugtraq,4089 || bugtraq,4088 || bugtraq,2112
-1412 || SNMP public access tcp || cve,2002-0013 || cve,2002-0012 || cve,1999-0517 || bugtraq,7212 || bugtraq,4089 || bugtraq,4088 || bugtraq,2112
-1413 || SNMP private access udp || cve,2002-0013 || cve,2002-0012 || bugtraq,7212 || bugtraq,4132 || bugtraq,4089 || bugtraq,4088
-1414 || SNMP private access tcp || cve,2002-0013 || cve,2002-0012 || bugtraq,4132 || bugtraq,4089 || bugtraq,4088
-1415 || SNMP Broadcast request || cve,2002-0013 || cve,2002-0012 || bugtraq,4132 || bugtraq,4089 || bugtraq,4088
-1416 || SNMP broadcast trap || cve,2002-0013 || cve,2002-0012 || bugtraq,4132 || bugtraq,4089 || bugtraq,4088
-1417 || SNMP request udp || cve,2002-0013 || cve,2002-0012 || bugtraq,4132 || bugtraq,4089 || bugtraq,4088
-1418 || SNMP request tcp || cve,2002-0013 || cve,2002-0012 || bugtraq,4132 || bugtraq,4089 || bugtraq,4088
-1419 || SNMP trap udp || cve,2002-0013 || cve,2002-0012 || bugtraq,4132 || bugtraq,4089 || bugtraq,4088
-1420 || SNMP trap tcp || cve,2002-0013 || cve,2002-0012 || bugtraq,4132 || bugtraq,4089 || bugtraq,4088
-1421 || SNMP AgentX/tcp request || cve,2002-0013 || cve,2002-0012 || bugtraq,4132 || bugtraq,4089 || bugtraq,4088
-1422 || SNMP community string buffer overflow attempt with evasion || url,www.cert.org/advisories/CA-2002-03.html || cve,2002-0013 || cve,2002-0012 || bugtraq,4132 || bugtraq,4089 || bugtraq,4088
-1423 || WEB-PHP content-disposition memchr overflow || cve,2002-0081 || bugtraq,4183
-1424 || SHELLCODE x86 0xEB0C NOOP
-1425 || WEB-PHP content-disposition || cve,2002-0081 || bugtraq,4183
-1426 || SNMP PROTOS test-suite-req-app attempt || url,www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html
-1427 || SNMP PROTOS test-suite-trap-app attempt || url,www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html
-1428 || MULTIMEDIA audio galaxy keepalive
-1429 || POLICY poll.gotomypc.com access || url,www.gotomypc.com/help2.tmpl
-1430 || TELNET Solaris memory mismanagement exploit attempt
-1431 || BAD-TRAFFIC syn to multicast address
-1432 || P2P GNUTella client request
-1433 || WEB-MISC .history access
-1434 || WEB-MISC .bash_history access
-1435 || DNS named authors attempt || nessus,10728 || arachnids,480
-1436 || MULTIMEDIA Quicktime User Agent access
-1437 || MULTIMEDIA Windows Media audio download
-1438 || MULTIMEDIA Windows Media Video download
-1439 || MULTIMEDIA Shoutcast playlist redirection
-1440 || MULTIMEDIA Icecast playlist redirection
-1441 || TFTP GET nc.exe
-1442 || TFTP GET shadow
-1443 || TFTP GET passwd
-1444 || TFTP Get
-1445 || POLICY FTP file_id.diz access possible warez site
-1446 || SMTP vrfy root
-1447 || MISC MS Terminal server request RDP || cve,2001-0540 || bugtraq,3099
-1448 || MISC MS Terminal server request || cve,2001-0540 || bugtraq,3099
-1449 || POLICY FTP anonymous ftp login attempt
-1450 || SMTP expn *@ || cve,1999-1200
-1451 || WEB-CGI NPH-publish access || cve,2001-0400 || bugtraq,2563
-1452 || WEB-CGI args.cmd access || cve,1999-1374
-1453 || WEB-CGI AT-generated.cgi access || cve,1999-1072
-1454 || WEB-CGI wwwwais access || nessus,10597 || cve,2001-0223
-1455 || WEB-CGI calender.pl access || cve,2000-0432
-1456 || WEB-CGI calender_admin.pl access || cve,2000-0432
-1457 || WEB-CGI user_update_admin.pl access || cve,2000-0627 || bugtraq,1486
-1458 || WEB-CGI user_update_passwd.pl access || cve,2000-0627 || bugtraq,1486
-1459 || WEB-CGI bb-histlog.sh access || cve,1999-1462 || bugtraq,142
-1460 || WEB-CGI bb-histsvc.sh access || cve,1999-1462 || bugtraq,142
-1461 || WEB-CGI bb-rep.sh access || cve,1999-1462 || bugtraq,142
-1462 || WEB-CGI bb-replog.sh access || cve,1999-1462 || bugtraq,142
-1463 || CHAT IRC message
-1464 || ATTACK-RESPONSES oracle one hour install
-1465 || WEB-CGI auktion.cgi access || nessus,10638 || cve,2001-0212 || bugtraq,2367
-1466 || WEB-CGI cgiforum.pl access || nessus,10552 || cve,2000-1171 || bugtraq,1963
-1467 || WEB-CGI directorypro.cgi access || cve,2001-0780 || bugtraq,2793
-1468 || WEB-CGI Web Shopper shopper.cgi attempt || cve,2000-0922 || bugtraq,1776
-1469 || WEB-CGI Web Shopper shopper.cgi access || cve,2000-0922 || bugtraq,1776
-1470 || WEB-CGI listrec.pl access || cve,2001-0997
-1471 || WEB-CGI mailnews.cgi access || cve,2001-0271
-1472 || WEB-CGI book.cgi access || nessus,10721 || cve,2001-1114 || bugtraq,3178
-1473 || WEB-CGI newsdesk.cgi access || cve,2001-0232
-1474 || WEB-CGI cal_make.pl access || cve,2001-0463 || bugtraq,2663
-1475 || WEB-CGI mailit.pl access
-1476 || WEB-CGI sdbsearch.cgi access || cve,2001-1130
-1477 || WEB-CGI swc attempt
-1478 || WEB-CGI swc access
-1479 || WEB-CGI ttawebtop.cgi arbitrary file attempt || nessus,10696 || cve,2001-0805 || bugtraq,2890
-1480 || WEB-CGI ttawebtop.cgi access || nessus,10696 || cve,2001-0805 || bugtraq,2890
-1481 || WEB-CGI upload.cgi access || nessus,10290
-1482 || WEB-CGI view_source access || nessus,10294
-1483 || WEB-CGI ustorekeeper.pl access || nessus,10646 || cve,2001-0466
-1484 || WEB-IIS /isapi/tstisapi.dll access || cve,2001-0302 || bugtraq,2381
-1485 || WEB-IIS mkilog.exe access
-1486 || WEB-IIS ctss.idc access
-1487 || WEB-IIS /iisadmpwd/aexp2.htr access
-1488 || WEB-CGI store.cgi directory traversal attempt || nessus,10639 || cve,2001-0305 || bugtraq,2385
-1489 || WEB-MISC /~nobody access
-1490 || WEB-PHP Phorum /support/common.php attempt
-1491 || WEB-PHP Phorum /support/common.php access
-1492 || WEB-MISC RBS ISP /newuser  directory traversal attempt
-1493 || WEB-MISC RBS ISP /newuser access
-1494 || WEB-CGI SIX webboard generate.cgi attempt || cve,2001-1115 || bugtraq,3175
-1495 || WEB-CGI SIX webboard generate.cgi access || cve,2001-1115 || bugtraq,3175
-1496 || WEB-CGI spin_client.cgi access
-1497 || WEB-MISC cross site scripting attempt
-1498 || WEB-MISC PIX firewall manager directory traversal attempt
-1499 || WEB-MISC SiteScope Service access || nessus,10778
-1500 || WEB-MISC ExAir access || cve,1999-0449 || bugtraq,193
-1501 || WEB-CGI a1stats a1disp3.cgi directory traversal attempt || nessus,10669 || cve,2001-0561 || bugtraq,2705
-1502 || WEB-CGI a1stats a1disp3.cgi access || nessus,10669 || cve,2001-0561 || bugtraq,2705
-1503 || WEB-CGI admentor admin.asp access || url,www.securiteam.com/windowsntfocus/5DP0N1F6AW.html || nessus,10880 || cve,2002-0308 || bugtraq,4152
-1504 || MISC AFS access || nessus,10441
-1505 || WEB-CGI alchemy http server PRN arbitrary command execution attempt || cve,2001-0871 || bugtraq,3599
-1506 || WEB-CGI alchemy http server NUL arbitrary command execution attempt || cve,2001-0871 || bugtraq,3599
-1507 || WEB-CGI alibaba.pl arbitrary command execution attempt || nessus,10013 || cve,1999-0885
-1508 || WEB-CGI alibaba.pl access || cve ,CAN-1999-0885
-1509 || WEB-CGI AltaVista Intranet Search directory traversal attempt || nessus,10015 || cve,2000-0039 || bugtraq,896
-1510 || WEB-CGI test.bat arbitrary command execution attempt || nessus,10016 || cve,1999-0947 || bugtraq,762
-1511 || WEB-CGI test.bat access || nessus,10016 || cve,1999-0947 || bugtraq,762
-1512 || WEB-CGI input.bat arbitrary command execution attempt || nessus,10016 || cve,1999-0947 || bugtraq,762
-1513 || WEB-CGI input.bat access || nessus,10016 || cve,1999-0947 || bugtraq,762
-1514 || WEB-CGI input2.bat arbitrary command execution attempt || nessus,10016 || cve,1999-0947 || bugtraq,762
-1515 || WEB-CGI input2.bat access || nessus,10016 || cve,1999-0947 || bugtraq,762
-1516 || WEB-CGI envout.bat arbitrary command execution attempt || nessus,10016 || cve,1999-0947 || bugtraq,762
-1517 || WEB-CGI envout.bat access || nessus,10016 || cve,1999-0947 || bugtraq,762
-1518 || WEB-MISC nstelemetry.adp access
-1519 || WEB-MISC apache ?M=D directory list attempt || cve,2001-0731 || bugtraq,3009
-1520 || WEB-MISC server-info access || url,httpd.apache.org/docs/mod/mod_info.html
-1521 || WEB-MISC server-status access || url,httpd.apache.org/docs/mod/mod_info.html
-1522 || WEB-MISC ans.pl attempt || nessus,10875 || cve,2002-0307 || cve,2002-0306 || bugtraq,4149 || bugtraq,4147
-1523 || WEB-MISC ans.pl access || nessus,10875 || cve,2002-0307 || cve,2002-0306 || bugtraq,4149 || bugtraq,4147
-1524 || WEB-MISC AxisStorpoint CD attempt || nessus,10023 || cve,2000-0191 || bugtraq,1025
-1525 || WEB-MISC Axis Storpoint CD access || nessus,10023 || cve,2000-0191 || bugtraq,1025
-1526 || WEB-MISC basilix sendmail.inc access || nessus,10601 || cve,2001-1044
-1527 || WEB-MISC basilix mysql.class access || nessus,10601 || cve,2001-1044
-1528 || WEB-MISC BBoard access || nessus,10507 || cve,2000-0629 || bugtraq,1459
-1529 || FTP SITE overflow attempt || cve,2001-0770 || cve,2001-0755 || cve,1999-0838
-1530 || FTP format string attempt
-1531 || WEB-CGI bb-hist.sh attempt || nessus,10025 || cve,1999-1462 || bugtraq,142
-1532 || WEB-CGI bb-hostscv.sh attempt || nessus,10460 || cve,2000-0638 || bugtraq,1455
-1533 || WEB-CGI bb-hostscv.sh access || nessus,10460 || cve,2000-0638 || bugtraq,1455
-1534 || WEB-CGI agora.cgi attempt || nessus,10836 || cve,2002-0215 || cve,2001-1199 || bugtraq,3976 || bugtraq,3702
-1535 || WEB-CGI bizdbsearch access || cve,2000-0287 || bugtraq,1104
-1536 || WEB-CGI calendar_admin.pl arbitrary command execution attempt || cve,2000-0432
-1537 || WEB-CGI calendar_admin.pl access || cve,2000-0432
-1538 || NNTP AUTHINFO USER overflow attempt || cve,2000-0341 || bugtraq,1156 || arachnids,274
-1539 || WEB-CGI /cgi-bin/ls access || cve,2000-0079 || bugtraq,936
-1540 || WEB-COLDFUSION ?Mode=debug attempt
-1541 || FINGER version query
-1542 || WEB-CGI cgimail access || cve,2000-0726
-1543 || WEB-CGI cgiwrap access || nessus,10041 || cve,2001-0987 || cve,2000-0431 || cve,1999-1530 || bugtraq,777 || bugtraq,3084 || bugtraq,1238
-1544 || WEB-MISC Cisco Catalyst command execution attempt || cve,2000-0945 || bugtraq,1846
-1545 || DOS Cisco attempt
-1546 || WEB-MISC Cisco /%% DOS attempt || cve,2000-0380 || bugtraq,1154
-1547 || WEB-CGI csSearch.cgi arbitrary command execution attempt || nessus,10924 || cve,2002-0495 || bugtraq,4368
-1548 || WEB-CGI csSearch.cgi access || nessus,10924 || cve,2002-0495 || bugtraq,4368
-1549 || SMTP HELO overflow attempt || nessus,11674 || nessus,10324 || cve,2000-0042 || bugtraq,895 || bugtraq,7726
-1550 || SMTP ETRN overflow attempt || cve,2000-0490 || bugtraq,1297
-1551 || WEB-MISC /CVS/Entries access
-1552 || WEB-MISC cvsweb version access || cve,2000-0670
-1553 || WEB-CGI /cart/cart.cgi access || cve,2000-0252 || bugtraq,1115
-1554 || WEB-CGI dbman db.cgi access || nessus,10403 || cve,2000-0381 || bugtraq,1178
-1555 || WEB-CGI DCShop access || cve,2001-0821 || bugtraq,2889
-1556 || WEB-CGI DCShop orders.txt access || cve,2001-0821 || bugtraq,2889
-1557 || WEB-CGI DCShop auth_user_file.txt access || cve,2001-0821 || bugtraq,2889
-1558 || WEB-MISC Delegate whois overflow attempt || cve,2000-0165
-1559 || WEB-MISC /doc/packages access
-1560 || WEB-MISC /doc/ access || cve,1999-0678 || bugtraq,318
-1561 || WEB-MISC ?open access
-1562 || FTP SITE CHOWN overflow attempt || cve,2001-0065 || bugtraq,2120
-1563 || WEB-MISC login.htm attempt || cve,1999-1533 || bugtraq,665
-1564 || WEB-MISC login.htm access || cve,1999-1533 || bugtraq,665
-1565 || WEB-CGI eshop.pl arbitrary commane execution attempt || cve,2001-1014 || bugtraq,3340
-1566 || WEB-CGI eshop.pl access || cve,2001-1014 || bugtraq,3340
-1567 || WEB-IIS /exchange/root.asp attempt
-1568 || WEB-IIS /exchange/root.asp access
-1569 || WEB-CGI loadpage.cgi directory traversal attempt
-1570 || WEB-CGI loadpage.cgi access
-1571 || WEB-CGI dcforum.cgi directory traversal attempt || cve,2001-0437 || cve,2001-0436 || bugtraq,2611
-1572 || WEB-CGI commerce.cgi arbitrary file access attempt || nessus,10612 || cve,2001-0210 || bugtraq,2361
-1573 || WEB-CGI cgiforum.pl attempt || nessus,10552 || cve,2000-1171 || bugtraq,1963
-1574 || WEB-CGI directorypro.cgi attempt || cve,2001-0780 || bugtraq,2793
-1575 || WEB-MISC Domino mab.nsf access
-1576 || WEB-MISC Domino cersvr.nsf access
-1577 || WEB-MISC Domino setup.nsf access
-1578 || WEB-MISC Domino statrep.nsf access
-1579 || WEB-MISC Domino webadmin.nsf access
-1580 || WEB-MISC Domino events4.nsf access
-1581 || WEB-MISC Domino ntsync4.nsf access
-1582 || WEB-MISC Domino collect4.nsf access
-1583 || WEB-MISC Domino mailw46.nsf access
-1584 || WEB-MISC Domino bookmark.nsf access
-1585 || WEB-MISC Domino agentrunner.nsf access
-1586 || WEB-MISC Domino mail.box access
-1587 || WEB-MISC cgitest.exe access || nessus,10623 || nessus,10040 || cve,2002-0128 || cve,2000-0521 || bugtraq,3885 || bugtraq,1313 || arachnids,265
-1588 || WEB-MISC SalesLogix Eviewer access || cve,2000-0289 || cve,2000-0278 || bugtraq,1089 || bugtraq,1078
-1589 || WEB-MISC musicat empower attempt
-1590 || WEB-CGI faqmanager.cgi arbitrary file access attempt || nessus,10837 || bugtraq,3810
-1591 || WEB-CGI faqmanager.cgi access || nessus,10837 || bugtraq,3810
-1592 || WEB-CGI /fcgi-bin/echo.exe access || nessus,10838
-1593 || WEB-CGI FormHandler.cgi external site redirection attempt || nessus,10075 || cve,1999-1050 || bugtraq,799 || bugtraq,798
-1594 || WEB-CGI FormHandler.cgi access || nessus,10075 || cve,1999-1050 || bugtraq,799 || bugtraq,798
-1595 || WEB-IIS htimage.exe access || nessus,10376 || cve,2000-0256 || cve,2000-0122 || bugtraq,964 || bugtraq,1117
-1597 || WEB-CGI guestbook.cgi access || nessus,10098 || cve,1999-0237
-1598 || WEB-CGI Home Free search.cgi directory traversal attempt || cve,2000-0054 || bugtraq,921
-1599 || WEB-CGI search.cgi access || cve,2000-0054 || bugtraq,921
-1600 || WEB-CGI htsearch arbitrary configuration file attempt || cve,2000-0208
-1601 || WEB-CGI htsearch arbitrary file read attempt || cve,2000-0208 || bugtraq,1026
-1602 || WEB-CGI htsearch access || cve,2000-0208
-1603 || WEB-MISC DELETE attempt
-1604 || WEB-MISC iChat directory traversal attempt || cve,1999-0897
-1605 || DOS iParty DOS attempt || cve,1999-1566 || bugtraq,6844
-1606 || WEB-CGI icat access || cve,1999-1069
-1607 || WEB-CGI HyperSeek hsx.cgi access || cve,2001-0253 || bugtraq,2314
-1608 || WEB-CGI htmlscript attempt || cve,1999-0264 || bugtraq,2001
-1609 || WEB-CGI faxsurvey arbitrary file read attempt || nessus,10067 || cve,1999-0262 || bugtraq,2056
-1610 || WEB-CGI formmail arbitrary command execution attempt || nessus,10782 || nessus,10076 || cve,2000-0411 || cve,1999-0172 || bugtraq,2079 || bugtraq,1187 || arachnids,226
-1611 || WEB-CGI eXtropia webstore access || cve,2000-1005 || bugtraq,1774
-1612 || WEB-MISC ftp.pl attempt || nessus,10467 || cve,2000-0674 || bugtraq,1471
-1613 || WEB-MISC handler attempt || nessus,10100 || cve,1999-0148 || bugtraq,380 || arachnids,235
-1614 || WEB-MISC Novell Groupwise gwweb.exe attempt || nessus,10877 || cve,1999-1006 || cve,1999-1005 || bugtraq,879
-1615 || WEB-MISC htgrep attempt || cve,2000-0832
-1616 || DNS named version attempt || nessus,10028 || arachnids,278
-1617 || WEB-CGI Bugzilla doeditvotes.cgi access || cve,2002-0011 || bugtraq,3800
-1618 || WEB-IIS .asp chunked Transfer-Encoding || nessus,10932 || cve,2002-0079 || cve,2002-0071 || bugtraq,4485 || bugtraq,4474
-1619 || EXPERIMENTAL WEB-IIS .htr request || nessus,10932 || cve,2002-0071 || bugtraq,4474
-1620 || BAD TRAFFIC Non-Standard IP protocol
-1621 || FTP CMD overflow attempt
-1622 || FTP RNFR ././ attempt
-1623 || FTP invalid MODE
-1624 || FTP large PWD command
-1625 || FTP large SYST command
-1626 || WEB-IIS /StoreCSVS/InstantOrder.asmx request
-1627 || BAD-TRAFFIC Unassigned/Reserved IP protocol || url,www.iana.org/assignments/protocol-numbers
-1628 || WEB-CGI FormHandler.cgi directory traversal attempt attempt || nessus,10075 || cve,1999-1050 || bugtraq,799 || bugtraq,798
-1629 || OTHER-IDS SecureNetPro traffic
-1631 || CHAT AIM login
-1632 || CHAT AIM send message
-1633 || CHAT AIM receive message
-1634 || POP3 PASS overflow attempt || nessus,10325 || cve,1999-1511
-1635 || POP3 APOP overflow attempt || nessus,10559 || cve,2000-0841 || cve,2000-0840 || bugtraq,1652
-1636 || MISC Xtramail Username overflow attempt || cve,1999-1511 || bugtraq,791
-1637 || WEB-CGI yabb access || cve,2000-0853 || bugtraq,1668 || arachnids,462
-1638 || SCAN SSH Version map attempt
-1639 || CHAT IRC DCC file transfer request
-1640 || CHAT IRC DCC chat request
-1641 || DOS DB2 dos attempt
-1642 || WEB-CGI document.d2w access || cve,2000-1110 || bugtraq,2017
-1643 || WEB-CGI db2www access || cve,2000-0677
-1644 || WEB-CGI test-cgi attempt || nessus,10282 || cve,1999-0070 || bugtraq,2003 || arachnids,218
-1645 || WEB-CGI testcgi access || nessus,11610 || bugtraq,7214
-1646 || WEB-CGI test.cgi access
-1647 || WEB-CGI faxsurvey attempt full path || nessus,10067 || cve,1999-0262 || bugtraq,2056
-1648 || WEB-CGI perl.exe command attempt || url,www.cert.org/advisories/CA-1996-11.html || nessus,10173 || cve,1999-0509 || arachnids,219
-1649 || WEB-CGI perl command attempt || url,www.cert.org/advisories/CA-1996-11.html || nessus,10173 || cve,1999-0509 || arachnids,219
-1650 || WEB-CGI tst.bat access || nessus,10013 || cve,1999-0885 || bugtraq,770
-1651 || WEB-CGI enivorn.pl access
-1652 || WEB-CGI campus attempt || bugtraq,1975
-1653 || WEB-CGI campus access || bugtraq,1975
-1654 || WEB-CGI cart32.exe access
-1655 || WEB-CGI pfdispaly.cgi arbitrary command execution attempt
-1656 || WEB-CGI pfdispaly.cgi access
-1657 || WEB-CGI pagelog.cgi directory traversal attempt || nessus,10591 || cve,2000-0940 || bugtraq,1864
-1658 || WEB-CGI pagelog.cgi access || nessus,10591 || cve,2000-0940 || bugtraq,1864
-1659 || WEB-COLDFUSION sendmail.cfm access
-1660 || WEB-IIS trace.axd access
-1661 || WEB-IIS cmd32.exe access
-1662 || WEB-MISC /~ftp access
-1663 || WEB-MISC *%0a.pl access
-1664 || WEB-MISC mkplog.exe access
-1665 || WEB-MISC mkilog.exe access
-1666 || ATTACK-RESPONSES index of /cgi-bin/ response || nessus,10039
-1667 || WEB-MISC cross site scripting HTML Image tag set to javascript attempt
-1668 || WEB-CGI /cgi-bin/ access
-1669 || WEB-CGI /cgi-dos/ access
-1670 || WEB-MISC /home/ftp access
-1671 || WEB-MISC /home/www access
-1672 || FTP CWD ~ attempt || cve,2001-0421 || bugtraq,9215 || bugtraq,2601
-1673 || ORACLE EXECUTE_SYSTEM attempt
-1674 || ORACLE connect_data remote version detection attempt
-1675 || ORACLE misparsed login response
-1676 || ORACLE select union attempt
-1677 || ORACLE select like '%' attempt
-1678 || ORACLE select like '%' attempt backslash escaped
-1679 || ORACLE describe attempt
-1680 || ORACLE all_constraints access
-1681 || ORACLE all_views access
-1682 || ORACLE all_source access
-1683 || ORACLE all_tables access
-1684 || ORACLE all_tab_columns access
-1685 || ORACLE all_tab_privs access
-1686 || ORACLE dba_tablespace access
-1687 || ORACLE dba_tables access
-1688 || ORACLE user_tablespace access
-1689 || ORACLE sys.all_users access
-1690 || ORACLE grant attempt
-1691 || ORACLE ALTER USER attempt
-1692 || ORACLE drop table attempt
-1693 || ORACLE create table attempt
-1694 || ORACLE alter table attempt
-1695 || ORACLE truncate table attempt
-1696 || ORACLE create database attempt
-1697 || ORACLE alter database attempt
-1698 || ORACLE execute_system attempt
-1699 || P2P Fastrack kazaa/morpheus traffic || url,www.kazaa.com
-1700 || WEB-CGI imagemap.exe access || nessus,10122 || cve,1999-0951 || bugtraq,739 || arachnids,412
-1701 || WEB-CGI calendar-admin.pl access || bugtraq,1215
-1702 || WEB-CGI Amaya templates sendtemp.pl access || cve,2001-0272 || bugtraq,2504
-1703 || WEB-CGI auktion.cgi directory traversal attempt || nessus,10638 || cve,2001-0212 || bugtraq,2367
-1704 || WEB-CGI cal_make.pl directory traversal attempt || cve,2001-0463 || bugtraq,2663
-1705 || WEB-CGI echo.bat arbitrary command execution attempt || nessus,10246 || cve,2000-0213 || bugtraq,1002
-1706 || WEB-CGI echo.bat access || nessus,10246 || cve,2000-0213 || bugtraq,1002
-1707 || WEB-CGI hello.bat arbitrary command execution attempt || nessus,10246 || cve,2000-0213 || bugtraq,1002
-1708 || WEB-CGI hello.bat access || nessus,10246 || cve,2000-0213 || bugtraq,1002
-1709 || WEB-CGI ad.cgi access
-1710 || WEB-CGI bbs_forum.cgi access
-1711 || WEB-CGI bsguest.cgi access
-1712 || WEB-CGI bslist.cgi access
-1713 || WEB-CGI cgforum.cgi access
-1714 || WEB-CGI newdesk access
-1715 || WEB-CGI register.cgi access
-1716 || WEB-CGI gbook.cgi access || cve,2000-1131 || bugtraq,1940
-1717 || WEB-CGI simplestguest.cgi access
-1718 || WEB-CGI statusconfig.pl access
-1719 || WEB-CGI talkback.cgi directory traversal attempt
-1720 || WEB-CGI talkback.cgi access
-1721 || WEB-CGI adcycle access
-1722 || WEB-CGI MachineInfo access
-1723 || WEB-CGI emumail.cgi NULL attempt || cve,2002-1526 || bugtraq,5824
-1724 || WEB-CGI emumail.cgi access || cve,2002-1526 || bugtraq,5824
-1725 || WEB-IIS +.htr code fragment attempt || cve,2000-0630 || bugtraq,1488
-1726 || WEB-IIS doctodep.btr access
-1727 || WEB-CGI SGI InfoSearch fname access || cve,2000-0207 || bugtraq,1031 || arachnids,290
-1728 || FTP CWD ~<CR><NEWLINE> attempt || cve,2001-0421 || bugtraq,2601
-1729 || CHAT IRC channel join
-1730 || WEB-CGI ustorekeeper.pl directory traversal attempt || nessus,10645 || cve,2001-0466
-1731 || WEB-CGI a1stats access || nessus,10669 || cve,2001-0561 || bugtraq,2705
-1732 || RPC portmap rwalld request UDP
-1733 || RPC portmap rwalld request TCP
-1734 || FTP USER overflow attempt || cve,2002-0126 || cve,2001-0826 || cve,2001-0794 || cve,2000-1194 || cve,2000-1035 || cve,2000-0943 || cve,2000-0656 || cve,2000-0479 || bugtraq,4638 || bugtraq,1690 || bugtraq,1504 || bugtraq,1227
-1735 || WEB-CLIENT XMLHttpRequest attempt
-1736 || WEB-PHP squirrel mail spell-check arbitrary command attempt || bugtraq,3952
-1737 || WEB-PHP squirrel mail theme arbitrary command attempt || cve,2002-0516 || bugtraq,4385
-1738 || WEB-MISC global.inc access || cve,2002-0614 || bugtraq,4612
-1739 || WEB-PHP DNSTools administrator authentication bypass attempt || cve,2002-0613 || bugtraq,4617
-1740 || WEB-PHP DNSTools authentication bypass attempt || cve,2002-0613 || bugtraq,4617
-1741 || WEB-PHP DNSTools access || cve,2002-0613 || bugtraq,4617
-1742 || WEB-PHP Blahz-DNS dostuff.php modify user attempt || cve,2002-0599 || bugtraq,4618
-1743 || WEB-PHP Blahz-DNS dostuff.php access || cve,2002-0599 || bugtraq,4618
-1744 || WEB-MISC SecureSite authentication bypass attempt || bugtraq,4621
-1745 || WEB-PHP Messagerie supp_membre.php access || bugtraq,4635
-1746 || RPC portmap cachefsd request UDP || cve,2002-0084 || cve,2002-0033 || bugtraq,4674
-1747 || RPC portmap cachefsd request TCP || cve,2002-0084 || cve,2002-0033 || bugtraq,4674
-1748 || FTP command overflow attempt || cve,2002-0606 || bugtraq,4638
-1749 || EXPERIMENTAL WEB-IIS .NET trace.axd access
-1750 || WEB-IIS users.xml access
-1751 || EXPLOIT cachefsd buffer overflow attempt || cve,2002-0084 || bugtraq,4631
-1752 || MISC AIM AddExternalApp attempt || url,www.w00w00.org/files/w00aimexp/
-1753 || WEB-IIS as_web.exe access || bugtraq,4670
-1754 || WEB-IIS as_web4.exe access || bugtraq,4670
-1755 || IMAP partial body buffer overflow attempt || cve,2002-0379 || bugtraq,4713
-1756 || WEB-IIS NewsPro administration authentication attempt
-1757 || WEB-MISC b2 arbitrary command execution attempt
-1758 || WEB-MISC b2 access
-1759 || MS-SQL xp_cmdshell program execution 445
-1760 || OTHER-IDS ISS RealSecure 6 event collector connection attempt
-1761 || OTHER-IDS ISS RealSecure 6 daemon connection attempt
-1762 || WEB-CGI phf arbitrary command execution attempt || cve,1999-0067 || bugtraq,629 || arachnids,128
-1763 || WEB-CGI Nortel Contivity cgiproc DOS attempt || nessus,10160 || cve,2000-0064 || cve,2000-0063 || bugtraq,938
-1764 || WEB-CGI Nortel Contivity cgiproc DOS attempt || nessus,10160 || cve,2000-0064 || cve,2000-0063 || bugtraq,938
-1765 || WEB-CGI Nortel Contivity cgiproc access || nessus,10160 || cve,2000-0064 || cve,2000-0063 || bugtraq,938
-1766 || WEB-MISC search.dll directory listing attempt || nessus,10514 || cve,2000-0835 || bugtraq,1684
-1767 || WEB-MISC search.dll access || nessus,10514 || cve,2000-0835 || bugtraq,1684
-1768 || WEB-IIS header field buffer overflow attempt || cve,2002-0150 || bugtraq,4476
-1769 || WEB-MISC .DS_Store access || url,www.macintouch.com/mosxreaderreports46.html
-1770 || WEB-MISC .FBCIndex access || url,www.securiteam.com/securitynews/5LP0O005FS.html
-1771 || POLICY IPSec PGPNet connection attempt
-1772 || WEB-IIS pbserver access || url,www.microsoft.com/technet/security/bulletin/ms00-094.mspx
-1773 || WEB-PHP php.exe access || url,www.securitytracker.com/alerts/2002/Jan/1003104.html
-1774 || WEB-PHP bb_smilies.php access || url,www.securiteam.com/securitynews/Serious_security_hole_in_PHP-Nuke__bb_smilies_.html
-1775 || MYSQL root login attempt
-1776 || MYSQL show databases attempt
-1777 || FTP EXPLOIT STAT * dos attempt || cve,2002-0073 || bugtraq,4482
-1778 || FTP EXPLOIT STAT ? dos attempt || cve,2002-0073 || bugtraq,4482
-1779 || FTP CWD .... attempt || bugtraq,4884
-1780 || IMAP EXPLOIT partial body overflow attempt || cve,2002-0379 || bugtraq,4713
-1781 || PORN dildo
-1782 || PORN nipple clamp
-1783 || PORN oral sex
-1784 || PORN nude celeb
-1785 || PORN voyeur
-1786 || PORN raw sex
-1787 || WEB-CGI csPassword.cgi access || cve,2002-0918 || cve,2002-0917 || bugtraq,4889 || bugtraq,4887 || bugtraq,4886 || bugtraq,4885
-1788 || WEB-CGI csPassword password.cgi.tmp access || cve,2002-0920 || bugtraq,4889
-1789 || CHAT IRC dns request
-1790 || CHAT IRC dns response
-1791 || BACKDOOR fragroute trojan connection attempt || bugtraq,4898
-1792 || NNTP return code buffer overflow attempt || cve,2002-0909 || bugtraq,4900
-1793 || PORN fetish
-1794 || PORN masturbation
-1795 || PORN ejaculation
-1796 || PORN virgin
-1797 || PORN BDSM
-1798 || PORN erotica
-1799 || PORN fisting
-1800 || VIRUS Klez Incoming
-1801 || WEB-IIS .asp HTTP header buffer overflow attempt || cve,2002-0150 || bugtraq,4476
-1802 || WEB-IIS .asa HTTP header buffer overflow attempt || cve,2002-0150 || bugtraq,4476
-1803 || WEB-IIS .cer HTTP header buffer overflow attempt || cve,2002-0150 || bugtraq,4476
-1804 || WEB-IIS .cdx HTTP header buffer overflow attempt || cve,2002-0150 || bugtraq,4476
-1805 || WEB-CGI Oracle reports CGI access || cve,2002-0947 || bugtraq,4848
-1806 || WEB-IIS .htr chunked Transfer-Encoding || cve,2002-0364 || bugtraq,5003 || bugtraq,4855
-1807 || WEB-MISC Chunked-Encoding transfer attempt || cve,2002-0392 || cve,2002-0079 || cve,2002-0071 || bugtraq,5033 || bugtraq,4485 || bugtraq,4474
-1808 || WEB-MISC apache chunked encoding memory corruption exploit attempt || cve,2002-0392 || bugtraq,5033
-1809 || WEB-MISC Apache Chunked-Encoding worm attempt || cve,2002-0392 || cve,2002-0079 || cve,2002-0071 || bugtraq,5033 || bugtraq,4485 || bugtraq,4474
-1810 || ATTACK-RESPONSES successful gobbles ssh exploit GOBBLE || cve,2002-0639 || cve,2002-0390 || bugtraq,5093
-1811 || ATTACK-RESPONSES successful gobbles ssh exploit uname || cve,2002-0639 || cve,2002-0390 || bugtraq,5093
-1812 || EXPLOIT gobbles SSH exploit attempt || cve,2002-0639 || cve,2002-0390 || bugtraq,5093
-1813 || ICMP digital island bandwidth query
-1814 || WEB-MISC CISCO VoIP DOS ATTEMPT || cve,2002-0882 || bugtraq,4798 || bugtraq,4794
-1815 || WEB-PHP directory.php arbitrary command attempt || cve,2002-0434 || bugtraq,4278
-1816 || WEB-PHP directory.php access || cve,2002-0434 || bugtraq,4278
-1817 || WEB-IIS MS Site Server default login attempt || nessus,11018
-1818 || WEB-IIS MS Site Server admin attempt || nessus,11018
-1819 || MISC Alcatel PABX 4400 connection attempt || nessus,11019
-1820 || WEB-MISC IBM Net.Commerce orderdspc.d2w access || nessus,11020 || cve,2001-0319 || bugtraq,2350
-1821 || EXPLOIT LPD dvips remote command execution attempt || nessus,11023 || cve,2001-1002 || bugtraq,3241
-1822 || WEB-CGI alienform.cgi directory traversal attempt || nessus,11027 || cve,2002-0934 || bugtraq,4983
-1823 || WEB-CGI AlienForm af.cgi directory traversal attempt || nessus,11027 || cve,2002-0934 || bugtraq,4983
-1824 || WEB-CGI alienform.cgi access || nessus,11027 || cve,2002-0934 || bugtraq,4983
-1825 || WEB-CGI AlienForm af.cgi access || nessus,11027 || cve,2002-0934 || bugtraq,4983
-1826 || WEB-MISC WEB-INF access || nessus,11037
-1827 || WEB-MISC Tomcat servlet mapping cross site scripting attempt || nessus,11041 || cve,2002-0682 || bugtraq,5193
-1828 || WEB-MISC iPlanet Search directory traversal attempt || nessus,11043 || cve,2002-1042 || bugtraq,5191
-1829 || WEB-MISC Tomcat TroubleShooter servlet access || nessus,11046 || bugtraq,4575
-1830 || WEB-MISC Tomcat SnoopServlet servlet access || nessus,11046 || bugtraq,4575
-1831 || WEB-MISC jigsaw dos attempt || nessus,11047
-1832 || CHAT ICQ forced user addition || cve,2001-1305 || bugtraq,3226
-1833 || PORN naked lesbians
-1834 || WEB-PHP PHP-Wiki cross site scripting attempt || cve,2002-1070 || bugtraq,5254
-1835 || WEB-MISC Macromedia SiteSpring cross site scripting attempt || cve,2002-1027 || bugtraq,5249
-1836 || PORN alt.binaries.pictures.erotica
-1837 || PORN alt.binaries.pictures.tinygirls
-1838 || EXPLOIT SSH server banner overflow || cve,2002-1059 || bugtraq,5287
-1839 || WEB-MISC mailman cross site scripting attempt || cve,2002-0855 || bugtraq,5298
-1840 || WEB-CLIENT Javascript document.domain attempt || bugtraq,5346
-1841 || WEB-CLIENT Javascript URL host spoofing attempt || bugtraq,5293
-1842 || IMAP login buffer overflow attempt || nessus,10125 || cve,1999-0005
-1843 || BACKDOOR trinity connection attempt || nessus,10501 || cve,2000-0138
-1844 || IMAP authenticate overflow attempt || nessus,10292 || cve,1999-0042
-1845 || IMAP list literal overflow attempt || nessus,10374 || cve,2000-0284 || bugtraq,1110
-1846 || POLICY vncviewer Java applet download attempt || nessus,10758
-1847 || WEB-MISC webalizer access || nessus,10816 || cve,2001-0835 || cve,1999-0643 || bugtraq,3473
-1848 || WEB-MISC webcart-lite access || nessus,10298 || cve,1999-0610
-1849 || WEB-MISC webfind.exe access || nessus,10475 || cve,2000-0622 || bugtraq,1487
-1850 || WEB-CGI way-board.cgi access || nessus,10610
-1851 || WEB-MISC active.log access || nessus,10470 || cve,2000-0642 || bugtraq,1497
-1852 || WEB-MISC robots.txt access || nessus,10302
-1853 || BACKDOOR win-trin00 connection attempt || nessus,10307 || cve,2000-0138
-1854 || DDOS Stacheldraht handler->agent niggahbitch || url,staff.washington.edu/dittrich/misc/stacheldraht.analysis
-1855 || DDOS Stacheldraht agent->handler skillz || url,staff.washington.edu/dittrich/misc/stacheldraht.analysis
-1856 || DDOS Stacheldraht handler->agent ficken || url,staff.washington.edu/dittrich/misc/stacheldraht.analysis
-1857 || WEB-MISC robot.txt access || nessus,10302
-1858 || WEB-MISC CISCO PIX Firewall Manager directory traversal attempt || nessus,10819 || cve,1999-0158 || bugtraq,691
-1859 || WEB-MISC Sun JavaServer default password login attempt || nessus,10995 || cve,1999-0508
-1860 || WEB-MISC Linksys router default password login attempt || nessus,10999
-1861 || WEB-MISC Linksys router default username and password login attempt || nessus,10999
-1862 || WEB-CGI mrtg.cgi directory traversal attempt || nessus,11001 || cve,2002-0232 || bugtraq,4017
-1864 || FTP SITE NEWER attempt || nessus,10319 || cve,1999-0880
-1865 || WEB-CGI webdist.cgi arbitrary command attempt || nessus,10299 || cve,1999-0039 || bugtraq,374
-1866 || POP3 USER overflow attempt || nessus,10311 || cve,1999-0494 || bugtraq,789
-1867 || MISC xdmcp info query || nessus,10891
-1868 || WEB-CGI story.pl arbitrary file read attempt || nessus,10817 || cve,2001-0804 || bugtraq,3028
-1869 || WEB-CGI story.pl access || nessus,10817 || cve,2001-0804 || bugtraq,3028
-1870 || WEB-CGI siteUserMod.cgi access || nessus,10253 || cve,2000-0117 || bugtraq,951
-1871 || WEB-MISC Oracle XSQLConfig.xml access || nessus,10855 || cve,2002-0568 || bugtraq,4290
-1872 || WEB-MISC Oracle Dynamic Monitoring Services dms access || nessus,10848
-1873 || WEB-MISC globals.jsa access || nessus,10850 || cve,2002-0562 || bugtraq,4034
-1874 || WEB-MISC Oracle Java Process Manager access || nessus,10851
-1875 || WEB-CGI cgicso access || nessus,10780 || nessus,10779 || bugtraq,6141
-1876 || WEB-CGI nph-publish.cgi access || nessus,10164 || cve,1999-1177
-1877 || WEB-CGI printenv access || nessus,10503 || cve,2000-0868 || bugtraq,1658
-1878 || WEB-CGI sdbsearch.cgi access || nessus,10503 || cve,2000-0868 || bugtraq,1658
-1879 || WEB-CGI book.cgi arbitrary command execution attempt || nessus,10721 || cve,2001-1114 || bugtraq,3178
-1880 || WEB-MISC oracle web application server access || nessus,10348 || cve,2000-0169 || bugtraq,1053
-1881 || WEB-MISC bad HTTP/1.1 request, Potentially worm attack || url,securityresponse.symantec.com/avcenter/security/Content/2002.09.13.html
-1882 || ATTACK-RESPONSES id check returned userid
-1883 || ATTACK-RESPONSES id check returned nobody
-1884 || ATTACK-RESPONSES id check returned web
-1885 || ATTACK-RESPONSES id check returned http
-1886 || ATTACK-RESPONSES id check returned apache
-1887 || MISC OpenSSL Worm traffic || url,www.cert.org/advisories/CA-2002-27.html
-1888 || FTP SITE CPWD overflow attempt || cve,2002-0826 || bugtraq,5427
-1889 || MISC slapper worm admin traffic || url,www.cert.org/advisories/CA-2002-27.html || url,isc.incidents.org/analysis.html?id=167
-1890 || RPC status GHBN format string attack || cve,2000-0666 || bugtraq,1480
-1891 || RPC status GHBN format string attack || cve,2000-0666 || bugtraq,1480
-1892 || SNMP null community string attempt || cve,1999-0517 || bugtraq,8974 || bugtraq,2112
-1893 || SNMP missing community string attempt || cve,1999-0517 || bugtraq,2112
-1894 || EXPLOIT kadmind buffer overflow attempt || url,www.kb.cert.org/vuls/id/875073 || cve,2002-1235 || cve,2002-1226 || bugtraq,6024 || bugtraq,5731
-1895 || EXPLOIT kadmind buffer overflow attempt || url,www.kb.cert.org/vuls/id/875073 || cve,2002-1235 || cve,2002-1226 || bugtraq,6024 || bugtraq,5731
-1896 || EXPLOIT kadmind buffer overflow attempt || url,www.kb.cert.org/vuls/id/875073 || cve,2002-1235 || cve,2002-1226 || bugtraq,6024 || bugtraq,5731
-1897 || EXPLOIT kadmind buffer overflow attempt || url,www.kb.cert.org/vuls/id/875073 || cve,2002-1235 || cve,2002-1226 || bugtraq,6024 || bugtraq,5731
-1898 || EXPLOIT kadmind buffer overflow attempt || url,www.kb.cert.org/vuls/id/875073 || cve,2002-1235 || cve,2002-1226 || bugtraq,6024 || bugtraq,5731
-1899 || EXPLOIT kadmind buffer overflow attempt || url,www.kb.cert.org/vuls/id/875073 || cve,2002-1235 || cve,2002-1226 || bugtraq,6024 || bugtraq,5731
-1900 || ATTACK-RESPONSES successful kadmind buffer overflow attempt || url,www.kb.cert.org/vuls/id/875073 || cve,2002-1235 || cve,2002-1226 || bugtraq,6024 || bugtraq,5731
-1901 || ATTACK-RESPONSES successful kadmind buffer overflow attempt || url,www.kb.cert.org/vuls/id/875073 || cve,2002-1235 || cve,2002-1226 || bugtraq,6024 || bugtraq,5731
-1902 || IMAP lsub literal overflow attempt || nessus,10374 || cve,2000-0284 || bugtraq,1110
-1903 || IMAP rename overflow attempt || nessus,10374 || cve,2000-0284 || bugtraq,1110
-1904 || IMAP find overflow attempt || nessus,10374 || cve,2000-0284 || bugtraq,1110
-1905 || RPC AMD UDP amqproc_mount plog overflow attempt || cve,1999-0704 || bugtraq,614
-1906 || RPC AMD TCP amqproc_mount plog overflow attempt || cve,1999-0704 || bugtraq,614
-1907 || RPC CMSD UDP CMSD_CREATE buffer overflow attempt || cve,1999-0696 || bugtraq,524
-1908 || RPC CMSD TCP CMSD_CREATE buffer overflow attempt || cve,1999-0696 || bugtraq,524
-1909 || RPC CMSD TCP CMSD_INSERT buffer overflow attempt || url,www.cert.org/advisories/CA-99-08-cmsd.html || cve,1999-0696
-1910 || RPC CMSD udp CMSD_INSERT buffer overflow attempt || url,www.cert.org/advisories/CA-99-08-cmsd.html || cve,1999-0696
-1911 || RPC sadmind UDP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt || cve,1999-0977 || bugtraq,866 || bugtraq,0866
-1912 || RPC sadmind TCP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt || cve,1999-0977 || bugtraq,866 || bugtraq,0866
-1913 || RPC STATD UDP stat mon_name format string exploit attempt || cve,2000-0666 || bugtraq,1480
-1914 || RPC STATD TCP stat mon_name format string exploit attempt || cve,2000-0666 || bugtraq,1480
-1915 || RPC STATD UDP monitor mon_name format string exploit attempt || cve,2000-0666 || bugtraq,1480
-1916 || RPC STATD TCP monitor mon_name format string exploit attempt || cve,2000-0666 || bugtraq,1480
-1917 || SCAN UPnP service discover attempt
-1918 || SCAN SolarWinds IP scan attempt
-1919 || FTP CWD overflow attempt || cve,2002-0126 || cve,2000-1194 || cve,2000-1035 || bugtraq,7950 || bugtraq,1690 || bugtraq,1227
-1920 || FTP SITE NEWER overflow attempt || cve,1999-0800 || bugtraq,229
-1921 || FTP SITE ZIPCHK overflow attempt || cve,2000-0040
-1922 || RPC portmap proxy attempt TCP
-1923 || RPC portmap proxy attempt UDP
-1924 || RPC mountd UDP export request || arachnids,26
-1925 || RPC mountd TCP exportall request || arachnids,26
-1926 || RPC mountd UDP exportall request || arachnids,26
-1927 || FTP authorized_keys
-1928 || FTP shadow retrieval attempt
-1929 || BACKDOOR TCPDUMP/PCAP trojan traffic || url,hlug.fscker.com
-1930 || IMAP auth literal overflow attempt || cve,1999-0005
-1931 || WEB-CGI rpc-nlog.pl access || cve,1999-1278
-1932 || WEB-CGI rpc-smb.pl access || cve,1999-1278
-1933 || WEB-CGI cart.cgi access
-1934 || POP2 FOLD overflow attempt || cve,1999-0920 || bugtraq,283
-1935 || POP2 FOLD arbitrary file attempt
-1936 || POP3 AUTH overflow attempt
-1937 || POP3 LIST overflow attempt || cve,2000-0096 || bugtraq,948
-1938 || POP3 XTND overflow attempt
-1939 || MISC bootp hardware address length overflow || cve,1999-0798
-1940 || MISC bootp invalid hardware type || cve,1999-0798
-1941 || TFTP GET filename overflow attempt || cve,2002-0813 || bugtraq,5328
-1942 || FTP RMDIR overflow attempt
-1943 || WEB-MISC /Carello/add.exe access || cve,2000-0396 || bugtraq,1245
-1944 || WEB-MISC /ecscripts/ecware.exe access
-1945 || WEB-IIS unicode directory traversal attempt || cve,2000-0884 || bugtraq,1806
-1946 || WEB-MISC answerbook2 admin attempt
-1947 || WEB-MISC answerbook2 arbitrary command execution attempt
-1948 || DNS zone transfer UDP || cve,1999-0532 || arachnids,212
-1949 || RPC portmap SET attempt TCP 111
-1950 || RPC portmap SET attempt UDP 111
-1951 || RPC mountd TCP mount request
-1952 || RPC mountd UDP mount request
-1953 || RPC AMD TCP pid request
-1954 || RPC AMD UDP pid request
-1955 || RPC AMD TCP version request
-1956 || RPC AMD UDP version request
-1957 || RPC sadmind UDP PING || bugtraq,866
-1958 || RPC sadmind TCP PING || bugtraq,866
-1959 || RPC portmap NFS request UDP
-1960 || RPC portmap NFS request TCP
-1961 || RPC portmap RQUOTA request UDP
-1962 || RPC portmap RQUOTA request TCP
-1963 || RPC RQUOTA getquota overflow attempt UDP || cve,1999-0974 || bugtraq,864
-1964 || RPC tooltalk UDP overflow attempt || cve,1999-0003 || bugtraq,122
-1965 || RPC tooltalk TCP overflow attempt || cve,1999-0003 || bugtraq,122
-1966 || MISC GlobalSunTech Access Point Information Disclosure attempt || bugtraq,6100
-1967 || WEB-PHP phpbb quick-reply.php arbitrary command attempt || bugtraq,6173
-1968 || WEB-PHP phpbb quick-reply.php access || bugtraq,6173
-1969 || WEB-MISC ion-p access || cve,2002-1559 || bugtraq,6091
-1970 || WEB-IIS MDAC Content-Type overflow attempt || url,www.foundstone.com/knowledge/randd-advisories-display.html?id=337 || cve,2002-1142 || bugtraq,6214
-1971 || FTP SITE EXEC format string attempt
-1972 || FTP PASS overflow attempt || cve,2002-0126 || cve,2000-1035 || bugtraq,9285 || bugtraq,8601 || bugtraq,3884 || bugtraq,1690
-1973 || FTP MKD overflow attempt || cve,1999-0911 || bugtraq,9872 || bugtraq,612
-1974 || FTP REST overflow attempt || cve,2001-0826 || bugtraq,2972
-1975 || FTP DELE overflow attempt || cve,2001-0826 || bugtraq,2972
-1976 || FTP RMD overflow attempt || cve,2001-0826 || bugtraq,2972
-1977 || WEB-MISC xp_regwrite attempt
-1978 || WEB-MISC xp_regdeletekey attempt
-1979 || WEB-MISC perl post attempt || nessus,11158 || cve,2002-1436 || bugtraq,5520
-1980 || BACKDOOR DeepThroat 3.1 Connection attempt
-1981 || BACKDOOR DeepThroat 3.1 Connection attempt [3150]
-1982 || BACKDOOR DeepThroat 3.1 Server Response [3150] || arachnids,106
-1983 || BACKDOOR DeepThroat 3.1 Connection attempt [4120]
-1984 || BACKDOOR DeepThroat 3.1 Server Response [4120] || arachnids,106
-1985 || BACKDOOR Doly 1.5 server response
-1986 || CHAT MSN file transfer request
-1987 || MISC xfs overflow attempt || nessus,11188 || cve,2002-1317 || bugtraq,6241
-1988 || CHAT MSN file transfer accept
-1989 || CHAT MSN file transfer reject
-1990 || CHAT MSN user search
-1991 || CHAT MSN login attempt
-1992 || FTP LIST directory traversal attempt || nessus,11112 || cve,2001-0680 || bugtraq,2618
-1993 || IMAP login literal buffer overflow attempt || bugtraq,6298
-1994 || WEB-CGI vpasswd.cgi access || nessus,11165 || bugtraq,6038
-1995 || WEB-CGI alya.cgi access || nessus,11118
-1996 || WEB-CGI viralator.cgi access || nessus,11107 || cve,2001-0849
-1997 || WEB-PHP read_body.php access attempt || cve,2002-1341 || bugtraq,6302
-1998 || WEB-PHP calendar.php access || nessus,11179 || bugtraq,9353 || bugtraq,5820
-1999 || WEB-PHP edit_image.php access || nessus,11104 || cve,2001-1020 || bugtraq,3288
-2000 || WEB-PHP readmsg.php access || nessus,11073
-2001 || WEB-CGI smartsearch.cgi access
-2002 || WEB-PHP remote include path
-2003 || MS-SQL Worm propagation attempt || url,vil.nai.com/vil/content/v_99992.htm || cve,2002-0649 || bugtraq,5311 || bugtraq,5310
-2004 || MS-SQL Worm propagation attempt OUTBOUND || url,vil.nai.com/vil/content/v_99992.htm || cve,2002-0649 || bugtraq,5311 || bugtraq,5310
-2005 || RPC portmap kcms_server request UDP || url,www.kb.cert.org/vuls/id/850785 || cve,2003-0027 || bugtraq,6665
-2006 || RPC portmap kcms_server request TCP || url,www.kb.cert.org/vuls/id/850785 || cve,2003-0027 || bugtraq,6665
-2007 || RPC kcms_server directory traversal attempt || url,www.kb.cert.org/vuls/id/850785 || cve,2003-0027 || bugtraq,6665
-2008 || MISC CVS invalid user authentication response
-2009 || MISC CVS invalid repository response
-2010 || MISC CVS double free exploit attempt response || cve,2003-0015 || bugtraq,6650
-2011 || MISC CVS invalid directory response || cve,2003-0015 || bugtraq,6650
-2012 || MISC CVS missing cvsroot response
-2013 || MISC CVS invalid module response
-2014 || RPC portmap UNSET attempt TCP 111 || bugtraq,1892
-2015 || RPC portmap UNSET attempt UDP 111 || bugtraq,1892
-2016 || RPC portmap status request TCP || arachnids,15
-2017 || RPC portmap espd request UDP || cve,2001-0331 || bugtraq,2714
-2018 || RPC mountd TCP dump request
-2019 || RPC mountd UDP dump request
-2020 || RPC mountd TCP unmount request
-2021 || RPC mountd UDP unmount request
-2022 || RPC mountd TCP unmountall request
-2023 || RPC mountd UDP unmountall request
-2024 || RPC RQUOTA getquota overflow attempt TCP || cve,1999-0974 || bugtraq,864
-2025 || RPC yppasswd username overflow attempt UDP || cve,2001-0779 || bugtraq,2763
-2026 || RPC yppasswd username overflow attempt TCP || cve,2001-0779 || bugtraq,2763
-2027 || RPC yppasswd old password overflow attempt UDP
-2028 || RPC yppasswd old password overflow attempt TCP
-2029 || RPC yppasswd new password overflow attempt UDP
-2030 || RPC yppasswd new password overflow attempt TCP
-2031 || RPC yppasswd user update UDP
-2032 || RPC yppasswd user update TCP
-2033 || RPC ypserv maplist request UDP || cve,2002-1232 || bugtraq,6016 || bugtraq,5914
-2034 || RPC ypserv maplist request TCP || bugtraq,6016 || bugtraq,5914 || Cve,CAN-2002-1232
-2035 || RPC portmap network-status-monitor request UDP
-2036 || RPC portmap network-status-monitor request TCP
-2037 || RPC network-status-monitor mon-callback request UDP
-2038 || RPC network-status-monitor mon-callback request TCP
-2039 || MISC bootp hostname format string attempt || cve,2002-0702 || bugtraq,4701
-2040 || POLICY xtacacs login attempt
-2041 || MISC xtacacs failed login response
-2042 || POLICY xtacacs accepted login response
-2043 || MISC isakmp login failed
-2044 || POLICY PPTP Start Control Request attempt
-2045 || RPC snmpXdmi overflow attempt UDP || url,www.cert.org/advisories/CA-2001-05.html || cve,2001-0236 || bugtraq,2417
-2046 || IMAP partial body.peek buffer overflow attempt || cve,2002-0379 || bugtraq,4713
-2047 || MISC rsyncd module list access
-2048 || MISC rsyncd overflow attempt
-2049 || MS-SQL ping attempt || nessus,10674
-2050 || MS-SQL version overflow attempt || nessus,10674 || cve,2002-0649 || bugtraq,5310
-2051 || WEB-CGI cached_feed.cgi moreover shopping cart access || cve,2000-0906 || bugtraq,1762
-2052 || WEB-CGI overflow.cgi access || url,www.cert.org/advisories/CA-2002-35.html || nessus,11190
-2053 || WEB-CGI process_bug.cgi access || cve,2002-0008
-2054 || WEB-CGI enter_bug.cgi arbitrary command attempt || cve,2002-0008
-2055 || WEB-CGI enter_bug.cgi access || cve,2002-0008
-2056 || WEB-MISC TRACE attempt || url,www.whitehatsec.com/press_releases/WH-PR-20030120.pdf || nessus,11213 || bugtraq,9561
-2057 || WEB-MISC helpout.exe access || nessus,11162 || cve,2002-1169 || bugtraq,6002
-2058 || WEB-MISC MsmMask.exe attempt || nessus,11163
-2059 || WEB-MISC MsmMask.exe access || nessus,11163
-2060 || WEB-MISC DB4Web access || nessus,11180
-2061 || WEB-MISC Tomcat null byte directory listing attempt || cve,2003-0042 || bugtraq,6721 || bugtraq,2518
-2062 || WEB-MISC iPlanet .perf access
-2063 || WEB-MISC Demarc SQL injection attempt
-2064 || WEB-MISC Lotus Notes .csp script source download attempt
-2065 || WEB-MISC Lotus Notes .csp script source download attempt
-2066 || WEB-MISC Lotus Notes .pl script source download attempt
-2067 || WEB-MISC Lotus Notes .exe script source download attempt
-2068 || WEB-MISC BitKeeper arbitrary command attempt || bugtraq,6588
-2069 || WEB-MISC chip.ini access || cve,2001-0771 || cve,2001-0749 || bugtraq,2775 || bugtraq,2755
-2070 || WEB-MISC post32.exe arbitrary command attempt || bugtraq,1485
-2071 || WEB-MISC post32.exe access || bugtraq,1485
-2072 || WEB-MISC lyris.pl access || cve,2000-0758 || bugtraq,1584
-2073 || WEB-MISC globals.pl access || cve,2001-0330 || bugtraq,2671
-2074 || WEB-PHP Mambo uploadimage.php upload php file attempt || bugtraq,6572
-2075 || WEB-PHP Mambo upload.php upload php file attempt || bugtraq,6572
-2076 || WEB-PHP Mambo uploadimage.php access || bugtraq,6572
-2077 || WEB-PHP Mambo upload.php access || bugtraq,6572
-2078 || WEB-PHP phpBB privmsg.php access || bugtraq,6634
-2079 || RPC portmap nlockmgr request UDP || cve,2000-0508 || bugtraq,1372
-2080 || RPC portmap nlockmgr request TCP || cve,2000-0508 || bugtraq,1372
-2081 || RPC portmap rpc.xfsmd request UDP || cve,2002-0359 || bugtraq,5075 || bugtraq,5072
-2082 || RPC portmap rpc.xfsmd request TCP || cve,2002-0359 || bugtraq,5075 || bugtraq,5072
-2083 || RPC rpc.xfsmd xfs_export attempt UDP || cve,2002-0359 || bugtraq,5075 || bugtraq,5072
-2084 || RPC rpc.xfsmd xfs_export attempt TCP || cve,2002-0359 || bugtraq,5075 || bugtraq,5072
-2085 || WEB-CGI parse_xml.cgi access || cve,2003-0054 || bugtraq,6960
-2086 || WEB-CGI streaming server parse_xml.cgi access || cve,2003-0054 || bugtraq,6960
-2087 || SMTP From comment overflow attempt || url,www.kb.cert.org/vuls/id/398025 || cve,2002-1337
-2088 || RPC ypupdated arbitrary command attempt UDP
-2089 || RPC ypupdated arbitrary command attempt TCP
-2090 || WEB-IIS WEBDAV exploit attempt || url,www.microsoft.com/technet/security/bulletin/ms03-007.mspx || cve,2003-0109 || bugtraq,7716 || bugtraq,7116
-2091 || WEB-IIS WEBDAV nessus safe scan attempt || url,www.microsoft.com/technet/security/bulletin/ms03-007.mspx || nessus,11413 || nessus,11412 || cve,2003-0109 || bugtraq,7116
-2092 || RPC portmap proxy integer overflow attempt UDP || cve,2003-0028 || bugtraq,7123
-2093 || RPC portmap proxy integer overflow attempt TCP || cve,2003-0028 || bugtraq,7123
-2094 || RPC CMSD UDP CMSD_CREATE array buffer overflow attempt || cve,2002-0391 || bugtraq,5356
-2095 || RPC CMSD TCP CMSD_CREATE array buffer overflow attempt || cve,2002-0391 || bugtraq,5356
-2100 || BACKDOOR SubSeven 2.1 Gold server connection response
-2101 || NETBIOS SMB SMB_COM_TRANSACTION Max Parameter and Max Count of 0 DOS Attempt || url,www.microsoft.com/technet/security/bulletin/MS02-045.mspx || url,www.corest.com/common/showdoc.php?idx=262 || cve,2002-0724 || bugtraq,5556
-2102 || NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt || url,www.microsoft.com/technet/security/bulletin/MS02-045.mspx || url,www.corest.com/common/showdoc.php?idx=262 || cve,2002-0724 || bugtraq,5556
-2103 || NETBIOS SMB trans2open buffer overflow attempt || url,www.digitaldefense.net/labs/advisories/DDI-1013.txt || cve,2003-0201 || bugtraq,7294
-2104 || ATTACK-RESPONSES rexec username too long response
-2105 || IMAP authenticate literal overflow attempt || nessus,10292 || cve,1999-0042
-2106 || IMAP lsub overflow attempt || nessus,10374 || cve,2000-0284 || bugtraq,1110
-2107 || IMAP create buffer overflow attempt || bugtraq,7446
-2108 || POP3 CAPA overflow attempt
-2109 || POP3 TOP overflow attempt
-2110 || POP3 STAT overflow attempt
-2111 || POP3 DELE overflow attempt
-2112 || POP3 RSET overflow attempt
-2113 || RSERVICES rexec username overflow attempt
-2114 || RSERVICES rexec password overflow attempt
-2115 || WEB-CGI album.pl access || bugtraq,7444
-2116 || WEB-CGI chipcfg.cgi access || cve,2001-1341 || bugtraq,2767
-2117 || WEB-IIS Battleaxe Forum login.asp access || cve,2003-0215 || bugtraq,7416
-2118 || IMAP list overflow attempt || nessus,10374 || cve,2000-0284 || bugtraq,1110
-2119 || IMAP rename literal overflow attempt || nessus,10374 || cve,2000-0284 || bugtraq,1110
-2120 || IMAP create literal buffer overflow attempt || bugtraq,7446
-2121 || POP3 DELE negative arguement attempt || cve,2002-1539 || bugtraq,7445 || bugtraq,6053
-2122 || POP3 UIDL negative arguement attempt || cve,2002-1539 || bugtraq,6053
-2123 || ATTACK-RESPONSES Microsoft cmd.exe banner || nessus,11633
-2124 || BACKDOOR Remote PC Access connection attempt || nessus,11673
-2125 || FTP CWD Root directory transversal attempt || nessus,11677 || cve,2003-0392 || bugtraq,7674
-2126 || MISC Microsoft PPTP Start Control Request buffer overflow attempt || cve,2002-1214 || bugtraq,5807
-2127 || WEB-CGI ikonboard.cgi access || nessus,11605 || bugtraq,7361
-2128 || WEB-CGI swsrv.cgi access || nessus,11608 || cve,2003-0217 || bugtraq,7510
-2129 || WEB-IIS nsiislog.dll access || url,www.microsoft.com/technet/security/bulletin/ms03-018.mspx || nessus,11664 || cve,2003-0349 || bugtraq,8035
-2130 || WEB-IIS IISProtect siteadmin.asp access || nessus,11662 || cve,2003-0377 || bugtraq,7675
-2131 || WEB-IIS IISProtect access || nessus,11661
-2132 || WEB-IIS Synchrologic Email Accelerator userid list access attempt || nessus,11657
-2133 || WEB-IIS MS BizTalk server access || nessus,11638 || cve,2003-0118 || cve,2003-0117 || bugtraq,7470 || bugtraq,7469
-2134 || WEB-IIS register.asp access || nessus,11621
-2135 || WEB-MISC philboard.mdb access || nessus,11682
-2136 || WEB-MISC philboard_admin.asp authentication bypass attempt || nessus,11675 || bugtraq,7739
-2137 || WEB-MISC philboard_admin.asp access || nessus,11675 || bugtraq,7739
-2138 || WEB-MISC logicworks.ini access || nessus,11639 || bugtraq,6996
-2139 || WEB-MISC /*.shtml access || nessus,11604 || cve,2000-0683 || bugtraq,1517
-2140 || WEB-PHP p-news.php access || nessus,11669
-2141 || WEB-PHP shoutbox.php directory traversal attempt || nessus,11668
-2142 || WEB-PHP shoutbox.php access || nessus,11668
-2143 || WEB-PHP b2 cafelog gm-2-b2.php remote file include attempt || nessus,11667
-2144 || WEB-PHP b2 cafelog gm-2-b2.php access || nessus,11667
-2145 || WEB-PHP TextPortal admin.php default password admin attempt || nessus,11660 || bugtraq,7673
-2146 || WEB-PHP TextPortal admin.php default password 12345 attempt || nessus,11660 || bugtraq,7673
-2147 || WEB-PHP BLNews objects.inc.php4 remote file include attempt || nessus,11647 || cve,2003-0394 || bugtraq,7677
-2148 || WEB-PHP BLNews objects.inc.php4 access || nessus,11647 || cve,2003-0394 || bugtraq,7677
-2149 || WEB-PHP Turba status.php access || nessus,11646
-2150 || WEB-PHP ttCMS header.php remote file include attempt || nessus,11636 || bugtraq,7625 || bugtraq,7543 || bugtraq,7542
-2151 || WEB-PHP ttCMS header.php access || nessus,11636 || bugtraq,7625 || bugtraq,7543 || bugtraq,7542
-2152 || WEB-PHP test.php access || nessus,11617
-2153 || WEB-PHP autohtml.php directory traversal attempt || nessus,11630
-2154 || WEB-PHP autohtml.php access || nessus,11630
-2155 || WEB-PHP ttforum remote file include attempt || nessus,11615 || bugtraq,7543 || bugtraq,7542
-2156 || WEB-MISC mod_gzip_status access || nessus,11685
-2157 || WEB-IIS IISProtect globaladmin.asp access || nessus,11661
-2158 || MISC BGP invalid length || url,sf.net/tracker/index.php?func=detail&aid=744523&group_id=53066&atid=469575
-2159 || MISC BGP invalid type 0
-2160 || VIRUS OUTBOUND .exe file attachment
-2161 || VIRUS OUTBOUND .doc file attachment
-2162 || VIRUS OUTBOUND .hta file attachment
-2163 || VIRUS OUTBOUND .chm file attachment
-2164 || VIRUS OUTBOUND .reg file attachment
-2165 || VIRUS OUTBOUND .ini file attachment
-2166 || VIRUS OUTBOUND .bat file attachment
-2167 || VIRUS OUTBOUND .diz file attachment
-2168 || VIRUS OUTBOUND .cpp file attachment
-2169 || VIRUS OUTBOUND .dll file attachment
-2170 || VIRUS OUTBOUND .vxd file attachment
-2171 || VIRUS OUTBOUND .sys file attachment
-2172 || VIRUS OUTBOUND .com file attachment
-2173 || VIRUS OUTBOUND .hsq file attachment
-2174 || NETBIOS SMB winreg access
-2175 || NETBIOS SMB winreg unicode access
-2176 || NETBIOS SMB startup folder access
-2177 || NETBIOS SMB startup folder unicode access
-2178 || FTP USER format string attempt || cve,2004-0277 || bugtraq,9800 || bugtraq,9600 || bugtraq,9402 || bugtraq,9262 || bugtraq,7776 || bugtraq,7474
-2179 || FTP PASS format string attempt || bugtraq,9800 || bugtraq,9262 || bugtraq,7474
-2180 || P2P BitTorrent announce request
-2181 || P2P BitTorrent transfer
-2182 || BACKDOOR typot trojan traffic
-2183 || SMTP Content-Transfer-Encoding overflow attempt || url,www.cert.org/advisories/CA-2003-12.html || cve,2003-0161
-2184 || RPC mountd TCP mount path overflow attempt || nessus,11800 || cve,2003-0252 || bugtraq,8179
-2185 || RPC mountd UDP mount path overflow attempt || nessus,11800 || cve,2003-0252 || bugtraq,8179
-2186 || BAD-TRAFFIC IP Proto 53 SWIPE || cve,2003-0567 || bugtraq,8211
-2187 || BAD-TRAFFIC IP Proto 55 IP Mobility || cve,2003-0567 || bugtraq,8211
-2188 || BAD-TRAFFIC IP Proto 77 Sun ND || cve,2003-0567 || bugtraq,8211
-2189 || BAD-TRAFFIC IP Proto 103 PIM || cve,2003-0567 || bugtraq,8211
-2190 || NETBIOS DCERPC invalid bind attempt
-2191 || NETBIOS SMB DCERPC invalid bind attempt
-2192 || NETBIOS DCERPC ISystemActivator bind attempt || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx || cve,2003-0352 || bugtraq,8205
-2193 || NETBIOS SMB-DS DCERPC ISystemActivator bind attempt || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx || cve,2003-0352 || bugtraq,8205
-2194 || WEB-CGI CSMailto.cgi access || nessus,11748 || cve,2002-0749 || bugtraq,6265 || bugtraq,4579
-2195 || WEB-CGI alert.cgi access || nessus,11748 || cve,2002-0346 || bugtraq,4579 || bugtraq,4211
-2196 || WEB-CGI catgy.cgi access || nessus,11748 || cve,2001-1212 || bugtraq,4579 || bugtraq,3714
-2197 || WEB-CGI cvsview2.cgi access || nessus,11748 || cve,2003-0153 || bugtraq,5517 || bugtraq,4579
-2198 || WEB-CGI cvslog.cgi access || nessus,11748 || cve,2003-0153 || bugtraq,5517 || bugtraq,4579
-2199 || WEB-CGI multidiff.cgi access || nessus,11748 || cve,2003-0153 || bugtraq,5517 || bugtraq,4579
-2200 || WEB-CGI dnewsweb.cgi access || nessus,11748 || cve,2000-0423 || bugtraq,4579 || bugtraq,1172
-2201 || WEB-CGI download.cgi access || nessus,11748 || cve,1999-1377 || bugtraq,4579
-2202 || WEB-CGI edit_action.cgi access || nessus,11748 || cve,2001-1196 || bugtraq,4579 || bugtraq,3698
-2203 || WEB-CGI everythingform.cgi access || nessus,11748 || cve,2001-0023 || bugtraq,4579 || bugtraq,2101
-2204 || WEB-CGI ezadmin.cgi access || nessus,11748 || cve,2002-0263 || bugtraq,4579 || bugtraq,4068
-2205 || WEB-CGI ezboard.cgi access || nessus,11748 || cve,2002-0263 || bugtraq,4579 || bugtraq,4068
-2206 || WEB-CGI ezman.cgi access || nessus,11748 || cve,2002-0263 || bugtraq,4579 || bugtraq,4068
-2207 || WEB-CGI fileseek.cgi access || nessus,11748 || cve,2002-0611 || bugtraq,6784 || bugtraq,4579
-2208 || WEB-CGI fom.cgi access || nessus,11748 || cve,2002-0230 || bugtraq,4579
-2209 || WEB-CGI getdoc.cgi access || nessus,11748 || cve,2000-0288 || bugtraq,4579
-2210 || WEB-CGI global.cgi access || nessus,11748 || cve,2000-0952 || bugtraq,4579
-2211 || WEB-CGI guestserver.cgi access || nessus,11748 || cve,2001-0180 || bugtraq,4579
-2212 || WEB-CGI imageFolio.cgi access || nessus,11748 || cve,2002-1334 || bugtraq,6265 || bugtraq,4579
-2213 || WEB-CGI mailfile.cgi access || nessus,11748 || cve,2000-0977 || bugtraq,4579 || bugtraq,1807
-2214 || WEB-CGI mailview.cgi access || nessus,11748 || cve,2000-0526 || bugtraq,4579 || bugtraq,1335
-2215 || WEB-CGI nsManager.cgi access || nessus,11748 || cve,2000-1023 || bugtraq,4579 || bugtraq,1710
-2216 || WEB-CGI readmail.cgi access || nessus,11748 || cve,2001-1283 || bugtraq,4579 || bugtraq,3427
-2217 || WEB-CGI printmail.cgi access || nessus,11748 || cve,2001-1283 || bugtraq,4579 || bugtraq,3427
-2218 || WEB-CGI service.cgi access || nessus,11748 || cve,2002-0346 || bugtraq,4579 || bugtraq,4211
-2219 || WEB-CGI setpasswd.cgi access || nessus,11748 || cve,2001-0133 || bugtraq,4579 || bugtraq,2212
-2220 || WEB-CGI simplestmail.cgi access || nessus,11748 || cve,2001-0022 || bugtraq,4579 || bugtraq,2106
-2221 || WEB-CGI ws_mail.cgi access || nessus,11748 || cve,2001-1343 || bugtraq,4579 || bugtraq,2861
-2222 || WEB-CGI nph-exploitscanget.cgi access || nessus,11740 || cve,2003-0434 || bugtraq,7912 || bugtraq,7911 || bugtraq,7910
-2223 || WEB-CGI csNews.cgi access || nessus,11726 || cve,2002-0923 || bugtraq,4994
-2224 || WEB-CGI psunami.cgi access || nessus,11750 || bugtraq,6607
-2225 || WEB-CGI gozila.cgi access || nessus,11773
-2226 || WEB-PHP pmachine remote file include attempt || nessus,11739 || bugtraq,7919
-2227 || WEB-PHP forum_details.php access || nessus,11760 || bugtraq,7933
-2228 || WEB-PHP phpMyAdmin db_details_importdocsql.php access || nessus,11761 || bugtraq,7965 || bugtraq,7962
-2229 || WEB-PHP viewtopic.php access || nessus,11767 || cve,2003-0486 || bugtraq,7979
-2230 || WEB-MISC NetGear router default password login attempt admin/password || nessus,11737
-2231 || WEB-MISC register.dll access || nessus,11747 || cve,2001-0958 || bugtraq,3327
-2232 || WEB-MISC ContentFilter.dll access || nessus,11747 || cve,2001-0958 || bugtraq,3327
-2233 || WEB-MISC SFNofitication.dll access || nessus,11747 || cve,2001-0958 || bugtraq,3327
-2234 || WEB-MISC TOP10.dll access || nessus,11747 || cve,2001-0958 || bugtraq,3327
-2235 || WEB-MISC SpamExcp.dll access || nessus,11747 || cve,2001-0958 || bugtraq,3327
-2236 || WEB-MISC spamrule.dll access || nessus,11747 || cve,2001-0958 || bugtraq,3327
-2237 || WEB-MISC cgiWebupdate.exe access || nessus,11722 || cve,2001-1150 || bugtraq,3216
-2238 || WEB-MISC WebLogic ConsoleHelp view source attempt || nessus,11724 || cve,2000-0682 || bugtraq,1518
-2239 || WEB-MISC redirect.exe access || cve,2000-0401 || bugtraq,1256
-2240 || WEB-MISC changepw.exe access || cve,2000-0401 || bugtraq,1256
-2241 || WEB-MISC cwmail.exe access || nessus,11727 || cve,2002-0273 || bugtraq,4093
-2242 || WEB-MISC ddicgi.exe access || nessus,11728 || cve,2000-0826 || bugtraq,1657
-2243 || WEB-MISC ndcgi.exe access || nessus,11730 || cve,2001-0922
-2244 || WEB-MISC VsSetCookie.exe access || nessus,11731 || cve,2002-0236 || bugtraq,3784
-2245 || WEB-MISC Webnews.exe access || nessus,11732 || cve,2002-0290 || bugtraq,4124
-2246 || WEB-MISC webadmin.dll access || nessus,11771
-2247 || WEB-IIS UploadScript11.asp access || cve,2001-0938
-2248 || WEB-IIS DirectoryListing.asp access || cve,2001-0938
-2249 || WEB-IIS /pcadmin/login.asp access || nessus,11785 || bugtraq,8103
-2250 || POP3 USER format string attempt || nessus,11742 || bugtraq,7667
-2251 || NETBIOS DCERPC Remote Activation bind attempt || url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx || cve,2003-0715 || cve,2003-0605 || cve,2003-0528 || bugtraq,8458 || bugtraq,8234
-2252 || NETBIOS SMB-DS DCERPC Remote Activation bind attempt || url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx || cve,2003-0715 || cve,2003-0605 || cve,2003-0528 || bugtraq,8458 || bugtraq,8234
-2253 || SMTP XEXCH50 overflow attempt || url,www.microsoft.com/technet/security/bulletin/MS03-046.mspx
-2254 || SMTP XEXCH50 overflow with evasion attempt || url,www.microsoft.com/technet/security/bulletin/MS03-046.mspx
-2255 || RPC sadmind query with root credentials attempt TCP
-2256 || RPC sadmind query with root credentials attempt UDP
-2257 || NETBIOS DCERPC Messenger Service buffer overflow attempt || url,www.microsoft.com/technet/security/bulletin/MS03-043.mspx || cve,2003-0717 || bugtraq,8826
-2258 || NETBIOS SMB-DS DCERPC Messenger Service buffer overflow attempt || url,www.microsoft.com/technet/security/bulletin/MS03-043.mspx || cve,2003-0717 || bugtraq,8826
-2259 || SMTP EXPN overflow attempt || cve,2003-0161 || cve,2002-1337 || bugtraq,7230 || bugtraq,6991
-2260 || SMTP VRFY overflow attempt || cve,2003-0161 || cve,2002-1337 || bugtraq,7230 || bugtraq,6991
-2261 || SMTP SEND FROM sendmail prescan too many addresses overflow || cve,2002-1337 || bugtraq,6991
-2262 || SMTP SEND FROM sendmail prescan too long addresses overflow || cve,2003-0161 || bugtraq,7230
-2263 || SMTP SAML FROM sendmail prescan too many addresses overflow || cve,2002-1337 || bugtraq,6991
-2264 || SMTP SAML FROM sendmail prescan too long addresses overflow || cve,2003-0161 || bugtraq,7230
-2265 || SMTP SOML FROM sendmail prescan too many addresses overflow || cve,2002-1337 || bugtraq,6991
-2266 || SMTP SOML FROM sendmail prescan too long addresses overflow || cve,2003-0161 || bugtraq,7230
-2267 || SMTP MAIL FROM sendmail prescan too many addresses overflow || cve,2002-1337 || bugtraq,6991
-2268 || SMTP MAIL FROM sendmail prescan too long addresses overflow || cve,2003-0161 || bugtraq,7230
-2269 || SMTP RCPT TO sendmail prescan too many addresses overflow || cve,2002-1337 || bugtraq,6991
-2270 || SMTP RCPT TO sendmail prescan too long addresses overflow || cve,2003-0161 || bugtraq,7230
-2271 || BACKDOOR FsSniffer connection attempt || nessus,11854
-2272 || FTP LIST integer overflow attempt || cve,2003-0854 || cve,2003-0853 || bugtraq,8875
-2273 || IMAP login brute force attempt
-2274 || POP3 login brute force attempt
-2275 || SMTP AUTH LOGON brute force attempt
-2276 || WEB-MISC oracle portal demo access || nessus,11918
-2277 || WEB-MISC PeopleSoft PeopleBooks psdoccgi access || cve,2003-0627 || cve,2003-0626 || bugtraq,9038 || bugtraq,9037
-2278 || WEB-MISC negative Content-Length attempt || cve,2004-0095 || bugtraq,9576 || bugtraq,9476 || bugtraq,9098
-2279 || WEB-PHP UpdateClasses.php access || bugtraq,9057
-2280 || WEB-PHP Title.php access || bugtraq,9057
-2281 || WEB-PHP Setup.php access || bugtraq,9057
-2282 || WEB-PHP GlobalFunctions.php access || bugtraq,9057
-2283 || WEB-PHP DatabaseFunctions.php access || bugtraq,9057
-2284 || WEB-PHP rolis guestbook remote file include attempt || bugtraq,9057
-2285 || WEB-PHP rolis guestbook access || bugtraq,9057
-2286 || WEB-PHP friends.php access || bugtraq,9088
-2287 || WEB-PHP Advanced Poll admin_comment.php access || nessus,11487 || bugtraq,8890
-2288 || WEB-PHP Advanced Poll admin_edit.php access || nessus,11487 || bugtraq,8890
-2289 || WEB-PHP Advanced Poll admin_embed.php access || nessus,11487 || bugtraq,8890
-2290 || WEB-PHP Advanced Poll admin_help.php access || nessus,11487 || bugtraq,8890
-2291 || WEB-PHP Advanced Poll admin_license.php access || nessus,11487 || bugtraq,8890
-2292 || WEB-PHP Advanced Poll admin_logout.php access || nessus,11487 || bugtraq,8890
-2293 || WEB-PHP Advanced Poll admin_password.php access || nessus,11487 || bugtraq,8890
-2294 || WEB-PHP Advanced Poll admin_preview.php access || nessus,11487 || bugtraq,8890
-2295 || WEB-PHP Advanced Poll admin_settings.php access || nessus,11487 || bugtraq,8890
-2296 || WEB-PHP Advanced Poll admin_stats.php access || nessus,11487 || bugtraq,8890
-2297 || WEB-PHP Advanced Poll admin_templates_misc.php access || nessus,11487 || bugtraq,8890
-2298 || WEB-PHP Advanced Poll admin_templates.php access || nessus,11487 || bugtraq,8890
-2299 || WEB-PHP Advanced Poll admin_tpl_misc_new.php access || nessus,11487 || bugtraq,8890
-2300 || WEB-PHP Advanced Poll admin_tpl_new.php access || nessus,11487 || bugtraq,8890
-2301 || WEB-PHP Advanced Poll booth.php access || nessus,11487 || bugtraq,8890
-2302 || WEB-PHP Advanced Poll poll_ssi.php access || nessus,11487 || bugtraq,8890
-2303 || WEB-PHP Advanced Poll popup.php access || nessus,11487 || bugtraq,8890
-2304 || WEB-PHP files.inc.php access || bugtraq,8910
-2305 || WEB-PHP chatbox.php access || bugtraq,8930
-2306 || WEB-PHP gallery remote file include attempt || nessus,11876 || bugtraq,8814
-2307 || WEB-PHP PayPal Storefront remote file include attemtp || nessus,11873 || bugtraq,8791
-2308 || NETBIOS SMB DCERPC Workstation Service unicode bind attempt || url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx || cve,2003-0812 || bugtraq,9011
-2309 || NETBIOS SMB DCERPC Workstation Service bind attempt || url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx || cve,2003-0812 || bugtraq,9011
-2310 || NETBIOS SMB-DS DCERPC Workstation Service unicode bind attempt || url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx || cve,2003-0812 || bugtraq,9011
-2311 || NETBIOS SMB-DS DCERPC Workstation Service bind attempt || url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx || cve,2003-0812 || bugtraq,9011
-2312 || SHELLCODE x86 0x71FB7BAB NOOP
-2313 || SHELLCODE x86 0x71FB7BAB NOOP unicode
-2314 || SHELLCODE x86 0x90 NOOP unicode
-2315 || NETBIOS DCERPC Workstation Service direct service bind attempt || url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx || cve,2003-0812 || bugtraq,9011
-2316 || NETBIOS DCERPC Workstation Service direct service access attempt || url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx || cve,2003-0812 || bugtraq,9011
-2317 || MISC CVS non-relative path error response || cve,2003-0977 || bugtraq,9178
-2318 || MISC CVS non-relative path access attempt || cve,2003-0977 || bugtraq,9178
-2319 || EXPLOIT ebola PASS overflow attempt || bugtraq,9156
-2320 || EXPLOIT ebola USER overflow attempt || bugtraq,9156
-2321 || WEB-IIS foxweb.exe access || nessus,11939
-2322 || WEB-IIS foxweb.dll access || nessus,11939
-2323 || WEB-CGI quickstore.cgi access || nessus,11975 || bugtraq,9282
-2324 || WEB-IIS VP-ASP shopsearch.asp access || nessus,11942 || bugtraq,9134 || bugtraq,9133
-2325 || WEB-IIS VP-ASP ShopDisplayProducts.asp access || nessus,11942 || bugtraq,9134 || bugtraq,9133
-2326 || WEB-IIS sgdynamo.exe access || nessus,11955 || cve,2002-0375 || bugtraq,4720
-2327 || WEB-MISC bsml.pl access || nessus,11973 || bugtraq,9311
-2328 || WEB-PHP authentication_index.php access || nessus,11982 || cve,2004-0032
-2329 || MS-SQL probe response overflow attempt || url,www.microsoft.com/technet/security/bulletin/MS04-003.mspx || cve,2003-0903 || bugtraq,9407
-2330 || IMAP auth overflow attempt || bugtraq,8861
-2331 || WEB-PHP MatrikzGB privilege escalation attempt || bugtraq,8430
-2332 || FTP MKDIR format string attempt || bugtraq,9262
-2333 || FTP RENAME format string attempt || bugtraq,9262
-2334 || FTP Yak! FTP server default account login attempt || bugtraq,9072
-2335 || FTP RMD / attempt || bugtraq,9159
-2336 || TFTP NULL command attempt || bugtraq,7575
-2337 || TFTP PUT filename overflow attempt || cve,2003-0380 || bugtraq,8505 || bugtraq,7819
-2338 || FTP LIST buffer overflow attempt || bugtraq,9675 || bugtraq,8486 || bugtraq,10181
-2339 || TFTP NULL command attempt || bugtraq,7575
-2340 || FTP SITE CHMOD overflow attempt || nessus,12037 || bugtraq,9483 || bugtraq,10181
-2341 || WEB-PHP DCP-Portal remote file include attempt || bugtraq,6525
-2342 || WEB-PHP DCP-Portal remote file include attempt || bugtraq,6525
-2343 || FTP STOR overflow attempt || bugtraq,8668
-2344 || FTP XCWD overflow attempt || bugtraq,8704
-2345 || WEB-PHP PhpGedView search.php access || cve,2004-0032 || bugtraq,9369
-2346 || WEB-PHP myPHPNuke chatheader.php access || bugtraq,6544
-2347 || WEB-PHP myPHPNuke partner.php access || bugtraq,6544
-2348 || NETBIOS SMB-DS DCERPC print spool bind attempt
-2349 || NETBIOS SMB-DS DCERPC enumerate printers request attempt
-2350 || NETBIOS DCERPC ISystemActivator bind accept || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx || cve,2003-0352 || bugtraq,8205
-2351 || NETBIOS DCERPC ISystemActivator path overflow attempt little endian || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx || cve,2003-0352 || bugtraq,8205
-2352 || NETBIOS DCERPC ISystemActivator path overflow attempt big endian || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx || cve,2003-0352 || bugtraq,8205
-2353 || WEB-PHP IdeaBox cord.php file include || bugtraq,7488
-2354 || WEB-PHP IdeaBox notification.php file include || bugtraq,7488
-2355 || WEB-PHP Invision Board emailer.php file include || bugtraq,7204
-2356 || WEB-PHP WebChat db_mysql.php file include || bugtraq,7000
-2357 || WEB-PHP WebChat english.php file include || bugtraq,7000
-2358 || WEB-PHP Typo3 translations.php file include || bugtraq,6984
-2359 || WEB-PHP Invision Board ipchat.php file include || bugtraq,6976
-2360 || WEB-PHP myphpPagetool pt_config.inc file include || bugtraq,6744
-2361 || WEB-PHP news.php file include || bugtraq,6674
-2362 || WEB-PHP YaBB SE packages.php file include || bugtraq,6663
-2363 || WEB-PHP Cyboards default_header.php access || bugtraq,6597
-2364 || WEB-PHP Cyboards options_form.php access || bugtraq,6597
-2365 || WEB-PHP newsPHP Language file include attempt || bugtraq,8488
-2366 || WEB-PHP PhpGedView PGV authentication_index.php base directory manipulation attempt || cve,2004-0030 || bugtraq,9368
-2367 || WEB-PHP PhpGedView PGV functions.php base directory manipulation attempt || cve,2004-0030 || bugtraq,9368
-2368 || WEB-PHP PhpGedView PGV config_gedcom.php base directory manipulation attempt || cve,2004-0030 || bugtraq,9368
-2369 || WEB-MISC ISAPISkeleton.dll access || bugtraq,9516
-2370 || WEB-MISC BugPort config.conf file access || bugtraq,9542
-2371 || WEB-MISC Sample_showcode.html access || bugtraq,9555
-2372 || WEB-PHP Photopost PHP Pro showphoto.php access || bugtraq,9557
-2373 || FTP XMKD overflow attempt || bugtraq,7909
-2374 || FTP NLST overflow attempt || bugtraq,9675 || bugtraq,7909 || bugtraq,10184
-2375 || BACKDOOR DoomJuice file upload attempt || url,securityresponse.symantec.com/avcenter/venc/data/w32.hllw.doomjuice.html
-2376 || EXPLOIT ISAKMP first payload certificate request length overflow attempt || cve,2004-0040 || bugtraq,9582
-2377 || EXPLOIT ISAKMP second payload certificate request length overflow attempt || cve,2004-0040 || bugtraq,9582
-2378 || EXPLOIT ISAKMP third payload certificate request length overflow attempt || cve,2004-0040 || bugtraq,9582
-2379 || EXPLOIT ISAKMP forth payload certificate request length overflow attempt || cve,2004-0040 || bugtraq,9582
-2380 || EXPLOIT ISAKMP fifth payload certificate request length overflow attempt || cve,2004-0040 || bugtraq,9582
-2381 || WEB-MISC schema overflow attempt || cve,2004-0039 || bugtraq,9581
-2382 || NETBIOS SMB NTLMSSP invalid mechtype attempt || nessus,12052 || cve,2003-0818 || bugtraq,9635 || bugtraq,9633
-2383 || NETBIOS SMB-DS DCERPC NTLMSSP invalid mechtype attempt || nessus,12052 || cve,2003-0818 || bugtraq,9635 || bugtraq,9633
-2384 || NETBIOS SMB NTLMSSP invalid mechlistMIC attempt || nessus,12054 || nessus,12052 || cve,2003-0818 || bugtraq,9635 || bugtraq,9633
-2385 || NETBIOS SMB-DS DCERPC NTLMSSP invalid mechlistMIC attempt || nessus,12054 || nessus,12052 || cve,2003-0818 || bugtraq,9635 || bugtraq,9633
-2386 || WEB-IIS NTLM ASN.1 vulnerability scan attempt || nessus,12055 || nessus,12052 || cve,2003-0818 || bugtraq,9635 || bugtraq,9633
-2387 || WEB-CGI view_broadcast.cgi access || cve,2003-0422 || bugtraq,8257
-2388 || WEB-CGI streaming server view_broadcast.cgi access || cve,2003-0422 || bugtraq,8257
-2389 || FTP RNTO overflow attempt || cve,2003-0466 || bugtraq,8315
-2390 || FTP STOU overflow attempt || cve,2003-0466 || bugtraq,8315
-2391 || FTP APPE overflow attempt || cve,2003-0466 || bugtraq,8315
-2392 || FTP RETR overflow attempt || cve,2003-0466 || bugtraq,8315
-2393 || WEB-PHP /_admin access || nessus,12032 || bugtraq,9537
-2394 || WEB-MISC Compaq web-based management agent denial of service attempt || bugtraq,8014
-2395 || WEB-MISC InteractiveQuery.jsp access || cve,2003-0624 || bugtraq,8938
-2396 || WEB-CGI CCBill whereami.cgi arbitrary command execution attempt || bugtraq,8095
-2397 || WEB-CGI CCBill whereami.cgi access || bugtraq,8095
-2398 || WEB-PHP WAnewsletter newsletter.php file include attempt || bugtraq,6965
-2399 || WEB-PHP WAnewsletter db_type.php access || bugtraq,6964
-2400 || WEB-MISC edittag.pl access || bugtraq,6675
-2401 || NETBIOS SMB Session Setup AndX request username overflow attempt || url,www.eeye.com/html/Research/Advisories/AD20040226.html || bugtraq,9752
-2402 || NETBIOS SMB-DS Session Setup AndX request username overflow attempt || url,www.eeye.com/html/Research/Advisories/AD20040226.html || bugtraq,9752
-2403 || NETBIOS SMB Session Setup AndX request unicode username overflow attempt || url,www.eeye.com/html/Research/Advisories/AD20040226.html || bugtraq,9752
-2404 || NETBIOS SMB-DS Session Setup AndX request unicode username overflow attempt || url,www.eeye.com/html/Research/Advisories/AD20040226.html || bugtraq,9752
-2405 || WEB-PHP phptest.php access || bugtraq,9737
-2406 || TELNET APC SmartSlot default admin account attempt || bugtraq,9681
-2407 || WEB-MISC util.pl access || bugtraq,9748
-2408 || WEB-MISC Invision Power Board search.pl access || bugtraq,9766
-2409 || POP3 APOP USER overflow attempt || bugtraq,9794
-2410 || WEB-PHP IGeneric Free Shopping Cart page.php access || bugtraq,9773
-2411 || WEB-MISC Real Server DESCRIBE buffer overflow attempt || url,www.service.real.com/help/faq/security/rootexploit091103.html || bugtraq,8476
-2412 || ATTACK-RESPONSES successful cross site scripting forced download attempt
-2413 || EXPLOIT ISAKMP delete hash with empty hash attempt || cve,2004-0164 || bugtraq,CAN-2004-0164 || bugtraq,9417 || bugtraq,9416
-2414 || EXPLOIT ISAKMP initial contact notification without SPI attempt || cve,2004-0164 || bugtraq,CAN-2004-0164 || bugtraq,9417 || bugtraq,9416
-2415 || EXPLOIT ISAKMP second payload initial contact notification without SPI attempt || cve,2004-0164 || bugtraq,CAN-2004-0164 || bugtraq,9417 || bugtraq,9416
-2416 || FTP invalid MDTM command attempt
-2417 || FTP format string attempt
-2418 || MISC MS Terminal Server no encryption session initiation attmept || url,www.microsoft.com/technet/security/bulletin/MS01-052.mspx
-2419 || MULTIMEDIA realplayer .ram playlist download attempt
-2420 || MULTIMEDIA realplayer .rmp playlist download attempt
-2421 || MULTIMEDIA realplayer .smi playlist download attempt
-2422 || MULTIMEDIA realplayer .rt playlist download attempt
-2423 || MULTIMEDIA realplayer .rp playlist download attempt
-2424 || NNTP sendsys overflow attempt || cve,2004-00045 || bugtraq,9382
-2425 || NNTP senduuname overflow attempt || cve,2004-00045 || bugtraq,9382
-2426 || NNTP version overflow attempt || cve,2004-00045 || bugtraq,9382
-2427 || NNTP checkgroups overflow attempt || cve,2004-00045 || bugtraq,9382
-2428 || NNTP ihave overflow attempt || cve,2004-00045 || bugtraq,9382
-2429 || NNTP sendme overflow attempt || cve,2004-00045 || bugtraq,9382
-2430 || NNTP newgroup overflow attempt || cve,2004-00045 || bugtraq,9382
-2431 || NNTP rmgroup overflow attempt || cve,2004-00045 || bugtraq,9382
-2432 || NNTP article post without path attempt
-2433 || WEB-CGI MDaemon form2raw.cgi overflow attempt || bugtraq,9317
-2434 || WEB-CGI MDaemon form2raw.cgi access || bugtraq,9317
-2435 || WEB-CLIENT Microsoft emf metafile access || bugtraq,9707
-2436 || WEB-CLIENT Microsoft wmf metafile access || bugtraq,9707
-2437 || WEB-CLIENT RealPlayer arbitrary javascript command attempt || cve,2003-0726 || bugtraq,9738 || bugtraq,8453
-2438 || WEB-CLIENT RealPlayer playlist file URL overflow attempt || bugtraq,9579
-2439 || WEB-CLIENT RealPlayer playlist http URL overflow attempt || bugtraq,9579
-2440 || WEB-CLIENT RealPlayer playlist rtsp URL overflow attempt || bugtraq,9579
-2441 || WEB-MISC NetObserve authentication bypass attempt || bugtraq,9319
-2442 || WEB-MISC Quicktime User-Agent buffer overflow attempt || cve,2004-0169 || bugtraq,9735
-2443 || EXPLOIT ICQ SRV_MULTI/SRV_META_USER first name overflow attempt || url,www.eeye.com/html/Research/Advisories/AD20040318.html
-2444 || EXPLOIT ICQ SRV_MULTI/SRV_META_USER first name overflow attempt || url,www.eeye.com/html/Research/Advisories/AD20040318.html
-2445 || EXPLOIT ICQ SRV_MULTI/SRV_META_USER last name overflow attempt || url,www.eeye.com/html/Research/Advisories/AD20040318.html
-2446 || EXPLOIT ICQ SRV_MULTI/SRV_META_USER email overflow attempt || url,www.eeye.com/html/Research/Advisories/AD20040318.html
-2447 || WEB-MISC ServletManager access || nessus,12122 || cve,2001-1195 || bugtraq,3697
-2448 || WEB-MISC setinfo.hts access || nessus,12120 || bugtraq,9973
-2449 || FTP ALLO overflow attempt || bugtraq,9953
-2450 || CHAT Yahoo IM successful logon
-2451 || CHAT Yahoo IM voicechat
-2452 || CHAT Yahoo IM ping
-2453 || CHAT Yahoo IM conference invitation
-2454 || CHAT Yahoo IM conference logon success
-2455 || CHAT Yahoo IM conference message
-2456 || CHAT Yahoo IM file transfer request
-2457 || CHAT Yahoo IM message
-2458 || CHAT Yahoo IM successful chat join
-2459 || CHAT Yahoo IM webcam offer invitation
-2460 || CHAT Yahoo IM webcam request
-2461 || CHAT Yahoo IM webcam watch
-2462 || EXPLOIT IGMP IGAP account overflow attempt || cve,2004-0367 || cve,2004-0176 || cve, CAN-2004-0367 || bugtraq,9952
-2463 || EXPLOIT IGMP IGAP message overflow attempt || cve,2004-0367 || cve,2004-0176 || cve, CAN-2004-0367 || bugtraq,9952
-2464 || EXPLOIT EIGRP prefix length overflow attempt || cve,2004-0367 || cve,2004-0176 || cve, CAN-2004-0367 || bugtraq,9952
-2465 || NETBIOS SMB-DS IPC$ share access
-2466 || NETBIOS SMB-DS IPC$ share unicode access
-2467 || NETBIOS SMB D$ share unicode access
-2468 || NETBIOS SMB-DS D$ share access
-2469 || NETBIOS SMB-DS D$ share unicode access
-2470 || NETBIOS SMB C$ share unicode access
-2471 || NETBIOS SMB-DS C$ share access
-2472 || NETBIOS SMB-DS C$ share unicode access
-2473 || NETBIOS SMB ADMIN$ share unicode access
-2474 || NETBIOS SMB-DS ADMIN$ share access
-2475 || NETBIOS SMB-DS ADMIN$ share unicode access
-2476 || NETBIOS SMB-DS Create AndX Request winreg attempt
-2477 || NETBIOS SMB-DS Create AndX Request winreg unicode attempt
-2478 || NETBIOS SMB-DS DCERPC bind winreg attempt
-2479 || NETBIOS SMB-DS DCERPC bind winreg unicode attempt
-2480 || NETBIOS SMB-DS DCERPC shutdown unicode attempt
-2481 || NETBIOS SMB-DS DCERPC shutdown unicode little endian attempt
-2482 || NETBIOS SMB-DS DCERPC shutdown attempt
-2483 || NETBIOS SMB-DS DCERPC shutdown little endian attempt
-2484 || WEB-MISC source.jsp access || nessus,12119
-2485 || WEB-CLIENT Nortan antivirus sysmspam.dll load attempt || cve,2004-0363 || bugtraq,9916
-2486 || DOS ISAKMP invalid identification payload attempt || cve,2004-0184 || bugtraq,10004
-2487 || SMTP WinZip MIME content-type buffer overflow || bugtraq,9758
-2488 || SMTP WinZip MIME content-disposition buffer overflow || bugtraq,9758
-2489 || EXPLOIT esignal STREAMQUOTE buffer overflow attempt || bugtraq,9978
-2490 || EXPLOIT esignal SNAPQUOTE buffer overflow attempt || bugtraq,9978
-2491 || NETBIOS SMB-DS DCERPC ISystemActivator unicode bind attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2003-0813 || bugtraq,8811
-2492 || NETBIOS SMB DCERPC ISystemActivator bind attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2003-0813 || bugtraq,8811
-2493 || NETBIOS SMB DCERPC ISystemActivator unicode bind attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2003-0813 || bugtraq,8811
-2494 || NETBIOS DCEPRC ORPCThis request flood attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2003-0813 || bugtraq,8811
-2495 || NETBIOS SMB DCEPRC ORPCThis request flood attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2003-0813 || bugtraq,8811
-2496 || NETBIOS SMB-DS DCEPRC ORPCThis request flood attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2003-0813 || bugtraq,8811
-2497 || IMAP SSLv3 invalid data version attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2004-0120 || bugtraq,10115
-2498 || IMAP SSLv3 invalid timestamp attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2004-0120 || bugtraq,10115
-2499 || MISC LDAP SSLv3 invalid timestamp attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2004-0120 || bugtraq,10115
-2500 || MISC LDAP SSLv3 invalid data version attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
-2501 || POP3 SSLv3 invalid timestamp attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2004-0120 || bugtraq,10115
-2502 || POP3 SSLv3 invalid data version attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2004-0120 || bugtraq,10115
-2503 || SMTP SSLv3 invalid timestamp attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2004-0120 || bugtraq,10115
-2504 || SMTP SSLv3 invalid data version attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2004-0120 || bugtraq,10115
-2505 || WEB-MISC SSLv3 invalid data version attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2004-0120 || bugtraq,10115
-2506 || WEB-MISC SSLv3 invalid timestamp attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2004-0120 || bugtraq,10115
-2507 || NETBIOS DCERPC LSASS bind attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2003-0533 || bugtraq,10108
-2508 || NETBIOS DCERPC LSASS DsRolerUpgradeDownlevelServer Exploit attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2003-0533 || bugtraq,10108
-2509 || NETBIOS SMB DCERPC LSASS unicode bind attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2003-0533 || bugtraq,10108
-2510 || NETBIOS SMB DCERPC LSASS bind attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2003-0533 || bugtraq,10108
-2511 || NETBIOS SMB DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2003-0533 || bugtraq,10108
-2512 || NETBIOS SMB-DS DCERPC LSASS bind attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2003-0533 || bugtraq,10108
-2513 || NETBIOS SMB-DS DCERPC LSASS unicode bind attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2003-0533 || bugtraq,10108
-2514 || NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2003-0533 || bugtraq,10108
-2515 || WEB-MISC PCT Client_Hello overflow attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2003-0719 || bugtraq,10116
-2516 || MISC LDAP PCT Client_Hello overflow attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2003-0719 || bugtraq,10116
-2517 || IMAP PCT Client_Hello overflow attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2003-0719 || bugtraq,10116
-2518 || PO3 PCT Client_Hello overflow attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2003-0719 || bugtraq,10116
-2519 || SMTP Client_Hello overflow attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2003-0719 || bugtraq,10116
-2520 || WEB-MISC SSLv3 Client_Hello request || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2004-0120
-2521 || WEB-MISC SSLv3 Server_Hello request || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2004-0120
-2522 || WEB-MISC SSLv3 invalid Client_Hello attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2004-0120
-2523 || DOS BGP spoofed connection reset attempt || url,www.uniras.gov.uk/vuls/2004/236929/index.htm || cve,2004-0230 || bugtraq,10183
-2524 || NETBIOS DCERPC LSASS direct bind attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2003-0533 || bugtraq,10108
-2525 || NETBIOS SMB DCERPC LSASS direct bind attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2003-0533 || bugtraq,10108
-2526 || NETBIOS SMB-DS DCERPC LSASS direct bind attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2003-0533 || bugtraq,10108
-2527 || SMTP STARTTLS attempt
-2528 || SMTP TLS PCT Client_Hello overflow attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2003-0719 || bugtraq,10116
-2529 || IMAP SSLv3 Client_Hello request || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2004-0120
-2530 || IMAP SSLv3 Server_Hello request || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2004-0120
-2531 || IMAP SSLv3 invalid Client_Hello attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2004-0120
-2532 || MISC LDAP SSLv3 Client_Hello request || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2004-0120
-2533 || MISC LDAP SSLv3 Server_Hello request || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2004-0120
-2534 || MISC LDAP SSLv3 invalid Client_Hello attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2004-0120
-2535 || POP3 SSLv3 Client_Hello request || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2004-0120
-2536 || POP3 SSLv3 Server_Hello request || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2004-0120
-2537 || POP3 SSLv3 invalid Client_Hello attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2004-0120
-2538 || SMTP SSLv3 Client_Hello request || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2004-0120
-2539 || SMTP SSLv3 Server_Hello request || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2004-0120
-2540 || SMTP SSLv3 invalid Client_Hello attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2004-0120
-2541 || SMTP TLS SSLv3 invalid data version attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2004-0120 || bugtraq,10115
-2542 || SMTP TLS SSLv3 Client_Hello request || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2004-0120
-2543 || SMTP TLS SSLv3 Server_Hello request || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2004-0120
-2544 || SMTP TLS SSLv3 invalid Client_Hello attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2004-0120
-2545 || EXPLOIT AFP FPLoginExt username buffer overflow attempt || url,www.atstake.com/research/advisories/2004/a050304-1.txt || cve,2004-0430 || bugtraq,10271
-2546 || FTP MDTM overflow attempt || bugtraq,9751
-2547 || MISC HP Web JetAdmin remote file upload attempt || bugtraq,9978
-2548 || MISC HP Web JetAdmin setinfo access || bugtraq,9972
-2549 || MISC HP Web JetAdmin file write attempt || bugtraq,9973
-2550 || EXPLOIT winamp XM module name overflow || url,www.nextgenss.com/advisories/winampheap.txt
-2551 || EXPLOIT Oracle Web Cache GET overflow attempt || cve,2004-0385 || bugtraq,9868
-2552 || EXPLOIT Oracle Web Cache HEAD overflow attempt || cve,2004-0385 || bugtraq,9868
-2553 || EXPLOIT Oracle Web Cache PUT overflow attempt || cve,2004-0385 || bugtraq,9868
-2554 || EXPLOIT Oracle Web Cache POST overflow attempt || cve,2004-0385 || bugtraq,9868
-2555 || EXPLOIT Oracle Web Cache TRACE overflow attempt || cve,2004-0385 || bugtraq,9868
-2556 || EXPLOIT Oracle Web Cache DELETE overflow attempt || cve,2004-0385 || bugtraq,9868
-2557 || EXPLOIT Oracle Web Cache LOCK overflow attempt || cve,2004-0385 || bugtraq,9868
-2558 || EXPLOIT Oracle Web Cache MKCOL overflow attempt || cve,2004-0385 || bugtraq,9868
-2559 || EXPLOIT Oracle Web Cache COPY overflow attempt || cve,2004-0385 || bugtraq,9868
-2560 || EXPLOIT Oracle Web Cache MOVE overflow attempt || cve,2004-0385 || bugtraq,9868
-2561 || MISC rsync backup-dir directory traversal attempt || cve,2004-0426 || bugtraq,10247
-2562 || WEB-MISC McAfee ePO file upload attempt || cve,2004-0038 || bugtraq,10200
-2563 || NETBIOS NS lookup response name overflow attempt || url,www.eeye.com/html/Research/Advisories/AD20040512A.html || cve,2004-0445 || cve,2004-0444 || bugtraq,10334 || bugtraq,10333
-2564 || NETBIOS NS lookup short response attempt || url,www.eeye.com/html/Research/Advisories/AD20040512C.html || cve,2004-0445 || cve,2004-0444 || bugtraq,10335 || bugtraq,10334
-2565 || WEB-PHP modules.php access || bugtraq,9879
-2566 || WEB-PHP PHPBB viewforum.php access || bugtraq,9866
-2567 || WEB-CGI Emumail init.emu access || bugtraq,9861
-2568 || WEB-CGI Emumail emumail.fcgi access || bugtraq,9861
-2569 || WEB-MISC cPanel resetpass access || bugtraq,9848
-2570 || WEB-MISC Invalid HTTP Version String || nessus,11593 || bugtraq,9809
-2571 || WEB-IIS SmarterTools SmarterMail frmGetAttachment.aspx access || bugtraq,9805
-2572 || WEB-IIS SmarterTools SmarterMail login.aspx buffer overflow attempt || bugtraq,9805
-2573 || WEB-IIS SmarterTools SmarterMail frmCompose.asp access || bugtraq,9805
-2574 || FTP RETR format string attempt || bugtraq,9800
-2575 || WEB-PHP Opt-X header.php remote file include attempt || bugtraq,9732
-2576 || ORACLE generate_replication_support prefix overflow attempt
-2577 || WEB-CLIENT local resource redirection attempt || url,www.kb.cert.org/vuls/id/713878 || cve,2004-0549
diff --git a/scripts/s2b/snort_rules2.2/smtp.rules b/scripts/s2b/snort_rules2.2/smtp.rules
deleted file mode 100644
index 80d522d5c7..0000000000
--- a/scripts/s2b/snort_rules2.2/smtp.rules
+++ /dev/null
@@ -1,68 +0,0 @@
-# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
-#    All rights reserved.
-# $Id: smtp.rules 91 2004-07-15 08:13:57Z rwinslow $
-#-----------
-# SMTP RULES
-#-----------
-
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP RCPT TO overflow"; flow:to_server,established; content:"rcpt to|3A|"; nocase; isdataat:300,relative; pcre:"/^RCPT TO\s[^\n]{300}/ism"; reference:bugtraq,2283; reference:bugtraq,9696; reference:cve,2001-0260; classtype:attempted-admin; sid:654; rev:13;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP chameleon overflow"; flow:to_server,established; content:"HELP"; nocase; isdataat:500,relative; pcre:"/^HELP\s[^\n]{500}/ism"; reference:arachnids,266; reference:bugtraq,2387; reference:cve,1999-0261; classtype:attempted-admin; sid:657; rev:12;)
-alert tcp $EXTERNAL_NET 113 -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 8.6.9 exploit"; flow:to_server,established; content:"|0A|D/"; reference:arachnids,140; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-admin; sid:655; rev:8;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP exchange mime DOS"; flow:to_server,established; content:"charset = |22 22|"; classtype:attempted-dos; sid:658; rev:5;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP expn decode"; flow:to_server,established; content:"expn"; nocase; content:"decode"; nocase; pcre:"/^expn\s+decode/smi"; reference:arachnids,32; classtype:attempted-recon; sid:659; rev:6;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP expn root"; flow:to_server,established; content:"expn"; nocase; content:"root"; nocase; pcre:"/^expn\s+root/smi"; reference:arachnids,31; classtype:attempted-recon; sid:660; rev:7;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP expn *@"; flow:to_server,established; content:"expn"; nocase; content:"*@"; pcre:"/^expn\s+\*@/smi"; reference:cve,1999-1200; classtype:misc-attack; sid:1450; rev:5;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP majordomo ifs"; flow:to_server,established; content:"eply-to|3A| a~.`/bin/"; reference:arachnids,143; reference:cve,1999-0208; classtype:attempted-admin; sid:661; rev:6;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 5.5.5 exploit"; flow:to_server,established; content:"mail from|3A| |22 7C|"; nocase; reference:arachnids,119; classtype:attempted-admin; sid:662; rev:5;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP rcpt to command attempt"; flow:to_server,established; content:"rcpt to|3A|"; nocase; pcre:"/^rcpt\s+to\:\s+[|\x3b]/smi"; reference:arachnids,172; reference:bugtraq,1; reference:cve,1999-0095; classtype:attempted-admin; sid:663; rev:13;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP RCPT TO decode attempt"; flow:to_server,established; content:"rcpt to|3A|"; content:"decode"; distance:0; nocase; pcre:"/^rcpt to\:\s+decode/smi"; reference:arachnids,121; reference:bugtraq,2308; reference:cve,1999-0203; classtype:attempted-admin; sid:664; rev:13;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 5.6.5 exploit"; flow:to_server,established; content:"MAIL FROM|3A| |7C|/usr/ucb/tail"; nocase; reference:arachnids,122; classtype:attempted-user; sid:665; rev:5;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 8.6.10 exploit"; flow:to_server,established; content:"Croot|0D 0A|Mprog, P=/bin/"; reference:arachnids,123; classtype:attempted-user; sid:667; rev:5;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 8.6.10 exploit"; flow:to_server,established; content:"Croot|09 09 09 09 09 09 09|Mprog,P=/bin"; reference:arachnids,124; classtype:attempted-user; sid:668; rev:6;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 8.6.9 exploit"; flow:to_server,established; content:"|0A|Croot|0A|Mprog"; reference:arachnids,142; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:669; rev:8;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 8.6.9 exploit"; flow:to_server,established; content:"|0A|C|3A|daemon|0A|R"; reference:arachnids,139; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:670; rev:7;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 8.6.9c exploit"; flow:to_server,established; content:"|0A|Croot|0D 0A|Mprog"; reference:arachnids,141; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:671; rev:8;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP vrfy decode"; flow:to_server,established; content:"vrfy"; nocase; content:"decode"; distance:1; nocase; pcre:"/^vrfy\s+decode/smi"; reference:arachnids,373; classtype:attempted-recon; sid:672; rev:6;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP vrfy root"; flow:to_server,established; content:"vrfy"; nocase; content:"root"; distance:1; nocase; pcre:"/^vrfy\s+root/smi"; classtype:attempted-recon; sid:1446; rev:6;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP ehlo cybercop attempt"; flow:to_server,established; content:"ehlo cybercop|0A|quit|0A|"; reference:arachnids,372; classtype:protocol-command-decode; sid:631; rev:6;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP expn cybercop attempt"; flow:to_server,established; content:"expn cybercop"; reference:arachnids,371; classtype:protocol-command-decode; sid:632; rev:5;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP HELO overflow attempt"; flow:to_server,established; content:"HELO"; isdataat:500,relative; pcre:"/^HELO\s[^\n]{500}/smi"; reference:bugtraq,7726; reference:bugtraq,895; reference:cve,2000-0042; reference:nessus,10324; reference:nessus,11674; classtype:attempted-admin; sid:1549; rev:16;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP ETRN overflow attempt"; flow:to_server,established; content:"ETRN"; isdataat:500,relative; pcre:"/^ETRN\s[^\n]{500}/smi"; reference:bugtraq,1297; reference:cve,2000-0490; classtype:attempted-admin; sid:1550; rev:10;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP From comment overflow attempt"; flow:to_server,established; content:"From|3A|"; content:"<><><><><><><><><><><><><><><><><><><><><><>"; distance:0; content:"|28|"; distance:1; content:"|29|"; distance:1; reference:cve,2002-1337; reference:url,www.kb.cert.org/vuls/id/398025; classtype:attempted-admin; sid:2087; rev:5;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP Content-Transfer-Encoding overflow attempt"; flow:to_server,established; content:"Content-Transfer-Encoding|3A|"; isdataat:100,relative; content:!"|0A|"; within:100; reference:cve,2003-0161; reference:url,www.cert.org/advisories/CA-2003-12.html; classtype:attempted-admin; sid:2183; rev:5;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP XEXCH50 overflow attempt"; flow:to_server,established; content:"XEXCH50"; nocase; pcre:"/^XEXCH50\s+-\d/smi"; reference:url,www.microsoft.com/technet/security/bulletin/MS03-046.mspx; classtype:attempted-admin; sid:2253; rev:3;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP EXPN overflow attempt"; flow:to_server,established; content:"EXPN"; nocase; pcre:"/^EXPN[^\n]{255,}/smi"; reference:bugtraq,6991; reference:bugtraq,7230; reference:cve,2002-1337; reference:cve,2003-0161; classtype:attempted-admin; sid:2259; rev:5;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP VRFY overflow attempt"; flow:to_server,established; content:"VRFY"; nocase; pcre:"/^VRFY[^\n]{255,}/smi"; reference:bugtraq,6991; reference:bugtraq,7230; reference:cve,2002-1337; reference:cve,2003-0161; classtype:attempted-admin; sid:2260; rev:5;)
-
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP SEND FROM sendmail prescan too many addresses overflow"; flow:to_server,established; content:"SEND FROM|3A|"; nocase; pcre:"/^SEND FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi"; reference:bugtraq,6991; reference:cve,2002-1337; classtype:attempted-admin; sid:2261; rev:4;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP SEND FROM sendmail prescan too long addresses overflow"; flow:to_server,established; content:"SEND FROM|3A|"; nocase; pcre:"/^SEND FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi"; reference:bugtraq,7230; reference:cve,2003-0161; classtype:misc-attack; sid:2262; rev:4;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP SAML FROM sendmail prescan too many addresses overflow"; flow:to_server,established; content:"SAML FROM|3A|"; nocase; pcre:"/^SAML FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi"; reference:bugtraq,6991; reference:cve,2002-1337; classtype:attempted-admin; sid:2263; rev:6;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP SAML FROM sendmail prescan too long addresses overflow"; flow:to_server,established; content:"SAML FROM|3A|"; nocase; pcre:"/^SAML FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi"; reference:bugtraq,7230; reference:cve,2003-0161; classtype:misc-attack; sid:2264; rev:4;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP SOML FROM sendmail prescan too many addresses overflow"; flow:to_server,established; content:"SOML FROM|3A|"; nocase; pcre:"/^SOML FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi"; reference:bugtraq,6991; reference:cve,2002-1337; classtype:attempted-admin; sid:2265; rev:4;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP SOML FROM sendmail prescan too long addresses overflow"; flow:to_server,established; content:"SOML FROM|3A|"; nocase; pcre:"/^SOML FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi"; reference:bugtraq,7230; reference:cve,2003-0161; classtype:misc-attack; sid:2266; rev:4;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP MAIL FROM sendmail prescan too many addresses overflow"; flow:to_server,established; content:"MAIL FROM|3A|"; nocase; pcre:"/^MAIL FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi"; reference:bugtraq,6991; reference:cve,2002-1337; classtype:attempted-admin; sid:2267; rev:4;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP MAIL FROM sendmail prescan too long addresses overflow"; flow:to_server,established; content:"MAIL FROM|3A|"; nocase; pcre:"/^MAIL FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi"; reference:bugtraq,7230; reference:cve,2003-0161; classtype:attempted-admin; sid:2268; rev:4;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP RCPT TO sendmail prescan too many addresses overflow"; flow:to_server,established; content:"RCPT TO|3A|"; nocase; pcre:"/^RCPT TO\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi"; reference:bugtraq,6991; reference:cve,2002-1337; classtype:attempted-admin; sid:2269; rev:4;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP RCPT TO sendmail prescan too long addresses overflow"; flow:to_server,established; content:"RCPT TO|3A|"; nocase; pcre:"/^RCPT TO\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi"; reference:bugtraq,7230; reference:cve,2003-0161; classtype:attempted-admin; sid:2270; rev:4;)
-alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP AUTH LOGON brute force attempt"; flow:from_server,established; content:"Authentication unsuccessful"; offset:54; nocase; threshold:type threshold, track by_dst, count 5, seconds 60; classtype:suspicious-login; sid:2275; rev:2;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP WinZip MIME content-type buffer overflow"; flow:to_server, established; content:"Content-Type|3A|"; nocase; pcre:"/name=[^\r\n]*?\.(mim|uue|uu|b64|bhx|hqx|xxe)/smi"; pcre:"/(name|id|number|total|boundary)=\s*[^\r\n\x3b\s\x2c]{300}/smi"; reference:bugtraq,9758; classtype:attempted-user; sid:2487; rev:4;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP WinZip MIME content-disposition buffer overflow"; flow:to_server, established; content:"Content-Type|3A|"; nocase; pcre:"/name=[^\r\n]*?\.(mim|uue|uu|b64|bhx|hqx|xxe)/smi"; content:"Content-Disposition|3A|"; nocase; pcre:"/name=\s*[^\r\n\x3b\s\x2c]{300}/smi"; reference:bugtraq,9758; classtype:attempted-user; sid:2488; rev:4;)
-
-
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP SSLv3 invalid data version attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; content:!"|03|"; depth:1; offset:9; reference:bugtraq,10115; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2504; rev:6;)
-
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP Client_Hello overflow attempt"; flow:to_server,established; content:"|01|"; depth:1; offset:2; byte_test:2,>,0,6; byte_test:2,!,0,8; byte_test:2,!,16,8; byte_test:2,>,20,10; content:"|8F|"; depth:1; offset:11; byte_test:2,>,32768,0,relative; reference:bugtraq,10116; reference:cve,2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2519; rev:9;)
-
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; flowbits:set,sslv3.client_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2538; rev:3;)
-alert tcp $SMTP_SERVERS 465 -> $EXTERNAL_NET any (msg:"SMTP SSLv3 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|02|"; depth:1; offset:5; flowbits:set,sslv3.server_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2539; rev:3;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP SSLv3 invalid Client_Hello attempt"; flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2540; rev:3;)
-
-
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP STARTTLS attempt"; flow:to_server,established; content:"STARTTLS|0D 0A|"; within:10; flowbits:set,starttls.attempt; flowbits:noalert; classtype:protocol-command-decode; sid:2527; rev:3;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP TLS SSLv3 invalid data version attempt"; flow:to_server,established; flowbits:isset,starttls.attempt; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; content:!"|03|"; depth:1; offset:9; reference:bugtraq,10115; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2541; rev:5;)
-
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP TLS PCT Client_Hello overflow attempt"; flow:to_server,established; flowbits:isset,starttls.attempt; content:"|01|"; depth:1; offset:2; byte_test:2,>,0,6; byte_test:2,!,0,8; byte_test:2,!,16,8; byte_test:2,>,20,10; content:"|8F|"; depth:1; offset:11; byte_test:2,>,32768,0,relative; reference:bugtraq,10116; reference:cve,2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2528; rev:7;)
-
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP TLS SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isset,starttls.attempt; flowbits:isnotset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; flowbits:set,sslv3.client_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2542; rev:3;)
-alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP TLS SSLv3 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|02|"; depth:1; offset:5; flowbits:set,sslv3.server_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2543; rev:3;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP TLS SSLv3 invalid Client_Hello attempt"; flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2544; rev:3;)
diff --git a/scripts/s2b/snort_rules2.2/snmp.rules b/scripts/s2b/snort_rules2.2/snmp.rules
deleted file mode 100644
index 6ec526f1f5..0000000000
--- a/scripts/s2b/snort_rules2.2/snmp.rules
+++ /dev/null
@@ -1,24 +0,0 @@
-# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
-#    All rights reserved.
-# $Id: snmp.rules 91 2004-07-15 08:13:57Z rwinslow $
-# ---------------
-# SNMP RULES
-# ---------------
-#
-alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP missing community string attempt"; content:"|04 00|"; depth:15; offset:5; reference:bugtraq,2112; reference:cve,1999-0517; classtype:misc-attack; sid:1893; rev:4;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP null community string attempt"; content:"|04 01 00|"; depth:15; offset:5; reference:bugtraq,2112; reference:bugtraq,8974; reference:cve,1999-0517; classtype:misc-attack; sid:1892; rev:6;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 161:162 (msg:"SNMP community string buffer overflow attempt"; content:"|02 01 00 04 82 01 00|"; offset:4; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; reference:url,www.cert.org/advisories/CA-2002-03.html; classtype:misc-attack; sid:1409; rev:10;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 161:162 (msg:"SNMP community string buffer overflow attempt with evasion"; content:" |04 82 01 00|"; depth:5; offset:7; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; reference:url,www.cert.org/advisories/CA-2002-03.html; classtype:misc-attack; sid:1422; rev:10;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP public access udp"; content:"public"; reference:bugtraq,2112; reference:bugtraq,4088; reference:bugtraq,4089; reference:cve,1999-0517; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1411; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP public access tcp"; flow:to_server,established; content:"public"; reference:bugtraq,2112; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,7212; reference:cve,1999-0517; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1412; rev:13;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP private access udp"; content:"private"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:bugtraq,7212; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1413; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP private access tcp"; flow:to_server,established; content:"private"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1414; rev:11;)
-alert udp any any -> 255.255.255.255 161 (msg:"SNMP Broadcast request"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1415; rev:9;)
-alert udp any any -> 255.255.255.255 162 (msg:"SNMP broadcast trap"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1416; rev:9;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP request udp"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1417; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP request tcp"; flow:stateless; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1418; rev:11;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"SNMP trap udp"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1419; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"SNMP trap tcp"; flow:stateless; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1420; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 705 (msg:"SNMP AgentX/tcp request"; flow:stateless; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1421; rev:11;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP PROTOS test-suite-req-app attempt"; content:"0&|02 01 00 04 06|public|A0 19 02 01 00 02 01 00 02 01 00|0|0E|0|0C 06 08|+|06 01 02 01 01 05 00 05 00|"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html; classtype:misc-attack; sid:1426; rev:5;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"SNMP PROTOS test-suite-trap-app attempt"; content:"08|02 01 00 04 06|public|A4|+|06|"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html; classtype:misc-attack; sid:1427; rev:4;)
diff --git a/scripts/s2b/snort_rules2.2/snort.conf b/scripts/s2b/snort_rules2.2/snort.conf
deleted file mode 100644
index 205d4b6625..0000000000
--- a/scripts/s2b/snort_rules2.2/snort.conf
+++ /dev/null
@@ -1,617 +0,0 @@
-#--------------------------------------------------
-#   http://www.snort.org     Snort 2.1.0 Ruleset
-#     Contact: snort-sigs@lists.sourceforge.net
-#--------------------------------------------------
-# $Id: snort.conf 91 2004-07-15 08:13:57Z rwinslow $
-#
-###################################################
-# This file contains a sample snort configuration. 
-# You can take the following steps to create your own custom configuration:
-#
-#  1) Set the network variables for your network
-#  2) Configure preprocessors
-#  3) Configure output plugins
-#  4) Customize your rule set
-#
-###################################################
-# Step #1: Set the network variables:
-#
-# You must change the following variables to reflect your local network. The
-# variable is currently setup for an RFC 1918 address space.
-#
-# You can specify it explicitly as: 
-#
-# var HOME_NET 10.1.1.0/24
-#
-# or use global variable $<interfacename>_ADDRESS which will be always
-# initialized to IP address and netmask of the network interface which you run
-# snort at.  Under Windows, this must be specified as
-# $(<interfacename>_ADDRESS), such as:
-# $(\Device\Packet_{12345678-90AB-CDEF-1234567890AB}_ADDRESS)
-#
-# var HOME_NET $eth0_ADDRESS
-#
-# You can specify lists of IP addresses for HOME_NET
-# by separating the IPs with commas like this:
-#
-# var HOME_NET [10.1.1.0/24,192.168.1.0/24]
-#
-# MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
-#
-# or you can specify the variable to be any IP address
-# like this:
-
-var HOME_NET any
-
-# Set up the external network addresses as well.  A good start may be "any"
-var EXTERNAL_NET any
-
-# Configure your server lists.  This allows snort to only look for attacks to
-# systems that have a service up.  Why look for HTTP attacks if you are not
-# running a web server?  This allows quick filtering based on IP addresses
-# These configurations MUST follow the same configuration scheme as defined
-# above for $HOME_NET.  
-
-# List of DNS servers on your network 
-var DNS_SERVERS $HOME_NET
-
-# List of SMTP servers on your network
-var SMTP_SERVERS $HOME_NET
-
-# List of web servers on your network
-var HTTP_SERVERS $HOME_NET
-
-# List of sql servers on your network 
-var SQL_SERVERS $HOME_NET
-
-# List of telnet servers on your network
-var TELNET_SERVERS $HOME_NET
-
-# List of snmp servers on your network
-var SNMP_SERVERS $HOME_NET
-
-# Configure your service ports.  This allows snort to look for attacks destined
-# to a specific application only on the ports that application runs on.  For
-# example, if you run a web server on port 8081, set your HTTP_PORTS variable
-# like this:
-#
-# var HTTP_PORTS 8081
-#
-# Port lists must either be continuous [eg 80:8080], or a single port [eg 80].
-# We will adding support for a real list of ports in the future.
-
-# Ports you run web servers on
-#
-# Please note:  [80,8080] does not work.
-# If you wish to define multiple HTTP ports,
-# 
-## var HTTP_PORTS 80 
-## include somefile.rules 
-## var HTTP_PORTS 8080
-## include somefile.rules 
-var HTTP_PORTS 80
-
-# Ports you want to look for SHELLCODE on.
-var SHELLCODE_PORTS !80
-
-# Ports you do oracle attacks on
-var ORACLE_PORTS 1521
-
-# other variables
-# 
-# AIM servers.  AOL has a habit of adding new AIM servers, so instead of
-# modifying the signatures when they do, we add them to this list of servers.
-var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
-
-# Path to your rules files (this can be a relative path)
-var RULE_PATH ../rules
-
-# Configure the snort decoder
-# ============================
-#
-# Snort's decoder will alert on lots of things such as header
-# truncation or options of unusual length or infrequently used tcp options
-#
-#
-# Stop generic decode events:
-#
-# config disable_decode_alerts
-#
-# Stop Alerts on experimental TCP options
-#
-# config disable_tcpopt_experimental_alerts
-#
-# Stop Alerts on obsolete TCP options
-#
-# config disable_tcpopt_obsolete_alerts
-#
-# Stop Alerts on T/TCP alerts
-#
-# In snort 2.0.1 and above, this only alerts when a TCP option is detected
-# that shows T/TCP being actively used on the network.  If this is normal
-# behavior for your network, disable the next option.
-#
-# config disable_tcpopt_ttcp_alerts
-#
-# Stop Alerts on all other TCPOption type events:
-#
-# config disable_tcpopt_alerts
-#
-# Stop Alerts on invalid ip options
-#
-# config disable_ipopt_alerts
-
-# Configure the detection engine
-# ===============================
-#
-# Use a different pattern matcher in case you have a machine with very limited
-# resources:
-#
-# config detection: search-method lowmem
-
-###################################################
-# Step #2: Configure preprocessors
-#
-# General configuration for preprocessors is of 
-# the form
-# preprocessor <name_of_processor>: <configuration_options>
-
-# Configure Flow tracking module
-# -------------------------------
-#
-# The Flow tracking module is meant to start unifying the state keeping
-# mechanisms of snort into a single place. Right now, only a portscan detector
-# is implemented but in the long term,  many of the stateful subsystems of
-# snort will be migrated over to becoming flow plugins. This must be enabled
-# for flow-portscan to work correctly.
-#
-# See README.flow for additional information
-#
-preprocessor flow: stats_interval 0 hash 2
-
-# frag2: IP defragmentation support
-# -------------------------------
-# This preprocessor performs IP defragmentation.  This plugin will also detect
-# people launching fragmentation attacks (usually DoS) against hosts.  No
-# arguments loads the default configuration of the preprocessor, which is a 60
-# second timeout and a 4MB fragment buffer. 
-
-# The following (comma delimited) options are available for frag2
-#    timeout [seconds] - sets the number of [seconds] that an unfinished 
-#                        fragment will be kept around waiting for completion,
-#                        if this time expires the fragment will be flushed
-#    memcap [bytes] - limit frag2 memory usage to [number] bytes
-#                      (default:  4194304)
-#
-#    min_ttl [number] - minimum ttl to accept
-# 
-#    ttl_limit [number] - difference of ttl to accept without alerting
-#                         will cause false positves with router flap
-# 
-# Frag2 uses Generator ID 113 and uses the following SIDS 
-# for that GID:
-#  SID     Event description
-# -----   -------------------
-#   1       Oversized fragment (reassembled frag > 64k bytes)
-#   2       Teardrop-type attack
-
-preprocessor frag2
-
-# stream4: stateful inspection/stream reassembly for Snort
-#----------------------------------------------------------------------
-# Use in concert with the -z [all|est] command line switch to defeat stick/snot
-# against TCP rules.  Also performs full TCP stream reassembly, stateful
-# inspection of TCP streams, etc.  Can statefully detect various portscan
-# types, fingerprinting, ECN, etc.
-
-# stateful inspection directive
-# no arguments loads the defaults (timeout 30, memcap 8388608)
-# options (options are comma delimited):
-#   detect_scans - stream4 will detect stealth portscans and generate alerts
-#                  when it sees them when this option is set
-#   detect_state_problems - detect TCP state problems, this tends to be very
-#                           noisy because there are a lot of crappy ip stack
-#                           implementations out there
-#
-#   disable_evasion_alerts - turn off the possibly noisy mitigation of
-#                            overlapping sequences.
-#
-#
-#   min_ttl [number]       - set a minium ttl that snort will accept to
-#                            stream reassembly
-#
-#   ttl_limit [number]     - differential of the initial ttl on a session versus
-#                             the normal that someone may be playing games.
-#                             Routing flap may cause lots of false positives.
-# 
-#   keepstats [machine|binary] - keep session statistics, add "machine" to 
-#                         get them in a flat format for machine reading, add
-#                         "binary" to get them in a unified binary output 
-#                         format
-#   noinspect - turn off stateful inspection only
-#   timeout [number] - set the session timeout counter to [number] seconds,
-#                      default is 30 seconds
-#   memcap [number] - limit stream4 memory usage to [number] bytes
-#   log_flushed_streams - if an event is detected on a stream this option will
-#                         cause all packets that are stored in the stream4
-#                         packet buffers to be flushed to disk.  This only 
-#                         works when logging in pcap mode!
-#
-# Stream4 uses Generator ID 111 and uses the following SIDS 
-# for that GID:
-#  SID     Event description
-# -----   -------------------
-#   1       Stealth activity
-#   2       Evasive RST packet
-#   3       Evasive TCP packet retransmission
-#   4       TCP Window violation
-#   5       Data on SYN packet
-#   6       Stealth scan: full XMAS
-#   7       Stealth scan: SYN-ACK-PSH-URG
-#   8       Stealth scan: FIN scan
-#   9       Stealth scan: NULL scan
-#   10      Stealth scan: NMAP XMAS scan
-#   11      Stealth scan: Vecna scan
-#   12      Stealth scan: NMAP fingerprint scan stateful detect
-#   13      Stealth scan: SYN-FIN scan
-#   14      TCP forward overlap
-
-preprocessor stream4: disable_evasion_alerts
-
-# tcp stream reassembly directive
-# no arguments loads the default configuration 
-#   Only reassemble the client,
-#   Only reassemble the default list of ports (See below),  
-#   Give alerts for "bad" streams
-#
-# Available options (comma delimited):
-#   clientonly - reassemble traffic for the client side of a connection only
-#   serveronly - reassemble traffic for the server side of a connection only
-#   both - reassemble both sides of a session
-#   noalerts - turn off alerts from the stream reassembly stage of stream4
-#   ports [list] - use the space separated list of ports in [list], "all" 
-#                  will turn on reassembly for all ports, "default" will turn
-#                  on reassembly for ports 21, 23, 25, 53, 80, 143, 110, 111
-#                  and 513
-
-preprocessor stream4_reassemble
-
-# http_inspect: normalize and detect HTTP traffic and protocol anomalies
-#
-# lots of options available here. See doc/README.http_inspect.
-# unicode.map should be wherever your snort.conf lives, or given
-# a full path to where snort can find it.
-preprocessor http_inspect: global \
-    iis_unicode_map unicode.map 1252 
-
-preprocessor http_inspect_server: server default \
-    profile all ports { 80 8080 8180 } oversize_dir_length 500
-
-#
-#  Example unqiue server configuration
-#
-#preprocessor http_inspect_server: server 1.1.1.1 \
-#    ports { 80 3128 8080 } \
-#    flow_depth 0 \
-#    ascii no \
-#    double_decode yes \
-#    non_rfc_char { 0x00 } \
-#    chunk_length 500000 \
-#    non_strict \
-#    oversize_dir_length 300 \
-#    no_alerts
-
-
-# rpc_decode: normalize RPC traffic
-# ---------------------------------
-# RPC may be sent in alternate encodings besides the usual 4-byte encoding
-# that is used by default. This plugin takes the port numbers that RPC
-# services are running on as arguments - it is assumed that the given ports
-# are actually running this type of service. If not, change the ports or turn
-# it off.
-# The RPC decode preprocessor uses generator ID 106
-#
-# arguments: space separated list
-# alert_fragments - alert on any rpc fragmented TCP data
-# no_alert_multiple_requests - don't alert when >1 rpc query is in a packet
-# no_alert_large_fragments - don't alert when the fragmented
-#                            sizes exceed the current packet size
-# no_alert_incomplete - don't alert when a single segment
-#                       exceeds the current packet size
-
-preprocessor rpc_decode: 111 32771
-
-# bo: Back Orifice detector
-# -------------------------
-# Detects Back Orifice traffic on the network.  Takes no arguments in 2.0.
-# 
-# The Back Orifice detector uses Generator ID 105 and uses the 
-# following SIDS for that GID:
-#  SID     Event description
-# -----   -------------------
-#   1       Back Orifice traffic detected
-
-preprocessor bo
-
-# telnet_decode: Telnet negotiation string normalizer
-# ---------------------------------------------------
-# This preprocessor "normalizes" telnet negotiation strings from telnet and ftp
-# traffic.  It works in much the same way as the http_decode preprocessor,
-# searching for traffic that breaks up the normal data stream of a protocol and
-# replacing it with a normalized representation of that traffic so that the
-# "content" pattern matching keyword can work without requiring modifications.
-# This preprocessor requires no arguments.
-# Portscan uses Generator ID 109 and does not generate any SID currently.
-
-preprocessor telnet_decode
-
-# Flow-Portscan: detect a variety of portscans
-# ---------------------------------------
-# Note:  The Flow preprocessor (above) must first be enabled for Flow-Portscan to
-# work.
-#
-# This module detects portscans based off of flow creation in the flow
-# preprocessors.  The goal is to catch catch one->many hosts and one->many
-# ports scans.
-#
-# Flow-Portscan has numerous options available, please read
-# README.flow-portscan for help configuring this option. 
-
-# Flow-Portscan uses Generator ID 121 and uses the following SIDS for that GID:
-#  SID     Event description
-# -----   -------------------
-#   1       flow-portscan: Fixed Scale Scanner Limit Exceeded
-#   2       flow-portscan: Sliding Scale Scanner Limit Exceeded 
-#   3       flow-portscan: Fixed Scale Talker Limit Exceeded
-#   4	    flow-portscan: Sliding Scale Talker Limit Exceeded
-
-# preprocessor flow-portscan: \
-#	talker-sliding-scale-factor 0.50 \
-#	talker-fixed-threshold 30 \
-#	talker-sliding-threshold 30 \
-#	talker-sliding-window 20 \
-#	talker-fixed-window 30 \
-#	scoreboard-rows-talker 30000 \
-#	server-watchnet [10.2.0.0/30] \
-#	server-ignore-limit 200 \
-#	server-rows 65535 \
-#	server-learning-time 14400 \
-#	server-scanner-limit 4 \
-#	scanner-sliding-window 20 \
-#	scanner-sliding-scale-factor 0.50 \
-#	scanner-fixed-threshold 15 \
-#	scanner-sliding-threshold 40 \
-#	scanner-fixed-window 15 \
-#	scoreboard-rows-scanner 30000 \
-#	src-ignore-net [192.168.1.1/32,192.168.0.0/24] \
-#	dst-ignore-net [10.0.0.0/30] \
-#	alert-mode once \
-#	output-mode msg \
-#	tcp-penalties on
-
-# arpspoof
-#----------------------------------------
-# Experimental ARP detection code from Jeff Nathan, detects ARP attacks,
-# unicast ARP requests, and specific ARP mapping monitoring.  To make use of
-# this preprocessor you must specify the IP and hardware address of hosts on
-# the same layer 2 segment as you.  Specify one host IP MAC combo per line.
-# Also takes a "-unicast" option to turn on unicast ARP request detection. 
-# Arpspoof uses Generator ID 112 and uses the following SIDS for that GID:
-
-#  SID     Event description
-# -----   -------------------
-#   1       Unicast ARP request
-#   2       Etherframe ARP mismatch (src)
-#   3       Etherframe ARP mismatch (dst)
-#   4       ARP cache overwrite attack
-
-#preprocessor arpspoof
-#preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
-
-
-# Performance Statistics
-# ----------------------
-# Documentation for this is provided in the Snort Manual.  You should read it.
-# It is included in the release distribution as doc/snort_manual.pdf
-# 
-# preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000
-
-####################################################################
-# Step #3: Configure output plugins
-#
-# Uncomment and configure the output plugins you decide to use.  General
-# configuration for output plugins is of the form:
-#
-# output <name_of_plugin>: <configuration_options>
-#
-# alert_syslog: log alerts to syslog
-# ----------------------------------
-# Use one or more syslog facilities as arguments.  Win32 can also optionally
-# specify a particular hostname/port.  Under Win32, the default hostname is
-# '127.0.0.1', and the default port is 514.
-#
-# [Unix flavours should use this format...]
-# output alert_syslog: LOG_AUTH LOG_ALERT
-#
-# [Win32 can use any of these formats...]
-# output alert_syslog: LOG_AUTH LOG_ALERT
-# output alert_syslog: host=hostname, LOG_AUTH LOG_ALERT
-# output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT
-
-# log_tcpdump: log packets in binary tcpdump format
-# -------------------------------------------------
-# The only argument is the output file name.
-#
-# output log_tcpdump: tcpdump.log
-
-# database: log to a variety of databases
-# ---------------------------------------
-# See the README.database file for more information about configuring
-# and using this plugin.
-#
-# output database: log, mysql, user=root password=test dbname=db host=localhost
-# output database: alert, postgresql, user=snort dbname=snort
-# output database: log, odbc, user=snort dbname=snort
-# output database: log, mssql, dbname=snort user=snort password=test
-# output database: log, oracle, dbname=snort user=snort password=test
-
-# unified: Snort unified binary format alerting and logging
-# -------------------------------------------------------------
-# The unified output plugin provides two new formats for logging and generating
-# alerts from Snort, the "unified" format.  The unified format is a straight
-# binary format for logging data out of Snort that is designed to be fast and
-# efficient.  Used with barnyard (the new alert/log processor), most of the
-# overhead for logging and alerting to various slow storage mechanisms such as
-# databases or the network can now be avoided.  
-#
-# Check out the spo_unified.h file for the data formats.
-#
-# Two arguments are supported.
-#    filename - base filename to write to (current time_t is appended)
-#    limit    - maximum size of spool file in MB (default: 128)
-#
-# output alert_unified: filename snort.alert, limit 128
-# output log_unified: filename snort.log, limit 128
-
-# You can optionally define new rule types and associate one or more output
-# plugins specifically to that type.
-#
-# This example will create a type that will log to just tcpdump.
-# ruletype suspicious
-# {
-#   type log
-#   output log_tcpdump: suspicious.log
-# }
-#
-# EXAMPLE RULE FOR SUSPICIOUS RULETYPE:
-# suspicious tcp $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC Server";)
-#
-# This example will create a rule type that will log to syslog and a mysql
-# database:
-# ruletype redalert
-# {
-#   type alert
-#   output alert_syslog: LOG_AUTH LOG_ALERT
-#   output database: log, mysql, user=snort dbname=snort host=localhost
-# }
-#
-# EXAMPLE RULE FOR REDALERT RULETYPE:
-# redalert tcp $HOME_NET any -> $EXTERNAL_NET 31337 \
-#   (msg:"Someone is being LEET"; flags:A+;)
-
-#
-# Include classification & priority settings
-#
-
-include classification.config
-
-#
-# Include reference systems
-#
-
-include reference.config
-
-####################################################################
-# Step #4: Customize your rule set
-#
-# Up to date snort rules are available at http://www.snort.org
-#
-# The snort web site has documentation about how to write your own custom snort
-# rules.
-#
-# The rules included with this distribution generate alerts based on on
-# suspicious activity. Depending on your network environment, your security
-# policies, and what you consider to be suspicious, some of these rules may
-# either generate false positives ore may be detecting activity you consider to
-# be acceptable; therefore, you are encouraged to comment out rules that are
-# not applicable in your environment.
-#
-# The following individuals contributed many of rules in this distribution.
-#
-# Credits:
-#   Ron Gula <rgula@securitywizards.com> of Network Security Wizards
-#   Max Vision <vision@whitehats.com>
-#   Martin Markgraf <martin@mail.du.gtn.com>
-#   Fyodor Yarochkin <fygrave@tigerteam.net>
-#   Nick Rogness <nick@rapidnet.com>
-#   Jim Forster <jforster@rapidnet.com>
-#   Scott McIntyre <scott@whoi.edu>
-#   Tom Vandepoel <Tom.Vandepoel@ubizen.com>
-#   Brian Caswell <bmc@snort.org>
-#   Zeno <admin@cgisecurity.com>
-#   Ryan Russell <ryan@securityfocus.com>
-
-
-
-#=========================================
-# Include all relevant rulesets here 
-# 
-# The following rulesets are disabled by default:
-#
-#   web-attacks, backdoor, shellcode, policy, porn, info, icmp-info, virus,
-#   chat, multimedia, and p2p
-#            
-# These rules are either site policy specific or require tuning in order to not
-# generate false positive alerts in most enviornments.
-# 
-# Please read the specific include file for more information and
-# README.alert_order for how rule ordering affects how alerts are triggered.
-#=========================================
-
-include $RULE_PATH/local.rules
-include $RULE_PATH/bad-traffic.rules
-include $RULE_PATH/exploit.rules
-include $RULE_PATH/scan.rules
-include $RULE_PATH/finger.rules
-include $RULE_PATH/ftp.rules
-include $RULE_PATH/telnet.rules
-include $RULE_PATH/rpc.rules
-include $RULE_PATH/rservices.rules
-include $RULE_PATH/dos.rules
-include $RULE_PATH/ddos.rules
-include $RULE_PATH/dns.rules
-include $RULE_PATH/tftp.rules
-
-include $RULE_PATH/web-cgi.rules
-include $RULE_PATH/web-coldfusion.rules
-include $RULE_PATH/web-iis.rules
-include $RULE_PATH/web-frontpage.rules
-include $RULE_PATH/web-misc.rules
-include $RULE_PATH/web-client.rules
-include $RULE_PATH/web-php.rules
-
-include $RULE_PATH/sql.rules
-include $RULE_PATH/x11.rules
-include $RULE_PATH/icmp.rules
-include $RULE_PATH/netbios.rules
-include $RULE_PATH/misc.rules
-include $RULE_PATH/attack-responses.rules
-include $RULE_PATH/oracle.rules
-include $RULE_PATH/mysql.rules
-include $RULE_PATH/snmp.rules
-
-include $RULE_PATH/smtp.rules
-include $RULE_PATH/imap.rules
-include $RULE_PATH/pop2.rules
-include $RULE_PATH/pop3.rules
-
-include $RULE_PATH/nntp.rules
-include $RULE_PATH/other-ids.rules
-# include $RULE_PATH/web-attacks.rules
-# include $RULE_PATH/backdoor.rules
-# include $RULE_PATH/shellcode.rules
-# include $RULE_PATH/policy.rules
-# include $RULE_PATH/porn.rules
-# include $RULE_PATH/info.rules
-# include $RULE_PATH/icmp-info.rules
- include $RULE_PATH/virus.rules
-# include $RULE_PATH/chat.rules
-# include $RULE_PATH/multimedia.rules
-# include $RULE_PATH/p2p.rules
-include $RULE_PATH/experimental.rules
-
-# Include any thresholding or suppression commands. See threshold.conf in the
-# <snort src>/etc directory for details. Commands don't necessarily need to be
-# contained in this conf, but a separate conf makes it easier to maintain them. 
-# Uncomment if needed.
-# include threshold.conf
diff --git a/scripts/s2b/snort_rules2.2/sql.rules b/scripts/s2b/snort_rules2.2/sql.rules
deleted file mode 100644
index 3e6994e4d4..0000000000
--- a/scripts/s2b/snort_rules2.2/sql.rules
+++ /dev/null
@@ -1,51 +0,0 @@
-# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
-#    All rights reserved.
-# $Id: sql.rules 91 2004-07-15 08:13:57Z rwinslow $
-#----------
-# SQL RULES
-#----------
-
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB sp_start_job - program execution"; flow:to_server,established; content:"s|00|p|00|_|00|s|00|t|00|a|00|r|00|t|00|_|00|j|00|o|00|b|00|"; depth:32; offset:32; nocase; classtype:attempted-user; sid:676; rev:6;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB sp_password password change"; flow:to_server,established; content:"s|00|p|00|_|00|p|00|a|00|s|00|s|00|w|00|o|00|r|00|d|00|"; nocase; classtype:attempted-user; sid:677; rev:6;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB sp_delete_alert log file deletion"; flow:to_server,established; content:"s|00|p|00|_|00|d|00|e|00|l|00|e|00|t|00|e|00|_|00|a|00|l|00|e|00|"; nocase; classtype:attempted-user; sid:678; rev:6;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB sp_adduser database user creation"; flow:to_server,established; content:"s|00|p|00|_|00|a|00|d|00|d|00|u|00|s|00|e|00|r|00|"; depth:32; offset:32; nocase; classtype:attempted-user; sid:679; rev:6;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_enumresultset possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|e|00|n|00|u|00|m|00|r|00|e|00|s|00|u|00|l|00|t|00|s|00|e|00|t|00|"; offset:32; nocase; reference:bugtraq,2031; reference:cve,2000-1082; classtype:attempted-user; sid:708; rev:8;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB raiserror possible buffer overflow"; flow:to_server,established; content:"r|00|a|00|i|00|s|00|e|00|r|00|r|00|o|00|r|00|"; offset:32; nocase; reference:bugtraq,3733; reference:cve,2001-0542; classtype:attempted-user; sid:1386; rev:8;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_displayparamstmt possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|d|00|i|00|s|00|p|00|l|00|a|00|y|00|p|00|a|00|r|00|a|00|m|00|s|00|t|00|m|00|t|00|"; offset:32; nocase; reference:bugtraq,2030; reference:cve,2000-1081; classtype:attempted-user; sid:702; rev:8;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_setsqlsecurity possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|e|00|t|00|s|00|q|00|l|00|s|00|e|00|c|00|u|00|r|00|i|00|t|00|y|00|"; offset:32; nocase; reference:bugtraq,2043; classtype:attempted-user; sid:703; rev:7;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_cmdshell program execution"; flow:to_server,established; content:"x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; offset:32; nocase; classtype:attempted-user; sid:681; rev:6;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_reg* registry access"; flow:to_server,established; content:"x|00|p|00|_|00|r|00|e|00|g|00|"; depth:32; offset:32; nocase; classtype:attempted-user; sid:689; rev:6;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_printstatements possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|r|00|i|00|n|00|t|00|s|00|t|00|a|00|t|00|e|00|m|00|e|00|n|00|t|00|s|00|"; offset:32; nocase; reference:bugtraq,2041; reference:cve,2000-1086; classtype:attempted-user; sid:690; rev:7;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB shellcode attempt"; flow:to_server,established; content:"9 |D0 00 92 01 C2 00|R|00|U|00|9 |EC 00|"; classtype:shellcode-detect; sid:692; rev:6;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB shellcode attempt"; flow:to_server,established; content:"H|00|%|00|x|00|w|00 90 00 90 00 90 00 90 00 90 00|3|00 C0 00|P|00|h|00|.|00|"; classtype:attempted-user; sid:694; rev:6;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_sprintf possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|p|00|r|00|i|00|n|00|t|00|f|00|"; offset:32; nocase; reference:bugtraq,1204; classtype:attempted-user; sid:695; rev:7;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_showcolv possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|h|00|o|00|w|00|c|00|o|00|l|00|v|00|"; offset:32; nocase; reference:bugtraq,2038; classtype:attempted-user; sid:696; rev:7;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_peekqueue possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|e|00|e|00|k|00|q|00|u|00|e|00|u|00|e|00|"; offset:32; nocase; reference:bugtraq,2040; reference:cve,2000-1085; classtype:attempted-user; sid:697; rev:8;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_proxiedmetadata possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|r|00|o|00|x|00|i|00|e|00|d|00|m|00|e|00|t|00|a|00|d|00|a|00|t|00|a|00|"; offset:32; nocase; reference:bugtraq,2042; reference:cve,2000-1087; classtype:attempted-user; sid:698; rev:8;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_updatecolvbm possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|u|00|p|00|d|00|a|00|t|00|e|00|c|00|o|00|l|00|v|00|b|00|m|00|"; offset:32; nocase; reference:bugtraq,2039; reference:cve,2000-1084; classtype:attempted-user; sid:700; rev:8;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL sp_start_job - program execution"; flow:to_server,established; content:"s|00|p|00|_|00|s|00|t|00|a|00|r|00|t|00|_|00|j|00|o|00|b|00|"; nocase; classtype:attempted-user; sid:673; rev:5;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_displayparamstmt possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|d|00|i|00|s|00|p|00|l|00|a|00|y|00|p|00|a|00|r|00|a|00|m|00|s|00|t|00|m|00|t"; nocase; reference:bugtraq,2030; reference:cve,2000-1081; classtype:attempted-user; sid:674; rev:6;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_setsqlsecurity possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|e|00|t|00|s|00|q|00|l|00|s|00|e|00|c|00|u|00|r|00|i|00|t|00|y|00|"; nocase; reference:bugtraq,2043; classtype:attempted-user; sid:675; rev:6;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_enumresultset possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|e|00|n|00|u|00|m|00|r|00|e|00|s|00|u|00|l|00|t|00|s|00|e|00|t|00|"; nocase; classtype:attempted-user; sid:682; rev:6;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL sp_password - password change"; flow:to_server,established; content:"s|00|p|00|_|00|p|00|a|00|s|00|s|00|w|00|o|00|r|00|d|00|"; nocase; classtype:attempted-user; sid:683; rev:5;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL sp_delete_alert log file deletion"; flow:to_server,established; content:"s|00|p|00|_|00|d|00|e|00|l|00|e|00|t|00|e|00|_|00|a|00|l|00|e|00|r|00|t|00|"; nocase; classtype:attempted-user; sid:684; rev:5;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL sp_adduser - database user creation"; flow:to_server,established; content:"s|00|p|00|_|00|a|00|d|00|d|00|u|00|s|00|e|00|r|00|"; nocase; classtype:attempted-user; sid:685; rev:5;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_reg* - registry access"; flow:to_server,established; content:"x|00|p|00|_|00|r|00|e|00|g|00|"; nocase; classtype:attempted-user; sid:686; rev:5;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_cmdshell - program execution"; flow:to_server,established; content:"x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; nocase; classtype:attempted-user; sid:687; rev:5;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL shellcode attempt"; flow:to_server,established; content:"9 |D0 00 92 01 C2 00|R|00|U|00|9 |EC 00|"; classtype:shellcode-detect; sid:691; rev:5;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL shellcode attempt"; flow:to_server,established; content:"H|00|%|00|x|00|w|00 90 00 90 00 90 00 90 00 90 00|3|00 C0 00|P|00|h|00|.|00|"; classtype:shellcode-detect; sid:693; rev:5;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_printstatements possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|r|00|i|00|n|00|t|00|s|00|t|00|a|00|t|00|e|00|m|00|e|00|n|00|t|00|s|00|"; nocase; reference:bugtraq,2041; reference:cve,2000-1086; classtype:attempted-user; sid:699; rev:7;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_updatecolvbm possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|u|00|p|00|d|00|a|00|t|00|e|00|c|00|o|00|l|00|v|00|b|00|m|00|"; nocase; reference:bugtraq,2039; reference:cve,2000-1084; classtype:attempted-user; sid:701; rev:7;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_sprintf possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|p|00|r|00|i|00|n|00|t|00|f|00|"; nocase; reference:bugtraq,1204; classtype:attempted-user; sid:704; rev:6;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_showcolv possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|h|00|o|00|w|00|c|00|o|00|l|00|v|00|"; nocase; reference:bugtraq,2038; reference:cve,2000-1083; classtype:attempted-user; sid:705; rev:7;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_peekqueue possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|e|00|e|00|k|00|q|00|u|00|e|00|u|00|e|00|"; nocase; reference:bugtraq,2040; reference:cve,2000-1085; classtype:attempted-user; sid:706; rev:7;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_proxiedmetadata possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|r|00|o|00|x|00|i|00|e|00|d|00|m|00|e|00|t|00|a|00|d|00|a|00|t|00|a|00|"; nocase; reference:bugtraq,2024; reference:cve,1999-0287; reference:cve,2000-1087; classtype:attempted-user; sid:707; rev:8;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL raiserror possible buffer overflow"; flow:to_server,established; content:"r|00|a|00|i|00|s|00|e|00|r|00|r|00|o|00|r|00|"; nocase; reference:bugtraq,3733; reference:cve,2001-0542; classtype:attempted-user; sid:1387; rev:7;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 445 (msg:"MS-SQL xp_cmdshell program execution 445"; flow:to_server,established; content:"x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; nocase; classtype:attempted-user; sid:1759; rev:5;)
-alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"MS-SQL sa login failed"; flow:from_server,established; content:"Login failed for user 'sa'"; classtype:unsuccessful-user; sid:688; rev:6;)
-alert tcp $SQL_SERVERS 139 -> $EXTERNAL_NET any (msg:"MS-SQL/SMB sa login failed"; flow:from_server,established; content:"Login failed for user 'sa'"; offset:83; classtype:attempted-user; sid:680; rev:6;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Worm propagation attempt"; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1 01|"; content:"sock"; content:"send"; reference:bugtraq,5310; reference:bugtraq,5311; reference:cve,2002-0649; reference:url,vil.nai.com/vil/content/v_99992.htm; classtype:misc-attack; sid:2003; rev:6;)
-alert udp $HOME_NET any -> $EXTERNAL_NET 1434 (msg:"MS-SQL Worm propagation attempt OUTBOUND"; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1|"; content:"sock"; content:"send"; reference:bugtraq,5310; reference:bugtraq,5311; reference:cve,2002-0649; reference:url,vil.nai.com/vil/content/v_99992.htm; classtype:misc-attack; sid:2004; rev:5;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL ping attempt"; content:"|02|"; depth:1; reference:nessus,10674; classtype:misc-activity; sid:2049; rev:2;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL version overflow attempt"; dsize:>100; content:"|04|"; depth:1; reference:bugtraq,5310; reference:cve,2002-0649; reference:nessus,10674; classtype:misc-activity; sid:2050; rev:5;)
-alert udp $EXTERNAL_NET any -> $SQL_SERVERS any (msg:"MS-SQL probe response overflow attempt"; content:"|05|"; depth:1; byte_test:2,>,512,1; content:"|3B|"; distance:0; isdataat:512,relative; content:!"|3B|"; within:512; reference:bugtraq,9407; reference:cve,2003-0903; reference:url,www.microsoft.com/technet/security/bulletin/MS04-003.mspx; classtype:attempted-user; sid:2329; rev:6;)
diff --git a/scripts/s2b/snort_rules2.2/telnet.rules b/scripts/s2b/snort_rules2.2/telnet.rules
deleted file mode 100644
index a07b395e3b..0000000000
--- a/scripts/s2b/snort_rules2.2/telnet.rules
+++ /dev/null
@@ -1,27 +0,0 @@
-# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
-#    All rights reserved.
-# $Id: telnet.rules 91 2004-07-15 08:13:57Z rwinslow $
-#-------------
-# TELNET RULES
-#-------------
-#
-# These signatures are based on various telnet exploits and unpassword
-# protected accounts.
-#
-
-
-alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET Solaris memory mismanagement exploit attempt"; flow:to_server,established; content:"|A0 23 A0 10 AE 23 80 10 EE 23 BF EC 82 05 E0 D6 90|%|E0|"; classtype:shellcode-detect; sid:1430; rev:7;)
-alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET SGI telnetd format bug"; flow:to_server,established; content:"_RLD"; content:"bin/sh"; reference:arachnids,304; classtype:attempted-admin; sid:711; rev:5;)
-alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET ld_library_path"; flow:to_server,established; content:"ld_library_path"; reference:arachnids,367; reference:bugtraq,459; reference:cve,1999-0073; classtype:attempted-admin; sid:712; rev:8;)
-alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET livingston DOS"; flow:to_server,established; content:"|FF F3 FF F3 FF F3 FF F3 FF F3|"; rawbytes; reference:arachnids,370; classtype:attempted-dos; sid:713; rev:7;)
-alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET resolv_host_conf"; flow:to_server,established; content:"resolv_host_conf"; reference:arachnids,369; classtype:attempted-admin; sid:714; rev:4;)
-alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"TELNET Attempted SU from wrong group"; flow:from_server,established; content:"to su root"; nocase; classtype:attempted-admin; sid:715; rev:6;)
-alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"TELNET not on console"; flow:from_server,established; content:"not on system console"; nocase; reference:arachnids,365; classtype:bad-unknown; sid:717; rev:6;)
-alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"TELNET login incorrect"; flow:from_server,established; content:"Login incorrect"; reference:arachnids,127; classtype:bad-unknown; sid:718; rev:7;)
-alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"TELNET root login"; flow:from_server,established; content:"login|3A| root"; classtype:suspicious-login; sid:719; rev:7;)
-alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"TELNET bsd telnet exploit response"; flow:from_server,established; content:"|0D 0A|[Yes]|0D 0A FF FE 08 FF FD|&"; rawbytes; reference:bugtraq,3064; reference:cve,2001-0554; classtype:attempted-admin; sid:1252; rev:13;)
-alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET bsd exploit client finishing"; dsize:>200; flow:to_client,established; content:"|FF F6 FF F6 FF FB 08 FF F6|"; depth:50; offset:200; rawbytes; reference:bugtraq,3064; reference:cve,2001-0554; classtype:successful-admin; sid:1253; rev:11;)
-alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET 4Dgifts SGI account attempt"; flow:to_server,established; content:"4Dgifts"; reference:cve,1999-0501; classtype:suspicious-login; sid:709; rev:7;)
-alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET EZsetup account attempt"; flow:to_server,established; content:"OutOfBox"; reference:cve,1999-0501; classtype:suspicious-login; sid:710; rev:7;)
-alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET APC SmartSlot default admin account attempt"; flow:to_server,established; content:"TENmanUFactOryPOWER"; reference:bugtraq,9681; classtype:suspicious-login; sid:2406; rev:1;)
-alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"TELNET access"; flow:from_server,established; content:"|FF FD|"; rawbytes; content:"|FF FD|"; distance:0; rawbytes; content:"|FF FD|"; distance:0; rawbytes; reference:arachnids,08; reference:cve,1999-0619; classtype:not-suspicious; sid:716; rev:10;)
diff --git a/scripts/s2b/snort_rules2.2/tftp.rules b/scripts/s2b/snort_rules2.2/tftp.rules
deleted file mode 100644
index 63d86fa8f3..0000000000
--- a/scripts/s2b/snort_rules2.2/tftp.rules
+++ /dev/null
@@ -1,24 +0,0 @@
-# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
-#    All rights reserved.
-# $Id: tftp.rules 91 2004-07-15 08:13:57Z rwinslow $
-#-----------
-# TFTP RULES
-#-----------
-#
-# These signatures are based on TFTP traffic.  These include malicious files
-# that are distributed via TFTP.
-#
-# The last two signatures refer to generic GET and PUT via TFTP, which is
-# generally frowned upon on most networks, but may be used in some enviornments
-
-alert udp any any -> any 69 (msg:"TFTP GET filename overflow attempt"; content:"|00 01|"; depth:2; content:!"|00|"; within:100; reference:bugtraq,5328; reference:cve,2002-0813; classtype:attempted-admin; sid:1941; rev:8;)
-alert udp any any -> any 69 (msg:"TFTP PUT filename overflow attempt"; content:"|00 02|"; depth:2; content:!"|00|"; within:100; reference:bugtraq,7819; reference:bugtraq,8505; reference:cve,2003-0380; classtype:attempted-admin; sid:2337; rev:7;)
-alert udp any any -> any 69 (msg:"TFTP GET Admin.dll"; content:"|00 01|"; depth:2; content:"admin.dll"; offset:2; nocase; reference:url,www.cert.org/advisories/CA-2001-26.html; classtype:successful-admin; sid:1289; rev:4;)
-alert udp any any -> any 69 (msg:"TFTP GET nc.exe"; content:"|00 01|"; depth:2; content:"nc.exe"; offset:2; nocase; classtype:successful-admin; sid:1441; rev:4;)
-alert udp any any -> any 69 (msg:"TFTP GET shadow"; content:"|00 01|"; depth:2; content:"shadow"; offset:2; nocase; classtype:successful-admin; sid:1442; rev:4;)
-alert udp any any -> any 69 (msg:"TFTP GET passwd"; content:"|00 01|"; depth:2; content:"passwd"; offset:2; nocase; classtype:successful-admin; sid:1443; rev:4;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP parent directory"; content:".."; offset:2; reference:arachnids,137; reference:cve,1999-0183; reference:cve,2002-1209; classtype:bad-unknown; sid:519; rev:6;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP root directory"; content:"|00 01|/"; depth:3; reference:arachnids,138; reference:cve,1999-0183; classtype:bad-unknown; sid:520; rev:5;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP Put"; content:"|00 02|"; depth:2; reference:arachnids,148; reference:cve,1999-0183; classtype:bad-unknown; sid:518; rev:6;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP Get"; content:"|00 01|"; depth:2; classtype:bad-unknown; sid:1444; rev:3;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP NULL command attempt"; content:"|00 00|"; depth:2; reference:bugtraq,7575; classtype:bad-unknown; sid:2339; rev:2;)
diff --git a/scripts/s2b/snort_rules2.2/threshold.conf b/scripts/s2b/snort_rules2.2/threshold.conf
deleted file mode 100644
index 8799b80d42..0000000000
--- a/scripts/s2b/snort_rules2.2/threshold.conf
+++ /dev/null
@@ -1,61 +0,0 @@
-# Configure Thresholding and Suppression
-# ======================================
-#
-# Thresholding:
-#
-# This feature is used to reduce the number of logged alerts for noisy rules.
-# This can be tuned to significantly reduce false alarms, and it can also be
-# used to write a newer breed of rules. Thresholding commands limit the number
-# of times a particular event is logged during a specified time interval.
-# There are 3 types of thresholding:
-#
-#        1) Limit
-#           Alert on the 1st M events during the time interval, then ignore
-#           events
-#           for the rest of the time interval.
-#        2) Threshold
-#           Alert every M times we see this event during the time interval.
-#        3) Both
-#           Alert once per time interval after seeing M occurrences of the
-#           event,
-#           then ignore any additional events during the time interval.
-#
-# Threshold commands are formatted as:
-# threshold gen_id gen-id, sig_id sig-id, type limit|threshold|both, track
-# by_src|by_dst, count n , seconds m
-#
-# Limit to logging 1 event per 60 seconds
-# threshold gen_id 1, sig_id 1851, type limit, track by_src, count 1, seconds
-# 60
-
-# Global Threshold - Limit to logging 1 event per 60 seconds per IP triggering
-# each rule (rules are gen_id 1).
-# threshold gen_id 1, sig_id 0, type limit, track by_src, count 1, seconds 60
-
-# Global Threshold - Limit to logging 1 event per 60 seconds per IP triggering
-# any alert for any event generator
-# threshold gen_id 0, sig_id 0, type limit, track by_src, count 1, seconds 60
-#
-# Thresholding does not need to be a stand-alone command, and can instead be
-# written directly into a rule. Please see README.thresholding for more
-# information on thresholding.
-#
-# Suppression:
-#
-# Suppression commands are standalone commands that reference generators and
-# sids and IP addresses via a CIDR block. This allows a rule to be completely
-# suppressed, or suppressed when the causitive traffic is going to or comming
-# from a specific IP or group of IP addresses.
-#
-#  Suppress this event completely
-#
-# suppress gen_id 1, sig_id 1852
-#
-#  Suppress this event from this IP
-#
-# suppress gen_id 1, sig_id 1852, track by_src, ip 10.1.1.54
-#
-#  Suppress this event to this CIDR block
-#
-# suppress gen_id 1, sig_id 1852, track by_dst, ip 10.1.1.0/24
-
diff --git a/scripts/s2b/snort_rules2.2/unicode.map b/scripts/s2b/snort_rules2.2/unicode.map
deleted file mode 100644
index 99eaba72c2..0000000000
--- a/scripts/s2b/snort_rules2.2/unicode.map
+++ /dev/null
@@ -1,104 +0,0 @@
-# Windows Version: 5.00.2195
-# OEM codepage: 437
-# ACP codepage: 1252
-
-# INSTALLED CODEPAGES
-10000 (MAC - Roman)
-
-
-10079 (MAC - Icelandic)
-
-
-1250  (ANSI - Central Europe)
-00a1:21 00a2:63 00a3:4c 00a5:59 00aa:61 00b2:32 00b3:33 00b9:31 00ba:6f 00bc:31 00bd:31 00be:33 00c0:41 00c3:41 00c5:41 00c6:41 00c8:45 00ca:45 00cc:49 00cf:49 00d1:4e 00d2:4f 00d5:4f 00d8:4f 00d9:55 00db:55 00e0:61 00e3:61 00e5:61 00e6:61 00e8:65 00ea:65 00ec:69 00ef:69 00f1:6e 00f2:6f 00f5:6f 00f8:6f 00f9:75 00fb:75 00ff:79 0100:41 0101:61 0108:43 0109:63 010a:43 010b:63 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 013b:4c 013c:6c 0145:4e 0146:6e 014c:4f 014d:6f 014e:4f 014f:6f 0152:4f 0153:6f 0156:52 0157:72 015c:53 015d:73 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0180:62 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2032:27 2035:60 203c:21 2044:2f 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2082:32 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2191:5e 2194:2d 2195:7c 21a8:7c 2212:2d 2215:2f 2216:5c 2217:2a 221f:4c 2223:7c 2236:3a 223c:7e 2303:5e 2329:3c 232a:3e 2502:2d 250c:2d 2514:4c 2518:2d 251c:2b 2524:2b 252c:54 2534:2b 253c:2b 2550:3d 2554:2d 255a:4c 255d:2d 2566:54 256c:2b 2580:2d 2584:2d 2588:2d 2591:2d 2592:2d 2593:2d 25ac:2d 25b2:5e 25ba:3e 25c4:3c 25cb:30 25d9:30 263c:30 2640:2b 2642:3e 266a:64 266b:64 2758:7c 3000:20 3008:3c 3009:3e 301a:5b 301b:5d ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 
-
-1251  (ANSI - Cyrillic)
-00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 203c:21 2190:3c 2191:5e 2192:3e 2193:76 2194:2d 221a:76 221f:4c 2500:2d 250c:2d 2514:4c 2518:2d 251c:2b 2524:2b 252c:54 2534:2b 253c:2b 2550:3d 2552:2d 2558:4c 2559:4c 255a:4c 255b:2d 255c:2d 255d:2d 2564:54 2565:54 2566:54 256a:2b 256b:2b 256c:2b 2580:2d 2584:2d 2588:2d 2591:2d 2592:2d 2593:2d 25ac:2d 25b2:5e 25ba:3e 25c4:3c 25cb:30 25d9:30 263a:4f 263b:4f 263c:30 2640:2b 2642:3e 266a:64 266b:64 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 
-
-1252  (ANSI - Latin I)
-0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0179:5a 017b:5a 017c:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c8:27 02cb:60 02cd:5f 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 037e:3b 0393:47 0398:54 03a3:53 03a6:46 03a9:4f 03b1:61 03b4:64 03b5:65 03c0:70 03c3:73 03c4:74 03c6:66 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2017:3d 2032:27 2035:60 2044:2f 2074:34 2075:35 2076:36 2077:37 2078:38 207f:6e 2080:30 2081:31 2082:32 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20a7:50 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2212:2d 2215:2f 2216:5c 2217:2a 221a:76 221e:38 2223:7c 2229:6e 2236:3a 223c:7e 2261:3d 2264:3d 2265:3d 2303:5e 2320:28 2321:29 2329:3c 232a:3e 2500:2d 250c:2b 2510:2b 2514:2b 2518:2b 251c:2b 252c:2d 2534:2d 253c:2b 2550:2d 2552:2b 2553:2b 2554:2b 2555:2b 2556:2b 2557:2b 2558:2b 2559:2b 255a:2b 255b:2b 255c:2b 255d:2b 2564:2d 2565:2d 2566:2d 2567:2d 2568:2d 2569:2d 256a:2b 256b:2b 256c:2b 2584:5f 2758:7c 3000:20 3008:3c 3009:3e 301a:5b 301b:5d ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 
-
-1253  (ANSI - Greek)
-00b4:2f 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 037e:3b 203c:21 2190:3c 2191:5e 2192:3e 2193:76 2194:2d 221f:4c 2500:2d 250c:2d 2514:4c 2518:2d 251c:2b 2524:2b 252c:54 2534:2b 253c:2b 2550:3d 2554:2d 255a:4c 255d:2d 2566:54 256c:2b 2580:2d 2584:2d 2588:2d 2591:2d 2592:2d 2593:2d 25ac:2d 25b2:5e 25ba:3e 25c4:3c 25cb:30 25d9:30 263a:4f 263b:4f 263c:30 2640:2b 2642:3e 266a:64 266b:64 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 
-
-1254  (ANSI - Turkish)
-00dd:59 00fd:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c7:5e 02c8:27 02cb:60 02cd:5f 02d8:5e 02d9:27 0300:60 0302:5e 0331:5f 0332:5f 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2032:27 2035:60 203c:21 2044:2f 2074:34 2075:35 2076:36 2077:37 2078:38 2081:30 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2191:5e 2193:76 2194:2d 2195:7c 21a8:7c 2212:2d 2215:2f 2216:5c 2217:2a 221f:4c 2223:7c 2236:3a 223c:7e 2303:5e 2329:3c 232a:3e 2502:2d 250c:2d 2514:4c 2518:2d 251c:2b 2524:2b 252c:54 2534:2b 253c:2b 2550:3d 2554:2d 255a:4c 255d:2d 2566:54 256c:2b 2580:2d 2584:2d 2588:2d 2591:2d 2592:2d 2593:2d 25ac:2d 25b2:5e 25ba:3e 25c4:3c 25cb:30 25d9:30 263a:4f 263b:4f 263c:30 2640:2b 2642:3e 266a:64 266b:64 2758:7c 3000:20 3008:3c 3009:3e 301a:5b 301b:3d 301d:22 301e:22 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 
-
-1255  (ANSI - Hebrew)
-0191:46 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 
-
-1256  (ANSI - Arabic)
-00c0:41 00c2:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00ce:49 00cf:49 00d4:4f 00d9:55 00db:55 00dc:55 0191:46 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 
-
-1257  (ANSI - Baltic)
-ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 
-
-1258  (ANSI/OEM - Viet Nam)
-ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 
-
-#INVALID CODEPAGE: 1361
-20127 (US-ASCII)
-00a0:20 00a1:21 00a2:63 00a4:24 00a5:59 00a6:7c 00a9:43 00aa:61 00ab:3c 00ad:2d 00ae:52 00b2:32 00b3:33 00b7:2e 00b8:2c 00b9:31 00ba:6f 00bb:3e 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c6:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e6:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 
-
-20261 (T.61)
-f8dd:5c f8de:5e f8df:60 f8e0:7b f8fc:7d f8fd:7e f8fe:7f 
-
-20866 (Russian - KOI8)
-00a7:15 00ab:3c 00ad:2d 00ae:52 00b1:2b 00b6:14 00bb:3e 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 2013:2d 2014:2d 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2026:3a 2030:25 2039:3c 203a:3e 203c:13 2122:54 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 221f:1c 2302:7f 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 
-
-28591 (ISO 8859-1 Latin I)
-0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 
-
-28592 (ISO 8859-2 Central Europe)
-00a1:21 00a2:63 00a5:59 00a6:7c 00a9:43 00aa:61 00ab:3c 00ae:52 00b2:32 00b3:33 00b7:2e 00b9:31 00ba:6f 00bb:3e 00c0:41 00c3:41 00c5:41 00c6:41 00c8:45 00ca:45 00cc:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d5:4f 00d8:4f 00d9:55 00db:55 00e0:61 00e3:61 00e5:61 00e6:61 00e8:65 00ea:65 00ec:69 00ef:69 00f1:6e 00f2:6f 00f5:6f 00f8:6f 00f9:75 00fb:75 00ff:79 0100:41 0101:61 0108:43 0109:63 010a:43 010b:63 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 013b:4c 013c:6c 0145:4e 0146:6e 014c:4f 014d:6f 014e:4f 014f:6f 0152:4f 0153:6f 0156:52 0157:72 015c:53 015d:73 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 
-
-#INVALID CODEPAGE: 28595
-#INVALID CODEPAGE: 28597
-28605 (ISO 8859-15 Latin 9)
-00a6:7c 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0138:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014a:4e 014b:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:54 0169:74 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0179:5a 017b:5a 017c:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 
-
-37    (IBM EBCDIC - U.S./Canada)
-0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:5a 0022:7f 0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005f:6d 0060:79 007c:4f 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a2:4a 00a6:6a 00ac:5f 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:67 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00df:59 00e0:44 00e1:45 00e2:42 00e3:46 00e4:43 00e5:47 00e7:48 00e8:54 00e9:51 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 00f8:70 ff01:5a ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3f:6d ff40:79 ff5c:4f 
-
-437   (OEM - United States)
-00a4:0f 00a7:15 00a8:22 00a9:63 00ad:2d 00ae:72 00af:5f 00b3:33 00b4:27 00b6:14 00b8:2c 00b9:31 00be:5f 00c0:41 00c1:41 00c2:41 00c3:41 00c8:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d7:78 00d8:4f 00d9:55 00da:55 00db:55 00dd:59 00de:5f 00e3:61 00f0:64 00f5:6f 00f8:6f 00fd:79 00fe:5f 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02ca:27 02cb:60 02cd:5f 02dc:7e 0300:60 0301:27 0302:5e 0303:7e 0308:22 030e:22 0327:2c 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2017:5f 2018:60 2019:27 201a:2c 201c:22 201d:22 201e:2c 2020:2b 2022:07 2026:2e 2030:25 2032:27 2035:60 2039:3c 203a:3e 203c:13 2044:2f 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2082:32 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20dd:09 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2122:54 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2212:2d 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 2758:7c 3000:20 3007:09 3008:3c 3009:3e 301a:5b 301b:5d ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 
-
-500   (IBM EBCDIC - International)
-0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:4f 0022:7f 0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005b:4a 005d:5a 005e:5f 005f:6d 0060:79 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a6:6a 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:67 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00df:59 00e0:44 00e1:45 00e2:42 00e3:46 00e4:43 00e5:47 00e7:48 00e8:54 00e9:51 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 00f8:70 ff01:4f ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3b:4a ff3d:5a ff3e:5f ff3f:6d ff40:79 
-
-850   (OEM - Multilingual Latin I)
-0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01a9:53 01ab:74 01ae:54 01af:55 01b0:75 01b6:5a 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:27 02cd:5f 02dc:7e 0300:27 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 037e:3b 0393:47 03a3:53 03a6:46 03a9:4f 03b1:61 03b4:64 03b5:65 03c0:70 03c3:73 03c4:74 03c6:66 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2024:07 2026:2e 2030:25 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:39 207f:6e 2080:30 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20a7:50 20dd:4f 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2122:54 2124:5a 2126:4f 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2211:53 2212:2d 2215:2f 2216:2f 2217:2a 2219:07 221a:56 221e:38 221f:1c 2229:6e 2236:3a 223c:7e 2248:7e 2261:3d 2264:3d 2265:3d 2302:7f 2303:5e 2320:28 2321:29 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 2713:56 3000:20 3007:4f 3008:3c 3009:3e 301a:5b 301b:5d ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 
-
-860   (OEM - Portuguese)
-00a4:0f 00a5:59 00a7:15 00a8:22 00a9:63 00ad:5f 00ae:72 00af:16 00b3:33 00b4:2f 00b6:14 00b8:2c 00b9:31 00be:33 00c4:41 00c5:41 00c6:41 00cb:45 00ce:49 00cf:49 00d0:44 00d6:4f 00d7:58 00d8:4f 00db:55 00dd:59 00de:54 00e4:61 00e5:61 00e6:61 00eb:65 00ee:69 00ef:69 00f0:64 00f6:6f 00f8:6f 00fb:75 00fd:79 00fe:74 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:5c 0161:7c 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 0278:66 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02c9:16 02ca:2f 02cb:60 02cd:5f 02dc:7e 0300:60 0301:2f 0302:5e 0303:7e 0304:16 0305:16 0308:22 030e:22 0327:2c 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:5f 2011:5f 2013:5f 2014:5f 2017:5f 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:07 2024:07 2026:2e 2030:25 2032:27 2035:60 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20dd:4f 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:70 2119:50 211a:51 211b:52 211c:52 211d:52 2122:74 2124:5a 2128:5a 212a:4b 212b:41 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2205:4f 2212:5f 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 22c5:07 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 3000:20 3007:4f 3008:3c 3009:3e 301a:5b 301b:5d 30fb:07 
-
-861   (OEM - Icelandic)
-00a2:63 00a4:0f 00a5:59 00a7:15 00a8:22 00a9:63 00aa:61 00ad:5f 00ae:72 00af:16 00b3:33 00b4:2f 00b6:14 00b8:2c 00b9:31 00ba:6f 00be:33 00c0:41 00c2:41 00c3:41 00c8:45 00ca:45 00cb:45 00cc:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d4:4f 00d5:4f 00d7:58 00d9:55 00db:55 00e3:61 00ec:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f5:6f 00f9:75 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 0278:66 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02c9:16 02ca:2f 02cb:60 02cd:5f 02dc:7e 0300:60 0301:2f 0302:5e 0303:7e 0304:16 0305:16 0308:22 030e:22 0327:2c 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2017:5f 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2024:07 2026:07 2030:25 2032:27 2035:27 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20dd:4f 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:70 2119:50 211a:51 211b:52 211c:52 211d:52 2122:74 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2205:4f 2212:5f 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 22c5:07 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 3000:20 3007:4f 3008:3c 3009:3e 301a:5b 301b:5d 30fb:07 
-
-863   (OEM - Canadian French)
-00a1:21 00a5:59 00a9:63 00aa:61 00ad:16 00ae:72 00b9:33 00ba:6f 00c1:41 00c3:41 00c4:41 00c5:41 00c6:41 00cc:49 00cd:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d5:4f 00d6:4f 00d7:58 00d8:4f 00da:55 00dd:59 00de:54 00e1:61 00e3:61 00e4:61 00e5:61 00e6:61 00ec:69 00ed:69 00f0:64 00f1:6e 00f2:6f 00f5:6f 00f6:6f 00f8:6f 00fd:79 00fe:74 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:22 02ba:27 02bc:27 02c4:5e 02c6:5e 02c8:27 02c9:16 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 0304:16 0305:16 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2024:07 2026:07 2030:25 2032:27 2035:27 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20a7:50 20dd:4f 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:70 2119:50 211a:51 211b:52 211c:52 211d:52 2122:74 2124:5a 2128:5a 212a:4b 212b:41 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2205:4f 2212:5f 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 22c5:07 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 3000:20 3007:4f 3008:3c 3009:3e 301a:5b 301b:5d 30fb:07 
-
-865   (OEM - Nordic)
-00a2:63 00a5:59 00a7:15 00a8:22 00a9:63 00ad:5f 00ae:72 00af:16 00b3:33 00b4:2f 00b6:14 00b8:2c 00b9:31 00bb:3e 00be:33 00c0:41 00c1:41 00c2:41 00c3:41 00c8:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d7:58 00d9:55 00da:55 00db:55 00dd:59 00de:54 00e3:61 00f0:64 00f5:6f 00fd:79 00fe:74 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02c9:16 02ca:2f 02cb:60 02cd:5f 02dc:7e 0300:60 0301:2f 0302:5e 0303:7e 0304:16 0305:16 0308:22 030e:22 0327:2c 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2017:5f 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2024:07 2026:07 2030:25 2032:27 2035:27 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20dd:4f 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:70 2119:50 211a:51 211b:52 211c:52 211d:52 2122:74 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2205:4f 2212:5f 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 226b:3c 22c5:07 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 3000:20 3007:4f 3008:3c 3009:3e 300b:3e 301a:5b 301b:5d 30fb:07 
-
-874   (ANSI/OEM - Thai)
-00a7:15 00b6:14 203c:13 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 221f:1c 2302:7f 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 
-
-932   (ANSI/OEM - Japanese Shift-JIS)
-00a1:21 00a5:5c 00a6:7c 00a9:63 00aa:61 00ad:2d 00ae:52 00b2:32 00b3:33 00b9:31 00ba:6f 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c6:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00de:54 00df:73 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e6:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f0:64 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00fe:74 00ff:79 
-
-936   (ANSI/OEM - Simplified Chinese GBK)
-00a6:7c 00aa:61 00ad:2d 00b2:32 00b3:33 00b9:31 00ba:6f 00d0:44 00dd:59 00de:54 00e2:61 00f0:65 00fd:79 00fe:74 
-
-949   (ANSI/OEM - Korean)
-00a6:7c 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 20a9:5c 
-
-950   (ANSI/OEM - Traditional Chinese Big5)
-00a1:21 00a6:7c 00a9:63 00aa:61 00ad:2d 00ae:52 00b2:32 00b3:33 00b9:31 00ba:6f 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c6:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00de:54 00df:73 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e6:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f0:65 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00fe:74 00ff:79 
-
-65000 (UTF-7)
-
-
-65001 (UTF-8)
-
-
diff --git a/scripts/s2b/snort_rules2.2/virus.rules b/scripts/s2b/snort_rules2.2/virus.rules
deleted file mode 100644
index 7ee1ad0a8f..0000000000
--- a/scripts/s2b/snort_rules2.2/virus.rules
+++ /dev/null
@@ -1,20 +0,0 @@
-# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
-#    All rights reserved.
-# $Id: virus.rules 91 2004-07-15 08:13:57Z rwinslow $
-#------------
-# VIRUS RULES
-#------------
-#
-# We don't care about virus rules anymore.  BUT, you people won't stop asking
-# us for virus rules.  So... here ya go.
-#
-# There is now one rule that looks for any of the following attachment types:
-#
-#   ade, adp, asd, asf, asx, bat, chm, cli, cmd, com, cpp, diz, dll, dot, emf,
-#   eml, exe, hlp, hsq, hta, ini, js, jse, lnk, mda, mdb, mde, mdw, msi, msp,
-#   nws, ocx, pif, pl, pm, pot, pps, ppt, reg, rtf, scr, shs, swf, sys, vb,
-#   vbe, vbs, vcf, vxd, wmd, wmf, wms, wmz, wpd, wpm, wps, wpz, wsc, wsf, wsh,
-#   xls, xlt, xlw
-#
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND bad file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; nocase; pcre:"/filename\s*=\s*.*?\.(?=[abcdehijlmnoprsvwx])(a(d[ep]|s[dfx])|c([ho]m|li|md|pp)|d(iz|ll|ot)|e(m[fl]|xe)|h(lp|sq|ta)|jse?|m(d[abew]|s[ip])|p(p[st]|if|[lm]|ot)|r(eg|tf)|s(cr|[hy]s|wf)|v(b[es]?|cf|xd)|w(m[dfsz]|p[dmsz]|s[cfh])|xl[stw]|bat|ini|lnk|nws|ocx)[\x27\x22\n\r\s]/iR"; classtype:suspicious-filename-detect; sid:721; rev:7;)
diff --git a/scripts/s2b/snort_rules2.2/web-attacks.rules b/scripts/s2b/snort_rules2.2/web-attacks.rules
deleted file mode 100644
index 538017a02a..0000000000
--- a/scripts/s2b/snort_rules2.2/web-attacks.rules
+++ /dev/null
@@ -1,60 +0,0 @@
-# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
-#    All rights reserved.
-# $Id: web-attacks.rules 91 2004-07-15 08:13:57Z rwinslow $
-# ----------------
-# WEB ATTACKS
-# ----------------
-# These signatures are generic signatures that will catch common commands
-# used to exploit form variable vulnerabilities.  These signatures should
-# not false very often.
-#
-# Please email example PCAP log dumps to snort-sigs@lists.sourceforge.net
-# if you find one of these signatures to be too false possitive.
-
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS ps command attempt"; flow:to_server,established; uricontent:"/bin/ps"; nocase; classtype:web-application-attack; sid:1328; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /bin/ps command attempt"; flow:to_server,established; uricontent:"ps%20"; nocase; classtype:web-application-attack; sid:1329; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS wget command attempt"; flow:to_server,established; content:"wget%20"; nocase; classtype:web-application-attack; sid:1330; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS uname -a command attempt"; flow:to_server,established; content:"uname%20-a"; nocase; classtype:web-application-attack; sid:1331; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /usr/bin/id command attempt"; flow:to_server,established; content:"/usr/bin/id"; nocase; classtype:web-application-attack; sid:1332; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS id command attempt"; flow:to_server,established; content:"|3B|id"; nocase; classtype:web-application-attack; sid:1333; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS echo command attempt"; flow:to_server,established; content:"/bin/echo"; nocase; classtype:web-application-attack; sid:1334; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS kill command attempt"; flow:to_server,established; content:"/bin/kill"; nocase; classtype:web-application-attack; sid:1335; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS chmod command attempt"; flow:to_server,established; content:"/bin/chmod"; nocase; classtype:web-application-attack; sid:1336; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS chgrp command attempt"; flow:to_server,established; content:"/chgrp"; nocase; classtype:web-application-attack; sid:1337; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS chown command attempt"; flow:to_server,established; content:"/chown"; nocase; classtype:web-application-attack; sid:1338; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS chsh command attempt"; flow:to_server,established; content:"/usr/bin/chsh"; nocase; classtype:web-application-attack; sid:1339; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS tftp command attempt"; flow:to_server,established; content:"tftp%20"; nocase; classtype:web-application-attack; sid:1340; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /usr/bin/gcc command attempt"; flow:to_server,established; content:"/usr/bin/gcc"; nocase; classtype:web-application-attack; sid:1341; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS gcc command attempt"; flow:to_server,established; content:"gcc%20-o"; nocase; classtype:web-application-attack; sid:1342; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /usr/bin/cc command attempt"; flow:to_server,established; content:"/usr/bin/cc"; nocase; classtype:web-application-attack; sid:1343; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS cc command attempt"; flow:to_server,established; content:"cc%20"; nocase; classtype:web-application-attack; sid:1344; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /usr/bin/cpp command attempt"; flow:to_server,established; content:"/usr/bin/cpp"; nocase; classtype:web-application-attack; sid:1345; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS cpp command attempt"; flow:to_server,established; content:"cpp%20"; nocase; classtype:web-application-attack; sid:1346; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /usr/bin/g++ command attempt"; flow:to_server,established; content:"/usr/bin/g++"; nocase; classtype:web-application-attack; sid:1347; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS g++ command attempt"; flow:to_server,established; content:"g++%20"; nocase; classtype:web-application-attack; sid:1348; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS bin/python access attempt"; flow:to_server,established; content:"bin/python"; nocase; classtype:web-application-attack; sid:1349; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS python access attempt"; flow:to_server,established; content:"python%20"; nocase; classtype:web-application-attack; sid:1350; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS bin/tclsh execution attempt"; flow:to_server,established; content:"bin/tclsh"; nocase; classtype:web-application-attack; sid:1351; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS tclsh execution attempt"; flow:to_server,established; content:"tclsh8%20"; nocase; classtype:web-application-attack; sid:1352; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS bin/nasm command attempt"; flow:to_server,established; content:"bin/nasm"; nocase; classtype:web-application-attack; sid:1353; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS nasm command attempt"; flow:to_server,established; content:"nasm%20"; nocase; classtype:web-application-attack; sid:1354; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /usr/bin/perl execution attempt"; flow:to_server,established; content:"/usr/bin/perl"; nocase; classtype:web-application-attack; sid:1355; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS perl execution attempt"; flow:to_server,established; content:"perl%20"; nocase; classtype:web-application-attack; sid:1356; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS nt admin addition attempt"; flow:to_server,established; content:"net localgroup administrators /add"; nocase; classtype:web-application-attack; sid:1357; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS traceroute command attempt"; flow:to_server,established; content:"traceroute%20"; nocase; classtype:web-application-attack; sid:1358; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS ping command attempt"; flow:to_server,established; content:"/bin/ping"; nocase; classtype:web-application-attack; sid:1359; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS netcat command attempt"; flow:to_server,established; content:"nc%20"; nocase; classtype:web-application-attack; sid:1360; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS nmap command attempt"; flow:to_server,established; content:"nmap%20"; nocase; classtype:web-application-attack; sid:1361; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS xterm command attempt"; flow:to_server,established; content:"/usr/X11R6/bin/xterm"; nocase; classtype:web-application-attack; sid:1362; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS X application to remote host attempt"; flow:to_server,established; content:"%20-display%20"; nocase; classtype:web-application-attack; sid:1363; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS lsof command attempt"; flow:to_server,established; content:"lsof%20"; nocase; classtype:web-application-attack; sid:1364; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS rm command attempt"; flow:to_server,established; content:"rm%20"; nocase; classtype:web-application-attack; sid:1365; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS mail command attempt"; flow:to_server,established; content:"/bin/mail"; nocase; classtype:web-application-attack; sid:1366; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS mail command attempt"; flow:to_server,established; content:"mail%20"; nocase; classtype:web-application-attack; sid:1367; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /bin/ls| command attempt"; flow:to_server,established; uricontent:"/bin/ls|7C|"; nocase; classtype:web-application-attack; sid:1368; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /bin/ls command attempt"; flow:to_server,established; uricontent:"/bin/ls"; nocase; classtype:web-application-attack; sid:1369; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /etc/inetd.conf access"; flow:to_server,established; content:"/etc/inetd.conf"; nocase; classtype:web-application-activity; sid:1370; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /etc/motd access"; flow:to_server,established; content:"/etc/motd"; nocase; classtype:web-application-activity; sid:1371; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /etc/shadow access"; flow:to_server,established; content:"/etc/shadow"; nocase; classtype:web-application-activity; sid:1372; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS conf/httpd.conf attempt"; flow:to_server,established; content:"conf/httpd.conf"; nocase; classtype:web-application-activity; sid:1373; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS .htgroup access"; flow:to_server,established; uricontent:".htgroup"; nocase; classtype:web-application-activity; sid:1374; rev:5;)
diff --git a/scripts/s2b/snort_rules2.2/web-cgi.rules b/scripts/s2b/snort_rules2.2/web-cgi.rules
deleted file mode 100644
index 2ce715d20c..0000000000
--- a/scripts/s2b/snort_rules2.2/web-cgi.rules
+++ /dev/null
@@ -1,372 +0,0 @@
-# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
-#    All rights reserved.
-# $Id: web-cgi.rules 91 2004-07-15 08:13:57Z rwinslow $
-#--------------
-# WEB-CGI RULES
-#--------------
-#
-
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI HyperSeek hsx.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/hsx.cgi"; content:"../../"; content:"%00"; distance:1; reference:bugtraq,2314; reference:cve,2001-0253; classtype:web-application-attack; sid:803; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI HyperSeek hsx.cgi access"; flow:to_server,established; uricontent:"/hsx.cgi"; reference:bugtraq,2314; reference:cve,2001-0253; classtype:web-application-activity; sid:1607; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI SWSoft ASPSeek Overflow attempt"; flow:to_server,established; uricontent:"/s.cgi"; nocase; content:"tmpl="; reference:bugtraq,2492; reference:cve,2001-0476; classtype:web-application-attack; sid:804; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webspeed access"; flow:to_server,established; uricontent:"/wsisa.dll/WService="; nocase; content:"WSMadmin"; nocase; reference:arachnids,467; reference:bugtraq,969; reference:cve,2000-0127; reference:nessus,10304; classtype:attempted-user; sid:805; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI yabb directory traversal attempt"; flow:to_server,established; uricontent:"/YaBB"; nocase; content:"../"; reference:arachnids,462; reference:bugtraq,1668; reference:cve,2000-0853; classtype:attempted-recon; sid:806; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI yabb access"; flow:to_server,established; uricontent:"/YaBB"; nocase; reference:arachnids,462; reference:bugtraq,1668; reference:cve,2000-0853; classtype:attempted-recon; sid:1637; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI /wwwboard/passwd.txt access"; flow:to_server,established; uricontent:"/wwwboard/passwd.txt"; nocase; reference:arachnids,463; reference:bugtraq,649; reference:cve,1999-0953; reference:cve,1999-0954; reference:nessus,10321; classtype:attempted-recon; sid:807; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webdriver access"; flow:to_server,established; uricontent:"/webdriver"; nocase; reference:arachnids,473; reference:bugtraq,2166; reference:nessus,10592; classtype:attempted-recon; sid:808; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI whois_raw.cgi arbitrary command execution attempt"; flow:to_server,established; uricontent:"/whois_raw.cgi?"; content:"|0A|"; reference:arachnids,466; reference:bugtraq,304; reference:cve,1999-1063; reference:nessus,10306; classtype:web-application-attack; sid:809; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI whois_raw.cgi access"; flow:to_server,established; uricontent:"/whois_raw.cgi"; reference:arachnids,466; reference:bugtraq,304; reference:cve,1999-1063; reference:nessus,10306; classtype:attempted-recon; sid:810; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI websitepro path access"; flow:to_server,established; content:" /HTTP/1."; nocase; reference:arachnids,468; reference:bugtraq,932; reference:cve,2000-0066; classtype:attempted-recon; sid:811; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webplus version access"; flow:to_server,established; uricontent:"/webplus?about"; nocase; reference:arachnids,470; reference:bugtraq,1102; reference:cve,2000-0282; classtype:attempted-recon; sid:812; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webplus directory traversal"; flow:to_server,established; uricontent:"/webplus?script"; nocase; content:"../"; reference:arachnids,471; reference:bugtraq,1102; reference:cve,2000-0282; classtype:web-application-attack; sid:813; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI websendmail access"; flow:to_server,established; uricontent:"/websendmail"; nocase; reference:arachnids,469; reference:bugtraq,2077; reference:cve,1999-0196; reference:nessus,10301; classtype:attempted-recon; sid:815; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI dcforum.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/dcforum.cgi"; content:"forum=../.."; reference:bugtraq,2611; reference:cve,2001-0436; reference:cve,2001-0437; classtype:web-application-attack; sid:1571; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI dcforum.cgi access"; flow:to_server,established; uricontent:"/dcforum.cgi"; reference:bugtraq,2728; reference:cve,2001-0527; reference:nessus,10583; classtype:attempted-recon; sid:818; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI dcboard.cgi invalid user addition attempt"; flow:to_server,established; uricontent:"/dcboard.cgi"; content:"command=register"; content:"%7cadmin"; reference:bugtraq,2728; reference:cve,2001-0527; reference:nessus,10583; classtype:web-application-attack; sid:817; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI dcboard.cgi access"; flow:to_server,established; uricontent:"/dcboard.cgi"; reference:bugtraq,2728; reference:cve,2001-0527; reference:nessus,10583; classtype:attempted-recon; sid:1410; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI mmstdod.cgi access"; flow:to_server,established; uricontent:"/mmstdod.cgi"; nocase; reference:cve,2001-0021; classtype:attempted-recon; sid:819; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI anaconda directory transversal attempt"; flow:to_server,established; uricontent:"/apexec.pl"; content:"template=../"; nocase; reference:bugtraq,2338; reference:bugtraq,2388; reference:cve,2000-0975; reference:cve,2001-0308; classtype:web-application-attack; sid:820; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI imagemap.exe overflow attempt"; flow:to_server,established; uricontent:"/imagemap.exe?"; nocase; reference:arachnids,412; reference:bugtraq,739; reference:cve,1999-0951; reference:nessus,10122; classtype:web-application-attack; sid:821; rev:12;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI imagemap.exe access"; flow:to_server,established; uricontent:"/imagemap.exe"; nocase; reference:arachnids,412; reference:bugtraq,739; reference:cve,1999-0951; reference:nessus,10122; classtype:web-application-activity; sid:1700; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cvsweb.cgi access"; flow:to_server,established; uricontent:"/cvsweb.cgi"; nocase; reference:bugtraq,1469; reference:cve,2000-0670; classtype:attempted-recon; sid:823; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI php.cgi access"; flow:to_server,established; uricontent:"/php.cgi"; nocase; reference:arachnids,232; reference:bugtraq,2250; reference:cve,1999-0238; classtype:attempted-recon; sid:824; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI glimpse access"; flow:to_server,established; uricontent:"/glimpse"; nocase; reference:bugtraq,2026; classtype:attempted-recon; sid:825; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI htmlscript attempt"; flow:to_server,established; uricontent:"/htmlscript?../.."; nocase; reference:bugtraq,2001; reference:cve,1999-0264; classtype:web-application-attack; sid:1608; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI htmlscript access"; flow:to_server,established; uricontent:"/htmlscript"; nocase; reference:bugtraq,2001; reference:cve,1999-0264; classtype:attempted-recon; sid:826; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI info2www access"; flow:to_server,established; uricontent:"/info2www"; nocase; reference:bugtraq,1995; reference:cve,1999-0266; classtype:attempted-recon; sid:827; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI maillist.pl access"; flow:to_server,established; uricontent:"/maillist.pl"; nocase; classtype:attempted-recon; sid:828; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI nph-test-cgi access"; flow:to_server,established; uricontent:"/nph-test-cgi"; nocase; reference:arachnids,224; reference:bugtraq,686; reference:cve,1999-0045; reference:nessus,10165; classtype:attempted-recon; sid:829; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI NPH-publish access"; flow:to_server,established; uricontent:"/nph-maillist.pl"; nocase; reference:bugtraq,2563; reference:cve,2001-0400; classtype:attempted-recon; sid:1451; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI NPH-publish access"; flow:to_server,established; uricontent:"/nph-publish"; nocase; reference:cve,1999-1177; classtype:attempted-recon; sid:830; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI rguest.exe access"; flow:to_server,established; uricontent:"/rguest.exe"; nocase; reference:bugtraq,2024; reference:cve,1999-0287; reference:cve,1999-0467; classtype:attempted-recon; sid:833; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI rwwwshell.pl access"; flow:to_server,established; uricontent:"/rwwwshell.pl"; nocase; reference:url,www.itsecurity.com/papers/p37.htm; classtype:attempted-recon; sid:834; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI test-cgi attempt"; flow:to_server,established; uricontent:"/test-cgi/*?*"; nocase; reference:arachnids,218; reference:bugtraq,2003; reference:cve,1999-0070; reference:nessus,10282; classtype:web-application-attack; sid:1644; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI test-cgi access"; flow:to_server,established; uricontent:"/test-cgi"; nocase; reference:arachnids,218; reference:bugtraq,2003; reference:cve,1999-0070; reference:nessus,10282; classtype:attempted-recon; sid:835; rev:9;)
-# testcgi is *one* of many scripts to look for.  this *ALSO* triggers on testcgi.exe.
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI testcgi access"; flow:to_server,established; uricontent:"/testcgi"; nocase; reference:bugtraq,7214; reference:nessus,11610; classtype:web-application-activity; sid:1645; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI test.cgi access"; flow:to_server,established; uricontent:"/test.cgi"; nocase; classtype:web-application-activity; sid:1646; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI textcounter.pl access"; flow:to_server,established; uricontent:"/textcounter.pl"; nocase; reference:cve,1999-1479; classtype:attempted-recon; sid:836; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI uploader.exe access"; flow:to_server,established; uricontent:"/uploader.exe"; nocase; reference:cve,1999-0177; reference:nessus,10291; classtype:attempted-recon; sid:837; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webgais access"; flow:to_server,established; uricontent:"/webgais"; nocase; reference:arachnids,472; reference:bugtraq,2058; reference:cve,1999-0176; reference:nessus,10300; classtype:attempted-recon; sid:838; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI finger access"; flow:to_server,established; uricontent:"/finger"; nocase; reference:arachnids,221; reference:cve,1999-0612; reference:nessus,10071; classtype:attempted-recon; sid:839; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI perlshop.cgi access"; flow:to_server,established; uricontent:"/perlshop.cgi"; nocase; reference:cve,1999-1374; classtype:attempted-recon; sid:840; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI pfdisplay.cgi access"; flow:to_server,established; uricontent:"/pfdisplay.cgi"; nocase; reference:bugtraq,64; reference:cve,1999-0270; classtype:attempted-recon; sid:841; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI aglimpse access"; flow:to_server,established; uricontent:"/aglimpse"; nocase; reference:bugtraq,2026; reference:cve,1999-0147; reference:nessus,10095; classtype:attempted-recon; sid:842; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI anform2 access"; flow:to_server,established; uricontent:"/AnForm2"; nocase; reference:arachnids,225; reference:cve,1999-0066; classtype:attempted-recon; sid:843; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI args.bat access"; flow:to_server,established; uricontent:"/args.bat"; nocase; reference:cve,1999-1374; classtype:attempted-recon; sid:844; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI args.cmd access"; flow:to_server,established; uricontent:"/args.cmd"; nocase; reference:cve,1999-1374; classtype:attempted-recon; sid:1452; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI AT-admin.cgi access"; flow:to_server,established; uricontent:"/AT-admin.cgi"; nocase; reference:cve,1999-1072; classtype:attempted-recon; sid:845; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI AT-generated.cgi access"; flow:to_server,established; uricontent:"/AT-generated.cgi"; nocase; reference:cve,1999-1072; classtype:attempted-recon; sid:1453; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bnbform.cgi access"; flow:to_server,established; uricontent:"/bnbform.cgi"; nocase; reference:bugtraq,2147; reference:cve,1999-0937; classtype:attempted-recon; sid:846; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI campas access"; flow:to_server,established; uricontent:"/campas"; nocase; reference:bugtraq,1975; reference:cve,1999-0146; classtype:attempted-recon; sid:847; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI view-source directory traversal"; flow:to_server,established; uricontent:"/view-source"; nocase; content:"../"; nocase; reference:bugtraq,2251; reference:bugtraq,8883; reference:cve,1999-0174; classtype:web-application-attack; sid:848; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI view-source access"; flow:to_server,established; uricontent:"/view-source"; nocase; reference:bugtraq,2251; reference:bugtraq,8883; reference:cve,1999-0174; classtype:attempted-recon; sid:849; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI wais.pl access"; flow:to_server,established; uricontent:"/wais.pl"; nocase; classtype:attempted-recon; sid:850; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI wwwwais access"; flow:to_server,established; uricontent:"/wwwwais"; nocase; reference:cve,2001-0223; reference:nessus,10597; classtype:attempted-recon; sid:1454; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI files.pl access"; flow:to_server,established; uricontent:"/files.pl"; nocase; reference:cve,1999-1081; classtype:attempted-recon; sid:851; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI wguest.exe access"; flow:to_server,established; uricontent:"/wguest.exe"; nocase; reference:bugtraq,2024; reference:cve,1999-0287; reference:cve,1999-0467; classtype:attempted-recon; sid:852; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI wrap access"; flow:to_server,established; uricontent:"/wrap"; reference:arachnids,234; reference:bugtraq,373; reference:cve,1999-0149; reference:nessus,10317; classtype:attempted-recon; sid:853; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI classifieds.cgi access"; flow:to_server,established; uricontent:"/classifieds.cgi"; nocase; reference:bugtraq,2020; reference:cve,1999-0934; classtype:attempted-recon; sid:854; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI environ.cgi access"; flow:to_server,established; uricontent:"/environ.cgi"; nocase; classtype:attempted-recon; sid:856; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI faxsurvey access"; flow:to_server,established; uricontent:"/faxsurvey"; nocase; reference:bugtraq,2056; reference:cve,1999-0262; reference:nessus,10067; classtype:web-application-activity; sid:857; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI filemail access"; flow:to_server,established; uricontent:"/filemail.pl"; nocase; reference:cve,1999-1154; classtype:attempted-recon; sid:858; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI man.sh access"; flow:to_server,established; uricontent:"/man.sh"; nocase; reference:cve,1999-1179; classtype:attempted-recon; sid:859; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI snork.bat access"; flow:to_server,established; uricontent:"/snork.bat"; nocase; reference:arachnids,220; reference:bugtraq,1053; reference:cve,2000-0169; classtype:attempted-recon; sid:860; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI w3-msql access"; flow:to_server,established; uricontent:"/w3-msql/"; nocase; reference:arachnids,210; reference:bugtraq,591; reference:bugtraq,898; reference:cve,1999-0276; reference:cve,1999-0753; reference:cve,2000-0012; reference:nessus,10296; classtype:attempted-recon; sid:861; rev:12;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI day5datacopier.cgi access"; flow:to_server,established; uricontent:"/day5datacopier.cgi"; nocase; reference:cve,1999-1232; classtype:attempted-recon; sid:863; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI day5datanotifier.cgi access"; flow:to_server,established; uricontent:"/day5datanotifier.cgi"; nocase; reference:cve,1999-1232; classtype:attempted-recon; sid:864; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI post-query access"; flow:to_server,established; uricontent:"/post-query"; nocase; reference:bugtraq,6752; reference:cve,2001-0291; classtype:attempted-recon; sid:866; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI visadmin.exe access"; flow:to_server,established; uricontent:"/visadmin.exe"; nocase; reference:bugtraq,1808; reference:cve,1999-0970; reference:cve,1999-1970; reference:nessus,10295; classtype:attempted-recon; sid:867; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI dumpenv.pl access"; flow:to_server,established; uricontent:"/dumpenv.pl"; nocase; reference:cve,1999-1178; reference:nessus,10060; classtype:attempted-recon; sid:869; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI calendar_admin.pl arbitrary command execution attempt"; flow:to_server,established; uricontent:"/calendar_admin.pl?config=|7C|"; reference:cve,2000-0432; classtype:web-application-attack; sid:1536; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI calendar_admin.pl access"; flow:to_server,established; uricontent:"/calendar_admin.pl"; reference:cve,2000-0432; classtype:web-application-activity; sid:1537; rev:6;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI calender_admin.pl access"; flow:to_server,established; uricontent:"/calender_admin.pl"; nocase; reference:cve,2000-0432; classtype:attempted-recon; sid:1456; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI calendar-admin.pl access"; flow:to_server,established; uricontent:"/calendar-admin.pl"; nocase; reference:bugtraq,1215; classtype:web-application-activity; sid:1701; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI calender.pl access"; flow:to_server,established; uricontent:"/calender.pl"; nocase; reference:cve,2000-0432; classtype:attempted-recon; sid:1455; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI calendar access"; flow:to_server,established; uricontent:"/calendar"; nocase; classtype:attempted-recon; sid:882; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI user_update_admin.pl access"; flow:to_server,established; uricontent:"/user_update_admin.pl"; nocase; reference:bugtraq,1486; reference:cve,2000-0627; classtype:attempted-recon; sid:1457; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI user_update_passwd.pl access"; flow:to_server,established; uricontent:"/user_update_passwd.pl"; nocase; reference:bugtraq,1486; reference:cve,2000-0627; classtype:attempted-recon; sid:1458; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI snorkerz.cmd access"; flow:to_server,established; uricontent:"/snorkerz.cmd"; nocase; classtype:attempted-recon; sid:870; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI survey.cgi access"; flow:to_server,established; uricontent:"/survey.cgi"; nocase; reference:bugtraq,1817; reference:cve,1999-0936; classtype:attempted-recon; sid:871; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI scriptalias access"; flow:to_server,established; uricontent:"///"; reference:arachnids,227; reference:bugtraq,2300; reference:cve,1999-0236; classtype:attempted-recon; sid:873; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI win-c-sample.exe access"; flow:to_server,established; uricontent:"/win-c-sample.exe"; nocase; reference:arachnids,231; reference:bugtraq,2078; reference:cve,1999-0178; reference:nessus,10008; classtype:attempted-recon; sid:875; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI w3tvars.pm access"; flow:to_server,established; uricontent:"/w3tvars.pm"; nocase; classtype:attempted-recon; sid:878; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI admin.pl access"; flow:to_server,established; uricontent:"/admin.pl"; nocase; reference:bugtraq,3839; reference:url,online.securityfocus.com/archive/1/249355; classtype:attempted-recon; sid:879; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI LWGate access"; flow:to_server,established; uricontent:"/LWGate"; nocase; reference:url,www.netspace.org/~dwb/lwgate/lwgate-history.html; reference:url,www.wiretrip.net/rfp/p/doc.asp/i2/d6.htm; classtype:attempted-recon; sid:880; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI archie access"; flow:to_server,established; uricontent:"/archie"; nocase; classtype:attempted-recon; sid:881; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI flexform access"; flow:to_server,established; uricontent:"/flexform"; nocase; reference:url,www.wiretrip.net/rfp/p/doc.asp/i2/d6.htm; classtype:attempted-recon; sid:883; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI formmail arbitrary command execution attempt"; flow:to_server,established; uricontent:"/formmail"; nocase; content:"%0a"; nocase; reference:arachnids,226; reference:bugtraq,1187; reference:bugtraq,2079; reference:cve,1999-0172; reference:cve,2000-0411; reference:nessus,10076; reference:nessus,10782; classtype:web-application-attack; sid:1610; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI formmail access"; flow:to_server,established; uricontent:"/formmail"; nocase; reference:arachnids,226; reference:bugtraq,1187; reference:bugtraq,2079; reference:cve,1999-0172; reference:cve,2000-0411; reference:nessus,10076; reference:nessus,10782; classtype:web-application-activity; sid:884; rev:14;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI phf arbitrary command execution attempt"; flow:to_server,established; uricontent:"/phf"; nocase; content:"QALIAS"; nocase; content:"%0a/"; reference:arachnids,128; reference:bugtraq,629; reference:cve,1999-0067; classtype:web-application-attack; sid:1762; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI phf access"; flow:to_server,established; uricontent:"/phf"; nocase; reference:arachnids,128; reference:bugtraq,629; reference:cve,1999-0067; classtype:web-application-activity; sid:886; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI www-sql access"; flow:to_server,established; uricontent:"/www-sql"; nocase; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=88704258804054&w=2; classtype:attempted-recon; sid:887; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI wwwadmin.pl access"; flow:to_server,established; uricontent:"/wwwadmin.pl"; nocase; classtype:attempted-recon; sid:888; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ppdscgi.exe access"; flow:to_server,established; uricontent:"/ppdscgi.exe"; nocase; reference:bugtraq,491; reference:url,online.securityfocus.com/archive/1/16878; classtype:attempted-recon; sid:889; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI sendform.cgi access"; flow:to_server,established; uricontent:"/sendform.cgi"; nocase; reference:bugtraq,5286; reference:cve,2002-0710; reference:url,www.scn.org/help/sendform.txt; classtype:attempted-recon; sid:890; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI upload.pl access"; flow:to_server,established; uricontent:"/upload.pl"; nocase; classtype:attempted-recon; sid:891; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI AnyForm2 access"; flow:to_server,established; uricontent:"/AnyForm2"; nocase; reference:bugtraq,719; reference:cve,1999-0066; classtype:attempted-recon; sid:892; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI MachineInfo access"; flow:to_server,established; uricontent:"/MachineInfo"; nocase; reference:cve,1999-1067; classtype:attempted-recon; sid:893; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bb-hist.sh attempt"; flow:to_server,established; uricontent:"/bb-hist.sh?HISTFILE=../.."; nocase; reference:bugtraq,142; reference:cve,1999-1462; reference:nessus,10025; classtype:web-application-attack; sid:1531; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bb-hist.sh access"; flow:to_server,established; uricontent:"/bb-hist.sh"; nocase; reference:bugtraq,142; reference:cve,1999-1462; reference:nessus,10025; classtype:attempted-recon; sid:894; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bb-histlog.sh access"; flow:to_server,established; uricontent:"/bb-histlog.sh"; nocase; reference:bugtraq,142; reference:cve,1999-1462; classtype:attempted-recon; sid:1459; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bb-histsvc.sh access"; flow:to_server,established; uricontent:"/bb-histsvc.sh"; nocase; reference:bugtraq,142; reference:cve,1999-1462; classtype:attempted-recon; sid:1460; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bb-hostscv.sh attempt"; flow:to_server,established; uricontent:"/bb-hostsvc.sh?HOSTSVC?../.."; nocase; reference:bugtraq,1455; reference:cve,2000-0638; reference:nessus,10460; classtype:web-application-attack; sid:1532; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bb-hostscv.sh access"; flow:to_server,established; uricontent:"/bb-hostsvc.sh"; nocase; reference:bugtraq,1455; reference:cve,2000-0638; reference:nessus,10460; classtype:web-application-activity; sid:1533; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bb-rep.sh access"; flow:to_server,established; uricontent:"/bb-rep.sh"; nocase; reference:bugtraq,142; reference:cve,1999-1462; classtype:attempted-recon; sid:1461; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bb-replog.sh access"; flow:to_server,established; uricontent:"/bb-replog.sh"; nocase; reference:bugtraq,142; reference:cve,1999-1462; classtype:attempted-recon; sid:1462; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI redirect access"; flow:to_server,established; uricontent:"/redirect"; nocase; reference:bugtraq,1179; reference:cve,2000-0382; classtype:attempted-recon; sid:895; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI wayboard attempt"; flow:to_server,established; uricontent:"/way-board/way-board.cgi"; content:"db="; content:"../.."; nocase; reference:bugtraq,2370; reference:cve,2001-0214; classtype:web-application-attack; sid:1397; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI way-board access"; flow:to_server,established; uricontent:"/way-board"; nocase; reference:bugtraq,2370; reference:cve,2001-0214; reference:nessus,10610; classtype:web-application-activity; sid:896; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI pals-cgi arbitrary file access attempt"; flow:to_server,established; uricontent:"/pals-cgi"; nocase; content:"documentName="; reference:bugtraq,2372; reference:cve,2001-0217; reference:nessus,10611; classtype:web-application-attack; sid:1222; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI pals-cgi access"; flow:to_server,established; uricontent:"/pals-cgi"; nocase; reference:bugtraq,2372; reference:cve,2001-0216; reference:cve,2001-0217; reference:nessus,10611; classtype:attempted-recon; sid:897; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI commerce.cgi arbitrary file access attempt"; flow:to_server,established; uricontent:"/commerce.cgi"; content:"page="; content:"/../"; nocase; reference:bugtraq,2361; reference:cve,2001-0210; reference:nessus,10612; classtype:attempted-recon; sid:1572; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI commerce.cgi access"; flow:to_server,established; uricontent:"/commerce.cgi"; nocase; reference:bugtraq,2361; reference:cve,2001-0210; reference:nessus,10612; classtype:attempted-recon; sid:898; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Amaya templates sendtemp.pl directory traversal attempt"; flow:to_server,established; uricontent:"/sendtemp.pl"; nocase; content:"templ="; nocase; reference:bugtraq,2504; reference:cve,2001-0272; classtype:web-application-attack; sid:899; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Amaya templates sendtemp.pl access"; flow:to_server,established; uricontent:"/sendtemp.pl"; nocase; reference:bugtraq,2504; reference:cve,2001-0272; classtype:web-application-activity; sid:1702; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webspirs.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/webspirs.cgi"; nocase; content:"../../"; nocase; reference:bugtraq,2362; reference:cve,2001-0211; reference:nessus,10616; classtype:web-application-attack; sid:900; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webspirs.cgi access"; flow:to_server,established; uricontent:"/webspirs.cgi"; nocase; reference:bugtraq,2362; reference:cve,2001-0211; reference:nessus,10616; classtype:attempted-recon; sid:901; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI tstisapi.dll access"; flow:to_server,established; uricontent:"tstisapi.dll"; nocase; reference:cve,2001-0302; classtype:attempted-recon; sid:902; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI sendmessage.cgi access"; flow:to_server,established; uricontent:"/sendmessage.cgi"; nocase; classtype:attempted-recon; sid:1308; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI lastlines.cgi access"; flow:to_server,established; uricontent:"/lastlines.cgi"; nocase; reference:bugtraq,3754; reference:bugtraq,3755; reference:cve,2001-1205; reference:cve,2001-1206; classtype:attempted-recon; sid:1392; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI zml.cgi attempt"; flow:to_server,established; uricontent:"/zml.cgi"; content:"file=../"; reference:bugtraq,3759; reference:cve,2001-1209; classtype:web-application-activity; sid:1395; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI zml.cgi access"; flow:to_server,established; uricontent:"/zml.cgi"; reference:bugtraq,3759; reference:cve,2001-1209; classtype:web-application-activity; sid:1396; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI AHG search.cgi access"; flow:to_server,established; uricontent:"/publisher/search.cgi"; nocase; content:"template="; nocase; reference:bugtraq,3985; classtype:web-application-activity; sid:1405; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI agora.cgi attempt"; flow:to_server,established; uricontent:"/store/agora.cgi?cart_id=<SCRIPT>"; nocase; reference:bugtraq,3702; reference:bugtraq,3976; reference:cve,2001-1199; reference:cve,2002-0215; reference:nessus,10836; classtype:web-application-attack; sid:1534; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI agora.cgi access"; flow:to_server,established; uricontent:"/store/agora.cgi"; nocase; reference:bugtraq,3702; reference:bugtraq,3976; reference:cve,2001-1199; reference:cve,2002-0215; reference:nessus,10836; classtype:web-application-activity; sid:1406; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI rksh access"; flow:to_server,established; uricontent:"/rksh"; nocase; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:877; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bash access"; flow:to_server,established; uricontent:"/bash"; nocase; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:web-application-activity; sid:885; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI perl.exe command attempt"; flow:to_server,established; uricontent:"/perl.exe?"; nocase; reference:arachnids,219; reference:cve,1999-0509; reference:nessus,10173; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:1648; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI perl.exe access"; flow:to_server,established; uricontent:"/perl.exe"; nocase; reference:arachnids,219; reference:cve,1999-0509; reference:nessus,10173; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:832; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI perl command attempt"; flow:to_server,established; uricontent:"/perl?"; nocase; reference:arachnids,219; reference:cve,1999-0509; reference:nessus,10173; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:1649; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI zsh access"; flow:to_server,established; uricontent:"/zsh"; nocase; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:1309; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI csh access"; flow:to_server,established; uricontent:"/csh"; nocase; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:862; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI tcsh access"; flow:to_server,established; uricontent:"/tcsh"; nocase; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:872; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI rsh access"; flow:to_server,established; uricontent:"/rsh"; nocase; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:868; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ksh access"; flow:to_server,established; uricontent:"/ksh"; nocase; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:865; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI auktion.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/auktion.cgi"; nocase; content:"menue=../../"; nocase; reference:bugtraq,2367; reference:cve,2001-0212; reference:nessus,10638; classtype:web-application-attack; sid:1703; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI auktion.cgi access"; flow:to_server,established; uricontent:"/auktion.cgi"; nocase; reference:bugtraq,2367; reference:cve,2001-0212; reference:nessus,10638; classtype:web-application-activity; sid:1465; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cgiforum.pl attempt"; flow:to_server,established; uricontent:"/cgiforum.pl?thesection=../.."; nocase; reference:bugtraq,1963; reference:cve,2000-1171; reference:nessus,10552; classtype:web-application-attack; sid:1573; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cgiforum.pl access"; flow:to_server,established; uricontent:"/cgiforum.pl"; nocase; reference:bugtraq,1963; reference:cve,2000-1171; reference:nessus,10552; classtype:web-application-activity; sid:1466; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI directorypro.cgi attempt"; flow:to_server,established; uricontent:"/directorypro.cgi"; content:"show="; content:"../.."; distance:1; nocase; reference:bugtraq,2793; reference:cve,2001-0780; classtype:web-application-attack; sid:1574; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI directorypro.cgi access"; flow:to_server,established; uricontent:"/directorypro.cgi"; nocase; reference:bugtraq,2793; reference:cve,2001-0780; classtype:web-application-activity; sid:1467; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Web Shopper shopper.cgi attempt"; flow:to_server,established; uricontent:"/shopper.cgi"; nocase; content:"newpage=../"; nocase; reference:bugtraq,1776; reference:cve,2000-0922; classtype:web-application-attack; sid:1468; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Web Shopper shopper.cgi access"; flow:to_server,established; uricontent:"/shopper.cgi"; nocase; reference:bugtraq,1776; reference:cve,2000-0922; classtype:attempted-recon; sid:1469; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI listrec.pl access"; flow:to_server,established; uricontent:"/listrec.pl"; nocase; reference:cve,2001-0997; classtype:attempted-recon; sid:1470; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI mailnews.cgi access"; flow:to_server,established; uricontent:"/mailnews.cgi"; nocase; reference:cve,2001-0271; classtype:attempted-recon; sid:1471; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI book.cgi arbitrary command execution attempt"; flow:to_server,established; uricontent:"/book.cgi"; nocase; content:"current=|7C|"; nocase; reference:bugtraq,3178; reference:cve,2001-1114; reference:nessus,10721; classtype:web-application-attack; sid:1879; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI book.cgi access"; flow:to_server,established; uricontent:"/book.cgi"; nocase; reference:bugtraq,3178; reference:cve,2001-1114; reference:nessus,10721; classtype:web-application-activity; sid:1472; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI newsdesk.cgi access"; flow:to_server,established; uricontent:"/newsdesk.cgi"; nocase; reference:cve,2001-0232; classtype:attempted-recon; sid:1473; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cal_make.pl directory traversal attempt"; flow:to_server,established; uricontent:"/cal_make.pl"; nocase; content:"p0=../../"; nocase; reference:bugtraq,2663; reference:cve,2001-0463; classtype:web-application-attack; sid:1704; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cal_make.pl access"; flow:to_server,established; uricontent:"/cal_make.pl"; nocase; reference:bugtraq,2663; reference:cve,2001-0463; classtype:web-application-activity; sid:1474; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI mailit.pl access"; flow:to_server,established; uricontent:"/mailit.pl"; nocase; classtype:attempted-recon; sid:1475; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI sdbsearch.cgi access"; flow:to_server,established; uricontent:"/sdbsearch.cgi"; nocase; reference:cve,2001-1130; classtype:attempted-recon; sid:1476; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI swc access"; flow:to_server,established; uricontent:"/swc"; nocase; classtype:attempted-recon; sid:1478; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ttawebtop.cgi arbitrary file attempt"; flow:to_server,established; uricontent:"/ttawebtop.cgi"; nocase; content:"pg=../"; nocase; reference:bugtraq,2890; reference:cve,2001-0805; reference:nessus,10696; classtype:web-application-attack; sid:1479; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ttawebtop.cgi access"; flow:to_server,established; uricontent:"/ttawebtop.cgi"; nocase; reference:bugtraq,2890; reference:cve,2001-0805; reference:nessus,10696; classtype:attempted-recon; sid:1480; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI upload.cgi access"; flow:to_server,established; uricontent:"/upload.cgi"; nocase; reference:nessus,10290; classtype:attempted-recon; sid:1481; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI view_source access"; flow:to_server,established; uricontent:"/view_source"; nocase; reference:nessus,10294; classtype:attempted-recon; sid:1482; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ustorekeeper.pl directory traversal attempt"; flow:to_server,established; uricontent:"/ustorekeeper.pl"; nocase; content:"file=../../"; nocase; reference:cve,2001-0466; reference:nessus,10645; classtype:web-application-attack; sid:1730; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ustorekeeper.pl access"; flow:to_server,established; uricontent:"/ustorekeeper.pl"; nocase; reference:cve,2001-0466; reference:nessus,10646; classtype:web-application-activity; sid:1483; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI icat access"; flow:to_server,established; uricontent:"/icat"; reference:cve,1999-1069; classtype:web-application-activity; sid:1606; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Bugzilla doeditvotes.cgi access"; flow:to_server,established; uricontent:"/doeditvotes.cgi"; reference:bugtraq,3800; reference:cve,2002-0011; classtype:web-application-activity; sid:1617; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI htsearch arbitrary configuration file attempt"; flow:to_server,established; uricontent:"/htsearch?-c"; nocase; reference:cve,2000-0208; classtype:web-application-attack; sid:1600; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI htsearch arbitrary file read attempt"; flow:to_server,established; uricontent:"/htsearch?exclude=`"; nocase; reference:bugtraq,1026; reference:cve,2000-0208; classtype:web-application-attack; sid:1601; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI htsearch access"; flow:to_server,established; uricontent:"/htsearch"; nocase; reference:cve,2000-0208; classtype:web-application-activity; sid:1602; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI a1stats a1disp3.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/a1disp3.cgi?/../../"; reference:bugtraq,2705; reference:cve,2001-0561; reference:nessus,10669; classtype:web-application-attack; sid:1501; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI a1stats a1disp3.cgi access"; flow:to_server,established; uricontent:"/a1disp3.cgi"; reference:bugtraq,2705; reference:cve,2001-0561; reference:nessus,10669; classtype:web-application-activity; sid:1502; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI a1stats access"; flow:to_server,established; uricontent:"/a1stats/"; reference:bugtraq,2705; reference:cve,2001-0561; reference:nessus,10669; classtype:web-application-activity; sid:1731; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI admentor admin.asp access"; flow:to_server,established; uricontent:"/admentor/admin/admin.asp"; reference:bugtraq,4152; reference:cve,2002-0308; reference:nessus,10880; reference:url,www.securiteam.com/windowsntfocus/5DP0N1F6AW.html; classtype:web-application-activity; sid:1503; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI alchemy http server PRN arbitrary command execution attempt"; flow:to_server,established; uricontent:"/PRN/../../"; reference:bugtraq,3599; reference:cve,2001-0871; classtype:web-application-activity; sid:1505; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI alchemy http server NUL arbitrary command execution attempt"; flow:to_server,established; uricontent:"/NUL/../../"; reference:bugtraq,3599; reference:cve,2001-0871; classtype:web-application-activity; sid:1506; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI alibaba.pl arbitrary command execution attempt"; flow:to_server,established; uricontent:"/alibaba.pl|7C|"; reference:cve,1999-0885; reference:nessus,10013; classtype:web-application-attack; sid:1507; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI alibaba.pl access"; flow:to_server,established; uricontent:"/alibaba.pl"; reference:cve ,CAN-1999-0885; classtype:web-application-activity; sid:1508; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI AltaVista Intranet Search directory traversal attempt"; flow:to_server,established; uricontent:"/query?mss=.."; reference:bugtraq,896; reference:cve,2000-0039; reference:nessus,10015; classtype:web-application-attack; sid:1509; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI test.bat arbitrary command execution attempt"; flow:to_server,established; uricontent:"/test.bat|7C|"; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-attack; sid:1510; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI test.bat access"; flow:to_server,established; uricontent:"/test.bat"; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-activity; sid:1511; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI input.bat arbitrary command execution attempt"; flow:to_server,established; uricontent:"/input.bat|7C|"; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-attack; sid:1512; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI input.bat access"; flow:to_server,established; uricontent:"/input.bat"; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-activity; sid:1513; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI input2.bat arbitrary command execution attempt"; flow:to_server,established; uricontent:"/input2.bat|7C|"; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-attack; sid:1514; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI input2.bat access"; flow:to_server,established; uricontent:"/input2.bat"; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-activity; sid:1515; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI envout.bat arbitrary command execution attempt"; flow:to_server,established; uricontent:"/envout.bat|7C|"; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-attack; sid:1516; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI envout.bat access"; flow:to_server,established; uricontent:"/envout.bat"; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-activity; sid:1517; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI echo.bat arbitrary command execution attempt"; flow:to_server,established; uricontent:"/echo.bat"; content:"&"; reference:bugtraq,1002; reference:cve,2000-0213; reference:nessus,10246; classtype:web-application-attack; sid:1705; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI echo.bat access"; flow:to_server,established; uricontent:"/echo.bat"; reference:bugtraq,1002; reference:cve,2000-0213; reference:nessus,10246; classtype:web-application-activity; sid:1706; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI hello.bat arbitrary command execution attempt"; flow:to_server,established; uricontent:"/hello.bat"; content:"&"; reference:bugtraq,1002; reference:cve,2000-0213; reference:nessus,10246; classtype:web-application-attack; sid:1707; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI hello.bat access"; flow:to_server,established; uricontent:"/hello.bat"; reference:bugtraq,1002; reference:cve,2000-0213; reference:nessus,10246; classtype:web-application-activity; sid:1708; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI tst.bat access"; flow:to_server,established; uricontent:"/tst.bat"; reference:bugtraq,770; reference:cve,1999-0885; reference:nessus,10013; classtype:web-application-activity; sid:1650; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI /cgi-bin/ls access"; flow:to_server,established; uricontent:"/cgi-bin/ls"; nocase; reference:bugtraq,936; reference:cve,2000-0079; classtype:web-application-activity; sid:1539; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cgimail access"; flow:to_server,established; uricontent:"/cgimail"; nocase; reference:cve,2000-0726; classtype:web-application-activity; sid:1542; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cgiwrap access"; flow:to_server,established; uricontent:"/cgiwrap"; nocase; reference:bugtraq,1238; reference:bugtraq,3084; reference:bugtraq,777; reference:cve,1999-1530; reference:cve,2000-0431; reference:cve,2001-0987; reference:nessus,10041; classtype:web-application-activity; sid:1543; rev:12;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI csSearch.cgi arbitrary command execution attempt"; flow:to_server,established; uricontent:"/csSearch.cgi"; content:"setup="; content:"`"; content:"`"; distance:1; reference:bugtraq,4368; reference:cve,2002-0495; reference:nessus,10924; classtype:web-application-attack; sid:1547; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI csSearch.cgi access"; flow:to_server,established; uricontent:"/csSearch.cgi"; reference:bugtraq,4368; reference:cve,2002-0495; reference:nessus,10924; classtype:web-application-activity; sid:1548; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI /cart/cart.cgi access"; flow:to_server,established; uricontent:"/cart/cart.cgi"; reference:bugtraq,1115; reference:cve,2000-0252; classtype:web-application-activity; sid:1553; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI dbman db.cgi access"; flow:to_server,established; uricontent:"/dbman/db.cgi"; reference:bugtraq,1178; reference:cve,2000-0381; reference:nessus,10403; classtype:web-application-activity; sid:1554; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI DCShop access"; flow:to_server,established; uricontent:"/dcshop"; nocase; reference:bugtraq,2889; reference:cve,2001-0821; classtype:web-application-activity; sid:1555; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI DCShop orders.txt access"; flow:to_server,established; uricontent:"/orders/orders.txt"; nocase; reference:bugtraq,2889; reference:cve,2001-0821; classtype:web-application-activity; sid:1556; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI DCShop auth_user_file.txt access"; flow:to_server,established; uricontent:"/auth_data/auth_user_file.txt"; nocase; reference:bugtraq,2889; reference:cve,2001-0821; classtype:web-application-activity; sid:1557; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI eshop.pl arbitrary commane execution attempt"; flow:to_server,established; uricontent:"/eshop.pl?seite=|3B|"; nocase; reference:bugtraq,3340; reference:cve,2001-1014; classtype:web-application-attack; sid:1565; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI eshop.pl access"; flow:to_server,established; uricontent:"/eshop.pl"; nocase; reference:bugtraq,3340; reference:cve,2001-1014; classtype:web-application-activity; sid:1566; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI loadpage.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/loadpage.cgi"; content:"file=../"; nocase; classtype:web-application-attack; sid:1569; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI loadpage.cgi access"; flow:to_server,established; uricontent:"/loadpage.cgi"; nocase; classtype:web-application-activity; sid:1570; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI faqmanager.cgi arbitrary file access attempt"; flow:to_server,established; uricontent:"/faqmanager.cgi?toc="; uricontent:"|00|"; nocase; reference:bugtraq,3810; reference:nessus,10837; classtype:web-application-attack; sid:1590; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI faqmanager.cgi access"; flow:to_server,established; uricontent:"/faqmanager.cgi"; nocase; reference:bugtraq,3810; reference:nessus,10837; classtype:web-application-activity; sid:1591; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI /fcgi-bin/echo.exe access"; flow:to_server,established; uricontent:"/fcgi-bin/echo.exe"; nocase; reference:nessus,10838; classtype:web-application-activity; sid:1592; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI FormHandler.cgi directory traversal attempt attempt"; flow:to_server,established; uricontent:"/FormHandler.cgi"; nocase; content:"reply_message_attach="; nocase; content:"/../"; reference:bugtraq,798; reference:bugtraq,799; reference:cve,1999-1050; reference:nessus,10075; classtype:web-application-attack; sid:1628; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI FormHandler.cgi external site redirection attempt"; flow:to_server,established; uricontent:"/FormHandler.cgi"; nocase; content:"redirect=http"; reference:bugtraq,798; reference:bugtraq,799; reference:cve,1999-1050; reference:nessus,10075; classtype:web-application-attack; sid:1593; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI FormHandler.cgi access"; flow:to_server,established; uricontent:"/FormHandler.cgi"; nocase; reference:bugtraq,798; reference:bugtraq,799; reference:cve,1999-1050; reference:nessus,10075; classtype:web-application-activity; sid:1594; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI guestbook.cgi access"; flow:to_server,established; uricontent:"/guestbook.cgi"; nocase; reference:cve,1999-0237; reference:nessus,10098; classtype:web-application-activity; sid:1597; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Home Free search.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/search.cgi"; content:"letter=../.."; nocase; reference:bugtraq,921; reference:cve,2000-0054; classtype:web-application-attack; sid:1598; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI search.cgi access"; flow:to_server,established; uricontent:"/search.cgi"; nocase; reference:bugtraq,921; reference:cve,2000-0054; classtype:web-application-activity; sid:1599; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI enivorn.pl access"; flow:to_server,established; uricontent:"/enivron.pl"; nocase; classtype:web-application-activity; sid:1651; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI campus attempt"; flow:to_server,established; uricontent:"/campus?|0A|"; nocase; reference:bugtraq,1975; classtype:web-application-attack; sid:1652; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI campus access"; flow:to_server,established; uricontent:"/campus"; nocase; reference:bugtraq,1975; classtype:web-application-activity; sid:1653; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cart32.exe access"; flow:to_server,established; uricontent:"/cart32.exe"; nocase; classtype:web-application-activity; sid:1654; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI pfdispaly.cgi arbitrary command execution attempt"; flow:to_server,established; uricontent:"/pfdispaly.cgi?'"; nocase; classtype:web-application-attack; sid:1655; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI pfdispaly.cgi access"; flow:to_server,established; uricontent:"/pfdispaly.cgi"; nocase; classtype:web-application-activity; sid:1656; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI pagelog.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/pagelog.cgi"; nocase; content:"name=../"; nocase; reference:bugtraq,1864; reference:cve,2000-0940; reference:nessus,10591; classtype:web-application-activity; sid:1657; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI pagelog.cgi access"; flow:to_server,established; uricontent:"/pagelog.cgi"; nocase; reference:bugtraq,1864; reference:cve,2000-0940; reference:nessus,10591; classtype:web-application-activity; sid:1658; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ad.cgi access"; flow:to_server,established; uricontent:"/ad.cgi"; nocase; classtype:web-application-activity; sid:1709; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bbs_forum.cgi access"; flow:to_server,established; uricontent:"/bbs_forum.cgi"; nocase; classtype:web-application-activity; sid:1710; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bsguest.cgi access"; flow:to_server,established; uricontent:"/bsguest.cgi"; nocase; classtype:web-application-activity; sid:1711; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bslist.cgi access"; flow:to_server,established; uricontent:"/bslist.cgi"; nocase; classtype:web-application-activity; sid:1712; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cgforum.cgi access"; flow:to_server,established; uricontent:"/cgforum.cgi"; nocase; classtype:web-application-activity; sid:1713; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI newdesk access"; flow:to_server,established; uricontent:"/newdesk"; nocase; classtype:web-application-activity; sid:1714; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI register.cgi access"; flow:to_server,established; uricontent:"/register.cgi"; nocase; classtype:web-application-activity; sid:1715; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI gbook.cgi access"; flow:to_server,established; uricontent:"/gbook.cgi"; nocase; reference:bugtraq,1940; reference:cve,2000-1131; classtype:web-application-activity; sid:1716; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI simplestguest.cgi access"; flow:to_server,established; uricontent:"/simplestguest.cgi"; nocase; classtype:web-application-activity; sid:1717; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI statusconfig.pl access"; flow:to_server,established; uricontent:"/statusconfig.pl"; nocase; classtype:web-application-activity; sid:1718; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI talkback.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/talkbalk.cgi"; nocase; content:"article=../../"; nocase; classtype:web-application-attack; sid:1719; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI talkback.cgi access"; flow:to_server,established; uricontent:"/talkbalk.cgi"; nocase; classtype:web-application-activity; sid:1720; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI adcycle access"; flow:to_server,established; uricontent:"/adcycle"; nocase; classtype:web-application-activity; sid:1721; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI MachineInfo access"; flow:to_server,established; uricontent:"/MachineInfo"; nocase; classtype:web-application-activity; sid:1722; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI emumail.cgi NULL attempt"; flow:to_server,established; uricontent:"/emumail.cgi"; content:"type="; nocase; content:"%00"; reference:bugtraq,5824; reference:cve,2002-1526; classtype:web-application-activity; sid:1723; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI emumail.cgi access"; flow:to_server,established; uricontent:"/emumail.cgi"; nocase; reference:bugtraq,5824; reference:cve,2002-1526; classtype:web-application-activity; sid:1724; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI document.d2w access"; flow:to_server,established; uricontent:"/document.d2w"; reference:bugtraq,2017; reference:cve,2000-1110; classtype:web-application-activity; sid:1642; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI db2www access"; flow:to_server,established; uricontent:"/db2www"; reference:cve,2000-0677; classtype:web-application-activity; sid:1643; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI /cgi-bin/ access"; flow:to_server,established; uricontent:"/cgi-bin/"; content:"/cgi-bin/ HTTP"; nocase; classtype:web-application-attack; sid:1668; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI /cgi-dos/ access"; flow:to_server,established; uricontent:"/cgi-dos/"; content:"/cgi-dos/ HTTP"; nocase; classtype:web-application-attack; sid:1669; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI technote main.cgi file directory traversal attempt"; flow:to_server,established; uricontent:"/technote/main.cgi"; nocase; content:"filename="; nocase; content:"../../"; reference:bugtraq,2156; reference:cve,2001-0075; classtype:web-application-attack; sid:1051; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI technote print.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/technote/print.cgi"; nocase; content:"board="; nocase; content:"../../"; content:"%00"; reference:bugtraq,2156; reference:cve,2001-0075; classtype:web-application-attack; sid:1052; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ads.cgi command execution attempt"; flow:to_server,established; uricontent:"/ads.cgi"; nocase; content:"file="; nocase; content:"../../"; content:"|7C|"; reference:bugtraq,2103; reference:cve,2001-0025; classtype:web-application-attack; sid:1053; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI eXtropia webstore directory traversal"; flow:to_server,established; uricontent:"/web_store.cgi"; content:"page=../"; reference:bugtraq,1774; reference:cve,2000-1005; classtype:web-application-attack; sid:1088; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI eXtropia webstore access"; flow:to_server,established; uricontent:"/web_store.cgi"; reference:bugtraq,1774; reference:cve,2000-1005; classtype:web-application-activity; sid:1611; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI shopping cart directory traversal"; flow:to_server,established; uricontent:"/shop.cgi"; content:"page=../"; reference:bugtraq,1777; reference:cve,2000-0921; classtype:web-application-attack; sid:1089; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Allaire Pro Web Shell attempt"; flow:to_server,established; uricontent:"/authenticate.cgi?PASSWORD"; content:"config.ini"; classtype:web-application-attack; sid:1090; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Armada Style Master Index directory traversal"; flow:to_server,established; uricontent:"/search.cgi?keys"; content:"catigory=../"; classtype:web-application-attack; sid:1092; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cached_feed.cgi moreover shopping cart directory traversal"; flow:to_server,established; uricontent:"/cached_feed.cgi"; content:"../"; reference:bugtraq,1762; reference:cve,2000-0906; classtype:web-application-attack; sid:1093; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cached_feed.cgi moreover shopping cart access"; flow:to_server,established; uricontent:"/cached_feed.cgi"; reference:bugtraq,1762; reference:cve,2000-0906; classtype:web-application-activity; sid:2051; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Talentsoft Web+ exploit attempt"; flow:to_server,established; uricontent:"/webplus.cgi?Script=/webplus/webping/webping.wml"; reference:bugtraq,1725; classtype:web-application-attack; sid:1097; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Poll-it access"; flow:to_server,established; uricontent:"/pollit/Poll_It_SSI_v2.0.cgi"; nocase; reference:bugtraq,1431; reference:cve,2000-0590; classtype:web-application-activity; sid:1106; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI count.cgi access"; flow:to_server,established; uricontent:"/count.cgi"; nocase; reference:bugtraq,128; reference:cve,1999-0021; reference:nessus,10049; classtype:web-application-activity; sid:1149; rev:12;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webdist.cgi arbitrary command attempt"; flow:to_server,established; uricontent:"/webdist.cgi"; nocase; content:"distloc=|3B|"; nocase; reference:bugtraq,374; reference:cve,1999-0039; reference:nessus,10299; classtype:web-application-attack; sid:1865; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webdist.cgi access"; flow:to_server,established; uricontent:"/webdist.cgi"; nocase; reference:bugtraq,374; reference:cve,1999-0039; reference:nessus,10299; classtype:web-application-activity; sid:1163; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bigconf.cgi access"; flow:to_server,established; uricontent:"/bigconf.cgi"; nocase; reference:bugtraq,778; reference:cve,1999-1550; reference:nessus,10027; classtype:web-application-activity; sid:1172; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI /cgi-bin/jj access"; flow:to_server,established; uricontent:"/cgi-bin/jj"; nocase; reference:bugtraq,2002; reference:cve,1999-0260; classtype:web-application-activity; sid:1174; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bizdbsearch attempt"; flow:to_server,established; uricontent:"/bizdb1-search.cgi"; nocase; content:"mail"; nocase; reference:bugtraq,1104; reference:cve,2000-0287; classtype:web-application-attack; sid:1185; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bizdbsearch access"; flow:to_server,established; uricontent:"/bizdb1-search.cgi"; nocase; reference:bugtraq,1104; reference:cve,2000-0287; classtype:web-application-activity; sid:1535; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI sojourn.cgi File attempt"; flow:to_server,established; uricontent:"/sojourn.cgi?cat="; content:"%00"; nocase; reference:bugtraq,1052; reference:cve,2000-0180; classtype:web-application-attack; sid:1194; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI sojourn.cgi access"; flow:to_server,established; uricontent:"/sojourn.cgi"; nocase; reference:bugtraq,1052; reference:cve,2000-0180; classtype:web-application-activity; sid:1195; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI SGI InfoSearch fname attempt"; flow:to_server,established; uricontent:"/infosrch.cgi?"; content:"fname="; nocase; reference:arachnids,290; reference:bugtraq,1031; reference:cve,2000-0207; classtype:web-application-attack; sid:1196; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI SGI InfoSearch fname access"; flow:to_server,established; uricontent:"/infosrch.cgi"; reference:arachnids,290; reference:bugtraq,1031; reference:cve,2000-0207; classtype:web-application-activity; sid:1727; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ax-admin.cgi access"; flow:to_server,established; uricontent:"/ax-admin.cgi"; classtype:web-application-activity; sid:1204; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI axs.cgi access"; flow:to_server,established; uricontent:"/axs.cgi"; classtype:web-application-activity; sid:1205; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cachemgr.cgi access"; flow:to_server,established; uricontent:"/cachemgr.cgi"; reference:bugtraq,2059; reference:cve,1999-0710; reference:nessus,10034; classtype:web-application-activity; sid:1206; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI responder.cgi access"; flow:to_server,established; uricontent:"/responder.cgi"; classtype:web-application-activity; sid:1208; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI web-map.cgi access"; flow:to_server,established; uricontent:"/web-map.cgi"; classtype:web-application-activity; sid:1211; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ministats admin access"; flow:to_server,established; uricontent:"/ministats/admin.cgi"; nocase; classtype:web-application-activity; sid:1215; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI dfire.cgi access"; flow:to_server,established; uricontent:"/dfire.cgi"; nocase; reference:bugtraq,0564; reference:bugtraq,564; reference:cve,1999-0913; classtype:web-application-activity; sid:1219; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI txt2html.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/txt2html.cgi"; nocase; content:"/../../../../"; classtype:web-application-attack; sid:1305; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI txt2html.cgi access"; flow:to_server,established; uricontent:"/txt2html.cgi"; nocase; classtype:web-application-activity; sid:1304; rev:7;)
-# do we really need two of these?
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI store.cgi product directory traversal attempt"; flow:to_server,established; uricontent:"/store.cgi"; nocase; content:"product="; content:"../.."; reference:bugtraq,2385; reference:cve,2001-0305; classtype:web-application-attack; sid:1306; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI store.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/store.cgi"; nocase; content:"../"; reference:bugtraq,2385; reference:cve,2001-0305; reference:nessus,10639; classtype:web-application-attack; sid:1488; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI store.cgi access"; flow:to_server,established; uricontent:"/store.cgi"; nocase; reference:bugtraq,2385; reference:cve,2001-0305; reference:nessus,10639; classtype:web-application-activity; sid:1307; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI SIX webboard generate.cgi attempt"; flow:to_server,established; uricontent:"/generate.cgi"; content:"content=../"; reference:bugtraq,3175; reference:cve,2001-1115; classtype:web-application-attack; sid:1494; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI SIX webboard generate.cgi access"; flow:to_server,established; uricontent:"/generate.cgi"; reference:bugtraq,3175; reference:cve,2001-1115; classtype:web-application-activity; sid:1495; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI spin_client.cgi access"; flow:to_server,established; uricontent:"/spin_client.cgi"; classtype:web-application-activity; sid:1496; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI csPassword.cgi access"; flow:to_server,established; uricontent:"/csPassword.cgi"; reference:bugtraq,4885; reference:bugtraq,4886; reference:bugtraq,4887; reference:bugtraq,4889; reference:cve,2002-0917; reference:cve,2002-0918; classtype:web-application-activity; sid:1787; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI csPassword password.cgi.tmp access"; flow:to_server,established; uricontent:"/password.cgi.tmp"; reference:bugtraq,4889; reference:cve,2002-0920; classtype:web-application-activity; sid:1788; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Nortel Contivity cgiproc DOS attempt"; flow:to_server,established; uricontent:"/cgiproc?Nocfile="; reference:bugtraq,938; reference:cve,2000-0063; reference:cve,2000-0064; reference:nessus,10160; classtype:web-application-attack; sid:1763; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Nortel Contivity cgiproc DOS attempt"; flow:to_server,established; uricontent:"/cgiproc?|24|"; reference:bugtraq,938; reference:cve,2000-0063; reference:cve,2000-0064; reference:nessus,10160; classtype:web-application-attack; sid:1764; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Nortel Contivity cgiproc access"; flow:to_server,established; uricontent:"/cgiproc"; reference:bugtraq,938; reference:cve,2000-0063; reference:cve,2000-0064; reference:nessus,10160; classtype:web-application-activity; sid:1765; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Oracle reports CGI access"; flow:to_server,established; uricontent:"/rwcgi60"; content:"setauth="; reference:bugtraq,4848; reference:cve,2002-0947; classtype:web-application-activity; sid:1805; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI alienform.cgi directory traversal attempt"; flow:established,to_server; uricontent:"/alienform.cgi"; content:".|7C|./.|7C|."; reference:bugtraq,4983; reference:cve,2002-0934; reference:nessus,11027; classtype:web-application-attack; sid:1822; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI AlienForm af.cgi directory traversal attempt"; flow:established,to_server; uricontent:"/af.cgi"; content:".|7C|./.|7C|."; reference:bugtraq,4983; reference:cve,2002-0934; reference:nessus,11027; classtype:web-application-attack; sid:1823; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI alienform.cgi access"; flow:established,to_server; uricontent:"/alienform.cgi"; reference:bugtraq,4983; reference:cve,2002-0934; reference:nessus,11027; classtype:web-application-activity; sid:1824; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI AlienForm af.cgi access"; flow:established,to_server; uricontent:"/af.cgi"; reference:bugtraq,4983; reference:cve,2002-0934; reference:nessus,11027; classtype:web-application-activity; sid:1825; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"WEB-CGI story.pl arbitrary file read attempt"; flow:to_server,established; uricontent:"/story.pl"; content:"next=../"; reference:bugtraq,3028; reference:cve,2001-0804; reference:nessus,10817; classtype:default-login-attempt; sid:1868; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"WEB-CGI story.pl access"; flow:to_server,established; uricontent:"/story.pl"; reference:bugtraq,3028; reference:cve,2001-0804; reference:nessus,10817; classtype:default-login-attempt; sid:1869; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI siteUserMod.cgi access"; flow:to_server,established; uricontent:"/.cobalt/siteUserMod/siteUserMod.cgi"; reference:bugtraq,951; reference:cve,2000-0117; reference:nessus,10253; classtype:web-application-activity; sid:1870; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cgicso access"; flow:to_server,established; uricontent:"/cgicso"; reference:bugtraq,6141; reference:nessus,10779; reference:nessus,10780; classtype:web-application-activity; sid:1875; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI nph-publish.cgi access"; flow:to_server,established; uricontent:"/nph-publish.cgi"; reference:cve,1999-1177; reference:nessus,10164; classtype:web-application-activity; sid:1876; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI printenv access"; flow:to_server,established; uricontent:"/printenv"; reference:bugtraq,1658; reference:cve,2000-0868; reference:nessus,10503; classtype:web-application-activity; sid:1877; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI sdbsearch.cgi access"; flow:to_server,established; uricontent:"/sdbsearch.cgi"; reference:bugtraq,1658; reference:cve,2000-0868; reference:nessus,10503; classtype:web-application-activity; sid:1878; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI rpc-nlog.pl access"; flow:to_server,established; uricontent:"/rpc-nlog.pl"; reference:cve,1999-1278; classtype:web-application-activity; sid:1931; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI rpc-smb.pl access"; flow:to_server,established; uricontent:"/rpc-smb.pl"; reference:cve,1999-1278; classtype:web-application-activity; sid:1932; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cart.cgi access"; flow:to_server,established; uricontent:"/cart.cgi"; classtype:web-application-activity; sid:1933; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI vpasswd.cgi access"; flow:to_server,established; uricontent:"/vpasswd.cgi"; reference:bugtraq,6038; reference:nessus,11165; classtype:web-application-activity; sid:1994; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI alya.cgi access"; flow:to_server,established; uricontent:"/alya.cgi"; reference:nessus,11118; classtype:web-application-activity; sid:1995; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI viralator.cgi access"; flow:to_server,established; uricontent:"/viralator.cgi"; reference:cve,2001-0849; reference:nessus,11107; classtype:web-application-activity; sid:1996; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI smartsearch.cgi access"; flow:to_server,established; uricontent:"/smartsearch.cgi"; classtype:web-application-activity; sid:2001; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI mrtg.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/mrtg.cgi"; content:"cfg=/../"; reference:bugtraq,4017; reference:cve,2002-0232; reference:nessus,11001; classtype:web-application-attack; sid:1862; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI overflow.cgi access"; flow:to_server,established; uricontent:"/overflow.cgi"; reference:nessus,11190; reference:url,www.cert.org/advisories/CA-2002-35.html; classtype:web-application-activity; sid:2052; rev:3;)
-
-# NOTES: this signature looks for someone accessing the web application
-# "way-board.cgi".  This application allows attackers to view arbitrary
-# files that are readable with the privilages of the web server.
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI way-board.cgi access"; flow:to_server,established; uricontent:"/way-board.cgi"; nocase; reference:nessus,10610; classtype:web-application-activity; sid:1850; rev:3;)
-
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI process_bug.cgi access"; flow:to_server,established; uricontent:"/process_bug.cgi"; nocase; reference:cve,2002-0008; classtype:web-application-activity; sid:2053; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI enter_bug.cgi arbitrary command attempt"; flow:to_server,established; uricontent:"/enter_bug.cgi"; nocase; content:"who="; content:"|3B|"; distance:0; reference:cve,2002-0008; classtype:web-application-attack; sid:2054; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI enter_bug.cgi access"; flow:to_server,established; uricontent:"/enter_bug.cgi"; nocase; reference:cve,2002-0008; classtype:web-application-activity; sid:2055; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI parse_xml.cgi access"; flow:to_server,established; uricontent:"/parse_xml.cgi"; nocase; reference:bugtraq,6960; reference:cve,2003-0054; classtype:web-application-activity; sid:2085; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 1220 (msg:"WEB-CGI streaming server parse_xml.cgi access"; flow:to_server,established; content:"/parse_xml.cgi"; nocase; reference:bugtraq,6960; reference:cve,2003-0054; classtype:web-application-activity; sid:2086; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI album.pl access"; flow:to_server,established; content:"/album.pl"; nocase; reference:bugtraq,7444; classtype:web-application-activity; sid:2115; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI chipcfg.cgi access"; flow:to_server,established; uricontent:"/chipcfg.cgi"; nocase; reference:bugtraq,2767; reference:cve,2001-1341; classtype:web-application-activity; sid:2116; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ikonboard.cgi access"; flow:to_server,established; uricontent:"/ikonboard.cgi"; nocase; reference:bugtraq,7361; reference:nessus,11605; classtype:web-application-activity; sid:2127; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI swsrv.cgi access"; flow:to_server,established; uricontent:"/srsrv.cgi"; nocase; reference:bugtraq,7510; reference:cve,2003-0217; reference:nessus,11608; classtype:web-application-activity; sid:2128; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI CSMailto.cgi access"; flow:to_server,established; uricontent:"/CSMailto.cgi"; nocase; reference:bugtraq,4579; reference:bugtraq,6265; reference:cve,2002-0749; reference:nessus,11748; classtype:web-application-activity; sid:2194; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI alert.cgi access"; flow:to_server,established; uricontent:"/alert.cgi"; nocase; reference:bugtraq,4211; reference:bugtraq,4579; reference:cve,2002-0346; reference:nessus,11748; classtype:web-application-activity; sid:2195; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI catgy.cgi access"; flow:to_server,established; uricontent:"/alert.cgi"; nocase; reference:bugtraq,3714; reference:bugtraq,4579; reference:cve,2001-1212; reference:nessus,11748; classtype:web-application-activity; sid:2196; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cvsview2.cgi access"; flow:to_server,established; uricontent:"/cvsview2.cgi"; nocase; reference:bugtraq,4579; reference:bugtraq,5517; reference:cve,2003-0153; reference:nessus,11748; classtype:web-application-activity; sid:2197; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cvslog.cgi access"; flow:to_server,established; uricontent:"/cvslog.cgi"; nocase; reference:bugtraq,4579; reference:bugtraq,5517; reference:cve,2003-0153; reference:nessus,11748; classtype:web-application-activity; sid:2198; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI multidiff.cgi access"; flow:to_server,established; uricontent:"/multidiff.cgi"; nocase; reference:bugtraq,4579; reference:bugtraq,5517; reference:cve,2003-0153; reference:nessus,11748; classtype:web-application-activity; sid:2199; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI dnewsweb.cgi access"; flow:to_server,established; uricontent:"/dnewsweb.cgi"; nocase; reference:bugtraq,1172; reference:bugtraq,4579; reference:cve,2000-0423; reference:nessus,11748; classtype:web-application-activity; sid:2200; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI download.cgi access"; flow:to_server,established; uricontent:"/download.cgi"; nocase; reference:bugtraq,4579; reference:cve,1999-1377; reference:nessus,11748; classtype:web-application-activity; sid:2201; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI edit_action.cgi access"; flow:to_server,established; uricontent:"/edit_action.cgi"; nocase; reference:bugtraq,3698; reference:bugtraq,4579; reference:cve,2001-1196; reference:nessus,11748; classtype:web-application-activity; sid:2202; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI everythingform.cgi access"; flow:to_server,established; uricontent:"/everythingform.cgi"; nocase; reference:bugtraq,2101; reference:bugtraq,4579; reference:cve,2001-0023; reference:nessus,11748; classtype:web-application-activity; sid:2203; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ezadmin.cgi access"; flow:to_server,established; uricontent:"/ezadmin.cgi"; nocase; reference:bugtraq,4068; reference:bugtraq,4579; reference:cve,2002-0263; reference:nessus,11748; classtype:web-application-activity; sid:2204; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ezboard.cgi access"; flow:to_server,established; uricontent:"/ezboard.cgi"; nocase; reference:bugtraq,4068; reference:bugtraq,4579; reference:cve,2002-0263; reference:nessus,11748; classtype:web-application-activity; sid:2205; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ezman.cgi access"; flow:to_server,established; uricontent:"/ezman.cgi"; nocase; reference:bugtraq,4068; reference:bugtraq,4579; reference:cve,2002-0263; reference:nessus,11748; classtype:web-application-activity; sid:2206; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI fileseek.cgi access"; flow:to_server,established; uricontent:"/fileseek.cgi"; nocase; reference:bugtraq,4579; reference:bugtraq,6784; reference:cve,2002-0611; reference:nessus,11748; classtype:web-application-activity; sid:2207; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI fom.cgi access"; flow:to_server,established; uricontent:"/fom.cgi"; nocase; reference:bugtraq,4579; reference:cve,2002-0230; reference:nessus,11748; classtype:web-application-activity; sid:2208; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI getdoc.cgi access"; flow:to_server,established; uricontent:"/getdoc.cgi"; nocase; reference:bugtraq,4579; reference:cve,2000-0288; reference:nessus,11748; classtype:web-application-activity; sid:2209; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI global.cgi access"; flow:to_server,established; uricontent:"/global.cgi"; nocase; reference:bugtraq,4579; reference:cve,2000-0952; reference:nessus,11748; classtype:web-application-activity; sid:2210; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI guestserver.cgi access"; flow:to_server,established; uricontent:"/guestserver.cgi"; nocase; reference:bugtraq,4579; reference:cve,2001-0180; reference:nessus,11748; classtype:web-application-activity; sid:2211; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI imageFolio.cgi access"; flow:to_server,established; uricontent:"/imageFolio.cgi"; nocase; reference:bugtraq,4579; reference:bugtraq,6265; reference:cve,2002-1334; reference:nessus,11748; classtype:web-application-activity; sid:2212; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI mailfile.cgi access"; flow:to_server,established; uricontent:"/mailfile.cgi"; nocase; reference:bugtraq,1807; reference:bugtraq,4579; reference:cve,2000-0977; reference:nessus,11748; classtype:web-application-activity; sid:2213; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI mailview.cgi access"; flow:to_server,established; uricontent:"/mailview.cgi"; nocase; reference:bugtraq,1335; reference:bugtraq,4579; reference:cve,2000-0526; reference:nessus,11748; classtype:web-application-activity; sid:2214; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI nsManager.cgi access"; flow:to_server,established; uricontent:"/nsManager.cgi"; nocase; reference:bugtraq,1710; reference:bugtraq,4579; reference:cve,2000-1023; reference:nessus,11748; classtype:web-application-activity; sid:2215; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI readmail.cgi access"; flow:to_server,established; uricontent:"/readmail.cgi"; nocase; reference:bugtraq,3427; reference:bugtraq,4579; reference:cve,2001-1283; reference:nessus,11748; classtype:web-application-activity; sid:2216; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI printmail.cgi access"; flow:to_server,established; uricontent:"/printmail.cgi"; nocase; reference:bugtraq,3427; reference:bugtraq,4579; reference:cve,2001-1283; reference:nessus,11748; classtype:web-application-activity; sid:2217; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI service.cgi access"; flow:to_server,established; uricontent:"/service.cgi"; nocase; reference:bugtraq,4211; reference:bugtraq,4579; reference:cve,2002-0346; reference:nessus,11748; classtype:web-application-activity; sid:2218; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI setpasswd.cgi access"; flow:to_server,established; uricontent:"/setpasswd.cgi"; nocase; reference:bugtraq,2212; reference:bugtraq,4579; reference:cve,2001-0133; reference:nessus,11748; classtype:web-application-activity; sid:2219; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI simplestmail.cgi access"; flow:to_server,established; uricontent:"/simplestmail.cgi"; nocase; reference:bugtraq,2106; reference:bugtraq,4579; reference:cve,2001-0022; reference:nessus,11748; classtype:web-application-activity; sid:2220; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ws_mail.cgi access"; flow:to_server,established; uricontent:"/ws_mail.cgi"; nocase; reference:bugtraq,2861; reference:bugtraq,4579; reference:cve,2001-1343; reference:nessus,11748; classtype:web-application-activity; sid:2221; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI nph-exploitscanget.cgi access"; flow:to_server,established; uricontent:"/nph-exploitscanget.cgi"; nocase; reference:bugtraq,7910; reference:bugtraq,7911; reference:bugtraq,7912; reference:cve,2003-0434; reference:nessus,11740; classtype:web-application-activity; sid:2222; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI csNews.cgi access"; flow:to_server,established; uricontent:"/csNews.cgi"; nocase; reference:bugtraq,4994; reference:cve,2002-0923; reference:nessus,11726; classtype:web-application-activity; sid:2223; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI psunami.cgi access"; flow:to_server,established; uricontent:"/psunami.cgi"; nocase; reference:bugtraq,6607; reference:nessus,11750; classtype:web-application-activity; sid:2224; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI gozila.cgi access"; flow:to_server,established; uricontent:"/gozila.cgi"; nocase; reference:nessus,11773; classtype:web-application-activity; sid:2225; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI quickstore.cgi access"; flow:to_server,established; uricontent:"/quickstore.cgi"; nocase; reference:bugtraq,9282; reference:nessus,11975; classtype:web-application-activity; sid:2323; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI view_broadcast.cgi access"; flow:to_server,established; uricontent:"/view_broadcast.cgi"; nocase; reference:bugtraq,8257; reference:cve,2003-0422; classtype:web-application-activity; sid:2387; rev:4;)
-# when we get por lists... merge this with 2387...
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 1220 (msg:"WEB-CGI streaming server view_broadcast.cgi access"; flow:to_server,established; uricontent:"/view_broadcast.cgi"; nocase; reference:bugtraq,8257; reference:cve,2003-0422; classtype:web-application-activity; sid:2388; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI CCBill whereami.cgi arbitrary command execution attempt"; flow:to_server,established; uricontent:"/whereami.cgi?g="; nocase; reference:bugtraq,8095; classtype:web-application-attack; sid:2396; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI CCBill whereami.cgi access"; flow:to_server,established; uricontent:"/whereami.cgi"; nocase; reference:bugtraq,8095; classtype:web-application-activity; sid:2397; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 3000 (msg:"WEB-CGI MDaemon form2raw.cgi overflow attempt"; flow:to_server,established; uricontent:"/form2raw.cgi"; nocase; pcre:"/\Wfrom=[^\x3b&\n]{100}/si"; reference:bugtraq,9317; classtype:web-application-attack; sid:2433; rev:1;)
-# the prevous rule looks for the attack, but we still want to catch the
-# scanners.  if we had port lists, this rule would be HTTP_PORTS and 3000
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI MDaemon form2raw.cgi access"; flow:to_server,established; content:"/form2raw.cgi"; nocase; reference:bugtraq,9317; classtype:web-application-activity; sid:2434; rev:1;)
-
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Emumail init.emu access"; flow:to_server,established; uricontent:"/init.emu"; nocase; reference:bugtraq,9861; classtype:web-application-activity; sid:2567; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Emumail emumail.fcgi access"; flow:to_server,established; uricontent:"/emumail.fcgi"; nocase; reference:bugtraq,9861; classtype:web-application-activity; sid:2568; rev:1;)
diff --git a/scripts/s2b/snort_rules2.2/web-client.rules b/scripts/s2b/snort_rules2.2/web-client.rules
deleted file mode 100644
index e34d5472b9..0000000000
--- a/scripts/s2b/snort_rules2.2/web-client.rules
+++ /dev/null
@@ -1,25 +0,0 @@
-# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
-#    All rights reserved.
-# $Id: web-client.rules 91 2004-07-15 08:13:57Z rwinslow $
-#---------------
-# WEB-CLIENT RULES
-#---------------
-#
-# These signatures look for two things:
-# * bad things coming from our users
-# * attacks against our web users
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Outlook EML access"; flow:from_client,established; uricontent:".eml"; classtype:attempted-user; sid:1233; rev:9;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Microsoft emf metafile access"; flow:from_client,established; uricontent:".emf"; reference:bugtraq,9707; classtype:attempted-user; sid:2435; rev:2;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Microsoft wmf metafile access"; flow:from_client,established; uricontent:".wmf"; reference:bugtraq,9707; classtype:attempted-user; sid:2436; rev:2;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT XMLHttpRequest attempt"; flow:to_client,established; content:"new XMLHttpRequest|28|"; content:"file|3A|//"; nocase; classtype:web-application-attack; sid:1735; rev:4;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT readme.eml download attempt"; flow:from_client,established; uricontent:"/readme.eml"; nocase; reference:url,www.cert.org/advisories/CA-2001-26.html; classtype:attempted-user; sid:1284; rev:10;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT readme.eml autoload attempt"; flow:to_client,established; content:"window.open|28 22|readme.eml|22|"; nocase; reference:url,www.cert.org/advisories/CA-2001-26.html; classtype:attempted-user; sid:1290; rev:10;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Javascript document.domain attempt"; flow:to_client,established; content:"document.domain|28|"; nocase; reference:bugtraq,5346; classtype:attempted-user; sid:1840; rev:5;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Javascript URL host spoofing attempt"; flow:to_client,established; content:"javascript|3A|//"; nocase; reference:bugtraq,5293; classtype:attempted-user; sid:1841; rev:5;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT RealPlayer arbitrary javascript command attempt"; flow:to_client,established; content:"Content-Type|3A|"; nocase; pcre:"/^Content-Type\x3a\s+application\x2fsmi.*?<area[\s\n\r]+href=[\x22\x27]file\x3ajavascript\x3a/smi"; reference:bugtraq,8453; reference:bugtraq,9738; reference:cve,2003-0726; classtype:attempted-user; sid:2437; rev:5;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT RealPlayer playlist file URL overflow attempt"; flow:from_server,established; flowbits:isset,realplayer.playlist; content:"file|3A|//"; nocase; pcre:"/^file\x3a\x2f\x2f[^\n]{400}/smi"; reference:bugtraq,9579; classtype:attempted-user; sid:2438; rev:3;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT RealPlayer playlist http URL overflow attempt"; flow:from_server,established; flowbits:isset,realplayer.playlist; content:"http|3A|//"; nocase; pcre:"/^http\x3a\x2f\x2f[^\n]{400}/smi"; reference:bugtraq,9579; classtype:attempted-user; sid:2439; rev:3;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT RealPlayer playlist rtsp URL overflow attempt"; flow:from_server,established; flowbits:isset,realplayer.playlist; content:"rtsp|3A|//"; nocase; pcre:"/^http\x3a\x2f\x2f[^\n]{400}/smi"; reference:bugtraq,9579; classtype:attempted-user; sid:2440; rev:3;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Nortan antivirus sysmspam.dll load attempt"; flow:to_client,established; content:"clsid|3A|"; nocase; content:"0534CF61-83C5-4765-B19B-45F7A4E135D0"; nocase; reference:bugtraq,9916; reference:cve,2004-0363; classtype:attempted-admin; sid:2485; rev:4;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT local resource redirection attempt"; flow:to_client,established; content:"Location|3a|"; nocase; pcre:"/^Location\x3a\s*URL\s*\x3a/smi"; reference:cve,2004-0549; reference:url,www.kb.cert.org/vuls/id/713878; classtype:attempted-user; sid:2577; rev:2;)
diff --git a/scripts/s2b/snort_rules2.2/web-coldfusion.rules b/scripts/s2b/snort_rules2.2/web-coldfusion.rules
deleted file mode 100644
index 72925c3775..0000000000
--- a/scripts/s2b/snort_rules2.2/web-coldfusion.rules
+++ /dev/null
@@ -1,43 +0,0 @@
-# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
-#    All rights reserved.
-# $Id: web-coldfusion.rules 91 2004-07-15 08:13:57Z rwinslow $
-#---------------------
-# WEB-COLDFUSION RULES
-#---------------------
-#
-
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION cfcache.map access"; flow:to_server,established; uricontent:"/cfcache.map"; nocase; reference:bugtraq,917; reference:cve,2000-0057; classtype:attempted-recon; sid:903; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION exampleapp application.cfm"; flow:to_server,established; uricontent:"/cfdocs/exampleapp/email/application.cfm"; nocase; reference:bugtraq,1021; reference:cve,2000-0189; classtype:attempted-recon; sid:904; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION application.cfm access"; flow:to_server,established; uricontent:"/cfdocs/exampleapp/publish/admin/application.cfm"; nocase; reference:bugtraq,1021; reference:cve,2000-0189; classtype:attempted-recon; sid:905; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION getfile.cfm access"; flow:to_server,established; uricontent:"/cfdocs/exampleapp/email/getfile.cfm"; nocase; reference:bugtraq,229; reference:cve,1999-0800; classtype:attempted-recon; sid:906; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION addcontent.cfm access"; flow:to_server,established; uricontent:"/cfdocs/exampleapp/publish/admin/addcontent.cfm"; nocase; classtype:attempted-recon; sid:907; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION administrator access"; flow:to_server,established; uricontent:"/cfide/administrator/index.cfm"; nocase; reference:bugtraq,1314; reference:cve,2000-0538; classtype:attempted-recon; sid:908; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION datasource username attempt"; flow:to_server,established; content:"CF_SETDATASOURCEUSERNAME|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:909; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION fileexists.cfm access"; flow:to_server,established; uricontent:"/cfdocs/snippets/fileexists.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:910; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION exprcalc access"; flow:to_server,established; uricontent:"/cfdocs/expeval/exprcalc.cfm"; nocase; reference:bugtraq,115; reference:bugtraq,550; reference:cve,1999-0455; classtype:attempted-recon; sid:911; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION parks access"; flow:to_server,established; uricontent:"/cfdocs/examples/parks/detail.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:912; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION cfappman access"; flow:to_server,established; uricontent:"/cfappman/index.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:913; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION beaninfo access"; flow:to_server,established; uricontent:"/cfdocs/examples/cvbeans/beaninfo.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:914; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION evaluate.cfm access"; flow:to_server,established; uricontent:"/cfdocs/snippets/evaluate.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:915; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION getodbcdsn access"; flow:to_server,established; content:"CFUSION_GETODBCDSN|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:916; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION db connections flush attempt"; flow:to_server,established; content:"CFUSION_DBCONNECTIONS_FLUSH|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:917; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION expeval access"; flow:to_server,established; uricontent:"/cfdocs/expeval/"; nocase; reference:bugtraq,550; reference:cve,1999-0477; classtype:attempted-user; sid:918; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION datasource passwordattempt"; flow:to_server,established; content:"CF_SETDATASOURCEPASSWORD|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:919; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION datasource attempt"; flow:to_server,established; content:"CF_ISCOLDFUSIONDATASOURCE|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:920; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION admin encrypt attempt"; flow:to_server,established; content:"CFUSION_ENCRYPT|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:921; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION displayfile access"; flow:to_server,established; uricontent:"/cfdocs/expeval/displayopenedfile.cfm"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:922; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION getodbcin attempt"; flow:to_server,established; content:"CFUSION_GETODBCINI|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:923; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION admin decrypt attempt"; flow:to_server,established; content:"CFUSION_DECRYPT|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:924; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION mainframeset access"; flow:to_server,established; uricontent:"/cfdocs/examples/mainframeset.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:925; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION set odbc ini attempt"; flow:to_server,established; content:"CFUSION_SETODBCINI|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:926; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION settings refresh attempt"; flow:to_server,established; content:"CFUSION_SETTINGS_REFRESH|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:927; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION exampleapp access"; flow:to_server,established; uricontent:"/cfdocs/exampleapp/"; nocase; classtype:attempted-recon; sid:928; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION CFUSION_VERIFYMAIL access"; flow:to_server,established; content:"CFUSION_VERIFYMAIL|28 29|"; nocase; reference:bugtraq,550; classtype:attempted-user; sid:929; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION snippets attempt"; flow:to_server,established; uricontent:"/cfdocs/snippets/"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:930; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION cfmlsyntaxcheck.cfm access"; flow:to_server,established; uricontent:"/cfdocs/cfmlsyntaxcheck.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:931; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION application.cfm access"; flow:to_server,established; uricontent:"/application.cfm"; nocase; reference:arachnids,268; reference:bugtraq,550; reference:cve,2000-0189; classtype:attempted-recon; sid:932; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION onrequestend.cfm access"; flow:to_server,established; uricontent:"/onrequestend.cfm"; nocase; reference:arachnids,269; reference:bugtraq,550; reference:cve,2000-0189; classtype:attempted-recon; sid:933; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION startstop DOS access"; flow:to_server,established; uricontent:"/cfide/administrator/startstop.html"; nocase; reference:bugtraq,247; classtype:web-application-attack; sid:935; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION gettempdirectory.cfm access "; flow:to_server,established; uricontent:"/cfdocs/snippets/gettempdirectory.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:936; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION sendmail.cfm access"; flow:to_server,established; uricontent:"/sendmail.cfm"; nocase; classtype:attempted-recon; sid:1659; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION ?Mode=debug attempt"; flow:to_server,established; uricontent:"Mode=debug"; nocase; classtype:web-application-activity; sid:1540; rev:5;)
diff --git a/scripts/s2b/snort_rules2.2/web-frontpage.rules b/scripts/s2b/snort_rules2.2/web-frontpage.rules
deleted file mode 100644
index 3588cc6c8d..0000000000
--- a/scripts/s2b/snort_rules2.2/web-frontpage.rules
+++ /dev/null
@@ -1,41 +0,0 @@
-# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
-#    All rights reserved.
-# $Id: web-frontpage.rules 91 2004-07-15 08:13:57Z rwinslow $
-#--------------------
-# WEB-FRONTPAGE RULES
-#--------------------
-
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE rad fp30reg.dll access"; flow:to_server,established; uricontent:"/fp30reg.dll"; nocase; reference:arachnids,555; reference:bugtraq,2906; reference:cve,2001-0341; reference:url,www.microsoft.com/technet/security/bulletin/MS01-035.mspx; classtype:web-application-activity; sid:1248; rev:13;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE frontpage rad fp4areg.dll access"; flow:to_server,established; uricontent:"/fp4areg.dll"; nocase; reference:bugtraq,2906; reference:cve,2001-0341; classtype:web-application-activity; sid:1249; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE _vti_rpc access"; flow:to_server,established; uricontent:"/_vti_rpc"; nocase; reference:bugtraq,2144; classtype:web-application-activity; sid:937; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE posting"; flow:to_server,established; content:"POST"; uricontent:"/author.dll"; nocase; classtype:web-application-activity; sid:939; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE shtml.dll access"; flow:to_server,established; uricontent:"/_vti_bin/shtml.dll"; nocase; reference:arachnids,292; classtype:web-application-activity; sid:940; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE contents.htm access"; flow:to_server,established; uricontent:"/admcgi/contents.htm"; nocase; classtype:web-application-activity; sid:941; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE orders.htm access"; flow:to_server,established; uricontent:"/_private/orders.htm"; nocase; classtype:web-application-activity; sid:942; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE fpsrvadm.exe access"; flow:to_server,established; uricontent:"/fpsrvadm.exe"; nocase; classtype:web-application-activity; sid:943; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE fpremadm.exe access"; flow:to_server,established; uricontent:"/fpremadm.exe"; nocase; classtype:web-application-activity; sid:944; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE fpadmin.htm access"; flow:to_server,established; uricontent:"/admisapi/fpadmin.htm"; nocase; classtype:web-application-activity; sid:945; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE fpadmcgi.exe access"; flow:to_server,established; uricontent:"/scripts/Fpadmcgi.exe"; nocase; classtype:web-application-activity; sid:946; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE orders.txt access"; flow:to_server,established; uricontent:"/_private/orders.txt"; nocase; classtype:web-application-activity; sid:947; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE form_results access"; flow:to_server,established; uricontent:"/_private/form_results.txt"; nocase; classtype:web-application-activity; sid:948; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE registrations.htm access"; flow:to_server,established; uricontent:"/_private/registrations.htm"; nocase; classtype:web-application-activity; sid:949; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE cfgwiz.exe access"; flow:to_server,established; uricontent:"/cfgwiz.exe"; nocase; classtype:web-application-activity; sid:950; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE authors.pwd access"; flow:to_server,established; uricontent:"/authors.pwd"; nocase; reference:bugtraq,989; reference:cve,1999-0386; reference:nessus,10078; classtype:web-application-activity; sid:951; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE author.exe access"; flow:to_server,established; uricontent:"/_vti_bin/_vti_aut/author.exe"; nocase; classtype:web-application-activity; sid:952; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE administrators.pwd access"; flow:to_server,established; uricontent:"/administrators.pwd"; nocase; reference:bugtraq,1205; classtype:web-application-activity; sid:953; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE form_results.htm access"; flow:to_server,established; uricontent:"/_private/form_results.htm"; nocase; classtype:web-application-activity; sid:954; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE access.cnf access"; flow:to_server,established; uricontent:"/_vti_pvt/access.cnf"; nocase; classtype:web-application-activity; sid:955; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE register.txt access"; flow:to_server,established; uricontent:"/_private/register.txt"; nocase; classtype:web-application-activity; sid:956; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE registrations.txt access"; flow:to_server,established; uricontent:"/_private/registrations.txt"; nocase; classtype:web-application-activity; sid:957; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE service.cnf access"; flow:to_server,established; uricontent:"/_vti_pvt/service.cnf"; nocase; classtype:web-application-activity; sid:958; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE service.pwd"; flow:to_server,established; uricontent:"/service.pwd"; nocase; reference:bugtraq,1205; classtype:web-application-activity; sid:959; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE service.stp access"; flow:to_server,established; uricontent:"/_vti_pvt/service.stp"; nocase; classtype:web-application-activity; sid:960; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE services.cnf access"; flow:to_server,established; uricontent:"/_vti_pvt/services.cnf"; nocase; classtype:web-application-activity; sid:961; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE shtml.exe access"; flow:to_server,established; uricontent:"/_vti_bin/shtml.exe"; nocase; reference:bugtraq,1174; reference:bugtraq,1608; reference:cve,2000-0413; reference:cve,2000-0709; reference:nessus,10405; classtype:web-application-activity; sid:962; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE svcacl.cnf access"; flow:to_server,established; uricontent:"/_vti_pvt/svcacl.cnf"; nocase; classtype:web-application-activity; sid:963; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE users.pwd access"; flow:to_server,established; uricontent:"/users.pwd"; nocase; classtype:web-application-activity; sid:964; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE writeto.cnf access"; flow:to_server,established; uricontent:"/_vti_pvt/writeto.cnf"; nocase; classtype:web-application-activity; sid:965; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE .... request"; flow:to_server,established; uricontent:"..../"; nocase; reference:arachnids,248; reference:bugtraq,989; reference:cve,1999-0386; reference:cve,2000-0153; classtype:web-application-attack; sid:966; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE dvwssr.dll access"; flow:to_server,established; uricontent:"/dvwssr.dll"; nocase; reference:arachnids,271; reference:bugtraq,1108; reference:bugtraq,1109; reference:cve,2000-0260; reference:url,www.microsoft.com/technet/security/bulletin/ms00-025.mspx; classtype:web-application-activity; sid:967; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE register.htm access"; flow:to_server,established; uricontent:"/_private/register.htm"; nocase; classtype:web-application-activity; sid:968; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE /_vti_bin/ access"; flow:to_server,established; uricontent:"/_vti_bin/"; nocase; classtype:web-application-activity; sid:1288; rev:6;)
diff --git a/scripts/s2b/snort_rules2.2/web-iis.rules b/scripts/s2b/snort_rules2.2/web-iis.rules
deleted file mode 100644
index d33cd58dbc..0000000000
--- a/scripts/s2b/snort_rules2.2/web-iis.rules
+++ /dev/null
@@ -1,152 +0,0 @@
-# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
-#    All rights reserved.
-# $Id: web-iis.rules 91 2004-07-15 08:13:57Z rwinslow $
-#--------------
-# WEB-IIS RULES
-#--------------
-
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS MDAC Content-Type overflow attempt"; flow:to_server,established; uricontent:"/msadcs.dll"; nocase; content:"Content-Type|3A|"; nocase; content:!"|0A|"; within:50; reference:bugtraq,6214; reference:cve,2002-1142; reference:url,www.foundstone.com/knowledge/randd-advisories-display.html?id=337; classtype:web-application-attack; sid:1970; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS repost.asp access"; flow:to_server,established; uricontent:"/scripts/repost.asp"; nocase; reference:nessus,10372; classtype:web-application-activity; sid:1076; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .htr chunked Transfer-Encoding"; flow:to_server,established; uricontent:".htr"; nocase; content:"Transfer-Encoding|3A|"; nocase; content:"chunked"; nocase; reference:bugtraq,4855; reference:bugtraq,5003; reference:cve,2002-0364; classtype:web-application-attack; sid:1806; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .asp chunked Transfer-Encoding"; flow:to_server,established; uricontent:".asp"; nocase; content:"Transfer-Encoding|3A|"; nocase; content:"chunked"; nocase; reference:bugtraq,4474; reference:bugtraq,4485; reference:cve,2002-0071; reference:cve,2002-0079; reference:nessus,10932; classtype:web-application-attack; sid:1618; rev:14;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /StoreCSVS/InstantOrder.asmx request"; flow:to_server,established; uricontent:"/StoreCSVS/InstantOrder.asmx"; nocase; classtype:web-application-activity; sid:1626; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS users.xml access"; flow:to_server,established; uricontent:"/users.xml"; nocase; classtype:web-application-activity; sid:1750; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS as_web.exe access"; flow:to_server,established; uricontent:"/as_web.exe"; nocase; reference:bugtraq,4670; classtype:web-application-activity; sid:1753; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS as_web4.exe access"; flow:to_server,established; uricontent:"/as_web4.exe"; nocase; reference:bugtraq,4670; classtype:web-application-activity; sid:1754; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS NewsPro administration authentication attempt"; flow:to_server,established; content:"logged,true"; classtype:web-application-activity; sid:1756; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS pbserver access"; flow:to_server,established; uricontent:"/pbserver/pbserver.dll"; nocase; reference:url,www.microsoft.com/technet/security/bulletin/ms00-094.mspx; classtype:web-application-activity; sid:1772; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS trace.axd access"; flow:to_server,established; uricontent:"/trace.axd"; nocase; classtype:web-application-activity; sid:1660; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /isapi/tstisapi.dll access"; flow:to_server,established; uricontent:"/isapi/tstisapi.dll"; nocase; reference:bugtraq,2381; reference:cve,2001-0302; classtype:web-application-activity; sid:1484; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS mkilog.exe access"; flow:to_server,established; uricontent:"/mkilog.exe"; nocase; classtype:web-application-activity; sid:1485; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ctss.idc access"; flow:to_server,established; uricontent:"/ctss.idc"; nocase; classtype:web-application-activity; sid:1486; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /iisadmpwd/aexp2.htr access"; flow:to_server,established; uricontent:"/iisadmpwd/aexp2.htr"; classtype:web-application-activity; sid:1487; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS WebDAV file lock attempt"; flow:to_server,established; content:"LOCK "; depth:5; reference:bugtraq,2736; classtype:web-application-activity; sid:969; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ISAPI .printer access"; flow:to_server,established; uricontent:".printer"; nocase; reference:arachnids,533; reference:bugtraq,2674; reference:cve,2001-0241; classtype:web-application-activity; sid:971; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ISAPI .ida attempt"; flow:to_server,established; uricontent:".ida?"; nocase; reference:arachnids,552; reference:bugtraq,1065; reference:cve,2000-0071; classtype:web-application-attack; sid:1243; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ISAPI .ida access"; flow:to_server,established; uricontent:".ida"; nocase; reference:arachnids,552; reference:bugtraq,1065; reference:cve,2000-0071; classtype:web-application-activity; sid:1242; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ISAPI .idq attempt"; flow:to_server,established; uricontent:".idq?"; nocase; reference:arachnids,553; reference:bugtraq,1065; reference:cve,2000-0071; classtype:web-application-attack; sid:1244; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ISAPI .idq access"; flow:to_server,established; uricontent:".idq"; nocase; reference:arachnids,553; reference:bugtraq,1065; reference:cve,2000-0071; classtype:web-application-activity; sid:1245; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS %2E-asp access"; flow:to_server,established; content:"%2easp"; nocase; reference:bugtraq,1814; reference:cve,1999-0253; classtype:web-application-activity; sid:972; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS *.idc attempt"; flow:to_server,established; uricontent:"/*.idc"; nocase; reference:bugtraq,1448; reference:cve,1999-0874; reference:cve,2000-0661; classtype:web-application-attack; sid:973; rev:10;)
-
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Directory transversal attempt"; flow:to_server,established; content:"..|5C|.."; reference:bugtraq,2218; reference:cve,1999-0229; classtype:web-application-attack; sid:974; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Alternate Data streams ASP file access attempt"; flow:to_server,established; uricontent:".asp|3A 3A 24|DATA"; nocase; reference:bugtraq,149; reference:cve,1999-0278; reference:nessus,10362; reference:url,support.microsoft.com/default.aspx?scid=kb\;EN-US\;q188806; classtype:web-application-attack; sid:975; rev:12;)
-
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .bat? access"; flow:to_server,established; uricontent:".bat?"; nocase; reference:bugtraq,2023; reference:cve,1999-0233; reference:url,support.microsoft.com/support/kb/articles/Q148/1/88.asp; reference:url,support.microsoft.com/support/kb/articles/Q155/0/56.asp; classtype:web-application-activity; sid:976; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .cnf access"; flow:to_server,established; uricontent:".cnf"; nocase; classtype:web-application-activity; sid:977; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ASP contents view"; flow:to_server,established; content:"%20"; content:"&CiRestriction=none"; nocase; content:"&CiHiliteType=Full"; nocase; reference:bugtraq,1084; reference:cve,2000-0302; reference:nessus,10356; classtype:web-application-attack; sid:978; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ASP contents view"; flow:to_server,established; uricontent:".htw?CiWebHitsFile"; reference:bugtraq,1861; reference:cve,2000-0942; classtype:web-application-attack; sid:979; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS CGImail.exe access"; flow:to_server,established; uricontent:"/scripts/CGImail.exe"; nocase; reference:bugtraq,1623; reference:cve,2000-0726; classtype:web-application-activity; sid:980; rev:7;)
-
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS unicode directory traversal attempt"; flow:to_server,established; content:"/..%c0%af../"; nocase; reference:bugtraq,1806; reference:cve,2000-0884; classtype:web-application-attack; sid:981; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS unicode directory traversal attempt"; flow:to_server,established; content:"/..%c1%1c../"; nocase; reference:bugtraq,1806; reference:cve,2000-0884; classtype:web-application-attack; sid:982; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS unicode directory traversal attempt"; flow:to_server,established; content:"/..%c1%9c../"; nocase; reference:bugtraq,1806; reference:cve,2000-0884; classtype:web-application-attack; sid:983; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS unicode directory traversal attempt"; flow:to_server,established; content:"/..%255c.."; nocase; reference:bugtraq,1806; reference:cve,2000-0884; classtype:web-application-attack; sid:1945; rev:4;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS JET VBA access"; flow:to_server,established; uricontent:"/scripts/samples/ctguestb.idc"; nocase; reference:bugtraq,307; reference:cve,1999-0874; classtype:web-application-activity; sid:984; rev:8;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS JET VBA access"; flow:to_server,established; uricontent:"/scripts/samples/details.idc"; nocase; reference:bugtraq,286; reference:cve,1999-0874; classtype:web-application-activity; sid:985; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS MSProxy access"; flow:to_server,established; uricontent:"/scripts/proxy/w3proxy.dll"; nocase; classtype:web-application-activity; sid:986; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS +.htr code fragment attempt"; flow:to_server,established; uricontent:"+.htr"; nocase; reference:bugtraq,1488; reference:cve,2000-0630; classtype:web-application-attack; sid:1725; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .htr access"; flow:to_server,established; uricontent:".htr"; nocase; reference:bugtraq,1488; reference:cve,2000-0630; classtype:web-application-activity; sid:987; rev:12;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS SAM Attempt"; flow:to_server,established; content:"sam._"; nocase; reference:url,www.ciac.org/ciac/bulletins/h-45.shtml; classtype:web-application-attack; sid:988; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Unicode2.pl script File permission canonicalization"; flow:to_server,established; uricontent:"/sensepost.exe"; nocase; classtype:web-application-activity; sid:989; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS _vti_inf access"; flow:to_server,established; uricontent:"_vti_inf.html"; nocase; classtype:web-application-activity; sid:990; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS achg.htr access"; flow:to_server,established; uricontent:"/iisadmpwd/achg.htr"; nocase; reference:bugtraq,2110; reference:cve,1999-0407; classtype:web-application-activity; sid:991; rev:8;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS adctest.asp access"; flow:to_server,established; uricontent:"/msadc/samples/adctest.asp"; nocase; classtype:web-application-activity; sid:992; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /scripts/iisadmin/default.htm access"; flow:to_server,established; uricontent:"/scripts/iisadmin/default.htm"; nocase; classtype:web-application-attack; sid:994; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ism.dll access"; flow:to_server,established; uricontent:"/scripts/iisadmin/ism.dll?http/dir"; nocase; reference:bugtraq,189; reference:cve,1999-1538; reference:cve,2000-0630; classtype:web-application-attack; sid:995; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS anot.htr access"; flow:to_server,established; uricontent:"/iisadmpwd/anot"; nocase; reference:bugtraq,2110; reference:cve,1999-0407; classtype:web-application-activity; sid:996; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS asp-dot attempt"; flow:to_server,established; uricontent:".asp."; nocase; classtype:web-application-attack; sid:997; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS asp-srch attempt"; flow:to_server,established; uricontent:"|23|filename=*.asp"; nocase; classtype:web-application-attack; sid:998; rev:7;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS bdir access"; flow:to_server,established; uricontent:"/scripts/iisadmin/bdir.htr"; nocase; classtype:web-application-activity; sid:999; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS bdir.htr access"; flow:to_server,established; uricontent:"/bdir.htr"; nocase; classtype:web-application-activity; sid:1000; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cmd32.exe access"; flow:to_server,established; content:"cmd32.exe"; nocase; classtype:web-application-attack; sid:1661; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cmd.exe access"; flow:to_server,established; content:"cmd.exe"; nocase; classtype:web-application-attack; sid:1002; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cmd? access"; flow:to_server,established; content:".cmd?&"; nocase; classtype:web-application-attack; sid:1003; rev:7;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS codebrowser Exair access"; flow:to_server,established; uricontent:"/iissamples/exair/howitworks/codebrws.asp"; nocase; reference:cve,1999-0499; reference:cve,1999-0815; classtype:web-application-activity; sid:1004; rev:8;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS codebrowser SDK access"; flow:to_server,established; uricontent:"/iissamples/sdk/asp/docs/codebrws.asp"; nocase; reference:bugtraq,167; reference:cve,1999-0736; classtype:web-application-activity; sid:1005; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cross-site scripting attempt"; flow:to_server,established; uricontent:"/Form_JScript.asp"; nocase; classtype:web-application-attack; sid:1007; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cross-site scripting attempt"; flow:to_server,established; uricontent:"/Form_VBScript.asp"; nocase; classtype:web-application-attack; sid:1380; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS del attempt"; flow:to_server,established; content:"&del+/s+c|3A 5C|*.*"; nocase; classtype:web-application-attack; sid:1008; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS directory listing"; flow:to_server,established; uricontent:"/ServerVariables_Jscript.asp"; nocase; classtype:web-application-attack; sid:1009; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS encoding access"; flow:to_server,established; content:"%1u"; reference:arachnids,200; classtype:web-application-activity; sid:1010; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS exec-src access"; flow:to_server,established; content:"|23|filename=*.exe"; nocase; classtype:web-application-activity; sid:1011; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS fpcount attempt"; flow:to_server,established; uricontent:"/fpcount.exe"; content:"Digits="; nocase; reference:bugtraq,2252; reference:cve,1999-1376; classtype:web-application-attack; sid:1012; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS fpcount access"; flow:to_server,established; uricontent:"/fpcount.exe"; nocase; reference:bugtraq,2252; reference:cve,1999-1376; classtype:web-application-activity; sid:1013; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS getdrvs.exe access"; flow:to_server,established; uricontent:"/scripts/tools/getdrvs.exe"; nocase; classtype:web-application-activity; sid:1015; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS global.asa access"; flow:to_server,established; uricontent:"/global.asa"; nocase; reference:cve,2000-0778; reference:nessus,10491; classtype:web-application-activity; sid:1016; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS idc-srch attempt"; flow:to_server,established; content:"|23|filename=*.idc"; nocase; reference:cve,1999-0874; classtype:web-application-attack; sid:1017; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS iisadmpwd attempt"; flow:to_server,established; uricontent:"/iisadmpwd/aexp"; nocase; reference:bugtraq,1191; reference:bugtraq,2110; reference:cve,2000-0304; classtype:web-application-attack; sid:1018; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS index server file source code attempt"; flow:to_server,established; uricontent:"?CiWebHitsFile=/"; content:"&CiRestriction=none&CiHiliteType=Full"; classtype:web-application-attack; sid:1019; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS isc$data attempt"; flow:to_server,established; uricontent:".idc|3A 3A 24|data"; nocase; reference:bugtraq,307; reference:cve,1999-0874; classtype:web-application-attack; sid:1020; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ism.dll attempt"; flow:to_server,established; uricontent:" .htr"; nocase; reference:bugtraq,1193; reference:cve,2000-0457; classtype:web-application-attack; sid:1021; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS jet vba access"; flow:to_server,established; uricontent:"/advworks/equipment/catalog_type.asp"; nocase; reference:bugtraq,286; reference:cve,1999-0874; classtype:web-application-activity; sid:1022; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS msadcs.dll access"; flow:to_server,established; uricontent:"/msadcs.dll"; nocase; reference:bugtraq,529; reference:cve,1999-1011; classtype:web-application-activity; sid:1023; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS newdsn.exe access"; flow:to_server,established; uricontent:"/scripts/tools/newdsn.exe"; nocase; reference:bugtraq,1818; reference:cve,1999-0191; reference:nessus,10360; classtype:web-application-activity; sid:1024; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS perl access"; flow:to_server,established; uricontent:"/scripts/perl"; nocase; classtype:web-application-activity; sid:1025; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS perl-browse newline attempt"; flow:to_server,established; uricontent:"|0A|.pl"; nocase; reference:bugtraq,6833; classtype:web-application-attack; sid:1026; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS perl-browse space attempt"; flow:to_server,established; uricontent:" .pl"; nocase; reference:bugtraq,6833; classtype:web-application-attack; sid:1027; rev:8;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS query.asp access"; flow:to_server,established; uricontent:"/issamples/query.asp"; nocase; reference:bugtraq,193; reference:cve,1999-0449; classtype:web-application-activity; sid:1028; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS scripts-browse access"; flow:to_server,established; uricontent:"/scripts/ "; nocase; classtype:web-application-attack; sid:1029; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS search97.vts access"; flow:to_server,established; uricontent:"/search97.vts"; reference:bugtraq,162; classtype:web-application-activity; sid:1030; rev:7;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /SiteServer/Publishing/viewcode.asp access"; flow:to_server,established; uricontent:"/SiteServer/Publishing/viewcode.asp"; nocase; reference:nessus,10576; classtype:web-application-activity; sid:1031; rev:8;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS showcode access"; flow:to_server,established; uricontent:"/Sites/Knowledge/Membership/Inspired/ViewCode.asp"; nocase; reference:nessus,10576; classtype:web-application-activity; sid:1032; rev:7;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS showcode access"; flow:to_server,established; uricontent:"/Sites/Knowledge/Membership/Inspiredtutorial/ViewCode.asp"; nocase; reference:nessus,10576; classtype:web-application-activity; sid:1033; rev:7;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS showcode access"; flow:to_server,established; uricontent:"/Sites/Samples/Knowledge/Membership/Inspiredtutorial/ViewCode.asp"; nocase; reference:nessus,10576; classtype:web-application-activity; sid:1034; rev:7;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS showcode access"; flow:to_server,established; uricontent:"/Sites/Samples/Knowledge/Push/ViewCode.asp"; nocase; reference:nessus,10576; classtype:web-application-activity; sid:1035; rev:7;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS showcode access"; flow:to_server,established; uricontent:"/Sites/Samples/Knowledge/Search/ViewCode.asp"; nocase; reference:nessus,10576; classtype:web-application-activity; sid:1036; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS showcode.asp access"; flow:to_server,established; uricontent:"/showcode.asp"; nocase; reference:bugtraq,167; reference:cve,1999-0736; reference:nessus,10007; classtype:web-application-activity; sid:1037; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS site server config access"; flow:to_server,established; uricontent:"/adsamples/config/site.csc"; nocase; reference:bugtraq,256; reference:cve,1999-1520; classtype:web-application-activity; sid:1038; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS srch.htm access"; flow:to_server,established; uricontent:"/samples/isapi/srch.htm"; nocase; classtype:web-application-activity; sid:1039; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS srchadm access"; flow:to_server,established; uricontent:"/srchadm"; nocase; classtype:web-application-activity; sid:1040; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS uploadn.asp access"; flow:to_server,established; uricontent:"/scripts/uploadn.asp"; nocase; classtype:web-application-activity; sid:1041; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS view source via translate header"; flow:to_server,established; content:"Translate|3A| F"; nocase; reference:arachnids,305; reference:bugtraq,1578; classtype:web-application-activity; sid:1042; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS viewcode.asp access"; flow:to_server,established; uricontent:"/viewcode.asp"; nocase; reference:nessus,10576; classtype:web-application-activity; sid:1043; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS webhits access"; flow:to_server,established; uricontent:".htw"; reference:arachnids,237; classtype:web-application-activity; sid:1044; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS doctodep.btr access"; flow:to_server,established; uricontent:"doctodep.btr"; classtype:web-application-activity; sid:1726; rev:4;)
-# alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"WEB-IIS Unauthorized IP Access Attempt"; flow:to_server,established; content:"403"; content:"Forbidden|3A|"; classtype:web-application-attack; sid:1045; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS site/iisamples access"; flow:to_server,established; uricontent:"/site/iisamples"; nocase; classtype:web-application-activity; sid:1046; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS CodeRed v2 root.exe access"; flow:to_server,established; uricontent:"/root.exe"; nocase; reference:url,www.cert.org/advisories/CA-2001-19.html; classtype:web-application-attack; sid:1256; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS outlook web dos"; flow:to_server,established; uricontent:"/exchange/LogonFrm.asp?"; nocase; content:"mailbox="; nocase; content:"%%%"; reference:bugtraq,3223; classtype:web-application-attack; sid:1283; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /scripts/samples/ access"; flow:to_server,established; uricontent:"/scripts/samples/"; nocase; classtype:web-application-attack; sid:1400; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /msadc/samples/ access"; flow:to_server,established; uricontent:"/msadc/samples/"; nocase; classtype:web-application-attack; sid:1401; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS iissamples access"; flow:to_server,established; uricontent:"/iissamples/"; nocase; classtype:web-application-attack; sid:1402; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS iisadmin access"; flow:to_server,established; uricontent:"/iisadmin"; nocase; classtype:web-application-attack; sid:993; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS msdac access"; flow:to_server,established; uricontent:"/msdac/"; nocase; classtype:web-application-activity; sid:1285; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS _mem_bin access"; flow:to_server,established; uricontent:"/_mem_bin/"; nocase; classtype:web-application-activity; sid:1286; rev:6;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS scripts access"; flow:to_server,established; uricontent:"/scripts/"; nocase; classtype:web-application-activity; sid:1287; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS htimage.exe access"; flow:to_server,established; uricontent:"/htimage.exe"; nocase; reference:bugtraq,1117; reference:bugtraq,964; reference:cve,2000-0122; reference:cve,2000-0256; reference:nessus,10376; classtype:web-application-activity; sid:1595; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS MS Site Server default login attempt"; flow:to_server,established; uricontent:"/SiteServer/Admin/knowledge/persmbr/"; nocase; content:"Authorization|3A| Basic TERBUF9Bbm9ueW1vdXM6TGRhcFBhc3N3b3JkXzE="; reference:nessus,11018; classtype:web-application-attack; sid:1817; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS MS Site Server admin attempt"; flow:to_server,established; uricontent:"/Site Server/Admin/knowledge/persmbr/"; nocase; reference:nessus,11018; classtype:web-application-attack; sid:1818; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS postinfo.asp access"; flow:to_server,established; uricontent:"/scripts/postinfo.asp"; nocase; classtype:web-application-activity; sid:1075; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /exchange/root.asp attempt"; flow:to_server,established; uricontent:"/exchange/root.asp?acs=anon"; nocase; classtype:web-application-attack; sid:1567; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /exchange/root.asp access"; flow:to_server,established; uricontent:"/exchange/root.asp"; nocase; classtype:web-application-activity; sid:1568; rev:5;)
-
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .asa HTTP header buffer overflow attempt"; flow:to_server,established; content:"HTTP/"; nocase; uricontent:".asa"; nocase; content:"|3A|"; content:"|0A|"; content:"|00|"; reference:bugtraq,4476; reference:cve,2002-0150; classtype:web-application-attack; sid:1802; rev:7;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .cer HTTP header buffer overflow attempt"; flow:to_server,established; content:"HTTP/"; nocase; uricontent:".cer"; nocase; content:"|3A|"; content:"|0A|"; content:"|00|"; reference:bugtraq,4476; reference:cve,2002-0150; classtype:web-application-attack; sid:1803; rev:8;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .cdx HTTP header buffer overflow attempt"; flow:to_server,established; content:"HTTP/"; nocase; uricontent:".cdx"; nocase; content:"|3A|"; content:"|0A|"; content:"|00|"; reference:bugtraq,4476; reference:cve,2002-0150; classtype:web-application-attack; sid:1804; rev:8;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .asp HTTP header buffer overflow attempt"; flow:to_server,established; content:"HTTP/"; nocase; uricontent:".asp"; nocase; content:"|3A|"; content:"|0A|"; content:"|00|"; reference:bugtraq,4476; reference:cve,2002-0150; classtype:web-application-attack; sid:1801; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS WEBDAV exploit attempt"; flow:to_server,established; content:"HTTP/1.1|0A|Content-type|3A| text/xml|0A|HOST|3A|"; content:"Accept|3A| */*|0A|Translate|3A| f|0A|Content-length|3A|5276|0A 0A|"; distance:1; reference:bugtraq,7116; reference:bugtraq,7716; reference:cve,2003-0109; reference:url,www.microsoft.com/technet/security/bulletin/ms03-007.mspx; classtype:attempted-admin; sid:2090; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS WEBDAV nessus safe scan attempt"; flow:to_server,established; content:"SEARCH / HTTP/1.1|0D 0A|Host|3A|"; content:"|0D 0A 0D 0A|"; within:255; reference:bugtraq,7116; reference:cve,2003-0109; reference:nessus,11412; reference:nessus,11413; reference:url,www.microsoft.com/technet/security/bulletin/ms03-007.mspx; classtype:attempted-admin; sid:2091; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Battleaxe Forum login.asp access"; flow:to_server,established; uricontent:"myaccount/login.asp"; nocase; reference:bugtraq,7416; reference:cve,2003-0215; classtype:web-application-activity; sid:2117; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS nsiislog.dll access"; flow:to_server,established; uricontent:"/nsiislog.dll"; nocase; reference:bugtraq,8035; reference:cve,2003-0349; reference:nessus,11664; reference:url,www.microsoft.com/technet/security/bulletin/ms03-018.mspx; classtype:web-application-activity; sid:2129; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS IISProtect siteadmin.asp access"; flow:to_server,established; uricontent:"/iisprotect/admin/SiteAdmin.asp"; nocase; reference:bugtraq,7675; reference:cve,2003-0377; reference:nessus,11662; classtype:web-application-activity; sid:2130; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS IISProtect globaladmin.asp access"; flow:to_server,established; uricontent:"/iisprotect/admin/GlobalAdmin.asp"; nocase; reference:nessus,11661; classtype:web-application-activity; sid:2157; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS IISProtect access"; flow:to_server,established; uricontent:"/iisprotect/admin/"; nocase; reference:nessus,11661; classtype:web-application-activity; sid:2131; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Synchrologic Email Accelerator userid list access attempt"; flow:to_server,established; uricontent:"/en/admin/aggregate.asp"; nocase; reference:nessus,11657; classtype:web-application-activity; sid:2132; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS MS BizTalk server access"; flow:to_server,established; uricontent:"/biztalkhttpreceive.dll"; nocase; reference:bugtraq,7469; reference:bugtraq,7470; reference:cve,2003-0117; reference:cve,2003-0118; reference:nessus,11638; classtype:web-application-activity; sid:2133; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS register.asp access"; flow:to_server,established; uricontent:"/register.asp"; nocase; reference:nessus,11621; classtype:web-application-activity; sid:2134; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS UploadScript11.asp access"; flow:to_server,established; uricontent:"/UploadScript11.asp"; nocase; reference:cve,2001-0938; classtype:web-application-activity; sid:2247; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS DirectoryListing.asp access"; flow:to_server,established; uricontent:"/DirectoryListing.asp"; nocase; reference:cve,2001-0938; classtype:web-application-activity; sid:2248; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /pcadmin/login.asp access"; flow:to_server,established; uricontent:"/pcadmin/login.asp"; nocase; reference:bugtraq,8103; reference:nessus,11785; classtype:web-application-activity; sid:2249; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS foxweb.exe access"; flow:to_server,established; uricontent:"/foxweb.exe"; nocase; reference:nessus,11939; classtype:web-application-activity; sid:2321; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS foxweb.dll access"; flow:to_server,established; uricontent:"/foxweb.dll"; nocase; reference:nessus,11939; classtype:web-application-activity; sid:2322; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS VP-ASP shopsearch.asp access"; flow:to_server,established; uricontent:"/shopsearch.asp"; nocase; reference:bugtraq,9133; reference:bugtraq,9134; reference:nessus,11942; classtype:web-application-activity; sid:2324; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS VP-ASP ShopDisplayProducts.asp access"; flow:to_server,established; uricontent:"/ShopDisplayProducts.asp"; nocase; reference:bugtraq,9133; reference:bugtraq,9134; reference:nessus,11942; classtype:web-application-activity; sid:2325; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS sgdynamo.exe access"; flow:to_server,established; uricontent:"/sgdynamo.exe"; nocase; reference:bugtraq,4720; reference:cve,2002-0375; reference:nessus,11955; classtype:web-application-activity; sid:2326; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS NTLM ASN.1 vulnerability scan attempt"; flow:to_server,established; content:"Authorization|3A| Negotiate YIQAAABiBoMAAAYrBgEFBQKgggBTMIFQoA4wDAYKKwYBBAGCNwICCqM"; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12055; classtype:attempted-dos; sid:2386; rev:6;)
-
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS SmarterTools SmarterMail frmGetAttachment.aspx access"; flow:to_server,established; uricontent:"/frmGetAttachment.aspx"; nocase; reference:bugtraq,9805; classtype:web-application-activity; sid:2571; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS SmarterTools SmarterMail login.aspx buffer overflow attempt"; flow:to_server,established; uricontent:"/login.aspx"; nocase; content:"txtusername="; isdataat:980,relative; content:!"|0A|"; within:980; nocase; reference:bugtraq,9805; classtype:web-application-attack; sid:2572; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS SmarterTools SmarterMail frmCompose.asp access"; flow:to_server,established; uricontent:"/frmCompose.aspx"; reference:bugtraq,9805; classtype:web-application-activity; sid:2573; rev:1;)
diff --git a/scripts/s2b/snort_rules2.2/web-misc.rules b/scripts/s2b/snort_rules2.2/web-misc.rules
deleted file mode 100644
index 2614b61f09..0000000000
--- a/scripts/s2b/snort_rules2.2/web-misc.rules
+++ /dev/null
@@ -1,406 +0,0 @@
-# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
-#    All rights reserved.
-# $Id: web-misc.rules 91 2004-07-15 08:13:57Z rwinslow $
-#---------------
-# WEB-MISC RULES
-#---------------
-
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cross site scripting attempt"; flow:to_server,established; content:"<SCRIPT>"; nocase; classtype:web-application-attack; sid:1497; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cross site scripting HTML Image tag set to javascript attempt"; flow:to_server,established; content:"img src=javascript"; nocase; classtype:web-application-attack; sid:1667; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Cisco IOS HTTP configuration attempt"; flow:to_server,established; uricontent:"/level/"; uricontent:"/exec/"; reference:bugtraq,2936; reference:cve,2001-0537; classtype:web-application-attack; sid:1250; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape Enterprise DOS"; flow:to_server,established; content:"REVLOG / "; depth:9; reference:bugtraq,2294; reference:cve,2001-0251; classtype:web-application-attack; sid:1047; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape Enterprise directory listing attempt"; flow:to_server,established; content:"INDEX "; depth:6; reference:bugtraq,2285; reference:cve,2001-0250; classtype:web-application-attack; sid:1048; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC iPlanet GETPROPERTIES attempt"; flow:to_server,established; content:"GETPROPERTIES"; depth:13; classtype:web-application-attack; sid:1050; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat view source attempt"; flow:to_server,established; uricontent:"%252ejsp"; reference:bugtraq,2527; classtype:web-application-attack; sid:1056; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ftp attempt"; flow:to_server,established; content:"ftp.exe"; nocase; classtype:web-application-activity; sid:1057; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC xp_enumdsn attempt"; flow:to_server,established; content:"xp_enumdsn"; nocase; classtype:web-application-attack; sid:1058; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC xp_filelist attempt"; flow:to_server,established; content:"xp_filelist"; nocase; classtype:web-application-attack; sid:1059; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC xp_availablemedia attempt"; flow:to_server,established; content:"xp_availablemedia"; nocase; classtype:web-application-attack; sid:1060; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC xp_cmdshell attempt"; flow:to_server,established; content:"xp_cmdshell"; nocase; classtype:web-application-attack; sid:1061; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC nc.exe attempt"; flow:to_server,established; content:"nc.exe"; nocase; classtype:web-application-activity; sid:1062; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC wsh attempt"; flow:to_server,established; content:"wsh.exe"; nocase; classtype:web-application-activity; sid:1064; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC rcmd attempt"; flow:to_server,established; content:"rcmd.exe"; nocase; classtype:web-application-activity; sid:1065; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC telnet attempt"; flow:to_server,established; content:"telnet.exe"; nocase; classtype:web-application-activity; sid:1066; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC net attempt"; flow:to_server,established; content:"net.exe"; nocase; classtype:web-application-activity; sid:1067; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC tftp attempt"; flow:to_server,established; content:"tftp.exe"; nocase; classtype:web-application-activity; sid:1068; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC xp_regread attempt"; flow:to_server,established; content:"xp_regread"; nocase; classtype:web-application-activity; sid:1069; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC xp_regwrite attempt"; flow:to_server,established; content:"xp_regwrite"; nocase; classtype:web-application-activity; sid:1977; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC xp_regdeletekey attempt"; flow:to_server,established; content:"xp_regdeletekey"; nocase; classtype:web-application-activity; sid:1978; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC WebDAV search access"; flow:to_server,established; content:"SEARCH "; depth:8; nocase; reference:arachnids,474; classtype:web-application-activity; sid:1070; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC .htpasswd access"; flow:to_server,established; content:".htpasswd"; nocase; classtype:web-application-attack; sid:1071; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Lotus Domino directory traversal"; flow:to_server,established; uricontent:".nsf/"; uricontent:"../"; nocase; reference:bugtraq,2173; reference:cve,2001-0009; classtype:web-application-attack; sid:1072; rev:9;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC webhits.exe access"; flow:to_server,established; uricontent:"/scripts/samples/search/webhits.exe"; nocase; classtype:web-application-activity; sid:1073; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC queryhit.htm access"; flow:to_server,established; uricontent:"/samples/search/queryhit.htm"; nocase; classtype:web-application-activity; sid:1077; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC counter.exe access"; flow:to_server,established; uricontent:"/counter.exe"; nocase; reference:bugtraq,267; reference:cve,1999-1030; classtype:web-application-activity; sid:1078; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC WebDAV propfind access"; flow:to_server,established; content:"<a|3A|propfind"; nocase; content:"xmlns|3A|a=|22|DAV|22|>"; nocase; reference:bugtraq,1656; reference:cve,2000-0869; classtype:web-application-activity; sid:1079; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC unify eWave ServletExec upload"; flow:to_server,established; uricontent:"/servlet/com.unify.servletexec.UploadServlet"; nocase; reference:bugtraq,1868; reference:bugtraq,1876; reference:cve,2000-1024; reference:cve,2000-1025; classtype:web-application-attack; sid:1080; rev:13;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape Servers suite DOS"; flow:to_server,established; uricontent:"/dsgw/bin/search?context="; nocase; reference:bugtraq,1868; reference:cve,2000-1025; classtype:web-application-attack; sid:1081; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC amazon 1-click cookie theft"; flow:to_server,established; content:"ref%3Cscript%20language%3D%22Javascript"; nocase; reference:bugtraq,1194; reference:cve,2000-0439; classtype:web-application-attack; sid:1082; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC unify eWave ServletExec DOS"; flow:to_server,established; uricontent:"/servlet/ServletExec"; classtype:web-application-activity; sid:1083; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Allaire JRUN DOS attempt"; flow:to_server,established; uricontent:"servlet/......."; nocase; reference:bugtraq,2337; classtype:web-application-attack; sid:1084; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ICQ Webfront HTTP DOS"; flow:to_server,established; uricontent:"??????????"; classtype:web-application-attack; sid:1091; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Talentsoft Web+ Source Code view access"; flow:to_server,established; uricontent:"/webplus.exe?script=test.wml"; reference:bugtraq,1722; classtype:web-application-attack; sid:1095; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Talentsoft Web+ internal IP Address access"; flow:to_server,established; uricontent:"/webplus.exe?about"; reference:bugtraq,1720; classtype:web-application-activity; sid:1096; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC SmartWin CyberOffice Shopping Cart access"; flow:to_server,established; uricontent:"_private/shopping_cart.mdb"; reference:bugtraq,1734; reference:cve,2000-0925; classtype:web-application-attack; sid:1098; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cybercop scan"; flow:to_server,established; uricontent:"/cybercop"; nocase; reference:arachnids,374; classtype:web-application-activity; sid:1099; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC L3retriever HTTP Probe"; flow:to_server,established; content:"User-Agent|3A| Java1.2.1|0D 0A|"; reference:arachnids,310; classtype:web-application-activity; sid:1100; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Webtrends HTTP probe"; flow:to_server,established; content:"User-Agent|3A| Webtrends Security Analyzer|0D 0A|"; reference:arachnids,309; classtype:web-application-activity; sid:1101; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Nessus 404 probe"; flow:to_server,established; uricontent:"/nessus_is_probing_you_"; depth:32; reference:arachnids,301; classtype:web-application-attack; sid:1102; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape admin passwd"; flow:to_server,established; uricontent:"/admin-serv/config/admpw"; nocase; reference:bugtraq,1579; classtype:web-application-attack; sid:1103; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC BigBrother access"; flow:to_server,established; uricontent:"/bb-hostsvc.sh?HOSTSVC"; nocase; classtype:attempted-recon; sid:1105; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ftp.pl attempt"; flow:to_server,established; uricontent:"/ftp.pl?dir=../.."; nocase; reference:bugtraq,1471; reference:cve,2000-0674; reference:nessus,10467; classtype:web-application-attack; sid:1612; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ftp.pl access"; flow:to_server,established; uricontent:"/ftp.pl"; nocase; reference:bugtraq,1471; reference:cve,2000-0674; reference:nessus,10467; classtype:web-application-activity; sid:1107; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat server snoop access"; flow:to_server,established; uricontent:"/jsp/snp/"; uricontent:".snp"; reference:bugtraq,1532; reference:cve,2000-0760; classtype:attempted-recon; sid:1108; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ROXEN directory list attempt"; flow:to_server,established; uricontent:"/%00"; reference:bugtraq,1510; reference:cve,2000-0671; classtype:attempted-recon; sid:1109; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC apache source.asp file access"; flow:to_server,established; uricontent:"/site/eg/source.asp"; nocase; reference:bugtraq,1457; reference:cve,2000-0628; classtype:attempted-recon; sid:1110; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat server exploit access"; flow:to_server,established; uricontent:"/contextAdmin/contextAdmin.html"; nocase; classtype:attempted-recon; sid:1111; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC http directory traversal"; flow:to_server,established; content:"..|5C|"; reference:arachnids,298; classtype:attempted-recon; sid:1112; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ICQ webserver DOS"; flow:to_server,established; uricontent:".html/......"; nocase; reference:cve,1999-0474; classtype:attempted-dos; sid:1115; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Lotus DelDoc attempt"; flow:to_server,established; uricontent:"?DeleteDocument"; nocase; classtype:attempted-recon; sid:1116; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Lotus EditDoc attempt"; flow:to_server,established; uricontent:"?EditDocument"; nocase; reference:url,www.securiteam.com/exploits/5NP080A1RE.html; classtype:attempted-recon; sid:1117; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ls%20-l"; flow:to_server,established; content:"ls%20-l"; nocase; classtype:attempted-recon; sid:1118; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC mlog.phtml access"; flow:to_server,established; uricontent:"/mlog.phtml"; nocase; reference:bugtraq,713; reference:cve,1999-0068; reference:cve,1999-0346; classtype:attempted-recon; sid:1119; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC mylog.phtml access"; flow:to_server,established; uricontent:"/mylog.phtml"; nocase; reference:bugtraq,713; reference:cve,1999-0068; reference:cve,1999-0346; classtype:attempted-recon; sid:1120; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /etc/passwd"; flow:to_server,established; content:"/etc/passwd"; nocase; classtype:attempted-recon; sid:1122; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ?PageServices access"; flow:to_server,established; uricontent:"?PageServices"; nocase; reference:bugtraq,1063; reference:bugtraq,7621; reference:cve,1999-0269; classtype:attempted-recon; sid:1123; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Ecommerce check.txt access"; flow:to_server,established; uricontent:"/config/check.txt"; nocase; classtype:attempted-recon; sid:1124; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC webcart access"; flow:to_server,established; uricontent:"/webcart/"; nocase; reference:cve,1999-0610; reference:nessus,10298; classtype:attempted-recon; sid:1125; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC AuthChangeUrl access"; flow:to_server,established; uricontent:"_AuthChangeUrl?"; nocase; classtype:attempted-recon; sid:1126; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC convert.bas access"; flow:to_server,established; uricontent:"/scripts/convert.bas"; nocase; reference:bugtraq,2025; reference:cve,1999-0175; classtype:attempted-recon; sid:1127; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cpshost.dll access"; flow:to_server,established; uricontent:"/scripts/cpshost.dll"; nocase; classtype:attempted-recon; sid:1128; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC .htaccess access"; flow:to_server,established; content:".htaccess"; nocase; classtype:attempted-recon; sid:1129; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC .wwwacl access"; flow:to_server,established; uricontent:".wwwacl"; nocase; classtype:attempted-recon; sid:1130; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC .wwwacl access"; flow:to_server,established; uricontent:".www_acl"; nocase; classtype:attempted-recon; sid:1131; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cd.."; flow:to_server,established; content:"cd.."; nocase; classtype:attempted-recon; sid:1136; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC guestbook.pl access"; flow:to_server,established; uricontent:"/guestbook.pl"; nocase; reference:arachnids,228; reference:bugtraq,776; reference:cve,1999-0237; reference:cve,1999-1053; reference:nessus,10099; classtype:attempted-recon; sid:1140; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC handler attempt"; flow:to_server,established; uricontent:"/handler"; uricontent:"|7C|"; nocase; reference:arachnids,235; reference:bugtraq,380; reference:cve,1999-0148; reference:nessus,10100; classtype:web-application-attack; sid:1613; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC handler access"; flow:to_server,established; uricontent:"/handler"; nocase; reference:arachnids,235; reference:bugtraq,380; reference:cve,1999-0148; reference:nessus,10100; classtype:web-application-activity; sid:1141; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /.... access"; flow:to_server,established; content:"/...."; classtype:attempted-recon; sid:1142; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ///cgi-bin access"; flow:to_server,established; uricontent:"///cgi-bin"; nocase; rawbytes; classtype:attempted-recon; sid:1143; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /cgi-bin/// access"; flow:to_server,established; uricontent:"/cgi-bin///"; nocase; rawbytes; classtype:attempted-recon; sid:1144; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /~root access"; flow:to_server,established; uricontent:"/~root"; nocase; classtype:attempted-recon; sid:1145; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /~ftp access"; flow:to_server,established; uricontent:"/~ftp"; nocase; classtype:attempted-recon; sid:1662; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Ecommerce import.txt access"; flow:to_server,established; uricontent:"/config/import.txt"; nocase; classtype:attempted-recon; sid:1146; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cat%20 access"; flow:to_server,established; content:"cat%20"; nocase; reference:bugtraq,374; reference:cve,1999-0039; classtype:attempted-recon; sid:1147; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Ecommerce import.txt access"; flow:to_server,established; uricontent:"/orders/import.txt"; nocase; classtype:attempted-recon; sid:1148; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino catalog.nsf access"; flow:to_server,established; uricontent:"/catalog.nsf"; nocase; classtype:attempted-recon; sid:1150; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino domcfg.nsf access"; flow:to_server,established; uricontent:"/domcfg.nsf"; nocase; classtype:attempted-recon; sid:1151; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino domlog.nsf access"; flow:to_server,established; uricontent:"/domlog.nsf"; nocase; classtype:attempted-recon; sid:1152; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino log.nsf access"; flow:to_server,established; uricontent:"/log.nsf"; nocase; classtype:attempted-recon; sid:1153; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino names.nsf access"; flow:to_server,established; uricontent:"/names.nsf"; nocase; classtype:attempted-recon; sid:1154; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino mab.nsf access"; flow:to_server,established; uricontent:"/mab.nsf"; nocase; classtype:attempted-recon; sid:1575; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino cersvr.nsf access"; flow:to_server,established; uricontent:"/cersvr.nsf"; nocase; classtype:attempted-recon; sid:1576; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino setup.nsf access"; flow:to_server,established; uricontent:"/setup.nsf"; nocase; classtype:attempted-recon; sid:1577; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino statrep.nsf access"; flow:to_server,established; uricontent:"/statrep.nsf"; nocase; classtype:attempted-recon; sid:1578; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino webadmin.nsf access"; flow:to_server,established; uricontent:"/webadmin.nsf"; nocase; classtype:attempted-recon; sid:1579; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino events4.nsf access"; flow:to_server,established; uricontent:"/events4.nsf"; nocase; classtype:attempted-recon; sid:1580; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino ntsync4.nsf access"; flow:to_server,established; uricontent:"/ntsync4.nsf"; nocase; classtype:attempted-recon; sid:1581; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino collect4.nsf access"; flow:to_server,established; uricontent:"/collect4.nsf"; nocase; classtype:attempted-recon; sid:1582; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino mailw46.nsf access"; flow:to_server,established; uricontent:"/mailw46.nsf"; nocase; classtype:attempted-recon; sid:1583; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino bookmark.nsf access"; flow:to_server,established; uricontent:"/bookmark.nsf"; nocase; classtype:attempted-recon; sid:1584; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino agentrunner.nsf access"; flow:to_server,established; uricontent:"/agentrunner.nsf"; nocase; classtype:attempted-recon; sid:1585; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino mail.box access"; flow:to_server,established; uricontent:"/mail.box"; nocase; classtype:attempted-recon; sid:1586; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Ecommerce checks.txt access"; flow:to_server,established; uricontent:"/orders/checks.txt"; nocase; classtype:attempted-recon; sid:1155; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC apache DOS attempt"; flow:to_server,established; content:"////////"; classtype:attempted-dos; sid:1156; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape PublishingXpert access"; flow:to_server,established; uricontent:"/PSUser/PSCOErrPage.htm"; nocase; reference:cve,2000-1196; classtype:web-application-activity; sid:1157; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC windmail.exe access"; flow:to_server,established; uricontent:"/windmail.exe"; nocase; reference:arachnids,465; reference:bugtraq,1073; reference:cve,2000-0242; reference:nessus,10365; classtype:attempted-recon; sid:1158; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC webplus access"; flow:to_server,established; uricontent:"/webplus?script"; nocase; reference:bugtraq,1174; reference:bugtraq,1720; reference:bugtraq,1722; reference:bugtraq,1725; reference:cve,2000-1005; classtype:attempted-recon; sid:1159; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape dir index wp"; flow:to_server,established; uricontent:"?wp-"; nocase; reference:arachnids,270; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1160; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cart 32 AdminPwd access"; flow:to_server,established; uricontent:"/c32web.exe/ChangeAdminPassword"; nocase; reference:bugtraq,1153; reference:cve,2000-0429; classtype:attempted-recon; sid:1162; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC shopping cart access"; flow:to_server,established; uricontent:"/quikstore.cfg"; nocase; reference:bugtraq,1983; reference:bugtraq,2049; reference:cve,1999-0607; reference:cve,2000-1188; classtype:attempted-recon; sid:1164; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Novell Groupwise gwweb.exe attempt"; flow:to_server,established; uricontent:"/GWWEB.EXE?HELP="; nocase; reference:bugtraq,879; reference:cve,1999-1005; reference:cve,1999-1006; reference:nessus,10877; classtype:attempted-recon; sid:1614; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Novell Groupwise gwweb.exe access"; flow:to_server,established; content:"/GWWEB.EXE"; nocase; reference:bugtraq,879; reference:cve,1999-1005; reference:cve,1999-1006; reference:nessus,10877; classtype:attempted-recon; sid:1165; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ws_ftp.ini access"; flow:to_server,established; uricontent:"/ws_ftp.ini"; nocase; reference:bugtraq,547; reference:cve,1999-1078; classtype:attempted-recon; sid:1166; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC rpm_query access"; flow:to_server,established; uricontent:"/rpm_query"; nocase; reference:bugtraq,1036; reference:cve,2000-0192; classtype:attempted-recon; sid:1167; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC mall log order access"; flow:to_server,established; uricontent:"/mall_log_files/order.log"; nocase; classtype:attempted-recon; sid:1168; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC architext_query.pl access"; flow:to_server,established; uricontent:"/ews/architext_query.pl"; nocase; classtype:attempted-recon; sid:1173; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC wwwboard.pl access"; flow:to_server,established; uricontent:"/wwwboard.pl"; nocase; reference:bugtraq,1795; reference:bugtraq,649; reference:cve,1999-0930; reference:cve,1999-0954; classtype:attempted-recon; sid:1175; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC order.log access"; flow:to_server,established; uricontent:"/admin_files/order.log"; nocase; classtype:attempted-recon; sid:1176; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape Enterprise Server directory view"; flow:to_server,established; uricontent:"?wp-verify-link"; nocase; reference:bugtraq,1063; classtype:attempted-recon; sid:1177; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC get32.exe access"; flow:to_server,established; uricontent:"/get32.exe"; nocase; reference:arachnids,258; reference:bugtraq,1485; reference:bugtraq,770; reference:cve,1999-0885; reference:nessus,10013; classtype:attempted-recon; sid:1180; rev:12;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Annex Terminal DOS attempt"; flow:to_server,established; uricontent:"/ping?query="; reference:arachnids,260; reference:cve,1999-1070; classtype:attempted-dos; sid:1181; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cgitest.exe attempt"; flow:to_server,established; uricontent:"/cgitest.exe|0D 0A|user"; nocase; reference:arachnids,265; reference:bugtraq,1313; reference:bugtraq,3885; reference:cve,2000-0521; reference:cve,2002-0128; reference:nessus,10040; reference:nessus,10623; classtype:web-application-attack; sid:1182; rev:17;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cgitest.exe access"; flow:to_server,established; uricontent:"/cgitest.exe"; nocase; reference:arachnids,265; reference:bugtraq,1313; reference:bugtraq,3885; reference:cve,2000-0521; reference:cve,2002-0128; reference:nessus,10040; reference:nessus,10623; classtype:web-application-activity; sid:1587; rev:12;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape Enterprise Server directory view"; flow:to_server,established; uricontent:"?wp-cs-dump"; nocase; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1183; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape Enterprise Server directory view"; flow:to_server,established; uricontent:"?wp-ver-info"; nocase; reference:bugtraq,1063; classtype:attempted-recon; sid:1184; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape Enterprise Server directory view"; flow:to_server,established; uricontent:"?wp-ver-diff"; nocase; reference:bugtraq,1063; classtype:attempted-recon; sid:1186; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC SalesLogix Eviewer web command attempt"; flow:to_server,established; uricontent:"/slxweb.dll/admin?command="; nocase; reference:bugtraq,1078; reference:bugtraq,1089; reference:cve,2000-0278; reference:cve,2000-0289; classtype:web-application-attack; sid:1187; rev:12;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC SalesLogix Eviewer access"; flow:to_server,established; uricontent:"/slxweb.dll"; nocase; reference:bugtraq,1078; reference:bugtraq,1089; reference:cve,2000-0278; reference:cve,2000-0289; classtype:web-application-activity; sid:1588; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape Enterprise Server directory view"; flow:to_server,established; uricontent:"?wp-start-ver"; nocase; reference:bugtraq,1063; classtype:attempted-recon; sid:1188; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape Enterprise Server directory view"; flow:to_server,established; uricontent:"?wp-stop-ver"; nocase; reference:bugtraq,1063; classtype:attempted-recon; sid:1189; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape Enterprise Server directory view"; flow:to_server,established; uricontent:"?wp-uncheckout"; nocase; reference:bugtraq,1063; classtype:attempted-recon; sid:1190; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape Enterprise Server directory view"; flow:to_server,established; uricontent:"?wp-html-rend"; nocase; reference:bugtraq,1063; classtype:attempted-recon; sid:1191; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Trend Micro OfficeScan attempt"; flow:to_server,established; uricontent:"/officescan/cgi/jdkRqNotify.exe?"; nocase; uricontent:"domain="; nocase; uricontent:"event="; nocase; reference:bugtraq,1057; classtype:attempted-recon; sid:1381; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Trend Micro OfficeScan access"; flow:to_server,established; uricontent:"/officescan/cgi/jdkRqNotify.exe"; nocase; reference:bugtraq,1057; classtype:attempted-recon; sid:1192; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC oracle web arbitrary command execution attempt"; flow:to_server,established; uricontent:"/ows-bin/"; nocase; uricontent:"?&"; reference:bugtraq,1053; reference:cve,2000-0169; reference:nessus,10348; classtype:web-application-attack; sid:1193; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC oracle web application server access"; flow:to_server,established; uricontent:"/ows-bin/"; nocase; reference:bugtraq,1053; reference:cve,2000-0169; reference:nessus,10348; classtype:web-application-activity; sid:1880; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape Enterprise Server directory view"; flow:to_server,established; uricontent:"?wp-usr-prop"; nocase; reference:bugtraq,1063; classtype:web-application-attack; sid:1198; rev:7;)
-
-
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC search.vts access"; flow:to_server,established; uricontent:"/search.vts"; classtype:attempted-recon; sid:1202; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC htgrep attempt"; flow:to_server,established; uricontent:"/htgrep"; content:"hdr=/"; reference:cve,2000-0832; classtype:web-application-attack; sid:1615; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC htgrep access"; flow:to_server,established; uricontent:"/htgrep"; reference:cve,2000-0832; classtype:web-application-activity; sid:1207; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC .nsconfig access"; flow:to_server,established; uricontent:"/.nsconfig"; classtype:attempted-recon; sid:1209; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Admin_files access"; flow:to_server,established; uricontent:"/admin_files"; nocase; classtype:attempted-recon; sid:1212; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC backup access"; flow:to_server,established; uricontent:"/backup"; nocase; classtype:attempted-recon; sid:1213; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC intranet access"; flow:to_server,established; uricontent:"/intranet/"; nocase; classtype:attempted-recon; sid:1214; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC filemail access"; flow:to_server,established; uricontent:"/filemail"; nocase; classtype:attempted-recon; sid:1216; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC plusmail access"; flow:to_server,established; uricontent:"/plusmail"; nocase; reference:bugtraq,2653; reference:cve,2000-0074; classtype:attempted-recon; sid:1217; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC adminlogin access"; flow:to_server,established; uricontent:"/adminlogin"; nocase; classtype:attempted-recon; sid:1218; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ultraboard access"; flow:to_server,established; uricontent:"/ultraboard"; nocase; classtype:attempted-recon; sid:1220; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC musicat empower attempt"; flow:to_server,established; uricontent:"/empower?DB="; nocase; classtype:web-application-attack; sid:1589; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC musicat empower access"; flow:to_server,established; uricontent:"/empower"; nocase; classtype:web-application-activity; sid:1221; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ROADS search.pl attempt"; flow:to_server,established; uricontent:"/ROADS/cgi-bin/search.pl"; content:"form="; nocase; reference:bugtraq,2371; reference:cve,2001-0215; reference:nessus,10627; classtype:attempted-recon; sid:1224; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC VirusWall FtpSave access"; flow:to_server,established; uricontent:"/FtpSave.dll"; nocase; reference:bugtraq,2808; reference:cve,2001-0432; reference:nessus,10733; classtype:attempted-recon; sid:1230; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC VirusWall FtpSaveCSP access"; flow:to_server,established; uricontent:"/FtpSaveCSP.dll"; nocase; reference:bugtraq,2808; reference:cve,2001-0432; reference:nessus,10733; classtype:attempted-recon; sid:1234; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC VirusWall FtpSaveCVP access"; flow:to_server,established; uricontent:"/FtpSaveCVP.dll"; nocase; reference:bugtraq,2808; reference:cve,2001-0432; reference:nessus,10733; classtype:attempted-recon; sid:1235; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC weblogic/tomcat .jsp view source attempt"; flow:to_server,established; uricontent:".jsp"; nocase; pcre:!"/^\w+\s+[^\n\s\?]*\.jsp/smi"; reference:bugtraq,2527; classtype:web-application-attack; sid:1054; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC SWEditServlet directory traversal attempt"; flow:to_server,established; uricontent:"/SWEditServlet"; content:"template=../../../"; classtype:attempted-user; sid:1241; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC SWEditServlet access"; flow:to_server,established; uricontent:"/SWEditServlet"; classtype:attempted-recon; sid:1259; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC whisker HEAD/./"; flow:to_server,established; content:"HEAD/./"; reference:url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html; classtype:attempted-recon; sid:1139; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC HP OpenView Manager DOS"; flow:to_server,established; uricontent:"/OvCgi/OpenView5.exe?Context=Snmp&Action=Snmp&Host=&Oid="; nocase; reference:bugtraq,2845; reference:cve,2001-0552; classtype:misc-activity; sid:1258; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC long basic authorization string"; flow:to_server,established; content:"Authorization|3A| Basic "; nocase; content:!"|0A|"; within:512; reference:bugtraq,3230; reference:cve,2001-1067; classtype:attempted-dos; sid:1260; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC sml3com access"; flow:to_server,established; uricontent:"/graphics/sml3com"; reference:bugtraq,2721; reference:cve,2001-0740; classtype:web-application-activity; sid:1291; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC carbo.dll access"; flow:to_server,established; uricontent:"/carbo.dll"; content:"icatcommand="; nocase; reference:bugtraq,2126; reference:cve,1999-1069; classtype:attempted-recon; sid:1001; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC console.exe access"; flow:to_server,established; uricontent:"/cgi-bin/console.exe"; nocase; reference:bugtraq,3375; reference:cve,2001-1252; classtype:attempted-recon; sid:1302; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cs.exe access"; flow:to_server,established; uricontent:"/cgi-bin/cs.exe"; nocase; reference:bugtraq,3375; reference:cve,2001-1252; classtype:attempted-recon; sid:1303; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC http directory traversal"; flow:to_server,established; content:"../"; reference:arachnids,297; classtype:attempted-recon; sid:1113; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC sadmind worm access"; flow:to_server,established; content:"GET x HTTP/1.0"; depth:15; reference:url,www.cert.org/advisories/CA-2001-11.html; classtype:attempted-recon; sid:1375; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC jrun directory browse attempt"; flow:to_server,established; uricontent:"/?.jsp"; reference:bugtraq,3592; classtype:web-application-attack; sid:1376; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC mod-plsql administration access"; flow:to_server,established; uricontent:"/admin_/"; reference:bugtraq,3726; reference:bugtraq,3727; reference:cve,2001-1216; reference:cve,2001-1217; reference:nessus,10849; classtype:web-application-activity; sid:1385; rev:11;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC viewcode.jse access"; flow:to_server,established; uricontent:"/viewcode.jse"; reference:bugtraq,3715; classtype:web-application-activity; sid:1389; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Phorecast remote code execution attempt"; flow:to_server,established; content:"includedir="; reference:bugtraq,3388; reference:cve,2001-1049; classtype:web-application-attack; sid:1391; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC viewcode access"; flow:to_server,established; uricontent:"/viewcode"; classtype:web-application-attack; sid:1403; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC showcode access"; flow:to_server,established; uricontent:"/showcode"; classtype:web-application-attack; sid:1404; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC .history access"; flow:to_server,established; uricontent:"/.history"; classtype:web-application-attack; sid:1433; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC .bash_history access"; flow:to_server,established; uricontent:"/.bash_history"; classtype:web-application-attack; sid:1434; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /~nobody access"; flow:to_server,established; uricontent:"/~nobody"; classtype:web-application-attack; sid:1489; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC RBS ISP /newuser  directory traversal attempt"; flow:to_server,established; uricontent:"/newuser?Image=../.."; classtype:web-application-attack; sid:1492; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC RBS ISP /newuser access"; flow:to_server,established; uricontent:"/newuser"; classtype:web-application-activity; sid:1493; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC *%0a.pl access"; flow:to_server,established; uricontent:"/*|0A|.pl"; nocase; classtype:web-application-attack; sid:1663; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC mkplog.exe access"; flow:to_server,established; uricontent:"/mkplog.exe"; nocase; classtype:web-application-activity; sid:1664; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC PCCS mysql database admin tool access"; flow:to_server,established; content:"pccsmysqladm/incs/dbconnect.inc"; depth:36; nocase; reference:arachnids,300; classtype:web-application-attack; sid:509; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC .DS_Store access"; flow:to_server,established; uricontent:"/.DS_Store"; reference:url,www.macintouch.com/mosxreaderreports46.html; classtype:web-application-activity; sid:1769; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC .FBCIndex access"; flow:to_server,established; uricontent:"/.FBCIndex"; reference:url,www.securiteam.com/securitynews/5LP0O005FS.html; classtype:web-application-activity; sid:1770; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ExAir access"; flow:to_server,established; uricontent:"/exair/search/"; reference:bugtraq,193; reference:cve,1999-0449; classtype:web-application-activity; sid:1500; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC apache ?M=D directory list attempt"; flow:to_server,established; uricontent:"/?M=D"; reference:bugtraq,3009; reference:cve,2001-0731; classtype:web-application-activity; sid:1519; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC server-info access"; flow:to_server,established; uricontent:"/server-info"; reference:url,httpd.apache.org/docs/mod/mod_info.html; classtype:web-application-activity; sid:1520; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC server-status access"; flow:to_server,established; uricontent:"/server-status"; reference:url,httpd.apache.org/docs/mod/mod_info.html; classtype:web-application-activity; sid:1521; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ans.pl attempt"; flow:to_server,established; uricontent:"/ans.pl?p=../../"; reference:bugtraq,4147; reference:bugtraq,4149; reference:cve,2002-0306; reference:cve,2002-0307; reference:nessus,10875; classtype:web-application-attack; sid:1522; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ans.pl access"; flow:to_server,established; uricontent:"/ans.pl"; reference:bugtraq,4147; reference:bugtraq,4149; reference:cve,2002-0306; reference:cve,2002-0307; reference:nessus,10875; classtype:web-application-activity; sid:1523; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC AxisStorpoint CD attempt"; flow:to_server,established; uricontent:"/cd/../config/html/cnf_gi.htm"; reference:bugtraq,1025; reference:cve,2000-0191; reference:nessus,10023; classtype:web-application-attack; sid:1524; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Axis Storpoint CD access"; flow:to_server,established; uricontent:"/config/html/cnf_gi.htm"; reference:bugtraq,1025; reference:cve,2000-0191; reference:nessus,10023; classtype:web-application-activity; sid:1525; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC basilix sendmail.inc access"; flow:to_server,established; uricontent:"/inc/sendmail.inc"; reference:cve,2001-1044; reference:nessus,10601; classtype:web-application-activity; sid:1526; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC basilix mysql.class access"; flow:to_server,established; uricontent:"/class/mysql.class"; reference:cve,2001-1044; reference:nessus,10601; classtype:web-application-activity; sid:1527; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC BBoard access"; flow:to_server,established; uricontent:"/servlet/sunexamples.BBoardServlet"; reference:bugtraq,1459; reference:cve,2000-0629; reference:nessus,10507; classtype:web-application-activity; sid:1528; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Cisco Catalyst command execution attempt"; flow:to_server,established; uricontent:"/exec/show/config/cr"; nocase; reference:bugtraq,1846; reference:cve,2000-0945; classtype:web-application-activity; sid:1544; rev:5;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Cisco /%% DOS attempt"; flow:to_server,established; uricontent:"/%%"; reference:bugtraq,1154; reference:cve,2000-0380; classtype:web-application-attack; sid:1546; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /CVS/Entries access"; flow:to_server,established; uricontent:"/CVS/Entries"; classtype:web-application-activity; sid:1551; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cvsweb version access"; flow:to_server,established; uricontent:"/cvsweb/version"; reference:cve,2000-0670; classtype:web-application-activity; sid:1552; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /doc/packages access"; flow:to_server,established; uricontent:"/doc/packages"; nocase; classtype:web-application-activity; sid:1559; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /doc/ access"; flow:to_server,established; uricontent:"/doc/"; nocase; reference:bugtraq,318; reference:cve,1999-0678; classtype:web-application-activity; sid:1560; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC login.htm attempt"; flow:to_server,established; uricontent:"/login.htm?password="; nocase; reference:bugtraq,665; reference:cve,1999-1533; classtype:web-application-activity; sid:1563; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC login.htm access"; flow:to_server,established; uricontent:"/login.htm"; nocase; reference:bugtraq,665; reference:cve,1999-1533; classtype:web-application-activity; sid:1564; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC DELETE attempt"; flow:to_server,established; content:"DELETE "; depth:7; nocase; classtype:web-application-activity; sid:1603; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /home/ftp access"; flow:to_server,established; uricontent:"/home/ftp"; nocase; classtype:web-application-activity; sid:1670; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /home/www access"; flow:to_server,established; uricontent:"/home/www"; nocase; classtype:web-application-activity; sid:1671; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC global.inc access"; flow:to_server,established; uricontent:"/global.inc"; nocase; reference:bugtraq,4612; reference:cve,2002-0614; classtype:web-application-attack; sid:1738; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC SecureSite authentication bypass attempt"; flow:to_server,established; content:"secure_site, ok"; nocase; reference:bugtraq,4621; classtype:web-application-attack; sid:1744; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC b2 arbitrary command execution attempt"; flow:to_server,established; uricontent:"/b2/b2-include/"; content:"b2inc"; content:"http|3A|//"; classtype:web-application-attack; sid:1757; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC b2 access"; flow:to_server,established; uricontent:"/b2/b2-include/"; content:"b2inc"; content:"http|3A|//"; classtype:web-application-attack; sid:1758; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC search.dll directory listing attempt"; flow:to_server,established; uricontent:"/search.dll"; content:"query=%00"; reference:bugtraq,1684; reference:cve,2000-0835; reference:nessus,10514; classtype:web-application-attack; sid:1766; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC search.dll access"; flow:to_server,established; uricontent:"/search.dll"; reference:bugtraq,1684; reference:cve,2000-0835; reference:nessus,10514; classtype:web-application-activity; sid:1767; rev:6;)
-
-
-# The following signatures are for non-standard ports.  When ports lists work,
-# then these will be converted to use HTTP_PORTS & HTTP_SERVERS
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8181 (msg:"WEB-MISC PIX firewall manager directory traversal attempt"; flow:to_server,established; content:"/../../"; classtype:web-application-attack; sid:1498; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 4080 (msg:"WEB-MISC iChat directory traversal attempt"; flow:to_server,established; content:"/../../"; reference:cve,1999-0897; classtype:web-application-activity; sid:1604; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"WEB-MISC Delegate whois overflow attempt"; flow:to_server,established; content:"whois|3A|//"; nocase; reference:cve,2000-0165; classtype:web-application-activity; sid:1558; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"WEB-MISC nstelemetry.adp access"; flow:to_server,established; content:"/nstelemetry.adp"; classtype:web-application-activity; sid:1518; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 457 (msg:"WEB-MISC Netscape Unixware overflow"; flow:to_server,established; content:"|EB|_|9A FF FF FF FF 07 FF C3|^1|C0 89|F|9D|"; reference:arachnids,180; classtype:attempted-recon; sid:1132; rev:6;)
-
-# uricontent would be nice, but we can't be sure we are running http decoding
-# on 2301.  oh for rna integration...
-alert tcp $EXTERNAL_NET any -> $HOME_NET 2301 (msg:"WEB-MISC Compaq Insight directory traversal"; flow:to_server,established; content:"../"; reference:arachnids,244; reference:bugtraq,282; reference:cve,1999-0771; classtype:web-application-attack; sid:1199; rev:11;)
-
-
-# when we get real ports list, we will merge these sigs.  so for now, keep the
-# message the same.
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC VirusWall catinfo access"; flow:to_server,established; uricontent:"/catinfo"; nocase; reference:bugtraq,2579; reference:bugtraq,2808; reference:cve,2001-0432; reference:nessus,10650; classtype:attempted-recon; sid:1231; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 1812 (msg:"WEB-MISC VirusWall catinfo access"; flow:to_server,established; content:"/catinfo"; nocase; reference:bugtraq,2579; reference:bugtraq,2808; reference:cve,2001-0432; reference:nessus,10650; classtype:attempted-recon; sid:1232; rev:8;)
-
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Apache Chunked-Encoding worm attempt"; flow:to_server,established; content:"CCCCCCC|3A| AAAAAAAAAAAAAAAAAAA"; nocase; reference:bugtraq,4474; reference:bugtraq,4485; reference:bugtraq,5033; reference:cve,2002-0071; reference:cve,2002-0079; reference:cve,2002-0392; classtype:web-application-attack; sid:1809; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Chunked-Encoding transfer attempt"; flow:to_server,established; content:"Transfer-Encoding|3A|"; nocase; content:"chunked"; nocase; reference:bugtraq,4474; reference:bugtraq,4485; reference:bugtraq,5033; reference:cve,2002-0071; reference:cve,2002-0079; reference:cve,2002-0392; classtype:web-application-attack; sid:1807; rev:9;)
-
-
-
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC CISCO VoIP DOS ATTEMPT"; flow:to_server,established; uricontent:"/StreamingStatistics"; reference:bugtraq,4794; reference:bugtraq,4798; reference:cve,2002-0882; classtype:misc-attack; sid:1814; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC IBM Net.Commerce orderdspc.d2w access"; flow:established,to_server; uricontent:"/ncommerce3/ExecMacro/orderdspc.d2w"; reference:bugtraq,2350; reference:cve,2001-0319; reference:nessus,11020; classtype:web-application-activity; sid:1820; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC WEB-INF access"; flow:established,to_server; uricontent:"/WEB-INF"; nocase; reference:nessus,11037; classtype:web-application-activity; sid:1826; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat servlet mapping cross site scripting attempt"; flow:established,to_server; uricontent:"/servlet/"; uricontent:"/org.apache."; reference:bugtraq,5193; reference:cve,2002-0682; reference:nessus,11041; classtype:web-application-attack; sid:1827; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC iPlanet Search directory traversal attempt"; flow:established,to_server; uricontent:"/search"; content:"NS-query-pat="; content:"../../"; reference:bugtraq,5191; reference:cve,2002-1042; reference:nessus,11043; classtype:web-application-attack; sid:1828; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat TroubleShooter servlet access"; flow:established,to_server; uricontent:"/examples/servlet/TroubleShooter"; reference:bugtraq,4575; reference:nessus,11046; classtype:web-application-activity; sid:1829; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat SnoopServlet servlet access"; flow:established,to_server; uricontent:"/examples/servlet/SnoopServlet"; reference:bugtraq,4575; reference:nessus,11046; classtype:web-application-activity; sid:1830; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC jigsaw dos attempt"; flow:established,to_server; uricontent:"/servlet/con"; reference:nessus,11047; classtype:web-application-attack; sid:1831; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Macromedia SiteSpring cross site scripting attempt"; flow:established,to_server; uricontent:"/error/500error.jsp"; nocase; uricontent:"et="; uricontent:"<script"; nocase; reference:bugtraq,5249; reference:cve,2002-1027; classtype:web-application-attack; sid:1835; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC mailman cross site scripting attempt"; flow:established,to_server; uricontent:"/mailman/"; nocase; uricontent:"?"; uricontent:"info="; uricontent:"<script"; nocase; reference:bugtraq,5298; reference:cve,2002-0855; classtype:web-application-attack; sid:1839; rev:4;)
-
-
-
-# NOTES: this signature looks for access to common webalizer output directories.
-# Webalizer is a http server log reporting program.  By allowing anyone on the
-# internet to view the web access logs, attackers can gain information about
-# your customers that probably should not be made public.  webalizer had cross
-# site scripting bugs prior to version 2.01-09.
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC webalizer access"; flow:established,to_server; uricontent:"/webalizer/"; nocase; reference:bugtraq,3473; reference:cve,1999-0643; reference:cve,2001-0835; reference:nessus,10816; classtype:web-application-activity; sid:1847; rev:8;)
-
-
-# NOTES: this signature looks for someone accessing the directory webcart-lite.
-# webcart-lite allows users to access world readable plain text customer
-# information databases.  To correct this issue, users should make the
-# data directories and databases not world readable, move the files outside of
-# WEBROOT if possible, and verify that a compromise of customer information has
-# not occured.
-# SIMILAR RULES: sid:1125
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC webcart-lite access"; flow:to_server,established; uricontent:"/webcart-lite/"; nocase; reference:cve,1999-0610; reference:nessus,10298; classtype:web-application-activity; sid:1848; rev:5;)
-
-
-# NOTES: this signature looks for someone accessing the web application
-# "webfind.exe".  This application has a buffer overflow in the keywords
-# argument.  An attacker can use this vulnerability to execute arbitrary
-# code on the web server.
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC webfind.exe access"; flow:to_server,established; uricontent:"/webfind.exe"; nocase; reference:bugtraq,1487; reference:cve,2000-0622; reference:nessus,10475; classtype:web-application-activity; sid:1849; rev:7;)
-
-# NOTES: this signature looks for someone accessing the file "active.log" via
-# a web server.  By allowing anyone on the internet to view the web access
-# logs, attackers can gain information about your customers that probably
-# should not be made public.
-#
-# This logfile is made available from the WebActive webserver.  This webserver
-# is no longer maintained and should be replaced with an actively maintained
-# webserver.  If converting to another webserver is not possible, remove read
-# access to this file.
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC active.log access"; flow:to_server,established; uricontent:"/active.log"; nocase; reference:bugtraq,1497; reference:cve,2000-0642; reference:nessus,10470; classtype:web-application-activity; sid:1851; rev:6;)
-
-
-
-# NOTES: this signature looks for someone accessing the file "robots.txt" via
-# web server.  This file is used to make web spider agents (including search
-# engines) more efficient.  robots.txt is often used to inform a web spider
-# which directories that the spider should ignore because the content may be
-# dynamic or restricted.  An attacker can use this information to gain insite
-# into directories that may have been deemed sensitive.
-#
-# Verify that the robots.txt does not include any sensitive information.
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC robots.txt access"; flow:to_server,established; uricontent:"/robots.txt"; nocase; reference:nessus,10302; classtype:web-application-activity; sid:1852; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC robot.txt access"; flow:to_server,established; uricontent:"/robot.txt"; nocase; reference:nessus,10302; classtype:web-application-activity; sid:1857; rev:3;)
-
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8181 (msg:"WEB-MISC CISCO PIX Firewall Manager directory traversal attempt"; flow:to_server,established; content:"/pixfir~1/how_to_login.html"; reference:bugtraq,691; reference:cve,1999-0158; reference:nessus,10819; classtype:misc-attack; sid:1858; rev:5;)
-
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 9090 (msg:"WEB-MISC Sun JavaServer default password login attempt"; flow:to_server,established; content:"/servlet/admin"; content:"ae9f86d6beaa3f9ecb9a5b7e072a4138"; reference:cve,1999-0508; reference:nessus,10995; classtype:default-login-attempt; sid:1859; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"WEB-MISC Linksys router default password login attempt"; flow:to_server,established; content:"Authorization|3A| Basic OmFkbWlu"; reference:nessus,10999; classtype:default-login-attempt; sid:1860; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"WEB-MISC Linksys router default username and password login attempt"; flow:to_server,established; content:"Authorization|3A| "; nocase; content:" Basic "; nocase; content:"YWRtaW46YWRtaW4"; reference:nessus,10999; classtype:default-login-attempt; sid:1861; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC NetGear router default password login attempt admin/password"; flow:to_server,established; content:"Authorization|3A| "; nocase; content:" Basic "; nocase; content:"YWRtaW46cGFzc3dvcmQ"; reference:nessus,11737; classtype:default-login-attempt; sid:2230; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Oracle XSQLConfig.xml access"; flow:to_server,established; uricontent:"/XSQLConfig.xml"; reference:bugtraq,4290; reference:cve,2002-0568; reference:nessus,10855; classtype:web-application-activity; sid:1871; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Oracle Dynamic Monitoring Services dms access"; flow:to_server,established; uricontent:"/dms0"; reference:nessus,10848; classtype:web-application-activity; sid:1872; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC globals.jsa access"; flow:to_server,established; uricontent:"/globals.jsa"; reference:bugtraq,4034; reference:cve,2002-0562; reference:nessus,10850; classtype:web-application-activity; sid:1873; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Oracle Java Process Manager access"; flow:to_server,established; uricontent:"/oprocmgr-status"; reference:nessus,10851; classtype:web-application-activity; sid:1874; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC bad HTTP/1.1 request, Potentially worm attack"; flow:to_server,established; content:"GET / HTTP/1.1|0D 0A 0D 0A|"; depth:18; reference:url,securityresponse.symantec.com/avcenter/security/Content/2002.09.13.html; classtype:web-application-activity; sid:1881; rev:6;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC whisker HEAD with large datagram"; dsize:>512; flow:to_server,established,no_stream; content:"HEAD"; depth:4; nocase; reference:url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html; classtype:attempted-recon; sid:1171; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC whisker space splice attack"; dsize:1; flow:to_server,established; content:" "; reference:arachnids,296; reference:url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html; classtype:attempted-recon; sid:1104; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC whisker tab splice attack"; dsize:<5; flow:to_server,established; content:"|09|"; reference:arachnids,415; reference:url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html; classtype:attempted-recon; sid:1087; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC apache chunked encoding memory corruption exploit attempt"; flow:established,to_server; content:"|C0|PR|89 E1|PQRP|B8 3B 00 00 00 CD 80|"; reference:bugtraq,5033; reference:cve,2002-0392; classtype:web-application-activity; sid:1808; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /Carello/add.exe access"; flow:to_server,established; uricontent:"/Carello/add.exe"; nocase; reference:bugtraq,1245; reference:cve,2000-0396; classtype:web-application-activity; sid:1943; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /ecscripts/ecware.exe access"; flow:to_server,established; uricontent:"/ecscripts/ecware.exe"; nocase; classtype:web-application-activity; sid:1944; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ion-p access"; flow:to_server,established; uricontent:"/ion-p"; nocase; reference:bugtraq,6091; reference:cve,2002-1559; classtype:web-application-activity; sid:1969; rev:3;)
-
-# uricontent would be nice, but we can't be sure we are running http decoding
-# on 8888.  oh for rna integration...
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"WEB-MISC SiteScope Service access"; flow:to_server,established; content:"/SiteScope/cgi/go.exe/SiteScope"; reference:nessus,10778; classtype:web-application-activity; sid:1499; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"WEB-MISC answerbook2 admin attempt"; flow:to_server,established; content:"/cgi-bin/admin/admin"; classtype:web-application-activity; sid:1946; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"WEB-MISC answerbook2 arbitrary command execution attempt"; flow:to_server,established; content:"/ab2/"; content:"|3B|"; distance:1; classtype:web-application-attack; sid:1947; rev:4;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC perl post attempt"; flow:to_server,established; content:"POST"; depth:4; uricontent:"/perl/"; reference:bugtraq,5520; reference:cve,2002-1436; reference:nessus,11158; classtype:web-application-attack; sid:1979; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC TRACE attempt"; flow:to_server,established; content:"TRACE"; depth:5; reference:bugtraq,9561; reference:nessus,11213; reference:url,www.whitehatsec.com/press_releases/WH-PR-20030120.pdf; classtype:web-application-attack; sid:2056; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC helpout.exe access"; flow:to_server,established; uricontent:"/helpout.exe"; reference:bugtraq,6002; reference:cve,2002-1169; reference:nessus,11162; classtype:web-application-activity; sid:2057; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC MsmMask.exe attempt"; flow:to_server,established; uricontent:"/MsmMask.exe"; content:"mask="; reference:nessus,11163; classtype:web-application-attack; sid:2058; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC MsmMask.exe access"; flow:to_server,established; uricontent:"/MsmMask.exe"; reference:nessus,11163; classtype:web-application-activity; sid:2059; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC DB4Web access"; flow:to_server,established; uricontent:"/DB4Web/"; reference:nessus,11180; classtype:web-application-activity; sid:2060; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC Tomcat null byte directory listing attempt"; flow:to_server,established; uricontent:"|00|.jsp"; reference:bugtraq,2518; reference:bugtraq,6721; reference:cve,2003-0042; classtype:web-application-attack; sid:2061; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC iPlanet .perf access"; flow:to_server,established; uricontent:"/.perf"; classtype:web-application-activity; sid:2062; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC Demarc SQL injection attempt"; flow:to_server,established; uricontent:"/dm/demarc"; content:"s_key="; content:"'"; distance:0; content:"'"; distance:1; content:"'"; distance:0; classtype:web-application-activity; sid:2063; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC Lotus Notes .csp script source download attempt"; flow:to_server,established; uricontent:".csp"; content:".csp"; content:"."; within:1; classtype:web-application-attack; sid:2064; rev:2;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC Lotus Notes .csp script source download attempt"; flow:to_server,established; uricontent:".csp."; classtype:web-application-attack; sid:2065; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC Lotus Notes .pl script source download attempt"; flow:to_server,established; uricontent:".pl"; content:".pl"; content:"."; within:1; classtype:web-application-attack; sid:2066; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC Lotus Notes .exe script source download attempt"; flow:to_server,established; uricontent:".exe"; content:".exe"; content:"."; within:1; classtype:web-application-attack; sid:2067; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC BitKeeper arbitrary command attempt"; flow:to_server,established; uricontent:"/diffs/"; content:"'"; content:"|3B|"; distance:0; content:"'"; distance:1; reference:bugtraq,6588; classtype:web-application-attack; sid:2068; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC chip.ini access"; flow:to_server,established; uricontent:"/chip.ini"; reference:bugtraq,2755; reference:bugtraq,2775; reference:cve,2001-0749; reference:cve,2001-0771; classtype:web-application-activity; sid:2069; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC post32.exe arbitrary command attempt"; flow:to_server,established; uricontent:"/post32.exe|7C|"; reference:bugtraq,1485; classtype:web-application-attack; sid:2070; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC post32.exe access"; flow:to_server,established; uricontent:"/post32.exe"; reference:bugtraq,1485; classtype:web-application-activity; sid:2071; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC lyris.pl access"; flow:to_server,established; uricontent:"/lyris.pl"; reference:bugtraq,1584; reference:cve,2000-0758; classtype:web-application-activity; sid:2072; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC globals.pl access"; flow:to_server,established; uricontent:"/globals.pl"; reference:bugtraq,2671; reference:cve,2001-0330; classtype:web-application-activity; sid:2073; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC philboard.mdb access"; flow:to_server,established; uricontent:"/philboard.mdb"; reference:nessus,11682; classtype:web-application-activity; sid:2135; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC philboard_admin.asp authentication bypass attempt"; flow:to_server,established; uricontent:"/philboard_admin.asp"; content:"Cookie"; nocase; content:"philboard_admin=True"; distance:0; reference:bugtraq,7739; reference:nessus,11675; classtype:web-application-attack; sid:2136; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC philboard_admin.asp access"; flow:to_server,established; uricontent:"/philboard_admin.asp"; reference:bugtraq,7739; reference:nessus,11675; classtype:web-application-activity; sid:2137; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC logicworks.ini access"; flow:to_server,established; uricontent:"/logicworks.ini"; reference:bugtraq,6996; reference:nessus,11639; classtype:web-application-activity; sid:2138; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC /*.shtml access"; flow:to_server,established; uricontent:"/*.shtml"; reference:bugtraq,1517; reference:cve,2000-0683; reference:nessus,11604; classtype:web-application-activity; sid:2139; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC mod_gzip_status access"; flow:to_server,established; uricontent:"/mod_gzip_status"; reference:nessus,11685; classtype:web-application-activity; sid:2156; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC register.dll access"; flow:to_server,established; uricontent:"/register.dll"; nocase; reference:bugtraq,3327; reference:cve,2001-0958; reference:nessus,11747; classtype:web-application-activity; sid:2231; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ContentFilter.dll access"; flow:to_server,established; uricontent:"/ContentFilter.dll"; nocase; reference:bugtraq,3327; reference:cve,2001-0958; reference:nessus,11747; classtype:web-application-activity; sid:2232; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC SFNofitication.dll access"; flow:to_server,established; uricontent:"/SFNofitication.dll"; nocase; reference:bugtraq,3327; reference:cve,2001-0958; reference:nessus,11747; classtype:web-application-activity; sid:2233; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC TOP10.dll access"; flow:to_server,established; uricontent:"/TOP10.dll"; nocase; reference:bugtraq,3327; reference:cve,2001-0958; reference:nessus,11747; classtype:web-application-activity; sid:2234; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC SpamExcp.dll access"; flow:to_server,established; uricontent:"/SpamExcp.dll"; nocase; reference:bugtraq,3327; reference:cve,2001-0958; reference:nessus,11747; classtype:web-application-activity; sid:2235; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC spamrule.dll access"; flow:to_server,established; uricontent:"/spamrule.dll"; nocase; reference:bugtraq,3327; reference:cve,2001-0958; reference:nessus,11747; classtype:web-application-activity; sid:2236; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cgiWebupdate.exe access"; flow:to_server,established; uricontent:"/cgiWebupdate.exe"; nocase; reference:bugtraq,3216; reference:cve,2001-1150; reference:nessus,11722; classtype:web-application-activity; sid:2237; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC WebLogic ConsoleHelp view source attempt"; flow:to_server,established; uricontent:"/ConsoleHelp/"; nocase; uricontent:".jsp"; nocase; reference:bugtraq,1518; reference:cve,2000-0682; reference:nessus,11724; classtype:web-application-attack; sid:2238; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC redirect.exe access"; flow:to_server,established; uricontent:"/redirect.exe"; nocase; reference:bugtraq,1256; reference:cve,2000-0401; classtype:web-application-activity; sid:2239; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC changepw.exe access"; flow:to_server,established; uricontent:"/changepw.exe"; nocase; reference:bugtraq,1256; reference:cve,2000-0401; classtype:web-application-activity; sid:2240; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cwmail.exe access"; flow:to_server,established; uricontent:"/cwmail.exe"; nocase; reference:bugtraq,4093; reference:cve,2002-0273; reference:nessus,11727; classtype:web-application-activity; sid:2241; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ddicgi.exe access"; flow:to_server,established; uricontent:"/ddicgi.exe"; nocase; reference:bugtraq,1657; reference:cve,2000-0826; reference:nessus,11728; classtype:web-application-activity; sid:2242; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ndcgi.exe access"; flow:to_server,established; uricontent:"/ndcgi.exe"; nocase; reference:cve,2001-0922; reference:nessus,11730; classtype:web-application-activity; sid:2243; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC VsSetCookie.exe access"; flow:to_server,established; uricontent:"/VsSetCookie.exe"; nocase; reference:bugtraq,3784; reference:cve,2002-0236; reference:nessus,11731; classtype:web-application-activity; sid:2244; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Webnews.exe access"; flow:to_server,established; uricontent:"/Webnews.exe"; nocase; reference:bugtraq,4124; reference:cve,2002-0290; reference:nessus,11732; classtype:web-application-activity; sid:2245; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC webadmin.dll access"; flow:to_server,established; uricontent:"/webadmin.dll"; nocase; reference:nessus,11771; classtype:web-application-activity; sid:2246; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC oracle portal demo access"; flow:to_server,established; uricontent:"/pls/portal/PORTAL_DEMO"; nocase; reference:nessus,11918; classtype:web-application-activity; sid:2276; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC PeopleSoft PeopleBooks psdoccgi access"; flow:to_server,established; uricontent:"/psdoccgi"; nocase; reference:bugtraq,9037; reference:bugtraq,9038; reference:cve,2003-0626; reference:cve,2003-0627; classtype:web-application-activity; sid:2277; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC negative Content-Length attempt"; flow:to_server,established; content:"Content-Length|3A|"; nocase; pcre:"/^Content-Length\x3a\s+-\d+/smi"; reference:bugtraq,9098; reference:bugtraq,9476; reference:bugtraq,9576; reference:cve,2004-0095; classtype:misc-attack; sid:2278; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC bsml.pl access"; flow:to_server,established; uricontent:"/bsml.pl"; nocase; reference:bugtraq,9311; reference:nessus,11973; classtype:web-application-activity; sid:2327; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ISAPISkeleton.dll access"; flow:to_server,established; uricontent:"/ISAPISkeleton.dll"; nocase; reference:bugtraq,9516; classtype:web-application-activity; sid:2369; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC BugPort config.conf file access"; flow:to_server,established; uricontent:"/config.conf"; nocase; reference:bugtraq,9542; classtype:attempted-recon; sid:2370; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Sample_showcode.html access"; flow:to_server,established; uricontent:"/Sample_showcode.html"; nocase; content:"fname"; reference:bugtraq,9555; classtype:web-application-activity; sid:2371; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC schema overflow attempt"; flow:to_server,established; uricontent:"|3A|//"; pcre:"/^[^\/]{14,}?\x3a\/\//U"; reference:bugtraq,9581; reference:cve,2004-0039; classtype:attempted-admin; sid:2381; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 2301 (msg:"WEB-MISC Compaq web-based management agent denial of service attempt"; flow:to_server,established; content:"<!"; depth:75; content:">"; within:50; reference:bugtraq,8014; classtype:web-application-attack; sid:2394; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC InteractiveQuery.jsp access"; flow:to_server,established; uricontent:"/InteractiveQuery.jsp"; nocase; reference:bugtraq,8938; reference:cve,2003-0624; classtype:web-application-activity; sid:2395; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC edittag.pl access"; flow:to_server,established; uricontent:"/edittag.pl"; nocase; reference:bugtraq,6675; classtype:web-application-activity; sid:2400; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC util.pl access"; flow:to_server,established; uricontent:"/util.pl"; nocase; reference:bugtraq,9748; classtype:web-application-activity; sid:2407; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Invision Power Board search.pl access"; flow:to_server,established; uricontent:"/search.pl"; content:"st="; nocase; reference:bugtraq,9766; classtype:web-application-activity; sid:2408; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 554 (msg:"WEB-MISC Real Server DESCRIBE buffer overflow attempt"; flow:to_server,established; content:"DESCRIBE"; nocase; content:"../"; distance:1; pcre:"/^DESCRIBE\s[^\n]{300}/smi"; reference:bugtraq,8476; reference:url,www.service.real.com/help/faq/security/rootexploit091103.html; classtype:web-application-attack; sid:2411; rev:5;)
-
-# YES, the contents are logically backwards as to how the contents are seen on
-# the wire.  snort picks up the first of the longest pattern.  login=0 happens
-# MUCH less than Cookie.  so we do this for speed.
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC NetObserve authentication bypass attempt"; flow:to_server,established; content:"login=0"; nocase; content:"Cookie|3A|"; nocase; pcre:"/^Cookie\x3a[^\n]*?login=0/smi"; reference:bugtraq,9319; classtype:web-application-attack; sid:2441; rev:3;)
-
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8000:8001 (msg:"WEB-MISC Quicktime User-Agent buffer overflow attempt"; flow:to_server,established; content:"User-Agent|3A|"; nocase; pcre:"/^User-Agent\x3a[^\n]{244,255}/smi"; reference:bugtraq,9735; reference:cve,2004-0169; classtype:web-application-attack; sid:2442; rev:6;)
-
-
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC source.jsp access"; flow:to_server,established; uricontent:"/source.jsp"; nocase; reference:nessus,12119; classtype:web-application-activity; sid:2484; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ServletManager access"; flow:to_server,established; uricontent:"/servlet/ServletManager"; nocase; reference:bugtraq,3697; reference:cve,2001-1195; reference:nessus,12122; classtype:web-application-activity; sid:2447; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC setinfo.hts access"; flow:to_server,established; uricontent:"/setinfo.hts"; nocase; reference:bugtraq,9973; reference:nessus,12120; classtype:web-application-activity; sid:2448; rev:2;)
-
-
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC SSLv3 invalid data version attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; content:!"|03|"; depth:1; offset:9; reference:bugtraq,10115; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2505; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; flowbits:set,sslv3.client_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2520; rev:5;)
-alert tcp $HTTP_SERVERS 443 -> $EXTERNAL_NET any (msg:"WEB-MISC SSLv3 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|02|"; depth:1; offset:5; flowbits:set,sslv3.server_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2521; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC SSLv3 invalid Client_Hello attempt"; flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2522; rev:7;)
-
-
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC PCT Client_Hello overflow attempt"; flow:to_server,established; content:"|01|"; depth:1; offset:2; byte_test:2,>,0,6; byte_test:2,!,0,8; byte_test:2,!,16,8; byte_test:2,>,20,10; content:"|8F|"; depth:1; offset:11; byte_test:2,>,32768,0,relative; reference:bugtraq,10116; reference:cve,2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2515; rev:9;)
-
-# one of these days, we will have port lists...
-alert tcp $EXTERNAL_NET any -> $HOME_NET 81 (msg:"WEB-MISC McAfee ePO file upload attempt"; flow:to_server,established; content:"/spipe/repl_file"; nocase; content:"Command=BEGIN"; nocase; reference:bugtraq,10200; reference:cve,2004-0038; classtype:attempted-admin; sid:2562; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cPanel resetpass access"; flow:to_server,established; uricontent:"/resetpass"; nocase; reference:bugtraq,9848; classtype:web-application-activity; sid:2569; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Invalid HTTP Version String"; flow:to_server,established; content:"HTTP/"; isdataat:6,relative; content:!"|0A|"; within:5; reference:bugtraq,9809; reference:nessus,11593; classtype:non-standard-protocol; sid:2570; rev:6;)
diff --git a/scripts/s2b/snort_rules2.2/web-php.rules b/scripts/s2b/snort_rules2.2/web-php.rules
deleted file mode 100644
index de9b4c68ee..0000000000
--- a/scripts/s2b/snort_rules2.2/web-php.rules
+++ /dev/null
@@ -1,142 +0,0 @@
-# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
-#    All rights reserved.
-# $Id: web-php.rules 91 2004-07-15 08:13:57Z rwinslow $
-#--------------
-# WEB-PHP RULES
-#--------------
-
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP bb_smilies.php access"; flow:to_server,established; uricontent:"/bb_smilies.php"; nocase; reference:url,www.securiteam.com/securitynews/Serious_security_hole_in_PHP-Nuke__bb_smilies_.html; classtype:web-application-activity; sid:1774; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP content-disposition memchr overflow"; flow:to_server,established; content:"Content-Disposition|3A|"; nocase; content:"name=|22 CC CC CC CC CC|"; reference:bugtraq,4183; reference:cve,2002-0081; classtype:web-application-attack; sid:1423; rev:12;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP content-disposition"; flow:to_server,established; content:"Content-Disposition|3A|"; nocase; content:"form-data|3B|"; reference:bugtraq,4183; reference:cve,2002-0081; classtype:web-application-attack; sid:1425; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP squirrel mail spell-check arbitrary command attempt"; flow:to_server,established; uricontent:"/squirrelspell/modules/check_me.mod.php"; nocase; content:"SQSPELL_APP["; nocase; reference:bugtraq,3952; classtype:web-application-attack; sid:1736; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP squirrel mail theme arbitrary command attempt"; flow:to_server,established; uricontent:"/left_main.php"; nocase; content:"cmdd="; reference:bugtraq,4385; reference:cve,2002-0516; classtype:web-application-attack; sid:1737; rev:6;)
-
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP DNSTools administrator authentication bypass attempt"; flow:to_server,established; uricontent:"/dnstools.php"; nocase; content:"user_logged_in=true"; nocase; content:"user_dnstools_administrator=true"; nocase; reference:bugtraq,4617; reference:cve,2002-0613; classtype:web-application-attack; sid:1739; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP DNSTools authentication bypass attempt"; flow:to_server,established; uricontent:"/dnstools.php"; nocase; content:"user_logged_in=true"; reference:bugtraq,4617; reference:cve,2002-0613; classtype:web-application-attack; sid:1740; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP DNSTools access"; flow:to_server,established; uricontent:"/dnstools.php"; nocase; reference:bugtraq,4617; reference:cve,2002-0613; classtype:web-application-activity; sid:1741; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Blahz-DNS dostuff.php modify user attempt"; flow:to_server,established; uricontent:"/dostuff.php?action=modify_user"; nocase; reference:bugtraq,4618; reference:cve,2002-0599; classtype:web-application-attack; sid:1742; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Blahz-DNS dostuff.php access"; flow:to_server,established; uricontent:"/dostuff.php"; nocase; reference:bugtraq,4618; reference:cve,2002-0599; classtype:web-application-activity; sid:1743; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Messagerie supp_membre.php access"; flow:to_server,established; uricontent:"/supp_membre.php"; nocase; reference:bugtraq,4635; classtype:web-application-activity; sid:1745; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP php.exe access"; flow:to_server,established; uricontent:"/php.exe"; nocase; reference:url,www.securitytracker.com/alerts/2002/Jan/1003104.html; classtype:web-application-activity; sid:1773; rev:3;)
-
-
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP directory.php arbitrary command attempt"; flow:to_server,established; uricontent:"/directory.php"; content:"dir="; content:"|3B|"; reference:bugtraq,4278; reference:cve,2002-0434; classtype:misc-attack; sid:1815; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP directory.php access"; flow:to_server,established; uricontent:"/directory.php"; reference:bugtraq,4278; reference:cve,2002-0434; classtype:misc-attack; sid:1816; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PHP-Wiki cross site scripting attempt"; flow:established,to_server; uricontent:"/modules.php?"; uricontent:"name=Wiki"; nocase; uricontent:"<script"; nocase; reference:bugtraq,5254; reference:cve,2002-1070; classtype:web-application-attack; sid:1834; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP phpbb quick-reply.php arbitrary command attempt"; flow:established,to_server; uricontent:"/quick-reply.php"; content:"phpbb_root_path="; distance:1; reference:bugtraq,6173; classtype:web-application-attack; sid:1967; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP phpbb quick-reply.php access"; flow:established,to_server; uricontent:"/quick-reply.php"; reference:bugtraq,6173; classtype:web-application-activity; sid:1968; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP read_body.php access attempt"; flow:established,to_server; uricontent:"/read_body.php"; reference:bugtraq,6302; reference:cve,2002-1341; classtype:web-application-activity; sid:1997; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP calendar.php access"; flow:established,to_server; uricontent:"/calendar.php"; reference:bugtraq,5820; reference:bugtraq,9353; reference:nessus,11179; classtype:web-application-activity; sid:1998; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP edit_image.php access"; flow:established,to_server; uricontent:"/edit_image.php"; reference:bugtraq,3288; reference:cve,2001-1020; reference:nessus,11104; classtype:web-application-activity; sid:1999; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP readmsg.php access"; flow:established,to_server; uricontent:"/readmsg.php"; reference:nessus,11073; classtype:web-application-activity; sid:2000; rev:1;)
-
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP remote include path"; flow:established,to_server; uricontent:".php"; content:"path="; pcre:"/page=(http|https|ftp)/i"; classtype:web-application-attack; sid:2002; rev:4;)
-
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum admin access"; flow:to_server,established; uricontent:"/admin.php3"; nocase; reference:arachnids,205; reference:bugtraq,2271; classtype:attempted-recon; sid:1134; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP piranha passwd.php3 access"; flow:to_server,established; uricontent:"/passwd.php3"; reference:arachnids,272; reference:bugtraq,1149; reference:cve,2000-0322; classtype:attempted-recon; sid:1161; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum read access"; flow:to_server,established; uricontent:"/read.php3"; nocase; reference:arachnids,208; classtype:attempted-recon; sid:1178; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum violation access"; flow:to_server,established; uricontent:"/violation.php3"; nocase; reference:arachnids,209; reference:bugtraq,2272; classtype:attempted-recon; sid:1179; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum code access"; flow:to_server,established; uricontent:"/code.php3"; nocase; reference:arachnids,207; classtype:attempted-recon; sid:1197; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP admin.php file upload attempt"; flow:to_server,established; uricontent:"/admin.php"; nocase; content:"file_name="; reference:bugtraq,3361; reference:cve,2001-1032; classtype:attempted-admin; sid:1300; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP admin.php access"; flow:to_server,established; uricontent:"/admin.php"; nocase; reference:bugtraq,3361; reference:bugtraq,7532; reference:bugtraq,9270; reference:cve,2001-1032; classtype:attempted-recon; sid:1301; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP smssend.php access"; flow:to_server,established; uricontent:"/smssend.php"; reference:bugtraq,3982; reference:cve,2002-0220; classtype:web-application-activity; sid:1407; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PHP-Nuke remote file include attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; content:"file="; pcre:"/file=(http|https|ftp)/i"; reference:bugtraq,3889; reference:cve,2002-0206; classtype:web-application-attack; sid:1399; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum /support/common.php attempt"; flow:to_server,established; uricontent:"/support/common.php"; content:"ForumLang=../"; classtype:web-application-attack; sid:1490; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum /support/common.php access"; flow:to_server,established; uricontent:"/support/common.php"; classtype:web-application-attack; sid:1491; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum authentication access"; flow:to_server,established; content:"PHP_AUTH_USER=boogieman"; nocase; reference:arachnids,206; reference:bugtraq,2274; classtype:attempted-recon; sid:1137; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP strings overflow"; flow:to_server,established; content:"|BA|I|FE FF FF F7 D2 B9 BF FF FF FF F7 D1|"; reference:arachnids,431; reference:bugtraq,802; classtype:web-application-attack; sid:1085; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP strings overflow"; flow:to_server,established; uricontent:"?STRENGUR"; reference:arachnids,430; reference:bugtraq,1786; reference:cve,2000-0967; classtype:web-application-attack; sid:1086; rev:12;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PHPLIB remote command attempt"; flow:to_server,established; content:"_PHPLIB[libdir]"; reference:bugtraq,3079; reference:cve,2001-1370; classtype:attempted-user; sid:1254; rev:8;)
-alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-PHP PHPLIB remote command attempt"; flow:to_server,established; uricontent:"/db_mysql.inc"; reference:bugtraq,3079; reference:cve,2001-1370; classtype:attempted-user; sid:1255; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Mambo uploadimage.php upload php file attempt"; flow:to_server,established; uricontent:"/uploadimage.php"; content:"userfile_name="; content:".php"; distance:1; reference:bugtraq,6572; classtype:web-application-attack; sid:2074; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Mambo upload.php upload php file attempt"; flow:to_server,established; uricontent:"/upload.php"; content:"userfile_name="; content:".php"; distance:1; reference:bugtraq,6572; classtype:web-application-attack; sid:2075; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Mambo uploadimage.php access"; flow:to_server,established; uricontent:"/uploadimage.php"; reference:bugtraq,6572; classtype:web-application-activity; sid:2076; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Mambo upload.php access"; flow:to_server,established; uricontent:"/upload.php"; reference:bugtraq,6572; classtype:web-application-activity; sid:2077; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP phpBB privmsg.php access"; flow:to_server,established; uricontent:"/privmsg.php"; reference:bugtraq,6634; classtype:web-application-activity; sid:2078; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP p-news.php access"; flow:to_server,established; uricontent:"/p-news.php"; reference:nessus,11669; classtype:web-application-activity; sid:2140; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP shoutbox.php directory traversal attempt"; flow:to_server,established; uricontent:"/shoutbox.php"; content:"conf="; content:"../"; distance:0; reference:nessus,11668; classtype:web-application-attack; sid:2141; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP shoutbox.php access"; flow:to_server,established; uricontent:"/shoutbox.php"; reference:nessus,11668; classtype:web-application-activity; sid:2142; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP b2 cafelog gm-2-b2.php remote file include attempt"; flow:to_server,established; uricontent:"/gm-2-b2.php"; content:"b2inc="; pcre:"/b2inc=(http|https|ftp)/i"; reference:nessus,11667; classtype:web-application-attack; sid:2143; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP b2 cafelog gm-2-b2.php access"; flow:to_server,established; uricontent:"/gm-2-b2.php"; reference:nessus,11667; classtype:web-application-activity; sid:2144; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP TextPortal admin.php default password admin attempt"; flow:to_server,established; uricontent:"/admin.php"; content:"op=admin_enter"; content:"password=admin"; reference:bugtraq,7673; reference:nessus,11660; classtype:web-application-activity; sid:2145; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP TextPortal admin.php default password 12345 attempt"; flow:to_server,established; uricontent:"/admin.php"; content:"op=admin_enter"; content:"password=12345"; reference:bugtraq,7673; reference:nessus,11660; classtype:web-application-activity; sid:2146; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP BLNews objects.inc.php4 remote file include attempt"; flow:to_server,established; uricontent:"/objects.inc.php4"; content:"Server[path]="; pcre:"/Server\x5bpath\x5d=(http|https|ftp)/"; reference:bugtraq,7677; reference:cve,2003-0394; reference:nessus,11647; classtype:web-application-attack; sid:2147; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP BLNews objects.inc.php4 access"; flow:to_server,established; uricontent:"/objects.inc.php4"; reference:bugtraq,7677; reference:cve,2003-0394; reference:nessus,11647; classtype:web-application-activity; sid:2148; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Turba status.php access"; flow:to_server,established; uricontent:"/turba/status.php"; reference:nessus,11646; classtype:web-application-activity; sid:2149; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP ttCMS header.php remote file include attempt"; flow:to_server,established; uricontent:"/admin/templates/header.php"; content:"admin_root="; pcre:"/admin_root=(http|https|ftp)/"; reference:bugtraq,7542; reference:bugtraq,7543; reference:bugtraq,7625; reference:nessus,11636; classtype:web-application-attack; sid:2150; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP ttCMS header.php access"; flow:to_server,established; uricontent:"/admin/templates/header.php"; reference:bugtraq,7542; reference:bugtraq,7543; reference:bugtraq,7625; reference:nessus,11636; classtype:web-application-activity; sid:2151; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP test.php access"; flow:to_server,established; uricontent:"/test.php"; reference:nessus,11617; classtype:web-application-activity; sid:2152; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP autohtml.php directory traversal attempt"; flow:to_server,established; uricontent:"/autohtml.php"; content:"name="; content:"../../"; distance:0; reference:nessus,11630; classtype:web-application-attack; sid:2153; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP autohtml.php access"; flow:to_server,established; uricontent:"/autohtml.php"; reference:nessus,11630; classtype:web-application-activity; sid:2154; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP ttforum remote file include attempt"; flow:to_server,established; uricontent:"forum/index.php"; content:"template="; pcre:"/template=(http|https|ftp)/i"; reference:bugtraq,7542; reference:bugtraq,7543; reference:nessus,11615; classtype:web-application-attack; sid:2155; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP pmachine remote file include attempt"; flow:to_server,established; uricontent:"lib.inc.php"; content:"pm_path="; pcre:"/pm_path=(http|https|ftp)/"; reference:bugtraq,7919; reference:nessus,11739; classtype:web-application-attack; sid:2226; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP forum_details.php access"; flow:to_server,established; uricontent:"forum_details.php"; reference:bugtraq,7933; reference:nessus,11760; classtype:web-application-attack; sid:2227; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP phpMyAdmin db_details_importdocsql.php access"; flow:to_server,established; uricontent:"db_details_importdocsql.php"; reference:bugtraq,7962; reference:bugtraq,7965; reference:nessus,11761; classtype:web-application-attack; sid:2228; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP viewtopic.php access"; flow:to_server,established; uricontent:"viewtopic.php"; reference:bugtraq,7979; reference:cve,2003-0486; reference:nessus,11767; classtype:web-application-attack; sid:2229; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP UpdateClasses.php access"; flow:to_server,established; uricontent:"/UpdateClasses.php"; nocase; reference:bugtraq,9057; classtype:web-application-activity; sid:2279; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Title.php access"; flow:to_server,established; uricontent:"/Title.php"; nocase; reference:bugtraq,9057; classtype:web-application-activity; sid:2280; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Setup.php access"; flow:to_server,established; uricontent:"/Setup.php"; nocase; reference:bugtraq,9057; classtype:web-application-activity; sid:2281; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP GlobalFunctions.php access"; flow:to_server,established; uricontent:"/GlobalFunctions.php"; nocase; reference:bugtraq,9057; classtype:web-application-activity; sid:2282; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP DatabaseFunctions.php access"; flow:to_server,established; uricontent:"/DatabaseFunctions.php"; nocase; reference:bugtraq,9057; classtype:web-application-activity; sid:2283; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP rolis guestbook remote file include attempt"; flow:to_server,established; uricontent:"/insert.inc.php"; nocase; content:"path="; reference:bugtraq,9057; classtype:web-application-attack; sid:2284; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP rolis guestbook access"; flow:to_server,established; uricontent:"/insert.inc.php"; nocase; reference:bugtraq,9057; classtype:web-application-activity; sid:2285; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP friends.php access"; flow:to_server,established; uricontent:"/friends.php"; nocase; reference:bugtraq,9088; classtype:web-application-activity; sid:2286; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_comment.php access"; flow:to_server,established; uricontent:"/admin_comment.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2287; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_edit.php access"; flow:to_server,established; uricontent:"/admin_edit.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2288; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_embed.php access"; flow:to_server,established; uricontent:"/admin_embed.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2289; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_help.php access"; flow:to_server,established; uricontent:"/admin_help.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2290; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_license.php access"; flow:to_server,established; uricontent:"/admin_license.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2291; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_logout.php access"; flow:to_server,established; uricontent:"/admin_logout.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2292; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_password.php access"; flow:to_server,established; uricontent:"/admin_password.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2293; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_preview.php access"; flow:to_server,established; uricontent:"/admin_preview.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2294; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_settings.php access"; flow:to_server,established; uricontent:"/admin_settings.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2295; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_stats.php access"; flow:to_server,established; uricontent:"/admin_stats.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2296; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_templates_misc.php access"; flow:to_server,established; uricontent:"/admin_templates_misc.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2297; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_templates.php access"; flow:to_server,established; uricontent:"/admin_templates.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2298; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_tpl_misc_new.php access"; flow:to_server,established; uricontent:"/admin_tpl_misc_new.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2299; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_tpl_new.php access"; flow:to_server,established; uricontent:"/admin_tpl_new.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2300; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll booth.php access"; flow:to_server,established; uricontent:"/booth.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2301; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll poll_ssi.php access"; flow:to_server,established; uricontent:"/poll_ssi.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2302; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll popup.php access"; flow:to_server,established; uricontent:"/popup.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2303; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP files.inc.php access"; flow:to_server,established; uricontent:"/files.inc.php"; nocase; reference:bugtraq,8910; classtype:web-application-activity; sid:2304; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP chatbox.php access"; flow:to_server,established; uricontent:"/chatbox.php"; nocase; reference:bugtraq,8930; classtype:web-application-activity; sid:2305; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP gallery remote file include attempt"; flow:to_server,established; uricontent:"/setup/"; content:"GALLERY_BASEDIR="; pcre:"/GALLERY_BASEDIR=(http|https|ftp)/i"; reference:bugtraq,8814; reference:nessus,11876; classtype:web-application-attack; sid:2306; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PayPal Storefront remote file include attemtp"; flow:to_server,established; content:"do=ext"; content:"page="; pcre:"/page=(http|https|ftp)/i"; reference:bugtraq,8791; reference:nessus,11873; classtype:web-application-attack; sid:2307; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP authentication_index.php access"; flow:to_server,established; uricontent:"/authentication_index.php"; nocase; reference:cve,2004-0032; reference:nessus,11982; classtype:web-application-activity; sid:2328; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP MatrikzGB privilege escalation attempt"; flow:to_server,established; content:"new_rights=admin"; nocase; reference:bugtraq,8430; classtype:web-application-activity; sid:2331; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP DCP-Portal remote file include attempt"; flow:to_server,established; uricontent:"/library/editor/editor.php"; nocase; content:"root="; reference:bugtraq,6525; classtype:web-application-attack; sid:2341; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP DCP-Portal remote file include attempt"; flow:to_server,established; uricontent:"/library/lib.php"; nocase; content:"root="; reference:bugtraq,6525; classtype:web-application-attack; sid:2342; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PhpGedView search.php access"; flow:to_server,established; uricontent:"/search.php"; nocase; uricontent:"action=soundex"; nocase; uricontent:"firstname="; nocase; reference:bugtraq,9369; reference:cve,2004-0032; classtype:web-application-activity; sid:2345; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP myPHPNuke chatheader.php access"; flow:to_server,established; uricontent:"/chatheader.php"; nocase; reference:bugtraq,6544; classtype:web-application-activity; sid:2346; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP myPHPNuke partner.php access"; flow:to_server,established; uricontent:"/partner.php"; nocase; reference:bugtraq,6544; classtype:web-application-activity; sid:2347; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP IdeaBox cord.php file include"; flow:to_server,established; uricontent:"/index.php"; nocase; content:"ideaDir"; nocase; content:"cord.php"; nocase; reference:bugtraq,7488; classtype:web-application-activity; sid:2353; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP IdeaBox notification.php file include"; flow:to_server,established; uricontent:"/index.php"; nocase; content:"gorumDir"; nocase; content:"notification.php"; nocase; reference:bugtraq,7488; classtype:web-application-activity; sid:2354; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Invision Board emailer.php file include"; flow:to_server,established; uricontent:"/ad_member.php"; nocase; content:"emailer.php"; nocase; reference:bugtraq,7204; classtype:web-application-activity; sid:2355; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP WebChat db_mysql.php file include"; flow:to_server,established; uricontent:"/defines.php"; nocase; content:"WEBCHATPATH"; nocase; content:"db_mysql.php"; nocase; reference:bugtraq,7000; classtype:web-application-attack; sid:2356; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP WebChat english.php file include"; flow:to_server,established; uricontent:"/defines.php"; nocase; content:"WEBCHATPATH"; nocase; content:"english.php"; nocase; reference:bugtraq,7000; classtype:web-application-attack; sid:2357; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Typo3 translations.php file include"; flow:to_server,established; uricontent:"/translations.php"; nocase; content:"ONLY"; nocase; reference:bugtraq,6984; classtype:web-application-attack; sid:2358; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Invision Board ipchat.php file include"; flow:to_server,established; uricontent:"/ipchat.php"; nocase; content:"root_path"; nocase; content:"conf_global.php"; nocase; reference:bugtraq,6976; classtype:web-application-attack; sid:2359; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP myphpPagetool pt_config.inc file include"; flow:to_server,established; uricontent:"/doc/admin"; nocase; content:"ptinclude"; nocase; content:"pt_config.inc"; nocase; reference:bugtraq,6744; classtype:web-application-attack; sid:2360; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP news.php file include"; flow:to_server,established; uricontent:"/news.php"; nocase; content:"template"; nocase; reference:bugtraq,6674; classtype:web-application-attack; sid:2361; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP YaBB SE packages.php file include"; flow:to_server,established; uricontent:"/packages.php"; nocase; content:"packer.php"; nocase; reference:bugtraq,6663; classtype:web-application-attack; sid:2362; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Cyboards default_header.php access"; flow:to_server,established; uricontent:"/default_header.php"; nocase; reference:bugtraq,6597; classtype:web-application-activity; sid:2363; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Cyboards options_form.php access"; flow:to_server,established; uricontent:"/options_form.php"; nocase; reference:bugtraq,6597; classtype:web-application-activity; sid:2364; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP newsPHP Language file include attempt"; flow:to_server,established; uricontent:"/nphpd.php"; nocase; content:"LangFile"; nocase; reference:bugtraq,8488; classtype:web-application-activity; sid:2365; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PhpGedView PGV authentication_index.php base directory manipulation attempt"; flow:to_server,established; uricontent:"/authentication_index.php"; nocase; content:"PGV_BASE_DIRECTORY"; nocase; reference:bugtraq,9368; reference:cve,2004-0030; classtype:web-application-attack; sid:2366; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PhpGedView PGV functions.php base directory manipulation attempt"; flow:to_server,established; uricontent:"/functions.php"; nocase; content:"PGV_BASE_DIRECTORY"; nocase; reference:bugtraq,9368; reference:cve,2004-0030; classtype:web-application-attack; sid:2367; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PhpGedView PGV config_gedcom.php base directory manipulation attempt"; flow:to_server,established; uricontent:"/config_gedcom.php"; nocase; content:"PGV_BASE_DIRECTORY"; nocase; reference:bugtraq,9368; reference:cve,2004-0030; classtype:web-application-attack; sid:2368; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Photopost PHP Pro showphoto.php access"; flow:to_server,established; uricontent:"/showphoto.php"; nocase; reference:bugtraq,9557; classtype:web-application-activity; sid:2372; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP /_admin access"; flow:to_server,established; uricontent:"/_admin/"; nocase; reference:bugtraq,9537; reference:nessus,12032; classtype:web-application-activity; sid:2393; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP WAnewsletter newsletter.php file include attempt"; flow:to_server,established; uricontent:"newsletter.php"; nocase; content:"waroot"; nocase; content:"start.php"; nocase; reference:bugtraq,6965; classtype:web-application-attack; sid:2398; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP WAnewsletter db_type.php access"; flow:to_server,established; uricontent:"/sql/db_type.php"; nocase; reference:bugtraq,6964; classtype:web-application-activity; sid:2399; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP phptest.php access"; flow:to_server,established; uricontent:"/phptest.php"; nocase; reference:bugtraq,9737; classtype:web-application-activity; sid:2405; rev:1;)
-
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP IGeneric Free Shopping Cart page.php access"; flow:to_server,established; uricontent:"/page.php"; nocase; reference:bugtraq,9773; classtype:web-application-activity; sid:2410; rev:2;)
-
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP modules.php access"; flow:to_server,established; uricontent:"/modules.php"; nocase; reference:bugtraq,9879; classtype:web-application-activity; sid:2565; rev:1;)
-
-
-
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PHPBB viewforum.php access"; flow:to_server,established; uricontent:"/viewforum.php"; nocase; reference:bugtraq,9866; classtype:web-application-activity; sid:2566; rev:1;)
-
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Opt-X header.php remote file include attempt"; flow:to_server,established; uricontent:"/header.php"; nocase; content:"systempath="; pcre:"/systempath=(http|https|ftp)/i"; reference:bugtraq,9732; classtype:web-application-attack; sid:2575; rev:1;)
diff --git a/scripts/s2b/snort_rules2.2/x11.rules b/scripts/s2b/snort_rules2.2/x11.rules
deleted file mode 100644
index 4647b99966..0000000000
--- a/scripts/s2b/snort_rules2.2/x11.rules
+++ /dev/null
@@ -1,9 +0,0 @@
-# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
-#    All rights reserved.
-# $Id: x11.rules 91 2004-07-15 08:13:57Z rwinslow $
-#----------
-# X11 RULES
-#----------
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 6000 (msg:"X11 MIT Magic Cookie detected"; flow:established; content:"MIT-MAGIC-COOKIE-1"; reference:arachnids,396; classtype:attempted-user; sid:1225; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 6000 (msg:"X11 xopen"; flow:established; content:"l|00 0B 00 00 00 00 00 00 00 00 00|"; reference:arachnids,395; classtype:unknown; sid:1226; rev:4;)
diff --git a/scripts/signature_scores b/scripts/signature_scores
deleted file mode 100644
index b49bdccec0..0000000000
--- a/scripts/signature_scores
+++ /dev/null
@@ -1,11 +0,0 @@
-sid-ciac-0	100
-sid-ciac-1	100
-sid-ciac-2	100
-sid-ciac-3	100
-sid-ciac-4	100
-sid-ciac-5	100
-sid-ciac-6	100
-sid-ciac-7	100
-sid-ciac-8	100
-bagle-bc	100
-_DEFAULT_		5
diff --git a/scripts/snort2bro/snort2bro b/scripts/snort2bro/snort2bro
deleted file mode 100644
index 237c8c9423..0000000000
--- a/scripts/snort2bro/snort2bro
+++ /dev/null
@@ -1,1023 +0,0 @@
-#! /usr/bin/env python
-#
-# $Header$
-
-import sys
-import re
-import getopt
-import os.path
-import struct
-
-# FIXME: Not all of the implemented Snort options are really tested...
-
-snortcmd       = re.compile( "(preprocessor|include|var|config|alert|log|pass|activate|dynamic|output)\s*:?\s*(.*)" )
-snortrule      = re.compile( "(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+\((.*)\)" )
-snortopt       = re.compile( r"([a-zA-Z_]+)\s*(:\s*(([^;]|(?<=\\);)+)|);" )
-
-snortipre      = "(\d+\.\d+\.\d+\.\d+(/\d+)?)"
-snortip        = re.compile( "(!)?%s" % snortipre )
-snortiplist    = re.compile( "(!)?\[(%s(,%s)*)\]" % ( snortipre,snortipre ) )
-snortport      = re.compile( "(!)?(\d+)" )
-snortportrange = re.compile( "(!)?(\d+)?:(\d+)?" )
-snortval       = re.compile( "([<>=!]?) *(\d+)" )
-snortvalrange  = re.compile( "(\d+)? *- *(\d+)?" )
-snortbytecode  = re.compile( r"\\\|\s*(([a-fA-F0-9]{2}\s*)+)\s*\\\|" ) # "|" are quoted when we do the match
-snorthex       = re.compile( "(..) *" )
-snortquote     = re.compile( r"\\(.)" )
-snortalpha     = re.compile( r"(\\x[a-fA-F0-9]{2}|[A-Za-z])" )
-snortrpc       = re.compile( r"((\d)+|\*) *, *((\d)+|\*) *, *((\d)+|\*)" )
-
-snortsid       = re.compile( "sid: *(\d+)" )
-
-# Mapping of Snort's variables to Bro's
-#     <snort> -> ( <bro>, <invert> )
-MapVars = {
-    "external_net": ( "local_nets", 1 ),
-    "home_net": ( "local_nets", 0 ),
-    "http_servers": ( "http_servers", 0 ),
-    "http_ports": ( "http_ports", 0 ),
-    "oracle_ports": ( "oracle_ports", 0 ),
-    "smtp_servers": ( "smtp_servers", 0 ),
-    "sql_servers": ( "sql_servers", 0 ),
-    "telnet_servers": ( "telnet_servers", 0 ),
-    "aim_servers": ( "aim_servers", 0 ),
-    "shellcode_ports": ( "non_shellcode_ports", 1 ),
-}
-
-# Mapping of variables to content
-SnortVars = {}
-
-# List of tuples (file,linenr) for all not fully processed input files:
-Inputs = []
-
-# Last input line read
-RawInputLine = ""
-
-# Counts Snort rules without SID
-UnknownCount = 0
-
-# There may be some rules for which it don't make sense to translate them. We ignore them.
-IgnoreSIDs = {}
-
-# Always include these signatures, even if they would be ignored with option -c.
-AlwaysIncludeSIDs = {}
-
-def error( str ):
-    if Inputs:
-        if RawInputLine:
-            print >>sys.stderr, ">>", RawInputLine,
-            if RawInputLine[-1] != "\n":
-                print >>sys.stderr
-        print >>sys.stderr, "Error in %s, line %d: %s" % ( Inputs[0][0].name, Inputs[0][1], str )
-
-    else:
-        print >>sys.stderr, "Error:", str
-    sys.exit( 1 )
-
-def warning( str ):
-    if Inputs:
-        if RawInputLine:
-            print >>sys.stderr, ">>", RawInputLine,
-            if RawInputLine[-1] != "\n":
-                print >>sys.stderr
-        print >>sys.stderr, "Warning in %s, line %d: %s" % ( Inputs[0][0].name, Inputs[0][1], str )
-    else:
-        print >>sys.stderr, "Warning:", str
-
-# Converts Snort-like globs into regexp chars
-def replaceGlobs( str ):
-    # Note that the globs are quoted when we see them here
-    # FIXME: If the original pattern contains a "\?" or "\*" it
-    # will be converted as well.
-    str = str.replace( "\\*", ".*" )
-    str = str.replace( "\\?", "." )
-    return str
-
-# Replaces Snort-like bytecodes by \x.. sequences
-def replaceByteCodes( str ):
-    return snortbytecode.sub( lambda bytecode: snorthex.sub( "\\x\\1", bytecode.group( 1 ) ), str )
-
-# Removes Snort's \ quotations
-def removeQuotes( str ):
-    return snortquote.sub( "\\1", str )
-
-# Quotes all '"'
-def quoteStr( str ):
-    return str.replace( "\"", "\\\"" )
-
-# Translates all alphabetical characters to case-insensitive classes
-def makeCaseInsensitive( str ):
-
-    def replaceby( match ):
-        s = match.group( 1 )
-        # Do not change hex codes
-        if s.startswith( "\\x" ):
-            return s
-        return "[%s%s]" % ( s.lower(), s.upper() )
-
-    str = snortalpha.sub( replaceby , str )
-    return str
-
-# Insert some special variants/character classes for URIs
-#     - "/ -> [/\]"
-def makeURIPattern( str ):
-    str = str.replace( "\\/", "[\\/\\\\]" )
-    return str
-
-# Escapes all regex control characters  so that it can be safely used as a regex
-def escapeCtrl( str ):
-    re = ""
-    for i in str:
-        if "^$|.*+?[](){}/\"\\".find( i ) >= 0:
-            i = "\\" + i
-        re += i
-    return re
-
-# Converts a Snort pattern into a RE
-# If icase==1, constructs an case-insensitive regex.
-# If uri==1, creates some special things for URIs (see above)
-# If glob==1, the pattern is a Snort-like "regex" glob
-# If negate==1, the pattern is negated
-# If neglen>0, it's the number of character which are *not* allowed to match the negated pattern
-#
-# FIXME: We should use a more sophisticated parser here
-#
-def patternToRE( str, icase, uri, globs, negate, neglen ):
-
-    if negate:
-        if patternLength( str ) > 1:
-            warning( "Can\'t negate patterns with more than one character" )
-            return "<willnevermatch>"
-        str = "[^%s]" % replaceByteCodes( escapeCtrl( str ) )
-
-        if neglen > 0:
-            return str + "{%d}" % neglen
-        else:
-            return str + "*"
-
-    str = removeQuotes( str )
-    str = escapeCtrl( str )
-    if globs:
-        str = replaceGlobs( str )
-    str = replaceByteCodes( str )
-
-    if uri:
-        str = makeURIPattern( str )
-
-    if icase:
-        str = makeCaseInsensitive( str )
-
-    return str
-
-# Counts the number chars in the Snort pattern
-def patternLength( str ):
-    str = removeQuotes( str )
-    str = escapeCtrl( str )
-    str = replaceByteCodes( str )
-
-    count = 0
-    esc = 0
-
-    for c in str:
-        if c == "\\" and not esc:
-            esc = 1
-            continue
-
-        if esc and c == "x":
-            count -= 2
-
-        esc = 0
-        count += 1
-
-    return count
-
-# Parse a Snort variable declaration
-def parseVar( decl ):
-    ( key, value ) = decl.split()
-    SnortVars[ "$"+key ] = value
-
-# Perform Snort's variable expansion
-def expandVars( str ):
-    for ( key, value ) in SnortVars.items():
-        str = str.replace( key, value )
-    return str
-
-# Parse Snort's rule options
-def parseRuleOptions( str ):
-
-    options = {}
-
-    m = snortopt.findall( str )
-
-    lastcontent = None
-    depth = distance = negate = nocase = offset = regex = within = -1
-
-    negpattern = -1
-
-#    print str
-
-    for ( b1, b2, b3, b4 ) in m:
-        if b2:
-            val = b3
-            if val[0] == "!":
-                negpattern = 1
-                val = val[1:]
-            if len( val ) >= 2:
-                if val[0] == '"' and val[-1] == '"':
-                    val = val[1:-1]
-        else:
-            val = ""
-
-        # Note that there may be more than one depth/offset per rule.
-        # Each depth/offset/regex affects exactly that content which precedes it.
-        # It's illegal to have a depth/offset/regex before a content.
-        # That is all undocumented.
-        # ... !@#$%^&* ...
-
-        option = b1.lower()
-
-        if option == "content":
-
-            if not lastcontent:
-                lastcontent = val
-                continue
-
-            oldval = val
-            val = ( lastcontent, depth, distance, negate, nocase, offset, regex, within )
-            depth = distance = negate = nocase = offset = regex = within = -1
-            negate = negpattern
-            lastcontent = oldval
-
-        elif option == "depth":
-            depth = int( val )
-            continue
-
-        elif option == "distance":
-            distance = int( val )
-            continue
-
-        elif option == "within":
-            within = int( val )
-            continue
-
-        elif option == "offset":
-            offset = int( val )
-            continue
-
-        elif option == "regex":
-            regex = 1
-            continue
-
-        elif option == "nocase":
-            nocase = 1
-            continue
-
-        try:
-            options[ option ] += [ val ]
-        except LookupError:
-            options[ option ] = [ val ]
-
-    if lastcontent:
-        try:
-            options[ "content" ] += [ ( lastcontent, depth, distance, negate, nocase, offset, regex, within ) ]
-        except LookupError:
-            options[ "content" ] = [ ( lastcontent, depth, distance, negate, nocase, offset, regex, within ) ]
-
-    return options
-
-# Parses a list of IPs in Snort's format
-def parseIP( ip ):
-
-    # See if it's an unexpanded var.
-    if ip.startswith( "$" ):
-        try:
-            ( brovar, neg ) = MapVars[ ip[1:] ]
-            return ( neg, [brovar] )
-        except LookupError:
-            error( "Unknown variable " + ip )
-
-    m = snortip.match( ip )
-    if m:
-        ips = ( m.group( 2 ), )
-    else:
-        m = snortiplist.match( ip )
-        if m:
-            ips = m.group( 2 ).split( "," )
-        else:
-            error( "Can\'t parse IP " + ip )
-
-    if m.group( 1 ) != "!":
-        return( 0, ips )
-    else:
-        return( 1, ips )
-
-# Parses a list of ports in Snort's format
-def parsePort( port ):
-
-    # See if it's an unexpanded var.
-    if port.startswith( "$" ):
-        try:
-            ( brovar, neg ) = MapVars[ port[1:] ]
-            return ( neg, brovar, brovar )
-        except LookupError:
-            error( "Unknown variable " + port )
-
-    m = snortportrange.match( port )
-    if m:
-        try:
-            min = int( m.group( 2 ) )
-        except TypeError:
-            min = 0
-        try:
-            max = int( m.group( 3 ) )
-        except TypeError:
-            max = 65535
-    else:
-        m = snortport.match( port )
-        if m:
-            min = max = int( m.group( 2 ) )
-        else:
-            error( "Can\'t parse port " + port )
-
-    if m.group( 1 ) != "!":
-        return( 0, min, max )
-    else:
-        return( 1, min, max )
-
-######
-
-# Convert the common head of a Snort rule
-def convertHead( prot, srcip, srcport, dstip, dstport ):
-
-    rule = ""
-
-    # Convert IP protocol
-    if prot.lower() != "ip":
-	rule += "  ip-proto == %s\n" % prot.lower()
-
-    # Convert IPs
-    for ( tag, ip ) in ( ( "src-ip", srcip ), ( "dst-ip", dstip ) ):
-        if ip != "any":
-            ( negate, iplist ) = parseIP( ip )
-            if not negate:
-                cmp = "=="
-            else:
-                cmp = "!="
-
-            rule += "  %s %s %s\n" % ( tag, cmp, ",".join( iplist ) )
-
-    # Convert Ports
-    for ( tag, port ) in ( ( "src-port", srcport ), ( "dst-port", dstport ) ):
-        if port != "any":
-            ( negate, min, max ) = parsePort( port )
-            if min == max:
-                if not negate:
-                    cmp = "=="
-                else:
-                    cmp = "!="
-                rule += "  %s %s %s\n" % ( tag, cmp, min )
-            else:
-                if not negate:
-                    cmp1 = ">="
-                    cmp2 = "<="
-                else:
-                    cmp1 = "<"
-                    cmp2 = ">"
-
-                rule += "  %s %s %s\n" % ( tag, cmp1, min )
-                rule += "  %s %s %s\n" % ( tag, cmp2, max )
-
-    return rule
-
-# Converts one of Snort's bit strings (like "A+" for "flags")
-def convertBitSet( str, bitspecs, hdrfield, fieldmask ):
-
-    # Split into flags and mask
-    parts = str.split(",")
-    if len(parts) > 1:
-        ( str, snortmask ) = parts
-        # FIXME: We ignore the mask for now. This would again need some
-        # digging in Snort's source as I don't really understand what they
-        # are doing...
-        
-    # This is not strictly Snort conforming but works as long as the
-    # flag string is not ambigious.
-
-    type = ""
-    mask = 0
-    for c in str:
-        if "+!*".find( c ) >= 0:
-            type = c
-            continue
-        try:
-            mask |= bitspecs[c]
-        except LookupError:
-            error( "Unknown bit in \"%s\"" % str )
-
-    if type == "":
-        # Snort's default is check for equality (undocumented)
-        rule = "  %s & %d == %d\n" % ( hdrfield, fieldmask, mask )
-    if type == "+":
-        rule = "  %s & %d == %d\n" % ( hdrfield, ( mask | fieldmask ), mask )
-    if type == "*":
-        rule = "  %s & %d != 0\n" % ( hdrfield, ( mask | fieldmask ) )
-    if type == "!":
-        rule = "  %s & %d == 0\n" % ( hdrfield, ( mask | fieldmask ) )
-
-    return rule
-
-# Converts a test for a value which may include some range (e.g. "<5", "21-42")
-def convertVal( str, hdrfield ):
-
-    m = snortvalrange.match( str )
-    if m:
-        try:
-            min = int( m.group( 1 ) )
-        except TypeError:
-            min = 0
-        try:
-            max = int( m.group( 2 ) )
-        except TypeError:
-            max = -1
-
-        rule = ""
-        if min > 0:
-            rule += "  %s >= %d\n" % ( hdrfield, min )
-        if min >= 0:
-            rule += "  %s <= %d\n" % ( hdrfield, max )
-        return rule
-
-    m = snortval.match( str )
-    if m:
-        val = int( m.group( 2 ) )
-        cmp = m.group( 1 )
-
-        if cmp == "<" or cmp == ">":
-            return "  %s %s %d\n" % ( hdrfield, cmp, val )
-        if cmp == "!":
-            return "  %s != %d\n" % ( hdrfield, val )
-        if cmp == "" or cmp == "=":
-            return "  %s == %d\n" % ( hdrfield, val )
-
-    error( "Can\'t parse value \"%s\"" % str )
-
-# Convert one value of the RPC triple into a RE
-def convertRPCVal( str ):
-    if str == "*":
-        return "."
-    else:
-        # Convert value to hex pattern in network bye order
-        val = struct.pack( "!I", int( str ) )
-        return ( "\\x%02x" * 4 ) % struct.unpack( "BBBB", val )
-
-# Sanity check to see if the two protocols match
-def checkProt( testprot, option, ruleprot ):
-    if testprot != ruleprot:
-        error( "Option \"%s\" only valid for %s rules" % ( option, testprot.upper() ) )
-
-def convertOptions( options, prot ):
-
-    global IsPayloadRule
-    
-    rule = ""
-    payloads = []
-
-    for ( key, vallist ) in options.items():
-
-        if key == "ack":
-            checkProt( "tcp", key, prot )
-            rule += "  header tcp[8:4] == %d\n" % int( vallist[0] )
-
-        elif key == "classtype":
-            pass
-
-        elif key == "content":
-
-           IsPayloadRule = 1
-           
-           for i in range( len( vallist ) ):
-
-                ( content, depth, distance, negate, nocase, offset, regex, within ) = vallist[i]
-
-                # Special case: If have we have a payload size which equals the size of the pattern,
-                # the payload has to match exactly
-
-                prefix = ".*"
-
-                if "dsize" in options.keys():
-                    try:
-                        if patternLength( content ) == int( options["dsize"][0] ):
-                            prefix = ""
-                    except ValueError:
-                        # dsize is something which contains a range; do nothing as
-                        # it's just an optimization after all
-                        pass
-
-                realdepth = depth;
-                realoffset = offset;
-
-                maxdist = 1
-
-                if depth >= 0:
-                    realdepth -= patternLength( content )
-
-                if offset >= 0:
-                    realoffset -= 1
-                    maxdist = 0
-
-                if offset >= 0 and depth >= 0:
-                    realdepth -= offset
-                    maxdist = 1
-
-                if within >= 0:
-                    realdepth += within - patternLength( content ) + 1
-
-                if distance >= 0:
-                    realoffset += distance + 1
-                    maxdist = 0
-
-                if within >= 0 and distance >= 0:
-                    maxdist = 1
-
-                if realdepth < 0 and realoffset <= 0:
-                    re = prefix
-                else:
-                    re = ""
-
-                if realdepth < 0:
-                    realdepth = -1
-
-                if realoffset > 0:
-                    if maxdist:
-                        re += ".{%d}" % realoffset
-                    else:
-                        re += ".{%d}.*" % realoffset
-                elif realoffset == 0 and not maxdist:
-                        re += ".*"
-
-                if realdepth > 0 and negate < 0:
-                    re += ".{0,%d}" % realdepth
-                    maxdist = 1
-
-                re += patternToRE( content, nocase >= 0, 0, regex >= 0, negate >= 0, realdepth + 1 )
-
-                if distance >= 0 or within >= 0:
-                    try:
-                        payloads[-1] += re
-                    except LookupError:
-                        payloads = [ re ]
-                else:
-                    payloads += [ re ]
-
-                if REFile:
-                    print >>REFile, re
-                if PatternFile:
-                    print >>PatternFile, val
-
-        elif key == "depth":
-            # Ignore it here; we test for it when handling content
-            pass
-
-        elif key == "distance":
-            # Ignore it here; we test for it when handling content
-            pass
-
-        elif key == "dsize":
-            rule += convertVal( vallist[0], "payload-size" )
-            pass
-
-        elif key == "flags":
-            checkProt( "tcp", key, prot )
-
-            TCPFlags =  { "F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
-                          "A": 0x10, "U": 0x20, "2": 0x40, "1": 0x80, "0": 0x00 }
-            rule += convertBitSet( "".join( vallist ), TCPFlags, "header tcp[13:1]", 0xff )
-
-        elif key == "flow":
-            checkProt( "tcp", key, prot )
-
-            Flows = { "established" : "established",
-                      "to_server" : "originator",
-                      "to_client" : "responder",
-                      "from_server" : "responder",
-                      "from_client" : "originator",
-                      "state_less" : "state_less"
-                      }
-
-            tcpstate = []
-            for val in vallist:
-                for ( snort, bro ) in Flows.items():
-                    if val.find( snort.lower() ) >= 0:
-                        tcpstate += ( bro, )
-            if tcpstate:
-                rule += "  tcp-state %s\n" % ",".join( tcpstate )
-
-        elif key == "fragbits":
-            FragFlags = { "M": 0x20, "D": 0x40, "R": 0x80 }
-            rule += convertBitSet( "".join( vallist ), FragFlags, "header ip[6:1]", 0xe0 )
-
-        elif key == "icmp_seq":
-            checkProt( "icmp", key, prot )
-            # Check if it's an ECHO or ECHO_REPLY packet
-            # Note Snort's undocumented behaviour: It does check REPLYs
-            # as well, and it does not check the ICMP code
-            rule += "  header icmp[0:1] == 0,8\n"
-            rule += "  header icmp[6:2] == %d\n" % int( vallist[0] )
-
-        elif key == "icmp_id":
-            checkProt( "icmp", key, prot )
-            # Check if it's an ECHO or ECHO_REPLY packet
-            # Note Snort's undocumented behaviour: It does check REPLYs
-            # as well, and it does not check the ICMP code
-            rule += "  header icmp[0:1] == 0,8\n"
-            rule += "  header icmp[4:2] == %d\n" % int( vallist[0] )
-
-        elif key == "icode":
-            checkProt( "icmp", key, prot )
-            rule += "  header icmp[1:1] == %d\n" % int( vallist[0] )
-
-        elif key == "id":
-            rule += "  header ip[4:2] == %d\n" % int( vallist[0] )
-
-        elif key == "ip_proto":
-            rule += convertVal( vallist[0], "header ip[9:1]" )
-
-        elif key == "ipopts":
-            rule += "  ip-options %s\n" % ",".join( vallist ).lower()
-
-        elif key == "itype":
-            checkProt( "icmp", key, prot )
-            rule += "  header icmp[0:1] == %d\n" % int( vallist[0] )
-
-        elif key == "msg":
-            rule += "  event \"%s\"\n" % quoteStr( removeQuotes( " ".join( vallist ) ) )
-
-        elif key == "nocase":
-            # Ignore it here; we test for it when handling content
-            pass
-
-        elif key == "offset":
-            # Ignore it here; we test for it when handling content
-            pass
-
-        elif key == "rawbytes":
-            # We can ignore this as we're always matching raw bytes.
-            pass
-        
-        elif key == "ref":
-            pass
-
-        elif key == "reference":
-            pass
-
-        elif key == "regex":
-            pass
-
-        elif key == "rev":
-            pass
-
-        elif key == "rpc":
-            m = snortrpc.match( vallist[0] )
-            if not m:
-                error( "Can\'t parse RPC values" )
-            ( app, proc, version ) = ( m.group( 1 ), m.group( 3 ), m.group( 5 ) )
-
-            # The Snort rule set has only explicit UDP/TCP rules containg
-            # "rpc" but no general IP rules. So we use the rule type
-            # to decide whether we check for UDP- or TCP-style RPC
-            #
-            # Snort only looks at calls, but not on replies (undocumented)
-            # Snort validates the RPC_MSG_VERSION (undocumented)
-            if prot == "udp":
-                off = 7
-            else:
-                checkProt( "tcp", key, prot )
-                off = 11
-
-            # RPC version == 2, Call == 1 \
-            rule += "  payload /" + ( "." * off ) \
-                    + "\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x01"  \
-                    + convertRPCVal( app ) + convertRPCVal( version ) + convertRPCVal( proc ) \
-                    + "/\n"
-
-        elif key == "sameip":
-            rule += "  same-ip\n"
-
-        elif key == "seq":
-            checkProt( "tcp", key, prot )
-            rule += "  header tcp[4:4] == %d\n" % int( vallist[0] )
-
-        elif key == "sid":
-            pass
-        
-        elif key == "tag":
-            # In Snort, this capture packets of session/host for later analysis.
-            # Unsupported for now, but we could come up with something similar
-            # by passing it on to set_record_contents(). Doesn't affect the
-            # matching, though.
-            pass
-
-        elif key == "ttl":
-            rule += convertVal( vallist[0], "header ip[8:1]" )
-            pass
-
-        elif key == "uricontent":
-            
-           IsPayloadRule = 1            
-            
-           for val in vallist:
-#                if ALTERNATIVE_PATTERNS:
-#                    re = "(|.*\\r\\n\\r\\n)(GET|HEAD|POST) *[^\\n]*%s" % patternToRE( val, "nocase" in options.keys(), 1, 0 )
-#                else:
-#                    re = "(GET|HEAD|POST) *[^\\n]*%s" % patternToRE( val, "nocase" in options.keys(), 1, 0 )
-#
-#                rule += "  payload /%s/\n" % re
-
-                if ALTERNATIVE_PATTERNS:
-                    re = "(|.*\\r\\n\\r\\n)(GET|HEAD|POST) *[^\\n]*%s" % patternToRE( val, "nocase" in options.keys(), 1, 0, 0, 0 )
-                    rule += "  payload /%s/\n" % re
-                else:
-                    re = ".*%s" % patternToRE( val, "nocase" in options.keys(), 1, 0, 0, 0 )
-                    rule += "  http /%s/\n" % re
-
-
-
-                if REFile:
-                    print >>REFile, re
-                if PatternFile:
-                    print >>PatternFile, val
-
-        elif key == "within":
-            # Ignore it here; we test for it when handling content
-            pass
-
-        else:
-            warning( "Option '%s' not supported currently; ignored" % key )
-            rule += "  # Not supported: %s: %s\n" % ( key, ",".join( vallist ) )
-
-    for p in payloads:
-        rule += "  payload /%s/\n" % p
-
-    return rule
-
-def parseAlert( rule ):
-
-    global UnknownCount
-    global IsPayloadRule
-
-    IsPayloadRule = 0
-    
-    m = snortrule.match( rule )
-    if not m:
-        error( "Can\'t parse alert rule" )
-
-    fields = m.groups()
-
-    ( prot, srcip, srcport, dir, dstip, dstport ) = map( lambda s: s.lower(), fields[0:6] )
-
-    options = parseRuleOptions( fields[6] )
-
-    try:
-        sid = options["sid"][0]
-        try:
-            if int( sid ) in  IgnoreSIDs:
-                return
-            id = "sid-" + sid
-        except ValueError:
-            id = sid
-
-    except LookupError:
-        id = "sid-unknown-%d" % UnknownCount
-        UnknownCount += 1
-
-    try:
-        # Create rules depending on the direction; for "<>" we simply create
-        # two rules
-
-        if dir == "<>":
-            id1 = id + "-a"
-            id2 = id + "-b"
-        else:
-            id1 = id2 = id
-
-        if dir != "->":
-            rule = "signature %s {\n" % id1
-            rule += convertHead( prot, dstip, dstport, srcip, srcport )
-            rule += convertOptions( options, prot )
-            
-            if not PAYLOAD_ONLY or IsPayloadRule or id in AlwaysIncludeSIDs:
-                print rule + "  }\n"
-
-        if dir != "<-":
-            rule = "signature %s {\n" % id2
-            rule += convertHead( prot, srcip, srcport, dstip, dstport )
-            rule += convertOptions( options, prot )
-            
-            if not PAYLOAD_ONLY or IsPayloadRule or id in AlwaysIncludeSIDs:
-                print rule + "  }\n"
-
-    except LookupError, e:
-        error( "Can\'t convert rule: " + str( e ) )
-
-#### Main
-
-# Use some alternative patterns
-ALTERNATIVE_PATTERNS = 0
-# If PatternFile is a file, all content/uricontent patterns are written to it
-PatternFile = 0
-# If REFile is a file, all REs generated from content/uricontent patterns are written to it
-REFile = 0
-# Directories where to look for include's
-INCPATH = [ "./" ]
-# Only include signatures which match contain payload/uricontent
-# (Exceptions can be defined in AlwaysIncludeSIDs)
-PAYLOAD_ONLY = 0
-
-# Number of Snort rules to output (no conversion to Bro format)
-SnortRules = -1
-
-# Total number of rules
-TotalRules = 0
-
-def openInputFile( filename ):
-
-    for i in INCPATH:
-        try:
-            fullpath =  os.path.join( i, filename )
-            file = open( fullpath )
-            print >>sys.stderr, "Reading", fullpath
-            return file
-        except IOError:
-            pass
-
-    error( "Can\'t find file %s" % filename )
-
-def ReadConfig( file ):
-    
-    try:
-        cfg = open( arg )
-        for line in cfg:
-            
-            line = line.strip()
-            if len( line ) == 0 or line.startswith("#"):
-                continue
-
-            try:
-                ( action, sid ) = line.split()
-                sid = int( sid )
-            except ValueError:
-                print >>sys.stderr, "Warning: illegal format '%s'" % line
-                continue
-            
-            if action == "ignore":
-                IgnoreSIDs[sid] = 1
-
-            if action == "include":
-                AlwaysIncludeSIDs[sid] = 1
-                
-    except IOError:
-        print >>sys.stderr, "Warning: Can't read config file %s" % arg
-                
-def usage():
-    print >>sys.stderr
-    print >>sys.stderr, "Usage: snort2bro [<options>] [<snort-files>] "
-    print >>sys.stderr
-    print >>sys.stderr, "  Options:"
-    print >>sys.stderr
-    print >>sys.stderr, "    -c <file>: File containing signature in-/excludes"
-    print >>sys.stderr, "    -p       : Only include signatures which match on payload"
-    print >>sys.stderr, "    -I <dir> : Add dir to search path for Snort\'s include statement"
-    print >>sys.stderr
-    print >>sys.stderr, "    -P       : Write all patterns to patterns.txt and "
-    print >>sys.stderr, "               all generared REs to res.txt"
-    print >>sys.stderr, "    -S <n>   : No conversion; just print out one big Snort config file"
-    print >>sys.stderr, "               containing the first <n> rules"
-    print >>sys.stderr, "    -X       : Produce some alternate REs"
-
-    print >>sys.stderr
-    sys.exit( 1 )
-
-try:
-    options, rest = getopt.getopt( sys.argv[1:], "XPI:S:pc:" )
-except:
-    usage()
-
-for( opt, arg ) in options:
-    if opt == "-X":
-        ALTERNATIVE_PATTERNS = 1
-
-    if opt == "-P":
-        PatternFile = open( "patterns.txt", "w" );
-        REFile = open( "res.txt", "w" );
-
-    if opt == "-I":
-        INCPATH += [ arg, ]
-
-    if opt == "-S":
-        SnortRules = int( arg )
-
-    if opt == "-p":
-        PAYLOAD_ONLY = 1
-
-    if opt == "-c":
-        ReadConfig( arg )
-        
-if len( rest ):
-    Inputs = [ ( openInputFile( file ), 0 ) for file in rest ]
-else:
-    Inputs = [ ( sys.stdin, 0 ) ]
-
-continued = False
-
-while Inputs:
-
-    if not continued:
-        line = ""
-    
-    RawInputLine = Inputs[0][0].readline()
-    if not RawInputLine:
-        Inputs = Inputs[1:]
-        continue
-
-    single_line = RawInputLine.strip()
-    
-    # Increase line count
-    Inputs[0] = ( Inputs[0][0], Inputs[0][1] + 1 )
-
-    # Continuation of lines
-    if single_line.endswith("\\"):
-        line += single_line[:-1]
-        continued = True
-        continue
-
-    line += single_line
-    continued = False
-
-    # Empty or comments
-    if not line or line.startswith( '#' ):
-        continue
-            
-    line = expandVars( line )
-
-    m = snortcmd.match( line )
-    if not m:
-        error( "Can\'t parse line " + line )
-
-    cmd = m.group( 1 )
-    args = m.group( 2 )
-
-    if cmd == "include":
-        Inputs = [ ( openInputFile( args ), 0 ) ] + Inputs
-        continue
-
-    if cmd == "var":
-        parseVar( args )
-
-    if cmd == "alert":
-        TotalRules += 1
-
-    if SnortRules >= 0:
-
-        noprint = 0
-
-        if cmd == "alert":
-
-            for i in IgnoreSIDs:
-                m = snortsid.search( args )
-                if m and int( m.group( 1 ) ) == i:
-                    noprint = 1
-                    
-            if SnortRules == 0:
-                noprint = 1
-
-            if not noprint:
-                SnortRules -= 1
-
-        if not noprint:
-            print RawInputLine,
-
-        continue
-
-    if cmd == "var":
-        continue
-
-    if cmd == "alert":
-        parseAlert( args )
-        continue
-
-    if cmd == "output":
-        continue
-
-    if cmd == "preprocessor":
-        continue
-
-    if cmd == "config":
-        # FIXME: Should we convert this to Bro?
-        continue
-
-    warning( "'%s' is not supported yet; line ignored." % cmd )
-
-
-# Options -S returns the number of rules as exit code
-if SnortRules >= 0:
-    print >>sys.stderr, TotalRules
diff --git a/scripts/snort2bro/snort2bro.cfg b/scripts/snort2bro/snort2bro.cfg
deleted file mode 100644
index 8f929c7b5b..0000000000
--- a/scripts/snort2bro/snort2bro.cfg
+++ /dev/null
@@ -1,15 +0,0 @@
-# $Id: snort2bro.cfg 80 2004-07-14 20:15:50Z jason $
-#
-# An example of an input file to use with snort2bro's -c <file> option.
-#
-# Format:
-#        ignore <sid>       Always skip this signature.
-#        include <sid>      Always include this signature.
-
-# sid-526 BAD TRAFFIC data in TCP SYN packet 
-ignore	526 
-
-# sid-623 matches a null-flags stealth scan.  Include it even
-# if we build with -p, since it doesn't tend to generate any
-# false positives.
-include	623
diff --git a/scripts/spot-trace b/scripts/spot-trace
deleted file mode 100755
index ac8a8f6c73..0000000000
--- a/scripts/spot-trace
+++ /dev/null
@@ -1,146 +0,0 @@
-#!/usr/bin/perl
-require 5.002;
-use Cwd;
-use File::Basename;
-use Getopt::Std;
-
-$ENV{'PATH'} = "/bin:/usr/bin:/usr/local/sbin";
-
-my($req_file, $req_name, $req_path, $req_filter);
-my($trace_number, $trace_pid, $trace_path, $trace_filter);
-
-getopts('kqPF') or die __FILE__, " [-kqPF] [<path>]<name> [<filter>]\n";
-$req_file = shift or die "missing argument: <name>\n",
-                         __FILE__, " [-kqPF] [<path>]<name> [<filter>]\n";
-($req_name, $req_path) = fileparse($req_file);
-if ($req_name ne $req_file) {
-  chdir $req_path;
-  $req_path = cwd."/";
-} else {
-  $req_path = "";
-}
-$req_filter = join " ", @ARGV;
-
-($trace_number, $trace_pid, $trace_path, $trace_filter) = scan_ps($req_name);
-
-if ($trace_number) {
-  if ($opt_k) {
-    kill('TERM', $trace_pid) or
-      die __FILE__, ": couldn't kill ", $trace_pid, "\n";
-    $opt_q or print STDERR "killed ", $trace_pid, "\n";
-    exit;
-  }
-  $req_path = $trace_path unless ($req_path);
-  if ($req_path ne $trace_path) {
-    if ($opt_P) {
-      $opt_q or print STDERR "changing path from: ", $trace_path,
-                             "\nto: ", $req_path, "\n";
-    } else {
-      die __FILE__, ": paths don't match\n",
-          $req_path, " != ", $trace_path, "\n";
-    }
-  }
-  $req_filter = $trace_filter unless ($req_filter);
-  if ($req_filter ne $trace_filter) {
-    if ($opt_F) {
-      $opt_q or print STDERR "changing filter from:\n", $trace_filter,
-                             "\nto:\n", $req_filter, "\n";
-    } else {
-      die __FILE__, ": filters don't match\n",
-          $req_filter, "\n!=\n", $trace_filter, "\n";
-    }
-  }
-  start_trace($req_path, $req_name, ++$trace_number, $req_filter);
-  kill('TERM', $trace_pid) or
-    die __FILE__, ": couldn't kill ", $trace_pid, "\n";
-} else {
-  die __FILE__, ": no such trace as ", $req_name, "\n" if ($opt_k);
-  $req_path = cwd."/" unless ($req_path);
-  $req_filter or die __FILE__, ": no filter specified\n";
-  start_trace($req_path, $req_name, 1, $req_filter);
-}
-
-# scan_ps <trace name>
-#   returns (<trace number>, <trace PID>, <trace path>, <trace filter>)
-#
-#   runs ps looking for a trace running with the given name.  If none is
-#   found <trace number> returns 0.  Otherwise the process info is
-#   returned.  If mor than one trace with the given name are found, the
-#   program terminates with an error.
-#
-sub scan_ps {
-  my($trace_name) = @_;
-
-  my($trace_number, $trace_filter, $trace_pid, $trace_path);
-  my($ps_pid, $ps_tt, $ps_stat, $ps_time,
-     $ps_cmd, $ps_cmd1, $ps_cmd2, $ps_cmd3, $ps_cmd4, $ps_filter);
-  my($ps_name, $ps_path, $ps_suffix);
-  
-  open PS, "ps -axww |" or die __FILE__, ": can't run ps\n";
-  while (<PS>) {
-    ($ps_pid, $ps_tt, $ps_stat, $ps_time,
-     $ps_cmd, $ps_cmd1, $ps_cmd2, $ps_cmd3, $ps_cmd4, $ps_cmd5, $ps_cmd6, $ps_filter) =
-       split(" ", $_, 12);
-    if ($ps_cmd eq "tcpdump" && $ps_cmd3 eq "-w" &&
-        $ps_cmd5 eq "-s" && $ps_cmd6 == "8192") {
-      $ps_cmd6 = 0;
-      ($ps_name, $ps_path, $ps_suffix) = fileparse($ps_cmd4, '-\d+\.trace');
-      if ($ps_name eq $trace_name && $ps_suffix =~ /-(\d+)\.trace/) {
-        if ($trace_pid) {
-          die __FILE__, ": more than one $trace_name trace running\n";
-        }
-        $trace_number = $1;
-        $trace_filter = $ps_filter;
-        chomp $trace_filter;
-        $trace_pid = $ps_pid;
-        $trace_path = $ps_path;
-      }
-    }
-  }
-  return ($trace_number, $trace_pid, $trace_path, $trace_filter);
-}
-
-# start_trace <path>, <name>, <number>, <filter>
-#
-#   fork off a new process running this trace.  Nothing is returned.
-#   Any failure terminates the program.
-#
-sub start_trace {
-  my($path, $name, $number, $filter) = @_;
-
-  my($pid);
-
-  $number = next_file($path, $name, $number, ".trace", ".out");
-  $opt_q or print STDERR "starting ", $path.$name."-".$number, "\n";
-  if ($pid = fork) {
-    sleep 3;
-    unless ($opt_q) {
-      open OUTFILE, $path.$name."-".$number.".out" or
-        die __FILE__, ": no ", $path.$name."-".$number.".out\n";
-      print <OUTFILE>;
-      close OUTFILE;
-    }
-    return;
-  } elsif (defined $pid) {
-    exec "/bin/sh", "-c", "tcpdump -i em0 -w ".$path.$name."-".$number.".trace -s 8192 '".$filter.
-         "' > ".$path.$name."-".$number.".out 2>&1 &";
-    die __FILE__, ": couldn't exec\n";
-  } else {
-    die __FILE__, ": couldn't fork\n";
-  }
-}
-
-# next_file <path>, <name>, <number>, <suffix>...
-#   returns <number>
-#
-#   searches for a number (beginning with the target number) for which
-#   no files of the form <path><name>-<number><suffix> exists.
-#   As many suffixes as needed can be passed in.  The resulting number
-#   is returned.
-#
-sub next_file {
-  my($path, $name, $number, @suffixes) = @_;
-
-  ++$number until grep (-e $path.$name."-".$number.$_, @suffixes) == 0;
-  return $number;
-}
diff --git a/scripts/start-capture-all b/scripts/start-capture-all
deleted file mode 100755
index b45f23c078..0000000000
--- a/scripts/start-capture-all
+++ /dev/null
@@ -1,19 +0,0 @@
-#!/bin/csh -f
-#
-# usage start-capture-all filename
-#
-#  e.g.: start-capture-all /usr/local/bro/bulk-trace/bulk
-#
-# this will generate a trace with file name filename-N
-#
-# note: if you run this script repeatedly with the same filename, 
-# spot-trace will kill the old instance, and start a new 
-# instance with file filename-N+1
-#
-
-# capture everything
-spot-trace $* all 'tcp and udp'
-
-# capture everything but HTTP
-#spot-trace $* all 'not tcp port 80'
-
diff --git a/shtool b/shtool
deleted file mode 100755
index 4c1a7396fd..0000000000
--- a/shtool
+++ /dev/null
@@ -1,716 +0,0 @@
-#!/bin/sh
-##
-##  GNU shtool -- The GNU Portable Shell Tool
-##  Copyright (c) 1994-2000 Ralf S. Engelschall <rse@engelschall.com>
-##
-##  See http://www.gnu.org/software/shtool/ for more information.
-##  See ftp://ftp.gnu.org/gnu/shtool/ for latest version.
-##
-##  Version 1.4.9 (16-Apr-2000)
-##  Ingredients: 3/17 available modules
-##
-
-##
-##  This program is free software; you can redistribute it and/or modify
-##  it under the terms of the GNU General Public License as published by
-##  the Free Software Foundation; either version 2 of the License, or
-##  (at your option) any later version.
-##
-##  This program is distributed in the hope that it will be useful,
-##  but WITHOUT ANY WARRANTY; without even the implied warranty of
-##  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-##  General Public License for more details.
-##
-##  You should have received a copy of the GNU General Public License
-##  along with this program; if not, write to the Free Software
-##  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
-##  USA, or contact Ralf S. Engelschall <rse@engelschall.com>.
-##
-##  Notice: Given that you include this file verbatim into your own
-##  source tree, you are justified in saying that it remains separate
-##  from your package, and that this way you are simply just using GNU
-##  shtool. So, in this situation, there is no requirement that your
-##  package itself is licensed under the GNU General Public License in
-##  order to take advantage of GNU shtool.
-##
-
-##
-##  Usage: shtool [<options>] [<cmd-name> [<cmd-options>] [<cmd-args>]]
-##
-##  Available commands:
-##    echo       Print string with optional construct expansion
-##    install    Install a program, script or datafile
-##    mkdir      Make one or more directories
-##
-##  Not available commands (because module was not built-in):
-##    mdate      Pretty-print modification time of a file or dir
-##    table      Pretty-print a field-separated list as a table
-##    prop       Display progress with a running propeller
-##    move       Move files with simultaneous substitution
-##    mkln       Make link with calculation of relative paths
-##    mkshadow   Make a shadow tree through symbolic links
-##    fixperm    Fix file permissions inside a source tree
-##    tarball    Roll distribution tarballs
-##    guessos    Simple operating system guesser
-##    arx        Extended archive command
-##    slo        Separate linker options by library class
-##    scpp       Sharing C Pre-Processor
-##    version    Generate and maintain a version information file
-##    path       Deal with program paths
-##
-
-if [ $# -eq 0 ]; then
-    echo "$0:Error: invalid command line" 1>&2
-    echo "$0:Hint:  run \`$0 -h' for usage" 1>&2
-    exit 1
-fi
-if [ ".$1" = ".-h" -o ".$1" = ".--help" ]; then
-    echo "This is GNU shtool, version 1.4.9 (16-Apr-2000)"
-    echo "Copyright (c) 1994-2000 Ralf S. Engelschall <rse@engelschall.com>"
-    echo "Report bugs to <bug-shtool@gnu.org>"
-    echo ''
-    echo "Usage: shtool [<options>] [<cmd-name> [<cmd-options>] [<cmd-args>]]" 
-    echo ''
-    echo 'Available global <options>:'
-    echo '  -v, --version   display shtool version information'
-    echo '  -h, --help      display shtool usage help page (this one)'
-    echo '  -d, --debug     display shell trace information'
-    echo ''
-    echo 'Available <cmd-name> [<cmd-options>] [<cmd-args>]:'
-    echo '  echo     [-n] [-e] [<str> ...]'
-    echo '  install  [-v] [-t] [-c] [-C] [-s] [-m<mode>] [-o<owner>] [-g<group>]'
-    echo '           [-e<ext>] <file> <path>'
-    echo '  mkdir    [-t] [-f] [-p] [-m<mode>] <dir> [<dir> ...]'
-    echo ''
-    echo 'Not available <cmd-name> (because module was not built-in):'
-    echo '  mdate    [-n] [-z] [-s] [-d] [-f<str>] [-o<spec>] <path>'
-    echo '  table    [-F<sep>] [-w<width>] [-c<cols>] [-s<strip>] <str><sep><str>...'
-    echo '  prop     [-p<str>]'
-    echo '  move     [-v] [-t] [-e] [-p] <src-file> <dst-file>'
-    echo '  mkln     [-t] [-f] [-s] <src-path> [<src-path> ...] <dst-path>'
-    echo '  mkshadow [-v] [-t] [-a] <src-dir> <dst-dir>'
-    echo '  fixperm  [-v] [-t] <path> [<path> ...]'
-    echo '  tarball  [-t] [-v] [-o <tarball>] [-c <prog>] [-d <dir>] [-u'
-    echo '           <user>] [-g <group>] [-e <pattern>] <path> [<path> ...]'
-    echo '  guessos  '
-    echo '  arx      [-t] [-C<cmd>] <op> <archive> [<file> ...]'
-    echo '  slo      [-p<str>] -- -L<dir> -l<lib> [-L<dir> -l<lib> ...]'
-    echo '  scpp     [-v] [-p] [-f<filter>] [-o<ofile>] [-t<tfile>] [-M<mark>]'
-    echo '           [-D<dname>] [-C<cname>] <file> [<file> ...]'
-    echo '  version  [-l<lang>] [-n<name>] [-p<prefix>] [-s<version>] [-i<knob>]'
-    echo '           [-d<type>] <file>'
-    echo '  path     [-s] [-r] [-d] [-b] [-m] [-p<path>] <str> [<str> ...]'
-    echo ''
-    exit 0
-fi
-if [ ".$1" = ".-v" -o ".$1" = ."--version" ]; then
-    echo "GNU shtool 1.4.9 (16-Apr-2000)"
-    exit 0
-fi
-if [ ".$1" = ".-d" -o ".$1" = ."--debug" ]; then
-    shift
-    set -x
-fi
-name=`echo "$0" | sed -e 's;.*/\([^/]*\)$;\1;' -e 's;-sh$;;' -e 's;\.sh$;;'`
-case "$name" in
-    echo|install|mkdir )
-        #   implicit tool command selection
-        tool="$name"
-        ;;
-    * )
-        #   explicit tool command selection
-        tool="$1"
-        shift
-        ;;
-esac
-arg_spec=""
-opt_spec=""
-gen_tmpfile=no
-
-##
-##  DISPATCH INTO SCRIPT PROLOG
-##
-
-case $tool in
-    echo )
-        str_tool="echo"
-        str_usage="[-n] [-e] [<str> ...]"
-        arg_spec="0+"
-        opt_spec="n.e."
-        opt_n=no
-        opt_e=no
-        ;;
-    install )
-        str_tool="install"
-        str_usage="[-v] [-t] [-c] [-C] [-s] [-m<mode>] [-o<owner>] [-g<group>] [-e<ext>] <file> <path>"
-        arg_spec="2="
-        opt_spec="v.t.c.C.s.m:o:g:e:"
-        opt_v=no
-        opt_t=no
-        opt_c=no
-        opt_C=no
-        opt_s=no
-        opt_m=""
-        opt_o=""
-        opt_g=""
-        opt_e=""
-        ;;
-    mkdir )
-        str_tool="mkdir"
-        str_usage="[-t] [-f] [-p] [-m<mode>] <dir> [<dir> ...]"
-        arg_spec="1+"
-        opt_spec="t.f.p.m:"
-        opt_t=no
-        opt_f=no
-        opt_p=no
-        opt_m=""
-        ;;
-    -* )
-        echo "$0:Error: unknown option \`$tool'" 2>&1
-        echo "$0:Hint:  run \`$0 -h' for usage" 2>&1
-        exit 1
-        ;;
-    * )
-        echo "$0:Error: unknown command \`$tool'" 2>&1
-        echo "$0:Hint:  run \`$0 -h' for usage" 2>&1
-        exit 1
-        ;;
-esac
-
-##
-##  COMMON UTILITY CODE
-##
-
-#   determine name of tool
-if [ ".$tool" != . ]; then
-    #   used inside shtool script
-    toolcmd="$0 $tool"
-    toolcmdhelp="shtool $tool"
-    msgprefix="shtool:$tool"
-else
-    #   used as standalone script
-    toolcmd="$0"
-    toolcmdhelp="sh $0"
-    msgprefix="$str_tool"
-fi
-
-#   parse argument specification string
-eval `echo $arg_spec |\
-      sed -e 's/^\([0-9]*\)\([+=]\)/arg_NUMS=\1; arg_MODE=\2/'`
-
-#   parse option specification string
-eval `echo h.$opt_spec |\
-      sed -e 's/\([a-zA-Z0-9]\)\([.:+]\)/opt_MODE_\1=\2;/g'`
-
-#   interate over argument line
-opt_PREV=''
-while [ $# -gt 0 ]; do
-    #   special option stops processing
-    if [ ".$1" = ".--" ]; then
-        shift
-        break
-    fi
-
-    #   determine option and argument
-    opt_ARG_OK=no
-    if [ ".$opt_PREV" != . ]; then
-        #   merge previous seen option with argument
-        opt_OPT="$opt_PREV"
-        opt_ARG="$1"
-        opt_ARG_OK=yes
-        opt_PREV=''
-    else
-        #   split argument into option and argument
-        case "$1" in
-            -[a-zA-Z0-9]*)
-                eval `echo "x$1" |\
-                      sed -e 's/^x-\([a-zA-Z0-9]\)/opt_OPT="\1";/' \
-                          -e 's/";\(.*\)$/"; opt_ARG="\1"/'`
-                ;;
-            -[a-zA-Z0-9])
-                opt_OPT=`echo "x$1" | cut -c3-`
-                opt_ARG=''
-                ;;
-            *)
-                break
-                ;;
-        esac
-    fi
-
-    #   eat up option
-    shift
-
-    #   determine whether option needs an argument
-    eval "opt_MODE=\$opt_MODE_${opt_OPT}"
-    if [ ".$opt_ARG" = . -a ".$opt_ARG_OK" != .yes ]; then
-        if [ ".$opt_MODE" = ".:" -o ".$opt_MODE" = ".+" ]; then
-            opt_PREV="$opt_OPT"
-            continue
-        fi
-    fi
-
-    #   process option
-    case $opt_MODE in
-        '.' )
-            #   boolean option
-            eval "opt_${opt_OPT}=yes"
-            ;;
-        ':' )
-            #   option with argument (multiple occurances override)
-            eval "opt_${opt_OPT}=\"\$opt_ARG\""
-            ;;
-        '+' )
-            #   option with argument (multiple occurances append)
-            eval "opt_${opt_OPT}=\"\$opt_${opt_OPT} \$opt_ARG\""
-            ;;
-        * )
-            echo "$msgprefix:Error: unknown option: \`-$opt_OPT'" 1>&2
-            echo "$msgprefix:Hint:  run \`$toolcmdhelp -h' or \`man shtool' for details" 1>&2
-            exit 1
-            ;;
-    esac
-done
-if [ ".$opt_PREV" != . ]; then
-    echo "$msgprefix:Error: missing argument to option \`-$opt_PREV'" 1>&2
-    echo "$msgprefix:Hint:  run \`$toolcmdhelp -h' or \`man shtool' for details" 1>&2
-    exit 1
-fi
-
-#   process help option
-if [ ".$opt_h" = .yes ]; then
-    echo "Usage: $toolcmdhelp $str_usage"
-    exit 0
-fi
-
-#   complain about incorrect number of arguments
-case $arg_MODE in
-    '=' )
-        if [ $# -ne $arg_NUMS ]; then
-            echo "$msgprefix:Error: invalid number of arguments (exactly $arg_NUMS expected)" 1>&2
-            echo "$msgprefix:Hint:  run \`$toolcmd -h' or \`man shtool' for details" 1>&2
-            exit 1
-        fi
-        ;;
-    '+' )
-        if [ $# -lt $arg_NUMS ]; then
-            echo "$msgprefix:Error: invalid number of arguments (at least $arg_NUMS expected)" 1>&2
-            echo "$msgprefix:Hint:  run \`$toolcmd -h' or \`man shtool' for details" 1>&2
-            exit 1
-        fi
-        ;;
-esac
-
-#   establish a temporary file on request
-if [ ".$gen_tmpfile" = .yes ]; then
-    if [ ".$TMPDIR" != . ]; then
-        tmpdir="$TMPDIR"
-    elif [ ".$TEMPDIR" != . ]; then
-        tmpdir="$TEMPDIR"
-    else
-        tmpdir="/tmp"
-    fi
-    tmpfile="$tmpdir/.shtool.$$"
-    rm -f $tmpfile >/dev/null 2>&1
-    touch $tmpfile
-fi
-
-##
-##  DISPATCH INTO SCRIPT BODY
-##
-
-case $tool in
-
-echo )
-    ##
-    ##  echo -- Print string with optional construct expansion
-    ##  Copyright (c) 1998-2000 Ralf S. Engelschall <rse@engelschall.com>
-    ##  Originally written for WML as buildinfo
-    ##
-    
-    text="$*"
-    
-    #   check for broken escape sequence expansion
-    seo=''
-    bytes=`echo '\1' | wc -c | awk '{ printf("%s", $1); }'`
-    if [ ".$bytes" != .3 ]; then
-        bytes=`echo -E '\1' | wc -c | awk '{ printf("%s", $1); }'`
-        if [ ".$bytes" = .3 ]; then
-            seo='-E'
-        fi
-    fi
-    
-    #   check for existing -n option (to suppress newline)
-    minusn=''
-    bytes=`echo -n 123 2>/dev/null | wc -c | awk '{ printf("%s", $1); }'`
-    if [ ".$bytes" = .3 ]; then
-        minusn='-n'
-    fi
-    
-    #   determine terminal bold sequence
-    term_bold='' 
-    term_norm=''
-    if [ ".$opt_e" = .yes -a ".`echo $text | egrep '%[Bb]'`" != . ]; then
-        case $TERM in
-            #   for the most important terminal types we directly know the sequences
-            xterm|xterm*|vt220|vt220*)
-                term_bold=`awk 'BEGIN { printf("%c%c%c%c", 27, 91, 49, 109); }' </dev/null 2>/dev/null`
-                term_norm=`awk 'BEGIN { printf("%c%c%c", 27, 91, 109); }' </dev/null 2>/dev/null`
-                ;;
-            vt100|vt100*)
-                term_bold=`awk 'BEGIN { printf("%c%c%c%c%c%c", 27, 91, 49, 109, 0, 0); }' </dev/null 2>/dev/null`
-                term_norm=`awk 'BEGIN { printf("%c%c%c%c%c", 27, 91, 109, 0, 0); }' </dev/null 2>/dev/null`
-                ;;
-            #   for all others, we try to use a possibly existing `tput' or `tcout' utility
-            * )
-                paths=`echo $PATH | sed -e 's/:/ /g'`
-                for tool in tput tcout; do
-                    for dir in $paths; do
-                        if [ -r "$dir/$tool" ]; then
-                            for seq in bold md smso; do # 'smso' is last
-                                bold="`$dir/$tool $seq 2>/dev/null`"
-                                if [ ".$bold" != . ]; then
-                                    term_bold="$bold"
-                                    break
-                                fi
-                            done
-                            if [ ".$term_bold" != . ]; then
-                                for seq in sgr0 me rmso reset; do # 'reset' is last
-                                    norm="`$dir/$tool $seq 2>/dev/null`"
-                                    if [ ".$norm" != . ]; then
-                                        term_norm="$norm"
-                                        break
-                                    fi
-                                done
-                            fi
-                            break
-                        fi
-                    done
-                    if [ ".$term_bold" != . -a ".$term_norm" != . ]; then
-                        break;
-                    fi
-                done
-                ;;
-        esac
-        if [ ".$term_bold" = . -o ".$term_norm" = . ]; then
-            echo "$msgprefix:Warning: unable to determine terminal sequence for bold mode" 1>&2
-        fi
-    fi
-    
-    #   determine user name
-    username=''
-    if [ ".$opt_e" = .yes -a ".`echo $text | egrep '%[uU]'`" != . ]; then
-        username="$LOGNAME"
-        if [ ".$username" = . ]; then
-            username="$USER"
-            if [ ".$username" = . ]; then
-                username="`(whoami) 2>/dev/null |\
-                           awk '{ printf("%s", $1); }'`"
-                if [ ".$username" = . ]; then
-                    username="`(who am i) 2>/dev/null |\
-                               awk '{ printf("%s", $1); }'`"
-                    if [ ".$username" = . ]; then
-                        username='unknown'
-                    fi
-                fi
-            fi
-        fi
-    fi
-    
-    #   determine user id
-    userid=''
-    if [ ".$opt_e" = .yes -a ".`echo $text | egrep '%U'`" != . ]; then
-        userid="`(id -u) 2>/dev/null`"
-        if [ ".$userid" = . ]; then
-            str="`(id) 2>/dev/null`"
-            if [ ".`echo $str | grep '^uid[ 	]*=[ 	]*[0-9]*('`" != . ]; then
-                userid=`echo $str | sed -e 's/^uid[ 	]*=[ 	]*//' -e 's/(.*//'`
-            fi
-            if [ ".$userid" = . ]; then
-                userid=`egrep "^${username}:" /etc/passwd 2>/dev/null | \
-                        sed -e 's/[^:]*:[^:]*://' -e 's/:.*$//'`
-                if [ ".$userid" = . ]; then
-                    userid=`(ypcat passwd) 2>/dev/null |
-                            egrep "^${username}:" | \
-                            sed -e 's/[^:]*:[^:]*://' -e 's/:.*$//'`
-                    if [ ".$userid" = . ]; then
-                        userid='?'
-                    fi
-                fi
-            fi
-        fi
-    fi
-    
-    #   determine host name
-    hostname=''
-    if [ ".$opt_e" = .yes -a ".`echo $text | egrep '%h'`" != . ]; then
-        hostname="`(uname -n) 2>/dev/null |\
-                   awk '{ printf("%s", $1); }'`"
-        if [ ".$hostname" = . ]; then
-            hostname="`(hostname) 2>/dev/null |\
-                       awk '{ printf("%s", $1); }'`"
-            if [ ".$hostname" = . ]; then
-                hostname='unknown'
-            fi
-        fi
-        case $hostname in
-            *.* )
-                domainname=".`echo $hostname | cut -d. -f2-`"
-                hostname="`echo $hostname | cut -d. -f1`"
-                ;;
-        esac
-    fi
-    
-    #   determine domain name
-    domainname=''
-    if [ ".$opt_e" = .yes -a ".`echo $text | egrep '%d'`" != . ]; then
-        if [ ".$domainname" = . ]; then
-            if [ -f /etc/resolv.conf ]; then
-                domainname="`egrep '^[ 	]*domain' /etc/resolv.conf | head -1 |\
-                             sed -e 's/.*domain//' \
-                                 -e 's/^[ 	]*//' -e 's/^ *//' -e 's/^	*//' \
-                                 -e 's/^\.//' -e 's/^/./' |\
-                             awk '{ printf("%s", $1); }'`"
-                if [ ".$domainname" = . ]; then
-                    domainname="`egrep '^[ 	]*search' /etc/resolv.conf | head -1 |\
-                                 sed -e 's/.*search//' \
-                                     -e 's/^[ 	]*//' -e 's/^ *//' -e 's/^	*//' \
-                                     -e 's/ .*//' -e 's/	.*//' \
-                                     -e 's/^\.//' -e 's/^/./' |\
-                                 awk '{ printf("%s", $1); }'`"
-                fi
-            fi
-        fi
-    fi
-    
-    #   determine current time
-    time_day=''
-    time_month=''
-    time_year=''
-    time_monthname=''
-    if [ ".$opt_e" = .yes -a ".`echo $text | egrep '%[DMYm]'`" != . ]; then
-        time_day=`date '+%d'`
-        time_month=`date '+%m'`
-        time_year=`date '+%Y' 2>/dev/null`
-        if [ ".$time_year" = . ]; then
-            time_year=`date '+%y'`
-            case $time_year in
-                [5-9][0-9]) time_year="19$time_year" ;;
-                [0-4][0-9]) time_year="20$time_year" ;;
-            esac
-        fi
-        case $time_month in
-            1|01) time_monthname='Jan' ;;
-            2|02) time_monthname='Feb' ;;
-            3|03) time_monthname='Mar' ;;
-            4|04) time_monthname='Apr' ;;
-            5|05) time_monthname='May' ;;
-            6|06) time_monthname='Jun' ;;
-            7|07) time_monthname='Jul' ;;
-            8|08) time_monthname='Aug' ;;
-            9|09) time_monthname='Sep' ;;
-              10) time_monthname='Oct' ;;
-              11) time_monthname='Nov' ;;
-              12) time_monthname='Dec' ;;
-        esac
-    fi
-    
-    #   expand special ``%x'' constructs
-    if [ ".$opt_e" = .yes ]; then
-        text=`echo $seo "$text" |\
-              sed -e "s/%B/${term_bold}/g" \
-                  -e "s/%b/${term_norm}/g" \
-                  -e "s/%u/${username}/g" \
-                  -e "s/%U/${userid}/g" \
-                  -e "s/%h/${hostname}/g" \
-                  -e "s/%d/${domainname}/g" \
-                  -e "s/%D/${time_day}/g" \
-                  -e "s/%M/${time_month}/g" \
-                  -e "s/%Y/${time_year}/g" \
-                  -e "s/%m/${time_monthname}/g" 2>/dev/null`
-    fi
-    
-    #   create output
-    if [ .$opt_n = .no ]; then
-        echo $seo "$text"
-    else
-        #   the harder part: echo -n is best, because
-        #   awk may complain about some \xx sequences.
-        if [ ".$minusn" != . ]; then
-            echo $seo $minusn "$text"
-        else
-            echo dummy | awk '{ printf("%s", TEXT); }' TEXT="$text"
-        fi
-    fi
-    ;;
-
-install )
-    ##
-    ##  install -- Install a program, script or datafile
-    ##  Copyright (c) 1997-2000 Ralf S. Engelschall <rse@engelschall.com>
-    ##  Originally written for shtool
-    ##
-    
-    src="$1"
-    dst="$2"
-    
-    #  If destination is a directory, append the input filename
-    if [ -d $dst ]; then
-        dst=`echo "$dst" | sed -e 's:/$::'`
-        dstfile=`echo "$src" | sed -e 's;.*/\([^/]*\)$;\1;'`
-        dst="$dst/$dstfile"
-    fi
-    
-    #  Add a possible extension to src and dst
-    if [ ".$opt_e" != . ]; then
-        src="$src$opt_e"
-        dst="$dst$opt_e"
-    fi
-    
-    #  Check for correct arguments
-    if [ ".$src" = ".$dst" ]; then
-        echo "$msgprefix:Error: source and destination are the same" 1>&2
-        exit 1
-    fi
-    
-    #  Make a temp file name in the destination directory
-    dstdir=`echo $dst | sed -e 's;[^/]*$;;' -e 's;\(.\)/$;\1;' -e 's;^$;.;'`
-    dsttmp="$dstdir/#INST@$$#"
-    
-    #  Verbosity
-    if [ ".$opt_v" = .yes ]; then
-        echo "$src -> $dst" 1>&2
-    fi
-    
-    #  Copy or move the file name to the temp name
-    #  (because we might be not allowed to change the source)
-    if [ ".$opt_C" = .yes ]; then
-        opt_c=yes
-    fi
-    if [ ".$opt_c" = .yes ]; then
-        if [ ".$opt_t" = .yes ]; then
-            echo "cp $src $dsttmp" 1>&2
-        fi
-        cp $src $dsttmp || exit $?
-    else
-        if [ ".$opt_t" = .yes ]; then
-            echo "mv $src $dsttmp" 1>&2
-        fi
-        mv $src $dsttmp || exit $?
-    fi
-    
-    #  Adjust the target file
-    #  (we do chmod last to preserve setuid bits)
-    if [ ".$opt_s" = .yes ]; then
-        if [ ".$opt_t" = .yes ]; then
-            echo "strip $dsttmp" 1>&2
-        fi
-        strip $dsttmp || exit $?
-    fi
-    if [ ".$opt_o" != . ]; then
-        if [ ".$opt_t" = .yes ]; then
-            echo "chown $opt_o $dsttmp" 1>&2
-        fi
-        chown $opt_o $dsttmp || exit $?
-    fi
-    if [ ".$opt_g" != . ]; then
-        if [ ".$opt_t" = .yes ]; then
-            echo "chgrp $opt_g $dsttmp" 1>&2
-        fi
-        chgrp $opt_g $dsttmp || exit $?
-    fi
-    if [ ".$opt_m" != . ]; then
-        if [ ".$opt_t" = .yes ]; then
-            echo "chmod $opt_m $dsttmp" 1>&2
-        fi
-        chmod $opt_m $dsttmp || exit $?
-    fi
-    
-    #   Determine whether to do a quick install
-    #   (has to be done _after_ the strip was already done)
-    quick=no
-    if [ ".$opt_C" = .yes ]; then
-        if [ -r $dst ]; then
-            if cmp -s $src $dst; then
-                quick=yes
-            fi
-        fi
-    fi
-    
-    #   Finally install the file to the real destination
-    if [ $quick = yes ]; then
-        if [ ".$opt_t" = .yes ]; then
-            echo "rm -f $dsttmp" 1>&2
-        fi
-        rm -f $dsttmp
-    else
-        if [ ".$opt_t" = .yes ]; then
-            echo "rm -f $dst && mv $dsttmp $dst" 1>&2
-        fi
-        rm -f $dst && mv $dsttmp $dst
-    fi
-    ;;
-
-mkdir )
-    ##
-    ##  mkdir -- Make one or more directories
-    ##  Copyright (c) 1996-2000 Ralf S. Engelschall <rse@engelschall.com>
-    ##  Originally written for public domain by Noah Friedman <friedman@prep.ai.mit.edu>
-    ##  Cleaned up and enhanced for shtool
-    ##
-    
-    errstatus=0
-    for p in ${1+"$@"}; do
-        #   if the directory already exists...
-        if [ -d "$p" ]; then
-            if [ ".$opt_f" = .no ] && [ ".$opt_p" = .no ]; then
-                echo "$msgprefix:Error: directory already exists: $p" 1>&2
-                errstatus=1
-                break
-            else
-                continue
-            fi
-        fi
-        #   if the directory has to be created...
-        if [ ".$opt_p" = .no ]; then
-            if [ ".$opt_t" = .yes ]; then
-                echo "mkdir $p" 1>&2
-            fi
-            mkdir $p || errstatus=$?
-        else
-            #   the smart situation
-            set fnord `echo ":$p" |\
-                       sed -e 's/^:\//%/' \
-                           -e 's/^://' \
-                           -e 's/\// /g' \
-                           -e 's/^%/\//'`
-            shift
-            pathcomp=''
-            for d in ${1+"$@"}; do
-                pathcomp="$pathcomp$d"
-                case "$pathcomp" in
-                    -* ) pathcomp="./$pathcomp" ;;
-                esac
-                if [ ! -d "$pathcomp" ]; then
-                    if [ ".$opt_t" = .yes ]; then
-                        echo "mkdir $pathcomp" 1>&2
-                    fi
-                    mkdir $pathcomp || errstatus=$?
-                    if [ ".$opt_m" != . ]; then
-                        if [ ".$opt_t" = .yes ]; then
-                            echo "chmod $opt_m $pathcomp" 1>&2
-                        fi
-                        chmod $opt_m $pathcomp || errstatus=$?
-                    fi
-                fi
-                pathcomp="$pathcomp/"
-            done
-        fi
-    done
-    exit $errstatus
-    ;;
-
-esac
-
-exit 0
-
-##EOF##
diff --git a/src/ARP.h b/src/ARP.h
index e815c038d9..c7765eb9a9 100644
--- a/src/ARP.h
+++ b/src/ARP.h
@@ -13,9 +13,9 @@
 #include <net/if_arp.h>
 #ifdef HAVE_NET_ETHERNET_H
 #include <net/ethernet.h>
-#elif HAVE_SYS_ETHERNET_H
+#elif defined(HAVE_SYS_ETHERNET_H)
 #include <sys/ethernet.h>
-#elif HAVE_NETINET_IF_ETHER_H
+#elif defined(HAVE_NETINET_IF_ETHER_H)
 #include <netinet/if_ether.h>
 #endif
 
diff --git a/src/Active.cc b/src/Active.cc
deleted file mode 100644
index c7193de089..0000000000
--- a/src/Active.cc
+++ /dev/null
@@ -1,218 +0,0 @@
-// $Id: Active.cc 1282 2005-09-07 17:02:02Z vern $
-
-#include "config.h"
-
-#include <sys/types.h>
-#include <sys/socket.h>
-
-#include <netinet/in.h>
-
-#include <arpa/inet.h>
-
-#include <map>
-
-#include "Active.h"
-#include "util.h"
-#include "Dict.h"
-
-declare(PDict,string);
-typedef PDict(string) MachineMap;
-declare(PDict,MachineMap);
-typedef PDict(MachineMap) ActiveMap;
-declare(PDict,NumericData);
-typedef PDict(NumericData) ActiveMapNumeric;
-
-static ActiveMap active_map;
-static ActiveMapNumeric active_map_numeric;
-
-static MachineMap default_values;
-static NumericData default_values_numeric;
-
-static bool map_was_loaded = false;
-
-bool get_map_result(uint32 ip_addr, const char* key, string& result)
-	{
-	const MachineMap* machine_map;
-#ifndef ACTIVE_MAPPING
-	machine_map = &default_values;
-#else
-	HashKey machinekey(ip_addr);
-	machine_map = active_map.Lookup(&machinekey);
-
-	if ( ! machine_map )
-		machine_map = &default_values;
-#endif
-	HashKey mapkey(key);
-	string* entry = machine_map->Lookup(&mapkey);
-	if ( ! entry )
-		{
-		entry = default_values.Lookup(&mapkey);
-		}
-
-	if ( ! entry )
-		{
-		internal_error("Unknown active mapping entry requested: %s", key);
-		return false;
-		}
-
-	result = *entry;
-
-	return true;
-	}
-
-bool get_map_result(uint32 ip_addr, const NumericData*& result)
-	{
-#ifndef ACTIVE_MAPPING
-	result = &default_values_numeric;
-	return true;
-#endif
-	HashKey machinekey(&ip_addr, 1);
-	NumericData* entry = active_map_numeric.Lookup(&machinekey);
-
-	if ( ! entry )
-		result = &default_values_numeric;
-	else
-		result = entry;
-
-	return true;
-	}
-
-
-char* chop (char* s)
-	{
-	s[strlen(s) - 1] = 0;
-	return s;
-	}
-
-map < const char *, ReassemblyPolicy, ltstr > reassem_names;
-
-// Remember to index the table with IP address in network order!
-bool load_mapping_table(const char* map_file)
-	{
-	reassem_names["BSD"] = RP_BSD;
-	reassem_names["linux"] = RP_LINUX;
-	reassem_names["last"] = RP_LAST;
-	reassem_names["first"] = RP_FIRST;
-
-	// Default values are read in from AM file under IP address 0.0.0.0
-	default_values.Insert(new HashKey("accepts_rst_outside_window"),
-			      new string("no"));
-	default_values.Insert(new HashKey("accepts_rst_in_window"),
-			      new string("yes"));
-	default_values.Insert(new HashKey("accepts_rst_in_sequence"),
-			      new string("yes"));
-	default_values.Insert(new HashKey("mtu"),
-			      new string("0"));
-
-	default_values_numeric.path_MTU = 0;   // 0 = unknown
-	default_values_numeric.hops = 0;       // 0 = unknown;
-	default_values_numeric.ip_reassem = RP_UNKNOWN;
-	default_values_numeric.tcp_reassem = RP_UNKNOWN;
-	default_values_numeric.accepts_rst_in_window = true;
-	default_values_numeric.accepts_rst_outside_window = false;
-
-
-	if ( map_file && strlen(map_file) )
-		{
-		FILE* f = fopen(map_file, "r");
-		if ( ! f )
-			return false;
-
-		char buf[512];
-		if ( ! fgets(buf, sizeof(buf), f) )
-			error("Error reading mapping file.\n");
-
-		int num_fields = atoi(buf);
-
-		string* field_names = new string[num_fields];
-		for ( int i = 0; i < num_fields; ++i )
-			{
-			if ( ! fgets(buf, sizeof(buf), f) )
-				error("Error reading mapping file.\n");
-			field_names[i] = chop(buf);
-			}
-
-		if ( ! fgets(buf, sizeof(buf), f) )
-			error("Error reading mapping file.\n");
-
-		int num_machines = atoi(buf);
-
-		for ( int j = 0; j < num_machines; ++j )
-			{ // read ip address, parse it
-			if ( ! fgets(buf, sizeof(buf), f) )
-				error("Error reading mapping file.\n");
-
-			uint32 ip;
-			in_addr in;
-			if ( ! inet_aton(chop(buf), &in) )
-				error("Error reading mapping file.\n");
-
-			ip = in.s_addr;
-
-			MachineMap* newmap;
-			NumericData* newnumeric;
-
-			if ( ip ) // ip = 0.0.0.0 = default values
-				{
-				newmap = new MachineMap;
-				newnumeric = new NumericData;
-				}
-			else
-				{
-				newmap = &default_values;
-				newnumeric = &default_values_numeric;
-				}
-
-			for ( int i = 0; i < num_fields; ++i )
-				{
-				if ( ! fgets(buf, sizeof(buf), f) )
-					error("Error reading mapping file.\n");
-
-				string fname = field_names[i];
-
-				chop(buf);
-
-				// Don't try to parse an unknown value ("").
-				if ( streq(buf, "") )
-					continue;
-
-				HashKey mapkey(fname.c_str());
-				newmap->Insert(&mapkey, new string(buf));
-
-				if ( fname == "mtu" )
-					newnumeric->path_MTU = atoi(buf);
-
-				else if ( fname == "hops" )
-					newnumeric->hops = atoi(buf);
-
-				else if ( fname == "tcp_segment_overlap" )
-					newnumeric->tcp_reassem = reassem_names[buf];
-
-				else if ( fname == "overlap_policy" )
-					newnumeric->ip_reassem = reassem_names[buf];
-
-				else if ( fname == "accepts_rst_in_window" )
-					newnumeric->accepts_rst_in_window = streq(buf, "yes");
-
-				else if ( fname == "accepts_rst_outside_window" )
-					newnumeric->accepts_rst_outside_window = streq(buf, "yes");
-
-				else if ( fname == "accepts_rst_in_sequence" )
-					newnumeric->accepts_rst_in_sequence = streq(buf, "yes");
-
-				else
-					warn("unrecognized mapping file tag:", fname.c_str());
-				}
-
-			HashKey machinekey(&ip, 1);
-			active_map.Insert(&machinekey, newmap);
-			active_map_numeric.Insert(&machinekey, newnumeric);
-			}
-
-		delete [] field_names;
-		}
-
-	map_was_loaded = true;
-
-	return true;
-	}
diff --git a/src/Active.h b/src/Active.h
deleted file mode 100644
index 72ea06c084..0000000000
--- a/src/Active.h
+++ /dev/null
@@ -1,44 +0,0 @@
-// $Id: Active.h 80 2004-07-14 20:15:50Z jason $
-
-#ifndef active_h
-#define active_h
-
-#include <string>
-using namespace std;
-
-#include "util.h"
-
-enum ReassemblyPolicy {
-	RP_UNKNOWN,
-	RP_BSD,	// Left-trim to equal or lower offset frags
-	RP_LINUX,	// Left-trim to strictly lower offset frags
-	RP_FIRST,	// Accept only new (no previous value) octets
-	RP_LAST	// Accept all
-};
-
-struct NumericData {
-	ReassemblyPolicy ip_reassem;
-	ReassemblyPolicy tcp_reassem;
-	unsigned short path_MTU;	// 0 = unknown
-	unsigned char hops;	// 0 = unknown
-	bool accepts_rst_in_window;
-	bool accepts_rst_outside_window;
-	bool accepts_rst_in_sequence;
-};
-
-// Return value is whether or not there was a known result for that
-// machine (actually, IP address in network order); if not, a default
-// is returned. Note that the map data is a string in all cases: the
-// numeric form is more efficient and is to be preferred ordinarily.
-bool get_map_result(uint32 ip_addr, const char* key, string& result);
-
-// Basically a special case of get_map_result(), but returns numbers
-// directly for efficiency reasons, since these are frequently
-// looked up. ### Perhaps a better generic mechanism is in order.
-bool get_map_result(uint32 ip_addr, const NumericData*& result);
-
-// Reads in AM data from the specified file (basically [IP, policy] tuples)
-// Should be called at initialization time.
-bool load_mapping_table(const char* map_file);
-
-#endif
diff --git a/src/Analyzer.cc b/src/Analyzer.cc
index 14eaff20c1..ace543544f 100644
--- a/src/Analyzer.cc
+++ b/src/Analyzer.cc
@@ -37,6 +37,7 @@
 #include "SSLProxy.h"
 #include "SSL-binpac.h"
 #include "Syslog-binpac.h"
+#include "ConnSizeAnalyzer.h"
 
 // Keep same order here as in AnalyzerTag definition!
 const Analyzer::Config Analyzer::analyzer_configs[] = {
@@ -58,6 +59,9 @@ const Analyzer::Config Analyzer::analyzer_configs[] = {
 	{ AnalyzerTag::ICMP_Echo, "ICMP_ECHO",
 		ICMP_Echo_Analyzer::InstantiateAnalyzer,
 		ICMP_Echo_Analyzer::Available, 0, false },
+	{ AnalyzerTag::ICMP_Redir, "ICMP_REDIR",
+		ICMP_Redir_Analyzer::InstantiateAnalyzer,
+		ICMP_Redir_Analyzer::Available, 0, false },
 
 	{ AnalyzerTag::TCP, "TCP", TCP_Analyzer::InstantiateAnalyzer,
 		TCP_Analyzer::Available, 0, false },
@@ -114,10 +118,8 @@ const Analyzer::Config Analyzer::analyzer_configs[] = {
 		SMTP_Analyzer::Available, 0, false },
 	{ AnalyzerTag::SSH, "SSH", SSH_Analyzer::InstantiateAnalyzer,
 		SSH_Analyzer::Available, 0, false },
-#ifdef USE_OPENSSL
 	{ AnalyzerTag::SSL, "SSL", SSLProxy_Analyzer::InstantiateAnalyzer,
 		SSLProxy_Analyzer::Available, 0, false },
-#endif
 	{ AnalyzerTag::Telnet, "TELNET", Telnet_Analyzer::InstantiateAnalyzer,
 		Telnet_Analyzer::Available, 0, false },
 
@@ -157,6 +159,9 @@ const Analyzer::Config Analyzer::analyzer_configs[] = {
 	{ AnalyzerTag::TCPStats, "TCPSTATS",
 		TCPStats_Analyzer::InstantiateAnalyzer,
 		TCPStats_Analyzer::Available, 0, false },
+	{ AnalyzerTag::ConnSize, "CONNSIZE", 
+		ConnSize_Analyzer::InstantiateAnalyzer,
+		ConnSize_Analyzer::Available, 0, false },
 
 	{ AnalyzerTag::Contents, "CONTENTS", 0, 0, 0, false },
 	{ AnalyzerTag::ContentLine, "CONTENTLINE", 0, 0, 0, false },
@@ -171,9 +176,7 @@ const Analyzer::Config Analyzer::analyzer_configs[] = {
 	{ AnalyzerTag::Contents_SMB, "CONTENTS_SMB", 0, 0, 0, false },
 	{ AnalyzerTag::Contents_RPC, "CONTENTS_RPC", 0, 0, 0, false },
 	{ AnalyzerTag::Contents_NFS, "CONTENTS_NFS", 0, 0, 0, false },
-#ifdef USE_OPENSSL
 	{ AnalyzerTag::Contents_SSL, "CONTENTS_SSL", 0, 0, 0, false },
-#endif
 };
 
 AnalyzerTimer::~AnalyzerTimer()
@@ -759,15 +762,6 @@ void Analyzer::FlipRoles()
 	resp_supporters = tmp;
 	}
 
-int Analyzer::RewritingTrace()
-	{
-	LOOP_OVER_CHILDREN(i)
-		if ( (*i)->RewritingTrace() )
-			return 1;
-
-	return 0;
-	}
-
 void Analyzer::ProtocolConfirmation()
 	{
 	if ( protocol_confirmed )
@@ -869,6 +863,12 @@ unsigned int Analyzer::MemoryAllocation() const
 	return mem;
 	}
 
+void Analyzer::UpdateConnVal(RecordVal *conn_val)
+	{
+	LOOP_OVER_CHILDREN(i)
+		(*i)->UpdateConnVal(conn_val);
+	}
+
 void SupportAnalyzer::ForwardPacket(int len, const u_char* data, bool is_orig,
 					int seq, const IP_Hdr* ip, int caplen)
 	{
@@ -912,17 +912,10 @@ void SupportAnalyzer::ForwardUndelivered(int seq, int len, bool is_orig)
 		Parent()->Undelivered(seq, len, is_orig);
 	}
 
-TransportLayerAnalyzer::~TransportLayerAnalyzer()
-	{
-	delete rewriter;
-	}
 
 void TransportLayerAnalyzer::Done()
 	{
 	Analyzer::Done();
-
-	if ( rewriter )
-		rewriter->Done();
 	}
 
 void TransportLayerAnalyzer::SetContentsFile(unsigned int /* direction */,
@@ -937,14 +930,6 @@ BroFile* TransportLayerAnalyzer::GetContentsFile(unsigned int /* direction */) c
 	return 0;
 	}
 
-void TransportLayerAnalyzer::SetTraceRewriter(Rewriter* r)
-	{
-	if ( rewriter )
-		rewriter->Done();
-	delete rewriter;
-	rewriter = r;
-	}
-
 void TransportLayerAnalyzer::PacketContents(const u_char* data, int len)
 	{
 	if ( packet_contents && len > 0 )
diff --git a/src/Analyzer.h b/src/Analyzer.h
index 83c5a5c7d7..c889dc6b2f 100644
--- a/src/Analyzer.h
+++ b/src/Analyzer.h
@@ -225,12 +225,15 @@ public:
 	virtual void ProtocolViolation(const char* reason,
 					const char* data = 0, int len = 0);
 
-	// Returns true if the analyzer or one of its children is rewriting
-	// the trace.
-	virtual int RewritingTrace();
-
 	virtual unsigned int MemoryAllocation() const;
 
+	// Called whenever the connection value needs to be updated. Per
+	// default, this method will be called for each analyzer in the tree.
+	// Analyzers can use this method to attach additional data to the
+	// connections. A call to BuildConnVal will in turn trigger a call to
+	// UpdateConnVal. 
+	virtual void UpdateConnVal(RecordVal *conn_val);
+
 	// The following methods are proxies: calls are directly forwarded
 	// to the connection instance.  These are for convenience only,
 	// allowing us to reuse more of the old analyzer code unchanged.
@@ -367,12 +370,9 @@ private:
 class TransportLayerAnalyzer : public Analyzer {
 public:
 	TransportLayerAnalyzer(AnalyzerTag::Tag tag, Connection* conn)
-		: Analyzer(tag, conn)	{ pia = 0; rewriter = 0; }
-
-	virtual ~TransportLayerAnalyzer();
+		: Analyzer(tag, conn)	{ pia = 0; }
 
 	virtual void Done();
-	virtual void UpdateEndpointVal(RecordVal* endp, int is_orig) = 0;
 	virtual bool IsReuse(double t, const u_char* pkt) = 0;
 
 	virtual void SetContentsFile(unsigned int direction, BroFile* f);
@@ -381,11 +381,6 @@ public:
 	void SetPIA(PIA* arg_PIA)	{ pia = arg_PIA; }
 	PIA* GetPIA() const		{ return pia; }
 
-	Rewriter* TraceRewriter()	{ return rewriter; }
-
-	// Takes ownership.
-	void SetTraceRewriter(Rewriter* r);
-
 	// Raises packet_contents event.
 	void PacketContents(const u_char* data, int len);
 
@@ -394,7 +389,6 @@ protected:
 
 private:
 	PIA* pia;
-	Rewriter* rewriter;
 };
 
 #endif
diff --git a/src/AnalyzerTags.h b/src/AnalyzerTags.h
index 06f5d636dc..2ea752036e 100644
--- a/src/AnalyzerTags.h
+++ b/src/AnalyzerTags.h
@@ -22,16 +22,16 @@ namespace AnalyzerTag {
 		PIA_TCP, PIA_UDP,
 
 		// Transport-layer analyzers.
-		ICMP, ICMP_TimeExceeded, ICMP_Unreachable, ICMP_Echo, TCP, UDP,
+		ICMP,
+		ICMP_TimeExceeded, ICMP_Unreachable, ICMP_Echo, ICMP_Redir,
+		TCP, UDP,
 
 		// Application-layer analyzers (hand-written).
 		BitTorrent, BitTorrentTracker,
 		DCE_RPC, DNS, Finger, FTP, Gnutella, HTTP, Ident, IRC,
 		Login, NCP, NetbiosSSN, NFS, NTP, POP3, Portmapper, Rlogin,
 		RPC, Rsh, SMB, SMTP, SSH,
-#ifdef USE_OPENSSL
 		SSL,
-#endif
 		Telnet,
 
 		// Application-layer analyzers, binpac-generated.
@@ -40,14 +40,14 @@ namespace AnalyzerTag {
 
 		// Other
 		File, Backdoor, InterConn, SteppingStone, TCPStats,
+		ConnSize,
+
 
 		// Support-analyzers
 		Contents, ContentLine, NVT, Zip, Contents_DNS, Contents_NCP,
 		Contents_NetbiosSSN, Contents_Rlogin, Contents_Rsh,
 		Contents_DCE_RPC, Contents_SMB, Contents_RPC, Contents_NFS,
-#ifdef USE_OPENSSL
 		Contents_SSL,
-#endif
 		// End-marker.
 		LastAnalyzer
 	};
diff --git a/src/Anon.cc b/src/Anon.cc
index 36e5e05b86..2f44a6cddc 100644
--- a/src/Anon.cc
+++ b/src/Anon.cc
@@ -17,7 +17,7 @@ AnonymizeIPAddr* ip_anonymizer[NUM_ADDR_ANONYMIZATION_METHODS] = {0};
 
 static uint32 rand32()
 	{
-	return ((random() & 0xffff) << 16) | (random() & 0xffff);
+	return ((bro_random() & 0xffff) << 16) | (bro_random() & 0xffff);
 	}
 
 // From tcpdpriv.
diff --git a/src/Attr.cc b/src/Attr.cc
index 5a83d0501b..73685ec8fa 100644
--- a/src/Attr.cc
+++ b/src/Attr.cc
@@ -7,6 +7,7 @@
 #include "Attr.h"
 #include "Expr.h"
 #include "Serializer.h"
+#include "LogMgr.h"
 
 const char* attr_name(attr_tag t)
 	{
@@ -18,7 +19,7 @@ const char* attr_name(attr_tag t)
 		"&persistent", "&synchronized", "&postprocessor",
 		"&encrypt", "&match", "&disable_print_hook",
 		"&raw_output", "&mergeable", "&priority",
-		"&group", "(&tracked)",
+		"&group", "&log", "(&tracked)",
 	};
 
 	return attr_names[int(t)];
@@ -49,6 +50,37 @@ void Attr::Describe(ODesc* d) const
 		}
 	}
 
+void Attr::DescribeReST(ODesc* d) const
+	{
+	d->Add(":bro:attr:`");
+	AddTag(d);
+	d->Add("`");
+
+	if ( expr )
+		{
+		d->SP();
+		d->Add("=");
+		d->SP();
+
+		if ( expr->Type()->Tag() == TYPE_FUNC )
+			d->Add(":bro:type:`func`");
+
+		else if ( expr->Type()->Tag() == TYPE_ENUM )
+			{
+			d->Add(":bro:enum:`");
+			expr->Describe(d);
+			d->Add("`");
+			}
+
+		else
+			{
+			d->Add("``");
+			expr->Describe(d);
+			d-> Add("``");
+			}
+		}
+	}
+
 void Attr::AddTag(ODesc* d) const
 	{
 	if ( d->IsBinary() )
@@ -57,10 +89,11 @@ void Attr::AddTag(ODesc* d) const
 		d->Add(attr_name(Tag()));
 	}
 
-Attributes::Attributes(attr_list* a, BroType* t)
+Attributes::Attributes(attr_list* a, BroType* t, bool arg_in_record)
 	{
 	attrs = new attr_list(a->length());
 	type = t->Ref();
+	in_record = arg_in_record;
 
 	SetLocationInfo(&start_location, &end_location);
 
@@ -161,6 +194,17 @@ void Attributes::Describe(ODesc* d) const
 		}
 	}
 
+void Attributes::DescribeReST(ODesc* d) const
+	{
+	loop_over_list(*attrs, i)
+		{
+		if ( i > 0 )
+			d->Add(" ");
+
+		(*attrs)[i]->DescribeReST(d);
+		}
+	}
+
 void Attributes::CheckAttr(Attr* a)
 	{
 	switch ( a->Tag() ) {
@@ -199,27 +243,72 @@ void Attributes::CheckAttr(Attr* a)
 		{
 		BroType* atype = a->AttrExpr()->Type();
 
-		if ( type->Tag() != TYPE_TABLE || type->IsSet() )
+		if ( type->Tag() != TYPE_TABLE || (type->IsSet() && ! in_record) )
 			{
-			if ( ! same_type(atype, type) )
-				a->AttrExpr()->Error("&default value has inconsistent type", type);
-			break;
+			if ( same_type(atype, type) )
+				// Ok.
+				break;
+
+			// Record defaults may be promotable.
+			if ( (type->Tag() == TYPE_RECORD && atype->Tag() == TYPE_RECORD &&
+			      record_promotion_compatible(atype->AsRecordType(),
+							  type->AsRecordType())) )
+				// Ok.
+				break;
+
+			a->AttrExpr()->Error("&default value has inconsistent type", type);
 			}
 
 		TableType* tt = type->AsTableType();
+		BroType* ytype = tt->YieldType();
 
-		if ( ! same_type(atype, tt->YieldType()) )
+		if ( ! in_record )
 			{
-			// It can still be a default function.
-			if ( atype->Tag() == TYPE_FUNC )
+			// &default applies to the type itself.
+			if ( ! same_type(atype, ytype) )
 				{
-				FuncType* f = atype->AsFuncType();
-				if ( ! f->CheckArgs(tt->IndexTypes()) ||
-				     ! same_type(f->YieldType(), tt->YieldType()) )
-					Error("&default function type clash");
+				// It can still be a default function.
+				if ( atype->Tag() == TYPE_FUNC )
+					{
+					FuncType* f = atype->AsFuncType();
+					if ( ! f->CheckArgs(tt->IndexTypes()) ||
+					     ! same_type(f->YieldType(), ytype) )
+						Error("&default function type clash");
+
+					// Ok.
+					break;
+					}
+
+				// Table defaults may be promotable.
+				if ( (ytype->Tag() == TYPE_RECORD && atype->Tag() == TYPE_RECORD &&
+				      record_promotion_compatible(atype->AsRecordType(),
+								  ytype->AsRecordType())) )
+					// Ok.
+					break;
+
+				Error("&default value has inconsistent type 2");
 				}
-			else
-				Error("&default value has inconsistent type");
+
+			// Ok.
+			break;
+			}
+
+		else
+			{
+			// &default applies to record field.
+
+			if ( same_type(atype, type) ||
+			     (atype->Tag() == TYPE_TABLE && atype->AsTableType()->IsUnspecifiedTable()) )
+				// Ok.
+				break;
+
+			// Table defaults may be promotable.
+			if ( (ytype->Tag() == TYPE_RECORD && atype->Tag() == TYPE_RECORD &&
+			      record_promotion_compatible(atype->AsRecordType(), ytype->AsRecordType())) )
+				// Ok.
+				break;
+
+			Error("&default value has inconsistent type");
 			}
 		}
 		break;
@@ -316,10 +405,12 @@ void Attributes::CheckAttr(Attr* a)
 	case ATTR_GROUP:
 		if ( type->Tag() != TYPE_FUNC ||
 		     ! type->AsFuncType()->IsEvent() )
-			{
 			Error("&group only applicable to events");
-			break;
-			}
+		break;
+
+	case ATTR_LOG:
+		if ( ! LogVal::IsCompatibleType(type) )
+			Error("&log applied to a type that cannot be logged");
 		break;
 
 	default:
@@ -327,6 +418,41 @@ void Attributes::CheckAttr(Attr* a)
 	}
 	}
 
+bool Attributes::operator==(const Attributes& other) const
+	{
+	if ( ! attrs )
+		return other.attrs;
+
+	if ( ! other.attrs )
+		return false;
+
+	loop_over_list(*attrs, i)
+		{
+		Attr* a = (*attrs)[i];
+		Attr* o = other.FindAttr(a->Tag());
+
+		if ( ! o )
+			return false;
+
+		if ( ! (*a == *o) )
+			return false;
+		}
+
+	loop_over_list(*other.attrs, j)
+		{
+		Attr* o = (*other.attrs)[j];
+		Attr* a = FindAttr(o->Tag());
+
+		if ( ! a )
+			return false;
+
+		if ( ! (*a == *o) )
+			return false;
+		}
+
+	return true;
+	}
+
 bool Attributes::Serialize(SerialInfo* info) const
 	{
 	return SerialObj::Serialize(info);
diff --git a/src/Attr.h b/src/Attr.h
index 73fb101841..bdde98b4a7 100644
--- a/src/Attr.h
+++ b/src/Attr.h
@@ -35,6 +35,7 @@ typedef enum {
 	ATTR_MERGEABLE,
 	ATTR_PRIORITY,
 	ATTR_GROUP,
+	ATTR_LOG,
 	ATTR_TRACKED,	// hidden attribute, tracked by NotifierRegistry
 #define NUM_ATTRS (int(ATTR_TRACKED) + 1)
 } attr_tag;
@@ -51,6 +52,21 @@ public:
 		{ return tag == ATTR_REDEF || tag == ATTR_OPTIONAL; }
 
 	void Describe(ODesc* d) const;
+	void DescribeReST(ODesc* d) const;
+
+	bool operator==(const Attr& other) const
+		{
+		if ( tag != other.tag )
+			return false;
+
+		if ( expr || other.expr )
+			// If any has an expression and they aren't the same object, we
+			// declare them unequal, as we can't really find out if the two
+			// expressions are equivalent.
+			return (expr == other.expr);
+
+		return true;
+		}
 
 protected:
 	void AddTag(ODesc* d) const;
@@ -62,7 +78,7 @@ protected:
 // Manages a collection of attributes.
 class Attributes : public BroObj {
 public:
-	Attributes(attr_list* a, BroType* t);
+	Attributes(attr_list* a, BroType* t, bool in_record);
 	~Attributes();
 
 	void AddAttr(Attr* a);
@@ -73,12 +89,15 @@ public:
 	void RemoveAttr(attr_tag t);
 
 	void Describe(ODesc* d) const;
+	void DescribeReST(ODesc* d) const;
 
 	attr_list* Attrs()	{ return attrs; }
 
 	bool Serialize(SerialInfo* info) const;
 	static Attributes* Unserialize(UnserialInfo* info);
 
+	bool operator==(const Attributes& other) const;
+
 protected:
 	Attributes()	{ type = 0; attrs = 0; }
 	void CheckAttr(Attr* attr);
@@ -87,6 +106,7 @@ protected:
 
 	BroType* type;
 	attr_list* attrs;
+	bool in_record;
 };
 
 #endif
diff --git a/src/BitTorrentTracker.cc b/src/BitTorrentTracker.cc
index be72a17d26..aaf925f196 100644
--- a/src/BitTorrentTracker.cc
+++ b/src/BitTorrentTracker.cc
@@ -8,13 +8,8 @@
 #include <sys/types.h>
 #include <regex.h>
 
-#ifdef USE_INT64
-# define FMT_INT "%lld"
-# define FMT_UINT "%llu"
-#else
-# define FMT_INT "%d"
-# define FMT_UINT "%u"
-#endif
+# define FMT_INT "%" PRId64
+# define FMT_UINT "%" PRIu64
 
 static TableType* bt_tracker_headers = 0;
 static RecordType* bittorrent_peer;
diff --git a/src/BroDoc.cc b/src/BroDoc.cc
new file mode 100644
index 0000000000..6958e645cb
--- /dev/null
+++ b/src/BroDoc.cc
@@ -0,0 +1,363 @@
+#include <cstdio>
+#include <cstdarg>
+#include <string>
+#include <list>
+#include <algorithm>
+
+#include "BroDoc.h"
+#include "BroDocObj.h"
+
+BroDoc::BroDoc(const std::string& sourcename)
+	{
+#ifdef DEBUG
+	fprintf(stdout, "Documenting source: %s\n", sourcename.c_str());
+#endif
+	source_filename = sourcename.substr(sourcename.find_last_of('/') + 1);
+
+	size_t ext_pos = source_filename.find_last_of('.');
+	std::string ext = source_filename.substr(ext_pos + 1);
+
+	if ( ext_pos == std::string::npos || ext != "bro" )
+		{
+		if ( source_filename != "bro.init" && source_filename != "<stdin>" )
+			{
+			fprintf(stderr,
+				"Warning: documenting file without .bro extension: %s\n",
+				sourcename.c_str());
+			}
+		else
+			{
+			// Force the reST documentation file to be "bro.init.rst".
+			ext_pos = std::string::npos;
+			}
+		}
+
+	reST_filename = source_filename.substr(0, ext_pos);
+	reST_filename += ".rst";
+	reST_file = fopen(reST_filename.c_str(), "w");
+
+	if ( ! reST_file )
+		fprintf(stderr, "Failed to open %s", reST_filename.c_str());
+#ifdef DEBUG
+	else
+		fprintf(stdout, "Created reST document: %s\n", reST_filename.c_str());
+#endif
+	}
+
+BroDoc::~BroDoc()
+	{
+	if ( reST_file && fclose( reST_file ) )
+		fprintf(stderr, "Failed to close %s", reST_filename.c_str());
+
+	FreeBroDocObjPtrList(all);
+	}
+
+void BroDoc::AddImport(const std::string& s)
+	{
+	size_t ext_pos = s.find_last_of('.');
+
+	if ( ext_pos == std::string::npos )
+		imports.push_back(s);
+	else
+		imports.push_back(s.substr(0, ext_pos));
+	}
+
+void BroDoc::SetPacketFilter(const std::string& s)
+	{
+	packet_filter = s;
+	size_t pos1 = s.find("{\n");
+	size_t pos2 = s.find("}");
+
+	if ( pos1 != std::string::npos && pos2 != std::string::npos )
+		packet_filter = s.substr(pos1 + 2, pos2 - 2);
+
+	bool has_non_whitespace = false;
+
+	for ( std::string::const_iterator it = packet_filter.begin();
+		it != packet_filter.end(); ++it )
+		{
+		if ( *it != ' ' && *it != '\t' && *it != '\n' && *it != '\r' )
+			{
+			has_non_whitespace = true;
+			break;
+			}
+		}
+
+	if ( ! has_non_whitespace )
+		packet_filter.clear();
+	}
+
+void BroDoc::AddPortAnalysis(const std::string& analyzer,
+			const std::string& ports)
+	{
+	std::string reST_string = analyzer + "::\n" + ports + "\n\n";
+	port_analysis.push_back(reST_string);
+	}
+
+void BroDoc::WriteDocFile() const
+	{
+	WriteToDoc(".. Automatically generated.  Do not edit.\n\n");
+
+	WriteSectionHeading(source_filename.c_str(), '=');
+
+	WriteToDoc("\n:download:`Original Source File <%s>`\n\n",
+		source_filename.c_str());
+
+	WriteSectionHeading("Overview", '-');
+	WriteStringList("%s\n", "%s\n\n", summary);
+
+	if ( ! imports.empty() )
+		{
+		WriteToDoc(":Imports: ");
+		std::list<std::string>::const_iterator it;
+		for ( it = imports.begin(); it != imports.end(); ++it )
+			{
+			if ( it != imports.begin() )
+				WriteToDoc(", ");
+
+			WriteToDoc(":doc:`%s </policy/%s>`", it->c_str(), it->c_str());
+			}
+		WriteToDoc("\n");
+		}
+
+	WriteToDoc("\n");
+
+	WriteInterface("Summary", '~', '#', true, true);
+
+	if ( ! modules.empty() )
+		{
+		WriteSectionHeading("Namespaces", '~');
+		WriteStringList(".. bro:namespace:: %s\n", modules);
+		WriteToDoc("\n");
+		}
+
+	if ( ! notices.empty() )
+		WriteBroDocObjList(notices, "Notices", '~');
+
+	WriteInterface("Public Interface", '-', '~', true, false);
+
+	if ( ! port_analysis.empty() )
+		{
+		WriteSectionHeading("Port Analysis", '-');
+		WriteToDoc(":ref:`More Information <common_port_analysis_doc>`\n\n");
+		WriteStringList("%s", port_analysis);
+		}
+
+	if ( ! packet_filter.empty() )
+		{
+		WriteSectionHeading("Packet Filter", '-');
+		WriteToDoc(":ref:`More Information <common_packet_filter_doc>`\n\n");
+		WriteToDoc("Filters added::\n\n");
+		WriteToDoc("%s\n", packet_filter.c_str());
+		}
+
+	BroDocObjList::const_iterator it;
+	bool hasPrivateIdentifiers = false;
+
+	for ( it = all.begin(); it != all.end(); ++it )
+		{
+		if ( ! IsPublicAPI(*it) )
+			{
+			hasPrivateIdentifiers = true;
+			break;
+			}
+		}
+
+	if ( hasPrivateIdentifiers )
+		WriteInterface("Private Interface", '-', '~', false, false);
+	}
+
+void BroDoc::WriteInterface(const char* heading, char underline,
+			char sub, bool isPublic, bool isShort) const
+	{
+	WriteSectionHeading(heading, underline);
+	WriteBroDocObjList(options, isPublic, "Options", sub, isShort);
+	WriteBroDocObjList(constants, isPublic, "Constants", sub, isShort);
+	WriteBroDocObjList(state_vars, isPublic, "State Variables", sub, isShort);
+	WriteBroDocObjList(types, isPublic, "Types", sub, isShort);
+	WriteBroDocObjList(events, isPublic, "Events", sub, isShort);
+	WriteBroDocObjList(functions, isPublic, "Functions", sub, isShort);
+	WriteBroDocObjList(redefs, isPublic, "Redefinitions", sub, isShort);
+	}
+
+void BroDoc::WriteStringList(const char* format, const char* last_format,
+			const std::list<std::string>& l) const
+	{
+	if ( l.empty() )
+		{
+		WriteToDoc("\n");
+		return;
+		}
+
+	std::list<std::string>::const_iterator it;
+	std::list<std::string>::const_iterator last = l.end();
+	last--;
+
+	for ( it = l.begin(); it != last; ++it )
+		WriteToDoc(format, it->c_str());
+
+	WriteToDoc(last_format, last->c_str());
+	}
+
+void BroDoc::WriteBroDocObjTable(const BroDocObjList& l) const
+	{
+	int max_id_col = 0;
+	int max_com_col = 0;
+	BroDocObjList::const_iterator it;
+
+	for ( it = l.begin(); it != l.end(); ++it )
+		{
+		int c = (*it)->ColumnSize();
+
+		if ( c > max_id_col )
+			max_id_col = c;
+
+		c = (*it)->LongestShortDescLen();
+
+		if ( c > max_com_col )
+			max_com_col = c;
+		}
+
+	// Start table.
+	WriteRepeatedChar('=', max_id_col);
+	WriteToDoc(" ");
+
+	if ( max_com_col == 0 )
+		WriteToDoc("=");
+	else
+		WriteRepeatedChar('=', max_com_col);
+
+	WriteToDoc("\n");
+
+	for ( it = l.begin(); it != l.end(); ++it )
+		{
+		if ( it != l.begin() )
+			WriteToDoc("\n\n");
+		(*it)->WriteReSTCompact(reST_file, max_id_col);
+		}
+
+	// End table.
+	WriteToDoc("\n");
+	WriteRepeatedChar('=', max_id_col);
+	WriteToDoc(" ");
+
+	if ( max_com_col == 0 )
+		WriteToDoc("=");
+	else
+		WriteRepeatedChar('=', max_com_col);
+
+	WriteToDoc("\n\n");
+	}
+
+void BroDoc::WriteBroDocObjList(const BroDocObjList& l, bool wantPublic,
+			const char* heading, char underline, bool isShort) const
+	{
+	if ( l.empty() )
+		return;
+
+	BroDocObjList::const_iterator it;
+	bool (*f_ptr)(const BroDocObj* o) = 0;
+
+	if ( wantPublic )
+		f_ptr = IsPublicAPI;
+	else
+		f_ptr = IsPrivateAPI;
+
+	it = std::find_if(l.begin(), l.end(), f_ptr);
+
+	if ( it == l.end() )
+		return;
+
+	WriteSectionHeading(heading, underline);
+
+	BroDocObjList filtered_list;
+
+	while ( it != l.end() )
+		{
+		filtered_list.push_back(*it);
+		it = find_if(++it, l.end(), f_ptr);
+		}
+
+	if ( isShort )
+		WriteBroDocObjTable(filtered_list);
+	else
+		WriteBroDocObjList(filtered_list);
+	}
+
+void BroDoc::WriteBroDocObjList(const BroDocObjMap& m, bool wantPublic,
+			const char* heading, char underline, bool isShort) const
+	{
+	BroDocObjMap::const_iterator it;
+	BroDocObjList l;
+
+	for ( it = m.begin(); it != m.end(); ++it )
+		l.push_back(it->second);
+
+	WriteBroDocObjList(l, wantPublic, heading, underline, isShort);
+	}
+
+void BroDoc::WriteBroDocObjList(const BroDocObjList& l, const char* heading,
+			char underline) const
+	{
+	WriteSectionHeading(heading, underline);
+	WriteBroDocObjList(l);
+	}
+
+void BroDoc::WriteBroDocObjList(const BroDocObjList& l) const
+	{
+	for ( BroDocObjList::const_iterator it = l.begin(); it != l.end(); ++it )
+		(*it)->WriteReST(reST_file);
+	}
+
+void BroDoc::WriteBroDocObjList(const BroDocObjMap& m, const char* heading,
+			char underline) const
+	{
+	BroDocObjMap::const_iterator it;
+	BroDocObjList l;
+
+	for ( it = m.begin(); it != m.end(); ++it )
+		l.push_back(it->second);
+
+	WriteBroDocObjList(l, heading, underline);
+	}
+
+void BroDoc::WriteToDoc(const char* format, ...) const
+	{
+	va_list argp;
+	va_start(argp, format);
+	vfprintf(reST_file, format, argp);
+	va_end(argp);
+	}
+
+void BroDoc::WriteSectionHeading(const char* heading, char underline) const
+	{
+	WriteToDoc("%s\n", heading);
+	WriteRepeatedChar(underline, strlen(heading));
+	WriteToDoc("\n");
+	}
+
+void BroDoc::WriteRepeatedChar(char c, size_t n) const
+	{
+	for ( size_t i = 0; i < n; ++i )
+		WriteToDoc("%c", c);
+	}
+
+void BroDoc::FreeBroDocObjPtrList(BroDocObjList& l)
+	{
+	for ( BroDocObjList::const_iterator it = l.begin(); it != l.end(); ++it )
+		delete *it;
+
+	l.clear();
+	}
+
+void BroDoc::AddFunction(BroDocObj* o)
+	{
+	BroDocObjMap::const_iterator it = functions.find(o->Name());
+	if ( it == functions.end() )
+		{
+		functions[o->Name()] = o;
+		all.push_back(o);
+		}
+	else
+		functions[o->Name()]->Combine(o);
+	}
diff --git a/src/BroDoc.h b/src/BroDoc.h
new file mode 100644
index 0000000000..4538f5616e
--- /dev/null
+++ b/src/BroDoc.h
@@ -0,0 +1,362 @@
+#ifndef brodoc_h
+#define brodoc_h
+
+#include <cstdio>
+#include <cstdarg>
+#include <string>
+#include <list>
+
+#include "BroDocObj.h"
+
+/**
+ * This class is used to gather all data relevant to the automatic generation
+ * of a reStructuredText (reST) document from a given Bro script.
+ */
+class BroDoc {
+public:
+	/**
+	 * BroDoc constructor
+	 * Given a Bro script, opens new file in the current working directory
+	 * that will contain reST documentation generated from the parsing
+	 * of the Bro script.  The new reST file will be named similar to
+	 * the filename of the Bro script that generates it, except any
+	 * ".bro" file extension is stripped and ".rst" takes it place.
+	 * If the filename doesn't end in ".bro", then ".rst" is just appended.
+	 * @param sourcename The name of the Bro script for which to generate
+	 *        documentation.  May contain a path.
+	 */
+	BroDoc(const std::string& sourcename);
+
+	/**
+	 * BroDoc destructor
+	 * Closes the file that was opened by the constructor and frees up
+	 * memory taken by BroDocObj objects.
+	 */
+	virtual ~BroDoc();
+
+	/**
+	 * Write out full reST documentation for the Bro script that was parsed.
+	 * BroDoc's default implementation of this function will care
+	 * about whether declarations made in the Bro script are part of
+	 * the public versus private interface (whether things are declared in
+	 * the export section).
+	 */
+	virtual void WriteDocFile() const;
+
+	/**
+	 * Schedules some summarizing text to be output directly into the reST doc.
+	 * This should be called whenever the scanner sees a line in the Bro script
+	 * starting with "##!"
+	 * @param s The summary text to add to the reST doc.
+	 */
+	void AddSummary(const std::string& s)	{ summary.push_back(s); }
+
+	/**
+	 * Schedules an import (@load) to be documented.
+	 * If the script being loaded has a .bro suffix, it is internally stripped.
+	 * This should be called whenever the scanner sees an @load.
+	 * @param s The name of the imported script.
+	 */
+	void AddImport(const std::string& s);
+
+	/**
+	 * Schedules a namespace (module) to be documented.
+	 * This should be called whenever the parser sees a TOK_MODULE.
+	 * @param s The namespace (module) identifier's name.
+	 */
+	void AddModule(const std::string& s)	{ modules.push_back(s); }
+
+	/**
+	 * Sets the way the script changes the "capture_filters" table.
+	 * This is determined by the scanner checking for changes to
+	 * the "capture_filters" table after each of Bro's input scripts
+	 * (given as command line arguments to Bro) are finished being parsed.
+	 * @param s The value "capture_filters" as given by TableVal::Describe()
+	 */
+	void SetPacketFilter(const std::string& s);
+
+	/**
+	 * Schedules documentation of a given set of ports being associated
+	 * with a particular analyzer as a result of the current script
+	 * being loaded -- the way the "dpd_config" table is changed.
+	 * @param analyzer An analyzer that changed the "dpd_config" table.
+	 * @param ports The set of ports assigned to the analyzer in table.
+	 */
+	void AddPortAnalysis(const std::string& analyzer, const std::string& ports);
+
+	/**
+	 * Schedules documentation of a script option.  An option is
+	 * defined as any variable in the script that is declared 'const'
+	 * and has the '&redef' attribute.
+	 * @param o A pointer to a BroDocObj which contains the internal
+	 *        Bro language representation of the script option and
+	 *        also any associated comments about it.
+	 */
+	void AddOption(const BroDocObj* o)
+		{
+		options.push_back(o);
+		all.push_back(o);
+		}
+
+	/**
+	 * Schedules documentation of a script constant.  An option is
+	 * defined as any variable in the script that is declared 'const'
+	 * and does *not* have the '&redef' attribute.
+	 * @param o A pointer to a BroDocObj which contains the internal
+	 *        Bro language representation of the script constant and
+	 *        also any associated comments about it.
+	 */
+	void AddConstant(const BroDocObj* o)
+		{
+		constants.push_back(o);
+		all.push_back(o);
+		}
+
+	/**
+	 * Schedules documentation of a script state variable.  A state variable
+	 * is defined as any variable in the script that is declared 'global'
+	 * @param o A pointer to a BroDocObj which contains the internal
+	 *        Bro language representation of the script state variable
+	 *        and also any associated comments about it.
+	 */
+	void AddStateVar(const BroDocObj* o)
+		{
+		state_vars.push_back(o);
+		all.push_back(o);
+		}
+
+	/**
+	 * Schedules documentation of a type declared by the script.
+	 * @param o A pointer to a BroDocObj which contains the internal
+	 *        Bro language representation of the script option and
+	 *        also any associated comments about it.
+	 */
+	void AddType(const BroDocObj* o)
+		{
+		types.push_back(o);
+		all.push_back(o);
+		}
+
+	/**
+	 * Schedules documentation of a Notice (enum redef) declared by script
+	 * @param o A pointer to a BroDocObj which contains the internal
+	 *        Bro language representation of the Notice and also
+	 *        any associated comments about it.
+	 */
+	void AddNotice(const BroDocObj* o)
+		{
+		notices.push_back(o);
+		all.push_back(o);
+		}
+
+	/**
+	 * Schedules documentation of an event declared by the script.
+	 * @param o A pointer to a BroDocObj which contains the internal
+	 *        Bro language representation of the script event and
+	 *        also any associated comments about it.
+	 */
+	void AddEvent(const BroDocObj* o)
+		{
+		events.push_back(o);
+		all.push_back(o);
+		}
+
+	/**
+	 * Schedules documentation of a function declared by the script.
+	 * @param o A pointer to a BroDocObj which contains the internal
+	 *        Bro language representation of the script function and
+	 *        also any associated comments about it.
+	 */
+	void AddFunction(BroDocObj* o);
+
+	/**
+	 * Schedules documentation of a redef done by the script
+	 * @param o A pointer to a BroDocObj which contains the internal
+	 *        Bro language representation of the script identifier
+	 *        that was redefined and also any associated comments.
+	 */
+	void AddRedef(const BroDocObj* o)
+		{
+		redefs.push_back(o);
+		all.push_back(o);
+		}
+
+	/**
+	 * Gets the name of the Bro script source file for which reST
+	 * documentation is being generated.
+	 * @return A char* to the start of the source file's name.
+	 */
+	const char* GetSourceFileName() const
+		{
+		return source_filename.c_str();
+		}
+
+	/**
+	 * Gets the name of the generated reST documentation file.
+	 * @return A char* to the start of the generated reST file's name.
+	 */
+	const char* GetOutputFileName() const
+		{
+		return reST_filename.c_str();
+		}
+
+protected:
+	FILE* reST_file;
+	std::string reST_filename;
+	std::string source_filename;
+	std::string packet_filter;
+
+	std::list<std::string> modules;
+	std::list<std::string> summary;
+	std::list<std::string> imports;
+	std::list<std::string> port_analysis;
+
+	typedef std::list<const BroDocObj*> BroDocObjList;
+	typedef std::map<std::string, BroDocObj*> BroDocObjMap;
+
+	BroDocObjList options;
+	BroDocObjList constants;
+	BroDocObjList state_vars;
+	BroDocObjList types;
+	BroDocObjList notices;
+	BroDocObjList events;
+	BroDocObjMap functions;
+	BroDocObjList redefs;
+
+	BroDocObjList all;
+
+	/**
+	 * Writes out a list of strings to the reST document.
+	 * If the list is empty, prints a newline character.
+	 * @param format A printf style format string for elements of the list
+	 *        except for the last one in the list
+	 * @param last_format A printf style format string to use for the last
+	 *        element of the list
+	 * @param l A reference to a list of strings
+	 */
+	void WriteStringList(const char* format, const char* last_format,
+			const std::list<std::string>& l) const;
+
+	/**
+	 * @see WriteStringList(const char*, const char*,
+	 *                      const std::list<std::string>&>)
+	 */
+	void WriteStringList(const char* format,
+			const std::list<std::string>& l) const
+		{
+		WriteStringList(format, format, l);
+		}
+
+
+	/**
+	 * Writes out a table of BroDocObj's to the reST document
+	 * @param l A list of BroDocObj pointers
+	 */
+	void WriteBroDocObjTable(const BroDocObjList& l) const;
+
+	/**
+	 * Writes out a list of BroDocObj objects to the reST document
+	 * @param l A list of BroDocObj pointers
+	 * @param wantPublic If true, filter out objects that are not declared
+	 *        in the global scope.  If false, filter out those that are in
+	 *        the global scope.
+	 * @param heading The title of the section to create in the reST doc.
+	 * @param underline The character to use to underline the reST
+	 *        section heading.
+	 * @param isShort Whether to write the full documentation or a "short"
+	 *        version (a single sentence)
+	 */
+	void WriteBroDocObjList(const BroDocObjList& l, bool wantPublic,
+			const char* heading, char underline,
+			bool isShort) const;
+
+	/**
+	 * Wraps the BroDocObjMap into a BroDocObjList and the writes that list
+	 * to the reST document
+	 * @see WriteBroDocObjList(const BroDocObjList&, bool, const char*, char,
+	        bool)
+	 */
+	void WriteBroDocObjList(const BroDocObjMap& m, bool wantPublic,
+			const char* heading, char underline,
+			bool isShort) const;
+
+	/**
+	 * Writes out a list of BroDocObj objects to the reST document
+	 * @param l A list of BroDocObj pointers
+	 * @param heading The title of the section to create in the reST doc.
+	 * @param underline The character to use to underline the reST
+	 *        section heading.
+	 */
+	void WriteBroDocObjList(const BroDocObjList& l, const char* heading,
+			char underline) const;
+
+	/**
+	 * Writes out a list of BroDocObj objects to the reST document
+	 * @param l A list of BroDocObj pointers
+	 */
+	void WriteBroDocObjList(const BroDocObjList& l) const;
+
+	/**
+	 * Wraps the BroDocObjMap into a BroDocObjList and the writes that list
+	 * to the reST document
+	 * @see WriteBroDocObjList(const BroDocObjList&, const char*, char)
+	 */
+	void WriteBroDocObjList(const BroDocObjMap& m, const char* heading,
+			char underline) const;
+
+	/**
+	 * A wrapper to fprintf() that always uses the reST document
+	 * for the FILE* argument.
+	 * @param format A printf style format string.
+	 */
+	void WriteToDoc(const char* format, ...) const;
+
+	/**
+	 * Writes out a reST section heading
+	 * @param heading The title of the heading to create
+	 * @param underline The character to use to underline the section title
+	 *        within the reST document
+	 */
+	void WriteSectionHeading(const char* heading, char underline) const;
+
+	/**
+	 * Writes out given number of characters to reST document
+	 * @param c the character to write
+	 * @param n the number of characters to write
+	 */
+	void WriteRepeatedChar(char c, size_t n) const;
+
+	/**
+	 * Writes out the reST for either the script's public or private interface
+	 * @param heading The title of the interfaces section heading
+	 * @param underline The underline character to use for the interface
+	 *        section
+	 * @param subunderline The underline character to use for interface
+	 *        sub-sections
+	 * @param isPublic Whether to write out the public or private script
+	 *        interface
+	 * @param isShort Whether to write out the full documentation or a "short"
+	 *        description (a single sentence)
+	 */
+	void WriteInterface(const char* heading, char underline, char subunderline,
+			bool isPublic, bool isShort) const;
+private:
+
+	/**
+	 * Frees memory allocated to BroDocObj's objects in a given list.
+	 * @param a reference to a list of BroDocObj pointers
+	 */
+	void FreeBroDocObjPtrList(BroDocObjList& l);
+
+	static bool IsPublicAPI(const BroDocObj* o)
+		{
+		return o->IsPublicAPI();
+		}
+
+	static bool IsPrivateAPI(const BroDocObj* o)
+		{
+		return ! o->IsPublicAPI();
+		}
+};
+
+#endif
diff --git a/src/BroDocObj.cc b/src/BroDocObj.cc
new file mode 100644
index 0000000000..d9fe16632b
--- /dev/null
+++ b/src/BroDocObj.cc
@@ -0,0 +1,168 @@
+#include <cstdio>
+#include <string>
+#include <list>
+#include "ID.h"
+#include "BroDocObj.h"
+
+BroDocObj::BroDocObj(const ID* id, std::list<std::string>*& reST,
+			bool is_fake)
+	{
+	broID = id;
+	reST_doc_strings = reST;
+	reST = 0;
+	is_fake_id = is_fake;
+	use_role = 0;
+	FormulateShortDesc();
+	}
+
+BroDocObj::~BroDocObj()
+	{
+	if ( reST_doc_strings )
+		delete reST_doc_strings;
+
+	if ( is_fake_id )
+		delete broID;
+	}
+
+void BroDocObj::WriteReSTCompact(FILE* file, int max_col) const
+	{
+	ODesc desc;
+	desc.SetQuotes(1);
+	broID->DescribeReSTShort(&desc);
+
+	fprintf(file, "%s", desc.Description());
+
+	std::list<std::string>::const_iterator it;
+
+	for ( it = short_desc.begin(); it != short_desc.end(); ++it )
+		{
+		int start_col;
+
+		if ( it == short_desc.begin() )
+			start_col = max_col - desc.Len() + 1;
+		else
+			{
+			start_col = max_col + 1;
+			fprintf(file, "\n");
+			}
+
+		for ( int i = 0; i < start_col; ++i )
+			fprintf(file, " ");
+
+		fprintf(file, "%s", it->c_str());
+		}
+	}
+
+int BroDocObj::LongestShortDescLen() const
+	{
+	size_t max = 0;
+
+	std::list<std::string>::const_iterator it;
+
+	for ( it = short_desc.begin(); it != short_desc.end(); ++it )
+		{
+		if ( it->size() > max )
+			max = it->size();
+		}
+
+	return max;
+	}
+
+void BroDocObj::FormulateShortDesc()
+	{
+	if ( ! reST_doc_strings )
+		return;
+
+	short_desc.clear();
+	std::list<std::string>::const_iterator it;
+
+	for ( it = reST_doc_strings->begin();
+		it != reST_doc_strings->end(); ++it )
+		{
+		// The short description stops at the first sentence or the
+		// first empty comment.
+		size_t end = it->find_first_of(".");
+
+		if ( end == string::npos )
+			{
+			std::string::const_iterator s;
+			bool empty = true;
+
+			for ( s = it->begin(); s != it->end(); ++s )
+				{
+				if ( *s != ' ' && *s != '\t' && *s != '\n' && *s != '\r' )
+					{
+					empty = false;
+					short_desc.push_back(*it);
+					break;
+					}
+				}
+			
+			if ( empty )
+				break;
+			}
+		else
+			{
+			short_desc.push_back(it->substr(0, end + 1));
+			break;
+			}
+		}
+	}
+
+void BroDocObj::WriteReST(FILE* file) const
+	{
+	int indent_spaces = 3;
+	ODesc desc;
+	desc.SetIndentSpaces(indent_spaces);
+	desc.SetQuotes(1);
+
+	broID->DescribeReST(&desc, use_role);
+
+	fprintf(file, "%s", desc.Description());
+
+	if ( HasDocumentation() )
+		{
+		fprintf(file, "\n");
+		std::list<std::string>::const_iterator it;
+
+		for ( it = reST_doc_strings->begin();
+			it != reST_doc_strings->end(); ++it)
+			{
+			for ( int i = 0; i < indent_spaces; ++i )
+				fprintf(file, " ");
+
+			fprintf(file, "%s\n", it->c_str());
+			}
+		}
+
+	fprintf(file, "\n");
+	}
+
+int BroDocObj::ColumnSize() const
+	{
+	ODesc desc;
+	desc.SetQuotes(1);
+	broID->DescribeReSTShort(&desc);
+	return desc.Len();
+	}
+
+bool BroDocObj::IsPublicAPI() const
+	{
+	return (broID->Scope() == SCOPE_GLOBAL) ||
+		(broID->Scope() == SCOPE_MODULE && broID->IsExport());
+	}
+
+void BroDocObj::Combine(const BroDocObj* o)
+	{
+	if ( o->reST_doc_strings )
+		{
+		if ( ! reST_doc_strings )
+			reST_doc_strings = new std::list<std::string>();
+
+		reST_doc_strings->splice(reST_doc_strings->end(),
+			*(o->reST_doc_strings));
+		}
+
+	delete o;
+	FormulateShortDesc();
+	}
diff --git a/src/BroDocObj.h b/src/BroDocObj.h
new file mode 100644
index 0000000000..0ad96afa86
--- /dev/null
+++ b/src/BroDocObj.h
@@ -0,0 +1,123 @@
+#ifndef brodocobj_h
+#define brodocobj_h
+
+#include <cstdio>
+#include <string>
+#include <list>
+
+#include "ID.h"
+
+/**
+ * This class wraps a Bro script identifier, providing methods relevant
+ * to automatic generation of reStructuredText (reST) documentation for it.
+ */
+class BroDocObj {
+public:
+	/**
+	 * BroDocObj constructor
+	 * @param id a pointer to an identifier that is to be documented
+	 * @param reST a reference to a pointer of a list of strings that
+	 *        represent the reST documentation for the ID.  The pointer
+	 *        will be set to 0 after this constructor finishes.
+	 * @param is_fake whether the ID* is a dummy just for doc purposes
+	 */
+	BroDocObj(const ID* id, std::list<std::string>*& reST,
+			bool is_fake = false);
+
+	/**
+	 * BroDocObj destructor
+	 * Deallocates the memory associated with the list of reST strings
+	 */
+	~BroDocObj();
+
+	/**
+	 * Writes the reST representation of this object which includes
+	 * 1) a reST friendly description of the ID
+	 * 2) "##" or "##<" stylized comments.
+	 *    Anything after these style of comments is inserted as-is into
+	 *    the reST document.
+	 * @param file The (already opened) file to write the reST to.
+	 */
+	void WriteReST(FILE* file) const;
+
+	/**
+	 * Writes a compact version of the ID and associated documentation
+	 * for insertion into a table.
+	 * @param file The (already opened) file to write the reST to.
+	 * @param max_col The maximum length of the first table column
+	 */
+	void WriteReSTCompact(FILE* file, int max_col) const;
+
+	/**
+	 * @return the column size required by the reST representation of the ID
+	 */
+	int ColumnSize() const;
+
+	/**
+	 * Check whether this documentation is part of the public API.  In
+	 * other words, this means that the identifier is declared as part of
+	 * the global scope (has GLOBAL namespace or is exported from another
+	 * namespace).
+	 * @return true if the identifier is part of the script's public API
+	 */
+	bool IsPublicAPI() const;
+
+	/**
+	 * Return whether this object has documentation (## comments)
+	 * @return true if the ID has comments associated with it
+	 */
+	bool HasDocumentation() const
+		{
+		return reST_doc_strings && reST_doc_strings->size() > 0;
+		}
+
+	/**
+	 * @return whether this object will use reST role (T) or directive (F)
+	 * notation for the wrapped identifier.  Roles are usually used
+	 * for cross-referencing.
+	 */
+	bool UseRole() const	{ return use_role; }
+
+	/**
+	 * @param b whether this object will use reST role (T) or directive (F)
+	 * notation for the wrapped identifier.  Roles are usually used
+	 * for cross-referencing.
+	 */
+	void SetRole(bool b)	{ use_role = b; }
+
+	/**
+	 * Append any reST documentation strings in a given BroDocObj to this
+	 * object's list and then delete the given BroDocObj
+	 * @param o a pointer to a BroDocObj to subsume
+	 */
+	void Combine(const BroDocObj* o);
+
+	/**
+	 * @return the name of the wrapped identifier
+	 */
+	const char* Name() const	{ return broID->Name(); }
+
+	/**
+	 * @return the longest string element of the short description's list of
+	 *         strings
+	 */
+	int LongestShortDescLen() const;
+
+protected:
+	std::list<std::string>* reST_doc_strings;
+	std::list<std::string> short_desc;
+	const ID* broID;
+	bool is_fake_id; /**< Whether the ID* is a dummy just for doc purposes */
+	bool use_role; /**< Whether to use a reST role or directive for the ID */
+
+	/**
+	 * Set the short_desc member to be a subset of reST_doc_strings.
+	 * Specifically, short_desc will be everything in reST_doc_strings
+	 * up until the first period or first empty string list element found.
+	 */
+	void FormulateShortDesc();
+
+private:
+};
+
+#endif
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
new file mode 100644
index 0000000000..bcf15db597
--- /dev/null
+++ b/src/CMakeLists.txt
@@ -0,0 +1,439 @@
+include_directories(${CMAKE_CURRENT_SOURCE_DIR}
+                    ${CMAKE_CURRENT_BINARY_DIR}
+)
+
+configure_file(version.c.in ${CMAKE_CURRENT_BINARY_DIR}/version.c)
+
+# This creates a custom command to transform a bison output file (inFile)
+# into outFile in order to avoid symbol conflicts:
+# - replaces instances of 'yylex' in inFile with yylexPrefix
+# - replaces instances of 'yy' in inFile with yyPrefix
+# - deletes instances of 'extern char.*getenv' in inFile
+# - writes results to outFile and adds it to list TRANSFORMED_BISON_OUTPUTS
+macro(REPLACE_YY_PREFIX_TARGET inFile outFile yylexPrefix yyPrefix)
+    set(args "'/extern char.*getenv/d")
+    set(args "${args}\;s/yylex/${yylexPrefix}lex/")
+    set(args "${args}\;s/yy/${yyPrefix}/g'" < ${inFile} > ${outFile})
+    add_custom_command(OUTPUT ${outFile}
+                       COMMAND ${SED_EXE}
+                       ARGS ${args}
+                       DEPENDS ${inFile}
+                       COMMENT "[sed] replacing stuff in ${inFile}"
+    )
+    list(APPEND TRANSFORMED_BISON_OUTPUTS ${outFile})
+endmacro(REPLACE_YY_PREFIX_TARGET)
+
+########################################################################
+## Create targets to generate parser and scanner code
+
+set(BISON_FLAGS "--debug")
+
+# BIF parser/scanner
+bison_target(BIFParser builtin-func.y
+             ${CMAKE_CURRENT_BINARY_DIR}/bif_parse.cc
+             HEADER ${CMAKE_CURRENT_BINARY_DIR}/bif_parse.h
+             VERBOSE ${CMAKE_CURRENT_BINARY_DIR}/bif_parse.output
+             COMPILE_FLAGS "${BISON_FLAGS}")
+flex_target(BIFScanner builtin-func.l ${CMAKE_CURRENT_BINARY_DIR}/bif_lex.cc)
+add_flex_bison_dependency(BIFScanner BIFParser)
+
+# Rule parser/scanner
+bison_target(RuleParser rule-parse.y
+             ${CMAKE_CURRENT_BINARY_DIR}/rup.cc
+             HEADER ${CMAKE_CURRENT_BINARY_DIR}/rup.h
+             VERBOSE ${CMAKE_CURRENT_BINARY_DIR}/rule_parse.output
+             COMPILE_FLAGS "${BISON_FLAGS}")
+replace_yy_prefix_target(${CMAKE_CURRENT_BINARY_DIR}/rup.cc
+                         ${CMAKE_CURRENT_BINARY_DIR}/rule-parse.cc
+                         rules_ rules_)
+replace_yy_prefix_target(${CMAKE_CURRENT_BINARY_DIR}/rup.h
+                         ${CMAKE_CURRENT_BINARY_DIR}/rule-parse.h
+                         rules_ rules_)
+flex_target(RuleScanner rule-scan.l ${CMAKE_CURRENT_BINARY_DIR}/rule-scan.cc
+            COMPILE_FLAGS "-Prules_")
+
+# RE parser/scanner
+bison_target(REParser re-parse.y
+             ${CMAKE_CURRENT_BINARY_DIR}/rep.cc
+             HEADER ${CMAKE_CURRENT_BINARY_DIR}/re-parse.h
+             VERBOSE ${CMAKE_CURRENT_BINARY_DIR}/re_parse.output
+             COMPILE_FLAGS "${BISON_FLAGS}")
+replace_yy_prefix_target(${CMAKE_CURRENT_BINARY_DIR}/rep.cc
+                         ${CMAKE_CURRENT_BINARY_DIR}/re-parse.cc
+                         re_ RE_)
+flex_target(REScanner re-scan.l ${CMAKE_CURRENT_BINARY_DIR}/re-scan.cc
+            COMPILE_FLAGS "-Pre_")
+add_flex_bison_dependency(REScanner REParser)
+
+# Parser/Scanner
+bison_target(Parser parse.y
+             ${CMAKE_CURRENT_BINARY_DIR}/p.cc
+             HEADER ${CMAKE_CURRENT_BINARY_DIR}/broparse.h
+             VERBOSE ${CMAKE_CURRENT_BINARY_DIR}/parse.output
+             COMPILE_FLAGS "${BISON_FLAGS}")
+replace_yy_prefix_target(${CMAKE_CURRENT_BINARY_DIR}/p.cc
+                         ${CMAKE_CURRENT_BINARY_DIR}/parse.cc
+                         bro yy)
+flex_target(Scanner scan.l ${CMAKE_CURRENT_BINARY_DIR}/scan.cc
+            COMPILE_FLAGS "-Pbro")
+
+########################################################################
+## bifcl (BIF compiler) target
+
+set(bifcl_SRCS
+   ${BISON_BIFParser_INPUT}
+   ${FLEX_BIFScanner_INPUT}
+   ${BISON_BIFParser_OUTPUTS}
+   ${FLEX_BIFScanner_OUTPUTS}
+   bif_arg.cc
+   module_util.cc
+   bif_arg.h
+   module_util.h
+)
+
+add_executable(bifcl ${bifcl_SRCS})
+
+target_link_libraries(bifcl)
+
+########################################################################
+## bifcl-dependent targets
+
+# A macro to define a command that uses the BIF compiler to produce
+# C++ segments and Bro language declarations from .bif file
+# The outputs are appended to list ALL_BIF_OUTPUTS
+# Outputs that should be installed are appended to INSTALL_BIF_OUTPUTS
+macro(BIF_TARGET bifInput)
+    get_bif_output_files(${bifInput} bifOutputs)
+    add_custom_command(OUTPUT ${bifOutputs}
+                       COMMAND bifcl
+                       ARGS ${CMAKE_CURRENT_SOURCE_DIR}/${bifInput} || (rm -f ${bifOutputs} && exit 1)
+                       DEPENDS ${bifInput}
+                       DEPENDS bifcl
+                       COMMENT "[BIFCL] Processing ${bifInput}"
+    )
+    list(APPEND ALL_BIF_OUTPUTS ${bifOutputs})
+    list(APPEND INSTALL_BIF_OUTPUTS
+         ${CMAKE_CURRENT_BINARY_DIR}/${bifInput}.bro)
+endmacro(BIF_TARGET)
+
+# returns a list of output files that bifcl will produce
+# for given input file in ${outputFileVar}
+macro(GET_BIF_OUTPUT_FILES inputFile outputFileVar)
+    set(${outputFileVar}
+        ${inputFile}.bro
+        ${inputFile}.func_def
+        ${inputFile}.func_h
+        ${inputFile}.func_init
+        ${inputFile}.netvar_def
+        ${inputFile}.netvar_h
+        ${inputFile}.netvar_init
+    )
+endmacro(GET_BIF_OUTPUT_FILES)
+
+set(BIF_SRCS
+    bro.bif
+    logging.bif
+    event.bif
+    const.bif
+    types.bif
+    strings.bif
+)
+
+foreach (bift ${BIF_SRCS})
+    bif_target(${bift})
+endforeach ()
+
+########################################################################
+## BinPAC-dependent targets
+
+set(BINPAC_AUXSRC
+    binpac.pac
+    bro.pac
+    binpac_bro.h
+)
+
+# A macro to define a command that uses the BinPac compiler to
+# produce C++ code that implements a protocol parser/analyzer
+# The outputs of the command are appended to list ALL_BINPAC_OUTPUTS
+# All arguments to this macro are appended to list ALL_BINPAC_INPUTS
+macro(BINPAC_TARGET pacFile)
+    get_filename_component(basename ${pacFile} NAME_WE)
+    add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${basename}_pac.h
+                              ${CMAKE_CURRENT_BINARY_DIR}/${basename}_pac.cc
+                       COMMAND ${BinPAC_EXE}
+                       ARGS -q -d ${CMAKE_CURRENT_BINARY_DIR}
+                            -I ${CMAKE_CURRENT_SOURCE_DIR}
+                            ${CMAKE_CURRENT_SOURCE_DIR}/${pacFile}
+                       DEPENDS ${BinPAC_EXE} ${pacFile}
+                               ${BINPAC_AUXSRC} ${ARGN}
+                       COMMENT "[BINPAC] Processing ${pacFile}"
+    )
+    list(APPEND ALL_BINPAC_INPUTS ${ARGV})
+    list(APPEND ALL_BINPAC_OUTPUTS
+         ${CMAKE_CURRENT_BINARY_DIR}/${basename}_pac.h
+         ${CMAKE_CURRENT_BINARY_DIR}/${basename}_pac.cc) 
+endmacro(BINPAC_TARGET)
+
+binpac_target(binpac-lib.pac)
+binpac_target(binpac_bro-lib.pac)
+binpac_target(bittorrent.pac
+    bittorrent-protocol.pac bittorrent-analyzer.pac)
+binpac_target(dce_rpc.pac
+    dce_rpc-protocol.pac dce_rpc-analyzer.pac epmapper.pac)
+binpac_target(dce_rpc_simple.pac
+    dce_rpc-protocol.pac epmapper.pac)
+binpac_target(dhcp.pac
+    dhcp-protocol.pac dhcp-analyzer.pac)
+binpac_target(dns.pac
+    dns-protocol.pac dns-analyzer.pac)
+binpac_target(dns_tcp.pac
+    dns.pac)
+binpac_target(http.pac
+    http-protocol.pac http-analyzer.pac)
+binpac_target(ncp.pac)
+binpac_target(netflow.pac
+    netflow-protocol.pac netflow-analyzer.pac)
+binpac_target(rpc.pac
+    rpc-analyzer.pac portmap-analyzer.pac)
+binpac_target(smb.pac
+    smb-protocol.pac smb-pipe.pac smb-mailslot.pac)
+binpac_target(ssl.pac
+    ssl-defs.pac ssl-protocol.pac ssl-analyzer.pac)
+binpac_target(ssl-record-layer.pac
+    ssl-defs.pac ssl.pac)
+
+########################################################################
+## bro target
+
+# This macro stores associated headers for any C/C++ source files given
+# as arguments (past _var) as a list in the CMake variable named "_var".
+macro(COLLECT_HEADERS _var)
+    foreach (src ${ARGN})
+        get_filename_component(ext ${src} EXT)
+        if (${ext} STREQUAL ".cc" OR ${ext} STREQUAL ".c")
+            get_filename_component(base ${src} NAME_WE)
+            get_filename_component(dir ${src} PATH)
+            if (NOT "${dir}")
+                set(dir ${CMAKE_CURRENT_SOURCE_DIR})
+            endif ()
+            set(header "${dir}/${base}.h")
+            if (EXISTS ${header})
+                list(APPEND ${_var} ${header})
+            endif ()
+        endif ()
+    endforeach ()
+endmacro(COLLECT_HEADERS _var)
+
+# define a command that's used to run the make_dbg_constants.pl script
+# building the bro binary depends on the outputs of this script
+add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/DebugCmdConstants.h
+                          ${CMAKE_CURRENT_BINARY_DIR}/DebugCmdInfoConstants.cc
+                   COMMAND ${PERL_EXECUTABLE}
+                   ARGS ${CMAKE_CURRENT_SOURCE_DIR}/make_dbg_constants.pl
+                        ${CMAKE_CURRENT_SOURCE_DIR}/DebugCmdInfoConstants.in
+                   DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/make_dbg_constants.pl
+                           ${CMAKE_CURRENT_SOURCE_DIR}/DebugCmdInfoConstants.in
+                   COMMENT "[Perl] Processing debug commands"
+                   WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}
+)
+
+set(dns_SRCS nb_dns.c)
+set_source_files_properties(nb_dns.c PROPERTIES COMPILE_FLAGS
+                            -fno-strict-aliasing)
+
+set(openssl_SRCS
+    X509.cc
+    SSLCiphers.cc
+    SSLInterpreter.cc
+    SSLProxy.cc
+    SSLv2.cc
+    SSLv3.cc
+    SSLv3Automaton.cc
+)
+
+if (USE_NMALLOC)
+    set(malloc_SRCS malloc.c)
+endif ()
+
+set(bro_SRCS
+    ${CMAKE_CURRENT_BINARY_DIR}/version.c
+    ${BIF_SRCS}
+    ${ALL_BIF_OUTPUTS}
+    ${BINPAC_AUXSRC}
+    ${ALL_BINPAC_INPUTS}
+    ${ALL_BINPAC_OUTPUTS}
+    ${TRANSFORMED_BISON_OUTPUTS}
+    ${FLEX_RuleScanner_OUTPUTS}
+    ${FLEX_RuleScanner_INPUT}
+    ${BISON_RuleParser_INPUT}
+    ${FLEX_REScanner_OUTPUTS}
+    ${FLEX_REScanner_INPUT}
+    ${BISON_REParser_INPUT}
+    ${FLEX_Scanner_OUTPUTS}
+    ${FLEX_Scanner_INPUT}
+    ${BISON_Parser_INPUT}
+    ${CMAKE_CURRENT_BINARY_DIR}/DebugCmdConstants.h
+    main.cc
+    net_util.cc
+    util.cc
+    module_util.cc
+    Analyzer.cc
+    Anon.cc
+    ARP.cc
+    Attr.cc
+    BackDoor.cc
+    Base64.cc
+    BitTorrent.cc
+    BitTorrentTracker.cc
+    BPF_Program.cc
+    BroDoc.cc
+    BroDocObj.cc
+    BroString.cc
+    CCL.cc
+    ChunkedIO.cc
+    CompHash.cc
+    Conn.cc
+    ConnCompressor.cc
+    ConnSizeAnalyzer.cc
+    ContentLine.cc
+    DCE_RPC.cc
+    DFA.cc
+    DHCP-binpac.cc
+    DNS.cc
+    DNS-binpac.cc
+    DNS_Mgr.cc
+    DbgBreakpoint.cc
+    DbgHelp.cc
+    DbgWatch.cc
+    Debug.cc
+    DebugCmds.cc
+    DebugLogger.cc
+    Desc.cc
+    Dict.cc
+    Discard.cc
+    DPM.cc
+    EquivClass.cc
+    Event.cc
+    EventHandler.cc
+    EventLauncher.cc
+    EventRegistry.cc
+    Expr.cc
+    FTP.cc
+    File.cc
+    FileAnalyzer.cc
+    Finger.cc
+    FlowSrc.cc
+    Frag.cc
+    Frame.cc
+    Func.cc
+    Gnutella.cc
+    HTTP.cc
+    HTTP-binpac.cc
+    Hash.cc
+    ICMP.cc
+    ID.cc
+    Ident.cc
+    IntSet.cc
+    InterConn.cc
+    IOSource.cc
+    IRC.cc
+    List.cc
+    Logger.cc
+    LogMgr.cc
+    LogWriter.cc
+    LogWriterAscii.cc
+    Login.cc
+    MIME.cc
+    NCP.cc
+    NFA.cc
+    NFS.cc
+    NTP.cc
+    NVT.cc
+    Net.cc
+    NetVar.cc
+    NetbiosSSN.cc
+    Obj.cc
+    OSFinger.cc
+    PacketFilter.cc
+    PacketSort.cc
+    PersistenceSerializer.cc
+    PktSrc.cc
+    PIA.cc
+    PolicyFile.cc
+    POP3.cc
+    Portmap.cc
+    PrefixTable.cc
+    PriorityQueue.cc
+    Queue.cc
+    RandTest.cc
+    RE.cc
+    RPC.cc
+    Reassem.cc
+    RemoteSerializer.cc
+    Rlogin.cc
+    RSH.cc
+    Rule.cc
+    RuleAction.cc
+    RuleCondition.cc
+    RuleMatcher.cc
+    ScriptAnaly.cc
+    SmithWaterman.cc
+    SMB.cc
+    SMTP.cc
+    SSH.cc
+    SSL-binpac.cc
+    Scope.cc
+    SerializationFormat.cc
+    SerialObj.cc
+    Serializer.cc
+    Sessions.cc
+    StateAccess.cc
+    Stats.cc
+    SteppingStone.cc
+    Stmt.cc
+    TCP.cc
+    TCP_Endpoint.cc
+    TCP_Reassembler.cc
+    Telnet.cc
+    Timer.cc
+    Traverse.cc
+    Trigger.cc
+    Type.cc
+    UDP.cc
+    Val.cc
+    Var.cc
+    XDR.cc
+    ZIP.cc
+    bsd-getopt-long.c
+    cq.c
+    md5.c
+    patricia.c
+    setsignal.c
+    PacketDumper.cc
+    strsep.c
+    ${dns_SRCS}
+    ${malloc_SRCS}
+    ${openssl_SRCS}
+)
+
+collect_headers(bro_HEADERS ${bro_SRCS})
+
+add_definitions(-DPOLICYDEST="${POLICYDIR}")
+
+add_executable(bro ${bro_SRCS} ${bro_HEADERS})
+
+set(brolibs
+    ${BinPAC_LIBRARY}
+    ${PCAP_LIBRARY}
+    ${OpenSSL_LIBRARIES}
+    ${BIND_LIBRARY}
+    ${OPTLIBS}
+)
+
+target_link_libraries(bro ${brolibs})
+
+install(TARGETS bro DESTINATION bin)
+install(FILES ${INSTALL_BIF_OUTPUTS} DESTINATION ${POLICYDIR})
+
+set(BRO_EXE bro
+    CACHE STRING "Bro executable binary" FORCE)
diff --git a/src/ChunkedIO.cc b/src/ChunkedIO.cc
index 7eb2158184..9ca8f23508 100644
--- a/src/ChunkedIO.cc
+++ b/src/ChunkedIO.cc
@@ -7,6 +7,9 @@
 #include <sys/time.h>
 #include <netinet/in.h>
 #include <assert.h>
+#include <openssl/ssl.h>
+
+#include <algorithm>
 
 #include "config.h"
 #include "ChunkedIO.h"
@@ -139,7 +142,7 @@ bool ChunkedIOFd::Write(Chunk* chunk)
 	{
 #ifdef DEBUG
 	DBG_LOG(DBG_CHUNKEDIO, "write of size %d [%s]",
-		chunk->len, fmt_bytes(chunk->data, min(20, chunk->len)));
+		chunk->len, fmt_bytes(chunk->data, min((uint32)20, chunk->len)));
 #endif
 
 	// Reject if our queue of pending chunks is way too large. Otherwise,
@@ -165,13 +168,13 @@ bool ChunkedIOFd::Write(Chunk* chunk)
 
 	// We have to split it up.
 	char* p = chunk->data;
-	unsigned long left = chunk->len;
+	uint32 left = chunk->len;
 
 	while ( left )
 		{
 		Chunk* part = new Chunk;
 
-		part->len = min(BUFFER_SIZE - sizeof(uint32), left);
+		part->len = min<uint32>(BUFFER_SIZE - sizeof(uint32), left);
 		part->data = new char[part->len];
 		memcpy(part->data, p, part->len);
 		left -= part->len;
@@ -426,7 +429,7 @@ bool ChunkedIOFd::Read(Chunk** chunk, bool may_block)
 				(*chunk)->len & ~FLAG_PARTIAL,
 				(*chunk)->len & FLAG_PARTIAL ? "(P) " : "",
 				fmt_bytes((*chunk)->data,
-						min(20, (*chunk)->len)));
+						min((uint32)20, (*chunk)->len)));
 #endif
 
 	if ( ! ((*chunk)->len & FLAG_PARTIAL) )
@@ -650,11 +653,6 @@ void ChunkedIOFd::Stats(char* buffer, int length)
 	ChunkedIO::Stats(buffer + i, length - i);
 	}
 
-
-#ifdef USE_OPENSSL
-
-#include <openssl/ssl.h>
-
 SSL_CTX* ChunkedIOSSL::ctx;
 
 ChunkedIOSSL::ChunkedIOSSL(int arg_socket, bool arg_server)
@@ -1174,8 +1172,6 @@ void ChunkedIOSSL::Stats(char* buffer, int length)
 	ChunkedIO::Stats(buffer + i, length - i);
 	}
 
-#endif	/* USE_OPENSSL */
-
 #ifdef HAVE_LIBZ
 
 bool CompressedChunkedIO::Init()
diff --git a/src/ChunkedIO.h b/src/ChunkedIO.h
index 393f6c8d5d..516f0f7ddc 100644
--- a/src/ChunkedIO.h
+++ b/src/ChunkedIO.h
@@ -11,6 +11,13 @@
 
 #include <list>
 
+#ifdef NEED_KRB5_H
+# include <krb5.h>
+#endif 
+
+#include <openssl/ssl.h>
+#include <openssl/err.h>
+
 class CompressedChunkedIO;
 
 // #define DEBUG_COMMUNICATION 10
@@ -214,17 +221,7 @@ private:
 	pid_t pid;
 };
 
-#ifdef USE_OPENSSL
-
-#ifdef NEED_KRB5_H
-# include <krb5.h>
-#endif 
-
-#include <openssl/ssl.h>
-#include <openssl/err.h>
-
 // Chunked I/O using an SSL connection.
-
 class ChunkedIOSSL : public ChunkedIO {
 public:
 	// Argument is an open socket and a flag indicating whether we are the
@@ -287,8 +284,6 @@ private:
 	static SSL_CTX* ctx;
 };
 
-#endif	/* USE_OPENSSL */
-
 #ifdef HAVE_LIBZ
 
 #include <zlib.h>
diff --git a/src/CompHash.cc b/src/CompHash.cc
index 2e0870303c..69b3d9c38d 100644
--- a/src/CompHash.cc
+++ b/src/CompHash.cc
@@ -65,11 +65,22 @@ CompositeHash::~CompositeHash()
 
 // Computes the piece of the hash for Val*, returning the new kp.
 char* CompositeHash::SingleValHash(int type_check, char* kp0,
-					BroType* bt, Val* v) const
+				   BroType* bt, Val* v, bool optional) const
 	{
 	char* kp1 = 0;
 	InternalTypeTag t = bt->InternalType();
 
+	if ( optional )
+		{
+		// Add a marker saying whether the optional field is set.
+		char* kp = AlignAndPadType<char>(kp0);
+		*kp = ( v ? 1 : 0);
+		kp0 = reinterpret_cast<char*>(kp+1);
+
+		if ( ! v ) 
+			return kp0;
+		}
+
 	if ( type_check )
 		{
 		InternalTypeTag vt = v->Type()->InternalType();
@@ -163,12 +174,16 @@ char* CompositeHash::SingleValHash(int type_check, char* kp0,
 			for ( int i = 0; i < num_fields; ++i )
 				{
 				Val* rv_i = rv->Lookup(i);
-				if ( ! rv_i )
+
+				Attributes* a = rt->FieldDecl(i)->attrs;
+				bool optional = (a && a->FindAttr(ATTR_OPTIONAL));
+
+				if ( ! (rv_i || optional) )
 					return 0;
 
 				if ( ! (kp = SingleValHash(type_check, kp,
 							   rt->FieldType(i),
-							   rv_i)) )
+							   rv_i, optional)) )
 					return 0;
 				}
 
@@ -248,7 +263,7 @@ HashKey* CompositeHash::ComputeHash(const Val* v, int type_check) const
 	char* kp = k;
 	loop_over_list(*tl, i)
 		{
-		kp = SingleValHash(type_check, kp, (*tl)[i], (*vl)[i]);
+		kp = SingleValHash(type_check, kp, (*tl)[i], (*vl)[i], false);
 		if ( ! kp )
 			return 0;
 		}
@@ -315,10 +330,13 @@ HashKey* CompositeHash::ComputeSingletonHash(const Val* v, int type_check) const
 	}
 
 int CompositeHash::SingleTypeKeySize(BroType* bt, const Val* v,
-					int type_check, int sz) const
+				     int type_check, int sz, bool optional) const
 	{
 	InternalTypeTag t = bt->InternalType();
 
+	if ( optional )
+		sz = SizeAlign(sz, sizeof(char));
+
 	if ( type_check && v )
 		{
 		InternalTypeTag vt = v->Type()->InternalType();
@@ -369,9 +387,12 @@ int CompositeHash::SingleTypeKeySize(BroType* bt, const Val* v,
 
 			for ( int i = 0; i < num_fields; ++i )
 				{
+				Attributes* a = rt->FieldDecl(i)->attrs;
+				bool optional = (a && a->FindAttr(ATTR_OPTIONAL));
+
 				sz = SingleTypeKeySize(rt->FieldType(i),
-							rv ? rv->Lookup(i) : 0,
-							type_check, sz);
+						       rv ? rv->Lookup(i) : 0,
+						       type_check, sz, optional);
 				if ( ! sz )
 					return 0;
 				}
@@ -386,7 +407,7 @@ int CompositeHash::SingleTypeKeySize(BroType* bt, const Val* v,
 
 	case TYPE_INTERNAL_STRING:
 		if ( ! v )
-			return 0;
+			return optional ? sz : 0;
 
 		// Factor in length field.
 		sz = SizeAlign(sz, sizeof(int));
@@ -418,7 +439,7 @@ int CompositeHash::ComputeKeySize(const Val* v, int type_check) const
 	loop_over_list(*tl, i)
 		{
 		sz = SingleTypeKeySize((*tl)[i], v ? v->AsListVal()->Index(i) : 0,
-				       type_check, sz);
+				       type_check, sz, false);
 		if ( ! sz )
 			return 0;
 		}
@@ -495,20 +516,20 @@ ListVal* CompositeHash::RecoverVals(const HashKey* k) const
 	loop_over_list(*tl, i)
 		{
 		Val* v;
-		kp = RecoverOneVal(k, kp, k_end, (*tl)[i], v);
+		kp = RecoverOneVal(k, kp, k_end, (*tl)[i], v, false);
 		ASSERT(v);
 		l->Append(v);
 		}
 
 	if ( kp != k_end )
-		internal_error("under-ran key in CompositeHash::DescribeKey");
+		internal_error("under-ran key in CompositeHash::DescribeKey %ld", k_end - kp);
 
 	return l;
 	}
 
 const char* CompositeHash::RecoverOneVal(const HashKey* k, const char* kp0,
 					 const char* const k_end, BroType* t,
-					 Val*& pval) const
+					 Val*& pval, bool optional) const
 	{
 	// k->Size() == 0 for a single empty string.
 	if ( kp0 >= k_end && k->Size() > 0 )
@@ -516,9 +537,20 @@ const char* CompositeHash::RecoverOneVal(const HashKey* k, const char* kp0,
 
 	TypeTag tag = t->Tag();
 	InternalTypeTag it = t->InternalType();
-
 	const char* kp1 = 0;
 
+	if ( optional )
+		{
+		const char* kp = AlignType<char>(kp0);
+		kp0 = kp1 = reinterpret_cast<const char*>(kp+1);
+
+		if ( ! *kp )
+			{
+			pval = 0;
+			return kp0;
+			}
+		}
+
 	switch ( it ) {
 	case TYPE_INTERNAL_INT:
 		{
@@ -647,9 +679,13 @@ const char* CompositeHash::RecoverOneVal(const HashKey* k, const char* kp0,
 			for ( i = 0; i < num_fields; ++i )
 				{
 				Val* v;
+
+				Attributes* a = rt->FieldDecl(i)->attrs;
+				bool optional = (a && a->FindAttr(ATTR_OPTIONAL));
+
 				kp = RecoverOneVal(k, kp, k_end,
-				                   rt->FieldType(i), v);
-				if ( ! v )
+				                   rt->FieldType(i), v, optional);
+				if ( ! (v || optional) )
 					{
 					internal_error("didn't recover expected number of fields from HashKey");
 					pval = 0;
diff --git a/src/CompHash.h b/src/CompHash.h
index a0632e1bfe..d3bde770b8 100644
--- a/src/CompHash.h
+++ b/src/CompHash.h
@@ -29,8 +29,8 @@ protected:
 
 	// Computes the piece of the hash for Val*, returning the new kp.
 	// Used as a helper for ComputeHash in the non-singleton case.
-	char* SingleValHash(int type_check, char* kp,
-				BroType* bt, Val* v) const;
+	char* SingleValHash(int type_check, char* kp, BroType* bt, Val* v,
+			    bool optional) const;
 
 	// Recovers just one Val of possibly many; called from RecoverVals.
 	// Upon return, pval will point to the recovered Val of type t.
@@ -38,7 +38,7 @@ protected:
 	// upon errors, so there is no return value for invalid input.
 	const char* RecoverOneVal(const HashKey* k,
 				  const char* kp, const char* const k_end,
-				  BroType* t, Val*& pval) const;
+				  BroType* t, Val*& pval, bool optional) const;
 
 	// Rounds the given pointer up to the nearest multiple of the
 	// given size, if not already a multiple.
@@ -77,7 +77,7 @@ protected:
 	int ComputeKeySize(const Val* v = 0, int type_check = 1) const;
 
 	int SingleTypeKeySize(BroType*, const Val*,
-				int type_check, int sz) const;
+			      int type_check, int sz, bool optional) const;
 
 	TypeList* type;
 	char* key;	// space for composite key
diff --git a/src/Conn.cc b/src/Conn.cc
index 50afe41d0c..8ef756b134 100644
--- a/src/Conn.cc
+++ b/src/Conn.cc
@@ -152,7 +152,6 @@ Connection::Connection(NetSessions* s, HashKey* k, double t, const ConnID* id)
 	proto = TRANSPORT_UNKNOWN;
 
 	conn_val = 0;
-	orig_endp = resp_endp = 0;
 	login_conn = 0;
 
 	is_active = 1;
@@ -182,6 +181,8 @@ Connection::Connection(NetSessions* s, HashKey* k, double t, const ConnID* id)
 	TimerMgr::Tag* tag = current_iosrc->GetCurrentTag();
 	conn_timer_mgr = tag ? new TimerMgr::Tag(*tag) : 0;
 
+	uid = 0; // Will set later.
+
 	if ( conn_timer_mgr )
 		{
 		++external_connections;
@@ -215,6 +216,56 @@ Connection::~Connection()
 		--external_connections;
 	}
 
+uint64 Connection::uid_counter = 0;
+uint64 Connection::uid_instance = 0;
+
+uint64 Connection::CalculateNextUID()
+	{
+	if ( uid_instance == 0 )
+		{
+		// This is the first time we need a UID.
+
+		if ( ! have_random_seed() )
+			{
+			// If we don't need deterministic output (as
+			// indicated by a set seed), we calculate the
+			// instance ID by hashing something likely to be
+			// globally unique.
+			struct {
+				char hostname[128];
+				struct timeval time;
+				pid_t pid;
+				int rnd;
+			} unique;
+
+			gethostname(unique.hostname, 128);
+			unique.hostname[sizeof(unique.hostname)-1] = '\0';
+			gettimeofday(&unique.time, 0);
+			unique.pid = getpid();
+			unique.rnd = bro_random();
+
+			uid_instance = HashKey::HashBytes(&unique, sizeof(unique));
+			++uid_instance; // Now it's larger than zero.
+			}
+
+		else
+			// Generate determistic UIDs.
+			uid_instance = 1;
+		}
+
+	// Now calculate the unique ID for this connection.
+	struct {
+		uint64 counter;
+		hash_t instance;
+	} key;
+
+	key.counter = ++uid_counter;
+	key.instance = uid_instance;
+
+	uint64_t h = HashKey::HashBytes(&key, sizeof(key));
+	return h;
+	}
+
 void Connection::Done()
 	{
 	finished = 1;
@@ -346,14 +397,15 @@ RecordVal* Connection::BuildConnVal()
 		id_val->Assign(1, new PortVal(ntohs(orig_port), prot_type));
 		id_val->Assign(2, new AddrVal(resp_addr));
 		id_val->Assign(3, new PortVal(ntohs(resp_port), prot_type));
+
 		conn_val->Assign(0, id_val);
 
-		orig_endp = new RecordVal(endpoint);
+		RecordVal *orig_endp = new RecordVal(endpoint);
 		orig_endp->Assign(0, new Val(0, TYPE_COUNT));
 		orig_endp->Assign(1, new Val(0, TYPE_COUNT));
 		conn_val->Assign(1, orig_endp);
 
-		resp_endp = new RecordVal(endpoint);
+		RecordVal *resp_endp = new RecordVal(endpoint);
 		resp_endp->Assign(0, new Val(0, TYPE_COUNT));
 		resp_endp->Assign(1, new Val(0, TYPE_COUNT));
 		conn_val->Assign(2, resp_endp);
@@ -363,13 +415,16 @@ RecordVal* Connection::BuildConnVal()
 		conn_val->Assign(6, new StringVal(""));	// addl
 		conn_val->Assign(7, new Val(0, TYPE_COUNT));	// hot
 		conn_val->Assign(8, new StringVal(""));	// history
+
+		if ( ! uid )
+			uid = CalculateNextUID();
+
+		char tmp[20];
+		conn_val->Assign(9, new StringVal(uitoa_n(uid, tmp, sizeof(tmp), 62)));
 		}
 
 	if ( root_analyzer )
-		{
-		root_analyzer->UpdateEndpointVal(orig_endp, 1);
-		root_analyzer->UpdateEndpointVal(resp_endp, 0);
-		}
+		root_analyzer->UpdateConnVal(conn_val);
 
 	conn_val->Assign(3, new Val(start_time, TYPE_TIME));	// ###
 	conn_val->Assign(4, new Val(last_time - start_time, TYPE_INTERVAL));
@@ -744,10 +799,6 @@ void Connection::FlipRoles()
 	resp_port = orig_port;
 	orig_port = tmp_port;
 
-	RecordVal* tmp_rc = resp_endp;
-	resp_endp = orig_endp;
-	orig_endp = tmp_rc;
-
 	Unref(conn_val);
 	conn_val = 0;
 
@@ -755,16 +806,6 @@ void Connection::FlipRoles()
 		root_analyzer->FlipRoles();
 	}
 
-int Connection::RewritingTrace()
-	{
-	return root_analyzer ? root_analyzer->RewritingTrace() : 0;
-	}
-
-Rewriter* Connection::TraceRewriter() const
-	{
-	return root_analyzer ? root_analyzer->TraceRewriter() : 0;
-	}
-
 unsigned int Connection::MemoryAllocation() const
 	{
 	return padded_sizeof(*this)
@@ -853,8 +894,6 @@ bool Connection::DoSerialize(SerialInfo* info) const
 			return false;
 
 	SERIALIZE_OPTIONAL(conn_val);
-	SERIALIZE_OPTIONAL(orig_endp);
-	SERIALIZE_OPTIONAL(resp_endp);
 
 	// FIXME: RuleEndpointState not yet serializable.
 	// FIXME: Analyzers not yet serializable.
@@ -918,10 +957,6 @@ bool Connection::DoUnserialize(UnserialInfo* info)
 
 	UNSERIALIZE_OPTIONAL(conn_val,
 			(RecordVal*) Val::Unserialize(info, connection_type));
-	UNSERIALIZE_OPTIONAL(orig_endp,
-			(RecordVal*) Val::Unserialize(info, endpoint));
-	UNSERIALIZE_OPTIONAL(resp_endp,
-			(RecordVal*) Val::Unserialize(info, endpoint));
 
 	int iproto;
 
diff --git a/src/Conn.h b/src/Conn.h
index bbe3c2b3f6..8a178d783a 100644
--- a/src/Conn.h
+++ b/src/Conn.h
@@ -23,7 +23,6 @@ class RuleHdrTest;
 class Specific_RE_Matcher;
 class TransportLayerAnalyzer;
 class RuleEndpointState;
-class Rewriter;
 
 typedef enum {
 	NUL_IN_LINE,
@@ -135,17 +134,6 @@ public:
 
 	TransportProto ConnTransport() const { return proto; }
 
-	// If we are rewriting the trace of the connection, then we do
-	// not record original packets. We are rewriting if at least one,
-	// then the analyzer is rewriting.
-	int RewritingTrace();
-
-	// If we are rewriting trace, we need a handle to the rewriter.
-	// Returns 0 if not rewriting.  (Note that if multiple analyzers
-	// want to rewrite, only one of them is returned.  It's undefined
-	// which one.)
-	Rewriter* TraceRewriter() const;
-
 	// True if we should record subsequent packets (either headers or
 	// in their entirety, depending on record_contents).  We still
 	// record subsequent SYN/FIN/RST, regardless of how this is set.
@@ -313,7 +301,12 @@ public:
 			::operator delete(((char*) ptr) - 4);
 		}
 
+	void SetUID(uint64 arg_uid)	 { uid = arg_uid; }
+
+	static uint64 CalculateNextUID();
+
 protected:
+
 	Connection()	{ persistent = 0; }
 
 	// Add the given timer to expire at time t.  If do_expire
@@ -345,8 +338,6 @@ protected:
 	double start_time, last_time;
 	double inactivity_timeout;
 	RecordVal* conn_val;
-	RecordVal* orig_endp;
-	RecordVal* resp_endp;
 	LoginConn* login_conn;	// either nil, or this
 	int suppress_event;	// suppress certain events to once per conn.
 
@@ -370,6 +361,11 @@ protected:
 
 	TransportLayerAnalyzer* root_analyzer;
 	PIA* primary_PIA;
+
+	uint64 uid;	// Globally unique connection ID.
+
+	static uint64 uid_counter;	// Counter for uids.
+	static uint64 uid_instance;	// Instance ID, computed once.
 };
 
 class ConnectionTimer : public Timer {
diff --git a/src/ConnCompressor.cc b/src/ConnCompressor.cc
index f38c0dcb89..e6428aeebe 100644
--- a/src/ConnCompressor.cc
+++ b/src/ConnCompressor.cc
@@ -4,6 +4,7 @@
 
 #include "ConnCompressor.h"
 #include "Event.h"
+#include "ConnSizeAnalyzer.h"
 #include "net_util.h"
 
 // The basic model of the compressor is to wait for an answer before
@@ -46,8 +47,10 @@
 //   by the compressor. Matching would require significant additional state
 //   w/o being very helpful.
 //
-// - Trace rewriting doesn't work if the compressor is turned on (this is
-//   not a conceptual problem, but simply not implemented).
+// - If use_conn_size_analyzer is True, the reported counts for bytes and
+//   packets may not account for some packets/data that is part of those
+//   packets which the connection compressor handles. The error, if any, will
+//   however be small.
 
 
 #ifdef DEBUG
@@ -237,7 +240,7 @@ Connection* ConnCompressor::NextPacket(double t, HashKey* key, const IP_Hdr* ip,
 	else if ( addr_eq(ip->SrcAddr(), SrcAddr(pending)) &&
 		  tp->th_sport == SrcPort(pending) )
 		// Another packet from originator.
-		tc = NextFromOrig(pending, t, key, tp);
+		tc = NextFromOrig(pending, t, key, ip, tp);
 
 	else
 		// A reply.
@@ -332,11 +335,15 @@ Connection* ConnCompressor::FirstFromOrig(double t, HashKey* key,
 	}
 
 Connection* ConnCompressor::NextFromOrig(PendingConn* pending, double t,
-						HashKey* key, const tcphdr* tp)
+						HashKey* key, const IP_Hdr* ip,
+						const tcphdr* tp)
 	{
 	// Another packet from the same host without seeing an answer so far.
 	DBG_LOG(DBG_COMPRESSOR, "%s same again", fmt_conn_id(pending));
 
+	++pending->num_pkts;
+	++pending->num_bytes_ip += ip->PayloadLen();
+
 	// New window scale overrides old - not great, this is a (subtle)
 	// evasion opportunity.
 	if ( TCP_Analyzer::ParseTCPOptions(tp, parse_tcp_options, 0, 0,
@@ -391,26 +398,6 @@ Connection* ConnCompressor::NextFromOrig(PendingConn* pending, double t,
 			{
 			if ( (tp->th_flags & TH_ACK) && ! pending->ACK )
 				Weird(pending, t, "repeated_SYN_with_ack");
-			else
-				{
-				// We adjust the start-time. Unfortunately
-				// this means that we have to create a new
-				// PendingConn as all of them need to be
-				// monotonically increasing in time. This
-				// leads to some inconsistencies with TCP.cc,
-				// as by doing this we basically restart our
-				// attempt_timer.
-
-				pending = MoveState(t, pending);
-
-				// Removing is necessary because the key
-				// will be destroyed at some point.
-				conns.Remove(&pending->key, sizeof(pending->key),
-						pending->hash, true);
-				conns.Dictionary::Insert(&pending->key,
-					sizeof(pending->key), pending->hash,
-					MakeMapPtr(pending), 0);
-				}
 			}
 
 		else
@@ -544,6 +531,8 @@ Connection* ConnCompressor::Instantiate(HashKey* key, PendingConn* pending)
 		return 0;
 		}
 
+	new_conn->SetUID(pending->uid);
+
 	DBG_LOG(DBG_COMPRESSOR, "%s instantiated", fmt_conn_id(pending));
 
 	++sizes.connections;
@@ -631,6 +620,9 @@ void ConnCompressor::PktHdrToPendingConn(double time, const HashKey* key,
 	c->FIN = (tp->th_flags & TH_FIN) != 0;
 	c->RST = (tp->th_flags & TH_RST) != 0;
 	c->ACK = (tp->th_flags & TH_ACK) != 0;
+	c->uid = Connection::CalculateNextUID();
+	c->num_bytes_ip = ip->TotalLen();
+	c->num_pkts = 1;
 	c->invalid = 0;
 
 	if ( TCP_Analyzer::ParseTCPOptions(tp, parse_tcp_options, 0, 0, c) < 0 )
@@ -715,17 +707,6 @@ uint8 ConnCompressor::MakeFlags(const PendingConn* c) const
 	return tcp_flags;
 	}
 
-ConnCompressor::PendingConn* ConnCompressor::MoveState(double time,
-							PendingConn* c)
-	{
-	PendingConn* nc = MakeNewState(time);
-	memcpy(nc, c, sizeof(PendingConn));
-	c->invalid = 1;
-	nc->time = time;
-	++sizes.pending_in_mem;
-	return nc;
-	}
-
 ConnCompressor::PendingConn* ConnCompressor::MakeNewState(double t)
 	{
 	// See if there is enough space in the current block.
@@ -882,8 +863,23 @@ void ConnCompressor::Event(const PendingConn* pending, double t,
 							TRANSPORT_TCP));
 			orig_endp->Assign(0, new Val(orig_size, TYPE_COUNT));
 			orig_endp->Assign(1, new Val(orig_state, TYPE_COUNT));
+
+			if ( ConnSize_Analyzer::Available() )
+				{
+				orig_endp->Assign(2, new Val(pending->num_pkts, TYPE_COUNT));
+				orig_endp->Assign(3, new Val(pending->num_bytes_ip, TYPE_COUNT));
+				}
+			else
+				{
+				orig_endp->Assign(2, new Val(0, TYPE_COUNT));
+				orig_endp->Assign(3, new Val(0, TYPE_COUNT));
+				}
+
+
 			resp_endp->Assign(0, new Val(0, TYPE_COUNT));
 			resp_endp->Assign(1, new Val(resp_state, TYPE_COUNT));
+			resp_endp->Assign(2, new Val(0, TYPE_COUNT));
+			resp_endp->Assign(3, new Val(0, TYPE_COUNT));
 			}
 		else
 			{
@@ -893,10 +889,26 @@ void ConnCompressor::Event(const PendingConn* pending, double t,
 			id_val->Assign(2, new AddrVal(SrcAddr(pending)));
 			id_val->Assign(3, new PortVal(ntohs(SrcPort(pending)),
 							TRANSPORT_TCP));
+
 			orig_endp->Assign(0, new Val(0, TYPE_COUNT));
 			orig_endp->Assign(1, new Val(resp_state, TYPE_COUNT));
+			orig_endp->Assign(2, new Val(0, TYPE_COUNT));
+			orig_endp->Assign(3, new Val(0, TYPE_COUNT));
+
 			resp_endp->Assign(0, new Val(orig_size, TYPE_COUNT));
 			resp_endp->Assign(1, new Val(orig_state, TYPE_COUNT));
+
+			if ( ConnSize_Analyzer::Available() )
+				{
+				resp_endp->Assign(2, new Val(pending->num_pkts, TYPE_COUNT));
+				resp_endp->Assign(3, new Val(pending->num_bytes_ip, TYPE_COUNT));
+				}
+			else
+				{
+				resp_endp->Assign(2, new Val(0, TYPE_COUNT));
+				resp_endp->Assign(3, new Val(0, TYPE_COUNT));
+				}
+
 			DBG_LOG(DBG_COMPRESSOR, "%s swapped direction", fmt_conn_id(pending));
 			}
 
@@ -911,6 +923,9 @@ void ConnCompressor::Event(const PendingConn* pending, double t,
 		conn_val->Assign(7, new Val(0, TYPE_COUNT));	// hot
 		conn_val->Assign(8, new StringVal(""));	// history
 
+		char tmp[20]; // uid.
+		conn_val->Assign(9, new StringVal(uitoa_n(pending->uid, tmp, sizeof(tmp), 62)));
+
 		conn_val->SetOrigin(0);
 		}
 
diff --git a/src/ConnCompressor.h b/src/ConnCompressor.h
index f0069024a2..040a120ba9 100644
--- a/src/ConnCompressor.h
+++ b/src/ConnCompressor.h
@@ -97,6 +97,11 @@ public:
 		uint32 ack;
 		hash_t hash;
 		uint16 window;
+		uint64 uid;
+
+		// The following are set if use_conn_size_analyzer is T.
+		uint16 num_pkts;
+		uint16 num_bytes_ip;
 	};
 
 private:
@@ -118,8 +123,8 @@ private:
 					const IP_Hdr* ip, const tcphdr* tp);
 
 	// Called for more packets from the orginator w/o seeing a response.
-	Connection* NextFromOrig(PendingConn* pending,
-				double t, HashKey* key, const tcphdr* tp);
+	Connection* NextFromOrig(PendingConn* pending, double t, HashKey* key,
+					const IP_Hdr* ip, const tcphdr* tp);
 
 	// Called for the first response packet. Instantiates a Connection.
 	Connection* Response(PendingConn* pending, double t, HashKey* key,
@@ -138,10 +143,6 @@ private:
 	// Fakes a TCP packet based on the available information.
 	const IP_Hdr* PendingConnToPacket(const PendingConn* c);
 
-	// For changing the timestamp of PendingConn - allocates a new one,
-	// sets the given time, and copies all other data from old.
-	PendingConn* MoveState(double time, PendingConn* old);
-
 	// Construct a TCP-flags byte.
 	uint8 MakeFlags(const PendingConn* c) const;
 
diff --git a/src/ConnSizeAnalyzer.cc b/src/ConnSizeAnalyzer.cc
new file mode 100644
index 0000000000..c98a9f6827
--- /dev/null
+++ b/src/ConnSizeAnalyzer.cc
@@ -0,0 +1,90 @@
+// $Id$
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+//
+// See ConnSize.h for more extensive comments.
+
+
+#include "ConnSizeAnalyzer.h"
+#include "TCP.h"
+
+
+
+ConnSize_Analyzer::ConnSize_Analyzer(Connection* c)
+: Analyzer(AnalyzerTag::ConnSize, c)
+	{
+	}
+
+
+ConnSize_Analyzer::~ConnSize_Analyzer()
+	{
+	}
+
+void ConnSize_Analyzer::Init()
+	{
+	Analyzer::Init();
+
+	orig_bytes = 0;
+	orig_pkts = 0;
+	resp_bytes = 0;
+	resp_pkts = 0;
+	}
+
+void ConnSize_Analyzer::Done()
+	{
+	Analyzer::Done();
+	}
+
+void ConnSize_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, int seq, const IP_Hdr* ip, int caplen)
+	{
+	Analyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen);
+
+	if ( is_orig )
+		{
+		orig_bytes += ip->TotalLen();
+		orig_pkts ++;
+		}
+	else
+		{
+		resp_bytes += ip->TotalLen();
+		resp_pkts ++;
+		}
+	}
+
+void ConnSize_Analyzer::UpdateConnVal(RecordVal *conn_val)
+	{
+	// RecordType *connection_type is decleared in NetVar.h
+	int orig_endp_idx = connection_type->FieldOffset("orig");
+	int resp_endp_idx = connection_type->FieldOffset("resp");
+	RecordVal *orig_endp = conn_val->Lookup(orig_endp_idx)->AsRecordVal();
+	RecordVal *resp_endp = conn_val->Lookup(resp_endp_idx)->AsRecordVal();
+
+	// endpoint is the RecordType from NetVar.h
+	// TODO: or orig_endp->Type()->AsRecordVal()->FieldOffset()
+	int pktidx = endpoint->FieldOffset("num_pkts");
+	int bytesidx = endpoint->FieldOffset("num_bytes_ip");
+
+	// TODO: error handling?
+	orig_endp->Assign(pktidx, new Val(orig_pkts, TYPE_COUNT));
+	orig_endp->Assign(bytesidx, new Val(orig_bytes, TYPE_COUNT));
+	resp_endp->Assign(pktidx, new Val(resp_pkts, TYPE_COUNT));
+	resp_endp->Assign(bytesidx, new Val(resp_bytes, TYPE_COUNT));
+
+	Analyzer::UpdateConnVal(conn_val);
+	}
+
+
+void ConnSize_Analyzer::FlipRoles()
+	{
+	Analyzer::FlipRoles();
+	uint64_t tmp;
+
+	tmp = orig_bytes;
+	orig_bytes = resp_bytes;
+	resp_bytes = tmp;
+
+	tmp = orig_pkts;
+	orig_pkts = resp_pkts;
+	resp_pkts = tmp;
+	}
+
diff --git a/src/ConnSizeAnalyzer.h b/src/ConnSizeAnalyzer.h
new file mode 100644
index 0000000000..38446b0763
--- /dev/null
+++ b/src/ConnSizeAnalyzer.h
@@ -0,0 +1,41 @@
+// $Id$
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+//
+
+#ifndef CONNSTATS_H
+#define CONNSTATS_H
+
+#include "Analyzer.h"
+#include "NetVar.h"
+
+
+class ConnSize_Analyzer : public Analyzer {
+public:
+	ConnSize_Analyzer(Connection* c);
+	virtual ~ConnSize_Analyzer();
+
+	virtual void Init();
+	virtual void Done();
+
+	// from Analyzer.h
+	virtual void UpdateConnVal(RecordVal *conn_val);
+	virtual void FlipRoles();
+
+	static Analyzer* InstantiateAnalyzer(Connection* conn)
+		{ return new ConnSize_Analyzer(conn); }
+
+	static bool Available()	{ return BifConst::use_conn_size_analyzer ; }
+
+protected:
+	virtual void DeliverPacket(int len, const u_char* data, bool is_orig,
+					int seq, const IP_Hdr* ip, int caplen);
+
+
+	uint64_t orig_bytes;
+	uint64_t resp_bytes;
+	uint64_t orig_pkts;
+	uint64_t resp_pkts;
+};
+
+#endif
diff --git a/src/ContentLine.cc b/src/ContentLine.cc
index 6dd772a0f8..4ab5d0358e 100644
--- a/src/ContentLine.cc
+++ b/src/ContentLine.cc
@@ -120,7 +120,7 @@ void ContentLine_Analyzer::EndpointEOF(bool is_orig)
 		DeliverStream(1, (const u_char*) "\n", is_orig);
 	}
 
-void ContentLine_Analyzer::SetPlainDelivery(int length)
+void ContentLine_Analyzer::SetPlainDelivery(int64_t length)
 	{
 	if ( length < 0 )
 		internal_error("negative length for plain delivery");
@@ -154,7 +154,7 @@ void ContentLine_Analyzer::DoDeliver(int len, const u_char* data)
 
 		if ( plain_delivery_length > 0 )
 			{
-			int deliver_plain = min(plain_delivery_length, len);
+			int deliver_plain = min(plain_delivery_length, (int64_t)len);
 
 			last_char = 0; // clear last_char
 			plain_delivery_length -= deliver_plain;
@@ -179,7 +179,7 @@ void ContentLine_Analyzer::DoDeliver(int len, const u_char* data)
 		if ( seq < seq_to_skip )
 			{
 			// Skip rest of the data and return
-			int skip_len = seq_to_skip - seq;
+			int64_t skip_len = seq_to_skip - seq;
 			if ( skip_len > len )
 				skip_len = len;
 
@@ -310,7 +310,7 @@ void ContentLine_Analyzer::CheckNUL()
 		}
 	}
 
-void ContentLine_Analyzer::SkipBytesAfterThisLine(int length)
+void ContentLine_Analyzer::SkipBytesAfterThisLine(int64_t length)
 	{
 	// This is a little complicated because Bro has to handle
 	// both CR and CRLF as a line break. When a line is delivered,
@@ -326,7 +326,7 @@ void ContentLine_Analyzer::SkipBytesAfterThisLine(int length)
 		SkipBytes(length);
 	}
 
-void ContentLine_Analyzer::SkipBytes(int length)
+void ContentLine_Analyzer::SkipBytes(int64_t length)
 	{
 	skip_pending = 0;
 	seq_to_skip = SeqDelivered() + length;
diff --git a/src/ContentLine.h b/src/ContentLine.h
index fe18ae9f95..25482ecc2f 100644
--- a/src/ContentLine.h
+++ b/src/ContentLine.h
@@ -44,16 +44,16 @@ public:
 	// mode for next <length> bytes.  Plain-delivery data is also passed
 	// via DeliverStream() and can differentiated by calling
 	// IsPlainDelivery().
-	void SetPlainDelivery(int length);
-	int GetPlainDeliveryLength() const	{ return plain_delivery_length; }
+	void SetPlainDelivery(int64_t length);
+	int64_t GetPlainDeliveryLength() const	{ return plain_delivery_length; }
 	bool IsPlainDelivery()			{ return is_plain; }
 
 	// Skip <length> bytes after this line.
 	// Can be used to skip HTTP data for performance considerations.
-	void SkipBytesAfterThisLine(int length);
-	void SkipBytes(int length);
+	void SkipBytesAfterThisLine(int64_t length);
+	void SkipBytes(int64_t length);
 
-	bool IsSkippedContents(int seq, int length)
+	bool IsSkippedContents(int64_t seq, int64_t length)
 		{ return seq + length <= seq_to_skip; }
 
 protected:
@@ -71,26 +71,26 @@ protected:
 	void CheckNUL();
 
 	// Returns the sequence number delivered so far.
-	int SeqDelivered() const	{ return seq_delivered_in_lines; }
+	int64_t SeqDelivered() const	{ return seq_delivered_in_lines; }
 
 	u_char* buf;	// where we build up the body of the request
 	int offset;	// where we are in buf
 	int buf_len;	// how big buf is, total
 	unsigned int last_char;	// last (non-option) character scanned
 
-	int seq;	// last seq number
-	int seq_to_skip;
+	int64_t seq;	// last seq number
+	int64_t seq_to_skip;
 
 	// Seq delivered up to through NewLine() -- it is adjusted
 	// *before* NewLine() is called.
-	int seq_delivered_in_lines;
+	int64_t seq_delivered_in_lines;
 
 	// Number of bytes to be skipped after this line. See
 	// comments in SkipBytesAfterThisLine().
-	int skip_pending;
+	int64_t skip_pending;
 
 	// Remaining bytes to deliver plain.
-	int plain_delivery_length;
+	int64_t plain_delivery_length;
 	int is_plain;
 
 	// Don't deliver further data.
diff --git a/src/DCE_RPC.cc b/src/DCE_RPC.cc
index fe163f2632..c44b100aa5 100644
--- a/src/DCE_RPC.cc
+++ b/src/DCE_RPC.cc
@@ -82,10 +82,10 @@ UUID::UUID(const char* str)
 		}
 
 	if ( i != 16 )
-		internal_error(fmt("invalid UUID string: %s", str));
+		internal_error("invalid UUID string: %s", str);
 	}
 
-typedef map<UUID, BroEnum::dce_rpc_if_id> uuid_map_t;
+typedef map<UUID, BifEnum::dce_rpc_if_id> uuid_map_t;
 
 static uuid_map_t& well_known_uuid_map()
 	{
@@ -95,7 +95,7 @@ static uuid_map_t& well_known_uuid_map()
 	if ( initialized )
 		return the_map;
 
-	using namespace BroEnum;
+	using namespace BifEnum;
 
 	the_map[UUID("e1af8308-5d1f-11c9-91a4-08002b14a0fa")] = DCE_RPC_epmapper;
 
@@ -186,14 +186,14 @@ DCE_RPC_Header::DCE_RPC_Header(Analyzer* a, const u_char* b)
 	else
 		fragmented = 0;
 
-	ptype = (BroEnum::dce_rpc_ptype) bytes[2];
+	ptype = (BifEnum::dce_rpc_ptype) bytes[2];
 	frag_len = extract_uint16(LittleEndian(), bytes + 8);
 	}
 
 DCE_RPC_Session::DCE_RPC_Session(Analyzer* a)
 : analyzer(a),
   if_uuid("00000000-0000-0000-0000-000000000000"),
-  if_id(BroEnum::DCE_RPC_unknown_if)
+  if_id(BifEnum::DCE_RPC_unknown_if)
 	{
 	opnum = -1;
 	}
@@ -234,7 +234,7 @@ void DCE_RPC_Session::DeliverPDU(int is_orig, int len, const u_char* data)
 		val_list* vl = new val_list;
 		vl->append(analyzer->BuildConnVal());
 		vl->append(new Val(is_orig, TYPE_BOOL));
-		vl->append(new EnumVal(data[2], enum_dce_rpc_ptype));
+		vl->append(new EnumVal(data[2], BifType::Enum::dce_rpc_ptype));
 		vl->append(new StringVal(len, (const char*) data));
 
 		analyzer->ConnectionEvent(dce_rpc_message, vl);
@@ -286,7 +286,7 @@ void DCE_RPC_Session::DeliverBind(const binpac::DCE_RPC_Simple::DCE_RPC_PDU* pdu
 			// conn->Weird(fmt("Unknown DCE_RPC interface %s",
 			// 		if_uuid.to_string()));
 #endif
-			if_id = BroEnum::DCE_RPC_unknown_if;
+			if_id = BifEnum::DCE_RPC_unknown_if;
 			}
 		else
 			if_id = uuid_it->second;
@@ -296,7 +296,7 @@ void DCE_RPC_Session::DeliverBind(const binpac::DCE_RPC_Simple::DCE_RPC_PDU* pdu
 			val_list* vl = new val_list;
 			vl->append(analyzer->BuildConnVal());
 			vl->append(new StringVal(if_uuid.to_string()));
-			// vl->append(new EnumVal(if_id, enum_dce_rpc_if_id));
+			// vl->append(new EnumVal(if_id, BifType::Enum::dce_rpc_if_id));
 
 			analyzer->ConnectionEvent(dce_rpc_bind, vl);
 			}
@@ -321,7 +321,7 @@ void DCE_RPC_Session::DeliverRequest(const binpac::DCE_RPC_Simple::DCE_RPC_PDU*
 		}
 
 	switch ( if_id ) {
-	case BroEnum::DCE_RPC_epmapper:
+	case BifEnum::DCE_RPC_epmapper:
 		DeliverEpmapperRequest(pdu, req);
 		break;
 
@@ -345,7 +345,7 @@ void DCE_RPC_Session::DeliverResponse(const binpac::DCE_RPC_Simple::DCE_RPC_PDU*
 		}
 
 	switch ( if_id ) {
-	case BroEnum::DCE_RPC_epmapper:
+	case BifEnum::DCE_RPC_epmapper:
 		DeliverEpmapperResponse(pdu, resp);
 		break;
 
diff --git a/src/DCE_RPC.h b/src/DCE_RPC.h
index 4e13443148..a856599b19 100644
--- a/src/DCE_RPC.h
+++ b/src/DCE_RPC.h
@@ -91,7 +91,7 @@ class DCE_RPC_Header {
 public:
 	DCE_RPC_Header(Analyzer* a, const u_char* bytes);
 
-	BroEnum::dce_rpc_ptype PTYPE() const	{ return ptype; }
+	BifEnum::dce_rpc_ptype PTYPE() const	{ return ptype; }
 	int FragLen() const		{ return frag_len; }
 	int LittleEndian() const	{ return bytes[4] >> 4; }
 	bool Fragmented() const		{ return fragmented; }
@@ -102,7 +102,7 @@ public:
 protected:
 	Analyzer* analyzer;
 	const u_char* bytes;
-	BroEnum::dce_rpc_ptype ptype;
+	BifEnum::dce_rpc_ptype ptype;
 	int frag_len;
 	bool fragmented;
 };
@@ -138,7 +138,7 @@ protected:
 
 	Analyzer* analyzer;
 	UUID if_uuid;
-	BroEnum::dce_rpc_if_id if_id;
+	BifEnum::dce_rpc_if_id if_id;
 	int opnum;
 	struct {
 		dce_rpc_endpoint_addr addr;
diff --git a/src/DFA.cc b/src/DFA.cc
index 57ea87335e..43e719f24a 100644
--- a/src/DFA.cc
+++ b/src/DFA.cc
@@ -21,11 +21,10 @@ DFA_State::DFA_State(int arg_state_num, const EquivClass* ec,
 	nfa_states = arg_nfa_states;
 	accept = arg_accept;
 	mark = 0;
-	lock = 0;
 
 	SymPartition(ec);
 
-	xtions = new DFA_State_Handle*[num_sym];
+	xtions = new DFA_State*[num_sym];
 
 	for ( int i = 0; i < num_sym; ++i )
 		xtions[i] = DFA_UNCOMPUTED_STATE_PTR;
@@ -33,31 +32,14 @@ DFA_State::DFA_State(int arg_state_num, const EquivClass* ec,
 
 DFA_State::~DFA_State()
 	{
-	for ( int i = 0; i < num_sym; ++i )
-		{
-		DFA_State_Handle* s = xtions[i];
-		if ( s && s != DFA_UNCOMPUTED_STATE_PTR )
-			StateUnref(s);
-		}
-
 	delete [] xtions;
 	delete nfa_states;
 	delete accept;
 	delete meta_ec;
 	}
 
-void DFA_State::AddXtion(int sym, DFA_State_Handle* next_state)
+void DFA_State::AddXtion(int sym, DFA_State* next_state)
 	{
-	// The order is important here: first StateRef() the new,
-	// then StateUnref() the old.  Otherwise, we may get a problem
-	// if both are equal.
-
-	if ( next_state )
-		StateRef(next_state);
-
-	if ( xtions[sym] && xtions[sym] != DFA_UNCOMPUTED_STATE_PTR )
-		StateUnref(xtions[sym]);
-
 	xtions[sym] = next_state;
 	}
 
@@ -94,14 +76,10 @@ void DFA_State::SymPartition(const EquivClass* ec)
 	meta_ec->BuildECs();
 	}
 
-DFA_State_Handle* DFA_State::ComputeXtion(int sym, DFA_Machine* machine)
+DFA_State* DFA_State::ComputeXtion(int sym, DFA_Machine* machine)
 	{
-	// Make sure we will not expire...
-	assert(IsLocked());
-
 	int equiv_sym = meta_ec->EquivRep(sym);
-	if ( xtions[equiv_sym] != DFA_UNCOMPUTED_STATE_PTR &&
-	     StateIsValid(xtions[equiv_sym]) )
+	if ( xtions[equiv_sym] != DFA_UNCOMPUTED_STATE_PTR )
 		{
 		AddXtion(sym, xtions[equiv_sym]);
 		return xtions[sym];
@@ -109,7 +87,7 @@ DFA_State_Handle* DFA_State::ComputeXtion(int sym, DFA_Machine* machine)
 
 	const EquivClass* ec = machine->EC();
 
-	DFA_State_Handle* next_d;
+	DFA_State* next_d;
 
 	NFA_state_list* ns = SymFollowSet(equiv_sym, ec);
 	if ( ns->length() > 0 )
@@ -211,10 +189,10 @@ void DFA_State::ClearMarks()
 
 		for ( int i = 0; i < num_sym; ++i )
 			{
-			DFA_State_Handle* s = xtions[i];
+			DFA_State* s = xtions[i];
 
 			if ( s && s != DFA_UNCOMPUTED_STATE_PTR )
-				(*xtions[i])->ClearMarks();
+				xtions[i]->ClearMarks();
 			}
 		}
 	}
@@ -243,7 +221,7 @@ void DFA_State::Dump(FILE* f, DFA_Machine* m)
 	int num_trans = 0;
 	for ( int sym = 0; sym < num_sym; ++sym )
 		{
-		DFA_State_Handle* s = xtions[sym];
+		DFA_State* s = xtions[sym];
 
 		if ( ! s )
 			continue;
@@ -271,7 +249,7 @@ void DFA_State::Dump(FILE* f, DFA_Machine* m)
 		else
 			fprintf(f, "%stransition on %s to state %d",
 				++num_trans == 1 ? "\t" : "\n\t", xbuf,
-				(*s)->StateNum());
+				s->StateNum());
 
 		sym = i - 1;
 		}
@@ -283,10 +261,10 @@ void DFA_State::Dump(FILE* f, DFA_Machine* m)
 
 	for ( int sym = 0; sym < num_sym; ++sym )
 		{
-		DFA_State_Handle* s = xtions[sym];
+		DFA_State* s = xtions[sym];
 
 		if ( s && s != DFA_UNCOMPUTED_STATE_PTR )
-			(*s)->Dump(f, m);
+			s->Dump(f, m);
 		}
 	}
 
@@ -294,7 +272,7 @@ void DFA_State::Stats(unsigned int* computed, unsigned int* uncomputed)
 	{
 	for ( int sym = 0; sym < num_sym; ++sym )
 		{
-		DFA_State_Handle* s = xtions[sym];
+		DFA_State* s = xtions[sym];
 
 		if ( s == DFA_UNCOMPUTED_STATE_PTR )
 			(*uncomputed)++;
@@ -313,11 +291,9 @@ unsigned int DFA_State::Size()
 		+ (centry ? padded_sizeof(CacheEntry) : 0);
 	}
 
-
 DFA_State_Cache::DFA_State_Cache(int arg_maxsize)
 	{
 	maxsize = arg_maxsize;
-	head = tail = 0;
 	hits = misses = 0;
 	}
 
@@ -328,13 +304,12 @@ DFA_State_Cache::~DFA_State_Cache()
 	while ( (e = (CacheEntry*) states.NextEntry(i)) )
 		{
 		assert(e->state);
-		StateInvalidate(e->state);
 		delete e->hash;
 		delete e;
 		}
 	}
 
-DFA_State_Handle* DFA_State_Cache::Lookup(const NFA_state_list& nfas,
+DFA_State* DFA_State_Cache::Lookup(const NFA_state_list& nfas,
 						HashKey** hash)
 	{
 	// We assume that state ID's don't exceed 10 digits, plus
@@ -380,100 +355,24 @@ DFA_State_Handle* DFA_State_Cache::Lookup(const NFA_state_list& nfas,
 	delete *hash;
 	*hash = 0;
 
-	MoveToFront(e);
-
 	return e->state;
 	}
 
-DFA_State_Handle* DFA_State_Cache::Insert(DFA_State* state, HashKey* hash)
+DFA_State* DFA_State_Cache::Insert(DFA_State* state, HashKey* hash)
 	{
 	CacheEntry* e;
 
-#ifdef EXPIRE_DFA_STATES
-	if ( states.Length() == maxsize )
-		{
-		// Remove oldest unlocked entry.
-		for ( e = tail; e; e = e->prev )
-			if ( ! (*e->state)->lock )
-				break;
-		if ( e )
-			Remove(e);
-		}
-#endif
-
 	e = new CacheEntry;
 
-#ifdef EXPIRE_DFA_STATES
-	// Insert as head.
-	e->state = new DFA_State_Handle(state);
-	e->state->state->centry = e;
-#else
 	e->state = state;
 	e->state->centry = e;
-#endif
 	e->hash = hash;
-	e->prev = 0;
-	e->next = head;
-	if ( head )
-		head->prev = e;
-	head = e;
-	if ( ! tail )
-		tail = e;
 
 	states.Insert(hash, e);
 
 	return e->state;
 	}
 
-void DFA_State_Cache::Remove(CacheEntry* e)
-	{
-	if ( e == head )
-		{
-		head = e->next;
-		if ( head )
-			head->prev = 0;
-		}
-	else
-		e->prev->next = e->next;
-
-	if ( e == tail )
-		{
-		tail = e->prev;
-		if ( tail )
-			tail->next = 0;
-		}
-	else
-		e->next->prev = e->prev;
-
-	states.Remove(e->hash);
-
-	assert(e->state);
-	StateInvalidate(e->state);
-	delete e->hash;
-	delete e;
-	}
-
-void DFA_State_Cache::MoveToFront(CacheEntry* e)
-	{
-	++hits;
-
-	if ( e->prev )
-		{
-		e->prev->next = e->next;
-
-		if ( e->next )
-			e->next->prev = e->prev;
-		else
-			tail = e->prev;
-
-		e->prev = 0;
-		e->next = head;
-
-		head->prev = e;
-		head = e;
-		}
-	}
-
 void DFA_State_Cache::GetStats(Stats* s)
 	{
 	s->dfa_states = 0;
@@ -490,9 +389,9 @@ void DFA_State_Cache::GetStats(Stats* s)
 	while ( (e = (CacheEntry*) states.NextEntry(i)) )
 		{
 		++s->dfa_states;
-		s->nfa_states += (*e->state)->NFAStateNum();
-		(*e->state)->Stats(&s->computed, &s->uncomputed);
-		s->mem += pad_size((*e->state)->Size()) + padded_sizeof(*e->state);
+		s->nfa_states += e->state->NFAStateNum();
+		e->state->Stats(&s->computed, &s->uncomputed);
+		s->mem += pad_size(e->state->Size()) + padded_sizeof(*e->state);
 		}
 	}
 
@@ -514,9 +413,6 @@ DFA_Machine::DFA_Machine(NFA_Machine* n, EquivClass* arg_ec)
 		{
 		NFA_state_list* state_set = epsilon_closure(ns);
 		(void) StateSetToDFA_State(state_set, start_state, ec);
-
-		StateRef(start_state);
-		StateLock(start_state);
 		}
 	else
 		start_state = 0; // Jam
@@ -524,12 +420,6 @@ DFA_Machine::DFA_Machine(NFA_Machine* n, EquivClass* arg_ec)
 
 DFA_Machine::~DFA_Machine()
 	{
-	if ( start_state )
-		{
-		StateUnlock(start_state);
-		StateUnref(start_state);
-		}
-
 	delete dfa_state_cache;
 	Unref(nfa);
 	}
@@ -541,8 +431,8 @@ void DFA_Machine::Describe(ODesc* d) const
 
 void DFA_Machine::Dump(FILE* f)
 	{
-	(*start_state)->Dump(f, this);
-	(*start_state)->ClearMarks();
+	start_state->Dump(f, this);
+	start_state->ClearMarks();
 	}
 
 void DFA_Machine::DumpStats(FILE* f)
@@ -571,12 +461,11 @@ unsigned int DFA_Machine::MemoryAllocation() const
 	}
 
 int DFA_Machine::StateSetToDFA_State(NFA_state_list* state_set,
-				DFA_State_Handle*& d, const EquivClass* ec)
+				DFA_State*& d, const EquivClass* ec)
 	{
 	HashKey* hash;
 	d = dfa_state_cache->Lookup(*state_set, &hash);
 
-	assert((! d) || StateIsValid(d));
 	if ( d )
 		return 0;
 
diff --git a/src/DFA.h b/src/DFA.h
index 6bf9fd640b..6fa4d85f0d 100644
--- a/src/DFA.h
+++ b/src/DFA.h
@@ -8,57 +8,12 @@
 
 #include <assert.h>
 
-// It's possible to use a fixed size cache of computed states for each DFA.
-// If the number of DFA states reaches the given limit, old states are expired
-// on a least-recently-used basis. This may impact the performance significantly
-// if expired states have to be recalculated regularly, but it limits the
-// amount of memory taken by a DFA.
-//
-// Enable by configuring with --with-expire-dfa-states.
-
 class DFA_State;
 
-// The cache marks expired states as invalid.
-#define DFA_INVALID_STATE_PTR ((DFA_State*) -1)
-
 // Transitions to the uncomputed state indicate that we haven't yet
 // computed the state to go to.
 #define DFA_UNCOMPUTED_STATE -2
-#define DFA_UNCOMPUTED_STATE_PTR ((DFA_State_Handle*) DFA_UNCOMPUTED_STATE)
-
-#ifdef EXPIRE_DFA_STATES
-
-class DFA_State_Handle {
-public:
-	// The reference counting keeps track of this *handle* (not the state).
-	void Ref()	{ assert(state); ++refcount; }
-	void Unref()
-		{
-		if ( --refcount == 0 )
-			delete this;
-		}
-
-	inline void Invalidate();
-	bool IsValid() const		{ return state != DFA_INVALID_STATE_PTR; }
-
-	DFA_State* State() const	{ return state; }
-	DFA_State* operator->() const	{ return state; }
-
-protected:
-	friend class DFA_State_Cache;
-
-	DFA_State_Handle(DFA_State* arg_state)
-		{ state = arg_state; refcount = 1; }
-
-	inline ~DFA_State_Handle();
-
-	DFA_State* state;
-	int refcount;
-};
-
-#else
-typedef DFA_State DFA_State_Handle;
-#endif
+#define DFA_UNCOMPUTED_STATE_PTR ((DFA_State*) DFA_UNCOMPUTED_STATE)
 
 #include "NFA.h"
 
@@ -76,9 +31,9 @@ public:
 
 	int StateNum() const		{ return state_num; }
 	int NFAStateNum() const		{ return nfa_states->length(); }
-	void AddXtion(int sym, DFA_State_Handle* next_state);
+	void AddXtion(int sym, DFA_State* next_state);
 
-	inline DFA_State_Handle* Xtion(int sym, DFA_Machine* machine);
+	inline DFA_State* Xtion(int sym, DFA_Machine* machine);
 
 	const AcceptingSet* Accept() const	{ return accept; }
 	void SymPartition(const EquivClass* ec);
@@ -98,43 +53,29 @@ public:
 	void Stats(unsigned int* computed, unsigned int* uncomputed);
 	unsigned int Size();
 
-	// Locking a state will keep it from expiring from a cache.
-	void Lock()	{ ++lock; }
-	void Unlock()	{ --lock; }
-
-#ifdef EXPIRE_DFA_STATES
-	bool IsLocked()	{ return lock != 0; }
-#else
-	bool IsLocked()	{ return true; }
-	DFA_State* operator->(){ return this; }
-#endif
-
 protected:
 	friend class DFA_State_Cache;
 
-	DFA_State_Handle* ComputeXtion(int sym, DFA_Machine* machine);
+	DFA_State* ComputeXtion(int sym, DFA_Machine* machine);
 	void AppendIfNew(int sym, int_list* sym_list);
 
 	int state_num;
 	int num_sym;
 
-	DFA_State_Handle** xtions;
+	DFA_State** xtions;
 
 	AcceptingSet* accept;
 	NFA_state_list* nfa_states;
 	EquivClass* meta_ec;	// which ec's make same transition
 	DFA_State* mark;
-	int lock;
 	CacheEntry* centry;
 
 	static unsigned int transition_counter;	// see Xtion()
 };
 
 struct CacheEntry {
-	DFA_State_Handle* state;
+	DFA_State* state;
 	HashKey* hash;
-	CacheEntry* next;
-	CacheEntry* prev;
 };
 
 class DFA_State_Cache {
@@ -143,13 +84,11 @@ public:
 	~DFA_State_Cache();
 
 	// If the caller stores the handle, it has to call Ref() on it.
-	DFA_State_Handle* Lookup(const NFA_state_list& nfa_states,
+	DFA_State* Lookup(const NFA_state_list& nfa_states,
 					HashKey** hash);
 
 	// Takes ownership of both; hash is the one returned by Lookup().
-	DFA_State_Handle* Insert(DFA_State* state, HashKey* hash);
-
-	void MoveToFront(DFA_State* state)	{ MoveToFront(state->centry); }
+	DFA_State* Insert(DFA_State* state, HashKey* hash);
 
 	int NumEntries() const	{ return states.Length(); }
 
@@ -168,9 +107,6 @@ public:
 	void GetStats(Stats* s);
 
 private:
-	void Remove(CacheEntry* e);
-	void MoveToFront(CacheEntry* e);
-
 	int maxsize;
 
 	int hits;	// Statistics
@@ -180,10 +116,6 @@ private:
 
 	// Hash indexed by NFA states (MD5s of them, actually).
 	PDict(CacheEntry) states;
-
-	// List in LRU order.
-	CacheEntry* head;
-	CacheEntry* tail;
 };
 
 declare(PList,DFA_State);
@@ -196,7 +128,7 @@ public:
 			int* acc_array);
 	~DFA_Machine();
 
-	DFA_State_Handle* StartState() const	{ return start_state; }
+	DFA_State* StartState() const	{ return start_state; }
 
 	int NumStates() const	{ return dfa_state_cache->NumEntries(); }
 
@@ -217,74 +149,18 @@ protected:
 	int state_count;
 
 	// The state list has to be sorted according to IDs.
-	int StateSetToDFA_State(NFA_state_list* state_set, DFA_State_Handle*& d,
+	int StateSetToDFA_State(NFA_state_list* state_set, DFA_State*& d,
 				const EquivClass* ec);
 	const EquivClass* EC() const	{ return ec; }
 
 	EquivClass* ec;	// equivalence classes corresponding to NFAs
-	DFA_State_Handle* start_state;
+	DFA_State* start_state;
 	DFA_State_Cache* dfa_state_cache;
 
 	NFA_Machine* nfa;
 };
 
-#ifdef EXPIRE_DFA_STATES
-
-inline DFA_State_Handle* DFA_State::Xtion(int sym, DFA_Machine* machine)
-	{
-	Lock();
-
-	// This is just a clumsy form of sampling... Instead of moving
-	// the state to the front of our LRU cache on each transition (which
-	// would be quite often) we just do it on every nth transition
-	// (counted across all DFA states). This is based on the observation
-	// that a very few of all states are used most of time.
-	// (currently n=10000; should it be configurable?)
-	if ( transition_counter++ % 10000 == 0 )
-		machine->Cache()->MoveToFront(this);
-
-	DFA_State_Handle* h;
-
-	if ( xtions[sym] == DFA_UNCOMPUTED_STATE_PTR ||
-	     (xtions[sym] && ! xtions[sym]->IsValid()) )
-		h = ComputeXtion(sym, machine);
-	else
-		h = xtions[sym];
-
-	Unlock();
-
-	return h;
-	}
-
-inline DFA_State_Handle::~DFA_State_Handle()
-	{
-	if ( state != DFA_INVALID_STATE_PTR )
-		delete state;
-	}
-
-inline void DFA_State_Handle::Invalidate()
-	{
-	assert(state!=DFA_INVALID_STATE_PTR);
-	delete state;
-	state = DFA_INVALID_STATE_PTR;
-	Unref();
-	}
-
-// Not nice but helps avoiding some overhead in the non-expiration case.
-static inline void StateLock(DFA_State_Handle* s)	{ s->State()->Lock(); }
-static inline void StateUnlock(DFA_State_Handle* s)	{ s->State()->Unlock(); }
-static inline void StateRef(DFA_State_Handle* s)	{ s->Ref(); }
-static inline void StateUnref(DFA_State_Handle* s)	{ s->Unref(); }
-static inline void StateInvalidate(DFA_State_Handle* s)	{ s->Invalidate(); }
-
-static inline bool StateIsValid(DFA_State_Handle* s)
-	{
-	return ! s || s->IsValid();
-	}
-
-#else
-
-inline DFA_State_Handle* DFA_State::Xtion(int sym, DFA_Machine* machine)
+inline DFA_State* DFA_State::Xtion(int sym, DFA_Machine* machine)
 	{
 	if ( xtions[sym] == DFA_UNCOMPUTED_STATE_PTR )
 		return ComputeXtion(sym, machine);
@@ -292,13 +168,4 @@ inline DFA_State_Handle* DFA_State::Xtion(int sym, DFA_Machine* machine)
 		return xtions[sym];
 	}
 
-static inline void StateLock(DFA_State_Handle* s)	{ }
-static inline void StateUnlock(DFA_State_Handle* s)	{ }
-static inline void StateRef(DFA_State_Handle* s)	{ }
-static inline void StateUnref(DFA_State_Handle* s)	{ }
-static inline void StateInvalidate(DFA_State_Handle* s)	{ }
-static inline bool StateIsValid(DFA_State_Handle* s)	{ return true; }
-
-#endif
-
 #endif
diff --git a/src/DNS.cc b/src/DNS.cc
index 1391794261..ad1b4cb716 100644
--- a/src/DNS.cc
+++ b/src/DNS.cc
@@ -13,8 +13,6 @@
 #include "DNS.h"
 #include "Sessions.h"
 #include "Event.h"
-#include "DNS_Rewriter.h"
-#include "TCP_Rewriter.h"
 
 DNS_Interpreter::DNS_Interpreter(Analyzer* arg_analyzer)
 	{
@@ -1134,11 +1132,6 @@ DNS_Analyzer::~DNS_Analyzer()
 
 void DNS_Analyzer::Init()
 	{
-	if ( transformed_pkt_dump && RewritingTrace() &&
-	     Conn()->ConnTransport() == TRANSPORT_UDP )
-		Conn()->GetRootAnalyzer()->SetTraceRewriter(
-			new DNS_Rewriter(this, transformed_pkt_dump_MTU,
-			transformed_pkt_dump));
 	}
 
 void DNS_Analyzer::Done()
@@ -1196,5 +1189,3 @@ void DNS_Analyzer::ExpireTimer(double t)
 		ADD_ANALYZER_TIMER(&DNS_Analyzer::ExpireTimer,
 				t + dns_session_timeout, 1, TIMER_DNS_EXPIRE);
 	}
-
-#include "dns-rw.bif.func_def"
diff --git a/src/DNS.h b/src/DNS.h
index 6a68bf5dbd..ca9261c008 100644
--- a/src/DNS.h
+++ b/src/DNS.h
@@ -265,11 +265,6 @@ public:
 	virtual void Done();
 	virtual void ConnectionClosed(TCP_Endpoint* endpoint,
 					TCP_Endpoint* peer, int gen_event);
-	virtual int RewritingTrace()
-		{
-		return rewriting_dns_trace ||
-			TCP_ApplicationAnalyzer::RewritingTrace();
-		}
 
 	void ExpireTimer(double t);
 
diff --git a/src/DNS_Mgr.cc b/src/DNS_Mgr.cc
index c205b1f829..742ff00b8f 100644
--- a/src/DNS_Mgr.cc
+++ b/src/DNS_Mgr.cc
@@ -6,11 +6,11 @@
 
 #include <sys/types.h>
 #include <sys/socket.h>
-#if TIME_WITH_SYS_TIME
+#ifdef TIME_WITH_SYS_TIME
 # include <sys/time.h>
 # include <time.h>
 #else
-# if HAVE_SYS_TIME_H
+# ifdef HAVE_SYS_TIME_H
 #  include <sys/time.h>
 # else
 #  include <time.h>
@@ -53,9 +53,7 @@ public:
 	const char* ReqHost() const	{ return host; }
 	uint32 ReqAddr() const		{ return addr; }
 
-#ifdef HAVE_NB_DNS
 	int MakeRequest(nb_dns_info* nb_dns);
-#endif
 	int RequestPending() const	{ return request_pending; }
 	void RequestDone()	{ request_pending = 0; }
 
@@ -66,7 +64,6 @@ protected:
 	int request_pending;
 };
 
-#ifdef HAVE_NB_DNS
 int DNS_Mgr_Request::MakeRequest(nb_dns_info* nb_dns)
 	{
 	if ( ! nb_dns )
@@ -80,7 +77,6 @@ int DNS_Mgr_Request::MakeRequest(nb_dns_info* nb_dns)
 	else
 		return nb_dns_addr_request(nb_dns, addr, (void*) this, err) >= 0;
 	}
-#endif
 
 class DNS_Mapping {
 public:
@@ -350,13 +346,11 @@ DNS_Mgr::DNS_Mgr(DNS_MgrMode arg_mode)
 	host_mappings.SetDeleteFunc(DNS_Mgr_mapping_delete_func);
 	addr_mappings.SetDeleteFunc(DNS_Mgr_mapping_delete_func);
 
-#ifdef HAVE_NB_DNS
 	char err[NB_DNS_ERRSIZE];
 	nb_dns = nb_dns_init(err);
 
 	if ( ! nb_dns )
 		warn(fmt("problem initializing NB-DNS: %s", err));
-#endif
 
 	dns_mapping_valid = dns_mapping_unverified = dns_mapping_new_name =
 		dns_mapping_lost_name = dns_mapping_name_changed =
@@ -372,10 +366,8 @@ DNS_Mgr::DNS_Mgr(DNS_MgrMode arg_mode)
 
 DNS_Mgr::~DNS_Mgr()
 	{
-#ifdef HAVE_NB_DNS
 	if ( nb_dns )
 		nb_dns_finish(nb_dns);
-#endif
 
 	delete [] cache_name;
 	delete [] dir;
@@ -410,14 +402,12 @@ bool DNS_Mgr::Init()
 
 	did_init = 1;
 
-#ifdef HAVE_NB_DNS
 	io_sources.Register(this, true);
 
 	// We never set idle to false, having the main loop only calling us from
 	// time to time. If we're issuing more DNS requests than we can handle
 	// in this way, we are having problems anyway ...
 	idle = true;
-#endif
 
 	return true;
 	}
@@ -531,7 +521,6 @@ void DNS_Mgr::Resolve()
 
 	int i;
 
-#ifdef HAVE_NB_DNS
 	int first_req = 0;
 	int num_pending = min(requests.length(), MAX_PENDING_REQUESTS);
 	int last_req = num_pending - 1;
@@ -597,7 +586,6 @@ void DNS_Mgr::Resolve()
 				--num_pending;
 			}
 		}
-#endif
 
 	// All done with the list of requests.
 	for ( i = requests.length() - 1; i >= 0; --i )
@@ -860,7 +848,6 @@ TableVal* DNS_Mgr::LookupNameInCache(string name)
 	return d->AddrsSet();
 	}
 
-#ifdef HAVE_NB_DNS
 void DNS_Mgr::AsyncLookupAddr(dns_mgr_addr_type host, LookupCallback* callback)
 	{
 	if ( ! did_init )
@@ -956,13 +943,10 @@ void DNS_Mgr::IssueAsyncRequests()
 		++asyncs_pending;
 		}
 	}
-#endif
 
 void  DNS_Mgr::GetFds(int* read, int* write, int* except)
 	{
-#ifdef HAVE_NB_DNS
 	*read = nb_dns_fd(nb_dns);
-#endif
 	}
 
 double DNS_Mgr::NextTimestamp(double* network_time)
@@ -971,7 +955,6 @@ double DNS_Mgr::NextTimestamp(double* network_time)
 	return asyncs_timeouts.size() ? timer_mgr->Time() : -1.0;
 	}
 
-#ifdef HAVE_NB_DNS
 void DNS_Mgr::CheckAsyncAddrRequest(dns_mgr_addr_type addr, bool timeout)
 	{
 	// Note that this code is a mirror of that for CheckAsyncHostRequest.
@@ -1030,13 +1013,9 @@ void DNS_Mgr::CheckAsyncHostRequest(const char* host, bool timeout)
 		// eventually times out.
 		}
 	}
-#endif
 
 void  DNS_Mgr::Process()
 	{
-#ifndef HAVE_NB_DNS
-	internal_error("DNS_Mgr::Process(): should never be reached");
-#else
 
 	while ( asyncs_timeouts.size() > 0 )
 		{
@@ -1084,9 +1063,8 @@ void  DNS_Mgr::Process()
 
 		IssueAsyncRequests();
 		}
-#endif
 	}
-#ifdef HAVE_NB_DNS
+
 int DNS_Mgr::AnswerAvailable(int timeout)
 	{
 	int fd = nb_dns_fd(nb_dns);
@@ -1116,4 +1094,3 @@ int DNS_Mgr::AnswerAvailable(int timeout)
 
 	return status;
 	}
-#endif
diff --git a/src/DNS_Mgr.h b/src/DNS_Mgr.h
index 7431f7d987..580eae92f1 100644
--- a/src/DNS_Mgr.h
+++ b/src/DNS_Mgr.h
@@ -79,10 +79,8 @@ public:
 		virtual void Timeout() = 0;
 	};
 
-#ifdef HAVE_NB_DNS
 	void AsyncLookupAddr(dns_mgr_addr_type host, LookupCallback* callback);
 	void AsyncLookupName(string name, LookupCallback* callback);
-#endif
 
 protected:
 	friend class LookupCallback;
@@ -102,7 +100,6 @@ protected:
 	void LoadCache(FILE* f);
 	void Save(FILE* f, PDict(DNS_Mapping)& m);
 
-#ifdef HAVE_NB_DNS
 	// Selects on the fd to see if there is an answer available (timeout is
 	// secs). Returns 0 on timeout, -1 on EINTR, and 1 if answer is ready.
 	int AnswerAvailable(int timeout);
@@ -115,8 +112,6 @@ protected:
 	void CheckAsyncAddrRequest(dns_mgr_addr_type addr, bool timeout);
 	void CheckAsyncHostRequest(const char* host, bool timeout);
 
-#endif
-
 	// IOSource interface.
 	virtual void GetFds(int* read, int* write, int* except);
 	virtual double NextTimestamp(double* network_time);
diff --git a/src/DNS_Rewriter.cc b/src/DNS_Rewriter.cc
deleted file mode 100644
index 15a7fc1570..0000000000
--- a/src/DNS_Rewriter.cc
+++ /dev/null
@@ -1,587 +0,0 @@
-// $Id:$
-//
-// See the file "COPYING" in the main distribution directory for copyright.
-
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/nameser.h>
-#include <arpa/inet.h>
-#include <resolv.h>
-
-#include "NetVar.h"
-#include "DNS.h"
-#include "Val.h"
-#include "TCP.h"
-#include "Anon.h"
-#include "DNS_Rewriter.h"
-
-DNS_Rewriter::DNS_Rewriter(Analyzer* analyzer, int arg_MTU,
-				PacketDumper* dumper)
-: UDP_Rewriter(analyzer, arg_MTU, dumper)
-	{
-	pkt_size = 0;
-	current_pkt_id = 0;
-
-	pkt = new u_char[DNS_PKT_SIZE + DNS_HDR_SIZE];
-	}
-
-void DNS_Rewriter::DnsCopyHeader(Val* msg)
-	{
-	// New header - reset packet size.
-	pkt_size = 0;
-
-	// Move msg->AsRecordVal() to a RecordVal* to optimize.
-	const RecordVal* msg_rec = msg->AsRecordVal();
-	int id = msg_rec->Lookup(0)->AsCount();
-	int opcode = msg_rec->Lookup(1)->AsCount();
-	int rcode = msg_rec->Lookup(2)->AsCount();
-	int QR = msg_rec->Lookup(3)->AsBool();
-	int AA = msg_rec->Lookup(4)->AsBool();
-	int TC = msg_rec->Lookup(5)->AsBool();
-	int RD = msg_rec->Lookup(6)->AsBool();
-	int RA = msg_rec->Lookup(7)->AsBool();
-	int Z = msg_rec->Lookup(8)->AsCount();
-	int qdcount = msg_rec->Lookup(9)->AsCount();
-	int ancount = msg_rec->Lookup(10)->AsCount();
-	int nscount = msg_rec->Lookup(11)->AsCount();
-	int arcount = msg_rec->Lookup(12)->AsCount();
-
-	current_pkt_id = id;
-
-	// Set the DNS flags.
-	uint16 flags = (QR << 15) | (AA << 10) | (TC << 9) |
-			(RD << 8) | (RA << 7) | (Z << 4);
-
-	flags |= rcode | (opcode << 11);
-
-	(void) WriteShortVal(id);
-	(void) WriteShortVal(flags);
-	(void) WriteShortVal(qdcount);
-	(void) WriteShortVal(ancount);
-	(void) WriteShortVal(nscount);
-	(void) WriteShortVal(arcount);
-
-	// We've finished the header.
-	pkt_size = DNS_HDR_SIZE;
-
-	// Assign all the pointers for dn_comp().
-	dpp = dn_ptrs;
-	*dpp++ = pkt;
-	*dpp++ = 0;
-
-	last_dn_ptr = dn_ptrs + sizeof dn_ptrs / sizeof dn_ptrs[0];
-	}
-
-int DNS_Rewriter::DnsCopyQuery(Val* val)
-	{
-	const RecordVal* val_rec = val->AsRecordVal();
-
-	// int type = val_rec->Lookup(0)->AsCount();
-
-	const BroString* query = val_rec->Lookup(1)->AsString();
-	int atype = val_rec->Lookup(2)->AsCount();
-	int aclass = val_rec->Lookup(3)->AsCount();
-
-	return DnsCopyQuery(query, atype, aclass);
-	}
-
-// Copy the question part of the query into memory.
-// Return the number of bytes that the query string compressed to.
-int DNS_Rewriter::DnsCopyQuery(const BroString* query, uint32 qtype,
-				uint32 qclass)
-	{
-	int len = query->Len();
-	int psize = pkt_size;
-
-	// Encode the query string.
-	const char* dname = (char*) query->Bytes();
-	len = dn_comp(dname, pkt + pkt_size, DNS_PKT_SIZE - pkt_size,
-			dn_ptrs, last_dn_ptr);
-
-	// Can't encode in less than 2 bytes, or about to overwrite.
-	if ( len < 1 || pkt_size + len + 4 > DNS_PKT_SIZE )
-		{
-		warn("dn_comp couldn't encode name into packet");
-		return 0;
-		}
-
-	pkt_size += len;
-
-	// Set type.
-	if ( ! WriteShortVal(qtype) )
-		{
-		pkt_size = psize;
-		return 0;
-		}
-
-	// Set class.
-	if ( ! WriteShortVal(qclass) )
-		{
-		pkt_size = psize;
-		return 0;
-		}
-
-	return len;
-	}
-
-
-// PTR, NS and CNAME are all the same.
-void DNS_Rewriter::DnsCopyPTR(Val* ans, const BroString* name)
-	{
-	DnsCopyCNAME(ans, name);
-	}
-
-// Copy an NS RR into the packet.
-void DNS_Rewriter::DnsCopyNS( Val* ans, const BroString* name)
-	{
-	DnsCopyCNAME(ans, name);
-	}
-
-// Copy an A RR into the packet.
-void DNS_Rewriter::DnsCopyA(Val* ans, uint32 addr)
-	{
-	int psize = pkt_size;
-
-	// Put query part into packet.
-	int len = DnsCopyQuery(ans);
-
-	if ( ! len )
-		return;
-
-	double TTL = ans->AsRecordVal()->Lookup(4)->AsInterval();
-	if ( ! WriteDoubleAsInt(TTL) )
-		{
-		pkt_size = psize;
-		return;
-		}
-
-	// Now we put in how long the resource data is (A rec is always 4).
-	if ( ! WriteShortVal(4) )
-		{
-		pkt_size = psize;
-		return;
-		}
-
-	// Stick in the address (already in network byte order).
-	if ( ! WriteVal(uint32(ntohl(addr))) )
-		{
-		pkt_size = psize;
-		return;
-		}
-	}
-
-// Copy an AAAA RR into the packet.
-void DNS_Rewriter::DnsCopyAAAA(Val* ans, addr_type addr, const BroString* addrstr)
-	{
-	int psize = pkt_size;
-
-
-	// Put query part into packet.
-	int len = DnsCopyQuery(ans);
-	if ( ! len || pkt_size + 6 > DNS_PKT_SIZE )
-		return;
-
-	double TTL = ans->AsRecordVal()->Lookup(4)->AsInterval();
-	if ( ! WriteDoubleAsInt(TTL))
-		{
-		pkt_size = psize;
-		return;
-		}
-
-	// Now we put in how long the resource data is (AAAA rec is always 16).
-	if ( ! WriteShortVal(16) )
-		{
-		pkt_size = psize;
-		return;
-		}
-#ifdef BROv6
-	if ( ! WriteVal(addr) )
-		{
-		pkt_size = psize;
-		return;
-		}
-#else
-	uint32 addr_copy[4];
-	char* addr_tmp = addrstr->Render(BroString::ESC_NONE);
-	inet_pton(AF_INET6, addr_tmp, addr_copy);
-
-	if ( ! WriteVal(addr_copy) )
-		{
-		pkt_size = psize;
-		return;
-		}
-
-	delete addr_tmp;
-#endif
-
-	}
-
-// Copy a CNAME RR into the packet.
-void DNS_Rewriter::DnsCopyCNAME(Val* ans, const BroString* name)
-	{
-	int psize = pkt_size;
-
-	// Put query part into packet.
-	int len = DnsCopyQuery(ans);
-	if ( ! len || pkt_size + 6 > DNS_PKT_SIZE )
-		return;
-
-	double TTL = ans->AsRecordVal()->Lookup(4)->AsInterval();
-	if ( ! WriteDoubleAsInt(TTL))
-		{
-		pkt_size = psize;
-		return;
-		}
-
-	// Resource length (domain name length in packet).
-	// Have to skip till it's encoded, remember this spot.
-	u_char* resource_len = pkt + pkt_size;
-	pkt_size += 2;
-
-	// Encode the domain name.
-	const char* dname = (char*) name->CheckString();
-	len = dn_comp(dname, pkt + pkt_size, DNS_PKT_SIZE - pkt_size,
-			dn_ptrs, last_dn_ptr);
-
-	if ( len < 1 )
-		{
-		pkt_size = psize;
-		return;
-		}
-
-	pkt_size += len;
-
-	// Now we put in how long the name was to encode.
-	uint16 net_rdlen = htons(short(len));
-	memcpy(resource_len, &net_rdlen, sizeof(uint16));
-	}
-
-// Copy a CNAME RR into the packet.
-void DNS_Rewriter::DnsCopyTXT(Val* ans, const BroString* name)
-	{
-	int psize = pkt_size;
-
-	// Put query part into packet.
-	int len = DnsCopyQuery(ans);
-	if ( ! len || pkt_size + 6 > DNS_PKT_SIZE )
-		return;
-
-	double TTL = ans->AsRecordVal()->Lookup(4)->AsInterval();
-	if ( ! WriteDoubleAsInt(TTL))
-		{
-		pkt_size = psize;
-		return;
-		}
-
-	if ( ! WriteShortVal(name->Len()+1))
-		{
-		pkt_size = psize;
-		return;
-		}
-
-	if ( ! WriteVal(uint8(name->Len())))
-		{
-		pkt_size = psize;
-		return;
-		}
-
-	if ( ! WriteVal(name))
-		{
-		pkt_size = psize;
-		return;
-		}
-
-	}
-
-// Copy an MX RR into the packet.
-void DNS_Rewriter::DnsCopyMX(Val* ans, const BroString* name, uint32 preference)
-	{
-	int psize = pkt_size;
-
-	// Put query part into packet.
-	int len = DnsCopyQuery(ans);
-
-	if ( ! len || pkt_size + len + 6 > DNS_PKT_SIZE )
-		{
-		warn("DnsCopyMX: packet too large");
-		return;
-		}
-
-	double TTL = ans->AsRecordVal()->Lookup(4)->AsInterval();
-	if ( ! WriteDoubleAsInt(TTL) )
-		{
-		pkt_size = psize;
-		warn("DnsCopyMX: packet too large");
-		return;
-		}
-
-	// Resource length (domain name length in packet).
-	// Have to skip till it's, remember this spot.
-	u_char* resource_len = pkt + pkt_size;
-	pkt_size += 2;
-
-	if ( ! WriteShortVal(preference))
-		{
-		pkt_size = psize;
-		warn("DnsCopyMX: packet too large");
-		return;
-		}
-
-	// Encode the domain name.
-	const char* dname = (char*) name->CheckString();
-	len += dn_comp(dname, pkt + pkt_size, DNS_PKT_SIZE - pkt_size,
-			dn_ptrs, last_dn_ptr);
-
-	if ( len < 1 )
-		{
-		pkt_size = psize;
-		warn("DnsCopyMX: packet too large");
-		return;
-		}
-
-	pkt_size += len;
-
-	// 2 bytes for the preference size above.
-	len += 2;
-
-	// Now we put in how long the name was to encode.
-	uint16 net_rdlen = htons(short(len));
-	memcpy(resource_len, &net_rdlen, sizeof(uint16));
-	}
-
-// Copy an SOA RR into the packet.
-void DNS_Rewriter::DnsCopySOA(Val* ans, Val* soa)
-	{
-	u_char* resource_len;
-	int resource_offset = 0;
-	int psize = pkt_size;
-
-	const RecordVal* soa_rec = soa->AsRecordVal();
-
-	const BroString* mname = soa_rec->Lookup(0)->AsString();
-	const BroString* rname = soa_rec->Lookup(1)->AsString();
-	uint32 serial = soa_rec->Lookup(2)->AsCount();
-	double refresh = soa_rec->Lookup(3)->AsInterval();
-	double retry = soa_rec->Lookup(4)->AsInterval();
-	double expire = soa_rec->Lookup(5)->AsInterval();
-	double minimum = soa_rec->Lookup(6)->AsInterval();
-
-	// Put query part into packet.
-	int len = DnsCopyQuery(ans);
-
-	if ( ! len || len + 6 > DNS_PKT_SIZE )
-		return;
-
-	double TTL = ans->AsRecordVal()->Lookup(4)->AsInterval();
-	if ( ! WriteDoubleAsInt(TTL) )
-		{
-		pkt_size = psize;
-		return;
-		}
-
-	// Resource length: have to skip till it's encoded.
-	// Remember this spot and offset.
-	resource_len = pkt + pkt_size;
-	pkt_size += 2;
-
-	// Start counting from here (after rdlength).
-	resource_offset = pkt_size;
-
-	// Encode the domain name.
-	const char* dname = (char*) mname->CheckString();
-	len = dn_comp(dname, pkt + pkt_size, DNS_PKT_SIZE - pkt_size,
-			dn_ptrs, last_dn_ptr);
-
-	if ( len < 1 )
-		{
-		pkt_size = psize;
-		return;
-		}
-
-	pkt_size += len;
-
-	// Encode the domain name.
-	dname = (char*) rname->CheckString();
-	len = dn_comp(dname, pkt + pkt_size, DNS_PKT_SIZE - pkt_size,
-			dn_ptrs, last_dn_ptr);
-	if ( len < 1 )
-		{
-		pkt_size = psize;
-		return;
-		}
-
-	pkt_size += len;
-
-	if ( ! WriteVal(serial) || ! WriteDoubleAsInt(refresh) ||
-	     ! WriteDoubleAsInt(retry) || ! WriteDoubleAsInt(expire) ||
-	     ! WriteDoubleAsInt(minimum) )
-		{
-		pkt_size = psize;
-		return;
-		}
-
-	// Now we put in how long this packet was.
-	uint16 net_rdlen = htons(short(pkt_size - resource_offset));
-	memcpy(resource_len, &net_rdlen, sizeof(uint16));
-	}
-
-void DNS_Rewriter::DnsCopyEDNSaddl(Val* ans)
-	{
-	const RecordVal* ans_rec = ans->AsRecordVal();
-
-	int ans_type = ans_rec->Lookup(0)->AsCount();
-	// BroString* query_name = ans_rec->Lookup(1)->AsString();
-	int atype = ans_rec->Lookup(2)->AsCount();
-	int aclass = ans_rec->Lookup(3)->AsCount();
-	int return_error = ans_rec->Lookup(4)->AsCount();
-	int version = ans_rec->Lookup(5)->AsCount();
-	int z = ans_rec->Lookup(6)->AsCount();
-	double ttl = ans_rec->Lookup(7)->AsInterval();
-	int is_query = ans_rec->Lookup(8)->AsCount();
-
-	int rcode = return_error;
-	int ecode = 0;
-
-	int psize = pkt_size;
-
-	if ( return_error > 0xff )
-		{
-		rcode &= 0xff;
-		ecode = return_error >> 8;
-		}
-
-	// Stick the version onto the ecode.
-	ecode = (ecode << 8) | version;
-
-	// Write fixed part of OPT RR
-	// Name '0'.
-	memset(pkt + pkt_size, 0, 1);
-	++pkt_size;
-
-	// Type (either 29 or 41).
-	if ( ! WriteShortVal(atype) )
-		{
-		pkt_size = psize;
-		return;
-		}
-
-	// UDP playload size
-	if ( ! WriteShortVal(aclass) )
-		{
-		pkt_size = psize;
-		return;
-		}
-
-	// Extended rcode + version.
-	if ( ! WriteShortVal(ecode) )
-		{
-		pkt_size = psize;
-		return;
-		}
-
-	// Z field.
-	if ( ! WriteShortVal(z) )
-		{
-		pkt_size = psize;
-		return;
-		}
-
-	// Data length (XXX:for now its zero!).
-	if ( ! WriteShortVal(0) )
-		{
-		pkt_size = psize;
-		return;
-		}
-
-	// Don't write data (XXX:we don't have it!).
-	}
-
-// Does this packet match the current packet being worked on?
-int DNS_Rewriter::DnsPktMatch(Val* msg)
-	{
-	return msg->AsRecordVal()->Lookup(0)->AsInt() == current_pkt_id;
-	}
-
-// Supports copying of TXT values.
-int DNS_Rewriter::WriteVal(const BroString* val)
-	{
-	int n = val->Len();
-
-        if ( pkt_size + n > DNS_PKT_SIZE )
-		{
-		warn("WriteVal: couldn't write data into packet");
-		return 0;
-		}
-
-        char* new_val = val->Render(BroString::ESC_NONE);
-        memcpy(pkt + pkt_size, new_val, n);
-        pkt_size += n;
-
-        delete[] new_val;
-
-        return n;
-	}
-
-int DNS_Rewriter::WriteVal(const uint32* val)
-	{
-	if ( pkt_size + 16 > DNS_PKT_SIZE )
-		{
-		warn("WriteVal: couldn't write data into packet");
-		return 0;
-		}
-
-	memcpy(pkt + pkt_size, &val[0], sizeof(uint32)); pkt_size += 4;
-	memcpy(pkt + pkt_size, &val[1], sizeof(uint32)); pkt_size += 4;
-	memcpy(pkt + pkt_size, &val[2], sizeof(uint32)); pkt_size += 4;
-	memcpy(pkt + pkt_size, &val[3], sizeof(uint32)); pkt_size += 4;
-
-	return sizeof(uint32) * 4;
-	}
-
-// Write a 32 bit value given in host order to the packet.
-int DNS_Rewriter::WriteVal(uint32 val)
-	{
-	if ( pkt_size + 4 > DNS_PKT_SIZE )
-		{
-		warn("WriteVal: couldn't write data into packet");
-		return 0;
-		}
-
-	uint32 net_val = htonl(val);
-	memcpy(pkt + pkt_size, &net_val, sizeof(uint32));
-	pkt_size += 4;
-
-	return sizeof(uint32);
-	}
-
-// Write a 16 bit value given in host order to the packet.
-int DNS_Rewriter::WriteVal(uint16 val)
-	{
-	if ( pkt_size + 2 > DNS_PKT_SIZE )
-		{
-		warn("WriteShortVal: couldn't write data into packet");
-		return 0;
-		}
-
-	uint16 net_val = htons(val);
-	memcpy(pkt + pkt_size, &net_val, sizeof(uint16));
-	pkt_size += 2;
-
-	return sizeof(uint16);
-	}
-
-// Write a 8 bit value given in host order to the packet.
-int DNS_Rewriter::WriteVal(uint8 val)
-	{
-	if ( pkt_size + 1 > DNS_PKT_SIZE )
-		{
-		warn("WriteVal: couldn't write data into packet");
-		return 0;
-		}
-
-	memcpy(pkt + pkt_size, &val, sizeof(uint8));
-	pkt_size += sizeof(uint8);
-
-	return sizeof(uint8);
-	}
diff --git a/src/DNS_Rewriter.h b/src/DNS_Rewriter.h
deleted file mode 100644
index 1a106b6f55..0000000000
--- a/src/DNS_Rewriter.h
+++ /dev/null
@@ -1,70 +0,0 @@
-// $Id:$
-//
-// See the file "COPYING" in the main distribution directory for copyright.
-
-#ifndef dns_rewriter_h
-#define dns_rewriter_h
-
-#include "UDP.h"
-#include "UDP_Rewriter.h"
-#include "Rewriter.h"
-
-#define DNS_HDR_SIZE 12
-
-// DNS packets size. 512 is the *normal* size, but some packets are bigger
-// than this, and the anonymization process can expand packets, so we
-// pad this way out.
-#define DNS_PKT_SIZE (512*4)
-
-class DNS_Rewriter: public UDP_Rewriter {
-public:
-	DNS_Rewriter(Analyzer* analyzer, int arg_MTU, PacketDumper* dumper);
-	virtual ~DNS_Rewriter()	{ delete pkt;}
-
-	void DnsCopyHeader(Val* val);
-
-	int DnsCopyQuery(const BroString* query, uint32 qtype, uint32 qclass);
-	int DnsCopyQuery(Val* val);
-
-	void DnsCopyNS(Val* ans, const BroString* name);
-	void DnsCopyPTR(Val* ans, const BroString* name);
-	void DnsCopyCNAME(Val* ans, const BroString* name);
-	void DnsCopyTXT(Val* ans, const BroString* name);
-	void DnsCopyA(Val* ans, uint32 addr);
-
-	// AAAA is weird, because the address is an IPv4 type.
-	// If we don't have IPv6, and if it's IPv6, it's a pointer
-	// to valid data.
-	void DnsCopyAAAA(Val* ans, addr_type addr, const BroString* addrstr);
-
-	void DnsCopyMX(Val* ans, const BroString* name, uint32 preference);
-	void DnsCopySOA(Val* ans, Val* soa);
-	void DnsCopyEDNSaddl(Val* ans);
-
-	int DnsPktMatch(Val* val);
-	const u_char* Packet() const	{ return pkt; }
-	int PacketSize() const	{ return pkt_size; }
-	void SetOrig( int orig )	{ is_orig = orig; }
-	int IsOrig()			{ return is_orig; }
-
-	int WriteDoubleAsInt(double d)	{ return WriteVal(uint32(d)); }
-	int WriteShortVal(uint16 val)	{ return WriteVal(uint16(val)); }
-	int WriteVal(uint32 val);
-	int WriteVal(uint16 val);
-	int WriteVal(uint8 val);
-	int WriteVal(const uint32* val);
-	int WriteVal(const BroString* val);
-
-private:
-	u_char* pkt;		// the DNS packet
-	int pkt_size;		// size of the packet
-	int current_pkt_id;	// current ID (sanity checking)
-
-	int is_orig;
-
-	u_char* dn_ptrs[30];	// pointer to names in DNS packet
-	u_char** dpp;		// points to current position in DNS packet
-	u_char** last_dn_ptr;	// points to last entry in dn_ptrs
-};
-
-#endif
diff --git a/src/DPM.cc b/src/DPM.cc
index 35111a38fa..95c219182e 100644
--- a/src/DPM.cc
+++ b/src/DPM.cc
@@ -10,6 +10,7 @@
 #include "BackDoor.h"
 #include "InterConn.h"
 #include "SteppingStone.h"
+#include "ConnSizeAnalyzer.h"
 
 
 ExpectedConn::ExpectedConn(const uint32* _orig, const uint32* _resp,
@@ -189,6 +190,8 @@ bool DPM::BuildInitialAnalyzerTree(TransportProto proto, Connection* conn,
 					const u_char* data)
 	{
 	TCP_Analyzer* tcp = 0;
+	UDP_Analyzer* udp = 0;
+	ICMP_Analyzer* icmp = 0;
 	TransportLayerAnalyzer* root = 0;
 	AnalyzerTag::Tag expected = AnalyzerTag::Error;
 	analyzer_map* ports = 0;
@@ -206,7 +209,7 @@ bool DPM::BuildInitialAnalyzerTree(TransportProto proto, Connection* conn,
 		break;
 
 	case TRANSPORT_UDP:
-		root = new UDP_Analyzer(conn);
+		root = udp = new UDP_Analyzer(conn);
 		pia = new PIA_UDP(conn);
 		expected = GetExpected(proto, conn);
 		ports = &udp_ports;
@@ -221,15 +224,23 @@ bool DPM::BuildInitialAnalyzerTree(TransportProto proto, Connection* conn,
 		case ICMP_ECHOREPLY:
 			if ( ICMP_Echo_Analyzer::Available() )
 				{
-				root = new ICMP_Echo_Analyzer(conn);
+				root = icmp = new ICMP_Echo_Analyzer(conn);
 				DBG_DPD(conn, "activated ICMP Echo analyzer");
 				}
 			break;
 
+		case ICMP_REDIRECT:
+			if ( ICMP_Redir_Analyzer::Available() )
+				{
+				root = new ICMP_Redir_Analyzer(conn);
+				DBG_DPD(conn, "activated ICMP Redir analyzer");
+				}
+			break;
+
 		case ICMP_UNREACH:
 			if ( ICMP_Unreachable_Analyzer::Available() )
 				{
-				root = new ICMP_Unreachable_Analyzer(conn);
+				root = icmp = new ICMP_Unreachable_Analyzer(conn);
 				DBG_DPD(conn, "activated ICMP Unreachable analyzer");
 				}
 			break;
@@ -237,14 +248,14 @@ bool DPM::BuildInitialAnalyzerTree(TransportProto proto, Connection* conn,
 		case ICMP_TIMXCEED:
 			if ( ICMP_TimeExceeded_Analyzer::Available() )
 				{
-				root = new ICMP_TimeExceeded_Analyzer(conn);
+				root = icmp = new ICMP_TimeExceeded_Analyzer(conn);
 				DBG_DPD(conn, "activated ICMP Time Exceeded analyzer");
 				}
 			break;
 		}
 
 		if ( ! root )
-			root = new ICMP_Analyzer(conn);
+			root = icmp = new ICMP_Analyzer(conn);
 
 		analyzed = true;
 		break;
@@ -363,6 +374,16 @@ bool DPM::BuildInitialAnalyzerTree(TransportProto proto, Connection* conn,
 		// we cannot add it as a normal child.
 		if ( TCPStats_Analyzer::Available() )
 			tcp->AddChildPacketAnalyzer(new TCPStats_Analyzer(conn));
+
+		// Add ConnSize analyzer. Needs to see packets, not stream.
+		if ( ConnSize_Analyzer::Available() )
+			tcp->AddChildPacketAnalyzer(new ConnSize_Analyzer(conn));
+		}
+
+	else
+		{
+		if ( ConnSize_Analyzer::Available() )
+			root->AddChildAnalyzer(new ConnSize_Analyzer(conn), false);
 		}
 
 	if ( pia )
@@ -381,7 +402,7 @@ bool DPM::BuildInitialAnalyzerTree(TransportProto proto, Connection* conn,
 	if ( expected != AnalyzerTag::Error  )
 		conn->Event(expected_connection_seen, 0,
 				new Val(expected, TYPE_COUNT));
-	
+
 	return true;
 	}
 
diff --git a/src/Debug.cc b/src/Debug.cc
index da67c941e4..272d6739ae 100644
--- a/src/Debug.cc
+++ b/src/Debug.cc
@@ -343,7 +343,7 @@ vector<ParseLocationRec> parse_location_string(const string& s)
 				plr.type = plrUnknown;
 
 			FILE* throwaway = search_for_file(filename.c_str(), "bro",
-								&full_filename);
+								&full_filename, true);
 			if ( ! throwaway )
 				{
 				debug_msg("No such policy file: %s.\n", filename.c_str());
diff --git a/src/DebugLogger.cc b/src/DebugLogger.cc
index 9ab0bde380..3c9dbad363 100644
--- a/src/DebugLogger.cc
+++ b/src/DebugLogger.cc
@@ -17,6 +17,7 @@ DebugLogger::Stream DebugLogger::streams[NUM_DBGS] = {
 	{ "compressor", 0, false }, {"string", 0, false },
 	{ "notifiers", 0, false },  { "main-loop", 0, false },
 	{ "dpd", 0, false }, { "tm", 0, false },
+	{ "logging", 0, false }
 };
 
 DebugLogger::DebugLogger(const char* filename)
diff --git a/src/DebugLogger.h b/src/DebugLogger.h
index 3d8c1ac83f..49c875a5c4 100644
--- a/src/DebugLogger.h
+++ b/src/DebugLogger.h
@@ -20,11 +20,12 @@ enum DebugStream {
 	DBG_STATE,	// StateAccess logging
 	DBG_CHUNKEDIO,	// ChunkedIO logging
 	DBG_COMPRESSOR,	// Connection compressor
-	DBG_STRING,     // String code
-	DBG_NOTIFIERS,   // Notifiers (see StateAccess.h)
+	DBG_STRING,	// String code
+	DBG_NOTIFIERS,	// Notifiers (see StateAccess.h)
 	DBG_MAINLOOP,	// Main IOSource loop
 	DBG_DPD,	// Dynamic application detection framework
-	DBG_TM,	// Time-machine packet input via Brocolli
+	DBG_TM,		// Time-machine packet input via Brocolli
+	DBG_LOGGING,	// Logging streams
 
 	NUM_DBGS // Has to be last
 };
diff --git a/src/Desc.cc b/src/Desc.cc
index 0a494bcd9c..c15a461bb2 100644
--- a/src/Desc.cc
+++ b/src/Desc.cc
@@ -41,6 +41,9 @@ ODesc::ODesc(desc_type t, BroFile* arg_f)
 	want_quotes = 0;
 	do_flush = 1;
 	include_stats = 0;
+	indent_with_spaces = 0;
+	escape = 0;
+	escape_len = 0;
 	}
 
 ODesc::~ODesc()
@@ -54,6 +57,12 @@ ODesc::~ODesc()
 		free(base);
 	}
 
+void ODesc::SetEscape(const char* arg_escape, int len)
+	{
+	escape = arg_escape;
+	escape_len = len;
+	}
+
 void ODesc::PushIndent()
 	{
 	++indent_level;
@@ -67,6 +76,12 @@ void ODesc::PopIndent()
 	NL();
 	}
 
+void ODesc::PopIndentNoNL()
+	{
+	if ( --indent_level < 0 )
+		internal_error("ODesc::PopIndent underflow");
+	}
+
 void ODesc::Add(const char* s, int do_indent)
 	{
 	unsigned int n = strlen(s);
@@ -105,7 +120,6 @@ void ODesc::Add(uint32 u)
 		}
 	}
 
-#ifdef USE_INT64
 void ODesc::Add(int64 i)
 	{
 	if ( IsBinary() )
@@ -113,7 +127,7 @@ void ODesc::Add(int64 i)
 	else
 		{
 		char tmp[256];
-		sprintf(tmp, "%lld", i);
+		sprintf(tmp, "%" PRId64, i);
 		Add(tmp);
 		}
 	}
@@ -125,11 +139,10 @@ void ODesc::Add(uint64 u)
 	else
 		{
 		char tmp[256];
-		sprintf(tmp, "%llu", u);
+		sprintf(tmp, "%" PRIu64, u);
 		Add(tmp);
 		}
 	}
-#endif
 
 void ODesc::Add(double d)
 	{
@@ -181,12 +194,87 @@ void ODesc::AddBytes(const BroString* s)
 
 void ODesc::Indent()
 	{
-	for ( int i = 0; i < indent_level; ++i )
-		Add("\t", 0);
+	if ( indent_with_spaces > 0 )
+		{
+		for ( int i = 0; i < indent_level; ++i )
+			for ( int j = 0; j < indent_with_spaces; ++j )
+				Add(" ", 0);
+		}
+	else
+		{
+		for ( int i = 0; i < indent_level; ++i )
+			Add("\t", 0);
+		}
 	}
 
+static const char hex_chars[] = "0123456789abcdef";
+
+static const char* find_first_unprintable(ODesc* d, const char* bytes, unsigned int n)
+	{
+	if ( d->IsBinary() )
+		return 0;
+
+	while ( n-- )
+		{
+		if ( ! isprint(*bytes) )
+			return bytes;
+		++bytes;
+		}
+
+	return 0;
+	}
 
 void ODesc::AddBytes(const void* bytes, unsigned int n)
+	{
+	const char* s = (const char*) bytes;
+	const char* e = (const char*) bytes + n;
+
+	while ( s < e )
+		{
+		const char* t1 = escape ? (const char*) memchr(s, escape[0], e - s) : e;
+		const char* t2 = find_first_unprintable(this, s, t1 ? e - t1 : e - s);
+
+		if ( t2 && (t2 < t1 || ! t1) )
+			{
+			AddBytesRaw(s, t2 - s);
+
+			char hex[6] = "\\x00";
+			hex[2] = hex_chars[((*t2) & 0xf0) >> 4];
+			hex[3] = hex_chars[(*t2) & 0x0f];
+			AddBytesRaw(hex, sizeof(hex));
+
+			s = t2 + 1;
+			continue;
+			}
+
+		if ( ! escape )
+			break;
+
+		if ( ! t1 )
+			break;
+
+		if ( memcmp(t1, escape, escape_len) != 0 )
+			break;
+
+		AddBytesRaw(s, t1 - s);
+
+		for ( int i = 0; i < escape_len; ++i )
+			{
+			char hex[5] = "\\x00";
+			hex[2] = hex_chars[((*t1) & 0xf0) >> 4];
+			hex[3] = hex_chars[(*t1) & 0x0f];
+			AddBytesRaw(hex, sizeof(hex));
+			++t1;
+			}
+
+		s = t1;
+		}
+
+	if ( s < e )
+		AddBytesRaw(s, e - s);
+	}
+
+void ODesc::AddBytesRaw(const void* bytes, unsigned int n)
 	{
 	if ( n == 0 )
 		return;
diff --git a/src/Desc.h b/src/Desc.h
index de09f12be4..f6e2756efc 100644
--- a/src/Desc.h
+++ b/src/Desc.h
@@ -49,18 +49,23 @@ public:
 
 	void SetFlush(int arg_do_flush)	{ do_flush = arg_do_flush; }
 
+	// The string passed in must remain valid as long as this object lives.
+	void SetEscape(const char* escape, int len);
+
 	void PushIndent();
 	void PopIndent();
+	void PopIndentNoNL();
 	int GetIndentLevel() const	{ return indent_level; }
 
+	int IndentSpaces() const	{ return indent_with_spaces; }
+	void SetIndentSpaces(int i)	{ indent_with_spaces = i; }
+
 	void Add(const char* s, int do_indent=1);
 	void AddN(const char* s, int len)	{ AddBytes(s, len); }
 	void Add(int i);
 	void Add(uint32 u);
-#ifdef USE_INT64
 	void Add(int64 i);
 	void Add(uint64 u);
-#endif
 	void Add(double d);
 
 	// Add s as a counted string.
@@ -95,6 +100,9 @@ public:
 				Add("\n", 0);
 			}
 
+	// Bypasses the escaping enabled via SetEscape().
+	void AddRaw(const char* s, int len)	{ AddBytesRaw(s, len); }
+
 	// Returns the description as a string.
 	const char* Description() const		{ return (const char*) base; }
 
@@ -117,6 +125,7 @@ protected:
 	void Indent();
 
 	void AddBytes(const void* bytes, unsigned int n);
+	void AddBytesRaw(const void* bytes, unsigned int n);
 
 	// Make buffer big enough for n bytes beyond bufp.
 	void Grow(unsigned int n);
@@ -130,6 +139,9 @@ protected:
 	unsigned int offset;	// where we are in the buffer
 	unsigned int size;	// size of buffer in bytes
 
+	int escape_len;	// number of bytes in to escape sequence
+	const char* escape;	// bytes to escape on output
+
 	BroFile* f;	// or the file we're using.
 
 	int indent_level;
@@ -137,6 +149,7 @@ protected:
 	int want_quotes;
 	int do_flush;
 	int include_stats;
+	int indent_with_spaces;
 };
 
 #endif
diff --git a/src/Event.cc b/src/Event.cc
index b5dd589f43..f761cc4d08 100644
--- a/src/Event.cc
+++ b/src/Event.cc
@@ -120,9 +120,6 @@ void EventMgr::Drain()
 
 	// Note: we might eventually need a general way to specify things to
 	// do after draining events.
-	extern void flush_rewriter_packet();
-	flush_rewriter_packet();
-
 	draining = false;
 
 	// We evaluate Triggers here. While this is somewhat unrelated to event
diff --git a/src/EventHandler.cc b/src/EventHandler.cc
index 9df18ab007..9cc5306c9c 100644
--- a/src/EventHandler.cc
+++ b/src/EventHandler.cc
@@ -23,6 +23,11 @@ EventHandler::~EventHandler()
 	delete [] group;
 	}
 
+EventHandler::operator bool() const
+	{
+	return enabled && ((local && local->HasBodies()) || receivers.length());
+	}
+
 FuncType* EventHandler::FType()
 	{
 	if ( type )
diff --git a/src/EventHandler.h b/src/EventHandler.h
index de4d1a1458..4320134d50 100644
--- a/src/EventHandler.h
+++ b/src/EventHandler.h
@@ -34,8 +34,7 @@ public:
 	void Call(val_list* vl, bool no_remote = false);
 
 	// Returns true if there is at least one local or remote handler.
-	operator  bool() const
-		{ return enabled && (local || receivers.length()); }
+	operator  bool() const;
 
 	void SetUsed()          { used = true; }
 	bool Used()             { return used; }
diff --git a/src/Expr.cc b/src/Expr.cc
index 77466f2a55..c3589facca 100644
--- a/src/Expr.cc
+++ b/src/Expr.cc
@@ -284,7 +284,7 @@ Val* NameExpr::Eval(Frame* f) const
 	Val* v;
 
 	if ( id->AsType() )
-		RunTime("cannot evaluate type name");
+		return new Val(id->AsType(), true);
 
 	if ( id->IsGlobal() )
 		v = id->ID_Val();
@@ -494,8 +494,7 @@ Val* UnaryExpr::Eval(Frame* f) const
 		VectorVal* v_op = v->AsVectorVal();
 		VectorVal* result = new VectorVal(Type()->AsVectorType());
 
-		for ( unsigned int i = VECTOR_MIN;
-		      i < v_op->Size() + VECTOR_MIN; ++i )
+		for ( unsigned int i = 0; i < v_op->Size(); ++i )
 			{
 			Val* v_i = v_op->Lookup(i);
 			result->Assign(i, v_i ? Fold(v_i) : 0, this);
@@ -633,8 +632,7 @@ Val* BinaryExpr::Eval(Frame* f) const
 
 		VectorVal* v_result = new VectorVal(Type()->AsVectorType());
 
-		for ( unsigned int i = VECTOR_MIN;
-		      i < v_op1->Size() + VECTOR_MIN; ++i )
+		for ( unsigned int i = 0; i < v_op1->Size(); ++i )
 			{
 			if ( v_op1->Lookup(i) && v_op2->Lookup(i) )
 				v_result->Assign(i,
@@ -656,8 +654,7 @@ Val* BinaryExpr::Eval(Frame* f) const
 		VectorVal* vv = (is_vec1 ? v1 : v2)->AsVectorVal();
 		VectorVal* v_result = new VectorVal(Type()->AsVectorType());
 
-		for ( unsigned int i = VECTOR_MIN;
-		      i < vv->Size() + VECTOR_MIN; ++i )
+		for ( unsigned int i = 0; i < vv->Size(); ++i )
 			{
 			Val* vv_i = vv->Lookup(i);
 			if ( vv_i )
@@ -1063,8 +1060,7 @@ Val* IncrExpr::Eval(Frame* f) const
 	if ( is_vector(v) )
 		{
 		VectorVal* v_vec = v->AsVectorVal();
-		for ( unsigned int i = VECTOR_MIN;
-		      i < v_vec->Size() + VECTOR_MIN; ++i )
+		for ( unsigned int i = 0; i < v_vec->Size(); ++i )
 			{
 			Val* elt = v_vec->Lookup(i);
 			if ( elt )
@@ -1941,7 +1937,7 @@ Val* BoolExpr::Eval(Frame* f) const
 			{
 			result = new VectorVal(Type()->AsVectorType());
 			result->Resize(vector_v->Size());
-			result->AssignRepeat(VECTOR_MIN, result->Size(),
+			result->AssignRepeat(0, result->Size(),
 						scalar_v, this);
 			}
 		else
@@ -1970,8 +1966,7 @@ Val* BoolExpr::Eval(Frame* f) const
 	VectorVal* result = new VectorVal(Type()->AsVectorType());
 	result->Resize(vec_v1->Size());
 
-	for ( unsigned int i = VECTOR_MIN;
-	      i < vec_v1->Size() + VECTOR_MIN; ++i )
+	for ( unsigned int i = 0; i < vec_v1->Size(); ++i )
 		{
 		Val* op1 = vec_v1->Lookup(i);
 		Val* op2 = vec_v2->Lookup(i);
@@ -2353,7 +2348,7 @@ Val* CondExpr::Eval(Frame* f) const
 	VectorVal* result = new VectorVal(Type()->AsVectorType());
 	result->Resize(cond->Size());
 
-	for ( unsigned int i = VECTOR_MIN; i < cond->Size() + VECTOR_MIN; ++i )
+	for ( unsigned int i = 0; i < cond->Size(); ++i )
 		{
 		Val* local_cond = cond->Lookup(i);
 		if ( local_cond )
@@ -2497,12 +2492,7 @@ AssignExpr::AssignExpr(Expr* arg_op1, Expr* arg_op2, int arg_is_init,
 bool AssignExpr::TypeCheck()
 	{
 	TypeTag bt1 = op1->Type()->Tag();
-	if ( IsVector(bt1) )
-		bt1 = op1->Type()->AsVectorType()->YieldType()->Tag();
-
 	TypeTag bt2 = op2->Type()->Tag();
-	if ( IsVector(bt2) )
-		bt2 = op2->Type()->AsVectorType()->YieldType()->Tag();
 
 	if ( bt1 == TYPE_LIST && bt2 == TYPE_ANY )
 		// This is ok because we cannot explicitly declare lists on
@@ -2531,16 +2521,42 @@ bool AssignExpr::TypeCheck()
 		return true;
 		}
 
+	if ( bt1 == TYPE_VECTOR && bt2 == bt1 &&
+	     op2->Type()->AsVectorType()->IsUnspecifiedVector() )
+		{
+		op2 = new VectorCoerceExpr(op2, op1->Type()->AsVectorType());
+		return true;
+		}
+
+	if ( op1->Type()->Tag() == TYPE_RECORD &&
+	     op2->Type()->Tag() == TYPE_RECORD )
+		{
+		if ( same_type(op1->Type(), op2->Type()) )
+			{
+			RecordType* rt1 = op1->Type()->AsRecordType();
+			RecordType* rt2 = op2->Type()->AsRecordType();
+
+			// Make sure the attributes match as well.
+			for ( int i = 0; i < rt1->NumFields(); ++i )
+				{
+				const TypeDecl* td1 = rt1->FieldDecl(i);
+				const TypeDecl* td2 = rt2->FieldDecl(i);
+
+				if ( same_attrs(td1->attrs, td2->attrs) )
+					// Everything matches.
+					return true;
+				}
+			}
+
+		// Need to coerce.
+		op2 = new RecordCoerceExpr(op2, op1->Type()->AsRecordType());
+		return true;
+		}
+
 	if ( ! same_type(op1->Type(), op2->Type()) )
 		{
-		if ( op1->Type()->Tag() == TYPE_RECORD &&
-		     op2->Type()->Tag() == TYPE_RECORD )
-			op2 = new RecordCoerceExpr(op2, op1->Type()->AsRecordType());
-		else
-			{
-			ExprError("type clash in assignment");
-			return false;
-			}
+		ExprError("type clash in assignment");
+		return false;
 		}
 
 	return true;
@@ -2611,7 +2627,6 @@ Val* AssignExpr::Eval(Frame* f) const
 	if ( v )
 		{
 		op1->Assign(f, v);
-		//### op1->SetAttribs();
 		return val ? val->Ref() : v->Ref();
 		}
 	else
@@ -2931,8 +2946,7 @@ Val* IndexExpr::Eval(Frame* f) const
 				return 0;
 				}
 
-			for ( unsigned int i = VECTOR_MIN;
-			      i < v_v2->Size() + VECTOR_MIN; ++i )
+			for ( unsigned int i = 0; i < v_v2->Size(); ++i )
 				{
 				if ( v_v2->Lookup(i)->AsBool() )
 					v_result->Assign(v_result->Size() + 1, v_v1->Lookup(i), this);
@@ -2944,8 +2958,7 @@ Val* IndexExpr::Eval(Frame* f) const
 			// S does, i.e., by excluding those elements.
 			// Probably only do this if *all* are negative.
 			v_result->Resize(v_v2->Size());
-			for ( unsigned int i = VECTOR_MIN;
-			      i < v_v2->Size() + VECTOR_MIN; ++i )
+			for ( unsigned int i = 0; i < v_v2->Size(); ++i )
 				v_result->Assign(i, v_v1->Lookup(v_v2->Lookup(i)->CoerceToInt()), this);
 			}
 		}
@@ -3062,13 +3075,6 @@ FieldExpr::FieldExpr(Expr* arg_op, const char* arg_field_name)
 	if ( IsError() )
 		return;
 
-	if ( streq(arg_field_name, "attr") )
-		{
-		field = -1;
-		SetType(op->Type()->AttributesType()->Ref());
-		return;
-		}
-
 	if ( ! IsRecord(op->Type()->Tag()) )
 		ExprError("not a record");
 	else
@@ -3100,18 +3106,18 @@ Expr* FieldExpr::Simplify(SimplifyType simp_type)
 	return this;
 	}
 
+int FieldExpr::CanDel() const
+	{
+	return td->FindAttr(ATTR_DEFAULT) || td->FindAttr(ATTR_OPTIONAL);
+	}
+
 void FieldExpr::Assign(Frame* f, Val* v, Opcode opcode)
 	{
-	if ( IsError() || ! v )
+	if ( IsError() )
 		return;
 
 	if ( field < 0 )
-		{
-		Val* lhs = op->Eval(f);
-		lhs->SetAttribs(v->AsRecordVal());
-		Unref(lhs);
-		return;
-		}
+		ExprError("no such field in record");
 
 	Val* op_v = op->Eval(f);
 	if ( op_v )
@@ -3122,11 +3128,13 @@ void FieldExpr::Assign(Frame* f, Val* v, Opcode opcode)
 		}
 	}
 
+void FieldExpr::Delete(Frame* f)
+	{
+	Assign(f, 0, OP_ASSIGN_IDX);
+	}
+
 Val* FieldExpr::Fold(Val* v) const
 	{
-	if ( field < 0 )
-		return v->GetAttribs(true)->Ref();
-
 	Val* result = v->AsRecordVal()->Lookup(field);
 	if ( result )
 		return result->Ref();
@@ -3179,24 +3187,20 @@ bool FieldExpr::DoUnserialize(UnserialInfo* info)
 	return td != 0;
 	}
 
-HasFieldExpr::HasFieldExpr(Expr* arg_op, const char* arg_field_name,
-			   bool arg_is_attr)
+HasFieldExpr::HasFieldExpr(Expr* arg_op, const char* arg_field_name)
 : UnaryExpr(EXPR_HAS_FIELD, arg_op)
 	{
 	field_name = arg_field_name;
-	is_attr = arg_is_attr;
 	field = 0;
 
 	if ( IsError() )
 		return;
 
-	if ( ! is_attr && ! IsRecord(op->Type()->Tag()) )
+	if ( ! IsRecord(op->Type()->Tag()) )
 		ExprError("not a record");
 	else
 		{
-		RecordType* rt = is_attr ?
-					op->Type()->AttributesType() :
-					op->Type()->AsRecordType();
+		RecordType* rt = op->Type()->AsRecordType();
 		field = rt->FieldOffset(field_name);
 
 		if ( field < 0 )
@@ -3215,10 +3219,7 @@ Val* HasFieldExpr::Fold(Val* v) const
 	{
 	RecordVal* rec_to_look_at;
 
-	if ( is_attr )
-		rec_to_look_at = v->GetAttribs(false);
-	else
-		rec_to_look_at = v->AsRecordVal();
+	rec_to_look_at = v->AsRecordVal();
 
 	if ( ! rec_to_look_at )
 		return new Val(0, TYPE_BOOL);
@@ -3235,12 +3236,7 @@ void HasFieldExpr::ExprDescribe(ODesc* d) const
 	op->Describe(d);
 
 	if ( d->IsReadable() )
-		{
-		if ( is_attr )
-			d->Add("?$$");
-		else
-			d->Add("?$");
-		}
+		d->Add("?$");
 
 	if ( IsError() )
 		d->Add("<error>");
@@ -3255,13 +3251,17 @@ IMPLEMENT_SERIAL(HasFieldExpr, SER_HAS_FIELD_EXPR);
 bool HasFieldExpr::DoSerialize(SerialInfo* info) const
 	{
 	DO_SERIALIZE(SER_HAS_FIELD_EXPR, UnaryExpr);
-	return SERIALIZE(is_attr) && SERIALIZE(field_name) && SERIALIZE(field);
+
+	// Serialize the former "bool is_attr" first for backwards compatibility.
+	return SERIALIZE(false) && SERIALIZE(field_name) && SERIALIZE(field);
 	}
 
 bool HasFieldExpr::DoUnserialize(UnserialInfo* info)
 	{
 	DO_UNSERIALIZE(UnaryExpr);
-	return UNSERIALIZE(&is_attr) && UNSERIALIZE_STR(&field_name, 0) && UNSERIALIZE(&field);
+	// Unserialize the former "bool is_attr" first for backwards compatibility.
+	bool not_used;
+	return UNSERIALIZE(&not_used) && UNSERIALIZE_STR(&field_name, 0) && UNSERIALIZE(&field);
 	}
 
 RecordConstructorExpr::RecordConstructorExpr(ListExpr* constructor_list)
@@ -3314,48 +3314,12 @@ RecordConstructorExpr::RecordConstructorExpr(ListExpr* constructor_list)
 
 Val* RecordConstructorExpr::InitVal(const BroType* t, Val* aggr) const
 	{
-	if ( ! aggr )
-		aggr = new RecordVal(const_cast<RecordType*>(t->AsRecordType()));
+	RecordVal* rv = Eval(0)->AsRecordVal();
+	RecordVal* ar = rv->CoerceTo(t->AsRecordType(), aggr);
 
-	if ( record_promotion_compatible(t->AsRecordType(), Type()->AsRecordType()) )
+	if ( ar )
 		{
-		RecordVal* ar = aggr->AsRecordVal();
-		RecordType* ar_t = aggr->Type()->AsRecordType();
-
-		RecordVal* rv = Eval(0)->AsRecordVal();
-		RecordType* rv_t = rv->Type()->AsRecordType();
-
-		int i;
-		for ( i = 0; i < rv_t->NumFields(); ++i )
-			{
-			int t_i = ar_t->FieldOffset(rv_t->FieldName(i));
-
-			if ( t_i < 0 )
-				{
-				char buf[512];
-				safe_snprintf(buf, sizeof(buf),
-					      "orphan field \"%s\" in initialization",
-					      rv_t->FieldName(i));
-				Error(buf);
-				break;
-				}
-
-			else
-				ar->Assign(t_i, rv->Lookup(i)->Ref());
-			}
-
-		for ( i = 0; i < ar_t->NumFields(); ++i )
-			if ( ! ar->Lookup(i) &&
-			     ! ar_t->FieldDecl(i)->FindAttr(ATTR_OPTIONAL) )
-				{
-				char buf[512];
-				safe_snprintf(buf, sizeof(buf),
-					      "non-optional field \"%s\" missing in initialization", ar_t->FieldName(i));
-				Error(buf);
-				}
-
 		Unref(rv);
-
 		return ar;
 		}
 
@@ -3424,7 +3388,7 @@ TableConstructorExpr::TableConstructorExpr(ListExpr* constructor_list,
 			SetError("values in table(...) constructor do not specify a table");
 		}
 
-	attrs = arg_attrs ? new Attributes(arg_attrs, type) : 0;
+	attrs = arg_attrs ? new Attributes(arg_attrs, type, false) : 0;
 	}
 
 Val* TableConstructorExpr::Eval(Frame* f) const
@@ -3490,7 +3454,7 @@ SetConstructorExpr::SetConstructorExpr(ListExpr* constructor_list,
 	else if ( type->Tag() != TYPE_TABLE || ! type->AsTableType()->IsSet() )
 		SetError("values in set(...) constructor do not specify a set");
 
-	attrs = arg_attrs ? new Attributes(arg_attrs, type) : 0;
+	attrs = arg_attrs ? new Attributes(arg_attrs, type, false) : 0;
 	}
 
 Val* SetConstructorExpr::Eval(Frame* f) const
@@ -3507,8 +3471,6 @@ Val* SetConstructorExpr::Eval(Frame* f) const
 		aggr->Assign(element, 0);
 		}
 
-	aggr->AsTableVal()->SetAttrs(attrs);
-
 	return aggr;
 	}
 
@@ -3549,6 +3511,13 @@ VectorConstructorExpr::VectorConstructorExpr(ListExpr* constructor_list)
 	if ( IsError() )
 		return;
 
+	if ( constructor_list->Exprs().length() == 0 )
+		{
+		// vector().
+		SetType(new ::VectorType(base_type(TYPE_ANY)));
+		return;
+		}
+
 	BroType* t = merge_type_list(constructor_list);
 	if ( t )
 		{
@@ -3575,9 +3544,9 @@ Val* VectorConstructorExpr::Eval(Frame* f) const
 		{
 		Expr* e = exprs[i];
 		Val* v = e->Eval(f);
-		if ( ! vec->Assign(i + VECTOR_MIN, v, e) )
+		if ( ! vec->Assign(i, v, e) )
 			{
-			Error(fmt("type mismatch at index %d", i + VECTOR_MIN), e);
+			Error(fmt("type mismatch at index %d", i), e);
 			return 0;
 			}
 		}
@@ -3599,9 +3568,9 @@ Val* VectorConstructorExpr::InitVal(const BroType* t, Val* aggr) const
 		Expr* e = exprs[i];
 		Val* v = check_and_promote(e->Eval(0), vt, 1);
 
-		if ( ! v || ! vec->Assign(i + VECTOR_MIN, v, e) )
+		if ( ! v || ! vec->Assign(i, v, e) )
 			{
-			Error(fmt("initialization type mismatch at index %d", i + VECTOR_MIN), e);
+			Error(fmt("initialization type mismatch at index %d", i), e);
 			return 0;
 			}
 		}
@@ -3960,7 +3929,7 @@ Val* ArithCoerceExpr::Fold(Val* v) const
 
 	VectorVal* vv = v->AsVectorVal();
 	VectorVal* result = new VectorVal(Type()->AsVectorType());
-	for ( unsigned int i = VECTOR_MIN; i < vv->Size() + VECTOR_MIN; ++i )
+	for ( unsigned int i = 0; i < vv->Size(); ++i )
 		{
 		Val* elt = vv->Lookup(i);
 		if ( elt )
@@ -4020,15 +3989,8 @@ RecordCoerceExpr::RecordCoerceExpr(Expr* op, RecordType* r)
 			{
 			int t_i = t_r->FieldOffset(sub_r->FieldName(i));
 			if ( t_i < 0 )
-				{
-				// Same as in RecordConstructorExpr::InitVal.
-				char buf[512];
-				safe_snprintf(buf, sizeof(buf),
-					      "orphan record field \"%s\"",
-					      sub_r->FieldName(i));
-				Error(buf);
+				// Orphane field in rhs, that's ok.
 				continue;
-				}
 
 			BroType* sub_t_i = sub_r->FieldType(i);
 			BroType* sup_t_i = t_r->FieldType(t_i);
@@ -4073,7 +4035,23 @@ Val* RecordCoerceExpr::Fold(Val* v) const
 	for ( int i = 0; i < map_size; ++i )
 		{
 		if ( map[i] >= 0 )
-			val->Assign(i, rv->Lookup(map[i])->Ref());
+			{
+			Val* rhs = rv->Lookup(map[i]);
+			if ( ! rhs )
+				{
+				const Attr* def = rv->Type()->AsRecordType()->FieldDecl(
+					map[i])->FindAttr(ATTR_DEFAULT);
+
+				if ( def )
+					rhs = def->AttrExpr()->Eval(0);
+				}
+
+			if ( rhs )
+				rhs = rhs->Ref();
+
+			assert(rhs || Type()->AsRecordType()->FieldDecl(i)->FindAttr(ATTR_OPTIONAL));
+			val->Assign(i, rhs);
+			}
 		else
 			val->Assign(i, 0);
 		}
@@ -4158,6 +4136,50 @@ bool TableCoerceExpr::DoUnserialize(UnserialInfo* info)
 	return true;
 	}
 
+VectorCoerceExpr::VectorCoerceExpr(Expr* op, VectorType* v)
+: UnaryExpr(EXPR_VECTOR_COERCE, op)
+	{
+	if ( IsError() )
+		return;
+
+	SetType(v->Ref());
+
+	if ( Type()->Tag() != TYPE_VECTOR )
+		ExprError("coercion to non-vector");
+
+	else if ( op->Type()->Tag() != TYPE_VECTOR )
+		ExprError("coercion of non-vector to vector");
+	}
+
+
+VectorCoerceExpr::~VectorCoerceExpr()
+	{
+	}
+
+Val* VectorCoerceExpr::Fold(Val* v) const
+	{
+	VectorVal* vv = v->AsVectorVal();
+
+	if ( vv->Size() > 0 )
+		Internal("coercion of non-empty vector");
+
+	return new VectorVal(Type()->Ref()->AsVectorType());
+	}
+
+IMPLEMENT_SERIAL(VectorCoerceExpr, SER_VECTOR_COERCE_EXPR);
+
+bool VectorCoerceExpr::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_VECTOR_COERCE_EXPR, UnaryExpr);
+	return true;
+	}
+
+bool VectorCoerceExpr::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(UnaryExpr);
+	return true;
+	}
+
 FlattenExpr::FlattenExpr(Expr* arg_op)
 : UnaryExpr(EXPR_FLATTEN, arg_op)
 	{
@@ -5024,9 +5046,9 @@ Val* ListExpr::InitVal(const BroType* t, Val* aggr) const
 			{
 			Expr* e = exprs[i];
 			Val* v = e->Eval(0);
-			if ( ! vec->Assign(i + VECTOR_MIN, v, e) )
+			if ( ! vec->Assign(i, v, e) )
 				{
-				e->Error(fmt("type mismatch at index %d",  i + VECTOR_MIN));
+				e->Error(fmt("type mismatch at index %d", i));
 				return 0;
 				}
 
@@ -5334,27 +5356,52 @@ int check_and_promote_expr(Expr*& e, BroType* t)
 		return 1;
 		}
 
-	else if ( ! same_type(t, et) )
+	if ( t->Tag() == TYPE_RECORD && et->Tag() == TYPE_RECORD )
 		{
-		if ( t->Tag() == TYPE_RECORD && et->Tag() == TYPE_RECORD )
-			{
-			RecordType* t_r = t->AsRecordType();
-			RecordType* et_r = et->AsRecordType();
+		RecordType* t_r = t->AsRecordType();
+		RecordType* et_r = et->AsRecordType();
 
-			if ( record_promotion_compatible(t_r, et_r) )
+		if ( same_type(t, et) )
+			{
+			// Make sure the attributes match as well.
+			for ( int i = 0; i < t_r->NumFields(); ++i )
 				{
-				e = new RecordCoerceExpr(e, t_r);
-				return 1;
+				const TypeDecl* td1 = t_r->FieldDecl(i);
+				const TypeDecl* td2 = et_r->FieldDecl(i);
+
+				if ( same_attrs(td1->attrs, td2->attrs) )
+					// Everything matches perfectly.
+					return 1;
 				}
 			}
 
-		else if ( t->Tag() == TYPE_TABLE && et->Tag() == TYPE_TABLE &&
+		if ( record_promotion_compatible(t_r, et_r) )
+			{
+			e = new RecordCoerceExpr(e, t_r);
+			return 1;
+			}
+
+		t->Error("incompatible record types", e);
+		return 0;
+		}
+
+
+	if ( ! same_type(t, et) )
+		{
+		if ( t->Tag() == TYPE_TABLE && et->Tag() == TYPE_TABLE &&
 			  et->AsTableType()->IsUnspecifiedTable() )
 			{
 			e = new TableCoerceExpr(e, t->AsTableType());
 			return 1;
 			}
 
+		if ( t->Tag() == TYPE_VECTOR && et->Tag() == TYPE_VECTOR &&
+		     et->AsVectorType()->IsUnspecifiedVector() )
+			{
+			e = new VectorCoerceExpr(e, t->AsVectorType());
+			return 1;
+			}
+
 		t->Error("type clash", e);
 		return 0;
 		}
diff --git a/src/Expr.h b/src/Expr.h
index c078d4651c..0f6ee67106 100644
--- a/src/Expr.h
+++ b/src/Expr.h
@@ -40,7 +40,10 @@ typedef enum {
 	EXPR_CALL,
 	EXPR_EVENT,
 	EXPR_SCHEDULE,
-	EXPR_ARITH_COERCE, EXPR_RECORD_COERCE, EXPR_TABLE_COERCE,
+	EXPR_ARITH_COERCE,
+	EXPR_RECORD_COERCE,
+	EXPR_TABLE_COERCE,
+	EXPR_VECTOR_COERCE,
 	EXPR_SIZE,
 	EXPR_FLATTEN,
 #define NUM_EXPRS (int(EXPR_FLATTEN) + 1)
@@ -685,8 +688,11 @@ public:
 
 	int Field() const	{ return field; }
 
+	int CanDel() const;
+
 	Expr* Simplify(SimplifyType simp_type);
 	void Assign(Frame* f, Val* v, Opcode op = OP_ASSIGN);
+	void Delete(Frame* f);
 
 	Expr* MakeLvalue();
 
@@ -709,7 +715,7 @@ protected:
 // "rec?$$attrname" is true if the attribute attrname is not nil.
 class HasFieldExpr : public UnaryExpr {
 public:
-	HasFieldExpr(Expr* op, const char* field_name, bool is_attr);
+	HasFieldExpr(Expr* op, const char* field_name);
 	~HasFieldExpr();
 
 protected:
@@ -895,6 +901,20 @@ protected:
 	DECLARE_SERIAL(TableCoerceExpr);
 };
 
+class VectorCoerceExpr : public UnaryExpr {
+public:
+	VectorCoerceExpr(Expr* op, VectorType* v);
+	~VectorCoerceExpr();
+
+protected:
+	friend class Expr;
+	VectorCoerceExpr()	{ }
+
+	Val* Fold(Val* v) const;
+
+	DECLARE_SERIAL(VectorCoerceExpr);
+};
+
 // An internal operator for flattening array indices that are records
 // into a list of individual values.
 class FlattenExpr : public UnaryExpr {
diff --git a/src/FTP.cc b/src/FTP.cc
index 79eb872d79..3dcf5722d8 100644
--- a/src/FTP.cc
+++ b/src/FTP.cc
@@ -10,7 +10,6 @@
 #include "FTP.h"
 #include "NVT.h"
 #include "Event.h"
-#include "TCP_Rewriter.h"
 
 FTP_Analyzer::FTP_Analyzer(Connection* conn)
 : TCP_ApplicationAnalyzer(AnalyzerTag::FTP, conn)
@@ -169,5 +168,3 @@ void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig)
 	ConnectionEvent(f, vl);
 	}
 
-
-#include "ftp-rw.bif.func_def"
diff --git a/src/FTP.h b/src/FTP.h
index f5d60fdf3b..c50d463b65 100644
--- a/src/FTP.h
+++ b/src/FTP.h
@@ -14,11 +14,6 @@ public:
 
 	virtual void Done();
 	virtual void DeliverStream(int len, const u_char* data, bool orig);
-	virtual int RewritingTrace()
-		{
-		return rewriting_ftp_trace ||
-			TCP_ApplicationAnalyzer::RewritingTrace();
-		}
 
 	static Analyzer* InstantiateAnalyzer(Connection* conn)
 		{
diff --git a/src/File.cc b/src/File.cc
index d72c67b4ef..a94b8706e7 100644
--- a/src/File.cc
+++ b/src/File.cc
@@ -5,11 +5,11 @@
 #include "config.h"
 
 #include <sys/types.h>
-#if TIME_WITH_SYS_TIME
+#ifdef TIME_WITH_SYS_TIME
 # include <sys/time.h>
 # include <time.h>
 #else
-# if HAVE_SYS_TIME_H
+# ifdef HAVE_SYS_TIME_H
 #  include <sys/time.h>
 # else
 #  include <time.h>
@@ -195,10 +195,9 @@ bool BroFile::Open(FILE* file)
 	InstallRotateTimer();
 
 	if ( ! f )
-		{
 		f = fopen(name, access);
-		SetBuf(buffered);
-		}
+
+	SetBuf(buffered);
 
 	if ( f )
 		{
@@ -217,11 +216,8 @@ bool BroFile::Open(FILE* file)
 		return false;
 		}
 
-	val_list* vl = new val_list;
-	Ref(this);
-	vl->append(new Val(this));
-	Event* event = new ::Event(::file_opened, vl);
-	mgr.Dispatch(event, true);
+	RaiseOpenEvent();
+
 	return true;
 	}
 
@@ -233,10 +229,7 @@ BroFile::~BroFile()
 
 	delete [] name;
 	delete [] access;
-
-#ifdef USE_OPENSSL
 	delete [] cipher_buffer;
-#endif
 
 #ifdef USE_PERFTOOLS
 	heap_checker->UnIgnoreObject(this);
@@ -257,12 +250,9 @@ void BroFile::Init()
 	print_hook = true;
 	raw_output = false;
 	t = 0;
-
-#ifdef USE_OPENSSL
 	pub_key = 0;
 	cipher_ctx = 0;
 	cipher_buffer = 0;
-#endif
 
 #ifdef USE_PERFTOOLS
 	heap_checker->IgnoreObject(this);
@@ -305,6 +295,7 @@ FILE* BroFile::BringIntoCache()
 		return f;
 		}
 
+	RaiseOpenEvent();
 	UpdateFileSize();
 
 	if ( fseek(f, position, SEEK_SET) < 0 )
@@ -348,9 +339,7 @@ int BroFile::Close()
 	if ( ! is_open )
 		return 1;
 
-#ifdef USE_OPENSSL
 	FinishEncrypt();
-#endif
 
 	// Do not close stdout/stderr.
 	if ( f == stdout || f == stderr )
@@ -640,19 +629,6 @@ void BroFile::CloseCachedFiles()
 		}
 	}
 
-#ifndef USE_OPENSSL
-
-void BroFile::InitEncrypt(const char* keyfile)
-	{
-	if ( keyfile )
-		{
-		error("file encryption requested, but OpenSSL support not compiled in.");
-		Close();
-		}
-	}
-
-#else
-
 void BroFile::InitEncrypt(const char* keyfile)
 	{
 	if ( ! (pub_key || keyfile) )
@@ -716,14 +692,12 @@ void BroFile::InitEncrypt(const char* keyfile)
 	int buf_size = MIN_BUFFER_SIZE + EVP_CIPHER_block_size(cipher_type);
 	cipher_buffer = new unsigned char[buf_size];
 	}
-#endif
 
 void BroFile::FinishEncrypt()
 	{
 	if ( ! is_open )
 		return;
 
-#ifdef USE_OPENSSL
 	if ( ! pub_key )
 		return;
 
@@ -742,7 +716,6 @@ void BroFile::FinishEncrypt()
 		delete cipher_ctx;
 		cipher_ctx = 0;
 		}
-#endif
 	}
 
 
@@ -757,13 +730,12 @@ int BroFile::Write(const char* data, int len)
 	if ( ! len )
 		len = strlen(data);
 
-#ifdef USE_OPENSSL
 	if ( cipher_ctx )
 		{
 		while ( len )
 			{
 			int outl;
-			int inl = min(MIN_BUFFER_SIZE, len);
+			int inl = min(+MIN_BUFFER_SIZE, len);
 
 			if ( ! EVP_SealUpdate(cipher_ctx, cipher_buffer, &outl,
 						(unsigned char*)data, inl) )
@@ -789,7 +761,6 @@ int BroFile::Write(const char* data, int len)
 
 		return 1;
 		}
-#endif
 
 	len = fwrite(data, 1, len, f);
 	if ( len <= 0 )
@@ -809,6 +780,18 @@ int BroFile::Write(const char* data, int len)
 	return true;
 	}
 
+void BroFile::RaiseOpenEvent()
+	{
+	if ( ! ::file_opened )
+		return;
+
+	val_list* vl = new val_list;
+	Ref(this);
+	vl->append(new Val(this));
+	Event* event = new ::Event(::file_opened, vl);
+	mgr.Dispatch(event, true);
+	}
+
 void BroFile::UpdateFileSize()
 	{
 	struct stat s;
diff --git a/src/File.h b/src/File.h
index aa76b665b6..dad0d6da8b 100644
--- a/src/File.h
+++ b/src/File.h
@@ -10,7 +10,6 @@
 #include "Obj.h"
 #include "Attr.h"
 
-#ifdef USE_OPENSSL
 # ifdef NEED_KRB5_H
 #  include <krb5.h>
 # endif // NEED_KRB5_H
@@ -19,7 +18,6 @@ extern "C" {
 # include "openssl/pem.h"
 # include "openssl/err.h"
 }
-#endif
 
 class BroType;
 class RotateTimer;
@@ -114,6 +112,9 @@ protected:
 	// Stats the file to get its current size.
 	void UpdateFileSize();
 
+	// Raises a file_opened event.
+	void RaiseOpenEvent();
+
 	// Initialize encryption with the given public key.
 	void InitEncrypt(const char* keyfile);
 	// Finalize encryption.
@@ -149,13 +150,11 @@ protected:
 	static double default_rotation_interval;
 	static double default_rotation_size;
 
-#ifdef USE_OPENSSL
 	EVP_PKEY* pub_key;
 	EVP_CIPHER_CTX* cipher_ctx;
 
 	static const int MIN_BUFFER_SIZE = 1024;
 	unsigned char* cipher_buffer;
-#endif
 
 };
 
diff --git a/src/FileAnalyzer.cc b/src/FileAnalyzer.cc
index 91645334ad..7f9e0b2c2d 100644
--- a/src/FileAnalyzer.cc
+++ b/src/FileAnalyzer.cc
@@ -7,10 +7,6 @@ magic_t File_Analyzer::magic = 0;
 magic_t File_Analyzer::magic_mime = 0;
 #endif
 
-#ifdef HAVE_LIBCLAMAV
-struct cl_node* File_Analyzer::clam_root = 0;
-#endif
-
 File_Analyzer::File_Analyzer(Connection* conn)
 : TCP_ApplicationAnalyzer(AnalyzerTag::File, conn)
 	{
@@ -23,11 +19,6 @@ File_Analyzer::File_Analyzer(Connection* conn)
 		InitMagic(&magic_mime, MAGIC_MIME);
 		}
 #endif
-
-#ifdef HAVE_LIBCLAMAV
-	if ( ! clam_root )
-		InitClamAV();
-#endif
 	}
 
 void File_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
@@ -74,19 +65,6 @@ void File_Analyzer::Identify()
 	vl->append(new StringVal(descr ? descr : "<unknown>"));
 	vl->append(new StringVal(mime ? mime : "<unknown>"));
 	ConnectionEvent(file_transferred, vl);
-
-#ifdef HAVE_LIBCLAMAV
-	const char* virname;
-	int ret = cl_scanbuff(buffer, buffer_len, &virname, clam_root);
-
-	if ( ret == CL_VIRUS )
-		{
-		val_list* vl = new val_list;
-		vl->append(BuildConnVal());
-		vl->append(new StringVal(virname));
-		ConnectionEvent(file_virus, vl);
-		}
-#endif
 	}
 
 #ifdef HAVE_LIBMAGIC
@@ -105,27 +83,3 @@ void File_Analyzer::InitMagic(magic_t* magic, int flags)
 		}
 	}
 #endif
-
-#ifdef HAVE_LIBCLAMAV
-void File_Analyzer::InitClamAV()
-	{
-	unsigned int sigs;
-	int ret = cl_loaddbdir(cl_retdbdir(), &clam_root, &sigs);
-
-	if ( ret )
-		{
-		error(fmt("can't load ClamAV database: %s", cl_perror(ret)));
-		clam_root = 0;
-		return;
-		}
-
-	ret = cl_build(clam_root);
-	if ( ret )
-		{
-		error(fmt("can't init ClamAV database: %s", cl_perror(ret)));
-		cl_free(clam_root);
-		clam_root = 0;
-		return;
-		}
-	}
-#endif
diff --git a/src/FileAnalyzer.h b/src/FileAnalyzer.h
index a978181d57..f343547210 100644
--- a/src/FileAnalyzer.h
+++ b/src/FileAnalyzer.h
@@ -11,10 +11,6 @@
 #include <magic.h>
 #endif
 
-#ifdef HAVE_LIBCLAMAV
-#include <clamav.h>
-#endif
-
 class File_Analyzer : public TCP_ApplicationAnalyzer {
 public:
 	File_Analyzer(Connection* conn);
@@ -43,11 +39,6 @@ protected:
 	static magic_t magic;
 	static magic_t magic_mime;
 #endif
-
-#ifdef HAVE_LIBCLAMAV
-	static void InitClamAV();
-	static struct cl_node *clam_root;
-#endif
 };
 
 #endif
diff --git a/src/Finger.cc b/src/Finger.cc
index 3f617b1c05..9a0fda8985 100644
--- a/src/Finger.cc
+++ b/src/Finger.cc
@@ -9,7 +9,6 @@
 #include "NetVar.h"
 #include "Finger.h"
 #include "Event.h"
-#include "TCP_Rewriter.h"
 #include "ContentLine.h"
 
 Finger_Analyzer::Finger_Analyzer(Connection* conn)
@@ -42,7 +41,7 @@ void Finger_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig
 
 	if ( is_orig )
 		{
-		
+
 		if ( ! finger_request )
 			return;
 
@@ -87,5 +86,3 @@ void Finger_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig
 		ConnectionEvent(finger_reply, vl);
 		}
 	}
-
-#include "finger-rw.bif.func_def"
diff --git a/src/Finger.h b/src/Finger.h
index 92fc5e6f82..98738765a3 100644
--- a/src/Finger.h
+++ b/src/Finger.h
@@ -17,8 +17,6 @@ public:
 	virtual void Done();
 	// Line-based input.
 	virtual void DeliverStream(int len, const u_char* data, bool orig);
-	virtual int RewritingTrace()
-		{ return rewriting_finger_trace || TCP_ApplicationAnalyzer::RewritingTrace(); }
 
 	static Analyzer* InstantiateAnalyzer(Connection* conn)
 		{ return new Finger_Analyzer(conn); }
diff --git a/src/FlowSrc.cc b/src/FlowSrc.cc
index e97ad8eb25..4f94d7e4a8 100644
--- a/src/FlowSrc.cc
+++ b/src/FlowSrc.cc
@@ -12,6 +12,7 @@
 #include "FlowSrc.h"
 #include "Net.h"
 #include "netflow_pac.h"
+#include <errno.h>
 
 FlowSrc::FlowSrc()
 	{ // TODO: v9.
@@ -28,10 +29,8 @@ FlowSrc::~FlowSrc()
 
 void FlowSrc::GetFds(int* read, int* write, int* except)
 	{
-#ifdef USE_SELECT_LOOP
 	if ( selectable_fd >= 0 )
 		*read = selectable_fd;
-#endif
 	}
 
 double FlowSrc::NextTimestamp(double* network_time)
diff --git a/src/Func.cc b/src/Func.cc
index 0657cfa2c4..0f34da58a5 100644
--- a/src/Func.cc
+++ b/src/Func.cc
@@ -6,11 +6,11 @@
 
 #include <sys/types.h>
 #include <sys/stat.h>
-#if TIME_WITH_SYS_TIME
+#ifdef TIME_WITH_SYS_TIME
 # include <sys/time.h>
 # include <time.h>
 #else
-# if HAVE_SYS_TIME_H
+# ifdef HAVE_SYS_TIME_H
 #  include <sys/time.h>
 # else
 #  include <time.h>
@@ -239,11 +239,15 @@ BroFunc::BroFunc(ID* arg_id, Stmt* arg_body, id_list* aggr_inits,
 : Func(BRO_FUNC)
 	{
 	id = arg_id;
-	Body b;
-	b.stmts = AddInits(arg_body, aggr_inits);
-	b.priority = 0;
-	bodies.push_back(b);
 	frame_size = arg_frame_size;
+
+	if ( arg_body )
+		{
+		Body b;
+		b.stmts = AddInits(arg_body, aggr_inits);
+		b.priority = 0;
+		bodies.push_back(b);
+		}
 	}
 
 BroFunc::~BroFunc()
@@ -267,6 +271,13 @@ Val* BroFunc::Call(val_list* args, Frame* parent) const
 #ifdef PROFILE_BRO_FUNCTIONS
 	DEBUG_MSG("Function: %s\n", id->Name());
 #endif
+	if ( ! bodies.size() ) 
+		{
+		// Can only happen for events.
+		assert(IsEvent());
+		return 0 ;
+		}
+
 	SegmentProfiler(segment_logger, location);
 	Frame* f = new Frame(frame_size, this, args);
 
@@ -496,7 +507,12 @@ void builtin_run_time(const char* msg, BroObj* arg)
 		run_time(msg, arg);
 	}
 
+#include "bro.bif.func_h"
+#include "logging.bif.func_h"
+#include "strings.bif.func_h"
+
 #include "bro.bif.func_def"
+#include "logging.bif.func_def"
 #include "strings.bif.func_def"
 
 void init_builtin_funcs()
@@ -508,22 +524,15 @@ void init_builtin_funcs()
 	gap_info = internal_type("gap_info")->AsRecordType();
 
 #include "bro.bif.func_init"
-
-#include "common-rw.bif.func_init"
-#include "finger-rw.bif.func_init"
-#include "ftp-rw.bif.func_init"
-#include "http-rw.bif.func_init"
-#include "ident-rw.bif.func_init"
-#include "smtp-rw.bif.func_init"
+#include "logging.bif.func_init"
 #include "strings.bif.func_init"
-#include "dns-rw.bif.func_init"
 
 	did_builtin_init = true;
 	}
 
 bool check_built_in_call(BuiltinFunc* f, CallExpr* call)
 	{
-	if ( f->TheFunc() != bro_fmt )
+	if ( f->TheFunc() != BifFunc::bro_fmt )
 		return true;
 
 	const expr_list& args = call->Args()->Exprs();
diff --git a/src/Func.h b/src/Func.h
index f82b9ee539..b6cfab893b 100644
--- a/src/Func.h
+++ b/src/Func.h
@@ -15,6 +15,7 @@ class FuncType;
 class Stmt;
 class Frame;
 class ID;
+class CallExpr;
 
 class Func : public BroObj {
 public:
@@ -36,7 +37,8 @@ public:
 			{ return priority > other.priority; } // reverse sort
 	};
 
-	virtual const vector<Body>& GetBodies() const	{ return bodies; }
+	const vector<Body>& GetBodies() const	{ return bodies; }
+	bool HasBodies() const	{ return bodies.size(); }
 
 	// virtual Val* Call(ListExpr* args) const = 0;
 	virtual Val* Call(val_list* args, Frame* parent = 0) const = 0;
diff --git a/src/Gnutella.cc b/src/Gnutella.cc
index 01a10f2969..5b1a2e39e8 100644
--- a/src/Gnutella.cc
+++ b/src/Gnutella.cc
@@ -238,7 +238,7 @@ void Gnutella_Analyzer::SendEvents(GnutellaMsgState* p, bool is_orig)
 		vl->append(new StringVal(p->payload));
 		vl->append(new Val(p->payload_len, TYPE_COUNT));
 		vl->append(new Val((p->payload_len <
-				    min(p->msg_len, GNUTELLA_MAX_PAYLOAD)),
+				    min(p->msg_len, (unsigned int)GNUTELLA_MAX_PAYLOAD)),
 				   TYPE_BOOL));
 		vl->append(new Val((p->payload_left == 0), TYPE_BOOL));
 
diff --git a/src/Gnutella.h b/src/Gnutella.h
index 74aed4523f..c390f418f4 100644
--- a/src/Gnutella.h
+++ b/src/Gnutella.h
@@ -29,7 +29,7 @@ public:
 	u_char msg_type;
 	u_char msg_ttl;
 	char payload[GNUTELLA_MAX_PAYLOAD];
-	int payload_len;
+	unsigned int payload_len;
 	unsigned int payload_left;
 };
 
diff --git a/src/H3.h b/src/H3.h
index aeb0c0f38d..2a5368a93d 100644
--- a/src/H3.h
+++ b/src/H3.h
@@ -52,8 +52,8 @@
 //     together to get the same result as hashing the full string.
 // Any number of hash functions can be created by creating new instances of H3,
 //     with the same or different template parameters.  The hash function is
-//     randomly generated using random(); you must call srandom() before the
-//     H3 constructor if you wish to seed it.
+//     randomly generated using bro_random(); you must call init_random_seed()
+//     before the H3 constructor if you wish to seed it.
 
 
 #ifndef H3_H
@@ -96,7 +96,7 @@ H3<T,N>::H3()
 	bit_lookup[bit] = 0;
 	for (size_t i = 0; i < sizeof(T)/2; i++) {
 	    // assume random() returns at least 16 random bits
-	    bit_lookup[bit] = (bit_lookup[bit] << 16) | (random() & 0xFFFF);
+	    bit_lookup[bit] = (bit_lookup[bit] << 16) | (bro_random() & 0xFFFF);
 	}
     }
 
diff --git a/src/HTTP.cc b/src/HTTP.cc
index 0cccf75103..0c7e8e70e6 100644
--- a/src/HTTP.cc
+++ b/src/HTTP.cc
@@ -12,20 +12,23 @@
 #include "HTTP.h"
 #include "Event.h"
 #include "MIME.h"
-#include "TCP_Rewriter.h"
 
 const bool DEBUG_http = false;
 
+// The EXPECT_*_NOTHING states are used to prevent further parsing. Used if a
+// message was interrupted. 
 enum {
 	EXPECT_REQUEST_LINE,
 	EXPECT_REQUEST_MESSAGE,
 	EXPECT_REQUEST_TRAILER,
+	EXPECT_REQUEST_NOTHING,
 };
 
 enum {
 	EXPECT_REPLY_LINE,
 	EXPECT_REPLY_MESSAGE,
 	EXPECT_REPLY_TRAILER,
+	EXPECT_REPLY_NOTHING,
 };
 
 HTTP_Entity::HTTP_Entity(HTTP_Message *arg_message, MIME_Entity* parent_entity, int arg_expect_body)
@@ -223,11 +226,11 @@ void HTTP_Entity::DeliverBodyClear(int len, const char* data, int trailing_CRLF)
 
 // Returns 1 if the undelivered bytes are completely within the body,
 // otherwise returns 0.
-int HTTP_Entity::Undelivered(int len)
+int HTTP_Entity::Undelivered(int64_t len)
 	{
 	if ( DEBUG_http )
 		{
-		DEBUG_MSG("Content gap %d, expect_data_length %d\n",
+		DEBUG_MSG("Content gap %" PRId64", expect_data_length %" PRId64 "\n",
 			  len, expect_data_length);
 		}
 
@@ -280,7 +283,7 @@ void HTTP_Entity::SubmitData(int len, const char* buf)
 		MIME_Entity::SubmitData(len, buf);
 	}
 
-void HTTP_Entity::SetPlainDelivery(int length)
+void HTTP_Entity::SetPlainDelivery(int64_t length)
 	{
 	ASSERT(length >= 0);
 	ASSERT(length == 0 || ! in_header);
@@ -299,7 +302,7 @@ void HTTP_Entity::SubmitHeader(MIME_Header* h)
 		data_chunk_t vt = h->get_value_token();
 		if ( ! is_null_data_chunk(vt) )
 			{
-			int n;
+			int64_t n;
 			if ( atoi_n(vt.length, vt.data, 0, 10, n) )
 				content_length = n;
 			else
@@ -406,7 +409,7 @@ void HTTP_Entity::SubmitAllHeaders()
 
 HTTP_Message::HTTP_Message(HTTP_Analyzer* arg_analyzer,
 				ContentLine_Analyzer* arg_cl, bool arg_is_orig,
-				int expect_body, int init_header_length)
+				int expect_body, int64_t init_header_length)
 : MIME_Message (arg_analyzer)
 	{
 	analyzer = arg_analyzer;
@@ -474,7 +477,7 @@ void HTTP_Message::Done(const int interrupted, const char* detail)
 		}
 	}
 
-int HTTP_Message::Undelivered(int len)
+int HTTP_Message::Undelivered(int64_t len)
 	{
 	if ( ! top_level )
 		return 0;
@@ -625,11 +628,11 @@ void HTTP_Message::SubmitEvent(int event_type, const char* detail)
 	MyHTTP_Analyzer()->HTTP_Event(category, detail);
 	}
 
-void HTTP_Message::SetPlainDelivery(int length)
+void HTTP_Message::SetPlainDelivery(int64_t length)
 	{
 	content_line->SetPlainDelivery(length);
 
-	if ( length > 0 && skip_http_data )
+	if ( length > 0 && BifConst::skip_http_data )
 		content_line->SkipBytesAfterThisLine(length);
 
 	if ( ! data_buffer )
@@ -698,7 +701,7 @@ void HTTP_Message::DeliverEntityData()
 	total_buffer_size = 0;
 	}
 
-int HTTP_Message::InitBuffer(int length)
+int HTTP_Message::InitBuffer(int64_t length)
 	{
 	if ( length <= 0 )
 		return 0;
@@ -851,7 +854,23 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig)
 					HTTP_Event("crud_trailing_HTTP_request",
 						   new_string_val(line, end_of_line));
 				else
-					ProtocolViolation("not a http request line");
+					{
+					// We do see HTTP requests with a
+					// trailing EOL that's not accounted
+					// for by the content-length. This
+					// will lead to a call to this method
+					// with len==0 while we are expecting
+					// a new request. Since HTTP servers
+					// handle such requests gracefully,
+					// we should do so as well. 
+					if ( len == 0 )
+					    Weird("empty_http_request");
+					else 
+						{
+						ProtocolViolation("not a http request line");
+						request_state = EXPECT_REQUEST_NOTHING;
+						}
+					}
 				}
 			break;
 
@@ -861,6 +880,9 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig)
 
 		case EXPECT_REQUEST_TRAILER:
 			break;
+
+		case EXPECT_REQUEST_NOTHING:
+			break;
 		}
 		}
 	else
@@ -873,6 +895,8 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig)
 
 				if ( unanswered_requests.empty() )
 					Weird("unmatched_HTTP_reply");
+				else
+					ProtocolConfirmation();
 
 				reply_state = EXPECT_REPLY_MESSAGE;
 				reply_ongoing = 1;
@@ -884,8 +908,11 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig)
 						ExpectReplyMessageBody(),
 						len);
 				}
-		    else
+			else
+				{
 				ProtocolViolation("not a http reply line");
+				reply_state = EXPECT_REPLY_NOTHING;
+				}
 
 			break;
 
@@ -895,6 +922,9 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig)
 
 		case EXPECT_REPLY_TRAILER:
 			break;
+
+		case EXPECT_REPLY_NOTHING:
+			break;
 		}
 		}
 	}
@@ -1042,6 +1072,7 @@ int HTTP_Analyzer::HTTP_RequestLine(const char* line, const char* end_of_line)
 		// HTTP methods for distributed authoring.
 		"PROPFIND", "PROPPATCH", "MKCOL", "DELETE", "PUT",
 		"COPY", "MOVE", "LOCK", "UNLOCK",
+		"POLL", "REPORT", "SUBSCRIBE", "BMOVE",
 
 		"SEARCH",
 
@@ -1256,7 +1287,10 @@ void HTTP_Analyzer::RequestMade(const int interrupted, const char* msg)
 
 	num_request_lines = 0;
 
-	request_state = EXPECT_REQUEST_LINE;
+	if ( interrupted )
+		request_state = EXPECT_REQUEST_NOTHING;
+	else 
+		request_state = EXPECT_REQUEST_LINE;
 	}
 
 void HTTP_Analyzer::ReplyMade(const int interrupted, const char* msg)
@@ -1285,7 +1319,10 @@ void HTTP_Analyzer::ReplyMade(const int interrupted, const char* msg)
 		reply_reason_phrase = 0;
 		}
 
-	reply_state = EXPECT_REPLY_LINE;
+	if ( interrupted )
+		reply_state = EXPECT_REPLY_NOTHING;
+	else
+		reply_state = EXPECT_REPLY_LINE;
 	}
 
 void HTTP_Analyzer::RequestClash(Val* /* clash_val */)
@@ -1596,7 +1633,7 @@ void HTTP_Analyzer::HTTP_MessageDone(int is_orig, HTTP_Message* /* message */)
 	}
 
 void HTTP_Analyzer::InitHTTPMessage(ContentLine_Analyzer* cl, HTTP_Message*& message,
-		bool is_orig, int expect_body, int init_header_length)
+		bool is_orig, int expect_body, int64_t init_header_length)
 	{
 	if ( message )
 		{
@@ -1718,5 +1755,3 @@ BroString* unescape_URI(const u_char* line, const u_char* line_end,
 
 	return new BroString(1, decoded_URI, URI_p - decoded_URI);
 	}
-
-#include "http-rw.bif.func_def"
diff --git a/src/HTTP.h b/src/HTTP.h
index 2faa1791d1..4d621fa526 100644
--- a/src/HTTP.h
+++ b/src/HTTP.h
@@ -39,9 +39,9 @@ public:
 
 	void EndOfData();
 	void Deliver(int len, const char* data, int trailing_CRLF);
-	int Undelivered(int len);
-	int BodyLength() const 		{ return body_length; }
-	int HeaderLength() const 	{ return header_length; }
+	int Undelivered(int64_t len);
+	int64_t BodyLength() const 		{ return body_length; }
+	int64_t HeaderLength() const 	{ return header_length; }
 	void SkipBody() 		{ deliver_body = 0; }
 
 protected:
@@ -50,11 +50,11 @@ protected:
 
 	HTTP_Message* http_message;
 	int chunked_transfer_state;
-	int content_length;
-	int expect_data_length;
+	int64_t content_length;
+	int64_t expect_data_length;
 	int expect_body;
-	int body_length;
-	int header_length;
+	int64_t body_length;
+	int64_t header_length;
 	int deliver_body;
 	enum { IDENTITY, GZIP, COMPRESS, DEFLATE } encoding;
 #ifdef HAVE_LIBZ
@@ -68,7 +68,7 @@ protected:
 
 	void SubmitData(int len, const char* buf);
 
-	void SetPlainDelivery(int length);
+	void SetPlainDelivery(int64_t length);
 
 	void SubmitHeader(MIME_Header* h);
 	void SubmitAllHeaders();
@@ -94,12 +94,12 @@ enum {
 class HTTP_Message : public MIME_Message {
 public:
 	HTTP_Message(HTTP_Analyzer* analyzer, ContentLine_Analyzer* cl,
-			 bool is_orig, int expect_body, int init_header_length);
+			 bool is_orig, int expect_body, int64_t init_header_length);
 	~HTTP_Message();
 	void Done(const int interrupted, const char* msg);
 	void Done() { Done(0, "message ends normally"); }
 
-	int Undelivered(int len);
+	int Undelivered(int64_t len);
 
 	void BeginEntity(MIME_Entity* /* entity */);
 	void EndEntity(MIME_Entity* entity);
@@ -111,7 +111,7 @@ public:
 	void SubmitEvent(int event_type, const char* detail);
 
 	void SubmitTrailingHeaders(MIME_HeaderList& /* hlist */);
-	void SetPlainDelivery(int length);
+	void SetPlainDelivery(int64_t length);
 	void SkipEntityData();
 
 	HTTP_Analyzer* MyHTTP_Analyzer() const
@@ -135,16 +135,16 @@ protected:
 
 	double start_time;
 
-	int body_length;	// total length of entity bodies
-	int header_length;	// total length of headers, including the request/reply line
+	int64_t body_length;	// total length of entity bodies
+	int64_t header_length;	// total length of headers, including the request/reply line
 
 	// Total length of content gaps that are "successfully" skipped.
 	// Note: this might NOT include all content gaps!
-	int content_gap_length;
+	int64_t content_gap_length;
 
 	HTTP_Entity* current_entity;
 
-	int InitBuffer(int length);
+	int InitBuffer(int64_t length);
 	void DeliverEntityData();
 
 	Val* BuildMessageStat(const int interrupted, const char* msg);
@@ -169,8 +169,6 @@ public:
 	virtual void Done();
 	virtual void DeliverStream(int len, const u_char* data, bool orig);
 	virtual void Undelivered(int seq, int len, bool orig);
-	virtual int RewritingTrace()
-		{ return rewriting_http_trace || TCP_ApplicationAnalyzer::RewritingTrace(); }
 
 	// Overriden from TCP_ApplicationAnalyzer
 	virtual void EndpointEOF(bool is_orig);
@@ -193,7 +191,7 @@ protected:
 	int HTTP_ReplyLine(const char* line, const char* end_of_line);
 
 	void InitHTTPMessage(ContentLine_Analyzer* cl, HTTP_Message*& message, bool is_orig,
-				int expect_body, int init_header_length);
+				int expect_body, int64_t init_header_length);
 
 	const char* PrefixMatch(const char* line, const char* end_of_line,
 				const char* prefix);
diff --git a/src/Hash.cc b/src/Hash.cc
index 47216a8d9d..ffabe36f83 100644
--- a/src/Hash.cc
+++ b/src/Hash.cc
@@ -21,202 +21,14 @@
 
 #include "Hash.h"
 
-// Define *one* of the following as the universal hash function family to use.
-
-// #define USE_DIETZFELBINGER	// TwoWise
-#define USE_H3
-// #define USE_UHASH_CW
-// #define USE_UMAC_NH
-
-int hash_cnt_all = 0, hash_cnt_uhash = 0;
-
-#if defined(USE_DIETZFELBINGER)
-
-#include "TwoWise.h"
-const TwoWise* two_wise = 0;
-
-#elif defined(USE_H3)
-
 #include "H3.h"
 const H3<hash_t, UHASH_KEY_SIZE>* h3;
 
-#elif defined(USE_UHASH_CW)
-
-// The Carter-Wegman family of universal hash functions.
-// f(x) = (sum(a_i * x_i) mod p) mod N
-// where p is a prime number between N and 2N.
-// Here N = 2^32.
-
-class UHashCW {
-	typedef uint32 word_t;
-public:
-	UHashCW(int arg_max_key_size)
-		{
-		max_num_words = (arg_max_key_size + sizeof(word_t) - 1) /
-				sizeof(word_t);
-
-		a = new word_t[max_num_words + 1];
-		x = new word_t[max_num_words + 1];
-
-		for ( int i = 0; i < max_num_words + 1; ++i )
-			a[i] = rand32bit();
-
-		b = rand64bit();
-		}
-
-	~UHashCW()
-		{
-		delete [] a;
-		delete [] x;
-		}
-
-	uint32 hash(int len, const u_char* data) const
-		{
-		int xlen = (len + sizeof(word_t) - 1) / sizeof(word_t);
-		ASSERT(xlen <= max_num_words);
-
-		x[xlen] = 0;
-		x[xlen-1] = 0;	// pad with 0
-
-		memcpy(static_cast<void *>(x), data, len);
-
-		uint64 h = b;
-		for ( int i = 0; i < xlen; ++i )
-			h += (static_cast<uint64>(x[i]) * a[i]);
-
-		h += static_cast<uint64>(len) * a[xlen];
-
-		// h = h % kPrime
-		//
-		// Here we use a trick given that h is a Mersenne prime:
-		//
-		// Let K = 2^61. Let h = a * K + b.
-		// Thus, h = a * (K-1) + (a + b).
-
-		h = (h & kPrime) + (h >> 61);
-		if ( h >= kPrime )
-			h -= kPrime;
-
-		// h = h % 2^32
-		return static_cast<uint32>(0xffffffffUL & h);
-		}
-
-protected:
-	static const uint64 kPrime = (static_cast<uint64>(1) << 61) - 1;
-
-	int max_num_words;
-	word_t* a;
-	uint64 b;
-	word_t* x;
-};
-
-const UHashCW* uhash_cw = 0;
-
-#elif defined(USE_UMAC_NH)
-
-// Use the NH hash function proposed in UMAC.
-// (See http://www.cs.ucdavis.edu/~rogaway/umac/)
-//
-// Essentially, it is computed as:
-//
-//	H = (x_0 +_16 k_0) * (x_1 +_16 k_1) +
-//		(x_2 +_16 k_2) * (x_3 +_16 k_3) + ...
-//
-// where {k_i} are keys for universal hashing,
-// {x_i} are data words, and +_16 means plus mod 2^16.
-//
-// This is faster than UHASH_CW because no modulo operation
-// is needed.  But note that it is 2^-16 universal, while the
-// other universal functions are (almost) 2^-32 universal.
-//
-// Note: UMAC now has a code release under a BSD-like license, and we may want
-// to consider using it instead of our home-grown code.
-
-#ifndef DEBUG
-#error "UMAC/NH is experimental code."
-#endif
-
-class UMacNH {
-	// NH uses 16-bit words
-	typedef uint16 word_t;
-public:
-	UMacNH(int arg_max_key_size)
-		{
-		max_num_words = (arg_max_key_size + sizeof(word_t) - 1) /
-				sizeof(word_t);
-
-		// Make max_num_words 2n+1
-		if ( max_num_words % 2 == 0 )
-			++max_num_words;
-
-		a = new word_t[max_num_words + 1];
-		x = new word_t[max_num_words + 1];
-
-		for ( int i = 0; i < max_num_words + 1; ++i )
-			a[i] = rand16bit();
-		}
-
-	~UMacNH()
-		{
-		delete [] a;
-		delete [] x;
-		}
-
-	uint32 hash(int len, const u_char* data) const
-		{
-		int xlen = (len + sizeof(word_t) - 1) / sizeof(word_t);
-		if ( xlen % 2 == 0 )
-			++xlen;
-
-		ASSERT(xlen <= max_num_words);
-
-		x[xlen] = len;
-		x[xlen-1] = 0;	// pad with 0
-		if ( xlen >= 2 )
-			x[xlen-2] = 0;
-
-		memcpy(static_cast<void *>(x), data, len);
-
-		uint32 h = 0;
-		for ( int i = 0; i <= xlen; i += 2 )
-			h += (static_cast<uint32>(x[i] + a[i]) *
-			      static_cast<uint32>(x[i+1] + a[i+1]));
-
-		return h;
-		}
-
-protected:
-	int max_num_words;
-	word_t* a;
-	word_t* x;
-};
-
-const UMacNH* umac_nh = 0;
-
-#else
-
-#ifdef DEBUG
-#error "No universal hash function is used."
-#endif
-
-#endif
-
 void init_hash_function()
 	{
 	// Make sure we have already called init_random_seed().
 	ASSERT(hmac_key_set);
-
-	// Both Dietzfelbinger and H3 use random() to generate keys
-	// -- is it strong enough?
-#if defined(USE_DIETZFELBINGER)
-	two_wise = new TwoWise((UHASH_KEY_SIZE + 3) >> 2);
-#elif defined(USE_H3)
 	h3 = new H3<hash_t, UHASH_KEY_SIZE>();
-#elif defined(USE_UHASH_CW)
-	uhash_cw = new UHashCW(UHASH_KEY_SIZE);
-#elif defined(USE_UMAC_NH)
-	umac_nh = new UMacNH(UHASH_KEY_SIZE);
-#endif
 	}
 
 HashKey::HashKey(bro_int_t i)
@@ -237,8 +49,6 @@ HashKey::HashKey(bro_uint_t u)
 	is_our_dynamic = 0;
 	}
 
-#ifdef USE_INT64
-
 HashKey::HashKey(uint32 u)
 	{
 	key_u.u32 = u;
@@ -248,8 +58,6 @@ HashKey::HashKey(uint32 u)
 	is_our_dynamic = 0;
 	}
 
-#endif // USE_INT64
-
 HashKey::HashKey(const uint32 u[], int n)
 	{
 	size = n * sizeof(u[0]);
@@ -358,24 +166,11 @@ void* HashKey::CopyKey(const void* k, int s) const
 
 hash_t HashKey::HashBytes(const void* bytes, int size)
 	{
-	++hash_cnt_all;
-
 	if ( size <= UHASH_KEY_SIZE )
 		{
 		const uint8* b = reinterpret_cast<const uint8*>(bytes);
-		++hash_cnt_uhash;
-#if defined(USE_DIETZFELBINGER)
-		return two_wise->Hash(size, b);
-#elif defined(USE_H3)
 		// H3 doesn't check if size is zero
 		return ( size == 0 ) ? 0 : (*h3)(bytes, size);
-#elif defined(USE_UHASH_CW)
-		return uhash_cw->hash(size, b);
-#elif defined(USE_UMAC_NH)
-		return umac_nh->hash(size, b);
-#else
-		--hash_cnt_uhash;
-#endif
 		}
 
 	// Fall back to HMAC/MD5 for longer data (which is usually rare).
diff --git a/src/Hash.h b/src/Hash.h
index 5ed41b05e9..d9659b442a 100644
--- a/src/Hash.h
+++ b/src/Hash.h
@@ -11,7 +11,7 @@
 
 #define UHASH_KEY_SIZE 32
 
-typedef unsigned int hash_t;
+typedef uint64 hash_t;
 
 typedef enum {
 	HASH_KEY_INT,
@@ -24,9 +24,7 @@ class HashKey {
 public:
 	HashKey(bro_int_t i);
 	HashKey(bro_uint_t u);
-#ifdef USE_INT64
 	HashKey(uint32 u);
-#endif
 	HashKey(const uint32 u[], int n);
 	HashKey(double d);
 	HashKey(const void* p);
@@ -78,9 +76,7 @@ protected:
 
 	union {
 		bro_int_t i;
-#ifdef USE_INT64
 		uint32 u32;
-#endif
 		double d;
 		const void* p;
 	} key_u;
@@ -90,7 +86,6 @@ protected:
 	int size, hash;
 };
 
-extern int hash_cnt_all, hash_cnt_uhash;
 extern void init_hash_function();
 
 #endif
diff --git a/src/ICMP.cc b/src/ICMP.cc
index d73a9a781e..95169cd518 100644
--- a/src/ICMP.cc
+++ b/src/ICMP.cc
@@ -79,6 +79,9 @@ void ICMP_Analyzer::DeliverPacket(int arg_len, const u_char* data,
 
 	NextICMP(current_timestamp, icmpp, len, caplen, data);
 
+	if ( caplen >= len )
+		ForwardPacket(len, data, is_orig, seq, ip, caplen);
+
 	if ( rule_matcher )
 		matcher_state.Match(Rule::PAYLOAD, data, len, is_orig,
 					false, false, true);
@@ -252,6 +255,20 @@ void ICMP_Analyzer::Describe(ODesc* d) const
 	d->Add(dotted_addr(Conn()->RespAddr()));
 	}
 
+void ICMP_Analyzer::UpdateConnVal(RecordVal *conn_val)
+	{
+	int orig_endp_idx = connection_type->FieldOffset("orig");
+	int resp_endp_idx = connection_type->FieldOffset("resp");
+	RecordVal *orig_endp = conn_val->Lookup(orig_endp_idx)->AsRecordVal();
+	RecordVal *resp_endp = conn_val->Lookup(resp_endp_idx)->AsRecordVal();
+
+	UpdateEndpointVal(orig_endp, 1);
+	UpdateEndpointVal(resp_endp, 0);
+
+	// Call children's UpdateConnVal
+	Analyzer::UpdateConnVal(conn_val);
+	}
+
 void ICMP_Analyzer::UpdateEndpointVal(RecordVal* endp, int is_orig)
 	{
 	Conn()->EnableStatusUpdateTimer();
@@ -304,6 +321,24 @@ void ICMP_Echo_Analyzer::NextICMP(double t, const struct icmp* icmpp, int len,
 	ConnectionEvent(f, vl);
 	}
 
+ICMP_Redir_Analyzer::ICMP_Redir_Analyzer(Connection* c)
+: ICMP_Analyzer(AnalyzerTag::ICMP_Redir, c)
+	{
+	}
+
+void ICMP_Redir_Analyzer::NextICMP(double t, const struct icmp* icmpp, int len,
+					 int caplen, const u_char*& data)
+	{
+	uint32 addr = ntohl(icmpp->icmp_hun.ih_void);
+
+	val_list* vl = new val_list;
+	vl->append(BuildConnVal());
+	vl->append(BuildICMPVal());
+	vl->append(new AddrVal(htonl(addr)));
+
+	ConnectionEvent(icmp_redirect, vl);
+	}
+
 
 void ICMP_Context_Analyzer::NextICMP(double t, const struct icmp* icmpp,
 				int len, int caplen, const u_char*& data)
diff --git a/src/ICMP.h b/src/ICMP.h
index 43921f1aac..62b859beba 100644
--- a/src/ICMP.h
+++ b/src/ICMP.h
@@ -18,6 +18,8 @@ class ICMP_Analyzer : public TransportLayerAnalyzer {
 public:
 	ICMP_Analyzer(Connection* conn);
 
+	virtual void UpdateConnVal(RecordVal *conn_val);
+
 	static Analyzer* InstantiateAnalyzer(Connection* conn)
 		{ return new ICMP_Analyzer(conn); }
 
@@ -30,7 +32,6 @@ protected:
 	virtual void Done();
 	virtual void DeliverPacket(int len, const u_char* data, bool orig,
 					int seq, const IP_Hdr* ip, int caplen);
-	virtual void UpdateEndpointVal(RecordVal* endp, int is_orig);
 	virtual bool IsReuse(double t, const u_char* pkt);
 	virtual unsigned int MemoryAllocation() const;
 
@@ -52,6 +53,9 @@ protected:
 	int request_len, reply_len;
 
 	RuleMatcherState matcher_state;
+
+private:
+	void UpdateEndpointVal(RecordVal* endp, int is_orig);
 };
 
 class ICMP_Echo_Analyzer : public ICMP_Analyzer {
@@ -70,6 +74,22 @@ protected:
 	                      int len, int caplen, const u_char*& data);
 };
 
+class ICMP_Redir_Analyzer : public ICMP_Analyzer {
+public:
+	ICMP_Redir_Analyzer(Connection* conn);
+
+	static Analyzer* InstantiateAnalyzer(Connection* conn)
+		{ return new ICMP_Redir_Analyzer(conn); }
+
+	static bool Available()	{ return icmp_redirect; }
+
+protected:
+	ICMP_Redir_Analyzer()	{ }
+
+	virtual void NextICMP(double t, const struct icmp* icmpp,
+	                      int len, int caplen, const u_char*& data);
+};
+
 class ICMP_Context_Analyzer : public ICMP_Analyzer {
 public:
 	ICMP_Context_Analyzer(AnalyzerTag::Tag tag, Connection* conn)
diff --git a/src/ID.cc b/src/ID.cc
index c908a8c3c4..eac4f4e916 100644
--- a/src/ID.cc
+++ b/src/ID.cc
@@ -235,6 +235,25 @@ void ID::UpdateValAttrs()
 				}
 			}
 		}
+
+	if ( Type()->Tag() == TYPE_RECORD )
+		{
+		Attr* attr = attrs->FindAttr(ATTR_LOG);
+		if ( attr )
+			{
+			// Apply &log to all record fields.
+			RecordType* rt = Type()->AsRecordType();
+			for ( int i = 0; i < rt->NumFields(); ++i )
+				{
+				TypeDecl* fd = rt->FieldDecl(i);
+
+				if ( ! fd->attrs )
+					fd->attrs = new Attributes(new attr_list, rt->FieldType(i), true);
+
+				fd->attrs->AddAttr(new Attr(ATTR_LOG));
+				}
+			}
+		}
 	}
 
 void ID::AddAttrs(Attributes* a)
@@ -607,6 +626,135 @@ void ID::DescribeExtended(ODesc* d) const
 		}
 	}
 
+void ID::DescribeReSTShort(ODesc* d) const
+	{
+	if ( is_type )
+		d->Add(":bro:type:`");
+	else
+		d->Add(":bro:id:`");
+
+	d->Add(name);
+	d->Add("`");
+
+	if ( type )
+		{
+		d->Add(": ");
+		d->Add(":bro:type:`");
+
+		if ( ! is_type && type->GetTypeID() )
+			d->Add(type->GetTypeID());
+		else
+			{
+			TypeTag t = type->Tag();
+
+			switch ( t ) {
+			case TYPE_TABLE:
+				d->Add(type->IsSet() ? "set" : type_name(t));
+				break;
+
+			case TYPE_FUNC:
+				d->Add(type->AsFuncType()->IsEvent() ? "event" : type_name(t));
+				break;
+
+			default:
+				d->Add(type_name(t));
+			}
+			}
+
+		d->Add("`");
+		}
+
+	if ( attrs )
+		{
+		d->SP();
+		attrs->DescribeReST(d);
+		}
+	}
+
+void ID::DescribeReST(ODesc* d, bool is_role) const
+	{
+	if ( is_role )
+		{
+		if ( is_type )
+			d->Add(":bro:type:`");
+		else
+			d->Add(":bro:id:`");
+		d->Add(name);
+		d->Add("`");
+		}
+	else
+		{
+		if ( is_type )
+			d->Add(".. bro:type:: ");
+		else
+			d->Add(".. bro:id:: ");
+		d->Add(name);
+		}
+
+	d->PushIndent();
+	d->NL();
+
+	if ( type )
+		{
+		d->Add(":Type: ");
+
+		if ( ! is_type && type->GetTypeID() )
+			{
+			d->Add(":bro:type:`");
+			d->Add(type->GetTypeID());
+			d->Add("`");
+			}
+		else
+			type->DescribeReST(d);
+
+		d->NL();
+		}
+
+	if ( attrs )
+		{
+		d->Add(":Attributes: ");
+		attrs->DescribeReST(d);
+		d->NL();
+		}
+
+	if ( val && type &&
+		type->Tag() != TYPE_FUNC &&
+		type->InternalType() != TYPE_INTERNAL_VOID )
+		{
+		d->Add(":Default:");
+
+		if ( type->InternalType() == TYPE_INTERNAL_OTHER )
+			{
+			switch ( type->Tag() ) {
+			case TYPE_TABLE:
+				if ( val->AsTable()->Length() == 0 )
+					{
+					d->Add(" ``{}``");
+					d->NL();
+					break;
+					}
+				// Fall-through.
+
+			default:
+				d->NL();
+				d->NL();
+				d->Add("::");
+				d->NL();
+				d->PushIndent();
+				val->DescribeReST(d);
+				d->PopIndent();
+			}
+			}
+
+		else
+			{
+			d->SP();
+			val->DescribeReST(d);
+			d->NL();
+			}
+		}
+	}
+
 #ifdef DEBUG
 void ID::UpdateValID()
 	{
diff --git a/src/ID.h b/src/ID.h
index f576232b0e..49d844ebc3 100644
--- a/src/ID.h
+++ b/src/ID.h
@@ -84,6 +84,9 @@ public:
 	void Describe(ODesc* d) const;
 	// Adds type and value to description.
 	void DescribeExtended(ODesc* d) const;
+	// Produces a description that's reST-ready.
+	void DescribeReST(ODesc* d, bool is_role=false) const;
+	void DescribeReSTShort(ODesc* d) const;
 
 	bool Serialize(SerialInfo* info) const;
 	static ID* Unserialize(UnserialInfo* info);
diff --git a/src/Ident.cc b/src/Ident.cc
index d98c8891df..dba42f9ed4 100644
--- a/src/Ident.cc
+++ b/src/Ident.cc
@@ -9,7 +9,6 @@
 #include "NetVar.h"
 #include "Ident.h"
 #include "Event.h"
-#include "TCP_Rewriter.h"
 
 Ident_Analyzer::Ident_Analyzer(Connection* conn)
 : TCP_ApplicationAnalyzer(AnalyzerTag::Ident, conn)
@@ -245,6 +244,3 @@ void Ident_Analyzer::BadReply(int length, const char* line)
 		did_bad_reply = 1;
 		}
 	}
-
-#include "ident-rw.bif.func_def"
-
diff --git a/src/Ident.h b/src/Ident.h
index 63bc64f560..c87e98c6d4 100644
--- a/src/Ident.h
+++ b/src/Ident.h
@@ -14,11 +14,6 @@ public:
 	virtual void Done();
 
 	virtual void DeliverStream(int length, const u_char* data, bool is_orig);
-	virtual int RewritingTrace()
-		{
-		return rewriting_ident_trace ||
-			TCP_ApplicationAnalyzer::RewritingTrace();
-		}
 
 	static Analyzer* InstantiateAnalyzer(Connection* conn)
 		{ return new Ident_Analyzer(conn); }
diff --git a/src/LogMgr.cc b/src/LogMgr.cc
new file mode 100644
index 0000000000..834829591a
--- /dev/null
+++ b/src/LogMgr.cc
@@ -0,0 +1,1428 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include <algorithm>
+
+#include "LogMgr.h"
+#include "Event.h"
+#include "EventHandler.h"
+#include "NetVar.h"
+#include "Net.h"
+
+#include "LogWriterAscii.h"
+
+// Structure describing a log writer type.
+struct LogWriterDefinition {
+	bro_int_t type;			// The type.
+	const char *name;		// Descriptive name for error messages.
+	bool (*init)();			// An optional one-time initialization function.
+	LogWriter* (*factory)();	// A factory function creating instances.
+};
+
+// Static table defining all availabel log writers.
+LogWriterDefinition log_writers[] = {
+	{ BifEnum::Log::WRITER_ASCII, "Ascii", 0, LogWriterAscii::Instantiate },
+
+	// End marker, don't touch.
+	{ BifEnum::Log::WRITER_DEFAULT, "None", 0, (LogWriter* (*)())0 }
+};
+
+struct LogMgr::Filter {
+	string name;
+	EnumVal* id;
+	Func* pred;
+	Func* path_func;
+	string path;
+	Val* path_val;
+	EnumVal* writer;
+	bool local;
+	bool remote;
+
+	int num_fields;
+	LogField** fields;
+
+	// Vector indexed by field number. Each element is a list of record
+	// indices defining a path leading to the value across potential
+	// sub-records.
+	vector<list<int> > indices;
+
+	~Filter();
+};
+
+struct LogMgr::WriterInfo {
+	EnumVal* type;
+	double open_time;
+	Timer* rotation_timer;
+	LogWriter *writer;
+	};
+
+struct LogMgr::Stream {
+ 	EnumVal* id;
+	bool enabled;
+	string name;
+	RecordType* columns;
+	EventHandlerPtr event;
+	list<Filter*> filters;
+
+	typedef pair<int, string> WriterPathPair;
+
+	typedef map<WriterPathPair, WriterInfo*> WriterMap;
+
+	WriterMap writers;	// Writers indexed by id/path pair.
+
+	~Stream();
+	};
+
+bool LogField::Read(SerializationFormat* fmt)
+	{
+	int t;
+
+	bool success = (fmt->Read(&name, "name") && fmt->Read(&t, "type"));
+	type = (TypeTag) t;
+
+	return success;
+	}
+
+bool LogField::Write(SerializationFormat* fmt) const
+	{
+	return (fmt->Write(name, "name") && fmt->Write((int)type, "type"));
+	}
+
+LogVal::~LogVal()
+	{
+	if ( (type == TYPE_ENUM || type == TYPE_STRING || type == TYPE_FILE)
+	     && present )
+		delete val.string_val;
+
+	if ( type == TYPE_TABLE && present )
+		{
+		for ( int i = 0; i < val.set_val.size; i++ )
+			delete val.set_val.vals[i];
+
+		delete [] val.set_val.vals;
+		}
+
+	if ( type == TYPE_VECTOR && present )
+		{
+		for ( int i = 0; i < val.vector_val.size; i++ )
+			delete val.vector_val.vals[i];
+
+		delete [] val.vector_val.vals;
+		}
+	}
+
+bool LogVal::IsCompatibleType(BroType* t, bool atomic_only)
+	{
+	if ( ! t )
+		return false;
+
+	switch ( t->Tag() )	{
+	case TYPE_BOOL:
+	case TYPE_INT:
+	case TYPE_COUNT:
+	case TYPE_COUNTER:
+	case TYPE_PORT:
+	case TYPE_SUBNET:
+	case TYPE_NET:
+	case TYPE_ADDR:
+	case TYPE_DOUBLE:
+	case TYPE_TIME:
+	case TYPE_INTERVAL:
+	case TYPE_ENUM:
+	case TYPE_STRING:
+	case TYPE_FILE:
+		return true;
+
+	case TYPE_RECORD:
+		return ! atomic_only;
+
+	case TYPE_TABLE:
+		{
+		if ( atomic_only )
+			return false;
+
+		if ( ! t->IsSet() )
+			return false;
+
+		return IsCompatibleType(t->AsSetType()->Indices()->PureType());
+		}
+
+	case TYPE_VECTOR:
+		{
+		if ( atomic_only )
+			return false;
+
+		return IsCompatibleType(t->AsVectorType()->YieldType());
+		}
+
+	default:
+		return false;
+	}
+
+	return false;
+	}
+
+bool LogVal::Read(SerializationFormat* fmt)
+	{
+	int ty;
+
+	if ( ! (fmt->Read(&ty, "type") && fmt->Read(&present, "present")) )
+		return false;
+
+	type = (TypeTag)(ty);
+
+	if ( ! present )
+		return true;
+
+	switch ( type ) {
+	case TYPE_BOOL:
+	case TYPE_INT:
+		return fmt->Read(&val.int_val, "int");
+
+	case TYPE_COUNT:
+	case TYPE_COUNTER:
+	case TYPE_PORT:
+		return fmt->Read(&val.uint_val, "uint");
+
+	case TYPE_SUBNET:
+		{
+		uint32 net[4];
+		if ( ! (fmt->Read(&net[0], "net0") &&
+			fmt->Read(&net[1], "net1") &&
+			fmt->Read(&net[2], "net2") &&
+			fmt->Read(&net[3], "net3") &&
+			fmt->Read(&val.subnet_val.width, "width")) )
+			return false;
+
+#ifdef BROv6
+		val.subnet_val.net[0] = net[0];
+		val.subnet_val.net[1] = net[1];
+		val.subnet_val.net[2] = net[2];
+		val.subnet_val.net[3] = net[3];
+#else
+		val.subnet_val.net = net[0];
+#endif
+		return true;
+		}
+
+	case TYPE_NET:
+	case TYPE_ADDR:
+		{
+		uint32 addr[4];
+		if ( ! (fmt->Read(&addr[0], "addr0") &&
+			fmt->Read(&addr[1], "addr1") &&
+			fmt->Read(&addr[2], "addr2") &&
+			fmt->Read(&addr[3], "addr3")) )
+			return false;
+
+		val.addr_val[0] = addr[0];
+#ifdef BROv6
+		val.addr_val[1] = addr[1];
+		val.addr_val[2] = addr[2];
+		val.addr_val[3] = addr[3];
+#endif
+		return true;
+		}
+
+	case TYPE_DOUBLE:
+	case TYPE_TIME:
+	case TYPE_INTERVAL:
+		return fmt->Read(&val.double_val, "double");
+
+	case TYPE_ENUM:
+	case TYPE_STRING:
+	case TYPE_FILE:
+		{
+		val.string_val = new string;
+		return fmt->Read(val.string_val, "string");
+		}
+
+	case TYPE_TABLE:
+		{
+		if ( ! fmt->Read(&val.set_val.size, "set_size") )
+			return false;
+
+		val.set_val.vals = new LogVal* [val.set_val.size];
+
+		for ( int i = 0; i < val.set_val.size; ++i )
+			{
+			val.set_val.vals[i] = new LogVal;
+
+			if ( ! val.set_val.vals[i]->Read(fmt) )
+				return false;
+			}
+
+		return true;
+		}
+
+	case TYPE_VECTOR:
+		{
+		if ( ! fmt->Read(&val.vector_val.size, "vector_size") )
+			return false;
+
+		val.vector_val.vals = new LogVal* [val.vector_val.size];
+
+		for ( int i = 0; i < val.vector_val.size; ++i )
+			{
+			val.vector_val.vals[i] = new LogVal;
+
+			if ( ! val.vector_val.vals[i]->Read(fmt) )
+				return false;
+			}
+
+		return true;
+		}
+
+	default:
+		internal_error("unsupported type %s in LogVal::Write", type_name(type));
+	}
+
+	return false;
+	}
+
+bool LogVal::Write(SerializationFormat* fmt) const
+	{
+	if ( ! (fmt->Write((int)type, "type") &&
+		fmt->Write(present, "present")) )
+		return false;
+
+	if ( ! present )
+		return true;
+
+	switch ( type ) {
+	case TYPE_BOOL:
+	case TYPE_INT:
+		return fmt->Write(val.int_val, "int");
+
+	case TYPE_COUNT:
+	case TYPE_COUNTER:
+	case TYPE_PORT:
+		return fmt->Write(val.uint_val, "uint");
+
+	case TYPE_SUBNET:
+		{
+		uint32 net[4];
+#ifdef BROv6
+		net[0] = val.subnet_val.net[0];
+		net[1] = val.subnet_val.net[1];
+		net[2] = val.subnet_val.net[2];
+		net[3] = val.subnet_val.net[3];
+#else
+		net[0] = val.subnet_val.net;
+		net[1] = net[2] = net[3] = 0;
+#endif
+		return fmt->Write(net[0], "net0") &&
+			fmt->Write(net[1], "net1") &&
+			fmt->Write(net[2], "net2") &&
+			fmt->Write(net[3], "net3") &&
+			fmt->Write(val.subnet_val.width, "width");
+		}
+
+	case TYPE_NET:
+	case TYPE_ADDR:
+		{
+		uint32 addr[4];
+		addr[0] = val.addr_val[0];
+#ifdef BROv6
+		addr[1] = val.addr_val[1];
+		addr[2] = val.addr_val[2];
+		addr[3] = val.addr_val[3];
+#else
+		addr[1] = addr[2] = addr[3] = 0;
+#endif
+		return fmt->Write(addr[0], "addr0") &&
+			fmt->Write(addr[1], "addr1") &&
+			fmt->Write(addr[2], "addr2") &&
+			fmt->Write(addr[3], "addr3");
+		}
+
+	case TYPE_DOUBLE:
+	case TYPE_TIME:
+	case TYPE_INTERVAL:
+		return fmt->Write(val.double_val, "double");
+
+	case TYPE_ENUM:
+	case TYPE_STRING:
+	case TYPE_FILE:
+		return fmt->Write(*val.string_val, "string");
+
+	case TYPE_TABLE:
+		{
+		if ( ! fmt->Write(val.set_val.size, "set_size") )
+			return false;
+
+		for ( int i = 0; i < val.set_val.size; ++i )
+			{
+			if ( ! val.set_val.vals[i]->Write(fmt) )
+				return false;
+			}
+
+		return true;
+		}
+
+	case TYPE_VECTOR:
+		{
+		if ( ! fmt->Write(val.vector_val.size, "vector_size") )
+			return false;
+
+		for ( int i = 0; i < val.vector_val.size; ++i )
+			{
+			if ( ! val.vector_val.vals[i]->Write(fmt) )
+				return false;
+			}
+
+		return true;
+		}
+
+	default:
+		internal_error("unsupported type %s in LogVal::REad", type_name(type));
+	}
+
+	return false;
+	}
+
+LogMgr::Filter::~Filter()
+	{
+	for ( int i = 0; i < num_fields; ++i )
+		delete fields[i];
+
+	Unref(path_val);
+	}
+
+LogMgr::Stream::~Stream()
+	{
+	Unref(columns);
+
+	for ( WriterMap::iterator i = writers.begin(); i != writers.end(); i++ )
+		{
+		WriterInfo* winfo = i->second;
+
+		if ( winfo->rotation_timer )
+			timer_mgr->Cancel(winfo->rotation_timer);
+
+		Unref(winfo->type);
+
+		delete winfo->writer;
+		delete i->second;
+		}
+
+	for ( list<Filter*>::iterator f = filters.begin(); f != filters.end(); ++f )
+		delete *f;
+	}
+
+LogMgr::LogMgr()
+	{
+	}
+
+LogMgr::~LogMgr()
+	{
+	for ( vector<Stream *>::iterator s = streams.begin(); s != streams.end(); ++s )
+		delete *s;
+	}
+
+LogMgr::Stream* LogMgr::FindStream(EnumVal* id)
+	{
+	unsigned int idx = id->AsEnum();
+
+	if ( idx >= streams.size() || ! streams[idx] )
+		return 0;
+
+	return streams[idx];
+	}
+
+void LogMgr::RemoveDisabledWriters(Stream* stream)
+	{
+	list<Stream::WriterPathPair> disabled;
+
+	for ( Stream::WriterMap::iterator j = stream->writers.begin(); j != stream->writers.end(); j++ )
+		{
+		if ( j->second->writer->Disabled() )
+			{
+			delete j->second;
+			disabled.push_back(j->first);
+			}
+		}
+
+	for ( list<Stream::WriterPathPair>::iterator j = disabled.begin(); j != disabled.end(); j++ )
+		stream->writers.erase(*j);
+	}
+
+bool LogMgr::CreateStream(EnumVal* id, RecordVal* sval)
+	{
+	RecordType* rtype = sval->Type()->AsRecordType();
+
+	if ( ! same_type(rtype, BifType::Record::Log::Stream, 0) )
+		{
+		run_time("sval argument not of right type");
+		return false;
+		}
+
+	RecordType* columns = sval->Lookup(rtype->FieldOffset("columns"))
+		->AsType()->AsTypeType()->Type()->AsRecordType();
+
+	bool log_attr_present = false;
+
+	for ( int i = 0; i < columns->NumFields(); i++ )
+		{
+		if ( ! (columns->FieldDecl(i)->FindAttr(ATTR_LOG)) )
+		    continue;
+
+		if ( ! LogVal::IsCompatibleType(columns->FieldType(i)) )
+			{
+			run_time("type of field '%s' is not support for logging output",
+				 columns->FieldName(i));
+
+			return false;
+			}
+
+		log_attr_present = true;
+		}
+
+	if ( ! log_attr_present )
+		{
+		run_time("logged record type does not have any &log attributes");
+		return false;
+		}
+
+	Val* event_val = sval->Lookup(rtype->FieldOffset("ev"));
+	Func* event = event_val ? event_val->AsFunc() : 0;
+
+	if ( event )
+		{
+		// Make sure the event is prototyped as expected.
+		FuncType* etype = event->FType()->AsFuncType();
+
+		if ( ! etype->IsEvent() )
+			{
+			run_time("stream event is a function, not an event");
+			return false;
+			}
+
+		const type_list* args = etype->ArgTypes()->Types();
+
+		if ( args->length() != 1 )
+			{
+			run_time("stream event must take a single argument");
+			return false;
+			}
+
+		if ( ! same_type((*args)[0], columns) )
+			{
+			run_time("stream event's argument type does not match column record type");
+			return new Val(0, TYPE_BOOL);
+			}
+		}
+
+	// Make sure the vector has an entries for all streams up to the one
+	// given.
+
+	unsigned int idx = id->AsEnum();
+
+	while ( idx >= streams.size() )
+		streams.push_back(0);
+
+	if ( streams[idx] )
+		// We already know this one, delete the previous definition.
+		delete streams[idx];
+
+	// Create new stream.
+	streams[idx] = new Stream;
+	streams[idx]->id = id->Ref()->AsEnumVal();
+	streams[idx]->enabled = true;
+	streams[idx]->name = id->Type()->AsEnumType()->Lookup(idx);
+	streams[idx]->event = event ? event_registry->Lookup(event->GetID()->Name()) : 0;
+	streams[idx]->columns = columns->Ref()->AsRecordType();
+
+	DBG_LOG(DBG_LOGGING, "Created new logging stream '%s', raising event %s",
+		streams[idx]->name.c_str(), event ? streams[idx]->event->Name() : "<none>");
+
+	return true;
+	}
+
+bool LogMgr::EnableStream(EnumVal* id)
+	{
+	Stream* stream = FindStream(id);
+
+	if ( ! stream )
+		return false;
+
+	if ( stream->enabled )
+		return true;
+
+	stream->enabled = true;
+
+	DBG_LOG(DBG_LOGGING, "Reenabled logging stream '%s'", stream->name.c_str());
+	return true;
+	}
+
+bool LogMgr::DisableStream(EnumVal* id)
+	{
+	Stream* stream = FindStream(id);
+
+	if ( ! stream )
+		return false;
+
+	if ( ! stream->enabled )
+		return true;
+
+	stream->enabled = false;
+
+	DBG_LOG(DBG_LOGGING, "Disabled logging stream '%s'", stream->name.c_str());
+	return true;
+	}
+
+// Helper for recursive record field unrolling.
+bool LogMgr::TraverseRecord(Stream* stream, Filter* filter, RecordType* rt,
+			    TableVal* include, TableVal* exclude, string path, list<int> indices)
+	{
+	for ( int i = 0; i < rt->NumFields(); ++i )
+		{
+		BroType* t = rt->FieldType(i);
+
+		// Ignore if &log not specified.
+		if ( ! rt->FieldDecl(i)->FindAttr(ATTR_LOG) )
+			continue;
+
+		list<int> new_indices = indices;
+		new_indices.push_back(i);
+
+		// Build path name.
+		string new_path;
+
+		if ( ! path.size() )
+			new_path = rt->FieldName(i);
+		else
+			new_path = path + "." + rt->FieldName(i);
+
+		if ( t->InternalType() == TYPE_INTERNAL_OTHER )
+			{
+			if ( t->Tag() == TYPE_RECORD )
+				{
+				// Recurse.
+				if ( ! TraverseRecord(stream, filter,
+						      t->AsRecordType(),
+						      include,
+						      exclude,
+						      new_path,
+						      new_indices) )
+					return false;
+
+				continue;
+				}
+
+			else if ( t->Tag() == TYPE_TABLE &&
+				  t->AsTableType()->IsSet() )
+				{
+				// That's ok, we handle it below.
+				}
+
+			else if ( t->Tag() == TYPE_VECTOR )
+				{
+				// That's ok, we handle it below.
+				}
+
+			else if ( t->Tag() == TYPE_FILE )
+				{
+				// That's ok, we handle it below.
+				}
+
+			else
+				{
+				run_time("unsupported field type for log column");
+				return false;
+				}
+			}
+
+		// If include fields are specified, only include if explicitly listed.
+		if ( include )
+			{
+			StringVal* new_path_val = new StringVal(new_path.c_str());
+			bool result = include->Lookup(new_path_val);
+
+			Unref(new_path_val);
+
+			if ( ! result )
+				continue;
+			}
+
+		// If exclude fields are specified, do not only include if listed.
+		if ( exclude )
+			{
+			StringVal* new_path_val = new StringVal(new_path.c_str());
+			bool result = exclude->Lookup(new_path_val);
+
+			Unref(new_path_val);
+
+			if ( result )
+				continue;
+			}
+
+		// Alright, we want this field.
+
+		filter->indices.push_back(new_indices);
+
+		filter->fields = (LogField**)
+			realloc(filter->fields,
+				sizeof(LogField) * ++filter->num_fields);
+
+		if ( ! filter->fields )
+			{
+			run_time("out of memory in add_filter");
+			return false;
+			}
+
+		LogField* field = new LogField();
+		field->name = new_path;
+		field->type = t->Tag();
+		filter->fields[filter->num_fields - 1] = field;
+		}
+
+	return true;
+	}
+
+bool LogMgr::AddFilter(EnumVal* id, RecordVal* fval)
+	{
+	RecordType* rtype = fval->Type()->AsRecordType();
+
+	if ( ! same_type(rtype, BifType::Record::Log::Filter, 0) )
+		{
+		run_time("filter argument not of right type");
+		return false;
+		}
+
+	Stream* stream = FindStream(id);
+	if ( ! stream )
+		return false;
+
+	// Find the right writer type.
+	int idx = rtype->FieldOffset("writer");
+	EnumVal* writer = fval->LookupWithDefault(idx)->AsEnumVal();
+
+	// Create a new Filter instance.
+
+	Val* name = fval->LookupWithDefault(rtype->FieldOffset("name"));
+	Val* pred = fval->LookupWithDefault(rtype->FieldOffset("pred"));
+	Val* path_func = fval->LookupWithDefault(rtype->FieldOffset("path_func"));
+	Val* log_local = fval->LookupWithDefault(rtype->FieldOffset("log_local"));
+	Val* log_remote = fval->LookupWithDefault(rtype->FieldOffset("log_remote"));
+
+	Filter* filter = new Filter;
+	filter->name = name->AsString()->CheckString();
+	filter->id = id->Ref()->AsEnumVal();
+	filter->pred = pred ? pred->AsFunc() : 0;
+	filter->path_func = path_func ? path_func->AsFunc() : 0;
+	filter->writer = writer->Ref()->AsEnumVal();
+	filter->local = log_local->AsBool();
+	filter->remote = log_remote->AsBool();
+
+	Unref(name);
+	Unref(pred);
+	Unref(path_func);
+	Unref(log_local);
+	Unref(log_remote);
+
+	// Build the list of fields that the filter wants included, including
+	// potentially rolling out fields.
+	Val* include = fval->Lookup(rtype->FieldOffset("include"));
+	Val* exclude = fval->Lookup(rtype->FieldOffset("exclude"));
+
+	filter->num_fields = 0;
+	filter->fields = 0;
+	if ( ! TraverseRecord(stream, filter, stream->columns,
+			      include ? include->AsTableVal() : 0,
+			      exclude ? exclude->AsTableVal() : 0,
+			      "", list<int>()) )
+		return false;
+
+	// Get the path for the filter.
+	Val* path_val = fval->Lookup(rtype->FieldOffset("path"));
+
+	if ( path_val )
+		{
+		filter->path = path_val->AsString()->CheckString();
+		filter->path_val = path_val->Ref();
+		}
+
+	else
+		{
+		// If no path is given, use the Stream ID's namespace as the default
+		// if it has one, and it ID itself otherwise.
+		const char* s = stream->name.c_str();
+		const char* e = strstr(s, "::");
+
+		if ( ! e )
+			e = s + strlen(s);
+
+		string path(s, e);
+		std::transform(path.begin(), path.end(), path.begin(), ::tolower);
+
+		filter->path = path;
+		filter->path_val = new StringVal(path.c_str());
+		}
+
+	// Remove any filter with the same name we might already have.
+	RemoveFilter(id, filter->name);
+
+	// Add the new one.
+	stream->filters.push_back(filter);
+
+#ifdef DEBUG
+	ODesc desc;
+	writer->Describe(&desc);
+
+	DBG_LOG(DBG_LOGGING, "Created new filter '%s' for stream '%s'",
+		filter->name.c_str(), stream->name.c_str());
+
+	DBG_LOG(DBG_LOGGING, "   writer    : %s", desc.Description());
+	DBG_LOG(DBG_LOGGING, "   path      : %s", filter->path.c_str());
+	DBG_LOG(DBG_LOGGING, "   path_func : %s", (filter->path_func ? "set" : "not set"));
+	DBG_LOG(DBG_LOGGING, "   pred      : %s", (filter->pred ? "set" : "not set"));
+
+	for ( int i = 0; i < filter->num_fields; i++ )
+		{
+		LogField* field = filter->fields[i];
+		DBG_LOG(DBG_LOGGING, "   field %10s: %s",
+			field->name.c_str(), type_name(field->type));
+		}
+#endif
+
+	return true;
+	}
+
+bool LogMgr::RemoveFilter(EnumVal* id, StringVal* name)
+	{
+	return RemoveFilter(id, name->AsString()->CheckString());
+	}
+
+bool LogMgr::RemoveFilter(EnumVal* id, string name)
+	{
+	Stream* stream = FindStream(id);
+	if ( ! stream )
+		return false;
+
+	for ( list<Filter*>::iterator i = stream->filters.begin();
+	      i != stream->filters.end(); ++i )
+		{
+		if ( (*i)->name == name )
+			{
+			Filter* filter = *i;
+			stream->filters.erase(i);
+			DBG_LOG(DBG_LOGGING, "Removed filter '%s' from stream '%s'",
+				filter->name.c_str(), stream->name.c_str());
+			delete filter;
+			return true;
+			}
+		}
+
+	// If we don't find the filter, we don't treat that as an error.
+	DBG_LOG(DBG_LOGGING, "No filter '%s' for removing from stream '%s'",
+		name.c_str(), stream->name.c_str());
+
+	return true;
+	}
+
+bool LogMgr::Write(EnumVal* id, RecordVal* columns)
+	{
+	bool error = false;
+
+	Stream* stream = FindStream(id);
+	if ( ! stream )
+		return false;
+
+	if ( ! stream->enabled )
+		return true;
+
+	columns = columns->CoerceTo(stream->columns);
+
+	if ( ! columns )
+		{
+		run_time("incompatible log record type");
+		return false;
+		}
+
+	// Raise the log event.
+	if ( stream->event )
+		{
+		val_list* vl = new val_list(1);
+		vl->append(columns->Ref());
+		mgr.QueueEvent(stream->event, vl, SOURCE_LOCAL);
+		}
+
+	// Send to each of our filters.
+	for ( list<Filter*>::iterator i = stream->filters.begin();
+	      i != stream->filters.end(); ++i )
+		{
+		Filter* filter = *i;
+		string path = filter->path;
+
+		if ( filter->pred )
+			{
+			// See whether the predicates indicates that we want
+			// to log this record.
+			val_list vl(1);
+			vl.append(columns->Ref());
+			Val* v = filter->pred->Call(&vl);
+			int result = v->AsBool();
+			Unref(v);
+
+			if ( ! result )
+				continue;
+			}
+
+		if ( filter->path_func )
+			{
+			val_list vl(2);
+			vl.append(id->Ref());
+			vl.append(filter->path_val->Ref());
+			Val* v = filter->path_func->Call(&vl);
+
+			if ( ! v->Type()->Tag() == TYPE_STRING )
+				{
+				run_time("path_func did not return string");
+				Unref(v);
+				return false;
+				}
+
+			path = v->AsString()->CheckString();
+
+#ifdef DEBUG
+			DBG_LOG(DBG_LOGGING, "Path function for filter '%s' on stream '%s' return '%s'",
+				filter->name.c_str(), stream->name.c_str(), path.c_str());
+#endif
+			}
+
+		// See if we already have a writer for this path.
+		Stream::WriterMap::iterator w =
+			stream->writers.find(Stream::WriterPathPair(filter->writer->AsEnum(), path));
+
+		LogWriter* writer = 0;
+
+		if ( w != stream->writers.end() )
+			// We have a writer already.
+			writer = w->second->writer;
+
+		else
+			{
+			// No, need to create one.
+
+			// Copy the fields for LogWriter::Init() as it will take
+			// ownership.
+			LogField** arg_fields = new LogField*[filter->num_fields];
+
+			for ( int j = 0; j < filter->num_fields; ++j )
+				arg_fields[j] = new LogField(*filter->fields[j]);
+
+			if ( filter->local )
+				{
+				writer = CreateWriter(stream->id, filter->writer,
+						      path, filter->num_fields,
+						      arg_fields);
+
+				if ( ! writer )
+					{
+					Unref(columns);
+					return false;
+					}
+				}
+
+			if ( filter->remote )
+				remote_serializer->SendLogCreateWriter(stream->id,
+								       filter->writer,
+								       path,
+								       filter->num_fields,
+								       arg_fields);
+			}
+
+		// Alright, can do the write now.
+
+		LogVal** vals = RecordToFilterVals(stream, filter, columns);
+
+		if ( filter->remote )
+			remote_serializer->SendLogWrite(stream->id,
+							filter->writer,
+							path,
+							filter->num_fields,
+							vals);
+
+		if ( filter->local && ! writer->Write(filter->num_fields, vals) )
+			error = true;
+
+#ifdef DEBUG
+		DBG_LOG(DBG_LOGGING, "Wrote record to filter '%s' on stream '%s'",
+			filter->name.c_str(), stream->name.c_str());
+#endif
+		}
+
+	Unref(columns);
+
+	if ( error )
+		RemoveDisabledWriters(stream);
+
+	return true;
+	}
+
+LogVal* LogMgr::ValToLogVal(Val* val, BroType* ty)
+	{
+	if ( ! ty )
+		ty = val->Type();
+
+	if ( ! val )
+		return new LogVal(ty->Tag(), false);
+
+	LogVal* lval = new LogVal(ty->Tag());
+
+	switch ( lval->type ) {
+	case TYPE_BOOL:
+	case TYPE_INT:
+		lval->val.int_val = val->InternalInt();
+		break;
+
+	case TYPE_ENUM:
+		{
+		const char* s =
+			val->Type()->AsEnumType()->Lookup(val->InternalInt());
+
+		lval->val.string_val = new string(s);
+		break;
+		}
+
+	case TYPE_COUNT:
+	case TYPE_COUNTER:
+		lval->val.uint_val = val->InternalUnsigned();
+		break;
+
+	case TYPE_PORT:
+		lval->val.uint_val = val->AsPortVal()->Port();
+		break;
+
+	case TYPE_SUBNET:
+		lval->val.subnet_val = *val->AsSubNet();
+		break;
+
+	case TYPE_NET:
+	case TYPE_ADDR:
+		{
+		addr_type t = val->AsAddr();
+#ifdef BROv6
+		copy_addr(t, lval->val.addr_val);
+#else
+		copy_addr(&t, lval->val.addr_val);
+#endif
+		break;
+		}
+
+	case TYPE_DOUBLE:
+	case TYPE_TIME:
+	case TYPE_INTERVAL:
+		lval->val.double_val = val->InternalDouble();
+		break;
+
+	case TYPE_STRING:
+		{
+		const BroString* s = val->AsString();
+		lval->val.string_val =
+			new string((const char*) s->Bytes(), s->Len());
+		break;
+		}
+
+	case TYPE_FILE:
+		{
+		const BroFile* f = val->AsFile();
+		lval->val.string_val = new string(f->Name());
+		break;
+		}
+
+	case TYPE_TABLE:
+		{
+		ListVal* set = val->AsTableVal()->ConvertToPureList();
+		lval->val.set_val.size = set->Length();
+		lval->val.set_val.vals = new LogVal* [lval->val.set_val.size];
+
+		for ( int i = 0; i < lval->val.set_val.size; i++ )
+			lval->val.set_val.vals[i] = ValToLogVal(set->Index(i));
+
+		break;
+		}
+
+	case TYPE_VECTOR:
+		{
+		VectorVal* vec = val->AsVectorVal();
+		lval->val.vector_val.size = vec->Size();
+		lval->val.vector_val.vals =
+			new LogVal* [lval->val.vector_val.size];
+
+		for ( int i = 0; i < lval->val.vector_val.size; i++ )
+			{
+			lval->val.vector_val.vals[i] =
+				ValToLogVal(vec->Lookup(i),
+					    vec->Type()->YieldType());
+			}
+
+		break;
+		}
+
+	default:
+		internal_error("unsupported type for log_write");
+	}
+
+	return lval;
+	}
+
+LogVal** LogMgr::RecordToFilterVals(Stream* stream, Filter* filter,
+				    RecordVal* columns)
+	{
+	LogVal** vals = new LogVal*[filter->num_fields];
+
+	for ( int i = 0; i < filter->num_fields; ++i )
+		{
+		TypeTag type = TYPE_ERROR;
+		Val* val = columns;
+
+		// For each field, first find the right value, which can
+		// potentially be nested inside other records.
+		list<int>& indices = filter->indices[i];
+
+		for ( list<int>::iterator j = indices.begin(); j != indices.end(); ++j )
+			{
+			type = val->Type()->AsRecordType()->FieldType(*j)->Tag();
+			val = val->AsRecordVal()->Lookup(*j);
+
+			if ( ! val )
+				{
+				// Value, or any of its parents, is not set.
+				vals[i] = new LogVal(type, false);
+				break;
+				}
+			}
+
+		if ( val )
+			vals[i] = ValToLogVal(val);
+		}
+
+	return vals;
+	}
+
+LogWriter* LogMgr::CreateWriter(EnumVal* id, EnumVal* writer, string path,
+				int num_fields, LogField** fields)
+	{
+	Stream* stream = FindStream(id);
+
+	if ( ! stream )
+		// Don't know this stream.
+		return false;
+
+	Stream::WriterMap::iterator w =
+		stream->writers.find(Stream::WriterPathPair(writer->AsEnum(), path));
+
+	if ( w != stream->writers.end() )
+		// If we already have a writer for this. That's fine, we just
+		// return it.
+		return w->second->writer;
+
+	// Need to instantiate a new writer.
+
+	LogWriterDefinition* ld = log_writers;
+
+	while ( true )
+		{
+		if ( ld->type == BifEnum::Log::WRITER_DEFAULT )
+			{
+			run_time("unknow writer when creating writer");
+			return 0;
+			}
+
+		if ( ld->type == writer->AsEnum() )
+			break;
+
+		if ( ! ld->factory )
+			// Oops, we can't instantiate this guy.
+			return 0;
+
+		// If the writer has an init function, call it.
+		if ( ld->init )
+			{
+			if ( (*ld->init)() )
+				// Clear the init function so that we won't
+				// call it again later.
+				ld->init = 0;
+			else
+				// Init failed, disable by deleting factory
+				// function.
+				ld->factory = 0;
+
+			DBG_LOG(DBG_LOGGING, "failed to init writer class %s",
+				ld->name);
+
+			return false;
+			}
+
+		++ld;
+		}
+
+	assert(ld->factory);
+	LogWriter* writer_obj = (*ld->factory)();
+
+	if ( ! writer_obj->Init(path, num_fields, fields) )
+		{
+		DBG_LOG(DBG_LOGGING, "failed to init instance of writer %s",
+			ld->name);
+
+		return 0;
+		}
+
+	WriterInfo* winfo = new WriterInfo;
+	winfo->type = writer->Ref()->AsEnumVal();
+	winfo->writer = writer_obj;
+	winfo->open_time = network_time;
+	winfo->rotation_timer = 0;
+	InstallRotationTimer(winfo);
+
+	stream->writers.insert(
+		Stream::WriterMap::value_type(Stream::WriterPathPair(writer->AsEnum(), path),
+		winfo));
+
+	return writer_obj;
+	}
+
+bool LogMgr::Write(EnumVal* id, EnumVal* writer, string path, int num_fields,
+		   LogVal** vals)
+	{
+	Stream* stream = FindStream(id);
+
+	if ( ! stream )
+		{
+		// Don't know this stream.
+#ifdef DEBUG
+		ODesc desc;
+		id->Describe(&desc);
+		DBG_LOG(DBG_LOGGING, "unknown stream %s in LogMgr::Write()",
+			desc.Description());
+#endif
+		return false;
+		}
+
+	if ( ! stream->enabled )
+		return true;
+
+	Stream::WriterMap::iterator w =
+		stream->writers.find(Stream::WriterPathPair(writer->AsEnum(), path));
+
+	if ( w == stream->writers.end() )
+		{
+		// Don't know this writer.
+#ifdef DEBUG
+		ODesc desc;
+		id->Describe(&desc);
+		DBG_LOG(DBG_LOGGING, "unknown writer %s in LogMgr::Write()",
+			desc.Description());
+#endif
+		return false;
+		}
+
+	bool success = w->second->writer->Write(num_fields, vals);
+
+	DBG_LOG(DBG_LOGGING,
+		"Wrote pre-filtered record to path '%s' on stream '%s' [%s]",
+		path.c_str(), stream->name.c_str(), (success ? "ok" : "error"));
+
+	return success;
+	}
+
+void LogMgr::SendAllWritersTo(RemoteSerializer::PeerID peer)
+	{
+	for ( vector<Stream *>::iterator s = streams.begin(); s != streams.end(); ++s )
+		{
+		Stream* stream = (*s);
+
+		if ( ! stream )
+			continue;
+
+		for ( Stream::WriterMap::iterator i = stream->writers.begin();
+		      i != stream->writers.end(); i++ )
+			{
+			LogWriter* writer = i->second->writer;
+			EnumVal writer_val(i->first.first, BifType::Enum::Log::Writer);
+			remote_serializer->SendLogCreateWriter(peer, (*s)->id,
+							       &writer_val,
+							       i->first.second,
+							       writer->NumFields(),
+							       writer->Fields());
+			}
+		}
+	}
+
+bool LogMgr::SetBuf(EnumVal* id, bool enabled)
+	{
+	Stream* stream = FindStream(id);
+	if ( ! stream )
+		return false;
+
+	for ( Stream::WriterMap::iterator i = stream->writers.begin();
+	      i != stream->writers.end(); i++ )
+		i->second->writer->SetBuf(enabled);
+
+	RemoveDisabledWriters(stream);
+
+	return true;
+	}
+
+bool LogMgr::Flush(EnumVal* id)
+	{
+	Stream* stream = FindStream(id);
+	if ( ! stream )
+		return false;
+
+	if ( ! stream->enabled )
+		return true;
+
+	for ( Stream::WriterMap::iterator i = stream->writers.begin();
+	      i != stream->writers.end(); i++ )
+		i->second->writer->Flush();
+
+	RemoveDisabledWriters(stream);
+
+	return true;
+	}
+
+void LogMgr::Error(LogWriter* writer, const char* msg)
+	{
+	run_time(fmt("error with writer for %s: %s",
+		     writer->Path().c_str(), msg));
+	}
+
+// Timer which on dispatching rotates the filter.
+class RotationTimer : public Timer {
+public:
+	RotationTimer(double t, LogMgr::WriterInfo* arg_winfo, bool arg_rotate)
+		: Timer(t, TIMER_ROTATE)
+			{
+			winfo = arg_winfo;
+			rotate = arg_rotate;
+			}
+
+	~RotationTimer();
+
+	void Dispatch(double t, int is_expire);
+
+protected:
+	LogMgr::WriterInfo* winfo;
+	bool rotate;
+};
+
+RotationTimer::~RotationTimer()
+	{
+	if ( winfo->rotation_timer == this )
+		winfo->rotation_timer = 0;
+	}
+
+void RotationTimer::Dispatch(double t, int is_expire)
+	{
+	winfo->rotation_timer = 0;
+
+	if ( rotate )
+		log_mgr->Rotate(winfo);
+
+	if ( ! is_expire )
+		{
+		winfo->open_time = network_time;
+		log_mgr->InstallRotationTimer(winfo);
+		}
+	}
+
+RecordVal* LogMgr::LookupRotationControl(EnumVal* writer, string path)
+	{
+	TableVal* rc = BifConst::Log::rotation_control->AsTableVal();
+
+	ListVal* index = new ListVal(TYPE_ANY);
+	index->Append(writer->Ref());
+	index->Append(new StringVal(path.c_str()));
+
+	Val* r = rc->Lookup(index);
+	assert(r);
+
+	Unref(index);
+
+	return r->AsRecordVal();
+	}
+
+void LogMgr::InstallRotationTimer(WriterInfo* winfo)
+	{
+	if ( terminating )
+		return;
+
+	if ( winfo->rotation_timer )
+		{
+		timer_mgr->Cancel(winfo->rotation_timer);
+		winfo->rotation_timer = 0;
+		}
+
+	RecordVal* rc =
+		LookupRotationControl(winfo->type, winfo->writer->Path());
+
+	int idx = rc->Type()->AsRecordType()->FieldOffset("interv");
+	double rotation_interval = rc->LookupWithDefault(idx)->AsInterval();
+
+	if ( rotation_interval )
+		{
+		// When this is called for the first time, network_time can still be
+		// zero. If so, we set a timer which fires immediately but doesn't
+		// rotate when it expires.
+		if ( ! network_time )
+			winfo->rotation_timer = new RotationTimer(1, winfo, false);
+		else
+			{
+			if ( ! winfo->open_time )
+				winfo->open_time = network_time;
+
+			const char* base_time = log_rotate_base_time ?
+				log_rotate_base_time->AsString()->CheckString() : 0;
+
+			double delta_t =
+				calc_next_rotate(rotation_interval, base_time);
+
+			winfo->rotation_timer =
+				new RotationTimer(network_time + delta_t, winfo, true);
+			}
+
+		timer_mgr->Add(winfo->rotation_timer);
+
+		DBG_LOG(DBG_LOGGING, "Scheduled rotation timer for %s to %.6f",
+			winfo->writer->Path().c_str(), winfo->rotation_timer->Time());
+		}
+	}
+
+void LogMgr::Rotate(WriterInfo* winfo)
+	{
+	DBG_LOG(DBG_LOGGING, "Rotating %s at %.6f",
+		winfo->writer->Path().c_str(), network_time);
+
+	// Create the RotationInfo record.
+	RecordVal* info = new RecordVal(BifType::Record::Log::RotationInfo);
+	info->Assign(0, winfo->type->Ref());
+	info->Assign(1, new StringVal(winfo->writer->Path().c_str()));
+	info->Assign(2, new Val(winfo->open_time, TYPE_TIME));
+	info->Assign(3, new Val(network_time, TYPE_TIME));
+
+	// Call the function building us the new path.
+
+	Func* rotation_path_func =
+		internal_func("Log::default_rotation_path_func");
+
+	RecordVal* rc =
+		LookupRotationControl(winfo->type, winfo->writer->Path());
+
+	int idx = rc->Type()->AsRecordType()->FieldOffset("postprocessor");
+
+	string rotation_postprocessor =
+		rc->LookupWithDefault(idx)->AsString()->CheckString();
+
+	val_list vl(1);
+	vl.append(info);
+	Val* result = rotation_path_func->Call(&vl);
+	string new_path = result->AsString()->CheckString();
+	Unref(result);
+
+	winfo->writer->Rotate(new_path, rotation_postprocessor,
+			      winfo->open_time, network_time, terminating);
+	}
+
+
diff --git a/src/LogMgr.h b/src/LogMgr.h
new file mode 100644
index 0000000000..ce4de1ab5d
--- /dev/null
+++ b/src/LogMgr.h
@@ -0,0 +1,133 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+//
+// A class managing log writers and filters.
+
+#ifndef LOGMGR_H
+#define LOGMGR_H
+
+#include "Val.h"
+#include "EventHandler.h"
+#include "RemoteSerializer.h"
+
+class SerializationFormat;
+
+// Description of a log field.
+struct LogField {
+	string name;
+	TypeTag type;
+
+	LogField()	{ }
+	LogField(const LogField& other)
+		: name(other.name), type(other.type)	{ }
+
+	// (Un-)serialize.
+	bool Read(SerializationFormat* fmt);
+	bool Write(SerializationFormat* fmt) const;
+};
+
+// Values as logged by a writer.
+struct LogVal {
+	TypeTag type;
+	bool present; // False for unset fields.
+
+	// The following union is a subset of BroValUnion, including only the
+	// types we can log directly.
+	struct set_t { bro_int_t size; LogVal** vals; };
+	typedef set_t vec_t;
+
+	union _val {
+		bro_int_t int_val;
+		bro_uint_t uint_val;
+		uint32 addr_val[NUM_ADDR_WORDS];
+		subnet_type subnet_val;
+		double double_val;
+		string* string_val;
+		set_t set_val;
+		vec_t vector_val;
+	} val;
+
+	LogVal(TypeTag arg_type = TYPE_ERROR, bool arg_present = true)
+		: type(arg_type), present(arg_present)	{}
+	~LogVal();
+
+	// (Un-)serialize.
+	bool Read(SerializationFormat* fmt);
+	bool Write(SerializationFormat* fmt) const;
+
+	// Returns true if the type can be logged the framework. If
+	// `atomic_only` is true, will not permit composite types.
+	static bool IsCompatibleType(BroType* t, bool atomic_only=false);
+
+private:
+	LogVal(const LogVal& other)	{ }
+};
+
+class LogWriter;
+class RemoteSerializer;
+class RotationTimer;
+
+class LogMgr {
+public:
+	LogMgr();
+	~LogMgr();
+
+	// These correspond to the BiFs visible on the scripting layer. The
+	// actual BiFs just forward here.
+	bool CreateStream(EnumVal* id, RecordVal* stream);
+	bool EnableStream(EnumVal* id);
+	bool DisableStream(EnumVal* id);
+	bool AddFilter(EnumVal* id, RecordVal* filter);
+	bool RemoveFilter(EnumVal* id, StringVal* name);
+	bool RemoveFilter(EnumVal* id, string name);
+	bool Write(EnumVal* id, RecordVal* columns);
+	bool SetBuf(EnumVal* id, bool enabled);	// Adjusts all writers.
+	bool Flush(EnumVal* id);		// Flushes all writers..
+
+protected:
+	friend class LogWriter;
+	friend class RemoteSerializer;
+	friend class RotationTimer;
+
+	//// Function also used by the RemoteSerializer.
+
+	// Takes ownership of fields.
+	LogWriter* CreateWriter(EnumVal* id, EnumVal* writer, string path,
+				int num_fields, LogField** fields);
+
+	// Takes ownership of values..
+	bool Write(EnumVal* id, EnumVal* writer, string path,
+		   int num_fields, LogVal** vals);
+
+	// Announces all instantiated writers to peer.
+	void SendAllWritersTo(RemoteSerializer::PeerID peer);
+
+	//// Functions safe to use by writers.
+
+	// Reports an error for the given writer.
+	void Error(LogWriter* writer, const char* msg);
+
+private:
+	struct Filter;
+	struct Stream;
+	struct WriterInfo;
+
+	bool TraverseRecord(Stream* stream, Filter* filter, RecordType* rt,
+			    TableVal* include, TableVal* exclude, string path, list<int> indices);
+
+	LogVal** RecordToFilterVals(Stream* stream, Filter* filter,
+				    RecordVal* columns);
+
+	LogVal* ValToLogVal(Val* val, BroType* ty = 0);
+	Stream* FindStream(EnumVal* id);
+	void RemoveDisabledWriters(Stream* stream);
+	void InstallRotationTimer(WriterInfo* winfo);
+	void Rotate(WriterInfo* info);
+	RecordVal* LookupRotationControl(EnumVal* writer, string path);
+	Filter* FindFilter(EnumVal* id, StringVal* filter);
+
+	vector<Stream *> streams;	// Indexed by stream enum.
+};
+
+extern LogMgr* log_mgr;
+
+#endif
diff --git a/src/LogWriter.cc b/src/LogWriter.cc
new file mode 100644
index 0000000000..6e12e3a6ed
--- /dev/null
+++ b/src/LogWriter.cc
@@ -0,0 +1,188 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "util.h"
+#include "LogWriter.h"
+
+LogWriter::LogWriter()
+	{
+	buf = 0;
+	buf_len = 1024;
+	buffering = true;
+	disabled = false;
+	}
+
+LogWriter::~LogWriter()
+	{
+	if ( buf )
+		free(buf);
+
+	delete [] fields;
+	}
+
+bool LogWriter::Init(string arg_path, int arg_num_fields,
+		     const LogField* const * arg_fields)
+	{
+	path = arg_path;
+	num_fields = arg_num_fields;
+	fields = arg_fields;
+
+	if ( ! DoInit(arg_path, arg_num_fields, arg_fields) )
+		{
+		disabled = true;
+		return false;
+		}
+
+	return true;
+	}
+
+bool LogWriter::Write(int arg_num_fields, LogVal** vals)
+	{
+	// Double-check that the arguments match. If we get this from remote,
+	// something might be mixed up.
+	if ( num_fields != arg_num_fields )
+		{
+		DBG_LOG(DBG_LOGGING, "Number of fields don't match in LogWriter::Write() (%d vs. %d)",
+			arg_num_fields, num_fields);
+
+		return false;
+		}
+
+	for ( int i = 0; i < num_fields; ++i )
+		{
+		if ( vals[i]->type != fields[i]->type )
+			{
+			DBG_LOG(DBG_LOGGING, "Field type doesn't match in LogWriter::Write() (%d vs. %d)",
+				vals[i]->type, fields[i]->type);
+			return false;
+			}
+		}
+
+	bool result = DoWrite(num_fields, fields, vals);
+
+	DeleteVals(vals);
+
+	if ( ! result )
+		disabled = true;
+
+	return result;
+	}
+
+bool LogWriter::SetBuf(bool enabled)
+	{
+	if ( enabled == buffering )
+		// No change.
+		return true;
+
+	buffering = enabled;
+
+	if ( ! DoSetBuf(enabled) )
+		{
+		disabled = true;
+		return false;
+		}
+
+	return true;
+	}
+
+bool LogWriter::Rotate(string rotated_path, string postprocessor, double open,
+		       double close, bool terminating)
+	{
+	if ( ! DoRotate(rotated_path, postprocessor, open, close, terminating) )
+		{
+		disabled = true;
+		return false;
+		}
+
+	return true;
+	}
+
+bool LogWriter::Flush()
+	{
+	if ( ! DoFlush() )
+		{
+		disabled = true;
+		return false;
+		}
+
+	return true;
+	}
+
+void LogWriter::Finish()
+	{
+	DoFinish();
+	}
+
+const char* LogWriter::Fmt(const char* format, ...)
+	{
+	if ( ! buf )
+		buf = (char*) malloc(buf_len);
+
+	va_list al;
+	va_start(al, format);
+	int n = safe_vsnprintf(buf, buf_len, format, al);
+	va_end(al);
+
+	if ( (unsigned int) n >= buf_len )
+		{ // Not enough room, grow the buffer.
+		buf_len = n + 32;
+		buf = (char*) realloc(buf, buf_len);
+
+		// Is it portable to restart?
+		va_start(al, format);
+		n = safe_vsnprintf(buf, buf_len, format, al);
+		va_end(al);
+		}
+
+	return buf;
+	}
+
+void LogWriter::Error(const char *msg)
+	{
+	log_mgr->Error(this, msg);
+	}
+
+void LogWriter::DeleteVals(LogVal** vals)
+	{
+	for ( int i = 0; i < num_fields; i++ )
+		delete vals[i];
+	}
+
+bool LogWriter::RunPostProcessor(string fname, string postprocessor,
+				 string old_name, double open, double close,
+				 bool terminating)
+	{
+	// This function operates in a way that is backwards-compatible with
+	// the old Bro log rotation scheme.
+
+	if ( ! postprocessor.size() )
+		return true;
+
+	const char* const fmt = "%y-%m-%d_%H.%M.%S";
+
+	struct tm tm1;
+	struct tm tm2;
+
+	time_t tt1 = (time_t)open;
+	time_t tt2 = (time_t)close;
+
+	localtime_r(&tt1, &tm1);
+	localtime_r(&tt2, &tm2);
+
+	char buf1[128];
+	char buf2[128];
+
+	strftime(buf1, sizeof(buf1), fmt, &tm1);
+	strftime(buf2, sizeof(buf2), fmt, &tm2);
+
+	string cmd = postprocessor;
+	cmd += " " + fname;
+	cmd += " " + old_name;
+	cmd += " " + string(buf1);
+	cmd += " " + string(buf2);
+	cmd += " " + string(terminating ? "1" : "0");
+	cmd += " &";
+
+	system(cmd.c_str());
+
+	return true;
+	}
diff --git a/src/LogWriter.h b/src/LogWriter.h
new file mode 100644
index 0000000000..8dcd05a67f
--- /dev/null
+++ b/src/LogWriter.h
@@ -0,0 +1,188 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+//
+// Interface API for a log writer backend. The LogMgr creates a separate
+// writer instance of pair of (writer type, output path).
+//
+// Note thay classes derived from LogWriter must be fully thread-safe and not
+// use any non-thread-safe Bro functionality (which includes almost
+// everything ...). In particular, do not use fmt() but LogWriter::Fmt()!.
+//
+// The one exception to this rule is the constructor: it is guaranteed to be
+// executed inside the main thread and can thus in particular access global
+// script variables.
+
+#ifndef LOGWRITER_H
+#define LOGWRITER_H
+
+#include "LogMgr.h"
+#include "BroString.h"
+
+class LogWriter {
+public:
+	LogWriter();
+	virtual ~LogWriter();
+
+	//// Interface methods to interact with the writer. Note that these
+	//// methods are not necessarily thread-safe and must be called only
+	//// from the main thread (which will typically mean only from the
+	//// LogMgr). In particular, they must not be called from the
+	//// writer's derived implementation.
+
+	// One-time initialization of the writer to define the logged fields.
+	// Interpretation of "path" is left to the writer, and will be
+	// corresponding the value configured on the script-level.
+	// 
+	// Returns false if an error occured, in which case the writer must
+	// not be used further.
+	//
+	// The new instance takes ownership of "fields", and will delete them
+	// when done.
+	bool Init(string path, int num_fields, const LogField* const * fields);
+
+	// Writes one log entry. The method takes ownership of "vals" and
+	// will return immediately after queueing the write request, which is
+	// potentially before output has actually been written out.
+	//
+	// num_fields and the types of the LogVals must match what was passed
+	// to Init().
+	//
+	// Returns false if an error occured, in which case the writer must
+	// not be used any further.
+	bool Write(int num_fields, LogVal** vals);
+
+	// Sets the buffering status for the writer, if the writer supports
+	// that. (If not, it will be ignored).
+	bool SetBuf(bool enabled);
+
+	// Flushes any currently buffered output, if the writer supports 
+	// that. (If not, it will be ignored).
+	bool Flush();
+
+	// Triggers rotation, if the writer supports that. (If not, it will
+	// be ignored).
+	bool Rotate(string rotated_path, string postprocessor, double open,
+		    double close, bool terminating);
+
+	// Finishes writing to this logger regularly. Must not be called if
+	// an error has been indicated earlier. After calling this, no
+	// further writing must be performed.
+	void Finish();
+
+	//// Thread-safe methods that may be called from the writer
+	//// implementation.
+
+	// The following methods return the information as passed to Init().
+	const string Path() const	{ return path; }
+	int NumFields() const	{ return num_fields; }
+	const LogField* const * Fields() const	{ return fields; }
+
+protected:
+
+	// Methods for writers to override. If any of these returs false, it
+	// will be assumed that a fatal error has occured that prevents the
+	// writer from further operation. It will then be disabled and
+	// deleted. When return false, the writer should also report the
+	// error via Error(). Note that even if a writer does not support the
+	// functionality for one these methods (like rotation), it must still
+	// return true if that is not to be considered a fatal error.
+	//
+	// Called once for initialization of the writer.
+	virtual bool DoInit(string path, int num_fields,
+			    const LogField* const * fields) = 0;
+
+	// Called once per log entry to record.
+	virtual bool DoWrite(int num_fields, const LogField* const * fields,
+			     LogVal** vals) = 0;
+
+	// Called when the buffering status for this writer is changed. If
+	// buffering is disabled, the writer should attempt to write out
+	// information as quickly as possible even if doing so may have a
+	// performance impact. If enabled (which is the default), it may
+	// buffer data as helpful and write it out later in a way optimized
+	// for performance. The current buffering state can be queried via
+	// IsBuf().
+	//
+	// A writer may ignore buffering changes if it doesn't fit with its
+	// semantics (but must still return true in that case).
+	virtual bool DoSetBuf(bool enabled) = 0;
+
+	// Called to flush any currently buffered output.
+	//
+	// A writer may ignore flush requests if it doesn't fit with its
+	// semantics (but must still return true in that case).
+	virtual bool DoFlush() = 0;
+
+	// Called when a log output is to be rotated. Most directly this only
+	// applies to writers writing into files, which should then close the
+	// current file and open a new one.  However, a writer may also
+	// trigger other apppropiate actions if semantics are similar.
+	//
+	// "rotate_path" reflects the path to where the rotated output is to
+	// be moved, with specifics depending on the writer. It should
+	// generally be interpreted in a way consistent with that of "path"
+	// as passed into DoInit(). As an example, for file-based output, 
+	// "rotate_path" could be the original filename extended with a
+	// timestamp indicating the time of the rotation.
+
+	// "postprocessor" is the name of a command to execute on the rotated
+	// file. If empty, no postprocessing should take place; if given but
+	// the writer doesn't support postprocessing, it can be ignored (but
+	// the method must still return true in that case).
+
+	// "open" and "close" are the network time's when the *current* file
+	// was opened and closed, respectively.
+	//
+	// "terminating" indicated whether the rotation request occurs due
+	// the main Bro prcoess terminating (and not because we've reach a
+	// regularly scheduled time for rotation).
+	//
+	// A writer may ignore rotation requests if it doesn't fit with its
+	// semantics (but must still return true in that case).
+	virtual bool DoRotate(string rotated_path, string postprocessor,
+			      double open, double close, bool terminating) = 0;
+
+	// Called once on termination. Not called when any of the other
+	// methods has previously signaled an error, i.e., executing this
+	// method signals a regular shutdown of the writer.
+	virtual void DoFinish() = 0;
+
+	//// Methods for writers to use. These are thread-safe.
+
+	// A thread-safe version of fmt().
+	const char* Fmt(const char* format, ...);
+
+	// Returns the current buffering state.
+	bool IsBuf()	{ return buffering; }
+
+	// Reports an error to the user.
+	void Error(const char *msg);
+
+	// Runs a post-processor on the given file. Parameters correspond to
+	// those of DoRotate(). 
+	bool RunPostProcessor(string fname, string postprocessor,
+			      string old_name, double open, double close,
+			      bool terminating);
+
+private:
+	friend class LogMgr;
+
+	// When an error occurs, we call this method to set a flag marking
+	// the writer as disabled. The LogMgr will check the flag later and
+	// remove the writer.
+	bool Disabled()	{ return disabled; }
+
+	// Deletes the values as passed into Write().
+	void DeleteVals(LogVal** vals);
+
+	string path;
+	int num_fields;
+	const LogField* const * fields;
+	bool buffering;
+	bool disabled;
+
+	// For implementing Fmt().
+	char* buf;
+	unsigned int buf_len;
+};
+
+#endif
diff --git a/src/LogWriterAscii.cc b/src/LogWriterAscii.cc
new file mode 100644
index 0000000000..d831960a3c
--- /dev/null
+++ b/src/LogWriterAscii.cc
@@ -0,0 +1,266 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include <string>
+#include <errno.h>
+
+#include "LogWriterAscii.h"
+#include "NetVar.h"
+
+LogWriterAscii::LogWriterAscii()
+	{
+	file = 0;
+
+	output_to_stdout = BifConst::LogAscii::output_to_stdout;
+	include_header = BifConst::LogAscii::include_header;
+
+	separator_len = BifConst::LogAscii::separator->Len();
+	separator = new char[separator_len];
+	memcpy(separator, BifConst::LogAscii::separator->Bytes(),
+	       separator_len);
+
+	set_separator_len = BifConst::LogAscii::set_separator->Len();
+	set_separator = new char[set_separator_len];
+	memcpy(set_separator, BifConst::LogAscii::set_separator->Bytes(),
+	       set_separator_len);
+
+	empty_field_len = BifConst::LogAscii::empty_field->Len();
+	empty_field = new char[empty_field_len];
+	memcpy(empty_field, BifConst::LogAscii::empty_field->Bytes(),
+	       empty_field_len);
+
+	unset_field_len = BifConst::LogAscii::unset_field->Len();
+	unset_field = new char[unset_field_len];
+	memcpy(unset_field, BifConst::LogAscii::unset_field->Bytes(),
+	       unset_field_len);
+
+	header_prefix_len = BifConst::LogAscii::header_prefix->Len();
+	header_prefix = new char[header_prefix_len];
+	memcpy(header_prefix, BifConst::LogAscii::header_prefix->Bytes(),
+	       header_prefix_len);
+
+	}
+
+LogWriterAscii::~LogWriterAscii()
+	{
+	if ( file )
+		fclose(file);
+
+	delete [] separator;
+	delete [] set_separator;
+	delete [] empty_field;
+	delete [] unset_field;
+	delete [] header_prefix;
+	}
+
+bool LogWriterAscii::DoInit(string path, int num_fields,
+			    const LogField* const * fields)
+	{
+	if ( output_to_stdout )
+		path = "/dev/stdout";
+
+	fname = IsSpecial(path) ? path : path + ".log";
+
+	if ( ! (file = fopen(fname.c_str(), "w")) )
+		{
+		Error(Fmt("cannot open %s: %s", fname.c_str(),
+			  strerror(errno)));
+
+		return false;
+		}
+
+	if ( include_header )
+		{
+		if ( fwrite(header_prefix, header_prefix_len, 1, file) != 1 )
+			goto write_error;
+
+		for ( int i = 0; i < num_fields; i++ )
+			{
+			if ( i > 0 &&
+			     fwrite(separator, separator_len, 1, file) != 1 )
+				goto write_error;
+
+			const LogField* field = fields[i];
+
+			if ( fputs(field->name.c_str(), file) == EOF )
+				goto write_error;
+			}
+
+		if ( fputc('\n', file) == EOF )
+			goto write_error;
+		}
+
+	return true;
+
+write_error:
+	Error(Fmt("error writing to %s: %s", fname.c_str(), strerror(errno)));
+	return false;
+	}
+
+bool LogWriterAscii::DoFlush()
+	{
+	fflush(file);
+	return true;
+	}
+
+void LogWriterAscii::DoFinish()
+	{
+	}
+
+bool LogWriterAscii::DoWriteOne(ODesc* desc, LogVal* val, const LogField* field)
+	{
+	if ( ! val->present )
+		{
+		desc->AddN(unset_field, unset_field_len);
+		return true;
+		}
+
+	switch ( val->type ) {
+
+	case TYPE_BOOL:
+		desc->Add(val->val.int_val ? "T" : "F");
+		break;
+
+	case TYPE_INT:
+		desc->Add(val->val.int_val);
+		break;
+
+	case TYPE_COUNT:
+	case TYPE_COUNTER:
+	case TYPE_PORT:
+		desc->Add(val->val.uint_val);
+		break;
+
+	case TYPE_SUBNET:
+		desc->Add(dotted_addr(val->val.subnet_val.net));
+		desc->Add("/");
+		desc->Add(val->val.subnet_val.width);
+		break;
+
+	case TYPE_NET:
+	case TYPE_ADDR:
+		desc->Add(dotted_addr(val->val.addr_val));
+		break;
+
+	case TYPE_DOUBLE:
+	case TYPE_TIME:
+	case TYPE_INTERVAL:
+		desc->Add(val->val.double_val);
+	break;
+
+	case TYPE_ENUM:
+	case TYPE_STRING:
+	case TYPE_FILE:
+		{
+		int size = val->val.string_val->size();
+		if ( size )
+			desc->AddN(val->val.string_val->data(), val->val.string_val->size());
+		else
+			desc->AddN(empty_field, empty_field_len);
+		break;
+		}
+
+	case TYPE_TABLE:
+		{
+		if ( ! val->val.set_val.size )
+			{
+			desc->AddN(empty_field, empty_field_len);
+			break;
+			}
+
+		for ( int j = 0; j < val->val.set_val.size; j++ )
+			{
+			if ( j > 0 )
+				desc->AddN(set_separator, set_separator_len);
+
+			if ( ! DoWriteOne(desc, val->val.set_val.vals[j], field) )
+				return false;
+			}
+
+		break;
+		}
+
+	case TYPE_VECTOR:
+		{
+		if ( ! val->val.vector_val.size )
+			{
+			desc->AddN(empty_field, empty_field_len);
+			break;
+			}
+
+		for ( int j = 0; j < val->val.vector_val.size; j++ )
+			{
+			if ( j > 0 )
+				desc->AddN(set_separator, set_separator_len);
+
+			if ( ! DoWriteOne(desc, val->val.vector_val.vals[j], field) )
+				return false;
+			}
+
+		break;
+		}
+
+	default:
+		Error(Fmt("unsupported field format %d for %s", val->type,
+			  field->name.c_str()));
+		return false;
+	}
+
+	return true;
+	}
+
+bool LogWriterAscii::DoWrite(int num_fields, const LogField* const * fields,
+			     LogVal** vals)
+	{
+	ODesc desc(DESC_READABLE);
+	desc.SetEscape(separator, separator_len);
+
+	for ( int i = 0; i < num_fields; i++ )
+		{
+		if ( i > 0 )
+			desc.AddRaw(separator, separator_len);
+
+		if ( ! DoWriteOne(&desc, vals[i], fields[i]) )
+			return false;
+		}
+
+	desc.AddRaw("\n", 1);
+
+	if ( fwrite(desc.Bytes(), desc.Len(), 1, file) != 1 )
+		{
+		Error(Fmt("error writing to %s: %s", fname.c_str(), strerror(errno)));
+		return false;
+		}
+
+	if ( IsBuf() )
+		fflush(file);
+
+	return true;
+	}
+
+bool LogWriterAscii::DoRotate(string rotated_path, string postprocessor, double open,
+			      double close, bool terminating)
+	{
+	if ( IsSpecial(Path()) )
+		// Don't rotate special files.
+		return true;
+
+	fclose(file);
+
+	string nname = rotated_path + ".log";
+	rename(fname.c_str(), nname.c_str());
+
+	if ( postprocessor.size() &&
+	     ! RunPostProcessor(nname, postprocessor, fname.c_str(),
+				open, close, terminating) )
+		return false;
+
+	return DoInit(Path(), NumFields(), Fields());
+	}
+
+bool LogWriterAscii::DoSetBuf(bool enabled)
+	{
+	// Nothing to do.
+	return true;
+	}
+
+
diff --git a/src/LogWriterAscii.h b/src/LogWriterAscii.h
new file mode 100644
index 0000000000..fecbd9e94c
--- /dev/null
+++ b/src/LogWriterAscii.h
@@ -0,0 +1,55 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+//
+// Log writer for delimiter-separated ASCII logs.
+
+#ifndef LOGWRITERASCII_H
+#define LOGWRITERASCII_H
+
+#include "LogWriter.h"
+
+class LogWriterAscii : public LogWriter {
+public:
+	LogWriterAscii();
+	~LogWriterAscii();
+
+	static LogWriter* Instantiate()	{ return new LogWriterAscii; }
+
+protected:
+	virtual bool DoInit(string path, int num_fields,
+			    const LogField* const * fields);
+	virtual bool DoWrite(int num_fields, const LogField* const * fields,
+			     LogVal** vals);
+	virtual bool DoSetBuf(bool enabled);
+	virtual bool DoRotate(string rotated_path, string postprocessr,
+			      double open, double close, bool terminating);
+	virtual bool DoFlush();
+	virtual void DoFinish();
+
+private:
+	bool IsSpecial(string path) 	{ return path.find("/dev/") == 0; }
+	bool DoWriteOne(ODesc* desc, LogVal* val, const LogField* field);
+
+	FILE* file;
+	string fname;
+
+	// Options set from the script-level.
+	bool output_to_stdout;
+	bool include_header;
+
+	char* separator;
+	int separator_len;
+
+	char* set_separator;
+	int set_separator_len;
+
+	char* empty_field;
+	int empty_field_len;
+
+	char* unset_field;
+	int unset_field_len;
+
+	char* header_prefix;
+	int header_prefix_len;
+};
+
+#endif
diff --git a/src/Logger.h b/src/Logger.h
index 0c3f0d1ed7..6512776550 100644
--- a/src/Logger.h
+++ b/src/Logger.h
@@ -1,5 +1,3 @@
-// $Id: Logger.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef logger_h
diff --git a/src/Login.h b/src/Login.h
index 4bcecb0634..b186cc52d2 100644
--- a/src/Login.h
+++ b/src/Login.h
@@ -1,5 +1,3 @@
-// $Id: Login.h 6219 2008-10-01 05:39:07Z vern $
-//
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #ifndef login_h
diff --git a/src/Makefile.am b/src/Makefile.am
deleted file mode 100644
index d620f02856..0000000000
--- a/src/Makefile.am
+++ /dev/null
@@ -1,415 +0,0 @@
-## Process this file with automake to produce Makefile.in
-#
-#  Copyright (c) 1997-2005
-#	The Regents of the University of California.  All rights reserved.
-#
-#  Redistribution and use in source and binary forms, with or without
-#  modification, are permitted provided that: (1) source code distributions
-#  retain the above copyright notice and this paragraph in its entirety, (2)
-#  distributions including binary code include the above copyright notice and
-#  this paragraph in its entirety in the documentation or other materials
-#  provided with the distribution, and (3) all advertising materials mentioning
-#  features or use of this software display the following acknowledgement:
-#  ``This product includes software developed by the University of California,
-#  Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
-#  the University nor the names of its contributors may be used to endorse
-#  or promote products derived from this software without specific prior
-#  written permission.
-#  THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
-#  WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
-#  MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
-#
-#  $Id: Makefile.am 6588 2009-02-17 00:02:53Z vern $
-#
-#
-
-noinst_PROGRAMS = bifcl
-bin_PROGRAMS = bro
-
-bifcl_SOURCES = bif_lex.cc bif_parse.cc bif_arg.cc
-
-BINPAC_SRC = binpac-lib.pac binpac_bro-lib.pac bittorrent.pac \
-	dce_rpc.pac dce_rpc_simple.pac dhcp.pac dns.pac \
-	dns_tcp.pac http.pac ncp.pac netflow.pac rpc.pac smb.pac \
-	ssl.pac ssl-record-layer.pac syslog.pac
-
-BINPAC_H = $(BINPAC_SRC:.pac=_pac.h)
-BINPAC_CC = $(BINPAC_SRC:.pac=_pac.cc)
-BINPAC_AUXSRC = binpac.pac bro.pac binpac_bro.h
-
-BINPAC_RPC_AUXSRC = \
-	bittorrent-protocol.pac bittorrent-analyzer.pac \
-	dce_rpc-analyzer.pac dce_rpc-protocol.pac \
-	dhcp-analyzer.pac dhcp-protocol.pac \
-	dns-analyzer.pac dns-protocol.pac \
-	epmapper.pac \
-	http-analyzer.pac http-protocol.pac http.pac \
-	netflow-protocol.pac netflow-analyzer.pac \
-	portmap-protocol.pac portmap-analyzer.pac \
-	rpc-protocol.pac rpc-analyzer.pac \
-	smb-protocol.pac smb-mailslot.pac smb-pipe.pac \
-	ssl.pac ssl-analyzer.pac ssl-defs.pac \
-	ssl-protocol.pac ssl-record-layer.pac \
-	syslog.pac syslog-protocol.pac syslog-analyzer.pac
-
-BINPAC = @BINPAC@
-BINPAC_FLAGS = -d $(top_builddir)/src -I $(srcdir)
-LIBBINPAC = $(top_builddir)/aux/binpac/lib/libbinpac.a
-LIBBINPAC_LIBS = -L$(top_builddir)/aux/binpac/lib -lbinpac
-
-# File locking helper to synchronize targets in parallel builds
-LOCK_FILE = $(top_builddir)/aux/scripts/lock_file
-
-# List all optionally built source files here.
-EXTRA_bro_SOURCES = X509.cc SSLCiphers.cc SSLInterpreter.cc SSLProxy.cc \
-	SSLv2.cc SSLv3.cc SSLv3Automaton.cc nb_dns.c malloc.c
-
-if USE_NBDNS
-dns_srcs = nb_dns.c
-endif
-
-if USE_OPENSSL
-openssl_srcs = X509.cc SSLCiphers.cc SSLInterpreter.cc SSLProxy.cc \
-	SSLv2.cc SSLv3.cc SSLv3Automaton.cc
-endif
-
-# this is much faster on FreeBSD
-if USE_NMALLOC
-malloc_srcs = malloc.c
-endif
-
-# Forces libedit, bifcl and all generated files to be done first.
-# NOTE: Order does matter here, bifcl needs to be before the generated files
-# to be correct, the generated files should depend on bifcl, but this causes
-# the whole tree to be rebuilt in some cases.
-#
-# Binpac handling: the main .pac files are explicitly listed in BINPAC_SRC,
-# with implicit lists for the corresponding _pac.cc/_pac.h files. We do not
-# list the _pac.cc files in bro_SOURCES, since then they'd become part of
-# DISTFILES and distcheck would try to build them before binpac exists.
-# (This would still work on a previously built tree, but not on a fresh
-# checkout.)  To mark the _pac.cc/_pac.h files as sources and ensure the
-# resulting object files are linked in, we use nodist_bro_SOURCES. Finally,
-# to ensure they're built first, we also list the _pac.cc files in
-# BUILT_SOURCES. --cpk
-#
-BUILT_SOURCES = bifcl $(BIF_FUNC_H) \
-	DebugCmdInfoConstants.cc DebugCmdConstants.h \
-	$(BINPAC_CC)
-
-EXTRA_DIST = $(BIFS) SMB_COM.def SMTP_cmd.def \
-	POP3_cmd.def bif_type.def builtin-func.y parse.y re-parse.y rule-parse.y \
-	make_parser.pl make_dbg_constants.pl parse.in scan.l \
-	re-scan.l rule-scan.l builtin-func.l DebugCmdInfoConstants.in \
-	$(BINPAC_SRC) $(BINPAC_AUXSRC) $(BINPAC_RPC_AUXSRC)
-
-nodist_bro_SOURCES = $(BINPAC_CC) $(BINPAC_H)
-
-bro_SOURCES = \
-	main.cc net_util.cc util.cc \
-	parse.cc scan.cc re-parse.cc re-scan.cc rule-parse.cc rule-scan.cc \
-	Active.cc Analyzer.cc Anon.cc ARP.cc Attr.cc \
-	BackDoor.cc Base64.cc BitTorrent.cc BitTorrentTracker.cc \
-	BPF_Program.cc BroString.cc \
-	CCL.cc ChunkedIO.cc CompHash.cc Conn.cc ConnCompressor.cc \
-	ContentLine.cc DCE_RPC.cc DFA.cc \
-	DHCP-binpac.cc DNS.cc DNS-binpac.cc DNS_Mgr.cc \
-	DbgBreakpoint.cc DbgHelp.cc DbgWatch.cc Debug.cc \
-	DebugCmds.cc DebugLogger.cc Desc.cc Dict.cc Discard.cc DPM.cc \
-	EquivClass.cc Event.cc EventHandler.cc EventLauncher.cc \
-	EventRegistry.cc \
-	Expr.cc FTP.cc File.cc FileAnalyzer.cc Finger.cc FlowSrc.cc Frag.cc \
-	Frame.cc Func.cc Gnutella.cc HTTP.cc HTTP-binpac.cc Hash.cc ICMP.cc \
-	ID.cc Ident.cc IntSet.cc InterConn.cc IOSource.cc IRC.cc \
-	List.cc Logger.cc Login.cc MIME.cc \
-	NCP.cc NFA.cc NFS.cc NTP.cc NVT.cc Net.cc NetVar.cc \
-	NetbiosSSN.cc Obj.cc OSFinger.cc \
-	PacketFilter.cc PacketSort.cc PersistenceSerializer.cc \
-	PktDagSrc.cc PktSrc.cc PIA.cc \
-	PolicyFile.cc POP3.cc Portmap.cc PrefixTable.cc PriorityQueue.cc \
-	Queue.cc RE.cc RPC.cc Reassem.cc RemoteSerializer.cc Rlogin.cc RSH.cc \
-	Rule.cc RuleAction.cc RuleCondition.cc RuleMatcher.cc \
-	ScriptAnaly.cc SmithWaterman.cc SMB.cc SMTP.cc \
-	SSH.cc SSL-binpac.cc Syslog-binpac.cc \
-	Scope.cc SerializationFormat.cc SerialObj.cc Serializer.cc \
-	Sessions.cc StateAccess.cc Stats.cc SteppingStone.cc Stmt.cc \
-	TCP.cc TCP_Endpoint.cc TCP_Reassembler.cc TCP_Rewriter.cc \
-	Telnet.cc Timer.cc Traverse.cc Trigger.cc TwoWise.cc Type.cc UDP.cc \
-	Val.cc Var.cc XDR.cc ZIP.cc \
-	bsd-getopt-long.c cq.c md5.c patricia.c setsignal.c version.c \
-	UDP_Rewriter.cc DNS_Rewriter.cc PacketDumper.cc Rewriter.cc \
-	strsep.c $(dns_srcs) $(malloc_srcs) $(openssl_srcs)
-
-noinst_HEADERS = Active.h Analyzer.h AnalyzerTags.h Anon.h ARP.h Attr.h \
-	BPF_Program.h BackDoor.h Base64.h BitTorrent.h BitTorrentTracker.h \
-	BroList.h BroString.h \
-	CCL.h ChunkedIO.h CompHash.h Conn.h ConnCompressor.h ContentLine.h \
-	Continuation.h DCE_RPC.h DFA.h \
-	DHCP-binpac.h DNS.h DNS-binpac.h DNS_Mgr.h \
-	DbgBreakpoint.h DbgDisplay.h DbgWatch.h Debug.h \
-	DebugCmds.h DebugLogger.h Desc.h Dict.h DPM.h \
-	Discard.h EquivClass.h Event.h EventHandler.h EventLauncher.h \
-	EventRegistry.h Expr.h FTP.h File.h FileAnalyzer.h \
-	Finger.h FlowSrc.h Frag.h Frame.h Func.h Gnutella.h \
-	H3.h HTTP.h HTTP-binpac.h Hash.h ICMP.h ID.h IP.h Ident.h \
-	IntSet.h InterConn.h IOSource.h IRC.h List.h Logger.h \
-	Login.h MIME.h NCP.h NFA.h NFS.h NTP.h NVT.h Net.h NetVar.h \
-	NetbiosSSN.h Obj.h OSFinger.h Op.h \
-	PacketFilter.h PacketSort.h PersistenceSerializer.h \
-	PktDagSrc.h PktSrc.h PIA.h \
-	PolicyFile.h POP3.h Portmap.h PrefixTable.h PriorityQueue.h \
-	Queue.h RE.h \
-	RPC.h Reassem.h RemoteSerializer.h Rlogin.h RSH.h Rule.h RuleAction.h \
-	RuleCondition.h RuleMatcher.h \
-	ScriptAnaly.h SmithWaterman.h SMB.h SMTP.h \
-	SSL-binpac.h SSH.h SSLCiphers.h SSLDefines.h \
-	SSLInterpreter.h SSLProxy.h SSLv2.h SSLv3.h SSLv3Automaton.h Scope.h \
-	SerialInfo.h SerialObj.h SerialTypes.h \
-	SerializationFormat.h Serializer.h Sessions.h StateAccess.h \
-	Stats.h SteppingStone.h Stmt.h StmtEnums.h Syslog-binpac.h \
-	TCP.h TCP_Endpoint.h TCP_Reassembler.h TCP_Rewriter.h Telnet.h Timer.h \
-	Traverse.h TraverseTypes.h Trigger.h TwoWise.h Type.h UDP.h \
-	Val.h Var.h X509.h XDR.h ZIP.h \
-	bif_arg.h bif_parse.h broparse.h bsd-getopt-long.h cq.h input.h md5.h \
-	nb_dns.h net_util.h patricia.h re-parse.h rule-parse.h \
-	UDP_Rewriter.h DNS_Rewriter.h PacketDumper.h Rewriter.h \
-	setsignal.h util.h
-
-bro_LDADD = $(LIBIDMEF_LIBS) @LIBS@ -lm $(LIBBINPAC_LIBS)
-
-# Files we generate locally that need to be removed with make distclean,
-# mostly to keep distcheck happy.
-# 
-DISTCLEANFILES = DebugCmdInfoConstants.cc DebugCmdConstants.h \
-	DebugCmdConstants.cc DebugCmdConstants.h \
-	$(BINPAC_CC) $(BINPAC_H) $(BIF_BRO) y.output bif_lex.cc \
-	bif_parse.h bif_parse.cc parse.y scan.cc parse.cc broparse.h \
-	re-parse.cc re-parse.h re-scan.cc rule-parse.cc rule-parse.h \
-	rule-scan.cc version.c
-
-# Files created in the src dir.
-MOSTLYCLEANFILES = $(BIF_FUNC_H) $(BIF_FUNC_DEF) $(BIF_FUNC_INIT) \
-		   $(BIF_NETVAR_H) $(BIF_NETVAR_DEF) $(BIF_NETVAR_INIT) \
-		   $(BRO_BIF) \
-		   $(BINPAC_H) $(BINPAC_CC) \
-		   $(DISTCLEANFILES)
-
-POLICYDEST=${datadir}/bro
-
-CCOPT = @V_CCOPT@ -W -Wall -Wno-unused
-INCLS = @V_INCLS@
-
-YFLAGS = -d -t -v
-
-# Should use AM_ vars, but automake 1.5 errors out.
-#AM_LDFLAGS = @LDFLAGS@ 
-LDFLAGS = @LDFLAGS@
-
-#AM_CFLAGS = -I. -I.. -I$(top_srcdir)/src -I$(srcdir) -I$(top_builddir)
-AM_CFLAGS = -I. -I$(top_srcdir)/aux/binpac/lib -I$(top_srcdir)/src -I$(srcdir) -I$(top_builddir)
-
-#AM_CPPFLAGS = $(AM_CFLAGS) $(LIBIDMEF_INCL) $(INCLS) $(CCOPT) -I/usr/include
-AM_CPPFLAGS = $(AM_CFLAGS) $(LIBIDMEF_INCL) $(INCLS) $(CCOPT)
-
-BIFCL = ./bifcl
-BIFS =	bro.bif event.bif const.bif \
-	common-rw.bif finger-rw.bif ident-rw.bif \
-	dns-rw.bif ftp-rw.bif smtp-rw.bif http-rw.bif strings.bif \
-	smb-rw.bif
-
-BIF_FUNC_H = $(BIFS:.bif=.bif.func_h)
-BIF_FUNC_DEF = $(BIFS:.bif=.bif.func_def)
-BIF_FUNC_INIT = $(BIFS:.bif=.bif.func_init)
-BIF_NETVAR_H = $(BIFS:.bif=.bif.netvar_h)
-BIF_NETVAR_DEF = $(BIFS:.bif=.bif.netvar_def)
-BIF_NETVAR_INIT = $(BIFS:.bif=.bif.netvar_init)
-
-BIF_BRO = $(BIFS:.bif=.bif.bro)
-
-
-BIFOBJ = bif_arg.o bif_lex.o bif_parse.o
-BIFCLEAN = bifcl $(BIFOBJ) $(BIF_FUNC_DEF) $(BIF_NETVAR_DEF) policy/*.bif.bro
-
-PRIV = priv
-
-opt:
-	@$(MAKE) $(MFLAGS) CCOPT="`echo $(CCOPT) | sed -e 's/-O2//;s/$$/ -O3/'`"
-
-debug: 
-	@$(MAKE) $(MFLAGS) CCOPT="`echo $(CCOPT) | sed -e 's/-O2/-O0/g;s/$$/ -g -Wall -DDEBUG/'`"
-
-profile:
-	@$(MAKE) $(MFLAGS) CCOPT="`echo $(CCOPT) | sed -e 's/$$/ -O0 -pg/'`" LDFLAGS="`echo $(LDFLAGS) | sed -e 's/$$/ -pg/'`"
-
-mpatrol:
-	@$(MAKE) $(MFLAGS) LIBS="`echo $(LIBS) | sed -e 's/$$/ -lmpatrol/'`"
-
-version.c: $(top_srcdir)/VERSION
-	@rm -f $@
-	sed -e 's/.*/char version[] = "&";/' $(top_srcdir)/VERSION > $@
-
-DebugCmdInfoConstants.cc DebugCmdInfoConstants.h: DebugCmdInfoConstants.in
-	perl $(srcdir)/make_dbg_constants.pl $(srcdir)/DebugCmdInfoConstants.in
-
-DebugCmdConstants.cc DebugCmdConstants.h: DebugCmdInfoConstants.in
-	perl $(srcdir)/make_dbg_constants.pl $(srcdir)/DebugCmdInfoConstants.in
-
-# Should these be moved to $(destdir)/policy?
-finger-rw.bif.func_h finger-rw.bif.func_def finger-rw.bif.func_init: finger-rw.bif $(BIFCL)
-	$(BIFCL) $(srcdir)/finger-rw.bif
-	@cp finger-rw.bif.bro ../policy/
-
-ftp-rw.bif.func_h ftp-rw.bif.func_def ftp-rw.bif.func_init: ftp-rw.bif $(BIFCL)
-	$(BIFCL) $(srcdir)/ftp-rw.bif
-	@cp ftp-rw.bif.bro ../policy/
-
-smb-rw.bif.func_h smb-rw.bif.func_def smb-rw.bif.func_init: smb-rw.bif $(BIFCL)
-	$(BIFCL) $(srcdir)/smb-rw.bif
-	@cp smb-rw.bif.bro ../policy/
-
-dns-rw.bif.func_h dns-rw.bif.func_def dns-rw.bif.func_init: dns-rw.bif $(BIFCL)
-	$(BIFCL) $(srcdir)/dns-rw.bif
-	@cp dns-rw.bif.bro ../policy/
-
-bro.bif.func_h bro.bif.func_def bro.bif.func_init: bro.bif $(BIFCL)
-	$(BIFCL) $(srcdir)/bro.bif
-	@cp bro.bif.bro ../policy/
-
-ident-rw.bif.func_h ident-rw.bif.func_def ident-rw.bif.func_init: ident-rw.bif $(BIFCL)
-	$(BIFCL) $(srcdir)/ident-rw.bif
-	@cp ident-rw.bif.bro ../policy/
-
-event.bif.func_h event.bif.netvar_h event.bif.netvar_def event.bif.netvar_init: event.bif $(BIFCL)
-	$(BIFCL) $(srcdir)/event.bif
-	@cp event.bif.bro ../policy/
-
-const.bif.func_h const.bif.netvar_h const.bif.netvar_def const.bif.netvar_init: const.bif $(BIFCL)
-	$(BIFCL) $(srcdir)/const.bif
-	@cp const.bif.bro ../policy/
-
-binpac-lib_pac.h binpac-lib_pac.cc: binpac-lib.pac $(BINPAC) $(BINPAC_AUXSRC) $(BINPAC_AUXHDR) $(LIBBINPAC)
-	$(BINPAC) $(BINPAC_FLAGS) $(srcdir)/binpac-lib.pac
-
-binpac_bro-lib_pac.h binpac_bro-lib_pac.cc: binpac_bro-lib.pac $(BINPAC) $(BINPAC_AUXSRC) $(BINPAC_AUXHDR)
-	$(BINPAC) $(BINPAC_FLAGS) $(srcdir)/binpac_bro-lib.pac
-
-bittorrent_pac.h bittorrent_pac.cc: bittorrent.pac $(BINPAC) $(BINPAC_AUXSRC) $(BINPAC_AUXHDR) bittorrent-protocol.pac bittorrent-analyzer.pac
-	$(BINPAC) $(BINPAC_FLAGS) $(srcdir)/bittorrent.pac
-
-dce_rpc_pac.h dce_rpc_pac.cc: dce_rpc.pac $(BINPAC) $(BINPAC_AUXSRC) $(BINPAC_AUXHDR) dce_rpc-protocol.pac dce_rpc-analyzer.pac
-	$(BINPAC) $(BINPAC_FLAGS) $(srcdir)/dce_rpc.pac
-
-dce_rpc_simple_pac.h dce_rpc_simple_pac.cc: dce_rpc_simple.pac $(BINPAC) $(BINPAC_AUXSRC) $(BINPAC_AUXHDR) dce_rpc-protocol.pac
-	$(BINPAC) $(BINPAC_FLAGS) $(srcdir)/dce_rpc_simple.pac
-
-dhcp_pac.h dhcp_pac.cc: dhcp.pac $(BINPAC) $(BINPAC_AUXSRC) $(BINPAC_AUXHDR) dhcp-protocol.pac dhcp-analyzer.pac
-	$(BINPAC) $(BINPAC_FLAGS) $(srcdir)/dhcp.pac
-
-dns_pac.h dns_pac.cc: dns.pac $(BINPAC) $(BINPAC_AUXSRC) $(BINPAC_AUXHDR) dns-protocol.pac dns-analyzer.pac
-	$(BINPAC) $(BINPAC_FLAGS) $(srcdir)/dns.pac
-
-dns_tcp_pac.h dns_tcp_pac.cc: dns_tcp.pac $(BINPAC) $(BINPAC_AUXSRC) $(BINPAC_AUXHDR)
-	$(BINPAC) $(BINPAC_FLAGS) $(srcdir)/dns_tcp.pac
-
-http_pac.h http_pac.cc: http.pac $(BINPAC) $(BINPAC_AUXSRC) $(BINPAC_AUXHDR) http-protocol.pac http-analyzer.pac
-	$(BINPAC) $(BINPAC_FLAGS) $(srcdir)/http.pac
-
-ncp_pac.h ncp_pac.cc: ncp.pac $(BINPAC) $(BINPAC_AUXSRC) $(BINPAC_AUXHDR)
-	$(BINPAC) $(BINPAC_FLAGS) $(srcdir)/ncp.pac
-
-netflow_pac.h netflow_pac.cc: netflow.pac netflow-protocol.pac netflow-analyzer.pac Event.h $(BINPAC) $(BINPAC_AUXSRC) $(BINPAC_AUXHDR)
-	$(BINPAC) $(BINPAC_FLAGS) $(srcdir)/netflow.pac
-
-rpc_pac.h rpc_pac.cc: rpc.pac $(BINPAC) $(BINPAC_AUXSRC) $(BINPAC_AUXHDR) $(BINPAC_RPC_AUXSRC)
-	$(BINPAC) $(BINPAC_FLAGS) $(srcdir)/rpc.pac
-
-smb_pac.h smb_pac.cc: smb.pac $(BINPAC) $(BINPAC_AUXSRC) $(BINPAC_AUXHDR) smb-protocol.pac smb-mailslot.pac smb-pipe.pac
-	$(BINPAC) $(BINPAC_FLAGS) $(srcdir)/smb.pac
-
-ssl_pac.h ssl_pac.cc: ssl.pac $(BINPAC) $(BINPAC_AUXSRC) $(BINPAC_AUXHDR) ssl-protocol.pac ssl-analyzer.pac
-	$(BINPAC) $(BINPAC_FLAGS) $(srcdir)/ssl.pac
-
-ssl-record-layer_pac.h ssl-record-layer_pac.cc: ssl-record-layer.pac $(BINPAC) $(BINPAC_AUXSRC) $(BINPAC_AUXHDR)
-	$(BINPAC) $(BINPAC_FLAGS) $(srcdir)/ssl-record-layer.pac
-
-syslog_pac.h syslog_pac.cc: syslog.pac $(BINPAC) $(BINPAC_AUXSRC) $(BINPAC_AUXHDR) syslog-protocol.pac syslog-analyzer.pac
-	$(BINPAC) $(BINPAC_FLAGS) $(srcdir)/syslog.pac
-
-
-patricia.o: patricia.c patricia.h
-	$(CC) $(CFLAGS) -c $(srcdir)/patricia.c
-
-smtp-rw.bif.func_h smtp-rw.bif.func_def smtp-rw.bif.func_init: smtp-rw.bif $(BIFCL)
-	$(BIFCL) $(srcdir)/smtp-rw.bif
-	@cp smtp-rw.bif.bro ../policy/
-
-http-rw.bif.func_h http-rw.bif.func_def http-rw.bif.func_init: http-rw.bif $(BIFCL)
-	$(BIFCL) $(srcdir)/http-rw.bif
-	@cp http-rw.bif.bro ../policy/
-
-common-rw.bif.func_h common-rw.bif.func_def common-rw.bif.func_init: common-rw.bif $(BIFCL)
-	$(BIFCL) $(srcdir)/common-rw.bif
-	@cp common-rw.bif.bro ../policy/
-
-strings.bif.func_h strings.bif.func_def strings.bif.func_init: strings.bif $(BIFCL)
-	$(BIFCL) $(srcdir)/strings.bif
-	@cp strings.bif.bro ../policy/
-
-broparse.h parse.cc: parse.y
-	$(LOCK_FILE) lock broparse || exit; \
-	test -e broparse.h && ( $(LOCK_FILE) unlock broparse; exit 0; ); \
-	$(YACC) $(YFLAGS) -o p.c parse.y; \
-	sed '/extern char.*getenv/d;s/yylex/brolex/' <p.c >parse.cc; \
-	mv p.h broparse.h; \
-	rm p.c; \
-	$(LOCK_FILE) unlock broparse
-
-parse.y: parse.in make_parser.pl
-	@rm -f parse.y
-	perl -w $(srcdir)/make_parser.pl $(srcdir) $(top_builddir)/src "$(YACC)"
-	chmod -w parse.y
-
-scan.cc: scan.l broparse.h
-	$(LEX) $(LFLAGS) -Pbro -oscan.cc $(srcdir)/scan.l
-
-bif_lex.cc: builtin-func.l bif_parse.h
-	$(LEX) -o$@ $(srcdir)/builtin-func.l
-
-re-parse.h re-parse.cc: re-parse.y
-	$(LOCK_FILE) lock reparse || exit; \
-	test -e re-parse.h && ( $(LOCK_FILE) unlock reparse; exit 0; ); \
-	$(YACC) $(YFLAGS) -o rep.c $(srcdir)/re-parse.y; \
-	sed '/extern char.*getenv/d;s/yylex/re_lex/;s/yy/RE_/g' <rep.c >re-parse.cc; \
-	mv rep.h re-parse.h; \
-	rm rep.c; \
-	$(LOCK_FILE) unlock reparse
-
-re-scan.cc: re-scan.l
-	$(LEX) $(LFLAGS) -Pre_ -ore-scan.cc $(srcdir)/re-scan.l
-
-rule-parse.h rule-parse.cc: rule-parse.y
-	$(LOCK_FILE) lock ruleparse || exit; \
-	test -e rule-parse.h && ( $(LOCK_FILE) unlock ruleparse; exit 0; ); \
-	$(YACC) $(YFLAGS) -o rup.c $(srcdir)/rule-parse.y; \
-	sed '/extern char.*getenv/d;s/yylex/rules_lex/;s/yy/rules_/g' <rup.c >rule-parse.cc; \
-	sed '/extern char.*getenv/d;s/yylex/rules_lex/;s/yy/rules_/g' <rup.h >rule-parse.h; \
-	rm rup.c rup.h; \
-	$(LOCK_FILE) unlock ruleparse
-
-rule-scan.cc: rule-scan.l
-	$(LEX) $(LFLAGS) -Prules_ -orule-scan.cc $(srcdir)/rule-scan.l
-
-bif_parse.h bif_parse.cc: builtin-func.y bif_arg.h bif_type.def
-	$(LOCK_FILE) lock bifparse || exit; \
-	test -e bif_parse.h && ( $(LOCK_FILE) unlock bifparse; exit 0; ); \
-	$(YACC) $(YFLAGS) -o bf.c $(top_srcdir)/src/builtin-func.y; \
-	mv bf.h bif_parse.h; \
-	mv bf.c bif_parse.cc; \
-	$(LOCK_FILE) unlock bifparse
-
-# Need this rule because of the POLICYDEST.
-util.o: util.cc util.h
-	$(CXX) $(AM_CPPFLAGS) -DPOLICYDEST=\"$(POLICYDEST)\" -c $(srcdir)/util.cc
-
-CHANGES: $(top_srcdir)/VERSION
-	@echo "You need to update CHANGES"
diff --git a/src/Net.cc b/src/Net.cc
index 73b02aa141..d9171d2ce1 100644
--- a/src/Net.cc
+++ b/src/Net.cc
@@ -5,11 +5,11 @@
 #include "config.h"
 
 #include <sys/types.h>
-#if TIME_WITH_SYS_TIME
+#ifdef TIME_WITH_SYS_TIME
 # include <sys/time.h>
 # include <time.h>
 #else
-# if HAVE_SYS_TIME_H
+# ifdef HAVE_SYS_TIME_H
 #  include <sys/time.h>
 # else
 #  include <time.h>
@@ -28,16 +28,11 @@
 #include "Var.h"
 #include "Logger.h"
 #include "Net.h"
-#include "TCP_Rewriter.h"
 #include "Anon.h"
 #include "PacketSort.h"
 #include "Serializer.h"
 #include "PacketDumper.h"
 
-#ifdef USE_DAG
-#include "PktDagSrc.h"
-#endif
-
 extern "C" {
 #include "setsignal.h"
 };
@@ -51,19 +46,11 @@ PList(PktSrc) pkt_srcs;
 // FIXME: We should really merge PktDumper and PacketDumper.
 // It's on my to-do [Robin].
 PktDumper* pkt_dumper = 0;
-PktDumper* pkt_transformed_dumper = 0;
-
-// For trace of rewritten packets
-PacketDumper* transformed_pkt_dump = 0;
-// For trace of original packets from selected connections
-PacketDumper* source_pkt_dump = 0;
-int transformed_pkt_dump_MTU = 1514;
 
 int reading_live = 0;
 int reading_traces = 0;
 int have_pending_timers = 0;
 double pseudo_realtime = 0.0;
-char* user_pcap_filter = 0;
 bool using_communication = false;
 
 double network_time = 0.0;	// time according to last packet timestamp
@@ -166,9 +153,8 @@ RETSIGTYPE watchdog(int /* signo */)
 
 void net_init(name_list& interfaces, name_list& readfiles, 
 	      name_list& netflows, name_list& flowfiles,
-	        const char* writefile, const char* transformed_writefile,
-	        const char* filter, const char* secondary_filter,
-		int do_watchdog)
+	        const char* writefile, const char* filter,
+			const char* secondary_filter, int do_watchdog)
 	{
 	init_net_var();
 
@@ -243,12 +229,7 @@ void net_init(name_list& interfaces, name_list& readfiles,
 		for ( int i = 0; i < interfaces.length(); ++i )
 			{
 			PktSrc* ps;
-#ifdef USE_DAG
-			if ( strncmp(interfaces[i], "dag", 3) == 0 )
-				ps = new PktDagSrc(interfaces[i], filter);
-			else
-#endif
-				ps = new PktInterfaceSrc(interfaces[i], filter);
+			ps = new PktInterfaceSrc(interfaces[i], filter);
 
 			if ( ! ps->IsOpen() )
 				{
@@ -265,14 +246,8 @@ void net_init(name_list& interfaces, name_list& readfiles,
 			if ( secondary_filter )
 				{
 				PktSrc* ps;
-#ifdef USE_DAG
-				if ( strncmp(interfaces[i], "dag", 3) == 0 )
-					ps = new PktDagSrc(interfaces[i],
-						filter, TYPE_FILTER_SECONDARY);
-				else
-#endif
-					ps = new PktInterfaceSrc(interfaces[i],
-						filter, TYPE_FILTER_SECONDARY);
+				ps = new PktInterfaceSrc(interfaces[i],
+					filter, TYPE_FILTER_SECONDARY);
 
 				if ( ! ps->IsOpen() )
 					{
@@ -335,37 +310,7 @@ void net_init(name_list& interfaces, name_list& readfiles,
 			id->SetVal(new StringVal(writefile));
 		}
 
-	if ( transformed_writefile )
-		{
-		pkt_transformed_dumper = new PktDumper(transformed_writefile);
-		if ( pkt_transformed_dumper->IsError() )
-			{
-			fprintf(stderr, "%s: can't open trace transformation write file \"%s\" - %s\n",
-				prog, writefile,
-				pkt_transformed_dumper->ErrorMsg());
-			exit(1);
-			}
-
-		transformed_pkt_dump =
-			new PacketDumper(pkt_transformed_dumper->PcapDumper());
-
-		// If both -A and -w are specified, -A will be the transformed
-		// trace file and -w will be the source packet trace file.
-		// Otherwise the packets will go to the same file.
-		if ( pkt_dumper )
-			source_pkt_dump =
-				new PacketDumper(pkt_dumper->PcapDumper());
-		}
-
-	else if ( pkt_dumper )
-		transformed_pkt_dump =
-			new PacketDumper(pkt_dumper->PcapDumper());
-
-	if ( anonymize_ip_addr )
-		init_ip_addr_anonymizers();
-	else
-		for ( int i = 0; i < NUM_ADDR_ANONYMIZATION_METHODS; ++i )
-			ip_anonymizer[i] = 0;
+	init_ip_addr_anonymizers();
 
 	if ( packet_sort_window > 0 )
 		packet_sorter = new PacketSortGlobalPQ();
@@ -421,7 +366,7 @@ void net_packet_dispatch(double t, const struct pcap_pkthdr* hdr,
 		if ( load_freq == 0 )
 			load_freq = uint32(0xffffffff) / uint32(load_sample_freq);
 
-		if ( uint32(random() & 0xffffffff) < load_freq )
+		if ( uint32(bro_random() & 0xffffffff) < load_freq )
 			{
 			// Drain the queued timer events so they're not
 			// charged against this sample.
@@ -642,7 +587,6 @@ void net_finish(int drain_events)
 		}
 
 	delete pkt_dumper;
-	delete pkt_transformed_dumper;
 
 	// fprintf(stderr, "uhash: %d/%d\n", hash_cnt_uhash, hash_cnt_all);
 
@@ -663,11 +607,6 @@ void net_delete()
 	delete sessions;
 	delete packet_sorter;
 
-	// Can't put this in net_finish() because packets might be
-	// dumped when connections are deleted.
-	if ( transformed_pkt_dump )
-		delete transformed_pkt_dump;
-
 	for ( int i = 0; i < NUM_ADDR_ANONYMIZATION_METHODS; ++i )
 		delete ip_anonymizer[i];
 	}
diff --git a/src/Net.h b/src/Net.h
index 87c0ce2499..16d36791d2 100644
--- a/src/Net.h
+++ b/src/Net.h
@@ -15,9 +15,8 @@
 
 extern void net_init(name_list& interfaces, name_list& readfiles,
 		name_list& netflows, name_list& flowfiles,
-		const char* writefile, const char* transformed_writefile,
-		const char* filter, const char* secondary_filter,
-		int do_watchdog);
+		const char* writefile, const char* filter,
+		const char* secondary_filter, int do_watchdog);
 extern void net_run();
 extern void net_get_final_stats();
 extern void net_finish(int drain_events);
@@ -59,9 +58,6 @@ extern int have_pending_timers;
 // is the speedup (1 = real-time, 0.5 = half real-time, etc.).
 extern double pseudo_realtime;
 
-// Pcap filter supplied by the user on the command line (if any).
-extern char* user_pcap_filter;
-
 // When we started processing the current packet and corresponding event
 // queue.
 extern double processing_start_time;
@@ -91,7 +87,6 @@ declare(PList,PktSrc);
 extern PList(PktSrc) pkt_srcs;
 
 extern PktDumper* pkt_dumper;	// where to save packets
-extern PktDumper* pkt_transformed_dumper;
 
 extern char* writefile;
 
diff --git a/src/NetVar.cc b/src/NetVar.cc
index 2c817fdc17..506aad59d9 100644
--- a/src/NetVar.cc
+++ b/src/NetVar.cc
@@ -126,6 +126,8 @@ TableType* smb_negotiate;
 
 RecordType* geo_location;
 
+RecordType* entropy_test_result;
+
 TableType* dhcp_router_list;
 RecordType* dhcp_msg;
 
@@ -258,8 +260,12 @@ int record_all_packets;
 RecordType* script_id;
 TableType* id_table;
 
+StringVal* cmd_line_bpf_filter;
+
 #include "const.bif.netvar_def"
+#include "types.bif.netvar_def"
 #include "event.bif.netvar_def"
+#include "logging.bif.netvar_def"
 
 void init_event_handlers()
 	{
@@ -295,7 +301,7 @@ void init_general_global_var()
 	ssl_passphrase = internal_val("ssl_passphrase")->AsStringVal();
 
 	packet_filter_default = opt_internal_int("packet_filter_default");
-	
+
 	sig_max_group_size = opt_internal_int("sig_max_group_size");
 	enable_syslog = opt_internal_int("enable_syslog");
 
@@ -309,11 +315,16 @@ void init_general_global_var()
 	trace_output_file = internal_val("trace_output_file")->AsStringVal();
 
 	record_all_packets = opt_internal_int("record_all_packets");
+
+	cmd_line_bpf_filter =
+		internal_val("cmd_line_bpf_filter")->AsStringVal();
 	}
 
 void init_net_var()
 	{
 #include "const.bif.netvar_init"
+#include "types.bif.netvar_init"
+#include "logging.bif.netvar_init"
 
 	conn_id = internal_type("conn_id")->AsRecordType();
 	endpoint = internal_type("endpoint")->AsRecordType();
@@ -460,6 +471,8 @@ void init_net_var()
 
 	geo_location = internal_type("geo_location")->AsRecordType();
 
+	entropy_test_result = internal_type("entropy_test_result")->AsRecordType();
+
 	dhcp_router_list = internal_type("dhcp_router_list")->AsTableType();
 	dhcp_msg = internal_type("dhcp_msg")->AsRecordType();
 
diff --git a/src/NetVar.h b/src/NetVar.h
index 904bccdb77..a178ab6874 100644
--- a/src/NetVar.h
+++ b/src/NetVar.h
@@ -133,6 +133,8 @@ extern TableType* smb_negotiate;
 
 extern RecordType* geo_location;
 
+extern RecordType* entropy_test_result;
+
 extern TableType* dhcp_router_list;
 extern RecordType* dhcp_msg;
 
@@ -262,6 +264,8 @@ extern int record_all_packets;
 extern RecordType* script_id;
 extern TableType* id_table;
 
+extern StringVal* cmd_line_bpf_filter;
+
 // Initializes globals that don't pertain to network/event analysis.
 extern void init_general_global_var();
 
@@ -269,6 +273,8 @@ extern void init_event_handlers();
 extern void init_net_var();
 
 #include "const.bif.netvar_h"
+#include "types.bif.netvar_h"
 #include "event.bif.netvar_h"
+#include "logging.bif.netvar_h"
 
 #endif
diff --git a/src/OSFinger.cc b/src/OSFinger.cc
index 8d3d2057bf..f7b4903700 100644
--- a/src/OSFinger.cc
+++ b/src/OSFinger.cc
@@ -295,7 +295,7 @@ void OSFingerprint::load_config(const char* file)
   uint32 ln=0;
   char buf[MAXLINE];
   char* p;
-  FILE* c = search_for_file( file, "osf", 0);
+  FILE* c = search_for_file( file, "osf", 0, false);
 
   if (!c)
     {
diff --git a/src/POP3.cc b/src/POP3.cc
index 4f1f2a5ea7..5d38b4c3d1 100644
--- a/src/POP3.cc
+++ b/src/POP3.cc
@@ -576,9 +576,11 @@ void POP3_Analyzer::ProcessReply(int length, const char* line)
 	if ( multiLine == true )
 		{
 		bool terminator =
-			length > 1 && line[0] == '.' &&
-			(line[1] == '\n' ||
-			 (length > 2 && line[1] == '\r' && line[2] == '\n'));
+			line[0] == '.' &&
+			(length == 1 ||
+			 (length > 1 &&
+			  (line[1] == '\n' ||
+			  (length > 2 && line[1] == '\r' && line[2] == '\n'))));
 
 		if ( terminator )
 			{
diff --git a/src/PacketDumper.h b/src/PacketDumper.h
index bc22dda41e..b0d5943b36 100644
--- a/src/PacketDumper.h
+++ b/src/PacketDumper.h
@@ -41,8 +41,4 @@ struct ltipid {
 typedef set<IP_ID, ltipid> IP_IDSet;
 uint16 NextIP_ID(const uint32 src_addr, const uint16 id);
 
-extern PacketDumper* transformed_pkt_dump;
-extern PacketDumper* source_pkt_dump;
-extern int transformed_pkt_dump_MTU;
-
 #endif
diff --git a/src/PacketFilter.cc b/src/PacketFilter.cc
index 7ff97fac46..fa88350713 100644
--- a/src/PacketFilter.cc
+++ b/src/PacketFilter.cc
@@ -102,5 +102,5 @@ bool PacketFilter::MatchFilter(const Filter& f, const IP_Hdr& ip,
 			return false;
 		}
 
-	return uint32(random()) < f.probability;
+	return uint32(bro_random()) < f.probability;
 	}
diff --git a/src/PersistenceSerializer.cc b/src/PersistenceSerializer.cc
index f31fdb4d88..96e1686e74 100644
--- a/src/PersistenceSerializer.cc
+++ b/src/PersistenceSerializer.cc
@@ -348,9 +348,6 @@ bool PersistenceSerializer::RunSerialization(SerialStatus* status)
 			status->conn_cookie = status->conns->InitForIteration();
 			status->conns->MakeRobustCookie(status->conn_cookie);
 			}
-
-		if ( status->info.may_suspend )
-			bro_logger->Log("Starting incremental serialization...");
 		}
 
 	else if ( cont->ChildSuspended() )
@@ -480,9 +477,6 @@ bool PersistenceSerializer::RunSerialization(SerialStatus* status)
 			}
 		}
 
-	if ( status->info.may_suspend )
-		bro_logger->Log("Finished incremental serialization.");
-
 	delete status;
 	return ret;
 	}
diff --git a/src/PktDagSrc.cc b/src/PktDagSrc.cc
deleted file mode 100644
index 1a5c6573de..0000000000
--- a/src/PktDagSrc.cc
+++ /dev/null
@@ -1,294 +0,0 @@
-// $Id: PktDagSrc.cc 6909 2009-09-10 19:42:19Z vern $
-//
-// See the file "COPYING" in the main distribution directory for copyright.
-
-#include "config.h"
-
-#ifdef USE_DAG
-
-extern "C" {
-#include <dagapi.h>
-#include <pcap.h>
-}
-#include <errno.h>
-
-#include <set>
-#include <string>
-
-#include "PktDagSrc.h"
-
-// Length of ERF Header before Ethernet header.
-#define DAG_ETH_ERFLEN 18
-
-static set<string> used_interfaces;
-
-PktDagSrc::PktDagSrc(const char* arg_interface, const char* filter,
-			PktSrc_Filter_Type ft)
-: PktSrc()
-	{
-	interface = copy_string(fmt("/dev/%s", arg_interface));
-	fd = -1;
-	closed = true;
-
-	if ( used_interfaces.find(interface) != used_interfaces.end() )
-		{
-		Error("DAG interface already in use, can't be used multiple times");
-		return;
-		}
-
-
-	// We only support Ethernet.
-	hdr_size = 14;
-	datalink = DLT_EN10MB;
-	filter_type = ft;
-	netmask = 0xffffff00;	// XXX does this make sense?
-
-	current_filter = 0;
-
-	// We open a dummy pcap file to get access to pcap data structures.
-	// Ideally, Bro's PktSrc would be less dependent on pcap ...
-
-	pd = pcap_open_dead(datalink, snaplen);
-	if ( ! pd )
-		{
-		// Note: errno not trustworthy, for example it's sometimes
-		// set by malloc inside pcap_open_dead().
-		Error("pcap_open_dead");
-		return;
-		}
-
-	fd = dag_open(interface);
-
-	// XXX Currently, the DAG fd is not selectable :-(.
-	selectable_fd = -1;
-
-	if ( fd < 0 )
-		{
-		Error("dag_open");
-		return;
-		}
-
-	int dag_recordtype = dag_linktype(fd);
-	if ( dag_recordtype < TYPE_MIN || dag_recordtype > TYPE_MAX )
-		{
-		Error("dag_linktype");
-		return;
-		}
-
-	if ( dag_recordtype != TYPE_ETH )
-		{
-		sprintf(errbuf, "unsupported DAG link type 0x%x", dag_recordtype);
-		return;
-		}
-
-	// long= is needed to prevent the DAG card from truncating jumbo frames.
-	char* dag_configure_string =
-		copy_string(fmt("slen=%d varlen long=%d",
-				snaplen, snaplen > 1500 ? snaplen : 1500));
-
-	fprintf(stderr, "Configuring %s with options \"%s\"...\n",
-		interface, dag_configure_string);
-
-	if ( dag_configure(fd, dag_configure_string) < 0 )
-		{
-		Error("dag_configure");
-		delete [] dag_configure_string;
-		return;
-		}
-
-	delete [] dag_configure_string;
-
-	if ( dag_attach_stream(fd, stream_num, 0, EXTRA_WINDOW_SIZE) < 0 )
-		{
-		Error("dag_attach_stream");
-		return;
-		}
-
-	if ( dag_start_stream(fd, stream_num) < 0 )
-		{
-		Error("dag_start_stream");
-		return;
-		}
-
-	struct timeval maxwait, poll;
-	maxwait.tv_sec = 0;	// arbitrary due to mindata == 0
-	maxwait.tv_usec = 0;
-	poll.tv_sec = 0;	// don't wait until more data arrives.
-	poll.tv_usec = 0;
-
-	// mindata == 0 for non-blocking.
-	if ( dag_set_stream_poll(fd, stream_num, 0, &maxwait, &poll) < 0 )
-		{
-		Error("dag_set_stream_poll");
-		return;
-		}
-
-	closed = false;
-
-	if ( PrecompileFilter(0, filter) && SetFilter(0) )
-		fprintf(stderr, "listening on DAG card on %s\n", interface);
-
-	stats.link = stats.received = stats.dropped = 0;
-	}
-
-PktDagSrc::~PktDagSrc()
-	{
-	}
-
-
-void PktDagSrc::Close()
-	{
-	if ( fd >= 0 )
-		{
-		PktSrc::Close();
-		dag_stop_stream(fd, stream_num);
-		dag_detach_stream(fd, stream_num);
-		dag_close(fd);
-		fd = -1;
-		}
-
-	closed = true;
-	used_interfaces.erase(interface);
-	}
-
-int PktDagSrc::ExtractNextPacket()
-	{
-	unsigned link_count = 0;	// # packets on link for this call
-
-	// As we can't use select() on the fd, we always have to pretend
-	// we're busy (in fact this is probably even true; otherwise
-	// we shouldn't be using such expensive monitoring hardware!).
-	idle = false;
-
-	struct bpf_insn* fcode = current_filter->bf_insns;
-	if ( ! fcode )
-		{
-		run_time("filter code not valid when extracting DAG packet");
-		return 0;
-		}
-
-	dag_record_t* r = 0;
-
-	do
-		{
-		r = (dag_record_t*) dag_rx_stream_next_record(fd, 0);
-
-		if ( ! r )
-			{
-			data = last_data = 0;	// make dataptr invalid
-
-			if ( errno != EAGAIN )
-				{
-				run_time(fmt("dag_rx_stream_next_record: %s",
-						strerror(errno)));
-				Close();
-				return 0;
-				}
-
-			else
-				{ // gone dry
-				idle = true;
-				return 0;
-				}
-			}
-
-		// Return after 20 unwanted packets on the link.
-		if ( ++link_count > 20 )
-			{
-			data = last_data = 0;
-			return 0;
-			}
-
-		hdr.len = ntohs(r->wlen);
-		hdr.caplen = ntohs(r->rlen) - DAG_ETH_ERFLEN;
-
-		// Locate start of the Ethernet header.
-		data = last_data = (const u_char*) r->rec.eth.dst;
-
-		++stats.link;
-		// lctr_sum += ntohs(r->lctr);
-		stats.dropped += ntohs(r->lctr);
-		}
-	while ( ! bpf_filter(fcode, (u_char*) data, hdr.len, hdr.caplen) );
-
-	++stats.received;
-
-	// Timestamp conversion taken from DAG programming manual.
-	unsigned long long lts = r->ts;
-	hdr.ts.tv_sec = lts >> 32;
-	lts = ((lts & 0xffffffffULL) * 1000 * 1000);
-	lts += (lts & 0x80000000ULL) << 1;
-	hdr.ts.tv_usec = lts >> 32;
-	if ( hdr.ts.tv_usec >= 1000000 )
-		{
-		hdr.ts.tv_usec -= 1000000;
-		hdr.ts.tv_sec += 1;
-		}
-
-	next_timestamp = hdr.ts.tv_sec + double(hdr.ts.tv_usec) / 1e6;
-
-	return 1;
-	}
-
-void PktDagSrc::GetFds(int* read, int* write, int* except)
-	{
-	// We don't have a selectable fd, but we take the opportunity to
-	// reset our idle flag if we have data now.
-	if ( ! data )
-		ExtractNextPacket();
-	}
-
-void PktDagSrc::Statistics(Stats* s)
-	{
-	s->received = stats.received;
-	s->dropped = stats.dropped;
-	s->link = stats.link + stats.dropped;
-	}
-
-int PktDagSrc::SetFilter(int index)
-	{
-	// We don't want load-level filters for the secondary path.
-	if ( filter_type == TYPE_FILTER_SECONDARY && index > 0 )
-		return 1;
-
-	HashKey* hash = new HashKey(HashKey(bro_int_t(index)));
-	BPF_Program* code = filters.Lookup(hash);
-	delete hash;
-
-	if ( ! code )
-		{
-		sprintf(errbuf, "No precompiled pcap filter for index %d",
-				index);
-		return 0;
-		}
-
-	current_filter = code->GetProgram();
-
-	// Reset counters.
-	stats.received = stats.dropped = stats.link = 0;
-
-	return 1;
-	}
-
-int PktDagSrc::SetNewFilter(const char* filter)
-	{
-	bpf_program* code = 0;
-
-	if ( pcap_compile(pd, code, (char*) filter, 1, netmask) < 0 )
-		{
-		snprintf(errbuf, sizeof(errbuf), "pcap_compile(%s): %s",
-				filter, pcap_geterr(pd));
-		errbuf[sizeof(errbuf) - 1] = '\0';
-		return 0;
-		}
-
-	current_filter = code;
-	return 1;
-	}
-
-void PktDagSrc::Error(const char *s)
-	{
-	snprintf(errbuf, PCAP_ERRBUF_SIZE, "%s: %s", s, strerror(errno));
-	Close();
-	}
-#endif
diff --git a/src/PktDagSrc.h b/src/PktDagSrc.h
deleted file mode 100644
index c7ea49e106..0000000000
--- a/src/PktDagSrc.h
+++ /dev/null
@@ -1,54 +0,0 @@
-// $Id: PktDagSrc.h 6219 2008-10-01 05:39:07Z vern $
-//
-// See the file "COPYING" in the main distribution directory for copyright.
-//
-// Support for Endace's DAG interface card.
-//
-// Caveats:
-//    - No support for hardware-side filtering yet.
-//    - No support for secondary filter path yet.
-//    - No support for other media than Ethernet.
-//    - Mutex should be per interface
-//    - No support for multiple rx streams
-
-#ifndef PKTDAGSRC_H
-#define PKTDAGSRC_H
-
-#ifdef USE_DAG
-
-extern int snaplen;
-
-#include "PktSrc.h"
-
-class PktDagSrc : public PktSrc {
-public:
-	PktDagSrc(const char* interface, const char* filter,
-			PktSrc_Filter_Type ft = TYPE_FILTER_NORMAL);
-	virtual ~PktDagSrc();
-
-	// PktSrc interface:
-	virtual void Statistics(Stats* stats);
-	virtual int SetFilter(int index);
-	virtual int SetNewFilter(const char* filter);
-
-protected:
-	virtual int ExtractNextPacket();
-	virtual void GetFds(int* read, int* write, int* except);
-	virtual void Close();
-
-	void Error(const char* str);
-
-	static const unsigned int EXTRA_WINDOW_SIZE = 4 * 1024 * 1024;
-	static const int stream_num = 0;	// use receive stream 0
-
-	// Unfortunaly the DAG API has some problems with locking streams,
-	// so we do our own checks to ensure we don't use more than one
-	// stream.   In particular, the secondary filter won't work.
-	static int mutex;
-
-	int fd;
-	bpf_program* current_filter;
-};
-#endif
-
-#endif
diff --git a/src/PktSrc.cc b/src/PktSrc.cc
index bd92982722..d1f5eafba3 100644
--- a/src/PktSrc.cc
+++ b/src/PktSrc.cc
@@ -65,10 +65,8 @@ void PktSrc::GetFds(int* read, int* write, int* except)
 		return;
 		}
 
-#ifdef USE_SELECT_LOOP
 	if ( selectable_fd >= 0 )
 		*read = selectable_fd;
-#endif
 	}
 
 int PktSrc::ExtractNextPacket()
@@ -90,11 +88,7 @@ int PktSrc::ExtractNextPacket()
 	if ( ! first_timestamp )
 		first_timestamp = next_timestamp;
 
-#ifdef USE_SELECT_LOOP
 	idle = (data == 0);
-#else
-	idle = false;
-#endif
 
 	if ( data )
 		++stats.received;
@@ -187,16 +181,98 @@ void PktSrc::Process()
 
 	current_timestamp = next_timestamp;
 
+	int pkt_hdr_size = hdr_size;
+
+	// Unfortunately some packets on the link might have MPLS labels
+	// while others don't. That means we need to ask the link-layer if
+	// labels are in place.
+	bool have_mpls = false;
+
+	int protocol = 0;
+
+	switch ( datalink ) {
+	case DLT_NULL:
+		{
+		protocol = (data[3] << 24) + (data[2] << 16) + (data[1] << 8) + data[0];
+
+		if ( protocol != AF_INET && protocol != AF_INET6 )
+			{
+			sessions->Weird("non_ip_packet_in_null_transport", &hdr, data);
+			data = 0;
+			return;
+			}
+
+		break;
+		}
+
+	case DLT_EN10MB:
+		{
+		// Get protocol being carried from the ethernet frame.
+		protocol = (data[12] << 8) + data[13];
+
+		// MPLS carried over the ethernet frame.
+		if ( protocol == 0x8847 )
+			have_mpls = true;
+
+		// VLAN carried over ethernet frame.
+		else if ( protocol == 0x8100 )
+			{
+			data += get_link_header_size(datalink);
+			data += 4; // Skip the vlan header
+			pkt_hdr_size = 0;
+			}
+
+		break;
+		}
+
+	case DLT_PPP_SERIAL:
+		{
+		// Get PPP protocol.
+		protocol = (data[2] << 8) + data[3];
+
+		if ( protocol == 0x0281 )
+			// MPLS Unicast
+			have_mpls = true;
+
+		else if ( protocol != 0x0021 && protocol != 0x0057 )
+			{
+			// Neither IPv4 nor IPv6.
+			sessions->Weird("non_ip_packet_in_ppp_encapsulation", &hdr, data);
+			data = 0;
+			return;
+			}
+		break;
+		}
+	}
+
+	if ( have_mpls )
+		{
+		// Remove the data link layer
+		data += get_link_header_size(datalink);
+
+		// Denote a header size of zero before the IP header
+		pkt_hdr_size = 0;
+
+		// Skip the MPLS label stack.
+		bool end_of_stack = false;
+
+		while ( ! end_of_stack )
+			{
+			end_of_stack = *(data + 2) & 0x01;
+			data += 4;
+			}
+		}
+
 	if ( pseudo_realtime )
 		{
 		current_pseudo = CheckPseudoTime();
-		net_packet_arrival(current_pseudo, &hdr, data, hdr_size, this);
+		net_packet_arrival(current_pseudo, &hdr, data, pkt_hdr_size, this);
 		if ( ! first_wallclock )
 			first_wallclock = current_time(true);
 		}
 
 	else
-		net_packet_arrival(current_timestamp, &hdr, data, hdr_size, this);
+		net_packet_arrival(current_timestamp, &hdr, data, pkt_hdr_size, this);
 
 	data = 0;
 	}
@@ -370,16 +446,12 @@ PktInterfaceSrc::PktInterfaceSrc(const char* arg_interface, const char* filter,
 		netmask = 0xffffff00;
 		}
 
-#ifdef USE_SELECT_LOOP
 	// We use the smallest time-out possible to return almost immediately if
 	// no packets are available. (We can't use set_nonblocking() as it's
 	// broken on FreeBSD: even when select() indicates that we can read
 	// something, we may get nothing if the store buffer hasn't filled up
 	// yet.)
 	pd = pcap_open_live(interface, snaplen, 1, 1, tmp_errbuf);
-#else
-	pd = pcap_open_live(interface, snaplen, 1, PCAP_TIMEOUT, tmp_errbuf);
-#endif
 
 	if ( ! pd )
 		{
@@ -394,8 +466,6 @@ PktInterfaceSrc::PktInterfaceSrc(const char* arg_interface, const char* filter,
 	fprintf(stderr, "pcap bufsize = %d\n", ((struct pcap *) pd)->bufsize);
 #endif
 
-#ifdef USE_SELECT_LOOP
-
 #ifdef HAVE_LINUX
 	if ( pcap_setnonblock(pd, 1, tmp_errbuf) < 0 )
 		{
@@ -407,11 +477,15 @@ PktInterfaceSrc::PktInterfaceSrc(const char* arg_interface, const char* filter,
 		}
 #endif
 	selectable_fd = pcap_fileno(pd);
-#endif
 
 	if ( PrecompileFilter(0, filter) && SetFilter(0) )
 		{
 		SetHdrSize();
+
+		if ( closed )
+			// Couldn't get header size.
+			return;
+
 		fprintf(stderr, "listening on %s\n", interface);
 		}
 	else
@@ -437,7 +511,6 @@ PktFileSrc::PktFileSrc(const char* arg_readfile, const char* filter,
 			// Unknown link layer type.
 			return;
 
-#ifdef USE_SELECT_LOOP
 		// We don't put file sources into non-blocking mode as
 		// otherwise we would not be able to identify the EOF
 		// via next_packet().
@@ -446,7 +519,6 @@ PktFileSrc::PktFileSrc(const char* arg_readfile, const char* filter,
 
 		if ( selectable_fd < 0 )
 			internal_error("OS does not support selectable pcap fd");
-#endif
 		}
 	else
 		closed = true;
@@ -662,6 +734,9 @@ int get_link_header_size(int dl)
 		return 16;
 #endif
 
+	case DLT_PPP_SERIAL:	// PPP_SERIAL
+		return 4;
+
 	case DLT_RAW:
 		return 0;
 	}
diff --git a/src/Portmap.cc b/src/Portmap.cc
index af9383297f..bcf52daf4e 100644
--- a/src/Portmap.cc
+++ b/src/Portmap.cc
@@ -288,7 +288,7 @@ void PortmapperInterp::Event(EventHandlerPtr f, Val* request, int status, Val* r
 		}
 	else
 		{
-		vl->append(new EnumVal(status, enum_rpc_status));
+		vl->append(new EnumVal(status, BifType::Enum::rpc_status));
 		if ( request )
 			vl->append(request);
 		}
diff --git a/src/PrefixTable.cc b/src/PrefixTable.cc
index e654b8440e..b3313c82e5 100644
--- a/src/PrefixTable.cc
+++ b/src/PrefixTable.cc
@@ -99,8 +99,8 @@ void* PrefixTable::Lookup(const Val* value, bool exact) const
 		break;
 
 	default:
-		internal_error(fmt("Wrong index type %d for PrefixTable",
-					value->Type()->Tag()));
+		internal_error("Wrong index type %d for PrefixTable",
+		               value->Type()->Tag());
 		return 0;
 	}
 	}
diff --git a/src/RE.cc b/src/RE.cc
index 19cc5737aa..73584c14d1 100644
--- a/src/RE.cc
+++ b/src/RE.cc
@@ -211,8 +211,8 @@ int Specific_RE_Matcher::MatchAll(const u_char* bv, int n)
 		// matched is empty.
 		return n == 0;
 
-	DFA_State_Handle* d = dfa->StartState();
-	d = (*d)->Xtion(ecs[SYM_BOL], dfa);
+	DFA_State* d = dfa->StartState();
+	d = d->Xtion(ecs[SYM_BOL], dfa);
 
 	while ( d )
 		{
@@ -220,13 +220,13 @@ int Specific_RE_Matcher::MatchAll(const u_char* bv, int n)
 			break;
 
 		int ec = ecs[*(bv++)];
-		d = (*d)->Xtion(ec, dfa);
+		d = d->Xtion(ec, dfa);
 		}
 
 	if ( d )
-		d = (*d)->Xtion(ecs[SYM_EOL], dfa);
+		d = d->Xtion(ecs[SYM_EOL], dfa);
 
-	return d && (*d)->Accept() != 0;
+	return d && d->Accept() != 0;
 	}
 
 
@@ -236,26 +236,26 @@ int Specific_RE_Matcher::Match(const u_char* bv, int n)
 		// An empty pattern matches anything.
 		return 1;
 
-	DFA_State_Handle* d = dfa->StartState();
+	DFA_State* d = dfa->StartState();
 
-	d = (*d)->Xtion(ecs[SYM_BOL], dfa);
+	d = d->Xtion(ecs[SYM_BOL], dfa);
 	if ( ! d ) return 0;
 
 	for ( int i = 0; i < n; ++i )
 		{
 		int ec = ecs[bv[i]];
-		d = (*d)->Xtion(ec, dfa);
+		d = d->Xtion(ec, dfa);
 		if ( ! d )
 			break;
 
-		if ( (*d)->Accept() )
+		if ( d->Accept() )
 			return i + 1;
 		}
 
 	if ( d )
 		{
-		d = (*d)->Xtion(ecs[SYM_EOL], dfa);
-		if ( d && (*d)->Accept() )
+		d = d->Xtion(ecs[SYM_EOL], dfa);
+		if ( d && d->Accept() )
 			return n > 0 ? n : 1;	// we can't return 0 here for match...
 		}
 
@@ -268,12 +268,6 @@ void Specific_RE_Matcher::Dump(FILE* f)
 	dfa->Dump(f);
 	}
 
-RE_Match_State::~RE_Match_State()
-	{
-	if ( current_state )
-		StateUnref(current_state);
-	}
-
 bool RE_Match_State::Match(const u_char* bv, int n,
 				bool bol, bool eol, bool clear)
 	{
@@ -289,9 +283,8 @@ bool RE_Match_State::Match(const u_char* bv, int n,
 		// Initialize state and copy the accepting states of the start
 		// state into the acceptance set.
 		current_state = dfa->StartState();
-		StateRef(current_state);
 
-		const AcceptingSet* ac = (*current_state)->Accept();
+		const AcceptingSet* ac = current_state->Accept();
 		if ( ac )
 			{
 			loop_over_list(*ac, i)
@@ -303,20 +296,11 @@ bool RE_Match_State::Match(const u_char* bv, int n,
 		}
 
 	else if ( clear )
-		{
-		if ( current_state )
-			StateUnref(current_state);
-
 		current_state = dfa->StartState();
-		StateRef(current_state);
-		}
 
 	if ( ! current_state )
 		return false;
 
-	else
-		(*current_state)->Unlock();
-
 	current_pos = 0;
 
 	int old_matches = accepted.length();
@@ -334,7 +318,7 @@ bool RE_Match_State::Match(const u_char* bv, int n,
 		else
 			ec = ecs[*(bv++)];
 
-		DFA_State_Handle* next_state = (*current_state)->Xtion(ec,dfa);
+		DFA_State* next_state = current_state->Xtion(ec,dfa);
 
 		if ( ! next_state )
 			{
@@ -342,9 +326,9 @@ bool RE_Match_State::Match(const u_char* bv, int n,
 			break;
 			}
 
-		if ( (*next_state)->Accept() )
+		if ( next_state->Accept() )
 			{
-			const AcceptingSet* ac = (*next_state)->Accept();
+			const AcceptingSet* ac = next_state->Accept();
 			loop_over_list(*ac, i)
 				{
 				if ( ! accepted.is_member((*ac)[i]) )
@@ -357,15 +341,9 @@ bool RE_Match_State::Match(const u_char* bv, int n,
 
 		++current_pos;
 
-		StateRef(next_state);
-		StateUnref(current_state);
 		current_state = next_state;
 		}
 
-	// Make sure our state doesn't expire until we return.
-	if ( current_state )
-		(*current_state)->Lock();
-
 	return accepted.length() != old_matches;
 	}
 
@@ -377,31 +355,31 @@ int Specific_RE_Matcher::LongestMatch(const u_char* bv, int n)
 
 	// Use -1 to indicate no match.
 	int last_accept = -1;
-	DFA_State_Handle* d = dfa->StartState();
+	DFA_State* d = dfa->StartState();
 
-	d = (*d)->Xtion(ecs[SYM_BOL], dfa);
+	d = d->Xtion(ecs[SYM_BOL], dfa);
 	if ( ! d )
 		return -1;
 
-	if ( (*d)->Accept() )
+	if ( d->Accept() )
 		last_accept = 0;
 
 	for ( int i = 0; i < n; ++i )
 		{
 		int ec = ecs[bv[i]];
-		d = (*d)->Xtion(ec, dfa);
+		d = d->Xtion(ec, dfa);
 
 		if ( ! d )
 			break;
 
-		if ( (*d)->Accept() )
+		if ( d->Accept() )
 			last_accept = i + 1;
 		}
 
 	if ( d )
 		{
-		d = (*d)->Xtion(ecs[SYM_EOL], dfa);
-		if ( d && (*d)->Accept() )
+		d = d->Xtion(ecs[SYM_EOL], dfa);
+		if ( d && d->Accept() )
 			return n;
 		}
 
diff --git a/src/RE.h b/src/RE.h
index 08da19c495..f46f835649 100644
--- a/src/RE.h
+++ b/src/RE.h
@@ -19,6 +19,7 @@ class NFA_Machine;
 class DFA_Machine;
 class Specific_RE_Matcher;
 class RE_Matcher;
+class DFA_State;
 
 declare(PDict,char);
 declare(PDict,CCL);
@@ -126,13 +127,6 @@ protected:
 	AcceptingSet* accepted;
 };
 
-#ifdef EXPIRE_DFA_STATES
-	class DFA_State_Handle;
-#else
-	class DFA_State;
-	typedef DFA_State DFA_State_Handle;
-#endif
-
 class RE_Match_State {
 public:
 	RE_Match_State(Specific_RE_Matcher* matcher)
@@ -143,8 +137,6 @@ public:
 		current_state = 0;
 		}
 
-	~RE_Match_State();
-
 	const AcceptingSet* Accepted() const	{ return &accepted; }
 	const int_list* MatchPositions() const	{ return &match_pos; }
 
@@ -169,7 +161,7 @@ protected:
 
 	AcceptingSet accepted;
 	int_list match_pos;
-	DFA_State_Handle* current_state;
+	DFA_State* current_state;
 	int current_pos;
 };
 
diff --git a/src/RPC.cc b/src/RPC.cc
index 278f8bfee5..ef9a925fea 100644
--- a/src/RPC.cc
+++ b/src/RPC.cc
@@ -137,14 +137,14 @@ int RPC_Interpreter::DeliverRPC(const u_char* buf, int n, int is_orig)
 		if ( ! buf )
 			return 0;
 
-		uint32 status = BroEnum::RPC_UNKNOWN_ERROR;
+		uint32 status = BifEnum::RPC_UNKNOWN_ERROR;
 
 		if ( reply_stat == RPC_MSG_ACCEPTED )
 			{
 			(void) skip_XDR_opaque_auth(buf, n);
 			uint32 accept_stat = extract_XDR_uint32(buf, n);
 
-			// The first members of BroEnum::RPC_* correspond
+			// The first members of BifEnum::RPC_* correspond
 			// to accept_stat.
 			if ( accept_stat <= RPC_SYSTEM_ERR )
 				status = accept_stat;
@@ -171,7 +171,7 @@ int RPC_Interpreter::DeliverRPC(const u_char* buf, int n, int is_orig)
 			if ( reject_stat == RPC_MISMATCH )
 				{
 				// Note that RPC_MISMATCH == 0 == RPC_SUCCESS.
-				status = BroEnum::RPC_VERS_MISMATCH;
+				status = BifEnum::RPC_VERS_MISMATCH;
 
 				(void) extract_XDR_uint32(buf, n);
 				(void) extract_XDR_uint32(buf, n);
@@ -182,7 +182,7 @@ int RPC_Interpreter::DeliverRPC(const u_char* buf, int n, int is_orig)
 
 			else if ( reject_stat == RPC_AUTH_ERROR )
 				{
-				status = BroEnum::RPC_AUTH_ERROR;
+				status = BifEnum::RPC_AUTH_ERROR;
 
 				(void) extract_XDR_uint32(buf, n);
 				if ( ! buf )
@@ -191,7 +191,7 @@ int RPC_Interpreter::DeliverRPC(const u_char* buf, int n, int is_orig)
 
 			else
 				{
-				status = BroEnum::RPC_UNKNOWN_ERROR;
+				status = BifEnum::RPC_UNKNOWN_ERROR;
 				Weird("bad_RPC");
 				}
 			}
@@ -264,7 +264,7 @@ void RPC_Interpreter::Timeout()
 
 	while ( (c = calls.NextEntry(cookie)) )
 		{
-		RPC_Event(c, BroEnum::RPC_TIMEOUT, 0);
+		RPC_Event(c, BifEnum::RPC_TIMEOUT, 0);
 		if ( c->IsValidCall() )
 			{
 			const u_char* buf;
@@ -276,7 +276,7 @@ void RPC_Interpreter::Timeout()
 			else
 				{
 				Event(event, c->TakeRequestVal(),
-					BroEnum::RPC_TIMEOUT, reply);
+					BifEnum::RPC_TIMEOUT, reply);
 				}
 			}
 		}
diff --git a/src/RandTest.cc b/src/RandTest.cc
new file mode 100644
index 0000000000..638cc6c765
--- /dev/null
+++ b/src/RandTest.cc
@@ -0,0 +1,132 @@
+/*
+	Apply various randomness tests to a stream of bytes
+
+		by John Walker  --  September 1996
+			http://www.fourmilab.ch/random
+
+		This software is in the public domain. Permission to use, copy, modify,
+		and distribute this software and its documentation for any purpose and
+		without fee is hereby granted, without any conditions or restrictions.
+		This software is provided “as is” without express or implied warranty.
+
+	Modified for Bro by Seth Hall - July 2010
+*/
+
+#include <RandTest.h>
+
+RandTest::RandTest()
+	{
+	totalc = 0;
+	mp = 0;
+	sccfirst = 1;
+	inmont = mcount = 0;
+	cexp = montex = montey = montepi = sccu0 = scclast = scct1 = scct2 = scct3 = 0.0;
+
+	for (int i = 0; i < 256; i++)
+		{
+		ccount[i] = 0;
+		}
+	}
+
+void RandTest::add(void *buf, int bufl)
+	{
+	unsigned char *bp = (unsigned char*)buf;
+	int oc;
+
+	while (bufl-- > 0)
+		{
+		oc = *bp++;
+		ccount[oc]++;   /* Update counter for this bin */
+		totalc++;
+
+		/* Update inside / outside circle counts for Monte Carlo
+ 		   computation of PI */
+		monte[mp++] = oc;  /* Save character for Monte Carlo */
+		if (mp >= RT_MONTEN)  /* Calculate every RT_MONTEN character */
+			{
+			mp = 0;
+			mcount++;
+			montex = 0;
+			montey = 0;
+			for (int mj=0; mj < RT_MONTEN/2; mj++)
+				{
+				montex = (montex * 256.0) + monte[mj];
+				montey = (montey * 256.0) + monte[(RT_MONTEN / 2) + mj];
+				}
+			if (montex*montex + montey*montey <= RT_INCIRC)
+				{
+				inmont++;
+				}
+			}
+
+		/* Update calculation of serial correlation coefficient */
+		if (sccfirst)
+			{
+			sccfirst = 0;
+			scclast = 0;
+			sccu0 = oc;
+			}
+		else
+			{
+			scct1 = scct1 + scclast * oc;
+			}
+
+		scct2 = scct2 + oc;
+		scct3 = scct3 + (oc * oc);
+		scclast = oc;
+		oc <<= 1;
+		}
+	}
+
+void RandTest::end(double *r_ent, double *r_chisq,
+                   double *r_mean, double *r_montepicalc, double *r_scc)
+	{
+	int i;
+	double ent, chisq, scc, datasum;
+	ent = 0.0; chisq = 0.0; scc = 0.0; datasum = 0.0;
+	double prob[256];    /* Probabilities per bin for entropy */
+
+	/* Complete calculation of serial correlation coefficient */
+	scct1 = scct1 + scclast * sccu0;
+	scct2 = scct2 * scct2;
+	scc = totalc * scct3 - scct2;
+	if (scc == 0.0)
+	   scc = -100000;
+	else
+	   scc = (totalc * scct1 - scct2) / scc;
+
+	/* Scan bins and calculate probability for each bin and
+	   Chi-Square distribution.  The probability will be reused
+	   in the entropy calculation below.  While we're at it,
+	   we sum of all the data which will be used to compute the
+	   mean. */
+	cexp = totalc / 256.0;  /* Expected count per bin */
+	for (i = 0; i < 256; i++)
+		{
+		double a = ccount[i] - cexp;
+
+		prob[i] = ((double) ccount[i]) / totalc;
+		chisq += (a * a) / cexp;
+		datasum += ((double) i) * ccount[i];
+		}
+
+	/* Calculate entropy */
+	for (i = 0; i < 256; i++)
+		{
+		if (prob[i] > 0.0)
+			{
+			ent += prob[i] * rt_log2(1 / prob[i]);
+			}
+		}
+
+	/* Calculate Monte Carlo value for PI from percentage of hits
+	   within the circle */
+	montepi = 4.0 * (((double) inmont) / mcount);
+
+	/* Return results through arguments */
+	*r_ent = ent;
+	*r_chisq = chisq;
+	*r_mean = datasum / totalc;
+	*r_montepicalc = montepi;
+	*r_scc = scc;
+	}
diff --git a/src/RandTest.h b/src/RandTest.h
new file mode 100644
index 0000000000..a4f551b602
--- /dev/null
+++ b/src/RandTest.h
@@ -0,0 +1,34 @@
+#include <math.h>
+
+#define log2of10 3.32192809488736234787
+/*  RT_LOG2  --  Calculate log to the base 2  */
+static double rt_log2(double x)
+{
+    return log2of10 * log10(x);
+}
+
+#define RT_MONTEN 6  /* Bytes used as Monte Carlo
+                        co-ordinates. This should be no more
+                        bits than the mantissa of your "double"
+                        floating point type. */
+
+// RT_INCIRC = pow(pow(256.0, (double) (RT_MONTEN / 2)) - 1, 2.0);
+#define RT_INCIRC 281474943156225.0
+
+class RandTest {
+	public:
+		RandTest();
+		void add(void *buf, int bufl);
+		void end(double *r_ent, double *r_chisq, double *r_mean,
+		         double *r_montepicalc, double *r_scc);
+
+	private:
+		long ccount[256];  /* Bins to count occurrences of values */
+		long totalc;       /* Total bytes counted */
+		int mp;
+		int sccfirst;
+		unsigned int monte[RT_MONTEN];
+		long inmont, mcount;
+		double cexp, montex, montey, montepi,
+		       sccu0, scclast, scct1, scct2, scct3;
+	};
diff --git a/src/Reassem.cc b/src/Reassem.cc
index c6ec6a3420..8970c23f61 100644
--- a/src/Reassem.cc
+++ b/src/Reassem.cc
@@ -48,15 +48,8 @@ Reassembler::Reassembler(int init_seq, const uint32* ip_addr,
 	{
 	blocks = last_block = 0;
 	trim_seq = last_reassem_seq = init_seq;
-
-	const NumericData* host_profile;
-	get_map_result(ip_addr[0], host_profile);	// breaks for IPv6
-
-	policy = (arg_type == REASSEM_TCP) ?
-			host_profile->tcp_reassem : host_profile->ip_reassem;
 	}
 
-
 Reassembler::~Reassembler()
 	{
 	ClearBlocks();
@@ -195,8 +188,10 @@ void Reassembler::Describe(ODesc* d) const
 	d->Add("reassembler");
 	}
 
-void Reassembler::Undelivered(int /* up_to_seq */)
+void Reassembler::Undelivered(int up_to_seq)
 	{
+	// TrimToSeq() expects this.
+	last_reassem_seq = up_to_seq;
 	}
 
 DataBlock* Reassembler::AddAndCheck(DataBlock* b, int seq, int upper,
@@ -241,67 +236,7 @@ DataBlock* Reassembler::AddAndCheck(DataBlock* b, int seq, int upper,
 		return new_b;
 		}
 
-	// The blocks overlap.
-
-#ifdef ACTIVE_MAPPING
-	if ( policy != RP_UNKNOWN )
-		{
-		if ( seq_delta(seq, b->seq) < 0 )
-			{ // The new block has a prefix that comes before b.
-			int prefix_len = seq_delta(b->seq, seq);
-			new_b = new DataBlock(data, prefix_len, seq, b->prev, b);
-			if ( b == blocks )
-				blocks = new_b;
-
-			data += prefix_len;
-			seq += prefix_len;
-			}
-
-		if ( policy == RP_LAST ||
-			     // After handling the prefix block, BSD takes the rest
-		     (policy == RP_BSD && new_b) ||
-			     // Similar, but overwrite for same seq number
-		     (policy == RP_LINUX && (new_b || seq == b->seq)) )
-			{
-			DataBlock* bprev = b->prev;
-			bool b_was_first = b == blocks;
-			while ( b && b->upper <= upper )
-				{
-				DataBlock* next = b->next;
-				delete b;
-				b = next;
-				}
-
-			new_b = new DataBlock(data, upper - seq, seq, bprev, b);
-			if ( b_was_first )
-				blocks = new_b;
-
-			// Trim the next block as needed.
-			if ( b && seq_delta(new_b->upper, b->seq) > 0 )
-				{
-				DataBlock* next_b =
-					new DataBlock(&b->block[upper - b->seq],
-							b->upper - upper, upper,
-							new_b, b->next);
-				if ( b == last_block )
-					last_block = next_b;
-
-				delete b;
-				}
-			}
-
-		else
-			{ // handle the piece that sticks out past b
-			new_b = b;
-			int len = upper - b->upper;
-			if ( len > 0 )
-				new_b = AddAndCheck(b, b->upper, upper, &data[b->upper - seq]);
-			}
-		}
-	else
-		{
-#endif
-	// Default behavior - complain about overlaps.
+	// The blocks overlap, complain.
 	if ( seq_delta(seq, b->seq) < 0 )
 		{
 		// The new block has a prefix that comes before b.
@@ -336,10 +271,6 @@ DataBlock* Reassembler::AddAndCheck(DataBlock* b, int seq, int upper,
 			(void) AddAndCheck(b, seq, upper, data);
 		}
 
-#ifdef ACTIVE_MAPPING
-		}	// else branch, for RP_UNKNOWN behavior
-#endif
-
 	if ( new_b->prev == last_block )
 		last_block = new_b;
 
@@ -363,7 +294,7 @@ bool Reassembler::DoSerialize(SerialInfo* info) const
 	// I'm not sure if it makes sense to actually save the buffered data.
 	// For now, we just remember the seq numbers so that we don't get
 	// complaints about missing content.
-	return SERIALIZE(trim_seq) && SERIALIZE(int(policy));
+	return SERIALIZE(trim_seq) && SERIALIZE(int(0));
 	}
 
 bool Reassembler::DoUnserialize(UnserialInfo* info)
@@ -372,11 +303,10 @@ bool Reassembler::DoUnserialize(UnserialInfo* info)
 
 	blocks = last_block = 0;
 
-	int p;
-	if ( ! UNSERIALIZE(&trim_seq) || ! UNSERIALIZE(&p) )
+	int dummy; // For backwards compatibility.
+	if ( ! UNSERIALIZE(&trim_seq) || ! UNSERIALIZE(&dummy) )
 		return false;
 
-	policy = ReassemblyPolicy(p);
 	last_reassem_seq = trim_seq;
 
 	return  true;
diff --git a/src/Reassem.h b/src/Reassem.h
index 0200f8577b..1563732180 100644
--- a/src/Reassem.h
+++ b/src/Reassem.h
@@ -5,13 +5,12 @@
 #ifndef reassem_h
 #define reassem_h
 
-#include "Active.h"
 #include "Obj.h"
 
 class DataBlock {
 public:
 	DataBlock(const u_char* data, int size, int seq,
-			DataBlock* next, DataBlock* prev);
+			DataBlock* prev, DataBlock* next);
 
 	~DataBlock();
 
@@ -74,8 +73,6 @@ protected:
 	int last_reassem_seq;
 	int trim_seq;	// how far we've trimmed
 
-	ReassemblyPolicy policy;
-
 	static unsigned int total_size;
 };
 
diff --git a/src/RemoteSerializer.cc b/src/RemoteSerializer.cc
index 203bcd04f5..6f33a33bca 100644
--- a/src/RemoteSerializer.cc
+++ b/src/RemoteSerializer.cc
@@ -161,11 +161,11 @@
 #include <stdarg.h>
 
 #include "config.h"
-#if TIME_WITH_SYS_TIME
+#ifdef TIME_WITH_SYS_TIME
 # include <sys/time.h>
 # include <time.h>
 #else
-# if HAVE_SYS_TIME_H
+# ifdef HAVE_SYS_TIME_H
 #  include <sys/time.h>
 # else
 #  include <time.h>
@@ -173,6 +173,8 @@
 #endif
 #include <sys/resource.h>
 
+#include <algorithm>
+
 #include "RemoteSerializer.h"
 #include "Func.h"
 #include "EventRegistry.h"
@@ -183,6 +185,7 @@
 #include "Sessions.h"
 #include "File.h"
 #include "Conn.h"
+#include "LogMgr.h"
 
 extern "C" {
 #include "setsignal.h"
@@ -190,7 +193,7 @@ extern "C" {
 
 // Gets incremented each time there's an incompatible change
 // to the communication internals.
-static const unsigned short PROTOCOL_VERSION = 0x06;
+static const unsigned short PROTOCOL_VERSION = 0x07;
 
 static const char MSG_NONE = 0x00;
 static const char MSG_VERSION = 0x01;
@@ -216,9 +219,12 @@ static const char MSG_SYNC_POINT = 0x14;
 static const char MSG_TERMINATE = 0x15;
 static const char MSG_DEBUG_DUMP = 0x16;
 static const char MSG_REMOTE_PRINT = 0x17;
+static const char MSG_LOG_CREATE_WRITER = 0x18;
+static const char MSG_LOG_WRITE = 0x19;
+static const char MSG_REQUEST_LOGS = 0x20;
 
 // Update this one whenever adding a new ID:
-static const char MSG_ID_MAX = MSG_REMOTE_PRINT;
+static const char MSG_ID_MAX = MSG_REQUEST_LOGS;
 
 static const uint32 FINAL_SYNC_POINT = /* UINT32_MAX */ 4294967295U;
 
@@ -226,6 +232,9 @@ static const uint32 FINAL_SYNC_POINT = /* UINT32_MAX */ 4294967295U;
 static const int PRINT_BUFFER_SIZE = 10 * 1024;
 static const int SOCKBUF_SIZE = 1024 * 1024;
 
+// Buffer size for remote-log data.
+static const int LOG_BUFFER_SIZE = 50 * 1024;
+
 struct ping_args {
 	uint32 seq;
 	double time1; // Round-trip time parent1<->parent2
@@ -303,6 +312,9 @@ static const char* msgToStr(int msg)
 	MSG_STR(MSG_TERMINATE)
 	MSG_STR(MSG_DEBUG_DUMP)
 	MSG_STR(MSG_REMOTE_PRINT)
+	MSG_STR(MSG_LOG_CREATE_WRITER)
+	MSG_STR(MSG_LOG_WRITE)
+	MSG_STR(MSG_REQUEST_LOGS)
 	default:
 		return "UNKNOWN_MSG";
 	}
@@ -469,7 +481,10 @@ static inline bool is_peer_msg(int msg)
 		msg == MSG_CAPS ||
 		msg == MSG_COMPRESS ||
 		msg == MSG_SYNC_POINT ||
-		msg == MSG_REMOTE_PRINT;
+		msg == MSG_REMOTE_PRINT ||
+		msg == MSG_LOG_CREATE_WRITER ||
+		msg == MSG_LOG_WRITE ||
+		msg == MSG_REQUEST_LOGS;
 	}
 
 bool RemoteSerializer::IsConnectedPeer(PeerID id)
@@ -544,6 +559,36 @@ void RemoteSerializer::Init()
 	initialized = 1;
 	}
 
+void RemoteSerializer::SetSocketBufferSize(int fd, int opt, const char *what, int size, int verbose)
+	{
+	int defsize = 0;
+	socklen_t len = sizeof(defsize);
+
+	if ( getsockopt(fd, SOL_SOCKET, opt, (void *)&defsize, &len) < 0 )
+		{
+		if ( verbose )
+			Log(LogInfo, fmt("warning: cannot get socket buffer size (%s): %s", what, strerror(errno)));
+		return;
+		}
+
+	for ( int trysize = size; trysize > defsize; trysize -= 1024 )
+		{
+		if ( setsockopt(fd, SOL_SOCKET, opt, &trysize, sizeof(trysize)) >= 0 )
+			{
+			if ( verbose )
+			    {
+			    if ( trysize == size )
+				    Log(LogInfo, fmt("raised pipe's socket buffer size from %dK to %dK", defsize / 1024, trysize / 1024));
+			    else
+				    Log(LogInfo, fmt("raised pipe's socket buffer size from %dK to %dK (%dK was requested)", defsize / 1024, trysize / 1024, size / 1024));
+			    }
+			return;
+			}
+		}
+
+	Log(LogInfo, fmt("warning: cannot increase %s socket buffer size from %dK (%dK was requested)", what, defsize / 1024, size / 1024));
+	}
+
 void RemoteSerializer::Fork()
 	{
 	if ( child_pid )
@@ -562,25 +607,11 @@ void RemoteSerializer::Fork()
 		return;
 		}
 
-	int bufsize;
-	socklen_t len = sizeof(bufsize);
-
-	if ( getsockopt(pipe[0], SOL_SOCKET, SO_SNDBUF, &bufsize, &len ) < 0 )
-		Log(LogInfo, fmt("warning: cannot get socket buffer size: %s", strerror(errno)));
-	else
-		Log(LogInfo, fmt("pipe's socket buffer size is %d, setting to %d", bufsize, SOCKBUF_SIZE));
-
-	bufsize = SOCKBUF_SIZE;
-
-	if ( setsockopt(pipe[0], SOL_SOCKET, SO_SNDBUF,
-			&bufsize, sizeof(bufsize) ) < 0 ||
-	     setsockopt(pipe[0], SOL_SOCKET, SO_RCVBUF,
-			&bufsize, sizeof(bufsize) ) < 0 ||
-	     setsockopt(pipe[1], SOL_SOCKET, SO_SNDBUF,
-			&bufsize, sizeof(bufsize) ) < 0 ||
-	     setsockopt(pipe[1], SOL_SOCKET, SO_RCVBUF,
-			&bufsize, sizeof(bufsize) ) < 0 )
-		Log(LogInfo, fmt("warning: cannot set socket buffer size to %dK: %s", bufsize / 1024, strerror(errno)));
+	// Try to increase the size of the socket send and receive buffers.
+	SetSocketBufferSize(pipe[0], SO_SNDBUF, "SO_SNDBUF", SOCKBUF_SIZE, 1);
+	SetSocketBufferSize(pipe[0], SO_RCVBUF, "SO_RCVBUF", SOCKBUF_SIZE, 0);
+	SetSocketBufferSize(pipe[1], SO_SNDBUF, "SO_SNDBUF", SOCKBUF_SIZE, 0);
+	SetSocketBufferSize(pipe[1], SO_RCVBUF, "SO_RCVBUF", SOCKBUF_SIZE, 0);
 
 	child_pid = 0;
 
@@ -681,13 +712,14 @@ bool RemoteSerializer::CloseConnection(Peer* peer)
 	if ( peer->suspended_processing )
 		{
 		net_continue_processing();
-		current_peer->suspended_processing = false;
+		peer->suspended_processing = false;
 		}
 
 	if ( peer->state == Peer::CLOSING )
 		return true;
 
 	FlushPrintBuffer(peer);
+	FlushLogBuffer(peer);
 
 	Log(LogInfo, "closing connection", peer);
 
@@ -722,6 +754,31 @@ bool RemoteSerializer::RequestSync(PeerID id, bool auth)
 	return true;
 	}
 
+bool RemoteSerializer::RequestLogs(PeerID id)
+	{
+	if ( ! using_communication )
+		return true;
+
+	Peer* peer = LookupPeer(id, true);
+	if ( ! peer )
+		{
+		run_time(fmt("unknown peer id %d for request logs", int(id)));
+		return false;
+		}
+
+	if ( peer->phase != Peer::HANDSHAKE )
+		{
+		run_time(fmt("can't request logs from peer; wrong phase %d",
+			     peer->phase));
+		return false;
+		}
+
+	if ( ! SendToChild(MSG_REQUEST_LOGS, peer, 0) )
+		return false;
+
+	return true;
+	}
+
 bool RemoteSerializer::RequestEvents(PeerID id, RE_Matcher* pattern)
 	{
 	if ( ! using_communication )
@@ -823,14 +880,9 @@ bool RemoteSerializer::SendCall(SerialInfo* info, PeerID id,
 	if ( ! peer )
 		return false;
 
-	// Do not send events back to originating peer.
-	if ( current_peer == peer )
-		return true;
-
 	return SendCall(info, peer, name, vl);
 	}
 
-
 bool RemoteSerializer::SendCall(SerialInfo* info, Peer* peer,
 					const char* name, val_list* vl)
 	{
@@ -1170,14 +1222,6 @@ bool RemoteSerializer::Listen(addr_type ip, uint16 port, bool expect_ssl)
 	if ( ! using_communication )
 		return true;
 
-#ifndef USE_OPENSSL
-	if ( expect_ssl )
-		{
-		Error("listening for SSL connections requested, but SSL support is not compiled in");
-		return false;
-		}
-#endif
-
 	if ( ! initialized )
 		internal_error("remote serializer not initialized");
 
@@ -1440,6 +1484,7 @@ bool RemoteSerializer::Poll(bool may_block)
 		case MSG_PHASE_DONE:
 		case MSG_TERMINATE:
 		case MSG_DEBUG_DUMP:
+		case MSG_REQUEST_LOGS:
 			{
 			// No further argument chunk.
 			msgstate = TYPE;
@@ -1462,6 +1507,8 @@ bool RemoteSerializer::Poll(bool may_block)
 		case MSG_LOG:
 		case MSG_SYNC_POINT:
 		case MSG_REMOTE_PRINT:
+		case MSG_LOG_CREATE_WRITER:
+		case MSG_LOG_WRITE:
 			{
 			// One further argument chunk.
 			msgstate = ARGS;
@@ -1513,13 +1560,13 @@ bool RemoteSerializer::DoMessage()
 		{
 		// We shut the connection to this peer down,
 		// so we ignore all further messages.
-		DEBUG_COMM(fmt("parent: ignoring %s due to shutdown of peer #%d",
+		DEBUG_COMM(fmt("parent: ignoring %s due to shutdown of peer #%" PRI_SOURCE_ID,
 					msgToStr(current_msgtype),
 					current_peer ? current_peer->id : 0));
 		return true;
 		}
 
-	DEBUG_COMM(fmt("parent: %s from child; peer is #%d",
+	DEBUG_COMM(fmt("parent: %s from child; peer is #%" PRI_SOURCE_ID,
 			msgToStr(current_msgtype),
 			current_peer ? current_peer->id : 0));
 
@@ -1598,6 +1645,15 @@ bool RemoteSerializer::DoMessage()
 	case MSG_REMOTE_PRINT:
 		return ProcessRemotePrint();
 
+	case MSG_LOG_CREATE_WRITER:
+		return ProcessLogCreateWriter();
+
+	case MSG_LOG_WRITE:
+		return ProcessLogWrite();
+
+	case MSG_REQUEST_LOGS:
+		return ProcessRequestLogs();
+
 	default:
 		DEBUG_COMM(fmt("unexpected msg type: %d",
 					int(current_msgtype)));
@@ -1614,6 +1670,12 @@ void RemoteSerializer::PeerDisconnected(Peer* peer)
 	{
 	assert(peer);
 
+	if ( peer->suspended_processing )
+		{
+		net_continue_processing();
+		peer->suspended_processing = false;
+		}
+
 	if ( peer->state == Peer::CLOSED || peer->state == Peer::INIT )
 		return;
 
@@ -1654,6 +1716,7 @@ void RemoteSerializer::PeerConnected(Peer* peer)
 	peer->cache_out->Clear();
 	peer->our_runtime = int(current_time(true) - bro_start_time);
 	peer->sync_point = 0;
+	peer->logs_requested = false;
 
 	if ( ! SendCMsgToChild(MSG_VERSION, peer) )
 		return;
@@ -1716,6 +1779,7 @@ RemoteSerializer::Peer* RemoteSerializer::AddPeer(uint32 ip, uint16 port,
 	peer->orig = false;
 	peer->accept_state = false;
 	peer->send_state = false;
+	peer->logs_requested = false;
 	peer->caps = 0;
 	peer->comp_level = 0;
 	peer->suspended_processing = false;
@@ -1726,6 +1790,8 @@ RemoteSerializer::Peer* RemoteSerializer::AddPeer(uint32 ip, uint16 port,
 	peer->sync_point = 0;
 	peer->print_buffer = 0;
 	peer->print_buffer_used = 0;
+	peer->log_buffer = 0;
+	peer->log_buffer_used = 0;
 
 	peers.append(peer);
 	Log(LogInfo, "added peer", peer);
@@ -1744,6 +1810,12 @@ void RemoteSerializer::UnregisterHandlers(Peer* peer)
 
 void RemoteSerializer::RemovePeer(Peer* peer)
 	{
+	if ( peer->suspended_processing )
+		{
+		net_continue_processing();
+		peer->suspended_processing = false;
+		}
+
 	peers.remove(peer);
 	UnregisterHandlers(peer);
 
@@ -1752,6 +1824,7 @@ void RemoteSerializer::RemovePeer(Peer* peer)
 	int id = peer->id;
 	Unref(peer->val);
 	delete [] peer->print_buffer;
+	delete [] peer->log_buffer;
 	delete peer->cache_in;
 	delete peer->cache_out;
 	delete peer;
@@ -1837,10 +1910,9 @@ bool RemoteSerializer::EnterPhaseRunning(Peer* peer)
 	if ( in_sync == peer )
 		in_sync = 0;
 
-	current_peer->phase = Peer::RUNNING;
+	peer->phase = Peer::RUNNING;
 	Log(LogInfo, "phase: running", peer);
-
-	RaiseEvent(remote_connection_handshake_done, current_peer);
+	RaiseEvent(remote_connection_handshake_done, peer);
 
 	if ( remote_trace_sync_interval )
 		{
@@ -1946,6 +2018,19 @@ bool RemoteSerializer::ProcessRequestSyncMsg()
 	return true;
 	}
 
+bool RemoteSerializer::ProcessRequestLogs()
+	{
+	if ( ! current_peer )
+		return false;
+
+	Log(LogInfo, "peer requested logs", current_peer);
+
+	current_peer->logs_requested = true;
+	current_peer->log_buffer = new char[LOG_BUFFER_SIZE];
+	current_peer->log_buffer_used = 0;
+	return true;
+	}
+
 bool RemoteSerializer::ProcessPhaseDone()
 	{
 	switch ( current_peer->phase ) {
@@ -2004,12 +2089,14 @@ bool RemoteSerializer::HandshakeDone(Peer* peer)
 			return false;
 #endif
 
-	if ( ! (current_peer->caps & Peer::PID_64BIT) )
-		Log(LogInfo, "peer does not support 64bit PIDs; using compatibility mode", current_peer);
+	if ( ! (peer->caps & Peer::PID_64BIT) )
+		Log(LogInfo, "peer does not support 64bit PIDs; using compatibility mode", peer);
 
-	if ( (current_peer->caps & Peer::NEW_CACHE_STRATEGY) )
-		Log(LogInfo, "peer supports keep-in-cache; using that",
-			current_peer);
+	if ( (peer->caps & Peer::NEW_CACHE_STRATEGY) )
+		Log(LogInfo, "peer supports keep-in-cache; using that", peer);
+
+	if ( peer->logs_requested )
+		log_mgr->SendAllWritersTo(peer->id);
 
 	if ( peer->sync_requested != Peer::NONE )
 		{
@@ -2026,7 +2113,7 @@ bool RemoteSerializer::HandshakeDone(Peer* peer)
 			{
 			Log(LogError, "misconfiguration: authoritative state on both sides",
 				current_peer);
-			CloseConnection(current_peer);
+			CloseConnection(peer);
 			return false;
 			}
 
@@ -2309,12 +2396,12 @@ bool RemoteSerializer::SendPrintHookEvent(BroFile* f, const char* txt)
 		if ( ! fname )
 			continue; // not a managed file.
 
-		int len = strlen(txt);
+		size_t len = strlen(txt);
 
 		// We cut off everything after the max buffer size.  That
 		// makes the code a bit easier, and we shouldn't have such
 		// long lines anyway.
-		len = min(len, PRINT_BUFFER_SIZE - strlen(fname) - 2);
+		len = min<size_t>(len, PRINT_BUFFER_SIZE - strlen(fname) - 2);
 
 		// If there's not enough space in the buffer, flush it.
 
@@ -2364,6 +2451,260 @@ bool RemoteSerializer::ProcessRemotePrint()
 	return true;
 	}
 
+bool RemoteSerializer::SendLogCreateWriter(EnumVal* id, EnumVal* writer, string path, int num_fields, const LogField* const * fields)
+	{
+	loop_over_list(peers, i)
+		{
+		SendLogCreateWriter(peers[i]->id, id, writer, path, num_fields, fields);
+		}
+
+	return true;
+	}
+
+bool RemoteSerializer::SendLogCreateWriter(PeerID peer_id, EnumVal* id, EnumVal* writer, string path, int num_fields, const LogField* const * fields)
+	{
+	SetErrorDescr("logging");
+
+	ChunkedIO::Chunk* c = 0;
+
+	Peer* peer = LookupPeer(peer_id, true);
+	if ( ! peer )
+		return false;
+
+	if ( peer->phase != Peer::HANDSHAKE && peer->phase != Peer::RUNNING )
+		return false;
+
+	BinarySerializationFormat fmt;
+
+	fmt.StartWrite();
+
+	bool success = fmt.Write(id->AsEnum(), "id") &&
+		fmt.Write(writer->AsEnum(), "writer") &&
+		fmt.Write(path, "path") &&
+		fmt.Write(num_fields, "num_fields");
+
+	if ( ! success )
+		goto error;
+
+	for ( int i = 0; i < num_fields; i++ )
+		{
+		if ( ! fields[i]->Write(&fmt) )
+			goto error;
+		}
+
+	c = new ChunkedIO::Chunk;
+	c->len = fmt.EndWrite(&c->data);
+
+	if ( ! SendToChild(MSG_LOG_CREATE_WRITER, peer, 0) )
+		goto error;
+
+	if ( ! SendToChild(c) )
+		goto error;
+
+	return true;
+
+error:
+	FatalError(io->Error());
+	return false;
+	}
+
+bool RemoteSerializer::SendLogWrite(EnumVal* id, EnumVal* writer, string path, int num_fields, const LogVal* const * vals)
+	{
+	loop_over_list(peers, i)
+		{
+		SendLogWrite(peers[i], id, writer, path, num_fields, vals);
+		}
+
+	return true;
+	}
+
+bool RemoteSerializer::SendLogWrite(Peer* peer, EnumVal* id, EnumVal* writer, string path, int num_fields, const LogVal* const * vals)
+	{
+	if ( peer->phase != Peer::HANDSHAKE && peer->phase != Peer::RUNNING )
+		return false;
+
+	if ( ! peer->logs_requested )
+		return false;
+
+	assert(peer->log_buffer);
+
+	// Serialize the log record entry.
+
+	BinarySerializationFormat fmt;
+
+	fmt.StartWrite();
+
+	bool success = fmt.Write(id->AsEnum(), "id") &&
+		fmt.Write(writer->AsEnum(), "writer") &&
+		fmt.Write(path, "path") &&
+		fmt.Write(num_fields, "num_fields");
+
+	if ( ! success )
+		goto error;
+
+	for ( int i = 0; i < num_fields; i++ )
+		{
+		if ( ! vals[i]->Write(&fmt) )
+			goto error;
+		}
+
+	// Ok, we have the binary data now.
+	char* data;
+	int len;
+
+	len = fmt.EndWrite(&data);
+
+	// Do we have enough space in the buffer? If not, flush first.
+	if ( len > (LOG_BUFFER_SIZE - peer->log_buffer_used) )
+		FlushLogBuffer(peer);
+
+	// If the data is actually larger than our complete buffer, just send it out.
+	if ( len > LOG_BUFFER_SIZE )
+		return SendToChild(MSG_LOG_WRITE, peer, data, len);
+
+	// Now we have space in the buffer, copy it into there.
+	memcpy(peer->log_buffer + peer->log_buffer_used, data, len);
+	peer->log_buffer_used += len;
+	assert(peer->log_buffer_used <= LOG_BUFFER_SIZE);
+
+	FlushLogBuffer(peer);
+	return false;
+
+error:
+	FatalError(io->Error());
+	return false;
+	}
+
+bool RemoteSerializer::FlushLogBuffer(Peer* p)
+	{
+	if ( p->state == Peer::CLOSING )
+		return false;
+
+	if ( ! p->log_buffer )
+		return true;
+
+	SendToChild(MSG_LOG_WRITE, p, p->log_buffer, p->log_buffer_used);
+
+	p->log_buffer = new char[LOG_BUFFER_SIZE];
+	p->log_buffer_used = 0;
+	return true;
+	}
+
+bool RemoteSerializer::ProcessLogCreateWriter()
+	{
+	if ( current_peer->state == Peer::CLOSING )
+		return false;
+
+	assert(current_args);
+
+	EnumVal* id_val = 0;
+	EnumVal* writer_val = 0;
+	LogField** fields = 0;
+
+	BinarySerializationFormat fmt;
+	fmt.StartRead(current_args->data, current_args->len);
+
+	int id, writer;
+	string path;
+	int num_fields;
+
+	bool success = fmt.Read(&id, "id") &&
+		fmt.Read(&writer, "writer") &&
+		fmt.Read(&path, "path") &&
+		fmt.Read(&num_fields, "num_fields");
+
+	if ( ! success )
+		goto error;
+
+	fields = new LogField* [num_fields];
+
+	for ( int i = 0; i < num_fields; i++ )
+		{
+		fields[i] = new LogField;
+		if ( ! fields[i]->Read(&fmt) )
+			goto error;
+		}
+
+	fmt.EndRead();
+
+	id_val = new EnumVal(id, BifType::Enum::Log::ID);
+	writer_val = new EnumVal(writer, BifType::Enum::Log::Writer);
+
+	if ( ! log_mgr->CreateWriter(id_val, writer_val, path, num_fields, fields) )
+		goto error;
+
+	Unref(id_val);
+	Unref(writer_val);
+
+	return true;
+
+error:
+	Unref(id_val);
+	Unref(writer_val);
+
+	Error("write error for creating writer");
+	return false;
+	}
+
+bool RemoteSerializer::ProcessLogWrite()
+	{
+	if ( current_peer->state == Peer::CLOSING )
+		return false;
+
+	assert(current_args);
+
+	BinarySerializationFormat fmt;
+	fmt.StartRead(current_args->data, current_args->len);
+
+	while ( fmt.BytesRead() != (int)current_args->len )
+		{
+		// Unserialize one entry.
+		EnumVal* id_val = 0;
+		EnumVal* writer_val = 0;
+		LogVal** vals = 0;
+
+		int id, writer;
+		string path;
+		int num_fields;
+
+		bool success = fmt.Read(&id, "id") &&
+			fmt.Read(&writer, "writer") &&
+			fmt.Read(&path, "path") &&
+			fmt.Read(&num_fields, "num_fields");
+
+		if ( ! success )
+			goto error;
+
+		vals = new LogVal* [num_fields];
+
+		for ( int i = 0; i < num_fields; i++ )
+			{
+			vals[i] = new LogVal;
+			if ( ! vals[i]->Read(&fmt) )
+				goto error;
+			}
+
+		id_val = new EnumVal(id, BifType::Enum::Log::ID);
+		writer_val = new EnumVal(writer, BifType::Enum::Log::Writer);
+
+		success = log_mgr->Write(id_val, writer_val, path, num_fields, vals);
+
+		Unref(id_val);
+		Unref(writer_val);
+
+		if ( ! success )
+			goto error;
+
+		}
+
+	fmt.EndRead();
+
+	return true;
+
+error:
+	Error("write error for log entry");
+	return false;
+	}
 
 void RemoteSerializer::GotEvent(const char* name, double time,
 				EventHandlerPtr event, val_list* args)
@@ -2606,7 +2947,7 @@ bool RemoteSerializer::SendCMsgToChild(char msg_type, Peer* peer)
 
 bool RemoteSerializer::SendToChild(char type, Peer* peer, char* str, int len)
 	{
-	DEBUG_COMM(fmt("parent: (->child) %s (#%d, %s)", msgToStr(type), peer ? peer->id : PEER_NONE, str));
+	DEBUG_COMM(fmt("parent: (->child) %s (#%" PRI_SOURCE_ID ", %s)", msgToStr(type), peer ? peer->id : PEER_NONE, str));
 
 	if ( ! child_pid )
 		return false;
@@ -2630,7 +2971,7 @@ bool RemoteSerializer::SendToChild(char type, Peer* peer, int nargs, ...)
 
 #ifdef DEBUG
 	va_start(ap, nargs);
-	DEBUG_COMM(fmt("parent: (->child) %s (#%d,%s)",
+	DEBUG_COMM(fmt("parent: (->child) %s (#%" PRI_SOURCE_ID ",%s)",
 			msgToStr(type), peer ? peer->id : PEER_NONE, fmt_uint32s(nargs, ap)));
 	va_end(ap);
 #endif
@@ -2711,7 +3052,7 @@ void RemoteSerializer::InternalCommError(const char* msg)
 #ifdef DEBUG_COMMUNICATION
 	DumpDebugData();
 #else
-	internal_error(msg);
+	internal_error("%s", msg);
 #endif
 	}
 
@@ -2941,7 +3282,7 @@ void SocketComm::Run()
 		struct timeval small_timeout;
 		small_timeout.tv_sec = 0;
 		small_timeout.tv_usec =
-			io->CanWrite() || io->CanRead() ? 10 : 10000;
+			io->CanWrite() || io->CanRead() ? 1 : 10;
 
 		int a = select(max_fd + 1, &fd_read, &fd_write, &fd_except,
 				&small_timeout);
@@ -3035,6 +3376,7 @@ bool SocketComm::ProcessParentMessage()
 		case MSG_TERMINATE:
 		case MSG_PHASE_DONE:
 		case MSG_DEBUG_DUMP:
+		case MSG_REQUEST_LOGS:
 			{
 			// No further argument chunk.
 			parent_msgstate = TYPE;
@@ -3054,6 +3396,8 @@ bool SocketComm::ProcessParentMessage()
 		case MSG_CAPS:
 		case MSG_SYNC_POINT:
 		case MSG_REMOTE_PRINT:
+		case MSG_LOG_CREATE_WRITER:
+		case MSG_LOG_WRITE:
 			{
 			// One further argument chunk.
 			parent_msgstate = ARGS;
@@ -3061,7 +3405,7 @@ bool SocketComm::ProcessParentMessage()
 			}
 
 		default:
-			internal_error(fmt("unknown msg type %d", parent_msgtype));
+			internal_error("unknown msg type %d", parent_msgtype);
 			return true;
 		}
 
@@ -3154,18 +3498,6 @@ bool SocketComm::DoParentMessage()
 		return true;
 		}
 
-	case MSG_PHASE_DONE:
-		{
-		// No argument block follows.
-		if ( parent_peer && parent_peer->connected )
-			{
-			DEBUG_COMM("child: forwarding with MSG_PHASE_DONE to peer");
-			if ( ! SendToPeer(parent_peer, MSG_PHASE_DONE, 0) )
-				return false;
-			}
-		return true;
-		}
-
 	case MSG_LISTEN:
 		return ProcessListen();
 
@@ -3193,6 +3525,20 @@ bool SocketComm::DoParentMessage()
 		return ForwardChunkToPeer();
 		}
 
+	case MSG_PHASE_DONE:
+	case MSG_REQUEST_LOGS:
+		{
+		// No argument block follows.
+		if ( parent_peer && parent_peer->connected )
+			{
+			DEBUG_COMM(fmt("child: forwarding %s to peer", msgToStr(parent_msgtype)));
+			if ( ! SendToPeer(parent_peer, parent_msgtype, 0) )
+				return false;
+			}
+
+		return true;
+		}
+
 	case MSG_REQUEST_EVENTS:
 	case MSG_REQUEST_SYNC:
 	case MSG_SERIAL:
@@ -3201,6 +3547,8 @@ bool SocketComm::DoParentMessage()
 	case MSG_CAPS:
 	case MSG_SYNC_POINT:
 	case MSG_REMOTE_PRINT:
+	case MSG_LOG_CREATE_WRITER:
+	case MSG_LOG_WRITE:
 		assert(parent_args);
 		return ForwardChunkToPeer();
 
@@ -3231,7 +3579,7 @@ bool SocketComm::ForwardChunkToPeer()
 		{
 #ifdef DEBUG
 		if ( parent_peer )
-			DEBUG_COMM(fmt("child: not connected to #%d", parent_id));
+			DEBUG_COMM(fmt("child: not connected to #%" PRI_SOURCE_ID, parent_id));
 #endif
 		}
 
@@ -3250,8 +3598,7 @@ bool SocketComm::ProcessConnectTo()
 	peer->retry = ntohl(args[3]);
 	peer->ssl = ntohl(args[4]);
 
-	Connect(peer);
-	return true;
+	return Connect(peer);
 	}
 
 bool SocketComm::ProcessListen()
@@ -3314,11 +3661,12 @@ bool SocketComm::ProcessRemoteMessage(SocketComm::Peer* peer)
 
 		CMsg* msg = (CMsg*) c->data;
 
-		DEBUG_COMM(fmt("child: %s from peer #%d",
+		DEBUG_COMM(fmt("child: %s from peer #%" PRI_SOURCE_ID,
 				msgToStr(msg->Type()), peer->id));
 
 		switch ( msg->Type() ) {
 		case MSG_PHASE_DONE:
+		case MSG_REQUEST_LOGS:
 			// No further argument block.
 			DEBUG_COMM("child: forwarding with 0 args to parent");
 			if ( ! SendToParent(msg->Type(), peer, 0) )
@@ -3375,6 +3723,8 @@ bool SocketComm::ProcessRemoteMessage(SocketComm::Peer* peer)
 	case MSG_CAPS:
 	case MSG_SYNC_POINT:
 	case MSG_REMOTE_PRINT:
+	case MSG_LOG_CREATE_WRITER:
+	case MSG_LOG_WRITE:
 		{
 		// Messages with one further argument block which we simply
 		// forward to our parent.
@@ -3481,13 +3831,7 @@ bool SocketComm::Connect(Peer* peer)
 		{
 		if ( peer->ssl )
 			{
-#ifdef USE_OPENSSL
 			peer->io = new ChunkedIOSSL(sockfd, false);
-#else
-			run_time("SSL connection requested, but SSL support not compiled in");
-			CloseConnection(peer, false);
-			return 0;
-#endif
 			}
 		else
 			peer->io = new ChunkedIOFd(sockfd, "child->peer");
@@ -3495,7 +3839,7 @@ bool SocketComm::Connect(Peer* peer)
 		if ( ! peer->io->Init() )
 			{
 			Error(fmt("can't init peer io: %s",
-					peer->io->Error()), peer);
+					peer->io->Error()), false);
 			return 0;
 			}
 		}
@@ -3575,6 +3919,7 @@ bool SocketComm::Listen(uint32 ip, uint16 port, bool expect_ssl)
 	if ( bind(*listen_fd, (sockaddr*) &server, sizeof(server)) < 0 )
 		{
 		Error(fmt("can't bind to port %d, %s", port, strerror(errno)));
+		close(*listen_fd);
 		*listen_fd = -1;
 
 		if ( errno == EADDRINUSE )
@@ -3621,20 +3966,15 @@ bool SocketComm::AcceptConnection(int fd)
 	peer->ssl = (fd == listen_fd_ssl);
 	peer->compressor = false;
 
-#ifdef USE_OPENSSL
 	if ( peer->ssl )
 		peer->io = new ChunkedIOSSL(clientfd, true);
 	else
 		peer->io = new ChunkedIOFd(clientfd, "child->peer");
-#else
-	assert(! peer->ssl);
-	peer->io = new ChunkedIOFd(clientfd, "child->peer");
-#endif
 
 	if ( ! peer->io->Init() )
 		{
 		Error(fmt("can't init peer io: %s",
-				  peer->io->Error()), peer);
+				  peer->io->Error()), false);
 		return false;
 		}
 
@@ -3802,7 +4142,7 @@ bool SocketComm::SendToParent(char type, Peer* peer, const char* str, int len)
 #ifdef DEBUG
 	// str  may already by constructed with fmt()
 	const char* tmp = copy_string(str);
-	DEBUG_COMM(fmt("child: (->parent) %s (#%d, %s)", msgToStr(type), peer ? peer->id : RemoteSerializer::PEER_NONE, tmp));
+	DEBUG_COMM(fmt("child: (->parent) %s (#%" PRI_SOURCE_ID ", %s)", msgToStr(type), peer ? peer->id : RemoteSerializer::PEER_NONE, tmp));
 	delete [] tmp;
 #endif
 	if ( sendToIO(io, type, peer ? peer->id : RemoteSerializer::PEER_NONE,
@@ -3821,7 +4161,7 @@ bool SocketComm::SendToParent(char type, Peer* peer, int nargs, ...)
 
 #ifdef DEBUG
 	va_start(ap,nargs);
-	DEBUG_COMM(fmt("child: (->parent) %s (#%d,%s)", msgToStr(type), peer ? peer->id : RemoteSerializer::PEER_NONE, fmt_uint32s(nargs, ap)));
+	DEBUG_COMM(fmt("child: (->parent) %s (#%" PRI_SOURCE_ID ",%s)", msgToStr(type), peer ? peer->id : RemoteSerializer::PEER_NONE, fmt_uint32s(nargs, ap)));
 	va_end(ap);
 #endif
 
@@ -3857,7 +4197,7 @@ bool SocketComm::SendToPeer(Peer* peer, char type, const char* str, int len)
 #ifdef DEBUG
 	// str  may already by constructed with fmt()
 	const char* tmp = copy_string(str);
-	DEBUG_COMM(fmt("child: (->peer) %s to #%d (%s)", msgToStr(type), peer->id, tmp));
+	DEBUG_COMM(fmt("child: (->peer) %s to #%" PRI_SOURCE_ID " (%s)", msgToStr(type), peer->id, tmp));
 	delete [] tmp;
 #endif
 
@@ -3876,7 +4216,7 @@ bool SocketComm::SendToPeer(Peer* peer, char type, int nargs, ...)
 
 #ifdef DEBUG
 	va_start(ap,nargs);
-	DEBUG_COMM(fmt("child: (->peer) %s to #%d (%s)",
+	DEBUG_COMM(fmt("child: (->peer) %s to #%" PRI_SOURCE_ID " (%s)",
 			msgToStr(type), peer->id, fmt_uint32s(nargs, ap)));
 	va_end(ap);
 #endif
@@ -3897,7 +4237,7 @@ bool SocketComm::SendToPeer(Peer* peer, char type, int nargs, ...)
 
 bool SocketComm::SendToPeer(Peer* peer, ChunkedIO::Chunk* c)
 	{
-	DEBUG_COMM(fmt("child: (->peer) chunk of size %d to #%d", c->len, peer->id));
+	DEBUG_COMM(fmt("child: (->peer) chunk of size %d to #%" PRI_SOURCE_ID, c->len, peer->id));
 	if ( ! sendToIO(peer->io, c) )
 		{
 		Error(fmt("child: write error %s", io->Error()), peer);
diff --git a/src/RemoteSerializer.h b/src/RemoteSerializer.h
index a84a0619fa..20886544c6 100644
--- a/src/RemoteSerializer.h
+++ b/src/RemoteSerializer.h
@@ -16,6 +16,8 @@
 // FIXME: Change this to network byte order
 
 class IncrementalSendTimer;
+class LogField;
+class LogVal;
 
 // This class handles the communication done in Bro's main loop.
 class RemoteSerializer : public Serializer, public IOSource {
@@ -42,6 +44,9 @@ public:
 	// the peer right after the handshake.
 	bool RequestSync(PeerID peer, bool auth);
 
+	// Requests logs from the remote side.
+	bool RequestLogs(PeerID id);
+
 	// Sets flag whether we're accepting state from this peer
 	// (default: yes).
 	bool SetAcceptState(PeerID peer, bool accept);
@@ -92,6 +97,15 @@ public:
 	// Broadcast remote print.
 	bool SendPrintHookEvent(BroFile* f, const char* txt);
 
+	// Send a request to create a writer on a remote side.
+	bool SendLogCreateWriter(PeerID peer, EnumVal* id, EnumVal* writer, string path, int num_fields, const LogField* const * fields);
+
+	// Broadcasts a request to create a writer.
+	bool SendLogCreateWriter(EnumVal* id, EnumVal* writer, string path, int num_fields, const LogField* const * fields);
+
+	// Broadcast a log entry to everybody interested.
+	bool SendLogWrite(EnumVal* id, EnumVal* writer, string path, int num_fields, const LogVal* const * vals);
+
 	// Synchronzizes time with all connected peers. Returns number of
 	// current sync-point, or -1 on error.
 	uint32 SendSyncPoint();
@@ -205,6 +219,7 @@ protected:
 		bool accept_state;	// True if we accept state from peer.
 		bool send_state; // True if we're supposed to initially sent our state.
 		int comp_level; // Compression level.
+		bool logs_requested; // True if the peer has requested logs.
 
 		// True if this peer triggered a net_suspend_processing().
 		bool suspended_processing;
@@ -217,6 +232,8 @@ protected:
 		uint32 sync_point;	// Highest sync-point received so far
 		char* print_buffer;	// Buffer for remote print or null.
 		int print_buffer_used;	// Number of bytes used in buffer.
+		char* log_buffer;	// Buffer for remote log or null.
+		int log_buffer_used;	// Number of bytes used in buffer.
 	};
 
 	// Shuts down remote serializer.
@@ -255,6 +272,9 @@ protected:
 	bool ProcessCapsMsg();
 	bool ProcessSyncPointMsg();
 	bool ProcessRemotePrint();
+	bool ProcessLogCreateWriter();
+	bool ProcessLogWrite();
+	bool ProcessRequestLogs();
 
 	Peer* AddPeer(uint32 ip, uint16 port, PeerID id = PEER_NONE);
 	Peer* LookupPeer(PeerID id, bool only_if_connected);
@@ -282,11 +302,13 @@ protected:
 	bool SendID(SerialInfo* info, Peer* peer, const ID& id);
 	bool SendCapabilities(Peer* peer);
 	bool SendPacket(SerialInfo* info, Peer* peer, const Packet& p);
+	bool SendLogWrite(Peer* peer, EnumVal* id, EnumVal* writer, string path, int num_fields, const LogVal* const * vals);
 
 	void UnregisterHandlers(Peer* peer);
 	void RaiseEvent(EventHandlerPtr event, Peer* peer, const char* arg = 0);
 	bool EnterPhaseRunning(Peer* peer);
 	bool FlushPrintBuffer(Peer* p);
+	bool FlushLogBuffer(Peer* p);
 
 	void ChildDied();
 	void InternalCommError(const char* msg);
@@ -297,6 +319,8 @@ protected:
 	bool SendToChild(char type, Peer* peer, int nargs, ...); // can send uints32 only
 	bool SendToChild(ChunkedIO::Chunk* c);
 
+	void SetSocketBufferSize(int fd, int opt, const char *what, int size, int verbose);
+
 private:
 	enum { TYPE, ARGS } msgstate;	// current state of reading comm.
 	Peer* current_peer;
diff --git a/src/Rewriter.cc b/src/Rewriter.cc
deleted file mode 100644
index bfdb289de9..0000000000
--- a/src/Rewriter.cc
+++ /dev/null
@@ -1,35 +0,0 @@
-// $Id:$
-//
-// See the file "COPYING" in the main distribution directory for copyright.
-
-#include "TCP_Rewriter.h"
-#include "UDP_Rewriter.h"
-
-// The following two are called from .bif's to obtain handle of Rewriter.
-Rewriter* get_trace_rewriter(Val* conn_val)
-	{
-	Connection* conn = (Connection*) conn_val->AsRecordVal()->GetOrigin();
-	return get_trace_rewriter(conn);
-	}
-
-Rewriter* get_trace_rewriter(Connection* conn)
-	{
-	if ( ! conn ||
-	     (conn->ConnTransport() != TRANSPORT_TCP &&
-	      conn->ConnTransport() != TRANSPORT_UDP) )
-		internal_error("connection for the trace rewriter does not exist");
-
-	Rewriter* rewriter = conn->TraceRewriter();
-	if ( rewriter )
-		return rewriter;
-
-	if ( ! transformed_pkt_dump )
-		return 0;	// okay if we don't have an output file
-
-	else if ( ! conn->RewritingTrace() )
-		builtin_run_time("flag rewriting_..._trace is not set properly");
-	else
-		internal_error("trace rewriter not initialized");
-
-	return 0;
-	}
diff --git a/src/Rewriter.h b/src/Rewriter.h
deleted file mode 100644
index 91c36557ab..0000000000
--- a/src/Rewriter.h
+++ /dev/null
@@ -1,51 +0,0 @@
-// $Id:$
-//
-// See the file "COPYING" in the main distribution directory for copyright.
-
-#ifndef rewriter_h
-#define rewriter_h
-
-class TracePacket;
-
-class Rewriter {
-public:
-	virtual ~Rewriter()	{};
-
-	virtual void Done()	{};
-
-	virtual void WriteData(int is_orig, int len, const u_char* data) = 0;
-	virtual void WriteData(int is_orig, const char* data) = 0;
-	virtual void WriteData(int is_orig, int len, const char* data) = 0;
-	virtual void WriteData(int is_orig, const BroString* str) = 0;
-
-	virtual void Push(int is_orig) = 0;
-
-	virtual void AbortPackets(int apply_to_future) = 0;
-	virtual void CommitPackets(int apply_to_future) = 0;
-
-	virtual unsigned int ReserveSlot() = 0;
-	virtual int SeekSlot(unsigned int slot) = 0;
-	virtual int ReturnFromSlot() = 0;
-	virtual int ReleaseSlot(unsigned int slot) = 0;
-
-	// Needed by all rewriters.
-	virtual TracePacket* CurrentPacket() const = 0;
-	virtual TracePacket* RewritePacket() const = 0;
-
-	// Whether to not anonymize client/server IP addresses.
-	virtual int LeaveAddrInTheClear(int is_orig) = 0;
-};
-
-extern Rewriter* get_trace_rewriter(Val* conn_val);
-extern Rewriter* get_trace_rewriter(Connection* conn);
-
-// This is the actual packet.
-class TracePacket {
-public:
-	virtual ~TracePacket()	{ }
-
-	virtual RecordVal* PacketVal() = 0;
-	virtual double TimeStamp() const = 0;
-};
-
-#endif
diff --git a/src/RuleMatcher.cc b/src/RuleMatcher.cc
index 02eef0aad9..2a0246d121 100644
--- a/src/RuleMatcher.cc
+++ b/src/RuleMatcher.cc
@@ -195,7 +195,7 @@ bool RuleMatcher::ReadFiles(const name_list& files)
 
 	for ( int i = 0; i < files.length(); ++i )
 		{
-		rules_in = search_for_file( files[i], "sig", 0);
+		rules_in = search_for_file( files[i], "sig", 0, false);
 		if ( ! rules_in )
 			{
 			error("Can't open signature file", files[i]);
diff --git a/src/SMB.cc b/src/SMB.cc
index 7ee6986d3d..e33c7ac73a 100644
--- a/src/SMB.cc
+++ b/src/SMB.cc
@@ -166,7 +166,7 @@ void SMB_Session::Deliver(int is_orig, int len, const u_char* data)
 			const u_char* tmp = data_start + next;
 			if ( data_start + next < data + body.length() )
 				{
-				Weird(fmt("ANDX buffer overlapping: next = %d, buffer_end = %d", next, data + body.length() - data_start));
+				Weird(fmt("ANDX buffer overlapping: next = %d, buffer_end = %" PRIuPTR, next, data + body.length() - data_start));
 				break;
 				}
 
@@ -480,8 +480,8 @@ int SMB_Session::ParseTreeConnectAndx(binpac::SMB::SMB_header const& hdr,
 	r->Assign(0, new Val(req.flags(), TYPE_COUNT));
 	r->Assign(1, new StringVal(req.password_length(),
 					(const char*) req.password()));
-	r->Assign(3, new StringVal(path));
-	r->Assign(4, new StringVal(service));
+	r->Assign(2, new StringVal(path));
+	r->Assign(3, new StringVal(service));
 
 	if ( strstr_n(norm_path->Len(), norm_path->Bytes(), 5,
 		      (const u_char*) "\\IPC$") != -1 )
diff --git a/src/SMB.h b/src/SMB.h
index d41ef7f9e0..408fa91068 100644
--- a/src/SMB.h
+++ b/src/SMB.h
@@ -206,8 +206,6 @@ public:
 			DCE_RPC_Session::any_dce_rpc_event();
 		}
 
-	int RewritingTrace()	{ return rewriting_smb_trace; }
-
 protected:
 	SMB_Session* smb_session;
 	Contents_SMB* o_smb;
diff --git a/src/SMTP.cc b/src/SMTP.cc
index f16dc8ae2e..f6396bafa6 100644
--- a/src/SMTP.cc
+++ b/src/SMTP.cc
@@ -10,7 +10,6 @@
 #include "SMTP.h"
 #include "Event.h"
 #include "ContentLine.h"
-#include "TCP_Rewriter.h"
 
 #undef SMTP_CMD_DEF
 #define SMTP_CMD_DEF(cmd)	#cmd,
@@ -885,5 +884,3 @@ void SMTP_Analyzer::EndData()
 		mail = 0;
 		}
 	}
-
-#include "smtp-rw.bif.func_def"
diff --git a/src/SMTP.h b/src/SMTP.h
index 6e3ad6cc29..69a5bc3e24 100644
--- a/src/SMTP.h
+++ b/src/SMTP.h
@@ -46,8 +46,6 @@ public:
 	virtual void DeliverStream(int len, const u_char* data, bool orig);
 	virtual void ConnectionFinished(int half_finished);
 	virtual void Undelivered(int seq, int len, bool orig);
-	virtual int RewritingTrace()
-		{ return rewriting_smtp_trace || TCP_ApplicationAnalyzer::RewritingTrace(); }
 
 	void SkipData()	{ skip_data = 1; }	// skip delivery of data lines
 
diff --git a/src/SSL-binpac.cc b/src/SSL-binpac.cc
index 73f2852aa7..551861aaee 100644
--- a/src/SSL-binpac.cc
+++ b/src/SSL-binpac.cc
@@ -71,10 +71,5 @@ void SSL_Analyzer_binpac::generate_warnings()
 	if ( ssl_store_key_material )
 		warn_("storage of key material (ssl_store_key_material) not supported");
 
-#ifndef USE_OPENSSL
-	if ( ssl_verify_certificates )
-		warn_("verification of certificates (ssl_verify_certificates) not supported due to non-existing OpenSSL support");
-#endif
-
 	warnings_generated = true;
 	}
diff --git a/src/SSLCiphers.cc b/src/SSLCiphers.cc
index 1eaf3898e2..267e8998e3 100644
--- a/src/SSLCiphers.cc
+++ b/src/SSLCiphers.cc
@@ -319,52 +319,52 @@ SSL_CipherSpec SSL_CipherSpecs[] = {
 		168,
 		160
 	},
-	{ TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5,
+	{ TLS_DH_anon_EXPORT_WITH_RC4_40_MD5,
 		SSL_CIPHER_TYPE_STREAM,
 		SSL_FLAG_EXPORT | SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
 		SSL_CIPHER_RC4,
 		SSL_MAC_MD5,
-		SSL_KEY_EXCHANGE_DH_ANON_EXPORT,
+		SSL_KEY_EXCHANGE_DH_anon_EXPORT,
 		0,
 		40,
 		128
 	},
-	{ TLS_DH_ANON_WITH_RC4_128_MD5,
+	{ TLS_DH_anon_WITH_RC4_128_MD5,
 		SSL_CIPHER_TYPE_STREAM,
 		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
 		SSL_CIPHER_RC4,
 		SSL_MAC_MD5,
-		SSL_KEY_EXCHANGE_DH_ANON,
+		SSL_KEY_EXCHANGE_DH_anon,
 		0,
 		128,
 		128
 	},
-	{ TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA,
+	{ TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA,
 		SSL_CIPHER_TYPE_BLOCK,
 		SSL_FLAG_EXPORT | SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
 		SSL_CIPHER_DES40,
 		SSL_MAC_SHA,
-		SSL_KEY_EXCHANGE_DH_ANON,
+		SSL_KEY_EXCHANGE_DH_anon,
 		0,
 		40,
 		160
 	},
-	{ TLS_DH_ANON_WITH_DES_CBC_SHA,
+	{ TLS_DH_anon_WITH_DES_CBC_SHA,
 		SSL_CIPHER_TYPE_BLOCK,
 		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
 		SSL_CIPHER_DES,
 		SSL_MAC_SHA,
-		SSL_KEY_EXCHANGE_DH_ANON,
+		SSL_KEY_EXCHANGE_DH_anon,
 		0,
 		56,
 		160
 	},
-	{ TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA,
+	{ TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
 		SSL_CIPHER_TYPE_BLOCK,
 		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
 		SSL_CIPHER_3DES,
 		SSL_MAC_SHA,
-		SSL_KEY_EXCHANGE_DH_ANON,
+		SSL_KEY_EXCHANGE_DH_anon,
 		0,
 		168,
 		160
@@ -389,16 +389,48 @@ SSL_CipherSpec SSL_CipherSpecs[] = {
 		96,
 		160
 	},
-	{ SSL_FORTEZZA_KEA_WITH_RC4_128_SHA,
-		SSL_CIPHER_TYPE_STREAM,
-		SSL_FLAG_SSLv30,
-		SSL_CIPHER_RC4,
-		SSL_MAC_SHA,
-		SSL_KEY_EXCHANGE_FORTEZZA_KEA,
+	
+	{ SSL_RSA_WITH_RC2_CBC_MD5,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv20,
+		SSL_CIPHER_RC2,
+		SSL_MAC_MD5,
+		SSL_KEY_EXCHANGE_RSA,
+		0,
+		56,
+		160
+	},
+	{ SSL_RSA_WITH_IDEA_CBC_MD5,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv20,
+		SSL_CIPHER_IDEA,
+		SSL_MAC_MD5,
+		SSL_KEY_EXCHANGE_RSA,
 		0,
 		128,
 		160
 	},
+	{ SSL_RSA_WITH_DES_CBC_MD5,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv20,
+		SSL_CIPHER_DES,
+		SSL_MAC_MD5,
+		SSL_KEY_EXCHANGE_RSA,
+		0,
+		56,
+		160
+	},
+	{ SSL_RSA_WITH_3DES_EDE_CBC_MD5,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv20,
+		SSL_CIPHER_3DES,
+		SSL_MAC_MD5,
+		SSL_KEY_EXCHANGE_RSA,
+		0,
+		168,
+		160
+	},
+	
 	// --- special SSLv3 FIPS ciphers
 	{ SSL_RSA_FIPS_WITH_DES_CBC_SHA,
 		SSL_CIPHER_TYPE_BLOCK,
@@ -522,12 +554,12 @@ SSL_CipherSpec SSL_CipherSpecs[] = {
 		128,
 		160
 	},
-	{ TLS_DH_ANON_WITH_AES_128_CBC_SHA,
+	{ TLS_DH_anon_WITH_AES_128_CBC_SHA,
 		SSL_CIPHER_TYPE_BLOCK,
 		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
 		SSL_CIPHER_AES,
 		SSL_MAC_SHA,
-		SSL_KEY_EXCHANGE_DH_ANON,
+		SSL_KEY_EXCHANGE_DH_anon,
 		0,
 		128,
 		160
@@ -582,16 +614,459 @@ SSL_CipherSpec SSL_CipherSpecs[] = {
 		256,
 		160
 	},
-	{ TLS_DH_ANON_WITH_AES_256_CBC_SHA,
+	{ TLS_DH_anon_WITH_AES_256_CBC_SHA,
 		SSL_CIPHER_TYPE_BLOCK,
 		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
 		SSL_CIPHER_AES,
 		SSL_MAC_SHA,
-		SSL_KEY_EXCHANGE_DH_ANON,
+		SSL_KEY_EXCHANGE_DH_anon,
 		0,
 		256,
 		160
-	}
+	},
+	{ TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_CAMELLIA,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_RSA,
+		0,
+		128,
+		160
+	},
+	{ TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_CAMELLIA,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_DH_DSS,
+		0,
+		128,
+		160
+	},
+	{ TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_CAMELLIA,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_DH_RSA,
+		0,
+		128,
+		160
+	},
+	{ TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_CAMELLIA,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_DHE_DSS,
+		0,
+		128,
+		160
+	},
+	{ TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_CAMELLIA,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_DHE_RSA,
+		0,
+		128,
+		160
+	},
+	{ TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_CAMELLIA,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_DH_anon,
+		0,
+		128,
+		160
+	},
+	{ TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_CAMELLIA,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_RSA,
+		0,
+		256,
+		160
+	},
+	{ TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_CAMELLIA,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_DH_DSS,
+		0,
+		256,
+		160
+	},
+	{ TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_CAMELLIA,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_DH_RSA,
+		0,
+		256,
+		160
+	},
+	{ TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_CAMELLIA,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_DHE_DSS,
+		0,
+		256,
+		160
+	},
+	{ TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_CAMELLIA,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_DHE_RSA,
+		0,
+		256,
+		160
+	},
+	{ TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_CAMELLIA,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_DH_anon,
+		0,
+		256,
+		160
+	},
+	{ TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_3DES,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_ECDHE_ECDSA,
+		0,
+		168,
+		160
+	},
+	{ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_AES,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_ECDHE_ECDSA,
+		0,
+		128,
+		160
+	},
+	{ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_AES,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_ECDHE_ECDSA,
+		0,
+		256,
+		160
+	},
+	{ TLS_ECDHE_ECDSA_WITH_NULL_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_NULL,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_ECDHE_ECDSA,
+		0,
+		0,
+		160
+	},
+	{ TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_RC4,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_ECDHE_ECDSA,
+		0,
+		128,
+		160
+	},
+	{ TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_3DES,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_ECDHE_RSA,
+		0,
+		168,
+		160
+	},
+	{ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_AES,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_ECDHE_RSA,
+		0,
+		128,
+		160
+	},
+	{ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_AES,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_ECDHE_RSA,
+		0,
+		256,
+		160
+	},
+	{ TLS_ECDHE_RSA_WITH_NULL_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_NULL,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_ECDHE_RSA,
+		0,
+		0,
+		160
+	},
+	{ TLS_ECDHE_RSA_WITH_RC4_128_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_RC4,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_ECDHE_RSA,
+		0,
+		128,
+		160
+	},
+	{ TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_3DES,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_ECDH_ECDSA,
+		0,
+		168,
+		160
+	},
+	{ TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_AES,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_ECDH_ECDSA,
+		0,
+		128,
+		160
+	},
+	{ TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_AES,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_ECDH_ECDSA,
+		0,
+		256,
+		160
+	},
+	{ TLS_ECDH_ECDSA_WITH_NULL_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_NULL,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_ECDH_ECDSA,
+		0,
+		0,
+		160
+	},
+	{ TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_RC4,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_ECDH_ECDSA,
+		0,
+		128,
+		160
+	},
+	{ TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_3DES,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_ECDH_RSA,
+		0,
+		168,
+		160
+	},
+	{ TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_AES,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_ECDH_RSA,
+		0,
+		128,
+		160
+	},
+	{ TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_AES,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_ECDH_RSA,
+		0,
+		256,
+		160
+	},
+	{ TLS_ECDH_RSA_WITH_NULL_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_NULL,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_ECDH_RSA,
+		0,
+		0,
+		160
+	},
+	{ TLS_ECDH_RSA_WITH_RC4_128_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_RC4,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_ECDH_RSA,
+		0,
+		128,
+		160
+	},
+	{ TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_3DES,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_ECDH_anon,
+		0,
+		168,
+		160
+	},
+	{ TLS_ECDH_anon_WITH_AES_128_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_AES,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_ECDH_anon,
+		0,
+		128,
+		160
+	},
+	{ TLS_ECDH_anon_WITH_AES_256_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_AES,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_ECDH_anon,
+		0,
+		256,
+		160
+	},
+	{ TLS_ECDH_anon_WITH_NULL_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_NULL,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_ECDH_anon,
+		0,
+		0,
+		160
+	},
+	{ TLS_ECDH_anon_WITH_RC4_128_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_RC4,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_ECDH_anon,
+		0,
+		128,
+		160
+	},
+	{ TLS_RSA_WITH_SEED_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_SEED,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_RSA,
+		0,
+		128,
+		160
+	},
+	{ TLS_DH_DSS_WITH_SEED_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_SEED,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_DH_DSS,
+		0,
+		128,
+		160
+	},
+	{ TLS_DH_RSA_WITH_SEED_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_SEED,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_DH_RSA,
+		0,
+		128,
+		160
+	},
+	{ TLS_DHE_DSS_WITH_SEED_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_SEED,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_DHE_DSS,
+		0,
+		128,
+		160
+	},
+	{ TLS_DHE_RSA_WITH_SEED_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_SEED,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_DHE_RSA,
+		0,
+		128,
+		160
+	},
+	{ TLS_DH_anon_WITH_SEED_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_SEED,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_DH_anon,
+		0,
+		128,
+		160
+	},
+	
+	{ TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
+		SSL_CIPHER_TYPE_NULL,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_NULL,
+		SSL_MAC_NULL,
+		SSL_KEY_EXCHANGE_NULL,
+		0,
+		0,
+		0
+	},
+	
+	
 };
 
 const uint SSL_CipherSpecs_Count =
diff --git a/src/SSLCiphers.h b/src/SSLCiphers.h
index 389c4d1992..12b3ecc0aa 100644
--- a/src/SSLCiphers.h
+++ b/src/SSLCiphers.h
@@ -12,14 +12,14 @@
  */
 enum SSLv2_CipherSpec {
 	// --- standard SSLv2 ciphers
-	SSL_CK_RC4_128_WITH_MD5              = 0x010080,
-	SSL_CK_RC4_128_EXPORT40_WITH_MD5     = 0x020080,
-	SSL_CK_RC2_128_CBC_WITH_MD5          = 0x030080,
-	SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 = 0x040080,
-	SSL_CK_IDEA_128_CBC_WITH_MD5         = 0x050080,
-	SSL_CK_DES_64_CBC_WITH_MD5           = 0x060040,
-	SSL_CK_DES_192_EDE3_CBC_WITH_MD5     = 0x0700C0,
-	SSL_CK_RC4_64_WITH_MD5		     = 0x080080
+	SSL_CK_RC4_128_WITH_MD5                  = 0x010080,
+	SSL_CK_RC4_128_EXPORT40_WITH_MD5         = 0x020080,
+	SSL_CK_RC2_128_CBC_WITH_MD5              = 0x030080,
+	SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5     = 0x040080,
+	SSL_CK_IDEA_128_CBC_WITH_MD5             = 0x050080,
+	SSL_CK_DES_64_CBC_WITH_MD5               = 0x060040,
+	SSL_CK_DES_192_EDE3_CBC_WITH_MD5         = 0x0700C0,
+	SSL_CK_RC4_64_WITH_MD5                   = 0x080080
 };
 
 
@@ -28,60 +28,245 @@ enum SSLv2_CipherSpec {
  */
 enum SSL3_1_CipherSpec {
 	// --- standard SSLv3x ciphers
-	TLS_NULL_WITH_NULL_NULL                = 0x0000,
-	TLS_RSA_WITH_NULL_MD5                  = 0x0001,
-	TLS_RSA_WITH_NULL_SHA                  = 0x0002,
-	TLS_RSA_EXPORT_WITH_RC4_40_MD5         = 0x0003,
-	TLS_RSA_WITH_RC4_128_MD5               = 0x0004,
-	TLS_RSA_WITH_RC4_128_SHA               = 0x0005,
-	TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5     = 0x0006,
-	TLS_RSA_WITH_IDEA_CBC_SHA              = 0x0007,
-	TLS_RSA_EXPORT_WITH_DES40_CBC_SHA      = 0x0008,
-	TLS_RSA_WITH_DES_CBC_SHA               = 0x0009,
-	TLS_RSA_WITH_3DES_EDE_CBC_SHA          = 0x000A,
-	TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA   = 0x000B,
-	TLS_DH_DSS_WITH_DES_CBC_SHA            = 0x000C,
-	TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA       = 0x000D,
-	TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA   = 0x000E,
-	TLS_DH_RSA_WITH_DES_CBC_SHA            = 0x000F,
-	TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA       = 0x0010,
-	TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA  = 0x0011,
-	TLS_DHE_DSS_WITH_DES_CBC_SHA           = 0x0012,
-	TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA      = 0x0013,
-	TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA  = 0x0014,
-	TLS_DHE_RSA_WITH_DES_CBC_SHA           = 0x0015,
-	TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA      = 0x0016,
-	TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5     = 0x0017,
-	TLS_DH_ANON_WITH_RC4_128_MD5           = 0x0018,
-	TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA  = 0x0019,
-	TLS_DH_ANON_WITH_DES_CBC_SHA           = 0x001A,
-	TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA      = 0x001B,
-	// --- special SSLv3 ciphers
-	SSL_FORTEZZA_KEA_WITH_NULL_SHA         = 0x001C,
-	SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA = 0x001D,
-	SSL_FORTEZZA_KEA_WITH_RC4_128_SHA      = 0x001E,
-	// --- special SSLv3 FIPS ciphers
-	SSL_RSA_FIPS_WITH_DES_CBC_SHA		   = 0xFEFE,
-	SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA	   = 0XFEFF,
-	// --- new 56 bit export ciphers
-	TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA     = 0x0062,
-	TLS_RSA_EXPORT1024_WITH_RC4_56_SHA      = 0x0064,
-	TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA = 0x0063,
-	TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA  = 0x0065,
-	TLS_DHE_DSS_WITH_RC4_128_SHA            = 0x0066,
+	TLS_NULL_WITH_NULL_NULL                  = 0x0000,
+	TLS_RSA_WITH_NULL_MD5                    = 0x0001,
+	TLS_RSA_WITH_NULL_SHA                    = 0x0002,
+	TLS_RSA_EXPORT_WITH_RC4_40_MD5           = 0x0003,
+	TLS_RSA_WITH_RC4_128_MD5                 = 0x0004,
+	TLS_RSA_WITH_RC4_128_SHA                 = 0x0005,
+	TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5       = 0x0006,
+	TLS_RSA_WITH_IDEA_CBC_SHA                = 0x0007,
+	TLS_RSA_EXPORT_WITH_DES40_CBC_SHA        = 0x0008,
+	TLS_RSA_WITH_DES_CBC_SHA                 = 0x0009,
+	TLS_RSA_WITH_3DES_EDE_CBC_SHA            = 0x000A,
+	TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA     = 0x000B,
+	TLS_DH_DSS_WITH_DES_CBC_SHA              = 0x000C,
+	TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA         = 0x000D,
+	TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA     = 0x000E,
+	TLS_DH_RSA_WITH_DES_CBC_SHA              = 0x000F,
+	TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA         = 0x0010,
+	TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA    = 0x0011,
+	TLS_DHE_DSS_WITH_DES_CBC_SHA             = 0x0012,
+	TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA        = 0x0013,
+	TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA    = 0x0014,
+	TLS_DHE_RSA_WITH_DES_CBC_SHA             = 0x0015,
+	TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA        = 0x0016,
+	TLS_DH_anon_EXPORT_WITH_RC4_40_MD5       = 0x0017,
+	TLS_DH_anon_WITH_RC4_128_MD5             = 0x0018,
+	TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA    = 0x0019,
+	TLS_DH_anon_WITH_DES_CBC_SHA             = 0x001A,
+	TLS_DH_anon_WITH_3DES_EDE_CBC_SHA        = 0x001B,
+	// --- special SSLv3 ciphers            
+	SSL_FORTEZZA_KEA_WITH_NULL_SHA           = 0x001C,
+	SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA   = 0x001D,
+	//SSL_FORTEZZA_KEA_WITH_RC4_128_SHA        = 0x001E,
+	// -- RFC 2712 (ciphers not fully described in SSLCiphers.cc)
+	TLS_KRB5_WITH_DES_CBC_SHA                = 0x001E,
+	TLS_KRB5_WITH_3DES_EDE_CBC_SHA           = 0x001F,
+	TLS_KRB5_WITH_RC4_128_SHA                = 0x0020,
+	TLS_KRB5_WITH_IDEA_CBC_SHA               = 0x0021,
+	TLS_KRB5_WITH_DES_CBC_MD5                = 0x0022,
+	TLS_KRB5_WITH_3DES_EDE_CBC_MD5           = 0x0023,
+	TLS_KRB5_WITH_RC4_128_MD5                = 0x0024,
+	TLS_KRB5_WITH_IDEA_CBC_MD5               = 0x0025,
+	TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA      = 0x0026,
+	TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA      = 0x0027,
+	TLS_KRB5_EXPORT_WITH_RC4_40_SHA          = 0x0028,
+	TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5      = 0x0029,
+	TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5      = 0x002A,
+	TLS_KRB5_EXPORT_WITH_RC4_40_MD5          = 0x002B,
+	
 	// --- new AES ciphers
-	TLS_RSA_WITH_AES_128_CBC_SHA      = 0x002F,
-	TLS_DH_DSS_WITH_AES_128_CBC_SHA   = 0x0030,
-	TLS_DH_RSA_WITH_AES_128_CBC_SHA   = 0x0031,
-	TLS_DHE_DSS_WITH_AES_128_CBC_SHA  = 0x0032,
-	TLS_DHE_RSA_WITH_AES_128_CBC_SHA  = 0x0033,
-	TLS_DH_ANON_WITH_AES_128_CBC_SHA  = 0x0034,
-	TLS_RSA_WITH_AES_256_CBC_SHA      = 0x0035,
-	TLS_DH_DSS_WITH_AES_256_CBC_SHA   = 0x0036,
-	TLS_DH_RSA_WITH_AES_256_CBC_SHA   = 0x0037,
-	TLS_DHE_DSS_WITH_AES_256_CBC_SHA  = 0x0038,
-	TLS_DHE_RSA_WITH_AES_256_CBC_SHA  = 0x0039,
-	TLS_DH_ANON_WITH_AES_256_CBC_SHA  = 0x003A
+	TLS_RSA_WITH_AES_128_CBC_SHA             = 0x002F,
+	TLS_DH_DSS_WITH_AES_128_CBC_SHA          = 0x0030,
+	TLS_DH_RSA_WITH_AES_128_CBC_SHA          = 0x0031,
+	TLS_DHE_DSS_WITH_AES_128_CBC_SHA         = 0x0032,
+	TLS_DHE_RSA_WITH_AES_128_CBC_SHA         = 0x0033,
+	TLS_DH_anon_WITH_AES_128_CBC_SHA         = 0x0034,
+	TLS_RSA_WITH_AES_256_CBC_SHA             = 0x0035,
+	TLS_DH_DSS_WITH_AES_256_CBC_SHA          = 0x0036,
+	TLS_DH_RSA_WITH_AES_256_CBC_SHA          = 0x0037,
+	TLS_DHE_DSS_WITH_AES_256_CBC_SHA         = 0x0038,
+	TLS_DHE_RSA_WITH_AES_256_CBC_SHA         = 0x0039,
+	TLS_DH_anon_WITH_AES_256_CBC_SHA         = 0x003A,
+	TLS_RSA_WITH_NULL_SHA256                 = 0x003B,
+	TLS_RSA_WITH_AES_128_CBC_SHA256          = 0x003C,
+	TLS_RSA_WITH_AES_256_CBC_SHA256          = 0x003D,
+	TLS_DH_DSS_WITH_AES_128_CBC_SHA256       = 0x003E,
+	TLS_DH_RSA_WITH_AES_128_CBC_SHA256       = 0x003F,
+	TLS_DHE_DSS_WITH_AES_128_CBC_SHA256      = 0x0040,
+	// -- RFC 4132
+	TLS_RSA_WITH_CAMELLIA_128_CBC_SHA        = 0x0041,
+	TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA     = 0x0042,
+	TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA     = 0x0043,
+	TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA    = 0x0044,
+	TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA    = 0x0045,
+	TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA    = 0x0046,
+	// -- Non-RFC.  Widely deployed implementation (ciphers not fully described in SSLCiphers.cc)
+	TLS_RSA_EXPORT1024_WITH_RC4_56_MD5       = 0x0060,
+	TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5   = 0x0061,
+	TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA      = 0x0062,
+	TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA  = 0x0063,
+	TLS_RSA_EXPORT1024_WITH_RC4_56_SHA       = 0x0064,
+	TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA   = 0x0065,
+	TLS_DHE_DSS_WITH_RC4_128_SHA             = 0x0066,
+	// -- RFC 5246 (ciphers not fully described in SSLCiphers.cc)
+	TLS_DHE_RSA_WITH_AES_128_CBC_SHA256      = 0x0067,
+	TLS_DH_DSS_WITH_AES_256_CBC_SHA256       = 0x0068,
+	TLS_DH_RSA_WITH_AES_256_CBC_SHA256       = 0x0069,
+	TLS_DHE_DSS_WITH_AES_256_CBC_SHA256      = 0x006A,
+	TLS_DHE_RSA_WITH_AES_256_CBC_SHA256      = 0x006B,
+	TLS_DH_anon_WITH_AES_128_CBC_SHA256      = 0x006C,
+	TLS_DH_anon_WITH_AES_256_CBC_SHA256      = 0x006D,
+	// -- RFC 5932
+	TLS_RSA_WITH_CAMELLIA_256_CBC_SHA        = 0x0084,
+	TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA     = 0x0085,
+	TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA     = 0x0086,
+	TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA    = 0x0087,
+	TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA    = 0x0088,
+	TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA    = 0x0089,
+	// -- RFC 4279 (ciphers not fully described in SSLCiphers.cc)
+	TLS_PSK_WITH_RC4_128_SHA                 = 0x008A,
+	TLS_PSK_WITH_3DES_EDE_CBC_SHA            = 0x008B,
+	TLS_PSK_WITH_AES_128_CBC_SHA             = 0x008C,
+	TLS_PSK_WITH_AES_256_CBC_SHA             = 0x008D,
+	TLS_DHE_PSK_WITH_RC4_128_SHA             = 0x008E,
+	TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA        = 0x008F,
+	TLS_DHE_PSK_WITH_AES_128_CBC_SHA         = 0x0090,
+	TLS_DHE_PSK_WITH_AES_256_CBC_SHA         = 0x0091,
+	TLS_RSA_PSK_WITH_RC4_128_SHA             = 0x0092,
+	TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA        = 0x0093,
+	TLS_RSA_PSK_WITH_AES_128_CBC_SHA         = 0x0094,
+	TLS_RSA_PSK_WITH_AES_256_CBC_SHA         = 0x0095,
+	// -- RFC 4162
+	TLS_RSA_WITH_SEED_CBC_SHA                = 0x0096,
+	TLS_DH_DSS_WITH_SEED_CBC_SHA             = 0x0097,
+	TLS_DH_RSA_WITH_SEED_CBC_SHA             = 0x0098,
+	TLS_DHE_DSS_WITH_SEED_CBC_SHA            = 0x0099,
+	TLS_DHE_RSA_WITH_SEED_CBC_SHA            = 0x009A,
+	TLS_DH_anon_WITH_SEED_CBC_SHA            = 0x009B,
+	// -- RFC 5288 (ciphers not fully described in SSLCiphers.cc)
+	TLS_RSA_WITH_AES_128_GCM_SHA256          = 0x009C,
+	TLS_RSA_WITH_AES_256_GCM_SHA384          = 0x009D,
+	TLS_DHE_RSA_WITH_AES_128_GCM_SHA256      = 0x009E,
+	TLS_DHE_RSA_WITH_AES_256_GCM_SHA384      = 0x009F,
+	TLS_DH_RSA_WITH_AES_128_GCM_SHA256       = 0x00A0,
+	TLS_DH_RSA_WITH_AES_256_GCM_SHA384       = 0x00A1,
+	TLS_DHE_DSS_WITH_AES_128_GCM_SHA256      = 0x00A2,
+	TLS_DHE_DSS_WITH_AES_256_GCM_SHA384      = 0x00A3,
+	TLS_DH_DSS_WITH_AES_128_GCM_SHA256       = 0x00A4,
+	TLS_DH_DSS_WITH_AES_256_GCM_SHA384       = 0x00A5,
+	TLS_DH_anon_WITH_AES_128_GCM_SHA256      = 0x00A6,
+	TLS_DH_anon_WITH_AES_256_GCM_SHA384      = 0x00A7,
+    // -- RFC 5487 (ciphers not fully described in SSLCiphers.cc)
+	TLS_PSK_WITH_AES_128_GCM_SHA256          = 0x00A8,
+	TLS_PSK_WITH_AES_256_GCM_SHA384          = 0x00A9,
+	TLS_DHE_PSK_WITH_AES_128_GCM_SHA256      = 0x00AA,
+	TLS_DHE_PSK_WITH_AES_256_GCM_SHA384      = 0x00AB,
+	TLS_RSA_PSK_WITH_AES_128_GCM_SHA256      = 0x00AC,
+	TLS_RSA_PSK_WITH_AES_256_GCM_SHA384      = 0x00AD,
+	TLS_PSK_WITH_AES_128_CBC_SHA256          = 0x00AE,
+	TLS_PSK_WITH_AES_256_CBC_SHA384          = 0x00AF,
+	TLS_PSK_WITH_NULL_SHA256                 = 0x00B0,
+	TLS_PSK_WITH_NULL_SHA384                 = 0x00B1,
+	TLS_DHE_PSK_WITH_AES_128_CBC_SHA256      = 0x00B2,
+	TLS_DHE_PSK_WITH_AES_256_CBC_SHA384      = 0x00B3,
+	TLS_DHE_PSK_WITH_NULL_SHA256             = 0x00B4,
+	TLS_DHE_PSK_WITH_NULL_SHA384             = 0x00B5,
+	TLS_RSA_PSK_WITH_AES_128_CBC_SHA256      = 0x00B6,
+	TLS_RSA_PSK_WITH_AES_256_CBC_SHA384      = 0x00B7,
+	TLS_RSA_PSK_WITH_NULL_SHA256             = 0x00B8,
+	TLS_RSA_PSK_WITH_NULL_SHA384             = 0x00B9,
+	// -- RFC 5932 (ciphers not fully described in SSLCiphers.cc)
+	TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256     = 0x00BA,
+	TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256  = 0x00BB,
+	TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256  = 0x00BC,
+	TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BD,
+	TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BE,
+	TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BF,
+	TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256     = 0x00C0,
+	TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256  = 0x00C1,
+	TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256  = 0x00C2,
+	TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C3,
+	TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C4,
+	TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C5,
+	// -- RFC 4492
+	TLS_ECDH_ECDSA_WITH_NULL_SHA             = 0xC001,
+	TLS_ECDH_ECDSA_WITH_RC4_128_SHA          = 0xC002,
+	TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA     = 0xC003,
+	TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA      = 0xC004,
+	TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA      = 0xC005,
+	TLS_ECDHE_ECDSA_WITH_NULL_SHA            = 0xC006,
+	TLS_ECDHE_ECDSA_WITH_RC4_128_SHA         = 0xC007,
+	TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA    = 0xC008,
+	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA     = 0xC009,
+	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA     = 0xC00A,
+	TLS_ECDH_RSA_WITH_NULL_SHA               = 0xC00B,
+	TLS_ECDH_RSA_WITH_RC4_128_SHA            = 0xC00C,
+	TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA       = 0xC00D,
+	TLS_ECDH_RSA_WITH_AES_128_CBC_SHA        = 0xC00E,
+	TLS_ECDH_RSA_WITH_AES_256_CBC_SHA        = 0xC00F,
+	TLS_ECDHE_RSA_WITH_NULL_SHA              = 0xC010,
+	TLS_ECDHE_RSA_WITH_RC4_128_SHA           = 0xC011,
+	TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA      = 0xC012,
+	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA       = 0xC013,
+	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA       = 0xC014,
+	TLS_ECDH_anon_WITH_NULL_SHA              = 0xC015,
+	TLS_ECDH_anon_WITH_RC4_128_SHA           = 0xC016,
+	TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA      = 0xC017,
+	TLS_ECDH_anon_WITH_AES_128_CBC_SHA       = 0xC018,
+	TLS_ECDH_anon_WITH_AES_256_CBC_SHA       = 0xC019,
+	// -- RFC 5054 (ciphers not fully described in SSLCiphers.cc)
+	TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA        = 0xC01A,
+	TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA    = 0xC01B,
+	TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA    = 0xC01C,
+	TLS_SRP_SHA_WITH_AES_128_CBC_SHA         = 0xC01D,
+	TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA     = 0xC01E,
+	TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA     = 0xC01F,
+	TLS_SRP_SHA_WITH_AES_256_CBC_SHA         = 0xC020,
+	TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA     = 0xC021,
+	TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA     = 0xC022,
+	// -- RFC 5289 (ciphers not fully described in SSLCiphers.cc)
+	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256  = 0xC023,
+	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384  = 0xC024,
+	TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256   = 0xC025,
+	TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384   = 0xC026,
+	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256    = 0xC027,
+	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384    = 0xC028,
+	TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256     = 0xC029,
+	TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384     = 0xC02A,
+	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256  = 0xC02B,
+	TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384  = 0xC02C,
+	TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256   = 0xC02D,
+	TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384   = 0xC02E,
+	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256    = 0xC02F,
+	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384    = 0xC030,
+	TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256     = 0xC031,
+	TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384     = 0xC032,
+	// -- RFC 5489 (ciphers not fully described in SSLCiphers.cc)
+	TLS_ECDHE_PSK_WITH_RC4_128_SHA           = 0xC033,
+	TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA      = 0xC034,
+	TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA       = 0xC035,
+	TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA       = 0xC036,
+	TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256    = 0xC037,
+	TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384    = 0xC038,
+	TLS_ECDHE_PSK_WITH_NULL_SHA              = 0xC039,
+	TLS_ECDHE_PSK_WITH_NULL_SHA256           = 0xC03A,
+	TLS_ECDHE_PSK_WITH_NULL_SHA384           = 0xC03B,
+	
+	// --- special SSLv3 FIPS ciphers
+	SSL_RSA_FIPS_WITH_DES_CBC_SHA            = 0xFEFE,
+	SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA       = 0xFEFF,
+	SSL_RSA_FIPS_WITH_DES_CBC_SHA_2          = 0xFFE1,
+	SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA_2     = 0xFFE0,
+
+	// Tags for SSL 2 cipher kinds which are not specified for SSL 3. 
+	SSL_RSA_WITH_RC2_CBC_MD5                 = 0xFF80,
+	SSL_RSA_WITH_IDEA_CBC_MD5                = 0xFF81,
+	SSL_RSA_WITH_DES_CBC_MD5                 = 0xFF82,
+	SSL_RSA_WITH_3DES_EDE_CBC_MD5            = 0xFF83,
+	
+	TLS_EMPTY_RENEGOTIATION_INFO_SCSV        = 0x00FF,
 };
 
 enum SSL_CipherType {
@@ -99,7 +284,9 @@ enum SSL_BulkCipherAlgorithm {
 	SSL_CIPHER_DES40,
 	SSL_CIPHER_FORTEZZA,
 	SSL_CIPHER_IDEA,
-	SSL_CIPHER_AES
+	SSL_CIPHER_AES,
+	SSL_CIPHER_CAMELLIA,
+	SSL_CIPHER_SEED,
 };
 
 enum SSL_MACAlgorithm {
@@ -121,12 +308,18 @@ enum SSL_KeyExchangeAlgorithm {
 	SSL_KEY_EXCHANGE_DHE_DSS_EXPORT,
 	SSL_KEY_EXCHANGE_DHE_RSA,
 	SSL_KEY_EXCHANGE_DHE_RSA_EXPORT,
-	SSL_KEY_EXCHANGE_DH_ANON,
-	SSL_KEY_EXCHANGE_DH_ANON_EXPORT,
+	SSL_KEY_EXCHANGE_DH_anon,
+	SSL_KEY_EXCHANGE_DH_anon_EXPORT,
 	SSL_KEY_EXCHANGE_FORTEZZA_KEA,
 	// --- new 56 bit export ciphers
 	SSL_KEY_EXCHANGE_RSA_EXPORT1024,
-	SSL_KEY_EXCHANGE_DHE_DSS_EXPORT1024
+	SSL_KEY_EXCHANGE_DHE_DSS_EXPORT1024,
+	// -- Elliptic Curve key change algorithms (rfc4492)
+	SSL_KEY_EXCHANGE_ECDH_ECDSA,
+	SSL_KEY_EXCHANGE_ECDHE_ECDSA,
+	SSL_KEY_EXCHANGE_ECDH_RSA,
+	SSL_KEY_EXCHANGE_ECDHE_RSA,
+	SSL_KEY_EXCHANGE_ECDH_anon,
 };
 
 #if 0
diff --git a/src/SSLInterpreter.cc b/src/SSLInterpreter.cc
index 0f12915ef5..7e185c9e7f 100644
--- a/src/SSLInterpreter.cc
+++ b/src/SSLInterpreter.cc
@@ -3,9 +3,7 @@
 #include "SSLInterpreter.h"
 #include "SSLv2.h"
 
-#ifdef USE_OPENSSL
 #include "X509.h"
-#endif
 
 #include <sys/socket.h>
 #include <netinet/in.h>
@@ -173,17 +171,12 @@ void SSL_Interpreter::analyzeCertificate(SSL_InterpreterEndpoint* s,
 		int invalid = 0;
 		switch ( type ) {
 		case SSLv2_CT_X509_CERTIFICATE:
-#ifdef USE_OPENSSL
 			if ( ! isChain )
 				invalid = X509_Cert::verify(s->GetProxyEndpoint(),
 							pCert, certLength);
 			else
 				invalid = X509_Cert::verifyChain(s->GetProxyEndpoint(),
 							data, length);
-#else
-			proxy->Weak("SSL: Could not verify certificate (missing OpenSSL support)!");
-			invalid = 0;
-#endif
 			break;
 
 		default:
diff --git a/src/SSLProxy.cc b/src/SSLProxy.cc
index a0cf73b8fb..85fd29898f 100644
--- a/src/SSLProxy.cc
+++ b/src/SSLProxy.cc
@@ -174,7 +174,6 @@ bool SSL_RecordBuilder::addSegment(const u_char* data, int length)
 			if ( ! computeExpectedSize(data, length) )
 				return false;
 
-			// Insert weird here replacing assert.
 			if ( neededSize > expectedSize )
 				{
 				sslEndpoint->Weird("SSL_RecordBuilder::addSegment neededSize > expectedSize");
@@ -277,8 +276,7 @@ bool SSL_RecordBuilder::addSegment(const u_char* data, int length)
 		else if ( currentSize + length < expectedSize )
 			{ // another (middle) segment
 			if ( length <= MIN_FRAGMENT_SIZE )
-				sslEndpoint->Parent()->Weird( "SSLProxy: Excessive small TCP Segment!" );
-
+				sslEndpoint->Parent()->Weird("SSLProxy: Excessive small TCP Segment!");
 			addData(data, length);
 			break;
 			}
diff --git a/src/SSLv3.cc b/src/SSLv3.cc
index 4d89f27ad8..bebc7a076f 100644
--- a/src/SSLv3.cc
+++ b/src/SSLv3.cc
@@ -195,7 +195,7 @@ void SSLv3_Interpreter::printStats()
 	printf( "SSLv3x:\n" );
 	printf( "Note: Because handshake messages may be coalesced into a \n");
 	printf( "      single SSLv3x record, the number of total messages for SSLv3x plus \n");
-	printf( "      the number of total records seen for SSLv2 won't match \n");
+	printf( "      the number of total records seen for SSLv3 won't match \n");
 	printf( "      SSLProxy_Analyzer::totalRecords! \n");
 	printf( "total connections			= %u\n", totalConnections );
 	printf( "opened connections (complete handshake)	= %u\n", openedConnections );
@@ -383,84 +383,71 @@ void SSLv3_Interpreter::DeliverSSLv3_Record(SSLv3_HandshakeRecord* rec)
 
 		case SSL3_1_CERTIFICATE:
 			{
-			if ( rec->length >= 3 )
+			const u_char* pData = rec->data;
+			uint32 certListLength =
+				uint32((pData[4] << 16) |
+				       pData[5] << 8) | pData[6];
+			
+			// Sum of all cert sizes has to match
+			// certListLength.
+			uint tempLength = 0;
+			uint certCount = 0;
+			while ( tempLength < certListLength )
 				{
-				const u_char* pData = rec->data;
-				uint32 certListLength =
-					uint32((pData[4] << 16) |
-					       pData[5] << 8) | pData[6];
-
-				// Size consistency checks.
-				if ( certListLength + 3 != uint32(rec->length) )
+				if ( tempLength + 3 <= certListLength )
 					{
-					if ( rec->endp->IsOrig() )
-						Weird("SSLv3x: Corrupt length field in client certificate list!");
-					else
-						Weird("SSLv3x: Corrupt length field in server certificate list!");
-					return;
-					}
-
-				// Sum of all cert sizes has to match
-				// certListLength.
-				uint tempLength = 0;
-				uint certCount = 0;
-				while ( tempLength < certListLength )
-					{
-					if ( tempLength + 3 <= certListLength )
-						{
-						++certCount;
-						uint32 certLength =
-							uint32((pData[tempLength + 7] << 16) | pData[tempLength + 8] << 8) | pData[tempLength + 9];
-						tempLength += certLength + 3;
-						}
-					else
-						{
-						Weird("SSLv3x: Corrupt length field in certificate list!");
-						return;
-						}
-					}
-
-				if ( tempLength > certListLength )
-					{
-					Weird("SSLv3x: sum of size of certificates doesn't match size of certificate chain");
-					return;
-					}
-
-				SSL_InterpreterEndpoint* pEp =
-					(SSL_InterpreterEndpoint*) rec->endp;
-
-				if ( certCount == 0 )
-					{ // we don't have a certificate...
-					if ( rec->endp->IsOrig() )
-						{
-						Weird("SSLv3x: Client certificate is missing!");
-						break;
-						}
-					else
-						{
-						Weird("SSLv3x: Server certificate is missing!");
-						break;
-						}
-					}
-
-				if ( certCount > 1 )
-					{ // we have a chain
-					analyzeCertificate(pEp,
-						rec->data + 7,
-						certListLength, 1, true);
+					++certCount;
+					uint32 certLength =
+						uint32((pData[tempLength + 7] << 16) | pData[tempLength + 8] << 8) | pData[tempLength + 9];
+					tempLength += certLength + 3;
 					}
 				else
 					{
-					// We have a single certificate.
-					// FIXME.
-					analyzeCertificate(pEp,
-						rec->data + 10,
-						certListLength-3, 1, false);
+					Weird("SSLv3x: Corrupt length field in certificate list!");
+					return;
 					}
+				}
 
+			if ( tempLength > certListLength )
+				{
+				Weird("SSLv3x: sum of size of certificates doesn't match size of certificate chain");
+				return;
+				}
+
+			SSL_InterpreterEndpoint* pEp =
+				(SSL_InterpreterEndpoint*) rec->endp;
+
+			if ( certCount == 0 )
+				{ 
+				// we don't have a certificate, but this is valid
+				// according to RFC2246
+				if ( rec->endp->IsOrig() )
+					{
+					Weird("SSLv3x: Client certificate is missing!");
+					break;
+					}
+				else
+					{
+					Weird("SSLv3x: Server certificate is missing!");
+					break;
+					}
+				}
+
+			if ( certCount > 1 )
+				{ // we have a chain
+				analyzeCertificate(pEp,
+					rec->data + 7,
+					certListLength, 1, true);
 				}
 			else
-				Weird("SSLv3x: Certificate record too small!" );
+				{
+				// We have a single certificate.
+				// FIXME.
+				analyzeCertificate(pEp,
+					rec->data + 10,
+					certListLength-3, 1, false);
+				}
+
 			break;
 			}
 
@@ -554,7 +541,7 @@ void SSLv3_Interpreter::DeliverSSLv3_Record(SSLv3_HandshakeRecord* rec)
 					}
 				else
 					{
-					if ( keyXAlgorithm == SSL_KEY_EXCHANGE_DH || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_DSS || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_DSS_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_RSA || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_RSA_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_DSS || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_DSS_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_RSA || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_RSA_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_ANON || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_ANON_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_DSS_EXPORT1024 )
+					if ( keyXAlgorithm == SSL_KEY_EXCHANGE_DH || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_DSS || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_DSS_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_RSA || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_RSA_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_DSS || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_DSS_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_RSA || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_RSA_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_anon || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_anon_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_DSS_EXPORT1024 )
 						{
 						if ( rec->length < 2 )
 							{
@@ -595,11 +582,11 @@ void SSLv3_Interpreter::DeliverSSLv3_Record(SSLv3_HandshakeRecord* rec)
 			switch (cipherSuite)
 				{
 				case TLS_NULL_WITH_NULL_NULL:
-				case TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5:
-				case TLS_DH_ANON_WITH_RC4_128_MD5:
-				case TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA:
-				case TLS_DH_ANON_WITH_DES_CBC_SHA:
-				case TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA:
+				case TLS_DH_anon_EXPORT_WITH_RC4_40_MD5:
+				case TLS_DH_anon_WITH_RC4_128_MD5:
+				case TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA:
+				case TLS_DH_anon_WITH_DES_CBC_SHA:
+				case TLS_DH_anon_WITH_3DES_EDE_CBC_SHA:
 					{
 					Weird("SSLv3x: Sending certificate-request not allowed for anonymous servers!");
 					break;
@@ -618,7 +605,7 @@ void SSLv3_Interpreter::DeliverSSLv3_Record(SSLv3_HandshakeRecord* rec)
 				break;
 				}
 
-			if ( pCipherSuite->keyExchangeAlgorithm == SSL_KEY_EXCHANGE_DH_ANON || pCipherSuite->keyExchangeAlgorithm == SSL_KEY_EXCHANGE_DH_ANON_EXPORT )
+			if ( pCipherSuite->keyExchangeAlgorithm == SSL_KEY_EXCHANGE_DH_anon || pCipherSuite->keyExchangeAlgorithm == SSL_KEY_EXCHANGE_DH_anon_EXPORT )
 				Weird("SSLv3x: Sending certificate-request not allowed for anonymous servers!");
 
 			// FIXME: Insert weird checks!
@@ -654,7 +641,7 @@ void SSLv3_Interpreter::DeliverSSLv3_Record(SSLv3_HandshakeRecord* rec)
 					}
 				else
 					{
-					if ( keyXAlgorithm == SSL_KEY_EXCHANGE_DH || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_DSS || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_DSS_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_RSA || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_RSA_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_DSS || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_DSS_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_RSA || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_RSA_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_ANON || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_ANON_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_DSS_EXPORT1024 )
+					if ( keyXAlgorithm == SSL_KEY_EXCHANGE_DH || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_DSS || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_DSS_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_RSA || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_RSA_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_DSS || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_DSS_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_RSA || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_RSA_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_anon || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_anon_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_DSS_EXPORT1024 )
 						{
 						if ( rec->length < 2 )
 							{
@@ -938,14 +925,6 @@ TableVal* SSLv3_Interpreter::analyzeCiphers(const SSLv3_Endpoint* s, int length,
 	{
 	int is_orig = (SSL_InterpreterEndpoint*) s == orig;
 
-	if ( length > ssl_max_cipherspec_size )
-		{
-		if ( is_orig )
-			Weird("SSLv2: Client has CipherSpecs > ssl_max_cipherspec_size");
-		else
-			Weird("SSLv2: Server has CipherSpecs > ssl_max_cipherspec_size");
-		}
-
 	const u_char* pCipher = data;
 	SSL_CipherSpec* pCipherSuiteTemp = 0;
 	uint16 cipherSuite;
@@ -1236,16 +1215,6 @@ SSLv3_HandshakeRecord::SSLv3_HandshakeRecord(const u_char* data, int len,
 				uint16 version, SSLv3_Endpoint const* e)
 : SSLv3_Record(data, len, version, e)
 	{
-	// Weird-check for minimum handshake length header.
-	if ( len < 4 )
-		{
-		e->Interpreter()->Weird("SSLv3x: Handshake-header-length too small!");
-		type = 255;
-		length = 0;
-		next = 0;
-		return;
-		}
-
 	// Don't analyze encrypted client handshake messages.
 	if ( e->IsOrig() &&
 	     ((SSLv3_Interpreter*) e->Interpreter())->change_cipher_client_seen &&
@@ -1270,7 +1239,10 @@ SSLv3_HandshakeRecord::SSLv3_HandshakeRecord(const u_char* data, int len,
 
 	type = uint8(*(this->data));
 	length = ExtractInt24(data, len, 1);
-	if ( length + 4 < len )
+	
+	if ( length == 0 ) // this is a special case to deal with 0 length certs
+		next = 0;
+	else if ( length + 4 < len )
 		next = new SSLv3_HandshakeRecord(data + length + 4,
 					len - (length + 4), version, e);
 	else if ( length + 4 > len )
@@ -1328,7 +1300,9 @@ int SSLv3_HandshakeRecord::checkClientHello()
 	     version != SSLProxy_Analyzer::SSLv31 )
 		endp->Interpreter()->Weird("SSLv3x: Corrupt version information in Client hello!");
 
-	uint8 sessionIDLength = uint8(data[38]);
+	uint16 offset = 38;
+	uint8 sessionIDLength = uint8(data[offset]);
+	offset += (1 + sessionIDLength);
 	if ( sessionIDLength > 32 )
 		{
 		endp->Interpreter()->Weird("SSLv3x: SessionID too long in Client hello!");
@@ -1336,29 +1310,38 @@ int SSLv3_HandshakeRecord::checkClientHello()
 		}
 
 	uint16 cipherSuiteLength =
-		uint16(data[39 + sessionIDLength] << 8 ) |
-		data[40 + sessionIDLength];
-
+		uint16(data[offset] << 8) | data[offset+1];
+	offset += (2 + cipherSuiteLength);
 	if ( cipherSuiteLength < 2 )
 		endp->Interpreter()->Weird("SSLv3x: CipherSuite length too small!");
 
-	if ( cipherSuiteLength + sessionIDLength + 41 > recordLength )
+	if ( offset > recordLength )
 		{
 		endp->Interpreter()->Weird("SSLv3x: Client hello too small, corrupt length fields!");
 		return 0;
 		}
 
-	uint8 compressionMethodLength =
-		uint8(data[41 + sessionIDLength + cipherSuiteLength]);
-
+	uint8 compressionMethodLength = uint8(data[offset]);
+	offset += (1 + compressionMethodLength);
 	if ( compressionMethodLength < 1 )
 		endp->Interpreter()->Weird("SSLv3x: CompressionMethod length too small!");
 
-	if ( sessionIDLength + cipherSuiteLength +
-	     compressionMethodLength + 38 != length )
+	if ( offset < length )
 		{
-		endp->Interpreter()->Weird("SSLv3x: Corrupt length fields in Client hello!");
-		return 0;
+		uint16 sslExtensionsLength =
+			uint16(data[offset] << 8) | data[offset+1];
+		offset += 2;
+		if ( sslExtensionsLength < 4 )
+			endp->Interpreter()->Weird("SSLv3x: Extensions length too small!");
+
+		// TODO: extract SSL extensions here
+
+		offset += sslExtensionsLength;
+		if ( offset != length+4 )
+			{
+			endp->Interpreter()->Weird("SSLv3x: Corrupt length fields in Client hello!");
+			return 0;
+			}
 		}
 
 	return 1;
@@ -1377,16 +1360,33 @@ int SSLv3_HandshakeRecord::checkServerHello()
 	     version != SSLProxy_Analyzer::SSLv31 )
 		endp->Interpreter()->Weird("SSLv3x: Corrupt version information in Server hello!");
 
-	uint8 sessionIDLength = uint8(data[38]);
+	uint16 offset = 38;
+	uint8 sessionIDLength = uint8(data[offset]);
 	if ( sessionIDLength > 32 )
 		{
 		endp->Interpreter()->Weird("SSLv3x: SessionID too long in Server hello!");
 		return 0;
 		}
+	offset += (1 + sessionIDLength);
 
-	if ( (sessionIDLength + 38) != length )
+	offset += 3; // account for cipher and compression method
+	if ( offset < length )
 		{
-		endp->Interpreter()->Weird("SSLv3x: Corrupt length fields in Server hello!");
+		uint16 sslExtensionsLength =
+			uint16(data[offset] << 8) | data[offset+1];
+		offset += 2;
+		if ( sslExtensionsLength < 4 )
+			endp->Interpreter()->Weird("SSLv3x: Extensions length too small!");
+
+		// TODO: extract SSL extensions here
+		offset += sslExtensionsLength;
+
+		if ( offset != length+4 )
+			{
+			endp->Interpreter()->Weird("SSLv3x: Corrupt length fields in Server hello!");
+			return 0;
+			}
+
 		return 0;
 		}
 
diff --git a/src/Scope.cc b/src/Scope.cc
index f8fa9f4883..c9b12c356c 100644
--- a/src/Scope.cc
+++ b/src/Scope.cc
@@ -11,45 +11,6 @@
 static scope_list scopes;
 static Scope* top_scope;
 
-extern const char* GLOBAL_MODULE_NAME = "GLOBAL";
-
-
-// Returns it without trailing "::".
-string extract_module_name(const char* name)
-	{
-	string module_name = name;
-	string::size_type pos = module_name.rfind("::");
-
-	if ( pos == string::npos )
-		return string(GLOBAL_MODULE_NAME);
-
-	module_name.erase(pos);
-
-	return module_name;
-	}
-
-string normalized_module_name(const char* module_name)
-	{
-	int mod_len;
-	if ( (mod_len = strlen(module_name)) >= 2 &&
-	     ! strcmp(module_name + mod_len - 2, "::") )
-		mod_len -= 2;
-
-	return string(module_name, mod_len);
-	}
-
-string make_full_var_name(const char* module_name, const char* var_name)
-	{
-	if ( ! module_name || streq(module_name, GLOBAL_MODULE_NAME) ||
-	     strstr(var_name, "::") )
-		return string(var_name);
-
-	string full_name = normalized_module_name(module_name);
-	full_name += "::";
-	full_name += var_name;
-
-	return full_name;
-	}
 
 Scope::Scope(ID* id)
 	{
@@ -152,9 +113,11 @@ TraversalCode Scope::Traverse(TraversalCallback* cb) const
 	}
 
 
-ID* lookup_ID(const char* name, const char* curr_module, bool no_global)
+ID* lookup_ID(const char* name, const char* curr_module, bool no_global,
+	      bool same_module_only)
 	{
 	string fullname = make_full_var_name(curr_module, name);
+
 	string ID_module = extract_module_name(fullname.c_str());
 	bool need_export = ID_module != GLOBAL_MODULE_NAME &&
 				ID_module != curr_module;
@@ -173,7 +136,8 @@ ID* lookup_ID(const char* name, const char* curr_module, bool no_global)
 			}
 		}
 
-	if ( ! no_global )
+	if ( ! no_global && (strcmp(GLOBAL_MODULE_NAME, curr_module) == 0 ||
+			     ! same_module_only) )
 		{
 		string globalname = make_full_var_name(GLOBAL_MODULE_NAME, name);
 		ID* id = global_scope()->Lookup(globalname.c_str());
diff --git a/src/Scope.h b/src/Scope.h
index 19b37ef600..1ed8d6da42 100644
--- a/src/Scope.h
+++ b/src/Scope.h
@@ -11,6 +11,7 @@
 #include "Obj.h"
 #include "BroList.h"
 #include "TraverseTypes.h"
+#include "module_util.h"
 
 class ID;
 class BroType;
@@ -59,20 +60,12 @@ protected:
 	id_list* inits;
 };
 
-extern const char* GLOBAL_MODULE_NAME;
-
-extern string extract_module_name(const char* name);
-extern string normalized_module_name(const char* module_name); // w/o ::
-
-// Concatenates module_name::var_name unless var_name is already fully
-// qualified, in which case it is returned unmodified.
-extern string make_full_var_name(const char* module_name, const char* var_name);
 
 extern bool in_debug;
 
 // If no_global is true, don't search in the default "global" namespace.
 extern ID* lookup_ID(const char* name, const char* module,
-			bool no_global = false);
+		     bool no_global = false, bool same_module_only=false);
 extern ID* install_ID(const char* name, const char* module_name,
 			bool is_global, bool is_export);
 
diff --git a/src/SerialObj.h b/src/SerialObj.h
index 9c02b21e5b..4a12d53fe6 100644
--- a/src/SerialObj.h
+++ b/src/SerialObj.h
@@ -330,6 +330,29 @@ public:
 		dst = 0;	\
 	}
 
+#define UNSERIALIZE_OPTIONAL_STR_DEL(dst, del)	\
+	{	\
+	bool has_it;	\
+	if ( ! info->s->Read(&has_it, "has_" #dst) )	\
+		{	\
+		delete del;	\
+		return 0;	\
+		}	\
+	\
+	if ( has_it )	\
+		{	\
+		info->s->Read(&dst, 0, "has_" #dst);	\
+		if ( ! dst )	\
+			{	\
+			delete del;	\
+			return 0;	\
+			}	\
+		}	\
+	\
+	else	\
+		dst = 0;	\
+	}
+
 #define UNSERIALIZE_OPTIONAL_STATIC(dst, unserialize, del)	\
 	{	\
 	bool has_it;	\
diff --git a/src/SerialTypes.h b/src/SerialTypes.h
index a33b026fae..4f9ab4585b 100644
--- a/src/SerialTypes.h
+++ b/src/SerialTypes.h
@@ -146,6 +146,7 @@ SERIAL_EXPR(TABLE_CONSTRUCTOR_EXPR, 40)
 SERIAL_EXPR(SET_CONSTRUCTOR_EXPR, 41)
 SERIAL_EXPR(VECTOR_CONSTRUCTOR_EXPR, 42)
 SERIAL_EXPR(TABLE_COERCE_EXPR, 43)
+SERIAL_EXPR(VECTOR_COERCE_EXPR, 44)
 
 #define SERIAL_STMT(name, val) SERIAL_CONST(name, val, STMT)
 SERIAL_STMT(STMT, 1)
diff --git a/src/SerializationFormat.cc b/src/SerializationFormat.cc
index d49233ec92..b9b3da5fef 100644
--- a/src/SerializationFormat.cc
+++ b/src/SerializationFormat.cc
@@ -21,6 +21,7 @@ void SerializationFormat::StartRead(char* data, uint32 arg_len)
 	input = data;
 	input_len = arg_len;
 	input_pos = 0;
+	bytes_read = 0;
 	}
 
 void SerializationFormat::EndRead()
@@ -64,6 +65,8 @@ bool SerializationFormat::ReadData(void* b, size_t count)
 
 	memcpy(b, input + input_pos, count);
 	input_pos += count;
+	bytes_read += count;
+
 	return true;
 	}
 
@@ -214,6 +217,20 @@ bool BinarySerializationFormat::Read(char** str, int* len, const char* tag)
 	return true;
 	}
 
+bool BinarySerializationFormat::Read(string* v, const char* tag)
+	{
+	char* buffer;
+	int len;
+
+	if ( ! Read(&buffer, &len, tag) )
+		return false;
+
+	*v = string(buffer, len);
+
+	delete [] buffer;
+	return true;
+	}
+
 bool BinarySerializationFormat::Write(char v, const char* tag)
 	{
 	DBG_LOG(DBG_SERIAL, "Write char %s [%s]", fmt_bytes(&v, 1), tag);
@@ -278,6 +295,11 @@ bool BinarySerializationFormat::Write(const char* s, const char* tag)
 	return Write(s, strlen(s), tag);
 	}
 
+bool BinarySerializationFormat::Write(const string& s, const char* tag)
+	{
+	return Write(s.data(), s.size(), tag);
+	}
+
 bool BinarySerializationFormat::WriteOpenTag(const char* tag)
 	{
 	return true;
@@ -362,6 +384,12 @@ bool XMLSerializationFormat::Read(char** str, int* len, const char* tag)
 	return false;
 	}
 
+bool XMLSerializationFormat::Read(string* s, const char* tag)
+	{
+	internal_error("no reading of xml");
+	return false;
+	}
+
 bool XMLSerializationFormat::Write(char v, const char* tag)
 	{
 	return WriteElem(tag, "char", &v, 1);
@@ -369,25 +397,25 @@ bool XMLSerializationFormat::Write(char v, const char* tag)
 
 bool XMLSerializationFormat::Write(uint16 v, const char* tag)
 	{
-	const char* tmp = fmt("%u", v);
+	const char* tmp = fmt("%" PRIu16, v);
 	return WriteElem(tag, "uint16", tmp, strlen(tmp));
 	}
 
 bool XMLSerializationFormat::Write(uint32 v, const char* tag)
 	{
-	const char* tmp = fmt("%u", v);
+	const char* tmp = fmt("%"PRIu32, v);
 	return WriteElem(tag, "uint32", tmp, strlen(tmp));
 	}
 
 bool XMLSerializationFormat::Write(uint64 v, const char* tag)
 	{
-	const char* tmp = fmt("%llu", v);
+	const char* tmp = fmt("%"PRIu64, v);
 	return WriteElem(tag, "uint64", tmp, strlen(tmp));
 	}
 
 bool XMLSerializationFormat::Write(int64 v, const char* tag)
 	{
-	const char* tmp = fmt("%lld", v);
+	const char* tmp = fmt("%"PRId64, v);
 	return WriteElem(tag, "int64", tmp, strlen(tmp));
 	}
 
@@ -416,6 +444,11 @@ bool XMLSerializationFormat::Write(const char* s, const char* tag)
 	return WriteElem(tag, "string", s, strlen(s));
 	}
 
+bool XMLSerializationFormat::Write(const string& s, const char* tag)
+	{
+	return WriteElem(tag, "string", s.data(), s.size());
+	}
+
 bool XMLSerializationFormat::WriteOpenTag(const char* tag)
 	{
 	return WriteData("<", 1) && WriteData(tag, strlen(tag) && WriteData(">", 1));
diff --git a/src/SerializationFormat.h b/src/SerializationFormat.h
index 8127343274..b9c7ec1549 100644
--- a/src/SerializationFormat.h
+++ b/src/SerializationFormat.h
@@ -5,6 +5,10 @@
 #ifndef SERIALIZATION_FORMAT
 #define SERIALIZATION_FORMAT
 
+#include <string>
+
+using namespace std;
+
 #include "util.h"
 
 // Abstract base class.
@@ -25,6 +29,10 @@ public:
 	virtual bool Read(char* v, const char* tag) = 0;
 	virtual bool Read(bool* v, const char* tag) = 0;
 	virtual bool Read(double* d, const char* tag) = 0;
+	virtual bool Read(string* s, const char* tag) = 0;
+
+	// Returns number of raw bytes read since last call to StartRead().
+	int BytesRead() const	{ return bytes_read; }
 
 	// Passes ownership of string.
 	virtual bool Read(char** str, int* len, const char* tag) = 0;
@@ -43,6 +51,7 @@ public:
 	virtual bool Write(double d, const char* tag) = 0;
 	virtual bool Write(const char* s, const char* tag) = 0;
 	virtual bool Write(const char* buf, int len, const char* tag) = 0;
+	virtual bool Write(const string& s, const char* tag) = 0;
 
 	virtual bool WriteOpenTag(const char* tag) = 0;
 	virtual bool WriteCloseTag(const char* tag) = 0;
@@ -65,6 +74,7 @@ protected:
 	uint32 input_pos;
 
 	int bytes_written;
+	int bytes_read;
 };
 
 class BinarySerializationFormat : public SerializationFormat {
@@ -81,6 +91,7 @@ public:
 	virtual bool Read(bool* v, const char* tag);
 	virtual bool Read(double* d, const char* tag);
 	virtual bool Read(char** str, int* len, const char* tag);
+	virtual bool Read(string* s, const char* tag);
 	virtual bool Write(int v, const char* tag);
 	virtual bool Write(uint16 v, const char* tag);
 	virtual bool Write(uint32 v, const char* tag);
@@ -91,6 +102,7 @@ public:
 	virtual bool Write(double d, const char* tag);
 	virtual bool Write(const char* s, const char* tag);
 	virtual bool Write(const char* buf, int len, const char* tag);
+	virtual bool Write(const string& s, const char* tag);
 	virtual bool WriteOpenTag(const char* tag);
 	virtual bool WriteCloseTag(const char* tag);
 	virtual bool WriteSeparator();
@@ -112,6 +124,7 @@ public:
 	virtual bool Write(double d, const char* tag);
 	virtual bool Write(const char* s, const char* tag);
 	virtual bool Write(const char* buf, int len, const char* tag);
+	virtual bool Write(const string& s, const char* tag);
 	virtual bool WriteOpenTag(const char* tag);
 	virtual bool WriteCloseTag(const char* tag);
 	virtual bool WriteSeparator();
@@ -126,6 +139,7 @@ public:
 	virtual bool Read(bool* v, const char* tag);
 	virtual bool Read(double* d, const char* tag);
 	virtual bool Read(char** str, int* len, const char* tag);
+	virtual bool Read(string* s, const char* tag);
 
 private:
 	// Encodes non-printable characters.
diff --git a/src/Serializer.h b/src/Serializer.h
index c8f9284b53..dde5c564e6 100644
--- a/src/Serializer.h
+++ b/src/Serializer.h
@@ -122,7 +122,7 @@ protected:
 
 	// This will be increased whenever there is an incompatible change
 	// in the data format.
-	static const uint32 DATA_FORMAT_VERSION = 18;
+	static const uint32 DATA_FORMAT_VERSION = 19;
 
 	ChunkedIO* io;
 
diff --git a/src/Sessions.cc b/src/Sessions.cc
index fd443d4dcc..881a6c171d 100644
--- a/src/Sessions.cc
+++ b/src/Sessions.cc
@@ -15,7 +15,6 @@
 #include "Timer.h"
 #include "NetVar.h"
 #include "Sessions.h"
-#include "Active.h"
 #include "OSFinger.h"
 
 #include "ICMP.h"
@@ -201,7 +200,7 @@ void NetSessions::DispatchPacket(double t, const struct pcap_pkthdr* hdr,
 		//
 		// Should we discourage the use of encap_hdr_size for UDP
 		// tunnneling?  It is probably better handled by enabling
-		// parse_udp_tunnels instead of specifying a fixed
+		// BifConst::parse_udp_tunnels instead of specifying a fixed
 		// encap_hdr_size.
 		if ( udp_tunnel_port > 0 )
 			{
@@ -221,14 +220,14 @@ void NetSessions::DispatchPacket(double t, const struct pcap_pkthdr* hdr,
 			}
 
 		else
-			// Blanket encapsulation (e.g., for VLAN).
+			// Blanket encapsulation
 			hdr_size += encap_hdr_size;
 		}
 
 	// Check IP packets encapsulated through UDP tunnels.
 	// Specifying a udp_tunnel_port is optional but recommended (to avoid
 	// the cost of checking every UDP packet).
-	else if ( parse_udp_tunnels && ip_data && ip_hdr->ip_p == IPPROTO_UDP )
+	else if ( BifConst::parse_udp_tunnels && ip_data && ip_hdr->ip_p == IPPROTO_UDP )
 		{
 		const struct udphdr* udp_hdr =
 			reinterpret_cast<const struct udphdr*>(ip_data);
@@ -465,37 +464,9 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
 		return;
 		}
 
-	// Check for TTL/MTU problems from Active Mapping
-#ifdef ACTIVE_MAPPING
-	const NumericData* numeric = 0;
-	if ( ip4 )
-		{
-		get_map_result(ip4->ip_dst.s_addr, numeric);
-
-		if ( numeric->hops && ip4->ip_ttl < numeric->hops )
-			{
-			debug_msg("Packet destined for %s had ttl %d but there are %d hops to host.\n",
-			inet_ntoa(ip4->ip_dst), ip4->ip_ttl, numeric->hops);
-			return;
-			}
-		}
-#endif
-
 	FragReassembler* f = 0;
 	uint32 frag_field = ip_hdr->FragField();
 
-#ifdef ACTIVE_MAPPING
-	if ( ip4 && numeric && numeric->path_MTU && (frag_field & IP_DF) )
-		{
-		if ( htons(ip4->ip_len) > numeric->path_MTU )
-			{
-			debug_msg("Packet destined for %s has DF flag but its size %d is greater than pmtu of %d\n",
-			inet_ntoa(ip4->ip_dst), htons(ip4->ip_len), numeric->path_MTU);
-			return;
-			}
-		}
-#endif
-
 	if ( (frag_field & 0x3fff) != 0 )
 		{
 		dump_this_packet = 1;	// always record fragments
@@ -661,13 +632,6 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
 				record_packet, record_content,
 			        hdr, pkt, hdr_size);
 
-	// Override content record setting according to
-	// flags set by the policy script.
-	if ( dump_original_packets_if_not_rewriting )
-		record_packet = record_content = 1;
-	if ( dump_selected_source_packets )
-		record_packet = record_content = 0;
-
 	if ( f )
 		{
 		// Above we already recorded the fragment in its entirety.
@@ -675,7 +639,7 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
 		Remove(f);	// ###
 		}
 
-	else if ( record_packet && ! conn->RewritingTrace() )
+	else if ( record_packet )
 		{
 		if ( record_content )
 			dump_this_packet = 1;	// save the whole thing
@@ -1354,7 +1318,7 @@ void NetSessions::Internal(const char* msg, const struct pcap_pkthdr* hdr,
 				const u_char* pkt)
 	{
 	DumpPacket(hdr, pkt);
-	internal_error(msg);
+	internal_error("%s", msg);
 	}
 
 void NetSessions::Weird(const char* name,
diff --git a/src/StateAccess.cc b/src/StateAccess.cc
index 17f702f07e..74481a155a 100644
--- a/src/StateAccess.cc
+++ b/src/StateAccess.cc
@@ -935,7 +935,7 @@ void NotifierRegistry::Register(ID* id, NotifierRegistry::Notifier* notifier)
 		attr_list* a = new attr_list;
 		Attr* attr = new Attr(ATTR_TRACKED);
 		a->append(attr);
-		id->SetAttrs(new Attributes(a, id->Type()));
+		id->SetAttrs(new Attributes(a, id->Type(), false));
 		Unref(attr);
 		}
 
diff --git a/src/TCP.cc b/src/TCP.cc
index ec84df9720..ea9d31e7a0 100644
--- a/src/TCP.cc
+++ b/src/TCP.cc
@@ -2,13 +2,11 @@
 //
 // See the file "COPYING" in the main distribution directory for copyright.
 
-
-#include "Active.h"
+#include "NetVar.h"
 #include "PIA.h"
 #include "File.h"
 #include "TCP.h"
 #include "TCP_Reassembler.h"
-#include "TCP_Rewriter.h"
 #include "OSFinger.h"
 #include "Event.h"
 
@@ -48,23 +46,12 @@ TCP_Analyzer::TCP_Analyzer(Connection* conn)
 	finished = 0;
 	reassembling = 0;
 	first_packet_seen = 0;
-	src_pkt_writer = 0;
 
 	orig = new TCP_Endpoint(this, 1);
 	resp = new TCP_Endpoint(this, 0);
 
 	orig->SetPeer(resp);
 	resp->SetPeer(orig);
-
-	if ( dump_selected_source_packets )
-		{
-		if ( source_pkt_dump )
-			src_pkt_writer =
-				new TCP_SourcePacketWriter(this, source_pkt_dump);
-		else if ( transformed_pkt_dump )
-			src_pkt_writer =
-				new TCP_SourcePacketWriter(this, transformed_pkt_dump);
-		}
 	}
 
 TCP_Analyzer::~TCP_Analyzer()
@@ -74,7 +61,6 @@ TCP_Analyzer::~TCP_Analyzer()
 
 	delete orig;
 	delete resp;
-	delete src_pkt_writer;
 	}
 
 void TCP_Analyzer::Init()
@@ -82,12 +68,6 @@ void TCP_Analyzer::Init()
 	Analyzer::Init();
 	LOOP_OVER_GIVEN_CHILDREN(i, packet_children)
 		(*i)->Init();
-
-	// Can't put this in construction because RewritingTrace() is virtual.
-	if ( transformed_pkt_dump && Conn()->RewritingTrace() )
-		SetTraceRewriter(new TCP_Rewriter(this, transformed_pkt_dump,
-						transformed_pkt_dump_MTU,
-						requires_trace_commitment));
 	}
 
 void TCP_Analyzer::Done()
@@ -412,49 +392,6 @@ bool TCP_Analyzer::ProcessRST(double t, TCP_Endpoint* endpoint,
 	else if ( endpoint->RST_cnt == 0 )
 		++endpoint->RST_cnt;	// Remember we've seen a RST
 
-#ifdef ACTIVE_MAPPING
-//		if ( peer->state == TCP_ENDPOINT_INACTIVE )
-//		    debug_msg("rst while inactive\n"); // ### Cold-start: what to do?
-//		else
-
-	const NumericData* AM_policy;
-	get_map_result(ip->DstAddr4(), AM_policy);
-
-	if ( base_seq == endpoint->AckSeq() )
-		;	 // everyone should accept a RST in sequence
-
-	else if ( endpoint->window == 0 )
-		; // ### Cold Start: we don't know the window,
-		  // so just go along for now
-
-	else
-		{
-		uint32 right_edge = endpoint->AckSeq() +
-			(endpoint->window << endpoint->window_scale);
-
-		if ( base_seq < right_edge  )
-			{
-			if ( ! AM_policy->accepts_rst_in_window )
-				{
-#if 0
-				debug_msg("Machine does not accept RST merely in window; ignoring. t=%.6f,base=%u, ackseq=%u, window=%hd \n",
-					network_time, base_seq, endpoint->AckSeq(), window);
-#endif
-				return false;
-				}
-			}
-
-		else if ( ! AM_policy->accepts_rst_outside_window )
-			{
-#if 0
-			debug_msg("Machine does not accept RST outside window; ignoring. t=%.6f,base=%u, ackseq=%u, window=%hd \n",
-				network_time, base_seq, endpoint->AckSeq(), window);
-#endif
-			return false;
-			}
-		}
-#endif
-
 	if ( len > 0 )
 		{
 		// This now happens often enough that it's
@@ -737,7 +674,7 @@ void TCP_Analyzer::UpdateInactiveState(double t,
 			{
 			endpoint->SetState(TCP_ENDPOINT_PARTIAL);
 			Conn()->EnableStatusUpdateTimer();
-			
+
 			if ( peer->state == TCP_ENDPOINT_PARTIAL )
 				// We've seen both sides of a partial
 				// connection, report it.
@@ -985,9 +922,6 @@ int TCP_Analyzer::DeliverData(double t, const u_char* data, int len, int caplen,
 	int need_contents = endpoint->DataSent(t, data_seq,
 					len, caplen, data, ip, tp);
 
-	LOOP_OVER_GIVEN_CHILDREN(i, packet_children)
-		(*i)->NextPacket(len, data, is_orig, data_seq, ip, caplen);
-
 	return need_contents;
 	}
 
@@ -1091,16 +1025,6 @@ void TCP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
 	     tcp_hdr_len <= uint32(caplen) )
 		ParseTCPOptions(tp, TCPOptionEvent, this, is_orig, 0);
 
-	if ( TraceRewriter() && current_hdr )
-		{
-		TCP_Rewriter* r = (TCP_Rewriter*) TraceRewriter();
-		r->NextPacket(is_orig, t, current_hdr, current_pkt,
-				current_hdr_size, ip->IP4_Hdr(), tp);
-		}
-
-	if ( src_pkt_writer && current_hdr )
-		src_pkt_writer->NextPacket(current_hdr, current_pkt);
-
 	if ( DEBUG_tcp_data_sent )
 		{
 		DEBUG_MSG("%.6f before DataSent: len=%d caplen=%d skip=%d\n",
@@ -1126,6 +1050,12 @@ void TCP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
 
 	CheckRecording(need_contents, flags);
 
+	// Handle child_packet analyzers.  Note: This happens *after* the
+	// packet has been processed and the TCP state updated.
+	LOOP_OVER_GIVEN_CHILDREN(i, packet_children)
+		(*i)->NextPacket(len, data, is_orig,
+				base_seq - endpoint->StartSeq(), ip, caplen);
+
 	if ( ! reassembling )
 		ForwardPacket(len, data, is_orig,
 				base_seq - endpoint->StartSeq(), ip, caplen);
@@ -1155,11 +1085,25 @@ void TCP_Analyzer::FlipRoles()
 	resp->is_orig = !resp->is_orig;
 	}
 
-void TCP_Analyzer::UpdateEndpointVal(RecordVal* endp, int is_orig)
+void TCP_Analyzer::UpdateConnVal(RecordVal *conn_val)
 	{
-	TCP_Endpoint* s = is_orig ? orig : resp;
-	endp->Assign(0, new Val(s->Size(), TYPE_COUNT));
-	endp->Assign(1, new Val(int(s->state), TYPE_COUNT));
+	int orig_endp_idx = connection_type->FieldOffset("orig");
+	int resp_endp_idx = connection_type->FieldOffset("resp");
+
+	RecordVal *orig_endp_val = conn_val->Lookup(orig_endp_idx)->AsRecordVal();
+	RecordVal *resp_endp_val = conn_val->Lookup(resp_endp_idx)->AsRecordVal();
+
+	orig_endp_val->Assign(0, new Val(orig->Size(), TYPE_COUNT));
+	orig_endp_val->Assign(1, new Val(int(orig->state), TYPE_COUNT));
+	resp_endp_val->Assign(0, new Val(resp->Size(), TYPE_COUNT));
+	resp_endp_val->Assign(1, new Val(int(resp->state), TYPE_COUNT));
+
+	// Call children's UpdateConnVal
+	Analyzer::UpdateConnVal(conn_val);
+
+	// Have to do packet_children ourselves.
+	LOOP_OVER_GIVEN_CHILDREN(i, packet_children)
+		(*i)->UpdateConnVal(conn_val);
 	}
 
 Val* TCP_Analyzer::BuildSYNPacketVal(int is_orig, const IP_Hdr* ip,
@@ -1801,8 +1745,6 @@ void TCP_Analyzer::EndpointEOF(TCP_Reassembler* endp)
 	LOOP_OVER_CONST_CHILDREN(i)
 		static_cast<TCP_ApplicationAnalyzer*>(*i)->EndpointEOF(endp->IsOrig());
 
-	TraceRewriterEOF(endp);
-
 	if ( close_deferred )
 		{
 		if ( DataPending(endp->Endpoint()) )
@@ -1820,25 +1762,6 @@ void TCP_Analyzer::EndpointEOF(TCP_Reassembler* endp)
 		}
 	}
 
-void TCP_Analyzer::TraceRewriterEOF(TCP_Reassembler* endp)
-	{
-	const analyzer_list& children(GetChildren());
-	LOOP_OVER_CONST_CHILDREN(i)
-		static_cast<TCP_ApplicationAnalyzer*>(*i)->TraceRewriterEOF(endp->IsOrig());
-
-	TCP_Rewriter* r = (TCP_Rewriter*) TraceRewriter();
-	if ( r )
-		{
-		// Add a FIN packet if there is one in the original trace.
-		int FIN_cnt = endp->IsOrig() ?
-				endp->GetTCPAnalyzer()->Orig()->FIN_cnt :
-				endp->GetTCPAnalyzer()->Resp()->FIN_cnt;
-
-		if ( FIN_cnt > 0 )
-			r->ScheduleFIN(endp->IsOrig());
-		}
-	}
-
 void TCP_Analyzer::PacketWithRST()
 	{
 	const analyzer_list& children(GetChildren());
@@ -1955,13 +1878,6 @@ void TCP_ApplicationAnalyzer::EndpointEOF(bool is_orig)
 		static_cast<TCP_SupportAnalyzer*>(sa)->EndpointEOF(is_orig);
 	}
 
-void TCP_ApplicationAnalyzer::TraceRewriterEOF(bool is_orig)
-	{
-	SupportAnalyzer* sa = is_orig ? orig_supporters : resp_supporters;
-	for ( ; sa; sa = sa->Sibling() )
-		static_cast<TCP_SupportAnalyzer*>(sa)->TraceRewriterEOF(is_orig);
-	}
-
 void TCP_ApplicationAnalyzer::ConnectionClosed(TCP_Endpoint* endpoint,
 					TCP_Endpoint* peer, int gen_event)
 	{
@@ -2090,7 +2006,7 @@ int TCPStats_Endpoint::DataSent(double /* t */, int seq, int len, int caplen,
 	int seq_delta = top_seq - max_top_seq;
 	if ( seq_delta <= 0 )
 		{
-		if ( ! ignore_keep_alive_rexmit || len > 1 || data_in_flight > 0 )
+		if ( ! BifConst::ignore_keep_alive_rexmit || len > 1 || data_in_flight > 0 )
 			{
 			++num_rxmit;
 			num_rxmit_bytes += len;
diff --git a/src/TCP.h b/src/TCP.h
index d7faae6a3d..1db8c1ed68 100644
--- a/src/TCP.h
+++ b/src/TCP.h
@@ -7,7 +7,6 @@
 
 #include "Analyzer.h"
 #include "TCP.h"
-#include "Rewriter.h"
 #include "PacketDumper.h"
 
 // We define two classes here:
@@ -18,8 +17,6 @@
 class PIA_TCP;
 class TCP_ApplicationAnalyzer;
 class TCP_Reassembler;
-class TCP_Rewriter;
-class TCP_SourcePacketWriter;
 
 class TCP_Flags {
 public:
@@ -75,14 +72,14 @@ public:
 	virtual void SetContentsFile(unsigned int direction, BroFile* f);
 	virtual BroFile* GetContentsFile(unsigned int direction) const;
 
-	TCP_SourcePacketWriter* SourcePacketWriter() const
-		{ return src_pkt_writer; }
-
 	// Callback to process a TCP option.
 	typedef int (*proc_tcp_option_t)(unsigned int opt, unsigned int optlen,
 			const u_char* option, TCP_Analyzer* analyzer,
 			bool is_orig, void* cookie);
 
+	// From Analyzer.h
+	virtual void UpdateConnVal(RecordVal *conn_val);
+
 	// Needs to be static because it's passed as a pointer-to-function
 	// rather than pointer-to-member-function.
 	static int ParseTCPOptions(const struct tcphdr* tcp,
@@ -106,7 +103,6 @@ protected:
 	virtual void DeliverStream(int len, const u_char* data, bool orig);
 	virtual void Undelivered(int seq, int len, bool orig);
 	virtual void FlipRoles();
-	virtual void UpdateEndpointVal(RecordVal* endp, int is_orig);
 	virtual bool IsReuse(double t, const u_char* pkt);
 
 	// Returns the TCP header pointed to by data (which we assume is
@@ -220,7 +216,6 @@ protected:
 	void ConnDeleteTimer(double t)	{ Conn()->DeleteTimer(t); }
 
 	void EndpointEOF(TCP_Reassembler* endp);
-	void TraceRewriterEOF(TCP_Reassembler* endp);
 	void ConnectionClosed(TCP_Endpoint* endpoint,
 					TCP_Endpoint* peer, int gen_event);
 	void ConnectionFinished(int half_finished);
@@ -247,8 +242,6 @@ private:
 
 	analyzer_list packet_children;
 
-	TCP_SourcePacketWriter* src_pkt_writer;
-
 	unsigned int first_packet_seen: 2;
 	unsigned int reassembling: 1;
 	unsigned int is_partial: 1;
@@ -288,7 +281,6 @@ public:
 
 	// The given endpoint's data delivery is complete.
 	virtual void EndpointEOF(bool is_orig);
-	virtual void TraceRewriterEOF(bool is_orig);
 
 	// Called whenever an end enters TCP_ENDPOINT_CLOSED or
 	// TCP_ENDPOINT_RESET.  If gen_event is true and the connection
@@ -332,7 +324,6 @@ public:
 
 	// These are passed on from TCP_Analyzer.
 	virtual void EndpointEOF(bool is_orig)	{ }
-	virtual void TraceRewriterEOF(bool is_orig)	{ }
 	virtual void ConnectionClosed(TCP_Endpoint* endpoint,
 					TCP_Endpoint* peer, int gen_event) 	{ }
 	virtual void ConnectionFinished(int half_finished)	{ }
diff --git a/src/TCP_Endpoint.cc b/src/TCP_Endpoint.cc
index 826c7f5636..a5d19ad82d 100644
--- a/src/TCP_Endpoint.cc
+++ b/src/TCP_Endpoint.cc
@@ -5,7 +5,6 @@
 #include "Net.h"
 #include "NetVar.h"
 #include "TCP.h"
-#include "TCP_Rewriter.h"
 #include "TCP_Reassembler.h"
 #include "Sessions.h"
 #include "Event.h"
@@ -161,8 +160,6 @@ bro_int_t TCP_Endpoint::Size() const
 	{
 	bro_int_t size;
 
-#ifdef USE_INT64
-
 	uint64 last_seq_64 = (uint64(last_seq_high) << 32) | last_seq;
 	uint64 ack_seq_64 = (uint64(ack_seq_high) << 32) | ack_seq;
 	if ( last_seq_64 > ack_seq_64 )
@@ -170,26 +167,6 @@ bro_int_t TCP_Endpoint::Size() const
 	else
 		size = ack_seq_64 - start_seq;
 
-#else
-
-	if ( seq_delta(last_seq, ack_seq) > 0 || ack_seq == start_seq + 1 )
-		// Either last_seq corresponds to more data sent than we've
-		// seen ack'd, or we haven't seen any data ack'd (in which
-		// case we should trust last_seq anyway).  This last test
-		// matters for the case in which the connection has
-		// transferred > 2 GB of data, in which case we will find
-		// seq_delta(last_seq, ack_seq) < 0 even if ack_seq
-		// corresponds to no data transferred.
-		size = last_seq - start_seq;
-
-	else
-		// It could be that ack_seq > last_seq, if we've seen an
-		// ack for the connection (say in a FIN) without seeing
-		// the corresponding data.
-		size = ack_seq - start_seq;
-
-#endif
-
 	// Don't include SYN octet in sequence space.  For partial connections
 	// (no SYN seen), we're still careful to adjust start_seq as though
 	// there was an initial SYN octet, because if we don't then the
diff --git a/src/TCP_Reassembler.cc b/src/TCP_Reassembler.cc
index c6adec2294..f7611a46e1 100644
--- a/src/TCP_Reassembler.cc
+++ b/src/TCP_Reassembler.cc
@@ -4,11 +4,17 @@
 #include "TCP_Reassembler.h"
 #include "TCP.h"
 #include "TCP_Endpoint.h"
-#include "TCP_Rewriter.h"
 
 // Only needed for gap_report events.
 #include "Event.h"
 
+// Note, sequence numbers are relative. I.e., they start with 1.
+
+// TODO: The Reassembler should start using 64 bit ints for keeping track of
+// sequence numbers; currently they become negative once 2GB are exceeded.
+//
+// See #348 for more information.
+
 const bool DEBUG_tcp_contents = false;
 const bool DEBUG_tcp_connection_close = false;
 const bool DEBUG_tcp_match_undelivered = false;
@@ -35,7 +41,9 @@ TCP_Reassembler::TCP_Reassembler(Analyzer* arg_dst_analyzer,
 	deliver_tcp_contents = 0;
 	skip_deliveries = 0;
 	did_EOF = 0;
+#ifdef ENABLE_SEQ_TO_SKIP
 	seq_to_skip = 0;
+#endif
 	in_delivery = false;
 
 	if ( tcp_contents )
@@ -120,7 +128,7 @@ void TCP_Reassembler::Undelivered(int up_to_seq)
 	TCP_Endpoint* endpoint = endp;
 	TCP_Endpoint* peer = endpoint->peer;
 
-	if ( up_to_seq <= 2 && tcp_analyzer->IsPartial() )
+	if ( up_to_seq <= 2 && tcp_analyzer->IsPartial() ) {
 		// Since it was a partial connection, we faked up its
 		// initial sequence numbers as though we'd seen a SYN.
 		// We've now received the first ack and are getting a
@@ -129,7 +137,16 @@ void TCP_Reassembler::Undelivered(int up_to_seq)
 		// (if up_to_seq is 2).  The latter can occur when the
 		// first packet we saw instantiating the partial connection
 		// was a keep-alive.  So, in either case, just ignore it.
-		return;
+
+		// TODO: Don't we need to update last_reassm_seq ????
+		if ( up_to_seq >=0 )
+			// Since seq are currently only 32 bit signed
+			// integers, they will become negative if a
+			// connection has more than 2GB of data. Remove the
+			// above if and always return here, once we're using
+			// 64 bit ints
+			return;
+	}
 
 #if 0
 	if ( endpoint->FIN_cnt > 0 )
@@ -144,16 +161,17 @@ void TCP_Reassembler::Undelivered(int up_to_seq)
 
 	if ( DEBUG_tcp_contents )
 		{
-		DEBUG_MSG("%.6f Undelivered: up_to_seq=%d, last_reassm=%d, "
+		DEBUG_MSG("%.6f Undelivered: is_orig=%d up_to_seq=%d, last_reassm=%d, "
 		          "endp: FIN_cnt=%d, RST_cnt=%d, "
 		          "peer: FIN_cnt=%d, RST_cnt=%d\n",
-		          network_time, up_to_seq, last_reassem_seq,
+		          network_time, is_orig, up_to_seq, last_reassem_seq,
 		          endpoint->FIN_cnt, endpoint->RST_cnt,
 		          peer->FIN_cnt, peer->RST_cnt);
 		}
 
 	if ( seq_delta(up_to_seq, last_reassem_seq) <= 0 )
-		return;
+		// This should never happen.
+		internal_error("Calling Undelivered for data that has already been delivered (or has already been marked as undelivered");
 
 	if ( last_reassem_seq == 1 &&
 	     (endpoint->FIN_cnt > 0 || endpoint->RST_cnt > 0 ||
@@ -166,10 +184,6 @@ void TCP_Reassembler::Undelivered(int up_to_seq)
 		// one for filtered traces, and may fail, for example, when
 		// the SYN packet carries data.
 		//
-		// Note, this check will confuse the EOF checker (and cause a
-		// missing FIN in the rewritten trace) when the content gap
-		// in the middle is discovered only after the FIN packet.
-
 		// Skip the undelivered part without reporting to the endpoint.
 		skip_deliveries = 1;
 		}
@@ -177,9 +191,9 @@ void TCP_Reassembler::Undelivered(int up_to_seq)
 		{
 		if ( DEBUG_tcp_contents )
 			{
-			DEBUG_MSG("%.6f Undelivered: seq=%d, len=%d, "
+			DEBUG_MSG("%.6f Undelivered: is_orig=%d, seq=%d, len=%d, "
 					  "skip_deliveries=%d\n",
-					  network_time, last_reassem_seq,
+					  network_time, is_orig, last_reassem_seq,
 					  seq_delta(up_to_seq, last_reassem_seq),
 					  skip_deliveries);
 			}
@@ -216,11 +230,6 @@ void TCP_Reassembler::Undelivered(int up_to_seq)
 				dst_analyzer->ConnectionEvent(content_gap, vl);
 				}
 
-			TCP_Rewriter* r = (TCP_Rewriter*)
-				dst_analyzer->Conn()->TraceRewriter();
-			if ( r )
-				r->ContentGap(is_orig, len);
-
 			if ( type == Direct )
 				dst_analyzer->NextUndelivered(last_reassem_seq,
 								len, is_orig);
@@ -376,7 +385,7 @@ void TCP_Reassembler::BlockInserted(DataBlock* start_block)
 void TCP_Reassembler::Overlap(const u_char* b1, const u_char* b2, int n)
 	{
 	if ( DEBUG_tcp_contents )
-		DEBUG_MSG("%.6f TCP contents overlap: %d\n", network_time,  n);
+		DEBUG_MSG("%.6f TCP contents overlap: %d is_orig=%d\n", network_time,  n, is_orig);
 
 	if ( rexmit_inconsistency &&
 	     memcmp((const void*) b1, (const void*) b2, n) &&
@@ -419,8 +428,8 @@ int TCP_Reassembler::DataSent(double t, int seq, int len,
 
 	if ( DEBUG_tcp_contents )
 		{
-		DEBUG_MSG("%.6f DataSent: seq=%d upper=%d ack=%d\n",
-		          network_time, seq, upper_seq, ack);
+		DEBUG_MSG("%.6f DataSent: is_orig=%d seq=%d upper=%d ack=%d\n",
+		          network_time, is_orig, seq, upper_seq, ack);
 		}
 
 	if ( skip_deliveries )
@@ -477,8 +486,7 @@ void TCP_Reassembler::AckReceived(int seq)
 		// Zero, or negative in sequence-space terms.  Nothing to do.
 		return;
 
-	bool test_active =
-	     ! skip_deliveries && ! tcp_analyzer->Skipping() &&
+	bool test_active = ! skip_deliveries && ! tcp_analyzer->Skipping() &&
 	     endp->state == TCP_ENDPOINT_ESTABLISHED &&
 	     endp->peer->state == TCP_ENDPOINT_ESTABLISHED;
 
@@ -569,6 +577,7 @@ void TCP_Reassembler::CheckEOF()
 
 void TCP_Reassembler::DeliverBlock(int seq, int len, const u_char* data)
 	{
+#ifdef ENABLE_SEQ_TO_SKIP
 	if ( seq_delta(seq + len, seq_to_skip) <= 0 )
 		return;
 
@@ -579,6 +588,7 @@ void TCP_Reassembler::DeliverBlock(int seq, int len, const u_char* data)
 		data += to_skip;
 		seq = seq_to_skip;
 		}
+#endif
 
 	if ( deliver_tcp_contents )
 		{
@@ -603,11 +613,13 @@ void TCP_Reassembler::DeliverBlock(int seq, int len, const u_char* data)
 	in_delivery = true;
 	Deliver(seq, len, data);
 	in_delivery = false;
-
+#ifdef ENABLE_SEQ_TO_SKIP
 	if ( seq_delta(seq + len, seq_to_skip) < 0 )
 		SkipToSeq(seq_to_skip);
+#endif
 	}
 
+#ifdef ENABLE_SEQ_TO_SKIP
 void TCP_Reassembler::SkipToSeq(int seq)
 	{
 	if ( seq_delta(seq, seq_to_skip) > 0 )
@@ -617,6 +629,7 @@ void TCP_Reassembler::SkipToSeq(int seq)
 			TrimToSeq(seq);
 		}
 	}
+#endif
 
 int TCP_Reassembler::DataPending() const
 	{
diff --git a/src/TCP_Reassembler.h b/src/TCP_Reassembler.h
index 3e8426c9fb..772c5f6f9c 100644
--- a/src/TCP_Reassembler.h
+++ b/src/TCP_Reassembler.h
@@ -6,6 +6,13 @@
 #include "Reassem.h"
 #include "TCP_Endpoint.h"
 
+// The skip_to_seq feature does not work correctly with connections >2GB due
+// to use of 32 bit signed ints (see comments in TCP_Reassembler.cc) Since
+// it's not used by any analyzer or policy script we disable it. Could be
+// added back in once we start using 64bit integers.
+//
+// #define ENABLE_SEQ_TO_SKIP
+
 class BroFile;
 class Connection;
 class TCP_Analyzer;
@@ -60,9 +67,11 @@ public:
 
 	void MatchUndelivered(int up_to_seq = -1);
 
+#ifdef ENABLE_SEQ_TO_SKIP
 	// Skip up to seq, as if there's a content gap.
 	// Can be used to skip HTTP data for performance considerations.
 	void SkipToSeq(int seq);
+#endif
 
 	int DataSent(double t, int seq, int len, const u_char* data,
 			bool replaying=true);
@@ -85,9 +94,10 @@ public:
 	const TCP_Endpoint* Endpoint() const	{ return endp; }
 
 	int IsOrig() const	{ return endp->IsOrig(); }
-
+#ifdef ENABLE_SEQ_TO_SKIP
 	bool IsSkippedContents(int seq, int length) const
 		{ return seq + length <= seq_to_skip; }
+#endif
 
 private:
 	TCP_Reassembler()	{ }
@@ -110,7 +120,9 @@ private:
 	unsigned int did_EOF:1;
 	unsigned int skip_deliveries:1;
 
+#ifdef ENABLE_SEQ_TO_SKIP
 	int seq_to_skip;
+#endif
 	bool in_delivery;
 
 	BroFile* record_contents_file;	// file on which to reassemble contents
diff --git a/src/TCP_Rewriter.cc b/src/TCP_Rewriter.cc
deleted file mode 100644
index 3a8ca8b7b6..0000000000
--- a/src/TCP_Rewriter.cc
+++ /dev/null
@@ -1,1575 +0,0 @@
-// $Id: TCP_Rewriter.cc 6008 2008-07-23 00:24:22Z vern $
-
-//  Overview of TCP trace rewriter:
-//
-//  1. Timestamp: Consider every packet arrival at a certain endpoint
-//  in the original trace as a tick for the endpoint; a packet will be
-//  dumped into the new trace (possibly with different content) in the
-//  tick (enforced by flush_rewriter_packet). When the user writes data
-//  into the new trace, the packet will carry a timestamp of the
-//  current tick, or the next tick if data is generated between
-//  ticks. Users may also choose to Push data, in which case the packet
-//  carries a timestamp of current network time. This gives us the
-//  'freshness' of timestamps.
-//
-//  2. Ordering of contents: user may choose to push contents in order
-//  to enforce ordering of contents between two directions, however,
-//  contents MIGHT be already dumped BEFORE they are pushed, once they
-//  are written into the trace. (similar to PUSH in TCP)
-//
-//  3. Acknowledgements: when a packet is dumped at a time when there
-//  is no corresponding packet in the original trace, an articial
-//  acknowledgement is generated from the peer with the same
-//  timestamp. This guarantees that additional packets will have
-//  acknowledgements. For those packets dumped at 'ticks', there
-//  should be corresponding acknowledgement packets in the original
-//  trace already, so we do not generate further artificial
-//  acknowledgement packets.
-//
-//  4. SYN, RST, FIN: SYN/RST packets in the new trace do not carry
-//  payloads -- additional packets may be generated for payloads. FIN
-//  packets are generated only when user calls ScheduleFIN, which by
-//  default corresponds to the moment that contents of the flow is
-//  completely delivered, which is usually when the FIN appears in the
-//  original trace. Change: now we will try to allow SYN/RST packets
-//  to carry payloads if they originally do.
-
-#include "config.h"
-
-#include <assert.h>
-#include <stdlib.h>
-
-#include "Event.h"
-#include "Net.h"
-#include "TCP_Rewriter.h"
-
-#define MSG_PREFIX	"TCP trace rewriter: "
-#define DEBUG_MSG_A(x...)
-// #define DEBUG_MSG_A	DEBUG_MSG
-
-static IP_IDSet* ip_id_set = 0;	// <IP, IP-ID> pairs in the output trace
-int num_packets_held, num_packets_cleaned;
-
-TCP_TracePacket::TCP_TracePacket(TCP_Rewriter* arg_trace_rewriter,
-				 int arg_packet_seq, double t, int arg_is_orig,
-				 const struct pcap_pkthdr* arg_hdr,
-				 int MTU, int initial_size)
-	{
-	trace_rewriter = arg_trace_rewriter;
-	pcap_hdr = *arg_hdr;
-	packet_seq = arg_packet_seq;
-	timestamp = t;
-	is_orig = arg_is_orig;
-	mtu = MTU;
-	pkt = new u_char[initial_size];
-	buffer_size = initial_size;
-
-	buffer_offset = 0;
-	ip_offset = tcp_offset = data_offset = -1;
-	reuse = 0;
-	FIN_scheduled = 0;
-	on_hold = 0;
-	seq_gap = 0;
-	packet_val = 0;
-	packet_val = PacketVal();
-	has_reserved_slot = 0;
-	predicted_as_empty_place_holder = 0;
-	}
-
-TCP_TracePacket::~TCP_TracePacket()
-	{
-	packet_val->SetOrigin(0);
-	Unref(packet_val);
-	if ( pkt )
-		delete [] pkt;
-	}
-
-int TCP_TracePacket::AppendLinkHeader(const u_char* chunk, int len)
-	{
-	if ( ip_offset >= 0 && ip_offset != buffer_offset )
-		internal_error(MSG_PREFIX "link header must be appended before IP header");
-
-	if ( ! Append(chunk, len) )
-		return 0;
-
-	ip_offset = buffer_offset;
-	return 1;
-	}
-
-int TCP_TracePacket::AppendIPHeader(const u_char* chunk, int len)
-	{
-	if ( tcp_offset >= 0 && tcp_offset != buffer_offset )
-		internal_error(MSG_PREFIX "IP header must be appended before tcp header");
-
-	if ( ! Append(chunk, len) )
-		return 0;
-
-	tcp_offset = buffer_offset;
-	return 1;
-	}
-
-int TCP_TracePacket::AppendTCPHeader(const u_char* chunk, int len)
-	{
-	if ( data_offset >= 0 && data_offset != buffer_offset )
-		internal_error(MSG_PREFIX "tcp header must be appended before payload");
-
-	if ( tcp_offset == buffer_offset )
-		{ // first TCP header chunk
-		int extra = (tcp_offset - ip_offset) % 4;
-		if ( extra )
-			{
-			DEBUG_MSG(MSG_PREFIX "padding IP header");
-			if ( ! AppendIPHeader(0, 4 - extra) )
-				return 0;
-			}
-		}
-
-	if ( ! Append(chunk, len) )
-		return 0;
-
-	data_offset = buffer_offset;
-	return 1;
-	}
-
-int TCP_TracePacket::AppendData(const u_char* chunk, int len)
-	{
-	// All headers must be appended before any data.
-	ASSERT(ip_offset >= 0 && tcp_offset >= 0 && data_offset >= 0);
-
-	if ( data_offset == buffer_offset )
-		{ // first data chunk
-		int extra = (data_offset - tcp_offset) % 4;
-		if ( extra )
-			{
-			DEBUG_MSG(MSG_PREFIX "%.6f padding tcp header -- original header range: %d - %d\n",
-					network_time, tcp_offset, data_offset);
-			if ( ! AppendTCPHeader(0, 4 - extra) )
-				return 0;
-			}
-		}
-
-	if ( ! Append(chunk, len) )
-		return 0;
-
-	return 1;
-	}
-
-int TCP_TracePacket::Append(const u_char* chunk, int len)
-	{
-	if ( buffer_offset + len > buffer_size )
-		{
-		if ( buffer_offset + len > mtu )
-			return 0;
-
-		u_char* tmp = new u_char[mtu];
-		for ( int i = 0 ; i < buffer_size; ++i )
-			tmp[i] = pkt[i];
-
-		delete [] pkt;
-		pkt = tmp;
-		buffer_size = mtu;
-		}
-
-	ASSERT(buffer_offset + len <= buffer_size);
-
-	if ( chunk )
-		{
-		if ( pkt + buffer_offset != chunk )
-			memcpy(pkt + buffer_offset, chunk, len);
-		}
-	else
-		// Fill with 0.
-		memset(pkt + buffer_offset, 0, len);
-
-	buffer_offset += len;
-	return 1;
-	}
-
-uint32 TCP_TracePacket::GetSeq() const
-	{
-	ASSERT(tcp_offset >= ip_offset + int(sizeof(struct ip)) &&
-	       buffer_offset >= tcp_offset + int(sizeof(struct tcphdr)));
-
-	struct tcphdr* tp = (struct tcphdr*) (pkt + tcp_offset);
-	return ntohl(tp->th_seq);
-	}
-
-void TCP_TracePacket::SetSeq(uint32 seq)
-	{
-	ASSERT(tcp_offset >= ip_offset + int(sizeof(struct ip)) &&
-	       buffer_offset >= tcp_offset + int(sizeof(struct tcphdr)));
-
-	struct tcphdr* tp = (struct tcphdr*) (pkt + tcp_offset);
-	tp->th_seq = htonl(seq);
-	}
-
-uint32 TCP_TracePacket::GetAck() const
-	{
-	ASSERT(tcp_offset >= ip_offset + int(sizeof(struct ip)) &&
-	       buffer_offset >= tcp_offset + int(sizeof(struct tcphdr)));
-
-	struct tcphdr* tp = (struct tcphdr*) (pkt + tcp_offset);
-	return ntohl(tp->th_ack);
-	}
-
-void TCP_TracePacket::SetAck(uint32 ack)
-	{
-	ASSERT(tcp_offset >= ip_offset + int(sizeof(struct ip)) &&
-	       buffer_offset >= tcp_offset + int(sizeof(struct tcphdr)));
-
-	struct tcphdr* tp = (struct tcphdr*) (pkt + tcp_offset);
-	tp->th_ack = htonl(ack);
-	}
-
-int TCP_TracePacket::GetTCP_Flag(int which) const
-	{
-	ASSERT(tcp_offset >= ip_offset + int(sizeof(struct ip)) &&
-	       buffer_offset >= tcp_offset + int(sizeof(struct tcphdr)));
-
-	struct tcphdr* tp = (struct tcphdr*) (pkt + tcp_offset);
-	return tp->th_flags & which;
-	}
-
-void TCP_TracePacket::SetTCP_Flag(int which, int value)
-	{
-	ASSERT(tcp_offset >= ip_offset + int(sizeof(struct ip)) &&
-	       buffer_offset >= tcp_offset + int(sizeof(struct tcphdr)));
-
-	struct tcphdr* tp = (struct tcphdr*) (pkt + tcp_offset);
-
-	if ( value )
-		tp->th_flags |= which;
-	else
-		tp->th_flags &= (~which);
-	}
-
-int TCP_TracePacket::PayloadLength() const
-	{
-	if ( data_offset < 0 )
-		return 0;
-
-	return buffer_offset - data_offset;
-	}
-
-int TCP_TracePacket::SeqLength() const
-	{
-	int len = PayloadLength();
-	struct tcphdr* tp = (struct tcphdr*) (pkt + tcp_offset);
-
-	if ( tp->th_flags & TH_SYN )
-		++len;
-
-	if ( tp->th_flags & TH_FIN )
-		++len;
-
-	return len;
-	}
-
-int TCP_TracePacket::Finish(struct pcap_pkthdr*& hdr,
-			    const u_char*& arg_pkt, int& length,
-			    ipaddr32_t anon_src, ipaddr32_t anon_dst)
-	{
-	// Set length fields in headers and compute checksums.
-	if ( tcp_offset < ip_offset + int(sizeof(struct ip)) ||
-	     data_offset < tcp_offset + int(sizeof(struct tcphdr)) )
-		return 0;
-
-	struct ip* ip = (struct ip*) (pkt + ip_offset);
-	struct tcphdr* tp = (struct tcphdr*) (pkt + tcp_offset);
-
-	// TCP header.
-	ASSERT((data_offset - tcp_offset) % 4 == 0);
-
-	tp->th_off = (data_offset - tcp_offset) >> 2;
-	tp->th_x2 = 0;
-
-	// Shall we instead let URG flag&point stay?
-	// tp->th_flags &= (~TH_URG);	// set URG to 0
-	// tp->th_urp = 0;		// clear urgent pointer
-
-	// Fix IP addresses before computing the TCP checksum
-	if ( anonymize_ip_addr )
-		{
-		ip->ip_src.s_addr = anon_src;
-		ip->ip_dst.s_addr = anon_dst;
-		}
-
-	tp->th_sum = 0;
-	tp->th_sum = 0xffff - tcp_checksum(ip, tp, PayloadLength());
-
-	// IP header.
-
-	// What to do with ip_id? One way is to choose a pseudo-random
-	// number as the new id. We try to keep the original ID unless
-	// it would cause a conflict, in which case we increment the
-	// ID till there is no conflict.
-	//
-	// This is too expensive -- and ID conflicts do not really
-	// matter because there will never be fragmentation.
-	// Fix: just keep the original ID.
-	// ip->ip_id = NextIP_ID(ip->ip_src.s_addr, ip->ip_id);
-
-	ASSERT((tcp_offset - ip_offset) % 4 == 0);
-	ip->ip_hl = (tcp_offset - ip_offset) >> 2;
-	ip->ip_len = htons(buffer_offset - ip_offset);
-	ip->ip_off = 0;		// DF = 0, MF = 0, offset = 0
-	ip->ip_sum = 0;
-	ip->ip_sum = 0xffff - ones_complement_checksum((const void*) ip, tcp_offset - ip_offset, 0);
-
-	// Link level header:
-	// Question: what to do with the link level header? Currently we just
-	// keep the original header, even though the length field can
-	// be incorrect. ###
-
-	if ( timestamp < trace_rewriter->RewritePacket()->TimeStamp() )
-		// For out of order rewriting.
-		timestamp = trace_rewriter->RewritePacket()->TimeStamp();
-
-	// The below works around a potential type incompatibility
-	// on systems where pcap's timeval is different from the
-	// system-wide one. --cpk
-	//
-	timeval tv_tmp = double_to_timeval(timestamp);
-	pcap_hdr.ts.tv_sec = tv_tmp.tv_sec;
-	pcap_hdr.ts.tv_usec = tv_tmp.tv_usec;
-	pcap_hdr.caplen = pcap_hdr.len = buffer_offset;
-
-	hdr = &pcap_hdr;
-	arg_pkt = pkt;
-	length = buffer_offset;
-
-	return 1;
-	}
-
-void TCP_TracePacket::Reuse()
-	{
-	reuse = 1;
-
-	timestamp = trace_rewriter->RewritePacket()->TimeStamp();
-
-	// Question 1: Shall we keep TCP options in the header? Note
-	// that the TCP header of a packet is sometimes replicated in
-	// the rewritten trace (because we reuse headers). When an
-	// option have idempotent semantics, it is safe to keep the
-	// option; otherwise we should include the option only in the
-	// first one among replicated copies. Currently we keep
-	// options for simplicity and wait for things to happen. ###
-
-	struct tcphdr* tp = (struct tcphdr*) (pkt + tcp_offset);
-	tp->th_flags = 0;
-
-	// Clear all TCP options.
-	unsigned int prev_data_offset = data_offset;
-	buffer_offset = data_offset = tcp_offset + sizeof(struct tcphdr);
-	if ( prev_data_offset - tcp_offset > sizeof(*tp) )
-		TCP_Analyzer::ParseTCPOptions(tp,
-					TCP_Rewriter::RewriteTCPOption,
-					trace_rewriter->Analyzer(), is_orig, this);
-	}
-
-RecordVal* TCP_TracePacket::PacketVal()
-	{
-	if ( ! packet_val )
-		{
-		packet_val = new RecordVal(packet_type);
-		packet_val->Assign(0, TraceRewriter()->Analyzer()->BuildConnVal());
-		packet_val->Assign(1, new Val(IsOrig(), TYPE_BOOL));
-		packet_val->Assign(2, new Val(PacketSeq(), TYPE_COUNT));
-		packet_val->Assign(3, new Val(TimeStamp(), TYPE_TIME));
-		packet_val->SetOrigin(this);
-		}
-	else
-		Ref(packet_val);
-
-	return packet_val;
-	}
-
-uint16 NextIP_ID(const uint32 src_addr, const uint16 id)
-	{
-	if ( ip_id_set == 0 )
-		ip_id_set = new IP_IDSet();
-
-	IP_ID ipid;
-	ipid.ip = src_addr;
-	ipid.id = id;
-
-	while ( ip_id_set->find(ipid) != ip_id_set->end() )
-		{
-		ipid.id = (ipid.id + 1) & 0xffff;
-
-		if ( ipid.id == id )
-			{ // clear all entries of the IP
-			IP_ID first_id, last_id;
-			first_id.ip = last_id.ip = src_addr;
-			first_id.id = 0; last_id.id = 0xffff;
-			ip_id_set->erase(ip_id_set->find(first_id),
-						ip_id_set->find(last_id));
-			}
-		}
-
-	ip_id_set->insert(ipid);
-
-	return uint16(ipid.id & 0xffff);
-	}
-
-TCP_RewriterEndpoint::TCP_RewriterEndpoint(TCP_Rewriter* arg_rewriter)
-	{
-	rewriter = arg_rewriter;
-	next_packet = 0;
-	endp = 0;
-	established = 0;
-	end_of_data = 0;
-	peer = 0;
-	last_ack = 0;
-	last_packet_time = -1;
-	please_flush = 0;
-	flushed = 1;
-	flush_scheduled = 0;
-	there_is_a_gap = 0;
-	}
-
-TCP_RewriterEndpoint::~TCP_RewriterEndpoint()
-	{
-	if ( ! prolog.empty() )
-		{
-		if ( ! next_packet )
-			Weird(MSG_PREFIX "end point has data, but hasn't got any packet till destruction.");
-		else
-			internal_error(MSG_PREFIX "prolog should've been purged on the very first packet.");
-
-		while ( ! prolog.empty() )
-			{
-			delete prolog.front();
-			prolog.pop();
-			}
-		}
-
-	if ( ! end_of_data && next_packet && ! next_packet->IsEmpty() )
-		Weird(fmt(MSG_PREFIX "end of data missing before deleting the connection: %.6f",
-			  next_packet->TimeStamp()));
-
-	if ( next_packet )
-		Unref(next_packet);
-	}
-
-void TCP_RewriterEndpoint::Init()
-	{
-	// This cannot be put into the constructor because it requires
-	// existence of the peer.
-	peer = rewriter->GetPeer(this);
-	}
-
-// NextPacket sets 'ticks' of packet dumping according to packet
-// arrival in the original sequence.
-void TCP_RewriterEndpoint::NextPacket(TCP_TracePacket* p)
-	{
-	please_flush = 1;
-	flushed = 0;
-	last_packet_time = p->TimeStamp();
-
-	if ( ! endp )
-		endp = rewriter->GetEndpoint(this);
-
-	if ( endp->state == TCP_ENDPOINT_ESTABLISHED )
-		established = 1;
-
-	if ( ! next_packet || p->GetTCP_Flag(TH_SYN) )
-		{
-		if ( ! p->GetTCP_Flag(TH_SYN | TH_RST) &&
-		     ! rewriter->Analyzer()->IsPartial() )
-			Weird(MSG_PREFIX "first packet is not SYN or RST");
-
-		start_seq = next_seq = p->GetSeq();
-		}
-
-	SetNextPacket(p);
-	ScheduleFlush();
-	}
-
-void TCP_RewriterEndpoint::WriteData(int len, const u_char* data)
-	{
-	if ( end_of_data & (END_BY_FIN | END_BY_RST) )
-		Weird(MSG_PREFIX "write after end of data");
-
-	if ( ! next_packet )
-		{
-		// Till anybody really wants to use the prolog ...
-		run_time(fmt("pushing %d bytes into prolog", len));
-		prolog.push(new BroString(data, len, 0));
-		}
-	else
-		{
-		// Originally we did not send data along with SYN or RST.
-		// if ( next_packet->GetTCP_Flag(TH_SYN | TH_RST) )
-		//	internal_error("SYN/RST packet not immediately flushed");
-
-		// Question: shall we send data along with the ACK in the
-		// connection's three way handshake? Here it may do so.
-
-		DoWriteData(len, data);
-
-		if ( please_flush )
-			ScheduleFlush();
-		}
-	}
-
-void TCP_RewriterEndpoint::SkipGap(int len)
-	{
-	next_seq += len;
-	there_is_a_gap = 1;
-
-	if ( next_packet )
-		next_packet->SetSeqGap(0);
-	}
-
-void TCP_RewriterEndpoint::Push()
-	{
-	if ( ! next_packet )
-		return;
-
-	next_packet->SetTCP_Flag(TH_PUSH, 1);
-	PushPacket();
-	}
-
-void TCP_RewriterEndpoint::ReqAck()
-	{
-	if ( ! next_packet )
-		return;
-
-	PushPacket();
-	}
-
-void TCP_RewriterEndpoint::Flush()
-	{
-	if ( ! next_packet || next_packet->OnHold() )
-		// This may happen after the code change in
-		// TCP_Connection::NextPacket -- not every packet
-		// reaches the TCP rewriter.  Also, do not dump a packet
-		// on hold -- the packet will be flushed later.
-		// internal_error(MSG_PREFIX "flush before packet arrival");
-		return;
-
-	DEBUG_MSG_A("preparing to flush packet %d (%.6f)\n", next_packet->PacketSeq(), next_packet->TimeStamp());
-	if ( next_packet->FINScheduled() )
-		GenerateFIN();
-
-	if ( please_flush )
-		{
-		DEBUG_MSG_A("Flush packet %d (%.6f)\n", next_packet->PacketSeq(), next_packet->TimeStamp());
-		PushPacket();
-		}
-
-	if ( ! next_packet->IsEmpty() )
-		{
-		internal_error(MSG_PREFIX "packet is not empty after flushing");
-		}
-
-	flush_scheduled = 0;
-	}
-
-void TCP_RewriterEndpoint::ScheduleFlush()
-	{
-	if ( ! flush_scheduled )
-		{
-		schedule_flush(this);
-		flush_scheduled = 1;
-		DEBUG_MSG_A("%.6f flush scheduled for packet %d (%.6f)\n", network_time, next_packet->PacketSeq(), next_packet->TimeStamp());
-		}
-	}
-
-void TCP_RewriterEndpoint::GenerateFIN()
-	{
-	if ( end_of_data & END_BY_FIN )
-		return;
-
-	DEBUG_MSG_A("FIN at %.6f\n", next_packet->TimeStamp());
-	end_of_data |= END_BY_FIN;
-
-	if ( ! next_packet )
-		// Weird(MSG_PREFIX "FIN before packet arrival");
-		internal_error(MSG_PREFIX "FIN before packet arrival");
-	else
-		{
-		next_packet->ScheduleFIN(0);
-		next_packet->SetTCP_Flag(TH_FIN, 1);
-		please_flush = 1;
-		}
-	}
-
-void TCP_RewriterEndpoint::Reset(int self)
-	{
-	DEBUG_MSG_A("%.6f end by RST (empty = %d)\n", network_time, next_packet ? next_packet->IsEmpty() : -1);
-	if ( self )
-		end_of_data |= END_BY_RST;
-	else
-		end_of_data |= END_BY_PEER_RST;
-	}
-
-void TCP_RewriterEndpoint::SetNextPacket(TCP_TracePacket* p)
-	{
-	if ( next_packet )
-		{
-		if ( ! next_packet->IsEmpty() || next_packet->OnHold() )
-			internal_error(MSG_PREFIX "next packet (%.6f) arrives before the previous packet (%.6f) is flushed", p->TimeStamp(), next_packet->TimeStamp());
-			// PushPacket();
-
-		Unref(next_packet);
-		}
-
-	next_packet = p;
-
-	if ( next_packet->SeqGap() > 0 )
-		peer->SkipGap(next_packet->SeqGap());
-
-	// next_packet->SetTCP_Flag(TH_PUSH, 0);
-
-	// Do not send FIN at this moment because FIN may arrive out
-	// of order -- wait till all contents are delivered
-	next_packet->SetTCP_Flag(TH_FIN, 0);
-
-	if ( ! prolog.empty() )
-		{
-		// Do not put prolog into SYN/RST packets
-		if ( next_packet->GetTCP_Flag(TH_SYN | TH_RST) )
-			PushPacket();
-		PurgeProlog();
-		}
-	}
-
-void TCP_RewriterEndpoint::PurgeProlog()
-	{
-	while ( ! prolog.empty() )
-		{
-		BroString* s = prolog.front();
-		WriteData(s->Len(), s->Bytes());
-		prolog.pop();
-		delete s;
-		}
-	}
-
-void TCP_RewriterEndpoint::DoWriteData(int len, const u_char* data)
-	{
-	ASSERT(next_packet);
-
-	while ( len > 0 )
-		{
-		int left = next_packet->Space();
-
-		if ( ! left )
-			{
-			PushPacket();
-			left = next_packet->Space();
-			}
-
-		if ( left > len )
-			left = len;
-
-		if ( ! next_packet->AppendData(data, left) )
-			ASSERT(0);
-
-		data += left;
-		len -= left;
-		please_flush = 1;
-		}
-	}
-
-int TCP_RewriterEndpoint::IsPlaceHolderPacket(TCP_TracePacket* p)
-	{
-	return p->SeqLength() == 0 &&
-	       ! p->GetTCP_Flag(TH_SYN | TH_RST | TH_FIN | TH_URG ) &&
-	       ! (p->GetTCP_Flag(TH_ACK) && p->GetAck() > last_ack);
-	}
-
-void TCP_RewriterEndpoint::PushPacket()
-	{
-	if ( ! next_packet )
-		{
-		internal_error(MSG_PREFIX "cannot push packet before packet arrival");
-		return;
-		}
-
-	// Set sequence number ...
-	next_packet->SetSeq(next_seq);
-	int seq_len = next_packet->SeqLength();
-
-	next_seq += seq_len;
-
-	// ... and acknowledge peer's recently dumped packet.
-	if ( next_packet->GetTCP_Flag(TH_SYN | TH_RST) &&
-	     ! next_packet->GetTCP_Flag(TH_ACK) )
-		{
-		next_packet->SetTCP_Flag(TH_ACK, 0);
-		next_packet->SetAck(0);
-		}
-	else
-		{
-		next_packet->SetTCP_Flag(TH_ACK, 1);
-		if ( peer->HasPacket() )
-			next_packet->SetAck(peer->NextSeq());
-		}
-
-	int RST = next_packet->GetTCP_Flag(TH_RST);
-
-#if 0
-	// With the feature of reserve_rewrite_slot, packet dumping can
-	// be delayed.
-
-	// Enforce the order of timestamps; but delayed FIN is OK
-	// when there is a gap.
-	if ( next_packet->TimeStamp() < network_time &&
-	     ! (next_packet->GetTCP_Flag(TH_FIN) && there_is_a_gap) )
-		{
-		Weird(MSG_PREFIX "delayed packet");
-		Weird(fmt(MSG_PREFIX "packet time %.6f, dumping time %.6f\n",
-			 next_packet->TimeStamp(), network_time));
-		}
-#endif
-
-	if ( ! IsPlaceHolderPacket(next_packet) ||
-	     ! omit_rewrite_place_holder )
-		{
-		if ( next_packet->PredictedAsEmptyPlaceHolder() )
-			{
-			DEBUG_MSG("The packet to dump (%.6f, %d, %d, %s%s%s%s, %u > %u) was predicted to be an empty place holder.",
-				next_packet->TimeStamp(), next_packet->SeqLength(), next_packet->PayloadLength(),
-				next_packet->GetTCP_Flag(TH_SYN) ? "S" : "",
-				next_packet->GetTCP_Flag(TH_RST) ? "R" : "",
-				next_packet->GetTCP_Flag(TH_FIN) ? "F" : "",
-				next_packet->GetTCP_Flag(TH_URG) ? "U" : "",
-				next_packet->GetAck(), last_ack);
-			}
-
-		rewriter->DumpPacket(this, next_packet);
-		}
-
-	if ( next_packet->GetTCP_Flag(TH_ACK) &&
-	     next_packet->GetAck() > last_ack )
-		last_ack = next_packet->GetAck();
-
-	// Reuse the packet headers.
-	next_packet->Reuse();
-
-	if ( ! next_packet->FINScheduled() )
-		{
-		please_flush = 0;
-		if ( ! next_packet->IsEmpty() )
-			internal_error("should have been cleared");
-		}
-
-	if ( RST )
-		{
-		Reset(1);	// itself ...
-		peer->Reset(0); // ... and peer
-		return;
-		}
-
-	// Question: do we need to request an ACK? Yes, if the packet
-	// is an artificially generated packet.
-	if ( seq_len > 0 &&
-	     next_packet->TimeStamp() < rewriter->RewritePacket()->TimeStamp() )
-		peer->ReqAck();
-	}
-
-void TCP_RewriterEndpoint::Weird(const char* name) const
-	{
-#ifdef DEBUG_BRO
-	rewriter->Weird(name);
-#endif
-	}
-
-TCP_Rewriter::TCP_Rewriter(TCP_Analyzer* arg_analyzer, PacketDumper* arg_dumper,
-				int arg_MTU, int arg_wait_for_commitment)
-	{
-	analyzer = arg_analyzer;
-	dumper = arg_dumper;
-	MTU = arg_MTU;
-	wait_for_commitment = arg_wait_for_commitment;
-	discard_packets = 0;	// till AbortPackets(1);
-
-	packets_rewritten = 0;
-	next_packet_seq = 0;
-	pending_content_gap = 0;
-
-	orig = new TCP_RewriterEndpoint(this);
-	resp = new TCP_RewriterEndpoint(this);
-
-	orig->Init();
-	resp->Init();
-
-	anon_addr[0] = anon_addr[1] = 0;
-
-	if ( anonymize_ip_addr )
-		{
-		anon_addr[0] = anonymize_ip(to_v4_addr(analyzer->Conn()->OrigAddr()),
-						ORIG_ADDR);
-		anon_addr[1] = anonymize_ip(to_v4_addr(analyzer->Conn()->RespAddr()),
-						RESP_ADDR);
-		}
-
-	holding_packets = 0;
-	current_packet = next_packet = 0;
-
-	current_slot = first_slot = last_slot = 0;
-	highest_slot_number = 0;
-	answered[0] = answered[1] = 0;
-	}
-
-void TCP_Rewriter::Done()
-	{
-	// The wrap-up work needs to be done *after* event processing,
-	// therefore we schedule a funeral to be held right before
-	// packets are flushed.
-	schedule_funeral(this);
-	}
-
-void TCP_Rewriter::Funeral()
-	{
-	if ( ! uncommited_packet_queue.empty() )
-		{
-		warn(fmt(MSG_PREFIX
-			 "rewriter gets neither commit or abort, "
-			 "and %d packets will be discarded",
-			 int(uncommited_packet_queue.size())));
-		AbortPackets(0);
-		}
-
-	if ( ! slot_queue.empty() )
-		{
-		run_time("reserved slots are not completely released at the end of rewriter %s", analyzer->Conn());
-		for ( slot_map_t::iterator it = reserved_slots.begin();
-			it != reserved_slots.end();
-			++it )
-			{
-			TCP_RewriteSlot* slot = it->second;
-			run_time(fmt("unreleased slot: %d", slot->Number()));
-			}
-
-		while ( ! slot_queue.empty() )
-			{
-			TCP_RewriteSlot* slot = slot_queue.front();
-			slot_queue.pop_front();
-			slot->Dump();
-			delete slot;
-			}
-
-		reserved_slots.clear();
-		ReleasePacketsOnHold();
-		}
-
-	if ( ! packets_on_hold.empty() )
-		{
-		run_time("packets on hold at the end of rewriter %s", analyzer->Conn());
-		ReleasePacketsOnHold();
-		// And release the last one.
-		Endp(next_packet->IsOrig())->Flush();
-		}
-	}
-
-TCP_Rewriter::~TCP_Rewriter()
-	{
-	delete orig;
-	delete resp;
-	}
-
-void TCP_Rewriter::NextPacket(int is_orig, double t,
-			      const struct pcap_pkthdr* pcap_hdr,
-			      const u_char* pcap_pkt, int hdr_size,
-			      const struct ip* ip,
-			      const struct tcphdr* tp)
-	{
-	unsigned int ip_hdr_len = ip->ip_hl * 4;
-	unsigned int tcp_hdr_len = tp->th_off * 4;
-
-	TCP_TracePacket* p =
-		new TCP_TracePacket(this, ++next_packet_seq, t,
-					is_orig, pcap_hdr, MTU,
-					hdr_size + ip_hdr_len + tcp_hdr_len);
-
-	if ( ! p->AppendLinkHeader(pcap_pkt, hdr_size) )
-		internal_error(MSG_PREFIX "cannot append headers -- check MTU");
-
-	if ( ! p->AppendIPHeader((const u_char*)ip, sizeof(*ip)) )
-		internal_error(MSG_PREFIX "cannot append headers -- check MTU");
-
-	if ( ip_hdr_len > sizeof(*ip) )
-		{
-		// TODO: re-write IP options.
-		}
-
-	if ( ! p->AppendTCPHeader((const u_char*)tp, sizeof(*tp)) )
-		internal_error(MSG_PREFIX "cannot append headers -- check MTU");
-
-	// Rewrite TCP options.
-	if ( tcp_hdr_len > sizeof(*tp) )
-		TCP_Analyzer::ParseTCPOptions(tp, RewriteTCPOption,
-						analyzer, is_orig, p);
-
-	// Pad the TCP header.
-	p->AppendData(0, 0);
-
-	// Before setting current_packet to p, first clean up empty
-	// place holders to save memory space.
-	if ( omit_rewrite_place_holder && holding_packets )
-		CleanUpEmptyPlaceHolders();
-
-	current_packet = p;
-
-	if ( pending_content_gap )
-		{
-		// A packet triggers a content gap only in the other
-		// direction.
-		if ( current_packet->IsOrig() )
-			pending_content_gap = -pending_content_gap;
-
-		if ( pending_content_gap < 0 )
-			internal_error("content gap out of sync with packet");
-
-		current_packet->SetSeqGap(pending_content_gap);
-		pending_content_gap = 0;
-		}
-
-	if ( current_slot )
-		add_slot();
-
-	if ( ! holding_packets )
-		{
-		next_packet = p;
-		Endp(is_orig)->NextPacket(p);
-		}
-	else
-		{
-		DEBUG_MSG_A("packet %d (%.6f) on hold\n",
-				p->PacketSeq(), p->TimeStamp());
-		packets_on_hold.push_back(p);
-		++num_packets_held;
-		}
-	}
-
-void TCP_Rewriter::ContentGap(int is_orig, int len)
-	{
-	if ( is_orig )
-		pending_content_gap = len;
-	else
-		pending_content_gap = -len;
-	}
-
-void TCP_Rewriter::ScheduleFIN(int is_orig)
-	{
-	if ( current_packet && current_packet->IsOrig() == is_orig )
-		current_packet->ScheduleFIN();
-
-	// Otherwise just ignore the FIN.
-	// Endp(is_orig)->ScheduleFIN();
-	}
-
-void TCP_Rewriter::WriteData(int is_orig, int len, const u_char* data)
-	{
-	if ( ! current_slot )
-		DoWriteData(is_orig, len, data);
-	else
-		current_slot->WriteData(is_orig, len, data);
-	}
-
-void TCP_Rewriter::DoWriteData(int is_orig, int len, const u_char* data)
-	{
-	if ( is_orig != next_packet->IsOrig() )
-		{
-		// Weird(fmt("%.6f rewriting packet on the opposite direction", network_time));
-		}
-
-	Endp(is_orig)->WriteData(len, data);
-	}
-
-void TCP_Rewriter::Push(int is_orig)
-	{
-	Endp(is_orig)->Push();
-	}
-
-void TCP_Rewriter::DumpPacket(TCP_RewriterEndpoint* endp, TCP_TracePacket* p)
-	{
-	struct pcap_pkthdr* hdr;
-	const u_char* pkt;
-	int length;
-	ipaddr32_t anon_src, anon_dst;		// anonymized IP addresses
-
-	if ( discard_packets )
-		return;
-
-	if ( endp == orig )
-		{
-		anon_src = anon_addr[0];
-		anon_dst = anon_addr[1];
-		}
-	else
-		{
-		anon_src = anon_addr[1];
-		anon_dst = anon_addr[0];
-		}
-
-	if ( p->Finish(hdr, pkt, length, anon_src, anon_dst) )
-		{
-		DEBUG_MSG_A("Packet %d (%.6f) dumped at %.6f\n", p->PacketSeq(), p->TimeStamp(), network_time);
-		++packets_rewritten;
-
-		if ( ! wait_for_commitment )
-			dumper->DumpPacket(hdr, pkt, length);
-		else
-			{
-			char* b = new char[sizeof(struct pcap_pkthdr) + length];
-			uncommited_packet_queue.push(b);
-
-			memcpy(b, hdr, sizeof(struct pcap_pkthdr));
-
-			b += sizeof(struct pcap_pkthdr);
-			memcpy(b, pkt, length);
-			}
-		}
-	else
-		internal_error(MSG_PREFIX "ill formed packet for dumping");
-	}
-
-void TCP_Rewriter::ReleaseNextPacket()
-	{
-	if ( packets_on_hold.empty() )
-		{
-		internal_error("there is no packet on hold to release");
-		return;
-		}
-
-	next_packet->SetOnHold(0);
-	Endp(next_packet->IsOrig())->Flush();
-	packets_on_hold.pop_front();
-
-	if ( ! packets_on_hold.empty() )
-		{
-		next_packet = packets_on_hold.front();
-		Endp(next_packet->IsOrig())->NextPacket(next_packet);
-		}
-	else
-		next_packet = 0;
-	}
-
-void TCP_Rewriter::HoldPacket(TCP_TracePacket* p)
-	{
-	if ( ! next_packet )
-		{
-		internal_error("should not try to hold a packet before packet arrival");
-		return;
-		}
-
-	holding_packets = 1;
-
-	while ( next_packet && next_packet->PacketSeq() < p->PacketSeq() )
-		ReleaseNextPacket();
-
-	if ( ! next_packet ||
-	     next_packet->PacketSeq() != p->PacketSeq() )
-		{
-		internal_error("packet sequence not found for hold_packet: %d",
-		    p->PacketSeq());
-		return;
-		}
-
-	next_packet->SetOnHold(1);
-	if ( packets_on_hold.empty() )
-		{
-		packets_on_hold.push_back(next_packet);
-		++num_packets_held;
-		answered[0] = answered[1] = 0;
-		}
-	}
-
-void TCP_Rewriter::ReleasePacketsOnHold()
-	{
-	holding_packets = 0;
-	if ( packets_on_hold.empty() )
-		return;
-
-	while ( packets_on_hold.size() > 1 )
-		ReleaseNextPacket();
-
-	next_packet->SetOnHold(0);
-	packets_on_hold.pop_front();
-	}
-
-void TCP_Rewriter::AbortPackets(int apply_to_future)
-	{
-	while ( ! uncommited_packet_queue.empty() )
-		{
-		char* p = uncommited_packet_queue.front();
-		uncommited_packet_queue.pop();
-		delete [] p;
-		}
-
-	if ( apply_to_future )
-		discard_packets = 1;
-	}
-
-void TCP_Rewriter::CommitPackets(int apply_to_future)
-	{
-	while ( ! uncommited_packet_queue.empty() )
-		{
-		struct pcap_pkthdr* hdr =
-			(struct pcap_pkthdr*) uncommited_packet_queue.front();
-
-		uncommited_packet_queue.pop();
-
-		dumper->DumpPacket(hdr,
-				((u_char*)hdr) + sizeof(struct pcap_pkthdr),
-				int((hdr->caplen)));
-
-		delete [] (char*) hdr;
-		}
-
-	if ( apply_to_future )
-		{ // dump all future packets immediately
-		wait_for_commitment = 0;
-		discard_packets = 0;
-		}
-	}
-
-void TCP_Rewriter::CleanUpEmptyPlaceHolders()
-	{
-	if ( ! last_slot )
-		return;
-
-	if ( last_slot->Packet() != current_packet )
-		internal_error("Mismatch: last_slot->packet != current_packet");
-
-	if ( packets_on_hold.empty() ||
-	     packets_on_hold.back() != current_packet )
-		internal_error("Mismatch: packets_on_hold.back() != current_packet");
-
-	int is_orig = current_packet->IsOrig() ? 1 : 0;
-
-	if ( current_packet->SeqGap() > 0 )
-		// This packet signals a sequence gap (on the opposite flow).
-		answered[is_orig] = 0;
-
-	// Is the current packet an empty placeholder packet?
-	int current_packet_is_empty =
-		last_slot->isEmpty() &&
-		current_packet->SeqLength() == 0 &&
-		! current_packet->GetTCP_Flag(TH_SYN|TH_RST|TH_FIN|TH_URG) &&
-		! current_packet->HasReservedSlot();
-
-	if ( current_packet_is_empty )
-		{
-		if ( answered[is_orig] )
-			{
-// #define DO_NOT_CLEAN_UP_ONLY_PREDICT
-#ifdef DO_NOT_CLEAN_UP_ONLY_PREDICT
-			// for debugging
-			current_packet->PredictAsEmptyPlaceHolder();
-#else
-			++num_packets_cleaned;
-			packets_on_hold.pop_back();
-			Unref(current_packet);
-			current_packet = 0;
-			slot_queue.pop_back();
-			delete last_slot;
-			last_slot = slot_queue.back();
-#endif
-			}
-		}
-	else
-		// Current packet may not be empty ...
-		answered[1 - is_orig] = 0;
-
-	answered[is_orig] = 1;
-	}
-
-int TCP_Rewriter::LeaveAddrInTheClear(int is_orig)
-	{
-	if ( packets_rewritten > 0 )
-		return 0;
-
-	if ( is_orig )
-		anon_addr[0] = to_v4_addr(analyzer->Conn()->OrigAddr());
-	else
-		anon_addr[1] = to_v4_addr(analyzer->Conn()->RespAddr());
-
-	return 1;
-	}
-
-TCP_Endpoint* TCP_Rewriter::GetEndpoint(TCP_RewriterEndpoint* endp)
-	{
-	if ( endp == orig )
-		return analyzer->Orig();
-	else
-		return analyzer->Resp();
-	}
-
-TCP_RewriterEndpoint* TCP_Rewriter::GetPeer(TCP_RewriterEndpoint* endp)
-	{
-	if ( endp == orig )
-		return resp;
-
-	else if ( endp == resp )
-		return orig;
-
-	else
-		return 0;
-	}
-
-#define KEEP_ORIG	1
-#define REUSE_OPT	1
-#define TO_NOP		0
-#define MAX_TCP_OPTION_REWRITING	9
-
-struct TCPOptionRewriting {
-	int keep_orig;
-	int reuse;
-} tcp_option_rewriting[MAX_TCP_OPTION_REWRITING] = {
-	//  0        -    End of Option List                 [RFC793]
-	{KEEP_ORIG, REUSE_OPT},
-
-	//  1        -    No-Operation                       [RFC793]
-	{KEEP_ORIG, REUSE_OPT},
-
-	//  2        4    Maximum Segment Size               [RFC793]
-	{KEEP_ORIG, REUSE_OPT},
-
-	//  3        3    WSOPT - Window Scale              [RFC1323]
-	{KEEP_ORIG, REUSE_OPT},
-
-	//  4        2    SACK Permitted                    [RFC2018]
-	{KEEP_ORIG, REUSE_OPT},
-
-	//  5        N    SACK                              [RFC2018]
-	{TO_NOP, TO_NOP},
-
-	//  6        6    Echo (obsoleted by option 8)      [RFC1072]
-	{TO_NOP, TO_NOP},
-
-	//  7        6    Echo Reply (obsoleted by option 8)[RFC1072]
-	{TO_NOP, TO_NOP},
-
-	//  8       10    TSOPT - Time Stamp Option         [RFC1323]
-	{KEEP_ORIG, REUSE_OPT},
-
-	// ** the rest is left for future work **
-	//  9        2    Partial Order Connection Permitted[RFC1693]
-	// 10        3    Partial Order Service Profile     [RFC1693]
-	// 11             CC                                [RFC1644]
-	// 12             CC.NEW                            [RFC1644]
-	// 13             CC.ECHO                           [RFC1644]
-	// 14         3   TCP Alternate Checksum Request    [RFC1146]
-	// 15         N   TCP Alternate Checksum Data       [RFC1146]
-	// 16             Skeeter                           [Knowles]
-	// 17             Bubba                             [Knowles]
-	// 18         3   Trailer Checksum Option    [Subbu & Monroe]
-	// 19        18   MD5 Signature Option              [RFC2385]
-	// 20             SCPS Capabilities                   [Scott]
-	// 21		Selective Negative Acknowledgements [Scott]
-	// 22		Record Boundaries                   [Scott]
-	// 23		Corruption experienced              [Scott]
-	// 24		SNAP				 [Sukonnik]
-	// 25		Unassigned (released 12/18/00)
-	// 26             TCP Compression Filter           [Bellovin]
-};
-
-int TCP_Rewriter::RewriteTCPOption(unsigned int opt, unsigned int optlen,
-				const u_char* option, TCP_Analyzer* analyzer,
-				bool is_orig, void* cookie)
-	{
-	TCP_TracePacket* p = (TCP_TracePacket*) cookie;
-
-	if ( opt < MAX_TCP_OPTION_REWRITING &&
-	     ( (! p->IsReuse() && tcp_option_rewriting[opt].keep_orig) ||
-	       (p->IsReuse() && tcp_option_rewriting[opt].reuse) ) )
-		// copy/reuse the TCP option
-		p->AppendTCPHeader(option, optlen);
-
-	else
-		{ // replace it with nop
-		static const u_char nop[16] = {
-			1, 1, 1, 1,  1, 1, 1, 1,  1, 1, 1, 1,  1, 1, 1, 1
-		};
-
-		while ( optlen > 0 )
-			{
-			int k = optlen > 16 ? 16 : optlen;
-			p->AppendTCPHeader(nop, k);
-			optlen -= k;
-			}
-		}
-
-	return 0;
-	}
-
-TCP_RewriteSlot* TCP_Rewriter::add_slot()
-	{
-	++highest_slot_number;
-
-	DEBUG_MSG_A("add slot %u\n", highest_slot_number);
-
-	last_slot = current_slot =
-		new TCP_RewriteSlot(current_packet, highest_slot_number);
-
-	slot_queue.push_back(current_slot);
-
-	return current_slot;
-	}
-
-TCP_RewriteSlot* TCP_Rewriter::find_slot(unsigned int slot)
-	{
-	// DEBUG_MSG_A("%d slots reserved\n", reserved_slots.size());
-	slot_map_t::iterator it = reserved_slots.find(slot);
-	if ( it == reserved_slots.end() )
-		return 0;
-
-	return it->second;
-	}
-
-unsigned int TCP_Rewriter::ReserveSlot()
-	{
-	if ( ! current_packet )
-		{
-		run_time("cannot reserve a rewrite slot before packet arrival");
-		return 0;
-		}
-
-	if ( ! current_slot )
-		{
-		first_slot = add_slot();
-		HoldPacket(current_packet);
-		}
-
-	if ( current_slot != last_slot )
-		{
-		run_time("cannot reserve a slot within a reserved slot");
-		return 0;
-		}
-
-	int slot_number = current_slot->Number();
-	DEBUG_MSG_A("reserved slot %d\n", slot_number);
-
-	reserved_slots[slot_number] = current_slot;
-	add_slot();
-	current_packet->AddReservedSlot();
-
-	return slot_number;
-	}
-
-int TCP_Rewriter::SeekSlot(unsigned int slot)
-	{
-	TCP_RewriteSlot* s = find_slot(slot);
-	if ( ! s )
-		return 0;
-
-	current_slot = s;
-	return 1;
-	}
-
-int TCP_Rewriter::ReturnFromSlot()
-	{
-	current_slot = last_slot;
-	return 1;
-	}
-
-int TCP_Rewriter::ReleaseSlot(unsigned int slot)
-	{
-	slot_map_t::iterator it = reserved_slots.find(slot);
-	if ( it == reserved_slots.end() )
-		{
-		run_time(fmt("cannot find slot %u", slot));
-		return 0;
-		}
-
-	TCP_RewriteSlot* s = it->second;
-	reserved_slots.erase(it);
-
-	if ( s == current_slot )
-		ReturnFromSlot();
-
-	DEBUG_MSG_A("release slot %u, slot [%u, %u]\n", s->Number(), first_slot->Number(), last_slot->Number());
-	if ( s == first_slot )
-		{
-		do	// release slots till we get to the next *reserved* slot
-			{
-			DEBUG_MSG_A("dump slot %d %.6f\n", first_slot->Number(), first_slot->Packet()->TimeStamp());
-
-			first_slot->Dump();
-			slot_queue.pop_front();
-			delete first_slot;
-
-			if ( slot_queue.empty() )
-				{
-				first_slot = last_slot = current_slot = 0;
-				DEBUG_MSG_A("release all packets on hold\n");
-				ReleasePacketsOnHold();
-				break;
-				}
-
-			first_slot = slot_queue.front();
-			HoldPacket(first_slot->Packet());
-			DEBUG_MSG_A("move on to packet %d (%.6f)\n", first_slot->Packet()->PacketSeq(), first_slot->Packet()->TimeStamp());
-			}
-		while ( ! find_slot(first_slot->Number()) );
-		}
-
-	return 1;
-	}
-
-TCP_RewriteSlot::TCP_RewriteSlot(TCP_TracePacket* p, unsigned int number)
-	{
-	packet = p;
-	slot_number = number;
-	rewriter = packet->TraceRewriter();
-	}
-
-void TCP_RewriteSlot::WriteData(int is_orig, int len, const u_char* data)
-	{
-	if ( is_orig != packet->IsOrig() )
-		{
-		run_time("writing data to a slot of wrong direction %s",
-			rewriter->analyzer->Conn());
-
-		BroString* tmp = new BroString(data, len, 1);
-		char* tmp_s = tmp->Render();
-		run_time(fmt("further info: dir = %s, len = %d, data = \"%s\"",
-				is_orig ? "orig" : "resp", len, tmp_s));
-		delete tmp_s;
-		delete tmp;
-		return;
-		}
-
-	BroString* s = new BroString((const u_char*) data, len, 1);
-	buf.push(s);
-	}
-
-void TCP_RewriteSlot::Dump()
-	{
-	while ( ! buf.empty() )
-		{
-		BroString* s = buf.front();
-		buf.pop();
-		DEBUG_MSG_A("dump: \"%s\"\n", s->Bytes());
-		rewriter->DoWriteData(packet->IsOrig(), s->Len(), s->Bytes());
-		delete s;
-		}
-	}
-
-static std::queue<TCP_Rewriter*> rewriter_funerals;
-static std::queue<TCP_RewriterEndpoint*> rewriters_to_flush;
-
-void schedule_funeral(TCP_Rewriter* rewriter)
-	{
-	Ref(rewriter->Analyzer()->Conn());
-	rewriter_funerals.push(rewriter);
-	}
-
-void schedule_flush(TCP_RewriterEndpoint* endp)
-	{
-	Ref(endp->Analyzer()->Conn());
-	rewriters_to_flush.push(endp);
-	}
-
-void flush_rewriter_packet()
-	{
-	while ( ! rewriter_funerals.empty() )
-		{
-		TCP_Rewriter* rewriter = rewriter_funerals.front();
-		rewriter_funerals.pop();
-		rewriter->Funeral();
-		Unref(rewriter->Analyzer()->Conn());
-		}
-
-	while ( ! rewriters_to_flush.empty() )
-		{
-		TCP_RewriterEndpoint* endp = rewriters_to_flush.front();
-		rewriters_to_flush.pop();
-
-		if ( endp )
-			{
-			endp->Flush();
-			Unref(endp->Analyzer()->Conn());
-			}
-		}
-
-	if ( mgr.HasEvents() )
-		internal_error("flushing packets generates additional events!");
-	}
-
-TCP_SourcePacket::TCP_SourcePacket(const struct pcap_pkthdr* pcap_hdr, const u_char* pcap_pkt)
-	{
-	hdr = *pcap_hdr;
-	if ( pcap_pkt )
-		{
-		pkt = new u_char[hdr.caplen];
-		memcpy(pkt, pcap_pkt, hdr.caplen);
-		}
-	else
-		{
-		hdr.caplen = 0;
-		pkt = 0;
-		}
-	}
-
-TCP_SourcePacket::~TCP_SourcePacket()
-	{
-	delete [] pkt;
-	}
-
-TCP_SourcePacketWriter::TCP_SourcePacketWriter(TCP_Analyzer* analyzer, PacketDumper* arg_dumper)
-	{
-	dumper = arg_dumper;
-	}
-
-TCP_SourcePacketWriter::~TCP_SourcePacketWriter()
-	{
-	// By default discard all packets of the connection
-	// if they are not explicitly dumped.
-	Purge(false);
-	}
-
-void TCP_SourcePacketWriter::NextPacket(const struct pcap_pkthdr* pcap_hdr,
-					const u_char* pcap_pkt)
-	{
-	source_packets.push(new TCP_SourcePacket(pcap_hdr, pcap_pkt));
-	}
-
-void TCP_SourcePacketWriter::Purge(bool dump)
-	{
-	while ( ! source_packets.empty() )
-		{
-		TCP_SourcePacket* p = source_packets.front();
-		if ( dump )
-			dumper->DumpPacket(p->Hdr(), p->Pkt(), p->Len());
-		source_packets.pop();
-		delete p;
-		}
-	}
-
-void TCP_SourcePacketWriter::Dump()
-	{
-	Purge(true);
-	}
-
-void TCP_SourcePacketWriter::Abort()
-	{
-	Purge(false);
-	}
-
-TCP_SourcePacketWriter* get_src_pkt_writer(TCP_Analyzer* analyzer)
-	{
-	if ( ! analyzer || analyzer->Conn()->ConnTransport() != TRANSPORT_TCP )
-		internal_error("connection for the trace rewriter does not exist");
-
-	TCP_SourcePacketWriter* writer = analyzer->SourcePacketWriter();
-	if ( ! writer )
-		{
-		if ( ! pkt_dumper )
-			return 0;	// don't complain if no output file
-		else if ( ! dump_selected_source_packets )
-			builtin_run_time("flag dump_source_packets is not set");
-		else
-			internal_error("source packet writer not initialized");
-		}
-
-	return writer;
-	}
-
-
-#include "common-rw.bif.func_def"
diff --git a/src/TCP_Rewriter.h b/src/TCP_Rewriter.h
deleted file mode 100644
index 27bf6a15fe..0000000000
--- a/src/TCP_Rewriter.h
+++ /dev/null
@@ -1,401 +0,0 @@
-// $Id: TCP_Rewriter.h 6916 2009-09-24 20:48:36Z vern $
-
-#ifndef tcp_rewriter_h
-#define tcp_rewriter_h
-
-#include <queue>
-#include <set>
-using namespace std;
-
-#include <pcap.h>
-
-#include "Val.h"
-#include "TCP.h"
-#include "Anon.h"
-#include "Analyzer.h"
-
-#include "PacketDumper.h"
-#include "Rewriter.h"
-
-class TCP_Rewriter;
-
-class TCP_TracePacket : public BroObj, virtual public TracePacket {
-public:
-	TCP_TracePacket(TCP_Rewriter* trace_rewriter,
-			int packet_seq, double t, int is_orig,
-			const struct pcap_pkthdr* hdr,
-			int MTU, int initial_size);
-	~TCP_TracePacket();
-
-	int AppendLinkHeader(const u_char* chunk, int len);
-	int AppendIPHeader(const u_char* chunk, int len);
-	int AppendTCPHeader(const u_char* chunk, int len);
-	int AppendData(const u_char* chunk, int len);
-
-	// Finish() is called before dumping the packet. It sets length
-	// fields and computes checksums in TCP/IP headers.
-	int Finish(struct pcap_pkthdr*& hdr, const u_char*& pkt, int& length,
-		   ipaddr32_t anon_src, ipaddr32_t anon_dst);
-
-	void Reuse();
-	int IsReuse() const	{ return reuse; }
-
-	double TimeStamp() const	{ return timestamp; }
-	int IsOrig() const	{ return is_orig; }
-
-	const struct pcap_pkthdr* Header() const	{ return &pcap_hdr; }
-
-	const u_char* Buffer() const	{ return pkt; }
-	int Length() const	{ return buffer_offset; }
-
-	// Note that Space() does not depend on buffer_size, but depends on MTU.
-	int Space() const		{ return mtu - buffer_offset; }
-	int IsEmpty() const
-		{ return SeqLength() == 0 && ! GetTCP_Flag(TH_RST); }
-
-	uint32 GetSeq() const;
-	void SetSeq(uint32 seq);
-
-	uint32 GetAck() const;
-	void SetAck(uint32 ack);
-
-	int GetTCP_Flag(int which) const;
-	void SetTCP_Flag(int which, int value);
-
-	int SeqLength() const;
-	int PayloadLength() const;
-
-	int FINScheduled() const	{ return FIN_scheduled; }
-	void ScheduleFIN(int fin = 1)	{ FIN_scheduled = fin; }
-
-	int OnHold() const	{ return on_hold; }
-	void SetOnHold(int x)	{ on_hold = x; }
-
-	int HasReservedSlot() const	{ return has_reserved_slot; }
-	void AddReservedSlot()		{ ++has_reserved_slot; }
-
-	int PredictedAsEmptyPlaceHolder() const
-		{ return predicted_as_empty_place_holder; }
-	void PredictAsEmptyPlaceHolder()
-		{ predicted_as_empty_place_holder = 1; }
-
-	// Whether the ACK on this packet confirms a content gap on
-	// the opposite direction.
-	int SeqGap() const	{ return seq_gap; }
-	void SetSeqGap(int len)	{ seq_gap = len; }
-
-	int PacketSeq() const		{ return packet_seq; }
-	TCP_Rewriter* TraceRewriter() const	{ return trace_rewriter; }
-
-	RecordVal* PacketVal();
-	void Describe(ODesc* d) const	{ packet_val->Describe(d); }
-
-protected:
-	int Append(const u_char* chunk, int len);
-
-	RecordVal* packet_val;
-	TCP_Rewriter* trace_rewriter;
-	double timestamp;
-	int packet_seq;
-	int is_orig;
-	struct pcap_pkthdr pcap_hdr;
-	int mtu;
-	u_char* pkt;	// of maximal length MTU
-	int ip_offset, tcp_offset, data_offset;
-	int buffer_size;
-	int buffer_offset;
-	int reuse;	// whether it is an artificially replicated packet
-	int FIN_scheduled;
-	int on_hold;	// do not dump it in Flush()
-	int seq_gap;
-	int has_reserved_slot;
-	int predicted_as_empty_place_holder;
-};
-
-// How a unidirectional flow ends.
-#define	END_BY_FIN	1
-#define	END_BY_RST	2
-#define	END_BY_PEER_RST	4
-
-class TCP_RewriterEndpoint {
-public:
-	TCP_RewriterEndpoint(TCP_Rewriter* rewriter);
-	~TCP_RewriterEndpoint();
-
-	void Init();
-
-	// A packet that contains a TCP segment.
-	void NextPacket(TCP_TracePacket* p);
-	void WriteData(int len, const u_char* data);
-	void SkipGap(int len);
-
-	void Push();
-	void ReqAck();
-	void Flush();
-	void Reset(int self);
-
-	uint32 NextSeq() const	{ return next_seq; }
-	int HasPacket() const	{ return next_packet != 0; }
-	inline TCP_Analyzer* Analyzer() const;
-
-protected:
-	TCP_Rewriter* rewriter;		// TCP rewriter for the connection
-	TCP_RewriterEndpoint* peer;	// the peer TCP rewriter endpoint
-	TCP_Endpoint* endp;		// the corresponding TCP endpoint
-
-	TCP_TracePacket* next_packet;
-	std::queue<BroString*> prolog;
-
-	double last_packet_time;
-	uint32 start_seq;	// start seq -- sent in SYN
-	uint32 next_seq;	// seq of next packet
-	uint32 last_ack;	// last acknowledgement seq
-
-	int please_flush;
-	int flush_scheduled;
-	int flushed;
-	int established;
-	int end_of_data;	// is it really useful?
-	int there_is_a_gap;
-
-	// Move onto the next packet header.
-	void SetNextPacket(TCP_TracePacket* p);
-
-	void PurgeProlog();
-
-	// Pour data into the current packet (next_packet).
-	void DoWriteData(int len, const u_char* data);
-
-	// Push the current packet (next_packet) to dumper.
-	void PushPacket();
-
-	// Please flush this endpoint after draining events.
-	void ScheduleFlush();
-
-	void GenerateFIN();
-
-	// Whether the packet is a "place holder" packet, i.e. it's
-	// harmless to omit the packet (except missing the timestamp
-	// it contains).
-	int IsPlaceHolderPacket(TCP_TracePacket* p);
-
-	void Weird(const char* name) const;
-};
-
-class TCP_RewriteSlot {
-public:
-	TCP_RewriteSlot(TCP_TracePacket* p, unsigned int slot_number);
-
-	void WriteData(int is_orig, int len, const u_char* data);
-
-	void Dump();
-
-	unsigned int Number() const	{ return slot_number; }
-	TCP_TracePacket* Packet() const	{ return packet; }
-
-	bool isEmpty() const	{ return buf.empty(); }
-protected:
-	TCP_Rewriter* rewriter;
-	TCP_TracePacket* packet;
-	unsigned int slot_number;
-	std::queue<BroString*> buf;
-};
-
-class TCP_Rewriter : public Rewriter {
-public:
-	TCP_Rewriter(TCP_Analyzer* analyzer, PacketDumper* dumper, int MTU,
-			int wait_for_commitment = 0);
-	virtual ~TCP_Rewriter();
-	virtual void Done();
-	void Funeral();
-
-	// Phase 1 methods: called in packet processing.
-
-	// A TCP/IP packet.
-	void NextPacket(int is_orig, double t,
-			const struct pcap_pkthdr* pcap_hdr,
-			const u_char* pcap_pkt,	// link level header
-			int hdr_size,		// link level header size
-			const struct ip* ip,
-			const struct tcphdr* tp);
-	void ContentGap(int is_orig, int len);
-	void ScheduleFIN(int is_orig);
-
-
-	// Phase 2 methods: called in event processing.
-
-	void WriteData(int is_orig, int len, const u_char* data);
-	void WriteData(int is_orig, const char* data)
-		{ WriteData(is_orig, strlen(data), data); }
-	void WriteData(int is_orig, int len, const char* data)
-		{ WriteData(is_orig, len, (const u_char*) data); }
-	void WriteData(int is_orig, const BroString* str)
-		{ WriteData(is_orig, str->Len(), str->Bytes()); }
-	void WriteData(int is_orig, StringVal* str)
-		{ WriteData(is_orig, str->AsString()); }
-	void Push(int is_orig);
-
-	// When wait_for_commitment = 1, packets are not dumped until
-	//   CommitPackets().
-	// When apply_to_future = 1, the same decision holds for future
-	//   packets as well.
-	//
-	// Regarding why AbortPackets() takes an apply_to_future flag:
-	//
-	//	The model is that there can be multiple commit/abort stages
-	//	during the course of a connection.  At the end of each
-	//	stage, a commit or abort decision is made for packets
-	//	generated during the stage.  A possible scenario is that
-	//	user may want to delete a middle part of a conversation
-	//	while keeping the parts before and after intact, and cannot
-	//	make the decision until the end of the middle part.
-
-	void AbortPackets(int apply_to_future);
-	void CommitPackets(int apply_to_future);
-
-	unsigned int ReserveSlot();
-	int SeekSlot(unsigned int slot);
-	int ReturnFromSlot();
-	int ReleaseSlot(unsigned int slot);
-
-	// Do not anonymize client/server IP address
-	int LeaveAddrInTheClear(int is_orig);
-
-
-	// Phase 3 methods: called in flushing after events.
-	// (None, because flushing is done through accessing endpoints directly.)
-
-	// Other methods.
-
-	void DumpPacket(TCP_RewriterEndpoint* endp, TCP_TracePacket* p);
-
-	void Weird(const char* name) const	{ analyzer->Weird(name); }
-	TCP_Analyzer* Analyzer() const	{ return analyzer; }
-
-	TCP_Endpoint* GetEndpoint(TCP_RewriterEndpoint* endp);
-	TCP_RewriterEndpoint* GetPeer(TCP_RewriterEndpoint* endp);
-
-	TracePacket* CurrentPacket() const	{ return current_packet; }
-	TracePacket* RewritePacket() const	{ return next_packet; }
-
-	// Needs to be static because it's passed as a pointer-to-function
-	// rather than pointer-to-member-function.
-	static int RewriteTCPOption(unsigned int opt, unsigned int optlen,
-				const u_char* option, TCP_Analyzer* analyzer,
-				bool is_orig, void* cookie);
-
-protected:
-	// Under normal circumstances, we always rewrite into the
-	// "current packet" of the connection. However, sometimes we'd
-	// want to look a few packets ahead before deciding what to
-	// rewrite, in which case we may use {hold,release}_packet to
-	// specify the packet we are writing to.
-
-	// rewrite_packet (next_packet) always equals to
-	// current_packet under *normal mode*. hold_packet(p) dumps
-	// all packets *before* p, fixes rewrite_packet at p and turns
-	// the connection into *look-ahead* mode. Under look-ahead
-	// mode, release_packet(c) dumps all packets of on hold
-	// connection and makes the connection returns to normal mode
-	// so that rewrite_packet changes along with current_packet.
-
-	// When a packet is held, it is illegal to write to packets on
-	// the other half of the connection.
-
-	// Release next_packet
-	void ReleaseNextPacket();
-
-	// Hold packet p and release all packets before p.
-	void HoldPacket(TCP_TracePacket* p);
-
-	// Release all packets on hold and dump all the packets except
-	// the last one, which will be flushed at the end of the event.
-	void ReleasePacketsOnHold();
-
-	void CleanUpEmptyPlaceHolders();
-	void DoWriteData(int is_orig, int len, const u_char* data);
-
-	TCP_RewriterEndpoint* Endp(int is_orig) const
-		{ return is_orig ? orig : resp; }
-
-	TCP_Analyzer* analyzer;
-	PacketDumper* dumper;
-	TCP_RewriterEndpoint* orig;
-	TCP_RewriterEndpoint* resp;
-	int MTU;
-	int wait_for_commitment;
-	int discard_packets;
-	std::queue<char*> uncommited_packet_queue;
-	int next_packet_seq;
-	int packets_rewritten;
-	ipaddr32_t anon_addr[2];
-	int pending_content_gap;
-
-	TCP_TracePacket* current_packet;
-	TCP_TracePacket* next_packet;
-	std::deque<TCP_TracePacket*> packets_on_hold;
-	int holding_packets;
-
-	TCP_RewriteSlot* current_slot;
-	TCP_RewriteSlot* first_slot;
-	TCP_RewriteSlot* last_slot;
-	std::deque<TCP_RewriteSlot*> slot_queue;
-	typedef map<unsigned int, TCP_RewriteSlot*> slot_map_t;
-	slot_map_t reserved_slots;
-	int highest_slot_number;
-
-	TCP_RewriteSlot* add_slot();
-	TCP_RewriteSlot* find_slot(unsigned int slot);
-
-	friend class TCP_RewriteSlot;
-	int answered[2];
-};
-
-inline TCP_Analyzer* TCP_RewriterEndpoint::Analyzer() const
-	{
-	return rewriter->Analyzer();
-	}
-
-// "Please flush the rewriter endpoint after event processing."
-extern void schedule_flush(TCP_RewriterEndpoint* endp);
-
-// "Please call rewriter->Funeral() after event processing."
-extern void schedule_funeral(TCP_Rewriter* rewriter);
-
-extern void flush_rewriter_packet();
-
-class TCP_SourcePacket {
-public:
-	TCP_SourcePacket(const struct pcap_pkthdr* pcap_hdr, const u_char* pcap_pkt);
-	~TCP_SourcePacket();
-
-	int Len() const	{ return hdr.caplen; }
-	const u_char* Pkt() const	{ return pkt; }
-	const struct pcap_pkthdr* Hdr() const	{ return &hdr; }
-
-protected:
-	struct pcap_pkthdr hdr;
-	u_char* pkt;
-};
-
-// Write selected original packets to the trace
-class TCP_SourcePacketWriter {
-public:
-	TCP_SourcePacketWriter(TCP_Analyzer* /* analyzer */,
-				PacketDumper* arg_dumper);
-	~TCP_SourcePacketWriter();
-
-	void NextPacket(const struct pcap_pkthdr* pcap_hdr,
-				const u_char* pcap_pkt);
-	void Dump();
-	void Abort();
-
-protected:
-	PacketDumper* dumper;
-	std::queue<TCP_SourcePacket*> source_packets;
-	void Purge(bool dump);
-};
-
-extern TCP_SourcePacketWriter* get_src_pkt_writer(TCP_Analyzer* analyzer);
-
-#endif
diff --git a/src/Trigger.cc b/src/Trigger.cc
index c9e236f1fa..e71c19732b 100644
--- a/src/Trigger.cc
+++ b/src/Trigger.cc
@@ -130,11 +130,17 @@ Trigger::Trigger(Expr* arg_cond, Stmt* arg_body, Stmt* arg_timeout_stmts,
 
 	Val* timeout = arg_timeout ? arg_timeout->ExprVal() : 0;
 
+	// Make sure we don't get deleted if somebody calls a method like
+	// Timeout() while evaluating the trigger. 
+	Ref(this);
+
 	if ( ! Eval() && timeout )
 		{
 		timer = new TriggerTimer(timeout->AsInterval(), this);
 		timer_mgr->Add(timer);
 		}
+
+	Unref(this);
 	}
 
 Trigger::~Trigger()
diff --git a/src/TwoWise.cc b/src/TwoWise.cc
deleted file mode 100644
index af86b1db71..0000000000
--- a/src/TwoWise.cc
+++ /dev/null
@@ -1,59 +0,0 @@
-/* -*-  Mode:C++; c-basic-offset:8; tab-width:8; indent-tabs-mode:t -*- */
-// $Id: TwoWise.cc 1386 2005-09-14 21:42:13Z vern $
-//
-// Implementation of 2-wise independent hash functions.  Contributed
-// by Yin Zhang.
-//
-
-#include <stdlib.h>
-
-#include "TwoWise.h"
-
-TwoWise::TwoWise(int arg_dim)
-	{
-	dim = arg_dim;
-	int n = dim > 2 ? dim : 2;
-
-	a = new uint64[n];
-	b = new uint64[n];
-	c = new uint32[n];
-
-	for ( int i = 0; i < n; ++i )
-		{
-		a[i] = rand64bit() & ~(1ULL);
-		b[i] = rand64bit() & ~(1ULL);
-		c[i] = 0;
-		}
-
-	a0 = a[0];
-	b0 = b[0];
-	a1 = a[1];
-	b1 = b[1];
-	}
-
-TwoWise::~TwoWise()
-	{
-	delete[] a;
-	delete[] b;
-	delete[] c;
-	}
-
-void TwoWise::TestSpeed(uint32 N)
-	{
-	uint32 x = 0, i;
-
-	double start_time = current_time();
-	for ( i = 0; i < N; ++i )
-		x ^= Hash(i);
-	double end_time = current_time();
-	double time0 = end_time - start_time;
-
-	start_time = current_time();
-	for ( i = 0; i < N; ++i )
-		x ^= Hash(i, i);
-	end_time = current_time();
-	double time1 = end_time - start_time;
-
-	fprintf(stderr, "time0=%.6f time1=%.6f x=%u\n",
-		time0, time1, x);
-	}
diff --git a/src/TwoWise.h b/src/TwoWise.h
deleted file mode 100644
index 08b8f8944a..0000000000
--- a/src/TwoWise.h
+++ /dev/null
@@ -1,92 +0,0 @@
-/* -*-  Mode:C++; c-basic-offset:8; tab-width:8; indent-tabs-mode:t -*- */
-// $Id: TwoWise.h 2809 2006-04-23 20:26:07Z vern $
-//
-// Implementation of 2-wise independent hash functions.  Contributed
-// by Yin Zhang.
-//
-
-#ifndef twowise_h
-#define twowise_h
-
-#include "util.h"
-
-typedef union {
-	uint64 as_int64;
-	uint32 as_int32s[2];
-	uint32 as_int16s[4];
-} int64views;
-
-#ifdef WORDS_BIGENDIAN
-#define TOP32BITS(h) h.as_int32s[0]
-#else
-#define TOP32BITS(h) h.as_int32s[1]
-#endif
-
-typedef union {
-	uint32 as_int32;
-	uint16 as_int16s[2];
-	uint16 as_int8s[4];
-} int32views;
-
-class TwoWise {
-public:
-	TwoWise(int dim = 0);
-	~TwoWise();
-
-	uint32 Hash(uint32 k) const
-		{
-		int64views h;
-		h.as_int64 = a0*k + b0;
-		return TOP32BITS(h);
-		}
-
-	uint32 Hash(uint32 k0, uint32 k1) const
-		{
-		int64views h;
-		h.as_int64 = (a0*k0+b0) ^ (a1*k1+b1);
-		return TOP32BITS(h);
-		}
-
-	uint32 Hash(const uint32* k) const
-		{
-		int64views h;
-		h.as_int64 = (a0*k[0]+b0);
-
-		for ( int i = 1; i < dim; ++i )
-			h.as_int64 ^= (a[i]*k[i] + b[i]);
-
-		return TOP32BITS(h);
-		}
-
-	uint32 Hash(int size, const uint8* data) const
-		{
-		if ( size == 0 )
-			return 0;
-
-		// Copy data to c to resolve any potential alignment problem.
-		int num_words = (size + 3) >> 2;
-		c[num_words - 1] = 0;	// pad with 0
-		memcpy(c, data, size);
-
-		int64views h;
-		h.as_int64 = (a0*c[0]+b0);
-
-		for ( int i = 1; i < num_words; ++i )
-			h.as_int64 ^= (a[i]*c[i] + b[i]);
-
-		return TOP32BITS(h);
-		}
-
-	void TestSpeed(uint32 N = 1000000);
-
-private:
-
-	// Coefficients in Dietzfelbinger scheme.
-	uint64 a0, b0, a1, b1;	// for 1-d and 2-d case
-	uint64 *a, *b;		// for N-d case
-	uint32 *c;
-
-	int dim;
-};
-
-#endif // twowise_h
diff --git a/src/Type.cc b/src/Type.cc
index 1f5c22d58b..6e87a1f83a 100644
--- a/src/Type.cc
+++ b/src/Type.cc
@@ -10,19 +10,11 @@
 #include "Scope.h"
 #include "Serializer.h"
 
-RecordType* init_global_attrs();
+#include <string>
+#include <list>
+#include <map>
 
-bool in_global_attr_decl = false;
-RecordType* global_attributes_type = init_global_attrs();
-
-RecordType* init_global_attrs()
-	{
-	in_global_attr_decl = true;
-	RecordType* rt = new RecordType(new type_decl_list);
-	in_global_attr_decl = false;
-	rt->MakeGlobalAttributeType();
-	return rt;
-	}
+extern int generate_documentation;
 
 const char* type_name(TypeTag t)
 	{
@@ -41,6 +33,7 @@ const char* type_name(TypeTag t)
 		"func",
 		"file",
 		"vector",
+		"type",
 		"error",
 	};
 
@@ -58,7 +51,7 @@ BroType::BroType(TypeTag t, bool arg_base_type)
 	tag = t;
 	is_network_order = 0;
 	base_type = arg_base_type;
-	is_global_attributes_type = false;
+	type_id = 0;
 
 	switch ( tag ) {
 	case TYPE_VOID:
@@ -110,6 +103,7 @@ BroType::BroType(TypeTag t, bool arg_base_type)
 	case TYPE_FUNC:
 	case TYPE_FILE:
 	case TYPE_VECTOR:
+	case TYPE_TYPE:
 		internal_tag = TYPE_INTERNAL_OTHER;
 		break;
 
@@ -118,28 +112,12 @@ BroType::BroType(TypeTag t, bool arg_base_type)
 		break;
 	}
 
-	// Kind of hacky; we don't want an error while we're defining
-	// the global attrs!
-	if ( in_global_attr_decl )
-		{
-		attributes_type = 0;
-		return;
-		}
-
-	if ( ! global_attributes_type )
-		SetError();
-	else
-		attributes_type = global_attributes_type;
 	}
 
-bool BroType::SetAttributesType(type_decl_list* attr_types)
+BroType::~BroType()
 	{
-	TypeList* global = new TypeList();
-	global->Append(global_attributes_type);
-
-	attributes_type = refine_type(global, attr_types)->AsRecordType();
-
-	return (attributes_type != 0);
+	if ( type_id )
+		delete [] type_id;
 	}
 
 int BroType::MatchesIndex(ListExpr*& /* index */) const
@@ -176,6 +154,13 @@ void BroType::Describe(ODesc* d) const
 		}
 	}
 
+void BroType::DescribeReST(ODesc* d) const
+	{
+	d->Add(":bro:type:`");
+	d->Add(type_name(Tag()));
+	d->Add("`");
+	}
+
 void BroType::SetError()
 	{
 	tag = TYPE_ERROR;
@@ -232,8 +217,9 @@ BroType* BroType::Unserialize(UnserialInfo* info, TypeTag want)
 	if ( ! t )
 		return 0;
 
-	// For base types, we return our current instance.
-	if ( t->base_type )
+	// For base types, we return our current instance
+	// if not in "documentation mode".
+	if ( t->base_type && ! generate_documentation )
 		{
 		BroType* t2 = ::base_type(TypeTag(t->tag));
 		Unref(t);
@@ -241,16 +227,6 @@ BroType* BroType::Unserialize(UnserialInfo* info, TypeTag want)
 		return t2;
 		}
 
-	// For the global_attribute_type, we also return our current instance.
-	if ( t->is_global_attributes_type )
-		{
-		BroType* t2 = global_attributes_type;
-		Unref(t);
-		t2->Ref();
-		assert(t2);
-		return t2;
-		}
-
 	assert(t);
 	return t;
 	}
@@ -267,10 +243,20 @@ bool BroType::DoSerialize(SerialInfo* info) const
 		return false;
 
 	if ( ! (SERIALIZE(is_network_order) && SERIALIZE(base_type) &&
-		SERIALIZE(is_global_attributes_type)) )
+		// Serialize the former "bool is_global_attributes_type" for
+		// backwards compatibility.
+		SERIALIZE(false)) )
 		return false;
 
-	SERIALIZE_OPTIONAL(attributes_type);
+	// Likewise, serialize the former optional "RecordType* attributes_type"
+	// for backwards compatibility.
+	void* null = NULL;
+	SERIALIZE(null);
+
+	if ( generate_documentation )
+		{
+		SERIALIZE_OPTIONAL_STR(type_id);
+		}
 
 	info->s->WriteCloseTag("Type");
 
@@ -288,13 +274,24 @@ bool BroType::DoUnserialize(UnserialInfo* info)
 	tag = (TypeTag) c1;
 	internal_tag = (InternalTypeTag) c2;
 
+	bool not_used;
+
 	if ( ! (UNSERIALIZE(&is_network_order) && UNSERIALIZE(&base_type)
-			&& UNSERIALIZE(&is_global_attributes_type)) )
+			// Unerialize the former "bool is_global_attributes_type" for
+			// backwards compatibility.
+			&& UNSERIALIZE(&not_used)) )
 		return 0;
 
-	BroType* type;
-	UNSERIALIZE_OPTIONAL(type, BroType::Unserialize(info, TYPE_RECORD));
-	attributes_type = (RecordType*) type;
+	BroType* not_used_either;
+
+	// Likewise, unserialize the former optional "RecordType*
+	// attributes_type" for backwards compatibility.
+	UNSERIALIZE_OPTIONAL(not_used_either, BroType::Unserialize(info, TYPE_RECORD));
+
+	if ( generate_documentation )
+		{
+		UNSERIALIZE_OPTIONAL_STR(type_id);
+		}
 
 	return true;
 	}
@@ -449,6 +446,52 @@ void IndexType::Describe(ODesc* d) const
 		}
 	}
 
+void IndexType::DescribeReST(ODesc* d) const
+	{
+	d->Add(":bro:type:`");
+
+	if ( IsSet() )
+		d->Add("set");
+	else
+		d->Add(type_name(Tag()));
+
+	d->Add("` ");
+	d->Add("[");
+
+	loop_over_list(*IndexTypes(), i)
+		{
+		if ( i > 0 )
+			d->Add(", ");
+
+		const BroType* t = (*IndexTypes())[i];
+
+		if ( t->GetTypeID() )
+			{
+			d->Add(":bro:type:`");
+			d->Add(t->GetTypeID());
+			d->Add("`");
+			}
+		else
+			t->DescribeReST(d);
+		}
+
+	d->Add("]");
+
+	if ( yield_type )
+		{
+		d->Add(" of ");
+
+		if ( yield_type->GetTypeID() )
+			{
+			d->Add(":bro:type:`");
+			d->Add(yield_type->GetTypeID());
+			d->Add("`");
+			}
+		else
+			yield_type->DescribeReST(d);
+		}
+	}
+
 bool IndexType::IsSubNetIndex() const
 	{
 	const type_list* types = indices->Types();
@@ -683,6 +726,30 @@ void FuncType::Describe(ODesc* d) const
 		}
 	}
 
+void FuncType::DescribeReST(ODesc* d) const
+	{
+	d->Add(":bro:type:`");
+	d->Add(is_event ? "event" : "function");
+	d->Add("`");
+	d->Add(" (");
+	args->DescribeFieldsReST(d, true);
+	d->Add(")");
+
+	if ( yield )
+		{
+		d->AddSP(" :");
+
+		if ( yield->GetTypeID() )
+			{
+			d->Add(":bro:type:`");
+			d->Add(yield->GetTypeID());
+			d->Add("`");
+			}
+		else
+			yield->DescribeReST(d);
+		}
+	}
+
 IMPLEMENT_SERIAL(FuncType, SER_FUNC_TYPE);
 
 bool FuncType::DoSerialize(SerialInfo* info) const
@@ -716,14 +783,11 @@ bool FuncType::DoUnserialize(UnserialInfo* info)
 	return UNSERIALIZE(&is_event);
 	}
 
-TypeDecl::TypeDecl(BroType* t, const char* i, attr_list* arg_attrs)
+TypeDecl::TypeDecl(BroType* t, const char* i, attr_list* arg_attrs, bool in_record)
 	{
 	type = t;
-	attrs = arg_attrs ? new Attributes(arg_attrs, t) : 0;
+	attrs = arg_attrs ? new Attributes(arg_attrs, t, in_record) : 0;
 	id = i;
-
-	if ( in_global_attr_decl && ! attrs->FindAttr(ATTR_DEFAULT) )
-		error("global attribute types must have default values");
 	}
 
 TypeDecl::~TypeDecl()
@@ -740,7 +804,10 @@ bool TypeDecl::Serialize(SerialInfo* info) const
 
 	SERIALIZE_OPTIONAL(attrs);
 
-	return type->Serialize(info) && SERIALIZE(id);
+	if ( ! (type->Serialize(info) && SERIALIZE(id)) )
+		return false;
+
+	return true;
 	}
 
 TypeDecl* TypeDecl::Unserialize(UnserialInfo* info)
@@ -759,6 +826,58 @@ TypeDecl* TypeDecl::Unserialize(UnserialInfo* info)
 	return t;
 	}
 
+void TypeDecl::DescribeReST(ODesc* d) const
+	{
+	d->Add(id);
+	d->Add(": ");
+
+	if ( type->GetTypeID() )
+		{
+		d->Add(":bro:type:`");
+		d->Add(type->GetTypeID());
+		d->Add("`");
+		}
+	else
+		type->DescribeReST(d);
+
+	if ( attrs )
+		{
+		d->SP();
+		attrs->DescribeReST(d);
+		}
+	}
+
+CommentedTypeDecl::CommentedTypeDecl(BroType* t, const char* i,
+			attr_list* attrs, bool in_record, std::list<std::string>* cmnt_list)
+	: TypeDecl(t, i, attrs, in_record)
+	{
+	comments = cmnt_list;
+	}
+
+CommentedTypeDecl::~CommentedTypeDecl()
+	{
+	if ( comments ) delete comments;
+	}
+
+void CommentedTypeDecl::DescribeReST(ODesc* d) const
+	{
+	TypeDecl::DescribeReST(d);
+
+	if ( comments )
+		{
+		d->PushIndent();
+		std::list<std::string>::const_iterator i;
+
+		for ( i = comments->begin(); i != comments->end(); ++i)
+			{
+			if ( i != comments->begin() ) d->NL();
+			d->Add(i->c_str());
+			}
+
+		d->PopIndentNoNL();
+		}
+	}
+
 RecordField::RecordField(int arg_base, int arg_offset, int arg_total_offset)
 	{
 	base = arg_base;
@@ -775,7 +894,7 @@ RecordType::RecordType(type_decl_list* arg_types) : BroType(TYPE_RECORD)
 	}
 
 RecordType::RecordType(TypeList* arg_base, type_decl_list* refinements)
-: BroType(TYPE_RECORD)
+	: BroType(TYPE_RECORD)
 	{
 	if ( refinements )
 		arg_base->Append(new RecordType(refinements));
@@ -785,6 +904,8 @@ RecordType::RecordType(TypeList* arg_base, type_decl_list* refinements)
 
 void RecordType::Init(TypeList* arg_base)
 	{
+	assert(false);  // Is this ever used?
+
 	base = arg_base;
 
 	if ( ! base )
@@ -794,9 +915,11 @@ void RecordType::Init(TypeList* arg_base)
 	types = 0;
 
 	type_list* t = base->Types();
+
 	loop_over_list(*t, i)
 		{
 		BroType* ti = (*t)[i];
+
 		if ( ti->Tag() != TYPE_RECORD )
 			(*t)[i]->Error("non-record in base type list");
 
@@ -806,6 +929,7 @@ void RecordType::Init(TypeList* arg_base)
 		for ( int j = 0; j < n; ++j )
 			{
 			const TypeDecl* tdij = rti->FieldDecl(j);
+
 			if ( fields->Lookup(tdij->id) )
 				{
 				error("duplicate field", tdij->id);
@@ -813,6 +937,7 @@ void RecordType::Init(TypeList* arg_base)
 				}
 
 			RecordField* rf = new RecordField(i, j, fields->Length());
+
 			if ( fields->Insert(tdij->id, rf) )
 				Internal("duplicate field when constructing record");
 			}
@@ -827,6 +952,7 @@ RecordType::~RecordType()
 		{
 		loop_over_list(*types, i)
 			delete (*types)[i];
+
 		delete types;
 		}
 
@@ -937,6 +1063,53 @@ void RecordType::Describe(ODesc* d) const
 		}
 	}
 
+void RecordType::DescribeReST(ODesc* d) const
+	{
+	d->Add(":bro:type:`record`");
+	d->NL();
+	DescribeFieldsReST(d, false);
+	}
+
+const char* RecordType::AddFields(type_decl_list* others, attr_list* attr)
+	{
+	assert(types);
+
+	bool log = false;
+
+	if ( attr )
+		{
+		loop_over_list(*attr, j)
+			{
+			if ( (*attr)[j]->Tag() == ATTR_LOG )
+				log = true;
+			}
+		}
+
+	loop_over_list(*others, i)
+		{
+		TypeDecl* td = (*others)[i];
+
+		if ( ! td->FindAttr(ATTR_DEFAULT) &&
+		     ! td->FindAttr(ATTR_OPTIONAL) )
+			return "extension field must be &optional or have &default";
+
+		if ( log )
+			{
+			if ( ! td->attrs )
+				td->attrs = new Attributes(new attr_list, td->type, true);
+
+			td->attrs->AddAttr(new Attr(ATTR_LOG));
+			}
+
+		types->append(td);
+		}
+
+	delete others;
+
+	num_fields = types->length();
+	return 0;
+	}
+
 void RecordType::DescribeFields(ODesc* d) const
 	{
 	if ( d->IsReadable() )
@@ -976,6 +1149,31 @@ void RecordType::DescribeFields(ODesc* d) const
 		}
 	}
 
+void RecordType::DescribeFieldsReST(ODesc* d, bool func_args) const
+	{
+	if ( ! func_args )
+		d->PushIndent();
+
+	for ( int i = 0; i < num_fields; ++i )
+		{
+		if ( i > 0 )
+			{
+			if ( func_args )
+				d->Add(", ");
+			else
+				{
+				d->NL();
+				d->NL();
+				}
+			}
+
+		FieldDecl(i)->DescribeReST(d);
+		}
+
+	if ( ! func_args )
+		d->PopIndentNoNL();
+	}
+
 IMPLEMENT_SERIAL(RecordType, SER_RECORD_TYPE)
 
 bool RecordType::DoSerialize(SerialInfo* info) const
@@ -1121,10 +1319,9 @@ bool FileType::DoUnserialize(UnserialInfo* info)
 	return yield != 0;
 	}
 
-EnumType::EnumType(bool arg_is_export)
+EnumType::EnumType()
 : BroType(TYPE_ENUM)
 	{
-	is_export = arg_is_export;
 	counter = 0;
 	}
 
@@ -1134,9 +1331,75 @@ EnumType::~EnumType()
 		delete [] iter->first;
 	}
 
-int EnumType::AddName(const string& module_name, const char* name)
+CommentedEnumType::~CommentedEnumType()
 	{
-	ID* id = lookup_ID(name, module_name.c_str());
+	for ( CommentMap::iterator iter = comments.begin(); iter != comments.end(); ++iter )
+		{
+		delete [] iter->first;
+		delete iter->second;
+		}
+	}
+
+// Note, we use error() here (not Error()) to include the current script
+// location in the error message, rather than the one where the type was
+// originally defined.
+void EnumType::AddName(const string& module_name, const char* name, bool is_export)
+	{
+	/* implicit, auto-increment */
+	if ( counter < 0)
+		{
+		error("cannot mix explicit enumerator assignment and implicit auto-increment");
+		SetError();
+		return;
+		}
+	AddNameInternal(module_name, name, counter, is_export);
+	counter++;
+	}
+
+void EnumType::AddName(const string& module_name, const char* name, bro_int_t val, bool is_export)
+	{
+	/* explicit value specified */
+	if ( counter > 0 )
+		{
+		error("cannot mix explicit enumerator assignment and implicit auto-increment");
+		SetError();
+		return;
+		}
+	counter = -1;
+	AddNameInternal(module_name, name, val, is_export);
+	}
+
+void CommentedEnumType::AddComment(const string& module_name, const char* name,
+                                   std::list<std::string>* new_comments)
+	{
+	if ( ! new_comments )
+		return;
+
+	string fullname = make_full_var_name(module_name.c_str(), name);
+
+	CommentMap::iterator it = comments.find(fullname.c_str());
+
+	if ( it == comments.end() )
+		comments[copy_string(fullname.c_str())] = new_comments;
+	else
+		{
+		comments[fullname.c_str()]->splice(comments[fullname.c_str()]->end(),
+			*new_comments);
+		delete new_comments;
+		}
+	}
+
+void EnumType::AddNameInternal(const string& module_name, const char* name, bro_int_t val, bool is_export)
+	{
+	ID *id;
+	if ( Lookup(val) )
+		{
+		error("enumerator value in enumerated type definition already exists");
+		SetError();
+		return;
+		}
+
+	id = lookup_ID(name, module_name.c_str());
 	if ( ! id )
 		{
 		id = install_ID(name, module_name.c_str(), true, is_export);
@@ -1145,31 +1408,22 @@ int EnumType::AddName(const string& module_name, const char* name)
 		}
 	else
 		{
-		debug_msg("identifier already exists: %s\n", name);
-		return -1;
+		error("identifier or enumerator value in enumerated type definition already exists");
+		SetError();
+		return;
 		}
 
 	string fullname = make_full_var_name(module_name.c_str(), name);
-	names[copy_string(fullname.c_str())] = counter;
-	return counter++;
+	names[copy_string(fullname.c_str())] = val;
 	}
 
-int EnumType::AddNamesFrom(const string& module_name, EnumType* et)
+void CommentedEnumType::AddNameInternal(const string& module_name, const char* name, bro_int_t val, bool is_export)
 	{
-	int last_added = counter;
-	for ( NameMap::iterator iter = et->names.begin();
-	      iter != et->names.end(); ++iter )
-		{
-		ID* id = lookup_ID(iter->first, module_name.c_str());
-		id->SetType(this->Ref());
-		names[copy_string(id->Name())] = counter;
-		last_added = counter++;
-		}
-
-	return last_added;
+	string fullname = make_full_var_name(module_name.c_str(), name);
+	names[copy_string(fullname.c_str())] = val;
 	}
 
-int EnumType::Lookup(const string& module_name, const char* name)
+bro_int_t EnumType::Lookup(const string& module_name, const char* name)
 	{
 	NameMap::iterator pos =
 		names.find(make_full_var_name(module_name.c_str(), name).c_str());
@@ -1180,7 +1434,7 @@ int EnumType::Lookup(const string& module_name, const char* name)
 		return pos->second;
 	}
 
-const char* EnumType::Lookup(int value)
+const char* EnumType::Lookup(bro_int_t value)
 	{
 	for ( NameMap::iterator iter = names.begin();
 	      iter != names.end(); ++iter )
@@ -1190,15 +1444,60 @@ const char* EnumType::Lookup(int value)
 	return 0;
 	}
 
+void CommentedEnumType::DescribeReST(ODesc* d) const
+	{
+	// create temporary, reverse name map so that enums can be documented
+	// in ascending order of their actual integral value instead of by name
+	typedef std::map< bro_int_t, const char* > RevNameMap;
+	RevNameMap rev;
+	for ( NameMap::const_iterator it = names.begin(); it != names.end(); ++it )
+		rev[it->second] = it->first;
+
+	d->Add(":bro:type:`");
+	d->Add(type_name(Tag()));
+	d->Add("`");
+	d->PushIndent();
+	d->NL();
+
+	for ( RevNameMap::const_iterator it = rev.begin(); it != rev.end(); ++it )
+		{
+		if ( it != rev.begin() )
+			{
+			d->NL();
+			d->NL();
+			}
+
+		d->Add(".. bro:enum:: ");
+		d->AddSP(it->second);
+		d->Add(GetTypeID());
+
+		CommentMap::const_iterator cmnt_it = comments.find(it->second);
+		if ( cmnt_it != comments.end() )
+			{
+			d->PushIndent();
+			d->NL();
+			std::list<std::string>::const_iterator i;
+			const std::list<std::string>* cmnt_list = cmnt_it->second;
+			for ( i = cmnt_list->begin(); i != cmnt_list->end(); ++i)
+				{
+				if ( i != cmnt_list->begin() ) d->NL();
+				d->Add(i->c_str());
+				}
+			d->PopIndentNoNL();
+			}
+		}
+	d->PopIndentNoNL();
+	}
+
 IMPLEMENT_SERIAL(EnumType, SER_ENUM_TYPE);
 
 bool EnumType::DoSerialize(SerialInfo* info) const
 	{
 	DO_SERIALIZE(SER_ENUM_TYPE, BroType);
 
-	// I guess we don't really need both ...
 	if ( ! (SERIALIZE(counter) && SERIALIZE((unsigned int) names.size()) &&
-		SERIALIZE(is_export)) )
+		// Dummy boolean for backwards compatibility.
+		SERIALIZE(false)) )
 		return false;
 
 	for ( NameMap::const_iterator iter = names.begin();
@@ -1216,15 +1515,17 @@ bool EnumType::DoUnserialize(UnserialInfo* info)
 	DO_UNSERIALIZE(BroType);
 
 	unsigned int len;
+	bool dummy;
 	if ( ! UNSERIALIZE(&counter) ||
 	     ! UNSERIALIZE(&len) ||
-	     ! UNSERIALIZE(&is_export) )
+	     // Dummy boolean for backwards compatibility.
+	     ! UNSERIALIZE(&dummy) )
 		return false;
 
 	while ( len-- )
 		{
 		const char* name;
-		int val;
+		bro_int_t val;
 		if ( ! (UNSERIALIZE_STR(&name, 0) && UNSERIALIZE(&val)) )
 			return false;
 
@@ -1263,6 +1564,11 @@ int VectorType::MatchesIndex(ListExpr*& index) const
 				MATCHES_INDEX_SCALAR : DOES_NOT_MATCH_INDEX;
 	}
 
+bool VectorType::IsUnspecifiedVector() const
+	{
+	return yield_type->Tag() == TYPE_ANY;
+	}
+
 IMPLEMENT_SERIAL(VectorType, SER_VECTOR_TYPE);
 
 bool VectorType::DoSerialize(SerialInfo* info) const
@@ -1336,7 +1642,9 @@ static int is_init_compat(const BroType* t1, const BroType* t2)
 
 int same_type(const BroType* t1, const BroType* t2, int is_init)
 	{
-	if ( t1 == t2 )
+	if ( t1 == t2 ||
+	     t1->Tag() == TYPE_ANY ||
+	     t2->Tag() == TYPE_ANY )
 		return 1;
 
 	t1 = flatten_type(t1);
@@ -1463,12 +1771,26 @@ int same_type(const BroType* t1, const BroType* t2, int is_init)
 	case TYPE_FILE:
 		return same_type(t1->YieldType(), t2->YieldType(), is_init);
 
+	case TYPE_TYPE:
+		return same_type(t1, t2, is_init);
+
 	case TYPE_UNION:
 		error("union type in same_type()");
 	}
 	return 0;
 	}
 
+int same_attrs(const Attributes* a1, const Attributes* a2)
+	{
+	if ( ! a1 )
+		return (a2 == 0);
+
+	if ( ! a2 )
+		return (a1 == 0);
+
+	return (*a1 == *a2);
+	}
+
 int record_promotion_compatible(const RecordType* /* super_rec */,
 				const RecordType* /* sub_rec */)
 	{
@@ -1540,6 +1862,7 @@ int is_assignable(BroType* t)
 	case TYPE_VECTOR:
 	case TYPE_FILE:
 	case TYPE_TABLE:
+	case TYPE_TYPE:
 		return 1;
 
 	case TYPE_VOID:
@@ -1607,6 +1930,7 @@ BroType* merge_types(const BroType* t1, const BroType* t2)
 	case TYPE_ADDR:
 	case TYPE_NET:
 	case TYPE_SUBNET:
+	case TYPE_BOOL:
 	case TYPE_ANY:
 	case TYPE_ERROR:
 		return base_type(tg1);
diff --git a/src/Type.h b/src/Type.h
index 7778fabc1e..b8cb7e2aa5 100644
--- a/src/Type.h
+++ b/src/Type.h
@@ -6,6 +6,7 @@
 #define type_h
 
 #include <string>
+#include <list>
 #include <map>
 
 #include "Obj.h"
@@ -31,6 +32,7 @@ typedef enum {
 	TYPE_FUNC,
 	TYPE_FILE,
 	TYPE_VECTOR,
+	TYPE_TYPE,
 	TYPE_ERROR
 #define NUM_TYPES (int(TYPE_ERROR) + 1)
 } TypeTag;
@@ -59,9 +61,7 @@ class ListExpr;
 class EnumType;
 class Serializer;
 class VectorType;
-
-extern bool in_global_attr_decl;
-extern RecordType* global_attributes_type;
+class TypeType;
 
 const int DOES_NOT_MATCH_INDEX = 0;
 const int MATCHES_INDEX_SCALAR = 1;
@@ -70,19 +70,11 @@ const int MATCHES_INDEX_VECTOR = 2;
 class BroType : public BroObj {
 public:
 	BroType(TypeTag tag, bool base_type = false);
+	~BroType();
 
 	TypeTag Tag() const		{ return tag; }
 	InternalTypeTag InternalType() const	{ return internal_tag; }
 
-	// Type for the attributes (metadata) on this type.
-	RecordType* AttributesType()
-		{
-		if ( ! attributes_type )
-			attributes_type = global_attributes_type;
-		return attributes_type;
-		}
-	bool SetAttributesType(type_decl_list* attr_types);
-
 	// Whether it's stored in network order.
 	int IsNetworkOrder() const	{ return is_network_order; }
 
@@ -163,6 +155,7 @@ public:
 		CHECK_TYPE_TAG(TYPE_SUBNET, "BroType::AsSubNetType");
 		return (const SubNetType*) this;
 		}
+
 	SubNetType* AsSubNetType()
 		{
 		CHECK_TYPE_TAG(TYPE_SUBNET, "BroType::AsSubNetType");
@@ -204,6 +197,18 @@ public:
 		return (VectorType*) this;
 		}
 
+	const TypeType* AsTypeType() const
+	        {
+		CHECK_TYPE_TAG(TYPE_TYPE, "BroType::AsTypeType");
+		return (TypeType*) this;
+		}
+
+	TypeType* AsTypeType()
+	        {
+		CHECK_TYPE_TAG(TYPE_TYPE, "BroType::AsTypeType");
+		return (TypeType*) this;
+		}
+
 	int IsSet() const
 		{
 		return tag == TYPE_TABLE && (YieldType() == 0);
@@ -211,17 +216,19 @@ public:
 
 	BroType* Ref()		{ ::Ref(this); return this; }
 
-	void MakeGlobalAttributeType()	{ is_global_attributes_type = true; }
-
 	virtual void Describe(ODesc* d) const;
+	virtual void DescribeReST(ODesc* d) const;
 
 	virtual unsigned MemoryAllocation() const;
 
 	bool Serialize(SerialInfo* info) const;
 	static BroType* Unserialize(UnserialInfo* info, TypeTag want = TYPE_ANY);
 
+	void SetTypeID(const char* id)	{ type_id = id; }
+	const char* GetTypeID() const	{ return type_id; }
+
 protected:
-	BroType()	{ attributes_type = 0; }
+	BroType()	{ type_id = 0; }
 
 	void SetError();
 
@@ -232,8 +239,10 @@ private:
 	InternalTypeTag internal_tag;
 	bool is_network_order;
 	bool base_type;
-	bool is_global_attributes_type;
-	RecordType* attributes_type;
+
+	// This type_id field is only used by the documentation framework to
+	// track the names of declared types.
+	const char* type_id;
 };
 
 class TypeList : public BroType {
@@ -289,6 +298,7 @@ public:
 	BroType* YieldType();
 
 	void Describe(ODesc* d) const;
+	void DescribeReST(ODesc* d) const;
 
 	// Returns true if this table is solely indexed by subnet.
 	bool IsSubNetIndex() const;
@@ -363,6 +373,7 @@ public:
 	ID* GetReturnValueID() const;
 
 	void Describe(ODesc* d) const;
+	void DescribeReST(ODesc* d) const;
 
 protected:
 	FuncType()	{ args = 0; arg_types = 0; yield = 0; return_value = 0; }
@@ -375,10 +386,23 @@ protected:
 	ID* return_value;
 };
 
+class TypeType : public BroType {
+public:
+	TypeType(BroType* t) : BroType(TYPE_TYPE)	{ type = t->Ref(); }
+	~TypeType()	{ Unref(type); }
+
+	BroType* Type()	{ return type; }
+
+protected:
+	TypeType()	{}
+
+	BroType* type;
+};
+
 class TypeDecl {
 public:
-	TypeDecl(BroType* t, const char* i, attr_list* attrs = 0);
-	~TypeDecl();
+	TypeDecl(BroType* t, const char* i, attr_list* attrs = 0, bool in_record = false);
+	virtual ~TypeDecl();
 
 	const Attr* FindAttr(attr_tag a) const
 		{ return attrs ? attrs->FindAttr(a) : 0; }
@@ -386,11 +410,24 @@ public:
 	bool Serialize(SerialInfo* info) const;
 	static TypeDecl* Unserialize(UnserialInfo* info);
 
+	virtual void DescribeReST(ODesc* d) const;
+
 	BroType* type;
 	Attributes* attrs;
 	const char* id;
 };
 
+class CommentedTypeDecl : public TypeDecl {
+public:
+	CommentedTypeDecl(BroType* t, const char* i, attr_list* attrs = 0,
+			bool in_record = false, std::list<std::string>* cmnt_list = 0);
+	virtual ~CommentedTypeDecl();
+
+	void DescribeReST(ODesc* d) const;
+
+	std::list<std::string>* comments;
+};
+
 class RecordField {
 public:
 	RecordField(int arg_base, int arg_offset, int arg_total_offset);
@@ -419,14 +456,22 @@ public:
 	// Given an offset, returns the field's name.
 	const char* FieldName(int field) const;
 
+	type_decl_list* Types() { return types; }
+
 	// Given an offset, returns the field's TypeDecl.
 	const TypeDecl* FieldDecl(int field) const;
 	TypeDecl* FieldDecl(int field);
 
 	int NumFields() const			{ return num_fields; }
 
+	// Returns 0 if all is ok, otherwise a pointer to an error message.
+	// Takes ownership of list.
+	const char* AddFields(type_decl_list* types, attr_list* attr);
+
 	void Describe(ODesc* d) const;
+	void DescribeReST(ODesc* d) const;
 	void DescribeFields(ODesc* d) const;
+	void DescribeFieldsReST(ODesc* d, bool func_args) const;
 
 protected:
 	RecordType() { fields = 0; base = 0; types = 0; }
@@ -468,31 +513,59 @@ protected:
 
 class EnumType : public BroType {
 public:
-	EnumType(bool arg_is_export);
+	EnumType();
 	~EnumType();
 
-	// The value of this name is next counter value, which is returned.
-	// A return value of -1 means that the identifier already existed
-	// (and thus could not be used).
-	int AddName(const string& module_name, const char* name);
+	// The value of this name is next internal counter value, starting
+	// with zero. The internal counter is incremented.
+	void AddName(const string& module_name, const char* name, bool is_export);
 
-	// Add in names from the suppled EnumType; the return value is
-	// the value of the last enum added.
-	int AddNamesFrom(const string& module_name, EnumType* et);
+	// The value of this name is set to val. Once a value has been
+	// explicitly assigned using this method, no further names can be
+	// added that aren't likewise explicitly initalized.
+	void AddName(const string& module_name, const char* name, bro_int_t val, bool is_export);
 
 	// -1 indicates not found.
-	int Lookup(const string& module_name, const char* name);
-	const char* Lookup(int value); // Returns 0 if not found
+	bro_int_t Lookup(const string& module_name, const char* name);
+	const char* Lookup(bro_int_t value); // Returns 0 if not found
 
 protected:
-	EnumType()	{}
-
 	DECLARE_SERIAL(EnumType)
 
-	typedef std::map< const char*, int, ltstr > NameMap;
+	virtual void AddNameInternal(const string& module_name,
+			const char* name, bro_int_t val, bool is_export);
+
+	typedef std::map< const char*, bro_int_t, ltstr > NameMap;
 	NameMap names;
-	int counter;
-	bool is_export;
+
+	// The counter is initialized to 0 and incremented on every implicit
+	// auto-increment name that gets added (thus its > 0 if
+	// auto-increment is used).  Once an explicit value has been
+	// specified, the counter is set to -1. This way counter can be used
+	// as a flag to prevent mixing of auto-increment and explicit
+	// enumerator specifications.
+	bro_int_t counter;
+};
+
+class CommentedEnumType: public EnumType {
+public:
+	CommentedEnumType() {}
+	~CommentedEnumType();
+
+	void DescribeReST(ODesc* d) const;
+	void AddComment(const string& module_name, const char* name,
+			std::list<std::string>* comments);
+
+protected:
+	// This overriden method does not install the given ID name into a
+	// scope and it also does not do any kind of checking that the
+	// provided name already exists.
+	void AddNameInternal(const string& module_name, const char* name,
+			bro_int_t val, bool is_export);
+
+	// Comments are only filled when in "documentation mode".
+	typedef std::map< const char*, std::list<std::string>*, ltstr > CommentMap;
+	CommentMap comments;
 };
 
 class VectorType : public BroType {
@@ -503,6 +576,10 @@ public:
 
 	int MatchesIndex(ListExpr*& index) const;
 
+	// Returns true if this table type is "unspecified", which is what one
+	// gets using an empty "vector()" constructor.
+	bool IsUnspecifiedVector() const;
+
 protected:
 	VectorType()	{ yield_type = 0; }
 
@@ -525,6 +602,9 @@ inline BroType* error_type()	{ return base_type(TYPE_ERROR); }
 // test is done in the context of an initialization.
 extern int same_type(const BroType* t1, const BroType* t2, int is_init=0);
 
+// True if the two attribute lists are equivalent.
+extern int same_attrs(const Attributes* a1, const Attributes* a2);
+
 // Returns true if the record sub_rec can be promoted to the record
 // super_rec.
 extern int record_promotion_compatible(const RecordType* super_rec,
diff --git a/src/UDP.cc b/src/UDP.cc
index fc697bf105..21d5b96945 100644
--- a/src/UDP.cc
+++ b/src/UDP.cc
@@ -7,7 +7,6 @@
 #include "Net.h"
 #include "NetVar.h"
 #include "UDP.h"
-#include "UDP_Rewriter.h"
 
 UDP_Analyzer::UDP_Analyzer(Connection* conn)
 : TransportLayerAnalyzer(AnalyzerTag::UDP, conn)
@@ -25,9 +24,6 @@ UDP_Analyzer::~UDP_Analyzer()
 
 void UDP_Analyzer::Init()
 	{
-	if ( transformed_pkt_dump && RewritingTrace() )
-		SetTraceRewriter(new UDP_Rewriter(this, transformed_pkt_dump_MTU,
-					transformed_pkt_dump));
 	}
 
 void UDP_Analyzer::Done()
@@ -164,17 +160,22 @@ void UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
 
 	if ( caplen >= len )
 		ForwardPacket(len, data, is_orig, seq, ip, caplen);
+	}
 
-	if ( TraceRewriter() && current_hdr )
-		((UDP_Rewriter*) TraceRewriter())->NextPacket(is_orig,
-					current_timestamp, current_hdr, current_pkt,
-					current_hdr_size, ip->IP4_Hdr(), up);
+void UDP_Analyzer::UpdateConnVal(RecordVal *conn_val)
+	{
+	int orig_endp_idx = connection_type->FieldOffset("orig");
+	int resp_endp_idx = connection_type->FieldOffset("resp");
+	RecordVal *orig_endp = conn_val->Lookup(orig_endp_idx)->AsRecordVal();
+	RecordVal *resp_endp = conn_val->Lookup(resp_endp_idx)->AsRecordVal();
 
-#if 0
-		// XXX: needs to be implemented fully!
-	if ( src_pkt_writer && current_hdr )
-		src_pkt_writer->NextPacket(current_hdr, current_pkt);
-#endif
+	orig_endp = conn_val->Lookup(orig_endp_idx)->AsRecordVal();
+	resp_endp = conn_val->Lookup(resp_endp_idx)->AsRecordVal();
+	UpdateEndpointVal(orig_endp, 1);
+	UpdateEndpointVal(resp_endp, 0);
+
+	// Call children's UpdateConnVal
+	Analyzer::UpdateConnVal(conn_val);
 	}
 
 void UDP_Analyzer::UpdateEndpointVal(RecordVal* endp, int is_orig)
diff --git a/src/UDP.h b/src/UDP.h
index 6666be998a..b04c5e3ef0 100644
--- a/src/UDP.h
+++ b/src/UDP.h
@@ -6,9 +6,6 @@
 #define udp_h
 
 #include "Analyzer.h"
-#include "Rewriter.h"
-
-class UDP_Rewriter;
 
 typedef enum {
 	UDP_INACTIVE,	// no packet seen
@@ -22,25 +19,25 @@ public:
 
 	virtual void Init();
 
+	virtual void UpdateConnVal(RecordVal *conn_val);
+
 	static Analyzer* InstantiateAnalyzer(Connection* conn)
 		{ return new UDP_Analyzer(conn); }
 
 	static bool Available() { return true; }
 
-	// -- XXX -- only want to return yes if the protocol flag is
-	//  on similar to TCP. (e.g. FTP_Connection etc.) /mc
-	int RewritingTrace() const	{ return 0; }
-
 protected:
 	virtual void Done();
 	virtual void DeliverPacket(int len, const u_char* data, bool orig,
 					int seq, const IP_Hdr* ip, int caplen);
-	virtual void UpdateEndpointVal(RecordVal* endp, int is_orig);
 	virtual bool IsReuse(double t, const u_char* pkt);
 	virtual unsigned int MemoryAllocation() const;
 
 	bro_int_t request_len, reply_len;
 
+private:
+	void UpdateEndpointVal(RecordVal* endp, int is_orig);
+
 #define HIST_ORIG_DATA_PKT 0x1
 #define HIST_RESP_DATA_PKT 0x2
 #define HIST_ORIG_CORRUPT_PKT 0x4
diff --git a/src/UDP_Rewriter.cc b/src/UDP_Rewriter.cc
deleted file mode 100644
index 967f2087f1..0000000000
--- a/src/UDP_Rewriter.cc
+++ /dev/null
@@ -1,362 +0,0 @@
-// $Id:$
-//
-// See the file "COPYING" in the main distribution directory for copyright.
-
-
-#include "config.h"
-
-#include <assert.h>
-#include <stdlib.h>
-
-#include "Event.h"
-#include "Net.h"
-#include "UDP_Rewriter.h"
-
-#define MSG_PREFIX	"UDP trace rewriter: "
-#define DEBUG_MSG_A(x...)
-// #define DEBUG_MSG_A	DEBUG_MSG
-
-
-UDP_Rewriter::UDP_Rewriter(Analyzer* arg_analyzer, int arg_MTU,
-				PacketDumper* arg_dumper)
-	{
-	analyzer = arg_analyzer;
-	MTU = arg_MTU;
-	dumper = arg_dumper;
-	packets_rewritten = 0;
-	current_packet = next_packet = 0;
-
-	if ( anonymize_ip_addr )
-		{
-		anon_addr[0] = anonymize_ip(to_v4_addr(analyzer->Conn()->OrigAddr()),
-						ORIG_ADDR);
-		anon_addr[1] = anonymize_ip(to_v4_addr(analyzer->Conn()->RespAddr()),
-						RESP_ADDR);
-		}
-	else
-		anon_addr[0] = anon_addr[1] = 0;
-	}
-
-void UDP_Rewriter::Done()
-	{
-	}
-
-UDP_Rewriter::~UDP_Rewriter()
-	{
-	delete current_packet;
-	}
-
-void UDP_Rewriter::WriteData(int is_orig, int len, const u_char* data)
-	{
-	DoWriteData(is_orig, len, data);
-	}
-
-void UDP_Rewriter::DoWriteData(int is_orig, int len, const u_char* data)
-	{
- 	struct pcap_pkthdr* hdr;
-	int length = len;
-	ipaddr32_t src = 0, dst = 0;
-
-	current_packet->AppendData(data,len);
-	// Mark data to be written.
-	current_packet->SetModified();
-	}
-
-// Compose the packet so it can be written.
-// Compute UDP/IP checksums, lengths, addresses.
-int UDP_TracePacket::BuildPacket(struct pcap_pkthdr*& hdr,
-				const u_char*& arg_pkt, int& length,
-				ipaddr32_t anon_src, ipaddr32_t anon_dst)
-	{
-	struct ip* ip = (struct ip*) (pkt + ip_offset);
-	struct udphdr* up = (struct udphdr*) (pkt + udp_offset);
-	uint32 sum = 0;
-
-	// Fix IP addresses before computing the UDP checksum
-	if ( anonymize_ip_addr )
-		{
-		ip->ip_src.s_addr = anon_src;
-		ip->ip_dst.s_addr = anon_dst;
-		}
-
-	// Create the IP header.
-	ip->ip_off = 0;
-	ip->ip_sum = 0;
-	ip->ip_hl = (udp_offset - ip_offset) >> 2;
-	ip->ip_len = htons(buffer_offset - ip_offset);
-	ip->ip_off = 0;	// DF = 0, MF = 0, offset = 0
-	ip->ip_sum = 0;
-	ip->ip_sum = 0xffff - ones_complement_checksum((const void*) ip,
-						(udp_offset-ip_offset), sum);
-
-	pcap_hdr.caplen = pcap_hdr.len = buffer_offset;
-
-	hdr = &pcap_hdr;
-	arg_pkt = pkt;
-	length = buffer_offset;
-
-	// Create the UDP header.
-	up->uh_ulen = htons(buffer_offset - udp_offset);
-	up->uh_sum = 0;
-	up->uh_sum = 0xffff - udp_checksum(ip, up, buffer_offset - udp_offset);
-
-	// Create the pcap header.
-	//
-	// The below works around a potential type incompatibility
-	// on systems where pcap's timeval is different from the
-	// system-wide one. --cpk
-	//
-	timeval tv_tmp = double_to_timeval(timestamp);
-	pcap_hdr.ts.tv_sec = tv_tmp.tv_sec;
-	pcap_hdr.ts.tv_usec = tv_tmp.tv_usec;
-	pcap_hdr.caplen = pcap_hdr.len = buffer_offset;
-
-	hdr = &pcap_hdr;
-	arg_pkt = pkt;
-	length = buffer_offset;
-
-	return 1;
-	}
-
-void UDP_Rewriter::NextPacket(int is_orig, double t,
-				const struct pcap_pkthdr* pcap_hdr,
-				const u_char* pcap_pkt, int hdr_size,
-				const struct ip* ip, const struct udphdr* up)
-	{
-	unsigned int ip_hdr_len = ip->ip_hl * 4;
-
-	// Cache the packet ....
-	UDP_TracePacket* p = new UDP_TracePacket(this, t, is_orig,
-				pcap_hdr, /*MTU */ 1024,
-				hdr_size + ip_hdr_len + sizeof(struct udphdr));
-
-	if ( ! p->AppendLinkHeader(pcap_pkt, hdr_size) )
-		internal_error(MSG_PREFIX "cannot append headers -- check MTU");
-
-	if ( ! p->AppendIPHeader((const u_char*) ip, sizeof(*ip)) )
-		internal_error(MSG_PREFIX "cannot append headers -- check MTU");
-
-	if ( ! p->AppendUDPHeader((const u_char*) up, sizeof(*up)) )
-		internal_error(MSG_PREFIX "cannot append headers -- check MTU");
-
-	// We only ever use one packet in UDP.
-	// ### This is potentially a leak.
-	next_packet = current_packet = p;
-	}
-
-void UDP_Rewriter::Push(int)
-	{
-	internal_error("UDP_Rewriter::Push not implemented");
-	}
-
-void UDP_Rewriter::AbortPackets(int)
-	{
-	internal_error("UDP_Rewriter::AbortPackets not implemented");
-	}
-
-unsigned int UDP_Rewriter::ReserveSlot()
-	{
-	internal_error("UDP_Rewriter::ReserveSlot not implemented");
-	return 0;
-	}
-
-int UDP_Rewriter::SeekSlot(unsigned int)
-	{
-	internal_error("UDP_Rewriter::SeekSlot not implemented");
-	return 0;
-	}
-
-int UDP_Rewriter::ReturnFromSlot()
-	{
-	internal_error("UDP_Rewriter::ReturnFromSlot not implemented");
-	return 0;
-	}
-int UDP_Rewriter::ReleaseSlot(unsigned int)
-	{
-	internal_error("UDP_Rewriter::ReleaseSlot not implemented");
-	return 0;
-	}
-
-int UDP_Rewriter::LeaveAddrInTheClear(int is_orig)
-	{
-	internal_error("UDP_Rewriter::LeaveAddrInTheClear not implemented");
-	return 0;
-	}
-
-void UDP_Rewriter::CommitPackets(int commit)
-	{
-	if ( current_packet && current_packet->IsModified() )
-		{
-		ipaddr32_t anon_src = 0, anon_dst = 0;
-
-		if ( current_packet->IsOrig() )
-			{
-			anon_src = anon_addr[0];
-			anon_dst = anon_addr[1];
-			}
-		else
-			{
-			anon_src = anon_addr[1];
-			anon_dst = anon_addr[0];
-			}
-
-		struct pcap_pkthdr* hdr;
-		const u_char* pkt;
-		int len;
-		current_packet->BuildPacket(hdr, pkt, len, anon_src, anon_dst);
-
-		dumper->DumpPacket(hdr, pkt, hdr->caplen);
-		}
-
-	delete current_packet;
-	next_packet = current_packet = 0;
-
-	++packets_rewritten;
-	}
-
-UDP_TracePacket::UDP_TracePacket(UDP_Rewriter* arg_trace_rewriter,
-					double t, int arg_is_orig,
-					const struct pcap_pkthdr* arg_hdr,
-					int MTU, int initial_size)
-	{
-	trace_rewriter = arg_trace_rewriter;
-	pcap_hdr = *arg_hdr;
-	// packet_seq = arg_packet_seq;
-	timestamp = t;
-	is_orig = arg_is_orig;
-	mtu = MTU;
-	buffer_size = initial_size;
-	buffer_offset = 0;
-
-	pkt = new u_char[buffer_size];
-
-	ip_offset = udp_offset = data_offset = -1;
-
-	reuse = 0;
-	on_hold = 0;
-	modified = 0;
-	seq_gap = 0;
-
-	packet_val = 0;
-	packet_val = PacketVal();
-	}
-
-UDP_TracePacket::~UDP_TracePacket()
-	{
-	packet_val->SetOrigin(0);
-	Unref(packet_val);
-	delete [] pkt;
-	}
-
-RecordVal* UDP_TracePacket::PacketVal()
-	{
-	if ( packet_val )
-		Ref(packet_val);
-	else
-		{
-		packet_val = new RecordVal(packet_type);
-		packet_val->Assign(0, TraceRewriter()->GetAnalyzer()->BuildConnVal());
-		packet_val->Assign(1, new Val(IsOrig(), TYPE_BOOL));
-		packet_val->Assign(2, new Val(TimeStamp(), TYPE_TIME));
-		packet_val->SetOrigin(this);
-		}
-
-	return packet_val;
-	}
-
-int UDP_TracePacket::AppendLinkHeader(const u_char* chunk, int len)
-	{
-	if ( ip_offset >= 0 && ip_offset != buffer_offset )
-		internal_error(MSG_PREFIX "link header must be appended before IP header");
-
-	if ( ! Append(chunk, len) )
-		return 0;
-
-	ip_offset = buffer_offset;
-	return 1;
-	}
-
-int UDP_TracePacket::AppendIPHeader(const u_char* chunk, int len)
-	{
-	if ( udp_offset >= 0 && udp_offset != buffer_offset )
-		internal_error(MSG_PREFIX "IP header must be appended before udp header");
-
-	if ( ! Append(chunk, len) )
-		return 0;
-
-	udp_offset = buffer_offset;
-	return 1;
-	}
-
-int UDP_TracePacket::AppendUDPHeader(const u_char* chunk, int len)
-	{
-	if ( data_offset >= 0 && data_offset != buffer_offset )
-		internal_error(MSG_PREFIX "tcp header must be appended before payload");
-
-	if ( udp_offset == buffer_offset )
-		{ // first UDP header chunk
-		int extra = (udp_offset - ip_offset) % 4;
-		if ( extra )
-			{
-			DEBUG_MSG(MSG_PREFIX "padding IP header");
-			if ( ! AppendIPHeader(0, 4 - extra) )
-				return 0;
-			}
-		}
-
-	if ( ! Append(chunk, len) )
-		return 0;
-
-	data_offset = buffer_offset;
-	return 1;
-	}
-
-int UDP_TracePacket::AppendData(const u_char* chunk, int len)
-	{
-	// All headers must be appended before any data.
-	ASSERT(ip_offset >= 0 && udp_offset >= 0 && data_offset >= 0);
-
-	if ( data_offset == buffer_offset )
-		{ // first data chunk
-		int extra = (data_offset - udp_offset) % 4;
-		if ( extra )
-			{
-			if ( ! AppendUDPHeader(0, 4 - extra) )
-				return 0;
-			}
-		}
-
-	if ( ! Append(chunk, len) )
-		return 0;
-
-	return 1;
-	}
-
-int UDP_TracePacket::Append(const u_char* chunk, int len)
-	{
-	if ( buffer_offset + len > buffer_size )
-		{
-		if ( buffer_offset + len > mtu )
-			return 0;
-
-		u_char* tmp = new u_char[mtu];
-		for ( int i = 0 ; i < buffer_size; ++i )
-			tmp[i] = pkt[i];
-
-		delete [] pkt;
-		pkt = tmp;
-		buffer_size = mtu;
-		}
-
-	ASSERT(buffer_offset + len <= buffer_size);
-
-	if ( chunk )
-		memcpy(pkt + buffer_offset, chunk, len);
-	else
-		// Fill with 0.
-		memset(pkt + buffer_offset, 0, len);
-
-	buffer_offset += len;
-
-	return 1;
-	}
diff --git a/src/UDP_Rewriter.h b/src/UDP_Rewriter.h
deleted file mode 100644
index 5fdfd9e5c1..0000000000
--- a/src/UDP_Rewriter.h
+++ /dev/null
@@ -1,138 +0,0 @@
-// $Id:$
-//
-// See the file "COPYING" in the main distribution directory for copyright.
-
-#ifndef udp_rewriter_h
-#define udp_rewriter_h
-
-using namespace std;
-
-#include <queue>
-#include <set>
-
-#include <pcap.h>
-
-#include "Val.h"
-#include "UDP.h"
-#include "Anon.h"
-#include "Rewriter.h"
-#include "PacketDumper.h"
-
-class UDP_TracePacket : public BroObj, virtual public TracePacket {
-public:
-	UDP_TracePacket(UDP_Rewriter* trace_rewriter, double t, int is_orig,
-		    const struct pcap_pkthdr* hdr, int MTU, int initial_size);
-	~UDP_TracePacket();
-
-	int AppendLinkHeader(const u_char* chunk, int len);
-	int AppendIPHeader(const u_char* chunk, int len);
-	int AppendUDPHeader(const u_char* chunk, int len);
-	int AppendData(const u_char* chunk, int len);
-
-	void Reuse();
-	int IsReuse() const	{ return reuse; }
-
-	double TimeStamp() const	{ return timestamp; }
-	int IsOrig() const	{ return is_orig; }
-
-	const struct pcap_pkthdr* Header() const	{ return &pcap_hdr; }
-
-	const u_char* Buffer() const	{ return pkt; }
-	int Length() const	{ return buffer_offset; }
-
-	// Note that Space() does not depend on buffer_size, but depends on MTU.
-	int Space() const	{ return mtu - buffer_offset; }
-
-	void Describe(ODesc* d) const	{ packet_val->Describe(d); }
-	RecordVal* PacketVal();
-	UDP_Rewriter* TraceRewriter() const	{ return trace_rewriter;}
-
-	// has the packet been written to?
-	int IsModified() const	{ return modified; }
-	void SetModified()		{ modified = 1; }
-
-	// BuildPacket() is called before dumping the packet. It sets length
-	// fields and computes checksums in UDP/IP headers.
-	int BuildPacket(struct pcap_pkthdr*& hdr, const u_char*& arg_pkt,
-			int& length, ipaddr32_t anon_src, ipaddr32_t anon_dst);
-
-private:
-	int Append(const u_char* chunk, int len);
-
-	RecordVal* packet_val;
-	UDP_Rewriter* trace_rewriter;
-	double timestamp;
-	int packet_seq;
-	int is_orig;
-	struct pcap_pkthdr pcap_hdr;
-	int mtu;
-	u_char* pkt;	// of maximal length MTU
-	int ip_offset, udp_offset, data_offset;
-	int buffer_size;
-	int buffer_offset;
-	int reuse;	// whether it is an artificially replicated packet
-	int on_hold;	// do not dump it in Flush()
-	int seq_gap;
-	int modified;
-};
-
-class UDP_Rewriter: public Rewriter {
-public:
-	UDP_Rewriter(Analyzer* analyzer, int arg_MTU, PacketDumper* dumper);
-
-	virtual ~UDP_Rewriter();
-
-	void Done();
-
-	// these are the virt funcs in Rewriter....
-	void WriteData(int is_orig, int len, const u_char* data);
-
-	void WriteData(int is_orig, const char* data)
-		{ WriteData(is_orig, strlen(data), data); }
-
-	void WriteData(int is_orig, int len, const char* data)
-		{ WriteData(is_orig, len, (const u_char*) data); }
-
-	void WriteData(int is_orig, const BroString* str)
-		{ WriteData(is_orig, str->Len(), str->Bytes()); }
-
-	Analyzer* GetAnalyzer() const	{ return analyzer; }
-
-	// Not need for udp, but declared in the virtual
-	// and might be useful
-	void Push(int);
-	void AbortPackets(int);
-	void CommitPackets(int);
-	unsigned int ReserveSlot();
-	int SeekSlot(unsigned int);
-	int ReturnFromSlot();
-	int ReleaseSlot(unsigned int);
-
-	TracePacket* CurrentPacket() const	{ return current_packet; };
-	TracePacket* RewritePacket() const	{ return next_packet; };
-
-	// A UDP/IP packet.
-	void NextPacket(int is_orig, double t,
-			const struct pcap_pkthdr* pcap_hdr,
-			const u_char* pcap_pkt,	// link level header
-			int hdr_size,		// link level header size
-			const struct ip* ip, const struct udphdr* tp);
-
-	// Do not anonymize client/server IP address.
-	int LeaveAddrInTheClear(int is_orig);
-
-protected:
-	void DoWriteData(int is_orig, int len, const u_char* data);
-
-	Analyzer* analyzer;
-	PacketDumper* dumper;
-
-	int packets_rewritten;
-	int MTU;
-	ipaddr32_t anon_addr[2];
-
-	UDP_TracePacket* current_packet;
-	UDP_TracePacket* next_packet;
-};
-
-#endif
diff --git a/src/Val.cc b/src/Val.cc
index 91c0159158..e0ba8df9bf 100644
--- a/src/Val.cc
+++ b/src/Val.cc
@@ -414,15 +414,6 @@ bool Val::DoUnserialize(UnserialInfo* info)
 	return false;
 	}
 
-RecordVal* Val::GetAttribs(bool instantiate)
-	{
-	if ( ! instantiate || attribs )
-		return attribs;
-
-	attribs = new RecordVal(type->AttributesType());
-	return attribs;
-	}
-
 int Val::IsZero() const
 	{
 	switch ( type->InternalType() ) {
@@ -524,7 +515,12 @@ Val* Val::SizeVal() const
 	{
 	switch ( type->InternalType() ) {
 	case TYPE_INTERNAL_INT:
-		return new Val(abs(val.int_val), TYPE_COUNT);
+		// Return abs value. However abs() only works on ints and llabs
+		// doesn't work on Mac OS X 10.5. So we do it by hand
+		if ( val.int_val < 0 )
+			return new Val(-val.int_val, TYPE_COUNT);
+		else
+			return new Val(val.int_val, TYPE_COUNT);
 
 	case TYPE_INTERNAL_UNSIGNED:
 		return new Val(val.uint_val, TYPE_COUNT);
@@ -578,6 +574,11 @@ void Val::Describe(ODesc* d) const
 		Val::ValDescribe(d);
 	}
 
+void Val::DescribeReST(ODesc* d) const
+	{
+	ValDescribeReST(d);
+	}
+
 void Val::ValDescribe(ODesc* d) const
 	{
 	if ( d->IsReadable() && type->Tag() == TYPE_BOOL )
@@ -619,6 +620,20 @@ void Val::ValDescribe(ODesc* d) const
 	}
 	}
 
+void Val::ValDescribeReST(ODesc* d) const
+	{
+	switch ( type->InternalType() ) {
+	case TYPE_INTERNAL_OTHER:
+		Describe(d);
+		break;
+
+	default:
+		d->Add("``");
+		ValDescribe(d);
+		d->Add("``");
+	}
+	}
+
 MutableVal::~MutableVal()
 	{
 	for ( list<ID*>::iterator i = aliases.begin(); i != aliases.end(); ++i )
@@ -1738,7 +1753,7 @@ void TableVal::CheckExpireAttr(attr_tag at)
 			a->AttrExpr()->Error("value of timeout not fixed");
 			return;
 			}
-		
+
 		expire_time = timeout->AsInterval();
 
 		if ( timer )
@@ -2027,7 +2042,23 @@ Val* TableVal::Default(Val* index)
 		return 0;
 
 	if ( ! def_val )
-		def_val = def_attr->AttrExpr()->Eval(0);
+		{
+		BroType* ytype = Type()->YieldType();
+		BroType* dtype = def_attr->AttrExpr()->Type();
+
+		if ( dtype->Tag() == TYPE_RECORD && ytype->Tag() == TYPE_RECORD &&
+		     ! same_type(dtype, ytype) &&
+		     record_promotion_compatible(dtype->AsRecordType(),
+						 ytype->AsRecordType()) )
+			{
+			Expr* coerce = new RecordCoerceExpr(def_attr->AttrExpr(), ytype->AsRecordType());
+			def_val = coerce->Eval(0);
+			Unref(coerce);
+			}
+
+		else
+			def_val = def_attr->AttrExpr()->Eval(0);
+		}
 
 	if ( ! def_val )
 		{
@@ -2835,7 +2866,7 @@ RecordVal::RecordVal(RecordType* t) : MutableVal(t)
 			else if ( tag == TYPE_TABLE )
 				def = new TableVal(type->AsTableType(), a);
 
-			else if ( t->Tag() == TYPE_VECTOR )
+			else if ( tag == TYPE_VECTOR )
 				def = new VectorVal(type->AsVectorType());
 			}
 
@@ -2852,7 +2883,7 @@ RecordVal::~RecordVal()
 
 void RecordVal::Assign(int field, Val* new_val, Opcode op)
 	{
-	if ( Lookup(field) &&
+	if ( new_val && Lookup(field) &&
 	     record_type->FieldType(field)->Tag() == TYPE_TABLE &&
 	     new_val->AsTableVal()->FindAttr(ATTR_MERGEABLE) )
 		{
@@ -2897,6 +2928,84 @@ Val* RecordVal::Lookup(int field) const
 	return (*AsRecord())[field];
 	}
 
+Val* RecordVal::LookupWithDefault(int field) const
+	{
+	Val* val = (*AsRecord())[field];
+
+	if ( val )
+		return val->Ref();
+
+	// Check for &default.
+	const Attr* def_attr =
+		record_type->FieldDecl(field)->attrs->FindAttr(ATTR_DEFAULT);
+
+	return def_attr ? def_attr->AttrExpr()->Eval(0) : 0;
+	}
+
+RecordVal* RecordVal::CoerceTo(const RecordType* t, Val* aggr) const
+	{
+	if ( ! record_promotion_compatible(t->AsRecordType(), Type()->AsRecordType()) )
+		return 0;
+
+	if ( ! aggr )
+		aggr = new RecordVal(const_cast<RecordType*>(t->AsRecordType()));
+
+	RecordVal* ar = aggr->AsRecordVal();
+	RecordType* ar_t = aggr->Type()->AsRecordType();
+
+	const RecordType* rv_t = Type()->AsRecordType();
+
+	int i;
+	for ( i = 0; i < rv_t->NumFields(); ++i )
+		{
+		int t_i = ar_t->FieldOffset(rv_t->FieldName(i));
+
+		if ( t_i < 0 )
+			{
+			char buf[512];
+			safe_snprintf(buf, sizeof(buf),
+					"orphan field \"%s\" in initialization",
+					rv_t->FieldName(i));
+			Error(buf);
+			break;
+			}
+
+		if ( ar_t->FieldType(t_i)->Tag() == TYPE_RECORD
+				&& ! same_type(ar_t->FieldType(t_i), Lookup(i)->Type()) )
+			{
+			Expr* rhs = new ConstExpr(Lookup(i)->Ref());
+			Expr* e = new RecordCoerceExpr(rhs, ar_t->FieldType(t_i)->AsRecordType());
+			ar->Assign(t_i, e->Eval(0));
+			continue;
+			}
+
+		ar->Assign(t_i, Lookup(i)->Ref());
+		}
+
+	for ( i = 0; i < ar_t->NumFields(); ++i )
+		if ( ! ar->Lookup(i) &&
+			 ! ar_t->FieldDecl(i)->FindAttr(ATTR_OPTIONAL) )
+			{
+			char buf[512];
+			safe_snprintf(buf, sizeof(buf),
+					"non-optional field \"%s\" missing in initialization", ar_t->FieldName(i));
+			Error(buf);
+			}
+
+	return ar;
+	}
+
+RecordVal* RecordVal::CoerceTo(RecordType* t)
+	{
+	if ( same_type(Type(), t) )
+		{
+		this->Ref();
+		return this;
+		}
+
+	return CoerceTo(t, 0);
+	}
+
 void RecordVal::Describe(ODesc* d) const
 	{
 	const val_list* vl = AsRecord();
@@ -2933,6 +3042,34 @@ void RecordVal::Describe(ODesc* d) const
 		d->Add("]");
 	}
 
+void RecordVal::DescribeReST(ODesc* d) const
+	{
+	const val_list* vl = AsRecord();
+	int n = vl->length();
+
+	d->Add("{");
+	d->PushIndent();
+
+	loop_over_list(*vl, i)
+		{
+		if ( i > 0 )
+			d->NL();
+
+		d->Add(record_type->FieldName(i));
+		d->Add("=");
+
+		Val* v = (*vl)[i];
+
+		if ( v )
+			v->Describe(d);
+		else
+			d->Add("<uninitialized>");
+		}
+
+	d->PopIndent();
+	d->Add("}");
+	}
+
 IMPLEMENT_SERIAL(RecordVal, SER_RECORD_VAL);
 
 bool RecordVal::DoSerialize(SerialInfo* info) const
@@ -3094,15 +3231,6 @@ bool VectorVal::Assign(unsigned int index, Val* element, const Expr* assigner,
 		return false;
 		}
 
-	if ( index == 0 || index > (1 << 30) )
-		{
-		if ( assigner )
-			assigner->Error(fmt("index (%d) must be positive",
-						index));
-		Unref(element);
-		return true;	// true = "no fatal error"
-		}
-
 	BroType* yt = Type()->AsVectorType()->YieldType();
 
 	if ( yt && yt->Tag() == TYPE_TABLE &&
@@ -3117,7 +3245,7 @@ bool VectorVal::Assign(unsigned int index, Val* element, const Expr* assigner,
 				Val* ival = new Val(index, TYPE_COUNT);
 				StateAccess::Log(new StateAccess(OP_ASSIGN_IDX,
 						this, ival, element,
-						(*val.vector_val)[index - 1]));
+						(*val.vector_val)[index]));
 				Unref(ival);
 				}
 
@@ -3127,10 +3255,10 @@ bool VectorVal::Assign(unsigned int index, Val* element, const Expr* assigner,
 			}
 		}
 
-	if ( index <= val.vector_val->size() )
-		Unref((*val.vector_val)[index - 1]);
+	if ( index < val.vector_val->size() )
+		Unref((*val.vector_val)[index]);
 	else
-		val.vector_val->resize(index);
+		val.vector_val->resize(index + 1);
 
 	if ( LoggingAccess() && op != OP_NONE )
 		{
@@ -3141,14 +3269,14 @@ bool VectorVal::Assign(unsigned int index, Val* element, const Expr* assigner,
 
 		StateAccess::Log(new StateAccess(op == OP_INCR ?
 				OP_INCR_IDX : OP_ASSIGN_IDX,
-				this, ival, element, (*val.vector_val)[index - 1]));
+				this, ival, element, (*val.vector_val)[index]));
 		Unref(ival);
 		}
 
 	// Note: we do *not* Ref() the element, if any, at this point.
 	// AssignExpr::Eval() already does this; other callers must remember
 	// to do it similarly.
-	(*val.vector_val)[index - 1] = element;
+	(*val.vector_val)[index] = element;
 
 	Modified();
 	return true;
@@ -3157,7 +3285,7 @@ bool VectorVal::Assign(unsigned int index, Val* element, const Expr* assigner,
 bool VectorVal::AssignRepeat(unsigned int index, unsigned int how_many,
 				Val* element, const Expr* assigner)
 	{
-	ResizeAtLeast(index + how_many - 1);
+	ResizeAtLeast(index + how_many);
 
 	for ( unsigned int i = index; i < index + how_many; ++i )
 		if ( ! Assign(i, element, assigner) )
@@ -3169,10 +3297,10 @@ bool VectorVal::AssignRepeat(unsigned int index, unsigned int how_many,
 
 Val* VectorVal::Lookup(unsigned int index) const
 	{
-	if ( index == 0 || index > val.vector_val->size() )
+	if ( index >= val.vector_val->size() )
 		return 0;
 
-	return (*val.vector_val)[index - 1];
+	return (*val.vector_val)[index];
 	}
 
 unsigned int VectorVal::Resize(unsigned int new_num_elements)
@@ -3261,7 +3389,7 @@ bool VectorVal::DoUnserialize(UnserialInfo* info)
 		{
 		Val* v;
 		UNSERIALIZE_OPTIONAL(v, Val::Unserialize(info, TYPE_ANY));
-		Assign(i + VECTOR_MIN, v, 0);
+		Assign(i, v, 0);
 		}
 
 	return true;
@@ -3297,6 +3425,10 @@ Val* check_and_promote(Val* v, const BroType* t, int is_init)
 	TypeTag t_tag = t->Tag();
 	TypeTag v_tag = vt->Tag();
 
+	// More thought definitely needs to go into this.
+	if ( t_tag == TYPE_ANY || v_tag == TYPE_ANY )
+		return v;
+
 	if ( ! EitherArithmetic(t_tag, v_tag) ||
 	     /* allow sets as initializers */
 	     (is_init && v_tag == TYPE_TABLE) )
diff --git a/src/Val.h b/src/Val.h
index 925015c9c1..76edea5429 100644
--- a/src/Val.h
+++ b/src/Val.h
@@ -39,6 +39,7 @@ class TableVal;
 class RecordVal;
 class ListVal;
 class StringVal;
+class EnumVal;
 class MutableVal;
 
 class StateAccess;
@@ -87,7 +88,7 @@ public:
 #endif
 		}
 
-	Val(int i, TypeTag t)
+	Val(int32 i, TypeTag t)
 		{
 		val.int_val = bro_int_t(i);
 		type = base_type(t);
@@ -97,17 +98,7 @@ public:
 #endif
 		}
 
-	Val(long i, TypeTag t)
-		{
-		val.int_val = bro_int_t(i);
-		type = base_type(t);
-		attribs = 0;
-#ifdef DEBUG
-		bound_id = 0;
-#endif
-		}
-
-	Val(unsigned int u, TypeTag t)
+	Val(uint32 u, TypeTag t)
 		{
 		val.uint_val = bro_uint_t(u);
 		type = base_type(t);
@@ -117,17 +108,6 @@ public:
 #endif
 		}
 
-	Val(unsigned long u, TypeTag t)
-		{
-		val.uint_val = bro_uint_t(u);
-		type = base_type(t);
-		attribs = 0;
-#ifdef DEBUG
-		bound_id = 0;
-#endif
-		}
-
-#ifdef USE_INT64
 	Val(int64 i, TypeTag t)
 		{
 		val.int_val = i;
@@ -147,7 +127,6 @@ public:
 		bound_id = 0;
 #endif
 		}
-#endif // USE_INT64
 
 	Val(double d, TypeTag t)
 		{
@@ -165,6 +144,15 @@ public:
 	// class has ref'd it.
 	Val(BroFile* f);
 
+	Val(BroType* t, bool type_type) // Extra arg to differentiate from protected version.
+		{
+		type = new TypeType(t->Ref());
+		attribs = 0;
+#ifdef DEBUG
+		bound_id = 0;
+#endif
+		}
+
 	Val()
 		{
 		val.int_val = 0;
@@ -180,13 +168,6 @@ public:
 	Val* Ref()			{ ::Ref(this); return this; }
 	virtual Val* Clone() const;
 
-	RecordVal* GetAttribs(bool instantiate);
-	void SetAttribs(RecordVal* arg_attribs)
-		{
-		Unref((Val*) attribs);
-		attribs = arg_attribs;
-		}
-
 	int IsZero() const;
 	int IsOne() const;
 
@@ -254,6 +235,12 @@ public:
 		return &val.subnet_val;
 		}
 
+	BroType* AsType() const
+		{
+		CHECK_TAG(type->Tag(), TYPE_TYPE, "Val::Type", type_name)
+		return type;
+		}
+
 	// ... in network byte order
 	const addr_type AsAddr() const
 		{
@@ -304,6 +291,7 @@ public:
 	CONVERTER(TYPE_LIST, ListVal*, AsListVal)
 	CONVERTER(TYPE_STRING, StringVal*, AsStringVal)
 	CONVERTER(TYPE_VECTOR, VectorVal*, AsVectorVal)
+	CONVERTER(TYPE_ENUM, EnumVal*, AsEnumVal)
 
 #define CONST_CONVERTER(tag, ctype, name) \
 	const ctype name() const \
@@ -342,6 +330,7 @@ public:
 		}
 
 	void Describe(ODesc* d) const;
+	virtual void DescribeReST(ODesc* d) const;
 
 	bool Serialize(SerialInfo* info) const;
 	static Val* Unserialize(UnserialInfo* info, TypeTag type = TYPE_ANY)
@@ -376,6 +365,7 @@ protected:
 		}
 
 	virtual void ValDescribe(ODesc* d) const;
+	virtual void ValDescribeReST(ODesc* d) const;
 
 	Val(TypeTag t)
 		{
@@ -921,7 +911,8 @@ public:
 		{ return new Val(record_type->NumFields(), TYPE_COUNT); }
 
 	void Assign(int field, Val* new_val, Opcode op = OP_ASSIGN);
-	Val* Lookup(int field) const;
+	Val* Lookup(int field) const;	// Does not Ref() value.
+	Val* LookupWithDefault(int field) const;	// Does Ref() value.
 
 	void Describe(ODesc* d) const;
 
@@ -930,7 +921,19 @@ public:
 	void SetOrigin(BroObj* o)	{ origin = o; }
 	BroObj* GetOrigin() const	{ return origin; }
 
+	// Returns a new value representing the value coerced to the given
+	// type. If coercion is not possible, returns 0. The non-const
+	// version may return the current value ref'ed if its type matches
+	// directly.
+	//
+	// *aggr* is optional; if non-zero, we add to it. See
+	// Expr::InitVal(). We leave it out in the non-const version to make
+	// the choice unambigious.
+	RecordVal* CoerceTo(const RecordType* other, Val* aggr) const;
+	RecordVal* CoerceTo(RecordType* other);
+
 	unsigned int MemoryAllocation() const;
+	void DescribeReST(ODesc* d) const;
 
 protected:
 	friend class Val;
@@ -966,9 +969,6 @@ protected:
 };
 
 
-// The minimum index for vectors (0 or 1).
-const int VECTOR_MIN = 1;
-
 class VectorVal : public MutableVal {
 public:
 	VectorVal(VectorType* t);
diff --git a/src/Var.cc b/src/Var.cc
index b107156b3a..00ac734c0a 100644
--- a/src/Var.cc
+++ b/src/Var.cc
@@ -12,6 +12,8 @@
 #include "RemoteSerializer.h"
 #include "EventRegistry.h"
 
+extern int generate_documentation;
+
 static Val* init_val(Expr* init, const BroType* t, Val* aggr)
 	{
 	return init->InitVal(t, aggr);
@@ -107,7 +109,7 @@ static void make_var(ID* id, BroType* t, init_class c, Expr* init,
 	id->SetType(t);
 
 	if ( attr )
-		id->AddAttrs(new Attributes(attr, t));
+		id->AddAttrs(new Attributes(attr, t, false));
 
 	if ( id->FindAttr(ATTR_PERSISTENT) || id->FindAttr(ATTR_SYNCHRONIZED) )
 		{
@@ -170,6 +172,16 @@ static void make_var(ID* id, BroType* t, init_class c, Expr* init,
 		}
 
 	id->UpdateValAttrs();
+
+	if ( t && t->Tag() == TYPE_FUNC && t->AsFuncType()->IsEvent() )
+		{
+		// For events, add a function value (without any body) here so that
+		// we can later access the ID even if no implementations have been
+		// defined.
+		Func* f = new BroFunc(id, 0, 0, 0);
+		id->SetVal(new Val(f));
+		id->SetConst();
+		}
 	}
 
 
@@ -217,11 +229,65 @@ extern Expr* add_and_assign_local(ID* id, Expr* init, Val* val)
 
 void add_type(ID* id, BroType* t, attr_list* attr, int /* is_event */)
 	{
-	id->SetType(t);
+	BroType* tnew = t;
+
+	// In "documentation mode", we'd like to to be able to associate
+	// an identifier name with a declared type.  Dealing with declared
+	// types that are "aliases" to a builtin type requires that the BroType
+	// is cloned before setting the identifier name that resolves to it.
+	// And still this is not enough to document cases where the declared type
+	// is an alias for another declared type -- but that's not a natural/common
+	// practice.  If documenting that corner case is desired, one way
+	// is to add an ID* to class ID that tracks aliases and set it here if
+	// t->GetTypeID() is true.
+	if ( generate_documentation )
+		{
+		switch ( t->Tag() ) {
+		// Only "shallow" copy types that may contain records because
+		// we want to be able to see additions to the original record type's
+		// list of fields
+		case TYPE_RECORD:
+			tnew = new RecordType(t->AsRecordType()->Types());
+			break;
+		case TYPE_TABLE:
+			tnew = new TableType(t->AsTableType()->Indices(),
+			                     t->AsTableType()->YieldType());
+			break;
+		case TYPE_VECTOR:
+			tnew = new VectorType(t->AsVectorType()->YieldType());
+			break;
+		case TYPE_FUNC:
+			tnew = new FuncType(t->AsFuncType()->Args(),
+			                    t->AsFuncType()->YieldType(),
+			                    t->AsFuncType()->IsEvent());
+			break;
+		default:
+			SerializationFormat* form = new BinarySerializationFormat();
+			form->StartWrite();
+			CloneSerializer ss(form);
+			SerialInfo sinfo(&ss);
+			sinfo.cache = false;
+
+			t->Serialize(&sinfo);
+			char* data;
+			uint32 len = form->EndWrite(&data);
+			form->StartRead(data, len);
+
+			UnserialInfo uinfo(&ss);
+			uinfo.cache = false;
+			tnew = t->Unserialize(&uinfo);
+
+			delete [] data;
+		}
+
+		tnew->SetTypeID(copy_string(id->Name()));
+		}
+
+	id->SetType(tnew);
 	id->MakeType();
 
 	if ( attr )
-		id->SetAttrs(new Attributes(attr, t));
+		id->SetAttrs(new Attributes(attr, tnew, false));
 	}
 
 void begin_func(ID* id, const char* module_name, function_flavor flavor,
@@ -343,6 +409,18 @@ Val* internal_val(const char* name)
 	return id->ID_Val();
 	}
 
+Val* internal_const_val(const char* name)
+	{
+	ID* id = lookup_ID(name, GLOBAL_MODULE_NAME);
+	if ( ! id )
+		internal_error("internal variable %s missing", name);
+
+	if ( ! id->IsConst() )
+		internal_error("internal variable %s is not constant", name);
+
+	return id->ID_Val();
+	}
+
 Val* opt_internal_val(const char* name)
 	{
 	ID* id = lookup_ID(name, GLOBAL_MODULE_NAME);
diff --git a/src/Var.h b/src/Var.h
index 3be8ecc079..f1cbcda87b 100644
--- a/src/Var.h
+++ b/src/Var.h
@@ -27,6 +27,7 @@ extern void begin_func(ID* id, const char* module_name, function_flavor flavor,
 extern void end_func(Stmt* body, attr_list* attrs = 0);
 
 extern Val* internal_val(const char* name);
+extern Val* internal_const_val(const char* name); // internal error if not const
 extern Val* opt_internal_val(const char* name);	// returns nil if not defined
 extern double opt_internal_double(const char* name);
 extern bro_int_t opt_internal_int(const char* name);
diff --git a/src/X509.cc b/src/X509.cc
index c8975cc581..9de73d2a9d 100644
--- a/src/X509.cc
+++ b/src/X509.cc
@@ -192,7 +192,7 @@ int X509_Cert::verifyChain(Contents_SSL* e, const u_char* data, uint32 len)
 	// but in chain format).
 
 	// Init the stack.
-	STACK_OF(X509)* untrustedCerts = sk_new_null();
+	STACK_OF(X509)* untrustedCerts = sk_X509_new_null();
 	if ( ! untrustedCerts )
 		{
 		// Internal error allocating stack of untrusted certs.
@@ -233,7 +233,7 @@ int X509_Cert::verifyChain(Contents_SSL* e, const u_char* data, uint32 len)
 		else
 			// The remaining certificates (if any) are put into
 			// the list of untrusted certificates
-			sk_push(untrustedCerts, (char*) pTemp);
+			sk_X509_push(untrustedCerts, pTemp);
 
 		tempLength += certLength + 3;
 		}
@@ -259,7 +259,7 @@ int X509_Cert::verifyChain(Contents_SSL* e, const u_char* data, uint32 len)
 	// Free the stack, incuding. contents.
 
 	// FIXME: could this break Bro's memory tracking?
-	sk_pop_free(untrustedCerts, free);
+	sk_X509_pop_free(untrustedCerts, X509_free);
 
 	return ret;
 	}
diff --git a/src/XDR.cc b/src/XDR.cc
index 4e6a05ff10..bea34b575e 100644
--- a/src/XDR.cc
+++ b/src/XDR.cc
@@ -17,13 +17,13 @@ uint32 extract_XDR_uint32(const u_char*& buf, int& len)
 		return 0;
 		}
 
-	uint32 bits32 = XDR_aligned(buf) ? *(uint32*) buf :
-		((buf[0] << 24) | (buf[1] << 16) | (buf[2] << 8) | buf[3]);
+	// Takes care of alignment and endianess differences. 
+	uint32 bits32 = (buf[0] << 24) | (buf[1] << 16) | (buf[2] << 8) | buf[3];
 
 	buf += 4;
 	len -= 4;
 
-	return ntohl(bits32);
+	return bits32;
 	}
 
 double extract_XDR_uint64_as_double(const u_char*& buf, int& len)
diff --git a/src/XDR.h b/src/XDR.h
index 070e13ee6c..047acd90f5 100644
--- a/src/XDR.h
+++ b/src/XDR.h
@@ -10,11 +10,6 @@
 
 #include "util.h"
 
-inline int XDR_aligned(const u_char* buf)
-	{
-	return (((unsigned long) buf) & 0x3) == 0;
-	}
-
 extern uint32 extract_XDR_uint32(const u_char*& buf, int& len);
 extern double extract_XDR_uint64_as_double(const u_char*& buf, int& len);
 extern double extract_XDR_time(const u_char*& buf, int& len);
diff --git a/src/bif_arg.cc b/src/bif_arg.cc
index 2befed495a..5900c117eb 100644
--- a/src/bif_arg.cc
+++ b/src/bif_arg.cc
@@ -24,7 +24,6 @@ static struct {
 };
 
 extern const char* arg_list_name;
-extern set<string> enum_types;
 
 BuiltinFuncArg::BuiltinFuncArg(const char* arg_name, int arg_type)
 	{
@@ -45,9 +44,6 @@ BuiltinFuncArg::BuiltinFuncArg(const char* arg_name, const char* arg_type_str)
 			type = i;
 			type_str = "";
 			}
-
-	if ( enum_types.find(type_str) != enum_types.end() )
-		type = TYPE_ENUM;
 	}
 
 void BuiltinFuncArg::PrintBro(FILE* fp)
@@ -75,21 +71,11 @@ void BuiltinFuncArg::PrintCArg(FILE* fp, int n)
 	{
 	const char* ctype = builtin_func_arg_type[type].c_type;
 	char buf[1024];
-	if ( type == TYPE_ENUM )
-		{
-		snprintf(buf, sizeof(buf),
-			builtin_func_arg_type[type].c_type, type_str);
-		ctype = buf;
-		}
 
 	fprintf(fp, "%s %s", ctype, name);
 	}
 
 void BuiltinFuncArg::PrintBroValConstructor(FILE* fp)
 	{
-	if ( type == TYPE_ENUM )
-		fprintf(fp, builtin_func_arg_type[type].constructor,
-			name, type_str);
-	else
-		fprintf(fp, builtin_func_arg_type[type].constructor, name);
+	fprintf(fp, builtin_func_arg_type[type].constructor, name);
 	}
diff --git a/src/bif_type.def b/src/bif_type.def
index 94e12997e8..84179be1c3 100644
--- a/src/bif_type.def
+++ b/src/bif_type.def
@@ -22,5 +22,4 @@ DEFINE_BIF_TYPE(TYPE_STRING, 	"string", "string", "StringVal*", 	"%s->AsStringVa
 // DEFINE_BIF_TYPE(TYPE_STRING, 	"string", "string", "BroString*", 	"%s->AsString()",	"new StringVal(%s)")
 DEFINE_BIF_TYPE(TYPE_SUBNET, 	"subnet", "subnet", "SubNetVal*", 	"%s->AsSubNetVal()",	"%s")
 DEFINE_BIF_TYPE(TYPE_TIME, 	"time", "time", "double", 		"%s->AsTime()", 	"new Val(%s, TYPE_TIME)")
-DEFINE_BIF_TYPE(TYPE_ENUM, 	"", "", "BroEnum::%s", 			"%s->InternalInt()",	"new EnumVal(%s, enum_%s)")
 DEFINE_BIF_TYPE(TYPE_OTHER, 	"", "", "Val*", 			"%s", 			"%s")
diff --git a/src/bittorrent-analyzer.pac b/src/bittorrent-analyzer.pac
index f159588f0b..7e8678b7de 100644
--- a/src/bittorrent-analyzer.pac
+++ b/src/bittorrent-analyzer.pac
@@ -64,7 +64,7 @@ flow BitTorrent_Flow(is_orig: bool) {
 		handshake_ok = true;
 		if ( ::bittorrent_peer_handshake )
 			{
-			bro_event_bittorrent_peer_handshake(
+			BifEvent::generate_bittorrent_peer_handshake(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(),
@@ -82,7 +82,7 @@ flow BitTorrent_Flow(is_orig: bool) {
 		%{
 		if ( ::bittorrent_peer_keep_alive )
 			{
-			bro_event_bittorrent_peer_keep_alive(
+			BifEvent::generate_bittorrent_peer_keep_alive(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig());
@@ -95,7 +95,7 @@ flow BitTorrent_Flow(is_orig: bool) {
 		%{
 		if ( ::bittorrent_peer_choke )
 			{
-			bro_event_bittorrent_peer_choke(
+			BifEvent::generate_bittorrent_peer_choke(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig());
@@ -108,7 +108,7 @@ flow BitTorrent_Flow(is_orig: bool) {
 		%{
 		if ( ::bittorrent_peer_unchoke )
 			{
-			bro_event_bittorrent_peer_unchoke(
+			BifEvent::generate_bittorrent_peer_unchoke(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig());
@@ -121,7 +121,7 @@ flow BitTorrent_Flow(is_orig: bool) {
 		%{
 		if ( ::bittorrent_peer_interested )
 			{
-			bro_event_bittorrent_peer_interested(
+			BifEvent::generate_bittorrent_peer_interested(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig());
@@ -134,7 +134,7 @@ flow BitTorrent_Flow(is_orig: bool) {
 		%{
 		if ( ::bittorrent_peer_not_interested )
 			{
-			bro_event_bittorrent_peer_not_interested(
+			BifEvent::generate_bittorrent_peer_not_interested(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig());
@@ -147,7 +147,7 @@ flow BitTorrent_Flow(is_orig: bool) {
 		%{
 		if ( ::bittorrent_peer_have )
 			{
-			bro_event_bittorrent_peer_have(
+			BifEvent::generate_bittorrent_peer_have(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(),
@@ -161,7 +161,7 @@ flow BitTorrent_Flow(is_orig: bool) {
 		%{
 		if ( ::bittorrent_peer_bitfield )
 			{
-			bro_event_bittorrent_peer_bitfield(
+			BifEvent::generate_bittorrent_peer_bitfield(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(),
@@ -176,7 +176,7 @@ flow BitTorrent_Flow(is_orig: bool) {
 		%{
 		if ( ::bittorrent_peer_request )
 			{
-			bro_event_bittorrent_peer_request(
+			BifEvent::generate_bittorrent_peer_request(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(),
@@ -191,7 +191,7 @@ flow BitTorrent_Flow(is_orig: bool) {
 		%{
 		if ( ::bittorrent_peer_piece )
 			{
-			bro_event_bittorrent_peer_piece(
+			BifEvent::generate_bittorrent_peer_piece(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(),
@@ -206,7 +206,7 @@ flow BitTorrent_Flow(is_orig: bool) {
 		%{
 		if ( ::bittorrent_peer_cancel )
 			{
-			bro_event_bittorrent_peer_cancel(
+			BifEvent::generate_bittorrent_peer_cancel(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(),
@@ -220,7 +220,7 @@ flow BitTorrent_Flow(is_orig: bool) {
 		%{
 		if ( ::bittorrent_peer_port )
 			{
-			bro_event_bittorrent_peer_port(
+			BifEvent::generate_bittorrent_peer_port(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(),
@@ -234,7 +234,7 @@ flow BitTorrent_Flow(is_orig: bool) {
 		%{
 		if ( ::bittorrent_peer_unknown )
 			{
-			bro_event_bittorrent_peer_unknown(
+			BifEvent::generate_bittorrent_peer_unknown(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(),
diff --git a/src/bro.bif b/src/bro.bif
index a4111bb041..014120828e 100644
--- a/src/bro.bif
+++ b/src/bro.bif
@@ -222,25 +222,15 @@ static void do_fmt(const char*& fmt, Val* v, ODesc* d)
 					u = ntohl(uint32(u));
 				}
 
-#ifdef USE_INT64
 			snprintf(fmt_buf, sizeof(fmt_buf), "%%%s%s", num_fmt,
 					*fmt == 'd' ? "llu" : "llx");
-#else
-			snprintf(fmt_buf, sizeof(fmt_buf), "%%%s%c", num_fmt,
-					*fmt == 'd' ? 'u' : 'x');
-#endif
 			snprintf(out_buf, sizeof(out_buf), fmt_buf, u);
 			}
 
 		else
 			{
-#ifdef USE_INT64
 			snprintf(fmt_buf, sizeof(fmt_buf), "%%%s%s", num_fmt,
 					*fmt == 'd' ? "lld" : "llx");
-#else
-			snprintf(fmt_buf, sizeof(fmt_buf), "%%%s%c", num_fmt,
-					*fmt == 'd' ? 'd' : 'x');
-#endif
 			snprintf(out_buf, sizeof(out_buf), fmt_buf,
 					v->CoerceToInt());
 			}
@@ -370,6 +360,26 @@ function cat%(...%): string
 	return new StringVal(s);
 	%}
 
+function record_type_to_vector%(rt: string%): string_vec
+	%{
+	VectorVal* result =
+		new VectorVal(internal_type("string_vec")->AsVectorType());
+
+	RecordType *type = internal_type(rt->CheckString())->AsRecordType();
+
+	if ( type )
+		{
+		for ( int i = 0; i < type->NumFields(); ++i )
+			{
+			StringVal* val = new StringVal(type->FieldName(i));
+			result->Assign(i+1, val, 0);
+			}
+		}
+
+	return result;
+	%}
+
+
 function cat_sep%(sep: string, def: string, ...%): string
 	%{
 	ODesc d;
@@ -476,15 +486,15 @@ function to_count%(str: string%): count
 	%{
 	const char* s = str->CheckString();
 	char* end_s;
-
-	long l = strtol(s, &end_s, 10);
-	uint32 u = uint32(l);
-
-#if 0
+	
+	uint64 u = (uint64) strtoll(s, &end_s, 10);
+	
 	if ( s[0] == '\0' || end_s[0] != '\0' )
-		builtin_run_time("bad conversion to count", @ARGS@[0]);
-#endif
-
+    	{
+		builtin_run_time("bad conversion to count", @ARG@[0]);
+        u = 0;
+        }
+	
 	return new Val(u, TYPE_COUNT);
 	%}
 
@@ -546,6 +556,17 @@ function to_addr%(ip: string%): addr
 	delete [] s;
 	return ret;
 	%}
+	
+function count_to_v4_addr%(ip: count%): addr
+	%{
+	if ( ip > 4294967295 )
+		{
+		builtin_run_time("conversion of non-IPv4 count to addr", @ARG@[0]);
+		return new AddrVal(uint32(0));
+		}
+	
+	return new AddrVal(htonl(uint32(ip)));
+	%}
 
 # Interprets the first 4 bytes of 'b' as an IPv4 address in network order.
 function raw_bytes_to_v4_addr%(b: string%): addr
@@ -1339,17 +1360,26 @@ function decode_netbios_name%(name: string%): string
 		}
 
 	for ( i = 0; i < 15; ++i )
-		if ( isalnum(buf[i]) || ispunct(buf[i]) )
+		{
+		if ( isalnum(buf[i]) || ispunct(buf[i]) ||
+		     // \x01\x02 is seen in at least one case as the first two bytes.
+		     // I think that any \x01 and \x02 should always be passed through.
+		     buf[i] < 3 )
 			result[i] = buf[i];
 		else
 			break;
-
-	// The last byte denotes the name type.
-	snprintf(result + i, sizeof(result) - i, "<%02x>", buf[15]);
+		}
 
 	return new StringVal(result);
 	%}
 
+function decode_netbios_name_type%(name: string%): count
+	%{
+	const u_char* s = name->Bytes();
+	char return_val = ((toupper(s[30]) - 'A') << 4) + (toupper(s[31]) - 'A');
+	return new Val(return_val, TYPE_COUNT);
+	%}
+
 %%{
 #include "HTTP.h"
 
@@ -1375,12 +1405,17 @@ function skip_http_entity_data%(c: connection, is_orig: bool%): any
 		{
 		Analyzer* ha = c->FindAnalyzer(id);
 
-		if ( ha->GetTag() == AnalyzerTag::HTTP )
-			static_cast<HTTP_Analyzer*>(ha)->SkipEntityData(is_orig);
+		if ( ha )
+			{
+			if ( ha->GetTag() == AnalyzerTag::HTTP )
+				static_cast<HTTP_Analyzer*>(ha)->SkipEntityData(is_orig);
+			else
+				run_time("non-HTTP analyzer associated with connection record");
+			}
 		else
-			run_time("non-HTTP analyzer associated with connection record");
-		}
+			run_time("could not find analyzer for skip_http_entity_data");
 
+		}
 	else
 		run_time("no analyzer associated with connection record");
 
@@ -1592,21 +1627,6 @@ function global_ids%(%): id_table
 	return ids;
 	%}
 
-%%{
-#include "TCP_Rewriter.h"
-
-// Trace rewriting functions.
-class PacketDumper;
-extern PacketDumper* transformed_pkt_dump;
-extern void commit_trace(Val* conn_val, int commit, int future);
-%%}
-
-# True if we're rewriting (anonymizing), false otherwise.
-function rewriting_trace%(%): bool
-	%{
-	return new Val(transformed_pkt_dump != 0, TYPE_BOOL);
-	%}
-
 %%{
 #include "Anon.h"
 %%}
@@ -1735,7 +1755,7 @@ function md5_hmac%(...%): string
 %%{
 static map<BroString, md5_state_s> md5_states;
 
-BroString* convert_md5_index_to_string(Val* index)
+BroString* convert_index_to_string(Val* index)
 	{
 	ODesc d;
 	index->Describe(&d);
@@ -1745,7 +1765,7 @@ BroString* convert_md5_index_to_string(Val* index)
 
 function md5_hash_init%(index: any%): bool
 	%{
-	BroString* s = convert_md5_index_to_string(index);
+	BroString* s = convert_index_to_string(index);
 	int status = 0;
 
 	if ( md5_states.count(*s) < 1 )
@@ -1762,7 +1782,7 @@ function md5_hash_init%(index: any%): bool
 
 function md5_hash_update%(index: any, data: string%): bool
 	%{
-	BroString* s = convert_md5_index_to_string(index);
+	BroString* s = convert_index_to_string(index);
 	int status = 0;
 
 	if ( md5_states.count(*s) > 0 )
@@ -1777,7 +1797,7 @@ function md5_hash_update%(index: any, data: string%): bool
 
 function md5_hash_finish%(index: any%): string
 	%{
-	BroString* s = convert_md5_index_to_string(index);
+	BroString* s = convert_index_to_string(index);
 	StringVal* printable_digest;
 
 	if ( md5_states.count(*s) > 0 )
@@ -1858,15 +1878,15 @@ function uuid_to_string%(uuid: string%): string
 	%}
 
 
-# The following functions are attempts to convert strings into
-# patterns at run-time. These attempts were later *abandoned* because
-# NFA and DFA cannot be cleanly deallocated.
+# The following functions convert strings into patterns at run-time. As the
+# computed NFAs and DFAs cannot be cleanly deallocated (at least for now),
+# they can only be used at initialization time.
 
 function merge_pattern%(p1: pattern, p2: pattern%): pattern
 	%{
-	if ( reading_live )
+	if ( bro_start_network_time != 0.0 )
 		{
-		builtin_run_time("should not call merge_pattern while reading live traffic");
+		builtin_run_time("merge_pattern can only be called at init time");
 		return 0;
 		}
 
@@ -1910,9 +1930,9 @@ function convert_for_pattern%(s: string%): string
 
 function string_to_pattern%(s: string, convert: bool%): pattern
 	%{
-	if ( reading_live )
+	if ( bro_start_network_time != 0.0 )
 		{
-		builtin_run_time("should not call merge_pattern while reading live traffic");
+		builtin_run_time("string_to_pattern can only be called at init time");
 		return 0;
 		}
 
@@ -1959,9 +1979,14 @@ function precompile_pcap_filter%(id: PcapFilterID, s: string%): bool
 # Install precompiled pcap filter.
 function install_pcap_filter%(id: PcapFilterID%): bool
 	%{
-	// Don't allow the script-level to change the filter when
-	// the user has specified one on the command line.
-	if ( user_pcap_filter )
+	ID* user_filter = global_scope()->Lookup("cmd_line_bpf_filter");
+
+	if ( ! user_filter )
+		internal_error("global cmd_line_bpf_filter not defined");
+
+	if ( user_filter->ID_Val()->AsStringVal()->Len() )
+		// Don't allow the script-level to change the filter when
+		// the user has specified one on the command line.
 		return new Val(0, TYPE_BOOL);
 
 	bool success = true;
@@ -2095,6 +2120,12 @@ function request_remote_sync%(p: event_peer, auth: bool%) : bool
 	return new Val(remote_serializer->RequestSync(id, auth), TYPE_BOOL);
 	%}
 
+function request_remote_logs%(p: event_peer%) : bool
+	%{
+	RemoteSerializer::PeerID id = p->AsRecordVal()->Lookup(0)->AsCount();
+	return new Val(remote_serializer->RequestLogs(id), TYPE_BOOL);
+	%}
+
 function set_accept_state%(p: event_peer, accept: bool%) : bool
 	%{
 	RemoteSerializer::PeerID id = p->AsRecordVal()->Lookup(0)->AsCount();
@@ -2364,7 +2395,7 @@ function any_set%(v: any%) : bool
 		}
 
 	VectorVal* vv = v->AsVectorVal();
-	for ( unsigned int i = VECTOR_MIN; i < vv->Size() + VECTOR_MIN; ++i )
+	for ( unsigned int i = 0; i < vv->Size(); ++i )
 		if ( vv->Lookup(i) && vv->Lookup(i)->AsBool() )
 			return new Val(true, TYPE_BOOL);
 
@@ -2382,7 +2413,7 @@ function all_set%(v: any%) : bool
 		}
 
 	VectorVal* vv = v->AsVectorVal();
-	for ( unsigned int i = VECTOR_MIN; i < vv->Size() + VECTOR_MIN; ++i )
+	for ( unsigned int i = 0; i < vv->Size(); ++i )
 		if ( ! vv->Lookup(i) || ! vv->Lookup(i)->AsBool() )
 			return new Val(false, TYPE_BOOL);
 
@@ -2565,8 +2596,8 @@ function order%(v: any, ...%) : index_vec
 	// adjusting indices as we do so.
 	for ( i = 0; i < n; ++i )
 		{
-		int ind = ind_vv[i] + VECTOR_MIN;
-		result_v->Assign(i + VECTOR_MIN, new Val(ind, TYPE_COUNT), 0);
+		int ind = ind_vv[i];
+		result_v->Assign(i, new Val(ind, TYPE_COUNT), 0);
 		}
 
 	return result_v;
@@ -2818,11 +2849,7 @@ private:
 # function result.  Therefore, they can only be called inside a when-condition.
 function lookup_addr%(host: addr%) : string
 	%{
-#ifndef HAVE_NB_DNS
-	run_time("lookup_addr(): not configured for asynchronous DNS lookups");
-	return new StringVal("<error>");
-#else
-	// FIXME: Is should be easy to adapt the function to synchronous
+	// FIXME: It should be easy to adapt the function to synchronous
 	// lookups if we're reading a trace.
 	Trigger* trigger = frame->GetTrigger();
 
@@ -2838,8 +2865,18 @@ function lookup_addr%(host: addr%) : string
 #ifdef BROv6
 	if ( ! is_v4_addr(host) )
 		{
-		builtin_run_time("lookup_addr() only supports IPv4 addresses");
-		return new StringVal("<ipv6-address>");
+		// FIXME: This is a temporary work-around until we get this
+		// fixed. We warn the user once, and always trigger a timeout.
+		// Ticket #355 records the problem.
+		static bool warned = false;
+		if ( ! warned )
+			{
+			warn("lookup_addr() only supports IPv4 addresses currently");
+			warned = true;
+			}
+
+		trigger->Timeout();
+		return 0;
 		}
 
 	dns_mgr->AsyncLookupAddr(to_v4_addr(host),
@@ -2849,15 +2886,10 @@ function lookup_addr%(host: addr%) : string
 			new LookupHostCallback(trigger, frame->GetCall(), true));
 #endif
 	return 0;
-#endif
 	%}
 
 function lookup_hostname%(host: string%) : addr_set
 	%{
-#ifndef HAVE_NB_DNS
-	run_time("lookup_hostname(): not configured for asynchronous DNS lookups");
-	return new StringVal("<error>");
-#else
 	// FIXME: Is should be easy to adapt the function to synchronous
 	// lookups if we're reading a trace.
 	Trigger* trigger = frame->GetTrigger();
@@ -2874,7 +2906,6 @@ function lookup_hostname%(host: string%) : addr_set
 	dns_mgr->AsyncLookupName(host->CheckString(),
 			new LookupHostCallback(trigger, frame->GetCall(), false));
 	return 0;
-#endif
 	%}
 
 # Stop Bro's packet processing.
@@ -3028,7 +3059,7 @@ function lookup_location%(a: addr%) : geo_location
 #ifdef GEOIP_COUNTRY_EDITION_V6
 	if ( geoip_v6 && ! is_v4_addr(a) )
 		gir = GeoIP_record_by_ipnum_v6(geoip_v6, geoipv6_t(a));
-	else 
+	else
 #endif
 	if ( geoip && is_v4_addr(a) )
 		{
@@ -3075,7 +3106,13 @@ function lookup_location%(a: addr%) : geo_location
 		}
 
 #else
-	builtin_run_time("Bro was not configured for GeoIP support");
+	static int missing_geoip_reported = 0;
+
+	if ( ! missing_geoip_reported )
+		{
+		builtin_run_time("Bro was not configured for GeoIP support");
+		missing_geoip_reported = 1;
+		}
 #endif
 
 	// We can get here even if we have GeoIP support if we weren't
@@ -3116,7 +3153,7 @@ function lookup_asn%(a: addr%) : count
 			gir = GeoIP_name_by_ipnum_v6(geoip_asn, geoipv6_t(a));
 		else
 #endif
-		if ( is_v4_addr(a) ) 
+		if ( is_v4_addr(a) )
 			{
 			uint32 addr = to_v4_addr(a);
 			gir = GeoIP_name_by_ipnum(geoip_asn, ntohl(addr));
@@ -3128,12 +3165,18 @@ function lookup_asn%(a: addr%) : count
 
 	if ( gir )
 		{
-		// Move the pointer +2 so we don't return 
+		// Move the pointer +2 so we don't return
 		// the first two characters: "AS".
 		return new Val(atoi(gir+2), TYPE_COUNT);
 		}
 #else
-	builtin_run_time("Bro was not configured for GeoIP ASN support");
+	static int missing_geoip_reported = 0;
+
+	if ( ! missing_geoip_reported )
+		{
+		builtin_run_time("Bro was not configured for GeoIP ASN support");
+		missing_geoip_reported = 1;
+		}
 #endif
 
 	// We can get here even if we have GeoIP support, if we weren't
@@ -3216,3 +3259,92 @@ function disable_event_group%(group: string%) : any
 	event_registry->EnableGroup(group->CheckString(), false);
 	return 0;
 	%}
+
+
+%%{
+#include <RandTest.h>
+static map<BroString, RandTest*> entropy_states;
+%%}
+
+function find_entropy%(data: string%): entropy_test_result
+	%{
+	double montepi, scc, ent, mean, chisq;
+	montepi = scc = ent = mean = chisq = 0.0;
+	RecordVal* ent_result = new RecordVal(entropy_test_result);
+	RandTest *rt = new RandTest();
+
+	rt->add((char*) data->Bytes(), data->Len());
+	rt->end(&ent, &chisq, &mean, &montepi, &scc);
+	delete rt;
+
+	ent_result->Assign(0, new Val(ent,     TYPE_DOUBLE));
+	ent_result->Assign(1, new Val(chisq,   TYPE_DOUBLE));
+	ent_result->Assign(2, new Val(mean,    TYPE_DOUBLE));
+	ent_result->Assign(3, new Val(montepi, TYPE_DOUBLE));
+	ent_result->Assign(4, new Val(scc,     TYPE_DOUBLE));
+	return ent_result;
+	%}
+
+function entropy_test_init%(index: any%): bool
+	%{
+	BroString* s = convert_index_to_string(index);
+	int status = 0;
+
+	if ( entropy_states.count(*s) < 1 )
+		{
+		entropy_states[*s] = new RandTest();
+		status = 1;
+		}
+
+	delete s;
+	return new Val(status, TYPE_BOOL);
+	%}
+
+function entropy_test_add%(index: any, data: string%): bool
+	%{
+	BroString* s = convert_index_to_string(index);
+	int status = 0;
+
+	if ( entropy_states.count(*s) > 0 )
+		{
+		entropy_states[*s]->add((char*) data->Bytes(), data->Len());
+		status = 1;
+		}
+
+	delete s;
+	return new Val(status, TYPE_BOOL);
+	%}
+
+function entropy_test_finish%(index: any%): entropy_test_result
+	%{
+	BroString* s = convert_index_to_string(index);
+	double montepi, scc, ent, mean, chisq;
+	montepi = scc = ent = mean = chisq = 0.0;
+	RecordVal* ent_result = new RecordVal(entropy_test_result);
+
+	if ( entropy_states.count(*s) > 0 )
+		{
+		RandTest *rt = entropy_states[*s];
+		rt->end(&ent, &chisq, &mean, &montepi, &scc);
+		entropy_states.erase(*s);
+		delete rt;
+		}
+
+	ent_result->Assign(0, new Val(ent,     TYPE_DOUBLE));
+	ent_result->Assign(1, new Val(chisq,   TYPE_DOUBLE));
+	ent_result->Assign(2, new Val(mean,    TYPE_DOUBLE));
+	ent_result->Assign(3, new Val(montepi, TYPE_DOUBLE));
+	ent_result->Assign(4, new Val(scc,     TYPE_DOUBLE));
+
+	delete s;
+	return ent_result;
+	%}
+
+function bro_has_ipv6%(%) : bool
+    %{
+#ifdef BROv6
+	return new Val(1, TYPE_BOOL);
+#else
+	return new Val(0, TYPE_BOOL);
+#endif
+    %}
diff --git a/src/builtin-func.l b/src/builtin-func.l
index ca7923b852..9e69adc69d 100644
--- a/src/builtin-func.l
+++ b/src/builtin-func.l
@@ -2,6 +2,7 @@
 // $Id: builtin-func.l 6015 2008-07-23 05:42:37Z vern $
 
 #include <string.h>
+#include <unistd.h>
 #include "bif_arg.h"
 #include "bif_parse.h"
 
@@ -27,8 +28,15 @@ int check_c_mode(int t)
 %}
 
 WS	[ \t]+
-ID	[A-Za-z_][A-Za-z_0-9]*
+ /* Note, bifcl only accepts a single "::" in IDs while the policy
+    layer acceptes multiple. (But the policy layer doesn't have 
+	a hierachy. */
+IDCOMPONENT [A-Za-z_][A-Za-z_0-9]*
+ID	{IDCOMPONENT}(::{IDCOMPONENT})?
 ESCSEQ	(\\([^\n]|[0-7]+|x[[:xdigit:]]+))
+DEC [[:digit:]]+
+HEX	[0-9a-fA-F]+
+
 
 %option nodefault
 
@@ -60,24 +68,34 @@ ESCSEQ	(\\([^\n]|[0-7]+|x[[:xdigit:]]+))
 "%)"		return check_c_mode(TOK_RPP);
 "..."		return check_c_mode(TOK_VAR_ARG);
 "function"	return check_c_mode(TOK_FUNCTION);
-"rewriter"	return check_c_mode(TOK_REWRITER);
 "event"		return check_c_mode(TOK_EVENT);
 "const"		return check_c_mode(TOK_CONST);
 "enum"		return check_c_mode(TOK_ENUM);
-"declare"	return check_c_mode(TOK_DECLARE);
+"type"		return check_c_mode(TOK_TYPE);
+"record"	return check_c_mode(TOK_RECORD);
+"set"		return check_c_mode(TOK_SET);
+"table"		return check_c_mode(TOK_TABLE);
+"vector"	return check_c_mode(TOK_VECTOR);
+"module"    return check_c_mode(TOK_MODULE);
 
 "@ARG@"		return TOK_ARG;
 "@ARGS@"	return TOK_ARGS;
 "@ARGC@"	return TOK_ARGC;
 
-"@WRITE@"	return TOK_WRITE;
-"@PUSH@"	return TOK_PUSH;
-"@EOF@"		return TOK_EOF;
-"@TRACE@"	return TOK_TRACE;
-
 "T"	yylval.val = 1; return TOK_BOOL;
 "F"	yylval.val = 0; return TOK_BOOL;
 
+{DEC}	{
+	yylval.str = copy_string(yytext);
+	return TOK_INT;
+	}
+
+"0x"{HEX} {
+	yylval.str = copy_string(yytext);
+	return TOK_INT;
+	}
+
+
 {ID}	{
 	yylval.str = copy_string(yytext);
 	return TOK_ID;
@@ -120,13 +138,20 @@ int yywrap()
 extern int yyparse();
 char* input_filename = 0;
 
-FILE* fp_bro_init;
-FILE* fp_func_def;
-FILE* fp_func_h;
-FILE* fp_func_init;
-FILE* fp_netvar_h;
-FILE* fp_netvar_def;
-FILE* fp_netvar_init;
+FILE* fp_bro_init = 0;
+FILE* fp_func_def = 0;
+FILE* fp_func_h = 0;
+FILE* fp_func_init = 0;
+FILE* fp_netvar_h = 0;
+FILE* fp_netvar_def = 0;
+FILE* fp_netvar_init = 0;
+
+void remove_file(const char *surfix);
+void err_exit(void);
+FILE* open_output_file(const char* surfix);
+void close_if_open(FILE **fpp);
+void close_all_output_files(void);
+
 
 FILE* open_output_file(const char* surfix)
 	{
@@ -137,12 +162,13 @@ FILE* open_output_file(const char* surfix)
 	if ( (fp = fopen(fn, "w")) == NULL )
 		{
 		fprintf(stderr, "Error: cannot open file: %s\n", fn);
-		exit(1);
+		err_exit();
 		}
 
 	return fp;
 	}
 
+
 int main(int argc, char* argv[])
 	{
 	for ( int i = 1; i < argc; i++ )
@@ -156,6 +182,7 @@ int main(int argc, char* argv[])
 		if ( (fp_input = fopen(input_filename, "r")) == NULL )
 			{
 			fprintf(stderr, "Error: cannot open file: %s\n", input_filename);
+			/* no output files open. can simply exit */
 			exit(1);
 			}
 
@@ -174,12 +201,48 @@ int main(int argc, char* argv[])
 		yyparse();
 
 		fclose(fp_input);
-		fclose(fp_bro_init);
-		fclose(fp_func_h);
-		fclose(fp_func_def);
-		fclose(fp_func_init);
-		fclose(fp_netvar_h);
-		fclose(fp_netvar_def);
-		fclose(fp_netvar_init);
+		close_all_output_files();
+
 		}
 	}
+
+void close_if_open(FILE **fpp)
+	{
+	if (*fpp)
+		fclose(*fpp);
+	*fpp = NULL;
+	}
+
+void close_all_output_files(void)
+	{
+	close_if_open(&fp_bro_init);
+	close_if_open(&fp_func_h);
+	close_if_open(&fp_func_def);
+	close_if_open(&fp_func_init);
+	close_if_open(&fp_netvar_h);
+	close_if_open(&fp_netvar_def);
+	close_if_open(&fp_netvar_init);
+	}
+
+void remove_file(const char *surfix)
+	{
+	char fn[1024];
+
+	snprintf(fn, sizeof(fn), "%s.%s", input_filename, surfix);
+	unlink(fn);
+	}
+
+void err_exit(void) 
+	{
+	close_all_output_files();
+	/* clean up. remove all output files we've generated so far */
+	remove_file("bro");
+	remove_file("func_h");
+	remove_file("func_def");
+	remove_file("func_init");
+	remove_file("netvar_h");
+	remove_file("netvar_def");
+	remove_file("netvar_init");
+	exit(1);
+	}
+
diff --git a/src/builtin-func.y b/src/builtin-func.y
index 268288bc39..4f97135ab5 100644
--- a/src/builtin-func.y
+++ b/src/builtin-func.y
@@ -9,6 +9,10 @@ using namespace std;
 #include <stdio.h>
 #include <stdlib.h>
 
+#include "module_util.h"
+
+using namespace std;
+
 extern int line_number;
 extern char* input_filename;
 
@@ -23,53 +27,153 @@ extern FILE* fp_netvar_def;
 extern FILE* fp_netvar_init;
 
 int in_c_code = 0;
+string current_module = GLOBAL_MODULE_NAME;
 int definition_type;
-const char* bro_prefix;
-const char* c_prefix;
+string type_name;
+
 
 enum {
 	C_SEGMENT_DEF,
 	FUNC_DEF,
-	REWRITER_DEF,
 	EVENT_DEF,
+	TYPE_DEF,
+	CONST_DEF,
 };
 
-void set_definition_type(int type)
+// Holds the name of a declared object (function, enum, record type, event,
+// etc. and information about namespaces, etc.
+struct decl_struct {
+	string module_name;
+	string bare_name; // name without module or namespace
+	string c_namespace_start; // "opening" namespace for use in netvar_*
+	string c_namespace_end;   // closing "}" for all the above namespaces
+	string c_fullname; // fully qualified name (namespace::....) for use in netvar_init
+	string bro_fullname; // fully qualified bro name, for netvar (and lookup_ID())
+	string bro_name;  // the name as we read it from input. What we write into the .bro file
+
+	// special cases for events. Events have an EventHandlerPtr
+	// and a generate_* function. This name is for the generate_* function
+	string generate_bare_name;
+	string generate_c_fullname;
+	string generate_c_namespace_start;
+	string generate_c_namespace_end;
+} decl;
+
+void set_definition_type(int type, const char *arg_type_name)
 	{
 	definition_type = type;
-	switch ( type ) {
-	case FUNC_DEF:
-		bro_prefix = "";
-		c_prefix = "bro_";
+	if ( type == TYPE_DEF && arg_type_name )
+		type_name = string(arg_type_name);
+	else
+		type_name = "";
+	}
+
+void set_decl_name(const char *name)
+	{
+	decl.bare_name = extract_var_name(name);
+
+	// make_full_var_name prepends the correct module, if any
+	// then we can extract the module name again.
+	string varname = make_full_var_name(current_module.c_str(), name);
+	decl.module_name = extract_module_name(varname.c_str());
+
+	decl.c_namespace_start = "";
+	decl.c_namespace_end = "";
+	decl.c_fullname = "";
+	decl.bro_fullname = "";
+	decl.bro_name = "";
+
+	decl.generate_c_fullname = "";
+	decl.generate_bare_name = string("generate_") + decl.bare_name;
+	decl.generate_c_namespace_start = "";
+	decl.generate_c_namespace_end = "";
+
+	switch ( definition_type ) {
+	case TYPE_DEF:
+		decl.c_namespace_start = "namespace BifType { namespace " + type_name + "{ ";
+		decl.c_namespace_end = " } }";
+		decl.c_fullname = "BifType::" + type_name + "::";
 		break;
 
-	case REWRITER_DEF:
-		bro_prefix = "rewrite_";
-		c_prefix = "bro_rewrite_";
+	case CONST_DEF:
+		decl.c_namespace_start = "namespace BifConst { ";
+		decl.c_namespace_end = " } ";
+		decl.c_fullname = "BifConst::";
+		break;
+
+	case FUNC_DEF:
+		decl.c_namespace_start = "namespace BifFunc { ";
+		decl.c_namespace_end = " } ";
+		decl.c_fullname = "BifFunc::";
 		break;
 
 	case EVENT_DEF:
-		bro_prefix = "";
-		c_prefix = "bro_event_";
+		decl.c_namespace_start = "";
+		decl.c_namespace_end = "";
+		decl.c_fullname = "::";  // need this for namespace qualified events due do event_c_body
+		decl.generate_c_namespace_start = "namespace BifEvent { ";
+		decl.generate_c_namespace_end = " } ";
+		decl.generate_c_fullname = "BifEvent::";
 		break;
 
-	case C_SEGMENT_DEF:
+	default:
 		break;
 	}
+
+	if ( decl.module_name != GLOBAL_MODULE_NAME )
+		{
+		decl.c_namespace_start += "namespace " + decl.module_name + " { ";
+		decl.c_namespace_end += string(" }");
+		decl.c_fullname += decl.module_name + "::";
+		decl.bro_fullname += decl.module_name + "::";
+
+		decl.generate_c_namespace_start  += "namespace " + decl.module_name + " { ";
+		decl.generate_c_namespace_end += " } ";
+		decl.generate_c_fullname += decl.module_name + "::";
+		}
+
+	decl.bro_fullname += decl.bare_name;
+	if ( definition_type == FUNC_DEF )
+		decl.bare_name = string("bro_") + decl.bare_name;
+
+	decl.c_fullname += decl.bare_name;
+	decl.bro_name += name;
+	decl.generate_c_fullname += decl.generate_bare_name;
+
 	}
 
 const char* arg_list_name = "BiF_ARGS";
-const char* trace_rewriter_name = "trace_rewriter";
 
 #include "bif_arg.h"
 
-extern const char* decl_name;
+/* Map bif/bro type names to C types for use in const declaration */
+static struct {
+	const char* bif_type;
+	const char* bro_type;
+	const char* c_type;
+	const char* accessor;
+	const char* constructor;
+} builtin_types[] = {
+#define DEFINE_BIF_TYPE(id, bif_type, bro_type, c_type, accessor, constructor) \
+	{bif_type, bro_type, c_type, accessor, constructor},
+#include "bif_type.def"
+#undef DEFINE_BIF_TYPE
+};
+
+int get_type_index(const char *type_name)
+	{
+	for ( int i = 0; builtin_types[i].bif_type[0] != '\0'; ++i )
+		{
+		if ( strcmp(builtin_types[i].bif_type, type_name) == 0 )
+			return i;
+		}
+		return TYPE_OTHER;
+	}
+
+
 int var_arg; // whether the number of arguments is variable
 std::vector<BuiltinFuncArg*> args;
 
-// enum types declared by "declare enum <id>"
-set<string> enum_types;
-
 extern int yyerror(const char[]);
 extern int yywarn(const char msg[]);
 extern int yylex();
@@ -90,9 +194,15 @@ char* concat(const char* str1, const char* str2)
 	}
 
 // Print the bro_event_* function prototype in C++, without the ending ';'
-void print_event_c_prototype(FILE *fp)
+void print_event_c_prototype(FILE *fp, bool is_header)
 	{
-	fprintf(fp, "void %s%s(Analyzer* analyzer%s", c_prefix, decl_name,
+	if ( is_header )
+		fprintf(fp, "%s void %s(Analyzer* analyzer%s",
+			decl.generate_c_namespace_start.c_str(), decl.generate_bare_name.c_str(),
+			args.size() ? ", " : "" );
+	else
+		fprintf(fp, "void %s(Analyzer* analyzer%s",
+			decl.generate_c_fullname.c_str(),
 			args.size() ? ", " : "" );
 	for ( int i = 0; i < (int) args.size(); ++i )
 		{
@@ -101,6 +211,10 @@ void print_event_c_prototype(FILE *fp)
 		args[i]->PrintCArg(fp, i);
 		}
 	fprintf(fp, ")");
+	if ( is_header )
+		fprintf(fp, "; %s\n", decl.generate_c_namespace_end.c_str());
+	else
+		fprintf(fp, "\n");
 	}
 
 // Print the bro_event_* function body in C++.
@@ -109,9 +223,9 @@ void print_event_c_body(FILE *fp)
 	fprintf(fp, "\t{\n");
 	fprintf(fp, "\t// Note that it is intentional that here we do not\n");
 	fprintf(fp, "\t// check if %s is NULL, which should happen *before*\n",
-		decl_name);
-	fprintf(fp, "\t// bro_event_%s is called to avoid unnecessary Val\n",
-		decl_name);
+		decl.c_fullname.c_str());
+	fprintf(fp, "\t// %s is called to avoid unnecessary Val\n",
+		decl.generate_c_fullname.c_str());
 	fprintf(fp, "\t// allocation.\n");
 	fprintf(fp, "\n");
 
@@ -141,7 +255,7 @@ void print_event_c_body(FILE *fp)
 
 	fprintf(fp, "\n");
 	fprintf(fp, "\tmgr.QueueEvent(%s, vl, SOURCE_LOCAL, analyzer->GetID(), timer_mgr",
-		decl_name);
+		decl.c_fullname.c_str());
 
 	if ( connection_arg )
 		// Pass the connection to the EventMgr as the "cookie"
@@ -149,20 +263,21 @@ void print_event_c_body(FILE *fp)
 
 	fprintf(fp, ");\n");
 	fprintf(fp, "\t} // event generation\n");
+	//fprintf(fp, "%s // end namespace\n", decl.generate_c_namespace_end.c_str());
 	}
 %}
 
 %token TOK_LPP TOK_RPP TOK_LPB TOK_RPB TOK_LPPB TOK_RPPB TOK_VAR_ARG
 %token TOK_BOOL
-%token TOK_FUNCTION TOK_REWRITER TOK_EVENT TOK_CONST TOK_ENUM TOK_DECLARE
-%token TOK_WRITE TOK_PUSH TOK_EOF TOK_TRACE
+%token TOK_FUNCTION TOK_EVENT TOK_CONST TOK_ENUM
+%token TOK_TYPE TOK_RECORD TOK_SET TOK_VECTOR TOK_TABLE TOK_MODULE
 %token TOK_ARGS TOK_ARG TOK_ARGC
 %token TOK_ID TOK_ATTR TOK_CSTR TOK_LF TOK_WS TOK_COMMENT
-%token TOK_ATOM TOK_C_TOKEN
+%token TOK_ATOM TOK_INT TOK_C_TOKEN
 
 %left ',' ':'
 
-%type <str> TOK_C_TOKEN TOK_ID TOK_CSTR TOK_WS TOK_COMMENT TOK_ATTR opt_ws
+%type <str> TOK_C_TOKEN TOK_ID TOK_CSTR TOK_WS TOK_COMMENT TOK_ATTR TOK_INT opt_ws
 %type <val> TOK_ATOM TOK_BOOL
 
 %union	{
@@ -172,8 +287,21 @@ void print_event_c_body(FILE *fp)
 
 %%
 
+builtin_lang:	definitions
+			{
+			fprintf(fp_bro_init, "} # end of export section\n");
+			fprintf(fp_bro_init, "module %s;\n", GLOBAL_MODULE_NAME);
+			}
+
+
+
 definitions:	definitions definition opt_ws
-			{ fprintf(fp_func_def, "%s", $3); }
+			{
+			if ( in_c_code )
+				fprintf(fp_func_def, "%s", $3);
+			else
+				fprintf(fp_bro_init, "%s", $3);
+			}
 	|	opt_ws
 			{
 			int n = 1024 + strlen(input_filename);
@@ -191,63 +319,104 @@ definitions:	definitions definition opt_ws
 			fprintf(fp_netvar_h, "// %s\n\n", auto_gen_comment);
 			fprintf(fp_netvar_init, "// %s\n\n", auto_gen_comment);
 
-			fprintf(fp_func_def, "%s", $1);
+			fprintf(fp_bro_init, "%s", $1);
+			fprintf(fp_bro_init, "export {\n");
 			}
 	;
 
 definition:	event_def
 	|	func_def
-	|	rewriter_def
 	|	c_code_segment
 	|	enum_def
 	|	const_def
-	|	declare_def
+	|	type_def
+	|   module_def
 	;
 
-declare_def:	TOK_DECLARE opt_ws TOK_ENUM opt_ws TOK_ID opt_ws ';'
+
+module_def:	TOK_MODULE opt_ws TOK_ID opt_ws ';'
 			{
-			enum_types.insert($5);
+			current_module = string($3);
+			fprintf(fp_bro_init, "module %s;\n", $3);
 			}
+
+	 // XXX: Add the netvar glue so that the event engine knows about
+	 // the type. One still has to define the type in bro.init.
+	 // Would be nice, if we could just define the record type here
+	 // and then copy to the .bif.bro file, but type declarations in
+	 // Bro can be quite powerful. Don't know whether it's worth it
+	 // extend the bif-language to be able to handle that all....
+	 // Or we just support a simple form of record type definitions
+	 // TODO: add other types (tables, sets)
+type_def:	TOK_TYPE opt_ws TOK_ID opt_ws ':' opt_ws type_def_types opt_ws ';'
+			{
+			set_decl_name($3);
+
+			fprintf(fp_netvar_h, "%s extern %sType * %s; %s\n",
+				decl.c_namespace_start.c_str(), type_name.c_str(),
+				decl.bare_name.c_str(), decl.c_namespace_end.c_str());
+			fprintf(fp_netvar_def, "%s %sType * %s; %s\n",
+				decl.c_namespace_start.c_str(), type_name.c_str(),
+				decl.bare_name.c_str(), decl.c_namespace_end.c_str());
+			fprintf(fp_netvar_init,
+				"\t%s = internal_type(\"%s\")->As%sType();\n",
+				decl.c_fullname.c_str(), decl.bro_fullname.c_str(),
+				type_name.c_str());
+			}
+	;
+
+type_def_types: TOK_RECORD
+			{ set_definition_type(TYPE_DEF, "Record"); }
+	| TOK_SET
+			{ set_definition_type(TYPE_DEF, "Set"); }
+	| TOK_VECTOR
+			{ set_definition_type(TYPE_DEF, "Vector"); }
+	| TOK_TABLE
+			{ set_definition_type(TYPE_DEF, "Table"); }
 	;
 
 event_def:	event_prefix opt_ws plain_head opt_attr end_of_head ';'
 			{
-			print_event_c_prototype(fp_func_h);
-			fprintf(fp_func_h, ";\n");
-			print_event_c_prototype(fp_func_def);
-			fprintf(fp_func_def, "\n");
+			print_event_c_prototype(fp_func_h, true);
+			print_event_c_prototype(fp_func_def, false);
 			print_event_c_body(fp_func_def);
 			}
-	;
 
 func_def:	func_prefix opt_ws typed_head end_of_head body
 	;
 
-rewriter_def:	rewriter_prefix opt_ws plain_head end_of_head body
-	;
-
 enum_def:	enum_def_1 enum_list TOK_RPB
 			{
 			// First, put an end to the enum type decl.
 			fprintf(fp_bro_init, "};\n");
-			fprintf(fp_netvar_h, "}; }\n");
+			if ( decl.module_name != GLOBAL_MODULE_NAME )
+				fprintf(fp_netvar_h, "}; } }\n");
+			else
+				fprintf(fp_netvar_h, "}; }\n");
 
 			// Now generate the netvar's.
-			fprintf(fp_netvar_h,
-				"extern EnumType* enum_%s;\n", decl_name);
-			fprintf(fp_netvar_def,
-				"EnumType* enum_%s;\n", decl_name);
+			fprintf(fp_netvar_h, "%s extern EnumType * %s; %s\n",
+				decl.c_namespace_start.c_str(), decl.bare_name.c_str(), decl.c_namespace_end.c_str());
+			fprintf(fp_netvar_def, "%s EnumType * %s; %s\n",
+				decl.c_namespace_start.c_str(), decl.bare_name.c_str(), decl.c_namespace_end.c_str());
 			fprintf(fp_netvar_init,
-				"\tenum_%s = internal_type(\"%s\")->AsEnumType();\n",
-				decl_name, decl_name);
+				"\t%s = internal_type(\"%s\")->AsEnumType();\n",
+				decl.c_fullname.c_str(), decl.bro_fullname.c_str());
 			}
 	;
 
 enum_def_1:	TOK_ENUM opt_ws TOK_ID opt_ws TOK_LPB opt_ws
 			{
-			decl_name = $3;
-			fprintf(fp_bro_init, "type %s: enum %s{%s", $3, $4, $6);
-			fprintf(fp_netvar_h, "namespace BroEnum { ");
+			set_definition_type(TYPE_DEF, "Enum");
+			set_decl_name($3);
+			fprintf(fp_bro_init, "type %s: enum %s{%s", decl.bro_name.c_str(), $4, $6);
+
+			// this is the namespace were the enumerators are defined, not where
+			// the type is defined.
+			// We don't support fully qualified names as enumerators. Use a module name
+			fprintf(fp_netvar_h, "namespace BifEnum { ");
+			if ( decl.module_name != GLOBAL_MODULE_NAME )
+				fprintf(fp_netvar_h, "namespace %s { ", decl.module_name.c_str());
 			fprintf(fp_netvar_h, "enum %s {\n", $3);
 			}
 	;
@@ -257,33 +426,41 @@ enum_list:	enum_list TOK_ID opt_ws ',' opt_ws
 			fprintf(fp_bro_init, "%s%s,%s", $2, $3, $5);
 			fprintf(fp_netvar_h, "\t%s,\n", $2);
 			}
+	| 		enum_list TOK_ID opt_ws '=' opt_ws TOK_INT opt_ws ',' opt_ws
+			{
+			fprintf(fp_bro_init, "%s = %s%s,%s", $2, $6, $7, $9);
+			fprintf(fp_netvar_h, "\t%s = %s,\n", $2, $6);
+			}
 	|	/* nothing */
 	;
 
-const_def:	const_def_1 const_init opt_attr ';'
-			{
-			fprintf(fp_bro_init, ";\n");
-			fprintf(fp_netvar_h, "extern int %s;\n", decl_name);
-			fprintf(fp_netvar_def, "int %s;\n", decl_name);
-			fprintf(fp_netvar_init, "\t%s = internal_val(\"%s\")->AsBool();\n",
-				decl_name, decl_name);
-			}
-	;
 
-const_def_1:	TOK_CONST opt_ws TOK_ID opt_ws
+const_def:	TOK_CONST opt_ws TOK_ID opt_ws ':' opt_ws TOK_ID opt_ws ';'
 			{
-			decl_name = $3;
-			fprintf(fp_bro_init, "const%s", $2);
-			fprintf(fp_bro_init, "%s: bool%s", $3, $4);
-			}
-	;
+			set_definition_type(CONST_DEF, 0);
+			set_decl_name($3);
+			int typeidx = get_type_index($7);
+			char accessor[1024];
+
+			snprintf(accessor, sizeof(accessor), builtin_types[typeidx].accessor, "");
+
+
+			fprintf(fp_netvar_h, "%s extern %s %s; %s\n",
+					decl.c_namespace_start.c_str(),
+					builtin_types[typeidx].c_type, decl.bare_name.c_str(),
+					decl.c_namespace_end.c_str());
+			fprintf(fp_netvar_def, "%s %s %s; %s\n",
+					decl.c_namespace_start.c_str(),
+					builtin_types[typeidx].c_type, decl.bare_name.c_str(),
+					decl.c_namespace_end.c_str());
+			fprintf(fp_netvar_init, "\t%s = internal_const_val(\"%s\")%s;\n",
+				decl.c_fullname.c_str(), decl.bro_fullname.c_str(),
+				accessor);
+			}
 
-opt_const_init:	/* nothing */
-	|	const_init
-	;
 
 /* Currently support only boolean and string values */
-const_init:	'=' opt_ws TOK_BOOL opt_ws
+opt_attr_init:	'=' opt_ws TOK_BOOL opt_ws
 			{
 			fprintf(fp_bro_init, "=%s%c%s", $2, ($3) ? 'T' : 'F', $4);
 			}
@@ -293,19 +470,15 @@ const_init:	'=' opt_ws TOK_BOOL opt_ws
 
 opt_attr:	/* nothing */
 	|	opt_attr TOK_ATTR { fprintf(fp_bro_init, "%s", $2); }
-		opt_ws opt_const_init
+		opt_ws opt_attr_init
 	;
 
 func_prefix:	TOK_FUNCTION
-			{ set_definition_type(FUNC_DEF); }
-	;
-
-rewriter_prefix: TOK_REWRITER
-			{ set_definition_type(REWRITER_DEF); }
+			{ set_definition_type(FUNC_DEF, 0); }
 	;
 
 event_prefix:	TOK_EVENT
-			{ set_definition_type(EVENT_DEF); }
+			{ set_definition_type(EVENT_DEF, 0); }
 	;
 
 end_of_head:	/* nothing */
@@ -325,12 +498,9 @@ plain_head:	head_1 args arg_end opt_ws
 				fprintf(fp_bro_init, "va_args: any");
 			else
 				{
-				if ( definition_type == REWRITER_DEF )
-					fprintf(fp_bro_init, "c: connection");
-
 				for ( int i = 0; i < (int) args.size(); ++i )
 					{
-					if ( i > 0 || definition_type == REWRITER_DEF )
+					if ( i > 0 )
 						fprintf(fp_bro_init, ", ");
 					args[i]->PrintBro(fp_bro_init);
 					}
@@ -346,9 +516,9 @@ plain_head:	head_1 args arg_end opt_ws
 head_1:		TOK_ID opt_ws arg_begin
 			{
 			const char* method_type = 0;
-			decl_name = $1;
+			set_decl_name($1);
 
-			if ( definition_type == FUNC_DEF || definition_type == REWRITER_DEF )
+			if ( definition_type == FUNC_DEF )
 				{
 				method_type = "function";
 				print_line_directive(fp_func_def);
@@ -358,40 +528,37 @@ head_1:		TOK_ID opt_ws arg_begin
 
 			if ( method_type )
 				fprintf(fp_bro_init,
-					"global %s%s: %s%s(",
-					bro_prefix, decl_name, method_type, $2);
+					"global %s: %s%s(",
+					decl.bro_name.c_str(), method_type, $2);
 
-			if ( definition_type == FUNC_DEF || definition_type == REWRITER_DEF )
+			if ( definition_type == FUNC_DEF )
 				{
 				fprintf(fp_func_init,
-					"\textern Val* %s%s(Frame* frame, val_list*);\n",
-					c_prefix, decl_name);
-
-				fprintf(fp_func_init,
-					"\t(void) new BuiltinFunc(%s%s, \"%s%s\", 0);\n",
-					c_prefix, decl_name, bro_prefix, decl_name);
+					"\t(void) new BuiltinFunc(%s, \"%s\", 0);\n",
+					decl.c_fullname.c_str(), decl.bro_fullname.c_str());
 
 				fprintf(fp_func_h,
-					"extern Val* %s%s(Frame* frame, val_list*);\n",
-					c_prefix, decl_name);
+					"%sextern Val* %s(Frame* frame, val_list*);%s\n",
+					decl.c_namespace_start.c_str(), decl.bare_name.c_str(), decl.c_namespace_end.c_str());
 
 				fprintf(fp_func_def,
-					"Val* %s%s(Frame* frame, val_list* %s)",
-					c_prefix, decl_name, arg_list_name);
+					"Val* %s(Frame* frame, val_list* %s)",
+					decl.c_fullname.c_str(), arg_list_name);
 				}
 			else if ( definition_type == EVENT_DEF )
 				{
+				// TODO: add namespace for events here
 				fprintf(fp_netvar_h,
-					"extern EventHandlerPtr %s;\n",
-					decl_name);
+					"%sextern EventHandlerPtr %s; %s\n",
+					decl.c_namespace_start.c_str(), decl.bare_name.c_str(), decl.c_namespace_end.c_str());
 
 				fprintf(fp_netvar_def,
-					"EventHandlerPtr %s;\n",
-					decl_name);
+					"%sEventHandlerPtr %s; %s\n",
+					decl.c_namespace_start.c_str(), decl.bare_name.c_str(), decl.c_namespace_end.c_str());
 
 				fprintf(fp_netvar_init,
 					"\t%s = internal_handler(\"%s\");\n",
-					decl_name, decl_name);
+					decl.c_fullname.c_str(), decl.bro_fullname.c_str());
 
 				// C++ prototypes of bro_event_* functions will
 				// be generated later.
@@ -437,7 +604,7 @@ return_type:	':' opt_ws TOK_ID opt_ws
 
 body:		body_start c_body body_end
 			{
-			fprintf(fp_func_def, " // end of %s\n", decl_name);
+			fprintf(fp_func_def, " // end of %s\n", decl.c_fullname.c_str());
 			print_line_directive(fp_func_def);
 			}
 	;
@@ -459,11 +626,6 @@ body_start:	TOK_LPB c_code_begin
 			int argc = args.size();
 
 			fprintf(fp_func_def, "{");
-			if ( definition_type == REWRITER_DEF )
-				{
-				implicit_arg = 1;
-				++argc;
-				}
 
 			if ( argc > 0 || ! var_arg )
 				fprintf(fp_func_def, "\n");
@@ -474,7 +636,7 @@ body_start:	TOK_LPB c_code_begin
 				fprintf(fp_func_def, "\t\t{\n");
 				fprintf(fp_func_def,
 					"\t\trun_time(\"%s() takes exactly %d argument(s)\");\n",
-					decl_name, argc);
+					decl.bro_fullname.c_str(), argc);
 				fprintf(fp_func_def, "\t\treturn 0;\n");
 				fprintf(fp_func_def, "\t\t}\n");
 				}
@@ -484,20 +646,11 @@ body_start:	TOK_LPB c_code_begin
 				fprintf(fp_func_def, "\t\t{\n");
 				fprintf(fp_func_def,
 					"\t\trun_time(\"%s() takes at least %d argument(s)\");\n",
-					decl_name, argc);
+					decl.bro_fullname.c_str(), argc);
 				fprintf(fp_func_def, "\t\treturn 0;\n");
 				fprintf(fp_func_def, "\t\t}\n");
 				}
 
-			if ( definition_type == REWRITER_DEF )
-				{
-				fprintf(fp_func_def,
-					"\tRewriter* %s = get_trace_rewriter((*%s)[0]);\n",
-					trace_rewriter_name,
-					arg_list_name);
-				fprintf(fp_func_def, "\tif ( ! trace_rewriter )\n");
-				fprintf(fp_func_def, "\t\treturn 0;\n");
-				}
 			for ( int i = 0; i < (int) args.size(); ++i )
 				args[i]->PrintCDef(fp_func_def, i + implicit_arg);
 			print_line_directive(fp_func_def);
@@ -506,8 +659,6 @@ body_start:	TOK_LPB c_code_begin
 
 body_end:	TOK_RPB c_code_end
 			{
-			if ( definition_type == REWRITER_DEF )
-				fprintf(fp_func_def, "\n\treturn 0;\n");
 			fprintf(fp_func_def, "}");
 			}
 	;
@@ -531,18 +682,13 @@ c_atom:		TOK_ID
 			{ fprintf(fp_func_def, "%s", arg_list_name); }
 	|	TOK_ARGC
 			{ fprintf(fp_func_def, "%s->length()", arg_list_name); }
-	|	TOK_TRACE
-			{ fprintf(fp_func_def, "%s", trace_rewriter_name); }
-	|	TOK_WRITE
-			{ fprintf(fp_func_def, "%s->WriteData", trace_rewriter_name); }
-	|	TOK_PUSH
-			{ fprintf(fp_func_def, "%s->Push", trace_rewriter_name); }
-	|	TOK_EOF
-			{ fprintf(fp_func_def, "%s->EndOfData", trace_rewriter_name); }
 	|	TOK_CSTR
 			{ fprintf(fp_func_def, "%s", $1); }
 	|	TOK_ATOM
 			{ fprintf(fp_func_def, "%c", $1); }
+	|	TOK_INT
+			{ fprintf(fp_func_def, "%s", $1); }
+
 	;
 
 opt_ws:		opt_ws TOK_WS
@@ -554,7 +700,12 @@ opt_ws:		opt_ws TOK_WS
 			if ( in_c_code )
 				$$ = concat($1, $2);
 			else
-				$$ = $1;
+				if ( $2[1] == '#' )
+					// This is a special type of comment that is used to
+					// generate bro script documentation, so pass it through.
+					$$ = concat($1, $2);
+				else
+					$$ = $1;
 			}
 	|	/* empty */
 			{ $$ = ""; }
@@ -565,7 +716,7 @@ opt_ws:		opt_ws TOK_WS
 extern char* yytext;
 extern char* input_filename;
 extern int line_number;
-const char* decl_name;
+void err_exit(void);
 
 void print_msg(const char msg[])
 	{
@@ -605,7 +756,6 @@ int yyerror(const char msg[])
 	{
 	print_msg(msg);
 
-	abort();
-	exit(1);
+	err_exit();
 	return 0;
 	}
diff --git a/src/common-rw.bif b/src/common-rw.bif
deleted file mode 100644
index 6554c4355d..0000000000
--- a/src/common-rw.bif
+++ /dev/null
@@ -1,107 +0,0 @@
-%%{
-#include "TCP_Rewriter.h"
-%%}
-
-rewriter commit_trace%(commit: bool, future: bool%)
-	%{
-	if ( commit )
-		@TRACE@->CommitPackets(future);
-	else
-		@TRACE@->AbortPackets(future);
-	%}
-
-rewriter push_packet%(is_orig: bool%)
-	%{
-	@PUSH@(is_orig);
-	%}
-
-rewriter leave_addr_in_the_clear%(is_orig: bool%)
-	%{
-	if ( ! @TRACE@->LeaveAddrInTheClear(is_orig) )
-		builtin_run_time("cannot leave IP address in the clear"
-			" (probably because some packets have already been rewritten before this call)");
-	%}
-
-function current_packet%(c: connection%): packet
-	%{
-	Rewriter* rewriter = get_trace_rewriter(c);
-	if ( ! rewriter )
-		{
-		builtin_run_time("current_packet is not supported without specifying an output file");
-		return 0;
-		}
-
-	return rewriter->CurrentPacket()->PacketVal();	
-	%}
-
-function current_rewrite_packet%(c: connection%): packet
-	%{
-	Rewriter* rewriter = get_trace_rewriter(c);
-	if ( ! rewriter )
-		{
-		builtin_run_time("current_rewrite_packet is not supported without specifying an output file");
-		return 0;
-		}
-
-	return rewriter->RewritePacket()->PacketVal();
-	%}
-
-# Reserve a slot in the current packet of the trace so that the
-# slot can be filled later by seeking to it.
-function reserve_rewrite_slot%(c: connection%): count
-	%{
-	Rewriter* rewriter = get_trace_rewriter(c);
-	if ( ! rewriter )
-		return new Val(0, TYPE_COUNT);
-
-	unsigned int slot = rewriter->ReserveSlot();
-	if ( slot == 0 )
-		builtin_run_time("reserve_rewrite_slot returning 0");
-
-	return new Val(slot, TYPE_COUNT);
-	%}
-
-# Seek to a previously reserved slot so that rewrites afterwards
-# will go into the slot instead of the current packet.
-function seek_rewrite_slot%(c: connection, slot: count%): any
-	%{
-	Rewriter* rewriter = get_trace_rewriter(c);
-	if ( ! rewriter->SeekSlot(slot) )
-		builtin_run_time("cannot seek the rewrite slot");
-
-	return 0;
-	%}
-
-# Return from any reserved slot to bring the rewrite pointer back to
-# the current packet.
-function return_from_rewrite_slot%(c: connection%): any
-	%{
-	Rewriter* rewriter = get_trace_rewriter(c);
-	rewriter->ReturnFromSlot();
-	return 0;
-	%}
-
-# Release a rewrite slot and dump the slot to the trace (it cannot be
-# seek'd again). If the rewrite pointer is currently at the slot, it
-# will return to the current packet.
-function release_rewrite_slot%(c: connection, slot: count%): any
-	%{
-	Rewriter* rewriter = get_trace_rewriter(c);
-	rewriter->ReleaseSlot(slot);
-	return 0;
-	%}
-
-# Dump original packets on the connection up to this point to the
-# output trace, if any.
-function dump_packets_of_connection%(c: connection%): any
-	%{
-	Analyzer* tc = c->FindAnalyzer(AnalyzerTag::TCP);
-	if ( ! tc )
-		run_time("connection does not have TCP analyzer");
-
-	TCP_SourcePacketWriter* pkt_writer = get_src_pkt_writer((TCP_Analyzer*) tc);
-	if ( pkt_writer )
-		pkt_writer->Dump();
-
-	return 0;
-	%}
diff --git a/src/const.bif b/src/const.bif
index 2c4f2d1f1c..e51028c742 100644
--- a/src/const.bif
+++ b/src/const.bif
@@ -1,97 +1,9 @@
 # $Id: const.bif 3929 2007-01-14 00:37:59Z vern $
 
-# Some connections (e.g., SSH) retransmit the acknowledged last
-# byte to keep the connection alive. If ignore_keep_alive_rexmit
-# is set to T, such retransmissions will be excluded in the rexmit
-# counter in conn_stats.
-const ignore_keep_alive_rexmit = F &redef;
+# Documentation and default values for these are located in policy/bro.dif.
 
-# Skip HTTP data portions for performance considerations (the skipped
-# portion will not go through TCP reassembly).
-const skip_http_data = F &redef;
+const ignore_keep_alive_rexmit: bool;
+const skip_http_data: bool;
+const parse_udp_tunnels: bool;
+const use_conn_size_analyzer: bool;
 
-# Whether the analysis engine parses IP packets encapsulated in
-# UDP tunnels. See also: udp_tunnel_port, policy/udp-tunnel.bro.
-const parse_udp_tunnels = F &redef;
-
-# Whether a commitment is required before writing the transformed
-# trace for a connection into the dump file.
-const requires_trace_commitment = F &redef;
-
-# Whether IP address anonymization is enabled.
-const anonymize_ip_addr = F &redef;
-
-# Whether to omit place holder packets when rewriting.
-const omit_rewrite_place_holder = T &redef;
-
-# Whether trace of various protocols is being rewritten.
-const rewriting_http_trace = F &redef;
-const rewriting_smtp_trace = F &redef;
-const rewriting_ftp_trace = F &redef;
-const rewriting_ident_trace = F &redef;
-const rewriting_finger_trace = F &redef;
-const rewriting_dns_trace = F &redef;
-const rewriting_smb_trace = F &redef;
-
-# Whether we dump selected original packets to the output trace.
-const dump_selected_source_packets = F &redef;
-
-# If true, we dump original packets to the output trace *if and only if*
-# the connection is not rewritten; if false, the policy script can decide
-# whether to dump a particular connection by calling dump_packets_of_connection.
-#
-# NOTE: DO NOT SET THIS TO TRUE WHEN ANONYMIZING A TRACE! 
-# (TODO: this variable should be disabled when using '-A' option)
-const dump_original_packets_if_not_rewriting = F &redef;
-
-enum dce_rpc_ptype %{
-	DCE_RPC_REQUEST,
-	DCE_RPC_PING,
-	DCE_RPC_RESPONSE,
-	DCE_RPC_FAULT,
-	DCE_RPC_WORKING,
-	DCE_RPC_NOCALL,
-	DCE_RPC_REJECT,
-	DCE_RPC_ACK,
-	DCE_RPC_CL_CANCEL,
-	DCE_RPC_FACK,
-	DCE_RPC_CANCEL_ACK,
-	DCE_RPC_BIND,
-	DCE_RPC_BIND_ACK,
-	DCE_RPC_BIND_NAK,
-	DCE_RPC_ALTER_CONTEXT,
-	DCE_RPC_ALTER_CONTEXT_RESP,
-	DCE_RPC_SHUTDOWN,
-	DCE_RPC_CO_CANCEL,
-	DCE_RPC_ORPHANED,
-%}
-
-enum dce_rpc_if_id %{
-	DCE_RPC_unknown_if,
-	DCE_RPC_epmapper,
-	DCE_RPC_lsarpc,
-	DCE_RPC_lsa_ds,
-	DCE_RPC_mgmt,
-	DCE_RPC_netlogon,
-	DCE_RPC_samr,
-	DCE_RPC_srvsvc,
-	DCE_RPC_spoolss,
-	DCE_RPC_drs,
-	DCE_RPC_winspipe,
-	DCE_RPC_wkssvc,
-	DCE_RPC_oxid,
-	DCE_RPC_ISCMActivator,
-%}
-
-enum rpc_status %{
-	RPC_SUCCESS,
-	RPC_PROG_UNAVAIL,
-	RPC_PROG_MISMATCH,
-	RPC_PROC_UNAVAIL,
-	RPC_GARBAGE_ARGS,
-	RPC_SYSTEM_ERR,
-	RPC_TIMEOUT,
-	RPC_VERS_MISMATCH,
-	RPC_AUTH_ERROR,
-	RPC_UNKNOWN_ERROR,
-%}
diff --git a/src/cq.c b/src/cq.c
index 63e4275369..b669dabd35 100644
--- a/src/cq.c
+++ b/src/cq.c
@@ -570,8 +570,8 @@ cq_debugbucket(register struct cq_handle *hp,
 			bp2 = hp->buckets + PRI2BUCKET(hp, bp->pri);
 			if (bp2 != buckets) {
 				fprintf(stderr,
-				    "%f in wrong bucket! (off by %d)\n",
-				    bp->pri, bp2 - buckets);
+				    "%f in wrong bucket! (off by %ld)\n",
+				    bp->pri, (long)(bp2 - buckets));
 				cq_dump(hp);
 				abort();
 			}
diff --git a/src/dce_rpc-analyzer.pac b/src/dce_rpc-analyzer.pac
index 8f412401f7..353c9f3795 100644
--- a/src/dce_rpc-analyzer.pac
+++ b/src/dce_rpc-analyzer.pac
@@ -88,7 +88,7 @@ flow DCE_RPC_Flow(is_orig: bool) {
 					bind_elems.p_cont_elem[i].abstract_syntax.if_uuid};
 
 				// Queue the event
-				bro_event_dce_rpc_bind(
+				BifEvent::generate_dce_rpc_bind(
 					${connection.bro_analyzer},
 					${connection.bro_analyzer}->Conn(),
 					bytestring_to_val(${if_uuid}));
@@ -106,7 +106,7 @@ flow DCE_RPC_Flow(is_orig: bool) {
 		%{
 		if ( dce_rpc_request )
 			{
-			bro_event_dce_rpc_request(
+			BifEvent::generate_dce_rpc_request(
 				${connection.bro_analyzer},
 				${connection.bro_analyzer}->Conn(),
 				${req.opnum},
@@ -124,7 +124,7 @@ flow DCE_RPC_Flow(is_orig: bool) {
 		%{
 		if ( dce_rpc_response )
 			{
-			bro_event_dce_rpc_response(
+			BifEvent::generate_dce_rpc_response(
 				${connection.bro_analyzer},
 				${connection.bro_analyzer}->Conn(),
 				${connection}->get_cont_id_opnum_map(${resp.p_cont_id}),
diff --git a/src/dce_rpc.pac b/src/dce_rpc.pac
index 0aa689b532..58c2250c26 100644
--- a/src/dce_rpc.pac
+++ b/src/dce_rpc.pac
@@ -8,5 +8,5 @@ analyzer DCE_RPC withcontext {
 	flow: DCE_RPC_Flow;
 };
 
-%include "dce_rpc-protocol.pac"
-%include "dce_rpc-analyzer.pac"
+%include dce_rpc-protocol.pac
+%include dce_rpc-analyzer.pac
diff --git a/src/dhcp-analyzer.pac b/src/dhcp-analyzer.pac
index 4bebc0ba4f..ef8b888330 100644
--- a/src/dhcp-analyzer.pac
+++ b/src/dhcp-analyzer.pac
@@ -91,31 +91,31 @@ flow DHCP_Flow(is_orig: bool) {
 		switch ( type )
 		{
 		case DHCPDISCOVER:
-			bro_event_dhcp_discover(connection()->bro_analyzer(),
+			BifEvent::generate_dhcp_discover(connection()->bro_analyzer(),
 					connection()->bro_analyzer()->Conn(),
 					dhcp_msg_val_->Ref(), req_addr);
 			break;
 
 		case DHCPREQUEST:
-			bro_event_dhcp_request(connection()->bro_analyzer(),
+			BifEvent::generate_dhcp_request(connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				dhcp_msg_val_->Ref(), req_addr, serv_addr);
 			break;
 
 		case DHCPDECLINE:
-			bro_event_dhcp_decline(connection()->bro_analyzer(),
+			BifEvent::generate_dhcp_decline(connection()->bro_analyzer(),
 					connection()->bro_analyzer()->Conn(),
 					dhcp_msg_val_->Ref());
 			break;
 
 		case DHCPRELEASE:
-			bro_event_dhcp_release(connection()->bro_analyzer(),
+			BifEvent::generate_dhcp_release(connection()->bro_analyzer(),
 					connection()->bro_analyzer()->Conn(),
 					dhcp_msg_val_->Ref());
 			break;
 
 		case DHCPINFORM:
-			bro_event_dhcp_inform(connection()->bro_analyzer(),
+			BifEvent::generate_dhcp_inform(connection()->bro_analyzer(),
 					connection()->bro_analyzer()->Conn(),
 					dhcp_msg_val_->Ref());
 			break;
@@ -204,21 +204,21 @@ flow DHCP_Flow(is_orig: bool) {
 
 		switch ( type ) {
 		case DHCPOFFER:
-			bro_event_dhcp_offer(connection()->bro_analyzer(),
+			BifEvent::generate_dhcp_offer(connection()->bro_analyzer(),
 					connection()->bro_analyzer()->Conn(),
 					dhcp_msg_val_->Ref(), subnet_mask,
 					router_list, lease, serv_addr);
 			break;
 
 		case DHCPACK:
-			bro_event_dhcp_ack(connection()->bro_analyzer(),
+			BifEvent::generate_dhcp_ack(connection()->bro_analyzer(),
 					connection()->bro_analyzer()->Conn(),
 					dhcp_msg_val_->Ref(), subnet_mask,
 					router_list, lease, serv_addr);
 			break;
 
 		case DHCPNAK:
-			bro_event_dhcp_nak(connection()->bro_analyzer(),
+			BifEvent::generate_dhcp_nak(connection()->bro_analyzer(),
 					connection()->bro_analyzer()->Conn(),
 					dhcp_msg_val_->Ref());
 			break;
diff --git a/src/dns-analyzer.pac b/src/dns-analyzer.pac
index 2e9a6496c3..72bda3165f 100644
--- a/src/dns-analyzer.pac
+++ b/src/dns-analyzer.pac
@@ -124,7 +124,7 @@ flow DNS_Flow
 
 		if ( msg->header()->qr() == 0 )
 			{
-			bro_event_dns_request(
+			BifEvent::generate_dns_request(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				dns_msg_val_->Ref(),
@@ -137,7 +137,7 @@ flow DNS_Flow
 		          msg->header()->nscount() == 0 &&
 		          msg->header()->arcount() == 0 )
 			{
-			bro_event_dns_rejected(
+			BifEvent::generate_dns_rejected(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				dns_msg_val_->Ref(),
@@ -253,7 +253,7 @@ flow DNS_Flow
 			// above fixes for BROv6, we can probably now introduce
 			// their own events.  (It's not clear A6 is needed -
 			// do we actually encounter it in practice?)
-			bro_event_dns_A_reply(connection()->bro_analyzer(),
+			BifEvent::generate_dns_A_reply(connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				dns_msg_val_->Ref(), build_dns_answer(rr), addr);
 			break;
@@ -261,7 +261,7 @@ flow DNS_Flow
 		case TYPE_NS:
 			if ( dns_NS_reply )
 				{
-				bro_event_dns_NS_reply(connection()->bro_analyzer(),
+				BifEvent::generate_dns_NS_reply(connection()->bro_analyzer(),
 					connection()->bro_analyzer()->Conn(),
 					dns_msg_val_->Ref(),
 					build_dns_answer(rr),
@@ -272,7 +272,7 @@ flow DNS_Flow
 		case TYPE_CNAME:
 			if ( dns_CNAME_reply )
 				{
-				bro_event_dns_CNAME_reply(
+				BifEvent::generate_dns_CNAME_reply(
 					connection()->bro_analyzer(),
 					connection()->bro_analyzer()->Conn(),
 					dns_msg_val_->Ref(),
@@ -284,7 +284,7 @@ flow DNS_Flow
 		case TYPE_SOA:
 			if ( dns_SOA_reply )
 				{
-				bro_event_dns_SOA_reply(
+				BifEvent::generate_dns_SOA_reply(
 					connection()->bro_analyzer(),
 					connection()->bro_analyzer()->Conn(),
 					dns_msg_val_->Ref(),
@@ -296,7 +296,7 @@ flow DNS_Flow
 		case TYPE_PTR:
 			if ( dns_PTR_reply )
 				{
-				bro_event_dns_PTR_reply(
+				BifEvent::generate_dns_PTR_reply(
 					connection()->bro_analyzer(),
 					connection()->bro_analyzer()->Conn(),
 					dns_msg_val_->Ref(),
@@ -308,7 +308,7 @@ flow DNS_Flow
 		case TYPE_MX:
 			if ( dns_MX_reply )
 				{
-				bro_event_dns_MX_reply(
+				BifEvent::generate_dns_MX_reply(
 					connection()->bro_analyzer(),
 					connection()->bro_analyzer()->Conn(),
 					dns_msg_val_->Ref(),
@@ -321,7 +321,7 @@ flow DNS_Flow
 		case TYPE_EDNS:
 			if ( dns_EDNS_addl )
 				{
-				bro_event_dns_EDNS_addl(
+				BifEvent::generate_dns_EDNS_addl(
 					connection()->bro_analyzer(),
 					connection()->bro_analyzer()->Conn(),
 					dns_msg_val_->Ref(),
diff --git a/src/dns-rw.bif b/src/dns-rw.bif
deleted file mode 100644
index 07e03172c0..0000000000
--- a/src/dns-rw.bif
+++ /dev/null
@@ -1,99 +0,0 @@
-# $Id: dns-rw.bif,v 1.1.2.6 2006/01/11 21:20:09 jason Exp $
-
-# This is called for every message - snake out the header.
-rewriter dns_message%(is_orig: bool, msg: dns_msg, len: count%)
-	%{
-	DNS_Rewriter* dnsrewriter = ((DNS_Rewriter*) @TRACE@);
-	dnsrewriter->SetOrig(is_orig);
-	dnsrewriter->DnsCopyHeader(msg);
-	%}
-
-# Rewrite an DNS request.
-rewriter dns_request%(query: string, msg: dns_msg, qtype: count, qclass: count%)
-	%{
-	DNS_Rewriter* dnsrewriter = ((DNS_Rewriter*) @TRACE@);
-	dnsrewriter->DnsCopyQuery(query->AsString(), qtype, qclass);
-	%}
-
-# Called for every reply, contains the query part.
-rewriter dns_reply_question%(msg: dns_msg,
-				qname: string, qtype: count, qclass: count%)
-	%{
-	DNS_Rewriter* dnsrewriter = ((DNS_Rewriter*) @TRACE@);
-	dnsrewriter->DnsCopyQuery(qname->AsString(), qtype, qclass);
-	%}
-
-
-# Rewrite an DNS NS reply.
-rewriter dns_NS_reply%(msg: dns_msg, dns_ans: dns_answer, name: string%)
-	%{
-	DNS_Rewriter* dnsrewriter = ((DNS_Rewriter*) @TRACE@);
-	dnsrewriter->DnsCopyNS(dns_ans, name->AsString());
-	%}
-
-
-rewriter dns_A_reply%(msg: dns_msg, ans: dns_answer, a: addr%)
-	%{
-	DNS_Rewriter* dnsrewriter = ((DNS_Rewriter*) @TRACE@);
-#ifdef BROv6
-	dnsrewriter->DnsCopyA(ans, to_v4_addr(a));
-#else
-	dnsrewriter->DnsCopyA(ans, a);
-#endif
-	%}
-
-rewriter dns_AAAA_reply%(msg: dns_msg, ans: dns_answer, a: addr, astr: string%)
-	%{
-	DNS_Rewriter* dnsrewriter = ((DNS_Rewriter*) @TRACE@);
-	dnsrewriter->DnsCopyAAAA(ans, a, astr->AsString());
-	%}
-
-rewriter dns_CNAME_reply%(msg: dns_msg, ans: dns_answer, name: string%)
-	%{
-	DNS_Rewriter* dnsrewriter = ((DNS_Rewriter*) @TRACE@);
-	dnsrewriter->DnsCopyCNAME(ans, name->AsString());
-	%}
-
-rewriter dns_TXT_reply%(msg: dns_msg, ans: dns_answer, content: string%)
-	%{
-	DNS_Rewriter* dnsrewriter = ((DNS_Rewriter*) @TRACE@);
-	dnsrewriter->DnsCopyTXT(ans, content->AsString());
-	%}
-
-rewriter dns_PTR_reply%(msg: dns_msg, ans: dns_answer, name: string%)
-	%{
-	DNS_Rewriter* dnsrewriter = ((DNS_Rewriter*) @TRACE@);
-	dnsrewriter->DnsCopyPTR(ans, name->AsString());
-	%}
-
-rewriter dns_MX_reply%(msg: dns_msg, ans: dns_answer,
-			name: string, preference: count%)
-	%{
-	DNS_Rewriter* dnsrewriter = ((DNS_Rewriter*) @TRACE@);
-	dnsrewriter->DnsCopyMX(ans, name->AsString(), preference);
-	%}
-
-rewriter dns_SOA_reply%(msg: dns_msg, ans: dns_answer, soa: dns_soa%)
-	%{
-	DNS_Rewriter* dnsrewriter = ((DNS_Rewriter*) @TRACE@);
-	dnsrewriter->DnsCopySOA(ans, soa);
-	%}
-
-rewriter dns_EDNS_addl%(msg: dns_msg, ans: dns_edns_additional%)
-	%{
-	DNS_Rewriter* dnsrewriter = ((DNS_Rewriter*) @TRACE@);
-	dnsrewriter->DnsCopyEDNSaddl(ans);
-	%}
-
-
-# Call this at end of processing a DNS packet.
-rewriter dns_end%(commit: bool%)
-	%{
-	DNS_Rewriter* dnsrewriter = ((DNS_Rewriter*) @TRACE@);
-
-	// We have been building the packet in the DNS rewriter, now
-	// write the whole packet here at once, then commit it.
-	@WRITE@(dnsrewriter->IsOrig(), dnsrewriter->PacketSize(),
-		(const u_char*) dnsrewriter->Packet());
-	@TRACE@->CommitPackets(commit);
-	%}
diff --git a/src/event.bif b/src/event.bif
index ce5bd16c03..d38963d8d1 100644
--- a/src/event.bif
+++ b/src/event.bif
@@ -1,10 +1,5 @@
 # $Id: event.bif 6942 2009-11-16 03:54:08Z vern $
 
-# Declare to bifcl the following types as enum types.
-declare enum dce_rpc_ptype;
-declare enum dce_rpc_if_id;
-declare enum rpc_status;
-
 event bro_init%(%);
 event bro_done%(%);
 
@@ -57,6 +52,7 @@ event icmp_echo_request%(c: connection, icmp: icmp_conn, id: count, seq: count,
 event icmp_echo_reply%(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string%);
 event icmp_unreachable%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%);
 event icmp_time_exceeded%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%);
+event icmp_redirect%(c: connection, icmp: icmp_conn, a: addr%);
 event net_stats_update%(t: time, ns: net_stats%);
 event conn_stats%(c: connection, os: endpoint_stats, rs: endpoint_stats%);
 event conn_weird%(name: string, c: connection%);
diff --git a/src/finger-rw.bif b/src/finger-rw.bif
deleted file mode 100644
index a32d9b30c6..0000000000
--- a/src/finger-rw.bif
+++ /dev/null
@@ -1,22 +0,0 @@
-# Write a finger request to trace.
-rewriter finger_request %(full: bool, username: string, hostpart: string%)
-	%{
-	const int is_orig = 1;
-	if ( full )
-		@WRITE@(is_orig, "/W ");
-	@WRITE@(is_orig, username->AsString());
-	if ( hostpart->Len() > 0 )
-		{
-		@WRITE@(is_orig, "@");
-		@WRITE@(is_orig, hostpart->AsString());
-		}
-	@WRITE@(is_orig, "\r\n");
-	%}
-
-# Write a finger reply to trace.
-rewriter finger_reply %(reply: string%)
-	%{
-	const int is_orig = 0;
-	@WRITE@(is_orig, reply->AsString());
-	@WRITE@(is_orig, "\r\n");
-	%}
diff --git a/src/ftp-rw.bif b/src/ftp-rw.bif
deleted file mode 100644
index f12931ab28..0000000000
--- a/src/ftp-rw.bif
+++ /dev/null
@@ -1,27 +0,0 @@
-# Rewrite an FTP request.
-rewriter ftp_request%(command: string, arg: string%)
-	%{
-	const int is_orig = 1;
-	@WRITE@(is_orig, command->AsString());
-	if ( command->Len() > 0 && arg->Len() > 0 )
-		@WRITE@(is_orig, " ");
-	@WRITE@(is_orig, arg->AsString());
-	@WRITE@(is_orig, "\r\n");
-	%}
-
-# Rewrite an FTP reply.
-rewriter ftp_reply%(code: count, msg: string, cont_resp: bool%)
-	%{
-	const int is_orig = 0;
-
-	if ( code > 0 )
-		{
-		@WRITE@(is_orig, fmt("%03lu", (unsigned long) code));
-		if ( cont_resp )
-			@WRITE@(is_orig, "-");
-		else
-			@WRITE@(is_orig, " ");
-		}
-	@WRITE@(is_orig, msg->AsString());
-	@WRITE@(is_orig, "\r\n");
-	%}
diff --git a/src/http-analyzer.pac b/src/http-analyzer.pac
index 38402a9d67..c1a4dd7b26 100644
--- a/src/http-analyzer.pac
+++ b/src/http-analyzer.pac
@@ -84,7 +84,7 @@ flow HTTP_Flow(is_orig: bool) {
 		if ( ::http_request )
 			{
 			bytestring unescaped_uri = unescape_uri(uri);
-			bro_event_http_request(connection()->bro_analyzer(),
+			BifEvent::generate_http_request(connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				bytestring_to_val(method),
 				bytestring_to_val(uri),
@@ -103,7 +103,7 @@ flow HTTP_Flow(is_orig: bool) {
 		%{
 		if ( ::http_reply )
 			{
-			bro_event_http_reply(connection()->bro_analyzer(),
+			BifEvent::generate_http_reply(connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				bytestring_to_val(${vers.vers_str}), code,
 				bytestring_to_val(reason));
@@ -205,7 +205,7 @@ flow HTTP_Flow(is_orig: bool) {
 
 		if ( ::http_header )
 			{
-			bro_event_http_header(connection()->bro_analyzer(),
+			BifEvent::generate_http_header(connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(),
 				bytestring_to_val(name)->ToUpper(),
@@ -236,7 +236,7 @@ flow HTTP_Flow(is_orig: bool) {
 		%{
 		if ( ::http_all_headers )
 			{
-			bro_event_http_all_headers(connection()->bro_analyzer(),
+			BifEvent::generate_http_all_headers(connection()->bro_analyzer(),
 						connection()->bro_analyzer()->Conn(),
 						is_orig(),
 						build_http_headers_val());
@@ -263,7 +263,7 @@ flow HTTP_Flow(is_orig: bool) {
 		msg_start_time_ = network_time();
 		if ( ::http_begin_entity )
 			{
-			bro_event_http_begin_entity(connection()->bro_analyzer(),
+			BifEvent::generate_http_begin_entity(connection()->bro_analyzer(),
 							connection()->bro_analyzer()->Conn(), is_orig());
 			}
 		%}
@@ -295,13 +295,13 @@ flow HTTP_Flow(is_orig: bool) {
 
 		if ( ::http_end_entity )
 			{
-			bro_event_http_end_entity(connection()->bro_analyzer(),
+			BifEvent::generate_http_end_entity(connection()->bro_analyzer(),
 							connection()->bro_analyzer()->Conn(), is_orig());
 			}
 
 		if ( ::http_message_done )
 			{
-			bro_event_http_message_done(connection()->bro_analyzer(),
+			BifEvent::generate_http_message_done(connection()->bro_analyzer(),
 					connection()->bro_analyzer()->Conn(),
 					is_orig(), build_http_message_stat());
 			}
diff --git a/src/http-rw.bif b/src/http-rw.bif
deleted file mode 100644
index c839dcaf2a..0000000000
--- a/src/http-rw.bif
+++ /dev/null
@@ -1,61 +0,0 @@
-%%{
-#include "HTTP.h"
-
-BroString* encode_URI(BroString* URI)
-	{
-	byte_vec encoded_URI = new unsigned char[URI->Len() * 3 + 1];
-	byte_vec end_of_URI = URI->Bytes() + URI->Len();
-
-	byte_vec q = encoded_URI;
-	for ( byte_vec p = URI->Bytes(); p < end_of_URI; ++p )
-		{
-		if ( is_reserved_URI_char(*p) ||
-		     is_unreserved_URI_char(*p) || *p == '%' )
-			*q++ = *p;
-		else
-			escape_URI_char(*p, q);
-		}
-	*q = '\0';
-	return new BroString(1, encoded_URI, q - encoded_URI);
-	}
-%%}
-
-rewriter http_request%(method: string, URI: string, version: string%)
-	%{
-	const int is_orig = 1;
-
-	@WRITE@(is_orig, method->AsString());
-	@WRITE@(is_orig, " ");
-
-	@WRITE@(is_orig, URI->AsString());
-
-	@WRITE@(is_orig, " HTTP/");
-	@WRITE@(is_orig, version->AsString());
-	@WRITE@(is_orig, "\r\n");
-	%}
-
-rewriter http_reply%(version: string, code: count, reason: string%)
-	%{
-	const int is_orig = 0;
-
-	@WRITE@(is_orig, "HTTP/");
-	@WRITE@(is_orig, version->AsString());
-	@WRITE@(is_orig, " ");
-	@WRITE@(is_orig, fmt("%lu", (unsigned long) code));
-	@WRITE@(is_orig, " ");
-	@WRITE@(is_orig, reason->AsString());
-	@WRITE@(is_orig, "\r\n");
-	%}
-
-rewriter http_header%(is_orig: bool, name: string, value: string%)
-	%{
-	@WRITE@(is_orig, name->AsString());
-	@WRITE@(is_orig, ":");
-	@WRITE@(is_orig, value->AsString());
-	@WRITE@(is_orig, "\r\n");
-	%}
-
-rewriter http_data%(is_orig: bool, data: string%)
-	%{
-	@WRITE@(is_orig, data->AsString());
-	%}
diff --git a/src/ident-rw.bif b/src/ident-rw.bif
deleted file mode 100644
index 290cbe6b34..0000000000
--- a/src/ident-rw.bif
+++ /dev/null
@@ -1,23 +0,0 @@
-rewriter ident_request %(lport: port, rport: port%)
-	%{
-	const int is_orig = 1;
-	@WRITE@(is_orig, fmt("%u, %u\r\n", rport->Port(), lport->Port()));
-	%}
-
-rewriter ident_reply %(lport: port, rport: port, sys_str: string, id_str: string%)
-	%{
-	const int is_orig = 0;
-	@WRITE@(is_orig, fmt("%u, %u : USERID : ", rport->Port(), lport->Port()));
-	@WRITE@(is_orig, sys_str->AsString());
-	@WRITE@(is_orig, " : ");
-	@WRITE@(is_orig, id_str->AsString());
-	@WRITE@(is_orig, "\r\n");
-	%}
-
-rewriter ident_error %(lport: port, rport: port, msg_str: string%)
-	%{ 
-	const int is_orig = 0;
-	@WRITE@(is_orig, fmt("%u, %u : ERROR : ", rport->Port(), lport->Port()));
-	@WRITE@(is_orig, msg_str->AsString());
-	@WRITE@(is_orig, "\r\n");
-	%}
diff --git a/src/input.h b/src/input.h
index 004d366748..5ef64f4a60 100644
--- a/src/input.h
+++ b/src/input.h
@@ -30,6 +30,8 @@ extern void do_atifdef(const char* id);
 extern void do_atifndef(const char* id);
 extern void do_atelse();
 extern void do_atendif();
+extern void do_doc_token_start();
+extern void do_doc_token_stop();
 
 extern int line_number;
 extern const char* filename;
diff --git a/src/logging.bif b/src/logging.bif
new file mode 100644
index 0000000000..0e48633d5a
--- /dev/null
+++ b/src/logging.bif
@@ -0,0 +1,76 @@
+# Internal functions and types used by the logging framework.
+
+module Log;
+
+%%{
+#include "LogMgr.h"
+#include "NetVar.h"
+%%}
+
+type Filter: record;
+type Stream: record;
+type RotationInfo: record;
+type RotationControl: record;
+
+const Log::rotation_control: RotationControl;
+
+function Log::__create_stream%(id: Log::ID, stream: Log::Stream%) : bool
+	%{
+	bool result = log_mgr->CreateStream(id->AsEnumVal(), stream->AsRecordVal());
+	return new Val(result, TYPE_BOOL);
+	%}
+
+function Log::__enable_stream%(id: Log::ID%) : bool
+	%{
+	bool result = log_mgr->EnableStream(id->AsEnumVal());
+	return new Val(result, TYPE_BOOL);
+	%}
+
+function Log::__disable_stream%(id: Log::ID%) : bool
+	%{
+	bool result = log_mgr->DisableStream(id->AsEnumVal());
+	return new Val(result, TYPE_BOOL);
+	%}
+
+function Log::__add_filter%(id: Log::ID, filter: Log::Filter%) : bool
+	%{
+	bool result = log_mgr->AddFilter(id->AsEnumVal(), filter->AsRecordVal());
+	return new Val(result, TYPE_BOOL);
+	%}
+
+function Log::__remove_filter%(id: Log::ID, name: string%) : bool
+	%{
+	bool result = log_mgr->RemoveFilter(id->AsEnumVal(), name);
+	return new Val(result, TYPE_BOOL);
+	%}
+
+function Log::__write%(id: Log::ID, columns: any%) : bool
+	%{
+	bool result = log_mgr->Write(id->AsEnumVal(), columns->AsRecordVal());
+	return new Val(result, TYPE_BOOL);
+	%}
+
+function Log::__set_buf%(id: Log::ID, buffered: bool%): bool
+	%{
+	bool result = log_mgr->SetBuf(id->AsEnumVal(), buffered);
+	return new Val(result, TYPE_BOOL);
+	%}
+
+function Log::__flush%(id: Log::ID%): bool
+	%{
+	bool result = log_mgr->Flush(id->AsEnumVal());
+	return new Val(result, TYPE_BOOL);
+	%}
+
+# Options for the ASCII writer.
+
+module LogAscii;
+
+const output_to_stdout: bool;
+const include_header: bool;
+const header_prefix: string;
+const separator: string;
+const set_separator: string;
+const empty_field: string;
+const unset_field: string;
+
diff --git a/src/main.cc b/src/main.cc
index 21b8166267..70a1d8e4e9 100644
--- a/src/main.cc
+++ b/src/main.cc
@@ -8,6 +8,8 @@
 #include <stdlib.h>
 #include <unistd.h>
 #include <signal.h>
+#include <string.h>
+#include <list>
 #ifdef HAVE_GETOPT_H
 #include <getopt.h>
 #endif
@@ -18,13 +20,10 @@ extern "C" {
 }
 #endif
 
-#ifdef USE_OPENSSL
 extern "C" void OPENSSL_add_all_algorithms_conf(void);
-#endif
 
 #include "bsd-getopt-long.h"
 #include "input.h"
-#include "Active.h"
 #include "ScriptAnaly.h"
 #include "DNS_Mgr.h"
 #include "Frame.h"
@@ -32,6 +31,7 @@ extern "C" void OPENSSL_add_all_algorithms_conf(void);
 #include "Event.h"
 #include "File.h"
 #include "Logger.h"
+#include "LogMgr.h"
 #include "Net.h"
 #include "NetVar.h"
 #include "Var.h"
@@ -48,6 +48,7 @@ extern "C" void OPENSSL_add_all_algorithms_conf(void);
 #include "Stats.h"
 #include "ConnCompressor.h"
 #include "DPM.h"
+#include "BroDoc.h"
 
 #include "binpac_bro.h"
 
@@ -73,6 +74,7 @@ name_list prefixes;
 DNS_Mgr* dns_mgr;
 TimerMgr* timer_mgr;
 Logger* bro_logger;
+LogMgr* log_mgr;
 Func* alarm_hook = 0;
 Stmt* stmts;
 EventHandlerPtr bro_signal = 0;
@@ -93,6 +95,7 @@ int optimize = 0;
 int do_notice_analysis = 0;
 int rule_bench = 0;
 int print_loaded_scripts = 0;
+int generate_documentation = 0;
 SecondaryPath* secondary_path = 0;
 ConnCompressor* conn_compressor = 0;
 extern char version[];
@@ -102,6 +105,8 @@ char* proc_status_file = 0;
 
 int FLAGS_use_binpac = false;
 
+extern std::list<BroDoc*> docs_generated;
+
 // Keep copy of command line
 int bro_argc;
 char** bro_argv;
@@ -124,14 +129,19 @@ const char* bro_version()
 #endif
 	}
 
+const char* bro_dns_fake()
+	{
+	if ( ! getenv("BRO_DNS_FAKE") )
+		return "off";
+	else 
+		return "on";
+	}
+
 void usage()
 	{
 	fprintf(stderr, "bro version %s\n", bro_version());
 	fprintf(stderr, "usage: %s [options] [file ...]\n", prog);
 	fprintf(stderr, "    <file>                         | policy file, or read stdin\n");
-#ifdef ACTIVE_MAPPING
-	fprintf(stderr, "    -a|--active-mapping <mapfile>  | use active mapping results\n");
-#endif
 	fprintf(stderr, "    -d|--debug-policy              | activate policy file debugging\n");
 	fprintf(stderr, "    -e|--exec <bro code>           | augment loaded policies by given code\n");
 	fprintf(stderr, "    -f|--filter <filter>           | tcpdump filter\n");
@@ -139,6 +149,7 @@ void usage()
 	fprintf(stderr, "    -h|--help|-?                   | command line help\n");
 	fprintf(stderr, "    -i|--iface <interface>         | read from given interface\n");
 	fprintf(stderr, "    -l|--print-scripts             | print all loaded scripts\n");
+	fprintf(stderr, "    -Z|--doc-scripts               | generate documentation for all loaded scripts\n");
 	fprintf(stderr, "    -p|--prefix <prefix>           | add given prefix to policy file resolution\n");
 	fprintf(stderr, "    -r|--readfile <readfile>       | read from given tcpdump file\n");
 	fprintf(stderr, "    -y|--flowfile <file>[=<ident>] | read from given flow file\n");
@@ -149,7 +160,6 @@ void usage()
 	fprintf(stderr, "    -v|--version                   | print version and exit\n");
 	fprintf(stderr, "    -x|--print-state <file.bst>    | print contents of state file\n");
 	fprintf(stderr, "    -z|--analyze <analysis>        | run the specified policy file analysis\n");
-	fprintf(stderr, "    -A|--transfile <writefile>     | write transformed trace to given tcpdump file\n");
 #ifdef DEBUG
 	fprintf(stderr, "    -B|--debug <dbgstreams>        | Enable debugging output for selected streams\n");
 #endif
@@ -186,6 +196,8 @@ void usage()
 
 	fprintf(stderr, "    $BROPATH                       | file search path (%s)\n", bro_path());
 	fprintf(stderr, "    $BRO_PREFIXES                  | prefix list (%s)\n", bro_prefixes());
+	fprintf(stderr, "    $BRO_DNS_FAKE                  | disable DNS lookups (%s)\n", bro_dns_fake());
+	fprintf(stderr, "    $BRO_SEED_FILE                 | file to load seeds from (not set)\n");
 
 	exit(1);
 	}
@@ -282,6 +294,7 @@ void terminate_bro()
 	delete conn_compressor;
 	delete remote_serializer;
 	delete dpm;
+	delete log_mgr;
 	}
 
 void termination_signal()
@@ -335,12 +348,12 @@ int main(int argc, char** argv)
 	name_list netflows;
 	name_list flow_files;
 	name_list rule_files;
-	char* transformed_writefile = 0;
 	char* bst_file = 0;
 	char* id_name = 0;
 	char* events_file = 0;
-	char* seed_load_file = 0;
+	char* seed_load_file = getenv("BRO_SEED_FILE");
 	char* seed_save_file = 0;
+	char* user_pcap_filter = 0;
 	int seed = 0;
 	int dump_cfg = false;
 	int to_xml = 0;
@@ -357,6 +370,7 @@ int main(int argc, char** argv)
 		{"help",		no_argument,		0,	'h'},
 		{"iface",		required_argument,	0,	'i'},
 		{"print-scripts",	no_argument,		0,	'l'},
+		{"doc-scripts",		no_argument,		0,	'Z'},
 		{"prefix",		required_argument,	0,	'p'},
 		{"readfile",		required_argument,	0,	'r'},
 		{"flowfile",		required_argument,	0,	'y'},
@@ -367,7 +381,6 @@ int main(int argc, char** argv)
 		{"version",		no_argument,		0,	'v'},
 		{"print-state",		required_argument,	0,	'x'},
 		{"analyze",		required_argument,	0,	'z'},
-		{"transfile",		required_argument,	0,	'A'},
 		{"no-checksums",	no_argument,		0,	'C'},
 		{"dfa-cache",		required_argument,	0,	'D'},
 		{"force-dns",		no_argument,		0,	'F'},
@@ -385,9 +398,6 @@ int main(int argc, char** argv)
 		{"print-id",		required_argument,	0,	'I'},
 		{"status-file",		required_argument,	0,	'U'},
 
-#ifdef	ACTIVE_MAPPING
-		{"active-mapping",	no_argument,		0,	'a'},
-#endif
 #ifdef	DEBUG
 		{"debug",		required_argument,	0,	'B'},
 #endif
@@ -408,17 +418,13 @@ int main(int argc, char** argv)
 
 	enum DNS_MgrMode dns_type = DNS_DEFAULT;
 
-#ifdef HAVE_NB_DNS
 	dns_type = getenv("BRO_DNS_FAKE") ? DNS_FAKE : DNS_DEFAULT;
-#else
-	dns_type = DNS_FAKE;
-#endif
 
 	RETSIGTYPE (*oldhandler)(int);
 
 	prog = argv[0];
 
-	prefixes.append("");	// "" = "no prefix"
+	prefixes.append(strdup(""));	// "" = "no prefix"
 
 	char* p = getenv("BRO_PREFIXES");
 	if ( p )
@@ -437,7 +443,7 @@ int main(int argc, char** argv)
 	opterr = 0;
 
 	char opts[256];
-	safe_strncpy(opts, "A:a:B:D:e:f:I:i:K:n:p:R:r:s:T:t:U:w:x:X:y:Y:z:CFGHLOPSWdghlv",
+	safe_strncpy(opts, "B:D:e:f:I:i:K:n:p:R:r:s:T:t:U:w:x:X:y:Y:z:CFGHLOPSWdghlvZ",
 		     sizeof(opts));
 
 #ifdef USE_PERFTOOLS
@@ -447,16 +453,6 @@ int main(int argc, char** argv)
 	int op;
 	while ( (op = getopt_long(argc, argv, opts, long_opts, &long_optsind)) != EOF )
 		switch ( op ) {
-		case 'a':
-#ifdef ACTIVE_MAPPING
-			fprintf(stderr, "Using active mapping file %s.\n", optarg);
-			active_file = optarg;
-#else
-			fprintf(stderr, "Bro not compiled for active mapping.\n");
-			exit(1);
-#endif
-			break;
-
 		case 'd':
 			fprintf(stderr, "Policy file debugging ON.\n");
 			g_policy_debug = true;
@@ -517,10 +513,6 @@ int main(int argc, char** argv)
 				}
 			break;
 
-		case 'A':
-			transformed_writefile = optarg;
-			break;
-
 		case 'C':
 			override_ignore_checksums = 1;
 			break;
@@ -630,6 +622,10 @@ int main(int argc, char** argv)
 			break;
 #endif
 
+		case 'Z':
+			generate_documentation = 1;
+			break;
+
 #ifdef USE_IDMEF
 		case 'n':
 			fprintf(stderr, "Using IDMEF XML DTD from %s\n", optarg);
@@ -663,7 +659,6 @@ int main(int argc, char** argv)
 	// DEBUG_MSG("HMAC key: %s\n", md5_digest_print(shared_hmac_md5_key));
 	init_hash_function();
 
-#ifdef USE_OPENSSL
 	ERR_load_crypto_strings();
 	OPENSSL_add_all_algorithms_conf();
 	SSL_library_init();
@@ -672,7 +667,6 @@ int main(int argc, char** argv)
 	// FIXME: On systems that don't provide /dev/urandom, OpenSSL doesn't
 	// seed the PRNG. We should do this here (but at least Linux, FreeBSD
 	// and Solaris provide /dev/urandom).
-#endif
 
 	if ( (interfaces.length() > 0 || netflows.length() > 0) && 
 	     (read_files.length() > 0 || flow_files.length() > 0 ))
@@ -707,13 +701,6 @@ int main(int argc, char** argv)
 			add_input_file(argv[optind++]);
 		}
 
-	if ( ! load_mapping_table(active_file.c_str()) )
-		{
-		fprintf(stderr, "Could not load active mapping file %s\n",
-			active_file.c_str());
-		exit(1);
-		}
-
 	dns_mgr = new DNS_Mgr(dns_type);
 
 	// It would nice if this were configurable.  This is similar to the
@@ -723,7 +710,8 @@ int main(int argc, char** argv)
 
 	persistence_serializer = new PersistenceSerializer();
 	remote_serializer = new RemoteSerializer();
-	event_registry = new EventRegistry;
+	event_registry = new EventRegistry();
+	log_mgr = new LogMgr();
 
 	if ( events_file )
 		event_player = new EventPlayer(events_file);
@@ -760,6 +748,16 @@ int main(int argc, char** argv)
 
 	init_general_global_var();
 
+	if ( user_pcap_filter )
+		{
+		ID* id = global_scope()->Lookup("cmd_line_bpf_filter");
+
+		if ( ! id )
+			internal_error("global cmd_line_bpf_filter not defined");
+
+		id->SetVal(new StringVal(user_pcap_filter));
+		}
+
 	// Parse rule files defined on the script level.
 	char* script_rule_files =
 		copy_string(internal_val("signature_files")->AsString()->CheckString());
@@ -817,8 +815,7 @@ int main(int argc, char** argv)
 
 	if ( dns_type != DNS_PRIME )
 		net_init(interfaces, read_files, netflows, flow_files,
-			writefile, transformed_writefile,
-			user_pcap_filter ? user_pcap_filter : "tcp or udp",
+			writefile, "tcp or udp or icmp",
 			secondary_path->Filter(), do_watchdog);
 
 	if ( ! reading_traces )
@@ -978,6 +975,20 @@ int main(int argc, char** argv)
 
 	mgr.Drain();
 
+	if ( generate_documentation )
+		{
+		std::list<BroDoc*>::iterator it;
+
+		for ( it = docs_generated.begin(); it != docs_generated.end(); ++it )
+			(*it)->WriteDocFile();
+
+		for ( it = docs_generated.begin(); it != docs_generated.end(); ++it )
+			delete *it;
+
+		terminate_bro();
+		return 0;
+		}
+
 	have_pending_timers = ! reading_traces && timer_mgr->Size() > 0;
 
 	if ( io_sources.Size() > 0 || have_pending_timers )
diff --git a/src/make_parser.pl b/src/make_parser.pl
deleted file mode 100644
index 63cb432ed6..0000000000
--- a/src/make_parser.pl
+++ /dev/null
@@ -1,44 +0,0 @@
-#
-# Generate the yacc/bison grammar file parse.y from parse.in
-#
-# Importantly, it will eliminate the dependence on the internal location stack
-# if it is not supported.
-#
-
-use strict;
-
-
-# figure out which yacc-like thing is used
-# ### Kind of a hack since it uses the Makefile
-
-my $srcdir = $ARGV[0];
-my $builddir = $ARGV[1];
-my $yacc = $ARGV[2];
-
-my $is_bison = ($yacc =~ /bison/);
-
-if ($is_bison)
-  {
-    system ("cp $srcdir/parse.in $builddir/parse.y") == 0 or die "Could not make parse.y: $!\n";
-  }
-else
-  {
-    make_parser();
-  }
-
-
-sub make_parser
-{
-  open PARSE_OUT, ">$builddir/parse.y" or die "Could not open $builddir/parse.y: $!";
-  open PARSE_IN, "$srcdir/parse.in" or die "Could not open $srcdir/parse.in: $!";
-
-  while (<PARSE_IN>)
-    {
-      $_ =~ s/\@\d+/GetCurrentLocation\(\)/g;
-      print PARSE_OUT $_;
-    }
-
-  # yylloc needs to be non-extern for non-bison systems, so stick it here
-  print PARSE_OUT "\n/* Non-extern yylloc needed for non-bison system */\n",
-    "YYLTYPE yylloc;\n"
-}
diff --git a/src/module_util.cc b/src/module_util.cc
new file mode 100644
index 0000000000..d9aa1af645
--- /dev/null
+++ b/src/module_util.cc
@@ -0,0 +1,62 @@
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include <string>
+#include <string.h>
+#include "module_util.h"
+
+static int streq(const char* s1, const char* s2)
+	{
+	return ! strcmp(s1, s2);
+	}
+
+// Returns it without trailing "::".
+string extract_module_name(const char* name)
+	{
+	string module_name = name;
+	string::size_type pos = module_name.rfind("::");
+
+	if ( pos == string::npos )
+		return string(GLOBAL_MODULE_NAME);
+
+	module_name.erase(pos);
+
+	return module_name;
+	}
+
+string extract_var_name(const char *name)
+	{
+	string var_name = name;
+	string::size_type pos = var_name.rfind("::");
+
+	if ( pos == string::npos )
+		return var_name;
+
+	if ( pos + 2 > var_name.size() )
+		return string("");
+
+	return var_name.substr(pos+2);
+	}
+
+string normalized_module_name(const char* module_name)
+	{
+	int mod_len;
+	if ( (mod_len = strlen(module_name)) >= 2 &&
+	     streq(module_name + mod_len - 2, "::") )
+		mod_len -= 2;
+
+	return string(module_name, mod_len);
+	}
+
+string make_full_var_name(const char* module_name, const char* var_name)
+	{
+	if ( ! module_name || streq(module_name, GLOBAL_MODULE_NAME) ||
+	     strstr(var_name, "::") )
+		return string(var_name);
+
+	string full_name = normalized_module_name(module_name);
+	full_name += "::";
+	full_name += var_name;
+
+	return full_name;
+	}
diff --git a/src/module_util.h b/src/module_util.h
new file mode 100644
index 0000000000..4f957f2958
--- /dev/null
+++ b/src/module_util.h
@@ -0,0 +1,17 @@
+//
+// These functions are used by both Bro and bifcl.
+//
+
+#include <string>
+
+using namespace std;
+
+static const char* GLOBAL_MODULE_NAME = "GLOBAL";
+
+extern string extract_module_name(const char* name);
+extern string extract_var_name(const char* name);
+extern string normalized_module_name(const char* module_name); // w/o ::
+
+// Concatenates module_name::var_name unless var_name is already fully
+// qualified, in which case it is returned unmodified.
+extern string make_full_var_name(const char* module_name, const char* var_name);
diff --git a/src/nb_dns.c b/src/nb_dns.c
index c2092a8b5b..5033aadad4 100644
--- a/src/nb_dns.c
+++ b/src/nb_dns.c
@@ -103,7 +103,7 @@ static int _nb_dns_cmpsockaddr(struct sockaddr *, struct sockaddr *, char *);
 static char *
 my_strerror(int errnum)
 {
-#if HAVE_STRERROR
+#ifdef HAVE_STRERROR
 	extern char *strerror(int);
 	return strerror(errnum);
 #else
diff --git a/src/net_util.cc b/src/net_util.cc
index e49d575fa0..f1cd9a335f 100644
--- a/src/net_util.cc
+++ b/src/net_util.cc
@@ -37,8 +37,7 @@ int tcp_checksum(const struct ip* ip, const struct tcphdr* tp, int len)
 	{
 	// ### Note, this is only correct for IPv4.  This routine is only
 	// used by the connection compressor (which we turn off for IPv6
-	// traffic) and trace rewriting (which currently doesn't support
-	// IPv6 either).
+	// traffic).
 
 	int tcp_len = tp->th_off * 4 + len;
 	uint32 sum;
@@ -97,7 +96,9 @@ int udp6_checksum(const struct ip6_hdr* ip6, const struct udphdr* up, int len)
 	sum = ones_complement_checksum((void*) ip6->ip6_src.s6_addr, 16, sum);
 	sum = ones_complement_checksum((void*) ip6->ip6_dst.s6_addr, 16, sum);
 
-	sum = ones_complement_checksum((void*) &len, 4, sum);
+	uint32 l = htonl(len);
+	sum = ones_complement_checksum((void*) &l, 4, sum);
+
 	uint32 addl_pseudo = htons(IPPROTO_UDP);
 	sum = ones_complement_checksum((void*) &addl_pseudo, 4, sum);
 	sum = ones_complement_checksum((void*) up, len, sum);
diff --git a/src/net_util.h b/src/net_util.h
index 4628fa0014..25b6b293fc 100644
--- a/src/net_util.h
+++ b/src/net_util.h
@@ -14,15 +14,10 @@
 #include <netinet/in_systm.h>
 #include <arpa/inet.h>
 
-#ifdef LINUX
-	/* sigh */
-#define source uh_sport 
-#define dest uh_dport 
-#define len uh_ulen   
-#define check uh_sum
-#endif
-
 #include <netinet/ip.h>
+#ifdef HAVE_LINUX
+#define __FAVOR_BSD
+#endif
 #include <netinet/tcp.h>
 #include <netinet/udp.h>
 #include <netinet/ip_icmp.h>
diff --git a/src/netflow.pac b/src/netflow.pac
index 8d1e87a1f9..8484d5fd11 100644
--- a/src/netflow.pac
+++ b/src/netflow.pac
@@ -2,6 +2,7 @@
 # Code written by Bernhard Ager (2007).
 
 %extern{
+#include "net_util.h"
 #include "Event.h"
 extern RecordType* conn_id;
 %}
diff --git a/src/parse.in b/src/parse.y
similarity index 67%
rename from src/parse.in
rename to src/parse.y
index b0bb39f0ea..8b3f8d64c8 100644
--- a/src/parse.in
+++ b/src/parse.y
@@ -3,12 +3,14 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 %}
 
+%expect 85
+
 %token TOK_ADD TOK_ADD_TO TOK_ADDR TOK_ALARM TOK_ANY
 %token TOK_ATENDIF TOK_ATELSE TOK_ATIF TOK_ATIFDEF TOK_ATIFNDEF
 %token TOK_BOOL TOK_BREAK TOK_CASE TOK_CONST
 %token TOK_CONSTANT TOK_COPY TOK_COUNT TOK_COUNTER TOK_DEFAULT TOK_DELETE
 %token TOK_DOUBLE TOK_ELSE TOK_ENUM TOK_EVENT TOK_EXPORT TOK_FILE TOK_FOR
-%token TOK_FUNCTION TOK_GLOBAL TOK_GLOBAL_ATTR TOK_ID TOK_IF TOK_INT
+%token TOK_FUNCTION TOK_GLOBAL TOK_ID TOK_IF TOK_INT
 %token TOK_INTERVAL TOK_LIST TOK_LOCAL TOK_MODULE TOK_MATCH TOK_NET
 %token TOK_NEXT TOK_OF TOK_PATTERN TOK_PATTERN_TEXT
 %token TOK_PORT TOK_PRINT TOK_RECORD TOK_REDEF
@@ -22,10 +24,12 @@
 %token TOK_ATTR_EXPIRE_CREATE TOK_ATTR_EXPIRE_READ TOK_ATTR_EXPIRE_WRITE
 %token TOK_ATTR_PERSISTENT TOK_ATTR_SYNCHRONIZED
 %token TOK_ATTR_DISABLE_PRINT_HOOK TOK_ATTR_RAW_OUTPUT TOK_ATTR_MERGEABLE
-%token TOK_ATTR_PRIORITY TOK_ATTR_GROUP
+%token TOK_ATTR_PRIORITY TOK_ATTR_GROUP TOK_ATTR_LOG
 
 %token TOK_DEBUG
 
+%token TOK_DOC TOK_POST_DOC
+
 %left ',' '|'
 %right '=' TOK_ADD_TO TOK_REMOVE_FROM
 %right '?' ':' TOK_USING
@@ -39,8 +43,9 @@
 %right '!'
 %left '$' '[' ']' '(' ')' TOK_HAS_FIELD TOK_HAS_ATTR
 
-%type <str> TOK_ID TOK_PATTERN_TEXT single_pattern
-%type <id> local_id global_id event_id global_or_event_id resolve_id begin_func
+%type <str> TOK_ID TOK_PATTERN_TEXT single_pattern TOK_DOC TOK_POST_DOC
+%type <str_l> opt_doc_list opt_post_doc_list
+%type <id> local_id global_id def_global_id event_id global_or_event_id resolve_id begin_func
 %type <id_l> local_id_list
 %type <ic> init_class
 %type <expr> opt_init
@@ -49,11 +54,11 @@
 %type <expr> expr init anonymous_function
 %type <event_expr> event
 %type <stmt> stmt stmt_list func_body for_head
-%type <type> type opt_type refined_type enum_id_list
+%type <type> type opt_type refined_type enum_body
 %type <func_type> func_hdr func_params
 %type <type_l> type_list
 %type <type_decl> type_decl formal_args_decl
-%type <type_decl_l> type_decl_list formal_args_decl_list opt_attr_attr
+%type <type_decl_l> type_decl_list formal_args_decl_list
 %type <record> formal_args
 %type <list> expr_list opt_expr_list
 %type <c_case> case
@@ -73,6 +78,15 @@
 #include "DNS.h"
 #include "RE.h"
 #include "Scope.h"
+#include "BroDoc.h"
+#include "BroDocObj.h"
+
+#include <list>
+#include <string>
+
+extern BroDoc* current_reST_doc;
+extern int generate_documentation;
+extern std::list<std::string>* reST_doc_comments;
 
 YYLTYPE GetCurrentLocation();
 extern int yyerror(const char[]);
@@ -98,14 +112,90 @@ extern Expr* g_curr_debug_expr;
 
 Expr* bro_this = 0;
 int in_init = 0;
+int in_record = 0;
 bool in_debug = false;
 bool resolving_global_ID = false;
+bool defining_global_ID = false;
 
 ID* func_id = 0;
+EnumType *cur_enum_type = 0;
+CommentedEnumType *cur_enum_type_doc = 0;
+const char* cur_enum_elem_id = 0;
+
+type_decl_list* fake_type_decl_list = 0;
+TypeDecl* last_fake_type_decl = 0;
+
+static void parser_new_enum (void)
+	{
+	/* Starting a new enum definition. */
+	assert(cur_enum_type == NULL);
+	cur_enum_type = new EnumType();
+
+	// For documentation purposes, a separate type object is created
+	// in order to avoid overlap that can be caused by redefs.
+	if ( generate_documentation )
+		cur_enum_type_doc = new CommentedEnumType();
+	}
+
+static void parser_redef_enum (ID *id)
+	{
+	/* Redef an enum. id points to the enum to be redefined.
+	   Let cur_enum_type point to it. */
+	assert(cur_enum_type == NULL);
+	if ( ! id->Type() )
+		id->Error("unknown identifier");
+	else
+		{
+		cur_enum_type = id->Type()->AsEnumType();
+		if ( ! cur_enum_type )
+			id->Error("not an enum");
+		}
+
+	if ( generate_documentation )
+		cur_enum_type_doc = new CommentedEnumType();
+	}
+
+static void add_enum_comment (std::list<std::string>* comments)
+	{
+	cur_enum_type_doc->AddComment(current_module, cur_enum_elem_id, comments);
+	}
+
+static ID* create_dummy_id (ID* id, BroType* type)
+	{
+	ID* fake_id = new ID(copy_string(id->Name()), (IDScope) id->Scope(),
+	                     is_export);
+
+	fake_id->SetType(type);
+
+	if ( id->AsType() )
+		{
+		type->SetTypeID(copy_string(id->Name()));
+		fake_id->MakeType();
+		}
+
+	return fake_id;
+	}
+
+static std::list<std::string>* concat_opt_docs (std::list<std::string>* pre,
+                                                std::list<std::string>* post)
+	{
+	if ( ! pre && ! post ) return 0;
+
+	if ( pre && ! post ) return pre;
+
+	if ( ! pre && post ) return post;
+
+	pre->splice(pre->end(), *post);
+	delete post;
+
+	return pre;
+	}
+
 %}
 
 %union {
 	char* str;
+	std::list<std::string>* str_l;
 	ID* id;
 	id_list* id_l;
 	init_class ic;
@@ -376,6 +466,12 @@ expr:
 				$$ = $2;
 			}
 
+	|	'[' ']'
+			{
+			// We interpret this as an empty record constructor.
+			$$ = new RecordConstructorExpr(new ListExpr);
+			}
+
 
 	|	TOK_RECORD '(' expr_list ')'
 			{
@@ -417,13 +513,7 @@ expr:
 	|	expr TOK_HAS_FIELD TOK_ID
 			{
 			set_location(@1, @3);
-			$$ = new HasFieldExpr($1, $3, false);
-			}
-
-	|	expr TOK_HAS_ATTR TOK_ID
-			{
-			set_location(@1, @3);
-			$$ = new HasFieldExpr($1, $3, true);
+			$$ = new HasFieldExpr($1, $3);
 			}
 
 	|	anonymous_function
@@ -526,11 +616,6 @@ opt_expr_list:
 		{ $$ = new ListExpr(); }
 	;
 
-opt_comma:
-		','
-	|
-	;
-
 pattern:
 		pattern '|' single_pattern
 			{
@@ -550,24 +635,93 @@ single_pattern:
 			{ $$ = $3; }
 	;
 
-enum_id_list:
-		TOK_ID
+enum_body:
+		enum_body_list opt_post_doc_list
 			{
-			set_location(@1);
+			$$ = cur_enum_type;
 
-			EnumType* et = new EnumType(is_export);
-			if ( et->AddName(current_module, $1) < 0 )
-				error("identifier in enumerated type definition already exists");
-			$$ = et;
+			if ( generate_documentation )
+				{
+				add_enum_comment($2);
+				cur_enum_elem_id = 0;
+				}
+
+			cur_enum_type = NULL;
 			}
 
-	|	enum_id_list ',' TOK_ID
+	|	enum_body_list ',' opt_post_doc_list
 			{
-			set_location(@1, @3);
+			$$ = cur_enum_type;
 
-			if ( $1->AsEnumType()->AddName(current_module, $3) < 1 )
-				error("identifier in enumerated type definition already exists");
-			$$ = $1;
+			if ( generate_documentation )
+				{
+				add_enum_comment($3);
+				cur_enum_elem_id = 0;
+				}
+
+			cur_enum_type = NULL;
+			}
+	;
+
+enum_body_list:
+		enum_body_elem opt_post_doc_list
+			{
+			if ( generate_documentation )
+				add_enum_comment($2);
+			}
+
+	|	enum_body_list ',' opt_post_doc_list
+			{
+			if ( generate_documentation )
+				add_enum_comment($3);
+			} enum_body_elem
+;
+
+enum_body_elem:
+		/* TODO: We could also define this as TOK_ID '=' expr, (or
+		   TOK_ID '=' = TOK_ID) so that we can return more descriptive
+		   error messages if someboy tries to use constant variables as
+		   enumerator.
+		*/
+		opt_doc_list TOK_ID '=' TOK_CONSTANT
+			{
+			set_location(@2, @4);
+			assert(cur_enum_type);
+
+			if ( $4->Type()->Tag() != TYPE_COUNT )
+				error("enumerator is not a count constant");
+			else
+				cur_enum_type->AddName(current_module, $2, $4->InternalUnsigned(), is_export);
+
+			if ( generate_documentation )
+				{
+				cur_enum_type_doc->AddName(current_module, $2, $4->InternalUnsigned(), is_export);
+				cur_enum_elem_id = $2;
+				add_enum_comment($1);
+				}
+			}
+
+	|	opt_doc_list TOK_ID '=' '-' TOK_CONSTANT
+			{
+			/* We only accept counts as enumerator, but we want to return a nice
+			   error message if users triy to use a negative integer (will also
+			   catch other cases, but that's fine.)
+			*/
+			error("enumerator is not a count constant");
+			}
+
+	|	opt_doc_list TOK_ID
+			{
+			set_location(@2);
+			assert(cur_enum_type);
+			cur_enum_type->AddName(current_module, $2, is_export);
+
+			if ( generate_documentation )
+				{
+				cur_enum_type_doc->AddName(current_module, $2, is_export);
+				cur_enum_elem_id = $2;
+				add_enum_comment($1);
+				}
 			}
 	;
 
@@ -659,10 +813,15 @@ type:
 				$$ = new SetType($3, 0);
 				}
 
-	|	TOK_RECORD '{' type_decl_list '}'
+	|	TOK_RECORD '{'
+			{ ++in_record; do_doc_token_start(); }
+		type_decl_list
+			{ --in_record; }
+		'}'
 				{
-				set_location(@1, @4);
-				$$ = new RecordType($3);
+				do_doc_token_stop();
+				set_location(@1, @5);
+				$$ = new RecordType($4);
 				}
 
 	|	TOK_UNION '{' type_list '}'
@@ -672,10 +831,12 @@ type:
 				$$ = 0;
 				}
 
-	|	TOK_ENUM '{' enum_id_list opt_comma '}'
+	|	TOK_ENUM '{' { set_location(@1); parser_new_enum(); do_doc_token_start(); } enum_body '}'
 				{
-				set_location(@1, @4);
-				$$ = $3;
+				do_doc_token_stop();
+				set_location(@1, @5);
+				$4->UpdateLocationEndInfo(@5);
+				$$ = $4;
 				}
 
 	|	TOK_LIST
@@ -750,16 +911,47 @@ type_list:
 
 type_decl_list:
 		type_decl_list type_decl
-			{ $1->append($2); }
+			{
+			$1->append($2);
+
+			if ( generate_documentation && last_fake_type_decl )
+				{
+				fake_type_decl_list->append(last_fake_type_decl);
+				last_fake_type_decl = 0;
+				}
+			}
 	|
-			{ $$ = new type_decl_list(); }
+			{
+			$$ = new type_decl_list();
+
+			if ( generate_documentation )
+				fake_type_decl_list = new type_decl_list();
+			}
 	;
 
 type_decl:
-		TOK_ID ':' type opt_attr ';'
+		opt_doc_list TOK_ID ':' type opt_attr ';' opt_post_doc_list
 			{
-			set_location(@1, @5);
-			$$ = new TypeDecl($3, $1, $4);
+			set_location(@2, @6);
+
+			if ( generate_documentation )
+				{
+				// TypeDecl ctor deletes the attr list, so make a copy
+				attr_list* a = $5;
+				attr_list* a_copy = 0;
+
+				if ( a )
+					{
+					a_copy = new attr_list;
+					loop_over_list(*a, i)
+						a_copy->append((*a)[i]);
+					}
+
+				last_fake_type_decl = new CommentedTypeDecl(
+					$4, $2, a_copy, (in_record > 0), concat_opt_docs($1, $7));
+				}
+
+			$$ = new TypeDecl($4, $2, $5, (in_record > 0));
 			}
 	;
 
@@ -791,51 +983,169 @@ formal_args_decl:
 
 decl:
 		TOK_MODULE TOK_ID ';'
-			{ current_module = $2; }
+			{
+			current_module = $2;
+
+			if ( generate_documentation )
+				current_reST_doc->AddModule(current_module);
+			}
 
 	|	TOK_EXPORT '{' { is_export = true; } decl_list '}'
 			{ is_export = false; }
 
-	|	TOK_GLOBAL global_id opt_type init_class opt_init opt_attr ';'
-			{ add_global($2, $3, $4, $5, $6, VAR_REGULAR); }
+	|	TOK_GLOBAL def_global_id opt_type init_class opt_init opt_attr ';'
+			{
+			add_global($2, $3, $4, $5, $6, VAR_REGULAR);
 
-	|	TOK_CONST global_id opt_type init_class opt_init opt_attr ';'
-			{ add_global($2, $3, $4, $5, $6, VAR_CONST); }
+			if ( generate_documentation )
+				{
+				ID* id = $2;
+				if ( id->Type()->Tag() == TYPE_FUNC )
+					{
+					if ( id->Type()->AsFuncType()->IsEvent() )
+						current_reST_doc->AddEvent(
+							new BroDocObj(id, reST_doc_comments));
+					else
+						current_reST_doc->AddFunction(
+							new BroDocObj(id, reST_doc_comments));
+					}
+
+				else
+					{
+					current_reST_doc->AddStateVar(
+						new BroDocObj(id, reST_doc_comments));
+					}
+				}
+			}
+
+	|	TOK_CONST def_global_id opt_type init_class opt_init opt_attr ';'
+			{
+			add_global($2, $3, $4, $5, $6, VAR_CONST);
+
+			if ( generate_documentation )
+				{
+				if ( $2->FindAttr(ATTR_REDEF) )
+					current_reST_doc->AddOption(
+						new BroDocObj($2, reST_doc_comments));
+				else
+					current_reST_doc->AddConstant(
+						new BroDocObj($2, reST_doc_comments));
+				}
+			}
 
 	|	TOK_REDEF global_id opt_type init_class opt_init opt_attr ';'
-			{ add_global($2, $3, $4, $5, $6, VAR_REDEF); }
-
-	|       TOK_REDEF TOK_ENUM global_id TOK_ADD_TO
-		'{' enum_id_list opt_comma '}' ';'
 			{
+			add_global($2, $3, $4, $5, $6, VAR_REDEF);
+
+			if ( generate_documentation &&
+				! streq("capture_filters", $2->Name()) &&
+				! streq("dpd_config", $2->Name()) )
+				{
+				ID* fake_id = create_dummy_id($2, $2->Type());
+				BroDocObj* o = new BroDocObj(fake_id, reST_doc_comments, true);
+				o->SetRole(true);
+				current_reST_doc->AddRedef(o);
+				}
+			}
+
+	|	TOK_REDEF TOK_ENUM global_id TOK_ADD_TO
+		'{' { parser_redef_enum($3); do_doc_token_start(); } enum_body '}' ';'
+			{
+			do_doc_token_stop();
+
+			if ( generate_documentation )
+				{
+				ID* fake_id = create_dummy_id($3, cur_enum_type_doc);
+				cur_enum_type_doc = 0;
+				BroDocObj* o = new BroDocObj(fake_id, reST_doc_comments, true);
+				o->SetRole(true);
+
+				if ( streq(fake_id->Name(), "Notice" ) )
+					current_reST_doc->AddNotice(o);
+				else
+					current_reST_doc->AddRedef(o);
+				}
+			}
+
+	|	TOK_REDEF TOK_RECORD global_id TOK_ADD_TO
+			'{' { do_doc_token_start(); } type_decl_list '}' opt_attr ';'
+			{
+			do_doc_token_stop();
+
 			if ( ! $3->Type() )
 				$3->Error("unknown identifier");
 			else
 				{
-				EnumType* add_to = $3->Type()->AsEnumType();
+				RecordType* add_to = $3->Type()->AsRecordType();
 				if ( ! add_to )
-					$3->Error("not an enum");
+					$3->Error("not a record type");
 				else
-					add_to->AddNamesFrom(current_module,
-							     $6->AsEnumType());
+					{
+					const char* error = add_to->AddFields($7, $9);
+					if ( error )
+						$3->Error(error);
+					else if ( generate_documentation )
+						{
+						if ( fake_type_decl_list )
+							{
+							BroType* fake_record =
+								new RecordType(fake_type_decl_list);
+							ID* fake = create_dummy_id($3, fake_record);
+							fake_type_decl_list = 0;
+							BroDocObj* o =
+								new BroDocObj(fake, reST_doc_comments, true);
+							o->SetRole(true);
+							current_reST_doc->AddRedef(o);
+							}
+						else
+							{
+							fprintf(stderr, "Warning: doc mode did not process "
+								"record extension for '%s', CommentedTypeDecl"
+								"list unavailable.\n", $3->Name());
+							}
+						}
+					}
 				}
 			}
 
-	|	TOK_TYPE global_id ':' refined_type opt_attr opt_attr_attr ';'
+	|	TOK_TYPE global_id ':' refined_type opt_attr ';'
 			{
 			add_type($2, $4, $5, 0);
-			if ( $6 )
-				$2->AsType()->SetAttributesType($6);
-			}
 
-	|	TOK_GLOBAL_ATTR ':' { in_global_attr_decl = true; }
-		'{' type_decl_list '}' ';' { in_global_attr_decl = false; }
-			{
-			global_attributes_type = new RecordType($5);
+			if ( generate_documentation )
+				{
+				TypeTag t = $2->AsType()->Tag();
+				if ( t == TYPE_ENUM && cur_enum_type_doc )
+					{
+					ID* fake = create_dummy_id($2, cur_enum_type_doc);
+					cur_enum_type_doc = 0;
+					current_reST_doc->AddType(
+						new BroDocObj(fake, reST_doc_comments, true));
+					}
+
+				else if ( t == TYPE_RECORD && fake_type_decl_list )
+					{
+					BroType* fake_record = new RecordType(fake_type_decl_list);
+					ID* fake = create_dummy_id($2, fake_record);
+					fake_type_decl_list = 0;
+					current_reST_doc->AddType(
+						new BroDocObj(fake, reST_doc_comments, true));
+					}
+
+				else
+					current_reST_doc->AddType(
+						new BroDocObj($2, reST_doc_comments));
+				}
 			}
 
 	|	TOK_EVENT event_id ':' refined_type opt_attr ';'
-			{ add_type($2, $4, $5, 1); }
+			{
+			add_type($2, $4, $5, 1);
+
+			if ( generate_documentation )
+				current_reST_doc->AddEvent(
+					new BroDocObj($2, reST_doc_comments));
+			}
 
 	|	func_hdr func_body
 			{ }
@@ -856,25 +1166,24 @@ conditional:
 			{ do_atelse(); }
 	;
 
-opt_attr_attr:
-		TOK_ATTR_ATTR '=' '{' type_decl_list '}'
-			{ $$ = $4; }
-	|
-			{ $$ = 0; }
-	;
-
 func_hdr:
-		TOK_FUNCTION global_id func_params
+		TOK_FUNCTION def_global_id func_params
 			{
 			begin_func($2, current_module.c_str(),
-				   FUNC_FLAVOR_FUNCTION, 0, $3);
+				FUNC_FLAVOR_FUNCTION, 0, $3);
 			$$ = $3;
+			if ( generate_documentation )
+				current_reST_doc->AddFunction(
+					new BroDocObj($2, reST_doc_comments));
 			}
 	|	TOK_EVENT event_id func_params
 			{
 			begin_func($2, current_module.c_str(),
 				   FUNC_FLAVOR_EVENT, 0, $3);
 			$$ = $3;
+			if ( generate_documentation )
+				current_reST_doc->AddEvent(
+					new BroDocObj($2, reST_doc_comments));
 			}
 	|	TOK_REDEF TOK_EVENT event_id func_params
 			{
@@ -1008,6 +1317,8 @@ attr:
 			{ $$ = new Attr(ATTR_PRIORITY, $3); }
 	|	TOK_ATTR_GROUP '=' expr
 			{ $$ = new Attr(ATTR_GROUP, $3); }
+	|	TOK_ATTR_LOG
+			{ $$ = new Attr(ATTR_LOG); }
 	;
 
 stmt:
@@ -1246,6 +1557,11 @@ global_id:
 		{ $$ = $2; }
 	;
 
+def_global_id:
+	{ defining_global_ID = 1; } global_id { defining_global_ID = 0; } 
+		{ $$ = $2; }
+	;
+
 event_id:
 	{ resolving_global_ID = 0; } global_or_event_id
 		{ $$ = $2; }
@@ -1256,7 +1572,7 @@ global_or_event_id:
 			{
 			set_location(@1);
 
-			$$ = lookup_ID($1, current_module.c_str(), false);
+			$$ = lookup_ID($1, current_module.c_str(), false, defining_global_ID);
 			if ( $$ )
 				{
 				if ( ! $$->IsGlobal() )
@@ -1270,7 +1586,7 @@ global_or_event_id:
 				const char* module_name =
 					resolving_global_ID ?
 						current_module.c_str() : 0;
-					
+
 				$$ = install_ID($1, module_name,
 						true, is_export);
 				}
@@ -1283,17 +1599,53 @@ resolve_id:
 			{
 			set_location(@1);
 			$$ = lookup_ID($1, current_module.c_str());
+
 			if ( ! $$ )
 				error("identifier not defined:", $1);
+
 			delete [] $1;
 			}
 	;
 
+opt_post_doc_list:
+		opt_post_doc_list TOK_POST_DOC
+			{
+			$1->push_back($2);
+			$$ = $1;
+			}
+	|
+		TOK_POST_DOC
+			{
+			$$ = new std::list<std::string>();
+			$$->push_back($1);
+			delete [] $1;
+			}
+	|
+			{ $$ = 0; }
+	;
+
+opt_doc_list:
+		opt_doc_list TOK_DOC
+			{
+			$1->push_back($2);
+			$$ = $1;
+			}
+	|
+		TOK_DOC
+			{
+			$$ = new std::list<std::string>();
+			$$->push_back($1);
+			delete [] $1;
+			}
+	|
+			{ $$ = 0; }
+	;
+
 %%
 
 int yyerror(const char msg[])
 	{
-	char* msgbuf = new char[strlen(msg) + strlen(last_tok) + 64];
+	char* msgbuf = new char[strlen(msg) + strlen(last_tok) + 128];
 
 	if ( last_tok[0] == '\n' )
 		sprintf(msgbuf, "%s, on previous line", msg);
@@ -1302,6 +1654,10 @@ int yyerror(const char msg[])
 	else
 		sprintf(msgbuf, "%s, at or near \"%s\"", msg, last_tok);
 
+	if ( generate_documentation )
+		strcat(msgbuf, "\nDocumentation mode is enabled: "
+		       "remember to check syntax of ## style comments\n");
+
 	error(msgbuf);
 
 	return 0;
diff --git a/src/patricia.c b/src/patricia.c
index c9d271803c..8e40cb5ef6 100644
--- a/src/patricia.c
+++ b/src/patricia.c
@@ -1027,7 +1027,7 @@ lookup_then_remove (patricia_tree_t *tree, char *string)
 {
     patricia_node_t *node;
 
-    if (node = try_search_exact (tree, string))
+    if ( (node = try_search_exact(tree, string)) )
         patricia_remove (tree, node);
 }
 
diff --git a/src/portmap-analyzer.pac b/src/portmap-analyzer.pac
index 546be2e9cc..a7b64ada5d 100644
--- a/src/portmap-analyzer.pac
+++ b/src/portmap-analyzer.pac
@@ -79,6 +79,10 @@ function PortmapBuildDumpVal(params: PortmapDumpResults): BroVal
 
 	for ( int i = 0; i < params->size(); ++i )
 		{
+		// The last element has cont()!=1 and this element doesn't contain a
+		// mapping.
+		if ((*params)[i]->cont() != 1)
+			continue;
 		Val* m = PortmapBuildMappingVal((*params)[i]->mapping());
 		Val* index = new Val(i + 1, TYPE_COUNT);
 		mappings->Assign(index, m);
@@ -96,23 +100,23 @@ refine connection RPC_Conn += {
 
 		switch ( call->proc() ) {
 		case PMAPPROC_NULL:
-			bro_event_pm_request_null(bro_analyzer(), bro_analyzer()->Conn());
+			BifEvent::generate_pm_request_null(bro_analyzer(), bro_analyzer()->Conn());
 			break;
 
 		case PMAPPROC_SET:
-			bro_event_pm_request_set(bro_analyzer(),
+			BifEvent::generate_pm_request_set(bro_analyzer(),
 				bro_analyzer()->Conn(),
 				call->call_val(), results->set());
 			break;
 
 		case PMAPPROC_UNSET:
-			bro_event_pm_request_unset(bro_analyzer(),
+			BifEvent::generate_pm_request_unset(bro_analyzer(),
 				bro_analyzer()->Conn(),
 				call->call_val(), results->unset());
 			break;
 
 		case PMAPPROC_GETPORT:
-			bro_event_pm_request_getport(bro_analyzer(),
+			BifEvent::generate_pm_request_getport(bro_analyzer(),
 				bro_analyzer()->Conn(),
 				call->call_val(),
 				PortmapBuildPortVal(results->getport(),
@@ -120,13 +124,13 @@ refine connection RPC_Conn += {
 			break;
 
 		case PMAPPROC_DUMP:
-			bro_event_pm_request_dump(bro_analyzer(),
+			BifEvent::generate_pm_request_dump(bro_analyzer(),
 				bro_analyzer()->Conn(),
 				PortmapBuildDumpVal(results->dump()));
 			break;
 
 		case PMAPPROC_CALLIT:
-			bro_event_pm_request_callit(bro_analyzer(),
+			BifEvent::generate_pm_request_callit(bro_analyzer(),
 				bro_analyzer()->Conn(),
 				call->call_val(),
 				new PortVal(results->callit()->port(),
@@ -145,37 +149,37 @@ function PortmapCallFailed(connection: RPC_Conn,
 			call: RPC_Call,
 			status: EnumRPCStatus): bool
 	%{
-	// BroEnum::rpc_status st = static_cast<BroEnum::rpc_status>(status);
-	BroEnum::rpc_status st = (BroEnum::rpc_status) status;
+	// BifEnum::rpc_status st = static_cast<BifEnum::rpc_status>(status);
+	Val *st = new EnumVal(status, BifType::Enum::rpc_status);
 
 	switch ( call->proc() ) {
 	case PMAPPROC_NULL:
-		bro_event_pm_attempt_null(connection->bro_analyzer(),
+		BifEvent::generate_pm_attempt_null(connection->bro_analyzer(),
 			connection->bro_analyzer()->Conn(), st);
 		break;
 
 	case PMAPPROC_SET:
-		bro_event_pm_attempt_set(connection->bro_analyzer(),
+		BifEvent::generate_pm_attempt_set(connection->bro_analyzer(),
 			connection->bro_analyzer()->Conn(), st, call->call_val());
 		break;
 
 	case PMAPPROC_UNSET:
-		bro_event_pm_attempt_unset(connection->bro_analyzer(),
+		BifEvent::generate_pm_attempt_unset(connection->bro_analyzer(),
 			connection->bro_analyzer()->Conn(), st, call->call_val());
 		break;
 
 	case PMAPPROC_GETPORT:
-		bro_event_pm_attempt_getport(connection->bro_analyzer(),
+		BifEvent::generate_pm_attempt_getport(connection->bro_analyzer(),
 			connection->bro_analyzer()->Conn(), st, call->call_val());
 		break;
 
 	case PMAPPROC_DUMP:
-		bro_event_pm_attempt_dump(connection->bro_analyzer(),
+		BifEvent::generate_pm_attempt_dump(connection->bro_analyzer(),
 			connection->bro_analyzer()->Conn(), st);
 		break;
 
 	case PMAPPROC_CALLIT:
-		bro_event_pm_attempt_callit(connection->bro_analyzer(),
+		BifEvent::generate_pm_attempt_callit(connection->bro_analyzer(),
 			connection->bro_analyzer()->Conn(), st, call->call_val());
 		break;
 
diff --git a/src/portmap-protocol.pac b/src/portmap-protocol.pac
index d9f3e5be97..65a478fb2d 100644
--- a/src/portmap-protocol.pac
+++ b/src/portmap-protocol.pac
@@ -68,6 +68,7 @@ type PortmapDumpEntry = record {
 	};
 };
 
+# The final element that has cont!=1 will be included in the array.
 type PortmapDumpResults = PortmapDumpEntry[] &until($element.cont != 1);
 
 type PortmapCallItResults = record {
diff --git a/src/rpc-analyzer.pac b/src/rpc-analyzer.pac
index 6c455f7028..86ac81b857 100644
--- a/src/rpc-analyzer.pac
+++ b/src/rpc-analyzer.pac
@@ -157,7 +157,7 @@ flow RPC_Flow (is_orig: bool) {
 			return false;
 			}
 
-		bro_event_rpc_call(connection()->bro_analyzer(),
+		BifEvent::generate_rpc_call(connection()->bro_analyzer(),
 		                   connection()->bro_analyzer()->Conn(),
 		                   call->prog(),
 		                   call->vers(),
diff --git a/src/scan.l b/src/scan.l
index 0d479dc44e..da038e1c77 100644
--- a/src/scan.l
+++ b/src/scan.l
@@ -15,11 +15,17 @@
 #include "Debug.h"
 #include "PolicyFile.h"
 #include "broparse.h"
+#include "BroDoc.h"
+#include "Analyzer.h"
+#include "AnalyzerTags.h"
 
 #include <stack>
+#include <list>
+#include <string>
 
 extern YYLTYPE yylloc;	// holds start line and column of token
 extern int print_loaded_scripts;
+extern int generate_documentation;
 
 int nwarn = 0;
 int nerr = 0;
@@ -28,13 +34,13 @@ int nruntime = 0;
 // Track the @if... depth.
 ptr_compat_int current_depth = 0;
 
-declare(List,ptr_compat_int);
-typedef List(ptr_compat_int) int_list;
 int_list if_stack;
 
 int line_number = 1;
 int include_level = 0;
 const char* filename = 0;
+BroDoc* current_reST_doc = 0;
+static BroDoc* last_reST_doc = 0;
 
 char last_tok[128];
 
@@ -50,6 +56,33 @@ char last_tok[128];
 // Files we have already scanned (or are in the process of scanning).
 static PList(char) files_scanned;
 
+// reST documents that we've created (or have at least opened so far).
+std::list<BroDoc*> docs_generated;
+
+// reST comments (those starting with ##) seen so far.
+std::list<std::string>* reST_doc_comments = 0;
+
+// Print current contents of reST_doc_comments list to stderr.
+void print_current_reST_doc_comments();
+
+// Delete the reST_doc_comments list object.
+void clear_reST_doc_comments();
+
+// Adds changes to capture_filter to the current script's reST documentation.
+static void check_capture_filter_changes();
+
+// Adds changes to dpd_config to the current script's reST documentation.
+static void check_dpd_config_changes();
+
+static const char* canon_doc_comment(const char* comment)
+	{
+	// "##Text" and "## Text" are treated the same in order to be able
+	// to still preserve indentation level, but not unintentionally
+	// signify an indentation level for all the text when using
+	// the "## Text" style.
+	return ( comment[0] == ' ' ) ? comment + 1 : comment;
+	}
+
 class FileInfo {
 public:
 	FileInfo(string restore_module = "");
@@ -60,6 +93,7 @@ public:
 	const char* name;
 	int line;
 	int level;
+	BroDoc* doc;
 };
 
 // A stack of input buffers we're scanning.  file_stack[len-1] is the
@@ -87,6 +121,7 @@ static void report_file();
 
 %x RE
 %x IGNORE
+%s DOC
 
 OWS	[ \t]*
 WS	[ \t]+
@@ -102,11 +137,75 @@ ESCSEQ	(\\([^\n]|[0-7]+|x[[:xdigit:]]+))
 
 %%
 
+##!.* {
+	// Add this format of comments to the script documentation's "summary".
+	if ( generate_documentation )
+		current_reST_doc->AddSummary(canon_doc_comment(yytext + 3));
+	}
+
+<DOC>##<.* {
+	yylval.str = copy_string(canon_doc_comment(yytext + 3));
+	return TOK_POST_DOC;
+}
+
+<DOC>##.* {
+	if ( yytext[2] != '#' )
+		{
+		yylval.str = copy_string(canon_doc_comment(yytext + 2));
+		return TOK_DOC;
+		}
+}
+
+##{OWS}{ID}:.* {
+	if ( generate_documentation )
+		{
+		// Comment is documenting either a function parameter or return type,
+		// so appropriate reST markup substitutions are automatically made
+		// in order to distinguish them from other comments.
+		const char* id_start = skip_whitespace(yytext + 2);
+		size_t id_len = strcspn(id_start, ":");
+		char* id_name = new char[id_len + 1];
+		strncpy(id_name, id_start, id_len);
+		id_name[id_len] = '\0';
+		const char* comment = id_start + id_len + 1;
+
+		std::string doc;
+
+		if ( streq(id_name, "Returns") )
+			doc.append(":returns:").append(comment);
+		else
+			doc.append(":param ").append(id_name).append(":").append(comment);
+
+		if ( ! reST_doc_comments )
+			reST_doc_comments = new std::list<std::string>();
+
+		// always insert a blank line so that this param/return markup
+		// 1) doesn't show up in the summary section in the case that it's
+		//    the first comment for the function/event
+		// 2) has a blank line between it and non-field-list reST markup,
+		//    which is required for correct HTML rendering by Sphinx
+		reST_doc_comments->push_back("");
+		reST_doc_comments->push_back(doc);
+
+		delete [] id_name;
+		}
+}
+
+##.* {
+	if ( generate_documentation && (yytext[2] != '#') )
+		{
+		if ( ! reST_doc_comments )
+			reST_doc_comments = new std::list<std::string>();
+
+		reST_doc_comments->push_back(canon_doc_comment(yytext + 2));
+		}
+}
+
 #.*	/* eat comments */
 
 {WS}	/* eat whitespace */
 
-<INITIAL,IGNORE>\n	{
+<INITIAL,IGNORE,DOC>\n	{
 			report_file();
 			++line_number;
 			++yylloc.first_line;
@@ -151,9 +250,7 @@ file	return TOK_FILE;
 for	return TOK_FOR;
 function	return TOK_FUNCTION;
 global	return TOK_GLOBAL;
-global_attr	return TOK_GLOBAL_ATTR;
 "?$"	return TOK_HAS_FIELD;
-"?$$"	return TOK_HAS_ATTR;
 if	return TOK_IF;
 in	return TOK_IN;
 "!"{OWS}in/[^A-Za-z0-9]	return TOK_NOT_IN;	/* don't confuse w "! infoo"! */
@@ -198,6 +295,7 @@ when	return TOK_WHEN;
 &encrypt	return TOK_ATTR_ENCRYPT;
 &expire_func	return TOK_ATTR_EXPIRE_FUNC;
 &group		return TOK_ATTR_GROUP;
+&log		return TOK_ATTR_LOG;
 &mergeable	return TOK_ATTR_MERGEABLE;
 &optional	return TOK_ATTR_OPTIONAL;
 &persistent	return TOK_ATTR_PERSISTENT;
@@ -213,6 +311,18 @@ when	return TOK_WHEN;
 
 @load{WS}{FILE}	{
 	const char* new_file = skip_whitespace(yytext + 5);	// Skip "@load".
+	if ( generate_documentation )
+		{
+		current_reST_doc->AddImport(new_file);
+
+		if ( reST_doc_comments )
+			{
+			fprintf(stderr, "Warning: unconsumed reST documentation is being "
+					"discarded before doing '@load %s' in %s:\n",
+					 new_file, current_reST_doc->GetSourceFileName());
+			clear_reST_doc_comments();
+			}
+		}
 	(void) load_files_with_prefix(new_file);
 	}
 
@@ -266,10 +376,10 @@ F	RET_CONST(new Val(false, TYPE_BOOL))
 	}
 
 {D}		{
- 		// TODO: check if we can use strtoull instead of atol, 
+ 		// TODO: check if we can use strtoull instead of atol,
 		// and similarly for {HEX}.
-		RET_CONST(new Val(static_cast<unsigned int>(atol(yytext)), 
-			  TYPE_COUNT))		
+		RET_CONST(new Val(static_cast<unsigned int>(atol(yytext)),
+			  TYPE_COUNT))
 		}
 {FLOAT}		RET_CONST(new Val(atof(yytext), TYPE_DOUBLE))
 
@@ -447,8 +557,7 @@ static int load_files_with_prefix(const char* orig_file)
 			else
 				strcpy(new_filename, file);
 
-			f = search_for_file(new_filename, "bro", &full_filename);
-
+			f = search_for_file(new_filename, "bro", &full_filename, true);
 			delete [] new_filename;
 			}
 
@@ -498,6 +607,12 @@ static int load_files_with_prefix(const char* orig_file)
 			// Don't delete the old filename - it's pointed to by
 			// every BroObj created when parsing it.
 			yylloc.filename = filename = full_filename;
+
+			if ( generate_documentation )
+				{
+				current_reST_doc = new BroDoc(full_filename);
+				docs_generated.push_back(current_reST_doc);
+				}
 			}
 
 		else
@@ -591,6 +706,18 @@ void do_atendif()
 	--current_depth;
 	}
 
+void do_doc_token_start()
+	{
+	if ( generate_documentation )
+	    BEGIN(DOC);
+	}
+
+void do_doc_token_stop()
+	{
+	if ( generate_documentation )
+	    BEGIN(INITIAL);
+	}
+
 // Be careful to never delete things from this list, as the strings
 // are referred to (in order to save the locations of tokens and statements,
 // for error reporting and debugging).
@@ -657,6 +784,9 @@ int yywrap()
 	// Stack is now empty.
 	while ( input_files.length() > 0 )
 		{
+		check_capture_filter_changes();
+		check_dpd_config_changes();
+
 		if ( load_files_with_prefix(input_files[0]) )
 			{
 			// Don't delete the filename - it's pointed to by
@@ -670,6 +800,9 @@ int yywrap()
 		(void) input_files.remove_nth(0);
 		}
 
+	check_capture_filter_changes();
+	check_dpd_config_changes();
+
 	// Add redef statements for any X=Y command line parameters.
 	if ( params.size() > 0 )
 		{
@@ -733,6 +866,9 @@ int yywrap()
 		return 0;
 		}
 
+	if ( generate_documentation )
+		clear_reST_doc_comments();
+
 	// Otherwise, we are done.
 	return 1;
 	}
@@ -744,6 +880,7 @@ FileInfo::FileInfo(string arg_restore_module)
 	name = ::filename;
 	line = ::line_number;
 	level = ::include_level;
+	doc = ::current_reST_doc;
 	}
 
 FileInfo::~FileInfo()
@@ -755,6 +892,8 @@ FileInfo::~FileInfo()
 	yylloc.filename = filename = name;
 	yylloc.first_line = yylloc.last_line = line_number = line;
 	include_level = level;
+	last_reST_doc = current_reST_doc;
+	current_reST_doc = doc;
 
 	if ( restore_module != "" )
 		current_module = restore_module;
@@ -781,3 +920,93 @@ static void report_file()
 	files_reported.append(copy_string(filename));
 	}
 
+static void check_capture_filter_changes()
+	{
+	if ( ! generate_documentation )
+	    return;
+
+	// Lookup the "capture_filters" identifier, if it has any defined
+	// value, add it to the script's reST documentation, and finally
+	// clear the table so it doesn't taint the documentation for
+	// subsequent scripts.
+
+	ID* capture_filters = global_scope()->Lookup("capture_filters");
+
+	if ( capture_filters )
+		{
+		ODesc desc;
+		desc.SetIndentSpaces(4);
+		capture_filters->ID_Val()->Describe(&desc);
+		last_reST_doc->SetPacketFilter(desc.Description());
+		capture_filters->ID_Val()->AsTableVal()->RemoveAll();
+		}
+	}
+
+static void check_dpd_config_changes()
+	{
+	if ( ! generate_documentation )
+		return;
+
+	// Lookup the "dpd_config" identifier, if it has any defined value,
+	// add it to the script's documentation, and clear the table so that
+	// it doesn't taint the documentation for subsequent scripts.
+	ID* dpd_config = global_scope()->Lookup("dpd_config");
+	if ( ! dpd_config )
+		return;
+
+	TableVal* dpd_table = dpd_config->ID_Val()->AsTableVal();
+	ListVal* dpd_list = dpd_table->ConvertToList();
+
+	for ( int i = 0; i < dpd_list->Length(); ++i )
+		{
+		Val* key = dpd_list->Index(i);
+		if ( ! key )
+			continue;
+
+		Val* v = dpd_table->Lookup(key);
+		if ( ! v )
+			continue;
+
+		int tag = key->AsListVal()->Index(0)->AsCount();
+		ODesc valdesc;
+		valdesc.SetIndentSpaces(4);
+		valdesc.PushIndent();
+		v->Describe(&valdesc);
+
+		if ( tag < AnalyzerTag::Error || tag > AnalyzerTag::LastAnalyzer )
+			{
+			fprintf(stderr, "Warning: skipped bad analyzer tag: %i\n", tag);
+			continue;
+			}
+
+		last_reST_doc->AddPortAnalysis(
+			Analyzer::GetTagName((AnalyzerTag::Tag)tag),
+			valdesc.Description());
+		}
+
+	dpd_table->RemoveAll();
+	}
+
+void print_current_reST_doc_comments()
+	{
+	if ( ! reST_doc_comments )
+		return;
+
+	std::list<std::string>::iterator it;
+
+	for ( it = reST_doc_comments->begin(); it != reST_doc_comments->end(); ++it )
+		fprintf(stderr, "##%s\n", it->c_str());
+	}
+
+void clear_reST_doc_comments()
+	{
+	if ( ! reST_doc_comments )
+		return;
+
+	fprintf(stderr, "Warning: %lu unconsumed reST comments:\n",
+			reST_doc_comments->size());
+
+	print_current_reST_doc_comments();
+	delete reST_doc_comments;
+	reST_doc_comments = 0;
+	}
diff --git a/src/smb-rw.bif b/src/smb-rw.bif
deleted file mode 100644
index 49cfeeaa24..0000000000
--- a/src/smb-rw.bif
+++ /dev/null
@@ -1,16 +0,0 @@
-rewriter smb_header%(is_orig: bool, hdr: smb_hdr%)
-	%{
-	const int is_orig = 0;
-
-	@WRITE@(is_orig, 1, "\xff");
-	@WRITE@(is_orig, 3, "SMB");
-	@WRITE@(is_orig, 1, hdr->command);
-	@WRITE@(is_orig, 4, hdr->error);
-	@WRITE@(is_orig, 1, hdr->flags);
-	@WRITE@(is_orig, 2, hdr->flags2);
-	@WRITE@(is_orig, 6, "\x0\x0\x0\x0\x0\x0");
-	@WRITE@(is_orig, 6, "\x0\x0\x0\x0\x0\x0");
-	@WRITE@(is_orig, 2, hdr->tid);
-	@WRITE@(is_orig, 2, hdr->pid);
-	@WRITE@(is_orig, 2, hdr->mid);
-	%}
diff --git a/src/smtp-rw.bif b/src/smtp-rw.bif
deleted file mode 100644
index a74ce776c2..0000000000
--- a/src/smtp-rw.bif
+++ /dev/null
@@ -1,45 +0,0 @@
-rewriter smtp_request%(is_orig: bool, command: string, arg: string%)
-	%{
-	if ( command->Len() > 0 )
-		{
-		u_char ch = command->Bytes()[0];
-
-		if ( isalpha(ch) )
-			{ // Do not dump artificial commands: ">", ".", "***"
-			@WRITE@(is_orig, command->AsString());
-			@WRITE@(is_orig, 1, " ");
-			}
-		}
-
-	@WRITE@(is_orig, arg->AsString());
-	@WRITE@(is_orig, 2, "\r\n");
-	%}
-
-rewriter smtp_reply%(is_orig: bool, code: count, msg: string, cont_resp: bool%)
-	%{
-	const char* str = fmt("%lu", (unsigned long) code);
-	int len = strlen(str);
-
-	@WRITE@(is_orig, len, str);
-
-	if ( cont_resp )
-		@WRITE@(is_orig, "-");
-	else
-		@WRITE@(is_orig, " ");
-
-	@WRITE@(is_orig, msg->AsString());
-	@WRITE@(is_orig, "\r\n");
-	%}
-
-# Since SMTP data is delivered by lines ending with CRLF, this
-# function takes a line without the trailing CRLF and dumps the string
-# followed by CRLF. If you want to dump multiple lines, please dump
-# them one at a time (without trailing CRLF's).
-rewriter smtp_data%(is_orig: bool, data: string%)
-	%{
-	if ( data->Len() > 0 && data->Bytes()[0] == '.')
-		@WRITE@(is_orig, ".");
-
-	@WRITE@(is_orig, data->AsString());
-	@WRITE@(is_orig, "\r\n");
-	%}
diff --git a/src/ssl-analyzer.pac b/src/ssl-analyzer.pac
index bbebdc0fa3..9c899ff2b6 100644
--- a/src/ssl-analyzer.pac
+++ b/src/ssl-analyzer.pac
@@ -10,11 +10,9 @@
 
 #include "util.h"
 
-#ifdef USE_OPENSSL
 #include <openssl/x509.h>
 #include <openssl/x509_vfy.h>
 #include "X509.h"
-#endif
 %}
 
 
@@ -27,14 +25,11 @@
 			}
 	};
 
-#ifdef USE_OPENSSL
 	void free_X509(void *);
 	X509* d2i_X509_binpac(X509** px, const uint8** in, int len);
-#endif
 	%}
 
 %code{
-#ifdef USE_OPENSSL
 	void free_X509(void* cert)
 		{
 		X509_free((X509*) cert);
@@ -48,8 +43,6 @@
 		return d2i_X509(px, (u_char**) in, len);
 #endif
 		}
-
-#endif
 %}
 
 
@@ -123,10 +116,8 @@ refine analyzer SSLAnalyzer += {
 		version_ = -1;
 		cipher_ = -1;
 
-#ifdef USE_OPENSSL
 		if ( ! X509_Cert::bInited )
 			X509_Cert::init();
-#endif
 	%}
 
 	%eof{
@@ -172,12 +163,10 @@ refine analyzer SSLAnalyzer += {
 
 	function certificate_error(err_num : int) : void
 		%{
-#ifdef USE_OPENSSL
 		StringVal* err_str =
 			new StringVal(X509_verify_cert_error_string(err_num));
-		bro_event_ssl_X509_error(bro_analyzer_, bro_analyzer_->Conn(),
+		BifEvent::generate_ssl_X509_error(bro_analyzer_, bro_analyzer_->Conn(),
 						err_num, err_str);
-#endif
 		%}
 
 	function proc_change_cipher_spec(msg : ChangeCipherSpec) : bool
@@ -200,7 +189,7 @@ refine analyzer SSLAnalyzer += {
 
 	function proc_alert(level : int, description : int) : bool
 		%{
-		bro_event_ssl_conn_alert(bro_analyzer_, bro_analyzer_->Conn(),
+		BifEvent::generate_ssl_conn_alert(bro_analyzer_, bro_analyzer_->Conn(),
 						current_record_version_, level,
 						description);
 		return true;
@@ -228,7 +217,7 @@ refine analyzer SSLAnalyzer += {
 			Unref(ciph);
 			}
 
-		bro_event_ssl_conn_attempt(bro_analyzer_, bro_analyzer_->Conn(),
+		BifEvent::generate_ssl_conn_attempt(bro_analyzer_, bro_analyzer_->Conn(),
 						version, cipher_table);
 
 		if ( ssl_compare_cipherspecs )
@@ -263,7 +252,7 @@ refine analyzer SSLAnalyzer += {
 			Unref(ciph);
 			}
 
-		bro_event_ssl_conn_server_reply(bro_analyzer_,
+		BifEvent::generate_ssl_conn_server_reply(bro_analyzer_,
 						bro_analyzer_->Conn(),
 						version_, chosen_ciphers);
 
@@ -274,10 +263,10 @@ refine analyzer SSLAnalyzer += {
 			TableVal* tv = to_table_val(session_id);
 			if ( client_session_id_ &&
 			     *client_session_id_ == *session_id )
-				bro_event_ssl_conn_reused(bro_analyzer_,
+				BifEvent::generate_ssl_conn_reused(bro_analyzer_,
 						bro_analyzer_->Conn(), tv);
 			else
-				bro_event_ssl_session_insertion(bro_analyzer_,
+				BifEvent::generate_ssl_session_insertion(bro_analyzer_,
 						bro_analyzer_->Conn(), tv);
 
 			delete ciphers;
@@ -288,13 +277,13 @@ refine analyzer SSLAnalyzer += {
 			if ( client_session_id_ )
 				{
 				TableVal* tv = to_table_val(client_session_id_);
-				bro_event_ssl_conn_reused(bro_analyzer_,
+				BifEvent::generate_ssl_conn_reused(bro_analyzer_,
 						bro_analyzer_->Conn(), tv);
 				}
 
 			// We don't know the chosen cipher, as there is
 			// no session storage.
-			bro_event_ssl_conn_established(bro_analyzer_,
+			BifEvent::generate_ssl_conn_established(bro_analyzer_,
 							bro_analyzer_->Conn(),
 							version_, 0xffffffff);
 			delete ciphers;
@@ -327,11 +316,10 @@ refine analyzer SSLAnalyzer += {
 		if ( certificates->size() == 0 )
 			return true;
 
-		bro_event_ssl_certificate_seen(bro_analyzer_,
+		BifEvent::generate_ssl_certificate_seen(bro_analyzer_,
 						bro_analyzer_->Conn(),
 						! current_record_is_orig_);
 
-#ifdef USE_OPENSSL
 		const bytestring& cert = (*certificates)[0];
 		const uint8* data = cert.data();
 
@@ -353,7 +341,7 @@ refine analyzer SSLAnalyzer += {
 		pX509Cert->Assign(1, new StringVal(tmp));
 		pX509Cert->Assign(2, new AddrVal(bro_analyzer_->Conn()->OrigAddr()));
 
-		bro_event_ssl_certificate(bro_analyzer_, bro_analyzer_->Conn(),
+		BifEvent::generate_ssl_certificate(bro_analyzer_, bro_analyzer_->Conn(),
 					pX509Cert, current_record_is_orig_);
 
 		if ( X509_get_ext_count(pCert) > 0 )
@@ -373,7 +361,7 @@ refine analyzer SSLAnalyzer += {
 				Unref(index);
 				}
 
-			bro_event_process_X509_extensions(bro_analyzer_,
+			BifEvent::generate_process_X509_extensions(bro_analyzer_,
 						bro_analyzer_->Conn(), x509ex);
 			}
 
@@ -382,7 +370,7 @@ refine analyzer SSLAnalyzer += {
 			STACK_OF(X509)* untrusted_certs = 0;
 			if ( certificates->size() > 1 )
 				{
-				untrusted_certs = sk_new_null();
+				untrusted_certs = sk_X509_new_null();
 				if ( ! untrusted_certs )
 					{
 					// X509_V_ERR_OUT_OF_MEM;
@@ -405,7 +393,7 @@ refine analyzer SSLAnalyzer += {
 						return false;
 						}
 
-					sk_push(untrusted_certs, (char*) pTemp);
+					sk_X509_push(untrusted_certs, pTemp);
 					}
 				}
 
@@ -417,11 +405,10 @@ refine analyzer SSLAnalyzer += {
 				certificate_error(csc.error);
 			X509_STORE_CTX_cleanup(&csc);
 
-			sk_pop_free(untrusted_certs, free_X509);
+			sk_X509_pop_free(untrusted_certs, X509_free);
 			}
 
 		X509_free(pCert);
-#endif
 	return true;
 		%}
 
@@ -455,7 +442,7 @@ refine analyzer SSLAnalyzer += {
 				state_label(old_state_).c_str()));
 
 		check_cipher(cipher);
-		bro_event_ssl_conn_established(bro_analyzer_,
+		BifEvent::generate_ssl_conn_established(bro_analyzer_,
 				bro_analyzer_->Conn(), version_, cipher);
 
 		return true;
@@ -496,7 +483,7 @@ refine analyzer SSLAnalyzer += {
 		if ( state_ == STATE_CONN_ESTABLISHED &&
 		     old_state_ == STATE_COMM_ENCRYPTED )
 			{
-			bro_event_ssl_conn_established(bro_analyzer_,
+			BifEvent::generate_ssl_conn_established(bro_analyzer_,
 							bro_analyzer_->Conn(),
 							version_, cipher_);
 			}
diff --git a/src/strings.bif b/src/strings.bif
index 6044813476..f10dc412f3 100644
--- a/src/strings.bif
+++ b/src/strings.bif
@@ -135,12 +135,32 @@ function sort_string_array%(a: string_array%): string_array
 	vs_to_string_array(vs, b, 1, n);
 	return b;
 	%}
+	
+function join_string_vec%(vec: string_vec, sep: string%): string
+	%{
+	ODesc d;
+	VectorVal *v = vec->AsVectorVal();
+
+	for ( unsigned i = 0; i < v->Size(); ++i )
+		{
+		if ( i > 0 )
+			d.Add(sep->CheckString(), 0);
+
+		v->Lookup(i+1)->Describe(&d);
+		}
+
+	BroString* s = new BroString(1, d.TakeBytes(), d.Len());
+	s->SetUseFreeToDelete(true);
+
+	return new StringVal(s);
+	%}
+
 
 function edit%(arg_s: string, arg_edit_char: string%): string
 	%{
 	if ( arg_edit_char->Len() != 1 )
 		builtin_run_time("not exactly one edit character", @ARG@[1]);
-	
+
 	const u_char* s = arg_s->Bytes();
 	const u_char* edit_s = arg_edit_char->Bytes();
 
@@ -150,7 +170,7 @@ function edit%(arg_s: string, arg_edit_char: string%): string
 	u_char* new_s = new u_char[n+1];
 	int ind = 0;
 
-	for ( int i=0; i<n; ++i )
+	for ( int i = 0; i < n; ++i )
 		{
 		if ( s[i] == edit_c )
 			{ // Delete last character
@@ -204,31 +224,32 @@ Val* do_split(StringVal* str_val, RE_Matcher* re, TableVal* other_sep,
 	if ( other_sep && other_sep->Size() > 0 )
 		other_strings = other_sep->ConvertToPureList();
 
-	// Currently let us assume that str is NUL-terminated. In
-	// the future we expect to change this by giving RE_Matcher a
-	// const char* segment.
-
 	const u_char* s = str_val->Bytes();
 	int n = str_val->Len();
 	const u_char* end_of_s = s + n;
 	int num = 0;
 	int num_sep = 0;
-	
-	int offset = 0;
 
-	while ( n > 0 )
+	int offset = 0;
+	while ( n >= 0 )
 		{
 		offset = 0;
 		// Find next match offset.
-		int end_of_match;
+		int end_of_match = 0;
 		while ( n > 0 &&
-		        (end_of_match = re->MatchPrefix(&s[offset], n)) <= 0 )
+		        (end_of_match = re->MatchPrefix(s + offset, n)) <= 0 )
 			{
-			// Move on to next character.
+			// Move on to next byte.
 			++offset;
 			--n;
 			}
-		
+
+		if ( max_num_sep && num_sep >= max_num_sep )
+			{
+			offset = end_of_s - s;
+			n=0;
+			}
+
 		Val* ind = new Val(++num, TYPE_COUNT);
 		a->Assign(ind, new StringVal(offset, (const char*) s));
 		Unref(ind);
@@ -243,19 +264,17 @@ Val* do_split(StringVal* str_val, RE_Matcher* re, TableVal* other_sep,
 			a->Assign(ind, new StringVal(end_of_match, (const char*) s+offset));
 			Unref(ind);
 			}
-		
-		++num_sep;
+
 		if ( max_num_sep && num_sep >= max_num_sep )
 			break;
-		
-		offset += end_of_match;
+
+		++num_sep;
+
 		n -= end_of_match;
-		s += offset;
-		
+		s += offset + end_of_match;;
+
 		if ( s > end_of_s )
-			{
 			internal_error("RegMatch in split goes beyond the string");
-			}
 		}
 
 	if ( other_strings )
@@ -468,7 +487,7 @@ function to_lower%(str: string%): string
 	char* lower_s = new char[n];
 	char* ls = lower_s;
 
-	for (int i=0; i<n; ++i)
+	for ( int i = 0; i < n; ++i)
 		{
 		if ( isascii(s[i]) && isupper(s[i]) )
 			*ls++ = tolower(s[i]);
@@ -485,8 +504,8 @@ function to_upper%(str: string%): string
 	int n = str->Len();
 	char* upper_s = new char[n];
 	char* us = upper_s;
-	
-	for (int i=0; i<n; ++i)
+
+	for ( int i = 0; i < n; ++i)
 		{
 		if ( isascii(s[i]) && islower(s[i]) )
 			*us++ = toupper(s[i]);
@@ -595,22 +614,23 @@ function strip%(str: string%): string
 		return new StringVal(new BroString(s, n, 1));
 
 	const u_char* sp = s;
-	// Move a pointer to the end of the string
-	const u_char* e = &sp[n-1];
+
+	// Move a pointer from the end of the string.
+	const u_char* e = sp + n - 1;
 	while ( e > sp && isspace(*e) )
 		--e;
 
-	// Move the pointer for the beginning of the string
-	while ( isspace(*sp) )
+	// Move the pointer for the beginning of the string.
+	while ( isspace(*sp) && sp <= e )
 		++sp;
 
-	return new StringVal(new BroString(sp, e-sp+1, 1));
+	return new StringVal(new BroString(sp, (e - sp + 1), 1));
 	%}
 
 function string_fill%(len: int, source: string%): string
 	%{
 	const u_char* src = source->Bytes();
-	int n = source->Len();
+	int64_t n = source->Len();
 	char* dst = new char[len];
 
 	for ( int i = 0; i < len; i += n )
@@ -627,12 +647,12 @@ function string_fill%(len: int, source: string%): string
 #
 function str_shell_escape%(source: string%): string
 	%{
-	uint j = 0;
+	unsigned j = 0;
 	const u_char* src = source->Bytes();
-	uint n = source->Len();
+	unsigned n = source->Len();
 	byte_vec dst = new u_char[n * 2 + 1];
 
-	for ( uint i = 0; i < n; ++i )
+	for ( unsigned i = 0; i < n; ++i )
 		{
 		switch ( src[i] ) {
 		case '`': case '"': case '\\': case '$':
diff --git a/src/types.bif b/src/types.bif
new file mode 100644
index 0000000000..4496e444a1
--- /dev/null
+++ b/src/types.bif
@@ -0,0 +1,63 @@
+
+enum dce_rpc_ptype %{
+	DCE_RPC_REQUEST,
+	DCE_RPC_PING,
+	DCE_RPC_RESPONSE,
+	DCE_RPC_FAULT,
+	DCE_RPC_WORKING,
+	DCE_RPC_NOCALL,
+	DCE_RPC_REJECT,
+	DCE_RPC_ACK,
+	DCE_RPC_CL_CANCEL,
+	DCE_RPC_FACK,
+	DCE_RPC_CANCEL_ACK,
+	DCE_RPC_BIND,
+	DCE_RPC_BIND_ACK,
+	DCE_RPC_BIND_NAK,
+	DCE_RPC_ALTER_CONTEXT,
+	DCE_RPC_ALTER_CONTEXT_RESP,
+	DCE_RPC_SHUTDOWN,
+	DCE_RPC_CO_CANCEL,
+	DCE_RPC_ORPHANED,
+%}
+
+enum dce_rpc_if_id %{
+	DCE_RPC_unknown_if,
+	DCE_RPC_epmapper,
+	DCE_RPC_lsarpc,
+	DCE_RPC_lsa_ds,
+	DCE_RPC_mgmt,
+	DCE_RPC_netlogon,
+	DCE_RPC_samr,
+	DCE_RPC_srvsvc,
+	DCE_RPC_spoolss,
+	DCE_RPC_drs,
+	DCE_RPC_winspipe,
+	DCE_RPC_wkssvc,
+	DCE_RPC_oxid,
+	DCE_RPC_ISCMActivator,
+%}
+
+enum rpc_status %{
+	RPC_SUCCESS,
+	RPC_PROG_UNAVAIL,
+	RPC_PROG_MISMATCH,
+	RPC_PROC_UNAVAIL,
+	RPC_GARBAGE_ARGS,
+	RPC_SYSTEM_ERR,
+	RPC_TIMEOUT,
+	RPC_VERS_MISMATCH,
+	RPC_AUTH_ERROR,
+	RPC_UNKNOWN_ERROR,
+%}
+
+module Log;
+
+enum Writer %{
+	WRITER_DEFAULT,
+	WRITER_ASCII,
+%}
+
+enum ID %{
+	Unknown,
+%}
diff --git a/src/util.cc b/src/util.cc
index 0e49600cc2..3d69c981be 100644
--- a/src/util.cc
+++ b/src/util.cc
@@ -4,11 +4,11 @@
 
 #include "config.h"
 
-#if TIME_WITH_SYS_TIME
+#ifdef TIME_WITH_SYS_TIME
 # include <sys/time.h>
 # include <time.h>
 #else
-# if HAVE_SYS_TIME_H
+# ifdef HAVE_SYS_TIME_H
 #  include <sys/time.h>
 # else
 #  include <time.h>
@@ -295,9 +295,9 @@ char* strcasestr(const char* s, const char* find)
 	}
 #endif
 
-int atoi_n(int len, const char* s, const char** end, int base, int& result)
+template<class T> int atoi_n(int len, const char* s, const char** end, int base, T& result)
 	{
-	int n = 0;
+	T n = 0;
 	int neg = 0;
 
 	if ( len > 0 && *s == '-' )
@@ -340,6 +340,32 @@ int atoi_n(int len, const char* s, const char** end, int base, int& result)
 	return 1;
 	}
 
+// Instantiate the ones we need.
+template int atoi_n<int>(int len, const char* s, const char** end, int base, int& result);
+template int atoi_n<int64_t>(int len, const char* s, const char** end, int base, int64_t& result);
+
+char* uitoa_n(uint64 value, char* str, int n, int base)
+	{
+	static char dig[] = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
+
+	int i = 0;
+	uint64 v;
+	char* p, *q;
+	char c;
+
+	v = value;
+
+	do {
+		str[i++] = dig[v % base];
+		v /= base;
+	} while ( v && i < n - 1 );
+
+	str[i] = '\0';
+
+	return str;
+	}
+
+
 int strstr_n(const int big_len, const u_char* big,
 		const int little_len, const u_char* little)
 	{
@@ -573,6 +599,17 @@ static bool write_random_seeds(const char* write_file, uint32 seed,
 	return true;
 	}
 
+static bool bro_rand_determistic = false;
+static unsigned int bro_rand_state = 0;
+
+static void bro_srand(unsigned int seed, bool deterministic)
+	{
+	bro_rand_state = seed;
+	bro_rand_determistic = deterministic;
+
+	srand(seed);
+	}
+
 void init_random_seed(uint32 seed, const char* read_file, const char* write_file)
 	{
 	static const int bufsiz = 16;
@@ -633,9 +670,11 @@ void init_random_seed(uint32 seed, const char* read_file, const char* write_file
 				seed = (seed << 1) | (seed >> 31);
 				}
 			}
+		else
+			seeds_done = true;
 		}
 
-	srandom(seed);
+	bro_srand(seed, seeds_done);
 
 	if ( ! hmac_key_set )
 		{
@@ -648,6 +687,30 @@ void init_random_seed(uint32 seed, const char* read_file, const char* write_file
 				write_file);
 	}
 
+bool have_random_seed()
+	{
+	return bro_rand_determistic;
+	}
+
+long int bro_random()
+	{
+	if ( ! bro_rand_determistic )
+		return random(); // Use system PRNG.
+
+	// Use our own simple linear congruence PRNG to make sure we are
+	// predictable across platforms.
+	const long int m = 2147483647;
+	const long int a = 16807;
+	const long int q = m / a;
+	const long int r = m % a;
+
+	bro_rand_state = a * ( bro_rand_state % q ) - r * ( bro_rand_state / q );
+
+	if ( bro_rand_state <= 0 )
+		bro_rand_state += m;
+
+	return bro_rand_state;
+	}
 
 // Returns a 64-bit random string.
 uint64 rand64bit()
@@ -656,7 +719,7 @@ uint64 rand64bit()
 	int i;
 
 	for ( i = 1; i <= 4; ++i )
-		base = (base<<16) | random();
+		base = (base<<16) | bro_random();
 	return base;
 	}
 
@@ -776,9 +839,9 @@ const char* bro_path()
 	{
 	const char* path = getenv("BROPATH");
 	if ( ! path )
-		path = ".:policy:policy/sigs:policy/time-machine:"
+		path = ".:"
 			POLICYDEST ":"
-			POLICYDEST "/sigs:" 
+			POLICYDEST "/sigs:"
 			POLICYDEST "/time-machine:"
 			POLICYDEST "/site";
 
@@ -805,21 +868,45 @@ const char* bro_prefixes()
 	return p;
 	}
 
-FILE* open_file(const char* filename, const char** full_filename)
+static const char* PACKAGE_LOADER = "__load__.bro";
+
+// If filename is pointing to a directory that contains a file called
+// PACKAGE_LOADER, returns the files path. Otherwise returns filename itself.
+// In both cases, the returned string is newly allocated.
+static const char* check_for_dir(const char* filename, bool load_pkgs)
 	{
+	if ( load_pkgs && is_dir(filename) )
+		{
+		char init_filename_buf[1024];
+		safe_snprintf(init_filename_buf, sizeof(init_filename_buf),
+			      "%s/%s", filename, PACKAGE_LOADER);
+
+		if ( access(init_filename_buf, R_OK) == 0 )
+			return copy_string(init_filename_buf);
+		}
+
+	return copy_string(filename);
+	}
+
+FILE* open_file(const char* filename, const char** full_filename, bool load_pkgs)
+	{
+	filename = check_for_dir(filename, load_pkgs);
+
 	if ( full_filename )
 		*full_filename = copy_string(filename);
 
 	FILE* f = fopen(filename, "r");
 
+	delete [] filename;
+
 	return f;
 	}
 
 FILE* search_for_file(const char* filename, const char* ext,
-			const char** full_filename)
+			const char** full_filename, bool load_pkgs)
 	{
 	if ( filename[0] == '/' || filename[0] == '.' )
-		return open_file(filename, full_filename);
+		return open_file(filename, full_filename, load_pkgs);
 
 	char path[1024], full_filename_buf[1024];
 	safe_strncpy(path, bro_path(), sizeof(path));
@@ -842,13 +929,12 @@ FILE* search_for_file(const char* filename, const char* ext,
 				"%s/%s.%s", dir_beginning, filename, ext);
 		if ( access(full_filename_buf, R_OK) == 0 &&
 		     ! is_dir(full_filename_buf) )
-			return open_file(full_filename_buf, full_filename);
+			return open_file(full_filename_buf, full_filename, load_pkgs);
 
 		safe_snprintf(full_filename_buf, sizeof(full_filename_buf),
 				"%s/%s", dir_beginning, filename);
-		if ( access(full_filename_buf, R_OK) == 0 &&
-		      ! is_dir(full_filename_buf) )
-			return open_file(full_filename_buf, full_filename);
+		if ( access(full_filename_buf, R_OK) == 0 )
+			return open_file(full_filename_buf, full_filename, load_pkgs);
 
 		dir_beginning = ++dir_ending;
 		}
diff --git a/src/util.h b/src/util.h
index 96aeb761e1..a288ed30c8 100644
--- a/src/util.h
+++ b/src/util.h
@@ -11,6 +11,11 @@
 #include <stdarg.h>
 #include "config.h"
 
+// Expose C99 functionality from inttypes.h, which would otherwise not be
+// available in C++.
+#define __STDC_FORMAT_MACROS
+#include <inttypes.h>
+
 #if __STDC__
 #define myattribute __attribute__
 #else
@@ -39,30 +44,20 @@
 extern HeapLeakChecker* heap_checker;
 #endif
 
-typedef unsigned long long int uint64;
-typedef unsigned int uint32;
-typedef unsigned short uint16;
-typedef unsigned char uint8;
-typedef long long int int64;
+#include <stdint.h>
 
-#ifdef USE_INT64
-	typedef int64 bro_int_t;
-	typedef uint64 bro_uint_t;
-#else
-	typedef int bro_int_t;
-	typedef uint32 bro_uint_t;
-// #	error "USE_INT64 not defined!"
-#endif
+typedef uint64_t uint64;
+typedef uint32_t uint32;
+typedef uint16_t uint16;
+typedef uint8_t uint8;
 
-#if SIZEOF_LONG_LONG == 8
-typedef unsigned long long uint64;
-typedef long long int64;
-#elif SIZEOF_LONG_INT == 8
-typedef unsigned long int uint64;
-typedef long int int64;
-#else
-# error "Couldn't reliably identify 64-bit type. Please report to bro@bro-ids.org."
-#endif
+typedef int64_t int64;
+typedef int32_t int32;
+typedef int16_t int16;
+typedef int8_t int8;
+
+typedef int64 bro_int_t;
+typedef uint64 bro_uint_t;
 
 // "ptr_compat_uint" and "ptr_compat_int" are (un)signed integers of
 // pointer size. They can be cast safely to a pointer, e.g. in Lists,
@@ -71,9 +66,13 @@ typedef long int int64;
 #if SIZEOF_VOID_P == 8
 typedef uint64 ptr_compat_uint;
 typedef int64 ptr_compat_int;
+#define PRI_PTR_COMPAT_INT PRId64 // Format to use with printf.
+#define PRI_PTR_COMPAT_UINT PRIu64
 #elif SIZEOF_VOID_P == 4
 typedef uint32 ptr_compat_uint;
-typedef int ptr_compat_int;
+typedef int32 ptr_compat_int;
+#define PRI_PTR_COMPAT_INT PRId32
+#define PRI_PTR_COMPAT_UINT PRIu32
 #else
 # error "Unusual pointer size. Please report to bro@bro-ids.org."
 #endif
@@ -111,8 +110,8 @@ extern int strcasecmp_n(int s_len, const char* s, const char* t);
 extern char* strcasestr(const char* s, const char* find);
 #endif
 extern const char* strpbrk_n(size_t len, const char* s, const char* charset);
-extern int atoi_n(int len, const char* s, const char** end,
-			int base, int& result);
+template<class T> int atoi_n(int len, const char* s, const char** end, int base, T& result);
+extern char* uitoa_n(uint64 value, char* str, int n, int base);
 int strstr_n(const int big_len, const unsigned char* big,
 		const int little_len, const unsigned char* little);
 extern int fputs(int len, const char* s, FILE* fp);
@@ -141,7 +140,7 @@ extern void hmac_md5(size_t size, const unsigned char* bytes,
 
 extern const char* md5_digest_print(const unsigned char digest[16]);
 
-// Initializes RNGs for random() and MD5 usage.  If seed is given, then
+// Initializes RNGs for bro_random() and MD5 usage.  If seed is given, then
 // it is used (to provide determinism).  If load_file is given, the seeds
 // (both random & MD5) are loaded from that file.  This takes precedence
 // over the "seed" argument.  If write_file is given, the seeds are written
@@ -150,10 +149,15 @@ extern const char* md5_digest_print(const unsigned char digest[16]);
 extern void init_random_seed(uint32 seed, const char* load_file,
 				const char* write_file);
 
-extern uint64 rand64bit();
+// Returns true if the user explicitly set a seed via init_random_seed();
+extern bool have_random_seed();
 
-#define UHASH_KEY_SIZE	32
-extern uint8 uhash_key[UHASH_KEY_SIZE];
+// Replacement for the system random(), to which is normally falls back
+// except when a seed has been given. In that case, we use our own
+// predictable PRNG.
+long int bro_random();
+
+extern uint64 rand64bit();
 
 // Each event source that may generate events gets an internally unique ID.
 // This is always LOCAL for a local Bro. For remote event sources, it gets
@@ -164,6 +168,7 @@ extern uint8 uhash_key[UHASH_KEY_SIZE];
 // the obvious places (like Event.h or RemoteSerializer.h)
 
 typedef ptr_compat_uint SourceID;
+#define PRI_SOURCE_ID PRI_PTR_COMPAT_UINT
 static const SourceID SOURCE_LOCAL = 0;
 
 class BroObj;
@@ -185,7 +190,7 @@ extern int int_list_cmp(const void* v1, const void* v2);
 extern const char* bro_path();
 extern const char* bro_prefixes();
 extern FILE* search_for_file(const char* filename, const char* ext,
-	const char** full_filename);
+	const char** full_filename, bool load_pkgs);
 
 // Renames the given file to a new temporary name, and opens a new file with
 // the original name. Returns new file or NULL on error. Inits rotate_info if
@@ -228,16 +233,6 @@ extern struct timeval double_to_timeval(double t);
 // Return > 0 if tv_a > tv_b, 0 if equal, < 0 if tv_a < tv_b.
 extern int time_compare(struct timeval* tv_a, struct timeval* tv_b);
 
-inline int min(int a, int b)
-	{
-	return a < b ? a : b;
-	}
-
-inline int max(int a, int b)
-	{
-	return a > b ? a : b;
-	}
-
 // For now, don't use hash_maps - they're not fully portable.
 #if 0
 // Use for hash_map's string keys.
diff --git a/src/version.c.in b/src/version.c.in
new file mode 100644
index 0000000000..86c4b16f24
--- /dev/null
+++ b/src/version.c.in
@@ -0,0 +1 @@
+char version[] = "@VERSION@";
diff --git a/testing/btest/.gitignore b/testing/btest/.gitignore
new file mode 100644
index 0000000000..d36977dc47
--- /dev/null
+++ b/testing/btest/.gitignore
@@ -0,0 +1 @@
+.tmp
diff --git a/testing/btest/Baseline/BiFs.count_to_addr/out b/testing/btest/Baseline/BiFs.count_to_addr/out
new file mode 100644
index 0000000000..1254fd94f1
--- /dev/null
+++ b/testing/btest/Baseline/BiFs.count_to_addr/out
@@ -0,0 +1,4 @@
+0.0.0.1
+48.21.133.122
+255.255.255.255
+0.0.0.0
diff --git a/testing/btest/Baseline/analyzers.conn-size-cc/conn.log b/testing/btest/Baseline/analyzers.conn-size-cc/conn.log
new file mode 100644
index 0000000000..2f703cbcd6
--- /dev/null
+++ b/testing/btest/Baseline/analyzers.conn-size-cc/conn.log
@@ -0,0 +1,5 @@
+1128727430.350788 ? 141.42.64.125 125.190.109.199 other 56729 12345 tcp ? ? S0 X 1 60 0 0 cc=1
+1144876538.705610 5.921003 169.229.147.203 239.255.255.253 other 49370 427 udp 147 ? S0 X 3 231 0 0
+1144876599.397603 0.815763 192.150.186.169 194.64.249.244 http 53063 80 tcp 377 445 SF X 6 677 5 713
+1144876709.032670 9.000191 169.229.147.43 239.255.255.253 other 49370 427 udp 196 ? S0 X 4 308 0 0
+1144876697.068273 0.000650 192.150.186.169 192.150.186.15 icmp-unreach 3 3 icmp 56 ? OTH X 2 112 0 0
diff --git a/testing/btest/Baseline/analyzers.conn-size/conn.log b/testing/btest/Baseline/analyzers.conn-size/conn.log
new file mode 100644
index 0000000000..8129bc37f8
--- /dev/null
+++ b/testing/btest/Baseline/analyzers.conn-size/conn.log
@@ -0,0 +1,5 @@
+1128727430.350788 ? 141.42.64.125 125.190.109.199 other 56729 12345 tcp ? ? S0 X 1 60 0 0
+1144876538.705610 5.921003 169.229.147.203 239.255.255.253 other 49370 427 udp 147 ? S0 X 3 231 0 0
+1144876599.397603 0.815763 192.150.186.169 194.64.249.244 http 53063 80 tcp 377 445 SF X 6 697 5 713
+1144876709.032670 9.000191 169.229.147.43 239.255.255.253 other 49370 427 udp 196 ? S0 X 4 308 0 0
+1144876697.068273 0.000650 192.150.186.169 192.150.186.15 icmp-unreach 3 3 icmp 56 ? OTH X 2 112 0 0
diff --git a/testing/btest/Baseline/bifs.count_to_addr/out b/testing/btest/Baseline/bifs.count_to_addr/out
new file mode 100644
index 0000000000..1254fd94f1
--- /dev/null
+++ b/testing/btest/Baseline/bifs.count_to_addr/out
@@ -0,0 +1,4 @@
+0.0.0.1
+48.21.133.122
+255.255.255.255
+0.0.0.0
diff --git a/testing/btest/Baseline/bifs.netbios-functions/out b/testing/btest/Baseline/bifs.netbios-functions/out
new file mode 100644
index 0000000000..d849dbff71
--- /dev/null
+++ b/testing/btest/Baseline/bifs.netbios-functions/out
@@ -0,0 +1,8 @@
+MARTIN
+3
+WORKGROUP
+27
+ISATAP
+0
+^A^B__MSBROWSE__^B
+1
diff --git a/testing/btest/Baseline/bifs.string_splitting/out b/testing/btest/Baseline/bifs.string_splitting/out
new file mode 100644
index 0000000000..8514916834
--- /dev/null
+++ b/testing/btest/Baseline/bifs.string_splitting/out
@@ -0,0 +1,13 @@
+{
+[2] = Testing Test (http://www.example.com),
+[1] = X-Mailer
+}
+{
+[2] = =,
+[4] = =,
+[6] = =,
+[7] =  D,
+[1] = A ,
+[5] =  C ,
+[3] =  B 
+}
diff --git a/testing/btest/Baseline/core.conn-id/counts b/testing/btest/Baseline/core.conn-id/counts
new file mode 100644
index 0000000000..a8fa06e1be
--- /dev/null
+++ b/testing/btest/Baseline/core.conn-id/counts
@@ -0,0 +1 @@
+62
diff --git a/testing/btest/Baseline/core.conn-id/output b/testing/btest/Baseline/core.conn-id/output
new file mode 100644
index 0000000000..3f7256278e
--- /dev/null
+++ b/testing/btest/Baseline/core.conn-id/output
@@ -0,0 +1,78 @@
+[orig_h=141.142.220.202, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], UWkUyAuUGXf
+[orig_h=141.142.220.202, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], UWkUyAuUGXf
+[orig_h=141.142.220.50, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], 56gKBmhBBB6
+[orig_h=141.142.220.50, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], 56gKBmhBBB6
+[orig_h=141.142.220.118, orig_p=35634/tcp, resp_h=208.80.152.2, resp_p=80/tcp], 50da4BEzauh
+[orig_h=141.142.220.118, orig_p=35634/tcp, resp_h=208.80.152.2, resp_p=80/tcp], 50da4BEzauh
+[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp], WUjEZFOdSS
+[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp], WUjEZFOdSS
+[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp], WUjEZFOdSS
+[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp], WUjEZFOdSS
+[orig_h=141.142.220.118, orig_p=43927/udp, resp_h=141.142.2.2, resp_p=53/udp], ecqdozAET6c
+[orig_h=141.142.220.118, orig_p=43927/udp, resp_h=141.142.2.2, resp_p=53/udp], ecqdozAET6c
+[orig_h=141.142.220.118, orig_p=37676/udp, resp_h=141.142.2.2, resp_p=53/udp], tdkrEYpj5ja
+[orig_h=141.142.220.118, orig_p=37676/udp, resp_h=141.142.2.2, resp_p=53/udp], tdkrEYpj5ja
+[orig_h=141.142.220.118, orig_p=40526/udp, resp_h=141.142.2.2, resp_p=53/udp], F5XgctwO3Vl
+[orig_h=141.142.220.118, orig_p=40526/udp, resp_h=141.142.2.2, resp_p=53/udp], F5XgctwO3Vl
+[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp], svqqNKN9CFj
+[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp], svqqNKN9CFj
+[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp], UZkBBvjF0r8
+[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp], UZkBBvjF0r8
+[orig_h=141.142.220.118, orig_p=32902/udp, resp_h=141.142.2.2, resp_p=53/udp], nSEQzFk1LZc
+[orig_h=141.142.220.118, orig_p=32902/udp, resp_h=141.142.2.2, resp_p=53/udp], nSEQzFk1LZc
+[orig_h=141.142.220.118, orig_p=59816/udp, resp_h=141.142.2.2, resp_p=53/udp], rmXOq6wncn1
+[orig_h=141.142.220.118, orig_p=59816/udp, resp_h=141.142.2.2, resp_p=53/udp], rmXOq6wncn1
+[orig_h=141.142.220.118, orig_p=59714/udp, resp_h=141.142.2.2, resp_p=53/udp], 4YYJTjETe1i
+[orig_h=141.142.220.118, orig_p=59714/udp, resp_h=141.142.2.2, resp_p=53/udp], 4YYJTjETe1i
+[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp], OldlyspNIr7
+[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp], OldlyspNIr7
+[orig_h=141.142.220.118, orig_p=58206/udp, resp_h=141.142.2.2, resp_p=53/udp], R8BqVlcp23e
+[orig_h=141.142.220.118, orig_p=58206/udp, resp_h=141.142.2.2, resp_p=53/udp], R8BqVlcp23e
+[orig_h=141.142.220.118, orig_p=38911/udp, resp_h=141.142.2.2, resp_p=53/udp], duYdXg7bTa3
+[orig_h=141.142.220.118, orig_p=38911/udp, resp_h=141.142.2.2, resp_p=53/udp], duYdXg7bTa3
+[orig_h=141.142.220.118, orig_p=59746/udp, resp_h=141.142.2.2, resp_p=53/udp], yzqaQTU9DXe
+[orig_h=141.142.220.118, orig_p=59746/udp, resp_h=141.142.2.2, resp_p=53/udp], yzqaQTU9DXe
+[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp], OPM7xFSDNw3
+[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp], OPM7xFSDNw3
+[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp], j5w2LueK8Ti
+[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp], j5w2LueK8Ti
+[orig_h=141.142.220.118, orig_p=45000/udp, resp_h=141.142.2.2, resp_p=53/udp], N6rbUGwigQ7
+[orig_h=141.142.220.118, orig_p=45000/udp, resp_h=141.142.2.2, resp_p=53/udp], N6rbUGwigQ7
+[orig_h=141.142.220.118, orig_p=48479/udp, resp_h=141.142.2.2, resp_p=53/udp], 8b9q7qPtzhd
+[orig_h=141.142.220.118, orig_p=48479/udp, resp_h=141.142.2.2, resp_p=53/udp], 8b9q7qPtzhd
+[orig_h=141.142.220.118, orig_p=48128/udp, resp_h=141.142.2.2, resp_p=53/udp], KOdlL7sC9z2
+[orig_h=141.142.220.118, orig_p=48128/udp, resp_h=141.142.2.2, resp_p=53/udp], KOdlL7sC9z2
+[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp], hvOo97vj60k
+[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp], hvOo97vj60k
+[orig_h=141.142.220.118, orig_p=56056/udp, resp_h=141.142.2.2, resp_p=53/udp], FHu81uYujA9
+[orig_h=141.142.220.118, orig_p=56056/udp, resp_h=141.142.2.2, resp_p=53/udp], FHu81uYujA9
+[orig_h=141.142.220.118, orig_p=55092/udp, resp_h=141.142.2.2, resp_p=53/udp], 2M1wDTa0C7a
+[orig_h=141.142.220.118, orig_p=55092/udp, resp_h=141.142.2.2, resp_p=53/udp], 2M1wDTa0C7a
+[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp], OKiJdtzKWPk
+[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp], OKiJdtzKWPk
+[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp], UZkBBvjF0r8
+[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp], UZkBBvjF0r8
+[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp], svqqNKN9CFj
+[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp], svqqNKN9CFj
+[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp], OldlyspNIr7
+[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp], OldlyspNIr7
+[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp], j5w2LueK8Ti
+[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp], j5w2LueK8Ti
+[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp], OPM7xFSDNw3
+[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp], OPM7xFSDNw3
+[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp], hvOo97vj60k
+[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp], hvOo97vj60k
+[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp], OKiJdtzKWPk
+[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp], OKiJdtzKWPk
+[orig_h=141.142.220.235, orig_p=6705/tcp, resp_h=173.192.163.128, resp_p=80/tcp], tpUWfNdSLE
+[orig_h=141.142.220.235, orig_p=6705/tcp, resp_h=173.192.163.128, resp_p=80/tcp], tpUWfNdSLE
+[orig_h=141.142.220.44, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], ra1C6ZLut4b
+[orig_h=141.142.220.44, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], ra1C6ZLut4b
+[orig_h=141.142.220.226, orig_p=137/udp, resp_h=141.142.220.255, resp_p=137/udp], UElDH5b9qA5
+[orig_h=141.142.220.226, orig_p=137/udp, resp_h=141.142.220.255, resp_p=137/udp], UElDH5b9qA5
+[orig_h=141.142.220.226, orig_p=55131/udp, resp_h=224.0.0.252, resp_p=5355/udp], sO3mBXBav1h
+[orig_h=141.142.220.226, orig_p=55131/udp, resp_h=224.0.0.252, resp_p=5355/udp], sO3mBXBav1h
+[orig_h=141.142.220.226, orig_p=55671/udp, resp_h=224.0.0.252, resp_p=5355/udp], xAQqZE8Wdp4
+[orig_h=141.142.220.226, orig_p=55671/udp, resp_h=224.0.0.252, resp_p=5355/udp], xAQqZE8Wdp4
+[orig_h=141.142.220.238, orig_p=56641/udp, resp_h=141.142.220.255, resp_p=137/udp], zVecVnfOlsf
+[orig_h=141.142.220.238, orig_p=56641/udp, resp_h=141.142.220.255, resp_p=137/udp], zVecVnfOlsf
diff --git a/testing/btest/Baseline/core.conn-id/output.cc b/testing/btest/Baseline/core.conn-id/output.cc
new file mode 100644
index 0000000000..f03a74f541
--- /dev/null
+++ b/testing/btest/Baseline/core.conn-id/output.cc
@@ -0,0 +1,80 @@
+[orig_h=141.142.220.202, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], UWkUyAuUGXf
+[orig_h=141.142.220.202, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], UWkUyAuUGXf
+[orig_h=141.142.220.50, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], 56gKBmhBBB6
+[orig_h=141.142.220.50, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], 56gKBmhBBB6
+[orig_h=141.142.220.118, orig_p=35634/tcp, resp_h=208.80.152.2, resp_p=80/tcp], 50da4BEzauh
+[orig_h=141.142.220.118, orig_p=35634/tcp, resp_h=208.80.152.2, resp_p=80/tcp], 50da4BEzauh
+[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp], WUjEZFOdSS
+[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp], WUjEZFOdSS
+[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp], WUjEZFOdSS
+[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp], WUjEZFOdSS
+[orig_h=141.142.220.118, orig_p=43927/udp, resp_h=141.142.2.2, resp_p=53/udp], ecqdozAET6c
+[orig_h=141.142.220.118, orig_p=43927/udp, resp_h=141.142.2.2, resp_p=53/udp], ecqdozAET6c
+[orig_h=141.142.220.118, orig_p=37676/udp, resp_h=141.142.2.2, resp_p=53/udp], tdkrEYpj5ja
+[orig_h=141.142.220.118, orig_p=37676/udp, resp_h=141.142.2.2, resp_p=53/udp], tdkrEYpj5ja
+[orig_h=141.142.220.118, orig_p=40526/udp, resp_h=141.142.2.2, resp_p=53/udp], F5XgctwO3Vl
+[orig_h=141.142.220.118, orig_p=40526/udp, resp_h=141.142.2.2, resp_p=53/udp], F5XgctwO3Vl
+[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp], svqqNKN9CFj
+[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp], svqqNKN9CFj
+[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp], UZkBBvjF0r8
+[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp], UZkBBvjF0r8
+[orig_h=141.142.220.118, orig_p=32902/udp, resp_h=141.142.2.2, resp_p=53/udp], nSEQzFk1LZc
+[orig_h=141.142.220.118, orig_p=32902/udp, resp_h=141.142.2.2, resp_p=53/udp], nSEQzFk1LZc
+[orig_h=141.142.220.118, orig_p=59816/udp, resp_h=141.142.2.2, resp_p=53/udp], rmXOq6wncn1
+[orig_h=141.142.220.118, orig_p=59816/udp, resp_h=141.142.2.2, resp_p=53/udp], rmXOq6wncn1
+[orig_h=141.142.220.118, orig_p=59714/udp, resp_h=141.142.2.2, resp_p=53/udp], 4YYJTjETe1i
+[orig_h=141.142.220.118, orig_p=59714/udp, resp_h=141.142.2.2, resp_p=53/udp], 4YYJTjETe1i
+[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp], OldlyspNIr7
+[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp], OldlyspNIr7
+[orig_h=141.142.220.118, orig_p=58206/udp, resp_h=141.142.2.2, resp_p=53/udp], R8BqVlcp23e
+[orig_h=141.142.220.118, orig_p=58206/udp, resp_h=141.142.2.2, resp_p=53/udp], R8BqVlcp23e
+[orig_h=141.142.220.118, orig_p=38911/udp, resp_h=141.142.2.2, resp_p=53/udp], duYdXg7bTa3
+[orig_h=141.142.220.118, orig_p=38911/udp, resp_h=141.142.2.2, resp_p=53/udp], duYdXg7bTa3
+[orig_h=141.142.220.118, orig_p=59746/udp, resp_h=141.142.2.2, resp_p=53/udp], yzqaQTU9DXe
+[orig_h=141.142.220.118, orig_p=59746/udp, resp_h=141.142.2.2, resp_p=53/udp], yzqaQTU9DXe
+[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp], OPM7xFSDNw3
+[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp], OPM7xFSDNw3
+[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp], j5w2LueK8Ti
+[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp], j5w2LueK8Ti
+[orig_h=141.142.220.118, orig_p=45000/udp, resp_h=141.142.2.2, resp_p=53/udp], N6rbUGwigQ7
+[orig_h=141.142.220.118, orig_p=45000/udp, resp_h=141.142.2.2, resp_p=53/udp], N6rbUGwigQ7
+[orig_h=141.142.220.118, orig_p=48479/udp, resp_h=141.142.2.2, resp_p=53/udp], 8b9q7qPtzhd
+[orig_h=141.142.220.118, orig_p=48479/udp, resp_h=141.142.2.2, resp_p=53/udp], 8b9q7qPtzhd
+[orig_h=141.142.220.118, orig_p=48128/udp, resp_h=141.142.2.2, resp_p=53/udp], KOdlL7sC9z2
+[orig_h=141.142.220.118, orig_p=48128/udp, resp_h=141.142.2.2, resp_p=53/udp], KOdlL7sC9z2
+[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp], hvOo97vj60k
+[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp], hvOo97vj60k
+[orig_h=141.142.220.118, orig_p=56056/udp, resp_h=141.142.2.2, resp_p=53/udp], FHu81uYujA9
+[orig_h=141.142.220.118, orig_p=56056/udp, resp_h=141.142.2.2, resp_p=53/udp], FHu81uYujA9
+[orig_h=141.142.220.118, orig_p=55092/udp, resp_h=141.142.2.2, resp_p=53/udp], 2M1wDTa0C7a
+[orig_h=141.142.220.118, orig_p=55092/udp, resp_h=141.142.2.2, resp_p=53/udp], 2M1wDTa0C7a
+[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp], OKiJdtzKWPk
+[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp], OKiJdtzKWPk
+[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp], UZkBBvjF0r8
+[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp], UZkBBvjF0r8
+[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp], svqqNKN9CFj
+[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp], svqqNKN9CFj
+[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp], OldlyspNIr7
+[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp], OldlyspNIr7
+[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp], j5w2LueK8Ti
+[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp], j5w2LueK8Ti
+[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp], OPM7xFSDNw3
+[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp], OPM7xFSDNw3
+[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp], hvOo97vj60k
+[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp], hvOo97vj60k
+[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp], OKiJdtzKWPk
+[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp], OKiJdtzKWPk
+[orig_h=141.142.220.235, orig_p=6705/tcp, resp_h=173.192.163.128, resp_p=80/tcp], tpUWfNdSLE
+[orig_h=141.142.220.235, orig_p=6705/tcp, resp_h=173.192.163.128, resp_p=80/tcp], tpUWfNdSLE
+[orig_h=141.142.220.235, orig_p=6705/tcp, resp_h=173.192.163.128, resp_p=80/tcp], tpUWfNdSLE
+[orig_h=141.142.220.235, orig_p=6705/tcp, resp_h=173.192.163.128, resp_p=80/tcp], tpUWfNdSLE
+[orig_h=141.142.220.44, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], ra1C6ZLut4b
+[orig_h=141.142.220.44, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], ra1C6ZLut4b
+[orig_h=141.142.220.226, orig_p=137/udp, resp_h=141.142.220.255, resp_p=137/udp], UElDH5b9qA5
+[orig_h=141.142.220.226, orig_p=137/udp, resp_h=141.142.220.255, resp_p=137/udp], UElDH5b9qA5
+[orig_h=141.142.220.226, orig_p=55131/udp, resp_h=224.0.0.252, resp_p=5355/udp], sO3mBXBav1h
+[orig_h=141.142.220.226, orig_p=55131/udp, resp_h=224.0.0.252, resp_p=5355/udp], sO3mBXBav1h
+[orig_h=141.142.220.226, orig_p=55671/udp, resp_h=224.0.0.252, resp_p=5355/udp], xAQqZE8Wdp4
+[orig_h=141.142.220.226, orig_p=55671/udp, resp_h=224.0.0.252, resp_p=5355/udp], xAQqZE8Wdp4
+[orig_h=141.142.220.238, orig_p=56641/udp, resp_h=141.142.220.255, resp_p=137/udp], zVecVnfOlsf
+[orig_h=141.142.220.238, orig_p=56641/udp, resp_h=141.142.220.255, resp_p=137/udp], zVecVnfOlsf
diff --git a/testing/btest/Baseline/core.conn-id/output.cc2 b/testing/btest/Baseline/core.conn-id/output.cc2
new file mode 100644
index 0000000000..3f7256278e
--- /dev/null
+++ b/testing/btest/Baseline/core.conn-id/output.cc2
@@ -0,0 +1,78 @@
+[orig_h=141.142.220.202, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], UWkUyAuUGXf
+[orig_h=141.142.220.202, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], UWkUyAuUGXf
+[orig_h=141.142.220.50, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], 56gKBmhBBB6
+[orig_h=141.142.220.50, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], 56gKBmhBBB6
+[orig_h=141.142.220.118, orig_p=35634/tcp, resp_h=208.80.152.2, resp_p=80/tcp], 50da4BEzauh
+[orig_h=141.142.220.118, orig_p=35634/tcp, resp_h=208.80.152.2, resp_p=80/tcp], 50da4BEzauh
+[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp], WUjEZFOdSS
+[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp], WUjEZFOdSS
+[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp], WUjEZFOdSS
+[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp], WUjEZFOdSS
+[orig_h=141.142.220.118, orig_p=43927/udp, resp_h=141.142.2.2, resp_p=53/udp], ecqdozAET6c
+[orig_h=141.142.220.118, orig_p=43927/udp, resp_h=141.142.2.2, resp_p=53/udp], ecqdozAET6c
+[orig_h=141.142.220.118, orig_p=37676/udp, resp_h=141.142.2.2, resp_p=53/udp], tdkrEYpj5ja
+[orig_h=141.142.220.118, orig_p=37676/udp, resp_h=141.142.2.2, resp_p=53/udp], tdkrEYpj5ja
+[orig_h=141.142.220.118, orig_p=40526/udp, resp_h=141.142.2.2, resp_p=53/udp], F5XgctwO3Vl
+[orig_h=141.142.220.118, orig_p=40526/udp, resp_h=141.142.2.2, resp_p=53/udp], F5XgctwO3Vl
+[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp], svqqNKN9CFj
+[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp], svqqNKN9CFj
+[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp], UZkBBvjF0r8
+[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp], UZkBBvjF0r8
+[orig_h=141.142.220.118, orig_p=32902/udp, resp_h=141.142.2.2, resp_p=53/udp], nSEQzFk1LZc
+[orig_h=141.142.220.118, orig_p=32902/udp, resp_h=141.142.2.2, resp_p=53/udp], nSEQzFk1LZc
+[orig_h=141.142.220.118, orig_p=59816/udp, resp_h=141.142.2.2, resp_p=53/udp], rmXOq6wncn1
+[orig_h=141.142.220.118, orig_p=59816/udp, resp_h=141.142.2.2, resp_p=53/udp], rmXOq6wncn1
+[orig_h=141.142.220.118, orig_p=59714/udp, resp_h=141.142.2.2, resp_p=53/udp], 4YYJTjETe1i
+[orig_h=141.142.220.118, orig_p=59714/udp, resp_h=141.142.2.2, resp_p=53/udp], 4YYJTjETe1i
+[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp], OldlyspNIr7
+[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp], OldlyspNIr7
+[orig_h=141.142.220.118, orig_p=58206/udp, resp_h=141.142.2.2, resp_p=53/udp], R8BqVlcp23e
+[orig_h=141.142.220.118, orig_p=58206/udp, resp_h=141.142.2.2, resp_p=53/udp], R8BqVlcp23e
+[orig_h=141.142.220.118, orig_p=38911/udp, resp_h=141.142.2.2, resp_p=53/udp], duYdXg7bTa3
+[orig_h=141.142.220.118, orig_p=38911/udp, resp_h=141.142.2.2, resp_p=53/udp], duYdXg7bTa3
+[orig_h=141.142.220.118, orig_p=59746/udp, resp_h=141.142.2.2, resp_p=53/udp], yzqaQTU9DXe
+[orig_h=141.142.220.118, orig_p=59746/udp, resp_h=141.142.2.2, resp_p=53/udp], yzqaQTU9DXe
+[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp], OPM7xFSDNw3
+[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp], OPM7xFSDNw3
+[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp], j5w2LueK8Ti
+[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp], j5w2LueK8Ti
+[orig_h=141.142.220.118, orig_p=45000/udp, resp_h=141.142.2.2, resp_p=53/udp], N6rbUGwigQ7
+[orig_h=141.142.220.118, orig_p=45000/udp, resp_h=141.142.2.2, resp_p=53/udp], N6rbUGwigQ7
+[orig_h=141.142.220.118, orig_p=48479/udp, resp_h=141.142.2.2, resp_p=53/udp], 8b9q7qPtzhd
+[orig_h=141.142.220.118, orig_p=48479/udp, resp_h=141.142.2.2, resp_p=53/udp], 8b9q7qPtzhd
+[orig_h=141.142.220.118, orig_p=48128/udp, resp_h=141.142.2.2, resp_p=53/udp], KOdlL7sC9z2
+[orig_h=141.142.220.118, orig_p=48128/udp, resp_h=141.142.2.2, resp_p=53/udp], KOdlL7sC9z2
+[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp], hvOo97vj60k
+[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp], hvOo97vj60k
+[orig_h=141.142.220.118, orig_p=56056/udp, resp_h=141.142.2.2, resp_p=53/udp], FHu81uYujA9
+[orig_h=141.142.220.118, orig_p=56056/udp, resp_h=141.142.2.2, resp_p=53/udp], FHu81uYujA9
+[orig_h=141.142.220.118, orig_p=55092/udp, resp_h=141.142.2.2, resp_p=53/udp], 2M1wDTa0C7a
+[orig_h=141.142.220.118, orig_p=55092/udp, resp_h=141.142.2.2, resp_p=53/udp], 2M1wDTa0C7a
+[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp], OKiJdtzKWPk
+[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp], OKiJdtzKWPk
+[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp], UZkBBvjF0r8
+[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp], UZkBBvjF0r8
+[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp], svqqNKN9CFj
+[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp], svqqNKN9CFj
+[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp], OldlyspNIr7
+[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp], OldlyspNIr7
+[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp], j5w2LueK8Ti
+[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp], j5w2LueK8Ti
+[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp], OPM7xFSDNw3
+[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp], OPM7xFSDNw3
+[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp], hvOo97vj60k
+[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp], hvOo97vj60k
+[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp], OKiJdtzKWPk
+[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp], OKiJdtzKWPk
+[orig_h=141.142.220.235, orig_p=6705/tcp, resp_h=173.192.163.128, resp_p=80/tcp], tpUWfNdSLE
+[orig_h=141.142.220.235, orig_p=6705/tcp, resp_h=173.192.163.128, resp_p=80/tcp], tpUWfNdSLE
+[orig_h=141.142.220.44, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], ra1C6ZLut4b
+[orig_h=141.142.220.44, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], ra1C6ZLut4b
+[orig_h=141.142.220.226, orig_p=137/udp, resp_h=141.142.220.255, resp_p=137/udp], UElDH5b9qA5
+[orig_h=141.142.220.226, orig_p=137/udp, resp_h=141.142.220.255, resp_p=137/udp], UElDH5b9qA5
+[orig_h=141.142.220.226, orig_p=55131/udp, resp_h=224.0.0.252, resp_p=5355/udp], sO3mBXBav1h
+[orig_h=141.142.220.226, orig_p=55131/udp, resp_h=224.0.0.252, resp_p=5355/udp], sO3mBXBav1h
+[orig_h=141.142.220.226, orig_p=55671/udp, resp_h=224.0.0.252, resp_p=5355/udp], xAQqZE8Wdp4
+[orig_h=141.142.220.226, orig_p=55671/udp, resp_h=224.0.0.252, resp_p=5355/udp], xAQqZE8Wdp4
+[orig_h=141.142.220.238, orig_p=56641/udp, resp_h=141.142.220.255, resp_p=137/udp], zVecVnfOlsf
+[orig_h=141.142.220.238, orig_p=56641/udp, resp_h=141.142.220.255, resp_p=137/udp], zVecVnfOlsf
diff --git a/testing/btest/Baseline/core.load-pkg/output b/testing/btest/Baseline/core.load-pkg/output
new file mode 100644
index 0000000000..01c77289d2
--- /dev/null
+++ b/testing/btest/Baseline/core.load-pkg/output
@@ -0,0 +1,14 @@
+loading /home/robin/bro/master/policy/bro.init
+   loading /home/robin/bro/master/build/src/const.bif.bro
+   loading /home/robin/bro/master/build/src/types.bif.bro
+   loading /home/robin/bro/master/build/src/strings.bif.bro
+   loading /home/robin/bro/master/build/src/bro.bif.bro
+   loading /home/robin/bro/master/policy/logging.bro
+      loading /home/robin/bro/master/build/src/logging.bif.bro
+   loading /home/robin/bro/master/policy/logging-ascii.bro
+   loading /home/robin/bro/master/build/src/event.bif.bro
+   loading /home/robin/bro/master/policy/pcap.bro
+   loading /home/robin/bro/master/policy/server-ports.bro
+loading ./foo/test.bro
+loading ./foo/__load__.bro
+Foo loaded
diff --git a/testing/btest/Baseline/core.print-bpf-filters-ipv4/conn.log b/testing/btest/Baseline/core.print-bpf-filters-ipv4/conn.log
new file mode 100644
index 0000000000..fc0008ea13
--- /dev/null
+++ b/testing/btest/Baseline/core.print-bpf-filters-ipv4/conn.log
@@ -0,0 +1 @@
+1128727435.450898 1.733303 141.42.64.125 125.190.109.199 http 56730 80 tcp 98 9417 SF X
diff --git a/testing/btest/Baseline/core.print-bpf-filters-ipv4/output b/testing/btest/Baseline/core.print-bpf-filters-ipv4/output
new file mode 100644
index 0000000000..2b517e8666
--- /dev/null
+++ b/testing/btest/Baseline/core.print-bpf-filters-ipv4/output
@@ -0,0 +1,4 @@
+not ip6
+not ip6
+(not ip6) and (tcp[13] & 7 != 0)
+port 42
diff --git a/testing/btest/Baseline/core.print-bpf-filters-ipv6/conn.log b/testing/btest/Baseline/core.print-bpf-filters-ipv6/conn.log
new file mode 100644
index 0000000000..fc0008ea13
--- /dev/null
+++ b/testing/btest/Baseline/core.print-bpf-filters-ipv6/conn.log
@@ -0,0 +1 @@
+1128727435.450898 1.733303 141.42.64.125 125.190.109.199 http 56730 80 tcp 98 9417 SF X
diff --git a/testing/btest/Baseline/core.print-bpf-filters-ipv6/output b/testing/btest/Baseline/core.print-bpf-filters-ipv6/output
new file mode 100644
index 0000000000..56189b3d9f
--- /dev/null
+++ b/testing/btest/Baseline/core.print-bpf-filters-ipv6/output
@@ -0,0 +1,4 @@
+ip or not ip
+ip or not ip
+tcp[13] & 7 != 0
+port 42
diff --git a/testing/btest/Baseline/core.vlan-mpls/conn.log b/testing/btest/Baseline/core.vlan-mpls/conn.log
new file mode 100644
index 0000000000..229842e24f
--- /dev/null
+++ b/testing/btest/Baseline/core.vlan-mpls/conn.log
@@ -0,0 +1,3 @@
+952109346.874907 2.102560 10.1.2.1 10.34.0.1 telnet 11001 23 tcp 25 ? SH X cc=1
+1128727435.450898 1.733303 141.42.64.125 125.190.109.199 http 56730 80 tcp 98 9417 SF X
+1278600802.069419 0.004152 10.20.80.1 10.0.0.15 http 50343 80 tcp 9 3429 SF X
diff --git a/testing/btest/Baseline/doc.autogen-reST-enums/autogen-reST-enums.rst b/testing/btest/Baseline/doc.autogen-reST-enums/autogen-reST-enums.rst
new file mode 100644
index 0000000000..519ed708d5
--- /dev/null
+++ b/testing/btest/Baseline/doc.autogen-reST-enums/autogen-reST-enums.rst
@@ -0,0 +1,99 @@
+.. Automatically generated.  Do not edit.
+
+autogen-reST-enums.bro
+======================
+
+:download:`Original Source File <autogen-reST-enums.bro>`
+
+Overview
+--------
+
+
+Summary
+~~~~~~~
+Types
+#####
+======================================= ======================================
+:bro:type:`TestEnum1`: :bro:type:`enum` There's tons of ways an enum can look.
+
+:bro:type:`TestEnum2`: :bro:type:`enum` The final comma is optional
+======================================= ======================================
+
+Redefinitions
+#############
+======================================= =======================
+:bro:type:`TestEnum1`: :bro:type:`enum` redefs should also work
+
+:bro:type:`TestEnum1`: :bro:type:`enum` now with a comma
+======================================= =======================
+
+Public Interface
+----------------
+Types
+~~~~~
+.. bro:type:: TestEnum1
+
+   :Type: :bro:type:`enum`
+
+      .. bro:enum:: ONE TestEnum1
+
+         like this
+
+      .. bro:enum:: TWO TestEnum1
+
+         or like this
+
+      .. bro:enum:: THREE TestEnum1
+
+         multiple
+         comments
+         and even
+         more comments
+
+   There's tons of ways an enum can look...
+
+.. bro:type:: TestEnum2
+
+   :Type: :bro:type:`enum`
+
+      .. bro:enum:: A TestEnum2
+
+         like this
+
+      .. bro:enum:: B TestEnum2
+
+         or like this
+
+      .. bro:enum:: C TestEnum2
+
+         multiple
+         comments
+         and even
+         more comments
+
+   The final comma is optional
+
+Redefinitions
+~~~~~~~~~~~~~
+:bro:type:`TestEnum1`
+
+   :Type: :bro:type:`enum`
+
+      .. bro:enum:: FOUR TestEnum1
+
+         adding another
+         value
+
+   redefs should also work
+
+:bro:type:`TestEnum1`
+
+   :Type: :bro:type:`enum`
+
+      .. bro:enum:: FIVE TestEnum1
+
+         adding another
+         value
+
+   now with a comma
+
diff --git a/testing/btest/Baseline/doc.autogen-reST-example/example.rst b/testing/btest/Baseline/doc.autogen-reST-example/example.rst
new file mode 100644
index 0000000000..516b7b51aa
--- /dev/null
+++ b/testing/btest/Baseline/doc.autogen-reST-example/example.rst
@@ -0,0 +1,348 @@
+.. Automatically generated.  Do not edit.
+
+example.bro
+===========
+
+:download:`Original Source File <example.bro>`
+
+Overview
+--------
+This is an example script that demonstrates how to document.  Comments
+of the form ``##!`` are for the script summary.  The contents of
+these comments are transferred directly into the auto-generated
+`reStructuredText <http://docutils.sourceforge.net/rst.html>`_
+(reST) document's summary section.
+
+.. tip:: You can embed directives and roles within ``##``-stylized comments.
+
+A script's logging information has to be documented manually as minimally
+shown below.  Note that references may not always be possible (e.g.
+anonymous filter functions) and a script may not need to document
+each of "columns", "event", "filter" depending on exactly what it's doing.
+
+**Logging Stream ID:** :bro:enum:`Example::EXAMPLE`
+    :Columns:    :bro:type:`Example::Info`
+    :Event:      :bro:id:`Example::log_example`
+    :Filter:     ``example-filter``
+        uses :bro:id:`Example::filter_func` to determine whether to
+        exclude the ``ts`` field
+
+:Author: Jon Siwek <jsiwek@ncsa.illinois.edu>
+
+:Imports: :doc:`notice </policy/notice>`
+
+Summary
+~~~~~~~
+Options
+#######
+============================================================================ ======================================
+:bro:id:`Example::an_option`: :bro:type:`set` :bro:attr:`&redef`             add documentation for "an_option" here
+
+:bro:id:`Example::option_with_init`: :bro:type:`interval` :bro:attr:`&redef`
+============================================================================ ======================================
+
+State Variables
+###############
+=========================================================================== =======================================
+:bro:id:`Example::a_var`: :bro:type:`bool`                                  put some documentation for "a_var" here
+
+:bro:id:`Example::var_with_attr`: :bro:type:`count` :bro:attr:`&persistent`
+
+:bro:id:`Example::var_without_explicit_type`: :bro:type:`string`
+=========================================================================== =======================================
+
+Types
+#####
+====================================================== ==========================================================
+:bro:type:`Example::SimpleEnum`: :bro:type:`enum`      documentation for "SimpleEnum"
+                                                       goes here.
+
+:bro:type:`Example::SimpleRecord`: :bro:type:`record`  general documentation for a type "SimpleRecord"
+                                                       goes here.
+
+:bro:type:`Example::ComplexRecord`: :bro:type:`record` general documentation for a type "ComplexRecord" goes here
+
+:bro:type:`Example::Info`: :bro:type:`record`          An example record to be used with a logging stream.
+====================================================== ==========================================================
+
+Events
+######
+================================================= =============================================================
+:bro:id:`Example::an_event`: :bro:type:`event`    Summarize "an_event" here.
+
+:bro:id:`Example::log_example`: :bro:type:`event` This is a declaration of an example event that can be used in
+                                                  logging streams and is raised once for each log entry.
+
+:bro:id:`bro_init`: :bro:type:`event`
+================================================= =============================================================
+
+Functions
+#########
+=============================================== =======================================
+:bro:id:`Example::a_function`: :bro:type:`func` Summarize purpose of "a_function" here.
+=============================================== =======================================
+
+Redefinitions
+#############
+===================================================== ========================================
+:bro:type:`Log::ID`: :bro:type:`enum`
+
+:bro:type:`Example::SimpleEnum`: :bro:type:`enum`     document the "SimpleEnum" redef here
+
+:bro:type:`Example::SimpleRecord`: :bro:type:`record` document the record extension redef here
+===================================================== ========================================
+
+Namespaces
+~~~~~~~~~~
+.. bro:namespace:: Example
+
+Notices
+~~~~~~~
+:bro:type:`Notice`
+
+   :Type: :bro:type:`enum`
+
+      .. bro:enum:: Example::Notice_One Notice
+
+         any number of this type of comment
+         will document "Notice_One"
+
+      .. bro:enum:: Example::Notice_Two Notice
+
+         any number of this type of comment
+         will document "Notice_Two"
+
+      .. bro:enum:: Example::Notice_Three Notice
+
+      .. bro:enum:: Example::Notice_Four Notice
+
+Public Interface
+----------------
+Options
+~~~~~~~
+.. bro:id:: Example::an_option
+
+   :Type: :bro:type:`set` [:bro:type:`addr`, :bro:type:`addr`, :bro:type:`string`]
+   :Attributes: :bro:attr:`&redef`
+   :Default: ``{}``
+
+   add documentation for "an_option" here
+
+.. bro:id:: Example::option_with_init
+
+   :Type: :bro:type:`interval`
+   :Attributes: :bro:attr:`&redef`
+   :Default: ``10.0 msecs``
+
+State Variables
+~~~~~~~~~~~~~~~
+.. bro:id:: Example::a_var
+
+   :Type: :bro:type:`bool`
+
+   put some documentation for "a_var" here
+
+.. bro:id:: Example::var_with_attr
+
+   :Type: :bro:type:`count`
+   :Attributes: :bro:attr:`&persistent`
+
+.. bro:id:: Example::var_without_explicit_type
+
+   :Type: :bro:type:`string`
+   :Default: ``"this works"``
+
+Types
+~~~~~
+.. bro:type:: Example::SimpleEnum
+
+   :Type: :bro:type:`enum`
+
+      .. bro:enum:: Example::ONE Example::SimpleEnum
+
+         and more specific info for "ONE"
+         can span multiple lines
+
+      .. bro:enum:: Example::TWO Example::SimpleEnum
+
+         or more info like this for "TWO"
+         can span multiple lines
+
+      .. bro:enum:: Example::THREE Example::SimpleEnum
+
+   documentation for "SimpleEnum"
+   goes here.
+
+.. bro:type:: Example::SimpleRecord
+
+   :Type: :bro:type:`record`
+
+      field1: :bro:type:`count`
+         counts something
+
+      field2: :bro:type:`bool`
+         toggles something
+
+   general documentation for a type "SimpleRecord"
+   goes here.
+
+.. bro:type:: Example::ComplexRecord
+
+   :Type: :bro:type:`record`
+
+      field1: :bro:type:`count`
+         counts something
+
+      field2: :bro:type:`bool`
+         toggles something
+
+      field3: :bro:type:`Example::SimpleRecord`
+
+      msg: :bro:type:`string` :bro:attr:`&default` = ``"blah"`` :bro:attr:`&optional`
+         attributes are self-documenting
+
+   general documentation for a type "ComplexRecord" goes here
+
+.. bro:type:: Example::Info
+
+   :Type: :bro:type:`record`
+
+      ts: :bro:type:`time` :bro:attr:`&log`
+
+      uid: :bro:type:`string` :bro:attr:`&log`
+
+      status: :bro:type:`count` :bro:attr:`&log` :bro:attr:`&optional`
+
+   An example record to be used with a logging stream.
+
+Events
+~~~~~~
+.. bro:id:: Example::an_event
+
+   :Type: :bro:type:`event` (name: :bro:type:`string`)
+
+   Summarize "an_event" here.
+   Give more details about "an_event" here.
+   
+   :param name: describe the argument here
+
+.. bro:id:: Example::log_example
+
+   :Type: :bro:type:`event` (rec: :bro:type:`Example::Info`)
+
+   This is a declaration of an example event that can be used in
+   logging streams and is raised once for each log entry.
+
+.. bro:id:: bro_init
+
+   :Type: :bro:type:`event` ()
+
+Functions
+~~~~~~~~~
+.. bro:id:: Example::a_function
+
+   :Type: :bro:type:`function` (tag: :bro:type:`string`, msg: :bro:type:`string`) : :bro:type:`string`
+
+   Summarize purpose of "a_function" here.
+   Give more details about "a_function" here.
+   Separating the documentation of the params/return values with
+   empty comments is optional, but improves readability of script.
+   
+   
+   :param tag: function arguments can be described
+        like this
+   
+   :param msg: another param
+   
+   
+   :returns: describe the return type here
+
+Redefinitions
+~~~~~~~~~~~~~
+:bro:type:`Log::ID`
+
+   :Type: :bro:type:`enum`
+
+      .. bro:enum:: Example::EXAMPLE Log::ID
+
+:bro:type:`Example::SimpleEnum`
+
+   :Type: :bro:type:`enum`
+
+      .. bro:enum:: Example::FOUR Example::SimpleEnum
+
+         and some documentation for "FOUR"
+
+      .. bro:enum:: Example::FIVE Example::SimpleEnum
+
+         also "FIVE" for good measure
+
+   document the "SimpleEnum" redef here
+
+:bro:type:`Example::SimpleRecord`
+
+   :Type: :bro:type:`record`
+
+      field_ext: :bro:type:`string` :bro:attr:`&optional`
+         document the extending field here
+         (or here)
+
+   document the record extension redef here
+
+Port Analysis
+-------------
+:ref:`More Information <common_port_analysis_doc>`
+
+SSL::
+
+    [ports={
+        443/tcp,
+        562/tcp
+    }]
+
+Packet Filter
+-------------
+:ref:`More Information <common_packet_filter_doc>`
+
+Filters added::
+
+    [ssl] = tcp port 443,
+    [nntps] = tcp port 562
+
+Private Interface
+-----------------
+State Variables
+~~~~~~~~~~~~~~~
+.. bro:id:: Example::example_ports
+
+   :Type: :bro:type:`set` [:bro:type:`port`]
+   :Attributes: :bro:attr:`&redef`
+   :Default:
+
+   ::
+
+      {
+         443/tcp,
+         562/tcp
+      }
+
+Types
+~~~~~
+.. bro:type:: Example::PrivateRecord
+
+   :Type: :bro:type:`record`
+
+      field1: :bro:type:`bool`
+
+      field2: :bro:type:`count`
+
+Functions
+~~~~~~~~~
+.. bro:id:: Example::filter_func
+
+   :Type: :bro:type:`function` (rec: :bro:type:`Example::Info`) : :bro:type:`bool`
+
+.. bro:id:: Example::function_without_proto
+
+   :Type: :bro:type:`function` (tag: :bro:type:`string`) : :bro:type:`string`
+
diff --git a/testing/btest/Baseline/doc.autogen-reST-records/autogen-reST-records.rst b/testing/btest/Baseline/doc.autogen-reST-records/autogen-reST-records.rst
new file mode 100644
index 0000000000..f43232f5ea
--- /dev/null
+++ b/testing/btest/Baseline/doc.autogen-reST-records/autogen-reST-records.rst
@@ -0,0 +1,52 @@
+.. Automatically generated.  Do not edit.
+
+autogen-reST-records.bro
+========================
+
+:download:`Original Source File <autogen-reST-records.bro>`
+
+Overview
+--------
+
+
+Summary
+~~~~~~~
+Types
+#####
+============================================ ============================================================
+:bro:type:`SimpleRecord`: :bro:type:`record`
+
+:bro:type:`TestRecord`: :bro:type:`record`   Here's the ways records and record fields can be documented.
+============================================ ============================================================
+
+Public Interface
+----------------
+Types
+~~~~~
+.. bro:type:: SimpleRecord
+
+   :Type: :bro:type:`record`
+
+      field1: :bro:type:`bool`
+
+      field2: :bro:type:`count`
+
+.. bro:type:: TestRecord
+
+   :Type: :bro:type:`record`
+
+      A: :bro:type:`count`
+         document ``A``
+
+      B: :bro:type:`bool`
+         document ``B``
+
+      C: :bro:type:`SimpleRecord`
+         and now ``C``
+         is a declared type
+
+      D: :bro:type:`set` [:bro:type:`count`, :bro:type:`bool`]
+         sets/tables should show the index types
+
+   Here's the ways records and record fields can be documented.
+
diff --git a/testing/btest/Baseline/doc.autogen-reST-type-aliases/autogen-reST-type-aliases.rst b/testing/btest/Baseline/doc.autogen-reST-type-aliases/autogen-reST-type-aliases.rst
new file mode 100644
index 0000000000..b24d7a01ab
--- /dev/null
+++ b/testing/btest/Baseline/doc.autogen-reST-type-aliases/autogen-reST-type-aliases.rst
@@ -0,0 +1,61 @@
+.. Automatically generated.  Do not edit.
+
+autogen-reST-type-aliases.bro
+=============================
+
+:download:`Original Source File <autogen-reST-type-aliases.bro>`
+
+Overview
+--------
+
+
+Summary
+~~~~~~~
+State Variables
+###############
+======================================= =======================================================
+:bro:id:`a`: :bro:type:`TypeAlias`      But this should reference a type of ``TypeAlias``.
+
+:bro:id:`b`: :bro:type:`OtherTypeAlias` And this should reference a type of ``OtherTypeAlias``.
+======================================= =======================================================
+
+Types
+#####
+============================================ ==========================================================================
+:bro:type:`TypeAlias`: :bro:type:`bool`      This is just an alias for a builtin type ``bool``.
+
+:bro:type:`OtherTypeAlias`: :bro:type:`bool` We decided that creating alias "chains" might not be so useful to document
+                                             so this type just creates a cross reference to ``bool``.
+============================================ ==========================================================================
+
+Public Interface
+----------------
+State Variables
+~~~~~~~~~~~~~~~
+.. bro:id:: a
+
+   :Type: :bro:type:`TypeAlias`
+
+   But this should reference a type of ``TypeAlias``.
+
+.. bro:id:: b
+
+   :Type: :bro:type:`OtherTypeAlias`
+
+   And this should reference a type of ``OtherTypeAlias``.
+
+Types
+~~~~~
+.. bro:type:: TypeAlias
+
+   :Type: :bro:type:`bool`
+
+   This is just an alias for a builtin type ``bool``.
+
+.. bro:type:: OtherTypeAlias
+
+   :Type: :bro:type:`bool`
+
+   We decided that creating alias "chains" might not be so useful to document
+   so this type just creates a cross reference to ``bool``.
+
diff --git a/testing/btest/Baseline/istate.base/events b/testing/btest/Baseline/istate.base/events
new file mode 100644
index 0000000000..fbb3c23f28
--- /dev/null
+++ b/testing/btest/Baseline/istate.base/events
@@ -0,0 +1,33 @@
+Event [1301452424.097552] connection_pending([id=[orig_h=141.42.64.125, orig_p=56729/tcp, resp_h=125.190.109.199, resp_p=12345/tcp], orig=[size=0, state=1], resp=[size=0, state=6], start_time=1301452418.93139, duration=0.182432889938354, service={}, addl="", hot=0, history="Sr"])
+Event [1301452424.097552] connection_state_remove([id=[orig_h=141.42.64.125, orig_p=56729/tcp, resp_h=125.190.109.199, resp_p=12345/tcp], orig=[size=0, state=1], resp=[size=0, state=6], start_time=1301452418.93139, duration=0.182432889938354, service={}, addl="", hot=0, history="Sr"])
+Event [1301452424.099251] new_connection([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=0, state=1], resp=[size=0, state=0], start_time=1301452424.0315, duration=0.0, service={}, addl="cc=1", hot=0, history=""])
+Event [1301452424.280556] connection_established([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=0, state=4], resp=[size=0, state=4], start_time=1301452424.0315, duration=0.182510137557983, service={}, addl="", hot=0, history="Sh"])
+Event [1301452424.280556] protocol_confirmation([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=0, state=4], start_time=1301452424.0315, duration=0.183290958404541, service={}, addl="", hot=0, history="ShAD"]165)
+Event [1301452424.282557] http_request([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=0, state=4], start_time=1301452424.0315, duration=0.183290958404541, service={}, addl="", hot=0, history="ShAD"]"GET""/""/""1.0")
+Event [1301452424.282557] http_begin_entity([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=0, state=4], start_time=1301452424.0315, duration=0.183290958404541, service={}, addl="%events-send-1", hot=0, history="ShAD"]T)
+Event [1301452424.284421] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=0, state=4], start_time=1301452424.0315, duration=0.183290958404541, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShAD"]T"USER-AGENT""Wget/1.10")
+Event [1301452424.284421] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=0, state=4], start_time=1301452424.0315, duration=0.183290958404541, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShAD"]T"ACCEPT""*/*")
+Event [1301452424.284421] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=0, state=4], start_time=1301452424.0315, duration=0.183290958404541, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShAD"]T"HOST""www.icir.org")
+Event [1301452424.284421] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=0, state=4], start_time=1301452424.0315, duration=0.183290958404541, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShAD"]T"CONNECTION""Keep-Alive")
+Event [1301452424.284421] http_content_type([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=0, state=4], start_time=1301452424.0315, duration=0.183290958404541, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShAD"]T"TEXT""PLAIN")
+Event [1301452424.284421] http_end_entity([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=0, state=4], start_time=1301452424.0315, duration=0.183290958404541, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShAD"]T)
+Event [1301452424.284421] http_message_done([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=0, state=4], start_time=1301452424.0315, duration=0.183290958404541, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShAD"]T[start=1301452424.21479, interrupted=F, finish_msg="message ends normally", body_length=0, content_gap_length=0, header_length=86])
+Event [1301452424.465561] http_reply([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=1448, state=4], start_time=1301452424.0315, duration=0.367331027984619, service={}, addl="%events-send-1", hot=0, history="ShADd"]"1.1"200"OK")
+Event [1301452424.465561] http_begin_entity([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=1448, state=4], start_time=1301452424.0315, duration=0.367331027984619, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F)
+Event [1301452424.465561] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=1448, state=4], start_time=1301452424.0315, duration=0.367331027984619, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F"DATE""Fri, 07 Oct 2005 23:23:55 GMT")
+Event [1301452424.465561] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=1448, state=4], start_time=1301452424.0315, duration=0.367331027984619, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F"SERVER""Apache/1.3.33 (Unix)")
+Event [1301452424.465561] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=1448, state=4], start_time=1301452424.0315, duration=0.367331027984619, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F"LAST-MODIFIED""Fri, 07 Oct 2005 16:23:01 GMT")
+Event [1301452424.465561] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=1448, state=4], start_time=1301452424.0315, duration=0.367331027984619, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F"ETAG"""2c96c-23aa-4346a0e5"")
+Event [1301452424.465561] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=1448, state=4], start_time=1301452424.0315, duration=0.367331027984619, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F"ACCEPT-RANGES""bytes")
+Event [1301452424.465561] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=1448, state=4], start_time=1301452424.0315, duration=0.367331027984619, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F"CONTENT-LENGTH""9130")
+Event [1301452424.465561] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=1448, state=4], start_time=1301452424.0315, duration=0.367331027984619, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F"KEEP-ALIVE""timeout=15, max=100")
+Event [1301452424.465561] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=1448, state=4], start_time=1301452424.0315, duration=0.367331027984619, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F"CONNECTION""Keep-Alive")
+Event [1301452424.465561] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=1448, state=4], start_time=1301452424.0315, duration=0.367331027984619, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F"CONTENT-TYPE""text/html")
+Event [1301452424.465561] http_content_type([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=1448, state=4], start_time=1301452424.0315, duration=0.367331027984619, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F"TEXT""HTML")
+Event [1301452424.648565] http_entity_data([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=5792, state=4], start_time=1301452424.0315, duration=0.551820039749146, service={}, addl="%events-send-1", hot=0, history="ShADd"]F4096"<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"^J"http://www.w3.org/TR/REC-html40/loose.dtd">^J<HEAD><TITLE>ICIR</TITLE></HEAD>^J<BODY bgcolor="#ffffff" text="#000000" link="#0000ff" vlink="#b20000">^J<img src=icir.gif alt="ICIR"><br>^J<p>^JICIR (The ICSI Center for Internet Research)^Jis a ^Jnon-profit^Jresearch institute at^J<a href="http://www.icsi.berkeley.edu">ICSI</a>^Jin ^J<a href="http://dir.yahoo.com/Regional/U_S__States/California/Cities/Berkeley/">Berkeley</a>, ^JCalifornia.<br>^JFor the three years from 1999 to 2001 we were named^JACIRI, the AT&T Center for Internet Research at ICSI, ^Jand were funded by <a href="http://www.att.com">AT&amp;T</a>.<br>^J^JThe goals of ICIR are to:^J<ul>^J<li>Pursue research on the Internet architecture and related networking issues,^J<li>^JParticipate actively in the research (<a href="http://www.acm.org/sigcomm/">SIGCOMM</a> and <a href="http://www.irtf.org/">IRTF</a>) and^Jstandards (<a href="http://www.ietf.org/">IETF</a>) communities,^J<li> Bridge the gap between the Internet research community and commercial ^Jinterests by providing a neutral forum where topics of mutual technical ^Jinterest can be addressed.^J</ul>^J<p>^J<!--^JICIR is now ^J<a href="jobs.html">^Jhiring</a> for both postdoctoral positions and summer interns.^J-->^J<hr>^J^J<DIV ALIGN="CENTER">^J^J<table width="100%" cellspacing=16 cellpadding=0>^J^J<tr>^J<td width="35%" valign=top>^J^J<h2>^JPeople^J</h2>^J<ul>^J<li>^J<a href="./shenker/">^JScott Shenker</a>, Group Leader<br> ^J<li><a href="http://www.icir.org/mallman/">Mark Allman</a>^J<li>^J<a href="./floyd/">Sally Floyd</a>^J<!--^J<li><a href="http://www.isi.edu/~govindan/">Ramesh Govindan</a>^J-->^J<li>^J<a href="./karp/papers.html">^JRichard Karp</a>  ^J<!-- (also with the ^J<a href="http://www.icsi.berkeley.edu/Theory/">ICSI Theory Group</a>, ^J<a href="http://www.msri.org/">MSRI</a>, and^J<a href="http://www.cs.berkeley.edu/">UC Berkeley</a>) -->^J<li>^J<a href="./vern/">^JVern Paxson</a>  ^J<li>^J<a href="http://www.icir.org/robin/">^JRobin Sommer</a>^J<li>^J<a href="http://www.cs.berkeley.edu/~nweaver/">^JNicholas Weaver</a>^J<li>^J<a href="http://www.icsi.berkeley.edu/~zhao/">^JJerry Zhao</a>^J<!-- </ul> &nbsp; &nbsp;<b>Group Members</b> <ul> -->^J<li><b><a href="pastvisitors.html">Past Group Members</a></b>,^J<br>including:^J<ul>^J<li>^J<a href="http://www.cs.ucl.ac.uk/staff/M.Handley/">^JMark Handley</a> (UCL)^J<li><a href="./kohler/">Eddie Kohler</a> (UCLA)^J</ul>^J<li><b>Affiliated <a href="http://www.xorp.org/">Xorp</a>^JResearchers</b>:^J  <ul>^J  <li><a href="./jcardona/">Javier Cardona</a>^J  <li><a href="./atanu/">Atanu Ghosh</a> ^J  <li><a href="./hodson/">Orion Hodson</a>^J  <li><a href="./pavlin/">Pavlin Radoslavov</a> ^J  <li><a href="http://www.iet.unipi.it/~luigi">Luigi Rizzo</a>^J  <li><a href="http://people.freebsd.org/~bms/">Bruce Simpson</a>^J</ul>^J<li><b>Affiliated UCB Researchers</b>:^J  <ul>^J  <li><a href="http://www.cs.berkeley.edu/~christos/">Christos Papadimitriou</a>^J  <li><a href="http://www.cs.berkeley.edu/~istoica/">Ion Stoica</a>^J  </ul>^J<li><b>Visitors</b>:^J  <ul>^J  <li><a href="http://grid.sjtu.edu.cn/teachers/dengqn/dengqn.htm">Professor Quin-Ni Deng</a>^J<!--^J  from Shanghai Jiaotong University^J-->^J  <li>Teemu Koponen^J<!--^J  , Helsinki Institute for Information Technology^J-->^J  </ul>^J<!--^J<li><a href="pastvisitors.html">Other researchers</a>^J-->^J<a name=Visitors></a>^J<li><b>Interns:</b>^J<ul>^J<li>Juan Caballero^J<li><a href="http://www.stanford.edu/~casado/">Martin Casado</a>^J<li><a href="http://www.cs.rice.edu/~scrosby/">Scott Crosby</a>^J<li><a href="http://bnrg.cs.berkeley.edu/~wdc/">Weidong Cui</a>^J<li><a href="http://www.cs.berkeley.edu/~chema">Chema Gonzalez</a>^J<li>Halldor Isak Gylfason^J<li><a href="http://www.cl.cam.ac.uk/~cpk25/">Christian Kreibich</a>^J<li><a href="http://www.cs.ucsd.edu/~braghava">Barath Raghavan</a>^J<!--^J<li><a href="newinterns.html">New Interns:</a> ^J-->^J</ul>^J<li><b>Undergraduate Interns:</b>^J<ul>^J<li>Michael Hoisie^J<li>Arthur Wayne Liao^J<li>Christopher Portka^J</ul>^J<li><b><a href="pastvisitors.html">Past Visitors and Interns:</a></b>^J</ul>^J^J</td>^J<td width="30%" vali")
+Event [1301452424.689566] http_entity_data([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=8688, state=4], start_time=1301452424.0315, duration=0.552114009857178, service={}, addl="%events-send-1", hot=0, history="ShADd"]F4096"gn=top>^J^J<h2>^JPublications^J</h2>^J<ul>^J<li><a href="./rfcs.html">^JRFCs</a> with ICIR authors.^J<li>^J<a href="./internetdrafts.html">^JInternet drafts</a> with ICIR authors, 3/2004 ^J(or <a href="http://www.rfc-editor.org/idsearch.html">search</a>^Jthe current list).^J<!--^Jfor "Shenker OR Floyd OR Allman OR Paxson".^J(or the ^J<a^Jhref="^Jhttp://search.ietf.org:80/search/cgi-bin/BrokerQuery.pl.cgi?broker=internet-drafts&query=%28Author%3A+Shenker+OR+Floyd+OR+Handley+OR+Paxson+OR+Kohler%29&caseflag=on&wordflag=off&errorflag=0&maxlineflag=50&maxresultflag=1000&descflag=on&sort=by-NML&verbose=on&maxobjflag=25">current list</a>.)^J^Jhttp://search.ietf.org:80/search/cgi-bin/BrokerQuery.pl.cgi?broker=internet-drafts&query=(Shenker+OR+Floyd+OR+Handley+OR+Paxson+OR+Kohler)&descflag=on">current list</a>).^J-->^J<!--^Jfrom the ^J<a href="http://search.ietf.org/search/brokers/internet-drafts/query.html">^JInternet-Drafts Search Engine</a>).^J-->^J<li>Papers by ^J<a href="./shenker/papers.html">Scott Shenker</a>^J(<a^Jhref="http://citeseer.ist.psu.edu/cs?qb=dbnum%3D1%2Cqtype%3Dcitation:&q=Scott%20w/2%20Shenker%20or%20S%20w/2%20Shenker&co=Citations">RI</a>),^J^J<a href="./mallman/papers/">Mark Allman</a>^J(<a^Jhref="http://citeseer.ist.psu.edu/cs?qb=dbnum%3D1%2Cqtype%3Dcitation:&q=Mark%20w/2%20Allman%20or%20S%20w/2%20Allman&co=Citations">RI</a>),^J^J<a href="./floyd/papers.html">Sally Floyd</a>^J(<a^Jhref="http://citeseer.ist.psu.edu/cs?qb=dbnum%3D1%2Cqtype%3Dcitation:&q=Sally%20w/2%20Floyd%20or%20S%20w/2%20Floyd&co=Citations">RI</a>),^J^J<a href="./karp/papers.html">Richard Karp</a>^J(<a^Jhref="http://citeseer.ist.psu.edu/cs?qb=dbnum%3D1%2Cqtype%3Dcitation:&q=Richard%20w/2%20Karp%20or%20R%20w/2%20Karp&co=Citations">RI</a>),^J<a href="./kohler/pubs/">Eddie Kohler</a>^J(<a^Jhref="http://citeseer.ist.psu.edu/cs?qb=dbnum%3D1%2Cqtype%3Dcitation:&q=eddie%20w/2%20kohler%20or%20e%20w/2%20kohler&co=Citations">RI</a>),^J<a href="./vern/papers.html">Vern Paxson</a>^J(<a^Jhref="http://citeseer.ist.psu.edu/cs?qb=dbnum%3D1%2Cqtype%3Dcitation:&q=Vern%20w/2%20Paxson%20or%20V%20w/2%20Paxson&co=Citations">RI</a>).^J<li>The <a href="http://citeseer.ist.psu.edu/">^JResearchIndex</a> (RI) and the ^J<a href="http://citeseer.ist.psu.edu/cs">Search</a>^Jand ^J<a href="http://citeseer.ist.psu.edu/Networking/">^JNetworking</a> pages. ^J</ul>^J^J<h2>^JProjects ^J</h2>^J<ul>^J<li>^J<a href="./vern/bro-info.html">Bro</a>^J(detecting network intruders). ^J<li>The <a href="http://www.isi.edu/newarch/">NewArch</a> Project:^JFuture-Generation Internet Architecture.^J<LI>The <a href="http://www.isi.edu/nsnam/ns/">NS</a>^Jnetwork simulator.^J<li> <a href="./tbit/">TBIT</a>^J(TCP Behavior Identification Tool).^J<li> <a href="http://www.xorp.org/">Xorp</a>^J(Extensible Open Router Platform).^J<li>^J<a href="./funded_projects.html">^JOther Funded Projects</a>.^J<li>^J<a href="./research.html">^JAdditional Research Links</a>.^J</ul>^J^J^J</td>^J^J<td width="35%" valign=top>^J    ^J<h2>Research</h2>^J&nbsp; &nbsp;<b>Transport and Congestion</b>^J<ul>^J<li>^J<a href="./kohler/dcp/">DCCP</a>^J(Datagram Congestion Control Protocol).^J<li>^J<a href="./floyd/ecn.html">ECN</a>^J(Explicit Congestion Notification).^J<li>^J<a href="http://www.ietf.org/html.charters/intserv-charter.html">^JIntegrated services</a>.^J<li>^J<a href="./floyd/red.html">RED</a> ^Jqueue management, and^J<a href="./red-pd/">RED-PD</a>.^J<li>^J<a href="./floyd/hstcp.html">HighSpeed TCP</a>.^J<li>^J<a^Jhref="http://www.ietf.cnri.reston.va.us/html.charters/OLD/tcpimpl-charter.html">^JTCP Implementation</a>.^J<li>^JReordering-Robust TCP ^J(<a href="./bkarp/RR-TCP/">RR-TCP</a>).^J<li>TCP^J<a href="./floyd/sacks.html">SACK</a> ^J(Selective Acknowledgment).^J<li>^J<a href="./tfrc/">TFRC</a> ^J(TCP-Friendly Rate Control).^J</ul>^J^J&nbsp; &nbsp;<b>Traffic and Topology</b>^J<ul>^J<LI>^J<a href="http://idmaps.eecs.umich.edu/">IDMaps</a> ^J(Internet Distance Mapping).^J<LI>The <a href="http://www.acm.org/sigcomm/ITA/">^JInternet Traffic Archive</a>.^J<li>^J<a href="http://www-net.cs.umass.edu/minc/">MINC</a>^J(Multicast-based Inference of Network-internal Characteristics).^J<li>^J<a href="http://www.psc.edu/networking/nimi/">NIMI</a>^J(N")
+Event [1301452424.832570] http_entity_data([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=9417, state=4], start_time=1301452424.0315, duration=0.73563814163208, service={}, addl="%events-send-1", hot=0, history="ShADd"]F938"ational Internet Measurement Infrastructure).^J</ul>^J^J<h2>^J<a href="./collaborators.html">^JCollaborators</a>^J</h2>^J^J<!--^J&nbsp; &nbsp;<b>Multicast and Multimedia</b>^J<ul>^J<LI><A href="/malloc/">MALLOC</a>^J(Multicast Address Allocation).^J<LI><a href="http://www.cs.columbia.edu/~hgs/sip/">SIP</a>^J(Session Initiation Protocol).^J<li> <a href="yoid"> Yoid</a> (host-based content distribution). ^J</ul>^J-->^J^J</td>^J^J</tr>^J</table>^J</DIV>^J^J<hr>^J<h2>Information for <a href="./abouticir.html">visitors</a> and <a href="/sysdocs/">local users</a>.</h2>^J<hr>^JLast modified: June 2004. <a href="./COPYRIGHTS">Copyright notice</a>.^J<a href="http://web.archive.org/web/*/http://www.aciri.org/">^JOlder versions</a> of this web page, in its ACIRI incarnation..^J<BR>^JFor more information about this server, mail <I>www@aciri.org</I>.  ^J<BR>^JTo report <a href="scanning.html">unusual activity</a> by any of our hosts, mail <I>abuse@aciri.org</I>.^J</BODY>^J")
+Event [1301452424.832570] http_end_entity([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=9417, state=4], start_time=1301452424.0315, duration=0.73563814163208, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F)
+Event [1301452424.832570] http_message_done([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=9417, state=4], start_time=1301452424.0315, duration=0.73563814163208, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F[start=1301452424.39883, interrupted=F, finish_msg="message ends normally", body_length=9130, content_gap_length=0, header_length=265])
+Event [1301452424.990539] net_done(1301452424.99054)
+Event [1301452424.990539] bro_done()
diff --git a/testing/btest/Baseline/istate.base/receiver.conn.log b/testing/btest/Baseline/istate.base/receiver.conn.log
new file mode 100644
index 0000000000..6827ed1fee
--- /dev/null
+++ b/testing/btest/Baseline/istate.base/receiver.conn.log
@@ -0,0 +1 @@
+1301452418.931393 0.182433 141.42.64.125 125.190.109.199 other 56729 12345 tcp ? ? REJ X
diff --git a/testing/btest/Baseline/istate.base/receiver.http.log b/testing/btest/Baseline/istate.base/receiver.http.log
new file mode 100644
index 0000000000..74400b15d5
--- /dev/null
+++ b/testing/btest/Baseline/istate.base/receiver.http.log
@@ -0,0 +1,18 @@
+1301452424.282557 %events-rcv-1 start 141.42.64.125:56730 > 125.190.109.199:80
+1301452424.284421 %events-rcv-1 > USER-AGENT: Wget/1.10
+1301452424.284421 %events-rcv-1 > ACCEPT: */*
+1301452424.284421 %events-rcv-1 > HOST: www.icir.org
+1301452424.284421 %events-rcv-1 > CONNECTION: Keep-Alive
+1301452424.465561 %events-rcv-1 < DATE: Fri, 07 Oct 2005 23:23:55 GMT
+1301452424.465561 %events-rcv-1 < SERVER: Apache/1.3.33 (Unix)
+1301452424.465561 %events-rcv-1 < LAST-MODIFIED: Fri, 07 Oct 2005 16:23:01 GMT
+1301452424.465561 %events-rcv-1 < ETAG: "2c96c-23aa-4346a0e5"
+1301452424.465561 %events-rcv-1 < ACCEPT-RANGES: bytes
+1301452424.465561 %events-rcv-1 < CONTENT-LENGTH: 9130
+1301452424.465561 %events-rcv-1 < KEEP-ALIVE: timeout=15, max=100
+1301452424.465561 %events-rcv-1 < CONNECTION: Keep-Alive
+1301452424.465561 %events-rcv-1 < CONTENT-TYPE: text/html
+1301452424.648565 %events-rcv-1 <= 4096 bytes: "<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML ..."
+1301452424.689566 %events-rcv-1 <= 4096 bytes: "gn=top>^J^J<h2>^JPublications^J</h2>^J<ul>^J<l..."
+1301452424.832570 %events-rcv-1 <= 938 bytes: "ational Internet Measurement Infrastruct..."
+1301452424.832570 %events-rcv-1 GET / (200 "OK" [9130] www.icir.org)
diff --git a/testing/btest/Baseline/istate.base/sender.conn.log b/testing/btest/Baseline/istate.base/sender.conn.log
new file mode 100644
index 0000000000..1735dbd63e
--- /dev/null
+++ b/testing/btest/Baseline/istate.base/sender.conn.log
@@ -0,0 +1,2 @@
+1301452418.931393 0.182433 141.42.64.125 125.190.109.199 other 56729 12345 tcp ? ? REJ X
+1301452424.031503 ? 141.42.64.125 125.190.109.199 http 56730 80 tcp 98 9417 S1 X %events-send-1
diff --git a/testing/btest/Baseline/istate.base/sender.http.log b/testing/btest/Baseline/istate.base/sender.http.log
new file mode 100644
index 0000000000..b5aed6501a
--- /dev/null
+++ b/testing/btest/Baseline/istate.base/sender.http.log
@@ -0,0 +1,18 @@
+1301452424.214794 %events-send-1 start 141.42.64.125:56730 > 125.190.109.199:80
+1301452424.214794 %events-send-1 > USER-AGENT: Wget/1.10
+1301452424.214794 %events-send-1 > ACCEPT: */*
+1301452424.214794 %events-send-1 > HOST: www.icir.org
+1301452424.214794 %events-send-1 > CONNECTION: Keep-Alive
+1301452424.398834 %events-send-1 < DATE: Fri, 07 Oct 2005 23:23:55 GMT
+1301452424.398834 %events-send-1 < SERVER: Apache/1.3.33 (Unix)
+1301452424.398834 %events-send-1 < LAST-MODIFIED: Fri, 07 Oct 2005 16:23:01 GMT
+1301452424.398834 %events-send-1 < ETAG: "2c96c-23aa-4346a0e5"
+1301452424.398834 %events-send-1 < ACCEPT-RANGES: bytes
+1301452424.398834 %events-send-1 < CONTENT-LENGTH: 9130
+1301452424.398834 %events-send-1 < KEEP-ALIVE: timeout=15, max=100
+1301452424.398834 %events-send-1 < CONNECTION: Keep-Alive
+1301452424.398834 %events-send-1 < CONTENT-TYPE: text/html
+1301452424.583323 %events-send-1 <= 4096 bytes: "<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML ..."
+1301452424.583617 %events-send-1 <= 4096 bytes: "gn=top>^J^J<h2>^JPublications^J</h2>^J<ul>^J<l..."
+1301452424.767141 %events-send-1 <= 938 bytes: "ational Internet Measurement Infrastruct..."
+1301452424.767141 %events-send-1 GET / (200 "OK" [9130] www.icir.org)
diff --git a/testing/btest/Baseline/istate.broccoli/bro.log b/testing/btest/Baseline/istate.broccoli/bro.log
new file mode 100644
index 0000000000..eeebe944ef
--- /dev/null
+++ b/testing/btest/Baseline/istate.broccoli/bro.log
@@ -0,0 +1,3 @@
+ping received, seq 0, 1303093042.542125 at src, 1303093042.583423 at dest, 
+ping received, seq 1, 1303093043.543167 at src, 1303093043.544026 at dest, 
+ping received, seq 2, 1303093044.544115 at src, 1303093044.545008 at dest, 
diff --git a/testing/istate/base/broccoli-ping/stdout.log b/testing/btest/Baseline/istate.broccoli/broccoli.log
similarity index 60%
rename from testing/istate/base/broccoli-ping/stdout.log
rename to testing/btest/Baseline/istate.broccoli/broccoli.log
index 6174e6cce8..faa3960273 100644
--- a/testing/istate/base/broccoli-ping/stdout.log
+++ b/testing/btest/Baseline/istate.broccoli/broccoli.log
@@ -1,5 +1,3 @@
 pong event from 127.0.0.1: seq=0, 
 pong event from 127.0.0.1: seq=1, 
 pong event from 127.0.0.1: seq=2, 
-pong event from 127.0.0.1: seq=3, 
-pong event from 127.0.0.1: seq=4, 
diff --git a/testing/btest/Baseline/istate.events/receiver.http.log b/testing/btest/Baseline/istate.events/receiver.http.log
new file mode 100644
index 0000000000..b0ca7b5583
--- /dev/null
+++ b/testing/btest/Baseline/istate.events/receiver.http.log
@@ -0,0 +1,18 @@
+1301459542.533110 %events-rcv-1 start 141.42.64.125:56730 > 125.190.109.199:80
+1301459542.533110 %events-rcv-1 > USER-AGENT: Wget/1.10
+1301459542.533110 %events-rcv-1 > ACCEPT: */*
+1301459542.533110 %events-rcv-1 > HOST: www.icir.org
+1301459542.533110 %events-rcv-1 > CONNECTION: Keep-Alive
+1301459542.717115 %events-rcv-1 < DATE: Fri, 07 Oct 2005 23:23:55 GMT
+1301459542.717115 %events-rcv-1 < SERVER: Apache/1.3.33 (Unix)
+1301459542.717115 %events-rcv-1 < LAST-MODIFIED: Fri, 07 Oct 2005 16:23:01 GMT
+1301459542.717115 %events-rcv-1 < ETAG: "2c96c-23aa-4346a0e5"
+1301459542.717115 %events-rcv-1 < ACCEPT-RANGES: bytes
+1301459542.717115 %events-rcv-1 < CONTENT-LENGTH: 9130
+1301459542.717115 %events-rcv-1 < KEEP-ALIVE: timeout=15, max=100
+1301459542.717115 %events-rcv-1 < CONNECTION: Keep-Alive
+1301459542.717115 %events-rcv-1 < CONTENT-TYPE: text/html
+1301459542.901119 %events-rcv-1 <= 4096 bytes: "<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML ..."
+1301459542.941139 %events-rcv-1 <= 4096 bytes: "gn=top>^J^J<h2>^JPublications^J</h2>^J<ul>^J<l..."
+1301459543.085124 %events-rcv-1 <= 938 bytes: "ational Internet Measurement Infrastruct..."
+1301459543.085124 %events-rcv-1 GET / (200 "OK" [9130] www.icir.org)
diff --git a/testing/btest/Baseline/istate.events/sender.http.log b/testing/btest/Baseline/istate.events/sender.http.log
new file mode 100644
index 0000000000..47f6130fdf
--- /dev/null
+++ b/testing/btest/Baseline/istate.events/sender.http.log
@@ -0,0 +1,18 @@
+1301459542.463895 %events-send-1 start 141.42.64.125:56730 > 125.190.109.199:80
+1301459542.463895 %events-send-1 > USER-AGENT: Wget/1.10
+1301459542.463895 %events-send-1 > ACCEPT: */*
+1301459542.463895 %events-send-1 > HOST: www.icir.org
+1301459542.463895 %events-send-1 > CONNECTION: Keep-Alive
+1301459542.647935 %events-send-1 < DATE: Fri, 07 Oct 2005 23:23:55 GMT
+1301459542.647935 %events-send-1 < SERVER: Apache/1.3.33 (Unix)
+1301459542.647935 %events-send-1 < LAST-MODIFIED: Fri, 07 Oct 2005 16:23:01 GMT
+1301459542.647935 %events-send-1 < ETAG: "2c96c-23aa-4346a0e5"
+1301459542.647935 %events-send-1 < ACCEPT-RANGES: bytes
+1301459542.647935 %events-send-1 < CONTENT-LENGTH: 9130
+1301459542.647935 %events-send-1 < KEEP-ALIVE: timeout=15, max=100
+1301459542.647935 %events-send-1 < CONNECTION: Keep-Alive
+1301459542.647935 %events-send-1 < CONTENT-TYPE: text/html
+1301459542.832424 %events-send-1 <= 4096 bytes: "<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML ..."
+1301459542.832718 %events-send-1 <= 4096 bytes: "gn=top>^J^J<h2>^JPublications^J</h2>^J<ul>^J<l..."
+1301459543.016242 %events-send-1 <= 938 bytes: "ational Internet Measurement Infrastruct..."
+1301459543.016242 %events-send-1 GET / (200 "OK" [9130] www.icir.org)
diff --git a/testing/istate/base/persistence-write/vars.log b/testing/btest/Baseline/istate.persistence/vars.read.log
similarity index 76%
rename from testing/istate/base/persistence-write/vars.log
rename to testing/btest/Baseline/istate.persistence/vars.read.log
index 9a7d2c771e..a141deb9a8 100644
--- a/testing/istate/base/persistence-write/vars.log
+++ b/testing/btest/Baseline/istate.persistence/vars.read.log
@@ -7,26 +7,26 @@ Hallihallo
 131.159
 42.0 secs
 {
-[1] = qwerty,
-[2] = uiop
+[2] = uiop,
+[1] = qwerty
 }
 file "test" of string
 /^?(12345)$?/
 {
-3,
-5,
+2,
 4,
 1,
-2
+5,
+3
 }
 {
-[3, GHI] = 103,
 [2, DEF] = 102,
+[3, GHI] = 103,
 [1, ABC] = 101
 }
 {
-[12345] = /^?(12345)$?/,
-[12346] = /^?(12345)$?/
+[12346] = /^?(12345)$?/,
+[12345] = /^?(12345)$?/
 }
 42/udp
 [1, 2, 3]
diff --git a/testing/istate/base/persistence-read/vars.log b/testing/btest/Baseline/istate.persistence/vars.write.log
similarity index 76%
rename from testing/istate/base/persistence-read/vars.log
rename to testing/btest/Baseline/istate.persistence/vars.write.log
index 9a7d2c771e..a141deb9a8 100644
--- a/testing/istate/base/persistence-read/vars.log
+++ b/testing/btest/Baseline/istate.persistence/vars.write.log
@@ -7,26 +7,26 @@ Hallihallo
 131.159
 42.0 secs
 {
-[1] = qwerty,
-[2] = uiop
+[2] = uiop,
+[1] = qwerty
 }
 file "test" of string
 /^?(12345)$?/
 {
-3,
-5,
+2,
 4,
 1,
-2
+5,
+3
 }
 {
-[3, GHI] = 103,
 [2, DEF] = 102,
+[3, GHI] = 103,
 [1, ABC] = 101
 }
 {
-[12345] = /^?(12345)$?/,
-[12346] = /^?(12345)$?/
+[12346] = /^?(12345)$?/,
+[12345] = /^?(12345)$?/
 }
 42/udp
 [1, 2, 3]
diff --git a/testing/istate/base/python-bro/stdout.log b/testing/btest/Baseline/istate.pybroccoli/bro..stdout
similarity index 84%
rename from testing/istate/base/python-bro/stdout.log
rename to testing/btest/Baseline/istate.pybroccoli/bro..stdout
index bdfea5e4d7..6b74681745 100644
--- a/testing/istate/base/python-bro/stdout.log
+++ b/testing/btest/Baseline/istate.pybroccoli/bro..stdout
@@ -1,7 +1,7 @@
 ==== atomic
 -10
 2
-xxxxxxxxxx.xxxxxx
+1304213412.67992
 2.0 mins
 F
 1.5
diff --git a/testing/istate/base/python-script/stdout.log b/testing/btest/Baseline/istate.pybroccoli/python..stdout.filtered
similarity index 82%
rename from testing/istate/base/python-script/stdout.log
rename to testing/btest/Baseline/istate.pybroccoli/python..stdout.filtered
index 5af3e6a47e..39ef913c17 100644
--- a/testing/istate/base/python-script/stdout.log
+++ b/testing/btest/Baseline/istate.pybroccoli/python..stdout.filtered
@@ -1,7 +1,7 @@
 ==== atomic a 1 ====
--4 -4
+-4L -4
 42 42
-xxxxxxxxxx.xxxxxx xxxxxxxxxx.xxxxxx
+1304213412.7213531 1304213412.72
 60.0 60.0
 True True
 3.1400000000000001 3.14
@@ -11,9 +11,9 @@ True True
 'X.X.X' X.X.X
 'X.X.X' 22.33.44.0/24
 ==== atomic a 2 ====
--10 -10
+-10L -10
 2 2
-xxxxxxxxxx.xxxxxx xxxxxxxxxx.xxxxxx
+1304213412.6799209 1304213412.68
 120.0 120.0
 False False
 1.5 1.5
@@ -23,9 +23,9 @@ False False
 'X.X.X' X.X.X
 'X.X.X' 192.168.0.0/16
 ==== atomic b 2 ====
--10 -10
+-10L -10
 <broccoli.count instance at > 2
-<broccoli.time instance at > xxxxxxxxxx.xxxxxx
+<broccoli.time instance at > 1304213412.68
 <broccoli.interval instance at > 120.0
 False False
 1.5 1.5
@@ -36,9 +36,9 @@ False False
 <broccoli.net instance at > 192.168.0.0/16
 ==== record 1 ====
 <broccoli.record instance at >
-42 42
+42L 42
 '6.6.7.7' 6.6.7.7
 ==== record 2 ====
 <broccoli.record instance at >
-99 99
+99L 99
 '3.4.5.1' 3.4.5.1
diff --git a/testing/istate/base/sync-rcv/vars.log b/testing/btest/Baseline/istate.sync/receiver.vars.log
similarity index 64%
rename from testing/istate/base/sync-rcv/vars.log
rename to testing/btest/Baseline/istate.sync/receiver.vars.log
index 428ac7929d..124c162579 100644
--- a/testing/istate/base/sync-rcv/vars.log
+++ b/testing/btest/Baseline/istate.sync/receiver.vars.log
@@ -7,28 +7,28 @@ Jodel
 192.150.186
 42.0 secs
 {
-[3] = asdfg1,
-[1] = asdfg2
+[1] = asdfg2,
+[3] = asdfg1
 }
 file "test2" of string
 /^?(abbcdefgh)$?/
 {
-3,
-5,
-6,
+2,
 4,
-2
+6,
+5,
+3
 }
 {
+[2, DEF] = 103,
 [3, GHI] = 103,
-[4, JKL] = 104,
-[2, DEF] = 103
+[4, JKL] = 104
 }
 {
-[12345] = /^?(12345)$?/,
+[12346] = /^?(12345)$?/,
 [6767] = /^?(QWERTZ)$?/,
-[12346] = /^?(12345)$?/
+[12345] = /^?(12345)$?/
 }
 6667/tcp
 [2, 20, 3, 4]
-[a=zxzxzx, b=[a=pop, b=43, c=9.999], c=[a=IOIOI, b=201, c=612.2], d=6.6666]
+[a=zxzxzx, b=[a=pop, b=43, c=9.999], c=[a=IOIOI, b=201, c=612.2], d=6.6666, e=<uninitialized>]
diff --git a/testing/istate/base/sync-send/vars.log b/testing/btest/Baseline/istate.sync/sender.vars.log
similarity index 64%
rename from testing/istate/base/sync-send/vars.log
rename to testing/btest/Baseline/istate.sync/sender.vars.log
index 428ac7929d..124c162579 100644
--- a/testing/istate/base/sync-send/vars.log
+++ b/testing/btest/Baseline/istate.sync/sender.vars.log
@@ -7,28 +7,28 @@ Jodel
 192.150.186
 42.0 secs
 {
-[3] = asdfg1,
-[1] = asdfg2
+[1] = asdfg2,
+[3] = asdfg1
 }
 file "test2" of string
 /^?(abbcdefgh)$?/
 {
-3,
-5,
-6,
+2,
 4,
-2
+6,
+5,
+3
 }
 {
+[2, DEF] = 103,
 [3, GHI] = 103,
-[4, JKL] = 104,
-[2, DEF] = 103
+[4, JKL] = 104
 }
 {
-[12345] = /^?(12345)$?/,
+[12346] = /^?(12345)$?/,
 [6767] = /^?(QWERTZ)$?/,
-[12346] = /^?(12345)$?/
+[12345] = /^?(12345)$?/
 }
 6667/tcp
 [2, 20, 3, 4]
-[a=zxzxzx, b=[a=pop, b=43, c=9.999], c=[a=IOIOI, b=201, c=612.2], d=6.6666]
+[a=zxzxzx, b=[a=pop, b=43, c=9.999], c=[a=IOIOI, b=201, c=612.2], d=6.6666, e=<uninitialized>]
diff --git a/testing/btest/Baseline/language.cross-product-init/output b/testing/btest/Baseline/language.cross-product-init/output
new file mode 100644
index 0000000000..95794f9179
--- /dev/null
+++ b/testing/btest/Baseline/language.cross-product-init/output
@@ -0,0 +1,6 @@
+{
+[bar, 1.2.0.0/19] ,
+[foo, 5.6.0.0/21] ,
+[bar, 5.6.0.0/21] ,
+[foo, 1.2.0.0/19] 
+}
diff --git a/testing/btest/Baseline/language.delete-field-set/output b/testing/btest/Baseline/language.delete-field-set/output
new file mode 100644
index 0000000000..ccf6dbc793
--- /dev/null
+++ b/testing/btest/Baseline/language.delete-field-set/output
@@ -0,0 +1 @@
+[a=<uninitialized>, b=<uninitialized>, c=<uninitialized>]
diff --git a/testing/btest/Baseline/language.delete-field/output b/testing/btest/Baseline/language.delete-field/output
new file mode 100644
index 0000000000..12d04d02d3
--- /dev/null
+++ b/testing/btest/Baseline/language.delete-field/output
@@ -0,0 +1,4 @@
+a: 20
+20
+a: not set
+5
diff --git a/testing/btest/Baseline/language.enum-scope/output b/testing/btest/Baseline/language.enum-scope/output
new file mode 100644
index 0000000000..f2ad6c76f0
--- /dev/null
+++ b/testing/btest/Baseline/language.enum-scope/output
@@ -0,0 +1 @@
+c
diff --git a/testing/btest/Baseline/language.match-test/output b/testing/btest/Baseline/language.match-test/output
new file mode 100644
index 0000000000..5ee7ba029d
--- /dev/null
+++ b/testing/btest/Baseline/language.match-test/output
@@ -0,0 +1,3 @@
+default
+it's big
+it's really big
diff --git a/testing/btest/Baseline/language.match-test2/output b/testing/btest/Baseline/language.match-test2/output
new file mode 100644
index 0000000000..0cfbf08886
--- /dev/null
+++ b/testing/btest/Baseline/language.match-test2/output
@@ -0,0 +1 @@
+2
diff --git a/testing/btest/Baseline/language.next-test/output b/testing/btest/Baseline/language.next-test/output
new file mode 100644
index 0000000000..db9ce4efa4
--- /dev/null
+++ b/testing/btest/Baseline/language.next-test/output
@@ -0,0 +1,8 @@
+0
+1
+1
+MIDDLE
+0
+0
+1
+THE END
diff --git a/testing/btest/Baseline/language.rare-events/output b/testing/btest/Baseline/language.rare-events/output
new file mode 100644
index 0000000000..1de3641284
--- /dev/null
+++ b/testing/btest/Baseline/language.rare-events/output
@@ -0,0 +1 @@
+1106953531.452525 DroppedPackets 2 packets dropped after filtering, 1109 received, 10000 on link
diff --git a/testing/btest/Baseline/language.rec-comp-init/output b/testing/btest/Baseline/language.rec-comp-init/output
new file mode 100644
index 0000000000..fedb9177c7
--- /dev/null
+++ b/testing/btest/Baseline/language.rec-comp-init/output
@@ -0,0 +1,5 @@
+[a={
+
+}, b={
+
+}, c=[]]
diff --git a/testing/btest/Baseline/language.rec-nested-opt/output b/testing/btest/Baseline/language.rec-nested-opt/output
new file mode 100644
index 0000000000..e41358b71d
--- /dev/null
+++ b/testing/btest/Baseline/language.rec-nested-opt/output
@@ -0,0 +1,3 @@
+{
+[Wget/1.9+cvs-stable (Red Hat modified)] = [name=Wget, version=[major=1, minor=9, addl=+cvs], host=0.0.0.0, ts=0.0]
+}
diff --git a/testing/btest/Baseline/language.rec-of-tbl/output b/testing/btest/Baseline/language.rec-of-tbl/output
new file mode 100644
index 0000000000..f7c06f0b63
--- /dev/null
+++ b/testing/btest/Baseline/language.rec-of-tbl/output
@@ -0,0 +1,3 @@
+[a={
+[5] = 3
+}]
diff --git a/testing/btest/Baseline/language.rec-table-default/output b/testing/btest/Baseline/language.rec-table-default/output
new file mode 100644
index 0000000000..a1531d06ee
--- /dev/null
+++ b/testing/btest/Baseline/language.rec-table-default/output
@@ -0,0 +1,14 @@
+{
+[foo] = T
+}
+{
+
+}
+{
+A,
+B,
+C
+}
+{
+
+}
diff --git a/testing/btest/Baseline/language.record-extension/output b/testing/btest/Baseline/language.record-extension/output
new file mode 100644
index 0000000000..1e38084e0c
--- /dev/null
+++ b/testing/btest/Baseline/language.record-extension/output
@@ -0,0 +1,2 @@
+[a=21, b=<uninitialized>, c=42, d=<uninitialized>]
+[a=21, b=<uninitialized>, c=42, d=XXX]
diff --git a/testing/btest/Baseline/language.record-recursive-coercion/output b/testing/btest/Baseline/language.record-recursive-coercion/output
new file mode 100644
index 0000000000..37c916713f
--- /dev/null
+++ b/testing/btest/Baseline/language.record-recursive-coercion/output
@@ -0,0 +1 @@
+[major=4, minor=4, minor2=<uninitialized>, addl=<uninitialized>]
diff --git a/testing/btest/Baseline/language.record-ref-assign/output b/testing/btest/Baseline/language.record-ref-assign/output
new file mode 100644
index 0000000000..4caf2f8fa8
--- /dev/null
+++ b/testing/btest/Baseline/language.record-ref-assign/output
@@ -0,0 +1 @@
+XXX, XXX
diff --git a/testing/btest/Baseline/language.sizeof/output b/testing/btest/Baseline/language.sizeof/output
new file mode 100644
index 0000000000..0c1f3448c6
--- /dev/null
+++ b/testing/btest/Baseline/language.sizeof/output
@@ -0,0 +1,17 @@
+Address 1.2.3.4: 16909060
+Boolean T: 1
+Count 10: 10
+Double -1.23: 1.230000
+Enum ENUM3: 2
+File 21.000000
+Function add_interface: 2
+Integer -10: 10
+Interval -5.0 secs: 5.000000
+Net 192.168.0: 65536.000000
+Port 80/tcp: 65616
+Record [i=10, j=<uninitialized>, k=<uninitialized>]: 3
+Set: 3
+String 'Hello': 5
+Subnet 192.168.0.0/24: 256.000000
+Table 2
+Vector [Hello, , , , World]: 5
diff --git a/testing/btest/Baseline/language.smith-waterman-test/output b/testing/btest/Baseline/language.smith-waterman-test/output
new file mode 100644
index 0000000000..b0d0d33526
--- /dev/null
+++ b/testing/btest/Baseline/language.smith-waterman-test/output
@@ -0,0 +1,32 @@
+abcdefgh - ijklmnop:
+AAAabcefghij - lmnopAAAqrst:
+tok 1: AAA (0/5, T)
+abcAAAefghij - lmnopAAAqrst:
+tok 1: AAA (3/5, T)
+abcefghijAAA - lmnopAAAqrst:
+tok 1: AAA (9/5, T)
+xxxAAAyyy - AAAaAAAbAAA:
+tok 1: AAA (3/0, T)
+tok 2: AAA (3/4, T)
+tok 3: AAA (3/8, T)
+AAAaAAAbAAA - xxxAAAyyy:
+tok 1: AAA (0/3, T)
+tok 2: AAA (4/3, T)
+tok 3: AAA (8/3, T)
+xxCDyABzCDyABzz - ABCD:
+tok 1: CD (2/2, T)
+tok 2: AB (5/0, T)
+tok 3: CD (8/2, F)
+tok 4: AB (11/0, T)
+ABCD - xxCDyABzCDyABzz:
+tok 1: CD (2/2, T)
+tok 2: AB (0/5, T)
+tok 3: CD (2/8, F)
+tok 4: AB (0/11, T)
+Cache-control: no-cache^M^JAccept: - Accept-: deflate^M^JAccept-: Accept-:
+tok 1: Accept (27/0, T)
+tok 2: e^M^JAccept (22/15, T)
+tok 3: Accept (27/29, T)
+xxAAxxAAxx - yyyyyAAyyyyy:
+tok 1: AA (2/5, T)
+tok 2: AA (6/5, T)
diff --git a/testing/btest/Baseline/language.strings/output b/testing/btest/Baseline/language.strings/output
new file mode 100644
index 0000000000..525ce64916
--- /dev/null
+++ b/testing/btest/Baseline/language.strings/output
@@ -0,0 +1,25 @@
+Input string: broisaveryneatids
+
+String splitting
+----------------
+Splitting 'broisaveryneatids' at 6 points...
+bro
+is
+a
+very
+neat
+ids
+
+Substrings
+----------
+3@0: bro
+5@2: roisa
+7@4: isavery
+10@10: yneatids
+
+Finding strings
+---------------
+isa: 4
+very: 7
+ids: 15
+nono: 0
diff --git a/testing/btest/Baseline/language.vector-coerce-expr/output b/testing/btest/Baseline/language.vector-coerce-expr/output
new file mode 100644
index 0000000000..baabf9d89d
--- /dev/null
+++ b/testing/btest/Baseline/language.vector-coerce-expr/output
@@ -0,0 +1,4 @@
+[]
+[1, 2, 3]
+[T, F, T]
+[]
diff --git a/testing/btest/Baseline/language.wrong-delete-field/output b/testing/btest/Baseline/language.wrong-delete-field/output
new file mode 100644
index 0000000000..8d965362f1
--- /dev/null
+++ b/testing/btest/Baseline/language.wrong-delete-field/output
@@ -0,0 +1 @@
+/da/home/robin/bro/master/testing/btest/.tmp/language.wrong-delete-field/wrong-delete-field.bro, line 10 (delete x$a): error, illegal delete statement
diff --git a/testing/btest/Baseline/language.wrong-record-extension/output b/testing/btest/Baseline/language.wrong-record-extension/output
new file mode 100644
index 0000000000..144a065f59
--- /dev/null
+++ b/testing/btest/Baseline/language.wrong-record-extension/output
@@ -0,0 +1 @@
+ error, extension field must be &optional or have &default
diff --git a/testing/btest/Baseline/logging.adapt-filter/ssh-new-default.log b/testing/btest/Baseline/logging.adapt-filter/ssh-new-default.log
new file mode 100644
index 0000000000..469f2d1991
--- /dev/null
+++ b/testing/btest/Baseline/logging.adapt-filter/ssh-new-default.log
@@ -0,0 +1,3 @@
+# t	id.orig_h	id.orig_p	id.resp_h	id.resp_p	status	country
+1299718503.40319	1.2.3.4	1234	2.3.4.5	80	success	unknown
+1299718503.40319	1.2.3.4	1234	2.3.4.5	80	failure	US
diff --git a/testing/btest/Baseline/logging.ascii-binary/ssh.log b/testing/btest/Baseline/logging.ascii-binary/ssh.log
new file mode 100644
index 0000000000..84a2cc609e
Binary files /dev/null and b/testing/btest/Baseline/logging.ascii-binary/ssh.log differ
diff --git a/testing/btest/Baseline/logging.ascii-empty/output b/testing/btest/Baseline/logging.ascii-empty/output
new file mode 100644
index 0000000000..d377ca15d7
--- /dev/null
+++ b/testing/btest/Baseline/logging.ascii-empty/output
@@ -0,0 +1,6 @@
+PREFIX<>t|id.orig_h|id.orig_p|id.resp_h|id.resp_p|status|country|b
+1299718506.56593|1.2.3.4|1234|2.3.4.5|80|success|unknown|NOT-SET
+1299718506.56593|1.2.3.4|1234|2.3.4.5|80|NOT-SET|US|NOT-SET
+1299718506.56593|1.2.3.4|1234|2.3.4.5|80|failure|UK|NOT-SET
+1299718506.56593|1.2.3.4|1234|2.3.4.5|80|NOT-SET|BR|NOT-SET
+1299718506.56593|1.2.3.4|1234|2.3.4.5|80|failure|EMPTY|T
diff --git a/testing/btest/Baseline/logging.ascii-escape/ssh.log b/testing/btest/Baseline/logging.ascii-escape/ssh.log
new file mode 100644
index 0000000000..aa08625281
Binary files /dev/null and b/testing/btest/Baseline/logging.ascii-escape/ssh.log differ
diff --git a/testing/btest/Baseline/logging.ascii-options/output b/testing/btest/Baseline/logging.ascii-options/output
new file mode 100644
index 0000000000..33a922cc2b
--- /dev/null
+++ b/testing/btest/Baseline/logging.ascii-options/output
@@ -0,0 +1,5 @@
+1299718506.38074|1.2.3.4|1234|2.3.4.5|80|success|unknown
+1299718506.38074|1.2.3.4|1234|2.3.4.5|80|failure|US
+1299718506.38074|1.2.3.4|1234|2.3.4.5|80|failure|UK
+1299718506.38074|1.2.3.4|1234|2.3.4.5|80|success|BR
+1299718506.38074|1.2.3.4|1234|2.3.4.5|80|failure|MX
diff --git a/testing/btest/Baseline/logging.attr-extend/ssh.log b/testing/btest/Baseline/logging.attr-extend/ssh.log
new file mode 100644
index 0000000000..d543af3a43
--- /dev/null
+++ b/testing/btest/Baseline/logging.attr-extend/ssh.log
@@ -0,0 +1,2 @@
+# status	country	a1	b1	b2
+success	unknown	1	3	4
diff --git a/testing/btest/Baseline/logging.attr/ssh.log b/testing/btest/Baseline/logging.attr/ssh.log
new file mode 100644
index 0000000000..c4355d2fd5
--- /dev/null
+++ b/testing/btest/Baseline/logging.attr/ssh.log
@@ -0,0 +1,6 @@
+# status	country
+success	unknown
+failure	US
+failure	UK
+success	BR
+failure	MX
diff --git a/testing/btest/Baseline/logging.empty-event/ssh.log b/testing/btest/Baseline/logging.empty-event/ssh.log
new file mode 100644
index 0000000000..7f21430ea7
--- /dev/null
+++ b/testing/btest/Baseline/logging.empty-event/ssh.log
@@ -0,0 +1,6 @@
+# t	id.orig_h	id.orig_p	id.resp_h	id.resp_p	status	country
+1299809561.67372	1.2.3.4	1234	2.3.4.5	80	success	unknown
+1299809561.67372	1.2.3.4	1234	2.3.4.5	80	failure	US
+1299809561.67372	1.2.3.4	1234	2.3.4.5	80	failure	UK
+1299809561.67372	1.2.3.4	1234	2.3.4.5	80	success	BR
+1299809561.67372	1.2.3.4	1234	2.3.4.5	80	failure	MX
diff --git a/testing/btest/Baseline/logging.events/output b/testing/btest/Baseline/logging.events/output
new file mode 100644
index 0000000000..c3dbf607a6
--- /dev/null
+++ b/testing/btest/Baseline/logging.events/output
@@ -0,0 +1,2 @@
+[t=1299718502.96511, id=[orig_h=1.2.3.4, orig_p=1234/tcp, resp_h=2.3.4.5, resp_p=80/tcp], status=success, country=<uninitialized>]
+[t=1299718502.96511, id=[orig_h=1.2.3.4, orig_p=1234/tcp, resp_h=2.3.4.5, resp_p=80/tcp], status=failure, country=US]
diff --git a/testing/btest/Baseline/logging.exclude/ssh.log b/testing/btest/Baseline/logging.exclude/ssh.log
new file mode 100644
index 0000000000..4defa5ced1
--- /dev/null
+++ b/testing/btest/Baseline/logging.exclude/ssh.log
@@ -0,0 +1,6 @@
+# id.orig_p	id.resp_h	id.resp_p	status	country
+1234	2.3.4.5	80	success	unknown
+1234	2.3.4.5	80	failure	US
+1234	2.3.4.5	80	failure	UK
+1234	2.3.4.5	80	success	BR
+1234	2.3.4.5	80	failure	MX
diff --git a/testing/btest/Baseline/logging.file/ssh.log b/testing/btest/Baseline/logging.file/ssh.log
new file mode 100644
index 0000000000..49115ab1df
--- /dev/null
+++ b/testing/btest/Baseline/logging.file/ssh.log
@@ -0,0 +1,2 @@
+# t	f
+1303098703.62603	Foo.log
diff --git a/testing/btest/Baseline/logging.include/ssh.log b/testing/btest/Baseline/logging.include/ssh.log
new file mode 100644
index 0000000000..881704257e
--- /dev/null
+++ b/testing/btest/Baseline/logging.include/ssh.log
@@ -0,0 +1,6 @@
+# t	id.orig_h
+1303064007.48299	1.2.3.4
+1303064007.48299	1.2.3.4
+1303064007.48299	1.2.3.4
+1303064007.48299	1.2.3.4
+1303064007.48299	1.2.3.4
diff --git a/testing/btest/Baseline/logging.path-func/output b/testing/btest/Baseline/logging.path-func/output
new file mode 100644
index 0000000000..25e4ca6696
--- /dev/null
+++ b/testing/btest/Baseline/logging.path-func/output
@@ -0,0 +1,13 @@
+static-prefix-0.log
+static-prefix-1.log
+static-prefix-2.log
+# t	id.orig_h	id.orig_p	id.resp_h	id.resp_p	status	country
+1299718503.05867	1.2.3.4	1234	2.3.4.5	80	success	unknown
+1299718503.05867	1.2.3.4	1234	2.3.4.5	80	success	BR
+1299718503.05867	1.2.3.4	1234	2.3.4.5	80	failure	MX3
+# t	id.orig_h	id.orig_p	id.resp_h	id.resp_p	status	country
+1299718503.05867	1.2.3.4	1234	2.3.4.5	80	failure	US
+1299718503.05867	1.2.3.4	1234	2.3.4.5	80	failure	MX
+# t	id.orig_h	id.orig_p	id.resp_h	id.resp_p	status	country
+1299718503.05867	1.2.3.4	1234	2.3.4.5	80	failure	UK
+1299718503.05867	1.2.3.4	1234	2.3.4.5	80	failure	MX2
diff --git a/testing/btest/Baseline/logging.pred/ssh.failure.log b/testing/btest/Baseline/logging.pred/ssh.failure.log
new file mode 100644
index 0000000000..c46990dc65
--- /dev/null
+++ b/testing/btest/Baseline/logging.pred/ssh.failure.log
@@ -0,0 +1,2 @@
+# t	id.orig_h	id.orig_p	id.resp_h	id.resp_p	status	country
+1299718503.16177	1.2.3.4	1234	2.3.4.5	80	failure	US
diff --git a/testing/btest/Baseline/logging.pred/ssh.success.log b/testing/btest/Baseline/logging.pred/ssh.success.log
new file mode 100644
index 0000000000..c6adcd86aa
--- /dev/null
+++ b/testing/btest/Baseline/logging.pred/ssh.success.log
@@ -0,0 +1,2 @@
+# t	id.orig_h	id.orig_p	id.resp_h	id.resp_p	status	country
+1299718503.16177	1.2.3.4	1234	2.3.4.5	80	success	-
diff --git a/testing/btest/Baseline/logging.remote-types/receiver.ssh.log b/testing/btest/Baseline/logging.remote-types/receiver.ssh.log
new file mode 100644
index 0000000000..9a203f1bac
--- /dev/null
+++ b/testing/btest/Baseline/logging.remote-types/receiver.ssh.log
@@ -0,0 +1,2 @@
+# b	i	e	c	p	sn	n	a	d	t	iv	s	sc	ss	se	vc	ve
+T	-42	SSH::SSH	21	123	10.0.0.0/24	10.0.0.0	1.2.3.4	3.14	1303580757.69082	100.0	hurz	2,4,1,3	CC,AA,BB	EMPTY	10,20,30	EMPTY
diff --git a/testing/btest/Baseline/logging.remote/sender.ssh.failure.log b/testing/btest/Baseline/logging.remote/sender.ssh.failure.log
new file mode 100644
index 0000000000..ce48f547f6
--- /dev/null
+++ b/testing/btest/Baseline/logging.remote/sender.ssh.failure.log
@@ -0,0 +1,4 @@
+# t	id.orig_h	id.orig_p	id.resp_h	id.resp_p	status	country
+1303580768.27075	1.2.3.4	1234	2.3.4.5	80	failure	US
+1303580768.27075	1.2.3.4	1234	2.3.4.5	80	failure	UK
+1303580768.27075	1.2.3.4	1234	2.3.4.5	80	failure	MX
diff --git a/testing/btest/Baseline/logging.remote/sender.ssh.log b/testing/btest/Baseline/logging.remote/sender.ssh.log
new file mode 100644
index 0000000000..eb392df781
--- /dev/null
+++ b/testing/btest/Baseline/logging.remote/sender.ssh.log
@@ -0,0 +1,6 @@
+# t	id.orig_h	id.orig_p	id.resp_h	id.resp_p	status	country
+1303580768.27075	1.2.3.4	1234	2.3.4.5	80	success	-
+1303580768.27075	1.2.3.4	1234	2.3.4.5	80	failure	US
+1303580768.27075	1.2.3.4	1234	2.3.4.5	80	failure	UK
+1303580768.27075	1.2.3.4	1234	2.3.4.5	80	success	BR
+1303580768.27075	1.2.3.4	1234	2.3.4.5	80	failure	MX
diff --git a/testing/btest/Baseline/logging.remote/sender.ssh.success.log b/testing/btest/Baseline/logging.remote/sender.ssh.success.log
new file mode 100644
index 0000000000..3861250477
--- /dev/null
+++ b/testing/btest/Baseline/logging.remote/sender.ssh.success.log
@@ -0,0 +1,3 @@
+# t	id.orig_h	id.orig_p	id.resp_h	id.resp_p	status	country
+1303580768.27075	1.2.3.4	1234	2.3.4.5	80	success	-
+1303580768.27075	1.2.3.4	1234	2.3.4.5	80	success	BR
diff --git a/testing/btest/Baseline/logging.remove/ssh.failure.log b/testing/btest/Baseline/logging.remove/ssh.failure.log
new file mode 100644
index 0000000000..ddbacda28e
--- /dev/null
+++ b/testing/btest/Baseline/logging.remove/ssh.failure.log
@@ -0,0 +1,3 @@
+# t	id.orig_h	id.orig_p	id.resp_h	id.resp_p	status	country
+1299718503.28253	1.2.3.4	1234	2.3.4.5	80	failure	US
+1299718503.28253	1.2.3.4	1234	2.3.4.5	80	failure	UK
diff --git a/testing/btest/Baseline/logging.remove/ssh.log b/testing/btest/Baseline/logging.remove/ssh.log
new file mode 100644
index 0000000000..123e8e3a87
--- /dev/null
+++ b/testing/btest/Baseline/logging.remove/ssh.log
@@ -0,0 +1,4 @@
+# t	id.orig_h	id.orig_p	id.resp_h	id.resp_p	status	country
+1299718503.28253	1.2.3.4	1234	2.3.4.5	80	failure	US
+1299718503.28253	1.2.3.4	1234	2.3.4.5	80	failure	UK
+1299718503.28253	1.2.3.4	1234	2.3.4.5	80	failure	BR
diff --git a/testing/btest/Baseline/logging.rotate-custom/out b/testing/btest/Baseline/logging.rotate-custom/out
new file mode 100644
index 0000000000..c87445cff5
--- /dev/null
+++ b/testing/btest/Baseline/logging.rotate-custom/out
@@ -0,0 +1,83 @@
+2nd test2-11-03-07_03.00.05.log test2.log 11-03-07_03.00.05 11-03-07_03.59.55 0
+1st test-11-03-07_03.00.05.log test.log 11-03-07_03.00.05 11-03-07_04.00.05 0
+2nd test2-11-03-07_03.59.55.log test2.log 11-03-07_03.59.55 11-03-07_04.00.05 0
+2nd test2-11-03-07_04.00.05.log test2.log 11-03-07_04.00.05 11-03-07_04.59.55 0
+1st test-11-03-07_04.00.05.log test.log 11-03-07_04.00.05 11-03-07_05.00.05 0
+2nd test2-11-03-07_04.59.55.log test2.log 11-03-07_04.59.55 11-03-07_05.00.05 0
+2nd test2-11-03-07_05.00.05.log test2.log 11-03-07_05.00.05 11-03-07_05.59.55 0
+1st test-11-03-07_05.00.05.log test.log 11-03-07_05.00.05 11-03-07_06.00.05 0
+2nd test2-11-03-07_05.59.55.log test2.log 11-03-07_05.59.55 11-03-07_06.00.05 0
+2nd test2-11-03-07_06.00.05.log test2.log 11-03-07_06.00.05 11-03-07_06.59.55 0
+1st test-11-03-07_06.00.05.log test.log 11-03-07_06.00.05 11-03-07_07.00.05 0
+2nd test2-11-03-07_06.59.55.log test2.log 11-03-07_06.59.55 11-03-07_07.00.05 0
+2nd test2-11-03-07_07.00.05.log test2.log 11-03-07_07.00.05 11-03-07_07.59.55 0
+1st test-11-03-07_07.00.05.log test.log 11-03-07_07.00.05 11-03-07_08.00.05 0
+2nd test2-11-03-07_07.59.55.log test2.log 11-03-07_07.59.55 11-03-07_08.00.05 0
+2nd test2-11-03-07_08.00.05.log test2.log 11-03-07_08.00.05 11-03-07_08.59.55 0
+1st test-11-03-07_08.00.05.log test.log 11-03-07_08.00.05 11-03-07_09.00.05 0
+2nd test2-11-03-07_08.59.55.log test2.log 11-03-07_08.59.55 11-03-07_09.00.05 0
+2nd test2-11-03-07_09.00.05.log test2.log 11-03-07_09.00.05 11-03-07_09.59.55 0
+1st test-11-03-07_09.00.05.log test.log 11-03-07_09.00.05 11-03-07_10.00.05 0
+2nd test2-11-03-07_09.59.55.log test2.log 11-03-07_09.59.55 11-03-07_10.00.05 0
+2nd test2-11-03-07_10.00.05.log test2.log 11-03-07_10.00.05 11-03-07_10.59.55 0
+1st test-11-03-07_10.00.05.log test.log 11-03-07_10.00.05 11-03-07_11.00.05 0
+2nd test2-11-03-07_10.59.55.log test2.log 11-03-07_10.59.55 11-03-07_11.00.05 0
+2nd test2-11-03-07_11.00.05.log test2.log 11-03-07_11.00.05 11-03-07_11.59.55 0
+1st test-11-03-07_11.00.05.log test.log 11-03-07_11.00.05 11-03-07_12.00.05 0
+2nd test2-11-03-07_11.59.55.log test2.log 11-03-07_11.59.55 11-03-07_12.00.05 0
+2nd test2-11-03-07_12.00.05.log test2.log 11-03-07_12.00.05 11-03-07_12.59.55 0
+1st test-11-03-07_12.00.05.log test.log 11-03-07_12.00.05 11-03-07_12.59.55 1
+2nd test2-11-03-07_12.59.55.log test2.log 11-03-07_12.59.55 11-03-07_12.59.55 1
+# t	id.orig_h	id.orig_p	id.resp_h	id.resp_p
+1299466805.0	10.0.0.1	20	10.0.0.2	1024
+1299470395.0	10.0.0.2	20	10.0.0.3	0
+1299470405.0	10.0.0.1	20	10.0.0.2	1025
+1299473995.0	10.0.0.2	20	10.0.0.3	1
+1299474005.0	10.0.0.1	20	10.0.0.2	1026
+1299477595.0	10.0.0.2	20	10.0.0.3	2
+1299477605.0	10.0.0.1	20	10.0.0.2	1027
+1299481195.0	10.0.0.2	20	10.0.0.3	3
+1299481205.0	10.0.0.1	20	10.0.0.2	1028
+1299484795.0	10.0.0.2	20	10.0.0.3	4
+1299484805.0	10.0.0.1	20	10.0.0.2	1029
+1299488395.0	10.0.0.2	20	10.0.0.3	5
+1299488405.0	10.0.0.1	20	10.0.0.2	1030
+1299491995.0	10.0.0.2	20	10.0.0.3	6
+1299492005.0	10.0.0.1	20	10.0.0.2	1031
+1299495595.0	10.0.0.2	20	10.0.0.3	7
+1299495605.0	10.0.0.1	20	10.0.0.2	1032
+1299499195.0	10.0.0.2	20	10.0.0.3	8
+1299499205.0	10.0.0.1	20	10.0.0.2	1033
+1299502795.0	10.0.0.2	20	10.0.0.3	9
+> test-11-03-07_03.00.05.log
+> test-11-03-07_04.00.05.log
+> test-11-03-07_05.00.05.log
+> test-11-03-07_06.00.05.log
+> test-11-03-07_07.00.05.log
+> test-11-03-07_08.00.05.log
+> test-11-03-07_09.00.05.log
+> test-11-03-07_10.00.05.log
+> test-11-03-07_11.00.05.log
+> test-11-03-07_12.00.05.log
+> test.log
+> test2-11-03-07_03.00.05.log
+> test2-11-03-07_03.59.55.log
+> test2-11-03-07_04.00.05.log
+> test2-11-03-07_04.59.55.log
+> test2-11-03-07_05.00.05.log
+> test2-11-03-07_05.59.55.log
+> test2-11-03-07_06.00.05.log
+> test2-11-03-07_06.59.55.log
+> test2-11-03-07_07.00.05.log
+> test2-11-03-07_07.59.55.log
+> test2-11-03-07_08.00.05.log
+> test2-11-03-07_08.59.55.log
+> test2-11-03-07_09.00.05.log
+> test2-11-03-07_09.59.55.log
+> test2-11-03-07_10.00.05.log
+> test2-11-03-07_10.59.55.log
+> test2-11-03-07_11.00.05.log
+> test2-11-03-07_11.59.55.log
+> test2-11-03-07_12.00.05.log
+> test2-11-03-07_12.59.55.log
+> test2.log
diff --git a/testing/btest/Baseline/logging.rotate/out b/testing/btest/Baseline/logging.rotate/out
new file mode 100644
index 0000000000..e8d327584e
--- /dev/null
+++ b/testing/btest/Baseline/logging.rotate/out
@@ -0,0 +1,50 @@
+test-11-03-07_03.00.05.log test.log 11-03-07_03.00.05 11-03-07_04.00.05 0
+test-11-03-07_04.00.05.log test.log 11-03-07_04.00.05 11-03-07_05.00.05 0
+test-11-03-07_05.00.05.log test.log 11-03-07_05.00.05 11-03-07_06.00.05 0
+test-11-03-07_06.00.05.log test.log 11-03-07_06.00.05 11-03-07_07.00.05 0
+test-11-03-07_07.00.05.log test.log 11-03-07_07.00.05 11-03-07_08.00.05 0
+test-11-03-07_08.00.05.log test.log 11-03-07_08.00.05 11-03-07_09.00.05 0
+test-11-03-07_09.00.05.log test.log 11-03-07_09.00.05 11-03-07_10.00.05 0
+test-11-03-07_10.00.05.log test.log 11-03-07_10.00.05 11-03-07_11.00.05 0
+test-11-03-07_11.00.05.log test.log 11-03-07_11.00.05 11-03-07_12.00.05 0
+test-11-03-07_12.00.05.log test.log 11-03-07_12.00.05 11-03-07_12.59.55 1
+> test-11-03-07_03.00.05.log
+# t	id.orig_h	id.orig_p	id.resp_h	id.resp_p
+1299466805.0	10.0.0.1	20	10.0.0.2	1024
+1299470395.0	10.0.0.2	20	10.0.0.3	0
+> test-11-03-07_04.00.05.log
+# t	id.orig_h	id.orig_p	id.resp_h	id.resp_p
+1299470405.0	10.0.0.1	20	10.0.0.2	1025
+1299473995.0	10.0.0.2	20	10.0.0.3	1
+> test-11-03-07_05.00.05.log
+# t	id.orig_h	id.orig_p	id.resp_h	id.resp_p
+1299474005.0	10.0.0.1	20	10.0.0.2	1026
+1299477595.0	10.0.0.2	20	10.0.0.3	2
+> test-11-03-07_06.00.05.log
+# t	id.orig_h	id.orig_p	id.resp_h	id.resp_p
+1299477605.0	10.0.0.1	20	10.0.0.2	1027
+1299481195.0	10.0.0.2	20	10.0.0.3	3
+> test-11-03-07_07.00.05.log
+# t	id.orig_h	id.orig_p	id.resp_h	id.resp_p
+1299481205.0	10.0.0.1	20	10.0.0.2	1028
+1299484795.0	10.0.0.2	20	10.0.0.3	4
+> test-11-03-07_08.00.05.log
+# t	id.orig_h	id.orig_p	id.resp_h	id.resp_p
+1299484805.0	10.0.0.1	20	10.0.0.2	1029
+1299488395.0	10.0.0.2	20	10.0.0.3	5
+> test-11-03-07_09.00.05.log
+# t	id.orig_h	id.orig_p	id.resp_h	id.resp_p
+1299488405.0	10.0.0.1	20	10.0.0.2	1030
+1299491995.0	10.0.0.2	20	10.0.0.3	6
+> test-11-03-07_10.00.05.log
+# t	id.orig_h	id.orig_p	id.resp_h	id.resp_p
+1299492005.0	10.0.0.1	20	10.0.0.2	1031
+1299495595.0	10.0.0.2	20	10.0.0.3	7
+> test-11-03-07_11.00.05.log
+# t	id.orig_h	id.orig_p	id.resp_h	id.resp_p
+1299495605.0	10.0.0.1	20	10.0.0.2	1032
+1299499195.0	10.0.0.2	20	10.0.0.3	8
+> test-11-03-07_12.00.05.log
+# t	id.orig_h	id.orig_p	id.resp_h	id.resp_p
+1299499205.0	10.0.0.1	20	10.0.0.2	1033
+1299502795.0	10.0.0.2	20	10.0.0.3	9
diff --git a/testing/btest/Baseline/logging.stdout/output b/testing/btest/Baseline/logging.stdout/output
new file mode 100644
index 0000000000..4c73aed8e4
--- /dev/null
+++ b/testing/btest/Baseline/logging.stdout/output
@@ -0,0 +1,6 @@
+# t	id.orig_h	id.orig_p	id.resp_h	id.resp_p	status	country
+1299718506.28824	1.2.3.4	1234	2.3.4.5	80	success	unknown
+1299718506.28824	1.2.3.4	1234	2.3.4.5	80	failure	US
+1299718506.28824	1.2.3.4	1234	2.3.4.5	80	failure	UK
+1299718506.28824	1.2.3.4	1234	2.3.4.5	80	success	BR
+1299718506.28824	1.2.3.4	1234	2.3.4.5	80	failure	MX
diff --git a/testing/btest/Baseline/logging.test-logging/ssh.log b/testing/btest/Baseline/logging.test-logging/ssh.log
new file mode 100644
index 0000000000..82523b7c13
--- /dev/null
+++ b/testing/btest/Baseline/logging.test-logging/ssh.log
@@ -0,0 +1,6 @@
+# t	id.orig_h	id.orig_p	id.resp_h	id.resp_p	status	country
+1299718506.1313	1.2.3.4	1234	2.3.4.5	80	success	unknown
+1299718506.1313	1.2.3.4	1234	2.3.4.5	80	failure	US
+1299718506.1313	1.2.3.4	1234	2.3.4.5	80	failure	UK
+1299718506.1313	1.2.3.4	1234	2.3.4.5	80	success	BR
+1299718506.1313	1.2.3.4	1234	2.3.4.5	80	failure	MX
diff --git a/testing/btest/Baseline/logging.types/ssh.log b/testing/btest/Baseline/logging.types/ssh.log
new file mode 100644
index 0000000000..02e5b69579
--- /dev/null
+++ b/testing/btest/Baseline/logging.types/ssh.log
@@ -0,0 +1,2 @@
+# b	i	e	c	p	sn	n	a	d	t	iv	s	sc	ss	se	vc	ve
+T	-42	SSH::SSH	21	123	10.0.0.0/24	10.0.0.0	1.2.3.4	3.14	1304093423.61814	100.0	hurz	2,4,1,3	CC,AA,BB	EMPTY	10,20,30	EMPTY
diff --git a/testing/btest/Baseline/logging.vec/ssh.log b/testing/btest/Baseline/logging.vec/ssh.log
new file mode 100644
index 0000000000..1602f7d1c0
--- /dev/null
+++ b/testing/btest/Baseline/logging.vec/ssh.log
@@ -0,0 +1,2 @@
+# vec
+-,2,-,-,5
diff --git a/testing/btest/Baseline/policy.known-hosts-test/.stderr b/testing/btest/Baseline/policy.known-hosts-test/.stderr
new file mode 100644
index 0000000000..171bb7a83b
--- /dev/null
+++ b/testing/btest/Baseline/policy.known-hosts-test/.stderr
@@ -0,0 +1,34 @@
+weird: 1300475167.097012 non_IPv4_packet
+1300475168.652003 weird: bad_TCP_checksum
+1300475168.784020 weird: bad_TCP_checksum
+1300475168.853899 weird: bad_UDP_checksum
+1300475168.854378 weird: bad_UDP_checksum
+1300475168.854837 weird: bad_UDP_checksum
+1300475168.857956 weird: bad_UDP_checksum
+1300475168.858306 weird: bad_UDP_checksum
+1300475168.858713 weird: bad_UDP_checksum
+1300475168.891644 weird: bad_UDP_checksum
+1300475168.892037 weird: bad_UDP_checksum
+1300475168.892414 weird: bad_UDP_checksum
+1300475168.893988 weird: bad_UDP_checksum
+1300475168.894422 weird: bad_UDP_checksum
+1300475168.894787 weird: bad_UDP_checksum
+1300475168.901749 weird: bad_UDP_checksum
+1300475168.902195 weird: bad_UDP_checksum
+1300475168.916018 weird: bad_TCP_checksum
+1300475168.916183 weird: bad_TCP_checksum
+1300475168.918358 weird: bad_TCP_checksum
+1300475168.952296 weird: bad_TCP_checksum
+1300475168.952307 weird: bad_TCP_checksum
+1300475168.954820 weird: bad_TCP_checksum
+1300475168.962687 weird: bad_TCP_checksum
+1300475168.975934 weird: bad_TCP_checksum
+1300475168.976436 weird: bad_TCP_checksum
+1300475168.979264 weird: bad_TCP_checksum
+1300475169.014593 weird: bad_TCP_checksum
+1300475169.014619 weird: bad_TCP_checksum
+1300475169.014927 weird: bad_TCP_checksum
+weird: 1300475171.675372 non_IPv4_packet
+weird: 1300475171.775468 non_IPv4_packet
+weird: 1300475173.116749 non_IPv4_packet
+weird: 1300475173.216550 non_IPv4_packet
diff --git a/AUTHORS b/testing/btest/Baseline/policy.known-hosts-test/.stdout
similarity index 100%
rename from AUTHORS
rename to testing/btest/Baseline/policy.known-hosts-test/.stdout
diff --git a/testing/btest/Baseline/policy.known-hosts-test/KNOWN_HOSTS b/testing/btest/Baseline/policy.known-hosts-test/KNOWN_HOSTS
new file mode 100644
index 0000000000..992d3455b6
--- /dev/null
+++ b/testing/btest/Baseline/policy.known-hosts-test/KNOWN_HOSTS
@@ -0,0 +1,5 @@
+ts	address
+1300475168.78384	141.142.220.118	
+1300475168.78384	208.80.152.118	
+1300475168.91594	208.80.152.3	
+1300475168.96263	208.80.152.2	
diff --git a/testing/btest/Baseline/policy.known-services-test/.stderr b/testing/btest/Baseline/policy.known-services-test/.stderr
new file mode 100644
index 0000000000..edd7910864
--- /dev/null
+++ b/testing/btest/Baseline/policy.known-services-test/.stderr
@@ -0,0 +1,12472 @@
+964800422.434095 weird: spontaneous_FIN
+964800422.434173 weird: spontaneous_FIN
+964800422.434243 weird: spontaneous_FIN
+964800422.445760 weird: spontaneous_FIN
+964800422.445848 weird: spontaneous_FIN
+964800422.445922 weird: spontaneous_FIN
+964800422.445989 weird: spontaneous_FIN
+964800422.446064 weird: spontaneous_FIN
+964800422.446138 weird: spontaneous_FIN
+964800422.446216 weird: spontaneous_FIN
+964800422.446287 weird: spontaneous_FIN
+964800422.446365 weird: spontaneous_FIN
+964800422.446438 weird: spontaneous_FIN
+964800422.446510 weird: spontaneous_FIN
+964800422.446582 weird: spontaneous_FIN
+964800422.446651 weird: spontaneous_FIN
+964800422.446723 weird: spontaneous_FIN
+964800422.446792 weird: spontaneous_FIN
+964800422.446863 weird: spontaneous_FIN
+964800422.446933 weird: spontaneous_FIN
+964800422.447006 weird: spontaneous_FIN
+964800422.447079 weird: spontaneous_FIN
+964800422.447153 weird: spontaneous_FIN
+964800422.447228 weird: spontaneous_FIN
+964800422.447301 weird: spontaneous_FIN
+964800422.447386 weird: spontaneous_FIN
+964800422.447470 weird: spontaneous_FIN
+964800422.447551 weird: spontaneous_FIN
+964800422.447629 weird: spontaneous_FIN
+964800422.447710 weird: spontaneous_FIN
+964800422.447788 weird: spontaneous_FIN
+964800422.447866 weird: spontaneous_FIN
+964800422.447945 weird: spontaneous_FIN
+964800422.448022 weird: spontaneous_FIN
+964800422.448099 weird: spontaneous_FIN
+964800422.448177 weird: spontaneous_FIN
+964800422.448259 weird: spontaneous_FIN
+964800422.448335 weird: spontaneous_FIN
+964800422.448408 weird: spontaneous_FIN
+964800422.448482 weird: spontaneous_FIN
+964800422.448559 weird: spontaneous_FIN
+964800422.448637 weird: spontaneous_FIN
+964800422.448712 weird: spontaneous_FIN
+964800422.448787 weird: spontaneous_FIN
+964800422.448862 weird: spontaneous_FIN
+964800422.448934 weird: spontaneous_FIN
+964800422.449006 weird: spontaneous_FIN
+964800422.449075 weird: spontaneous_FIN
+964800422.449141 weird: spontaneous_FIN
+964800422.449209 weird: spontaneous_FIN
+964800422.449280 weird: spontaneous_FIN
+964800422.449354 weird: spontaneous_FIN
+964800422.449427 weird: spontaneous_FIN
+964800422.449501 weird: spontaneous_FIN
+964800422.449576 weird: spontaneous_FIN
+964800422.449648 weird: spontaneous_FIN
+964800422.449721 weird: spontaneous_FIN
+964800422.449793 weird: spontaneous_FIN
+964800422.449865 weird: spontaneous_FIN
+964800422.449938 weird: spontaneous_FIN
+964800422.450010 weird: spontaneous_FIN
+964800422.450083 weird: spontaneous_FIN
+964800422.450156 weird: spontaneous_FIN
+964800422.450234 weird: spontaneous_FIN
+964800422.450311 weird: spontaneous_FIN
+964800422.450386 weird: spontaneous_FIN
+964800422.450458 weird: spontaneous_FIN
+964800422.450532 weird: spontaneous_FIN
+964800422.450608 weird: spontaneous_FIN
+964800422.450686 weird: spontaneous_FIN
+964800422.450758 weird: spontaneous_FIN
+964800422.450834 weird: spontaneous_FIN
+964800422.544034 weird: spontaneous_FIN
+964800422.544112 weird: spontaneous_FIN
+964800422.544185 weird: spontaneous_FIN
+964800422.544253 weird: spontaneous_FIN
+964800422.544322 weird: spontaneous_FIN
+964800422.544392 weird: spontaneous_FIN
+964800422.544466 weird: spontaneous_FIN
+964800422.544537 weird: spontaneous_FIN
+964800422.544613 weird: spontaneous_FIN
+964800422.544690 weird: spontaneous_FIN
+964800422.544765 weird: spontaneous_FIN
+964800422.544834 weird: spontaneous_FIN
+964800422.544909 weird: spontaneous_FIN
+964800422.544985 weird: spontaneous_FIN
+964800422.545057 weird: spontaneous_FIN
+964800422.545131 weird: spontaneous_FIN
+964800422.545205 weird: spontaneous_FIN
+964800422.545280 weird: spontaneous_FIN
+964800422.545360 weird: spontaneous_FIN
+964800422.545435 weird: spontaneous_FIN
+964800422.545514 weird: spontaneous_FIN
+964800422.545593 weird: spontaneous_FIN
+964800422.545671 weird: spontaneous_FIN
+964800422.545755 weird: spontaneous_FIN
+964800422.545833 weird: spontaneous_FIN
+964800422.545916 weird: spontaneous_FIN
+964800422.546002 weird: spontaneous_FIN
+964800422.546082 weird: spontaneous_FIN
+964800422.546172 weird: spontaneous_FIN
+964800422.546260 weird: spontaneous_FIN
+964800422.546345 weird: spontaneous_FIN
+964800422.546431 weird: spontaneous_FIN
+964800422.546518 weird: spontaneous_FIN
+964800422.546600 weird: spontaneous_FIN
+964800422.546688 weird: spontaneous_FIN
+964800422.546772 weird: spontaneous_FIN
+964800422.546857 weird: spontaneous_FIN
+964800422.546935 weird: spontaneous_FIN
+964800422.547021 weird: spontaneous_FIN
+964800422.547110 weird: spontaneous_FIN
+964800422.547193 weird: spontaneous_FIN
+964800422.547272 weird: spontaneous_FIN
+964800422.547346 weird: spontaneous_FIN
+964800422.547423 weird: spontaneous_FIN
+964800422.547499 weird: spontaneous_FIN
+964800422.547578 weird: spontaneous_FIN
+964800422.547829 weird: spontaneous_FIN
+964800422.547992 weird: spontaneous_FIN
+964800422.548156 weird: spontaneous_FIN
+964800422.548322 weird: spontaneous_FIN
+964800422.548486 weird: spontaneous_FIN
+964800422.548652 weird: spontaneous_FIN
+964800422.548818 weird: spontaneous_FIN
+964800422.548983 weird: spontaneous_FIN
+964800422.549147 weird: spontaneous_FIN
+964800422.549311 weird: spontaneous_FIN
+964800422.549315 weird: spontaneous_FIN
+964800422.549337 weird: spontaneous_FIN
+964800422.549345 weird: spontaneous_FIN
+964800422.549350 weird: spontaneous_FIN
+964800422.549355 weird: spontaneous_FIN
+964800422.549359 weird: spontaneous_FIN
+964800422.549365 weird: spontaneous_FIN
+964800422.549370 weird: spontaneous_FIN
+964800422.549375 weird: spontaneous_FIN
+964800422.549380 weird: spontaneous_FIN
+964800422.549385 weird: spontaneous_FIN
+964800422.549390 weird: spontaneous_FIN
+964800422.549395 weird: spontaneous_FIN
+964800422.549427 weird: spontaneous_FIN
+964800422.549499 weird: spontaneous_FIN
+964800422.549582 weird: spontaneous_FIN
+964800422.644083 weird: spontaneous_FIN
+964800422.644166 weird: spontaneous_FIN
+964800422.644236 weird: spontaneous_FIN
+964800422.644304 weird: spontaneous_FIN
+964800422.644371 weird: spontaneous_FIN
+964800422.644438 weird: spontaneous_FIN
+964800422.644512 weird: spontaneous_FIN
+964800422.644587 weird: spontaneous_FIN
+964800422.644822 weird: spontaneous_FIN
+964800422.644996 weird: spontaneous_FIN
+964800422.645163 weird: spontaneous_FIN
+964800422.645327 weird: spontaneous_FIN
+964800422.645492 weird: spontaneous_FIN
+964800422.645658 weird: spontaneous_FIN
+964800422.645823 weird: spontaneous_FIN
+964800422.645987 weird: spontaneous_FIN
+964800422.646152 weird: spontaneous_FIN
+964800422.646316 weird: spontaneous_FIN
+964800422.646480 weird: spontaneous_FIN
+964800422.646645 weird: spontaneous_FIN
+964800422.646650 weird: spontaneous_FIN
+964800422.646671 weird: spontaneous_FIN
+964800422.646677 weird: spontaneous_FIN
+964800422.646682 weird: spontaneous_FIN
+964800422.646688 weird: spontaneous_FIN
+964800422.646693 weird: spontaneous_FIN
+964800422.646698 weird: spontaneous_FIN
+964800422.646703 weird: spontaneous_FIN
+964800422.646708 weird: spontaneous_FIN
+964800422.646713 weird: spontaneous_FIN
+964800422.646718 weird: spontaneous_FIN
+964800422.646723 weird: spontaneous_FIN
+964800422.646727 weird: spontaneous_FIN
+964800422.646732 weird: spontaneous_FIN
+964800422.646738 weird: spontaneous_FIN
+964800422.646742 weird: spontaneous_FIN
+964800422.646774 weird: spontaneous_FIN
+964800422.646847 weird: spontaneous_FIN
+964800422.646928 weird: spontaneous_FIN
+964800422.647004 weird: spontaneous_FIN
+964800422.647085 weird: spontaneous_FIN
+964800422.647163 weird: spontaneous_FIN
+964800422.647240 weird: spontaneous_FIN
+964800422.647319 weird: spontaneous_FIN
+964800422.647391 weird: spontaneous_FIN
+964800422.647462 weird: spontaneous_FIN
+964800422.647535 weird: spontaneous_FIN
+964800422.647607 weird: spontaneous_FIN
+964800422.647680 weird: spontaneous_FIN
+964800422.647747 weird: spontaneous_FIN
+964800422.647818 weird: spontaneous_FIN
+964800422.647892 weird: spontaneous_FIN
+964800422.647964 weird: spontaneous_FIN
+964800422.648035 weird: spontaneous_FIN
+964800422.648105 weird: spontaneous_FIN
+964800422.648180 weird: spontaneous_FIN
+964800422.648252 weird: spontaneous_FIN
+964800422.648325 weird: spontaneous_FIN
+964800422.648399 weird: spontaneous_FIN
+964800422.648473 weird: spontaneous_FIN
+964800422.648548 weird: spontaneous_FIN
+964800422.648620 weird: spontaneous_FIN
+964800422.648694 weird: spontaneous_FIN
+964800422.648767 weird: spontaneous_FIN
+964800422.648844 weird: spontaneous_FIN
+964800422.648922 weird: spontaneous_FIN
+964800422.648998 weird: spontaneous_FIN
+964800422.649075 weird: spontaneous_FIN
+964800422.649140 weird: spontaneous_FIN
+964800422.649221 weird: spontaneous_FIN
+964800422.649295 weird: spontaneous_FIN
+964800422.649373 weird: spontaneous_FIN
+964800422.744052 weird: spontaneous_FIN
+964800422.744135 weird: spontaneous_FIN
+964800422.744209 weird: spontaneous_FIN
+964800422.744282 weird: spontaneous_FIN
+964800422.744352 weird: spontaneous_FIN
+964800422.744427 weird: spontaneous_FIN
+964800422.744499 weird: spontaneous_FIN
+964800422.744732 weird: spontaneous_FIN
+964800422.744904 weird: spontaneous_FIN
+964800422.745069 weird: spontaneous_FIN
+964800422.745233 weird: spontaneous_FIN
+964800422.745399 weird: spontaneous_FIN
+964800422.745564 weird: spontaneous_FIN
+964800422.745730 weird: spontaneous_FIN
+964800422.745735 weird: spontaneous_FIN
+964800422.745756 weird: spontaneous_FIN
+964800422.745761 weird: spontaneous_FIN
+964800422.745766 weird: spontaneous_FIN
+964800422.745771 weird: spontaneous_FIN
+964800422.745776 weird: spontaneous_FIN
+964800422.745780 weird: spontaneous_FIN
+964800422.745786 weird: spontaneous_FIN
+964800422.745791 weird: spontaneous_FIN
+964800422.745796 weird: spontaneous_FIN
+964800422.745870 weird: spontaneous_FIN
+964800422.745956 weird: spontaneous_FIN
+964800422.746035 weird: spontaneous_FIN
+964800422.746116 weird: spontaneous_FIN
+964800422.746201 weird: spontaneous_FIN
+964800422.746286 weird: spontaneous_FIN
+964800422.746368 weird: spontaneous_FIN
+964800422.746447 weird: spontaneous_FIN
+964800422.746528 weird: spontaneous_FIN
+964800422.746613 weird: spontaneous_FIN
+964800422.746690 weird: spontaneous_FIN
+964800422.746771 weird: spontaneous_FIN
+964800422.746849 weird: spontaneous_FIN
+964800422.746929 weird: spontaneous_FIN
+964800422.747014 weird: spontaneous_FIN
+964800422.747096 weird: spontaneous_FIN
+964800422.747338 weird: spontaneous_FIN
+964800422.747503 weird: spontaneous_FIN
+964800422.747668 weird: spontaneous_FIN
+964800422.747832 weird: spontaneous_FIN
+964800422.747997 weird: spontaneous_FIN
+964800422.748161 weird: spontaneous_FIN
+964800422.748327 weird: spontaneous_FIN
+964800422.748490 weird: spontaneous_FIN
+964800422.748655 weird: spontaneous_FIN
+964800422.748820 weird: spontaneous_FIN
+964800422.748984 weird: spontaneous_FIN
+964800422.749148 weird: spontaneous_FIN
+964800422.749153 weird: spontaneous_FIN
+964800422.749173 weird: spontaneous_FIN
+964800422.749179 weird: spontaneous_FIN
+964800422.749183 weird: spontaneous_FIN
+964800422.749188 weird: spontaneous_FIN
+964800422.749193 weird: spontaneous_FIN
+964800422.749198 weird: spontaneous_FIN
+964800422.749204 weird: spontaneous_FIN
+964800422.749209 weird: spontaneous_FIN
+964800422.749214 weird: spontaneous_FIN
+964800422.749219 weird: spontaneous_FIN
+964800422.749225 weird: spontaneous_FIN
+964800422.749230 weird: spontaneous_FIN
+964800422.749235 weird: spontaneous_FIN
+964800422.749240 weird: spontaneous_FIN
+964800422.749294 weird: spontaneous_FIN
+964800422.749374 weird: spontaneous_FIN
+964800422.749451 weird: spontaneous_FIN
+964800422.749533 weird: spontaneous_FIN
+964800422.749623 weird: spontaneous_FIN
+964800422.844149 weird: spontaneous_FIN
+964800422.844234 weird: spontaneous_FIN
+964800422.844304 weird: spontaneous_FIN
+964800422.844377 weird: spontaneous_FIN
+964800422.844440 weird: spontaneous_FIN
+964800422.844511 weird: spontaneous_FIN
+964800422.844583 weird: spontaneous_FIN
+964800422.844657 weird: spontaneous_FIN
+964800422.844732 weird: spontaneous_FIN
+964800422.844806 weird: spontaneous_FIN
+964800422.844876 weird: spontaneous_FIN
+964800422.844950 weird: spontaneous_FIN
+964800422.845021 weird: spontaneous_FIN
+964800422.845096 weird: spontaneous_FIN
+964800422.845170 weird: spontaneous_FIN
+964800422.845403 weird: spontaneous_FIN
+964800422.845569 weird: spontaneous_FIN
+964800422.845734 weird: spontaneous_FIN
+964800422.845899 weird: spontaneous_FIN
+964800422.846064 weird: spontaneous_FIN
+964800422.846228 weird: spontaneous_FIN
+964800422.846394 weird: spontaneous_FIN
+964800422.846559 weird: spontaneous_FIN
+964800422.846723 weird: spontaneous_FIN
+964800422.846890 weird: spontaneous_FIN
+964800422.847055 weird: spontaneous_FIN
+964800422.847219 weird: spontaneous_FIN
+964800422.847386 weird: spontaneous_FIN
+964800422.847553 weird: spontaneous_FIN
+964800422.847559 weird: spontaneous_FIN
+964800422.847580 weird: spontaneous_FIN
+964800422.847585 weird: spontaneous_FIN
+964800422.847590 weird: spontaneous_FIN
+964800422.847595 weird: spontaneous_FIN
+964800422.847600 weird: spontaneous_FIN
+964800422.847605 weird: spontaneous_FIN
+964800422.847610 weird: spontaneous_FIN
+964800422.847615 weird: spontaneous_FIN
+964800422.847620 weird: spontaneous_FIN
+964800422.847626 weird: spontaneous_FIN
+964800422.847631 weird: spontaneous_FIN
+964800422.847636 weird: spontaneous_FIN
+964800422.847641 weird: spontaneous_FIN
+964800422.847646 weird: spontaneous_FIN
+964800422.847651 weird: spontaneous_FIN
+964800422.847656 weird: spontaneous_FIN
+964800422.847661 weird: spontaneous_FIN
+964800422.847696 weird: spontaneous_FIN
+964800422.847765 weird: spontaneous_FIN
+964800422.847834 weird: spontaneous_FIN
+964800422.847910 weird: spontaneous_FIN
+964800422.847973 weird: spontaneous_FIN
+964800422.848041 weird: spontaneous_FIN
+964800422.848116 weird: spontaneous_FIN
+964800422.848181 weird: spontaneous_FIN
+964800422.848250 weird: spontaneous_FIN
+964800422.848323 weird: spontaneous_FIN
+964800422.848397 weird: spontaneous_FIN
+964800422.848467 weird: spontaneous_FIN
+964800422.848538 weird: spontaneous_FIN
+964800422.848604 weird: spontaneous_FIN
+964800422.848676 weird: spontaneous_FIN
+964800422.848751 weird: spontaneous_FIN
+964800422.848827 weird: spontaneous_FIN
+964800422.848903 weird: spontaneous_FIN
+964800422.848968 weird: spontaneous_FIN
+964800422.849041 weird: spontaneous_FIN
+964800422.849113 weird: spontaneous_FIN
+964800422.849186 weird: spontaneous_FIN
+964800422.849253 weird: spontaneous_FIN
+964800422.849321 weird: spontaneous_FIN
+964800422.849397 weird: spontaneous_FIN
+964800422.934046 weird: spontaneous_FIN
+964800422.934128 weird: spontaneous_FIN
+964800422.934206 weird: spontaneous_FIN
+964800422.934284 weird: spontaneous_FIN
+964800422.934362 weird: spontaneous_FIN
+964800422.934438 weird: spontaneous_FIN
+964800422.934513 weird: spontaneous_FIN
+964800422.934587 weird: spontaneous_FIN
+964800422.934666 weird: spontaneous_FIN
+964800422.934748 weird: spontaneous_FIN
+964800422.934820 weird: spontaneous_FIN
+964800422.934900 weird: spontaneous_FIN
+964800422.934970 weird: spontaneous_FIN
+964800422.935045 weird: spontaneous_FIN
+964800422.935120 weird: spontaneous_FIN
+964800422.935193 weird: spontaneous_FIN
+964800422.935270 weird: spontaneous_FIN
+964800422.935358 weird: spontaneous_FIN
+964800422.935427 weird: spontaneous_FIN
+964800422.935501 weird: spontaneous_FIN
+964800422.935583 weird: spontaneous_FIN
+964800422.935666 weird: spontaneous_FIN
+964800422.935749 weird: spontaneous_FIN
+964800422.935826 weird: spontaneous_FIN
+964800422.936073 weird: spontaneous_FIN
+964800422.936237 weird: spontaneous_FIN
+964800422.936242 weird: spontaneous_FIN
+964800422.936265 weird: spontaneous_FIN
+964800422.936271 weird: spontaneous_FIN
+964800422.936345 weird: spontaneous_FIN
+964800422.936426 weird: spontaneous_FIN
+964800422.936506 weird: spontaneous_FIN
+964800422.936591 weird: spontaneous_FIN
+964800422.936669 weird: spontaneous_FIN
+964800422.936753 weird: spontaneous_FIN
+964800422.936839 weird: spontaneous_FIN
+964800422.936915 weird: spontaneous_FIN
+964800422.936995 weird: spontaneous_FIN
+964800422.937086 weird: spontaneous_FIN
+964800422.937174 weird: spontaneous_FIN
+964800422.937252 weird: spontaneous_FIN
+964800422.937328 weird: spontaneous_FIN
+964800422.937413 weird: spontaneous_FIN
+964800422.937487 weird: spontaneous_FIN
+964800422.937562 weird: spontaneous_FIN
+964800422.937639 weird: spontaneous_FIN
+964800422.937716 weird: spontaneous_FIN
+964800422.937797 weird: spontaneous_FIN
+964800422.937870 weird: spontaneous_FIN
+964800422.937949 weird: spontaneous_FIN
+964800422.938027 weird: spontaneous_FIN
+964800422.938103 weird: spontaneous_FIN
+964800422.938179 weird: spontaneous_FIN
+964800422.938258 weird: spontaneous_FIN
+964800422.938330 weird: spontaneous_FIN
+964800422.938404 weird: spontaneous_FIN
+964800422.938481 weird: spontaneous_FIN
+964800422.938551 weird: spontaneous_FIN
+964800422.938627 weird: spontaneous_FIN
+964800422.938698 weird: spontaneous_FIN
+964800422.938772 weird: spontaneous_FIN
+964800422.938848 weird: spontaneous_FIN
+964800422.938920 weird: spontaneous_FIN
+964800422.938992 weird: spontaneous_FIN
+964800422.939070 weird: spontaneous_FIN
+964800422.939145 weird: spontaneous_FIN
+964800422.939220 weird: spontaneous_FIN
+964800422.939296 weird: spontaneous_FIN
+964800422.939373 weird: spontaneous_FIN
+964800422.939451 weird: spontaneous_FIN
+964800422.939525 weird: spontaneous_FIN
+964800422.939607 weird: spontaneous_FIN
+964800423.034134 weird: spontaneous_FIN
+964800423.034207 weird: spontaneous_FIN
+964800423.034280 weird: spontaneous_FIN
+964800423.034351 weird: spontaneous_FIN
+964800423.034421 weird: spontaneous_FIN
+964800423.034493 weird: spontaneous_FIN
+964800423.034566 weird: spontaneous_FIN
+964800423.034642 weird: spontaneous_FIN
+964800423.034719 weird: spontaneous_FIN
+964800423.034798 weird: spontaneous_FIN
+964800423.034874 weird: spontaneous_FIN
+964800423.034946 weird: spontaneous_FIN
+964800423.035014 weird: spontaneous_FIN
+964800423.035083 weird: spontaneous_FIN
+964800423.035153 weird: spontaneous_FIN
+964800423.035237 weird: spontaneous_FIN
+964800423.035289 weird: spontaneous_FIN
+964800423.035354 weird: spontaneous_FIN
+964800423.035420 weird: spontaneous_FIN
+964800423.035490 weird: spontaneous_FIN
+964800423.035557 weird: spontaneous_FIN
+964800423.035629 weird: spontaneous_FIN
+964800423.035697 weird: spontaneous_FIN
+964800423.035764 weird: spontaneous_FIN
+964800423.035837 weird: spontaneous_FIN
+964800423.035912 weird: spontaneous_FIN
+964800423.035987 weird: spontaneous_FIN
+964800423.036059 weird: spontaneous_FIN
+964800423.036133 weird: spontaneous_FIN
+964800423.036209 weird: spontaneous_FIN
+964800423.036281 weird: spontaneous_FIN
+964800423.036354 weird: spontaneous_FIN
+964800423.036434 weird: spontaneous_FIN
+964800423.036507 weird: spontaneous_FIN
+964800423.036581 weird: spontaneous_FIN
+964800423.036657 weird: spontaneous_FIN
+964800423.036742 weird: spontaneous_FIN
+964800423.036824 weird: spontaneous_FIN
+964800423.036899 weird: spontaneous_FIN
+964800423.036978 weird: spontaneous_FIN
+964800423.037055 weird: spontaneous_FIN
+964800423.037126 weird: spontaneous_FIN
+964800423.037204 weird: spontaneous_FIN
+964800423.037286 weird: spontaneous_FIN
+964800423.037355 weird: spontaneous_FIN
+964800423.037431 weird: spontaneous_FIN
+964800423.037500 weird: spontaneous_FIN
+964800423.037576 weird: spontaneous_FIN
+964800423.037648 weird: spontaneous_FIN
+964800423.037721 weird: spontaneous_FIN
+964800423.037794 weird: spontaneous_FIN
+964800423.037872 weird: spontaneous_FIN
+964800423.037947 weird: spontaneous_FIN
+964800423.038021 weird: spontaneous_FIN
+964800423.038094 weird: spontaneous_FIN
+964800423.038166 weird: spontaneous_FIN
+964800423.038239 weird: spontaneous_FIN
+964800423.038310 weird: spontaneous_FIN
+964800423.038384 weird: spontaneous_FIN
+964800423.038454 weird: spontaneous_FIN
+964800423.038528 weird: spontaneous_FIN
+964800423.038604 weird: spontaneous_FIN
+964800423.038679 weird: spontaneous_FIN
+964800423.038753 weird: spontaneous_FIN
+964800423.038834 weird: spontaneous_FIN
+964800423.038911 weird: spontaneous_FIN
+964800423.038983 weird: spontaneous_FIN
+964800423.039056 weird: spontaneous_FIN
+964800423.039129 weird: spontaneous_FIN
+964800423.039202 weird: spontaneous_FIN
+964800423.039277 weird: spontaneous_FIN
+964800423.039349 weird: spontaneous_FIN
+964800423.124059 weird: spontaneous_FIN
+964800423.124128 weird: spontaneous_FIN
+964800423.124205 weird: spontaneous_FIN
+964800423.124279 weird: spontaneous_FIN
+964800423.124353 weird: spontaneous_FIN
+964800423.124431 weird: spontaneous_FIN
+964800423.124507 weird: spontaneous_FIN
+964800423.124581 weird: spontaneous_FIN
+964800423.124660 weird: spontaneous_FIN
+964800423.124738 weird: spontaneous_FIN
+964800423.124814 weird: spontaneous_FIN
+964800423.124899 weird: spontaneous_FIN
+964800423.124966 weird: spontaneous_FIN
+964800423.125040 weird: spontaneous_FIN
+964800423.125114 weird: spontaneous_FIN
+964800423.125190 weird: spontaneous_FIN
+964800423.125264 weird: spontaneous_FIN
+964800423.125337 weird: spontaneous_FIN
+964800423.125416 weird: spontaneous_FIN
+964800423.125493 weird: spontaneous_FIN
+964800423.125577 weird: spontaneous_FIN
+964800423.125652 weird: spontaneous_FIN
+964800423.125730 weird: spontaneous_FIN
+964800423.125812 weird: spontaneous_FIN
+964800423.125893 weird: spontaneous_FIN
+964800423.125969 weird: spontaneous_FIN
+964800423.126046 weird: spontaneous_FIN
+964800423.126129 weird: spontaneous_FIN
+964800423.126206 weird: spontaneous_FIN
+964800423.126294 weird: spontaneous_FIN
+964800423.126377 weird: spontaneous_FIN
+964800423.126462 weird: spontaneous_FIN
+964800423.126543 weird: spontaneous_FIN
+964800423.126626 weird: spontaneous_FIN
+964800423.126703 weird: spontaneous_FIN
+964800423.126778 weird: spontaneous_FIN
+964800423.126858 weird: spontaneous_FIN
+964800423.126936 weird: spontaneous_FIN
+964800423.127016 weird: spontaneous_FIN
+964800423.127097 weird: spontaneous_FIN
+964800423.127176 weird: spontaneous_FIN
+964800423.127251 weird: spontaneous_FIN
+964800423.127326 weird: spontaneous_FIN
+964800423.127398 weird: spontaneous_FIN
+964800423.127478 weird: spontaneous_FIN
+964800423.127549 weird: spontaneous_FIN
+964800423.127622 weird: spontaneous_FIN
+964800423.127699 weird: spontaneous_FIN
+964800423.127776 weird: spontaneous_FIN
+964800423.127852 weird: spontaneous_FIN
+964800423.127930 weird: spontaneous_FIN
+964800423.128011 weird: spontaneous_FIN
+964800423.128088 weird: spontaneous_FIN
+964800423.128183 weird: spontaneous_FIN
+964800423.128259 weird: spontaneous_FIN
+964800423.128342 weird: spontaneous_FIN
+964800423.128417 weird: spontaneous_FIN
+964800423.128495 weird: spontaneous_FIN
+964800423.128573 weird: spontaneous_FIN
+964800423.128655 weird: spontaneous_FIN
+964800423.128733 weird: spontaneous_FIN
+964800423.128809 weird: spontaneous_FIN
+964800423.128887 weird: spontaneous_FIN
+964800423.128964 weird: spontaneous_FIN
+964800423.129041 weird: spontaneous_FIN
+964800423.129120 weird: spontaneous_FIN
+964800423.129195 weird: spontaneous_FIN
+964800423.129272 weird: spontaneous_FIN
+964800423.129350 weird: spontaneous_FIN
+964800423.129427 weird: spontaneous_FIN
+964800423.129505 weird: spontaneous_FIN
+964800423.129586 weird: spontaneous_FIN
+964800423.194316 weird: unsolicited_SYN_response
+964800423.224103 weird: spontaneous_FIN
+964800423.224183 weird: spontaneous_FIN
+964800423.224254 weird: spontaneous_FIN
+964800423.224328 weird: spontaneous_FIN
+964800423.224402 weird: spontaneous_FIN
+964800423.224470 weird: spontaneous_FIN
+964800423.224539 weird: spontaneous_FIN
+964800423.224616 weird: spontaneous_FIN
+964800423.224692 weird: spontaneous_FIN
+964800423.224763 weird: spontaneous_FIN
+964800423.224835 weird: spontaneous_FIN
+964800423.224906 weird: spontaneous_FIN
+964800423.224974 weird: spontaneous_FIN
+964800423.225044 weird: spontaneous_FIN
+964800423.225113 weird: spontaneous_FIN
+964800423.225185 weird: spontaneous_FIN
+964800423.225255 weird: spontaneous_FIN
+964800423.225325 weird: spontaneous_FIN
+964800423.225398 weird: spontaneous_FIN
+964800423.225468 weird: spontaneous_FIN
+964800423.225542 weird: spontaneous_FIN
+964800423.225612 weird: spontaneous_FIN
+964800423.225682 weird: spontaneous_FIN
+964800423.225752 weird: spontaneous_FIN
+964800423.225825 weird: spontaneous_FIN
+964800423.225904 weird: spontaneous_FIN
+964800423.225980 weird: spontaneous_FIN
+964800423.226061 weird: spontaneous_FIN
+964800423.226139 weird: spontaneous_FIN
+964800423.226223 weird: spontaneous_FIN
+964800423.226301 weird: spontaneous_FIN
+964800423.226381 weird: spontaneous_FIN
+964800423.226459 weird: spontaneous_FIN
+964800423.226532 weird: spontaneous_FIN
+964800423.226611 weird: spontaneous_FIN
+964800423.226690 weird: spontaneous_FIN
+964800423.226766 weird: spontaneous_FIN
+964800423.226844 weird: spontaneous_FIN
+964800423.226916 weird: spontaneous_FIN
+964800423.226995 weird: spontaneous_FIN
+964800423.227071 weird: spontaneous_FIN
+964800423.227149 weird: spontaneous_FIN
+964800423.227227 weird: spontaneous_FIN
+964800423.227300 weird: spontaneous_FIN
+964800423.227376 weird: spontaneous_FIN
+964800423.227449 weird: spontaneous_FIN
+964800423.227521 weird: spontaneous_FIN
+964800423.227596 weird: spontaneous_FIN
+964800423.227670 weird: spontaneous_FIN
+964800423.227744 weird: spontaneous_FIN
+964800423.227819 weird: spontaneous_FIN
+964800423.227891 weird: spontaneous_FIN
+964800423.227965 weird: spontaneous_FIN
+964800423.228047 weird: spontaneous_FIN
+964800423.228121 weird: spontaneous_FIN
+964800423.228193 weird: spontaneous_FIN
+964800423.228267 weird: spontaneous_FIN
+964800423.228346 weird: spontaneous_FIN
+964800423.228422 weird: spontaneous_FIN
+964800423.228496 weird: spontaneous_FIN
+964800423.228572 weird: spontaneous_FIN
+964800423.228646 weird: spontaneous_FIN
+964800423.228723 weird: spontaneous_FIN
+964800423.228795 weird: spontaneous_FIN
+964800423.228877 weird: spontaneous_FIN
+964800423.228956 weird: spontaneous_FIN
+964800423.229023 weird: spontaneous_FIN
+964800423.229096 weird: spontaneous_FIN
+964800423.229171 weird: spontaneous_FIN
+964800423.229246 weird: spontaneous_FIN
+964800423.229318 weird: spontaneous_FIN
+964800423.229396 weird: spontaneous_FIN
+964800423.324055 weird: spontaneous_FIN
+964800423.324128 weird: spontaneous_FIN
+964800423.324203 weird: spontaneous_FIN
+964800423.324279 weird: spontaneous_FIN
+964800423.324351 weird: spontaneous_FIN
+964800423.324425 weird: spontaneous_FIN
+964800423.324501 weird: spontaneous_FIN
+964800423.324574 weird: spontaneous_FIN
+964800423.324649 weird: spontaneous_FIN
+964800423.324729 weird: spontaneous_FIN
+964800423.324804 weird: spontaneous_FIN
+964800423.324881 weird: spontaneous_FIN
+964800423.324958 weird: spontaneous_FIN
+964800423.325032 weird: spontaneous_FIN
+964800423.325107 weird: spontaneous_FIN
+964800423.325182 weird: spontaneous_FIN
+964800423.325256 weird: spontaneous_FIN
+964800423.325328 weird: spontaneous_FIN
+964800423.325411 weird: spontaneous_FIN
+964800423.325492 weird: spontaneous_FIN
+964800423.325571 weird: spontaneous_FIN
+964800423.325652 weird: spontaneous_FIN
+964800423.325734 weird: spontaneous_FIN
+964800423.325819 weird: spontaneous_FIN
+964800423.325898 weird: spontaneous_FIN
+964800423.325980 weird: spontaneous_FIN
+964800423.326068 weird: spontaneous_FIN
+964800423.326146 weird: spontaneous_FIN
+964800423.326225 weird: spontaneous_FIN
+964800423.326310 weird: spontaneous_FIN
+964800423.326396 weird: spontaneous_FIN
+964800423.326478 weird: spontaneous_FIN
+964800423.326556 weird: spontaneous_FIN
+964800423.326636 weird: spontaneous_FIN
+964800423.326719 weird: spontaneous_FIN
+964800423.326803 weird: spontaneous_FIN
+964800423.326881 weird: spontaneous_FIN
+964800423.326960 weird: spontaneous_FIN
+964800423.327042 weird: spontaneous_FIN
+964800423.327125 weird: spontaneous_FIN
+964800423.327207 weird: spontaneous_FIN
+964800423.327284 weird: spontaneous_FIN
+964800423.327361 weird: spontaneous_FIN
+964800423.327437 weird: spontaneous_FIN
+964800423.327512 weird: spontaneous_FIN
+964800423.327586 weird: spontaneous_FIN
+964800423.327663 weird: spontaneous_FIN
+964800423.327740 weird: spontaneous_FIN
+964800423.327816 weird: spontaneous_FIN
+964800423.327890 weird: spontaneous_FIN
+964800423.327964 weird: spontaneous_FIN
+964800423.328044 weird: spontaneous_FIN
+964800423.328124 weird: spontaneous_FIN
+964800423.328202 weird: spontaneous_FIN
+964800423.328281 weird: spontaneous_FIN
+964800423.328356 weird: spontaneous_FIN
+964800423.328435 weird: spontaneous_FIN
+964800423.328512 weird: spontaneous_FIN
+964800423.328589 weird: spontaneous_FIN
+964800423.328668 weird: spontaneous_FIN
+964800423.328744 weird: spontaneous_FIN
+964800423.328820 weird: spontaneous_FIN
+964800423.328898 weird: spontaneous_FIN
+964800423.328975 weird: spontaneous_FIN
+964800423.329052 weird: spontaneous_FIN
+964800423.329130 weird: spontaneous_FIN
+964800423.329205 weird: spontaneous_FIN
+964800423.329281 weird: spontaneous_FIN
+964800423.329360 weird: spontaneous_FIN
+964800423.329433 weird: spontaneous_FIN
+964800423.329647 weird: spontaneous_FIN
+964800423.329791 weird: spontaneous_FIN
+964800423.424116 weird: spontaneous_FIN
+964800423.424198 weird: spontaneous_FIN
+964800423.424277 weird: spontaneous_FIN
+964800423.424342 weird: spontaneous_FIN
+964800423.424409 weird: spontaneous_FIN
+964800423.424479 weird: spontaneous_FIN
+964800423.424550 weird: spontaneous_FIN
+964800423.424627 weird: spontaneous_FIN
+964800423.424701 weird: spontaneous_FIN
+964800423.424776 weird: spontaneous_FIN
+964800423.424845 weird: spontaneous_FIN
+964800423.424923 weird: spontaneous_FIN
+964800423.424992 weird: spontaneous_FIN
+964800423.425062 weird: spontaneous_FIN
+964800423.425132 weird: spontaneous_FIN
+964800423.425205 weird: spontaneous_FIN
+964800423.425279 weird: spontaneous_FIN
+964800423.425348 weird: spontaneous_FIN
+964800423.425422 weird: spontaneous_FIN
+964800423.425490 weird: spontaneous_FIN
+964800423.425564 weird: spontaneous_FIN
+964800423.425637 weird: spontaneous_FIN
+964800423.425709 weird: spontaneous_FIN
+964800423.425784 weird: spontaneous_FIN
+964800423.425856 weird: spontaneous_FIN
+964800423.425934 weird: spontaneous_FIN
+964800423.426010 weird: spontaneous_FIN
+964800423.426085 weird: spontaneous_FIN
+964800423.426159 weird: spontaneous_FIN
+964800423.426234 weird: spontaneous_FIN
+964800423.426307 weird: spontaneous_FIN
+964800423.426386 weird: spontaneous_FIN
+964800423.426464 weird: spontaneous_FIN
+964800423.426539 weird: spontaneous_FIN
+964800423.426618 weird: spontaneous_FIN
+964800423.426696 weird: spontaneous_FIN
+964800423.426774 weird: spontaneous_FIN
+964800423.426851 weird: spontaneous_FIN
+964800423.426927 weird: spontaneous_FIN
+964800423.427001 weird: spontaneous_FIN
+964800423.427082 weird: spontaneous_FIN
+964800423.427157 weird: spontaneous_FIN
+964800423.427234 weird: spontaneous_FIN
+964800423.427308 weird: spontaneous_FIN
+964800423.427378 weird: spontaneous_FIN
+964800423.427451 weird: spontaneous_FIN
+964800423.427520 weird: spontaneous_FIN
+964800423.427590 weird: spontaneous_FIN
+964800423.427661 weird: spontaneous_FIN
+964800423.427730 weird: spontaneous_FIN
+964800423.427798 weird: spontaneous_FIN
+964800423.427868 weird: spontaneous_FIN
+964800423.427937 weird: spontaneous_FIN
+964800423.428006 weird: spontaneous_FIN
+964800423.428076 weird: spontaneous_FIN
+964800423.428145 weird: spontaneous_FIN
+964800423.428213 weird: spontaneous_FIN
+964800423.428283 weird: spontaneous_FIN
+964800423.428352 weird: spontaneous_FIN
+964800423.428420 weird: spontaneous_FIN
+964800423.428495 weird: spontaneous_FIN
+964800423.428564 weird: spontaneous_FIN
+964800423.428637 weird: spontaneous_FIN
+964800423.428709 weird: spontaneous_FIN
+964800423.428780 weird: spontaneous_FIN
+964800423.428855 weird: spontaneous_FIN
+964800423.429009 weird: spontaneous_FIN
+964800423.429156 weird: spontaneous_FIN
+964800423.429303 weird: spontaneous_FIN
+964800423.429445 weird: spontaneous_FIN
+964800423.429589 weird: spontaneous_FIN
+964800423.429596 weird: spontaneous_FIN
+964800423.524059 weird: spontaneous_FIN
+964800423.524127 weird: spontaneous_FIN
+964800423.524210 weird: spontaneous_FIN
+964800423.524280 weird: spontaneous_FIN
+964800423.524354 weird: spontaneous_FIN
+964800423.524432 weird: spontaneous_FIN
+964800423.524505 weird: spontaneous_FIN
+964800423.524578 weird: spontaneous_FIN
+964800423.524655 weird: spontaneous_FIN
+964800423.524736 weird: spontaneous_FIN
+964800423.524814 weird: spontaneous_FIN
+964800423.524888 weird: spontaneous_FIN
+964800423.524964 weird: spontaneous_FIN
+964800423.525039 weird: spontaneous_FIN
+964800423.525114 weird: spontaneous_FIN
+964800423.525186 weird: spontaneous_FIN
+964800423.525263 weird: spontaneous_FIN
+964800423.525336 weird: spontaneous_FIN
+964800423.525409 weird: spontaneous_FIN
+964800423.525489 weird: spontaneous_FIN
+964800423.525569 weird: spontaneous_FIN
+964800423.525649 weird: spontaneous_FIN
+964800423.525727 weird: spontaneous_FIN
+964800423.525806 weird: spontaneous_FIN
+964800423.525891 weird: spontaneous_FIN
+964800423.525972 weird: spontaneous_FIN
+964800423.526051 weird: spontaneous_FIN
+964800423.526133 weird: spontaneous_FIN
+964800423.526211 weird: spontaneous_FIN
+964800423.526289 weird: spontaneous_FIN
+964800423.526369 weird: spontaneous_FIN
+964800423.526451 weird: spontaneous_FIN
+964800423.526530 weird: spontaneous_FIN
+964800423.526608 weird: spontaneous_FIN
+964800423.526685 weird: spontaneous_FIN
+964800423.526762 weird: spontaneous_FIN
+964800423.526842 weird: spontaneous_FIN
+964800423.526918 weird: spontaneous_FIN
+964800423.526997 weird: spontaneous_FIN
+964800423.527076 weird: spontaneous_FIN
+964800423.527153 weird: spontaneous_FIN
+964800423.527232 weird: spontaneous_FIN
+964800423.527310 weird: spontaneous_FIN
+964800423.527382 weird: spontaneous_FIN
+964800423.527458 weird: spontaneous_FIN
+964800423.527531 weird: spontaneous_FIN
+964800423.527608 weird: spontaneous_FIN
+964800423.527681 weird: spontaneous_FIN
+964800423.527758 weird: spontaneous_FIN
+964800423.527834 weird: spontaneous_FIN
+964800423.527909 weird: spontaneous_FIN
+964800423.527986 weird: spontaneous_FIN
+964800423.528064 weird: spontaneous_FIN
+964800423.528143 weird: spontaneous_FIN
+964800423.528220 weird: spontaneous_FIN
+964800423.528299 weird: spontaneous_FIN
+964800423.528376 weird: spontaneous_FIN
+964800423.528458 weird: spontaneous_FIN
+964800423.528542 weird: spontaneous_FIN
+964800423.528626 weird: spontaneous_FIN
+964800423.528703 weird: spontaneous_FIN
+964800423.528778 weird: spontaneous_FIN
+964800423.528858 weird: spontaneous_FIN
+964800423.528944 weird: spontaneous_FIN
+964800423.529024 weird: spontaneous_FIN
+964800423.529105 weird: spontaneous_FIN
+964800423.529185 weird: spontaneous_FIN
+964800423.529261 weird: spontaneous_FIN
+964800423.529339 weird: spontaneous_FIN
+964800423.529418 weird: spontaneous_FIN
+964800423.529498 weird: spontaneous_FIN
+964800423.529580 weird: spontaneous_FIN
+964800423.624101 weird: spontaneous_FIN
+964800423.624168 weird: spontaneous_FIN
+964800423.624240 weird: spontaneous_FIN
+964800423.624310 weird: spontaneous_FIN
+964800423.624381 weird: spontaneous_FIN
+964800423.624452 weird: spontaneous_FIN
+964800423.624523 weird: spontaneous_FIN
+964800423.624597 weird: spontaneous_FIN
+964800423.624671 weird: spontaneous_FIN
+964800423.624741 weird: spontaneous_FIN
+964800423.624813 weird: spontaneous_FIN
+964800423.624885 weird: spontaneous_FIN
+964800423.624952 weird: spontaneous_FIN
+964800423.625023 weird: spontaneous_FIN
+964800423.625097 weird: spontaneous_FIN
+964800423.625168 weird: spontaneous_FIN
+964800423.625240 weird: spontaneous_FIN
+964800423.625307 weird: spontaneous_FIN
+964800423.625375 weird: spontaneous_FIN
+964800423.625446 weird: spontaneous_FIN
+964800423.625521 weird: spontaneous_FIN
+964800423.625594 weird: spontaneous_FIN
+964800423.625664 weird: spontaneous_FIN
+964800423.625737 weird: spontaneous_FIN
+964800423.625817 weird: spontaneous_FIN
+964800423.625902 weird: spontaneous_FIN
+964800423.625986 weird: spontaneous_FIN
+964800423.626062 weird: spontaneous_FIN
+964800423.626141 weird: spontaneous_FIN
+964800423.626223 weird: spontaneous_FIN
+964800423.626306 weird: spontaneous_FIN
+964800423.626391 weird: spontaneous_FIN
+964800423.626473 weird: spontaneous_FIN
+964800423.626548 weird: spontaneous_FIN
+964800423.626623 weird: spontaneous_FIN
+964800423.626700 weird: spontaneous_FIN
+964800423.626779 weird: spontaneous_FIN
+964800423.626853 weird: spontaneous_FIN
+964800423.626927 weird: spontaneous_FIN
+964800423.627006 weird: spontaneous_FIN
+964800423.627086 weird: spontaneous_FIN
+964800423.627163 weird: spontaneous_FIN
+964800423.627238 weird: spontaneous_FIN
+964800423.627314 weird: spontaneous_FIN
+964800423.627384 weird: spontaneous_FIN
+964800423.627458 weird: spontaneous_FIN
+964800423.627533 weird: spontaneous_FIN
+964800423.627603 weird: spontaneous_FIN
+964800423.627676 weird: spontaneous_FIN
+964800423.627748 weird: spontaneous_FIN
+964800423.627815 weird: spontaneous_FIN
+964800423.627890 weird: spontaneous_FIN
+964800423.627970 weird: spontaneous_FIN
+964800423.628044 weird: spontaneous_FIN
+964800423.628118 weird: spontaneous_FIN
+964800423.628187 weird: spontaneous_FIN
+964800423.628260 weird: spontaneous_FIN
+964800423.628331 weird: spontaneous_FIN
+964800423.628399 weird: spontaneous_FIN
+964800423.628469 weird: spontaneous_FIN
+964800423.628538 weird: spontaneous_FIN
+964800423.628606 weird: spontaneous_FIN
+964800423.628679 weird: spontaneous_FIN
+964800423.628750 weird: spontaneous_FIN
+964800423.628822 weird: spontaneous_FIN
+964800423.628891 weird: spontaneous_FIN
+964800423.628960 weird: spontaneous_FIN
+964800423.629030 weird: spontaneous_FIN
+964800423.629098 weird: spontaneous_FIN
+964800423.629167 weird: spontaneous_FIN
+964800423.629237 weird: spontaneous_FIN
+964800423.629310 weird: spontaneous_FIN
+964800423.724045 weird: spontaneous_FIN
+964800423.724125 weird: spontaneous_FIN
+964800423.724200 weird: spontaneous_FIN
+964800423.724273 weird: spontaneous_FIN
+964800423.724346 weird: spontaneous_FIN
+964800423.724420 weird: spontaneous_FIN
+964800423.724492 weird: spontaneous_FIN
+964800423.724563 weird: spontaneous_FIN
+964800423.724639 weird: spontaneous_FIN
+964800423.724720 weird: spontaneous_FIN
+964800423.724791 weird: spontaneous_FIN
+964800423.724865 weird: spontaneous_FIN
+964800423.724938 weird: spontaneous_FIN
+964800423.725010 weird: spontaneous_FIN
+964800423.725081 weird: spontaneous_FIN
+964800423.725154 weird: spontaneous_FIN
+964800423.725224 weird: spontaneous_FIN
+964800423.725295 weird: spontaneous_FIN
+964800423.725367 weird: spontaneous_FIN
+964800423.725440 weird: spontaneous_FIN
+964800423.725519 weird: spontaneous_FIN
+964800423.725594 weird: spontaneous_FIN
+964800423.725671 weird: spontaneous_FIN
+964800423.725748 weird: spontaneous_FIN
+964800423.725828 weird: spontaneous_FIN
+964800423.725910 weird: spontaneous_FIN
+964800423.725989 weird: spontaneous_FIN
+964800423.726070 weird: spontaneous_FIN
+964800423.726145 weird: spontaneous_FIN
+964800423.726366 weird: spontaneous_FIN
+964800423.726514 weird: spontaneous_FIN
+964800423.726660 weird: spontaneous_FIN
+964800423.726806 weird: spontaneous_FIN
+964800423.726952 weird: spontaneous_FIN
+964800423.727096 weird: spontaneous_FIN
+964800423.727241 weird: spontaneous_FIN
+964800423.727402 weird: spontaneous_FIN
+964800423.727550 weird: spontaneous_FIN
+964800423.727555 weird: spontaneous_FIN
+964800423.727702 weird: spontaneous_FIN
+964800423.727708 weird: spontaneous_FIN
+964800423.727713 weird: spontaneous_FIN
+964800423.727718 weird: spontaneous_FIN
+964800423.727723 weird: spontaneous_FIN
+964800423.727729 weird: spontaneous_FIN
+964800423.727735 weird: spontaneous_FIN
+964800423.727741 weird: spontaneous_FIN
+964800423.727746 weird: spontaneous_FIN
+964800423.727751 weird: spontaneous_FIN
+964800423.727823 weird: spontaneous_FIN
+964800423.727899 weird: spontaneous_FIN
+964800423.727981 weird: spontaneous_FIN
+964800423.728072 weird: spontaneous_FIN
+964800423.728158 weird: spontaneous_FIN
+964800423.728239 weird: spontaneous_FIN
+964800423.728318 weird: spontaneous_FIN
+964800423.728400 weird: spontaneous_FIN
+964800423.728478 weird: spontaneous_FIN
+964800423.728559 weird: spontaneous_FIN
+964800423.728637 weird: spontaneous_FIN
+964800423.728718 weird: spontaneous_FIN
+964800423.728796 weird: spontaneous_FIN
+964800423.728878 weird: spontaneous_FIN
+964800423.728952 weird: spontaneous_FIN
+964800423.729035 weird: spontaneous_FIN
+964800423.729111 weird: spontaneous_FIN
+964800423.729188 weird: spontaneous_FIN
+964800423.729269 weird: spontaneous_FIN
+964800423.729350 weird: spontaneous_FIN
+964800423.729424 weird: spontaneous_FIN
+964800423.729501 weird: spontaneous_FIN
+964800423.729581 weird: spontaneous_FIN
+964800423.824117 weird: spontaneous_FIN
+964800423.824193 weird: spontaneous_FIN
+964800423.824268 weird: spontaneous_FIN
+964800423.824335 weird: spontaneous_FIN
+964800423.824401 weird: spontaneous_FIN
+964800423.824469 weird: spontaneous_FIN
+964800423.824539 weird: spontaneous_FIN
+964800423.824619 weird: spontaneous_FIN
+964800423.824693 weird: spontaneous_FIN
+964800423.824761 weird: spontaneous_FIN
+964800423.824835 weird: spontaneous_FIN
+964800423.824914 weird: spontaneous_FIN
+964800423.824981 weird: spontaneous_FIN
+964800423.825049 weird: spontaneous_FIN
+964800423.825122 weird: spontaneous_FIN
+964800423.825198 weird: spontaneous_FIN
+964800423.825273 weird: spontaneous_FIN
+964800423.825343 weird: spontaneous_FIN
+964800423.825416 weird: spontaneous_FIN
+964800423.836951 weird: spontaneous_FIN
+964800423.837035 weird: spontaneous_FIN
+964800423.837107 weird: spontaneous_FIN
+964800423.837182 weird: spontaneous_FIN
+964800423.837252 weird: spontaneous_FIN
+964800423.837330 weird: spontaneous_FIN
+964800423.837410 weird: spontaneous_FIN
+964800423.837486 weird: spontaneous_FIN
+964800423.837564 weird: spontaneous_FIN
+964800423.837644 weird: spontaneous_FIN
+964800423.837729 weird: spontaneous_FIN
+964800423.837812 weird: spontaneous_FIN
+964800423.837891 weird: spontaneous_FIN
+964800423.837971 weird: spontaneous_FIN
+964800423.838051 weird: spontaneous_FIN
+964800423.838132 weird: spontaneous_FIN
+964800423.838213 weird: spontaneous_FIN
+964800423.838294 weird: spontaneous_FIN
+964800423.838373 weird: spontaneous_FIN
+964800423.838452 weird: spontaneous_FIN
+964800423.838533 weird: spontaneous_FIN
+964800423.838615 weird: spontaneous_FIN
+964800423.838693 weird: spontaneous_FIN
+964800423.838776 weird: spontaneous_FIN
+964800423.838856 weird: spontaneous_FIN
+964800423.838929 weird: spontaneous_FIN
+964800423.839004 weird: spontaneous_FIN
+964800423.839082 weird: spontaneous_FIN
+964800423.839148 weird: spontaneous_FIN
+964800423.839218 weird: spontaneous_FIN
+964800423.839291 weird: spontaneous_FIN
+964800423.839367 weird: spontaneous_FIN
+964800423.839446 weird: spontaneous_FIN
+964800423.839519 weird: spontaneous_FIN
+964800423.839600 weird: spontaneous_FIN
+964800423.839669 weird: spontaneous_FIN
+964800423.839744 weird: spontaneous_FIN
+964800423.839817 weird: spontaneous_FIN
+964800423.839889 weird: spontaneous_FIN
+964800423.839964 weird: spontaneous_FIN
+964800423.840034 weird: spontaneous_FIN
+964800423.840106 weird: spontaneous_FIN
+964800423.840182 weird: spontaneous_FIN
+964800423.840256 weird: spontaneous_FIN
+964800423.840326 weird: spontaneous_FIN
+964800423.840404 weird: spontaneous_FIN
+964800423.840485 weird: spontaneous_FIN
+964800423.840557 weird: spontaneous_FIN
+964800423.840771 weird: spontaneous_FIN
+964800423.840920 weird: spontaneous_FIN
+964800423.840927 weird: spontaneous_FIN
+964800423.840933 weird: spontaneous_FIN
+964800423.840938 weird: spontaneous_FIN
+964800423.934031 weird: spontaneous_FIN
+964800423.934112 weird: spontaneous_FIN
+964800423.934184 weird: spontaneous_FIN
+964800423.934255 weird: spontaneous_FIN
+964800423.934328 weird: spontaneous_FIN
+964800423.934403 weird: spontaneous_FIN
+964800423.934476 weird: spontaneous_FIN
+964800423.934548 weird: spontaneous_FIN
+964800423.934626 weird: spontaneous_FIN
+964800423.934703 weird: spontaneous_FIN
+964800423.934775 weird: spontaneous_FIN
+964800423.934848 weird: spontaneous_FIN
+964800423.934982 weird: spontaneous_FIN
+964800423.935002 weird: spontaneous_FIN
+964800423.935077 weird: spontaneous_FIN
+964800423.935152 weird: spontaneous_FIN
+964800423.935228 weird: spontaneous_FIN
+964800423.935303 weird: spontaneous_FIN
+964800423.935382 weird: spontaneous_FIN
+964800423.935457 weird: spontaneous_FIN
+964800423.935535 weird: spontaneous_FIN
+964800423.935618 weird: spontaneous_FIN
+964800423.935695 weird: spontaneous_FIN
+964800423.935777 weird: spontaneous_FIN
+964800423.935860 weird: spontaneous_FIN
+964800423.935941 weird: spontaneous_FIN
+964800423.936027 weird: spontaneous_FIN
+964800423.936114 weird: spontaneous_FIN
+964800423.936197 weird: spontaneous_FIN
+964800423.936284 weird: spontaneous_FIN
+964800423.936372 weird: spontaneous_FIN
+964800423.936457 weird: spontaneous_FIN
+964800423.936542 weird: spontaneous_FIN
+964800423.936624 weird: spontaneous_FIN
+964800423.936705 weird: spontaneous_FIN
+964800423.936783 weird: spontaneous_FIN
+964800423.936862 weird: spontaneous_FIN
+964800423.936943 weird: spontaneous_FIN
+964800423.937025 weird: spontaneous_FIN
+964800423.937110 weird: spontaneous_FIN
+964800423.937186 weird: spontaneous_FIN
+964800423.937264 weird: spontaneous_FIN
+964800423.937343 weird: spontaneous_FIN
+964800423.937424 weird: spontaneous_FIN
+964800423.937497 weird: spontaneous_FIN
+964800423.937572 weird: spontaneous_FIN
+964800423.937651 weird: spontaneous_FIN
+964800423.937730 weird: spontaneous_FIN
+964800423.937809 weird: spontaneous_FIN
+964800423.937885 weird: spontaneous_FIN
+964800423.937961 weird: spontaneous_FIN
+964800423.938035 weird: spontaneous_FIN
+964800423.938116 weird: spontaneous_FIN
+964800423.938196 weird: spontaneous_FIN
+964800423.938275 weird: spontaneous_FIN
+964800423.938345 weird: spontaneous_FIN
+964800423.938424 weird: spontaneous_FIN
+964800423.938504 weird: spontaneous_FIN
+964800423.938581 weird: spontaneous_FIN
+964800423.938658 weird: spontaneous_FIN
+964800423.938733 weird: spontaneous_FIN
+964800423.938807 weird: spontaneous_FIN
+964800423.938883 weird: spontaneous_FIN
+964800423.938957 weird: spontaneous_FIN
+964800423.939034 weird: spontaneous_FIN
+964800423.939113 weird: spontaneous_FIN
+964800423.939189 weird: spontaneous_FIN
+964800423.939265 weird: spontaneous_FIN
+964800423.939342 weird: spontaneous_FIN
+964800423.939419 weird: spontaneous_FIN
+964800423.939498 weird: spontaneous_FIN
+964800423.939580 weird: spontaneous_FIN
+964800424.034102 weird: spontaneous_FIN
+964800424.034188 weird: spontaneous_FIN
+964800424.034262 weird: spontaneous_FIN
+964800424.034333 weird: spontaneous_FIN
+964800424.034408 weird: spontaneous_FIN
+964800424.034478 weird: spontaneous_FIN
+964800424.034548 weird: spontaneous_FIN
+964800424.034622 weird: spontaneous_FIN
+964800424.034696 weird: spontaneous_FIN
+964800424.034767 weird: spontaneous_FIN
+964800424.034837 weird: spontaneous_FIN
+964800424.034917 weird: spontaneous_FIN
+964800424.034977 weird: spontaneous_FIN
+964800424.035050 weird: spontaneous_FIN
+964800424.035119 weird: spontaneous_FIN
+964800424.035190 weird: spontaneous_FIN
+964800424.035263 weird: spontaneous_FIN
+964800424.035331 weird: spontaneous_FIN
+964800424.035398 weird: spontaneous_FIN
+964800424.035472 weird: spontaneous_FIN
+964800424.035540 weird: spontaneous_FIN
+964800424.035608 weird: spontaneous_FIN
+964800424.035677 weird: spontaneous_FIN
+964800424.035747 weird: spontaneous_FIN
+964800424.035820 weird: spontaneous_FIN
+964800424.035894 weird: spontaneous_FIN
+964800424.035969 weird: spontaneous_FIN
+964800424.036043 weird: spontaneous_FIN
+964800424.036116 weird: spontaneous_FIN
+964800424.036193 weird: spontaneous_FIN
+964800424.036271 weird: spontaneous_FIN
+964800424.036347 weird: spontaneous_FIN
+964800424.036425 weird: spontaneous_FIN
+964800424.036502 weird: spontaneous_FIN
+964800424.036582 weird: spontaneous_FIN
+964800424.036667 weird: spontaneous_FIN
+964800424.036748 weird: spontaneous_FIN
+964800424.036826 weird: spontaneous_FIN
+964800424.036905 weird: spontaneous_FIN
+964800424.036987 weird: spontaneous_FIN
+964800424.037073 weird: spontaneous_FIN
+964800424.037150 weird: spontaneous_FIN
+964800424.037229 weird: spontaneous_FIN
+964800424.037304 weird: spontaneous_FIN
+964800424.037383 weird: spontaneous_FIN
+964800424.037456 weird: spontaneous_FIN
+964800424.037531 weird: spontaneous_FIN
+964800424.037604 weird: spontaneous_FIN
+964800424.037676 weird: spontaneous_FIN
+964800424.037756 weird: spontaneous_FIN
+964800424.037831 weird: spontaneous_FIN
+964800424.037910 weird: spontaneous_FIN
+964800424.037986 weird: spontaneous_FIN
+964800424.038060 weird: spontaneous_FIN
+964800424.038138 weird: spontaneous_FIN
+964800424.038212 weird: spontaneous_FIN
+964800424.038290 weird: spontaneous_FIN
+964800424.038367 weird: spontaneous_FIN
+964800424.038442 weird: spontaneous_FIN
+964800424.038513 weird: spontaneous_FIN
+964800424.038586 weird: spontaneous_FIN
+964800424.038658 weird: spontaneous_FIN
+964800424.038735 weird: spontaneous_FIN
+964800424.038810 weird: spontaneous_FIN
+964800424.038883 weird: spontaneous_FIN
+964800424.038956 weird: spontaneous_FIN
+964800424.039026 weird: spontaneous_FIN
+964800424.124048 weird: spontaneous_FIN
+964800424.124132 weird: spontaneous_FIN
+964800424.124211 weird: spontaneous_FIN
+964800424.124288 weird: spontaneous_FIN
+964800424.124361 weird: spontaneous_FIN
+964800424.124437 weird: spontaneous_FIN
+964800424.124513 weird: spontaneous_FIN
+964800424.124582 weird: spontaneous_FIN
+964800424.124659 weird: spontaneous_FIN
+964800424.124739 weird: spontaneous_FIN
+964800424.124812 weird: spontaneous_FIN
+964800424.124883 weird: spontaneous_FIN
+964800424.124957 weird: spontaneous_FIN
+964800424.125030 weird: spontaneous_FIN
+964800424.125106 weird: spontaneous_FIN
+964800424.125179 weird: spontaneous_FIN
+964800424.125253 weird: spontaneous_FIN
+964800424.125327 weird: spontaneous_FIN
+964800424.125403 weird: spontaneous_FIN
+964800424.125479 weird: spontaneous_FIN
+964800424.125563 weird: spontaneous_FIN
+964800424.125642 weird: spontaneous_FIN
+964800424.125725 weird: spontaneous_FIN
+964800424.125811 weird: spontaneous_FIN
+964800424.125896 weird: spontaneous_FIN
+964800424.125979 weird: spontaneous_FIN
+964800424.126065 weird: spontaneous_FIN
+964800424.126149 weird: spontaneous_FIN
+964800424.126237 weird: spontaneous_FIN
+964800424.126323 weird: spontaneous_FIN
+964800424.126410 weird: spontaneous_FIN
+964800424.126498 weird: spontaneous_FIN
+964800424.126584 weird: spontaneous_FIN
+964800424.126669 weird: spontaneous_FIN
+964800424.126755 weird: spontaneous_FIN
+964800424.126842 weird: spontaneous_FIN
+964800424.126925 weird: spontaneous_FIN
+964800424.127008 weird: spontaneous_FIN
+964800424.127096 weird: spontaneous_FIN
+964800424.127185 weird: spontaneous_FIN
+964800424.127266 weird: spontaneous_FIN
+964800424.127347 weird: spontaneous_FIN
+964800424.127423 weird: spontaneous_FIN
+964800424.127500 weird: spontaneous_FIN
+964800424.127575 weird: spontaneous_FIN
+964800424.127655 weird: spontaneous_FIN
+964800424.127735 weird: spontaneous_FIN
+964800424.127816 weird: spontaneous_FIN
+964800424.127893 weird: spontaneous_FIN
+964800424.127968 weird: spontaneous_FIN
+964800424.128046 weird: spontaneous_FIN
+964800424.128126 weird: spontaneous_FIN
+964800424.128206 weird: spontaneous_FIN
+964800424.128286 weird: spontaneous_FIN
+964800424.128360 weird: spontaneous_FIN
+964800424.128435 weird: spontaneous_FIN
+964800424.128510 weird: spontaneous_FIN
+964800424.128586 weird: spontaneous_FIN
+964800424.128664 weird: spontaneous_FIN
+964800424.128740 weird: spontaneous_FIN
+964800424.128812 weird: spontaneous_FIN
+964800424.128888 weird: spontaneous_FIN
+964800424.128965 weird: spontaneous_FIN
+964800424.129040 weird: spontaneous_FIN
+964800424.129112 weird: spontaneous_FIN
+964800424.129188 weird: spontaneous_FIN
+964800425.052649 weird: spontaneous_FIN
+964800426.864054 weird: spontaneous_RST
+964800426.864094 weird: spontaneous_RST
+964800426.864115 weird: spontaneous_RST
+964800426.864137 weird: spontaneous_RST
+964800426.864160 weird: spontaneous_RST
+964800428.254218 weird: spontaneous_FIN
+964800428.254286 weird: spontaneous_FIN
+964800428.254352 weird: spontaneous_FIN
+964800428.254419 weird: spontaneous_FIN
+964800428.254489 weird: spontaneous_FIN
+964800428.254567 weird: spontaneous_FIN
+964800428.254638 weird: spontaneous_FIN
+964800428.254720 weird: spontaneous_FIN
+964800428.254798 weird: spontaneous_FIN
+964800428.254871 weird: spontaneous_FIN
+964800428.254941 weird: spontaneous_FIN
+964800428.255011 weird: spontaneous_FIN
+964800428.255081 weird: spontaneous_FIN
+964800428.255155 weird: spontaneous_FIN
+964800428.255228 weird: spontaneous_FIN
+964800428.255299 weird: spontaneous_FIN
+964800428.334040 weird: spontaneous_FIN
+964800428.334121 weird: spontaneous_FIN
+964800428.334197 weird: spontaneous_FIN
+964800428.334268 weird: spontaneous_FIN
+964800428.334340 weird: spontaneous_FIN
+964800428.334416 weird: spontaneous_FIN
+964800428.334489 weird: spontaneous_FIN
+964800428.334567 weird: spontaneous_FIN
+964800428.334646 weird: spontaneous_FIN
+964800428.334722 weird: spontaneous_FIN
+964800428.334797 weird: spontaneous_FIN
+964800428.334875 weird: spontaneous_FIN
+964800428.334948 weird: spontaneous_FIN
+964800428.335023 weird: spontaneous_FIN
+964800428.335097 weird: spontaneous_FIN
+964800428.335173 weird: spontaneous_FIN
+964800428.335247 weird: spontaneous_FIN
+964800428.335321 weird: spontaneous_FIN
+964800428.424077 weird: spontaneous_FIN
+964800428.424160 weird: spontaneous_FIN
+964800428.424236 weird: spontaneous_FIN
+964800428.424306 weird: spontaneous_FIN
+964800428.424372 weird: spontaneous_FIN
+964800428.424438 weird: spontaneous_FIN
+964800428.424507 weird: spontaneous_FIN
+964800428.424584 weird: spontaneous_FIN
+964800428.424656 weird: spontaneous_FIN
+964800428.424735 weird: spontaneous_FIN
+964800428.424811 weird: spontaneous_FIN
+964800428.424884 weird: spontaneous_FIN
+964800428.424954 weird: spontaneous_FIN
+964800428.425023 weird: spontaneous_FIN
+964800428.425096 weird: spontaneous_FIN
+964800428.425167 weird: spontaneous_FIN
+964800428.425240 weird: spontaneous_FIN
+964800428.425311 weird: spontaneous_FIN
+964800428.514042 weird: spontaneous_FIN
+964800428.514125 weird: spontaneous_FIN
+964800428.514203 weird: spontaneous_FIN
+964800428.514276 weird: spontaneous_FIN
+964800428.514347 weird: spontaneous_FIN
+964800428.514417 weird: spontaneous_FIN
+964800428.514492 weird: spontaneous_FIN
+964800428.514567 weird: spontaneous_FIN
+964800428.514646 weird: spontaneous_FIN
+964800428.514723 weird: spontaneous_FIN
+964800428.514801 weird: spontaneous_FIN
+964800428.514880 weird: spontaneous_FIN
+964800428.514954 weird: spontaneous_FIN
+964800428.515029 weird: spontaneous_FIN
+964800428.515104 weird: spontaneous_FIN
+964800428.515178 weird: spontaneous_FIN
+964800428.515256 weird: spontaneous_FIN
+964800428.515327 weird: spontaneous_FIN
+964800428.594059 weird: spontaneous_FIN
+964800428.594136 weird: spontaneous_FIN
+964800428.594210 weird: spontaneous_FIN
+964800428.594276 weird: spontaneous_FIN
+964800428.594344 weird: spontaneous_FIN
+964800428.594408 weird: spontaneous_FIN
+964800428.594478 weird: spontaneous_FIN
+964800428.594561 weird: spontaneous_FIN
+964800428.594632 weird: spontaneous_FIN
+964800428.594712 weird: spontaneous_FIN
+964800428.594786 weird: spontaneous_FIN
+964800428.594862 weird: spontaneous_FIN
+964800428.594938 weird: spontaneous_FIN
+964800428.595001 weird: spontaneous_FIN
+964800428.595072 weird: spontaneous_FIN
+964800428.595144 weird: spontaneous_FIN
+964800428.595219 weird: spontaneous_FIN
+964800428.595289 weird: spontaneous_FIN
+964800428.674044 weird: spontaneous_FIN
+964800428.674131 weird: spontaneous_FIN
+964800428.674202 weird: spontaneous_FIN
+964800428.674274 weird: spontaneous_FIN
+964800428.674346 weird: spontaneous_FIN
+964800428.674421 weird: spontaneous_FIN
+964800428.674495 weird: spontaneous_FIN
+964800428.674572 weird: spontaneous_FIN
+964800428.674651 weird: spontaneous_FIN
+964800428.674726 weird: spontaneous_FIN
+964800428.674802 weird: spontaneous_FIN
+964800428.674879 weird: spontaneous_FIN
+964800428.674953 weird: spontaneous_FIN
+964800428.675031 weird: spontaneous_FIN
+964800428.675102 weird: spontaneous_FIN
+964800428.675174 weird: spontaneous_FIN
+964800428.675250 weird: spontaneous_FIN
+964800428.675322 weird: spontaneous_FIN
+964800428.754062 weird: spontaneous_FIN
+964800428.754139 weird: spontaneous_FIN
+964800428.754215 weird: spontaneous_FIN
+964800428.754281 weird: spontaneous_FIN
+964800428.754346 weird: spontaneous_FIN
+964800428.754412 weird: spontaneous_FIN
+964800428.754485 weird: spontaneous_FIN
+964800428.754560 weird: spontaneous_FIN
+964800428.754632 weird: spontaneous_FIN
+964800428.754712 weird: spontaneous_FIN
+964800428.754786 weird: spontaneous_FIN
+964800428.754858 weird: spontaneous_FIN
+964800428.754929 weird: spontaneous_FIN
+964800428.754999 weird: spontaneous_FIN
+964800428.755064 weird: spontaneous_FIN
+964800428.755139 weird: spontaneous_FIN
+964800428.755214 weird: spontaneous_FIN
+964800428.755285 weird: spontaneous_FIN
+964800428.834049 weird: spontaneous_FIN
+964800428.845564 weird: spontaneous_FIN
+964800428.845656 weird: spontaneous_FIN
+964800428.845731 weird: spontaneous_FIN
+964800428.845802 weird: spontaneous_FIN
+964800428.845878 weird: spontaneous_FIN
+964800428.845951 weird: spontaneous_FIN
+964800428.846026 weird: spontaneous_FIN
+964800428.846105 weird: spontaneous_FIN
+964800428.846181 weird: spontaneous_FIN
+964800428.846256 weird: spontaneous_FIN
+964800428.846334 weird: spontaneous_FIN
+964800428.846411 weird: spontaneous_FIN
+964800428.846489 weird: spontaneous_FIN
+964800428.846566 weird: spontaneous_FIN
+964800428.846644 weird: spontaneous_FIN
+964800428.846726 weird: spontaneous_FIN
+964800428.846802 weird: spontaneous_FIN
+964800428.924062 weird: spontaneous_FIN
+964800428.924144 weird: spontaneous_FIN
+964800428.924217 weird: spontaneous_FIN
+964800428.924284 weird: spontaneous_FIN
+964800428.924353 weird: spontaneous_FIN
+964800428.924417 weird: spontaneous_FIN
+964800428.924488 weird: spontaneous_FIN
+964800428.924565 weird: spontaneous_FIN
+964800428.924633 weird: spontaneous_FIN
+964800428.924713 weird: spontaneous_FIN
+964800428.924786 weird: spontaneous_FIN
+964800428.924859 weird: spontaneous_FIN
+964800428.924928 weird: spontaneous_FIN
+964800428.924997 weird: spontaneous_FIN
+964800428.925067 weird: spontaneous_FIN
+964800428.925139 weird: spontaneous_FIN
+964800428.925211 weird: spontaneous_FIN
+964800428.925282 weird: spontaneous_FIN
+964800429.004047 weird: spontaneous_FIN
+964800429.004126 weird: spontaneous_FIN
+964800429.004198 weird: spontaneous_FIN
+964800429.004269 weird: spontaneous_FIN
+964800429.004342 weird: spontaneous_FIN
+964800429.004414 weird: spontaneous_FIN
+964800429.004487 weird: spontaneous_FIN
+964800429.004561 weird: spontaneous_FIN
+964800429.004639 weird: spontaneous_FIN
+964800429.004716 weird: spontaneous_FIN
+964800429.004790 weird: spontaneous_FIN
+964800429.004868 weird: spontaneous_FIN
+964800429.004943 weird: spontaneous_FIN
+964800429.005018 weird: spontaneous_FIN
+964800429.005093 weird: spontaneous_FIN
+964800429.005165 weird: spontaneous_FIN
+964800429.005239 weird: spontaneous_FIN
+964800429.005311 weird: spontaneous_FIN
+964800429.084052 weird: spontaneous_FIN
+964800429.084128 weird: spontaneous_FIN
+964800429.084203 weird: spontaneous_FIN
+964800429.084269 weird: spontaneous_FIN
+964800429.084336 weird: spontaneous_FIN
+964800429.084402 weird: spontaneous_FIN
+964800429.084469 weird: spontaneous_FIN
+964800429.084547 weird: spontaneous_FIN
+964800429.084616 weird: spontaneous_FIN
+964800429.084697 weird: spontaneous_FIN
+964800429.084772 weird: spontaneous_FIN
+964800429.084843 weird: spontaneous_FIN
+964800429.084914 weird: spontaneous_FIN
+964800429.084992 weird: spontaneous_FIN
+964800429.085054 weird: spontaneous_FIN
+964800429.085124 weird: spontaneous_FIN
+964800429.085197 weird: spontaneous_FIN
+964800429.085268 weird: spontaneous_FIN
+964800429.164049 weird: spontaneous_FIN
+964800429.164132 weird: spontaneous_FIN
+964800429.164204 weird: spontaneous_FIN
+964800429.164275 weird: spontaneous_FIN
+964800429.164348 weird: spontaneous_FIN
+964800429.164422 weird: spontaneous_FIN
+964800429.164497 weird: spontaneous_FIN
+964800429.164572 weird: spontaneous_FIN
+964800429.164650 weird: spontaneous_FIN
+964800429.164727 weird: spontaneous_FIN
+964800429.164805 weird: spontaneous_FIN
+964800429.164885 weird: spontaneous_FIN
+964800429.164958 weird: spontaneous_FIN
+964800429.165034 weird: spontaneous_FIN
+964800429.165109 weird: spontaneous_FIN
+964800429.165182 weird: spontaneous_FIN
+964800429.165259 weird: spontaneous_FIN
+964800429.165333 weird: spontaneous_FIN
+964800429.254061 weird: spontaneous_FIN
+964800429.254139 weird: spontaneous_FIN
+964800429.254217 weird: spontaneous_FIN
+964800429.254286 weird: spontaneous_FIN
+964800429.254353 weird: spontaneous_FIN
+964800429.254420 weird: spontaneous_FIN
+964800429.254493 weird: spontaneous_FIN
+964800429.254565 weird: spontaneous_FIN
+964800429.254639 weird: spontaneous_FIN
+964800429.254712 weird: spontaneous_FIN
+964800429.254785 weird: spontaneous_FIN
+964800429.254859 weird: spontaneous_FIN
+964800429.254934 weird: spontaneous_FIN
+964800429.254999 weird: spontaneous_FIN
+964800429.255071 weird: spontaneous_FIN
+964800429.255145 weird: spontaneous_FIN
+964800429.255220 weird: spontaneous_FIN
+964800429.255290 weird: spontaneous_FIN
+964800429.344059 weird: spontaneous_FIN
+964800429.344129 weird: spontaneous_FIN
+964800429.344204 weird: spontaneous_FIN
+964800429.344276 weird: spontaneous_FIN
+964800429.344350 weird: spontaneous_FIN
+964800429.344425 weird: spontaneous_FIN
+964800429.344498 weird: spontaneous_FIN
+964800429.344572 weird: spontaneous_FIN
+964800429.344648 weird: spontaneous_FIN
+964800429.344727 weird: spontaneous_FIN
+964800429.344801 weird: spontaneous_FIN
+964800429.344877 weird: spontaneous_FIN
+964800429.344950 weird: spontaneous_FIN
+964800429.345026 weird: spontaneous_FIN
+964800429.345101 weird: spontaneous_FIN
+964800429.345174 weird: spontaneous_FIN
+964800429.345249 weird: spontaneous_FIN
+964800429.345320 weird: spontaneous_FIN
+964800429.424056 weird: spontaneous_FIN
+964800429.424130 weird: spontaneous_FIN
+964800429.424205 weird: spontaneous_FIN
+964800429.424273 weird: spontaneous_FIN
+964800429.424340 weird: spontaneous_FIN
+964800429.424405 weird: spontaneous_FIN
+964800429.424474 weird: spontaneous_FIN
+964800429.424547 weird: spontaneous_FIN
+964800429.424620 weird: spontaneous_FIN
+964800429.424691 weird: spontaneous_FIN
+964800429.424759 weird: spontaneous_FIN
+964800429.424831 weird: spontaneous_FIN
+964800429.424900 weird: spontaneous_FIN
+964800429.424971 weird: spontaneous_FIN
+964800429.425038 weird: spontaneous_FIN
+964800429.425112 weird: spontaneous_FIN
+964800429.425187 weird: spontaneous_FIN
+964800429.425255 weird: spontaneous_FIN
+964800429.504046 weird: spontaneous_FIN
+964800429.504130 weird: spontaneous_FIN
+964800429.504205 weird: spontaneous_FIN
+964800429.504276 weird: spontaneous_FIN
+964800429.504348 weird: spontaneous_FIN
+964800429.504421 weird: spontaneous_FIN
+964800429.504495 weird: spontaneous_FIN
+964800429.504567 weird: spontaneous_FIN
+964800429.504645 weird: spontaneous_FIN
+964800429.504722 weird: spontaneous_FIN
+964800429.504796 weird: spontaneous_FIN
+964800429.504871 weird: spontaneous_FIN
+964800429.504944 weird: spontaneous_FIN
+964800429.505023 weird: spontaneous_FIN
+964800429.505096 weird: spontaneous_FIN
+964800429.505169 weird: spontaneous_FIN
+964800429.505243 weird: spontaneous_FIN
+964800429.505315 weird: spontaneous_FIN
+964800429.584059 weird: spontaneous_FIN
+964800429.584136 weird: spontaneous_FIN
+964800429.584209 weird: spontaneous_FIN
+964800429.584277 weird: spontaneous_FIN
+964800429.584342 weird: spontaneous_FIN
+964800429.584407 weird: spontaneous_FIN
+964800429.584479 weird: spontaneous_FIN
+964800429.584553 weird: spontaneous_FIN
+964800429.584632 weird: spontaneous_FIN
+964800429.584706 weird: spontaneous_FIN
+964800429.584783 weird: spontaneous_FIN
+964800429.584859 weird: spontaneous_FIN
+964800429.584929 weird: spontaneous_FIN
+964800429.585005 weird: spontaneous_FIN
+964800429.585073 weird: spontaneous_FIN
+964800429.585149 weird: spontaneous_FIN
+964800429.585226 weird: spontaneous_FIN
+964800429.585299 weird: spontaneous_FIN
+964800429.664049 weird: spontaneous_FIN
+964800429.664132 weird: spontaneous_FIN
+964800429.664207 weird: spontaneous_FIN
+964800429.664279 weird: spontaneous_FIN
+964800429.664352 weird: spontaneous_FIN
+964800429.664426 weird: spontaneous_FIN
+964800429.664509 weird: spontaneous_FIN
+964800429.664594 weird: spontaneous_FIN
+964800429.664680 weird: spontaneous_FIN
+964800429.664762 weird: spontaneous_FIN
+964800429.664837 weird: spontaneous_FIN
+964800429.664917 weird: spontaneous_FIN
+964800429.665000 weird: spontaneous_FIN
+964800429.665070 weird: spontaneous_FIN
+964800429.665146 weird: spontaneous_FIN
+964800429.665224 weird: spontaneous_FIN
+964800429.665300 weird: spontaneous_FIN
+964800429.665375 weird: spontaneous_FIN
+964800429.744075 weird: spontaneous_FIN
+964800429.744154 weird: spontaneous_FIN
+964800429.744231 weird: spontaneous_FIN
+964800429.744303 weird: spontaneous_FIN
+964800429.744370 weird: spontaneous_FIN
+964800429.744437 weird: spontaneous_FIN
+964800429.744508 weird: spontaneous_FIN
+964800429.744582 weird: spontaneous_FIN
+964800429.744655 weird: spontaneous_FIN
+964800429.744725 weird: spontaneous_FIN
+964800429.744798 weird: spontaneous_FIN
+964800429.744874 weird: spontaneous_FIN
+964800429.744945 weird: spontaneous_FIN
+964800429.745019 weird: spontaneous_FIN
+964800429.745093 weird: spontaneous_FIN
+964800429.745165 weird: spontaneous_FIN
+964800429.745240 weird: spontaneous_FIN
+964800429.745312 weird: spontaneous_FIN
+964800429.824052 weird: spontaneous_FIN
+964800429.824134 weird: spontaneous_FIN
+964800429.824207 weird: spontaneous_FIN
+964800429.824281 weird: spontaneous_FIN
+964800429.824353 weird: spontaneous_FIN
+964800429.824427 weird: spontaneous_FIN
+964800429.824502 weird: spontaneous_FIN
+964800429.824579 weird: spontaneous_FIN
+964800429.824657 weird: spontaneous_FIN
+964800429.824738 weird: spontaneous_FIN
+964800429.824813 weird: spontaneous_FIN
+964800429.824892 weird: spontaneous_FIN
+964800429.824968 weird: spontaneous_FIN
+964800429.825043 weird: spontaneous_FIN
+964800429.825120 weird: spontaneous_FIN
+964800429.825195 weird: spontaneous_FIN
+964800429.825273 weird: spontaneous_FIN
+964800429.825347 weird: spontaneous_FIN
+964800429.904068 weird: spontaneous_FIN
+964800429.904144 weird: spontaneous_FIN
+964800429.904218 weird: spontaneous_FIN
+964800429.904287 weird: spontaneous_FIN
+964800429.904353 weird: spontaneous_FIN
+964800429.904420 weird: spontaneous_FIN
+964800429.904494 weird: spontaneous_FIN
+964800429.904570 weird: spontaneous_FIN
+964800429.904644 weird: spontaneous_FIN
+964800429.904715 weird: spontaneous_FIN
+964800429.904787 weird: spontaneous_FIN
+964800429.904861 weird: spontaneous_FIN
+964800429.904932 weird: spontaneous_FIN
+964800429.905005 weird: spontaneous_FIN
+964800429.905075 weird: spontaneous_FIN
+964800429.905149 weird: spontaneous_FIN
+964800429.905225 weird: spontaneous_FIN
+964800429.905296 weird: spontaneous_FIN
+964800429.994070 weird: spontaneous_FIN
+964800429.994159 weird: spontaneous_FIN
+964800429.994239 weird: spontaneous_FIN
+964800429.994314 weird: spontaneous_FIN
+964800429.994392 weird: spontaneous_FIN
+964800429.994467 weird: spontaneous_FIN
+964800429.994542 weird: spontaneous_FIN
+964800429.994618 weird: spontaneous_FIN
+964800429.994695 weird: spontaneous_FIN
+964800429.994777 weird: spontaneous_FIN
+964800429.994852 weird: spontaneous_FIN
+964800429.994931 weird: spontaneous_FIN
+964800429.995012 weird: spontaneous_FIN
+964800429.995085 weird: spontaneous_FIN
+964800429.995160 weird: spontaneous_FIN
+964800429.995233 weird: spontaneous_FIN
+964800429.995312 weird: spontaneous_FIN
+964800429.995388 weird: spontaneous_FIN
+964800430.074071 weird: spontaneous_FIN
+964800430.074149 weird: spontaneous_FIN
+964800430.074225 weird: spontaneous_FIN
+964800430.074294 weird: spontaneous_FIN
+964800430.074361 weird: spontaneous_FIN
+964800430.074429 weird: spontaneous_FIN
+964800430.074501 weird: spontaneous_FIN
+964800430.074575 weird: spontaneous_FIN
+964800430.074650 weird: spontaneous_FIN
+964800430.074721 weird: spontaneous_FIN
+964800430.074795 weird: spontaneous_FIN
+964800430.074869 weird: spontaneous_FIN
+964800430.074939 weird: spontaneous_FIN
+964800430.075011 weird: spontaneous_FIN
+964800430.075082 weird: spontaneous_FIN
+964800430.075156 weird: spontaneous_FIN
+964800430.075232 weird: spontaneous_FIN
+964800430.075304 weird: spontaneous_FIN
+964800430.154051 weird: spontaneous_FIN
+964800430.154134 weird: spontaneous_FIN
+964800430.154210 weird: spontaneous_FIN
+964800430.154284 weird: spontaneous_FIN
+964800430.154357 weird: spontaneous_FIN
+964800430.154434 weird: spontaneous_FIN
+964800430.154508 weird: spontaneous_FIN
+964800430.154585 weird: spontaneous_FIN
+964800430.154664 weird: spontaneous_FIN
+964800430.154744 weird: spontaneous_FIN
+964800430.154821 weird: spontaneous_FIN
+964800430.154900 weird: spontaneous_FIN
+964800430.154976 weird: spontaneous_FIN
+964800430.155054 weird: spontaneous_FIN
+964800430.155131 weird: spontaneous_FIN
+964800430.155205 weird: spontaneous_FIN
+964800430.155281 weird: spontaneous_FIN
+964800430.155359 weird: spontaneous_FIN
+964800430.234094 weird: spontaneous_FIN
+964800430.234309 weird: spontaneous_FIN
+964800430.234456 weird: spontaneous_FIN
+964800430.234617 weird: spontaneous_FIN
+964800430.234764 weird: spontaneous_FIN
+964800430.234911 weird: spontaneous_FIN
+964800430.235069 weird: spontaneous_FIN
+964800430.235215 weird: spontaneous_FIN
+964800430.235362 weird: spontaneous_FIN
+964800430.235505 weird: spontaneous_FIN
+964800430.235648 weird: spontaneous_FIN
+964800430.235790 weird: spontaneous_FIN
+964800430.235795 weird: spontaneous_FIN
+964800430.235965 weird: spontaneous_FIN
+964800430.235971 weird: spontaneous_FIN
+964800430.235975 weird: spontaneous_FIN
+964800430.235980 weird: spontaneous_FIN
+964800430.235986 weird: spontaneous_FIN
+964800430.314054 weird: spontaneous_FIN
+964800430.314137 weird: spontaneous_FIN
+964800430.314214 weird: spontaneous_FIN
+964800430.314290 weird: spontaneous_FIN
+964800430.314364 weird: spontaneous_FIN
+964800430.314439 weird: spontaneous_FIN
+964800430.314514 weird: spontaneous_FIN
+964800430.314590 weird: spontaneous_FIN
+964800430.314670 weird: spontaneous_FIN
+964800430.314747 weird: spontaneous_FIN
+964800430.314824 weird: spontaneous_FIN
+964800430.314904 weird: spontaneous_FIN
+964800430.314980 weird: spontaneous_FIN
+964800430.315056 weird: spontaneous_FIN
+964800430.315129 weird: spontaneous_FIN
+964800430.315203 weird: spontaneous_FIN
+964800430.315278 weird: spontaneous_FIN
+964800430.315353 weird: spontaneous_FIN
+964800430.394072 weird: spontaneous_FIN
+964800430.394149 weird: spontaneous_FIN
+964800430.394225 weird: spontaneous_FIN
+964800430.394292 weird: spontaneous_FIN
+964800430.394355 weird: spontaneous_FIN
+964800430.394420 weird: spontaneous_FIN
+964800430.394488 weird: spontaneous_FIN
+964800430.394566 weird: spontaneous_FIN
+964800430.394634 weird: spontaneous_FIN
+964800430.394718 weird: spontaneous_FIN
+964800430.394792 weird: spontaneous_FIN
+964800430.394862 weird: spontaneous_FIN
+964800430.394934 weird: spontaneous_FIN
+964800430.395014 weird: spontaneous_FIN
+964800430.395071 weird: spontaneous_FIN
+964800430.395144 weird: spontaneous_FIN
+964800430.395218 weird: spontaneous_FIN
+964800430.395294 weird: spontaneous_FIN
+964800430.474051 weird: spontaneous_FIN
+964800430.474133 weird: spontaneous_FIN
+964800430.474205 weird: spontaneous_FIN
+964800430.474277 weird: spontaneous_FIN
+964800430.474348 weird: spontaneous_FIN
+964800430.474420 weird: spontaneous_FIN
+964800430.474493 weird: spontaneous_FIN
+964800430.474568 weird: spontaneous_FIN
+964800430.474646 weird: spontaneous_FIN
+964800430.474722 weird: spontaneous_FIN
+964800430.474798 weird: spontaneous_FIN
+964800430.474874 weird: spontaneous_FIN
+964800430.474947 weird: spontaneous_FIN
+964800430.475022 weird: spontaneous_FIN
+964800430.475098 weird: spontaneous_FIN
+964800430.475169 weird: spontaneous_FIN
+964800430.475245 weird: spontaneous_FIN
+964800430.475315 weird: spontaneous_FIN
+964800430.554063 weird: spontaneous_FIN
+964800430.554142 weird: spontaneous_FIN
+964800430.554216 weird: spontaneous_FIN
+964800430.554283 weird: spontaneous_FIN
+964800430.554347 weird: spontaneous_FIN
+964800430.554412 weird: spontaneous_FIN
+964800430.554482 weird: spontaneous_FIN
+964800430.554559 weird: spontaneous_FIN
+964800430.554629 weird: spontaneous_FIN
+964800430.554710 weird: spontaneous_FIN
+964800430.554785 weird: spontaneous_FIN
+964800430.554859 weird: spontaneous_FIN
+964800430.554928 weird: spontaneous_FIN
+964800430.554999 weird: spontaneous_FIN
+964800430.555072 weird: spontaneous_FIN
+964800430.555141 weird: spontaneous_FIN
+964800430.555215 weird: spontaneous_FIN
+964800430.555284 weird: spontaneous_FIN
+964800430.634053 weird: spontaneous_FIN
+964800430.634135 weird: spontaneous_FIN
+964800430.634208 weird: spontaneous_FIN
+964800430.634281 weird: spontaneous_FIN
+964800430.634354 weird: spontaneous_FIN
+964800430.634429 weird: spontaneous_FIN
+964800430.634503 weird: spontaneous_FIN
+964800430.634579 weird: spontaneous_FIN
+964800430.634658 weird: spontaneous_FIN
+964800430.634735 weird: spontaneous_FIN
+964800430.634812 weird: spontaneous_FIN
+964800430.634891 weird: spontaneous_FIN
+964800430.634966 weird: spontaneous_FIN
+964800430.635041 weird: spontaneous_FIN
+964800430.635115 weird: spontaneous_FIN
+964800430.635186 weird: spontaneous_FIN
+964800430.635262 weird: spontaneous_FIN
+964800430.635336 weird: spontaneous_FIN
+964800430.724069 weird: spontaneous_FIN
+964800430.724149 weird: spontaneous_FIN
+964800430.724224 weird: spontaneous_FIN
+964800430.724292 weird: spontaneous_FIN
+964800430.724356 weird: spontaneous_FIN
+964800430.724420 weird: spontaneous_FIN
+964800430.724488 weird: spontaneous_FIN
+964800430.724563 weird: spontaneous_FIN
+964800430.724634 weird: spontaneous_FIN
+964800430.724714 weird: spontaneous_FIN
+964800430.724787 weird: spontaneous_FIN
+964800430.724859 weird: spontaneous_FIN
+964800430.724929 weird: spontaneous_FIN
+964800430.725001 weird: spontaneous_FIN
+964800430.725070 weird: spontaneous_FIN
+964800430.725141 weird: spontaneous_FIN
+964800430.725215 weird: spontaneous_FIN
+964800430.725286 weird: spontaneous_FIN
+964800430.804057 weird: spontaneous_FIN
+964800430.804141 weird: spontaneous_FIN
+964800430.804217 weird: spontaneous_FIN
+964800430.804288 weird: spontaneous_FIN
+964800430.804359 weird: spontaneous_FIN
+964800430.804432 weird: spontaneous_FIN
+964800430.804506 weird: spontaneous_FIN
+964800430.804582 weird: spontaneous_FIN
+964800430.804661 weird: spontaneous_FIN
+964800430.804737 weird: spontaneous_FIN
+964800430.804811 weird: spontaneous_FIN
+964800430.804891 weird: spontaneous_FIN
+964800430.804965 weird: spontaneous_FIN
+964800430.805038 weird: spontaneous_FIN
+964800430.805115 weird: spontaneous_FIN
+964800430.805188 weird: spontaneous_FIN
+964800430.805264 weird: spontaneous_FIN
+964800430.805336 weird: spontaneous_FIN
+964800430.884066 weird: spontaneous_FIN
+964800430.884144 weird: spontaneous_FIN
+964800430.884218 weird: spontaneous_FIN
+964800430.884286 weird: spontaneous_FIN
+964800430.884352 weird: spontaneous_FIN
+964800430.884420 weird: spontaneous_FIN
+964800430.884491 weird: spontaneous_FIN
+964800430.884568 weird: spontaneous_FIN
+964800430.884639 weird: spontaneous_FIN
+964800430.884720 weird: spontaneous_FIN
+964800430.884797 weird: spontaneous_FIN
+964800430.884868 weird: spontaneous_FIN
+964800430.884937 weird: spontaneous_FIN
+964800430.885016 weird: spontaneous_FIN
+964800430.885079 weird: spontaneous_FIN
+964800430.885151 weird: spontaneous_FIN
+964800430.885227 weird: spontaneous_FIN
+964800430.885295 weird: spontaneous_FIN
+964800430.964058 weird: spontaneous_FIN
+964800430.964139 weird: spontaneous_FIN
+964800430.964216 weird: spontaneous_FIN
+964800430.964291 weird: spontaneous_FIN
+964800430.964366 weird: spontaneous_FIN
+964800430.964439 weird: spontaneous_FIN
+964800430.964512 weird: spontaneous_FIN
+964800430.964586 weird: spontaneous_FIN
+964800430.964667 weird: spontaneous_FIN
+964800430.964744 weird: spontaneous_FIN
+964800430.964819 weird: spontaneous_FIN
+964800430.964897 weird: spontaneous_FIN
+964800430.964970 weird: spontaneous_FIN
+964800430.965047 weird: spontaneous_FIN
+964800430.965123 weird: spontaneous_FIN
+964800430.965196 weird: spontaneous_FIN
+964800430.965271 weird: spontaneous_FIN
+964800430.965344 weird: spontaneous_FIN
+964800431.022627 weird: spontaneous_FIN
+964800431.044072 weird: spontaneous_FIN
+964800431.044152 weird: spontaneous_FIN
+964800431.044228 weird: spontaneous_FIN
+964800431.044295 weird: spontaneous_FIN
+964800431.044361 weird: spontaneous_FIN
+964800431.044426 weird: spontaneous_FIN
+964800431.044495 weird: spontaneous_FIN
+964800431.044571 weird: spontaneous_FIN
+964800431.044642 weird: spontaneous_FIN
+964800431.044721 weird: spontaneous_FIN
+964800431.044795 weird: spontaneous_FIN
+964800431.044868 weird: spontaneous_FIN
+964800431.044939 weird: spontaneous_FIN
+964800431.045006 weird: spontaneous_FIN
+964800431.045078 weird: spontaneous_FIN
+964800431.045151 weird: spontaneous_FIN
+964800431.045225 weird: spontaneous_FIN
+964800431.045298 weird: spontaneous_FIN
+964800431.124056 weird: spontaneous_FIN
+964800431.124141 weird: spontaneous_FIN
+964800431.124215 weird: spontaneous_FIN
+964800431.124285 weird: spontaneous_FIN
+964800431.124358 weird: spontaneous_FIN
+964800431.124431 weird: spontaneous_FIN
+964800431.124504 weird: spontaneous_FIN
+964800431.124579 weird: spontaneous_FIN
+964800431.124659 weird: spontaneous_FIN
+964800431.124735 weird: spontaneous_FIN
+964800431.124811 weird: spontaneous_FIN
+964800431.124888 weird: spontaneous_FIN
+964800431.124961 weird: spontaneous_FIN
+964800431.125034 weird: spontaneous_FIN
+964800431.125110 weird: spontaneous_FIN
+964800431.125182 weird: spontaneous_FIN
+964800431.125258 weird: spontaneous_FIN
+964800431.125327 weird: spontaneous_FIN
+964800431.204071 weird: spontaneous_FIN
+964800431.204147 weird: spontaneous_FIN
+964800431.204222 weird: spontaneous_FIN
+964800431.204286 weird: spontaneous_FIN
+964800431.204353 weird: spontaneous_FIN
+964800431.204419 weird: spontaneous_FIN
+964800431.204489 weird: spontaneous_FIN
+964800431.204567 weird: spontaneous_FIN
+964800431.204639 weird: spontaneous_FIN
+964800431.204719 weird: spontaneous_FIN
+964800431.204795 weird: spontaneous_FIN
+964800431.204865 weird: spontaneous_FIN
+964800431.204938 weird: spontaneous_FIN
+964800431.205009 weird: spontaneous_FIN
+964800431.205081 weird: spontaneous_FIN
+964800431.205154 weird: spontaneous_FIN
+964800431.205226 weird: spontaneous_FIN
+964800431.205295 weird: spontaneous_FIN
+964800431.284058 weird: spontaneous_FIN
+964800431.284140 weird: spontaneous_FIN
+964800431.284214 weird: spontaneous_FIN
+964800431.284286 weird: spontaneous_FIN
+964800431.284359 weird: spontaneous_FIN
+964800431.284433 weird: spontaneous_FIN
+964800431.284508 weird: spontaneous_FIN
+964800431.284587 weird: spontaneous_FIN
+964800431.284667 weird: spontaneous_FIN
+964800431.284745 weird: spontaneous_FIN
+964800431.284820 weird: spontaneous_FIN
+964800431.284898 weird: spontaneous_FIN
+964800431.284973 weird: spontaneous_FIN
+964800431.285050 weird: spontaneous_FIN
+964800431.285127 weird: spontaneous_FIN
+964800431.285201 weird: spontaneous_FIN
+964800431.285276 weird: spontaneous_FIN
+964800431.285347 weird: spontaneous_FIN
+964800431.364075 weird: spontaneous_FIN
+964800431.364155 weird: spontaneous_FIN
+964800431.364229 weird: spontaneous_FIN
+964800431.364298 weird: spontaneous_FIN
+964800431.364362 weird: spontaneous_FIN
+964800431.364429 weird: spontaneous_FIN
+964800431.364497 weird: spontaneous_FIN
+964800431.364576 weird: spontaneous_FIN
+964800431.364647 weird: spontaneous_FIN
+964800431.364729 weird: spontaneous_FIN
+964800431.364805 weird: spontaneous_FIN
+964800431.364878 weird: spontaneous_FIN
+964800431.364949 weird: spontaneous_FIN
+964800431.365026 weird: spontaneous_FIN
+964800431.365089 weird: spontaneous_FIN
+964800431.365160 weird: spontaneous_FIN
+964800431.365234 weird: spontaneous_FIN
+964800431.365306 weird: spontaneous_FIN
+964800431.444060 weird: spontaneous_FIN
+964800431.444148 weird: spontaneous_FIN
+964800431.444222 weird: spontaneous_FIN
+964800431.444298 weird: spontaneous_FIN
+964800431.444371 weird: spontaneous_FIN
+964800431.444446 weird: spontaneous_FIN
+964800431.444520 weird: spontaneous_FIN
+964800431.444595 weird: spontaneous_FIN
+964800431.444673 weird: spontaneous_FIN
+964800431.444748 weird: spontaneous_FIN
+964800431.444826 weird: spontaneous_FIN
+964800431.444904 weird: spontaneous_FIN
+964800431.444978 weird: spontaneous_FIN
+964800431.445054 weird: spontaneous_FIN
+964800431.445130 weird: spontaneous_FIN
+964800431.445204 weird: spontaneous_FIN
+964800431.445280 weird: spontaneous_FIN
+964800431.445357 weird: spontaneous_FIN
+964800431.524081 weird: spontaneous_FIN
+964800431.524161 weird: spontaneous_FIN
+964800431.524237 weird: spontaneous_FIN
+964800431.524303 weird: spontaneous_FIN
+964800431.524369 weird: spontaneous_FIN
+964800431.524436 weird: spontaneous_FIN
+964800431.524509 weird: spontaneous_FIN
+964800431.524587 weird: spontaneous_FIN
+964800431.524657 weird: spontaneous_FIN
+964800431.524738 weird: spontaneous_FIN
+964800431.524815 weird: spontaneous_FIN
+964800431.524888 weird: spontaneous_FIN
+964800431.524956 weird: spontaneous_FIN
+964800431.525029 weird: spontaneous_FIN
+964800431.525101 weird: spontaneous_FIN
+964800431.525171 weird: spontaneous_FIN
+964800431.525245 weird: spontaneous_FIN
+964800431.525318 weird: spontaneous_FIN
+964800431.604063 weird: spontaneous_FIN
+964800431.604145 weird: spontaneous_FIN
+964800431.604218 weird: spontaneous_FIN
+964800431.604290 weird: spontaneous_FIN
+964800431.604363 weird: spontaneous_FIN
+964800431.604434 weird: spontaneous_FIN
+964800431.604507 weird: spontaneous_FIN
+964800431.604580 weird: spontaneous_FIN
+964800431.604662 weird: spontaneous_FIN
+964800431.604739 weird: spontaneous_FIN
+964800431.604814 weird: spontaneous_FIN
+964800431.604893 weird: spontaneous_FIN
+964800431.604965 weird: spontaneous_FIN
+964800431.605040 weird: spontaneous_FIN
+964800431.605115 weird: spontaneous_FIN
+964800431.605188 weird: spontaneous_FIN
+964800431.605267 weird: spontaneous_FIN
+964800431.605340 weird: spontaneous_FIN
+964800431.684114 weird: spontaneous_FIN
+964800431.684196 weird: spontaneous_FIN
+964800431.684271 weird: spontaneous_FIN
+964800431.684338 weird: spontaneous_FIN
+964800431.684406 weird: spontaneous_FIN
+964800431.684471 weird: spontaneous_FIN
+964800431.684541 weird: spontaneous_FIN
+964800431.684619 weird: spontaneous_FIN
+964800431.684689 weird: spontaneous_FIN
+964800431.684770 weird: spontaneous_FIN
+964800431.684845 weird: spontaneous_FIN
+964800431.684916 weird: spontaneous_FIN
+964800431.684989 weird: spontaneous_FIN
+964800431.685057 weird: spontaneous_FIN
+964800431.685128 weird: spontaneous_FIN
+964800431.685200 weird: spontaneous_FIN
+964800431.685274 weird: spontaneous_FIN
+964800431.685349 weird: spontaneous_FIN
+964800431.764061 weird: spontaneous_FIN
+964800431.764143 weird: spontaneous_FIN
+964800431.764216 weird: spontaneous_FIN
+964800431.764288 weird: spontaneous_FIN
+964800431.764363 weird: spontaneous_FIN
+964800431.764435 weird: spontaneous_FIN
+964800431.764509 weird: spontaneous_FIN
+964800431.764585 weird: spontaneous_FIN
+964800431.764666 weird: spontaneous_FIN
+964800431.764742 weird: spontaneous_FIN
+964800431.764820 weird: spontaneous_FIN
+964800431.764898 weird: spontaneous_FIN
+964800431.764971 weird: spontaneous_FIN
+964800431.765047 weird: spontaneous_FIN
+964800431.765125 weird: spontaneous_FIN
+964800431.765198 weird: spontaneous_FIN
+964800431.765274 weird: spontaneous_FIN
+964800431.765342 weird: spontaneous_FIN
+964800431.844077 weird: spontaneous_FIN
+964800431.844153 weird: spontaneous_FIN
+964800431.844227 weird: spontaneous_FIN
+964800431.844294 weird: spontaneous_FIN
+964800431.844361 weird: spontaneous_FIN
+964800431.844425 weird: spontaneous_FIN
+964800431.844495 weird: spontaneous_FIN
+964800431.844571 weird: spontaneous_FIN
+964800431.844643 weird: spontaneous_FIN
+964800431.844723 weird: spontaneous_FIN
+964800431.844798 weird: spontaneous_FIN
+964800431.844869 weird: spontaneous_FIN
+964800431.844941 weird: spontaneous_FIN
+964800431.845012 weird: spontaneous_FIN
+964800431.845082 weird: spontaneous_FIN
+964800431.845156 weird: spontaneous_FIN
+964800431.845228 weird: spontaneous_FIN
+964800431.845299 weird: spontaneous_FIN
+964800431.924062 weird: spontaneous_FIN
+964800431.924144 weird: spontaneous_FIN
+964800431.924217 weird: spontaneous_FIN
+964800431.924289 weird: spontaneous_FIN
+964800431.924362 weird: spontaneous_FIN
+964800431.924434 weird: spontaneous_FIN
+964800431.924509 weird: spontaneous_FIN
+964800431.924582 weird: spontaneous_FIN
+964800431.924660 weird: spontaneous_FIN
+964800431.924735 weird: spontaneous_FIN
+964800431.924811 weird: spontaneous_FIN
+964800431.924890 weird: spontaneous_FIN
+964800431.924960 weird: spontaneous_FIN
+964800431.925038 weird: spontaneous_FIN
+964800431.925109 weird: spontaneous_FIN
+964800431.925182 weird: spontaneous_FIN
+964800431.925256 weird: spontaneous_FIN
+964800431.925329 weird: spontaneous_FIN
+964800432.004074 weird: spontaneous_FIN
+964800432.004146 weird: spontaneous_FIN
+964800432.004223 weird: spontaneous_FIN
+964800432.004287 weird: spontaneous_FIN
+964800432.004358 weird: spontaneous_FIN
+964800432.004425 weird: spontaneous_FIN
+964800432.004495 weird: spontaneous_FIN
+964800432.004570 weird: spontaneous_FIN
+964800432.004642 weird: spontaneous_FIN
+964800432.004722 weird: spontaneous_FIN
+964800432.004797 weird: spontaneous_FIN
+964800432.004867 weird: spontaneous_FIN
+964800432.004937 weird: spontaneous_FIN
+964800432.005008 weird: spontaneous_FIN
+964800432.005076 weird: spontaneous_FIN
+964800432.005145 weird: spontaneous_FIN
+964800432.005218 weird: spontaneous_FIN
+964800432.005289 weird: spontaneous_FIN
+964800432.084062 weird: spontaneous_FIN
+964800432.084145 weird: spontaneous_FIN
+964800432.084222 weird: spontaneous_FIN
+964800432.084296 weird: spontaneous_FIN
+964800432.084370 weird: spontaneous_FIN
+964800432.084444 weird: spontaneous_FIN
+964800432.084518 weird: spontaneous_FIN
+964800432.084593 weird: spontaneous_FIN
+964800432.084670 weird: spontaneous_FIN
+964800432.084746 weird: spontaneous_FIN
+964800432.084821 weird: spontaneous_FIN
+964800432.084898 weird: spontaneous_FIN
+964800432.084972 weird: spontaneous_FIN
+964800432.085047 weird: spontaneous_FIN
+964800432.085121 weird: spontaneous_FIN
+964800432.085193 weird: spontaneous_FIN
+964800432.085269 weird: spontaneous_FIN
+964800432.085340 weird: spontaneous_FIN
+964800432.164079 weird: spontaneous_FIN
+964800432.164154 weird: spontaneous_FIN
+964800432.164227 weird: spontaneous_FIN
+964800432.164294 weird: spontaneous_FIN
+964800432.164363 weird: spontaneous_FIN
+964800432.164430 weird: spontaneous_FIN
+964800432.164500 weird: spontaneous_FIN
+964800432.164578 weird: spontaneous_FIN
+964800432.164648 weird: spontaneous_FIN
+964800432.164728 weird: spontaneous_FIN
+964800432.164801 weird: spontaneous_FIN
+964800432.164874 weird: spontaneous_FIN
+964800432.164942 weird: spontaneous_FIN
+964800432.165012 weird: spontaneous_FIN
+964800432.165084 weird: spontaneous_FIN
+964800432.165153 weird: spontaneous_FIN
+964800432.165228 weird: spontaneous_FIN
+964800432.165300 weird: spontaneous_FIN
+964800432.244062 weird: spontaneous_FIN
+964800432.244144 weird: spontaneous_FIN
+964800432.244217 weird: spontaneous_FIN
+964800432.244290 weird: spontaneous_FIN
+964800432.244363 weird: spontaneous_FIN
+964800432.244434 weird: spontaneous_FIN
+964800432.244507 weird: spontaneous_FIN
+964800432.244580 weird: spontaneous_FIN
+964800432.244660 weird: spontaneous_FIN
+964800432.244735 weird: spontaneous_FIN
+964800432.244812 weird: spontaneous_FIN
+964800432.244888 weird: spontaneous_FIN
+964800432.244962 weird: spontaneous_FIN
+964800432.245040 weird: spontaneous_FIN
+964800432.245110 weird: spontaneous_FIN
+964800432.245181 weird: spontaneous_FIN
+964800432.245257 weird: spontaneous_FIN
+964800432.245328 weird: spontaneous_FIN
+964800432.334078 weird: spontaneous_FIN
+964800432.334157 weird: spontaneous_FIN
+964800432.334232 weird: spontaneous_FIN
+964800432.334301 weird: spontaneous_FIN
+964800432.334368 weird: spontaneous_FIN
+964800432.334434 weird: spontaneous_FIN
+964800432.334503 weird: spontaneous_FIN
+964800432.334582 weird: spontaneous_FIN
+964800432.334653 weird: spontaneous_FIN
+964800432.334732 weird: spontaneous_FIN
+964800432.334808 weird: spontaneous_FIN
+964800432.334880 weird: spontaneous_FIN
+964800432.334953 weird: spontaneous_FIN
+964800432.335024 weird: spontaneous_FIN
+964800432.335095 weird: spontaneous_FIN
+964800432.335170 weird: spontaneous_FIN
+964800432.335244 weird: spontaneous_FIN
+964800432.335322 weird: spontaneous_FIN
+964800432.393658 weird: spontaneous_RST
+964800432.393697 weird: spontaneous_RST
+964800432.424076 weird: spontaneous_FIN
+964800432.424160 weird: spontaneous_FIN
+964800432.424232 weird: spontaneous_FIN
+964800432.424305 weird: spontaneous_FIN
+964800432.424380 weird: spontaneous_FIN
+964800432.424456 weird: spontaneous_FIN
+964800432.424530 weird: spontaneous_FIN
+964800432.424608 weird: spontaneous_FIN
+964800432.424691 weird: spontaneous_FIN
+964800432.424767 weird: spontaneous_FIN
+964800432.424842 weird: spontaneous_FIN
+964800432.424919 weird: spontaneous_FIN
+964800432.424993 weird: spontaneous_FIN
+964800432.425070 weird: spontaneous_FIN
+964800432.425147 weird: spontaneous_FIN
+964800432.425226 weird: spontaneous_FIN
+964800432.425307 weird: spontaneous_FIN
+964800432.425384 weird: spontaneous_FIN
+964800432.504091 weird: spontaneous_FIN
+964800432.504176 weird: spontaneous_FIN
+964800432.504259 weird: spontaneous_FIN
+964800432.504327 weird: spontaneous_FIN
+964800432.504396 weird: spontaneous_FIN
+964800432.504463 weird: spontaneous_FIN
+964800432.504538 weird: spontaneous_FIN
+964800432.504609 weird: spontaneous_FIN
+964800432.504685 weird: spontaneous_FIN
+964800432.504757 weird: spontaneous_FIN
+964800432.504830 weird: spontaneous_FIN
+964800432.504903 weird: spontaneous_FIN
+964800432.504974 weird: spontaneous_FIN
+964800432.505044 weird: spontaneous_FIN
+964800432.505112 weird: spontaneous_FIN
+964800432.505187 weird: spontaneous_FIN
+964800432.505259 weird: spontaneous_FIN
+964800432.505329 weird: spontaneous_FIN
+964800432.584072 weird: spontaneous_FIN
+964800432.584154 weird: spontaneous_FIN
+964800432.584228 weird: spontaneous_FIN
+964800432.584299 weird: spontaneous_FIN
+964800432.584372 weird: spontaneous_FIN
+964800432.584447 weird: spontaneous_FIN
+964800432.584522 weird: spontaneous_FIN
+964800432.584598 weird: spontaneous_FIN
+964800432.584674 weird: spontaneous_FIN
+964800432.584752 weird: spontaneous_FIN
+964800432.584835 weird: spontaneous_FIN
+964800432.584962 weird: spontaneous_FIN
+964800432.585045 weird: spontaneous_FIN
+964800432.585108 weird: spontaneous_FIN
+964800432.585179 weird: spontaneous_FIN
+964800432.585246 weird: spontaneous_FIN
+964800432.585324 weird: spontaneous_FIN
+964800432.585393 weird: spontaneous_FIN
+964800432.664091 weird: spontaneous_FIN
+964800432.664174 weird: spontaneous_FIN
+964800432.664249 weird: spontaneous_FIN
+964800432.664316 weird: spontaneous_FIN
+964800432.664386 weird: spontaneous_FIN
+964800432.664456 weird: spontaneous_FIN
+964800432.664521 weird: spontaneous_FIN
+964800432.664591 weird: spontaneous_FIN
+964800432.664664 weird: spontaneous_FIN
+964800432.664735 weird: spontaneous_FIN
+964800432.664808 weird: spontaneous_FIN
+964800432.664878 weird: spontaneous_FIN
+964800432.664950 weird: spontaneous_FIN
+964800432.665022 weird: spontaneous_FIN
+964800432.665091 weird: spontaneous_FIN
+964800432.665164 weird: spontaneous_FIN
+964800432.665235 weird: spontaneous_FIN
+964800432.665305 weird: spontaneous_FIN
+964800432.744077 weird: spontaneous_FIN
+964800432.744155 weird: spontaneous_FIN
+964800432.744224 weird: spontaneous_FIN
+964800432.744294 weird: spontaneous_FIN
+964800432.744364 weird: spontaneous_FIN
+964800432.744435 weird: spontaneous_FIN
+964800432.744506 weird: spontaneous_FIN
+964800432.744586 weird: spontaneous_FIN
+964800432.744666 weird: spontaneous_FIN
+964800432.744742 weird: spontaneous_FIN
+964800432.744822 weird: spontaneous_FIN
+964800432.744902 weird: spontaneous_FIN
+964800432.744976 weird: spontaneous_FIN
+964800432.745050 weird: spontaneous_FIN
+964800432.745119 weird: spontaneous_FIN
+964800432.745190 weird: spontaneous_FIN
+964800432.745268 weird: spontaneous_FIN
+964800432.745339 weird: spontaneous_FIN
+964800432.824076 weird: spontaneous_FIN
+964800432.824161 weird: spontaneous_FIN
+964800432.824236 weird: spontaneous_FIN
+964800432.824303 weird: spontaneous_FIN
+964800432.824372 weird: spontaneous_FIN
+964800432.824442 weird: spontaneous_FIN
+964800432.824510 weird: spontaneous_FIN
+964800432.824583 weird: spontaneous_FIN
+964800432.824658 weird: spontaneous_FIN
+964800432.824728 weird: spontaneous_FIN
+964800432.824800 weird: spontaneous_FIN
+964800432.824870 weird: spontaneous_FIN
+964800432.824942 weird: spontaneous_FIN
+964800432.825012 weird: spontaneous_FIN
+964800432.825082 weird: spontaneous_FIN
+964800432.825154 weird: spontaneous_FIN
+964800432.825226 weird: spontaneous_FIN
+964800432.825301 weird: spontaneous_FIN
+964800432.904071 weird: spontaneous_FIN
+964800432.904150 weird: spontaneous_FIN
+964800432.904219 weird: spontaneous_FIN
+964800432.904290 weird: spontaneous_FIN
+964800432.904361 weird: spontaneous_FIN
+964800432.904432 weird: spontaneous_FIN
+964800432.904506 weird: spontaneous_FIN
+964800432.904580 weird: spontaneous_FIN
+964800432.904655 weird: spontaneous_FIN
+964800432.904729 weird: spontaneous_FIN
+964800432.904805 weird: spontaneous_FIN
+964800432.904880 weird: spontaneous_FIN
+964800432.904957 weird: spontaneous_FIN
+964800432.905029 weird: spontaneous_FIN
+964800432.905102 weird: spontaneous_FIN
+964800432.905173 weird: spontaneous_FIN
+964800432.905252 weird: spontaneous_FIN
+964800432.905327 weird: spontaneous_FIN
+964800432.984084 weird: spontaneous_FIN
+964800432.984166 weird: spontaneous_FIN
+964800432.984239 weird: spontaneous_FIN
+964800432.984310 weird: spontaneous_FIN
+964800432.984380 weird: spontaneous_FIN
+964800432.984448 weird: spontaneous_FIN
+964800432.984516 weird: spontaneous_FIN
+964800432.984589 weird: spontaneous_FIN
+964800432.984664 weird: spontaneous_FIN
+964800432.984738 weird: spontaneous_FIN
+964800432.984811 weird: spontaneous_FIN
+964800432.984880 weird: spontaneous_FIN
+964800433.064081 weird: spontaneous_FIN
+964800433.064168 weird: spontaneous_FIN
+964800433.064241 weird: spontaneous_FIN
+964800433.064312 weird: spontaneous_FIN
+964800433.064388 weird: spontaneous_FIN
+964800433.064462 weird: spontaneous_FIN
+964800433.064539 weird: spontaneous_FIN
+964800433.064611 weird: spontaneous_FIN
+964800433.064687 weird: spontaneous_FIN
+964800433.064761 weird: spontaneous_FIN
+964800434.264113 weird: spontaneous_FIN
+964800434.264192 weird: spontaneous_FIN
+964800434.264353 weird: spontaneous_FIN
+964800434.264569 weird: spontaneous_FIN
+964800434.264677 weird: spontaneous_FIN
+964800434.264810 weird: spontaneous_FIN
+964800434.265004 weird: spontaneous_FIN
+964800434.265089 weird: spontaneous_FIN
+964800434.265243 weird: spontaneous_FIN
+964800434.265449 weird: spontaneous_FIN
+964800434.265536 weird: spontaneous_FIN
+964800434.265697 weird: spontaneous_FIN
+964800434.265897 weird: spontaneous_FIN
+964800434.266002 weird: spontaneous_FIN
+964800434.266149 weird: spontaneous_FIN
+964800434.266361 weird: spontaneous_FIN
+964800434.266445 weird: spontaneous_FIN
+964800434.266616 weird: spontaneous_FIN
+964800434.266835 weird: spontaneous_FIN
+964800434.266928 weird: spontaneous_FIN
+964800434.267095 weird: spontaneous_FIN
+964800434.267312 weird: spontaneous_FIN
+964800434.267389 weird: spontaneous_FIN
+964800434.267540 weird: spontaneous_FIN
+964800434.267743 weird: spontaneous_FIN
+964800434.267825 weird: spontaneous_FIN
+964800434.267984 weird: spontaneous_FIN
+964800434.268191 weird: spontaneous_FIN
+964800434.268274 weird: spontaneous_FIN
+964800434.268445 weird: spontaneous_FIN
+964800434.268657 weird: spontaneous_FIN
+964800434.268735 weird: spontaneous_FIN
+964800434.268895 weird: spontaneous_FIN
+964800434.269105 weird: spontaneous_FIN
+964800434.269190 weird: spontaneous_FIN
+964800434.269364 weird: spontaneous_FIN
+964800434.269603 weird: spontaneous_FIN
+964800434.269703 weird: spontaneous_FIN
+964800434.269875 weird: spontaneous_FIN
+964800434.270101 weird: spontaneous_FIN
+964800434.270184 weird: spontaneous_FIN
+964800434.270370 weird: spontaneous_FIN
+964800434.270602 weird: spontaneous_FIN
+964800434.270686 weird: spontaneous_FIN
+964800434.270852 weird: spontaneous_FIN
+964800434.271061 weird: spontaneous_FIN
+964800434.271140 weird: spontaneous_FIN
+964800434.271296 weird: spontaneous_FIN
+964800434.271494 weird: spontaneous_FIN
+964800434.271579 weird: spontaneous_FIN
+964800434.271737 weird: spontaneous_FIN
+964800434.271945 weird: spontaneous_FIN
+964800434.272022 weird: spontaneous_FIN
+964800434.272185 weird: spontaneous_FIN
+964800434.272384 weird: spontaneous_FIN
+964800434.272465 weird: spontaneous_FIN
+964800434.272625 weird: spontaneous_FIN
+964800434.272824 weird: spontaneous_FIN
+964800434.272909 weird: spontaneous_FIN
+964800434.273060 weird: spontaneous_FIN
+964800434.273275 weird: spontaneous_FIN
+964800434.273409 weird: spontaneous_FIN
+964800434.273521 weird: spontaneous_FIN
+964800434.273725 weird: spontaneous_FIN
+964800434.273810 weird: spontaneous_FIN
+964800434.364130 weird: spontaneous_FIN
+964800434.364214 weird: spontaneous_FIN
+964800434.364386 weird: spontaneous_FIN
+964800434.364519 weird: spontaneous_FIN
+964800434.364717 weird: spontaneous_FIN
+964800434.364791 weird: spontaneous_FIN
+964800434.364937 weird: spontaneous_FIN
+964800434.365131 weird: spontaneous_FIN
+964800434.365214 weird: spontaneous_FIN
+964800434.365362 weird: spontaneous_FIN
+964800434.365576 weird: spontaneous_FIN
+964800434.365682 weird: spontaneous_FIN
+964800434.365823 weird: spontaneous_FIN
+964800434.366029 weird: spontaneous_FIN
+964800434.366111 weird: spontaneous_FIN
+964800434.366271 weird: spontaneous_FIN
+964800434.366466 weird: spontaneous_FIN
+964800434.366551 weird: spontaneous_FIN
+964800434.366707 weird: spontaneous_FIN
+964800434.366896 weird: spontaneous_FIN
+964800434.367006 weird: spontaneous_FIN
+964800434.367140 weird: spontaneous_FIN
+964800434.367346 weird: spontaneous_FIN
+964800434.367431 weird: spontaneous_FIN
+964800434.367607 weird: spontaneous_FIN
+964800434.367859 weird: spontaneous_FIN
+964800434.367956 weird: spontaneous_FIN
+964800434.368129 weird: spontaneous_FIN
+964800434.368371 weird: spontaneous_FIN
+964800434.368451 weird: spontaneous_FIN
+964800434.368627 weird: spontaneous_FIN
+964800434.368842 weird: spontaneous_FIN
+964800434.368917 weird: spontaneous_FIN
+964800434.369070 weird: spontaneous_FIN
+964800434.369279 weird: spontaneous_FIN
+964800434.369361 weird: spontaneous_FIN
+964800434.369512 weird: spontaneous_FIN
+964800434.369710 weird: spontaneous_FIN
+964800434.369792 weird: spontaneous_FIN
+964800434.369953 weird: spontaneous_FIN
+964800434.370159 weird: spontaneous_FIN
+964800434.370242 weird: spontaneous_FIN
+964800434.370395 weird: spontaneous_FIN
+964800434.370593 weird: spontaneous_FIN
+964800434.370672 weird: spontaneous_FIN
+964800434.370826 weird: spontaneous_FIN
+964800434.371030 weird: spontaneous_FIN
+964800434.371133 weird: spontaneous_FIN
+964800434.371267 weird: spontaneous_FIN
+964800434.371365 weird: spontaneous_FIN
+964800434.371650 weird: spontaneous_FIN
+964800434.371823 weird: spontaneous_FIN
+964800434.371908 weird: spontaneous_FIN
+964800434.372066 weird: spontaneous_FIN
+964800434.372272 weird: spontaneous_FIN
+964800434.372349 weird: spontaneous_FIN
+964800434.372500 weird: spontaneous_FIN
+964800434.372700 weird: spontaneous_FIN
+964800434.372780 weird: spontaneous_FIN
+964800434.372931 weird: spontaneous_FIN
+964800434.373141 weird: spontaneous_FIN
+964800434.373222 weird: spontaneous_FIN
+964800434.373377 weird: spontaneous_FIN
+964800434.373592 weird: spontaneous_FIN
+964800434.373678 weird: spontaneous_FIN
+964800434.373839 weird: spontaneous_FIN
+964800434.374088 weird: spontaneous_FIN
+964800434.374186 weird: spontaneous_FIN
+964800434.374357 weird: spontaneous_FIN
+964800434.464120 weird: spontaneous_FIN
+964800434.464198 weird: spontaneous_FIN
+964800434.464350 weird: spontaneous_FIN
+964800434.464561 weird: spontaneous_FIN
+964800434.464671 weird: spontaneous_FIN
+964800434.464801 weird: spontaneous_FIN
+964800434.464998 weird: spontaneous_FIN
+964800434.465106 weird: spontaneous_FIN
+964800434.465238 weird: spontaneous_FIN
+964800434.465456 weird: spontaneous_FIN
+964800434.465539 weird: spontaneous_FIN
+964800434.465694 weird: spontaneous_FIN
+964800434.465900 weird: spontaneous_FIN
+964800434.465984 weird: spontaneous_FIN
+964800434.466144 weird: spontaneous_FIN
+964800434.466346 weird: spontaneous_FIN
+964800434.466430 weird: spontaneous_FIN
+964800434.466595 weird: spontaneous_FIN
+964800434.466807 weird: spontaneous_FIN
+964800434.466889 weird: spontaneous_FIN
+964800434.467055 weird: spontaneous_FIN
+964800434.467267 weird: spontaneous_FIN
+964800434.467350 weird: spontaneous_FIN
+964800434.467507 weird: spontaneous_FIN
+964800434.467717 weird: spontaneous_FIN
+964800434.467801 weird: spontaneous_FIN
+964800434.467966 weird: spontaneous_FIN
+964800434.468225 weird: spontaneous_FIN
+964800434.468303 weird: spontaneous_FIN
+964800434.468454 weird: spontaneous_FIN
+964800434.468656 weird: spontaneous_FIN
+964800434.468733 weird: spontaneous_FIN
+964800434.468888 weird: spontaneous_FIN
+964800434.469043 weird: spontaneous_FIN
+964800434.469202 weird: spontaneous_FIN
+964800434.469325 weird: spontaneous_FIN
+964800434.469550 weird: spontaneous_FIN
+964800434.469633 weird: spontaneous_FIN
+964800434.469825 weird: spontaneous_FIN
+964800434.470044 weird: spontaneous_FIN
+964800434.470141 weird: spontaneous_FIN
+964800434.470314 weird: spontaneous_FIN
+964800434.470546 weird: spontaneous_FIN
+964800434.470634 weird: spontaneous_FIN
+964800434.470800 weird: spontaneous_FIN
+964800434.471329 weird: spontaneous_FIN
+964800434.471494 weird: spontaneous_FIN
+964800434.471995 weird: spontaneous_FIN
+964800434.472338 weird: spontaneous_FIN
+964800434.472503 weird: spontaneous_FIN
+964800434.473692 weird: spontaneous_FIN
+964800434.474355 weird: spontaneous_FIN
+964800434.474522 weird: spontaneous_FIN
+964800434.475022 weird: spontaneous_FIN
+964800434.475539 weird: spontaneous_FIN
+964800434.475703 weird: spontaneous_FIN
+964800434.476358 weird: spontaneous_FIN
+964800434.476869 weird: spontaneous_FIN
+964800434.477357 weird: spontaneous_FIN
+964800434.477688 weird: spontaneous_FIN
+964800434.478341 weird: spontaneous_FIN
+964800434.478503 weird: spontaneous_FIN
+964800434.478996 weird: spontaneous_FIN
+964800434.479649 weird: spontaneous_FIN
+964800434.479812 weird: spontaneous_FIN
+964800434.480302 weird: spontaneous_FIN
+964800434.480796 weird: spontaneous_FIN
+964800434.481124 weird: spontaneous_FIN
+964800434.481451 weird: spontaneous_FIN
+964800434.482104 weird: spontaneous_FIN
+964800434.482267 weird: spontaneous_FIN
+964800434.482757 weird: spontaneous_FIN
+964800434.483250 weird: spontaneous_FIN
+964800434.564123 weird: spontaneous_FIN
+964800434.564205 weird: spontaneous_FIN
+964800434.564374 weird: spontaneous_FIN
+964800434.564505 weird: spontaneous_FIN
+964800434.564712 weird: spontaneous_FIN
+964800434.564788 weird: spontaneous_FIN
+964800434.564945 weird: spontaneous_FIN
+964800434.565147 weird: spontaneous_FIN
+964800434.565228 weird: spontaneous_FIN
+964800434.565376 weird: spontaneous_FIN
+964800434.565578 weird: spontaneous_FIN
+964800434.565660 weird: spontaneous_FIN
+964800434.565823 weird: spontaneous_FIN
+964800434.566021 weird: spontaneous_FIN
+964800434.566100 weird: spontaneous_FIN
+964800434.566249 weird: spontaneous_FIN
+964800434.566443 weird: spontaneous_FIN
+964800434.566523 weird: spontaneous_FIN
+964800434.566672 weird: spontaneous_FIN
+964800434.566877 weird: spontaneous_FIN
+964800434.566958 weird: spontaneous_FIN
+964800434.567108 weird: spontaneous_FIN
+964800434.567299 weird: spontaneous_FIN
+964800434.567384 weird: spontaneous_FIN
+964800434.567573 weird: spontaneous_FIN
+964800434.567794 weird: spontaneous_FIN
+964800434.567892 weird: spontaneous_FIN
+964800434.568051 weird: spontaneous_FIN
+964800434.568280 weird: spontaneous_FIN
+964800434.568378 weird: spontaneous_FIN
+964800434.568547 weird: spontaneous_FIN
+964800434.568751 weird: spontaneous_FIN
+964800434.568828 weird: spontaneous_FIN
+964800434.568980 weird: spontaneous_FIN
+964800434.569178 weird: spontaneous_FIN
+964800434.569258 weird: spontaneous_FIN
+964800434.569413 weird: spontaneous_FIN
+964800434.569618 weird: spontaneous_FIN
+964800434.569701 weird: spontaneous_FIN
+964800434.569854 weird: spontaneous_FIN
+964800434.570054 weird: spontaneous_FIN
+964800434.570137 weird: spontaneous_FIN
+964800434.570297 weird: spontaneous_FIN
+964800434.570489 weird: spontaneous_FIN
+964800434.570571 weird: spontaneous_FIN
+964800434.570727 weird: spontaneous_FIN
+964800434.570924 weird: spontaneous_FIN
+964800434.571010 weird: spontaneous_FIN
+964800434.571174 weird: spontaneous_FIN
+964800434.571399 weird: spontaneous_FIN
+964800434.571498 weird: spontaneous_FIN
+964800434.571660 weird: spontaneous_FIN
+964800434.571888 weird: spontaneous_FIN
+964800434.572000 weird: spontaneous_FIN
+964800434.572063 weird: spontaneous_FIN
+964800434.572222 weird: spontaneous_FIN
+964800434.572448 weird: spontaneous_FIN
+964800434.572532 weird: spontaneous_FIN
+964800434.572701 weird: spontaneous_FIN
+964800434.572920 weird: spontaneous_FIN
+964800434.573004 weird: spontaneous_FIN
+964800434.573172 weird: spontaneous_FIN
+964800434.573387 weird: spontaneous_FIN
+964800434.573469 weird: spontaneous_FIN
+964800434.573631 weird: spontaneous_FIN
+964800434.573851 weird: spontaneous_FIN
+964800434.573933 weird: spontaneous_FIN
+964800434.574122 weird: spontaneous_FIN
+964800434.574372 weird: spontaneous_FIN
+964800434.574455 weird: spontaneous_FIN
+964800434.574631 weird: spontaneous_FIN
+964800434.574857 weird: spontaneous_FIN
+964800434.574943 weird: spontaneous_FIN
+964800434.575114 weird: spontaneous_FIN
+964800434.575329 weird: spontaneous_FIN
+964800434.575409 weird: spontaneous_FIN
+964800434.575576 weird: spontaneous_FIN
+964800434.674133 weird: spontaneous_FIN
+964800434.674229 weird: spontaneous_FIN
+964800434.674398 weird: spontaneous_FIN
+964800434.674624 weird: spontaneous_FIN
+964800434.674734 weird: spontaneous_FIN
+964800434.674858 weird: spontaneous_FIN
+964800434.675071 weird: spontaneous_FIN
+964800434.675169 weird: spontaneous_FIN
+964800434.675251 weird: spontaneous_FIN
+964800434.675404 weird: spontaneous_FIN
+964800434.675599 weird: spontaneous_FIN
+964800434.675701 weird: spontaneous_FIN
+964800434.675847 weird: spontaneous_FIN
+964800434.676042 weird: spontaneous_FIN
+964800434.676130 weird: spontaneous_FIN
+964800434.676280 weird: spontaneous_FIN
+964800434.676476 weird: spontaneous_FIN
+964800434.676558 weird: spontaneous_FIN
+964800434.676716 weird: spontaneous_FIN
+964800434.676914 weird: spontaneous_FIN
+964800434.676996 weird: spontaneous_FIN
+964800434.677159 weird: spontaneous_FIN
+964800434.677364 weird: spontaneous_FIN
+964800434.677443 weird: spontaneous_FIN
+964800434.677612 weird: spontaneous_FIN
+964800434.677821 weird: spontaneous_FIN
+964800434.677901 weird: spontaneous_FIN
+964800434.678065 weird: spontaneous_FIN
+964800434.678289 weird: spontaneous_FIN
+964800434.678368 weird: spontaneous_FIN
+964800434.678539 weird: spontaneous_FIN
+964800434.678751 weird: spontaneous_FIN
+964800434.678827 weird: spontaneous_FIN
+964800434.678994 weird: spontaneous_FIN
+964800434.679210 weird: spontaneous_FIN
+964800434.679285 weird: spontaneous_FIN
+964800434.679456 weird: spontaneous_FIN
+964800434.679683 weird: spontaneous_FIN
+964800434.679797 weird: spontaneous_FIN
+964800434.679929 weird: spontaneous_FIN
+964800434.680138 weird: spontaneous_FIN
+964800434.680258 weird: spontaneous_FIN
+964800434.680397 weird: spontaneous_FIN
+964800434.680620 weird: spontaneous_FIN
+964800434.680703 weird: spontaneous_FIN
+964800434.680889 weird: spontaneous_FIN
+964800434.681095 weird: spontaneous_FIN
+964800434.681190 weird: spontaneous_FIN
+964800434.681354 weird: spontaneous_FIN
+964800434.681585 weird: spontaneous_FIN
+964800434.681660 weird: spontaneous_FIN
+964800434.681826 weird: spontaneous_FIN
+964800434.682049 weird: spontaneous_FIN
+964800434.682126 weird: spontaneous_FIN
+964800434.682292 weird: spontaneous_FIN
+964800434.682496 weird: spontaneous_FIN
+964800434.682582 weird: spontaneous_FIN
+964800434.682742 weird: spontaneous_FIN
+964800434.682942 weird: spontaneous_FIN
+964800434.683022 weird: spontaneous_FIN
+964800434.683182 weird: spontaneous_FIN
+964800434.683384 weird: spontaneous_FIN
+964800434.683462 weird: spontaneous_FIN
+964800434.683619 weird: spontaneous_FIN
+964800434.683818 weird: spontaneous_FIN
+964800434.683902 weird: spontaneous_FIN
+964800434.684143 weird: spontaneous_FIN
+964800434.684374 weird: spontaneous_FIN
+964800434.684450 weird: spontaneous_FIN
+964800434.684609 weird: spontaneous_FIN
+964800434.684828 weird: spontaneous_FIN
+964800434.684912 weird: spontaneous_FIN
+964800434.685085 weird: spontaneous_FIN
+964800434.685273 weird: spontaneous_FIN
+964800434.685356 weird: spontaneous_FIN
+964800434.685522 weird: spontaneous_FIN
+964800434.685747 weird: spontaneous_FIN
+964800434.685832 weird: spontaneous_FIN
+964800434.686005 weird: spontaneous_FIN
+964800434.686233 weird: spontaneous_FIN
+964800434.686313 weird: spontaneous_FIN
+964800434.784136 weird: spontaneous_FIN
+964800434.784219 weird: spontaneous_FIN
+964800434.784395 weird: spontaneous_FIN
+964800434.784534 weird: spontaneous_FIN
+964800434.784727 weird: spontaneous_FIN
+964800434.784806 weird: spontaneous_FIN
+964800434.784959 weird: spontaneous_FIN
+964800434.785158 weird: spontaneous_FIN
+964800434.785240 weird: spontaneous_FIN
+964800434.785411 weird: spontaneous_FIN
+964800434.785657 weird: spontaneous_FIN
+964800434.785733 weird: spontaneous_FIN
+964800434.785883 weird: spontaneous_FIN
+964800434.786087 weird: spontaneous_FIN
+964800434.786174 weird: spontaneous_FIN
+964800434.786334 weird: spontaneous_FIN
+964800434.786536 weird: spontaneous_FIN
+964800434.786616 weird: spontaneous_FIN
+964800434.786772 weird: spontaneous_FIN
+964800434.786973 weird: spontaneous_FIN
+964800434.787058 weird: spontaneous_FIN
+964800434.787218 weird: spontaneous_FIN
+964800434.787445 weird: spontaneous_FIN
+964800434.787526 weird: spontaneous_FIN
+964800434.787698 weird: spontaneous_FIN
+964800434.787927 weird: spontaneous_FIN
+964800434.788013 weird: spontaneous_FIN
+964800434.788200 weird: spontaneous_FIN
+964800434.788429 weird: spontaneous_FIN
+964800434.788541 weird: spontaneous_FIN
+964800434.788683 weird: spontaneous_FIN
+964800434.788834 weird: spontaneous_FIN
+964800434.789079 weird: spontaneous_FIN
+964800434.789265 weird: spontaneous_FIN
+964800434.789348 weird: spontaneous_FIN
+964800434.789512 weird: spontaneous_FIN
+964800434.789721 weird: spontaneous_FIN
+964800434.789799 weird: spontaneous_FIN
+964800434.789959 weird: spontaneous_FIN
+964800434.790168 weird: spontaneous_FIN
+964800434.790250 weird: spontaneous_FIN
+964800434.790415 weird: spontaneous_FIN
+964800434.790620 weird: spontaneous_FIN
+964800434.790703 weird: spontaneous_FIN
+964800434.790852 weird: spontaneous_FIN
+964800434.791051 weird: spontaneous_FIN
+964800434.791131 weird: spontaneous_FIN
+964800434.791291 weird: spontaneous_FIN
+964800434.791509 weird: spontaneous_FIN
+964800434.791591 weird: spontaneous_FIN
+964800434.791752 weird: spontaneous_FIN
+964800434.791970 weird: spontaneous_FIN
+964800434.792050 weird: spontaneous_FIN
+964800434.792208 weird: spontaneous_FIN
+964800434.792416 weird: spontaneous_FIN
+964800434.792513 weird: spontaneous_FIN
+964800434.792668 weird: spontaneous_FIN
+964800434.792881 weird: spontaneous_FIN
+964800434.792966 weird: spontaneous_FIN
+964800434.793131 weird: spontaneous_FIN
+964800434.793342 weird: spontaneous_FIN
+964800434.793422 weird: spontaneous_FIN
+964800434.793588 weird: spontaneous_FIN
+964800444.965500 weird: baroque_SYN
+964800444.966119 weird: spontaneous_FIN
+964800448.828993 weird: spontaneous_FIN
+964800450.784603 weird: spontaneous_FIN
+964800451.375687 weird: spontaneous_FIN
+964800455.972346 weird: spontaneous_FIN
+964800460.691333 weird: data_after_reset
+964800460.882450 weird: data_after_reset
+964800461.282399 weird: data_after_reset
+964800461.371887 weird: spontaneous_FIN
+964800462.082309 weird: data_after_reset
+964800463.682135 weird: data_after_reset
+964800466.660580 weird: spontaneous_FIN
+964800467.449130 weird: bad_ICMP_checksum
+964800467.449361 weird: bad_ICMP_checksum
+964800467.449618 weird: bad_ICMP_checksum
+964800467.450881 weird: bad_ICMP_checksum
+964800467.451124 weird: bad_ICMP_checksum
+964800467.451917 weird: bad_ICMP_checksum
+964800468.728574 weird: bad_ICMP_checksum
+964800469.688564 weird: bad_ICMP_checksum
+964800470.648585 weird: bad_ICMP_checksum
+964800471.609011 weird: bad_ICMP_checksum
+964800471.931997 weird: spontaneous_FIN
+964800472.135373 weird: baroque_SYN
+964800472.135678 weird: spontaneous_FIN
+964800472.568625 weird: bad_ICMP_checksum
+964800473.572810 weird: bad_ICMP_checksum
+964800474.528721 weird: bad_ICMP_checksum
+964800475.488903 weird: bad_ICMP_checksum
+964800476.448807 weird: bad_ICMP_checksum
+964800477.112079 weird: spontaneous_FIN
+964800477.728739 weird: bad_ICMP_checksum
+964800478.440675 weird: spontaneous_FIN
+964800478.668948 weird: bad_ICMP_checksum
+964800479.628815 weird: bad_ICMP_checksum
+964800480.544655 weird: bad_ICMP_checksum
+964800481.518712 weird: bad_ICMP_checksum
+964800482.124565 weird: spontaneous_FIN
+964800482.479088 weird: bad_ICMP_checksum
+964800483.164742 weird: connection_originator_SYN_ack
+964800483.184343 weird: spontaneous_FIN
+964800483.204344 weird: spontaneous_FIN
+964800483.759068 weird: bad_ICMP_checksum
+964800484.718942 weird: bad_ICMP_checksum
+964800485.679163 weird: bad_ICMP_checksum
+964800486.639056 weird: bad_ICMP_checksum
+964800487.332714 weird: spontaneous_FIN
+964800487.599116 weird: bad_ICMP_checksum
+964800488.559035 weird: bad_ICMP_checksum
+964800489.519234 weird: bad_ICMP_checksum
+964800490.479132 weird: bad_ICMP_checksum
+964800491.439510 weird: bad_ICMP_checksum
+964800492.662261 weird: spontaneous_FIN
+964800492.719249 weird: bad_ICMP_checksum
+964800493.679113 weird: bad_ICMP_checksum
+964800494.639368 weird: bad_ICMP_checksum
+964800495.599197 weird: bad_ICMP_checksum
+964800496.559379 weird: bad_ICMP_checksum
+964800497.519254 weird: bad_ICMP_checksum
+964800497.684759 weird: spontaneous_FIN
+964800498.479478 weird: bad_ICMP_checksum
+964800499.439309 weird: bad_ICMP_checksum
+964800500.719315 weird: bad_ICMP_checksum
+964800500.967186 weird: spontaneous_FIN
+964800501.679546 weird: bad_ICMP_checksum
+964800501.936549 weird: baroque_SYN
+964800501.939644 weird: spontaneous_FIN
+964800502.639388 weird: bad_ICMP_checksum
+964800502.872929 weird: spontaneous_FIN
+964800503.071990 weird: spontaneous_FIN
+964800503.599578 weird: bad_ICMP_checksum
+964800504.559386 weird: bad_ICMP_checksum
+964800505.519573 weird: bad_ICMP_checksum
+964800506.451349 weird: bad_ICMP_checksum
+964800507.729471 weird: bad_ICMP_checksum
+964800508.132566 weird: spontaneous_FIN
+964800508.679733 weird: bad_ICMP_checksum
+964800509.632398 weird: bad_ICMP_checksum
+964800509.941475 weird: spontaneous_FIN
+964800509.941578 weird: spontaneous_FIN
+964800509.941667 weird: spontaneous_FIN
+964800509.941752 weird: spontaneous_FIN
+964800509.941835 weird: spontaneous_FIN
+964800509.941920 weird: spontaneous_FIN
+964800509.942003 weird: spontaneous_FIN
+964800509.942090 weird: spontaneous_FIN
+964800509.942171 weird: spontaneous_FIN
+964800509.942252 weird: spontaneous_FIN
+964800509.942335 weird: spontaneous_FIN
+964800510.024577 weird: spontaneous_FIN
+964800510.024660 weird: spontaneous_FIN
+964800510.024733 weird: spontaneous_FIN
+964800510.024808 weird: spontaneous_FIN
+964800510.024885 weird: spontaneous_FIN
+964800510.024967 weird: spontaneous_FIN
+964800510.025095 weird: spontaneous_FIN
+964800510.025177 weird: spontaneous_FIN
+964800510.025251 weird: spontaneous_FIN
+964800510.025328 weird: spontaneous_FIN
+964800510.025463 weird: spontaneous_FIN
+964800510.025552 weird: spontaneous_FIN
+964800510.025630 weird: spontaneous_FIN
+964800510.025715 weird: spontaneous_FIN
+964800510.104584 weird: spontaneous_FIN
+964800510.104675 weird: spontaneous_FIN
+964800510.104750 weird: spontaneous_FIN
+964800510.104824 weird: spontaneous_FIN
+964800510.104895 weird: spontaneous_FIN
+964800510.104968 weird: spontaneous_FIN
+964800510.105036 weird: spontaneous_FIN
+964800510.105109 weird: spontaneous_FIN
+964800510.105188 weird: spontaneous_FIN
+964800510.105261 weird: spontaneous_FIN
+964800510.105332 weird: spontaneous_FIN
+964800510.105410 weird: spontaneous_FIN
+964800510.105486 weird: spontaneous_FIN
+964800510.105563 weird: spontaneous_FIN
+964800510.105636 weird: spontaneous_FIN
+964800510.105712 weird: spontaneous_FIN
+964800510.105793 weird: spontaneous_FIN
+964800510.105929 weird: spontaneous_FIN
+964800510.184584 weird: spontaneous_FIN
+964800510.184676 weird: spontaneous_FIN
+964800510.184746 weird: spontaneous_FIN
+964800510.184823 weird: spontaneous_FIN
+964800510.184896 weird: spontaneous_FIN
+964800510.184972 weird: spontaneous_FIN
+964800510.185098 weird: spontaneous_FIN
+964800510.185182 weird: spontaneous_FIN
+964800510.185262 weird: spontaneous_FIN
+964800510.185384 weird: spontaneous_FIN
+964800510.185460 weird: spontaneous_FIN
+964800510.185532 weird: spontaneous_FIN
+964800510.185605 weird: spontaneous_FIN
+964800510.185677 weird: spontaneous_FIN
+964800510.185749 weird: spontaneous_FIN
+964800510.185823 weird: spontaneous_FIN
+964800510.185899 weird: spontaneous_FIN
+964800510.185977 weird: spontaneous_FIN
+964800510.186061 weird: spontaneous_FIN
+964800510.186143 weird: spontaneous_FIN
+964800510.186224 weird: spontaneous_FIN
+964800510.284581 weird: spontaneous_FIN
+964800510.284670 weird: spontaneous_FIN
+964800510.284752 weird: spontaneous_FIN
+964800510.284833 weird: spontaneous_FIN
+964800510.284912 weird: spontaneous_FIN
+964800510.284990 weird: spontaneous_FIN
+964800510.285072 weird: spontaneous_FIN
+964800510.285150 weird: spontaneous_FIN
+964800510.285226 weird: spontaneous_FIN
+964800510.285307 weird: spontaneous_FIN
+964800510.285383 weird: spontaneous_FIN
+964800510.285464 weird: spontaneous_FIN
+964800510.285544 weird: spontaneous_FIN
+964800510.285622 weird: spontaneous_FIN
+964800510.285701 weird: spontaneous_FIN
+964800510.285777 weird: spontaneous_FIN
+964800510.285852 weird: spontaneous_FIN
+964800510.285927 weird: spontaneous_FIN
+964800510.364589 weird: spontaneous_FIN
+964800510.364671 weird: spontaneous_FIN
+964800510.364743 weird: spontaneous_FIN
+964800510.364816 weird: spontaneous_FIN
+964800510.364891 weird: spontaneous_FIN
+964800510.364966 weird: spontaneous_FIN
+964800510.365102 weird: spontaneous_FIN
+964800510.365181 weird: spontaneous_FIN
+964800510.365254 weird: spontaneous_FIN
+964800510.365329 weird: spontaneous_FIN
+964800510.365452 weird: spontaneous_FIN
+964800510.365531 weird: spontaneous_FIN
+964800510.365708 weird: spontaneous_FIN
+964800510.365846 weird: spontaneous_FIN
+964800510.365934 weird: spontaneous_FIN
+964800510.366006 weird: spontaneous_FIN
+964800510.444584 weird: spontaneous_FIN
+964800510.444667 weird: spontaneous_FIN
+964800510.444734 weird: spontaneous_FIN
+964800510.444810 weird: spontaneous_FIN
+964800510.444882 weird: spontaneous_FIN
+964800510.444959 weird: spontaneous_FIN
+964800510.445032 weird: spontaneous_FIN
+964800510.445167 weird: spontaneous_FIN
+964800510.445245 weird: spontaneous_FIN
+964800510.445319 weird: spontaneous_FIN
+964800510.445394 weird: spontaneous_FIN
+964800510.445516 weird: spontaneous_FIN
+964800510.445591 weird: spontaneous_FIN
+964800510.445665 weird: spontaneous_FIN
+964800510.445739 weird: spontaneous_FIN
+964800510.445814 weird: spontaneous_FIN
+964800510.445886 weird: spontaneous_FIN
+964800510.445966 weird: spontaneous_FIN
+964800510.446041 weird: spontaneous_FIN
+964800510.524588 weird: spontaneous_FIN
+964800510.524671 weird: spontaneous_FIN
+964800510.524745 weird: spontaneous_FIN
+964800510.524819 weird: spontaneous_FIN
+964800510.524894 weird: spontaneous_FIN
+964800510.524963 weird: spontaneous_FIN
+964800510.525038 weird: spontaneous_FIN
+964800510.525114 weird: spontaneous_FIN
+964800510.525185 weird: spontaneous_FIN
+964800510.525268 weird: spontaneous_FIN
+964800510.525402 weird: spontaneous_FIN
+964800510.525549 weird: spontaneous_FIN
+964800510.525729 weird: spontaneous_FIN
+964800510.525809 weird: spontaneous_FIN
+964800510.525882 weird: spontaneous_FIN
+964800510.525954 weird: spontaneous_FIN
+964800510.526024 weird: spontaneous_FIN
+964800510.526105 weird: spontaneous_FIN
+964800510.526187 weird: spontaneous_FIN
+964800510.526263 weird: spontaneous_FIN
+964800510.526341 weird: spontaneous_FIN
+964800510.526425 weird: spontaneous_FIN
+964800510.526503 weird: spontaneous_FIN
+964800510.589810 weird: bad_ICMP_checksum
+964800510.624593 weird: spontaneous_FIN
+964800510.624684 weird: spontaneous_FIN
+964800510.624758 weird: spontaneous_FIN
+964800510.624829 weird: spontaneous_FIN
+964800510.624901 weird: spontaneous_FIN
+964800510.624969 weird: spontaneous_FIN
+964800510.625040 weird: spontaneous_FIN
+964800510.625109 weird: spontaneous_FIN
+964800510.625181 weird: spontaneous_FIN
+964800510.625255 weird: spontaneous_FIN
+964800510.625331 weird: spontaneous_FIN
+964800510.625410 weird: spontaneous_FIN
+964800510.625481 weird: spontaneous_FIN
+964800510.625558 weird: spontaneous_FIN
+964800510.625632 weird: spontaneous_FIN
+964800510.625707 weird: spontaneous_FIN
+964800510.625783 weird: spontaneous_FIN
+964800510.625859 weird: spontaneous_FIN
+964800510.625932 weird: spontaneous_FIN
+964800510.626004 weird: spontaneous_FIN
+964800510.626079 weird: spontaneous_FIN
+964800510.626152 weird: spontaneous_FIN
+964800510.626233 weird: spontaneous_FIN
+964800510.626309 weird: spontaneous_FIN
+964800510.626387 weird: spontaneous_FIN
+964800510.626462 weird: spontaneous_FIN
+964800510.724590 weird: spontaneous_FIN
+964800510.724686 weird: spontaneous_FIN
+964800510.724764 weird: spontaneous_FIN
+964800510.724838 weird: spontaneous_FIN
+964800510.724910 weird: spontaneous_FIN
+964800510.724984 weird: spontaneous_FIN
+964800510.725055 weird: spontaneous_FIN
+964800510.725127 weird: spontaneous_FIN
+964800510.725205 weird: spontaneous_FIN
+964800510.725353 weird: spontaneous_FIN
+964800510.725467 weird: spontaneous_FIN
+964800510.725605 weird: spontaneous_FIN
+964800510.725678 weird: spontaneous_FIN
+964800510.725752 weird: spontaneous_FIN
+964800510.725825 weird: spontaneous_FIN
+964800510.725898 weird: spontaneous_FIN
+964800510.725977 weird: spontaneous_FIN
+964800510.726058 weird: spontaneous_FIN
+964800510.726138 weird: spontaneous_FIN
+964800510.726223 weird: spontaneous_FIN
+964800510.726298 weird: spontaneous_FIN
+964800510.726377 weird: spontaneous_FIN
+964800510.726454 weird: spontaneous_FIN
+964800510.824594 weird: spontaneous_FIN
+964800510.824684 weird: spontaneous_FIN
+964800510.824766 weird: spontaneous_FIN
+964800510.824846 weird: spontaneous_FIN
+964800510.824928 weird: spontaneous_FIN
+964800510.825022 weird: spontaneous_FIN
+964800510.825103 weird: spontaneous_FIN
+964800510.825186 weird: spontaneous_FIN
+964800510.825264 weird: spontaneous_FIN
+964800510.825346 weird: spontaneous_FIN
+964800510.825429 weird: spontaneous_FIN
+964800510.825513 weird: spontaneous_FIN
+964800510.825590 weird: spontaneous_FIN
+964800510.825670 weird: spontaneous_FIN
+964800510.825750 weird: spontaneous_FIN
+964800510.825832 weird: spontaneous_FIN
+964800510.825911 weird: spontaneous_FIN
+964800510.825993 weird: spontaneous_FIN
+964800510.826074 weird: spontaneous_FIN
+964800510.826153 weird: spontaneous_FIN
+964800510.826239 weird: spontaneous_FIN
+964800510.826378 weird: spontaneous_FIN
+964800510.826520 weird: spontaneous_FIN
+964800510.826752 weird: spontaneous_FIN
+964800510.826895 weird: spontaneous_FIN
+964800510.826979 weird: spontaneous_FIN
+964800510.827061 weird: spontaneous_FIN
+964800510.924602 weird: spontaneous_FIN
+964800510.924690 weird: spontaneous_FIN
+964800510.924787 weird: spontaneous_FIN
+964800510.924862 weird: spontaneous_FIN
+964800510.924940 weird: spontaneous_FIN
+964800510.925018 weird: spontaneous_FIN
+964800510.925100 weird: spontaneous_FIN
+964800510.925184 weird: spontaneous_FIN
+964800510.925255 weird: spontaneous_FIN
+964800510.925338 weird: spontaneous_FIN
+964800510.925421 weird: spontaneous_FIN
+964800510.925503 weird: spontaneous_FIN
+964800510.925581 weird: spontaneous_FIN
+964800510.925659 weird: spontaneous_FIN
+964800511.004590 weird: spontaneous_FIN
+964800511.004672 weird: spontaneous_FIN
+964800511.004745 weird: spontaneous_FIN
+964800511.004817 weird: spontaneous_FIN
+964800511.004898 weird: spontaneous_FIN
+964800511.004979 weird: spontaneous_FIN
+964800511.005058 weird: spontaneous_FIN
+964800511.005136 weird: spontaneous_FIN
+964800511.005219 weird: spontaneous_FIN
+964800511.005305 weird: spontaneous_FIN
+964800511.005400 weird: spontaneous_FIN
+964800511.005544 weird: spontaneous_FIN
+964800511.005687 weird: spontaneous_FIN
+964800511.084597 weird: spontaneous_FIN
+964800511.084686 weird: spontaneous_FIN
+964800511.084768 weird: spontaneous_FIN
+964800511.084847 weird: spontaneous_FIN
+964800511.084922 weird: spontaneous_FIN
+964800511.085007 weird: spontaneous_FIN
+964800511.085091 weird: spontaneous_FIN
+964800511.085170 weird: spontaneous_FIN
+964800511.085251 weird: spontaneous_FIN
+964800511.085328 weird: spontaneous_FIN
+964800511.085416 weird: spontaneous_FIN
+964800511.085556 weird: spontaneous_FIN
+964800511.085720 weird: spontaneous_FIN
+964800511.085828 weird: spontaneous_FIN
+964800511.097763 weird: spontaneous_FIN
+964800511.097868 weird: spontaneous_FIN
+964800511.194607 weird: spontaneous_FIN
+964800511.194696 weird: spontaneous_FIN
+964800511.194767 weird: spontaneous_FIN
+964800511.194843 weird: spontaneous_FIN
+964800511.194919 weird: spontaneous_FIN
+964800511.195010 weird: spontaneous_FIN
+964800511.195144 weird: spontaneous_FIN
+964800511.195230 weird: spontaneous_FIN
+964800511.195308 weird: spontaneous_FIN
+964800511.195439 weird: spontaneous_FIN
+964800511.195527 weird: spontaneous_FIN
+964800511.195604 weird: spontaneous_FIN
+964800511.195729 weird: spontaneous_FIN
+964800511.195868 weird: spontaneous_FIN
+964800511.195954 weird: spontaneous_FIN
+964800511.196043 weird: spontaneous_FIN
+964800511.196128 weird: spontaneous_FIN
+964800511.196207 weird: spontaneous_FIN
+964800511.196288 weird: spontaneous_FIN
+964800511.274598 weird: spontaneous_FIN
+964800511.274694 weird: spontaneous_FIN
+964800511.274771 weird: spontaneous_FIN
+964800511.274853 weird: spontaneous_FIN
+964800511.274935 weird: spontaneous_FIN
+964800511.275017 weird: spontaneous_FIN
+964800511.275158 weird: spontaneous_FIN
+964800511.275236 weird: spontaneous_FIN
+964800511.275311 weird: spontaneous_FIN
+964800511.275387 weird: spontaneous_FIN
+964800511.275465 weird: spontaneous_FIN
+964800511.275544 weird: spontaneous_FIN
+964800511.275621 weird: spontaneous_FIN
+964800511.275700 weird: spontaneous_FIN
+964800511.275783 weird: spontaneous_FIN
+964800511.275863 weird: spontaneous_FIN
+964800511.275942 weird: spontaneous_FIN
+964800511.276017 weird: spontaneous_FIN
+964800511.276098 weird: spontaneous_FIN
+964800511.276179 weird: spontaneous_FIN
+964800511.276254 weird: spontaneous_FIN
+964800511.276337 weird: spontaneous_FIN
+964800511.276415 weird: spontaneous_FIN
+964800511.364592 weird: spontaneous_FIN
+964800511.364677 weird: spontaneous_FIN
+964800511.364757 weird: spontaneous_FIN
+964800511.364834 weird: spontaneous_FIN
+964800511.364909 weird: spontaneous_FIN
+964800511.364997 weird: spontaneous_FIN
+964800511.365136 weird: spontaneous_FIN
+964800511.365215 weird: spontaneous_FIN
+964800511.365296 weird: spontaneous_FIN
+964800511.365375 weird: spontaneous_FIN
+964800511.365452 weird: spontaneous_FIN
+964800511.365537 weird: spontaneous_FIN
+964800511.365616 weird: spontaneous_FIN
+964800511.365695 weird: spontaneous_FIN
+964800511.365769 weird: spontaneous_FIN
+964800511.365846 weird: spontaneous_FIN
+964800511.365976 weird: spontaneous_FIN
+964800511.366059 weird: spontaneous_FIN
+964800511.366146 weird: spontaneous_FIN
+964800511.366231 weird: spontaneous_FIN
+964800511.366449 weird: spontaneous_FIN
+964800511.368155 weird: spontaneous_FIN
+964800511.454597 weird: spontaneous_FIN
+964800511.454683 weird: spontaneous_FIN
+964800511.454764 weird: spontaneous_FIN
+964800511.454846 weird: spontaneous_FIN
+964800511.454924 weird: spontaneous_FIN
+964800511.455003 weird: spontaneous_FIN
+964800511.455139 weird: spontaneous_FIN
+964800511.455226 weird: spontaneous_FIN
+964800511.455313 weird: spontaneous_FIN
+964800511.455391 weird: spontaneous_FIN
+964800511.455529 weird: spontaneous_FIN
+964800511.455608 weird: spontaneous_FIN
+964800511.455686 weird: spontaneous_FIN
+964800511.534587 weird: spontaneous_FIN
+964800511.534672 weird: spontaneous_FIN
+964800511.534748 weird: spontaneous_FIN
+964800511.534828 weird: spontaneous_FIN
+964800511.534905 weird: spontaneous_FIN
+964800511.534992 weird: spontaneous_FIN
+964800511.535131 weird: spontaneous_FIN
+964800511.535216 weird: spontaneous_FIN
+964800511.535296 weird: spontaneous_FIN
+964800511.535433 weird: spontaneous_FIN
+964800511.535521 weird: spontaneous_FIN
+964800511.535597 weird: spontaneous_FIN
+964800511.535679 weird: spontaneous_FIN
+964800511.535754 weird: spontaneous_FIN
+964800511.535832 weird: spontaneous_FIN
+964800511.535913 weird: spontaneous_FIN
+964800511.535995 weird: spontaneous_FIN
+964800511.549586 weird: bad_ICMP_checksum
+964800511.634593 weird: spontaneous_FIN
+964800511.634680 weird: spontaneous_FIN
+964800511.634754 weird: spontaneous_FIN
+964800511.634838 weird: spontaneous_FIN
+964800511.634923 weird: spontaneous_FIN
+964800511.635002 weird: spontaneous_FIN
+964800511.635146 weird: spontaneous_FIN
+964800511.635225 weird: spontaneous_FIN
+964800511.635302 weird: spontaneous_FIN
+964800511.635392 weird: spontaneous_FIN
+964800511.635518 weird: spontaneous_FIN
+964800511.635609 weird: spontaneous_FIN
+964800511.635689 weird: spontaneous_FIN
+964800511.635773 weird: spontaneous_FIN
+964800511.635854 weird: spontaneous_FIN
+964800511.635938 weird: spontaneous_FIN
+964800511.636019 weird: spontaneous_FIN
+964800511.636103 weird: spontaneous_FIN
+964800511.636184 weird: spontaneous_FIN
+964800511.636268 weird: spontaneous_FIN
+964800511.724593 weird: spontaneous_FIN
+964800511.724681 weird: spontaneous_FIN
+964800511.724753 weird: spontaneous_FIN
+964800511.724826 weird: spontaneous_FIN
+964800511.724906 weird: spontaneous_FIN
+964800511.724983 weird: spontaneous_FIN
+964800511.725062 weird: spontaneous_FIN
+964800511.725139 weird: spontaneous_FIN
+964800511.725213 weird: spontaneous_FIN
+964800511.725292 weird: spontaneous_FIN
+964800511.725377 weird: spontaneous_FIN
+964800511.725514 weird: spontaneous_FIN
+964800511.725594 weird: spontaneous_FIN
+964800511.725674 weird: spontaneous_FIN
+964800511.725885 weird: spontaneous_FIN
+964800511.726038 weird: spontaneous_FIN
+964800511.726122 weird: spontaneous_FIN
+964800511.726200 weird: spontaneous_FIN
+964800511.726328 weird: spontaneous_FIN
+964800511.726413 weird: spontaneous_FIN
+964800511.726587 weird: spontaneous_FIN
+964800511.726751 weird: spontaneous_FIN
+964800511.726904 weird: spontaneous_FIN
+964800511.726994 weird: spontaneous_FIN
+964800511.824599 weird: spontaneous_FIN
+964800511.824688 weird: spontaneous_FIN
+964800511.824765 weird: spontaneous_FIN
+964800511.824844 weird: spontaneous_FIN
+964800511.824915 weird: spontaneous_FIN
+964800511.824994 weird: spontaneous_FIN
+964800511.825065 weird: spontaneous_FIN
+964800511.825133 weird: spontaneous_FIN
+964800511.825206 weird: spontaneous_FIN
+964800511.825283 weird: spontaneous_FIN
+964800511.825428 weird: spontaneous_FIN
+964800511.825521 weird: spontaneous_FIN
+964800511.825643 weird: spontaneous_FIN
+964800511.825727 weird: spontaneous_FIN
+964800511.825815 weird: spontaneous_FIN
+964800511.825905 weird: spontaneous_FIN
+964800511.825989 weird: spontaneous_FIN
+964800511.826071 weird: spontaneous_FIN
+964800511.826158 weird: spontaneous_FIN
+964800511.826296 weird: spontaneous_FIN
+964800511.826377 weird: spontaneous_FIN
+964800511.826462 weird: spontaneous_FIN
+964800511.826546 weird: spontaneous_FIN
+964800511.826627 weird: spontaneous_FIN
+964800511.826709 weird: spontaneous_FIN
+964800511.826799 weird: spontaneous_FIN
+964800511.826884 weird: spontaneous_FIN
+964800511.826967 weird: spontaneous_FIN
+964800511.924606 weird: spontaneous_FIN
+964800511.924696 weird: spontaneous_FIN
+964800511.924778 weird: spontaneous_FIN
+964800511.924853 weird: spontaneous_FIN
+964800511.924928 weird: spontaneous_FIN
+964800511.925012 weird: spontaneous_FIN
+964800511.925092 weird: spontaneous_FIN
+964800511.925166 weird: spontaneous_FIN
+964800511.925247 weird: spontaneous_FIN
+964800511.925327 weird: spontaneous_FIN
+964800511.925411 weird: spontaneous_FIN
+964800511.925568 weird: spontaneous_FIN
+964800511.925753 weird: spontaneous_FIN
+964800511.925844 weird: spontaneous_FIN
+964800511.925931 weird: spontaneous_FIN
+964800511.926017 weird: spontaneous_FIN
+964800511.926094 weird: spontaneous_FIN
+964800511.926175 weird: spontaneous_FIN
+964800511.926256 weird: spontaneous_FIN
+964800511.926335 weird: spontaneous_FIN
+964800511.926464 weird: spontaneous_FIN
+964800511.926547 weird: spontaneous_FIN
+964800511.926625 weird: spontaneous_FIN
+964800511.926701 weird: spontaneous_FIN
+964800511.926781 weird: spontaneous_FIN
+964800511.926858 weird: spontaneous_FIN
+964800511.926936 weird: spontaneous_FIN
+964800511.927017 weird: spontaneous_FIN
+964800511.927096 weird: spontaneous_FIN
+964800511.927174 weird: spontaneous_FIN
+964800511.927255 weird: spontaneous_FIN
+964800512.024603 weird: spontaneous_FIN
+964800512.024693 weird: spontaneous_FIN
+964800512.024772 weird: spontaneous_FIN
+964800512.024851 weird: spontaneous_FIN
+964800512.024927 weird: spontaneous_FIN
+964800512.025002 weird: spontaneous_FIN
+964800512.025079 weird: spontaneous_FIN
+964800512.025156 weird: spontaneous_FIN
+964800512.025232 weird: spontaneous_FIN
+964800512.025310 weird: spontaneous_FIN
+964800512.025395 weird: spontaneous_FIN
+964800512.025477 weird: spontaneous_FIN
+964800512.025555 weird: spontaneous_FIN
+964800512.025633 weird: spontaneous_FIN
+964800512.025710 weird: spontaneous_FIN
+964800512.025789 weird: spontaneous_FIN
+964800512.025868 weird: spontaneous_FIN
+964800512.025951 weird: spontaneous_FIN
+964800512.026032 weird: spontaneous_FIN
+964800512.026118 weird: spontaneous_FIN
+964800512.026204 weird: spontaneous_FIN
+964800512.026294 weird: spontaneous_FIN
+964800512.026380 weird: spontaneous_FIN
+964800512.026459 weird: spontaneous_FIN
+964800512.124598 weird: spontaneous_FIN
+964800512.124687 weird: spontaneous_FIN
+964800512.124764 weird: spontaneous_FIN
+964800512.124842 weird: spontaneous_FIN
+964800512.124919 weird: spontaneous_FIN
+964800512.124992 weird: spontaneous_FIN
+964800512.125130 weird: spontaneous_FIN
+964800512.204612 weird: spontaneous_FIN
+964800512.204700 weird: spontaneous_FIN
+964800512.204774 weird: spontaneous_FIN
+964800512.204850 weird: spontaneous_FIN
+964800512.204930 weird: spontaneous_FIN
+964800512.205001 weird: spontaneous_FIN
+964800512.205074 weird: spontaneous_FIN
+964800512.205147 weird: spontaneous_FIN
+964800512.205224 weird: spontaneous_FIN
+964800512.205304 weird: spontaneous_FIN
+964800512.284596 weird: spontaneous_FIN
+964800512.284682 weird: spontaneous_FIN
+964800512.284760 weird: spontaneous_FIN
+964800512.284836 weird: spontaneous_FIN
+964800512.284911 weird: spontaneous_FIN
+964800512.284985 weird: spontaneous_FIN
+964800512.285118 weird: spontaneous_FIN
+964800512.285197 weird: spontaneous_FIN
+964800512.285273 weird: spontaneous_FIN
+964800512.285399 weird: spontaneous_FIN
+964800512.285513 weird: spontaneous_FIN
+964800512.285658 weird: spontaneous_FIN
+964800512.285732 weird: spontaneous_FIN
+964800512.374597 weird: spontaneous_FIN
+964800512.374680 weird: spontaneous_FIN
+964800512.374753 weird: spontaneous_FIN
+964800512.374828 weird: spontaneous_FIN
+964800512.374908 weird: spontaneous_FIN
+964800512.374998 weird: spontaneous_FIN
+964800512.375125 weird: spontaneous_FIN
+964800512.375203 weird: spontaneous_FIN
+964800512.375274 weird: spontaneous_FIN
+964800512.375352 weird: spontaneous_FIN
+964800512.375489 weird: spontaneous_FIN
+964800512.375663 weird: spontaneous_FIN
+964800512.375774 weird: spontaneous_FIN
+964800512.375881 weird: spontaneous_FIN
+964800512.375959 weird: spontaneous_FIN
+964800512.376037 weird: spontaneous_FIN
+964800512.376111 weird: spontaneous_FIN
+964800512.464598 weird: spontaneous_FIN
+964800512.464686 weird: spontaneous_FIN
+964800512.464757 weird: spontaneous_FIN
+964800512.464830 weird: spontaneous_FIN
+964800512.464905 weird: spontaneous_FIN
+964800512.464979 weird: spontaneous_FIN
+964800512.465114 weird: spontaneous_FIN
+964800512.465194 weird: spontaneous_FIN
+964800512.465266 weird: spontaneous_FIN
+964800512.465343 weird: spontaneous_FIN
+964800512.465469 weird: spontaneous_FIN
+964800512.465603 weird: spontaneous_FIN
+964800512.465725 weird: spontaneous_FIN
+964800512.465800 weird: spontaneous_FIN
+964800512.465877 weird: spontaneous_FIN
+964800512.465955 weird: spontaneous_FIN
+964800512.466032 weird: spontaneous_FIN
+964800512.466109 weird: spontaneous_FIN
+964800512.466187 weird: spontaneous_FIN
+964800512.466267 weird: spontaneous_FIN
+964800512.466346 weird: spontaneous_FIN
+964800512.489837 weird: bad_ICMP_checksum
+964800512.564601 weird: spontaneous_FIN
+964800512.564691 weird: spontaneous_FIN
+964800512.564771 weird: spontaneous_FIN
+964800512.564857 weird: spontaneous_FIN
+964800512.564933 weird: spontaneous_FIN
+964800512.565006 weird: spontaneous_FIN
+964800512.565135 weird: spontaneous_FIN
+964800512.565217 weird: spontaneous_FIN
+964800512.565290 weird: spontaneous_FIN
+964800512.565368 weird: spontaneous_FIN
+964800512.565491 weird: spontaneous_FIN
+964800512.565569 weird: spontaneous_FIN
+964800512.565708 weird: spontaneous_FIN
+964800512.565829 weird: spontaneous_FIN
+964800512.565908 weird: spontaneous_FIN
+964800512.565989 weird: spontaneous_FIN
+964800512.566068 weird: spontaneous_FIN
+964800512.566149 weird: spontaneous_FIN
+964800512.566224 weird: spontaneous_FIN
+964800512.566305 weird: spontaneous_FIN
+964800512.566386 weird: spontaneous_FIN
+964800512.566463 weird: spontaneous_FIN
+964800512.566542 weird: spontaneous_FIN
+964800512.566625 weird: spontaneous_FIN
+964800512.664607 weird: spontaneous_FIN
+964800512.664694 weird: spontaneous_FIN
+964800512.664772 weird: spontaneous_FIN
+964800512.664850 weird: spontaneous_FIN
+964800512.664929 weird: spontaneous_FIN
+964800512.665029 weird: spontaneous_FIN
+964800512.665150 weird: spontaneous_FIN
+964800512.665236 weird: spontaneous_FIN
+964800512.665313 weird: spontaneous_FIN
+964800512.665443 weird: spontaneous_FIN
+964800512.665523 weird: spontaneous_FIN
+964800512.665699 weird: spontaneous_FIN
+964800512.665784 weird: spontaneous_FIN
+964800512.665856 weird: spontaneous_FIN
+964800512.665934 weird: spontaneous_FIN
+964800512.666012 weird: spontaneous_FIN
+964800512.744602 weird: spontaneous_FIN
+964800512.744692 weird: spontaneous_FIN
+964800512.744770 weird: spontaneous_FIN
+964800512.744843 weird: spontaneous_FIN
+964800512.744918 weird: spontaneous_FIN
+964800512.744993 weird: spontaneous_FIN
+964800512.745138 weird: spontaneous_FIN
+964800512.745219 weird: spontaneous_FIN
+964800512.745302 weird: spontaneous_FIN
+964800512.745425 weird: spontaneous_FIN
+964800512.745504 weird: spontaneous_FIN
+964800512.745580 weird: spontaneous_FIN
+964800512.745722 weird: spontaneous_FIN
+964800512.745840 weird: spontaneous_FIN
+964800512.745927 weird: spontaneous_FIN
+964800512.746037 weird: spontaneous_FIN
+964800512.746121 weird: spontaneous_FIN
+964800512.746193 weird: spontaneous_FIN
+964800512.746267 weird: spontaneous_FIN
+964800512.746384 weird: spontaneous_FIN
+964800512.824604 weird: spontaneous_FIN
+964800512.824687 weird: spontaneous_FIN
+964800512.824765 weird: spontaneous_FIN
+964800512.824843 weird: spontaneous_FIN
+964800512.824918 weird: spontaneous_FIN
+964800512.824993 weird: spontaneous_FIN
+964800512.825127 weird: spontaneous_FIN
+964800512.825212 weird: spontaneous_FIN
+964800512.825293 weird: spontaneous_FIN
+964800512.825377 weird: spontaneous_FIN
+964800512.825496 weird: spontaneous_FIN
+964800512.825640 weird: spontaneous_FIN
+964800512.825799 weird: spontaneous_FIN
+964800512.825878 weird: spontaneous_FIN
+964800512.825953 weird: spontaneous_FIN
+964800512.826032 weird: spontaneous_FIN
+964800512.826109 weird: spontaneous_FIN
+964800512.826188 weird: spontaneous_FIN
+964800512.826315 weird: spontaneous_FIN
+964800512.826391 weird: spontaneous_FIN
+964800512.826468 weird: spontaneous_FIN
+964800512.826547 weird: spontaneous_FIN
+964800512.826629 weird: spontaneous_FIN
+964800512.826710 weird: spontaneous_FIN
+964800512.924602 weird: spontaneous_FIN
+964800512.924687 weird: spontaneous_FIN
+964800512.924767 weird: spontaneous_FIN
+964800512.924843 weird: spontaneous_FIN
+964800512.924919 weird: spontaneous_FIN
+964800512.924995 weird: spontaneous_FIN
+964800512.925127 weird: spontaneous_FIN
+964800512.925201 weird: spontaneous_FIN
+964800512.925275 weird: spontaneous_FIN
+964800512.925399 weird: spontaneous_FIN
+964800512.925482 weird: spontaneous_FIN
+964800512.925556 weird: spontaneous_FIN
+964800512.925631 weird: spontaneous_FIN
+964800512.925706 weird: spontaneous_FIN
+964800512.925785 weird: spontaneous_FIN
+964800512.925859 weird: spontaneous_FIN
+964800512.925969 weird: spontaneous_FIN
+964800512.926258 weird: spontaneous_FIN
+964800512.926414 weird: spontaneous_FIN
+964800512.926493 weird: spontaneous_FIN
+964800512.926573 weird: spontaneous_FIN
+964800512.926654 weird: spontaneous_FIN
+964800512.926740 weird: spontaneous_FIN
+964800512.926829 weird: spontaneous_FIN
+964800512.927003 weird: spontaneous_FIN
+964800512.927096 weird: spontaneous_FIN
+964800512.927177 weird: spontaneous_FIN
+964800513.008586 weird: spontaneous_FIN
+964800513.008670 weird: spontaneous_FIN
+964800513.008751 weird: spontaneous_FIN
+964800513.008822 weird: spontaneous_FIN
+964800513.008898 weird: spontaneous_FIN
+964800513.008981 weird: spontaneous_FIN
+964800513.009117 weird: spontaneous_FIN
+964800513.009202 weird: spontaneous_FIN
+964800513.009281 weird: spontaneous_FIN
+964800513.009416 weird: spontaneous_FIN
+964800513.009494 weird: spontaneous_FIN
+964800513.009570 weird: spontaneous_FIN
+964800513.009644 weird: spontaneous_FIN
+964800513.009718 weird: spontaneous_FIN
+964800513.009790 weird: spontaneous_FIN
+964800513.009869 weird: spontaneous_FIN
+964800513.009989 weird: spontaneous_FIN
+964800513.010071 weird: spontaneous_FIN
+964800513.010148 weird: spontaneous_FIN
+964800513.010222 weird: spontaneous_FIN
+964800513.010295 weird: spontaneous_FIN
+964800513.010370 weird: spontaneous_FIN
+964800513.010443 weird: spontaneous_FIN
+964800513.010518 weird: spontaneous_FIN
+964800513.010594 weird: spontaneous_FIN
+964800513.010669 weird: spontaneous_FIN
+964800513.010746 weird: spontaneous_FIN
+964800513.010823 weird: spontaneous_FIN
+964800513.010896 weird: spontaneous_FIN
+964800513.010973 weird: spontaneous_FIN
+964800513.011046 weird: spontaneous_FIN
+964800513.104600 weird: spontaneous_FIN
+964800513.104688 weird: spontaneous_FIN
+964800513.104764 weird: spontaneous_FIN
+964800513.104848 weird: spontaneous_FIN
+964800513.104922 weird: spontaneous_FIN
+964800513.104998 weird: spontaneous_FIN
+964800513.105075 weird: spontaneous_FIN
+964800513.105158 weird: spontaneous_FIN
+964800513.105236 weird: spontaneous_FIN
+964800513.105315 weird: spontaneous_FIN
+964800513.105393 weird: spontaneous_FIN
+964800513.105538 weird: spontaneous_FIN
+964800513.105619 weird: spontaneous_FIN
+964800513.105703 weird: spontaneous_FIN
+964800513.105830 weird: spontaneous_FIN
+964800513.105919 weird: spontaneous_FIN
+964800513.106034 weird: spontaneous_FIN
+964800513.106114 weird: spontaneous_FIN
+964800513.106188 weird: spontaneous_FIN
+964800513.106260 weird: spontaneous_FIN
+964800513.106335 weird: spontaneous_FIN
+964800513.106406 weird: spontaneous_FIN
+964800513.106479 weird: spontaneous_FIN
+964800513.106553 weird: spontaneous_FIN
+964800513.106621 weird: spontaneous_FIN
+964800513.106697 weird: spontaneous_FIN
+964800513.106769 weird: spontaneous_FIN
+964800513.106847 weird: spontaneous_FIN
+964800513.106920 weird: spontaneous_FIN
+964800513.106992 weird: spontaneous_FIN
+964800513.107064 weird: spontaneous_FIN
+964800513.107139 weird: spontaneous_FIN
+964800513.107211 weird: spontaneous_FIN
+964800513.107286 weird: spontaneous_FIN
+964800513.107359 weird: spontaneous_FIN
+964800513.204615 weird: spontaneous_FIN
+964800513.204702 weird: spontaneous_FIN
+964800513.204781 weird: spontaneous_FIN
+964800513.204859 weird: spontaneous_FIN
+964800513.204934 weird: spontaneous_FIN
+964800513.205008 weird: spontaneous_FIN
+964800513.205084 weird: spontaneous_FIN
+964800513.205159 weird: spontaneous_FIN
+964800513.205303 weird: spontaneous_FIN
+964800513.205380 weird: spontaneous_FIN
+964800513.205455 weird: spontaneous_FIN
+964800513.205531 weird: spontaneous_FIN
+964800513.205602 weird: spontaneous_FIN
+964800513.205675 weird: spontaneous_FIN
+964800513.205748 weird: spontaneous_FIN
+964800513.205824 weird: spontaneous_FIN
+964800513.205945 weird: spontaneous_FIN
+964800513.206033 weird: spontaneous_FIN
+964800513.206110 weird: spontaneous_FIN
+964800513.206188 weird: spontaneous_FIN
+964800513.206266 weird: spontaneous_FIN
+964800513.206343 weird: spontaneous_FIN
+964800513.206418 weird: spontaneous_FIN
+964800513.206498 weird: spontaneous_FIN
+964800513.206572 weird: spontaneous_FIN
+964800513.206646 weird: spontaneous_FIN
+964800513.206725 weird: spontaneous_FIN
+964800513.206805 weird: spontaneous_FIN
+964800513.206882 weird: spontaneous_FIN
+964800513.304617 weird: spontaneous_FIN
+964800513.304706 weird: spontaneous_FIN
+964800513.304787 weird: spontaneous_FIN
+964800513.304867 weird: spontaneous_FIN
+964800513.304939 weird: spontaneous_FIN
+964800513.305016 weird: spontaneous_FIN
+964800513.305164 weird: spontaneous_FIN
+964800513.305248 weird: spontaneous_FIN
+964800513.305327 weird: spontaneous_FIN
+964800513.305409 weird: spontaneous_FIN
+964800513.305492 weird: spontaneous_FIN
+964800513.305619 weird: spontaneous_FIN
+964800513.305695 weird: spontaneous_FIN
+964800513.305775 weird: spontaneous_FIN
+964800513.344695 weird: spontaneous_FIN
+964800513.384602 weird: spontaneous_FIN
+964800513.384691 weird: spontaneous_FIN
+964800513.384769 weird: spontaneous_FIN
+964800513.384844 weird: spontaneous_FIN
+964800513.384923 weird: spontaneous_FIN
+964800513.385008 weird: spontaneous_FIN
+964800513.385088 weird: spontaneous_FIN
+964800513.449625 weird: bad_ICMP_checksum
+964800513.464623 weird: spontaneous_FIN
+964800513.464716 weird: spontaneous_FIN
+964800513.464795 weird: spontaneous_FIN
+964800513.464877 weird: spontaneous_FIN
+964800513.464951 weird: spontaneous_FIN
+964800513.465033 weird: spontaneous_FIN
+964800513.465171 weird: spontaneous_FIN
+964800513.465254 weird: spontaneous_FIN
+964800513.465337 weird: spontaneous_FIN
+964800513.465466 weird: spontaneous_FIN
+964800513.544603 weird: spontaneous_FIN
+964800513.544686 weird: spontaneous_FIN
+964800513.544756 weird: spontaneous_FIN
+964800513.544828 weird: spontaneous_FIN
+964800513.544904 weird: spontaneous_FIN
+964800513.544979 weird: spontaneous_FIN
+964800513.545118 weird: spontaneous_FIN
+964800513.545194 weird: spontaneous_FIN
+964800513.545269 weird: spontaneous_FIN
+964800513.545345 weird: spontaneous_FIN
+964800513.545475 weird: spontaneous_FIN
+964800513.545549 weird: spontaneous_FIN
+964800513.545625 weird: spontaneous_FIN
+964800513.624601 weird: spontaneous_FIN
+964800513.624694 weird: spontaneous_FIN
+964800513.624772 weird: spontaneous_FIN
+964800513.624853 weird: spontaneous_FIN
+964800513.624929 weird: spontaneous_FIN
+964800513.625003 weird: spontaneous_FIN
+964800513.625136 weird: spontaneous_FIN
+964800513.625217 weird: spontaneous_FIN
+964800513.625293 weird: spontaneous_FIN
+964800513.625376 weird: spontaneous_FIN
+964800513.625458 weird: spontaneous_FIN
+964800513.625580 weird: spontaneous_FIN
+964800513.625659 weird: spontaneous_FIN
+964800513.625730 weird: spontaneous_FIN
+964800513.625806 weird: spontaneous_FIN
+964800513.625880 weird: spontaneous_FIN
+964800513.625951 weird: spontaneous_FIN
+964800513.704602 weird: spontaneous_FIN
+964800513.704693 weird: spontaneous_FIN
+964800513.704767 weird: spontaneous_FIN
+964800513.704840 weird: spontaneous_FIN
+964800513.704913 weird: spontaneous_FIN
+964800513.704989 weird: spontaneous_FIN
+964800513.705063 weird: spontaneous_FIN
+964800513.705143 weird: spontaneous_FIN
+964800513.705222 weird: spontaneous_FIN
+964800513.705307 weird: spontaneous_FIN
+964800513.705451 weird: spontaneous_FIN
+964800513.705639 weird: spontaneous_FIN
+964800513.705785 weird: spontaneous_FIN
+964800513.705863 weird: spontaneous_FIN
+964800513.705936 weird: spontaneous_FIN
+964800513.706009 weird: spontaneous_FIN
+964800513.706084 weird: spontaneous_FIN
+964800513.706160 weird: spontaneous_FIN
+964800513.706233 weird: spontaneous_FIN
+964800513.706306 weird: spontaneous_FIN
+964800513.706381 weird: spontaneous_FIN
+964800513.804615 weird: spontaneous_FIN
+964800513.804701 weird: spontaneous_FIN
+964800513.804784 weird: spontaneous_FIN
+964800513.804866 weird: spontaneous_FIN
+964800513.804945 weird: spontaneous_FIN
+964800513.805024 weird: spontaneous_FIN
+964800513.805105 weird: spontaneous_FIN
+964800513.805182 weird: spontaneous_FIN
+964800513.805255 weird: spontaneous_FIN
+964800513.805331 weird: spontaneous_FIN
+964800513.805406 weird: spontaneous_FIN
+964800513.805479 weird: spontaneous_FIN
+964800513.805555 weird: spontaneous_FIN
+964800513.805702 weird: spontaneous_FIN
+964800513.805782 weird: spontaneous_FIN
+964800513.805853 weird: spontaneous_FIN
+964800513.805925 weird: spontaneous_FIN
+964800513.805997 weird: spontaneous_FIN
+964800513.806077 weird: spontaneous_FIN
+964800513.806152 weird: spontaneous_FIN
+964800513.806228 weird: spontaneous_FIN
+964800513.806302 weird: spontaneous_FIN
+964800513.806375 weird: spontaneous_FIN
+964800513.806448 weird: spontaneous_FIN
+964800513.904613 weird: spontaneous_FIN
+964800513.904703 weird: spontaneous_FIN
+964800513.904780 weird: spontaneous_FIN
+964800513.904856 weird: spontaneous_FIN
+964800513.904934 weird: spontaneous_FIN
+964800513.905007 weird: spontaneous_FIN
+964800513.905147 weird: spontaneous_FIN
+964800513.905225 weird: spontaneous_FIN
+964800513.905297 weird: spontaneous_FIN
+964800513.905433 weird: spontaneous_FIN
+964800513.905514 weird: spontaneous_FIN
+964800513.905593 weird: spontaneous_FIN
+964800513.905671 weird: spontaneous_FIN
+964800513.905747 weird: spontaneous_FIN
+964800513.905827 weird: spontaneous_FIN
+964800513.905904 weird: spontaneous_FIN
+964800513.905984 weird: spontaneous_FIN
+964800513.906064 weird: spontaneous_FIN
+964800514.004609 weird: spontaneous_FIN
+964800514.004704 weird: spontaneous_FIN
+964800514.004777 weird: spontaneous_FIN
+964800514.004852 weird: spontaneous_FIN
+964800514.004929 weird: spontaneous_FIN
+964800514.005019 weird: spontaneous_FIN
+964800514.005139 weird: spontaneous_FIN
+964800514.005224 weird: spontaneous_FIN
+964800514.005301 weird: spontaneous_FIN
+964800514.005389 weird: spontaneous_FIN
+964800514.005520 weird: spontaneous_FIN
+964800514.005693 weird: spontaneous_FIN
+964800514.005774 weird: spontaneous_FIN
+964800514.005845 weird: spontaneous_FIN
+964800514.005919 weird: spontaneous_FIN
+964800514.005992 weird: spontaneous_FIN
+964800514.006064 weird: spontaneous_FIN
+964800514.006138 weird: spontaneous_FIN
+964800514.006212 weird: spontaneous_FIN
+964800514.006282 weird: spontaneous_FIN
+964800514.006356 weird: spontaneous_FIN
+964800514.006476 weird: spontaneous_FIN
+964800514.104604 weird: spontaneous_FIN
+964800514.104686 weird: spontaneous_FIN
+964800514.104759 weird: spontaneous_FIN
+964800514.104836 weird: spontaneous_FIN
+964800514.104913 weird: spontaneous_FIN
+964800514.105001 weird: spontaneous_FIN
+964800514.105133 weird: spontaneous_FIN
+964800514.105214 weird: spontaneous_FIN
+964800514.105296 weird: spontaneous_FIN
+964800514.105379 weird: spontaneous_FIN
+964800514.105497 weird: spontaneous_FIN
+964800514.105571 weird: spontaneous_FIN
+964800514.105641 weird: spontaneous_FIN
+964800514.105711 weird: spontaneous_FIN
+964800514.105781 weird: spontaneous_FIN
+964800514.105856 weird: spontaneous_FIN
+964800514.105927 weird: spontaneous_FIN
+964800514.105999 weird: spontaneous_FIN
+964800514.106070 weird: spontaneous_FIN
+964800514.106140 weird: spontaneous_FIN
+964800514.184672 weird: spontaneous_FIN
+964800514.184774 weird: spontaneous_FIN
+964800514.184849 weird: spontaneous_FIN
+964800514.184930 weird: spontaneous_FIN
+964800514.185013 weird: spontaneous_FIN
+964800514.185095 weird: spontaneous_FIN
+964800514.185173 weird: spontaneous_FIN
+964800514.185248 weird: spontaneous_FIN
+964800514.185328 weird: spontaneous_FIN
+964800514.185416 weird: spontaneous_FIN
+964800514.185556 weird: spontaneous_FIN
+964800514.185685 weird: spontaneous_FIN
+964800514.185760 weird: spontaneous_FIN
+964800514.185833 weird: spontaneous_FIN
+964800514.185905 weird: spontaneous_FIN
+964800514.185982 weird: spontaneous_FIN
+964800514.186056 weird: spontaneous_FIN
+964800514.186126 weird: spontaneous_FIN
+964800514.186197 weird: spontaneous_FIN
+964800514.186277 weird: spontaneous_FIN
+964800514.186342 weird: spontaneous_FIN
+964800514.186416 weird: spontaneous_FIN
+964800514.186488 weird: spontaneous_FIN
+964800514.186563 weird: spontaneous_FIN
+964800514.284618 weird: spontaneous_FIN
+964800514.284704 weird: spontaneous_FIN
+964800514.284787 weird: spontaneous_FIN
+964800514.284861 weird: spontaneous_FIN
+964800514.284934 weird: spontaneous_FIN
+964800514.285012 weird: spontaneous_FIN
+964800514.285084 weird: spontaneous_FIN
+964800514.285228 weird: spontaneous_FIN
+964800514.285316 weird: spontaneous_FIN
+964800514.285398 weird: spontaneous_FIN
+964800514.285476 weird: spontaneous_FIN
+964800514.285551 weird: spontaneous_FIN
+964800514.285633 weird: spontaneous_FIN
+964800514.285755 weird: spontaneous_FIN
+964800514.285885 weird: spontaneous_FIN
+964800514.285970 weird: spontaneous_FIN
+964800514.286039 weird: spontaneous_FIN
+964800514.286110 weird: spontaneous_FIN
+964800514.286184 weird: spontaneous_FIN
+964800514.286260 weird: spontaneous_FIN
+964800514.286328 weird: spontaneous_FIN
+964800514.286401 weird: spontaneous_FIN
+964800514.286475 weird: spontaneous_FIN
+964800514.286548 weird: spontaneous_FIN
+964800514.286622 weird: spontaneous_FIN
+964800514.286696 weird: spontaneous_FIN
+964800514.286772 weird: spontaneous_FIN
+964800514.374621 weird: spontaneous_FIN
+964800514.374712 weird: spontaneous_FIN
+964800514.374792 weird: spontaneous_FIN
+964800514.374872 weird: spontaneous_FIN
+964800514.374956 weird: spontaneous_FIN
+964800514.375041 weird: spontaneous_FIN
+964800514.375198 weird: spontaneous_FIN
+964800514.375280 weird: spontaneous_FIN
+964800514.375364 weird: spontaneous_FIN
+964800514.375538 weird: spontaneous_FIN
+964800514.375619 weird: spontaneous_FIN
+964800514.375689 weird: spontaneous_FIN
+964800514.375757 weird: spontaneous_FIN
+964800514.375827 weird: spontaneous_FIN
+964800514.375901 weird: spontaneous_FIN
+964800514.375971 weird: spontaneous_FIN
+964800514.376046 weird: spontaneous_FIN
+964800514.376119 weird: spontaneous_FIN
+964800514.376191 weird: spontaneous_FIN
+964800514.376262 weird: spontaneous_FIN
+964800514.376333 weird: spontaneous_FIN
+964800514.376405 weird: spontaneous_FIN
+964800514.376481 weird: spontaneous_FIN
+964800514.376558 weird: spontaneous_FIN
+964800514.464639 weird: spontaneous_FIN
+964800514.464734 weird: spontaneous_FIN
+964800514.464812 weird: spontaneous_FIN
+964800514.464894 weird: spontaneous_FIN
+964800514.464976 weird: spontaneous_FIN
+964800514.465059 weird: spontaneous_FIN
+964800514.465215 weird: spontaneous_FIN
+964800514.465300 weird: spontaneous_FIN
+964800514.465388 weird: spontaneous_FIN
+964800514.465473 weird: spontaneous_FIN
+964800514.465551 weird: spontaneous_FIN
+964800514.465629 weird: spontaneous_FIN
+964800514.544616 weird: spontaneous_FIN
+964800514.544703 weird: spontaneous_FIN
+964800514.544776 weird: spontaneous_FIN
+964800514.544855 weird: spontaneous_FIN
+964800514.544932 weird: spontaneous_FIN
+964800514.545019 weird: spontaneous_FIN
+964800514.545161 weird: spontaneous_FIN
+964800514.624610 weird: spontaneous_FIN
+964800514.624698 weird: spontaneous_FIN
+964800514.624771 weird: spontaneous_FIN
+964800514.624846 weird: spontaneous_FIN
+964800514.624922 weird: spontaneous_FIN
+964800514.625003 weird: spontaneous_FIN
+964800514.625084 weird: spontaneous_FIN
+964800514.625167 weird: spontaneous_FIN
+964800514.625244 weird: spontaneous_FIN
+964800514.625322 weird: spontaneous_FIN
+964800514.704605 weird: spontaneous_FIN
+964800514.704694 weird: spontaneous_FIN
+964800514.704768 weird: spontaneous_FIN
+964800514.704845 weird: spontaneous_FIN
+964800514.704922 weird: spontaneous_FIN
+964800514.705000 weird: spontaneous_FIN
+964800514.705134 weird: spontaneous_FIN
+964800514.705214 weird: spontaneous_FIN
+964800514.705291 weird: spontaneous_FIN
+964800514.705370 weird: spontaneous_FIN
+964800514.705497 weird: spontaneous_FIN
+964800514.705571 weird: spontaneous_FIN
+964800514.705647 weird: spontaneous_FIN
+964800514.705726 weird: spontaneous_FIN
+964800514.709629 weird: bad_ICMP_checksum
+964800514.784609 weird: spontaneous_FIN
+964800514.784696 weird: spontaneous_FIN
+964800514.784772 weird: spontaneous_FIN
+964800514.784849 weird: spontaneous_FIN
+964800514.784923 weird: spontaneous_FIN
+964800514.785005 weird: spontaneous_FIN
+964800514.785149 weird: spontaneous_FIN
+964800514.785231 weird: spontaneous_FIN
+964800514.785307 weird: spontaneous_FIN
+964800514.785388 weird: spontaneous_FIN
+964800514.785508 weird: spontaneous_FIN
+964800514.785645 weird: spontaneous_FIN
+964800514.785814 weird: spontaneous_FIN
+964800514.785917 weird: spontaneous_FIN
+964800514.786002 weird: spontaneous_FIN
+964800514.786125 weird: spontaneous_FIN
+964800514.786241 weird: spontaneous_FIN
+964800514.864611 weird: spontaneous_FIN
+964800514.864692 weird: spontaneous_FIN
+964800514.864769 weird: spontaneous_FIN
+964800514.864847 weird: spontaneous_FIN
+964800514.864924 weird: spontaneous_FIN
+964800514.864997 weird: spontaneous_FIN
+964800514.865133 weird: spontaneous_FIN
+964800514.865219 weird: spontaneous_FIN
+964800514.865299 weird: spontaneous_FIN
+964800514.865433 weird: spontaneous_FIN
+964800514.865514 weird: spontaneous_FIN
+964800514.865635 weird: spontaneous_FIN
+964800514.865770 weird: spontaneous_FIN
+964800514.865852 weird: spontaneous_FIN
+964800514.865929 weird: spontaneous_FIN
+964800514.866006 weird: spontaneous_FIN
+964800514.866080 weird: spontaneous_FIN
+964800514.866156 weird: spontaneous_FIN
+964800514.866229 weird: spontaneous_FIN
+964800514.866306 weird: spontaneous_FIN
+964800514.866379 weird: spontaneous_FIN
+964800514.954608 weird: spontaneous_FIN
+964800514.954691 weird: spontaneous_FIN
+964800514.954768 weird: spontaneous_FIN
+964800514.954856 weird: spontaneous_FIN
+964800514.954940 weird: spontaneous_FIN
+964800514.955026 weird: spontaneous_FIN
+964800514.955165 weird: spontaneous_FIN
+964800514.955247 weird: spontaneous_FIN
+964800514.955325 weird: spontaneous_FIN
+964800514.955404 weird: spontaneous_FIN
+964800514.955525 weird: spontaneous_FIN
+964800514.955600 weird: spontaneous_FIN
+964800514.955670 weird: spontaneous_FIN
+964800514.955791 weird: spontaneous_FIN
+964800514.955872 weird: spontaneous_FIN
+964800514.955944 weird: spontaneous_FIN
+964800514.956015 weird: spontaneous_FIN
+964800514.956087 weird: spontaneous_FIN
+964800514.956158 weird: spontaneous_FIN
+964800514.956231 weird: spontaneous_FIN
+964800514.956302 weird: spontaneous_FIN
+964800514.956371 weird: spontaneous_FIN
+964800514.956443 weird: spontaneous_FIN
+964800514.956520 weird: spontaneous_FIN
+964800515.054616 weird: spontaneous_FIN
+964800515.054697 weird: spontaneous_FIN
+964800515.054773 weird: spontaneous_FIN
+964800515.054865 weird: spontaneous_FIN
+964800515.054953 weird: spontaneous_FIN
+964800515.055036 weird: spontaneous_FIN
+964800515.055117 weird: spontaneous_FIN
+964800515.055203 weird: spontaneous_FIN
+964800515.055281 weird: spontaneous_FIN
+964800515.055413 weird: spontaneous_FIN
+964800515.055491 weird: spontaneous_FIN
+964800515.055565 weird: spontaneous_FIN
+964800515.055637 weird: spontaneous_FIN
+964800515.055708 weird: spontaneous_FIN
+964800515.055777 weird: spontaneous_FIN
+964800515.134752 weird: spontaneous_FIN
+964800515.134847 weird: spontaneous_FIN
+964800515.134925 weird: spontaneous_FIN
+964800515.135007 weird: spontaneous_FIN
+964800515.135088 weird: spontaneous_FIN
+964800515.135171 weird: spontaneous_FIN
+964800515.135319 weird: spontaneous_FIN
+964800515.135399 weird: spontaneous_FIN
+964800515.135530 weird: spontaneous_FIN
+964800515.135614 weird: spontaneous_FIN
+964800515.214679 weird: spontaneous_FIN
+964800515.214790 weird: spontaneous_FIN
+964800515.214871 weird: spontaneous_FIN
+964800515.214952 weird: spontaneous_FIN
+964800515.215036 weird: spontaneous_FIN
+964800515.215118 weird: spontaneous_FIN
+964800515.215265 weird: spontaneous_FIN
+964800515.215346 weird: spontaneous_FIN
+964800515.215474 weird: spontaneous_FIN
+964800515.215549 weird: spontaneous_FIN
+964800515.215702 weird: spontaneous_FIN
+964800515.215803 weird: spontaneous_FIN
+964800515.215873 weird: spontaneous_FIN
+964800515.304617 weird: spontaneous_FIN
+964800515.304698 weird: spontaneous_FIN
+964800515.304767 weird: spontaneous_FIN
+964800515.304845 weird: spontaneous_FIN
+964800515.304922 weird: spontaneous_FIN
+964800515.304999 weird: spontaneous_FIN
+964800515.305078 weird: spontaneous_FIN
+964800515.305221 weird: spontaneous_FIN
+964800515.305301 weird: spontaneous_FIN
+964800515.305376 weird: spontaneous_FIN
+964800515.305451 weird: spontaneous_FIN
+964800515.305585 weird: spontaneous_FIN
+964800515.305667 weird: spontaneous_FIN
+964800515.305740 weird: spontaneous_FIN
+964800515.305811 weird: spontaneous_FIN
+964800515.305884 weird: spontaneous_FIN
+964800515.305958 weird: spontaneous_FIN
+964800515.384612 weird: spontaneous_FIN
+964800515.384699 weird: spontaneous_FIN
+964800515.384782 weird: spontaneous_FIN
+964800515.384855 weird: spontaneous_FIN
+964800515.384929 weird: spontaneous_FIN
+964800515.385006 weird: spontaneous_FIN
+964800515.385086 weird: spontaneous_FIN
+964800515.385163 weird: spontaneous_FIN
+964800515.385293 weird: spontaneous_FIN
+964800515.385372 weird: spontaneous_FIN
+964800515.385491 weird: spontaneous_FIN
+964800515.385567 weird: spontaneous_FIN
+964800515.385641 weird: spontaneous_FIN
+964800515.385712 weird: spontaneous_FIN
+964800515.385781 weird: spontaneous_FIN
+964800515.385851 weird: spontaneous_FIN
+964800515.385922 weird: spontaneous_FIN
+964800515.385994 weird: spontaneous_FIN
+964800515.386066 weird: spontaneous_FIN
+964800515.386142 weird: spontaneous_FIN
+964800515.386216 weird: spontaneous_FIN
+964800515.484605 weird: spontaneous_FIN
+964800515.484692 weird: spontaneous_FIN
+964800515.484773 weird: spontaneous_FIN
+964800515.484854 weird: spontaneous_FIN
+964800515.484934 weird: spontaneous_FIN
+964800515.485021 weird: spontaneous_FIN
+964800515.485163 weird: spontaneous_FIN
+964800515.485252 weird: spontaneous_FIN
+964800515.485326 weird: spontaneous_FIN
+964800515.485401 weird: spontaneous_FIN
+964800515.485524 weird: spontaneous_FIN
+964800515.485598 weird: spontaneous_FIN
+964800515.485772 weird: spontaneous_FIN
+964800515.485856 weird: spontaneous_FIN
+964800515.485930 weird: spontaneous_FIN
+964800515.486001 weird: spontaneous_FIN
+964800515.486073 weird: spontaneous_FIN
+964800515.564622 weird: spontaneous_FIN
+964800515.564709 weird: spontaneous_FIN
+964800515.564782 weird: spontaneous_FIN
+964800515.564860 weird: spontaneous_FIN
+964800515.564937 weird: spontaneous_FIN
+964800515.565010 weird: spontaneous_FIN
+964800515.565151 weird: spontaneous_FIN
+964800515.565235 weird: spontaneous_FIN
+964800515.565314 weird: spontaneous_FIN
+964800515.565395 weird: spontaneous_FIN
+964800515.565472 weird: spontaneous_FIN
+964800515.644608 weird: spontaneous_FIN
+964800515.644689 weird: spontaneous_FIN
+964800515.644763 weird: spontaneous_FIN
+964800515.644848 weird: spontaneous_FIN
+964800515.644931 weird: spontaneous_FIN
+964800515.645014 weird: spontaneous_FIN
+964800515.645145 weird: spontaneous_FIN
+964800515.645229 weird: spontaneous_FIN
+964800515.645309 weird: spontaneous_FIN
+964800515.645433 weird: spontaneous_FIN
+964800515.645509 weird: spontaneous_FIN
+964800515.645584 weird: spontaneous_FIN
+964800515.645656 weird: spontaneous_FIN
+964800515.645728 weird: spontaneous_FIN
+964800515.669896 weird: bad_ICMP_checksum
+964800515.724611 weird: spontaneous_FIN
+964800515.724704 weird: spontaneous_FIN
+964800515.724778 weird: spontaneous_FIN
+964800515.724859 weird: spontaneous_FIN
+964800515.724935 weird: spontaneous_FIN
+964800515.725014 weird: spontaneous_FIN
+964800515.725093 weird: spontaneous_FIN
+964800515.725169 weird: spontaneous_FIN
+964800515.725242 weird: spontaneous_FIN
+964800515.725319 weird: spontaneous_FIN
+964800515.725445 weird: spontaneous_FIN
+964800515.725524 weird: spontaneous_FIN
+964800515.725698 weird: spontaneous_FIN
+964800515.725812 weird: spontaneous_FIN
+964800515.725890 weird: spontaneous_FIN
+964800515.725962 weird: spontaneous_FIN
+964800515.726085 weird: spontaneous_FIN
+964800515.726167 weird: spontaneous_FIN
+964800515.804628 weird: spontaneous_FIN
+964800515.804712 weird: spontaneous_FIN
+964800515.804784 weird: spontaneous_FIN
+964800515.804858 weird: spontaneous_FIN
+964800515.804932 weird: spontaneous_FIN
+964800515.805015 weird: spontaneous_FIN
+964800515.805146 weird: spontaneous_FIN
+964800515.805224 weird: spontaneous_FIN
+964800515.805302 weird: spontaneous_FIN
+964800515.805390 weird: spontaneous_FIN
+964800515.805555 weird: spontaneous_FIN
+964800515.805635 weird: spontaneous_FIN
+964800515.805705 weird: spontaneous_FIN
+964800515.805778 weird: spontaneous_FIN
+964800515.805850 weird: spontaneous_FIN
+964800515.805924 weird: spontaneous_FIN
+964800515.805994 weird: spontaneous_FIN
+964800515.806065 weird: spontaneous_FIN
+964800515.806138 weird: spontaneous_FIN
+964800515.806208 weird: spontaneous_FIN
+964800515.806277 weird: spontaneous_FIN
+964800515.904632 weird: spontaneous_FIN
+964800515.904727 weird: spontaneous_FIN
+964800515.904807 weird: spontaneous_FIN
+964800515.904888 weird: spontaneous_FIN
+964800515.904963 weird: spontaneous_FIN
+964800515.905038 weird: spontaneous_FIN
+964800515.905164 weird: spontaneous_FIN
+964800515.905242 weird: spontaneous_FIN
+964800515.905321 weird: spontaneous_FIN
+964800515.905442 weird: spontaneous_FIN
+964800515.905571 weird: spontaneous_FIN
+964800515.905649 weird: spontaneous_FIN
+964800515.905720 weird: spontaneous_FIN
+964800515.905789 weird: spontaneous_FIN
+964800515.905862 weird: spontaneous_FIN
+964800515.905935 weird: spontaneous_FIN
+964800515.906008 weird: spontaneous_FIN
+964800515.906079 weird: spontaneous_FIN
+964800515.906152 weird: spontaneous_FIN
+964800515.906222 weird: spontaneous_FIN
+964800515.906301 weird: spontaneous_FIN
+964800515.906363 weird: spontaneous_FIN
+964800515.906436 weird: spontaneous_FIN
+964800515.906508 weird: spontaneous_FIN
+964800515.906579 weird: spontaneous_FIN
+964800516.016044 weird: spontaneous_FIN
+964800516.016138 weird: spontaneous_FIN
+964800516.016213 weird: spontaneous_FIN
+964800516.016304 weird: spontaneous_FIN
+964800516.016378 weird: spontaneous_FIN
+964800516.016463 weird: spontaneous_FIN
+964800516.016607 weird: spontaneous_FIN
+964800516.016686 weird: spontaneous_FIN
+964800516.016771 weird: spontaneous_FIN
+964800516.016907 weird: spontaneous_FIN
+964800516.016986 weird: spontaneous_FIN
+964800516.017058 weird: spontaneous_FIN
+964800516.017132 weird: spontaneous_FIN
+964800516.017200 weird: spontaneous_FIN
+964800516.017271 weird: spontaneous_FIN
+964800516.017343 weird: spontaneous_FIN
+964800516.114622 weird: spontaneous_FIN
+964800516.114718 weird: spontaneous_FIN
+964800516.114800 weird: spontaneous_FIN
+964800516.114888 weird: spontaneous_FIN
+964800516.114971 weird: spontaneous_FIN
+964800516.115054 weird: spontaneous_FIN
+964800516.194601 weird: spontaneous_FIN
+964800516.194681 weird: spontaneous_FIN
+964800516.194754 weird: spontaneous_FIN
+964800516.194831 weird: spontaneous_FIN
+964800516.194909 weird: spontaneous_FIN
+964800516.274614 weird: spontaneous_FIN
+964800516.274708 weird: spontaneous_FIN
+964800516.274783 weird: spontaneous_FIN
+964800516.274867 weird: spontaneous_FIN
+964800516.274941 weird: spontaneous_FIN
+964800516.275021 weird: spontaneous_FIN
+964800516.275099 weird: spontaneous_FIN
+964800516.275174 weird: spontaneous_FIN
+964800516.354621 weird: spontaneous_FIN
+964800516.354703 weird: spontaneous_FIN
+964800516.354781 weird: spontaneous_FIN
+964800516.354859 weird: spontaneous_FIN
+964800516.354934 weird: spontaneous_FIN
+964800516.355010 weird: spontaneous_FIN
+964800516.355140 weird: spontaneous_FIN
+964800516.355222 weird: spontaneous_FIN
+964800516.355297 weird: spontaneous_FIN
+964800516.355415 weird: spontaneous_FIN
+964800516.355543 weird: spontaneous_FIN
+964800516.434624 weird: spontaneous_FIN
+964800516.434693 weird: spontaneous_FIN
+964800516.434770 weird: spontaneous_FIN
+964800516.434848 weird: spontaneous_FIN
+964800516.434922 weird: spontaneous_FIN
+964800516.434999 weird: spontaneous_FIN
+964800516.435071 weird: spontaneous_FIN
+964800516.435206 weird: spontaneous_FIN
+964800516.435285 weird: spontaneous_FIN
+964800516.435361 weird: spontaneous_FIN
+964800516.435436 weird: spontaneous_FIN
+964800516.435510 weird: spontaneous_FIN
+964800516.435633 weird: spontaneous_FIN
+964800516.435708 weird: spontaneous_FIN
+964800516.435776 weird: spontaneous_FIN
+964800516.514626 weird: spontaneous_FIN
+964800516.514707 weird: spontaneous_FIN
+964800516.514780 weird: spontaneous_FIN
+964800516.514880 weird: spontaneous_FIN
+964800516.514952 weird: spontaneous_FIN
+964800516.515053 weird: spontaneous_FIN
+964800516.515090 weird: spontaneous_FIN
+964800516.515161 weird: spontaneous_FIN
+964800516.515245 weird: spontaneous_FIN
+964800516.515321 weird: spontaneous_FIN
+964800516.515395 weird: spontaneous_FIN
+964800516.515468 weird: spontaneous_FIN
+964800516.515545 weird: spontaneous_FIN
+964800516.515673 weird: spontaneous_FIN
+964800516.515799 weird: spontaneous_FIN
+964800516.515929 weird: spontaneous_FIN
+964800516.516064 weird: spontaneous_FIN
+964800516.516150 weird: spontaneous_FIN
+964800516.594622 weird: spontaneous_FIN
+964800516.594713 weird: spontaneous_FIN
+964800516.594796 weird: spontaneous_FIN
+964800516.594870 weird: spontaneous_FIN
+964800516.594948 weird: spontaneous_FIN
+964800516.595026 weird: spontaneous_FIN
+964800516.595100 weird: spontaneous_FIN
+964800516.595177 weird: spontaneous_FIN
+964800516.595257 weird: spontaneous_FIN
+964800516.595338 weird: spontaneous_FIN
+964800516.595417 weird: spontaneous_FIN
+964800516.595491 weird: spontaneous_FIN
+964800516.595567 weird: spontaneous_FIN
+964800516.595640 weird: spontaneous_FIN
+964800516.595717 weird: spontaneous_FIN
+964800516.595844 weird: spontaneous_FIN
+964800516.595920 weird: spontaneous_FIN
+964800516.595992 weird: spontaneous_FIN
+964800516.596067 weird: spontaneous_FIN
+964800516.596139 weird: spontaneous_FIN
+964800516.596211 weird: spontaneous_FIN
+964800516.631681 weird: bad_ICMP_checksum
+964800516.684664 weird: spontaneous_FIN
+964800516.684761 weird: spontaneous_FIN
+964800516.684837 weird: spontaneous_FIN
+964800516.684918 weird: spontaneous_FIN
+964800516.684997 weird: spontaneous_FIN
+964800516.685075 weird: spontaneous_FIN
+964800516.685157 weird: spontaneous_FIN
+964800516.685233 weird: spontaneous_FIN
+964800516.685309 weird: spontaneous_FIN
+964800516.685450 weird: spontaneous_FIN
+964800516.685530 weird: spontaneous_FIN
+964800516.685601 weird: spontaneous_FIN
+964800516.685674 weird: spontaneous_FIN
+964800516.685745 weird: spontaneous_FIN
+964800516.685817 weird: spontaneous_FIN
+964800516.685884 weird: spontaneous_FIN
+964800516.685953 weird: spontaneous_FIN
+964800516.686024 weird: spontaneous_FIN
+964800516.686096 weird: spontaneous_FIN
+964800516.686167 weird: spontaneous_FIN
+964800516.686236 weird: spontaneous_FIN
+964800516.686314 weird: spontaneous_FIN
+964800516.686375 weird: spontaneous_FIN
+964800516.686445 weird: spontaneous_FIN
+964800516.686577 weird: spontaneous_FIN
+964800516.784627 weird: spontaneous_FIN
+964800516.784712 weird: spontaneous_FIN
+964800516.784791 weird: spontaneous_FIN
+964800516.784862 weird: spontaneous_FIN
+964800516.784935 weird: spontaneous_FIN
+964800516.785011 weird: spontaneous_FIN
+964800516.785160 weird: spontaneous_FIN
+964800516.785241 weird: spontaneous_FIN
+964800516.785330 weird: spontaneous_FIN
+964800516.785455 weird: spontaneous_FIN
+964800516.785588 weird: spontaneous_FIN
+964800516.785666 weird: spontaneous_FIN
+964800516.785738 weird: spontaneous_FIN
+964800516.785808 weird: spontaneous_FIN
+964800516.864619 weird: spontaneous_FIN
+964800516.864709 weird: spontaneous_FIN
+964800516.864779 weird: spontaneous_FIN
+964800516.864858 weird: spontaneous_FIN
+964800516.864933 weird: spontaneous_FIN
+964800516.865008 weird: spontaneous_FIN
+964800516.865139 weird: spontaneous_FIN
+964800516.865218 weird: spontaneous_FIN
+964800516.865289 weird: spontaneous_FIN
+964800516.865407 weird: spontaneous_FIN
+964800516.865537 weird: spontaneous_FIN
+964800516.865618 weird: spontaneous_FIN
+964800516.865687 weird: spontaneous_FIN
+964800516.944618 weird: spontaneous_FIN
+964800516.944702 weird: spontaneous_FIN
+964800516.944771 weird: spontaneous_FIN
+964800516.944842 weird: spontaneous_FIN
+964800516.944916 weird: spontaneous_FIN
+964800516.944993 weird: spontaneous_FIN
+964800516.945130 weird: spontaneous_FIN
+964800516.945205 weird: spontaneous_FIN
+964800516.945279 weird: spontaneous_FIN
+964800516.945356 weird: spontaneous_FIN
+964800516.945478 weird: spontaneous_FIN
+964800516.945601 weird: spontaneous_FIN
+964800516.945681 weird: spontaneous_FIN
+964800516.945753 weird: spontaneous_FIN
+964800516.945823 weird: spontaneous_FIN
+964800516.945892 weird: spontaneous_FIN
+964800517.024623 weird: spontaneous_FIN
+964800517.024717 weird: spontaneous_FIN
+964800517.024790 weird: spontaneous_FIN
+964800517.024868 weird: spontaneous_FIN
+964800517.024939 weird: spontaneous_FIN
+964800517.025015 weird: spontaneous_FIN
+964800517.025089 weird: spontaneous_FIN
+964800517.025219 weird: spontaneous_FIN
+964800517.025304 weird: spontaneous_FIN
+964800517.025381 weird: spontaneous_FIN
+964800517.025453 weird: spontaneous_FIN
+964800517.025568 weird: spontaneous_FIN
+964800517.025672 weird: spontaneous_FIN
+964800517.025839 weird: spontaneous_FIN
+964800517.025937 weird: spontaneous_FIN
+964800517.026008 weird: spontaneous_FIN
+964800517.026132 weird: spontaneous_FIN
+964800517.026215 weird: spontaneous_FIN
+964800517.026285 weird: spontaneous_FIN
+964800517.026356 weird: spontaneous_FIN
+964800517.104621 weird: spontaneous_FIN
+964800517.104710 weird: spontaneous_FIN
+964800517.104782 weird: spontaneous_FIN
+964800517.104854 weird: spontaneous_FIN
+964800517.104931 weird: spontaneous_FIN
+964800517.105009 weird: spontaneous_FIN
+964800517.105091 weird: spontaneous_FIN
+964800517.105165 weird: spontaneous_FIN
+964800517.105245 weird: spontaneous_FIN
+964800517.105323 weird: spontaneous_FIN
+964800517.105458 weird: spontaneous_FIN
+964800517.105540 weird: spontaneous_FIN
+964800517.105616 weird: spontaneous_FIN
+964800517.105693 weird: spontaneous_FIN
+964800517.105764 weird: spontaneous_FIN
+964800517.105833 weird: spontaneous_FIN
+964800517.105904 weird: spontaneous_FIN
+964800517.105973 weird: spontaneous_FIN
+964800517.106040 weird: spontaneous_FIN
+964800517.184625 weird: spontaneous_FIN
+964800517.184705 weird: spontaneous_FIN
+964800517.184778 weird: spontaneous_FIN
+964800517.184854 weird: spontaneous_FIN
+964800517.184932 weird: spontaneous_FIN
+964800517.185006 weird: spontaneous_FIN
+964800517.185141 weird: spontaneous_FIN
+964800517.185219 weird: spontaneous_FIN
+964800517.185296 weird: spontaneous_FIN
+964800517.185369 weird: spontaneous_FIN
+964800517.185492 weird: spontaneous_FIN
+964800517.185613 weird: spontaneous_FIN
+964800517.185691 weird: spontaneous_FIN
+964800517.185768 weird: spontaneous_FIN
+964800517.185839 weird: spontaneous_FIN
+964800517.185907 weird: spontaneous_FIN
+964800517.185975 weird: spontaneous_FIN
+964800517.186050 weird: spontaneous_FIN
+964800517.186124 weird: spontaneous_FIN
+964800517.186194 weird: spontaneous_FIN
+964800517.186267 weird: spontaneous_FIN
+964800517.186339 weird: spontaneous_FIN
+964800517.284623 weird: spontaneous_FIN
+964800517.284711 weird: spontaneous_FIN
+964800517.284791 weird: spontaneous_FIN
+964800517.284879 weird: spontaneous_FIN
+964800517.284962 weird: spontaneous_FIN
+964800517.285044 weird: spontaneous_FIN
+964800517.285183 weird: spontaneous_FIN
+964800517.285260 weird: spontaneous_FIN
+964800517.285332 weird: spontaneous_FIN
+964800517.285458 weird: spontaneous_FIN
+964800517.285533 weird: spontaneous_FIN
+964800517.285610 weird: spontaneous_FIN
+964800517.285685 weird: spontaneous_FIN
+964800517.285756 weird: spontaneous_FIN
+964800517.285831 weird: spontaneous_FIN
+964800517.285903 weird: spontaneous_FIN
+964800517.285976 weird: spontaneous_FIN
+964800517.286052 weird: spontaneous_FIN
+964800517.286126 weird: spontaneous_FIN
+964800517.286198 weird: spontaneous_FIN
+964800517.286273 weird: spontaneous_FIN
+964800517.286343 weird: spontaneous_FIN
+964800517.286417 weird: spontaneous_FIN
+964800517.286490 weird: spontaneous_FIN
+964800517.286563 weird: spontaneous_FIN
+964800517.286639 weird: spontaneous_FIN
+964800517.374638 weird: spontaneous_FIN
+964800517.374730 weird: spontaneous_FIN
+964800517.374807 weird: spontaneous_FIN
+964800517.374890 weird: spontaneous_FIN
+964800517.374971 weird: spontaneous_FIN
+964800517.375054 weird: spontaneous_FIN
+964800517.375133 weird: spontaneous_FIN
+964800517.375210 weird: spontaneous_FIN
+964800517.375288 weird: spontaneous_FIN
+964800517.375376 weird: spontaneous_FIN
+964800517.375522 weird: spontaneous_FIN
+964800517.375599 weird: spontaneous_FIN
+964800517.375682 weird: spontaneous_FIN
+964800517.454624 weird: spontaneous_FIN
+964800517.454704 weird: spontaneous_FIN
+964800517.454774 weird: spontaneous_FIN
+964800517.454856 weird: spontaneous_FIN
+964800517.454937 weird: spontaneous_FIN
+964800517.455016 weird: spontaneous_FIN
+964800517.455171 weird: spontaneous_FIN
+964800517.534618 weird: spontaneous_FIN
+964800517.534695 weird: spontaneous_FIN
+964800517.534767 weird: spontaneous_FIN
+964800517.534846 weird: spontaneous_FIN
+964800517.534923 weird: spontaneous_FIN
+964800517.535003 weird: spontaneous_FIN
+964800517.535084 weird: spontaneous_FIN
+964800517.535229 weird: spontaneous_FIN
+964800517.535313 weird: spontaneous_FIN
+964800517.535387 weird: spontaneous_FIN
+964800517.609976 weird: bad_ICMP_checksum
+964800517.614619 weird: spontaneous_FIN
+964800517.614702 weird: spontaneous_FIN
+964800517.614773 weird: spontaneous_FIN
+964800517.614849 weird: spontaneous_FIN
+964800517.614925 weird: spontaneous_FIN
+964800517.615006 weird: spontaneous_FIN
+964800517.615084 weird: spontaneous_FIN
+964800517.615155 weird: spontaneous_FIN
+964800517.615288 weird: spontaneous_FIN
+964800517.615360 weird: spontaneous_FIN
+964800517.615436 weird: spontaneous_FIN
+964800517.615508 weird: spontaneous_FIN
+964800517.615577 weird: spontaneous_FIN
+964800517.615649 weird: spontaneous_FIN
+964800517.704628 weird: spontaneous_FIN
+964800517.704719 weird: spontaneous_FIN
+964800517.704791 weird: spontaneous_FIN
+964800517.704865 weird: spontaneous_FIN
+964800517.704944 weird: spontaneous_FIN
+964800517.705020 weird: spontaneous_FIN
+964800517.705093 weird: spontaneous_FIN
+964800517.705169 weird: spontaneous_FIN
+964800517.705326 weird: spontaneous_FIN
+964800517.705451 weird: spontaneous_FIN
+964800517.705535 weird: spontaneous_FIN
+964800517.705604 weird: spontaneous_FIN
+964800517.705674 weird: spontaneous_FIN
+964800517.705744 weird: spontaneous_FIN
+964800517.705821 weird: spontaneous_FIN
+964800517.705945 weird: spontaneous_FIN
+964800517.706027 weird: spontaneous_FIN
+964800517.784619 weird: spontaneous_FIN
+964800517.784747 weird: spontaneous_FIN
+964800517.784783 weird: spontaneous_FIN
+964800517.784850 weird: spontaneous_FIN
+964800517.784924 weird: spontaneous_FIN
+964800517.784999 weird: spontaneous_FIN
+964800517.785077 weird: spontaneous_FIN
+964800517.785156 weird: spontaneous_FIN
+964800517.785232 weird: spontaneous_FIN
+964800517.785378 weird: spontaneous_FIN
+964800517.785461 weird: spontaneous_FIN
+964800517.785534 weird: spontaneous_FIN
+964800517.785606 weird: spontaneous_FIN
+964800517.785676 weird: spontaneous_FIN
+964800517.785744 weird: spontaneous_FIN
+964800517.785815 weird: spontaneous_FIN
+964800517.785886 weird: spontaneous_FIN
+964800517.864634 weird: spontaneous_FIN
+964800517.864716 weird: spontaneous_FIN
+964800517.864790 weird: spontaneous_FIN
+964800517.864866 weird: spontaneous_FIN
+964800517.864941 weird: spontaneous_FIN
+964800517.865017 weird: spontaneous_FIN
+964800517.865159 weird: spontaneous_FIN
+964800517.865236 weird: spontaneous_FIN
+964800517.865310 weird: spontaneous_FIN
+964800517.865436 weird: spontaneous_FIN
+964800517.865510 weird: spontaneous_FIN
+964800517.865584 weird: spontaneous_FIN
+964800517.865656 weird: spontaneous_FIN
+964800517.865726 weird: spontaneous_FIN
+964800517.865798 weird: spontaneous_FIN
+964800517.866006 weird: spontaneous_FIN
+964800517.866186 weird: spontaneous_FIN
+964800517.866336 weird: spontaneous_FIN
+964800517.866409 weird: spontaneous_FIN
+964800517.866483 weird: spontaneous_FIN
+964800517.944628 weird: spontaneous_FIN
+964800517.944713 weird: spontaneous_FIN
+964800517.944787 weird: spontaneous_FIN
+964800517.944868 weird: spontaneous_FIN
+964800517.944945 weird: spontaneous_FIN
+964800517.945018 weird: spontaneous_FIN
+964800517.945151 weird: spontaneous_FIN
+964800517.945230 weird: spontaneous_FIN
+964800517.945315 weird: spontaneous_FIN
+964800517.945436 weird: spontaneous_FIN
+964800517.945509 weird: spontaneous_FIN
+964800517.945577 weird: spontaneous_FIN
+964800517.945652 weird: spontaneous_FIN
+964800517.945722 weird: spontaneous_FIN
+964800517.945793 weird: spontaneous_FIN
+964800517.945862 weird: spontaneous_FIN
+964800517.945934 weird: spontaneous_FIN
+964800517.946005 weird: spontaneous_FIN
+964800517.946073 weird: spontaneous_FIN
+964800517.946142 weird: spontaneous_FIN
+964800517.946217 weird: spontaneous_FIN
+964800517.946286 weird: spontaneous_FIN
+964800517.946360 weird: spontaneous_FIN
+964800517.946430 weird: spontaneous_FIN
+964800518.044636 weird: spontaneous_FIN
+964800518.044711 weird: spontaneous_FIN
+964800518.044782 weird: spontaneous_FIN
+964800518.044861 weird: spontaneous_FIN
+964800518.044938 weird: spontaneous_FIN
+964800518.045061 weird: spontaneous_FIN
+964800518.045167 weird: spontaneous_FIN
+964800518.045256 weird: spontaneous_FIN
+964800518.045337 weird: spontaneous_FIN
+964800518.295686 weird: spontaneous_FIN
+964800518.375278 weird: spontaneous_FIN
+964800518.375360 weird: spontaneous_FIN
+964800518.375433 weird: spontaneous_FIN
+964800518.375505 weird: spontaneous_FIN
+964800518.375575 weird: spontaneous_FIN
+964800518.375648 weird: spontaneous_FIN
+964800518.464647 weird: spontaneous_FIN
+964800518.464733 weird: spontaneous_FIN
+964800518.464809 weird: spontaneous_FIN
+964800518.464886 weird: spontaneous_FIN
+964800518.464966 weird: spontaneous_FIN
+964800518.465052 weird: spontaneous_FIN
+964800518.465126 weird: spontaneous_FIN
+964800518.465202 weird: spontaneous_FIN
+964800518.465279 weird: spontaneous_FIN
+964800518.465357 weird: spontaneous_FIN
+964800518.465432 weird: spontaneous_FIN
+964800518.465506 weird: spontaneous_FIN
+964800518.465576 weird: spontaneous_FIN
+964800518.465648 weird: spontaneous_FIN
+964800518.522586 weird: spontaneous_FIN
+964800518.544632 weird: spontaneous_FIN
+964800518.544716 weird: spontaneous_FIN
+964800518.544795 weird: spontaneous_FIN
+964800518.544877 weird: spontaneous_FIN
+964800518.544954 weird: spontaneous_FIN
+964800518.545036 weird: spontaneous_FIN
+964800518.545118 weird: spontaneous_FIN
+964800518.545193 weird: spontaneous_FIN
+964800518.545269 weird: spontaneous_FIN
+964800518.545346 weird: spontaneous_FIN
+964800518.545421 weird: spontaneous_FIN
+964800518.545493 weird: spontaneous_FIN
+964800518.545563 weird: spontaneous_FIN
+964800518.545633 weird: spontaneous_FIN
+964800518.545704 weird: spontaneous_FIN
+964800518.549768 weird: bad_ICMP_checksum
+964800518.624635 weird: spontaneous_FIN
+964800518.624721 weird: spontaneous_FIN
+964800518.704611 weird: spontaneous_FIN
+964800519.024847 weird: spontaneous_FIN
+964800519.024920 weird: spontaneous_FIN
+964800519.104863 weird: spontaneous_FIN
+964800519.104939 weird: spontaneous_FIN
+964800519.499892 weird: bad_ICMP_checksum
+964800520.459726 weird: bad_ICMP_checksum
+964800521.739751 weird: bad_ICMP_checksum
+964800522.699952 weird: bad_ICMP_checksum
+964800523.659798 weird: bad_ICMP_checksum
+964800523.742641 weird: spontaneous_FIN
+964800524.619992 weird: bad_ICMP_checksum
+964800524.699280 weird: spontaneous_FIN
+964800525.579888 weird: bad_ICMP_checksum
+964800526.540059 weird: bad_ICMP_checksum
+964800527.033662 weird: spontaneous_RST
+964800527.499887 weird: bad_ICMP_checksum
+964800528.460140 weird: bad_ICMP_checksum
+964800528.825170 weird: spontaneous_FIN
+964800529.571208 weird: data_after_reset
+964800529.740127 weird: bad_ICMP_checksum
+964800529.764830 weird: data_after_reset
+964800530.164785 weird: data_after_reset
+964800530.699962 weird: bad_ICMP_checksum
+964800530.964697 weird: data_after_reset
+964800531.660170 weird: bad_ICMP_checksum
+964800532.564519 weird: data_after_reset
+964800532.620005 weird: bad_ICMP_checksum
+964800533.580362 weird: bad_ICMP_checksum
+964800533.982781 weird: spontaneous_FIN
+964800534.540043 weird: bad_ICMP_checksum
+964800535.500254 weird: bad_ICMP_checksum
+964800536.264020 weird: spontaneous_FIN
+964800536.460088 weird: bad_ICMP_checksum
+964800537.740118 weird: bad_ICMP_checksum
+964800538.700334 weird: bad_ICMP_checksum
+964800539.053438 weird: spontaneous_FIN
+964800539.660156 weird: bad_ICMP_checksum
+964800540.224097 weird: data_after_reset
+964800540.420703 weird: data_after_reset
+964800540.620379 weird: bad_ICMP_checksum
+964800540.820584 weird: data_after_reset
+964800540.957711 weird: baroque_SYN
+964800540.957832 weird: spontaneous_FIN
+964800541.580250 weird: bad_ICMP_checksum
+964800541.620592 weird: data_after_reset
+964800541.671365 weird: spontaneous_FIN
+964800542.540473 weird: bad_ICMP_checksum
+964800543.500251 weird: bad_ICMP_checksum
+964800544.068769 weird: spontaneous_FIN
+964800544.460469 weird: bad_ICMP_checksum
+964800545.440289 weird: bad_ICMP_checksum
+964800546.720358 weird: bad_ICMP_checksum
+964800547.680554 weird: bad_ICMP_checksum
+964800547.754819 weird: baroque_SYN
+964800547.754932 weird: spontaneous_FIN
+964800548.640378 weird: bad_ICMP_checksum
+964800549.143504 weird: spontaneous_FIN
+964800549.600531 weird: bad_ICMP_checksum
+964800550.560411 weird: bad_ICMP_checksum
+964800551.510664 weird: bad_ICMP_checksum
+964800551.731327 weird: baroque_SYN
+964800551.732835 weird: spontaneous_FIN
+964800552.470464 weird: bad_ICMP_checksum
+964800553.004650 weird: baroque_SYN
+964800553.004767 weird: spontaneous_FIN
+964800553.143856 weird: baroque_SYN
+964800553.143962 weird: spontaneous_FIN
+964800553.720526 weird: bad_ICMP_checksum
+964800554.203581 weird: spontaneous_FIN
+964800554.660732 weird: bad_ICMP_checksum
+964800555.620533 weird: bad_ICMP_checksum
+964800556.290717 weird: bad_ICMP_checksum
+964800556.290765 weird: bad_ICMP_checksum
+964800556.290798 weird: bad_ICMP_checksum
+964800556.290829 weird: bad_ICMP_checksum
+964800556.291005 weird: bad_ICMP_checksum
+964800556.291035 weird: bad_ICMP_checksum
+964800556.580671 weird: bad_ICMP_checksum
+964800556.605310 weird: connection_originator_SYN_ack
+964800556.624866 weird: spontaneous_FIN
+964800556.644927 weird: spontaneous_FIN
+964800557.297929 weird: baroque_SYN
+964800557.312496 weird: bad_ICMP_checksum
+964800557.313133 weird: spontaneous_FIN
+964800557.313649 weird: bad_ICMP_checksum
+964800557.540568 weird: bad_ICMP_checksum
+964800557.541769 weird: bad_ICMP_checksum
+964800558.392719 weird: baroque_SYN
+964800558.392822 weird: spontaneous_FIN
+964800558.500712 weird: bad_ICMP_checksum
+964800558.844585 weird: bad_ICMP_checksum
+964800558.844939 weird: bad_ICMP_checksum
+964800559.433397 weird: bad_ICMP_checksum
+964800559.460653 weird: bad_ICMP_checksum
+964800560.420906 weird: bad_ICMP_checksum
+964800560.740639 weird: bad_ICMP_checksum
+964800561.366471 weird: bad_ICMP_checksum
+964800561.701105 weird: bad_ICMP_checksum
+964800562.545617 weird: spontaneous_FIN
+964800562.660728 weird: bad_ICMP_checksum
+964800563.286658 weird: bad_ICMP_checksum
+964800563.620888 weird: bad_ICMP_checksum
+964800564.072812 weird: baroque_SYN
+964800564.072916 weird: spontaneous_FIN
+964800564.580737 weird: bad_ICMP_checksum
+964800564.580842 weird: bad_ICMP_checksum
+964800565.526321 weird: bad_ICMP_checksum
+964800565.540875 weird: bad_ICMP_checksum
+964800566.484104 weird: bad_ICMP_checksum
+964800566.506274 weird: bad_ICMP_checksum
+964800567.440964 weird: bad_ICMP_checksum
+964800567.448914 weird: bad_ICMP_checksum
+964800567.864249 weird: spontaneous_FIN
+964800568.390956 weird: bad_ICMP_checksum
+964800568.602706 weird: bad_ICMP_checksum
+964800569.356524 weird: bad_ICMP_checksum
+964800569.560982 weird: bad_ICMP_checksum
+964800570.287366 weird: bad_ICMP_checksum
+964800570.520859 weird: bad_ICMP_checksum
+964800571.360661 weird: spontaneous_FIN
+964800571.461071 weird: bad_ICMP_checksum
+964800571.550624 weird: bad_ICMP_checksum
+964800572.496064 weird: bad_ICMP_checksum
+964800572.741056 weird: bad_ICMP_checksum
+964800573.143829 weird: spontaneous_FIN
+964800573.291815 weird: baroque_SYN
+964800573.293891 weird: spontaneous_FIN
+964800573.476638 weird: bad_ICMP_checksum
+964800573.476781 weird: bad_ICMP_checksum
+964800573.476932 weird: bad_ICMP_checksum
+964800573.477180 weird: bad_ICMP_checksum
+964800573.477411 weird: bad_ICMP_checksum
+964800573.477648 weird: bad_ICMP_checksum
+964800573.477884 weird: bad_ICMP_checksum
+964800573.700930 weird: bad_ICMP_checksum
+964800574.419018 weird: bad_ICMP_checksum
+964800574.661104 weird: bad_ICMP_checksum
+964800574.750114 weird: bad_ICMP_checksum
+964800575.385981 weird: bad_ICMP_checksum
+964800575.620975 weird: bad_ICMP_checksum
+964800575.710093 weird: bad_ICMP_checksum
+964800576.329429 weird: baroque_SYN
+964800576.344096 weird: bad_ICMP_checksum
+964800576.345573 weird: spontaneous_FIN
+964800576.581216 weird: bad_ICMP_checksum
+964800576.670041 weird: bad_ICMP_checksum
+964800577.295913 weird: bad_ICMP_checksum
+964800577.541017 weird: bad_ICMP_checksum
+964800577.630051 weird: bad_ICMP_checksum
+964800578.501184 weird: bad_ICMP_checksum
+964800578.555516 weird: spontaneous_FIN
+964800578.575875 weird: bad_ICMP_checksum
+964800579.461049 weird: bad_ICMP_checksum
+964800579.545843 weird: bad_ICMP_checksum
+964800580.515833 weird: bad_ICMP_checksum
+964800580.741099 weird: bad_ICMP_checksum
+964800581.269812 weird: bad_ICMP_checksum
+964800581.269910 weird: bad_ICMP_checksum
+964800581.270092 weird: bad_ICMP_checksum
+964800581.469089 weird: bad_ICMP_checksum
+964800581.701262 weird: bad_ICMP_checksum
+964800582.661127 weird: bad_ICMP_checksum
+964800583.366294 weird: bad_ICMP_checksum
+964800583.621351 weird: bad_ICMP_checksum
+964800583.703924 weird: spontaneous_FIN
+964800584.581226 weird: bad_ICMP_checksum
+964800585.541356 weird: bad_ICMP_checksum
+964800585.585629 weird: bad_ICMP_checksum
+964800586.501211 weird: bad_ICMP_checksum
+964800586.522091 weird: bad_ICMP_checksum
+964800587.269645 weird: bad_ICMP_checksum
+964800587.269741 weird: bad_ICMP_checksum
+964800587.269996 weird: bad_ICMP_checksum
+964800587.270091 weird: bad_ICMP_checksum
+964800587.270345 weird: bad_ICMP_checksum
+964800587.270440 weird: bad_ICMP_checksum
+964800587.426354 weird: baroque_SYN
+964800587.431182 weird: spontaneous_FIN
+964800587.441999 weird: bad_ICMP_checksum
+964800587.541379 weird: bad_ICMP_checksum
+964800588.391106 weird: bad_ICMP_checksum
+964800588.501272 weird: bad_ICMP_checksum
+964800588.804089 weird: spontaneous_FIN
+964800589.345467 weird: bad_ICMP_checksum
+964800589.461496 weird: bad_ICMP_checksum
+964800590.295471 weird: bad_ICMP_checksum
+964800590.421669 weird: bad_ICMP_checksum
+964800591.575425 weird: bad_ICMP_checksum
+964800591.701386 weird: bad_ICMP_checksum
+964800592.661525 weird: bad_ICMP_checksum
+964800593.489858 weird: bad_ICMP_checksum
+964800593.621398 weird: bad_ICMP_checksum
+964800593.906118 weird: spontaneous_FIN
+964800594.472035 weird: spontaneous_FIN
+964800594.472132 weird: spontaneous_FIN
+964800594.472209 weird: spontaneous_FIN
+964800594.472501 weird: spontaneous_FIN
+964800594.472586 weird: spontaneous_FIN
+964800594.472699 weird: spontaneous_FIN
+964800594.472912 weird: spontaneous_FIN
+964800594.472997 weird: spontaneous_FIN
+964800594.473081 weird: spontaneous_FIN
+964800594.473294 weird: spontaneous_FIN
+964800594.473381 weird: spontaneous_FIN
+964800594.555131 weird: spontaneous_FIN
+964800594.555223 weird: spontaneous_FIN
+964800594.555304 weird: spontaneous_FIN
+964800594.555382 weird: spontaneous_FIN
+964800594.555567 weird: spontaneous_FIN
+964800594.555821 weird: spontaneous_FIN
+964800594.555905 weird: spontaneous_FIN
+964800594.555988 weird: spontaneous_FIN
+964800594.556205 weird: spontaneous_FIN
+964800594.556288 weird: spontaneous_FIN
+964800594.556371 weird: spontaneous_FIN
+964800594.556587 weird: spontaneous_FIN
+964800594.556668 weird: spontaneous_FIN
+964800594.556757 weird: spontaneous_FIN
+964800594.581659 weird: bad_ICMP_checksum
+964800594.645231 weird: spontaneous_FIN
+964800594.645327 weird: spontaneous_FIN
+964800594.645405 weird: spontaneous_FIN
+964800594.645670 weird: spontaneous_FIN
+964800594.645760 weird: spontaneous_FIN
+964800594.645938 weird: spontaneous_FIN
+964800594.646047 weird: spontaneous_FIN
+964800594.646178 weird: spontaneous_FIN
+964800594.646305 weird: spontaneous_FIN
+964800594.646445 weird: spontaneous_FIN
+964800594.646569 weird: spontaneous_FIN
+964800594.646694 weird: spontaneous_FIN
+964800594.646820 weird: spontaneous_FIN
+964800594.646944 weird: spontaneous_FIN
+964800594.647069 weird: spontaneous_FIN
+964800594.647193 weird: spontaneous_FIN
+964800594.647310 weird: spontaneous_FIN
+964800594.647433 weird: spontaneous_FIN
+964800594.735300 weird: spontaneous_FIN
+964800594.735397 weird: spontaneous_FIN
+964800594.735516 weird: spontaneous_FIN
+964800594.735727 weird: spontaneous_FIN
+964800594.735813 weird: spontaneous_FIN
+964800594.735953 weird: spontaneous_FIN
+964800594.736068 weird: spontaneous_FIN
+964800594.736192 weird: spontaneous_FIN
+964800594.736322 weird: spontaneous_FIN
+964800594.736462 weird: spontaneous_FIN
+964800594.736573 weird: spontaneous_FIN
+964800594.736699 weird: spontaneous_FIN
+964800594.736840 weird: spontaneous_FIN
+964800594.736964 weird: spontaneous_FIN
+964800594.737087 weird: spontaneous_FIN
+964800594.737227 weird: spontaneous_FIN
+964800594.737352 weird: spontaneous_FIN
+964800594.737490 weird: spontaneous_FIN
+964800594.737611 weird: spontaneous_FIN
+964800594.737737 weird: spontaneous_FIN
+964800594.737861 weird: spontaneous_FIN
+964800594.737983 weird: spontaneous_FIN
+964800594.815153 weird: spontaneous_FIN
+964800594.815247 weird: spontaneous_FIN
+964800594.815436 weird: spontaneous_FIN
+964800594.815541 weird: spontaneous_FIN
+964800594.815775 weird: spontaneous_FIN
+964800594.815860 weird: spontaneous_FIN
+964800594.815999 weird: spontaneous_FIN
+964800594.816108 weird: spontaneous_FIN
+964800594.816235 weird: spontaneous_FIN
+964800594.816362 weird: spontaneous_FIN
+964800594.816500 weird: spontaneous_FIN
+964800594.816623 weird: spontaneous_FIN
+964800594.816744 weird: spontaneous_FIN
+964800594.816869 weird: spontaneous_FIN
+964800594.816995 weird: spontaneous_FIN
+964800594.817121 weird: spontaneous_FIN
+964800594.817248 weird: spontaneous_FIN
+964800594.817373 weird: spontaneous_FIN
+964800594.817511 weird: spontaneous_FIN
+964800594.817627 weird: spontaneous_FIN
+964800594.817750 weird: spontaneous_FIN
+964800594.817874 weird: spontaneous_FIN
+964800594.817996 weird: spontaneous_FIN
+964800594.818117 weird: spontaneous_FIN
+964800594.818241 weird: spontaneous_FIN
+964800594.901870 weird: spontaneous_FIN
+964800594.901955 weird: spontaneous_FIN
+964800594.902041 weird: spontaneous_FIN
+964800594.902273 weird: spontaneous_FIN
+964800594.902358 weird: spontaneous_FIN
+964800594.902444 weird: spontaneous_FIN
+964800594.902661 weird: spontaneous_FIN
+964800594.902743 weird: spontaneous_FIN
+964800594.902931 weird: spontaneous_FIN
+964800594.903030 weird: spontaneous_FIN
+964800594.903154 weird: spontaneous_FIN
+964800594.903277 weird: spontaneous_FIN
+964800594.903400 weird: spontaneous_FIN
+964800594.903540 weird: spontaneous_FIN
+964800594.903660 weird: spontaneous_FIN
+964800594.903786 weird: spontaneous_FIN
+964800594.903912 weird: spontaneous_FIN
+964800594.904135 weird: spontaneous_FIN
+964800594.904228 weird: spontaneous_FIN
+964800594.904366 weird: spontaneous_FIN
+964800594.904482 weird: spontaneous_FIN
+964800594.904607 weird: spontaneous_FIN
+964800594.904726 weird: spontaneous_FIN
+964800594.904861 weird: spontaneous_FIN
+964800594.904978 weird: spontaneous_FIN
+964800594.905162 weird: spontaneous_FIN
+964800594.905270 weird: spontaneous_FIN
+964800594.905408 weird: spontaneous_FIN
+964800594.905519 weird: spontaneous_FIN
+964800594.985326 weird: spontaneous_FIN
+964800594.985420 weird: spontaneous_FIN
+964800594.985544 weird: spontaneous_FIN
+964800594.985741 weird: spontaneous_FIN
+964800594.985828 weird: spontaneous_FIN
+964800594.985960 weird: spontaneous_FIN
+964800594.986079 weird: spontaneous_FIN
+964800594.986192 weird: spontaneous_FIN
+964800594.986319 weird: spontaneous_FIN
+964800594.986443 weird: spontaneous_FIN
+964800594.986567 weird: spontaneous_FIN
+964800594.986690 weird: spontaneous_FIN
+964800594.986817 weird: spontaneous_FIN
+964800594.986942 weird: spontaneous_FIN
+964800594.987084 weird: spontaneous_FIN
+964800594.987207 weird: spontaneous_FIN
+964800594.987332 weird: spontaneous_FIN
+964800594.987459 weird: spontaneous_FIN
+964800594.987581 weird: spontaneous_FIN
+964800594.987705 weird: spontaneous_FIN
+964800594.987827 weird: spontaneous_FIN
+964800594.987943 weird: spontaneous_FIN
+964800594.988069 weird: spontaneous_FIN
+964800594.988193 weird: spontaneous_FIN
+964800594.988315 weird: spontaneous_FIN
+964800594.988440 weird: spontaneous_FIN
+964800594.988563 weird: spontaneous_FIN
+964800594.988685 weird: spontaneous_FIN
+964800594.988825 weird: spontaneous_FIN
+964800594.988993 weird: spontaneous_FIN
+964800594.989109 weird: spontaneous_FIN
+964800594.989285 weird: spontaneous_FIN
+964800594.989412 weird: spontaneous_FIN
+964800595.075234 weird: spontaneous_FIN
+964800595.075332 weird: spontaneous_FIN
+964800595.075409 weird: spontaneous_FIN
+964800595.075637 weird: spontaneous_FIN
+964800595.075752 weird: spontaneous_FIN
+964800595.075878 weird: spontaneous_FIN
+964800595.076005 weird: spontaneous_FIN
+964800595.076134 weird: spontaneous_FIN
+964800595.076276 weird: spontaneous_FIN
+964800595.076411 weird: spontaneous_FIN
+964800595.076506 weird: spontaneous_FIN
+964800595.076673 weird: spontaneous_FIN
+964800595.076780 weird: spontaneous_FIN
+964800595.076909 weird: spontaneous_FIN
+964800595.077032 weird: spontaneous_FIN
+964800595.077198 weird: spontaneous_FIN
+964800595.077317 weird: spontaneous_FIN
+964800595.077439 weird: spontaneous_FIN
+964800595.077584 weird: spontaneous_FIN
+964800595.077676 weird: spontaneous_FIN
+964800595.077848 weird: spontaneous_FIN
+964800595.077969 weird: spontaneous_FIN
+964800595.078092 weird: spontaneous_FIN
+964800595.078220 weird: spontaneous_FIN
+964800595.078358 weird: spontaneous_FIN
+964800595.078480 weird: spontaneous_FIN
+964800595.078601 weird: spontaneous_FIN
+964800595.078723 weird: spontaneous_FIN
+964800595.078845 weird: spontaneous_FIN
+964800595.078970 weird: spontaneous_FIN
+964800595.079092 weird: spontaneous_FIN
+964800595.079214 weird: spontaneous_FIN
+964800595.079331 weird: spontaneous_FIN
+964800595.079451 weird: spontaneous_FIN
+964800595.079576 weird: spontaneous_FIN
+964800595.079700 weird: spontaneous_FIN
+964800595.079842 weird: spontaneous_FIN
+964800595.165160 weird: spontaneous_FIN
+964800595.165251 weird: spontaneous_FIN
+964800595.165365 weird: spontaneous_FIN
+964800595.165572 weird: spontaneous_FIN
+964800595.165660 weird: spontaneous_FIN
+964800595.165787 weird: spontaneous_FIN
+964800595.165914 weird: spontaneous_FIN
+964800595.166043 weird: spontaneous_FIN
+964800595.166174 weird: spontaneous_FIN
+964800595.166315 weird: spontaneous_FIN
+964800595.166438 weird: spontaneous_FIN
+964800595.166869 weird: spontaneous_FIN
+964800595.167041 weird: spontaneous_FIN
+964800595.167374 weird: spontaneous_FIN
+964800595.167721 weird: spontaneous_FIN
+964800595.167891 weird: spontaneous_FIN
+964800595.168224 weird: spontaneous_FIN
+964800595.168555 weird: spontaneous_FIN
+964800595.168891 weird: spontaneous_FIN
+964800595.168902 weird: spontaneous_FIN
+964800595.169073 weird: spontaneous_FIN
+964800595.169405 weird: spontaneous_FIN
+964800595.169905 weird: spontaneous_FIN
+964800595.170237 weird: spontaneous_FIN
+964800595.170404 weird: spontaneous_FIN
+964800595.170739 weird: spontaneous_FIN
+964800595.171064 weird: spontaneous_FIN
+964800595.171391 weird: spontaneous_FIN
+964800595.171558 weird: spontaneous_FIN
+964800595.171885 weird: spontaneous_FIN
+964800595.172210 weird: spontaneous_FIN
+964800595.172536 weird: spontaneous_FIN
+964800595.172863 weird: spontaneous_FIN
+964800595.173189 weird: spontaneous_FIN
+964800595.173357 weird: spontaneous_FIN
+964800595.173700 weird: spontaneous_FIN
+964800595.174025 weird: spontaneous_FIN
+964800595.174192 weird: spontaneous_FIN
+964800595.174518 weird: spontaneous_FIN
+964800595.174844 weird: spontaneous_FIN
+964800595.175011 weird: spontaneous_FIN
+964800595.256567 weird: spontaneous_FIN
+964800595.256655 weird: spontaneous_FIN
+964800595.256727 weird: spontaneous_FIN
+964800595.256959 weird: spontaneous_FIN
+964800595.257059 weird: spontaneous_FIN
+964800595.257207 weird: spontaneous_FIN
+964800595.257322 weird: spontaneous_FIN
+964800595.257452 weird: spontaneous_FIN
+964800595.257580 weird: spontaneous_FIN
+964800595.257691 weird: spontaneous_FIN
+964800595.257819 weird: spontaneous_FIN
+964800595.257943 weird: spontaneous_FIN
+964800595.258083 weird: spontaneous_FIN
+964800595.258207 weird: spontaneous_FIN
+964800595.258331 weird: spontaneous_FIN
+964800595.258471 weird: spontaneous_FIN
+964800595.258600 weird: spontaneous_FIN
+964800595.258725 weird: spontaneous_FIN
+964800595.258849 weird: spontaneous_FIN
+964800595.258978 weird: spontaneous_FIN
+964800595.259101 weird: spontaneous_FIN
+964800595.259225 weird: spontaneous_FIN
+964800595.259348 weird: spontaneous_FIN
+964800595.259474 weird: spontaneous_FIN
+964800595.259600 weird: spontaneous_FIN
+964800595.259724 weird: spontaneous_FIN
+964800595.259851 weird: spontaneous_FIN
+964800595.259992 weird: spontaneous_FIN
+964800595.260119 weird: spontaneous_FIN
+964800595.260342 weird: spontaneous_FIN
+964800595.260436 weird: spontaneous_FIN
+964800595.260692 weird: spontaneous_FIN
+964800595.260786 weird: spontaneous_FIN
+964800595.261023 weird: spontaneous_FIN
+964800595.261115 weird: spontaneous_FIN
+964800595.261372 weird: spontaneous_FIN
+964800595.261468 weird: spontaneous_FIN
+964800595.261731 weird: spontaneous_FIN
+964800595.261824 weird: spontaneous_FIN
+964800595.262062 weird: spontaneous_FIN
+964800595.262156 weird: spontaneous_FIN
+964800595.262418 weird: spontaneous_FIN
+964800595.262514 weird: spontaneous_FIN
+964800595.262754 weird: spontaneous_FIN
+964800595.262869 weird: spontaneous_FIN
+964800595.345259 weird: spontaneous_FIN
+964800595.345355 weird: spontaneous_FIN
+964800595.345565 weird: spontaneous_FIN
+964800595.345653 weird: spontaneous_FIN
+964800595.345785 weird: spontaneous_FIN
+964800595.345910 weird: spontaneous_FIN
+964800595.346035 weird: spontaneous_FIN
+964800595.346176 weird: spontaneous_FIN
+964800595.346299 weird: spontaneous_FIN
+964800595.346422 weird: spontaneous_FIN
+964800595.346546 weird: spontaneous_FIN
+964800595.346624 weird: spontaneous_FIN
+964800595.346759 weird: spontaneous_FIN
+964800595.346879 weird: spontaneous_FIN
+964800595.347002 weird: spontaneous_FIN
+964800595.347124 weird: spontaneous_FIN
+964800595.347251 weird: spontaneous_FIN
+964800595.347375 weird: spontaneous_FIN
+964800595.347500 weird: spontaneous_FIN
+964800595.347624 weird: spontaneous_FIN
+964800595.347746 weird: spontaneous_FIN
+964800595.347887 weird: spontaneous_FIN
+964800595.348017 weird: spontaneous_FIN
+964800595.348147 weird: spontaneous_FIN
+964800595.348276 weird: spontaneous_FIN
+964800595.348420 weird: spontaneous_FIN
+964800595.348545 weird: spontaneous_FIN
+964800595.348670 weird: spontaneous_FIN
+964800595.348797 weird: spontaneous_FIN
+964800595.348923 weird: spontaneous_FIN
+964800595.349065 weird: spontaneous_FIN
+964800595.349192 weird: spontaneous_FIN
+964800595.349312 weird: spontaneous_FIN
+964800595.349453 weird: spontaneous_FIN
+964800595.349570 weird: spontaneous_FIN
+964800595.349695 weird: spontaneous_FIN
+964800595.349817 weird: spontaneous_FIN
+964800595.349940 weird: spontaneous_FIN
+964800595.350064 weird: spontaneous_FIN
+964800595.350207 weird: spontaneous_FIN
+964800595.350331 weird: spontaneous_FIN
+964800595.350456 weird: spontaneous_FIN
+964800595.350584 weird: spontaneous_FIN
+964800595.350709 weird: spontaneous_FIN
+964800595.350854 weird: spontaneous_FIN
+964800595.350981 weird: spontaneous_FIN
+964800595.351109 weird: spontaneous_FIN
+964800595.351253 weird: spontaneous_FIN
+964800595.351377 weird: spontaneous_FIN
+964800595.445255 weird: spontaneous_FIN
+964800595.445361 weird: spontaneous_FIN
+964800595.445442 weird: spontaneous_FIN
+964800595.445652 weird: spontaneous_FIN
+964800595.445739 weird: spontaneous_FIN
+964800595.445900 weird: spontaneous_FIN
+964800595.446008 weird: spontaneous_FIN
+964800595.446138 weird: spontaneous_FIN
+964800595.446282 weird: spontaneous_FIN
+964800595.446407 weird: spontaneous_FIN
+964800595.446534 weird: spontaneous_FIN
+964800595.446664 weird: spontaneous_FIN
+964800595.446791 weird: spontaneous_FIN
+964800595.446931 weird: spontaneous_FIN
+964800595.447052 weird: spontaneous_FIN
+964800595.447178 weird: spontaneous_FIN
+964800595.447321 weird: spontaneous_FIN
+964800595.447429 weird: spontaneous_FIN
+964800595.447595 weird: spontaneous_FIN
+964800595.447708 weird: spontaneous_FIN
+964800595.447832 weird: spontaneous_FIN
+964800595.447955 weird: spontaneous_FIN
+964800595.448081 weird: spontaneous_FIN
+964800595.448220 weird: spontaneous_FIN
+964800595.448344 weird: spontaneous_FIN
+964800595.448484 weird: spontaneous_FIN
+964800595.448608 weird: spontaneous_FIN
+964800595.448733 weird: spontaneous_FIN
+964800595.448859 weird: spontaneous_FIN
+964800595.448987 weird: spontaneous_FIN
+964800595.449112 weird: spontaneous_FIN
+964800595.449255 weird: spontaneous_FIN
+964800595.449380 weird: spontaneous_FIN
+964800595.449506 weird: spontaneous_FIN
+964800595.449632 weird: spontaneous_FIN
+964800595.449763 weird: spontaneous_FIN
+964800595.449908 weird: spontaneous_FIN
+964800595.450034 weird: spontaneous_FIN
+964800595.450162 weird: spontaneous_FIN
+964800595.450300 weird: spontaneous_FIN
+964800595.450423 weird: spontaneous_FIN
+964800595.450566 weird: spontaneous_FIN
+964800595.450690 weird: spontaneous_FIN
+964800595.450819 weird: spontaneous_FIN
+964800595.450959 weird: spontaneous_FIN
+964800595.451070 weird: spontaneous_FIN
+964800595.451196 weird: spontaneous_FIN
+964800595.451318 weird: spontaneous_FIN
+964800595.451442 weird: spontaneous_FIN
+964800595.451566 weird: spontaneous_FIN
+964800595.451704 weird: spontaneous_FIN
+964800595.451827 weird: spontaneous_FIN
+964800595.533346 weird: spontaneous_FIN
+964800595.533436 weird: spontaneous_FIN
+964800595.533522 weird: spontaneous_FIN
+964800595.533687 weird: spontaneous_FIN
+964800595.533867 weird: spontaneous_FIN
+964800595.533994 weird: spontaneous_FIN
+964800595.534126 weird: spontaneous_FIN
+964800595.534249 weird: spontaneous_FIN
+964800595.534382 weird: spontaneous_FIN
+964800595.534515 weird: spontaneous_FIN
+964800595.534633 weird: spontaneous_FIN
+964800595.534758 weird: spontaneous_FIN
+964800595.534892 weird: spontaneous_FIN
+964800595.535070 weird: spontaneous_FIN
+964800595.535185 weird: spontaneous_FIN
+964800595.535321 weird: spontaneous_FIN
+964800595.535446 weird: spontaneous_FIN
+964800595.535571 weird: spontaneous_FIN
+964800595.535696 weird: spontaneous_FIN
+964800595.535826 weird: spontaneous_FIN
+964800595.535951 weird: spontaneous_FIN
+964800595.536087 weird: spontaneous_FIN
+964800595.536212 weird: spontaneous_FIN
+964800595.536333 weird: spontaneous_FIN
+964800595.536470 weird: spontaneous_FIN
+964800595.536592 weird: spontaneous_FIN
+964800595.536723 weird: spontaneous_FIN
+964800595.536870 weird: spontaneous_FIN
+964800595.537007 weird: spontaneous_FIN
+964800595.537127 weird: spontaneous_FIN
+964800595.537255 weird: spontaneous_FIN
+964800595.537383 weird: spontaneous_FIN
+964800595.537518 weird: spontaneous_FIN
+964800595.537641 weird: spontaneous_FIN
+964800595.537761 weird: spontaneous_FIN
+964800595.537886 weird: spontaneous_FIN
+964800595.538020 weird: spontaneous_FIN
+964800595.538148 weird: spontaneous_FIN
+964800595.538272 weird: spontaneous_FIN
+964800595.538398 weird: spontaneous_FIN
+964800595.538528 weird: spontaneous_FIN
+964800595.538640 weird: spontaneous_FIN
+964800595.538770 weird: spontaneous_FIN
+964800595.538911 weird: spontaneous_FIN
+964800595.539036 weird: spontaneous_FIN
+964800595.539165 weird: spontaneous_FIN
+964800595.539309 weird: spontaneous_FIN
+964800595.539425 weird: spontaneous_FIN
+964800595.539554 weird: spontaneous_FIN
+964800595.539698 weird: spontaneous_FIN
+964800595.539824 weird: spontaneous_FIN
+964800595.539970 weird: spontaneous_FIN
+964800595.540092 weird: spontaneous_FIN
+964800595.540213 weird: spontaneous_FIN
+964800595.540290 weird: spontaneous_FIN
+964800595.540454 weird: spontaneous_FIN
+964800595.541427 weird: bad_ICMP_checksum
+964800595.626008 weird: spontaneous_FIN
+964800595.626107 weird: spontaneous_FIN
+964800595.626187 weird: spontaneous_FIN
+964800595.626273 weird: spontaneous_FIN
+964800595.626512 weird: spontaneous_FIN
+964800595.626592 weird: spontaneous_FIN
+964800595.626754 weird: spontaneous_FIN
+964800595.626862 weird: spontaneous_FIN
+964800595.626989 weird: spontaneous_FIN
+964800595.627117 weird: spontaneous_FIN
+964800595.627244 weird: spontaneous_FIN
+964800595.627388 weird: spontaneous_FIN
+964800595.627505 weird: spontaneous_FIN
+964800595.627630 weird: spontaneous_FIN
+964800595.627759 weird: spontaneous_FIN
+964800595.627901 weird: spontaneous_FIN
+964800595.628024 weird: spontaneous_FIN
+964800595.628147 weird: spontaneous_FIN
+964800595.628289 weird: spontaneous_FIN
+964800595.628507 weird: spontaneous_FIN
+964800595.628593 weird: spontaneous_FIN
+964800595.628729 weird: spontaneous_FIN
+964800595.628855 weird: spontaneous_FIN
+964800595.628977 weird: spontaneous_FIN
+964800595.629114 weird: spontaneous_FIN
+964800595.629223 weird: spontaneous_FIN
+964800595.629348 weird: spontaneous_FIN
+964800595.629476 weird: spontaneous_FIN
+964800595.629604 weird: spontaneous_FIN
+964800595.629730 weird: spontaneous_FIN
+964800595.629861 weird: spontaneous_FIN
+964800595.629987 weird: spontaneous_FIN
+964800595.630113 weird: spontaneous_FIN
+964800595.630233 weird: spontaneous_FIN
+964800595.630359 weird: spontaneous_FIN
+964800595.630542 weird: spontaneous_FIN
+964800595.630661 weird: spontaneous_FIN
+964800595.630792 weird: spontaneous_FIN
+964800595.630920 weird: spontaneous_FIN
+964800595.631043 weird: spontaneous_FIN
+964800595.631167 weird: spontaneous_FIN
+964800595.631311 weird: spontaneous_FIN
+964800595.631433 weird: spontaneous_FIN
+964800595.631556 weird: spontaneous_FIN
+964800595.631680 weird: spontaneous_FIN
+964800595.631804 weird: spontaneous_FIN
+964800595.631930 weird: spontaneous_FIN
+964800595.632055 weird: spontaneous_FIN
+964800595.632183 weird: spontaneous_FIN
+964800595.632312 weird: spontaneous_FIN
+964800595.632442 weird: spontaneous_FIN
+964800595.632572 weird: spontaneous_FIN
+964800595.632699 weird: spontaneous_FIN
+964800595.632827 weird: spontaneous_FIN
+964800595.632952 weird: spontaneous_FIN
+964800595.633077 weird: spontaneous_FIN
+964800595.633203 weird: spontaneous_FIN
+964800595.633322 weird: spontaneous_FIN
+964800595.633448 weird: spontaneous_FIN
+964800595.633569 weird: spontaneous_FIN
+964800595.725241 weird: spontaneous_FIN
+964800595.725339 weird: spontaneous_FIN
+964800595.737019 weird: spontaneous_FIN
+964800595.737122 weird: spontaneous_FIN
+964800595.737303 weird: spontaneous_FIN
+964800595.737419 weird: spontaneous_FIN
+964800595.737542 weird: spontaneous_FIN
+964800595.737669 weird: spontaneous_FIN
+964800595.737798 weird: spontaneous_FIN
+964800595.737924 weird: spontaneous_FIN
+964800595.738052 weird: spontaneous_FIN
+964800595.738194 weird: spontaneous_FIN
+964800595.738319 weird: spontaneous_FIN
+964800595.738442 weird: spontaneous_FIN
+964800595.738566 weird: spontaneous_FIN
+964800595.738705 weird: spontaneous_FIN
+964800595.738828 weird: spontaneous_FIN
+964800595.738952 weird: spontaneous_FIN
+964800595.739081 weird: spontaneous_FIN
+964800595.739223 weird: spontaneous_FIN
+964800595.739349 weird: spontaneous_FIN
+964800595.739457 weird: spontaneous_FIN
+964800595.739584 weird: spontaneous_FIN
+964800595.739706 weird: spontaneous_FIN
+964800595.739829 weird: spontaneous_FIN
+964800595.739954 weird: spontaneous_FIN
+964800595.740077 weird: spontaneous_FIN
+964800595.740244 weird: spontaneous_FIN
+964800595.740366 weird: spontaneous_FIN
+964800595.740489 weird: spontaneous_FIN
+964800595.740618 weird: spontaneous_FIN
+964800595.740746 weird: spontaneous_FIN
+964800595.740882 weird: spontaneous_FIN
+964800595.741005 weird: spontaneous_FIN
+964800595.741131 weird: spontaneous_FIN
+964800595.741258 weird: spontaneous_FIN
+964800595.741386 weird: spontaneous_FIN
+964800595.741514 weird: spontaneous_FIN
+964800595.741642 weird: spontaneous_FIN
+964800595.741828 weird: spontaneous_FIN
+964800595.741952 weird: spontaneous_FIN
+964800595.742095 weird: spontaneous_FIN
+964800595.742218 weird: spontaneous_FIN
+964800595.742361 weird: spontaneous_FIN
+964800595.742484 weird: spontaneous_FIN
+964800595.742682 weird: spontaneous_FIN
+964800595.742779 weird: spontaneous_FIN
+964800595.743031 weird: spontaneous_FIN
+964800595.743122 weird: spontaneous_FIN
+964800595.743371 weird: spontaneous_FIN
+964800595.743520 weird: spontaneous_FIN
+964800595.743571 weird: spontaneous_FIN
+964800595.743821 weird: spontaneous_FIN
+964800595.743906 weird: spontaneous_FIN
+964800595.744075 weird: spontaneous_FIN
+964800595.744183 weird: spontaneous_FIN
+964800595.744313 weird: spontaneous_FIN
+964800595.744441 weird: spontaneous_FIN
+964800595.744569 weird: spontaneous_FIN
+964800595.744779 weird: spontaneous_FIN
+964800595.744877 weird: spontaneous_FIN
+964800595.745153 weird: spontaneous_FIN
+964800595.745244 weird: spontaneous_FIN
+964800595.745498 weird: spontaneous_FIN
+964800595.835321 weird: spontaneous_FIN
+964800595.835417 weird: spontaneous_FIN
+964800595.835531 weird: spontaneous_FIN
+964800595.835735 weird: spontaneous_FIN
+964800595.835819 weird: spontaneous_FIN
+964800595.835976 weird: spontaneous_FIN
+964800595.836080 weird: spontaneous_FIN
+964800595.836207 weird: spontaneous_FIN
+964800595.836334 weird: spontaneous_FIN
+964800595.836458 weird: spontaneous_FIN
+964800595.836575 weird: spontaneous_FIN
+964800595.836702 weird: spontaneous_FIN
+964800595.836830 weird: spontaneous_FIN
+964800595.836958 weird: spontaneous_FIN
+964800595.837101 weird: spontaneous_FIN
+964800595.837226 weird: spontaneous_FIN
+964800595.837394 weird: spontaneous_FIN
+964800595.837509 weird: spontaneous_FIN
+964800595.837668 weird: spontaneous_FIN
+964800595.837792 weird: spontaneous_FIN
+964800595.837931 weird: spontaneous_FIN
+964800595.838051 weird: spontaneous_FIN
+964800595.838178 weird: spontaneous_FIN
+964800595.838319 weird: spontaneous_FIN
+964800595.838441 weird: spontaneous_FIN
+964800595.838568 weird: spontaneous_FIN
+964800595.838682 weird: spontaneous_FIN
+964800595.838821 weird: spontaneous_FIN
+964800595.838947 weird: spontaneous_FIN
+964800595.839057 weird: spontaneous_FIN
+964800595.839183 weird: spontaneous_FIN
+964800595.839308 weird: spontaneous_FIN
+964800595.839433 weird: spontaneous_FIN
+964800595.839557 weird: spontaneous_FIN
+964800595.839681 weird: spontaneous_FIN
+964800595.839808 weird: spontaneous_FIN
+964800595.839938 weird: spontaneous_FIN
+964800595.840064 weird: spontaneous_FIN
+964800595.840196 weird: spontaneous_FIN
+964800595.840340 weird: spontaneous_FIN
+964800595.840456 weird: spontaneous_FIN
+964800595.840578 weird: spontaneous_FIN
+964800595.840701 weird: spontaneous_FIN
+964800595.840825 weird: spontaneous_FIN
+964800595.840949 weird: spontaneous_FIN
+964800595.841073 weird: spontaneous_FIN
+964800595.841213 weird: spontaneous_FIN
+964800595.841331 weird: spontaneous_FIN
+964800595.841456 weird: spontaneous_FIN
+964800595.841580 weird: spontaneous_FIN
+964800595.841710 weird: spontaneous_FIN
+964800595.841912 weird: spontaneous_FIN
+964800595.842006 weird: spontaneous_FIN
+964800595.842238 weird: spontaneous_FIN
+964800595.842333 weird: spontaneous_FIN
+964800595.842554 weird: spontaneous_FIN
+964800595.842649 weird: spontaneous_FIN
+964800595.842879 weird: spontaneous_FIN
+964800595.842969 weird: spontaneous_FIN
+964800595.843200 weird: spontaneous_FIN
+964800595.843294 weird: spontaneous_FIN
+964800595.843538 weird: spontaneous_FIN
+964800595.843631 weird: spontaneous_FIN
+964800595.843868 weird: spontaneous_FIN
+964800595.843962 weird: spontaneous_FIN
+964800595.844209 weird: spontaneous_FIN
+964800595.844304 weird: spontaneous_FIN
+964800595.844536 weird: spontaneous_FIN
+964800595.925253 weird: spontaneous_FIN
+964800595.925350 weird: spontaneous_FIN
+964800595.925424 weird: spontaneous_FIN
+964800595.925681 weird: spontaneous_FIN
+964800595.925763 weird: spontaneous_FIN
+964800595.925931 weird: spontaneous_FIN
+964800595.926038 weird: spontaneous_FIN
+964800595.926268 weird: spontaneous_FIN
+964800595.926285 weird: spontaneous_FIN
+964800595.926334 weird: spontaneous_FIN
+964800595.926520 weird: spontaneous_FIN
+964800595.926707 weird: spontaneous_FIN
+964800595.926818 weird: spontaneous_FIN
+964800595.926945 weird: spontaneous_FIN
+964800595.927087 weird: spontaneous_FIN
+964800595.927202 weird: spontaneous_FIN
+964800595.927323 weird: spontaneous_FIN
+964800595.927447 weird: spontaneous_FIN
+964800595.927569 weird: spontaneous_FIN
+964800595.927693 weird: spontaneous_FIN
+964800595.927816 weird: spontaneous_FIN
+964800595.927938 weird: spontaneous_FIN
+964800595.928062 weird: spontaneous_FIN
+964800595.928186 weird: spontaneous_FIN
+964800595.928310 weird: spontaneous_FIN
+964800595.928437 weird: spontaneous_FIN
+964800595.928595 weird: spontaneous_FIN
+964800595.928701 weird: spontaneous_FIN
+964800595.928874 weird: spontaneous_FIN
+964800595.928988 weird: spontaneous_FIN
+964800595.929113 weird: spontaneous_FIN
+964800595.929238 weird: spontaneous_FIN
+964800595.929367 weird: spontaneous_FIN
+964800595.929566 weird: spontaneous_FIN
+964800595.929674 weird: spontaneous_FIN
+964800595.929852 weird: spontaneous_FIN
+964800595.929978 weird: spontaneous_FIN
+964800595.930101 weird: spontaneous_FIN
+964800595.930227 weird: spontaneous_FIN
+964800595.930368 weird: spontaneous_FIN
+964800595.930493 weird: spontaneous_FIN
+964800595.930637 weird: spontaneous_FIN
+964800595.930759 weird: spontaneous_FIN
+964800595.930901 weird: spontaneous_FIN
+964800595.931026 weird: spontaneous_FIN
+964800595.931150 weird: spontaneous_FIN
+964800595.931293 weird: spontaneous_FIN
+964800595.931437 weird: spontaneous_FIN
+964800595.931561 weird: spontaneous_FIN
+964800595.931706 weird: spontaneous_FIN
+964800595.931827 weird: spontaneous_FIN
+964800595.931950 weird: spontaneous_FIN
+964800595.932074 weird: spontaneous_FIN
+964800595.932201 weird: spontaneous_FIN
+964800595.932327 weird: spontaneous_FIN
+964800595.932764 weird: spontaneous_FIN
+964800595.933098 weird: spontaneous_FIN
+964800595.933430 weird: spontaneous_FIN
+964800595.933760 weird: spontaneous_FIN
+964800595.934093 weird: spontaneous_FIN
+964800595.934425 weird: spontaneous_FIN
+964800595.934757 weird: spontaneous_FIN
+964800595.934926 weird: spontaneous_FIN
+964800595.934936 weird: spontaneous_FIN
+964800595.934946 weird: spontaneous_FIN
+964800595.935272 weird: spontaneous_FIN
+964800595.935597 weird: spontaneous_FIN
+964800595.935923 weird: spontaneous_FIN
+964800595.936090 weird: spontaneous_FIN
+964800595.936416 weird: spontaneous_FIN
+964800595.936742 weird: spontaneous_FIN
+964800595.937067 weird: spontaneous_FIN
+964800596.020982 weird: spontaneous_FIN
+964800596.021078 weird: spontaneous_FIN
+964800596.021154 weird: spontaneous_FIN
+964800596.021390 weird: spontaneous_FIN
+964800596.021474 weird: spontaneous_FIN
+964800596.021636 weird: spontaneous_FIN
+964800596.021743 weird: spontaneous_FIN
+964800596.021874 weird: spontaneous_FIN
+964800596.021996 weird: spontaneous_FIN
+964800596.022118 weird: spontaneous_FIN
+964800596.022246 weird: spontaneous_FIN
+964800596.022387 weird: spontaneous_FIN
+964800596.022510 weird: spontaneous_FIN
+964800596.022634 weird: spontaneous_FIN
+964800596.022774 weird: spontaneous_FIN
+964800596.022902 weird: spontaneous_FIN
+964800596.023043 weird: spontaneous_FIN
+964800596.023187 weird: spontaneous_FIN
+964800596.023275 weird: spontaneous_FIN
+964800596.023445 weird: spontaneous_FIN
+964800596.023555 weird: spontaneous_FIN
+964800596.023685 weird: spontaneous_FIN
+964800596.023810 weird: spontaneous_FIN
+964800596.023957 weird: spontaneous_FIN
+964800596.024074 weird: spontaneous_FIN
+964800596.024199 weird: spontaneous_FIN
+964800596.024326 weird: spontaneous_FIN
+964800596.024454 weird: spontaneous_FIN
+964800596.024587 weird: spontaneous_FIN
+964800596.024707 weird: spontaneous_FIN
+964800596.024839 weird: spontaneous_FIN
+964800596.024956 weird: spontaneous_FIN
+964800596.025140 weird: spontaneous_FIN
+964800596.025251 weird: spontaneous_FIN
+964800596.025377 weird: spontaneous_FIN
+964800596.025501 weird: spontaneous_FIN
+964800596.025642 weird: spontaneous_FIN
+964800596.025761 weird: spontaneous_FIN
+964800596.025846 weird: spontaneous_FIN
+964800596.026016 weird: spontaneous_FIN
+964800596.026130 weird: spontaneous_FIN
+964800596.026254 weird: spontaneous_FIN
+964800596.026393 weird: spontaneous_FIN
+964800596.026509 weird: spontaneous_FIN
+964800596.026632 weird: spontaneous_FIN
+964800596.026756 weird: spontaneous_FIN
+964800596.026884 weird: spontaneous_FIN
+964800596.027028 weird: spontaneous_FIN
+964800596.027149 weird: spontaneous_FIN
+964800596.027274 weird: spontaneous_FIN
+964800596.027418 weird: spontaneous_FIN
+964800596.027541 weird: spontaneous_FIN
+964800596.027678 weird: spontaneous_FIN
+964800596.027800 weird: spontaneous_FIN
+964800596.027922 weird: spontaneous_FIN
+964800596.028064 weird: spontaneous_FIN
+964800596.028188 weird: spontaneous_FIN
+964800596.028297 weird: spontaneous_FIN
+964800596.028425 weird: spontaneous_FIN
+964800596.028554 weird: spontaneous_FIN
+964800596.028729 weird: spontaneous_FIN
+964800596.028910 weird: spontaneous_FIN
+964800596.029031 weird: spontaneous_FIN
+964800596.029252 weird: spontaneous_FIN
+964800596.029360 weird: spontaneous_FIN
+964800596.029571 weird: spontaneous_FIN
+964800596.029678 weird: spontaneous_FIN
+964800596.029901 weird: spontaneous_FIN
+964800596.030007 weird: spontaneous_FIN
+964800596.030231 weird: spontaneous_FIN
+964800596.030347 weird: spontaneous_FIN
+964800596.030602 weird: spontaneous_FIN
+964800596.030699 weird: spontaneous_FIN
+964800596.030936 weird: spontaneous_FIN
+964800596.031030 weird: spontaneous_FIN
+964800596.031291 weird: spontaneous_FIN
+964800596.120457 weird: spontaneous_FIN
+964800596.120556 weird: spontaneous_FIN
+964800596.120637 weird: spontaneous_FIN
+964800596.120760 weird: spontaneous_FIN
+964800596.120969 weird: spontaneous_FIN
+964800596.121056 weird: spontaneous_FIN
+964800596.121202 weird: spontaneous_FIN
+964800596.121313 weird: spontaneous_FIN
+964800596.121441 weird: spontaneous_FIN
+964800596.121564 weird: spontaneous_FIN
+964800596.121708 weird: spontaneous_FIN
+964800596.121827 weird: spontaneous_FIN
+964800596.121951 weird: spontaneous_FIN
+964800596.122127 weird: spontaneous_FIN
+964800596.122235 weird: spontaneous_FIN
+964800596.122360 weird: spontaneous_FIN
+964800596.122487 weird: spontaneous_FIN
+964800596.122608 weird: spontaneous_FIN
+964800596.122729 weird: spontaneous_FIN
+964800596.122853 weird: spontaneous_FIN
+964800596.122981 weird: spontaneous_FIN
+964800596.123102 weird: spontaneous_FIN
+964800596.123339 weird: spontaneous_FIN
+964800596.123420 weird: spontaneous_FIN
+964800596.123581 weird: spontaneous_FIN
+964800596.123676 weird: spontaneous_FIN
+964800596.123817 weird: spontaneous_FIN
+964800596.123925 weird: spontaneous_FIN
+964800596.124050 weird: spontaneous_FIN
+964800596.124165 weird: spontaneous_FIN
+964800596.124292 weird: spontaneous_FIN
+964800596.124414 weird: spontaneous_FIN
+964800596.124535 weird: spontaneous_FIN
+964800596.124660 weird: spontaneous_FIN
+964800596.124785 weird: spontaneous_FIN
+964800596.124910 weird: spontaneous_FIN
+964800596.125123 weird: spontaneous_FIN
+964800596.125205 weird: spontaneous_FIN
+964800596.125368 weird: spontaneous_FIN
+964800596.125478 weird: spontaneous_FIN
+964800596.125605 weird: spontaneous_FIN
+964800596.125734 weird: spontaneous_FIN
+964800596.125872 weird: spontaneous_FIN
+964800596.125993 weird: spontaneous_FIN
+964800596.126114 weird: spontaneous_FIN
+964800596.126235 weird: spontaneous_FIN
+964800596.126357 weird: spontaneous_FIN
+964800596.126480 weird: spontaneous_FIN
+964800596.126647 weird: spontaneous_FIN
+964800596.126761 weird: spontaneous_FIN
+964800596.126899 weird: spontaneous_FIN
+964800596.127024 weird: spontaneous_FIN
+964800596.127205 weird: spontaneous_FIN
+964800596.127318 weird: spontaneous_FIN
+964800596.127457 weird: spontaneous_FIN
+964800596.127578 weird: spontaneous_FIN
+964800596.127700 weird: spontaneous_FIN
+964800596.127827 weird: spontaneous_FIN
+964800596.127993 weird: spontaneous_FIN
+964800596.128116 weird: spontaneous_FIN
+964800596.128244 weird: spontaneous_FIN
+964800596.128372 weird: spontaneous_FIN
+964800596.128512 weird: spontaneous_FIN
+964800596.128633 weird: spontaneous_FIN
+964800596.128754 weird: spontaneous_FIN
+964800596.128877 weird: spontaneous_FIN
+964800596.129001 weird: spontaneous_FIN
+964800596.129124 weird: spontaneous_FIN
+964800596.129292 weird: spontaneous_FIN
+964800596.129409 weird: spontaneous_FIN
+964800596.129544 weird: spontaneous_FIN
+964800596.129664 weird: spontaneous_FIN
+964800596.129789 weird: spontaneous_FIN
+964800596.129913 weird: spontaneous_FIN
+964800596.130037 weird: spontaneous_FIN
+964800596.130181 weird: spontaneous_FIN
+964800596.130302 weird: spontaneous_FIN
+964800596.130422 weird: spontaneous_FIN
+964800596.130563 weird: spontaneous_FIN
+964800596.130680 weird: spontaneous_FIN
+964800596.215247 weird: spontaneous_FIN
+964800596.215341 weird: spontaneous_FIN
+964800596.215464 weird: spontaneous_FIN
+964800596.215639 weird: spontaneous_FIN
+964800596.215750 weird: spontaneous_FIN
+964800596.215873 weird: spontaneous_FIN
+964800596.216013 weird: spontaneous_FIN
+964800596.216140 weird: spontaneous_FIN
+964800596.216250 weird: spontaneous_FIN
+964800596.216378 weird: spontaneous_FIN
+964800596.216458 weird: spontaneous_FIN
+964800596.216614 weird: spontaneous_FIN
+964800596.216720 weird: spontaneous_FIN
+964800596.216851 weird: spontaneous_FIN
+964800596.216976 weird: spontaneous_FIN
+964800596.217103 weird: spontaneous_FIN
+964800596.217244 weird: spontaneous_FIN
+964800596.217361 weird: spontaneous_FIN
+964800596.217485 weird: spontaneous_FIN
+964800596.217610 weird: spontaneous_FIN
+964800596.217739 weird: spontaneous_FIN
+964800596.217881 weird: spontaneous_FIN
+964800596.218007 weird: spontaneous_FIN
+964800596.218123 weird: spontaneous_FIN
+964800596.218248 weird: spontaneous_FIN
+964800596.218374 weird: spontaneous_FIN
+964800596.218515 weird: spontaneous_FIN
+964800596.218701 weird: spontaneous_FIN
+964800596.218823 weird: spontaneous_FIN
+964800596.218967 weird: spontaneous_FIN
+964800596.219111 weird: spontaneous_FIN
+964800596.219200 weird: spontaneous_FIN
+964800596.219381 weird: spontaneous_FIN
+964800596.219490 weird: spontaneous_FIN
+964800596.219615 weird: spontaneous_FIN
+964800596.219743 weird: spontaneous_FIN
+964800596.219884 weird: spontaneous_FIN
+964800596.220006 weird: spontaneous_FIN
+964800596.220129 weird: spontaneous_FIN
+964800596.220272 weird: spontaneous_FIN
+964800596.220407 weird: spontaneous_FIN
+964800596.220521 weird: spontaneous_FIN
+964800596.220688 weird: spontaneous_FIN
+964800596.220804 weird: spontaneous_FIN
+964800596.220946 weird: spontaneous_FIN
+964800596.221074 weird: spontaneous_FIN
+964800596.221204 weird: spontaneous_FIN
+964800596.221333 weird: spontaneous_FIN
+964800596.221458 weird: spontaneous_FIN
+964800596.221582 weird: spontaneous_FIN
+964800596.221709 weird: spontaneous_FIN
+964800596.221834 weird: spontaneous_FIN
+964800596.221971 weird: spontaneous_FIN
+964800596.222093 weird: spontaneous_FIN
+964800596.222219 weird: spontaneous_FIN
+964800596.222346 weird: spontaneous_FIN
+964800596.222468 weird: spontaneous_FIN
+964800596.222606 weird: spontaneous_FIN
+964800596.222732 weird: spontaneous_FIN
+964800596.222876 weird: spontaneous_FIN
+964800596.223001 weird: spontaneous_FIN
+964800596.223125 weird: spontaneous_FIN
+964800596.223268 weird: spontaneous_FIN
+964800596.223392 weird: spontaneous_FIN
+964800596.223533 weird: spontaneous_FIN
+964800596.223658 weird: spontaneous_FIN
+964800596.223782 weird: spontaneous_FIN
+964800596.223909 weird: spontaneous_FIN
+964800596.224037 weird: spontaneous_FIN
+964800596.224253 weird: spontaneous_FIN
+964800596.224343 weird: spontaneous_FIN
+964800596.224465 weird: spontaneous_FIN
+964800596.224652 weird: spontaneous_FIN
+964800596.224768 weird: spontaneous_FIN
+964800596.224970 weird: spontaneous_FIN
+964800596.225103 weird: spontaneous_FIN
+964800596.225233 weird: spontaneous_FIN
+964800596.225378 weird: spontaneous_FIN
+964800596.225520 weird: spontaneous_FIN
+964800596.225650 weird: spontaneous_FIN
+964800596.225781 weird: spontaneous_FIN
+964800596.225909 weird: spontaneous_FIN
+964800596.226048 weird: spontaneous_FIN
+964800596.293525 weird: bad_ICMP_checksum
+964800596.313467 weird: spontaneous_FIN
+964800596.313575 weird: spontaneous_FIN
+964800596.313666 weird: spontaneous_FIN
+964800596.313876 weird: spontaneous_FIN
+964800596.313969 weird: spontaneous_FIN
+964800596.314171 weird: spontaneous_FIN
+964800596.314269 weird: spontaneous_FIN
+964800596.314458 weird: spontaneous_FIN
+964800596.314559 weird: spontaneous_FIN
+964800596.314740 weird: spontaneous_FIN
+964800596.314852 weird: spontaneous_FIN
+964800596.315093 weird: spontaneous_FIN
+964800596.315189 weird: spontaneous_FIN
+964800596.315358 weird: spontaneous_FIN
+964800596.315478 weird: spontaneous_FIN
+964800596.315607 weird: spontaneous_FIN
+964800596.315739 weird: spontaneous_FIN
+964800596.315868 weird: spontaneous_FIN
+964800596.315995 weird: spontaneous_FIN
+964800596.316128 weird: spontaneous_FIN
+964800596.316251 weird: spontaneous_FIN
+964800596.316384 weird: spontaneous_FIN
+964800596.316505 weird: spontaneous_FIN
+964800596.316635 weird: spontaneous_FIN
+964800596.316780 weird: spontaneous_FIN
+964800596.316906 weird: spontaneous_FIN
+964800596.317032 weird: spontaneous_FIN
+964800596.317147 weird: spontaneous_FIN
+964800596.317272 weird: spontaneous_FIN
+964800596.317396 weird: spontaneous_FIN
+964800596.317516 weird: spontaneous_FIN
+964800596.317895 weird: spontaneous_FIN
+964800596.318067 weird: spontaneous_FIN
+964800596.318400 weird: spontaneous_FIN
+964800596.318734 weird: spontaneous_FIN
+964800596.319064 weird: spontaneous_FIN
+964800596.319396 weird: spontaneous_FIN
+964800596.319727 weird: spontaneous_FIN
+964800596.320062 weird: spontaneous_FIN
+964800596.320391 weird: spontaneous_FIN
+964800596.320726 weird: spontaneous_FIN
+964800596.320896 weird: spontaneous_FIN
+964800596.321062 weird: spontaneous_FIN
+964800596.321231 weird: spontaneous_FIN
+964800596.321567 weird: spontaneous_FIN
+964800596.321919 weird: spontaneous_FIN
+964800596.322250 weird: spontaneous_FIN
+964800596.322583 weird: spontaneous_FIN
+964800596.322914 weird: spontaneous_FIN
+964800596.323247 weird: spontaneous_FIN
+964800596.323417 weird: spontaneous_FIN
+964800596.323749 weird: spontaneous_FIN
+964800596.324080 weird: spontaneous_FIN
+964800596.324250 weird: spontaneous_FIN
+964800596.324584 weird: spontaneous_FIN
+964800596.324915 weird: spontaneous_FIN
+964800596.325242 weird: spontaneous_FIN
+964800596.325567 weird: spontaneous_FIN
+964800596.325893 weird: spontaneous_FIN
+964800596.326060 weird: spontaneous_FIN
+964800596.326227 weird: spontaneous_FIN
+964800596.326236 weird: spontaneous_FIN
+964800596.326563 weird: spontaneous_FIN
+964800596.326890 weird: spontaneous_FIN
+964800596.327057 weird: spontaneous_FIN
+964800596.327382 weird: spontaneous_FIN
+964800596.327560 weird: spontaneous_FIN
+964800596.327886 weird: spontaneous_FIN
+964800596.328212 weird: spontaneous_FIN
+964800596.328379 weird: spontaneous_FIN
+964800596.328706 weird: spontaneous_FIN
+964800596.328875 weird: spontaneous_FIN
+964800596.329201 weird: spontaneous_FIN
+964800596.329525 weird: spontaneous_FIN
+964800596.329865 weird: spontaneous_FIN
+964800596.330190 weird: spontaneous_FIN
+964800596.330357 weird: spontaneous_FIN
+964800596.330682 weird: spontaneous_FIN
+964800596.331007 weird: spontaneous_FIN
+964800596.331174 weird: spontaneous_FIN
+964800596.331340 weird: spontaneous_FIN
+964800596.331666 weird: spontaneous_FIN
+964800596.331991 weird: spontaneous_FIN
+964800596.332157 weird: spontaneous_FIN
+964800596.332482 weird: spontaneous_FIN
+964800596.332807 weird: spontaneous_FIN
+964800596.332975 weird: spontaneous_FIN
+964800596.413143 weird: spontaneous_FIN
+964800596.413237 weird: spontaneous_FIN
+964800596.413314 weird: spontaneous_FIN
+964800596.413521 weird: spontaneous_FIN
+964800596.413609 weird: spontaneous_FIN
+964800596.413753 weird: spontaneous_FIN
+964800596.413876 weird: spontaneous_FIN
+964800596.413999 weird: spontaneous_FIN
+964800596.414124 weird: spontaneous_FIN
+964800596.414256 weird: spontaneous_FIN
+964800596.414384 weird: spontaneous_FIN
+964800596.414509 weird: spontaneous_FIN
+964800596.414637 weird: spontaneous_FIN
+964800596.414766 weird: spontaneous_FIN
+964800596.414914 weird: spontaneous_FIN
+964800596.415115 weird: spontaneous_FIN
+964800596.415198 weird: spontaneous_FIN
+964800596.415430 weird: spontaneous_FIN
+964800596.415525 weird: spontaneous_FIN
+964800596.415692 weird: spontaneous_FIN
+964800596.415798 weird: spontaneous_FIN
+964800596.415921 weird: spontaneous_FIN
+964800596.416046 weird: spontaneous_FIN
+964800596.416172 weird: spontaneous_FIN
+964800596.416313 weird: spontaneous_FIN
+964800596.416435 weird: spontaneous_FIN
+964800596.416609 weird: spontaneous_FIN
+964800596.416717 weird: spontaneous_FIN
+964800596.416846 weird: spontaneous_FIN
+964800596.416976 weird: spontaneous_FIN
+964800596.417116 weird: spontaneous_FIN
+964800596.417242 weird: spontaneous_FIN
+964800596.417359 weird: spontaneous_FIN
+964800596.417481 weird: spontaneous_FIN
+964800596.417650 weird: spontaneous_FIN
+964800596.417833 weird: spontaneous_FIN
+964800596.417947 weird: spontaneous_FIN
+964800596.418080 weird: spontaneous_FIN
+964800596.418199 weird: spontaneous_FIN
+964800596.418328 weird: spontaneous_FIN
+964800596.418471 weird: spontaneous_FIN
+964800596.418594 weird: spontaneous_FIN
+964800596.418719 weird: spontaneous_FIN
+964800596.418901 weird: spontaneous_FIN
+964800596.419015 weird: spontaneous_FIN
+964800596.419193 weird: spontaneous_FIN
+964800596.419301 weird: spontaneous_FIN
+964800596.419443 weird: spontaneous_FIN
+964800596.419566 weird: spontaneous_FIN
+964800596.419695 weird: spontaneous_FIN
+964800596.419821 weird: spontaneous_FIN
+964800596.419953 weird: spontaneous_FIN
+964800596.420098 weird: spontaneous_FIN
+964800596.420224 weird: spontaneous_FIN
+964800596.420369 weird: spontaneous_FIN
+964800596.420492 weird: spontaneous_FIN
+964800596.420635 weird: spontaneous_FIN
+964800596.420756 weird: spontaneous_FIN
+964800596.420897 weird: spontaneous_FIN
+964800596.421020 weird: spontaneous_FIN
+964800596.421186 weird: spontaneous_FIN
+964800596.421308 weird: spontaneous_FIN
+964800596.421435 weird: spontaneous_FIN
+964800596.421561 weird: spontaneous_FIN
+964800596.421704 weird: spontaneous_FIN
+964800596.421825 weird: spontaneous_FIN
+964800596.421952 weird: spontaneous_FIN
+964800596.422076 weird: spontaneous_FIN
+964800596.422206 weird: spontaneous_FIN
+964800596.422386 weird: spontaneous_FIN
+964800596.422495 weird: spontaneous_FIN
+964800596.422620 weird: spontaneous_FIN
+964800596.422746 weird: spontaneous_FIN
+964800596.422875 weird: spontaneous_FIN
+964800596.423018 weird: spontaneous_FIN
+964800596.423141 weird: spontaneous_FIN
+964800596.423267 weird: spontaneous_FIN
+964800596.423352 weird: spontaneous_FIN
+964800596.423527 weird: spontaneous_FIN
+964800596.423636 weird: spontaneous_FIN
+964800596.423774 weird: spontaneous_FIN
+964800596.423898 weird: spontaneous_FIN
+964800596.424020 weird: spontaneous_FIN
+964800596.424143 weird: spontaneous_FIN
+964800596.424271 weird: spontaneous_FIN
+964800596.424406 weird: spontaneous_FIN
+964800596.424538 weird: spontaneous_FIN
+964800596.424659 weird: spontaneous_FIN
+964800596.424840 weird: spontaneous_FIN
+964800596.424976 weird: spontaneous_FIN
+964800596.425150 weird: spontaneous_FIN
+964800596.501612 weird: bad_ICMP_checksum
+964800596.515437 weird: spontaneous_FIN
+964800596.515543 weird: spontaneous_FIN
+964800596.515621 weird: spontaneous_FIN
+964800596.515743 weird: spontaneous_FIN
+964800596.515953 weird: spontaneous_FIN
+964800596.516157 weird: spontaneous_FIN
+964800596.516266 weird: spontaneous_FIN
+964800596.516393 weird: spontaneous_FIN
+964800596.516520 weird: spontaneous_FIN
+964800596.516684 weird: spontaneous_FIN
+964800596.516794 weird: spontaneous_FIN
+964800596.516940 weird: spontaneous_FIN
+964800596.517057 weird: spontaneous_FIN
+964800596.517200 weird: spontaneous_FIN
+964800596.517312 weird: spontaneous_FIN
+964800596.517459 weird: spontaneous_FIN
+964800596.517583 weird: spontaneous_FIN
+964800596.517726 weird: spontaneous_FIN
+964800596.517850 weird: spontaneous_FIN
+964800596.517974 weird: spontaneous_FIN
+964800596.518117 weird: spontaneous_FIN
+964800596.518242 weird: spontaneous_FIN
+964800596.518366 weird: spontaneous_FIN
+964800596.518496 weird: spontaneous_FIN
+964800596.518624 weird: spontaneous_FIN
+964800596.518753 weird: spontaneous_FIN
+964800596.518868 weird: spontaneous_FIN
+964800596.518997 weird: spontaneous_FIN
+964800596.519119 weird: spontaneous_FIN
+964800596.519241 weird: spontaneous_FIN
+964800596.519363 weird: spontaneous_FIN
+964800596.519486 weird: spontaneous_FIN
+964800596.519608 weird: spontaneous_FIN
+964800596.519729 weird: spontaneous_FIN
+964800596.519853 weird: spontaneous_FIN
+964800596.519992 weird: spontaneous_FIN
+964800596.520114 weird: spontaneous_FIN
+964800596.520258 weird: spontaneous_FIN
+964800596.520379 weird: spontaneous_FIN
+964800596.520506 weird: spontaneous_FIN
+964800596.520630 weird: spontaneous_FIN
+964800596.520757 weird: spontaneous_FIN
+964800596.520885 weird: spontaneous_FIN
+964800596.521016 weird: spontaneous_FIN
+964800596.521096 weird: spontaneous_FIN
+964800596.521265 weird: spontaneous_FIN
+964800596.521378 weird: spontaneous_FIN
+964800596.521520 weird: spontaneous_FIN
+964800596.521700 weird: spontaneous_FIN
+964800596.521823 weird: spontaneous_FIN
+964800596.521963 weird: spontaneous_FIN
+964800596.522085 weird: spontaneous_FIN
+964800596.522210 weird: spontaneous_FIN
+964800596.522353 weird: spontaneous_FIN
+964800596.522477 weird: spontaneous_FIN
+964800596.522601 weird: spontaneous_FIN
+964800596.522723 weird: spontaneous_FIN
+964800596.522847 weird: spontaneous_FIN
+964800596.522970 weird: spontaneous_FIN
+964800596.523092 weird: spontaneous_FIN
+964800596.523216 weird: spontaneous_FIN
+964800596.523340 weird: spontaneous_FIN
+964800596.523480 weird: spontaneous_FIN
+964800596.523604 weird: spontaneous_FIN
+964800596.523771 weird: spontaneous_FIN
+964800596.523884 weird: spontaneous_FIN
+964800596.524025 weird: spontaneous_FIN
+964800596.524149 weird: spontaneous_FIN
+964800596.524283 weird: spontaneous_FIN
+964800596.524368 weird: spontaneous_FIN
+964800596.524539 weird: spontaneous_FIN
+964800596.524718 weird: spontaneous_FIN
+964800596.524844 weird: spontaneous_FIN
+964800596.524975 weird: spontaneous_FIN
+964800596.525192 weird: spontaneous_FIN
+964800596.525278 weird: spontaneous_FIN
+964800596.525391 weird: spontaneous_FIN
+964800596.525579 weird: spontaneous_FIN
+964800596.525690 weird: spontaneous_FIN
+964800596.525852 weird: spontaneous_FIN
+964800596.525966 weird: spontaneous_FIN
+964800596.526110 weird: spontaneous_FIN
+964800596.526223 weird: spontaneous_FIN
+964800596.526370 weird: spontaneous_FIN
+964800596.526493 weird: spontaneous_FIN
+964800596.526620 weird: spontaneous_FIN
+964800596.526746 weird: spontaneous_FIN
+964800596.526871 weird: spontaneous_FIN
+964800596.526996 weird: spontaneous_FIN
+964800596.527136 weird: spontaneous_FIN
+964800596.527264 weird: spontaneous_FIN
+964800596.527375 weird: spontaneous_FIN
+964800596.527513 weird: spontaneous_FIN
+964800596.527629 weird: spontaneous_FIN
+964800596.527771 weird: spontaneous_FIN
+964800596.615252 weird: spontaneous_FIN
+964800596.615357 weird: spontaneous_FIN
+964800596.615437 weird: spontaneous_FIN
+964800596.615527 weird: spontaneous_FIN
+964800596.615763 weird: spontaneous_FIN
+964800596.615843 weird: spontaneous_FIN
+964800596.615980 weird: spontaneous_FIN
+964800596.616093 weird: spontaneous_FIN
+964800596.616221 weird: spontaneous_FIN
+964800596.616349 weird: spontaneous_FIN
+964800596.616475 weird: spontaneous_FIN
+964800596.616604 weird: spontaneous_FIN
+964800596.616731 weird: spontaneous_FIN
+964800596.616857 weird: spontaneous_FIN
+964800596.616985 weird: spontaneous_FIN
+964800596.617099 weird: spontaneous_FIN
+964800596.617227 weird: spontaneous_FIN
+964800596.617349 weird: spontaneous_FIN
+964800596.617478 weird: spontaneous_FIN
+964800596.617604 weird: spontaneous_FIN
+964800596.617732 weird: spontaneous_FIN
+964800596.617859 weird: spontaneous_FIN
+964800596.617991 weird: spontaneous_FIN
+964800596.618116 weird: spontaneous_FIN
+964800596.618247 weird: spontaneous_FIN
+964800596.618387 weird: spontaneous_FIN
+964800596.618511 weird: spontaneous_FIN
+964800596.618636 weird: spontaneous_FIN
+964800596.618762 weird: spontaneous_FIN
+964800596.618889 weird: spontaneous_FIN
+964800596.619029 weird: spontaneous_FIN
+964800596.619145 weird: spontaneous_FIN
+964800596.619275 weird: spontaneous_FIN
+964800596.619412 weird: spontaneous_FIN
+964800596.619544 weird: spontaneous_FIN
+964800596.619975 weird: spontaneous_FIN
+964800596.620308 weird: spontaneous_FIN
+964800596.620477 weird: spontaneous_FIN
+964800596.620810 weird: spontaneous_FIN
+964800596.621140 weird: spontaneous_FIN
+964800596.621312 weird: spontaneous_FIN
+964800596.621645 weird: spontaneous_FIN
+964800596.621815 weird: spontaneous_FIN
+964800596.622145 weird: spontaneous_FIN
+964800596.622477 weird: spontaneous_FIN
+964800596.622648 weird: spontaneous_FIN
+964800596.622981 weird: spontaneous_FIN
+964800596.623311 weird: spontaneous_FIN
+964800596.623644 weird: spontaneous_FIN
+964800596.623976 weird: spontaneous_FIN
+964800596.624149 weird: spontaneous_FIN
+964800596.624478 weird: spontaneous_FIN
+964800596.624813 weird: spontaneous_FIN
+964800596.624984 weird: spontaneous_FIN
+964800596.625314 weird: spontaneous_FIN
+964800596.625648 weird: spontaneous_FIN
+964800596.625980 weird: spontaneous_FIN
+964800596.626149 weird: spontaneous_FIN
+964800596.626484 weird: spontaneous_FIN
+964800596.626671 weird: spontaneous_FIN
+964800596.627004 weird: spontaneous_FIN
+964800596.627334 weird: spontaneous_FIN
+964800596.627504 weird: spontaneous_FIN
+964800596.627852 weird: spontaneous_FIN
+964800596.628182 weird: spontaneous_FIN
+964800596.628345 weird: spontaneous_FIN
+964800596.628676 weird: spontaneous_FIN
+964800596.628838 weird: spontaneous_FIN
+964800596.629170 weird: spontaneous_FIN
+964800596.629495 weird: spontaneous_FIN
+964800596.629506 weird: spontaneous_FIN
+964800596.629673 weird: spontaneous_FIN
+964800596.629998 weird: spontaneous_FIN
+964800596.630324 weird: spontaneous_FIN
+964800596.630649 weird: spontaneous_FIN
+964800596.630816 weird: spontaneous_FIN
+964800596.631142 weird: spontaneous_FIN
+964800596.631304 weird: spontaneous_FIN
+964800596.631635 weird: spontaneous_FIN
+964800596.631798 weird: spontaneous_FIN
+964800596.632128 weird: spontaneous_FIN
+964800596.632452 weird: spontaneous_FIN
+964800596.632620 weird: spontaneous_FIN
+964800596.632945 weird: spontaneous_FIN
+964800596.633270 weird: spontaneous_FIN
+964800596.633436 weird: spontaneous_FIN
+964800596.633761 weird: spontaneous_FIN
+964800596.634086 weird: spontaneous_FIN
+964800596.634426 weird: spontaneous_FIN
+964800596.634594 weird: spontaneous_FIN
+964800596.634761 weird: spontaneous_FIN
+964800596.635086 weird: spontaneous_FIN
+964800596.635410 weird: spontaneous_FIN
+964800596.635737 weird: spontaneous_FIN
+964800596.635904 weird: spontaneous_FIN
+964800596.636228 weird: spontaneous_FIN
+964800596.636395 weird: spontaneous_FIN
+964800596.636720 weird: spontaneous_FIN
+964800596.637044 weird: spontaneous_FIN
+964800596.716116 weird: spontaneous_FIN
+964800596.716121 weird: spontaneous_FIN
+964800596.716162 weird: spontaneous_FIN
+964800596.716414 weird: spontaneous_FIN
+964800596.716497 weird: spontaneous_FIN
+964800596.716665 weird: spontaneous_FIN
+964800596.716767 weird: spontaneous_FIN
+964800596.716895 weird: spontaneous_FIN
+964800596.717023 weird: spontaneous_FIN
+964800596.717165 weird: spontaneous_FIN
+964800596.717286 weird: spontaneous_FIN
+964800596.717455 weird: spontaneous_FIN
+964800596.717567 weird: spontaneous_FIN
+964800596.717707 weird: spontaneous_FIN
+964800596.717831 weird: spontaneous_FIN
+964800596.717957 weird: spontaneous_FIN
+964800596.718099 weird: spontaneous_FIN
+964800596.718220 weird: spontaneous_FIN
+964800596.718353 weird: spontaneous_FIN
+964800596.718496 weird: spontaneous_FIN
+964800596.718619 weird: spontaneous_FIN
+964800596.718762 weird: spontaneous_FIN
+964800596.718886 weird: spontaneous_FIN
+964800596.719009 weird: spontaneous_FIN
+964800596.719132 weird: spontaneous_FIN
+964800596.719258 weird: spontaneous_FIN
+964800596.719387 weird: spontaneous_FIN
+964800596.719528 weird: spontaneous_FIN
+964800596.719645 weird: spontaneous_FIN
+964800596.719772 weird: spontaneous_FIN
+964800596.719902 weird: spontaneous_FIN
+964800596.720010 weird: spontaneous_FIN
+964800596.720176 weird: spontaneous_FIN
+964800596.720288 weird: spontaneous_FIN
+964800596.720407 weird: spontaneous_FIN
+964800596.720529 weird: spontaneous_FIN
+964800596.720655 weird: spontaneous_FIN
+964800596.720778 weird: spontaneous_FIN
+964800596.720904 weird: spontaneous_FIN
+964800596.721032 weird: spontaneous_FIN
+964800596.721171 weird: spontaneous_FIN
+964800596.721293 weird: spontaneous_FIN
+964800596.721416 weird: spontaneous_FIN
+964800596.721540 weird: spontaneous_FIN
+964800596.721666 weird: spontaneous_FIN
+964800596.721810 weird: spontaneous_FIN
+964800596.721934 weird: spontaneous_FIN
+964800596.722075 weird: spontaneous_FIN
+964800596.722200 weird: spontaneous_FIN
+964800596.722369 weird: spontaneous_FIN
+964800596.722510 weird: spontaneous_FIN
+964800596.722637 weird: spontaneous_FIN
+964800596.722805 weird: spontaneous_FIN
+964800596.722934 weird: spontaneous_FIN
+964800596.723043 weird: spontaneous_FIN
+964800596.723185 weird: spontaneous_FIN
+964800596.723308 weird: spontaneous_FIN
+964800596.723433 weird: spontaneous_FIN
+964800596.723574 weird: spontaneous_FIN
+964800596.723698 weird: spontaneous_FIN
+964800596.723825 weird: spontaneous_FIN
+964800596.723970 weird: spontaneous_FIN
+964800596.724096 weird: spontaneous_FIN
+964800596.724244 weird: spontaneous_FIN
+964800596.724374 weird: spontaneous_FIN
+964800596.724516 weird: spontaneous_FIN
+964800596.724638 weird: spontaneous_FIN
+964800596.724762 weird: spontaneous_FIN
+964800596.725008 weird: spontaneous_FIN
+964800596.725112 weird: spontaneous_FIN
+964800596.725277 weird: spontaneous_FIN
+964800596.725399 weird: spontaneous_FIN
+964800596.725523 weird: spontaneous_FIN
+964800596.725664 weird: spontaneous_FIN
+964800596.725787 weird: spontaneous_FIN
+964800596.725929 weird: spontaneous_FIN
+964800596.726052 weird: spontaneous_FIN
+964800596.726176 weird: spontaneous_FIN
+964800596.726304 weird: spontaneous_FIN
+964800596.726446 weird: spontaneous_FIN
+964800596.726571 weird: spontaneous_FIN
+964800596.726692 weird: spontaneous_FIN
+964800596.726820 weird: spontaneous_FIN
+964800596.726961 weird: spontaneous_FIN
+964800596.727086 weird: spontaneous_FIN
+964800596.727213 weird: spontaneous_FIN
+964800596.727355 weird: spontaneous_FIN
+964800596.727482 weird: spontaneous_FIN
+964800596.727610 weird: spontaneous_FIN
+964800596.727754 weird: spontaneous_FIN
+964800596.727895 weird: spontaneous_FIN
+964800596.728033 weird: spontaneous_FIN
+964800596.728177 weird: spontaneous_FIN
+964800596.728314 weird: spontaneous_FIN
+964800596.728455 weird: spontaneous_FIN
+964800596.728582 weird: spontaneous_FIN
+964800596.728710 weird: spontaneous_FIN
+964800596.728836 weird: spontaneous_FIN
+964800596.729008 weird: spontaneous_FIN
+964800596.729121 weird: spontaneous_FIN
+964800596.729244 weird: spontaneous_FIN
+964800596.729367 weird: spontaneous_FIN
+964800596.729507 weird: spontaneous_FIN
+964800596.818974 weird: spontaneous_FIN
+964800596.819065 weird: spontaneous_FIN
+964800596.819282 weird: spontaneous_FIN
+964800596.819371 weird: spontaneous_FIN
+964800596.819550 weird: spontaneous_FIN
+964800596.819664 weird: spontaneous_FIN
+964800596.819788 weird: spontaneous_FIN
+964800596.819926 weird: spontaneous_FIN
+964800596.820049 weird: spontaneous_FIN
+964800596.820178 weird: spontaneous_FIN
+964800596.820320 weird: spontaneous_FIN
+964800596.820443 weird: spontaneous_FIN
+964800596.820570 weird: spontaneous_FIN
+964800596.820695 weird: spontaneous_FIN
+964800596.820819 weird: spontaneous_FIN
+964800596.820943 weird: spontaneous_FIN
+964800596.821063 weird: spontaneous_FIN
+964800596.821302 weird: spontaneous_FIN
+964800596.821381 weird: spontaneous_FIN
+964800596.821539 weird: spontaneous_FIN
+964800596.821645 weird: spontaneous_FIN
+964800596.821774 weird: spontaneous_FIN
+964800596.821898 weird: spontaneous_FIN
+964800596.822025 weird: spontaneous_FIN
+964800596.822155 weird: spontaneous_FIN
+964800596.822284 weird: spontaneous_FIN
+964800596.822408 weird: spontaneous_FIN
+964800596.822551 weird: spontaneous_FIN
+964800596.822675 weird: spontaneous_FIN
+964800596.822807 weird: spontaneous_FIN
+964800596.822951 weird: spontaneous_FIN
+964800596.823075 weird: spontaneous_FIN
+964800596.823201 weird: spontaneous_FIN
+964800596.823330 weird: spontaneous_FIN
+964800596.823459 weird: spontaneous_FIN
+964800596.823600 weird: spontaneous_FIN
+964800596.823723 weird: spontaneous_FIN
+964800596.823847 weird: spontaneous_FIN
+964800596.823971 weird: spontaneous_FIN
+964800596.824096 weird: spontaneous_FIN
+964800596.824246 weird: spontaneous_FIN
+964800596.824367 weird: spontaneous_FIN
+964800596.824517 weird: spontaneous_FIN
+964800596.824638 weird: spontaneous_FIN
+964800596.824776 weird: spontaneous_FIN
+964800596.824895 weird: spontaneous_FIN
+964800596.825114 weird: spontaneous_FIN
+964800596.825199 weird: spontaneous_FIN
+964800596.825304 weird: spontaneous_FIN
+964800596.825508 weird: spontaneous_FIN
+964800596.825595 weird: spontaneous_FIN
+964800596.825766 weird: spontaneous_FIN
+964800596.825889 weird: spontaneous_FIN
+964800596.826012 weird: spontaneous_FIN
+964800596.826136 weird: spontaneous_FIN
+964800596.826279 weird: spontaneous_FIN
+964800596.826404 weird: spontaneous_FIN
+964800596.826527 weird: spontaneous_FIN
+964800596.826649 weird: spontaneous_FIN
+964800596.826772 weird: spontaneous_FIN
+964800596.826899 weird: spontaneous_FIN
+964800596.827038 weird: spontaneous_FIN
+964800596.827160 weird: spontaneous_FIN
+964800596.827283 weird: spontaneous_FIN
+964800596.827412 weird: spontaneous_FIN
+964800596.827548 weird: spontaneous_FIN
+964800596.827670 weird: spontaneous_FIN
+964800596.827850 weird: spontaneous_FIN
+964800596.827964 weird: spontaneous_FIN
+964800596.828102 weird: spontaneous_FIN
+964800596.828224 weird: spontaneous_FIN
+964800596.828348 weird: spontaneous_FIN
+964800596.828479 weird: spontaneous_FIN
+964800596.828619 weird: spontaneous_FIN
+964800596.828725 weird: spontaneous_FIN
+964800596.828850 weird: spontaneous_FIN
+964800596.828978 weird: spontaneous_FIN
+964800596.829106 weird: spontaneous_FIN
+964800596.829272 weird: spontaneous_FIN
+964800596.829389 weird: spontaneous_FIN
+964800597.461476 weird: bad_ICMP_checksum
+964800597.531033 weird: bad_ICMP_checksum
+964800598.421656 weird: bad_ICMP_checksum
+964800598.449518 weird: spontaneous_FIN
+964800598.483465 weird: bad_ICMP_checksum
+964800598.994113 weird: spontaneous_FIN
+964800599.270322 weird: spontaneous_FIN
+964800604.074186 weird: spontaneous_FIN
+964800604.181874 weird: bad_ICMP_checksum
+964800604.182079 weird: bad_ICMP_checksum
+964800604.182225 weird: bad_ICMP_checksum
+964800604.182414 weird: bad_ICMP_checksum
+964800604.182567 weird: bad_ICMP_checksum
+964800604.344975 weird: bad_ICMP_checksum
+964800604.345015 weird: bad_ICMP_checksum
+964800604.345048 weird: bad_ICMP_checksum
+964800604.345075 weird: bad_ICMP_checksum
+964800604.345128 weird: bad_ICMP_checksum
+964800604.345374 weird: bad_ICMP_checksum
+964800604.501637 weird: bad_ICMP_checksum
+964800605.561799 weird: bad_ICMP_checksum
+964800605.612716 weird: bad_ICMP_checksum
+964800606.521683 weird: bad_ICMP_checksum
+964800606.545722 weird: bad_ICMP_checksum
+964800607.481964 weird: bad_ICMP_checksum
+964800607.482115 weird: bad_ICMP_checksum
+964800608.406331 weird: bad_ICMP_checksum
+964800608.441725 weird: bad_ICMP_checksum
+964800609.106153 weird: spontaneous_FIN
+964800609.642920 weird: bad_ICMP_checksum
+964800609.722008 weird: bad_ICMP_checksum
+964800610.582014 weird: bad_ICMP_checksum
+964800610.682038 weird: bad_ICMP_checksum
+964800611.510967 weird: bad_ICMP_checksum
+964800611.641801 weird: bad_ICMP_checksum
+964800612.441355 weird: bad_ICMP_checksum
+964800612.601999 weird: bad_ICMP_checksum
+964800613.366240 weird: bad_ICMP_checksum
+964800613.561936 weird: bad_ICMP_checksum
+964800614.234326 weird: spontaneous_FIN
+964800614.312815 weird: bad_ICMP_checksum
+964800614.318648 weird: bad_ICMP_checksum
+964800614.327987 weird: bad_ICMP_checksum
+964800614.338017 weird: bad_ICMP_checksum
+964800614.348402 weird: bad_ICMP_checksum
+964800614.359341 weird: bad_ICMP_checksum
+964800614.522053 weird: bad_ICMP_checksum
+964800614.622452 weird: bad_ICMP_checksum
+964800615.481909 weird: bad_ICMP_checksum
+964800615.582247 weird: bad_ICMP_checksum
+964800615.874413 weird: bad_ICMP_checksum
+964800616.442169 weird: bad_ICMP_checksum
+964800616.531160 weird: bad_ICMP_checksum
+964800617.466281 weird: bad_ICMP_checksum
+964800617.722277 weird: bad_ICMP_checksum
+964800618.414576 weird: bad_ICMP_checksum
+964800618.666650 weird: bad_ICMP_checksum
+964800619.304700 weird: spontaneous_FIN
+964800619.367057 weird: bad_ICMP_checksum
+964800619.622229 weird: bad_ICMP_checksum
+964800620.582076 weird: bad_ICMP_checksum
+964800620.624553 weird: bad_ICMP_checksum
+964800620.964612 weird: spontaneous_FIN
+964800621.547606 weird: bad_ICMP_checksum
+964800621.574413 weird: bad_ICMP_checksum
+964800622.492100 weird: bad_ICMP_checksum
+964800622.537098 weird: bad_ICMP_checksum
+964800622.591301 weird: spontaneous_RST
+964800623.268602 weird: bad_ICMP_checksum
+964800623.268692 weird: bad_ICMP_checksum
+964800623.268874 weird: bad_ICMP_checksum
+964800623.268970 weird: bad_ICMP_checksum
+964800623.269065 weird: bad_ICMP_checksum
+964800623.269540 weird: bad_ICMP_checksum
+964800623.452427 weird: bad_ICMP_checksum
+964800623.514395 weird: bad_ICMP_checksum
+964800624.396321 weird: spontaneous_FIN
+964800624.504311 weird: bad_ICMP_checksum
+964800624.732337 weird: bad_ICMP_checksum
+964800625.464298 weird: bad_ICMP_checksum
+964800625.692125 weird: bad_ICMP_checksum
+964800626.424242 weird: bad_ICMP_checksum
+964800626.652340 weird: bad_ICMP_checksum
+964800627.354213 weird: bad_ICMP_checksum
+964800627.466174 weird: spontaneous_FIN
+964800627.466314 weird: spontaneous_FIN
+964800627.466443 weird: spontaneous_FIN
+964800627.599975 weird: bad_ICMP_checksum
+964800628.584177 weird: bad_ICMP_checksum
+964800628.635752 weird: baroque_SYN
+964800628.640612 weird: bad_ICMP_checksum
+964800628.644546 weird: spontaneous_FIN
+964800629.544643 weird: bad_ICMP_checksum
+964800629.605533 weird: spontaneous_FIN
+964800630.369868 weird: bad_ICMP_checksum
+964800630.485261 weird: bad_ICMP_checksum
+964800631.353056 weird: spontaneous_FIN
+964800631.464109 weird: bad_ICMP_checksum
+964800632.404814 weird: bad_ICMP_checksum
+964800633.007882 weird: spontaneous_FIN
+964800633.007955 weird: spontaneous_FIN
+964800633.334016 weird: bad_ICMP_checksum
+964800633.481613 weird: SYN_after_reset
+964800634.017231 weird: data_after_reset
+964800634.193335 weird: baroque_SYN
+964800634.194232 weird: spontaneous_FIN
+964800634.795607 weird: spontaneous_FIN
+964800634.957935 weird: spontaneous_FIN
+964800635.391456 weird: spontaneous_RST
+964800635.533950 weird: bad_ICMP_checksum
+964800636.492559 weird: bad_ICMP_checksum
+964800637.463897 weird: bad_ICMP_checksum
+964800638.423843 weird: bad_ICMP_checksum
+964800638.928189 weird: spontaneous_FIN
+964800638.928655 weird: spontaneous_FIN
+964800639.375043 weird: bad_ICMP_checksum
+964800639.997906 weird: spontaneous_FIN
+964800640.333750 weird: bad_ICMP_checksum
+964800641.592758 weird: bad_ICMP_checksum
+964800642.958184 weird: spontaneous_FIN
+964800643.502672 weird: bad_ICMP_checksum
+964800645.135741 weird: spontaneous_FIN
+964800645.391497 weird: bad_ICMP_checksum
+964800645.698637 weird: window_recision
+964800645.740880 weird: bad_ICMP_checksum
+964800645.750682 weird: bad_ICMP_checksum
+964800645.760682 weird: bad_ICMP_checksum
+964800645.770716 weird: bad_ICMP_checksum
+964800645.780716 weird: bad_ICMP_checksum
+964800645.790742 weird: bad_ICMP_checksum
+964800646.632887 weird: bad_ICMP_checksum
+964800647.574391 weird: bad_ICMP_checksum
+964800648.136574 weird: bad_ICMP_checksum
+964800648.144057 weird: bad_ICMP_checksum
+964800648.537554 weird: bad_ICMP_checksum
+964800648.737355 weird: bad_ICMP_checksum
+964800648.766079 weird: data_after_reset
+964800648.961656 weird: data_after_reset
+964800649.502831 weird: bad_ICMP_checksum
+964800650.016529 weird: bad_ICMP_checksum
+964800650.235800 weird: spontaneous_FIN
+964800650.463466 weird: bad_ICMP_checksum
+964800650.742504 weird: bad_ICMP_checksum
+964800650.768445 weird: spontaneous_FIN
+964800650.768544 weird: spontaneous_FIN
+964800651.420658 weird: bad_ICMP_checksum
+964800652.373355 weird: bad_ICMP_checksum
+964800652.700136 weird: bad_ICMP_checksum
+964800653.222991 weird: bad_ICMP_checksum
+964800653.331139 weird: bad_ICMP_checksum
+964800653.731753 weird: bad_ICMP_checksum
+964800654.564513 weird: bad_ICMP_checksum
+964800655.093447 weird: bad_ICMP_checksum
+964800655.487939 weird: spontaneous_FIN
+964800655.523270 weird: bad_ICMP_checksum
+964800655.734286 weird: bad_ICMP_checksum
+964800656.483224 weird: bad_ICMP_checksum
+964800657.423198 weird: bad_ICMP_checksum
+964800657.736978 weird: bad_ICMP_checksum
+964800657.749621 weird: bad_ICMP_checksum
+964800658.376401 weird: bad_ICMP_checksum
+964800658.758389 weird: bad_ICMP_checksum
+964800658.958711 weird: spontaneous_FIN
+964800659.430082 weird: data_after_reset
+964800659.620459 weird: data_after_reset
+964800659.621558 weird: bad_ICMP_checksum
+964800660.020414 weird: data_after_reset
+964800660.130278 weird: bad_ICMP_checksum
+964800660.573095 weird: bad_ICMP_checksum
+964800660.655908 weird: spontaneous_FIN
+964800660.731001 weird: bad_ICMP_checksum
+964800660.991652 weird: spontaneous_RST
+964800661.275279 weird: data_after_reset
+964800661.440262 weird: data_after_reset
+964800661.503055 weird: bad_ICMP_checksum
+964800661.667896 weird: spontaneous_FIN
+964800661.732414 weird: bad_ICMP_checksum
+964800662.460049 weird: bad_ICMP_checksum
+964800662.948422 weird: FIN_after_reset
+964800663.044194 weird: bad_ICMP_checksum
+964800663.389125 weird: bad_ICMP_checksum
+964800663.735100 weird: bad_ICMP_checksum
+964800665.167270 weird: bad_ICMP_checksum
+964800665.584196 weird: bad_ICMP_checksum
+964800665.737816 weird: bad_ICMP_checksum
+964800665.756012 weird: spontaneous_FIN
+964800666.512880 weird: bad_ICMP_checksum
+964800666.729203 weird: bad_ICMP_checksum
+964800667.466368 weird: bad_ICMP_checksum
+964800668.081037 weird: bad_ICMP_checksum
+964800668.422816 weird: bad_ICMP_checksum
+964800668.594418 weird: baroque_SYN
+964800668.595697 weird: spontaneous_FIN
+964800668.731920 weird: bad_ICMP_checksum
+964800669.362829 weird: bad_ICMP_checksum
+964800670.203985 weird: bad_ICMP_checksum
+964800670.593374 weird: bad_ICMP_checksum
+964800670.734603 weird: bad_ICMP_checksum
+964800670.771572 weird: spontaneous_FIN
+964800671.267206 weird: bad_ICMP_checksum
+964800671.267299 weird: bad_ICMP_checksum
+964800671.267581 weird: bad_ICMP_checksum
+964800671.267678 weird: bad_ICMP_checksum
+964800671.267774 weird: bad_ICMP_checksum
+964800671.267869 weird: bad_ICMP_checksum
+964800671.512899 weird: bad_ICMP_checksum
+964800671.736043 weird: bad_ICMP_checksum
+964800672.222756 weird: spontaneous_FIN
+964800672.222773 weird: spontaneous_FIN
+964800672.222790 weird: spontaneous_FIN
+964800672.222880 weird: spontaneous_FIN
+964800672.222950 weird: spontaneous_FIN
+964800672.223019 weird: spontaneous_FIN
+964800672.223093 weird: spontaneous_FIN
+964800672.223164 weird: spontaneous_FIN
+964800672.223236 weird: spontaneous_FIN
+964800672.223303 weird: spontaneous_FIN
+964800672.223373 weird: spontaneous_FIN
+964800672.305587 weird: spontaneous_FIN
+964800672.305670 weird: spontaneous_FIN
+964800672.305741 weird: spontaneous_FIN
+964800672.317264 weird: spontaneous_FIN
+964800672.317352 weird: spontaneous_FIN
+964800672.317422 weird: spontaneous_FIN
+964800672.317493 weird: spontaneous_FIN
+964800672.317564 weird: spontaneous_FIN
+964800672.317636 weird: spontaneous_FIN
+964800672.317708 weird: spontaneous_FIN
+964800672.317775 weird: spontaneous_FIN
+964800672.395581 weird: spontaneous_FIN
+964800672.395656 weird: spontaneous_FIN
+964800672.395723 weird: spontaneous_FIN
+964800672.395788 weird: spontaneous_FIN
+964800672.395852 weird: spontaneous_FIN
+964800672.395919 weird: spontaneous_FIN
+964800672.395987 weird: spontaneous_FIN
+964800672.396057 weird: spontaneous_FIN
+964800672.396128 weird: spontaneous_FIN
+964800672.396197 weird: spontaneous_FIN
+964800672.396265 weird: spontaneous_FIN
+964800672.450493 weird: bad_ICMP_checksum
+964800672.475577 weird: spontaneous_FIN
+964800672.475653 weird: spontaneous_FIN
+964800672.475724 weird: spontaneous_FIN
+964800672.475794 weird: spontaneous_FIN
+964800672.475863 weird: spontaneous_FIN
+964800672.475933 weird: spontaneous_FIN
+964800672.476004 weird: spontaneous_FIN
+964800672.476074 weird: spontaneous_FIN
+964800672.476144 weird: spontaneous_FIN
+964800672.476212 weird: spontaneous_FIN
+964800672.476281 weird: spontaneous_FIN
+964800672.555584 weird: spontaneous_FIN
+964800672.555657 weird: spontaneous_FIN
+964800672.555723 weird: spontaneous_FIN
+964800672.555787 weird: spontaneous_FIN
+964800672.555852 weird: spontaneous_FIN
+964800672.555916 weird: spontaneous_FIN
+964800672.555983 weird: spontaneous_FIN
+964800672.556051 weird: spontaneous_FIN
+964800672.556120 weird: spontaneous_FIN
+964800672.556185 weird: spontaneous_FIN
+964800672.556254 weird: spontaneous_FIN
+964800672.632033 weird: spontaneous_FIN
+964800672.632111 weird: spontaneous_FIN
+964800672.632178 weird: spontaneous_FIN
+964800672.632244 weird: spontaneous_FIN
+964800672.632310 weird: spontaneous_FIN
+964800672.632379 weird: spontaneous_FIN
+964800672.632449 weird: spontaneous_FIN
+964800672.632519 weird: spontaneous_FIN
+964800672.632587 weird: spontaneous_FIN
+964800672.632652 weird: spontaneous_FIN
+964800672.632722 weird: spontaneous_FIN
+964800672.725588 weird: spontaneous_FIN
+964800672.725665 weird: spontaneous_FIN
+964800672.725734 weird: spontaneous_FIN
+964800672.725804 weird: spontaneous_FIN
+964800672.725869 weird: spontaneous_FIN
+964800672.725935 weird: spontaneous_FIN
+964800672.726005 weird: spontaneous_FIN
+964800672.726075 weird: spontaneous_FIN
+964800672.726143 weird: spontaneous_FIN
+964800672.726211 weird: spontaneous_FIN
+964800672.726278 weird: spontaneous_FIN
+964800672.805589 weird: spontaneous_FIN
+964800672.805666 weird: spontaneous_FIN
+964800672.805735 weird: spontaneous_FIN
+964800672.805806 weird: spontaneous_FIN
+964800672.805873 weird: spontaneous_FIN
+964800672.805944 weird: spontaneous_FIN
+964800672.806013 weird: spontaneous_FIN
+964800672.806084 weird: spontaneous_FIN
+964800672.806155 weird: spontaneous_FIN
+964800672.806223 weird: spontaneous_FIN
+964800672.806290 weird: spontaneous_FIN
+964800672.885576 weird: spontaneous_FIN
+964800672.885651 weird: spontaneous_FIN
+964800672.885715 weird: spontaneous_FIN
+964800672.885782 weird: spontaneous_FIN
+964800672.885847 weird: spontaneous_FIN
+964800672.885913 weird: spontaneous_FIN
+964800672.885982 weird: spontaneous_FIN
+964800672.886052 weird: spontaneous_FIN
+964800672.886123 weird: spontaneous_FIN
+964800672.886190 weird: spontaneous_FIN
+964800672.886258 weird: spontaneous_FIN
+964800672.975612 weird: spontaneous_FIN
+964800672.975698 weird: spontaneous_FIN
+964800672.975772 weird: spontaneous_FIN
+964800672.975843 weird: spontaneous_FIN
+964800672.975914 weird: spontaneous_FIN
+964800672.975986 weird: spontaneous_FIN
+964800672.976058 weird: spontaneous_FIN
+964800672.976129 weird: spontaneous_FIN
+964800672.976199 weird: spontaneous_FIN
+964800672.976268 weird: spontaneous_FIN
+964800672.976337 weird: spontaneous_FIN
+964800673.055591 weird: spontaneous_FIN
+964800673.055664 weird: spontaneous_FIN
+964800673.055728 weird: spontaneous_FIN
+964800673.055795 weird: spontaneous_FIN
+964800673.055861 weird: spontaneous_FIN
+964800673.055930 weird: spontaneous_FIN
+964800673.056001 weird: spontaneous_FIN
+964800673.056072 weird: spontaneous_FIN
+964800673.056144 weird: spontaneous_FIN
+964800673.056216 weird: spontaneous_FIN
+964800673.056290 weird: spontaneous_FIN
+964800673.117908 weird: bad_ICMP_checksum
+964800673.136721 weird: spontaneous_FIN
+964800673.136795 weird: spontaneous_FIN
+964800673.136865 weird: spontaneous_FIN
+964800673.136935 weird: spontaneous_FIN
+964800673.137002 weird: spontaneous_FIN
+964800673.137073 weird: spontaneous_FIN
+964800673.137142 weird: spontaneous_FIN
+964800673.137212 weird: spontaneous_FIN
+964800673.137282 weird: spontaneous_FIN
+964800673.137354 weird: spontaneous_FIN
+964800673.137439 weird: spontaneous_FIN
+964800673.225622 weird: spontaneous_FIN
+964800673.225703 weird: spontaneous_FIN
+964800673.225772 weird: spontaneous_FIN
+964800673.225838 weird: spontaneous_FIN
+964800673.225901 weird: spontaneous_FIN
+964800673.225968 weird: spontaneous_FIN
+964800673.226035 weird: spontaneous_FIN
+964800673.226104 weird: spontaneous_FIN
+964800673.226176 weird: spontaneous_FIN
+964800673.226243 weird: spontaneous_FIN
+964800673.226311 weird: spontaneous_FIN
+964800673.305595 weird: spontaneous_FIN
+964800673.305674 weird: spontaneous_FIN
+964800673.305742 weird: spontaneous_FIN
+964800673.305810 weird: spontaneous_FIN
+964800673.305880 weird: spontaneous_FIN
+964800673.305951 weird: spontaneous_FIN
+964800673.306026 weird: spontaneous_FIN
+964800673.306095 weird: spontaneous_FIN
+964800673.306166 weird: spontaneous_FIN
+964800673.306236 weird: spontaneous_FIN
+964800673.306304 weird: spontaneous_FIN
+964800673.395618 weird: spontaneous_FIN
+964800673.395698 weird: spontaneous_FIN
+964800673.395766 weird: spontaneous_FIN
+964800673.395832 weird: spontaneous_FIN
+964800673.395896 weird: spontaneous_FIN
+964800673.395961 weird: spontaneous_FIN
+964800673.396030 weird: spontaneous_FIN
+964800673.396101 weird: spontaneous_FIN
+964800673.396170 weird: spontaneous_FIN
+964800673.396236 weird: spontaneous_FIN
+964800673.396307 weird: spontaneous_FIN
+964800673.412699 weird: bad_ICMP_checksum
+964800673.475641 weird: spontaneous_FIN
+964800673.475730 weird: spontaneous_FIN
+964800673.475804 weird: spontaneous_FIN
+964800673.475878 weird: spontaneous_FIN
+964800673.475946 weird: spontaneous_FIN
+964800673.476014 weird: spontaneous_FIN
+964800673.476083 weird: spontaneous_FIN
+964800673.476152 weird: spontaneous_FIN
+964800673.476220 weird: spontaneous_FIN
+964800673.476292 weird: spontaneous_FIN
+964800673.476363 weird: spontaneous_FIN
+964800673.565597 weird: spontaneous_FIN
+964800673.565670 weird: spontaneous_FIN
+964800673.565734 weird: spontaneous_FIN
+964800673.565799 weird: spontaneous_FIN
+964800673.565863 weird: spontaneous_FIN
+964800673.565930 weird: spontaneous_FIN
+964800673.565995 weird: spontaneous_FIN
+964800673.566065 weird: spontaneous_FIN
+964800673.566134 weird: spontaneous_FIN
+964800673.566201 weird: spontaneous_FIN
+964800673.566265 weird: spontaneous_FIN
+964800673.655606 weird: spontaneous_FIN
+964800673.655688 weird: spontaneous_FIN
+964800673.655755 weird: spontaneous_FIN
+964800673.655827 weird: spontaneous_FIN
+964800673.655896 weird: spontaneous_FIN
+964800673.655963 weird: spontaneous_FIN
+964800673.656032 weird: spontaneous_FIN
+964800673.656101 weird: spontaneous_FIN
+964800673.656171 weird: spontaneous_FIN
+964800673.656241 weird: spontaneous_FIN
+964800673.656311 weird: spontaneous_FIN
+964800673.728665 weird: bad_ICMP_checksum
+964800673.735599 weird: spontaneous_FIN
+964800673.735678 weird: spontaneous_FIN
+964800673.735744 weird: spontaneous_FIN
+964800673.735815 weird: spontaneous_FIN
+964800673.735879 weird: spontaneous_FIN
+964800673.735946 weird: spontaneous_FIN
+964800673.736012 weird: spontaneous_FIN
+964800673.736085 weird: spontaneous_FIN
+964800673.736156 weird: spontaneous_FIN
+964800673.736222 weird: spontaneous_FIN
+964800673.736290 weird: spontaneous_FIN
+964800673.825583 weird: spontaneous_FIN
+964800673.825657 weird: spontaneous_FIN
+964800673.825726 weird: spontaneous_FIN
+964800673.825793 weird: spontaneous_FIN
+964800673.825861 weird: spontaneous_FIN
+964800673.825930 weird: spontaneous_FIN
+964800673.826002 weird: spontaneous_FIN
+964800673.826070 weird: spontaneous_FIN
+964800673.826143 weird: spontaneous_FIN
+964800673.826209 weird: spontaneous_FIN
+964800673.826277 weird: spontaneous_FIN
+964800673.905599 weird: spontaneous_FIN
+964800673.905670 weird: spontaneous_FIN
+964800673.905735 weird: spontaneous_FIN
+964800673.905799 weird: spontaneous_FIN
+964800673.905866 weird: spontaneous_FIN
+964800673.905934 weird: spontaneous_FIN
+964800673.906007 weird: spontaneous_FIN
+964800673.906077 weird: spontaneous_FIN
+964800673.906148 weird: spontaneous_FIN
+964800673.906218 weird: spontaneous_FIN
+964800673.906286 weird: spontaneous_FIN
+964800673.985586 weird: spontaneous_FIN
+964800673.985660 weird: spontaneous_FIN
+964800673.985733 weird: spontaneous_FIN
+964800673.985801 weird: spontaneous_FIN
+964800673.985871 weird: spontaneous_FIN
+964800673.985945 weird: spontaneous_FIN
+964800673.986016 weird: spontaneous_FIN
+964800673.986085 weird: spontaneous_FIN
+964800673.986157 weird: spontaneous_FIN
+964800673.986228 weird: spontaneous_FIN
+964800673.986294 weird: spontaneous_FIN
+964800674.075600 weird: spontaneous_FIN
+964800674.075674 weird: spontaneous_FIN
+964800674.075741 weird: spontaneous_FIN
+964800674.075807 weird: spontaneous_FIN
+964800674.075875 weird: spontaneous_FIN
+964800674.075943 weird: spontaneous_FIN
+964800674.076012 weird: spontaneous_FIN
+964800674.076083 weird: spontaneous_FIN
+964800674.076150 weird: spontaneous_FIN
+964800674.076218 weird: spontaneous_FIN
+964800674.076285 weird: spontaneous_FIN
+964800674.165588 weird: spontaneous_FIN
+964800674.165667 weird: spontaneous_FIN
+964800674.165734 weird: spontaneous_FIN
+964800674.165803 weird: spontaneous_FIN
+964800674.165869 weird: spontaneous_FIN
+964800674.165938 weird: spontaneous_FIN
+964800674.166008 weird: spontaneous_FIN
+964800674.166081 weird: spontaneous_FIN
+964800674.166149 weird: spontaneous_FIN
+964800674.166223 weird: spontaneous_FIN
+964800674.166293 weird: spontaneous_FIN
+964800674.245590 weird: spontaneous_FIN
+964800674.245663 weird: spontaneous_FIN
+964800674.245727 weird: spontaneous_FIN
+964800674.245793 weird: spontaneous_FIN
+964800674.245861 weird: spontaneous_FIN
+964800674.245923 weird: spontaneous_FIN
+964800674.245990 weird: spontaneous_FIN
+964800674.246059 weird: spontaneous_FIN
+964800674.246128 weird: spontaneous_FIN
+964800674.246193 weird: spontaneous_FIN
+964800674.246258 weird: spontaneous_FIN
+964800674.274952 weird: baroque_SYN
+964800674.276723 weird: spontaneous_FIN
+964800674.325589 weird: spontaneous_FIN
+964800674.325667 weird: spontaneous_FIN
+964800674.325738 weird: spontaneous_FIN
+964800674.325807 weird: spontaneous_FIN
+964800674.325876 weird: spontaneous_FIN
+964800674.325948 weird: spontaneous_FIN
+964800674.326019 weird: spontaneous_FIN
+964800674.326088 weird: spontaneous_FIN
+964800674.326159 weird: spontaneous_FIN
+964800674.326227 weird: spontaneous_FIN
+964800674.326293 weird: spontaneous_FIN
+964800674.355345 weird: bad_ICMP_checksum
+964800674.405597 weird: spontaneous_FIN
+964800674.405669 weird: spontaneous_FIN
+964800674.405735 weird: spontaneous_FIN
+964800674.405803 weird: spontaneous_FIN
+964800674.405868 weird: spontaneous_FIN
+964800674.405933 weird: spontaneous_FIN
+964800674.406003 weird: spontaneous_FIN
+964800674.406075 weird: spontaneous_FIN
+964800674.406146 weird: spontaneous_FIN
+964800674.406212 weird: spontaneous_FIN
+964800674.406278 weird: spontaneous_FIN
+964800674.449198 weird: spontaneous_FIN
+964800674.449298 weird: spontaneous_FIN
+964800674.485588 weird: spontaneous_FIN
+964800674.485663 weird: spontaneous_FIN
+964800674.485732 weird: spontaneous_FIN
+964800674.485800 weird: spontaneous_FIN
+964800674.485867 weird: spontaneous_FIN
+964800674.485935 weird: spontaneous_FIN
+964800674.486005 weird: spontaneous_FIN
+964800674.486074 weird: spontaneous_FIN
+964800674.486146 weird: spontaneous_FIN
+964800674.486214 weird: spontaneous_FIN
+964800674.486283 weird: spontaneous_FIN
+964800674.565605 weird: spontaneous_FIN
+964800674.565673 weird: spontaneous_FIN
+964800674.565743 weird: spontaneous_FIN
+964800674.565808 weird: spontaneous_FIN
+964800674.565871 weird: spontaneous_FIN
+964800674.565935 weird: spontaneous_FIN
+964800674.566002 weird: spontaneous_FIN
+964800674.566072 weird: spontaneous_FIN
+964800674.566141 weird: spontaneous_FIN
+964800674.566206 weird: spontaneous_FIN
+964800674.566271 weird: spontaneous_FIN
+964800674.645588 weird: spontaneous_FIN
+964800674.645664 weird: spontaneous_FIN
+964800674.645731 weird: spontaneous_FIN
+964800674.645798 weird: spontaneous_FIN
+964800674.645866 weird: spontaneous_FIN
+964800674.645936 weird: spontaneous_FIN
+964800674.646005 weird: spontaneous_FIN
+964800674.646076 weird: spontaneous_FIN
+964800674.646144 weird: spontaneous_FIN
+964800674.646211 weird: spontaneous_FIN
+964800674.646278 weird: spontaneous_FIN
+964800674.725600 weird: spontaneous_FIN
+964800674.725676 weird: spontaneous_FIN
+964800674.725744 weird: spontaneous_FIN
+964800674.725808 weird: spontaneous_FIN
+964800674.725871 weird: spontaneous_FIN
+964800674.725937 weird: spontaneous_FIN
+964800674.726006 weird: spontaneous_FIN
+964800674.726077 weird: spontaneous_FIN
+964800674.726146 weird: spontaneous_FIN
+964800674.726213 weird: spontaneous_FIN
+964800674.726280 weird: spontaneous_FIN
+964800674.811956 weird: spontaneous_FIN
+964800674.812032 weird: spontaneous_FIN
+964800674.812102 weird: spontaneous_FIN
+964800674.812171 weird: spontaneous_FIN
+964800674.812239 weird: spontaneous_FIN
+964800674.812309 weird: spontaneous_FIN
+964800674.812382 weird: spontaneous_FIN
+964800674.812456 weird: spontaneous_FIN
+964800674.812529 weird: spontaneous_FIN
+964800674.812606 weird: spontaneous_FIN
+964800674.812668 weird: spontaneous_FIN
+964800674.895600 weird: spontaneous_FIN
+964800674.895674 weird: spontaneous_FIN
+964800674.895745 weird: spontaneous_FIN
+964800674.895813 weird: spontaneous_FIN
+964800674.895876 weird: spontaneous_FIN
+964800674.895942 weird: spontaneous_FIN
+964800674.896009 weird: spontaneous_FIN
+964800674.896078 weird: spontaneous_FIN
+964800674.896148 weird: spontaneous_FIN
+964800674.896212 weird: spontaneous_FIN
+964800674.896277 weird: spontaneous_FIN
+964800674.975591 weird: spontaneous_FIN
+964800674.975670 weird: spontaneous_FIN
+964800674.975739 weird: spontaneous_FIN
+964800674.975805 weird: spontaneous_FIN
+964800674.975872 weird: spontaneous_FIN
+964800674.975941 weird: spontaneous_FIN
+964800674.976010 weird: spontaneous_FIN
+964800674.976080 weird: spontaneous_FIN
+964800674.976150 weird: spontaneous_FIN
+964800674.976217 weird: spontaneous_FIN
+964800674.976289 weird: spontaneous_FIN
+964800675.065605 weird: spontaneous_FIN
+964800675.065678 weird: spontaneous_FIN
+964800675.065750 weird: spontaneous_FIN
+964800675.065813 weird: spontaneous_FIN
+964800675.065879 weird: spontaneous_FIN
+964800675.065943 weird: spontaneous_FIN
+964800675.066014 weird: spontaneous_FIN
+964800675.066081 weird: spontaneous_FIN
+964800675.066150 weird: spontaneous_FIN
+964800675.066216 weird: spontaneous_FIN
+964800675.066281 weird: spontaneous_FIN
+964800675.145585 weird: spontaneous_FIN
+964800675.145658 weird: spontaneous_FIN
+964800675.145730 weird: spontaneous_FIN
+964800675.145799 weird: spontaneous_FIN
+964800675.145871 weird: spontaneous_FIN
+964800675.145942 weird: spontaneous_FIN
+964800675.146015 weird: spontaneous_FIN
+964800675.146086 weird: spontaneous_FIN
+964800675.146163 weird: spontaneous_FIN
+964800675.146226 weird: spontaneous_FIN
+964800675.146294 weird: spontaneous_FIN
+964800675.225606 weird: spontaneous_FIN
+964800675.225683 weird: spontaneous_FIN
+964800675.225750 weird: spontaneous_FIN
+964800675.225815 weird: spontaneous_FIN
+964800675.225878 weird: spontaneous_FIN
+964800675.225942 weird: spontaneous_FIN
+964800675.226008 weird: spontaneous_FIN
+964800675.226078 weird: spontaneous_FIN
+964800675.226145 weird: spontaneous_FIN
+964800675.226215 weird: spontaneous_FIN
+964800675.226281 weird: spontaneous_FIN
+964800675.240808 weird: bad_ICMP_checksum
+964800675.306698 weird: spontaneous_FIN
+964800675.306702 weird: spontaneous_FIN
+964800675.306870 weird: spontaneous_FIN
+964800675.307034 weird: spontaneous_FIN
+964800675.307196 weird: spontaneous_FIN
+964800675.307376 weird: spontaneous_FIN
+964800675.307538 weird: spontaneous_FIN
+964800675.307701 weird: spontaneous_FIN
+964800675.307864 weird: spontaneous_FIN
+964800675.308026 weird: spontaneous_FIN
+964800675.308195 weird: spontaneous_FIN
+964800675.381871 weird: spontaneous_FIN
+964800675.381946 weird: spontaneous_FIN
+964800675.382012 weird: spontaneous_FIN
+964800675.382076 weird: spontaneous_FIN
+964800675.382139 weird: spontaneous_FIN
+964800675.382203 weird: spontaneous_FIN
+964800675.382269 weird: spontaneous_FIN
+964800675.382340 weird: spontaneous_FIN
+964800675.382408 weird: spontaneous_FIN
+964800675.382473 weird: spontaneous_FIN
+964800675.382539 weird: spontaneous_FIN
+964800675.475592 weird: spontaneous_FIN
+964800675.475669 weird: spontaneous_FIN
+964800675.475735 weird: spontaneous_FIN
+964800675.475803 weird: spontaneous_FIN
+964800675.475870 weird: spontaneous_FIN
+964800675.475939 weird: spontaneous_FIN
+964800675.476010 weird: spontaneous_FIN
+964800675.476080 weird: spontaneous_FIN
+964800675.476152 weird: spontaneous_FIN
+964800675.476219 weird: spontaneous_FIN
+964800675.476288 weird: spontaneous_FIN
+964800675.555624 weird: spontaneous_FIN
+964800675.555705 weird: spontaneous_FIN
+964800675.555773 weird: spontaneous_FIN
+964800675.555838 weird: spontaneous_FIN
+964800675.555903 weird: spontaneous_FIN
+964800675.555968 weird: spontaneous_FIN
+964800675.556038 weird: spontaneous_FIN
+964800675.556108 weird: spontaneous_FIN
+964800675.556176 weird: spontaneous_FIN
+964800675.556244 weird: spontaneous_FIN
+964800675.556311 weird: spontaneous_FIN
+964800675.602553 weird: bad_ICMP_checksum
+964800675.645602 weird: spontaneous_FIN
+964800675.645840 weird: spontaneous_FIN
+964800675.646004 weird: spontaneous_FIN
+964800675.646172 weird: spontaneous_FIN
+964800675.646338 weird: spontaneous_FIN
+964800675.646500 weird: spontaneous_FIN
+964800675.646663 weird: spontaneous_FIN
+964800675.646825 weird: spontaneous_FIN
+964800675.646988 weird: spontaneous_FIN
+964800675.646993 weird: spontaneous_FIN
+964800675.647156 weird: spontaneous_FIN
+964800675.725632 weird: spontaneous_FIN
+964800675.725713 weird: spontaneous_FIN
+964800675.725781 weird: spontaneous_FIN
+964800675.725848 weird: spontaneous_FIN
+964800675.725912 weird: spontaneous_FIN
+964800675.725978 weird: spontaneous_FIN
+964800675.726048 weird: spontaneous_FIN
+964800675.726120 weird: spontaneous_FIN
+964800675.726192 weird: spontaneous_FIN
+964800675.726262 weird: spontaneous_FIN
+964800675.726327 weird: spontaneous_FIN
+964800675.761460 weird: bad_ICMP_checksum
+964800675.805603 weird: spontaneous_FIN
+964800675.805679 weird: spontaneous_FIN
+964800675.805750 weird: spontaneous_FIN
+964800675.805820 weird: spontaneous_FIN
+964800675.805888 weird: spontaneous_FIN
+964800675.805959 weird: spontaneous_FIN
+964800675.806028 weird: spontaneous_FIN
+964800675.806098 weird: spontaneous_FIN
+964800675.806168 weird: spontaneous_FIN
+964800675.806235 weird: spontaneous_FIN
+964800675.806303 weird: spontaneous_FIN
+964800675.844740 weird: spontaneous_FIN
+964800675.895626 weird: spontaneous_FIN
+964800675.895708 weird: spontaneous_FIN
+964800675.895776 weird: spontaneous_FIN
+964800675.895843 weird: spontaneous_FIN
+964800675.895908 weird: spontaneous_FIN
+964800675.895973 weird: spontaneous_FIN
+964800675.896040 weird: spontaneous_FIN
+964800675.896112 weird: spontaneous_FIN
+964800675.896183 weird: spontaneous_FIN
+964800675.896251 weird: spontaneous_FIN
+964800675.896317 weird: spontaneous_FIN
+964800675.985620 weird: spontaneous_FIN
+964800675.985704 weird: spontaneous_FIN
+964800675.985774 weird: spontaneous_FIN
+964800675.985845 weird: spontaneous_FIN
+964800675.985915 weird: spontaneous_FIN
+964800675.985984 weird: spontaneous_FIN
+964800675.986056 weird: spontaneous_FIN
+964800675.986125 weird: spontaneous_FIN
+964800675.986198 weird: spontaneous_FIN
+964800675.986269 weird: spontaneous_FIN
+964800675.986338 weird: spontaneous_FIN
+964800676.065608 weird: spontaneous_FIN
+964800676.065681 weird: spontaneous_FIN
+964800676.065749 weird: spontaneous_FIN
+964800676.065814 weird: spontaneous_FIN
+964800676.065879 weird: spontaneous_FIN
+964800676.065942 weird: spontaneous_FIN
+964800676.066008 weird: spontaneous_FIN
+964800676.066079 weird: spontaneous_FIN
+964800676.066148 weird: spontaneous_FIN
+964800676.066214 weird: spontaneous_FIN
+964800676.066279 weird: spontaneous_FIN
+964800676.145598 weird: spontaneous_FIN
+964800676.145676 weird: spontaneous_FIN
+964800676.145746 weird: spontaneous_FIN
+964800676.145815 weird: spontaneous_FIN
+964800676.145884 weird: spontaneous_FIN
+964800676.145953 weird: spontaneous_FIN
+964800676.146024 weird: spontaneous_FIN
+964800676.146093 weird: spontaneous_FIN
+964800676.146161 weird: spontaneous_FIN
+964800676.146225 weird: spontaneous_FIN
+964800676.146292 weird: spontaneous_FIN
+964800676.235629 weird: spontaneous_FIN
+964800676.235710 weird: spontaneous_FIN
+964800676.235775 weird: spontaneous_FIN
+964800676.235841 weird: spontaneous_FIN
+964800676.235906 weird: spontaneous_FIN
+964800676.235969 weird: spontaneous_FIN
+964800676.236039 weird: spontaneous_FIN
+964800676.236112 weird: spontaneous_FIN
+964800676.236183 weird: spontaneous_FIN
+964800676.236250 weird: spontaneous_FIN
+964800676.236317 weird: spontaneous_FIN
+964800676.325603 weird: spontaneous_FIN
+964800676.325683 weird: spontaneous_FIN
+964800676.325750 weird: spontaneous_FIN
+964800676.325819 weird: spontaneous_FIN
+964800676.325888 weird: spontaneous_FIN
+964800676.325958 weird: spontaneous_FIN
+964800676.326030 weird: spontaneous_FIN
+964800676.326099 weird: spontaneous_FIN
+964800676.326170 weird: spontaneous_FIN
+964800676.326237 weird: spontaneous_FIN
+964800676.326306 weird: spontaneous_FIN
+964800676.415629 weird: spontaneous_FIN
+964800676.415709 weird: spontaneous_FIN
+964800676.415779 weird: spontaneous_FIN
+964800676.415845 weird: spontaneous_FIN
+964800676.415908 weird: spontaneous_FIN
+964800676.415974 weird: spontaneous_FIN
+964800676.416042 weird: spontaneous_FIN
+964800676.416115 weird: spontaneous_FIN
+964800676.416183 weird: spontaneous_FIN
+964800676.416249 weird: spontaneous_FIN
+964800676.416317 weird: spontaneous_FIN
+964800676.474792 weird: baroque_SYN
+964800676.475402 weird: spontaneous_FIN
+964800676.505624 weird: spontaneous_FIN
+964800676.505707 weird: spontaneous_FIN
+964800676.505774 weird: spontaneous_FIN
+964800676.505844 weird: spontaneous_FIN
+964800676.505913 weird: spontaneous_FIN
+964800676.505981 weird: spontaneous_FIN
+964800676.506052 weird: spontaneous_FIN
+964800676.506121 weird: spontaneous_FIN
+964800676.506192 weird: spontaneous_FIN
+964800676.506259 weird: spontaneous_FIN
+964800676.506327 weird: spontaneous_FIN
+964800676.585614 weird: spontaneous_FIN
+964800676.585689 weird: spontaneous_FIN
+964800676.585755 weird: spontaneous_FIN
+964800676.585821 weird: spontaneous_FIN
+964800676.585885 weird: spontaneous_FIN
+964800676.585951 weird: spontaneous_FIN
+964800676.586018 weird: spontaneous_FIN
+964800676.586093 weird: spontaneous_FIN
+964800676.586164 weird: spontaneous_FIN
+964800676.586233 weird: spontaneous_FIN
+964800676.586300 weird: spontaneous_FIN
+964800676.665638 weird: spontaneous_FIN
+964800676.665721 weird: spontaneous_FIN
+964800676.665793 weird: spontaneous_FIN
+964800676.665860 weird: spontaneous_FIN
+964800676.665928 weird: spontaneous_FIN
+964800676.665999 weird: spontaneous_FIN
+964800676.666067 weird: spontaneous_FIN
+964800676.666139 weird: spontaneous_FIN
+964800676.666208 weird: spontaneous_FIN
+964800676.666275 weird: spontaneous_FIN
+964800676.666344 weird: spontaneous_FIN
+964800676.755618 weird: spontaneous_FIN
+964800676.755694 weird: spontaneous_FIN
+964800676.755760 weird: spontaneous_FIN
+964800676.755829 weird: spontaneous_FIN
+964800676.755895 weird: spontaneous_FIN
+964800676.755960 weird: spontaneous_FIN
+964800676.756029 weird: spontaneous_FIN
+964800676.756104 weird: spontaneous_FIN
+964800676.756173 weird: spontaneous_FIN
+964800676.756239 weird: spontaneous_FIN
+964800676.756306 weird: spontaneous_FIN
+964800676.775468 weird: bad_ICMP_checksum
+964800676.845623 weird: spontaneous_FIN
+964800676.845707 weird: spontaneous_FIN
+964800676.845779 weird: spontaneous_FIN
+964800676.845849 weird: spontaneous_FIN
+964800676.845918 weird: spontaneous_FIN
+964800676.845986 weird: spontaneous_FIN
+964800676.846059 weird: spontaneous_FIN
+964800676.846127 weird: spontaneous_FIN
+964800676.846201 weird: spontaneous_FIN
+964800676.846266 weird: spontaneous_FIN
+964800676.846335 weird: spontaneous_FIN
+964800676.935620 weird: spontaneous_FIN
+964800676.935699 weird: spontaneous_FIN
+964800676.935768 weird: spontaneous_FIN
+964800676.935834 weird: spontaneous_FIN
+964800676.935900 weird: spontaneous_FIN
+964800676.935968 weird: spontaneous_FIN
+964800676.936039 weird: spontaneous_FIN
+964800676.936113 weird: spontaneous_FIN
+964800676.936186 weird: spontaneous_FIN
+964800676.936254 weird: spontaneous_FIN
+964800676.936321 weird: spontaneous_FIN
+964800677.015595 weird: spontaneous_FIN
+964800677.015669 weird: spontaneous_FIN
+964800677.015743 weird: spontaneous_FIN
+964800677.015811 weird: spontaneous_FIN
+964800677.015878 weird: spontaneous_FIN
+964800677.015948 weird: spontaneous_FIN
+964800677.016019 weird: spontaneous_FIN
+964800677.016093 weird: spontaneous_FIN
+964800677.016163 weird: spontaneous_FIN
+964800677.016228 weird: spontaneous_FIN
+964800677.016296 weird: spontaneous_FIN
+964800677.097164 weird: spontaneous_FIN
+964800677.097243 weird: spontaneous_FIN
+964800677.097313 weird: spontaneous_FIN
+964800677.097382 weird: spontaneous_FIN
+964800677.097446 weird: spontaneous_FIN
+964800677.097512 weird: spontaneous_FIN
+964800677.097579 weird: spontaneous_FIN
+964800677.097652 weird: spontaneous_FIN
+964800677.097722 weird: spontaneous_FIN
+964800677.097789 weird: spontaneous_FIN
+964800677.097856 weird: spontaneous_FIN
+964800677.173246 weird: spontaneous_FIN
+964800677.173328 weird: spontaneous_FIN
+964800677.173398 weird: spontaneous_FIN
+964800677.173471 weird: spontaneous_FIN
+964800677.173541 weird: spontaneous_FIN
+964800677.173610 weird: spontaneous_FIN
+964800677.173681 weird: spontaneous_FIN
+964800677.173750 weird: spontaneous_FIN
+964800677.173818 weird: spontaneous_FIN
+964800677.173885 weird: spontaneous_FIN
+964800677.173954 weird: spontaneous_FIN
+964800677.255618 weird: spontaneous_FIN
+964800677.255697 weird: spontaneous_FIN
+964800677.255764 weird: spontaneous_FIN
+964800677.255832 weird: spontaneous_FIN
+964800677.255894 weird: spontaneous_FIN
+964800677.255961 weird: spontaneous_FIN
+964800677.256028 weird: spontaneous_FIN
+964800677.256099 weird: spontaneous_FIN
+964800677.256170 weird: spontaneous_FIN
+964800677.256235 weird: spontaneous_FIN
+964800677.256302 weird: spontaneous_FIN
+964800677.335626 weird: spontaneous_FIN
+964800677.335708 weird: spontaneous_FIN
+964800677.335779 weird: spontaneous_FIN
+964800677.335848 weird: spontaneous_FIN
+964800677.335916 weird: spontaneous_FIN
+964800677.335987 weird: spontaneous_FIN
+964800677.336057 weird: spontaneous_FIN
+964800677.336126 weird: spontaneous_FIN
+964800677.336194 weird: spontaneous_FIN
+964800677.336262 weird: spontaneous_FIN
+964800677.336330 weird: spontaneous_FIN
+964800677.415618 weird: spontaneous_FIN
+964800677.415691 weird: spontaneous_FIN
+964800677.415758 weird: spontaneous_FIN
+964800677.415827 weird: spontaneous_FIN
+964800677.415891 weird: spontaneous_FIN
+964800677.415959 weird: spontaneous_FIN
+964800677.416027 weird: spontaneous_FIN
+964800677.416103 weird: spontaneous_FIN
+964800677.416171 weird: spontaneous_FIN
+964800677.416237 weird: spontaneous_FIN
+964800677.416305 weird: spontaneous_FIN
+964800677.462542 weird: bad_ICMP_checksum
+964800677.495624 weird: spontaneous_FIN
+964800677.495704 weird: spontaneous_FIN
+964800677.495774 weird: spontaneous_FIN
+964800677.495844 weird: spontaneous_FIN
+964800677.495914 weird: spontaneous_FIN
+964800677.495984 weird: spontaneous_FIN
+964800677.496056 weird: spontaneous_FIN
+964800677.496128 weird: spontaneous_FIN
+964800677.496198 weird: spontaneous_FIN
+964800677.496268 weird: spontaneous_FIN
+964800677.496337 weird: spontaneous_FIN
+964800677.585630 weird: spontaneous_FIN
+964800677.585703 weird: spontaneous_FIN
+964800677.585773 weird: spontaneous_FIN
+964800677.585837 weird: spontaneous_FIN
+964800677.585902 weird: spontaneous_FIN
+964800677.585967 weird: spontaneous_FIN
+964800677.586036 weird: spontaneous_FIN
+964800677.586106 weird: spontaneous_FIN
+964800677.586176 weird: spontaneous_FIN
+964800677.586241 weird: spontaneous_FIN
+964800677.586307 weird: spontaneous_FIN
+964800677.675607 weird: spontaneous_FIN
+964800677.675686 weird: spontaneous_FIN
+964800677.675754 weird: spontaneous_FIN
+964800677.675822 weird: spontaneous_FIN
+964800677.675890 weird: spontaneous_FIN
+964800677.675958 weird: spontaneous_FIN
+964800677.676027 weird: spontaneous_FIN
+964800677.676096 weird: spontaneous_FIN
+964800677.676165 weird: spontaneous_FIN
+964800677.676234 weird: spontaneous_FIN
+964800677.676302 weird: spontaneous_FIN
+964800677.765770 weird: spontaneous_FIN
+964800677.765860 weird: spontaneous_FIN
+964800677.765931 weird: spontaneous_FIN
+964800677.766002 weird: spontaneous_FIN
+964800677.766069 weird: spontaneous_FIN
+964800677.766135 weird: spontaneous_FIN
+964800677.766205 weird: spontaneous_FIN
+964800677.766275 weird: spontaneous_FIN
+964800677.766343 weird: spontaneous_FIN
+964800677.766409 weird: spontaneous_FIN
+964800677.766478 weird: spontaneous_FIN
+964800677.855646 weird: spontaneous_FIN
+964800677.855736 weird: spontaneous_FIN
+964800677.855807 weird: spontaneous_FIN
+964800677.855882 weird: spontaneous_FIN
+964800677.855955 weird: spontaneous_FIN
+964800677.856029 weird: spontaneous_FIN
+964800677.856101 weird: spontaneous_FIN
+964800677.856172 weird: spontaneous_FIN
+964800677.856245 weird: spontaneous_FIN
+964800677.856317 weird: spontaneous_FIN
+964800677.856387 weird: spontaneous_FIN
+964800677.935612 weird: spontaneous_FIN
+964800677.935686 weird: spontaneous_FIN
+964800677.935751 weird: spontaneous_FIN
+964800677.935815 weird: spontaneous_FIN
+964800677.935879 weird: spontaneous_FIN
+964800677.935947 weird: spontaneous_FIN
+964800677.936023 weird: spontaneous_FIN
+964800677.936095 weird: spontaneous_FIN
+964800677.936163 weird: spontaneous_FIN
+964800677.936230 weird: spontaneous_FIN
+964800677.936295 weird: spontaneous_FIN
+964800678.025611 weird: spontaneous_FIN
+964800678.025693 weird: spontaneous_FIN
+964800678.025759 weird: spontaneous_FIN
+964800678.025828 weird: spontaneous_FIN
+964800678.025901 weird: spontaneous_FIN
+964800678.025980 weird: spontaneous_FIN
+964800678.026058 weird: spontaneous_FIN
+964800678.026139 weird: spontaneous_FIN
+964800678.026210 weird: spontaneous_FIN
+964800678.026280 weird: spontaneous_FIN
+964800678.026347 weird: spontaneous_FIN
+964800678.105628 weird: spontaneous_FIN
+964800678.105701 weird: spontaneous_FIN
+964800678.105768 weird: spontaneous_FIN
+964800678.105834 weird: spontaneous_FIN
+964800678.105900 weird: spontaneous_FIN
+964800678.105963 weird: spontaneous_FIN
+964800678.106033 weird: spontaneous_FIN
+964800678.106104 weird: spontaneous_FIN
+964800678.106173 weird: spontaneous_FIN
+964800678.106243 weird: spontaneous_FIN
+964800678.106308 weird: spontaneous_FIN
+964800678.154715 weird: bad_ICMP_checksum
+964800678.184247 weird: spontaneous_FIN
+964800678.184325 weird: spontaneous_FIN
+964800678.184396 weird: spontaneous_FIN
+964800678.184464 weird: spontaneous_FIN
+964800678.184536 weird: spontaneous_FIN
+964800678.184607 weird: spontaneous_FIN
+964800678.184676 weird: spontaneous_FIN
+964800678.184747 weird: spontaneous_FIN
+964800678.184816 weird: spontaneous_FIN
+964800678.184886 weird: spontaneous_FIN
+964800678.184953 weird: spontaneous_FIN
+964800678.265622 weird: spontaneous_FIN
+964800678.265692 weird: spontaneous_FIN
+964800678.265755 weird: spontaneous_FIN
+964800678.265821 weird: spontaneous_FIN
+964800678.265885 weird: spontaneous_FIN
+964800678.265951 weird: spontaneous_FIN
+964800678.266021 weird: spontaneous_FIN
+964800678.266094 weird: spontaneous_FIN
+964800678.266162 weird: spontaneous_FIN
+964800678.266230 weird: spontaneous_FIN
+964800678.266295 weird: spontaneous_FIN
+964800678.345607 weird: spontaneous_FIN
+964800678.345686 weird: spontaneous_FIN
+964800678.345755 weird: spontaneous_FIN
+964800678.345826 weird: spontaneous_FIN
+964800678.345900 weird: spontaneous_FIN
+964800678.345973 weird: spontaneous_FIN
+964800678.346046 weird: spontaneous_FIN
+964800678.346116 weird: spontaneous_FIN
+964800678.346186 weird: spontaneous_FIN
+964800678.346257 weird: spontaneous_FIN
+964800678.346325 weird: spontaneous_FIN
+964800678.412506 weird: bad_ICMP_checksum
+964800678.425643 weird: spontaneous_FIN
+964800678.425726 weird: spontaneous_FIN
+964800678.425795 weird: spontaneous_FIN
+964800678.425865 weird: spontaneous_FIN
+964800678.425934 weird: spontaneous_FIN
+964800678.426003 weird: spontaneous_FIN
+964800678.426073 weird: spontaneous_FIN
+964800678.426143 weird: spontaneous_FIN
+964800678.426215 weird: spontaneous_FIN
+964800678.426285 weird: spontaneous_FIN
+964800678.426353 weird: spontaneous_FIN
+964800678.515618 weird: spontaneous_FIN
+964800678.515696 weird: spontaneous_FIN
+964800678.515770 weird: spontaneous_FIN
+964800678.515842 weird: spontaneous_FIN
+964800678.515916 weird: spontaneous_FIN
+964800678.515987 weird: spontaneous_FIN
+964800678.516055 weird: spontaneous_FIN
+964800678.516125 weird: spontaneous_FIN
+964800678.516197 weird: spontaneous_FIN
+964800678.516268 weird: spontaneous_FIN
+964800678.516339 weird: spontaneous_FIN
+964800678.595624 weird: spontaneous_FIN
+964800678.595699 weird: spontaneous_FIN
+964800678.595763 weird: spontaneous_FIN
+964800678.595831 weird: spontaneous_FIN
+964800678.595894 weird: spontaneous_FIN
+964800678.595958 weird: spontaneous_FIN
+964800678.596027 weird: spontaneous_FIN
+964800678.596096 weird: spontaneous_FIN
+964800678.596168 weird: spontaneous_FIN
+964800678.596236 weird: spontaneous_FIN
+964800678.596303 weird: spontaneous_FIN
+964800678.623896 weird: baroque_SYN
+964800678.685653 weird: spontaneous_FIN
+964800678.685736 weird: spontaneous_FIN
+964800678.685803 weird: spontaneous_FIN
+964800678.685875 weird: spontaneous_FIN
+964800678.685948 weird: spontaneous_FIN
+964800678.686019 weird: spontaneous_FIN
+964800678.686091 weird: spontaneous_FIN
+964800678.686162 weird: spontaneous_FIN
+964800678.686235 weird: spontaneous_FIN
+964800678.686307 weird: spontaneous_FIN
+964800678.686377 weird: spontaneous_FIN
+964800678.735446 weird: bad_ICMP_checksum
+964800678.765630 weird: spontaneous_FIN
+964800678.765704 weird: spontaneous_FIN
+964800678.765840 weird: spontaneous_FIN
+964800678.765845 weird: spontaneous_FIN
+964800678.765897 weird: spontaneous_FIN
+964800678.765964 weird: spontaneous_FIN
+964800678.766034 weird: spontaneous_FIN
+964800678.766103 weird: spontaneous_FIN
+964800678.766172 weird: spontaneous_FIN
+964800678.766238 weird: spontaneous_FIN
+964800678.766303 weird: spontaneous_FIN
+964800678.845623 weird: spontaneous_FIN
+964800678.845707 weird: spontaneous_FIN
+964800678.845783 weird: spontaneous_FIN
+964800678.845855 weird: spontaneous_FIN
+964800678.845924 weird: spontaneous_FIN
+964800678.845994 weird: spontaneous_FIN
+964800678.846063 weird: spontaneous_FIN
+964800678.846134 weird: spontaneous_FIN
+964800678.846208 weird: spontaneous_FIN
+964800678.846284 weird: spontaneous_FIN
+964800678.846352 weird: spontaneous_FIN
+964800678.935630 weird: spontaneous_FIN
+964800678.935701 weird: spontaneous_FIN
+964800678.935772 weird: spontaneous_FIN
+964800678.935838 weird: spontaneous_FIN
+964800678.935907 weird: spontaneous_FIN
+964800678.935977 weird: spontaneous_FIN
+964800678.936044 weird: spontaneous_FIN
+964800678.936116 weird: spontaneous_FIN
+964800678.936185 weird: spontaneous_FIN
+964800678.936249 weird: spontaneous_FIN
+964800678.936314 weird: spontaneous_FIN
+964800679.025621 weird: spontaneous_FIN
+964800679.025698 weird: spontaneous_FIN
+964800679.025765 weird: spontaneous_FIN
+964800679.025834 weird: spontaneous_FIN
+964800679.025906 weird: spontaneous_FIN
+964800679.025975 weird: spontaneous_FIN
+964800679.026042 weird: spontaneous_FIN
+964800679.026114 weird: spontaneous_FIN
+964800679.026188 weird: spontaneous_FIN
+964800679.026260 weird: spontaneous_FIN
+964800679.026328 weird: spontaneous_FIN
+964800679.115627 weird: spontaneous_FIN
+964800679.115701 weird: spontaneous_FIN
+964800679.115767 weird: spontaneous_FIN
+964800679.115831 weird: spontaneous_FIN
+964800679.115894 weird: spontaneous_FIN
+964800679.115958 weird: spontaneous_FIN
+964800679.116025 weird: spontaneous_FIN
+964800679.116094 weird: spontaneous_FIN
+964800679.116164 weird: spontaneous_FIN
+964800679.116231 weird: spontaneous_FIN
+964800679.116297 weird: spontaneous_FIN
+964800679.205619 weird: spontaneous_FIN
+964800679.205698 weird: spontaneous_FIN
+964800679.205769 weird: spontaneous_FIN
+964800679.205839 weird: spontaneous_FIN
+964800679.205911 weird: spontaneous_FIN
+964800679.205982 weird: spontaneous_FIN
+964800679.206053 weird: spontaneous_FIN
+964800679.206126 weird: spontaneous_FIN
+964800679.206197 weird: spontaneous_FIN
+964800679.206270 weird: spontaneous_FIN
+964800679.206337 weird: spontaneous_FIN
+964800679.285619 weird: spontaneous_FIN
+964800679.285688 weird: spontaneous_FIN
+964800679.285754 weird: spontaneous_FIN
+964800679.285816 weird: spontaneous_FIN
+964800679.285879 weird: spontaneous_FIN
+964800679.285942 weird: spontaneous_FIN
+964800679.286011 weird: spontaneous_FIN
+964800679.286081 weird: spontaneous_FIN
+964800679.286148 weird: spontaneous_FIN
+964800679.286215 weird: spontaneous_FIN
+964800679.286277 weird: spontaneous_FIN
+964800679.352432 weird: bad_ICMP_checksum
+964800679.375618 weird: spontaneous_FIN
+964800679.375698 weird: spontaneous_FIN
+964800679.375765 weird: spontaneous_FIN
+964800679.375833 weird: spontaneous_FIN
+964800679.375903 weird: spontaneous_FIN
+964800679.375971 weird: spontaneous_FIN
+964800679.376040 weird: spontaneous_FIN
+964800679.376110 weird: spontaneous_FIN
+964800679.376178 weird: spontaneous_FIN
+964800679.376247 weird: spontaneous_FIN
+964800679.376313 weird: spontaneous_FIN
+964800679.455628 weird: spontaneous_FIN
+964800679.455703 weird: spontaneous_FIN
+964800679.455766 weird: spontaneous_FIN
+964800679.455830 weird: spontaneous_FIN
+964800679.455894 weird: spontaneous_FIN
+964800679.455957 weird: spontaneous_FIN
+964800679.456025 weird: spontaneous_FIN
+964800679.456093 weird: spontaneous_FIN
+964800679.456160 weird: spontaneous_FIN
+964800679.456225 weird: spontaneous_FIN
+964800679.456291 weird: spontaneous_FIN
+964800679.545623 weird: spontaneous_FIN
+964800679.545699 weird: spontaneous_FIN
+964800679.545768 weird: spontaneous_FIN
+964800679.545838 weird: spontaneous_FIN
+964800679.545906 weird: spontaneous_FIN
+964800679.545976 weird: spontaneous_FIN
+964800679.546048 weird: spontaneous_FIN
+964800679.546115 weird: spontaneous_FIN
+964800679.546187 weird: spontaneous_FIN
+964800679.546259 weird: spontaneous_FIN
+964800679.546326 weird: spontaneous_FIN
+964800679.635630 weird: spontaneous_FIN
+964800679.635701 weird: spontaneous_FIN
+964800679.635767 weird: spontaneous_FIN
+964800679.635835 weird: spontaneous_FIN
+964800679.635898 weird: spontaneous_FIN
+964800679.635965 weird: spontaneous_FIN
+964800679.636033 weird: spontaneous_FIN
+964800679.636104 weird: spontaneous_FIN
+964800679.636173 weird: spontaneous_FIN
+964800679.636239 weird: spontaneous_FIN
+964800679.636303 weird: spontaneous_FIN
+964800679.715621 weird: spontaneous_FIN
+964800679.715702 weird: spontaneous_FIN
+964800679.715773 weird: spontaneous_FIN
+964800679.715846 weird: spontaneous_FIN
+964800679.715919 weird: spontaneous_FIN
+964800679.715989 weird: spontaneous_FIN
+964800679.716057 weird: spontaneous_FIN
+964800679.716128 weird: spontaneous_FIN
+964800679.716197 weird: spontaneous_FIN
+964800679.716267 weird: spontaneous_FIN
+964800679.716334 weird: spontaneous_FIN
+964800679.795641 weird: spontaneous_FIN
+964800679.795721 weird: spontaneous_FIN
+964800679.795785 weird: spontaneous_FIN
+964800679.795851 weird: spontaneous_FIN
+964800679.795917 weird: spontaneous_FIN
+964800679.795980 weird: spontaneous_FIN
+964800679.796053 weird: spontaneous_FIN
+964800679.796124 weird: spontaneous_FIN
+964800679.796193 weird: spontaneous_FIN
+964800679.796264 weird: spontaneous_FIN
+964800679.796333 weird: spontaneous_FIN
+964800679.875619 weird: spontaneous_FIN
+964800679.875698 weird: spontaneous_FIN
+964800679.875770 weird: spontaneous_FIN
+964800679.875838 weird: spontaneous_FIN
+964800679.875909 weird: spontaneous_FIN
+964800679.875978 weird: spontaneous_FIN
+964800679.876046 weird: spontaneous_FIN
+964800679.876117 weird: spontaneous_FIN
+964800679.876188 weird: spontaneous_FIN
+964800679.876257 weird: spontaneous_FIN
+964800679.876324 weird: spontaneous_FIN
+964800679.955629 weird: spontaneous_FIN
+964800679.955703 weird: spontaneous_FIN
+964800679.955768 weird: spontaneous_FIN
+964800679.955832 weird: spontaneous_FIN
+964800679.955895 weird: spontaneous_FIN
+964800679.955958 weird: spontaneous_FIN
+964800679.956029 weird: spontaneous_FIN
+964800679.956098 weird: spontaneous_FIN
+964800679.956164 weird: spontaneous_FIN
+964800679.956230 weird: spontaneous_FIN
+964800679.956293 weird: spontaneous_FIN
+964800680.035623 weird: spontaneous_FIN
+964800680.035702 weird: spontaneous_FIN
+964800680.035770 weird: spontaneous_FIN
+964800680.035841 weird: spontaneous_FIN
+964800680.035915 weird: spontaneous_FIN
+964800680.035985 weird: spontaneous_FIN
+964800680.036058 weird: spontaneous_FIN
+964800680.036131 weird: spontaneous_FIN
+964800680.036201 weird: spontaneous_FIN
+964800680.036272 weird: spontaneous_FIN
+964800680.036340 weird: spontaneous_FIN
+964800680.125641 weird: spontaneous_FIN
+964800680.125716 weird: spontaneous_FIN
+964800680.125783 weird: spontaneous_FIN
+964800680.125848 weird: spontaneous_FIN
+964800680.137407 weird: spontaneous_FIN
+964800680.137496 weird: spontaneous_FIN
+964800680.137564 weird: spontaneous_FIN
+964800680.137631 weird: spontaneous_FIN
+964800680.137698 weird: spontaneous_FIN
+964800680.137762 weird: spontaneous_FIN
+964800680.137829 weird: spontaneous_FIN
+964800680.218929 weird: spontaneous_FIN
+964800680.219009 weird: spontaneous_FIN
+964800680.219080 weird: spontaneous_FIN
+964800680.219148 weird: spontaneous_FIN
+964800680.219215 weird: spontaneous_FIN
+964800680.219287 weird: spontaneous_FIN
+964800680.219356 weird: spontaneous_FIN
+964800680.219427 weird: spontaneous_FIN
+964800680.219499 weird: spontaneous_FIN
+964800680.219570 weird: spontaneous_FIN
+964800680.219639 weird: spontaneous_FIN
+964800680.280296 weird: bad_ICMP_checksum
+964800680.295637 weird: spontaneous_FIN
+964800680.295713 weird: spontaneous_FIN
+964800680.295783 weird: spontaneous_FIN
+964800680.295847 weird: spontaneous_FIN
+964800680.295911 weird: spontaneous_FIN
+964800680.295981 weird: spontaneous_FIN
+964800680.296054 weird: spontaneous_FIN
+964800680.296123 weird: spontaneous_FIN
+964800680.296188 weird: spontaneous_FIN
+964800680.296256 weird: spontaneous_FIN
+964800680.296323 weird: spontaneous_FIN
+964800680.375626 weird: spontaneous_FIN
+964800680.375706 weird: spontaneous_FIN
+964800680.375776 weird: spontaneous_FIN
+964800680.375845 weird: spontaneous_FIN
+964800680.375911 weird: spontaneous_FIN
+964800680.375982 weird: spontaneous_FIN
+964800680.376050 weird: spontaneous_FIN
+964800680.376122 weird: spontaneous_FIN
+964800680.376193 weird: spontaneous_FIN
+964800680.376263 weird: spontaneous_FIN
+964800680.376330 weird: spontaneous_FIN
+964800680.465634 weird: spontaneous_FIN
+964800680.465713 weird: spontaneous_FIN
+964800680.465780 weird: spontaneous_FIN
+964800680.465843 weird: spontaneous_FIN
+964800680.465905 weird: spontaneous_FIN
+964800680.465974 weird: spontaneous_FIN
+964800680.466044 weird: spontaneous_FIN
+964800680.466112 weird: spontaneous_FIN
+964800680.466178 weird: spontaneous_FIN
+964800680.466242 weird: spontaneous_FIN
+964800680.466308 weird: spontaneous_FIN
+964800680.545635 weird: spontaneous_FIN
+964800680.545719 weird: spontaneous_FIN
+964800680.545791 weird: spontaneous_FIN
+964800680.545861 weird: spontaneous_FIN
+964800680.545926 weird: spontaneous_FIN
+964800680.546000 weird: spontaneous_FIN
+964800680.546069 weird: spontaneous_FIN
+964800680.546142 weird: spontaneous_FIN
+964800680.546213 weird: spontaneous_FIN
+964800680.546283 weird: spontaneous_FIN
+964800680.546356 weird: spontaneous_FIN
+964800680.608181 weird: bad_ICMP_checksum
+964800680.625645 weird: spontaneous_FIN
+964800680.625723 weird: spontaneous_FIN
+964800680.625785 weird: spontaneous_FIN
+964800680.625849 weird: spontaneous_FIN
+964800680.625914 weird: spontaneous_FIN
+964800680.625981 weird: spontaneous_FIN
+964800680.626054 weird: spontaneous_FIN
+964800680.626121 weird: spontaneous_FIN
+964800680.626187 weird: spontaneous_FIN
+964800680.626252 weird: spontaneous_FIN
+964800680.626318 weird: spontaneous_FIN
+964800680.705643 weird: spontaneous_FIN
+964800680.705724 weird: spontaneous_FIN
+964800680.705793 weird: spontaneous_FIN
+964800680.705862 weird: spontaneous_FIN
+964800680.705931 weird: spontaneous_FIN
+964800680.706003 weird: spontaneous_FIN
+964800680.706070 weird: spontaneous_FIN
+964800680.706144 weird: spontaneous_FIN
+964800680.706215 weird: spontaneous_FIN
+964800680.706289 weird: spontaneous_FIN
+964800680.706361 weird: spontaneous_FIN
+964800680.728208 weird: bad_ICMP_checksum
+964800680.795660 weird: spontaneous_FIN
+964800680.795742 weird: spontaneous_FIN
+964800680.795810 weird: spontaneous_FIN
+964800680.795878 weird: spontaneous_FIN
+964800680.795947 weird: spontaneous_FIN
+964800680.796020 weird: spontaneous_FIN
+964800680.796088 weird: spontaneous_FIN
+964800680.796156 weird: spontaneous_FIN
+964800680.796222 weird: spontaneous_FIN
+964800680.796290 weird: spontaneous_FIN
+964800680.796357 weird: spontaneous_FIN
+964800680.885635 weird: spontaneous_FIN
+964800680.885716 weird: spontaneous_FIN
+964800680.885788 weird: spontaneous_FIN
+964800680.885859 weird: spontaneous_FIN
+964800680.885928 weird: spontaneous_FIN
+964800680.886002 weird: spontaneous_FIN
+964800680.886072 weird: spontaneous_FIN
+964800680.886146 weird: spontaneous_FIN
+964800680.886218 weird: spontaneous_FIN
+964800680.886290 weird: spontaneous_FIN
+964800680.886360 weird: spontaneous_FIN
+964800680.914649 weird: spontaneous_FIN
+964800680.975438 weird: spontaneous_FIN
+964800680.975511 weird: spontaneous_FIN
+964800680.975602 weird: spontaneous_FIN
+964800680.975671 weird: spontaneous_FIN
+964800680.975737 weird: spontaneous_FIN
+964800680.975805 weird: spontaneous_FIN
+964800680.975877 weird: spontaneous_FIN
+964800680.975945 weird: spontaneous_FIN
+964800680.976012 weird: spontaneous_FIN
+964800680.976075 weird: spontaneous_FIN
+964800680.976140 weird: spontaneous_FIN
+964800681.065637 weird: spontaneous_FIN
+964800681.065719 weird: spontaneous_FIN
+964800681.065789 weird: spontaneous_FIN
+964800681.065860 weird: spontaneous_FIN
+964800681.065928 weird: spontaneous_FIN
+964800681.066000 weird: spontaneous_FIN
+964800681.066067 weird: spontaneous_FIN
+964800681.066138 weird: spontaneous_FIN
+964800681.066209 weird: spontaneous_FIN
+964800681.066278 weird: spontaneous_FIN
+964800681.066347 weird: spontaneous_FIN
+964800681.155651 weird: spontaneous_FIN
+964800681.155725 weird: spontaneous_FIN
+964800681.155790 weird: spontaneous_FIN
+964800681.155857 weird: spontaneous_FIN
+964800681.155923 weird: spontaneous_FIN
+964800681.155991 weird: spontaneous_FIN
+964800681.156062 weird: spontaneous_FIN
+964800681.156131 weird: spontaneous_FIN
+964800681.156196 weird: spontaneous_FIN
+964800681.156261 weird: spontaneous_FIN
+964800681.156325 weird: spontaneous_FIN
+964800681.235644 weird: spontaneous_FIN
+964800681.235724 weird: spontaneous_FIN
+964800681.235795 weird: spontaneous_FIN
+964800681.235863 weird: spontaneous_FIN
+964800681.235930 weird: spontaneous_FIN
+964800681.236000 weird: spontaneous_FIN
+964800681.236072 weird: spontaneous_FIN
+964800681.236141 weird: spontaneous_FIN
+964800681.236211 weird: spontaneous_FIN
+964800681.236287 weird: spontaneous_FIN
+964800681.236356 weird: spontaneous_FIN
+964800681.325649 weird: spontaneous_FIN
+964800681.325725 weird: spontaneous_FIN
+964800681.325790 weird: spontaneous_FIN
+964800681.325857 weird: spontaneous_FIN
+964800681.325921 weird: spontaneous_FIN
+964800681.325988 weird: spontaneous_FIN
+964800681.326063 weird: spontaneous_FIN
+964800681.326132 weird: spontaneous_FIN
+964800681.326198 weird: spontaneous_FIN
+964800681.326264 weird: spontaneous_FIN
+964800681.326329 weird: spontaneous_FIN
+964800681.415638 weird: spontaneous_FIN
+964800681.415714 weird: spontaneous_FIN
+964800681.415785 weird: spontaneous_FIN
+964800681.415853 weird: spontaneous_FIN
+964800681.415921 weird: spontaneous_FIN
+964800681.415992 weird: spontaneous_FIN
+964800681.416060 weird: spontaneous_FIN
+964800681.416133 weird: spontaneous_FIN
+964800681.416202 weird: spontaneous_FIN
+964800681.416273 weird: spontaneous_FIN
+964800681.416340 weird: spontaneous_FIN
+964800681.495272 weird: spontaneous_FIN
+964800681.495346 weird: spontaneous_FIN
+964800681.495413 weird: spontaneous_FIN
+964800681.495479 weird: spontaneous_FIN
+964800681.495570 weird: spontaneous_FIN
+964800681.495637 weird: spontaneous_FIN
+964800681.495709 weird: spontaneous_FIN
+964800681.495780 weird: spontaneous_FIN
+964800681.495848 weird: spontaneous_FIN
+964800681.495912 weird: spontaneous_FIN
+964800681.495979 weird: spontaneous_FIN
+964800681.572388 weird: spontaneous_FIN
+964800681.572464 weird: spontaneous_FIN
+964800681.572536 weird: spontaneous_FIN
+964800681.572605 weird: spontaneous_FIN
+964800681.572675 weird: spontaneous_FIN
+964800681.572743 weird: spontaneous_FIN
+964800681.572814 weird: spontaneous_FIN
+964800681.572886 weird: spontaneous_FIN
+964800681.572958 weird: spontaneous_FIN
+964800681.573029 weird: spontaneous_FIN
+964800681.573096 weird: spontaneous_FIN
+964800681.655650 weird: spontaneous_FIN
+964800681.655723 weird: spontaneous_FIN
+964800681.655791 weird: spontaneous_FIN
+964800681.655855 weird: spontaneous_FIN
+964800681.655920 weird: spontaneous_FIN
+964800681.655988 weird: spontaneous_FIN
+964800681.656060 weird: spontaneous_FIN
+964800681.656127 weird: spontaneous_FIN
+964800681.656195 weird: spontaneous_FIN
+964800681.656261 weird: spontaneous_FIN
+964800681.656329 weird: spontaneous_FIN
+964800681.735646 weird: spontaneous_FIN
+964800681.735727 weird: spontaneous_FIN
+964800681.735796 weird: spontaneous_FIN
+964800681.735864 weird: spontaneous_FIN
+964800681.735933 weird: spontaneous_FIN
+964800681.736003 weird: spontaneous_FIN
+964800681.736073 weird: spontaneous_FIN
+964800681.736143 weird: spontaneous_FIN
+964800681.736216 weird: spontaneous_FIN
+964800681.736293 weird: spontaneous_FIN
+964800681.736364 weird: spontaneous_FIN
+964800681.825666 weird: spontaneous_FIN
+964800681.825744 weird: spontaneous_FIN
+964800681.825813 weird: spontaneous_FIN
+964800681.825882 weird: spontaneous_FIN
+964800681.825950 weird: spontaneous_FIN
+964800681.826021 weird: spontaneous_FIN
+964800681.826090 weird: spontaneous_FIN
+964800681.826158 weird: spontaneous_FIN
+964800681.826225 weird: spontaneous_FIN
+964800681.826293 weird: spontaneous_FIN
+964800681.826360 weird: spontaneous_FIN
+964800681.905639 weird: spontaneous_FIN
+964800681.905717 weird: spontaneous_FIN
+964800681.905790 weird: spontaneous_FIN
+964800681.905864 weird: spontaneous_FIN
+964800681.905937 weird: spontaneous_FIN
+964800681.906005 weird: spontaneous_FIN
+964800681.906075 weird: spontaneous_FIN
+964800681.906145 weird: spontaneous_FIN
+964800681.906217 weird: spontaneous_FIN
+964800681.906289 weird: spontaneous_FIN
+964800681.906358 weird: spontaneous_FIN
+964800681.985655 weird: spontaneous_FIN
+964800681.985729 weird: spontaneous_FIN
+964800681.985800 weird: spontaneous_FIN
+964800681.985865 weird: spontaneous_FIN
+964800681.985931 weird: spontaneous_FIN
+964800681.985998 weird: spontaneous_FIN
+964800681.986071 weird: spontaneous_FIN
+964800681.986140 weird: spontaneous_FIN
+964800681.986211 weird: spontaneous_FIN
+964800681.986277 weird: spontaneous_FIN
+964800681.986343 weird: spontaneous_FIN
+964800682.075646 weird: spontaneous_FIN
+964800682.075724 weird: spontaneous_FIN
+964800682.075794 weird: spontaneous_FIN
+964800682.075861 weird: spontaneous_FIN
+964800682.075931 weird: spontaneous_FIN
+964800682.075999 weird: spontaneous_FIN
+964800682.076068 weird: spontaneous_FIN
+964800682.076138 weird: spontaneous_FIN
+964800682.076208 weird: spontaneous_FIN
+964800682.076279 weird: spontaneous_FIN
+964800682.076349 weird: spontaneous_FIN
+964800682.165653 weird: spontaneous_FIN
+964800682.165730 weird: spontaneous_FIN
+964800682.165797 weird: spontaneous_FIN
+964800682.165861 weird: spontaneous_FIN
+964800682.165925 weird: spontaneous_FIN
+964800682.165990 weird: spontaneous_FIN
+964800682.166064 weird: spontaneous_FIN
+964800682.166131 weird: spontaneous_FIN
+964800682.166196 weird: spontaneous_FIN
+964800682.166259 weird: spontaneous_FIN
+964800682.166325 weird: spontaneous_FIN
+964800682.245642 weird: spontaneous_FIN
+964800682.245721 weird: spontaneous_FIN
+964800682.245790 weird: spontaneous_FIN
+964800682.245858 weird: spontaneous_FIN
+964800682.245926 weird: spontaneous_FIN
+964800682.245995 weird: spontaneous_FIN
+964800682.246064 weird: spontaneous_FIN
+964800682.246135 weird: spontaneous_FIN
+964800682.246205 weird: spontaneous_FIN
+964800682.246275 weird: spontaneous_FIN
+964800682.246343 weird: spontaneous_FIN
+964800682.335686 weird: spontaneous_FIN
+964800682.335766 weird: spontaneous_FIN
+964800682.335836 weird: spontaneous_FIN
+964800682.335905 weird: spontaneous_FIN
+964800682.335974 weird: spontaneous_FIN
+964800682.336041 weird: spontaneous_FIN
+964800682.336113 weird: spontaneous_FIN
+964800682.336182 weird: spontaneous_FIN
+964800682.336250 weird: spontaneous_FIN
+964800682.336318 weird: spontaneous_FIN
+964800682.336384 weird: spontaneous_FIN
+964800682.415650 weird: spontaneous_FIN
+964800682.415727 weird: spontaneous_FIN
+964800682.415801 weird: spontaneous_FIN
+964800682.415874 weird: spontaneous_FIN
+964800682.415946 weird: spontaneous_FIN
+964800682.416015 weird: spontaneous_FIN
+964800682.416084 weird: spontaneous_FIN
+964800682.416154 weird: spontaneous_FIN
+964800682.416225 weird: spontaneous_FIN
+964800682.416295 weird: spontaneous_FIN
+964800682.416364 weird: spontaneous_FIN
+964800682.463998 weird: baroque_SYN
+964800682.465262 weird: spontaneous_FIN
+964800682.483541 weird: bad_ICMP_checksum
+964800682.505657 weird: spontaneous_FIN
+964800682.505732 weird: spontaneous_FIN
+964800682.505796 weird: spontaneous_FIN
+964800682.505859 weird: spontaneous_FIN
+964800682.505923 weird: spontaneous_FIN
+964800682.505989 weird: spontaneous_FIN
+964800682.506062 weird: spontaneous_FIN
+964800682.506131 weird: spontaneous_FIN
+964800682.506198 weird: spontaneous_FIN
+964800682.506262 weird: spontaneous_FIN
+964800682.506326 weird: spontaneous_FIN
+964800682.585646 weird: spontaneous_FIN
+964800682.585726 weird: spontaneous_FIN
+964800682.585795 weird: spontaneous_FIN
+964800682.585862 weird: spontaneous_FIN
+964800682.585933 weird: spontaneous_FIN
+964800682.586001 weird: spontaneous_FIN
+964800682.586068 weird: spontaneous_FIN
+964800682.586141 weird: spontaneous_FIN
+964800682.586213 weird: spontaneous_FIN
+964800682.586283 weird: spontaneous_FIN
+964800682.586351 weird: spontaneous_FIN
+964800682.670909 weird: bad_ICMP_checksum
+964800682.675683 weird: spontaneous_FIN
+964800682.675758 weird: spontaneous_FIN
+964800682.675826 weird: spontaneous_FIN
+964800682.675893 weird: spontaneous_FIN
+964800682.675957 weird: spontaneous_FIN
+964800682.676023 weird: spontaneous_FIN
+964800682.676094 weird: spontaneous_FIN
+964800682.676162 weird: spontaneous_FIN
+964800682.676227 weird: spontaneous_FIN
+964800682.676294 weird: spontaneous_FIN
+964800682.676359 weird: spontaneous_FIN
+964800682.755655 weird: spontaneous_FIN
+964800682.755735 weird: spontaneous_FIN
+964800682.755804 weird: spontaneous_FIN
+964800682.755873 weird: spontaneous_FIN
+964800682.755942 weird: spontaneous_FIN
+964800682.756010 weird: spontaneous_FIN
+964800682.756080 weird: spontaneous_FIN
+964800682.756151 weird: spontaneous_FIN
+964800682.756222 weird: spontaneous_FIN
+964800682.756294 weird: spontaneous_FIN
+964800682.756365 weird: spontaneous_FIN
+964800682.835688 weird: spontaneous_FIN
+964800682.835774 weird: spontaneous_FIN
+964800682.835848 weird: spontaneous_FIN
+964800682.835920 weird: spontaneous_FIN
+964800682.836012 weird: spontaneous_FIN
+964800682.836094 weird: spontaneous_FIN
+964800682.836164 weird: spontaneous_FIN
+964800682.836235 weird: spontaneous_FIN
+964800682.836303 weird: spontaneous_FIN
+964800682.836372 weird: spontaneous_FIN
+964800682.836439 weird: spontaneous_FIN
+964800682.915653 weird: spontaneous_FIN
+964800682.915741 weird: spontaneous_FIN
+964800682.915825 weird: spontaneous_FIN
+964800682.915903 weird: spontaneous_FIN
+964800682.915971 weird: spontaneous_FIN
+964800682.916041 weird: spontaneous_FIN
+964800682.916110 weird: spontaneous_FIN
+964800682.916182 weird: spontaneous_FIN
+964800682.916253 weird: spontaneous_FIN
+964800682.916324 weird: spontaneous_FIN
+964800682.916392 weird: spontaneous_FIN
+964800683.005668 weird: spontaneous_FIN
+964800683.005745 weird: spontaneous_FIN
+964800683.005811 weird: spontaneous_FIN
+964800683.005879 weird: spontaneous_FIN
+964800683.005945 weird: spontaneous_FIN
+964800683.006012 weird: spontaneous_FIN
+964800683.006084 weird: spontaneous_FIN
+964800683.006154 weird: spontaneous_FIN
+964800683.006221 weird: spontaneous_FIN
+964800683.006285 weird: spontaneous_FIN
+964800683.006352 weird: spontaneous_FIN
+964800683.085650 weird: spontaneous_FIN
+964800683.085732 weird: spontaneous_FIN
+964800683.085803 weird: spontaneous_FIN
+964800683.085870 weird: spontaneous_FIN
+964800683.085941 weird: spontaneous_FIN
+964800683.086008 weird: spontaneous_FIN
+964800683.086077 weird: spontaneous_FIN
+964800683.086146 weird: spontaneous_FIN
+964800683.086218 weird: spontaneous_FIN
+964800683.086289 weird: spontaneous_FIN
+964800683.086357 weird: spontaneous_FIN
+964800683.175662 weird: spontaneous_FIN
+964800683.175739 weird: spontaneous_FIN
+964800683.175810 weird: spontaneous_FIN
+964800683.175872 weird: spontaneous_FIN
+964800683.175938 weird: spontaneous_FIN
+964800683.176003 weird: spontaneous_FIN
+964800683.176076 weird: spontaneous_FIN
+964800683.176144 weird: spontaneous_FIN
+964800683.176210 weird: spontaneous_FIN
+964800683.176274 weird: spontaneous_FIN
+964800683.176341 weird: spontaneous_FIN
+964800683.191565 weird: bad_ICMP_checksum
+964800683.265658 weird: spontaneous_FIN
+964800683.265742 weird: spontaneous_FIN
+964800683.265814 weird: spontaneous_FIN
+964800683.265886 weird: spontaneous_FIN
+964800683.265954 weird: spontaneous_FIN
+964800683.266025 weird: spontaneous_FIN
+964800683.266098 weird: spontaneous_FIN
+964800683.266166 weird: spontaneous_FIN
+964800683.266233 weird: spontaneous_FIN
+964800683.266306 weird: spontaneous_FIN
+964800683.266376 weird: spontaneous_FIN
+964800683.345666 weird: spontaneous_FIN
+964800683.345740 weird: spontaneous_FIN
+964800683.345807 weird: spontaneous_FIN
+964800683.345873 weird: spontaneous_FIN
+964800683.345941 weird: spontaneous_FIN
+964800683.346008 weird: spontaneous_FIN
+964800683.346081 weird: spontaneous_FIN
+964800683.346153 weird: spontaneous_FIN
+964800683.346220 weird: spontaneous_FIN
+964800683.346286 weird: spontaneous_FIN
+964800683.346355 weird: spontaneous_FIN
+964800683.425181 weird: spontaneous_FIN
+964800683.425262 weird: spontaneous_FIN
+964800683.425334 weird: spontaneous_FIN
+964800683.425402 weird: spontaneous_FIN
+964800683.425473 weird: spontaneous_FIN
+964800683.425569 weird: spontaneous_FIN
+964800683.425641 weird: spontaneous_FIN
+964800683.425712 weird: spontaneous_FIN
+964800683.425783 weird: spontaneous_FIN
+964800683.425856 weird: spontaneous_FIN
+964800683.425926 weird: spontaneous_FIN
+964800683.442278 weird: bad_ICMP_checksum
+964800683.515664 weird: spontaneous_FIN
+964800683.515743 weird: spontaneous_FIN
+964800683.515813 weird: spontaneous_FIN
+964800683.515877 weird: spontaneous_FIN
+964800683.515946 weird: spontaneous_FIN
+964800683.516015 weird: spontaneous_FIN
+964800683.516088 weird: spontaneous_FIN
+964800683.516159 weird: spontaneous_FIN
+964800683.516226 weird: spontaneous_FIN
+964800683.516295 weird: spontaneous_FIN
+964800683.516362 weird: spontaneous_FIN
+964800683.595654 weird: spontaneous_FIN
+964800683.595733 weird: spontaneous_FIN
+964800683.595804 weird: spontaneous_FIN
+964800683.595874 weird: spontaneous_FIN
+964800683.595947 weird: spontaneous_FIN
+964800683.596016 weird: spontaneous_FIN
+964800683.596089 weird: spontaneous_FIN
+964800683.596162 weird: spontaneous_FIN
+964800683.596234 weird: spontaneous_FIN
+964800683.596313 weird: spontaneous_FIN
+964800683.596387 weird: spontaneous_FIN
+964800683.675672 weird: spontaneous_FIN
+964800683.675749 weird: spontaneous_FIN
+964800683.675814 weird: spontaneous_FIN
+964800683.675879 weird: spontaneous_FIN
+964800683.675949 weird: spontaneous_FIN
+964800683.676016 weird: spontaneous_FIN
+964800683.676089 weird: spontaneous_FIN
+964800683.676158 weird: spontaneous_FIN
+964800683.676224 weird: spontaneous_FIN
+964800683.676290 weird: spontaneous_FIN
+964800683.676354 weird: spontaneous_FIN
+964800683.732317 weird: bad_ICMP_checksum
+964800683.765658 weird: spontaneous_FIN
+964800683.765738 weird: spontaneous_FIN
+964800683.765809 weird: spontaneous_FIN
+964800683.765879 weird: spontaneous_FIN
+964800683.765949 weird: spontaneous_FIN
+964800683.766017 weird: spontaneous_FIN
+964800683.766089 weird: spontaneous_FIN
+964800683.766160 weird: spontaneous_FIN
+964800683.766232 weird: spontaneous_FIN
+964800683.766304 weird: spontaneous_FIN
+964800683.766378 weird: spontaneous_FIN
+964800683.845675 weird: spontaneous_FIN
+964800683.845754 weird: spontaneous_FIN
+964800683.845818 weird: spontaneous_FIN
+964800683.845885 weird: spontaneous_FIN
+964800683.845950 weird: spontaneous_FIN
+964800683.846019 weird: spontaneous_FIN
+964800683.846089 weird: spontaneous_FIN
+964800683.846156 weird: spontaneous_FIN
+964800683.846225 weird: spontaneous_FIN
+964800683.846292 weird: spontaneous_FIN
+964800683.846356 weird: spontaneous_FIN
+964800683.925659 weird: spontaneous_FIN
+964800683.925742 weird: spontaneous_FIN
+964800683.925810 weird: spontaneous_FIN
+964800683.925879 weird: spontaneous_FIN
+964800683.925947 weird: spontaneous_FIN
+964800683.926017 weird: spontaneous_FIN
+964800683.926088 weird: spontaneous_FIN
+964800683.926158 weird: spontaneous_FIN
+964800683.926230 weird: spontaneous_FIN
+964800683.926304 weird: spontaneous_FIN
+964800683.926376 weird: spontaneous_FIN
+964800684.005664 weird: spontaneous_FIN
+964800684.005740 weird: spontaneous_FIN
+964800684.005808 weird: spontaneous_FIN
+964800684.005876 weird: spontaneous_FIN
+964800684.005941 weird: spontaneous_FIN
+964800684.006008 weird: spontaneous_FIN
+964800684.006083 weird: spontaneous_FIN
+964800684.006150 weird: spontaneous_FIN
+964800684.006216 weird: spontaneous_FIN
+964800684.006284 weird: spontaneous_FIN
+964800684.006349 weird: spontaneous_FIN
+964800684.085658 weird: spontaneous_FIN
+964800684.085736 weird: spontaneous_FIN
+964800684.085815 weird: spontaneous_FIN
+964800684.085878 weird: spontaneous_FIN
+964800684.085950 weird: spontaneous_FIN
+964800684.086060 weird: spontaneous_FIN
+964800684.086118 weird: spontaneous_FIN
+964800684.086167 weird: spontaneous_FIN
+964800684.086239 weird: spontaneous_FIN
+964800684.086309 weird: spontaneous_FIN
+964800684.086380 weird: spontaneous_FIN
+964800684.165670 weird: spontaneous_FIN
+964800684.165745 weird: spontaneous_FIN
+964800684.165810 weird: spontaneous_FIN
+964800684.165878 weird: spontaneous_FIN
+964800684.165941 weird: spontaneous_FIN
+964800684.166008 weird: spontaneous_FIN
+964800684.166079 weird: spontaneous_FIN
+964800684.166147 weird: spontaneous_FIN
+964800684.166213 weird: spontaneous_FIN
+964800684.166280 weird: spontaneous_FIN
+964800684.166345 weird: spontaneous_FIN
+964800684.245659 weird: spontaneous_FIN
+964800684.245740 weird: spontaneous_FIN
+964800684.245809 weird: spontaneous_FIN
+964800684.245874 weird: spontaneous_FIN
+964800684.245943 weird: spontaneous_FIN
+964800684.246011 weird: spontaneous_FIN
+964800684.246081 weird: spontaneous_FIN
+964800684.246151 weird: spontaneous_FIN
+964800684.246223 weird: spontaneous_FIN
+964800684.246292 weird: spontaneous_FIN
+964800684.246361 weird: spontaneous_FIN
+964800684.326954 weird: spontaneous_FIN
+964800684.327027 weird: spontaneous_FIN
+964800684.327093 weird: spontaneous_FIN
+964800684.327160 weird: spontaneous_FIN
+964800684.327225 weird: spontaneous_FIN
+964800684.327290 weird: spontaneous_FIN
+964800684.327363 weird: spontaneous_FIN
+964800684.327432 weird: spontaneous_FIN
+964800684.327499 weird: spontaneous_FIN
+964800684.327564 weird: spontaneous_FIN
+964800684.327630 weird: spontaneous_FIN
+964800684.415660 weird: spontaneous_FIN
+964800684.415741 weird: spontaneous_FIN
+964800684.415809 weird: spontaneous_FIN
+964800684.415878 weird: spontaneous_FIN
+964800684.415947 weird: spontaneous_FIN
+964800684.416014 weird: spontaneous_FIN
+964800684.416083 weird: spontaneous_FIN
+964800684.416158 weird: spontaneous_FIN
+964800684.416231 weird: spontaneous_FIN
+964800684.416305 weird: spontaneous_FIN
+964800684.416375 weird: spontaneous_FIN
+964800684.495361 weird: spontaneous_FIN
+964800684.495444 weird: spontaneous_FIN
+964800684.495511 weird: spontaneous_FIN
+964800684.495814 weird: spontaneous_FIN
+964800684.495819 weird: spontaneous_FIN
+964800684.495848 weird: spontaneous_FIN
+964800684.495913 weird: spontaneous_FIN
+964800684.495978 weird: spontaneous_FIN
+964800684.496046 weird: spontaneous_FIN
+964800684.496110 weird: spontaneous_FIN
+964800684.496174 weird: spontaneous_FIN
+964800684.575667 weird: spontaneous_FIN
+964800684.575750 weird: spontaneous_FIN
+964800684.575819 weird: spontaneous_FIN
+964800684.575890 weird: spontaneous_FIN
+964800684.575960 weird: spontaneous_FIN
+964800684.576031 weird: spontaneous_FIN
+964800684.576100 weird: spontaneous_FIN
+964800684.576168 weird: spontaneous_FIN
+964800684.576238 weird: spontaneous_FIN
+964800684.576309 weird: spontaneous_FIN
+964800684.576379 weird: spontaneous_FIN
+964800684.655670 weird: spontaneous_FIN
+964800684.655748 weird: spontaneous_FIN
+964800684.655813 weird: spontaneous_FIN
+964800684.655878 weird: spontaneous_FIN
+964800684.655945 weird: spontaneous_FIN
+964800684.656013 weird: spontaneous_FIN
+964800684.656081 weird: spontaneous_FIN
+964800684.656149 weird: spontaneous_FIN
+964800684.656214 weird: spontaneous_FIN
+964800684.656280 weird: spontaneous_FIN
+964800684.656344 weird: spontaneous_FIN
+964800684.745663 weird: spontaneous_FIN
+964800684.745743 weird: spontaneous_FIN
+964800684.745815 weird: spontaneous_FIN
+964800684.745887 weird: spontaneous_FIN
+964800684.745958 weird: spontaneous_FIN
+964800684.746028 weird: spontaneous_FIN
+964800684.746100 weird: spontaneous_FIN
+964800684.746169 weird: spontaneous_FIN
+964800684.746237 weird: spontaneous_FIN
+964800684.746311 weird: spontaneous_FIN
+964800684.746385 weird: spontaneous_FIN
+964800684.825677 weird: spontaneous_FIN
+964800684.825755 weird: spontaneous_FIN
+964800684.825825 weird: spontaneous_FIN
+964800684.825891 weird: spontaneous_FIN
+964800684.825960 weird: spontaneous_FIN
+964800684.826026 weird: spontaneous_FIN
+964800684.826096 weird: spontaneous_FIN
+964800684.826164 weird: spontaneous_FIN
+964800684.826229 weird: spontaneous_FIN
+964800684.826294 weird: spontaneous_FIN
+964800684.826360 weird: spontaneous_FIN
+964800684.905656 weird: spontaneous_FIN
+964800684.905736 weird: spontaneous_FIN
+964800684.905807 weird: spontaneous_FIN
+964800684.905877 weird: spontaneous_FIN
+964800684.905948 weird: spontaneous_FIN
+964800684.906018 weird: spontaneous_FIN
+964800684.906091 weird: spontaneous_FIN
+964800684.906161 weird: spontaneous_FIN
+964800684.906230 weird: spontaneous_FIN
+964800684.906301 weird: spontaneous_FIN
+964800684.906372 weird: spontaneous_FIN
+964800684.985670 weird: spontaneous_FIN
+964800684.985744 weird: spontaneous_FIN
+964800684.985813 weird: spontaneous_FIN
+964800684.985877 weird: spontaneous_FIN
+964800684.985946 weird: spontaneous_FIN
+964800684.986011 weird: spontaneous_FIN
+964800684.986083 weird: spontaneous_FIN
+964800684.986149 weird: spontaneous_FIN
+964800684.986214 weird: spontaneous_FIN
+964800684.986280 weird: spontaneous_FIN
+964800684.986346 weird: spontaneous_FIN
+964800685.065665 weird: spontaneous_FIN
+964800685.065743 weird: spontaneous_FIN
+964800685.065816 weird: spontaneous_FIN
+964800685.065888 weird: spontaneous_FIN
+964800685.065958 weird: spontaneous_FIN
+964800685.066024 weird: spontaneous_FIN
+964800685.066095 weird: spontaneous_FIN
+964800685.066162 weird: spontaneous_FIN
+964800685.066231 weird: spontaneous_FIN
+964800685.066303 weird: spontaneous_FIN
+964800685.066373 weird: spontaneous_FIN
+964800685.155672 weird: spontaneous_FIN
+964800685.155747 weird: spontaneous_FIN
+964800685.155813 weird: spontaneous_FIN
+964800685.155880 weird: spontaneous_FIN
+964800685.155948 weird: spontaneous_FIN
+964800685.156013 weird: spontaneous_FIN
+964800685.156082 weird: spontaneous_FIN
+964800685.156150 weird: spontaneous_FIN
+964800685.156216 weird: spontaneous_FIN
+964800685.156278 weird: spontaneous_FIN
+964800685.156341 weird: spontaneous_FIN
+964800685.235665 weird: spontaneous_FIN
+964800685.235744 weird: spontaneous_FIN
+964800685.235817 weird: spontaneous_FIN
+964800685.235888 weird: spontaneous_FIN
+964800685.235958 weird: spontaneous_FIN
+964800685.236026 weird: spontaneous_FIN
+964800685.236100 weird: spontaneous_FIN
+964800685.236165 weird: spontaneous_FIN
+964800685.236237 weird: spontaneous_FIN
+964800685.236311 weird: spontaneous_FIN
+964800685.236384 weird: spontaneous_FIN
+964800685.325677 weird: spontaneous_FIN
+964800685.325752 weird: spontaneous_FIN
+964800685.325821 weird: spontaneous_FIN
+964800685.325886 weird: spontaneous_FIN
+964800685.325954 weird: spontaneous_FIN
+964800685.326020 weird: spontaneous_FIN
+964800685.326088 weird: spontaneous_FIN
+964800685.326155 weird: spontaneous_FIN
+964800685.326220 weird: spontaneous_FIN
+964800685.326285 weird: spontaneous_FIN
+964800685.326349 weird: spontaneous_FIN
+964800685.405671 weird: spontaneous_FIN
+964800685.405778 weird: spontaneous_FIN
+964800685.405848 weird: spontaneous_FIN
+964800685.405920 weird: spontaneous_FIN
+964800685.405991 weird: spontaneous_FIN
+964800685.406059 weird: spontaneous_FIN
+964800685.406131 weird: spontaneous_FIN
+964800685.406201 weird: spontaneous_FIN
+964800685.406271 weird: spontaneous_FIN
+964800685.406342 weird: spontaneous_FIN
+964800685.406415 weird: spontaneous_FIN
+964800685.485669 weird: spontaneous_FIN
+964800685.485749 weird: spontaneous_FIN
+964800685.485812 weird: spontaneous_FIN
+964800685.485877 weird: spontaneous_FIN
+964800685.485945 weird: spontaneous_FIN
+964800685.486011 weird: spontaneous_FIN
+964800685.486084 weird: spontaneous_FIN
+964800685.486147 weird: spontaneous_FIN
+964800685.486214 weird: spontaneous_FIN
+964800685.486277 weird: spontaneous_FIN
+964800685.486344 weird: spontaneous_FIN
+964800685.565668 weird: spontaneous_FIN
+964800685.565747 weird: spontaneous_FIN
+964800685.565820 weird: spontaneous_FIN
+964800685.565890 weird: spontaneous_FIN
+964800685.565962 weird: spontaneous_FIN
+964800685.566029 weird: spontaneous_FIN
+964800685.566100 weird: spontaneous_FIN
+964800685.566169 weird: spontaneous_FIN
+964800685.566236 weird: spontaneous_FIN
+964800685.566310 weird: spontaneous_FIN
+964800685.566381 weird: spontaneous_FIN
+964800685.645676 weird: spontaneous_FIN
+964800685.645756 weird: spontaneous_FIN
+964800685.645824 weird: spontaneous_FIN
+964800685.645889 weird: spontaneous_FIN
+964800685.645957 weird: spontaneous_FIN
+964800685.646023 weird: spontaneous_FIN
+964800685.646091 weird: spontaneous_FIN
+964800685.646157 weird: spontaneous_FIN
+964800685.646223 weird: spontaneous_FIN
+964800685.646287 weird: spontaneous_FIN
+964800685.646352 weird: spontaneous_FIN
+964800685.723114 weird: spontaneous_FIN
+964800685.723195 weird: spontaneous_FIN
+964800685.723262 weird: spontaneous_FIN
+964800685.723366 weird: spontaneous_FIN
+964800685.723441 weird: spontaneous_FIN
+964800685.723508 weird: spontaneous_FIN
+964800685.723579 weird: spontaneous_FIN
+964800685.723648 weird: spontaneous_FIN
+964800685.723717 weird: spontaneous_FIN
+964800685.723790 weird: spontaneous_FIN
+964800685.723863 weird: spontaneous_FIN
+964800685.815687 weird: spontaneous_FIN
+964800685.815762 weird: spontaneous_FIN
+964800685.815829 weird: spontaneous_FIN
+964800685.815895 weird: spontaneous_FIN
+964800685.815964 weird: spontaneous_FIN
+964800685.816031 weird: spontaneous_FIN
+964800685.816102 weird: spontaneous_FIN
+964800685.816169 weird: spontaneous_FIN
+964800685.816235 weird: spontaneous_FIN
+964800685.816302 weird: spontaneous_FIN
+964800685.816367 weird: spontaneous_FIN
+964800685.895661 weird: spontaneous_FIN
+964800685.895739 weird: spontaneous_FIN
+964800685.895812 weird: spontaneous_FIN
+964800685.895882 weird: spontaneous_FIN
+964800685.895952 weird: spontaneous_FIN
+964800685.896020 weird: spontaneous_FIN
+964800685.896091 weird: spontaneous_FIN
+964800685.896160 weird: spontaneous_FIN
+964800685.896230 weird: spontaneous_FIN
+964800685.896303 weird: spontaneous_FIN
+964800685.896375 weird: spontaneous_FIN
+964800685.899223 weird: spontaneous_FIN
+964800685.975675 weird: spontaneous_FIN
+964800685.975748 weird: spontaneous_FIN
+964800685.975815 weird: spontaneous_FIN
+964800685.975880 weird: spontaneous_FIN
+964800685.975948 weird: spontaneous_FIN
+964800685.976014 weird: spontaneous_FIN
+964800685.976083 weird: spontaneous_FIN
+964800685.976151 weird: spontaneous_FIN
+964800685.976216 weird: spontaneous_FIN
+964800685.976280 weird: spontaneous_FIN
+964800685.976346 weird: spontaneous_FIN
+964800686.055670 weird: spontaneous_FIN
+964800686.055749 weird: spontaneous_FIN
+964800686.055819 weird: spontaneous_FIN
+964800686.055887 weird: spontaneous_FIN
+964800686.055957 weird: spontaneous_FIN
+964800686.056023 weird: spontaneous_FIN
+964800686.056094 weird: spontaneous_FIN
+964800686.056161 weird: spontaneous_FIN
+964800686.056230 weird: spontaneous_FIN
+964800686.056304 weird: spontaneous_FIN
+964800686.056377 weird: spontaneous_FIN
+964800686.135680 weird: spontaneous_FIN
+964800686.135758 weird: spontaneous_FIN
+964800686.135824 weird: spontaneous_FIN
+964800686.135891 weird: spontaneous_FIN
+964800686.135960 weird: spontaneous_FIN
+964800686.136027 weird: spontaneous_FIN
+964800686.136095 weird: spontaneous_FIN
+964800686.136164 weird: spontaneous_FIN
+964800686.136230 weird: spontaneous_FIN
+964800686.136297 weird: spontaneous_FIN
+964800686.136365 weird: spontaneous_FIN
+964800686.225673 weird: spontaneous_FIN
+964800686.225753 weird: spontaneous_FIN
+964800686.225826 weird: spontaneous_FIN
+964800686.225897 weird: spontaneous_FIN
+964800686.225968 weird: spontaneous_FIN
+964800686.226040 weird: spontaneous_FIN
+964800686.226113 weird: spontaneous_FIN
+964800686.226182 weird: spontaneous_FIN
+964800686.226253 weird: spontaneous_FIN
+964800686.226327 weird: spontaneous_FIN
+964800686.226401 weird: spontaneous_FIN
+964800686.305684 weird: spontaneous_FIN
+964800686.305757 weird: spontaneous_FIN
+964800686.305824 weird: spontaneous_FIN
+964800686.305891 weird: spontaneous_FIN
+964800686.305962 weird: spontaneous_FIN
+964800686.306031 weird: spontaneous_FIN
+964800686.306101 weird: spontaneous_FIN
+964800686.306168 weird: spontaneous_FIN
+964800686.306232 weird: spontaneous_FIN
+964800686.306298 weird: spontaneous_FIN
+964800686.306365 weird: spontaneous_FIN
+964800686.385672 weird: spontaneous_FIN
+964800686.385755 weird: spontaneous_FIN
+964800686.385827 weird: spontaneous_FIN
+964800686.385901 weird: spontaneous_FIN
+964800686.385970 weird: spontaneous_FIN
+964800686.386037 weird: spontaneous_FIN
+964800686.386107 weird: spontaneous_FIN
+964800686.386174 weird: spontaneous_FIN
+964800686.386241 weird: spontaneous_FIN
+964800686.386314 weird: spontaneous_FIN
+964800686.386385 weird: spontaneous_FIN
+964800686.465684 weird: spontaneous_FIN
+964800686.465759 weird: spontaneous_FIN
+964800686.465826 weird: spontaneous_FIN
+964800686.465893 weird: spontaneous_FIN
+964800686.465964 weird: spontaneous_FIN
+964800686.466033 weird: spontaneous_FIN
+964800686.466106 weird: spontaneous_FIN
+964800686.466174 weird: spontaneous_FIN
+964800686.466243 weird: spontaneous_FIN
+964800686.466308 weird: spontaneous_FIN
+964800686.466379 weird: spontaneous_FIN
+964800686.545675 weird: spontaneous_FIN
+964800686.545755 weird: spontaneous_FIN
+964800686.545829 weird: spontaneous_FIN
+964800686.545901 weird: spontaneous_FIN
+964800686.545974 weird: spontaneous_FIN
+964800686.546047 weird: spontaneous_FIN
+964800686.546120 weird: spontaneous_FIN
+964800686.546189 weird: spontaneous_FIN
+964800686.546259 weird: spontaneous_FIN
+964800686.546337 weird: spontaneous_FIN
+964800686.546417 weird: spontaneous_FIN
+964800686.635695 weird: spontaneous_FIN
+964800686.635771 weird: spontaneous_FIN
+964800686.635839 weird: spontaneous_FIN
+964800686.635906 weird: spontaneous_FIN
+964800686.635975 weird: spontaneous_FIN
+964800686.636044 weird: spontaneous_FIN
+964800686.636114 weird: spontaneous_FIN
+964800686.636183 weird: spontaneous_FIN
+964800686.636249 weird: spontaneous_FIN
+964800686.636316 weird: spontaneous_FIN
+964800686.636383 weird: spontaneous_FIN
+964800686.725682 weird: spontaneous_FIN
+964800686.725764 weird: spontaneous_FIN
+964800686.725835 weird: spontaneous_FIN
+964800686.725909 weird: spontaneous_FIN
+964800686.725983 weird: spontaneous_FIN
+964800686.726053 weird: spontaneous_FIN
+964800686.726127 weird: spontaneous_FIN
+964800686.726197 weird: spontaneous_FIN
+964800686.726266 weird: spontaneous_FIN
+964800686.726338 weird: spontaneous_FIN
+964800686.726412 weird: spontaneous_FIN
+964800686.805705 weird: spontaneous_FIN
+964800686.805785 weird: spontaneous_FIN
+964800686.805852 weird: spontaneous_FIN
+964800686.805917 weird: spontaneous_FIN
+964800686.805986 weird: spontaneous_FIN
+964800686.806054 weird: spontaneous_FIN
+964800686.806122 weird: spontaneous_FIN
+964800686.806191 weird: spontaneous_FIN
+964800686.806258 weird: spontaneous_FIN
+964800686.806325 weird: spontaneous_FIN
+964800686.806392 weird: spontaneous_FIN
+964800686.895674 weird: spontaneous_FIN
+964800686.895755 weird: spontaneous_FIN
+964800686.895828 weird: spontaneous_FIN
+964800686.895899 weird: spontaneous_FIN
+964800686.895970 weird: spontaneous_FIN
+964800686.896039 weird: spontaneous_FIN
+964800686.896112 weird: spontaneous_FIN
+964800686.896182 weird: spontaneous_FIN
+964800686.896252 weird: spontaneous_FIN
+964800686.896326 weird: spontaneous_FIN
+964800686.896398 weird: spontaneous_FIN
+964800686.975687 weird: spontaneous_FIN
+964800686.975762 weird: spontaneous_FIN
+964800686.975833 weird: spontaneous_FIN
+964800686.975899 weird: spontaneous_FIN
+964800686.975969 weird: spontaneous_FIN
+964800686.976038 weird: spontaneous_FIN
+964800686.976108 weird: spontaneous_FIN
+964800686.976175 weird: spontaneous_FIN
+964800686.976243 weird: spontaneous_FIN
+964800686.976310 weird: spontaneous_FIN
+964800686.976379 weird: spontaneous_FIN
+964800687.065676 weird: spontaneous_FIN
+964800687.065757 weird: spontaneous_FIN
+964800687.065826 weird: spontaneous_FIN
+964800687.065897 weird: spontaneous_FIN
+964800687.065967 weird: spontaneous_FIN
+964800687.066037 weird: spontaneous_FIN
+964800687.066111 weird: spontaneous_FIN
+964800687.066181 weird: spontaneous_FIN
+964800687.066250 weird: spontaneous_FIN
+964800687.066327 weird: spontaneous_FIN
+964800687.066404 weird: spontaneous_FIN
+964800687.145702 weird: spontaneous_FIN
+964800687.145784 weird: spontaneous_FIN
+964800687.145851 weird: spontaneous_FIN
+964800687.145919 weird: spontaneous_FIN
+964800687.145990 weird: spontaneous_FIN
+964800687.146063 weird: spontaneous_FIN
+964800687.146131 weird: spontaneous_FIN
+964800687.146200 weird: spontaneous_FIN
+964800687.146270 weird: spontaneous_FIN
+964800687.146336 weird: spontaneous_FIN
+964800687.146402 weird: spontaneous_FIN
+964800687.225680 weird: spontaneous_FIN
+964800687.225763 weird: spontaneous_FIN
+964800687.225841 weird: spontaneous_FIN
+964800687.225915 weird: spontaneous_FIN
+964800687.225986 weird: spontaneous_FIN
+964800687.226057 weird: spontaneous_FIN
+964800687.226129 weird: spontaneous_FIN
+964800687.226200 weird: spontaneous_FIN
+964800687.226275 weird: spontaneous_FIN
+964800687.226347 weird: spontaneous_FIN
+964800687.226422 weird: spontaneous_FIN
+964800687.305699 weird: spontaneous_FIN
+964800687.305777 weird: spontaneous_FIN
+964800687.305847 weird: spontaneous_FIN
+964800687.305914 weird: spontaneous_FIN
+964800687.305983 weird: spontaneous_FIN
+964800687.306055 weird: spontaneous_FIN
+964800687.306124 weird: spontaneous_FIN
+964800687.306194 weird: spontaneous_FIN
+964800687.306264 weird: spontaneous_FIN
+964800687.306331 weird: spontaneous_FIN
+964800687.306398 weird: spontaneous_FIN
+964800687.395719 weird: spontaneous_FIN
+964800687.395809 weird: spontaneous_FIN
+964800687.395881 weird: spontaneous_FIN
+964800687.395954 weird: spontaneous_FIN
+964800687.396027 weird: spontaneous_FIN
+964800687.396100 weird: spontaneous_FIN
+964800687.396173 weird: spontaneous_FIN
+964800687.396246 weird: spontaneous_FIN
+964800687.396320 weird: spontaneous_FIN
+964800687.396397 weird: spontaneous_FIN
+964800687.396477 weird: spontaneous_FIN
+964800687.475729 weird: spontaneous_FIN
+964800687.475814 weird: spontaneous_FIN
+964800687.475884 weird: spontaneous_FIN
+964800687.475956 weird: spontaneous_FIN
+964800687.476024 weird: spontaneous_FIN
+964800687.476094 weird: spontaneous_FIN
+964800687.476167 weird: spontaneous_FIN
+964800687.476237 weird: spontaneous_FIN
+964800687.476312 weird: spontaneous_FIN
+964800687.476384 weird: spontaneous_FIN
+964800687.476460 weird: spontaneous_FIN
+964800687.555699 weird: spontaneous_FIN
+964800687.555789 weird: spontaneous_FIN
+964800687.555867 weird: spontaneous_FIN
+964800687.555946 weird: spontaneous_FIN
+964800687.556019 weird: spontaneous_FIN
+964800687.556094 weird: spontaneous_FIN
+964800687.556169 weird: spontaneous_FIN
+964800687.556246 weird: spontaneous_FIN
+964800687.556327 weird: spontaneous_FIN
+964800687.556407 weird: spontaneous_FIN
+964800687.556490 weird: spontaneous_FIN
+964800687.635701 weird: spontaneous_FIN
+964800687.635775 weird: spontaneous_FIN
+964800687.635841 weird: spontaneous_FIN
+964800687.635909 weird: spontaneous_FIN
+964800687.635978 weird: spontaneous_FIN
+964800687.636046 weird: spontaneous_FIN
+964800687.636114 weird: spontaneous_FIN
+964800687.636182 weird: spontaneous_FIN
+964800687.636250 weird: spontaneous_FIN
+964800687.636315 weird: spontaneous_FIN
+964800687.636378 weird: spontaneous_FIN
+964800687.715704 weird: spontaneous_FIN
+964800687.715786 weird: spontaneous_FIN
+964800687.715858 weird: spontaneous_FIN
+964800687.715932 weird: spontaneous_FIN
+964800687.716001 weird: spontaneous_FIN
+964800687.716070 weird: spontaneous_FIN
+964800687.716142 weird: spontaneous_FIN
+964800687.716212 weird: spontaneous_FIN
+964800687.716283 weird: spontaneous_FIN
+964800687.716357 weird: spontaneous_FIN
+964800687.716429 weird: spontaneous_FIN
+964800687.795699 weird: spontaneous_FIN
+964800687.795778 weird: spontaneous_FIN
+964800687.795843 weird: spontaneous_FIN
+964800687.795913 weird: spontaneous_FIN
+964800687.795978 weird: spontaneous_FIN
+964800687.796050 weird: spontaneous_FIN
+964800687.796118 weird: spontaneous_FIN
+964800687.796188 weird: spontaneous_FIN
+964800687.796256 weird: spontaneous_FIN
+964800687.796327 weird: spontaneous_FIN
+964800687.796392 weird: spontaneous_FIN
+964800687.875673 weird: spontaneous_FIN
+964800687.875750 weird: spontaneous_FIN
+964800687.875823 weird: spontaneous_FIN
+964800687.875894 weird: spontaneous_FIN
+964800687.875961 weird: spontaneous_FIN
+964800687.887466 weird: spontaneous_FIN
+964800687.887549 weird: spontaneous_FIN
+964800687.887622 weird: spontaneous_FIN
+964800687.887696 weird: spontaneous_FIN
+964800687.887770 weird: spontaneous_FIN
+964800687.887844 weird: spontaneous_FIN
+964800687.965694 weird: spontaneous_FIN
+964800687.965772 weird: spontaneous_FIN
+964800687.965838 weird: spontaneous_FIN
+964800687.965904 weird: spontaneous_FIN
+964800687.965968 weird: spontaneous_FIN
+964800687.966037 weird: spontaneous_FIN
+964800687.966107 weird: spontaneous_FIN
+964800687.966175 weird: spontaneous_FIN
+964800687.966242 weird: spontaneous_FIN
+964800687.966310 weird: spontaneous_FIN
+964800687.966378 weird: spontaneous_FIN
+964800688.055683 weird: spontaneous_FIN
+964800688.055769 weird: spontaneous_FIN
+964800688.055844 weird: spontaneous_FIN
+964800688.055915 weird: spontaneous_FIN
+964800688.055987 weird: spontaneous_FIN
+964800688.056059 weird: spontaneous_FIN
+964800688.056130 weird: spontaneous_FIN
+964800688.056201 weird: spontaneous_FIN
+964800688.056273 weird: spontaneous_FIN
+964800688.056344 weird: spontaneous_FIN
+964800688.056416 weird: spontaneous_FIN
+964800688.135694 weird: spontaneous_FIN
+964800688.135770 weird: spontaneous_FIN
+964800688.135840 weird: spontaneous_FIN
+964800688.135906 weird: spontaneous_FIN
+964800688.135974 weird: spontaneous_FIN
+964800688.136044 weird: spontaneous_FIN
+964800688.136113 weird: spontaneous_FIN
+964800688.136186 weird: spontaneous_FIN
+964800688.136250 weird: spontaneous_FIN
+964800688.136317 weird: spontaneous_FIN
+964800688.136384 weird: spontaneous_FIN
+964800688.225684 weird: spontaneous_FIN
+964800688.225765 weird: spontaneous_FIN
+964800688.225837 weird: spontaneous_FIN
+964800688.225907 weird: spontaneous_FIN
+964800688.225976 weird: spontaneous_FIN
+964800688.226045 weird: spontaneous_FIN
+964800688.226115 weird: spontaneous_FIN
+964800688.226185 weird: spontaneous_FIN
+964800688.226257 weird: spontaneous_FIN
+964800688.226332 weird: spontaneous_FIN
+964800688.226404 weird: spontaneous_FIN
+964800688.315692 weird: spontaneous_FIN
+964800688.315771 weird: spontaneous_FIN
+964800688.315841 weird: spontaneous_FIN
+964800688.315907 weird: spontaneous_FIN
+964800688.315973 weird: spontaneous_FIN
+964800688.316047 weird: spontaneous_FIN
+964800688.316116 weird: spontaneous_FIN
+964800688.316182 weird: spontaneous_FIN
+964800688.316250 weird: spontaneous_FIN
+964800688.316315 weird: spontaneous_FIN
+964800688.316382 weird: spontaneous_FIN
+964800688.395678 weird: spontaneous_FIN
+964800688.395757 weird: spontaneous_FIN
+964800688.395830 weird: spontaneous_FIN
+964800688.395901 weird: spontaneous_FIN
+964800688.395967 weird: spontaneous_FIN
+964800688.396039 weird: spontaneous_FIN
+964800688.396109 weird: spontaneous_FIN
+964800688.396182 weird: spontaneous_FIN
+964800688.396259 weird: spontaneous_FIN
+964800688.396332 weird: spontaneous_FIN
+964800688.396406 weird: spontaneous_FIN
+964800688.485713 weird: spontaneous_FIN
+964800688.485795 weird: spontaneous_FIN
+964800688.485861 weird: spontaneous_FIN
+964800688.485929 weird: spontaneous_FIN
+964800688.485997 weird: spontaneous_FIN
+964800688.486069 weird: spontaneous_FIN
+964800688.486139 weird: spontaneous_FIN
+964800688.486207 weird: spontaneous_FIN
+964800688.486276 weird: spontaneous_FIN
+964800688.486342 weird: spontaneous_FIN
+964800688.486409 weird: spontaneous_FIN
+964800688.565688 weird: spontaneous_FIN
+964800688.565771 weird: spontaneous_FIN
+964800688.565845 weird: spontaneous_FIN
+964800688.565918 weird: spontaneous_FIN
+964800688.565986 weird: spontaneous_FIN
+964800688.566056 weird: spontaneous_FIN
+964800688.566127 weird: spontaneous_FIN
+964800688.566199 weird: spontaneous_FIN
+964800688.566269 weird: spontaneous_FIN
+964800688.566342 weird: spontaneous_FIN
+964800688.566417 weird: spontaneous_FIN
+964800688.645702 weird: spontaneous_FIN
+964800688.645779 weird: spontaneous_FIN
+964800688.645845 weird: spontaneous_FIN
+964800688.645916 weird: spontaneous_FIN
+964800688.645983 weird: spontaneous_FIN
+964800688.646056 weird: spontaneous_FIN
+964800688.646124 weird: spontaneous_FIN
+964800688.646195 weird: spontaneous_FIN
+964800688.646261 weird: spontaneous_FIN
+964800688.646330 weird: spontaneous_FIN
+964800688.646396 weird: spontaneous_FIN
+964800688.735691 weird: spontaneous_FIN
+964800688.735771 weird: spontaneous_FIN
+964800688.735844 weird: spontaneous_FIN
+964800688.735916 weird: spontaneous_FIN
+964800688.735985 weird: spontaneous_FIN
+964800688.736056 weird: spontaneous_FIN
+964800688.736126 weird: spontaneous_FIN
+964800688.736196 weird: spontaneous_FIN
+964800688.736266 weird: spontaneous_FIN
+964800688.736340 weird: spontaneous_FIN
+964800688.736412 weird: spontaneous_FIN
+964800688.815702 weird: spontaneous_FIN
+964800688.815782 weird: spontaneous_FIN
+964800688.815846 weird: spontaneous_FIN
+964800688.815914 weird: spontaneous_FIN
+964800688.815983 weird: spontaneous_FIN
+964800688.816051 weird: spontaneous_FIN
+964800688.816121 weird: spontaneous_FIN
+964800688.816188 weird: spontaneous_FIN
+964800688.816254 weird: spontaneous_FIN
+964800688.816321 weird: spontaneous_FIN
+964800688.816386 weird: spontaneous_FIN
+964800688.895682 weird: spontaneous_FIN
+964800688.895761 weird: spontaneous_FIN
+964800688.895833 weird: spontaneous_FIN
+964800688.895904 weird: spontaneous_FIN
+964800688.895971 weird: spontaneous_FIN
+964800688.896040 weird: spontaneous_FIN
+964800688.896111 weird: spontaneous_FIN
+964800688.896181 weird: spontaneous_FIN
+964800688.896250 weird: spontaneous_FIN
+964800688.896320 weird: spontaneous_FIN
+964800688.896392 weird: spontaneous_FIN
+964800688.975697 weird: spontaneous_FIN
+964800688.975774 weird: spontaneous_FIN
+964800688.975837 weird: spontaneous_FIN
+964800688.975905 weird: spontaneous_FIN
+964800688.975974 weird: spontaneous_FIN
+964800688.976045 weird: spontaneous_FIN
+964800688.976114 weird: spontaneous_FIN
+964800688.976182 weird: spontaneous_FIN
+964800688.976247 weird: spontaneous_FIN
+964800688.976314 weird: spontaneous_FIN
+964800688.976379 weird: spontaneous_FIN
+964800689.055692 weird: spontaneous_FIN
+964800689.055773 weird: spontaneous_FIN
+964800689.055845 weird: spontaneous_FIN
+964800689.055918 weird: spontaneous_FIN
+964800689.055985 weird: spontaneous_FIN
+964800689.056056 weird: spontaneous_FIN
+964800689.056125 weird: spontaneous_FIN
+964800689.056195 weird: spontaneous_FIN
+964800689.056265 weird: spontaneous_FIN
+964800689.056337 weird: spontaneous_FIN
+964800689.056410 weird: spontaneous_FIN
+964800689.135692 weird: spontaneous_FIN
+964800689.135763 weird: spontaneous_FIN
+964800689.135829 weird: spontaneous_FIN
+964800689.135895 weird: spontaneous_FIN
+964800689.135964 weird: spontaneous_FIN
+964800689.136033 weird: spontaneous_FIN
+964800689.136103 weird: spontaneous_FIN
+964800689.136169 weird: spontaneous_FIN
+964800689.136236 weird: spontaneous_FIN
+964800689.136301 weird: spontaneous_FIN
+964800689.136364 weird: spontaneous_FIN
+964800689.225696 weird: spontaneous_FIN
+964800689.225780 weird: spontaneous_FIN
+964800689.225850 weird: spontaneous_FIN
+964800689.225922 weird: spontaneous_FIN
+964800689.225992 weird: spontaneous_FIN
+964800689.226064 weird: spontaneous_FIN
+964800689.226135 weird: spontaneous_FIN
+964800689.226204 weird: spontaneous_FIN
+964800689.226278 weird: spontaneous_FIN
+964800689.226353 weird: spontaneous_FIN
+964800689.226425 weird: spontaneous_FIN
+964800689.305698 weird: spontaneous_FIN
+964800689.305774 weird: spontaneous_FIN
+964800689.305844 weird: spontaneous_FIN
+964800689.305911 weird: spontaneous_FIN
+964800689.305980 weird: spontaneous_FIN
+964800689.306050 weird: spontaneous_FIN
+964800689.306120 weird: spontaneous_FIN
+964800689.306185 weird: spontaneous_FIN
+964800689.306252 weird: spontaneous_FIN
+964800689.306318 weird: spontaneous_FIN
+964800689.306385 weird: spontaneous_FIN
+964800689.385678 weird: spontaneous_FIN
+964800689.385758 weird: spontaneous_FIN
+964800689.385831 weird: spontaneous_FIN
+964800689.385904 weird: spontaneous_FIN
+964800689.385973 weird: spontaneous_FIN
+964800689.386041 weird: spontaneous_FIN
+964800689.386112 weird: spontaneous_FIN
+964800689.386180 weird: spontaneous_FIN
+964800689.386251 weird: spontaneous_FIN
+964800689.386322 weird: spontaneous_FIN
+964800689.386395 weird: spontaneous_FIN
+964800689.465698 weird: spontaneous_FIN
+964800689.465762 weird: spontaneous_FIN
+964800689.465829 weird: spontaneous_FIN
+964800689.465894 weird: spontaneous_FIN
+964800689.465964 weird: spontaneous_FIN
+964800689.466031 weird: spontaneous_FIN
+964800689.466100 weird: spontaneous_FIN
+964800689.466169 weird: spontaneous_FIN
+964800689.466237 weird: spontaneous_FIN
+964800689.466305 weird: spontaneous_FIN
+964800689.466368 weird: spontaneous_FIN
+964800689.555696 weird: spontaneous_FIN
+964800689.555780 weird: spontaneous_FIN
+964800689.555849 weird: spontaneous_FIN
+964800689.555922 weird: spontaneous_FIN
+964800689.555990 weird: spontaneous_FIN
+964800689.556059 weird: spontaneous_FIN
+964800689.556131 weird: spontaneous_FIN
+964800689.556201 weird: spontaneous_FIN
+964800689.556272 weird: spontaneous_FIN
+964800689.556346 weird: spontaneous_FIN
+964800689.556418 weird: spontaneous_FIN
+964800689.635706 weird: spontaneous_FIN
+964800689.635782 weird: spontaneous_FIN
+964800689.635851 weird: spontaneous_FIN
+964800689.635919 weird: spontaneous_FIN
+964800689.635985 weird: spontaneous_FIN
+964800689.636056 weird: spontaneous_FIN
+964800689.636125 weird: spontaneous_FIN
+964800689.636193 weird: spontaneous_FIN
+964800689.636261 weird: spontaneous_FIN
+964800689.636327 weird: spontaneous_FIN
+964800689.636393 weird: spontaneous_FIN
+964800689.725696 weird: spontaneous_FIN
+964800689.725778 weird: spontaneous_FIN
+964800689.725853 weird: spontaneous_FIN
+964800689.725927 weird: spontaneous_FIN
+964800689.725996 weird: spontaneous_FIN
+964800689.726067 weird: spontaneous_FIN
+964800689.726137 weird: spontaneous_FIN
+964800689.726208 weird: spontaneous_FIN
+964800689.726279 weird: spontaneous_FIN
+964800689.726353 weird: spontaneous_FIN
+964800689.726425 weird: spontaneous_FIN
+964800689.805716 weird: spontaneous_FIN
+964800689.805791 weird: spontaneous_FIN
+964800689.805860 weird: spontaneous_FIN
+964800689.805923 weird: spontaneous_FIN
+964800689.805992 weird: spontaneous_FIN
+964800689.806062 weird: spontaneous_FIN
+964800689.806131 weird: spontaneous_FIN
+964800689.806199 weird: spontaneous_FIN
+964800689.806265 weird: spontaneous_FIN
+964800689.806331 weird: spontaneous_FIN
+964800689.806397 weird: spontaneous_FIN
+964800689.885686 weird: spontaneous_FIN
+964800689.885767 weird: spontaneous_FIN
+964800689.885840 weird: spontaneous_FIN
+964800689.885910 weird: spontaneous_FIN
+964800689.885980 weird: spontaneous_FIN
+964800689.886049 weird: spontaneous_FIN
+964800689.886120 weird: spontaneous_FIN
+964800689.886187 weird: spontaneous_FIN
+964800689.886256 weird: spontaneous_FIN
+964800689.886328 weird: spontaneous_FIN
+964800689.886401 weird: spontaneous_FIN
+964800689.965703 weird: spontaneous_FIN
+964800689.965778 weird: spontaneous_FIN
+964800689.965842 weird: spontaneous_FIN
+964800689.965910 weird: spontaneous_FIN
+964800689.965980 weird: spontaneous_FIN
+964800689.966050 weird: spontaneous_FIN
+964800689.966115 weird: spontaneous_FIN
+964800689.966181 weird: spontaneous_FIN
+964800689.966252 weird: spontaneous_FIN
+964800689.966317 weird: spontaneous_FIN
+964800689.966382 weird: spontaneous_FIN
+964800690.045698 weird: spontaneous_FIN
+964800690.045775 weird: spontaneous_FIN
+964800690.045848 weird: spontaneous_FIN
+964800690.045918 weird: spontaneous_FIN
+964800690.045986 weird: spontaneous_FIN
+964800690.046056 weird: spontaneous_FIN
+964800690.046125 weird: spontaneous_FIN
+964800690.046194 weird: spontaneous_FIN
+964800690.046263 weird: spontaneous_FIN
+964800690.046335 weird: spontaneous_FIN
+964800690.046408 weird: spontaneous_FIN
+964800690.135710 weird: spontaneous_FIN
+964800690.135785 weird: spontaneous_FIN
+964800690.135852 weird: spontaneous_FIN
+964800690.135921 weird: spontaneous_FIN
+964800690.135989 weird: spontaneous_FIN
+964800690.136058 weird: spontaneous_FIN
+964800690.136125 weird: spontaneous_FIN
+964800690.136192 weird: spontaneous_FIN
+964800690.136257 weird: spontaneous_FIN
+964800690.136323 weird: spontaneous_FIN
+964800690.136389 weird: spontaneous_FIN
+964800690.225697 weird: spontaneous_FIN
+964800690.225778 weird: spontaneous_FIN
+964800690.225851 weird: spontaneous_FIN
+964800690.225919 weird: spontaneous_FIN
+964800690.225988 weird: spontaneous_FIN
+964800690.226059 weird: spontaneous_FIN
+964800690.226130 weird: spontaneous_FIN
+964800690.226200 weird: spontaneous_FIN
+964800690.226271 weird: spontaneous_FIN
+964800690.226344 weird: spontaneous_FIN
+964800690.226415 weird: spontaneous_FIN
+964800690.305703 weird: spontaneous_FIN
+964800690.305775 weird: spontaneous_FIN
+964800690.305842 weird: spontaneous_FIN
+964800690.305910 weird: spontaneous_FIN
+964800690.305982 weird: spontaneous_FIN
+964800690.306048 weird: spontaneous_FIN
+964800690.306113 weird: spontaneous_FIN
+964800690.306183 weird: spontaneous_FIN
+964800690.306250 weird: spontaneous_FIN
+964800690.306314 weird: spontaneous_FIN
+964800690.306381 weird: spontaneous_FIN
+964800690.385689 weird: spontaneous_FIN
+964800690.385768 weird: spontaneous_FIN
+964800690.385842 weird: spontaneous_FIN
+964800690.385911 weird: spontaneous_FIN
+964800690.385978 weird: spontaneous_FIN
+964800690.386045 weird: spontaneous_FIN
+964800690.386114 weird: spontaneous_FIN
+964800690.386185 weird: spontaneous_FIN
+964800690.386258 weird: spontaneous_FIN
+964800690.386327 weird: spontaneous_FIN
+964800690.386397 weird: spontaneous_FIN
+964800690.465703 weird: spontaneous_FIN
+964800690.465777 weird: spontaneous_FIN
+964800690.465840 weird: spontaneous_FIN
+964800690.465909 weird: spontaneous_FIN
+964800690.465980 weird: spontaneous_FIN
+964800690.466049 weird: spontaneous_FIN
+964800690.466115 weird: spontaneous_FIN
+964800690.466180 weird: spontaneous_FIN
+964800690.466247 weird: spontaneous_FIN
+964800690.466311 weird: spontaneous_FIN
+964800690.466375 weird: spontaneous_FIN
+964800690.545700 weird: spontaneous_FIN
+964800690.545777 weird: spontaneous_FIN
+964800690.545849 weird: spontaneous_FIN
+964800690.545919 weird: spontaneous_FIN
+964800690.545989 weird: spontaneous_FIN
+964800690.546057 weird: spontaneous_FIN
+964800690.546126 weird: spontaneous_FIN
+964800690.546196 weird: spontaneous_FIN
+964800690.546266 weird: spontaneous_FIN
+964800690.546339 weird: spontaneous_FIN
+964800690.546412 weird: spontaneous_FIN
+964800690.635709 weird: spontaneous_FIN
+964800690.635784 weird: spontaneous_FIN
+964800690.635850 weird: spontaneous_FIN
+964800690.635919 weird: spontaneous_FIN
+964800690.635987 weird: spontaneous_FIN
+964800690.636059 weird: spontaneous_FIN
+964800690.636124 weird: spontaneous_FIN
+964800690.636192 weird: spontaneous_FIN
+964800690.636261 weird: spontaneous_FIN
+964800690.636326 weird: spontaneous_FIN
+964800690.636396 weird: spontaneous_FIN
+964800690.725700 weird: spontaneous_FIN
+964800690.725780 weird: spontaneous_FIN
+964800690.725854 weird: spontaneous_FIN
+964800690.725927 weird: spontaneous_FIN
+964800690.725999 weird: spontaneous_FIN
+964800690.726071 weird: spontaneous_FIN
+964800690.726143 weird: spontaneous_FIN
+964800690.726214 weird: spontaneous_FIN
+964800690.726284 weird: spontaneous_FIN
+964800690.726356 weird: spontaneous_FIN
+964800690.726428 weird: spontaneous_FIN
+964800690.805719 weird: spontaneous_FIN
+964800690.805797 weird: spontaneous_FIN
+964800690.805861 weird: spontaneous_FIN
+964800690.805933 weird: spontaneous_FIN
+964800690.805999 weird: spontaneous_FIN
+964800690.806068 weird: spontaneous_FIN
+964800690.806133 weird: spontaneous_FIN
+964800690.806199 weird: spontaneous_FIN
+964800690.806267 weird: spontaneous_FIN
+964800690.806332 weird: spontaneous_FIN
+964800690.806399 weird: spontaneous_FIN
+964800690.885692 weird: spontaneous_FIN
+964800690.885770 weird: spontaneous_FIN
+964800690.885841 weird: spontaneous_FIN
+964800690.885911 weird: spontaneous_FIN
+964800690.885978 weird: spontaneous_FIN
+964800690.886048 weird: spontaneous_FIN
+964800690.886118 weird: spontaneous_FIN
+964800690.886188 weird: spontaneous_FIN
+964800690.886258 weird: spontaneous_FIN
+964800690.886330 weird: spontaneous_FIN
+964800690.886401 weird: spontaneous_FIN
+964800690.959715 weird: spontaneous_FIN
+964800690.965699 weird: spontaneous_FIN
+964800690.965775 weird: spontaneous_FIN
+964800690.965838 weird: spontaneous_FIN
+964800690.965905 weird: spontaneous_FIN
+964800690.965974 weird: spontaneous_FIN
+964800690.966043 weird: spontaneous_FIN
+964800690.966108 weird: spontaneous_FIN
+964800690.966173 weird: spontaneous_FIN
+964800690.966240 weird: spontaneous_FIN
+964800690.966304 weird: spontaneous_FIN
+964800690.966372 weird: spontaneous_FIN
+964800691.015249 weird: spontaneous_FIN
+964800691.045704 weird: spontaneous_FIN
+964800691.045783 weird: spontaneous_FIN
+964800691.045856 weird: spontaneous_FIN
+964800691.045926 weird: spontaneous_FIN
+964800691.045993 weird: spontaneous_FIN
+964800691.046062 weird: spontaneous_FIN
+964800691.046135 weird: spontaneous_FIN
+964800691.046206 weird: spontaneous_FIN
+964800691.046277 weird: spontaneous_FIN
+964800691.046350 weird: spontaneous_FIN
+964800691.046425 weird: spontaneous_FIN
+964800691.135715 weird: spontaneous_FIN
+964800691.135788 weird: spontaneous_FIN
+964800691.135852 weird: spontaneous_FIN
+964800691.135918 weird: spontaneous_FIN
+964800691.135989 weird: spontaneous_FIN
+964800691.136059 weird: spontaneous_FIN
+964800691.136125 weird: spontaneous_FIN
+964800691.136191 weird: spontaneous_FIN
+964800691.136259 weird: spontaneous_FIN
+964800691.136322 weird: spontaneous_FIN
+964800691.136390 weird: spontaneous_FIN
+964800691.215707 weird: spontaneous_FIN
+964800691.215790 weird: spontaneous_FIN
+964800691.215862 weird: spontaneous_FIN
+964800691.215932 weird: spontaneous_FIN
+964800691.216001 weird: spontaneous_FIN
+964800691.216071 weird: spontaneous_FIN
+964800691.216141 weird: spontaneous_FIN
+964800691.216211 weird: spontaneous_FIN
+964800691.216281 weird: spontaneous_FIN
+964800691.216354 weird: spontaneous_FIN
+964800691.216429 weird: spontaneous_FIN
+964800691.295706 weird: spontaneous_FIN
+964800691.295782 weird: spontaneous_FIN
+964800691.295849 weird: spontaneous_FIN
+964800691.295946 weird: spontaneous_FIN
+964800691.296018 weird: spontaneous_FIN
+964800691.296090 weird: spontaneous_FIN
+964800691.296161 weird: spontaneous_FIN
+964800691.296231 weird: spontaneous_FIN
+964800691.296300 weird: spontaneous_FIN
+964800691.296366 weird: spontaneous_FIN
+964800691.296433 weird: spontaneous_FIN
+964800691.375698 weird: spontaneous_FIN
+964800691.375776 weird: spontaneous_FIN
+964800691.375848 weird: spontaneous_FIN
+964800691.375916 weird: spontaneous_FIN
+964800691.375984 weird: spontaneous_FIN
+964800691.376056 weird: spontaneous_FIN
+964800691.376131 weird: spontaneous_FIN
+964800691.376207 weird: spontaneous_FIN
+964800691.376274 weird: spontaneous_FIN
+964800691.376346 weird: spontaneous_FIN
+964800691.376417 weird: spontaneous_FIN
+964800691.465715 weird: spontaneous_FIN
+964800691.465793 weird: spontaneous_FIN
+964800691.465860 weird: spontaneous_FIN
+964800691.465927 weird: spontaneous_FIN
+964800691.465995 weird: spontaneous_FIN
+964800691.466064 weird: spontaneous_FIN
+964800691.466131 weird: spontaneous_FIN
+964800691.466197 weird: spontaneous_FIN
+964800691.466264 weird: spontaneous_FIN
+964800691.466329 weird: spontaneous_FIN
+964800691.466396 weird: spontaneous_FIN
+964800691.555704 weird: spontaneous_FIN
+964800691.555815 weird: spontaneous_FIN
+964800691.555890 weird: spontaneous_FIN
+964800691.555958 weird: spontaneous_FIN
+964800691.556028 weird: spontaneous_FIN
+964800691.556098 weird: spontaneous_FIN
+964800691.556169 weird: spontaneous_FIN
+964800691.556239 weird: spontaneous_FIN
+964800691.556310 weird: spontaneous_FIN
+964800691.556381 weird: spontaneous_FIN
+964800691.556453 weird: spontaneous_FIN
+964800691.645711 weird: spontaneous_FIN
+964800691.645789 weird: spontaneous_FIN
+964800691.645853 weird: spontaneous_FIN
+964800691.645924 weird: spontaneous_FIN
+964800691.645993 weird: spontaneous_FIN
+964800691.646064 weird: spontaneous_FIN
+964800691.646132 weird: spontaneous_FIN
+964800691.646198 weird: spontaneous_FIN
+964800691.646264 weird: spontaneous_FIN
+964800691.646330 weird: spontaneous_FIN
+964800691.646397 weird: spontaneous_FIN
+964800691.725709 weird: spontaneous_FIN
+964800691.725792 weird: spontaneous_FIN
+964800691.725865 weird: spontaneous_FIN
+964800691.725936 weird: spontaneous_FIN
+964800691.726005 weird: spontaneous_FIN
+964800691.726075 weird: spontaneous_FIN
+964800691.726144 weird: spontaneous_FIN
+964800691.726213 weird: spontaneous_FIN
+964800691.726283 weird: spontaneous_FIN
+964800691.726355 weird: spontaneous_FIN
+964800691.726426 weird: spontaneous_FIN
+964800691.805721 weird: spontaneous_FIN
+964800691.805798 weird: spontaneous_FIN
+964800691.805861 weird: spontaneous_FIN
+964800691.805930 weird: spontaneous_FIN
+964800691.806000 weird: spontaneous_FIN
+964800691.806072 weird: spontaneous_FIN
+964800691.806139 weird: spontaneous_FIN
+964800691.806202 weird: spontaneous_FIN
+964800691.806271 weird: spontaneous_FIN
+964800691.806337 weird: spontaneous_FIN
+964800691.806403 weird: spontaneous_FIN
+964800691.885696 weird: spontaneous_FIN
+964800691.885773 weird: spontaneous_FIN
+964800691.885847 weird: spontaneous_FIN
+964800691.885914 weird: spontaneous_FIN
+964800691.885984 weird: spontaneous_FIN
+964800691.886053 weird: spontaneous_FIN
+964800691.886124 weird: spontaneous_FIN
+964800691.886194 weird: spontaneous_FIN
+964800691.886265 weird: spontaneous_FIN
+964800691.886337 weird: spontaneous_FIN
+964800691.886408 weird: spontaneous_FIN
+964800691.965706 weird: spontaneous_FIN
+964800691.965778 weird: spontaneous_FIN
+964800691.965842 weird: spontaneous_FIN
+964800691.965912 weird: spontaneous_FIN
+964800691.965980 weird: spontaneous_FIN
+964800691.966049 weird: spontaneous_FIN
+964800691.966112 weird: spontaneous_FIN
+964800691.966178 weird: spontaneous_FIN
+964800691.966245 weird: spontaneous_FIN
+964800691.966311 weird: spontaneous_FIN
+964800691.966379 weird: spontaneous_FIN
+964800692.055706 weird: spontaneous_FIN
+964800692.055786 weird: spontaneous_FIN
+964800692.055859 weird: spontaneous_FIN
+964800692.055930 weird: spontaneous_FIN
+964800692.055998 weird: spontaneous_FIN
+964800692.056067 weird: spontaneous_FIN
+964800692.056140 weird: spontaneous_FIN
+964800692.056210 weird: spontaneous_FIN
+964800692.056280 weird: spontaneous_FIN
+964800692.056353 weird: spontaneous_FIN
+964800692.056427 weird: spontaneous_FIN
+964800692.145826 weird: spontaneous_FIN
+964800692.145900 weird: spontaneous_FIN
+964800692.145966 weird: spontaneous_FIN
+964800692.146036 weird: spontaneous_FIN
+964800692.146104 weird: spontaneous_FIN
+964800692.146172 weird: spontaneous_FIN
+964800692.146239 weird: spontaneous_FIN
+964800692.146306 weird: spontaneous_FIN
+964800692.146373 weird: spontaneous_FIN
+964800692.146442 weird: spontaneous_FIN
+964800692.146510 weird: spontaneous_FIN
+964800692.225714 weird: spontaneous_FIN
+964800692.225792 weird: spontaneous_FIN
+964800692.225859 weird: spontaneous_FIN
+964800692.225932 weird: spontaneous_FIN
+964800692.226001 weird: spontaneous_FIN
+964800692.226068 weird: spontaneous_FIN
+964800692.226135 weird: spontaneous_FIN
+964800692.226204 weird: spontaneous_FIN
+964800692.226271 weird: spontaneous_FIN
+964800692.226340 weird: spontaneous_FIN
+964800692.226410 weird: spontaneous_FIN
+964800692.305717 weird: spontaneous_FIN
+964800692.305790 weird: spontaneous_FIN
+964800692.305861 weird: spontaneous_FIN
+964800692.305932 weird: spontaneous_FIN
+964800692.306007 weird: spontaneous_FIN
+964800692.306078 weird: spontaneous_FIN
+964800692.306149 weird: spontaneous_FIN
+964800692.306215 weird: spontaneous_FIN
+964800692.306281 weird: spontaneous_FIN
+964800692.306346 weird: spontaneous_FIN
+964800692.306412 weird: spontaneous_FIN
+964800692.391778 weird: spontaneous_FIN
+964800692.391857 weird: spontaneous_FIN
+964800692.391934 weird: spontaneous_FIN
+964800692.392008 weird: spontaneous_FIN
+964800692.392085 weird: spontaneous_FIN
+964800692.392160 weird: spontaneous_FIN
+964800692.392235 weird: spontaneous_FIN
+964800692.392307 weird: spontaneous_FIN
+964800692.392376 weird: spontaneous_FIN
+964800692.392447 weird: spontaneous_FIN
+964800692.392519 weird: spontaneous_FIN
+964800692.485724 weird: spontaneous_FIN
+964800692.485798 weird: spontaneous_FIN
+964800692.485867 weird: spontaneous_FIN
+964800692.485937 weird: spontaneous_FIN
+964800692.486006 weird: spontaneous_FIN
+964800692.486073 weird: spontaneous_FIN
+964800692.486142 weird: spontaneous_FIN
+964800692.486208 weird: spontaneous_FIN
+964800692.486274 weird: spontaneous_FIN
+964800692.486343 weird: spontaneous_FIN
+964800692.486412 weird: spontaneous_FIN
+964800692.565709 weird: spontaneous_FIN
+964800692.565791 weird: spontaneous_FIN
+964800692.565862 weird: spontaneous_FIN
+964800692.565935 weird: spontaneous_FIN
+964800692.566009 weird: spontaneous_FIN
+964800692.566076 weird: spontaneous_FIN
+964800692.566142 weird: spontaneous_FIN
+964800692.566214 weird: spontaneous_FIN
+964800692.566281 weird: spontaneous_FIN
+964800692.566381 weird: spontaneous_FIN
+964800692.566453 weird: spontaneous_FIN
+964800692.655720 weird: spontaneous_FIN
+964800692.655792 weird: spontaneous_FIN
+964800692.655882 weird: spontaneous_FIN
+964800692.655929 weird: spontaneous_FIN
+964800692.655998 weird: spontaneous_FIN
+964800692.656069 weird: spontaneous_FIN
+964800692.656137 weird: spontaneous_FIN
+964800692.656205 weird: spontaneous_FIN
+964800692.656270 weird: spontaneous_FIN
+964800692.656336 weird: spontaneous_FIN
+964800692.656404 weird: spontaneous_FIN
+964800692.745714 weird: spontaneous_FIN
+964800692.745792 weird: spontaneous_FIN
+964800692.745861 weird: spontaneous_FIN
+964800692.745936 weird: spontaneous_FIN
+964800692.746008 weird: spontaneous_FIN
+964800692.746080 weird: spontaneous_FIN
+964800692.746150 weird: spontaneous_FIN
+964800692.746220 weird: spontaneous_FIN
+964800692.746289 weird: spontaneous_FIN
+964800692.746361 weird: spontaneous_FIN
+964800692.746433 weird: spontaneous_FIN
+964800692.825732 weird: spontaneous_FIN
+964800692.825813 weird: spontaneous_FIN
+964800692.825881 weird: spontaneous_FIN
+964800692.825951 weird: spontaneous_FIN
+964800692.826018 weird: spontaneous_FIN
+964800692.826081 weird: spontaneous_FIN
+964800692.826146 weird: spontaneous_FIN
+964800692.826253 weird: spontaneous_FIN
+964800692.826322 weird: spontaneous_FIN
+964800692.826388 weird: spontaneous_FIN
+964800692.826455 weird: spontaneous_FIN
+964800692.905701 weird: spontaneous_FIN
+964800692.905780 weird: spontaneous_FIN
+964800692.905851 weird: spontaneous_FIN
+964800692.905926 weird: spontaneous_FIN
+964800692.905998 weird: spontaneous_FIN
+964800692.906066 weird: spontaneous_FIN
+964800692.906137 weird: spontaneous_FIN
+964800692.906207 weird: spontaneous_FIN
+964800692.906276 weird: spontaneous_FIN
+964800692.906346 weird: spontaneous_FIN
+964800692.906416 weird: spontaneous_FIN
+964800692.985723 weird: spontaneous_FIN
+964800692.985795 weird: spontaneous_FIN
+964800692.985863 weird: spontaneous_FIN
+964800692.985933 weird: spontaneous_FIN
+964800692.986003 weird: spontaneous_FIN
+964800692.986067 weird: spontaneous_FIN
+964800692.986136 weird: spontaneous_FIN
+964800692.986207 weird: spontaneous_FIN
+964800692.986275 weird: spontaneous_FIN
+964800692.986343 weird: spontaneous_FIN
+964800692.986410 weird: spontaneous_FIN
+964800693.065716 weird: spontaneous_FIN
+964800693.065796 weird: spontaneous_FIN
+964800693.065864 weird: spontaneous_FIN
+964800693.065935 weird: spontaneous_FIN
+964800693.066004 weird: spontaneous_FIN
+964800693.066072 weird: spontaneous_FIN
+964800693.066140 weird: spontaneous_FIN
+964800693.066210 weird: spontaneous_FIN
+964800693.066281 weird: spontaneous_FIN
+964800693.066356 weird: spontaneous_FIN
+964800693.066426 weird: spontaneous_FIN
+964800693.145726 weird: spontaneous_FIN
+964800693.145804 weird: spontaneous_FIN
+964800693.145873 weird: spontaneous_FIN
+964800693.145945 weird: spontaneous_FIN
+964800693.146015 weird: spontaneous_FIN
+964800693.146079 weird: spontaneous_FIN
+964800693.146146 weird: spontaneous_FIN
+964800693.146214 weird: spontaneous_FIN
+964800693.146279 weird: spontaneous_FIN
+964800693.146349 weird: spontaneous_FIN
+964800693.146410 weird: spontaneous_FIN
+964800693.225704 weird: spontaneous_FIN
+964800693.225783 weird: spontaneous_FIN
+964800693.225852 weird: spontaneous_FIN
+964800693.225926 weird: spontaneous_FIN
+964800693.225994 weird: spontaneous_FIN
+964800693.226062 weird: spontaneous_FIN
+964800693.226130 weird: spontaneous_FIN
+964800693.226198 weird: spontaneous_FIN
+964800693.226266 weird: spontaneous_FIN
+964800693.226339 weird: spontaneous_FIN
+964800693.226413 weird: spontaneous_FIN
+964800693.305723 weird: spontaneous_FIN
+964800693.305792 weird: spontaneous_FIN
+964800693.305860 weird: spontaneous_FIN
+964800693.305930 weird: spontaneous_FIN
+964800693.305999 weird: spontaneous_FIN
+964800693.306064 weird: spontaneous_FIN
+964800693.306131 weird: spontaneous_FIN
+964800693.306199 weird: spontaneous_FIN
+964800693.306266 weird: spontaneous_FIN
+964800693.306337 weird: spontaneous_FIN
+964800693.306402 weird: spontaneous_FIN
+964800693.386446 weird: spontaneous_FIN
+964800693.386527 weird: spontaneous_FIN
+964800693.386599 weird: spontaneous_FIN
+964800693.386672 weird: spontaneous_FIN
+964800693.386741 weird: spontaneous_FIN
+964800693.386808 weird: spontaneous_FIN
+964800693.386877 weird: spontaneous_FIN
+964800693.386946 weird: spontaneous_FIN
+964800693.387013 weird: spontaneous_FIN
+964800693.387081 weird: spontaneous_FIN
+964800693.387152 weird: spontaneous_FIN
+964800693.475739 weird: spontaneous_FIN
+964800693.475818 weird: spontaneous_FIN
+964800693.475888 weird: spontaneous_FIN
+964800693.475959 weird: spontaneous_FIN
+964800693.476029 weird: spontaneous_FIN
+964800693.476097 weird: spontaneous_FIN
+964800693.476165 weird: spontaneous_FIN
+964800693.476235 weird: spontaneous_FIN
+964800693.476304 weird: spontaneous_FIN
+964800693.476369 weird: spontaneous_FIN
+964800693.476436 weird: spontaneous_FIN
+964800693.555715 weird: spontaneous_FIN
+964800693.555795 weird: spontaneous_FIN
+964800693.555863 weird: spontaneous_FIN
+964800693.555937 weird: spontaneous_FIN
+964800693.556004 weird: spontaneous_FIN
+964800693.556070 weird: spontaneous_FIN
+964800693.556136 weird: spontaneous_FIN
+964800693.556209 weird: spontaneous_FIN
+964800693.556281 weird: spontaneous_FIN
+964800693.556349 weird: spontaneous_FIN
+964800693.556422 weird: spontaneous_FIN
+964800693.645724 weird: spontaneous_FIN
+964800693.645797 weird: spontaneous_FIN
+964800693.645866 weird: spontaneous_FIN
+964800693.645934 weird: spontaneous_FIN
+964800693.646004 weird: spontaneous_FIN
+964800693.646068 weird: spontaneous_FIN
+964800693.646133 weird: spontaneous_FIN
+964800693.646200 weird: spontaneous_FIN
+964800693.646264 weird: spontaneous_FIN
+964800693.646329 weird: spontaneous_FIN
+964800693.646393 weird: spontaneous_FIN
+964800693.725716 weird: spontaneous_FIN
+964800693.725792 weird: spontaneous_FIN
+964800693.725862 weird: spontaneous_FIN
+964800693.725936 weird: spontaneous_FIN
+964800693.726006 weird: spontaneous_FIN
+964800693.726076 weird: spontaneous_FIN
+964800693.726146 weird: spontaneous_FIN
+964800693.726219 weird: spontaneous_FIN
+964800693.726288 weird: spontaneous_FIN
+964800693.726356 weird: spontaneous_FIN
+964800693.726427 weird: spontaneous_FIN
+964800693.805737 weird: spontaneous_FIN
+964800693.805812 weird: spontaneous_FIN
+964800693.805880 weird: spontaneous_FIN
+964800693.805949 weird: spontaneous_FIN
+964800693.806018 weird: spontaneous_FIN
+964800693.806082 weird: spontaneous_FIN
+964800693.806150 weird: spontaneous_FIN
+964800693.806216 weird: spontaneous_FIN
+964800693.806282 weird: spontaneous_FIN
+964800693.806351 weird: spontaneous_FIN
+964800693.806418 weird: spontaneous_FIN
+964800693.895726 weird: spontaneous_FIN
+964800693.895807 weird: spontaneous_FIN
+964800693.895878 weird: spontaneous_FIN
+964800693.895953 weird: spontaneous_FIN
+964800693.896024 weird: spontaneous_FIN
+964800693.896093 weird: spontaneous_FIN
+964800693.896161 weird: spontaneous_FIN
+964800693.896232 weird: spontaneous_FIN
+964800693.896302 weird: spontaneous_FIN
+964800693.896371 weird: spontaneous_FIN
+964800693.896442 weird: spontaneous_FIN
+964800693.985729 weird: spontaneous_FIN
+964800693.985804 weird: spontaneous_FIN
+964800693.985873 weird: spontaneous_FIN
+964800693.985943 weird: spontaneous_FIN
+964800693.986017 weird: spontaneous_FIN
+964800693.986086 weird: spontaneous_FIN
+964800693.986154 weird: spontaneous_FIN
+964800693.986222 weird: spontaneous_FIN
+964800693.986289 weird: spontaneous_FIN
+964800693.986359 weird: spontaneous_FIN
+964800693.986426 weird: spontaneous_FIN
+964800694.075721 weird: spontaneous_FIN
+964800694.075804 weird: spontaneous_FIN
+964800694.075873 weird: spontaneous_FIN
+964800694.075946 weird: spontaneous_FIN
+964800694.076015 weird: spontaneous_FIN
+964800694.076084 weird: spontaneous_FIN
+964800694.076153 weird: spontaneous_FIN
+964800694.076224 weird: spontaneous_FIN
+964800694.076292 weird: spontaneous_FIN
+964800694.076364 weird: spontaneous_FIN
+964800694.076438 weird: spontaneous_FIN
+964800694.155724 weird: spontaneous_FIN
+964800694.155799 weird: spontaneous_FIN
+964800694.155868 weird: spontaneous_FIN
+964800694.155937 weird: spontaneous_FIN
+964800694.156007 weird: spontaneous_FIN
+964800694.156074 weird: spontaneous_FIN
+964800694.156141 weird: spontaneous_FIN
+964800694.156211 weird: spontaneous_FIN
+964800694.156278 weird: spontaneous_FIN
+964800694.156348 weird: spontaneous_FIN
+964800694.156414 weird: spontaneous_FIN
+964800694.235712 weird: spontaneous_FIN
+964800694.235792 weird: spontaneous_FIN
+964800694.235859 weird: spontaneous_FIN
+964800694.235932 weird: spontaneous_FIN
+964800694.236003 weird: spontaneous_FIN
+964800694.236070 weird: spontaneous_FIN
+964800694.236138 weird: spontaneous_FIN
+964800694.236207 weird: spontaneous_FIN
+964800694.236275 weird: spontaneous_FIN
+964800694.236342 weird: spontaneous_FIN
+964800694.236414 weird: spontaneous_FIN
+964800694.315722 weird: spontaneous_FIN
+964800694.315795 weird: spontaneous_FIN
+964800694.315860 weird: spontaneous_FIN
+964800694.315929 weird: spontaneous_FIN
+964800694.316000 weird: spontaneous_FIN
+964800694.316065 weird: spontaneous_FIN
+964800694.316132 weird: spontaneous_FIN
+964800694.316200 weird: spontaneous_FIN
+964800694.316266 weird: spontaneous_FIN
+964800694.316337 weird: spontaneous_FIN
+964800694.316402 weird: spontaneous_FIN
+964800694.391904 weird: spontaneous_FIN
+964800694.391984 weird: spontaneous_FIN
+964800694.392053 weird: spontaneous_FIN
+964800694.392127 weird: spontaneous_FIN
+964800694.392196 weird: spontaneous_FIN
+964800694.392263 weird: spontaneous_FIN
+964800694.392332 weird: spontaneous_FIN
+964800694.392401 weird: spontaneous_FIN
+964800694.392468 weird: spontaneous_FIN
+964800694.392541 weird: spontaneous_FIN
+964800694.392613 weird: spontaneous_FIN
+964800694.485735 weird: spontaneous_FIN
+964800694.485810 weird: spontaneous_FIN
+964800694.485880 weird: spontaneous_FIN
+964800694.485950 weird: spontaneous_FIN
+964800694.486020 weird: spontaneous_FIN
+964800694.486086 weird: spontaneous_FIN
+964800694.486152 weird: spontaneous_FIN
+964800694.486217 weird: spontaneous_FIN
+964800694.486282 weird: spontaneous_FIN
+964800694.486351 weird: spontaneous_FIN
+964800694.486418 weird: spontaneous_FIN
+964800694.565715 weird: spontaneous_FIN
+964800694.565794 weird: spontaneous_FIN
+964800694.565862 weird: spontaneous_FIN
+964800694.565932 weird: spontaneous_FIN
+964800694.565999 weird: spontaneous_FIN
+964800694.566069 weird: spontaneous_FIN
+964800694.566139 weird: spontaneous_FIN
+964800694.566209 weird: spontaneous_FIN
+964800694.566279 weird: spontaneous_FIN
+964800694.566349 weird: spontaneous_FIN
+964800694.566420 weird: spontaneous_FIN
+964800694.645717 weird: spontaneous_FIN
+964800694.645788 weird: spontaneous_FIN
+964800694.645854 weird: spontaneous_FIN
+964800694.645924 weird: spontaneous_FIN
+964800694.645994 weird: spontaneous_FIN
+964800694.646059 weird: spontaneous_FIN
+964800694.646126 weird: spontaneous_FIN
+964800694.646190 weird: spontaneous_FIN
+964800694.646255 weird: spontaneous_FIN
+964800694.725711 weird: spontaneous_FIN
+964800694.725792 weird: spontaneous_FIN
+964800694.725861 weird: spontaneous_FIN
+964800694.725932 weird: spontaneous_FIN
+964800694.726002 weird: spontaneous_FIN
+964800694.726073 weird: spontaneous_FIN
+964800694.726141 weird: spontaneous_FIN
+964800694.726209 weird: spontaneous_FIN
+964800694.726282 weird: spontaneous_FIN
+964800696.215354 weird: spontaneous_FIN
+964800701.449317 weird: spontaneous_FIN
+964800706.645456 weird: spontaneous_FIN
+964800709.120433 weird: spontaneous_RST
+964800711.765516 weird: spontaneous_FIN
+964800716.768236 weird: spontaneous_FIN
+964800718.458372 weird: spontaneous_FIN
+964800722.016159 weird: spontaneous_FIN
+964800727.186323 weird: spontaneous_FIN
+964800727.753871 weird: baroque_SYN
+964800729.393724 weird: spontaneous_FIN
+964800732.457668 weird: spontaneous_FIN
+964800734.714117 weird: baroque_SYN
+964800734.714235 weird: spontaneous_FIN
+964800740.962042 weird: spontaneous_FIN
+964800741.639518 weird: baroque_SYN
+964800741.639647 weird: spontaneous_FIN
+964800743.952472 weird: baroque_SYN
+964800745.592245 weird: spontaneous_FIN
+964800748.689325 weird: baroque_SYN
+964800748.689444 weird: spontaneous_FIN
+964800760.010936 weird: baroque_SYN
+964800761.650789 weird: spontaneous_FIN
+964800770.043302 weird: spontaneous_FIN
+964800770.043319 weird: spontaneous_FIN
+964800770.043337 weird: spontaneous_FIN
+964800770.043407 weird: spontaneous_FIN
+964800770.043477 weird: spontaneous_FIN
+964800770.043546 weird: spontaneous_FIN
+964800770.043618 weird: spontaneous_FIN
+964800770.043687 weird: spontaneous_FIN
+964800770.043756 weird: spontaneous_FIN
+964800770.043826 weird: spontaneous_FIN
+964800770.043896 weird: spontaneous_FIN
+964800770.126205 weird: spontaneous_FIN
+964800770.126285 weird: spontaneous_FIN
+964800770.126353 weird: spontaneous_FIN
+964800770.126420 weird: spontaneous_FIN
+964800770.126492 weird: spontaneous_FIN
+964800770.126563 weird: spontaneous_FIN
+964800770.126634 weird: spontaneous_FIN
+964800770.126705 weird: spontaneous_FIN
+964800770.126777 weird: spontaneous_FIN
+964800770.126847 weird: spontaneous_FIN
+964800770.126916 weird: spontaneous_FIN
+964800770.206211 weird: spontaneous_FIN
+964800770.206284 weird: spontaneous_FIN
+964800770.206350 weird: spontaneous_FIN
+964800770.206414 weird: spontaneous_FIN
+964800770.206479 weird: spontaneous_FIN
+964800770.206549 weird: spontaneous_FIN
+964800770.206622 weird: spontaneous_FIN
+964800770.206685 weird: spontaneous_FIN
+964800770.206749 weird: spontaneous_FIN
+964800770.206814 weird: spontaneous_FIN
+964800770.206878 weird: spontaneous_FIN
+964800770.296196 weird: spontaneous_FIN
+964800770.296268 weird: spontaneous_FIN
+964800770.296335 weird: spontaneous_FIN
+964800770.296403 weird: spontaneous_FIN
+964800770.296471 weird: spontaneous_FIN
+964800770.296539 weird: spontaneous_FIN
+964800770.296609 weird: spontaneous_FIN
+964800770.296678 weird: spontaneous_FIN
+964800770.296750 weird: spontaneous_FIN
+964800770.296819 weird: spontaneous_FIN
+964800770.296889 weird: spontaneous_FIN
+964800770.386220 weird: spontaneous_FIN
+964800770.386292 weird: spontaneous_FIN
+964800770.386359 weird: spontaneous_FIN
+964800770.386429 weird: spontaneous_FIN
+964800770.386494 weird: spontaneous_FIN
+964800770.386564 weird: spontaneous_FIN
+964800770.386631 weird: spontaneous_FIN
+964800770.386695 weird: spontaneous_FIN
+964800770.386763 weird: spontaneous_FIN
+964800770.386829 weird: spontaneous_FIN
+964800770.386896 weird: spontaneous_FIN
+964800770.466206 weird: spontaneous_FIN
+964800770.466278 weird: spontaneous_FIN
+964800770.466345 weird: spontaneous_FIN
+964800770.466413 weird: spontaneous_FIN
+964800770.466479 weird: spontaneous_FIN
+964800770.466549 weird: spontaneous_FIN
+964800770.466617 weird: spontaneous_FIN
+964800770.466685 weird: spontaneous_FIN
+964800770.466758 weird: spontaneous_FIN
+964800770.466827 weird: spontaneous_FIN
+964800770.466896 weird: spontaneous_FIN
+964800770.556206 weird: spontaneous_FIN
+964800770.556276 weird: spontaneous_FIN
+964800770.556343 weird: spontaneous_FIN
+964800770.556408 weird: spontaneous_FIN
+964800770.556478 weird: spontaneous_FIN
+964800770.556546 weird: spontaneous_FIN
+964800770.556613 weird: spontaneous_FIN
+964800770.556681 weird: spontaneous_FIN
+964800770.556745 weird: spontaneous_FIN
+964800770.556810 weird: spontaneous_FIN
+964800770.556876 weird: spontaneous_FIN
+964800770.646202 weird: spontaneous_FIN
+964800770.646275 weird: spontaneous_FIN
+964800770.646342 weird: spontaneous_FIN
+964800770.646410 weird: spontaneous_FIN
+964800770.646479 weird: spontaneous_FIN
+964800770.646549 weird: spontaneous_FIN
+964800770.646618 weird: spontaneous_FIN
+964800770.646687 weird: spontaneous_FIN
+964800770.646759 weird: spontaneous_FIN
+964800770.646827 weird: spontaneous_FIN
+964800770.646895 weird: spontaneous_FIN
+964800770.723029 weird: spontaneous_FIN
+964800770.723100 weird: spontaneous_FIN
+964800770.723165 weird: spontaneous_FIN
+964800770.723231 weird: spontaneous_FIN
+964800770.723301 weird: spontaneous_FIN
+964800770.723370 weird: spontaneous_FIN
+964800770.723436 weird: spontaneous_FIN
+964800770.723500 weird: spontaneous_FIN
+964800770.723565 weird: spontaneous_FIN
+964800770.723631 weird: spontaneous_FIN
+964800770.723696 weird: spontaneous_FIN
+964800770.816203 weird: spontaneous_FIN
+964800770.816279 weird: spontaneous_FIN
+964800770.816346 weird: spontaneous_FIN
+964800770.816416 weird: spontaneous_FIN
+964800770.816484 weird: spontaneous_FIN
+964800770.816554 weird: spontaneous_FIN
+964800770.816623 weird: spontaneous_FIN
+964800770.816690 weird: spontaneous_FIN
+964800770.816758 weird: spontaneous_FIN
+964800770.816829 weird: spontaneous_FIN
+964800770.816900 weird: spontaneous_FIN
+964800770.896212 weird: spontaneous_FIN
+964800770.896282 weird: spontaneous_FIN
+964800770.896349 weird: spontaneous_FIN
+964800770.896415 weird: spontaneous_FIN
+964800770.896479 weird: spontaneous_FIN
+964800770.896550 weird: spontaneous_FIN
+964800770.896622 weird: spontaneous_FIN
+964800770.896688 weird: spontaneous_FIN
+964800770.896754 weird: spontaneous_FIN
+964800770.896822 weird: spontaneous_FIN
+964800770.908337 weird: spontaneous_FIN
+964800770.996205 weird: spontaneous_FIN
+964800770.996276 weird: spontaneous_FIN
+964800770.996342 weird: spontaneous_FIN
+964800770.996412 weird: spontaneous_FIN
+964800770.996480 weird: spontaneous_FIN
+964800770.996548 weird: spontaneous_FIN
+964800770.996619 weird: spontaneous_FIN
+964800770.996689 weird: spontaneous_FIN
+964800770.996759 weird: spontaneous_FIN
+964800770.996835 weird: spontaneous_FIN
+964800770.996914 weird: spontaneous_FIN
+964800771.076225 weird: spontaneous_FIN
+964800771.076296 weird: spontaneous_FIN
+964800771.076357 weird: spontaneous_FIN
+964800771.076426 weird: spontaneous_FIN
+964800771.076495 weird: spontaneous_FIN
+964800771.076564 weird: spontaneous_FIN
+964800771.076631 weird: spontaneous_FIN
+964800771.076694 weird: spontaneous_FIN
+964800771.076761 weird: spontaneous_FIN
+964800771.076829 weird: spontaneous_FIN
+964800771.076896 weird: spontaneous_FIN
+964800771.166218 weird: spontaneous_FIN
+964800771.166290 weird: spontaneous_FIN
+964800771.166358 weird: spontaneous_FIN
+964800771.166426 weird: spontaneous_FIN
+964800771.166497 weird: spontaneous_FIN
+964800771.166570 weird: spontaneous_FIN
+964800771.166641 weird: spontaneous_FIN
+964800771.166712 weird: spontaneous_FIN
+964800771.166786 weird: spontaneous_FIN
+964800771.166855 weird: spontaneous_FIN
+964800771.166926 weird: spontaneous_FIN
+964800771.246221 weird: spontaneous_FIN
+964800771.246291 weird: spontaneous_FIN
+964800771.246358 weird: spontaneous_FIN
+964800771.246425 weird: spontaneous_FIN
+964800771.246492 weird: spontaneous_FIN
+964800771.246561 weird: spontaneous_FIN
+964800771.246629 weird: spontaneous_FIN
+964800771.246694 weird: spontaneous_FIN
+964800771.246759 weird: spontaneous_FIN
+964800771.246825 weird: spontaneous_FIN
+964800771.246894 weird: spontaneous_FIN
+964800771.326195 weird: spontaneous_FIN
+964800771.326271 weird: spontaneous_FIN
+964800771.326336 weird: spontaneous_FIN
+964800771.326406 weird: spontaneous_FIN
+964800771.326476 weird: spontaneous_FIN
+964800771.326548 weird: spontaneous_FIN
+964800771.326618 weird: spontaneous_FIN
+964800771.326690 weird: spontaneous_FIN
+964800771.326762 weird: spontaneous_FIN
+964800771.326832 weird: spontaneous_FIN
+964800771.326905 weird: spontaneous_FIN
+964800771.406226 weird: spontaneous_FIN
+964800771.406295 weird: spontaneous_FIN
+964800771.406364 weird: spontaneous_FIN
+964800771.406433 weird: spontaneous_FIN
+964800771.406501 weird: spontaneous_FIN
+964800771.406569 weird: spontaneous_FIN
+964800771.406637 weird: spontaneous_FIN
+964800771.406703 weird: spontaneous_FIN
+964800771.406772 weird: spontaneous_FIN
+964800771.406839 weird: spontaneous_FIN
+964800771.406908 weird: spontaneous_FIN
+964800771.496204 weird: spontaneous_FIN
+964800771.496279 weird: spontaneous_FIN
+964800771.496345 weird: spontaneous_FIN
+964800771.496413 weird: spontaneous_FIN
+964800771.496483 weird: spontaneous_FIN
+964800771.496553 weird: spontaneous_FIN
+964800771.496621 weird: spontaneous_FIN
+964800771.496691 weird: spontaneous_FIN
+964800771.496763 weird: spontaneous_FIN
+964800771.496834 weird: spontaneous_FIN
+964800771.496904 weird: spontaneous_FIN
+964800771.585007 weird: spontaneous_FIN
+964800771.585079 weird: spontaneous_FIN
+964800771.585148 weird: spontaneous_FIN
+964800771.585218 weird: spontaneous_FIN
+964800771.585290 weird: spontaneous_FIN
+964800771.585360 weird: spontaneous_FIN
+964800771.585427 weird: spontaneous_FIN
+964800771.585497 weird: spontaneous_FIN
+964800771.585564 weird: spontaneous_FIN
+964800771.585633 weird: spontaneous_FIN
+964800771.585700 weird: spontaneous_FIN
+964800771.676209 weird: spontaneous_FIN
+964800771.676285 weird: spontaneous_FIN
+964800771.676354 weird: spontaneous_FIN
+964800771.676425 weird: spontaneous_FIN
+964800771.676496 weird: spontaneous_FIN
+964800771.676567 weird: spontaneous_FIN
+964800771.676634 weird: spontaneous_FIN
+964800771.676708 weird: spontaneous_FIN
+964800771.676784 weird: spontaneous_FIN
+964800771.676856 weird: spontaneous_FIN
+964800771.676931 weird: spontaneous_FIN
+964800771.756226 weird: spontaneous_FIN
+964800771.756302 weird: spontaneous_FIN
+964800771.756373 weird: spontaneous_FIN
+964800771.756442 weird: spontaneous_FIN
+964800771.756513 weird: spontaneous_FIN
+964800771.756582 weird: spontaneous_FIN
+964800771.756652 weird: spontaneous_FIN
+964800771.756720 weird: spontaneous_FIN
+964800771.756789 weird: spontaneous_FIN
+964800771.756858 weird: spontaneous_FIN
+964800771.756923 weird: spontaneous_FIN
+964800771.836209 weird: spontaneous_FIN
+964800771.836287 weird: spontaneous_FIN
+964800771.836358 weird: spontaneous_FIN
+964800771.836425 weird: spontaneous_FIN
+964800771.836496 weird: spontaneous_FIN
+964800771.836569 weird: spontaneous_FIN
+964800771.836639 weird: spontaneous_FIN
+964800771.836711 weird: spontaneous_FIN
+964800771.836781 weird: spontaneous_FIN
+964800771.836850 weird: spontaneous_FIN
+964800771.836920 weird: spontaneous_FIN
+964800771.926222 weird: spontaneous_FIN
+964800771.926293 weird: spontaneous_FIN
+964800771.926361 weird: spontaneous_FIN
+964800771.926432 weird: spontaneous_FIN
+964800771.926498 weird: spontaneous_FIN
+964800771.926563 weird: spontaneous_FIN
+964800771.926633 weird: spontaneous_FIN
+964800771.926701 weird: spontaneous_FIN
+964800771.926766 weird: spontaneous_FIN
+964800771.926833 weird: spontaneous_FIN
+964800771.926897 weird: spontaneous_FIN
+964800772.007838 weird: spontaneous_FIN
+964800772.007994 weird: spontaneous_FIN
+964800772.008166 weird: spontaneous_FIN
+964800772.008370 weird: spontaneous_FIN
+964800772.008541 weird: spontaneous_FIN
+964800772.008689 weird: spontaneous_FIN
+964800772.008760 weird: spontaneous_FIN
+964800772.008835 weird: spontaneous_FIN
+964800772.008908 weird: spontaneous_FIN
+964800772.008977 weird: spontaneous_FIN
+964800772.009048 weird: spontaneous_FIN
+964800772.086231 weird: spontaneous_FIN
+964800772.086300 weird: spontaneous_FIN
+964800772.086365 weird: spontaneous_FIN
+964800772.086431 weird: spontaneous_FIN
+964800772.086498 weird: spontaneous_FIN
+964800772.086565 weird: spontaneous_FIN
+964800772.086629 weird: spontaneous_FIN
+964800772.086700 weird: spontaneous_FIN
+964800772.086768 weird: spontaneous_FIN
+964800772.086835 weird: spontaneous_FIN
+964800772.086901 weird: spontaneous_FIN
+964800772.162719 weird: spontaneous_FIN
+964800772.162795 weird: spontaneous_FIN
+964800772.162860 weird: spontaneous_FIN
+964800772.162932 weird: spontaneous_FIN
+964800772.163000 weird: spontaneous_FIN
+964800772.163069 weird: spontaneous_FIN
+964800772.163138 weird: spontaneous_FIN
+964800772.163205 weird: spontaneous_FIN
+964800772.163274 weird: spontaneous_FIN
+964800772.163343 weird: spontaneous_FIN
+964800772.163413 weird: spontaneous_FIN
+964800772.246220 weird: spontaneous_FIN
+964800772.246292 weird: spontaneous_FIN
+964800772.246359 weird: spontaneous_FIN
+964800772.246426 weird: spontaneous_FIN
+964800772.246490 weird: spontaneous_FIN
+964800772.246557 weird: spontaneous_FIN
+964800772.246622 weird: spontaneous_FIN
+964800772.246693 weird: spontaneous_FIN
+964800772.246758 weird: spontaneous_FIN
+964800772.246825 weird: spontaneous_FIN
+964800772.246892 weird: spontaneous_FIN
+964800772.326242 weird: spontaneous_FIN
+964800772.326318 weird: spontaneous_FIN
+964800772.326386 weird: spontaneous_FIN
+964800772.326456 weird: spontaneous_FIN
+964800772.326523 weird: spontaneous_FIN
+964800772.326592 weird: spontaneous_FIN
+964800772.326662 weird: spontaneous_FIN
+964800772.326730 weird: spontaneous_FIN
+964800772.326798 weird: spontaneous_FIN
+964800772.326866 weird: spontaneous_FIN
+964800772.326936 weird: spontaneous_FIN
+964800772.416231 weird: spontaneous_FIN
+964800772.416303 weird: spontaneous_FIN
+964800772.416368 weird: spontaneous_FIN
+964800772.416436 weird: spontaneous_FIN
+964800772.416502 weird: spontaneous_FIN
+964800772.416570 weird: spontaneous_FIN
+964800772.416635 weird: spontaneous_FIN
+964800772.416702 weird: spontaneous_FIN
+964800772.416768 weird: spontaneous_FIN
+964800772.416836 weird: spontaneous_FIN
+964800772.416902 weird: spontaneous_FIN
+964800772.506208 weird: spontaneous_FIN
+964800772.506283 weird: spontaneous_FIN
+964800772.506352 weird: spontaneous_FIN
+964800772.506419 weird: spontaneous_FIN
+964800772.506485 weird: spontaneous_FIN
+964800772.506554 weird: spontaneous_FIN
+964800772.506621 weird: spontaneous_FIN
+964800772.506688 weird: spontaneous_FIN
+964800772.506756 weird: spontaneous_FIN
+964800772.506824 weird: spontaneous_FIN
+964800772.506894 weird: spontaneous_FIN
+964800772.594262 weird: spontaneous_FIN
+964800772.594331 weird: spontaneous_FIN
+964800772.594397 weird: spontaneous_FIN
+964800772.594464 weird: spontaneous_FIN
+964800772.594526 weird: spontaneous_FIN
+964800772.594594 weird: spontaneous_FIN
+964800772.594659 weird: spontaneous_FIN
+964800772.594728 weird: spontaneous_FIN
+964800772.594795 weird: spontaneous_FIN
+964800772.594861 weird: spontaneous_FIN
+964800772.594929 weird: spontaneous_FIN
+964800772.677873 weird: spontaneous_FIN
+964800772.678025 weird: spontaneous_FIN
+964800772.678196 weird: spontaneous_FIN
+964800772.678352 weird: spontaneous_FIN
+964800772.678538 weird: spontaneous_FIN
+964800772.678706 weird: spontaneous_FIN
+964800772.678876 weird: spontaneous_FIN
+964800772.679081 weird: spontaneous_FIN
+964800772.679178 weird: spontaneous_FIN
+964800772.679254 weird: spontaneous_FIN
+964800772.679327 weird: spontaneous_FIN
+964800772.756235 weird: spontaneous_FIN
+964800772.756307 weird: spontaneous_FIN
+964800772.756372 weird: spontaneous_FIN
+964800772.756440 weird: spontaneous_FIN
+964800772.756506 weird: spontaneous_FIN
+964800772.756576 weird: spontaneous_FIN
+964800772.756641 weird: spontaneous_FIN
+964800772.756706 weird: spontaneous_FIN
+964800772.756776 weird: spontaneous_FIN
+964800772.756840 weird: spontaneous_FIN
+964800772.756908 weird: spontaneous_FIN
+964800772.836205 weird: spontaneous_FIN
+964800772.836277 weird: spontaneous_FIN
+964800772.836346 weird: spontaneous_FIN
+964800772.836423 weird: spontaneous_FIN
+964800772.836484 weird: spontaneous_FIN
+964800772.836553 weird: spontaneous_FIN
+964800772.836620 weird: spontaneous_FIN
+964800772.836687 weird: spontaneous_FIN
+964800772.836778 weird: spontaneous_FIN
+964800772.836822 weird: spontaneous_FIN
+964800772.836888 weird: spontaneous_FIN
+964800772.916219 weird: spontaneous_FIN
+964800772.916287 weird: spontaneous_FIN
+964800772.916353 weird: spontaneous_FIN
+964800772.916417 weird: spontaneous_FIN
+964800772.916483 weird: spontaneous_FIN
+964800772.916547 weird: spontaneous_FIN
+964800772.916613 weird: spontaneous_FIN
+964800772.916680 weird: spontaneous_FIN
+964800772.916744 weird: spontaneous_FIN
+964800772.916809 weird: spontaneous_FIN
+964800772.916877 weird: spontaneous_FIN
+964800773.006215 weird: spontaneous_FIN
+964800773.006284 weird: spontaneous_FIN
+964800773.006351 weird: spontaneous_FIN
+964800773.006420 weird: spontaneous_FIN
+964800773.006488 weird: spontaneous_FIN
+964800773.006554 weird: spontaneous_FIN
+964800773.006622 weird: spontaneous_FIN
+964800773.006690 weird: spontaneous_FIN
+964800773.006760 weird: spontaneous_FIN
+964800773.006825 weird: spontaneous_FIN
+964800773.006892 weird: spontaneous_FIN
+964800773.086229 weird: spontaneous_FIN
+964800773.086298 weird: spontaneous_FIN
+964800773.086363 weird: spontaneous_FIN
+964800773.086429 weird: spontaneous_FIN
+964800773.086496 weird: spontaneous_FIN
+964800773.086563 weird: spontaneous_FIN
+964800773.086626 weird: spontaneous_FIN
+964800773.086693 weird: spontaneous_FIN
+964800773.086760 weird: spontaneous_FIN
+964800773.086823 weird: spontaneous_FIN
+964800773.086892 weird: spontaneous_FIN
+964800773.169963 weird: spontaneous_FIN
+964800773.170034 weird: spontaneous_FIN
+964800773.170102 weird: spontaneous_FIN
+964800773.170178 weird: spontaneous_FIN
+964800773.170238 weird: spontaneous_FIN
+964800773.170306 weird: spontaneous_FIN
+964800773.170374 weird: spontaneous_FIN
+964800773.170443 weird: spontaneous_FIN
+964800773.170510 weird: spontaneous_FIN
+964800773.170577 weird: spontaneous_FIN
+964800773.170646 weird: spontaneous_FIN
+964800773.256224 weird: spontaneous_FIN
+964800773.256292 weird: spontaneous_FIN
+964800773.256356 weird: spontaneous_FIN
+964800773.256421 weird: spontaneous_FIN
+964800773.256488 weird: spontaneous_FIN
+964800773.256552 weird: spontaneous_FIN
+964800773.256617 weird: spontaneous_FIN
+964800773.256684 weird: spontaneous_FIN
+964800773.256745 weird: spontaneous_FIN
+964800773.256810 weird: spontaneous_FIN
+964800773.256880 weird: spontaneous_FIN
+964800773.336211 weird: spontaneous_FIN
+964800773.336283 weird: spontaneous_FIN
+964800773.336351 weird: spontaneous_FIN
+964800773.336417 weird: spontaneous_FIN
+964800773.336485 weird: spontaneous_FIN
+964800773.336552 weird: spontaneous_FIN
+964800773.336619 weird: spontaneous_FIN
+964800773.336689 weird: spontaneous_FIN
+964800773.336759 weird: spontaneous_FIN
+964800773.336824 weird: spontaneous_FIN
+964800773.336890 weird: spontaneous_FIN
+964800773.412854 weird: spontaneous_FIN
+964800773.412924 weird: spontaneous_FIN
+964800773.412989 weird: spontaneous_FIN
+964800773.413055 weird: spontaneous_FIN
+964800773.413120 weird: spontaneous_FIN
+964800773.413187 weird: spontaneous_FIN
+964800773.413251 weird: spontaneous_FIN
+964800773.413319 weird: spontaneous_FIN
+964800773.413381 weird: spontaneous_FIN
+964800773.413448 weird: spontaneous_FIN
+964800773.413520 weird: spontaneous_FIN
+964800773.496215 weird: spontaneous_FIN
+964800773.496288 weird: spontaneous_FIN
+964800773.496354 weird: spontaneous_FIN
+964800773.496420 weird: spontaneous_FIN
+964800773.496489 weird: spontaneous_FIN
+964800773.496558 weird: spontaneous_FIN
+964800773.496626 weird: spontaneous_FIN
+964800773.496694 weird: spontaneous_FIN
+964800773.496761 weird: spontaneous_FIN
+964800773.496828 weird: spontaneous_FIN
+964800773.496897 weird: spontaneous_FIN
+964800773.586226 weird: spontaneous_FIN
+964800773.586296 weird: spontaneous_FIN
+964800773.586359 weird: spontaneous_FIN
+964800773.586430 weird: spontaneous_FIN
+964800773.586489 weird: spontaneous_FIN
+964800773.586554 weird: spontaneous_FIN
+964800773.586620 weird: spontaneous_FIN
+964800773.586684 weird: spontaneous_FIN
+964800773.586749 weird: spontaneous_FIN
+964800773.586814 weird: spontaneous_FIN
+964800773.586885 weird: spontaneous_FIN
+964800773.674582 weird: spontaneous_FIN
+964800773.674653 weird: spontaneous_FIN
+964800773.674719 weird: spontaneous_FIN
+964800773.674788 weird: spontaneous_FIN
+964800773.674854 weird: spontaneous_FIN
+964800773.674922 weird: spontaneous_FIN
+964800773.674991 weird: spontaneous_FIN
+964800773.675060 weird: spontaneous_FIN
+964800773.675132 weird: spontaneous_FIN
+964800773.675199 weird: spontaneous_FIN
+964800773.675266 weird: spontaneous_FIN
+964800773.750857 weird: spontaneous_FIN
+964800773.750926 weird: spontaneous_FIN
+964800773.751000 weird: spontaneous_FIN
+964800773.751097 weird: spontaneous_FIN
+964800773.751167 weird: spontaneous_FIN
+964800773.751233 weird: spontaneous_FIN
+964800773.751307 weird: spontaneous_FIN
+964800773.751402 weird: spontaneous_FIN
+964800773.751472 weird: spontaneous_FIN
+964800773.751542 weird: spontaneous_FIN
+964800773.751652 weird: spontaneous_FIN
+964800773.846224 weird: spontaneous_FIN
+964800773.846299 weird: spontaneous_FIN
+964800773.846367 weird: spontaneous_FIN
+964800773.846437 weird: spontaneous_FIN
+964800773.846508 weird: spontaneous_FIN
+964800773.846579 weird: spontaneous_FIN
+964800773.846651 weird: spontaneous_FIN
+964800773.846723 weird: spontaneous_FIN
+964800773.846792 weird: spontaneous_FIN
+964800773.846859 weird: spontaneous_FIN
+964800773.846931 weird: spontaneous_FIN
+964800773.926228 weird: spontaneous_FIN
+964800773.926297 weird: spontaneous_FIN
+964800773.926363 weird: spontaneous_FIN
+964800773.926429 weird: spontaneous_FIN
+964800773.926493 weird: spontaneous_FIN
+964800773.926560 weird: spontaneous_FIN
+964800773.926628 weird: spontaneous_FIN
+964800773.926695 weird: spontaneous_FIN
+964800773.926761 weird: spontaneous_FIN
+964800773.926826 weird: spontaneous_FIN
+964800773.926894 weird: spontaneous_FIN
+964800774.016219 weird: spontaneous_FIN
+964800774.016289 weird: spontaneous_FIN
+964800774.016357 weird: spontaneous_FIN
+964800774.016426 weird: spontaneous_FIN
+964800774.016495 weird: spontaneous_FIN
+964800774.016564 weird: spontaneous_FIN
+964800774.016634 weird: spontaneous_FIN
+964800774.016705 weird: spontaneous_FIN
+964800774.016772 weird: spontaneous_FIN
+964800774.016837 weird: spontaneous_FIN
+964800774.016907 weird: spontaneous_FIN
+964800774.106095 weird: spontaneous_FIN
+964800774.106191 weird: spontaneous_FIN
+964800774.106259 weird: spontaneous_FIN
+964800774.106326 weird: spontaneous_FIN
+964800774.106394 weird: spontaneous_FIN
+964800774.106461 weird: spontaneous_FIN
+964800774.106530 weird: spontaneous_FIN
+964800774.106596 weird: spontaneous_FIN
+964800774.106665 weird: spontaneous_FIN
+964800774.106732 weird: spontaneous_FIN
+964800774.106801 weird: spontaneous_FIN
+964800774.196221 weird: spontaneous_FIN
+964800774.196294 weird: spontaneous_FIN
+964800774.196363 weird: spontaneous_FIN
+964800774.196431 weird: spontaneous_FIN
+964800774.196501 weird: spontaneous_FIN
+964800774.196572 weird: spontaneous_FIN
+964800774.196643 weird: spontaneous_FIN
+964800774.196711 weird: spontaneous_FIN
+964800774.196782 weird: spontaneous_FIN
+964800774.196850 weird: spontaneous_FIN
+964800774.196921 weird: spontaneous_FIN
+964800774.286230 weird: spontaneous_FIN
+964800774.286299 weird: spontaneous_FIN
+964800774.286364 weird: spontaneous_FIN
+964800774.286430 weird: spontaneous_FIN
+964800774.286496 weird: spontaneous_FIN
+964800774.286562 weird: spontaneous_FIN
+964800774.286631 weird: spontaneous_FIN
+964800774.286697 weird: spontaneous_FIN
+964800774.286764 weird: spontaneous_FIN
+964800774.286831 weird: spontaneous_FIN
+964800774.286897 weird: spontaneous_FIN
+964800774.376227 weird: spontaneous_FIN
+964800774.376301 weird: spontaneous_FIN
+964800774.376371 weird: spontaneous_FIN
+964800774.376440 weird: spontaneous_FIN
+964800774.376510 weird: spontaneous_FIN
+964800774.376578 weird: spontaneous_FIN
+964800774.376648 weird: spontaneous_FIN
+964800774.376719 weird: spontaneous_FIN
+964800774.376786 weird: spontaneous_FIN
+964800774.376855 weird: spontaneous_FIN
+964800774.376923 weird: spontaneous_FIN
+964800774.465520 weird: spontaneous_FIN
+964800774.465589 weird: spontaneous_FIN
+964800774.465654 weird: spontaneous_FIN
+964800774.465720 weird: spontaneous_FIN
+964800774.465786 weird: spontaneous_FIN
+964800774.465855 weird: spontaneous_FIN
+964800774.465921 weird: spontaneous_FIN
+964800774.465988 weird: spontaneous_FIN
+964800774.466054 weird: spontaneous_FIN
+964800774.466144 weird: spontaneous_FIN
+964800774.466214 weird: spontaneous_FIN
+964800774.556235 weird: spontaneous_FIN
+964800774.556316 weird: spontaneous_FIN
+964800774.556386 weird: spontaneous_FIN
+964800774.556457 weird: spontaneous_FIN
+964800774.556526 weird: spontaneous_FIN
+964800774.556597 weird: spontaneous_FIN
+964800774.556668 weird: spontaneous_FIN
+964800774.556738 weird: spontaneous_FIN
+964800774.556806 weird: spontaneous_FIN
+964800774.556875 weird: spontaneous_FIN
+964800774.556944 weird: spontaneous_FIN
+964800774.646229 weird: spontaneous_FIN
+964800774.646298 weird: spontaneous_FIN
+964800774.646364 weird: spontaneous_FIN
+964800774.646429 weird: spontaneous_FIN
+964800774.646493 weird: spontaneous_FIN
+964800774.646561 weird: spontaneous_FIN
+964800774.646629 weird: spontaneous_FIN
+964800774.646697 weird: spontaneous_FIN
+964800774.646761 weird: spontaneous_FIN
+964800774.646828 weird: spontaneous_FIN
+964800774.646894 weird: spontaneous_FIN
+964800774.729139 weird: spontaneous_FIN
+964800774.729311 weird: spontaneous_FIN
+964800774.729478 weird: spontaneous_FIN
+964800774.729556 weird: spontaneous_FIN
+964800774.729627 weird: spontaneous_FIN
+964800774.729734 weird: spontaneous_FIN
+964800774.729810 weird: spontaneous_FIN
+964800774.729881 weird: spontaneous_FIN
+964800774.730000 weird: spontaneous_FIN
+964800774.730081 weird: spontaneous_FIN
+964800774.730153 weird: spontaneous_FIN
+964800774.806254 weird: spontaneous_FIN
+964800774.806327 weird: spontaneous_FIN
+964800774.806394 weird: spontaneous_FIN
+964800774.806462 weird: spontaneous_FIN
+964800774.806533 weird: spontaneous_FIN
+964800774.806599 weird: spontaneous_FIN
+964800774.806671 weird: spontaneous_FIN
+964800774.806739 weird: spontaneous_FIN
+964800774.806803 weird: spontaneous_FIN
+964800774.806870 weird: spontaneous_FIN
+964800774.806935 weird: spontaneous_FIN
+964800774.896239 weird: spontaneous_FIN
+964800774.896324 weird: spontaneous_FIN
+964800774.896391 weird: spontaneous_FIN
+964800774.896463 weird: spontaneous_FIN
+964800774.896528 weird: spontaneous_FIN
+964800774.896599 weird: spontaneous_FIN
+964800774.896673 weird: spontaneous_FIN
+964800774.896737 weird: spontaneous_FIN
+964800774.896806 weird: spontaneous_FIN
+964800774.896873 weird: spontaneous_FIN
+964800774.897001 weird: spontaneous_FIN
+964800774.986240 weird: spontaneous_FIN
+964800774.986308 weird: spontaneous_FIN
+964800774.986376 weird: spontaneous_FIN
+964800774.986444 weird: spontaneous_FIN
+964800774.986510 weird: spontaneous_FIN
+964800774.986575 weird: spontaneous_FIN
+964800774.986646 weird: spontaneous_FIN
+964800774.986714 weird: spontaneous_FIN
+964800774.986779 weird: spontaneous_FIN
+964800774.986843 weird: spontaneous_FIN
+964800774.986907 weird: spontaneous_FIN
+964800775.067972 weird: spontaneous_FIN
+964800775.068114 weird: spontaneous_FIN
+964800775.068265 weird: spontaneous_FIN
+964800775.068437 weird: spontaneous_FIN
+964800775.068600 weird: spontaneous_FIN
+964800775.068674 weird: spontaneous_FIN
+964800775.068742 weird: spontaneous_FIN
+964800775.068815 weird: spontaneous_FIN
+964800775.068885 weird: spontaneous_FIN
+964800775.068959 weird: spontaneous_FIN
+964800775.069027 weird: spontaneous_FIN
+964800775.146242 weird: spontaneous_FIN
+964800775.146318 weird: spontaneous_FIN
+964800775.146383 weird: spontaneous_FIN
+964800775.146449 weird: spontaneous_FIN
+964800775.146517 weird: spontaneous_FIN
+964800775.146584 weird: spontaneous_FIN
+964800775.146652 weird: spontaneous_FIN
+964800775.146719 weird: spontaneous_FIN
+964800775.146787 weird: spontaneous_FIN
+964800775.146851 weird: spontaneous_FIN
+964800775.146918 weird: spontaneous_FIN
+964800775.236226 weird: spontaneous_FIN
+964800775.236300 weird: spontaneous_FIN
+964800775.236369 weird: spontaneous_FIN
+964800775.236440 weird: spontaneous_FIN
+964800775.236510 weird: spontaneous_FIN
+964800775.236580 weird: spontaneous_FIN
+964800775.236647 weird: spontaneous_FIN
+964800775.236716 weird: spontaneous_FIN
+964800775.236783 weird: spontaneous_FIN
+964800775.236855 weird: spontaneous_FIN
+964800775.236922 weird: spontaneous_FIN
+964800775.326237 weird: spontaneous_FIN
+964800775.326308 weird: spontaneous_FIN
+964800775.326375 weird: spontaneous_FIN
+964800775.326442 weird: spontaneous_FIN
+964800775.326508 weird: spontaneous_FIN
+964800775.326576 weird: spontaneous_FIN
+964800775.326642 weird: spontaneous_FIN
+964800775.326711 weird: spontaneous_FIN
+964800775.326779 weird: spontaneous_FIN
+964800775.326845 weird: spontaneous_FIN
+964800775.326912 weird: spontaneous_FIN
+964800775.412598 weird: spontaneous_FIN
+964800775.412670 weird: spontaneous_FIN
+964800775.412742 weird: spontaneous_FIN
+964800775.412810 weird: spontaneous_FIN
+964800775.412880 weird: spontaneous_FIN
+964800775.412949 weird: spontaneous_FIN
+964800775.413017 weird: spontaneous_FIN
+964800775.413086 weird: spontaneous_FIN
+964800775.413156 weird: spontaneous_FIN
+964800775.413228 weird: spontaneous_FIN
+964800775.413297 weird: spontaneous_FIN
+964800775.506236 weird: spontaneous_FIN
+964800775.506307 weird: spontaneous_FIN
+964800775.506374 weird: spontaneous_FIN
+964800775.506441 weird: spontaneous_FIN
+964800775.506505 weird: spontaneous_FIN
+964800775.506573 weird: spontaneous_FIN
+964800775.506637 weird: spontaneous_FIN
+964800775.506704 weird: spontaneous_FIN
+964800775.506773 weird: spontaneous_FIN
+964800775.506837 weird: spontaneous_FIN
+964800775.506903 weird: spontaneous_FIN
+964800775.596231 weird: spontaneous_FIN
+964800775.596306 weird: spontaneous_FIN
+964800775.596376 weird: spontaneous_FIN
+964800775.596446 weird: spontaneous_FIN
+964800775.596515 weird: spontaneous_FIN
+964800775.596584 weird: spontaneous_FIN
+964800775.596651 weird: spontaneous_FIN
+964800775.596720 weird: spontaneous_FIN
+964800775.596791 weird: spontaneous_FIN
+964800775.596860 weird: spontaneous_FIN
+964800775.596929 weird: spontaneous_FIN
+964800775.676240 weird: spontaneous_FIN
+964800775.676312 weird: spontaneous_FIN
+964800775.676380 weird: spontaneous_FIN
+964800775.676443 weird: spontaneous_FIN
+964800775.676509 weird: spontaneous_FIN
+964800775.676580 weird: spontaneous_FIN
+964800775.676646 weird: spontaneous_FIN
+964800775.676716 weird: spontaneous_FIN
+964800775.676785 weird: spontaneous_FIN
+964800775.676849 weird: spontaneous_FIN
+964800775.676917 weird: spontaneous_FIN
+964800775.766255 weird: spontaneous_FIN
+964800775.766335 weird: spontaneous_FIN
+964800775.766407 weird: spontaneous_FIN
+964800775.766478 weird: spontaneous_FIN
+964800775.766548 weird: spontaneous_FIN
+964800775.766621 weird: spontaneous_FIN
+964800775.766693 weird: spontaneous_FIN
+964800775.766764 weird: spontaneous_FIN
+964800775.766834 weird: spontaneous_FIN
+964800775.766905 weird: spontaneous_FIN
+964800775.766977 weird: spontaneous_FIN
+964800775.856245 weird: spontaneous_FIN
+964800775.856316 weird: spontaneous_FIN
+964800775.856384 weird: spontaneous_FIN
+964800775.856450 weird: spontaneous_FIN
+964800775.856517 weird: spontaneous_FIN
+964800775.856589 weird: spontaneous_FIN
+964800775.856656 weird: spontaneous_FIN
+964800775.856728 weird: spontaneous_FIN
+964800775.856793 weird: spontaneous_FIN
+964800775.856859 weird: spontaneous_FIN
+964800775.856924 weird: spontaneous_FIN
+964800775.936230 weird: spontaneous_FIN
+964800775.936303 weird: spontaneous_FIN
+964800775.936374 weird: spontaneous_FIN
+964800775.936445 weird: spontaneous_FIN
+964800775.936515 weird: spontaneous_FIN
+964800775.936592 weird: spontaneous_FIN
+964800775.936667 weird: spontaneous_FIN
+964800775.936743 weird: spontaneous_FIN
+964800775.936812 weird: spontaneous_FIN
+964800775.936881 weird: spontaneous_FIN
+964800775.936948 weird: spontaneous_FIN
+964800776.016246 weird: spontaneous_FIN
+964800776.016318 weird: spontaneous_FIN
+964800776.016387 weird: spontaneous_FIN
+964800776.016451 weird: spontaneous_FIN
+964800776.016517 weird: spontaneous_FIN
+964800776.016583 weird: spontaneous_FIN
+964800776.016649 weird: spontaneous_FIN
+964800776.016716 weird: spontaneous_FIN
+964800776.016783 weird: spontaneous_FIN
+964800776.016849 weird: spontaneous_FIN
+964800776.016916 weird: spontaneous_FIN
+964800776.106240 weird: spontaneous_FIN
+964800776.106314 weird: spontaneous_FIN
+964800776.106382 weird: spontaneous_FIN
+964800776.106455 weird: spontaneous_FIN
+964800776.106525 weird: spontaneous_FIN
+964800776.106596 weird: spontaneous_FIN
+964800776.106670 weird: spontaneous_FIN
+964800776.106741 weird: spontaneous_FIN
+964800776.106808 weird: spontaneous_FIN
+964800776.106878 weird: spontaneous_FIN
+964800776.106946 weird: spontaneous_FIN
+964800776.196251 weird: spontaneous_FIN
+964800776.196326 weird: spontaneous_FIN
+964800776.196393 weird: spontaneous_FIN
+964800776.196460 weird: spontaneous_FIN
+964800776.196528 weird: spontaneous_FIN
+964800776.196596 weird: spontaneous_FIN
+964800776.196665 weird: spontaneous_FIN
+964800776.196734 weird: spontaneous_FIN
+964800776.196801 weird: spontaneous_FIN
+964800776.196868 weird: spontaneous_FIN
+964800776.196935 weird: spontaneous_FIN
+964800776.282677 weird: spontaneous_FIN
+964800776.282753 weird: spontaneous_FIN
+964800776.282822 weird: spontaneous_FIN
+964800776.282892 weird: spontaneous_FIN
+964800776.282965 weird: spontaneous_FIN
+964800776.283035 weird: spontaneous_FIN
+964800776.283104 weird: spontaneous_FIN
+964800776.283172 weird: spontaneous_FIN
+964800776.283241 weird: spontaneous_FIN
+964800776.283313 weird: spontaneous_FIN
+964800776.283381 weird: spontaneous_FIN
+964800776.376263 weird: spontaneous_FIN
+964800776.376339 weird: spontaneous_FIN
+964800776.376405 weird: spontaneous_FIN
+964800776.376472 weird: spontaneous_FIN
+964800776.376538 weird: spontaneous_FIN
+964800776.376609 weird: spontaneous_FIN
+964800776.376677 weird: spontaneous_FIN
+964800776.376742 weird: spontaneous_FIN
+964800776.376811 weird: spontaneous_FIN
+964800776.376880 weird: spontaneous_FIN
+964800776.376950 weird: spontaneous_FIN
+964800776.466238 weird: spontaneous_FIN
+964800776.466312 weird: spontaneous_FIN
+964800776.466381 weird: spontaneous_FIN
+964800776.466450 weird: spontaneous_FIN
+964800776.466521 weird: spontaneous_FIN
+964800776.466590 weird: spontaneous_FIN
+964800776.466659 weird: spontaneous_FIN
+964800776.466728 weird: spontaneous_FIN
+964800776.466796 weird: spontaneous_FIN
+964800776.466867 weird: spontaneous_FIN
+964800776.466940 weird: spontaneous_FIN
+964800776.552161 weird: spontaneous_FIN
+964800776.552231 weird: spontaneous_FIN
+964800776.552296 weird: spontaneous_FIN
+964800776.552362 weird: spontaneous_FIN
+964800776.552429 weird: spontaneous_FIN
+964800776.552495 weird: spontaneous_FIN
+964800776.552561 weird: spontaneous_FIN
+964800776.552628 weird: spontaneous_FIN
+964800776.552697 weird: spontaneous_FIN
+964800776.552764 weird: spontaneous_FIN
+964800776.552834 weird: spontaneous_FIN
+964800776.644263 weird: spontaneous_FIN
+964800776.644339 weird: spontaneous_FIN
+964800776.644407 weird: spontaneous_FIN
+964800776.644476 weird: spontaneous_FIN
+964800776.644545 weird: spontaneous_FIN
+964800776.644615 weird: spontaneous_FIN
+964800776.644682 weird: spontaneous_FIN
+964800776.644750 weird: spontaneous_FIN
+964800776.644819 weird: spontaneous_FIN
+964800776.644892 weird: spontaneous_FIN
+964800776.644960 weird: spontaneous_FIN
+964800776.728086 weird: spontaneous_FIN
+964800776.728241 weird: spontaneous_FIN
+964800776.728391 weird: spontaneous_FIN
+964800776.728563 weird: spontaneous_FIN
+964800776.728716 weird: spontaneous_FIN
+964800776.728870 weird: spontaneous_FIN
+964800776.729043 weird: spontaneous_FIN
+964800776.729215 weird: spontaneous_FIN
+964800776.729353 weird: spontaneous_FIN
+964800776.729426 weird: spontaneous_FIN
+964800776.729495 weird: spontaneous_FIN
+964800776.806256 weird: spontaneous_FIN
+964800776.806333 weird: spontaneous_FIN
+964800776.806399 weird: spontaneous_FIN
+964800776.806465 weird: spontaneous_FIN
+964800776.806534 weird: spontaneous_FIN
+964800776.806604 weird: spontaneous_FIN
+964800776.806675 weird: spontaneous_FIN
+964800776.806744 weird: spontaneous_FIN
+964800776.806814 weird: spontaneous_FIN
+964800776.806880 weird: spontaneous_FIN
+964800776.806950 weird: spontaneous_FIN
+964800776.886239 weird: spontaneous_FIN
+964800776.886306 weird: spontaneous_FIN
+964800776.886371 weird: spontaneous_FIN
+964800776.886435 weird: spontaneous_FIN
+964800776.886505 weird: spontaneous_FIN
+964800776.886569 weird: spontaneous_FIN
+964800776.886635 weird: spontaneous_FIN
+964800776.886703 weird: spontaneous_FIN
+964800776.886770 weird: spontaneous_FIN
+964800776.886834 weird: spontaneous_FIN
+964800776.886899 weird: spontaneous_FIN
+964800776.966235 weird: spontaneous_FIN
+964800776.966310 weird: spontaneous_FIN
+964800776.966376 weird: spontaneous_FIN
+964800776.966443 weird: spontaneous_FIN
+964800776.966511 weird: spontaneous_FIN
+964800776.966579 weird: spontaneous_FIN
+964800776.966648 weird: spontaneous_FIN
+964800776.966716 weird: spontaneous_FIN
+964800776.966786 weird: spontaneous_FIN
+964800776.966853 weird: spontaneous_FIN
+964800776.966917 weird: spontaneous_FIN
+964800777.056249 weird: spontaneous_FIN
+964800777.056317 weird: spontaneous_FIN
+964800777.056383 weird: spontaneous_FIN
+964800777.056448 weird: spontaneous_FIN
+964800777.056515 weird: spontaneous_FIN
+964800777.056580 weird: spontaneous_FIN
+964800777.056646 weird: spontaneous_FIN
+964800777.056713 weird: spontaneous_FIN
+964800777.056780 weird: spontaneous_FIN
+964800777.056846 weird: spontaneous_FIN
+964800777.056914 weird: spontaneous_FIN
+964800777.144875 weird: spontaneous_FIN
+964800777.144952 weird: spontaneous_FIN
+964800777.145024 weird: spontaneous_FIN
+964800777.145092 weird: spontaneous_FIN
+964800777.145163 weird: spontaneous_FIN
+964800777.145234 weird: spontaneous_FIN
+964800777.145306 weird: spontaneous_FIN
+964800777.145376 weird: spontaneous_FIN
+964800777.145445 weird: spontaneous_FIN
+964800777.145516 weird: spontaneous_FIN
+964800777.145585 weird: spontaneous_FIN
+964800777.236248 weird: spontaneous_FIN
+964800777.236320 weird: spontaneous_FIN
+964800777.236387 weird: spontaneous_FIN
+964800777.236451 weird: spontaneous_FIN
+964800777.236520 weird: spontaneous_FIN
+964800777.236584 weird: spontaneous_FIN
+964800777.236651 weird: spontaneous_FIN
+964800777.236718 weird: spontaneous_FIN
+964800777.236781 weird: spontaneous_FIN
+964800777.236848 weird: spontaneous_FIN
+964800777.236917 weird: spontaneous_FIN
+964800777.327083 weird: spontaneous_FIN
+964800777.327168 weird: spontaneous_FIN
+964800777.327239 weird: spontaneous_FIN
+964800777.327307 weird: spontaneous_FIN
+964800777.327378 weird: spontaneous_FIN
+964800777.327447 weird: spontaneous_FIN
+964800777.327520 weird: spontaneous_FIN
+964800777.327589 weird: spontaneous_FIN
+964800777.327658 weird: spontaneous_FIN
+964800777.327725 weird: spontaneous_FIN
+964800777.327797 weird: spontaneous_FIN
+964800777.412617 weird: spontaneous_FIN
+964800777.412689 weird: spontaneous_FIN
+964800777.412756 weird: spontaneous_FIN
+964800777.412820 weird: spontaneous_FIN
+964800777.412889 weird: spontaneous_FIN
+964800777.412954 weird: spontaneous_FIN
+964800777.413022 weird: spontaneous_FIN
+964800777.413089 weird: spontaneous_FIN
+964800777.413152 weird: spontaneous_FIN
+964800777.413217 weird: spontaneous_FIN
+964800777.413285 weird: spontaneous_FIN
+964800777.506249 weird: spontaneous_FIN
+964800777.506325 weird: spontaneous_FIN
+964800777.506392 weird: spontaneous_FIN
+964800777.506459 weird: spontaneous_FIN
+964800777.506527 weird: spontaneous_FIN
+964800777.506596 weird: spontaneous_FIN
+964800777.506670 weird: spontaneous_FIN
+964800777.506737 weird: spontaneous_FIN
+964800777.506807 weird: spontaneous_FIN
+964800777.506876 weird: spontaneous_FIN
+964800777.506946 weird: spontaneous_FIN
+964800777.596254 weird: spontaneous_FIN
+964800777.596322 weird: spontaneous_FIN
+964800777.596388 weird: spontaneous_FIN
+964800777.596456 weird: spontaneous_FIN
+964800777.596527 weird: spontaneous_FIN
+964800777.596589 weird: spontaneous_FIN
+964800777.596656 weird: spontaneous_FIN
+964800777.596724 weird: spontaneous_FIN
+964800777.596787 weird: spontaneous_FIN
+964800777.596854 weird: spontaneous_FIN
+964800777.596922 weird: spontaneous_FIN
+964800777.686291 weird: spontaneous_FIN
+964800777.686368 weird: spontaneous_FIN
+964800777.686436 weird: spontaneous_FIN
+964800777.686503 weird: spontaneous_FIN
+964800777.686573 weird: spontaneous_FIN
+964800777.686641 weird: spontaneous_FIN
+964800777.686713 weird: spontaneous_FIN
+964800777.686781 weird: spontaneous_FIN
+964800777.686850 weird: spontaneous_FIN
+964800777.686920 weird: spontaneous_FIN
+964800777.686989 weird: spontaneous_FIN
+964800777.776265 weird: spontaneous_FIN
+964800777.776337 weird: spontaneous_FIN
+964800777.776404 weird: spontaneous_FIN
+964800777.776468 weird: spontaneous_FIN
+964800777.776538 weird: spontaneous_FIN
+964800777.776604 weird: spontaneous_FIN
+964800777.776671 weird: spontaneous_FIN
+964800777.776741 weird: spontaneous_FIN
+964800777.776804 weird: spontaneous_FIN
+964800777.776873 weird: spontaneous_FIN
+964800777.776943 weird: spontaneous_FIN
+964800777.866250 weird: spontaneous_FIN
+964800777.866324 weird: spontaneous_FIN
+964800777.866392 weird: spontaneous_FIN
+964800777.866459 weird: spontaneous_FIN
+964800777.866526 weird: spontaneous_FIN
+964800777.866594 weird: spontaneous_FIN
+964800777.866667 weird: spontaneous_FIN
+964800777.866736 weird: spontaneous_FIN
+964800777.866806 weird: spontaneous_FIN
+964800777.866872 weird: spontaneous_FIN
+964800777.866939 weird: spontaneous_FIN
+964800777.956255 weird: spontaneous_FIN
+964800777.956326 weird: spontaneous_FIN
+964800777.956393 weird: spontaneous_FIN
+964800777.956458 weird: spontaneous_FIN
+964800777.956527 weird: spontaneous_FIN
+964800777.956590 weird: spontaneous_FIN
+964800777.956657 weird: spontaneous_FIN
+964800777.956724 weird: spontaneous_FIN
+964800777.956789 weird: spontaneous_FIN
+964800777.956855 weird: spontaneous_FIN
+964800777.956922 weird: spontaneous_FIN
+964800778.046249 weird: spontaneous_FIN
+964800778.046324 weird: spontaneous_FIN
+964800778.046390 weird: spontaneous_FIN
+964800778.046458 weird: spontaneous_FIN
+964800778.046527 weird: spontaneous_FIN
+964800778.046595 weird: spontaneous_FIN
+964800778.046668 weird: spontaneous_FIN
+964800778.046737 weird: spontaneous_FIN
+964800778.046807 weird: spontaneous_FIN
+964800778.046876 weird: spontaneous_FIN
+964800778.046944 weird: spontaneous_FIN
+964800778.136284 weird: spontaneous_FIN
+964800778.136360 weird: spontaneous_FIN
+964800778.136427 weird: spontaneous_FIN
+964800778.136493 weird: spontaneous_FIN
+964800778.136561 weird: spontaneous_FIN
+964800778.136626 weird: spontaneous_FIN
+964800778.136693 weird: spontaneous_FIN
+964800778.136762 weird: spontaneous_FIN
+964800778.136830 weird: spontaneous_FIN
+964800778.136897 weird: spontaneous_FIN
+964800778.136965 weird: spontaneous_FIN
+964800778.226219 weird: spontaneous_FIN
+964800778.226294 weird: spontaneous_FIN
+964800778.226362 weird: spontaneous_FIN
+964800778.226428 weird: spontaneous_FIN
+964800778.226495 weird: spontaneous_FIN
+964800778.226563 weird: spontaneous_FIN
+964800778.226635 weird: spontaneous_FIN
+964800778.226703 weird: spontaneous_FIN
+964800778.226773 weird: spontaneous_FIN
+964800778.226840 weird: spontaneous_FIN
+964800778.226907 weird: spontaneous_FIN
+964800778.316282 weird: spontaneous_FIN
+964800778.316358 weird: spontaneous_FIN
+964800778.316426 weird: spontaneous_FIN
+964800778.316491 weird: spontaneous_FIN
+964800778.316559 weird: spontaneous_FIN
+964800778.316623 weird: spontaneous_FIN
+964800778.316690 weird: spontaneous_FIN
+964800778.316758 weird: spontaneous_FIN
+964800778.316824 weird: spontaneous_FIN
+964800778.316890 weird: spontaneous_FIN
+964800778.316956 weird: spontaneous_FIN
+964800778.400021 weird: spontaneous_FIN
+964800778.400197 weird: spontaneous_FIN
+964800778.400362 weird: spontaneous_FIN
+964800778.400467 weird: spontaneous_FIN
+964800778.400540 weird: spontaneous_FIN
+964800778.400616 weird: spontaneous_FIN
+964800778.400679 weird: spontaneous_FIN
+964800778.400749 weird: spontaneous_FIN
+964800778.400822 weird: spontaneous_FIN
+964800778.400890 weird: spontaneous_FIN
+964800778.400962 weird: spontaneous_FIN
+964800778.476292 weird: spontaneous_FIN
+964800778.476368 weird: spontaneous_FIN
+964800778.476437 weird: spontaneous_FIN
+964800778.476504 weird: spontaneous_FIN
+964800778.476572 weird: spontaneous_FIN
+964800778.476639 weird: spontaneous_FIN
+964800778.476710 weird: spontaneous_FIN
+964800778.476774 weird: spontaneous_FIN
+964800778.476842 weird: spontaneous_FIN
+964800778.476906 weird: spontaneous_FIN
+964800778.476973 weird: spontaneous_FIN
+964800778.566327 weird: spontaneous_FIN
+964800778.566419 weird: spontaneous_FIN
+964800778.566491 weird: spontaneous_FIN
+964800778.566566 weird: spontaneous_FIN
+964800778.566638 weird: spontaneous_FIN
+964800778.566711 weird: spontaneous_FIN
+964800778.566782 weird: spontaneous_FIN
+964800778.566855 weird: spontaneous_FIN
+964800778.566925 weird: spontaneous_FIN
+964800778.566997 weird: spontaneous_FIN
+964800778.567071 weird: spontaneous_FIN
+964800778.656266 weird: spontaneous_FIN
+964800778.656341 weird: spontaneous_FIN
+964800778.656410 weird: spontaneous_FIN
+964800778.656475 weird: spontaneous_FIN
+964800778.656544 weird: spontaneous_FIN
+964800778.656611 weird: spontaneous_FIN
+964800778.656675 weird: spontaneous_FIN
+964800778.656745 weird: spontaneous_FIN
+964800778.656810 weird: spontaneous_FIN
+964800778.656876 weird: spontaneous_FIN
+964800778.656943 weird: spontaneous_FIN
+964800778.746263 weird: spontaneous_FIN
+964800778.746339 weird: spontaneous_FIN
+964800778.746407 weird: spontaneous_FIN
+964800778.746478 weird: spontaneous_FIN
+964800778.746550 weird: spontaneous_FIN
+964800778.746620 weird: spontaneous_FIN
+964800778.746691 weird: spontaneous_FIN
+964800778.746762 weird: spontaneous_FIN
+964800778.746832 weird: spontaneous_FIN
+964800778.746901 weird: spontaneous_FIN
+964800778.746974 weird: spontaneous_FIN
+964800778.836269 weird: spontaneous_FIN
+964800778.836342 weird: spontaneous_FIN
+964800778.836410 weird: spontaneous_FIN
+964800778.836479 weird: spontaneous_FIN
+964800778.836547 weird: spontaneous_FIN
+964800778.836616 weird: spontaneous_FIN
+964800778.836681 weird: spontaneous_FIN
+964800778.836749 weird: spontaneous_FIN
+964800778.836815 weird: spontaneous_FIN
+964800778.836883 weird: spontaneous_FIN
+964800778.836950 weird: spontaneous_FIN
+964800778.916245 weird: spontaneous_FIN
+964800778.916318 weird: spontaneous_FIN
+964800778.916387 weird: spontaneous_FIN
+964800778.916459 weird: spontaneous_FIN
+964800778.916529 weird: spontaneous_FIN
+964800778.916600 weird: spontaneous_FIN
+964800778.916670 weird: spontaneous_FIN
+964800778.916738 weird: spontaneous_FIN
+964800778.916807 weird: spontaneous_FIN
+964800778.916877 weird: spontaneous_FIN
+964800778.916945 weird: spontaneous_FIN
+964800779.017839 weird: spontaneous_FIN
+964800779.017930 weird: spontaneous_FIN
+964800779.017998 weird: spontaneous_FIN
+964800779.018066 weird: spontaneous_FIN
+964800779.018135 weird: spontaneous_FIN
+964800779.018205 weird: spontaneous_FIN
+964800779.018275 weird: spontaneous_FIN
+964800779.018343 weird: spontaneous_FIN
+964800779.018412 weird: spontaneous_FIN
+964800779.018481 weird: spontaneous_FIN
+964800779.018552 weird: spontaneous_FIN
+964800779.096262 weird: spontaneous_FIN
+964800779.096337 weird: spontaneous_FIN
+964800779.096406 weird: spontaneous_FIN
+964800779.096475 weird: spontaneous_FIN
+964800779.096545 weird: spontaneous_FIN
+964800779.096613 weird: spontaneous_FIN
+964800779.096682 weird: spontaneous_FIN
+964800779.096753 weird: spontaneous_FIN
+964800779.096820 weird: spontaneous_FIN
+964800779.096893 weird: spontaneous_FIN
+964800779.096963 weird: spontaneous_FIN
+964800779.186271 weird: spontaneous_FIN
+964800779.186345 weird: spontaneous_FIN
+964800779.186415 weird: spontaneous_FIN
+964800779.186483 weird: spontaneous_FIN
+964800779.186550 weird: spontaneous_FIN
+964800779.186620 weird: spontaneous_FIN
+964800779.186685 weird: spontaneous_FIN
+964800779.186753 weird: spontaneous_FIN
+964800779.186820 weird: spontaneous_FIN
+964800779.186888 weird: spontaneous_FIN
+964800779.186957 weird: spontaneous_FIN
+964800779.266257 weird: spontaneous_FIN
+964800779.266330 weird: spontaneous_FIN
+964800779.266400 weird: spontaneous_FIN
+964800779.266470 weird: spontaneous_FIN
+964800779.266539 weird: spontaneous_FIN
+964800779.266611 weird: spontaneous_FIN
+964800779.266682 weird: spontaneous_FIN
+964800779.266751 weird: spontaneous_FIN
+964800779.266819 weird: spontaneous_FIN
+964800779.266890 weird: spontaneous_FIN
+964800779.266958 weird: spontaneous_FIN
+964800779.346268 weird: spontaneous_FIN
+964800779.346342 weird: spontaneous_FIN
+964800779.346407 weird: spontaneous_FIN
+964800779.346475 weird: spontaneous_FIN
+964800779.346544 weird: spontaneous_FIN
+964800779.346612 weird: spontaneous_FIN
+964800779.346677 weird: spontaneous_FIN
+964800779.346741 weird: spontaneous_FIN
+964800779.346810 weird: spontaneous_FIN
+964800779.346877 weird: spontaneous_FIN
+964800779.346943 weird: spontaneous_FIN
+964800779.426258 weird: spontaneous_FIN
+964800779.426333 weird: spontaneous_FIN
+964800779.426400 weird: spontaneous_FIN
+964800779.426467 weird: spontaneous_FIN
+964800779.426537 weird: spontaneous_FIN
+964800779.426605 weird: spontaneous_FIN
+964800779.426674 weird: spontaneous_FIN
+964800779.426743 weird: spontaneous_FIN
+964800779.426812 weird: spontaneous_FIN
+964800779.426884 weird: spontaneous_FIN
+964800779.426950 weird: spontaneous_FIN
+964800779.516265 weird: spontaneous_FIN
+964800779.516338 weird: spontaneous_FIN
+964800779.516405 weird: spontaneous_FIN
+964800779.516473 weird: spontaneous_FIN
+964800779.516541 weird: spontaneous_FIN
+964800779.516609 weird: spontaneous_FIN
+964800779.516675 weird: spontaneous_FIN
+964800779.516743 weird: spontaneous_FIN
+964800779.516810 weird: spontaneous_FIN
+964800779.516878 weird: spontaneous_FIN
+964800779.516946 weird: spontaneous_FIN
+964800779.593921 weird: spontaneous_FIN
+964800779.593994 weird: spontaneous_FIN
+964800779.594061 weird: spontaneous_FIN
+964800779.594132 weird: spontaneous_FIN
+964800779.594200 weird: spontaneous_FIN
+964800779.594270 weird: spontaneous_FIN
+964800779.594340 weird: spontaneous_FIN
+964800779.594410 weird: spontaneous_FIN
+964800779.594479 weird: spontaneous_FIN
+964800779.594551 weird: spontaneous_FIN
+964800779.594620 weird: spontaneous_FIN
+964800779.676266 weird: spontaneous_FIN
+964800779.676340 weird: spontaneous_FIN
+964800779.676407 weird: spontaneous_FIN
+964800779.676476 weird: spontaneous_FIN
+964800779.676544 weird: spontaneous_FIN
+964800779.676613 weird: spontaneous_FIN
+964800779.676678 weird: spontaneous_FIN
+964800779.676744 weird: spontaneous_FIN
+964800779.676814 weird: spontaneous_FIN
+964800779.676883 weird: spontaneous_FIN
+964800779.676950 weird: spontaneous_FIN
+964800779.756262 weird: spontaneous_FIN
+964800779.756338 weird: spontaneous_FIN
+964800779.756406 weird: spontaneous_FIN
+964800779.756475 weird: spontaneous_FIN
+964800779.756546 weird: spontaneous_FIN
+964800779.756616 weird: spontaneous_FIN
+964800779.756685 weird: spontaneous_FIN
+964800779.756757 weird: spontaneous_FIN
+964800779.756828 weird: spontaneous_FIN
+964800779.756901 weird: spontaneous_FIN
+964800779.756971 weird: spontaneous_FIN
+964800779.836563 weird: spontaneous_FIN
+964800779.836643 weird: spontaneous_FIN
+964800779.836717 weird: spontaneous_FIN
+964800779.836826 weird: spontaneous_FIN
+964800779.836900 weird: spontaneous_FIN
+964800779.836967 weird: spontaneous_FIN
+964800779.837081 weird: spontaneous_FIN
+964800779.837157 weird: spontaneous_FIN
+964800779.837226 weird: spontaneous_FIN
+964800779.837350 weird: spontaneous_FIN
+964800779.837428 weird: spontaneous_FIN
+964800779.916268 weird: spontaneous_FIN
+964800779.916345 weird: spontaneous_FIN
+964800779.916418 weird: spontaneous_FIN
+964800779.916490 weird: spontaneous_FIN
+964800779.916557 weird: spontaneous_FIN
+964800779.916627 weird: spontaneous_FIN
+964800779.916697 weird: spontaneous_FIN
+964800779.916765 weird: spontaneous_FIN
+964800779.916835 weird: spontaneous_FIN
+964800779.916905 weird: spontaneous_FIN
+964800779.916978 weird: spontaneous_FIN
+964800780.006279 weird: spontaneous_FIN
+964800780.006352 weird: spontaneous_FIN
+964800780.006419 weird: spontaneous_FIN
+964800780.006486 weird: spontaneous_FIN
+964800780.006554 weird: spontaneous_FIN
+964800780.006620 weird: spontaneous_FIN
+964800780.006684 weird: spontaneous_FIN
+964800780.006755 weird: spontaneous_FIN
+964800780.006822 weird: spontaneous_FIN
+964800780.006891 weird: spontaneous_FIN
+964800780.006959 weird: spontaneous_FIN
+964800780.096268 weird: spontaneous_FIN
+964800780.096348 weird: spontaneous_FIN
+964800780.096414 weird: spontaneous_FIN
+964800780.096483 weird: spontaneous_FIN
+964800780.096550 weird: spontaneous_FIN
+964800780.096622 weird: spontaneous_FIN
+964800780.096690 weird: spontaneous_FIN
+964800780.096758 weird: spontaneous_FIN
+964800780.096828 weird: spontaneous_FIN
+964800780.096897 weird: spontaneous_FIN
+964800780.096966 weird: spontaneous_FIN
+964800780.186274 weird: spontaneous_FIN
+964800780.186347 weird: spontaneous_FIN
+964800780.186414 weird: spontaneous_FIN
+964800780.186481 weird: spontaneous_FIN
+964800780.186550 weird: spontaneous_FIN
+964800780.186614 weird: spontaneous_FIN
+964800780.186681 weird: spontaneous_FIN
+964800780.186750 weird: spontaneous_FIN
+964800780.186815 weird: spontaneous_FIN
+964800780.186883 weird: spontaneous_FIN
+964800780.186952 weird: spontaneous_FIN
+964800780.276287 weird: spontaneous_FIN
+964800780.276371 weird: spontaneous_FIN
+964800780.276443 weird: spontaneous_FIN
+964800780.276514 weird: spontaneous_FIN
+964800780.276580 weird: spontaneous_FIN
+964800780.276650 weird: spontaneous_FIN
+964800780.276723 weird: spontaneous_FIN
+964800780.276791 weird: spontaneous_FIN
+964800780.276860 weird: spontaneous_FIN
+964800780.276929 weird: spontaneous_FIN
+964800780.276998 weird: spontaneous_FIN
+964800780.366321 weird: spontaneous_FIN
+964800780.366405 weird: spontaneous_FIN
+964800780.366475 weird: spontaneous_FIN
+964800780.366544 weird: spontaneous_FIN
+964800780.366612 weird: spontaneous_FIN
+964800780.366680 weird: spontaneous_FIN
+964800780.366751 weird: spontaneous_FIN
+964800780.366819 weird: spontaneous_FIN
+964800780.366892 weird: spontaneous_FIN
+964800780.366959 weird: spontaneous_FIN
+964800780.367029 weird: spontaneous_FIN
+964800780.446265 weird: spontaneous_FIN
+964800780.446344 weird: spontaneous_FIN
+964800780.446412 weird: spontaneous_FIN
+964800780.446483 weird: spontaneous_FIN
+964800780.446551 weird: spontaneous_FIN
+964800780.446623 weird: spontaneous_FIN
+964800780.446692 weird: spontaneous_FIN
+964800780.446760 weird: spontaneous_FIN
+964800780.446829 weird: spontaneous_FIN
+964800780.446897 weird: spontaneous_FIN
+964800780.446965 weird: spontaneous_FIN
+964800780.529062 weird: spontaneous_FIN
+964800780.529134 weird: spontaneous_FIN
+964800780.529199 weird: spontaneous_FIN
+964800780.529264 weird: spontaneous_FIN
+964800780.529330 weird: spontaneous_FIN
+964800780.529397 weird: spontaneous_FIN
+964800780.529462 weird: spontaneous_FIN
+964800780.529530 weird: spontaneous_FIN
+964800780.529597 weird: spontaneous_FIN
+964800780.529664 weird: spontaneous_FIN
+964800780.529733 weird: spontaneous_FIN
+964800780.616266 weird: spontaneous_FIN
+964800780.616345 weird: spontaneous_FIN
+964800780.616413 weird: spontaneous_FIN
+964800780.616484 weird: spontaneous_FIN
+964800780.616552 weird: spontaneous_FIN
+964800780.616622 weird: spontaneous_FIN
+964800780.616693 weird: spontaneous_FIN
+964800780.616762 weird: spontaneous_FIN
+964800780.616831 weird: spontaneous_FIN
+964800780.616899 weird: spontaneous_FIN
+964800780.616968 weird: spontaneous_FIN
+964800780.706280 weird: spontaneous_FIN
+964800780.706356 weird: spontaneous_FIN
+964800780.706425 weird: spontaneous_FIN
+964800780.706492 weird: spontaneous_FIN
+964800780.706557 weird: spontaneous_FIN
+964800780.706624 weird: spontaneous_FIN
+964800780.706689 weird: spontaneous_FIN
+964800780.706758 weird: spontaneous_FIN
+964800780.706826 weird: spontaneous_FIN
+964800780.706895 weird: spontaneous_FIN
+964800780.706962 weird: spontaneous_FIN
+964800780.796266 weird: spontaneous_FIN
+964800780.796343 weird: spontaneous_FIN
+964800780.796410 weird: spontaneous_FIN
+964800780.796478 weird: spontaneous_FIN
+964800780.796546 weird: spontaneous_FIN
+964800780.796615 weird: spontaneous_FIN
+964800780.796684 weird: spontaneous_FIN
+964800780.796752 weird: spontaneous_FIN
+964800780.796819 weird: spontaneous_FIN
+964800780.796888 weird: spontaneous_FIN
+964800780.796958 weird: spontaneous_FIN
+964800780.876276 weird: spontaneous_FIN
+964800780.876354 weird: spontaneous_FIN
+964800780.876427 weird: spontaneous_FIN
+964800780.876496 weird: spontaneous_FIN
+964800780.876562 weird: spontaneous_FIN
+964800780.876629 weird: spontaneous_FIN
+964800780.876694 weird: spontaneous_FIN
+964800780.876763 weird: spontaneous_FIN
+964800780.876830 weird: spontaneous_FIN
+964800780.876901 weird: spontaneous_FIN
+964800780.876968 weird: spontaneous_FIN
+964800780.956262 weird: spontaneous_FIN
+964800780.956345 weird: spontaneous_FIN
+964800780.956421 weird: spontaneous_FIN
+964800780.956496 weird: spontaneous_FIN
+964800780.956563 weird: spontaneous_FIN
+964800780.956632 weird: spontaneous_FIN
+964800780.956699 weird: spontaneous_FIN
+964800780.956770 weird: spontaneous_FIN
+964800780.956839 weird: spontaneous_FIN
+964800780.956910 weird: spontaneous_FIN
+964800780.956980 weird: spontaneous_FIN
+964800781.032655 weird: spontaneous_FIN
+964800781.032724 weird: spontaneous_FIN
+964800781.032791 weird: spontaneous_FIN
+964800781.032858 weird: spontaneous_FIN
+964800781.032925 weird: spontaneous_FIN
+964800781.032992 weird: spontaneous_FIN
+964800781.033057 weird: spontaneous_FIN
+964800781.033128 weird: spontaneous_FIN
+964800781.033195 weird: spontaneous_FIN
+964800781.033263 weird: spontaneous_FIN
+964800781.033330 weird: spontaneous_FIN
+964800781.116270 weird: spontaneous_FIN
+964800781.116348 weird: spontaneous_FIN
+964800781.116414 weird: spontaneous_FIN
+964800781.116483 weird: spontaneous_FIN
+964800781.116551 weird: spontaneous_FIN
+964800781.116619 weird: spontaneous_FIN
+964800781.116687 weird: spontaneous_FIN
+964800781.116756 weird: spontaneous_FIN
+964800781.116824 weird: spontaneous_FIN
+964800781.116893 weird: spontaneous_FIN
+964800781.116964 weird: spontaneous_FIN
+964800781.196282 weird: spontaneous_FIN
+964800781.196354 weird: spontaneous_FIN
+964800781.196421 weird: spontaneous_FIN
+964800781.196485 weird: spontaneous_FIN
+964800781.196552 weird: spontaneous_FIN
+964800781.196622 weird: spontaneous_FIN
+964800781.196687 weird: spontaneous_FIN
+964800781.196758 weird: spontaneous_FIN
+964800781.196826 weird: spontaneous_FIN
+964800781.196894 weird: spontaneous_FIN
+964800781.196961 weird: spontaneous_FIN
+964800781.286274 weird: spontaneous_FIN
+964800781.286351 weird: spontaneous_FIN
+964800781.286419 weird: spontaneous_FIN
+964800781.286490 weird: spontaneous_FIN
+964800781.286557 weird: spontaneous_FIN
+964800781.286627 weird: spontaneous_FIN
+964800781.286698 weird: spontaneous_FIN
+964800781.286766 weird: spontaneous_FIN
+964800781.286835 weird: spontaneous_FIN
+964800781.286903 weird: spontaneous_FIN
+964800781.286977 weird: spontaneous_FIN
+964800781.376286 weird: spontaneous_FIN
+964800781.376357 weird: spontaneous_FIN
+964800781.376423 weird: spontaneous_FIN
+964800781.376493 weird: spontaneous_FIN
+964800781.376555 weird: spontaneous_FIN
+964800781.376622 weird: spontaneous_FIN
+964800781.376688 weird: spontaneous_FIN
+964800781.376759 weird: spontaneous_FIN
+964800781.376826 weird: spontaneous_FIN
+964800781.376896 weird: spontaneous_FIN
+964800781.376963 weird: spontaneous_FIN
+964800781.458157 weird: spontaneous_FIN
+964800781.458254 weird: spontaneous_FIN
+964800781.458324 weird: spontaneous_FIN
+964800781.458391 weird: spontaneous_FIN
+964800781.458460 weird: spontaneous_FIN
+964800781.458531 weird: spontaneous_FIN
+964800781.458600 weird: spontaneous_FIN
+964800781.458670 weird: spontaneous_FIN
+964800781.458740 weird: spontaneous_FIN
+964800781.458813 weird: spontaneous_FIN
+964800781.458885 weird: spontaneous_FIN
+964800781.537218 weird: spontaneous_FIN
+964800781.537291 weird: spontaneous_FIN
+964800781.537357 weird: spontaneous_FIN
+964800781.537422 weird: spontaneous_FIN
+964800781.537494 weird: spontaneous_FIN
+964800781.537564 weird: spontaneous_FIN
+964800781.537634 weird: spontaneous_FIN
+964800781.537705 weird: spontaneous_FIN
+964800781.537769 weird: spontaneous_FIN
+964800781.537841 weird: spontaneous_FIN
+964800781.537906 weird: spontaneous_FIN
+964800781.626271 weird: spontaneous_FIN
+964800781.626346 weird: spontaneous_FIN
+964800781.626416 weird: spontaneous_FIN
+964800781.626484 weird: spontaneous_FIN
+964800781.626553 weird: spontaneous_FIN
+964800781.626620 weird: spontaneous_FIN
+964800781.626693 weird: spontaneous_FIN
+964800781.626762 weird: spontaneous_FIN
+964800781.626832 weird: spontaneous_FIN
+964800781.626901 weird: spontaneous_FIN
+964800781.626969 weird: spontaneous_FIN
+964800781.664431 weird: spontaneous_FIN
+964800781.716288 weird: spontaneous_FIN
+964800781.716360 weird: spontaneous_FIN
+964800781.716423 weird: spontaneous_FIN
+964800781.716491 weird: spontaneous_FIN
+964800781.716560 weird: spontaneous_FIN
+964800781.716626 weird: spontaneous_FIN
+964800781.716693 weird: spontaneous_FIN
+964800781.716761 weird: spontaneous_FIN
+964800781.716829 weird: spontaneous_FIN
+964800781.716898 weird: spontaneous_FIN
+964800781.716964 weird: spontaneous_FIN
+964800781.798103 weird: spontaneous_FIN
+964800781.798174 weird: spontaneous_FIN
+964800781.798242 weird: spontaneous_FIN
+964800781.798310 weird: spontaneous_FIN
+964800781.798379 weird: spontaneous_FIN
+964800781.798448 weird: spontaneous_FIN
+964800781.798518 weird: spontaneous_FIN
+964800781.798586 weird: spontaneous_FIN
+964800781.798654 weird: spontaneous_FIN
+964800781.798727 weird: spontaneous_FIN
+964800781.798802 weird: spontaneous_FIN
+964800781.886287 weird: spontaneous_FIN
+964800781.886359 weird: spontaneous_FIN
+964800781.886423 weird: spontaneous_FIN
+964800781.886491 weird: spontaneous_FIN
+964800781.886557 weird: spontaneous_FIN
+964800781.886629 weird: spontaneous_FIN
+964800781.886702 weird: spontaneous_FIN
+964800781.886770 weird: spontaneous_FIN
+964800781.886839 weird: spontaneous_FIN
+964800781.886904 weird: spontaneous_FIN
+964800781.886973 weird: spontaneous_FIN
+964800781.966261 weird: spontaneous_FIN
+964800781.966333 weird: spontaneous_FIN
+964800781.966402 weird: spontaneous_FIN
+964800781.966471 weird: spontaneous_FIN
+964800781.966543 weird: spontaneous_FIN
+964800781.966668 weird: spontaneous_FIN
+964800781.966750 weird: spontaneous_FIN
+964800781.966818 weird: spontaneous_FIN
+964800781.966889 weird: spontaneous_FIN
+964800781.966958 weird: spontaneous_FIN
+964800781.967030 weird: spontaneous_FIN
+964800782.056284 weird: spontaneous_FIN
+964800782.056355 weird: spontaneous_FIN
+964800782.056421 weird: spontaneous_FIN
+964800782.056487 weird: spontaneous_FIN
+964800782.056558 weird: spontaneous_FIN
+964800782.056627 weird: spontaneous_FIN
+964800782.056694 weird: spontaneous_FIN
+964800782.056761 weird: spontaneous_FIN
+964800782.056830 weird: spontaneous_FIN
+964800782.056896 weird: spontaneous_FIN
+964800782.056962 weird: spontaneous_FIN
+964800782.136373 weird: spontaneous_FIN
+964800782.136448 weird: spontaneous_FIN
+964800782.136516 weird: spontaneous_FIN
+964800782.136586 weird: spontaneous_FIN
+964800782.136658 weird: spontaneous_FIN
+964800782.136728 weird: spontaneous_FIN
+964800782.136796 weird: spontaneous_FIN
+964800782.136866 weird: spontaneous_FIN
+964800782.136935 weird: spontaneous_FIN
+964800782.137002 weird: spontaneous_FIN
+964800782.137070 weird: spontaneous_FIN
+964800782.226290 weird: spontaneous_FIN
+964800782.226365 weird: spontaneous_FIN
+964800782.226432 weird: spontaneous_FIN
+964800782.226500 weird: spontaneous_FIN
+964800782.226567 weird: spontaneous_FIN
+964800782.226633 weird: spontaneous_FIN
+964800782.226701 weird: spontaneous_FIN
+964800782.226765 weird: spontaneous_FIN
+964800782.226833 weird: spontaneous_FIN
+964800782.226902 weird: spontaneous_FIN
+964800782.226966 weird: spontaneous_FIN
+964800782.316272 weird: spontaneous_FIN
+964800782.316345 weird: spontaneous_FIN
+964800782.316412 weird: spontaneous_FIN
+964800782.316481 weird: spontaneous_FIN
+964800782.316550 weird: spontaneous_FIN
+964800782.316619 weird: spontaneous_FIN
+964800782.316685 weird: spontaneous_FIN
+964800782.316758 weird: spontaneous_FIN
+964800782.316825 weird: spontaneous_FIN
+964800782.316895 weird: spontaneous_FIN
+964800782.316962 weird: spontaneous_FIN
+964800782.406302 weird: spontaneous_FIN
+964800782.406377 weird: spontaneous_FIN
+964800782.406444 weird: spontaneous_FIN
+964800782.406512 weird: spontaneous_FIN
+964800782.406579 weird: spontaneous_FIN
+964800782.406647 weird: spontaneous_FIN
+964800782.406714 weird: spontaneous_FIN
+964800782.406781 weird: spontaneous_FIN
+964800782.406850 weird: spontaneous_FIN
+964800782.406920 weird: spontaneous_FIN
+964800782.406987 weird: spontaneous_FIN
+964800782.496281 weird: spontaneous_FIN
+964800782.496354 weird: spontaneous_FIN
+964800782.496422 weird: spontaneous_FIN
+964800782.496493 weird: spontaneous_FIN
+964800782.496560 weird: spontaneous_FIN
+964800782.496628 weird: spontaneous_FIN
+964800782.496695 weird: spontaneous_FIN
+964800782.496766 weird: spontaneous_FIN
+964800782.496835 weird: spontaneous_FIN
+964800782.496904 weird: spontaneous_FIN
+964800782.496972 weird: spontaneous_FIN
+964800782.576291 weird: spontaneous_FIN
+964800782.576360 weird: spontaneous_FIN
+964800782.576427 weird: spontaneous_FIN
+964800782.576494 weird: spontaneous_FIN
+964800782.576561 weird: spontaneous_FIN
+964800782.576628 weird: spontaneous_FIN
+964800782.576695 weird: spontaneous_FIN
+964800782.576762 weird: spontaneous_FIN
+964800782.576829 weird: spontaneous_FIN
+964800782.576898 weird: spontaneous_FIN
+964800782.576961 weird: spontaneous_FIN
+964800782.666279 weird: spontaneous_FIN
+964800782.666354 weird: spontaneous_FIN
+964800782.666422 weird: spontaneous_FIN
+964800782.666491 weird: spontaneous_FIN
+964800782.666561 weird: spontaneous_FIN
+964800782.666629 weird: spontaneous_FIN
+964800782.666699 weird: spontaneous_FIN
+964800782.666771 weird: spontaneous_FIN
+964800782.666839 weird: spontaneous_FIN
+964800782.666908 weird: spontaneous_FIN
+964800782.666977 weird: spontaneous_FIN
+964800782.746286 weird: spontaneous_FIN
+964800782.746361 weird: spontaneous_FIN
+964800782.746424 weird: spontaneous_FIN
+964800782.746493 weird: spontaneous_FIN
+964800782.746559 weird: spontaneous_FIN
+964800782.746626 weird: spontaneous_FIN
+964800782.746693 weird: spontaneous_FIN
+964800782.746759 weird: spontaneous_FIN
+964800782.746824 weird: spontaneous_FIN
+964800782.746894 weird: spontaneous_FIN
+964800782.746956 weird: spontaneous_FIN
+964800782.828989 weird: spontaneous_FIN
+964800782.829149 weird: spontaneous_FIN
+964800782.829299 weird: spontaneous_FIN
+964800782.829465 weird: spontaneous_FIN
+964800782.829635 weird: spontaneous_FIN
+964800782.829843 weird: spontaneous_FIN
+964800782.829997 weird: spontaneous_FIN
+964800782.830222 weird: spontaneous_FIN
+964800782.830406 weird: spontaneous_FIN
+964800782.830538 weird: spontaneous_FIN
+964800782.830657 weird: spontaneous_FIN
+964800782.906302 weird: spontaneous_FIN
+964800782.906375 weird: spontaneous_FIN
+964800782.906442 weird: spontaneous_FIN
+964800782.906510 weird: spontaneous_FIN
+964800782.906577 weird: spontaneous_FIN
+964800782.906646 weird: spontaneous_FIN
+964800782.906717 weird: spontaneous_FIN
+964800782.906783 weird: spontaneous_FIN
+964800782.906849 weird: spontaneous_FIN
+964800782.906915 weird: spontaneous_FIN
+964800782.906981 weird: spontaneous_FIN
+964800782.986277 weird: spontaneous_FIN
+964800782.986351 weird: spontaneous_FIN
+964800782.986419 weird: spontaneous_FIN
+964800782.986487 weird: spontaneous_FIN
+964800782.986558 weird: spontaneous_FIN
+964800782.986627 weird: spontaneous_FIN
+964800782.986700 weird: spontaneous_FIN
+964800782.986770 weird: spontaneous_FIN
+964800782.986837 weird: spontaneous_FIN
+964800782.986907 weird: spontaneous_FIN
+964800782.986973 weird: spontaneous_FIN
+964800783.066284 weird: spontaneous_FIN
+964800783.066357 weird: spontaneous_FIN
+964800783.066423 weird: spontaneous_FIN
+964800783.066490 weird: spontaneous_FIN
+964800783.066555 weird: spontaneous_FIN
+964800783.066624 weird: spontaneous_FIN
+964800783.066692 weird: spontaneous_FIN
+964800783.066758 weird: spontaneous_FIN
+964800783.066824 weird: spontaneous_FIN
+964800783.066889 weird: spontaneous_FIN
+964800783.066952 weird: spontaneous_FIN
+964800783.156274 weird: spontaneous_FIN
+964800783.156348 weird: spontaneous_FIN
+964800783.156416 weird: spontaneous_FIN
+964800783.156482 weird: spontaneous_FIN
+964800783.156551 weird: spontaneous_FIN
+964800783.156619 weird: spontaneous_FIN
+964800783.156690 weird: spontaneous_FIN
+964800783.156761 weird: spontaneous_FIN
+964800783.156829 weird: spontaneous_FIN
+964800783.156897 weird: spontaneous_FIN
+964800783.156965 weird: spontaneous_FIN
+964800783.233842 weird: spontaneous_FIN
+964800783.233912 weird: spontaneous_FIN
+964800783.233978 weird: spontaneous_FIN
+964800783.234045 weird: spontaneous_FIN
+964800783.234112 weird: spontaneous_FIN
+964800783.234211 weird: spontaneous_FIN
+964800783.234311 weird: spontaneous_FIN
+964800783.234377 weird: spontaneous_FIN
+964800783.234444 weird: spontaneous_FIN
+964800783.234547 weird: spontaneous_FIN
+964800783.234620 weird: spontaneous_FIN
+964800783.316281 weird: spontaneous_FIN
+964800783.316358 weird: spontaneous_FIN
+964800783.316426 weird: spontaneous_FIN
+964800783.316495 weird: spontaneous_FIN
+964800783.316564 weird: spontaneous_FIN
+964800783.316634 weird: spontaneous_FIN
+964800783.316702 weird: spontaneous_FIN
+964800783.316774 weird: spontaneous_FIN
+964800783.316845 weird: spontaneous_FIN
+964800783.316919 weird: spontaneous_FIN
+964800783.316988 weird: spontaneous_FIN
+964800783.396289 weird: spontaneous_FIN
+964800783.396361 weird: spontaneous_FIN
+964800783.396430 weird: spontaneous_FIN
+964800783.396495 weird: spontaneous_FIN
+964800783.396559 weird: spontaneous_FIN
+964800783.396628 weird: spontaneous_FIN
+964800783.396696 weird: spontaneous_FIN
+964800783.396763 weird: spontaneous_FIN
+964800783.396825 weird: spontaneous_FIN
+964800783.396892 weird: spontaneous_FIN
+964800783.396959 weird: spontaneous_FIN
+964800783.479586 weird: spontaneous_FIN
+964800783.479661 weird: spontaneous_FIN
+964800783.479730 weird: spontaneous_FIN
+964800783.479799 weird: spontaneous_FIN
+964800783.479868 weird: spontaneous_FIN
+964800783.479938 weird: spontaneous_FIN
+964800783.480007 weird: spontaneous_FIN
+964800783.480076 weird: spontaneous_FIN
+964800783.480147 weird: spontaneous_FIN
+964800783.480220 weird: spontaneous_FIN
+964800783.480290 weird: spontaneous_FIN
+964800783.556335 weird: spontaneous_FIN
+964800783.556410 weird: spontaneous_FIN
+964800783.556478 weird: spontaneous_FIN
+964800783.556588 weird: spontaneous_FIN
+964800783.556657 weird: spontaneous_FIN
+964800783.556721 weird: spontaneous_FIN
+964800783.556832 weird: spontaneous_FIN
+964800783.556907 weird: spontaneous_FIN
+964800783.556970 weird: spontaneous_FIN
+964800783.557034 weird: spontaneous_FIN
+964800783.557141 weird: spontaneous_FIN
+964800783.636282 weird: spontaneous_FIN
+964800783.636355 weird: spontaneous_FIN
+964800783.636423 weird: spontaneous_FIN
+964800783.636495 weird: spontaneous_FIN
+964800783.636564 weird: spontaneous_FIN
+964800783.636634 weird: spontaneous_FIN
+964800783.636705 weird: spontaneous_FIN
+964800783.636773 weird: spontaneous_FIN
+964800783.636840 weird: spontaneous_FIN
+964800783.636909 weird: spontaneous_FIN
+964800783.636980 weird: spontaneous_FIN
+964800783.716293 weird: spontaneous_FIN
+964800783.716369 weird: spontaneous_FIN
+964800783.716434 weird: spontaneous_FIN
+964800783.716499 weird: spontaneous_FIN
+964800783.716563 weird: spontaneous_FIN
+964800783.716630 weird: spontaneous_FIN
+964800783.716697 weird: spontaneous_FIN
+964800783.716764 weird: spontaneous_FIN
+964800783.716827 weird: spontaneous_FIN
+964800783.716889 weird: spontaneous_FIN
+964800783.716954 weird: spontaneous_FIN
+964800783.806284 weird: spontaneous_FIN
+964800783.806359 weird: spontaneous_FIN
+964800783.806427 weird: spontaneous_FIN
+964800783.806498 weird: spontaneous_FIN
+964800783.806566 weird: spontaneous_FIN
+964800783.806634 weird: spontaneous_FIN
+964800783.806705 weird: spontaneous_FIN
+964800783.806772 weird: spontaneous_FIN
+964800783.806840 weird: spontaneous_FIN
+964800783.806908 weird: spontaneous_FIN
+964800783.806977 weird: spontaneous_FIN
+964800783.886342 weird: spontaneous_FIN
+964800783.886424 weird: spontaneous_FIN
+964800783.886525 weird: spontaneous_FIN
+964800783.886598 weird: spontaneous_FIN
+964800783.886667 weird: spontaneous_FIN
+964800783.886732 weird: spontaneous_FIN
+964800783.886834 weird: spontaneous_FIN
+964800783.886902 weird: spontaneous_FIN
+964800783.886967 weird: spontaneous_FIN
+964800783.887044 weird: spontaneous_FIN
+964800783.887145 weird: spontaneous_FIN
+964800783.966284 weird: spontaneous_FIN
+964800783.966357 weird: spontaneous_FIN
+964800783.966432 weird: spontaneous_FIN
+964800783.966503 weird: spontaneous_FIN
+964800783.966572 weird: spontaneous_FIN
+964800783.966639 weird: spontaneous_FIN
+964800783.966707 weird: spontaneous_FIN
+964800783.966778 weird: spontaneous_FIN
+964800783.966846 weird: spontaneous_FIN
+964800783.966919 weird: spontaneous_FIN
+964800783.966990 weird: spontaneous_FIN
+964800784.055283 weird: spontaneous_FIN
+964800784.055356 weird: spontaneous_FIN
+964800784.055421 weird: spontaneous_FIN
+964800784.055486 weird: spontaneous_FIN
+964800784.055550 weird: spontaneous_FIN
+964800784.055613 weird: spontaneous_FIN
+964800784.055678 weird: spontaneous_FIN
+964800784.055746 weird: spontaneous_FIN
+964800784.055809 weird: spontaneous_FIN
+964800784.055877 weird: spontaneous_FIN
+964800784.055945 weird: spontaneous_FIN
+964800784.146283 weird: spontaneous_FIN
+964800784.146357 weird: spontaneous_FIN
+964800784.146430 weird: spontaneous_FIN
+964800784.146500 weird: spontaneous_FIN
+964800784.146570 weird: spontaneous_FIN
+964800784.146637 weird: spontaneous_FIN
+964800784.146704 weird: spontaneous_FIN
+964800784.146771 weird: spontaneous_FIN
+964800784.146838 weird: spontaneous_FIN
+964800784.146906 weird: spontaneous_FIN
+964800784.146975 weird: spontaneous_FIN
+964800784.228270 weird: spontaneous_FIN
+964800784.228434 weird: spontaneous_FIN
+964800784.228573 weird: spontaneous_FIN
+964800784.228710 weird: spontaneous_FIN
+964800784.228851 weird: spontaneous_FIN
+964800784.229035 weird: spontaneous_FIN
+964800784.229241 weird: spontaneous_FIN
+964800784.229395 weird: spontaneous_FIN
+964800784.229546 weird: spontaneous_FIN
+964800784.229619 weird: spontaneous_FIN
+964800784.229687 weird: spontaneous_FIN
+964800784.306298 weird: spontaneous_FIN
+964800784.306373 weird: spontaneous_FIN
+964800784.306443 weird: spontaneous_FIN
+964800784.306511 weird: spontaneous_FIN
+964800784.306578 weird: spontaneous_FIN
+964800784.306644 weird: spontaneous_FIN
+964800784.306715 weird: spontaneous_FIN
+964800784.306788 weird: spontaneous_FIN
+964800784.306851 weird: spontaneous_FIN
+964800784.306918 weird: spontaneous_FIN
+964800784.306991 weird: spontaneous_FIN
+964800784.396293 weird: spontaneous_FIN
+964800784.396364 weird: spontaneous_FIN
+964800784.396429 weird: spontaneous_FIN
+964800784.396493 weird: spontaneous_FIN
+964800784.396557 weird: spontaneous_FIN
+964800784.396623 weird: spontaneous_FIN
+964800784.396687 weird: spontaneous_FIN
+964800784.396753 weird: spontaneous_FIN
+964800784.396817 weird: spontaneous_FIN
+964800784.396883 weird: spontaneous_FIN
+964800784.396949 weird: spontaneous_FIN
+964800784.486286 weird: spontaneous_FIN
+964800784.486360 weird: spontaneous_FIN
+964800784.486430 weird: spontaneous_FIN
+964800784.486497 weird: spontaneous_FIN
+964800784.486565 weird: spontaneous_FIN
+964800784.486634 weird: spontaneous_FIN
+964800784.486746 weird: spontaneous_FIN
+964800784.486816 weird: spontaneous_FIN
+964800784.486886 weird: spontaneous_FIN
+964800784.486957 weird: spontaneous_FIN
+964800784.487027 weird: spontaneous_FIN
+964800784.576301 weird: spontaneous_FIN
+964800784.576374 weird: spontaneous_FIN
+964800784.576442 weird: spontaneous_FIN
+964800784.576513 weird: spontaneous_FIN
+964800784.576578 weird: spontaneous_FIN
+964800784.576646 weird: spontaneous_FIN
+964800784.576714 weird: spontaneous_FIN
+964800784.576780 weird: spontaneous_FIN
+964800784.576851 weird: spontaneous_FIN
+964800784.576919 weird: spontaneous_FIN
+964800784.576987 weird: spontaneous_FIN
+964800784.666291 weird: spontaneous_FIN
+964800784.666367 weird: spontaneous_FIN
+964800784.666438 weird: spontaneous_FIN
+964800784.666508 weird: spontaneous_FIN
+964800784.666578 weird: spontaneous_FIN
+964800784.666650 weird: spontaneous_FIN
+964800784.666720 weird: spontaneous_FIN
+964800784.666790 weird: spontaneous_FIN
+964800784.666863 weird: spontaneous_FIN
+964800784.666934 weird: spontaneous_FIN
+964800784.667010 weird: spontaneous_FIN
+964800784.756307 weird: spontaneous_FIN
+964800784.756381 weird: spontaneous_FIN
+964800784.756448 weird: spontaneous_FIN
+964800784.756517 weird: spontaneous_FIN
+964800784.756584 weird: spontaneous_FIN
+964800784.756651 weird: spontaneous_FIN
+964800784.756717 weird: spontaneous_FIN
+964800784.756781 weird: spontaneous_FIN
+964800784.756850 weird: spontaneous_FIN
+964800784.756916 weird: spontaneous_FIN
+964800784.756983 weird: spontaneous_FIN
+964800784.836465 weird: spontaneous_FIN
+964800784.836548 weird: spontaneous_FIN
+964800784.836619 weird: spontaneous_FIN
+964800784.836689 weird: spontaneous_FIN
+964800784.836758 weird: spontaneous_FIN
+964800784.836828 weird: spontaneous_FIN
+964800784.836898 weird: spontaneous_FIN
+964800784.836968 weird: spontaneous_FIN
+964800784.837040 weird: spontaneous_FIN
+964800784.837111 weird: spontaneous_FIN
+964800784.837184 weird: spontaneous_FIN
+964800784.916361 weird: spontaneous_FIN
+964800784.916431 weird: spontaneous_FIN
+964800784.916556 weird: spontaneous_FIN
+964800784.916627 weird: spontaneous_FIN
+964800784.916692 weird: spontaneous_FIN
+964800784.916759 weird: spontaneous_FIN
+964800784.916866 weird: spontaneous_FIN
+964800784.916935 weird: spontaneous_FIN
+964800784.917001 weird: spontaneous_FIN
+964800784.917099 weird: spontaneous_FIN
+964800784.917192 weird: spontaneous_FIN
+964800785.006289 weird: spontaneous_FIN
+964800785.006363 weird: spontaneous_FIN
+964800785.006431 weird: spontaneous_FIN
+964800785.006501 weird: spontaneous_FIN
+964800785.006571 weird: spontaneous_FIN
+964800785.006642 weird: spontaneous_FIN
+964800785.006713 weird: spontaneous_FIN
+964800785.006783 weird: spontaneous_FIN
+964800785.006853 weird: spontaneous_FIN
+964800785.006922 weird: spontaneous_FIN
+964800785.006993 weird: spontaneous_FIN
+964800785.096299 weird: spontaneous_FIN
+964800785.096368 weird: spontaneous_FIN
+964800785.096435 weird: spontaneous_FIN
+964800785.096502 weird: spontaneous_FIN
+964800785.096569 weird: spontaneous_FIN
+964800785.096633 weird: spontaneous_FIN
+964800785.096698 weird: spontaneous_FIN
+964800785.096765 weird: spontaneous_FIN
+964800785.096831 weird: spontaneous_FIN
+964800785.096896 weird: spontaneous_FIN
+964800785.096967 weird: spontaneous_FIN
+964800785.186289 weird: spontaneous_FIN
+964800785.186362 weird: spontaneous_FIN
+964800785.186430 weird: spontaneous_FIN
+964800785.186500 weird: spontaneous_FIN
+964800785.186570 weird: spontaneous_FIN
+964800785.186640 weird: spontaneous_FIN
+964800785.186711 weird: spontaneous_FIN
+964800785.186781 weird: spontaneous_FIN
+964800785.186849 weird: spontaneous_FIN
+964800785.186919 weird: spontaneous_FIN
+964800785.186990 weird: spontaneous_FIN
+964800785.266309 weird: spontaneous_FIN
+964800785.266380 weird: spontaneous_FIN
+964800785.266447 weird: spontaneous_FIN
+964800785.266515 weird: spontaneous_FIN
+964800785.266585 weird: spontaneous_FIN
+964800785.266654 weird: spontaneous_FIN
+964800785.266720 weird: spontaneous_FIN
+964800785.266789 weird: spontaneous_FIN
+964800785.266856 weird: spontaneous_FIN
+964800785.266921 weird: spontaneous_FIN
+964800785.266986 weird: spontaneous_FIN
+964800785.356289 weird: spontaneous_FIN
+964800785.356363 weird: spontaneous_FIN
+964800785.356433 weird: spontaneous_FIN
+964800785.356503 weird: spontaneous_FIN
+964800785.356572 weird: spontaneous_FIN
+964800785.356644 weird: spontaneous_FIN
+964800785.356715 weird: spontaneous_FIN
+964800785.356785 weird: spontaneous_FIN
+964800785.356853 weird: spontaneous_FIN
+964800785.356924 weird: spontaneous_FIN
+964800785.356993 weird: spontaneous_FIN
+964800785.446305 weird: spontaneous_FIN
+964800785.446377 weird: spontaneous_FIN
+964800785.446443 weird: spontaneous_FIN
+964800785.446510 weird: spontaneous_FIN
+964800785.446574 weird: spontaneous_FIN
+964800785.446641 weird: spontaneous_FIN
+964800785.446707 weird: spontaneous_FIN
+964800785.446774 weird: spontaneous_FIN
+964800785.446841 weird: spontaneous_FIN
+964800785.446911 weird: spontaneous_FIN
+964800785.446976 weird: spontaneous_FIN
+964800785.536292 weird: spontaneous_FIN
+964800785.536368 weird: spontaneous_FIN
+964800785.536437 weird: spontaneous_FIN
+964800785.536508 weird: spontaneous_FIN
+964800785.536578 weird: spontaneous_FIN
+964800785.536649 weird: spontaneous_FIN
+964800785.536720 weird: spontaneous_FIN
+964800785.536791 weird: spontaneous_FIN
+964800785.536861 weird: spontaneous_FIN
+964800785.536929 weird: spontaneous_FIN
+964800785.536999 weird: spontaneous_FIN
+964800785.616421 weird: spontaneous_FIN
+964800785.616491 weird: spontaneous_FIN
+964800785.616587 weird: spontaneous_FIN
+964800785.616680 weird: spontaneous_FIN
+964800785.616746 weird: spontaneous_FIN
+964800785.616811 weird: spontaneous_FIN
+964800785.616928 weird: spontaneous_FIN
+964800785.617001 weird: spontaneous_FIN
+964800785.617070 weird: spontaneous_FIN
+964800785.617148 weird: spontaneous_FIN
+964800785.617254 weird: spontaneous_FIN
+964800785.706299 weird: spontaneous_FIN
+964800785.706378 weird: spontaneous_FIN
+964800785.706448 weird: spontaneous_FIN
+964800785.706520 weird: spontaneous_FIN
+964800785.706590 weird: spontaneous_FIN
+964800785.706660 weird: spontaneous_FIN
+964800785.706728 weird: spontaneous_FIN
+964800785.706800 weird: spontaneous_FIN
+964800785.706878 weird: spontaneous_FIN
+964800785.706955 weird: spontaneous_FIN
+964800785.707035 weird: spontaneous_FIN
+964800785.786314 weird: spontaneous_FIN
+964800785.786386 weird: spontaneous_FIN
+964800785.786451 weird: spontaneous_FIN
+964800785.786517 weird: spontaneous_FIN
+964800785.786584 weird: spontaneous_FIN
+964800785.786647 weird: spontaneous_FIN
+964800785.786713 weird: spontaneous_FIN
+964800785.786780 weird: spontaneous_FIN
+964800785.786844 weird: spontaneous_FIN
+964800785.786909 weird: spontaneous_FIN
+964800785.786973 weird: spontaneous_FIN
+964800785.871860 weird: spontaneous_FIN
+964800785.871933 weird: spontaneous_FIN
+964800785.872003 weird: spontaneous_FIN
+964800785.872070 weird: spontaneous_FIN
+964800785.872137 weird: spontaneous_FIN
+964800785.872203 weird: spontaneous_FIN
+964800785.872272 weird: spontaneous_FIN
+964800785.872340 weird: spontaneous_FIN
+964800785.872408 weird: spontaneous_FIN
+964800785.872479 weird: spontaneous_FIN
+964800785.872548 weird: spontaneous_FIN
+964800785.966307 weird: spontaneous_FIN
+964800785.966378 weird: spontaneous_FIN
+964800785.966442 weird: spontaneous_FIN
+964800785.966511 weird: spontaneous_FIN
+964800785.966577 weird: spontaneous_FIN
+964800785.966639 weird: spontaneous_FIN
+964800785.966705 weird: spontaneous_FIN
+964800785.966772 weird: spontaneous_FIN
+964800785.966835 weird: spontaneous_FIN
+964800785.966903 weird: spontaneous_FIN
+964800785.966971 weird: spontaneous_FIN
+964800786.056298 weird: spontaneous_FIN
+964800786.056372 weird: spontaneous_FIN
+964800786.056442 weird: spontaneous_FIN
+964800786.056511 weird: spontaneous_FIN
+964800786.056580 weird: spontaneous_FIN
+964800786.056646 weird: spontaneous_FIN
+964800786.056713 weird: spontaneous_FIN
+964800786.056781 weird: spontaneous_FIN
+964800786.056851 weird: spontaneous_FIN
+964800786.056920 weird: spontaneous_FIN
+964800786.056989 weird: spontaneous_FIN
+964800786.143796 weird: spontaneous_FIN
+964800786.143867 weird: spontaneous_FIN
+964800786.143930 weird: spontaneous_FIN
+964800786.144001 weird: spontaneous_FIN
+964800786.144068 weird: spontaneous_FIN
+964800786.144131 weird: spontaneous_FIN
+964800786.144198 weird: spontaneous_FIN
+964800786.144262 weird: spontaneous_FIN
+964800786.144327 weird: spontaneous_FIN
+964800786.144394 weird: spontaneous_FIN
+964800786.144457 weird: spontaneous_FIN
+964800786.226297 weird: spontaneous_FIN
+964800786.226369 weird: spontaneous_FIN
+964800786.226438 weird: spontaneous_FIN
+964800786.226508 weird: spontaneous_FIN
+964800786.226576 weird: spontaneous_FIN
+964800786.226643 weird: spontaneous_FIN
+964800786.226709 weird: spontaneous_FIN
+964800786.226778 weird: spontaneous_FIN
+964800786.226846 weird: spontaneous_FIN
+964800786.226917 weird: spontaneous_FIN
+964800786.226991 weird: spontaneous_FIN
+964800786.306516 weird: spontaneous_FIN
+964800786.306586 weird: spontaneous_FIN
+964800786.306684 weird: spontaneous_FIN
+964800786.306777 weird: spontaneous_FIN
+964800786.306840 weird: spontaneous_FIN
+964800786.306912 weird: spontaneous_FIN
+964800786.307015 weird: spontaneous_FIN
+964800786.307083 weird: spontaneous_FIN
+964800786.307150 weird: spontaneous_FIN
+964800786.307212 weird: spontaneous_FIN
+964800786.307316 weird: spontaneous_FIN
+964800786.386297 weird: spontaneous_FIN
+964800786.386371 weird: spontaneous_FIN
+964800786.386439 weird: spontaneous_FIN
+964800786.386508 weird: spontaneous_FIN
+964800786.386575 weird: spontaneous_FIN
+964800786.386645 weird: spontaneous_FIN
+964800786.386713 weird: spontaneous_FIN
+964800786.386786 weird: spontaneous_FIN
+964800786.386855 weird: spontaneous_FIN
+964800786.386922 weird: spontaneous_FIN
+964800786.386990 weird: spontaneous_FIN
+964800786.466309 weird: spontaneous_FIN
+964800786.466378 weird: spontaneous_FIN
+964800786.466443 weird: spontaneous_FIN
+964800786.466512 weird: spontaneous_FIN
+964800786.466576 weird: spontaneous_FIN
+964800786.466642 weird: spontaneous_FIN
+964800786.466710 weird: spontaneous_FIN
+964800786.466776 weird: spontaneous_FIN
+964800786.466840 weird: spontaneous_FIN
+964800786.466905 weird: spontaneous_FIN
+964800786.466970 weird: spontaneous_FIN
+964800786.549056 weird: spontaneous_FIN
+964800786.549174 weird: spontaneous_FIN
+964800786.549191 weird: spontaneous_FIN
+964800786.549252 weird: spontaneous_FIN
+964800786.549318 weird: spontaneous_FIN
+964800786.549387 weird: spontaneous_FIN
+964800786.549455 weird: spontaneous_FIN
+964800786.549521 weird: spontaneous_FIN
+964800786.549590 weird: spontaneous_FIN
+964800786.549658 weird: spontaneous_FIN
+964800786.549729 weird: spontaneous_FIN
+964800786.636315 weird: spontaneous_FIN
+964800786.636385 weird: spontaneous_FIN
+964800786.636452 weird: spontaneous_FIN
+964800786.636519 weird: spontaneous_FIN
+964800786.636584 weird: spontaneous_FIN
+964800786.636650 weird: spontaneous_FIN
+964800786.636716 weird: spontaneous_FIN
+964800786.636784 weird: spontaneous_FIN
+964800786.636850 weird: spontaneous_FIN
+964800786.636915 weird: spontaneous_FIN
+964800786.636980 weird: spontaneous_FIN
+964800786.726302 weird: spontaneous_FIN
+964800786.726376 weird: spontaneous_FIN
+964800786.726444 weird: spontaneous_FIN
+964800786.726511 weird: spontaneous_FIN
+964800786.726581 weird: spontaneous_FIN
+964800786.726653 weird: spontaneous_FIN
+964800786.726722 weird: spontaneous_FIN
+964800786.726788 weird: spontaneous_FIN
+964800786.726857 weird: spontaneous_FIN
+964800786.726926 weird: spontaneous_FIN
+964800786.726996 weird: spontaneous_FIN
+964800786.806315 weird: spontaneous_FIN
+964800786.806386 weird: spontaneous_FIN
+964800786.806450 weird: spontaneous_FIN
+964800786.806514 weird: spontaneous_FIN
+964800786.806580 weird: spontaneous_FIN
+964800786.806646 weird: spontaneous_FIN
+964800786.806713 weird: spontaneous_FIN
+964800786.806780 weird: spontaneous_FIN
+964800786.806843 weird: spontaneous_FIN
+964800786.806910 weird: spontaneous_FIN
+964800786.806973 weird: spontaneous_FIN
+964800786.886301 weird: spontaneous_FIN
+964800786.897796 weird: spontaneous_FIN
+964800786.897875 weird: spontaneous_FIN
+964800786.897946 weird: spontaneous_FIN
+964800786.898016 weird: spontaneous_FIN
+964800786.898089 weird: spontaneous_FIN
+964800786.898156 weird: spontaneous_FIN
+964800786.898223 weird: spontaneous_FIN
+964800786.898291 weird: spontaneous_FIN
+964800786.898359 weird: spontaneous_FIN
+964800786.898429 weird: spontaneous_FIN
+964800786.976348 weird: spontaneous_FIN
+964800786.976419 weird: spontaneous_FIN
+964800786.976531 weird: spontaneous_FIN
+964800786.976610 weird: spontaneous_FIN
+964800786.976678 weird: spontaneous_FIN
+964800786.976745 weird: spontaneous_FIN
+964800786.976853 weird: spontaneous_FIN
+964800786.976921 weird: spontaneous_FIN
+964800786.976986 weird: spontaneous_FIN
+964800786.977053 weird: spontaneous_FIN
+964800786.977156 weird: spontaneous_FIN
+964800787.066305 weird: spontaneous_FIN
+964800787.066381 weird: spontaneous_FIN
+964800787.066450 weird: spontaneous_FIN
+964800787.066515 weird: spontaneous_FIN
+964800787.066583 weird: spontaneous_FIN
+964800787.066649 weird: spontaneous_FIN
+964800787.066717 weird: spontaneous_FIN
+964800787.066783 weird: spontaneous_FIN
+964800787.066852 weird: spontaneous_FIN
+964800787.066920 weird: spontaneous_FIN
+964800787.066988 weird: spontaneous_FIN
+964800787.156310 weird: spontaneous_FIN
+964800787.156381 weird: spontaneous_FIN
+964800787.156444 weird: spontaneous_FIN
+964800787.156511 weird: spontaneous_FIN
+964800787.156577 weird: spontaneous_FIN
+964800787.156641 weird: spontaneous_FIN
+964800787.156704 weird: spontaneous_FIN
+964800787.156770 weird: spontaneous_FIN
+964800787.156834 weird: spontaneous_FIN
+964800787.156901 weird: spontaneous_FIN
+964800787.156968 weird: spontaneous_FIN
+964800787.239169 weird: spontaneous_FIN
+964800787.239243 weird: spontaneous_FIN
+964800787.239313 weird: spontaneous_FIN
+964800787.239377 weird: spontaneous_FIN
+964800787.239446 weird: spontaneous_FIN
+964800787.239512 weird: spontaneous_FIN
+964800787.239577 weird: spontaneous_FIN
+964800787.239647 weird: spontaneous_FIN
+964800787.239715 weird: spontaneous_FIN
+964800787.239783 weird: spontaneous_FIN
+964800787.239851 weird: spontaneous_FIN
+964800787.327141 weird: spontaneous_FIN
+964800787.327220 weird: spontaneous_FIN
+964800787.327430 weird: spontaneous_FIN
+964800787.328936 weird: spontaneous_FIN
+964800787.330345 weird: spontaneous_FIN
+964800787.330430 weird: spontaneous_FIN
+964800787.330497 weird: spontaneous_FIN
+964800787.330566 weird: spontaneous_FIN
+964800787.330633 weird: spontaneous_FIN
+964800787.330703 weird: spontaneous_FIN
+964800787.330771 weird: spontaneous_FIN
+964800787.406299 weird: spontaneous_FIN
+964800787.406375 weird: spontaneous_FIN
+964800787.406446 weird: spontaneous_FIN
+964800787.406513 weird: spontaneous_FIN
+964800787.406583 weird: spontaneous_FIN
+964800787.406650 weird: spontaneous_FIN
+964800787.406720 weird: spontaneous_FIN
+964800787.406788 weird: spontaneous_FIN
+964800787.406857 weird: spontaneous_FIN
+964800787.406925 weird: spontaneous_FIN
+964800787.406992 weird: spontaneous_FIN
+964800787.486315 weird: spontaneous_FIN
+964800787.486388 weird: spontaneous_FIN
+964800787.486456 weird: spontaneous_FIN
+964800787.486524 weird: spontaneous_FIN
+964800787.486592 weird: spontaneous_FIN
+964800787.486659 weird: spontaneous_FIN
+964800787.486724 weird: spontaneous_FIN
+964800787.486792 weird: spontaneous_FIN
+964800787.486859 weird: spontaneous_FIN
+964800787.486928 weird: spontaneous_FIN
+964800787.486997 weird: spontaneous_FIN
+964800787.566309 weird: spontaneous_FIN
+964800787.566388 weird: spontaneous_FIN
+964800787.566460 weird: spontaneous_FIN
+964800787.566530 weird: spontaneous_FIN
+964800787.566599 weird: spontaneous_FIN
+964800787.566667 weird: spontaneous_FIN
+964800787.566736 weird: spontaneous_FIN
+964800787.566806 weird: spontaneous_FIN
+964800787.566876 weird: spontaneous_FIN
+964800787.566947 weird: spontaneous_FIN
+964800787.567017 weird: spontaneous_FIN
+964800787.648324 weird: spontaneous_FIN
+964800787.648482 weird: spontaneous_FIN
+964800787.648556 weird: spontaneous_FIN
+964800787.648624 weird: spontaneous_FIN
+964800787.648690 weird: spontaneous_FIN
+964800787.648759 weird: spontaneous_FIN
+964800787.648827 weird: spontaneous_FIN
+964800787.648895 weird: spontaneous_FIN
+964800787.648964 weird: spontaneous_FIN
+964800787.649038 weird: spontaneous_FIN
+964800787.649108 weird: spontaneous_FIN
+964800787.726308 weird: spontaneous_FIN
+964800787.726386 weird: spontaneous_FIN
+964800787.726457 weird: spontaneous_FIN
+964800787.726529 weird: spontaneous_FIN
+964800787.726598 weird: spontaneous_FIN
+964800787.726665 weird: spontaneous_FIN
+964800787.726735 weird: spontaneous_FIN
+964800787.726805 weird: spontaneous_FIN
+964800787.726874 weird: spontaneous_FIN
+964800787.726941 weird: spontaneous_FIN
+964800787.727007 weird: spontaneous_FIN
+964800787.816315 weird: spontaneous_FIN
+964800787.816385 weird: spontaneous_FIN
+964800787.816450 weird: spontaneous_FIN
+964800787.816518 weird: spontaneous_FIN
+964800787.816582 weird: spontaneous_FIN
+964800787.816647 weird: spontaneous_FIN
+964800787.816710 weird: spontaneous_FIN
+964800787.816777 weird: spontaneous_FIN
+964800787.816843 weird: spontaneous_FIN
+964800787.816914 weird: spontaneous_FIN
+964800787.816981 weird: spontaneous_FIN
+964800787.896298 weird: spontaneous_FIN
+964800787.896373 weird: spontaneous_FIN
+964800787.896445 weird: spontaneous_FIN
+964800787.896513 weird: spontaneous_FIN
+964800787.896583 weird: spontaneous_FIN
+964800787.896651 weird: spontaneous_FIN
+964800787.896719 weird: spontaneous_FIN
+964800787.896786 weird: spontaneous_FIN
+964800787.896855 weird: spontaneous_FIN
+964800787.896921 weird: spontaneous_FIN
+964800787.896986 weird: spontaneous_FIN
+964800787.978292 weird: spontaneous_FIN
+964800787.978429 weird: spontaneous_FIN
+964800787.978758 weird: spontaneous_FIN
+964800787.979257 weird: spontaneous_FIN
+964800787.979420 weird: spontaneous_FIN
+964800787.979584 weird: spontaneous_FIN
+964800787.979746 weird: spontaneous_FIN
+964800787.979751 weird: spontaneous_FIN
+964800787.979915 weird: spontaneous_FIN
+964800787.980078 weird: spontaneous_FIN
+964800787.980242 weird: spontaneous_FIN
+964800788.066307 weird: spontaneous_FIN
+964800788.066378 weird: spontaneous_FIN
+964800788.066445 weird: spontaneous_FIN
+964800788.066512 weird: spontaneous_FIN
+964800788.066579 weird: spontaneous_FIN
+964800788.066647 weird: spontaneous_FIN
+964800788.066714 weird: spontaneous_FIN
+964800788.066782 weird: spontaneous_FIN
+964800788.066851 weird: spontaneous_FIN
+964800788.066919 weird: spontaneous_FIN
+964800788.066987 weird: spontaneous_FIN
+964800788.146315 weird: spontaneous_FIN
+964800788.146384 weird: spontaneous_FIN
+964800788.146450 weird: spontaneous_FIN
+964800788.146516 weird: spontaneous_FIN
+964800788.146581 weird: spontaneous_FIN
+964800788.146648 weird: spontaneous_FIN
+964800788.146712 weird: spontaneous_FIN
+964800788.146779 weird: spontaneous_FIN
+964800788.146845 weird: spontaneous_FIN
+964800788.146910 weird: spontaneous_FIN
+964800788.146974 weird: spontaneous_FIN
+964800788.226307 weird: spontaneous_FIN
+964800788.226380 weird: spontaneous_FIN
+964800788.226445 weird: spontaneous_FIN
+964800788.226513 weird: spontaneous_FIN
+964800788.226584 weird: spontaneous_FIN
+964800788.226654 weird: spontaneous_FIN
+964800788.226722 weird: spontaneous_FIN
+964800788.226791 weird: spontaneous_FIN
+964800788.226861 weird: spontaneous_FIN
+964800788.226931 weird: spontaneous_FIN
+964800788.226995 weird: spontaneous_FIN
+964800788.308461 weird: spontaneous_FIN
+964800788.308661 weird: spontaneous_FIN
+964800788.308836 weird: spontaneous_FIN
+964800788.308965 weird: spontaneous_FIN
+964800788.309105 weird: spontaneous_FIN
+964800788.309256 weird: spontaneous_FIN
+964800788.309431 weird: spontaneous_FIN
+964800788.309631 weird: spontaneous_FIN
+964800788.309839 weird: spontaneous_FIN
+964800788.309960 weird: spontaneous_FIN
+964800788.310030 weird: spontaneous_FIN
+964800788.386313 weird: spontaneous_FIN
+964800788.386396 weird: spontaneous_FIN
+964800788.386466 weird: spontaneous_FIN
+964800788.386534 weird: spontaneous_FIN
+964800788.386602 weird: spontaneous_FIN
+964800788.386670 weird: spontaneous_FIN
+964800788.386741 weird: spontaneous_FIN
+964800788.386812 weird: spontaneous_FIN
+964800788.386882 weird: spontaneous_FIN
+964800788.386950 weird: spontaneous_FIN
+964800788.387024 weird: spontaneous_FIN
+964800788.476327 weird: spontaneous_FIN
+964800788.476399 weird: spontaneous_FIN
+964800788.476464 weird: spontaneous_FIN
+964800788.476531 weird: spontaneous_FIN
+964800788.476600 weird: spontaneous_FIN
+964800788.476662 weird: spontaneous_FIN
+964800788.476728 weird: spontaneous_FIN
+964800788.476795 weird: spontaneous_FIN
+964800788.476860 weird: spontaneous_FIN
+964800788.476930 weird: spontaneous_FIN
+964800788.476997 weird: spontaneous_FIN
+964800788.556312 weird: spontaneous_FIN
+964800788.556389 weird: spontaneous_FIN
+964800788.556455 weird: spontaneous_FIN
+964800788.556525 weird: spontaneous_FIN
+964800788.556591 weird: spontaneous_FIN
+964800788.556658 weird: spontaneous_FIN
+964800788.556731 weird: spontaneous_FIN
+964800788.556802 weird: spontaneous_FIN
+964800788.556873 weird: spontaneous_FIN
+964800788.556939 weird: spontaneous_FIN
+964800788.557013 weird: spontaneous_FIN
+964800788.638356 weird: spontaneous_FIN
+964800788.638539 weird: spontaneous_FIN
+964800788.638658 weird: spontaneous_FIN
+964800788.638809 weird: spontaneous_FIN
+964800788.638949 weird: spontaneous_FIN
+964800788.639107 weird: spontaneous_FIN
+964800788.639290 weird: spontaneous_FIN
+964800788.639462 weird: spontaneous_FIN
+964800788.639619 weird: spontaneous_FIN
+964800788.639792 weird: spontaneous_FIN
+964800788.639960 weird: spontaneous_FIN
+964800788.726330 weird: spontaneous_FIN
+964800788.726410 weird: spontaneous_FIN
+964800788.726479 weird: spontaneous_FIN
+964800788.726549 weird: spontaneous_FIN
+964800788.726619 weird: spontaneous_FIN
+964800788.726692 weird: spontaneous_FIN
+964800788.726761 weird: spontaneous_FIN
+964800788.726831 weird: spontaneous_FIN
+964800788.726903 weird: spontaneous_FIN
+964800788.726974 weird: spontaneous_FIN
+964800788.727050 weird: spontaneous_FIN
+964800788.806319 weird: spontaneous_FIN
+964800788.806391 weird: spontaneous_FIN
+964800788.806460 weird: spontaneous_FIN
+964800788.806529 weird: spontaneous_FIN
+964800788.806596 weird: spontaneous_FIN
+964800788.806663 weird: spontaneous_FIN
+964800788.806733 weird: spontaneous_FIN
+964800788.806804 weird: spontaneous_FIN
+964800788.806871 weird: spontaneous_FIN
+964800788.806938 weird: spontaneous_FIN
+964800788.807004 weird: spontaneous_FIN
+964800788.886310 weird: spontaneous_FIN
+964800788.886382 weird: spontaneous_FIN
+964800788.886450 weird: spontaneous_FIN
+964800788.886521 weird: spontaneous_FIN
+964800788.886591 weird: spontaneous_FIN
+964800788.886662 weird: spontaneous_FIN
+964800788.886731 weird: spontaneous_FIN
+964800788.886801 weird: spontaneous_FIN
+964800788.886874 weird: spontaneous_FIN
+964800788.886942 weird: spontaneous_FIN
+964800788.887014 weird: spontaneous_FIN
+964800788.966320 weird: spontaneous_FIN
+964800788.966389 weird: spontaneous_FIN
+964800788.966455 weird: spontaneous_FIN
+964800788.966522 weird: spontaneous_FIN
+964800788.966588 weird: spontaneous_FIN
+964800788.966656 weird: spontaneous_FIN
+964800788.966721 weird: spontaneous_FIN
+964800788.966792 weird: spontaneous_FIN
+964800788.966861 weird: spontaneous_FIN
+964800788.966930 weird: spontaneous_FIN
+964800788.966994 weird: spontaneous_FIN
+964800789.056320 weird: spontaneous_FIN
+964800789.056397 weird: spontaneous_FIN
+964800789.056468 weird: spontaneous_FIN
+964800789.056536 weird: spontaneous_FIN
+964800789.056611 weird: spontaneous_FIN
+964800789.056685 weird: spontaneous_FIN
+964800789.056754 weird: spontaneous_FIN
+964800789.056825 weird: spontaneous_FIN
+964800789.056897 weird: spontaneous_FIN
+964800789.056968 weird: spontaneous_FIN
+964800789.057042 weird: spontaneous_FIN
+964800789.146324 weird: spontaneous_FIN
+964800789.146396 weird: spontaneous_FIN
+964800789.146464 weird: spontaneous_FIN
+964800789.146529 weird: spontaneous_FIN
+964800789.146595 weird: spontaneous_FIN
+964800789.146661 weird: spontaneous_FIN
+964800789.146726 weird: spontaneous_FIN
+964800789.146794 weird: spontaneous_FIN
+964800789.146860 weird: spontaneous_FIN
+964800789.146922 weird: spontaneous_FIN
+964800789.146992 weird: spontaneous_FIN
+964800789.226309 weird: spontaneous_FIN
+964800789.226382 weird: spontaneous_FIN
+964800789.226457 weird: spontaneous_FIN
+964800789.226522 weird: spontaneous_FIN
+964800789.226590 weird: spontaneous_FIN
+964800789.226658 weird: spontaneous_FIN
+964800789.226726 weird: spontaneous_FIN
+964800789.226806 weird: spontaneous_FIN
+964800789.226863 weird: spontaneous_FIN
+964800789.226932 weird: spontaneous_FIN
+964800789.227000 weird: spontaneous_FIN
+964800789.306322 weird: spontaneous_FIN
+964800789.306394 weird: spontaneous_FIN
+964800789.306459 weird: spontaneous_FIN
+964800789.306523 weird: spontaneous_FIN
+964800789.306588 weird: spontaneous_FIN
+964800789.306654 weird: spontaneous_FIN
+964800789.306719 weird: spontaneous_FIN
+964800789.306790 weird: spontaneous_FIN
+964800789.306856 weird: spontaneous_FIN
+964800789.306920 weird: spontaneous_FIN
+964800789.306988 weird: spontaneous_FIN
+964800789.386312 weird: spontaneous_FIN
+964800789.386386 weird: spontaneous_FIN
+964800789.386454 weird: spontaneous_FIN
+964800789.386520 weird: spontaneous_FIN
+964800789.386593 weird: spontaneous_FIN
+964800789.386661 weird: spontaneous_FIN
+964800789.386728 weird: spontaneous_FIN
+964800789.386798 weird: spontaneous_FIN
+964800789.386868 weird: spontaneous_FIN
+964800789.386939 weird: spontaneous_FIN
+964800789.387010 weird: spontaneous_FIN
+964800789.476329 weird: spontaneous_FIN
+964800789.476403 weird: spontaneous_FIN
+964800789.476471 weird: spontaneous_FIN
+964800789.476537 weird: spontaneous_FIN
+964800789.476604 weird: spontaneous_FIN
+964800789.476676 weird: spontaneous_FIN
+964800789.476743 weird: spontaneous_FIN
+964800789.476812 weird: spontaneous_FIN
+964800789.476878 weird: spontaneous_FIN
+964800789.476945 weird: spontaneous_FIN
+964800789.477015 weird: spontaneous_FIN
+964800789.556324 weird: spontaneous_FIN
+964800789.556396 weird: spontaneous_FIN
+964800789.556465 weird: spontaneous_FIN
+964800789.556533 weird: spontaneous_FIN
+964800789.556603 weird: spontaneous_FIN
+964800789.556675 weird: spontaneous_FIN
+964800789.556744 weird: spontaneous_FIN
+964800789.556814 weird: spontaneous_FIN
+964800789.556884 weird: spontaneous_FIN
+964800789.556953 weird: spontaneous_FIN
+964800789.557025 weird: spontaneous_FIN
+964800789.646334 weird: spontaneous_FIN
+964800789.646412 weird: spontaneous_FIN
+964800789.646482 weird: spontaneous_FIN
+964800789.646547 weird: spontaneous_FIN
+964800789.646614 weird: spontaneous_FIN
+964800789.646682 weird: spontaneous_FIN
+964800789.646748 weird: spontaneous_FIN
+964800789.646818 weird: spontaneous_FIN
+964800789.646886 weird: spontaneous_FIN
+964800789.646953 weird: spontaneous_FIN
+964800789.647019 weird: spontaneous_FIN
+964800789.726323 weird: spontaneous_FIN
+964800789.726400 weird: spontaneous_FIN
+964800789.726471 weird: spontaneous_FIN
+964800789.726633 weird: spontaneous_FIN
+964800789.726651 weird: spontaneous_FIN
+964800789.726668 weird: spontaneous_FIN
+964800789.726735 weird: spontaneous_FIN
+964800789.726803 weird: spontaneous_FIN
+964800789.726875 weird: spontaneous_FIN
+964800789.726940 weird: spontaneous_FIN
+964800789.727011 weird: spontaneous_FIN
+964800789.816331 weird: spontaneous_FIN
+964800789.816404 weird: spontaneous_FIN
+964800789.816468 weird: spontaneous_FIN
+964800789.816534 weird: spontaneous_FIN
+964800789.816600 weird: spontaneous_FIN
+964800789.816669 weird: spontaneous_FIN
+964800789.816736 weird: spontaneous_FIN
+964800789.816805 weird: spontaneous_FIN
+964800789.816869 weird: spontaneous_FIN
+964800789.816938 weird: spontaneous_FIN
+964800789.817003 weird: spontaneous_FIN
+964800789.896341 weird: spontaneous_FIN
+964800789.896422 weird: spontaneous_FIN
+964800789.896542 weird: spontaneous_FIN
+964800789.896558 weird: spontaneous_FIN
+964800789.896629 weird: spontaneous_FIN
+964800789.896699 weird: spontaneous_FIN
+964800789.896770 weird: spontaneous_FIN
+964800789.896837 weird: spontaneous_FIN
+964800789.896911 weird: spontaneous_FIN
+964800789.896983 weird: spontaneous_FIN
+964800789.897057 weird: spontaneous_FIN
+964800789.976325 weird: spontaneous_FIN
+964800789.976397 weird: spontaneous_FIN
+964800789.976461 weird: spontaneous_FIN
+964800789.976526 weird: spontaneous_FIN
+964800789.976591 weird: spontaneous_FIN
+964800789.976658 weird: spontaneous_FIN
+964800789.976722 weird: spontaneous_FIN
+964800789.976787 weird: spontaneous_FIN
+964800789.976852 weird: spontaneous_FIN
+964800789.976922 weird: spontaneous_FIN
+964800789.976986 weird: spontaneous_FIN
+964800790.056323 weird: spontaneous_FIN
+964800790.056395 weird: spontaneous_FIN
+964800790.056466 weird: spontaneous_FIN
+964800790.056532 weird: spontaneous_FIN
+964800790.056602 weird: spontaneous_FIN
+964800790.056673 weird: spontaneous_FIN
+964800790.056742 weird: spontaneous_FIN
+964800790.056810 weird: spontaneous_FIN
+964800790.056880 weird: spontaneous_FIN
+964800790.056952 weird: spontaneous_FIN
+964800790.057024 weird: spontaneous_FIN
+964800790.136324 weird: spontaneous_FIN
+964800790.136396 weird: spontaneous_FIN
+964800790.136458 weird: spontaneous_FIN
+964800790.136525 weird: spontaneous_FIN
+964800790.136594 weird: spontaneous_FIN
+964800790.136658 weird: spontaneous_FIN
+964800790.136722 weird: spontaneous_FIN
+964800790.136792 weird: spontaneous_FIN
+964800790.136857 weird: spontaneous_FIN
+964800790.136919 weird: spontaneous_FIN
+964800790.136989 weird: spontaneous_FIN
+964800790.216318 weird: spontaneous_FIN
+964800790.216388 weird: spontaneous_FIN
+964800790.216456 weird: spontaneous_FIN
+964800790.216522 weird: spontaneous_FIN
+964800790.216593 weird: spontaneous_FIN
+964800790.216661 weird: spontaneous_FIN
+964800790.216730 weird: spontaneous_FIN
+964800790.216798 weird: spontaneous_FIN
+964800790.216869 weird: spontaneous_FIN
+964800790.216939 weird: spontaneous_FIN
+964800790.217010 weird: spontaneous_FIN
+964800790.296327 weird: spontaneous_FIN
+964800790.296399 weird: spontaneous_FIN
+964800790.296465 weird: spontaneous_FIN
+964800790.296530 weird: spontaneous_FIN
+964800790.296596 weird: spontaneous_FIN
+964800790.296663 weird: spontaneous_FIN
+964800790.296727 weird: spontaneous_FIN
+964800790.296794 weird: spontaneous_FIN
+964800790.296860 weird: spontaneous_FIN
+964800790.296924 weird: spontaneous_FIN
+964800790.296992 weird: spontaneous_FIN
+964800790.376327 weird: spontaneous_FIN
+964800790.376399 weird: spontaneous_FIN
+964800790.376467 weird: spontaneous_FIN
+964800790.376539 weird: spontaneous_FIN
+964800790.376610 weird: spontaneous_FIN
+964800790.376679 weird: spontaneous_FIN
+964800790.376753 weird: spontaneous_FIN
+964800790.376820 weird: spontaneous_FIN
+964800790.376889 weird: spontaneous_FIN
+964800790.376959 weird: spontaneous_FIN
+964800790.377031 weird: spontaneous_FIN
+964800790.456329 weird: spontaneous_FIN
+964800790.456406 weird: spontaneous_FIN
+964800790.456474 weird: spontaneous_FIN
+964800790.456541 weird: spontaneous_FIN
+964800790.456610 weird: spontaneous_FIN
+964800790.456681 weird: spontaneous_FIN
+964800790.456752 weird: spontaneous_FIN
+964800790.456818 weird: spontaneous_FIN
+964800790.456882 weird: spontaneous_FIN
+964800790.456947 weird: spontaneous_FIN
+964800790.457012 weird: spontaneous_FIN
+964800790.536316 weird: spontaneous_FIN
+964800790.536391 weird: spontaneous_FIN
+964800790.536460 weird: spontaneous_FIN
+964800790.536531 weird: spontaneous_FIN
+964800790.536609 weird: spontaneous_FIN
+964800790.536686 weird: spontaneous_FIN
+964800790.536759 weird: spontaneous_FIN
+964800790.536830 weird: spontaneous_FIN
+964800790.536903 weird: spontaneous_FIN
+964800790.536973 weird: spontaneous_FIN
+964800790.537042 weird: spontaneous_FIN
+964800790.626340 weird: spontaneous_FIN
+964800790.626415 weird: spontaneous_FIN
+964800790.626484 weird: spontaneous_FIN
+964800790.626548 weird: spontaneous_FIN
+964800790.626615 weird: spontaneous_FIN
+964800790.626682 weird: spontaneous_FIN
+964800790.626747 weird: spontaneous_FIN
+964800790.626812 weird: spontaneous_FIN
+964800790.626881 weird: spontaneous_FIN
+964800790.626949 weird: spontaneous_FIN
+964800790.627013 weird: spontaneous_FIN
+964800790.706323 weird: spontaneous_FIN
+964800790.706400 weird: spontaneous_FIN
+964800790.706467 weird: spontaneous_FIN
+964800790.706534 weird: spontaneous_FIN
+964800790.706604 weird: spontaneous_FIN
+964800790.706674 weird: spontaneous_FIN
+964800790.706745 weird: spontaneous_FIN
+964800790.706815 weird: spontaneous_FIN
+964800790.706883 weird: spontaneous_FIN
+964800790.706954 weird: spontaneous_FIN
+964800790.707026 weird: spontaneous_FIN
+964800790.786328 weird: spontaneous_FIN
+964800790.786402 weird: spontaneous_FIN
+964800790.786467 weird: spontaneous_FIN
+964800790.786533 weird: spontaneous_FIN
+964800790.786597 weird: spontaneous_FIN
+964800790.786663 weird: spontaneous_FIN
+964800790.786727 weird: spontaneous_FIN
+964800790.786794 weird: spontaneous_FIN
+964800790.786861 weird: spontaneous_FIN
+964800790.786927 weird: spontaneous_FIN
+964800790.786991 weird: spontaneous_FIN
+964800790.866322 weird: spontaneous_FIN
+964800790.866394 weird: spontaneous_FIN
+964800790.866460 weird: spontaneous_FIN
+964800790.866529 weird: spontaneous_FIN
+964800790.866599 weird: spontaneous_FIN
+964800790.866667 weird: spontaneous_FIN
+964800790.866734 weird: spontaneous_FIN
+964800790.866802 weird: spontaneous_FIN
+964800790.866870 weird: spontaneous_FIN
+964800790.866941 weird: spontaneous_FIN
+964800790.867009 weird: spontaneous_FIN
+964800790.946325 weird: spontaneous_FIN
+964800790.946400 weird: spontaneous_FIN
+964800790.946469 weird: spontaneous_FIN
+964800790.946532 weird: spontaneous_FIN
+964800790.946597 weird: spontaneous_FIN
+964800790.946663 weird: spontaneous_FIN
+964800790.946728 weird: spontaneous_FIN
+964800790.946794 weird: spontaneous_FIN
+964800790.946860 weird: spontaneous_FIN
+964800790.946926 weird: spontaneous_FIN
+964800790.946989 weird: spontaneous_FIN
+964800791.026320 weird: spontaneous_FIN
+964800791.026394 weird: spontaneous_FIN
+964800791.026462 weird: spontaneous_FIN
+964800791.026531 weird: spontaneous_FIN
+964800791.026600 weird: spontaneous_FIN
+964800791.026669 weird: spontaneous_FIN
+964800791.026738 weird: spontaneous_FIN
+964800791.026809 weird: spontaneous_FIN
+964800791.026877 weird: spontaneous_FIN
+964800791.026948 weird: spontaneous_FIN
+964800791.027015 weird: spontaneous_FIN
+964800791.106328 weird: spontaneous_FIN
+964800791.106401 weird: spontaneous_FIN
+964800791.106468 weird: spontaneous_FIN
+964800791.106534 weird: spontaneous_FIN
+964800791.106597 weird: spontaneous_FIN
+964800791.106661 weird: spontaneous_FIN
+964800791.106727 weird: spontaneous_FIN
+964800791.106791 weird: spontaneous_FIN
+964800791.106860 weird: spontaneous_FIN
+964800791.106924 weird: spontaneous_FIN
+964800791.106990 weird: spontaneous_FIN
+964800791.186323 weird: spontaneous_FIN
+964800791.186396 weird: spontaneous_FIN
+964800791.186463 weird: spontaneous_FIN
+964800791.186531 weird: spontaneous_FIN
+964800791.186600 weird: spontaneous_FIN
+964800791.186670 weird: spontaneous_FIN
+964800791.186737 weird: spontaneous_FIN
+964800791.186805 weird: spontaneous_FIN
+964800791.186875 weird: spontaneous_FIN
+964800791.186946 weird: spontaneous_FIN
+964800791.187012 weird: spontaneous_FIN
+964800791.266330 weird: spontaneous_FIN
+964800791.266404 weird: spontaneous_FIN
+964800791.266470 weird: spontaneous_FIN
+964800791.266536 weird: spontaneous_FIN
+964800791.266601 weird: spontaneous_FIN
+964800791.266667 weird: spontaneous_FIN
+964800791.266732 weird: spontaneous_FIN
+964800791.266796 weird: spontaneous_FIN
+964800791.266863 weird: spontaneous_FIN
+964800791.266929 weird: spontaneous_FIN
+964800791.266992 weird: spontaneous_FIN
+964800791.346321 weird: spontaneous_FIN
+964800791.346394 weird: spontaneous_FIN
+964800791.346466 weird: spontaneous_FIN
+964800791.346534 weird: spontaneous_FIN
+964800791.346603 weird: spontaneous_FIN
+964800791.346672 weird: spontaneous_FIN
+964800791.346740 weird: spontaneous_FIN
+964800791.346808 weird: spontaneous_FIN
+964800791.346878 weird: spontaneous_FIN
+964800791.346950 weird: spontaneous_FIN
+964800791.347019 weird: spontaneous_FIN
+964800791.426330 weird: spontaneous_FIN
+964800791.426403 weird: spontaneous_FIN
+964800791.426468 weird: spontaneous_FIN
+964800791.426531 weird: spontaneous_FIN
+964800791.426596 weird: spontaneous_FIN
+964800791.426664 weird: spontaneous_FIN
+964800791.426730 weird: spontaneous_FIN
+964800791.426795 weird: spontaneous_FIN
+964800791.426863 weird: spontaneous_FIN
+964800791.426928 weird: spontaneous_FIN
+964800791.426991 weird: spontaneous_FIN
+964800791.516330 weird: spontaneous_FIN
+964800791.516402 weird: spontaneous_FIN
+964800791.516469 weird: spontaneous_FIN
+964800791.516539 weird: spontaneous_FIN
+964800791.516611 weird: spontaneous_FIN
+964800791.516679 weird: spontaneous_FIN
+964800791.516748 weird: spontaneous_FIN
+964800791.516817 weird: spontaneous_FIN
+964800791.516888 weird: spontaneous_FIN
+964800791.516959 weird: spontaneous_FIN
+964800791.517029 weird: spontaneous_FIN
+964800791.596331 weird: spontaneous_FIN
+964800791.596407 weird: spontaneous_FIN
+964800791.596474 weird: spontaneous_FIN
+964800791.596537 weird: spontaneous_FIN
+964800791.596601 weird: spontaneous_FIN
+964800791.596667 weird: spontaneous_FIN
+964800791.596732 weird: spontaneous_FIN
+964800791.596797 weird: spontaneous_FIN
+964800791.596867 weird: spontaneous_FIN
+964800791.596932 weird: spontaneous_FIN
+964800791.596995 weird: spontaneous_FIN
+964800791.676324 weird: spontaneous_FIN
+964800791.676397 weird: spontaneous_FIN
+964800791.676463 weird: spontaneous_FIN
+964800791.676531 weird: spontaneous_FIN
+964800791.676600 weird: spontaneous_FIN
+964800791.676670 weird: spontaneous_FIN
+964800791.676739 weird: spontaneous_FIN
+964800791.676807 weird: spontaneous_FIN
+964800791.676877 weird: spontaneous_FIN
+964800791.676947 weird: spontaneous_FIN
+964800791.677014 weird: spontaneous_FIN
+964800791.756333 weird: spontaneous_FIN
+964800791.756411 weird: spontaneous_FIN
+964800791.756477 weird: spontaneous_FIN
+964800791.756547 weird: spontaneous_FIN
+964800791.756611 weird: spontaneous_FIN
+964800791.756678 weird: spontaneous_FIN
+964800791.756743 weird: spontaneous_FIN
+964800791.756808 weird: spontaneous_FIN
+964800791.756873 weird: spontaneous_FIN
+964800791.756936 weird: spontaneous_FIN
+964800791.757001 weird: spontaneous_FIN
+964800791.836330 weird: spontaneous_FIN
+964800791.836402 weird: spontaneous_FIN
+964800791.836471 weird: spontaneous_FIN
+964800791.836542 weird: spontaneous_FIN
+964800791.836610 weird: spontaneous_FIN
+964800791.836678 weird: spontaneous_FIN
+964800791.836751 weird: spontaneous_FIN
+964800791.836820 weird: spontaneous_FIN
+964800791.836890 weird: spontaneous_FIN
+964800791.836961 weird: spontaneous_FIN
+964800791.837032 weird: spontaneous_FIN
+964800791.916338 weird: spontaneous_FIN
+964800791.916413 weird: spontaneous_FIN
+964800791.916480 weird: spontaneous_FIN
+964800791.916546 weird: spontaneous_FIN
+964800791.916614 weird: spontaneous_FIN
+964800791.916682 weird: spontaneous_FIN
+964800791.916750 weird: spontaneous_FIN
+964800791.916815 weird: spontaneous_FIN
+964800791.916885 weird: spontaneous_FIN
+964800791.916950 weird: spontaneous_FIN
+964800791.917015 weird: spontaneous_FIN
+964800791.996333 weird: spontaneous_FIN
+964800791.996408 weird: spontaneous_FIN
+964800791.996476 weird: spontaneous_FIN
+964800791.996548 weird: spontaneous_FIN
+964800791.996619 weird: spontaneous_FIN
+964800791.996692 weird: spontaneous_FIN
+964800791.996765 weird: spontaneous_FIN
+964800791.996837 weird: spontaneous_FIN
+964800791.996906 weird: spontaneous_FIN
+964800791.996976 weird: spontaneous_FIN
+964800791.997045 weird: spontaneous_FIN
+964800792.076337 weird: spontaneous_FIN
+964800792.076412 weird: spontaneous_FIN
+964800792.076479 weird: spontaneous_FIN
+964800792.076544 weird: spontaneous_FIN
+964800792.076613 weird: spontaneous_FIN
+964800792.076683 weird: spontaneous_FIN
+964800792.076751 weird: spontaneous_FIN
+964800792.076817 weird: spontaneous_FIN
+964800792.076883 weird: spontaneous_FIN
+964800792.076948 weird: spontaneous_FIN
+964800792.077015 weird: spontaneous_FIN
+964800792.156328 weird: spontaneous_FIN
+964800792.156402 weird: spontaneous_FIN
+964800792.156471 weird: spontaneous_FIN
+964800792.156541 weird: spontaneous_FIN
+964800792.156613 weird: spontaneous_FIN
+964800792.156681 weird: spontaneous_FIN
+964800792.156749 weird: spontaneous_FIN
+964800792.156816 weird: spontaneous_FIN
+964800792.156888 weird: spontaneous_FIN
+964800792.156960 weird: spontaneous_FIN
+964800792.157028 weird: spontaneous_FIN
+964800792.246337 weird: spontaneous_FIN
+964800792.246414 weird: spontaneous_FIN
+964800792.246482 weird: spontaneous_FIN
+964800792.246546 weird: spontaneous_FIN
+964800792.246612 weird: spontaneous_FIN
+964800792.246679 weird: spontaneous_FIN
+964800792.246747 weird: spontaneous_FIN
+964800792.246810 weird: spontaneous_FIN
+964800792.246877 weird: spontaneous_FIN
+964800792.246943 weird: spontaneous_FIN
+964800792.247006 weird: spontaneous_FIN
+964800792.326375 weird: spontaneous_FIN
+964800792.326450 weird: spontaneous_FIN
+964800792.326520 weird: spontaneous_FIN
+964800792.326590 weird: spontaneous_FIN
+964800792.326662 weird: spontaneous_FIN
+964800792.326730 weird: spontaneous_FIN
+964800792.326799 weird: spontaneous_FIN
+964800792.326873 weird: spontaneous_FIN
+964800792.326941 weird: spontaneous_FIN
+964800792.327014 weird: spontaneous_FIN
+964800792.327084 weird: spontaneous_FIN
+964800792.406339 weird: spontaneous_FIN
+964800792.406413 weird: spontaneous_FIN
+964800792.406479 weird: spontaneous_FIN
+964800792.406545 weird: spontaneous_FIN
+964800792.406611 weird: spontaneous_FIN
+964800792.406678 weird: spontaneous_FIN
+964800792.406746 weird: spontaneous_FIN
+964800792.406808 weird: spontaneous_FIN
+964800792.406876 weird: spontaneous_FIN
+964800792.406943 weird: spontaneous_FIN
+964800792.407009 weird: spontaneous_FIN
+964800792.496337 weird: spontaneous_FIN
+964800792.496412 weird: spontaneous_FIN
+964800792.496479 weird: spontaneous_FIN
+964800792.496547 weird: spontaneous_FIN
+964800792.496620 weird: spontaneous_FIN
+964800792.496691 weird: spontaneous_FIN
+964800792.496761 weird: spontaneous_FIN
+964800792.496831 weird: spontaneous_FIN
+964800792.496902 weird: spontaneous_FIN
+964800792.496974 weird: spontaneous_FIN
+964800792.497047 weird: spontaneous_FIN
+964800792.576341 weird: spontaneous_FIN
+964800792.576416 weird: spontaneous_FIN
+964800792.576482 weird: spontaneous_FIN
+964800792.576547 weird: spontaneous_FIN
+964800792.576613 weird: spontaneous_FIN
+964800792.576679 weird: spontaneous_FIN
+964800792.576744 weird: spontaneous_FIN
+964800792.576807 weird: spontaneous_FIN
+964800792.576878 weird: spontaneous_FIN
+964800792.576945 weird: spontaneous_FIN
+964800792.577010 weird: spontaneous_FIN
+964800792.656330 weird: spontaneous_FIN
+964800792.656406 weird: spontaneous_FIN
+964800792.656474 weird: spontaneous_FIN
+964800792.656543 weird: spontaneous_FIN
+964800792.656611 weird: spontaneous_FIN
+964800792.656682 weird: spontaneous_FIN
+964800792.656754 weird: spontaneous_FIN
+964800792.656822 weird: spontaneous_FIN
+964800792.656895 weird: spontaneous_FIN
+964800792.656968 weird: spontaneous_FIN
+964800792.657035 weird: spontaneous_FIN
+964800792.746383 weird: spontaneous_FIN
+964800792.746464 weird: spontaneous_FIN
+964800792.746538 weird: spontaneous_FIN
+964800792.746606 weird: spontaneous_FIN
+964800792.746693 weird: spontaneous_FIN
+964800792.746746 weird: spontaneous_FIN
+964800792.746812 weird: spontaneous_FIN
+964800792.746880 weird: spontaneous_FIN
+964800792.746950 weird: spontaneous_FIN
+964800792.826339 weird: spontaneous_FIN
+964800792.826417 weird: spontaneous_FIN
+964800792.826488 weird: spontaneous_FIN
+964800792.826556 weird: spontaneous_FIN
+964800792.826623 weird: spontaneous_FIN
+964800792.826696 weird: spontaneous_FIN
+964800792.826766 weird: spontaneous_FIN
+964800792.826838 weird: spontaneous_FIN
+964800792.826909 weird: spontaneous_FIN
+964800795.557659 weird: spontaneous_FIN
+964800801.957557 weird: spontaneous_FIN
diff --git a/ChangeLog b/testing/btest/Baseline/policy.known-services-test/.stdout
similarity index 100%
rename from ChangeLog
rename to testing/btest/Baseline/policy.known-services-test/.stdout
diff --git a/testing/btest/Baseline/policy.known-services-test/KNOWN_SERVICES b/testing/btest/Baseline/policy.known-services-test/KNOWN_SERVICES
new file mode 100644
index 0000000000..3d4b08e453
--- /dev/null
+++ b/testing/btest/Baseline/policy.known-services-test/KNOWN_SERVICES
@@ -0,0 +1,229 @@
+ts	host	port_num	service
+964800423.225612	10.20.1.11	80/tcp	{
+
+}	
+964800428.605284	10.20.11.81	3820/tcp	{
+
+}	
+964800432.833579	10.20.11.81	3821/tcp	{
+
+}	
+964800432.220536	10.20.1.8	21/tcp	{
+
+}	
+964800435.180757	10.20.1.8	80/tcp	{
+
+}	
+964800436.657053	10.20.11.81	3822/tcp	{
+
+}	
+964800445.136946	10.20.11.81	3823/tcp	{
+
+}	
+964800447.050657	10.20.11.81	3824/tcp	{
+
+}	
+964800449.128463	10.20.11.81	3825/tcp	{
+
+}	
+964800460.548618	10.20.1.11	220/tcp	{
+
+}	
+964800470.053399	10.20.1.128	32777/tcp	{
+
+}	
+964800470.255065	10.20.1.128	32778/tcp	{
+
+}	
+964800470.326786	10.20.1.128	111/tcp	{
+
+}	
+964800472.135373	10.20.1.128	7/tcp	{
+
+}	
+964800470.551502	10.20.1.128	7100/tcp	{
+
+}	
+964800470.557677	10.20.1.128	32771/tcp	{
+
+}	
+964800470.595967	10.20.1.128	32775/tcp	{
+
+}	
+964800470.695017	10.20.1.128	32779/tcp	{
+
+}	
+964800470.736744	10.20.1.128	32776/tcp	{
+
+}	
+964800470.741478	10.20.1.128	32773/tcp	{
+
+}	
+964800470.735628	10.20.1.128	2049/tcp	{
+
+}	
+964800470.691559	10.20.1.128	6112/tcp	{
+
+}	
+964800470.080672	10.20.1.128	515/tcp	{
+
+}	
+964800470.166217	10.20.1.128	32772/tcp	{
+
+}	
+964800470.023879	10.20.1.128	9/tcp	{
+
+}	
+964800470.248286	10.20.1.128	79/tcp	{
+
+}	
+964800470.173476	10.20.1.128	513/tcp	{
+
+}	
+964800470.288767	10.20.1.128	514/tcp	{
+
+}	
+964800470.688531	10.20.1.128	512/tcp	{
+
+}	
+964800470.211035	10.20.1.128	22/tcp	{
+
+}	
+964800470.49665	10.20.1.128	23/tcp	{
+
+}	
+964800470.066351	10.20.1.128	37/tcp	{
+
+}	
+964800470.599661	10.20.1.128	19/tcp	{
+
+}	
+964800470.552646	10.20.1.128	13/tcp	{
+
+}	
+964800470.557883	10.20.1.128	25/tcp	{
+
+}	
+964800470.784425	10.20.1.128	540/tcp	{
+
+}	
+964800470.292463	10.20.1.128	21/tcp	{
+
+}	
+964800491.909762	10.20.1.133	139/tcp	{
+
+}	
+964800495.488396	10.20.1.32	6000/tcp	{
+
+}	
+964800499.931019	10.20.1.32	22/tcp	{
+
+}	
+964800501.040343	10.20.1.9	80/tcp	{
+
+}	
+964800467.45263	10.20.1.9	110/tcp	{
+
+}	
+964800551.47489	10.20.11.101	79/tcp	{
+
+}	
+964800551.731327	10.20.11.101	22/tcp	{
+
+}	
+964800560.092991	10.20.1.9	22/tcp	{
+
+}	
+964800573.291815	10.20.1.1	22/tcp	{
+
+}	
+964800542.603637	10.20.1.133	21/tcp	{
+
+}	
+964800582.574996	10.20.1.35	25/tcp	{
+
+}	
+964800587.426354	10.20.1.35	21/tcp	{
+
+}	
+964800586.110222	10.20.1.35	23/tcp	{
+
+}	
+964800586.655377	10.20.1.35	22/tcp	{
+
+}	
+964800592.165919	10.20.1.21	21/tcp	{
+
+}	
+964800598.792462	10.20.1.9	25/tcp	{
+
+}	
+964800615.91033	10.20.1.11	21/tcp	{
+
+}	
+964800632.516211	10.20.1.10	25/tcp	{
+
+}	
+964800633.234812	10.20.1.10	80/tcp	{
+
+}	
+964800634.193335	10.20.1.10	21/tcp	{
+
+}	
+964800636.102468	10.20.1.11	443/tcp	{
+
+}	
+964800635.003732	10.20.1.129	79/tcp	{
+
+}	
+964800668.873252	10.20.1.21	110/tcp	{
+
+}	
+964800669.007448	10.20.1.21	111/tcp	{
+
+}	
+964800669.665929	10.20.1.21	80/tcp	{
+
+}	
+964800669.670186	10.20.1.21	690/tcp	{
+
+}	
+964800669.693491	10.20.1.21	2049/tcp	{
+
+}	
+964800670.234186	10.20.1.21	515/tcp	{
+
+}	
+964800670.493675	10.20.1.21	113/tcp	{
+
+}	
+964800670.492704	10.20.1.21	22/tcp	{
+
+}	
+964800676.474475	10.20.1.22	21/tcp	{
+
+}	
+964800673.799597	10.20.1.21	79/tcp	{
+
+}	
+964800675.483229	10.20.1.22	22/tcp	{
+
+}	
+964800670.525453	10.20.1.21	514/tcp	{
+
+}	
+964800703.201113	10.20.1.12	79/tcp	{
+
+}	
+964800633.538485	10.20.11.102	113/tcp	{
+
+}	
+964800470.375479	10.20.1.128	6000/tcp	{
+
+}	
+964800709.128585	10.20.11.102	110/tcp	{
+
+}	
+1184887724.39694	10.20.1.11	2222/tcp	{
+
+}	
diff --git a/testing/btest/Makefile b/testing/btest/Makefile
new file mode 100644
index 0000000000..ed042722b8
--- /dev/null
+++ b/testing/btest/Makefile
@@ -0,0 +1,14 @@
+
+all:
+    # Showing all tests.
+	@btest
+
+brief:
+    # Brief output showing only failed tests.
+	@btest -b
+
+brief-debug:
+    # Verbose output for failed tests, also recorded in test.log.
+	@rm -f test.log
+	@btest -b -d -f test.log
+	@echo Output in test.log
diff --git a/testing/btest/Scripts/diff-canonifier b/testing/btest/Scripts/diff-canonifier
new file mode 100755
index 0000000000..063f1e4900
--- /dev/null
+++ b/testing/btest/Scripts/diff-canonifier
@@ -0,0 +1,5 @@
+#! /usr/bin/env bash
+#
+# Replace anything which looks like timestamps with XXXs.
+
+sed 's/[0-9]\{10\}\.[0-9]\{2,8\}/XXXXXXXXXX.XXXXXX/g'
diff --git a/testing/btest/Scripts/diff-remove-abspath b/testing/btest/Scripts/diff-remove-abspath
new file mode 100755
index 0000000000..361ad3fa6d
--- /dev/null
+++ b/testing/btest/Scripts/diff-remove-abspath
@@ -0,0 +1,5 @@
+#! /usr/bin/env bash
+#
+# Replace absolute paths with the basename.
+
+sed 's#/\([^/]\{1,\}/\)\{1,\}\([^/]\{1,\}\)#<...>/\2#g'
diff --git a/testing/btest/Scripts/doc/example-diff-canonifier.py b/testing/btest/Scripts/doc/example-diff-canonifier.py
new file mode 100755
index 0000000000..e0b8c110cc
--- /dev/null
+++ b/testing/btest/Scripts/doc/example-diff-canonifier.py
@@ -0,0 +1,15 @@
+#!/usr/bin/python
+
+import sys
+import re
+
+# MutableVal derivatives (e.g. sets/tables) don't always generate the same
+# ordering in the reST documentation, so just don't bother diffing
+# the places where example.bro uses them.
+
+RE1 = "\d*/tcp"
+RE2 = "tcp port \d*"
+
+for line in sys.stdin.readlines():
+    if re.search(RE1, line) is None and re.search(RE2, line) is None:
+        print line
diff --git a/testing/btest/Traces/conn-size.trace b/testing/btest/Traces/conn-size.trace
new file mode 100644
index 0000000000..8b03d7a67f
Binary files /dev/null and b/testing/btest/Traces/conn-size.trace differ
diff --git a/testing/istate/traces/empty.trace b/testing/btest/Traces/empty.trace
similarity index 100%
rename from testing/istate/traces/empty.trace
rename to testing/btest/Traces/empty.trace
diff --git a/testing/btest/Traces/mixed-vlan-mpls.trace b/testing/btest/Traces/mixed-vlan-mpls.trace
new file mode 100644
index 0000000000..ff9c68d5ed
Binary files /dev/null and b/testing/btest/Traces/mixed-vlan-mpls.trace differ
diff --git a/testing/istate/traces/web.trace b/testing/btest/Traces/web.trace
similarity index 100%
rename from testing/istate/traces/web.trace
rename to testing/btest/Traces/web.trace
diff --git a/testing/btest/Traces/wikipedia.trace b/testing/btest/Traces/wikipedia.trace
new file mode 100644
index 0000000000..68d85e0190
Binary files /dev/null and b/testing/btest/Traces/wikipedia.trace differ
diff --git a/testing/btest/Traces/workshop.trace1.trace b/testing/btest/Traces/workshop.trace1.trace
new file mode 100644
index 0000000000..e3d28f5c83
Binary files /dev/null and b/testing/btest/Traces/workshop.trace1.trace differ
diff --git a/testing/btest/analyzers/conn-size-cc.bro b/testing/btest/analyzers/conn-size-cc.bro
new file mode 100644
index 0000000000..0ba7977cf5
--- /dev/null
+++ b/testing/btest/analyzers/conn-size-cc.bro
@@ -0,0 +1,2 @@
+# @TEST-EXEC: bro -C -r ${TRACES}/conn-size.trace tcp udp icmp report_conn_size_analyzer=T
+# @TEST-EXEC: btest-diff conn.log
diff --git a/testing/btest/analyzers/conn-size.bro b/testing/btest/analyzers/conn-size.bro
new file mode 100644
index 0000000000..0e413cc554
--- /dev/null
+++ b/testing/btest/analyzers/conn-size.bro
@@ -0,0 +1,2 @@
+# @TEST-EXEC: bro -C -r ${TRACES}/conn-size.trace tcp udp icmp report_conn_size_analyzer=T use_connection_compressor=F
+# @TEST-EXEC: btest-diff conn.log
diff --git a/testing/btest/bifs/count_to_addr.bro b/testing/btest/bifs/count_to_addr.bro
new file mode 100644
index 0000000000..ffb2d975bf
--- /dev/null
+++ b/testing/btest/bifs/count_to_addr.bro
@@ -0,0 +1,20 @@
+#
+# @TEST-EXEC: bro %INPUT >out
+# @TEST-EXEC: btest-diff out
+
+event bro_init()
+	{
+	local a = "1";
+	print count_to_v4_addr(to_count(a));
+	
+	a = "806716794";
+	print count_to_v4_addr(to_count(a));
+	
+	a = "4294967295";
+	print count_to_v4_addr(to_count(a));
+	
+	# This *should* fail and return 0.0.0.0 since it's 255.255.255.255 + 1
+	# Note: How do I check for runtime errors?
+	a = "4294967296";
+	print count_to_v4_addr(to_count(a));
+	}
diff --git a/testing/btest/bifs/netbios-functions.bro b/testing/btest/bifs/netbios-functions.bro
new file mode 100644
index 0000000000..1fd033dd59
--- /dev/null
+++ b/testing/btest/bifs/netbios-functions.bro
@@ -0,0 +1,18 @@
+#
+# @TEST-EXEC: bro %INPUT >out
+# @TEST-EXEC: btest-diff out
+
+event bro_init()
+	{
+	local names_to_decode = set(
+		"ejfdebfeebfacacacacacacacacacaaa", # ISATAP
+		"fhepfcelehfcepfffacacacacacacabl", # WORKGROUP
+		"abacfpfpenfdecfcepfhfdeffpfpacab", # \001\002__MSBROWSE__\002
+		"enebfcfeejeocacacacacacacacacaad"); # MARTIN
+
+	for ( name in names_to_decode )
+		{
+		print decode_netbios_name(name);
+		print decode_netbios_name_type(name);
+		}
+	}
diff --git a/testing/btest/bifs/string_splitting.bro b/testing/btest/bifs/string_splitting.bro
new file mode 100644
index 0000000000..44068fe510
--- /dev/null
+++ b/testing/btest/bifs/string_splitting.bro
@@ -0,0 +1,12 @@
+#
+# @TEST-EXEC: bro %INPUT >out
+# @TEST-EXEC: btest-diff out
+
+event bro_init()
+	{
+	local a = "X-Mailer: Testing Test (http://www.example.com)";
+	print split1(a, /:[[:blank:]]*/);
+
+	a = "A = B = C = D";
+	print split_all(a, /=/);
+	}
diff --git a/testing/btest/btest.cfg b/testing/btest/btest.cfg
new file mode 100644
index 0000000000..159e5a19e2
--- /dev/null
+++ b/testing/btest/btest.cfg
@@ -0,0 +1,18 @@
+[btest]
+TestDirs    = doc bifs logging language core istate
+TmpDir      = %(testbase)s/.tmp
+BaselineDir = %(testbase)s/Baseline
+IgnoreDirs  = .svn CVS .tmp
+IgnoreFiles = *.tmp *.swp #* *.trace
+
+[environment]
+BROPATH=`bash -c %(testbase)s/../../build/bro-path-dev`
+BRO_SEED_FILE=%(testbase)s/random.seed
+TZ=UTC
+LC_ALL=C
+PATH=%(testbase)s/../../build/src:%(testbase)s/../../aux/btest:%(default_path)s
+TEST_DIFF_CANONIFIER=%(testbase)s/Scripts/diff-canonifier
+TRACES=%(testbase)s/Traces
+SCRIPTS=%(testbase)s/Scripts
+DIST=%(testbase)s/../..
+BUILD=%(testbase)s/../../build
diff --git a/testing/btest/core/conn-id.bro b/testing/btest/core/conn-id.bro
new file mode 100644
index 0000000000..04724bba3c
--- /dev/null
+++ b/testing/btest/core/conn-id.bro
@@ -0,0 +1,32 @@
+#
+# In "normal" test mode, connection uids should be determistic.
+#
+# @TEST-EXEC: bro -C -r $TRACES/wikipedia.trace %INPUT conn >output
+# @TEST-EXEC: btest-diff output
+#
+# Without a seed, they should differ each time:
+#
+# @TEST-EXEC: unset BRO_SEED_FILE &&  bro -C -r $TRACES/wikipedia.trace %INPUT tcp >output2
+# @TEST-EXEC: cat output output2 | sort | uniq -c | wc -l >counts
+# @TEST-EXEC: btest-diff counts
+#
+# Make sure it works without the connection compressor as well.
+#
+# @TEST-EXEC: bro -C -r $TRACES/wikipedia.trace %INPUT tcp use_connection_compressor=F >output.cc
+# @TEST-EXEC: btest-diff output.cc
+#
+# Make sure it works with the full connection compressor as well.
+#
+# @TEST-EXEC: bro -C -r $TRACES/wikipedia.trace %INPUT tcp cc_handle_only_syns=F >output.cc2
+# @TEST-EXEC: btest-diff output.cc2
+
+
+event new_connection(c: connection)
+	{
+	print c$id, c$uid;
+	}
+
+event connection_established(c: connection)
+	{
+	print c$id, c$uid;
+	}
diff --git a/testing/btest/core/load-pkg.bro b/testing/btest/core/load-pkg.bro
new file mode 100644
index 0000000000..907dde78ce
--- /dev/null
+++ b/testing/btest/core/load-pkg.bro
@@ -0,0 +1,7 @@
+# @TEST-EXEC: mkdir foo
+# @TEST-EXEC: echo "@load foo/test.bro" >foo/__load__.bro
+# @TEST-EXEC: cp %INPUT foo/test.bro
+# @TEST-EXEC: bro -l foo >output 2>&1
+# @TEST-EXEC: btest-diff output
+
+print "Foo loaded";
diff --git a/testing/btest/core/print-bpf-filters-ipv4.bro b/testing/btest/core/print-bpf-filters-ipv4.bro
new file mode 100644
index 0000000000..5848972166
--- /dev/null
+++ b/testing/btest/core/print-bpf-filters-ipv4.bro
@@ -0,0 +1,9 @@
+# @TEST-REQUIRES: bro -e 'print bro_has_ipv6()' | grep -q F
+#
+# @TEST-EXEC: bro print-filter >output 2>&1
+# @TEST-EXEC: bro tcp print-filter >>output
+# @TEST-EXEC: bro tcp print-filter all_packets=F >>output
+# @TEST-EXEC: bro -f "port 42" print-filter >>output
+# @TEST-EXEC: bro -C -f "port 50343" -r $TRACES/mixed-vlan-mpls.trace tcp
+# @TEST-EXEC: btest-diff output
+# @TEST-EXEC: btest-diff conn.log
diff --git a/testing/btest/core/print-bpf-filters-ipv6.bro b/testing/btest/core/print-bpf-filters-ipv6.bro
new file mode 100644
index 0000000000..98bbc2db33
--- /dev/null
+++ b/testing/btest/core/print-bpf-filters-ipv6.bro
@@ -0,0 +1,9 @@
+# @TEST-REQUIRES: bro -e 'print bro_has_ipv6()' | grep -q T
+#
+# @TEST-EXEC: bro print-filter >output 2>&1
+# @TEST-EXEC: bro tcp print-filter >>output
+# @TEST-EXEC: bro tcp print-filter all_packets=F >>output
+# @TEST-EXEC: bro -f "port 42" print-filter >>output
+# @TEST-EXEC: bro -C -f "port 50343" -r $TRACES/mixed-vlan-mpls.trace tcp
+# @TEST-EXEC: btest-diff output
+# @TEST-EXEC: btest-diff conn.log
diff --git a/testing/btest/core/vlan-mpls.bro b/testing/btest/core/vlan-mpls.bro
new file mode 100644
index 0000000000..891f19d79a
--- /dev/null
+++ b/testing/btest/core/vlan-mpls.bro
@@ -0,0 +1,2 @@
+# @TEST-EXEC: bro -C -r $TRACES/mixed-vlan-mpls.trace tcp
+# @TEST-EXEC: btest-diff conn.log
diff --git a/testing/btest/doc/autogen-reST-all b/testing/btest/doc/autogen-reST-all
new file mode 100644
index 0000000000..d6326c7042
--- /dev/null
+++ b/testing/btest/doc/autogen-reST-all
@@ -0,0 +1 @@
+@TEST-EXEC: cd $BUILD && make restdoc
diff --git a/testing/btest/doc/autogen-reST-enums.bro b/testing/btest/doc/autogen-reST-enums.bro
new file mode 100644
index 0000000000..fc01bed243
--- /dev/null
+++ b/testing/btest/doc/autogen-reST-enums.bro
@@ -0,0 +1,36 @@
+# @TEST-EXEC: bro --doc-scripts %INPUT
+# @TEST-EXEC: btest-diff autogen-reST-enums.rst
+
+## There's tons of ways an enum can look...
+type TestEnum1: enum {
+    ## like this
+    ONE,
+    TWO, ##< or like this
+    ## multiple
+    ## comments
+    THREE, ##< and even
+           ##< more comments
+};
+
+## The final comma is optional
+type TestEnum2: enum {
+    ## like this
+    A,
+    B, ##< or like this
+    ## multiple
+    ## comments
+    C  ##< and even
+           ##< more comments
+};
+
+## redefs should also work
+redef enum TestEnum1 += {
+    ## adding another
+    FOUR ##< value
+};
+
+## now with a comma
+redef enum TestEnum1 += {
+    ## adding another
+    FIVE, ##< value
+};
diff --git a/testing/btest/doc/autogen-reST-example b/testing/btest/doc/autogen-reST-example
new file mode 100644
index 0000000000..ecd314eba6
--- /dev/null
+++ b/testing/btest/doc/autogen-reST-example
@@ -0,0 +1,2 @@
+@TEST-EXEC: bro --doc-scripts $DIST/doc/scripts/example.bro
+@TEST-EXEC: btest-diff example.rst
diff --git a/testing/btest/doc/autogen-reST-records.bro b/testing/btest/doc/autogen-reST-records.bro
new file mode 100644
index 0000000000..fc6bb9f2c0
--- /dev/null
+++ b/testing/btest/doc/autogen-reST-records.bro
@@ -0,0 +1,22 @@
+# @TEST-EXEC: bro --doc-scripts %INPUT
+# @TEST-EXEC: btest-diff autogen-reST-records.rst
+
+# undocumented record
+type SimpleRecord: record {
+    field1: bool;
+    field2: count;
+};
+
+## Here's the ways records and record fields can be documented.
+type TestRecord: record {
+    ## document ``A``
+    A: count;
+
+    B: bool;  ##< document ``B``
+
+    ## and now ``C``
+    C: SimpleRecord; ##< is a declared type
+
+    ## sets/tables should show the index types
+    D: set[count, bool];
+};
diff --git a/testing/btest/doc/autogen-reST-type-aliases.bro b/testing/btest/doc/autogen-reST-type-aliases.bro
new file mode 100644
index 0000000000..ce8986f8be
--- /dev/null
+++ b/testing/btest/doc/autogen-reST-type-aliases.bro
@@ -0,0 +1,15 @@
+# @TEST-EXEC: bro --doc-scripts %INPUT
+# @TEST-EXEC: btest-diff autogen-reST-type-aliases.rst
+
+## This is just an alias for a builtin type ``bool``.
+type TypeAlias: bool;
+
+## We decided that creating alias "chains" might not be so useful to document
+## so this type just creates a cross reference to ``bool``.
+type OtherTypeAlias: TypeAlias;
+
+## But this should reference a type of ``TypeAlias``.
+global a: TypeAlias;
+
+## And this should reference a type of ``OtherTypeAlias``.
+global b: OtherTypeAlias;
diff --git a/testing/btest/doc/record-add.bro b/testing/btest/doc/record-add.bro
new file mode 100644
index 0000000000..a326314093
--- /dev/null
+++ b/testing/btest/doc/record-add.bro
@@ -0,0 +1,36 @@
+# @TEST-EXEC: bro --doc-scripts %INPUT
+
+# When in doc mode, bro will clone declared types (see add_type() in Var.cc)
+# in order to keep track of the identifier name associated with the new type.
+# This test makes sure that the cloning is done in a way that's compatible
+# with adding fields to a record type -- we want to be sure that cloning
+# a type that contains record types will correctly see field additions to
+# those contained-records.
+
+type my_record: record {
+    field1: bool;
+    field2: string;
+};
+
+type super_record: record {
+    rec: my_record;
+};
+type my_table: table[count] of my_record;
+type my_vector: vector of my_record;
+
+redef record my_record += {
+    field3: count &optional;
+};
+
+global a: my_record;
+global b: super_record;
+global c: my_table;
+global d: my_vector;
+
+function test_func()
+    {
+    a?$field3;
+    b$rec?$field3;
+    c[0]$field3;
+    d[0]$field3;
+    }
diff --git a/testing/btest/doc/record-attr-check.bro b/testing/btest/doc/record-attr-check.bro
new file mode 100644
index 0000000000..33ada44bfd
--- /dev/null
+++ b/testing/btest/doc/record-attr-check.bro
@@ -0,0 +1,9 @@
+# @TEST-EXEC: bro --doc-scripts %INPUT
+
+type Tag: enum {
+    SOMETHING
+};
+
+type R: record {
+    field1: set[Tag] &default=set();
+};
diff --git a/testing/btest/istate/broccoli.bro b/testing/btest/istate/broccoli.bro
new file mode 100644
index 0000000000..ed6a9eee6a
--- /dev/null
+++ b/testing/btest/istate/broccoli.bro
@@ -0,0 +1,16 @@
+# @TEST-REQUIRES: grep -vq '#define BROv6' $BUILD/config.h
+# @TEST-REQUIRES: test -e $BUILD/aux/broccoli/src/libbroccoli.so
+#
+# @TEST-EXEC: btest-bg-run bro bro %INPUT $DIST/aux/broccoli/test/broping-record.bro
+# @TEST-EXEC: btest-bg-run broccoli $BUILD/aux/broccoli/test/broping -r -c 3 127.0.0.1
+# @TEST-EXEC: btest-bg-wait -k 20
+# @TEST-EXEC: cat bro/ping.log | sed 's/one-way.*//g' >bro.log
+# @TEST-EXEC: cat broccoli/.stdout | sed 's/time=.*//g' >broccoli.log
+# @TEST-EXEC: btest-diff bro.log
+# @TEST-EXEC: btest-diff broccoli.log
+
+event remote_connection_closed(p: event_peer)
+	{
+	terminate();
+	}
+
diff --git a/testing/btest/istate/events-ssl.bro b/testing/btest/istate/events-ssl.bro
new file mode 100644
index 0000000000..de5709854c
--- /dev/null
+++ b/testing/btest/istate/events-ssl.bro
@@ -0,0 +1,127 @@
+#
+# @TEST-EXEC: btest-bg-run sender   bro -C -r $TRACES/web.trace --pseudo-realtime ../sender.bro
+# @TEST-EXEC: btest-bg-run receiver bro ../receiver.bro
+# @TEST-EXEC: btest-bg-wait -k 20
+#
+# @TEST-EXEC: btest-diff sender/http.log
+# @TEST-EXEC: btest-diff receiver/http.log
+# @TEST-EXEC: cat receiver/http.log | sed 's/^\([^ ]* \)\{2\}//' >http.rec.log
+# @TEST-EXEC: cat sender/http.log | sed 's/^\([^ ]* \)\{2\}//' >http.snd.log
+# @TEST-EXEC: cmp http.rec.log http.snd.log
+#
+# @TEST-EXEC: bro -x sender/events.bst   | sed 's/^Event \[[-0-9.]*\] //g' | sed 's/%events-[^ ]* *//g' | grep '^http_' | grep -v http_stats >events.snd.log
+# @TEST-EXEC: bro -x receiver/events.bst | sed 's/^Event \[[-0-9.]*\] //g' | sed 's/%events-[^ ]* *//g' | grep '^http_' | grep -v http_stats >events.rec.log
+# @TEST-EXEC: cmp events.rec.log events.snd.log
+
+@TEST-START-FILE sender.bro
+
+@load tcp
+@load http-request
+@load http-reply
+@load http-header
+@load http-body
+@load http-abstract
+@load listen-ssl
+
+@load capture-events
+
+redef peer_description = "events-send";
+
+# Make sure the HTTP connection really gets out.
+# (We still miss one final connection event because we shutdown before
+# it gets propagated but that's ok.)
+redef tcp_close_delay = 0secs;
+
+redef ssl_ca_certificate = "../ca_cert.pem";
+redef ssl_private_key = "../bro.pem";
+redef ssl_passphrase = "my-password";
+
+@TEST-END-FILE
+
+#############
+
+@TEST-START-FILE receiver.bro
+
+@load tcp
+@load http-request
+@load http-reply
+@load http-header
+@load http-body
+@load http-abstract
+
+@load capture-events
+@load remote
+
+redef peer_description = "events-rcv";
+
+redef Remote::destinations += {
+    ["foo"] = [$host = 127.0.0.1, $events = /http_.*/, $connect=T, $ssl=T]
+};
+
+redef ssl_ca_certificate = "../ca_cert.pem";
+redef ssl_private_key = "../bro.pem";
+redef ssl_passphrase = "my-password";
+
+event remote_connection_closed(p: event_peer)
+	{
+	terminate();
+	}
+
+@TEST-END-FILE
+
+######
+
+@TEST-START-FILE bro.pem
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQDzkuad+VHAhymnpRqkcBTU6Z3OsgUNLnsqpaxPO1LdTuxiDY9N
+GuQJkFDMB/Dxu7slNepseRNu4yDDWVjcdL1TsPdSnNlnbFO3GBt0jQbYjEGLKhkt
+4dUFwjBAUfEVlklYtSWuzNAz+yVUIIyDOdpCXjj4DcuBSNh4ixA+fqmQ0QIDAQAB
+AoGAJWdZosi2lSosa2IfRUEw8cEuSp9rxypsH5BxdXlWsEV+Z1BNwTlv60gOIEbX
+6Uc65evxo9az9UNLtLPzwWbr67F90wyPXTpG7oE2eaKqbaOFuZ4/0rc8pASSZHcO
+bIVQOJbUMF+Zc3YnsNx6Ca682zQMRJrgh0745AutRkSARAECQQD9VmTAvzCqwDKG
+ylWmpTTTzN+ecqDMcZh9JmUZ8W/f3m4/i2wtwfrBTNn8ovATtCs5EWVG493tgXNM
+Ezgkmf65AkEA9iI89a6Ep2w5EPyYxBcm0ztbRC+vF3CSRoDgRPLwgS8kEsjhqPsE
+U5wQNyvCIyIssWC9VGiZmgMaSyom3cLW2QJAHR6KFDGluWrAJAgr0izZJqM87OyG
+GRnRikkYg+PhlRzvFTTEaXoLhZ58y/I6oDksYrHiL0TP5JXll8/5uxNMWQJBAJ2M
+oPSqNyNr9MNYzPiH0URYtDzbQPqCBj+28tdvol8uq6qSh0/BDa3vMbn++o++qlkI
+EWjcY6Xf4o7GdoZw11ECQQCyfgT2EY5HhzieGpA3MzrhATVnJlIuj8cvxFKjBriv
+OCc4cxVTrCW9FPxDOuLLgh7kxalvnkuKjjCmDeTGz5Fc
+-----END RSA PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIICPTCCASWgAwIBAgIBATANBgkqhkiG9w0BAQUFADArMSkwJwYDVQQDEyBCcm8g
+Um9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0xMTAyMDgwNDIxMjhaFw0x
+MzAyMDcwNDIxMjhaMA4xDDAKBgNVBAMTA0JybzCBnzANBgkqhkiG9w0BAQEFAAOB
+jQAwgYkCgYEA85LmnflRwIcpp6UapHAU1OmdzrIFDS57KqWsTztS3U7sYg2PTRrk
+CZBQzAfw8bu7JTXqbHkTbuMgw1lY3HS9U7D3UpzZZ2xTtxgbdI0G2IxBiyoZLeHV
+BcIwQFHxFZZJWLUlrszQM/slVCCMgznaQl44+A3LgUjYeIsQPn6pkNECAwEAAaMN
+MAswCQYDVR0TBAIwADANBgkqhkiG9w0BAQUFAAOCAQEAnG+PiWgxp7cOBkgKgnxz
+JFK7J9f9fXn9vCOkzq//AitwP0A+SrBmccMtqOjjSLu7RCbmBQ9pbMwYPB4/py5f
+d8SfO1ngI8cY5uXCFUylNCWJ5P+uHBNwure7hRrQwswL7+8Elour8CnVfr2Ve/qO
+h2JL1fmoFcQ8KCKrNe01DsMCRq5jZ5AZI84ASiqNmzm4PwbSWiYLqZU+cemzW0xt
+tYMDlN4loJTQJX7o/6izOGWY0IEggoibI80T4dIGnnZqnhpMbASTtSyN6fTNMIWQ
+UQXfNM59GN1Q54UZ0HgXAgxb9jncF95rqPt9yHOUv5OUzLCdRsUWn4cEg9/rsHiu
+ZA==
+-----END CERTIFICATE-----
+@TEST-END-FILE
+
+@TEST-START-FILE ca_cert.pem
+-----BEGIN CERTIFICATE-----
+MIIC6TCCAdGgAwIBAgIJAKb0Por6917kMA0GCSqGSIb3DQEBBQUAMCsxKTAnBgNV
+BAMTIEJybyBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTExMDIwODA0
+MTMyM1oXDTExMDMxMDA0MTMyM1owKzEpMCcGA1UEAxMgQnJvIFJvb3QgQ2VydGlm
+aWNhdGlvbiBBdXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
+AQDfGHPVBuKZa3Dp/V/ntkaNvHrgK/XH02mn5mLnt7eaeCEQKClL1bvQ/iGUrMEi
+CfQBe1zk6B8LnHgwkbOeAO2Kv7+K9rzn25nidAg/GU5o0gxfyqP1Sipfkr+/UrCH
+3fLnjSzZIwT5ypkXZS9UNgRzK/Xk+yAJs6tB5lU+wJofPJdmiH/Ros4ZZ5P/mNf3
+MhoM4Z5i3R3uEDtMCk5IT1zfXGq3FVOMA7jVYakrBccCbWhtyHdQH0i6U9wkfVEj
+o6l6PBPJxhWq0ySVnGdd+i4RCiwRBfeizl2gq0UlZ7/pXjJUZZICqYNPyZdntfMy
+2LUwvKA0y1RSpUrB4ZCkciZ7AgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZI
+hvcNAQEFBQADggEBAIDoYd7ZQpLhm7ajvhqkYdrisxQfoQoCVt+oYm5jaLvzc/1V
+7sxeIatwk3kaowPcxUHHX7JfEPsf4xMGBCFp4Ce/vLXeeA2HBhBVww5sMKoAAtH6
+Y2sTNt2uTE/JUxQl6N+mqmv4y+g1X7uq2N/Eg8zYbgXF6En5L3XuEBdZbSf/AgBg
+d3m6m/N/dHLozZSjfwIQo0eygGEPW+kP7QFkve2L8g4l3k72mcAlCStlfcWDzKrh
+qPrFFujvGMD7MNUSuNbYtGVngDuYOYeHTEggq/kUDS1srMwmv/vQjxQfS9oeU4bG
+4sfSOkNotN+rwX7WQkVUq4IUOJ0q9fEPTosmsbc=
+-----END CERTIFICATE-----
+@TEST-END-FILE
+
diff --git a/testing/btest/istate/events.bro b/testing/btest/istate/events.bro
new file mode 100644
index 0000000000..da9ac4bb58
--- /dev/null
+++ b/testing/btest/istate/events.bro
@@ -0,0 +1,62 @@
+#
+# @TEST-EXEC: btest-bg-run sender   bro -C -r $TRACES/web.trace --pseudo-realtime ../sender.bro
+# @TEST-EXEC: btest-bg-run receiver bro ../receiver.bro
+# @TEST-EXEC: btest-bg-wait -k 20
+#
+# @TEST-EXEC: btest-diff sender/http.log
+# @TEST-EXEC: btest-diff receiver/http.log
+# @TEST-EXEC: cat receiver/http.log | sed 's/^\([^ ]* \)\{2\}//' >http.rec.log
+# @TEST-EXEC: cat sender/http.log | sed 's/^\([^ ]* \)\{2\}//' >http.snd.log
+# @TEST-EXEC: cmp http.rec.log http.snd.log
+#
+# @TEST-EXEC: bro -x sender/events.bst   | sed 's/^Event \[[-0-9.]*\] //g' | sed 's/%events-[^ ]* *//g' | grep '^http_' | grep -v http_stats >events.snd.log
+# @TEST-EXEC: bro -x receiver/events.bst | sed 's/^Event \[[-0-9.]*\] //g' | sed 's/%events-[^ ]* *//g' | grep '^http_' | grep -v http_stats >events.rec.log
+# @TEST-EXEC: cmp events.rec.log events.snd.log
+
+@TEST-START-FILE sender.bro
+
+@load tcp
+@load http-request
+@load http-reply
+@load http-header
+@load http-body
+@load http-abstract
+@load listen-clear
+
+@load capture-events
+
+redef peer_description = "events-send";
+
+# Make sure the HTTP connection really gets out.
+# (We still miss one final connection event because we shutdown before
+# it gets propagated but that's ok.)
+redef tcp_close_delay = 0secs;
+
+@TEST-END-FILE
+
+#############
+
+@TEST-START-FILE receiver.bro
+
+@load tcp
+@load http-request
+@load http-reply
+@load http-header
+@load http-body
+@load http-abstract
+
+@load capture-events
+@load remote
+
+redef peer_description = "events-rcv";
+
+redef Remote::destinations += {
+    ["foo"] = [$host = 127.0.0.1, $events = /http_.*/, $connect=T]
+};
+
+event remote_connection_closed(p: event_peer)
+	{
+	terminate();
+	}
+
+@TEST-END-FILE
diff --git a/testing/btest/istate/persistence.bro b/testing/btest/istate/persistence.bro
new file mode 100644
index 0000000000..7b078baefb
--- /dev/null
+++ b/testing/btest/istate/persistence.bro
@@ -0,0 +1,113 @@
+#
+# @TEST-EXEC: bro -r $TRACES/empty.trace write.bro %INPUT 
+# @TEST-EXEC: cp vars.log vars.write.log
+# @TEST-EXEC: bro read.bro %INPUT 
+# @TEST-EXEC: cp vars.log vars.read.log
+# @TEST-EXEC: btest-diff vars.read.log
+# @TEST-EXEC: btest-diff vars.write.log
+# @TEST-EXEC: cmp vars.read.log vars.write.log
+
+### Common code for reader and writer.
+
+event bro_done()
+	{
+	local out = open("vars.log");
+	print out, foo1;
+	print out, foo2;
+	print out, foo3;
+	print out, foo4;
+	print out, foo5;
+	print out, foo6;
+	print out, foo7;
+	print out, foo8;
+	print out, foo9;
+	print out, foo10;
+	print out, foo11;
+	print out, foo12;
+	print out, foo13;
+	print out, foo14;
+	print out, foo15;
+	print out, foo16;
+	print out, foo17;
+	}
+
+	
+	
+	
+
+@TEST-START-FILE read.bro
+
+global foo1: count &persistent &synchronized;
+global foo2: int &persistent &synchronized;
+global foo3: string &persistent &synchronized; 
+global foo4: addr &persistent &synchronized; 
+global foo5: subnet &persistent &synchronized; 
+global foo6: double &persistent &synchronized; 
+global foo7: net &persistent &synchronized; 
+global foo8: interval &persistent &synchronized; 
+global foo9: table[count] of string &persistent &synchronized;
+global foo10: file &persistent &synchronized; 
+global foo11: pattern &persistent &synchronized; 
+global foo12: set[count] &persistent &synchronized; 
+global foo13: table[count, string] of count &persistent &synchronized;
+global foo14: table[count] of pattern &persistent &synchronized;
+global foo15: port &persistent &synchronized;
+global foo16: vector of count &persistent &synchronized;
+
+type type1: record {
+    a: string;
+    b: count &default=42;
+    c: double &optional;
+    };
+
+type type2: record {
+    a: string;
+    b: type1;
+    c: type1;
+    d: double;
+    };
+
+global foo17: type2  &persistent &synchronized;
+
+@TEST-END-FILE
+
+@TEST-START-FILE write.bro
+
+global foo1 = 42 &persistent &synchronized;
+global foo2 = -42 &persistent &synchronized;
+global foo3 = "Hallihallo" &persistent &synchronized; 
+global foo4 = 1.2.3.4 &persistent &synchronized; 
+global foo5 = 1.2.0.0/16 &persistent &synchronized; 
+global foo6 = 3.14 &persistent &synchronized; 
+global foo7 = 131.159. &persistent &synchronized; 
+global foo8 = 42 secs &persistent &synchronized; 
+global foo9 = { [1] = "qwerty", [2] = "uiop" } &persistent &synchronized;
+global foo10 = open("test") &persistent &synchronized; 
+global foo11 = /12345/ &persistent &synchronized; 
+global foo12 = { 1,2,3,4,5 } &persistent &synchronized; 
+global foo13  =  { [1,"ABC"] = 101, [2,"DEF"] = 102, [3,"GHI"] = 103 } &persistent &synchronized;
+global foo14  =  { [12345] = foo11, [12346] = foo11 } &persistent &synchronized;
+global foo15 = 42/udp &persistent &synchronized;
+global foo16: vector of count = [1,2,3] &persistent &synchronized;
+ 
+type type1: record {
+    a: string;
+    b: count &default=42;
+    c: double &optional;
+    };
+
+type type2: record {
+    a: string;
+    b: type1;
+    c: type1;
+    d: double;
+    };
+
+global foo17: type2 = [
+	$a = "yuyuyu",
+    $b = [$a="rec1", $b=100, $c=1.24],
+    $c = [$a="rec2", $b=200, $c=2.24],
+   	$d = 7.77				   
+	] &persistent &synchronized;
+
+@TEST-END-FILE
diff --git a/testing/btest/istate/pybroccoli.py b/testing/btest/istate/pybroccoli.py
new file mode 100644
index 0000000000..52aba6dfa1
--- /dev/null
+++ b/testing/btest/istate/pybroccoli.py
@@ -0,0 +1,18 @@
+# @TEST-REQUIRES: grep -vq '#define BROv6' $BUILD/config.h
+# @TEST-REQUIRES: test -e $BUILD/aux/broccoli/src/libbroccoli.so
+# @TEST-REQUIRES: test -e $BUILD/aux/broccoli/bindings/broccoli-python/_broccoli_intern.so
+#
+# @TEST-EXEC: btest-bg-run bro    bro %INPUT $DIST/aux/broccoli/bindings/broccoli-python/tests/test.bro
+# @TEST-EXEC: btest-bg-run python PYTHONPATH=$DIST/aux/broccoli/bindings/broccoli-python/:$BUILD/aux/broccoli/bindings/broccoli-python python $DIST/aux/broccoli/bindings/broccoli-python/tests/test.py
+# @TEST-EXEC: btest-bg-wait -k 20
+# @TEST-EXEC: btest-diff bro/.stdout
+#
+# @TEST-EXEC: sed 's/instance at [^>]*>/instance at >/' <python/.stdout >python/.stdout.filtered
+# @TEST-EXEC: btest-diff python/.stdout.filtered
+
+event remote_connection_closed(p: event_peer)
+	{
+	terminate();
+	}
+
+
diff --git a/testing/btest/istate/sync.bro b/testing/btest/istate/sync.bro
new file mode 100644
index 0000000000..639c1b2dfe
--- /dev/null
+++ b/testing/btest/istate/sync.bro
@@ -0,0 +1,167 @@
+#
+# @TEST-EXEC: btest-bg-run sender   bro %INPUT ../sender.bro
+# @TEST-EXEC: btest-bg-run receiver bro %INPUT ../receiver.bro
+# @TEST-EXEC: btest-bg-wait -k 20
+#
+# @TEST-EXEC: btest-diff sender/vars.log
+# @TEST-EXEC: btest-diff receiver/vars.log
+# @TEST-EXEC: cmp sender/vars.log receiver/vars.log
+
+### Common code for sender and receiver.
+
+# Instantiate variables.
+
+global foo1 = 42 &persistent &synchronized;
+global foo2 = -42 &persistent &synchronized;
+global foo3 = "Hallihallo" &persistent &synchronized; 
+global foo4 = 1.2.3.4 &persistent &synchronized; 
+global foo5 = 1.2.0.0/16 &persistent &synchronized; 
+global foo6 = 3.14 &persistent &synchronized; 
+global foo7 = 131.159. &persistent &synchronized; 
+global foo8 = 42 secs &persistent &synchronized; 
+global foo9 = { [1] = "qwerty", [2] = "uiop" } &persistent &synchronized;
+global foo10 = open("test") &persistent &synchronized; 
+global foo11 = /12345/ &persistent &synchronized; 
+global foo12 = { 1,2,3,4,5 } &persistent &synchronized; 
+global foo13  =  { [1,"ABC"] = 101, [2,"DEF"] = 102, [3,"GHI"] = 103 } &persistent &synchronized;
+global foo14  =  { [12345] = foo11, [12346] = foo11 } &persistent &synchronized;
+global foo15 = 42/udp &persistent &synchronized;
+global foo16: vector of count = [1,2,3] &persistent &synchronized;
+ 
+type type1: record {
+    a: string;
+    b: count &default=42;
+    c: double &optional;
+    };
+
+type type2: record {
+    a: string;
+    b: type1;
+    c: type1;
+    d: double;
+    e: double &optional;
+    };
+
+global foo17: type2 = [
+	$a = "yuyuyu",
+	$b = [$a="rec1", $b=100, $c=1.24],
+	$c = [$a="rec2", $b=200, $c=2.24],
+	$d = 7.77, $e=100.0
+	] &persistent &synchronized;
+
+# Print variables.
+
+event bro_done()
+	{
+	local out = open("vars.log");
+	print out, foo1;
+	print out, foo2;
+	print out, foo3;
+	print out, foo4;
+	print out, foo5;
+	print out, foo6;
+	print out, foo7;
+	print out, foo8;
+	print out, foo9;
+	print out, foo10;
+	print out, foo11;
+	print out, foo12;
+	print out, foo13;
+	print out, foo14;
+	print out, foo15;
+	print out, foo16;
+	print out, foo17;
+	}
+
+
+@TEST-START-FILE sender.bro
+
+# Perform modifications on variables.
+
+function modify()
+	{
+	foo1 = 420;
+	++foo1;
+	
+	--foo2;
+	
+	foo3 = "Jodel";
+	
+	foo4 = 4.3.2.1; 
+	
+	foo5 = 4.0.0.0/8; 
+	
+	foo6 = 21;
+	
+	foo7 = 192.150.186; 
+	
+	foo9[3] = "asdfg1";
+	foo9[1] = "asdfg2";
+	delete foo9[2];
+	
+	foo10 = open("test2");
+	
+	foo11 = /abbcdefgh/;
+	
+	add foo12[6];
+	delete foo12[1];
+	
+	foo13[4,"JKL"] = 104;
+	delete foo13[1,"ABC"];
+	++foo13[2,"DEF"];
+	
+	foo14[6767] = /QWERTZ/;
+	
+	foo15 = 6667/tcp;
+	
+	foo16[3] = 4;
+	foo16[1] = 20;
+	++foo16[0];
+	
+	local x: type1;
+	x$a = "pop";
+	++x$b;
+	x$c = 9.999;
+	foo17$a = "zxzxzx";
+	foo17$b = x;
+	foo17$c$a = "IOIOI";
+	++foo17$c$b;
+	foo17$c$c = 612.2;
+	foo17$d = 6.6666;
+	delete foo17$e;
+	
+	foo2 = 1234567;
+}
+
+@load listen-clear
+
+event remote_connection_handshake_done(p: event_peer)
+	{
+	modify();
+	terminate_communication();
+	}
+			 
+redef Remote::destinations += {
+    ["foo"] = [$host = 127.0.0.1, $sync=T]
+};
+
+@TEST-END-FILE
+
+#############
+
+@TEST-START-FILE receiver.bro
+
+@load capture-events	
+@load remote
+
+	
+redef Remote::destinations += {
+    ["foo"] = [$host = 127.0.0.1, $events = /.*/, $connect=T, $sync=T]
+};
+
+event remote_connection_closed(p: event_peer)
+	{
+	terminate();
+	}
+
+@TEST-END-FILE
diff --git a/testing/btest/language/cross-product-init.bro b/testing/btest/language/cross-product-init.bro
new file mode 100644
index 0000000000..c12f9eb0bd
--- /dev/null
+++ b/testing/btest/language/cross-product-init.bro
@@ -0,0 +1,10 @@
+# @TEST-EXEC: bro %INPUT  >output 2>&1
+# @TEST-EXEC: btest-diff output
+
+global my_subs = { 1.2.3.4/19, 5.6.7.8/21 };
+
+global x: set[string, subnet] &redef;
+
+redef x += { [["foo", "bar"], my_subs] };
+
+print x;
diff --git a/testing/btest/language/delete-field-set.bro b/testing/btest/language/delete-field-set.bro
new file mode 100644
index 0000000000..ad7cf6e9fb
--- /dev/null
+++ b/testing/btest/language/delete-field-set.bro
@@ -0,0 +1,16 @@
+# @TEST-EXEC: bro %INPUT >output 2>&1
+# @TEST-EXEC: btest-diff output
+
+type FooBar: record {
+        a: set[string] &default=set();
+        b: table[string] of count &default=table();
+        c: vector of string &default=vector();
+};
+
+global test: FooBar;
+
+delete test$a;
+delete test$b;
+delete test$c;
+
+print test;
diff --git a/testing/btest/language/delete-field.bro b/testing/btest/language/delete-field.bro
new file mode 100644
index 0000000000..477466b76a
--- /dev/null
+++ b/testing/btest/language/delete-field.bro
@@ -0,0 +1,20 @@
+# @TEST-EXEC: bro %INPUT >output 2>&1
+# @TEST-EXEC: btest-diff output
+
+type X: record {
+     a: count &optional;
+     b: count &default=5;
+};
+
+function p(x: X)
+	{
+	print x?$a ? fmt("a: %d", x$a) : "a: not set";
+	print x$b;
+	}
+
+
+global x: X = [$a=20, $b=20];
+p(x);
+delete x$a;
+delete x$b;
+p(x);
diff --git a/testing/btest/language/enum-scope.bro b/testing/btest/language/enum-scope.bro
new file mode 100644
index 0000000000..c8667bfada
--- /dev/null
+++ b/testing/btest/language/enum-scope.bro
@@ -0,0 +1,10 @@
+# @TEST-EXEC: bro %INPUT  >output 2>&1
+# @TEST-EXEC: btest-diff output
+
+type foo: enum { a, b } &redef;
+
+module test;
+
+redef enum foo += { c };
+
+print c;
diff --git a/testing/btest/language/match-test.bro b/testing/btest/language/match-test.bro
new file mode 100644
index 0000000000..9352d0f39f
--- /dev/null
+++ b/testing/btest/language/match-test.bro
@@ -0,0 +1,20 @@
+# @TEST-EXEC: bro %INPUT  >output 2>&1
+# @TEST-EXEC: btest-diff output
+
+global match_stuff = {
+	[$pred(a: count) = { return a > 5; },
+	 $result = "it's big",
+	 $priority = 2],
+
+	[$pred(a: count) = { return a > 15; },
+	 $result = "it's really big",
+	 $priority = 3],
+
+	[$pred(a: count) = { return T; },
+	 $result = "default",
+	 $priority = 0],
+};
+
+print match 0 using match_stuff;
+print match 10 using match_stuff;
+print match 20 using match_stuff;
diff --git a/testing/btest/language/match-test2.bro b/testing/btest/language/match-test2.bro
new file mode 100644
index 0000000000..f1c120adf2
--- /dev/null
+++ b/testing/btest/language/match-test2.bro
@@ -0,0 +1,51 @@
+# @TEST-EXEC: bro %INPUT  >output 2>&1
+# @TEST-EXEC: btest-diff output
+
+type fakealert : record {
+     alert: string;
+};
+
+
+type match_rec : record {
+     result : count;
+     pred : function(rec : fakealert) : bool;
+     priority: count;
+};
+
+
+#global test_set : set[int] = 
+#{
+#1, 2, 3
+#};
+
+global match_set : set[match_rec] = 
+{
+  [$result = 1, $pred(a: fakealert) = { return T; }, $priority = 8 ],
+  [$result = 2, $pred(a: fakealert) = { return T; }, $priority = 9 ]
+};
+
+global al : fakealert;
+
+#global testset : set[fakealert] = 
+#{
+#       [$alert="hithere"]
+#};
+
+
+type nonalert: record {
+     alert : string;
+     pred : function(a : int) : int;
+};
+
+#global na : nonalert;
+#na$alert = "5";
+
+#al$alert = "hithere2";
+#if (al in testset)
+#   print 1;
+#else
+#   print 0;
+
+
+al$alert = "hi";
+print (match al using match_set);
diff --git a/testing/btest/language/next-test.bro b/testing/btest/language/next-test.bro
new file mode 100644
index 0000000000..7e9626a62c
--- /dev/null
+++ b/testing/btest/language/next-test.bro
@@ -0,0 +1,36 @@
+# @TEST-EXEC: bro %INPUT  >output 2>&1
+# @TEST-EXEC: btest-diff output
+
+# This script tests "next" being called during the last iteration of a
+# for loop
+
+event bro_done()
+  {
+
+        local number_set: set[count];
+        local i: count;
+
+        add number_set[0];
+        add number_set[1];
+
+
+        for ( i in number_set )
+                {
+                print fmt ("%d", i);
+                if ( i == 0 )
+                        next;
+                print fmt ("%d", i);
+                }
+        print fmt ("MIDDLE");
+
+
+        for ( i in number_set )
+                {
+                print fmt ("%d", i);
+                if ( i == 1 )
+                        next;
+                print fmt ("%d", i);
+                }
+        print fmt ("THE END");
+
+        }
diff --git a/testing/btest/language/rare-events.bro b/testing/btest/language/rare-events.bro
new file mode 100644
index 0000000000..ae7674d406
--- /dev/null
+++ b/testing/btest/language/rare-events.bro
@@ -0,0 +1,37 @@
+# @TEST-EXEC: bro %INPUT  >output 2>&1
+# @TEST-EXEC: btest-diff output
+
+# This is a test script whose job is to generate rarely-seen events
+# (i.e., events that test traces might not include) to ensure that they're
+# handled properly.
+
+# This is needed or else the output fails on the warning that
+# Drop::restore_dropped_address is never defined.
+redef check_for_unused_event_handlers = F;
+
+@load netstats
+
+function test_net_stats_update()
+    {
+    local t = current_time();
+
+    local s: net_stats;
+    s$pkts_recvd = 1234;
+    s$pkts_dropped = 123;
+    s$pkts_link = 9999;
+
+    event net_stats_update(t, s);
+
+    local s2: net_stats;
+    s2$pkts_recvd = 2341;
+    s2$pkts_dropped = 125;
+    s2$pkts_link = 19999;
+
+    event net_stats_update(t + 33 sec, s2);
+    }
+
+event bro_init()
+    {
+    test_net_stats_update();
+    }
+
diff --git a/testing/btest/language/rec-comp-init.bro b/testing/btest/language/rec-comp-init.bro
new file mode 100644
index 0000000000..598c0cf3bd
--- /dev/null
+++ b/testing/btest/language/rec-comp-init.bro
@@ -0,0 +1,14 @@
+# @TEST-EXEC: bro %INPUT  >output 2>&1
+# @TEST-EXEC: btest-diff output
+
+# Make sure composit types in records are initialized.
+
+type Foo: record {
+	a: set[count];
+	b: table[count] of string;
+	c: vector of string;
+};
+
+global f: Foo;
+
+print f;
diff --git a/testing/btest/language/rec-nested-opt.bro b/testing/btest/language/rec-nested-opt.bro
new file mode 100644
index 0000000000..ab1a64dffd
--- /dev/null
+++ b/testing/btest/language/rec-nested-opt.bro
@@ -0,0 +1,24 @@
+# @TEST-EXEC: bro %INPUT >output 2>&1
+# @TEST-EXEC: btest-diff output
+
+type Version: record {
+        major:  count &optional;    ##< Major version number
+        minor:  count &optional;    ##< Minor version number
+        addl:   string &optional;  ##< Additional version string (e.g. "beta42")
+} &log;
+
+type Info: record {
+	name: string;
+	version: Version;
+	host: addr;
+	ts: time;
+};
+
+
+# Important thing to note here is that $minor2 is not include in the $version field.
+global matched_software: table[string] of Info = {
+        ["Wget/1.9+cvs-stable (Red Hat modified)"] =
+                [$name="Wget", $version=[$major=1,$minor=9,$addl="+cvs"], $host=0.0.0.0, $ts=network_time()],
+};
+
+print matched_software;
diff --git a/testing/btest/language/rec-of-tbl.bro b/testing/btest/language/rec-of-tbl.bro
new file mode 100644
index 0000000000..59d770bb30
--- /dev/null
+++ b/testing/btest/language/rec-of-tbl.bro
@@ -0,0 +1,16 @@
+# @TEST-EXEC: bro %INPUT  >output 2>&1
+# @TEST-EXEC: btest-diff output
+
+type x: record {
+	a: table[int] of count;
+};
+
+global y: x;
+
+global yy: table[int] of count;
+
+y$a = yy;
+
+y$a[+5] = 3;
+
+print y;
diff --git a/testing/btest/language/rec-table-default.bro b/testing/btest/language/rec-table-default.bro
new file mode 100644
index 0000000000..ee4a0e25ee
--- /dev/null
+++ b/testing/btest/language/rec-table-default.bro
@@ -0,0 +1,18 @@
+# @TEST-EXEC: bro %INPUT >output 2>&1
+# @TEST-EXEC: btest-diff output
+
+type X: record {
+     a: table[string] of bool &default=table( ["foo"] = T );
+     b: table[string] of bool &default=table();
+     c: set[string] &default=set("A", "B", "C");
+     d: set[string] &default=set();
+};
+
+global x: X;
+global y: table[string] of bool &default=T;
+
+print x$a;
+print x$b;
+print x$c;
+print x$d;
+
diff --git a/testing/btest/language/record-extension.bro b/testing/btest/language/record-extension.bro
new file mode 100644
index 0000000000..c05b9da5e8
--- /dev/null
+++ b/testing/btest/language/record-extension.bro
@@ -0,0 +1,19 @@
+# @TEST-EXEC: bro %INPUT >output
+# @TEST-EXEC: btest-diff output
+
+type Foo: record {
+        a: count;
+        b: count &optional;
+};
+
+redef record Foo += {
+        c: count &default=42;
+        d: count &optional;
+};
+
+global f1: Foo = [$a=21];
+global f2: Foo = [$a=21, $d="XXX"];
+
+print f1;
+print f2;
+
diff --git a/testing/btest/language/record-recursive-coercion.bro b/testing/btest/language/record-recursive-coercion.bro
new file mode 100644
index 0000000000..eda80e3d11
--- /dev/null
+++ b/testing/btest/language/record-recursive-coercion.bro
@@ -0,0 +1,24 @@
+# @TEST-EXEC: bro %INPUT >output 2>&1
+# @TEST-EXEC: btest-diff output
+
+type Version: record {
+        major:  count  &optional;
+        minor:  count  &optional;
+        minor2: count  &optional;
+        addl:   string &optional;
+};
+
+type Info: record {
+        name:    string;
+        version: Version;
+};
+
+global matched_software: table[string] of Info = {
+        ["OpenSSH_4.4"] = [$name="OpenSSH", $version=[$major=4,$minor=4]],
+};
+
+event bro_init()
+        {
+        for ( sw in matched_software )
+                print matched_software[sw]$version;
+        }
diff --git a/testing/btest/language/record-ref-assign.bro b/testing/btest/language/record-ref-assign.bro
new file mode 100644
index 0000000000..f71bc3890c
--- /dev/null
+++ b/testing/btest/language/record-ref-assign.bro
@@ -0,0 +1,12 @@
+# @TEST-EXEC: bro %INPUT >output
+# @TEST-EXEC: btest-diff output
+
+type State: record {
+	host: string &default="NOT SET";
+};
+
+global session: State;
+global s: State;
+s = session;
+s$host = "XXX";
+print s$host, session$host;
diff --git a/testing/btest/language/sizeof.bro b/testing/btest/language/sizeof.bro
new file mode 100644
index 0000000000..7db78212ad
--- /dev/null
+++ b/testing/btest/language/sizeof.bro
@@ -0,0 +1,119 @@
+# @TEST-EXEC: bro %INPUT  >output 2>&1
+# @TEST-EXEC: btest-diff output
+
+# Demo policy for the sizeof operator "|x|".
+# ------------------------------------------
+#
+# This script creates various types and values and shows the result of the
+# sizeof operator on these values.
+#
+# For any types not covered in this script, the sizeof operator's semantics
+# are not defined and its application returns a count of 0. At the moment
+# the only type where this should happen is string patterns.
+
+type example_enum: enum { ENUM1, ENUM2, ENUM3 };
+
+type example_record: record {
+	i: int &optional;
+	j: int &optional;
+	k: int &optional;
+};
+
+global a:  addr = 1.2.3.4;
+global b:  bool = T;
+global c:  count = 10;
+global d:  double = -1.23;
+global f:  file = open_log_file("sizeof_demo");
+global i:  int = -10;
+global iv: interval = -5sec;
+global n:  net = 192.168.;
+global p:  port = 80/tcp;
+global r:  example_record [ $i = 10 ];
+global si: set[int];
+global s:  string = "Hello";
+global sn: subnet = 192.168.0.0/24;
+global t:  table[string] of string;
+global ti: time = current_time();
+global v:  vector of string;
+
+# Additional initialization
+#
+print f, "12345678901234567890";
+
+add si[1];
+add si[10];
+add si[100];
+
+t["foo"] = "Hello";
+t["bar"] = "World";
+
+v[0] = "Hello";
+v[4] = "World";
+
+# Print out the sizes of the various vals:
+#-----------------------------------------
+
+# Size of addr: returns integer representation for IPv4, 0 for IPv6.
+print fmt("Address %s: %d", a, |a|);
+
+# Size of boolean: returns 1 or 0.
+print fmt("Boolean %s: %d", b, |b|);
+
+# Size of count: identity.
+print fmt("Count %s: %d", c, |c|);
+
+# Size of double: returns absolute value.
+print fmt("Double %s: %f", d, |d|);
+
+# Size of enum: returns numeric value of enum constant.
+print fmt("Enum %s: %d", ENUM3, |ENUM3|);
+
+# Size of file: returns current file size.
+# Note that this is a double so that file sizes >> 4GB
+# can be expressed.
+print fmt("File %f", |f|);
+
+# Size of function: returns number of arguments.
+print fmt("Function add_interface: %d", |add_interface|);
+
+# Size of integer: returns absolute value.
+print fmt("Integer %s: %d", i, |i|);
+
+# Size of interval: returns double representation of the interval
+print fmt("Interval %s: %f", iv, |iv|);
+
+# Size of net: returns size of class N network as a double
+# (so that 2^32 can be expressed too).
+print fmt("Net %s: %f", n, |n|);
+
+# Size of port: returns port number as a count.
+print fmt("Port %s: %d", p, |p|);
+
+# Size of record: returns number of fields (assigned + unassigned)
+print fmt("Record %s: %d", r, |r|);
+
+# Size of set: returns number of elements in set.
+# Don't print the set, as its order depends on the seeding of the hash
+# fnction, and it's not worth the trouble to normalize it.
+print fmt("Set: %d", |si|);
+
+# Size of string: returns string length.
+print fmt("String '%s': %d", s, |s|);
+
+# Size of subnet: returns size of net as a double 
+# (so that 2^32 can be expressed too).
+print fmt("Subnet %s: %f", sn, |sn|);
+
+# Size of table: returns number of elements in table
+print fmt("Table %d", |t|);
+
+# Size of time: returns double representation of the time
+# print fmt("Time %s: %f", ti, |ti|);
+
+# Size of vector: returns largest assigned index.
+# Note that this is not the number of assigned values.
+# The following prints "5":
+#
+print fmt("Vector %s: %d", v, |v|);
+
+close(f);
diff --git a/testing/btest/language/smith-waterman-test.bro b/testing/btest/language/smith-waterman-test.bro
new file mode 100644
index 0000000000..50f5c1dae1
--- /dev/null
+++ b/testing/btest/language/smith-waterman-test.bro
@@ -0,0 +1,88 @@
+# @TEST-EXEC: bro %INPUT  >output 2>&1
+# @TEST-EXEC: btest-diff output
+
+global params: sw_params = [ $min_strlen = 2, $sw_variant = 0 ];
+
+global min: vector of count;
+global mode: vector of count;
+global c: count = 0;
+
+# Alignment pairs:
+global s1: string_vec;
+global s2: string_vec;
+
+# Single alignment, no matches:
+s1[++c] = "abcdefgh";
+s2[c] = "ijklmnop";
+min[c] = 2;;
+mode[c] = 0;
+
+# Simple single match, beginning:
+s1[++c] = "AAAabcefghij";
+s2[c] = "lmnopAAAqrst";
+min[c] = 2;;
+mode[c] = 0;
+
+# Simple single match, middle:
+s1[++c] = "abcAAAefghij";
+s2[c] = "lmnopAAAqrst";
+min[c] = 2;;
+mode[c] = 0;
+
+# Simple single match, end:
+s1[++c] = "abcefghijAAA";
+s2[c] = "lmnopAAAqrst";
+min[c] = 2;;
+mode[c] = 0;
+
+# Repeated alignment:
+s1[++c] = "xxxAAAyyy";
+s2[c] = "AAAaAAAbAAA";
+min[c] = 2;;
+mode[c] = 1;
+
+# Repeated alignment, swapped input:
+s1[++c] = "AAAaAAAbAAA";
+s2[c] = "xxxAAAyyy";
+min[c] = 2;;
+mode[c] = 1;
+
+# Repeated alignment, split:
+s1[++c] = "xxCDyABzCDyABzz";
+s2[c] = "ABCD";
+min[c] = 2;;
+mode[c] = 1;
+
+# Repeated alignment, split, swapped:
+s1[++c] = "ABCD";
+s2[c] = "xxCDyABzCDyABzz";
+min[c] = 2;;
+mode[c] = 1;
+
+# Used to cause problems
+s1[++c] = "Cache-control: no-cache^M^JAccept:";
+s2[c] = "Accept-: deflate^M^JAccept-: Accept-";
+min[c] = 6;
+mode[c] = 1;
+
+# Repeated occurrences in shorter string
+s1[++c] = "xxAAxxAAxx";
+s2[c]   = "yyyyyAAyyyyy";
+min[c] = 2;
+mode[c] = 1;
+
+for ( i in s1 )
+	{
+	local ss: sw_substring_vec;
+
+	params$min_strlen = min[i];
+	params$sw_variant = mode[i];
+	ss = str_smith_waterman(s1[i], s2[i], params);
+
+	print fmt("%s - %s:", s1[i], s2[i]);
+
+	for ( j in ss )
+		print fmt("tok %d: %s (%d/%d, %s)",
+				j, ss[j]$str, ss[j]$aligns[1]$index,
+				ss[j]$aligns[2]$index, ss[j]$new);
+	}
diff --git a/testing/btest/language/strings.bro b/testing/btest/language/strings.bro
new file mode 100644
index 0000000000..8e9eef43bf
--- /dev/null
+++ b/testing/btest/language/strings.bro
@@ -0,0 +1,48 @@
+# @TEST-EXEC: bro %INPUT  >output 2>&1
+# @TEST-EXEC: btest-diff output
+
+# Demo policy for string functions
+#
+
+event bro_init()
+{
+	local s1: string = "broisaveryneatids";
+
+	print fmt("Input string: %s", s1);
+	print fmt();
+	print fmt("String splitting");
+	print fmt("----------------");
+
+	local idx1: index_vec;
+
+	idx1[0] =  0; # We really need initializers for vectors ...
+	idx1[1] =  3;
+	idx1[2] =  5;
+	idx1[3] =  6;
+	idx1[4] = 10;
+	idx1[5] = 14;
+
+	print fmt("Splitting '%s' at %d points...", s1, |idx1|);
+	local res_split: string_vec = str_split(s1, idx1);
+
+	for ( i in res_split )
+		print res_split[i];
+
+	print fmt();
+	print fmt("Substrings");
+	print fmt("----------");
+	print fmt("3@0: %s", sub_bytes(s1, 0, 3));
+	print fmt("5@2: %s", sub_bytes(s1, 2, 5));
+	print fmt("7@4: %s", sub_bytes(s1, 4, 7));
+	print fmt("10@10: %s", sub_bytes(s1, 10, 10));
+	print fmt();
+
+
+	print fmt("Finding strings");
+	print fmt("---------------");
+	print fmt("isa: %d", strstr(s1, "isa"));
+	print fmt("very: %d", strstr(s1, "very"));
+	print fmt("ids: %d", strstr(s1, "ids"));
+	print fmt("nono: %d", strstr(s1, "nono"));
+}
+
diff --git a/testing/btest/language/vector-coerce-expr.bro b/testing/btest/language/vector-coerce-expr.bro
new file mode 100644
index 0000000000..d58417f226
--- /dev/null
+++ b/testing/btest/language/vector-coerce-expr.bro
@@ -0,0 +1,20 @@
+# @TEST-EXEC: bro %INPUT >output 2>&1
+# @TEST-EXEC: btest-diff output
+
+type X: record {
+     a: vector of bool &default=vector(T, F, T);
+     b: vector of bool &default=vector();
+};
+
+global x: X;
+
+global a: vector of count;
+
+a = vector();
+print a;
+
+a = vector(1,2,3);
+print a;
+
+print x$a;
+print x$b;
diff --git a/testing/btest/language/wrong-delete-field.bro b/testing/btest/language/wrong-delete-field.bro
new file mode 100644
index 0000000000..0b58cc6fa0
--- /dev/null
+++ b/testing/btest/language/wrong-delete-field.bro
@@ -0,0 +1,10 @@
+# @TEST-EXEC-FAIL: bro %INPUT  >output 2>&1
+# @TEST-EXEC: btest-diff output
+
+type X: record {
+     a: count;
+};
+
+global x: X = [$a=20];
+
+delete x$a;
diff --git a/testing/btest/language/wrong-record-extension.bro b/testing/btest/language/wrong-record-extension.bro
new file mode 100644
index 0000000000..4e0210546a
--- /dev/null
+++ b/testing/btest/language/wrong-record-extension.bro
@@ -0,0 +1,14 @@
+# @TEST-EXEC-FAIL: bro %INPUT  >output.tmp 2>&1 
+# @TEST-EXEC: sed 's#^.*:##g' <output.tmp >output
+# @TEST-EXEC: btest-diff output
+
+type Foo: record {
+        a: count;
+        b: count &optional;
+};
+
+redef record Foo += {
+        c: count;
+        d: string &optional;
+};
+
diff --git a/testing/btest/logging/adapt-filter.bro b/testing/btest/logging/adapt-filter.bro
new file mode 100644
index 0000000000..6312e4c106
--- /dev/null
+++ b/testing/btest/logging/adapt-filter.bro
@@ -0,0 +1,35 @@
+
+# @TEST-EXEC: bro %INPUT 
+# @TEST-EXEC: btest-diff ssh-new-default.log
+# @TEST-EXEC: test '!' -e ssh.log
+
+module SSH;
+
+@load logging
+
+export {
+	# Create a new ID for our log stream
+	redef enum Log::ID += { SSH };
+
+	# Define a record with all the columns the log file can have.
+	# (I'm using a subset of fields from ssh-ext for demonstration.)
+	type Log: record {
+		t: time;
+		id: conn_id; # Will be rolled out into individual columns.
+		status: string &optional;
+		country: string &default="unknown";
+	} &log;
+}
+
+event bro_init()
+{
+	Log::create_stream(SSH, [$columns=Log]);
+
+	local filter = Log::get_filter(SSH, "default");
+	filter$path= "ssh-new-default";
+	Log::add_filter(SSH, filter);
+
+    local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="success"]);
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
+}
diff --git a/testing/btest/logging/ascii-binary.bro b/testing/btest/logging/ascii-binary.bro
new file mode 100644
index 0000000000..6f095db0c7
--- /dev/null
+++ b/testing/btest/logging/ascii-binary.bro
@@ -0,0 +1,25 @@
+#
+# @TEST-EXEC: bro %INPUT
+# @TEST-EXEC: btest-diff ssh.log
+
+module SSH;
+
+export {
+	redef enum Log::ID += { SSH };
+
+	type Log: record {
+		data: string;
+		data2: string;
+	} &log;
+}
+
+redef LogAscii::separator = "|";
+
+event bro_init()
+{
+	Log::create_stream(SSH, [$columns=Log]);
+	Log::write(SSH, [$data="abc\n\xffdef", $data2="DATA2"]);
+	Log::write(SSH, [$data="abc|\xffdef", $data2="DATA2"]);
+	Log::write(SSH, [$data="abc\xff|def", $data2="DATA2"]);
+}
+
diff --git a/testing/btest/logging/ascii-empty.bro b/testing/btest/logging/ascii-empty.bro
new file mode 100644
index 0000000000..9e91ebc089
--- /dev/null
+++ b/testing/btest/logging/ascii-empty.bro
@@ -0,0 +1,38 @@
+#
+# @TEST-EXEC: bro %INPUT >output
+# @TEST-EXEC: btest-diff output
+
+redef LogAscii::output_to_stdout = T;
+redef LogAscii::separator = "|";
+redef LogAscii::empty_field = "EMPTY";
+redef LogAscii::unset_field = "NOT-SET";
+redef LogAscii::header_prefix = "PREFIX<>";
+
+module SSH;
+
+export {
+	redef enum Log::ID += { SSH };
+
+	type Log: record {
+		t: time;
+		id: conn_id; # Will be rolled out into individual columns.
+		status: string &optional;
+		country: string &default="unknown";
+		b: bool &optional;
+	} &log;
+}
+
+event bro_init()
+{
+	Log::create_stream(SSH, [$columns=Log]);
+
+    local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
+
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="success"]);
+	Log::write(SSH, [$t=network_time(), $id=cid, $country="US"]);
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
+	Log::write(SSH, [$t=network_time(), $id=cid, $country="BR"]);
+	Log::write(SSH, [$t=network_time(), $id=cid, $b=T, $status="failure", $country=""]);
+	
+}
+
diff --git a/testing/btest/logging/ascii-escape.bro b/testing/btest/logging/ascii-escape.bro
new file mode 100644
index 0000000000..7acea46250
--- /dev/null
+++ b/testing/btest/logging/ascii-escape.bro
@@ -0,0 +1,32 @@
+#
+# @TEST-EXEC: bro %INPUT 
+# @TEST-EXEC: btest-diff ssh.log
+
+redef LogAscii::separator = "||";
+
+module SSH;
+
+export {
+	redef enum Log::ID += { SSH };
+
+	type Log: record {
+		t: time;
+		id: conn_id; # Will be rolled out into individual columns.
+		status: string &optional;
+		country: string &default="unknown";
+	} &log;
+}
+
+event bro_init()
+{
+	Log::create_stream(SSH, [$columns=Log]);
+
+    local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
+
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="success"]);
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="fa||ure", $country="UK"]);
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="su||ess", $country="BR"]);
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="MX"]);	
+}
+
diff --git a/testing/btest/logging/ascii-options.bro b/testing/btest/logging/ascii-options.bro
new file mode 100644
index 0000000000..3f33c17b96
--- /dev/null
+++ b/testing/btest/logging/ascii-options.bro
@@ -0,0 +1,35 @@
+#
+# @TEST-EXEC: bro %INPUT >output
+# @TEST-EXEC: btest-diff output
+
+redef LogAscii::output_to_stdout = T;
+redef LogAscii::separator = "|";
+redef LogAscii::include_header = F;
+
+module SSH;
+
+export {
+	redef enum Log::ID += { SSH };
+
+	type Log: record {
+		t: time;
+		id: conn_id; # Will be rolled out into individual columns.
+		status: string &optional;
+		country: string &default="unknown";
+	} &log;
+}
+
+event bro_init()
+{
+	Log::create_stream(SSH, [$columns=Log]);
+
+    local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
+
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="success"]);
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="success", $country="BR"]);
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="MX"]);
+	
+}
+
diff --git a/testing/btest/logging/attr-extend.bro b/testing/btest/logging/attr-extend.bro
new file mode 100644
index 0000000000..4d7e96b98e
--- /dev/null
+++ b/testing/btest/logging/attr-extend.bro
@@ -0,0 +1,37 @@
+#
+# @TEST-EXEC: bro %INPUT
+# @TEST-EXEC: btest-diff ssh.log
+
+module SSH;
+
+export {
+	redef enum Log::ID += { SSH };
+
+	type Log: record {
+		t: time;
+		id: conn_id;
+		status: string &optional &log;
+		country: string &default="unknown" &log;
+	};
+}
+
+redef record Log += {
+	a1: count &log &optional;
+	a2: count &optional;
+};
+
+redef record Log += {
+	b1: count &optional;
+	b2: count &optional;
+} &log;
+
+
+event bro_init()
+{
+	Log::create_stream(SSH, [$columns=Log]);
+
+    local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
+
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="success", $a1=1, $a2=2, $b1=3, $b2=4]);
+}
+
diff --git a/testing/btest/logging/attr.bro b/testing/btest/logging/attr.bro
new file mode 100644
index 0000000000..658dcae04b
--- /dev/null
+++ b/testing/btest/logging/attr.bro
@@ -0,0 +1,31 @@
+#
+# @TEST-EXEC: bro %INPUT
+# @TEST-EXEC: btest-diff ssh.log
+
+module SSH;
+
+export {
+	redef enum Log::ID += { SSH };
+
+	type Log: record {
+		t: time;
+		id: conn_id;
+		status: string &optional &log;
+		country: string &default="unknown" &log;
+	};
+}
+
+event bro_init()
+{
+	Log::create_stream(SSH, [$columns=Log]);
+
+    local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
+
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="success"]);
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="success", $country="BR"]);
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="MX"]);
+	
+}
+
diff --git a/testing/btest/logging/disable-stream.bro b/testing/btest/logging/disable-stream.bro
new file mode 100644
index 0000000000..472766d8e0
--- /dev/null
+++ b/testing/btest/logging/disable-stream.bro
@@ -0,0 +1,33 @@
+#
+# @TEST-EXEC: bro %INPUT
+# @TEST-EXEC: test '!' -e ssh.log
+
+module SSH;
+
+export {
+	redef enum Log::ID += { SSH };
+
+	type Log: record {
+		t: time;
+		id: conn_id; # Will be rolled out into individual columns.
+		status: string &optional;
+		country: string &default="unknown";
+	} &log;
+}
+
+event bro_init()
+{
+	Log::create_stream(SSH, [$columns=Log]);
+
+	Log::disable_stream(SSH);
+
+    local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
+
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="success"]);
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="success", $country="BR"]);
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="MX"]);
+	
+}
+
diff --git a/testing/btest/logging/empty-event.bro b/testing/btest/logging/empty-event.bro
new file mode 100644
index 0000000000..3e343b75a2
--- /dev/null
+++ b/testing/btest/logging/empty-event.bro
@@ -0,0 +1,33 @@
+#
+# @TEST-EXEC: bro %INPUT
+# @TEST-EXEC: btest-diff ssh.log
+
+module SSH;
+
+export {
+	redef enum Log::ID += { SSH };
+
+	type Log: record {
+		t: time;
+		id: conn_id; # Will be rolled out into individual columns.
+		status: string &optional;
+		country: string &default="unknown";
+	} &log;
+}
+
+global log_ssh: event(rec: Log);
+
+event bro_init()
+{
+	Log::create_stream(SSH, [$columns=Log, $ev=log_ssh]);
+
+    local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
+
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="success"]);
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="success", $country="BR"]);
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="MX"]);
+	
+}
+
diff --git a/testing/btest/logging/events.bro b/testing/btest/logging/events.bro
new file mode 100644
index 0000000000..101b13b095
--- /dev/null
+++ b/testing/btest/logging/events.bro
@@ -0,0 +1,39 @@
+
+# @TEST-EXEC: bro %INPUT >output
+# @TEST-EXEC: btest-diff output
+
+module SSH;
+
+@load logging
+
+export {
+	# Create a new ID for our log stream
+	redef enum Log::ID += { SSH };
+
+	# Define a record with all the columns the log file can have.
+	# (I'm using a subset of fields from ssh-ext for demonstration.)
+	type Log: record {
+		t: time;
+		id: conn_id; # Will be rolled out into individual columns.
+		status: string &optional;
+		country: string &default="unknown";
+	} &log;
+}
+
+global ssh_log: event(rec: Log);
+
+event bro_init()
+{
+	Log::create_stream(SSH, [$columns=Log, $ev=ssh_log]);
+
+    local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
+	local r: Log = [$t=network_time(), $id=cid, $status="success"];
+	Log::write(SSH, r);
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
+	
+}
+
+event ssh_log(rec: Log)
+	{
+	print rec;
+	}
diff --git a/testing/btest/logging/exclude.bro b/testing/btest/logging/exclude.bro
new file mode 100644
index 0000000000..46603d3202
--- /dev/null
+++ b/testing/btest/logging/exclude.bro
@@ -0,0 +1,34 @@
+#
+# @TEST-EXEC: bro %INPUT
+# @TEST-EXEC: btest-diff ssh.log
+
+module SSH;
+
+export {
+	redef enum Log::ID += { SSH };
+
+	type Log: record {
+		t: time;
+		id: conn_id; # Will be rolled out into individual columns.
+		status: string &optional;
+		country: string &default="unknown";
+	} &log;
+}
+
+event bro_init()
+{
+	Log::create_stream(SSH, [$columns=Log]);
+
+	Log::remove_default_filter(SSH);
+	Log::add_filter(SSH, [$name="f1", $exclude=set("t", "id.orig_h")]);
+
+	local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
+
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="success"]);
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="success", $country="BR"]);
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="MX"]);
+	
+}
+
diff --git a/testing/btest/logging/file.bro b/testing/btest/logging/file.bro
new file mode 100644
index 0000000000..6d73ec52dd
--- /dev/null
+++ b/testing/btest/logging/file.bro
@@ -0,0 +1,23 @@
+#
+# @TEST-EXEC: bro %INPUT
+# @TEST-EXEC: btest-diff ssh.log
+
+module SSH;
+
+export {
+	redef enum Log::ID += { SSH };
+
+	type Log: record {
+		t: time;
+		f: file;
+	} &log;
+}
+
+const foo_log = open_log_file("Foo") &redef;
+
+event bro_init()
+{
+	Log::create_stream(SSH, [$columns=Log]);
+	Log::write(SSH, [$t=network_time(), $f=foo_log]);
+}
+
diff --git a/testing/btest/logging/include.bro b/testing/btest/logging/include.bro
new file mode 100644
index 0000000000..f1fac64bbd
--- /dev/null
+++ b/testing/btest/logging/include.bro
@@ -0,0 +1,34 @@
+#
+# @TEST-EXEC: bro %INPUT
+# @TEST-EXEC: btest-diff ssh.log
+
+module SSH;
+
+export {
+	redef enum Log::ID += { SSH };
+
+	type Log: record {
+		t: time;
+		id: conn_id; # Will be rolled out into individual columns.
+		status: string &optional;
+		country: string &default="unknown";
+	} &log;
+}
+
+event bro_init()
+{
+	Log::create_stream(SSH, [$columns=Log]);
+
+	Log::remove_default_filter(SSH);
+	Log::add_filter(SSH, [$name="default", $include=set("t", "id.orig_h")]);
+
+	local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
+
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="success"]);
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="success", $country="BR"]);
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="MX"]);
+	
+}
+
diff --git a/testing/btest/logging/no-local.bro b/testing/btest/logging/no-local.bro
new file mode 100644
index 0000000000..eb6cb60151
--- /dev/null
+++ b/testing/btest/logging/no-local.bro
@@ -0,0 +1,33 @@
+#
+# @TEST-EXEC: bro %INPUT
+# @TEST-EXEC: test '!' -e ssh.log
+
+module SSH;
+
+export {
+	redef enum Log::ID += { SSH };
+
+	type Log: record {
+		t: time;
+		id: conn_id; # Will be rolled out into individual columns.
+		status: string &optional;
+		country: string &default="unknown";
+	} &log;
+}
+
+redef Log::enable_local_logging = F;
+
+event bro_init()
+{
+	Log::create_stream(SSH, [$columns=Log]);
+
+    local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
+
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="success"]);
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="success", $country="BR"]);
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="MX"]);
+	
+}
+
diff --git a/testing/btest/logging/path-func.bro b/testing/btest/logging/path-func.bro
new file mode 100644
index 0000000000..b744057a84
--- /dev/null
+++ b/testing/btest/logging/path-func.bro
@@ -0,0 +1,50 @@
+
+# @TEST-EXEC: bro %INPUT
+# @TEST-EXEC: ( ls static-*; cat static-* ) >output
+# @TEST-EXEC: btest-diff output
+
+module SSH;
+
+@load logging
+
+export {
+	# Create a new ID for our log stream
+	redef enum Log::ID += { SSH };
+
+	# Define a record with all the columns the log file can have.
+	# (I'm using a subset of fields from ssh-ext for demonstration.)
+	type Log: record {
+		t: time;
+		id: conn_id; # Will be rolled out into individual columns.
+		status: string &optional;
+		country: string &default="unknown";
+	} &log;
+}
+
+global c = -1;
+
+function path_func(id: Log::ID, path: string) : string
+	{
+	c = (c + 1) % 3;
+
+	return fmt("%s-%d", path, c);
+	}
+
+event bro_init()
+{
+	Log::create_stream(SSH, [$columns=Log]);
+	Log::remove_default_filter(SSH);
+
+	Log::add_filter(SSH, [$name="dyn", $path="static-prefix", $path_func=path_func]);
+
+	Log::set_buf(SSH, F);
+
+    local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="success"]);
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="success", $country="BR"]);
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="MX"]);
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="MX2"]);
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="MX3"]);
+}
diff --git a/testing/btest/logging/pred.bro b/testing/btest/logging/pred.bro
new file mode 100644
index 0000000000..eb1a02cf08
--- /dev/null
+++ b/testing/btest/logging/pred.bro
@@ -0,0 +1,41 @@
+
+# @TEST-EXEC: bro %INPUT 
+# @TEST-EXEC: btest-diff ssh.success.log
+# @TEST-EXEC: btest-diff ssh.failure.log
+
+module SSH;
+
+@load logging
+
+export {
+	# Create a new ID for our log stream
+	redef enum Log::ID += { SSH };
+
+	# Define a record with all the columns the log file can have.
+	# (I'm using a subset of fields from ssh-ext for demonstration.)
+	type Log: record {
+		t: time;
+		id: conn_id; # Will be rolled out into individual columns.
+		status: string &optional;
+		country: string &default="unknown";
+	} &log;
+}
+
+function fail(rec: Log): bool
+	{
+	return rec$status != "success";
+	}
+
+event bro_init()
+{
+	Log::create_stream(SSH, [$columns=Log]);
+	Log::remove_default_filter(SSH);
+	Log::add_filter(SSH, [$name="f1", $path="ssh.success", $pred=function(rec: Log): bool { return rec$status == "success"; }]);
+	Log::add_filter(SSH, [$name="f2", $path="ssh.failure", $pred=fail]);
+
+    local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
+	local r: Log = [$t=network_time(), $id=cid, $status="success"];
+	Log::write(SSH, r);
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
+	
+}
diff --git a/testing/btest/logging/remote-types.bro b/testing/btest/logging/remote-types.bro
new file mode 100644
index 0000000000..ecf3e96bc5
--- /dev/null
+++ b/testing/btest/logging/remote-types.bro
@@ -0,0 +1,93 @@
+#
+# @TEST-EXEC: btest-bg-run sender bro --pseudo-realtime %INPUT ../sender.bro
+# @TEST-EXEC: sleep 1
+# @TEST-EXEC: btest-bg-run receiver bro --pseudo-realtime %INPUT ../receiver.bro
+# @TEST-EXEC: sleep 1
+# @TEST-EXEC: btest-bg-wait -k 1
+# @TEST-EXEC: btest-diff receiver/ssh.log
+# @TEST-EXEC: cmp receiver/ssh.log sender/ssh.log
+
+# Remote version testing all types.
+
+# This is the common part loaded by both sender and receiver.
+
+redef LogAscii::empty_field = "EMPTY";
+
+module SSH;
+
+export {
+	# Create a new ID for our log stream
+	redef enum Log::ID += { SSH };
+
+	type Log: record {
+		b: bool;
+		i: int;
+		e: Log::ID;
+		c: count;
+		p: port;
+		sn: subnet;
+		n: net;
+		a: addr;
+		d: double;
+		t: time;
+		iv: interval;
+		s: string;
+		sc: set[count];
+		ss: set[string];
+		se: set[string];
+		vc: vector of count;
+		ve: vector of string;
+	} &log;
+}
+
+event bro_init()
+{
+	Log::create_stream(SSH, [$columns=Log]);
+}
+
+#####
+
+@TEST-START-FILE sender.bro
+
+module SSH;
+
+@load listen-clear
+
+event remote_connection_handshake_done(p: event_peer)
+	{
+	local empty_set: set[string];
+	local empty_vector: vector of string;
+
+	Log::write(SSH, [
+		$b=T,
+		$i=-42,
+		$e=SSH,
+		$c=21,
+		$p=123/tcp,
+		$sn=10.0.0.1/24,
+		$n=10.0.,
+		$a=1.2.3.4,
+		$d=3.14,
+		$t=network_time(),
+		$iv=100secs,
+		$s="hurz",
+		$sc=set(1,2,3,4),
+		$ss=set("AA", "BB", "CC"),
+		$se=empty_set,
+		$vc=vector(10, 20, 30),
+		$ve=empty_vector
+		]);
+	}
+@TEST-END-FILE
+
+@TEST-START-FILE receiver.bro
+
+#####
+
+@load remote
+
+redef Remote::destinations += {
+    ["foo"] = [$host = 127.0.0.1, $connect=T, $request_logs=T]
+};
+
+@TEST-END-FILE
diff --git a/testing/btest/logging/remote.bro b/testing/btest/logging/remote.bro
new file mode 100644
index 0000000000..cd0a361b7c
--- /dev/null
+++ b/testing/btest/logging/remote.bro
@@ -0,0 +1,77 @@
+#
+# @TEST-EXEC: btest-bg-run sender bro --pseudo-realtime %INPUT ../sender.bro
+# @TEST-EXEC: sleep 1
+# @TEST-EXEC: btest-bg-run receiver bro --pseudo-realtime %INPUT ../receiver.bro
+# @TEST-EXEC: sleep 1
+# @TEST-EXEC: btest-bg-wait -k 1
+# @TEST-EXEC: btest-diff sender/ssh.log
+# @TEST-EXEC: btest-diff sender/ssh.failure.log
+# @TEST-EXEC: btest-diff sender/ssh.success.log
+# @TEST-EXEC: cmp receiver/ssh.log sender/ssh.log
+# @TEST-EXEC: cmp receiver/ssh.failure.log sender/ssh.failure.log
+# @TEST-EXEC: cmp receiver/ssh.success.log sender/ssh.success.log
+
+# This is the common part loaded by both sender and receiver.
+module SSH;
+
+export {
+	# Create a new ID for our log stream
+	redef enum Log::ID += { SSH };
+
+	# Define a record with all the columns the log file can have.
+	# (I'm using a subset of fields from ssh-ext for demonstration.)
+	type Log: record {
+		t: time;
+		id: conn_id; # Will be rolled out into individual columns.
+		status: string &optional;
+		country: string &default="unknown";
+	} &log;
+}
+
+event bro_init()
+{
+	Log::create_stream(SSH, [$columns=Log]);
+	Log::add_filter(SSH, [$name="f1", $path="ssh.success", $pred=function(rec: Log): bool { return rec$status == "success"; }]);
+}
+
+#####
+
+@TEST-START-FILE sender.bro
+
+module SSH;
+
+@load listen-clear
+
+function fail(rec: Log): bool
+	{
+	return rec$status != "success";
+	}
+
+event remote_connection_handshake_done(p: event_peer)
+	{
+	Log::add_filter(SSH, [$name="f2", $path="ssh.failure", $pred=fail]);
+
+    local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
+
+	local r: Log = [$t=network_time(), $id=cid, $status="success"];
+
+	# Log something.
+	Log::write(SSH, r);
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="success", $country="BR"]);
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="MX"]);
+	}
+@TEST-END-FILE
+
+@TEST-START-FILE receiver.bro
+
+#####
+
+@load remote
+
+redef Remote::destinations += {
+    ["foo"] = [$host = 127.0.0.1, $connect=T, $request_logs=T]
+};
+
+@TEST-END-FILE
diff --git a/testing/btest/logging/remove.bro b/testing/btest/logging/remove.bro
new file mode 100644
index 0000000000..488b21408f
--- /dev/null
+++ b/testing/btest/logging/remove.bro
@@ -0,0 +1,41 @@
+#
+# @TEST-EXEC: bro -B logging %INPUT
+# @TEST-EXEC: btest-diff ssh.log
+# @TEST-EXEC: btest-diff ssh.failure.log
+
+module SSH;
+
+export {
+	# Create a new ID for our log stream
+	redef enum Log::ID += { SSH };
+
+	# Define a record with all the columns the log file can have.
+	# (I'm using a subset of fields from ssh-ext for demonstration.)
+	type Log: record {
+		t: time;
+		id: conn_id; # Will be rolled out into individual columns.
+		status: string &optional;
+		country: string &default="unknown";
+	} &log;
+}
+
+event bro_init()
+{
+	Log::create_stream(SSH, [$columns=Log]);
+	Log::add_filter(SSH, [$name="f1", $path="ssh.failure", $pred=function(rec: Log): bool { return rec$status == "failure"; }]);
+
+    local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
+
+	# Log something.
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
+
+	Log::remove_filter(SSH, "f1");
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="BR"]);
+
+	Log::remove_filter(SSH, "default");
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="MX"]);
+
+	Log::remove_filter(SSH, "doesn-not-exist");
+}
+
diff --git a/testing/btest/logging/rotate-custom.bro b/testing/btest/logging/rotate-custom.bro
new file mode 100644
index 0000000000..59ad1330cd
--- /dev/null
+++ b/testing/btest/logging/rotate-custom.bro
@@ -0,0 +1,37 @@
+#
+# @TEST-EXEC: bro -r %DIR/rotation.trace %INPUT >out
+# @TEST-EXEC: for i in `ls test*.log | sort`; do printf '> %s\n' $i; cat $i; done | sort | uniq >>out
+# @TEST-EXEC: btest-diff out
+
+module Test;
+
+export {
+	# Create a new ID for our log stream
+	redef enum Log::ID += { Test };
+
+	# Define a record with all the columns the log file can have.
+	# (I'm using a subset of fields from ssh-ext for demonstration.)
+	type Log: record {
+		t: time;
+		id: conn_id; # Will be rolled out into individual columns.
+	} &log;
+}
+
+redef Log::default_rotation_interval = 1hr;
+redef Log::default_rotation_postprocessor = "echo 1st";
+
+redef Log::rotation_control += {
+	[Log::WRITER_ASCII, "test2"] = [$interv=30mins, $postprocessor="echo 2nd"]
+};
+
+event bro_init()
+{
+	Log::create_stream(Test, [$columns=Log]);
+	Log::add_filter(Test, [$name="2nd", $path="test2"]);
+
+}
+
+event new_connection(c: connection)
+	{
+	Log::write(Test, [$t=network_time(), $id=c$id]);
+	}
diff --git a/testing/btest/logging/rotate.bro b/testing/btest/logging/rotate.bro
new file mode 100644
index 0000000000..dc7cd79d56
--- /dev/null
+++ b/testing/btest/logging/rotate.bro
@@ -0,0 +1,31 @@
+#
+# @TEST-EXEC: bro -r %DIR/rotation.trace %INPUT >out
+# @TEST-EXEC: for i in test-*.log; do printf '> %s\n' $i; cat $i; done >>out
+# @TEST-EXEC: btest-diff out
+
+module Test;
+
+export {
+	# Create a new ID for our log stream
+	redef enum Log::ID += { Test };
+
+	# Define a record with all the columns the log file can have.
+	# (I'm using a subset of fields from ssh-ext for demonstration.)
+	type Log: record {
+		t: time;
+		id: conn_id; # Will be rolled out into individual columns.
+	} &log;
+}
+
+redef Log::default_rotation_interval = 1hr;
+redef Log::default_rotation_postprocessor = "echo";
+
+event bro_init()
+{
+	Log::create_stream(Test, [$columns=Log]);
+}
+
+event new_connection(c: connection)
+	{
+	Log::write(Test, [$t=network_time(), $id=c$id]);
+	}
diff --git a/testing/btest/logging/rotation.trace b/testing/btest/logging/rotation.trace
new file mode 100644
index 0000000000..9954b22e15
Binary files /dev/null and b/testing/btest/logging/rotation.trace differ
diff --git a/testing/btest/logging/stdout.bro b/testing/btest/logging/stdout.bro
new file mode 100644
index 0000000000..a482f742a0
--- /dev/null
+++ b/testing/btest/logging/stdout.bro
@@ -0,0 +1,36 @@
+#
+# @TEST-EXEC: bro %INPUT >output
+# @TEST-EXEC: btest-diff output
+# @TEST-EXEC: test '!' -e ssh.log
+
+module SSH;
+
+export {
+	redef enum Log::ID += { SSH };
+
+	type Log: record {
+		t: time;
+		id: conn_id; # Will be rolled out into individual columns.
+		status: string &optional;
+		country: string &default="unknown";
+	} &log;
+}
+
+event bro_init()
+{
+	Log::create_stream(SSH, [$columns=Log]);
+
+	local filter = Log::get_filter(SSH, "default");
+	filter$path= "/dev/stdout";
+	Log::add_filter(SSH, filter);
+
+    local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
+
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="success"]);
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="success", $country="BR"]);
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="MX"]);
+	
+}
+
diff --git a/testing/btest/logging/test-logging.bro b/testing/btest/logging/test-logging.bro
new file mode 100644
index 0000000000..8443bc2236
--- /dev/null
+++ b/testing/btest/logging/test-logging.bro
@@ -0,0 +1,31 @@
+#
+# @TEST-EXEC: bro %INPUT
+# @TEST-EXEC: btest-diff ssh.log
+
+module SSH;
+
+export {
+	redef enum Log::ID += { SSH };
+
+	type Log: record {
+		t: time;
+		id: conn_id; # Will be rolled out into individual columns.
+		status: string &optional;
+		country: string &default="unknown";
+	} &log;
+}
+
+event bro_init()
+{
+	Log::create_stream(SSH, [$columns=Log]);
+
+    local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
+
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="success"]);
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="success", $country="BR"]);
+	Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="MX"]);
+	
+}
+
diff --git a/testing/btest/logging/types.bro b/testing/btest/logging/types.bro
new file mode 100644
index 0000000000..8cd59192bd
--- /dev/null
+++ b/testing/btest/logging/types.bro
@@ -0,0 +1,62 @@
+#
+# @TEST-EXEC: bro %INPUT
+# @TEST-EXEC: btest-diff ssh.log
+#
+# Testing all possible types.
+
+redef LogAscii::empty_field = "EMPTY";
+
+module SSH;
+
+export {
+	redef enum Log::ID += { SSH };
+
+	type Log: record {
+		b: bool;
+		i: int;
+		e: Log::ID;
+		c: count;
+		p: port;
+		sn: subnet;
+		n: net;
+		a: addr;
+		d: double;
+		t: time;
+		iv: interval;
+		s: string;
+		sc: set[count];
+		ss: set[string];
+		se: set[string];
+		vc: vector of count;
+		ve: vector of string;
+	} &log;
+}
+
+event bro_init()
+{
+	Log::create_stream(SSH, [$columns=Log]);
+
+	local empty_set: set[string];
+	local empty_vector: vector of string;
+
+	Log::write(SSH, [
+		$b=T,
+		$i=-42,
+		$e=SSH,
+		$c=21,
+		$p=123/tcp,
+		$sn=10.0.0.1/24,
+		$n=10.0.,
+		$a=1.2.3.4,
+		$d=3.14,
+		$t=network_time(),
+		$iv=100secs,
+		$s="hurz",
+		$sc=set(1,2,3,4),
+		$ss=set("AA", "BB", "CC"),
+		$se=empty_set,
+		$vc=vector(10, 20, 30),
+		$ve=empty_vector
+		]);
+}
+
diff --git a/testing/btest/logging/vec.bro b/testing/btest/logging/vec.bro
new file mode 100644
index 0000000000..b9ed8f8d6d
--- /dev/null
+++ b/testing/btest/logging/vec.bro
@@ -0,0 +1,27 @@
+#
+# @TEST-EXEC: bro %INPUT
+# @TEST-EXEC: btest-diff ssh.log
+
+module SSH;
+
+export {
+	redef enum Log::ID += { SSH };
+
+	type Log: record {
+        vec: vector of string &log;
+	};
+}
+
+event bro_init()
+{
+	Log::create_stream(SSH, [$columns=Log]);
+
+    local v: vector of string;
+
+	v[1] = "2";
+	v[4] = "5";
+
+	Log::write(SSH, [$vec=v]);
+}
+
+
diff --git a/testing/btest/policy/known-hosts-test b/testing/btest/policy/known-hosts-test
new file mode 100644
index 0000000000..b507f6cbc7
--- /dev/null
+++ b/testing/btest/policy/known-hosts-test
@@ -0,0 +1,6 @@
+
+@TEST-EXEC: bro -r $TRACES/wikipedia.trace known-hosts
+
+@TEST-EXEC: btest-diff KNOWN_HOSTS
+@TEST-EXEC: btest-diff .stderr
+@TEST-EXEC: btest-diff .stdout
diff --git a/testing/btest/policy/known-services-test.bro b/testing/btest/policy/known-services-test.bro
new file mode 100644
index 0000000000..03d5c0cf6c
--- /dev/null
+++ b/testing/btest/policy/known-services-test.bro
@@ -0,0 +1,24 @@
+
+#   Generate some output
+# @TEST-EXEC: bro -r $TRACES/workshop.trace1.trace %INPUT tcp
+
+
+#   Verify the log file, and stderr/out match the Baseline
+# @TEST-EXEC: btest-diff KNOWN_SERVICES
+# @TEST-EXEC: btest-diff .stderr
+# @TEST-EXEC: btest-diff .stdout
+
+
+# Load the script we're here to test
+@load known-services
+
+# Make some changes to how it runs
+export {
+        # Log everything, so we get some output
+        redef KnownServices::logged_hosts=Enabled;
+}
+
+# If necessary, can take setup action here as well
+event bro_init()
+{
+}
diff --git a/testing/btest/random.seed b/testing/btest/random.seed
new file mode 100644
index 0000000000..e70c8f85ef
--- /dev/null
+++ b/testing/btest/random.seed
@@ -0,0 +1,17 @@
+2983378351
+1299727368
+0
+310447
+0
+1409073626
+3975311262
+34130240
+1450515018
+1466150520
+1342286698
+1193956778
+2188527278
+3361989254
+3912865238
+3596260151
+517973768
diff --git a/testing/istate/README b/testing/istate/README
deleted file mode 100644
index 78e855074f..0000000000
--- a/testing/istate/README
+++ /dev/null
@@ -1,11 +0,0 @@
-To run these tests, invoke:
-
-	./istate.py
-
-To see differences leading to test failures, invoke:
-
-	./istate.py -s
-
-Build a new test baseline using:
-
-	./istate.py -b
diff --git a/testing/istate/base/bro-ping/remote.log b/testing/istate/base/bro-ping/remote.log
deleted file mode 100644
index 4f86bd62d6..0000000000
--- a/testing/istate/base/bro-ping/remote.log
+++ /dev/null
@@ -1,17 +0,0 @@
-xxxxxxxxxx.xxxxxx [info]  [parent] pipe's socket buffer size is 8192, setting to 1048576
-xxxxxxxxxx.xxxxxx [info]  [parent] communication started, parent 
-xxxxxxxxxx.xxxxxx [info]  [child]  listening on 0.0.0.0:47758 (clear)
-xxxxxxxxxx.xxxxxx [info]  [child]  [#10000/] accepted clear connection
-xxxxxxxxxx.xxxxxx [info]  [parent] [#10000/] added peer
-xxxxxxxxxx.xxxxxx [info]  [parent] [#10000/] peer connected
-xxxxxxxxxx.xxxxxx [info]  [parent] [#10000/] phase: version
-xxxxxxxxxx.xxxxxx [info]  [script] [#10000/] connection established
-xxxxxxxxxx.xxxxxx [info]  [script] [#10000/] requesting events matching /^?(ping)$?/
-xxxxxxxxxx.xxxxxx [info]  [script] [#10000/] accepting state
-xxxxxxxxxx.xxxxxx [info]  [script] [#10000/] requesting synchronized state
-xxxxxxxxxx.xxxxxx [info]  [parent] [#10000/] phase: handshake
-xxxxxxxxxx.xxxxxx [info]  [parent] [#10000/] registered for event pong
-xxxxxxxxxx.xxxxxx [info]  [parent] [#10000/] peer does not support 64bit PIDs; using compatibility mode
-xxxxxxxxxx.xxxxxx [info]  [parent] [#10000/] phase: sync (receiver)
-xxxxxxxxxx.xxxxxx [info]  [parent] [#10000/] phase: running
-xxxxxxxxxx.xxxxxx [info]  [parent] [#10000/] closing connection
diff --git a/testing/istate/base/bro-ping/stderr.log b/testing/istate/base/bro-ping/stderr.log
deleted file mode 100644
index bb611b7eb0..0000000000
--- a/testing/istate/base/bro-ping/stderr.log
+++ /dev/null
@@ -1,3 +0,0 @@
-xxxxxxxxxx.xxxxxx processing suspended
-xxxxxxxxxx.xxxxxx processing continued
-xxxxxxxxxx.xxxxxx received termination signal
diff --git a/testing/istate/base/bro-ping/stdout.log b/testing/istate/base/bro-ping/stdout.log
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/testing/istate/base/broccoli-ping/stderr.log b/testing/istate/base/broccoli-ping/stderr.log
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/testing/istate/base/events-display/stdout.log b/testing/istate/base/events-display/stdout.log
deleted file mode 100644
index a68f969a3c..0000000000
--- a/testing/istate/base/events-display/stdout.log
+++ /dev/null
@@ -1,36 +0,0 @@
-Event [xxxxxxxxxx.xxxxxx] bro_done()
-Event [xxxxxxxxxx.xxxxxx] connection_established([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=0, state=4], resp=[size=0, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.182510137557983, service={}, addl="", hot=0, history="Sh"])
-Event [xxxxxxxxxx.xxxxxx] connection_finished([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=5], resp=[size=9417, state=5], start_time=xxxxxxxxxx.xxxxxx, duration=1.73330307006836, service={}, addl="%events-send-1", hot=0, history="ShADdFaf"])
-Event [xxxxxxxxxx.xxxxxx] connection_pending([id=[orig_h=141.42.64.125, orig_p=56729/tcp, resp_h=125.190.109.199, resp_p=12345/tcp], orig=[size=0, state=1], resp=[size=0, state=6], start_time=xxxxxxxxxx.xxxxxx, duration=0.182432889938354, service={}, addl="", hot=0, history="Sr"])
-Event [xxxxxxxxxx.xxxxxx] connection_state_remove([id=[orig_h=141.42.64.125, orig_p=56729/tcp, resp_h=125.190.109.199, resp_p=12345/tcp], orig=[size=0, state=1], resp=[size=0, state=6], start_time=xxxxxxxxxx.xxxxxx, duration=0.182432889938354, service={}, addl="", hot=0, history="Sr"])
-Event [xxxxxxxxxx.xxxxxx] connection_state_remove([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=5], resp=[size=9417, state=5], start_time=xxxxxxxxxx.xxxxxx, duration=1.73330307006836, service={}, addl="%events-send-1", hot=0, history="ShADdFaf"])
-Event [xxxxxxxxxx.xxxxxx] http_begin_entity([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=0, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.183290958404541, service={}, addl="%events-send-1", hot=0, history="ShAD"]T)
-Event [xxxxxxxxxx.xxxxxx] http_begin_entity([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=1448, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.367331027984619, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F)
-Event [xxxxxxxxxx.xxxxxx] http_content_type([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=0, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.183290958404541, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShAD"]T"TEXT""PLAIN")
-Event [xxxxxxxxxx.xxxxxx] http_content_type([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=1448, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.367331027984619, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F"TEXT""HTML")
-Event [xxxxxxxxxx.xxxxxx] http_end_entity([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=0, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.183290958404541, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShAD"]T)
-Event [xxxxxxxxxx.xxxxxx] http_end_entity([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=9417, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.73563814163208, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F)
-Event [xxxxxxxxxx.xxxxxx] http_entity_data([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=5792, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.551820039749146, service={}, addl="%events-send-1", hot=0, history="ShADd"]F4096"<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"^J"http://www.w3.org/TR/REC-html40/loose.dtd">^J<HEAD><TITLE>ICIR</TITLE></HEAD>^J<BODY bgcolor="#ffffff" text="#000000" link="#0000ff" vlink="#b20000">^J<img src=icir.gif alt="ICIR"><br>^J<p>^JICIR (The ICSI Center for Internet Research)^Jis a ^Jnon-profit^Jresearch institute at^J<a href="http://www.icsi.berkeley.edu">ICSI</a>^Jin ^J<a href="http://dir.yahoo.com/Regional/U_S__States/California/Cities/Berkeley/">Berkeley</a>, ^JCalifornia.<br>^JFor the three years from 1999 to 2001 we were named^JACIRI, the AT&T Center for Internet Research at ICSI, ^Jand were funded by <a href="http://www.att.com">AT&amp;T</a>.<br>^J^JThe goals of ICIR are to:^J<ul>^J<li>Pursue research on the Internet architecture and related networking issues,^J<li>^JParticipate actively in the research (<a href="http://www.acm.org/sigcomm/">SIGCOMM</a> and <a href="http://www.irtf.org/">IRTF</a>) and^Jstandards (<a href="http://www.ietf.org/">IETF</a>) communities,^J<li> Bridge the gap between the Internet research community and commercial ^Jinterests by providing a neutral forum where topics of mutual technical ^Jinterest can be addressed.^J</ul>^J<p>^J<!--^JICIR is now ^J<a href="jobs.html">^Jhiring</a> for both postdoctoral positions and summer interns.^J-->^J<hr>^J^J<DIV ALIGN="CENTER">^J^J<table width="100%" cellspacing=16 cellpadding=0>^J^J<tr>^J<td width="35%" valign=top>^J^J<h2>^JPeople^J</h2>^J<ul>^J<li>^J<a href="./shenker/">^JScott Shenker</a>, Group Leader<br> ^J<li><a href="http://www.icir.org/mallman/">Mark Allman</a>^J<li>^J<a href="./floyd/">Sally Floyd</a>^J<!--^J<li><a href="http://www.isi.edu/~govindan/">Ramesh Govindan</a>^J-->^J<li>^J<a href="./karp/papers.html">^JRichard Karp</a>  ^J<!-- (also with the ^J<a href="http://www.icsi.berkeley.edu/Theory/">ICSI Theory Group</a>, ^J<a href="http://www.msri.org/">MSRI</a>, and^J<a href="http://www.cs.berkeley.edu/">UC Berkeley</a>) -->^J<li>^J<a href="./vern/">^JVern Paxson</a>  ^J<li>^J<a href="http://www.icir.org/robin/">^JRobin Sommer</a>^J<li>^J<a href="http://www.cs.berkeley.edu/~nweaver/">^JNicholas Weaver</a>^J<li>^J<a href="http://www.icsi.berkeley.edu/~zhao/">^JJerry Zhao</a>^J<!-- </ul> &nbsp; &nbsp;<b>Group Members</b> <ul> -->^J<li><b><a href="pastvisitors.html">Past Group Members</a></b>,^J<br>including:^J<ul>^J<li>^J<a href="http://www.cs.ucl.ac.uk/staff/M.Handley/">^JMark Handley</a> (UCL)^J<li><a href="./kohler/">Eddie Kohler</a> (UCLA)^J</ul>^J<li><b>Affiliated <a href="http://www.xorp.org/">Xorp</a>^JResearchers</b>:^J  <ul>^J  <li><a href="./jcardona/">Javier Cardona</a>^J  <li><a href="./atanu/">Atanu Ghosh</a> ^J  <li><a href="./hodson/">Orion Hodson</a>^J  <li><a href="./pavlin/">Pavlin Radoslavov</a> ^J  <li><a href="http://www.iet.unipi.it/~luigi">Luigi Rizzo</a>^J  <li><a href="http://people.freebsd.org/~bms/">Bruce Simpson</a>^J</ul>^J<li><b>Affiliated UCB Researchers</b>:^J  <ul>^J  <li><a href="http://www.cs.berkeley.edu/~christos/">Christos Papadimitriou</a>^J  <li><a href="http://www.cs.berkeley.edu/~istoica/">Ion Stoica</a>^J  </ul>^J<li><b>Visitors</b>:^J  <ul>^J  <li><a href="http://grid.sjtu.edu.cn/teachers/dengqn/dengqn.htm">Professor Quin-Ni Deng</a>^J<!--^J  from Shanghai Jiaotong University^J-->^J  <li>Teemu Koponen^J<!--^J  , Helsinki Institute for Information Technology^J-->^J  </ul>^J<!--^J<li><a href="pastvisitors.html">Other researchers</a>^J-->^J<a name=Visitors></a>^J<li><b>Interns:</b>^J<ul>^J<li>Juan Caballero^J<li><a href="http://www.stanford.edu/~casado/">Martin Casado</a>^J<li><a href="http://www.cs.rice.edu/~scrosby/">Scott Crosby</a>^J<li><a href="http://bnrg.cs.berkeley.edu/~wdc/">Weidong Cui</a>^J<li><a href="http://www.cs.berkeley.edu/~chema">Chema Gonzalez</a>^J<li>Halldor Isak Gylfason^J<li><a href="http://www.cl.cam.ac.uk/~cpk25/">Christian Kreibich</a>^J<li><a href="http://www.cs.ucsd.edu/~braghava">Barath Raghavan</a>^J<!--^J<li><a href="newinterns.html">New Interns:</a> ^J-->^J</ul>^J<li><b>Undergraduate Interns:</b>^J<ul>^J<li>Michael Hoisie^J<li>Arthur Wayne Liao^J<li>Christopher Portka^J</ul>^J<li><b><a href="pastvisitors.html">Past Visitors and Interns:</a></b>^J</ul>^J^J</td>^J<td width="30%" vali")
-Event [xxxxxxxxxx.xxxxxx] http_entity_data([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=8688, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.552114009857178, service={}, addl="%events-send-1", hot=0, history="ShADd"]F4096"gn=top>^J^J<h2>^JPublications^J</h2>^J<ul>^J<li><a href="./rfcs.html">^JRFCs</a> with ICIR authors.^J<li>^J<a href="./internetdrafts.html">^JInternet drafts</a> with ICIR authors, 3/2004 ^J(or <a href="http://www.rfc-editor.org/idsearch.html">search</a>^Jthe current list).^J<!--^Jfor "Shenker OR Floyd OR Allman OR Paxson".^J(or the ^J<a^Jhref="^Jhttp://search.ietf.org:80/search/cgi-bin/BrokerQuery.pl.cgi?broker=internet-drafts&query=%28Author%3A+Shenker+OR+Floyd+OR+Handley+OR+Paxson+OR+Kohler%29&caseflag=on&wordflag=off&errorflag=0&maxlineflag=50&maxresultflag=1000&descflag=on&sort=by-NML&verbose=on&maxobjflag=25">current list</a>.)^J^Jhttp://search.ietf.org:80/search/cgi-bin/BrokerQuery.pl.cgi?broker=internet-drafts&query=(Shenker+OR+Floyd+OR+Handley+OR+Paxson+OR+Kohler)&descflag=on">current list</a>).^J-->^J<!--^Jfrom the ^J<a href="http://search.ietf.org/search/brokers/internet-drafts/query.html">^JInternet-Drafts Search Engine</a>).^J-->^J<li>Papers by ^J<a href="./shenker/papers.html">Scott Shenker</a>^J(<a^Jhref="http://citeseer.ist.psu.edu/cs?qb=dbnum%3D1%2Cqtype%3Dcitation:&q=Scott%20w/2%20Shenker%20or%20S%20w/2%20Shenker&co=Citations">RI</a>),^J^J<a href="./mallman/papers/">Mark Allman</a>^J(<a^Jhref="http://citeseer.ist.psu.edu/cs?qb=dbnum%3D1%2Cqtype%3Dcitation:&q=Mark%20w/2%20Allman%20or%20S%20w/2%20Allman&co=Citations">RI</a>),^J^J<a href="./floyd/papers.html">Sally Floyd</a>^J(<a^Jhref="http://citeseer.ist.psu.edu/cs?qb=dbnum%3D1%2Cqtype%3Dcitation:&q=Sally%20w/2%20Floyd%20or%20S%20w/2%20Floyd&co=Citations">RI</a>),^J^J<a href="./karp/papers.html">Richard Karp</a>^J(<a^Jhref="http://citeseer.ist.psu.edu/cs?qb=dbnum%3D1%2Cqtype%3Dcitation:&q=Richard%20w/2%20Karp%20or%20R%20w/2%20Karp&co=Citations">RI</a>),^J<a href="./kohler/pubs/">Eddie Kohler</a>^J(<a^Jhref="http://citeseer.ist.psu.edu/cs?qb=dbnum%3D1%2Cqtype%3Dcitation:&q=eddie%20w/2%20kohler%20or%20e%20w/2%20kohler&co=Citations">RI</a>),^J<a href="./vern/papers.html">Vern Paxson</a>^J(<a^Jhref="http://citeseer.ist.psu.edu/cs?qb=dbnum%3D1%2Cqtype%3Dcitation:&q=Vern%20w/2%20Paxson%20or%20V%20w/2%20Paxson&co=Citations">RI</a>).^J<li>The <a href="http://citeseer.ist.psu.edu/">^JResearchIndex</a> (RI) and the ^J<a href="http://citeseer.ist.psu.edu/cs">Search</a>^Jand ^J<a href="http://citeseer.ist.psu.edu/Networking/">^JNetworking</a> pages. ^J</ul>^J^J<h2>^JProjects ^J</h2>^J<ul>^J<li>^J<a href="./vern/bro-info.html">Bro</a>^J(detecting network intruders). ^J<li>The <a href="http://www.isi.edu/newarch/">NewArch</a> Project:^JFuture-Generation Internet Architecture.^J<LI>The <a href="http://www.isi.edu/nsnam/ns/">NS</a>^Jnetwork simulator.^J<li> <a href="./tbit/">TBIT</a>^J(TCP Behavior Identification Tool).^J<li> <a href="http://www.xorp.org/">Xorp</a>^J(Extensible Open Router Platform).^J<li>^J<a href="./funded_projects.html">^JOther Funded Projects</a>.^J<li>^J<a href="./research.html">^JAdditional Research Links</a>.^J</ul>^J^J^J</td>^J^J<td width="35%" valign=top>^J    ^J<h2>Research</h2>^J&nbsp; &nbsp;<b>Transport and Congestion</b>^J<ul>^J<li>^J<a href="./kohler/dcp/">DCCP</a>^J(Datagram Congestion Control Protocol).^J<li>^J<a href="./floyd/ecn.html">ECN</a>^J(Explicit Congestion Notification).^J<li>^J<a href="http://www.ietf.org/html.charters/intserv-charter.html">^JIntegrated services</a>.^J<li>^J<a href="./floyd/red.html">RED</a> ^Jqueue management, and^J<a href="./red-pd/">RED-PD</a>.^J<li>^J<a href="./floyd/hstcp.html">HighSpeed TCP</a>.^J<li>^J<a^Jhref="http://www.ietf.cnri.reston.va.us/html.charters/OLD/tcpimpl-charter.html">^JTCP Implementation</a>.^J<li>^JReordering-Robust TCP ^J(<a href="./bkarp/RR-TCP/">RR-TCP</a>).^J<li>TCP^J<a href="./floyd/sacks.html">SACK</a> ^J(Selective Acknowledgment).^J<li>^J<a href="./tfrc/">TFRC</a> ^J(TCP-Friendly Rate Control).^J</ul>^J^J&nbsp; &nbsp;<b>Traffic and Topology</b>^J<ul>^J<LI>^J<a href="http://idmaps.eecs.umich.edu/">IDMaps</a> ^J(Internet Distance Mapping).^J<LI>The <a href="http://www.acm.org/sigcomm/ITA/">^JInternet Traffic Archive</a>.^J<li>^J<a href="http://www-net.cs.umass.edu/minc/">MINC</a>^J(Multicast-based Inference of Network-internal Characteristics).^J<li>^J<a href="http://www.psc.edu/networking/nimi/">NIMI</a>^J(N")
-Event [xxxxxxxxxx.xxxxxx] http_entity_data([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=9417, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.73563814163208, service={}, addl="%events-send-1", hot=0, history="ShADd"]F938"ational Internet Measurement Infrastructure).^J</ul>^J^J<h2>^J<a href="./collaborators.html">^JCollaborators</a>^J</h2>^J^J<!--^J&nbsp; &nbsp;<b>Multicast and Multimedia</b>^J<ul>^J<LI><A href="/malloc/">MALLOC</a>^J(Multicast Address Allocation).^J<LI><a href="http://www.cs.columbia.edu/~hgs/sip/">SIP</a>^J(Session Initiation Protocol).^J<li> <a href="yoid"> Yoid</a> (host-based content distribution). ^J</ul>^J-->^J^J</td>^J^J</tr>^J</table>^J</DIV>^J^J<hr>^J<h2>Information for <a href="./abouticir.html">visitors</a> and <a href="/sysdocs/">local users</a>.</h2>^J<hr>^JLast modified: June 2004. <a href="./COPYRIGHTS">Copyright notice</a>.^J<a href="http://web.archive.org/web/*/http://www.aciri.org/">^JOlder versions</a> of this web page, in its ACIRI incarnation..^J<BR>^JFor more information about this server, mail <I>www@aciri.org</I>.  ^J<BR>^JTo report <a href="scanning.html">unusual activity</a> by any of our hosts, mail <I>abuse@aciri.org</I>.^J</BODY>^J")
-Event [xxxxxxxxxx.xxxxxx] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=0, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.183290958404541, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShAD"]T"ACCEPT""*/*")
-Event [xxxxxxxxxx.xxxxxx] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=0, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.183290958404541, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShAD"]T"CONNECTION""Keep-Alive")
-Event [xxxxxxxxxx.xxxxxx] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=0, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.183290958404541, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShAD"]T"HOST""www.icir.org")
-Event [xxxxxxxxxx.xxxxxx] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=0, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.183290958404541, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShAD"]T"USER-AGENT""Wget/1.10")
-Event [xxxxxxxxxx.xxxxxx] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=1448, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.367331027984619, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F"ACCEPT-RANGES""bytes")
-Event [xxxxxxxxxx.xxxxxx] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=1448, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.367331027984619, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F"CONNECTION""Keep-Alive")
-Event [xxxxxxxxxx.xxxxxx] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=1448, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.367331027984619, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F"CONTENT-LENGTH""9130")
-Event [xxxxxxxxxx.xxxxxx] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=1448, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.367331027984619, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F"CONTENT-TYPE""text/html")
-Event [xxxxxxxxxx.xxxxxx] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=1448, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.367331027984619, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F"DATE""Fri, 07 Oct 2005 23:23:55 GMT")
-Event [xxxxxxxxxx.xxxxxx] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=1448, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.367331027984619, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F"ETAG"""2c96c-23aa-4346a0e5"")
-Event [xxxxxxxxxx.xxxxxx] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=1448, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.367331027984619, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F"KEEP-ALIVE""timeout=15, max=100")
-Event [xxxxxxxxxx.xxxxxx] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=1448, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.367331027984619, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F"LAST-MODIFIED""Fri, 07 Oct 2005 16:23:01 GMT")
-Event [xxxxxxxxxx.xxxxxx] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=1448, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.367331027984619, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F"SERVER""Apache/1.3.33 (Unix)")
-Event [xxxxxxxxxx.xxxxxx] http_message_done([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=0, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.183290958404541, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShAD"]T[start=xxxxxxxxxx.xxxxxx, interrupted=F, finish_msg="message ends normally", body_length=0, content_gap_length=0, header_length=86])
-Event [xxxxxxxxxx.xxxxxx] http_message_done([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=9417, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.73563814163208, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F[start=xxxxxxxxxx.xxxxxx, interrupted=F, finish_msg="message ends normally", body_length=9130, content_gap_length=0, header_length=265])
-Event [xxxxxxxxxx.xxxxxx] http_reply([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=1448, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.367331027984619, service={}, addl="%events-send-1", hot=0, history="ShADd"]"1.1"200"OK")
-Event [xxxxxxxxxx.xxxxxx] http_request([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=0, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.183290958404541, service={}, addl="", hot=0, history="ShAD"]"GET""/""/""1.0")
-Event [xxxxxxxxxx.xxxxxx] net_done(xxxxxxxxxx.xxxxxx)
-Event [xxxxxxxxxx.xxxxxx] new_connection([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=0, state=0], resp=[size=0, state=0], start_time=xxxxxxxxxx.xxxxxx, duration=0.0, service={}, addl="", hot=0, history=""])
-Event [xxxxxxxxxx.xxxxxx] new_connection([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=0, state=1], resp=[size=0, state=0], start_time=xxxxxxxxxx.xxxxxx, duration=0.0, service={}, addl="cc=1", hot=0, history=""])
-Event [xxxxxxxxxx.xxxxxx] protocol_confirmation([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=0, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.183290958404541, service={}, addl="", hot=0, history="ShAD"]165)
diff --git a/testing/istate/base/events-rcv/conn.log b/testing/istate/base/events-rcv/conn.log
deleted file mode 100644
index b38c0a2e70..0000000000
--- a/testing/istate/base/events-rcv/conn.log
+++ /dev/null
@@ -1,2 +0,0 @@
-xxxxxxxxxx.xxxxxx 0.182433 141.42.64.125 125.190.109.199 other 56729 12345 tcp ? ? REJ X
-xxxxxxxxxx.xxxxxx 1.733303 141.42.64.125 125.190.109.199 http 56730 80 tcp 98 9417 SF X %events-send-1
diff --git a/testing/istate/base/events-rcv/http.log b/testing/istate/base/events-rcv/http.log
deleted file mode 100644
index db049772d8..0000000000
--- a/testing/istate/base/events-rcv/http.log
+++ /dev/null
@@ -1,18 +0,0 @@
-xxxxxxxxxx.xxxxxx %events-rcv-1 start 141.42.64.125:56730 > 125.190.109.199:80
-xxxxxxxxxx.xxxxxx %events-rcv-1 > USER-AGENT: Wget/1.10
-xxxxxxxxxx.xxxxxx %events-rcv-1 > ACCEPT: */*
-xxxxxxxxxx.xxxxxx %events-rcv-1 > HOST: www.icir.org
-xxxxxxxxxx.xxxxxx %events-rcv-1 > CONNECTION: Keep-Alive
-xxxxxxxxxx.xxxxxx %events-rcv-1 < DATE: Fri, 07 Oct 2005 23:23:55 GMT
-xxxxxxxxxx.xxxxxx %events-rcv-1 < SERVER: Apache/1.3.33 (Unix)
-xxxxxxxxxx.xxxxxx %events-rcv-1 < LAST-MODIFIED: Fri, 07 Oct 2005 16:23:01 GMT
-xxxxxxxxxx.xxxxxx %events-rcv-1 < ETAG: "2c96c-23aa-4346a0e5"
-xxxxxxxxxx.xxxxxx %events-rcv-1 < ACCEPT-RANGES: bytes
-xxxxxxxxxx.xxxxxx %events-rcv-1 < CONTENT-LENGTH: 9130
-xxxxxxxxxx.xxxxxx %events-rcv-1 < KEEP-ALIVE: timeout=15, max=100
-xxxxxxxxxx.xxxxxx %events-rcv-1 < CONNECTION: Keep-Alive
-xxxxxxxxxx.xxxxxx %events-rcv-1 < CONTENT-TYPE: text/html
-xxxxxxxxxx.xxxxxx %events-rcv-1 <= 4096 bytes: "<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML ..."
-xxxxxxxxxx.xxxxxx %events-rcv-1 <= 4096 bytes: "gn=top>^J^J<h2>^JPublications^J</h2>^J<ul>^J<l..."
-xxxxxxxxxx.xxxxxx %events-rcv-1 <= 938 bytes: "ational Internet Measurement Infrastruct..."
-xxxxxxxxxx.xxxxxx %events-rcv-1 GET / (200 "OK" [9130] www.icir.org)
diff --git a/testing/istate/base/events-rcv/stderr.log b/testing/istate/base/events-rcv/stderr.log
deleted file mode 100644
index bb611b7eb0..0000000000
--- a/testing/istate/base/events-rcv/stderr.log
+++ /dev/null
@@ -1,3 +0,0 @@
-xxxxxxxxxx.xxxxxx processing suspended
-xxxxxxxxxx.xxxxxx processing continued
-xxxxxxxxxx.xxxxxx received termination signal
diff --git a/testing/istate/base/events-rcv/stdout.log b/testing/istate/base/events-rcv/stdout.log
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/testing/istate/base/events-send/conn.log b/testing/istate/base/events-send/conn.log
deleted file mode 100644
index 3ac12d6d4b..0000000000
--- a/testing/istate/base/events-send/conn.log
+++ /dev/null
@@ -1,3 +0,0 @@
-xxxxxxxxxx.xxxxxx 0.182433 141.42.64.125 125.190.109.199 other 56729 12345 tcp ? ? REJ X
-xxxxxxxxxx.xxxxxx 1.733303 141.42.64.125 125.190.109.199 http 56730 80 tcp 98 9417 SF X %events-send-1
-xxxxxxxxxx.xxxxxx ? 141.42.64.125 125.190.109.199 http 56730 80 tcp ? ? OTH X
diff --git a/testing/istate/base/events-send/http.log b/testing/istate/base/events-send/http.log
deleted file mode 100644
index 2ffab6810e..0000000000
--- a/testing/istate/base/events-send/http.log
+++ /dev/null
@@ -1,18 +0,0 @@
-xxxxxxxxxx.xxxxxx %events-send-1 start 141.42.64.125:56730 > 125.190.109.199:80
-xxxxxxxxxx.xxxxxx %events-send-1 > USER-AGENT: Wget/1.10
-xxxxxxxxxx.xxxxxx %events-send-1 > ACCEPT: */*
-xxxxxxxxxx.xxxxxx %events-send-1 > HOST: www.icir.org
-xxxxxxxxxx.xxxxxx %events-send-1 > CONNECTION: Keep-Alive
-xxxxxxxxxx.xxxxxx %events-send-1 < DATE: Fri, 07 Oct 2005 23:23:55 GMT
-xxxxxxxxxx.xxxxxx %events-send-1 < SERVER: Apache/1.3.33 (Unix)
-xxxxxxxxxx.xxxxxx %events-send-1 < LAST-MODIFIED: Fri, 07 Oct 2005 16:23:01 GMT
-xxxxxxxxxx.xxxxxx %events-send-1 < ETAG: "2c96c-23aa-4346a0e5"
-xxxxxxxxxx.xxxxxx %events-send-1 < ACCEPT-RANGES: bytes
-xxxxxxxxxx.xxxxxx %events-send-1 < CONTENT-LENGTH: 9130
-xxxxxxxxxx.xxxxxx %events-send-1 < KEEP-ALIVE: timeout=15, max=100
-xxxxxxxxxx.xxxxxx %events-send-1 < CONNECTION: Keep-Alive
-xxxxxxxxxx.xxxxxx %events-send-1 < CONTENT-TYPE: text/html
-xxxxxxxxxx.xxxxxx %events-send-1 <= 4096 bytes: "<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML ..."
-xxxxxxxxxx.xxxxxx %events-send-1 <= 4096 bytes: "gn=top>^J^J<h2>^JPublications^J</h2>^J<ul>^J<l..."
-xxxxxxxxxx.xxxxxx %events-send-1 <= 938 bytes: "ational Internet Measurement Infrastruct..."
-xxxxxxxxxx.xxxxxx %events-send-1 GET / (200 "OK" [9130] www.icir.org)
diff --git a/testing/istate/base/events-send/stderr.log b/testing/istate/base/events-send/stderr.log
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/testing/istate/base/events-send/stdout.log b/testing/istate/base/events-send/stdout.log
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/testing/istate/base/persistence-read/stderr.log b/testing/istate/base/persistence-read/stderr.log
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/testing/istate/base/persistence-read/stdout.log b/testing/istate/base/persistence-read/stdout.log
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/testing/istate/base/persistence-write/stderr.log b/testing/istate/base/persistence-write/stderr.log
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/testing/istate/base/persistence-write/stdout.log b/testing/istate/base/persistence-write/stdout.log
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/testing/istate/base/sync-rcv/remote.log b/testing/istate/base/sync-rcv/remote.log
deleted file mode 100644
index 4feea4ccc3..0000000000
--- a/testing/istate/base/sync-rcv/remote.log
+++ /dev/null
@@ -1,21 +0,0 @@
-xxxxxxxxxx.xxxxxx [info]  [parent] pipe's socket buffer size is 8192, setting to 1048576
-xxxxxxxxxx.xxxxxx [info]  [parent] communication started, parent 
-xxxxxxxxxx.xxxxxx [info]  [parent] [#1/127.0.0.1:47757] added peer
-xxxxxxxxxx.xxxxxx [info]  [child]  [#1/127.0.0.1:47757] connected
-xxxxxxxxxx.xxxxxx [info]  [parent] [#1/127.0.0.1:47757] peer connected
-xxxxxxxxxx.xxxxxx [info]  [parent] [#1/127.0.0.1:47757] phase: version
-xxxxxxxxxx.xxxxxx [info]  [script] [#1/127.0.0.1:47757] connection established
-xxxxxxxxxx.xxxxxx [info]  [script] [#1/127.0.0.1:47757] requesting events matching /^?(.*)$?/
-xxxxxxxxxx.xxxxxx [info]  [script] [#1/127.0.0.1:47757] accepting state
-xxxxxxxxxx.xxxxxx [info]  [script] [#1/127.0.0.1:47757] requesting synchronized state
-xxxxxxxxxx.xxxxxx [info]  [parent] [#1/127.0.0.1:47757] phase: handshake
-xxxxxxxxxx.xxxxxx [info]  [parent] [#1/127.0.0.1:47757] peer_description is not set
-xxxxxxxxxx.xxxxxx [info]  [parent] [#1/127.0.0.1:47757] peer supports keep-in-cache; using that
-xxxxxxxxxx.xxxxxx [info]  [parent] [#1/127.0.0.1:47757] phase: sync (sender)
-xxxxxxxxxx.xxxxxx [info]  [parent] [#1/127.0.0.1:47757] starting to send full state
-xxxxxxxxxx.xxxxxx [info]  [parent] [#1/127.0.0.1:47757] done sending full state
-xxxxxxxxxx.xxxxxx [info]  [parent] [#1/127.0.0.1:47757] phase: running
-xxxxxxxxxx.xxxxxx [info]  [script] [#1/127.0.0.1:47757] connection closed
-xxxxxxxxxx.xxxxxx [info]  [parent] [#1/127.0.0.1:47757] peer disconnected
-xxxxxxxxxx.xxxxxx [info]  [child]  [#1/127.0.0.1:47757] connection closed
-xxxxxxxxxx.xxxxxx [info]  [parent] [#1/127.0.0.1:47757] closing connection
diff --git a/testing/istate/base/sync-rcv/stderr.log b/testing/istate/base/sync-rcv/stderr.log
deleted file mode 100644
index 788f8009fe..0000000000
--- a/testing/istate/base/sync-rcv/stderr.log
+++ /dev/null
@@ -1 +0,0 @@
-xxxxxxxxxx.xxxxxx received termination signal
diff --git a/testing/istate/base/sync-rcv/stdout.log b/testing/istate/base/sync-rcv/stdout.log
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/testing/istate/base/sync-send/stderr.log b/testing/istate/base/sync-send/stderr.log
deleted file mode 100644
index 4f2df4e549..0000000000
--- a/testing/istate/base/sync-send/stderr.log
+++ /dev/null
@@ -1,2 +0,0 @@
-xxxxxxxxxx.xxxxxx processing suspended
-xxxxxxxxxx.xxxxxx processing continued
diff --git a/testing/istate/base/sync-send/stdout.log b/testing/istate/base/sync-send/stdout.log
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/testing/istate/istate.py b/testing/istate/istate.py
deleted file mode 100755
index 8c7b28fe4a..0000000000
--- a/testing/istate/istate.py
+++ /dev/null
@@ -1,174 +0,0 @@
-#! /usr/bin/env python
-# 
-# Tests persistence.
-#
-# $Id: istate.py,v 1.1.2.4 2005/10/11 22:31:42 sommer Exp $
-
-import time
-import os
-import os.path
-import optparse
-import sys
-import subprocess
-
-import tests
-
-optparser = optparse.OptionParser( usage = "%prog [options]", version = "0.1" )
-optparser.add_option( "-s", "--show-diff", action = "store_true", dest = "showdiff", 
-                    default = False, help = "show diffs of mismatches" )
-optparser.add_option( "-b", "--new-base", action = "store_true", dest = "newbase", 
-                    default = False, help = "create new baseline" )
-optparser.add_option( "-d", "--debug", action = "store_true", dest = "debug", 
-                    default = False, help = "enable debug output" )
-optparser.add_option( "-t", "--set", action = "store", type = "string", dest = "set", 
-                    default = None, help = "only do given test set" )
-
-                    
-( tests.Options, args ) = optparser.parse_args()
-
-if len(args) != 0:
-    optparser.error( "Wrong number of arguments" )
-
-##########################################    
-# Write persistent data and read it back.
-##########################################
-
-if tests.testSet("persistence"):
-
-    tests.spawnBro("persistence-write", 
-               ["-r", os.path.join(tests.Traces, "empty.trace"), 
-                os.path.join(tests.Scripts, "vars-init.bro"),
-                os.path.join(tests.Scripts, "vars-print.bro")])
-    tests.waitProc("persistence-write")
-    tests.finishTest("persistence-write", ["stdout.log", "stderr.log", "vars.log"])
-
-    tests.spawnBro("persistence-read", 
-               [os.path.join(tests.Scripts, "vars-declare.bro"),
-                os.path.join(tests.Scripts, "vars-print.bro")], 
-                copy=[os.path.join(tests.workDir("persistence-write"), ".state")])
-    tests.waitProc("persistence-read")
-    tests.finishTest("persistence-read", ["stdout.log", "stderr.log", "vars.log"])
-
-    tests.compareFiles("persistence-write", "persistence-read", ["vars.log"])
-
-##########################################    
-# Exchange events (clear-text).
-#
-# The used trace contains two connections separated by a silence of a 
-# couple of seconds. We start the processes so that the events for the 
-# *second* one (which is a full HTTP connection) are exchanged.
-##########################################    
-
-if tests.testSet("events"):
-
-    tests.spawnBro("events-send", 
-               ["-r", os.path.join(tests.Scripts, os.path.join(tests.Traces, "web.trace")), 
-                "--pseudo-realtime", 
-                "-C",
-               os.path.join(tests.Scripts, "events-send.bro")])
-    time.sleep(2)
-    tests.spawnBro("events-rcv", 
-               [os.path.join(tests.Scripts, "events-rcv.bro")])
-    tests.waitProc("events-send")
-    tests.killProc("events-rcv")
-    tests.finishTest("events-send", ["stdout.log", "stderr.log", "http.log", "conn.log"], ignoreTime=True)
-    tests.finishTest("events-rcv", ["stdout.log", "stderr.log", "http.log", "conn.log"], ignoreTime=True)
-
-    tests.spawnBro("events-display", 
-               ["-x", os.path.join(tests.workDir("events-rcv"), "events.bst")])
-    tests.waitProc("events-display")
-    tests.finishTest("events-display", ["stdout.log"], ignoreTime=True, sort=True, delete=['127.0.0.1:[0-9]*',"Event.*remote_.*"])
-
-    tests.compareFiles("events-send", "events-rcv", ["http.log"], ignoreTime=True, ignoreSessionID=True)
-
-##########################################    
-# Exchange synchronized state
-##########################################    
-
-if tests.testSet("sync"):
-
-    tests.spawnBro("sync-send", 
-               [os.path.join(tests.Scripts, "vars-sync-send.bro")])
-    tests.spawnBro("sync-rcv", 
-               [os.path.join(tests.Scripts, "vars-sync-rcv.bro")])
-    tests.waitProc("sync-send")
-    time.sleep(1)
-    tests.killProc("sync-rcv")
-    tests.finishTest("sync-send", ["stdout.log", "stderr.log", "vars.log"], ignoreTime=True)
-    tests.finishTest("sync-rcv", ["stdout.log", "stderr.log", "vars.log", "remote.log"], ignoreTime=True, delete=["pid.*pid.*", "temporarily unavailable \\[..\\]"])
-
-    tests.compareFiles("sync-send", "sync-rcv", ["vars.log"], ignoreTime=True)
-
-# Old version    
-#    tests.spawnBro("sync-send", 
-#               ["-r", os.path.join(tests.Scripts, os.path.join(tests.Traces, "web.trace")), 
-#       	        "--pseudo-realtime", 
-#                "-C",
-#               os.path.join(tests.Scripts, "vars-sync-send.bro")])
-
-##########################################
-# Test Broccoli with bro-ping
-##########################################
-
-
-if tests.testSet("broccoli"):
-
-    broctest = os.path.join(tests.Bro, "aux/broccoli/test")    
-    broclib = os.path.join(tests.Bro, "aux/broccoli/src/.libs")
-    broping = os.path.join(broctest, "broping")
-
-    brocpy = os.path.join(tests.Bro, "aux/broccoli/bindings/python")    
-
-    broccoli = True
-    
-    # Test if Broccoli was compiled.
-    if not os.path.exists(broping):
-        print "    Broccoli was not compiled, skipping tests."
-        broccoli = False
-        
-    # Test if this is a IPv6 Bro. 
-    if broccoli:
-        v6 = subprocess.call(["grep", "-q", "#define BROv6", os.path.join(tests.Bro, "config.h")])
-        if v6 == 0:
-            print "    Bro built with IPv6 support not compatible with Broccoli, skipping tests."
-            broccoli = False
-
-    if broccoli:
-        tests.spawnBro("bro-ping", [os.path.join(broctest, "broping-record.bro")])
-        time.sleep(1)
-        tests.spawnProc("broccoli-ping", 
-                        [broping, 
-                        "-r", 
-                        "-c", "5", 
-                        "127.0.0.1"])
-        tests.waitProc("broccoli-ping")
-        tests.killProc("bro-ping")
-    
-        tests.finishTest("bro-ping", ["stdout.log", "stderr.log", "remote.log"], 
-                         ignoreTime=True, delete=["127.0.0.1:[0-9]*", "pid.*pid.*", 
-                         ".*Resource temporarily unavailable.*", ".*connection closed.*", 
-                         ".*peer disconnected.*"])
-        tests.finishTest("broccoli-ping", ["stdout.log", "stderr.log"],
-                         delete=["time=.* s$"])
-                         
-        # Test if Python binding are installed.
-        sopath = subprocess.Popen(["find", brocpy, "-name", "_broccoli_intern.so"], stdout=subprocess.PIPE).communicate()[0]
-        if sopath != "":
-
-            os.environ["LD_LIBRARY_PATH"] = broclib
-            os.environ["DYLD_LIBRARY_PATH"] = broclib
-            os.environ["PYTHONPATH"] = os.path.dirname(sopath)
-            
-            tests.spawnBro("python-bro", [os.path.join(brocpy, "tests/test.bro")])
-            time.sleep(1)
-            tests.spawnProc("python-script", [os.path.join(brocpy, "tests/test.py")])
-            tests.waitProc("python-script")
-            tests.killProc("python-bro")
-            tests.finishTest("python-bro", ["stdout.log"], ignoreTime=True)
-            tests.finishTest("python-script", ["stdout.log"], ignoreTime=True, delete=["0x[^>]*", ".[0-9]{2}"])
-        else:
-            print "    Python bindings not built, skipping test."
-            print "       (To build: cd %s && python setup.py build)" % brocpy
-                         
-
-    
diff --git a/testing/istate/rndseed.dat b/testing/istate/rndseed.dat
deleted file mode 100644
index 3bc70c899b..0000000000
--- a/testing/istate/rndseed.dat
+++ /dev/null
@@ -1,17 +0,0 @@
-1971283154
-1128552575
-26676
-875311974
-790730425
-1553617948
-3593004090
-2070230499
-1420669195
-754343139
-2906181924
-542878596
-2459738795
-924396623
-743111462
-3363354015
-198575356
diff --git a/testing/istate/scripts/events-rcv.bro b/testing/istate/scripts/events-rcv.bro
deleted file mode 100644
index a345e3fa49..0000000000
--- a/testing/istate/scripts/events-rcv.bro
+++ /dev/null
@@ -1,18 +0,0 @@
-# $Id: events-rcv.bro,v 1.1.2.1 2005/10/07 01:59:12 sommer Exp $
-
-@load tcp
-@load http-request
-@load http-reply
-@load http-header
-@load http-body
-@load http-abstract
-	
-@load capture-events	
-@load remote
-	
-redef peer_description = "events-rcv";
-	
-redef Remote::destinations += {
-    ["foo"] = [$host = 127.0.0.1, $events = /.*/, $connect=T]
-};
-
diff --git a/testing/istate/scripts/events-send.bro b/testing/istate/scripts/events-send.bro
deleted file mode 100644
index 00975fd723..0000000000
--- a/testing/istate/scripts/events-send.bro
+++ /dev/null
@@ -1,21 +0,0 @@
-# $Id: events-send.bro,v 1.1.2.1 2005/10/07 01:59:12 sommer Exp $
-
-@load tcp
-@load http-request
-@load http-reply
-@load http-header
-@load http-body
-@load http-abstract
-@load listen-clear
-	
-@load capture-events	
-	
-redef peer_description = "events-send";
-
-# Make sure the HTTP connection really gets out.
-# (We still miss one final connection event because we shutdown before
-# it gets propagated but that's ok.)
-redef tcp_close_delay = 0secs;
-
-	
-	
diff --git a/testing/istate/scripts/vars-declare.bro b/testing/istate/scripts/vars-declare.bro
deleted file mode 100644
index 871e518109..0000000000
--- a/testing/istate/scripts/vars-declare.bro
+++ /dev/null
@@ -1,36 +0,0 @@
-# $Id: vars-declare.bro,v 1.1.2.2 2005/10/11 21:15:05 sommer Exp $
-#
-# Declares variables.
-
-global foo1: count &persistent &synchronized;
-global foo2: int &persistent &synchronized;
-global foo3: string &persistent &synchronized; 
-global foo4: addr &persistent &synchronized; 
-global foo5: subnet &persistent &synchronized; 
-global foo6: double &persistent &synchronized; 
-global foo7: net &persistent &synchronized; 
-global foo8: interval &persistent &synchronized; 
-global foo9: table[count] of string &persistent &synchronized;
-global foo10: file &persistent &synchronized; 
-global foo11: pattern &persistent &synchronized; 
-global foo12: set[count] &persistent &synchronized; 
-global foo13: table[count, string] of count &persistent &synchronized;
-global foo14: table[count] of pattern &persistent &synchronized;
-global foo15: port &persistent &synchronized;
-global foo16: vector of count &persistent &synchronized;
-
-type type1: record {
-    a: string;
-    b: count &default=42;
-    c: double &optional;
-    };
-
-type type2: record {
-    a: string;
-    b: type1;
-    c: type1;
-    d: double;
-    };
-
-global foo17: type2  &persistent &synchronized;
-
diff --git a/testing/istate/scripts/vars-init.bro b/testing/istate/scripts/vars-init.bro
deleted file mode 100644
index 79b1345f31..0000000000
--- a/testing/istate/scripts/vars-init.bro
+++ /dev/null
@@ -1,42 +0,0 @@
-# $Id: vars-init.bro,v 1.1.2.2 2005/10/11 21:15:05 sommer Exp $
-# 
-# Instantiates variables.
-
-global foo1 = 42 &persistent &synchronized;
-global foo2 = -42 &persistent &synchronized;
-global foo3 = "Hallihallo" &persistent &synchronized; 
-global foo4 = 1.2.3.4 &persistent &synchronized; 
-global foo5 = 1.2.0.0/16 &persistent &synchronized; 
-global foo6 = 3.14 &persistent &synchronized; 
-global foo7 = 131.159. &persistent &synchronized; 
-global foo8 = 42 secs &persistent &synchronized; 
-global foo9 = { [1] = "qwerty", [2] = "uiop" } &persistent &synchronized;
-global foo10 = open("test") &persistent &synchronized; 
-global foo11 = /12345/ &persistent &synchronized; 
-global foo12 = { 1,2,3,4,5 } &persistent &synchronized; 
-global foo13  =  { [1,"ABC"] = 101, [2,"DEF"] = 102, [3,"GHI"] = 103 } &persistent &synchronized;
-global foo14  =  { [12345] = foo11, [12346] = foo11 } &persistent &synchronized;
-global foo15 = 42/udp &persistent &synchronized;
-global foo16: vector of count = [1,2,3] &persistent &synchronized;
- 
-type type1: record {
-    a: string;
-    b: count &default=42;
-    c: double &optional;
-    };
-
-type type2: record {
-    a: string;
-    b: type1;
-    c: type1;
-    d: double;
-    };
-
-global foo17: type2 = [
-	$a = "yuyuyu",
-    $b = [$a="rec1", $b=100, $c=1.24],
-    $c = [$a="rec2", $b=200, $c=2.24],
-   	$d = 7.77				   
-	] &persistent &synchronized;
-
-
diff --git a/testing/istate/scripts/vars-modify.bro b/testing/istate/scripts/vars-modify.bro
deleted file mode 100644
index 51f723f90d..0000000000
--- a/testing/istate/scripts/vars-modify.bro
+++ /dev/null
@@ -1,61 +0,0 @@
-# $Id: vars-modify.bro,v 1.1.2.2 2005/10/11 21:15:05 sommer Exp $
-#
-# Performs modifications on variables.
-
-function modify()
-	{
-	foo1 = 420;
-	++foo1;
-	
-	--foo2;
-	
-	foo3 = "Jodel";
-	
-	foo4 = 4.3.2.1; 
-	
-	foo5 = 4.0.0.0/8; 
-	
-	foo6 = 21;
-	
-	foo7 = 192.150.186; 
-	
-	foo9[3] = "asdfg1";
-	foo9[1] = "asdfg2";
-	delete foo9[2];
-	
-	foo10 = open("test2");
-	
-	foo11 = /abbcdefgh/;
-	
-	add foo12[6];
-	delete foo12[1];
-	
-	foo13[4,"JKL"] = 104;
-	delete foo13[1,"ABC"];
-	++foo13[2,"DEF"];
-	
-	foo14[6767] = /QWERTZ/;
-	
-	foo15 = 6667/tcp;
-	
-	foo16[4] = 4;
-	foo16[2] = 20;
-	++foo16[1];
-	
-	local x: type1;
-	x$a = "pop";
-	++x$b;
-	x$c = 9.999;
-	foo17$a = "zxzxzx";
-	foo17$b = x;
-	foo17$c$a = "IOIOI";
-	++foo17$c$b;
-	foo17$c$c = 612.2;
-	foo17$d = 6.6666;
-	
-	foo2 = 1234567;
-	}
-
-
-
-
diff --git a/testing/istate/scripts/vars-print.bro b/testing/istate/scripts/vars-print.bro
deleted file mode 100644
index 26d846c9cc..0000000000
--- a/testing/istate/scripts/vars-print.bro
+++ /dev/null
@@ -1,29 +0,0 @@
-# $Id: vars-print.bro,v 1.1.2.2 2005/10/11 21:15:05 sommer Exp $
-#
-# Print variables.
-
-event bro_done()
-	{
-	local out = open("vars.log");
-	print out, foo1;
-	print out, foo2;
-	print out, foo3;
-	print out, foo4;
-	print out, foo5;
-	print out, foo6;
-	print out, foo7;
-	print out, foo8;
-	print out, foo9;
-	print out, foo10;
-	print out, foo11;
-	print out, foo12;
-	print out, foo13;
-	print out, foo14;
-	print out, foo15;
-	print out, foo16;
-	print out, foo17;
-	}
-
-	
-	
-	
diff --git a/testing/istate/scripts/vars-sync-rcv.bro b/testing/istate/scripts/vars-sync-rcv.bro
deleted file mode 100644
index 145afd6ff6..0000000000
--- a/testing/istate/scripts/vars-sync-rcv.bro
+++ /dev/null
@@ -1,13 +0,0 @@
-# $Id: vars-sync-rcv.bro,v 1.1.2.1 2005/10/11 21:15:05 sommer Exp $
-
-@load vars-init
-@load vars-print
-
-@load capture-events	
-@load remote
-
-	
-redef Remote::destinations += {
-    ["foo"] = [$host = 127.0.0.1, $events = /.*/, $connect=T, $sync=T]
-};
-
diff --git a/testing/istate/scripts/vars-sync-send.bro b/testing/istate/scripts/vars-sync-send.bro
deleted file mode 100644
index 655c8a36ea..0000000000
--- a/testing/istate/scripts/vars-sync-send.bro
+++ /dev/null
@@ -1,20 +0,0 @@
-# $Id: vars-sync-send.bro,v 1.1.2.1 2005/10/11 21:15:05 sommer Exp $
-#
-
-@load vars-init
-@load vars-print
-@load vars-modify
-
-@load listen-clear
-
-event remote_connection_handshake_done(p: event_peer)
-	{
-	modify();
-	terminate_communication();
-	}
-			 
-redef Remote::destinations += {
-    ["foo"] = [$host = 127.0.0.1, $sync=T]
-};
-
-	
diff --git a/testing/istate/tests.py b/testing/istate/tests.py
deleted file mode 100644
index a8bbb5172a..0000000000
--- a/testing/istate/tests.py
+++ /dev/null
@@ -1,297 +0,0 @@
-# $Id: tests.py,v 1.1.2.5 2005/10/11 22:31:42 sommer Exp $
-#
-# Various helper functions.
-
-import sys
-import os
-import copy
-import errno
-import signal
-import subprocess
-
-# Path to our files.
-Testing = os.path.abspath(".")
-
-# Path to top-level Bro directory.
-if os.path.exists("../../src/bro"):
-    Bro = os.path.abspath("../..")
-else:
-    Bro = os.path.abspath("../../bro")
-    
-# Path where tmp files are created.
-Tmp = os.path.join(Testing, "tmp")
-
-# Path to seed file.
-BroSeed = os.path.join(Testing, "rndseed.dat")
-
-# Path to our test scripts.
-Scripts = os.path.join(Testing, "scripts")
-
-# Path to our test traces.
-Traces = os.path.join(Testing, "traces")
-
-# Where the base files to compare against are stored.
-Base = os.path.join(os.getcwd(), "./base")
- 
-# Process ID of all processes we've spawned, indexed by textual tag *and* pid.
-Running = {}
-
-# Set to true when at least one check failed.
-Failed = False
-
-# getopt options
-Options = None
-
-def error(str):
-    print >>sys.stderr, "Error:", str
-    sys.exit(1)
-
-def debug(str):    
-    if Options.debug:
-        print >>sys.stderr, "Debug:", str
-
-def log(str):    
-    print >>sys.stderr, str
-
-# Returns full path of given process' working directory.
-def workDir(tag):     
-    return os.path.join(Tmp, tag)
-
-# Intializes work dir for given process.
-def initWorkDir(tag):
-    
-    try:
-        os.mkdir(Tmp)
-    except OSError, e:
-        if e.errno != errno.EEXIST:
-            raise
-        
-    os.system("rm -rf " + workDir(tag))
-    os.mkdir(workDir(tag))
-
-# Spawns process identified by the given tag. Enters process into RunningBro.
-def spawnProc(tag, cmdline, copy=[]):    
-    initWorkDir(tag)
-    os.chdir(workDir(tag))
-
-    for i in copy:
-        debug("Copying %s into workdir of %s" % (i, tag))
-        os.system("cp -r %s %s" % (i, workDir(tag)))
-    
-    debug("Spawning '%s' as %s" % (" ".join(cmdline), tag))
-    
-    saved_stdin = os.dup(0)
-    saved_stdout = os.dup(1)
-    saved_stderr = os.dup(2)
-    child_stdin = open("/dev/null", "r")
-    child_stdout = open("stdout.log", "w")
-    child_stderr = open("stderr.log", "w")
-    os.dup2(child_stdin.fileno(), 0)
-    os.dup2(child_stdout.fileno(), 1)
-    os.dup2(child_stderr.fileno(), 2)
-    pid = os.spawnvp(os.P_NOWAIT, cmdline[0], cmdline)
-    os.dup2(saved_stdin, 0)
-    os.dup2(saved_stdout, 1)
-    os.dup2(saved_stderr, 2)
-    
-    Running[tag] = pid
-    Running[pid] = tag
-
-# Spaws a Bro process.    
-def spawnBro(tag, args, copy=[]):
-    os.putenv("BROPATH", os.path.join(Bro, "policy") + ":" + Scripts)
-    os.unsetenv("BRO_LOG_SUFFIX")
-    args += ["--load-seeds", BroSeed, "-B", "state,comm"]
-    spawnProc(tag, [os.path.join(Bro, "src/bro")] + args, copy=copy)
-    
-# Examines a process' exit code.    
-def parseExitCode(tag, result):    
-    if os.WCOREDUMP(result):
-        error("process %s core dumped." % tag)
-
-    if os.WIFSIGNALED(result):
-        error("process %s got signal %d." % (tag, os.WTERMSIG(result)))
-        
-    if not os.WIFEXITED(result):
-        error("process %s exited abnormally (%d)." % (tag, result))
-
-    result = os.WEXITSTATUS(result)
-    debug("process %s exited with %d" % (tag, result)) 
-        
-    return result
-
-# Waits for process to finish.
-def waitProc(tag):
-    (pid, result) = os.waitpid(Running[tag], 0)
-    result = parseExitCode(tag, result)
-    if result != 0:
-	error("Execution of %s failed." % tag)
-	
-    del Running[pid]
-    del Running[tag]
-
-# Waits for all of our processes to terminte.
-def waitProcs():
-    while Running:
-        (pid, result) = os.waitpid(0, 0)
-        parseExitCode(Running[pid], result)
-        del Running[Running[pid]]
-        del Running[pid]
-
-# Kills the process and waits for its termination.
-def killProc(tag):
-    pid = Running[tag]
-    debug("Killing %s..." % tag)
-    os.kill(pid, signal.SIGTERM)
-    (pid, result) = os.waitpid(pid, 0)
-    parseExitCode(tag, result)
-    del Running[pid]
-    del Running[tag]
-	
-# Cleans up temporary stuff
-def cleanup():
-    os.system("rm -rf " + Tmp)
-
-# Canonicalizes file content for diffing.
-def canonicalizeFile(file, ignoreTime, ignoreSessionID, sort, delete):
-    
-    cmd = []
-    
-    if delete:
-        for i in delete:
-            cmd += ["sed 's/%s//g' | grep -v '^$'" % i]
-        
-    if ignoreTime:
-        cmd += ["sed 's/[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]\.[0-9][0-9]\{0,6\}/xxxxxxxxxx.xxxxxx/g'"]
-
-    if ignoreSessionID:
-        # A session is either "%1" or "%my-peer-description-1"
-        cmd += ["sed 's/%\([^ ]*-\)\{0,1\}[0-9][0-9]*/%XXX/g'"]
-        
-    if sort:
-        cmd += ["LC_ALL=c sort"]
-        
-    if not cmd:
-        return
-        
-    tmp = file + ".tmp"
-    cmd = "cat %s | %s >%s" % (file, " | ".join(cmd), tmp) 
-
-    debug("Canonicalizing '%s'" % cmd)
-    os.system(cmd)
-    os.system("mv %s %s" % (tmp, file))
-
-# Diffs the two files, If mismatch, prints "FAILED" and returns true.    
-def diff(file1, file2):
-    
-    quiet = ">/dev/null"
-    if Options.showdiff:
-        quiet = ""
-
-    for f in (file1, file2):
-        if not os.path.exists(f):
-            print "FAILED (%s does not exist)" % f
-            return False
-        
-    diff = "diff -u %s %s %s" % (file1, file2, quiet)
-        
-    debug("Executing '%s'" % diff)
-    result = os.system(diff)
-        
-    if os.WEXITSTATUS(result) != 0:
-        print "FAILED"
-        return False
-    
-    return True
-    
-# Compares files of process against base version. Returns false if mismatch found.
-def checkFiles(tag, files, ignoreTime, sort, delete):
-    base = os.path.join(Base, tag)
-    work = workDir(tag)
-    
-    print "    Checking %s..." % tag,
-    
-    failed = False
-    
-    for file in files:
-        oldfile = os.path.join(base, file)
-        newfile = os.path.join(work, file)
-
-        canonicalizeFile(newfile, ignoreTime, False, sort, delete)
-	
-        if not diff(oldfile, newfile):
-            failed = True
-            break
-    
-    if not failed:
-        print "ok"
-    else:
-        Failed = failed
-
-# Compares files of two processes. Return false if mismatch found.
-def compareFiles(tag1, tag2, files, ignoreTime=False, ignoreSessionID=False, sort=False, delete=None):
-    work1 = workDir(tag1)
-    work2 = workDir(tag2)
-
-    print "    Comparing %s with %s..." % (tag1, tag2),
-    
-    failed = False
-    
-    for file in files:
-        file1 = os.path.join(work1, file)
-        file2 = os.path.join(work2, file)
-
-        canonicalizeFile(file1, ignoreTime, ignoreSessionID, sort, delete)
-        canonicalizeFile(file2, ignoreTime, ignoreSessionID, sort, delete)
-	
-        if not diff(file1, file2):
-            failed = True
-            break
-    
-    if not failed:
-        print "ok"
-    else:
-        Failed = failed
-        
-# Make the result of process new baseline.
-def makeNewBase(tag, files, ignoreTime, sort, delete):
-
-    try:
-        os.mkdir(Base)
-    except OSError, e:
-        if e.errno != errno.EEXIST:
-            raise
-        
-    base = os.path.join(Base, tag)
-    work = workDir(tag)
-
-    print "    Copying files for %s..." % tag
-    
-    try:
-        os.mkdir(base)
-    except OSError, e:
-        if e.errno != errno.EEXIST:
-            raise
-        
-    # Delete all files but those belonging to CVS.
-    os.system("find %s -type f -not -path '*/CVS/*' -not -path '*/.svn/*' -exec rm '{}' ';'" % base)
-    
-    for file in files:
-        oldfile = os.path.join(work, file)
-        newfile = os.path.join(base, file)
-	os.system("cp %s %s" % (oldfile, newfile))
-        canonicalizeFile(newfile, ignoreTime, False, sort, delete)
-
-def testSet(set):
-    if Options.set and set != Options.set:
-        return False
-    
-    print "Running set '%s' ..." % set
-    return True
-        
-# Either check given files or make it new baseline, depending on options.
-def finishTest(tag, files, ignoreTime=False, sort=False, delete=None):
-    if Options.newbase:
-	makeNewBase(tag, files, ignoreTime, sort, delete)
-    else:
-	checkFiles(tag, files, ignoreTime, sort, delete)